+|AzureAdB2C|ClientId| The Web App Application (client) ID from [step 2](#step-2-register-a-web-application).|

+In this sample tutorial, learn how to integrate Azure Active Directory B2C (Azure AD B2C) authentication with [Transmit Security](https://www.transmitsecurity.com/bindid) passwordless authentication solution **BindID**. BindID is a passwordless authentication service that uses strong Fast Identity Online (FIDO2) biometric authentication for a reliable omni-channel authentication experience. The solution ensures a smooth login experience for all customers across every device and channel eliminating fraud, phishing, and credential reuse.

+| 1. | User attempts to log in to an Azure AD B2C application and is forwarded to Azure AD B2CΓÇÖs combined sign-in and sign-up policy.

+| 2. | Azure AD B2C redirects the user to BindID using the OpenID Connect (OIDC) authorization code flow.

+For [Applications](https://admin.bindid-sandbox.io/console/#/applications) to configure your tenant application in BindID, the following information is needed

+2. Select your previously created **CustomSignUpSignIn** and select the settings:

+If you're using a [custom domain](custom-domain.md), replace `{tenant}.b2clogin.com` with the custom domain, such as `contoso.com`, in the endpoints.

+ HtmlMessageError = "<p> An error occurred: {0}. Details {1}</p>",

+- Use your corporate Azure AD credentials to login to Windows VMs in Azure.

+* It is not supported to configure hybrid experiences that utilize forest level configuration in AD, such as Seamless SSO and Hybrid Azure AD Join (non-targeted approach), with more than one tenant. Doing so would overwrite the configuration of the other tenant, making it no longer usable. You can find additional information in [Plan your hybrid Azure Active Directory join deployment](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan#hybrid-azure-ad-join-for-single-forest-multiple-azure-ad-tenants).

+* You can synchronize device objects to more than one tenant but a device can be Hybrid Azure AD Joined to only one tenant.

+ Title: 'Tutorial: Configure AlexisHR for automatic user provisioning with Azure Active Directory | Microsoft Docs'

+description: Learn how to automatically provision and de-provision user accounts from Azure AD to AlexisHR.

+writer: twimmers

+ms.assetid: 438a007c-2c3f-466f-ac9a-7e752e2532a4

+# Tutorial: Configure AlexisHR for automatic user provisioning

+This tutorial describes the steps you need to perform in both AlexisHR and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [AlexisHR](https://alexishr.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).

+## Capabilities Supported

+> [!div class="checklist"]

+> * Create users in AlexisHR.

+> * Remove users in AlexisHR when they do not require access anymore.

+> * Keep user attributes synchronized between Azure AD and AlexisHR.

+> * [Single sign-on](alexishr-tutorial.md) to AlexisHR (recommended).

+## Prerequisites

+The scenario outlined in this tutorial assumes that you already have the following prerequisites:

+* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md).

+* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).

+* A user account in AlexisHR with Admin permissions.

+## Step 1. Plan your provisioning deployment

+1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).

+1. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+1. Determine what data to [map between Azure AD and AlexisHR](../app-provisioning/customize-application-attributes.md).

+## Step 2. Configure AlexisHR to support provisioning with Azure AD

+1. Log in to [AlexisHR Admin Console](https://app.alexishr.com/login/). Navigate to **Settings > Access tokens**.

+ 

+1. Once on the Access token page, fill in the **Name** and **Description** textbox and click on **Save**.A pop-up window will appear with the token in it.Copy and save the token. This value will be entered in the **Secret Token** * field in the Provisioning tab of your AlexisHR application in the Azure portal.

+ 

+## Step 3. Add AlexisHR from the Azure AD application gallery

+Add AlexisHR from the Azure AD application gallery to start managing provisioning to AlexisHR. If you have previously setup AlexisHR for SSO you can use the same application. However it is recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).

+## Step 4. Define who will be in scope for provisioning

+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+* When assigning users and groups to AlexisHR, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add additional roles.

+* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+## Step 5. Configure automatic user provisioning to AlexisHR

+This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and/or groups in AlexisHR based on user and/or group assignments in Azure AD.

+### To configure automatic user provisioning for AlexisHR in Azure AD:

+1. Sign in to the [Azure portal](https://portal.azure.com). Select **Enterprise Applications**, then select **All applications**.

+ 

+1. In the applications list, select **AlexisHR**.

+ 

+1. Select the **Provisioning** tab.

+ 

+1. Set the **Provisioning Mode** to **Automatic**.

+ 

+1. In the **Admin Credentials** section, input your AlexisHR **Tenant URL** and **Secret Token**. Click **Test Connection** to ensure Azure AD can connect to AlexisHR. If the connection fails , ensure your AlexisHR account has Admin permissions and try again.

+ 

+1. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box.

+ 

+1. Select **Save**.

+1. In the **Mappings** section, select **Synchronize Azure Active Directory Users to AlexisHR**.

+1. Review the user attributes that are synchronized from Azure AD to AlexisHR in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in AlexisHR for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you will need to ensure that the AlexisHR API supports filtering users based on that attribute. Select the **Save** button to commit any changes.

+ |Attribute|Type|Supported for filtering|Required by AlexisHR

+ |||||

+ |userName|String|&check;|&check;

+ |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager|Reference||

+ |active|Boolean||&check;

+ |title|String||

+ |emails[type eq "work"].value|String||&check;

+ |name.givenName|String||&check;

+ |name.familyName|String||&check;

+ |phoneNumbers[type eq "work"].value|String||&check;

+ |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department|String||

+ |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:costCenter|String||

+ |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:division|String||

+ |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:organization|String||

+ > [!NOTE]

+ > phonenumbers value should be in E164 format. For example +16175551212

+1. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+1. To enable the Azure AD provisioning service for AlexisHR, change the **Provisioning Status** to **On** in the **Settings** section.

+ 

+1. Define the users and/or groups that you would like to provision to AlexisHR by choosing the desired values in **Scope** in the **Settings** section.

+ 

+1. When you are ready to provision, click **Save**.

+ 

+This operation starts the initial synchronization cycle of all users and groups defined in **Scope** in the **Settings** section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running.

+## Step 6. Monitor your deployment

+Once you've configured provisioning, use the following resources to monitor your deployment:

+* Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully

+* Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it is to completion

+* If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).

+## More resources

+* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)

+* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+## Next steps

+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)

+> [!NOTE]

+> This integration is also available to use from Azure AD US Government Cloud environment. You can find this application in the Azure AD US Government Cloud Application Gallery and configure it in the same way as you do from public cloud.

+Contact [Atea support](mailto:sso.support@atea.com) to configure Atea to support provisioning with Azure AD.

+ Title: 'Tutorial: Azure AD SSO integration with Envoy'

+# Tutorial: Azure AD SSO integration with Envoy

+> [!NOTE]

+> This integration is also available to use from Azure AD US Government Cloud environment. You can find this application in the Azure AD US Government Cloud Application Gallery and configure it in the same way as you do from public cloud.

+1. Sign in to the [G Suite Admin console](https://admin.google.com/) with your administrator account, then click on **Main menu** and then select **Security**. If you don't see it, it might be hidden under the **Show More** menu.

+ 

+

+ 

+1. Navigate to **Security -> Access and data control -> API Controls** .Select the check box **Trust internal,domain-owned apps** and then click **SAVE**

+ 

+ > For every user that you intend to provision to G Suite, their user name in Azure AD **must** be tied to a custom domain. For example, user names that look like bob@contoso.onmicrosoft.com are not accepted by G Suite. On the other hand, bob@contoso.com is accepted. You can change an existing user's domain by following the instructions [here](../fundamentals/add-custom-domain.md).

+1. Once you have added and verified your desired custom domains with Azure AD, you must verify them again with G Suite. To verify domains in G Suite, refer to the following steps:

+ 1. In the [G Suite Admin Console](https://admin.google.com/), navigate to **Account -> Domains -> Manage Domains**.

+ 

+ 1. In the Manage Domain page, click on **Add a domain**.

+ 

+ 1. In the Add Domain page, type in the name of the domain that you want to add.

+ 

+ 1. Select **ADD DOMAIN & START VERIFICATION**. Then follow the steps to verify that you own the domain name. For comprehensive instructions on how to verify your domain with Google, see [Verify your site ownership](https://support.google.com/webmasters/answer/35179).

+ 1. Repeat the preceding steps for any additional domains that you intend to add to G Suite.

+1. Next, determine which admin account you want to use to manage user provisioning in G Suite. Navigate to **Account->Admin roles**.

+ 

+1. For the **Admin role** of that account, edit the **Privileges** for that role. Make sure to enable all **Admin API Privileges** so that this account can be used for provisioning.

+ 

+1. Sign in to the [Azure portal](https://portal.azure.com). Select **Enterprise Applications**, then select **All applications**. Users will need to log in to `portal.azure.com` and will not be able to use `aad.portal.azure.com`.

+ Title: 'Tutorial: Azure AD SSO integration with Hoxhunt'

+# Tutorial: Azure AD SSO integration with Hoxhunt

+## Add Hoxhunt from the gallery

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:

+ b. In the **Reply URL** text box, type a URL using the following pattern:

+ c. In the **Sign on URL** text box, type the URL:

+ `https://game.hoxhunt.com/`

+ > These values are not real. Update these values with the actual Identifier and Reply URL. Contact [Hoxhunt Client support team](mailto:support@hoxhunt.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+Once you configure Hoxhunt you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

+ Title: 'Tutorial: Configure Joyn FSM for automatic user provisioning with Azure Active Directory | Microsoft Docs'

+description: Learn how to automatically provision and de-provision user accounts from Azure AD to Joyn FSM.

+documentationcenter: ''

+writer: Thwimmer

+ms.assetid: e778e26b-c998-4432-85b7-5a0d0047ccae

+ms.devlang: na

+# Tutorial: Configure Joyn FSM for automatic user provisioning

+This tutorial describes the steps you need to perform in both Joyn FSM and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Joyn FSM](https://www.sevenlakes.com/solutions/field-service-management/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../manage-apps/user-provisioning.md).

+## Capabilities Supported

+> [!div class="checklist"]

+> * Create users in Joyn FSM

+> * Remove users in Joyn FSM when they do not require access anymore

+> * Keep user attributes synchronized between Azure AD and Joyn FSM

+## Prerequisites

+The scenario outlined in this tutorial assumes that you already have the following prerequisites:

+* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md).

+* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).

+## Step 1. Plan your provisioning deployment

+1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).

+1. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+1. Determine what data to [map between Azure AD and Joyn FSM](../app-provisioning/customize-application-attributes.md).

+## Step 2. Configure Joyn FSM to support provisioning with Azure AD

+Contact your [SevenLakes Customer Success Representative](mailto:mailto:CustomerSuccessTeam@sevenlakes.com) in order to obtain the Tenant URL and Secret Token which are required for configuring provisioning.

+## Step 3. Add Joyn FSM from the Azure AD application gallery

+Add Joyn FSM from the Azure AD application gallery to start managing provisioning to Joyn FSM. If you have previously setup Joyn FSM for SSO you can use the same application. However it's recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).

+## Step 4. Define who will be in scope for provisioning

+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+* When assigning users and groups to Joyn FSM, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add more roles.

+* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+## Step 5. Configure automatic user provisioning to Joyn FSM

+This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and/or groups in Joyn FSM based on user and/or group assignments in Azure AD.

+### To configure automatic user provisioning for Joyn FSM in Azure AD:

+1. Sign in to the [Azure portal](https://portal.azure.com). Select **Enterprise Applications**, then select **All applications**.

+ 

+1. In the applications list, select **Joyn FSM**.

+ 

+1. Select the **Provisioning** tab.

+ 

+1. Set the **Provisioning Mode** to **Automatic**.

+ 

+1. In the **Admin Credentials** section, input your Joyn FSM Tenant URL and Secret Token. Click **Test Connection** to ensure Azure AD can connect to Joyn FSM. If the connection fails, ensure your Joyn FSM account has Admin permissions and try again.

+ 

+1. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box.

+ 

+1. Select **Save**.

+1. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to Joyn FSM**.

+1. Review the user attributes that are synchronized from Azure AD to Joyn FSM in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Joyn FSM for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you'll need to ensure that the Joyn FSM API supports filtering users based on that attribute. Select the **Save** button to commit any changes.

+ |Attribute|Type|Supported for filtering|Required by Joyn FSM|

+ |||||

+ |userName|String|&check;|&check;

+ |emails[type eq "work"].value|String||&check;

+ |active|Boolean||

+ |name.formatted|String||

+ |displayName|String||

+ |externalId|String||

+ |name.givenName||

+ |name.familyName|String||

+ |addresses[type eq "work"].formatted|String||

+ |addresses[type eq "work"].streetAddress|String||

+ |addresses[type eq "work"].locality|String||

+ |addresses[type eq "work"].region|String||

+ |addresses[type eq "work"].postalCode|String||

+ |addresses[type eq "work"].country|String||

+ |phoneNumbers[type eq "mobile"].value|String||

+ |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department|String||

+ |urn:ietf:params:scim:schemas:extension:joynfsm:2.0:User:xid|String||

+ |urn:ietf:params:scim:schemas:extension:joynfsm:2.0:User:joynFieldId|String||

+1. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+1. To enable the Azure AD provisioning service for Joyn FSM, change the **Provisioning Status** to **On** in the **Settings** section.

+ 

+1. Define the users and/or groups that you would like to provision to Joyn FSM by choosing the desired values in **Scope** in the **Settings** section.

+ 

+1. When you're ready to provision, click **Save**.

+ 

+This operation starts the initial synchronization cycle of all users and groups defined in **Scope** in the **Settings** section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running.

+## Step 6. Monitor your deployment

+Once you've configured provisioning, use the following resources to monitor your deployment:

+* Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully

+* Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it's to completion

+* If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).

+## More resources

+* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)

+* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+## Next steps

+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)

+ Title: 'Tutorial: Azure AD SSO integration with Looker Analytics Platform'

+# Tutorial: Azure AD SSO integration with Looker Analytics Platform

+> [!NOTE]

+> This integration is also available to use from Azure AD US Government Cloud environment. You can find this application in the Azure AD US Government Cloud Application Gallery and configure it in the same way as you do from public cloud.

+> You may also choose to enable SAML-based single sign-on for Meta Networks Connector, following the instructions provided in the [Meta Networks Connector Single sign-on tutorial](./metanetworksconnector-tutorial.md). Single sign-on can be configured independently of automatic user provisioning, though these two features complement each other

+ > phonenumbers value should be in E164 format. For example +16175551212

+ Title: 'Tutorial: Azure AD SSO integration with Postman'

+# Tutorial: Azure AD SSO integration with Postman

+> [!NOTE]

+> This integration is also available to use from Azure AD US Government Cloud environment. You can find this application in the Azure AD US Government Cloud Application Gallery and configure it in the same way as you do from public cloud.

+ Title: 'Tutorial: Azure AD SSO integration with ProProfs Knowledge Base'

+# Tutorial: Azure AD SSO integration with ProProfs Knowledge Base

+> [!NOTE]

+> This integration is also available to use from Azure AD US Government Cloud environment. You can find this application in the Azure AD US Government Cloud Application Gallery and configure it in the same way as you do from public cloud.

+* ProProfs Knowledge Base supports **IDP** initiated SSO.

+ b. In the **Reply URL** text box, type a URL using the following pattern:

+ `https://<Environment>.usbank.com/sp/ACS.saml2`

+ > These values are not real. Update these values with the actual Reply URL and Sign-on URL. Contact [U.S. Bank Prepaid Client support team](mailto:web.access.management@usbank.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+You can also use Microsoft My Apps to test the application in any mode. When you click the U.S. Bank Prepaid tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the U.S. Bank Prepaid for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+Once you configure U.S. Bank Prepaid you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+> [!NOTE]

+> For applications outside of the kube-system or gatekeeper-system namespaces that needs to talk to the API server, an additional network rule to allow TCP communication to port 443 for the API server IP in addition to adding application rule for fqdn-tag AzureKubernetesService is required.

+description: Explain topics related to certificates in an App Service Environment. Learn how certificate bindings work on the single-tenanted apps in an App Service Environment.

+The App Service Environment is a deployment of the Azure App Service that runs within your Azure virtual network. It can be deployed with an internet accessible application endpoint or an application endpoint that is in your virtual network. If you deploy the App Service Environment with an internet accessible endpoint, that deployment is called an External App Service Environment. If you deploy the App Service Environment with an endpoint in your virtual network, that deployment is called an ILB App Service Environment. You can learn more about the ILB App Service Environment from the [Create and use an ILB App Service Environment](./creation.md) document.

+Applications that are hosted in an App Service Environment support the following app-centric certificate features, which are also available in the multi-tenant App Service. For requirements and instructions for uploading and managing those certificates, see [Add a TLS/SSL certificate in Azure App Service](../configure-ssl-certificate.md).

+- [SNI certificates](../configure-ssl-certificate.md)

+- [KeyVault hosted certificates](../configure-ssl-certificate.md#import-a-certificate-from-key-vault)

+Once you add the certificate to your App Service app or function app, you can [secure a custom domain name with it](../configure-ssl-bindings.md) or [use it in your application code](../configure-ssl-certificate-in-code.md).

+### Limitations

+[App Service managed certificates](../configure-ssl-certificate.md#create-a-free-managed-certificate) aren't supported on apps that are hosted in an App Service Environment.

+A common use case is to configure your app as a client in a client-server model. If you secure your server with a private CA certificate, you'll need to upload the client certificate to your app. The following instructions will load certificates to the truststore of the workers that your app is running on. You only need to upload the certificate once to use it with apps that are in the same App Service plan.

+Follow these steps to upload the certificate (*.cer* file) to your app in your App Service Environment. The *.cer* file can be exported from your certificate. For testing purposes, there's a PowerShell example at the end to generate a temporary self-signed certificate:

+1. Go to **TLS/SSL settings** in the app. Select **Public Key Certificate (.cer)**. Select **Upload Public Key Certificate**. Provide a name. Browse and select your *.cer* file. Select upload.

+The certificate will be available by all the apps in the same app service plan as the app, which configured that setting. If you need it to be available for apps in a different App Service plan, you'll need to repeat the app setting operation in an app in that App Service plan. To check that the certificate is set, go to the Kudu console and issue the following command in the PowerShell debug console:

+In this tutorial, you'll learn how to deploy an ASP.NET Core app to Azure App Service and connect to an Azure SQL Database. Azure App Service is a highly scalable, self-patching, web-hosting service that can easily deploy apps on Windows or Linux. Although this tutorial uses an ASP.NET Core 6.0 app, the process is the same for other versions of ASP.NET Core and ASP.NET Framework.

+This article assumes you're familiar with [.NET](https://dotnet.microsoft.com/download/dotnet/6.0) and have it installed locally. You'll also need an Azure account with an active subscription. If you don't have an Azure account, you [can create one for free](https://azure.microsoft.com/free).

+To follow along with this tutorial, [Download the Sample Project](https://github.com/Azure-Samples/msdocs-app-service-sqldb-dotnetcore/archive/refs/heads/main.zip) from the repository [https://github.com/Azure-Samples/msdocs-app-service-sqldb-dotnetcore](https://github.com/Azure-Samples/msdocs-app-service-sqldb-dotnetcore) or clone it using the Git command below:

+Let's first create the Azure App Service that hosts our deployed Web App. There are several different ways to create an App Service depending on your ideal workflow.

+Sign in to the [Azure portal](https://portal.azure.com/) and follow these steps to create your Azure App Service resources:

+| [!INCLUDE [Create app service step 4](<./includes/tutorial-dotnetcore-sqldb-app/azure-portal-create-app-service-04.md>)] | :::image type="content" source="./media/tutorial-dotnetcore-sqldb-app/azure-portal-create-app-service-4-240px.png" alt-text="A screenshot of the Spec Picker dialog that lets you select the App Service plan to use for your web app." lightbox="./media/tutorial-dotnetcore-sqldb-app/azure-portal-create-app-service-4.png"::: |

+You can run Azure CLI commands in the [Azure Cloud Shell](https://shell.azure.com) or on a workstation with the [Azure CLI installed](/cli/azure/install-azure-cli).

+First, create a resource group using the [az group create](/cli/azure/group#az_group_create) command. The resource group acts as a container for all of the Azure resources related to this application.

+* The `--sku` parameter defines the size (CPU, memory) and cost of the app service plan. This example uses the F1 (Free) service plan. For a full list of App Service plans, view the [App Service pricing](https://azure.microsoft.com/pricing/details/app-service/windows/) page.

+Next, let's create the Azure SQL Database that manages the data in our app.

+Sign in to the [Azure portal](https://portal.azure.com/) and follow these steps to create your Azure App Service resources:

+| [!INCLUDE [Create database step 4](<./includes/tutorial-dotnetcore-sqldb-app/azure-portal-sql-db-create-04.md>)] | :::image type="content" source="./media/tutorial-dotnetcore-sqldb-app/azure-portal-create-sql-04-240px.png" alt-text="A screenshot showing the form used to allow other Azure services to connect to the database." lightbox="./media/tutorial-dotnetcore-sqldb-app/azure-portal-create-sql-04.png"::: |

+First, create an Azure SQL Server to host the database. A new Azure SQL Server is created by using the [az sql server create ](/cli/azure/sql/server#az_sql_server_create) command.

+Replace the *server-name* placeholder with a unique SQL Database name. The SQL Database name is used as part of the globally unique SQL Database endpoint. Also, replace *db-username* and *db-username* with a username and password of your choice.

+Setting up an SQL Server might take a few minutes. When the resource is available, we can create a database with the [az sql db create](/cli/azure/sql/db#az_sql_db_create) command.

+We also need to add the following firewall rule to our database server to allow other Azure resources to connect to it.

+| [!INCLUDE [Deploy app service step 2](<./includes/tutorial-dotnetcore-sqldb-app/visual-studio-deploy-app-service-02.md>)] | :::image type="content" source="./media/tutorial-dotnetcore-sqldb-app/visual-studio-deploy-app-service-02-240px.png" alt-text="A screenshot showing how to select the deployment target in Azure." lightbox="./media/tutorial-dotnetcore-sqldb-app/visual-studio-deploy-app-service-02.png"::: |

+| [!INCLUDE [Deploy app service step 3](<./includes/tutorial-dotnetcore-sqldb-app/visual-studio-deploy-app-service-03.md>)] | :::image type="content" source="./media/tutorial-dotnetcore-sqldb-app/visual-studio-deploy-app-service-03-240px.png" alt-text="A screenshot showing the sign-in to Azure dialog in Visual Studio." lightbox="./media/tutorial-dotnetcore-sqldb-app/visual-studio-deploy-app-service-03.png"::: |

+| [!INCLUDE [Deploy app service step 1](<./includes/tutorial-dotnetcore-sqldb-app/visual-studio-code-deploy-app-service-01.md>)] | :::image type="content" source="./media/tutorial-dotnetcore-sqldb-app/visual-studio-code-deploy-01-240px.png" alt-text="A screenshot showing how to install the Azure Account and App Service extensions in Visual Studio Code." lightbox="./media/tutorial-dotnetcore-sqldb-app/visual-studio-code-deploy-01.png"::: |

+Next, we must connect the App hosted in our App Service to our database using a Connection String.

+Sign in to the [Azure portal](https://portal.azure.com/) and follow the steps to create your Azure App Service resources:

+Run Azure CLI commands in the [Azure Cloud Shell](https://shell.azure.com) or on a workstation with the [Azure CLI installed](/cli/azure/install-azure-cli).

+We can retrieve the Connection String for our database using the [az sql db show-connection-string](/cli/azure/sql/db#az_sql_db_show_connection_string) command. This command allows us to add the Connection String to our App Service configuration settings. Copy this Connection String value for later use.

+Next, let's assign the Connection String to our App Service using the command below. `MyDbConnection` is the name of the Connection String in our appsettings.json file, which means it gets loaded by our app during startup.

+Replace the username and password in the connection string with your own before running the command.

+To generate our database schema, we need to set up a firewall rule on our Database Server. This rule allows our local computer to connect to Azure. For this step, you'll need to know your local computer's IP address. For more information about how to find the IP address, [see here](https://whatismyipaddress.com/).

+Next, update the appsettings.json file in our local app code with the Connection String of our Azure SQL Database. The update allows us to run migrations locally against our database hosted in Azure. Replace the username and password placeholders with the values you chose when creating your database.

+Finally, run the following commands to install the necessary CLI tools for Entity Framework Core. Create an initial database migration file and apply those changes to update the database:

+After the migration finishes, the correct schema is created.

+Go back to your web app in the browser. You can always get back to your site by selecting the **Browse** link at the top of the App Service overview page. If you refresh the page, you can now create todos and see them displayed on the home page. Congratulations!

