+ Title: Azure Active Directory B2C service limits and restrictions

+> [!NOTE]

+> To increase any of the service limits mentioned in this article, contact **[Support](find-help-open-support-ticket.md)**.

+The frequency of requests made to Azure AD B2C endpoints determines the overall token issuance capability. Azure AD B2C exposes endpoints, which consume a different number of requests. Review the [Authentication Protocols](./protocols-overview.md) article for more information on which endpoints are consumed by your application.

+|SocialAndLocalAccountsWithMfa| Local account sign up with MFA|SignUpOrSignIn |10|

+|SocialAndLocalAccountsWithMfa| Federated account sign up with MFA|SignUpOrSignIn |10|

+You can create your own Custom Policy to provide a unique authentication experience for your application. The number of requests consumed at the dynamic endpoint depends on which features a user traverses through your Custom Policy. The below table shows how many requests are consumed for each feature in a Custom Policy.

+- Caching the [OpenId Connect metadata](./openid-connect.md#validate-the-id-token) documents at your APIs.

+|Number of sign-out URLs per applicationΓÇ» |1 |

+> Accidental deletions are not supported for our Workday / SuccessFactors integrations. It is also not supported for changes in scoping (e.g. changing a scoping filter or changing from "sync all users and groups" to "sync assigned users and groups"). Until the accidental deletions prevention feature is fully released, you'll need to access the Azure portal using this URL: https://aka.ms/AccidentalDeletionsPreview

+threshold. Also, be sure the notification email address is completed. If the deletion threshold is met an email will be sent.

+- HR-driven provisioning from Workday and SuccessFactors don't support the accidental deletions feature.

+- Changes to your provisioning configuration (e.g. changing scoping) isn't supported by the accidental deletions feature.

+If you encounter an accidental deletion you'll see it on the provisioning status page. It will say **Provisioning has been quarantined. See quarantine details for more information.**.

+3. You'll see confirmation that the deletions were accepted and the status will return to healthy with the next cycle.

+If you don't want to allow the deletions, you need to do the following:

+- Once you've made the necessary changes to prevent the user / group from being deleted, restart provisioning. Please don't restart provisioning until you've made the necessary changes to prevent the users / groups from being deleted.

+Let the provisioning job run (20 ΓÇô 40 mins) and navigate back to the provisioning page. You'll see the provisioning job in quarantine and can choose to allow the deletions or review the provisioning logs to understand why the deletions occurred.

+It is evaluated each cycle. If the number of deletions doesn't exceed the threshold during a

+ - Performance of the workloads on the new SKU should not be impacted.

+ - Target for user-facing workloads:

+ - P95 of CPU and Outbound Network utilization at 40% or lower on the recommended SKU

+ - P100 of Memory utilization at 60% or lower on the recommended SKU

+ - Target for non user-facing workloads:

+ - P95 of the CPU and Outbound Network utilization at 80% or lower on the new SKU

+ - P100 of Memory utilization at 80% or lower on the new SKU

+> URL rewrite operations may cause a minor increase in the compute utilization of your WAF Application Gateway. In application gateway v1 deployments, it is recommended that you monitor the [CPU utilization metric](high-traffic-support.md) for a brief period of time after enabling the URL rewrite rules on your WAF Application Gateway.

+1. Select **Access control (IAM)**.

+1. Select **Add** > **Add role assignment** to open the **Add role assignment** page.

+1. Assign the following role. For detailed steps, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md).

+ | Setting | Value |

+ | | |

+ | Role | Contributor |

+ | Assign access to | User, group, or service principal |

+ | Members | \<Name of your Automanage account> |

+ 

+1. Repeat steps 2 through 4, selecting the **Resource Policy Contributor** role.

+1. Sign in to the [Azure portal](https://portal.azure.com/) and open your Automation account from the **Automation Accounts** page.

+1. Select **Access control (IAM)** and select a role from the list of available roles. You can choose any of the available built-in roles that an Automation account supports or any custom role you might have defined. Assign the role to a user to which you want to give permissions.

+ For detailed steps, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md).

+ > [!NOTE]

+ > You can only set role-based access control at the Automation account scope and not at any resource below the Automation account.

+#### Remove role assignments from a user

+You can remove the access permission for a user who isn't managing the Automation account, or who no longer works for the organization. The following steps show how to remove the role assignments from a user. For detailed steps, see [Remove Azure role assignments](../../articles/role-based-access-control/role-assignments-remove.md):

+1. Open **Access control (IAM)** at a scope, such as management group, subscription, resource group, or resource, where you want to remove access.

+1. Select the **Role assignments** tab to view all the role assignments at this scope.

+1. In the list of role assignments, add a checkmark next to the user with the role assignment you want to remove.

+1. Select **Remove**.

+* The Python **automationassets** package is not available on pypi.org, so it's not available for import onto a Windows machine.

+* To learn about Python runbooks, see [Tutorial: Create a Python runbook](./learn/automation-tutorial-runbook-textual-python-3.md).

+ms.custon: subject-rbac-steps

+1. Copy the value for the Azure Function App name that you specified during the deployment.

+1. In the Azure portal, navigate to your secondary subscription.

+1. Select **Access control (IAM)**.

+1. Select **Add** > **Add role assignment** to open the **Add role assignment** page.

+1. Assign the following role. For detailed steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).

+ | Setting | Value |

+ | | |

+ | Role | Contributor |

+ | Assign access to | User, group, or service principal |

+ | Members | \<Your Azure Function App name> |

+ 

+> Azure Monitor recently launched a new agent, the [Azure Monitor agent](./azure-monitor-agent-overview.md), that provides all capabilities necessary to collect guest operating system monitoring data. **Use this new agent if you are not bound by [these limitations](./azure-monitor-agent-overview.md#current-limitations)**, as it consolidates the features of all the legacy agents listed below and provides additional benefits. If you do require the limitations today, you may continue using the other legacy agents listed below until **August 2024**. [Learn more](./azure-monitor-agent-overview.md)

+ Title: Collect text and IIS logs with Azure Monitor agent (preview)

+# Collect text and IIS logs with Azure Monitor agent (preview)

+This article describes how to configure the collection of file-based text logs, including logs generated by IIS on Windows computers, with the [Azure Monitor agent](azure-monitor-agent-overview.md). Many applications log information to text files instead of standard logging services such as Windows Event log or Syslog.

+To complete this procedure, you need the following:

+IIS logs must be in W3C format. Other log files must meet the following criteria to be collected:

+1. Create a new table in your workspace to receive the collected data. (not required for IIS logs)

+>[!NOTE]

+> This step isn't required to collect an IIS log. The table [W3CIISLog](/azure/azure-monitor/reference/tables/w3ciislog) will be used for IIS logs.

+Use the **Tables - Update** API to create the table with the PowerShell code below. This code creates a table called *MyTable_CL* with two columns. Modify this schema to collect a different table.

+3. Paste one of the Resource Manager templates below into the editor and then change the following values:

+ - `transformKql`: Specifies a [transformation](../logs/../essentials/data-collection-rule-transformations.md) to apply to the incoming data before it's sent to the workspace. Data collection rules for Azure Monitor agent don't yet support transformations, so this value should currently be `source`.

+ **Data collection rule for text log**

+ "properties": {

+ **Data collection rule for IIS log**

+ ```json

+ {

+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ "dataCollectionRuleName": {

+ "type": "string",

+ "metadata": {

+ "description": "Specifies the name of the Data Collection Rule to create."

+ }

+ },

+ "location": {

+ "type": "string",

+ "defaultValue": "westus2",

+ "allowedValues": [

+ "westus2",

+ "eastus2",

+ "eastus2euap"

+ ],

+ "metadata": {

+ "description": "Specifies the location in which to create the Data Collection Rule."

+ }

+ },

+ "workspaceName": {

+ "type": "string",

+ "metadata": {

+ "description": "Name of the Log Analytics workspace to use."

+ }

+ },

+ "workspaceResourceId": {

+ "type": "string",

+ "metadata": {

+ "description": "Specifies the Azure resource ID of the Log Analytics workspace to use."

+ }

+ },

+ "endpointResourceId": {

+ "type": "string",

+ "metadata": {

+ "description": "Specifies the Azure resource ID of the Data Collection Endpoint to use."

+ }

+ }

+ },

+ "resources": [

+ {

+ "type": "Microsoft.Insights/dataCollectionRules",

+ "name": "[parameters('dataCollectionRuleName')]",

+ "location": "[parameters('location')]",

+ "apiVersion": "2021-09-01-preview",

+ "properties": {

+ "dataCollectionEndpointId": "[parameters('endpointResourceId')]",

+ "dataSources": {

+ "iisLogs": [

+ {

+ "streams": [

+ "Microsoft-W3CIISLog"

+ ],

+ "logDirectories": [

+ "C:\\inetpub\\logs\\LogFiles\\*.log"

+ ],

+ "name": "myIisLogsDataSource"

+ }

+ ]

+ },

+ "destinations": {

+ "logAnalytics": [

+ {

+ "workspaceResourceId": "[parameters('workspaceResourceId')]",

+ "name": "[parameters('workspaceName')]"

+ }

+ ]

+ },

+ "dataFlows": [

+ {

+ "streams": [

+ "Microsoft-W3CIISLog"

+ ],

+ "destinations": [

+ "[parameters('workspaceName')]"

+ ],

+ "transformKql": "source"

+ }

+ ]

+ }

+ }

+ ],

+ "outputs": {

+ "dataCollectionRuleId": {

+ "type": "string",

+ "value": "[resourceId('Microsoft.Insights/dataCollectionRules', parameters('dataCollectionRuleName'))]"

+ }

+ }

+ }

+ ```

+## Pricing model

+Each Metrics Alert rule is billed based for time series monitored. Prices for Metric Alert rules are available on the [Azure Monitor pricing page](https://azure.microsoft.com/pricing/details/monitor/).

