+- [Create and run your own custom policies in Azure Active Directory B2C](custom-policies-series-overview.md)

+- [Write your first Azure Active Directory B2C custom policy - Hello World!](custom-policies-series-hello-world.md)

+- [Collect and manipulate user inputs by using Azure AD B2C custom policy](custom-policies-series-collect-user-input.md)

+- [Validate user inputs by using Azure Active Directory B2C custom policy](custom-policies-series-validate-user-input.md)

+- [Create branching in user journey by using Azure Active Directory B2C custom policy](custom-policies-series-branch-user-journey.md)

+- [Validate custom policy files by using TrustFrameworkPolicy schema](custom-policies-series-install-xml-extensions.md)

+- [Call a REST API by using Azure Active Directory B2C custom policy](custom-policies-series-call-rest-api.md)

+- [Create and read a user account by using Azure Active Directory B2C custom policy](custom-policies-series-store-user.md)

+- [Set up a sign-up and sign-in flow by using Azure Active Directory B2C custom policy](custom-policies-series-sign-up-or-sign-in.md)

+- [Set up a sign-up and sign-in flow with a social account by using Azure Active Directory B2C custom policy](custom-policies-series-sign-up-or-sign-in-federation.md)

+- [Manage administrator accounts in Azure Active Directory B2C](tenant-management-manage-administrator.md)

+- [Manage emergency access accounts in Azure Active Directory B2C](tenant-management-emergency-access-account.md)

+- [Review tenant creation permission in Azure Active Directory B2C](tenant-management-check-tenant-creation-permission.md)

+- [Find tenant name and tenant ID in Azure Active Directory B2C](tenant-management-read-tenant-name.md)

+To manage user security in Azure Active Directory Domain Services (Azure AD DS), you can define fine-grained password policies that control account lockout settings or minimum password length and complexity. A default fine grained password policy is created and applied to all users in an Azure AD DS managed domain. To provide granular control and meet specific business or compliance needs, additional policies can be created and applied to specific users or groups.

+1. In the **Locations** dialog, expand the domain name, such as *aaddscontoso.com*, then select an OU, such as **AADDC Users**. If you have a custom OU that contains a group of users you wish to apply, select that OU.

+1. Type the name of the user or group you wish to apply the policy to. Select **Check Names** to validate the account.

+1. Click **OK** to save your custom password policy.

+> The on-premises service account that handles password write-back requests cannot change the passwords for users that belong to protected groups. Administrators can change their password in the cloud but they cannot use password write-back to reset a forgotten password for their on-premises user. For more information about protected groups, see [Protected accounts and groups in AD DS](/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory).

+To troubleshoot issues with deploying the Azure AD Kerberos Server, use the logs for the new [AzureADHybridAuthenticationManagement](https://www.powershellgallery.com/packages/AzureADHybridAuthenticationManagement) PowerShell module.

+The Azure AD Kerberos Server PowerShell cmdlets in the [AzureADHybridAuthenticationManagement](https://www.powershellgallery.com/packages/AzureADHybridAuthenticationManagement) module use the same logging as the standard Azure AD Connect Wizard. To view information or error details from the cmdlets, complete the following steps:

+1. On the machine where the [AzureADHybridAuthenticationManagement](https://www.powershellgallery.com/packages/AzureADHybridAuthenticationManagement) module was used, browse to `C:\ProgramData\AADConnect\`. This folder is hidden by default.

+1. On the Azure AD Connect Server or any other machine where the [AzureADHybridAuthenticationManagement](https://www.powershellgallery.com/packages/AzureADHybridAuthenticationManagement) module is installed, open PowerShell and navigate to `C:\Program Files\Microsoft Azure Active Directory Connect\AzureADKerberos\`

+> SSH clients based on PuTTY now supports OpenSSH certificates and can be used to log in with Azure AD OpenSSH certificate-based authentication.

+ Title: 'Tutorial: Configure Acunetix 360 for automatic user provisioning with Azure Active Directory | Microsoft Docs'

+description: Learn how to automatically provision and de-provision user accounts from Azure AD to Acunetix 360.

+writer: twimmers

+ms.assetid: cb0c2e2c-ade9-4e6b-9ce5-d7c7d2743d90

+# Tutorial: Configure Acunetix 360 for automatic user provisioning

+This tutorial describes the steps you need to perform in both Acunetix 360 and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Acunetix 360](https://www.acunetix.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).

+## Supported capabilities

+> [!div class="checklist"]

+> * Create users in Acunetix 360.

+> * Remove users in Acunetix 360 when they do not require access anymore.

+> * Keep user attributes synchronized between Azure AD and Acunetix 360.

+> * Provision groups and group memberships in Acunetix 360

+> * [Single sign-on](acunetix-360-tutorial.md) to Acunetix 360 (recommended).

+## Prerequisites

+The scenario outlined in this tutorial assumes that you already have the following prerequisites:

+* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md)

+* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).

+* An administrator account with Acunetix 360.

+## Step 1. Plan your provisioning deployment

+1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).

+1. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+1. Determine what data to [map between Azure AD and Acunetix 360](../app-provisioning/customize-application-attributes.md).

+## Step 2. Configure Acunetix 360 to support provisioning with Azure AD

+1. Log in to [Acunetix 360 admin console](https://online.acunetix360.com/).

+1. Click on profile logo and navigate to **API Settings**.

+1. Enter your **Current Password** and then click on **Submit**.

+1. Copy and save the **Token**.This value will be entered in the **Secret Token** field in the Provisioning tab of your Acunetix 360 application in the Azure portal.

+ >[!NOTE]

+ >Click on **Reset API Token** in order to reset the Token.

+1. And `https://online.acunetix360.com/scim/v2` will be entered in the **Tenant Url** field in the Provisioning tab of your Acunetix 360 application in the Azure portal.

+## Step 3. Add Acunetix 360 from the Azure AD application gallery

+Add Acunetix 360 from the Azure AD application gallery to start managing provisioning to Acunetix 360. If you have previously setup Acunetix 360 for SSO you can use the same application. However it's recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).

+## Step 4. Define who will be in scope for provisioning

+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+* If you need more roles, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add new roles.

+## Step 5. Configure automatic user provisioning to Acunetix 360

+This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and/or groups in TestApp based on user and/or group assignments in Azure AD.

+### To configure automatic user provisioning for Acunetix 360 in Azure AD:

+1. Sign in to the [Azure portal](https://portal.azure.com). Select **Enterprise Applications**, then select **All applications**.

+ 

+1. In the applications list, select **Acunetix 360**.

+ 

+1. Select the **Provisioning** tab.

+ 

+1. Set the **Provisioning Mode** to **Automatic**.

+ 

+1. Under the **Admin Credentials** section, input your Acunetix 360 Tenant URL and Secret Token. Click **Test Connection** to ensure Azure AD can connect to Acunetix 360. If the connection fails, ensure your Acunetix 360 account has Admin permissions and try again.

+ 

+1. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box.

+ 

+1. Select **Save**.

+1. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to Acunetix 360**.

+1. Review the user attributes that are synchronized from Azure AD to Acunetix 360 in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Acunetix 360 for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you'll need to ensure that the Acunetix 360 API supports filtering users based on that attribute. Select the **Save** button to commit any changes.

+ |Attribute|Type|Supported for filtering|Required by Acunetix 360|

+ |||||

+ |userName|String|✓|✓

+ |active|Boolean||✓

+ |emails[type eq "work"].value|String||✓

+ |name.givenName|String||✓

+ |name.familyName|String||✓

+ |phoneNumbers[type eq "mobile"].value|String||

+1. Under the **Mappings** section, select **Synchronize Azure Active Directory Groups to Acunetix 360**.

+1. Review the group attributes that are synchronized from Azure AD to Acunetix 360 in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the groups in Acunetix 360 for update operations. Select the **Save** button to commit any changes.

+ |Attribute|Type|Supported for filtering|Required by Acunetix 360|

+ |||||

+ |displayName|String|✓|✓

+ |members|Reference||

+

+1. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+1. To enable the Azure AD provisioning service for Acunetix 360, change the **Provisioning Status** to **On** in the **Settings** section.

+ 

+1. Define the users and/or groups that you would like to provision to Acunetix 360 by choosing the desired values in **Scope** in the **Settings** section.

+ 

+1. When you're ready to provision, click **Save**.

+ 

+This operation starts the initial synchronization cycle of all users and groups defined in **Scope** in the **Settings** section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running.

+## Step 6. Monitor your deployment

+Once you've configured provisioning, use the following resources to monitor your deployment:

+* Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully

+* Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it's to completion

+* If the provisioning configuration seems to be in an unhealthy state, the application goes into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).

+## More resources

+* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)

+* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+## Next steps

+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)

+ Title: 'Tutorial: Configure Ardoq for automatic user provisioning with Azure Active Directory | Microsoft Docs'

+description: Learn how to automatically provision and de-provision user accounts from Azure AD to Ardoq.

+writer: twimmers

+ms.assetid: 0339e63a-5262-4019-a85d-18c9617fc4b3

+# Tutorial: Configure Ardoq for automatic user provisioning

+This tutorial describes the steps you need to perform in both Ardoq and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users to [Ardoq](https://www.ardoq.com) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).

+## Supported capabilities

+> [!div class="checklist"]

+> * Create users in Ardoq.

+> * Remove users in Ardoq when they do not require access anymore.

+> * Keep user attributes synchronized between Azure AD and Ardoq.

+> * [Single sign-on](ardoq-tutorial.md) to Ardoq (recommended).

+## Prerequisites

+The scenario outlined in this tutorial assumes that you already have the following prerequisites:

+* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md)

+* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).

+* An administrator account with Ardoq.

+## Step 1. Plan your provisioning deployment

+1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).

+1. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+1. Determine what data to [map between Azure AD and Ardoq](../app-provisioning/customize-application-attributes.md).

+## Step 2. Configure Ardoq to support provisioning with Azure AD

+1. Log in to [Ardoq](https://aad.ardoq.com/).

+1. In the left menu click on profile logo and, navigate to **Organization Settings->Manage Organization->Manage SCIM Token**.

+1. Click on **Generate new**.

+1. Copy and save the **Token**.This value will be entered in the **Secret Token** field in the Provisioning tab of your Ardoq application in the Azure portal.

+1. And `https://aad.ardoq.com/api/scim/v2` will be entered in the **Tenant Url** field in the Provisioning tab of your Ardoq application in the Azure portal.

+## Step 3. Add Ardoq from the Azure AD application gallery

+Add Ardoq from the Azure AD application gallery to start managing provisioning to Ardoq. If you have previously setup Ardoq for SSO you can use the same application. However it's recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).

+## Step 4. Define who will be in scope for provisioning

+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+* Start small. Test with a small set of users before rolling out to everyone. When scope for provisioning is set to assigned users, you can control this by assigning one or two users to the app. When scope is set to all users, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+* If you need more roles, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add new roles.

+## Step 5. Configure automatic user provisioning to Ardoq

+This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users in TestApp based on user and/or group assignments in Azure AD.

+### To configure automatic user provisioning for Ardoq in Azure AD:

+1. Sign in to the [Azure portal](https://portal.azure.com). Select **Enterprise Applications**, then select **All applications**.

+ 

+1. In the applications list, select **Ardoq**.

+ 

+1. Select the **Provisioning** tab.

+ 

+1. Set the **Provisioning Mode** to **Automatic**.

+ 

+1. Under the **Admin Credentials** section, input your Ardoq Tenant URL and Secret Token. Click **Test Connection** to ensure Azure AD can connect to Ardoq. If the connection fails, ensure your Ardoq account has Admin permissions and try again.

+ 

+1. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box.

+ 

+1. Select **Save**.

+1. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to Ardoq**.

+1. Review the user attributes that are synchronized from Azure AD to Ardoq in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Ardoq for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you'll need to ensure that the Ardoq API supports filtering users based on that attribute. Select the **Save** button to commit any changes.

+ |Attribute|Type|Supported for filtering|Required by Ardoq|

+ |||||

+ |userName|String|✓|✓

+ |active|Boolean||✓

+ |displayName|String||✓

+ |roles[primary eq "True"].value|String||✓

+

+1. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+1. To enable the Azure AD provisioning service for Ardoq, change the **Provisioning Status** to **On** in the **Settings** section.

+ 

+1. Define the users that you would like to provision to Ardoq by choosing the desired values in **Scope** in the **Settings** section.

+ 

+1. When you're ready to provision, click **Save**.

+ 

+This operation starts the initial synchronization cycle of all users defined in **Scope** in the **Settings** section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running.

+## Step 6. Monitor your deployment

+Once you've configured provisioning, use the following resources to monitor your deployment:

+* Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully

+* Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it's to completion

+* If the provisioning configuration seems to be in an unhealthy state, the application goes into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).

+## More resources

+* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)

+* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+## Next steps

+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)

+ Title: 'Tutorial: Configure Netsparker Enterprise for automatic user provisioning with Azure Active Directory | Microsoft Docs'

+description: Learn how to automatically provision and de-provision user accounts from Azure AD to Netsparker Enterprise.

+writer: twimmers

+ms.assetid: 6e951318-213e-40d1-9947-88242059f877

+# Tutorial: Configure Netsparker Enterprise for automatic user provisioning

+This tutorial describes the steps you need to perform in both Netsparker Enterprise and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Netsparker Enterprise](https://www.netsparker.com/product/enterprise/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).

+## Supported capabilities

+> [!div class="checklist"]

+> * Create users in Netsparker Enterprise.

+> * Remove users in Netsparker Enterprise when they do not require access anymore.

+> * Keep user attributes synchronized between Azure AD and Netsparker Enterprise.

+> * Provision groups and group memberships in Netsparker Enterprise

+> * [Single sign-on](netsparker-enterprise-tutorial.md) to Netsparker Enterprise (recommended).

+## Prerequisites

+The scenario outlined in this tutorial assumes that you already have the following prerequisites:

+* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md)

+* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).

+* An administrator account with Netsparker Enterprise.

+## Step 1. Plan your provisioning deployment

+1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).

+1. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+1. Determine what data to [map between Azure AD and Netsparker Enterprise](../app-provisioning/customize-application-attributes.md).

+## Step 2. Configure Netsparker Enterprise to support provisioning with Azure AD

+1. Log in to [Netsparker Enterprise admin console](https://www.netsparkercloud.com).

+1. Click on profile logo and navigate to **API Settings**.

+1. Enter your **Current Password** and then click on **Submit**.

+1. Copy and save the **Token**.This value will be entered in the **Secret Token** field in the Provisioning tab of your Netsparker Enterprise application in the Azure portal.

+ >[!NOTE]

+ >Click on **Reset API Token** in order to reset the Token.

+1. And `https://www.netsparkercloud.com/scim/v2` will be entered in the **Tenant Url** field in the Provisioning tab of your Netsparker Enterprise application in the Azure portal.

+## Step 3. Add Netsparker Enterprise from the Azure AD application gallery

+Add Netsparker Enterprise from the Azure AD application gallery to start managing provisioning to Netsparker Enterprise. If you have previously setup Netsparker Enterprise for SSO you can use the same application. However it's recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).

+## Step 4. Define who will be in scope for provisioning

+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+* If you need more roles, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add new roles.

+## Step 5. Configure automatic user provisioning to Netsparker Enterprise

+This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and/or groups in TestApp based on user and/or group assignments in Azure AD.

+### To configure automatic user provisioning for Netsparker Enterprise in Azure AD:

+1. Sign in to the [Azure portal](https://portal.azure.com). Select **Enterprise Applications**, then select **All applications**.

+ 

+1. In the applications list, select **Netsparker Enterprise**.

+ 

+1. Select the **Provisioning** tab.

+ 

+1. Set the **Provisioning Mode** to **Automatic**.

+ 

+1. Under the **Admin Credentials** section, input your Netsparker Enterprise Tenant URL and Secret Token. Click **Test Connection** to ensure Azure AD can connect to Netsparker Enterprise. If the connection fails, ensure your Netsparker Enterprise account has Admin permissions and try again.

+ 

+1. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box.

+ 

+1. Select **Save**.

+1. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to Netsparker Enterprise**.

+1. Review the user attributes that are synchronized from Azure AD to Netsparker Enterprise in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Netsparker Enterprise for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you need to ensure that the Netsparker Enterprise API supports filtering users based on that attribute. Select the **Save** button to commit any changes.

+ |Attribute|Type|Supported for filtering|Required by Netsparker Enterprise|

+ |||||

+ |userName|String|✓|✓

+ |active|Boolean||✓

+ |emails[type eq "work"].value|String||✓

+ |name.givenName|String||✓

+ |name.familyName|String||✓

+ |phoneNumbers[type eq "mobile"].value|String||

+1. Under the **Mappings** section, select **Synchronize Azure Active Directory Groups to Netsparker Enterprise**.

+1. Review the group attributes that are synchronized from Azure AD to Netsparker Enterprise in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the groups in Netsparker Enterprise for update operations. Select the **Save** button to commit any changes.

+ |Attribute|Type|Supported for filtering|Required by Netsparker Enterprise|

+ |||||

+ |displayName|String|✓|✓

+ |members|Reference||

+

+1. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+1. To enable the Azure AD provisioning service for Netsparker Enterprise, change the **Provisioning Status** to **On** in the **Settings** section.

+ 

+1. Define the users and/or groups that you would like to provision to Netsparker Enterprise by choosing the desired values in **Scope** in the **Settings** section.

+ 

+1. When you're ready to provision, click **Save**.

+ 

+This operation starts the initial synchronization cycle of all users and groups defined in **Scope** in the **Settings** section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running.

+## Step 6. Monitor your deployment

+Once you've configured provisioning, use the following resources to monitor your deployment:

+* Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully

+* Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it's to completion

+* If the provisioning configuration seems to be in an unhealthy state, the application goes into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).

+## More resources

+* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)

+* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+## Next steps

+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)

+Once you configure Oracle IDCS for PeopleSoft you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).

+To manually create a service principal with the Azure CLI, use the [`az ad sp create-for-rbac`][az-ad-sp-create] command.

+To manually create a service principal with Azure PowerShell, use the [`New-AzADServicePrincipal`][new-azadserviceprincipal] command.

+To use an existing service principal when you create an AKS cluster using the [`az aks create`][az-aks-create] command, use the `--service-principal` and `--client-secret` parameters to specify the `appId` and `password` from the output of the [`az ad sp create-for-rbac`][az-ad-sp-create] command:

+To delegate permissions, create a role assignment using the [`az role assignment create`][az-role-assignment-create] command. Assign the `appId` to a particular scope, such as a resource group or virtual network resource. A role then defines what permissions the service principal has on the resource, as shown in the following example:

+To delegate permissions, create a role assignment using the [`New-AzRoleAssignment`][new-azroleassignment] command. Assign the `ApplicationId` to a particular scope, such as a resource group or virtual network resource. A role then defines what permissions the service principal has on the resource, as shown in the following example:

+If you use Azure Container Registry (ACR) as your container image store, you need to grant permissions to the service principal for your AKS cluster to read and pull images. Currently, the recommended configuration is to use the [`az aks create`][az-aks-create] or [`az aks update`][az-aks-update] command to integrate with a registry and assign the appropriate role for the service principal. For detailed steps, see [Authenticate with Azure Container Registry from Azure Kubernetes Service][aks-to-acr].

+If you use Azure Container Registry (ACR) as your container image store, you need to grant permissions to the service principal for your AKS cluster to read and pull images. Currently, the recommended configuration is to use the [`New-AzAksCluster`][new-azakscluster] or [`Set-AzAksCluster`][set-azakscluster] command to integrate with a registry and assign the appropriate role for the service principal. For detailed steps, see [Authenticate with Azure Container Registry from Azure Kubernetes Service][aks-to-acr].

+- When you delete an AKS cluster that was created by [`az aks create`][az-aks-create], the service principal created automatically isn't deleted.

+ - To delete the service principal, query for your clusters *servicePrincipalProfile.clientId* and then delete it using the [`az ad sp delete`][az-ad-sp-delete] command. Replace the values for the `-g` parameter for the resource group name, and `-n` parameter for the cluster name:

+ ```azurecli

+ az ad sp delete --id $(az aks show -g myResourceGroup -n myAKSCluster --query servicePrincipalProfile.clientId -o tsv)

+ ```

+- When you delete an AKS cluster that was created by [`New-AzAksCluster`][new-azakscluster], the service principal created automatically isn't deleted.

+ - To delete the service principal, query for your clusters *ServicePrincipalProfile.ClientId* and then delete it using the [`Remove-AzADServicePrincipal`][remove-azadserviceprincipal] command. Replace the values for the `-ResourceGroupName` parameter for the resource group name, and `-Name` parameter for the cluster name:

+ ```azurepowershell-interactive

+ $ClientId = (Get-AzAksCluster -ResourceGroupName myResourceGroup -Name myAKSCluster ).ServicePrincipalProfile.ClientId

+ Remove-AzADServicePrincipal -ApplicationId $ClientId

+ ```

+The service principal credentials for an AKS cluster are cached by the Azure CLI. If these credentials have expired, you encounter errors during deployment of the AKS cluster. The following error message when running [`az aks create`][az-aks-create] may indicate a problem with the cached service principal credentials:

+```azurecli

+Check the expiration date of your service principal credentials using the [`az ad app credential list`][az-ad-app-credential-list] command with the `"[].endDateTime"` query.

+```azurecli

+az ad app credential list --id <app-id> --query "[].endDateTime" -o tsv

+The default expiration time for the service principal credentials is one year. If your credentials are older than one year, you can [reset the existing credentials](/update-credentials#reset-the-existing-service-principal-credentials) or [create a new service principal](/update-credentials#create-a-new-service-principal).

+The service principal credentials for an AKS cluster are cached by Azure PowerShell. If these credentials have expired, you encounter errors during deployment of the AKS cluster. The following error message when running [`New-AzAksCluster`][new-azakscluster] may indicate a problem with the cached service principal credentials:

+```azurepowershell-interactive

+Check the expiration date of your service principal credentials using the [Get-AzADAppCredential][get-azadappcredential] command. The output will show you the `StartDateTime` of your credentials.

+Get-AzADAppCredential -ApplicationId <ApplicationId>

+The default expiration time for the service principal credentials is one year. If your credentials are older than one year, you can [reset the existing credentials](/update-credentials#reset-the-existing-service-principal-credentials) or [create a new service principal](/update-credentials#create-a-new-service-principal).

+[az-ad-app-credential-list]: /cli/azure/ad/app/credential#az_ad_app_credential_list

+[get-azadappcredential]: /powershell/module/az.resources/get-azadappcredential

+Use the following command to update all secrets. Otherwise, the old secrets will still be encrypted with the previous key and the encrypt/decrypt permission on key vault is still required. For larger clusters, you may want to subdivide the secrets by namespace or script an update.

+> If you run a single system node pool for your AKS cluster in a production environment, we recommend you use at least three nodes for the node pool. If one node goes down, you lose control plane resources and redundancy is compromised. You can mitigate this risk by having more control plane nodes.

+This article explains how to manage system node pools in AKS. For information about how to use multiple node pools, see [use multiple node pools][use-multiple-node-pools].

+* See [Quotas, VM size restrictions, and region availability in AKS][quotas-skus-regions].

+* The name of a node pool may only contain lowercase alphanumeric characters and must begin with a lowercase letter. For Linux node pools, the length must be between 1 and 12 characters. For Windows node pools, the length must be between one and six characters.

+* System node pools must support at least 30 pods as described by the [minimum and maximum value formula for pods][maximum-pods].

+In this article, you learned how to create and manage system node pools in an AKS cluster. For information about how to start and stop AKS node pools, see [start and stop AKS node pools][start-stop-nodepools].

+[start-stop-nodepools]: /start-stop-nodepools.md

+| [Pass-through WebSocket APIs](websocket-api.md) | No | Yes | Yes | Yes | Yes |

+| [Pass-through GraphQL APIs](graphql-apis-overview.md) | Yes | Yes | Yes | Yes | Yes |

+| [Synthetic GraphQL APIs](graphql-apis-overview.md) | Yes | Yes | Yes | Yes | Yes |

+⁴ The following policies aren't available in the Consumption tier: rate limit by key and quota by key.

+| [Pass-through GraphQL](graphql-apis-overview.md) | ✔️ | ✔️ | ❌ |

+| [Synthetic GraphQL](graphql-apis-overview.md)| ✔️ | ✔️ | ❌ |

+| [Pass-through WebSocket](websocket-api.md) | ✔️ | ❌ | ❌ |

+| [GraphQL resolvers](api-management-policies.md#graphql-resolver-policies) and [GraphQL validation](api-management-policies.md#validation-policies)| ✔️ | ✔️ | ❌ |

+| [Get authorization context](get-authorization-context-policy.md) | ✔️ | ✔️ | ❌ |

+1. For the location you would like to remove, select the context menu using the **...** button at the right end of the table. Select **Delete**.

+1. Confirm the deletion and select **Save** to apply the changes.

+## Disable routing to a regional gateway

+Under some conditions, you might need to temporarily disable routing to one of the regional gateways. For example:

+* After adding a new region, to keep it disabled while you configure and test the regional backend service

+* During regular backend maintenance in a region

+* To redirect traffic to other regions during a planned disaster recovery drill that simulates an unavailable region, or during a regional failure

+To disable routing to a regional gateway in your API Management instance, update the gateway's `disableGateway` property value to `true`. You can set the value using the [Create or update service](/rest/api/apimanagement/current-glet, or other Azure tools.

