+> Australia (AU) and New Zealand (NZ)

+ > [!NOTE]

+ > Under **Advanced diagnostic information**, it's highly recommended that you allow the collection of advanced information by selecting **Yes**. It enables Microsoft support team to investigate the issue faster.

+ Title: Instructions for data retrieval from Azure Active Directory Domain Services | Microsoft Docs

+description: Learn how to retrieve data from Azure Active Directory Domain Services (Azure AD DS).

+# Azure AD DS instructions for data retrieval

+This document describes how to retrieve data from Azure Active Directory Domain Services (Azure AD DS).

+## Use Azure Active Directory to create, read, update, and delete user objects

+You can create a user in the Azure AD portal or by using Graph PowerShell or Graph API. You can also read, update, and delete users. The next sections show how to do these operations in the Azure AD portal.

+### Create, read, or update a user

+You can create a new user using the Azure Active Directory portal.

+To add a new user, follow these steps:

+1. Sign in to the [Azure portal](https://portal.azure.com/) in the User Administrator role for the organization.

+1. Search for and select *Azure Active Directory* from any page.

+1. Select **Users**, and then select **New user**.

+ 

+1. On the **User** page, enter information for this user:

+ - **Name**. Required. The first and last name of the new user. For example, *Mary Parker*.

+ - **User name**. Required. The user name of the new user. For example, `mary@contoso.com`.

+ - **Groups**. Optionally, you can add the user to one or more existing groups.

+ - **Directory role**: If you require Azure AD administrative permissions for the user, you can add them to an Azure AD role.

+ - **Job info**: You can add more information about the user here.

+1. Copy the autogenerated password provided in the **Password** box. You'll need to give this password to the user to sign in for the first time.

+1. Select **Create**.

+The user is created and added to your Azure AD organization.

+To read or update a user, search for and select the user such as, _Mary Parker_. Change any property and click **Save**.

+### Delete a user

+To delete a user, follow these steps:

+1. Search for and select the user you want to delete from your Azure AD tenant. For example, _Mary Parker_.

+1. Select **Delete user**.

+ 

+The user is deleted and no longer appears on the **Users - All users** page. The user can be seen on the **Deleted users** page for the next 30 days and can be restored during that time.

+When a user is deleted, any licenses consumed by the user are made available for other users.

+## Use RSAT tools to connect to an Azure AD DS managed domain and view users

+Sign in to an administrative workstation with a user account that's a member of the *AAD DC Administrators* group. The following steps require installation of [Remote Server Administration Tools (RSAT)](tutorial-create-management-vm.md#install-active-directory-administrative-tools).

+1. From the **Start** menu, select **Windows Administrative Tools**. The Active Directory Administration Tools are listed.

+ 

+1. Select **Active Directory Administrative Center**.

+1. To explore the managed domain, choose the domain name in the left pane, such as *aaddscontoso*. Two containers named *AADDC Computers* and *AADDC Users* are at the top of the list.

+ 

+1. To see the users and groups that belong to the managed domain, select the **AADDC Users** container. The user accounts and groups from your Azure AD tenant are listed in this container.

+ In the following example output, a user account named *Contoso Admin* and a group for *AAD DC Administrators* are shown in this container.

+ 

+1. To see the computers that are joined to the managed domain, select the **AADDC Computers** container. An entry for the current virtual machine, such as *myVM*, is listed. Computer accounts for all devices that are joined to the managed domain are stored in this *AADDC Computers* container.

+You can also use the *Active Directory Module for Windows PowerShell*, installed as part of the administrative tools, to manage common actions in your managed domain.

+## Next steps

+* [Azure AD DS Overview](overview.md)

+ h. **NOT REGEX MATCH**. Clause returns "true" if the evaluated attribute doesn't match a regular expression pattern. It will return "false" if the attribute is null / empty.

+> - Scoping filters will return "false" if the value is null / empty

+### Add a comma between last name and first name.

+Add a comma between last name and first name.

+**Expression:**

+`Join(", ", "", [surname], [givenName])`

+**Sample input/output:**

+* **INPUT** (givenName): "John"

+* **INPUT** (surname): "Doe"

+* **OUTPUT**: "Doe, John"

+# Azure AD on-premises application identity provisioning architecture (preview)

+## Provisioning agent history

+### Download link

+### 1.1.846.0

+#### Fixed issues

+>This information last updated on April 14th, 2022.<br/>You can also download a CSV version of this table [here](https://download.microsoft.com/download/e/3/e/e3e9faf2-f28b-490a-9ada-c6089a1fc5b0/Product%20names%20and%20service%20plan%20identifiers%20for%20licensing.csv).

+| Microsoft 365 F5 Security Add-on | SPE_F5_SEC | 67ffe999-d9ca-49e1-9d2c-03fb28aa7a48 | MTP (bf28f719-7844-4079-9c78-c1307898e192)<br/>ATP_ENTERPRISE (f20fedf3-f3c3-43c3-8267-2bfdd51c0939)<br/>THREAT_INTELLIGENCE (8e0c0a52-6a6c-4d40-8370-dd62790dcd70)<br/>WINDEFATP (871d91ec-ec1a-452b-a83f-bd76c7d770ef)<br/>AAD_PREMIUM_P2 (eec0eb4f-6444-4f95-aba0-50c24d67f998)<br/>ADALLOM_S_STANDALONE (2e2ddb96-6af9-4b1d-a3f0-d6ecfd22edb2)<br/>ATA (14ab5db5-e6c4-4b20-b4bc-13e36fd2227f) | Microsoft 365 Defender (bf28f719-7844-4079-9c78-c1307898e192)<br/>Microsoft Defender for Office 365 (Plan 1) (f20fedf3-f3c3-43c3-8267-2bfdd51c0939)<br/>Microsoft Defender for Office 365 (Plan 2) (8e0c0a52-6a6c-4d40-8370-dd62790dcd70)<br/>Microsoft Defender for Endpoint (871d91ec-ec1a-452b-a83f-bd76c7d770ef)<br/>Azure Active Directory Premium P2 (eec0eb4f-6444-4f95-aba0-50c24d67f998)<br/>Microsoft Defender for Cloud Apps (2e2ddb96-6af9-4b1d-a3f0-d6ecfd22edb2)<br/>Microsoft Defender for Identity (14ab5db5-e6c4-4b20-b4bc-13e36fd2227f) |

+ <when condition="@(context.Response.StatusCode >= 500)">

+ <send-one-way-request mode="new">

+ <set-url>https://hooks.slack.com/services/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</set-url>

+ <set-method>POST</set-method>

+ <set-body>@{

+ return new JObject(

+ new JProperty("username","APIM Alert"),

+ new JProperty("icon_emoji", ":ghost:"),

+ new JProperty("text", String.Format("{0} {1}\nHost: {2}\n{3} {4}\n User: {5}",

+ context.Request.Method,

+ context.Request.Url.Path + context.Request.Url.QueryString,

+ context.Request.Url.Host,

+ context.Response.StatusCode,

+ context.Response.StatusReason,

+ context.User.Email

+ ))

+ ).ToString();

+ }</set-body>

+ </send-one-way-request>

+ </when>

+ <!-- Check active property in response -->

+ <when condition="@((bool)((IResponse)context.Variables["tokenstate"]).Body.As<JObject>()["active"] == false)">

+ <!-- Return 401 Unauthorized with http-problem payload -->

+ <return-response response-variable-name="existing response variable">

+ <set-status code="401" reason="Unauthorized" />

+ <set-header name="WWW-Authenticate" exists-action="override">

+ <value>Bearer error="invalid_token"</value>

+ </set-header>

+ </return-response>

+ </when>

+ </choose>

+ <set-url>@($"https://production.acme.com/throughput?from={(string)context.Variables["fromDate"]}&to={(string)context.Variables["fromDate"]}")</set-url>

+ <set-url>@($"https://production.acme.com/accidentdata?from={(string)context.Variables["fromDate"]}&to={(string)context.Variables["fromDate"]}")</set-url>

+API Management will send these requests sequentially.

+ <inbound>

+ <set-variable name="fromDate" value="@(context.Request.Url.Query["fromDate"].Last())">

+ <set-variable name="toDate" value="@(context.Request.Url.Query["toDate"].Last())">

+ <set-url>@($"https://production.acme.com/throughput?from={(string)context.Variables["fromDate"]}&to={(string)context.Variables["fromDate"]}")"</set-url>

+ <set-url>@($"https://production.acme.com/accidentdata?from={(string)context.Variables["fromDate"]}&to={(string)context.Variables["fromDate"]}")"</set-url>

+ ).ToString())

+ </inbound>

+ <backend>

+ <base />

+ </backend>

+ <outbound>

+ <base />

+ </outbound>

+> * Using NAT gateway with App Service is dependent on virtual network integration, and therefore a supported App Service plan pricing tier is required.

+* The feature is available from all App Service deployments in Premium v2 and Premium v3. It's also available in Basic and Standard tier but only from newer App Service deployments. If you're on an older deployment, you can only use the feature from a Premium v2 App Service plan. If you want to make sure you can use the feature in a Standard App Service plan, create your app in a Premium v3 App Service plan. Those plans are only supported on our newest deployments. You can scale down if you want after the plan is created.

+* **App Service plan pricing tier charges**: Your apps need to be in a Basic, Standard, Premium, Premium v2, or Premium v3 App Service plan. For more information on those costs, see [App Service pricing](https://azure.microsoft.com/pricing/details/app-service/).

+## RBAC permissions required to access Kudu

+| [!INCLUDE [Deploy app service step 2](<./includes/tutorial-dotnetcore-sqldb-app/visual-studio-code-deploy-app-service-02.md>)] | :::image type="content" source="./media/tutorial-dotnetcore-sqldb-app/visual-studio-code-publish-folder-small.png" alt-text="A screenshot showing how to deploy using the publish folder." lightbox="./media/tutorial-dotnetcore-sqldb-app/visual-studio-code-publish-folder.png"::: :::image type="content" source="./media/tutorial-dotnetcore-sqldb-app/visual-studio-code-publish-workflow-small.png" alt-text="A screenshot showing the command palette deployment workflow." lightbox="./media/tutorial-dotnetcore-sqldb-app/visual-studio-code-publish-workflow.png"::: |

+ Title: 'Quickstart: Direct web traffic using Bicep'

+description: In this quickstart, you learn how to use Bicep to create an Azure Application Gateway that directs web traffic to virtual machines in a backend pool.

+# Quickstart: Direct web traffic with Azure Application Gateway - Bicep

+In this quickstart, you use Bicep to create an Azure Application Gateway. Then you test the application gateway to make sure it works correctly.

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+## Review the Bicep file

+This Bicep file creates a simple setup with a public front-end IP address, a basic listener to host a single site on the application gateway, a basic request routing rule, and two virtual machines in the backend pool.

+The Bicep file used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/ag-docs-qs/)

+Multiple Azure resources are defined in the Bicep file:

+- [**Microsoft.Network/applicationgateways**](/azure/templates/microsoft.network/applicationgateways)

+- [**Microsoft.Network/publicIPAddresses**](/azure/templates/microsoft.network/publicipaddresses) : one for the application gateway, and two for the virtual machines.

+- [**Microsoft.Network/networkSecurityGroups**](/azure/templates/microsoft.network/networksecuritygroups)

+- [**Microsoft.Network/virtualNetworks**](/azure/templates/microsoft.network/virtualnetworks)

+- [**Microsoft.Compute/virtualMachines**](/azure/templates/microsoft.compute/virtualmachines) : two virtual machines

+- [**Microsoft.Network/networkInterfaces**](/azure/templates/microsoft.network/networkinterfaces) : two for the virtual machines

+- [**Microsoft.Compute/virtualMachine/extensions**](/azure/templates/microsoft.compute/virtualmachines/extensions) : to configure IIS and the web pages

+## Deploy the Bicep file

+1. Save the Bicep file as **main.bicep** to your local computer.

+1. Deploy the Bicep file using either Azure CLI or Azure PowerShell.

+ # [CLI](#tab/CLI)

+ ```azurecli

+ az group create --name myResourceGroupAG --location eastus

+ az deployment group create --resource-group myResourceGroupAG --template-file main.bicep --parameters adminUsername=<admin-username>

+ ```

+ # [PowerShell](#tab/PowerShell)

+ ```azurepowershell

+ New-AzResourceGroup -Name myResourceGroupAG -Location eastus

+ New-AzResourceGroupDeployment -ResourceGroupName myResourceGroupAG -TemplateFile ./main.bicep -adminUsername "<admin-username>"

+ ```

+

+ > [!NOTE]

+ > Replace **\<admin-username\>** with the admin username for the backend servers. You'll also be prompted to enter **adminPassword**.

+ When the deployment finishes, you should see a message indicating the deployment succeeded.

+## Validate the deployment

+Use the Azure portal, Azure CLI, or Azure PowerShell to list the deployed resources in the resource group.

+# [CLI](#tab/CLI)

+```azurecli-interactive

+az resource list --resource-group myResourceGroupAG

+```

+# [PowerShell](#tab/PowerShell)

+```azurepowershell-interactive

+Get-AzResource -ResourceGroupName myResourceGroupAG

+```

+## Clean up resources

+When no longer needed, use the Azure portal, Azure CLI, or Azure PowerShell to delete the resource group and its resources.

+# [CLI](#tab/CLI)

+```azurecli-interactive

+az group delete --name myResourceGroupAG

+```

+# [PowerShell](#tab/PowerShell)

+```azurepowershell-interactive

+Remove-AzResourceGroup -Name myResourceGroupAG

+```

+## Next steps

+> [!div class="nextstepaction"]

+> [Manage web traffic with an application gateway using the Azure CLI](./tutorial-manage-web-traffic-cli.md)

+Azure Form Recognizer is a cloud-based Azure Applied AI Service that uses machine-learning models to extract key-value pairs, text, and tables from your documents. You can use Form Recognizer to automate your data processing in applications and workflows, enhance data-driven strategies, and enrich document search capabilities.

+You'll need the following to get started:

+1. On the sample tool home page, select **Use prebuilt model to get data**.

+1. Select the **Form Type** to analyze from the dropdown window.

+1. On the sample tool home page, select **Use Layout to get text, tables and selection marks**.

+ [CORS (Cross Origin Resource Sharing)](/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services) needs to be configured on your Azure storage account for it to be accessible from the Form Recognizer Studio. To configure CORS in the Azure portal, you'll need access to the CORS blade of your storage account.

+ :::image type="content" source="../media/quickstarts/cors-setting-menu.png" alt-text="Screenshot of the CORS setting menu in the Azure portal.":::

+ 1. Set the **Allowed origins** to **<https://fott-2-1.azurewebsites.net>**.

+ :::image type="content" source="../media/quickstarts/storage-cors-example.png" alt-text="Screenshot that shows CORS configuration for a storage account.":::

+ > [!TIP]

+ > You can use the wildcard character '*' rather than a specified domain to allow all origin domains to make requests via CORS.

+ 1. Select the save button at the top of the page to save the changes.

+1. On the sample tool home page, select **Use custom form to train a model with labels and get key-value pairs**.

+ * To retrieve the SAS URL for your custom model training data, go to your storage resource in the Azure portal and select the **Storage Explorer** tab. Navigate to your container, right-click, and select **Get shared access signature**. It's important to get the SAS for your container, not for the storage account itself. Make sure the **Read**, **Write**, **Delete** and **List** permissions are checked, and select **Create**. Then copy the value in the **URL** section to a temporary location. It should have the form: `https://<storage account>.blob.core.windows.net/<container name>?<SAS value>`.