+### Calculating the price for a Log Alert rule without dimensions

+The price of an alert rule which queries 1 resource event every 15-minutes can be calculated as:

+Total monthly price = 1 resource * 1 log alert rule * price per 15-minute internal log alert rule per month.

+### Calculating the price for a Log Alert rule with dimensions

+The price of an alert rule which monitors 10 VM resources at 1-minute frequency, using resource centric log monitoring, can be calculated as Price of alert rule + Price of number of dimensions. For example:

+Total monthly price = price per 1-minute log alert rule per month + ( 10 time series - 1 included free time series ) * price per 1-min interval monitored per month.

+Pricing of at scale log monitoring is applicable from Scheduled Query Rules API version 2021-02-01.

+ > - If the retention setting for your Application Insights instance under **Configure** > **Usage and estimated costs** > **Data Retention** is enabled, then use that setting to control the retention days for the telemetry data still saved in your classic resource's storage.

+3. Right-click on the record, and select **Extract fields from**.

+## LogicMonitor

+

+For more information, see the [LogicMonitor documentation](https://www.logicmonitor.com/lp/azure-monitoring/).

+- [Stream resource logs to a non-Microsoft service](essentials/resource-logs.md#send-to-azure-event-hubs)

+1. Assign the Storage Blob Data Contributor role to the server hosting the database that you registered with Azure Active Directory (Azure AD) in the previous step.

+ For detailed steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).

+1. Configure the [server's blob auditing policy](/rest/api/sql/server%20auditing%20settings/createorupdate), without specifying a *storageAccountAccessKey*:

+## April 2022 Guest OS

+>[!NOTE]

+>The April Guest OS is currently being rolled out to Cloud Service VMs that are configured for automatic updates. When the rollout is complete, this version will be made available for manual updates through the Azure portal and configuration files. The following patches are included in the April Guest OS. This list is subject to change.

+| Product Category | Parent KB Article | Vulnerability Description | Guest OS | Date First Introduced |

+| | | | | |

+| Rel 22-04 | [5012647] | Latest Cumulative Update(LCU) | 6.43 | Apr 12, 2022 |

+| Rel 22-04 | [5011486] | IE Cumulative Updates | 2.122, 3.109, 4.102 | Apr 12, 2022 |

+| Rel 22-04 | [5012604] | Latest Cumulative Update(LCU) | 7.11 | Apr 12, 2022 |

+| Rel 22-04 | [5012596] | Latest Cumulative Update(LCU) | 5.67 | Apr 12, 2022 |

+| Rel 22-04 | [5012138] | .NET Framework 3.5 Security and Quality Rollup | 2.122 | Apr 12, 2022 |

+| Rel 22-04 | [5012141] | .NET Framework 4.5.2 Security and Quality Rollup | 2.122 | Apr 12, 2022 |

+| Rel 22-04 | [5012139] | .NET Framework 3.5 Security and Quality Rollup | 4.102 | Apr 12, 2022 |

+| Rel 22-04 | [5012142] | .NET Framework 4.5.2 Security and Quality Rollup | 4.102 | Apr 12, 2022 |

+| Rel 22-04 | [5012136] | .NET Framework 3.5 Security and Quality Rollup | 3.109 | Apr 12, 2022 |

+| Rel 22-04 | [5012140] | . NET Framework 4.5.2 Security and Quality Rollup | 3.109 | Apr 12, 2022 |

+| Rel 22-04 | [5012128] | . NET Framework 3.5 and 4.7.2 Cumulative Update | 6.43 | Apr 12, 2022 |

+| Rel 22-04 | [5012123] | .NET Framework 4.8 Security and Quality Rollup | 7.11 | Apr 12, 2022 |

+| Rel 22-04 | [5012626] | Monthly Rollup | 2.122 | Apr 12, 2022 |

+| Rel 22-04 | [5012650] | Monthly Rollup | 3.109 | Apr 12, 2022 |

+| Rel 22-04 | [5012670] | Monthly Rollup | 4.102 | Apr 12, 2022 |

+| Rel 22-04 | [5013270] | Servicing Stack update | 3.109 | Apr 12, 2022 |

+| Rel 22-04 | [5012672] | Servicing Stack update | 4.102 | Apr 12, 2022 |

+| Rel 22-04 | [4578013] | Standalone Security Update | 4.102 | Aug 19, 2020 |

+| Rel 22-04 | [5011570] | Servicing Stack update | 5.67 | Mar 8, 2021 |

+| Rel 22-04 | [5011649] | Servicing Stack update | 2.122 | Mar 8, 2022 |

+| Rel 22-04 | [4494175] | Microcode | 5.67 | Sep 1, 2020 |

+| Rel 22-04 | [4494174] | Microcode | 6.43 | Sep 1, 2020 |

+[5012647]: https://support.microsoft.com/kb/5012647

+[5011486]: https://support.microsoft.com/kb/5011486

+[5012604]: https://support.microsoft.com/kb/5012604

+[5012596]: https://support.microsoft.com/kb/5012596

+[5012138]: https://support.microsoft.com/kb/5012138

+[5012141]: https://support.microsoft.com/kb/5012141

+[5012139]: https://support.microsoft.com/kb/5012139

+[5012142]: https://support.microsoft.com/kb/5012142

+[5012136]: https://support.microsoft.com/kb/5012136

+[5012140]: https://support.microsoft.com/kb/5012140

+[5012128]: https://support.microsoft.com/kb/5012128

+[5012123]: https://support.microsoft.com/kb/5012123

+[5012626]: https://support.microsoft.com/kb/5012626

+[5012650]: https://support.microsoft.com/kb/5012650

+[5012670]: https://support.microsoft.com/kb/5012670

+[5013270]: https://support.microsoft.com/kb/5013270

+[5012672]: https://support.microsoft.com/kb/5012672

+[4578013]: https://support.microsoft.com/kb/4578013

+[5011570]: https://support.microsoft.com/kb/5011570

+[5011649]: https://support.microsoft.com/kb/5011649

+[4494175]: https://support.microsoft.com/kb/4494175

+[4494174]: https://support.microsoft.com/kb/4494174

+ [![Batch icon][batch-icon]][batch-doc]

+ [**Batch**][batch-doc]<br>(*Consumption logic app only*)

+ :::column:::

+ [![FTP icon][ftp-icon]][ftp-doc]

+ \

+ \

+ [**FTP**][ftp-doc]<br>(*Standard logic app only*)

+ \

+ \

+ Connect to FTP or FTPS servers you can access from the internet so that you can work with your files and folders.

+ :::column-end:::

+ Connect to your Azure Blob Storage account so you can create and manage blob content.

+ :::column:::

+ ![Azure Table Storage icon][azure-table-storage-icon]

+ \

+ \

+ **Azure Table Storage**<br>(*Standard logic app only*)

+ \

+ \

+ Connect to your Azure Table Storage account so you can create and manage tables.

+ :::column-end:::

+[azure-table-storage-icon]: ./media/apis-list/azure-table-storage.png

+[ftp-icon]: ./media/apis-list/ftp.png

+[ftp-doc]: ./connectors-create-api-ftp.md "Connect to an FTP or FTPS server for FTP tasks, like uploading, getting, deleting files, and more"

+1. Navigate to your Azure Cosmos account.

+1. Assign the Contributor role to the sample app you created in the previous section.

+ For detailed steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).

+**For IoT device builders**, Microsoft Defender for IoT also offers a lightweight, micro-agent that supports standard IoT operating systems, such as Linux and RTOS. The Microsoft Defender device builder agent helps you ensure that security is built into your IoT/OT projects, from the cloud. For more information, see [Microsoft Defender for IoT for device builders documentation](/azure/defender-for-iot/device-builders/overview).

+ Title: Configure import settings in the FHIR service - Azure Health Data Services

+description: This article describes how to configure import settings in the FHIR service

+# Configure bulk import settings (Preview)

+The FHIR service supports $import operation that allows you to import data into FHIR service account from a storage account.