+

+To disable a regional gateway using the Azure CLI:

+1. Use the [az apim show](/cli/azure/apim#az-apim-show) command to show the locations, gateway status, and regional URLs configured for the API Management instance.

+ ```azurecli

+ az apim show --name contoso --resource-group myResourceGroup \

+ --query "additionalLocations[].{Location:location,Disabled:disableGateway,Url:gatewayRegionalUrl}" \

+ --output table

+ ```

+ Example output:

+ ```

+ Location Disabled Url

+ - -

+ West US 2 True https://contoso-westus2-01.regional.azure-api.net

+ West Europe True https://contoso-westeurope-01.regional.azure-api.net

+ ```

+1. Use the [az apim update](/cli/azure/apim#az-apim-update) command to disable the gateway in an available location, such as West US 2.

+ ```azurecli

+ az apim update --name contoso --resource-group myResourceGroup \

+ --set additionalLocations[location="West US 2"].disableGateway=true

+ ```

+ The update may take a few minutes.

+1. Verify that traffic directed to the regional gateway URL is redirected to another region.

+

+To restore routing to the regional gateway, set the value of `disableGateway` to `false`.

+### GraphQL resolver policies

+In API Management, a [GraphQL resolver](configure-graphql-resolver.md) is configured using policies scoped to a specific operation type and field in a [GraphQL schema](graphql-apis-overview.md#resolvers).

+* Currently, API Management supports GraphQL resolvers that specify HTTP data sources. Configure a single [`http-data-source`](http-data-source-policy.md) policy with elements to specify a request to (and optionally response from) an HTTP data source.

+* You can't include a resolver policy in policy definitions at other scopes such as API, product, or all APIs. It also doesn't inherit policies configured at other scopes.

+* The gateway evaluates a resolver-scoped policy *after* any configured `inbound` and `backend` policies in the policy execution pipeline.

+For more information, see [Configure a GraphQL resolver](configure-graphql-resolver.md).

+## GraphQL resolver policies

+- [HTTP data source for resolver](http-data-source-policy.md) - Configures the HTTP request and optionally the HTTP response to resolve data for an object type and field in a GraphQL schema.

+- [Publish event to GraphQL subscription](publish-event-policy.md) - Publishes an event to one or more subscriptions specified in a GraphQL API schema. Used in the `http-response` element of the `http-data-source` policy

+- [Validate GraphQL request](validate-graphql-request-policy.md) - Validates and authorizes a request to a GraphQL API.

+|`context`|[`Api`](#ref-context-api): [`IApi`](#ref-iapi)<br /><br /> [`Deployment`](#ref-context-deployment)<br /><br /> Elapsed: `TimeSpan` - time interval between the value of `Timestamp` and current time<br /><br /> [`GraphQL`](#ref-context-graphql)<br /><br />[`LastError`](#ref-context-lasterror)<br /><br /> [`Operation`](#ref-context-operation)<br /><br /> [`Request`](#ref-context-request)<br /><br /> `RequestId`: `Guid` - unique request identifier<br /><br /> [`Response`](#ref-context-response)<br /><br /> [`Subscription`](#ref-context-subscription)<br /><br /> `Timestamp`: `DateTime` - point in time when request was received<br /><br /> `Tracing`: `bool` - indicates if tracing is on or off <br /><br /> [User](#ref-context-user)<br /><br /> [`Variables`](#ref-context-variables): `IReadOnlyDictionary<string, object>`<br /><br /> `void Trace(message: string)`|

+|<a id="ref-context-graphql"></a>`context.GraphQL`|`GraphQLArguments`: `IGraphQLDataObject`<br /><br /> `Parent`: `IGraphQLDataObject`<br/><br/>[Examples](configure-graphql-resolver.md#graphql-context)|

+|<a id="ref-igraphqldataobject"></a>`IGraphQLDataObject`|TBD<br /><br />|

+ Title: Configure GraphQL resolver in Azure API Management

+description: Configure a GraphQL resolver in Azure AI Management for a field in an object type specified in a GraphQL schema

+# Configure a GraphQL resolver

+Configure a resolver to retrieve or set data for a GraphQL field in an object type specified in a GraphQL schema. The schema must be imported to API Management. Currently, API Management supports resolvers that use HTTP-based data sources (REST or SOAP APIs).

+* A resolver is a resource containing a policy definition that's invoked only when a matching object type and field is executed.

+* Each resolver resolves data for a single field. To resolve data for multiple fields, configure a separate resolver for each.

+* Resolver-scoped policies are evaluated *after* any `inbound` and `backend` policies in the policy execution pipeline. They don't inherit policies from other scopes. For more information, see [Policies in API Management](api-management-howto-policies.md).

+> [!IMPORTANT]

+> * If you use the preview `set-graphql-resolver` policy in policy definitions, you should migrate to the managed resolvers described in this article.

+> * After you configure a managed resolver for a GraphQL field, the gateway will skip the `set-graphql-resolver` policy in any policy definitions. You can't combine use of managed resolvers and the `set-graphql-resolver` policy in your API Management instance.

+## Prerequisites

+- An existing API Management instance. [Create one if you haven't already](get-started-create-service-instance.md).

+- Import a [pass-through](graphql-api.md) or [synthetic](graphql-schema-resolve-api.md) GraphQL API.

+## Create a resolver

+1. In the [Azure portal](https://portal.azure.com), navigate to your API Management instance.

+1. In the left menu, select **APIs** and then the name of your GraphQL API.

+1. On the **Design** tab, review the schema for a field in an object type where you want to configure a resolver.

+ 1. Select a field, and then in the left margin, hover the pointer.

+ 1. Select **+ Add Resolver**.

+ :::image type="content" source="media/configure-graphql-resolver/add-resolver.png" alt-text="Screenshot of adding a resolver from a field in GraphQL schema in the portal.":::

+1. On the **Create Resolver** page, update the **Name** property if you want to, optionally enter a **Description**, and confirm or update the **Type** and **Field** selections.

+1. In the **Resolver policy** editor, update the [`http-data-source`](http-data-source-policy.md) policy with child elements for your scenario.

+ 1. Update the required `http-request` element with policies to transform the GraphQL operation to an HTTP request.

+ 1. Optionally add an `http-response` element, and add child policies to transform the HTTP response of the resolver. If the `http-response` element isn't specified, the response is returned as a raw string.

+ 1. Select **Create**.

+

+ :::image type="content" source="media/configure-graphql-resolver/configure-resolver-policy.png" alt-text="Screenshot of resolver policy editor in the portal." lightbox="media/configure-graphql-resolver/configure-resolver-policy.png":::

+1. The resolver is attached to the field. Go to the **Resolvers** tab to list and manage the resolvers configured for the API.

+ :::image type="content" source="media/configure-graphql-resolver/list-resolvers.png" alt-text="Screenshot of the resolvers list for GraphQL API in the portal." lightbox="media/configure-graphql-resolver/list-resolvers.png":::

+ > [!TIP]

+ > The **Linked** column indicates whether or not the resolver is configured for a field that's currently in the GraphQL schema. If a resolver isn't linked, it can't be invoked.

+## GraphQL context

+* The context for the HTTP request and HTTP response (if specified) differs from the context for the original gateway API request:

+ * `context.GraphQL` properties are set to the arguments (`Arguments`) and parent object (`Parent`) for the current resolver execution.

+ * The HTTP request context contains arguments that are passed in the GraphQL query as its body.

+ * The HTTP response context is the response from the independent HTTP call made by the resolver, not the context for the complete response for the gateway request.

+The `context` variable that is passed through the request and response pipeline is augmented with the GraphQL context when used with a GraphQL resolver.

+### context.GraphQL.parent

+The `context.ParentResult` is set to the parent object for the current resolver execution. Consider the following partial schema:

+``` graphql

+type Comment {

+ id: ID!

+ owner: string!

+ content: string!

+}

+type Blog {

+ id: ID!

+ Title: string!

+ content: string!

+ comments: [Comment]!

+ comment(id: ID!): Comment

+}

+type Query {

+ getBlog(): [Blog]!

+ getBlog(id: ID!): Blog

+}

+```

+Also, consider a GraphQL query for all the information for a specific blog:

+``` graphql

+query {

+ getBlog(id: 1) {

+ title

+ content

+ comments {

+ id

+ owner

+ content

+ }

+ }

+}

+```

+If you set a resolver for the `comments` field in the `Blog` type, you'll want to understand which blog ID to use. You can get the ID of the blog using `context.GraphQL.Parent["id"]` as shown in the following resolver:

+``` xml

+<http-data-source>

+ <http-request>

+ <set-method>GET</set-method>

+ <set-url>@($"https://data.contoso.com/api/blog/{context.GraphQL.Parent["id"]}")

+ }</set-url>

+ </http-request>

+</http-data-source>

+```

+### context.GraphQL.Arguments

+The arguments for a parameterized GraphQL query are added to `context.GraphQL.Arguments`. For example, consider the following two queries:

+``` graphql

+query($id: Int) {

+ getComment(id: $id) {

+ content

+ }

+}

+query {

+ getComment(id: 2) {

+ content

+ }

+}

+```

+These queries are two ways of calling the `getComment` resolver. GraphQL sends the following JSON payload:

+``` json

+{

+ "query": "query($id: Int) { getComment(id: $id) { content } }",

+ "variables": { "id": 2 }

+}

+{

+ "query": "query { getComment(id: 2) { content } }"

+}

+```

+You can define the resolver as follows:

+``` xml

+<http-data-source>

+ <http-request>

+ <set-method>GET</set-method>

+ <set-url>@($"https://data.contoso.com/api/comment/{context.GraphQL.Arguments["id"]}")</set-url>

+ </http-request>

+</http-data-source>

+```

+## Next steps

+For more resolver examples, see:

+* [GraphQL resolver policies](api-management-policies.md#graphql-resolver-policies)

+* [Samples APIs for Azure API Management](https://github.com/Azure-Samples/api-management-sample-apis)

+ Title: Add a GraphQL API to Azure API Management | Microsoft Docs

+> * Add a pass-through GraphQL API to your API Management instance.

+ :::image type="content" source="media/graphql-api/create-from-graphql-endpoint.png" alt-text="Screenshot of fields for creating a GraphQL API.":::

+ | **GraphQL type** | Select **Pass-through GraphQL** to import from an existing GraphQL API endpoint. |

+ | **GraphQL API endpoint** | The base URL with your GraphQL API endpoint name. <br /> For example: *`https://example.com/your-GraphQL-name`*. You can also use a common "swapi" GraphQL endpoint such as `https://swapi-graphql.azure-api.net/graphql` as a demo. |

+ | **URL scheme** | Make a selection based on your GraphQL endpoint. Select one of the options that includes a WebSocket scheme (**WS** or **WSS**) if your GraphQL API includes the subscription type. Default selection: *HTTP(S)*. |

+1. After the API is created, browse or modify the schema on the **Design** tab.

+### Test a subscription

+If your GraphQL API supports a subscription, you can test it in the test console.

+1. Ensure that your API allows a WebSocket URL scheme (**WS** or **WSS**) that's appropriate for your API. You can enable this setting on the **Settings** tab.

+1. Set up a subscription query in the query editor, and then select **Connect** to establish a WebSocket connection to the backend service.

+ :::image type="content" source="media/graphql-api/test-graphql-subscription.png" alt-text="Screenshot of a subscription query in the query editor.":::

+1. Review connection details in the **Subscription** pane.

+ :::image type="content" source="media/graphql-api/graphql-websocket-connection.png" alt-text="Screenshot of Websocket connection in the portal.":::

+

+1. Subscribed events appear in the **Subscription** pane. The WebSocket connection is maintained until you disconnect it or you connect to a new WebSocket subscription.

+ :::image type="content" source="media/graphql-api/graphql-subscription-event.png" alt-text="Screenshot of GraphQL subscription events in the portal.":::

+## Secure your GraphQL API

+Secure your GraphQL API by applying both existing [access control policies](api-management-policies.md#access-restriction-policies) and a [GraphQL validation policy](validate-graphql-request-policy.md) to protect against GraphQL-specific attacks.

+ Title: Support for GraphQL APIs - Azure API Management

+description: Learn about GraphQL and how Azure API Management helps you manage GraphQL APIs.

+# Overview of GraphQL APIs in Azure API Management

+You can use API Management to manage GraphQL APIs - APIs based on the GraphQL query language. GraphQL provides a complete and understandable description of the data in an API, giving clients the power to efficiently retrieve exactly the data they need. [Learn more about GraphQL](https://graphql.org/learn/)

+API Management helps you import, manage, protect, test, publish, and monitor GraphQL APIs. You can choose one of two API models:

+|Pass-through GraphQL |Synthetic GraphQL |

+|||

+| ▪️ Pass-through API to existing GraphQL service endpoint<br><br/>▪️ Support for GraphQL queries, mutations, and subscriptions | ▪️ API based on a custom GraphQL schema<br></br>▪️ Support for GraphQL queries, mutations, and subscriptions<br/><br/>▪️ Configure custom resolvers, for example, to HTTP data sources<br/><br/>▪️ Develop GraphQL schemas and GraphQL-based clients while consuming data from legacy APIs |

+## Availability

+* GraphQL APIs are supported in all API Management service tiers

+* Pass-through and synthetic GraphQL APIs currently aren't supported in a self-hosted gateway

+* GraphQL subscription support in synthetic GraphQL APIs is currently in preview

+## What is GraphQL?

+GraphQL is an open-source, industry-standard query language for APIs. Unlike REST-style APIs designed around actions over resources, GraphQL APIs support a broader set of use cases and focus on data types, schemas, and queries.

+The GraphQL specification explicitly solves common issues experienced by client web apps that rely on REST APIs:

+* It can take a large number of requests to fulfill the data needs for a single page

+* REST APIs often return more data than needed the page being rendered

+* The client app needs to poll to get new information

+Using a GraphQL API, the client app can specify the data they need to render a page in a query document that is sent as a single request to a GraphQL service. A client app can also subscribe to data updates pushed from the GraphQL service in real time.

+## Schema and operation types

+In API Management, add a GraphQL API from a GraphQL schema, either retrieved from a backend GraphQL API endpoint or uploaded by you. A GraphQL schema describes:

+* Data object types and fields that clients can request from a GraphQL API

+* Operation types allowed on the data, such as queries

+For example, a basic GraphQL schema for user data and a query for all users might look like:

+```

+type Query {

+ users: [User]

+}

+type User {

+ id: String!

+ name: String!

+}

+```

+API Management supports the following operation types in GraphQL schemas. For more information about these operation types, see the [GraphQL specification](https://spec.graphql.org/October2021/#sec-Subscription-Operation-Definitions).

+* **Query** - Fetches data, similar to a `GET` operation in REST

+* **Mutation** - Modifies server-side data, similar to a `PUT` or `PATCH` operation in REST

+* **Subscription** - Enables notifying subscribed clients in real time about changes to data on the GraphQL service

+ For example, when data is modified via a GraphQL mutation, subscribed clients could be automatically notified about the change.

+> [!IMPORTANT]

+> API Management supports subscriptions implemented using the [graphql-ws](https://github.com/enisdenjo/graphql-ws) WebSocket protocol. Queries and mutations aren't supported over WebSocket.

+>

+## Resolvers

+*Resolvers* take care of mapping the GraphQL schema to backend data, producing the data for each field in an object type. The data source could be an API, a database, or another service. For example, a resolver function would be responsible for returning data for the `users` query in the preceding example.

+In API Management, you can create a *custom resolver* to map a field in an object type to a backend data source. You configure resolvers for fields in synthetic GraphQL API schemas, but you can also configure them to override the default field resolvers used by pass-through GraphQL APIs.

+API Management currently supports HTTP-based resolvers to return the data for fields in a GraphQL schema. To use an HTTP-based resolver, configure a [`http-data-source`](http-data-source-policy.md) policy that transforms the API request (and optionally the response) into an HTTP request/response.

+For example, a resolver for the preceding `users` query might map to a `GET` operation in a backend REST API:

+```xml

+<http-data-source>

+ <http-request>

+ <set-method>GET</set-method>

+ <set-url>https://myapi.contoso.com/api/users</set-url>

+ </http-request>

+</http-data-source>

+```

+For more information, see [Configure a GraphQL resolver](configure-graphql-resolver.md).

+## Manage GraphQL APIs

+* Secure GraphQL APIs by applying both existing access control policies and a [GraphQL validation policy](validate-graphql-request-policy.md) to secure and protect against GraphQL-specific attacks.

+* Explore the GraphQL schema and run test queries against the GraphQL APIs in the Azure and developer portals.

+## Next steps

+- [Import a GraphQL API](graphql-api.md)

+- [Import a GraphQL schema and set up field resolvers](graphql-schema-resolve-api.md)

+ Title: Add a synthetic GraphQL API to Azure API Management | Microsoft Docs

+description: Add a synthetic GraphQL API by importing a GraphQL schema to API Management and configuring field resolvers that use HTTP-based data sources.

+# Add a synthetic GraphQL API and set up field resolvers

+> * Set up a resolver for a GraphQL query using an existing HTTP endpoint

+1. Under **Define a new API**, select the **GraphQL** icon.

+ :::image type="content" source="media/graphql-api/import-graphql-api.png" alt-text="Screenshot of selecting GraphQL icon from list of APIs.":::

+ | Field | Description |

+ | **GraphQL type** | Select **Synthetic GraphQL** to import from a GraphQL schema file. |

+ | **Fallback GraphQL endpoint** | Optionally enter a URL with a GraphQL API endpoint name. API Management passes GraphQL queries to this endpoint when a custom resolver isn't set for a field. |

+ | **Description** | Add a description of your API. |

+ | **URL scheme** | Make a selection based on your GraphQL endpoint. Select one of the options that includes a WebSocket scheme (**WS** or **WSS**) if your GraphQL API includes the subscription type. Default selection: *HTTP(S)*. |

+1. After the API is created, browse or modify the schema on the **Design** tab.

+Configure a resolver to map a field in the schema to an existing HTTP endpoint.

+<!-- Add link to resolver how-to article for details -->

+1. On the **Design** tab, review the schema for a field in an object type where you want to configure a resolver.

+ 1. Select a field, and then in the left margin, hover the pointer.

+ 1. Select **+ Add Resolver**

+ :::image type="content" source="media/graphql-schema-resolve-api/add-resolver.png" alt-text="Screenshot of adding a GraphQL resolver in the portal.":::

+1. On the **Create Resolver** page, update the **Name** property if you want to, optionally enter a **Description**, and confirm or update the **Type** and **Field** selections.

+1. In the **Resolver policy** editor, update the `<http-data-source>` element with child elements for your scenario. For example, the following resolver retrieves the *users* field by using a `GET` call on an existing HTTP data source.

+

+ :::image type="content" source="media/graphql-schema-resolve-api/configure-resolver-policy.png" alt-text="Screenshot of configuring resolver policy in the portal.":::

+1. Select **Create**.

+1. To resolve data for another field in the schema, repeat the preceding steps to create a resolver.

+## Secure your GraphQL API

+Secure your GraphQL API by applying both existing [access control policies](api-management-policies.md#access-restriction-policies) and a [GraphQL validation policy](validate-graphql-request-policy.md) to protect against GraphQL-specific attacks.

+ Title: Azure API Management policy reference - http-data-source | Microsoft Docs

+description: Reference for the http-data-source resolver policy available for use in Azure API Management. Provides policy usage, settings, and examples.

+# HTTP data source for a resolver

+The `http-data-source` resolver policy configures the HTTP request and optionally the HTTP response to resolve data for an object type and field in a GraphQL schema. The schema must be imported to API Management.

+## Policy statement

+```xml

+<http-data-source>

+ <http-request>

+ <set-method>...set-method policy configuration...</set-method>

+ <set-url>URL</set-url>

+ <set-header>...set-header policy configuration...</set-header>

+ <set-body>...set-body policy configuration...</set-body>

+ <authentication-certificate>...authentication-certificate policy configuration...</authentication-certificate>

+ </http-request>

+ <http-response>

+ <xml-to-json>...xml-to-json policy configuration...</xml-to-json>

+ <find-and-replace>...find-and-replace policy configuration...</find-and-replace>

+ <set-body>...set-body policy configuration...</set-body>

+ <publish-event>...publish-event policy configuration...</publish-event>

+ </http-response>

+</http-data-source>

+```

+## Elements

+|Name|Description|Required|

+|-|--|--|

+| http-request | Specifies a URL and child policies to configure the resolver's HTTP request. Each child element can be specified at most once. | Yes |

+| http-response | Optionally specifies child policies to configure the resolver's HTTP response. If not specified, the response is returned as a raw string. Each child element can be specified at most once. | No |

+### http-request elements

+> [!NOTE]

+> Each child element may be specified at most once. Specify elements in the order listed.

+|Element|Description|Required|

+|-|--|--|

+| [set-method](set-method-policy.md) | Sets the method of the resolver's HTTP request. | Yes |

+| set-url | Sets the URL of the resolver's HTTP request. | Yes |

+| [set-header](set-header-policy.md) | Sets a header in the resolver's HTTP request. | No |

+| [set-body](set-body-policy.md) | Sets the body in the resolver's HTTP request. | No |

+| [authentication-certificate](authentication-certificate-policy.md) | Authenticates using a client certificate in the resolver's HTTP request. | No |

+### http-response elements

+> [!NOTE]

+> Each child element may be specified at most once. Specify elements in the order listed.

+|Name|Description|Required|

+|-|--|--|

+| [xml-to-json](xml-to-json-policy.md) | Transforms the resolver's HTTP response from XML to JSON. | No |

+| [find-and-replace](find-and-replace-policy.md) | Finds a substring in the resolver's HTTP response and replaces it with a different substring. | No |

+| [set-body](set-body-policy.md) | Sets the body in the resolver's HTTP response. | No |

+| [publish-event](publish-event-policy.md) | Publishes an event to one or more subscriptions specified in the GraphQL API schema. | No |

+## Usage

+- [**Policy scopes:**](./api-management-howto-policies.md#scopes) GraphQL resolver

+- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption

+### Usage notes

+* This policy is invoked only when resolving a single field in a matching GraphQL query, mutation, or subscription.

+## Examples

+### Resolver for GraphQL query

+The following example resolves a query by making an HTTP `GET` call to a backend data source.

+#### Example schema

+```

+type Query {

+ users: [User]

+}

+type User {

+ id: String!

+ name: String!

+}

+```

+#### Example policy

+```xml

+<http-data-source>

+ <http-request>

+ <set-method>GET</set-method>

+ <set-url>https://data.contoso.com/get/users</set-url>

+ </http-request>

+</http-data-source>

+```

+### Resolver for a GraqhQL query that returns a list, using a liquid template

+The following example uses a liquid template, supported for use in the [set-body](set-body-policy.md) policy, to return a list in the HTTP response to a query. It also renames the `username` field in the response from the REST API to `name` in the GraphQL response.

+#### Example schema

+```

+type Query {

+ users: [User]

+}

+type User {

+ id: String!

+ name: String!

+}

+```

+#### Example policy

+```xml

+<http-data-source>

+ <http-request>

+ <set-method>GET</set-method>

+ <set-url>https://data.contoso.com/users</set-url>

+ </http-request>

+ <http-response>

+ <set-body template="liquid">

+ [

+ {% JSONArrayFor elem in body %}

+ {

+ "name": "{{elem.username}}"

+ }

+ {% endJSONArrayFor %}

+ ]

+ </set-body>

+ </http-response>

+</http-data-source>

+```

+### Resolver for GraphQL mutation

+The following example resolves a mutation that inserts data by making a `POST` request to an HTTP data source. The policy expression in the `set-body` policy of the HTTP request modifies a `name` argument that is passed in the GraphQL query as its body. The body that is sent will look like the following JSON:

+``` json

+{

+ "name": "the-provided-name"

+}

+```

+#### Example schema

+```

+type Query {

+ users: [User]

+}

+type Mutation {

+ makeUser(name: String!): User

+}

+type User {

+ id: String!

+ name: String!

+}

+```

+#### Example policy

+```xml

+<http-data-source>

+ <http-request>

+ <set-method>POST</set-method>

+ <set-url> https://data.contoso.com/user/create </set-url>

+ <set-header name="Content-Type" exists-action="override">

+ <value>application/json</value>

+ </set-header>

+ <set-body>@{

+ var args = context.Request.Body.As<JObject>(true)["arguments"];

+ JObject jsonObject = new JObject();

+ jsonObject.Add("name", args["name"])

+ return jsonObject.ToString();

+ }</set-body>

+ </http-request>

+</http-data-source>

+```

+## Related policies

+* [GraphQL resolver policies](api-management-policies.md#graphql-resolver-policies)

+ Title: Azure API Management policy reference - publish-event | Microsoft Docs

+description: Reference for the publish-event policy available for use in Azure API Management. Provides policy usage, settings, and examples.

+# Publish event to GraphQL subscription

+The `publish-event` policy publishes an event to one or more subscriptions specified in a GraphQL API schema. Configure the policy using an [http-data-source](http-data-source-policy.md) GraphQL resolver for a related field in the schema for another operation type such as a mutation. At runtime, the event is published to connected GraphQL clients. Learn more about [GraphQL APIs in API Management](graphql-apis-overview.md).