+Azure App Service provides a web-based diagnostics console named Kudu. Kudu lets you examine the server-hosting environment, view deployed files to Azure, review deployment history, and even open an SSH session into the hosting environment.

+To use Kudu, go to one of the following URLs. You'll need to sign into the Kudu site with your Azure credentials.

+From the main page in Kudu, you can find information about the application-hosting environment, app settings, deployments, and browse the files in the wwwroot directory.

+| [!INCLUDE [Stream logs from Visual Studio Code 2](<./includes/tutorial-dotnetcore-sqldb-app/visual-studio-code-stream-logs-02.md>)] | :::image type="content" source="./media/tutorial-dotnetcore-sqldb-app/visual-studio-code-stream-logs-2-240px.png" alt-text="A screenshot showing the output stream of an application login Visual Studio Code." lightbox="./media/tutorial-dotnetcore-sqldb-app/visual-studio-code-stream-logs-2.png"::: |

+Refresh the home page in the app or attempt other requests to generate some log messages. The output should look similar to the below output.

+When you're finished, you can delete all of the resources from Azure by deleting the resource group for the application. It deletes all of the resources contained inside the group.

+Follow these steps while signed-in to the Azure portal to delete a resource group:

+You can delete the resource group you created by using the [az group delete](/cli/azure/group#az_group_delete) command. Deleting the resource group deletes all of the resources contained within it.

+> We recommend you don't use the **Log Analytics Contributor** role to execute Automation jobs. Instead, create the Azure Automation Contributor custom role and use it for actions related to the Automation account.

+> * If the resource group of the Automation account is deleted, to recover, you must recreate the resource group with the same name. After a few hours, the Automation account is repopulated in the list of deleted accounts. Then you can restore the account.

+> * Though the resource group isn't present, you can see the Automation account in the deleted list. If the resource group isn't present, the account restore operation fails with the error *Account restore failed*.

+ - Resource provisioning and deprovisioning.

+ - Add correct tags, locks, NSGs, UDRs per business rules.

+ - Resource group creation, deletion & update.

+ - Start container group.

+ - Register DNS record.

+ - Encrypt Virtual machines.

+ - Configure disk (disk snapshot, delete old snapshots).

+ - Subscription management.

+ - Start-stop resources to save cost.

+* **Monitoring & integrate** with 1st party (through Azure Monitor) or 3rd party external systems.

+ - Ensure resource creation\deletion operations is captured to SQL.

+ - Send resource usage data to web API.

+ - Send monitoring data to ServiceNow, Event Hub, New Relic and so on.

+ - Collect and store information about Azure resources.

+ - Perform SQL monitoring checks & reporting.

+ - Check website availability.

+* **Configure VMs** - Assess and configure Windows and Linux machines with configurations for the infrastructure and application.

+* **Retrieve inventory** - Get a complete inventory of deployed resources for targeting, reporting, and compliance.

+* **Find changes** - Identify and isolate machine changes that can cause misconfiguration and improve operational compliance. Remediate or escalate them to management systems.

+As a result of this security risk, we recommend you don't use the Log Analytics Contributor role to execute Automation jobs. Instead, create the Azure Automation Contributor custom role and use it for actions related to the Automation account.

+| `--cluster-extension-ids` | Azure Resource Manager identifiers of the cluster extension instances installed on the connected cluster. Provide a space-separated list of the cluster extension IDs |

+| `--cluster-extension-ids` | Associate new cluster extensions to this custom location by providing Azure Resource Manager identifiers of the cluster extension instances installed on the connected cluster. Provide a space-separated list of the cluster extension IDs |

+| `--cluster-extension-ids` | Associate new cluster extensions to this custom location by providing Azure Resource Manager identifiers of the cluster extension instances installed on the connected cluster. Provide a space-separated list of the cluster extension IDs |

+| [Azure Monitor for containers](../../azure-monitor/containers/container-insights-enable-arc-enabled-clusters.md?toc=/azure/azure-arc/kubernetes/toc.json&bc=/azure/azure-arc/kubernetes/breadcrumb/toc.json) | Provides visibility into the performance of workloads deployed on the Kubernetes cluster. Collects memory and CPU utilization metrics from controllers, nodes, and containers. |

+| [Azure Policy](../../governance/policy/concepts/policy-for-kubernetes.md?toc=/azure/azure-arc/kubernetes/toc.json&bc=/azure/azure-arc/kubernetes/breadcrumb/toc.json) | Azure Policy extends [Gatekeeper](https://github.com/open-policy-agent/gatekeeper), an admission controller webhook for [Open Policy Agent](https://www.openpolicyagent.org/) (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. |

+| [Microsoft Defender for Cloud](../../defender-for-cloud/defender-for-kubernetes-azure-arc.md?toc=/azure/azure-arc/kubernetes/toc.json&bc=/azure/azure-arc/kubernetes/breadcrumb/toc.json) | Gathers information related to security like audit log data from the Kubernetes cluster. Provides recommendations and threat alerts based on gathered data. |

+> To create a service principal, your Azure Active Directory tenant needs to allow users to register applications. If it does not, your account must be a member of the **Application Administrator** or **Cloud Application Administrator** administrative role. See [Delegate app registration permissions in Azure Active Directory](../../active-directory/roles/delegate-app-roles.md) for more information about tenant-level requirements. To assign Arc-enabled server roles, your account must be a member of the **Owner** or **User Access Administrator** role in the subscription that you want to use for onboarding.

+> This feature currently works for all Windows and Linux virtual network-supported SKUs in the Dedicated (App Service) plan and for Windows Elastic Premium plans. ASEv3 is not supported yet. Consumption tier isn't supported.

+Specifies the maximum number of language worker processes, with a default value of `1`. The maximum value allowed is `10`. Function invocations are evenly distributed among language worker processes. Language worker processes are spawned every 10 seconds until the count set by FUNCTIONS\_WORKER\_PROCESS\_COUNT is reached. Using multiple language worker processes is not the same as [scaling](functions-scale.md). Consider using this setting when your workload has a mix of CPU-bound and I/O-bound invocations. This setting applies to all language runtimes, except for .NET running in process (`dotnet`).

+* [Regional virtual network integration](../app-service/overview-vnet-integration.md#regional-virtual-network-integration)

+* [Gateway-required virtual network integration](../app-service/overview-vnet-integration.md#gateway-required-virtual-network-integration)

+To learn how to set up virtual network integration, see [Enable virtual network integration](#enable-virtual-network-integration).

+## Enable virtual network integration

+1. The drop-down list contains all of the Azure Resource Manager virtual networks in your subscription in the same region. Select the virtual network you want to integrate with.

+ * The Functions Premium Plan only supports regional virtual network integration. If the virtual network is in the same region, either create a new subnet or select an empty, pre-existing subnet.

+ * To select a virtual network in another region, you must have a virtual network gateway provisioned with point to site enabled. Virtual network integration across regions is only supported for Dedicated plans, but global peerings will work with regional virtual network integration.

+During the integration, your app is restarted. When integration is finished, you'll see details on the virtual network you're integrated with. By default, Route All will be enabled, and all traffic will be routed into your virtual network.

+Using regional virtual network integration enables your app to access:

+* Resources in the same virtual network as your app.

+* Resources in virtual networks peered to the virtual network your app is integrated with.

+When you use regional virtual network integration, you can use the following Azure networking features:

+* **Network security groups (NSGs)**: You can block outbound traffic with an NSG that's placed on your integration subnet. The inbound rules don't apply because you can't use virtual network integration to provide inbound access to your app.

+> When you route all of your outbound traffic into your virtual network, it's subject to the NSGs and UDRs that are applied to your integration subnet. When virtual network integrated, your function app's outbound traffic to public IP addresses is still sent from the addresses that are listed in your app properties, unless you provide routes that direct the traffic elsewhere.

+> Regional virtual network integration isn't able to use port 25.

+There are some limitations with using virtual network:

+* The feature is available from all App Service deployments in Premium V2 and Premium V3. It's also available in Standard but only from newer App Service deployments. If you are on an older deployment, you can only use the feature from a Premium V2 App Service plan. If you want to make sure you can use the feature in a Standard App Service plan, create your app in a Premium V3 App Service plan. Those plans are only supported on our newest deployments. You can scale down if you desire after that.

+* The feature requires an unused subnet that's a /28 or larger in an Azure Resource Manager virtual network.

+* The app and the virtual network must be in the same region.

+* You can't delete a virtual network with an integrated app. Remove the integration before you delete the virtual network.

+* You can have only one regional virtual network integration per App Service plan. Multiple apps in the same App Service plan can use the same integration subnet.

+* You can't change the subscription of an app or a plan while there's an app that's using regional virtual network integration.

+Virtual network integration depends on a dedicated subnet. When you provision a subnet, the Azure subnet loses five IPs from the start. One address is used from the integration subnet for each plan instance. When you scale your app to four instances, then four addresses are used.

+When you want your apps in another plan to reach a virtual network that's already connected to by apps in another plan, select a different subnet than the one being used by the pre-existing virtual network integration.

+To provide a higher level of security, you can restrict a number of Azure services to a virtual network by using service endpoints. Regional virtual network integration enables your function app to reach Azure services that are secured with service endpoints. This configuration is supported on all [plans](functions-scale.md#networking-features) that support virtual network integration. To access a service endpoint-secured service, you must do the following:

+1. Configure regional virtual network integration with your function app to connect to a specific subnet.

+You can use network security groups to block inbound and outbound traffic to resources in a virtual network. An app that uses regional virtual network integration can use a [network security group][VNETnsg] to block outbound traffic to resources in your virtual network or the internet. To block traffic to public addresses, you must have virtual network integration with Route All enabled. The inbound rules in an NSG don't apply to your app because virtual network integration affects only outbound traffic from your app.

+To control inbound traffic to your app, use the Access Restrictions feature. An NSG that's applied to your integration subnet is in effect regardless of any routes applied to your integration subnet. If your function app is virtual network integrated with Route All enabled, and you don't have any routes that affect public address traffic on your integration subnet, all of your outbound traffic is still subject to NSGs assigned to your integration subnet. When Route All isn't enabled, NSGs are only applied to RFC1918 traffic.

+Border Gateway Protocol (BGP) routes also affect your app traffic. If you have BGP routes from something like an ExpressRoute gateway, your app outbound traffic is affected. By default, BGP routes affect only your RFC1918 destination traffic. When your function app is virtual network integrated with Route All enabled, all outbound traffic can be affected by your BGP routes.

+After your app integrates with your virtual network, it uses the same DNS server that your virtual network is configured with and will work with the Azure DNS private zones linked to the virtual network.

+* Integrate with Azure DNS private zones. When your virtual network doesn't have a custom DNS server, this is done automatically.

+This feature is supported for all Windows and Linux virtual network-supported SKUs in the Dedicated (App Service) plan and for the Premium plans. The Consumption plan isn't supported. To learn how to set up a function with a storage account restricted to a private network, see [Restrict your storage account to a virtual network](configure-networking-how-to.md#restrict-your-storage-account-to-a-virtual-network).

+When you integrate a function app in a Premium plan or an App Service plan with a virtual network, the app can still make outbound calls to the internet by default. By integrating your function app with a virtual network with Route All enabled, you force all outbound traffic to be sent into your virtual network, where network security group rules can be used to restrict traffic.

+|Azure Key Vault | `AzureWebJobsSecretStorageType`<br/>`AzureWebJobsSecretStorageKeyVaultName` | `keyvault`<br/>`<VAULT_NAME>` | The vault must have an access policy corresponding to the system-assigned managed identity of the hosting resource. The access policy should grant the identity the following secret permissions: `Get`,`Set`, `List`, and `Delete`. <br/>When running locally, the developer identity is used, and settings must be in the [local.settings.json file](functions-develop-local.md#local-settings-file). |

+#### Using Key Vault in Functions v4

+The application settings for using Azure Key Vault as the secret repository in Functions v4:

+##### System-assigned managed identity

+| Setting | Value |

+||-|

+| `AzureWebJobsSecretStorageType` | `keyvault` |

+| `AzureWebJobsSecretStorageKeyVaultUri` | `<VAULT_URI>` |

+##### User-assigned managed identity

+| Setting | Value |

+||-|

+| `AzureWebJobsSecretStorageType` | `keyvault` |

+| `AzureWebJobsSecretStorageKeyVaultUri` | `<VAULT_URI>` |

+| `AzureWebJobsSecretStorageKeyVaultClientId` | `<CLIENT_ID>` |

+##### App registration

+| Setting | Value |

+||-|

+| `AzureWebJobsSecretStorageType` | `keyvault` |

+| `AzureWebJobsSecretStorageKeyVaultUri` | `<VAULT_URI>` |

+| `AzureWebJobsSecretStorageKeyVaultTenantId` | `<TENANT_ID>` |

+| `AzureWebJobsSecretStorageKeyVaultClientId` | `<CLIENT_ID>` |

+| `AzureWebJobsSecretStorageKeyVaultClientSecret` | `<CLIENT_SECRET>` |

+> [!NOTE]

+> The Vault URI should be the full value displayed in the Key Vault overview tab, including `https://`.

+Microsoft's goal for Azure Government is to match service availability in Azure. For service availability in Azure Government, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=all&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia&rar=true). Services available in Azure Government are listed by category and whether they are Generally Available or available through Preview. If a service is available in Azure Government, that fact is not reiterated in the rest of this article. Instead, you are encouraged to review [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=all&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia&rar=true) for the latest, up-to-date information on service availability.

+This section outlines variations and considerations when using **Azure Bot Service**, **Azure Machine Learning**, and **Cognitive Services** in the Azure Government environment. For service availability, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=machine-learning-service,bot-service,cognitive-services&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia&rar=true).

+This section outlines variations and considerations when using Analytics services in the Azure Government environment. For service availability, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=data-share,power-bi-embedded,analysis-services,event-hubs,data-lake-analytics,storage,data-catalog,data-factory,synapse-analytics,stream-analytics,databricks,hdinsight&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia&rar=true).

+This section outlines variations and considerations when using Databases services in the Azure Government environment. For service availability, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=azure-api-for-fhir,data-factory,sql-server-stretch-database,redis-cache,database-migration,synapse-analytics,postgresql,mariadb,mysql,sql-database,cosmos-db&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia&rar=true).

+This section outlines variations and considerations when using Developer tools in the Azure Government environment. For service availability, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=load-testing,app-configuration,devtest-lab,lab-services,azure-devops&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia&rar=true).

+This section outlines variations and considerations when using Identity services in the Azure Government environment. For service availability, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=information-protection,active-directory-ds,active-directory&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia&rar=true).

+This section outlines variations and considerations when using Management and Governance services in the Azure Government environment. For service availability, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=managed-applications,azure-policy,network-watcher,monitor,traffic-manager,automation,scheduler,site-recovery,cost-management,backup,blueprints,advisor&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia&rar=true).

+This section outlines variations and considerations when using Media services in the Azure Government environment. For service availability, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=cdn,media-services&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia&rar=true).

+This section outlines variations and considerations when using Migration services in the Azure Government environment. For service availability, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=database-migration,cost-management,azure-migrate,site-recovery&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia&rar=true).

+This section outlines variations and considerations when using Networking services in the Azure Government environment. For service availability, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=azure-bastion,frontdoor,virtual-wan,dns,ddos-protection,cdn,azure-firewall,network-watcher,load-balancer,vpn-gateway,expressroute,application-gateway,virtual-network&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia&rar=true).

+This section outlines variations and considerations when using Security services in the Azure Government environment. For service availability, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=azure-sentinel,azure-dedicated-hsm,information-protection,application-gateway,vpn-gateway,security-center,key-vault,active-directory-ds,ddos-protection,active-directory&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia&rar=true).

+This section outlines variations and considerations when using Storage services in the Azure Government environment. For service availability, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=hpc-cache,managed-disks,storsimple,backup,storage&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia&rar=true).

+This section outlines variations and considerations when using Web services in the Azure Government environment. For service availability, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=spring-cloud,signalr-service,api-management,notification-hubs,search,cdn,app-service-linux,app-service&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia&rar=true).

+- [Azure Government compliance](./documentation-government-plan-compliance.md)

+For current Azure Government regions and available services, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=all&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia&rar=true).

+For current Azure Government regions and available services, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=all&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia&rar=true). Services available in Azure Government are listed by category and whether they are Generally Available or available through Preview. In general, service availability in Azure Government implies that all corresponding service features are available to you. Variations to this approach and other applicable limitations are tracked and explained in [Compare Azure Government and global Azure](./compare-azure-government-global-azure.md#service-availability).

+In January 2017, DISA awarded the [IL5 Provisional Authorization](/azure/compliance/offerings/offering-dod-il5) (PA) to [Azure Government](https://azure.microsoft.com/global-infrastructure/government/get-started/), making it the first IL5 PA awarded to a hyperscale cloud provider. The PA covered two Azure Government regions (US DoD Central and US DoD East) that are [dedicated to the DoD](https://azure.microsoft.com/global-infrastructure/government/dod/). Based on DoD mission owner feedback and evolving security capabilities, Microsoft has partnered with DISA to expand the IL5 PA boundary in December 2018 to cover the remaining Azure Government regions: US Gov Arizona, US Gov Texas, and US Gov Virginia. For service availability in Azure Government, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=all&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-iowa,usgov-texas,usgov-virginia&rar=true). For a list of services in scope for DoD IL5 PA, see [Azure Government services by audit scope](./compliance/azure-services-in-fedramp-auditscope.md#azure-government-services-by-audit-scope).

+For AI and machine learning services availability in Azure Government, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=project-bonsai,genomics,search,bot-service,databricks,machine-learning-service,cognitive-services&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia&rar=true). For a list of services in scope for DoD IL5 PA, see [Azure Government services by audit scope](./compliance/azure-services-in-fedramp-auditscope.md#azure-government-services-by-audit-scope). Guidance below is provided only for IL5 PA services that require extra configuration to support IL5 workloads.

+For Analytics services availability in Azure Government, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=data-share,power-bi-embedded,analysis-services,event-hubs,data-lake-analytics,storage,data-catalog,monitor,data-factory,synapse-analytics,stream-analytics,databricks,hdinsight&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia&rar=true). For a list of services in scope for DoD IL5 PA, see [Azure Government services by audit scope](./compliance/azure-services-in-fedramp-auditscope.md#azure-government-services-by-audit-scope). Guidance below is provided only for IL5 PA services that require extra configuration to support IL5 workloads.

+For Compute services availability in Azure Government, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=spring-cloud,azure-vmware,cloud-services,batch,app-service,service-fabric,functions,virtual-machine-scale-sets,virtual-machines&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia&rar=true). For a list of services in scope for DoD IL5 PA, see [Azure Government services by audit scope](./compliance/azure-services-in-fedramp-auditscope.md#azure-government-services-by-audit-scope). Guidance below is provided only for IL5 PA services that require extra configuration to support IL5 workloads.

+For Containers services availability in Azure Government, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=openshift,app-service-linux,container-registry,service-fabric,container-instances,kubernetes-service&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia&rar=true). For a list of services in scope for DoD IL5 PA, see [Azure Government services by audit scope](./compliance/azure-services-in-fedramp-auditscope.md#azure-government-services-by-audit-scope). Guidance below is provided only for IL5 PA services that require extra configuration to support IL5 workloads.

+For Databases services availability in Azure Government, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=azure-sql,sql-server-stretch-database,redis-cache,database-migration,postgresql,mariadb,mysql,sql-database,cosmos-db&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia&rar=true). For a list of services in scope for DoD IL5 PA, see [Azure Government services by audit scope](./compliance/azure-services-in-fedramp-auditscope.md#azure-government-services-by-audit-scope). Guidance below is provided only for IL5 PA services that require extra configuration to support IL5 workloads.

+For Integration services availability in Azure Government, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=event-grid,api-management,service-bus,logic-apps&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia&rar=true). For a list of services in scope for DoD IL5 PA, see [Azure Government services by audit scope](./compliance/azure-services-in-fedramp-auditscope.md#azure-government-services-by-audit-scope). Guidance below is provided only for IL5 PA services that require extra configuration to support IL5 workloads.

+For Internet of Things services availability in Azure Government, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=notification-hubs,azure-rtos,azure-maps,iot-central,iot-hub&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia&rar=true). For a list of services in scope for DoD IL5 PA, see [Azure Government services by audit scope](./compliance/azure-services-in-fedramp-auditscope.md#azure-government-services-by-audit-scope). Guidance below is provided only for IL5 PA services that require extra configuration to support IL5 workloads.

+For Management and governance services availability in Azure Government, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=azure-automanage,resource-mover,azure-portal,azure-lighthouse,cloud-shell,managed-applications,azure-policy,monitor,automation,scheduler,site-recovery,cost-management,backup,blueprints,advisor&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia&rar=true). For a list of services in scope for DoD IL5 PA, see [Azure Government services by audit scope](./compliance/azure-services-in-fedramp-auditscope.md#azure-government-services-by-audit-scope).

+For Migration services availability in Azure Government, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=database-migration,azure-migrate&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia&rar=true). For a list of services in scope for DoD IL5 PA, see [Azure Government services by audit scope](./compliance/azure-services-in-fedramp-auditscope.md#azure-government-services-by-audit-scope). Guidance below is provided only for IL5 PA services that require extra configuration to support IL5 workloads.

+For Security services availability in Azure Government, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=azure-sentinel,azure-dedicated-hsm,security-center,key-vault&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia&rar=true). For a list of services in scope for DoD IL5 PA, see [Azure Government services by audit scope](./compliance/azure-services-in-fedramp-auditscope.md#azure-government-services-by-audit-scope). Guidance below is provided only for IL5 PA services that require extra configuration to support IL5 workloads.

+For Storage services availability in Azure Government, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=hpc-cache,managed-disks,storsimple,storage&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia&rar=true). For a list of services in scope for DoD IL5 PA, see [Azure Government services by audit scope](./compliance/azure-services-in-fedramp-auditscope.md#azure-government-services-by-audit-scope). Guidance below is provided only for IL5 PA services that require extra configuration to support IL5 workloads.

+- [Azure Government compliance](./documentation-government-plan-compliance.md)

+**Azure Government regions** (US Gov Arizona, US Gov Texas, and US Gov Virginia) are intended for US federal (including DoD), state, and local government agencies, and their partners. **Azure Government DoD regions** (US DoD Central and US DoD East) are reserved for exclusive DoD use. Separate DoD IL5 PAs are in place for Azure Government regions (US Gov Arizona, US Gov Texas, and US Gov Virginia) vs. Azure Government DoD regions (US DoD Central and US DoD East). For service availability in Azure Government, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=all&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia&rar=true).

+### What services are available in Azure Government?

+For service availability in Azure Government, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=all&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia&rar=true).

+For current Azure Government regions and available services, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=all&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia&rar=true).

+You can access Azure and Azure Government audit reports and related documentation from the [Service Trust Portal](https://servicetrust.microsoft.com) (STP) in the following sections:

+US government agencies or their partners interested in cloud services that meet government security and compliance requirements, can be confident that [Microsoft Azure Government](https://azure.microsoft.com/global-infrastructure/government/) provides world-class security and compliance. Azure Government delivers a dedicated cloud enabling government agencies and their partners to transform mission-critical workloads to the cloud. Azure Government services can accommodate data that is subject to various [US government regulations and requirements](./documentation-government-plan-compliance.md).

+Azure Government offers [Infrastructure-as-a-Service (IaaS)](https://azure.microsoft.com/overview/what-is-iaas/), [Platform-as-a-Service (PaaS)](https://azure.microsoft.com/overview/what-is-paas/), and [Software-as-a-Service (SaaS)](https://azure.microsoft.com/overview/what-is-saas/) cloud service models based on the same underlying technologies as global Azure. For service availability in Azure Government, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=all&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia&rar=true). Services available in Azure Government are listed by category and whether they're Generally Available or available through Preview.

+- [Azure compliance](../compliance/index.yml)

+ - Not all Log Analytics solutions are supported yet. [View supported features and services](#supported-services-and-features).

+ - The support for collecting file based logs or IIS logs is in [private preview](https://aka.ms/amadcr-privatepreviews).

+ - No support yet for Event Hubs and Storage accounts as destinations.

+ - No support yet for collecting file based logs, IIS logs, ETW events, .NET events and crash dumps.

+The following table shows the current support for the Azure Monitor agent with other Azure services.