+The three steps below are used in configuring import settings in the FHIR service:

+- Enable managed identity for the FHIR service.

+- Create an Azure storage account or use an existing storage account, and then grant permissions to the FHIR service to access it.

+- Set the import configuration in the FHIR service.

+## Enable managed identity on the FHIR service

+The first step in configuring the FHIR service for import is to enable system wide managed identity on the service, which will be used to grant the service to access the storage account. For more information about managed identities in Azure, see [About managed identities for Azure resources](../../active-directory/managed-identities-azure-resources/overview.md).

+In this step, browse to your FHIR service in the Azure portal, and select the **Identity** blade. Select the **Status** option to **On** , and then select **Save**. The **Yes** and **No** buttons will display. Select **Yes** to enable the managed identity for FHIR service. After the system identity has been enabled, you'll see a system assigned GUID value.

+[  ](media/export-data/fhir-mi-enabled.png#lightbox)

+## Assign permissions to the FHIR service to access the storage account

+Browse to the **Access Control (IAM)** in the storage account, and then select **Add role assignment**. If the add role assignment option is grayed out, you'll need to ask your Azure Administrator to assign you permission to perform this task.

+For more information about assigning roles in the Azure portal, see [Azure built-in roles](../../role-based-access-control/role-assignments-portal.md).

+Add the role [Storage Blob Data Contributor](../../role-based-access-control/built-in-roles.md#storage-blob-data-contributor) to the FHIR service, and then select **Save**.

+[ ](media/bulk-import/add-role-assignment-page.png#lightbox)

+Now you're ready to select the storage account in the FHIR service as a default storage account for import.

+## Set import configuration of the FHIR service

+The final step is to set the import configuration of the FHIR service, which contains specify storage account, enable import and enable initial import mode.

+> [!NOTE]

+> If you haven't assigned storage access permissions to the FHIR service, the import operations ($import) will fail.

+To specify the Azure Storage account, you need to use [Rest API](https://docs.microsoft.com/rest/api/healthcareapis/services/create-or-update) to update the FHIR service.

+To get the request URL and body, browse to the Azure portal of your FHIR service. Select **Overview**, and then **JSON View**.

+[  ](media/bulk-import/fhir-json-view.png#lightbox)

+Copy the URL as request URL and do following changes of the JSON as body:

+- Set enabled in importConfiguration to **true**

+- add or change the integrationDataStore with target storage account name

+- Set initialImportMode in importConfiguration to **true**

+- Drop off provisioningState.

+[  ](media/bulk-import/importer-url-and-body.png#lightbox)

+After you've completed this final step, you're ready to import data using $import.

+## Next steps

+In this article, you've learned the FHIR service supports $import operation and how it allows you to import data into FHIR service account from a storage account. You also learned about the three steps used in configuring import settings in the FHIR service. For more information about converting data to FHIR, exporting settings to set up a storage account, and moving data to Azure Synapse, see

+>[!div class="nextstepaction"]

+>[Converting your data to FHIR](convert-data.md)

+>[!div class="nextstepaction"]

+>[Configure export settings and set up a storage account](configure-export-data.md)

+>[!div class="nextstepaction"]

+>[Copy data from FHIR service to Azure Synapse Analytics](copy-to-synapse.md)

+ Title: Executing the import by invoking $import operation on FHIR service in Azure Health Data Services

+description: This article describes how to import FHIR data using $import

+# Bulk import FHIR data (Preview)

+The Bulk import feature enables importing FHIR data to the FHIR server at high throughput using the $import operation. This feature is suitable for initial data load into the FHIR server.

+## Current limitations

+* Conditional references in resources aren't supported.

+* If multiple resources share the same resource ID, then only one of those resources will be imported at random and an error will be logged corresponding to the remaining resources sharing the ID.

+* The data to be imported must be in the same Tenant as that of the FHIR service.

+## Using $import operation

+To use $import, you'll need to configure the FHIR server using the instructions in the [Configure bulk import settings](configure-import-data.md) article and set the **initialImportMode** to *true*. Doing so also suspends write operations (POST and PUT) on the FHIR server. You should set the **initialImportMode** to *false* to reenable write operations after you have finished importing your data.

+The FHIR data to be imported must be stored in resource specific files in FHIR NDJSON format on the Azure blob store. All the resources in a file must be of the same type. You may have multiple files per resource type.

+### Calling $import

+Make a ```POST``` call to ```<<FHIR service base URL>>/$import``` with the following required headers and body, which contains a FHIR [Parameters](http://hl7.org/fhir/parameters.html) resource.

+As `$import` is an async operation, a **callback** link will be returned in the `Content-location` header of the response together with ```202-Accepted``` status code. You can use this callback link to check import status.

+#### Request Header

+```http

+Prefer:respond-async

+Content-Type:application/fhir+json

+```

+#### Body

+| Parameter Name | Description | Card. | Accepted values |

+| -- | -- | -- | -- |

+| inputFormat | String representing the name of the data source format. Currently only FHIR NDJSON files are supported. | 1..1 | ```application/fhir+ndjson``` |

+| mode | Import mode. Currently only initial load mode is supported. | 1..1 | ```InitialLoad``` |

+| input | Details of the input files. | 1..* | A JSON array with three parts described in the table below. |

+| Input part name | Description | Card. | Accepted values |

+| -- | -- | -- | -- |

+| type | Resource type of input file | 1..1 | A valid [FHIR resource type](https://www.hl7.org/fhir/resourcelist.html) that match the input file. |

+|URL | Azure storage url of input file | 1..1 | URL value of the input file that can't be modified. |

+| etag | Etag of the input file on Azure storage used to verify the file content hasn't changed. | 0..1 | Etag value of the input file that can't be modified. |

+**Sample body:**

+```json

+{

+ "resourceType": "Parameters",

+ "parameter": [

+ {

+ "name": "inputFormat",

+ "valueString": "application/fhir+ndjson"

+ },

+ {

+ "name": "mode",

+ "valueString": "InitialLoad"

+ },

+ {

+ "name": "input",

+ "part": [

+ {

+ "name": "type",

+ "valueString": "Patient"

+ },

+ {

+ "name": "url",

+ "valueUri": "https://example.blob.core.windows.net/resources/Patient.ndjson"

+ },

+ {

+ "name": "etag",

+ "valueUri": "0x8D92A7342657F4F"

+ }

+ ]

+ },

+ {

+ "name": "input",

+ "part": [

+ {

+ "name": "type",

+ "valueString": "CarePlan"

+ },

+ {

+ "name": "url",

+ "valueUri": "https://example.blob.core.windows.net/resources/CarePlan.ndjson"

+ }

+ ]

+ }

+ ]

+}

+```

+### Checking import status

+Make the REST call with the ```GET``` method to the **callback** link returned in the previous step. You can interpret the response using the following table:

+| Response code | Response body |Description |

+| -- | -- |-- |

+| 202 Accepted | |The operation is still running.|

+| 200 OK |The response body doesn't contain any error.url entry|All resources were imported successfully.|

+| 200 OK |The response body contains some error.url entry|Error occurred while importing some of the resources. See the files located at error.url for the details. Rest of the resources were imported successfully.|

+| Other||A fatal error occurred and the operation has stopped. Successfully imported resources haven't been rolled back.|

+Below are some of the important fields in the response body:

+| Field | Description |

+| -- | -- |

+|transactionTime|Start time of the bulk import operation.|

+|output.count|Count of resources that were successfully imported|

+|error.count|Count of resources that weren't imported due to some error|

+|error.url|URL of the file containing details of the error. Each error.url is unique to an input URL. |

+**Sample response:**

+```json

+{

+ "transactionTime": "2021-07-16T06:46:52.3873388+00:00",

+ "request": "https://importperf.azurewebsites.net/$Import",

+ "output": [

+ {

+ "type": "Patient",

+ "count": 10000,

+ "inputUrl": "https://example.blob.core.windows.net/resources/Patient.ndjson"

+ },

+ {

+ "type": "CarePlan",

+ "count": 199949,

+ "inputUrl": "https://example.blob.core.windows.net/resources/CarePlan.ndjson"

+ }

+ ],

+ "error": [

+ {

+ "type": "OperationOutcome",

+ "count": 51,

+ "inputUrl": "https://example.blob.core.windows.net/resources/CarePlan.ndjson",

+ "url": "https://example.blob.core.windows.net/fhirlogs/CarePlan06b88c6933a34c7c83cb18b7dd6ae3d8.ndjson"

+ }

+ ]

+}

+```

+## Next steps

+In this article, you've learned about how the Bulk import feature enables importing FHIR data to the FHIR server at high throughput using the $import operation. For more information about converting data to FHIR, exporting settings to set up a storage account, and moving data to Azure Synapse, see

+>[!div class="nextstepaction"]

+>[Converting your data to FHIR](convert-data.md)

+>[!div class="nextstepaction"]

+>[Configure export settings and set up a storage account](configure-export-data.md)

+>[!div class="nextstepaction"]

+>[Copy data from Azure API for FHIR to Azure Synapse Analytics](copy-to-synapse.md)

+> You can create datastores with credential-based authentication for accessing storage services, like a service principal or shared access signature (SAS) token. These credentials can be accessed by users who have *Reader* access to the workspace. <br><br>If this is a concern, [create a datastore that uses identity-based data access](how-to-identity-based-data-access.md) to connect to storage services.

