+| .NET |OWIN for AzureAD|[NuGet](https://www.nuget.org/packages/Microsoft.Owin.Security.ActiveDirectory/) |[GitHub](https://github.com/aspnet/AspNetKatan) | |

+| .NET |OWIN for OpenIDConnect |[NuGet](https://www.nuget.org/packages/Microsoft.Owin.Security.OpenIdConnect) |[GitHub](https://github.com/aspnet/AspNetKatana/tree/main/src/Microsoft.Owin.Security.OpenIdConnect) |[Web App](https://github.com/AzureADSamples/WebApp-OpenIDConnect-DotNet) | |

+| .NET |OWIN for WS-Federation |[NuGet](https://www.nuget.org/packages/Microsoft.Owin.Security.WsFederation) |[GitHub](https://github.com/aspnet/AspNetKatana/tree/main/src/Microsoft.Owin.Security.WsFederation) |[MVC Web App](https://github.com/AzureADSamples/WebApp-WSFederation-DotNet) | |

+ 

+ 

+ 

+ 

+The Azure AD Connect server must be treated as a Tier 0 component as documented in the [Active Directory administrative tier model](/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material). We recommend hardening the Azure AD Connect server as a Control Plane asset by following the guidance provided in [Secure Privileged Access]( https://docs.microsoft.com/security/compass/overview)

+- We recommend hardening the Azure AD Connect server as a Control Plane (formerly Tier 0) asset by following the guidance provided in [Secure Privileged Access]( https://docs.microsoft.com/security/compass/overview) and [Active Directory administrative tier model](/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material).

+## Impact of groups assigned to Azure AD roles and Azure resource roles in access reviews

+ΓÇó For **Azure AD roles**, role-assignable groups can be assigned to the role using [role-assignable groups](../roles/groups-concept.md). When a review is created on an Azure AD role with role-assignable groups assigned, the group name shows up in the review without expanding the group membership. The reviewer can approve or deny access of the entire group to the role. Denied groups will lose their assignment to the role when review results are applied.

+ΓÇó For **Azure resource roles**, any security group can be assigned to the role. When a review is created on an Azure resource role with a security group assigned, the users assigned to that security group will be fully expanded and shown to the reviewer of the role. When a reviewer denies a user that was assigned to the role via the security group, the user will not be removed from the group, and therefore the apply of the deny result will be unsuccessful.

+> [!NOTE]

+> It is possible for a security group to have other groups assigned to it. In this case, only the users assigned directly to the security group assigned to the role will appear in the review of the role.

+ Title: 'Tutorial: Azure AD SSO integration with IBMid'

+# Tutorial: Azure AD SSO integration with IBMid

+ `https://login.ibm.com`

+Once you configure IBMid you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

+ a. In the **Identifier** text box, type the following value or URL pattern:

+ | App | URL |

+ |--||

+ | For EDC | `Informatica` |

+ | For Axon | `https://<host name: port number>/saml/metadata`

+1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:

+

+ In the **Sign-on URL** text box, type a URL using the following pattern:

+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [Informatica Platform Client support team](mailto:support@informatica.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+ Title: 'Tutorial: Azure AD SSO integration with PostBeyond'

+# Tutorial: Azure AD SSO integration with PostBeyond

+In this tutorial, you'll learn how to integrate PostBeyond with Azure Active Directory (Azure AD). When you integrate PostBeyond with Azure AD, you can:

+* Control in Azure AD who has access to PostBeyond.

+* Enable your users to be automatically signed-in to PostBeyond with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+To configure Azure AD integration with PostBeyond, you need to have:

+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/pricing/free-trial/).

+* PostBeyond subscription that has single sign-on enabled.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+* PostBeyond supports **SP** initiated SSO.

+## Add PostBeyond from the gallery

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **PostBeyond** in the search box.

+1. Select **PostBeyond** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for PostBeyond

+Configure and test Azure AD SSO with PostBeyond using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in PostBeyond.

+To configure and test Azure AD SSO with PostBeyond, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure PostBeyond SSO](#configure-postbeyond-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create PostBeyond test user](#create-postbeyond-test-user)** - to have a counterpart of B.Simon in PostBeyond that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **PostBeyond** application integration page, find the **Manage** section and select **Single sign-on**.

+1. On the **Select a Single sign-on method** page, select **SAML**.

+1. On the **Set up Single Sign-On with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+ a. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:

+ b. In the **Sign on URL** text box, type a URL using the following pattern:

+ > These values are not real. Update these values with the actual Identifier and Sign on URL. Contact [PostBeyond Client support team](mailto:sso@postbeyond.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to PostBeyond.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **PostBeyond**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure PostBeyond SSO

+To configure single sign-on on **PostBeyond** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [PostBeyond support team](mailto:sso@postbeyond.com). They set this setting to have the SAML SSO connection set properly on both sides.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on **Test this application** in Azure portal. This will redirect to PostBeyond Sign-on URL where you can initiate the login flow.

+* Go to PostBeyond Sign-on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the PostBeyond tile in the My Apps, this will redirect to PostBeyond Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure PostBeyond you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+This tutorial describes the steps you need to perform in both Preciate and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Preciate](https://preciate.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).

+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)

+ Title: 'Tutorial: Azure AD SSO integration with Predictix Ordering'

+# Tutorial: Azure AD SSO integration with Predictix Ordering

+In this tutorial, you'll learn how to integrate Predictix Ordering with Azure Active Directory (Azure AD). When you integrate Predictix Ordering with Azure AD, you can:

+* Control in Azure AD who has access to Predictix Ordering.

+* Enable your users to be automatically signed-in to Predictix Ordering with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+To configure the integration of Predictix Ordering into Azure AD, you need to add Predictix Ordering from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **Predictix Ordering** in the search box.

+1. Select **Predictix Ordering** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for Predictix Ordering

+Configure and test Azure AD SSO with Predictix Ordering using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Predictix Ordering.

+To configure and test Azure AD SSO with Predictix Ordering, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure Predictix Ordering SSO](#configure-predictix-ordering-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create a Predictix Ordering test user](#create-a-predictix-ordering-test-user)** - to have a counterpart of B.Simon in Predictix Ordering that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **Predictix Ordering** application integration page, find the **Manage** section and select **Single sign-on**.

+1. On the **Select a Single sign-on method** page, select **SAML**.

+1. On the **Set up Single Sign-On with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+4. In the **Basic SAML Configuration** dialog box, perform the following steps:

+

+ a. In the **Identifier (Entity ID)** box, type a URL using one of the following patterns:

+

+ | **Identifier** |

+ |--|

+ | `https://<companyname-pricing>.dev.ordering.predictix.com` |

+ | `https://<companyname-pricing>.ordering.predictix.com` |

+

+ b. In the **Sign on URL** box, type a URL using the following pattern:

+ `https://<companyname-pricing>.ordering.predictix.com/sso/request`

+ > These values are placeholders. Update these values with the actual Identifier and Sign on URL. Contact the [Predictix Ordering support team](https://www.predix.io/support/) to get the values. You can also refer to the patterns shown in the **Basic SAML Configuration** dialog box in the Azure portal.

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Predictix Ordering.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **Predictix Ordering**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure Predictix Ordering SSO

+To configure single sign-on on the Predictix Ordering side, you need to send the certificate that you downloaded and the URLs that you copied from the Azure portal to the [Predictix Ordering support team](https://www.predix.io/support/). This team ensures the SAML SSO connection is set properly on both sides.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on **Test this application** in Azure portal. This will redirect to Predictix Ordering Sign-on URL where you can initiate the login flow.

+* Go to Predictix Ordering Sign-on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the Predictix Ordering tile in the My Apps, this will redirect to Predictix Ordering Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure Predictix Ordering you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure AD SSO integration with Predictix Price Reporting'

+# Tutorial: Azure AD SSO integration with Predictix Price Reporting

+In this tutorial, you'll learn how to integrate Predictix Price Reporting with Azure Active Directory (Azure AD). When you integrate Predictix Price Reporting with Azure AD, you can:

+* Control in Azure AD who has access to Predictix Price Reporting.

+* Enable your users to be automatically signed-in to Predictix Price Reporting with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Predictix Price Reporting single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+## Add Predictix Price Reporting from the gallery

+To configure the integration of Predictix Price Reporting into Azure AD, you need to add Predictix Price Reporting from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **Predictix Price Reporting** in the search box.

+1. Select **Predictix Price Reporting** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for Predictix Price Reporting

+Configure and test Azure AD SSO with Predictix Price Reporting using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Predictix Price Reporting.

+To configure and test Azure AD SSO with Predictix Price Reporting, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure Predictix Price Reporting SSO](#configure-predictix-price-reporting-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create a Predictix Price Reporting test user](#create-a-predictix-price-reporting-test-user)** - to have a counterpart of B.Simon in Predictix Price Reporting that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **Predictix Price Reporting** application integration page, find the **Manage** section and select **Single sign-on**.

+1. On the **Select a Single sign-on method** page, select **SAML**.

+1. On the **Set up Single Sign-On with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+4. In the **Basic SAML Configuration** dialog box, perform the following steps:

+ a. In the **Identifier (Entity ID)** box, type a URL using one of the following patterns:

+

+ | **Identifier** |

+ |-|

+ | `https://<companyname-pricing>.predictix.com` |

+ | `https://<companyname-pricing>.dev.predictix.com` |

+ b. In the **Sign on URL** box, type a URL using the following pattern:

+ `https://<companyname-pricing>.predictix.com/sso/request`

+ > These values are placeholders. Update these values with the actual Identifier and Sign on URL. Contact the [Predictix Price Reporting support team](https://www.infor.com/company/customer-center/) to get the values. You can also refer to the patterns shown in the **Basic SAML Configuration** dialog box in the Azure portal.

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Predictix Price Reporting.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **Predictix Price Reporting**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure Predictix Price Reporting SSO

+To configure single sign-on on the Predictix Price Reporting side, you need to send the certificate that you downloaded and the URLs that you copied from the Azure portal to the [Predictix Price Reporting support team](https://www.infor.com/company/customer-center/). This team ensures the SAML SSO connection is set properly on both sides.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on **Test this application** in Azure portal. This will redirect to Predictix Price Reporting Sign-on URL where you can initiate the login flow.

+* Go to Predictix Price Reporting Sign-on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the Predictix Price Reporting tile in the My Apps, this will redirect to Predictix Price Reporting Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure Predictix Price Reporting you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure AD SSO integration with ProNovos Ops Manager'

+# Tutorial: Azure AD SSO integration with ProNovos Ops Manager

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+* ProNovos Ops Manager supports **SP and IDP** initiated SSO.

+## Add ProNovos Ops Manager from the gallery

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+## Configure and test Azure AD SSO for ProNovos Ops Manager

+To configure and test Azure AD SSO with ProNovos Ops Manager, perform the following steps:

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure ProNovos Ops Manager SSO](#configure-pronovos-ops-manager-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create ProNovos Ops Manager test user](#create-pronovos-ops-manager-test-user)** - to have a counterpart of B.Simon in ProNovos Ops Manager that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+1. In the Azure portal, on the **ProNovos Ops Manager** application integration page, find the **Manage** section and select **Single sign-on**.

+1. On the **Set up Single Sign-On with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ In the **Sign-on URL** text box, type the URL:

+## Configure ProNovos Ops Manager SSO

+To configure single sign-on on **ProNovos Ops Manager** side, you need to send the downloaded **Certificate (Raw)** and appropriate copied URLs from Azure portal to [ProNovos Ops Manager support team](mailto:support@pronovos.com). They set this setting to have the SAML SSO connection set properly on both sides.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+#### SP initiated:

+* Click on **Test this application** in Azure portal. This will redirect to ProNovos Ops Manager Sign on URL where you can initiate the login flow.

+* Go to ProNovos Ops Manager Sign-on URL directly and initiate the login flow from there.

+#### IDP initiated:

+* Click on **Test this application** in Azure portal and you should be automatically signed in to the ProNovos Ops Manager for which you set up the SSO.

+You can also use Microsoft My Apps to test the application in any mode. When you click the ProNovos Ops Manager tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the ProNovos Ops Manager for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure ProNovos Ops Manager you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure AD SSO integration with Speexx'

+description: Learn how to configure single sign-on between Azure Active Directory and Speexx.

+# Tutorial: Azure AD SSO integration with Speexx

+In this tutorial, you'll learn how to integrate Speexx with Azure Active Directory (Azure AD). When you integrate Speexx with Azure AD, you can:

+* Control in Azure AD who has access to Speexx.

+* Enable your users to be automatically signed-in to Speexx with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+## Prerequisites

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Speexx single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+## Scenario description

+In this tutorial, you configure and test Azure AD SSO in a test environment.

+* Speexx supports **SP** initiated SSO.

+* Speexx supports **Just In Time** user provisioning.

+## Add Speexx from the gallery

+To configure the integration of Speexx into Azure AD, you need to add Speexx from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **Speexx** in the search box.

+1. Select **Speexx** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for Speexx

+Configure and test Azure AD SSO with Speexx using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Speexx.

+To configure and test Azure AD SSO with Speexx, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure Speexx SSO](#configure-speexx-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create Speexx test user](#create-speexx-test-user)** - to have a counterpart of B.Simon in Speexx that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **Speexx** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** text box, type a URL using the following pattern:

+ `https://portal.speexx.com/auth/saml/<customername>`

+

+ b. In the **Reply URL** text box, type a URL using the following pattern:

+ `https://portal.speexx.com/auth/saml/<customername>/adfs/postResponse`

+ c. In the **Sign-on URL** text box, type a URL using the following pattern:

+ `https://portal.speexx.com/auth/saml/<customername>`

+ > [!NOTE]

+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [Speexx Client support team](mailto:support@speexx.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.

+ 

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+### Assign the Azure AD test user

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Speexx.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **Speexx**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure Speexx SSO

+To configure single sign-on on **Speexx** side, you need to send the **App Federation Metadata Url** to [Speexx support team](mailto:support@speexx.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create Speexx test user

+In this section, a user called B.Simon is created in Speexx. Speexx supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Speexx, a new one is created after authentication.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on **Test this application** in Azure portal. This will redirect to Speexx Sign-on URL where you can initiate the login flow.

+* Go to Speexx Sign-on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the Speexx tile in the My Apps, this will redirect to Speexx Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

+## Next steps

+Once you configure Speexx you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

+ Title: 'Tutorial: Azure AD SSO integration with Twilio Sendgrid'

+description: Learn how to configure single sign-on between Azure Active Directory and Twilio Sendgrid.

+# Tutorial: Azure AD SSO integration with Twilio Sendgrid

+In this tutorial, you'll learn how to integrate Twilio Sendgrid with Azure Active Directory (Azure AD). When you integrate Twilio Sendgrid with Azure AD, you can:

+* Control in Azure AD who has access to Twilio Sendgrid.

+* Enable your users to be automatically signed-in to Twilio Sendgrid with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+## Prerequisites

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Twilio Sendgrid single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+## Scenario description

+In this tutorial, you configure and test Azure AD SSO in a test environment.

+* Twilio Sendgrid supports **SP and IDP** initiated SSO.

+* Twilio Sendgrid supports **Just In Time** user provisioning.

+## Add Twilio Sendgrid from the gallery

+To configure the integration of Twilio Sendgrid into Azure AD, you need to add Twilio Sendgrid from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **Twilio Sendgrid** in the search box.

+1. Select **Twilio Sendgrid** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for Twilio Sendgrid

+Configure and test Azure AD SSO with Twilio Sendgrid using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Twilio Sendgrid.

+To configure and test Azure AD SSO with Twilio Sendgrid, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure Twilio Sendgrid SSO](#configure-twilio-sendgrid-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create Twilio Sendgrid test user](#create-twilio-sendgrid-test-user)** - to have a counterpart of B.Simon in Twilio Sendgrid that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **Twilio Sendgrid** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** textbox, type a URL using the following pattern:

+ `https://api.sendgrid.com/v3/public/sso/saml/response/id/<uuid>`

+ b. In the **Reply URL** textbox, type a URL using the following pattern:

+ `https://api.sendgrid.com/v3/public/sso/saml/response/id/<uuid>`

+1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:

+ In the **Sign-on URL** text box, type the URL:

+ `https://app.sendgrid.com/ssologin`

+ > [!NOTE]

+ > These values are not real. Update these values with the actual Identifier and Reply URL. Contact [Twilio Sendgrid Client support team](mailto:help@sendgrid.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. Click **Save**.

+1. Twilio Sendgrid application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.

+ 

+1. In addition to above, Twilio Sendgrid application expects few more attributes to be passed back in SAML response, which are shown below. These attributes are also pre populated but you can review them as per your requirements.

+ | Name | Source Attribute|

+ | | |

+ | FirstName | user.givenname |

+ | LastName | user.surname |

+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up Twilio Sendgrid** section, copy the appropriate URL(s) based on your requirement.

+ 

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+### Assign the Azure AD test user

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Twilio Sendgrid.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **Twilio Sendgrid**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure Twilio Sendgrid SSO

+To configure single sign-on on **Twilio Sendgrid** side, you need to send the **Certificate (Base64)** to [Twilio Sendgrid support team](mailto:help@sendgrid.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create Twilio Sendgrid test user

+In this section, a user called B.Simon is created in Twilio Sendgrid. Twilio Sendgrid supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Twilio Sendgrid, a new one is created after authentication.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+#### SP initiated:

+* Click on **Test this application** in Azure portal. This will redirect to Twilio Sendgrid Sign on URL where you can initiate the login flow.

+* Go to Twilio Sendgrid Sign-on URL directly and initiate the login flow from there.

+#### IDP initiated:

+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Twilio Sendgrid for which you set up the SSO.

+You can also use Microsoft My Apps to test the application in any mode. When you click the Twilio Sendgrid tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Twilio Sendgrid for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

+## Next steps

+Once you configure Twilio Sendgrid you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).

+ b. In the **Reply URL** text box, type the URL:

+ `https://federation.usbank.com/sp/ACS.saml2`

+ c. In the **Sign-on URL** text box, type the URL:

+ `https://federation.usbank.com/sp/startSSO.ping?PartnerIdpId=<ID>`

+ > [!NOTE]

+ > The Sign-on URL value is not real. Update this value with the actual Sign-on URL. Contact [U.S. Bank Prepaid Client support team](mailto:web.access.management@usbank.com) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+

+ Title: 'Tutorial: Azure AD SSO integration with Vault Platform'

+description: Learn how to configure single sign-on between Azure Active Directory and Vault Platform.

+# Tutorial: Azure AD SSO integration with Vault Platform

+In this tutorial, you'll learn how to integrate Vault Platform with Azure Active Directory (Azure AD). When you integrate Vault Platform with Azure AD, you can:

+* Control in Azure AD who has access to Vault Platform.

+* Enable your users to be automatically signed-in to Vault Platform with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+## Prerequisites

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Vault Platform single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+## Scenario description

+In this tutorial, you configure and test Azure AD SSO in a test environment.

+* Vault Platform supports **IDP** initiated SSO.

+> [!NOTE]

+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.

+## Add Vault Platform from the gallery

+To configure the integration of Vault Platform into Azure AD, you need to add Vault Platform from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **Vault Platform** in the search box.

+1. Select **Vault Platform** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for Vault Platform

+Configure and test Azure AD SSO with Vault Platform using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Vault Platform.

+To configure and test Azure AD SSO with Vault Platform, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure Vault Platform SSO](#configure-vault-platform-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create Vault Platform test user](#create-vault-platform-test-user)** - to have a counterpart of B.Simon in Vault Platform that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **Vault Platform** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following step:

+ a. In the **Reply URL** text box, type a URL using the following pattern:

+ `https://vaultplatform.com/api/portal/sessions/saml/<tenant-identifier>`

+ > [!NOTE]

+ > The Reply URL value is not real. Update the value with the actual Reply URL. Contact [Vault Platform Client support team](mailto:azure@vaultplatform.com) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up Vault Platform** section, copy the appropriate URL(s) based on your requirement.

+ 

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+### Assign the Azure AD test user

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Vault Platform.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **Vault Platform**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure Vault Platform SSO

+To configure single sign-on on **Vault Platform** side, you need to send the **Certificate (Base64)** to [Vault Platform support team](mailto:azure@vaultplatform.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create Vault Platform test user

+In this section, you create a user called Britta Simon in Vault Platform. Work with [Vault Platform support team](mailto:azure@vaultplatform.com) to add the users in the Vault Platform platform. Users must be created and activated before you use single sign-on.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on Test this application in Azure portal and you should be automatically signed in to the Vault Platform for which you set up the SSO.

+* You can use Microsoft My Apps. When you click the Vault Platform tile in the My Apps, you should be automatically signed in to the Vault Platform for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure Vault Platform you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+In either case, you need to provide the fault domain count for your host group. If you do not want to span fault domains in your group, use a fault domain count of 1.

+For example, a MySQL connection string named *connectionstring1* can be accessed as the environment variable `MYSQLCONNSTR_connectionString1`. For language-stack specific steps, see:

+zone_pivot_groups: app-service-containers-code

+> [!NOTE]

+> Mounting Azure Storage as a local share for App Service on Windows code is currently in preview.

+>

+This guide shows how to mount Azure Storage Files as a network share in Windows code in App Service. Only [Azure Files Shares](../storage/files/storage-how-to-use-files-portal.md) and [Premium Files Shares](../storage/files/storage-how-to-create-file-share.md) are supported. The benefits of custom-mounted storage include:

+- Configure persistent storage for your App Service app and manage the storage separately.

+- Make static content like video and images readily available for your App Service app.

+- Write application log files or archive older application log to Azure File shares.

+- Share content across multiple apps or with other Azure services.

+The following features are supported for Windows code:

+- Secured access to storage accounts with [private endpoints](../storage/common/storage-private-endpoints.md) and [service endpoints](../storage/common/storage-network-security.md#grant-access-from-a-virtual-network) (when [VNET integration](./overview-vnet-integration.md) is used).

+- Azure Files (read/write).

+- Up to five mount points per app.

+- Mount Azure Storage file shares using "/mounts/`<path-name>`".

+## Prerequisites

+- [An existing Windows code app in App Service](quickstart-dotnetcore.md)

+- [Create Azure file share](../storage/files/storage-how-to-use-files-portal.md)

+- [Upload files to Azure File share](../storage/files/storage-how-to-create-file-share.md)

+- [Storage firewall](../storage/common/storage-network-security.md) is supported only through [private endpoints](../storage/common/storage-private-endpoints.md) and [service endpoints](../storage/common/storage-network-security.md#grant-access-from-a-virtual-network) (when [VNET integration](./overview-vnet-integration.md) is used).

+- Azure blobs are not supported when configuring Azure storage mounts for Windows code apps deployed to App Service.

+- FTP/FTPS access to mounted storage not supported (use [Azure Storage Explorer](https://azure.microsoft.com/features/storage-explorer/)).

+- Mapping `/mounts`, `mounts/foo/bar`, `/`, and `/mounts/foo.bar/` to custom-mounted storage is not supported (you can only use /mounts/pathname for mounting custom storage to your web app.)

+- Storage mounts cannot be used together with clone settings option during [deployment slot](deploy-staging-slots.md) creation.

+- Storage mounts are not backed up when you [back up your app](manage-backup.md). Be sure to follow best practices to back up the Azure Storage accounts.

+## Mount storage to Windows code

+- The mounted Azure Storage account can be either Standard or Premium performance tier. Based on the app capacity and throughput requirements, choose the appropriate performance tier for the storage account. See the [scalability and performance targets for Files](../storage/files/storage-files-scale-targets.md).

+- If your app [scales to multiple instances](../azure-monitor/autoscale/autoscale-get-started.md), all the instances connect to the same mounted Azure Storage account. To avoid performance bottlenecks and throughput issues, choose the appropriate performance tier for the storage account.

+- It's not recommended to use storage mounts for local databases (such as SQLite) or for any other applications and components that rely on file handles and locks.

+- If you [initiate a storage failover](../storage/common/storage-initiate-account-failover.md) and the storage account is mounted to the app, the mount will fail to connect until you either restart the app or remove and add the Azure Storage mount.

+

+- When using Azure Storage [private endpoints](../storage/common/storage-private-endpoints.md) with the app, you need to [enable the **Route All** setting](configure-vnet-integration-routing.md).

+- When VNET integration is used, ensure app setting, `WEBSITE_CONTENTOVERVNET` is set to `1` and the following ports are open:

+ - Azure Files: 80 and 445

+- To avoid potential issues related to latency, place the app and the Azure Storage account in the same Azure region. Note, however, if the app and Azure Storage account are in same Azure region, and if you grant access from App Service IP addresses in the [Azure Storage firewall configuration](../storage/common/storage-network-security.md), then these IP restrictions are not honored.

+- In the Azure Storage account, avoid [regenerating the access key](../storage/common/storage-account-keys-manage.md) that's used to mount the storage in the app. The storage account contains two different keys. Use a stepwise approach to ensure that the storage mount remains available to the app during key regeneration. For example, assuming that you used **key1** to configure storage mount in your app:

+ 1. Regenerate **key2**.

+ 1. In the storage mount configuration, update the access the key to use the regenerated **key2**.

+ 1. Regenerate **key1**.

+- If you delete an Azure Storage account, container, or share, remove the corresponding storage mount configuration in the app to avoid possible error scenarios.

+- The mounted Azure Storage account can be either Standard or Premium performance tier. Based on the app capacity and throughput requirements, choose the appropriate performance tier for the storage account. See the [scalability and performance targets for Files](../storage/files/storage-files-scale-targets.md).

+- If you [initiate a storage failover](../storage/common/storage-initiate-account-failover.md) and the storage account is mounted to the app, the mount will fail to connect until you either restart the app or remove and add the Azure Storage mount.

+

+- To avoid potential issues related to latency, place the app and the Azure Storage account in the same Azure region. Note, however, if the app and Azure Storage account are in same Azure region, and if you grant access from App Service IP addresses in the [Azure Storage firewall configuration](../storage/common/storage-network-security.md), then these IP restrictions are not honored.

+- The mount directory in the custom container should be empty. Any content stored at this path is deleted when the Azure Storage is mounted (if you specify a directory under `/home`, for example). If you are migrating files for an existing app, make a backup of the app and its content before you begin.

+- Mounting the storage to `/home` is not recommended because it may result in performance bottlenecks for the app.

+

+- In the Azure Storage account, avoid [regenerating the access key](../storage/common/storage-account-keys-manage.md) that's used to mount the storage in the app. The storage account contains two different keys. Use a stepwise approach to ensure that the storage mount remains available to the app during key regeneration. For example, assuming that you used **key1** to configure storage mount in your app:

+ 1. Regenerate **key2**.

+ 1. In the storage mount configuration, update the access the key to use the regenerated **key2**.

+ 1. Regenerate **key1**.

+- If you delete an Azure Storage account, container, or share, remove the corresponding storage mount configuration in the app to avoid possible error scenarios.

+- The mounted Azure Storage account can be either Standard or Premium performance tier. Based on the app capacity and throughput requirements, choose the appropriate performance tier for the storage account. See the scalability and performance targets that correspond to the storage type:

+ - [For Files](../storage/files/storage-files-scale-targets.md)

+ - [For Blobs](../storage/blobs/scalability-targets.md)

+- If your app [scales to multiple instances](../azure-monitor/autoscale/autoscale-get-started.md), all the instances connect to the same mounted Azure Storage account. To avoid performance bottlenecks and throughput issues, choose the appropriate performance tier for the storage account.

+- It's not recommended to use storage mounts for local databases (such as SQLite) or for any other applications and components that rely on file handles and locks.