+| File based logs and Windows IIS logs | Private preview | [Sign-up link](https://aka.ms/amadcr-privatepreviews) |

+- [toguid](/azure/data-explorer/kusto/query/toguidfunction)

+- [toint](/azure/data-explorer/kusto/query/tointfunction)

+- [tolong](/azure/data-explorer/kusto/query/tolongfunction)

+|errors|Yes|Errors|Count|Maximum|The number errors that occurred on the cache. For more details, see https://aka.ms/redis/metrics.|ShardId, ErrorType|

+- TimeGenerated

+- RawData

+## February, 2022

+### General

+**Updated articles**

+- [What is monitored by Azure Monitor?](monitor-reference.md)

+### Agents

+**New articles**

+- [Sample data collection rule - agent](agents/data-collection-rule-sample-agent.md)

+- [Using data collection endpoints with Azure Monitor agent (preview)](agents/azure-monitor-agent-data-collection-endpoint.md)

+**Updated articles**

+- [Azure Monitor agent overview](/azure/azure-monitor/agents/azure-monitor-agent-overview.md)

+- [Manage the Azure Monitor agent](/azure/azure-monitor/agents/azure-monitor-agent-manage.md)

+### Alerts

+**Updated articles**

+- [How to trigger complex actions with Azure Monitor alerts](/azure/azure-monitor/alerts/action-groups-logic-app.md)

+### Application Insights

+**New articles**

+- [Migrate from Application Insights instrumentation keys to connection strings](app/migrate-from-instrumentation-keys-to-connection-strings.md)

+**Updated articles**

+- [Application Monitoring for Azure App Service and Java](/azure/azure-monitor/app/azure-web-apps-java.md)

+- [Application Monitoring for Azure App Service and Node.js](/azure/azure-monitor/app/azure-web-apps-nodejs.md)

+- [Enable Snapshot Debugger for .NET apps in Azure App Service](/azure/azure-monitor/app/snapshot-debugger-appservice.md)

+- [Profile live Azure App Service apps with Application Insights](/azure/azure-monitor/app/profiler.md)

+- [Visualizations for Application Change Analysis (preview)](/azure/azure-monitor/app/change-analysis-visualizations.md)

+### Autoscale

+**New articles**

+- [Use predictive autoscale to scale out before load demands in virtual machine scale sets (Preview)](autoscale/autoscale-predictive.md)

+### Data collection

+**New articles**

+- [Data collection endpoints in Azure Monitor (preview)](essentials/data-collection-endpoint-overview.md)

+- [Data collection rules in Azure Monitor](essentials/data-collection-rule-overview.md)

+- [Data collection rule transformations](essentials/data-collection-rule-transformations.md)

+- [Structure of a data collection rule in Azure Monitor (preview)](essentials/data-collection-rule-structure.md)

+### Essentials

+**Updated articles**

+- [Azure Activity log](/azure/azure-monitor/essentials/activity-log.md)

+### Logs

+**Updated articles**

+- [Azure Monitor Logs overview](logs/data-platform-logs.md)

+**New articles**

+- [Configure Basic Logs in Azure Monitor (Preview)](logs/basic-logs-configure.md)

+- [Configure data retention and archive in Azure Monitor Logs (Preview)](logs/data-retention-archive.md)

+- [Log Analytics workspace overview](logs/log-analytics-workspace-overview.md)

+- [Overview of ingestion-time transformations in Azure Monitor Logs](logs/ingestion-time-transformations.md)

+- [Query data from Basic Logs in Azure Monitor (Preview)](logs/basic-logs-query.md)

+- [Restore logs in Azure Monitor (Preview)](logs/restore.md)

+- [Sample data collection rule - custom logs](logs/data-collection-rule-sample-custom-logs.md)

+- [Search jobs in Azure Monitor (Preview)](logs/search-jobs.md)

+- [Send custom logs to Azure Monitor Logs with REST API](logs/custom-logs-overview.md)

+- [Tables that support ingestion-time transformations in Azure Monitor Logs (preview)](logs/tables-feature-support.md)

+- [Tutorial - Send custom logs to Azure Monitor Logs (preview)](logs/tutorial-custom-logs.md)

+- [Tutorial - Send custom logs to Azure Monitor Logs using resource manager templates](logs/tutorial-custom-logs-api.md)

+- [Tutorial - Add ingestion-time transformation to Azure Monitor Logs using Azure portal](logs/tutorial-ingestion-time-transformations.md)

+- [Tutorial - Add ingestion-time transformation to Azure Monitor Logs using resource manager templates](logs/tutorial-ingestion-time-transformations-api.md)

+**New articles**

+- [Sample data collection rule - agent](agents/data-collection-rule-sample-agent.md)

+- [Migrate from Application Insights instrumentation keys to connection strings](app/migrate-from-instrumentation-keys-to-connection-strings.md)

+This article provides a guide on set up and usage of the new features in preview for **AzAcSnap v5.1**. These new features can be used with Azure NetApp Files, Azure BareMetal, and now Azure Managed Disk. This guide should be read along with the documentation for the generally available version of AzAcSnap at [aka.ms/azacsnap](./azacsnap-introduction.md).

+The five new preview features provided with AzAcSnap v5.1 are:

+- Oracle Database support.

+- Backint coexistence.

+- Azure Managed Disk.

+- RunBefore and RunAfter capability.

+- Azure Key Vault support for storing Service Principal.

+Minor addition to `--volume` option:

+- All volumes snapshot.

+mode, `azacsnap` will query the Oracle database to get a list of files, which have backup-mode as active. This file list is output into an external file, which is in

+The following examples show the set up of the Oracle database user, the use of `mkstore` to create an Oracle Wallet, and the `sqlplus` configuration files required for

+1. The Oracle Wallet provides a method to manage database credentials across multiple domains. This capability is accomplished by using a database connection string in

+ This makes it possible to use the Oracle Transparent Network Substrate (TNS) administrative file with a connection string alias, thus hiding details of the database

+ connection string. If the connection information changes, it's a matter of changing the `tnsnames.ora` file instead

+ Set up the Oracle Wallet (change the password) This example uses the mkstore command from the Linux shell to set up the Oracle wallet. These commands

+ 1. Get the Oracle environment variables to be used in set up. Run the following commands as the `root` user on the Oracle Database Server.

+ > If deploying to a centralized virtual machine, then it will need to have the Oracle instant client installed and set up so the AzAcSnap user can

+ 1. Test the set up with AzAcSnap

+ > The `$TNS_ADMIN` variable must be set up correctly for `azacsnap` to run correctly, either by adding to the user's `.bash_profile` file,

+The following changes must be applied to the Oracle Database to allow for monitoring by the database administrator.

+ These SQL commands allow AzAcSnap to output messages to standard output using the PUT_LINE procedure in the DBMS_OUTPUT package, and also to the Oracle database `alert.log`

+ΓÇ£Do you need AzAcSnap to automatically disable/enable backint during snapshot? (y/n) [n]ΓÇ¥. Editing the configuration as described will set the

+autoDisableEnableBackint value to true in the JSON configuration file (for example, `azacsnap.json`). It's also possible to change this value by editing

+the configuration file directly.

+Microsoft provides many storage options for deploying databases such as SAP HANA. Many of these options are detailed on the

+AzAcSnap is able to take application consistent database snapshots when deployed on this type of architecture (that is, a VM with Managed Disks). However, the set up

+With the Azure VM set up as prescribed, AzAcSnap can take snapshots of Azure Managed Disks. The snapshot operations are similar to those for other storage back-ends supported by AzAcSnap (for example, Azure NetApp Files, Azure Large Instance (Bare Metal)). Because AzAcSnap communicates with the Azure Resource Manager to take snapshots, it also needs a Service Principal with the correct permissions to take managed disk snapshots.

+This delay can be overridden by adding a number to wait in seconds after a `%` character (for example, `--runbefore "mycommand.sh%60"` will wait up to 60 seconds for `mycommand.sh`

+## Azure Key Vault

+From AzAcSnap v5.1, it's possible to store the Service Principal securely as a Secret in Azure Key Vault. Using this feature allows for centralization of Service Principal credentials

+where an alternate administrator can set up the Secret for AzAcSnap to use.

+The steps to follow to set up Azure Key Vault and store the Service Principal in a Secret are as follows:

+1. Within an Azure Cloud Shell session, make sure you're logged on at the subscription where you want to create the Azure Key Vault:

+ ```azurecli-interactive

+ az account show

+ ```

+1. If the subscription isn't correct, use the following command to set the Cloud Shell to the correct subscription:

+ ```azurecli-interactive

+ az account set -s <subscription name or id>

+ ```

+1. Create Azure Key Vault

+ ```azurecli-interactive

+ az keyvault create --name "<AzureKeyVaultName>" -g <ResourceGroupName>

+ ```

+1. Create the trust relationship and assign the policy for virtual machine to get the Secret

+ 1. Show AzAcSnap virtual machine Identity

+

+ If the virtual machine already has an identity created, retrieve it as follows:

+

+ ```azurecli-interactive

+ az vm identity show --name "<VMName>" --resource-group "<ResourceGroup>"

+ ```

+

+ The `"principalId"` in the output is used as the `--object-id` value when setting the Policy with `az keyvault set-policy`.

+

+ ```output

+ {

+ "principalId": "99z999zz-99z9-99zz-99zz-9z9zz999zz99",

+ "tenantId": "99z999zz-99z9-99zz-99zz-9z9zz999zz99",

+ "type": "SystemAssigned, UserAssigned",

+ "userAssignedIdentities": {

+ "/subscriptions/99z999zz-99z9-99zz-99zz-9z9zz999zz99/resourceGroups/AzSecPackAutoConfigRG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/AzSecPackAutoConfigUA-eastus2": {

+ "clientId": "99z999zz-99z9-99zz-99zz-9z9zz999zz99",

+ "principalId": "99z999zz-99z9-99zz-99zz-9z9zz999zz99"

+ }

+ }

+ }

+ ```

+ 1. Set AzAcSnap virtual machine Identity (if necessary)

+

+ If the VM doesn't have an identity, create it as follows:

+

+ ```azurecli-interactive

+ az vm identity assign --name "<VMName>" --resource-group "<ResourceGroup>"

+ ```

+

+ The `"systemAssignedIdentity"` in the output is used as the `--object-id` value when setting the Policy with `az keyvault set-policy`.

+

+ ```output

+ {

+ "systemAssignedIdentity": "99z999zz-99z9-99zz-99zz-9z9zz999zz99",

+ "userAssignedIdentities": {

+ "/subscriptions/99z999zz-99z9-99zz-99zz- 9z9zz999zz99/resourceGroups/AzSecPackAutoConfigRG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/AzSecPackAutoConfigUA-eastus2": {

+ "clientId": "99z999zz-99z9-99zz-99zz-9z9zz999zz99",

+ "principalId": "99z999zz-99z9-99zz-99zz-9z9zz999zz99"

+ }

+ }

+ }

+ ```

+ 1. Assign a suitable policy for the virtual machine to be able to retrieve the Secret from the Key Vault.

+ ```azurecli-interactive

+ az keyvault set-policy --name "<AzureKeyVaultName>" --object-id "<VMIdentity>" --secret-permissions get

+ ```

+1. Create Azure Key Vault Secret

+ Create the secret, which will store the Service Principal credential information.

+

+ It's possible to paste the contents of the Service Principal. In the **Bash** Cloud Shell below a single apostrophe character is put after value then

+ press the `[Enter]` key, then paste the contents of the Service Principal, close the content by adding another single apostrophe and press the `[Enter]` key.

+ This command should create the Secret and store it in Azure Key Vault.

+

+ > [!TIP]

+ > If you have a separate Service Principal per installation the `"<NameOfSecret>"` could be the SID, or some other suitable unique identifier.

+

+ Following example is for using the **Bash** Cloud Shell:

+ ```azurecli-interactive

+ az keyvault secret set --name "<NameOfSecret>" --vault-name "<AzureKeyVaultName>" --value '

+ {

+ "clientId": "99z999zz-99z9-99zz-99zz-9z9zz999zz99",

+ "clientSecret": "<ClientSecret>",

+ "subscriptionId": "99z999zz-99z9-99zz-99zz-9z9zz999zz99",

+ "tenantId": "99z999zz-99z9-99zz-99zz-9z9zz999zz99",

+ "activeDirectoryEndpointUrl": "https://login.microsoftonline.com",

+ "resourceManagerEndpointUrl": "https://management.azure.com/",

+ "activeDirectoryGraphResourceId": "https://graph.windows.net/",

+ "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/",

+ "galleryEndpointUrl": "https://gallery.azure.com/",

+ "managementEndpointUrl": "https://management.core.windows.net/"

+ }'

+ ```

+ Following example is for using the **PowerShell** Cloud Shell:

+ > [!WARNING]

+ > In PowerShell the double quotes have to be escaped with an additional double quote, so one double quote (") becomes two double quotes ("").

+ ```azurecli-interactive

+ az keyvault secret set --name "<NameOfSecret>" --vault-name "<AzureKeyVaultName>" --value '

+ {

+ ""clientId"": ""99z999zz-99z9-99zz-99zz-9z9zz999zz99"",

+ ""clientSecret"": ""<ClientSecret>"",

+ ""subscriptionId"": ""99z999zz-99z9-99zz-99zz-9z9zz999zz99"",

+ ""tenantId"": ""99z999zz-99z9-99zz-99zz-9z9zz999zz99"",

+ ""activeDirectoryEndpointUrl"": ""https://login.microsoftonline.com"",

+ ""resourceManagerEndpointUrl"": ""https://management.azure.com/"",

+ ""activeDirectoryGraphResourceId"": ""https://graph.windows.net/"",

+ ""sqlManagementEndpointUrl"": ""https://management.core.windows.net:8443/"",

+ ""galleryEndpointUrl"": ""https://gallery.azure.com/"",

+ ""managementEndpointUrl"": ""https://management.core.windows.net/""

+ }'

+ ```

+ The output of the command `az keyvault secret set` will have the URI value to use as `"authFile"` entry in the AzAcSnap JSON configuration file. The URI is

+ the value of the `"id"` below (for example, `"https://<AzureKeyVaultName>.vault.azure.net/secrets/<NameOfSecret>/z9999999z9999999z9999999"`).

+ ```output

+ {

+ "attributes": {

+ "created": "2022-02-23T20:21:01+00:00",

+ "enabled": true,

+ "expires": null,

+ "notBefore": null,

+ "recoveryLevel": "Recoverable+Purgeable",

+ "updated": "2022-02-23T20:21:01+00:00"

+ },

+ "contentType": null,

+ "id": "https://<AzureKeyVaultName>.vault.azure.net/secrets/<NameOfSecret>/z9999999z9999999z9999999",

+ "kid": null,

+ "managed": null,

+ "name": "AzureAuth",

+ "tags": {

+ "file-encoding": "utf-8"

+ },

+ "value": "\n{\n \"clientId\": \"99z999zz-99z9-99zz-99zz-9z9zz999zz99\",\n \"clientSecret\": \"<ClientSecret>\",\n \"subscriptionId\": \"99z999zz-99z9-99zz-99zz-9z9zz999zz99\",\n \"tenantId\": \"99z999zz-99z9-99zz-99zz-9z9zz999zz99\",\n \"activeDirectoryEndpointUrl\": \"https://login.microsoftonline.com\",\n \"resourceManagerEndpointUrl\": \"https://management.azure.com/\",\n \"activeDirectoryGraphResourceId\": \"https://graph.windows.net/\",\n \"sqlManagementEndpointUrl\": \"https://management.core.windows.net:8443/\",\n \"galleryEndpointUrl\": \"https://gallery.azure.com/\",\n \"managementEndpointUrl\": \"https://management.core.windows.net/\"\n}"

+ }

+ ```

+1. Update AzAcSnap JSON configuration file

+ Replace the value for the authFile entry with the Secret's ID value. Making this change can be done by editing the file using a tool like `vi`, or by using the

+ `azacsnap -c configure --configuration edit` option.

+ 1. Old Value

+

+ ```output

+ "authFile": "azureauth.json"

+ ```

+

+ 1. New Value

+

+ ```output

+ "authFile": "https://<AzureKeyVaultName>.vault.azure.net/secrets/<NameOfSecret>/z9999999z9999999z9999999"

+ ```

+## All Volumes Snapshot

+A new optional value for `--volume` allows for all the volumes to be snapshot as a group. This option allows for the snapshots to all have the same snapshot

+name, which is useful if doing a `-c restore` to clone or recover a system to specific date/time.

+Running the AzAcSnap command `azacsnap -c backup --volume all --retention 5 --prefix all-volumes` will take snapshot backups, with all the snapshots having

+the same name with a prefix of `all-volumes` and a maximum of five snapshots with that prefix per volume.

+The processing is handled in the order outlined as follows:

+1. `data` Volume Snapshot (same as the normal `--volume data` option)

+ 1. put the database into *backup-mode*.

+ 1. take snapshots of the Volume listed in the configuration file's `"dataVolume"` stanza.

+ 1. take the database out of *backup-mode*.

+ 1. perform snapshot management.

+1. `other Volume Snapshot (same as the normal `--volume other` option)

+ 1. take snapshots of the Volumes listed in the configuration file's `"otherVolume"` stanza.

+ 1. perform snapshot management.

+- [Back up using AzAcSnap](azacsnap-cmd-ref-backup.md)

+## Mar-2022

+### AzAcSnap v5.1 Preview (Build: 20220302.81795)

+AzAcSnap v5.1 Preview (Build: 20220302.81795) has been released with the following new features:

+- Azure Key Vault support for securely storing the Service Principal.

+- A new option for `-c backup --volume` which has the `all` parameter value.

+Details of these new features are in the AzAcSnap Preview documentation.

+Read about the new features and how to use the [AzAcSnap Preview](azacsnap-preview.md).

+Download the [latest release of the Preview installer](https://aka.ms/azacsnap-preview-installer).

+- [Authorize request to SignalR resources with Azure AD from Azure applications](signalr-howto-authorize-application.md)

+Advance notifications (Preview) are available for databases configured to use a non-default [maintenance window](maintenance-window.md). Advance notifications enable customers to configure notifications to be sent up to 24 hours in advance of any planned event.

+> While [maintenance windows](maintenance-window.md) are generally available, advance notifications for maintenance windows are in public preview for Azure SQL Database and Azure SQL Managed Instance.

+## Permissions

+While Advance Notifications can be sent to any email address, Azure subscription RBAC (role-based access control) policy determines who can access the links in the email. Querying resource graph is covered by [Azure RBAC](../../role-based-access-control/overview.md) access management. To enable read access, each recipient should have resource group level read access. For more information, see [Steps to assign an Azure role](../../role-based-access-control/role-assignments-steps.md).

+## Retrieve the list of impacted resources

+[Azure Resource Graph](../../governance/resource-graph/overview.md) is an Azure service designed to extend Azure Resource Management. The Azure Resource Graph Explorer provides efficient and performant resource exploration with the ability to query at scale across a given set of subscriptions so that you can effectively govern your environment.

+You can use the Azure Resource Graph Explorer to query for maintenance events. For an introduction on how to run these queries, see [Quickstart: Run your first Resource Graph query using Azure Resource Graph Explorer](../../governance/resource-graph/first-query-portal.md).

+When the advanced notification for planned maintenance is received, you will get a link that opens Azure Resource Graph and executes the query for the exact event, similar to the following. Note that the `notificationId` value is unique per maintenance event.

+```kusto

+resources

+| project resource = tolower(id)

+| join kind=inner (

+ maintenanceresources

+ | where type == "microsoft.maintenance/updates"

+ | extend p = parse_json(properties)

+ | mvexpand d = p.value

+ | where d has 'notificationId' and d.notificationId == 'LNPN-R9Z'

+ | project resource = tolower(name), status = d.status

+) on resource

+|project resource, status

+```

+For the full reference of the sample queries and how to use them across tools like PowerShell or Azure CLI, visit [Azure Resource Graph sample queries for Azure Service Health](../../service-health/resource-graph-samples.md).

+> The Azure SQL built-in roles in this section apply to a dedicated SQL pool (formerly SQL DW) but are not available for dedicated SQL pools and other SQL resources within Azure Synapse workspaces. For SQL resources in Azure Synapse workspaces, use the available actions for data classification to create custom Azure roles as needed for labelling. For more information on the `Microsoft.Synapse/workspaces/sqlPools` provider operations, see [Microsoft.Synapse](/azure/role-based-access-control/resource-provider-operations#microsoftsynapse).

+| [Maintenance window advance notifications](../database/advance-notifications.md)| Advance notifications are available for databases configured to use a non-default [maintenance window](maintenance-window.md). Advance notifications for maintenance windows are in public preview for Azure SQL Database. |

+| [Maintenance window](../database/maintenance-window.md)| March 2022 | The maintenance window feature allows you to configure maintenance schedule for your Azure SQL Database. [Maintenance window advance notifications](../database/advance-notifications.md), however, are in preview.|

+| **GA for maintenance window** | The [maintenance window](maintenance-window.md) feature allows you to configure a maintenance schedule for your Azure SQL Database and receive advance notifications of maintenance windows. [Maintenance window advance notifications](../database/advance-notifications.md) are in public preview for databases configured to use a non-default [maintenance window](maintenance-window.md).|

+ Title: Distributed transactions across cloud databases

+# Distributed transactions across cloud databases

+Elastic database transactions for Azure SQL Database and Azure SQL Managed Instance allow you to run transactions that span several databases. Elastic database transactions are available for .NET applications using ADO.NET and integrate with the familiar programming experience using the [System.Transaction](/dotnet/api/system.transactions) classes. To get the library, see [.NET Framework 4.6.1 (Web Installer)](https://www.microsoft.com/download/details.aspx?id=49981).

+| Windows authentication | No | Yes, see [Windows Authentication for Azure Active Directory principals (Preview)](../managed-instance/winauth-azuread-overview.md). |

+ Title: Configure maintenance window

+# Configure maintenance window

+Configure the [maintenance window](maintenance-window.md) for an Azure SQL database, elastic pool, or Azure SQL Managed Instance database during resource creation, or anytime after a resource is created.

+- To learn more about maintenance window, see [Maintenance window](maintenance-window.md).

+# Maintenance window

+[Advance notifications (Preview)](advance-notifications.md) are available for databases configured to use a non-default maintenance window. Advance notifications enable customers to configure notifications to be sent up to 24 hours in advance of any planned event.

+Maintenance notifications can be configured to alert you of upcoming planned maintenance events for your Azure SQL Database. The alerts arrive 24 hours in advance, at the time of maintenance, and when the maintenance is complete. For more information, see [Advance Notifications](advance-notifications.md).

+| Brazil Southeast | Yes | Yes | |

+| US Gov Texas| Yes | Yes | |

+| US Gov Virginia | Yes | Yes | |

+## Retrieving list of maintenance events

+[Azure Resource Graph](../../governance/resource-graph/overview.md) is an Azure service designed to extend Azure Resource Management. The Azure Resource Graph Explorer provides efficient and performant resource exploration with the ability to query at scale across a given set of subscriptions so that you can effectively govern your environment.

+You can use the Azure Resource Graph Explorer to query for maintenance events. For an introduction on how to run these queries, see [Quickstart: Run your first Resource Graph query using Azure Resource Graph Explorer](../../governance/resource-graph/first-query-portal.md).

+To check for the maintenance events for all SQL databases in your subscription, use the following sample query in Azure Resource Graph Explorer:

+```kusto

+servicehealthresources

+| where type =~ 'Microsoft.ResourceHealth/events'

+| extend impact = properties.Impact

+| extend impactedService = parse_json(impact[0]).ImpactedService

+| where impactedService =~ 'SQL Database'

+| extend eventType = properties.EventType, status = properties.Status, description = properties.Title, trackingId = properties.TrackingId, summary = properties.Summary, priority = properties.Priority, impactStartTime = properties.ImpactStartTime, impactMitigationTime = properties.ImpactMitigationTime

+| where properties.Status == 'Active' and tolong(impactStartTime) > 1 and eventType == 'PlannedMaintenance'

+```

+To check for the maintenance events for all managed instances in your subscription, use the following sample query in Azure Resource Graph Explorer:

+```kusto

+servicehealthresources

+| where type =~ 'Microsoft.ResourceHealth/events'

+| extend impact = properties.Impact

+| extend impactedService = parse_json(impact[0]).ImpactedService

+| where impactedService =~ 'SQL Managed Instance'

+| extend eventType = properties.EventType, status = properties.Status, description = properties.Title, trackingId = properties.TrackingId, summary = properties.Summary, priority = properties.Priority, impactStartTime = properties.ImpactStartTime, impactMitigationTime = properties.ImpactMitigationTime

+| where properties.Status == 'Active' and tolong(impactStartTime) > 1 and eventType == 'PlannedMaintenance'

+```

+For the full reference of the sample queries and how to use them across tools like PowerShell or Azure CLI, visit [Azure Resource Graph sample queries for Azure Service Health](../../service-health/resource-graph-samples.md).