+You can use the overrides section in component job to change the resource and distribution settings. See [this example using TensorFlow](https://github.com/Azure/azureml-examples/tree/main/cli/jobs/pipelines-with-components/basics/6a_tf_hello_world) or [this example using PyTorch](https://github.com/Azure/azureml-examples/tree/main/cli/jobs/pipelines-with-components/basics/6b_pytorch_hello_world).

+ * Be sure to follow the steps in "Connect using the OpenShift CLI" with the `kubeadmin` credentials.

+### Create an OpenShift namespace for the Java app

+Follow the instructions below to create an OpenShift namespace for use with your app.

+1. Make sure you have signed in to the OpenShift web console from your browser using the `kubeadmin` credentials.

+2. Navigate to **Administration** > **Namespaces** > **Create Namespace**.

+3. Fill in `open-liberty-demo` for **Name** and select **Create**, as shown next.

+ 

+export DB_USER=<Server admin username>@<Server name>

+Since you have already successfully run the app in the Liberty Docker container, you're going to build the image remotely on the cluster by executing the following commands.

+1. Make sure you have already signed in to the OpenShift CLI using the `kubeadmin` credentials.

+When you're satisfied with the state of the application, you're going to build the image remotely on the cluster by executing the following commands.

+1. Make sure you have already signed in to the OpenShift CLI using the `kubeadmin` credentials.

+1. Sign in to the OpenShift web console from your browser using the `kubeadmin` credentials.

+1. Make sure you have already signed in to the OpenShift CLI using the `kubeadmin` credentials.

+1. Sign in to the OpenShift web console from your browser using the `kubeadmin` credentials.

+1. Make sure you have already signed in to the OpenShift CLI using the `kubeadmin` credentials.

+1. Change directory to `2-simple` of your local clone, and run the following commands to deploy your Liberty application to the ARO 4 cluster. Command output is also shown inline.

+1. Check to see `1/1` under the `READY` column before you continue. If not, investigate and resolve the problem before continuing.

+1. Discover the host of route to the application with the `oc get route` command, as shown here.

+[Policies](concept-data-owner-policies.md) allow you to enable access to data sources that have been registered for *Data use governance* in Azure Purview.

+You can also [register an entire resource group or subscription](register-scan-azure-multiple-sources.md), and create a single policy that will manage access to **all** data sources in that resource group or subscription. That single policy will cover all existing data sources and any data sources that are created afterwards.

+This article describes how this is done.

+> Currently, these are the available data sources for access policies in Public Preview:

+[Policies](concept-data-owner-policies.md) allow you to enable access to data sources that have been registered for *Data use governance* in Azure Purview.

+This article describes how a data owner can delegate in Azure Purview management of access to Azure Storage datasets. Currently, these two Azure Storage sources are supported:

+The Azure Storage resources need to be registered first with Azure Purview to later define access policies.

+After you've registered your resources, you'll need to enable *Data use governance*. Data use governance can affect the security of your data, as it allows certain Azure Purview roles to manage access to data sources that have been registered. Secure practices related to *Data use governance* are described in this guide:

+The expected outcome is that your data source will have the **Data use governance** toggle **Enabled**, as shown in the picture:

+- Policy statements set below container level on a Storage account are supported. If no access has been provided at Storage account level or container level, then the App that requests the data must execute a direct access by providing a fully qualified name to the data object. If the App attempts to crawl down the hierarchy starting from the Storage account or Container (like Storage Explorer does), and there's no access at that level, the request will fail. The following documents show examples of how to perform a direct access. See also the blogs in the *Next steps* section of this how-to-guide.

+**Known issues** related to Policy creation

+- Do not create policy statements based on Azure Purview resource sets. Even if displayed in Azure Purview policy authoring UI, they are not yet enforced. Learn more about [resource sets](concept-resource-sets.md).

+Playbooks using [either version of Logic Apps (Standard or Consumption)](automate-responses-with-playbooks.md#two-types-of-logic-apps) will be available to run from automation rules.

+#### Two types of Logic Apps

+Microsoft Sentinel now supports two Logic Apps resource types:

+- **Logic App (Consumption)**, based on the classic, original Logic Apps engine, and

+- **Logic App (Standard)**, based on the new Logic Apps engine.

+**Logic Apps Standard** features a single-tenant, containerized environment that provides higher performance, fixed pricing, single apps containing multiple workflows, easier API connections management, native network capabilities such as virtual networking (VNet) and private endpoints support, built-in CI/CD features, better Visual Studio integration, a new version of the Logic Apps Designer, and more.

+You can leverage this powerful new version of Logic Apps by creating new Standard playbooks in Microsoft Sentinel, and you can use them the same ways you use the classic Logic App Consumption playbooks:

+- Attach them to automation rules and/or analytics rules.

+- Run them on demand, from both incidents and alerts.

+- Manage them in the Active Playbooks tab.

+There are many differences between these two resource types, some of which affect some of the ways they can be used in playbooks in Microsoft Sentinel. In such cases, the documentation will point out what you need to know.

+See [Resource type and host environment differences](../logic-apps/logic-apps-overview.md#resource-type-and-host-environment-differences) in the Logic Apps documentation for a detailed summary of the two resource types.

+> [!IMPORTANT]

+> - While the **Logic App (Standard)** resource type is generally available, Microsoft Sentinel's support for this resource type is in **Preview**.

+> [!NOTE]

+> - You'll notice an indicator in Standard workflows that presents as either *stateful* or *stateless*. Microsoft Sentinel does not support stateless workflows at this time. Learn about the differences between [**stateful and stateless workflows**](../logic-apps/single-tenant-overview-compare.md#stateful-and-stateless-workflows).

+> - Logic Apps Standard does not currently support Playbook templates. This means that you can't create a Standard workflow from within Microsoft Sentinel. Rather, you must create it in Logic Apps, and once it's created, you'll see it in Microsoft Sentinel.

+They are designed to be run automatically, and ideally that is how they should be run in the normal course of operations. You [run a playbook automatically](tutorial-respond-threats-playbook.md#automate-threat-responses) by defining it as an [automated response in an analytics rule](detect-threats-custom.md#set-automated-responses-and-create-the-rule) (for alerts), or as an [action in an automation rule](automate-incident-handling-with-automation-rules.md) (for incidents).

+There are circumstances, though, that call for running playbooks manually. For example, when creating a new playbook, you'll want to test it before putting it in production. Or, there may be situations where you'll want to have more control and human input into when and whether a certain playbook runs. You [run a playbook manually](tutorial-respond-threats-playbook.md#run-a-playbook-on-demand) by opening an incident or alert and selecting and running the associated playbook displayed there. Currently this feature is generally available for alerts, and in preview for incidents.

+For playbooks that are triggered by alert creation and receive alerts as their inputs (their first step is ΓÇ£Microsoft Sentinel alert"), attach the playbook to an analytics rule:

+For playbooks that are triggered by incident creation and receive incidents as their inputs (their first step is ΓÇ£Microsoft Sentinel incident"), create an automation rule and define a **Run playbook** action in it. This can be done in 2 ways:

+- Edit the analytics rule that generates the incident you want to define an automated response for. Under **Incident automation** in the **Automated response** tab, create an automation rule. This will create an automated response only for this analytics rule.

+In the **Active playbooks** tab, there appears a list of all the playbooks which you have access to, filtered by the subscriptions which are currently displayed in Azure. The subscriptions filter is available from the **Directory + subscription** menu in the global page header.

+The **Plan** column indicates whether the playbook uses the **Standard** or **Consumption** resource type in Azure Logic Apps. You can filter the list by plan type to see only one type of playbook. You'll notice that playbooks of the Standard type use the `LogicApp/Workflow` naming convention. This convention reflects the fact that a Standard playbook represents a workflow that exists *alongside other workflows* in a single Logic App.

+ - [Block an Azure AD user](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Block-AADUser)

+ - [Reset an Azure AD user password](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Reset-AADUserPassword/)

+1. Use the [aml-compute-setup.sh](https://github.com/Azure/Azure-Sentinel-Notebooks/blob/master/tutorials-and-examples/how-tos/aml-compute-setup.sh) script, located in the Microsoft Sentinel Notebooks GitHub repository, to automatically install the `pygobject` in all notebooks and Anaconda environments on the Compute instance.

+ - The [`Sample-Notebooks`](https://github.com/Azure/Azure-Sentinel-Notebooks/tree/master/tutorials-and-examples/example-notebooks) directory includes sample notebooks that are saved with data that you can use to show intended output.