+<!--Link to resolver configuration article -->

+## Policy statement

+```xml

+<http-data-source

+ <http-request>

+ [...]

+ </http-request>

+ <http-response>

+ [...]

+ <publish-event>

+ <targets>

+ <graphql-subscription id="subscription field" />

+ </targets>

+ </publish-event>

+ </http-response>

+</http-data-source>

+```

+## Elements

+|Name|Description|Required|

+|-|--|--|

+| targets | One or more subscriptions in the GraphQL schema, specified in `target` subelements, to which the event is published. | Yes |

+## Usage

+- [**Policy sections:**](./api-management-howto-policies.md#sections) `http-response` element in `http-data-source` resolver

+- [**Policy scopes:**](./api-management-howto-policies.md#scopes) GraphQL resolver only

+- [**Gateways:**](api-management-gateways-overview.md) dedicated, consumption

+### Usage notes

+* This policy is invoked only when a related GraphQL query or mutation is executed.

+## Example

+The following example policy definition is configured in a resolver for the `createUser` mutation. It publishes an event to the `onUserCreated` subscription.

+### Example schema

+```

+type User {

+ id: Int!

+ name: String!

+}

+type Mutation {

+ createUser(id: Int!, name: String!): User

+}

+type Subscription {

+ onUserCreated: User!

+}

+```

+### Example policy

+```xml

+<http-data-source>

+ <http-request>

+ <set-method>POST</set-method>

+ <set-url>https://contoso.com/api/user</set-url>

+ <set-body template="liquid">{ "id" : {{body.arguments.id}}, "name" : "{{body.arguments.name}}"}</set-body>

+ </http-request>

+ <http-response>

+ <publish-event>

+ <targets>

+ <graphql-subscription id="onUserCreated" />

+ </targets>

+ </publish-event>

+ </http-response>

+</http-data-source>

+```

+## Related policies

+* [GraphQL resolver policies](api-management-policies.md#graphql-resolver-policies)

+The `redirect-content-urls` policy rewrites (masks) links in the response body so that they point to the equivalent link via the gateway. Use in the outbound section to rewrite response body links to the backend service to make them point to the gateway. Use in the inbound section for an opposite effect.

+description: Reference for the set-graphql-resolver policy in Azure API Management. Provides policy usage, settings, and examples. This policy is retired.

+# Set GraphQL resolver (retired)

+> [!IMPORTANT]

+> * The `set-graphql-resolver` policy is retired. Customers using the `set-graphql-resolver` policy must migrate to the [managed resolvers](configure-graphql-resolver.md) for GraphQL APIs, which provide enhanced functionality.

+> * After you configure a managed resolver for a GraphQL field, the gateway skips the `set-graphql-resolver` policy in any policy definitions. You can't combine use of managed resolvers and the `set-graphql-resolver` policy in your API Management instance.

+The `set-graphql-resolver` policy retrieves or sets data for a GraphQL field in an object type specified in a GraphQL schema. The schema must be imported to API Management. Currently the data must be resolved using an HTTP-based data source (REST or SOAP API).

+### 1.6.4 (February 2023)

+Changes made for this version:

+- Disabled extension reconciler (which attempts to restore the Flux extension if it fails). This resolves a potential bug where, if the reconciler is unable to recover a failed Flux extension and `prune` is set to `true`, the extension and deployed objects may be deleted.

+Capabilities of the Azure Key Vault Secrets Provider extension include:

+- Ensure you've met the [general prerequisites for cluster extensions](extensions.md#prerequisites). You must use version 0.4.0 or newer of the `k8s-extension` Azure CLI extension.

+1. Follow the prompts to deploy the extension. If needed, customize the installation by changing the default options on the **Configuration** tab.

+2. Install the Secrets Store CSI Driver and the Azure Key Vault Secrets Provider extension by running the following command:

+You should see output similar to this example. Note that it may take several minutes before the secrets provider Helm chart is deployed to the cluster.

+You should see output similar to this example.

+Currently, the Secrets Store CSI Driver on Arc-enabled clusters can be accessed through a service principal. Follow these steps to provide an identity that can access your Key Vault.

+1. Follow the steps [to create a service principal in Azure](../../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal). Take note of the Client ID and Client Secret generated in this step.

+1. Provide Azure Key Vault GET permission to the created service principal by [following these steps](../../key-vault/general/assign-access-policy.md).

+1. Use the client ID and Client Secret from the first step to create a Kubernetes secret on the connected cluster:

+The Azure Key Vault Secrets Provider extension supports [Helm chart configurations](https://github.com/Azure/secrets-store-csi-driver-provider-azure/blob/master/charts/csi-secrets-store-provider-azure/README.md#configuration).

+The following configuration settings are frequently used with the Azure Key Vault Secrets Provider extension:

+| rotationPollInterval | 2m | If `enableSecretRotation` is `true`, specifies the secret rotation poll interval duration. This duration can be adjusted based on how frequently the mounted contents for all pods and Kubernetes secrets need to be resynced to the latest. |

+You can also change these settings after installation by using the `az k8s-extension update` command:

+You can use other configuration settings as needed for your deployment. For example, to change the kubelet root directory while creating a cluster, modify the az k8s-extension create command:

+```azurecli-interactive

+az k8s-extension create --cluster-name $CLUSTER_NAME --resource-group $RESOURCE_GROUP --cluster-type connectedClusters --extension-type Microsoft.AzureKeyVaultSecretsProvider --name akvsecretsprovider --configuration-settings linux.kubeletRootDir=/path/to/kubelet secrets-store-csi-driver.enable secrets-store-csi-driver.linux.kubeletRootDir=/path/to/kubelet

+```

+If the extension was successfully removed, you won't see the Azure Key Vault Secrets Provider extension listed in the output. If you don't have any other extensions installed on your cluster, you'll see an empty array.

+The Azure Key Vault Secrets Provider extension is self-healing. If somebody tries to change or delete an extension component that was deployed when the extension was installed, that component will be reconciled to its original state. The only exceptions are for Custom Resource Definitions (CRDs). If CRDs are deleted, they won't be reconciled. To restore deleted CRDs, use the `az k8s-extension create` command again with the existing extension instance name.

+ Title: How to organize and inventory servers using hierarchies, tagging, and reporting

+description: Learn how to organize and inventory servers using hierarchies, tagging, and reporting.

+# Organize and inventory servers with hierarchies, tagging, and reporting

+Azure Arc-enabled servers allows customers to develop an inventory across hybrid, multicloud, and edge workloads with the organizational and reporting capabilities native to Azure management. Azure Arc-enabled servers supports a breadth of platforms and distributions across Windows and Linux. Arc-enabled servers is also domain agnostic and integrates with Azure Lighthouse for multi-tenant customers.

+By projecting resources into the Azure management plane, Azure Arc empowers customers to leverage the organizational, tagging, and querying capabilities native to Azure.

+## Organize resources with built-in Azure hierarchies

+Azure provides four levels of management scope:

+- Management groups

+- Subscriptions

+- Resource groups

+- Resources

+These levels of management help to manage access, policies, and compliance more efficiently. For example, if you apply a policy at one level, it propagates down to lower levels, helping improve governance posture. Moreover, these levels can be used to scope policies and security controls. For Arc-enabled servers, the different business units, applications, or workloads can be used to derive the hierarchical structure in Azure. Once resources have been onboarded to Azure Arc, you can seamlessly move an Arc-enabled server between different resource groups and scopes.

+## Tagging resources to capture additional, customizable metadata

+Tags are metadata elements you apply to your Azure resources. They are key-value pairs that help identify resources, based on settings relevant to your organization. For example, you can tag the environment for a resource as *Production* or *Testing*. Alternatively, you can use tagging to capture the ownership for a resource, separating the *Creator* or *Administrator*. Tags can also capture details on the resource itself, such as the physical datacenter, business unit, or workload. You can apply tags to your Azure resources, resource groups, and subscriptions. This extends to infrastructure outside of Azure as well, through Azure Arc.

+You can define tags in Azure portal through a simple point and click method. Tags can be defined when onboarding servers to Azure Arc-enabled servers or on a per-server basis. Alternatively, you can use Azure CLI, Azure PowerShell, ARM templates, or Azure policy for scalable tag deployments. Tags can be used to filter operations as well, such as the deployment of extensions or service attachments. This provides not only a more comprehensive inventory of your servers, but also operational flexibility and ease of management.

+## Reporting and querying with Azure Resource Graph (ARG)

+Numerous types of data are collected with Azure Arc-enabled servers as part of the instance metadata. This includes the platform, operating system, presence of SQL server, or AWS and GCP details. These attributes can be queried at scale using Azure Resource Graph.

+Azure Resource Graph is an Azure service designed to extend Azure Resource Management by providing efficient and performant resource exploration with the ability to query at scale across a given set of subscriptions so that you can effectively govern your environment. These queries provide the ability to query resources with complex filtering, grouping, and sorting by resource properties.

+Results can be easily visualized and exported to other reporting solutions. Moreover there are dozens of built-in Azure Resource Graph queries capturing salient information across Azure VMs and Arc-enabled servers, such as their VM extensions, regional breakdown, and operating systems.

+## Additional resources

+* [What is Azure Resource Graph?](../../governance/resource-graph/overview.md)

+* [Azure Resource Graph sample queries for Azure Arc-enabled servers](resource-graph-samples.md)

+* [Use tags to organize your Azure resources and management hierarchy](/azure/azure-resource-manager/management/tag-resources?tabs=json)

+## Using modules with active geo-replication

+Only the `RediSearch` and `RedisJSON` modules can be used concurrently with [active geo-replication](cache-how-to-active-geo-replication.md).

+Using these modules, you can implement searches across groups of caches that are synchronized in an active-active configuration. Also, you can search JSON structures in your active-active configuration.

+| **Bloom and Cuckoo filters** | Tells you if an item is either (a) definitely not in a set or (b) potentially in a set. | Checking if an email has already been sent to a user|

+|**Top-k** | Finds the `k` most frequently seen items | Determine the most frequent words used in War and Peace. (for example, setting k = 50 returns the 50 most common words in the book) |

+1. To configure the Linux computer to connect to a Log Analytics workspace in Azure Government or Azure China cloud, run the following command that provides the workspace ID and primary key copied earlier, substituting `opinsights.azure.us` or `opinsights.azure.cn` respectively for the domain name:

+ sudo sh ./omsagent-*.universal.x64.sh --upgrade -w <workspace id> -s <shared key> -d <domain name>

+This section lists all supported platforms and frameworks.

+## Frequently asked questions

+Review [frequently asked questions](../faq.yml).

+Review dedicated [troubleshooting articles](/troubleshoot/azure/azure-monitor/welcome-azure-monitor) for Application Insights.

+## Help and support

+- [Auto-instrumentation overview](codeless-overview.md)

+- [Overview dashboard](overview-dashboard.md)

+- [Availability overview](availability-overview.md)

+- [Application Map](app-map.md)

+Microsoft doesn't recommend using any other telemetry SDKs for Python as a telemetry solution because they're unsupported.

+ """Generate random log data."""

+ for num in range(5):

+ logger.warning(f"Log Entry - {num}")

+1. A log entry is emitted for each number in the range.

+ Log Entry - 0

+ Log Entry - 1

+ Log Entry - 2

+ Log Entry - 3

+ Log Entry - 4

+1. We want to see this log data to Azure Monitor. You can specify it in an environment variable, `APPLICATIONINSIGHTS_CONNECTION_STRING`. You may also pass the connection_string directly into the `AzureLogHandler`, but connection strings shouldn't be added to version control.

+ ```shell

+ APPLICATIONINSIGHTS_CONNECTION_STRING=<appinsights-connection-string>

+ ```

+ We recommend using the connection string to instantiate the exporters that are used to send telemetry to Application Insights. Modify your code from the previous step based on the following code sample:

+ ```python

+ import logging

+ from opencensus.ext.azure.log_exporter import AzureLogHandler

+ logger = logging.getLogger(__name__)

+ logger.addHandler(AzureLogHandler())

+ # Alternatively manually pass in the connection_string

+ # logger.addHandler(AzureLogHandler(connection_string=<appinsights-connection-string>)

+ """Generate random log data."""

+ for num in range(5):

+ logger.warning(f"Log Entry - {num}")

+ ```

+ In this context, `traces` isn't the same as `tracing`. Here, `traces` refers to the type of telemetry that you see in Azure Monitor when you utilize `AzureLogHandler`. But `tracing` refers to a concept in OpenCensus and relates to [distributed tracing](./distributed-tracing.md).

+ logger.addHandler(AzureLogHandler())

+ # Alternatively manually pass in the connection_string

+ # logger.addHandler(AzureLogHandler(connection_string=<appinsights-connection-string>)

+You can configure logging explicitly in your application code like the preceding for your Django applications, or you can specify it in Django's logging configuration. This code can go into whatever file you use for Django site's settings configuration, typically `settings.py`.

+For information on how to configure Django settings, see [Django settings](https://docs.djangoproject.com/en/4.0/topics/settings/). For more information on how to configure logging, see [Django logging](https://docs.djangoproject.com/en/4.0/topics/logging/).

+ "class": "opencensus.ext.azure.log_exporter.AzureLogHandler",

+ "connection_string": "<appinsights-connection-string>",

+ },

+ },

+# views.py

+from django.shortcuts import request

+logger.addHandler(AzureLogHandler())

+# Alternatively, manually pass in the connection_string

+# logger.addHandler(AzureLogHandler(connection_string=<appinsights-connection-string>)

+logger.addHandler(AzureLogHandler())

+# Alternatively manually pass in the connection_string

+# logger.addHandler(AzureLogHandler(connection_string=<appinsights-connection-string>)

+- **Distribution**: The Azure exporter doesn't support the histogram distribution of the measurement points.

+1. First, let's generate some local metric data. We create a metric to track the number of times the user selects the **Enter** key.

+ for _ in range(4):

+ mmap.measure_int_put(prompt_measure, 1)

+ mmap.record(tmap)

+ metrics = list(mmap.measure_to_view_map.get_metrics(datetime.utcnow()))

+ print(metrics[0].time_series[0].points[0])

+1. Metrics are created to track many times. With each entry, the value is incremented and the metric information appears in the console. The information includes the current value and the current time stamp when the metric was updated.

+ Point(value=ValueLong(6), timestamp=2019-10-09 20:58:05.170167)

+ Point(value=ValueLong(7), timestamp=2019-10-09 20:58:05.438614)

+ Point(value=ValueLong(7), timestamp=2019-10-09 20:58:05.834216)

+ exporter = metrics_exporter.new_metrics_exporter()

+ # Alternatively manually pass in the connection_string

+ # exporter = metrics_exporter.new_metrics_exporter(connection_string='<appinsights-connection-string>')

+ for _ in range(10):

+ input("Press enter.")

+ mmap.measure_int_put(prompt_measure, 1)

+ mmap.record(tmap)

+ metrics = list(mmap.measure_to_view_map.get_metrics(datetime.utcnow()))

+ print(metrics[0].time_series[0].points[0])

+1. The exporter sends metric data to Azure Monitor at a fixed interval. You must set this value to 60 seconds as Application Insights backend assumes aggregation of metrics points on a 60-second time interval. We're tracking a single metric, so this metric data, with whatever value and time stamp it contains, is sent every interval. The data is cumulative, can only increase, and resets to 0 on restart.

+1. Under the `customMetrics` table, all metric records emitted by using `prompt_view` have custom dimensions `{"url":"http://example.com"}`.

+ )

+ def main():

+ for value in range(5):

+ print(value)

+1. With each entry, the value is printed to the shell. The OpenCensus Python module generates a corresponding piece of `SpanData`. The OpenCensus project defines a [trace as a tree of spans](https://opencensus.io/core-concepts/tracing/).

+ 0

+ 1

+ 2

+1. Viewing the output is helpful for demonstration purposes, but we want to emit `SpanData` to Azure Monitor. Pass your connection string directly into the exporter. Or you can specify it in an environment variable, `APPLICATIONINSIGHTS_CONNECTION_STRING`. We recommend using the connection string to instantiate the exporters that are used to send telemetry to Application Insights. Modify your code from the previous step based on the following code sample:

+ exporter=AzureExporter(),

+ # Alternatively manually pass in the connection_string

+ # exporter = AzureExporter(

+ # connection_string='<appinsights-connection-string>',

+ # ...

+ # )

+

+ with tracer.span(name="test") as span:

+ for value in range(5):

+ print(value)

+1. Now when you run the Python script, only the value is being printed in the shell. The created `SpanData` is sent to Azure Monitor. You can find the emitted span data under `dependencies`.

+`export_interval`| Used to specify the frequency in seconds of exporting. Defaults to `15s`. For metrics, you MUST set it to 60 seconds or else your metric aggregations don't make sense in the metrics explorer.|

+A [data collection endpoint](../essentials/data-collection-endpoint-overview.md) is required to accept the data from the script. After you configure the DCE and link it to a DCR, you can send data over HTTP from your application. The DCE must be located in the same region as the VM being associated, but it does not need to be in the same region as the Log Analytics workspace where the data will be sent or the data collection rule being used.

+This article lists significant changes to Azure Monitor documentation.

+## February 2023

+

+|Subservice| Article | Description |

+||||

+Agents|[Azure Monitor agent extension versions](agents/azure-monitor-agent-extension-versions.md)|Added release notes for the Azure Monitor Agent Linux 1.25 release.|

+Agents|[Migrate to Azure Monitor Agent from Log Analytics agent](agents/azure-monitor-agent-migration.md)|Updated guidance for migrating from Log Analytics Agent to Azure Monitor Agent.|

+Alerts|[Manage your alert rules](alerts/alerts-manage-alert-rules.md)|Included limitation and workaround for resource health alerts. If you apply a target resource type scope filter to the alerts rules page, the alerts rules list doesnΓÇÖt include resource health alert rules.|

+Alerts|[Customize alert notifications by using Logic Apps](alerts/alerts-logic-apps.md)|Added instructions for additional customizations that you can include when using Logic Apps to create alert notifications. You can extracting information about the affected resource from resource's tags, and then include the resource tags in the alert payload and use the information in your logical expressions used for creating the notifications.|

+Alerts|[Create and manage action groups in the Azure portal](alerts/action-groups-create-resource-manager-template.md)|Combined two articles about creating action groups into one article.|

+Alerts|[Create and manage action groups in the Azure portal](alerts/action-groups.md)|Clarified that you can't pass security certificates in a webhook action in action groups.|

+Alerts|[Create a new alert rule](alerts/alerts-create-new-alert-rule.md)|Add information about adding custom properties to the alert payload when you use action groups.|

+Alerts|[Manage your alert instances](alerts/alerts-manage-alert-instances.md)|Removed option for managing alert instances using the CLI.|

+Application-Insights|[Migrate to workspace-based Application Insights resources](app/convert-classic-resource.md)|The continuous export deprecation notice has been added to this article for more visibility. It's recommended to migrate to workspace-based Application Insights resources as soon as possible to take advantage of new features.|

+Application-Insights|[Application Insights API for custom events and metrics](app/api-custom-events-metrics.md)|Client-side JavaScript SDK extensions have been consolidated into two new articles called "Framework extensions" and "Feature Extensions". We've additionally created new stand-alone Upgrade and Troubleshooting articles.|

+Application-Insights|[Create an Application Insights resource](app/create-new-resource.md)|Classic workspace documentation has been moved to the Legacy and Retired Features section of our table of contents and we've made both the feature retirement and upgrade path clearer. It's recommended to migrate to workspace-based Application Insights resources as soon as possible to take advantage of new features.|

+Application-Insights|[Monitor Azure Functions with Azure Monitor Application Insights](app/monitor-functions.md)|We've overhauled our documentation on Azure Functions integration with Application Insights.|

+Application-Insights|[Enable Azure Monitor OpenTelemetry for .NET, Node.js, Python and Java applications](app/opentelemetry-enable.md)|Java OpenTelemetry examples have been updated.|

+Application-Insights|[Application Monitoring for Azure App Service and Java](app/azure-web-apps-java.md)|We updated and separated out the instructions to manually deploy the latest Application Insights Java version.|

+Containers|[Enable Container insights for Azure Kubernetes Service (AKS) cluster](containers/container-insights-enable-aks.md)|Added section for enabling private link without managed identity authentication.|

+Containers|[Syslog collection with Container Insights (preview)](containers/container-insights-syslog.md)|Added use of ARM templates for enabling syslog collection|

+Essentials|[Data collection transformations in Azure Monitor](essentials/data-collection-transformations.md)|Added section and sample for using transformations to send to multiple destinations.|

+Essentials|[Custom metrics in Azure Monitor (preview)](essentials/metrics-custom-overview.md)|Added reference to the limit of 64 KB on the combined length of all custom metrics names|

+Essentials|[Azure monitoring REST API walkthrough](essentials/rest-api-walkthrough.md)|Refresh REST API walkthrough|

+Essentials|[Collect Prometheus metrics from AKS cluster (preview)](essentials/prometheus-metrics-enable.md)|Added Enabling Prometheus metric collection using Azure policy and Bicep|

+Essentials|[Send Prometheus metrics to multiple Azure Monitor workspaces (preview)](essentials/prometheus-metrics-multiple-workspaces.md)|Updated sending metrics to multiple Azure Monitor workspaces|

+General|[Analyzing and visualize data](best-practices-analysis.md)|Revised the article about analyzing and visualizing monitoring data to provide a comparison of the different visualization tools and guide customers when they would choose each tool for their implementation. |

+Logs|[Tutorial: Send data to Azure Monitor Logs using REST API (Resource Manager templates)](logs/tutorial-logs-ingestion-api.md)|Minor fixes and updated sample data.|

+Logs|[Analyze usage in a Log Analytics workspace](logs/analyze-usage.md)|Added query for data that has the IsBillable indicator set incorrectly, which could result in incorrect billing.|

+Logs|[Add or delete tables and columns in Azure Monitor Logs](logs/create-custom-table.md)|Added custom column naming limitations.|

+Logs|[Enhance data and service resilience in Azure Monitor Logs with availability zones](logs/availability-zones.md)|Clarified availability zone support for data resilience and service resilience and added new supported regions.|

+Logs|[Monitor Log Analytics workspace health](logs/log-analytics-workspace-health.md)|New article that explains how to monitor the service and resource health of a Log Analytics workspace.|

+Logs|[Feature extensions for Application Insights JavaScript SDK (Click Analytics)](app/javascript-click-analytics-plugin.md)|You can now launch Power BI and create a dataset and report connected to a Log Analytics query with one click.|

+Logs|[Set a table's log data plan to Basic or Analytics](logs/basic-logs-configure.md)|Added new tables to the list of tables that support Basic logs.|

+Logs|[Manage tables in a Log Analytics workspace]()|Refreshed all Log Analytics workspace images with the new left-hand menu (ToC).|

+Security-Fundamentals|[Monitoring App Service](../../articles/app-service/monitor-app-service.md)|Revised the Azure Monitor Overview to improve usability. The article has been cleaned up and streamlined, and better reflects the product architecture as well as the customer experience. |

+Snapshot-Debugger|[host.json reference for Azure Functions 2.x and later](../../articles/azure-functions/functions-host-json.md)|Removing the TSG from the AzMon TOC and adding to the support TOC|

+Snapshot-Debugger|[Configure Bring Your Own Storage (BYOS) for Application Insights Profiler and Snapshot Debugger](profiler/profiler-bring-your-own-storage.md)|Removing the TSG from the AzMon TOC and adding to the support TOC|

+Snapshot-Debugger|[Release notes for Microsoft.ApplicationInsights.SnapshotCollector](snapshot-debugger/snapshot-collector-release-notes.md)|Removing the TSG from the AzMon TOC and adding to the support TOC|

+Snapshot-Debugger|[Enable Snapshot Debugger for .NET apps in Azure App Service](snapshot-debugger/snapshot-debugger-app-service.md)|Removing the TSG from the AzMon TOC and adding to the support TOC|

+Snapshot-Debugger|[Enable Snapshot Debugger for .NET and .NET Core apps in Azure Functions](snapshot-debugger/snapshot-debugger-function-app.md)|Removing the TSG from the AzMon TOC and adding to the support TOC|

+Snapshot-Debugger|[ Troubleshoot problems enabling Application Insights Snapshot Debugger or viewing snapshots](snapshot-debugger/snapshot-debugger-troubleshoot.md)|Removing the TSG from the AzMon TOC and adding to the support TOC|

+Snapshot-Debugger|[Enable Snapshot Debugger for .NET apps in Azure Service Fabric, Cloud Service, and Virtual Machines](snapshot-debugger/snapshot-debugger-vm.md)|Removing the TSG from the AzMon TOC and adding to the support TOC|

+Snapshot-Debugger|[Debug snapshots on exceptions in .NET apps](snapshot-debugger/snapshot-debugger.md)|Removing the TSG from the AzMon TOC and adding to the support TOC|

+Virtual-Machines|[Monitor virtual machines with Azure Monitor: Analyze monitoring data](vm/monitor-virtual-machine-analyze.md)|New article|

+Visualizations|[Use JSONPath to transform JSON data in workbooks](visualize/workbooks-jsonpath.md)|Added information about using JSONPath to convert data types in Azure Workbooks.|

+Containers|[Configure Container insights cost optimization data collection rules]()|New article on preview of cost optimization settings.|

+Application-Insights|[Application Insights for Java 2.x](app/deprecated-java-2x.md)|The Java 2.x retirement notice is available at https://azure.microsoft.com/updates/application-insights-java-2x-retirement.|

+Snapshot-Debugger|[Enable Snapshot Debugger for .NET apps in Azure App Service](snapshot-debugger/snapshot-debugger-app-service.md)|Per customer feedback, added new note that Consumption plan isn't supported|

+Application-Insights|[Create an Application Insights resource](app/create-new-resource.md)|Classic Application Insights resources are deprecated and support will end on February 29, 2024. Migrate to workspace-based resources to take advantage of new capabilities.|

+If you have more than two levels in the hierarchy, keep repeating parent names:

+This article describes the data types supported in [Bicep](./overview.md). [User-defined data types](./user-defined-data-types.md) are currently in preview.