+The [maintenance window feature](maintenance-window.md) allows for the configuration of predictable maintenance window schedules for eligible Azure SQL databases and SQL managed instances. [Maintenance window advance notifications](../database/advance-notifications.md) are available for databases configured to use a non-default [maintenance window](maintenance-window.md). Maintenance windows and advance notifications for maintenance windows are generally available for Azure SQL Database. For Azure SQL Managed Instance, maintenance windows are generally available but advance notifications are in public preview.

+Authentication is the process of proving the user is who they claim to be. Azure SQL Database and SQL Managed Instance support SQL authentication and Azure AD authentication. SQL Managed instance additionally supports Windows Authentication for Azure AD principals.

+ Additional Azure AD authentication options available are [Active Directory Universal Authentication for SQL Server Management Studio](authentication-mfa-ssms-overview.md) connections including [multi-factor authentication](../../active-directory/authentication/concept-mfa-howitworks.md) and [Conditional Access](conditional-access-configure.md).

+- **Windows Authentication for Azure AD Principals (Preview)**:

+ [Kerberos authentication for Azure AD Principals](../managed-instance/winauth-azuread-overview.md) (Preview) enables Windows Authentication for Azure SQL Managed Instance. Windows Authentication for managed instances empowers customers to move existing services to the cloud while maintaining a seamless user experience and provides the basis for infrastructure modernization.

+ To enable Windows Authentication for Azure Active Directory (Azure AD) principals, you will turn your Azure AD tenant into an independent Kerberos realm and create an incoming trust in the customer domain. Learn [how Windows Authentication for Azure SQL Managed Instance is implemented with Azure Active Directory and Kerberos](../managed-instance/winauth-implementation-aad-kerberos.md).

+| [Maintenance window advance notifications](../database/advance-notifications.md)| Advance notifications (preview) for databases configured to use a non-default [maintenance window](../database/maintenance-window.md). Advance notifications are in preview for Azure SQL Managed Instance. |

+|[Maintenance window](../database/maintenance-window.md)| March 2022 | The maintenance window feature allows you to configure maintenance schedule for your Azure SQL Managed Instance. [Maintenance window advance notifications](../database/advance-notifications.md), however, are in preview for Azure SQL Managed Instance.|

+| **GA for maintenance window, preview for advance notifications** | The [maintenance window](../database/maintenance-window.md) feature allows you to configure a maintenance schedule for your Azure SQL Managed Instance and receive advance notifications of maintenance windows. [Maintenance window advance notifications](../database/advance-notifications.md) (preview) are available for databases configured to use a non-default [maintenance window](../database/maintenance-window.md). |

+| **Maintenance window** | The maintenance window feature allows you to configure a maintenance schedule for your Azure SQL Managed Instance. To learn more, see [maintenance window](../database/maintenance-window.md).|

+|Isolated environment ([VNet integration](connectivity-architecture-overview.md), single tenant service, dedicated compute and storage) <br>[Transparent data encryption (TDE)](/sql/relational-databases/security/encryption/transparent-data-encryption-azure-sql)<br>[Azure Active Directory (Azure AD) authentication](../database/authentication-aad-overview.md), single sign-on support <br> [Azure AD server principals (logins)](/sql/t-sql/statements/create-login-transact-sql?view=azuresqldb-mi-current&preserve-view=true) <br>[What is Windows Authentication for Azure AD principals (Preview)](winauth-azuread-overview.md) <br>Adheres to compliance standards same as Azure SQL Database <br>[SQL auditing](auditing-configure.md) <br>[Advanced Threat Protection](threat-detection-configure.md) |Azure Resource Manager API for automating service provisioning and scaling <br>Azure portal functionality for manual service provisioning and scaling <br>Data Migration Service

+SQL Managed Instance authentication refers to how users prove their identity when connecting to the database. SQL Managed Instance supports three types of authentication:

+- **Windows Authentication for Azure AD Principals (Preview)**:

+ [Kerberos authentication for Azure AD Principals](../managed-instance/winauth-azuread-overview.md) (Preview) enables Windows Authentication for Azure SQL Managed Instance. Windows Authentication for managed instances empowers customers to move existing services to the cloud while maintaining a seamless user experience and provides the basis for infrastructure modernization.

+- SQL Managed Instance supports [Azure AD authentication](../database/authentication-aad-overview.md) and [Windows Authentication for Azure Active Directory principals (Preview)](winauth-azuread-overview.md).

+For these machines, the Azure Backup service ensures that the latest recovery point with the longest retention doesn't expire (that is, doesn't get pruned) according to the retention rules specified in the backup policy. Therefore, you can safely restore the machine using this RP. Consider the following scenarios you can perform on the backed-up data:

+- For more frequently asked questions, see the [MARS agent FAQ](backup-azure-file-folder-backup-faq.yml).

+To establish the correct key mappings for your target language, you must set either the keyboard layout on your local computer to English (United States) or the keyboard layout inside the target VM to English (United States). That is, the keyboard layout on your local computer must be set to English (United States) while the keyboard layout on your target VM is set to your target language, or vice versa.

+To set English (United States) as your keyboard layout on a Windows workstation, navigate to Settings > Time & Language > Lanugage & Region. Under "Preferred languages," select "Add a language" and add English (United States). You will then be able to see your keyboard layouts on your toolbar. To set English (United States) as your keyboard layout, select "ENG" on your toolbar or click Windows + Spacebar to open keyboard layouts.

+Azure Bastion offers support for file transfer between your target VM and local computer using Bastion and a native RDP or native SSH client. To learn more about native client support, refer to [Connect to a VM using the native client](connect-native-client-windows.md). While it may be possible to use third-party clients and tools to upload or download files, this article focuses on working with supported native clients.

+ console.log("Error occurred while creating task for container " + containerName + ". Details : " + error.response);

+## February 2022

+- Model improvements for latest model-version for [text summarization](text-summarization/overview.md)

+ * [Question Answering (now Generally Available)](question-answering/overview.md)

+ * [Sentiment Analysis and opinion mining](sentiment-opinion-mining/overview.md)

+ * [Key Phrase Extraction](key-phrase-extraction/overview.md)

+ * [Named Entity Recognition (NER), Personally Identifying Information (PII)](named-entity-recognition/overview.md)

+ * [Language Detection](language-detection/overview.md)

+ * [Text Analytics for health](text-analytics-for-health/overview.md)

+ * [Text summarization preview](text-summarization/overview.md)

+ * [Custom Named Entity Recognition (Custom NER) preview](custom-named-entity-recognition/overview.md)

+ * [Custom Text Classification preview](custom-classification/overview.md)

+ * [Conversational Language Understanding preview](conversational-language-understanding/overview.md)

+ * Improved prediction quality.

+ * [Additional language support](sentiment-opinion-mining/language-support.md?tabs=sentiment-analysis) for the opinion mining feature.

+ * For more information, see the [project z-code site](https://www.microsoft.com/research/project/project-zcode/).

+ * To use this [model version](sentiment-opinion-mining/how-to/call-api.md#specify-the-sentiment-analysis-model), you must specify it in your API calls, using the model version parameter.

+ * [Custom Named Entity Recognition](custom-named-entity-recognition/how-to/call-api.md?tabs=client#use-the-client-libraries)

+ * [Custom text classification](custom-classification/how-to/call-api.md?tabs=api#use-the-client-libraries)

+ * [Custom language understanding](conversational-language-understanding/how-to/deploy-query-model.md#use-the-client-libraries-azure-sdk)

+* [What is Azure Cognitive Service for Language?](overview.md)

+Confidential ledgers are created as blocks in blob storage containers belonging to an Azure Storage account. Transaction data can either be stored encrypted or in plaintext depending on your needs. When you create a Ledger, you will associate a Storage Account using the steps described in [Register a confidential ledger Service Principal](register-ledger-service-principal.md).

+- Azure confidential ledger does not support standard Azure Disaster Recovery at this time. However, Azure confidential ledger offers built-in redundancy within the Azure region, as the confidential ledger runs on multiple independent nodes.

+## Service principal renewal

+The service principal is created with one-year validity. You have options to extend the validity further than one year, or can provide expiry date of your choice using the [`az ad sp credential reset`](/cli/azure/ad/sp/credential#az-ad-sp-credential-reset) command.

+The admin account is provided with two passwords, both of which can be regenerated. New passwords created for admin accounts are available immediately. Regenerating passwords for admin accounts will take 60 seconds to replicate and be available. Two passwords allow you to maintain connection to the registry by using one password while you regenerate the other. If the admin account is enabled, you can pass the username and either password to the `docker login` command when prompted for basic authentication to the registry. For example:

+* A **token** along with a generated password lets the user authenticate with the registry. You can set an expiration date for a token password, or disable a token at any time.

+To use a token created in the portal, you must generate a password. You can generate one or two passwords, and set an expiration date for each one. New passwords created for tokens are available immediately. Regenerating new passwords for tokens will take 60 seconds to replicate and be available.

+If you didn't generate a token password, or you want to generate new passwords, run the [az acr token credential generate][az-acr-token-credential-generate] command.Regenerating new passwords for tokens will take 60 seconds to replicate and be available.

+[az-acr-token-credential-generate]: /cli/azure/acr/token/credential/#az_acr_token_credential_generate

+echo "deb https://downloads.apache.org/cassandra/debian 311x main" | sudo tee -a /etc/apt/sources.list.d/cassandra.sources.list

+To create a free tier account by using an ARM template, set the property `"enableFreeTier": true`. For the complete template, see deploy an [ARM template with free tier](manage-with-templates.md#free-tier) example.

+Integration runtimes don't change often and are similar across all stages in your CI/CD. Data Factory requires you to have the same name and type of integration runtime across all stages of CI/CD. If you want to share integration runtimes across all stages, consider using a dedicated factory just to contain the shared integration runtimes. You can then use this shared factory in all of your environments as a linked integration runtime type.

+> [!IMPORTANT]

+> This connector is currently in preview. You can try it out and give us feedback. If you want to take a dependency on preview connectors in your solution, please contact [Azure support](https://azure.microsoft.com/support/).

+> [!IMPORTANT]

+> This connector is currently in preview. You can try it out and give us feedback. If you want to take a dependency on preview connectors in your solution, please contact [Azure support](https://azure.microsoft.com/support/).

+> [!IMPORTANT]

+> This connector is currently in preview. You can try it out and give us feedback. If you want to take a dependency on preview connectors in your solution, please contact [Azure support](https://azure.microsoft.com/support/).

+> [!IMPORTANT]

+> This connector is currently in preview. You can try it out and give us feedback. If you want to take a dependency on preview connectors in your solution, please contact [Azure support](https://azure.microsoft.com/support/).

+|**1.**|Preview features |For this release, the following features are available in preview: <br> - Clustering and Multi-Access Edge Computing (MEC) for Azure Stack Edge Pro GPU devices only. <br> - VPN for Azure Stack Edge Pro R and Azure Stack Edge Mini R only. <br> - Local Azure Resource Manager, VMs, Cloud management of VMs, Kubernetes cloud management, and Multi-process service (MPS) for Azure Stack Edge Pro GPU, Azure Stack Edge Pro R, and Azure Stack Edge Mini R. |These features will be generally available in later releases. |

+|**3.**|Wi-Fi |Wi-Fi does not work on Azure Stack Edge Pro 2 in this release. | This functionality may be available in a future release. |

+| **1.** |Azure Stack Edge Pro + Azure SQL | Creating SQL database requires Administrator access. |Do the following steps instead of Steps 1-2 in [Create-the-sql-database](../iot-edge/tutorial-store-data-sql-server.md#create-the-sql-database). <br> - In the local UI of your device, enable compute interface. Select **Compute > Port # > Enable for compute > Apply.**<br> - Download `sqlcmd` on your client machine from [SQL command utility](/sql/tools/sqlcmd-utility). <br> - Connect to your compute interface IP address (the port that was enabled), adding a ",1401" to the end of the address.<br> - Final command will look like this: sqlcmd -S {Interface IP},1401 -U SA -P "Strong!Passw0rd".</li>After this, steps 3-4 from the current documentation should be identical. </li></ol> |

+| **2.** |Refresh| Incremental changes to blobs restored via **Refresh** are NOT supported |For Blob endpoints, partial updates of blobs after a Refresh, may result in the updates not getting uploaded to the cloud. For example, sequence of actions such as:<br> 1. Create blob in cloud. Or delete a previously uploaded blob from the device.<br> 2. Refresh blob from the cloud into the appliance using the refresh functionality.<br> 3. Update only a portion of the blob using Azure SDK REST APIs.</li></ol>These actions can result in the updated sections of the blob to not get updated in the cloud. <br>**Workaround**: Use tools such as robocopy, or regular file copy through Explorer or command line, to replace entire blobs.|

+|**5.**|Tiered storage accounts|The following apply when using tiered storage accounts:<br> - Only block blobs are supported. Page blobs are not supported.<br> - There is no snapshot or copy API support.<br> - Hadoop workload ingestion through `distcp` is not supported as it uses the copy operation heavily.</li></ul>||

+|**23.**|Custom script VM extension |There is a known issue in the Windows VMs that were created in an earlier release and the device was updated to 2103. <br> If you add a custom script extension on these VMs, the Windows VM Guest Agent (Version 2.7.41491.901 only) gets stuck in the update causing the extension deployment to time out. | To work around this issue: <br> - Connect to the Windows VM using remote desktop protocol (RDP). <br> - Make sure that the `waappagent.exe` is running on the machine: `Get-Process WaAppAgent`. <br> - If the `waappagent.exe` is not running, restart the `rdagent` service: `Get-Service RdAgent` \| `Restart-Service`. Wait for 5 minutes.<br> - While the `waappagent.exe` is running, kill the `WindowsAzureGuest.exe` process. <br> - After you kill the process, the process starts running again with the newer version. <br> - Verify that the Windows VM Guest Agent version is 2.7.41491.971 using this command: `Get-Process WindowsAzureGuestAgent` \| `fl ProductVersion`.<br> - [Set up custom script extension on Windows VM](azure-stack-edge-gpu-deploy-virtual-machine-custom-script-extension.md). </li><ol> |

+ - You'll need to first configure compute as described in [Tutorial: Configure compute on Azure Stack Edge Pro 2 device](azure-stack-edge-pro-2-deploy-configure-compute.md). This step creates a Kubernetes cluster that acts as the hosting platform for IoT Edge on your device.

+> [Configure compute to deploy IoT Edge and Kubernetes workloads on Azure Stack Edge](./azure-stack-edge-pro-2-deploy-configure-compute.md)

+| Device management | - Azure subscription. <br> - Resource providers registered. <br> - Azure Storage account.|- Enabled for Azure Stack Edge, owner or contributor access. <br> - In Azure portal, go to **Home > Subscriptions > Your-subscription > Resource providers**. Search for `Microsoft.EdgeOrder` and register. Repeat for `Microsoft.Devices` if deploying IoT workloads. <br> - Need access credentials. |

+| | - At least one X 1-GbE RJ-45 network cable for Port 1. <br> - At least 100-GbE QSFP28 Passive Direct Attached Cable (tested in-house) for each data network interface Port 3 and Port 4 to be configured. <br> - At least one 100-GbE network switch to connect a 1 GbE or a 100-GbE network interface to the Internet for data.| Customer needs to procure these cables.<br><br>For a full list of supported cables, modules, and switches, see [Connect-X6 DX adapter card compatible firmware](https://docs.nvidia.com/networking/display/ConnectX6DxFirmwarev22271016/Firmware%20Compatible%20Products).|

+| First-time device connection | Laptop whose IPv4 settings can be changed. This laptop connects to Port 1 via a switch or a USB to Ethernet adapter. </li><!--<li> A minimum of 1 GbE switch must be used for the device once the initial setup is complete. The local web UI will not be accessible if the connected switch is not at least 1 Gbe.</li>-->| |

+| Network settings | Device comes with 2 x 10/1-GbE, 2 x 100-GbE network ports. <br> - Port 1 is used to configure management settings only. One or more data ports can be connected and configured. <br> - At least one data network interface from among Port 2 to Port 4 needs to be connected to the Internet (with connectivity to Azure). <br> - DHCP and static IPv4 configuration supported. | Static IPv4 configuration requires IP, DNS server, and default gateway. |

+| Advanced networking settings | - Require 2 free, static, contiguous IPs for Kubernetes nodes, and one static IP for IoT Edge service. <br> - Require one additional IP for each extra service or module that you'll deploy.| Only static IPv4 configuration is supported.|

+| (Optional) Web proxy settings |Web proxy server IP/FQDN, port |HTTPS URLs are not supported. |

+| (Recommended) Time settings | Configure time zone, primary NTP server, secondary NTP server. | Configure primary and secondary NTP server on local network. <br> - If local server isnΓÇÖt available, public NTP servers can be configured. |

+| (Optional) Update server settings | Require update server IP address on local network, path to WSUS server. | By default, public windows update server is used.|

+| Device settings | - Device fully qualified domain name (FQDN). <br> - DNS domain. | |

+| Device management | - Azure subscription <br> - Resource providers registered <br> - Azure Storage account|Enabled for Azure Stack Edge, owner or contributor access. <br> - In Azure portal, go to **Home > Subscriptions > Your-subscription > Resource providers**. Search for `Microsoft.EdgeOrder` and register. Repeat for `Microsoft.Devices` if deploying IoT workloads. <br> - Need access credentials</li> |

+| Device installation | One power cable in the package per device node. <!--<br>For US, an SVE 18/3 cable rated for 125 V and 15 Amps with a NEMA 5-15P to C13 (input to output) connector is shipped.--> | For more information, see the list of [Supported power cords by country](azure-stack-edge-technical-specifications-power-cords-regional.md) |

+| | <br> - At least two 1-GbE RJ-45 network cable for Port 1 on the two device nodes <br> - You would need two 1-GbE network cables to connect Port 2 on each device node to the internet. Depending on the network topology you wish to deploy, you may also need at least one 100-GbE QSFP28 Passive Direct Attached Cable (tested in-house) to connect Port 3 and Port 4 across the device nodes. <br> - You would also need at least one 10/1-GbE network switch to connect Port 1 and Port 2. You would need a 100/10-GbE switch to connect Port 3 or Port 4 network interface to the Internet for data.| Customer needs to procure these cables and switches. Exact number of cables and switches would depend on the network topology that you deploy. <br><br> For a full list of supported cables, modules, and switches, see [Connect-X6 DX adapter card compatible firmware](https://docs.nvidia.com/networking/display/ConnectX6DxFirmwarev22271016/Firmware%20Compatible%20Products).|

+| First-time device connection | Via a laptop whose IPv4 settings can be changed. This laptop connects to Port 1 via a switch or a USB to Ethernet adapter. |

+| Network settings | Device comes with 2 x 10/1-GbE network ports, Port 1 and Port 2. Device also has 2 x 100-GbE network ports, Port 3 and Port 4. <br> - Port 1 is used for initial configuration. Port 2, Port 3, and Port 4 are also connected and configured. <br> - At least one data network interface from among Port 2 - Port 4 needs to be connected to the Internet (with connectivity to Azure). <br> - DHCP and static IPv4 configuration supported. | Static IPv4 configuration requires IP, DNS server, and default gateway. |

+| Advanced networking settings | <br> - Require 3 free, static, contiguous IPs for Kubernetes nodes, and one static IP for IoT Edge service. <br> - Require one additional IP for each extra service or module that you'll deploy.| Only static IPv4 configuration is supported.|

+| (Optional) Web proxy settings | Web proxy server IP/FQDN, port| HTTPS URLs are not supported. |

+| (Optional) Update server settings | Require update server IP address on local network, path to WSUS server. | By default, public windows update server is used.|

+| Device settings | <br> - Device fully qualified domain name (FQDN) <br> - DNS domain| |

+ On your physical device, there are four network interfaces. Port 1 and Port 2 are 1-Gbps network interfaces that can also serve as 10-Gbps network interfaces. Port 3 and Port 4 are 100-Gbps network interfaces. Port 1 is used for the intial configuration of the device. For a new device, the **Network** page is as shown below.

+ On your physical device, there are four network interfaces. Port 1 and Port 2 are 1-Gbps network interfaces that can also serve as 10-Gbps network interfaces. Port 3 and Port 4 are 100-Gbps network interfaces.

+1. You'll see a **Confirm network setting** dialog. This dialog reminds you to make sure that your node is cabled as per the network topology you selected. Once you choose the network cluster topology and create a cluster, you can't update the topology without a device reset. Select **Yes** to confirm the network topology.

+ 

+ If for any reason, you need to reset or update the network topology, you can use the **Update topology** option. If you update the topology, you may need to make sure the cabling for the device is changed accordingly.

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+You can add or delete virtual networks associated with your virtual switches. To add a virtual network, follow these steps:

+> [!div class="checklist"]

+> * Prerequisites

+> * Select device setup type

+> * Configure network and network topology on both nodes

+> * Get authentication token for prepared node

+> * Configure cluster witness and add prepared node

+> * Configure virtual IP settings for Azure Consistent Services and NFS

+> * Configure advanced networking

+> * Configure web proxy

+ The back plane of the device may look slightly different depending on the exact model youΓÇÖve received. For more information, see [Cable your device](azure-stack-edge-pro-2-deploy-install.md#cable-the-device).

+ - A pair of packaged Wi-Fi antennas in the accessory box.

+ - One single enclosure Azure Stack Edge Pro 2 device.

+ - One power cord.

+ - One packaged bezel.

+ - A pair of packaged Wi-Fi antennas in the accessory box.

+ - A safety, environmental, and regulatory information booklet.

+If you didn't receive all of the items listed here, [Contact Microsoft Support](azure-stack-edge-contact-microsoft-support.md). The next step is to mount your device on a rack or wall.

+- Inner rails.

+- Chassis of your device.

+- 10L M5 screws.

+If deploying a two-node device cluster, make sure to mount both the devices on the rack or the wall.

+The following procedures explain how to cable your Azure Stack Edge Pro 2 device for power and network.

+- At least one 1-GbE RJ-45 network cable to connect to the Port 1. Port 1 and Port 2 the two 10/1-GbE network interfaces on your device.

+- One 100-GbE QSFP28 passive direct attached cable (tested in-house) for each data network interface Port 3 and Port 4 to be configured. Here is an example of the QSFP28 DAC connector:

+- At least one 100-GbE network switch to connect a 10/1-GbE or a 100-GbE network interface to the internet for data. At least one data network interface from among Port 2, Port 3, and Port 4 needs to be connected to the Internet (with connectivity to Azure).

+- One power cable for each device node (included in the device package).

+- Access to one power distribution unit for each device node.

+- At least two 1-GbE RJ-45 network cable per device to connect to Port 1 and Port2. These are the two 10/1-GbE network interfaces on your device.

+- A pair of Wi-Fi antennas (included in the accessory box).

+ - Two 10/1-Gbps interfaces, Port 1 and Port 2.

+1. Identify the various ports on the back plane of each device.

+1. Connect the 10/1-GbE network interface Port 1 to the computer that's used to configure the physical device. Port 1 is used for the initial configuration of the device.

+You need administrator privileges to complete the setup and configuration process. The portal preparation takes less than 20 minutes.

+|**[8. Configure compute](azure-stack-edge-pro-2-deploy-configure-compute.md)** |Configure the compute role on your device. A Kubernetes cluster is also created. |

+- The network in your datacenter is configured per the networking requirements for your Azure Stack device. For more information, see [Azure Stack Edge Pro 2 System Requirements](azure-stack-edge-pro-2-system-requirements.md).

+ 

+|Double encryption | Use self-encrypting drives to provide a layer of encryption. BitLocker support to locally encrypt data and secure data transfer to cloud over *https*. For more information, see [Configure encryption-at-rest](azure-stack-edge-pro-2-deploy-configure-certificates.md#configure-encryption-at-rest)|

+* **Azure Stack Edge Pro 2 physical device** - A compact 2U device supplied by Microsoft that can be configured to send data to Azure.

+| Number of data disks | 2 SATA SSDs |

+| Single data disk capacity | 960 GB |

+ * A Phillips-head screwdriver

+| **A possible connection to malicious location has been detected. (Preview)**<br>(K8S.NODE_ThreatIntelCommandLineSuspectDomain) | Analysis of processes running within a container detected a connection to a location that has been reported to be malicious or unusual. This is an indicator that a compromise may have occurred. | InitialAccess | Medium |

+ :::image type="content" source="media/how-to-work-with-alerts-sensor/custom-alerts-rules.png" alt-text="Screenshot of the Create custom alert rules pane.":::

+1. Select the source and destination devices for the activity you want to detect.