+ - The [`HowTos`](https://github.com/Azure/Azure-Sentinel-Notebooks/tree/master/tutorials-and-examples/how-tos) directory includes notebooks that describe concepts such as setting your default Python version, creating Microsoft Sentinel bookmarks from a notebook, and more.

+- [Jupyter, msticpy, and Microsoft Sentinel](https://msticpy.readthedocs.io/en/latest/getting_started/JupyterAndAzureSentinel.html)

+1. From the top menu, select **Create**.

+1. The drop-down menu that appears under **Create** gives you three choices for creating playbooks:

+ 1. If you're creating a **Standard** playbook (the new kind - see [Two types of Logic Apps](automate-responses-with-playbooks.md#two-types-of-logic-apps)), select **Blank playbook** and then follow the steps in the **Logic Apps Standard** tab below.

+ 1. If you're creating a **Consumption** playbook (the original, classic kind), then, depending on which trigger you want to use, select either **Playbook with incident trigger** or **Playbook with alert trigger**. Then, continue following the steps in the **Logic Apps Consumption** tab below.

+ > [!NOTE]

+ > Remember that only playbooks based on the **incident trigger** can be called by automation rules. Playbooks based on the **alert trigger** must be defined to run directly in [analytics rules](detect-threats-custom.md#set-automated-responses-and-create-the-rule). Both types can also be run manually.

+ >

+ > For more about which trigger to use, see [**Use triggers and actions in Microsoft Sentinel playbooks**](playbook-triggers-actions.md)

+# [Logic Apps Consumption](#tab/LAC)

+### Prepare the playbook and Logic App

+Regardless of which trigger you chose to create your playbook with in the previous step, the **Create playbook** wizard will appear.

+ :::image type="content" source="./media/tutorial-respond-threats-playbook/create-playbook-LAC.png" alt-text="Create a logic app":::

+1. In the **Basics** tab:

+ 1. Select the **Subscription**, **Resource group**, and **Region** of your choosing from their respective drop-down lists. The chosen region is where your Logic App information will be stored.

+ 1. Enter a name for your playbook under **Playbook name**.

+ 1. If you want to monitor this playbook's activity for diagnostic purposes, mark the **Enable diagnostics logs in Log Analytics** check box, and choose your **Log Analytics workspace** from the drop-down list.

+ 1. If your playbooks need access to protected resources that are inside or connected to an Azure virtual network, [you may need to use an integration service environment (ISE)](../logic-apps/connect-virtual-network-vnet-isolated-environment-overview.md). If so, mark the **Associate with integration service environment** check box, and select the desired ISE from the drop-down list.

+ 1. Select **Next : Connections >**.

+1. In the **Connections** tab:

+ Ideally you should leave this section as is, configuring Logic Apps to connect to Microsoft Sentinel with managed identity. [Learn about this and other authentication alternatives](authenticate-playbooks-to-sentinel.md).

+ Select **Next : Review and create >**.

+1. In the **Review and create** tab:

+ Review the configuration choices you have made, and select **Create and continue to designer**.

+1. Your playbook will take a few minutes to be created and deployed, after which you will see the message "Your deployment is complete" and you will be taken to your new playbook's [Logic App Designer](../logic-apps/logic-apps-overview.md). The trigger you chose at the beginning will have automatically been added as the first step, and you can continue designing the workflow from there.

+ :::image type="content" source="media/tutorial-respond-threats-playbook/logic-app-blank-LAC.png" alt-text="Screenshot of logic app designer screen with opening trigger." lightbox="media/tutorial-respond-threats-playbook/logic-app-blank-LAC.png":::

+# [Logic Apps Standard](#tab/LAS)

+### Prepare the Logic App and workflow

+There are three steps to getting started creating a Logic Apps Standard playbook:

+1. [Create a Logic App](#create-a-logic-app).

+1. [Create a workflow](#create-a-workflow-playbook) (this is the actual playbook).

+1. [Choose the trigger](#choose-the-trigger).

+#### Create a Logic App

+Since you selected **Blank playbook**, a new browser tab will open and take you to the **Create Logic App** wizard.

+ :::image type="content" source="./media/tutorial-respond-threats-playbook/create-logic-app-basics.png" alt-text="Create a Standard logic app.":::

+1. In the **Basics** tab:

+ 1. Select the **Subscription** and **Resource Group** of your choosing from their respective drop-down lists.

+ 1. Enter a name for your Logic App. For **Publish**, choose **Workflow**. Select the **Region** where you wish to deploy the logic app.

+ 1. For **Plan type**, choose **Standard**.

+ 1. Select **Next : Hosting >**.

+1. In the **Hosting** tab:

+ 1. For **Storage type**, choose **Azure Storage**, and choose or create a **Storage account**.

+ 1. Choose a **Windows Plan**.

+1. Select **Next : Monitoring >**.

+1. In the **Monitoring** tab:

+ 1. If you want to enable performance monitoring in Azure Monitor for this application, leave the toggle on Yes. Otherwise, toggle it to No.

+

+ > [!NOTE]

+ > This monitoring is **not required for Microsoft Sentinel** and **will cost you extra**.

+ 1. If you want you can select **Next : Tags >** to apply tags to this Logic App for resource categorization and billing purposes. Otherwise, select **Review + create**.

+1. In the **Review + create** tab:

+ Review the configuration choices you have made, and select **Create**.

+1. Your playbook will take a few minutes to be created and deployed, during which you will see some deployment messages. At the end of the process you will be taken to the final deployment screen where you'll see the message "Your deployment is complete".

+ Select **Go to resource**. You will be taken to the main page of your new Logic App.

+ Unlike with classic Consumption playbooks, you're not done yet. Now you must create a workflow.

+#### Create a workflow (playbook)

+1. Select **Workflows** from the navigation menu of your Logic App page.

+1. Select **+ Add** from the button bar at the top (it might take a few seconds for the button to be active).

+1. The **New workflow** panel will appear. Enter a name for your workflow.

+1. Under **State type**, select **Stateful**.

+ > [!NOTE]

+ > Microsoft Sentinel does not currently support the use of *Stateless* workflows as playbooks.

+1. Select **Create**. Your workflow will be saved and will appear in the list of workflows in your Logic App. Select the workflow to proceed.

+1. You'll enter your workflow's page. Here you can see all the information about your workflow, including a record of all the times it will have run. From the navigation menu, select **Designer**.

+1. The Designer screen will open and you will immediately be prompted to add a trigger and continue designing the workflow.

+ :::image type="content" source="media/tutorial-respond-threats-playbook/logic-app-standard-designer.png" alt-text="Screenshot of Logic App Standard designer." lightbox="media/tutorial-respond-threats-playbook/logic-app-standard-designer.png":::

+#### Choose the trigger

+1. Select the **Azure** tab and enter "Sentinel" in the Search line.

+1. In the **Triggers** tab below, you will see the two triggers offered by Microsoft Sentinel:

+ - Microsoft Sentinel alert (preview)

+ - Microsoft Sentinel incident (preview)

+ Select the trigger that matches the type of playbook you are creating.

+ > Remember that only playbooks based on the **incident trigger** can be called by automation rules. Playbooks based on the **alert trigger** must be defined to run directly in [analytics rules](detect-threats-custom.md#set-automated-responses-and-create-the-rule). Both types can also be run manually.

+ :::image type="content" source="./media/tutorial-respond-threats-playbook/sentinel-triggers.png" alt-text="Choose a trigger for your playbook":::

+1. In the **Analytics rule wizard - Edit existing scheduled rule** page, select the **Automated response** tab.

+1. In the **Review and update** tab, select **Save**.

+ :::image type="content" source="media/use-playbook-templates/view-api-connections.png" alt-text="Screenshot showing how to view A P I connections.":::

+

+> [!NOTE]

+> You can query data up to 1 year using the QueryStartTime parameter of [Events](https://docs.microsoft.com/rest/api/resourcehealth/events/list-by-subscription-id) REST API.

+

+You can access up to 30 days of history in the **Health history** section of Resource Health from Azure Portal.

+- [Azure CLI version 2.30.0 or higher](/cli/azure/install-azure-cli).

+- [!INCLUDE [install-app-user-identity-extension](includes/install-app-user-identity-extension.md)]

+- [Azure CLI version 2.30.0 or higher](/cli/azure/install-azure-cli).

+- [!INCLUDE [install-app-user-identity-extension](includes/install-app-user-identity-extension.md)]

+### [Portal](#tab/azure-portal)

+### [Azure CLI](#tab/azure-cli)

+### Enable system-assigned managed identity during creation of an app

+ --system-assigned

+### Enable system-assigned managed identity on an existing app**

+ --service <service-instance-name> \

+ --system-assigned

+### [Portal](#tab/azure-portal)

+### [Azure CLI](#tab/azure-cli)

+ --service <service-instance-name> \

+ --system-assigned

+```

+## Get the client ID from the object ID (principal ID)

+Use the following command to get the client ID from the object/principle ID value:

+```azurecli

+az ad sp show --id <object-ID> --query appId

+- [Learn more about managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md)

+- [How to use managed identities with Java SDK](https://github.com/Azure-Samples/Azure-Spring-Cloud-Samples)

+ Title: Managed identities for applications in Azure Spring Cloud

+description: Home page for managed identities for applications.

