+- [Azure Data Explorer](/azure/data-explorer/security-conditional-access)

+If you do find yourself locked out, see [What to do if you are locked out of the Azure portal?](troubleshoot-conditional-access.md#what-to-do-if-youre-locked-out-of-the-azure-portal)

+> | Java </p> Spring |Azure AD Spring Boot Starter Series <br/> &#8226; [Sign in users](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4.%20Spring%20Framework%20Web%20App%20Tutorial/1-Authentication/sign-in) <br/> &#8226; [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4.%20Spring%20Framework%20Web%20App%20Tutorial/1-Authentication/sign-in-b2c) <br/> &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4.%20Spring%20Framework%20Web%20App%20Tutorial/2-Authorization-I/call-graph) <br/> &#8226; [Use App Roles for access control](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4.%20Spring%20Framework%20Web%20App%20Tutorial/3-Authorization-II/roles) <br/> &#8226; [Use Groups for access control](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4.%20Spring%20Framework%20Web%20App%20Tutorial/3-Authorization-II/groups) <br/> &#8226; [Deploy to Azure App Service](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4.%20Spring%20Framework%20Web%20App%20Tutorial/4-Deployment/deploy-to-azure-app-service) <br/> &#8226; [Protect a web API](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4.%20Spring%20Framework%20Web%20App%20Tutorial/3-Authorization-II/protect-web-api) | &#8226; MSAL Java <br/> &#8226; Azure AD Boot Starter | Authorization code |

+> | Java </p> Servlets | Spring-less Servlet Series <br/> &#8226; [Sign in users](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/3.%20Java%20Servlet%20Web%20App%20Tutorial/1-Authentication/sign-in) <br/> &#8226; [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/3.%20Java%20Servlet%20Web%20App%20Tutorial/1-Authentication/sign-in-b2c) <br/> &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/3.%20Java%20Servlet%20Web%20App%20Tutorial/2-Authorization-I/call-graph) <br/> &#8226; [Use App Roles for access control](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/3.%20Java%20Servlet%20Web%20App%20Tutorial/3-Authorization-II/roles) <br/> &#8226; [Use Security Groups for access control](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/3.%20Java%20Servlet%20Web%20App%20Tutorial/3-Authorization-II/groups) <br/> &#8226; [Deploy to Azure App Service](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/3.%20Java%20Servlet%20Web%20App%20Tutorial/4-Deployment/deploy-to-azure-app-service) | MSAL Java | Authorization code |

+> | Java | [Sign in users](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4.%20Spring%20Framework%20Web%20App%20Tutorial/3-Authorization-II/protect-web-api) | MSAL Java | On-Behalf-Of (OBO) |

+> | Java | [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/2.%20Client-Side%20Scenarios/Integrated-Windows-Auth-Flow) | MSAL Java | Integrated Windows authentication |

+> | Java | &#8226; [Call Microsoft Graph with Secret](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/1.%20Server-Side%20Scenarios/msal-client-credential-secret) <br/> &#8226; [Call Microsoft Graph with Certificate](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/1.%20Server-Side%20Scenarios/msal-client-credential-certificate)| MSAL Java | Client credentials grant|

+> | Java | [Sign in users and invoke protected API from text-only device](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/2.%20Client-Side%20Scenarios/Device-Code-Flow) | MSAL Java | Device code |

+> [!NOTE]

+> This is functionality is also available for [Azure Arc-enabled servers](../../azure-arc/servers/ssh-arc-overview.md).

+ > [!NOTE]

+ > The extension uninstall can fail if there are any Azure AD users currently logged in on the VM. Make sure all users are logged off first.

+Cause 1: The user isnΓÇÖt assigned to either of the Virtual Machine Administrator/User Login Azure RBAC roles within the scope of this VM.

+## Add the subdomain

+## Change subdomain to a root domain

+### Promote command error conditions

+> When users and groups are provisioned or de-provisioned we recommend to periodically restart provisioning to ensure that group memberships are properly updated. Doing a restart will force our service to re-evaluate all the groups and update the memberships. Please be aware that the restart can take time if you are syncing all users and groups in your tenant or have assigned large groups with 50K+ members.

+Use below command to update all secrets. Otherwise, the old secrets are not encrypted.

+```azurecli-interactive

+kubectl get secrets --all-namespaces -o json | kubectl replace -f -

+```

+* OpenAPI version 3.1 (import only)

+* Are ignored on import.

+* Aren't saved or preserved for export.

+* Are defined in the API scope.

+* Can be referenced in API operations request or response scopes.

+#### Definition restrictions

+<!-- Ref: 1851786 Query parameter handling -->

+When importing query parameters, only the default array serialization method (`style: form`, `explode: true`) is supported. For more details on query parameters in OpenAPI specifications, refer to [the serialization specification](https://swagger.io/docs/specification/serialization/).

+<!-- Ref: 1795433 Parameter limitations -->

+Parameters [defined in cookies](https://swagger.io/docs/specification/describing-parameters/#cookie-parameters) are not supported. You can still use policy to decode and validate the contents of cookies.

+<!-- Ref: 1795433 Parameter limitations -->

+["Form" type parameters](https://swagger.io/specification/v2/#parameter-object) are not supported. You can still use policy to decode and validate `application/x-www-form-urlencoded` and `application/form-data` payloads.

+### <a name="open-api-v3"> </a>OpenAPI version 3.x

+API Management supports the following specification versions:

+* [OpenAPI 3.0.3](https://swagger.io/specification/)

+* [OpenAPI 3.1.0](https://spec.openapis.org/oas/v3.1.0) (import only)

+* If multiple `servers` are specified, API Management will use the first HTTPS URL it finds.

+* If there aren't any HTTPS URLs, the server URL will be empty.

+

+* [Tutorial: Run a load test to identify performance bottlenecks in a web app](../load-testing/tutorial-identify-bottlenecks-azure-portal.md)

+|Error message |Description |Recommendation |

+|||-|

+|Migrate can only be called on an ASE in ARM VNET and this ASE is in Classic VNET. |App Service Environments in Classic VNets can't migrate using the migration feature. |Migrate using one of the [manual migration options](migration-alternatives.md). |

+|ASEv3 Migration is not yet ready. |The underlying infrastructure isn't ready to support App Service Environment v3. |Migrate using one of the [manual migration options](migration-alternatives.md) if you want to migrate immediately. Otherwise, wait for the migration feature to be available in your region. |

+|Migration cannot be called on this ASE, please contact support for help migrating. |Support will need to be engaged for migrating this App Service Environment. This is potentially due to custom settings used by this environment. |Engage support to resolve your issue. |

+|Migrate cannot be called on Zone Pinned ASEs. |App Service Environment v2s that are zone pinned can't be migrated using the migration feature at this time. |Migrate using one of the [manual migration options](migration-alternatives.md) if you want to migrate immediately. Otherwise, wait for the migration feature to support this App Service Environment configuration. |

+|Migrate cannot be called if IP SSL is enabled on any of the sites|App Service Environments that have sites with IP SSL enabled can't be migrated using the migration feature at this time. |Migrate using one of the [manual migration options](migration-alternatives.md) if you want to migrate immediately. Otherwise, wait for the migration feature to support this App Service Environment configuration. |

+|Migrate is not available for this kind|App Service Environment v1 can't be migrated using the migration feature at this time. |Migrate using one of the [manual migration options](migration-alternatives.md) if you want to migrate immediately. Otherwise, wait for the migration feature to support this App Service Environment configuration. |

+|Full migration cannot be called before IP addresses are generated|You'll see this error if you attempt to migrate before finishing the pre-migration steps. |Ensure you've completed all pre-migration steps before you attempt to migrate. See the [step-by-step guide for migrating](how-to-migrate.md). |

+|Migration to ASEv3 is not allowed for this ASE|You won't be able to migrate using the migration feature. |Migrate using one of the [manual migration options](migration-alternatives.md). |

+|Subscription has too many App Service Environments. Please remove some before trying to create more.|The App Service Environment [quota for your subscription](/azure/azure-resource-manager/management/azure-subscription-service-limits#app-service-limits) has been met. |Remove unneeded environments or contact support to review your options. |

+|`<ZoneRedundant><DedicatedHosts><ASEv3/ASE>` is not available in this location|You'll see this error if you're trying to migrate an App Service Environment in a region that doesn't support one of your requested features. |Migrate using one of the [manual migration options](migration-alternatives.md) if you want to migrate immediately. Otherwise, wait for the migration feature to support this App Service Environment configuration. |

+### Run the script

+## Clean up resources

+```azurecli

+az group delete --name $resourceGroup

+```

+## Sample reference

+description: Learn how to use the Azure CLI to automate deployment and management of your App Service app. This sample shows how to create an app and deploy it from GitHub.

+### Run the script

+## Clean up resources

+```azurecli

+az group delete --name $resourceGroup

+```

+## Sample reference

+When you are finished, you will have a [Spring Boot](https://spring.io/projects/spring-boot) application storing data in [Azure Cosmos DB](../cosmos-db/index.yml) running on [Azure App Service on Linux](overview.md).

+In this tutorial, you'll deploy a data-driven Python web app (**[Django](https://www.djangoproject.com/)** or **[Flask](https://flask.palletsprojects.com/)**) with the **[Azure Database for PostgreSQL](../postgresql/index.yml)** relational database service. The Python app is hosted in a fully managed **[Azure App Service](./overview.md#app-service-on-linux)** which supports [Python 3.7 or higher](https://www.python.org/downloads/) in a Linux server environment. You can start with a basic pricing tier that can be scaled up at any later time.

+* An Azure account with an active subscription exists. If you don't have an Azure account, you [can create one for free](https://azure.microsoft.com/free/python).

+> [!NOTE]

+> If you are following along with this tutorial with your own app, look at the *requirements.txt* file description in each project's *README.md* file ([Flask](https://github.com/Azure-Samples/msdocs-flask-postgresql-sample-app/blob/main/README.md), [Django](https://github.com/Azure-Samples/msdocs-django-postgresql-sample-app/blob/main/README.md)) to see what packages you'll need.

+For Django, you can use SQLite locally instead of PostgreSQL by following the instructions in the comments of the [*settings.py*](https://github.com/Azure-Samples/msdocs-django-postgresql-sample-app/blob/main/azureproject/settings.py) file.

+| [!INCLUDE [A screenshot showing creating administrator account information for the PostgreSQL Flexible server in in the Azure portal](<./includes/tutorial-python-postgresql-app/create-postgres-service-azure-portal-6.md>)] | :::image type="content" source="./media/tutorial-python-postgresql-app/create-postgres-service-azure-portal-6-240px.png" lightbox="./media/tutorial-python-postgresql-app/create-postgres-service-azure-portal-6.png" alt-text="Creating administrator account information for the PostgreSQL Flexible server in the Azure portal." ::: |

+If you're working in VS Code, right-click the database server and select **Open in Portal** to go to the Azure portal. Or, go to the [Azure Cloud Shell](https://shell.azure.com) and run the Azure CLI commands.

+| [!INCLUDE [VS Code deploy step 3](<./includes/tutorial-python-postgresql-app/deploy-visual-studio-code-3.md>)] | :::image type="content" source="./media/tutorial-python-postgresql-app/deploy-web-app-visual-studio-code-2-240px.png" lightbox="./media/tutorial-python-postgresql-app/deploy-web-app-visual-studio-code-2.png" alt-text="A screenshot showing how to deploy a web app in VS Code: selecting the code to deploy." ::: :::image type="content" source="./media/tutorial-python-postgresql-app/deploy-web-app-visual-studio-code-3-240px.png" lightbox="./media/tutorial-python-postgresql-app/deploy-web-app-visual-studio-code-3.png" alt-text="A screenshot showing how to deploy a web app in VS Code: a dialog box to confirm deployment." ::: |

+With the code deployed and the database in place, the app is almost ready to use. First, you need to establish the necessary schema in the database itself. You do this by "migrating" the data models in the Django app to the database.

+When you deploy the Flask sample app to Azure App Service, the database tables are created automatically in Azure PostgreSQL. If the tables aren't created, try the following command:

+If you encounter any errors related to connecting to the database, check the values of the application settings of the App Service created in the previous section, namely `DBHOST`, `DBNAME`, `DBUSER`, and `DBPASS`. Without those settings, the migrate command can't communicate with the database.

+When you see your sample web app, it's running in a Linux container in App Service using a built-in image **Congratulations!** You've deployed your Python app to App Service.

+However, when you're finished with the sample app, you can remove all of the resources for the app from Azure to ensure you don't incur other charges and keep your Azure subscription uncluttered. Removing the resource group also removes all resources in the resource group and is the fastest way to remove all Azure resources for your app.

+Azure Application Gateway Standard v2 SKU supports buffering Requests (from clients) or Responses (from the backend servers). Based on the processing capabilities of the clients that interact with your Application Gateway, you can use these buffers to configure the speed of packet delivery.

+## Limitations

+- API version 2020-01-01 or later should be used to configure buffers.

+- Currently, these changes are supported only through ARM templates.

+- Request and Response Buffers cannot be disabled for WAF v2 SKU.

+## Version 1.12 - October 2021

+### Fixed

+- Improved reliability when validating signatures of extension packages.

+- `azcmagent_proxy remove` command on Linux now correctly removes environment variables on Red Hat Enterprise Linux and related distributions.

+- `azcmagent logs` now includes the computer name and timestamp to help disambiguate log files.

+## Version 1.17 - April 2022

+### New features

+- The default resource name for AWS EC2 instances is now the instance ID instead of the hostname. To override this behavior, use the `--resource-name PreferredResourceName` parameter to specify your own resource name when connecting a server to Azure Arc.

+- The network connectivity check during onboarding now verifies private endpoint configuration if you specify a private link scope. You can run the same check anytime by running [azcmagent check](manage-agent.md#check) with the new `--use-private-link` parameter.

+- You can now disable the extension manager with the [local agent security controls](security-overview.md#local-agent-security-controls).

+### Fixed

+- If you attempt to run `azcmagent connect` on a server that is already connected to Azure, the resource ID is now printed to the console to help you locate the resource in Azure.

+- The `azcmagent connect` timeout has been extended to 10 minutes.

+- `azcmagent show` no longer prints the private link scope ID. You can check if the server is associated with an Azure Arc private link scope by reviewing the machine details in the [Azure portal](https://portal.azure.com/#blade/Microsoft_Azure_HybridCompute/AzureArcCenterBlade/servers), [CLI](/cli/azure/connectedmachine?view=azure-cli-latest#az-connectedmachine-show), [PowerShell](/powershell/module/az.connectedmachine/get-azconnectedmachine), or [REST API](/rest/api/hybridcompute/machines/get).

+- `azcmagent logs` collects only the 2 most recent logs for each service to reduce ZIP file size.

+- `azcmagent logs` collects Guest Configuration logs again.

+### Known issues

+- `azcmagent logs` doesn't collect Guest Configuration logs in this release. You can locate the log directories in the [agent installation details](deployment-options.md#agent-installation-details).

+If you expect your server to communicate with Azure through an Azure Arc Private Link Scope, use the `--use-private-link` parameter to run additional tests that verify the hostnames and IP addresses resolved for the Azure Arc services are private endpoints.

+`azcmagent check --location <regionName> --use-private-link --verbose`

+### Enable or disable the extension manager

+The extension manager is responsible for installing, updating, and removing [VM Extensions](manage-vm-extensions.md) on your server. You can disable the extension manager to prevent managing any extensions on your server, but we recommend using the [allow and blocklists](#extension-allowlists-and-blocklists) instead for more granular control.

+```bash

+azcmagent config set extensions.enabled false

+```

+Disabling the extension manager will not remove any extensions already installed on your server. Extensions that are hosted in their own Windows or Linux services, such as the Log Analytics Agent, may continue to run even if the extension manager is disabled. Other extensions that are hosted by the extension manager itself, like the Azure Monitor Agent, will not run if the extension manger is disabled. You should [remove any extensions](manage-vm-extensions-portal.md#remove-extensions) before disabling the extension manager to ensure no extensions continue to run on the server.

+ Title: (Preview) SSH access to Azure Arc-enabled servers

+description: Leverage SSH remoting to access and manage Azure Arc-enabled servers.

+# SSH access to Azure Arc-enabled servers

+SSH for Arc-enabled servers enables SSH based connections to Arc-enabled servers without requiring a public IP address or additional open ports.

+This functionality can be used interactively, automated, or with existing SSH based tooling,

+allowing existing management tools to have a greater impact on Azure Arc-enabled servers.

+> [!IMPORTANT]

+> SSH for Arc-enabled servers is currently in PREVIEW.

+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+## Key benefits

+SSH access to Arc-enabled servers provides the following key benefits:

+ - No public IP address or open SSH ports required

+ - Access to Windows and Linux machines

+ - Ability to log-in as a local user or an [Azure user (Linux only)](../../active-directory/devices/howto-vm-sign-in-azure-ad-linux.md)

+ - Support for other OpenSSH based tooling with config file support

+## Prerequisites

+To leverage this functionality, please ensure the following:

+ - Ensure the Arc-enabled server has a hybrid agent version of "1.13.21320.014" or higher.

+ - Run: ```azcmagent show``` on your Arc-enabled Server.

+ - Ensure the Arc-enabled server has the "sshd" service enabled.

+ - Ensure you have the Virtual Machine Local User Login role assigned (role ID: 602da2baa5c241dab01d5360126ab525)

+### Availability

+SSH access to Arc-enabled servers is currently supported in the following regions:

+- eastus2euap, eastus, eastus2, westus2, southeastasia, westeurope, northeurope, westcentralus, southcentralus, uksouth, australiaeast, francecentral, japaneast, eastasia, koreacentral, westus3, westus, centralus, northcentralus.

+### Supported operating systems

+ - Windows: Windows 7+ and Windows Server 2012+

+ - Linux:

+ - CentOS: CentOS 7, CentOS 8

+ - RedHat Enterprise Linux (RHEL): RHEL 7.4 to RHEL 7.10, RHEL 8.3+

+ - SUSE Linux Enterprise Server (SLES): SLES 12, SLES 15.1+

+ - Ubuntu Server: Ubuntu Server 16.04 to Ubuntu Server 20.04

+## Getting started

+### Register the HybridConnectivity resource provider

+> [!NOTE]

+> This is a one-time operation that needs to be performed on each subscription.

+Check if the HybridConnectivity resource provider (RP) has been registered:

+```az provider show -n Microsoft.HybridConnectivity```

+If the RP has not been registered, run the following:

+```az provider register -n Microsoft.HybridConnectivity```

+This operation can take 2-5 minutes to complete. Before moving on, check that the RP has been registered.

+### Install az CLI extension

+This functionality is currently package in an az CLI extension.

+In order to install this extension, run:

+```az extension add --name ssh```

+If you already have the extension installed, it can be updated by running:

+```az extension update --name ssh```

+> [!NOTE]

+> The Azure CLI extension version must be greater than 1.0.1.

+### Create default connectivity endpoint

+> [!NOTE]

+> The following actions must be completed for each Arc-enabled server.

+Run the following commands:

+ ```az rest --method put --uri https://management.azure.com/subscriptions/<subscription>/resourceGroups/<resourcegroup>/providers/Microsoft.HybridCompute/machines/<arc enabled server name>/providers/Microsoft.HybridConnectivity/endpoints/default?api-version=2021-10-06-preview --body '{\"properties\": {\"type\": \"default\"}}'```

+ ```az rest --method get --uri https://management.azure.com/subscriptions/<subscription>/resourceGroups/<resourcegroup>/providers/Microsoft.HybridCompute/machines/<arc enabled server name>/providers/Microsoft.HybridConnectivity/endpoints/default?api-version=2021-10-06-preview```

+### Enable functionality on your Arc-enabled server

+In order to use the SSH connect feature, you must enable connections on the hybrid agent.

+> [!NOTE]

+> The following actions must be completed in an elevated terminal session.

+View your current incoming connections:

+```azcmagent config list```

+If you have existing ports, you will need to include them in the following command.

+To add access to SSH connections, run the following:

+```azcmagent config set incomingconnections.ports 22<,other open ports,...>```

+> [!NOTE]

+> If you are using a non-default port for your SSH connection, replace port 22 with your desired port in the previous command.

+## Examples

+To view examples of using the ```az ssh vm``` command, view the az CLI documentation page for [az ssh](/cli/azure/ssh).

+ Title: Troubleshoot SSH access to Azure Arc-enabled servers issues

+description: This article tells how to troubleshoot and resolve issues with the SSH access to Arc-enabled servers.

+# Troubleshoot SSH access to Azure Arc enabled servers

+This article provides information on troubleshooting and resolving issues that may occur while attempting to connect to Azure Arc enabled servers via SSH.

+For general information, see [SSH access to Arc enabled servers overview](./ssh-arc-overview.md).

+> [!IMPORTANT]

+> SSH for Arc-enabled servers is currently in PREVIEW.

+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+## Client-side issues

+These issues are due to errors that occur on the machine that the user is connecting from.

+### Incorrect Azure subscription

+This occurs when the active subscription for Azure CLI isn't the same as the server that is being connected to.

+Possible errors:

+ - "Unable to determine the target machine type as Azure VM or Arc Server"

+ - "Unable to determine that the target machine is an Arc Server"

+ - "Unable to determine that the target machine is an Azure VM"

+ - "The resource \<name\> in the resource group \<resource group\> was not found"

+Resolution:

+ - Run ```az account set -s <AzureSubscriptionId>``` where "AzureSubscriptionId" corresponds to the subscription that contains the target resource.

+### Unable to locate client binaries

+This issue occurs when the client side SSH binaries required to connect cannot be found.

+Error:

+ - "Failed to create ssh key file with error: \<ERROR\>."

+ - "Failed to run ssh command with error: \<ERROR\>."

+ - "Failed to get certificate info with error: \<ERROR\>."

+Resolution:

+ - Provide the path to the folder that contains the SSH client executables by using the ```--ssh-client-folder``` parameter.

+## Server-side issues

+### SSH traffic is not allowed on the server

+This issue occurs when SSHD isn't running on the server, or SSH traffic isn't allowed on the server.