+- [Migrate custom software to Azure App Service using a custom container](tutorial-custom-container.md?pivots=container-windows).

+> [!IMPORTANT]

+> Because Azure fully manages the certificates on your behalf, any aspect of the managed certificate, including the root issuer, can be changed at anytime. These changes are outside of your control. You should avoid having a hard dependency or practice certificate "pinning" to the managed certificate, or to any part of the certificate hierarchy. If you need the certificate pinning behavior, add a certificate to your custom domain using any other available method in this article.

+The following command will check whether your App Service Environment is supported for migration. If you receive an error or if your App Service Environment is in an unhealthy or suspended state, you can't migrate at this time. See the [troubleshooting](migrate.md#troubleshooting) section for descriptions of the potential error messages you may get. If your environment [won't be supported for migration](migrate.md#supported-scenarios) or you want to migrate to App Service Environment v3 without using the migration feature, see the [manual migration options](migration-alternatives.md).

+From the [Azure portal](https://portal.azure.com), navigate to the **Overview** page for the App Service Environment you'll be migrating. The platform will validate if migration is supported for your App Service Environment. Wait a couple seconds after the page loads for this validation to take place. See the [troubleshooting](migrate.md#troubleshooting) section for descriptions of the potential error messages if migration for your environment isn't supported by the migration feature.

+The migration feature doesn't plan on supporting App Service Environment v1 within a Classic VNet. See the [manual migration options](migration-alternatives.md) if your App Service Environment falls into this category.

+### Troubleshooting

+If your App Service Environment doesn't pass the validation checks or you try to perform a migration step in the incorrect order, you may see one of the following error messages:

+|Error message |Description |

+|||

+|Migrate can only be called on an ASE in ARM VNET and this ASE is in Classic VNET. |App Service Environments in Classic VNets can't migrate using the migration feature. |

+|ASEv3 Migration is not yet ready. |The underlying infrastructure isn't ready to support App Service Environment v3. |

+|Migration cannot be called on this ASE, please contact support for help migrating. |Support will need to be engaged for migrating this App Service Environment. This is potentially due to custom settings used by this environment. |

+|Migrate cannot be called on Zone Pinned ASEs. |App Service Environment v2s that are zone pinned can't be migrated using the migration feature at this time. |

+|Migrate cannot be called if IP SSL is enabled on any of the sites|App Service Environments that have sites with IP SSL enabled can't be migrated using the migration feature at this time. |

+|Migrate is not available for this kind|App Service Environment v1 can't be migrated using the migration feature at this time. |

+|Full migration cannot be called before IP addresses are generated|You'll see this error if you attempt to migrate before finishing the pre-migration steps. |

+|Migration to ASEv3 is not allowed for this ASE|You won't be able to migrate using the migration feature. |

+|Subscription has too many App Service Environments. Please remove some before trying to create more.|The App Service Environment [quota for your subscription](/azure/azure-resource-manager/management/azure-subscription-service-limits#app-service-limits) has been met. You'll need to remove unneeded environments or contact support to review your options.|

+|`<ZoneRedundant><DedicatedHosts><ASEv3/ASE>` is not available in this location|You'll see this error if you're trying to migrate an App Service Environment in a region that doesn't support one of your requested features. |

+### Verify the app works

+* [Tutorial: Run a load test to identify performance bottlenecks in a web app](../load-testing/tutorial-identify-bottlenecks-azure-portal.md)

+The prebuilt-read model extracts printed and handwritten textual elements including lines, words, locations, and detected languages from documents (PDF and TIFF) and images (JPG, PNG, and BMP). The read model is the foundation for all Form Recognizer models. Layout, general document, custom, and prebuilt models use the prebuilt-read model as a basis for extracting text from documents.

+Get started with Azure Form Recognizer using the Python programming language. Azure Form Recognizer is a cloud-based Azure Applied AI Service that uses machine learning to extract key-value pairs, text, and tables from your documents. You can easily call Form Recognizer models by integrating our client library SDks into your workflows and applications. We recommend that you use the free service when you're learning the technology. Remember that the number of free pages is limited to 500 per month.

+> [!NOTE]

+> If you would like to preview the upcoming version of **Windows Server Azure Edition**, see [Windows Server VNext Datacenter: Azure Edition](windows-server-azure-edition-vnext.md).

+Automanage supports toggling services ON and OFF. It also currently supports customizing settings on [Azure Backup](..\backup\backup-azure-arm-vms-prepare.md#create-a-custom-policy) and [Microsoft Antimalware](../security/fundamentals/antimalware.md#default-and-custom-antimalware-configuration). You can also specify an existing log analytics workspace. Also, for Windows machines only, you can modify the audit modes for the [Azure security baselines in Guest Configuration](../governance/policy/concepts/guest-configuration.md).

+Automanage allows you to tag the following resources in the custom profile:

+* Resource Group

+* Automation Account

+* Log Analytics Workspace

+* Recovery Vault

+Check out the [ARM template](#create-a-custom-profile-using-azure-resource-manager-templates) for modifying these settings.

+> [!NOTE]

+> If you want to use a specific log analytics workspace, specify the ID of the workspace like this: "/subscriptions/**subscriptionId**/resourceGroups/**resourceGroupName**/providers/Microsoft.OperationalInsights/workspaces/**workspaceName**"

+ },

+ "logAnalyticsWorkspace": {

+ "type": "String"

+ },

+ "LogAnalyticsBehavior": {

+ "defaultValue": false,

+ "type": "Bool"

+ }

+ "LogAnalytics/Reprovision": "[parameters('LogAnalyticsBehavior')]",

+ "LogAnalytics/Workspace": "[parameters('logAnalyticsWorkspace')]",

+ "VMInsights/Enable": true,

+ "Tags/ResourceGroup": {

+ "foo": "rg"

+ },

+ "Tags/AzureAutomation": {

+ "foo": "automationAccount"

+ },

+ "Tags/LogAnalyticsWorkspace": {

+ "foo": "workspace"

+ },

+ "Tags/RecoveryVault": {

+ "foo": "recoveryVault"

+ }

+You can also specify an existing log analytics workspace by adding this setting to the configuration section of properties below:

+* "LogAnalytics/Workspace": "/subscriptions/**subscriptionId**/resourceGroups/**resourceGroupName**/providers/Microsoft.OperationalInsights/workspaces/**workspaceName**"

+* "LogAnalytics/Reprovision": false

+Specify your existing workspace in the `LogAnalytics/Workspace` line. Set the `LogAnalytics/Reprovision` setting to true if you would like this log analytics workspace to be used in all cases. This means that any machine with this custom profile will use this workspace, even it is already connected to one. By default, the `LogAnalytics/Reprovision` is set to false. If your machine is already connected to a workspace, then that workspace will continue to be used. If it is not connected to a workspace, then the workspace specified in `LogAnalytics\Workspace` will be used.

+Also, you can add tags to resources specified in the custom profile like below:

+```json

+"Tags/ResourceGroup": {

+ "foo": "rg"

+},

+"Tags/ResourceGroup/Behavior": "Preserve",

+"Tags/AzureAutomation": {

+ "foo": "automationAccount"

+},

+"Tags/AzureAutomation/Behavior": "Replace",

+"Tags/LogAnalyticsWorkspace": {

+ "foo": "workspace"

+},

+"Tags/LogAnalyticsWorkspace/Behavior": "Replace",

+"Tags/RecoveryVault": {

+ "foo": "recoveryVault"

+},

+"Tags/RecoveryVault/Behavior": "Preserve"

+```

+The `Tags/Behavior` can either be set to Preserve or Replace. If the resource you are tagging already has the same tag key in the key/value pair, you can choose if you would like to replace that key with the specified value in the configuration profile by using the *Replace* behavior. By default, the behavior is set to *Preserve*, meaning that the tag key that is already associated with that resource will be kept and not overwritten by the key/value pair specified in the configuration profile.

+ Title: "Preview: Windows Server VNext Datacenter (Azure Edition) for Azure Automanage"

+description: Learn how to preview the upcoming version of Windows Server Azure Edition and know what to expect.

+# Preview: Windows Server VNext Datacenter (Azure Edition) for Azure Automanage

+> [!IMPORTANT]

+> **Windows Server VNext Datacenter Azure Edition** is currently in public preview.

+> This preview version is provided without a service-level agreement, and we don't recommend it for production workloads. Certain features might not be supported or might have constrained capabilities.

+> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+[Windows Server: Azure Edition (WSAE)](https://aka.ms/wsae) is a new edition of Windows Server focused on innovation and efficiency. Featuring an annual release cadence and optimized to run on Azure properties, WSAE brings new functionality to Windows Server users faster than the traditional Long-Term Servicing Channel (LTSC) editions of Windows Server (2016,2019,2022, etc.) the first version of this new variant is Windows Server 2022 Datacenter: Azure Edition, announced at Microsoft Ignite in November 2021.

+The annual WSAE releases are delivered using Windows Update, rather than a full OS upgrade. As part of this annual release cadence, the WSAE Insider preview program will spin up each spring with the opportunity to access early builds of the next release - leading to general availability in the fall. Install the preview to get early access to all the new features and functionality prior to general availability. If you are a registered Microsoft Server Insider, you have access to create and use virtual machine images from this preview. For more information and to manage your Insider membership, visit the [Windows Insider home page](https://insider.windows.com/) or [Windows Insiders for Business home page.](https://insider.windows.com/for-business/)

+## WhatΓÇÖs in the preview?

+Much like the [Dev Channel of the insider program for Windows 11](https://insider.windows.com/understand-flighting), the WSAE Preview comes directly from an active, still-in-development codebase. As a result, you may encounter some features that are not yet complete, and in some cases, you may see features & functionality that will not appear in the Azure Edition annual release.

+Details regarding each preview will be shared in release announcements posted to the [Windows Server Insiders](https://techcommunity.microsoft.com/t5/windows-server-insiders/bd-p/WindowsServerInsiders) space on Microsoft Tech Community.

+## How do I get started?

+To create a Windows Server: Azure Edition preview virtual machine in Azure, visit the [Microsoft Server Operating Systems Preview](https://aka.ms/createWSAEpreview) offer in the Azure marketplace.

+## Next steps

+To learn more about the features and functionality in the Windows Server: Azure Edition preview, [view the most recent preview announcement here.](https://aka.ms/currentWSAEpreview)

+ - You can orchestrate complex workflows through [durable functions](/azure/azure-functions/durable/durable-functions-overview?tabs=csharp).

+ - You can orchestrate complex workflows through [durable functions](/azure/azure-functions/durable/durable-functions-overview?tabs=csharp).

+After initial deployment of the Azure Connected Machine agent, you may need to reconfigure the agent, upgrade it, or remove it from the computer. These routine maintenance tasks can be done manually or through automation (which reduces both operational error and expenses).

+The azcmagent tool is used to configure the Azure Connected Machine agent during installation, or modify the initial configuration of the agent after installation. azcmagent.exe provides the following command-line parameters to customize the agent and view its status:

+* **check** - Troubleshoot network connectivity issues.

+* **connect** - Connect the machine to Azure Arc.

+* **disconnect** - Disconnect the machine from Azure Arc.

+* **logs** - Create a .zip file in the current directory containing logs to assist you while troubleshooting.

+* **version** - Show the Connected Machine agent version.

+* **-useStderr** - Direct error and verbose output to stderr. Include the `-json` parameter to output the results in JSON format.

+* **-h or --help** - Show available command-line parameters. For example, to see detailed help for the **Connect** parameter, type `azcmagent connect -h`.

+* **-v or --verbose** - Enable verbose logging.

+You can perform a **connect** and **disconnect** manually while logged on interactively, or with a Microsoft identity platform [access token](../../active-directory/develop/access-tokens.md), or by using the same service principal you used to onboard multiple agents. If you didn't use a service principal to register the machine with Azure Arc-enabled servers, you can [create a service principal now](onboard-service-principal.md#create-a-service-principal-for-onboarding-at-scale).

+### check

+This parameter allows you to run network connectivity tests to troubleshoot networking issues between the agent and Azure services. The network connectivity check includes all [required Azure Arc network endpoints](network-requirements.md#urls), but does not include endpoints accessed by extensions you install.

+When running a network connectivity check, you must provide the name of the Azure region (for example, eastus) that you want to test. It's also recommended to use the `--verbose` parameter to see the results of both successful and unsuccessful tests:

+### connect

+This parameter specifies a resource in Azure Resource Manager and connects it to Azure Arc. You must specify the subscription and resource group of the resource to connect. Data about the machine is stored in the Azure region specified by the `--location` setting. The default resource name is the hostname of the machine unless otherwise specified.

+### disconnect

+This parameter specifies a resource in Azure Resource Manager to delete from Azure Arc. Running this parameter doesn't remove the agent from the machine; you must uninstall the agent separately. After the machine is disconnected, you can re-register it with Azure Arc-enabled servers by using `azcmagent connect` so a new resource is created for it in Azure.

+> If you have deployed one or more Azure VM extensions to your Azure Arc-enabled server and you delete its registration in Azure, the extensions remain installed and may continue performing their functions. Any machine intended to be retired or no longer managed by Azure Arc-enabled servers should first have its [extensions removed](#step-1-remove-vm-extensions) before removing its registration from Azure.

+### config

+If the property you're changing supports a list of values, you can use the `--add` and `--remove` flags to add or remove specific items without having to re-type the entire list:

+## Upgrade the agent

+The Azure Connected Machine agent is updated regularly to address bug fixes, stability enhancements, and new functionality. [Azure Advisor](../../advisor/advisor-overview.md) identifies resources that are not using the latest version of the machine agent and recommends that you upgrade to the latest version. It will notify you when you select the Azure Arc-enabled server by presenting a banner on the **Overview** page or when you access Advisor through the Azure portal.

+The following table describes the methods supported to perform the agent upgrade:

+Windows Server doesn't check for updates in Microsoft Update by default. To receive automatic updates for the Azure Connected Machine Agent, you must configure the Windows Update client on the machine to check for other Microsoft products.

+1. Sign into a computer used for server administration with an account that can manage Group Policy Objects (GPO) for your organization.

+1. Open the **Group Policy Management Console**.

+1. Right-click the container and select **Create a GPO in this domain, and Link it here...**.

+1. Provide a name for your policy such as "Enable Microsoft Update".

+1. Right-click the policy and select **Edit**.

+1. Navigate to **Computer Configuration > Administrative Templates > Windows Components > Windows Update**.

+1. Select the **Configure Automatic Updates** setting to edit it.

+1. Select the **Enabled** radio button to allow the policy to take effect.

+1. At the bottom of the **Options** section, check the box for **Install updates for other Microsoft products** at the bottom.

+1. Select **OK**.

+1. Sign in to the computer with an account that has administrative rights.

+1. Download the latest agent installer from https://aka.ms/AzureConnectedMachineAgent

+1. Run **AzureConnectedMachineAgent.msi** to start the Setup Wizard.

+If the Setup Wizard discovers a previous version of the agent, it will upgrade it automatically. When the upgrade completes, the Setup Wizard closes automatically.

+1. Download the latest agent installer from https://aka.ms/AzureConnectedMachineAgent

+1. To upgrade the agent silently and create a setup log file in the `C:\Support\Logs` folder, run the following command:

+Updating the agent on a Linux machine involves two commands; one command to update the local package index with the list of latest available packages from the repositories, and another command to upgrade the local package.

+> To upgrade the agent, you must have *root* access permissions or an account that has elevated rights using Sudo.

+When you change the name of a Linux or Windows machine connected to Azure Arc-enabled servers, the new name is not recognized automatically because the resource name in Azure is immutable. As with other Azure resources, you must delete the resource and re-create it in order to use the new name.

+For Azure Arc-enabled servers, before you rename the machine, it's necessary to remove the VM extensions before proceeding:

+1. Audit the VM extensions installed on the machine and note their configuration using the [Azure CLI](manage-vm-extensions-cli.md#list-extensions-installed) or [Azure PowerShell](manage-vm-extensions-powershell.md#list-extensions-installed).

+2. Remove any VM extensions installed on the machine. You can do this using the [Azure portal](manage-vm-extensions-portal.md#remove-extensions), the [Azure CLI](manage-vm-extensions-cli.md#remove-extensions), or [Azure PowerShell](manage-vm-extensions-powershell.md#remove-extensions).

+3. Use the **azcmagent** tool with the [Disconnect](manage-agent.md#disconnect) parameter to disconnect the machine from Azure Arc and delete the machine resource from Azure. You can run this manually while logged on interactively, with a Microsoft identity [access token](../../active-directory/develop/access-tokens.md), or with the service principal you used for onboarding (or with a [new service principal that you create](onboard-service-principal.md#create-a-service-principal-for-onboarding-at-scale).

+ Disconnecting the machine from Azure Arc-enabled servers doesn't remove the Connected Machine agent, and you do not need to remove the agent as part of this process.

+4. Re-register the Connected Machine agent with Azure Arc-enabled servers. Run the `azcmagent` tool with the [Connect](manage-agent.md#connect) parameter to complete this step. The agent will default to using the computer's current hostname, but you can choose your own resource name by passing the `--resource-name` parameter to the connect command.

+For servers you no longer want to manage with Azure Arc-enabled servers, follow the steps below to remove any VM extensions from the server, disconnect the agent, and uninstall the software from your server. It's important to complete all of these steps to fully remove all related software components from your system.

+If you have deployed Azure VM extensions to an Azure Arc-enabled server, you must uninstall the extensions before disconnecting the agent or uninstalling the software. Uninstalling the Azure Connected Machine agent doesn't automatically remove extensions, and these extensions won't be recognized if you reconnect the server to Azure Arc.

+Disconnecting the agent deletes the corresponding Azure resource for the server and clears the local state of the agent. To disconnect the agent, run the `azcmagent disconnect` command as an administrator on the server. You'll be prompted to log in with an Azure account that has permission to delete the resource in your subscription. If the resource has already been deleted in Azure, you'll need to pass an additional flag to clean up the local state: `azcmagent disconnect --force-local-only`.

+Follow these steps to uninstall the Windows agent from the machine:

+1. Sign in to the computer with an account that has administrator permissions.

+1. In **Control panel**, select **Programs and Features**.

+1. In **Programs and Features**, select **Azure Connected Machine Agent**, select **Uninstall**, and then select **Yes**.

+You can also delete the Windows agent directly from the agent setup wizard. Run the **AzureConnectedMachineAgent.msi** installer package to do so.

+You can uninstall the agent manually from the Command Prompt or by using an automated method (such as a script) by following the example below. First you need to retrieve the product code, which is a GUID that is the principal identifier of the application package, from the operating system. The uninstall is performed by using the Msiexec.exe command line - `msiexec /x {Product Code}`.

+3. Uninstall the agent using Msiexec, as in the following examples:

+> To uninstall the agent, you must have *root* access permissions or an account that has elevated rights using sudo.

+The command used to uninstall the Linux agent depends on the Linux operating system.

+To configure the agent to communicate to the service through a proxy server or to remove this configuration after deployment, use one of the methods described below. Note that the agent communicates outbound using the HTTP protocol under this scenario.

+As of agent version 1.13, proxy settings can be configured using the `azcmagent config` command or system environment variables. If a proxy server is specified in both the agent configuration and system environment variables, the agent configuration will take precedence and become the effective setting. Use `azcmagent show` to view the effective proxy configuration for the agent.

+1. [Upgrade the Azure Connected Machine agent](#upgrade-the-agent) to the latest version (starting with version 1.13) to use the new proxy configuration settings.

+1. Configure the agent with your proxy server information by running `azcmagent config set proxy.url "http://ProxyServerFQDN:port"`.

+1. Remove the unused environment variables by following the steps for [Windows](#windows-environment-variables) or [Linux](#linux-environment-variables).

+To upgrade your machine to the version of the agent required, see [Upgrade agent](manage-agent.md#upgrade-the-agent).

+The following function uses an HTTP trigger to read a single table row as input to a function.

+In this example, binding configuration specifies an explicit value for the table's `partitionKey` and uses an expression to pass to the `rowKey`. The `rowKey` expression, `{id}` indicates that the row key comes from the `{id}` part of the route in the request.

+[`IEnumerable<T>`]: /dotnet/api/system.collections.generic.ienumerable-1

+[dh-records]: /rest/api/maps/weather/get-daily-historical-records

+[dh-actuals]: /rest/api/maps/weather/get-daily-historical-actuals

+[dh-normals]: /rest/api/maps/weather/get-daily-historical-normals

+ Title: Azure Monitor agent extension versions

+description: This article describes the version details for the Azure Monitor agent virtual machine extension.

+# Azure Monitor agent extension versions

+This article describes the version details for the Azure Monitor agent virtual machine extension. This extension deploys the agent on virtual machines, scale sets, and Arc-enabled servers (on premise servers with Azure Arc agent installed).

+We strongly recommended to update to the latest version at all times, or opt in to the [Automatic Extension Update](../../virtual-machines/automatic-extension-upgrade.md) feature.

+## Version details

+| Release Date | Release notes | Windows | Linux |

+|:|:|:|:|

+| March 2022 | <ul><li>Fixed timestamp and XML format bugs in Windows Event logs</li><li>Full Windows OS information in Log Analytics Heartbeat table</li><li>Fixed Linux performance counters to collect instance values instead of 'total' only</li></ul> | 1.3.0.0 | 1.17.5.0 |

+| February 2022 | <ul><li>Bugfixes for the AMA Client installer (private preview)</li><li>Versioning fix to reflect appropriate Windows major/minor/hotfix versions</li><li>Internal test improvement on Linux</li></ul> | 1.2.0.0 | 1.15.3 |

+| January 2022 | <ul><li>Syslog RFC compliance for Linux</li><li>Fixed issue for Linux perf counters not flowing on restart</li><li>Fixed installation failure on Windows Server 2008 R2 SP1</li></ul> | 1.1.5.1^Hotfix | 1.15.2.0^Hotfix |

+| December 2021 | <ul><li>Fixed issues impacting Linux Arc-enabled servers</li><li>'Heartbeat' table > 'Category' column reports "Azure Monitor Agent" in Log Analytics for Windows</li></ul> | 1.1.4.0 | 1.14.7.0² |

+| September 2021 | <ul><li>Fixed issue causing data loss on restarting the agent</li><li>Fixed issue for Arc Windows servers</li></ul> | 1.1.3.2^Hotfix | 1.12.2.0 ¹ |

+| August 2021 | Fixed issue allowing Azure Monitor Metrics as the only destination | 1.1.2.0 | 1.10.9.0^Hotfix |

+| July 2021 | <ul><li>Support for direct proxies</li><li>Support for Log Analytics gateway</li></ul> [Learn more](https://azure.microsoft.com/updates/general-availability-azure-monitor-agent-and-data-collection-rules-now-support-direct-proxies-and-log-analytics-gateway/) | 1.1.1.0 | 1.10.5.0 |

+| June 2021 | General availability announced. <ul><li>All features except metrics destination now generally available</li><li>Production quality, security and compliance</li><li>Availability in all public regions</li><li>Performance and scale improvements for higher EPS</li></ul> [Learn more](https://azure.microsoft.com/updates/azure-monitor-agent-and-data-collection-rules-now-generally-available/) | 1.0.12.0 | 1.9.1.0 |

+^Hotfix Do not use AMA Linux versions v1.10.7, v1.15.1 and AMA Windows v1.1.3.1, v1.1.5.0. Please use hotfix versions listed above.

+¹ Known issue: No data collected from Linux Arc-enabled servers

+² Known issue: Linux performance counters data stops flowing on restarting/rebooting the machine(s)

+## Next steps

+- [Install and manage the extension](azure-monitor-agent-manage.md).

+- [Create a data collection rule](data-collection-rule-azure-monitor-agent.md) to collect data from the agent and send it to Azure Monitor.

+[View Azure Monitor Agent extension versions](./azure-monitor-agent-extension-versions.md).

+| Cloud |Endpoint |Purpose |Port |Direction |Bypass HTTPS inspection|

+|||||--|--|

+| Azure Commercial |global.handler.control.monitor.azure.com |Access control service|Port 443 |Outbound|Yes |

+| Azure Commercial |`<virtual-machine-region-name>`.handler.control.monitor.azure.com |Fetch data collection rules for specific machine |Port 443 |Outbound|Yes |

+| Azure Commercial |`<log-analytics-workspace-id>`.ods.opinsights.azure.com |Ingest logs data |Port 443 |Outbound|Yes |

+| Azure Government |global.handler.control.monitor.azure.us |Access control service|Port 443 |Outbound|Yes |

+| Azure Government |`<virtual-machine-region-name>`.handler.control.monitor.azure.us |Fetch data collection rules for specific machine |Port 443 |Outbound|Yes |

+| Azure Government |`<log-analytics-workspace-id>`.ods.opinsights.azure.us |Ingest logs data |Port 443 |Outbound|Yes |

+| Azure China |global.handler.control.monitor.azure.cn |Access control service|Port 443 |Outbound|Yes |

+| Azure China |`<virtual-machine-region-name>`.handler.control.monitor.azure.cn |Fetch data collection rules for specific machine |Port 443 |Outbound|Yes |

+| Azure China |`<log-analytics-workspace-id>`.ods.opinsights.azure.cn |Ingest logs data |Port 443 |Outbound|Yes |

+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

+### Create a telemetry processor

+### C#

+### Java

+To learn more about telemetry processors and their implementation in Java, please reference the [Java telemetry processors documentation](./java-standalone-telemetry-processors.md).

+If `IConfiguration` has loaded configuration from multiple providers, then `services.AddApplicationInsightsTelemetry` prioritizes configuration from `appsettings.json`, irrespective of the order in which providers are added. Use the `services.AddApplicationInsightsTelemetry(IConfiguration)` method to read configuration from IConfiguration without this preferential treatment for `appsettings.json`.

+### Enrich data through HTTP

+```csharp

+HttpContext.Features.Get<RequestTelemetry>().Properties["myProp"] = someData

+```

+* [Dependency Injection in ASP.NET Core](/aspnet/core/fundamentals/dependency-injection)

+* Application Insights spring-boot-starter

+2. The above should get you up and running with pre-aggregated metrics auto collected to Azure Monitor.

+> The telemetry processors feature is designated as preview because we cannot guarantee backwards compatibility from release to release due to the experimental state of the attribute [semantic conventions](https://opentelemetry.io/docs/reference/specification/trace/semantic_conventions). However, the feature has been tested and is supported in production.

+| level |Level of the event. One of the following values: ΓÇ£CriticalΓÇ¥, or ΓÇ£InformationalΓÇ¥ (other levels are not supported) |

+| Azure Media Services | [Media Services monitoring schemas](/azure/media-services/latest/monitoring/monitor-media-services-data-reference#schemas) |

+You can configure certain tables in a Log Analytics workspace to use [Basic Logs](basic-logs-configure.md). Data in these tables has a significantly reduced ingestion charge and a limited retention period. There is a charge though to search against these tables. Basic Logs are intended for high-volume verbose logs you use for debugging, troubleshooting and auditing, but not for analytics and alerts.

+The charge for searching against Basic Logs is based on the GB of data scanned in performing the search.

+## Log data retention and archive

+In addition to data ingestion, there is a charge for the retention of data in each Log Analytics workspace. You can set the retention period for the entire workspace or for each table. After this period, the data is either removed or archived. Archived Logs have a reduced retention charge, and there is a charge search against them. Use Archive Logs to reduce your costs for data that you must store for compliance or occasional investigation.