+ Title: User-defined types in Bicep

+description: Describes how to define and use user-defined data types in Bicep.

+# User-defined data types in Bicep (Preview)

+Learn how to use user-defined data types in Bicep.

+[Bicep version 1.2 or newer](./install.md) is required to use this feature.

+## Enable the preview feature

+To enable this preview, modify your project's [bicepconfig.json](./bicep-config.md) file to include the following JSON:

+```json

+{

+ "experimentalFeaturesEnabled": {

+ "userDefinedTypes": true

+ }

+}

+```

+## User-defined data type syntax

+You can use the `type` statement to define user-defined data types. In addition, you can also use type expressions in some places to define custom types.

+```bicep

+Type <userDefinedDataTypeName> = <typeExpression>

+```

+The valid type expressions include:

+- Symbolic references are identifiers that refer to an *ambient* type (like `string` or `int`) or a user-defined type symbol declared in a `type` statement:

+ ```bicep

+ // Bicep data type reference

+ type myStringType = string

+ // user-defined type reference

+ type myOtherStringType = myStringType

+ ```

+- Primitive literals, including strings, integers, and booleans, are valid type expressions. For example:

+ ```bicep

+ // a string type with three allowed values.

+ type myStringLiteralType = 'bicep' | 'arm' | 'azure'

+ // an integer type with one allowed value

+ type myIntLiteralType = 10

+ // an boolean type with one allowed value

+ type myBoolLiteralType = true

+ ```

+- Array types can be declared by suffixing `[]` to any valid type expression:

+ ```bicep

+ // A string type array

+ type myStrStringsType1 = string[]

+ // A string type array with three allowed values

+ type myStrStringsType2 = ('a' | 'b' | 'c')[]

+ type myIntArrayOfArraysType = int[][]

+ // A mixed-type array with four allowed values

+ type myMixedTypeArrayType = ('fizz' | 42 | {an: 'object'} | null)[]

+ ```

+- Object types contain zero or more properties between curly brackets:

+ ```bicep

+ type storageAccountConfigType = {

+ name: string

+ sku: string

+ }

+ ```

+ Each property in an object consists of key and value. The key and value are separated by a colon `:`. The key may be any string (values that would not be a valid identifier must be enclosed in quotes), and the value may be any type syntax expression.

+ Properties are required unless they have an optionality marker `?` between the property name and the colon. For example, the `sku` property in the following example is optional:

+ ```bicep

+ type storageAccountConfigType = {

+ name: string

+ sku?: string

+ }

+ ```

+ **Recursion**

+ Object types may use direct or indirect recursion so long as at least leg of the path to the recursion point is optional. For example, the `myObjectType` definition in the following example is valid because the directly recursive `recursiveProp` property is optional:

+ ```bicep

+ type myObjectType = {

+ stringProp: string

+ recursiveProp?: myObjectType

+ }

+ ```

+ But the following would not be valid because none of `level1`, `level2`, `level3`, `level4`, or `level5` is optional.

+ ```bicep

+ type invalidRecursiveObjectType = {

+ level1: {

+ level2: {

+ level3: {

+ level4: {

+ level5: invalidRecursiveObject

+ }

+ }

+ }

+ }

+ }

+ ```

+- [Bicep unary operators](./operators.md) can be used with integer and boolean literals or references to integer or boolean literal-typed symbols:

+ ```bicep

+ type negativeIntLiteral = -10

+ type negatedIntReference = -negativeIntLiteral

+ type negatedBoolLiteral = !true

+ type negatedBoolReference = !negatedBoolLiteral

+ ```

+- Unions may include any number of literal-typed expressions. Union types are translated into the [allowed-value constraint](./parameters.md#decorators) in Bicep, so only literals are permitted as members.

+ ```bicep

+ type oneOfSeveralObjects = {foo: 'bar'} | {fizz: 'buzz'} | {snap: 'crackle'}

+ type mixedTypeArray = ('fizz' | 42 | {an: 'object'} | null)[]

+ ```

+In addition to be used in the `type` statement, type expressions can also be used in these places for creating user-defined date types:

+- As the type clause of a `param` statement. For example:

+ ```bicep

+ param storageAccountConfig {

+ name: string

+ sku: string

+ }

+ ```

+- Following the `:` in an object type property. For example:

+ ```bicep

+ param storageAccountConfig {

+ name: string

+ properties: {

+ sku: string

+ }

+ } = {

+ name: 'store$(uniqueString(resourceGroup().id)))'

+ properties: {

+ sku: 'Standard_LRS'

+ }

+ }

+ ```

+- Preceding the `[]` in an array type expression. For example:

+ ```bicep

+ param mixedTypeArray ('fizz' | 42 | {an: 'object'} | null)[]

+ ```

+## An example

+A typical Bicep file to create a storage account looks like:

+```bicep

+param location string = resourceGroup().location

+param storageAccountName string

+@allowed([

+ 'Standard_LRS'

+ 'Standard_GRS'

+])

+param storageAccountSKU string = 'Standard_LRS'

+resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = {

+ name: storageAccountName

+ location: location

+ sku: {

+ name: storageAccountSKU

+ }

+ kind: 'StorageV2'

+}

+```

+By using user-defined data types, it can look like:

+```bicep

+param location string = resourceGroup().location

+type storageAccountSkuType = 'Standard_LRS' | 'Standard_GRS'

+type storageAccountConfigType = {

+ name: string

+ sku: storageAccountSkuType

+}

+param storageAccountConfig storageAccountConfigType

+resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = {

+ name: storageAccountConfig.name

+ location: location

+ sku: {

+ name: storageAccountConfig.sku

+ }

+ kind: 'StorageV2'

+}

+```

+## Next steps

+- For a list of the Bicep date types, see [Data types](./data-types.md).

+When moving a resource, you must also move its dependent resources (for example - public IP addresses, virtual network gateways, all associated connection resources). The virtual network assigned to the AKS instance can also be moved, and local network gateways can be in a different resource group.

+> [!WARNING]

+> Please refrain from moving the virtual network for an AKS cluster. The AKS cluster will stop working if its virtual network is moved.

+For information about features and other insights, see:

+- [Azure Video Indexer overview](video-indexer-overview.md)

+- [Transparency note](/legal/azure-video-indexer/transparency-note?context=/azure/azure-video-indexer/context/context)

+Based on the performance requirements of the datastore, you can change the service level of the Azure NetApp Files volume used for the datastore by following the instructions to [dynamically change the service level of a volume for Azure NetApp Files](../azure-netapp-files/dynamic-change-volume-service-level.md).

+Changing the service level has no impact on the datastore or private cloud. There is no downtime and the volume's IP address/mount path remain unchanged. However, the volume's resource ID will change as a result of the capacity pool change. To correct any metadata mismatch, re-run the datastore creation in Azure CLI for the existing datastore with the new Resource ID for the Azure NetApp Files volume:

+```azurecli

+az vmware datastore netapp-volume create \

+ --name <name of existing datastore> \

+ --resource-group <resource group containing AVS private cloud> \

+ --cluster <cluster name in AVS private cloud> \

+ --private-cloud <name of AVS private cloud> \

+ --volume-id /subscriptions/<subscription ID>/resourceGroups/<resource group>/providers/Microsoft.NetApp/netAppAccounts/<NetApp account>/capacityPools/<changed capacity pool>/volumes/<volume name>

+```

+> The parameters for datastore **name**, **resource-group**, **cluster**, and **private-cloud** (SDDC) must be **exactly the same as those on the existing datastore in the private cloud**. The **volume-id** is the updated Resource ID of the Azure NetApp Files volume after the service level change.

+- Enhanced soft delete applies to all vaulted workloads alike and is supported for Recovery Services vaults and Backup vaults. However, it currently doesn't support operational tier workloads, such as Azure Files backup, Operational backup for Blobs, Disk and VM snapshot backups.

+ Title: Configure and manage backup for Azure Blobs using Azure Backup

+description: Learn how to configure and manage operational and vaulted backups for Azure Blobs.

+# Configure and manage backup for Azure Blobs using Azure Backup

+Azure Backup allows you to configure operational and vaulted backups to protect block blobs in your storage accounts. This article describes how to configure and manage backups on one or more storage accounts using the Azure portal.

+# [Operational backup](#tab/operational-backup)

+- Operational backup of blobs is a local backup solution that maintains data for a specified duration in the source storage account itself. This solution doesn't maintain an additional copy of data in the vault. This solution allows you to retain your data for restore for up to 360 days. Long retention durations may, however, lead to longer time taken during the restore operation.

+- If you delete a container from the storage account by calling the *Delete Container operation*, that container can't be restored with a restore operation. Rather than deleting an entire container, delete individual blobs if you may want to restore them later. Also, Microsoft recommends enabling soft delete for containers, in addition to operational backup, to protect against accidental deletion of containers.

+For more information about the supported scenarios, limitations, and availability, see the [support matrix](blob-backup-support-matrix.md).

+# [Vaulted backup](#tab/vaulted-backup)

+- Vaulted backup of blobs is a managed offsite backup solution that transfers data to the backup vault and retains as per the retention configured in the backup policy. You can retain data for a maximum of *10 years*.

+- Currently, you can use the vaulted backup solution to restore data to a different storage account only. While performing restores, ensure that the target storage account doesn't contain any *containers* with the same name as those backed up in a recovery point. If any conflicts arise due to the same name of containers, the restore operation fails.

+For more information about the supported scenarios, limitations, and availability, See the [support matrix](blob-backup-support-matrix.md).

+1. In the storage account that needs to be protected, go to the **Access Control (IAM)** tab on the left navigation pane.

+A backup policy defines the schedule and frequency of the recovery points creation, and its retention duration in the Backup vault. You can use a single backup policy for your vaulted backup, operational backup, or both. You can use the same backup policy to configure backup for multiple storage accounts to a vault.

+To create a backup policy, follow these steps:

+1. Go to **Backup center**, and then select **+ Policy**. This takes you to the create policy experience.

+2. Select the *data source type* as **Azure Blobs (Azure Storage)**, and then select **Continue**.

+3. On the **Basics** tab, enter a name for the policy and select the vault you want this policy to be associated with.

+ You can view the details of the selected vault in this tab, and then select **continue**.

+

+4. On the **Schedule + retention** tab, enter the *backup details* of the data store, schedule, and retention for these data stores, as applicable.

+ 1. To use the backup policy for vaulted backups, operational backups, or both, select the corresponding checkboxes.

+ 1. For each data store you selected, add or edit the schedule and retention settings:

+ - **vaulted backups**: Choose the frequency of backups between *daily* and *weekly*, specify the schedule when the backup recovery points need to be created, and then edit the default retention rule (selecting **Edit**) or add new rules to specify the retention of recovery points using a *grandparent-parent-child* notation.

+ - **Operational backups**: These are continuous and don't require a schedule. Edit the default rule for operational backups to specify the required retention.

+5. Go to **Review and create**.

+6. Once the review is complete, select **Create**.

+## Configure backups

+You can configure backup for one or more storage accounts in an Azure region if you want them to back up to the same vault using a single backup policy.

+To configure backup for storage accounts, follow these steps:

+1. Go to **Backup center** > **Overview**, and then select **+ Backup**.

+2. On the **Initiate: Configure Backup** tab, choose **Azure Blobs (Azure Storage)** as the **Datasource type**.

+3. On the **Basics** tab, specify **Azure Blobs (Azure Storage)** as the **Datasource type**, and then select the *Backup vault* that you want to associate with your storage accounts.

+ You can view details of the selected vault on this tab, and then select **Next**.

+

+4. Select the *backup policy* that you want to use for retention.

+ You can view the details of the selected policy. You can also create a new backup policy, if needed. Once done, select **Next**.

+5. On the **Datasources** tab, select the *storage accounts* you want to back up.

+ You can select multiple storage accounts in the region to back up using the selected policy. Search or filter the storage accounts, if required.

+ When you select the storage accounts, Azure Backup performs the following validations to ensure all prerequisites are met. The **Backup readiness** column shows if the Backup vault has enough permissions to configure backups for each storage account.

+ 1. Validates that the Backup vault has the required permissions to configure backup (the vault has the **Storage account backup contributor** role on all the selected storage accounts. If validation shows errors, then the selected storage accounts don't have **Storage account backup contributor** role. You can assign the required role, based on your current permissions. The error message helps you understand if you have the required permissions, and take the appropriate action:

+ - **Role assignment not done**: This indicates that you (the user) have permissions to assign the **Storage account backup contributor** role and the other required roles for the storage account to the vault.

+ Select the roles, and then select **Assign missing roles** on the toolbar to automatically assign the required role to the Backup vault, and trigger an auto-revalidation.

+ The role propagation may take some time (up to 10 minutes) causing the revalidation to fail. In this scenario, you need to wait for a few minutes and select **Revalidate** to retry validation.

+ - **Insufficient permissions for role assignment**: This indicates that the vault doesn't have the required role to configure backups, and you (the user) don't have enough permissions to assign the required role. To make the role assignment easier, Azure Backup allows you to download the role assignment template, which you can share with users with permissions to assign roles for storage accounts.

+ To do this, select the storage accounts, and then select **Download role assignment template** to download the template. Once the role assignments are complete, select **Revalidate** to validate the permissions again, and then configure backup.

+ >[!Note]

+ >The template contains details for selected storage accounts only. So, if there are multiple users that need to assign roles for different storage accounts, you can select and download different templates accordingly.

+ 1. Validates that the number of containers to be backed up is less than *100*. By default, all containers are selected; however, you can exclude containers that shouldn't be backed up. If your storage account has *>100* containers, you must exclude containers to reduce the count to *100 or below*.

+ >[!Note]

+ >The storage accounts to be backed up must contain at least *1 container*. If the selected storage account doesn't contain any containers or if no containers are selected, you may get an error while configuring backups.

+7. Once validation succeeds, open the **Review and configure** tab.

+8. Review the details on the **Review + configure** tab and select **Next** to initiate the *configure backup* operation.

+You'll receive notifications about the status of configuring protection and its completion.

+1. Go to **Overview** > **+Backup**.

+1. Choose the required storage accounts for configuring protection of blobs. You can choose multiple storage accounts at once and choose Select.<br></br>However, ensure that the vault you have chosen has the required Azure role-based access control (Azure RBAC) role assigned to configure backup on storage accounts. Learn more about [Grant permissions to the Backup vault on storage accounts](#grant-permissions-to-the-backup-vault-on-storage-accounts).<br></br>If the role isn't assigned, you can still assign the role while configuring backup. See step 7.

+ If validation displays errors (for two of the storage accounts), you haven't assigned the **Storage account backup contributor** role for these [storage accounts](#grant-permissions-to-the-backup-vault-on-storage-accounts). Also, you can assign the required role here, based on your current permissions. The error message can help you understand if you have the required permissions, and take the appropriate action:

+ - **Role assignment not done:** This error (as shown for the item _blobbackupdemo3_ in the figure above) indicates that you (the user) have permissions to assign the **Storage account backup contributor** role and the other required roles for the storage account to the vault. Select the roles, and select **Assign missing roles** on the toolbar. This will automatically assign the required role to the backup vault, and also trigger an auto-revalidation.<br><br>At times, role propagation may take a while (up to 10 minutes) causing the revalidation to fail. In such scenario, please wait for a few minutes and select the ΓÇÿRevalidateΓÇÖ button retry validation.

+ - **Insufficient permissions for role assignment:** This error (as shown for the item _blobbackupdemo4_ in the figure above) indicates that the vault doesnΓÇÖt have the required role to configure backup, and you (the user) donΓÇÖt have enough permissions to assign the required role. To make the role assignment easier, Backup allows you to download the role assignment template, which you can share with users with permissions to assign roles for storage accounts. To do this, select such storage accounts, and select **Download role assignment template** to download the template.<br><br>Once the roles are assigned, you can share it with the appropriate users. On successful assignment of the role, select **Revalidate** to validate permissions again, and then configure backup.

+1. Once the validation is successful for all selected storage accounts, continue to **Review and configure backup**.

+You'll receive notifications about the status of configuring protection and its completion.

+### Using Data protection settings of the storage account to configure operational backup

+1. Go to the storage account for which you want to configure backup for blobs, and then go to **Data Protection** in left pane (under **Data management**).

+1. Select the checkbox corresponding to **Enable operational backup with Azure Backup**. Then select the Backup vault and the Backup policy you want to associate.

+ You can select the existing vault and policy, or create new ones, as required.

+ - If you've already assigned the required role, select **Save** to finish configuring backup. Follow the portal notifications to track the progress of configuring backup.

+ - If you havenΓÇÖt assigned it yet, select **Manage identity** and Follow the steps below to assign the roles.

+ 1. On selecting **Manage identity**, brings you to the Identity pane of the storage account.

+ 1. Select **Add role assignment** to initiate the role assignment.

+ 1. Select **Save** to finish role assignment.

+

+ You'll receive notification through the portal once this completes successfully. You can also see the new role added to the list of existing ones for the selected vault.

+ 1. Select the cancel icon (**x**) on the top right corner to return to the **Data protection** pane of the storage account.<br><br>Once back, continue configuring backup.

+## Effects on backed-up storage accounts

+# [Vaulted backup](#tab/vaulted-backup)

+In storage accounts (for which you've configured vaulted backups), the object replication rules get created under the **Object replication** item in the left pane.

+# [Operational backup](#tab/operational-backup)

+## Manage backups

+You can use Backup Center as your single pane of glass for managing all your backups. Regarding backup for Azure Blobs, you can use Backup Center to do the following:

+## Stop protection

+>When you remove backups, the **OR policy** isn't removed from the source. So, you need to remove the policy separately. Stopping protection only dissociates the storage account from the Backup vault (and the backup tools, such as Backup center), and doesnΓÇÖt disable blob point-in-time restore, versioning, and change feed that were configured.

+1. Go to the backup instance for the storage account being backed up.<br><br>You can go to this from the storage account via **Storage account** -> **Data protection** -> **Manage backup settings**, or directly from the Backup Center via **Backup Center** -> **Backup instances** -> search for the storage account name.

+1. In the backup instance, select **Delete** to stop operational backup for the particular storage account.

+After stopping backup, you may disable other storage data protection capabilities (that are enabled for configuring backup) from the data protection pane of the storage account.

+ Title: Overview of Azure Blobs backup

+description: Learn about Azure Blobs backup.

+# Overview of Azure Blob backup

+Azure Backup provides a simple, secure, cost-effective, and cloud-based backup solution to protect your business or application-critical data stored in Azure Blob.

+This article gives you an understanding about configuring the following types of backups for your blobs:

+- **Continuous backups**: You can configure operational backup, a managed local data protection solution, to protect your block blobs from accidental deletion or corruption. The data is stored locally within the source storage account and not transferred to the backup vault. You donΓÇÖt need to define any schedule for backups. All changes are retained, and you can restore them from the state at a selected point in time.

+- **Periodic backups (preview)**: You can configure vaulted backup, a managed offsite data protection solution, to get protection against any accidental or malicious deletion of blobs or storage account. The backup data using vaulted backups is copied and stored in the Backup vault as per the schedule and frequency you define via the backup policy and retained as per the retention configured in the policy.

+You can choose to configure vaulted backups, operational backups, or both on your storage accounts using a single backup policy. The integration with [Backup center](backup-center-overview.md) enables you to govern, monitor, operate, and analyze backups at scale.

+## How the operational backup works?

+For information about the limitations of the current solution, see the [support matrix](blob-backup-support-matrix.md).

+## How the vaulted backup works?

+Vaulted backup (preview) uses the platform capability of object replication to copy data to the Backup vault. Object replication asynchronously copies block blobs between a source storage account and a destination storage account. The contents of the blob, any versions associated with the blob, and the blob's metadata and properties are all copied from the source container to the destination container.

+When you configure protection, Azure Backup allocates a destination storage account (Backup vault's storage account managed by Azure Backup) and enables object replication policy at container level on both destination and source storage account. When a backup job is triggered, the Azure Backup service creates a recovery point marker on the source storage account and polls the destination account for the recovery point marker replication. When the data transfer completes, the recovery point marker is replicated. Once the replication point marker is present on the destination, a recovery point is created.

+For information about the limitations of the current solution, see the [support matrix](blob-backup-support-matrix.md).

+## Protection

+### Protection using operational backup

+- **Point-in-time restore**: Set to ΓÇÿnΓÇÖ days, as defined in the backup policy. If the storage account already had point-in-time enabled with a retention of, say ΓÇÿxΓÇÖ days, before configuring backup, the point-in-time restore duration will be set to the greater of the two values that is max(n,x). If you had already enabled point-in-time restore and specified the retention to be greater than that in the backup policy, it will remain unchanged.

+- **Soft delete**: Set to ΓÇÿn+5ΓÇÖ days, that is, five days in addition to the duration specified in the backup policy. If the storage account that is being configured for operational backup already had soft delete enabled with a retention of, say ΓÇÿyΓÇÖ days, then the soft delete retention will be set to the maximum of the two values, that is, maximum (n+5, y). If you had already enabled soft delete and specified the retention to be greater than that according to the backup policy, it will remain unchanged.

+### Protection using vaulted backup (in preview)

+Vaulted backup is configured at the storage account level. However, you can exclude containers that don't need backup. If your storage account has *>100* containers, you need to mandatorily exclude containers to reduce the count to *100* or below. For vaulted backups, the schedule and retention are managed via backup policy. You can set the frequency as *daily* or *weekly*, and specify when the backup recovery points need to be created. You can also configure different retention values for backups taken every day, week, month, or year. The retention rules are evaluated in a pre-determined order of priority. The *yearly* rule has the priority compared to *monthly* and *weekly* rule. Default retention settings are applied if other rules don't qualify.

+In storage accounts (for which vaulted backups are configured), the object replication rules get created under the *object replication* item on the *TOC* blade of the source storage account.

+You can enable operational backup and vaulted backup (or both) of blobs on a storage account that is independent of each other using the same backup policy. The vaulted blob backup solution allows you to retain your data for up to *10 years*. Restoring data from older recovery points may lead to longer time taken (longer RTO) during the restore operation. You can currently use the vaulted backup solution to perform restores to a different storage account only. For restoring to the same account, you may use operational backups.

+## Management

+Both operational and vaulted backups integrate directly with Backup Center to help you manage the protection of all your storage accounts centrally, along with all other Backup supported workloads. Backup Center is your single pane of glass for all your Backup requirements like monitoring jobs and state of backups and restores, ensuring compliance and governance, analyzing backup usage, and performing operations pertaining to back up and restore of data.

+## Restore

+### Operational backup

+You won't incur any management charges or instance fee when using operational backup for blobs. However, you'll incur the following charges:

+### Vaulted backup (preview)

+Vaulted backup currently doesn't incur any charges with preview release.

+This article summarizes the regional availability, supported scenarios, and limitations of operational and vaulted backups of blobs.

+**Choose a backup type**

+# [Operational backup](#tab/operational-backup)

+# [Vaulted backup](#tab/vaulted-backup)

+Vaulted backup (preview) for blobs is currently available in the following regions: France Central, Canada Central, Canada East, US East, and US South.

+**Choose a backup type**

+# [Operational backup](#tab/operational-backup)

+- If there are [immutable blobs](../storage/blobs/immutable-storage-overview.md#about-immutable-storage-for-blobs) among those being restored, such immutable blobs won't be restored to their state as per the selected recovery point. However, other blobs that don't have immutability enabled will be restored to the selected recovery point as expected.

+# [Vaulted backup](#tab/vaulted-backup)

+The vaulted backup is currently in preview in the following regions: France Central, Canada Central, Canada East, US East, US South.

+- You can back up only block blobs in a *standard general-purpose v2 storage account* using the vaulted backup solution for blobs.

+- HNS-enabled storage accounts are currently not supported. This includes *ADLS Gen2 accounts*, *accounts using NFS 3.0*, and *SFTP protocols* for blobs.

+- You can back up storage accounts with *up to 100 containers*. You can also select a subset of containers to back up (up to 100 containers).

+ - If your storage account contains more than 100 containers, you need to select *up to 100 containers* to back up.

+ - To back up any new containers that get created after backup configuration for the storage account, modify the protection of the storage account. These containers aren't backed up automatically.