+The labeling tool will also show which tables have been automatically extracted. Select the table/grid icon on the left hand of the document to see the extracted table. Because the table content is automatically extracted, we won't label the table content, but rather rely on the automated extraction.

+Next, you'll create tags (labels) and apply them to the text elements that you want the model to analyze. Note the sample label data set includes already labeled fields; we'll add another field.

+1. Select the **Analyze** (light bulb) icon on the left to test your model.

+1. Select source **Local file** and browse for a file to select from the sample dataset that you unzipped in the test folder.

+> Form Recognizer Studio is currently in public preview. Some features may not be supported or have limited capabilities.

+ :::image type="content" source="../media/quickstarts/cors-setting-menu.png" alt-text="Screenshot of the CORS setting menu in the Azure portal.":::

+1. Start by creating a new CORS entry in the Blob service.

+1. Set the **Allowed origins** to **<https://formrecognizer.appliedai.azure.com>**.

+ :::image type="content" source="../media/quickstarts/cors-updated-image.png" alt-text="Screenshot that shows CORS configuration for a storage account.":::

+ > [!TIP]

+ > You can use the wildcard character '*' rather than a specified domain to allow all origin domains to make requests via CORS.

+1. Select all the available 8 options for **Allowed methods**.

+1. Approve all **Allowed headers** and **Exposed headers** by entering an * in each field.

+1. Set the **Max Age** to 120 seconds or any acceptable value.

+1. Select the save button at the top of the page to save the changes.

+> Signature fields are currently only supported for custom template models. When training a custom neural model, labeled signature fields are ignored.

+Applications hosted in Kubernetes can access data in App Configuration [using the App Configuration provider library](./enable-dynamic-configuration-aspnet-core.md). The App Configuration provider has built-in caching and refreshing capabilities so applications can have dynamic configuration without redeployment. If you prefer not to update your application, this tutorial shows how to bring data from App Configuration to your Kubernetes using Helm via deployment. This way, your application can continue accessing configuration from Kubernetes variables and secrets. You run Helm upgrade when you want your application to pick up new configuration changes.

+| Connections Created Per Second | The number of instantaneous connections created per second on the cache via port 6379 or 6380 (SSL). This metric can help identify whether clients are frequently disconnecting and reconnecting, which can cause higher CPU usage and Redis Server Load. |

+| Connections Closed Per Second | The number of instantaneous connections closed per second on the cache via port 6379 or 6380 (SSL). This metric can help identify whether clients are frequently disconnecting and reconnecting, which can cause higher CPU usage and Redis Server Load. |

+> * Starting with [version 2.3.0](https://github.com/Azure/azure-functions-durable-extension/releases/tag/v2.3.0) of the Durable Extension, Durable timers are unlimited for .NET apps. For JavaScript, Python, and PowerShell apps, as well as .NET apps using earlier versions of the extension, Durable timers are limited to six days. When you are using an older extension version or a non-.NET language runtime and need a delay longer than six days, use the timer APIs in a `while` loop to simulate a longer delay.

+|[Ciracom Inc.](https://www.ciracomcloud.com)|

+|I10 Inc|

+| Windows client installer | Public preview | [Set up Azure Monitor agent on Windows client devices](azure-monitor-agent-windows-client.md) |

+Prices for Log Alert rules are available on the [Azure Monitor pricing page](https://azure.microsoft.com/pricing/details/monitor/).

+ | Adds CPU, memory, and I/O usage trends |No |Yes |

+> On **February 29th, 2024,** [support for classic Application Insights will end](https://azure.microsoft.com/updates/we-re-retiring-classic-application-insights-on-29-february-2024). [Transition to workspace-based Application Insights](convert-classic-resource.md) to take advantage of [new capabilities](create-workspace-resource.md#new-capabilities). Newer regions introduced after February 2021 do not support creating classic Application Insights resources.

+### I can't see some of the logs from my application in the workspace.

+This may happen because of adaptive sampling. Adaptive sampling is enabled by default in all the latest versions of the Application Insights ASP.NET and ASP.NET Core Software Development Kits (SDKs). See the [Sampling in Application Insights](/azure/azure-monitor/app/sampling) for more details.

+Download the [applicationinsights-agent-3.2.11.jar](https://github.com/microsoft/ApplicationInsights-Java/releases/download/3.2.11/applicationinsights-agent-3.2.11.jar) file.

+Add `-javaagent:path/to/applicationinsights-agent-3.2.11.jar` to your application's JVM args.

+ - Or you can create a configuration file named `applicationinsights.json`. Place it in the same directory as `applicationinsights-agent-3.2.11.jar` with the following content:

+1. Add `applicationinsights-core-2.6.4.jar` to your application. All 2.x versions are supported by Application Insights Java 3.x. If you have a choice, it's worth using the latest version:

+Add the JVM arg `-javaagent:path/to/applicationinsights-agent-3.2.11.jar` somewhere before `-jar`, for example:

+java -javaagent:path/to/applicationinsights-agent-3.2.11.jar -jar <myapp.jar>

+If you're using the *exec* form, add the parameter `"-javaagent:path/to/applicationinsights-agent-3.2.11.jar"` to the parameter list somewhere before the `"-jar"` parameter, for example:

+ENTRYPOINT ["java", "-javaagent:path/to/applicationinsights-agent-3.2.11.jar", "-jar", "<myapp.jar>"]

+If you're using the *shell* form, add the JVM arg `-javaagent:path/to/applicationinsights-agent-3.2.11.jar` somewhere before `-jar`, for example:

+ENTRYPOINT java -javaagent:path/to/applicationinsights-agent-3.2.11.jar -jar <myapp.jar>

+JAVA_OPTS="$JAVA_OPTS -javaagent:path/to/applicationinsights-agent-3.2.11.jar"

+CATALINA_OPTS="$CATALINA_OPTS -javaagent:path/to/applicationinsights-agent-3.2.11.jar"

+If the file `<tomcat>/bin/setenv.sh` already exists, then modify that file and add `-javaagent:path/to/applicationinsights-agent-3.2.11.jar` to `CATALINA_OPTS`.

+set CATALINA_OPTS=%CATALINA_OPTS% -javaagent:path/to/applicationinsights-agent-3.2.11.jar

+set "CATALINA_OPTS=%CATALINA_OPTS% -javaagent:path/to/applicationinsights-agent-3.2.11.jar"

+If the file `<tomcat>/bin/setenv.bat` already exists, just modify that file and add `-javaagent:path/to/applicationinsights-agent-3.2.11.jar` to `CATALINA_OPTS`.

+Locate the file `<tomcat>/bin/tomcat8w.exe`. Run that executable and add `-javaagent:path/to/applicationinsights-agent-3.2.11.jar` to the `Java Options` under the `Java` tab.

+Add `-javaagent:path/to/applicationinsights-agent-3.2.11.jar` to the existing `JAVA_OPTS` environment variable in the file `JBOSS_HOME/bin/standalone.conf` (Linux) or `JBOSS_HOME/bin/standalone.conf.bat` (Windows):

+ JAVA_OPTS="-javaagent:path/to/applicationinsights-agent-3.2.11.jar -Xms1303m -Xmx1303m ..."

+Add `-javaagent:path/to/applicationinsights-agent-3.2.11.jar` to the existing `jvm-options` in `JBOSS_HOME/domain/configuration/host.xml`:

+ <option value="-javaagent:path/to/applicationinsights-agent-3.2.11.jar"/>

+-javaagent:path/to/applicationinsights-agent-3.2.11.jar

+Add `-javaagent:path/to/applicationinsights-agent-3.2.11.jar` to the existing `jvm-options` in `glassfish/domains/domain1/config/domain.xml`:

+ -javaagent:path/to/applicationinsights-agent-3.2.11.jar>

+Go to **servers > WebSphere application servers > Application servers**, choose the appropriate application servers and select:

+-javaagent:path/to/applicationinsights-agent-3.2.11.jar

+-javaagent:path/to/applicationinsights-agent-3.2.11.jar

+By default, Application Insights Java 3.x expects the configuration file to be named `applicationinsights.json`, and to be located in the same directory as `applicationinsights-agent-3.2.11.jar`.

+If you specify a relative path, it will be resolved relative to the directory where `applicationinsights-agent-3.2.11.jar` is located.

+If you specify a relative path, it will be resolved relative to the directory where `applicationinsights-agent-3.2.11.jar` is located.

+Starting from 3.2.11, you can capture request and response headers on your server (request) telemetry:

+Starting from version 3.2.11, you can change this behavior to capture them as success if you prefer:

+> Vertx HTTP Library instrumentation is available starting from version 3.2.11

+`applicationinsights-agent-3.2.11.jar` is located.

+that holds the `applicationinsights-agent-3.2.11.jar` file.

+`applicationinsights-agent-3.2.11.jar` file.

+Activity logs insights let you view information about changes to resources and resource groups in your Azure subscription. It uses information from the [Activity log](activity-log.md) to also present data about which users or services performed particular activities in the subscription. This includes which administrators deleted, updated or created resources, and whether the activities failed or succeeded. This article explains how to enable and use Activity log insights.

+## Enable Activity log insights

+The only requirement to enable Activity log insights is to [configure the Activity log to export to a Log Analytics workspace](activity-log.md#send-to-log-analytics-workspace). Pre-built [workbooks](/azure/azure-monitor/visualize/workbooks-overview) curate this data, which is stored in the [AzureActivity](/azure/azure-monitor/reference/tables/azureactivity) table in the workspace.

+Pricing is available on the [Azure Monitor pricing page](https://azure.microsoft.com/pricing/details/monitor/).

+You can communicate with the Azure Monitor Log Analytics API using this endpoint: `https://api.loganalytics.io`. To access the API, you must authenticate through Azure Active Directory (Azure AD).

+ - **hostname**: `https://api.loganalytics.io`

+You can also use this flow to request a token to `https://api.loganalytics.io`. Replace the "resource" in the example.

+- A direct URL for the API: `https://api.loganalytics.io`

+Azure NetApp Files volumes have a limit called *`maxfiles`*. The `maxfiles` limit is the number of files a volume can contain. Linux file systems refer to the limit as *inodes*. The `maxfiles` limit for an Azure NetApp Files volume is indexed based on the size (quota) of the volume. The `maxfiles` limit for a volume increases or decreases at the rate of 21,251,126 files per TiB of provisioned volume size.

+The service dynamically adjusts the `maxfiles` limit for a volume based on its provisioned size. For example, a volume configured initially with a size of 1 TiB would have a `maxfiles` limit of 21,251,126. Subsequent changes to the size of the volume would result in an automatic readjustment of the `maxfiles` limit based on the following rules:

+| <= 1 TiB | 21,251,126 |

+| > 1 TiB but <= 2 TiB | 42,502,252 |

+| > 2 TiB but <= 3 TiB | 63,753,378 |

+| > 3 TiB but <= 4 TiB | 85,004,504 |

+| > 4 TiB | 106,255,630 |

+If you have allocated at least 4 TiB of quota for a volume, you can initiate a [support request](#request-limit-increase) to increase the `maxfiles` (inodes) limit beyond 106,255,630. For every 106,255,630 files you increase (or a fraction thereof), you need to increase the corresponding volume quota by 4 TiB. For example, if you increase the `maxfiles` limit from 106,255,630 files to 212,511,260 files (or any number in between), you need to increase the volume quota from 4 TiB to 8 TiB.

+You can increase the `maxfiles` limit to 531,278,150 if your volume quota is at least 20 TiB.

+> [!NOTE]

+> From Visual Studio Code, you can directly create resource declarations by importing from existing resources. For more information, see [Bicep commands](./visual-studio-code.md#bicep-commands).

+In this quickstart, you use the [GitHub Actions for Azure Resource Manager deployment](https://github.com/marketplace/actions/deploy-azure-resource-manager-arm-template) to automate deploying a Bicep file to Azure.

+Your GitHub Actions runs under an identity. Use the [az ad sp create-for-rbac](/cli/azure/ad/sp#az-ad-sp-create-for-rbac) command to create a [service principal](../../active-directory/develop/app-objects-and-service-principals.md#service-principal-object) for the identity.

+ Title: Create Bicep files by using Visual Studio Code

+description: Describes how to create Bicep files by using Visual Studio Code

+# Create Bicep files by using Visual Studio Code

+This article shows you how to use Visual Studio Code to create Bicep files

+## Install VS Code

+To set up your environment for Bicep development, see [Install Bicep tools](install.md). After completing those steps, you'll have [Visual Studio Code](https://code.visualstudio.com/) and the [Bicep extension](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-bicep). You also have either the latest [Azure CLI](/cli/azure/) or the latest [Azure PowerShell module](/powershell/azure/new-azureps-module-az).

+## Bicep commands

+Visual Studio Code comes with several Bicep commands.

+Open or create a Bicep file in VS Code, select the **View** menu and then select **Command Palette**. You can also use the key combination **[CTRL]+[SHIFT]+P** to bring up the command palette.

+

+### Build

+The `build` command converts a Bicep file to an Azure Resource Manager template (ARM template). The new JSON template is stored in the same folder with the same file name. If a file with the same file name exists, it overwrites the old file. For more information, see [Bicep CLI commands](./bicep-cli.md#bicep-cli-commands).

+### Insert Resource

+The `insert resource` command adds a resource declaration in the Bicep file by providing the resource ID of an existing resource. After you select **Insert Resource**, enter the resource ID in the command palette. It takes a few moments to insert the resource.

+You can find the resource ID from the Azure portal, or by using:

+# [CLI](#tab/CLI)

+```azurecli

+az resource list

+```

+# [PowerShell](#tab/PowerShell)

+```azurepowershell

+Get-AzResource

+```

+Similar to exporting templates, the process tries to create a usable resource. However, most of the inserted resources require some modification before they can be used to deploy Azure resources.

+For more information, see [Decompiling ARM template JSON to Bicep](./decompile.md).

+### Open Visualizer

+The visualizer shows the resources defined in the Bicep file with the resource dependency information. The diagram is the visualization of a [Linux virtual machine Bicep file](https://github.com/Azure/azure-quickstart-templates/blob/master/quickstarts/microsoft.compute/vm-simple-linux/main.bicep).

+[](./media/visual-studio-code/visual-studio-code-bicep-visualizer-expanded.png#lightbox)

+## Next steps

+To walk through a quickstart, see [Quickstart: Create Bicep files with Visual Studio Code](./quickstart-create-bicep-use-visual-studio-code.md).

+| Microsoft.Media | [Media Services](/azure/media-services/) |

+For more information about resource providers, including how to register a resource provider, see [Azure resource providers and types](resource-providers-and-types.md).

+ Title: 'Tutorial: Deploy Bastion using manual settings: Azure portal'

+# Tutorial: Deploy Bastion using manual settings

+1. Go to your VNet.

+1. Click **Bastion** in the left pane to open the **Bastion** page.

+1. On the Bastion page, click **Configure manually**. This lets you configure specific additional settings before deploying Bastion to your VNet.

+ :::image type="content" source="./media/tutorial-create-host-portal/configure-manually.png" alt-text="Screenshot of Bastion page showing configure manually button." lightbox="./media/tutorial-create-host-portal/configure-manually.png":::

+1. On the **Create a Bastion** page, configure the settings for your bastion host. Project details are populated from your virtual network values. Configure the **Instance details** values.

+ * **Name**: Type the name that you want to use for your bastion resource.