+## Search jobs

+Searching against Archived Logs uses [search jobs](search-jobs.md). Search jobs are asynchronous queries that fetch records into a new search table within your workspace for further analytics. Search jobs are billed by the number of GB of data scanned on each day that is accessed to perform the search.

+## Log data restore

+For situations in which older or archived logs need to be intensively queried with the full analyitics query capabilities, the [data restore](restore.md) feature is a powerful tool. The restore operation makes a specific time range of data in a table available in the hot cache for high-performance queries. You can later dismiss the data when you're done. Log data restore is billed by the amount of data restored, and by the time the restore is kept active. The minimal values billed for any data restore is 2 TB and 12 hours. Data restored of more than 2 TB and/or more than 12 hours in duration are billed on a pro-rated basis.

+## Log data export

+[Data export](logs-data-export.md) in Log Analytics workspace lets you continuously export data per selected tables in your workspace, to an Azure Storage Account or Azure Event Hubs as it arrives to Azure Monitor pipeline. Charges for the use of data export are based on the amount of data exported. The size of data exported is the number of bytes in the exported JSON formatted data.

+- See [Azure Monitor best practices - Cost management](../best-practices-cost.md) for best practices on configuring and managing Azure Monitor to minimize your charges.

+## Pricing model

+Data export charges are based on the volume of data exported measured in bytes. The size of data exported by Log Analytics Data Export is the number of bytes in the exported JSON formatted data. Data volume is measured in GB (10^9 bytes)

+For more information, including the data export billing timeline, see [Azure Monitor pricing](https://azure.microsoft.com/pricing/details/monitor/).

+ | [Azure Media Services](/azure/media-services/) | Microsoft.Medi#microsoftmediamediaservices) | | |

+ | [Azure Media Services](/azure/media-services/) | Microsoft.Medi#microsoftmediamediaservicesliveevents) | No | | |

+ | [Azure Media Services](/azure/media-services/) | Microsoft.Medi#microsoftmediamediaservicesstreamingendpoints) | No | | |

+ | [Azure Media Services](/azure/media-services/) | Microsoft.Medi#microsoftmediavideoanalyzers) | | |

+- Complete a [tutorial on creating a metrics chart to analyze data in Azure Monitor Metrics](essentials/tutorial-metrics.md).

+* Germany West Central

+* [Run Your Most Demanding Oracle Workloads in Azure without Sacrificing Performance or Scalability](https://techcommunity.microsoft.com/t5/azure-architecture-blog/run-your-most-demanding-oracle-workloads-in-azure-without/ba-p/3264545)

+To discover which operations use the Azure Resource Manager URL, see the [Azure REST API](/rest/api/azure/). For example, the [create or update operation](/rest/api/mysql/singleserver/databases/create-or-update) for MySQL is a control plane operation because the request URL is:

+ Title: Move Azure classic deployment resources

+description: Use Azure Resource Manager to move classic deployment resources to a new resource group or subscription.

+# Move guidance for classic deployment model resources

+- Virtual networks (classic) can't be moved.

+- Virtual machines (classic) must be moved with the cloud service.

+- Cloud service can only be moved when the move includes all its virtual machines.

+- Only one cloud service can be moved at a time.

+- Only one storage account (classic) can be moved at a time.

+- Storage account (classic) can't be moved in the same operation with a virtual machine or a cloud service.

+When moving classic cloud services to a new subscription, the following restrictions apply:

+- The source and target subscriptions need to be under the same Azure AD tenant.

+- Cloud Service Provider (CSP) subscriptions do not support migrating classic cloud services.

+- All classic resources in the subscription must be moved in the same operation.

+- The target subscription must not have any other classic resources.

+- The move can only be requested through a separate REST API for classic moves. The standard Resource Manager move commands don't work when moving classic resources to a new subscription.

+## Possible error messages in the source subscription validation stage

+### "Subscription migration for SubscriptionId {subscription ID} cannot continue as IaaS classic to ARM migration is in progress for the following deployment resource: _xx in HostedService {classic-cloud-service-name}_"

+This message means there is a classic cloud service that is ongoing migrating to the cloud service (extended support). Users should abort this ARM migration operation and then retry validation.

+### "Source subscription _{subscription ID}_ is empty"

+The source subscription cannot be empty, disabled, deleted or currently undergoing migration. During the migration period, write operations are not allowed on resources within the subscription.

+### "Source subscription contains application(s) which doesn't support migration: _{application name}_"

+### "Source subscription contains following cloud service(s) which doesn't support migration: _{cloud service name}_"

+The resources mentioned in the error message cannot be migrated, so users should delete these resources before triggering the migration.

+### More information

+The domain name and the public IP are still the same as before migration. Under normal circumstances, there should be no downtime for the cloud service during the migration.

+1. Learn how to [collect metrics](https://github.com/Azure/iotedge/blob/main/test/modules/TestMetricsCollector/Program.cs)

+1. Use Docker CLI commands to build the [Docker file](https://github.com/Azure/iotedge/blob/main/mqtt/docker/linux/amd64/Dockerfile) and publish the image to your Azure container registry.

+|Media Insights|[Enhanced](video-indexer-output-json-v2.md) |[Fundamentals](/azure/media-services/latest/analyze-video-audio-files-concept)|

+[Media Services v3 overview](/azure/media-services/latest/media-services-overview)

+1. Use the [Azure](https://portal.azure.com/) portal to create an Azure Media Services account, as described in [Create an account](/azure/media-services/previous/media-services-portal-create-account).

+4. For Video Analyzer for Media to authenticate with Media Services API, an AD app needs to be created. The following steps guide you through the Azure AD authentication process described in [Get started with Azure AD authentication by using the Azure portal](/azure/media-services/previous/media-services-portal-get-started-with-aad):

+ 2. Select [Service principal authentication method](/azure/media-services/previous/media-services-portal-get-started-with-aad).

+Starting August 1st 2021, Azure Video Analyzer for Media (formerly Video Indexer) enabled [Reserved Units](/azure/media-services/latest/concept-media-reserved-units)(MRUs) auto scaling by [Azure Media Services](/azure/media-services/latest/media-services-overview) (AMS), as a result you do not need to manage them through Azure Video Analyzer for Media. That will allow price optimization, e.g. price reduction in many cases, based on your business needs as it is being auto scaled.

+[docs-ms]: /azure/media-services/latest/media-services-overview

+* An Azure Media Services (AMS) account. You can create one for free through the [Create AMS Account](/azure/media-services/latest/account-create-how-to).

+For a list of file formats that you can use with Video Analyzer for Media, see [Standard Encoder formats and codecs](/azure/media-services/latest/encode-media-encoder-standard-formats-reference).

+The default setting is [content-aware encoding](/azure/media-services/latest/encode-content-aware-concept).

+Starting August 1st 2021, Azure Video Analyzer for Media (formerly Video Indexer) enabled [Media Reserved Units (MRUs)](/azure/media-services/latest/concept-media-reserved-units) auto scaling by [Azure Media Services](/azure/media-services/latest/media-services-overview), as a result you do not need to manage them through Azure Video Analyzer for Media. That will allow price optimization, for example price reduction in many cases, based on your business needs as it is being auto scaled.

+* Use existing an Azure Media Services asset by providing the [asset ID](/azure/media-services/latest/assets-concept). This option is supported in paid accounts only.

+For a list of file formats that you can use with Video Analyzer for Media, see [Standard Encoder formats and codecs](/azure/media-services/latest/encode-media-encoder-standard-formats-reference).

+The default setting is [content-aware encoding](/azure/media-services/latest/encode-content-aware-concept).

+See the [input container/file formats](/azure/media-services/latest/encode-media-encoder-standard-formats-reference) article for a list of file formats that you can use with Video Analyzer for Media.

+#Customer intent: As an Azure service administrator, I want to <define conditional forwarding rules for a desired domain name to a desired set of private DNS servers via the NSX-T Data Center DNS Service.>

+By default, Azure VMware Solution management components such as vCenter Server can only resolve name records available through Public DNS. However, certain hybrid use cases require Azure VMware Solution management components to resolve name records from privately hosted DNS to properly function, including customer-managed systems such as vCenter Server and Active Directory.

+Private DNS for Azure VMware Solution management components lets you define conditional forwarding rules for the desired domain name to a selected set of private DNS servers through the NSX-T Data Center DNS Service.

+This capability uses the DNS Forwarder Service in NSX-T Data Center. A DNS service and default DNS zone are provided as part of your private cloud. To enable Azure VMware Solution management components to resolve records from your private DNS systems, you must define an FQDN zone and apply it to the NSX-T Data Center DNS Service. The DNS Service conditionally forwards DNS queries for each zone based on the external DNS servers defined in that zone.

+>If desired, you can also use the conditional forwarding rules for workload segments by configuring virtual machines on those segments to use the NSX-T Data Center DNS Service IP address as their DNS server.

+The diagram shows that the NSX-T Data Center DNS Service can forward DNS queries to DNS systems hosted in Azure and on-premises environments.

+ >While NSX-T Data Center allows spaces and other non-alphanumeric characters in a DNS zone name, certain NSX-T Data Center resources such as a DNS Zone are mapped to an Azure resource whose names donΓÇÖt permit certain characters.

+ >As a result, DNS zone names that would otherwise be valid in NSX-T Data Center may need adjustment to adhere to the [Azure resource naming conventions](../azure-resource-manager/management/resource-name-rules.md#microsoftresources).

+ It takes several minutes to complete, and once finished, you'll see the *Completed* message from **Notifications**. At this point, management components in your private cloud should be able to resolve DNS entries from the FQDN zone provided to the NSX-T Data Center DNS Service.

+The NSX-T Policy API lets you run nslookup commands from the NSX-T Data Center DNS Forwarder Service. The required cmdlets are part of the `VMware.VimAutomation.Nsxt` module in PowerCLI. The following example demonstrates output from version 12.3.0 of that module.

+1. Connect to your NSX-T Manager cluster.

+ >You can obtain the IP address of your NSX-T Manager cluster from the Azure portal under **Manage** > **Identity**.

+DHCP does not work for virtual machines (VMs) on the VMware HCX L2 stretch network when the DHCP server is in the on-premises data center. This is because NSX-T Data Center, by default, blocks all DHCP requests from traversing the L2 stretch. Therefore, to send DHCP requests from your Azure VMware Solution VMs to a non-NSX-T Data Center DHCP server, you'll need to configure DHCP on L2 stretched VMware HCX networks.

+ 1. Sign in to your on-premises vCenter Server, and under **Home**, select **HCX**.

+ :::image type="content" source="media/manage-dhcp/add-segment-profile.png" alt-text="Screenshot of how to add a segment profile in NSX-T Data Center." lightbox="media/manage-dhcp/add-segment-profile.png":::

+ Title: Configure NSX-T Data Center network components using Azure VMware Solution

+description: Learn how to use the Azure VMware Solution to configure NSX-T Data Center network segments.

+# Customer intent: As an Azure service administrator, I want to configure NSX-T Data Center network components using a simplified view of NSX-T Data Center operations a VMware administrator needs daily. The simplified view is targeted at users unfamiliar with NSX-T Manager.

+# Configure NSX-T Data Center network components using Azure VMware Solution

+An Azure VMware Solution private cloud comes with NSX-T Data Center by default. The private cloud comes pre-provisioned with an NSX-T Data Center Tier-0 gateway in **Active/Active** mode and a default NSX-T Data Center Tier-1 gateway in Active/Standby mode. These gateways let you connect the segments (logical switches) and provide East-West and North-South connectivity.

+After deploying Azure VMware Solution, you can configure the necessary NSX-T Data Center objects from the Azure portal. It presents a simplified view of NSX-T Data Center operations a VMware administrator needs daily and is targeted at users not familiar with NSX-T Manager.

+You'll have four options to configure NSX-T Data Center components in the Azure VMware Solution console:

+- **Segments** - Create segments that display in NSX-T Manager and vCenter Server. For more information, see [Add an NSX-T Data Center segment using the Azure portal](tutorial-nsx-t-network-segment.md#use-azure-portal-to-add-an-nsx-t-segment).

+>You'll still have access to the NSX-T Manager console, where you can use the advanced settings mentioned and other NSX-T Data Center features.

+An Azure VMware Solution private cloud with access to the vCenter Server and NSX-T Manager interfaces. For more information, see the [Configure networking](tutorial-configure-networking.md) tutorial.

+1. Test your connection by [creating an NSX-T Data Center segment](./tutorial-nsx-t-network-segment.md) and provisioning a VM on the network. Ping both the on-premise and Azure VMware Solution endpoints.

+#Customer intent: As an Azure service administrator, I want set the VMware vSAN storage policies to determine how storage is allocated to the VM.

+VMware vSAN storage policies define storage requirements for your virtual machines (VMs). These policies guarantee the required level of service for your VMs because they determine how storage is allocated to the VM. Each VM deployed to a vSAN datastore is assigned at least one VM storage policy.

+Now that you've learned how to configure VMware vSAN storage policies, you can learn more about:

+- [How to configure external identity for vCenter](configure-identity-source-vcenter.md) - vCenter Server has a built-in local user called cloudadmin and assigned to the CloudAdmin role. The local cloudadmin user is used to set up users in Active Directory (AD). With the Run command feature, you can configure Active Directory over LDAP or LDAPS for vCenter as an external identity source.

+#Customer intent: As an Azure service administrator, I want to collect VMware syslogs and store it in my storage account so that I can view the vCenter Server logs and analyze for any diagnostic purposes.

+In this article, you'll configure a diagnostic setting to collect VMware syslogs for your Azure VMware Solution private cloud. You'll store the syslog to a storage account to view the vCenter Server logs and analyze for diagnostic purposes.

+Make sure you have an Azure VMware Solution private cloud with access to the vCenter Server and NSX-T Manager interfaces.

+The following diagram illustrates the architecture of WSFC virtual nodes on an Azure VMware Solution private cloud. It shows where Azure VMware Solution resides, including the WSFC virtual servers (blue box), in relation to the broader Azure platform. This diagram illustrates a typical hub-spoke architecture, but a similar setup is possible using Azure Virtual WAN. Both offer all the value other Azure services can bring you.

+6. Configure a Cluster Witness for quorum (this can be a file share witness).

+ - **Validate Network Communication**. The Cluster Validation test displays a warning indicating that only one network interface per cluster node is available. You can ignore this warning. Azure VMware Solution provides the required availability and performance needed, since the nodes are connected to one of the NSX-T Data Center segments. However, keep this item as part of the Cluster Validation test, as it validates other aspects of network communication.

+16. Create a Placement Policy to situate the WSFC VMs on the same Azure VMware Solution nodes. To do so, you need a host-to-VM affinity rule. This way, cluster nodes will run on the same Azure VMware Solution host.

+- [JetStream DR on Azure Marketplace](https://ms.portal.azure.com/#blade/Microsoft_Azure_Marketplace/GalleryItemDetailsBladeNopdl/id/jetstreamsoftware1596597632545.jsdravs-111721)

+| **JetStream Management Server Virtual Appliance (MSA)** | MSA enables both Day 0 and Day 2 configuration, such as primary sites, protection domains, and recovering VMs. MSA is installed on a vSphere node by the cloud admin. The MSA implements a vCenter Server plugin that allows you to manage JetStream DR natively from vCenter Server. The MSA doesn't handle replication data of protected VMs. |

+| **JetStream ESXi host components (IO Filter packages)** | JetStream software installed on each ESXi host configured for JetStream DR. The host driver intercepts the vSphere VMs IO and sends the replication data to the DRVA. |

+- On-premises VMware vSphere to Azure VMware Solution DR

+### Scenario 1: On-premises VMware vSphere to Azure VMware Solution DR

+In this scenario, the primary site is your on-premises VMware vSphere environment and the DR site is an Azure VMware Solution private cloud.

+### Scenario 1: On-premises VMware vSphere to Azure VMware Solution DR

+- [Setup and Subscribe to JetStream DR](https://ms.portal.azure.com/#blade/Microsoft_Azure_Marketplace/GalleryItemDetailsBladeNopdl/id/jetstreamsoftware1596597632545.jsdravs-111721) from the Azure Marketplace to download the JetStream DR software.

+- An NSX-T Data Center network segment configured on Azure VMware Solution private cloud and optionally enable DHCP on the segment for the JetStream Virtual appliances.

+- A DNS server configured to resolve the IP addresses of Azure VMware Solution vCenter Server, Azure VMware Solution ESXi hosts, Azure Storage account, and the JetStream Marketplace service for the JetStream virtual appliances.

+- [Setup and Subscribe to JetStream DR](https://ms.portal.azure.com/#blade/Microsoft_Azure_Marketplace/GalleryItemDetailsBladeNopdl/id/jetstreamsoftware1596597632545.jsdravs-111721) from the Azure Marketplace to download the JetStream DR software.

+- An NSX-T Data Center network segment configured on Azure VMware Solution private cloud and optionally enable DHCP on the segment for the JetStream Virtual appliances.

+- A DNS server configured on both the primary and DR sites to resolve the IP addresses of Azure VMware Solution vCenter Server, Azure VMware Solution ESXi hosts, Azure Storage account, and the JetStream Marketplace service for the JetStream virtual appliances.

+ | **Network** | Name of the NSX-T Data Center network segment where you must deploy the JetStream MSA. |

+ | **Network** | Name of the NSX-T Data Center network segment where you must deploy the JetStream MSA. |

+ | **Network** | Name of the NSX-T Data Center network segment where you must deploy the JetStream MSA. |

+If choosing the NE path for example, the MON policy routes have to specifically address the subnet on the on-premises side; otherwise, the 0.0.0.0/0 default route is used. Policy routes can be found under the NE segment, selecting advanced. By default, all RFC1918 IP addresses are included in the MON policy routes definition.

+> [!VIDEO https://www.youtube.com/embed/xg_TnyhK34o]

+MicrosoftWindowsServer | WindowsServer | Windows Server 2016 Datacenter - Gen 2 (2016-Datacenter-gensecond)

+MicrosoftWindowsServer | WindowsServer | Windows Server 2019 Datacenter - Gen 2 (2019-Datacenter-gensecond)

+MicrosoftWindowsServer | WindowsServer | Windows Server 2022 Datacenter - Gen 2 (2022-datacenter-g2)

+MicrosoftWindowsServer | WindowsServer | [smalldisk] Windows Server 2022 Datacenter: Azure Edition - Gen 2 (2022-datacenter-azure-edition-smalldisk)

+MicrosoftWindowsServer | WindowsServer | [smalldisk] Windows Server 2022 Datacenter: Azure Edition Core - Gen 2 (2022-datacenter-azure-edition-core-smalldisk)

+MicrosoftWindowsServer | WindowsServer | [smalldisk] Windows Server 2022 Datacenter -Gen 2 (2022-datacenter-smalldisk-g2)

+MicrosoftWindowsServer | WindowsServer | [smalldisk] Windows Server 2022 Datacenter -Gen 1 (2022-datacenter-smalldisk)

+MicrosoftWindowsServer | WindowsServer | [smalldisk]Windows Server 2022 Datacenter Server Core -Gen 1 (2022-datacenter-core-smalldisk)

+> [!NOTE]

+> Private endpoints are supported for Azure Backup and Azure storage. Azure AD has support private end-points in private preview. Until they are generally available, Azure backup supports setting up proxy for AAD so that no outbound connectivity is required for HANA VMs. Refer to the [proxy support section](#use-an-http-proxy-server-to-route-traffic) for more details.

+##### Using an HTTP proxy server for AAD traffic

+1. Go to the "opt/msawb/bin" folder

+2. Create a new JSON file named "ExtensionSettingOverrides.JSON"

+3. Add a key-value pairs to the JSON file as follows:

+ ```json

+ {

+ "UseProxyForAAD":true,

+ "UseProxyForAzureBackup":false,

+ "UseProxyForAzureStorage":false,

+ "ProxyServerAddress":"http://xx.yy.zz.mm:port"

+ }

+ ```

+4. Change the permissions and ownership of the file as follows:

+

+ ```bash

+ chmod 750 ExtensionSettingsOverrides.json

+ chown root:msawb ExtensionSettingsOverrides.json

+ ```

+5. No restart of any service is required. The Azure Backup service will attempt to route the AAD traffic via the proxy server mentioned in the JSON file.

+1. To configure cache headers using Azure portal, refer to [How to Manage Streaming Endpoints](/azure/media-services/previous/media-services-portal-manage-streaming-endpoints) section Configuring the Streaming Endpoint.

+

+ :::image type="content" source="./media/cdn-create-new-endpoint/cdn-select-endpoint.png" alt-text="Create CDN endpoint.":::

+ :::image type="content" source="./media/cdn-create-new-endpoint/cdn-add-endpoint.png" alt-text="Add endpoint pane.":::

+

+ :::image type="content" source="./media/cdn-create-new-endpoint/cdn-endpoint-success.png" alt-text="View added endpoint.":::

+This article demonstrates how to call the Image Analysis API to return information about an image's visual features. It also shows you how to parse the returned information using the client SDKs or REST API.

+This guide assumes you have already <a href="https://portal.azure.com/#create/Microsoft.CognitiveServicesComputerVision" title="created a Computer Vision resource" target="_blank">created a Computer Vision resource </a> and obtained a subscription key and endpoint URL. If you're using a client SDK, you'll also need to authenticate a client object. If you haven't done these steps, follow the [quickstart](../quickstarts-sdk/image-analysis-client-library.md) to get started.

+The code in this guide uses remote images referenced by URL. You may want to try different images on your own to see the full capability of the Image Analysis features.

+#### [REST](#tab/rest)

+When analyzing a local image, you put the binary image data in the HTTP request body. For a remote image, you specify the image's URL by formatting the request body like this: `{"url":"http://example.com/images/test.jpg"}`.

+#### [C#](#tab/csharp)

+In your main class, save a reference to the URL of the image you want to analyze.

+[!code-csharp[](~/cognitive-services-quickstart-code/dotnet/ComputerVision/ImageAnalysisQuickstart.cs?name=snippet_analyze_url)]

+#### [Java](#tab/java)

+In your main class, save a reference to the URL of the image you want to analyze.

+[!code-java[](~/cognitive-services-quickstart-code/java/ComputerVision/src/main/java/ImageAnalysisQuickstart.java?name=snippet_urlimage)]

+#### [JavaScript](#tab/javascript)

+In your main function, save a reference to the URL of the image you want to analyze.

+[!code-javascript[](~/cognitive-services-quickstart-code/javascript/ComputerVision/ImageAnalysisQuickstart.js?name=snippet_describe_image)]

+#### [Python](#tab/python)

+Save a reference to the URL of the image you want to analyze.

+[!code-python[](~/cognitive-services-quickstart-code/python/ComputerVision/ImageAnalysisQuickstart.py?name=snippet_remoteimage)]

+### Select visual features

+The Analyze API gives you access to all of the service's image analysis features. Choose which operations to do based on your own use case. See the [overview](../overview.md) for a description of each feature. The examples below add all of the available visual features, but for practical usage you'll likely only need one or two.

+#### [REST](#tab/rest)

+You can specify which features you want to use by setting the URL query parameters of the [Analyze API](https://westus.dev.cognitive.microsoft.com/docs/services/computer-vision-v3-2/operations/56f91f2e778daf14a499f21b). A parameter can have multiple values, separated by commas. Each feature you specify will require more computation time, so only specify what you need.

+|`visualFeatures`|`Adult` | detects if the image is pornographic in nature (depicts nudity or a sex act), or is gory (depicts extreme violence or blood). Sexually suggestive content ("racy" content) is also detected.|

+|`visualFeatures`|`Categories` | categorizes image content according to a taxonomy defined in documentation. This value is the default value of `visualFeatures`.|

+A populated URL might look like this:

+#### [C#](#tab/csharp)

+Define your new method for image analysis. Add the code below, which specifies visual features you'd like to extract in your analysis. See the **[VisualFeatureTypes](/dotnet/api/microsoft.azure.cognitiveservices.vision.computervision.models.visualfeaturetypes)** enum for a complete list.

+[!code-csharp[](~/cognitive-services-quickstart-code/dotnet/ComputerVision/ImageAnalysisQuickstart.cs?name=snippet_visualfeatures)]

+#### [Java](#tab/java)

+Specify which visual features you'd like to extract in your analysis. See the [VisualFeatureTypes](/java/api/com.microsoft.azure.cognitiveservices.vision.computervision.models.visualfeaturetypes) enum for a complete list.

+[!code-java[](~/cognitive-services-quickstart-code/java/ComputerVision/src/main/java/ImageAnalysisQuickstart.java?name=snippet_features_remote)]

+#### [JavaScript](#tab/javascript)

+Specify which visual features you'd like to extract in your analysis. See the [VisualFeatureTypes](/javascript/api/@azure/cognitiveservices-computervision/visualfeaturetypes?view=azure-node-latest) enum for a complete list.

+[!code-javascript[](~/cognitive-services-quickstart-code/javascript/ComputerVision/ImageAnalysisQuickstart.js?name=snippet_features_remote)]

+#### [Python](#tab/python)

+Specify which visual features you'd like to extract in your analysis. See the [VisualFeatureTypes](/python/api/azure-cognitiveservices-vision-computervision/azure.cognitiveservices.vision.computervision.models.visualfeaturetypes?view=azure-python) enum for a complete list.

+[!code-python[](~/cognitive-services-quickstart-code/python/ComputerVision/ImageAnalysisQuickstart.py?name=snippet_features_remote)]

+You can also specify the language of the returned data.

+#### [REST](#tab/rest)

+The following URL query parameter specifies the language. The default value is `en`.

+A populated URL might look like this:

+#### [C#](#tab/csharp)

+Use the *language* parameter of [AnalyzeImageAsync](/dotnet/api/microsoft.azure.cognitiveservices.vision.computervision.computervisionclientextensions.analyzeimageasync?view=azure-dotnet#microsoft-azure-cognitiveservices-vision-computervision-computervisionclientextensions-analyzeimageasync(microsoft-azure-cognitiveservices-vision-computervision-icomputervisionclient-system-string-system-collections-generic-ilist((system-nullable((microsoft-azure-cognitiveservices-vision-computervision-models-visualfeaturetypes))))-system-collections-generic-ilist((system-nullable((microsoft-azure-cognitiveservices-vision-computervision-models-details))))-system-string-system-collections-generic-ilist((system-nullable((microsoft-azure-cognitiveservices-vision-computervision-models-descriptionexclude))))-system-string-system-threading-cancellationtoken)) call to specify a language. A method call that specifies a language might look like the following.

+```csharp

+ImageAnalysis results = await client.AnalyzeImageAsync(imageUrl, visualFeatures: features, language: "en");

+```

+#### [Java](#tab/java)

+Use the [AnalyzeImageOptionalParameter](/java/api/com.microsoft.azure.cognitiveservices.vision.computervision.models.analyzeimageoptionalparameter) input in your Analyze call to specify a language. A method call that specifies a language might look like the following.

+```java

+ImageAnalysis analysis = compVisClient.computerVision().analyzeImage().withUrl(pathToRemoteImage)

+ .withVisualFeatures(featuresToExtractFromLocalImage)

+ .language("en")

+ .execute();

+```

+#### [JavaScript](#tab/javascript)

+Use the **language** property of the [ComputerVisionClientAnalyzeImageOptionalParams](/javascript/api/@azure/cognitiveservices-computervision/computervisionclientanalyzeimageoptionalparams) input in your Analyze call to specify a language. A method call that specifies a language might look like the following.

