+zone_pivot_groups: appconfig-provider

+This article shows how you can take advantage of the managed identity to access App Configuration. It builds on the web app introduced in the quickstarts. Before you continue, [Create a Java Spring app with Azure App Configuration](./quickstart-java-spring-app.md) first.

+- Azure subscription - [create one for free](https://azure.microsoft.com/free/)

+- A supported [Java Development Kit (JDK)](/java/azure/jdk) with version 11.

+- [Apache Maven](https://maven.apache.org/download.cgi) version 3.0 or above.

+ 

+1. Select your Azure subscription, for Managed Identity select **App Service**, then select your App Service name.

+1. Find the endpoint to your App Configuration store. This URL is listed on the **Overview** tab for the store in the Azure portal.

+1. Open `bootstrap.properties`, remove the connection-string property and replace it with endpoint:

+```properties

+spring.cloud.azure.appconfiguration.stores[0].endpoint=<service_endpoint>

+```

+> [!NOTE]

+> If you want to use **user-assigned managed identity** the property `spring.cloud.azure.appconfiguration.stores[0].managed-identity.client-id`, be sure to specify the clientId when creating the [ManagedIdentityCredential](/java/api/com.azure.identity.managedidentitycredential).

+Using managed identities requires you to deploy your app to an Azure service. Managed identities can't be used for authentication of locally-running apps. To deploy the Spring app that you created in the [Create a Java Spring app with Azure App Configuration](./quickstart-java-spring-app.md) quickstart and modified to use managed identities, follow the guidance in [Publish your web app](../app-service/quickstart-java.md?tabs=javase&pivots=platform-linux).

+* Virtual machines (preview): Provision, resize, delete and manage virtual machines based on [VMware vSphere](/azure/azure-arc/vmware-vsphere/overview) or [Azure Stack HCI](/azure-stack/hci/manage/azure-arc-enabled-virtual-machines) and enable VM self-service through role-based access.

+* Perform virtual machine lifecycle and management operations for [VMware vSphere](/azure/azure-arc/vmware-vsphere/overview) and [Azure Stack HCI](/azure-stack/hci/manage/azure-arc-enabled-virtual-machines) environments.

+* Learn about [Azure Arc-enabled VMware vSphere](vmware-vsphere/overview.md) and [Azure Arc-enabled Azure Stack HCI](/azure-stack/hci/manage/azure-arc-enabled-virtual-machines)

+ 

+1. Search for **IT Service Management Connector** in Azure Marketplace. Then select **Create**:

+1. In the **LA Workspace** section, select the Log Analytics workspace where you want to install ITSMC.

+1. In the **Log Analytics workspace** section, select the resource group where you want to create the ITSMC resource:

+1. Specify the connection settings for the ITSM product that you're using:

+1. In the Azure portal, select **Monitor** and then **Alerts**.

+1. On the menu at the top of the screen, select **Manage actions**:

+1. In the **Action groups** window, select **+Create**.

+1. Select the **Subscription** and **Resource group** where you want to create your action group. Provide values in **Action group name** and **Display name** for your action group. Then select **Next: Notifications**.

+1. In the **Notifications** tab, select **Next: Actions**.

+1. In the **Actions** tab, select **ITSM** in the **Action Type** list. For **Name**, provide a name for the action. Then select the pen button that represents **Edit details**.

+1. In the **Subscription** list, select the subscription that contains your Log Analytics workspace. In the **Connection** list, select your ITSM connector name. It will be followed by your workspace name. An example is *MyITSMConnector(MyWorkspace)*.

+1. Select a **Work Item** type.

+1. In the last section of the interface for creating an ITSM action group, you can define how many work items will be created for each alert.

+1. Select **OK**.

+Activity logs you send to a [Log Analytics workspace](/azure/azure-monitor/logs/log-analytics-workspace-overview) are stored in a table called AzureActivity.

+Activity logs insights are a curated [Log Analytics workbook](/azure/azure-monitor/visualize/workbooks-overview) with dashboards that visualize the data in the AzureActivity table. For example, which administrators deleted, updated or created resources, and whether the activities failed or succeeded.

+ * **Azure Activity Logs Entries** shows the count of Activity log records in each [activity log category](/azure/azure-monitor/essentials/activity-log-schema#categories).

+* [Creating a diagnostic setting to send Activity logs to other destinations](./diagnostic-settings.md)

+- [Visual Studio Code (Stable Build)](https://code.visualstudio.com/download)

+- [Node.js (16.14.2 and above)](https://nodejs.org/en/download/)

+- Create an Azure Communication Services resource. For details, see [Create an Azure Communication Resource](../quickstarts/create-communication-resource.md). You'll need to record your resource **connection string** for this quickstart.

+## Local run

+1. Set your connection string in `Server/appsettings.json`

+2. Set your endpoint URL string in `Server/appsettings.json`

+3. `npm run setup` from the root directory

+4. `npm run start` from the root directory

+You can test the sample locally by opening multiple browser sessions with the URL of your chat to simulate a multi-user chat.