+Possible errors:

+ - {"level":"fatal","msg":"sshproxy: error copying information from the connection: read tcp 192.168.1.180:60887-\u003e40.122.115.96:443: wsarecv: An existing connection was forcibly closed by the remote host.","time":"2022-02-24T13:50:40-05:00"}

+Resolution:

+ - Ensure that the SSHD service is running on the Arc-enabled server

+ - Ensure that port 22 (or other non-default port) is listed in allowed incoming connections. Run ```azcmagent config list``` on the Arc-enabled server in an elevated session

+## Azure permissions issues

+### Incorrect role assignments

+This issue occurs when the current user does not have the proper role assignment on the target resource, specifically a lack of "read" permissions.

+Possible errors:

+ - "Unable to determine the target machine type as Azure VM or Arc Server"

+ - "Unable to determine that the target machine is an Arc Server"

+ - "Unable to determine that the target machine is an Azure VM"

+ - "Permission denied (publickey)."

+ - "Request for Azure Relay Information Failed: (AuthorizationFailed) The client '\<user name\>' with object id '\<ID\>' does not have authorization to perform action 'Microsoft.HybridConnectivity/endpoints/listCredentials/action' over scope '/subscriptions/\<Subscription ID\>/resourceGroups/\<Resource Group\>/providers/Microsoft.HybridCompute/machines/\<Machine Name\>/providers/Microsoft.HybridConnectivity/endpoints/default' or the scope is invalid. If access was recently granted, please refresh your credentials."

+Resolution:

+ - Ensure that you have Contributor or Owner permissions on the resource you are connecting to.

+ - If using Azure AD login, ensure you have the Virtual Machine User Login or the Virtual Machine Administrator Login roles

+### HybridConnectiviry RP was not registered

+This issue occurs when the HybridConnectivity RP has not been registered for the subscription.

+Error:

+ - Request for Azure Relay Information Failed: (NoRegisteredProviderFound) Code: NoRegisteredProviderFound

+Resolution:

+ - Run ```az provider register -n Microsoft.HybridConnectivity```

+ - Confirm success by running ```az provider show -n Microsoft.HybridConnectivity```, verify that "registrationState" is set to "Registered"

+ - Restart the hybrid agent on the Arc-enabled server

+ ## Disable SSH to Arc-enabled servers

+ This functionality can be disabled by completing the following actions:

+ - Remove the SSH port from the allowedincoming ports: ```azcmagent config set incomingconnections.ports <other open ports,...>```

+ - Delete the default connectivity endpoint: ```az rest --method delete --uri https://management.azure.com/subscriptions/<subscription>/resourceGroups/<resourcegroup>/providers/Microsoft.HybridCompute/machines/<arc enabled server name>/providers/Microsoft.HybridConnectivity/endpoints/default?api-version=2021-10-06-preview```

+The fan-out work is distributed to multiple instances of the `F2` function. Please note the usage of the `NoWait` switch on the `F2` function invocation: this switch allows the orchestrator to proceed invoking `F2` without waiting for activity completion. The work is tracked by using a dynamic list of tasks. The `Wait-ActivityFunction` command is called to wait for all the called functions to finish. Then, the `F2` function outputs are aggregated from the dynamic task list and passed to the `F3` function.

+This extension version is available from the preview extension bundle v4 by adding the following lines in your `host.json` file:

+ "id": "Microsoft.Azure.Functions.ExtensionBundle.Preview",

+ "version": "[4.0.0, 5.0.0)"

+# [Bundle v2.x and v3.x](#tab/functionsv2)

+You can install this version of the extension in your function app by registering the [extension bundle], version 2.x or 3.x.

+# [Bundle v4.x (Preview)](#tab/extensionv4)

+You can add this version of the extension from the preview extension bundle v4 by adding or replacing the following code in your `host.json` file:

+ "id": "Microsoft.Azure.Functions.ExtensionBundle.Preview",

+ "version": "[4.0.0, 5.0.0)"

+You can add this version of the extension from the extension bundle v3 by adding or replacing the following configuration in your `host.json` file:

+This version allows you to bind to types from [Azure.Messaging.ServiceBus](/dotnet/api/azure.messaging.servicebus).

+This version allows you to bind to types from [Azure.Messaging.ServiceBus](/dotnet/api/azure.messaging.servicebus).

+This version allows you to bind to types from [Azure.Messaging.ServiceBus](/dotnet/api/azure.messaging.servicebus).

+This extension is available from the extension bundle v3 by adding the following lines in your `host.json` file:

+You can add this version of the extension from the extension bundle v3 by adding or replacing the following code in your `host.json` file:

+|**maxConcurrentCalls**|`16`|The maximum number of concurrent calls to the callback that should be initiated per scaled instance. By default, the Functions runtime processes multiple messages concurrently. This setting only applies for functions that receive a single message at a time.|

+When using the storage extension, there is built-in support for Event Grid in the Blob trigger, which requires setting the `source` parameter to Event Grid in your existing Blob trigger.

+This version allows you to bind to types from [Azure.Storage.Blobs](/dotnet/api/azure.storage.blobs). Learn more about how these new types are different from `WindowsAzure.Storage` and `Microsoft.Azure.Storage` and how to migrate to them from the [Azure.Storage.Blobs Migration Guide](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/storage/Azure.Storage.Blobs/AzureStorageNetMigrationV12.md).

+This extension is available by installing the [Microsoft.Azure.WebJobs.Extensions.Storage.Blobs NuGet package], version 5.x.

+Using the .NET CLI:

+```dotnetcli

+dotnet add package Microsoft.Azure.WebJobs.Extensions.Storage.Blobs --version 5.0.0

+```

+Working with the trigger and bindings requires that you reference the appropriate NuGet package. Install the [Microsoft.Azure.WebJobs.Extensions.Storage NuGet package, version 4.x]. The package is used for .NET class libraries while the extension bundle is used for all other application types.

+This version allows you to bind to types from [Azure.Storage.Blobs](/dotnet/api/azure.storage.blobs). Learn more about how these new types are different from `WindowsAzure.Storage` and `Microsoft.Azure.Storage` and how to migrate to them from the [Azure.Storage.Blobs Migration Guide](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/storage/Azure.Storage.Blobs/AzureStorageNetMigrationV12.md).

+Add the extension to your project by installing the [Microsoft.Azure.Functions.Worker.Extensions.Storage.Blobs NuGet package], version 5.x.

+Using the .NET CLI:

+```dotnetcli

+dotnet add package Microsoft.Azure.Functions.Worker.Extensions.Storage.Blobs--version 5.0.0

+```

+Add the extension to your project by installing the [Microsoft.Azure.Functions.Worker.Extensions.Storage NuGet package, version 4.x].

+You can add this version of the extension from the extension bundle v3 by adding or replacing the following code in your `host.json` file:

+[Microsoft.Azure.WebJobs.Extensions.Storage.Blobs NuGet package]: https://www.nuget.org/packages/Microsoft.Azure.WebJobs.Extensions.Storage.Blobs

+[Microsoft.Azure.Functions.Worker.Extensions.Storage.Blobs NuGet package]: https://www.nuget.org/packages/Microsoft.Azure.Functions.Worker.Extensions.Storage.Blobs

+[Microsoft.Azure.WebJobs.Extensions.Storage NuGet package, version 4.x]: https://www.nuget.org/packages/Microsoft.Azure.WebJobs.Extensions.Storage/4.0.5

+[Microsoft.Azure.Functions.Worker.Extensions.Storage NuGet package, version 4.x]: https://www.nuget.org/packages/Microsoft.Azure.Functions.Worker.Extensions.Storage/4.0.4

+This version allows you to bind to types from [Azure.Storage.Queues](/dotnet/api/azure.storage.queues).

+This extension is available by installing the [Microsoft.Azure.WebJobs.Extensions.Storage.Queues NuGet package](https://www.nuget.org/packages/Microsoft.Azure.WebJobs.Extensions.Storage.Queues), version 5.x.

+Using the .NET CLI:

+```dotnetcli

+dotnet add package Microsoft.Azure.WebJobs.Extensions.Storage.Queues --version 5.0.0

+```

+This version allows you to bind to types from [Azure.Storage.Queues](/dotnet/api/azure.storage.queues).

+Using the .NET CLI:

+```dotnetcli

+dotnet add package Microsoft.Azure.Functions.Worker.Extensions.Storage.Queues --version 5.0.0

+```

+# [Table API extension](#tab/table-api/in-process)

+# [Table API extension](#tab/table-api/in-process)

+# [Table API extension](#tab/table-api/in-process)

+# [Table API extension](#tab/table-api/in-process)

+This version allows you to bind to types from [Azure.Data.Tables](/dotnet/api/azure.data.tables). It also introduces the ability to use Cosmos DB Table APIs.

+This extension is available by installing the [Microsoft.Azure.WebJobs.Extensions.Tables NuGet package][table-api-package] into a project using version 5.x or higher of the extensions for [blobs](./functions-bindings-storage-blob.md?tabs=in-process%2Cextensionv5) and [queues](./functions-bindings-storage-queue.md?tabs=in-process%2Cextensionv5).

+dotnet add package Microsoft.Azure.WebJobs.Extensions.Tables --version 1.0.0

+# [Combined Azure Storage extension](#tab/storage-extension/in-process)

+Working with the bindings requires that you reference the appropriate NuGet package. Tables are included in a combined package for Azure Storage. Install the [Microsoft.Azure.WebJobs.Extensions.Storage NuGet package][storage-4.x], version 3.x or 4.x.

+> [!NOTE]

+> Tables have been moved out of this package starting in its 5.x version. You need to instead use version 4.x of the extension NuGet package or additionally include the [Table API extension](#table-api-extension) when using version 5.x.

+| Tools-based | &bull;&nbsp;[Visual&nbsp;Studio&nbsp;Code&nbsp;publish](functions-develop-vs-code.md#publish-to-azure)<br/>&bull;&nbsp;[Visual Studio publish](functions-develop-vs.md#publish-to-azure)<br/>&bull;&nbsp;[Core Tools publish](functions-run-local.md#publish) | Deployments during development and other ad hoc deployments. Deployments are managed locally by the tooling. |

+ Azure NetApp Files doesn't support multiple AD connections in a single *region*, even if the AD connections are in different NetApp accounts. However, you can have multiple AD connections in a single subscription if the AD connections are in different regions. If you need multiple AD connections in a single region, you can use separate subscriptions to do so.

+ The AD connection is visible only through the NetApp account it's created in. However, you can enable the Shared AD feature to allow NetApp accounts that are under the same subscription and same region to use an AD server created in one of the NetApp accounts. See [Map multiple NetApp accounts in the same subscription and region to an AD connection](#shared_ad). When you enable this feature, the AD connection becomes visible in all NetApp accounts that are under the same subscription and same region.

+* The admin account you use must have the capability to create machine accounts in the organizational unit (OU) path that you'll specify.

+* The admin account you use must have the capability to create machine accounts in the organizational unit (OU) path that you'll specify. In some cases, `msDS-SupportedEncryptionTypes` write permission is required to set account attributes within AD.

+* Group Managed Service Accounts (GMSA) can't be used with the Active Directory connection user account.

+* If you change the password of the Active Directory user account that is used in Azure NetApp Files, be sure to update the password configured in the [Active Directory Connections](#create-an-active-directory-connection). Otherwise, you won't be able to create new volumes, and your access to existing volumes might also be affected depending on the setup.

+ For example, if your Active Directory has only the AES-128 capability, you must enable the AES-128 account option for the user credentials. If your Active Directory has the AES-256 capability, you must enable the AES-256 account option (which also supports AES-128). If your Active Directory doesn't have any Kerberos encryption capability, Azure NetApp Files uses DES by default.

+* Azure NetApp Files supports [LDAP signing](/troubleshoot/windows-server/identity/enable-ldap-signing-in-windows-server), which enables secure transmission of LDAP traffic between the Azure NetApp Files service and the targeted [Active Directory domain controllers](/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview). If you're following the guidance of Microsoft Advisory [ADV190023](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023) for LDAP signing, then you should enable the LDAP signing feature in Azure NetApp Files by checking the **LDAP Signing** box in the [Join Active Directory](#create-an-active-directory-connection) window.

+ Caches have a specific timeout period called *Time to Live*. After the timeout period, entries age out so that stale entries don't linger. The *negative TTL* value is where a lookup that has failed resides to help avoid performance issues due to LDAP queries for objects that might not exist.

+* Azure NetApp Files doesn't support the use of Active Directory Domain Services Read-Only Domain Controllers (RODC). To ensure that Azure NetApp Files doesn't try to use an RODC domain controller, configure the **AD Site** field of the Azure NetApp Files Active Directory connection with an Active Directory site that doesn't contain any RODC domain controllers.

+You can use your preferred [Active Directory Sites and Services](/windows-server/identity/ad-ds/plan/understanding-active-directory-site-topology) scope for Azure NetApp Files. This option enables reads and writes to Active Directory Domain Services (AD DS) domain controllers that are [accessible by Azure NetApp Files](azure-netapp-files-network-topologies.md). It also prevents the service from communicating with domain controllers that aren't in the specified Active Directory Sites and Services site.

+ If you select `Scoped`, ensure the correct Azure AD group is selected for accessing SMB shares. If you're uncertain, you can use the `All` synchronization type.

+ Azure NetApp Files supports only one Active Directory connection within the same region and the same subscription. If Active Directory is already configured by another NetApp account in the same subscription and region, you can't configure and join a different Active Directory from your NetApp account. However, you can enable the Shared AD feature to allow an Active Directory configuration to be shared by multiple NetApp accounts within the same subscription and the same region. See [Map multiple NetApp accounts in the same subscription and region to an AD connection](#shared_ad).

+ If you're using Azure NetApp Files with Azure Active Directory Domain Services, the organizational unit path is `OU=AADDC Computers` when you configure Active Directory for your NetApp account.

+ For example, user accounts used for installing SQL Server in certain scenarios must (temporarily) be granted elevated security privilege. If you're using a non-administrator (domain) account to install SQL Server and the account doesn't have the security privilege assigned, you should add security privilege to the account.

+ | `SeChangeNotifyPrivilege` | Bypass traverse checking. <br> Users with this privilege aren't required to have traverse (`x`) permissions to traverse folders or symlinks. |

+ | `SeChangeNotifyPrivilege` | Bypass traverse checking. <br> Users with this privilege aren't required to have traverse (`x`) permissions to traverse folders or symlinks. |

+ | `SeChangeNotifyPrivilege` | Bypass traverse checking. <br> Users with this privilege aren't required to have traverse (`x`) permissions to traverse folders or symlinks. |

+* Features that are now generally available (GA)

+ The following features are now GA. You no longer need to register the features before using them.

+ * [Dynamic change of service level](dynamic-change-volume-service-level.md)

+ * [Administrators privilege users](create-active-directory-connections.md#administrators-privilege-users)

+* accessReviewHistoryDefinitions

+* BenefitRecommendations

+* Pricesheets

+* Publish

+## Microsoft.DataProtection

+* backupInstances

+* apollo

+* insights

+* solutions

+* secureScoreControls

+* secureScores

+* fileImports

+* securityMLAnalyticsSettings

+* netAppAccounts/capacityPools/volumes/volumeQuotaRules

+> [!TIP]

+> For Azure SQL Managed Instance system updates will take precedence over database restores in progress. All pending restores in case of a system update on Managed Instance will be suspended and resumed once the update has been applied. This system behavior might prolong the time of restores and might be especially impactful to long-running restores. To achieve a predictable time of database restores, consider configuring [maintenance window](maintenance-window.md) allowing scheduling of system updates at a specific day/time, and consider running database restores outside of the scheduled maintenance window day/time.

+ Title: 'Copy and paste to and from a Windows virtual machine: Azure'

+This article helps you copy and paste text to and from virtual machines when using Azure Bastion.

+## Prerequisites

+Before you proceed, make sure you have the following items.

+* A VNet with [Azure Bastion](./tutorial-create-host-portal.md) deployed.

+* A Windows VM deployed to your VNet.

+## <a name="configure"></a> Configure the bastion host

+By default, Azure Bastion is automatically enabled to allow copy and paste for all sessions connected through the bastion resource. You don't need to configure anything additional. This applies to both the Basic and the Standard SKU tier. If you want to disable the copy and paste feature, the Standard SKU is required.

+1. To view or change your configuration, in the portal, go to your Bastion resource.

+1. Go to the **Configuration** page.

+ * To enable, select the **Copy and paste** checkbox if it isn't already selected.

+ * To disable, clear the checkbox. Disable is only available with the Standard SKU. You can upgrade the SKU if necessary.

+1. **Apply** changes. The bastion host will update.

+ :::image type="content" source="./media/bastion-vm-copy-paste/configure.png" alt-text="Screenshot that shows the configuration page." lightbox="./media/bastion-vm-copy-paste/configure.png":::

+## <a name="to"></a> Copy and paste

+For browsers that support the advanced Clipboard API access, you can copy and paste text between your local device and the remote session in the same way you copy and paste between applications on your local device. For other browsers, you can use the Bastion clipboard access tool palette.

+> [!NOTE]

+> Only text copy/paste is currently supported.

+>

+### <a name="advanced"></a> Advanced Clipboard API browsers

+1. Connect to your VM.

+1. For direct copy and paste, your browser may prompt you for clipboard access when the Bastion session is being initialized. **Allow** the web page to access the clipboard.

+ :::image type="content" source="./media/bastion-vm-copy-paste/copy-paste.png" alt-text="Screenshot that shows allow clipboard access." lightbox="./media/bastion-vm-copy-paste/copy-paste.png":::

+1. You can now use keyboard shortcuts as usual to copy and paste. If you're working from a Mac, the keyboard shortcut to paste is **SHIFT-CTRL-V**.

+### <a name="other"></a>Non-advanced Clipboard API browsers

+To copy text from your local computer to a VM, use the following steps.

+1. Connect to your VM.

+1. Copy the text/content from the local device into your local clipboard.

+1. On the VM, launch the Bastion clipboard access tool palette by selecting the two arrows. The arrows are located on the left center of the session.

+ :::image type="content" source="./media/bastion-vm-copy-paste/left.png" alt-text="Screenshot that shows the launch arrows for the clipboard access tool palette." lightbox="./media/bastion-vm-copy-paste/left.png":::

+1. Copy the text from your local computer. Typically, the copied text automatically shows on the Bastion clipboard access tool palette. If doesn't show up on the tool palette, then paste the text in the text area on the tool palette. Once the text is in the text area, you can paste it to the remote session. In this example, we copied text to the Bastion clipboard tool palette, then pasted it to the VM Notepad app.

+ :::image type="content" source="./media/bastion-vm-copy-paste/clipboard-paste.png" alt-text="Screenshot shows a clipboard for text copied in Bastion." lightbox="./media/bastion-vm-copy-paste/clipboard-paste.png":::

+1. If you want to copy the text from the VM to your local computer, copy the text to the clipboard access tool. Once your text is in the text area on the palette, paste it to your local computer.

+You can copy and paste text between your local device and the remote session. Only text copy/paste is supported. By default, this feature is enabled. If you want to disable this feature, you can change the setting on the configuration page for your bastion host. To disable, your bastion host must be configured with the Standard SKU tier.

+For FAQs, see [Bastion FAQ - VM connections and features](bastion-faq.md#vm).

+First, [create your user-assigned managed identity](../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md) in the same tenant as your Batch account. You can create the identity using the Azure portal, the Azure Command-Line Interface (Azure CLI), PowerShell, Azure Resource Manager, or the Azure REST API. This managed identity does not need to be in the same resource group or even in the same subscription.

+After you've created one or more user-assigned managed identities, you can create a Batch pool with that identity or those identities. You can:

+- [Use the Azure portal to create the Batch pool](#create-batch-pool-in-azure-portal)

+- [Use the Batch .NET management library to create the Batch pool](#create-batch-pool-with-net)

+### Create Batch pool in Azure portal

+To create a Batch pool with a user-assigned managed identity through the Azure portal:

+1. [Sign in to the Azure portal](https://portal.azure.com/).

+1. In the search bar, enter and select **Batch accounts**.

+1. On the **Batch accounts** page, select the Batch account where you want to create a Batch pool.

+1. In the menu for the Batch account, under **Features**, select **Pools**.

+1. In the **Pools** menu, select **Add** to add a new Batch pool.

+1. For **Pool ID**, enter an identifier for your pool.

+1. For **Identity**, change the setting to **User assigned**.

+1. Under **User assigned managed identity**, select **Add**.

+1. Select the user assigned managed identity or identities you want to use. Then, select **Add**.

+1. Under **Operating System**, select the publisher, offer, and SKU to use.

+1. Optionally, enable the managed identity in the container registry:

+ 1. For **Container configuration**, change the setting to **Custom**. Then, select your custom configuration.

+ 1. For **Start task** select **Enabled**. Then, select **Resource files** and add your storage container information.

+ 1. Enable **Container settings**.

+ 1. Change **Container registry** to **Custom**

+ 1. For **Identity reference**, select the storage container.

+### Create Batch pool with .NET

+To create a Batch pool with a user-assigned managed identity with the [Batch .NET management library](/dotnet/api/overview/azure/batch#management-library), use the following example code:

+RTMP & SRT connectivity can be used for both input and output. Using RTMP/SRT input, a videography studio that emits RTMP/SRT can join an Azure Communication Services call. RTMP/SRT output allows you to stream media from Azure Communication Services into [Azure Media Services](/azure/media-services/latest/concepts-overview), YouTube Live, and many other broadcasting channels. The ability to attach industry standard RTMP/SRT emitters and to output content to RTMP/SRT subscribers for broadcasting transforms a small group call into a virtual event that reaches millions of people in real time.

+<!- [Tutorial - Media Composition Layouts](../../quickstarts/media-composition/media-composition-layouts.md) -->

+| Signaling, telemetry, registration| *.skype.com, *.microsoft.com, *.azure.net, *.azure.com, *.azureedge.net, *.office.com, *.trouter.io | TCP 443, 80 |

+- Visual Studio 2022 Preview 3 or higher, available as a [free download](https://visualstudio.microsoft.com/vs/preview/).

+Visual Studio launches the Docker Desktop for Windows installer. You can follow the installation instructions on this page to set up Docker, which requires a system reboot.