+ :::image type="content" source="media/how-to-work-with-alerts-sensor/custom-rule-conditions.png" alt-text="Screenshot of the Custom rule condition options.":::

+**Condition based on when activity took place**

+## Next steps

+For more information, see [Manage the alert event](how-to-manage-the-alert-event.md).

+## Next steps

+For more information, see [Troubleshoot the sensor and on-premises management console](how-to-troubleshoot-the-sensor-and-on-premises-management-console.md).

+ :::image type="content" source="media/how-to-activate-and-set-up-your-sensor/sensor-log-in-1.png" alt-text="Screenshot of a Defender for IoT sensor sign in page.":::

+ :::image type="content" source="media/how-to-activate-and-set-up-your-sensor/sensor-log-in-wizard-activate.png" alt-text="Screenshot of the sensor network settings options when signing into the sensor.":::

+ :::image type="content" source="media/how-to-activate-and-set-up-your-sensor/sensor-log-in-wizard-activate-proxy.png" alt-text="Screenshot of the proxy options for signing in to a sensor.":::

+ :::image type="content" source="media/how-to-activate-and-set-up-your-sensor/wizard-upload-activation-file.png" alt-text="Screenshot of a first time activation file upload option.":::

+ :::image type="content" source="media/how-to-activate-and-set-up-your-sensor/wizard-upload-activation-certificates-1.png" alt-text="Screenshot of the SSL/TLS Certificates page when signing in to a sensor.":::

+ :::image type="content" source="media/how-to-activate-and-set-up-your-on-premises-management-console/activation-popup.png" alt-text="Screenshot of a license expiration popup message.":::

+ :::image type="content" source="media/how-to-activate-and-set-up-your-on-premises-management-console/add-license.png" alt-text="Screenshot of the license activation box and button.":::

+ :::image type="content" source="media/how-to-activate-and-set-up-your-sensor/initial-dashboard.png" alt-text="Screenshot of the initial sensor console dashboard Overview page." lightbox="media/how-to-activate-and-set-up-your-sensor/initial-dashboard.png":::

+ :::image type="content" source="media/how-to-activate-and-set-up-your-sensor/sensor-log-in-1.png" alt-text="Screenshot of the sensor sign in page after the initial setup.":::

+ :::image type="content" source="media/how-to-activate-and-set-up-your-sensor/main-page-side-bar.png" alt-text="Screenshot of the sensor console's main menu on the left.":::

+| Overview | View a dashboard with high-level information about your sensor deployment, alerts, traffic, and more. |

+ :::image type="content" source="media/how-to-activate-and-set-up-your-sensor/system-messages.png" alt-text="Screenshot of the System messages area on the sensor console page, displayed after selecting the bell icon.":::

+## Next steps

+For more information, see:

+- [Threat intelligence research and packages ](how-to-work-with-threat-intelligence-packages.md)

+- [Onboard a sensor](getting-started.md#onboard-a-sensor)

+- [Manage sensor activation files](how-to-manage-individual-sensors.md#manage-sensor-activation-files)

+- [Control what traffic is monitored](how-to-control-what-traffic-is-monitored.md)

+ :::image type="content" source="media/how-to-work-with-maps/differences.png" alt-text="Screenshot of a Programming Change Log":::

+ :::image type="content" source="media/how-to-work-with-maps/timeline-view.png" alt-text="Screenshot of a programming timeline window.":::

+ :::image type="content" source="media/how-to-work-with-maps/choose-file.png" alt-text="Screenshot of selecting the file you want to work with.":::

+ :::image type="content" source="media/how-to-work-with-maps/compare.png" alt-text="Screenshot of the compare indicator.":::

+ :::image type="content" source="media/how-to-work-with-maps/scroll.png" alt-text="Screenshot of scrolling down to your selection.":::

+ :::image type="content" source="media/how-to-work-with-maps/program-timeline.png" alt-text="Screenshot of the programming timeline view." lightbox="media/how-to-work-with-maps/program-timeline.png":::

+| The device inventory | The device inventory indicates if the device is a programming device. <br> :::image type="content" source="media/how-to-work-with-maps/inventory-v2.png" alt-text="Screenshot of the device inventory page."::: |

+## Next steps

+For more information, see [Import device information to a sensor](how-to-import-device-information.md).

+## Next steps

+For more information, see [Work with device notifications](how-to-work-with-device-notifications.md).

+## Next steps

+For more information, see [Manage your subscriptions](how-to-manage-subscriptions.md).

+## Next steps

+For more information, see:

+- [Investigate sensor detections in a device inventory](how-to-investigate-sensor-detections-in-a-device-inventory.md)

+- [Investigate sensor detections in the device map](how-to-work-with-the-sensor-device-map.md)

+ :::image type="content" source="media/how-to-create-and-manage-users/users-pane.png" alt-text="Screenshot of the Users pane for creating users.":::

+ :::image type="content" source="media/how-to-create-and-manage-users/track-user-activity.png" alt-text="Screenshot of the Event timeline showing a user that signed in to Defender for IoT.":::

+ :::image type="content" source="media/how-to-create-and-manage-users/change-password.png" alt-text="Screenshot of the Change password dialog for local sensor users.":::

+ :::image type="content" source="media/how-to-create-and-manage-users/password-recovery.png" alt-text="Screenshot of the Select Password recovery from the sign in screen of either the on-premises management console, or the sensor.":::

+ :::image type="content" source="media/how-to-create-and-manage-users/password-recovery-screen.png" alt-text="Screenshot of selecting either the Defender for IoT user or the support user.":::

+ :::image type="content" source="media/how-to-create-and-manage-users/recover-password.png" alt-text="Screenshot of the recover on-premises management console password option.":::

+ :::image type="content" source="media/how-to-create-and-manage-users/enter-identifier.png" alt-text="Screenshot of entering enter the unique identifier and then selecting recover." lightbox="media/how-to-create-and-manage-users/enter-identifier.png":::

+- [Activate and set up your sensor](how-to-activate-and-set-up-your-sensor.md)

+- [Activate and set up your on-premises management console](how-to-activate-and-set-up-your-on-premises-management-console.md)

+- [Track sensor activity](how-to-track-sensor-activity.md)

+## Next steps

+For more information, see [Attack vector reporting](how-to-create-attack-vector-reports.md).

+## Next steps

+For more information, see:

+- [Risk assessment reporting](how-to-create-risk-assessment-reports.md)

+- [Attack vector reporting](how-to-create-attack-vector-reports.md)

+- [Create trends and statistics dashboards](how-to-create-trends-and-statistics-reports.md)

+## Next steps

+For more information, see [Attack vector reporting](how-to-create-attack-vector-reports.md).

+## Next steps

+For more information, see:

+- [Risk assessment reporting](how-to-create-risk-assessment-reports.md)

+- [Sensor data mining queries](how-to-create-data-mining-queries.md)

+- [Attack vector reporting](how-to-create-attack-vector-reports.md)

+## Next steps

+For more information, see [About Defender for IoT console users](how-to-create-and-manage-users.md).

+- Consult your certificate lead.

+## Next steps

+For more information, see [Identify required appliances](how-to-identify-required-appliances.md).

+## Next steps

+For more information, see [Accelerate alert workflows](how-to-accelerate-alert-incident-response.md).

+## Import authorization status

+## Next steps

+For more information, see:

+- [Control what traffic is monitored](how-to-control-what-traffic-is-monitored.md)

+- [Investigate sensor detections in a device inventory](how-to-investigate-sensor-detections-in-a-device-inventory.md)

+## Next steps

+For more information, see [Set up your network](how-to-set-up-your-network.md).

+## Next steps

+For more information, see:

+- [Investigate all enterprise sensor detections in a device inventory](how-to-investigate-all-enterprise-sensor-detections-in-a-device-inventory.md)

+- [Manage your IoT devices with the device inventory](../device-builders/how-to-manage-device-inventory-on-the-cloud.md#manage-your-iot-devices-with-the-device-inventory)

+ :::image type="content" source="media/how-to-view-manage-cloud-alerts/filters-on-alerts-page.png" alt-text="Screenshot of the filters bar on the Alerts page in the Azure portal.":::

+ :::image type="content" source="media/how-to-view-manage-cloud-alerts/group-by-severity.png" alt-text="Screenshot of the Alerts page, filtered by severity.":::

+ :::image type="content" source="media/how-to-view-manage-cloud-alerts/alert-count-breakdown.png" alt-text="Screenshot of Alert filters showing protocols with count for each protocol.":::

+ :::image type="content" source="media/how-to-view-manage-cloud-alerts/alert-detected.png" alt-text="Screenshot of an alert selected from Alerts page in the Azure portal.":::

+ :::image type="content" source="media/how-to-view-manage-cloud-alerts/alert-full-details.png" alt-text="Screenshot of a selected alert with full details.":::

+ :::image type="content" source="media/how-to-view-manage-cloud-alerts/take-action-cloud-alert.png" alt-text="Screenshot of a remediation action for a sample alert in the Azure portal.":::

+## Next steps

+For more information, see [Gain insight into global, regional, and local threats](how-to-gain-insight-into-global-regional-and-local-threats.md#gain-insight-into-global-regional-and-local-threats).

+## Next steps

+For more information, see:

+- [Threat intelligence research and packages](how-to-work-with-threat-intelligence-packages.md)

+- [Manage sensors from the management console](how-to-manage-sensors-from-the-on-premises-management-console.md)

+## Next steps

+For more information, see [Manage individual sensors](how-to-manage-individual-sensors.md).

+ :::image type="content" source="media/how-to-manage-the-alert-event/main-alerts-screen.png" alt-text="Screenshot of the main sensor alerts screen.":::

+ :::image type="content" source="media/how-to-manage-the-alert-event/remediation-steps.png" alt-text="Screenshot of a sample set of remediation steps for alert action.":::

+ :::image type="content" source="media/how-to-manage-the-alert-event/learn-remediation.png" alt-text="Screenshot of the Learn option for Policy alerts.":::

+1. Navigate to the alert you learned.

+ :::image type="content" source="media/how-to-manage-the-alert-event/close-alert.png" alt-text="Screenshot of the option to close an alert from the Alerts page.":::

+ :::image type="content" source="media/how-to-manage-the-alert-event/multiple-close.png" alt-text="Screenshot of selecting multiple alerts to close from the Alerts page.":::

+ :::image type="content" source="media/how-to-view-alerts/alert-cloud-mitre.png" alt-text="Screenshot of a sample alert shown in the Azure portal.":::

+## Next steps

+For more information, see:

+## Next steps

+For more information, see:

+- [Manage sensors from the management console](how-to-manage-sensors-from-the-on-premises-management-console.md)

+- [Manage individual sensors](how-to-manage-individual-sensors.md)

+## Next steps

+For more information, see [Activate and set up your on-premises management console](how-to-activate-and-set-up-your-on-premises-management-console.md).

+## Next steps

+For more information, see [Export troubleshooting logs](how-to-troubleshoot-the-sensor-and-on-premises-management-console.md).

+## Next steps

+For more information, see [View alerts](how-to-view-alerts.md).

+ :::image type="content" source="media/how-to-view-alerts/view-alerts-main-page.png" alt-text="Screenshot of the sensor Alerts page." lightbox="media/how-to-view-alerts/view-alerts-main-page.png":::

+ :::image type="content" source="media/how-to-view-alerts/alerts-filter.png" alt-text="Screenshot of Alert filter options.":::

+ :::image type="content" source="media/how-to-view-alerts/view-alerts-map.png" alt-text="Screenshot of a map view of the source and detected devices from an alert." lightbox="media/how-to-view-alerts/view-alerts-map.png" :::

+ :::image type="content" source="media/how-to-view-alerts/alert-event-timeline.png" alt-text="Screenshot of an alert timeline for the selected alert from the Alerts page." lightbox="media/how-to-view-alerts/alert-event-timeline.png" :::

+ :::image type="content" source="media/how-to-view-alerts/alert-remediation-rename.png" alt-text="Screenshot of the alert's Take action section.":::

+ :::image type="content" source="media/how-to-view-alerts/alert-cloud-mitre.png" alt-text="Screenshot of a sample alert shown in the Azure portal.":::

+For more information, see:

+- [Manage the alert event](how-to-manage-the-alert-event.md)

+- [Accelerate alert workflows](how-to-accelerate-alert-incident-response.md)

+ :::image type="content" source="media/how-to-view-alerts/alert-cloud-mitre.png" alt-text="Screenshot of a sample of alert as shown in the Azure portal.":::

+ :::image type="content" source="media/how-to-work-with-alerts-on-premises-management-console/learn-and-acknowledge.png" alt-text="Screenshot of the Learn & Acknowledge button.":::

+ :::image type="content" source="media/how-to-work-with-alerts-on-premises-management-console/management-console-create-forwarding-rule.png" alt-text="Screenshot of the Create Forwarding Rule window..":::

+ :::image type="content" source="media/how-to-work-with-alerts-on-premises-management-console/create-alert-exclusion-view.png" alt-text="Screenshot of the Create Alert Exclusion pane.":::

+1. In **Discovery Notifications**, choose **Select All**, and then clear the notifications you don't need. When you choose **Select All**, Defender for IoT displays information about which notifications can be handled or dismissed simultaneously, and which need your input.

+## Next steps

+For more information, see [View alerts](how-to-view-alerts.md).

+| **Attack vector simulations** | Vulnerable devices detected in attack vector reports. To view these devices on the map, select the **Display on Device Map** checkbox when generating the Attack Vector. :::image type="content" source="media/how-to-work-with-maps/add-attack-v3.png" alt-text="Screenshot of the Add Attack Vector Simulations":::|

+| :::image type="icon" source="media/how-to-work-with-maps/zoom-in-icon-v2.png" border="false"::: :::image type="icon" source="media/how-to-work-with-maps/zoom-out-icon-v2.png" border="false"::: | Zoom in or out of the map. |

+ :::image type="content" source="media/how-to-work-with-maps/colored-dots-v2.png" alt-text="Screenshot of a bird eye view of the map." lightbox="media/how-to-work-with-maps/colored-dots-v2.png":::

+ :::image type="content" source="media/how-to-work-with-maps/connections-purdue-level.png" alt-text="Screenshot of the detailed map view." lightbox="media/how-to-work-with-maps/connections-purdue-level.png" :::

+| :::image type="content" source="media/how-to-work-with-maps/host-v2.png" alt-text="Screenshot of the I P host name."::: | IP address host name and IP address, or subnet addresses |

+| :::image type="content" source="media/how-to-work-with-maps/amount-alerts-v2.png" alt-text="Screenshot of the number of alerts"::: | Number of alerts associated with the device |

+| :::image type="content" source="media/how-to-work-with-maps/grouped-v2.png" alt-text="Screenshot of devices grouped together."::: | Number of devices grouped in a subnet in an IT network. In this example 8. |

+| :::image type="content" source="media/how-to-work-with-maps/not-authorized-v2.png" alt-text="Screenshot of the device learning period"::: | A device that was detected after the Learning period and was not authorized as a network device. |

+| :::image type="content" source="media/how-to-work-with-maps/new-v2.png" alt-text="Screenshot of a new device discovered after learning is complete."::: | New device discovered after Learning is complete. |

+ :::image type="content" source="media/how-to-work-with-maps/device-details-from-map.png" alt-text="Screenshot of the device details shown for the device selected in map.":::

+| :::image type="content" source="media/how-to-work-with-maps/power.png" alt-text="Screenshot of the Power Supply icon."::: | Power Supply |

+| :::image type="content" source="media/how-to-work-with-maps/analog.png" alt-text="Screenshot the Analog I/O icon."::: | Analog I/O |

+| :::image type="content" source="media/how-to-work-with-maps/comms.png" alt-text="Screenshot of the Communication Adapter icon."::: | Communication Adapter |

+| :::image type="content" source="media/how-to-work-with-maps/digital.png" alt-text="Screenshot of the Digital I/O icon."::: | Digital I/O |

+| :::image type="content" source="media/how-to-work-with-maps/computer-processor.png" alt-text="Screenshot of the CPU icon."::: | CPU |

+| :::image type="content" source="media/how-to-work-with-maps/HMI-icon.png" alt-text="Screenshot of the HMI icon."::: | HMI |

+| :::image type="content" source="media/how-to-work-with-maps/average.png" alt-text="Screenshot of the Generic icon."::: | Generic |

+ :::image type="content" source="media/how-to-work-with-maps/edit-config.png" alt-text="Screenshot of the Edit device property pane.":::

+ :::image type="content" source="media/how-to-work-with-maps/name-the-device-v2.png" alt-text="Screenshot of the attributes dialog box.":::

+ :::image type="content" source="media/how-to-work-with-maps/attack-vector-reports.png" alt-text="Screenshot of the attack vector reports.":::

+ :::image type="content" source="media/how-to-work-with-maps/unauthorized-risk-assessment-report.png" alt-text="Screenshot of a Risk Assessment report showing an unauthorized device.":::

+## Next steps

+For more information, see [Investigate sensor detections in a Device Inventory](how-to-investigate-sensor-detections-in-a-device-inventory.md).

+## Next steps

+For more information, see:

+- [Onboard a sensor](getting-started.md#onboard-a-sensor)

+- [Manage sensors from the management console](how-to-manage-sensors-from-the-on-premises-management-console.md)

+## Next steps

+For more information, see [Tutorial: Get started with enterprise IoT](tutorial-getting-started-eiot-sensor.md).

+## Next steps

+For more information, see [Microsoft Defender for IoT architecture](architecture.md).

+## Next steps

+For more information, see [Defender for IoT API sensor and management console APIs](references-work-with-defender-for-iot-apis.md).

+## Next steps

+For more information, see [Customize alert rules](how-to-accelerate-alert-incident-response.md#customize-alert-rules).

+If you have defined [rule sets](standard-premium/concept-rule-set.md) for the route, they're executed in the order they're configured. [Rule sets can override the origin group](front-door-rules-engine-actions.md#origin-group-override) specified in a route. Rule sets can also trigger a redirection response to the request instead of forwarding it to an origin.

+ Title: Azure Front Door Rules actions

+description: This article provides a list of various actions you can do with Azure Front Door Rules engine/Rules set.

+zone_pivot_groups: front-door-tiers

+# Azure Front Door Rules actions

+An Azure Front Door Standard/Premium [Rule Set](standard-premium/concept-rule-set.md) consist of rules with a combination of match conditions and actions. This article provides a detailed description of the actions you can use in Azure Front Door Standard/Premium Rule Set. The action defines the behavior that gets applied to a request type that a match condition(s) identifies. In an Azure Front Door (Standard/Premium) Rule Set, a rule can contain up to five actions.

+> [!IMPORTANT]

+> Azure Front Door Standard/Premium (Preview) is currently in public preview.

+> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

+> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+The following actions are available to use in Azure Front Door rule set.

+## <a name="CacheExpiration"></a> Cache expiration

+Use the **cache expiration** action to overwrite the time to live (TTL) value of the endpoint for requests that the rules match conditions specify.

+> [!NOTE]

+> Origins may specify not to cache specific responses using the `Cache-Control` header with a value of `no-cache`, `private`, or `no-store`. In these circumstances, Front Door will never cache the content and this action will have no effect.

+### Properties

+| Property | Supported values |

+|-||

+| Cache behavior | <ul><li>**Bypass cache:** The content should not be cached. In ARM templates, set the `cacheBehavior` property to `BypassCache`.</li><li>**Override:** The TTL value returned from your origin is overwritten with the value specified in the action. This behavior will only be applied if the response is cacheable. In ARM templates, set the `cacheBehavior` property to `Override`.</li><li>**Set if missing:** If no TTL value gets returned from your origin, the rule sets the TTL to the value specified in the action. This behavior will only be applied if the response is cacheable. In ARM templates, set the `cacheBehavior` property to `SetIfMissing`.</li></ul> |

+| Cache duration | When _Cache behavior_ is set to `Override` or `Set if missing`, these fields must specify the cache duration to use. The maximum duration is 366 days.<ul><li>In the Azure portal: specify the days, hours, minutes, and seconds.</li><li>In ARM templates: specify the duration in the format `d.hh:mm:ss`. |

+### Example

+In this example, we override the cache expiration to 6 hours, for matched requests that don't specify a cache duration already.

+# [Portal](#tab/portal)

+# [JSON](#tab/json)

+```json

+{

+ "name": "CacheExpiration",

+ "parameters": {

+ "cacheBehavior": "SetIfMissing",

+ "cacheType": "All",

+ "cacheDuration": "0.06:00:00",

+ "typeName": "DeliveryRuleCacheExpirationActionParameters"

+ }

+}

+```

+# [Bicep](#tab/bicep)

+```bicep

+{

+ name: 'CacheExpiration'

+ parameters: {

+ cacheBehavior: 'SetIfMissing'

+ cacheType: All

+ cacheDuration: '0.06:00:00'

+ typeName: 'DeliveryRuleCacheExpirationActionParameters'

+ }

+}

+```

+## <a name="CacheKeyQueryString"></a> Cache key query string

+Use the **cache key query string** action to modify the cache key based on query strings. The cache key is the way that Front Door identifies unique requests to cache.

+### Properties

+| Property | Supported values |

+|-||

+| Behavior | <ul><li>**Include:** Query strings specified in the parameters get included when the cache key gets generated. In ARM templates, set the `queryStringBehavior` property to `Include`.</li><li>**Cache every unique URL:** Each unique URL has its own cache key. In ARM templates, use the `queryStringBehavior` of `IncludeAll`.</li><li>**Exclude:** Query strings specified in the parameters get excluded when the cache key gets generated. In ARM templates, set the `queryStringBehavior` property to `Exclude`.</li><li>**Ignore query strings:** Query strings aren't considered when the cache key gets generated. In ARM templates, set the `queryStringBehavior` property to `ExcludeAll`.</li></ul> |

+| Parameters | The list of query string parameter names, separated by commas. |

+### Example

+In this example, we modify the cache key to include a query string parameter named `customerId`.

+# [Portal](#tab/portal)

+# [JSON](#tab/json)

+```json

+{

+ "name": "CacheKeyQueryString",

+ "parameters": {

+ "queryStringBehavior": "Include",

+ "queryParameters": "customerId",

+ "typeName": "DeliveryRuleCacheKeyQueryStringBehaviorActionParameters"

+ }

+}

+```

+# [Bicep](#tab/bicep)

+```bicep

+{

+ name: 'CacheKeyQueryString'

+ parameters: {

+ queryStringBehavior: 'Include'

+ queryParameters: 'customerId'

+ typeName: 'DeliveryRuleCacheKeyQueryStringBehaviorActionParameters'

+ }

+}

+```

+## <a name="ModifyRequestHeader"></a> Modify request header

+Use the **modify request header** action to modify the headers in the request when it is sent to your origin.

+### Properties

+| Property | Supported values |

+|-||

+| Operator | <ul><li>**Append:** The specified header gets added to the request with the specified value. If the header is already present, the value is appended to the existing header value using string concatenation. No delimiters are added. In ARM templates, use the `headerAction` of `Append`.</li><li>**Overwrite:** The specified header gets added to the request with the specified value. If the header is already present, the specified value overwrites the existing value. In ARM templates, use the `headerAction` of `Overwrite`.</li><li>**Delete:** If the header specified in the rule is present, the header gets deleted from the request. In ARM templates, use the `headerAction` of `Delete`.</li></ul> |

+| Header name | The name of the header to modify. |

+| Header value | The value to append or overwrite. |

+### Example

+In this example, we append the value `AdditionalValue` to the `MyRequestHeader` request header. If the origin set the response header to a value of `ValueSetByClient`, then after this action is applied, the request header would have a value of `ValueSetByClientAdditionalValue`.

+# [Portal](#tab/portal)

+# [JSON](#tab/json)

+```json

+{

+ "name": "ModifyRequestHeader",

+ "parameters": {

+ "headerAction": "Append",

+ "headerName": "MyRequestHeader",

+ "value": "AdditionalValue",

+ "typeName": "DeliveryRuleHeaderActionParameters"

+ }

+}

+```

+# [Bicep](#tab/bicep)

+```bicep

+{

+ name: 'ModifyRequestHeader'

+ parameters: {

+ headerAction: 'Append'

+ headerName: 'MyRequestHeader'

+ value: 'AdditionalValue'

+ typeName: 'DeliveryRuleHeaderActionParameters'

+ }

+}

+```

+## <a name="ModifyResponseHeader"></a> Modify response header

+Use the **modify response header** action to modify headers that are present in responses before they are returned to your clients.