+zone_pivot_groups: spring-cloud-tier-selection

+# Use managed identities for applications in Azure Spring Cloud

+**This article applies to:** ✔️ Basic/Standard tier ✔️ Enterprise tier

+This article shows you how to use system-assigned and user-assigned managed identities for applications in Azure Spring Cloud.

+Managed identities for Azure resources provide an automatically managed identity in Azure Active Directory (Azure AD) to an Azure resource such as your application in Azure Spring Cloud. You can use this identity to authenticate to any service that supports Azure AD authentication, without having credentials in your code.

+## Feature status

+| System-assigned | User-assigned |

+| - | - |

+| GA | Preview |

+## Manage managed identity for an application

+For system-assigned managed identities, see [How to enable and disable system-assigned managed identity](./how-to-enable-system-assigned-managed-identity.md).

+For user-assigned managed identities, see [How to assign and remove user-assigned managed identities](./how-to-manage-user-assigned-managed-identities.md).

+## Obtain tokens for Azure resources

+An application can use its managed identity to get tokens to access other resources protected by Azure AD, such as Azure Key Vault. These tokens represent the application accessing the resource, not any specific user of the application.

+You may need to configure the target resource to allow access from your application. For more information, see [Assign a managed identity access to a resource by using the Azure portal](../active-directory/managed-identities-azure-resources/howto-assign-access-portal.md). For example, if you request a token to access Key Vault, be sure you have added an access policy that includes your application's identity. Otherwise, your calls to Key Vault will be rejected, even if they include the token. To learn more about which resources support Azure Active Directory tokens, see [Azure services that support Azure AD authentication](../active-directory/managed-identities-azure-resources/services-azure-active-directory-support.md).

+Azure Spring Cloud shares the same endpoint for token acquisition with Azure Virtual Machines. We recommend using Java SDK or Spring Boot starters to acquire a token. For various code and script examples and guidance on important topics such as handling token expiration and HTTP errors, see [How to use managed identities for Azure resources on an Azure VM to acquire an access token](../active-directory/managed-identities-azure-resources/how-to-use-vm-token.md).

+## Examples of connecting Azure services in application code

+The following table provides links to articles that contain examples:

+| Azure service | tutorial |

+|--||

+| Key Vault | [Tutorial: Use a managed identity to connect Key Vault to an Azure Spring Cloud app](tutorial-managed-identities-key-vault.md) |

+| Azure Functions | [Tutorial: Use a managed identity to invoke Azure Functions from an Azure Spring Cloud app](tutorial-managed-identities-functions.md) |

+| Azure SQL | [Use a managed identity to connect Azure SQL Database to an Azure Spring Cloud app](connect-managed-identity-to-azure-sql.md) |

+## Best practices when using managed identities

+We highly recommend that you use system-assigned and user-assigned managed identities separately unless you have a valid use case. If you use both kinds of managed identity together, failure might happen if an application is using system-assigned managed identity and the application gets the token without specifying the client ID of that identity. This scenario may work fine until one or more user-assigned managed identities are assigned to that application, then the application may fail to get the correct token.

+## Limitations

+### Maximum number of user-assigned managed identities per application

+For the maximum number of user-assigned managed identities per application, see [Quotas and Service Plans for Azure Spring Cloud](./quotas.md).

+### Azure services that aren't supported

+The following services do not currently support managed identity-based access:

+- Azure Redis Cache

+- Azure Flexible MySQL

+- Azure Flexible PostgreSQL

+- Azure Database for MariaDB

+- Azure Cosmos DB - Mongo DB

+- Azure Cosmos DB - Cassandra

+- Azure Databricks

+## Concept mapping

+The following table shows the mappings between concepts in Managed Identity scope and Azure AD scope:

+| Managed Identity scope | Azure AD scope |

+||-|

+| Principal ID | Object ID |

+| Client ID | Application ID |

+## Next steps

+- [Access Azure Key Vault with managed identities in Spring boot starter](https://github.com/Azure/azure-sdk-for-jav#use-msi--managed-identities)

+- [Learn more about managed identities for Azure resources](https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/active-directory/managed-identities-azure-resources/overview.md)

+- [How to use managed identities with Java SDK](https://github.com/Azure-Samples/Azure-Spring-Cloud-Samples)

+# Quotas and service plans for Azure Spring Cloud

+All Azure services set default limits and quotas for resources and features. Azure Spring Cloud offers two pricing tiers: Basic and Standard. We will detail limits for both tiers in this article.

+| Resource | Scope | Basic | Standard/Enterprise |

+|--|--|--|-|

+| vCPU | per app instance | 1 | 4 |

+| Memory | per app instance | 2 GB | 8 GB |

+| Azure Spring Cloud service instances | per region per subscription | 10 | 10 |

+| Total app instances | per Azure Spring Cloud service instance | 25 | 500 |

+| Custom Domains | per Azure Spring Cloud service instance | 0 | 25 |

+| Persistent volumes | per Azure Spring Cloud service instance | 1 GB/app x 10 apps | 50 GB/app x 10 apps |

+| Inbound Public Endpoints | per Azure Spring Cloud service instance | 10 ¹ | 10 ¹ |

+| User-assigned managed identities | per app instance | 20 | 20 |

+The following error message might appear in your logs: `org.springframework.context.ApplicationContextException: Unable to start web server`

+When you're debugging application crashes, start by checking the running status and discovery status of the application. To do so, go to *App management* in the Azure portal to ensure that the statuses of all the applications are *Running* and *UP*.

+* If the status is *Running* but the discovery status is not *UP*, go to the ["My application can't be registered"](#my-application-cant-be-registered) section.

+* If the discovery status is *UP*, go to Metrics to check the application's health. Inspect the following metrics:

+ * `TomcatErrorCount` (*tomcat.global.error*):

+ All Spring application exceptions are counted here. If this number is large, go to Azure Log Analytics to inspect your application logs.

+ * `AppMemoryMax` (*jvm.memory.max*):

+ The maximum amount of memory available to the application. The amount might be undefined, or it might change over time if it is defined. If it's defined, the amount of used and committed memory is always less than or equal to max. However, a memory allocation might fail with an `OutOfMemoryError` message if the allocation attempts to increase the used memory such that *used > committed*, even if *used <= max* is still true. In such a situation, try to increase the maximum heap size by using the `-Xmx` parameter.

+ * `AppMemoryUsed` (*jvm.memory.used*):

+ The amount of memory in bytes that's currently used by the application. For a normal load Java application, this metric series forms a *sawtooth* pattern, where the memory usage steadily increases and decreases in small increments and suddenly drops a lot, and then the pattern recurs. This metric series occurs because of garbage collection inside Java virtual machine, where collection actions represent drops on the sawtooth pattern.

+* We recommended that you disable or remove the embedded *Config Server* and *Spring Service Registry* services from the application package.

+* If any Azure resources are to be bound via *Service Binding*, make sure the target resources are up and running.

+```azurecli

+az spring-cloud app show-deploy-log --name <app-name>

+```

+Ensure that your application is packaged in the correct [executable JAR format](https://docs.spring.io/spring-boot/docs/current/reference/html/executable-jar.html). If it isn't packaged correctly, you will receive an error message similar to the following: `Error: Invalid or corrupt jarfile /jar/38bc8ea1-a6bb-4736-8e93-e8f3b52c8714`

+```azurecli

+az spring-cloud app show-deploy-log --name <app-name>

+```

+If you're migrating an existing Spring Cloud-based solution to Azure, ensure that your ad-hoc *Service Registry* and *Config Server* instances are removed (or disabled) to avoid conflicting with the managed instances provided by Azure Spring Cloud.

+You can also check the *Service Registry* client logs in Azure Log Analytics. For more information, see [Analyze logs and metrics with diagnostics settings](diagnostic-services.md)

+ * A response similar to `{"status":"UP"}` indicates that the endpoint has been enabled.

+ * If the response is negative, include the following dependency in your *POM.xml* file:

+ ```xml

+ <dependency>

+ <groupId>org.springframework.boot</groupId>

+ <artifactId>spring-boot-starter-actuator</artifactId>

+ </dependency>

+ ```

+ ```json

+ {

+ "activeProfiles": [],

+ "propertySources": {,

+ "name": "server.ports",

+ "properties": {

+ "local.server.port": {

+ "value": 1025

+ }

+ }

+ }

+ }

+ ```

+Go to **App management** to ensure that the application statuses are *Running* and *UP*.

+Check to see whether *JMX* is enabled in your application package. This feature can be enabled with the configuration property `spring.jmx.enabled=true`.