+ :::image type="content" source="media/visual-studio/container-apps-select-resource.png" alt-text="A screenshot showing how to select the created resource.":::

+When the app finishes deploying, Visual Studio opens a browser to the URL of your deployed site. This page may initially display an error if all of the proper resources have not finished provisioning. You can continue to refresh the browser periodically to check if the deployment has fully completed.

+ Title: Request access to Azure Cosmos DB previews

+description: Learn how to request access to Azure Cosmos DB previews

+# Access Azure Cosmos DB Preview Features

+## Steps to register for a preview feature from the portal

+Azure Cosmos DB offers several preview features that you can request access to. Here are the steps to request access to these preview features.

+1. Go to **Preview Features** area in your Azure subscription.

+2. Under **Type**, select "Microsoft.DocumentDBΓÇ¥.

+3. Click on the feature you would like access to in the list of available preview features.

+4. Click the **Register** button at the bottom of the page to join the preview.

+## Next steps

+- Learn [how to choose an API](choose-api.md) in Azure Cosmos DB

+- [Get started with Azure Cosmos DB SQL API](create-sql-api-dotnet.md)

+- [Get started with Azure Cosmos DB API for MongoDB](mongodb/create-mongodb-nodejs.md)

+- [Get started with Azure Cosmos DB Cassandra API](cassandr)

+- [Get started with Azure Cosmos DB Gremlin API](create-graph-dotnet.md)

+- [Get started with Azure Cosmos DB Table API](table/create-table-dotnet.md)

+| Maximum size of an item | 2 MB (UTF-8 length of JSON representation) ^* |

+^* Large document sizes up to 16 Mb are currently in preview with Azure Cosmos DB API for MongoDB only. Sign-up for the feature ΓÇ£Azure Cosmos DB API For MongoDB 16MB Document SupportΓÇ¥ from [Preview Features blade in the portal](./access-previews.md), to try it.

+#### Note

+Support for unique index on existing collections with data is available in preview. You can sign up for the feature ΓÇ£Azure Cosmos DB API for MongoDB New Unique Indexes in existing collectionΓÇ¥ through the [Preview Features blade in the portal](./../access-previews.md).

+To delete a partial unique index using from Mongo Shell, use the command `getIndexes()` to list the indexes in the collection.

+> * If the account is of type Table API or Gremlin API.

+Table API and Gremlin API are in preview and can be provisioned with PowerShell and Azure CLI.

+To provision an account with continuous backup, add the argument `-BackupPolicyType Continuous` along with the regular provisioning command.

+#### <a id="provision-powershell-table-api"></a>Table API account

+To provision an account with continuous backup, add an argument `-BackupPolicyType Continuous` along with the regular provisioning command.

+The following cmdlet is an example of a single region write account *Pitracct* with continuous backup policy created in *West US* region under *MyRG* resource group:

+```azurepowershell

+New-AzCosmosDBAccount `

+ -ResourceGroupName "MyRG" `

+ -Location "West US" `

+ -BackupPolicyType Continuous `

+ -Name "pitracct" `

+ -ApiKind "Table"

+

+```

+#### <a id="provision-powershell-graph-api"></a>Gremlin API account

+To provision an account with continuous backup, add an argument `-BackupPolicyType Continuous` along with the regular provisioning command.

+The following cmdlet is an example of a single region write account *Pitracct* with continuous backup policy created in *West US* region under *MyRG* resource group:

+```azurepowershell

+New-AzCosmosDBAccount `

+ -ResourceGroupName "MyRG" `

+ -Location "West US" `

+ -BackupPolicyType Continuous `

+ -Name "pitracct" `

+ -ApiKind "Gremlin"

+

+```

+The following command shows an example of a single region write account named *Pitracct* with continuous backup policy created in the *West US* region under *MyRG* resource group:

+### <a id="provision-cli-table-api"></a>Table API account

+The following command shows an example of a single region write account named *Pitracct* with continuous backup policy created in the *West US* region under *MyRG* resource group:

+```azurecli-interactive

+az cosmosdb create \

+ --name Pitracct \

+ --kind GlobalDocumentDB \

+ --resource-group MyRG \

+ --capabilities EnableTable \

+ --backup-policy-type Continuous \

+ --default-consistency-level Session \

+ --locations regionName="West US"

+```

+### <a id="provision-cli-graph-api"></a>Gremlin API account

+The following command shows an example of a single region write account named *Pitracct* with continuous backup policy created the *West US* region under *MyRG* resource group:

+```azurecli-interactive

+az cosmosdb create \

+ --name Pitracct \

+ --kind GlobalDocumentDB \

+ --resource-group MyRG \

+ --capabilities EnableGremlin \

+ --backup-policy-type Continuous \

+ --default-consistency-level Session \

+ --locations regionName="West US"

+```

+Next, deploy the template by using Azure PowerShell or CLI. The following example shows how to deploy the template with a CLI command:

+{"id": "3","name": "Taking over the world one JSON doc at a time", "pub-id": "mspress"}

+ Title: Quickstart - Create an Azure Cosmos DB and a container using Bicep

+description: Quickstart showing how to an Azure Cosmos database and a container using Bicep

+tags: azure-resource-manager, bicep

+#Customer intent: As a database admin who is new to Azure, I want to use Azure Cosmos DB to store and manage my data.

+# Quickstart: Create an Azure Cosmos DB and a container using Bicep

+Azure Cosmos DB is MicrosoftΓÇÖs fast NoSQL database with open APIs for any scale. You can use Azure Cosmos DB to quickly create and query key/value databases, document databases, and graph databases. This quickstart focuses on the process of deploying a Bicep file to create an Azure Cosmos database and a container within that database. You can later store data in this container.

+## Prerequisites

+An Azure subscription or free Azure Cosmos DB trial account.

+- [!INCLUDE [quickstarts-free-trial-note](../../../includes/quickstarts-free-trial-note.md)]

+## Review the Bicep file

+The Bicep file used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/cosmosdb-sql/).

+Three Azure resources are defined in the Bicep file:

+- [Microsoft.DocumentDB/databaseAccounts](/azure/templates/microsoft.documentdb/databaseaccounts): Create an Azure Cosmos account.

+- [Microsoft.DocumentDB/databaseAccounts/sqlDatabases](/azure/templates/microsoft.documentdb/databaseaccounts/sqldatabases): Create an Azure Cosmos database.

+- [Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers](/azure/templates/microsoft.documentdb/databaseaccounts/sqldatabases/containers): Create an Azure Cosmos container.

+## Deploy the Bicep file

+1. Save the Bicep file as **main.bicep** to your local computer.

+1. Deploy the Bicep file using either Azure CLI or Azure PowerShell.

+ # [CLI](#tab/CLI)

+ ```azurecli

+ az group create --name exampleRG --location eastus

+ az deployment group create --resource-group exampleRG --template-file main.bicep --parameters primaryRegion=<primary-region> secondaryRegion=<secondary-region>

+ ```

+ # [PowerShell](#tab/PowerShell)

+ ```azurepowershell

+ New-AzResourceGroup -Name exampleRG -Location eastus

+ New-AzResourceGroupDeployment -ResourceGroupName exampleRG -TemplateFile ./main.bicep -primaryRegion "<primary-region>" -secondaryRegion "<secondary-region>"

+ ```

+

+ > [!NOTE]

+ > Replace **\<primary-region\>** with the primary replica region for the Cosmos DB account, such as **WestUS**. Replace **\<secondary-region\>** with the secondary replica region for the Cosmos DB account, such as **EastUS**.

+ When the deployment finishes, you should see a message indicating the deployment succeeded.

+## Validate the deployment

+Use the Azure portal, Azure CLI, or Azure PowerShell to list the deployed resources in the resource group.

+# [CLI](#tab/CLI)

+```azurecli-interactive

+az resource list --resource-group exampleRG

+```

+# [PowerShell](#tab/PowerShell)

+```azurepowershell-interactive

+Get-AzResource -ResourceGroupName exampleRG

+```

+## Clean up resources

+If you plan to continue working with subsequent quickstarts and tutorials, you might want to leave these resources in place.

+When no longer needed, use the Azure portal, Azure CLI, or Azure PowerShell to delete the resource group and its resources.

+# [CLI](#tab/CLI)

+```azurecli-interactive

+az group delete --name exampleRG

+```

+# [PowerShell](#tab/PowerShell)

+```azurepowershell-interactive

+Remove-AzResourceGroup -Name exampleRG

+```

+## Next steps

+In this quickstart, you created an Azure Cosmos account, a database and a container by using a Bicep file and validated the deployment. To learn more about Azure Cosmos DB and Bicep, continue on to the articles below.

+- Read an [Overview of Azure Cosmos DB](../introduction.md).

+- Learn more about [Bicep](../../azure-resource-manager/bicep/overview.md).

+- Trying to do capacity planning for a migration to Azure Cosmos DB? You can use information about your existing database cluster for capacity planning.

+ - If all you know is the number of vCores and servers in your existing database cluster, read about [estimating request units using vCores or vCPUs](../convert-vcore-to-request-unit.md).

+ - If you know typical request rates for your current database workload, read about [estimating request units using Azure Cosmos DB capacity planner](estimate-ru-with-capacity-planner.md).

+Different sub versions of .NET SDKs are available under the 2.x.x version. **The minimum recommended version is 2.18.0**.

+Below is a list of any known issues affecting the [recommended minimum version](#recommended-version):

+Different sub versions of .NET SDKs are available under the 2.x.x version. **The minimum recommended version is 2.18.0**.

+Below is a list of any known issues affecting the [recommended minimum version](#recommended-version):

+This connector currently supports MariaDB of version 10.0 to 10.5.

+> This article applies to version 1 of Data Factory. Version 1 is in maintenance mode. The document exists for legacy users. If you are using the current version of the Data Factory service, see [Quickstart: Create a data factory using Azure Data Factory](../quickstart-create-data-factory-powershell.md).

+|**2.**|HPN VMs |For this release, the Standard_F12_HPN can only support one network interface and cannot be used for Multi-Access Edge Computing (MEC) deployments. | |

+ Title: Install the password reset extension on VMs for your Azure Stack Edge Pro GPU device

+description: Describes how to install the password reset extension on virtual machines (VMs) on an Azure Stack Edge Pro GPU device.

+#Customer intent: As an IT admin, I need to understand how install the password reset extension on virtual machines (VMs) on my Azure Stack Edge Pro GPU device.

+# Install the password reset extension on VMs for your Azure Stack Edge Pro GPU device

+This article covers steps to install, verify, and remove the password reset extension using Azure Resource Manager templates on both Windows and Linux VMs.

+## Prerequisites

+Before you install the password reset extension on the VMs running on your device:

+1. Make sure to have access to an Azure Stack Edge device on which you've deployed one or more VMs. For more information, see [Deploy VMs on your Azure Stack Edge Pro GPU device via the Azure portal](azure-stack-edge-gpu-deploy-virtual-machine-portal.md).

+ Here's an example where Port 2 was used to enable the compute network. If Kubernetes isn't deployed on your environment, you can skip the Kubernetes node IP and external service IP assignment.

+ 

+1. [Download the templates](https://aka.ms/ase-vm-templates) to your client machine. Unzip the files into a directory youΓÇÖll use as a working directory.

+1. Verify that the client you'll use to access your device is connected to the local Azure Resource Manager over Azure PowerShell. For detailed instructions, see [Connect to Azure Resource Manager on your Azure Stack Edge device](azure-stack-edge-gpu-connect-resource-manager.md).

+ The connection to Azure Resource Manager expires every 1.5 hours or if your Azure Stack Edge device restarts. If your connection expires, any cmdlets that you execute will return error messages to the effect that you aren't connected to Azure. In this case, sign in again.

+## Edit parameters file

+Depending on the operating system for your VM, you can install the extension for Windows or for Linux. You'll find the parameter and template files in the *PasswordResetExtension* folder.

+### [Windows](#tab/windows)

+To change the password for an existing VM, edit the `addPasswordResetExtensionTemplate.parameters.json` parameters file and then deploy the template `addPasswordResetExtensionTemplate.json`.

+The file `addPasswordResetExtensionTemplate.parameters.json` takes the following parameters:

+```json

+{

+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ "vmName": {

+ "value": "<Name of the VM>"

+ },

+ "extensionType": {

+ "value": "<OS type of the VM, for example, Linux or Windows>"

+ },

+ "username": {

+ "value": "<Existing username for connecting to your VM>"

+ },

+ "Password": {

+ "value": "<New password for the user>"

+ }

+ }

+}

+```

+### [Linux](#tab/linux)

+To change the password for an existing VM, edit the `addPasswordResetExtensionTemplate.parameters.json` parameters file and then deploy the template `addPasswordResetExtensionTemplate.json`.

+The file `addPasswordResetExtensionTemplate.parameters.json` takes the following parameters:

+```json

+{

+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ "vmName": {

+ "value": "<Name of the VM>"

+ },

+ "extensionType": {

+ "value": "<OS type of the VM, for example, Linux or Windows>"

+ },

+ "username": {

+ "value": "<Existing username for connecting to your VM>"

+ },

+ "Password": {

+ "value": "<New password for the user>"

+ }

+ }

+}

+```

+## Deploy template

+### [Windows](#tab/windows)

+Set some parameters. Run the following command:

+```powershell

+$templateFile = "<Path to addPasswordResetExtensionTemplate.json file>"

+$templateParameterFile = "<Path to addPasswordResetExtensionTemplate.parameters.json file>"

+$RGName = "<Name of resource group>"

+New-AzResourceGroupDeployment -ResourceGroupName $RGName -TemplateFile $templateFile -TemplateParameterFile $templateParameterFile -Name "<Deployment name>" -AsJob

+```

+The extension deployment is a long running job and takes about 10 minutes to complete.

+Here's a sample output:

+```powershell

+PS C:\WINDOWS\system32> $templateFile = "C:\PasswordResetVmExtensionTemplates\addPasswordResetExtensionTemplate.json"

+PS C:\WINDOWS\system32> $templateParameterFile = "C:\PasswordResetVmExtensionTemplates\addPasswordResetExtensionTemplate.parameters.json"

+PS C:\WINDOWS\system32> $RGName = "myasepro2rg"

+PS C:\WINDOWS\system32> New-AzResourceGroupDeployment -ResourceGroupName $RGName -TemplateFile $templateFile -TemplateParameterFile $templateParameterFile -Name "windowsvmdeploy" -AsJob

+Id Name PSJobTypeName State HasMoreData Location Command

+-- - - -- -- -- -

+9 Long Running... AzureLongRun... Running True localhost New-AzResourceGro...

+

+PS C:\WINDOWS\system32>

+```

+### [Linux](#tab/linux)

+Set some parameters. Run the following command:

+```powershell

+$templateFile = "<Path to addPasswordResetExtensionTemplate.json file>"

+$templateParameterFile = "<Path to addPasswordResetExtensionTemplate.parameters.json file>"

+$RGName = "<Name of resource group>"

+New-AzResourceGroupDeployment -ResourceGroupName $RGName -TemplateFile $templateFile -TemplateParameterFile $templateParameterFile -Name "<Deployment name>" -AsJob

+```

+The extension deployment is a long running job and takes about 10 minutes to complete.

+Here's a sample output:

+```powershell

+PS C:\WINDOWS\system32> $templateFile = "C:\PasswordResetVmExtensionTemplates\addPasswordResetExtensionTemplate.json"

+PS C:\WINDOWS\system32> $templateParameterFile = "C:\PasswordResetVmExtensionTemplates\addPasswordResetExtensionTemplate.parameters.json"

+PS C:\WINDOWS\system32> $RGName = "myasepro2rg"

+PS C:\WINDOWS\system32> New-AzResourceGroupDeployment -ResourceGroupName $RGName -TemplateFile $templateFile -TemplateParameterFile $templateParameterFile -Name "linuxvmdeploy" -AsJob

+Id Name PSJobTypeName State HasMoreData Location Command

+-- - - -- -- -- -

+4 Long Running... AzureLongRun... Running True localhost New-AzResourceGroupDep...

+```

+## Track deployment

+### [Windows](#tab/windows)

+To check the deployment status of extensions for a given VM, run the following command:

+```powershell

+Get-AzVMExtension -ResourceGroupName <MyResourceGroup> -VMName <MyWindowsVM> -Name <Name of the extension>

+```

+Here's a sample output:

+```powershell

+PS C:\WINDOWS\system32>

+Get-AzVMExtension -ResourceGroupName myasepro2rg -VMName mywindowsvm -Name windowsVMAccessExt

+

+ResourceGroupName : myasepro2rg

+VMName : mywindowsvm

+Name : windowsVMAccessExt

+Location : dbelocal

+Etag : null

+Publisher : Microsoft.Compute

+ExtensionType : VMAccessAgent

+TypeHandlerVersion : 2.4

+Id : /subscriptions/04a485ed-7a09-44ab-6671-66db7f111122/resourceGroups/myasepro2rg/provi

+ ders/Microsoft.Compute/virtualMachines/mywindowsvm/extensions/windowsVMAccessExt

+PublicSettings : {

+ "username": "azureuser"

+ }

+ProtectedSettings :

+ProvisioningState : Succeeded

+Statuses :

+SubStatuses :

+AutoUpgradeMinorVersion : True

+ForceUpdateTag :

+

+PS C:\WINDOWS\system32>

+```

+You can see below that the extension has been installed successfully.

+ 

+### [Linux](#tab/linux)

+To check the deployment status of extensions for a given VM, run the following command:

+```powershell

+Get-AzVMExtension -ResourceGroupName <MyResourceGroup> -VMName <MyLinuxVM> -Name <Name of the extension>

+```

+Here's a sample output:

+```powershell

+PS C:\WINDOWS\system32>

+Get-AzVMExtension -ResourceGroupName myasepro2rg -VMName mylinuxvm5 -Name linuxVMAccessExt

+ResourceGroupName : myasepro2rg

+VMName : mylinuxvm5

+Name : linuxVMAccessExt

+Location : dbelocal

+Etag : null

+Publisher : Microsoft.OSTCExtensions

+ExtensionType : VMAccessForLinux

+TypeHandlerVersion : 1.5

+Id : /subscriptions/04a485ed-7a09-44ab-6671-66db7f111122/resourceGroups

+ /myasepro2rg/providers/Microsoft.Compute/virtualMachines/mylinuxvm

+ 5/extensions/linuxVMAccessExt

+PublicSettings : {}

+ProtectedSettings :

+ProvisioningState : Succeeded

+Statuses :

+SubStatuses :

+AutoUpgradeMinorVersion : True

+ForceUpdateTag :

+

+PS C:\WINDOWS\system32>

+```

+You can see below that the extension has been installed successfully.

+ 

+## Verify the updated VM password

+### [Windows](#tab/windows)

+To verify the VM password update, connect to the VM using the new password. For detailed instructions, see [Connect to a Windows VM.](azure-stack-edge-gpu-deploy-virtual-machine-portal.md#connect-to-a-windows-vm)

+ 

+### [Linux](#tab/linux)

+To verify the VM password update, connect to the VM using the new password. For detailed instructions, see [Connect to a Linux VM.](azure-stack-edge-gpu-deploy-virtual-machine-portal.md#connect-to-a-linux-vm)

+Here's a sample output:

+```powershell

+

+Microsoft Windows [Version 10.0.22000.556]

+(c) Microsoft Corporation. All rights reserved.

+

+C:\WINDOWS\system32>ssh -l azureuser 10.57.51.13

+azureuser@10.57.51.13's password:

+Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 5.0.0-1027-azure x86_64)

+

+* Documentation: https://help.ubuntu.com

+* Management: https://landscape.canonical.com

+* Support: https://ubuntu.com/advantage

+

+ System information as of Wed Mar 30 21:22:24 UTC 2022

+

+ System load: 1.06 Processes: 113

+ Usage of /: 5.4% of 28.90GB Users logged in: 0

+ Memory usage: 14% IP address for eth0: 10.57.51.13

+ Swap usage: 0%

+

+* Super-optimized for small spaces - read how we shrank the memory

+ footprint of MicroK8s to make it the smallest full K8s around.

+

+ https://ubuntu.com/blog/microk8s-memory-optimisation

+

+230 packages can be updated.

+160 updates are security updates.

+

+New release '20.04.4 LTS' available.

+Run 'do-release-upgrade' to upgrade to it.

+

+*** System restart required ***

+Last login: Wed Mar 30 21:16:52 2022 from 10.191.227.85

+To run a command as administrator (user "root"), use "sudo <command>".

+See "man sudo_root" for details.

+

+azureuser@mylinuxvm5:~$

+```

+## Remove the extension

+### [Windows](#tab/windows)

+To remove the password reset extension, run the following command:

+```powershell

+Remove-AzVMExtension -ResourceGroupName <Resource group name> -VMName <VM name> -Name <Name of the extension>

+```

+Here's a sample output:

+```powershell

+PS C:\WINDOWS\system32> Remove-AzVMExtension -ResourceGroupName myasepro2rg -VMName mywindowsvm5 -Name windowsVMAccessExt

+

+Virtual machine extension removal operation

+This cmdlet will remove the specified virtual machine extension. Do you want to continue?

+[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): Yes

+

+RequestId IsSuccessStatusCode StatusCode ReasonPhrase

+ - -

+ True OK OK

+

+PS C:\WINDOWS\system32>

+```

+### [Linux](#tab/linux)

+To remove the password reset extension, run the following command:

+```powershell

+Remove-AzVMExtension -ResourceGroupName <Resource group name> -VMName <VM name> -Name <Name of the extension>

+```

+Here's a sample output:

+```powershell

+PS C:\WINDOWS\system32> Remove-AzVMExtension -ResourceGroupName myasepro2rg -VMName mylinuxvm5 -Name linuxVMAccessExt

+

+Virtual machine extension removal operation

+This cmdlet will remove the specified virtual machine extension. Do you want to continue?