+```javascript

+const result = (await computerVisionClient.analyzeImage(imageURL,{visualFeatures: features, language: 'en'}));

+```

+#### [Python](#tab/python)

+Use the *language* parameter of your [analyze_image](/python/api/azure-cognitiveservices-vision-computervision/azure.cognitiveservices.vision.computervision.operations.computervisionclientoperationsmixin?view=azure-python#azure-cognitiveservices-vision-computervision-operations-computervisionclientoperationsmixin-analyze-image) call to specify a language. A method call that specifies a language might look like the following.

+```python

+results_remote = computervision_client.analyze_image(remote_image_url , remote_image_features, remote_image_details, 'en')

+```

+## Get results from the service

+This section shows you how to parse the results of the API call. It includes the API call itself.

+> Some of the features in Image Analysis can be called directly as well as through the Analyze API call. For example, you can do a scoped analysis of only image tags by making a request to `https://{endpoint}/vision/v3.2/tag` (or to the corresponding method in the SDK). See the [reference documentation](https://westus.dev.cognitive.microsoft.com/docs/services/computer-vision-v3-2/operations/56f91f2e778daf14a499f21b) for other features that can be called separately.

+#### [REST](#tab/rest)

+The service returns a `200` HTTP response, and the body contains the returned data in the form of a JSON string. The following text is an example of a JSON response.

+ * `NotSupportedVisualFeature` - Specified feature type isn't valid.

+ * `NotSupportedLanguage` - The requested operation isn't supported in the language specified.

+ * `BadArgument` - More details are provided in the error message.

+* 415 - Unsupported media type error. The Content-Type isn't in the allowed types:

+#### [C#](#tab/csharp)

+The following code calls the Image Analysis API and prints the results to the console.

+[!code-csharp[](~/cognitive-services-quickstart-code/dotnet/ComputerVision/ImageAnalysisQuickstart.cs?name=snippet_analyze)]

+#### [Java](#tab/java)

+The following code calls the Image Analysis API and prints the results to the console.

+[!code-java[](~/cognitive-services-quickstart-code/java/ComputerVision/src/main/java/ImageAnalysisQuickstart.java?name=snippet_analyze)]

+#### [JavaScript](#tab/javascript)

+The following code calls the Image Analysis API and prints the results to the console.

+[!code-javascript[](~/cognitive-services-quickstart-code/javascript/ComputerVision/ImageAnalysisQuickstart.js?name=snippet_analyze)]

+#### [Python](#tab/python)

+The following code calls the Image Analysis API and prints the results to the console.

+[!code-python[](~/cognitive-services-quickstart-code/python/ComputerVision/ImageAnalysisQuickstart.py?name=snippet_analyze)]

+* Explore the [concept articles](../concept-object-detection.md) to learn more about each feature.

+* See the [API reference](https://westus.dev.cognitive.microsoft.com/docs/services/computer-vision-v3-2/operations/56f91f2e778daf14a499f21b) to learn more about the API functionality.

+Get started with the Image Analysis REST API or client libraries. The Analyze Image service provides you with AI algorithms for processing images and returning information on their visual features. Follow these steps to install a package to your application and try out the sample code for a basic task.

+Follow the instructions in [Create an Azure Media Services account](/azure/media-services/previous/media-services-portal-create-account) to subscribe to AMS and create an associated Azure storage account. In that storage account, create a new Blob storage container.

+For a more thorough walkthrough of the above process, See [Get started with Azure AD authentication](/azure/media-services/previous/media-services-portal-get-started-with-aad).

+[Download the Visual Studio solution](https://github.com/Azure-Samples/cognitive-services-dotnet-sdk-samples/tree/master/ContentModerator) for this and other Content Moderator quickstarts for .NET.

+To train the detector model, select the **Train** button. The detector uses all of the current images and their tags to create a model that identifies each tagged object. This process can take several minutes.

+- A set of images with which to train your classifier. You can use the set of [sample images](https://github.com/Azure-Samples/cognitive-services-sample-data-files/tree/master/CustomVision/ImageClassification/Images) on GitHub. Or, you can choose your own images using the tips below.

+To train the classifier, select the **Train** button. The classifier uses all of the current images to create a model that identifies the visual qualities of each tag. This process can take several minutes.

+Data with these errors will not be used for training. Imported data with errors will be ignored, so you don't need to delete them. You can resubmit the corrected data for training.

+### Difference between voice talent script and training script

+The training script can differ from the voice talent script, especially for scripts that contain digits, symbols, abbreviations, date, and time. Scripts prepared for the voice talent must follow the native reading conventions, such as 50% and $45. The scripts used for training must be normalized to match the audio recording, such as *fifty percent* and *forty-five dollars*.

+> [!NOTE]

+> We provide some example scripts for the voice talent on [GitHub](https://github.com/Azure-Samples/Cognitive-Speech-TTS/tree/master/CustomVoice/script). To use the example scripts for training, you must normalize them according to the recordings of your voice talent before uploading the file.

+The following table shows the difference between scripts for voice talent and the normalized script for training.

+| Category |Voice talent script example | Training script example (normalized) |

+| | | |

+| Digits |123| one hundred and twenty-three |

+| Symbols |50%| fifty percent|

+| Abbreviation |ASAP| as soon as possible|

+| Date and time |March 3rd at 5:00 PM| March third at five PM|

+* [Install Java (version 8) for Windows](https://developers.redhat.com/products/openjdk/download)

+> Note that there are certain known incompatible build targets with newer versions. If you already have a newer version of Java, you can still download JDK8.

+> If you have newer Java installed in addition to JDK8: Set the %JAVA_HOME% variable in the local command prompt to target JDK8. This will only change Java version for the current session and leave global machine settings intact.

+| Partial | Only supported with unique indexes |

+| $expr | Yes |

+| Partial | Only supported with unique indexes |

+| $expr | Yes |

+Azure Cosmos DB supports a time-to-live (TTL) based on the timestamp of the document. TTL can be enabled for collections from the [Azure portal](https://portal.azure.com).

+ - If all you know is the number of vCores and servers in your existing database cluster, read about [estimating request units using vCores or vCPUs](../convert-vcore-to-request-unit.md)

+| Partial | Only supported with unique indexes |

+| $expr | Yes |

+Azure Cosmos DB supports a time-to-live (TTL) based on the timestamp of the document. TTL can be enabled for collections from the [Azure portal](https://portal.azure.com).

+ - If all you know is the number of vCores and servers in your existing database cluster, read about [estimating request units using vCores or vCPUs](../convert-vcore-to-request-unit.md).

+#### Limitations

+On accounts that have continuous backup or synapse link enabled, unique indexes will need to be created while the collection is empty.

+#### Unique partial indexes

+Unique partial indexes can be created by specifying a partialFilterExpression along with the 'unique' constraint in the index. This results in the unique constraint being applied only to the documents that meet the specified filter expression.

+The unique constraint will not be effective for documents that do not meet the specified criteria. As a result, other documents will not be prevented from being inserted into the collection.

+This feature is supported with the Cosmos DB API for MongoDB versions 3.6 and above.

+To create a unique partial index from Mongo Shell, use the command `db.collection.createIndex()` with the 'partialFilterExpression' option and 'unique' constraint.

+The partialFilterExpression option accepts a json document that specifies the filter condition using:

+* equality expressions (i.e. field: value or using the $eq operator),

+*'$exists: true' expression,

+* $gt, $gte, $lt, $lte expressions,

+* $type expressions,

+* $and operator at the top-level only

+The following command creates an index on collection `books` that specifies a unique constraint on the `title` field and a partial filter expression `rating: { $gte: 3 }`:

+```shell

+db.books.createIndex(

+ { Title: 1 },

+ { unique: true, partialFilterExpression: { rating: { $gte: 3 } } }

+)

+```

+To delete a partial unique index using om Mongo Shell, use the command `getIndexes()` to list the indexes in the collection.

+Then drop the index with the following command:

+```shell

+db.books.dropIndex("indexName")

+```

+| <input type="checkbox"/> | SDK Logging | Use SDK logging to capture additional diagnostics information and troubleshoot latency issues. Log the [CosmosDiagnostics](/java/api/com.azure.cosmos.cosmosdiagnostics?view=azure-java-stable&preserve-view=true) in Java SDK for more detailed cosmos diagnostic information for the current request to the service. As an example use case, capture Diagnostics on any exception and on completed operations if the `CosmosDiagnostics#getDuration()` is greater than a designated threshold value (i.e. if you have an SLA of 10 seconds, then capture diagnostics when `getDuration()` > 10 seconds). It's advised to only use these diagnostics during performance testing. For more information, follow [capture diagnostics on Java SDK](/azure/cosmos-db/sql/troubleshoot-java-sdk-v4-sql#capture-the-diagnostics) |

+The Billing account overview page might show costs that differ from costs shown in the EA portal.

+>[!NOTE]

+>The **Select date range** selector doesnΓÇÖt affect or change overview tiles. Instead, the overview tiles show the costs for the current billing month. This behavior is intentional.

+Data shown in the bar graph is determined by the date selection.

+Here's how values in the overview tiles are calculated.

+- The value shown in the **Charges against credit** tile is calculated as the sum of `adjustments`.

+- The value shown in the **Service overage** tile is calculated as the sum of `ServiceOverage`.

+- The value shown in the **Billed separately** tile is calculated as the sum of `chargesBilledseparately`.

+- The value shown in the **Azure Marketplace** tile is calculated as the sum of `azureMarketplaceServiceCharges`.

+- The value shown in the **New purchase amount** tile is calculated as the sum of `newPurchases`.

+- The value shown in the **Total charges** tile is calculated as the sum of (`adjustments` + `ServiceOverage` + `chargesBilledseparately` + `azureMarketplaceServiceCharges`).

+The EA portal doesn't the Total charges column. The Power BI template app includes Adjustments, Service Overage, Charges billed separately, and Azure marketplace service charges as Total charges.

+

+The Prepayment Usage shown in the EA portal isn't available in the Template app as part of the total charges.

+You will generate two data flows in this tutorial. The first data flow is a simple source to sink to generate a new Delta Lake from the movies CSV file from above. Lastly, you'll create this flow design below to update data in Delta Lake.

+- [Deploy a cloud managed VM via a script](https://github.com/Azure-Samples/azure-stack-edge-deploy-vms/blob/master/dotnetSamples/CloudManaged/README.md)

+> [!IMPORTANT]

+> Solution targeting has been deprecated because the Log Analytics agent is being replaced with the Azure Monitor agent and solutions in Azure Monitor are being replaced with insights. You can continue to use solution targeting if you already have it configured, but it is not available in new regions.

+> The feature will not be supported after August 31, 2024.

+> Regions that support solution targeting until the deprecation date are:

+>

+> | Region code | Region name |

+> | : | :- |

+> | CCAN | canadacentral |

+> | CHN | switzerlandnorth |

+> | CID | centralindia |

+> | CQ | brazilsouth |

+> | CUS | centralus |

+> | DEWC | germanywestcentral |

+> | DXB | UAENorth |

+> | EA | eastasia |

+> | EAU | australiaeast |

+> | EJP | japaneast |

+> | EUS | eastus |

+> | EUS2 | eastus2 |

+> | NCUS | northcentralus |

+> | NEU | NorthEurope |

+> | NOE | norwayeast |

+> | PAR | FranceCentral |

+> | SCUS | southcentralus |

+> | SE | KoreaCentral |

+> | SEA | southeastasia |

+> | SEAU | australiasoutheast |

+> | SUK | uksouth |

+> | WCUS | westcentralus |

+> | WEU | westeurope |

+> | WUS | westus |

+> | WUS2 | westus2 |

+>

+> | Air-gapped clouds | Region code | Region name |

+> | :- | :- | :- |

+> | UsNat | EXE | usnateast |

+> | UsNat | EXW | usnatwest |

+> | UsGov | FF | usgovvirginia |

+> | China | MC | ChinaEast2 |

+> | UsGov | PHX | usgovarizona |

+> | UsSec | RXE | usseceast |

+> | UsSec | RXW | ussecwest |

+Microsoft Defender for Cloud can stream your security alerts into the most popular Security Information and Event Management (SIEM),

+Security Orchestration Automated Response (SOAR), and IT Service Management (ITSM) solutions.

+Security alerts are notifications that Defender for Cloud generates when it detects threats on your resources.

+Defender for Cloud prioritizes and lists the alerts, along with the information needed for you to quickly investigate the problem.

+Defender for Cloud also provides detailed steps to help you remediate attacks.

+Alerts data is retained for 90 days.

+There are built-in Azure tools for ensuring you can view your alert data in all of the most popular solutions in use today, including:

+## Stream alerts to Microsoft Sentinel

+Defender for Cloud natively integrates with Microsoft Sentinel, Azure's cloud-native SIEM and SOAR solution.

+- [Connect all subscriptions in your tenant to Microsoft Sentinel](https://techcommunity.microsoft.com/t5/azure-sentinel/azure-security-center-auto-connect-to-sentinel/ba-p/1387539)

+## Stream alerts to QRadar and Splunk

+The export of security alerts to Splunk and QRadar uses Event Hubs and a built-in connector.

+You can either use a PowerShell script or the Azure portal to set up the requirements for exporting security alerts for your subscription or tenant.

+Then youΓÇÖll need to use the procedure specific to each SIEM to install the solution in the SIEM platform.

+### Prerequisites

+Before you set up the Azure services for exporting alerts, make sure you have:

+- Azure subscription ([Create a free account](https://azure.microsoft.com/free/))

+- Azure resource group ([Create a resource group](../azure-resource-manager/management/manage-resource-groups-portal.md))

+- **Owner** role on the alerts scope (subscription, management group or tenant), or these specific permissions:

+ - Write permissions for event hubs and the Event Hub Policy

+ - Create permissions for [Azure AD applications](../active-directory/develop/howto-create-service-principal-portal.md#permissions-required-for-registering-an-app), if you aren't using an existing Azure AD application

+ - Assign permissions for policies, if you're using the Azure Policy 'DeployIfNotExist'

+ <!-

+ - if it **has the SecurityCenterFree solution**, you'll need a minimum of read permissions for the workspace solution: `Microsoft.OperationsManagement/solutions/read`

+ - if it **doesn't have the SecurityCenterFree solution**, you'll need write permissions for the workspace solution: `Microsoft.OperationsManagement/solutions/action` -->

+### Step 1. Set up the Azure services

+You can set up your Azure environment to support continuous export using either:

+- A PowerShell script (Recommended)

+ Download and run [the PowerShell script](https://github.com/Azure/Microsoft-Defender-for-Cloud/tree/main/Powershell%20scripts/3rd%20party%20SIEM%20integration).

+ Enter the required parameters and the script performs all of the steps for you.

+ When the script finishes, it outputs the information youΓÇÖll use to install the solution in the SIEM platform.

+- In the Azure portal

+ Here's an overview of the steps you'll do in the Azure portal:

+ 1. Create an Event Hubs namespace and event hub.

+ 2. Define a policy for the event hub with ΓÇ£SendΓÇ¥ permissions.

+ 3. **If you are streaming your alerts to QRadar SIEM** - Create an event hub "Listen" policy, then copy and save the connection string of the policy that youΓÇÖll use in QRadar.

+ 4. Create a consumer group, then copy and save the name that youΓÇÖll use in the SIEM platform.

+ 5. Enable continuous export of your security alerts to the defined event hub.

+ 6. **If you are streaming your alerts to QRadar SIEM** - Create a storage account, then copy and save the connection string to the account that youΓÇÖll use in QRadar.

+ 7. **If you are streaming your alerts to Splunk SIEM**:

+ 1. Create a Microsoft Azure Active Directory application.

+ 2. Save the Tenant, App ID, and App password.

+ 3. Give permissions to the Azure AD Application to read from the event hub you created before.

+ For more detailed instructions, see [Prepare Azure resources for exporting to Splunk and QRadar](export-to-splunk-or-qradar.md).

+### Step 2. Connect the event hub to your preferred solution using the built-in connectors

+Each SIEM platform has a tool to enable it to receive alerts from Azure Event Hubs. Install the tool for your platform to start receiving alerts.

+| Tool | Hosted in Azure | Description |

+|:|:| :|

+| IBM QRadar | No | The Microsoft Azure DSM and Microsoft Azure Event Hubs Protocol are available for download from [the IBM support website](https://www.ibm.com/docs/en/qsip/7.4?topic=microsoft-azure-platform). |

+| Splunk | No | [Splunk Add-on for Microsoft Cloud Services](https://splunkbase.splunk.com/app/3110/) is an open source project available in Splunkbase. <br><br> If you can't install an add-on in your Splunk instance, for example if you're using a proxy or running on Splunk Cloud, you can forward these events to the Splunk HTTP Event Collector using [Azure Function For Splunk](https://github.com/Microsoft/AzureFunctionforSplunkVS), which is triggered by new messages in the event hub. |

+## Stream alerts with continuous export

+To stream alerts into **ArcSight**, **SumoLogic**, **Syslog servers**, **LogRhythm**, **Logz.io Cloud Observability Platform**, and other monitoring solutions, connect Defender for Cloud using continuous export and Azure Event Hubs:

+1. Enable [continuous export](continuous-export.md) to stream Defender for Cloud alerts into a dedicated event hub at the subscription level. To do this at the Management Group level using Azure Policy, see [Create continuous export automation configurations at scale](continuous-export.md?tabs=azure-policy#configure-continuous-export-at-scale-using-the-supplied-policies).

+2. Connect the event hub to your preferred solution using the built-in connectors:

+ | Tool | Hosted in Azure | Description |

+ |:|:| :|

+ | SumoLogic | No | Instructions for setting up SumoLogic to consume data from an event hub are available at [Collect Logs for the Azure Audit App from Event Hubs](https://help.sumologic.com/Send-Data/Applications-and-Other-Data-Sources/Azure-Audit/02Collect-Logs-for-Azure-Audit-from-Event-Hub). |

+ | ArcSight | No | The ArcSight Azure Event Hubs smart connector is available as part of [the ArcSight smart connector collection](https://community.microfocus.com/cyberres/arcsight/f/arcsight-product-announcements/163662/announcing-general-availability-of-arcsight-smart-connectors-7-10-0-8114-0). |

+ | Syslog server | No | If you want to stream Azure Monitor data directly to a syslog server, you can use a [solution based on an Azure function](https://github.com/miguelangelopereira/azuremonitor2syslog/).

+ | LogRhythm | No| Instructions to set up LogRhythm to collect logs from an event hub are available [here](https://logrhythm.com/six-tips-for-securing-your-azure-cloud-environment/).

+ |Logz.io | Yes | For more information, see [Getting started with monitoring and logging using Logz.io for Java apps running on Azure](/azure/developer/java/fundamentals/java-get-started-with-logzio)

+3. Optionally, stream the raw logs to the event hub and connect to your preferred solution. Learn more in [Monitoring data available](../azure-monitor/essentials/stream-monitoring-data-event-hubs.md#monitoring-data-available).

+To view the event schemas of the exported data types, visit the [Event Hubs event schemas](https://aka.ms/ASCAutomationSchemas).

+## Use the Microsoft Graph Security API to stream alerts to third-party applications

+As an alternative to Sentinel and Azure Monitor, you can use Defender for Cloud's built-in integration with [Microsoft Graph Security API](https://www.microsoft.com/security/business/graph-security-api). No configuration is required and there are no additional costs.

+You can use this API to stream alerts from your **entire tenant** (and data from many Microsoft Security products) into third-party SIEMs and other popular platforms:

+- **Splunk Enterprise and Splunk Cloud** - [Use the Microsoft Graph Security API Add-On for Splunk](https://splunkbase.splunk.com/app/4564/)

+ Title: Set up the required Azure resources to export security alerts to IBM QRadar and Splunk

+description: Learn how to configure the required Azure resources in the Azure portal to stream security alerts to IBM QRadar and Splunk

+# Prepare Azure resources for exporting to Splunk and QRadar

+In order to stream Microsoft Defender for Cloud security alerts to IBM QRadar and Splunk, you have to set up resources in Azure, such as Event Hubs and Azure Active Directory (Azure AD). Here are the instructions for configuring these resources in the Azure portal, but you can also configure them using a PowerShell script. Make sure you review [Stream alerts to QRadar and Splunk](export-to-siem.md#stream-alerts-to-qradar-and-splunk) before you configure the Azure resources for exporting alerts to QRadar and Splunk.

+To configure the Azure resources for QRadar and Splunk in the Azure portal:

+## Step 1. Create an Event Hubs namespace and event hub with send permissions

+1. In the [Event Hubs service](../event-hubs/event-hubs-create.md), create an Event Hubs namespace:

+ 1. Select **Create**.

+ 1. Enter the details of the namespace, select **Review + create**, and select **Create**.

+ :::image type="content" source="media/export-to-siem/create-event-hub-namespace.png" alt-text="Screenshot of creating an Event Hubs namespace in Microsoft Event Hubs." lightbox="media/export-to-siem/create-event-hub-namespace.png":::

+1. Create an event hub:

+ 1. In the namespace that you create, select **+ Event Hub**.

+ 1. Enter the details of the event hub, and select **Review + create**, and select **Create**.

+1. Create a shared access policy.

+ 1. In the Event Hub menu, select the Event Hubs namespace you created.

+ 1. In the Event Hub namespace menu, select **Event Hubs**.

+ 1. Select the event hub that you just created.

+ 1. In the event hub menu, select **Shared access policies**.

+ 1. Select **Add**, enter a unique policy name, and select **Send**.

+ 1. Select **Create** to create the policy.

+ :::image type="content" source="media/export-to-siem/create-shared-access-policy.png" alt-text="Screenshot of creating a shared policy in Microsoft Event Hubs." lightbox="media/export-to-siem/create-shared-access-policy.png":::

+## Step 2. **For streaming to QRadar SIEM** - Create a Listen policy

+1. Select **Add**, enter a unique policy name, and select **Listen**.

+1. Select **Create** to create the policy.

+1. After the listen policy is created, copy the **Connection string primary key** and save it to use later.

+ :::image type="content" source="media/export-to-siem/create-shared-listen-policy.png" alt-text="Screenshot of creating a listen policy in Microsoft Event Hubs." lightbox="media/export-to-siem/create-shared-listen-policy.png":::

+## Step 3. Create a consumer group, then copy and save the name to use in the SIEM platform

+1. In the Entities section of the Event Hubs event hub menu, select **Event Hubs** and select the event hub you created.

+ :::image type="content" source="media/export-to-siem/open-event-hub.png" alt-text="Screenshot of opening the event hub Microsoft Event Hubs." lightbox="media/export-to-siem/open-event-hub.png":::

+1. Select **Consumer group**.

+## Step 4. Enable continuous export for the scope of the alerts

+1. In the Azure search box, search for "policy" and go to the Policy.

+1. In the Policy menu, select **Definitions**.

+1. Search for "deploy export" and select the **Deploy export to Event Hub for Azure Security Center data** built-in policy.

+1. Select **Assign**.

+1. Define the basic policy options:

+ 1. In Scope, select the **...** to select the scope to apply the policy to.

+ 1. Find the root management group (for tenant scope), management group, subscription, or resource group in the scope and select **Select**.

+ - To select a tenant root management group level you need to have permissions on tenant level.

+ 1. (Optional) In Exclusions you can define specific subscriptions to exclude from the export.

+ 1. Enter an assignment name.

+ 1. Make sure policy enforcement is enabled.

+ :::image type="content" source="media/export-to-siem/create-export-policy.png" alt-text="Screenshot of assignment for the export policy." lightbox="media/export-to-siem/create-export-policy.png":::

+1. In the policy parameters:

+ 1. Enter the resource group where the automation resource is saved.

+ 1. Select resource group location.

+ 1. Select the **...** next to the **Event Hub details** and enter the details for the event hub, including:

+ - Subscription.

+ - The Event Hubs namespace you created.

+ - The event hub you created.

+ - In **authorizationrules**, select the shared access policy that you created to send alerts.

+ :::image type="content" source="media/export-to-siem/create-export-policy-parameters.png" alt-text="Screenshot of parameters for the export policy." lightbox="media/export-to-siem/create-export-policy-parameters.png":::

+1. Select **Review and Create** and **Create** to finish the process of defining the continuous export to Event Hubs.

+ - Notice that when you activate continuous export policy on the tenant (root management group level), it automatically streams your alerts on any **new** subscription that will be created under this tenant.

+## Step 5. **For streaming alerts to QRadar SIEM** - Create a storage account

+1. Go to the Azure portal, select **Create a resource**, and select **Storage account**. If that option isn't shown, search for "storage account".

+1. Select **Create**.

+1. Enter the details for the storage account, select **Review and Create**, and then **Create**.

+ :::image type="content" source="media/export-to-siem/create-storage-account.png" alt-text="Screenshot of creating storage account." lightbox="media/export-to-siem/create-storage-account.png":::

+1. After you create your storage account and go to the resource, in the menu select **Access Keys**.

+1. Select **Show keys** to see the keys, and copy the connection string of Key 1.

+ :::image type="content" source="media/export-to-siem/copy-storage-account-key.png" alt-text="Screenshot of copying storage account key." lightbox="media/export-to-siem/copy-storage-account-key.png":::

+## Step 6. **For streaming alerts to Splunk SIEM** - Create an Azure AD application

+1. In the menu search box, search for "Azure Active Directory" and go to Azure Active Directory.

+1. Go to the Azure portal, select **Create a resource**, and select **Azure Active Directory**. If that option isn't shown, search for "active directory".

+1. In the menu, select **App registrations**.

+1. Select **New registration**.

+1. Enter a unique name for the application and select **Register**.

+ :::image type="content" source="media/export-to-siem/register-application.png" alt-text="Screenshot of registering application." lightbox="media/export-to-siem/register-application.png":::

+1. Copy to Clipboard and save the **Application (client) ID** and **Directory (tenant) ID**.

+1. Create the client secret for the application:

+ 1. In the menu, go to **Certificates & secrets**.

+ 1. Create a password for the application to prove its identity when requesting a token:

+ 1. Select **New client secret**.

+ 1. Enter a short description, choose the expiration time of the secret, and select **Add**.

+ :::image type="content" source="media/export-to-siem/create-client-secret.png" alt-text="Screenshot of creating client secret." lightbox="media/export-to-siem/create-client-secret.png":::

+1. After the secret is created, copy the Secret ID and save it for later use together with the Application ID and Directory (tenant) ID.

+## Step 7. **For streaming alerts to Splunk SIEM** - Allow Azure AD to read from the event hub

+1. Go to the Event Hubs namespace you created.

+1. In the menu, go to **Access control**.

+1. Select **Add** and select **Add role assignment**.

+1. Select **Add role assignment**.

+ :::image type="content" source="media/export-to-siem/add-role-assignment.png" alt-text="Screenshot of adding a role assignment." lightbox="media/export-to-siem/add-role-assignment.png":::

+1. In the Roles tab, search for **Azure Event Hubs Data Receiver**.

+1. Select **Next**.

+1. Select **Select Members**.

+1. Search for the Azure AD application you created before and select it.

+1. Select **Close**.

+To continue setting up export of alerts, [install the built-in connectors](export-to-siem.md#step-2-connect-the-event-hub-to-your-preferred-solution-using-the-built-in-connectors) for the SIEM you're using.