+1. Under the root director, run these commands:

+```

+npm run setup

+npm run build

+npm run package

+```

+2. Use the Azure extension and deploy the Chat/dist directory to your app service

+| Maximum JOINs per query| 10 ^*|

+This article explains the resource model for the Azure Cosmos DB point-in-time restore feature. It explains the parameters that support the continuous backup and resources that can be restored. This feature is supported in Azure Cosmos DB API for SQL and the Cosmos DB API for MongoDB. Currently, this feature is in preview for Azure Cosmos DB Gremlin API and Table API accounts.

+The database account's resource model is updated with a few extra properties to support the new restore scenarios. These properties are `BackupPolicy`, `CreateMode`, and `RestoreParameters`.

+|gremlinDatabasesToRestore | List of `GremlinDatabaseRestoreResource` objects to specify which databases and graphs should be restored. Each resource represents a single database and all the graphs under that database. See the [restorable Gremlin resources](#restorable-graph-resources) section for more details. If this value is empty, then the entire account is restored. |

+|tablesToRestore | List of `TableRestoreResource` objects to specify which tables should be restored. Each resource represents a table under that database, see the [restorable Table resources](#restorable-table-resources) section for more details. If this value is empty, then the entire account is restored. |

+ "failoverPriority": "0",

+ "isZoneRedundant": "false"

+ }

+### Restorable Graph resources

+Each resource represents a single database and all the graphs under that database.

+|Property Name |Description |

+|||

+| gremlinDatabaseName | The name of the Graph database. |

+| graphNames | The list of Graphs under this database. |

+To get a list of all Gremlin database and graph combinations that exist on the account at the given timestamp and location, see [Restorable Graph Resources - List](/rest/api/cosmos-db-resource-provider/2021-11-15-preview/restorable-gremlin-resources/list) article.

+### Restorable Graph database

+Each resource contains information about a mutation event, such as a creation and deletion, that occurred on the Graph database. This information can help in the scenario where the database was accidentally deleted and user needs to find out when that event happened.

+|Property Name |Description |

+|||

+|eventTimestamp| The time in UTC when this database event happened.|

+| ownerId| The name of the Graph database. |

+| ownerResourceId | The resource ID of the Graph database. |

+| operationType | The operation type of this database event. Here are the possible values:<br/><ul><li> Create: database creation event</li><li> Delete: database deletion event</li><li> Replace: database modification event</li><li> SystemOperation: database modification event triggered by the system. This event is not initiated by the user. </li></ul> |

+To get a event feed of all mutations on the Gremlin database for the account, see theΓÇ»[Restorable Graph Databases - List]( /rest/api/cosmos-db-resource-provider/2021-11-15-preview/restorable-gremlin-databases/list) article.

+### Restorable Graphs

+Each resource contains information of a mutation event such as creation and deletion that occurred on the Graph. This information can help in scenarios where the graph was modified or deleted, and if you need to find out when that event happened.

+|Property Name |Description |

+|||

+| eventTimestamp |The time in UTC when this collection event happened. |

+| ownerId| The name of the Graph collection. |

+| ownerResourceId | The resource ID of the Graph collection. |

+| operationType |The operation type of this collection event. Here are the possible values:<br/><ul><li>Create: Graph creation event</li><li>Delete: Graph deletion event</li><li>Replace: Graph modification event</li><li>SystemOperation: collection modification event triggered by the system. This event is not initiated by the user.</li></ul> |

+To get a list of all container mutations under the same database, see graph [Restorable Graphs - List](/rest/api/cosmos-db-resource-provider/2021-11-15-preview/restorable-gremlin-graphs/list) article.

+### Restorable Table resources

+Lists all the restorable Azure Cosmos DB Tables available for a specific database account at a given time and location. Note the Table API does not specify an explicit database.

+|Property Name |Description |

+|||

+| TableNames | The list of Table containers under this account. |

+To get a list of Table that exist on the account at the given timestamp and location, see [Restorable Table Resources - List](/rest/api/cosmos-db-resource-provider/2021-11-15-preview/restorable-table-resources/list) article.

+### Restorable Table

+Each resource contains information of a mutation event such as creation and deletion that occurred on the Table. This information can help in scenarios where the table was modified or deleted, and if you need to find out when that event happened.

+|Property Name |Description |

+|||

+|eventTimestamp| The time in UTC when this database event happened.|

+| ownerId| The name of the Table database. |

+| ownerResourceId | The resource ID of the Table resource. |

+| operationType | The operation type of this Table event. Here are the possible values:<br/><ul><li> Create: Table creation event</li><li> Delete: Table deletion event</li><li> Replace: Table modification event</li><li> SystemOperation: database modification event triggered by the system. This event is not initiated by the user </li></ul> |

+To get a list of all table mutations under the same database, see [Restorable Table - List](/rest/api/cosmos-db-resource-provider/2021-11-15-preview/restorable-tables/list) article.