+[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): Yes

+

+RequestId IsSuccessStatusCode StatusCode ReasonPhrase

+ - -

+ True OK OK

+

+PS C:\WINDOWS\system32>

+```

+## Next steps

+Learn how to:

+- [Monitor VM activity on your device](azure-stack-edge-gpu-monitor-virtual-machine-activity.md)

+- [Manage VM disks](azure-stack-edge-gpu-manage-virtual-machine-disks-portal.md)

+- [Manage VM network interfaces](azure-stack-edge-gpu-manage-virtual-machine-network-interfaces-portal.md)

+- [Manage VM sizes](azure-stack-edge-gpu-manage-virtual-machine-resize-portal.md)

+## Create a local storage account

+ To create and access a local storage account, see the sections [Create a storage account](azure-stack-edge-gpu-deploy-virtual-machine-powershell.md#create-a-local-storage-account) through [Upload a VHD](azure-stack-edge-gpu-deploy-virtual-machine-powershell.md#upload-a-vhd) in the article: [Deploy VMs on your Azure Stack Edge device via Azure PowerShell](azure-stack-edge-gpu-deploy-virtual-machine-powershell.md).

+This article describes how to manage Edge storage accounts and local storage accounts on your Azure Stack Edge. You can manage the Azure Stack Edge Pro device via the Azure portal or via the local web UI. Use the Azure portal to add or delete Edge storage accounts on your device. Use Azure PowerShell to add local storage accounts on your device.

+## Create a local storage account

+## Get access keys for a local storage account

+Before you get the access keys, you must configure your client to connect to the device via Azure Resource Manager over Azure PowerShell. For detailed instructions, seeΓÇ»[Connect to Azure Resource Manager on your Azure Stack Edge device](azure-stack-edge-gpu-connect-resource-manager.md).

+Get started with Azure DDoS Protection Standard by using Azure CLI.

+A DDoS protection plan defines a set of virtual networks that have DDoS protection standard enabled, across subscriptions. You can configure one DDoS protection plan for your organization and link virtual networks from multiple subscriptions to the same plan.

+In this quickstart, you'll create a DDoS protection plan and link it to a virtual network.

+If you choose to install and use the CLI locally, this quickstart requires Azure CLI version 2.0.56 or later. To find the version, run `az --version`. If you need to install or upgrade, see [Install the Azure CLI]( /cli/azure/install-azure-cli).

+ --ddos-protection-plan MyDdosProtectionPlan \

+ --name MyDdosProtectionPlan

+ --ddos-protection-plan MyDdosProtectionPlan \

+You can keep your resources for the next tutorial. If no longer needed, delete the _MyResourceGroup_ resource group. When you delete the resource group, you also delete the DDoS protection plan and all its related resources.

+ --ddos-protection-plan MyDdosProtectionPlan \

+

+If you want to delete a DDoS protection plan, you must first dissociate all virtual networks from it.

+Get started with Azure DDoS Protection Standard by using Azure PowerShell.

+A DDoS protection plan defines a set of virtual networks that have DDoS protection standard enabled, across subscriptions. You can configure one DDoS protection plan for your organization and link virtual networks from multiple subscriptions to the same plan.

+In this quickstart, you'll create a DDoS protection plan and link it to a virtual network.

+You can enable DDoS protection when creating a virtual network. In this example, we'll name our virtual network _MyVnet_:

+#Gets the DDoS protection plan ID

+$ddosProtectionPlanID = Get-AzDdosProtectionPlan -ResourceGroupName MyResourceGroup -Name MyDdosProtectionPlan

+#Creates the virtual network

+New-AzVirtualNetwork -Name MyVnet -ResourceGroupName MyResourceGroup -Location "East US" -AddressPrefix 10.0.0.0/16 -DdosProtectionPlan $ddosProtectionPlanID -EnableDdosProtection

+#Gets the DDoS protection plan ID

+$ddosProtectionPlanID = Get-AzDdosProtectionPlan -ResourceGroupName MyResourceGroup -Name MyDdosProtectionPlan

+$vnet.DdosProtectionPlan.Id = $ddosProtectionPlanID.Id

+```

+Check the details of your DDoS protection plan and verify that the command returns the correct details of your DDoS protection plan.

+Check the details of your vNet and verify the DDoS protection plan is enabled.

+```azurepowershell-interactive

+Get-AzVirtualNetwork -Name MyVnet -ResourceGroupName MyResourceGroup

+```

+You can keep your resources for the next tutorial. If no longer needed, delete the _MyResourceGroup_ resource group. When you delete the resource group, you also delete the DDoS protection plan and all its related resources.

+To disable DDoS protection for a virtual network:

+ >This action is irreversible.

+1. For the lab to handle encryption for all the lab disks, lab owner needs to explicitly grant the labΓÇÖs **system-assigned identity** reader role on the disk encryption set as well as virtual machine contributor role on the underlying Azure subscription. The lab owner can do so by completing the following steps:

+ 1. Ensure you are a member of [User Access Administrator role](../role-based-access-control/built-in-roles.md#user-access-administrator) at the Azure subscription level so that you can manage user access to Azure resources.

+ 1. On the **Disk Encryption Set** page, assign at least the Reader role to the lab name for which the disk encryption set will be used.

+ For detailed steps, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md).

+ 1. Navigate to the **Subscription** page in the Azure portal.

+ 1. Assign the Virtual Machine Contributor role to the lab name (system-assigned identity for the lab).

+5. In the Azure portal, navigate to Azure Database Migration Service.

+6. In the navigation menu, select **Access control (IAM)**.

+7. Select **Add** > **Add role assignment**.

+ :::image type="content" source="../../includes/role-based-access-control/media/add-role-assignment-menu-generic.png" alt-text="Screenshot showing Access control (IAM) page with Add role assignment menu open.":::

+8. On the **Role** tab, select the **Contributor** role.

+ :::image type="content" source="../../includes/role-based-access-control/media/add-role-assignment-role-generic.png" alt-text="Screenshot showing Add role assignment page with Role tab selected.":::

+9. On the **Members** tab, select **User, group, or service principal**, and then select the App ID name.

+10. On the **Review + assign** tab, select **Review + assign** to assign the role.

+ For detailed steps, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md).

+> During the preview, Event Grid on Kubernetes features are supported through API version [2020-10-15-Preview](/rest/api/eventgrid/controlplane-version2021-10-15-preview/event-subscriptions/create-or-update).

+You can also specify retry policy limits on a per subscription basis. See our [API documentation](/rest/api/eventgrid/controlplane-version2021-10-15-preview/event-subscriptions/create-or-update) for information on configuring defaults per subscriber. Subscription level defaults override the Event Grid module on Kubernetes level configurations.

+The way to configure Event Grid to send events to a destination is through the creation of an event subscription. It can be done through [Azure CLI](/cli/azure/eventgrid/event-subscription#az-eventgrid-event-subscription-create), [management SDK](../sdk-overview.md#management-sdks), or using direct HTTPs calls using the [2020-10-15-preview API](/rest/api/eventgrid/controlplane-version2021-10-15-preview/event-subscriptions/create-or-update) version.

+Event Grid on Kubernetes offers a good level of feature parity with Azure Event Grid's support for event subscriptions. The following list enumerates the main differences in event subscription functionality. Apart from those differences, you can use Azure Event Grid's [REST api version 2020-10-15-preview](/rest/api/eventgrid/controlplane-version2021-10-15-preview/event-subscriptions) as a reference when managing event subscriptions on Event Grid on Kubernetes.

+1. Use [REST api version 2020-10-15-preview](/rest/api/eventgrid/controlplane-version2021-10-15-preview/event-subscriptions).

+5. Only CloudEvents schema is supported. The supported schema value is "[CloudEventSchemaV1_0](/rest/api/eventgrid/controlplane-version2021-10-15-preview/event-subscriptions/create-or-update#eventdeliveryschema)". Cloud Events schema is extensible and based on open standards.

+6. Labels ([properties.labels](/rest/api/eventgrid/controlplane-version2021-10-15-preview/event-subscriptions/create-or-update#request-body)) aren't applicable to Event Grid on Kubernetes. Hence, they are not available.

+7. [Delivery with resource identity](/rest/api/eventgrid/controlplane-version2021-10-15-preview/event-subscriptions/create-or-update#deliverywithresourceidentity) isn't supported. So, all properties for [Event Subscription Identity](/rest/api/eventgrid/controlplane-version2021-10-15-preview/event-subscriptions/create-or-update#eventsubscriptionidentity) aren't supported.

+Event Grid on Kubernetes offers a rich set of features that help you integrate your Kubernetes workloads and realize hybrid architectures. It shares the same [rest API](/rest/api/eventgrid/controlplane-version2021-10-15-preview/topics) (starting with version 2020-10-15-preview), [Event Grid CLI](/cli/azure/eventgrid), Azure portal experience, [management SDKs](../sdk-overview.md#management-sdks), and [data plane SDKs](../sdk-overview.md#data-plane-sdks) with Azure Event Grid, the other edition of the same service. When you're ready to publish events, you can use the [data plane SDK examples provided in different languages](https://devblogs.microsoft.com/azure-sdk/event-grid-ga/) that work for both editions of Event Grid.

+| [Event Grid Topics](/rest/api/eventgrid/controlplane-version2021-10-15-preview/topics) | Γ£ö | Γ£ö |

+**Feature** that helps you realize above requirement: [Event Grid Topics](/rest/api/eventgrid/controlplane-version2021-10-15-preview/topics).

+Event Grid on Kubernetes supports [Event Grid Topics](/rest/api/eventgrid/controlplane-version2021-10-15-preview/topics), which is a feature also offered by [Azure Event Grid](../custom-topics.md). Event Grid topics help you realize the [primary integration use case](#use-case) where your requirements call for integrating your system with another workload that you own or otherwise is made accessible to your system.

+object to get the JSON for. The **Name** property is often a _GUID_ (Globally Unique Identifier) and isn't the **displayName** of

+Here is an example of getting the JSON for a policy definition with **Name** (as mentioned previously, GUID) of

+_d7fff7ea-9d47-4952-b854-b7da261e48f2_:

+Get-AzPolicyDefinition -Name 'd7fff7ea-9d47-4952-b854-b7da261e48f2' | ConvertTo-Json -Depth 10

+## Service quotas and limits

+All Azure services set default limits and quotas for resources and features. The following table describes the maximum limits for Azure Load Testing.

+|Resource |Limit |

+|||

+|Maximum concurrent engine instances that can be utilized per region per subscription | 100 |

+|Maximum concurrent test runs per region per subscription | 25 |

+You can increase the default limits and quotas by requesting the increase through an [Azure support request](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest).

+1. Select **create a support ticket**.

+1. Provide a summary of your issue.

+1. Select **Issue type** as *Technical*.

+1. Select your subscription. Then, select **Service Type** as *Azure Load Testing - Preview*.

+1. Select **Problem type** as *Test Execution*.

+1. Select **Problem subtype** as *Provisioning stalls or fails*.

+For information on this process, see [Create an Azure ML workspace from Microsoft Sentinel](../sentinel/notebooks-hunt.md?tabs=public-endpoint#create-an-azure-ml-workspace-from-microsoft-sentinel)

+For more information on this configuration, see [Create an Azure ML workspace from Microsoft Sentinel](../sentinel/notebooks-hunt.md?tabs=private-endpoint#create-an-azure-ml-workspace-from-microsoft-sentinel)

+The dataset consists of about 120 training images each for turkeys and chickens, with 100 validation images for each class. We'll download and extract the dataset as part of our training script `pytorch_train.py`. The images are a subset of the [Open Images v5 Dataset](https://storage.googleapis.com/openimages/web/https://docsupdatetracker.net/index.html). For more steps on creating a JSONL to train with your own data, see this [Jupyter notebook](https://github.com/Azure/azureml-examples/blob/main/python-sdk/tutorials/automl-with-azureml/image-classification-multiclass/auto-ml-image-classification-multiclass.ipynb).

+| SQL, Azure Cosmos DB, and HDInsight integrations | GA | YES | YES |

+| [Azure Stack Edge with FPGA](how-to-deploy-fpga-web-service.md#deploy-to-a-local-edge-server) | Public Preview | NO | NO |

+| Create and run experiments in studio web experience | Preview | YES | N/A |

+| Large data support (up to 100 GB) | Preview | YES | N/A |

+| Azure Databricks Integration | GA | YES | N/A |

+| SQL, Azure Cosmos DB, and HDInsight integrations | GA | YES | N/A |

+| Azure Databricks Integration with ML Pipeline | GA | YES | N/A |

+| Virtual Network support | Preview | YES | N/A |

+| Scoring endpoint authentication | Preview | YES | N/A |

+| Workplace Private Endpoint | GA | YES | N/A |

+| ACI behind VNet | Preview | NO | N/A |

+| Private IP of AKS cluster | Preview | NO | N/A |

+| View, edit, or delete dataset drift monitors from the SDK | Preview | YES | N/A |

+| View, edit, or delete dataset drift monitors from the UI | Preview | YES | N/A |

+| Model profiling | GA | YES | N/A |

+| FPGA-based Hardware Accelerated Models | Deprecating | Deprecating | N/A |

+| Visual Studio Code integration | Preview | NO | N/A |

+| Event Grid integration | Preview | YES | N/A |

+| Integrate Azure Stream Analytics with Azure Machine Learning | Preview | NO | N/A |

+| ML assisted labeling (Image classification and object detection) | Preview | YES | N/A |

+| Explainability in UI | Preview | NO | N/A |

+| custom tags in Azure Machine Learning to implement datasheets | GA | YES | N/A |

+| Fairness AzureML Integration | Preview | NO | N/A |

+| Reinforcement Learning | Deprecating | Deprecating | N/A |

+| Azure Stack Edge with FPGA | Deprecating | Deprecating | N/A |

+| Open Datasets | Preview | YES | N/A |

+| Custom Cognitive Search | Preview | YES | N/A |

+To learn more about the regions that Azure Machine learning is available in, see [Products by region](https://azure.microsoft.com/global-infrastructure/services/).

+ Title: Grafana UI

+description: Learn about the Grafana UI components--panels, visualizations and dashboards.

+

+# Grafana UI

+This reference covers the Grafana web application's main UI components, including panels, visualizations, and dashboards. For consistency, it links to the corresponding topics in the Grafana documentation.

+## Panels

+A Grafana panel is a basic building block in Grafana. Each panel displays a dataset from a data source query using a [visualization](#visualizations). For more information about panels, refer to the following items:

+* [Working with Grafana panels](https://grafana.com/docs/grafana/latest/panels/working-with-panels/)

+* [Query a data source](https://grafana.com/docs/grafana/latest/panels/query-a-data-source/)

+* [Modify visualization text and background colors](https://grafana.com/docs/grafana/latest/panels/specify-thresholds/)

+* [Override field values](https://grafana.com/docs/grafana/latest/panels/override-field-values/)

+* [Transform data](https://grafana.com/docs/grafana/latest/panels/transform-data/)

+* [Format data using value mapping](https://grafana.com/docs/grafana/latest/panels/format-data/)

+* [Create reusable Grafana panels](https://grafana.com/docs/grafana/latest/panels/library-panels/)

+* [Enable template variables to add panels dynamically](https://grafana.com/docs/grafana/latest/panels/add-panels-dynamically/)

+* [Reference: Query options](https://grafana.com/docs/grafana/latest/panels/reference-query-options/)

+* [Reference: Calculation types](https://grafana.com/docs/grafana/latest/panels/reference-calculation-types/)

+* [Reference: Standard field definitions](https://grafana.com/docs/grafana/latest/panels/reference-standard-field-definitions/)

+## Visualizations

+Grafana [panels](#panels) support various visualizations, which are visual representations of underlying data. These representations are often graphical and include:

+* Graphs and charts

+ * [Time series](https://grafana.com/docs/grafana/latest/visualizations/time-series/)

+ * [State timeline](https://grafana.com/docs/grafana/latest/visualizations/state-timeline/)

+ * [Status history](https://grafana.com/docs/grafana/latest/visualizations/status-history/)

+ * [Bar chart](https://grafana.com/docs/grafana/latest/visualizations/bar-chart/)

+ * [Histogram](https://grafana.com/docs/grafana/latest/visualizations/histogram/)

+ * [Heatmap](https://grafana.com/docs/grafana/latest/visualizations/heatmap/)

+ * [Pie chart](https://grafana.com/docs/grafana/latest/visualizations/pie-chart-panel/)

+ * [Candlestick](https://grafana.com/docs/grafana/latest/visualizations/candlestick/)

+* Stats and numbers

+ * [Stat](https://grafana.com/docs/grafana/latest/visualizations/stat-panel/)

+ * [Gauge](https://grafana.com/docs/grafana/latest/visualizations/gauge-panel/)

+ * [Bar gauge](https://grafana.com/docs/grafana/latest/visualizations/bar-gauge-panel/)

+* Others

+ * [Table](https://grafana.com/docs/grafana/latest/visualizations/table/)

+ * [Logs](https://grafana.com/docs/grafana/latest/visualizations/logs-panel/)

+ * [Node graph](https://grafana.com/docs/grafana/latest/visualizations/node-graph/)

+ * [Text](https://grafana.com/docs/grafana/latest/visualizations/text-panel/)

+ * [News](https://grafana.com/docs/grafana/latest/visualizations/news-panel/)

+ * [Alert list](https://grafana.com/docs/grafana/latest/visualizations/alert-list-panel/)

+ * [Dashboard list](https://grafana.com/docs/grafana/latest/visualizations/dashboard-list-panel/)

+## Dashboards

+A Grafana dashboard is a collection of [panels](#panels) arranged in rows and columns. Panels typically show datasets that are related. You can create multiple dashboards in Grafana. For more information about dashboards, refer to the following links:

+* [Working with Grafana dashboard UI](https://grafana.com/docs/grafana/latest/dashboards/dashboard-ui/)

+* [Dashboard folders](https://grafana.com/docs/grafana/latest/dashboards/)

+* [Create dashboard](https://grafana.com/docs/grafana/latest/dashboards/dashboard-create/)

+* [Manage dashboards](https://grafana.com/docs/grafana/latest/dashboards/dashboard-manage/)

+* [Annotations](https://grafana.com/docs/grafana/latest/dashboards/annotations/)

+* [Playlist](https://grafana.com/docs/grafana/latest/dashboards/playlist/)

+* [Search](https://grafana.com/docs/grafana/latest/dashboards/search/)

+* [Keyboard shortcuts](https://grafana.com/docs/grafana/latest/dashboards/shortcuts/)

+* [Reporting](https://grafana.com/docs/grafana/latest/dashboards/reporting/)

+* [Time range controls](https://grafana.com/docs/grafana/latest/dashboards/time-range-controls/)

+* [Dashboard version history](https://grafana.com/docs/grafana/latest/dashboards/)

+* [Dashboard export and import](https://grafana.com/docs/grafana/latest/dashboards/export-import/)

+* [Dashboard JSON model](https://grafana.com/docs/grafana/latest/dashboards/json-model/)

+* [Scripted dashboards](https://grafana.com/docs/grafana/latest/dashboards/scripted-dashboards/)

+## Next steps

+> [!div class="nextstepaction"]

+> [How to share an Azure Managed Grafana Preview workspace](./how-to-share-grafana-workspace.md)

+ Title: 'How to call Grafana APIs in your automation: Azure Managed Grafana Preview'

+description: Learn how to call Grafana APIs in your automation with Azure Active Directory (Azure AD) and an Azure service principal

+# How to call Grafana APIs in your automation within Azure Managed Grafana Preview

+In this article, you'll learn how to call Grafana APIs within Azure Managed Grafana Preview using a service principal.

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/dotnet).

+- An Azure Managed Grafana workspace. If you don't have one yet, [create a workspace](/quickstart-managed-grafana-workspace.md).

+## Sign in to Azure

+Sign in to the Azure portal at [https://portal.azure.com/](https://portal.azure.com/) with your Azure account.

+## Assign roles to the service principal of your application and of your Azure Managed Grafana workspace

+1. Start by [Creating an Azure AD application and service principal that can access resources](../active-directory/develop/howto-create-service-principal-portal.md). This guide takes you through creating an application and assigning a role to its service principal. For simplicity, use an application located in the same Azure Active Directory (Azure AD) tenant as your Grafana workspace.

+1. Assign the role of your choice to the service principal for your Grafana resource. Refer to [How to share a Managed Grafana workspace](how-to-share-grafana-workspace.md) to learn how to grant access to a Grafana instance. Instead of selecting a user, select **Service principal**.

+## Get an access token

+To access Grafana APIs, you first need to get an access token. Here's an example showing how you can call Azure AD to retrieve a token:

+```bash

+curl -X POST -H 'Content-Type: application/x-www-form-urlencoded' \

+-d 'grant_type=client_credentials&client_id=<client-id>&client_secret=<application-secret>&resource=ce34e7e5-485f-4d76-964f-b3d2b16d1e4f' \

+https://login.microsoftonline.com/<tenant-id>/oauth2/token

+```

+Replace `<tenant-id>` with your own Azure AD tenant ID, replace `<client-id>` with your client ID and `<application-secret>` with the application secret of the application you want to share.

+Here's an example of response:

+```bash

+{

+ "token_type": "Bearer",

+ "expires_in": "599",

+ "ext_expires_in": "599",

+ "expires_on": "1575500555",

+ "not_before": "1575499766",

+ "resource": "ce34...1e4f",

+ "access_token": "eyJ0eXAiOiJ......AARUQ"

+}

+```

+## Call a Grafana API

+You can now call the Grafana API using the access token retrieved in the previous step as the Authorization header. For example:

+```bash

+curl -X GET \

+-H 'Authorization: Bearer <access-token>' \

+https://<grafana-url>/api/user

+```

+Replace `<access-token>` with the access token retrieved in the previous step and replace `<grafana-url>` with the URL of your Grafana instance. For example `https://grafanaworkspace-abcd.cuse.grafana.azure.com`. This URL is displayed in the Azure platform, in the **Overview** page of your Managed Grafana workspace.

+## Next steps

+> [!div class="nextstepaction"]

+> [Grafana UI](./grafana-app-ui.md)

+ Title: How to configure data sources for Azure Managed Grafana Preview with Managed Identity

+description: In this how-to guide, discover how you can configure data sources for Azure Managed Grafana using Managed Identity.

+# How to configure data sources for Azure Managed Grafana Preview with Managed Identity

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/dotnet).

+- An Azure Managed Grafana workspace. If you don't have one yet, [create a workspace](/how-to-permissions.md).

+- A resource including monitoring data with Managed Grafana monitoring permissions. Read [how to configure permissions](how-to-permissions.md) for more information.