+ * **Region**: The Azure public region in which the resource will be created. Choose the region in which your virtual network resides.

+ * **Tier:** The tier is also known as the **SKU**. For this tutorial, select **Standard**. The Standard SKU lets you configure the instance count for host scaling and other features. For more information about features that require the Standard SKU, see [Configuration settings - SKU](configuration-settings.md#skus).

+ * **Instance count:** This is the setting for **host scaling**. It's configured in scale unit increments. Use the slider or type a number to configure the instance count that you want. For this tutorial, you can select the instance count you'd prefer. For more information, see [Host scaling](configuration-settings.md#instance) and [Pricing](https://azure.microsoft.com/pricing/details/azure-bastion).

+ :::image type="content" source="./media/tutorial-create-host-portal/instance-values.png" alt-text="Screenshot of Bastion page instance values." lightbox="./media/tutorial-create-host-portal/instance-values.png":::

+1. Configure the **virtual networks** settings. Select the VNet from the dropdown. If you don't see your VNet in the dropdown list, make sure you selected the correct Resource Group and Region in the previous settings on this page.

+1. To configure the AzureBastionSubnet, click **Manage subnet configuration**.

+ :::image type="content" source="./media/tutorial-create-host-portal/select-vnet.png" alt-text="Screenshot of configure virtual networks section." lightbox="./media/tutorial-create-host-portal/select-vnet.png":::

+1. On the **Add subnet page**, create the 'AzureBastionSubnet' subnet using the following values. Leave the other values as default.

+ * The subnet name must be **AzureBastionSubnet**.

+ Click **Save** at the bottom of the page to save your values.

+1. At the top of the **Subnets** page, click **Create a Bastion** to return to the Bastion configuration page.

+1. The public IP address section is where you configure the public IP address of the Bastion host resource on which RDP/SSH will be accessed (over port 443). The public IP address must be in the same region as the Bastion resource you're creating. This IP address doesn't have anything to do with any of the VMs that you want to connect to. Create a new IP address. You can leave the default naming suggestion.

+1. When you finish specifying the settings, select **Review + Create**. This validates the values.

+1. Once validation passes, you can deploy Bastion. Click **Create**. You'll see a message letting you know that your deployment is process. Status will display on this page as the resources are created. It takes about 10 minutes for the Bastion resource to be created and deployed.

+Let's use a sample Cloud Foundry application called Hello Spring Cloud, which is written in Java and based on the [Spring Framework](https://spring.io) and [Spring Boot](https://spring.io/projects/spring-boot).

+[spring-boot]: https://spring.io/projects/spring-boot

+* The minimum height of the text to be extracted is 12 pixels for a 1024X768 image. This corresponds to about 8 font point text at 150 DPI.

+ * The throughput for question answering is currently capped at 10 transactions per second for both management APIs and prediction APIs.

+* **Number of documents as sources**: There are no limits to the number of documents you can add as sources in question answering.

+The throughput for question answering is currently capped at 10 transactions per second for both management APIs and prediction APIs. To target 10 transactions per second for your service, we recommend the S1 (one instance) SKU of Azure Cognitive Search.

+|SIP/TLS|SIP Proxy|SBC|1024ΓÇô65535|Defined on the SBC|

+ Title: Connect to SQL databases

+description: Automate workflows for SQL databases on premises or in the cloud with Azure Logic Apps.

+This article shows how to access your SQL database with the SQL Server connector in Azure Logic Apps. You can then create automated workflows that are triggered by events in your SQL database or other systems and manage your SQL data and resources.

+For example, you can use actions that get, insert, and delete data along with running SQL queries and stored procedures. You can create workflow that checks for new records in a non-SQL database, does some processing work, creates new records in your SQL database using the results, and sends email alerts about the new records in your SQL database.

+ The SQL Server connector supports the following SQL editions:

+* [SQL Server](/sql/sql-server/sql-server-technical-documentation)

+* [Azure SQL Database](../azure-sql/database/sql-database-paas-overview.md)

+* [Azure SQL Managed Instance](../azure-sql/managed-instance/sql-managed-instance-paas-overview.md)

+If you're new to Azure Logic Apps, review the following documentation:

+* [What is Azure Logic Apps](../logic-apps/logic-apps-overview.md)

+* [Quickstart: Create your first logic app workflow](../logic-apps/quickstart-create-first-logic-app-workflow.md)

+* [SQL Server database](/sql/relational-databases/databases/create-a-database), [Azure SQL Database](../azure-sql/database/single-database-create-quickstart.md), or [SQL Managed Instance](../azure-sql/managed-instance/instance-create-quickstart.md).

+ The SQL connector requires that your tables contain data so that SQL connector operations can return results when called. For example, if you use Azure SQL Database, you can use the included sample databases to try the SQL connector operations.

+* The information required to create a SQL database connection, such as your SQL server and database names. If you're using Windows Authentication or SQL Server Authentication to authenticate access, you also need your user name and password. You can usually find this information in the connection string.

+ > [!NOTE]

+ >

+ > If you use a SQL Server connection string that you copied directly from the Azure portal,

+ > you have to manually add your password to the connection string.

+ * For a SQL database in Azure, the connection string has the following format:

+ 1. To find this string in the [Azure portal](https://portal.azure.com), open your database.

+ 1. On the database menu, under **Properties**, select **Connection strings**.

+ * For an on-premises SQL server, the connection string has the following format:

+ `Server={your-server-address};Database={your-database-name};User Id={your-user-name};Password={your-password};`

+* The logic app workflow where you want to access your SQL database. If you want to start your workflow with a SQL Server trigger operation, you have to start with a blank workflow.

+* To connect to an on-premises SQL server, the following extra requirements apply based on whether you have a Consumption logic app workflow, either in multi-tenant Azure Logic Apps or an [integration service environment (ISE)](../logic-apps/connect-virtual-network-vnet-isolated-environment-overview.md), or if you have a Standard logic app workflow in [single-tenant Azure Logic Apps](../logic-apps/single-tenant-overview-compare.md).

+ * Consumption logic app workflow

+ * In multi-tenant Azure Logic Apps, you need the [on-premises data gateway](../logic-apps/logic-apps-gateway-install.md) installed on a local computer and a [data gateway resource that's already created in Azure](../logic-apps/logic-apps-gateway-connection.md).

+ * In an ISE, when you have non-Windows or SQL Server Authentication connections, you don't need the on-premises data gateway and can use the ISE-versioned SQL Server connector. For Windows Authentication and SQL Server Authentication, you still have to use the [on-premises data gateway](../logic-apps/logic-apps-gateway-install.md) and a [data gateway resource that's already created in Azure](../logic-apps/logic-apps-gateway-connection.md). Also, the ISE-versioned SQL Server connector doesn't support Windows authentication, so you have to use the non-ISE SQL Server connector.

+ * Standard logic app workflow

+ In single-tenant Azure Logic Apps, you can use the built-in SQL Server connector, which requires a connection string. If you want to use the managed SQL Server connector, you need follow the same requirements as a Consumption logic app workflow in multi-tenant Azure Logic Apps.

+## Connector technical reference

+This connector is available for logic app workflows in multi-tenant Azure Logic Apps, ISEs, and single-tenant Azure Logic Apps.

+* For Consumption logic app workflows in multi-tenant Azure Logic Apps, this connector is available only as a managed connector. For more information, review the [managed SQL Server connector operations](/connectors/sql).

+* For Consumption logic app workflows in an ISE, this connector is available as a managed connector and as an ISE connector that's designed to run in an ISE. For more information, review the [managed SQL Server connector operations](/connectors/sql).

+* For Standard logic app workflows in single-tenant Azure Logic Apps, this connector is available as a managed connector and as a built-in connector that's designed to run in the same process as the single-tenant Azure Logic Apps runtime. However, the built-in version differs in the following ways:

+ * The built-in SQL Server connector has no triggers.

+ * The built-in SQL Server connector has only one operation: **Execute Query**

+For the managed SQL Server connector technical information, such as trigger and action operations, limits, and known issues, review the [SQL Server connector's reference page](/connectors/sql/), which is generated from the Swagger description.

+<a name="add-sql-trigger"></a>

+## Add a SQL Server trigger

+The following steps use the Azure portal, but with the appropriate Azure Logic Apps extension, you can also use the following tools to create logic app workflows:

+* Consumption logic app workflows: [Visual Studio](../logic-apps/quickstart-create-logic-apps-with-visual-studio.md) or [Visual Studio Code](../logic-apps/quickstart-create-logic-apps-visual-studio-code.md)

+* Standard logic app workflows: [Visual Studio Code](../logic-apps/create-single-tenant-workflows-visual-studio-code.md)

+### [Consumption](#tab/consumption)

+1. In the Azure portal, open your blank logic app workflow in the designer.

+1. Find and select the [managed SQL Server connector trigger](/connectors/sql) that you want to use.

+ 1. Under the designer search box, select **All**.

+ 1. In the designer search box, enter **sql server**.

+ 1. From the triggers list, select the SQL trigger that you want. This example continues with the trigger named **When an item is created**.

+ 

+1. If you're connecting to your SQL database for the first time, you're prompted to [create your SQL database connection now](#create-connection). After you create this connection, you can continue with the next step.

+1. In the trigger, specify the interval and frequency for how often the trigger checks the table.

+1. To add other properties available for this trigger, open the **Add new parameter** list and select those properties.

+ This trigger returns only one row from the selected table, and nothing else. To perform other tasks, continue by adding either a [SQL Server connector action](#add-sql-action) or [another action](../connectors/apis-list.md) that performs the next task that you want in your logic app workflow.

+ For example, to view the data in this row, you can add other actions that create a file that includes the fields from the returned row, and then send email alerts. To learn about other available actions for this connector, see the [connector's reference page](/connectors/sql/).

+1. On the designer toolbar, select **Save**.

+ Although this step automatically enables and publishes your logic app live in Azure, the only action that your logic app currently takes is to check your database based on your specified interval and frequency.

+### [Standard](#tab/standard)

+In Standard logic app workflows, only the managed SQL Server connector has triggers. The built-in SQL Server connector doesn't have any triggers.

+1. In the Azure portal, open your blank logic app workflow in the designer.

+1. Find and select the [managed SQL Server connector trigger](/connectors/sql) that you want to use.

+ 1. Under the designer search box, select **Azure**.

+ 1. In the designer search box, enter **sql server**.

+ 1. From the triggers list, select the SQL trigger that you want. This example continues with the trigger named **When an item is created**.

+ 

+1. If you're connecting to your SQL database for the first time, you're prompted to [create your SQL database connection now](#create-connection). After you create this connection, you can continue with the next step.

+1. In the trigger, specify the interval and frequency for how often the trigger checks the table.

+1. To add other properties available for this trigger, open the **Add new parameter** list and select those properties.

+ This trigger returns only one row from the selected table, and nothing else. To perform other tasks, continue by adding either a [SQL connector action](#add-sql-action) or [another action](../connectors/apis-list.md) that performs the next task that you want in your logic app workflow.

+ For example, to view the data in this row, you can add other actions that create a file that includes the fields from the returned row, and then send email alerts. To learn about other available actions for this connector, see the [connector's reference page](/connectors/sql/).

+1. On the designer toolbar, select **Save**.

+ Although this step automatically enables and publishes your logic app live in Azure, the only action that your logic app currently takes is to check your database based on your specified interval and frequency.

+<a name="trigger-recurrence-shift-drift"></a>

+## Trigger recurrence shift and drift (daylight saving time)

+Recurring connection-based triggers where you need to create a connection first, such as the managed SQL Server trigger, differ from built-in triggers that run natively in Azure Logic Apps, such as the [Recurrence trigger](../connectors/connectors-native-recurrence.md). For recurring connection-based triggers, the recurrence schedule isn't the only driver that controls execution, and the time zone only determines the initial start time. Subsequent runs depend on the recurrence schedule, the last trigger execution, *and* other factors that might cause run times to drift or produce unexpected behavior. For example, unexpected behavior can include failure to maintain the specified schedule when daylight saving time (DST) starts and ends.

+To make sure that the recurrence time doesn't shift when DST takes effect, manually adjust the recurrence. That way, your workflow continues to run at the expected or specified start time. Otherwise, the start time shifts one hour forward when DST starts and one hour backward when DST ends. For more information, see [Recurrence for connection-based triggers](../connectors/apis-list.md#recurrence-for-connection-based-triggers).

+<a name="add-sql-action"></a>

+## Add a SQL Server action

+The following steps use the Azure portal, but with the appropriate Azure Logic Apps extension, you can also use Visual Studio to edit Consumption logic app workflows or Visual Studio Code to the following tools to edit logic app workflows:

+* Consumption logic app workflow: Visual Studio or Visual Studio Code

+* Standard logic app workflows: Visual Studio Code

+In this example, the logic app workflow starts with the [Recurrence trigger](../connectors/connectors-native-recurrence.md), and calls an action that gets a row from a SQL database.

+### [Consumption](#tab/consumption)

+1. In the Azure portal, open your logic app workflow in the designer.

+1. Find and select the [managed SQL Server connector action](/connectors/sql) that you want to use. This example continues with the action named **Get row**.

+ 1. Under the trigger or action where you want to add the SQL action, select **New step**.

+ Or, to add an action between existing steps, move your mouse over the connecting arrow. Select the plus sign (**+**) that appears, and then select **Add an action**.

+ 1. In the **Choose an operation** box, under the designer search box, select **All**.

+ 1. In the designer search box, enter **sql server**.

+ 1. From the actions list, select the SQL Server action that you want. This example uses the **Get row** action, which gets a single record.

+ 

+1. If you're connecting to your SQL database for the first time, you're prompted to [create your SQL database connection now](#create-connection). After you create this connection, you can continue with the next step.

+1. If you haven't already provided the SQL server name and database name, provide those values. Otherwise, from the **Table name** list, select the table that you want to use. In the **Row id** property, enter the ID for the record that you want.

+ In this example, the table name is **SalesLT.Customer**.

+ 

+ This action returns only one row from the selected table, and nothing else. To view the data in this row, add other actions, for example, those that create a file that includes the fields from the returned row, and store that file in a cloud storage account. To learn about other available actions for this connector, see the [connector's reference page](/connectors/sql/).

+1. When you're done, on the designer toolbar, select **Save**.

+### [Standard](#tab/standard)

+1. In the Azure portal, open your logic app workflow in the designer.

+1. Find and select the SQL Server connector action that you want to use.

+ 1. Under the trigger or action where you want to add the SQL Server action, select **New step**.

+ Or, to add an action between existing steps, move your mouse over the connecting arrow. Select the plus sign (**+**) that appears, and then select **Add an action**.

+ 1. In the **Choose an operation** box, under the designer search box, select either of the following options:

+ * **Built-in** when you want to use built-in SQL Server actions such as **Execute Query**

+ 

+ * **Azure** when you want to use [managed SQL Server connector actions](/connectors/sql) such as **Get row**

+ 

+ 1. In the designer search box, enter **sql server**.

+ 1. From the actions list, select the SQL Server action that you want.

+ * Built-in actions

+ This example selects the only available built-in action named **Execute Query**.

+ 

+ * Managed actions

+ This example selects the action named **Get row**, which gets a single record.

+ 

+1. If you're connecting to your SQL database for the first time, you're prompted to [create your SQL database connection now](#create-connection). After you create this connection, you can continue with the next step.

+1. If you haven't already provided the SQL server name and database name, provide those values. Otherwise, from the **Table name** list, select the table that you want to use. In the **Row id** property, enter the ID for the record that you want.