+## October 2021

+Updates in October include:

+- [Microsoft Threat and Vulnerability Management added as vulnerability assessment solution (in preview)](#microsoft-threat-and-vulnerability-management-added-as-vulnerability-assessment-solution-in-preview)

+- [Vulnerability assessment solutions can now be auto enabled (in preview)](#vulnerability-assessment-solutions-can-now-be-auto-enabled-in-preview)

+- [Software inventory filters added to asset inventory (in preview)](#software-inventory-filters-added-to-asset-inventory-in-preview)

+- [Changed prefix of some alert types from "ARM_" to "VM_"](#changed-prefix-of-some-alert-types-from-arm_-to-vm_)

+- [Changes to the logic of a security recommendation for Kubernetes clusters](#changes-to-the-logic-of-a-security-recommendation-for-kubernetes-clusters)

+- [Recommendations details pages now show related recommendations](#recommendations-details-pages-now-show-related-recommendations)

+- [New alerts for Azure Defender for Kubernetes (in preview)](#new-alerts-for-azure-defender-for-kubernetes-in-preview)

+### Microsoft Threat and Vulnerability Management added as vulnerability assessment solution (in preview)

+We've extended the integration between [Azure Defender for Servers](defender-for-servers-introduction.md) and Microsoft Defender for Endpoint, to support a new vulnerability assessment provider for your machines: [Microsoft threat and vulnerability management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt).

+Use **threat and vulnerability management** to discover vulnerabilities and misconfigurations in near real time with the [integration with Microsoft Defender for Endpoint](integration-defender-for-endpoint.md) enabled, and without the need for additional agents or periodic scans. Threat and vulnerability management prioritizes vulnerabilities based on the threat landscape and detections in your organization.

+Use the security recommendation "[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/ffff0522-1e88-47fc-8382-2a80ba848f5d)" to surface the vulnerabilities detected by threat and vulnerability management for your [supported machines](/microsoft-365/security/defender-endpoint/tvm-supported-os?view=o365-worldwide&preserve-view=true).

+To automatically surface the vulnerabilities, on existing and new machines, without the need to manually remediate the recommendation, see [Vulnerability assessment solutions can now be auto enabled (in preview)](#vulnerability-assessment-solutions-can-now-be-auto-enabled-in-preview).

+Learn more in [Investigate weaknesses with Microsoft Defender for Endpoint's threat and vulnerability management](deploy-vulnerability-assessment-tvm.md).

+### Vulnerability assessment solutions can now be auto enabled (in preview)

+Security Center's auto provisioning page now includes the option to automatically enable a vulnerability assessment solution to Azure virtual machines and Azure Arc machines on subscriptions protected by [Azure Defender for Servers](defender-for-servers-introduction.md).

+If the [integration with Microsoft Defender for Endpoint](integration-defender-for-endpoint.md) is enabled, Defender for Cloud presents a choice of vulnerability assessment solutions:

+- (**NEW**) The Microsoft threat and vulnerability management module of Microsoft Defender for Endpoint (see [the release note](#microsoft-threat-and-vulnerability-management-added-as-vulnerability-assessment-solution-in-preview))

+- The integrated Qualys agent

+Your chosen solution will be automatically enabled on supported machines.

+Learn more in [Automatically configure vulnerability assessment for your machines](auto-deploy-vulnerability-assessment.md).

+### Software inventory filters added to asset inventory (in preview)

+The [asset inventory](asset-inventory.md) page now includes a filter to select machines running specific software - and even specify the versions of interest.

+Additionally, you can query the software inventory data in **Azure Resource Graph Explorer**.

+To use these new features, you'll need to enable the [integration with Microsoft Defender for Endpoint](integration-defender-for-endpoint.md).

+For full details, including sample Kusto queries for Azure Resource Graph, see [Access a software inventory](asset-inventory.md#access-a-software-inventory).

+### Changed prefix of some alert types from "ARM_" to "VM_"

+In July 2021, we announced a [logical reorganization of Azure Defender for Resource Manager alerts](release-notes-archive.md#logical-reorganization-of-azure-defender-for-resource-manager-alerts)

+As part of a logical reorganization of some of the Azure Defender plans, we moved twenty-one alerts from [Azure Defender for Resource Manager](defender-for-resource-manager-introduction.md) to [Azure Defender for Servers](defender-for-servers-introduction.md).

+With this update, we've changed the prefixes of these alerts to match this reassignment and replaced "ARM_" with "VM_" as shown in the following table:

+| Original name | From this change |

+||--|

+| ARM_AmBroadFilesExclusion | VM_AmBroadFilesExclusion |

+| ARM_AmDisablementAndCodeExecution | VM_AmDisablementAndCodeExecution |

+| ARM_AmDisablement | VM_AmDisablement |

+| ARM_AmFileExclusionAndCodeExecution | VM_AmFileExclusionAndCodeExecution |

+| ARM_AmTempFileExclusionAndCodeExecution | VM_AmTempFileExclusionAndCodeExecution |

+| ARM_AmTempFileExclusion | VM_AmTempFileExclusion |

+| ARM_AmRealtimeProtectionDisabled | VM_AmRealtimeProtectionDisabled |

+| ARM_AmTempRealtimeProtectionDisablement | VM_AmTempRealtimeProtectionDisablement |

+| ARM_AmRealtimeProtectionDisablementAndCodeExec | VM_AmRealtimeProtectionDisablementAndCodeExec |

+| ARM_AmMalwareCampaignRelatedExclusion | VM_AmMalwareCampaignRelatedExclusion |

+| ARM_AmTemporarilyDisablement | VM_AmTemporarilyDisablement |

+| ARM_UnusualAmFileExclusion | VM_UnusualAmFileExclusion |

+| ARM_CustomScriptExtensionSuspiciousCmd | VM_CustomScriptExtensionSuspiciousCmd |

+| ARM_CustomScriptExtensionSuspiciousEntryPoint | VM_CustomScriptExtensionSuspiciousEntryPoint |

+| ARM_CustomScriptExtensionSuspiciousPayload | VM_CustomScriptExtensionSuspiciousPayload |

+| ARM_CustomScriptExtensionSuspiciousFailure | VM_CustomScriptExtensionSuspiciousFailure |

+| ARM_CustomScriptExtensionUnusualDeletion | VM_CustomScriptExtensionUnusualDeletion |

+| ARM_CustomScriptExtensionUnusualExecution | VM_CustomScriptExtensionUnusualExecution |

+| ARM_VMAccessUnusualConfigReset | VM_VMAccessUnusualConfigReset |

+| ARM_VMAccessUnusualPasswordReset | VM_VMAccessUnusualPasswordReset |

+| ARM_VMAccessUnusualSSHReset | VM_VMAccessUnusualSSHReset |

+Learn more about the [Azure Defender for Resource Manager](defender-for-resource-manager-introduction.md) and [Azure Defender for Servers](defender-for-servers-introduction.md) plans.

+### Changes to the logic of a security recommendation for Kubernetes clusters

+The recommendation "Kubernetes clusters should not use the default namespace" prevents usage of the default namespace for a range of resource types. Two of the resource types that were included in this recommendation have been removed: ConfigMap and Secret.

+Learn more about this recommendation and hardening your Kubernetes clusters in [Understand Azure Policy for Kubernetes clusters](../governance/policy/concepts/policy-for-kubernetes.md).

+### Recommendations details pages now show related recommendations

+To clarify the relationships between different recommendations, we've added a **Related recommendations** area to the details pages of many recommendations.

+The three relationship types that are shown on these pages are:

+- **Prerequisite** - A recommendation that must be completed before the selected recommendation

+- **Alternative** - A different recommendation which provides another way of achieving the goals of the selected recommendation

+- **Dependent** - A recommendation for which the selected recommendation is a prerequisite

+For each related recommendation, the number of unhealthy resources is shown in the "Affected resources" column.

+> [!TIP]

+> If a related recommendation is grayed out, its dependency isn't yet completed and so isn't available.

+An example of related recommendations:

+1. Security Center checks your machines for supported vulnerability assessment solutions:<br>

+ **A vulnerability assessment solution should be enabled on your virtual machines**

+1. If one is found, you'll get notified about discovered vulnerabilities:<br>

+ **Vulnerabilities in your virtual machines should be remediated**

+Obviously, Security Center can't notify you about discovered vulnerabilities unless it finds a supported vulnerability assessment solution.

+Therefore:

+ - Recommendation #1 is a prerequisite for recommendation #2

+ - Recommendation #2 depends upon recommendation #1

+### New alerts for Azure Defender for Kubernetes (in preview)

+To expand the threat protections provided by Azure Defender for Kubernetes, we've added two preview alerts.

+These alerts are generated based on a new machine learning model and Kubernetes advanced analytics, measuring multiple deployment and role assignment attributes against previous activities in the cluster and across all clusters monitored by Azure Defender.

+| Alert (alert type) | Description | MITRE tactic | Severity |

+|||:--:|-|

+| **Anomalous pod deployment (Preview)**<br>(K8S_AnomalousPodDeployment) | Kubernetes audit log analysis detected pod deployment that is anomalous based on previous pod deployment activity. This activity is considered an anomaly when taking into account how the different features seen in the deployment operation are in relations to one another. The features monitored by this analytics include the container image registry used, the account performing the deployment, day of the week, how often does this account performs pod deployments, user agent used in the operation, is this a namespace which is pod deployment occur to often, or other feature. Top contributing reasons for raising this alert as anomalous activity are detailed under the alert extended properties. | Execution | Medium |

+| **Excessive role permissions assigned in Kubernetes cluster (Preview)**<br>(K8S_ServiceAcountPermissionAnomaly) | Analysis of the Kubernetes audit logs detected an excessive permissions role assignment to your cluster. From examining role assignments, the listed permissions are uncommon to the specific service account. This detection considers previous role assignments to the same service account across clusters monitored by Azure, volume per permission, and the impact of the specific permission. The anomaly detection model used for this alert takes into account how this permission is used across all clusters monitored by Azure Defender. | Privilege Escalation | Low |

+For a full list of the Kubernetes alerts, see [Alerts for Kubernetes clusters](alerts-reference.md#alerts-k8scluster).

+- [PowerShell script to stream alerts to Splunk and QRadar](#powershell-script-to-stream-alerts-to-splunk-and-ibm-qradar)

+### PowerShell script to stream alerts to Splunk and IBM QRadar

+We recommend that you use Event Hubs and a built-in connector to export security alerts to Splunk and IBM QRadar. Now you can use a PowerShell script to set up the Azure resources needed to export security alerts for your subscription or tenant.

+Just download and run the PowerShell script. After you provide a few details of your environment, the script configures the resources for you. The script then produces output that you use in the SIEM platform to complete the integration.

+To learn more, see [Stream alerts to Splunk and QRadar](export-to-siem.md#stream-alerts-to-qradar-and-splunk).

+In addition, Defender for Cloud also begins gradual support for the [Defender for Endpoint unified agent for Windows Server 2012 R2 and 2016 (Preview)](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/defending-windows-server-2012-r2-and-2016/ba-p/2783292). Defender for Servers Plan 1 deploys the new unified agent to Windows Server 2012 R2 and 2016 workloads. Defender for Servers Plan 2 deploys the legacy agent to Windows Server 2012 R2 and 2016 workloads, and will deploy the unified agent soon after it is approved for general use.

+In October, [we announced](release-notes-archive.md#microsoft-threat-and-vulnerability-management-added-as-vulnerability-assessment-solution-in-preview) an extension to the integration between [Microsoft Defender for Servers](defender-for-servers-introduction.md) and Microsoft Defender for Endpoint, to support a new vulnerability assessment provider for your machines: [Microsoft threat and vulnerability management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt). This feature is now released for general availability (GA).

+To automatically surface the vulnerabilities, on existing and new machines, without the need to manually remediate the recommendation, see [Vulnerability assessment solutions can now be auto enabled (in preview)](release-notes-archive.md#vulnerability-assessment-solutions-can-now-be-auto-enabled-in-preview).

+In October, [we announced](release-notes-archive.md#vulnerability-assessment-solutions-can-now-be-auto-enabled-in-preview) the addition of vulnerability assessment solutions to Defender for Cloud's auto provisioning page. This is relevant to Azure virtual machines and Azure Arc machines on subscriptions protected by [Azure Defender for Servers](defender-for-servers-introduction.md). This feature is now released for general availability (GA).

+In October, [we announced](release-notes-archive.md#software-inventory-filters-added-to-asset-inventory-in-preview) new filters for the [asset inventory](asset-inventory.md) page to select machines running specific software - and even specify the versions of interest. This feature is now released for general availability (GA).

+| [Changes to recommendations for managing endpoint protection solutions](#changes-to-recommendations-for-managing-endpoint-protection-solutions) | May 2022 |

+| [Changes to vulnerability assessment](#changes-to-vulnerability-assessment) | May 2022 |

+**Estimated date for change:** May 2022

+### Changes to vulnerability assessment

+**Estimated date for change:** May 2022

+Currently, Defender for Containers doesn't show vulnerabilities that have medium and low level severities that are not patchable.

+As part of this update, vulnerabilities that have medium and low severities, that don't have patches will be shown. This update will provide maximum visibility, while still allowing you to filter undesired vulnerabilities by using the provided Disable rule.

+Learn more about [vulnerability management](deploy-vulnerability-assessment-tvm.md)

+ Title: OT monitoring appliance catalog - Microsoft Defender for IoT

+description: Learn about hardware and virtual appliances for certified Microsoft Defender for IoT sensors and the on-premises management console.

+# OT monitoring appliance catalog

+This section describes installation procedures for *legacy* appliances only. See [Identify required appliances](how-to-identify-required-appliances.md), if you are buying a new appliance.

+az dt twin query --dt-name <instance-hostname-or-name> --query-command "SELECT * FROM DigitalTwins T Where T.\$dtId = 'room0'"

+az dt twin create --dt-name <instance-hostname-or-name> --dtmi "dtmi:contosocom:DigitalTwins:Thermostat;1" --twin-id thermostat67 --properties '{\"Temperature\": 0.0}'

+az dt twin query --dt-name <instance-hostname-or-name> --query-command "SELECT * FROM DigitalTwins T Where T.`$dtId = 'room0'"

+az dt twin create --dt-name <instance-hostname-or-name> --dtmi "dtmi:contosocom:DigitalTwins:Thermostat;1" --twin-id thermostat67 --properties "{\"Temperature\": 0.0}"

+You'll then need to create one twin using this model. Use the following command to create a thermostat twin named thermostat67, and set 0.0 as an initial temperature value. There's one placeholder for the instance's host name (you can also use the instance's friendly name with a slight decrease in performance).

+az dt twin create --dt-name <instance-hostname-or-name> --dtmi "dtmi:contosocom:DigitalTwins:Thermostat;1" --twin-id thermostat67 --properties '{"Temperature": 0.0}'

+While running the device simulator above, the temperature value of your digital twin will be changing. In the Azure CLI, run the following command to see the temperature value. There's one placeholder for the instance's host name (you can also use the instance's friendly name with a slight decrease in performance).

+az dt twin query --query-command "select * from digitaltwins" --dt-name <instance-hostname-or-name>

+1. Create an Event Grid topic, which will receive events from your Azure Digital Twins instance, using the CLI command below:

+2. Create an endpoint to link your Event Grid topic to Azure Digital Twins, using the CLI command below:

+3. Create a route in Azure Digital Twins to send twin update events to your endpoint, using the CLI command below. For the Azure Digital Twins instance name placeholder in this command, you can use the friendly name or the host name for a boost in performance.

+ az dt route create --dt-name <your-Azure-Digital-Twins-instance-hostname-or-name> --endpoint-name <Event-Grid-endpoint-name> --route-name <my-route> --filter "type = 'Microsoft.DigitalTwins.Twin.Update'"

+Create a [route](concepts-route-events.md#create-an-event-route) in Azure Digital Twins to send twin update events to your endpoint from above. The filter in this route will only allow twin update messages to be passed to your endpoint. Specify a name for the twins hub event route. For the Azure Digital Twins instance name placeholder in this command, you can use the friendly name or the host name for a boost in performance.

+az dt route create --dt-name <your-Azure-Digital-Twins-instance-hostname-or-name> --endpoint-name <your-twins-hub-endpoint-from-earlier> --route-name <name-for-your-twins-hub-event-route> --filter "type = 'Microsoft.DigitalTwins.Twin.Update'"

+Use the [az dt twin update](/cli/azure/dt/twin#az-dt-twin-update) CLI command to update a property on the twin you added in the [Prerequisites](#prerequisites) section. If you used the twin creation instructions from [Ingest telemetry from IoT Hub](how-to-ingest-iot-hub-data.md)), you can use the following command in the local CLI or the Cloud Shell bash terminal to update the temperature property on the thermostat67 twin. There's one placeholder for the Azure Digital Twins instance's host name (you can also use the instance's friendly name with a slight decrease in performance).

+az dt twin update --dt-name <your-Azure-Digital-Twins-instance-hostname-or-name> --twin-id thermostat67 --json-patch '{"op":"replace", "path":"/Temperature", "value": 20.5}'

+The flow you've set up in this article will result in the device automatically being registered in Azure Digital Twins. Use the following [Azure Digital Twins CLI](/cli/azure/dt/twin#az-dt-twin-show) command to find the twin of the device in the Azure Digital Twins instance you created. There's a placeholder for the instance's host name (you can also use the instance's friendly name with a slight decrease in performance), and a placeholder for the device registration ID.

+az dt twin show --dt-name <instance-hostname-or-name> --twin-id "<device-registration-ID>"

+Use the following [Azure Digital Twins CLI](/cli/azure/dt/twin#az-dt-twin-show) command to verify the twin of the device in the Azure Digital Twins instance was deleted. There's a placeholder for the instance's host name (you can also use the instance's friendly name with a slight decrease in performance), and a placeholder for the device registration ID.

+az dt twin show --dt-name <instance-hostname-or-name> --twin-id "<device-registration-ID>"

+az dt create --dt-name <new-instance-name> --resource-group <resource-group> --assign-identity --scopes "/subscriptions/<subscription ID>/resourceGroups/<resource-group>/providers/Microsoft.EventHub/namespaces/<Event-Hubs-namespace>/eventhubs/<event-hub-name>" --role MyCustomRole

+>If you know the friendly name of your instance, you can use the following CLI command to get the host name and subscription values:

+1. Next, use the [az dt model create](/cli/azure/dt/model#az-dt-model-create) command as shown below to upload your updated Room model to your Azure Digital Twins instance. The second command uploads another model, Floor, which you'll also use in the next section to create different types of twins. There's a placeholder for the instance's host name (you can also use the instance's friendly name with a slight decrease in performance), and a placeholder for a path to each model file. If you're using Cloud Shell, *Room.json* and *Floor.json* are in the main storage directory, so you can just use the file names directly in the command below where a path is required.

+ az dt model create --dt-name <Azure-Digital-Twins-instance-hostname-or-name> --models <path-to-Room.json>

+ az dt model create --dt-name <Azure-Digital-Twins-instance-hostname-or-name> --models <path-to-Floor.json>

+1. Verify the models were created with the [az dt model list](/cli/azure/dt/model#az-dt-model-list) command as shown below. Doing so will print a list of all models that have been uploaded to the Azure Digital Twins instance with their full information. There's one placeholder for the instance's host name (you can also use the instance's friendly name with a slight decrease in performance).

+ az dt model list --dt-name <Azure-Digital-Twins-instance-hostname-or-name> --definition

+az dt model create --dt-name <Azure-Digital-Twins-instance-hostname-or-name> --models Room.json

+1. Run this code in the CLI to create several twins, based on the Room model you updated earlier and another model, Floor. Recall that Room has three properties, so you can provide arguments with the initial values for these properties. (Initializing property values is optional in general, but they're needed for this tutorial.) There's one placeholder for the instance's host name (you can also use the instance's friendly name with a slight decrease in performance).

+ az dt twin create --dt-name <Azure-Digital-Twins-instance-hostname-or-name> --dtmi "dtmi:example:Room;2" --twin-id room0 --properties '{"RoomName":"Room0", "Temperature":70, "HumidityLevel":30}'

+ az dt twin create --dt-name <Azure-Digital-Twins-instance-hostname-or-name> --dtmi "dtmi:example:Room;2" --twin-id room1 --properties '{"RoomName":"Room1", "Temperature":80, "HumidityLevel":60}'

+ az dt twin create --dt-name <Azure-Digital-Twins-instance-hostname-or-name> --dtmi "dtmi:example:Floor;1" --twin-id floor0

+ az dt twin create --dt-name <Azure-Digital-Twins-instance-hostname-or-name> --dtmi "dtmi:example:Floor;1" --twin-id floor1

+1. You can verify that the twins were created with the [az dt twin query](/cli/azure/dt/twin#az-dt-twin-query) command as shown below. The query shown finds all the digital twins in your Azure Digital Twins instance. There's one placeholder for the instance's host name (you can also use the instance's friendly name with a slight decrease in performance).

+ az dt twin query --dt-name <Azure-Digital-Twins-instance-hostname-or-name> --query-command "SELECT * FROM DIGITALTWINS"

+1. Run the following [az dt twin update](/cli/azure/dt/twin#az-dt-twin-update) command to change room0's RoomName from Room0 to PresidentialSuite. There's one placeholder for the instance's host name (you can also use the instance's friendly name with a slight decrease in performance).

+ az dt twin update --dt-name <Azure-Digital-Twins-instance-hostname-or-name> --twin-id room0 --json-patch '{"op":"add", "path":"/RoomName", "value": "PresidentialSuite"}'

+1. You can verify the update succeeded by running the [az dt twin show](/cli/azure/dt/twin#az-dt-twin-show) command to see room0's information. There's one placeholder for the instance's host name (you can also use the instance's friendly name with a slight decrease in performance).

+ az dt twin show --dt-name <Azure-Digital-Twins-instance-hostname-or-name> --twin-id room0

+1. Run the following code to add a `contains`-type relationship from each of the Floor twins you created earlier to the corresponding Room twin. The relationships are named relationship0 and relationship1. There's one placeholder for the instance's host name (you can also use the instance's friendly name with a slight decrease in performance).

+ az dt twin relationship create --dt-name <Azure-Digital-Twins-instance-hostname-or-name> --relationship-id relationship0 --relationship contains --twin-id floor0 --target room0

+ az dt twin relationship create --dt-name <Azure-Digital-Twins-instance-hostname-or-name> --relationship-id relationship1 --relationship contains --twin-id floor1 --target room1

+1. You can verify the relationships with any of the following commands, which print the relationships in your Azure Digital Twins instance. Each command has one placeholder for the instance's host name (you can also use the instance's friendly name with a slight decrease in performance).

+ az dt twin relationship list --dt-name <Azure-Digital-Twins-instance-hostname-or-name> --twin-id floor0

+ az dt twin relationship list --dt-name <Azure-Digital-Twins-instance-hostname-or-name> --twin-id floor1

+ az dt twin relationship list --dt-name <Azure-Digital-Twins-instance-hostname-or-name> --twin-id room0 --incoming

+ az dt twin relationship list --dt-name <Azure-Digital-Twins-instance-hostname-or-name> --twin-id room1 --incoming

+ az dt twin relationship show --dt-name <Azure-Digital-Twins-instance-hostname-or-name> --twin-id floor0 --relationship-id relationship0

+ az dt twin relationship show --dt-name <Azure-Digital-Twins-instance-hostname-or-name> --twin-id floor1 --relationship-id relationship1

+Run the following queries in the CLI to answer some questions about the sample environment. Each command has one placeholder for the instance's host name (you can also use the instance's friendly name with a slight decrease in performance).

+ az dt twin query --dt-name <Azure-Digital-Twins-instance-hostname-or-name> --query-command "SELECT * FROM DIGITALTWINS"

+ az dt twin query --dt-name <Azure-Digital-Twins-instance-hostname-or-name> --query-command "SELECT * FROM DIGITALTWINS T WHERE IS_OF_MODEL(T, 'dtmi:example:Room;2')"

+ az dt twin query --dt-name <Azure-Digital-Twins-instance-hostname-or-name> --query-command "SELECT room FROM DIGITALTWINS floor JOIN room RELATED floor.contains where floor.\$dtId = 'floor0'"

+ az dt twin query --dt-name <Azure-Digital-Twins-instance-hostname-or-name> --query-command "SELECT * FROM DigitalTwins T WHERE T.Temperature > 75"

+ az dt twin query --dt-name <Azure-Digital-Twins-instance-hostname-or-name> --query-command "SELECT room FROM DIGITALTWINS floor JOIN room RELATED floor.contains where floor.\$dtId = 'floor0' AND IS_OF_MODEL(room, 'dtmi:example:Room;2') AND room.Temperature > 75"

+> Defining authorization headers is a sensible option when your destination is a Webhook. It should not be used for [functions subscribed with a resource id](/rest/api/eventgrid/controlplane-version2021-10-15-preview/event-subscriptions/create-or-update#azurefunctioneventsubscriptiondestination), Service Bus, Event Hubs, and Hybrid Connections as those destinations support their own authentication schemes when used with Event Grid.

+You can find the error result codes in [live Event error codes](/azure/media-services/latest/live-event-error-codes-reference).

+You can find the error result codes in [live Event error codes](/azure/media-services/latest/live-event-error-codes-reference).

+[Register for job state change events](/azure/media-services/latest/monitoring/job-state-events-cli-how-to)

+- [Live Event error codes](/azure/media-services/latest/live-event-error-codes-reference)

+- Create an [event subscription on an Azure resource as an extension resource](/rest/api/eventgrid/controlplane-version2021-10-15-preview/event-subscriptions/create-or-update), which automatically creates a system topic with the name in the format: `<Azure resource name>-<GUID>`. The system topic created in this way is automatically deleted when the last event subscription for the topic is deleted.

+- [Private link support for partner namespaces](/rest/api/eventgrid/controlplane-version2021-10-15-preview/partner-namespaces/create-or-update#privateendpoint). Azure portal doesn't support it yet.

+- [IP Filtering for partner namespaces](/rest/api/eventgrid/controlplane-version2021-10-15-preview/partner-namespaces/create-or-update#inboundiprule). Azure portal doesn't support it yet.

+- [System Identity for partner topics](/rest/api/eventgrid/controlplane-version2021-10-15-preview/partner-namespaces/update#request-body). Azure portal doesn't support it yet.

+ * Pagination and search filter for resources list operations. For an example, see [Topics - List By Subscription](/rest/api/eventgrid/controlplane-version2021-10-15-preview/partner-namespaces/list-by-subscription).

+ * Pagination and search filter for resources list operations. For an example, see [Topics - List By Subscription](/rest/api/eventgrid/controlplane-version2021-10-15-preview/partner-namespaces/list-by-subscription).

+**Reader** have access to all _read_ Azure Policy operations.

+**Contributor** may trigger resource

+permissions.

+> [!NOTE]

+> All Policy objects, including definitions, initatives, and assignments, will be readable to all

+> roles over its scope. For example, a Policy assignment scoped to an Azure subscription will be readable

+> by all role holders at the subscription scope and below.

+> This policy initiative was built to CMMC version 1.0 and will be updated in the future.

+>

+Azure Resource Graph is an Azure service designed to extend Azure Resource Management by

+## How Resource Graph complements Azure Resource Manager

+Azure Resource Manager currently supports queries over basic resource fields, specifically:

+Azure Resource Manager also provides

+[Kusto Query Language (KQL)](/azure/data-explorer/data-explorer-overview) used by Azure Data Explorer.

+* [Create an alert notification](https://docs.cloudera.com/HDPDocuments/Ambari-latest/managing-and-monitoring-ambari/content/amb_create_an_alert_notification.html)

+* For more information on user-defined routes, see [User-defined routes and IP forwarding](../virtual-network/virtual-networks-udr-overview.md).

+| (0008, 1155) | ReferencedSOPInstanceUID | The SOP instance unique identifier of the instance that failed to store. |

+| (0008, 1155) | ReferencedSOPInstanceUID | The SOP instance unique identifier of the instance that failed to store. |

+You can include a `modelId` field in the body. Use this field to assign the device to a device template during provisioning.