+## Sign in to Azure

+Sign in to the Azure portal at [https://portal.azure.com/](https://portal.azure.com/) with your Azure account.

+## Supported Grafana data sources

+By design, Grafana can be configured with multiple data sources. A data source is an externalized storage backend that holds your telemetry information. Azure Managed Grafana supports many popular data sources. Azure-specific data sources are:

+- [Azure Data Explorer](https://github.com/grafana/azure-data-explorer-datasource?utm_source=grafana_add_ds)

+- [Azure Monitor](https://grafana.com/docs/grafana/latest/datasources/azuremonitor/)

+Other data sources include:

+- [Alertmanager](https://grafana.com/docs/grafana/latest/datasources/alertmanager/)

+- [CloudWatch](https://grafana.com/docs/grafana/latest/datasources/aws-cloudwatch/)

+- Direct Input

+- [Elasticsearch](https://grafana.com/docs/grafana/latest/datasources/elasticsearch/)

+- [Google Cloud Monitoring](https://grafana.com/docs/grafana/latest/datasources/google-cloud-monitoring/)

+- [Graphite](https://grafana.com/docs/grafana/latest/datasources/graphite/)

+- [InfluxDB](https://grafana.com/docs/grafana/latest/datasources/influxdb/)

+- [Jaeger](https://grafana.com/docs/grafana/latest/datasources/jaeger/)

+- [Loki](https://grafana.com/docs/grafana/latest/datasources/loki/)

+- [Microsoft SQL Server](https://grafana.com/docs/grafana/latest/datasources/mssql/)

+- [MySQL](https://grafana.com/docs/grafana/latest/datasources/mysql/)

+- [OpenTSDB](https://grafana.com/docs/grafana/latest/datasources/opentsdb/)

+- [PostgreSQL](https://grafana.com/docs/grafana/latest/datasources/postgres/)

+- [Prometheus](https://grafana.com/docs/grafana/latest/datasources/prometheus/)

+- [Tempo](https://grafana.com/docs/grafana/latest/datasources/tempo/)

+- [TestData DB](https://grafana.com/docs/grafana/latest/datasources/testdata/)

+- [Zipkin](https://grafana.com/docs/grafana/latest/datasources/zipkin/)

+You can find all available Grafana data sources by going to your workspace and selecting this page from the left menu: **Configuration** > **Data sources** > **Add a data source** . Search for the data source you need from the available list. For more information about data sources, go to [Data sources](https://grafana.com/docs/grafana/latest/datasources/) on the Grafana Labs website.

+ :::image type="content" source="media/managed-grafana-how-to-source-plugins.png" alt-text="Screenshot of the Add data source page.":::

+## Default data sources in an Azure Managed Grafana workspace

+The Azure Monitor data source is automatically added to all new Managed Grafana resources. To review or modify its configuration, follow these steps in your workspace endpoint:

+1. From the left menu, select **Configuration** > **Data sources**.

+ :::image type="content" source="media/managed-grafana-how-to-source-configuration.png" alt-text="Screenshot of the Add data sources page.":::

+1. Azure Monitor should be listed as a built-in data source for your workspace. Select **Azure Monitor**.

+1. In **Settings**, authenticate through **Managed Identity** and select your subscription from the dropdown list or enter your **App Registration** details

+ :::image type="content" source="media/managed-grafana-how-to-source-configuration-Azure-Monitor-settings.png" alt-text="Screenshot of the Azure Monitor page in data sources.":::

+Authentication and authorization are subsequently made through the provided managed identity. With Managed Identity, you can assign permissions for your Managed Grafana workspace to access Azure Monitor data without having to manually manage service principals in Azure Active Directory (Azure AD).

+## Manually assign permissions for Managed Grafana to access data in Azure

+Azure Managed Grafana automatically configures the **Monitoring Reader** role for accessing all the Azure Monitor data and Log Analytics resources in your subscription. To change this:

+1. Go to the Log Analytics resource that contains the monitoring data you want to visualize.

+1. Select **Access Control (IAM)**.

+1. Search for your Managed Grafana workspace and change the permission.

+## Next steps

+> [!div class="nextstepaction"]

+> [Share an Azure Managed Grafana workspace](./how-to-share-grafana-workspace.md)

+ Title: 'How to monitor your workspace with logs in Azure Managed Grafana Preview'

+description: Learn how to monitor your workspace in Azure Managed Grafana Preview with logs

+# How to monitor your workspace with logs in Azure Managed Grafana Preview

+In this article, you'll learn how to monitor an Azure Managed Grafana Preview workspace by configuring diagnostic settings and accessing event logs.

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/dotnet).

+- An Azure Managed Grafana workspace with access to at least one data source. If you don't have a workspace yet, [create an Azure Managed Grafana workspace](/how-to-permissions.md) and [add a data source](how-to-data-source-plugins-managed-identity.md).

+## Sign in to Azure

+Sign in to the Azure portal at [https://portal.azure.com/](https://portal.azure.com/) with your Azure account.

+## Add diagnostic settings

+To monitor an Azure Managed Grafana workspace, the first step to take is to configure diagnostic settings. In this process, you'll configure the streaming export of your workspace's logs to a destination of your choice.

+You can create up to five different diagnostic settings to send different logs to independent destinations.

+1. Open a Managed Grafana workspace, and go to **Diagnostic settings**, under **Monitoring**

+ :::image type="content" source="media/managed-grafana-monitoring-diagnostic-overview.png" alt-text="Screenshot of the Azure platform. Diagnostic settings.":::

+1. Select **+ Add diagnostic setting**

+ :::image type="content" source="media/managed-grafana-monitoring-add-settings.png" alt-text="Screenshot of the Azure platform. Add diagnostic settings.":::

+1. Enter a unique **diagnostic setting name** for your diagnostic

+1. Select a category. You can select **allLogs**, to stream all logs, **audit** to stream audit logs, or select the **GrafanaLoginEvents** category to stream log in events. Select **allLogs**.

+1. Under **Destination details**, select one or more destinations, fill out details and select **Save**.

+ | Destination | Description | Settings |

+ |-|-|-|

+ | Log Analytics workspace | Send data to a Log Analytics workspace | Select the **subscription** containing an existing Log Analytics workspace, then select the **Log Analytics workspace** |

+ | Storage account | Archive data to a storage account | Select the **subscription** containing an existing storage account, then select the **storage account**. Only storage accounts in the same region as the Grafana workspace are displayed in the dropdown menu. |

+ | Event hub | Stream to an event hub | Select a **subscription** and an existing Azure Event Hub **namespace**. Optionally also choose an existing **event hub**. Lastly, choose an **event hub policy** from the list. Only event hubs in the same region as the Grafana workspace are displayed in the dropdown menu. |

+ | Partner solution | Send to a partner solution | Select a **subscription** and a **destination**. For more information about available destinations, go to [partner destinations](/azure/azure-monitor/partners). |

+ :::image type="content" source="media/managed-grafana-monitoring-settings.png" alt-text="Screenshot of the Azure platform. Diagnostic settings configuration.":::

+## Access logs

+Now that you've configured your diagnostic settings, Azure will stream all new events to your selected destinations and generate logs. You can now create queries and access logs to monitor your application.

+1. In your Managed Grafana workspace, select **Logs** from the left menu. The Azure platform displays a **Queries** page, with suggestions of queries to choose from.

+ :::image type="content" source="media/managed-grafana-monitoring-logs-menu.png" alt-text="Screenshot of the Azure platform. Open Logs.":::

+1. Select a query from the suggestions displayed under the **Queries** page, or close the page to create your own query.

+ 1. To use a suggested query, select a query and select **Run**, or select **Load to editor** to review the code.

+ 1. To create your own query, enter your query in the code editor and select **Run**. You can also perform some actions, such as editing the scope and the range of the query, as well as saving and sharing the query. The result of the query is displayed in the lower part of the screen.

+ :::image type="content" source="media/managed-grafana-monitoring-logs-query.png" alt-text="Screenshot of the Azure platform. Log query editing." lightbox="media/managed-grafana-monitoring-logs-query-expanded.png":::

+1. Select **Schema and Filter** on the left side of the screen to access tables, queries and functions. You can also filter and group results, as well as find your favorites.

+1. Select **Columns** on the right of **Results** to edit the columns of the results table, and manage the table like a pivot table.

+ :::image type="content" source="media/managed-grafana-monitoring-logs-filters.png" alt-text="Screenshot of the Azure platform. Log query filters and columns." lightbox="media/managed-grafana-monitoring-logs-filters-expanded.png":::

+## Next steps

+> [!div class="nextstepaction"]

+> [Grafana UI](./grafana-app-ui.md)

+> [How to share an Azure Managed Grafana workspace](./how-to-share-grafana-workspace.md)

+ Title: How to configure permissions for Azure Managed Grafana

+description: Learn how to manually configure access permissions with roles for your Azure Managed Grafana Preview workspace

+# How to configure permissions for Azure Managed Grafana Preview

+By default, when a Grafana workspace is created, Azure Managed Grafana grants it the Monitoring Reader role for all Azure Monitor data and Log Analytics resources within a subscription.

+This means that the new Grafana workspace can access and search all monitoring data in the subscription, including viewing the Azure Monitor metrics and logs from all resources, and any logs stored in Log Analytics workspaces in the subscription.

+In this article, you'll learn how to manually edit permissions for a specific resource.

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/dotnet).

+- An Azure Managed Grafana workspace. If you don't have one yet, [create a workspace](/how-to-permissions.md).

+- An Azure resource with monitoring data and write permissions, such as [User Access Administrator](../../articles/role-based-access-control/built-in-roles.md#user-access-administrator) or [Owner](../../articles/role-based-access-control/built-in-roles.md#owner)

+## Sign in to Azure

+Sign in to the Azure portal at [https://portal.azure.com/](https://portal.azure.com/) with your Azure account.

+## Assign permissions for an Azure Managed Grafana workspace to access data in Azure

+To edit permissions for a specific resource, follow these steps:

+1. Open a resource that contains the monitoring data you want to retrieve. In this example, we're configuring an Application Insights resource.

+1. Select **Access Control (IAM)**.

+1. Under **Grant access to this resource**, select **Add role assignment**.

+ :::image type="content" source="media/managed-grafana-how-to-permissions-iam.png" alt-text="Screenshot of the Azure platform to add role assignment in App Insights.":::

+1. The portal lists various roles you can give to your Managed Grafana resource. Select a role. For instance, **Monitoring Reader**. Select this role.

+1. Click **Next**.

+ :::image type="content" source="media/managed-grafana-how-to-permissions-role.png" alt-text="Screenshot of the Azure platform and choose Monitor Reader.":::

+1. For **Assign access to**, select **Managed Identity**.

+1. Click **Select members**.

+ :::image type="content" source="media/managed-grafana-how-to-permissions-members.png" alt-text="Screenshot of the Azure platform selecting members.":::

+1. Select the **Subscription** containing your Managed Grafana workspace

+1. Select a **Managed identity** from the options in the dropdown list

+1. Select your Managed Grafana workspace from the list.

+1. Click **Select** to confirm

+ :::image type="content" source="media/managed-grafana-how-to-permissions-identity.png" alt-text="Screenshot of the Azure platform selecting the workspace.":::

+1. Click **Next**, then **Review + assign** to confirm the application of the new permission

+## Next steps

+> [!div class="nextstepaction"]

+> [Configure data source plugins for Azure Managed Grafana with Managed Identity](./how-to-data-source-plugins-managed-identity.md)

+ Title: How to share an Azure Managed Grafana Preview workspace

+description: 'Azure Managed Grafana: learn how you can share access permissions and dashboards with your team and customers.'

+# How to share an Azure Managed Grafana Preview workspace

+A DevOps team may build dashboards to monitor and diagnose an application or infrastructure that it manages. Likewise, a support team may use a Grafana monitoring solution for troubleshooting customer issues. In these scenarios, multiple users will be accessing one Grafana workspace. Azure Managed Grafana enables such sharing by allowing you to set the custom permissions on a workspace that you own. This article explains what permissions are supported and how to grant permissions to share dashboards with your internal teams or external customers.

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/dotnet).

+- An Azure Managed Grafana workspace. If you don't have one yet, [create a workspace](/how-to-permissions.md).

+## Supported Grafana roles

+Azure Managed Grafana supports the Admin, Viewer and Editor roles:

+- The Admin role provides full control of the workspace including viewing, editing, and configuring data sources.

+- The Editor role provides read-write access to the dashboards in the workspace

+- The Viewer role provides read-only access to dashboards in the workspace.

+The Admin role is automatically assigned to the creator of a Grafana workspace. More details on Admin, Editor, and Viewer roles can be found at [Grafana organization roles](https://grafana.com/docs/grafana/latest/permissions/organization_roles/#compare-roles).

+Grafana user roles and assignments are fully integrated with the Azure Active Directory. You can manage these permissions from the Azure portal or the command line. This section explains how to assign users to the Viewer or Editor role in the Azure portal.

+## Sign in to Azure

+Sign in to the Azure portal at [https://portal.azure.com/](https://portal.azure.com/) with your Azure account.

+## Assign an Admin, Viewer or Editor role to a user

+1. Open your Managed Grafana workspace.

+1. Select **Access control (IAM)** in the navigation menu.

+1. Click **Add**, then **Add role assignment**

+ :::image type="content" source="media/managed-grafana-how-to-share-IAM.png" alt-text="Screenshot of Add role assignment in the Azure platform.":::

+1. Select one of the Grafana roles to assign to a user or security group. The available roles are:

+ - Grafana Admin

+ - Grafana Editor

+ - Grafana Viewer

+ :::image type="content" source="media/managed-grafana-how-to-share-role-assignment.png" alt-text="Screenshot of the Grafana roles in the Azure platform.":::

+> [!NOTE]

+> Dashboard and data source level sharing will be done from within the Grafana application. Fore more details, refer to [Grafana permissions](https://grafana.com/docs/grafana/latest/permissions/).

+## Next steps

+> [!div class="nextstepaction"]

+> [Configure permissions for Managed Grafana](./how-to-data-source-plugins-managed-identity.md)

+> [Configure data source plugins for Azure Managed Grafana with Managed Identity](./how-to-data-source-plugins-managed-identity.md)

+> [How to call Grafana APIs in your automation with Azure Managed Grafana Preview](./how-to-api-calls.md)

+ Title: What is Azure Managed Grafana Preview?

+description: Read an overview of Azure Managed Grafana. Understand why and how to use Managed Grafana.

+

+# What is Azure Managed Grafana Preview?

+Azure Managed Grafana is a data visualization platform built on top of the Grafana software by Grafana Labs. It's built as a fully managed Azure service operated and supported by Microsoft. Grafana helps you bring together metrics, logs and traces into a single user interface. With its extensive support for data sources and graphing capabilities, you can view and analyze your application and infrastructure telemetry data in real-time.

+Azure Managed Grafana is optimized for the Azure environment. It works seamlessly with many Azure services. Specifically, for the current preview, it provides with the following integration features:

+* Built-in support for Azure Monitor and Azure Data Explorer

+* User authentication and access control using Azure Active Directory identities

+* Direct import of existing charts from Azure portal

+To learn more about how Grafana works, visit the [Getting Started documentation](https://grafana.com/docs/grafana/latest/getting-started/) on the Grafana Labs website.

+## Why use Azure Managed Grafana Preview?

+Managed Grafana lets you bring together all your telemetry data into one place. It can access a wide variety of data sources supported, including your data stores in Azure and elsewhere. By combining charts, logs and alerts into one view, you can get a holistic view of your application and infrastructure, and correlate information across multiple datasets.

+As a fully managed service, Azure Managed Grafana lets you deploy Grafana without having to deal with setup. The service provides high availability, SLA guarantees and automatic software updates.

+You can share Grafana dashboards with people inside and outside of your organization and allow others to join in for monitoring or troubleshooting.

+Managed Grafana uses Azure Active Directory (Azure AD)ΓÇÖs centralized identity management, which allows you to control which users can use a Grafana instance, and you can use managed identities to access Azure data stores, such as Azure Monitor.

+You can create dashboards instantaneously by importing existing charts directly from the Azure portal or by using prebuilt dashboards.

+## Next steps

+> [!div class="nextstepaction"]

+> [Create a workspace in Azure Managed Grafana Preview using the Azure portal](./quickstart-managed-grafana-portal.md).

+ Title: 'Quickstart: create a workspace in Azure Managed Grafana Preview using the Azure portal'

+description: Learn how to create a Managed Grafana workspace using the Azure portal

+

+# Quickstart: Create a workspace in Azure Managed Grafana Preview using the Azure portal

+Get started by using the Azure portal to create a new workspace in Azure Managed Grafana Preview.

+## Prerequisite

+An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/dotnet).

+## Create a Managed Grafana workspace

+1. Sign in to the [Azure portal](https://portal.azure.com) with your Azure account.

+1. In the upper-left corner of the home page, select **Create a resource**. In the **Search services and Marketplace** box, enter *Grafana* and select **Enter**.

+1. Select **Grafana Workspaces** from the search results, and then **Create**.

+ :::image type="content" source="media/managed-grafana-quickstart-portal-grafana-create.png" alt-text="Screenshot of the Azure portal. Create Grafana workspace.":::

+1. In the Create Grafana Workspace pane, enter the following settings.

+ :::image type="content" source="media/managed-grafana-quickstart-portal-form.png" alt-text="Screenshot of the Azure portal. Create workspace form.":::

+ | Setting | Sample value | Description |

+ ||||

+ | Subscription ID | mysubscription | Select the Azure subscription you want to use. |

+ | Resource group name | myresourcegroup | Select or create a resource group for your Azure Managed Grafana resources. |

+ | Location | East US | Use Location to specify the geographic location in which to host your resource. Choose the location closest to you. |

+ | Name | mygrafanaworkspace | Enter a unique resource name. It will be used as the domain name in your workspace URL. |

+1. Select **Next : Permission >** to access rights for your Grafana dashboard and data sources:

+ 1. Make sure the **System assigned identity** is set to **On**. The box **Add role assignment to this identity with 'Monitoring Reader' role on target subscription** should also be checked for this Managed Identity to get access to your current subscription.

+ 1. Make sure that you're listed as a Grafana administrator. You can also add more users as administrators at this point or later.

+ If you uncheck this option (or if the option grays out for you), someone with the Owner role on the subscription can do the role assignment to give you the Grafana Admin permission.

+ > [!NOTE]

+ > If creating a Grafana workspace fails the first time, please try again. The failure might be due to a limitation in our backend, and we are actively working to fix.

+1. Optionally select **Next : Tags** and add tags to categorize resources.

+1. Select **Next : Review + create >** and then **Create**. Your Azure Managed Grafana resource is deploying.

+## Connect to your Managed Grafana workspace

+1. Once the deployment is complete, select **Go to resource** to open your resource.

+ :::image type="content" source="media/managed-grafana-quickstart-portal-deployment-complete.png" alt-text="Screenshot of the Azure portal. Message: Your deployment is complete.":::

+1. In the **Overview** tab's Essentials section, note the **Endpoint** URL. Open it to access the newly created Managed Grafana workspace. Single sign-on via Azure Active Directory should have been configured for you automatically. If prompted, enter your Azure account.

+ :::image type="content" source="media/managed-grafana-quickstart-workspace-overview.png" alt-text="Screenshot of the Azure portal. Endpoint URL display.":::

+ :::image type="content" source="media/managed-grafana-quickstart-portal-grafana-workspace.png" alt-text="Screenshot of a Managed Grafana dashboard.":::

+You can now start interacting with the Grafana application to configure data sources, create dashboards, reporting and alerts.

+## Next steps

+> [!div class="nextstepaction"]

+> [Configure permissions for Azure Managed Grafana Preview](./how-to-data-source-plugins-managed-identity.md)

+> [Configure data source plugins for Azure Managed Grafana Preview with Managed Identity](./how-to-data-source-plugins-managed-identity.md)

+| OfferName | OfferName | The name of the commercial marketplace offer | OfferName|

+| PlanID | PlanID | The display name of the plan entered when the offer was created in Partner Center | PlanID |

+| SKU | SKU | The plan associated with the offer | SKU |

+| N/A | lastModifiedAt | The latest timestamp for customer purchases. Use this field, via programmatic API access, to pull the latest snapshot of all customer purchase transactions since a specific date | lastModifiedAt |

+ Title: Deprecate or restore a virtual machine offer from Azure Marketplace

+description: Deprecate or restore a virtual machine, image, plan, or offer.

+# Deprecate or restore a virtual machine offer

+This article describes how to deprecate or restore virtual machine images, plans, and offers. The deprecation feature replaces the _stop sell_ feature. It complies with the Azure 90-day wind down period as it allows deprecation to be scheduled in advance.

+## What is deprecation?

+Deprecation is the delisting of a VM offer or a subset of the offer from Azure Marketplace so that it is no longer available for customers to deploy additional instances. Reasons to deprecate may vary. Common examples are due to security issues or end of life. You can deprecate image versions, plans, or an entire VM offer:

+- **Deprecation of an image version** ΓÇô The removal of an individual VM image version

+- **Deprecation of a plan** ΓÇô The removal of a plan and subsequently all images within the plan

+- **Deprecation of an offer** ΓÇô The removal of an entire VM offer, including all plans within the offer and subsequently all images within each plan

+To ensure your customers are provided with ample notification, deprecation is scheduled in advance.

+> [!IMPORTANT]

+> Existing deployments are not impacted by deprecation.

+## How deprecation affects customers

+Here are some important things to understand about the deprecation process.

+Before the scheduled deprecation date:

+- Customers with active deployments are notified.

+- Customers can continue to deploy new instances up until the deprecation date.

+- If deprecating an offer or plan, the offer or plan will no longer be available in the marketplace. This is to reduce the discoverability of the offer or plan.

+After the scheduled deprecation date:

+- Customers will not be able to deploy new instances using the affected images. If deprecating a plan, all images within the plan will no longer be available and if deprecating an offer, all images within the offer will no longer be available following deprecation.

+- Active VM instances will not be impacted.

+- Existing virtual machine scale sets (VMSS) deployments cannot be scaled out if configured with any of the impacted images. If deprecating a plan or offer, all existing VMSS deployments pinned to any image within the plan or offer respectively cannot be scaled out.