+ In this example, the table name is **SalesLT.Customer**.

+ 

+ This action returns only one row from the selected table, and nothing else. To view the data in this row, add other actions, for example, those that create a file that includes the fields from the returned row, and store that file in a cloud storage account. To learn about other available actions for this connector, see the [connector's reference page](/connectors/sql/).

+1. When you're done, on the designer toolbar, select **Save**.

+After you provide this information, continue with these steps:

+* [Connect to cloud-based Azure SQL Database or SQL Managed Instance](#connect-azure-sql-db)

+### Connect to Azure SQL Database or SQL Managed Instance

+To access a SQL Managed Instance without using the on-premises data gateway or integration service environment, you have to [set up the public endpoint on the SQL Managed Instance](../azure-sql/managed-instance/public-endpoint-configure.md). The public endpoint uses port 3342, so make sure that you specify this port number when you create the connection from your logic app.

+The first time that you add either a [SQL Server trigger](#add-sql-trigger) or [SQL Server action](#add-sql-action), and you haven't previously created a connection to your database, you're prompted to complete these steps:

+1. For **Connection name**, provide a name to use for your connection.

+1. For **Authentication type**, select the authentication that's required and enabled on your database in Azure SQL Database or SQL Managed Instance:

+ | **Service principal (Azure AD application)** | - Available only for the managed SQL Server connector. <br><br>- Requires an Azure AD application and service principal. For more information, see [Create an Azure AD application and service principal that can access resources using the Azure portal](../active-directory/develop/howto-create-service-principal-portal.md). |

+ | **Logic Apps Managed Identity** | - Available only for the managed SQL Server connector and ISE SQL Server connector. <br><br>- Requires the following items: <br><br> A valid managed identity that's [enabled on your logic app resource](../logic-apps/create-managed-service-identity.md) and has access to your database. <br><br> **SQL DB Contributor** role access to the SQL Server resource <br><br> **Contributor** access to the resource group that includes the SQL Server resource. <br><br>For more information, see [SQL - Server-Level Roles](/sql/relational-databases/security/authentication-access/server-level-roles). |

+ | [**Azure AD Integrated**](../azure-sql/database/authentication-aad-overview.md) | - Available only for the managed SQL Server connector and ISE SQL Server connector. <br><br>- Requires a valid managed identity in Azure Active Directory (Azure AD) that's [enabled on your logic app resource](../logic-apps/create-managed-service-identity.md) and has access to your database. For more information, see these topics: <br><br>- [Azure SQL Security Overview - Authentication](../azure-sql/database/security-overview.md#authentication) <br>- [Authorize database access to Azure SQL - Authentication and authorization](../azure-sql/database/logins-create-manage.md#authentication-and-authorization) <br>- [Azure SQL - Azure AD Integrated authentication](../azure-sql/database/authentication-aad-overview.md) |

+ | [**SQL Server Authentication**](/sql/relational-databases/security/choose-an-authentication-mode#connecting-through-sql-server-authentication) | - Available only for the managed SQL Server connector and ISE SQL Server connector. <br><br>- Requires the following items: <br><br> A data gateway resource that's previously created in Azure for your connection, regardless whether your logic app is in multi-tenant Azure Logic Apps or an ISE. <br><br> A valid user name and strong password that are created and stored in your SQL Server database. For more information, see the following topics: <br><br>- [Azure SQL Security Overview - Authentication](../azure-sql/database/security-overview.md#authentication) <br>- [Authorize database access to Azure SQL - Authentication and authorization](../azure-sql/database/logins-create-manage.md#authentication-and-authorization) |

+ This connection and authentication information box looks similar to the following example, which selects **Azure AD Integrated**:

+ * Consumption logic app workflows

+ 

+ * Standard logic app workflows

+ 

+1. After you select **Azure AD Integrated**, select **Sign in**. Based on whether you use Azure SQL Database or SQL Managed Instance, select your user credentials for authentication.

+ | **Server name** | Yes | The address for your SQL server, for example, **Fabrikam-Azure-SQL.database.windows.net** |

+ | **Database name** | Yes | The name for your SQL database, for example, **Fabrikam-Azure-SQL-DB** |

+ | **Table name** | Yes | The table that you want to use, for example, **SalesLT.Customer** |

+ > * Find this information in your database's connection string. For example, in the Azure portal, find and open your database. On the database menu, select either **Connection strings** or **Properties**, where you can find the following string:

+ This database information box looks similar to the following example:

+ * Consumption logic app workflows

+ 

+ * Standard logic app workflows

+ 

+ | [**SQL Server Authentication**](/sql/relational-databases/security/choose-an-authentication-mode#connecting-through-sql-server-authentication) | - Available only for the managed SQL Server connector and ISE SQL Server connector. <br><br>- Requires the following items: <br><br> A data gateway resource that's previously created in Azure for your connection, regardless whether your logic app is in multi-tenant Azure Logic Apps or an ISE. <br><br> A valid user name and strong password that are created and stored in your SQL Server. <br><br>For more information, see [SQL Server Authentication](/sql/relational-databases/security/choose-an-authentication-mode#connecting-through-sql-server-authentication). |

+ | [**Windows Authentication**](/sql/relational-databases/security/choose-an-authentication-mode#connecting-through-windows-authentication) | - Available only for the managed SQL Server connector. <br><br>- Requires the following items: <br><br> A data gateway resource that's previously created in Azure for your connection, regardless whether your logic app is in multi-tenant Azure Logic Apps or an ISE. <br><br> A valid Windows user name and password to confirm your identity through your Windows account. <br><br>For more information, see [Windows Authentication](/sql/relational-databases/security/choose-an-authentication-mode#connecting-through-windows-authentication). |

+ | **Connection Gateway** | Yes, for Windows authentication | The name for the data gateway resource that you previously created in Azure <br><br><br><br>**Tip**: If your gateway doesn't appear in the list, check that you correctly [set up your gateway](../logic-apps/logic-apps-gateway-connection.md). |

+ This connection and authentication information box looks similar to the following example, which selects **Windows Authentication**:

+ * Consumption logic app workflows

+ 

+ * Standard logic app workflows

+ 

+1. When you're ready, select **Create**.

+1. Now, continue with the steps that you haven't completed yet in either [Add a SQL trigger](#add-sql-trigger) or [Add a SQL action](#add-sql-action).

+ When a SQL action gets or inserts multiple rows, your logic app workflow can iterate through these rows by using an [*until loop*](../logic-apps/logic-apps-control-flow-loops.md#until-loop) within these [limits](../logic-apps/logic-apps-limits-and-config.md). However, when your logic app has to work with record sets so large, for example, thousands or millions of rows, that you want to minimize the costs resulting from calls to the database.

+ > and [SQL Managed Instance](../azure-sql/managed-instance/sql-managed-instance-paas-overview.md),

+1. In the [Azure portal](https://portal.azure.com), open your logic app workflow in the designer.

+1. In the **Choose an operation** box, find and select the action named [**Parse JSON**](../logic-apps/logic-apps-perform-data-operations.md#parse-json-action).

+* **A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections.**

+* **(provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server) (Microsoft SQL Server, Error: 53)**

+* **(provider: TCP Provider, error: 0 - No such host is known.) (Microsoft SQL Server, Error: 11001)**

+- HTTPS endpoints always use TLS 1.2, terminated at the ingress point

+- Request timeout is 240 seconds.

+The Azure Monitor metrics feature allows you to monitor your app's compute and network usage. These metrics are available to view and analyze through the [metrics explorer in the Azure portal](../azure-monitor/essentials/metrics-getting-started.md). Metric data is also available through the [Azure CLI](/cli/azure/monitor/metrics), and Azure [PowerShell cmdlets](/powershell/module/az.monitor/get-azmetric).

+You can configure alerts to send notifications based on metrics values and Log Analytics queries.  In the Azure portal, you can add alerts from the metrics explorer and the Log Analytics interface.

+### Setting alerts in the metrics explorer

+in the metrics explorer, you can create metric alerts based on Container Apps metrics. Once you create a metric chart, you're able to create alert rules based on the chart's settings. You can create an alert rule by selecting **New alert rule**.

+> [!div class="nextstepaction"]

+> [Health probes in Azure Container Apps](health-probes.md)

+> [Monitor an App in Azure Container Apps](monitor.md)

+[acr-scripts-cli]: https://github.com/Azure/azure-docs-cli-python-samples/tree/master/container-registry/create-registry/create-registry-service-principal-assign-role.sh

+Kubernetes uses an *image pull secret* to store information needed to authenticate to your registry. To create the pull secret for an Azure container registry, you provide the service principal ID, password, and the registry URL.

+[acr-scripts-cli]: https://github.com/Azure/azure-docs-cli-python-samples/tree/master/container-registry/create-registry/create-registry-service-principal-assign-role.sh

+* *Pull*: Deploy containers from a registry to orchestration systems including Kubernetes, DC/OS, and Docker Swarm. You can also pull from container registries to related Azure services such as [Azure Container Instances](container-registry-auth-aci.md), [App Service](../app-service/index.yml), [Batch](../batch/index.yml), [Service Fabric](../service-fabric/index.yml), and others.

+ > A service principal is recommended in several [Kubernetes scenarios](authenticate-kubernetes-options.md) to pull images from an Azure container registry. With Azure Kubernetes Service (AKS), you can also use an automated mechanism to authenticate with a target registry by enabling the cluster's [managed identity](../aks/cluster-container-registry-integration.md).

+Each value has the format `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx`.

+If you've added a certificate to your service principal, you can sign into the Azure CLI with certificate-based authentication, and then use the [az acr login][az-acr-login] command to access a registry. Using a certificate as a secret instead of a password provides additional security when you use the CLI.

+* Create a [multitenant app](../active-directory/develop/single-and-multi-tenant-apps.md) (service principal) in Tenant A

+The service principal is created with one-year validity. You have options to extend the validity further than one year, or can provide expiry date of your choice using the [`az ad sp credential reset`](/cli/azure/ad/sp/credential#az-ad-sp-credential-reset) command.

+[acr-scripts-cli]: https://github.com/Azure/azure-docs-cli-python-samples/tree/master/container-registry/create-registry/create-registry-service-principal-assign-role.sh

+In addition to a [quick task](container-registry-tutorial-quick-task.md), ACR Tasks supports multi-step, multi-container-based workflows that can automatically trigger when you commit source code to a Git repository.

+>

+1. Runs a `build` step to build an image from the Dockerfile in the working directory. The image targets the `Run.Registry`, the registry where the task is run, and is tagged with a unique ACR Tasks run ID.

+This task specifies that any time code is committed to the *main* branch in the repository specified by `--context`, ACR Tasks will run the multi-step task from the code in that branch. The YAML file specified by `--file` from the repository root defines the steps.

+ * The first targets the `Run.Registry`, the registry where the task is run, and is tagged with the ACR Tasks run ID.

+For this example, we recommend that you create a [service principal](container-registry-auth-service-principal.md) with access to the registry scoped to the *AcrPush* role, so that it has permissions to push images. To create the service principal, use the following script:

+[az-acr-task-credential-add]: /cli/azure/acr/task/credential#az-acr-task-credential-add

+* To set the TTL on an item, you need to provide a non-zero positive number, which indicates the period, in seconds, to expire the item after the last modified timestamp of the item `_ts`. You can provide a `-1` as well when the item should not expire.

+* [Time to live](time-to-live.md)

+1. Sign up at [Azure.com](https://signup.azure.com/signup?offer=MS-AZR-0044p&appId=docs).

+The three activities work on all Azure Database for PostgreSQL deployment options:

+* [Single Server](../postgresql/single-server/index.yml)

+* [Flexible Server](../postgresql/flexible-server/index.yml)

+* [Hyperscale (Citus)](../postgresql/hyperscale/index.yml)

+## Mapping data flow properties

+When transforming data in mapping data flow, you can read resources from Twilio. For more information, see the [source transformation](data-flow-source.md) in mapping data flows. You can only use an [inline dataset](data-flow-source.md#inline-datasets) as source type.

+### Source transformation

+| [data.world (Preview)](connector-dataworld.md#mapping-data-flow-properties) | | -/Γ£ô |

+| [Twilio (Preview)](connector-twilio.md#mapping-data-flow-properties) | | -/Γ£ô |

+You can enable the **bi-directional alert synchronization** feature to automatically sync the status of the original Defender for Cloud alerts with Microsoft Sentinel incidents that contain the copies of those Defender for Cloud alerts. So, for example, when a Microsoft Sentinel incident that contains a Defender for Cloud alert is closed, Defender for Cloud automatically closes the corresponding original alert.

+- The Azure portal

+ 3. **If you're streaming alerts to QRadar** - Create an event hub "Listen" policy, then copy and save the connection string of the policy that youΓÇÖll use in QRadar.

+ 5. Enable continuous export of security alerts to the defined event hub.

+ 6. **If you're streaming alerts to QRadar** - Create a storage account, then copy and save the connection string to the account that youΓÇÖll use in QRadar.

+ 7. **If you're streaming alerts to Splunk**:

+ 1. Create an Azure Active Directory (AD) application.

+As an alternative to Microsoft Sentinel and Azure Monitor, you can use Defender for Cloud's built-in integration with [Microsoft Graph Security API](https://www.microsoft.com/security/business/graph-security-api). No configuration is required and there are no additional costs.

+The minimum REST API version to support this field is the [2021-06-30-preview](https://github.com/Azure/azure-rest-api-specs/tree/main/specification/digitaltwins/data-plane/Microsoft.DigitalTwins/preview/2021-06-30-preview) version. To work with this field using the [Azure Digital Twins SDKs](concepts-apis-sdks.md), we recommend using the latest version of the SDK to make sure this field is included (keep in mind that the latest version of an SDK may be in beta or preview).

+The `sourceTime` value must comply to ISO 8601 date and time format.

+1. Under the *Route Details* section, set the *Route Type* to **Redirect**. Set the *Redirect type* to **Moved (301)** and *Redirect protocol* get set to **HTTPS only**.

+## How to switch between certificate types

+ > * It may take up to an hour for the new certificate to be deployed when you switch between certificate types.

+ > * If your domain state is Approved, switching the certificate type between BYOC and managed certificate won't have any downtime. Whhen switching to managed certificate, unless the domain ownership is re-validated and the domain state becomes Approved, you will continue to be served by the previous certificate.

+ > * If you switch from BYOC to managed certificate, domain re-validation is required. If you switch from managed certificate to BYOC, you're not required to re-validate the domain.

+- [Manage HDInsight clusters with ESP](apache-domain-joined-manage.md)

+- For configuring Hive policies and run Hive queries, see [Configure Apache Hive policies for HDInsight clusters with ESP](apache-domain-joined-run-hive.md).

+* [Monitor cluster performance](../hdinsight-key-scenarios-to-monitor.md)

+ Title: 'Quickstart: Create Apache Hadoop cluster in Azure HDInsight using Bicep'

+description: In this quickstart, you create Apache Hadoop cluster in Azure HDInsight using Bicep

+#Customer intent: As a data analyst, I need to create a Hadoop cluster in Azure HDInsight using Bicep

+# Quickstart: Create Apache Hadoop cluster in Azure HDInsight using Bicep

+In this quickstart, you use Bicep to create an [Apache Hadoop](./apache-hadoop-introduction.md) cluster in Azure HDInsight. Hadoop was the original open-source framework for distributed processing and analysis of big data sets on clusters. The Hadoop ecosystem includes related software and utilities, including Apache Hive, Apache HBase, Spark, Kafka, and many others.