+### Properties

+| Property | Supported values |

+|-||

+| Operator | <ul><li>**Append:** The specified header gets added to the response with the specified value. If the header is already present, the value is appended to the existing header value using string concatenation. No delimiters are added. In ARM templates, use the `headerAction` of `Append`.</li><li>**Overwrite:** The specified header gets added to the response with the specified value. If the header is already present, the specified value overwrites the existing value. In ARM templates, use the `headerAction` of `Overwrite`.</li><li>**Delete:** If the header specified in the rule is present, the header gets deleted from the response. In ARM templates, use the `headerAction` of `Delete`.</li></ul> |

+| Header name | The name of the header to modify. |

+| Header value | The value to append or overwrite. |

+### Example

+In this example, we delete the header with the name `X-Powered-By` from the responses before they are returned to the client.

+# [Portal](#tab/portal)

+# [JSON](#tab/json)

+```json

+{

+ "name": "ModifyResponseHeader",

+ "parameters": {

+ "headerAction": "Delete",

+ "headerName": "X-Powered-By",

+ "typeName": "DeliveryRuleHeaderActionParameters"

+ }

+}

+```

+# [Bicep](#tab/bicep)

+```bicep

+{

+ name: 'ModifyResponseHeader'

+ parameters: {

+ headerAction: 'Delete'

+ headerName: 'X-Powered-By'

+ typeName: 'DeliveryRuleHeaderActionParameters'

+ }

+}

+```

+## <a name="UrlRedirect"></a> URL redirect

+Use the **URL redirect** action to redirect clients to a new URL. Clients are sent a redirection response from Front Door.

+### Properties

+| Property | Supported values |

+|-||

+| Redirect type | The response type to return to the requestor. <ul><li>In the Azure portal: Found (302), Moved (301), Temporary Redirect (307), Permanent Redirect (308).</li><li>In ARM templates: `Found`, `Moved`, `TemporaryRedirect`, `PermanentRedirect`</li></ul> |

+| Redirect protocol | <ul><li>In the Azure portal: `Match Request`, `HTTP`, `HTTPS`</li><li>In ARM templates: `MatchRequest`, `Http`, `Https`</li></ul> |

+| Destination host | The host name you want the request to be redirected to. Leave blank to preserve the incoming host. |

+| Destination path | The path to use in the redirect. Include the leading `/`. Leave blank to preserve the incoming path. |

+| Query string | The query string used in the redirect. Don't include the leading `?`. Leave blank to preserve the incoming query string. |

+| Destination fragment | The fragment to use in the redirect. Leave blank to preserve the incoming fragment. |

+### Example

+In this example, we redirect the request to `https://contoso.com/exampleredirection?clientIp={client_ip}`, while preserving the fragment. An HTTP Temporary Redirect (307) is used. The IP address of the client is used in place of the `{client_ip}` token within the URL by using the `client_ip` [server variable](#server-variables).

+# [Portal](#tab/portal)

+# [JSON](#tab/json)

+```json

+{

+ "name": "UrlRedirect",

+ "parameters": {

+ "redirectType": "TemporaryRedirect",

+ "destinationProtocol": "Https",

+ "customHostname": "contoso.com",

+ "customPath": "/exampleredirection",

+ "customQueryString": "clientIp={client_ip}",

+ "typeName": "DeliveryRuleUrlRedirectActionParameters"

+ }

+}

+```

+# [Bicep](#tab/bicep)

+```bicep

+{

+ name: 'UrlRedirect'

+ parameters: {

+ redirectType: 'TemporaryRedirect'

+ destinationProtocol: 'Https'

+ customHostname: 'contoso.com'

+ customPath: '/exampleredirection'

+ customQueryString: 'clientIp={client_ip}'

+ typeName: 'DeliveryRuleUrlRedirectActionParameters'

+ }

+}

+```

+## <a name="UrlRewrite"></a> URL rewrite

+Use the **URL rewrite** action to rewrite the path of a request that's en route to your origin.

+### Properties

+| Property | Supported values |

+|-||

+| Source pattern | Define the source pattern in the URL path to replace. Currently, source pattern uses a prefix-based match. To match all URL paths, use a forward slash (`/`) as the source pattern value. |

+| Destination | Define the destination path to use in the rewrite. The destination path overwrites the source pattern. |

+| Preserve unmatched path | If set to _Yes_, the remaining path after the source pattern is appended to the new destination path. |

+### Example

+In this example, we rewrite all requests to the path `/redirection`, and don't preserve the remainder of the path.

+# [Portal](#tab/portal)

+# [JSON](#tab/json)

+```json

+{

+ "name": "UrlRewrite",

+ "parameters": {

+ "sourcePattern": "/",

+ "destination": "/redirection",

+ "preserveUnmatchedPath": false,

+ "typeName": "DeliveryRuleUrlRewriteActionParameters"

+ }

+}

+```

+# [Bicep](#tab/bicep)

+```bicep

+{

+ name: 'UrlRewrite'

+ parameters: {

+ sourcePattern: '/'

+ destination: '/redirection'

+ preserveUnmatchedPath: false

+ typeName: 'DeliveryRuleUrlRewriteActionParameters'

+ }

+}

+```

+## Origin group override

+Use the **Origin group override** action to change the origin group that the request should be routed to.

+### Properties

+| Property | Supported values |

+|-||

+| Origin group | The origin group that the request should be routed to. This overrides the configuration specified in the Front Door endpoint route. |

+### Example

+In this example, we route all matched requests to an origin group named `SecondOriginGroup`, regardless of the configuration in the Front Door endpoint route.

+# [Portal](#tab/portal)

+# [JSON](#tab/json)

+```json

+{

+ "name": "OriginGroupOverride",

+ "parameters": {

+ "originGroup": {

+ "id": "/subscriptions/<subscription-id>/resourcegroups/<resource-group-name>/providers/Microsoft.Cdn/profiles/<profile-name>/originGroups/SecondOriginGroup"

+ },

+ "typeName": "DeliveryRuleOriginGroupOverrideActionParameters"

+ }

+}

+```

+# [Bicep](#tab/bicep)

+```bicep

+{

+ name: 'OriginGroupOverride'

+ parameters: {

+ originGroup: {

+ id: '/subscriptions/<subscription-id>/resourcegroups/<resource-group-name>/providers/Microsoft.Cdn/profiles/<profile-name>/originGroups/SecondOriginGroup'

+ }

+ typeName: 'DeliveryRuleOriginGroupOverrideActionParameters'

+ }

+}

+```

+## Server variables

+Rule Set server variables provide access to structured information about the request. You can use server variables to dynamically change the request/response headers or URL rewrite paths/query strings, for example, when a new page load or when a form is posted.

+### Supported variables

+| Variable name | Description |

+||-|

+| `socket_ip` | The IP address of the direct connection to Azure Front Door edge. If the client used an HTTP proxy or a load balancer to send the request, the value of `socket_ip` is the IP address of the proxy or load balancer. |

+| `client_ip` | The IP address of the client that made the original request. If there was an `X-Forwarded-For` header in the request, then the client IP address is picked from the header. |

+| `client_port` | The IP port of the client that made the request. |

+| `hostname` | The host name in the request from the client. |

+| `geo_country` | Indicates the requester's country/region of origin through its country/region code. |

+| `http_method` | The method used to make the URL request, such as `GET` or `POST`. |

+| `http_version` | The request protocol. Usually `HTTP/1.0`, `HTTP/1.1`, or `HTTP/2.0`. |

+| `query_string` | The list of variable/value pairs that follows the "?" in the requested URL.<br />For example, in the request `http://contoso.com:8080/article.aspx?id=123&title=fabrikam`, the `query_string` value will be `id=123&title=fabrikam`. |

+| `request_scheme` | The request scheme: `http` or `https`. |

+| `request_uri` | The full original request URI (with arguments).<br />For example, in the request `http://contoso.com:8080/article.aspx?id=123&title=fabrikam`, the `request_uri` value will be `/article.aspx?id=123&title=fabrikam`. |

+| `ssl_protocol` | The protocol of an established TLS connection. |

+| `server_port` | The port of the server that accepted a request. |

+| `url_path` | Identifies the specific resource in the host that the web client wants to access. This is the part of the request URI without the arguments.<br />For example, in the request `http://contoso.com:8080/article.aspx?id=123&title=fabrikam`, the `uri_path` value will be `/article.aspx`. |

+### Server variable format

+Server variables can be specified using the following formats:

+* `{variable}`: Include the entire server variable. For example, if the client IP address is `111.222.333.444` then the `{client_ip}` token would evaluate to `111.222.333.444`.

+* `{variable:offset}`: Include the server variable after a specific offset, until the end of the variable. The offset is zero-based. For example, if the client IP address is `111.222.333.444` then the `{client_ip:3}` token would evaluate to `.222.333.444`.

+* `{variable:offset:length}`: Include the server variable after a specific offset, up to the specified length. The offset is zero-based. For example, if the client IP address is `111.222.333.444` then the `{client_ip:4:3}` token would evaluate to `222`.

+### Supported actions

+Server variables are supported on the following actions:

+* Cache key query string

+* Modify request header

+* Modify response header

+* URL redirect

+* URL rewrite

+In Azure Front Door (classic), a [Rules Engine](front-door-rules-engine.md) can consist up to 25 rules containing matching conditions and associated actions. This article provides a detailed description of each action you can define in a rule.

+An action defines the behavior that gets applied to the request type that matches the condition or set of match conditions. In the Rules engine configuration, a rule can have up to 10 matching conditions and 5 actions. You can only have one *Override Routing Configuration* action in a single rule.

+The following actions are available to use in Rules engine configuration.

+Use these actions to modify headers that are present in requests sent to your backend.

+| Action | HTTP header name | Value |

+| | - | -- |

+| Append | When this option gets selected and the rule matches, the header specified in **Header name** gets added to the request with the specified value. If the header is already present, the value is appended to the existing value. | String |

+| Overwrite | When this option is selected and the rule matches, the header specified in **Header name** gets added to the request with the specified value. If the header is already present, the specified value overwrites the existing value. | String |

+| Delete | When this option gets selected with matching rules and the header specified in the rule is present, the header gets deleted from the request. | String |

+Use these actions to modify headers that are present in responses returned to your clients.

+| Action | HTTP Header name | Value |

+| Append | When this option gets selected and the rule matches, the header specified in **Header name** gets added to the response by using the specified **Value**. If the header is already present, **Value** is appended to the existing value. | String |

+| Overwrite | When this option is selected and the rule matches, the header specified in **Header name** is added to the response by using the specified **Value**. If the header is already present, **Value** overwrites the existing value. | String |

+| Delete | When this option gets selected with matching rules and the header specified in the rule is present, the header gets deleted from the response. | String |

+Use these actions to redirect clients to a new URL.

+| Field | Description |

+| -- | -- |

+| Redirect type | Redirect is a way to send users/clients from one URL to another. A redirect type sets the status code used by clients to understand the purpose of the redirect. <br><br/>You can select the following redirect status codes: Found (302), Moved (301), Temporary redirect (307), and Permanent redirect (308). |

+| Redirect protocol | Retain the protocol as per the incoming request, or define a new protocol for the redirection. For example, select 'HTTPS' for HTTP to HTTPS redirection. |

+| Destination host | Set this to change the hostname in the URL for the redirection or otherwise retain the hostname from the incoming request. |

+| Destination path | Either retain the path as per the incoming request, or update the path in the URL for the redirection. |

+| Query string | Set this to replace any existing query string from the incoming request URL or otherwise retain the original set of query strings. |

+| Destination fragment | The destination fragment is the portion of URL after '#', normally used by browsers to land on a specific section on a page. Set this to add a fragment to the redirect URL. |

+Use these actions to forward clients to a new URL. These actions also contain sub actions for URL rewrites and caching.

+| Field | Description |

+| -- | -- |

+| Backend pool | Select the backend pool to override and serve the requests, this will also show all your pre-configured backend pools currently in your Front Door profile. |

+| Forwarding protocol | Protocol to use for forwarding request to backend or match the protocol from incoming request. |

+| URL rewrite | Path to use when constructing the request for URL rewrite to forward to the backend. |

+| Caching | Enable caching for this routing rule. When enabled, Azure Front Door will cache your static content. |

+| Field | Description |

+| -- | -- |

+| Custom forwarding path | Define a path for which requests will be forwarded to. |

+| Cache behavior | Description |

+| -- | |

+| Ignore query strings | Once the asset is cached, all ensuing requests ignore the query strings until the cached asset expires. |

+| Cache every unique URL | Each request with a unique URL, including the query string, is treated as a unique asset with its own cache. |

+| Ignore specified query strings | Request URL query strings listed in "Query parameters" setting are ignored for caching. |

+| Include specified query strings | Request URL query strings listed in "Query parameters" setting are used for caching. |

+| Additional fields | Description

+| Dynamic compression | Front Door can dynamically compress content on the edge, resulting in a smaller and faster response. |

+| Query parameters | A comma-separated list of allowed or disallowed parameters to use as a basis for caching.

+| Use default cache duration | Set to use Azure Front Door default caching duration or define a caching duration which ignores the origin response directive. |

+* Learn more about [Rules actions](front-door-rules-engine-actions.md)

+* Learn more about [Rule actions](front-door-rules-engine-actions.md).

+* Learn more about [Rule Set Actions](../front-door-rules-engine-actions.md)

+> When you use the [Front Door rules engine](concept-rule-set.md), you can configure a rule to [override the origin group](../front-door-rules-engine-actions.md#origin-group-override) for a request. The origin group set by the rules engine overrides the routing process described in this article.

+Finally, Azure Front Door Standard/Premium evaluates whether or not you have a [rule set](concept-rule-set.md) for the matched routing rule. If there's no rule set defined, then the request gets forwarded to the origin group as-is. Otherwise, the rule sets get executed in the order they're configured. [Rule sets can override the route](../front-door-rules-engine-actions.md#origin-group-override), forcing traffic to a specific origin group.

+* Support server variables to dynamically change the request/response headers or URL rewrite paths/query strings, for example, when a new page load or when a form is posted. Server variable is currently supported on **[Rule Set actions](../front-door-rules-engine-actions.md)** only.

+* *Action*: Actions dictate how AFD handles the incoming requests based on the matching conditions. You can modify caching behaviors, modify request headers/response headers, do URL rewrite and URL redirection. *Server variables are supported on Action*. A rule can contain up to 10 match conditions. A full list of actions can be found [Rule Set actions](../front-door-rules-engine-actions.md).

+Rule Sets can be configured using Azure Resource Manager templates. [See an example template](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.cdn/front-door-standard-premium-rule-set). You can customize the behavior by using the JSON or Bicep snippets included in the documentation examples for [match conditions](concept-rule-set-match-conditions.md) and [actions](../front-door-rules-engine-actions.md).

+> [!NOTE]

+> Currently "reason for non-compliance" cannot be retrieved from Command line. We are working on mapping the reason code to the "reason for non-compliance" and at this point there is no ETA on this.

+1. Restart hosts. After you get the names of the nodes that you want to reboot, restart the nodes by using the REST API to reboot the nodes. The node name follows the pattern of *NodeType(wn/hn/zk/gw/id)* + *x* + *first six characters of cluster name*. For more information, see [HDInsight restart hosts REST API operation](/rest/api/hdinsight/2021-06-01/virtual-machines/restart-hosts).

+ | Rule_5 | * | https:443 | azure.archive.ubuntu.com | Allows Ubuntu security updates to be installed on the cluster |

+ comma-separated strings supported)

+ multiple comma-separated filenames supported)

+ as base64 string (multiple comma-separated strings supported)

+ multiple comma-separated filenames supported)

+ multiple comma-separated thumbprints supported)

+> [IIoT Platform GitHub repository](https://github.com/Azure/iot-edge-opc-publisher)

+During a TLS handshake, IoT Hub presents RSA-keyed server certificates to connecting clients. Its' root is the Baltimore Cybertrust Root CA. Because the Baltimore root is at end-of-life, we'll be migrating to a new root called DigiCert Global G2. This change will impact all devices currently connecting to IoT Hub. To prepare for this migration and for all other details, see [IoT TLS certificate update](https://aka.ms/iot-ca-updates).

+ Title: 'Quickstart: Manage secrets by using the Azure Key Vault Go client library'

+description: Learn how to create, retrieve, and delete secrets from an Azure key vault by using the Go client library.

+# Quickstart: Manage secrets by using the Azure Key Vault Go client library

+In this quickstart, you'll learn how to use the Azure SDK for Go to create, retrieve, list, and delete secrets from an Azure key vault.

+You can store a variety of [object types](../general/about-keys-secrets-certificates.md#object-types) in an Azure key vault. When you store secrets in a key vault, you avoid having to store them in your code, which helps improve the security of your applications.

+Get started with the [azsecrets](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets) package and learn how to manage your secrets in an Azure key vault by using Go.

+- An Azure subscription. If you don't already have a subscription, you can [create one for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- [Go version 1.16 or later](https://golang.org/dl/), installed.

+- [The Azure CLI](/cli/azure/install-azure-cli), installed.

+For purposes of this quickstart, you use the [azidentity](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity) package to authenticate to Azure by using the Azure CLI. To learn about the various authentication methods, see [Azure authentication with the Azure SDK for Go](/azure/developer/go/azure-sdk-authentication).

+### Sign in to the Azure portal

+1. In the Azure CLI, run the following command:

+ If the Azure CLI can open your default browser, it will do so on the Azure portal sign-in page.

+ If the page doesn't open automatically, go to [https://aka.ms/devicelogin](https://aka.ms/devicelogin), and then enter the authorization code that's displayed in your terminal.

+1. Sign in to the Azure portal with your account credentials.

+Run the following Azure CLI commands:

+```azurecli

+az group create --name quickstart-rg --location eastus

+az keyvault create --name quickstart-kv --resource-group quickstart-rg

+```

+Run the following Go commands:

+```azurecli

+go mod init kvSecrets

+go get -u github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets

+go get -u github.com/Azure/azure-sdk-for-go/sdk/azidentity

+```

+In the following sections, you create a client, set a secret, retrieve a secret, and delete a secret.

+If you used a different key vault name, replace `quickstart-kv` with that name.

+### List secrets

+## Sample code

+Create a file named *main.go*, and then paste the following code into it:

+1. Before you run the code, create an environment variable named `KEY_VAULT_NAME`. Set the environment variable value to the name of the key vault that you created previously.

+ ```azurecli

+ export KEY_VAULT_NAME=quickstart-kv

+ ```

+1. To start the Go app, run the following command:

+ ```azurecli

+ go run main.go

+ ```

+ ```output

+ secretValue: createdWithGO

+ Secret ID: https://quickstart-kv.vault.azure.net/secrets/quickstart-secret

+ Secret ID: https://quickstart-kv.vault.azure.net/secrets/secretName

+ quickstart-secret has been deleted

+ ```

+Delete the resource group and all its remaining resources by running the following command:

+- [Azure Key Vault developers guide](../general/developers-guide.md)

+In *single-tenant* Azure Logic Apps, the *app settings* for a logic app specify the global configuration options that affect *all the workflows* in that logic app. However, these settings apply *only* when these workflows run in your *local development environment*. Locally-running workflows can access these app settings as *local environment variables*, which are used by local development tools for values that can often change between environments. For example, these values can contain connection strings. When you deploy to Azure, app settings are ignored and aren't included with your deployment.

+| `Runtime.Backend.FlowDefaultForeachItemsLimit` | `100000` array items | For a *stateful workflow*, sets the maximum number of array items to process in a `For each` loop. |

+| `Runtime.Backend.FlowDefaultSplitOnItemsLimit` | `100000` array items | Sets the maximum number of array items to debatch or split into multiple workflow instances based on the `SplitOn` setting. |

+| `Runtime.Backend.DefaultAppendArrayItemsLimit` | `100000` array items | Sets the maximum number of items in a variable with the Array type. |

+<a name="recurrence-triggers"></a>

+### Recurrence-based triggers

+| Setting | Default value | Description |

+|||-|

+| `Microsoft.Azure.Workflows.ServiceProviders.MaximumAllowedTriggerStateSizeInKB` | `1` KB | Sets the trigger state's maximum allowed size for recurrence-based triggers such as the built-in SFTP trigger. The trigger state persists data across multiple service provider recurrence-based triggers. <br><br>**Important**: Based on your storage size, avoid setting this value too high, which can adversely affect storage and performance. |

+||||

+<a name="http-operations"></a>

+| `Runtime.Backend.HttpWebhookOperation.DefaultWakeUpInterval` | `01:00:00` <br>(1 hour) | Sets the default wake up interval for HTTP webhook trigger and action jobs. |

+| `Runtime.Backend.ApiWebhookOperation.DefaultWakeUpInterval` | `01:00:00` <br>(1 day) | Sets the default wake up interval for managed API connector webhook trigger and action jobs. |

+| Workflow - Maximum name length | - Consumption: 80 characters <br><br>- Standard: 43 characters ||

+For **outbound connections** to work, you need to set up an egress firewall such as Azure firewall with user defined routes. For instance, you can use a firewall set up with [inbound/outbound configuration](how-to-access-azureml-behind-firewall.md) and route traffic there by defining a route table on the subnet in which the compute instance is deployed. The route table entry can set up the next hop of the private IP address of the firewall with the address prefix of 0.0.0.0/0.

+> Private offers can only be withdrawn if no CSP partner has sold it to a customer.

+The following video provides more information about transacting in the commercial marketplace.

+<br />

+<iframe src=https://docs.microsoft.com/_themes/docs.theme/master/en-us/_themes/global/video-embed.html?id=ae2b72e2-6591-407f-8740-50cc4860e8ee width="1080" height="529"></iframe>

+- Reach more customers and expand your sales opportunities with the [Cloud Solution Provider](/partner-center/csp-overview) (CSP) program, the [co-sell](/partner-center/co-sell-overview) program, and Microsoft Sales teams.

+# Tutorial: Plan an Azure Application offer

+This tutorial explains how to publish an Azure Application offer to the commercial marketplace, including different options and requirements available to you.

+## Prerequisites

+- To plan an Azure managed application, see [Plan an Azure managed application for an Azure application offer](plan-azure-app-managed-app.md).

+- General Availability: Migrate Windows and Linux Hyper-V virtual machines with large data disks (up to 32 TB in size).

+>Premium Storage accounts are not supported if you are sending the logs to Azure storage via diagnostics and settings.

+<!-

+In this scenario, you call the Network Watcher REST API to run IP Flow Verify. ARMclient is used to call the REST API using PowerShell. ARMClient is found on chocolatey at [ARMClient on Chocolatey](https://chocolatey.org/packages/ARMClient)

+In this scenario, you call the Network Watcher REST API to get the security group view for a virtual machine. ARMclient is used to call the REST API using PowerShell. ARMClient is found on chocolatey at [ARMClient on Chocolatey](https://chocolatey.org/packages/ARMClient)

+Shared_Preload_Libraries is a server configuration parameter determining which libraries are to be loaded when PostgreSQL starts. Any libraries which use shared memory must be loaded via this parameter. If your extension needs to be added to shared preload libraries this can be done:

+Using the [Azure portal](https://portal.azure.com):

+ 1. Select your Azure Database for PostgreSQL - Flexible Server.

+ 2. On the sidebar, select **Server Parameters**.

+ 3. Search for the `shared_preload_libraries` parameter.

+ 4. Select extensions you wish to add.

+ :::image type="content" source="./media/concepts-extensions/shared-libraries.png" alt-text=" Screenshot showing Azure Database for PostgreSQL -setting shared preload libraries parameter setting for extensions installation .":::

+

+Using [Azure CLI](https://docs.microsoft.com/cli/azure/):

+ You can set `shared_preload_libraries` via CLI parameter set [command]( https://docs.microsoft.com/cli/azure/postgres/flexible-server/parameter?view=azure-cli-latest&preserve-view=true).

+ ```bash

+az postgres flexible-server parameter set --resource-group <your resource group> --server-name <your server name> --subscription <your subscription id> --name shared_preload_libraries --value <extension name>,<extension name>

+ ```

+After extensions are allow-listed and loaded, these must be installed in your database before you can use them. To install a particular extension, you should run the [CREATE EXTENSION](https://www.postgresql.org/docs/current/sql-createextension.html) command. This command loads the packaged objects into your database.