+> [!TIP]

+> Before you deprecate an offer or plan, make sure you understand the current usage by reviewing the [Usage dashboard in commercial marketplace analytics](usage-dashboard.md). If usage is high, consider hiding the plan or offer to minimize discoverability within the commercial marketplace. This will steer new customers towards other available options.

+## Deprecate an image

+Keep the following things in mind when deprecating an image:

+- You can deprecate any image within a plan.

+- Each plan must have at least one image.

+- Publish the offer after scheduling the deprecation of an image.

+- Images that are published to preview can be deprecated or deleted immediately.

+**To deprecate an image**:

+1. On the [Marketplace offers](https://partner.microsoft.com/dashboard/marketplace-offers/overview) page, in the **Offer alias** column, select the offer with the image you want to deprecate.

+1. On the **Offer overview** page, under **Plan overview**, select the plan with the image.

+1. In the left nav, select the **Technical Configuration** page.

+1. Under **VM images**, select the **Active** tab.

+1. In the **Action** column, select **Deprecate** for the image you want to deprecate. Upon confirming the deprecation, the image is listed on the **Deprecated** tab.

+1. Save your changes on the **Technical configuration** page.

+1. For the change to take effect and for customers to be notified, select **Review and publish** and publish the offer.

+## Restore a deprecated image

+Keep the following things in mind when restoring a deprecated image:

+- Publish the offer after restoring an image for it to become available to customers.

+- You can undo or cancel the deprecation anytime up until the scheduled date.

+- You can restore an image for a period of time after deprecation. After the window has expired, the image can no longer be restored.

+**To restore a deprecated image**:

+1. On the [Marketplace offers](https://partner.microsoft.com/dashboard/marketplace-offers/overview) page, in the **Offer alias** column, select the offer with the image you want to restore.

+1. On the **Offer overview** page, under **Plan overview**, select the plan with the image.

+1. In the left nav, select the **Technical configuration** page.

+1. Under **VM images**, select the **Deprecated** tab. The status is shown in the **Status** column.

+1. In the **Action** column, select one of the following:

+ - If the deprecation date shown in the **Status** column is in the future, you can select **Cancel deprecation**. The image version will then be listed under the Active tab.

+ - If the deprecation date shown in the **Status** column is in the past, select **Restore image**. The image is then listed on the **Active** tab.

+ > [!NOTE]

+ > If the image can no longer be restored, then no actions will be available.

+1. Save your changes on the **Technical configuration** page.

+1. For the change to take effect, select **Review and publish** and publish the offer.

+## Deprecate a plan

+Keep the following things in ming when deprecating a plan:

+- Publish the offer after scheduling the deprecation of a plan.

+- Upon scheduling the deprecation of a plan, free trials are disabled immediately.

+- If a test drive is enabled on your offer and itΓÇÖs configured to use the plan thatΓÇÖs being deprecated, be sure to reconfigure the test drive to use another plan in the offer. Otherwise, disable the test drive on the **Offer Setup** page.

+**To deprecate a plan**:

+1. On the [Marketplace offers](https://partner.microsoft.com/dashboard/marketplace-offers/overview) page, in the **Offer alias** column, select the offer with the plan you want to deprecate.

+1. On the **Offer overview** page, under **Plan overview**, in the **Action** column, select **Deprecate plan**.

+1. In the confirmation box that appears, enter the Plan ID and confirm that you want to deprecate the plan.

+1. For the change to take effect and for customers to be notified, select **Review and publish** and publish the offer.

+## Restore a deprecated plan

+Keep the following things in mind when restoring a plan:

+- Ensure that there is at least one active image version available on the **Technical Configuration** page of the plan. You can either restore a deprecated image or provide a new one.

+- Publish the offer after restoring a plan for it to become available to customers.

+**To restore a plan**:

+1. On the [Marketplace offers](https://partner.microsoft.com/dashboard/marketplace-offers/overview) page, in the **Offer alias** column, select the offer with the plan you want to restore.

+1. On the **Offer overview** page, under **Plan overview**, in the **Action** column of the plan you want to restore, select **Restore plan**.

+1. In the confirmation dialog box that appears, confirm that you want to restore the plan.

+1. Ensure that there is at least one active image version available on the **Technical Configuration** page of the plan. Note that all deprecated images are listed under **VM Images** on the **Deprecated** tab. You can either [restore a deprecated image](#restore-a-deprecated-image) or [add a new VM image](azure-vm-plan-technical-configuration.md#vm-images). Remember, if the restore window has expired, the image can no longer be restored.

+1. Save your changes on the **Technical configuration** page.

+1. For the change to take effect, select **Review and publish** and publish the offer.

+## Deprecate an offer

+On the **Offer Overview** page, you can deprecate the entire offer. This deprecates all plans and images within the offer.

+Keep the following things in mind when deprecating an offer:

+- The deprecation will be scheduled 90 days into the future and customers will be notified.

+- Test drive and any free trials will be disabled immediately upon scheduling deprecation of an offer.

+**To deprecate an offer**:

+1. On the [Marketplace offers](https://partner.microsoft.com/dashboard/marketplace-offers/overview) page, in the **Offer alias** column, select the offer you want to deprecate.

+1. On the **Offer overview** page, in the upper right, select **Deprecate offer**.

+1. In the confirmation dialog box that appears, enter the Offer ID and then confirm that you want to deprecate the offer.

+ > [!NOTE]

+ > On the [Marketplace offers](https://partner.microsoft.com/dashboard/marketplace-offers/overview) page, the **Status column** of the offer will say **Deprecation scheduled**. On the **Offer overview** page, under **Publish status**, the scheduled deprecation date is shown.

+## Restore a deprecated offer

+You can restore an offer only if the offer contains at least one active plan and at least one active image.

+**To restore a deprecated offer**:

+1. On the [Marketplace offers](https://partner.microsoft.com/dashboard/marketplace-offers/overview) page, in the **Offer alias** column, select the offer you want to restore.

+1. In the left nav, select **Plan overview**.

+1. In the **Action** column of the plan you want to restore, select **Restore**. You can optionally [create a new plan](azure-vm-plan-overview.md) within the offer.

+1. Ensure that there is at least one active image version available on the **Technical Configuration** page of the plan. Note that all deprecated images are listed under **VM Images** on the **Deprecated** tab. You can either [restore a deprecated image](#restore-a-deprecated-image) or [add a new VM image](azure-vm-plan-technical-configuration.md#vm-images). Remember, if the restore window has expired, the image can no longer be restored.

+1. Save your changes on the **Technical configuration** page.

+1. For the changes to take effect, select **Review and publish** and publish the offer.

+| Column name in user interface | Definition |

+| PlanId | The display name of the plan entered when the offer was created in Partner Center. Note that PlanId was originally a numeric number. |

+| Policy | We've updated the [Microsoft Publisher Agreement](/legal/marketplace/msft-publisher-agreement). For change history, see [Change history for Microsoft Publisher Agreement version 8.0 ΓÇô May 2022 update](/legal/marketplace/mpa-change-history-may-2022). | 2022-04-15 |

+ Title: Replicate data over ExpressRoute for Azure Migrate projects with public endpoint connectivity

+# Replicate data over ExpressRoute for Azure Migrate projects with public endpoint connectivity

+In this article, you'll learn how to configure the [Azure Migrate: Server Migration](./migrate-services-overview.md#azure-migrate-server-migration-tool) tool to replicate data over an Azure ExpressRoute circuit while you migrate servers to Azure. This document is to be referenced if you want to use ExpressRoute for your replications when using an Azure Migrate project with public endpoint connectivity. To use private endpoint support, create a new Azure Migrate project with private endpoint connectivity. See [Using Azure Migrate with private endpoints](./how-to-use-azure-migrate-with-private-endpoints.md).

+> [!Important]

+> This document is to be referenced if you want to use ExpressRoute for your replications when using an Azure Migrate project with public endpoint connectivity.<br>

+> To use private endpoint support end-to-end, create a new Azure Migrate project with private endpoint connectivity. See [Using Azure Migrate with private endpoints](./how-to-use-azure-migrate-with-private-endpoints.md).

+ Flexible Server CLI now allows customers to automate workflows to deploy updates with GitHub actions. This feature helps set up and deploy database updates with MySQL GitHub Actions workflow. These CLI commands assist with setting up a repository to enable continuous deployment for ease of development. [Learn more](/cli/azure/mysql/flexible-server/deploy).

+ 

+ 

+ 

+ 

+ 

+ 

+* **How do I manually back up my PostgreSQL servers?**

+After you've registered your resources, you'll need to enable data use governance. Data use governance affects the security of your data, as it delegates to certain users to manage access to data resources from within Azure Purview.

+[Access policies](concept-data-owner-policies.md) allow you to enable access to data sources that have been registered for *Data use governance* in Azure Purview.

+After you've registered your resources, you'll need to enable *Data use governance*. Data use governance can affect the security of your data, as it delegates to certain Azure Purview roles to manage access to data sources that have been registered. Secure practices related to *Data use governance* are described in this guide:

+Once your data source has the **Data use governance** toggle **Enabled**, it will look like this picture:

+Execute the steps in the [data-owner policy authoring tutorial](how-to-data-owner-policy-authoring-generic.md) to create and publish an access policy similar to the example shown in the image: a policy that provides group *Contoso Team* *read* access to Storage account *marketinglake1*:

+Access policies allow a data owner to delegate in Azure Purview access management to a data source. These policies can be authored directly in Azure Purview Studio, and after publishing, they get enforced by the data source. This tutorial describes how to create, update, and publish access policies in Azure Purview Studio.

+## Configuration

+*Data use governance* (DUG) is an option (enabled/disabled) that gets displayed when registering a data source in Azure Purview. Its purpose is to make that data source available in the policy authoring experience of Azure Purview Studio. In other words, access policies can only be written on data sources that have been previously registered with the DUG toggle set to enable.

+- To disable a source for *Data use governance*, remove it first from being bound (i.e., published) in any policy.

+## Advanced resource sets

+A set of features activated at the Azure Purview instance level that, when enabled, enrich resource set assets by computing additional aggregations on the metadata to provide information such as partition counts, total size, and schema counts. Resource set pattern rules are also included.

+The state given to any request that has been accepted as satisfactory by the designated individual or group who has authority to change the state of the request.

+A cloud solution that supports labeling of documents and emails to classify and protect information. Labeled items can be protected by encryption, marked with a watermark, or restricted to specific actions or users, and is bound to the item. This cloud-based solution relies on Azure Rights Management Service (RMS) for enforcing restrictions.

+## Capacity unit

+A measure of data map usage. All Azure Purview data maps include one capacity unit by default, which provides up to 2GB of metadata storage and has a throughput of 25 data map operations/second.

+## Collection admin

+A role that can assign roles in Azure Purview. Collection admins can add users to roles on collections where they're admins. They can also edit collections, their details, and add subcollections.

+An operation that manages resources in your subscription, such as role-based access control and Azure policy, that are sent to the Azure Resource Manager end point. Control plane operations can also apply to resources outside of Azure across on-premises, multicloud, and SaaS sources.

+## Data curator

+A role that provides access to the data catalog to manage assets, configure custom classifications, set up glossary terms, and view insights. Data curators can create, read, modify, move, and delete assets. They can also apply annotations to assets.

+## Data map operation

+A create, read, update, or delete action performed on an entity in the data map. For example, creating an asset in the data map is considered a data map operation.

+## Data owner

+An individual or group responsible for managing a data asset.

+## Data reader

+A role that provides read-only access to data assets, classifications, classification rules, collections, glossary terms, and insights.

+## Data source admin

+A role that can manage data sources and scans. A user in the Data source admin role doesn't have access to Azure Purview studio. Combining this role with the Data reader or Data curator roles at any collection scope provides Azure Purview studio access.

+## Data steward

+An individual or group responsible for maintaining nomenclature, data quality standards, security controls, compliance requirements, and rules for the associated object.

+## Data dictionary

+A list of canonical names of database columns and their corresponding data types. It is often used to describe the format and structure of a database, and the relationship between its elements.

+A path that defines the location of an asset within its data source.

+## Management

+An area within Azure Purview where you can manage connections, users, roles, and credentials. Also referred to as "Management center."

+## Policy

+A statement or collection of statements that controls how access to data and data sources should be authorized.

+## Object type

+A categorization of assets based upon common data structures. For example, an Azure SQL Server table and Oracle database table both have an object type of table.

+Glossary terms that are linked to other terms within the organization.

+## Scan rule set

+## Schema classification

+A classification applied to one of the columns in an asset schema.

+A feature that allows users to find items in the data catalog by entering in a set of keywords.

+## Workflow

+An automated process that coordinates the creation and modification of catalog entities, including validation and approval. Workflows define repeatable business processes to achieve high quality data, policy compliance, and user collaboration across an organization.

+> Effective December 31, 2022, the Microsoft Security Code Analysis (MSCA) extension will be retired. Existing MSCA customers will retain their access to MSCA through December 31, 2022. Please refer to the [OWASP Source Code Analysis Tools](https://owasp.org/www-community/Source_Code_Analysis_Tools) for alternative options in Azure DevOps. For customers planning to migrate to GitHub, you can check out [GitHub Advanced Security](https://docs.github.com/github/getting-started-with-github/about-github-advanced-security).

+> Effective December 31, 2022, the Microsoft Security Code Analysis (MSCA) extension will be retired. Existing MSCA customers will retain their access to MSCA through December 31, 2022. Please refer to the [OWASP Source Code Analysis Tools](https://owasp.org/www-community/Source_Code_Analysis_Tools) for alternative options in Azure DevOps. For customers planning to migrate to GitHub, you can check out [GitHub Advanced Security](https://docs.github.com/github/getting-started-with-github/about-github-advanced-security).

+> Effective December 31, 2022, the Microsoft Security Code Analysis (MSCA) extension will be retired. Existing MSCA customers will retain their access to MSCA through December 31, 2022. Please refer to the [OWASP Source Code Analysis Tools](https://owasp.org/www-community/Source_Code_Analysis_Tools) for alternative options in Azure DevOps. For customers planning to migrate to GitHub, you can check out [GitHub Advanced Security](https://docs.github.com/github/getting-started-with-github/about-github-advanced-security).

+> Effective December 31, 2022, the Microsoft Security Code Analysis (MSCA) extension will be retired. Existing MSCA customers will retain their access to MSCA through December 31, 2022. Please refer to the [OWASP Source Code Analysis Tools](https://owasp.org/www-community/Source_Code_Analysis_Tools) for alternative options in Azure DevOps. For customers planning to migrate to GitHub, you can check out [GitHub Advanced Security](https://docs.github.com/github/getting-started-with-github/about-github-advanced-security).

+> Effective December 31, 2022, the Microsoft Security Code Analysis (MSCA) extension will be retired. Existing MSCA customers will retain their access to MSCA through December 31, 2022. Please refer to the [OWASP Source Code Analysis Tools](https://owasp.org/www-community/Source_Code_Analysis_Tools) for alternative options in Azure DevOps. For customers planning to migrate to GitHub, you can check out [GitHub Advanced Security](https://docs.github.com/github/getting-started-with-github/about-github-advanced-security).

+ Title: Hunt for security threats with Jupyter notebooks - Microsoft Sentinel

+description: Launch and run notebooks with the Microsoft Sentinel hunting capabilities.

+#Customer intent: As a security analyst, I want to deploy and launch a Jupyter notebook to hunt for security threats.

+# Hunt for security threats with Jupyter notebooks

+As part of your security investigations and hunting, launch and run Jupyter notebooks to programmatically analyze your data.

+In this how-to guide, you'll create an Azure Machine Learning (ML) workspace, launch notebook from Sentinel portal to your Azure ML workspace, and run code in the notebook.

+## Prerequisites

+We recommend that you learn about Microsoft Sentinel notebooks in general before completing the steps in this article. See [Use Jupyter notebooks to hunt for security threats](notebooks.md).

+To use Microsoft Sentinel notebooks, you must have the following roles and permissions:

+|Type |Details |

+|||

+|**Microsoft Sentinel** |- The **Microsoft Sentinel Contributor** role, in order to save and launch notebooks from Microsoft Sentinel |

+|**Azure Machine Learning** |- A resource group-level **Owner** or **Contributor** role, to create a new Azure Machine Learning workspace if needed. <br>- A **Contributor** role on the Azure Machine Learning workspace where you run your Microsoft Sentinel notebooks. <br><br>For more information, see [Manage access to an Azure Machine Learning workspace](../machine-learning/how-to-assign-roles.md). |

+## Create an Azure ML workspace from Microsoft Sentinel

+To create your workspace, select one of the following tabs, depending on whether you'll be using a public or private endpoint.

+- We recommend using a *public endpoint* if your Microsoft Sentinel workspace has one, to avoid potential issues in the network communication.

+- If you want to use an Azure ML workspace in a virtual network, use a *private endpoint*.

+# [Public endpoint](#tab/public-endpoint)

+1. From the Azure portal, go to **Microsoft Sentinel** > **Threat management** > **Notebooks** and then select **Create a new AML workspace**.

+1. Enter the following details, and then select **Next**.

+ |Field|Description|

+ |--|--|

+ |**Subscription**|Select the Azure subscription that you want to use.|

+ |**Resource group**|Use an existing resource group in your subscription or enter a name to create a new resource group. A resource group holds related resources for an Azure solution.|

+ |**Workspace name**|Enter a unique name that identifies your workspace. Names must be unique across the resource group. Use a name that's easy to recall and to differentiate from workspaces created by others.|

+ |**Region**|Select the location closest to your users and the data resources to create your workspace.|

+ |**Storage account**| A storage account is used as the default datastore for the workspace. You may create a new Azure Storage resource or select an existing one in your subscription.|

+ |**KeyVault**| A key vault is used to store secrets and other sensitive information that is needed by the workspace. You may create a new Azure Key Vault resource or select an existing one in your subscription.|

+ |**Application insights**| The workspace uses Azure Application Insights to store monitoring information about your deployed models. You may create a new Azure Application Insights resource or select an existing one in your subscription.|

+ |**Container registry**| A container registry is used to register docker images used in training and deployments. To minimize costs, a new Azure Container Registry resource is created only after you build your first image. Alternatively, you may choose to create the resource now or select an existing one in your subscription, or select **None** if you don't want to use any container registry.|

+ | | |

+1. On the **Networking** tab, select **Public endpoint (all networks)**.

+ Define any relevant settings in the **Advanced** or **Tags** tabs, and then select **Review + create**.

+1. On the **Review + create** tab, review the information to verify that it's correct, and then select **Create** to start deploying your workspace. For example:

+ :::image type="content" source="media/notebooks/machine-learning-create-last-step.png" alt-text="Review + create your Machine Learning workspace from Microsoft Sentinel.":::

+ It can take several minutes to create your workspace in the cloud. During this time, the workspace **Overview** page shows the current deployment status, and updates when the deployment is complete.

+# [Private endpoint](#tab/private-endpoint)

+The steps in this procedure reference specific articles in the Azure Machine Learning documentation when relevant. For more information, see [How to create a secure Azure ML workspace](../machine-learning/tutorial-create-secure-workspace.md).

+1. Create a VM jump box within a VNet. Since the VNet restricts access from the public internet, the jump box is used as a way to connect to resources behind the VNet.

+1. Access the jump box, and then go to your Microsoft Sentinel workspace. We recommend using [Azure Bastion](../bastion/bastion-overview.md) to access the VM.

+1. In Microsoft Sentinel, select **Threat management** > **Notebooks** and then select **Create a new AML workspace**.

+1. Enter the following details, and then select **Next**.

+ |Field|Description|

+ |--|--|

+ |**Subscription**|Select the Azure subscription that you want to use.|

+ |**Resource group**|Use an existing resource group in your subscription or enter a name to create a new resource group. A resource group holds related resources for an Azure solution.|

+ |**Workspace name**|Enter a unique name that identifies your workspace. Names must be unique across the resource group. Use a name that's easy to recall and to differentiate from workspaces created by others.|

+ |**Region**|Select the location closest to your users and the data resources to create your workspace.|

+ |**Storage account**| A storage account is used as the default datastore for the workspace. You may create a new Azure Storage resource or select an existing one in your subscription.|

+ |**KeyVault**| A key vault is used to store secrets and other sensitive information that is needed by the workspace. You may create a new Azure Key Vault resource or select an existing one in your subscription.|

+ |**Application insights**| The workspace uses Azure Application Insights to store monitoring information about your deployed models. You may create a new Azure Application Insights resource or select an existing one in your subscription.|

+ |**Container registry**| A container registry is used to register docker images used in training and deployments. To minimize costs, a new Azure Container Registry resource is created only after you build your first image. Alternatively, you may choose to create the resource now or select an existing one in your subscription, or select **None** if you don't want to use any container registry.|

+ | | |

+1. On the **Networking** tab, select **Private endpoint**. Make sure to use the same VNet as you have in the VM jump box. For example:

+ :::image type="content" source="media/notebooks/create-private-endpoint.png" alt-text="Screenshot of the Create private endpoint page in Microsoft Sentinel." lightbox="media/notebooks/create-private-endpoint.png":::

+1. Define any relevant settings in the **Advanced** or **Tags** tabs, and then select **Review + create**.

+1. On the **Review + create** tab, review the information to verify that it's correct, and then select **Create** to start deploying your workspace. For example:

+ :::image type="content" source="media/notebooks/machine-learning-create-last-step.png" alt-text="Review + create your Machine Learning workspace from Microsoft Sentinel.":::

+ It can take several minutes to create your workspace in the cloud. During this time, the workspace **Overview** page shows the current deployment status, and updates when the deployment is complete.

+1. In the Azure Machine Learning studio, on the **Compute** page, create a new compute. On the **Advanced Settings** tab, make sure to select the same VNet that you'd used for your VM jump box. For more information, see [Create and manage an Azure Machine Learning compute instance](../machine-learning/how-to-create-manage-compute-instance.md?tabs=python).

+1. Configure your network traffic to access Azure ML from behind a firewall. For more information, see [Configure inbound and outbound network traffic](../machine-learning/how-to-access-azureml-behind-firewall.md?tabs=ipaddress%2cpublic).