+

+Currently HDInsight comes with [seven different cluster types](../hdinsight-overview.md#cluster-types-in-hdinsight). Each cluster type supports a different set of components. All cluster types support Hive. For a list of supported components in HDInsight, see [What's new in the Hadoop cluster versions provided by HDInsight?](../hdinsight-component-versioning.md)

+## Prerequisites

+If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+## Review the Bicep file

+The Bicep file used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/hdinsight-linux-ssh-password/).

+Two Azure resources are defined in the Bicep file:

+* [Microsoft.Storage/storageAccounts](/azure/templates/microsoft.storage/storageaccounts): create an Azure Storage Account.

+* [Microsoft.HDInsight/cluster](/azure/templates/microsoft.hdinsight/clusters): create an HDInsight cluster.

+## Deploy the Bicep file

+1. Save the Bicep file as **main.bicep** to your local computer.

+1. Deploy the Bicep file using either Azure CLI or Azure PowerShell.

+ # [CLI](#tab/CLI)

+ ```azurecli

+ az group create --name exampleRG --location eastus

+ az deployment group create --resource-group exampleRG --template-file main.bicep --parameters clusterName=<cluster-name> clusterType=<cluster-type> clusterLoginUserName=<cluster-username> sshUserName=<ssh-username>

+ ```

+ # [PowerShell](#tab/PowerShell)

+ ```azurepowershell

+ New-AzResourceGroup -Name exampleRG -Location eastus

+ New-AzResourceGroupDeployment -ResourceGroupName exampleRG -TemplateFile ./main.bicep -clusterName "<cluster-name>" -clusterType "<cluster-type>" -clusterLoginUserName "<cluster-username>" -sshUserName "<ssh-username>"

+ ```

+

+ You need to provide values for the parameters:

+ * Replace **\<cluster-name\>** with the name of the HDInsight cluster to create.

+ * Replace **\<cluster-type\>** with the type of the HDInsight cluster to create. Allowed strings include: `hadoop`, `interactivehive`, `hbase`, `storm`, and `spark`.

+ * Replace **\<cluster-username\>** with the credentials used to submit jobs to the cluster and to log in to cluster dashboards.

+ * Replace **\<ssh-username\>** with the credentials used to remotely access the cluster. The username cannot be admin.

+ You'll also be prompted to enter the following:

+ * **clusterLoginPassword**, which must be at least 10 characters long and contain one digit, one uppercase letter, one lowercase letter, and one non-alphanumeric character except single-quote, double-quote, backslash, right-bracket, full-stop. It also must not contain three consecutive characters from the cluster username or SSH username.

+ * **sshPassword**, which must be 6-72 characters long and must contain at least one digit, one uppercase letter, and one lowercase letter. It must not contain any three consecutive characters from the cluster login name.

+ > [!NOTE]

+ > When the deployment finishes, you should see a message indicating the deployment succeeded.

+## Review deployed resources

+Use the Azure portal, Azure CLI, or Azure PowerShell to list the deployed resources in the resource group.

+# [CLI](#tab/CLI)

+```azurecli-interactive

+az resource list --resource-group exampleRG

+```

+# [PowerShell](#tab/PowerShell)

+```azurepowershell-interactive

+Get-AzResource -ResourceGroupName exampleRG

+```

+## Clean up resources

+When no longer needed, use the Azure portal, Azure CLI, or Azure PowerShell to delete the resource group and its resources.

+# [CLI](#tab/CLI)

+```azurecli-interactive

+az group delete --name exampleRG

+```

+# [PowerShell](#tab/PowerShell)

+```azurepowershell-interactive

+Remove-AzResourceGroup -Name exampleRG

+```

+## Next steps

+In this quickstart, you learned how to create an Apache Hadoop cluster in HDInsight using Bicep. In the next article, you learn how to perform an extract, transform, and load (ETL) operation using Hadoop on HDInsight.

+> [!div class="nextstepaction"]

+> [Extract, transform, and load data using Interactive Query on HDInsight](../interactive-query/interactive-query-tutorial-analyze-flight-data.md)

+The list below only gives a few FQDNs that may be needed for OS and security patching or certificate validations during the cluster create process and during the lifetime of cluster operations:

+### Data residency consideration

+Device Provisioning Service doesn't store or process customer data outside of the geography where you deploy the service instance. For more information, see [Cross-region replication in Azure](../availability-zones/cross-region-replication-azure.md).

+However, by default, DPS uses the same [device provisioning endpoint](concepts-service.md#device-provisioning-endpoint) for all provisioning service instances, and performs traffic load balancing to the nearest available service endpoint. As a result, authentication secrets may be temporarily transferred outside of the region where the DPS instance was initially created. However, once the device is connected, the device data will flow directly to the original region of the DPS instance.

+To ensure that your data doesn't leave the region that your DPS instance was created in, use a private endpoint. To learn how to set up private endpoints, see [Azure IoT Device Provisioning Service (DPS) support for virtual networks](virtual-network-support.md#private-endpoint-limitations).

+DPS leverages [paired regions](../availability-zones/cross-region-replication-azure.md) to enable automatic failover. Microsoft-initiated failover is exercised by Microsoft in rare situations when an entire region goes down to failover all the DPS instances from the affected region to its corresponding paired region. This process is a default option and requires no intervention from the user. Microsoft reserves the right to make a determination of when this option will be exercised. This mechanism doesn't involve user consent before the user's DPS instance is failed over.

+The only users who are able to opt-out of this feature are those deploying to the Brazil South and Southeast Asia (Singapore) regions.

+>[!NOTE]

+>Azure IoT Hub Device Provisioning Service doesn't store or process customer data outside of the geography where you deploy the service instance. For more information, see [Cross-region replication in Azure](../availability-zones/cross-region-replication-azure.md).

+>[!NOTE]

+>Azure IoT Hub doesn't store or process customer data outside of the geography where you deploy the service instance. For more information, see [Cross-region replication in Azure](../availability-zones/cross-region-replication-azure.md).

+Microsoft-initiated failover is exercised by Microsoft in rare situations to failover all the IoT hubs from an affected region to the corresponding geo-paired region. This process is a default option and requires no intervention from the user. Microsoft reserves the right to make a determination of when this option will be exercised. This mechanism doesn't involve a user consent before the user's hub is failed over. Microsoft-initiated failover has a recovery time objective (RTO) of 2-26 hours.

+The only users who are able to opt-out of this feature are those deploying to the Brazil South and Southeast Asia (Singapore) regions. For more information, see [Disable disaster recovery](#disable-disaster-recovery).

+>[!NOTE]

+>Azure IoT Hub doesn't store or process customer data outside of the geography where you deploy the service instance. For more information, see [Cross-region replication in Azure](../availability-zones/cross-region-replication-azure.md).

+|Java | 230 seconds | [Yes](https://github.com/Azure/azure-iot-sdk-java/blob/main/device/iot-device-client/src/main/java/com/microsoft/azure/sdk/iot/device/ClientOptions.java#L64) |

+> You must enable soft-delete on your key vaults immediately. The ability to opt out of soft-delete is deprecated and will be removed in February 202. See full details [here](soft-delete-change.md)

+ Title: What is Basic Azure Load Balancer?

+description: Overview of Basic Azure Load Balancer.

+# What is Basic Azure Load Balancer?

+Basic Azure Load Balancer is a SKU of Azure Load Balancer. A basic load balancer provides limited features and capabilities. Azure recommends a standard SKU Azure Load Balancer for production environments.

+For more information on a standard SKU Azure Load Balancer, see [What is Azure Load Balancer?](../load-balancer-overview.md).

+For more information about the Azure Load Balancer SKUs, see [SKUs](../skus.md).

+## Load balancer types

+An Azure Load Balancer is available in two types:

+A **[public load balancer](../components.md#frontend-ip-configurations)** can provide outbound connections for virtual machines (VMs) inside your virtual network. These connections are accomplished by translating their private IP addresses to public IP addresses. Public load balancers are used to load balance internet traffic to your VMs.

+An **[internal (or private) load balancer](../components.md#frontend-ip-configurations)** is used where private IPs are needed at the frontend only. Internal load balancers are used to load balance traffic inside a virtual network. A load balancer frontend can be accessed from an on-premises network in a hybrid scenario.

+## Next steps

+For more information on creating a basic load balancer, see:

+- [Quickstart: Create a basic internal load balancer - Azure portal](./quickstart-basic-internal-load-balancer-portal.md)

+- [Quickstart: Create a basic public load balancer - Azure portal](./quickstart-basic-public-load-balancer-portal.md)

+- ISV to ensure the SaaS private plan is using the correct tenant ID for the customer - [How to find your Azure Active Directory tenant ID](../active-directory/fundamentals/active-directory-how-to-find-tenant.md). For VMs use the [Azure Subscription ID. (video guide)](/azure/media-services/latest/setup-azure-subscription-how-to?tabs=portal)

+The current minor release is **13.6**. Refer to the [PostgreSQL documentation](https://www.postgresql.org/docs/13/static/release-13-6.html) to learn more about improvements and fixes in this release. New servers will be created with this minor version.

+The current minor release is **12.10**. Refer to the [PostgreSQL documentation](https://www.postgresql.org/docs/12/static/release-12-10.html) to learn more about improvements and fixes in this release. New servers will be created with this minor version. Your existing servers will be automatically upgraded to the latest supported minor version in your future scheduled maintenance window.

+The current minor release is **11.15**. Refer to the [PostgreSQL documentation](https://www.postgresql.org/docs/11/static/release-11-15.html) to learn more about improvements and fixes in this release. New servers will be created with this minor version. Your existing servers will be automatically upgraded to the latest supported minor version in your future scheduled maintenance window.

+## Release: April 2022

+* Support for [latest PostgreSQL minors](./concepts-supported-versions.md) 13.6, 12.10 and 11.15 with new server creates^$.

+^**$** New servers get these features automatically. In your existing servers, these features are enabled during your server's future maintenance window.

+Log Analytics will ingest an average of 1.4 GB of data a day for each log streamed to it by a single packet core instance. [Monitor usage and estimated costs in Azure Monitor](../azure-monitor/usage-estimated-costs.md) provides information on how to estimate the cost of using Log Analytics to monitor Azure Private 5G Core.

+* [Access provisioning by data owner to Azure Storage datasets](how-to-data-owner-policies-storage.md)

+* [Enable Azure Purview data owner policies on all data sources in a subscription or a resource group](./how-to-data-owner-policies-resource-group.md)

+The self-service data access policy is only supported when the prerequisites mentioned in [data use governance](./how-to-enable-data-use-governance.md#prerequisites) are satisfied.

+Whenever a data consumer requests access to a dataset, the notification is sent to the workflow approver(s). The approver(s) can view the request and approve it either from Azure purview portal or from within the email notification. When the request is approved, a policy is auto-generated and applied against the respective data source. Self-service data access policy gets auto-generated only if the data source is registered for **data use governance**. The pre-requisites mentioned within the [data use governance](./how-to-enable-data-use-governance.md#prerequisites) have to be satisfied.

+- [Enable data use governance](./how-to-enable-data-use-governance.md#prerequisites)

+ Title: Resource group and subscription access provisioning by data owner

+description: Step-by-step guide showing how a data owner can create access policies to resource groups or subscriptions.

+# Resource group and subscription access provisioning by data owner (preview)

+[Policies](concept-data-owner-policies.md) in Azure Purview allow you to enable access to data sources that have been registered to a collection. You can also [register an entire Azure resource group or subscription to a collection](register-scan-azure-multiple-sources.md), which will allow you to scan all available data sources in that resource group or subscription. If you create a single access policy against a registered resource group or subscription, a data owner can enable access to **all** available data sources in that resource group or subscription. That single policy will cover all existing data sources and any data sources that are created afterwards.

+This article describes how a data owner can create a single access policy for **all available** data sources in a subscription or a resource group.

+> [!IMPORTANT]

+> Currently, these are the available data sources for access policies:

+> - Blob storage

+> - Azure Data Lake Storage (ADLS) Gen2

+## Prerequisites

+## Configuration

+### Register the subscription or resource group for data use governance

+The subscription or resource group needs to be registered with Azure Purview to later define access policies.

+To register your resource, follow the **Prerequisites** and **Register** sections of this guide:

+- [Register multiple sources in Azure Purview](register-scan-azure-multiple-sources.md#prerequisites)

+After you've registered your resources, you'll need to enable data use governance. Data use governance affects the security of your data, as it allows your users to manage access to resources from within Azure Purview.

+To ensure you securely enable data use governance, and follow best practices, follow this guide to enable data use governance for your resource group or subscription:

+- [How to enable data use governance](./how-to-enable-data-use-governance.md)

+In the end, your resource will have the **Data use governance** toggle to **Enabled**, as shown in the picture:

+## Create and publish a data owner policy

+Execute the steps in the [data-owner policy authoring tutorial](how-to-data-owner-policy-authoring-generic.md) to create and publish a policy similar to the example shown in the image: a policy that provides security group *sg-Finance* *modify* access to resource group *finance-rg*:

+>[!Important]

+> - Publish is a background operation. It can take up to **2 hours** for the changes to be reflected in Storage account(s).

+## Additional information

+- Creating a policy at subscription or resource group level will enable the Subjects to access Azure Storage system containers, for example, *$logs*. If this is undesired, first scan the data source and then create finer-grained policies for each (that is, at container or subcontainer level).

+### Limits

+The limit for Azure Purview policies that can be enforced by Storage accounts is 100 MB per subscription, which roughly equates to 5000 policies.

+## Next steps

+Check blog, demo and related tutorials:

+* [Concepts for Azure Purview data owner policies](./concept-data-owner-policies.md)

+* [Data owner policies on an Azure Storage account](./how-to-data-owner-policies-storage.md)

+* [Blog: resource group-level governance can significantly reduce effort](https://techcommunity.microsoft.com/t5/azure-purview-blog/data-policy-features-resource-group-level-governance-can/ba-p/3096314)

+* [Demo of data owner access policies for Azure Storage](/video/media/8ce7c554-0d48-430f-8f63-edf94946947c/purview-policy-storage-dataowner-scenario_mid.mp4)

+ Title: Access provisioning by data owner to Azure Storage datasets

+description: Step-by-step guide showing how data owners can create access policies to datasets in Azure Storage

+# Access provisioning by data owner to Azure Storage datasets (preview)

+[Policies](concept-data-owner-policies.md) in Azure Purview allow you to enable access to data sources that have been registered to a collection.

+This article describes how a data owner can use Azure Purview to enable access to datasets in Azure Storage. Currently, these Azure Storage sources are supported:

+- Blob storage

+- Azure Data Lake Storage (ADLS) Gen2

+## Prerequisites

+## Configuration

+### Register the data sources in Azure Purview for Data use governance

+The Azure Storage resources need to be registered with Azure Purview to later define access policies.

+To register your resources, follow the **Prerequisites** and **Register** sections of these guides:

+- [Register and scan Azure Storage Blob - Azure Purview](register-scan-azure-blob-storage-source.md#prerequisites)

+- [Register and scan Azure Data Lake Storage (ADLS) Gen2 - Azure Purview](register-scan-adls-gen2.md#prerequisites)

+After you've registered your resources, you'll need to enable data use governance. Data use governance affects the security of your data, as it allows your users to manage access to resources from within Azure Purview.