+## Enterprise tier

+* **"Failed to purchase on Azure Marketplace because the Microsoft.SaaS RP is not registered on the Azure subscription."** : Azure Spring Cloud Enterprise tier purchase a SaaS offer from VMware.

+* **"Failed to load catalog product vmware-inc.azure-spring-cloud-vmware-tanzu-2 in the Azure subscription market."**: Your Azure subscription's billing account address is not in the supported location.

+* **"Failed to purchase on Azure Marketplace due to signature verification on Marketplace legal agreement. Check the Azure subscription has agree terms vmware-inc.azure-spring-cloud-vmware-tanzu-2.tanzu-asc-ent-mtr"**: Your Azure subscription has not signed the terms for the offer and plan to be purchased.

+ az term accept \

+ --publisher vmware-inc \

+ --product azure-spring-cloud-vmware-tanzu-2 \

+ --plan tanzu-asc-ent-mtr

+ * `AZURE_TENANT_ID`: the Azure tenant ID that hosts the Azure subscription

+ * `AZURE_SUBSCRIPTION_ID`: the Azure subscription ID used to create the Spring Cloud instance

+ * `SPRING_CLOUD_NAME`: the failed instance name

+ * `ERROR_MESSAGE`: the observed error message

+### I need VMware Spring Runtime Support (Enterprise tier only)

+az keyvault create \

+ --resource-group <your-resource-group-name> \

+ --name "<your-keyvault-name>"

+az keyvault secret set \

+ --vault-name "<your-keyvault-name>" \

+az spring-cloud create \

+ --resource-group <your-resource-group-name> \

+ --name <your-Azure-Spring-Cloud-instance-name>

+### [System-assigned managed identity](#tab/system-assigned-managed-identity)

+The following example creates an app named `springapp` with a system-assigned managed identity, as requested by the `--system-assigned` parameter.

+az spring-cloud app create \

+ --resource-group <your-resource-group-name> \

+ --name "springapp" \

+ --service <your-Azure-Spring-Cloud-instance-name> \

+ --assign-endpoint true \

+ --system-assigned

+### [User-assigned managed identity](#tab/user-assigned-managed-identity)

+First, create a user-assigned managed identity in advance with its resource ID set to `$USER_IDENTITY_RESOURCE_ID`.

+```azurecli

+export SERVICE_IDENTITY={principal ID of user-assigned managed identity}

+export USER_IDENTITY_RESOURCE_ID={resource ID of user-assigned managed identity}

+export USER_IDENTITY_CLIENT_ID={client ID of user-assigned managed identity}

+```

+The following example creates an app named `springapp` with a user-assigned managed identity, as requested by the `--user-assigned` parameter.

+```azurecli

+az spring-cloud app create \

+ --resource-group <your-resource-group-name> \

+ --name "springapp" \

+ --service <your-Azure-Spring-Cloud-instance-name> \

+ --assign-endpoint true \

+ --user-assigned $USER_IDENTITY_RESOURCE_ID

+az spring-cloud app show \

+ --resource-group <your-resource-group-name> \

+ --name "springapp" \

+ --service <your-Azure-Spring-Cloud-instance-name>

+```

+Make a note of the returned URL, which will be in the format `https://<your-app-name>.azuremicroservices.io`. This URL will be used in the following step.

+Use the following command to grant proper access in Key Vault for your app:

+az keyvault set-policy \

+ --name "<your-keyvault-name>" \

+ --object-id ${SERVICE_IDENTITY} \

+ --secret-permissions set get list

+> For system-assigned managed identity case, use `az keyvault delete-policy --name "<your-keyvault-name>" --object-id ${SERVICE_IDENTITY}` to remove the access for your app after system-assigned managed identity is disabled.

+1. Use the following command to generate a sample project from `start.spring.io` with Azure Key Vault Spring Starter.

+ ```azurecli

+ curl https://start.spring.io/starter.tgz -d dependencies=web,azure-keyvault-secrets -d baseDir=springapp -d bootVersion=2.3.1.RELEASE -d javaVersion=1.8 | tar -xzvf -

+ ```

+1. Specify your Key Vault in your app.

+ ```azurecli

+ cd springapp

+ vim src/main/resources/application.properties

+ ```

+1. To use managed identity for Azure Spring Cloud apps, add properties with the following content to the *src/main/resources/application.properties* file.

+### [System-assigned managed identity](#tab/system-assigned-managed-identity)

+```properties

+azure.keyvault.enabled=true

+azure.keyvault.uri=https://<your-keyvault-name>.vault.azure.net

+```

+### [User-assigned managed identity](#tab/user-assigned-managed-identity)

+```properties

+azure.keyvault.enabled=true

+azure.keyvault.uri=https://<your-keyvault-name>.vault.azure.net

+azure.keyvault.client-id={Client ID of user-assigned managed identity}

+```

+ > [!NOTE]

+ > You must add the key vault URL in the *application.properties* file as shown above. Otherwise, the key vault URL may not be captured during runtime.

+1. Add the following code example to *src/main/java/com/example/demo/DemoApplication.java*. This code retrieves the connection string from the key vault.

+ ```Java

+ package com.example.demo;

+ import org.springframework.boot.SpringApplication;

+ import org.springframework.boot.autoconfigure.SpringBootApplication;

+ import org.springframework.beans.factory.annotation.Value;

+ import org.springframework.boot.CommandLineRunner;

+ import org.springframework.web.bind.annotation.GetMapping;

+ import org.springframework.web.bind.annotation.RestController;

+ @SpringBootApplication

+ @RestController

+ public class DemoApplication implements CommandLineRunner {

+ @Value("${connectionString}")

+ private String connectionString;

+ public static void main(String[] args) {

+ SpringApplication.run(DemoApplication.class, args);

+ }

+ @GetMapping("get")

+ public String get() {

+ return connectionString;

+ }

+ public void run(String... varl) throws Exception {

+ System.out.println(String.format("\nConnection String stored in Azure Key Vault:\n%s\n",connectionString));

+ }

+ }

+ ```

+ If you open the *pom.xml* file, you'll see the dependency of `azure-keyvault-secrets-spring-boot-starter`. Add this dependency to your project in your *pom.xml* file.

+ ```xml

+ <dependency>

+ <groupId>com.microsoft.azure</groupId>

+ <artifactId>azure-keyvault-secrets-spring-boot-starter</artifactId>

+ </dependency>

+ ```

+1. Use the following command to package your sample app.

+ ```azurecli

+ mvn clean package

+ ```

+1. Now you can deploy your app to Azure with the following command:

+ ```azurecli

+ az spring-cloud app deploy \

+ --resource-group <your-resource-group-name> \

+ --name "springapp" \

+ --service <your-Azure-Spring-Cloud-instance-name> \

+ --jar-path target/demo-0.0.1-SNAPSHOT.jar

+ ```

+1. To test your app, access the public endpoint or test endpoint by using the following command:

+ ```azurecli

+ curl https://myspringcloud-springapp.azuremicroservices.io/get

+ ```

+ You'll see the message `Successfully got the value of secret connectionString from Key Vault https://<your-keyvault-name>.vault.azure.net/: jdbc:sqlserver://SERVER.database.windows.net:1433;database=DATABASE;`.

+## Build the sample Spring Boot app with Java SDK

+This sample can set and get secrets from Azure Key Vault. The [Azure Key Vault Secret client library for Java](/java/api/overview/azure/security-keyvault-secrets-readme) provides Azure Active Directory token authentication support across the Azure SDK. The library provides a set of `TokenCredential` implementations that you can use to construct Azure SDK clients to support Azure AD token authentication.

+The Azure Key Vault Secret client library enables you to securely store and control the access to tokens, passwords, API keys, and other secrets. The library offers operations to create, retrieve, update, delete, purge, back up, restore, and list the secrets and its versions.

+To build the sample, use the following steps:

+1. Clone the sample project.

+ ```azurecli

+ git clone https://github.com/Azure-Samples/Azure-Spring-Cloud-Samples.git

+ ```

+1. Specify your key vault in your app.

+ ```azurecli

+ cd Azure-Spring-Cloud-Samples/managed-identity-keyvault

+ vim src/main/resources/application.properties

+ ```

+ To use managed identity for Azure Spring Cloud apps, add properties with the following content to *src/main/resources/application.properties*.

+ ```properties

+ azure.keyvault.enabled=true

+ azure.keyvault.uri=https://<your-keyvault-name>.vault.azure.net

+ ```

+1. Include [ManagedIdentityCredentialBuilder](/java/api/com.azure.identity.managedidentitycredentialbuilder) to get a token from Azure Active Directory and [SecretClientBuilder](/java/api/com.azure.security.keyvault.secrets.secretclientbuilder) to set or get secrets from Key Vault in your code.

+ Get the example from the [MainController.java](https://github.com/Azure-Samples/Azure-Spring-Cloud-Samples/blob/master/managed-identity-keyvault/src/main/java/com/microsoft/azure/MainController.java#L28) file of the cloned sample project.