+- The storage accounts to be backed up must contain *a minimum of 1 container*. If the storage account doesn't contain any containers or if no containers are selected, an error may appear when you configure backup.

+- Currently, you can perform only *one backup* per day (that includes scheduled and on-demand backups). Backup fails if you attempt to perform more than one backup operation a day.

+- If you stop protection (vaulted backup) on a storage account, it doesn't delete the object replication policy created on the storage account. In these scenarios, you need to manually delete the *OR policies*.

+- Cool and archived blobs are currently not supported.

+[Overview of Azure Blobs backup for Azure Blobs](blob-backup-overview.md)

+This article describes how to use the Azure portal to perform restores for Azure Blob from operational or vaulted backups. With operational backups, you can restore all block blobs in storage accounts with operational backup configured or a subset of blob content to any point-in-time within the retention range. With vaulted backups, you can perform restores using a recovery point created, based on your backup schedule.

+# [Operational backup](#tab/operational-backup)

+- If you delete a container from the storage account by calling the **Delete Container** operation, that container can't be restored with a restore operation. Rather than deleting an entire container, delete individual blobs if you may want to restore them later. Also, Microsoft recommends enabling soft delete for containers in addition to operational backup to protect against accidental deletion of containers.

+# [Vaulted backup](#tab/vaulted-backup)

+- Vaulted backups only support restoring data to another storage account, which is different from the one that was backed up.

+- Ensure that the Backup vault has the *Storage account backup contributor* role assigned to the target storage account to which the backup data needs to be restored.

+To initiate a restore through the Backup center, follow these steps:

+1. In Backup center, go to **Restore** on the top bar.

+1. On the **Initiate Restore** tab, choose **Azure Blobs (Azure Storage)** as the Datasource type and select the **Backup Instance** you want to restore. The backup instance is the storage account that contains the blobs you want to restore.

+1. On the **Select recovery point** tab, select the type of backup you want to restore.

+ - For operational backup, choose the date and time you want to restore your data. You can also use the slider to choose the point-in-time to restore from. The restoration details appear next to the date, which shows the valid duration from which you can restore your data. Operational backup for blobs is a continuous backup and gives granular control over points to recover data from.

+ - For vaulted backup, choose a recovery point from which you want to perform the restore.

+

+ >[!NOTE]

+ > The time mentioned here is your local time.

+1. On the **Restore parameters** tab, select the options based on the type of backups you've chosen to perform restore.

+ For **operational backup**, choose one of these options:

+ For vaulted backup, choose one of these options:

+ - **Restore all backed-up containers**: Use this option to restore all backed-up containers in the storage account.

+ - **Browse and select containers to restore**: Use this option to browse and select up to **100** containers to restore. You must have sufficient permission to view the containers in the storage account, or you can't see the contents of the storage account. Select the target storage account (and its subscription), that is, the storage account where the data needs to be restored.

+ >[!Note]

+ >The vault must have the *Storage account backup contributor* role assigned on the target storage account. Select **Validate** to ensure that the required permissions to perform the restore are assigned. Once done, proceed to the next tab.

+>[!Note]

+>This capability is currently supported only for operational backups.

+$backupContainersSQL = Get-AzRecoveryServicesBackupContainer -ContainerType AzureVMAppContainer -VaultId $VaultToDelete.ID | Where-Object {$_.ExtendedInfo.WorkloadType -eq "SQL"}

+$backupContainersSAP = Get-AzRecoveryServicesBackupContainer -ContainerType AzureVMAppContainer -VaultId $VaultToDelete.ID | Where-Object {$_.ExtendedInfo.WorkloadType -eq "SAPHana"}

+$StorageAccounts = Get-AzRecoveryServicesBackupContainer -ContainerType AzureStorage -VaultId $VaultToDelete.ID

+foreach($item in $protectableItemsSQL)

+ Remove-AzPrivateEndpointConnection -ResourceId $item.Id -Force #remove private endpoint connections

+$backupContainersSQLFin = Get-AzRecoveryServicesBackupContainer -ContainerType AzureVMAppContainer -VaultId $VaultToDelete.ID | Where-Object {$_.ExtendedInfo.WorkloadType -eq "SQL"}

+$backupContainersSAPFin = Get-AzRecoveryServicesBackupContainer -ContainerType AzureVMAppContainer -VaultId $VaultToDelete.ID | Where-Object {$_.ExtendedInfo.WorkloadType -eq "SAPHana"}

+$StorageAccountsFin = Get-AzRecoveryServicesBackupContainer -ContainerType AzureStorage -VaultId $VaultToDelete.ID

+- February 2023

+ - [Azure Blob vaulted backups (preview)](#azure-blob-vaulted-backups-preview)

+## Azure Blob vaulted backups (preview)

+Azure Backup now enables you to perform a vaulted backup of block blob data in *general-purpose v2 storage accounts* to protect data against ransomware attacks or source data loss due to malicious or rogue admin. You can define the backup schedule to create recovery points and the retention settings that determine how long backups will be retained in the vault. You can configure and manage the vaulted and operational backups using a single backup policy.

+Under vaulted backups, the data is copied and stored in the Backup vault. So, you get an offsite copy of data that can be retained for up to *10 years*. If any data loss happens on the source account, you can trigger a restore to an alternate account and get access to your data. The vaulted backups can be managed at scale via the Backup center, and monitored via the rich alerting and reporting capabilities offered by the Azure Backup service.

+If you're currently using operational backups, we recommend you to switch to vaulted backups for complete protection against different data loss scenarios.

+For more information, see [Azure Blob backup overview](blob-backup-overview.md).

+> [!IMPORTANT]

+> Remote connection to VMs that are joined to Azure AD is allowed only from Windows 10 or later PCs that are Azure AD registered (starting with Windows 10 20H1), Azure AD joined, or hybrid Azure AD joined to the *same* directory as the VM.

+1. Register the `Microsoft.ContainerInstance` and `Microsoft.Relay` resource providers with your subscription (if applicable).

+[](https://shell.azure.com)

+[](https://shell.azure.com)

+Embedded speech recognition only supports mono 16 bit, 8-kHz or 16-kHz PCM-encoded WAV audio.

+You can find ready to use embedded speech samples at [GitHub](https://aka.ms/embedded-speech-samples). For remarks on projects from scratch, see samples specific documentation:

+- [C# (.NET 6.0)](https://aka.ms/embedded-speech-samples-csharp)

+- [C# for Unity](https://aka.ms/embedded-speech-samples-csharp-unity)

+You can find ready to use embedded speech samples at [GitHub](https://aka.ms/embedded-speech-samples). For remarks on projects from scratch, see samples specific documentation:

+- [C++](https://aka.ms/embedded-speech-samples-cpp)

+You can find ready to use embedded speech samples at [GitHub](https://aka.ms/embedded-speech-samples). For remarks on projects from scratch, see samples specific documentation:

+- [Java (JRE)](https://aka.ms/embedded-speech-samples-java)

+- [Java for Android](https://aka.ms/embedded-speech-samples-java-android)

+**Example request payload:**

+`{capability}-{family}[-{input-type}]-{identifier}`

+| `{capability}` | The model capability of the model. For example, [GPT-3 models](#gpt-3-models) uses `text`, while [Codex models](#codex-models) use `code`.|

+| `{family}` | The relative family of the model. For example, GPT-3 models include `ada`, `babbage`, `curie`, and `davinci`.|

+> * Managed identity settings

+> [!NOTE]

+> You need [Contributor role](role-based-access-control.md) to enable Synapse Link at account level. And you need at least [Operator role](role-based-access-control.md) to enable Synapse Link in your containers or collections.

+A user-assigned identity is required in the restore request because the source account managed identity (User-assigned and System-assigned identities) cannot be carried over automatically to the target database account.

+> [!TIP]

+> All operations are charged based on the number of resources they consume. These charges are measured in request units. These charges include requests that do not complete successfully due to application errors such as `400`, `412`, `449`, etc. While looking at throttling or usage, it is a good idea to investigate if some pattern has changed in your usage which would result in an increase of these operations. Specifically, check for tags `412` or `449` (actual conflict).

+>

+> For more information about provisioned throughput, see [provisioned throughput in Azure Cosmos DB](../set-throughput.md).

+This template reads an external control file in json format on your storage store, which contains your SAP ODP contexts, SAP ODP objects and key columns from SAP source system as well as your containers, folders and partitions from Azure Data Lake Gen2 destination store. It then copies each of the SAP ODP object from SAP system to Azure Data Lake Gen2 in Delta format.

+An external control file in json format is required in this template. The schema for the control file is as below.

+- *checkPointKey* is your custom key to manage the checkpoint of your changed data capture in ADF. You can get more details [here](concepts-change-data-capture.md#checkpoint).

+- *sapContext* is your SAP ODP context from the source SAP system. You can get more details [here](sap-change-data-capture-prepare-linked-service-source-dataset.md#set-up-the-source-dataset).

+- *sapObjectName* is your SAP ODP object name to be loaded from the SAP system. You can get more details [here](sap-change-data-capture-prepare-linked-service-source-dataset.md#set-up-the-source-dataset).

+- *sapRunMode* is to determine how you want to load SAP object. It can be fullLoad, incrementalLoad or fullAndIncrementalLoad.

+- *sapKeyColumns* are your key column names from SAP ODP objects used to do the dedupe in mapping dataflow.

+- *sapPartitions* are list of partition conditions leading to separate extraction processes in the connected SAP system.

+- *deltaContainer* is your container name in the Azure Data Lake Gen2 as the destination store.

+- *deltaFolder* is your folder name in the Azure Data Lake Gen2 as the destination store.

+- *deltaKeyColumns* are your columns used to determine if a row from the source matches a row from the sink when you want to update or delete a row.

+- *deltaPartition* is your column used to create partitions for each unique value in such column to write data into Delta format on Azure Data Lake Gen2 via Spark cluster used by mapping dataflow. You can get more details [here](concepts-data-flow-performance.md#key)

+A sample control file is as below:

+```json

+[

+ {

+ "checkPointKey":"cba2acf0-d5e2-4d84-a552-e0a059b6d320",

+ "sapContext": "ABAP_CDS",

+ "sapObjectName": "ZPERFCDPOS$F",

+ "sapRunMode": "fullAndIncrementalLoad",

+ "sapKeyColumns": [

+ "TABKEY"

+ ],

+ "sapPartitions": [

+ [{

+ "fieldName": "TEXTCASE",

+ "sign": "I",

+ "option": "EQ",

+ "low": "1"

+ },

+ {

+ "fieldName": "TEXTCASE",

+ "sign": "I",

+ "option": "EQ",

+ "low": "X"

+ }]

+ ],

+ "deltaContainer":"delta",

+ "deltaFolder":"ZPERFCDPOS",

+ "deltaKeyColumns":["TABKEY"],

+ "deltaPartition":"TEXTCASE",

+ "stagingStorageFolder":"stagingcontainer/stagingfolder"

+ },

+ {

+ "checkPointKey":"fgaeca7f-d3d4-406f-bb48-a17faa83f76c",

+ "sapContext": "SAPI",

+ "sapObjectName": "Z0131",

+ "sapRunMode": "incrementalLoad",

+ "sapKeyColumns": [

+ "ID"

+ ],

+ "sapPartitions": [],

+ "deltaContainer":"delta",

+ "deltaFolder":"Z0131",

+ "deltaKeyColumns":["ID"],

+ "deltaPartition":"COMPANY",

+ "stagingStorageFolder":"stagingcontainer/stagingfolder"

+ }

+]

+```

+1. Create and upload a control file into json format to your Azure Data Lake Gen2 as the destination store. The default container to store the control file is **demo** and default control file name is **SapToDeltaParameters.json**.

+Orchestrate Synapse notebooks and Synapse spark job definitions natively [Learn more](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/orchestrate-and-operationalize-synapse-notebooks-and-spark-job/ba-p/3724379)

+Microsoft Defender for Cloud uses [Azure role-based access control (Azure RBAC)](../role-based-access-control/role-assignments-portal.md) to provide [built-in roles](../role-based-access-control/built-in-roles.md). You can assign these roles to users, groups, and services in Azure to give users access to resources according to the access defined in the role.

+Defender for Cloud assesses the configuration of your resources to identify security issues and vulnerabilities. In Defender for Cloud, you only see information related to a resource when you're assigned one of these roles for the subscription or for the resource group the resource is in: Owner, Contributor, or Reader.

+To allow the Security Admin role to automatically provision agents and extensions used in Defender for Cloud plans, Defender for Cloud uses policy remediation in a similar way to [Azure Policy](../governance/policy/how-to/remediate-resources.md). To use remediation, Defender for Cloud needs to create service principals, also called managed identities that assign roles at the subscription level. For example, the service principals for the Defender for Containers plan are:

+You can deploy SSL/TLS certificates during initial configuration as well as later on.

+Defender for IoT validates certificates against the certificate expiration date and against a passphrase, if one is defined. Validations against a Certificate Revocation List (CRL) and the certificate trust chain are available as well, though not mandatory. Invalid certificates can't be uploaded to OT sensors or on-premises management consoles, and will block encrypted communication between Defender for IoT components.

+### Deploy a certificate on an OT sensor

+1. Sign into your OT sensor and select **System settings** > **Basic** > **SSL/TLS certificate**.

+1. In the **SSL/TLS certificate** pane, select one of the following, and then follow the instructions in the relevant tab:

+ - **Import a trusted CA certificate (recommended)**

+ - **Use Locally generated self-signed certificate (Not recommended)**

+ # [Trusted CA certificates](#tab/import-trusted-ca-certificate)

+

+ 1. Enter the following parameters:

+

+ | Parameter | Description |

+ |||

+ | **Certificate Name** | Enter your certificate name. |

+ | **Passphrase** - *Optional* | Enter a passphrase. |

+ | **Private Key (KEY file)** | Upload a Private Key (KEY file). |

+ | **Certificate (CRT file)** | Upload a Certificate (CRT file). |

+ | **Certificate Chain (PEM file)** - *Optional* | Upload a Certificate Chain (PEM file). |

+

+ Select **Use CRL (Certificate Revocation List) to check certificate status** to validate the certificate against a [CRL server](#verify-crl-server-access). The certificate is checked once during the import process.

+ For example:

+ :::image type="content" source="media/how-to-deploy-certificates/recommended-ssl.png" alt-text="Screenshot of importing a trusted CA certificate." lightbox="media/how-to-deploy-certificates/recommended-ssl.png":::

+

+ # [Locally generated self-signed certificates](#tab/locally-generated-self-signed-certificate)

+

+ > [!NOTE]

+ > Using self-signed certificates in a production environment is not recommended, as it leads to a less secure environment.

+ > We recommend using self-signed certificates in test environments only.

+ > The owner of the certificate cannot be validated and the security of your system cannot be maintained.

+ Select **Confirm** to acknowledge the warning.

+

+1. In the **Validation for on-premises management console certificates** area, select **Required** if SSL/TLS certificate validation is required. Otherwise, select **None**.

+### Deploy a certificate on an on-premises management console

+1. Sign into your on-premises management console and select **System settings** > **SSL/TLS certificates**.

+1. In the **SSL/TLS certificate** pane, select one of the following, and then follow the instructions in the relevant tab:

+ - **Import a trusted CA certificate**

+ - **Use Locally generated self-signed certificate (Insecure, not recommended)**

+ # [Trusted CA certificates](#tab/cm-import-trusted-ca-certificate)

+

+ 1. In the **SSL/TLS Certificates** dialog, select **Add Certificate**.

+ 1. Enter the following parameters:

+

+ | Parameter | Description |

+ |||

+ | **Certificate Name** | Enter your certificate name. |

+ | **Passphrase** - *Optional* | Enter a passphrase. |

+ | **Private Key (KEY file)** | Upload a Private Key (KEY file). |

+ | **Certificate (CRT file)** | Upload a Certificate (CRT file). |

+ | **Certificate Chain (PEM file)** - *Optional* | Upload a Certificate Chain (PEM file). |

+ For example:

+ :::image type="content" source="media/how-to-deploy-certificates/management-ssl-certificate.png" alt-text="Screenshot of importing a trusted CA certificate." lightbox="media/how-to-deploy-certificates/management-ssl-certificate.png":::

+ # [Locally generated self-signed certificates](#tab/cm-locally-generated-self-signed-certificate)

+

+ > [!NOTE]

+ > Using self-signed certificates in a production environment is not recommended, as it leads to a less secure environment.

+ > We recommend using self-signed certificates in test environments only.

+ > The owner of the certificate cannot be validated and the security of your system cannot be maintained.

+ Select **I CONFIRM** to acknowledge the warning.

+

+1. Select the **Enable Certificate Validation** option to turn on system-wide validation for SSL/TLS certificates with the issuing [Certificate Authority](#create-ca-signed-ssltls-certificates) and [Certificate Revocation Lists](#verify-crl-server-access).

+1. Select **SAVE** to save your certificate settings.

+ :::image type="content" source="media/iot-solution/filter-incidents-defender-for-iot.png" alt-text="Screenshot of filtering incidents by product name for Defender for IoT devices." lightbox="media/iot-solution/filter-incidents-defender-for-iot.png":::

+ In the incident details pane on the right, view details such as incident severity, a summary of the entities involved, any mapped MITRE ATT&CK tactics or techniques, and more. For example:

+ :::image type="content" source="media/iot-solution/investigate-iot-incidents.png" alt-text="Screenshot of a Microsoft Defender for IoT incident in Microsoft Sentinel."lightbox="media/iot-solution/investigate-iot-incidents.png":::

+1. Select **View full details** to open the incident details page, where you can drill down even more. For example:

+ - Understand the incident's business impact and physical location using details, like an IoT device's site, zone, sensor name, and device importance.

+ - Learn about recommended remediation steps by selecting an alert in the incident timeline and viewing the **Remediation steps** area.

+ - Select an IoT device entity from the **Entities** list to open its [device entity page](/azure/sentinel/entity-pages). For more information, see [Investigate further with IoT device entities](#investigate-further-with-iot-device-entities).

+For more information, see [Investigate incidents with Microsoft Sentinel](../../sentinel/investigate-cases.md).

+> [!TIP]

+> To investigate the incident in Defender for IoT, select the **Investigate in Microsoft Defender for IoT** link at the top of the incident details pane on the **Incidents** page.

+### Investigate further with IoT device entities

+When you are investigating an incident in Microsoft Sentinel and have the incident details pane open on the right, select an IoT device entity from the **Entities** list to view more details about the selected entity. Identify an *IoT device* by the IoT device icon: :::image type="icon" source="media/iot-solution/iot-device-icon.png" border="false":::

+If you don't see your IoT device entity right away, select **View full details** to open the full incident page, and then check the **Entities** tab. Select an IoT device entity to view more entity data, like basic device details, owner contact information, and a timeline of events that occurred on the device.

+To drill down even further, select the IoT device entity link and open the device entity details page, or hunt for vulnerable devices on the Microsoft Sentinel **Entity behavior** page. For example, view the top five IoT devices with the highest number of alerts, or search for a device by IP address or device name:

+For more information, see [Investigate entities with entity pages in Microsoft Sentinel](../../sentinel/entity-pages.md) and [Investigate incidents with Microsoft Sentinel](../../sentinel/investigate-cases.md).

+## March 2023

+|Service area |Updates |

+|||

+| **OT networks** | **Cloud features**: - [New Microsoft Sentinel incident experience for Defender for IoT](#new-microsoft-sentinel-incident-experience-for-defender-for-iot) |

+### New Microsoft Sentinel incident experience for Defender for IoT

+Microsoft Sentinel's new [incident experience](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/the-new-incident-experience-is-here/ba-p/3717042) includes specific features for Defender for IoT customers. When investigating OT/IoT-related incidents, SOC analysts can now use the following enhancements on incident details pages:

+- **View related sites, zones, sensors, and device importance** to better understand an incident's business impact and physical location.

+- **Review an aggregated timeline of affected devices and related device details**, instead of investigating on separate entity details pages for the related devices

+- **Review OT alert remediation steps** directly on the incident details page

+For more information, see [Tutorial: Investigate and detect threats for IoT devices](iot-advanced-threat-monitoring.md) and [Navigate and investigate incidents in Microsoft Sentinel](/azure/sentinel/investigate-incidents).

+The **Alerts** page in the Azure portal is now out for General Availability. Microsoft Defender for IoT alerts enhance your network security and operations with real-time details about events detected in your network. Alerts are triggered when OT or Enterprise IoT network sensors, or the [Defender for IoT micro agent](../device-builders/index.yml), detect changes or suspicious activity in network traffic that needs your attention.

+[Getting started with Defender for IoT](getting-started.md)

+description: This quickstart shows you how to configure the Microsoft Dev Box Preview service to provide dev boxes for your users. You'll create a dev center, add a network connection, and then create a dev box definition and a project.

+Customer intent: As an enterprise admin, I want to understand how to create and configure dev box components so that I can provide dev box projects for my users.

+This quickstart describes how to configure your instance of the Microsoft Dev Box Preview service so that development teams can create their own dev boxes in your deployment.

+In the quickstart, you go through the process of setting up your Microsoft Dev Box environment by using the Azure portal. You create a dev center to organize your Dev Box resources, you configure network components so that dev boxes can connect to your organization's resources, and you create a dev box definition that is the basis of your dev boxes. Then, you create a project and a dev box pool to form a framework you can use to give access to users to manage or use dev boxes.

+When you finish this quickstart, you'll have a dev box configuration in which users you give access to can create dev boxes and connect to dev boxes in the dev box pool.

+To complete this quickstart, make sure that you have:

+- Owner or Contributor role on an Azure subscription or for the resource group you'll use to hold your dev box resources.

+- Network Contributor permissions on an existing virtual network (owner or contributor) or permissions to create a new virtual network and subnet.

+- User licenses. To use Dev Box, each user must be licensed for Windows 11 Enterprise or Windows 10 Enterprise, Microsoft Intune, and Azure Active Directory P1. These licenses are available independently and also are included in the following subscriptions:

+ - Microsoft 365 F3

+ - Microsoft 365 E3, Microsoft 365 E5

+ - Microsoft 365 A3, Microsoft 365 A5

+ - Microsoft 365 Business Premium

+ - Microsoft 365 Education Student Use Benefit

+- [Azure Hybrid Benefit](https://azure.microsoft.com/pricing/hybrid-benefit/), which allows you to use your Windows licenses on Azure with Dev Box.

+To begin the configuration, create a dev center you can use to manage your Dev Box resources. The following steps show you how to create and configure a dev center.

+1. In the search box, enter **dev centers**. In the search results, select **Dev centers**.

+ :::image type="content" source="./media/quickstart-configure-dev-box-service/discover-dev-centers.png" alt-text="Screenshot that shows the Azure portal with the search box and the Dev centers result highlighted.":::

+1. On the **Dev centers** page, select **Create**.

+ :::image type="content" source="./media/quickstart-configure-dev-box-service/create-dev-center.png" alt-text="Screenshot that shows the Azure portal Dev centers with Create highlighted.":::

+1. On the **Create a dev center** pane, on the **Basics** tab, enter the following values:

+ |**Subscription**|Select the subscription in which to create the dev center.|

+ |**Resource group**|Select an existing resource group, or select **Create new** and enter a name for the resource group.|

+ |**Location**|Select the location or region to create the dev center in.|

+ :::image type="content" source="./media/quickstart-configure-dev-box-service/create-dev-center-basics.png" alt-text="Screenshot that shows the Create a dev center Basics tab.":::

+ Currently supported Azure locations with capacity are listed in [Frequently asked questions about Microsoft Dev Box](https://aka.ms/devbox_acom).

+1. \[Optional\] On the **Tags** tab, enter a name and value pair that you want to assign.

+ :::image type="content" source="./media/quickstart-configure-dev-box-service/create-dev-center-tags.png" alt-text="Screenshot that shows the Create a dev center Tags tab.":::

+ To check the progress of the dev center deployment, select your notifications on any page in the Azure portal.

+ :::image type="content" source="./media/quickstart-configure-dev-box-service/notifications-pane.png" alt-text="Screenshot that shows the Azure portal notifications pane.":::

+1. When the deployment is complete, select **Go to resource** to go to the dev center overview.

+A network connection determines the region where a dev box is deployed, and it allows a dev box to be connected to your existing virtual networks. The following steps show you how to create and configure a network connection in Microsoft Dev Box.

+- An existing virtual network and subnet. If you don't have a virtual network and subnet available, complete the instructions in [Create a virtual network and subnet](#create-a-virtual-network-and-subnet) to create them.

+- A configured and working Hybrid Azure Active Directory (Azure AD) join or Azure AD join deployment.

+ - **Azure AD join:** To learn how to join devices directly to Azure AD, see [Plan your Azure Active Directory join deployment](../active-directory/devices/azureadjoin-plan.md).

+ - **Hybrid Azure AD join:** To learn how to join your Active Directory Domain Services (AD DS) domain-joined computers to Azure AD from an on-premises AD DS environment, see [Plan your hybrid Azure Active Directory join deployment](../active-directory/devices/hybrid-azuread-join-plan.md).

+- If your organization routes egress traffic through a firewall, you must open certain ports to allow the Dev Box service to function. For more information, see [Network requirements](/windows-365/enterprise/requirements-network).