+> [!TIP]

+> You can use a job to migrate all the devices in a device group to a new device template at the same time.

+To use data export features, you must have the [Data export](howto-manage-users-roles.md) permission.

+1. Choose **Cloud property**, **Property**, **Command**, or **Change device template** as the **Job type**:

+ To configure a **Property** job, select a property and set its new value. A property job can set multiple properties. To configure a **Command** job, choose the command to run. To configure a **Change device template** job, select the device template to assign to the devices in the device group.

+1. Select the devices you want to assign to a template.

+- Provision new devices.

+You can use the following tools in your IoT Central application:

+- The **Devices** page lets you monitor and manage individual devices.

+- The **Device groups** and **Data explorer** pages let you monitor aggregate data from your devices.

+- The **Jobs** page lets you manage your devices in bulk.

+- Custom dashboards let you manage and monitor devices in a way that suits you.

+- The REST API and Azure CLI enable you to automate device management tasks.

+## Search for devices

+IoT Central lets you search devices by device name, ID, property value, or cloud property value:

+## Add devices

+Use the **Devices** page to add individual devices, or [import devices](howto-manage-devices-in-bulk.md#import-devices) in bulk from a CSV file:

+## Group your devices

+On the **Device groups** page, you can use queries to define groups of devices. You can use device groups to:

+- Monitor aggregate data from devices on the **Device explorer** page.

+- Manage groups of devices in bulk by using jobs.

+- Control access to groups of devices if your application uses organizations.

+To learn more, see [Tutorial: Use device groups to analyze device telemetry](tutorial-use-device-groups.md).

+## Manage your devices

+Use the **Devices** page to manage individual devices connected to your application:

+For individual device, you can complete tasks such as [block or unblock it](howto-manage-devices-individually.md#device-status-values), [attach it to a gateway](tutorial-define-gateway-device-type.md), [approve it](howto-manage-devices-individually.md#device-status-values), [migrate it to a new device template](howto-edit-device-template.md#migrate-a-device-across-versions), [associate it with an organization](howto-create-organizations.md), and [generate a map to transform the incoming telemetry and properties](howto-map-data.md).

+You can also set writable properties and cloud properties that are defined in the device template, and call commands on the device.

+Use the **Jobs** page to manage your devices in bulk. Jobs can update properties, run commands, or assign a new device template on multiple devices. To learn more, see [Manage devices in bulk in your Azure IoT Central application](howto-manage-devices-in-bulk.md).

+> [!TIP]

+> If your IoT Central application uses *organizations*, an administrator controls which devices you have access to.

+## Monitor your devices

+To monitor individual devices, use the custom device views on the **Devices** page. A solution builder defines these custom views as part of the [device template](concepts-device-templates.md). These views can show device telemetry and property values. An example is the **Overview** view shown in the following screenshot:

+To monitor aggregate data from multiple devices, use device groups and the **Data explorer** page. To learn more, see [How to use data explorer to analyze device data](howto-create-analytics.md).

+## Customize

+You can further customize the device management and monitoring experience using the following tools:

+- Create more views to display on the **Devices** page for individual devices by adding view definitions to your [device templates](concepts-device-templates.md).

+- Customize the text that describes your devices in the application. To learn more, see [Change application text](howto-customize-ui.md#change-application-text).

+- Create [custom device management dashboards](howto-manage-dashboards.md). A dashboard can include a [pinned query](howto-manage-dashboards.md#pin-analytics-to-dashboard) from the **Data explorer**.

+## Automate

+To automate device management tasks, you can use:

+- Rules to trigger actions automatically when device data that you're monitoring reaches predefined thresholds. To learn more, see [Configure rules](howto-configure-rules.md).

+- [Job scheduling](howto-manage-devices-in-bulk.md#create-and-run-a-job) for regular device management tasks.

+- The Azure CLI to manage your devices from a scripting environment. To learn more, see [az iot central](/cli/azure/iot/central).

+- The IoT Central REST API to manage your devices programmatically. To learn more, see [How to use the IoT Central REST API to manage devices](howto-manage-devices-with-rest-api.md).

+Rules, CLI, REST API, job schedule

+## Troubleshoot and remediate device issues

+The [troubleshooting guide](troubleshoot-connection.md) helps you to diagnose and remediate common issues. You can use the **Devices** page to block devices that appear to be malfunctioning until the problem is resolved.

+* **IoT Edge 1.2** contains content for new features and capabilities that are in the latest stable release. This version of the documentation also contains content for the IoT Edge for Linux on Windows (EFLOW) continuous release version, which is based on IoT Edge 1.2 and contains the latest features and capabilities. IoT Edge 1.2 is now bundled with the [Microsoft Defender for IoT micro-agent for Edge](/azure/defender-for-iot/device-builders/overview).

+| [1.2](https://github.com/Azure/azure-iotedge/releases/tag/1.2.0) | Stable | April 2021 | [IoT Edge devices behind gateways](how-to-connect-downstream-iot-edge-device.md?view=iotedge-2020-11&preserve-view=true)<br>[IoT Edge MQTT broker (preview)](how-to-publish-subscribe.md?view=iotedge-2020-11&preserve-view=true)<br>New IoT Edge packages introduced, with new installation and configuration steps. For more information, see [Update from 1.0 or 1.1 to 1.2](how-to-update-iot-edge.md#special-case-update-from-10-or-11-to-12).<br>Includes [Microsoft Defender for IoT micro-agent for Edge](/azure/defender-for-iot/device-builders/overview.md).

+In this section, you'll create the resources for Azure Bastion. Azure Bastion is used to securely manage the virtual machines in the backend pool of the load balancer.

+ Title: Move an Azure Load testing resource to another region

+description: Learn how to move an Azure Load testing resource to another region.

+# Move an Azure Load Testing Preview resource to another region

+This article describes how to move your Azure Load Testing Preview resource to another Azure region. You might want to move your resource for a number of reasons. For example, to take advantage of a new Azure region, to meet internal policy and governance requirements, or in response to capacity planning requirements.

+Azure Load Testing resources are region-specific and can't be moved across regions automatically. You can use an Azure Resource Manager template (ARM template) to export the existing configuration of your Load Testing resource instead. Then, stage the resource in another region and create the tests in the new resource.

+## Prerequisites

+- Make sure that the target region supports Azure Load Testing.

+- Have access to the tests in the resource you're migrating.

+## Prepare

+To get started, you'll need to export and then modify an ARM template. You will also need to download artifacts for any exiting tests in the resource.

+1. Export the ARM template that contains settings and information for your Azure Load Testing resource by following the steps mentioned [here](/azure/azure-resource-manager/templates/export-template-portal).

+1. Download the input artifacts for all the existing tests from the resource. Navigate to the **Tests** section in the resource and then click on the test name. **Download the input file** for the test by clicking the More button (...) on the right side of the latest test run.

+ :::image type="content" source="media/how-to-move-an-azure-load-testing-resource/download-input-artifacts.png" alt-text="Screenshot that shows how to download input files for a test.":::

+> [!NOTE]

+> If you are using an Azure Key Vault to configure secrets for your load test, you can continue to use the same Key Vault.

+## Move

+Load and modify the template so you can create a new Azure Load Testing resource in the target region and then create tests in the new resource.

+### Move the resource

+1. In the Azure portal, select **Create a resource**.

+1. In the Marketplace, search for **template deployment**. Select **Template deployment (deploy using custom templates)**.

+1. Select **Create**.

+1. Select **Build your own template in the editor**.

+1. Select **Load file**, and then select the template.json file that you downloaded in the last section.

+1. In the uploaded template.json file, name the target Azure Load Testing resource by entering a new **defaultValue** for the resource name This example sets the defaultValue of the resource name to `myLoadTestResource`.

+ ```json

+ {

+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ "loadtest_name": {

+ "defaultValue": "myLoadTestResource",

+ "type": "String"

+ }

+ },

+ ```

+1. Edit the **location** property to use your target region. This example sets the target region to `eastus`.

+ ```json

+ "resources": [

+ {

+ "type": "Microsoft.LoadTestService/loadtests",

+ "apiVersion": "2021-12-01-preview",

+ "name": "[parameters('loadtest_name')]",

+ "location": "eastus",

+ ```

+ To obtain region location codes, see [Azure Locations](https://azure.microsoft.com/global-infrastructure/data-residency/). The code for a region is the region name with no spaces. For example, East US = eastus.

+1. Click on **Save**.

+1. Enter the **Subscription** and **Resource group** for the target resource.

+1. Select **Review and create**, then select **Create**.

+### Create tests

+Once the resource is created in the target location, you can create new tests by following the steps mentioned [here](/azure/load-testing/quickstart-create-and-run-load-test#create_test).

+1. You can refer to the test configuration in the config.yaml file of the input artifacts downloaded earlier.

+1. Upload the Apache JMeter script and optional configuration files from the downloaded input artifacts.

+If you are invoking the previous Azure Load Testing resource in a CI/CD workflow you can update the `loadTestResource` parameter in the [Azure Load testing task](/azure/devops/pipelines/tasks/test/azure-load-testing) or [Azure Load Testing action](https://github.com/marketplace/actions/azure-load-testing) of your workflow.

+> [!NOTE]

+> If you have configured any of your load test with secrets from Azure Key Vault, make sure to grant the new resource access to the Key Vault following the steps mentioned [here](/azure/load-testing/how-to-use-a-managed-identity?tabs=azure-portal#grant-access-to-your-azure-key-vault).

+## Clean up source resources

+After the move is complete, delete the Azure Load Testing resource from the source region. You pay for resources, even when the resource is not being utilized.

+1. In the Azure portal, search and select **Azure Load Testing**.

+1. Select your Azure Load Testing resource.

+1. On the resource overview page, Select **Delete**, and then confirm.

+> [!NOTE]

+> Test results for the test runs in the previous resource will be lost once the resource is deleted.

+## Next steps

+- Learn how to run high-scale load tests, see [Set up a high-scale load test](./how-to-high-scale-load.md).

+## Access data for training jobs on compute clusters (preview)

+When training on [Azure Machine Learning compute clusters](how-to-create-attach-compute-cluster.md#what-is-a-compute-cluster), you can authenticate to storage with your Azure Active Directory token.

+This authentication mode allows you to:

+* Set up fine-grained permissions, where different workspace users can have access to different storage accounts or folders within storage accounts.

+* Audit storage access because the storage logs show which identities were used to access data.

+> [!WARNING]

+> This functionality has the following limitations

+> * Feature is only supported for experiments submitted via the [Azure Machine Learning CLI v2 (preview)](how-to-configure-cli.md)

+> * Only CommandJobs, and PipelineJobs with CommandSteps and AutoMLSteps are supported

+> * User identity and compute managed identity cannot be used for authentication within same job.

+The following steps outline how to set up identity-based data access for training jobs on compute clusters.

+1. Grant the user identity access to storage resources. For example, grant StorageBlobReader access to the specific storage account you want to use or grant ACL-based permission to specific folders or files in Azure Data Lake Gen 2 storage.

+1. Create an Azure Machine Learning datastore without cached credentials for the storage account. If a datastore has cached credentials, such as storage account key, those credentials are used instead of user identity.

+1. Submit a training job with property **identity** set to **type: user_identity**, as shown in following job specification. During the training job, the authentication to storage happens via the identity of the user that submits the job.

+> [!NOTE]

+> If the **identity** property is left unspecified and datastore does not have cached credentials, then compute managed identity becomes the fallback option.

+```yaml

+command: |

+ echo "--census-csv: ${{inputs.census_csv}}"

+ python hello-census.py --census-csv ${{inputs.census_csv}}

+code: src

+inputs:

+ census_csv:

+ type: uri_file

+ path: azureml://datastores/mydata/paths/census.csv

+environment: azureml:AzureML-sklearn-1.0-ubuntu20.04-py38-cpu@latest

+compute: azureml:cpu-cluster

+identity:

+ type: user_identity

+```

+> [!IMPORTANT]

+> To run the certification test tool, the Windows Remote Management service must be running and configured on Windows. This enables access to port 5986.

+3. Configure the percentage-based margins <!-- or absolute **Pricing** -->for up to ten offers/plans in a private offer. Margin can be given at an offer level so it applies to all plans within the offer, or it can be given only for a specific plan. The margin the CSP partner receives will be a percentage off your plan's list price in the marketplace.

+ <! *Absolute price* can be used to specify a price point higher, lower, or equal to the publicly listed plan price; it can only be applied at a plan level and does not apply to Virtual Machine offer types. You can only customize the price based on the same pricing model, billing term, and dimensions of the public offer; you cannot change to a new pricing model or billing term or add dimensions.<br><br> -->

+ 1. Enter the margin percentage <!-- or configure the absolute price -->for each item in the pricing table.

+- If your SaaS offer supports metered billing using the commercial marketplace metering service, review and follow the testing best practices detailed in [Marketplace metered billing APIs](/azure/marketplace/partner-center-portal/saas-metered-billing).

+- Review and follow the testing instructions in [Implementing a webhook on the SaaS service](/azure/marketplace/partner-center-portal/pc-saas-fulfillment-webhook#development-and-testing) to ensure your offer is successfully integrated with the APIs.

+https:\//login.microsoftonline.cn <br/> https:\//secure.aadcdn.microsoftonline-p.cn <br/> https:\//login.live.com <br/> https://graph.chinacloudapi.cn <br/> https://login.chinacloudapi.cn <br/> https://www.live.com <br/> https://www.microsoft.com | Appliance setup with OVA needs access to these URLs. They are used for access control and identity management by Azure Active Directory.

+ Title: 'Troubleshoot Azure Microsoft.Network failed Provisioning State'

+description: Learn how to troubleshoot Azure Microsoft.Network failed Provisioning State.

+# Troubleshoot Azure Microsoft.Network failed provisioning state

+This article helps understand the meaning of various provisioning states for Microsoft.Network resources and how to effectively troubleshoot situations when the state is **Failed**.

+## Provisioning states

+The provisioning state is the status of a user-initiated, control-plane operation on an Azure Resource Manager resource.

+| Provisioning state | Description |

+|||

+| Updating | Resource is being created or updated. |

+| Failed | Last operation on the resource was not successful. |

+| Succeeded | Last operation on the resource was successful. |

+| Deleting | Resource is being deleted. |

+| Migrating | Seen when migrating from Azure Service Manager to Azure Resource Manager. |

+These states are just metadata properties of the resource and are independent from the functionality of the resource itself.

+Being in a failed state does not necessarily mean that the resource is not functional, in fact in most cases it can continue operating and servicing traffic without issues.

+However in several scenarios further operations on the resource or on other resources that depend on it may fail if the resource is in failed state, so the state needs to be reverted back to succeeded before executing other operations.

+For example, you cannot execute an operation on a VirtualNetworkGateway if it has a dependent VirtualNetworkGatewayConnection object in failed state and viceversa.

+## Restoring succeeded state through a PUT operation

+The correct way to restore succeeded state is to execute another write (PUT) operation on the resource.

+Most times, the issue that caused the previous operation might no longer be current, hence the newer write operation should be successful and restore the provisioning state.

+The easiest way to achieve this task is to use Azure PowerShell. You will need to issue a resource-specific "Get" command that fetches all the current configuration for the impacted resource as it is deployed. Next, you can execute a "Set" command (or equivalent) to commit to Azure a write operation containing all the resource properties as they are currently configured.

+> [!IMPORTANT]

+> 1. Executing a "Set" command on the resource without running a "Get" first will result in overwriting the resource with default settings which might be different from those you currently have configured. Do not just run a "Set" command unless resetting settings is intentional.

+> 2. Executing a "Get" and "Set" operation using third party software or otherwise any tool using older API version may also result in loss of some settings, as those may not be present in the API version with which you have executed the command.

+>

+## Azure PowerShell cmdlets to restore succeeded provisioning state

+### Preliminary operations

+1. Install the latest version of the Azure Resource Manager PowerShell cmdlets. For more information, see [Install and configure Azure PowerShell](/powershell/azure/install-az-ps).

+2. Open your PowerShell console with elevated privileges, and connect to your account. Use the following example to help you connect:

+ ```azurepowershell-interactive

+ Connect-AzAccount

+ ```

+3. If you have multiple Azure subscriptions, check the subscriptions for the account.

+ ```azurepowershell-interactive

+ Get-AzSubscription

+ ```

+4. Specify the subscription that you want to use.

+ ```azurepowershell-interactive

+ Select-AzSubscription -SubscriptionName "Replace_with_your_subscription_name"

+ ```

+5. Run the resource-specific commands listed below to reset the provisioning state to succeeded.

+

+> [!NOTE]

+>Every sample command in this article uses "your_resource_name" for the name of the Resource and "your_resource_group_name" for the name of the Resource Group. Make sure to replace these strings with the appropriate Resource and Resource Group names according to your deployment.

+### Microsoft.Network/applicationGateways

+```azurepowershell-interactive

+Get-AzApplicationGateway -Name "your_resource_name" -ResourceGroupName "your_resource_group_name" | Set-AzApplicationGateway

+```

+### Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies

+```azurepowershell-interactive

+Get-AzApplicationGatewayFirewallPolicy -Name "your_resource_name" -ResourceGroupName "your_resource_group_name" | Set-AzApplicationGatewayFirewallPolicy

+```

+### Microsoft.Network/azureFirewalls

+```azurepowershell-interactive

+Get-AzFirewall -Name "your_resource_name" -ResourceGroupName "your_resource_group_name" | Set-AzFirewall

+```

+### Microsoft.Network/bastionHosts

+```azurepowershell-interactive

+$bastion = Get-AzBastion -Name "your_resource_name" -ResourceGroupName "your_resource_group_name"

+Set-AzBastion -InputObject $bastion

+```

+### Microsoft.Network/connections

+```azurepowershell-interactive

+Get-AzVirtualNetworkGatewayConnection -Name "your_resource_name" -ResourceGroupName "your_resource_group_name" | Set-AzVirtualNetworkGatewayConnection

+```

+### Microsoft.Network/expressRouteCircuits

+```azurepowershell-interactive

+Get-AzExpressRouteCircuit -Name "your_resource_name" -ResourceGroupName "your_resource_group_name" | Set-AzExpressRouteCircuit

+```

+### Microsoft.Network/expressRouteGateways

+```azurepowershell-interactive

+Get-AzExpressRouteGateway -Name "your_resource_name" -ResourceGroupName "your_resource_group_name" | Set-AzExpressRouteGateway

+```

+> [!NOTE]

+> **Microsoft.Network/expressRouteGateways** are those gateways deployed within a Virtual WAN. If you have a standalone gateway of ExpressRoute type in your Virtual Network you need to execute the commands related to [Microsoft.Network/virtualNetworkGateways](#microsoftnetworkvirtualnetworkgateways).

+### Microsoft.Network/expressRoutePorts

+```azurepowershell-interactive

+Get-AzExpressRoutePort -Name "your_resource_name" -ResourceGroupName "your_resource_group_name" | Set-AzExpressRoutePort

+```

+### Microsoft.Network/firewallPolicies

+```azurepowershell-interactive

+Get-AzFirewallPolicy -Name "your_resource_name" -ResourceGroupName "your_resource_group_name" | Set-AzFirewallPolicy

+```

+### Microsoft.Network/loadBalancers

+```azurepowershell-interactive

+Get-AzLoadBalancer -Name "your_resource_name" -ResourceGroupName "your_resource_group_name" | Set-AzLoadBalancer

+```

+### Microsoft.Network/localNetworkGateways

+```azurepowershell-interactive

+Get-AzLocalNetworkGateway -Name "your_resource_name" -ResourceGroupName "your_resource_group_name" | Set-AzLocalNetworkGateway

+```

+### Microsoft.Network/natGateways

+```azurepowershell-interactive

+Get-AzNatGateway -Name "your_resource_name" -ResourceGroupName "your_resource_group_name" | Set-AzNatGateway

+```

+### Microsoft.Network/networkInterfaces

+```azurepowershell-interactive

+Get-AzNetworkInterface -Name "your_resource_name" -ResourceGroupName "your_resource_group_name" | Set-AzNetworkInterface

+```

+### Microsoft.Network/networkSecurityGroups

+```azurepowershell-interactive

+Get-AzNetworkSecurityGroup -Name "your_resource_name" -ResourceGroupName "your_resource_group_name" | Set-AzNetworkSecurityGroup

+```

+### Microsoft.Network/networkVirtualAppliances

+```azurepowershell-interactive

+Get-AzNetworkVirtualAppliance -Name "your_resource_name" -ResourceGroupName "your_resource_group_name" | Update-AzNetworkVirtualAppliance

+```

+> [!NOTE]

+> Most Virtual WAN related resources such as networkVirtualAppliances leverage the "Update" cmdlet and not the "Set" for write operations.

+>

+### Microsoft.Network/privateDnsZones

+```azurepowershell-interactive

+Get-AzPrivateDnsZone -Name "your_resource_name" -ResourceGroupName "your_resource_group_name" | Set-AzPrivateDnsZone

+```

+### Microsoft.Network/privateEndpoints

+```azurepowershell-interactive

+Get-AzPrivateEndpoint -Name "your_resource_name" -ResourceGroupName "your_resource_group_name" | Set-AzPrivateEndpoint

+```

+### Microsoft.Network/privateLinkServices

+```azurepowershell-interactive

+Get-AzPrivateLinkService -Name "your_resource_name" -ResourceGroupName "your_resource_group_name" | Set-AzPrivateLinkService

+```

+### Microsoft.Network/publicIpAddresses

+```azurepowershell-interactive

+Get-AzPublicIpAddress -Name "your_resource_name" -ResourceGroupName "your_resource_group_name" | Set-AzPublicIpAddress

+```

+### Microsoft.Network/routeFilters

+```azurepowershell-interactive

+Get-AzRouteFilter -Name "your_resource_name" -ResourceGroupName "your_resource_group_name" | Set-AzRouteFilter

+```

+### Microsoft.Network/routeTables

+```azurepowershell-interactive

+Get-AzRouteTable -Name "your_resource_name" -ResourceGroupName "your_resource_group_name" | Set-AzRouteTable

+```

+### Microsoft.Network/virtualHubs

+```azurepowershell-interactive

+Get-AzVirtualHub -Name "your_resource_name" -ResourceGroupName "your_resource_group_name" | Update-AzVirtualHub

+```

+> [!NOTE]

+> Most Virtual WAN related resources such as virtualHubs leverage the "Update" cmdlet and not the "Set" for write operations.

+>

+### Microsoft.Network/virtualNetworkGateways

+```azurepowershell-interactive

+Get-AzVirtualNetworkGateway -Name "your_resource_name" -ResourceGroupName "your_resource_group_name" | Set-AzVirtualNetworkGateway

+```

+### Microsoft.Network/virtualNetworks

+```azurepowershell-interactive

+Get-AzVirtualNetwork -Name "your_resource_name" -ResourceGroupName "your_resource_group_name" | Set-AzVirtualNetwork

+```

+### Microsoft.Network/virtualWans

+```azurepowershell-interactive

+Get-AzVirtualWan -Name "your_resource_name" -ResourceGroupName "your_resource_group_name" | Update-AzVirtualWan

+```

+> [!NOTE]

+> Most Virtual WAN related resources such as virtualWans leverage the "Update" cmdlet and not the "Set" for write operations.

+### Microsoft.Network/vpnGateways

+```azurepowershell-interactive

+Get-AzVpnGateway -Name "your_resource_name" -ResourceGroupName "your_resource_group_name" | Update-AzVpnGateway

+```

+> [!NOTE]

+> 1. **Microsoft.Network/vpnGateways** are those gateways deployed within a Virtual WAN. If you have a standalone gateway of VPN type in your Virtual Network you need to execute the commands related to [Microsoft.Network/virtualNetworkGateways](#microsoftnetworkvirtualnetworkgateways).

+> 2. Most Virtual WAN related resources such as vpnGateways leverage the "Update" cmdlet and not the "Set" for write operations.

+### Microsoft.Network/vpnSites

+```azurepowershell-interactive

+Get-AzVpnSite -Name "your_resource_name" -ResourceGroupName "your_resource_group_name" | Update-AzVpnSite

+```

+> [!NOTE]

+> Most Virtual WAN related resources such as vpnSites leverage the "Update" cmdlet and not the "Set" for write operations.

+## Next steps

+If the command executed didn't fix the failed state, it should return an error code for you.

+Most error codes contain a detailed description of what the problem might be and offer hints to solve it.

+Open a support ticket with [Microsoft support](https://portal.azure.com/?#blade/Microsoft_Azure_Support/HelpAndSupportBlade) if you're still experiencing issues.

+Make sure you specify to the Support Agent both the error code you received in the latest operation, as well as the timestamp of when the operation was executed.

+|Azure Static Web Apps | All public regions | | Preview <br/> [Configure private endpoint in Azure Static Web Apps](../static-web-apps/private-endpoint.md) |

+The goal of search in Azure Purview is to speed up the process of quickly finding the data that matters. This article outlines how to search the Azure Purview data catalog to quickly find the data you're looking for.

+## Searching the catalog

+Once you click on the search bar, you'll be presented with your search history and the items recently accessed in the data catalog. This allows you to quickly pick up from previous data exploration that was already done.

+Enter in keywords that help narrow down your search such as name, data type, classifications, and glossary terms. As you enter in search keywords, Azure Purview dynamically suggests results and searches that may fit your needs. To complete your search, click on "View search results" or press "Enter".

+Once you enter in your search, Azure Purview returns a list of data assets and glossary terms a user is a data reader for to that matched to the keywords entered in.

+> Search will only return items in collections you're a data reader or curator for. For more information, see [create and manage Collections](how-to-create-and-manage-collections.md).

+| field:keyword | Searches the keyword in a specific attribute of an asset. Field search is case insensitive and is limited to the following fields at this time: <ul><li>name</li><li>description</li><li>entityType</li><li>assetType</li><li>classification</li><li>term</li><li>contact</li></ul> | The query `description: German` returns all assets that contain the word "German" in the description.<br><br>The query `term:Customer` will return all assets with glossary terms that include "Customer" and all glossary terms that match to "Customer". |

+> Searching "*" will return all the assets and glossary terms in the catalog.

+* Grouping isn't supported within a field search. Customers should use operators to connect field searches. For example,`name:(alice AND bob)` is invalid search syntax, but `name:alice AND name:bob` is supported.

+Start a portal-based debug session to identify and resolve errors, validate changes, and push changes to a published skillset in your Azure Cognitive Search service.

+## Debug a custom skill locally

+Custom skills can be more challenging to debug because the code runs externally. This section describes how to locally debug your Custom Web API skill, debug session, Visual Studio Code and [ngrok](https://ngrok.com/docs). This technique works with custom skills that execute in [Azure Functions](../azure-functions/functions-overview.md) or any other Web Framework that runs locally (for example, [FastAPI](https://fastapi.tiangolo.com/)).

+### Run ngrok

+[**ngrok**](https://ngrok.com/docs) is a cross-platform application that can create a tunneling or forwarding URL, so that internet requests reach your local machine. Use ngrok to forward requests from an enrichment pipeline in your search service to your machine to allow local debugging.

+1. Install ngrok.

+1. Open a terminal and go to the folder with the ngrok executable.

+1. Run ngrok with the following command to create a new tunnel:

+ ```console

+ ngrok http 7071

+ ```

+ > [!NOTE]

+ > By default, Azure Functions are exposed on 7071. Other tools and configurations might require that you provide a different port.

+1. When ngrok starts, copy and save the public forwarding URL for the next step. The forwarding URL is randomly generated.