+ Include `azure-identity` and `azure-security-keyvault-secrets` as a dependency in your *pom.xml* file. Get the example from the [pom.xml](https://github.com/Azure-Samples/Azure-Spring-Cloud-Samples/blob/master/managed-identity-keyvault/pom.xml#L21) file of the cloned sample project.

+1. Use the following command to package your sample app.

+ ```azurecli

+ mvn clean package

+ ```

+1. Now deploy the app to Azure with the following command:

+ ```azurecli

+ az spring-cloud app deploy \

+ --resource-group <your-resource-group-name> \

+ --name "springapp" \

+ --service <your-Azure-Spring-Cloud-instance-name> \

+ --jar-path target/asc-managed-identity-keyvault-sample-0.1.0.jar

+ ```

+1. Access the public endpoint or test endpoint to test your app.

+ First, get the value of your secret that you set in Azure Key Vault.

+ ```azurecli

+ curl https://myspringcloud-springapp.azuremicroservices.io/secrets/connectionString

+ ```

+ You'll see the message `Successfully got the value of secret connectionString from Key Vault https://<your-keyvault-name>.vault.azure.net/: jdbc:sqlserver://SERVER.database.windows.net:1433;database=DATABASE;`.

+ Now create a secret and then retrieve it using the Java SDK.

+ ```azurecli

+ curl -X PUT https://myspringcloud-springapp.azuremicroservices.io/secrets/test?value=success

+ curl https://myspringcloud-springapp.azuremicroservices.io/secrets/test

+ ```

+ You'll see the message `Successfully got the value of secret test from Key Vault https://<your-keyvault-name>.vault.azure.net: success`.

+Copying a blob from the Archive tier can take hours to complete depending on the rehydration priority selected. Behind the scenes, a blob copy operation reads your archived source blob to create a new online blob in the selected destination tier. The new blob may be visible when you list the blobs in the parent container before the rehydration operation is complete, but its tier will be set to Archive. The data is not available until the read operation from the source blob in the Archive tier is complete and the blob's contents have been written to the new destination blob in an online tier. The new blob is an independent copy, so modifying or deleting it does not affect the source blob in the Archive tier.

+Rehydrating an archived blob by copying it to an online destination tier is supported within the same storage account only for service versions prior to 2021-02-12. Beginning with service version 2021-02-12, you can rehydrate an archived blob by copying it to a different storage account, as long as the destination account is in the same region as the source account. Rehydration across storage accounts enables you to segregate your production data from your backup data, by maintaining them in separate accounts. Isolating archived data in a separate account can also help to mitigate costs from unintentional rehydration.

+The target blob for the copy operation must be in an online tier (Hot or Cool). You cannot copy an archived blob to a destination blob that is also in the Archive tier.

+| **Hot tier destination** | Supported | Supported | Supported across accounts in the same region with version 2021-02-12 and later. Supported within the same storage account only for earlier versions. Requires blob rehydration. |

+| **Cool tier destination** | Supported | Supported | Supported across accounts in the same region with version 2021-02-12 and later. Supported within the same storage account only for earlier versions. Requires blob rehydration. |

+| **Archive tier destination** | Supported | Supported | Not supported |

+Copying an archived blob to an online destination tier is supported within the same storage account. Beginning with service version 2021-02-12, you can copy an archived blob to a different storage account, as long as the destination account is in the same region as the source account.

+### Rehydrate a blob to the same storage account

+The following examples show how to copy an archived blob to a blob in the Hot tier in the same storage account.

+#### [Portal](#tab/azure-portal)

+#### [PowerShell](#tab/azure-powershell)

+#### [Azure CLI](#tab/azure-cli)

+### Rehydrate a blob to a different storage account in the same region

+The following examples show how to copy an archived blob to a blob in the Hot tier in a different storage account.

+#### [Portal](#tab/azure-portal)

+N/A

+#### [PowerShell](#tab/azure-powershell)

+To copy an archived blob to a blob in an online tier in a different storage account with PowerShell, make sure you have installed the [Az.Storage](https://www.powershellgallery.com/packages/Az.Storage/) module, version 4.4.0 or higher. Next, call the [Start-AzStorageBlobCopy](/powershell/module/az.storage/start-azstorageblobcopy) command and specify the target online tier and the rehydration priority. You must specify a shared access signature (SAS) with read permissions for the archived source blob.

+The following example shows how to copy an archived blob to the Hot tier in a different storage account. Remember to replace placeholders in angle brackets with your own values:

+```powershell

+$rgName = "<resource-group>"

+$srcAccount = "<source-account>"

+$destAccount = "<dest-account>"

+$srcContainer = "<source-container>"

+$destContainer = "<dest-container>"

+$srcBlob = "<source-blob>"

+$destBlob = "<destination-blob>"

+# Get the destination account context

+$destCtx = New-AzStorageContext -StorageAccountName $destAccount -UseConnectedAccount

+# Get the source account context

+$srcCtx = New-AzStorageContext -StorageAccountName $srcAccount -UseConnectedAccount

+# Get the SAS URI for the source blob

+$srcBlobUri = New-AzStorageBlobSASToken -Container $srcContainer `

+ -Blob $srcBlob `

+ -Permission rwd `

+ -ExpiryTime (Get-Date).AddDays(1) `

+ -FullUri `

+ -Context $srcCtx

+# Start the cross-account copy operation

+Start-AzStorageBlobCopy -AbsoluteUri $srcBlobUri `

+ -DestContainer $destContainer `

+ -DestBlob $destBlob `

+ -DestContext $destCtx `

+ -StandardBlobTier Hot `

+ -RehydratePriority Standard

+```

+#### [Azure CLI](#tab/azure-cli)

+To copy an archived blob to a blob in an online tier in a different storage account with the Azure CLI, make sure you have installed version 2.35.0 or higher. Next, call the [az storage blob copy start](/cli/azure/storage/blob/copy#az-storage-blob-copy-start) command and specify the target online tier and the rehydration priority. You must specify a shared access signature (SAS) with read permissions for the archived source blob.

+The following example shows how to copy an archived blob to the Hot tier in a different storage account. Remember to replace placeholders in angle brackets with your own values:

+```azurecli

+# Specify the expiry interval

+end=`date -u -d "1 day" '+%Y-%m-%dT%H:%MZ'`

+# Get a SAS for the source blob

+srcBlobUri=$(az storage blob generate-sas \

+ --account-name <source-account> \

+ --container <source-container> \

+ --name <archived-source-blob> \

+ --permissions rwd \

+ --expiry $end \

+ --https-only \

+ --full-uri \

+ --as-user \

+ --auth-mode login | tr -d '"')

+# Copy to the destination blob in the Hot tier

+az storage blob copy start \

+ --source-uri $srcBlobUri \

+ --account-name <dest-account> \

+ --destination-container <dest-container> \

+ --destination-blob <dest-blob> \

+ --tier Hot \

+ --rehydrate-priority Standard \

+ --auth-mode login

+```

+1. Open the storage account you created in [Set up a storage account](#set-up-a-storage-account).

+1. Select **File shares**, then select the name of the file share you plan to use.

+1. Select **Access control (IAM)**.

+1. Select **Add** > **Add role assignment** to open the **Add role assignment** page.

+1. Assign the following role. For detailed steps, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md).

+ | Setting | Value |

+ | | |

+ | Role | Storage File Data SMB Share Elevated Contributor |

+ | Assign access to | User, group, or service principal |

+ | Members | \<Name of the administrator account> |

+ To assign users permissions for their FSLogix profiles, select the **Storage File Data SMB Share Contributor** role instead.

+ 

+1. Select **Access control (IAM)**.

+1. Select **Add** > **Add role assignment** to open the **Add role assignment** page.

+1. Assign the following role. For detailed steps, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md).

+ | Setting | Value |

+ | | |

+ | Role | Storage File Data SMB Share Contributor |

+ | Assign access to | User, group, or service principal |

+ | Members | \<Name or email address for the target Azure Active Directory identity> |

+ 

+The following steps describe how to assign the custom role. For detailed steps, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md).

+1. In the navigation menu of the subscription, select **Access control (IAM)**.

+1. Select **Add** > **Add role assignment** to open the **Add role assignment** page.

+1. On the **Role** tab, search for and select the role you just created.

+1. On the **Members** tab, search for and select **Windows Virtual Desktop**.

+ > [!NOTE]

+ > If you've deployed Azure Virtual Desktop (classic), both the Windows Virtual Desktop and Windows Virtual Desktop Azure Resource Manager Provider first party applications might appear. If so, assign the role to both apps.

+ >

+ 

+1. On the **Review + assign** tab, select **Review + assign** to assign the role.

+ _For Active/Acive gateways use the following to check the second public IP:_ <br>

+ `https://<YourVirtualNetworkGatewayIP2>:8083/healthprobe`