+ > |[orafce](https://github.com/orafce/orafce) | 3.1.8 |implements in Postgres some of the functions from the Oracle database that are missing|

+> |[pg_cron](https://github.com/citusdata/pg_cron) | 1.4 | Job scheduler for PostgreSQL|

+> |[timescaledb](https://github.com/timescale/timescaledb) | 2.5.1 | Open-source relational database for time-series and analytics|

+> |[orafce](https://github.com/orafce/orafce) | 3.1.8 |implements in Postgres some of the functions from the Oracle database that are missing|

+> |[pg_cron](https://github.com/citusdata/pg_cron) | 1.4 | Job scheduler for PostgreSQL|

+> |[timescaledb](https://github.com/timescale/timescaledb) | 2.5.1 | Open-source relational database for time-series and analytics|

+> |[orafce](https://github.com/orafce/orafce) | 3.1.8 |implements in Postgres some of the functions from the Oracle database that are missing|

+> |[pg_cron](https://github.com/citusdata/pg_cron) | 1.4 | Job scheduler for PostgreSQL|

+> |[timescaledb](https://github.com/timescale/timescaledb) | 1.7.4 | Open-source relational database for time-series and analytics|

+When you scan [SAP ECC](register-scan-sapecc-source.md), [SAP S/4HANA](register-scan-saps4hana-source.md) and [SAP BW](register-scan-sap-bw.md) sources in Azure Purview, you need to create the dependent ABAP function module in your SAP server. Azure Purview invokes this function module to extract the metadata from your SAP system during scan.

+Download the SAP ABAP function module source code from Azure Purview Studio. After you register a source for [SAP ECC](register-scan-sapecc-source.md),[SAP S/4HANA](register-scan-saps4hana-source.md) or [SAP BW](register-scan-sap-bw.md), you can find a download link on top as follows. You can also see the link when new or edit a scan.

+1. Log in to the SAP server and open **Object Navigator** (SE80 transaction).

+The function will finish its execution and metadata will be downloaded much faster in case of launching it on the machine which has high-speed network connection with SAP server.

+- [Register and scan SAP Business Wareouse (BW) source](register-scan-sap-bw.md)

+|| [SAP Business Warehose](register-scan-sap-bw.md) | [Yes](register-scan-sap-bw.md#register) | No | No | No |

+| `*.servicebus.windows.net` | 443 | Required for setting up scan on Azure Purview Studio. This endpoint is used for interactive authoring from UI, for example, test connection, browse folder list and table list to scope scan. Currently wildcard is required as there is no dedicated resource. |

+* Download the Hive Metastore database's JDBC driver on the machine where your self-hosted integration runtime is running. For example, if the database is *mssql*, download [Microsoft's JDBC driver for SQL Server](/sql/connect/jdbc/download-microsoft-jdbc-driver-for-sql-server). If you scan Azure Databricks's Hive Metastore, download the MariaDB Connector/J version 2.7.5 from [here](https://dlm.mariadb.com/1965742/Connectors/java/connector-java-2.7.5/mariadb-java-client-2.7.5.jar); version 3.0.3 is not supported.

+ >

+ > If you scan Azure Databricks's Hive Metastore, download the MariaDB Connector/J version 2.7.5 from [here](https://dlm.mariadb.com/1965742/Connectors/java/connector-java-2.7.5/mariadb-java-client-2.7.5.jar). Version 3.0.3 is not supported.

+ > When you copy the URL from *hive-site.xml*, remove `amp;` from the string or the scan will fail.

+ > [Download the SSL certificate](https://www.digicert.com/CACerts/BaltimoreCyberTrustRoot.crt.pem) to the self-hosted integration runtime machine, then update the path to the SSL certificate's location on your machine in the URL.

+ >

+ > When you enter local file paths in the scan configuration, change the Windows path separator character from a backslash (`\`) to a forward slash (`/`). For example, if you place the SSL certificate at local file path *D:\Drivers\SSLCert\BaltimoreCyberTrustRoot.crt.pem*, change the `serverSslCert` parameter value to *D:/Drivers/SSLCert/BaltimoreCyberTrustRoot.crt.pem*.

+

+ `jdbc:mariadb://consolidated-westus2-prod-metastore-addl-1.mysql.database.azure.com:3306/organizationXXXXXXXXXXXXXXXX?useSSL=true&enabledSslProtocolSuites=TLSv1,TLSv1.1,TLSv1.2&serverSslCert=D:/Drivers/SSLCert/BaltimoreCyberTrustRoot.crt.pem`

+ Title: Connect to and manage an SAP Business Warehouse

+description: This guide describes how to connect to SAP Business Warehouse in Azure Purview, and use Azure Purview's features to scan and manage your SAP BW source.

+# Connect to and manage SAP Business Warehouse in Azure Purview (Preview)

+This article outlines how to register SAP Business Warehouse (BW), and how to authenticate and interact with SAP BW in Azure Purview. For more information about Azure Purview, read the [introductory article](overview.md).

+## Supported capabilities

+|**Metadata Extraction**| **Full Scan** |**Incremental Scan**|**Scoped Scan**|**Classification**|**Access Policy**|**Lineage**|

+||||||||

+| [Yes](#register)| [Yes](#scan)| No | No | No | No| No|

+The supported SAP BW versions are 7.3 to 7.5. SAP BW4/HANA is not supported.

+When scanning SAP BW source, Azure Purview supports extracting technical metadata including:

+- Instance

+- InfoArea

+- InfoSet

+- InfoSet query

+- Classic InfoSet

+- InfoObject including unit of measurement, time characteristic, navigation attribute, data packet characteristic, currency, characteristic, field, and key figure

+- Data store object (DSO)

+- Aggregation level

+- Open hub destination

+- Query including the query condition

+- Query view

+- HybridProvider

+- MultiProvider

+- InfoCube

+- Aggregate

+- Dimension

+- Time dimension

+## Prerequisites

+* An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* An active [Azure Purview resource](create-catalog-portal.md).

+* You need Data Source Administrator and Data Reader permissions to register a source and manage it in Azure Purview Studio. For more information about permissions, see [Access control in Azure Purview](catalog-permissions.md).

+* Set up the latest [self-hosted integration runtime](https://www.microsoft.com/download/details.aspx?id=39717). For more information, see [the create and configure a self-hosted integration runtime guide](manage-integration-runtimes.md). The minimal supported Self-hosted Integration Runtime version is 5.15.8079.1.

+* Ensure [JDK 11](https://www.oracle.com/java/technologies/javase-jdk11-downloads.html) is installed on the machine where the self-hosted integration runtime is installed.

+* Ensure Visual C++ Redistributable for Visual Studio 2012 Update 4 is installed on the self-hosted integration runtime machine. If you don't have this update installed, [you can download it here](https://www.microsoft.com/download/details.aspx?id=30679).

+* The connector reads metadata from SAP using the [SAP Java Connector (JCo)](https://support.sap.com/en/product/connectors/jco.html) 3.0 API. Make sure the Java Connector is available on your machine where self-hosted integration runtime is installed. Make sure that you use the correct JCo distribution for your environment, and the **sapjco3.jar** and **sapjco3.dll** files are available.

+ > [!Note]

+ > The driver should be accessible to all accounts in the machine. Don't put it in a path under user account.

+* Deploy the metadata extraction ABAP function module on the SAP server by following the steps mentioned in [ABAP functions deployment guide](abap-functions-deployment-guide.md). You need an ABAP developer account to create the RFC function module on the SAP server. The user account requires sufficient permissions to connect to the SAP server and execute the following RFC function modules:

+ * STFC_CONNECTION (check connectivity)

+ * RFC_SYSTEM_INFO (check system information)

+ * OCS_GET_INSTALLED_COMPS (check software versions)

+ * Z_MITI_BW_DOWNLOAD (main metadata import)

+## Register

+This section describes how to register SAP BW in Azure Purview using the [Azure Purview Studio](https://web.purview.azure.com/).

+### Authentication for registration

+The only supported authentication for SAP BW source is **Basic authentication**.

+### Steps to register

+1. Navigate to your Azure Purview account.

+1. Select **Data Map** on the left navigation.

+1. Select **Register**.

+1. In **Register sources**, select **SAP BW** > **Continue**.

+On the **Register sources (SAP BW)** screen, do the following:

+1. Enter a **Name** that the data source will be listed within the Catalog.

+1. Enter the **Application server** name to connect to SAP BW source. It can also be an IP address of the SAP application server host.

+1. Enter the SAP **System number**. It's an integer between 0 and 99.

+1. Select a collection or create a new one (Optional).

+1. Finish to register the data source.

+ :::image type="content" source="media/register-scan-sap-bw/register-sap-bw.png" alt-text="Screenshot of registering an SAP BW source." border="true":::

+## Scan

+Follow the steps below to scan SAP BW to automatically identify assets and classify your data. For more information about scanning in general, see our [introduction to scans and ingestion](concept-scans-and-ingestion.md).

+### Create and run scan

+1. In the Management Center, select Integration runtimes. Make sure a self-hosted integration runtime is set up. If it isn't set up, use the steps mentioned [here](./manage-integration-runtimes.md) to create a self-hosted integration runtime.

+1. Navigate to **Sources**

+1. Select the registered SAP BW source.

+1. Select **+ New scan**

+1. Provide the below details:

+ 1. **Name**: The name of the scan

+ 1. **Connect via integration runtime**: Select the configured self-hosted integration runtime.

+ 1. **Credential**: Select the credential to connect to your data source. Make sure to:

+ * Select Basic Authentication while creating a credential.

+ * Provide a user ID to connect to SAP server in the User name input field.

+ * Store the user password used to connect to SAP server in the secret key.

+ 1. **Client ID**: Enter the SAP Client ID. It's a three-digit numeric number from 000 to 999.

+ 1. **JCo library path**: The directory path where the JCo libraries are located.

+ 1. **Maximum memory available:** Maximum memory (in GB) available on the Self-hosted Integration Runtime machine to be used by scanning processes. This is dependent on the size of SAP BW source to be scanned.

+ :::image type="content" source="media/register-scan-sap-bw/scan-sap-bw.png" alt-text="Screenshot of setting up an SAP BW scan." border="true":::

+1. Select **Test connection**.

+1. Select **Continue**.

+1. Choose your **scan trigger**. You can set up a schedule or ran the

+ scan once.

+1. Review your scan and select **Save and Run**.

+## Next steps

+Now that you have registered your source, follow the below guides to learn more about Azure Purview and your data.

+- [Search Data Catalog](how-to-search-catalog.md)

+- [Data insights in Azure Purview](concept-insights.md)

+- [Supported data sources and file types](azure-purview-connector-overview.md)

+More here on [registering a data source for Data use governance](./how-to-enable-data-use-governance.md)

+More here on [registering a data source for Data use governance](./how-to-enable-data-use-governance.md)

+> | microsoft.operationalinsights/operations/read | Lists all of the available OperationalInsights REST API operations. |

+## Add more services to a subscription

+Cognitive Search restricts the [number of resources](search-limits-quotas-capacity.md#subscription-limits) you can initially create in a subscription. If you exhaust your maximum limit, file a new support request to add more search services.

+1. Sign in to the Azure portal, and find your search service.

+1. On the left-navigation pane, scroll down and select **New Support Request.**

+1. ForΓÇ»**issue type**, chooseΓÇ»**Service and subscription limits (quotas).**

+1. Select the subscription that needs more quota.

+1. Under **Quota type**, select **Search**. Then select **Next**.

+1. In the **Problem details** section, select **Enter details**.

+1. Follow the prompts to select location and tier.

+1. Add the new limit you would like on the subscription. The value must not be empty and must between 0 to 100.

+ For example: The maximum number of S2 services is 8 and you would like to have 12 services, then request to add 4 of S2 services."

+1. When you're finished, select **Save and continue** to continue creating your support request.

+1. Complete the rest of the additional information requested, and then select **Next**.

+1. On the **review + create** screen, review the details that you'll send to support, and then select **Create**.

+|[Activity logs](../../azure-monitor/essentials/platform-logs-overview.md)|Control-plane events on Azure Resource Manager resources| Provides insight into the operations that were performed on resources in your subscription.| REST API, [Azure Monitor](../../azure-monitor/essentials/platform-logs-overview.md)|

+- **<a href="/azure/network-watcher/network-watcher-monitoring-overview">Audit Logs</a>**- Operations performed as part of the configuration of networks are logged. These logs can be viewed in the Azure portal or retrieved using Microsoft tools such as Power BI or third-party tools. Audit logs are available through the portal, PowerShell, CLI, and REST API. For more information on Audit logs, see Audit operations with Resource Manager. Audit logs are available for operations done on all network resources.

+The following table shows how Microsoft Sentinel and Log Analytics costs appear in the **Service name** and **Meter** columns of your Azure bill for free data services. For more information, see [Viewing Data Allocation Benefits](../azure-monitor/logs/manage-cost-storage.md#viewing-data-allocation-benefits).

+- An **Owner** role in the resource group that contains your Microsoft Sentinel workspace. The **Owner** role is required to create the connection between Microsoft Sentinel and your source control repository. If you are using Azure Lighthouse in your environment, you can instead have the combination of **User Access Administrator** and **Sentinel Contributor** roles to create the connection.

+* [REST API](/rest/api/servicebus/)

+ Title: Integrate Azure App Configuration with Service Connector

+description: Integrate Azure App Configuration into your application with Service Connector

+# Integrate Azure App Configuration with Service Connector

+This page shows the supported authentication types and client types of Azure App Configuration using Service Connector. You might still be able to connect to App Configuration in other programming languages without using Service Connector. You can learn more about the [Service Connector environment variable naming convention](concept-service-connector-internals.md).

+## Supported compute services

+- Azure App Service

+- Azure Spring Cloud

+## Supported authentication types and client types

+| Client type | System-assigned managed identity | User-assigned managed identity | Secret/connection string | Service principal |

+|-|::|::|::|::|

+| .NET |  |  |  |  |

+| Java |  |  |  |  |

+| Node.js |  |  |  |  |

+| Python |  |  |  |  |

+## Default environment variable names or application properties

+### .NET, Java, Node.JS, Python

+#### Secret / connection string

+> [!div class="mx-tdBreakAll"]

+> | Default environment variable name | Description | Sample value |

+> | | | |

+> | AZURE_APPCONFIGURATION_CONNECTIONSTRING | Your App Configuration Connection String | `Endpoint=https://{AppConfigurationName}.azconfig.io;Id={ID};Secret={secret}` |

+#### System-assigned managed identity

+| Default environment variable name | Description | Sample value |

+|--||-|

+| AZURE_APPCONFIGURATION_ENDPOINT | App Configuration endpoint | `https://{AppConfigurationName}.azconfig.io` |

+#### User-assigned managed identity

+| Default environment variable name | Description | Sample value |

+|--|-|--|

+| AZURE_APPCONFIGURATION_ENDPOINT | App Configuration Endpoint | `https://{AppConfigurationName}.azconfig.io` |

+| AZURE_APPCONFIGURATION_CLIENTID | Your client ID | `UserAssignedMiClientId` |

+#### Service principal

+| Default environment variable name | Description | Sample value |

+|-|-|-|

+| AZURE_APPCONFIGURATION_ENDPOINT | App Configuration Endpoint | `https://{AppConfigurationName}.azconfig.io` |

+| AZURE_APPCONFIGURATION_CLIENTID | Your client ID | `{yourClientID}` |

+| AZURE_APPCONFIGURATION_CLIENTSECRET | Your client secret | `{yourClientSecret}` |

+| AZURE_APPCONFIGURATION_TENANTID | Your tenant ID | `{yourTenantID}` |

+## Next steps

+Follow the tutorial listed below to learn more about Service Connector.

+> [!div class="nextstepaction"]

+> [Learn about Service Connector concepts](./concept-service-connector-internals.md)

+ Title: Integrate Azure Event Hubs with Service Connector

+description: Integrate Azure Event Hubs into your application with Service Connector

+# Integrate Azure Event Hubs with Service Connector

+This page shows the supported authentication types and client types of Azure Event Hubs using Service Connector. You might still be able to connect to Event Hubs in other programming languages without using Service Connector. This page also shows default environment variable names and values or Spring Boot configuration you get when you create service connections. You can learn more about the [Service Connector environment variable naming convention](concept-service-connector-internals.md).

+## Supported compute services

+- Azure App Service

+- Azure Spring Cloud

+## Supported authentication types and client types

+| Client type | System-assigned managed identity | User-assigned managed identity | Secret/connection string | Service principal |

+| | :-: | :--:| :--:| :--:|

+| .NET |  |  |  |  |

+| Go |  |  |  |  |

+| Java |  |  |  |  |

+| Java - Spring Boot |  |  |  |  |

+| Node.js |  |  |  |  |

+| Python |  |  |  |  |

+## Default environment variable names or application properties

+### .NET, Java, Node.JS, Python

+#### Secret / connection string

+> [!div class="mx-tdBreakAll"]

+> |Default environment variable name | Description | Sample value |

+> | -- | -- | |

+> | AZURE_EVENTHUB_CONNECTIONSTRING | Event Hubs connection string | `Endpoint=sb://{EventHubNamespace}.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey={****}` |

+#### System-assigned managed identity

+| Default environment variable name | Description | Sample value |

+| -- | -- | -- |

+| AZURE_EVENTHUB_FULLYQUALIFIEDNAMESPACE | Event Hubs namespace | `{EventHubNamespace}.servicebus.windows.net` |

+#### User-assigned managed identity

+| Default environment variable name | Description | Sample value |

+| -- | -- | -- |

+| AZURE_EVENTHUB_FULLYQUALIFIEDNAMESPACE | Event Hubs namespace | `{EventHubNamespace}.servicebus.windows.net` |

+| AZURE_EVENTHUB_CLIENTID | Your client ID | `{yourClientID}` |

+#### Service principal

+| Default environment variable name | Description | Sample value |

+| | -- | -- |

+| AZURE_EVENTHUB_FULLYQUALIFIEDNAMESPACE | Event Hubs namespace | `{EventHubNamespace}.servicebus.windows.net` |

+| AZURE_EVENTHUB_CLIENTID | Your client ID | `{yourClientID}` |

+| AZURE_EVENTHUB_CLIENTSECRET | Your client secret | `{yourClientSecret}` |

+| AZURE_EVENTHUB_TENANTID | Your tenant ID | `{yourTenantID}` |

+### Java - Spring Boot

+#### Spring Boot secret/connection string

+> [!div class="mx-tdBreakAll"]

+> | Default environment variable name | Description | Sample value |

+> |--| -- | |

+> | spring.cloud.azure.storage.connection-string | Event Hubs connection string | `Endpoint=sb://servicelinkertesteventhub.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=****` |

+#### Spring Boot system-assigned managed identity

+| Default environment variable name | Description | Sample value |

+| - | -- | -- |

+| spring.cloud.azure.eventhub.namespace | Event Hubs namespace | `{EventHubNamespace}.servicebus.windows.net` |

+#### Spring Boot user-assigned managed identity

+| Default environment variable name | Description | Sample value |

+| - | -- | -- |

+| spring.cloud.azure.eventhub.namespace | Event Hubs namespace | `{EventHubNamespace}.servicebus.windows.net` |

+| spring.cloud.azure.client-id | Your client ID | `{yourClientID}` |

+#### Spring Boot service principal

+| Default environment variable name | Description | Sample value |

+| - | -- | -- |

+| spring.cloud.azure.eventhub.namespace | Event Hubs namespace | `{EventHubNamespace}.servicebus.windows.net` |

+| spring.cloud.azure.client-id | Your client ID | `{yourClientID}` |

+| spring.cloud.azure.tenant-id | Your client secret | `******` |

+| spring.cloud.azure.client-secret | Your tenant ID | `{yourTenantID}` |

+## Next steps

+Follow the tutorial listed below to learn more about Service Connector.

+> [!div class="nextstepaction"]

+> [Learn about Service Connector concepts](./concept-service-connector-internals.md)

+The Service Connector service helps you connect Azure compute service to other backing services easily. This service configures the network settings and connection information (for example, generating environment variables) between compute service and target backing service in management plane. Developers just use preferred SDK or library that consumes the connection information to do data plane operations against target backing service.

+* Azure App Configuration

+* Azure Cache for Redis (Basic, Standard and Premium and Enterprise tiers)

+* Azure Database for MySQL

+* Azure Database for PostgreSQL

+* Azure Event Hubs

+* Azure Service Bus

+* Azure Storage (Blob, Queue, File and Table storage)

+ Title: Deploy a Service Fabric managed cluster using the Azure portal

+description: Learn how to create a Service Fabric managed cluster using the Azure portal

+# Quickstart: Deploy a Service Fabric managed cluster using the Azure portal

+Test out Service Fabric managed clusters in this quickstart by creating a **three-node Basic SKU cluster**.

+Azure Service Fabric is a distributed systems platform that makes it easy to package, deploy, and manage scalable and reliable microservices and containers. A Service Fabric cluster is a network-connected set of virtual machines onto which your microservices are deployed and managed.

+Service Fabric managed clusters are an evolution of the Azure Service Fabric cluster resource model. Managed clusters streamline your deployment and cluster management experience. Service Fabric managed clusters are fully-encapsulated resources that save you the effort of manually deploying all the underlying resources that make up a Service Fabric cluster.

+In this quickstart, you learn how to:

+* Use Azure Key Vault to create a client certificate for your managed cluster

+* Deploy a Service Fabric managed cluster

+* View your managed cluster in Service Fabric Explorer

+This article describes how to deploy a Service Fabric managed cluster for testing in Azure using the **Azure portal**. There is also a quickstart for [Azure Resource Manager templates](quickstart-managed-cluster-template.md).

+The three-node Basic SKU cluster created in this tutorial is only intended for instructional purposes. The cluster will use a self-signed certificate for authentication and will operate in the bronze reliability tier, so it's not suitable for production workloads. For more information on SKUs, see [Service Fabric managed cluster SKUs](overview-managed-cluster.md#service-fabric-managed-cluster-skus). For more information about reliability tiers, see [Reliability characteristics of the cluster](service-fabric-cluster-capacity.md#reliability-characteristics-of-the-cluster).

+## Prerequisites

+* An Azure subscription. If you don't already have one, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+* A resource group to manage all the resources you use in this quickstart. We use the example resource group name **ServiceFabricResources** throughout this quickstart.

+ 1. Sign in to the [Azure portal](https://portal.azure.com).

+ 1. Select **Resource groups** under **Azure services**.

+ 1. Choose **+ Create**, select your Azure subscription, enter a name for your resource group, and pick your preferred region from the dropdown menu.

+ 1. Select **Review + create** and, once the validation passes, choose **Create**.

+## Create a client certificate

+Service Fabric managed clusters use a client certificate as a key for access control.

+In this quickstart, we use a client certificate called **ExampleCertificate** from an Azure Key Vault named **QuickstartSFKeyVault**.

+To create your own Azure Key Vault:

+1. In the [Azure portal](https://portal.azure.com), select **Key vaults** under **Azure services** and select **+ Create**. Alternatively, select **Create a resource**, enter **Key Vault** in the `Search services and marketplace` box, choose **Key Vault** from the results, and select **Create**.

+1. On the **Create a key vault** page, provide the following information:

+ - `Subscription`: Choose your Azure subscription.

+ - `Resource group`: Choose the resource group you created in the prerequisites or create a new one if you didn't already. For this quickstart, we use **ServiceFabricResources**.

+ - `Name`: Enter a unique name. For this quickstart, we use **QuickstartSFKeyVault**.

+ - `Region`: Choose your preferred region from the dropdown menu.

+ - Leave the other options as their defaults.

+1. Select **Review + create** and, once the validation passes, choose **Create**.

+To generate and retrieve your client certificate:

+1. In the [Azure portal](https://portal.azure.com), navigate to your Azure Key Vault.

+1. Under **Settings** in the pane on the left, select **Certificates**.

+ 

+1. Choose **+ Generate/Import**.

+1. On the **Create a certificate** page, provide the following information:

+ - `Method of Certificate Creation`: Choose **Generate**.

+ - `Certificate Name`: Use a unique name. For this quickstart, we use **ExampleCertificate**.

+ - `Type of Certificate Authority (CA)`: Choose **Self-signed certificate**.

+ - `Subject`: Use a unique domain name. For this quickstart, we use **CN=ExampleDomain**.

+ - Leave the other options as their defaults.

+1. Select **Create**.

+1. Your certificate will appear under **In progress, failed or canceled**. You may need to refresh the list for it to appear under **Completed**. Once it's completed, select it and choose the version under **CURRENT VERSION**.

+1. Select **Download in PFX/PEM format** and select **Download**. The certificate's name will be formatted as `yourkeyvaultname-yourcertificatename-yyyymmdd.pfx`.

+ 

+1. Import the certificate to your computer's certificate store so that you may use it to access your Service Fabric managed cluster later.

+ >[!NOTE]

+ >The private key included in this certificate doesn't have a password. If your certificate store prompts you for a private key password, leave the field blank.