+You must have a virtual network and a subnet available for your network connection. You can create them by completing these steps:

+1. In the portal search box, enter **virtual network**. In the search results, select **Virtual Network**.

+1. On the **Create virtual network** pane, enter or select this information on the **Basics** tab:

+ | **Subscription** | Select your subscription. |

+ | **Resource group** | Select an existing resource group, or select **Create new** and enter a name for the resource group. |

+ | **Name** | Enter a name for your virtual network. |

+ | **Region** | Enter the location or region you want the virtual network to be created in. |

+ :::image type="content" source="./media/quickstart-configure-dev-box-service/vnet-basics-tab.png" alt-text="Screenshot that shows creating a virtual network in Azure portal.":::

+1. Select the **Review + create** tab. Review the virtual network and subnet configuration.

+Now that you have a virtual network and subnet, you need a network connection to associate the virtual network and subnet with the dev center.

+To create a network connection, complete the steps on the relevant tab:

+#### [Azure AD join](#tab/AzureADJoin/)

+1. In the portal search box, enter **network connections**. In the search results, select **Network connections**.

+1. On the **Network Connections** page, select **Create**.

+ :::image type="content" source="./media/quickstart-configure-dev-box-service/create-network-connection.png" alt-text="Screenshot that shows the Network Connections page with Create highlighted.":::

+1. On the **Create a network connection** pane, on the **Basics** tab, select or enter the following values:

+ Name|Value|

+ |**Subscription**|Select the subscription in which to create the network connection.|

+ |**Resource group**|Select an existing resource group, or select **Create new** and enter a name for the resource group.|

+ :::image type="content" source="./media/quickstart-configure-dev-box-service/create-nc-native-join.png" alt-text="Screenshot that shows the Create a network connection Basics tab with Azure Active Directory join highlighted.":::

+1. Select **Review + Create**.

+1. On the **Review** tab, select **Create**.

+1. When the deployment is complete, select **Go to resource**. The network connection appears on the **Network Connections** page.

+#### [Hybrid Azure AD join](#tab/HybridAzureADJoin/)

+1. In the portal search box, enter **network connections**. In the search results, select **Network connections**.

+1. On the **Network Connections** page, select **Create**.

+ :::image type="content" source="./media/quickstart-configure-dev-box-service/create-network-connection.png" alt-text="Screenshot that shows the Network Connections page with Create highlighted.":::

+1. On the **Create a network connection** pane, on the **Basics** tab, select or enter the following values:

+ |**Subscription**|Select the subscription in which to create the network connection.|

+ |**Resource group**|Select an existing resource group, or select **Create new** and enter a name for the resource group.|

+ |**AD DNS domain name**| Enter the DNS name of the Active Directory domain to use for connecting and provisioning cloud PCs. For example, `corp.contoso.com`. |

+ |**Organizational unit**| \[Optional\] Enter an OU. An organizational unit (OU) is a container within an Active Directory domain that can hold users, groups, and computers. |

+ |**AD username UPN**| Enter the username, in user principal name (UPN) format, that you want to use to connect the cloud PCs to your Active Directory domain. For example, `svcDomainJoin@corp.contoso.com`. This service account must have permissions to join computers to the domain and the target OU, if set. |

+ |**AD domain password**| Enter the password for the user. |

+ :::image type="content" source="./media/quickstart-configure-dev-box-service/create-nc-hybrid-join.png" alt-text="Screenshot that shows the Create a network connection Basics tab with Hybrid Azure Active Directory join highlighted.":::

+1. When the deployment is complete, select **Go to resource**. The network connection appears on the **Network Connections** page.

+## Attach a network connection to a dev center

+To provide networking configuration information for dev boxes, associate a network connection with a dev center.

+1. In the portal search box, enter **dev centers**. In the search results, select **Dev centers**.

+1. Select the dev center you created, and then select **Networking**.

+1. Select **Add**.

+1. On the **Add network connection** pane, select the network connection you created earlier, and then select **Add**.

+After the network connection is attached to the dev center, several health checks are run on the network connection. You can view the status of the checks on the resource overview page. You can add network connections that pass all health checks to a dev center and use them to create dev box pools. Dev boxes that are in dev box pools are created and domain joined in the location of the virtual network that's assigned to the network connection.

+To resolve any errors, see [Troubleshoot Azure network connections](/windows-365/enterprise/troubleshoot-azure-network-connection).

+The following steps show you how to create and configure a dev box definition. A dev box definition defines the image and SKU (compute + storage) that you use when you create a dev box.

+1. On the **Dev box definitions** page, select **Create**.

+1. On the **Create dev box definition** pane, select or enter the following values:

+ |**Image**|Select the base operating system for the dev box. You can select an image from Azure Marketplace or from an instance of the Azure Compute Gallery service. </br> If you're creating a dev box definition for testing purposes, consider using the **Visual Studio 2022 Enterprise on Windows 11 Enterprise + Microsoft 365 Apps 22H2** image. |To use custom images when you create a dev box definition, you can attach an instance of Compute Gallery that has the custom images. Learn [how to configure Azure Compute Gallery](./how-to-configure-azure-compute-gallery.md).|

+ |**Image version**|Select a specific, numbered version to ensure that all the dev boxes in the pool always use the same version of the image. Select **Latest** to ensure that new dev boxes use the latest image available.|When you select **Latest** for **Image version**, the dev box pool can use the most recent version of the image you choose in the gallery. This way, the dev boxes stay up to date with the latest tools and code for your image. Existing dev boxes aren't modified when an image version is updated.|

+ :::image type="content" source="./media/quickstart-configure-dev-box-service/recommended-test-image.png" alt-text="Screenshot that shows the Create dev box definition page.":::

+You can use dev box projects to manage team-level settings, including providing access to development teams so that developers can create dev boxes.

+The following steps show you how to create and configure a project in Microsoft Dev Box.

+1. In the portal search box, enter **projects**. In the search results, select **Projects**.

+1. On the **Projects** page, select **Create**.

+1. On the **Create a project** pane, on the **Basics** tab, select or enter the following values:

+ |**Subscription**|Select the subscription in which to create the project.|

+ |**Resource group**|Select an existing resource group, or select **Create new** and enter a name for the resource group.|

+ |**Dev center**|Select the dev center to associate with this project. All the dev center-level settings are applied to the project.|

+ :::image type="content" source="./media/quickstart-configure-dev-box-service/dev-box-project-create.png" alt-text="Screenshot that shows the Create a dev box project Basics tab.":::

+1. \[Optional\] On the **Tags** tab, enter a name and value pair that you want to assign.

+1. Verify that you see the project on the **Projects** page.

+A dev box pool is a collection of dev boxes that have similar settings. Dev box pools specify the dev box definitions and the network connections dev boxes will use. You must have at least one pool associated with your project before a user can create a dev box.

+The following steps show you how to create a dev box pool that's associated with a project.

+1. In the portal search box, enter **projects**. In the search results, select **Projects**.

+ :::image type="content" source="./media/quickstart-configure-dev-box-service/select-project.png" alt-text="Screenshot that shows the list of existing projects.":::

+1. On the left menu under **Manage**, select **Dev box pools**, and then select **Create**.

+ :::image type="content" source="./media/quickstart-configure-dev-box-service/create-pool.png" alt-text="Screenshot that shows the list of dev box pools in a project. The list is empty.":::

+1. On the **Create a dev box pool** pane, select or enter the following values:

+ |**Name**|Enter a name for the pool. The pool name is visible to developers to select when they're creating dev boxes. The pool name must be unique within a project.|

+ |**Dev box definition**|Select an existing dev box definition. The definition determines the base image and size for the dev boxes that are created in this pool.|

+ |**Network connection**|Select an existing network connection. The network connection determines the region of the dev boxes that are created in this pool.|

+ |**Dev box Creator Privileges**|Select Local Administrator or Standard User.|

+ |**Enable Auto-stop**|**Yes** is the default. Select **No** to disable an Auto-stop schedule. You can configure an Auto-stop schedule after the pool is created.|

+ |**Stop time**| Select a time to shut down all the dev boxes in the pool. All dev boxes in this pool will be shut down at this time every day.|

+ :::image type="content" source="./media/quickstart-configure-dev-box-service/create-pool-details.png" alt-text="Screenshot that shows the Create a dev box pool pane.":::

+1. Verify that the new dev box pool appears in the list. You might need to refresh the page to see the dev box pool.

+ The dev box pool is deployed and health checks are run to ensure that the image and network pass the validation criteria to be used for dev boxes. The following screenshot shows four dev box pools, each with a different status.

+ :::image type="content" source="./media/quickstart-configure-dev-box-service/dev-box-pool-grid-populated.png" alt-text="Screenshot that shows a list of existing pools with four different status messages.":::

+Before a user can create a dev box that's based in the dev box pools in a project, you must give the user access through a role assignment. The Dev Box User role gives a dev box user the permissions to create, manage, and delete their own dev boxes. You must have sufficient permissions to a project before you can assign the role to a user.

+1. In the portal search box, enter **projects**. In the search results, select **Projects**.

+1. Select the project you want to give team members access to.

+ :::image type="content" source="./media/quickstart-configure-dev-box-service/select-project.png" alt-text="Screenshot that shows a list of existing projects.":::

+1. On the left menu, select **Access control (IAM)**.

+1. On the command bar, select **Add** > **Add role assignment**.

+ The user will now be able to view the project and all the pools in it. They can create dev boxes from any of the pools and manage those dev boxes from the [developer portal](https://aka.ms/devbox-portal).

+## Assign project admin role

+Through the Microsoft Dev Box service, you can delegate project administration to a member of the project team. Project admins can assist with the day-to-day management of projects for their team, including creating and managing dev box pools. To give a user permissions to manage projects, assign the DevCenter Project Admin role to the user.

+You can assign the DevCenter Project Admin role by completing the steps in [Provide access to a dev box project](#provide-access-to-a-dev-box-project), but select the Project Admin role instead of the Dev Box User role. For more information, see [Provide access to projects for project admins](how-to-project-admin.md).

+In this quickstart, you created a dev box project and the resources necessary to support it. You created a dev center, added a network connection, created a dev box definition, and created a project. Then, you created a dev box pool within an existing project and assigned user permissions to create dev boxes that are based in the new pool.

+To learn how to create and connect to a dev box, go to the next quickstart:

+> [Create a dev box](./quickstart-create-dev-box.md)

+- If your table has a **JSON** column, any DELETE or UPDATE operations on this table can lead to a failed migration.

+

+- Ensure both the Azure Database Migration Service IP address and the Azure SQL Managed Instance subnet can communicate with the blob container.

+ Title: Azure Data Manager for Agriculture

+description: Describes the properties that are provided for Azure Data Manager for Agriculture events with Azure Event Grid.

+# Azure Data Manager for Agriculture (Preview) as Event Grid source

+This article provides the properties and schema for Azure Data Manager for Agriculture (Preview) events. For an introduction to event schemas, see [Azure Event Grid event schema](event-schema.md) and [Cloud event schema](cloud-event-schema.md).

+## Available event types

+### Farm management related event types

+|Event Name | Description|

+|:--:|:-:|

+|Microsoft.AgFoodPlatform.PartyChanged|Published when a `Party` is created/updated/deleted.|

+|Microsoft.AgFoodPlatform.FarmChangedV2| Published when a `Farm` is created/updated/deleted.|

+|Microsoft.AgFoodPlatform.FieldChangedV2|Published when a `Field` is created/updated/deleted.|

+|Microsoft.AgFoodPlatform.SeasonChanged|Published when a `Season` is created/updated/deleted.|

+|Microsoft.AgFoodPlatform.SeasonalFieldChangedV2|Published when a `Seasonal Field` is created/updated/deleted.|

+|Microsoft.AgFoodPlatform.BoundaryChangedV2|Published when a `Boundary` is created/updated/deleted.|

+|Microsoft.AgFoodPlatform.CropChanged|Published when a `Crop` is created/updated/deleted.|

+|Microsoft.AgFoodPlatform.CropProductChanged|Published when a `Crop Product` is created /updated/deleted.|

+|Microsoft.AgFoodPlatform.AttachmentChangedV2|Published when an `Attachment` is created/updated/deleted.

+|Microsoft.AgFoodPlatform.ManagementZoneChangedV2|Published when a `Management Zone` is created/updated/deleted.|

+|Microsoft.AgFoodPlatform.ZoneChangedV2|Published when an `Zone` is created/updated/deleted.|

+### Satellite data related event types

+|Event Name | Description|

+|:--:|:-:|

+|Microsoft.AgFoodPlatform.SatelliteDataIngestionJobStatusChangedV2| Published when a satellite data ingestion job's status is changed, for example, job is created, has progressed or completed.|

+### Weather data related event types

+|Event Name | Description|

+|:--:|:-:|

+|Microsoft.AgFoodPlatform.WeatherDataIngestionJobStatusChangedV2|Published when a weather data ingestion job's status is changed, for example, job is created, has progressed or completed.|

+|Microsoft.AgFoodPlatform.WeatherDataRefresherJobStatusChangedV2| Published when a weather data refresher job status is changed, for example, job is created, has progressed or completed.|

+### Farm activities data related event types

+|Event Name | Description|

+|:--:|:-:|

+|Microsoft.AgFoodPlatform.ApplicationDataChangedV2|Published when an `Application Data` is created/updated/deleted.|

+|Microsoft.AgFoodPlatform.HarvestDataChangedV2|Published when a `Harvesting Data` is created/updated/deleted.|

+|Microsoft.AgFoodPlatform.TillageDataChangedV2|Published when a `Tillage Data` is created/updated/deleted.|

+|Microsoft.AgFoodPlatform.PlantingDataChangedV2|Published when a `Planting Data` is created/updated/deleted.|

+|Microsoft.AgFoodPlatform.ImageProcessingRasterizeJobStatusChangedV2|Published when an image-processing rasterizes job's status is changed, for example, job is created, has progressed or completed.|

+|Microsoft.AgFoodPlatform.FarmOperationDataIngestionJobStatusChangedV2| Published when a farm operations data ingestion job's status is changed, for example, job is created, has progressed or completed.|

+### Sensor data related event types

+|Event Name | Description|

+|:--:|:-:|

+|Microsoft.AgFoodPlatform.SensorMappingChangedV2|Published when a `Sensor Mapping` is created/updated/deleted.|

+|Microsoft.AgFoodPlatform.SensorPartnerIntegrationChangedV2|Published when a `Sensor Partner Integration` is created/updated/deleted.|

+|Microsoft.AgFoodPlatform.DeviceDataModelChanged|Published when `Device Data Model` is created/updated/deleted.|

+|Microsoft.AgFoodPlatform.DeviceChanged|Published when a `Device` is created/updated/deleted.|

+|Microsoft.AgFoodPlatform.SensorDataModelChanged|Published when a `Sensor Data Model` is created/updated/deleted.|

+|Microsoft.AgFoodPlatform.SensorChanged|Published when a `Sensor` is created/updated/deleted.|

+### Insight and observations related event types

+|Event Name | Description|

+|:--:|:-:|

+|Microsoft.AgFoodPlatform.PrescriptionChangedV2|Published when a `Prescription` is created/updated/deleted.|

+|Microsoft.AgFoodPlatform.PrescriptionMapChangedV2|Published when a `Prescription Map` is created/updated/deleted.|

+|Microsoft.AgFoodPlatform.PlantTissueAnalysisChangedV2|Published when a `Plant Tissue Analysis` data is created/updated/deleted.|

+|Microsoft.AgFoodPlatform.NutrientAnalysisChangedV2|Published when a `Nutrient Analysis` data is created/updated/deleted.|

+|Microsoft.AgFoodPlatform.InsightChangedV2| Published when an `Insight` is created/updated/deleted.|

+|Microsoft.AgFoodPlatform.InsightAttachmentChangedV2| Published when an `Insight Attachment` is created/updated/deleted.|

+### Model inference jobs related event types

+|Event Name | Description|

+|:--:|:-:|

+|Microsoft.AgFoodPlatform.BiomassModelJobStatusChangedV2|Published when a Biomass Model job's status is changed, for example, job is created, has progressed or completed.|

+|Microsoft.AgFoodPlatform.SoilMoistureModelJobStatusChangedV2|Published when a Soil Moisture Model job's status is changed, for example, job is created, has progressed or completed.|

+|Microsoft.AgFoodPlatform.SensorPlacementModelJobStatusChangedV2|Published when a Sensor Placement Model job's status is changed, for example, job is created, has progressed or completed.|

+## Example events

+# [Event Grid event schema](#tab/event-grid-event-schema)

+The following example show schema for **Microsoft.AgFoodPlatform.PartyChanged**:

+```JSON

+[

+ {

+ "data": {

+ "actionType": "Deleted",

+ "modifiedDateTime": "2022-10-17T18:43:37Z",

+ "eTag": "f700fdd7-0000-0700-0000-634da2550000",

+ "properties": {

+ "key1": "value1",

+ "key2": 123.45

+ },

+ "id": "<YOUR-PARTY-ID>",

+ "createdDateTime": "2022-10-17T18:43:30Z"

+ },

+ "id": "23fad010-ec87-40d9-881b-1f2d3ba9600b",

+ "topic": "/subscriptions/{SUBSCRIPTION-ID}/resourceGroups/{RESOURCE-GROUP-NAME}/providers/Microsoft.AgFoodPlatform/farmBeats/{YOUR-RESOURCE-NAME}",

+ "subject": "/parties/<YOUR-PARTY-ID>",

+ "eventType": "Microsoft.AgFoodPlatform.PartyChanged",

+ "dataVersion": "1.0",

+ "metadataVersion": "1",

+ "eventTime": "2022-10-17T18:43:37.3306735Z"

+ }

+]

+```

+# [Cloud event schema](#tab/cloud-event-schema)

+The following example show schema for **Microsoft.AgFoodPlatform.PartyChanged**:

+```JSON

+[

+ {

+ "data": {

+ "actionType": "Deleted",

+ "modifiedDateTime": "2022-10-17T18:43:37Z",

+ "eTag": "f700fdd7-0000-0700-0000-634da2550000",

+ "properties": {

+ "key1": "value1",

+ "key2": 123.45

+ },

+ "id": "<YOUR-PARTY-ID>",

+ "createdDateTime": "2022-10-17T18:43:30Z"

+ },

+ "id": "23fad010-ec87-40d9-881b-1f2d3ba9600b",

+ "source": "/subscriptions/{SUBSCRIPTION-ID}/resourceGroups/{RESOURCE-GROUP-NAME}/providers/Microsoft.AgFoodPlatform/farmBeats/{YOUR-RESOURCE-NAME}",

+ "subject": "/parties/<YOUR-PARTY-ID>",

+ "type": "Microsoft.AgFoodPlatform.PartyChanged",

+ "specversion":"1.0",

+ "time": "2022-10-17T18:43:37.3306735Z"

+ }

+]

+```

+## Event properties

+# [Event Grid event schema](#tab/event-grid-event-schema)

+An event has the following top-level data:

+| Property | Type | Description |

+|:--:|:-:|:-:|

+| `topic` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. |

+| `subject` | string | Publisher-defined path to the event subject. |

+| `eventType` | string | One of the registered event types for this event source. |

+| `eventTime` | string | The time the event is generated based on the provider's UTC time. |

+| `id` | string | Unique identifier for the event. |

+| `data` | object | App Configuration event data. |

+| `dataVersion` | string | The schema version of the data object. The publisher defines the schema version. |

+| `metadataVersion` | string | The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value. |

+# [Cloud event schema](#tab/cloud-event-schema)

+An event has the following top-level data:

+| Property | Type | Description |

+|:--:|:-:|:-:|

+| `source` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. |

+| `subject` | string | Publisher-defined path to the event subject. |

+| `type` | string | One of the registered event types for this event source. |

+| `time` | string | The time the event is generated based on the provider's UTC time. |

+| `id` | string | Unique identifier for the event. |

+| `data` | object | App Configuration event data. |

+| `specversion` | string | CloudEvents schema specification version. |

+The data object has the following common properties:

+### For resource change related event types

+|Property | Type| Description|

+|:--:|:-:|:-:|

+|id| String| Unique ID of resource.|

+|actionType| String| Indicates the change, which triggered publishing of the event. Applicable values are created, updated, deleted.|

+|properties| Object| It contains user defined keyΓÇôvalue pairs.|

+|modifiedDateTime|String| Indicates the time at which the event was last modified.|

+|createdDateTime| String| Indicates the time at which the resource was created.|

+|status| String| Contains the user defined status of the object.|

+|eTag| String| Implements optimistic concurrency.|

+|description| string| Textual description of the resource.|

+|name| string| Name to identify resource.|

+### For job status change related event types

+Property| Type| Description

+|:--:|:-:|:-:|

+|id|String| Unique ID of the job.|

+|name| string| User-defined name of the job.|

+|status|string|Various states a job can be in.|

+|isCancellationRequested| boolean|Flag that gets set when job cancellation is requested.|

+|description|string| Textual description of the job.|

+|partyId|string| Party ID for which job was created.|

+|message|string| Status message to capture more details of the job.|

+|lastActionDateTime|date-time|Date-time when last action was taken on the job, sample format: yyyy-MM-ddTHH:mm:ssZ.|

+|createdDateTime|date-time|Date-time when resource was created, sample format: yyyy-MM-ddTHH:mm:ssZ.|

+|properties| Object| It contains user defined key-value pairs.|

+## Next steps

+* For an introduction to Azure Event Grid, see [What is Event Grid?](overview.md).

+* For more information about how to create an Azure Event Grid subscription, see [Event Grid subscription schema](subscription-creation-schema.md).

+ Title: 'Connect Azure Front Door Premium to a storage static website origin with Private Link'

+description: Learn how to connect your Azure Front Door Premium to a storage static website privately.

+# Connect Azure Front Door Premium to a storage static website with Private Link

+This article guides you through how to configure Azure Front Door Premium tier to connect to your storage static website privately using the Azure Private Link service.

+## Prerequisites

+* An Azure account with an active subscription. You can [create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* Create a [Private Link](../private-link/create-private-link-service-portal.md) service for your origin web server.

+* Storage static website is enabled on your storage account. Learn how to [enable static website](../storage/blobs/storage-blob-static-website-how-to.md?tabs=azure-portal).

+## Enable Private Link to a storage static website

+In this section, you map the Private Link service to a private endpoint created in Azure Front Door's private network.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Within your Azure Front Door Premium profile, under *Settings*, select **Origin groups**.

+1. Select the origin group that contains the storage static website origin you want to enable Private Link for.

+1. Select **+ Add an origin** to add a new storage static website origin or select a previously created storage static website origin from the list.

+ :::image type="content" source="./media/how-to-enable-private-link-storage-static-website/private-endpoint-storage-static-website-primary.png" alt-text="Screenshot of enabling private link to a storage static website primary.":::

+1. The following table has the information of what values to select in the respective fields while enabling private link with Azure Front Door. Select or enter the following settings to configure the storage static website you want Azure Front Door Premium to connect with privately.

+ | Setting | Value |

+ | - | -- |

+ | Name | Enter a name to identify this storage static website origin. |

+ | Origin Type | Storage (Static website) |

+ | Host name | Select the host from the dropdown that you want as an origin. |

+ | Origin host header | You can customize the host header of the origin or leave it as default. |

+ | HTTP port | 80 (default) |

+ | HTTPS port | 443 (default) |

+ | Priority | Different origin can have different priorities to provide primary, secondary, and backup origins. |

+ | Weight | 1000 (default). Assign weights to your different origin when you want to distribute traffic.|

+ | Region | Select the region that is the same or closest to your origin. |

+ | Target sub resource | The type of sub-resource for the resource selected previously that your private endpoint can access. You can select *web* or *web_secondary*. |

+ | Request message | Custom message to see while approving the Private Endpoint. |

+1. Then select **Add** to save your configuration. Then select **Update** to save your changes.

+## Approve private endpoint connection from storage account

+1. Go to the storage account that you want to connect to Azure Front Door Premium privately. Select **Networking** under *Settings*.

+1. In **Networking**, select **Private endpoint connections**.

+ :::image type="content" source="./media/how-to-enable-private-link-storage-static-website/storage-networking-settings.png" alt-text="Screenshot of private endpoint connection tab under storage account networking settings.":::

+1. Select the pending private endpoint request from Azure Front Door Premium then select **Approve**.

+ :::image type="content" source="./media/how-to-enable-private-link-storage-static-website/approve-private-endpoint-connection.png" alt-text="Screenshot of approving private endpoint connection from storage account.":::

+1. Once approved, you can see the private endpoint connection status is **Approved**.

+ :::image type="content" source="./media/how-to-enable-private-link-storage-static-website/approved-private-endpoint-connection.png" alt-text="Screenshot of approved private endpoint connection from storage account.":::

+## Create private endpoint connection to web_secondary

+When creating a private endpoint connection to the storage static website's secondary sub resource, you need to add a **-secondary** suffix to the origin host header. For example, if your origin host header is *contoso.z13.web.core.windows.net*, you need to change it to *contoso-secondary.z13.web.core.windows.net*.

+Once the origin has been added and the private endpoint connection has been approved, you can test your private link connection to your storage static website.

+## Next steps

+Learn about [Private Link service with storage account](../storage/common/storage-private-endpoints.md).