+ :::image type="content" source="media/cognitive-search-debug/ngrok.png" alt-text="Screenshot of ngrok terminal." border="false":::

+### Configure in Azure portal

+Within the debug session, modify your Custom Web API Skill URI to call the ngrok forwarding URL. Ensure that you append "/api/FunctionName" when using Azure Function for executing the skillset code.

+You can edit the skill definition in the portal.

+### Test

+At this point, new requests from your debug session should now be sent to your local Azure Function. You can use breakpoints in your Visual Studio code to debug your code or run step by step.

+> - No special license is required to add UEBA functionality to Microsoft Sentinel, and there's no additional cost for using it.

+> - However, since UEBA generates new data and stores it in new tables that UEBA creates in your Log Analytics workspace, **additional data storage charges** will apply.

+## Configure the account information

+## Configure the account information

+## Configure the account information

+## Download the sample project + import SDK

+### Clone Samples Repo

+### Import ASA SDK

+Follow the instructions [here](../how-tos/setup-unity-project.md#download-asa-packages) to download and import the ASA SDK packages required for the HoloLens platform.

+## Configure + deploy the sample app

+In its default configuration, **Pet Clinic** uses an in-memory database (HSQLDB) which is populated at startup with data. A similar setup is provided for MySQL if a persistent database configuration is needed. A dependency for Connector/J, the MySQL JDBC driver, is already included in the pom.xml files.

+| `skip_api_build` | Set the value to `true` to skip building the API functions. | No |

+## Skip building the API

+If you want to skip building the API, you can bypass the automatic build and deploy the API built in a previous step.

+> Currently the `skip_api_build` is only supported in GitHub Actions and not Azure Pipelines.

+Steps to skip building the API:

+- In the *staticwebapp.config.json* file, set `apiRuntime` to the correct language and version. Refer to [Configure Azure Static Web Apps](configuration.md#selecting-the-api-language-runtime-version) for the list of supported languages and versions.

+```json

+{

+ "platform": {

+ "apiRuntime": "node:16"

+ }

+}

+```

+- Set `skip_api_build` to `true`.

+# [GitHub Actions](#tab/github-actions)

+```yml

+...

+with:

+ azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN }}

+ repo_token: ${{ secrets.GITHUB_TOKEN }}

+ action: 'upload'

+ app_location: "src" # App source code path relative to repository root

+ api_location: "api" # Api source code path relative to repository root - optional

+ output_location: "public" # Built app content directory, relative to app_location - optional

+ skip_api_build: true

+```

+# [Azure Pipelines](#tab/azure-devops)

+This feature is unsupported in Azure Pipelines.

+ Title: Upload and analyze a file with Azure Functions and Blob Storage

+description: Learn how to upload an image to Azure Blob Storage and analyze its content using Azure Functions and Cognitive Services

+# Tutorial: Upload and analyze a file with Azure Functions and Blob Storage

+In this tutorial, you'll learn how to upload an image to Azure Blob Storage and process it using Azure Functions and Computer Vision. You'll also learn how to implement Azure Function triggers and bindings as part of this process. Together, these services will analyze an uploaded image that contains text, extract the text out of it, and then store the text in a database row for later analysis or other purposes.

+Azure Blob Storage is Microsoft's massively scalable object storage solution for the cloud. Blob Storage is designed for storing images and documents, streaming media files, managing backup and archive data, and much more. You can read more about Blob Storage on the [overview page](/azure/storage/blobs/storage-blobs-introduction).

+Azure Functions is a serverless computer solution that allows you to write and run small blocks of code as highly scalable, serverless, event driven functions. You can read more about Azure Functions on the [overview page](/azure/azure-functions/functions-overview).

+In this tutorial, you will learn how to:

+> [!div class="checklist"]

+> * Upload images and files to Blob Storage

+> * Use an Azure Function event trigger to process data uploaded to Blob Storage

+> * Use Cognitive Services to analyze an image

+> * Write data to Table Storage using Azure Function output bindings

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- [Visual Studio 2022](https://visualstudio.microsoft.com) installed.

+

+## Create the storage account and container

+The first step is to create the storage account that will hold the uploaded blob data, which in this scenario will be images that contain text. A storage account offers several different services, but this tutorial utilizes Blob Storage and Table Storage.

+### [Azure portal](#tab/azure-portal)

+Sign in to the [Azure portal](https://ms.portal.azure.com/#create/Microsoft.StorageAccount).

+1) In the search bar at the top of the portal, search for *Storage* and select the result labeled **Storage accounts**.

+2) On the **Storage accounts** page, select **+ Create** in the top left.

+3) On the **Create a storage account** page, enter the following values:

+ - **Subscription**: Choose your desired subscription.

+ - **Resource Group**: Select **Create new** and enter a name of `msdocs-storage-function`, and then choose **OK**.

+ - **Storage account name**: Enter a value of `msdocsstoragefunction`. The Storage account name must be unique across Azure, so you may need to add numbers after the name, such as `msdocsstoragefunction123`.

+ - **Region**: Select the region that is closest to you.

+ - **Performance**: Choose **Standard**.

+ - **Redundancy**: Leave the default value selected.

+

+

+4) Select **Review + Create** at the bottom and Azure will validate the information you entered. Once the settings are validated, choose **Create** and Azure will begin provisioning the storage account, which might take a moment.

+### Create the container

+1) After the storage account is provisioned, select **Go to Resource**. The next step is to create a storage container inside of the account to hold uploaded images for analysis.

+2) On the navigation panel, choose **Containers**.

+3) On the **Containers** page, select **+ Container** at the top. In the slide out panel, enter a **Name** of *imageanalysis*, and make sure the **Public access level** is set to **Blob (anonymous read access for blobs only**. Then select **Create**.

+You should see your new container appear in the list of containers.

+### Retrieve the connection string

+The last step is to retrieve our connection string for the storage account.

+1) On the left navigation panel, select **Access Keys**.

+2) On the **Access Keys page**, select **Show keys**. Copy the value of the **Connection String** under the **key1** section and paste this somewhere to use for later. You'll also want to make a note of the storage account name `msdocsstoragefunction` for later as well.

+These values will be necessary when we need to connect our Azure Function to this storage account.

+### [Azure CLI](#tab/azure-cli)

+Azure CLI commands can be run in the [Azure Cloud Shell](https://shell.azure.com) or on a workstation with the [Azure CLI installed](/cli/azure/install-azure-cli).

+To create the storage account and container, we can run the CLI commands seen below.

+```azurecli-interactive

+az group create --location eastus --name msdocs-storage-function \

+az storage account create --name msdocsstorageaccount -resource-group msdocs-storage-function -l eastus --sku Standard_LRS \

+az storage container create --name imageanalysis --account-name msdocsstorageaccount --resource-group msdocs-storage-function

+```

+You may need to wait a few moments for Azure to provision these resources.

+After the commands complete, we also need to retrieve the connection string for the storage account. The connection string will be used later to connect our Azure Function to the storage account.

+```azurecli-interactive

+az storage account show-connection-string -g msdocs-storage-function -n msdocsstoragefunction

+```

+Copy the value of the `connectionString` property and paste it somewhere to use for later. You'll also want to make a note of the storage account name `msdocsstoragefunction` for later as well.

+## Create the Computer Vision service

+Next, create the Computer Vision service account that will process our uploaded files. Computer Vision is part of Azure Cognitive Services and offers a variety of features for extracting data out of images. You can learn more about Computer Vision on the [overview page](/services/cognitive-services/computer-vision/#overview).

+### [Azure portal](#tab/azure-portal)

+1) In the search bar at the top of the portal, search for *Computer* and select the result labeled **Computer vision**.

+2) On the **Computer vision** page, select **+ Create**.

+3) On the **Create Computer Vision** page, enter the following values:

+- **Subscription**: Choose your desired Subscription.

+- **Resource Group**: Use the `msdocs-storage-function` resource group you created earlier.

+- **Region**: Select the region that is closest to you.

+- **Name**: Enter in a name of `msdocscomputervision`.

+- **Pricing Tier**: Choose **Free** if it is available, otherwise choose **Standard S1**.

+- Check the **Responsible AI Notice** box if you agree to the terms

+

+4) Select **Review + Create** at the bottom. Azure will take a moment validate the information you entered. Once the settings are validated, choose **Create** and Azure will begin provisioning the Computer Vision service, which might take a moment.

+5) When the operation has completed, select **Go to Resource**.

+### Retrieve the keys

+Next, we need to find the secret key and endpoint URL for the Computer Vision service to use in our Azure Function app.

+1) On the **Computer Vision** overview page, select **Keys and Endpoint**.

+2) On the **Keys and EndPoint** page, copy the **Key 1** value and the **EndPoint** values and paste them somewhere to use for later.

+### [Azure CLI](#tab/azure-cli)

+To create the Computer Vision service, we can run the CLI command below.

+```azurecli-interactive

+az cognitiveservices account create \

+ --name msdocs-process-image \

+ --resource-group msdocs-storage-function \

+ --kind ComputerVision \

+ --sku F1 \

+ --location eastus2 \

+ --yes

+```

+You may need to wait a few moments for Azure to provision these resources.

+Once the Computer Vision service is created, you can retrieve the secret keys and URL endpoint using the commands below.

+```azurelci-interactive

+ az cognitiveservices account keys list \

+ --name msdocs-process-image \

+ --resource-group msdocs-storage-function \

+ az cognitiveservices account list \

+ --name msdocs-process-image \

+ --resource-group msdocs-storage-function --query "[].properties.endpoint"

+```

+

+## Download and configure the sample project

+The code for the Azure Function used in this tutorial can be found in [this GitHub repository](https://github.com/Azure-Samples/msdocs-storage-bind-function-service/tree/main/dotnet). You can also clone the project using the command below.

+```terminal

+git clone https://github.com/Azure-Samples/msdocs-storage-bind-function-service.git \

+cd msdocs-storage-bind-function-service/dotnet

+```

+The sample project code accomplishes the following tasks:

+- Retrieves environment variables to connect to the storage account and Computer Vision service

+- Accepts the uploaded file as a blob parameter

+- Analyzes the blob using the Computer Vision service

+- Sends the analyzed image text to a new table row using output bindings

+Once you have downloaded and opened the project, there are a few essential concepts to understand in the main `Run` method shown below. The Azure function utilizes Trigger and Output bindings, which are applied using attributes on the `Run` method signature.

+The `Table` attribute uses two parameters. The first parameter specifies the name of the table to write the parsed image text value returned by the function. The second `Connection` parameter pulls a Table Storage connection string from the environment variables so that our Azure function has access to it.

+The `BlobTrigger` attribute is used to bind our function to the upload event in Blob Storage, and supplies that uploaded blob to the `Run` function. The blob trigger has two parameters of its own - one for the name of the blob container to monitor for uploads, and one for the connection string of our storage account again.

+```csharp

+// Azure Function name and output Binding to Table Storage

+[FunctionName("ProcessImageUpload")]

+[return: Table("ImageText", Connection = "StorageConnection")]

+// Trigger binding runs when an image is uploaded to the blob container below

+public async Task<ImageContent> Run([BlobTrigger("imageanalysis/{name}",

+ Connection = "StorageConnection")]Stream myBlob, string name, ILogger log)

+{

+ // Get connection configurations

+ string subscriptionKey = Environment.GetEnvironmentVariable("ComputerVisionKey");

+ string endpoint = Environment.GetEnvironmentVariable("ComputerVisionEndpoint");

+ string imgUrl = $"https://{ Environment.GetEnvironmentVariable("StorageAccountName")}

+ .blob.core.windows.net/imageanalysis/{name}";

+ ComputerVisionClient client = new ComputerVisionClient(

+ new ApiKeyServiceClientCredentials(subscriptionKey)) { Endpoint = endpoint };

+ // Get the analyzed image contents

+ var textContext = await AnalyzeImageContent(client, imgUrl);

+ return new ImageContent {

+ PartitionKey = "Images",

+ RowKey = Guid.NewGuid().ToString(), Text = textContext

+ };

+}

+public class ImageContent

+{

+ public string PartitionKey { get; set; }

+ public string RowKey { get; set; }

+ public string Text { get; set; }

+}

+```

+This code also retrieves essential configuration values from environment variables, such as the storage account connection string and Computer Vision key. We'll add these environment variables to our Azure Function environment after it's deployed.

+The `ProcessImage` function also utilizes a second method called `AnalyzeImage`, seen below. This code uses the URL Endpoint and Key of our Computer Vision account to make a request to that server to process our image. The request will return all of the text discovered in the image, which will then be written to Table Storage using the output binding on the `Run` method.

+```csharp

+static async Task<string> ReadFileUrl(ComputerVisionClient client, string urlFile)

+{

+ // Analyze the file using Computer Vision Client

+ var textHeaders = await client.ReadAsync(urlFile);

+ string operationLocation = textHeaders.OperationLocation;

+ Thread.Sleep(2000);

+

+ // Complete code omitted for brevity, view in sample project

+

+ return text.ToString();

+}

+```

+### Running locally

+If you'd like to run the project locally, you can populate the environment variables using the local.settings.json file. Inside of this file, fill in the placeholder values with the values you saved earlier when creating the Azure resources.

+Although the Azure Function code will run locally, it will still connect to the live services out on Azure, rather than using any local emulators.

+```javascript

+{

+ "IsEncrypted": false,

+ "Values": {

+ "AzureWebJobsStorage": "UseDevelopmentStorage=true",

+ "FUNCTIONS_WORKER_RUNTIME": "dotnet",

+ "StorageConnection": "your-storage-account-connection-string",

+ "StorageAccountName": "your-storage-account-name",

+ "ComputerVisionKey": "your-computer-vision-key",

+ "ComputerVisionEndPoint": "your-computer-vision-endpoint"

+ }

+}

+```

+## Deploy the code to Azure Functions

+You are now ready to deploy our application to Azure by using Visual Studio. You can also create the Azure Functions app in Azure at the same time as part of the deployment process.

+1) To begin, right select the **ProcessImage** project node and select **Publish**.

+2) On the **Publish** dialog screen, select Azure and choose **Next**.

+

+3) Select **Azure Function App (Windows)** or **Azure Function App (Linux)** on the next screen, and then choose **Next** again.

+4) On the **Functions instance** step, make sure to choose the subscription you'd like to deploy to. Next, select the green **+** symbol on the right side of the dialog.

+5) A new dialog will open. Enter the following values for your new Function App.

+- **Name**: Enter *msdocsprocessimage* or something similar.

+- **Subscription Name**: Choose whatever subscription you'd like to use.

+- **Resource Group**: Choose the `msdocs-storage-function` resource group you created earlier.

+- **Plan Type**: Select **Consumption**.

+- **Location**: Choose the region closest to you.

+- **Azure Storage**: Select the storage account you created earlier.

+6) Once you have filled in all of those values, select **Create**. Visual Studio and Azure will begin provisioning the requested resources, which will take a few moments to complete.

+7) Once the process has finished, select **Finish** to close out the dialog workflow.

+8) The final step to deploy the Azure Function is to select **Publish** in the upper right of the screen. Publishing the function might also take a few moments to complete. Once it finishes, your application will be running on Azure.

+## Connect the services

+The Azure Function was deployed successfully, but it cannot connect to our storage account and Computer Vision services yet. The correct keys and connection strings must first be added to the configuration settings of the Azure Functions app.

+1) At the top of the Azure portal, search for *function* and select **Function App** from the results.

+2) On the **Function App** screen, select the Function App you created in Visual Studio.

+3) On the **Function App** overview page, select **Configuration** on the left navigation. This will open up a page where we can manage various types of configuration settings for our app. For now, we are interested in **Application Settings** section.

+4) The next step is to add settings for our storage account name and connection string, the Computer Vision secret key, and the Computer Vision endpoint.

+5) On the **Application settings** tab, select **+ New application setting**. In the flyout that appears, enter the following values:

+- **Name**: Enter a value of *ComputerVisionKey*.

+- **Value**: Paste in the Computer Vision key you saved from earlier.

+6) Click **OK** to add this setting to your app.

+7) Next, let's repeat this process for the endpoint of our Computer Vision service, using the following values:

+- **Name**: Enter a value of *ComputerVisionEndpoint*.

+- **Value**: Paste in the endpoint URL you saved from earlier.

+8) Repeat this step again for the storage account connection, using the following values:

+- **Name**: Enter a value of *StorageConnection*.

+- **Value**: Paste in the connection string you saved from earlier.

+9) Finally, repeat this process one more time for the storage account name, using the following values:

+- **Name**: Enter a value of *StorageAccountName*.

+- **Value**: Enter in the name of the storage account you created.

+10) After you have added these application settings, make sure to select **Save** at the top of the configuration page. When the save completes, you can hit **Refresh** as well to make sure the settings are picked up.

+All of the required environment variables to connect our Azure function to different services are now in place.

+## Upload an image to Blob Storage

+You are now ready to test out our application! You can upload a blob to the container, and then verify that the text in the image was saved to Table Storage.

+1) First, at the top of the Azure portal, search for *Storage* and select **storage account**. On the **storage account** page, select the account you created earlier.

+2) Next, select **Containers** on the left nav, and then navigate into the **ImageAnalysis** container you created earlier. From here you can upload a test image right inside the browser.

+3) You can find a few sample images included in the **images** folder at the root of the downloadable sample project, or you can use one of your own.

+4) At the top of the **ImageAnalysis** page, select **Upload**. In the flyout that opens, select the folder icon on the right to open up a file browser. Choose the image you'd like to upload, and then select **Upload**.

+5) The file should appear inside of your blob container. Next, you can verify that the upload triggered the Azure Function, and that the text in the image was analyzed and saved to Table Storage properly.

+6) Using the breadcrumbs at the top of the page, navigate up one level in your storage account. Locate and select **Storage browser** on the left nav, and then select **Tables**.

+7) An **ImageText** table should now be available. Click on the table to preview the data rows inside of it. You should see an entry for the processed image text of our upload. You can verify this using either the Timestamp, or by viewing the content of the **Text** column.

+Congratulations! You succeeded in processing an image that was uploaded to Blob Storage using Azure Functions and Computer Vision.

+## Clean up resources

+If you're not going to continue to use this application, you can delete the resources you created by removing the resource group.

+1) Select **Resource groups** from the main navigation

+1) Select the `msdocs-storage-function` resource group from the list.

+2) Select the **Delete resource group** button at the top of the resource group overview page.

+3) Enter the resource group name *msdocs-storage-function* in the confirmation dialog.

+4) Select delete.

+The process to delete the resource group may take a few minutes to complete.

+- [Append Block](/rest/api/storageservices/append-block) (REST API)

+- [Undelete Blob](/rest/api/storageservices/undelete-blob) (REST API)

+In this article, you learn how to restore an existing dedicated SQL pool in Azure Synapse Analytics using Azure portal, Synapse Studio, and PowerShell. This article applies to both restores and geo-restores.

+## Restore an existing dedicated SQL pool through PowerShell

+1. Open PowerShell.

+2. Connect to your Azure account and list all the subscriptions associated with your account.

+3. Select the subscription that contains the SQL pool to be restored.

+4. List the restore points for the dedicated SQL pool.

+5. Pick the desired restore point using the RestorePointCreationDate.

+6. Restore the dedicated SQL pool to the desired restore point using [Restore-AzSynapseSqlPool](/powershell/module/az.synapse/restore-azsynapsesqlpool?toc=/azure/synapse-analytics/toc.json&bc=/azure/synapse-analytics/breadcrumb/toc.json) PowerShell cmdlet.

+ 1. To restore the dedicated SQL pool to a different workspace, make sure to specify the other workspace name. This workspace can also be in a different resource group and region.

+ 2. To restore to a different subscription, see the [below section](#restore-an-existing-dedicated-sql-pool-to-a-different-subscription-through-powershell).

+7. Verify that the restored dedicated SQL pool is online.

+```powershell

+$SubscriptionName="<YourSubscriptionName>"

+$ResourceGroupName="<YourResourceGroupName>"

+$WorkspaceName="<YourWorkspaceNameWithoutURLSuffixSeeNote>" # Without sql.azuresynapse.net

+#$TargetResourceGroupName="<YourTargetResourceGroupName>" # uncomment to restore to a different workspace.

+#$TargetWorkspaceName="<YourtargetWorkspaceNameWithoutURLSuffixSeeNote>"

+$SQLPoolName="<YourDatabaseName>"

+$NewSQLPoolName="<YourDatabaseName>"

+Connect-AzAccount

+Get-AzSubscription

+Select-AzSubscription -SubscriptionName $SubscriptionName

+# list all restore points

+Get-AzSynapseSqlPoolRestorePoint -ResourceGroupName $ResourceGroupName -WorkspaceName $WorkspaceName -Name $SQLPoolName

+# Pick desired restore point using RestorePointCreationDate "xx/xx/xxxx xx:xx:xx xx"

+$PointInTime="<RestorePointCreationDate>"

+# Get the specific SQL pool to restore

+$SQLPool = Get-AzSynapseSqlPool -ResourceGroupName $ResourceGroupName -WorkspaceName $WorkspaceName -Name $SQLPoolName

+# Transform Synapse SQL pool resource ID to SQL database ID because currently the restore command only accepts the SQL database ID format.

+$DatabaseID = $SQLPool.Id -replace "Microsoft.Synapse", "Microsoft.Sql" `

+ -replace "workspaces", "servers" `

+ -replace "sqlPools", "databases"

+# Restore database from a restore point

+$RestoredDatabase = Restore-AzSynapseSqlPool ΓÇôFromRestorePoint -RestorePoint $PointInTime -ResourceGroupName $SQLPool.ResourceGroupName `

+ -WorkspaceName $SQLPool.WorkspaceName -TargetSqlPoolName $NewSQLPoolName ΓÇôResourceId $DatabaseID -PerformanceLevel DW100c

+# Use the following command to restore to a different workspace

+#$TargetResourceGroupName = $SQLPool.ResourceGroupName # for restoring to different workspace in same resourcegroup

+#$RestoredDatabase = Restore-AzSynapseSqlPool ΓÇôFromRestorePoint -RestorePoint $PointInTime -ResourceGroupName $TargetResourceGroupName `

+# -WorkspaceName $TargetWorkspaceName -TargetSqlPoolName $NewSQLPoolName ΓÇôResourceId $DatabaseID -PerformanceLevel DW100c

+# Verify the status of restored database

+$RestoredDatabase.status

+```

+## Restore an existing dedicated SQL pool to a different subscription through PowerShell

+When performing a cross-subscription restore, a synapse workspace dedicated SQL pool can only restore to a standalone dedicated SQL pool (formerly SQL DW). The PowerShell below is similar to the above however there are three main differences:

+- After retrieving the SQL Pool object to be restored, the subscription context needs to be switched to the destination (or target) subscription name.

+- When performing the restore, use the Az.Sql modules instead of the Az.Synapse modules.

+- If it is required to restore the dedicated SQL pool to a Synapse workspace in the destination subscription, an additional restore step is required.

+Steps:

+1. Open PowerShell.

+2. Update Az.Sql Module to 3.8.0 (or greater) if needed

+3. Connect to your Azure account and list all the subscriptions associated with your account.

+4. Select the subscription that contains the SQL pool to be restored.

+5. List the restore points for the dedicated SQL pool.

+6. Pick the desired restore point using the RestorePointCreationDate.

+7. Select the destination subscription in which the SQL pool should be restored.

+8. Restore the dedicated SQL pool to the desired restore point using [Restore-AzSqlDatabase](/powershell/module/az.sql/restore-azsqldatabase?toc=/azure/synapse-analytics/sql-data-warehouse/toc.json&bc=/azure/synapse-analytics/sql-data-warehouse/breadcrumb/toc.json) PowerShell cmdlet.

+9. Verify that the restored dedicated SQL pool (formerly SQL DW) is online.

+10. If the desired destination is a Synapse Workspace, uncomment the code to perform the additional restore step.

+ 1. Create a restore point for the newly created data warehouse.

+ 2. Retrieve the last restore point created by using the "Select -Last 1" syntax.

+ 3. Perform the restore to the desired Synapse workspace.

+```powershell

+$SourceSubscriptionName="<YourSubscriptionName>"

+$SourceResourceGroupName="<YourResourceGroupName>"

+$SourceWorkspaceName="<YourServerNameWithoutURLSuffixSeeNote>" # Without sql.azuresynapse.net

+$SourceSQLPoolName="<YourDatabaseName>"

+$TargetSubscriptionName="<YourTargetSubscriptionName>"

+$TargetResourceGroupName="<YourTargetResourceGroupName>"

+$TargetServerName="<YourTargetServerNameWithoutURLSuffixSeeNote>" # Without sql.azuresynapse.net

+$TargetDatabaseName="<YourDatabaseName>"

+#$TargetWorkspaceName="<YourTargetWorkspaceName>" # uncomment if restore to a synapse workspace is required

+# Update Az.Sql module to the latest version (3.8.0 or above)

+# Update-Module -Name Az.Sql -RequiredVersion 3.8.0

+Connect-AzAccount

+Get-AzSubscription

+Select-AzSubscription -SubscriptionName $SourceSubscriptionName

+# list all restore points

+Get-AzSynapseSqlPoolRestorePoint -ResourceGroupName $ResourceGroupName -WorkspaceName $WorkspaceName -Name $SQLPoolName

+# Pick desired restore point using RestorePointCreationDate "xx/xx/xxxx xx:xx:xx xx"

+$PointInTime="<RestorePointCreationDate>"

+# Get the specific SQL pool to restore

+$SQLPool = Get-AzSynapseSqlPool -ResourceGroupName $ResourceGroupName -WorkspaceName $WorkspaceName -Name $SQLPoolName

+# Transform Synapse SQL pool resource ID to SQL database ID because currently the restore command only accepts the SQL database ID format.

+$DatabaseID = $SQLPool.Id -replace "Microsoft.Synapse", "Microsoft.Sql" `

+ -replace "workspaces", "servers" `

+ -replace "sqlPools", "databases"

+# Switch context to the destination subscription

+Select-AzSubscription -SubscriptionName $TargetSubscriptionName

+# Restore database from a desired restore point of the source database to the target server in the desired subscription

+$RestoredDatabase = Restore-AzSqlDatabase ΓÇôFromPointInTimeBackup ΓÇôPointInTime $PointInTime -ResourceGroupName $TargetResourceGroupName `

+ -ServerName $TargetServerName -TargetDatabaseName $TargetDatabaseName ΓÇôResourceId $Database.ID

+# Verify the status of restored database

+$RestoredDatabase.status

+# uncomment below cmdlets to perform one more restore to push the SQL Pool to an existing workspace in the destination subscription

+# # Create restore point

+# New-AzSqlDatabaseRestorePoint -ResourceGroupName $RestoredDatabase.ResourceGroupName -ServerName $RestoredDatabase.ServerName `

+# -DatabaseName $RestoredDatabase.DatabaseName -RestorePointLabel "UD-001"

+# # Gets the last restore point of the sql dw (will use the RestorePointCreationDate property)

+# $RestorePoint = Get-AzSqlDatabaseRestorePoint -ResourceGroupName $RestoredDatabase.ResourceGroupName -ServerName $RestoredDatabase.ServerName `

+# -DatabaseName $RestoredDatabase.DatabaseName | Select -Last 1

+# # Restore to destination synapse workspace

+# $FinalRestore = Restore-AzSynapseSqlPool ΓÇôFromRestorePoint -RestorePoint $RestorePoint.RestorePointCreationDate -ResourceGroupName $TargetResourceGroupName `

+# -WorkspaceName $TargetWorkspaceName -TargetSqlPoolName $TargetDatabaseName ΓÇôResourceId $RestoredDatabase.ResourceID -PerformanceLevel DW100c

+```

+ 2. To restore to a different subscription, see the [below section](#restore-an-existing-dedicated-sql-pool-formerly-sql-dw-to-a-different-subscription-through-powershell).