+To ensure you securely enable data use governance, and follow best practices, follow this guide to enable data use governance for your resource group or subscription:

+- [How to enable data use governance](./how-to-enable-data-use-governance.md)

+In the end, your resource will have the **Data use governance** toggle to **Enabled**, as shown in the picture:

+## Create and publish a data owner policy

+Execute the steps in the [data-owner policy authoring tutorial](how-to-data-owner-policy-authoring-generic.md) to create and publish a policy similar to the example shown in the image: a policy that provides group *Contoso Team* *read* access to Storage account *marketinglake1*:

+>[!Important]

+> - Publish is a background operation. It can take up to **2 hours** for the changes to be reflected in Storage account(s).

+## Additional information

+- Policy statements set below container level on a Storage account are supported. If no access has been provided at Storage account level or container level, then the App that requests the data must execute a direct access by providing a fully qualified name to the data object. If the App attempts to crawl down the hierarchy starting from the Storage account or Container, and there's no access at that level, the request will fail. The following documents show examples of how to do perform a direct access. See also blogs in the *Next steps* section of this tutorial.

+ - [*abfs* for ADLS Gen2](../hdinsight/hdinsight-hadoop-use-data-lake-storage-gen2.md#access-files-from-the-cluster)

+ - [*az storage blob download* for Blob Storage](../storage/blobs/storage-quickstart-blobs-cli.md#download-a-blob)

+- Creating a policy at Storage account level will enable the Subjects to access system containers, for example *$logs*. If this is undesired, first scan the data source(s) and then create finer-grained policies for each (that is, at container or subcontainer level).

+### Limits

+- The limit for Azure Purview policies that can be enforced by Storage accounts is 100 MB per subscription, which roughly equates to 5000 policies.

+### Known issues

+> [!Warning]

+> **Known issues** related to Policy creation

+> - Do not create policy statements based on Azure Purview resource sets. Even if displayed in Azure Purview policy authoring UI, they are not yet enforced. Learn more about [resource sets](concept-resource-sets.md).

+### Policy action mapping

+This section contains a reference of how actions in Azure Purview data policies map to specific actions in Azure Storage.

+| **Azure Purview policy action** | **Data source specific actions** |

+||--|

+|||

+| *Read* |<sub>Microsoft.Storage/storageAccounts/blobServices/containers/read |

+| |<sub>Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read |

+|||

+| *Modify* |<sub>Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read |

+| |<sub>Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write |

+| |<sub>Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action |

+| |<sub>Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action |

+| |<sub>Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete |

+| |<sub>Microsoft.Storage/storageAccounts/blobServices/containers/read |

+| |<sub>Microsoft.Storage/storageAccounts/blobServices/containers/write |

+| |<sub>Microsoft.Storage/storageAccounts/blobServices/containers/delete |

+|||

+## Next steps

+Check blog, demo and related tutorials:

+* [Demo of access policy for Azure Storage](/video/media/8ce7c554-0d48-430f-8f63-edf94946947c/purview-policy-storage-dataowner-scenario_mid.mp4)

+* [Concepts for Azure Purview data owner policies](./concept-data-owner-policies.md)

+* [Enable Azure Purview data owner policies on all data sources in a subscription or a resource group](./how-to-data-owner-policies-resource-group.md)

+* [Blog: What's New in Azure Purview at Microsoft Ignite 2021](https://techcommunity.microsoft.com/t5/azure-purview/what-s-new-in-azure-purview-at-microsoft-ignite-2021/ba-p/2915954)

+* [Blog: Accessing data when folder level permission is granted](https://techcommunity.microsoft.com/t5/azure-purview-blog/data-policy-features-accessing-data-when-folder-level-permission/ba-p/3109583)

+* [Blog: Accessing data when file level permission is granted](https://techcommunity.microsoft.com/t5/azure-purview-blog/data-policy-features-accessing-data-when-file-level-permission/ba-p/3102166)

+- [Enable Azure Purview data owner policies on all data sources in a subscription or a resource group](./how-to-data-owner-policies-resource-group.md)

+- [Enable Azure Purview data owner policies on an Azure Storage account](./how-to-data-owner-policies-storage.md)

+- [Enable Data Use Governance](./how-to-enable-data-use-governance.md)

+- [Enable Azure Purview data owner policies on all data sources in a subscription or a resource group](./how-to-data-owner-policies-resource-group.md)

+- [Enable Azure Purview data owner policies on an Azure Storage account](./how-to-data-owner-policies-storage.md)

+1. Select **Access control (IAM)**.

+1. Select **Add** > **Add role assignment** to open the **Add role assignment** page.

+1. Assign the following role. For detailed steps, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md).

+ | Setting | Value |

+ | | |

+ | Role | Monitoring Reader |

+ | Assign access to | User, group, or service principal |

+ | Members | &lt;Azure AD account user&gt; |

+ :::image type="content" source="../../includes/role-based-access-control/media/add-role-assignment-page.png" alt-text="Screenshot showing Add role assignment page in Azure portal.":::

+- [Enable Data Use Governance](./how-to-enable-data-use-governance.md)

+* [Single storage account](./how-to-data-owner-policies-storage.md) - This guide will allow you to enable access policies on a single storage account in your subscription.

+* [All sources in a subscription or resource group](./how-to-data-owner-policies-resource-group.md) - This guide will allow you to enable access policies on all enabled and available sources in a resource group, or across an Azure subscription.

+* [Single storage account](./how-to-data-owner-policies-storage.md) - This guide will allow you to enable access policies on a single storage account in your subscription.

+* [All sources in a subscription or resource group](./how-to-data-owner-policies-resource-group.md) - This guide will allow you to enable access policies on all enabled and available sources in a resource group, or across an Azure subscription.

+| [Yes](#register) | [Yes](#scan) | [Yes](#scan) | [Yes](#scan)| [Yes](#scan)| [Yes](how-to-data-owner-policies-resource-group.md) | [Source Dependant](catalog-lineage-user-guide.md)|

+ Title: Tutorial to provision access for Azure Storage

+description: This tutorial describes how a data owner can create access policies for Azure Storage resources.

+[Policies](concept-data-owner-policies.md) in Azure Purview allow you to enable access to data sources that have been registered to a collection. This tutorial describes how a data owner can use Azure Purview to enable access to datasets in Azure Storage through Azure Purview.

+> * Prepare your Azure environment

+> * Configure permissions to allow Azure Purview to connect to your resources

+> * Register your Azure Storage resource for data use governance

+> * Create and publish a policy for your resource group or subscription

+### Register the data sources in Azure Purview for data use governance

+Your Azure Storage account needs to be registered in Azure Purview to later define access policies, and during registration we'll enable data use governance. **Data use governance** is an available feature in Azure Purview that allows users to manage access to a resource from within Azure Purview. This allows you to centralize data discovery and access management, however it's a feature that directly impacts your data security.

+> [!WARNING]

+> Before enabling data use governance for any of your resources, read through our [**data use governance article**](how-to-enable-data-use-governance.md).

+>

+> This article includes data use governance best practices to help you ensure that your information is secure.

+To register your resource and enable data use governance, follow these steps:

+> [!Note]

+> You need to be an owner of the subscription or resource group to be able to add a managed identity on an Azure resource.

+1. From the [Azure portal](https://portal.azure.com), find the Azure Blob storage account that you would like to register.

+ :::image type="content" source="media/tutorial-data-owner-policies-storage/register-blob-storage-acct.png" alt-text="Screenshot that shows the storage account":::

+1. Select **Access Control (IAM)** in the left navigation and then select **+ Add** --> **Add role assignment**.

+ :::image type="content" source="media/tutorial-data-owner-policies-storage/register-blob-access-control.png" alt-text="Screenshot that shows the access control for the storage account":::

+1. Set the **Role** to **Storage Blob Data Reader** and enter your _Azure Purview account name_ under the **Select** input box. Then, select **Save** to give this role assignment to your Azure Purview account.

+ :::image type="content" source="media/tutorial-data-owner-policies-storage/register-blob-assign-permissions.png" alt-text="Screenshot that shows the details to assign permissions for the Azure Purview account":::

+1. If you have a firewall enabled on your Storage account, follow these steps as well:

+ 1. Go into your Azure Storage account in [Azure portal](https://portal.azure.com).

+ 1. Navigate to **Security + networking > Networking**.NET

+ 1. Choose **Selected Networks** under **Allow access from**.

+ 1. In the **Exceptions** section, select **Allow trusted Microsoft services to access this storage account** and select **Save**.

+ :::image type="content" source="media/tutorial-data-owner-policies-storage/register-blob-permission.png" alt-text="Screenshot that shows the exceptions to allow trusted Microsoft services to access the storage account.":::

+1. Once you have set up authentication for your storage account, go to the [Azure Purview Studio](https://web.purview.azure.com/).

+1. Select **Data Map** on the left menu.

+ :::image type="content" source="media/tutorial-data-owner-policies-storage/select-data-map.png" alt-text="Screenshot that shows the far left menu in the Azure Purview Studio open with Data Map highlighted.":::

+1. Select **Register**.

+ :::image type="content" source="media/tutorial-data-owner-policies-storage/select-register.png" alt-text="Screenshot that shows Azure Purview Studio Data Map sources, with the register button highlighted at the top.":::

+1. On **Register sources**, select **Azure Blob Storage**.

+ :::image type="content" source="media/tutorial-data-owner-policies-storage/select-azure-blob-storage.png" alt-text="Screenshot that shows the tile for Azure Multiple on the screen for registering multiple sources.":::

+1. Select **Continue**.

+1. On the **Register sources (Azure)** screen, do the following:

+ 1. In the **Name** box, enter a friendly name that the data source will be listed with in the catalog.

+ 1. In the **Subscription** dropdown list boxes, select the subscription where your storage account is housed. Then select your storage account under **Storage account name**. In **Select a collection** select the collection where you'd like to register your Azure Storage account.

+

+ :::image type="content" source="media/tutorial-data-owner-policies-storage/register-data-source-for-policy-storage.png" alt-text="Screenshot that shows the boxes for selecting a storage account.":::

+ 1. In the **Select a collection** box, select a collection or create a new one (optional).

+ 1. Set the *Data use governance* toggle to **Enabled**, as shown in the image below.

+ :::image type="content" source="./media/tutorial-data-owner-policies-storage/register-data-source-for-policy-storage.png" alt-text="Screenshot that shows Data use governance toggle set to active on the registered resource page.":::

+ >[!TIP]

+ >If the data use governance toggle is greyed out and unable to be selected:

+ > 1. Confirm you have followed all prerequisites to enable Data use governance across your resources.

+ > 1. Confirm that you have selected a storage account to be registered.

+ > 1. It may be that this resource is already registered in another Azure Purview account. Hover over it to know the name of the Azure Purview account that has registered the data resource.first. Only one Azure Purview account can register a resource for data use governance at at time.

+ 1. Select **Register** to register the resource group or subscription with Azure Purview with data use governance enabled.

+>[!TIP]

+> For more information about data use governance, including best practices or known issues, see our [data use governance article](how-to-enable-data-use-governance.md).

+## Create a data owner policy

+1. Sign in to the [Azure Purview Studio](https://web.purview.azure.com/resource/).

+1. Navigate to the **Data policy** feature using the left side panel. Then select **Data policies**.

+1. Select the **New Policy** button in the policy page.

+ :::image type="content" source="./media/access-policies-common/policy-onboard-guide-1.png" alt-text="Data owner can access the Policy functionality in Azure Purview when it wants to create policies.":::

+1. The new policy page will appear. Enter the policy **Name** and **Description**.

+1. To add policy statements to the new policy, select the **New policy statement** button. This will bring up the policy statement builder.

+ :::image type="content" source="./media/access-policies-common/create-new-policy.png" alt-text="Data owner can create a new policy statement.":::

+1. Select the **Effect** button and choose *Allow* from the drop-down list.

+1. Select the **Action** button and choose *Read* or *Modify* from the drop-down list.

+1. Select the **Data Resources** button to bring up the window to enter Data resource information, which will open to the right.

+1. Under the **Data Resources** Panel do one of two things depending on the granularity of the policy:

+ - To create a broad policy statement that covers an entire data source, resource group, or subscription that was previously registered, use the **Data sources** box and select its **Type**.

+ - To create a fine-grained policy, use the **Assets** box instead. Enter the **Data Source Type** and the **Name** of a previously registered and scanned data source. See example in the image.

+ :::image type="content" source="./media/access-policies-common/select-data-source-type.png" alt-text="Screenshot showing the policy editor, with Data Resources selected, and Data source Type highlighted in the data resources menu.":::

+1. Select the **Continue** button and transverse the hierarchy to select and underlying data-object (for example: folder, file, etc.). Select **Recursive** to apply the policy from that point in the hierarchy down to any child data-objects. Then select the **Add** button. This will take you back to the policy editor.

+ :::image type="content" source="./media/access-policies-common/select-asset.png" alt-text="Screenshot showing the Select asset menu, and the Add button highlighted.":::

+1. Select the **Subjects** button and enter the subject identity as a principal, group, or MSI. Then select the **OK** button. This will take you back to the policy editor

+ :::image type="content" source="./media/access-policies-common/select-subject.png" alt-text="Screenshot showing the Subject menu, with a subject select from the search and the OK button highlighted at the bottom.":::

+1. Repeat the steps #5 to #11 to enter any more policy statements.

+1. Select the **Save** button to save the policy.

+ :::image type="content" source="./media/tutorial-data-owner-policies-storage/data-owner-policy-example-storage.png" alt-text="Screenshot showing a sample data owner policy giving access to an Azure Storage account.":::

+## Publish a data owner policy

+1. Sign in to the [Azure Purview Studio](https://web.purview.azure.com/resource/).

+1. Navigate to the **Data policy** feature using the left side panel. Then select **Data policies**.

+ :::image type="content" source="./media/access-policies-common/policy-onboard-guide-2.png" alt-text="Screenshot showing the Azure Purview studio with the leftmost menu open, Policy Management highlighted, and Data Policies selected on the next page.":::

+1. The Policy portal will present the list of existing policies in Azure Purview. Locate the policy that needs to be published. Select the **Publish** button on the right top corner of the page.

+ :::image type="content" source="./media/access-policies-common/publish-policy.png" alt-text="Screenshot showing the policy editing menu with the Publish button highlighted in the top right of the page.":::

+1. A list of data sources is displayed. You can enter a name to filter the list. Then, select each data source where this policy is to be published and then select the **Publish** button.

+ :::image type="content" source="./media/access-policies-common/select-data-sources-publish-policy.png" alt-text="Screenshot showing with Policy publish menu with a data resource selected and the publish button highlighted.":::

+## Clean up resources

+To delete a policy in Azure Purview, follow these steps:

+1. Sign in to the [Azure Purview Studio](https://web.purview.azure.com/resource/).

+1. Navigate to the **Data policy** feature using the left side panel. Then select **Data policies**.

+ :::image type="content" source="./media/access-policies-common/policy-onboard-guide-2.png" alt-text="Screenshot showing the leftmost menu open, Policy Management highlighted, and Data Policies selected on the next page.":::

+1. The Policy portal will present the list of existing policies in Azure Purview. Select the policy that needs to be updated.

+1. The policy details page will appear, including Edit and Delete options. Select the **Edit** button, which brings up the policy statement builder. Now, any parts of the statements in this policy can be updated. To delete the policy, use the **Delete** button.