+Install-Module -Name Az.Automation

+Next, use the `Get-AzAutomationAccount` command to identify your Automation

+The properties **ResourceGroupName** and **AutomationAccountName**

+```azurepowershell

+```azurepowershell

+`Export-AzAutomationDscConfiguration`. The resulting file name uses the

+```azurepowershell

+```azurepowershell

+```azurepowershell

+Get-AzAutomationAccount | Get-AzAutomationModule | Where-Object IsGlobal -eq $false

+```azurepowershell

+Get-AzAutomationAccount | Get-AzAutomationModule | Where-Object IsGlobal -eq $true | Find-Module -ErrorAction SilentlyContinue | Where-Object {'' -ne $_.Includes.DscResource} | Select-Object -Property Name, Version -Unique | Format-Table -AutoSize

+```azurepowershell

+Get-AzAutomationAccount | Get-AzAutomationModule | Where-Object IsGlobal -eq $false | Find-Module | Where-Object {'' -ne $_.Includes.DscResource} | Install-Module

+| Apache Spark | 3.1.3 | 2.4.4 |

+| Apache Spark | 3.3 * | 3.1.2 |

+| Apache Zookeeper | 3.6.3 * | 3.4.6 |

+ <a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FHDInsight%2Fhdinsight-kafka-tools%2Fmaster%2Fsrc%2Farm%2FHDInsight4.0%2Fhdinsight-kafka-2.1-spark-2.4-vnet%2Fazuredeploy.json" target="_blank"><img src="./media/hdinsight-apache-spark-with-kafka/hdi-deploy-to-azure1.png" alt="Deploy to Azure button for new cluster"></a>

+ > To guarantee availability of Kafka on HDInsight, your cluster must contain at least four worker nodes. This template creates a Kafka cluster that contains four worker nodes.

+ This template creates an HDInsight 4.0 cluster for both Kafka and Spark.

+ metric_type CHAR(1) NOT NULL,

+ created_date DATE NOT NULL,

+ metric_id INTEGER NOT NULL

+In this article, you'll learn how to use the MedTech service Mapping debugger. The Mapping debugger is a self-service tool that is used for creating, updating, and troubleshooting the MedTech service device and FHIR destination mappings. The Mapping debugger enables you to easily view and make inline adjustments in real-time, without ever having to leave the Azure portal. The Mapping debugger can also be used for uploading test device messages to see how they'll look after being processed into normalized messages and transformed into FHIR Observations.

+* If the storage account uses a __private endpoint__, the workspace private endpoint and storage private endpoint must be in the same VNet. In this case, they can be in different subnets.

+The new Machine Learning extension **requires Azure CLI version `>=2.38.0`**. Ensure this requirement is met:

+mlflow_client = MlflowClient()

+)

+ returned_job_run.info.run_id, 'outputs/model_'+str(batch_size)+'.onnx', local_dir

+* To log metrics, parameters, artifacts and models in your experiments in Azure Machine Learning using MLflow, just import MLflow in your script:

+ ```python

+ import mlflow

+ ```

+MLflow supports two ways of logging images. Both of them persists the given image as an artifact inside of the run.

+## Logging files

+In general, files in MLflow are called artifacts. You can log artifacts in multiple ways in Mlflow:

+> [!TIP]

+> When __loggiging large files__, you may encounter the error `Failed to flush the queue within 300 seconds`. Usually, it means the operation is timing out before the upload of the file is completed. Consider increasing the timeout value by adjusting the environment variable `AZUREML_ARTIFACTS_DEFAULT_VALUE`.

+> [!TIP]

+> When __loggiging large models__, you may encounter the error `Failed to flush the queue within 300 seconds`. Usually, it means the operation is timing out before the upload of the model artifacts is completed. Consider increasing the timeout value by adjusting the environment variable `AZUREML_ARTIFACTS_DEFAULT_VALUE`.

+> You can control what gets automatically logged with autolog. For instance, if you indicate `mlflow.autolog(log_models=False)`, MLflow will log everything but models for you. Such control is useful in cases where you want to log models manually but still enjoy automatic logging of metrics and parameters. Also notice that some frameworks may disable automatic logging of models if the trained model goes behond specific boundaries. Such behavior depends on the flavor used and we recommend you to view they documentation if this is your case.

+ml_client_registry = MLClient(credential=credential,

+ registry_name="<REGISTRY_NAME>",

+ registry_location="<REGISTRY_REGION>")

+These types of environments have two subtypes. For the first type, BYOC (bring your own container), you bring an existing Docker image to Azure Machine Learning. For the second type, Docker build context based environments, Azure Machine Learning materializes the image from the context that you provide.

+Azure Machine Learning creates a new isolated conda environment by materializing your conda specification on top of a base Docker image. By default, Azure Machine Learning adds common features to the derived image.

+Azure Machine Learning's primary focus is to guarantee reproducibility. Environments fall under three categories: curated,

+You use **system-managed environments** when you want conda to manage the Python environment for you. Azure Machine Learning creates a new isolated conda environment by materializing your conda specification on top of a base Docker image. While Azure Machine Learning patches base images with each release, whether you use the

+ * You must specify a base Docker image for the environment; Azure Machine Learning builds the conda environment on top of the Docker image provided

+* [Python SDK v2 workspace connections](https://github.com/Azure/azureml-examples/blob/main/sdk/python/resources/connections/connections.ipynb)

+* [Python SDK v2 workspace connections](https://github.com/Azure/azureml-examples/blob/main/sdk/python/resources/connections/connections.ipynb)

+* [Python SDK v2 workspace connections](https://github.com/Azure/azureml-examples/blob/main/sdk/python/resources/connections/connections.ipynb)

+This issue can happen when Azure Machine Learning fails to find your Dockerfile. As a default, Azure Machine Learning looks for a Dockerfile named 'Dockerfile' at the root of your build context directory unless you specify a Dockerfile path.

+You must specify a base Docker image for the environment, and Azure Machine Learning then builds the conda environment on top of that image

+You must specify a base Docker image for the environment, and Azure Machine Learning then builds the conda environment on top of that image

+* Failure in running jobs because Azure Machine Learning implicitly builds the environment in the first step.

+* Failure in running jobs because Azure Machine Learning implicitly builds the environment in the first step.

+* Set [workspace connections](https://github.com/Azure/azureml-examples/blob/main/sdk/python/resources/connections/connections.ipynb) for the container registry if needed

+**Resources**

+* [Workspace connections v1](https://aka.ms/azureml/environment/set-connection-v1)

+* Failure in running jobs because Azure Machine Learning implicitly builds the environment in the first step.

+* Failure in running jobs because Azure Machine Learning implicitly builds the environment in the first step.

+* Failure in running jobs because Azure Machine Learning implicitly builds the environment in the first step.

+* Failure in running jobs because Azure Machine Learning implicitly builds the environment in the first step.

+* Failure in running jobs because Azure Machine Learning implicitly builds the environment in the first step.

+* Failure in running jobs because Azure Machine Learning implicitly builds the environment in the first step.

+* Failure in running jobs because Azure Machine Learning implicitly builds the environment in the first step.

+* Failure in running jobs because Azure Machine Learning implicitly builds the environment in the first step.

+* Failure in running jobs because Azure Machine Learning implicitly builds the environment in the first step.

+* Failure in running jobs because Azure Machine Learning implicitly builds the environment in the first step.

+* Failure in running jobs because Azure Machine Learning implicitly builds the environment in the first step.

+* Azure Machine Learning requires Python 2.5 or 3.5+, but Python 3.7+ is recommended

+* Failure in running jobs because Azure Machine Learning implicitly builds the environment in the first step.

+* [Python SDK v2 workspace connections](https://github.com/Azure/azureml-examples/blob/main/sdk/python/resources/connections/connections.ipynb)

+* Failure in running jobs because Azure Machine Learning implicitly builds the environment in the first step.

+* Failure in running jobs because Azure Machine Learning implicitly builds the environment in the first step.

+* Failure in running jobs because Azure Machine Learning implicitly builds the environment in the first step.

+* Failure in running jobs because Azure Machine Learning implicitly builds the environment in the first step.

+* Failure in running jobs because Azure Machine Learning implicitly builds the environment in the first step.

+* Failure in running jobs because Azure Machine Learning implicitly builds the environment in the first step.

+* Failure in running jobs because Azure Machine Learning implicitly builds the environment in the first step.

+* Failure in running jobs because Azure Machine Learning implicitly builds the environment in the first step.

+* Failure in running jobs because Azure Machine Learning implicitly builds the environment in the first step.

+* Failure in running jobs because Azure Machine Learning implicitly builds the environment in the first step.

+* Failure in running jobs because Azure Machine Learning implicitly builds the environment in the first step.

+| `is_deterministic` | boolean |This option determines if the component will produce the same output for the same input data. You should usually set this to `false` for components that load data from external sources, such as importing data from a URL. This is because the data at the URL might change over time. | | `true` |

+**Supported SQL configuration** | Discovery of standalone, highly available, and disaster protected SQL deployments is supported. Discovery of HADR SQL deployments powered by Always On Failover Cluster Instances and Always On Availability Groups is also supported.

+**Supported SQL configuration** | Discovery of standalone, highly available, and disaster protected SQL deployments is supported. Discovery of HADR SQL deployments powered by Always On Failover Cluster Instances and Always On Availability Groups is also supported.

+| `sum_timer_wait` | double| YES| Total execution time of this query during the interval in milliseconds|

+| `avg_timer_wait` | double| YES| Average execution time for this query during the interval in milliseconds|

+| `min_timer_wait` | double| YES| Minimum execution time for this query in milliseconds|

+| `max_timer_wait` | double| YES| Maximum execution time in milliseconds|

+oc exec -n openshift-apiserver $(oc get pod -n openshift-apiserver -o jsonpath="{.items[0].metadata.name}") -- cat /var/lib/kubelet/config.json

+#### Selecting a different ARO version

+You can select to use a specific version of ARO when creating your cluster. First, use the CLI to query for available ARO versions:

+`az aro get-versions --location <region>`

+Once you've chosen the version, specify it using the `--version` parameter in the `aro create` command:

+```azurecli-interactive

+az aro create \

+ --resource-group $RESOURCEGROUP \

+ --name $CLUSTER \

+ --vnet aro-vnet \

+ --master-subnet master-subnet \

+ --worker-subnet worker-subnet

+ --version <x.y.z>

+```

+description: Operator Nexus uses Azure Monitor and collects and aggregates data in Azure Log Analytics Workspace (LAW). The analysis, visualization, and alerting is performed on this collected data.

+- Azure Log Analytics Workspace (LAW) collects and aggregates logging data from multiple Azure subscriptions and tenants

+resources. The data collected from each of your instances can be viewed in your LAW.

+instance. These collected logs are routed to your Azure Monitor LAW.

+You should follow the steps to deploy the [Azure monitoring agents](/azure/azure-monitor/agents/agents-overview#install-the-agent-and-configure-data-collection). The data would be collected in your Azure LAW.

+You can use the sample Azure Resource Manager workbook templates for [Operator Nexus Logging and Monitoring](https://github.com/microsoft/AzureMonitorCommunity/tree/master/Azure%20Services/Azure%20Operator%20Distributed%20Services) to deploy Azure Workbooks within your Azure LAW.

+## Log Analytic Workspace

+A [LAW](/azure/azure-monitor/logs/log-analytics-workspace-overview)

+A single LAW can be created to collect all relevant data or multiple workspaces based on operator requirements.

+### Network Fabric Controller

+The Network Fabric Controller (NFC) is a resource that automates the life cycle management of all network devices deployed in an Operator Nexus instance.

+An NFC can manage the Network Fabric of many (subject to limits) Operator Nexus instances.

+### Network Fabric

+The Network Fabric resource models a collection of network devices, compute servers, and storage appliances, and their interconnections. The Network Fabric resource also includes the networking required for your network functions and workloads. Each Operator Nexus instance has one Network Fabric.

+The Network Fabric Controller (NFC) performs the lifecycle management of the Network Fabric.

+It configures and bootstraps the Network Fabric resources.

+Each cluster is mapped to the on-premises Network Fabric. A cluster provides a holistic view of the deployed compute capacity.

+### Network Rack

+The Network Rack consists of Consumer Edge (CE) routers, Top of Rack switches (ToRs), storage appliance, Network Packet Broker (NPB), and the Terminal Server (TS).

+The Rack also models the connectivity to the operator's Physical Edge switches (PEs) and the ToRs on the other Racks.

+- **Cloud Services Network Resource**: provides VMs/AKS-Hybrid clusters access to cloud services such as DNS, NTP, and user-specified Azure PaaS services. You must create at least one Cloud Services Network (CSN) in each of your Operator Nexus instances. Each CSN can be reused by many VMs and/or AKS-Hybrid clusters.

+- Power off the BMM

+1. Get the Resource group name that you created for `Cluster` resource

+## Power off the BMM

+## Start the BMM

+| <b>Compute scaling (User-initiated)| During compute scaling operation, active checkpoints are allowed to complete, client connections are drained, any uncommitted transactions are canceled, storage is detached, and then it's shut down. A new flexible server with the same database server name is provisioned with the scaled compute configuration. The storage is then attached to the new server and the database is started which performs recovery if necessary before accepting client connections. |

+| <b>Scaling up storage (User-initiated) | When a scaling up storage operation is initiated, active checkpoints are allowed to complete, client connections are drained, and any uncommitted transactions are canceled. After that the server is shut down. The storage is scaled to the desired size and then attached to the new server. A recovery is performed if needed before accepting client connections. Note that scaling down of the storage size isn't supported. |

+Unplanned downtimes can occur as a result of unforeseen disruptions such as underlying hardware fault, networking issues, and software bugs. If the database server configured with high availability goes down unexpectedly, then the standby replica is activated and the clients can resume their operations. If not configured with high availability (HA), then if the restart attempt fails, a new database server is automatically provisioned. While an unplanned downtime can't be avoided, flexible server helps mitigating the downtime by automatically performing recovery operations without requiring human intervention.

+In the event of the Azure Database for PostgreSQL - Flexible Server service outage, you'll be able to see additional details related to the outage in the following places.

+### Unplanned downtime: failure scenarios and service recovery

+| <B>Storage failure | Applications don't see any impact for any storage-related issues such as a disk failure or a physical block corruption. As the data is stored in three copies, the copy of the data is served by the surviving storage. The corrupted data block is automatically repaired and a new copy of the data is automatically created. | For any rare and non-recoverable errors such as the entire storage is inaccessible, the flexible server is failed over to the standby replica to reduce the downtime. For more information, see [HA concepts page](./concepts-high-availability.md). |

+| <b> Logical/user errors | To recover from user errors, such as accidentally dropped tables or incorrectly updated data, you have to perform a [point-in-time recovery](../concepts-backup.md) (PITR). While performing the restore operation, you specify the custom restore point, which is the time right before the error occurred.<br> <br> If you want to restore only a subset of databases or specific tables rather than all databases in the database server, you can restore the database server in a new instance, export the table(s) via [pg_dump](https://www.postgresql.org/docs/current/app-pgdump.html), and then use [pg_restore](https://www.postgresql.org/docs/current/app-pgrestore.html) to restore those tables into your database. | These user errors aren't protected with high availability as all changes are replicated to the standby replica synchronously. You have to perform point-in-time restore to recover from such errors. |

+To determine your current SSL connection status you can load the [sslinfo extension](concepts-extensions.md) and then call the `ssl_is_used()` function to determine if SSL is being used. The function returns t if the connection is using SSL, otherwise it returns f. You can also collect all the information about your Azure Database for PostgreSQL - Flexible Server instance's SSL usage by process, client, and application by using the following query:

+```sql

+SELECT datname as "Database name", usename as "User name", ssl, client_addr, application_name, backend_type

+ FROM pg_stat_ssl

+ JOIN pg_stat_activity

+ ON pg_stat_ssl.pid = pg_stat_activity.pid

+ ORDER BY ssl;

+```

+ Title: 'Quickstart: Create an Azure Database for PostgreSQL Flexible Server - Bicep'

+### Determining SSL connections status

+You can also collect all the information about your Azure Database for PostgreSQL - Single Server instance's SSL usage by process, client, and application by using the following query:

+```sql

+SELECT datname as "Database name", usename as "User name", ssl, client_addr, application_name, backend_type

+ FROM pg_stat_ssl

+ JOIN pg_stat_activity

+ ON pg_stat_ssl.pid = pg_stat_activity.pid

+ ORDER BY ssl;

+```

+2. Save your changes. The asset has a "Certified" label next to the asset name.

+All assets selected have the "Certified" label.

+When search or browsing the data catalog, you see a certification label on any asset that is certified. Certified assets boosted in search results to help data consumers discover them easily.

+Discover your assets in the Microsoft Purview Data Catalog by either:

+ > [!Note]

+ > Toggle on **Lineage extraction** will trigger daily scan.

+1. You can scope your scan to specific tables by choosing the appropriate items in the list after enter Database name.

+- For App Services that are configured to be zone redundant, the platform automatically spreads the VM instances in the App Service plan across three zones in the selected region. If a VM instance capacity larger than three is specified and the number of instances is a multiple of three (3 * N), the instances will be spread evenly. However, if the number of instances is not a multiple of three, the remainder of the instances will get spread across the remaining one or two zones.

+Applications that are deployed in an App Service plan that has availability zones enabled will continue to run and serve traffic if a single zone becomes unavailable. However it's possible that non-runtime behaviors including App Service plan scaling, application creation, application configuration, and application publishing may still be impacted from an outage in other Availability Zones. Zone redundancy for App Service plans only ensures continued uptime for deployed applications.

+This article summarizes all the [Extension resource types ](/articles/azure-resource-manager/management/extension-resource-types.md)that are currently supported while moving Azure resources across regions using Azure resource mover.

+> [!NOTE]

+> Removing a guest user from your Azure Active Directory does not remove the guest user's classic Co-Administrator access to a subscription. You must follow the steps in the [Remove a Co-Administrator](#remove-a-co-administrator) section to remove the guest user's classic Co-Administrator access to a subscription.

+## Re-enabling proxies in v4.x

+Azure Functions supports [re-enabling proxies in v4.x](../azure-functions/legacy-proxies.md#re-enable-proxies-in-functions-v4x). To enable proxy support in managed functions for your static web app, set `SWA_ENABLE_PROXIES_MANAGED_FUNCTIONS` to `true` in your application settings.

+[!NOTE] While proxies are supported in v4.x, consider using Azure API Management integration with your managed function apps, so your app isn't reliant on proxies.

+ You can generate inventory reports for blobs and containers. A report for blobs can contain base blobs, snapshots, content length, blob versions and their associated properties such as creation time, last modified time. Empty containers arenΓÇÖt listed in the Blob Inventory report. A report for containers describes containers and their associated properties such as immutability policy status, legal hold status.

+ Title: Spark Common Data Model connector for Azure Synapse Analytics

+description: Learn how to use the Spark CDM connector in Azure Synapse Analytics to read and write Common Data Model entities in a Common Data Model folder on Azure Data Lake Storage.

+# Spark Common Data Model connector for Azure Synapse Analytics

+The Spark Common Data Model connector (Spark CDM connector) is a format reader/writer in Azure Synapse Analytics. It enables a Spark program to read and write Common Data Model entities in a Common Data Model folder via Spark DataFrames.

+For information on defining Common Data Model documents by using Common Data Model 1.2, see [this article about what Common Data Model is and how to use it](/common-data-model/).

+## Capabilities

+At a high level, the connector supports:

+* Spark 2.4, 3.1, and 3.2.

+* Reading data from an entity in a Common Data Model folder into a Spark DataFrame.

+* Writing from a Spark DataFrame to an entity in a Common Data Model folder based on a Common Data Model entity definition.

+* Writing from a Spark DataFrame to an entity in a Common Data Model folder based on the DataFrame schema.

+The connector also supports:

+* Reading and writing to Common Data Model folders in Azure Data Lake Storage with a hierarchical namespace (HNS) enabled.

+* Reading from Common Data Model folders described by either manifest or *model.json* files.

+* Writing to Common Data Model folders described by a manifest file.

+* Data in CSV format with or without column headers, and with user-selectable delimiter characters.

+* Data in Apache Parquet format, including nested Parquet.

+* Submanifests on read, and optional use of entity-scoped submanifests on write.

+* Writing data via user-modifiable partition patterns.

+* Use of managed identities and credentials in Azure Synapse Analytics.

+* Resolving Common Data Model alias locations used in imports via Common Data Model adapter definitions described in a *config.json* file.

+The connector doesn't support the following capabilities and scenarios:

+* Parallel writes. We don't recommend them. There's no locking mechanism at the storage layer.

+* Programmatic access to entity metadata after you read an entity.

+* Programmatic access to set or override metadata when you're writing an entity.

+* Schema drift, where data in a DataFrame that's being written includes extra attributes not included in the entity definition.

+* Schema evolution, where entity partitions reference different versions of the entity definition. You can verify the version by running `com.microsoft.cdm.BuildInfo.version`.

+* Write support for *model.json*.

+* Writing `Time` data to Parquet. Currently, the connector supports overriding a time stamp column to be interpreted as a Common Data Model `Time` value rather than a `DateTime` value for CSV files only.

+* The Parquet `Map` type, arrays of primitive types, and arrays of array types. Common Data Model doesn't currently support them, so neither does the Spark CDM connector.

+To start using the connector, check out the [sample code and Common Data Model files](https://github.com/Azure/spark-cdm-connector/tree/spark3.2/samples).

+When the connector reads data, it uses metadata in the Common Data Model folder to create the DataFrame based on the resolved entity definition for the specified entity, as referenced in the manifest. The connector uses entity attribute names as DataFrame column names. It maps attribute data types to column data types. When the DataFrame is loaded, it's populated from the entity partitions identified in the manifest.

+The connector looks in the specified manifest and any first-level submanifests for the specified entity. If the required entity is in a second-level or lower submanifest, or if there are multiple entities of the same name in different submanifests, you should specify the submanifest that contains the required entity rather than the root manifest.

+Entity partitions can be in a mix of formats (for example, CSV and Parquet). All the entity data files identified in the manifest are combined into one dataset regardless of format and loaded to the DataFrame.

+When the connector reads CSV data, it uses the Spark `failfast` option by default. If the number of columns isn't equal to the number of attributes in the entity, the connector returns an error.

+Alternatively, as of 0.19, the connector supports permissive mode (only for CSV files). With permissive mode, when a CSV row has a lower number of columns than the entity schema, the connector assigns null values for the missing columns. When a CSV row has more columns than the entity schema, the columns greater than the entity schema column count are truncated to the schema column count. Usage is as follows:

+.option("mode", "permissive") or .option("mode", "failfast")

+When the connector writes to a Common Data Model folder, if the entity doesn't already exist in that folder, the connector creates a new entity and definition. It adds the entity and definition to the Common Data Model folder and references them in the manifest.

+The connector supports two writing modes:

+* **Explicit write**: The physical entity definition is based on a logical Common Data Model entity definition that you specify.

+ The connector reads and resolves the specified logical entity definition to create the physical entity definition used in the Common Data Model folder. If import statements in any directly or indirectly referenced Common Data Model definition file include aliases, you must provide a *config.json* file that maps these aliases to Common Data Model adapters and storage locations.

+ * If the DataFrame schema doesn't match the referenced entity definition, the connector returns an error. Ensure that the column data types in the DataFrame match the attribute data types in the entity, including for decimal data, precision, and scale set via traits in Common Data Model.

+ * If the DataFrame is inconsistent with the entity definition, the connector returns an error.

+ * If the DataFrame is consistent:

+ * If the entity already exists in the manifest, the connector resolves the provided entity definition and validates it against the definition in the Common Data Model folder. If the definitions don't match, the connector returns an error. Otherwise, the connector writes data and updates the partition information in the manifest.

+ * If the entity doesn't exist in the Common Data Model folder, the connector writes a resolved copy of the entity definition to the manifest in the Common Data Model folder. The connector writes data and updates the partition information in the manifest.

+* **Implicit write**: The entity definition is derived from the DataFrame structure.

+ * If the entity doesn't exist in the Common Data Model folder, the connector uses the implicit definition to create the resolved entity definition in the target Common Data Model folder.

+ * If the entity exists in the Common Data Model folder, the connector validates the implicit definition against the existing entity definition. If the definitions don't match, the connector returns an error. Otherwise, the connector writes data, and it writes derived logical entity definitions into a subfolder of the entity folder.

+ The connector writes data to data folders within an entity subfolder. A save mode determines whether the new data overwrites or is appended to existing data, or an error is returned if data exists. The default is to return an error if data already exists.

+## Common Data Model alias integration

+Common Data Model definition files use aliases in import statements to simplify the import statements and allow the location of the imported content to be late bound at runtime. Using aliases:

+* Facilitates easy organization of Common Data Model files so that related Common Data Model definitions can be grouped together at different locations.

+* Allows Common Data Model content to be accessed from different deployed locations at runtime.

+The following snippet shows the use of aliases in import statements in a Common Data Model definition file:

+The preceding example uses `cdm` as an alias for the location of the Common Data Model foundations file. It uses `core` as an alias for the location of the `TrackedEntity` definition file.