+## Restore an existing dedicated SQL pool (formerly SQL DW) to a different subscription through PowerShell

+This is similar guidance to restoring an existing dedicated SQL pool, however the below instructions show that [Get-AzSqlDatabase](/powershell/module/az.sql/Get-AzSqlDatabase?toc=/azure/synapse-analytics/sql-data-warehouse/toc.json&bc=/azure/synapse-analytics/sql-data-warehouse/breadcrumb/toc.json) PowerShell cmdlet should be performed in the originating subscription while the [Restore-AzSqlDatabase](/powershell/module/az.sql/restore-azsqldatabase?toc=/azure/synapse-analytics/sql-data-warehouse/toc.json&bc=/azure/synapse-analytics/sql-data-warehouse/breadcrumb/toc.json) PowerShell cmdlet should be performed in the destination subscription. Note that the user performing the restore must have proper permissions in both the source and target subscriptions.

+1. Open PowerShell.

+2. Update Az.Sql Module to 3.8.0 (or greater) if needed

+3. Connect to your Azure account and list all the subscriptions associated with your account.

+4. Select the subscription that contains the database to be restored.

+5. List the restore points for the dedicated SQL pool (formerly SQL DW).

+6. Pick the desired restore point using the RestorePointCreationDate.

+7. Select the destination subscription in which the database should be restored.

+8. Restore the dedicated SQL pool (formerly SQL DW) to the desired restore point using [Restore-AzSqlDatabase](/powershell/module/az.sql/restore-azsqldatabase?toc=/azure/synapse-analytics/sql-data-warehouse/toc.json&bc=/azure/synapse-analytics/sql-data-warehouse/breadcrumb/toc.json) PowerShell cmdlet.

+9. Verify that the restored dedicated SQL pool (formerly SQL DW) is online.

+```powershell

+$SourceSubscriptionName="<YourSubscriptionName>"

+$SourceResourceGroupName="<YourResourceGroupName>"

+$SourceServerName="<YourServerNameWithoutURLSuffixSeeNote>" # Without database.windows.net

+$SourceDatabaseName="<YourDatabaseName>"

+$TargetSubscriptionName="<YourTargetSubscriptionName>"

+$TargetResourceGroupName="<YourTargetResourceGroupName>"

+$TargetServerName="<YourTargetServerNameWithoutURLSuffixSeeNote>" # Without database.windows.net

+$TargetDatabaseName="<YourDatabaseName>"

+# Update Az.Sql module to the latest version (3.8.0 or above)

+# Update-Module -Name Az.Sql -RequiredVersion 3.8.0

+Connect-AzAccount

+Get-AzSubscription

+Select-AzSubscription -SubscriptionName $SourceSubscriptionName

+# Pick desired restore point using RestorePointCreationDate "xx/xx/xxxx xx:xx:xx xx"

+$PointInTime="<RestorePointCreationDate>"

+# Or list all restore points

+Get-AzSqlDatabaseRestorePoint -ResourceGroupName $SourceResourceGroupName -ServerName $SourceServerName -DatabaseName $SourceDatabaseName

+# Get the specific database to restore

+$Database = Get-AzSqlDatabase -ResourceGroupName $SourceResourceGroupName -ServerName $SourceServerName -DatabaseName $SourceDatabaseName

+# Switch context to the destination subscription

+Select-AzSubscription -SubscriptionName $TargetSubscriptionName

+# Restore database from a desired restore point of the source database to the target server in the desired subscription

+$RestoredDatabase = Restore-AzSqlDatabase ΓÇôFromPointInTimeBackup ΓÇôPointInTime $PointInTime -ResourceGroupName $TargetResourceGroupName -ServerName $TargetServerName -TargetDatabaseName $TargetDatabaseName ΓÇôResourceId $Database.ResourceID

+# Verify the status of restored database

+$RestoredDatabase.status

+```

+If you are accessing storage using [credentials](develop-storage-files-storage-access-control.md#credentials), make sure that your [Managed identity](develop-storage-files-storage-access-control.md?tabs=managed-identity) or [SPN](develop-storage-files-storage-access-control.md?tabs=service-principal) has Data Reader/Contributor role, or ACL permissions. If you have used [SAS token](develop-storage-files-storage-access-control.md?tabs=shared-access-signature) make sure that it has `rl` permission and that it hasn't expired.

+If your query fails with the error 'File cannot be opened because it does not exist or it is used by another process' and you're sure that both files exist and aren't used by another process, then serverless SQL pool can't access the file. This problem usually happens because your Azure Active Directory identity doesn't have rights to access the file or because a firewall is blocking access to the file. By default, serverless SQL pool is trying to access the file using your Azure Active Directory identity. To resolve this issue, you need to have proper rights to access the file. The easiest way is to grant yourself a 'Storage Blob Data Contributor' role on the storage account you're trying to query.

+* All users that need access to some data in this container also need to have the EXECUTE permission on all parent folders up to the root (the container).

+Creation of the snapshots alone might not be sufficient for disaster recovery. You must also copy the snapshots to another region. See [Copy an incremental snapshot to a new region](disks-copy-incremental-snapshot-across-regions.md).

+ Title: Copy a snapshot to a new region

+description: Learn how to copy an incremental snapshot of a managed disk to a different region.

+ms.devlang: azurecli

+# Copy an incremental snapshot to a new region

+Incremental snapshots can be copied to any region. The process is managed by Azure, removing the maintenance overhead of managing the copy process by staging a storage account in the target region. Azure ensures that only changes since the last snapshot in the target region are copied to the target region to reduce the data footprint, reducing the recovery point objective. You can check the progress of the copy so you know when a target snapshot is ready to restore disks in the target region. You're only charged for the bandwidth cost of the data transfer across the region and the read transactions on the source snapshots.

+This article covers copying an incremental snapshot from one region to another. See [Create an incremental snapshot for managed disks](disks-incremental-snapshots.md) for conceptual details on incremental snapshots.

+## Restrictions

+- You can copy 100 incremental snapshots in parallel at the same time per subscription per region.

+- If you use the REST API, you must use version 2020-12-01 or newer of the Azure Compute REST API.

+## Get started

+# [Azure CLI](#tab/azure-cli)

+You can use the Azure CLI to copy an incremental snapshot. You will need the latest version of the Azure CLI. See the following articles to learn how to either [install](/cli/azure/install-azure-cli) or [update](/cli/azure/update-azure-cli) the Azure CLI.

+The following script will copy an incremental snapshot from one region to another:

+```azurecli

+subscriptionId=<yourSubscriptionID>

+resourceGroupName=<yourResourceGroupName>

+name=<targetSnapshotName>

+sourceSnapshotResourceId=<sourceSnapshotResourceId>

+targetRegion=<validRegion>

+sourceSnapshotId=$(az snapshot show -n $sourceSnapshotName -g $resourceGroupName --query [id] -o tsv)

+az snapshot create -g $resourceGroupName -n $targetSnapshotName --source $sourceSnapshotId --incremental --copy-start

+az snapshot show -n $sourceSnapshotName -g $resourceGroupName --query [completionPercent] -o tsv

+```

+# [Azure PowerShell](#tab/azure-powershell)

+You can use the Azure PowerShell module to copy an incremental snapshot. You will need the latest version of the Azure PowerShell module. The following command will either install it or update your existing installation to latest:

+```PowerShell

+Install-Module -Name Az -AllowClobber -Scope CurrentUser

+```

+Once that is installed, login to your PowerShell session with `Connect-AzAccount`.

+The following script will copy an incremental snapshot from one region to another.

+```azurepowershell

+$subscriptionId="yourSubscriptionIdHere"

+$resourceGroupName="yourResourceGroupNameHere"

+$sourceSnapshotName="yourSourceSnapshotNameHere"

+$targetSnapshotName="yourTargetSnapshotNameHere"

+$targetRegion="desiredRegion"

+Set-AzContext -Subscription $subscriptionId

+$sourceSnapshot=Get-AzSnapshot -ResourceGroupName $resourceGroupName -SnapshotName $sourceSnapshotName

+$snapshotconfig = New-AzSnapshotConfig -Location $targetRegion -CreateOption CopyStart -Incremental -SourceResourceId $sourceSnapshot.Id

+New-AzSnapshot -ResourceGroupName $resourceGroupName -SnapshotName $targetSnapshotName -Snapshot $snapshotconfig

+$targetSnapshot=Get-AzSnapshot -ResourceGroupName $resourceGroupName -SnapshotName $targetSnapshotName

+$targetSnapshot.CompletionPercent

+```

+# [Portal](#tab/azure-portal)

+You can also copy an incremental snapshot across regions in the Azure portal. However, you must use this specific link to access the portal, for now: https://aka.ms/incrementalsnapshot

+1. Sign in to the [Azure portal](https://aka.ms/incrementalsnapshot) and navigate to the incremental snapshot you'd like to migrate.

+1. Select **Copy snapshot**.

+ :::image type="content" source="media/disks-incremental-snapshots/disks-copy-snapshot.png" alt-text="Screenshot of snapshot overview, copy snapshot highlighted." lightbox="media/disks-incremental-snapshots/disks-copy-snapshot.png":::

+1. For **Snapshot type** under **Instance details** select **Incremental**.

+1. Change the **Region** to the region you'd like to copy the snapshot to.

+ :::image type="content" source="media/disks-incremental-snapshots/disks-copy-snapshot-region-select.png" alt-text="Screenshot of copy snapshot experience, new region selected, incremental selected." lightbox="media/disks-incremental-snapshots/disks-copy-snapshot-region-select.png":::

+1. Select **Review + Create** and then **Create**.

+# [Resource Manager Template](#tab/azure-resource-manager)

+You can also use Azure Resource Manager templates to copy an incremental snapshot. You must use version **2020-12-01** or newer of the Azure Compute REST API. The following snippet is an example of how to copy an incremental snapshot across regions with Resource Manager templates:

+```json

+{

+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ "name": {

+ "defaultValue": "isnapshot1",

+ "type": "String"

+ },

+ "sourceSnapshotResourceId": {

+ "defaultValue": "<your_incremental_snapshot_resource_ID>",

+ "type": "String"

+ },

+ "skuName": {

+ "defaultValue": "Standard_LRS",

+ "type": "String"

+ },

+ "targetRegion": {

+ "defaultValue": "desired_region",

+ "type": "String"

+ }

+ },

+ "variables": {},

+ "resources": [

+ {

+ "type": "Microsoft.Compute/snapshots",

+ "sku": {

+ "name": "[parameters('skuName')]",

+ "tier": "Standard"

+ },

+ "name": "[parameters('name')]",

+ "apiVersion": "2020-12-01",

+ "location": "[parameters('targetRegion')]",

+ "scale": null,

+ "properties": {

+ "creationData": {

+ "createOption": "CopyStart",

+ "sourceResourceId": "[parameters('sourceSnapshotResourceId')]"

+ },

+ "incremental": true

+ },

+ "dependsOn": []

+ }

+ ]

+}

+```

+## Next steps

+If you'd like to see sample code demonstrating the differential capability of incremental snapshots, using .NET, see [Copy Azure Managed Disks backups to another region with differential capability of incremental snapshots](https://github.com/Azure-Samples/managed-disks-dotnet-backup-with-incremental-snapshots).

+See [Copy an incremental snapshot to a new region](disks-copy-incremental-snapshot-across-regions.md) to learn how to copy an incremental snapshot across regions.

+>Azure Hybrid Benefit for BYOS VMs is in Preview now. You can [sign up for the preview here.](https://aka.ms/ahb-linux-form) You will receive a mail from Microsoft once your subscriptions are enabled for Preview.

+If you need an X11 server for remote connections to an NV or NVv2 VM, [x11vnc](https://wiki.archlinux.org/title/X11vnc) is recommended because it allows hardware acceleration of graphics. The BusID of the M60 device must be manually added to the X11 configuration file (usually, `etc/X11/xorg.conf`). Add a `"Device"` section similar to the following:

+## What is RHEL in-place upgrade?

+During an in-place upgrade, the earlier RHEL OS major version will be replaced with the new RHEL OS major version without removing the earlier version first. The installed applications and utilities, along with the configurations and preferences, are incorporated into the new version.

+## Upgrade from RHEL 7 VMs to RHEL 8 VMs

+## Upgrade SAP environments from RHEL 7 VMs to RHEL 8 VMs

+# Azure Virtual Network NAT metrics and alerts

+This article provides an overview of all NAT gateway metrics and diagnostic capabilities. This article provides general guidance on how to use metrics and alerts to monitor, manage, and [troubleshoot](troubleshoot-nat.md) your NAT gateway resource.

+Azure Virtual Network NAT gateway provides the following diagnostic capabilities:

+- Multi-dimensional metrics and alerts through Azure Monitor. You can use these metrics to monitor and manage your NAT gateway and to assist you in troubleshooting issues.

+- Network Insights: Azure Monitor Insights provides you with visual tools to view, monitor, and assist you in diagnosing issues with your NAT gateway resource. Insights provide you with a topological map of your Azure setup and metrics dashboards.

+## Metrics overview

+| SNAT Connection Count | Number of new SNAT connections over a given interval of time | Sum | Connection State, Protocol (6 TCP; 17 UDP) |

+| Total SNAT connection count | Total number of active SNAT connections (~ SNAT ports currently in use by NAT gateway) | Sum | Protocol (6 TCP; 17 UDP) |

+| Data path availability (Preview) | Availability of the data path of the NAT gateway. Used to determine whether the NAT gateway endpoints are available for outbound traffic flow. | Avg | Availability (0, 100) |

+## Where to find my NAT gateway metrics

+NAT gateway metrics can be found in the following locations in the Azure portal.

+- **Metrics** page under **Monitoring** from a NAT gateway's resource page.

+- **Insights** page under **Monitoring** from a NAT gateway's resource page.

+ :::image type="content" source="./media/nat-metrics/nat-insights-metrics.png" alt-text="Screenshot of the insights and metrics options in NAT gateway overview.":::

+- Azure Monitor page under **Metrics**.

+ :::image type="content" source="./media/nat-metrics/azure-monitor.png" alt-text="Screenshot of the metrics section of Azure Monitor.":::

+To view any one of your metrics for a given NAT gateway resource:

+1. Select the NAT gateway resource you would like to monitor.

+2. In the **Metric** drop-down menu, select one of the provided metrics.

+3. In the **Aggregation** drop-down menu, select the recommended aggregation listed in the [metrics overview](#metrics-overview) table.

+ :::image type="content" source="./media/nat-metrics/nat-metrics-1.png" alt-text="Screenshot of the metrics setup configuration in NAT gateway resource.":::

+4. To adjust the time frame over which the chosen metric is presented on the metrics graph or to adjust how frequently the chosen metric is measured, select the **Time** window in the top right corner of the metrics page and make your adjustments.

+ :::image type="content" source="./media/nat-metrics/nat-metrics-2.png" alt-text="Screenshot of the metrics time setup configuration in NAT gateway resource.":::

+## How to use NAT gateway metrics

+### Bytes

+The **Bytes** metric shows you the amount of data going outbound through NAT gateway and returning inbound in response to an outbound connection.

+Use this metric for the following measurements:

+- Assess the amount of data being processed through NAT gateway to connect outbound or return inbound.

+To view the amount of data sent in one or both directions when connecting outbound through NAT gateway:

+1. Select the NAT gateway resource you would like to monitor.

+2. In the **Metric** drop-down menu, select the **Bytes** metric.

+3. In the **Aggregation** drop-down menu, select **Sum**.

+4. Select to **Add filter**.

+5. In the **Property** drop-down menu, select **Direction (Out | In)**.

+6. In the **Values** drop-down menu, select **Out**, **In**, or both.

+7. To see data processed inbound or outbound as their own individual lines in the metric graph, select **Apply splitting**.

+8. In the **Values** drop-down menu, select **Direction (Out | In)**.

+### Packets

+The packets metric shows you the number of data packets transmitted through the NAT gateway.

+Use this metric to:

+

+- To confirm that traffic is being sent through your NAT gateway to go outbound to the internet or return inbound.

+- To assess the amount of traffic being directed through your NAT gateway resource outbound or inbound (when in response to an outbound directed flow).

+To view the number of packets sent in one or both directions when connecting outbound through NAT gateway, follow the same steps in the [Bytes](#bytes) section.

+### Dropped packets

+The dropped packets metric shows you the number of data packets dropped by NAT gateway when directing traffic outbound or inbound in response to an outbound connection.

+Use this metric to:

+- Assess whether or not you're nearing or possibly experiencing SNAT exhaustion with a given NAT gateway resource. Check to see if periods of dropped packets coincide with periods of failed SNAT connections with the [Total SNAT Connection Count](#total-snat-connection-count) metric.

+- Help assess if you're experiencing a pattern of failed outbound connections.

+Reasons for why you may see dropped packets:

+- If you're seeing a high rate of dropped packets, it may be due to outbound connectivity failure. Connectivity failure may happen for various reasons. See the NAT gateway [troubleshooting guide](/azure/virtual-network/nat-gateway/troubleshoot-nat) to help you further diagnose.

+### SNAT connection count

+The SNAT connection count metric shows you the number of newly used SNAT ports within a specified time frame.

+Use this metric to:

+- Evaluate the number of successful and failed attempts to make outbound connections.

+- Help assess if you're experiencing a pattern of failed outbound connections.

+To view the number of attempted and failed connections:

+1. Select the NAT gateway resource you would like to monitor.

+2. In the **Metric** drop-down menu, select the **SNAT Connection Count** metric.

+3. In the **Aggregation** drop-down menu, select **Sum**.

+4. Select to **Add filter**.

+5. In the **Property** drop-down menu, select **Connection State**.

+6. In the **Values** drop-down menu, select **Attempted**, **Failed**, or both.

+7. To see attempted and failed connections as their own individual lines in the metric graph, select **Apply splitting**.

+8. In the **Values** drop-down menu, select **Connection State**.

+ :::image type="content" source="./media/nat-metrics/nat-metrics-3.png" alt-text="Screenshot of the metrics configuration.":::

+Reasons for why you may see failed connections:

+- If you're seeing a pattern of failed connections for your NAT gateway resource, there could be multiple possible reasons. See the NAT gateway [troubleshooting guide](/azure/virtual-network/nat-gateway/troubleshoot-nat) to help you further diagnose.

+### Total SNAT connection count

+The **Total SNAT connection count** metric shows you the total number of active SNAT connections over a period of time.

+You can use this metric to:

+- Monitor SNAT port utilization on a given NAT gateway resource.

+- Analyze over a given time interval to provide insight on whether or not NAT gateway connectivity should be scaled out further by adding more public IPs.

+- Assess whether or not you're nearing or possibly experiencing SNAT exhaustion with a given NAT gateway resource.

+### Data path availability (Preview)

+The data path availability metric measures the status of the NAT gateway resource over time. This metric informs on whether or not NAT gateway is available for directing outbound traffic to the internet. This metric is a reflection of the health of the Azure infrastructure.

+You can use this metric to:

+- Monitor the availability of your NAT gateway resource.

+- Investigate the platform where your NAT gateway is deployed and determine if itΓÇÖs healthy.

+- Isolate whether an event is related to your NAT gateway or to the underlying data plane.

+Reasons for why you may see a drop in data path availability include:

+- An infrastructure outage has occurred.

+- There aren't healthy VMs available in your NAT gateway configured subnet. For more information, see the NAT gateway [troubleshooting guide](/azure/virtual-network/nat-gateway/troubleshoot-nat).

+Alerts can be configured in Azure Monitor for each of the preceding metrics. These alerts proactively notify you when important conditions are found in your monitoring data. They allow you to identify and address potential issues with your NAT gateway resource.

+For more information about how metric alerts work, see [Azure Monitor Metric Alerts](/azure/azure-monitor/alerts/alerts-metric-overview). See guidance below on how to configure some common and recommended types of alerts for your NAT gateway.

+### Alerts for SNAT port usage

+Use the total **SNAT connection count** metric and alerts for when you're nearing the limits of available SNAT ports.

+To create the alert, use the following steps:

+1. From the NAT gateway resource page, select **Alerts**.

+2. Select **Create alert rule**.

+3. From the signal list, select **Total SNAT Connection Count**.

+4. From the **Operator** drop-down menu, select **Less than or equal to**.

+5. From the **Aggregation type** drop-down menu, select **Total**.

+6. In the **Threshold value** box, enter a percentage value that the Total SNAT connection count must drop below before an alert is fired. When deciding what threshold value to use, keep in mind how much you've scaled out your NAT gateway outbound connectivity with public IP addresses. For more information, see [Scale NAT gateway](/azure/virtual-network/nat-gateway/nat-gateway-resource#scale-nat-gateway).

+7. From the **Unit** drop-down menu, select **Count**.

+8. From the **Aggregation granularity (Period)** drop-down menu, select a time period over which you would like the SNAT connection count to be measured.

+9. Create an **Action** for your alert by providing a name, notification type, and type of action that is performed when the alert is triggered.

+10. Before deploying your action, **test the action group**.

+11. Select **Create** to create the alert rule.

+>[!NOTE]

+>SNAT exhaustion on your NAT gateway resource is uncommon. If you see SNAT exhaustion, your NAT gateway's idle timeout timer may be holding on to SNAT ports too long or your may need to scale with additional public IPs. To troubleshoot these kinds of issues, refer to the NAT gateway [troubleshooting guide](/azure/virtual-network/nat-gateway/troubleshoot-nat).

+## Network Insights

+[Azure Monitor Network Insights](/azure/azure-monitor/insights/network-insights-overview) allows you to visualize your Azure infrastructure setup and to review all metrics for your NAT gateway resource from a pre-configured metrics dashboard. These visual tools help you diagnose and troubleshoot any issues with your NAT gateway resource.

+### View the topology of your Azure architectural setup

+To view a topological map of your setup in Azure:

+1. From your NAT gatewayΓÇÖs resource page, select **Insights** from the **Monitoring** section.

+2. On the landing page for **Insights**, you'll see a topology map of your NAT gateway setup. This map will show you the relationship between the different components of your network (subnets, virtual machines, public IP addresses).

+3. Hover over any component in the topology map to view configuration information.

+ :::image type="content" source="./media/nat-metrics/nat-insights.png" alt-text="Screenshot of the Insights section of NAT gateway.":::

+### View all NAT gateway metrics in a dashboard

+The metrics dashboard can be used to better understand the performance and health of your NAT gateway resource. The metrics dashboard shows a view of all metrics for NAT gateway on a single page.

+- All NAT gateway metrics can be viewed in a dashboard when selecting **Show Metrics Pane**.

+ :::image type="content" source="./media/nat-metrics/nat-metrics-pane.png" alt-text="Screenshot of the show metrics pane.":::

+- A full page view of all NAT gateway metrics can be viewed when selecting **View Detailed Metrics**.

+ :::image type="content" source="./media/nat-metrics/detailed-metrics.png" alt-text="Screenshot of the view detailed metrics.":::

+For more information on what each metric is showing you and how to analyze these metrics, see [How to use NAT gateway metrics](#how-to-use-nat-gateway-metrics).

+- Resource health isn't supported.

+ Title: 'Create a NAT gateway - Bicep'

+description: This quickstart shows how to create a NAT gateway using Bicep.

+documentationcenter: na

+# Customer intent: I want to create a NAT gateway using Bicep so that I can provide outbound connectivity for my virtual machines.

+ na

+# Quickstart: Create a NAT gateway - Bicep

+Get started with Virtual Network NAT using Bicep. This Bicep file deploys a virtual network, a NAT gateway resource, and Ubuntu virtual machine. The Ubuntu virtual machine is deployed to a subnet that is associated with the NAT gateway resource.

+## Prerequisites

+If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+## Review the Bicep file

+The Bicep file used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/nat-gateway-1-vm/).

+This Bicep file is configured to create a:

+* Virtual network

+* NAT gateway resource

+* Ubuntu virtual machine

+The Ubuntu VM is deployed to a subnet that's associated with the NAT gateway resource.

+Nine Azure resources are defined in the Bicep file:

+* **[Microsoft.Network/networkSecurityGroups](/azure/templates/microsoft.network/networksecuritygroups)**: Creates a network security group.

+* **[Microsoft.Network/networkSecurityGroups/securityRules](/azure/templates/microsoft.network/networksecuritygroups/securityrules)**: Creates a security rule.

+* **[Microsoft.Network/publicIPAddresses](/azure/templates/microsoft.network/publicipaddresses)**: Creates a public IP address.

+* **[Microsoft.Network/publicIPPrefixes](/azure/templates/microsoft.network/publicipprefixes)**: Creates a public IP prefix.

+* **[Microsoft.Compute/virtualMachines](/azure/templates/Microsoft.Compute/virtualMachines)**: Creates a virtual machine.

+* **[Microsoft.Network/virtualNetworks](/azure/templates/microsoft.network/virtualnetworks)**: Creates a virtual network.

+* **[Microsoft.Network/natGateways](/azure/templates/microsoft.network/natgateways)**: Creates a NAT gateway resource.

+* **[Microsoft.Network/virtualNetworks/subnets](/azure/templates/microsoft.network/virtualnetworks/subnets)**: Creates a virtual network subnet.

+* **[Microsoft.Network/networkinterfaces](/azure/templates/microsoft.network/networkinterfaces)**: Creates a network interface.

+## Deploy the Bicep file

+1. Save the Bicep file as **main.bicep** to your local computer.

+1. Deploy the Bicep file using either Azure CLI or Azure PowerShell.

+ # [CLI](#tab/CLI)

+ ```azurecli

+ az group create --name exampleRG --location eastus

+ az deployment group create --resource-group exampleRG --template-file main.bicep --parameters adminusername=<admin-name>

+ ```

+ # [PowerShell](#tab/PowerShell)

+ ```azurepowershell

+ New-AzResourceGroup -Name exampleRG -Location eastus

+ New-AzResourceGroupDeployment -ResourceGroupName exampleRG -TemplateFile ./main.bicep -adminusername "<admin-name>"

+ ```

+

+ > [!NOTE]

+ > Replace **\<admin-name\>** with the administrator username for the virtual machine. You'll also be prompted to enter **adminpassword**.

+ When the deployment finishes, you should see a message indicating the deployment succeeded.

+## Review deployed resources

+Use the Azure portal, Azure CLI, or Azure PowerShell to list the deployed resources in the resource group.

+# [CLI](#tab/CLI)

+```azurecli-interactive

+az resource list --resource-group exampleRG

+```

+# [PowerShell](#tab/PowerShell)

+```azurepowershell-interactive

+Get-AzResource -ResourceGroupName exampleRG

+```

+## Clean up resources

+When no longer needed, use the Azure portal, Azure CLI, or Azure PowerShell to delete the resource group and its resources.

+# [CLI](#tab/CLI)

+```azurecli-interactive

+az group delete --name exampleRG

+```

+# [PowerShell](#tab/PowerShell)

+```azurepowershell-interactive

+Remove-AzResourceGroup -Name exampleRG

+```

+## Next steps

+In this quickstart, you created a:

+* NAT gateway resource

+* Virtual network

+* Ubuntu virtual machine

+The virtual machine is deployed to a virtual network subnet associated with the NAT gateway.

+To learn more about Virtual Network NAT and Bicep, continue to the articles below.

+* Read an [Overview of Virtual Network NAT](nat-overview.md)

+* Read about the [NAT Gateway resource](nat-gateway-resource.md)

+* Learn more about [Bicep](../../azure-resource-manager/bicep/overview.md)