+ :::image type="content" source="./media/access-policies-common/edit-policy.png" alt-text="Screenshot showing an open policy with the Edit button highlighted in the top menu on the page.":::

+Check our demo and related tutorials:

+> [!div class="nextstepaction"]

+> [Demo of access policy for Azure Storage](https://docs.microsoft.com/video/media/8ce7c554-0d48-430f-8f63-edf94946947c/purview-policy-storage-dataowner-scenario_mid.mp4)

+> [Concepts for Azure Purview data owner policies](./concept-data-owner-policies.md)

+> [Enable Azure Purview data owner policies on all data sources in a subscription or a resource group](./how-to-data-owner-policies-resource-group.md)

+| Azure SDK for Python | [**azure-search-documents**](/python/api/overview/azure/search-documents-readme) is for data plane operations, including all operations related to indexing, queries, and AI enrichment. You can also use this client library to retrieve system information and statistics. <br/><br/>[**azure-mgmt-search**](/python/api/azure-mgmt-search/) is for service creation and provisioning through Azure Resource Manager. You can also use this API to manage keys and capacity. |

+description: Create an alias to define a secondary name that can be used to refer to an index for querying and indexing.

+Once you've created your alias, you're ready to start using it. Aliases can be used for [querying](/rest/api/searchservice/search-documents) and [indexing](/rest/api/searchservice/addupdate-or-delete-documents).

+> You can only use an alias for [querying](/rest/api/searchservice/search-documents) and [indexing](/rest/api/searchservice/addupdate-or-delete-documents). Aliases can't be used to get or update an index definition, can't be used with the Analyze Text API, and can't be used as the `targetIndexName` on an indexer.

+| **starttime** | datetime | Filter only authentication events that ran at or after this time. |

+| **endtime** | datetime | Filter only authentication events that finished running at or before this time. |

+For example, to filter only authentication events from the last day to a specific user, use:

+Costs are one of the main considerations when determining Microsoft Sentinel architecture. For more information, see [Microsoft Sentinel costs and billing](billing.md).

+> >

+> >

+> >

+ - [Bandwidth pricing](https://azure.microsoft.com/pricing/details/bandwidth/)

+ - [Data transfers charges using Log Analytics ](../azure-monitor/usage-estimated-costs.md#data-transfer-charges).

+> >

+If you have different entities, subsidiaries, or geographies within your organization, each with their own security teams that need access to Microsoft Sentinel, use separate workspaces for each entity or subsidiary. Implement the separate workspaces within a single Azure AD tenant, or across multiple tenants using Azure Lighthouse.

+Don't apply a resource lock to a Log Analytics workspace you'll use for Microsoft Sentinel. A resource lock on a workspace can cause many Microsoft Sentinel operations to fail.

+## Next steps

+> >[Design your Microsoft Sentinel workspace architecture](design-your-workspace-architecture.md)

+> >[Microsoft Sentinel sample workspace designs](sample-workspace-designs.md)

+> >[On-board Microsoft Sentinel](quickstart-onboard.md)

+> >[Get visibility into alerts](get-visibility.md)

+> - Use system property names from [Microsoft.Azure.ServiceBus.Message](/dotnet/api/microsoft.azure.servicebus.message#properties) in your filters even when you use [ServiceBusMessage](/dotnet/api/azure.messaging.servicebus.servicebusmessage) from the new [Azure.Messaging.ServiceBus](/dotnet/api/azure.messaging.servicebus) namespace to send and receive messages.

+> - `Subject` from [Azure.Messaging.ServiceBus.ServiceBusMessage](/dotnet/api/azure.messaging.servicebus.servicebusmessage) maps to `Label` in [Microsoft.Azure.ServiceBus.Message](/dotnet/api/microsoft.azure.servicebus.message#properties).

+Here are the examples of using application or user properties in a filter. You can access application properties set by using [Azure.Messaging.ServiceBus.ServiceBusMessage.ApplicationProperties](/dotnet/api/azure.messaging.servicebus.servicebusmessage.applicationproperties)) (latest) or user properties set by [Microsoft.Azure.ServiceBus.Message.UserProperty](/dotnet/api/microsoft.azure.servicebus.message.userproperties) (deprecated) using the syntax: `user.property-name` or just `property-name`.

+user.SuperHero like 'SuperMan%'

+## .NET example for creating subscription filters

+Here's a .NET C# example that creates the following Service Bus entities:

+- Service Bus topic named `topicfiltersampletopic`

+- Subscription to the topic named `AllOrders` with a True Rule filter, which is equivalent to a SQL rule filter with expression `1=1`.

+- Subscription named `ColorBlueSize10Orders` with a SQL filter expression `color='blue' AND quantity=10`

+- Subscription named `ColorRed` with a SQL filter expression `color='red'` and an action

+- Subscription named `HighPriorityRedOrders` with a correlation filter expression `Subject = "red", CorrelationId = "high"`

+See the inline code comments for more details.

+```csharp

+namespace CreateTopicsAndSubscriptionsWithFilters

+{

+ using Azure.Messaging.ServiceBus.Administration;

+ using System;

+ using System.Threading.Tasks;

+ public class Program

+ {

+ // Service Bus Administration Client object to create topics and subscriptions

+ static ServiceBusAdministrationClient adminClient;

+ // connection string to the Service Bus namespace

+ static readonly string connectionString = "<YOUR SERVICE BUS NAMESPACE - CONNECTION STRING>";

+ // name of the Service Bus topic

+ static readonly string topicName = "topicfiltersampletopic";

+ // names of subscriptions to the topic

+ static readonly string subscriptionAllOrders = "AllOrders";

+ static readonly string subscriptionColorBlueSize10Orders = "ColorBlueSize10Orders";

+ static readonly string subscriptionColorRed = "ColorRed";

+ static readonly string subscriptionHighPriorityRedOrders = "HighPriorityRedOrders";

+ public static async Task Main()

+ {

+ try

+ {

+ Console.WriteLine("Creating the Service Bus Administration Client object");

+ adminClient = new ServiceBusAdministrationClient(connectionString);

+

+ Console.WriteLine($"Creating the topic {topicName}");

+ await adminClient.CreateTopicAsync(topicName);

+ Console.WriteLine($"Creating the subscription {subscriptionAllOrders} for the topic with a True filter ");

+ // Create a True Rule filter with an expression that always evaluates to true

+ // It's equivalent to using SQL rule filter with 1=1 as the expression

+ await adminClient.CreateSubscriptionAsync(

+ new CreateSubscriptionOptions(topicName, subscriptionAllOrders),

+ new CreateRuleOptions("AllOrders", new TrueRuleFilter()));

+ Console.WriteLine($"Creating the subscription {subscriptionColorBlueSize10Orders} with a SQL filter");

+ // Create a SQL filter with color set to blue and quantity to 10

+ await adminClient.CreateSubscriptionAsync(

+ new CreateSubscriptionOptions(topicName, subscriptionColorBlueSize10Orders),

+ new CreateRuleOptions("BlueSize10Orders", new SqlRuleFilter("color='blue' AND quantity=10")));

+ Console.WriteLine($"Creating the subscription {subscriptionColorRed} with a SQL filter");

+ // Create a SQL filter with color equals to red and a SQL action with a set of statements

+ await adminClient.CreateSubscriptionAsync(topicName, subscriptionColorRed);

+ // remove the $Default rule

+ await adminClient.DeleteRuleAsync(topicName, subscriptionColorRed, "$Default");

+ // now create the new rule. notice that user. prefix is used for the user/application property

+ await adminClient.CreateRuleAsync(topicName, subscriptionColorRed, new CreateRuleOptions

+ {

+ Name = "RedOrdersWithAction",

+ Filter = new SqlRuleFilter("user.color='red'"),

+ Action = new SqlRuleAction("SET quantity = quantity / 2; REMOVE priority;SET sys.CorrelationId = 'low';")

+ }

+ );

+ Console.WriteLine($"Creating the subscription {subscriptionHighPriorityRedOrders} with a correlation filter");

+ // Create a correlation filter with color set to Red and priority set to High

+ await adminClient.CreateSubscriptionAsync(

+ new CreateSubscriptionOptions(topicName, subscriptionHighPriorityRedOrders),

+ new CreateRuleOptions("HighPriorityRedOrders", new CorrelationRuleFilter() {Subject = "red", CorrelationId = "high"} ));

+ // delete resources

+ //await adminClient.DeleteTopicAsync(topicName);

+ }

+ catch (Exception e)

+ {

+ Console.WriteLine(e.ToString());

+ }

+ }

+ }

+}

+```

+## .NET example for sending receiving messages

+```csharp

+namespace SendAndReceiveMessages

+{

+ using System;

+ using System.Text;

+ using System.Threading.Tasks;

+ using Azure.Messaging.ServiceBus;

+ using Newtonsoft.Json;

+

+ public class Program

+ {

+ const string TopicName = "TopicFilterSampleTopic";

+ const string SubscriptionAllMessages = "AllOrders";

+ const string SubscriptionColorBlueSize10Orders = "ColorBlueSize10Orders";

+ const string SubscriptionColorRed = "ColorRed";

+ const string SubscriptionHighPriorityOrders = "HighPriorityRedOrders";

+ // connection string to your Service Bus namespace

+ static string connectionString = "<YOUR SERVICE BUS NAMESPACE - CONNECTION STRING>";

+ // the client that owns the connection and can be used to create senders and receivers

+ static ServiceBusClient client;

+ // the sender used to publish messages to the topic

+ static ServiceBusSender sender;

+ // the receiver used to receive messages from the subscription

+ static ServiceBusReceiver receiver;

+ public async Task SendAndReceiveTestsAsync(string connectionString)

+ {

+ // This sample demonstrates how to use advanced filters with ServiceBus topics and subscriptions.

+ // The sample creates a topic and 3 subscriptions with different filter definitions.

+ // Each receiver will receive matching messages depending on the filter associated with a subscription.

+ // Send sample messages.

+ await this.SendMessagesToTopicAsync(connectionString);

+ // Receive messages from subscriptions.

+ await this.ReceiveAllMessageFromSubscription(connectionString, SubscriptionAllMessages);

+ await this.ReceiveAllMessageFromSubscription(connectionString, SubscriptionColorBlueSize10Orders);

+ await this.ReceiveAllMessageFromSubscription(connectionString, SubscriptionColorRed);

+ await this.ReceiveAllMessageFromSubscription(connectionString, SubscriptionHighPriorityOrders);

+ }

+ async Task SendMessagesToTopicAsync(string connectionString)

+ {

+ // Create the clients that we'll use for sending and processing messages.

+ client = new ServiceBusClient(connectionString);

+ sender = client.CreateSender(TopicName);

+ Console.WriteLine("\nSending orders to topic.");

+ // Now we can start sending orders.

+ await Task.WhenAll(

+ SendOrder(sender, new Order()),

+ SendOrder(sender, new Order { Color = "blue", Quantity = 5, Priority = "low" }),

+ SendOrder(sender, new Order { Color = "red", Quantity = 10, Priority = "high" }),

+ SendOrder(sender, new Order { Color = "yellow", Quantity = 5, Priority = "low" }),

+ SendOrder(sender, new Order { Color = "blue", Quantity = 10, Priority = "low" }),

+ SendOrder(sender, new Order { Color = "blue", Quantity = 5, Priority = "high" }),

+ SendOrder(sender, new Order { Color = "blue", Quantity = 10, Priority = "low" }),

+ SendOrder(sender, new Order { Color = "red", Quantity = 5, Priority = "low" }),

+ SendOrder(sender, new Order { Color = "red", Quantity = 10, Priority = "low" }),

+ SendOrder(sender, new Order { Color = "red", Quantity = 5, Priority = "low" }),

+ SendOrder(sender, new Order { Color = "yellow", Quantity = 10, Priority = "high" }),

+ SendOrder(sender, new Order { Color = "yellow", Quantity = 5, Priority = "low" }),

+ SendOrder(sender, new Order { Color = "yellow", Quantity = 10, Priority = "low" })

+ );

+ Console.WriteLine("All messages sent.");

+ }

+ async Task SendOrder(ServiceBusSender sender, Order order)

+ {

+ var message = new ServiceBusMessage(Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(order)))

+ {

+ CorrelationId = order.Priority,

+ Subject = order.Color,

+ ApplicationProperties =

+ {

+ { "color", order.Color },

+ { "quantity", order.Quantity },

+ { "priority", order.Priority }

+ }

+ };

+ await sender.SendMessageAsync(message);

+ Console.WriteLine("Sent order with Color={0}, Quantity={1}, Priority={2}", order.Color, order.Quantity, order.Priority);

+ }

+ async Task ReceiveAllMessageFromSubscription(string connectionString, string subsName)

+ {

+ var receivedMessages = 0;

+ receiver = client.CreateReceiver(TopicName, subsName, new ServiceBusReceiverOptions() { ReceiveMode = ServiceBusReceiveMode.ReceiveAndDelete } );

+

+ // Create a receiver from the subscription client and receive all messages.

+ Console.WriteLine("\nReceiving messages from subscription {0}.", subsName);

+ while (true)

+ {

+ var receivedMessage = await receiver.ReceiveMessageAsync(TimeSpan.FromSeconds(10));

+ if (receivedMessage != null)

+ {

+ foreach (var prop in receivedMessage.ApplicationProperties)

+ {

+ Console.Write("{0}={1},", prop.Key, prop.Value);

+ }

+ Console.WriteLine("CorrelationId={0}", receivedMessage.CorrelationId);

+ receivedMessages++;

+ }

+ else

+ {

+ // No more messages to receive.

+ break;

+ }

+ }

+ Console.WriteLine("Received {0} messages from subscription {1}.", receivedMessages, subsName);

+ }

+ public static async Task Main()

+ {

+ try

+ {

+ Program app = new Program();

+ await app.SendAndReceiveTestsAsync(connectionString);

+ }

+ catch (Exception e)

+ {

+ Console.WriteLine(e.ToString());

+ }

+ }

+ }

+ class Order

+ {

+ public string Color

+ {

+ get;

+ set;

+ }

+ public int Quantity

+ {

+ get;

+ set;

+ }

+ public string Priority

+ {

+ get;

+ set;

+ }

+ }

+}

+```

+ Service Fabric supports clusters that span across [Availability Zones](../availability-zones/az-overview.md) by deploying node types that are pinned to specific zones, ensuring high-availability of your applications. Availability Zones require additional node type planning and minimum requirements. For details, see [Topology for spanning a primary node type across Availability Zones](service-fabric-cross-availability-zones.md#topology-for-spanning-a-primary-node-type-across-availability-zones).

+## Topology for spanning a primary node type across Availability Zones

+>[!NOTE]

+>The benefit of spanning the primary node type across availability zones is really only seen for three zones and not just two.

+ > GitHub has removed support for password authentication, so you'll need to use a personal access token instead of password authentication for GitHub. For more information, see [Token authentication](https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations/).

+ Title: Create an Azure Spring Cloud instance with availability zone enabled

+description: How to create an Azure Spring Cloud instance with availability zone enabled.

+# Create Azure Spring Cloud instance with availability zone enabled

+**This article applies to:** ✔️ Standard tier ✔️ Enterprise tier

+> [!NOTE]

+> This feature is not available in Basic tier.

+This article explains availability zones in Azure Spring Cloud, and how to enable them.

+In Microsoft Azure, [Availability Zones (AZ)](../availability-zones/az-overview.md) are unique physical locations within an Azure region. Each zone is made up of one or more data centers that are equipped with independent power, cooling, and networking. Availability zones protect your applications and data from data center failures.

+When a service in Azure Spring Cloud has availability zone enabled, Azure automatically spreads the application's deployment instance across all three zones in the selected region. If the application's deployment instance count is larger than three and is divisible by three, the instances will be spread evenly. Otherwise, the extra instance counts are spread across the remaining zones.