+adobe-target: true

+> Protected resources include public IPs attached to an IaaS VM, Load Balancer (Classic & Standard Load Balancers), Application Gateway (including WAF) cluster, Firewall, Bastion, VPN Gateway, Service Fabric or an IaaS based Network Virtual Appliance (NVA). Protection also covers public IP ranges brought to Azure via Custom IP Prefixes (BYOIPs). PaaS services (multitenant), which includes Azure App Service Environment for Power Apps or API management in a virtual network with a public IP, are not supported at present.

+and [Azure Media Services](/azure/media-services/previous/media-services-dotnet-how-to-use) provide client-side SDKs to let you access services from web and mobile client apps.

+ :::image type="content" source="media/investigate-cases/incident-severity.png" alt-text="Screenshot of view of incident severity." lightbox="media/investigate-cases/incident-severity.png":::

+ :::image type="content" source="media/investigate-cases/incident-timeline.png" alt-text="Screenshot of view of alert details." lightbox="media/investigate-cases/incident-timeline.png":::

+ :::image type="content" source="media/investigate-cases/assign-incident-to-user.png" alt-text="Screenshot of assigning incident to user.":::

+ [](media/investigate-cases/investigation-map.png#lightbox)

+ :::image type="content" source="media/investigate-cases/related-alerts.png" alt-text="Screenshot: view related alerts" lightbox="media/investigate-cases/related-alerts.png":::

+ :::image type="content" source="media/investigate-cases/map-timeline.png" alt-text="Screenshot: view timeline in map." lightbox="media/investigate-cases/map-timeline.png":::

+ :::image type="content" source="media/investigate-cases/use-timeline.png" alt-text="Screenshot: use timeline in map to investigate alerts.'" lightbox="media/investigate-cases/use-timeline.png":::

+

+- Every 14 days, Microsoft Sentinel re-synchronizes with your entire Azure AD to ensure that stale records are fully updated.

+The following steps describe how to add a role assignment to your storage accounts, one at a time. For detailed steps, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md).

+1. In the Azure portal, navigate to your Azure SQL Server page.

+1. Select **Access control (IAM)**.

+1. Select **Add > Add role assignment**.

+ :::image type="content" source="../../includes/role-based-access-control/media/add-role-assignment-menu-generic.png" alt-text="Screenshot that shows Access control (IAM) page with Add role assignment menu open.":::

+1. On the **Roles** tab, select one of the roles listed in the beginning of this section.

+1. On the **Members** tab, select **Managed identity**, and then select **Select members**.

+1. Select **System-assigned managed identity**, search for a vault, and then select it.

+1. On the **Review + assign** tab, select **Review + assign** to assign the role.

+In addition to these permissions, you need to allow access to Microsoft trusted services. To do so, follow these steps:

+1. Go to **Firewalls and virtual networks**.

+1. In **Exceptions**, select **Allow trusted Microsoft services to access this storage account**.

+The following steps describe how to add a role assignment to your storage account. For detailed steps, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md).

+1. Go to the storage account.

+1. Select **Access control (IAM)**.

+1. Select **Add > Add role assignment**.

+ :::image type="content" source="../../includes/role-based-access-control/media/add-role-assignment-menu-generic.png" alt-text="Screenshot that shows Access control (IAM) page with Add role assignment menu open.":::

+1. On the **Roles** tab, select one of the roles listed in the beginning of this section.

+1. On the **Members** tab, select **Managed identity**, and then select **Select members**.

+1. Select **System-assigned managed identity**, search for a vault, and then select it.

+1. On the **Review + assign** tab, select **Review + assign** to assign the role.

+In addition to these permissions, you need to allow access to Microsoft trusted services. To do so, follow these steps:

+1. Go to **Firewalls and virtual networks**.

+1. In **Exceptions**, select **Allow trusted Microsoft services to access this storage account**.

+You can add a new user to the tenant subscription through the CSP portal as follows:

+1. Go to the tenantΓÇÖs CSP subscription page, and then select the **Users and licenses** option.

+ 

+1. Create a new user by entering the relevant details and selecting permissions, or by uploading the list of users in a CSV file.

+1. After you've created a new user, go back to the Azure portal.

+The following steps describe how to assign a role to a user. For detailed steps, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md).

+1. In the **Subscription** page, select the relevant subscription.

+1. In the navigation menu, select **Access control (IAM)**.

+1. Select **Add** > **Add role assignment**.

+ :::image type="content" source="../../includes/role-based-access-control/media/add-role-assignment-menu-generic.png" alt-text="Screenshot that shows Access control (IAM) page with Add role assignment menu open.":::

+1. On the **Role** tab, select a role.

+ For most management operations, the *Contributor* role is sufficient. Users with this access level can do everything on a subscription except change access levels (for which *Owner*-level access is required).

+ Site Recovery also has three [predefined user roles](site-recovery-role-based-linked-access-control.md), that can be used to further restrict access levels as required.

+ :::image type="content" source="../../includes/role-based-access-control/media/add-role-assignment-role-generic.png" alt-text="Screenshot that shows Add role assignment page with the Role tab selected.":::

+1. On the **Members** tab, select **User, group, or service principal**, and then select a user with the relevant access level. The users that were created through the CSP portal are displayed here.

+1. On the **Review + assign** tab, select **Review + assign** to assign the role.