+Continue with one of the following sets of steps:

+- **If you have one private link only**: You can now access the notebooks via any of the following methods:

+ - Clone and launch notebooks from Microsoft Sentinel to Azure Machine Learning

+ - Upload notebooks to Azure Machine Learning manually

+ - Clone the [Microsoft Sentinel notebooks GitHub repository](https://github.com/Azure/Azure-Sentinel-Notebooks) on the Azure Machine learning terminal

+- **If you have another private link, that uses a different VNET**, do the following:

+ 1. In the Azure portal, go to the resource group of your Azure Machine Learning workspace, and then search for the **Private DNS zone** resources named **privatelink.api.azureml.ms** and **privatelink.notebooks.azure.ms**. For example:

+ :::image type="content" source="media/notebooks/select-private-dns-zone.png" alt-text="Screenshot of a private DNS zone resource selected." lightbox="media/notebooks/select-private-dns-zone.png":::

+ 1. For each resource, including both **privatelink.api.azureml.ms** and **privatelink.notebooks.azure.ms**, add a virtual network link.

+ Select the resource > **Virtual network links** > **Add**. For more information, see [Link the virtual network](../dns/private-dns-getstarted-portal.md).

+For more information, see:

+- [Network traffic flow when using a secured workspace](../machine-learning/concept-secure-network-traffic-flow.md)

+- [Secure Azure Machine Learning workspace resources using virtual networks (VNets)](../machine-learning/how-to-network-security-overview.md)

+After your deployment is complete, you can go back to the Microsoft Sentinel **Notebooks** and launch notebooks from your new Azure ML workspace.

+If you have multiple notebooks, make sure to select a default AML workspace to use when launching your notebooks. For example:

+## Launch a notebook in your Azure ML workspace

+After you've created an AML workspace, start launching your notebooks in your Azure ML workspace, from Microsoft Sentinel.

+1. From the Azure portal, navigate to **Microsoft Sentinel** > **Threat management** > **Notebooks**, where you can see notebooks that Microsoft Sentinel provides.

+1. Select a notebook to view its description, required data types, and data sources.

+ When you've found the notebook you want to use, select **Save notebook** to clone it into your own workspace.

+ Edit the name as needed. If the notebook already exists in your workspace, you can overwrite the existing notebook or create a new one.

+ :::image type="content" source="media/notebooks/save-notebook.png" alt-text="Save a notebook to clone it to your own workspace.":::

+1. After the notebook is saved, the **Save notebook** button changes to **Launch notebook**. Select **Launch notebook** to open it in your AML workspace.

+ For example:

+ :::image type="content" source="media/notebooks/sentinel-notebooks-on-machine-learning.png" alt-text="Launch your notebook in your AML workspace.":::

+1. At the top of the page, select a **Compute** instance to use for your notebook server.

+ If you don't have a compute instance, [create a new one](../machine-learning/how-to-create-manage-compute-instance.md?tabs=#use-the-script-in-the-studio). If your compute instance is stopped, make sure to start it. For more information, see [Run a notebook in the Azure Machine Learning studio](../machine-learning/how-to-run-jupyter-notebooks.md).

+ Only you can see and use the compute instances you create. Your user files are stored separately from the VM and are shared among all compute instances in the workspace.

+ If you are creating a new compute instance in order to test your notebooks, create your compute instance with the **General Purpose** category.

+

+ The kernel is also shown at the top right of your Azure ML window. If the kernel you need isn't selected, select a different version from the dropdown list.

+

+1. Once your notebook server is created and started, you can starting running your notebook cells. In each cell, select the **Run** icon to run your notebook code.

+ For more information, see [Command mode shortcuts.](../machine-learning/how-to-run-jupyter-notebooks.md)

+1. If your notebook hangs or you want to start over, you can restart the kernel and rerun the notebook cells from the beginning. If you restart the kernel, variables and other state are deleted. Rerun any initialization and authentication cells after you restart.

+ To start over, select **Kernel operations** > **Restart kernel**. For example:

+ :::image type="content" source="media/notebooks/sentinel-notebooks-restart-kernel.png" alt-text="Restart a notebook kernel.":::

+## Run code in your notebook

+Always run notebook code cells in sequence. Skipping cells can result in errors.

+In a notebook:

+- **Markdown** cells have text, including HTML, and static images.

+- **Code** cells contain code. After you select a code cell, run the code in the cell by selecting the **Play** icon to the left of the cell, or by pressing **SHIFT+ENTER**.

+For example, run the following code cell in your notebook:

+```python

+# This is your first code cell. This cell contains basic Python code.

+# You can run a code cell by selecting it and then selecting

+# the Play button to the left of the cell, or by pressing SHIFT+ENTER.

+# Code output displays below the code.

+print("Congratulations, you just ran this code cell")

+y = 2 + 2

+print("2 + 2 =", y)

+```

+The sample code shown above produces this output:

+```python

+Congratulations, you just ran this code cell

+2 + 2 = 4

+```

+Variables set within a notebook code cell persist between cells, so you can chain cells together. For example, the following code cell uses the value of `y` from the previous cell:

+```python

+# Note that output from the last line of a cell is automatically

+# sent to the output cell, without needing the print() function.

+y + 2

+```

+The output is:

+```output

+6

+```

+## Download all Microsoft Sentinel notebooks

+This section describes how to use Git to download all the notebooks available in the [Microsoft Sentinel GitHub repository](https://github.com/Azure/Azure-Sentinel-Notebooks/), from inside a Microsoft Sentinel notebook, directly to your Azure ML workspace.

+Having Microsoft Sentinel notebooks stored in your Azure ML workspace allows you to keep them updated easily.

+1. From a Microsoft Sentinel notebook, enter the following code into an empty cell, and then run the cell:

+ ```python

+ !git clone https://github.com/Azure/Azure-Sentinel-Notebooks.git azure-sentinel-nb

+ ```

+ A copy of the GitHub repository contents is created in the **azure-Sentinel-nb** directory on your user folder in your Azure ML workspace.

+1. Copy the notebooks you want from this folder to your working directory.

+1. To update your notebooks with any recent changes from GitHub, run:

+ ```python

+ !cd azure-sentinel-nb && git pull

+ ```

+## Next steps

+- [Tutorial: Get started with Jupyter notebooks and MSTICPy in Microsoft Sentinel](notebook-get-started.md)

+- [Integrate notebooks with Azure Synapse (Public preview)](notebooks-with-synapse.md)

+Other resources:

+- Use notebooks shared in the [Microsoft Sentinel GitHub repository](https://github.com/Azure/Azure-Sentinel-Notebooks) as useful tools, illustrations, and code samples that you can use when developing your own notebooks.

+- Submit feedback, suggestions, requests for features, contributed notebooks, bug reports or improvements and additions to existing notebooks. Go to the [Microsoft Sentinel GitHub repository](https://github.com/Azure/Azure-Sentinel) to create an issue or fork and upload a contribution.

+- Learn more about using notebooks in threat hunting and investigation by exploring some notebook templates, such as [Credential Scan on Azure Log Analytics](https://www.youtube.com/watch?v=OWjXee8o04M) and Guided Investigation - Process Alerts.

+ Find more notebook templates in the Microsoft Sentinel > **Notebooks** > **Templates** tab.

+- **Find more notebooks** in the [Microsoft Sentinel GitHub repository](https://github.com/Azure/Azure-Sentinel-Notebooks):

+ - The [`Sample-Notebooks`](https://github.com/Azure/Azure-Sentinel-Notebooks/tree/master/Sample-Notebooks) directory includes sample notebooks that are saved with data that you can use to show intended output.

+ - The [`HowTos`](https://github.com/Azure/Azure-Sentinel-Notebooks/tree/master/HowTos) directory includes notebooks that describe concepts such as setting your default Python version, creating Microsoft Sentinel bookmarks from a notebook, and more.

+For more information, see:

+- [Create your first Microsoft Sentinel notebook](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/creating-your-first-microsoft-sentinel-notebook/ba-p/2977745) (Blog series)

+- [Tutorial: Microsoft Sentinel notebooks - Getting started](https://www.youtube.com/results?search_query=azazure+sentinel+notebooks) (Video)

+- [Tutorial: Edit and run Jupyter notebooks without leaving Azure ML studio](https://www.youtube.com/watch?v=AAj-Fz0uCNk) (Video)

+- [Webinar: Microsoft Sentinel notebooks fundamentals](https://www.youtube.com/watch?v=rewdNeX6H94)

+- [Proactively hunt for threats](hunting.md)

+- [Use bookmarks to save interesting information while hunting](bookmarks.md)

+- [Jupyter, msticpy, and Microsoft Sentinel](https://msticpy.readthedocs.io/en/latest/getting_started/JupyterAndAzureSentinel.html)

+ Title: Troubleshoot Jupyter notebooks - Microsoft Sentinel

+description: Troubleshoot errors for Jupyter notebooks in Microsoft Sentinel.

+# Troubleshoot Jupyter notebooks

+Usually, a notebook creates or attaches to a kernel seamlessly, and you don't need to make any manual changes. If you get errors, or the notebook doesn't seem to be running, you might need to check the version and state of the kernel.

+If you run into issues with your notebooks, see the [Azure Machine Learning notebook troubleshooting](../machine-learning/how-to-run-jupyter-notebooks.md#troubleshooting).

+## Force caching for user accounts and credentials between notebook runs

+By default, user accounts and credentials are not cached between notebook runs, even for the same session.

+**To force caching for the duration of your session**:

+1. Authenticate using Azure CLI. In an empty notebook cell, enter and run the following code:

+ ```python

+ !az login

+ ```

+ The following output appears:

+ ```python

+ To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the 9-digit device code to authenticate.

+ ```

+1. Select and copy the nine-character token from the output, and select the `devicelogin` URL to go to the indicated page.

+1. Paste the token into the dialog and continue with signing in as prompted.

+ When sign-in successfully completes, you see the following output:

+ ```python

+ Subscription <subscription ID> 'Sample subscription' can be accessed from tenants <tenant ID>(default) and <tenant ID>. To select a specific tenant when accessing this subscription, use 'az login --tenant TENANT_ID'.

+> [!NOTE]

+> The following tenants don't contain accessible subscriptions. Use 'az login --allow-no-subscriptions' to have tenant level access.

+>

+> ```

+> <tenant ID> 'foo'

+><tenant ID> 'bar'

+>[

+> {

+> "cloudName": "AzureApp",

+> "homeTenantId": "<tenant ID>",

+> "id": "<ID>",

+> "isDefault": true,

+> "managedByTenants": [

+> ....

+>```

+>

+## Error: *Runtime dependency of PyGObject is missing*

+If the *Runtime dependency of PyGObject is missing* error appears when you load a query provider, try troubleshooting using the following steps:

+1. Proceed to the cell with the following code and run it:

+ ```python

+ qry_prov = QueryProvider("AzureSentinel")

+ ```

+ A warning similar to the following message is displayed, indicating a missing Python dependency (`pygobject`):

+ ```output

+ Runtime dependency of PyGObject is missing.

+ Depends on your Linux distribution, you can install it by running code similar to the following:

+ sudo apt install python3-gi python3-gi-cairo gir1.2-secret-1

+ If necessary, see PyGObject's documentation: https://pygobject.readthedocs.io/en/latest/getting_started.html

+ Traceback (most recent call last):

+ File "/anaconda/envs/azureml_py36/lib/python3.6/site-packages/msal_extensions/libsecret.py", line 21, in <module>

+ import gi # https://github.com/AzureAD/microsoft-authentication-extensions-for-python/wiki/Encryption-on-Linux

+ ModuleNotFoundError: No module named 'gi'

+ ```

+1. Use the [aml-compute-setup.sh](https://github.com/Azure/Azure-Sentinel-Notebooks/blob/master/HowTos/aml-compute-setup.sh) script, located in the Microsoft Sentinel Notebooks GitHub repository, to automatically install the `pygobject` in all notebooks and Anaconda environments on the Compute instance.

+> [!TIP]

+> You can also fix this Warning by running the following code from a notebook:

+>

+> ```python

+> !conda install --yes -c conda-forge pygobject

+> ```

+>

+## Next steps

+We welcome feedback, suggestions, requests for features, contributed notebooks, bug reports or improvements and additions to existing notebooks. Go to the [Microsoft Sentinel GitHub repository](https://github.com/Azure/Azure-Sentinel) to create an issue or fork and upload a contribution.

+ The notebook opens in your Azure ML workspace, inside Microsoft Sentinel. For more information, see [Launch a notebook in your Azure ML workspace](notebooks-hunt.md#launch-a-notebook-in-your-azure-ml-workspace).

+ The notebook opens in your Azure ML workspace, from inside Microsoft Sentinel. For more information, see [Launch a notebook in your Azure ML workspace](notebooks-hunt.md#launch-a-notebook-in-your-azure-ml-workspace).

+description: Learn about Jupyter notebooks with the Microsoft Sentinel hunting capabilities.

+Jupyter notebooks combine full programmability with a huge collection of libraries for machine learning, visualization, and data analysis. These attributes make Jupyter a compelling tool for security investigation and hunting.

+The foundation of Microsoft Sentinel is the data store; it combines high-performance querying, dynamic schema, and scales to massive data volumes. The Azure portal and all Microsoft Sentinel tools use a common API to access this data store. The same API is also available for external tools such as [Jupyter](https://jupyter.org/) notebooks and Python.

+## When to use Jupyter notebooks

+While many common tasks can be carried out in the portal, Jupyter extends the scope of what you can do with this data.

+Other notebooks may also be imported from the [Microsoft Sentinel GitHub repository](https://github.com/Azure/Azure-Sentinel-Notebooks/).

+## How Jupyter notebooks work

+The Microsoft Sentinel notebook's kernel runs on an Azure virtual machine (VM). The VM instance can support running many notebooks at once. If your notebooks include complex machine learning models, several licensing options exist to use more powerful virtual machines.

+## Understand Python packages

+## Find notebooks

+From the Azure portal, go to **Microsoft Sentinel** > **Threat management** > **Notebooks**, to see notebooks that Microsoft Sentinel provides. For more notebooks built by Microsoft or contributed from the community, go to [Microsoft Sentinel GitHub repository](https://github.com/Azure/Azure-Sentinel-Notebooks/).

+- [Hunt for security threats with Jupyter notebooks](notebooks-hunt.md)

+- [Tutorial: Get started with Jupyter notebooks and MSTICPy in Microsoft Sentinel](notebook-get-started.md)

+- [Integrate notebooks with Azure Synapse (Public preview)](notebooks-with-synapse.md)

+Other resources:

+- Use notebooks shared in the [Microsoft Sentinel GitHub repository](https://github.com/Azure/Azure-Sentinel-Notebooks) as useful tools, illustrations, and code samples that you can use when developing your own notebooks.

+- Submit feedback, suggestions, requests for features, contributed notebooks, bug reports or improvements and additions to existing notebooks. Go to the [Microsoft Sentinel GitHub repository](https://github.com/Azure/Azure-Sentinel) to create an issue or fork and upload a contribution.

+- Learn more about using notebooks in threat hunting and investigation by exploring some notebook templates, such as [Credential Scan on Azure Log Analytics](https://www.youtube.com/watch?v=OWjXee8o04M) and Guided Investigation - Process Alerts.

+We recommend that when you set up your Microsoft Sentinel workspace, [create a resource group](../azure-resource-manager/management/manage-resource-groups-portal.md) that's dedicated to Microsoft Sentinel and the resources that Microsoft Sentinel uses, including the Log Analytics workspace, any playbooks, workbooks, and so on.

+| **Notification date** | Timestamp - day <br><br>We recommend using the UTC format | `2020-12-1` | Optional |

+| **Termination date** | Timestamp - day <br><br>We recommend using the UTC format | `2021-01-01` | Mandatory |

+## 1. Enable multiple Availability Zones in single virtual machine scale set

+To configure Stateless node type spanning across multiple availability zones follow the documentation [here](./service-fabric-cross-availability-zones.md#1-enable-multiple-availability-zones-in-single-virtual-machine-scale-set), along with the few changes as follows:

+ :::image type="content" source="media/enterprise/getting-started-enterprise/create-instance-tanzu-settings-public-preview.png" alt-text="Azure portal screenshot of Azure Spring Cloud creation page with V M ware Tanzu Settings section showing." lightbox="media/enterprise/getting-started-enterprise/create-instance-tanzu-settings-public-preview.png":::

+ Title: "Tutorial: Deploy Bitbucket repositories on Azure Static Web Apps"

+description: Use Bitbucket with Azure Static Web Apps

+# Tutorial: Deploy Bitbucket repositories on Azure Static Web Apps

+Azure Static Web Apps has flexible deployment options that allow to work with various providers. In this tutorial, you deploy a web application hosted in Bitbucket to Azure Static Web Apps using a Linux virtual machine.

+> [!NOTE]

+> The Static Web Apps pipeline task currently only works on Linux machines.

+In this tutorial, you learn to:

+> [!div class="checklist"]

+> * Import a repository to Bitbucket

+> * Create a static web app

+> * Configure the Bitbucket repo to deploy to Azure Static Web Apps

+## Prerequisites

+- [Bitbucket](https://bitbucket.org) account

+ - Ensure you have enabled [two-step verification](https://bitbucket.org/account/settings/two-step-verification/manage)

+- [Azure](https://portal.azure.com) account

+ - If you don't have an Azure subscription, [create a free trial account](https://azure.microsoft.com/free).

+## Create a repository

+This article uses a GitHub repository as the source to import code into a Bitbucket repository.

+1. Sign in to [Bitbucket](https://bitbucket.org).

+1. Navigate to [https://bitbucket.org/repo/import](https://bitbucket.org/repo/import) to begin the import process.

+1. Under the *Old repository* label, in the *URL* box, enter the repository URL for your choice of framework.

+ # [No Framework](#tab/vanilla-javascript)

+ [https://github.com/staticwebdev/vanilla-basic.git](https://github.com/staticwebdev/vanilla-basic.git)

+ # [Angular](#tab/angular)

+ [https://github.com/staticwebdev/angular-basic.git](https://github.com/staticwebdev/angular-basic.git)

+ # [Blazor](#tab/blazor)

+ [https://github.com/staticwebdev/blazor-basic.git](https://github.com/staticwebdev/blazor-basic.git)

+ # [React](#tab/react)

+ [https://github.com/staticwebdev/react-basic.git](https://github.com/staticwebdev/react-basic.git)

+ # [Vue](#tab/vue)

+ [https://github.com/staticwebdev/vue-basic.git](https://github.com/staticwebdev/vue-basic.git)

+

+1. Next to the *Project* label, select **Create new project**.

+1. Enter **MyStaticWebApp**.

+1. Select the **Import repository** button and wait a moment while the website creates your repository.

+### Set main branch

+From time to time the template repository have more than one branch. Use the following steps to ensure Bitbucket maps the *main* tag to the main branch in the repository.

+1. Select **Repository settings**.

+1. Expand the **Advanced** section.

+1. Under the *Main branch* label, ensure **main** is selected in the drop down.

+1. If you made a change, select **Save changes**.

+1. Select the **Back** button on the left.

+## Create a static web app

+Now that the repository is created, you can create a static web app from the Azure portal.

+1. Navigate to the [Azure portal](https://portal.azure.com).

+1. Select **Create a Resource**.

+1. Search for **Static Web Apps**.

+1. Select **Static Web Apps**.

+1. Select **Create**.

+1. In the _Basics_ section, begin by configuring your new app.

+ | Setting | Value |

+ |--|--|

+ | Azure subscription | Select your Azure subscription. |

+ | Resource Group | Select the **Create new** link and enter **static-web-apps-bitbucket**. |

+ | Name | Enter **my-first-static-web-app**. |

+ | Plan type | Select **Free**. |

+ | Region for Azure Functions API and staging environments | Select the region closest to you. |

+ | Source | Select **Other**. |

+1. Select **Review + create**.

+1. Select **Create**.

+1. Select the **Go to resource** button.

+1. Select the **Manage deployment token** button.

+1. Copy the deployment token value and set it aside in an editor for later use.

+1. Select the **Close** button on the *Manage deployment token* window.

+## Create the pipeline task in Bitbucket

+1. Navigate to the repository in Bitbucket.

+1. Select the **Source** menu item.

+1. Ensure the **main** branch is selected in the branch drop down.

+1. Select **Pipelines**.

+1. Select text link **Create your first pipeline**.

+1. On the *Starter pipeline* card, select the **Select** button.

+1. Enter the following YAML into the configuration file.

+ # [No Framework](#tab/vanilla-javascript)

+ ```yml

+ pipelines:

+ branches:

+ main:

+ - step:

+ name: Deploy to test

+ deployment: test

+ script:

+ - pipe: microsoft/azure-static-web-apps-deploy:main

+ variables:

+ APP_LOCATION: '$BITBUCKET_CLONE_DIR/src'

+ OUTPUT_LOCATION: '$BITBUCKET_CLONE_DIR/src'

+ API_TOKEN: $deployment_tokenΓÇï

+ ```

+ # [Angular](#tab/angular)

+ ```yml

+ pipelines:

+ branches:

+ main:

+ - step:

+ name: Deploy to test

+ deployment: test

+ script:

+ - pipe: microsoft/azure-static-web-apps-deploy:main

+ variables:

+ APP_LOCATION: '$BITBUCKET_CLONE_DIR'

+ OUTPUT_LOCATION: '$BITBUCKET_CLONE_DIR/dist/angular-basic'

+ API_TOKEN: $deployment_tokenΓÇï

+ ```

+ # [Blazor](#tab/blazor)

+ ```yml

+ pipelines:

+ branches:

+ main:

+ - step:

+ name: Deploy to test

+ deployment: test

+ script:

+ - pipe: microsoft/azure-static-web-apps-deploy:main

+ variables:

+ APP_LOCATION: '$BITBUCKET_CLONE_DIR/Client'

+ OUTPUT_LOCATION: '$BITBUCKET_CLONE_DIR/wwwroot'

+ API_TOKEN: $deployment_tokenΓÇï

+ ```

+ # [React](#tab/react)

+ ```yml

+ pipelines:

+ branches:

+ main:

+ - step:

+ name: Deploy to test

+ deployment: test

+ script:

+ - pipe: microsoft/azure-static-web-apps-deploy:main

+ variables:

+ APP_LOCATION: '$BITBUCKET_CLONE_DIR'