+Aliases are text labels that are matched to a namespace value in an adapter entry in a Common Data Model *config.json* file. An adapter entry specifies the adapter type (for example, `adls`, `CDN`, `GitHub`, or `local`) and a URL that defines a location. Some adapters support other configuration options, such as a connection timeout. Whereas aliases are arbitrary text labels, the `cdm` alias is treated in a special way.

+The Spark CDM connector looks in the entity definition's model root location for the *config.json* file to load. If the *config.json* file is at some other location or you want to override the *config.json* file in the model root, you can provide the location of a *config.json* file by using the `configPath` option. The *config.json* file must contain adapter entries for all the aliases used in the Common Data Model code that's being resolved, or the connector reports an error.

+The ability to override the *config.json* file means that you can provide runtime-accessible locations for Common Data Model definitions. Ensure that the content that's referenced at runtime is consistent with the definitions that were used when Common Data Model was originally authored.

+By convention, the `cdm` alias refers to the location of the root-level standard Common Data Model definitions, including the *foundations.cdm.json* file. This file includes the Common Data Model primitive data types and a core set of trait definitions required for most Common Data Model entity definitions.

+You can resolve the `cdm` alias like any other alias, by using an adapter entry in the *config.json* file. If you don't specify an adapter or you provide a null entry, the `cdm` alias is resolved by default to the Common Data Model public content delivery network (CDN) at `https://cdm-schema.microsoft.com/logical/`.

+You can also use the `cdmSource` option to override how the `cdm` alias is resolved. Using the `cdmSource` option is useful if the `cdm` alias is the only alias used in the Common Data Model definitions that are being resolved, because it can avoid the need to create or reference a *config.json* file.

+## Parameters, options, and save mode

+For both reads and writes, you provide the Spark CDM connector's library name as a parameter. You use a set of options to parameterize the behavior of the connector. When you're writing, the connector also supports a save mode.

+The connector library name, options, and save mode are formatted as follows:

+* `dataframe.read.format("com.microsoft.cdm") [.option("option", "value")]*`

+* `dataframe.write.format("com.microsoft.cdm") [.option("option", "value")]* .mode(savemode.\<saveMode\>)`

+Here's an example that shows some of the options in using the connector for reads:

+### Common read and write options

+The following options identify the entity in the Common Data Model folder that you're reading or writing to.

+|`storage`|The endpoint URL for the Azure Data Lake Storage account, with HNS enabled, that contains the Common Data Model folder. <br/>Use the `dfs.core.windows.net` URL. | `<accountName>.dfs.core.windows.net` `"myAccount.dfs.core.windows.net"`|

+|`manifestPath`|The relative path to the manifest or *model.json* file in the storage account. For reads, it can be a root manifest or a submanifest or a *model.json* file. For writes, it must be a root manifest.|`<container>/{<folderPath>}<manifestFileName>`, <br/>`"mycontainer/default.manifest.cdm.json"` `"models/hr/employees.manifest.cdm.json"` <br/> `"models/hr/employees/model.json"` (read only)|

+|`entity`| The name of the source or target entity in the manifest. When you're writing an entity for the first time in a folder, the connector gives the resolved entity definition this name. The entity name is case sensitive.| `<entityName>` <br/>`"customer"`|

+|`maxCDMThreads`| The maximum number of concurrent reads while the connector resolves an entity definition. | Any valid integer, such as `5`|

+> You no longer need to specify a logical entity definition in addition to the physical entity definition in the Common Data Model folder on read.

+The following options identify the logical entity definition for the entity that's being written. The logical entity definition is resolved to a physical definition that defines how the entity is written.

+|**Option** |**Description** |**Pattern or example usage** |

+|`entityDefinitionStorage` |The Azure Data Lake Storage account that contains the entity definition. Required if it's different from the storage account that hosts the Common Data Model folder.|`<accountName>.dfs.core.windows.net`<br/>`"myAccount.dfs.core.windows.net"`|

+|`entityDefinitionModelRoot`|The location of the model root or corpus within the account. |`<container>/<folderPath>` <br/> `"crm/core"`|

+|`entityDefinitionPath`|The location of the entity. It's the file path to the Common Data Model definition file relative to the model root, including the name of the entity in that file.|`<folderPath>/<entityName>.cdm.json/<entityName>`<br/>`"sales/customer.cdm.json/customer"`|

+`configPath`| The container and folder path to a *config.json* file that contains the adapter configurations for all aliases included in the entity definition file and any directly or indirectly referenced Common Data Model files. <br/><br/>This option is not required if *config.json* is in the model root folder.| `<container><folderPath>`|

+|`useCdmStandardModelRoot` | Indicates that the model root is located at [https://cdm-schema.microsoft.com/CDM/logical/](https://github.com/microsoft/CDM/tree/master/schemaDocuments). Used to reference entity types defined in the Common Data Model CDN. Overrides `entityDefinitionStorage` and `entityDefinitionModelRoot` (if specified).<br/>| `"useCdmStandardModelRoot"` |

+|`cdmSource`|Defines how the `cdm` alias (if it's present in Common Data Model definition files) is resolved. If you use this option, it overrides any `cdm` adapter specified in the *config.json* file. Values are `builtin` or `referenced`. The default value is `referenced`.<br/><br/> If you set this option to `referenced`, the connector uses the latest published standard Common Data Model definitions at `https://cdm-schema.microsoft.com/logical/`. If you set this option to `builtin`, the connector uses the Common Data Model base definitions built in to the Common Data Model object model that the connector is using. <br/><br/> Note: <br/> * The Spark CDM connector might not be using the latest Common Data Model SDK, so it might not contain the latest published standard definitions. <br/> * The built-in definitions include only the top-level Common Data Model content, such as *foundations.cdm.json* or *primitives.cdm.json*. If you want to use lower-level standard Common Data Model definitions, either use `referenced` or include a `cdm` adapter in *config.json*.| `"builtin"`\|`"referenced"` |

+In the preceding example, the full path to the customer entity definition object is `https://myAccount.dfs.core.windows.net/models/crm/core/sales/customer.cdm.json/customer`. In that path, *models* is the container in Azure Data Lake Storage.

+If you don't specify a logical entity definition on write, the entity is written implicitly, based on the DataFrame schema.

+When you're writing implicitly, a time stamp column is normally interpreted as a Common Data Model `DateTime` data type. You can override this interpretation to create an attribute of the Common Data Model `Time` data type by providing a metadata object that's associated with the column that specifies the data type. For details, see [Handling Common Data Model time data](#handling-common-data-model-time-data) later in this article.

+Support for writing time data exists for CSV files only. That support currently doesn't extend to Parquet.

+You can use the following options to change folder organization and file format.

+|**Option** |**Description** |**Pattern or example usage** |

+|`useSubManifest`|If `true`, causes the target entity to be included in the root manifest via a submanifest. The submanifest and the entity definition are written into an entity folder beneath the root. Default is `false`.|`"true"`\|`"false"` |

+|`format`|Defines the file format. Current supported file formats are CSV and Parquet. Default is `csv`.|`"csv"`\|`"parquet"` <br/> |

+|`delimiter`|CSV only. Defines the delimiter that you're using. Default is comma. | `"|"` |

+|`columnHeaders`| CSV only. If `true`, adds a first row to data files with column headers. Default is `true`.|`"true"`\|`"false"`|

+|`compression`|Write only. Parquet only. Defines the compression format that you're using. Default is `snappy`. |`"uncompressed"` \| `"snappy"` \| `"gzip"` \| `"lzo"` |

+|`dataFolderFormat`|Allows a user-definable data folder structure within an entity folder. Allows you to substitute date and time values into folder names by using `DateTimeFormatter` formatting. Non-formatter content must be enclosed in single quotation marks. Default format is `"yyyy"-"MM"-"dd"`, which produces folder names like *2020-07-30*.| `year "yyyy" / month "MM"` <br/> `"Data"`|

+The save mode specifies how the connector handles existing entity data in the Common Data Model folder when you're writing a DataFrame. Options are to overwrite, append to, or return an error if data already exists. The default save mode is `ErrorIfExists`.

+|**Mode**|**Description**|

+|`SaveMode.Overwrite` |Overwrites the existing entity definition if it's changed and replaces existing data partitions with the data partitions that are being written.|

+|`SaveMode.Append` |Appends data that's being written in new partitions alongside the existing partitions.<br/><br/>This mode doesn't support changing the schema. If the schema of the data that's being written is incompatible with the existing entity definition, the connector throws an error.|

+|`SaveMode.ErrorIfExists`|Returns an error if partitions already exist.|

+For details of how data files are named and organized on write, see the [Folder and file naming and organization](#naming-and-organization-of-folders-and-files) section later in this article.

+You can use three modes of authentication with the Spark CDM connector to read or write the Common Data Model metadata and data partitions: credential passthrough, shared access signature (SAS) token, and app registration.

+### Credential passthrough

+In Azure Synapse Analytics, the Spark CDM connector supports the use of [managed identities for Azure resources](../../../active-directory/managed-identities-azure-resources/overview.md) to mediate access to the Azure Data Lake Storage account that contains the Common Data Model folder. A managed identity is [automatically created for every Azure Synapse Analytics workspace](/cli/azure/synapse/workspace/managed-identity). The connector uses the managed identity of the workspace that contains the notebook in which the connector is called to authenticate to the storage accounts.

+You must ensure that the chosen identity has access to the appropriate storage accounts:

+* Grant Storage Blob Data Contributor permissions to allow the library to write to Common Data Model folders.

+* Grant Storage Blob Data Reader permissions to allow only read access.

+In both cases, no extra connector options are required.

+### Options for SAS token-based access control

+SAS token credentials are an extra option for authentication to storage accounts. With SAS token authentication, the SAS token can be at the container or folder level. The appropriate permissions are required:

+* Read permissions for a manifest or partition need only read-level support.

+* Write permissions need both read and write support.

+| **Option** |**Description** |**Pattern and example usage** |

+| `sasToken` |The SAS token to access the relative storage account with the correct permissions | `<token>`|

+### Options for credential-based access control

+As an alternative to using a managed identity or a user identity, you can provide explicit credentials to enable the Spark CDM connector to access data. In Azure Active Directory, [create an app registration](../../../active-directory/develop/quickstart-register-app.md). Then grant this app registration access to the storage account by using either of the following roles:

+* Storage Blob Data Contributor to allow the library to write to Common Data Model folders

+* Storage Blob Data Reader to allow only read permissions

+After you create permissions, you can pass the app ID, app key, and tenant ID to the connector on each call to it by using the following options. We recommend that you use Azure Key Vault to store these values to ensure that they aren't stored in clear text in your notebook file.

+| `appId` | The app registration ID for authentication to the storage account | `<guid>` |

+| `appKey` | The registered app key or secret | `<encrypted secret>` |

+| `tenantId` | The Azure Active Directory tenant ID under which the app is registered | `<guid>` |

+The following examples all use `appId`, `appKey`, and `tenantId` variables. You initialized these variables earlier in the code, based on an Azure app registration: Storage Blob Data Contributor permissions on the storage for write, and Storage Blob Data Reader permissions for read.

+This code reads the `Person` entity from the Common Data Model folder with a manifest in `mystorage.dfs.core.windows.net/cdmdata/contacts/root.manifest.cdm.json`:

+### Implicit write by using a DataFrame schema only

+The following code writes the `df` DataFrame to a Common Data Model folder with a manifest to `mystorage.dfs.core.windows.net/cdmdata/Contacts/default.manifest.cdm.json` with an event entity.

+The code writes event data as Parquet files, compresses it with `gzip`, and appends it to the folder. (The code adds new files without deleting existing files.)

+### Explicit write by using an entity definition stored in Data Lake Storage

+The following code writes the `df` DataFrame to a Common Data Model folder with a manifest at

+`https://_mystorage_.dfs.core.windows.net/cdmdata/Contacts/root.manifest.cdm.json` with the `Person` entity. The code writes person data as new CSV files (by default) that overwrite existing files in the folder.

+The code retrieves the `Person` entity definition from

+`https://_mystorage_.dfs.core.windows.net/models/cdmmodels/core/Contacts/Person.cdm.json`.

+### Explicit write by using an entity defined in the Common Data Model GitHub repo

+The following code writes the `df` DataFrame to a Common Data Model folder with:

+* The manifest at `https://_mystorage_.dfs.core.windows.net/cdmdata/Teams/root.manifest.cdm.json`.

+* A submanifest that contains the `TeamMembership` entity that's created in a *TeamMembership* subdirectory.

+`TeamMembership` data is written to CSV files (the default) that overwrite any existing data files. The code retrieves the `TeamMembership` entity definition from the Common Data Model CDN at

+[https://cdm-schema.microsoft.com/logical/core/applicationCommon/TeamMembership.cdm.json](https://cdm-schema.microsoft.com/logical/core/applicationCommon/TeamMembership.cdm.json).

+### Mapping data types from Spark to Common Data Model

+The connector applies the following data type mappings when you convert Common Data Model to or from Spark.

+|**Spark**|**Common Data Model**|

+|`ShortType`|`SmallInteger`|

+|`IntegerType`|`Integer`|

+|`LongType` |`BigInteger`|

+|`DateType` |`Date`|

+|`Timestamp`|`DateTime` (optionally `Time`)|

+|`StringType`|`String`|

+|`DoubleType`|`Double`|

+|`DecimalType(x,y)`|`Decimal (x,y)` (default scale and precision are `18,4`)|

+|`FloatType`|`Float`|

+|`BooleanType`|`Boolean`|

+|`ByteType`|`Byte`|

+The connector doesn't support the Common Data Model `Binary` data type.

+### Handling Common Data Model Date, DateTime, and DateTimeOffset data

+The Spark CDM connector handles Common Data Model `Date` and `DateTime` data types as normal for Spark and Parquet. In CSV, the connector reads and writes those data types in ISO 8601 format.

+The connector interprets Common Data Model `DateTime` data type values as UTC. In CSV, the connector writes those values in ISO 8601 format. An example is `2020-03-13 09:49:00Z`.

+Common Data Model `DateTimeOffset` values intended for recording local time instants are handled differently in Spark and Parquet from CSV. CSV and other formats can express a local time instant as a structure that comprises a datetime, such as `2020-03-13 09:49:00-08:00`. Parquet and Spark don't support such structures. Instead, they use a `TIMESTAMP` data type that allows an instant to be recorded in UTC (or in an unspecified time zone).

+The Spark CDM connector converts a `DateTimeOffset` value in CSV to a UTC time stamp. This value is persisted as a time stamp in Parquet. If the value is later persisted to CSV, it will be serialized as a `DateTimeOffset` value with a +00:00 offset. There's no loss of temporal accuracy. The serialized values represent the same instant as the original values, although the offset is lost.

+Spark systems use their system time as the baseline and normally express time by using that local time. UTC times can always be computed through application of the local system offset. For Azure systems in all regions, the system time is always UTC, so all time stamp values are normally in UTC. When you're using an implicit write, where a Common Data Model definition is derived from a DataFrame, time stamp columns are translated to attributes with the Common Data Model `DateTime` data type, which implies a UTC time.

+If it's important to persist a local time and the data will be processed in Spark or persisted in Parquet, we recommend that you use a `DateTime` attribute and keep the offset in a separate attribute. For example, you can keep the offset as a signed integer value that represents minutes. In Common Data Model, DateTime values are in UTC, so you must apply the offset to compute local time.

+In most cases, persisting local time isn't important. Local times are often required only in a UI for user convenience and based on the user's time zone, so not storing a UTC time is often a better solution.

+### Handling Common Data Model time data

+Spark doesn't support an explicit `Time` data type. An attribute with the Common Data Model `Time` data type is represented in a Spark DataFrame as a column with a `Timestamp` data type. When The Spark CDM connector reads a time value, the time stamp in the DataFrame is initialized with the Spark epoch date 01/01/1970 plus the time value as read from the source.

+When you use explicit write, you can map a time stamp column to either a `DateTime` or `Time` attribute. If you map a time stamp to a `Time` attribute, the date portion of the time stamp is stripped off.

+When you use implicit write, a time stamp column is mapped by default to a `DateTime` attribute. To map a time stamp column to a `Time` attribute, you must add a metadata object to the column in the DataFrame that indicates that the time stamp should be interpreted as a time value. The following code shows how to do this in Scala:

+The Spark CDM connector supports time values in either `DateTime` or `Time`. Seconds have up to six decimal places, based on the format of the data in the file that's being read (CSV or Parquet) or as defined in the DataFrame. The use of six decimal places enables accuracy from single seconds to microseconds.

+### Naming and organization of folders and files

+When you're writing to Common Data Model folders, there's a default folder organization. By default, data files are written into folders created for the current date, named like *2010-07-31*. You can customize the folder structure and names by using the `dateFolderFormat` option.

+You can control the number of data partitions that are written by using the `sparkContext.parallelize()` method. The number of partitions is either determined by the number of executors in the Spark cluster or specified explicitly. The following Scala example creates a DataFrame with two partitions:

+Here's an example of an explicit write that's defined by a referenced entity definition:

+ |-- default.manifest.cdm.json << with entity reference and partition info

+Here's an example of an explicit write with a submanifest:

+ |-- default.manifest.cdm.json << contains reference to submanifest

+ |-- <entity>.manifest.cdm.json << submanifest with partition info

+Here's an example of an implicit write in which the entity definition is derived from a DataFrame schema:

+ | +-- <entity>.cdm.json << logical entity definitions

+Here's an example of an implicit write with a submanifest:

+ |-- default.manifest.cdm.json << contains reference to submanifest

+ |-- <entity>.manifest.cdm.json << submanifest with reference to the entity and partition info

+ | +-- <entity>.cdm.json << logical entity definitions

+* Ensure that the decimal precision and scale of decimal data type fields that you use in the DataFrame match the data type that's in the Common Data Model entity definition. If the precision and scale aren't defined explicitly in Common Data Model, the default is `Decimal(18,4)`. For *model.json* files, `Decimal` is assumed to be `Decimal(18,4)`.

+* Folder and file names in the following options shouldn't include spaces or special characters, such as an equal sign (=): `manifestPath`, `entityDefinitionModelRoot`, `entityDefinitionPath`, `dataFolderFormat`.

+ Title: What's new in Update management center (Preview)

+description: Learn about what's new and recent updates in the Update management center (Preview) service.

+# What's new in Update management center (Preview)

+[Update management center (preview)](overview.md) helps you manage and govern updates for all your machines. You can monitor Windows and Linux update compliance across your deployments in Azure, on-premises, and on the other cloud platforms from a single dashboard. This article summarizes new releases and features in Update management center (Preview).

+## November 2022

+### New region support

+Update management center (Preview) now supports new five regions for Azure Arc-enabled servers. [Learn more](support-matrix.md#supported-regions).

+## October 2022

+### Improved on-boarding experience

+You can now enable periodic assessment for your machines at scale using [Policy](periodic-assessment-at-scale.md) or from the [portal](manage-update-settings.md#configure-settings-on-single-vm).

+## Next steps

+- [Learn more](support-matrix.md) about supported regions.

+## Disable drive redirection

+If you're making RDP connections from personal resources to corporate ones on the Terminal Server or Windows Desktop clients, you can disable drive redirection for security purposes. To disable drive redirection:

+1. Open the **Registry Editor (regedit)**.

+2. Go to **HKEY_LOCAL_MACHINE** > **SOFTWARE** > **Microsoft** > **Terminal Server Client**.

+3. Create the following registry key:

+ - **Key**: HKLM\\Software\\Microsoft\\Terminal Server Client

+ - **Type**: REG_DWORD

+ - **Name**: DisableDriveRedirection

+4. Set the value of the registry key to **0**.

+## Disable printer redirection

+If you're making RDP connections from personal resources to corporate ones on the Terminal Server or Windows Desktop clients, you can disable printer redirection for security purposes. To disable printer redirection:

+1. Open the **Registry Editor (regedit)**.

+1. Go to **HKEY_LOCAL_MACHINE** > **SOFTWARE** > **Microsoft** > **Terminal Server Client**.

+1. Create the following registry key:

+ - **Key**: HKLM\\Software\\Microsoft\\Terminal Server Client

+ - **Type**: REG_DWORD

+ - **Name**: DisablePrinterRedirection

+1. Set the value of the registry key to **0**.

+## Disable clipboard redirection

+If you're making RDP connections from personal resources to corporate ones on the Terminal Server or Windows Desktop clients, you can disable clipboard redirection for security purposes. To disable clipboard redirection:

+1. Open the **Registry Editor (regedit)**.

+1. Go to **HKEY_LOCAL_MACHINE** > **SOFTWARE** > **Microsoft** > **Terminal Server Client**.

+1. Create the following registry key:

+ - **Key**: HKLM\\Software\\Microsoft\\Terminal Server Client

+ - **Type**: REG_DWORD

+ - **Name**: DisableClipboardRedirection

+1. Set the value of the registry key to **0**.

+# Modify a Capacity Reservation

+For standard SSDs, each I/O operation less than or equal to 256 KiB of throughput is considered a single I/O operation. I/O operations larger than 256 KiB of throughput are considered multiple I/Os of size 256 KiB. These transactions incur a billable cost but, there is an hourly limit on the number of transactions that can incur a billable cost. If that hourly limit is reached, additional transactions during that hour no longer incur a cost. For details, see the [blog post](https://aka.ms/billedcapsblog).

+| Standard_D16ls_v5 | 16 | 32 | Remote Storage Only | 32 | 25600/600 | 40000/1200 | 8 | 12500 |

+Learn more about how [Azure compute units (ACU)](acu.md) can help you compare compute performance across Azure SKUs.

+The agent runs on multiple operating systems. However, the extensions framework has a [limit for the operating systems that extensions use](https://support.microsoft.com/en-us/help/4078134/azure-extension-supported-operating-systems). Some extensions aren't supported across all operating systems and might emit error code 51 ("Unsupported OS"). Check the individual extension documentation for supportability.

+The Azure VM Agent doesn't have proxy server support for you to redirect agent traffic requests through. That means the Azure VM Agent relies on your custom proxy (if you have one) to access resources on the internet or on the host through IP 168.63.129.16.

+The following example uses the [VMAccess extension](/troubleshoot/azure/virtual-machines/reset-rdp#reset-by-using-the-vmaccess-extension-and-powershell) to reset the administrative password of a Windows VM to a temporary password. After you run this code, you should reset the password at first sign-in.

+You can apply VM extensions to an existing VM through the Azure portal. Select the VM in the portal, select **Extensions + applications**, and then select **Add**. Choose the extension that you want from the list of available extensions, and follow the instructions in the wizard.

+The following example shows an instance of the Custom Script extension for Windows. The command to run includes a set of credentials. In this example, the command to run isn't encrypted.

+- In a VM, if there's an existing extension with a failed provisioning state, any other new extension fails to install.

+For example, `/metadata/instance` returns the json object:

+The following PowerShell example takes your subscription ID and returns a list of VMs indicating whether they are scheduled for maintenance.

+function MaintenanceIterator {

+ param (

+ $SubscriptionId

+ )

+

+ Select-AzSubscription -SubscriptionId $SubscriptionId | Out-Null

+ $rgList = Get-AzResourceGroup

+ foreach ($rg in $rgList) {

+ $vmList = Get-AzVM -ResourceGroupName $rg.ResourceGroupName

+ foreach ($vm in $vmList) {

+ $vmDetails = Get-AzVM -ResourceGroupName $rg.ResourceGroupName -Name $vm.Name -Status

+ [pscustomobject]@{

+ Name = $vmDetails.Name

+ ResourceGroupName = $rg.ResourceGroupName

+ IsCustomerInitiatedMaintenanceAllowed = [bool]$vmDetails.MaintenanceRedeployStatus.IsCustomerInitiatedMaintenanceAllowed

+ LastOperationMessage = $vmDetails.MaintenanceRedeployStatus.LastOperationMessage

+ }

+ }

+MaintenanceIterator -SubscriptionId <Subscription ID> |

+ Where-Object -FilterScript {$_.IsCustomerMaintenanceAllowed} |

+ Restart-AzVM -PerformMaintenance

+> RBAC sharing can be used to share resources with users within the organization (or) users outside the organization (cross-tenant). Here are the instructions to consume an image shared with RBAC and create VM/VMSS:

+> [RBAC - Shared within your organization](vm-generalized-image-version.md#rbacshared-within-your-organization)

+> [RBAC - Shared from another tenant](vm-generalized-image-version.md#rbacshared-from-another-tenant)

+1. At the top of the **VPN (Site to site)** page, click **Download VPN Config**. You'll see a series of messages as Azure creates a new storage account in the resource group 'microsoft-network-[location]', where location is the location of the WAN. You can also add an existing storage account by clicking "Use Existing" and adding a valid SAS URL with write permissions enabled. To learn more about creating a new SAS URL, see [Generate the SAS URL](packet-capture-site-to-site-portal.md#URL).

+Some of the managed rules evaluate the raw payload of the request body, before it's parsed into POST arguments or JSON arguments. So, in some situations you might see log entries with a matchVariableName of `InitialBodyContents` or `DecodedInitialBodyContents`.

+For example, suppose you create an exclusion with a match variable of *Request body POST args* and a selector to identify and ignore POST arguments named *FOO*. You'll no longer see any log entries with a matchVariableName of `PostParamValue:FOO`. However, if a POST argument named *FOO* contains text that triggers a rule, the log might show the detection in the initial body contents. You can't currently create exclusions for initial body contents.