+## How to create an instance in Azure Spring Cloud with availability zone enabled

+>[!NOTE]

+> You can only enable availability zone when creating your instance. You can't enable or disable availability zone after creation of the service instance.

+You can enable availability zone in Azure Spring Cloud using the [Azure CLI](/cli/azure/install-azure-cli) or [Azure portal](https://portal.azure.com).

+# [Azure CLI](#tab/azure-cli)

+To create a service in Azure Spring Cloud with availability zone enabled using the Azure CLI, include the `--zone-redundant` parameter when you create your service in Azure Spring Cloud.

+```azurecli

+az spring-cloud create -name <MyService> \

+ -group <MyResourceGroup> \

+ -location <MyLocation> \

+ --zone-redundant true

+```

+# [Azure portal](#tab/portal)

+To create a service in Azure Spring Cloud with availability zone enabled using the Azure portal, enable the Zone Redundant option when creating the instance.

+

+## Region availability

+Azure Spring Cloud currently supports availability zones in the following regions:

+- Central US

+- West US 2

+- East US

+- Australia East

+- North Europe

+- East US 2

+- West Europe

+- South Central US

+- UK South

+- Brazil South

+- France Central

+## Pricing

+There's no extra cost for enabling the availability zone.

+## Next steps

+* [Plan for disaster recovery](disaster-recovery.md)

+ Title: "Tutorial: Deploy Spring Boot applications using Maven"

+description: Use Maven to deploy applications to Azure Spring Cloud.

+# Deploy Spring Boot applications using Maven

+**This article applies to:** ✔️ Java ❌ C#

+**This article applies to:** ✔️ Basic/Standard tier ✔️ Enterprise tier

+This article shows you how to use the Azure Spring Cloud Maven plugin to configure and deploy applications to Azure Spring Cloud.

+## Prerequisites

+* An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* An already provisioned Azure Spring Cloud instance.

+* [JDK 8 or JDK 11](/azure/developer/java/fundamentals/java-jdk-install)

+* [Apache Maven](https://maven.apache.org/download.cgi)

+* [Azure CLI version 2.0.67 or higher](/cli/azure/install-azure-cli) with the Azure Spring Cloud extension. You can install the extension by using the following command: `az extension add --name spring-cloud`

+## Generate a Spring Cloud project

+To create a Spring Cloud project for use in this article, use the following steps:

+1. Navigate to [Spring Initializr](https://start.spring.io/#!type=maven-project&language=java&platformVersion=2.5.7&packaging=jar&jvmVersion=1.8&groupId=com.example&artifactId=hellospring&name=hellospring&description=Demo%20project%20for%20Spring%20Boot&packageName=com.example.hellospring&dependencies=web,cloud-eureka,actuator,cloud-config-client) to generate a sample project with the recommended dependencies for Azure Spring Cloud. This link uses the following URL to provide default settings for you.

+ ```url

+ https://start.spring.io/#!type=maven-project&language=java&platformVersion=2.5.7&packaging=jar&jvmVersion=1.8&groupId=com.example&artifactId=hellospring&name=hellospring&description=Demo%20project%20for%20Spring%20Boot&packageName=com.example.hellospring&dependencies=web,cloud-eureka,actuator,cloud-config-client

+ ```

+ The following image shows the recommended Spring Initializr setup for this sample project.

+ :::image type="content" source="media/how-to-maven-deploy-apps/initializr-page.png" alt-text="Screenshot of Spring Initializr.":::

+ This example uses Java version 8. If you want to use Java version 11, change the option under **Project Metadata**.

+1. Select **Generate** when all the dependencies are set.

+1. Download and unpack the package, then create a web controller for a web application. Add the file *src/main/java/com/example/hellospring/HelloController.java* with the following contents:

+ ```java

+ package com.example.hellospring;

+ import org.springframework.web.bind.annotation.RestController;

+ import org.springframework.web.bind.annotation.RequestMapping;

+ @RestController

+ public class HelloController {

+ @RequestMapping("/")

+ public String index() {

+ return "Greetings from Azure Spring Cloud!";

+ }

+ }

+ ```

+## Build the Spring applications locally

+To build the project by using Maven, run the following commands:

+```azurecli

+cd hellospring

+mvn clean package -DskipTests -Denv=cloud

+```

+Compiling the project takes several minutes. After it's completed, you should have individual JAR files for each service in their respective folders.

+## Provision an instance of Azure Spring Cloud

+The following procedure creates an instance of Azure Spring Cloud using the Azure portal.

+1. In a new tab, open the [Azure portal](https://portal.azure.com/).

+2. From the top search box, search for **Azure Spring Cloud**.

+3. Select **Azure Spring Cloud** from the results.

+ 

+4. On the Azure Spring Cloud page, select **Create**.

+ 

+5. Fill out the form on the Azure Spring Cloud **Create** page. Consider the following guidelines:

+ - **Subscription**: Select the subscription you want to be billed for this resource.

+ - **Resource group**: Creating new resource groups for new resources is a best practice. You will use this resource group in later steps as **\<resource group name\>**.

+ - **Service Details/Name**: Specify the **\<service instance name\>**. The name must be between 4 and 32 characters long and can contain only lowercase letters, numbers, and hyphens. The first character of the service name must be a letter and the last character must be either a letter or a number.

+ - **Location**: Select the region for your service instance.

+ 

+6. Select **Review and create**.

+## Generate configurations and deploy to the Azure Spring Cloud

+To generate configurations and deploy the app, follow these steps:

+1. Run the following command from the *hellospring* root folder, which contains the POM file. If you've already signed-in with Azure CLI, the command will automatically pick up the credentials. Otherwise, the command will prompt you with sign-in instructions. For more information, see [Authentication](https://github.com/microsoft/azure-maven-plugins/wiki/Authentication) in the [azure-maven-plugins](https://github.com/microsoft/azure-maven-plugins) repository on GitHub.

+ ```azurecli

+ mvn com.microsoft.azure:azure-spring-cloud-maven-plugin:1.7.0:config

+ ```

+ You'll be asked to select:

+ * **Subscription ID** - the subscription you used to create an Azure Spring Cloud instance.

+ * **Service instance** - the name of your Azure Spring Cloud instance.

+ * **App name** - an app name of your choice, or use the default value `artifactId`.

+ * **Public endpoint** - *true* to expose the app to public access; otherwise, *false*.

+1. Verify that the `appName` element in the POM file has the correct value. The relevant portion of the POM file should look similar to the following example.

+ ```xml

+ <build>

+ <plugins>

+ <plugin>

+ <groupId>com.microsoft.azure</groupId>

+ <artifactId>azure-spring-cloud-maven-plugin</artifactId>

+ <version>1.7.0</version>

+ <configuration>

+ <subscriptionId>xxxxxxxxx-xxxx-xxxx-xxxxxxxxxxxx</subscriptionId>

+ <clusterName>v-spr-cld</clusterName>

+ <appName>customers-service</appName>

+ ```

+ The POM file now contains the plugin dependencies and configurations.

+1. Deploy the app using the following command.

+ ```azurecli

+ mvn azure-spring-cloud:deploy

+ ```

+## Verify the services

+After deployment has completed, you can access the app at `https://<service instance name>-hellospring.azuremicroservices.io/`.

+## Clean up resources

+If you plan to continue working with the example application, you might want to leave the resources in place. When no longer needed, delete the resource group containing your Azure Spring Cloud instance. To delete the resource group by using Azure CLI, use the following commands:

+```azurecli

+echo "Enter the Resource Group name:" &&

+read resourceGroupName &&

+az group delete --name $resourceGroupName &&

+echo "Press [ENTER] to continue ..."

+```

+## Next steps

+* [Prepare Spring application for Azure Spring Cloud](how-to-prepare-app-deployment.md)

+* [Learn more about Azure Spring Cloud Maven Plugin](https://github.com/microsoft/azure-maven-plugins/wiki/Azure-Spring-Cloud)

+ "WasBlobSoftDeleted": "true",

+ "WasBlobSoftDeleted": "true",

+ "WasBlobSoftDeleted": "true",

+ Title: Authorize operations for data access

+Each time you access data in your storage account, your client application makes a request over HTTP/HTTPS to Azure Storage. By default, every resource in Azure Storage is secured, and every request to a secure resource must be authorized. Authorization ensures that the client application has the appropriate permissions to access a particular resource in your storage account.

+## Understand authorization for data operations

+ Microsoft recommends that you disallow Shared Key authorization for your storage account. When Shared Key authorization is disallowed, clients must use Azure AD or a user delegation SAS to authorize requests for data in that storage account. For more information, see [Prevent Shared Key authorization for an Azure Storage account](shared-key-authorization-prevent.md).

+- **Shared access signatures** for blobs, files, queues, and tables. Shared access signatures (SAS) provide limited delegated access to resources in a storage account via a signed URL. The signed URL specifies the permissions granted to the resource and the interval over which the signature is valid. A service SAS or account SAS is signed with the account key, while the user delegation SAS is signed with Azure AD credentials and applies to blobs only. For more information, see [Using shared access signatures (SAS)](storage-sas-overview.md).

+> We recommend that you use Azure Storage logs in Azure Monitor instead of Storage Analytics logs. See any of the following articles:

+We recommend you review [Azure Monitor for Storage](./storage-insights-overview.md?toc=%2fazure%2fazure-monitor%2ftoc.json). It is a feature of Azure Monitor that offers comprehensive monitoring of your Azure Storage accounts by delivering a unified view of your Azure Storage services performance, capacity, and availability. It does not require you to enable or configure anything, and you can immediately view these metrics from the pre-defined interactive charts and other visualizations included.

+- [Prevent Shared Key authorization for an Azure Storage account](shared-key-authorization-prevent.md)

+> We recommend that you use Azure Storage logs in Azure Monitor instead of Storage Analytics logs. To learn more, see any of the following articles:

+> [!Warning]

+> AzCopy sync is supported but not fully recommended for Azure Files. AzCopy sync doesn't support differential copies at scale, and some file fidelity might be lost. To learn more, see [Migrate to Azure file shares](https://docs.microsoft.com/azure/storage/files/storage-files-migration-overview#file-copy-tools).

+* COPY schema discovery for complex data ingestion. To learn more, see the [blog post](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-january-update-2022/ba-p/3071681#TOCREF_12) or [how GitHub leveraged this functionality in Introducing Automatic Schema Discovery with auto table creation for complex datatypes](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/introducing-automatic-schema-discovery-with-auto-table-creation/ba-p/3068927).

+>[!IMPORTANT]

+>You must have global admin permissions in order to assign the RBAC role to the service principal.

+Before you can configure the Start VM on Connect feature, you'll need to assign a subscription-level custom RBAC (role-based access control) role to the Azure Virtual Desktop service principal. This role will let Azure Virtual Desktop manage the VMs in your subscription. This role grants Azure Virtual Desktop the permissions to turn on VMs, check their status, and report diagnostic info. If you want to know more about Azure custom RBAC roles, take a look at [Azure custom roles](../role-based-access-control/custom-roles.md).

+>[!IMPORTANT]

+>You must have global admin permissions in order to assign the RBAC role to the service principal.

+## Version 1.1.10

+This update was released in February 2022 and has the following changes:

+- We added support for [category groups](../azure-monitor/essentials/diagnostic-settings.md#resource-logs) for resource logs.

+## Version 1.1.8

+This update was released in November 2021 and has the following changes:

+- We added a dynamic check for host pool and workspaces Log Analytics tables to show instances where diagnostics may not be configured.

+- Updated the source table for session history and calculations for users per core.

+## Version 1.1.7

+This update was released in November 2021 and has the following changes:

+- We increased the session host limit to 1000 for the configuration workbook to allow for larger deployments.

+## Version 1.1.6

+This update was released in October 2021 and has the following changes:

+- We updated contents to reflect change from *Windows Virtual Desktop* to *Azure Virtual Desktop*.

+## Version 1.1.4

+This update was released in October 2021 and has the following changes:

+- We updated data usage reporting in the configuration workbook to include the agent health table.

+## Version 1.1.3

+This update was released in September 2021 and has the following changes:

+- We updated filtering behavior to make use of resource IDs.

+## Version 1.1.2

+This update was released in August 2021 and has the following changes:

+- We updated some formatting in the workbooks.

+## Version 1.1.1

+This update was released in July 2021 and has the following changes:

+- We added the Workbooks gallery for quick access to Azure Virtual Desktop related Azure workbooks.

+## Version 1.1.0

+This update was released July 2021 and has the following changes:

+- We added a **Data Generated** tab to the configuration workbook for detailed data on storage space usage for Azure Virtual Desktop Insights to allow more insight into Log Analytics usage.

+## Version 1.0.4

+This update was released in June 2021 and has the following changes:

+- We made some changes to formatting and layout for better use of whitespace.

+- We changed the sort order for **User Input Delay** details in **Host Performance** to descending.

+## Version 1.0.3

+This update was released in May 2021 and has the following changes:

+- We updated formatting to prevent truncation of text.

+## Version 1.0.2

+This update was released in May 2021 and has the following changes:

+- We resolved an issue with user per core calculation in the **Utilization** tab.

+## Version 1.0.1

+This update was released in April 2021 and has the following changes:

+- We made a formatting update for columns containing sparklines.

+## Version 1.0.0

+This update was released in March 2021 and has the following changes:

+- Red Hat Enterprise Linux (RHEL) 8, 7, 6.7+

+ --publisher Canonical \

+ --offer UbuntuServer \

+- [Azure proximity placement group](../../windows/proximity-placement-groups.md) is not required for Azure shared disk. But if you are using PPG for SAP system, all virtual machines sharing a disk must be part of the same PPG.

+- [Azure proximity placement group](../../windows/proximity-placement-groups.md) is not required for Azure shared disk. But if you are using PPG for SAP system, all virtual machines sharing a disk must be part of the same PPG.

+> [Azure proximity placement group](../../windows/proximity-placement-groups.md) is not required for Azure shared disk. But if you are using PPG for SAP system, all virtual machines sharing a disk must be part of the same PPG.

+ - **Resource group**: Select **Create new**, type **CreateVNetQS-rg** for the resource group name, and select **OK**.

+1. When deployment completes, click on **Go to resource** button to review the resources deployed.

+Explore the resources that were created with the virtual network by browsing the settings blades for **VNet1**.

+1. On the **Overview** tab, you will see the defined address space of **10.0.0.0/16**.

+2. On the **Subnets** tab, you will see the deployed subnets of **Subnet1** and **Subnet2** with the appropriate values from the template.

+You can use service tags to define network access controls on [network security groups](./network-security-groups-overview.md#security-rules), [Azure Firewall](../firewall/service-tags.md), and [user-defined routes](./virtual-networks-udr-overview.md#service-tags-for-user-defined-routes). Use service tags in place of specific IP addresses when you create security rules and routes. By specifying the service tag name, such as **ApiManagement**, in the appropriate *source* or *destination* field of a security rule, you can allow or deny the traffic for the corresponding service. By specifying the service tag name in the address prefix of a route, you can route traffic intended for any of the prefixes encapsulated by the service tag to a desired next hop type.

+### Service Tags for user-defined routes

+* [Determine the next hop type](../network-watcher/diagnose-vm-network-routing-problem.md?toc=%2fazure%2fvirtual-network%2ftoc.json) between a virtual machine and a destination IP address. The Azure Network Watcher next hop feature enables you to determine whether traffic is leaving a subnet and being routed to where you think it should be.