+Before you create your Service Fabric managed cluster, you need to make sure Azure Virtual Machines can retrieve certificates from your Azure Key Vault. To do so:

+1. In the [Azure portal](https://portal.azure.com), navigate to your Azure Key Vault.

+1. Under **Settings** in the pane on the left, select **Access policies**.

+ 

+1. Toggle **Azure Virtual Machines for deployment** under **Enable access to:**.

+1. Save your changes.

+## Create your Service Fabric managed cluster

+In this quickstart, we use a Service Fabric managed cluster named **quickstartsfcluster**.

+1. In the [Azure portal](https://portal.azure.com), select **Create a resource**, enter **Service Fabric** in the `Search services and marketplace` box, choose **Service Fabric Managed Cluster** from the results, and select **Create**.

+1. On the **Create a Service Fabric managed cluster** page, provide the following information:

+ - `Subscription`: Choose your Azure subscription.

+ - `Resource group`: Choose the resource group you created in the prerequisites or create a new one if you didn't already. For this quickstart, we use **ServiceFabricResources**.

+ - `Name`: Enter a unique name. For this quickstart, we use **quickstartsfcluster**.

+ - `Region`: Choose your preferred region from the dropdown menu. This must be the same region as your Azure Key Vault.

+ - `SKU`: Toggle **Basic** for your SKU option.

+ - `Username`: Enter a username for your managed cluster's administrator account.

+ - `Password`: Enter a password for your managed cluster's administrator account.

+ - `Confirm password`: Reenter the password you chose.

+ - `Key vault and primary certificate`: Choose **Select a certificate**, pictured below. Select your Azure Key Vault from the **Key vault** dropdown menu and your certificate from the **Certificate** dropdown menu, pictured below.

+ - Leave the other options as their defaults.

+ 

+ 

+ If you didn't already change your Azure Key Vault's access policies, you may get text prompting you to do so after you select your key vault and certificate. If so, choose **Edit access policies for yourkeyvaultname**, select **Click to show advanced access policies**, toggle **Azure Virtual Machines for deployment**, and save your changes. Click **Create a Service Fabric managed cluster** to return to the creation page.

+1. Select **Review + create** and, once the validation passes, choose **Create**.

+Now, your managed cluster's deployment is in progress. The deployment will likely take around 20 minutes to complete.

+## Validate the deployment

+Once the deployment completes, you're ready to view your new Service Fabric managed cluster.

+1. In the [Azure portal](https://portal.azure.com), navigate to your managed cluster.

+1. On your managed cluster's **Overview** page, find the **SF Explorer** link and select it.

+ 

+ >[!NOTE]

+ >You may get a warning that your connection to your cluster isn't private. Select **Advanced** and choose **continue to yourmanagedclusterfqdn (unsafe)**.

+1. When prompted for a certificate, choose the certificate you created, downloaded, and stored for this quickstart and select **OK**. If you completed those steps successfully, the certificate should be in the list of certificates.

+1. You'll arrive at the Service Fabric Explorer display for your cluster, pictured below.

+ 

+Your Service Fabric managed cluster consists of three nodes. These nodes are WindowsServer 2019-Datacenter virtual machines with 2 vCPUs, 8 GiB of RAM, and four 256-GiB disks. These features are determined by the **Basic SKU** option and the default values in the **Primary node type** settings on the **Create a Service Fabric managed cluster** page.

+## Clean up resources

+When no longer needed, delete the resource group for your Service Fabric managed cluster. To delete your resource group:

+1. In the [Azure portal](https://portal.azure.com), navigate to your resource group.

+1. Select **Delete resource group**.

+1. In the `TYPE THE RESOURCE GROUP NAME:` box, type the name of your resource group and select **Delete**.

+## Next steps

+In this quickstart, you deployed a managed Service Fabric cluster. To learn more about how to scale a cluster, see:

+> [!div class="nextstepaction"]

+> [Scale out a Service Fabric managed cluster](tutorial-managed-cluster-scale.md)

+* EventStore service's REST APIs that allow you to query the cluster directly, or through the Service Fabric Client Library. See [Query EventStore APIs for cluster events](service-fabric-diagnostics-eventstore-query.md).

+While Site Recovery makes a best effort to ensure that capacity is available in the recovery region, it does not guarantee the same. Site Recovery's best effort is backed by a 2-hour RTO SLA. But if you require further assurance and _guaranteed compute capacity,_ then we recommend you to purchase [Capacity Reservations](https://aka.ms/on-demand-ca.pacity-reservations-docs)

+ 1. As soon as the SAS URL is revoked, go to **Size + Performance** for the managed disk. Increase the size so that Site Recovery supports the observed churn rate on the source disk.

+Yes. You can automate Site Recovery workflows using the REST API, PowerShell, or the Azure SDK. Currently supported scenarios for replicating Hyper-V to Azure using PowerShell:

+**Azure VM disaster recovery** | Support added for cross-continental disaster recovery of Azure VMs.<br/><br/> REST API support for protection of VMSS Flex.<br/><br/> Now supported for VMs running Oracle Linux 8.2 and 8.3.

+ Write-Host "Error occurred" -ForegroundColor "Red"

+ Write-Host "Error occurred" -ForegroundColor "Red"

+ Write-Error "Error occurred"

+Yes. You can automate Site Recovery workflows by using the REST API, PowerShell, or the Azure SDK. [Learn more](vmware-azure-disaster-recovery-powershell.md).

+Syntax | `UnifiedAgent.exe /Role \<MS/MT> /InstallLocation \<Install Location> /Platform "VmWare" /Silent`

+`/Role` | Mandatory installation parameter. Specifies whether the mobility service (MS) or master target (MT) should be installed.

+Syntax | `./install -d \<Install Location> -r \<MS/MT> -v VmWare -q`

+`-r` | Mandatory installation parameter. Specifies whether the mobility service (MS) or master target (MT) should be installed.

+## Authentication and authorization

+- _Local users_ is the only form of identity management that is currently supported for the SFTP endpoint.

+- Azure Active Directory (Azure AD) is not supported for the SFTP endpoint.

+- Account and container level operations are not supported for the SFTP endpoint.

+- Host keys are published [here](secure-file-transfer-protocol-host-keys.md). During the public preview, host keys may rotate frequently.

+- Change feed and Event Grid notifications are not supported.

+- Maximum file upload size is 90 GB.

+- Special containers such as $logs, $blobchangefeed, $root, $web are not accessible via the SFTP endpoint.

+ - The container name is specified in the connection string for local users don't have a home directory.

+

+ - The container name is specified in the connection string for local users that have a home directory that doesn't exist.

+- [Host keys for SSH File Transfer Protocol (SFTP) support for Azure Blob Storage](secure-file-transfer-protocol-host-keys.md)

+Change feed records are stored as [blobs](/rest/api/storageservices/understanding-block-blobs--append-blobs--and-page-blobs) in a special container in your storage account at standard [blob pricing](https://azure.microsoft.com/pricing/details/storage/blobs/) cost. You can control the retention period of these files based on your requirements (See the [conditions](#conditions) of the current release). Change events are appended to the change feed as records in the [Apache Avro](https://avro.apache.org/docs/1.8.2/spec.html) format specification: a compact, fast, binary format that provides rich data structures with inline schema. This format is widely used in the Hadoop ecosystem, Stream Analytics, and Azure Data Factory.

+- There's only one change feed for the blob service in each storage account. Change feed records are stored in the **$blobchangefeed** container.

+Your client applications can consume the change feed by using the blob change feed processor library that is provided with the change feed processor SDK.

+## Change feed segments

+## Change event records

+### Event record schemas

+For a description of each property, see [Azure Event Grid event schema for Blob Storage](../../event-grid/event-schema-blob-storage.md?toc=%2fazure%2fstorage%2fblobs%2ftoc.json#event-properties). The BlobPropertiesUpdated and BlobSnapshotCreated events are currently exclusive to change feed and not yet supported for Blob Storage Events.

+> [!NOTE]

+> The change feed files for a segment don't immediately appear after a segment is created. The length of delay is within the normal interval of publishing latency of the change feed which is within a few minutes of the change.

+#### Schema version 1

+The following event types may be captured in the change feed records with schema version 1:

+The following example shows a change event record in JSON format that uses event schema version 1:

+ "schemaVersion": 1,

+ "topic": "/subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>",

+ "subject": "/blobServices/default/containers/<container>/blobs/<blob>",

+ "eventType": "BlobCreated",

+ "eventTime": "2022-02-17T12:59:41.4003102Z",

+ "id": "322343e3-8020-0000-00fe-233467066726",

+ "data": {

+ "api": "PutBlob",

+ "clientRequestId": "f0270546-168e-4398-8fa8-107a1ac214d2",

+ "requestId": "322343e3-8020-0000-00fe-233467000000",

+ "etag": "0x8D9F2155CBF7928",

+ "contentType": "application/octet-stream",

+ "contentLength": 128,

+ "blobType": "BlockBlob",

+ "url": "https://www.myurl.com",

+ "sequencer": "00000000000000010000000000000002000000000000001d",

+ "storageDiagnostics": {

+ "bid": "9d725a00-8006-0000-00fe-233467000000",

+ "seq": "(2,18446744073709551615,29,29)",

+ "sid": "4cc94e71-f6be-75bf-e7b2-f9ac41458e5a"

+ }

+ }

+#### Schema version 3

+The following event types may be captured in the change feed records with schema version 3:

+- BlobCreated

+- BlobDeleted

+- BlobPropertiesUpdated

+- BlobSnapshotCreated

+The following example shows a change event record in JSON format that uses event schema version 3:

+```json

+{

+ "schemaVersion": 3,

+ "topic": "/subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>",

+ "subject": "/blobServices/default/containers/<container>/blobs/<blob>",

+ "eventType": "BlobCreated",

+ "eventTime": "2022-02-17T13:05:19.6798242Z",

+ "id": "eefe8fc8-8020-0000-00fe-23346706daaa",

+ "data": {

+ "api": "PutBlob",

+ "clientRequestId": "00c0b6b7-bb67-4748-a3dc-86464863d267",

+ "requestId": "eefe8fc8-8020-0000-00fe-233467000000",

+ "etag": "0x8D9F216266170DC",

+ "contentType": "application/octet-stream",

+ "contentLength": 128,

+ "blobType": "BlockBlob",

+ "url": "https://www.myurl.com",

+ "sequencer": "00000000000000010000000000000002000000000000001d",

+ "previousInfo": {

+ "SoftDeleteSnapshot": "2022-02-17T13:08:42.4825913Z",

+ "WasBlobSoftDeleted": true,

+ "BlobVersion": "2024-02-17T16:11:52.0781797Z",

+ "LastVersion" : "2022-02-17T16:11:52.0781797Z",

+ "PreviousTier": "Hot"

+ },

+ "snapshot": "2022-02-17T16:09:16.7261278Z",

+ "blobPropertiesUpdated" : {

+ "ContentLanguage" : {

+ "current" : "pl-Pl",

+ "previous" : "nl-NL"

+ },

+ "CacheControl" : {

+ "current" : "max-age=100",

+ "previous" : "max-age=99"

+ },

+ "ContentEncoding" : {

+ "current" : "gzip, identity",

+ "previous" : "gzip"

+ },

+ "ContentMD5" : {

+ "current" : "Q2h1Y2sgSW51ZwDIAXR5IQ==",

+ "previous" : "Q2h1Y2sgSW="

+ },

+ "ContentDisposition" : {

+ "current" : "attachment",

+ "previous" : ""

+ },

+ "ContentType" : {

+ "current" : "application/json",

+ "previous" : "application/octet-stream"

+ }

+ },

+ "storageDiagnostics": {

+ "bid": "9d726370-8006-0000-00ff-233467000000",

+ "seq": "(2,18446744073709551615,29,29)",

+ "sid": "4cc94e71-f6be-75bf-e7b2-f9ac41458e5a"

+ }

+ }

+}

+```

+#### Schema version 4

+The following event types may be captured in the change feed records with schema version 4:

+- BlobCreated

+- BlobDeleted

+- BlobPropertiesUpdated

+- BlobSnapshotCreated

+- BlobTierChanged

+- BlobAsyncOperationInitiated

+The following example shows a change event record in JSON format that uses event schema version 4:

+```json

+{

+ "schemaVersion": 4,

+ "topic": "/subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>",

+ "subject": "/blobServices/default/containers/<container>/blobs/<blob>",

+ "eventType": "BlobCreated",

+ "eventTime": "2022-02-17T13:08:42.4835902Z",

+ "id": "ca76bce1-8020-0000-00ff-23346706e769",

+ "data": {

+ "api": "PutBlob",

+ "clientRequestId": "58fbfee9-6cf5-4096-9666-c42980beee65",

+ "requestId": "ca76bce1-8020-0000-00ff-233467000000",

+ "etag": "0x8D9F2169F42D701",

+ "contentType": "application/octet-stream",

+ "contentLength": 128,

+ "blobType": "BlockBlob",

+ "blobVersion": "2022-02-17T16:11:52.5901564Z",

+ "containerVersion": "0000000000000001",

+ "blobTier": "Archive",

+ "url": "https://www.myurl.com",

+ "sequencer": "00000000000000010000000000000002000000000000001d",

+ "previousInfo": {

+ "SoftDeleteSnapshot": "2022-02-17T13:08:42.4825913Z",

+ "WasBlobSoftDeleted": true,

+ "BlobVersion": "2024-02-17T16:11:52.0781797Z",

+ "LastVersion" : "2022-02-17T16:11:52.0781797Z",

+ "PreviousTier": "Hot"

+ },

+ "snapshot": "2022-02-17T16:09:16.7261278Z",

+ "blobPropertiesUpdated" : {

+ "ContentLanguage" : {

+ "current" : "pl-Pl",

+ "previous" : "nl-NL"

+ },

+ "CacheControl" : {

+ "current" : "max-age=100",

+ "previous" : "max-age=99"

+ },

+ "ContentEncoding" : {

+ "current" : "gzip, identity",

+ "previous" : "gzip"

+ },

+ "ContentMD5" : {

+ "current" : "Q2h1Y2sgSW51ZwDIAXR5IQ==",

+ "previous" : "Q2h1Y2sgSW="

+ },

+ "ContentDisposition" : {

+ "current" : "attachment",

+ "previous" : ""

+ },

+ "ContentType" : {

+ "current" : "application/json",

+ "previous" : "application/octet-stream"

+ }

+ },

+ "asyncOperationInfo": {

+ "DestinationTier": "Hot",

+ "WasAsyncOperation": true,

+ "CopyId": "copyId"

+ },

+ "storageDiagnostics": {

+ "bid": "9d72687f-8006-0000-00ff-233467000000",

+ "seq": "(2,18446744073709551615,29,29)",

+ "sid": "4cc94e71-f6be-75bf-e7b2-f9ac41458e5a"

+ }

+ }

+}

+```

+You can use a new or existing key vault to store customer-managed keys. The storage account and key vault may be in different regions or subscriptions in the same tenant. To learn more about Azure Key Vault, see [Azure Key Vault Overview](../../key-vault/general/overview.md) and [What is Azure Key Vault?](../../key-vault/general/basic-concepts.md).

+For more info on output batch size, see [Power BI REST API limits](/power-bi/developer/automation/api-rest-api-limitations).

+> [!NOTE]

+> - We strongly recommend using [**Stream Analytics tools for Visual Studio Code**](./stream-analytics-quick-create-vs.md) for best local development experience. There are known feature gaps in Stream Analytics tools for Visual Studio 2019 (version 2.6.3000.0) and it won't be improved going forward.

+> - Visual Studio and Visual Studio Code tools don't support jobs in the China East, China North, Germany Central, and Germany NorthEast regions.

+|  |**Looker BI**<br>Looker gives everyone in your company the ability to explore and understand the data that drives your business. Looker also gives the data analyst a flexible and reusable modeling layer to control and curate that data. Companies have fundamentally transformed their culture using Looker as the catalyst.|[Product page](https://looker.com/)<br> [Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/aad.lookeranalyticsplatform)<br> |

+|  |**Pyramid Analytics**<br>Pyramid 2020 is the trusted analytics platform that connects your teams, drives confident decisions, and produces winning results. Business users can do high-end, cloud-scale analytics and data science without IT help ΓÇö on any browser or device. Data scientists can take advantage of machine learning algorithms and scripting to understand difficult business problems. Power users can prepare and model their own data to create illuminating analytic content. Non-technical users can benefit from stunning visualizations and guided analytic presentations. It's the next generation of self-service analytics with governance. |[Product page](https://www.pyramidanalytics.com/resources/analyst-reports/)<br> [Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/pyramidanalytics.pyramid2020v4) |

+|  |**Xplenty**<br> Xplenty ELT platform lets you quickly and easily prepare your data for analytics and production use cases using a simple cloud service. Xplenty's point & select, drag & drop interface enables data integration, processing and preparation without installing, deploying, or maintaining any software. Connect and integrate with a wide set of data repositories and SaaS applications including Azure Synapse, Azure blob storage, and SQL Server. Xplenty also supports all Web Services that are accessible via REST API.|[Product page](https://www.xplenty.com/integrations/azure-synapse-analytics/ )<br> |

+### Spark session configuration

+#### Spark session configuration magic command

+> - You can use %%configure in Synapse pipelines, but if it's not set in the first code cell, the pipeline run will fail due to cannot restart session.

+> - The %%configure used in mssparkutils.notebook.run is going to be ignored but used in %run notebook will continue executing.

+> - The standard Spark configuration properties must be used in the "conf" body. We do not support first level reference for the Spark configuration properties.

+> - Some special spark properties including "spark.driver.cores", "spark.executor.cores", "spark.driver.memory", "spark.executor.memory", "spark.executor.instances" won't take effect in "conf" body.

+#### Parameterized session configuration from pipeline

+Parameterized session configuration allows you to replace the value in %%configure magic with Pipeline run (Notebook activity) parameters. When preparing %%configure code cell, you can override default values (also configurable, 4 and "2000" in the below example) with an object like this:

+```

+{

+ "activityParameterName": "paramterNameInPipelineNotebookActivity",

+ "defaultValue": "defaultValueIfNoParamterFromPipelineNotebookActivity"

+}

+```

+```python

+%%configure

+{

+ "driverCores":

+ {

+ "activityParameterName": "driverCoresFromNotebookActivity",

+ "defaultValue": 4

+ },

+ "conf":

+ {

+ "livy.rsc.sql.num-rows":

+ {

+ "activityParameterName": "rows",

+ "defaultValue": "2000"

+ }

+ }

+}

+```

+Notebook will use default value if run a notebook in interactive mode directly or no parameter that match "activityParameterName" is given from Pipeline Notebook activity.

+During the pipeline run mode, you can configure pipeline Notebook activity settings as below:

+

+If you want to change the session configuration, pipeline Notebook activity parameters name should be same as activityParameterName in the notebook. When run this pipeline, in this example driverCores in %%configure will be replaced by 8 and livy.rsc.sql.num-rows will be replaced by 4000.

+> [!NOTE]

+> If run pipeline failed because of using this new %%configure magic, you can check more error information by running %%configure magic cell in the interactive mode of the notebook.

+>

+[%%time](https://ipython.readthedocs.io/en/stable/interactive/magics.html#magic-time), [%%timeit](https://ipython.readthedocs.io/en/stable/interactive/magics.html#magic-timeit), [%%capture](https://ipython.readthedocs.io/en/stable/interactive/magics.html#cellmagic-capture), [%%writefile](https://ipython.readthedocs.io/en/stable/interactive/magics.html#cellmagic-writefile), [%%sql](#use-multiple-languages), [%%pyspark](#use-multiple-languages), [%%spark](#use-multiple-languages), [%%csharp](#use-multiple-languages), [%%html](https://ipython.readthedocs.io/en/stable/interactive/magics.html#cellmagic-html), [%%configure](#spark-session-configuration-magic-command)

+## Reference unpublished notebook

+Reference unpublished notebook is helpful when you want to debug "locally", when enabling this feature, notebook run will fetch the current content in web cache, if you run a cell including a reference notebooks statement, you will reference the presenting notebooks in the current notebook browser instead of a saved versions in cluster, that means the changes in your notebook editor can be referenced immediately by other notebooks without having to be published(Live mode) or committed(Git mode), by leveraging this approach you can easily avoid common libraries getting polluted during developing or debugging process.

+For different cases comparison please check the table below:

+Notice that [%run](./apache-spark-development-using-notebooks.md) and [mssparkutils.notebook.run](./microsoft-spark-utilities.md) has same behavior here. We use `%run` here as an example.

+|Case|Disable|Enable|

+|-|-||

+|**Live Mode**|||

+|- Nb1 (Published) <br/> `%run Nb1`|Run published version of Nb1|Run published version of Nb1|

+|- Nb1 (New) <br/> `%run Nb1`|Error|Run new Nb1|

+|- Nb1 (Previously published, edited) <br/> `%run Nb1`|Run **published** version of Nb1|Run **edited** version of Nb1|

+|**Git Mode**|||

+|- Nb1 (Published) <br/> `%run Nb1`|Run published version of Nb1|Run published version of Nb1|

+|- Nb1 (New) <br/> `%run Nb1`|Error|Run new Nb1|

+|- Nb1 (Not published, committed) <br/> `%run Nb1`|Error|Run committed Nb1|

+|- Nb1 (Previously published, committed) <br/> `%run Nb1`|Run **published** version of Nb1|Run **committed** version of Nb1|

+|- Nb1 (Previously published, new in current branch) <br/> `%run Nb1`|Run **published** version of Nb1|Run **new** Nb1|

+|- Nb1 (Not published, previously committed, edited) <br/> `%run Nb1`|Error|Run **edited** version of Nb1|

+|- Nb1 (Previously published and committed, edited) <br/> `%run Nb1`|Run **published** version of Nb1|Run **edited** version of Nb1|

+

+## Conclusion

+* If disabled, always run **published** version.

+* If enabled, priority is: edited / new > committed > published.

+ - [Configure Spark session settings](./spark/../apache-spark-development-using-notebooks.md#spark-session-configuration)

+Dedicated SQL pool is a distributed query processing system. Data in a SQL table is distributed upto 60 nodes using one of three [distribution strategies](sql-data-warehouse-tables-distribute.md?toc=/azure/synapse-analytics/sql-data-warehouse/toc.json&bc=/azure/synapse-analytics/sql-data-warehouse/breadcrumb/toc.json) (hash, round_robin, or replicated).

+- You must use version 2020-12-01 or newer of the Azure Compute REST API.

+## Enabling Write Accelerator using REST APIs

+To deploy through Azure REST API, you need to install the Azure armclient.

+With REST API, you can use a normal PUT or PATCH request to update the user data. The user data will be updated without the need to stop or reboot the VM.

+NAT can be created in a specific availability zone and has redundancy built in within the specified zone. NAT is non-zonal by default. A non-zonal Virtual Network NAT is one that hasn't been associated to a specific zone and instead is assigned to a specific zone by Azure. NAT can be isolated in a specific zone when you create [availability zones](../../availability-zones/az-overview.md) scenarios. This deployment is called a zonal deployment.

+* Presence of UDRs for virtual appliances and virtual network gateways override NAT gateway for directing internet bound traffic (route to the 0.0.0.0/0 address prefix). See [Troubleshooting NAT gateway](./troubleshoot-nat.md#virtual-appliance-and-virtual-network-gateway-udrs-supersede-nat-gateway-for-going-outbound) to learn more.

+* Learn more about [NAT gateway metrics](./nat-metrics.md).

+3. No [NSG rules](../network-security-groups-overview.md#outbound) or [UDRs](#virtual-appliance-and-virtual-network-gateway-udrs-supersede-nat-gateway-for-going-outbound) are blocking NAT gateway from directing traffic outbound to the internet.

+### Virtual appliance and virtual network gateway UDRs supersede NAT gateway for going outbound

+When NAT gateway is attached to a subnet also associated with a user defined route (UDR) for a virtual appliance or virtual network gateway, the UDR will take precedence over the NAT gateway for internet routed traffic. The internet traffic will flow from the IP configured for the UDR rather than from the NAT gateway public IP address(es).

+Virtual appliance / Virtual network gateway UDR >> NAT gateway >> default system

+Test and resolve issues with a virtual appliance or virtual network gateway UDR configured to your virtual network by:

+An exclusion list can be configured using [PowerShell](/powershell/module/az.frontdoor/New-AzFrontDoorWafManagedRuleExclusionObject), [Azure CLI](/cli/azure/network/front-door/waf-policy/managed-rules/exclusion#az_network_front_door_waf_policy_managed_rules_exclusion_add), [REST API](/rest/api/frontdoorservice/webapplicationfirewall/policies/createorupdate), or the Azure portal. The following example shows the Azure portal configuration.