+ OUTPUT_LOCATION: '$BITBUCKET_CLONE_DIR/build'

+ API_TOKEN: $deployment_tokenΓÇï

+ ```

+ # [Vue](#tab/vue)

+ ```yml

+ pipelines:

+ branches:

+ main:

+ - step:

+ name: Deploy to test

+ deployment: test

+ script:

+ - pipe: microsoft/azure-static-web-apps-deploy:main

+ variables:

+ APP_LOCATION: '$BITBUCKET_CLONE_DIR'

+ OUTPUT_LOCATION: '$BITBUCKET_CLONE_DIR/dist'

+ API_TOKEN: $deployment_tokenΓÇï

+ ```

+

+ > [!NOTE]

+ > In this example the value for `pipe` is set to `microsoft/azure-static-web-apps-deploy:main`. Replace `main` with your desired branch name if you want your pipeline to work with a different branch.

+ The following configuration properties are used in the configuration file for your static web app.

+ The `$BITBUCKET_CLONE_DIR` variable maps to the repository's root folder location during the build process.

+ | Property | Description | Example | Required |

+ |--|--|--|--|

+ | `app_location` | Location of your application code. | Enter `/` if your application source code is at the root of the repository, or `/app` if your application code is in a directory named `app`. | Yes |

+ | `api_location` | Location of your Azure Functions code. | Enter `/api` if your api code is in a folder named `api`. If no Azure Functions app is detected in the folder, the build doesn't fail, the workflow assumes you don't want an API. | No |

+ | `output_location` | Location of the build output directory relative to the `app_location`. | If your application source code is located at `/app`, and the build script outputs files to the `/app/build` folder, then set build as the `output_location` value. | No |

+Next, define value for the `API_TOKEN` variable.

+1. Select **Add variables**.

+1. In the *Name* box, enterΓÇ»**deployment_token**, which matches the name in the workflow.

+1. In the *Value* box, paste in the deployment token value you set aside in a previous step.

+1. Check the **Secured** checkbox.

+1. Select the **Add** button.

+1. Select **Commit file** and return to your pipelines tab.

+Wait a moment on the *Pipelines* window and you'll see your deployment status appear. Once the deployment is finished running, you can view the website in your browser.

+## View the website

+There are two aspects to deploying a static app. The first step creates the underlying Azure resources that make up your app. The second is a Bitbucket workflow that builds and publishes your application.

+Before you can navigate to your new static site, the deployment build must first finish running.

+The Static Web Apps overview window displays a series of links that help you interact with your web app.

+1. Return to your static web app in the Azure portal.

+1. Navigate to the **Overview** window.

+1. Select the link under the *URL* label. Your website will load in a new tab.

+## Clean up resources

+If you're not going to continue to use this application, you can delete the Azure Static Web Apps instance and all the associated services by removing the resource group.

+1. Select the **static-web-apps-bitbucket** resource group from the *Overview* section.

+1. Select the **Delete resource group** button at the top of the resource group *Overview*.

+1. Enter the resource group name **static-web-apps-bitbucket** in the *Are you sure you want to delete "static-web-apps-bitbucket"?* confirmation dialog.

+1. Select **Delete**.

+The process to delete the resource group may take a few minutes to complete.

+## Next steps

+> [!div class="nextstepaction"]

+> [Add an API](add-api.md)

+> [!NOTE]

+> You also can make your own Azure custom roles to access blob data. For more information, see [Azure custom roles](../../role-based-access-control/custom-roles.md).

+**The blob prefix match string did not apply your actions to the blobs that you expected it to**

+The blob prefix match field of a policy is a full or partial blob path, which is used to match the blobs you want the policy actions to apply to. The path must start with the blob container name. If no prefix match is specified, then the policy will apply to all the blobs in the storage account. The prefix match string format is [container name]/[blob name], where the container name or blob name can be a full or partial container name.

+Here are some common misconceptions about the prefix match string:

+- A prefix match string of container1/ applies to all blobs in the blob container named container1. A prefix match string of container1 (note that there is no trailing / character in the prefix string) applies to all blobs in all containers where the blob container name starts with the string container1. This includes blob containers named container11, container1234, container1ab, and so on.

+- A prefix match string of container1/sub1/ would apply to all blobs in the container with the name container1, whose blob names that start with the string sub1/ like container1/sub1/test.txt or container1/sub1/sub2/test.txt.

+- Wildcard character * - This doesn't mean 'matches one or more occurrences of any character'. The asterisk character * is a valid character in a blob name in Azure Storage. If added in a rule, it means match the blobs with the asterisk in the blob name.

+- Wildcard character ? - This doesn't mean 'match a single occurrence of any character'. The question mark character ? is a valid character in a blob name in Azure Storage. If added in a rule, it means match the blobs with a question mark in the blob name.

+- prefixMatch with != - The prefixMatch rules only consider positive (=) logical comparisons. Therefore, negative (!=) logical comparisons are ignored.

+| Premium block blobs |  ² | |  |  |

+² Feature is supported at the preview level.

+Blobfuse is published in the Linux repo for Ubuntu versions: 16.04, 18.04, and 20.04, RHELversions: 7.5, 7.8, 7.9, 8.0, 8.1, 8.2, CentOS versions: 7.0, 8.0, Debian versions: 9.0, 10.0, SUSE version: 15, OracleLinux 8.1 . Run this command to make sure that you have one of those versions deployed:

+In Azure, you may use the ephemeral disks (SSD) available on your VMs to provide a low-latency buffer for blobfuse. Depending on the provisioning agent used, the ephemeral disk would be mounted on '/mnt' for cloud-init or '/mnt/resource' for waagent VMs.

+- If possible, use blob or block sizes greater than 256 KiB for standard and premium storage accounts. Larger blob or block sizes automatically activate high-throughput block blobs. High-throughput block blobs provide high-performance ingest that is not affected by partition naming.

+> [!TIP]

+> The [ABFS driver](data-lake-storage-abfs-driver.md) was designed to overcome the inherent deficiencies of WASB. Favor using the ABFS driver over the WASB driver, as the ABFS driver is optimized specifically for big data analytics.

+- [Use the Azurite emulator for local Azure Storage development](storage-use-azurite.md)

+- [Grant limited access to Azure Storage resources using shared access signatures (SAS)](storage-sas-overview.md)

+## SMB over QUIC on a server endpoint

+Although the Azure file share (cloud endpoint) is a full SMB endpoint capable of direct access from the cloud or on-premises, customers that desire accessing the file share data cloud-side often deploy an Azure File Sync server endpoint on a Windows Server instance hosted on an Azure VM. The most common reason to have an additional server endpoint rather than accessing the Azure file share directly is that changes made directly on the Azure file share may take up to 24 hours or longer to be discovered by Azure File Sync, while changes made on a server endpoint are discovered nearly immediately and synced to all other server and cloud-endpoints.

+This configuration is extremely common in environments where a substantial portion of users are not on-premises, such as when users are working from home or from the road. Traditionally, accessing any file share with SMB over the public internet, including both file shares hosted on Windows File Server or on Azure Files directly, is very difficult since most organizations and ISPs block port 445. You can work around this limitation with [private endpoints and VPNs](file-sync-networking-overview.md#private-endpoints), however Windows Server 2022 Azure Edition provides an additional access strategy: SMB over the QUIC transport protocol.

+SMB over QUIC communicates over port 443, which most organizations and ISPs have open to support HTTPS traffic. Using SMB over QUIC greatly simplifies the networking required to access a file share hosted on an Azure File Sync server endpoint for clients using Windows 11 or greater. To learn more about how to setup and configure SMB over QUIC on Windows Server Azure Edition, see [SMB over QUIC for Windows File Server](/windows-server/storage/file-server/smb-over-quic).

+ Title: Comparing the costs of StorSimple to Azure File Sync | Microsoft Docs

+description: Learn how you can save money and modernize your storage infrastructure by migrating from StorSimple to Azure File Sync.

+# Comparing the costs of StorSimple to Azure File Sync

+StorSimple is a discontinued physical and virtual appliance product offered by Microsoft to help customers manage their on-premises storage footprint by tiering data to Azure. The [StorSimple 8000 series appliance](/lifecycle/products/azure-storsimple-8000-series) and the [StorSimple 1200 series appliance](/lifecycle/products/azure-storsimple-1200-series) will reach their end of life on December 31, 2022. It is imperative that you begin planning and executing your migration from StorSimple now.

+For most use cases of StorSimple, Azure File Sync is the recommended migration target for file shares being used with StorSimple. Azure File Sync supports similar capabilities to StorSimple, such as the ability to tier to the cloud. However, it provides additional features that StorSimple does not have, such as:

+- Storing data in a native file format accessible to administrators and users (Azure file shares) instead of a proprietary format only accessible through the StorSimple device

+- Multi-site sync

+- Integration with Azure services such as Azure Backup and Microsoft Defender for Storage

+To learn more about Azure File Sync, see [Introduction to Azure File Sync](file-sync-introduction.md). To learn how to seamlessly migrate to Azure File Sync from StorSimple, see [StorSimple 8100 and 8600 migration to Azure File Sync](../files/storage-files-migration-storsimple-8000.md) or [StorSimple 1200 migration to Azure File Sync](../files/storage-files-migration-storsimple-1200.md).

+Although Azure File Sync supports additional functionality not supported by StorSimple, administrators familiar with StorSimple may be concerned about how much Azure File Sync will cost relative to their current solution. This document covers how to compare the costs of StorSimple to Azure File Sync to correctly determine the costs of each. Although the cost situation may vary by customer depending on the customer's usage and configuration of StorSimple, most customers will pay the same or less with Azure File Sync than they currently pay with StorSimple.

+## Cost comparison principles

+To ensure a fair comparison of StorSimple to Azure File Sync and other services, you must consider the following principles:

+- **All costs of the solutions are accounted for.** Both StorSimple and Azure File Sync have multiple cost components. To do a fair comparison, all cost components must be considered.

+- **Cost comparison doesn't include the cost of features StorSimple doesn't support.** Azure File Sync supports multiple features that StorSimple does not. Some of the features of Azure File Sync, like multi-site sync, might increase the total cost of ownership of an Azure File Sync solution. It is reasonable to take advantage of new features as part of a migration; however, this should be viewed as an upgrade benefit of moving to Azure File Sync. Therefore, you should compare the costs of StorSimple and Azure File Sync *before* considering adopting new capabilities of Azure File Sync that StorSimple doesn't have.

+- **Cost comparison considers as-is configuration of StorSimple.** StorSimple supports multiple configurations that might increase or decrease the price of a StorSimple solution. To perform a fair cost comparison to Azure File Sync, you should consider only your current configuration of StorSimple. For example:

+ - **Use the same redundancy settings when comparing StorSimple and Azure File Sync.** If your StorSimple solution uses locally redundant storage (LRS) for its storage usage in Azure Blob storage, you should compare it to the cost of locally redundant storage in Azure Files, even if you would like to switch to zonally redundant (ZRS) or geo-redundant (GRS) storage when you adopt Azure File Sync.

+ - **Use the Azure Blob storage pricing you are currently using.** Azure Blob storage supports a v1 and a v2 pricing model. Most StorSimple customers would save money if they adopted the v2 pricing; however, most StorSimple customers are currently using the v1 pricing. Because StorSimple is going away, to perform a fair comparison, use the pricing for the pricing model you are currently using.

+## StorSimple pricing components

+StorSimple has the following pricing components that you should consider in the cost comparison analysis:

+- **Capital and operational costs of servers fronting/running StorSimple.** Capital costs relate to the upfront cost of the physical, on-premises hardware, while operating costs relate to ongoing costs you must bear to run your solution, such as labor, maintenance, and power costs. Capital costs vary slightly depending on whether you have a StorSimple 8000 series appliance or a StorSimple 1200 series appliance:

+ - **StorSimple 8000 series.** StorSimple 8000 series appliances are physical appliances that provide an iSCSI target that must be fronted by a file server. Although you may have purchased and configured this file server a long time ago, you should consider the capital and operational costs of running this server, in addition to the operating costs of running the StorSimple appliance. If your file server is hosted as a virtual machine (VM) on an on-premises hypervisor that hosts other workloads, to capture the opportunity cost of running the file server instead of other workloads, you should consider the file server VM as a fractional cost of the capital expenditure and operating costs for the host, in addition to the operating costs of the file server VM. Finally, you should include the cost of any StorSimple 8000 series virtual appliances and other VMs you might have deployed in Azure.

+ - **StorSimple 1200 series.** StorSimple 1200 series appliances are virtual appliances that you can run on-premises in the hypervisor of your choice. StorSimple 1200 series appliances can be an iSCSI target for a file server or can directly be a file server without the need for an additional server. If you have the StorSimple 1200 series appliance configured as an iSCSI target, you should include both the cost of hosting the virtual appliance and the cost of the file server fronting it. Although your StorSimple 1200 series appliance may be hosted on a hypervisor that hosts other workloads, to capture the opportunity cost of running the StorSimple 1200 series appliance instead of other workloads, you should consider the virtual appliance as a fractional cost of the capital expenditure of the host, in addition to the operating costs of the virtual appliance.

+- **StorSimple service costs.** The StorSimple management service in Azure is a major component of most customers' Azure bill for StorSimple. There are two billing models for the StorSimple management service. Which one you are using likely depends on how and when you purchased your StorSimple appliance (consult your bill for more detail):

+ - **StorSimple management fee per GiB of storage.** The StorSimple management fee per GiB of storage is the older billing model, and the one that most customers are using. In this model, you are charged for every logical GiB stored in StorSimple. You can see the price of management fee per GiB of storage on [the StorSimple pricing page](https://azure.microsoft.com/pricing/details/storsimple/), beneath the first table in the text (described as the "old pricing model"). It is important to note that the pricing page commentary is incorrect - customers were not transitioned to the per device billing model in December 2021.

+ - **StorSimple management fee per device.** The StorSimple management fee per device is the newer model, but fewer customers are using it. In this model, you are charged a daily fee for each day you have your device active. The fee expense depends on whether you have a physical or virtual appliance, and which specific appliance you have. You can see the price of management fee per device on [the StorSimple pricing page](https://azure.microsoft.com/pricing/details/storsimple/) (first table).

+- **Azure Blob storage costs.** StorSimple stores all of the data in its proprietary format in Azure Blob storage. When considering your Azure Blob storage costs, you should consider the storage utilization, which may be less or equal to the logical size of your data due to deduplication and compression done as part of StorSimple's proprietary data format, and also the transaction on storage, which is done whenever files are changed or ranges are recalled to on-premises from the device. Depending on when you deployed your StorSimple appliance, you may be subject to one of two blob storage pricing models:

+ - **Blob storage pricing v1, available in general purpose version 1 storage accounts.** Based on the age of most StorSimple deployments, most StorSimple customers are using the v1 Azure Blob storage pricing. This pricing has higher per GiB prices and lower transaction prices than the v2 model, and lacks the storage tiers that the Blob storage v2 pricing has. To see the Blob storage v1 prices, visit the [Azure Blob storage pricing page](https://azure.microsoft.com/pricing/details/storage/blobs/) and select the *Other* tab.

+ - **Blob storage pricing v2, available in general purpose version 2 storage accounts.** Blob storage v2 has lower GiB prices and higher transaction prices than the v1 model. Although some StorSimple customers could save money by switching to the v2 pricing, most StorSimple customers are currently using the v1 pricing. Since StorSimple is reaching end of life, you should stay with the pricing model that you are currently using, rather than pricing out the cost comparison with the v2 pricing. To see the Blob storage v2 prices, visit the [Azure Blob storage pricing page](https://azure.microsoft.com/pricing/details/storage/blobs/) and select the **Recommended** tab (the default when you load the page).

+## Azure File Sync pricing components

+Azure File Sync has the following pricing components you should consider in the cost comparison analysis:

+### Translating quantities from StorSimple

+If you are trying to estimate the costs of Azure File Sync based on the expenses you see in StorSimple, be careful with the following items:

+- **Azure Files bills on logical size (standard file shares).** Unlike StorSimple, which encodes your data in the StorSimple proprietary format before storing it to Azure Blob storage, Azure Files stores the data from Azure File Sync in the same form as you see it on your Windows File Server. This means that if you are trying to figure out how much storage you will consume in Azure Files, you should look at the logical size of the data from StorSimple, rather than the amount stored in Azure Blob storage. Although this may look like it will cause you to pay more when using Azure File Sync, you need to do the complete analysis including all aspects of StorSimple costs to see the true comparison. Additionally, Azure Files offers capacity reservations that enable you to buy storage at an up-to 36% discount over the list price. See [Capacity reservations in Azure Files](../files/understanding-billing.md#reserve-capacity).

+- **Don't assume a 1:1 ratio between transactions on StorSimple and transactions in Azure File Sync.** It might be tempting to look at the number of transactions done by StorSimple in Azure Blob storage and assume that number will be similar to the number of transactions that Azure File Sync will do on Azure Files. This number may overstate or understate the number of transactions Azure File Sync will do, so it's not a good way to estimate transaction costs. The best way to estimate transaction costs is to do a small proof-of-concept in Azure File Sync with a live file share similar to the file shares stored in StorSimple.

+## See also

+- [Azure Files pricing page](https://azure.microsoft.com/pricing/details/storage/files/)

+- [Planning for an Azure File Sync deployment](../file-sync/file-sync-planning.md)

+- [Create a file share](../files/storage-how-to-create-file-share.md?toc=/azure/storage/file-sync/toc.json) and [Deploy Azure File Sync](../file-sync/file-sync-deployment-guide.md)

+- [A restricted public endpoint](storage-files-networking-overview.md#public-endpoint-firewall-settings)

+# Azure Files networking considerations

+You can access your Azure file shares over the public internet accessible endpoint, over one or more private endpoints on your network(s), or by caching your Azure file share on-premises with Azure File Sync (SMB file shares only). This article focuses on how to configure Azure Files for direct access over the public and/or private endpoints. To learn more about how to cache your Azure file share on-premises with Azure File Sync, see [Introduction to Azure File Sync](../file-sync/file-sync-introduction.md).

+We recommend reading [Planning for an Azure Files deployment](storage-files-planning.md) prior to reading this conceptual guide.

+Directly accessing the Azure file share often requires additional thought with respect to networking:

+- SMB file shares communicate over port 445, which many organizations and internet service providers (ISPs) block for outbound (internet) traffic. This practice originates from legacy security guidance about deprecated and non-internet safe versions of the SMB protocol. Although SMB 3.x is an internet-safe protocol, organizational or ISP policies may not be possible to change. Therefore, mounting an SMB file share often requires additional networking configuration to use outside of Azure.

+- NFS file shares rely on network-level authentication and are therefore only accessible via restricted networks. Using an NFS file share always requires some level of networking configuration.

+Configuration of the public and private endpoints for Azure Files is done on the top-level management object for Azure Files, the Azure storage account. A storage account is a management construct that represents a shared pool of storage in which you can deploy multiple Azure file shares, as well as the storage resources for other Azure storage services, such as blob containers or queues.

+## Secure transfer

+By default, Azure storage accounts require secure transfer, regardless of data access is done over the public or private endpoint. For Azure Files, the **require secure transfer** setting is enforced for all protocol access to the data stored on Azure file shares, inclusive of SMB, NFS, and FileREST. The **require secure transfer** setting may be disabled to allow unencrypted traffic. You may also see this mislabeled as "require secure transfer for REST API operations".

+The SMB, NFS, and FileREST protocols have slightly different behavior with respect to the **require secure transfer** setting:

+- When require secure transfer is enabled on a storage account, all SMB file shares in that storage account will require the SMB 3.x protocol with AES-128-CCM, AES-128-GCM, or AES-256-GCM encryption algorithms, depending on the available/required encryption negotiation between the SMB client and Azure Files. You can toggle which SMB encryption algorithms are allowed via the [SMB security settings](files-smb-protocol.md#smb-security-settings). Disabling the **require secure transfer** setting enables SMB 2.1 and SMB 3.x mounts without encryption.

+- NFS file shares do not support an encryption mechanism, so in order to use the NFS protocol to access an Azure file share, you must disable **require secure transfer** for the storage account.

+- When secure transfer is required, the FileREST protocol may only be used with HTTPS. FileREST is only supported on SMB file shares today.

+## Public endpoint

+The public endpoint for the Azure file shares within a storage account is an internet exposed endpoint. The public endpoint is the default endpoint for a storage account, however, it can be disabled if desired.

+The SMB, NFS, and the FileREST protocols can all use the public endpoint. However, each has slightly different rules for access:

+- SMB file shares are accessible from anywhere in the world via the storage account's public endpoint with SMB 3.x with encryption. This means that authenticated requests, such as requests authorized by a user's logon identity, can originate securely from inside or outside of Azure region. If SMB 2.1 or SMB 3.x without encryption is desired, two conditions must be met:

+ 1. The storage account's **require secure transfer** setting must be disabled.

+ 2. The request must originate from inside of the Azure region. As previously mentioned, encrypted SMB requests are allowed from anywhere, inside or outside of the Azure region.

+- NFS file shares are accessible from the storage account's public endpoint if and only if the storage account's public endpoint is restricted to specific virtual networks using *service endpoints*. See [public endpoint firewall settings](#public-endpoint-firewall-settings) for additional information on *service endpoints*.

+- FileREST is accessible via the public endpoint. If secure transfer is required, only HTTPS requests are accepted. If secure transfer is disabled, HTTP requests are accepted by the public endpoint regardless of origin

+### Public endpoint firewall settings

+The storage account firewall restricts access to the public endpoint for a storage account. Using the storage account firewall, you can restrict access to certain IP addresses/IP address ranges, to specific virtual networks, or disable the public endpoint entirely.

+When you restrict the traffic of the public endpoint to one or more virtual networks, you are using a capability of the virtual network called *service endpoints*. Requests directed to the service endpoint of Azure Files are still going to the storage account public IP address, however the networking layer is doing additional verification of the request to validate that it is coming from an authorized virtual network. SMB, NFS, and FileREST all support service endpoints, however, unlike SMB and FileREST, NFS file shares can only be access with the public endpoint through use of a service endpoint.

+To learn more about how to configure the storage account firewall, see [configure Azure storage firewalls and virtual networks](storage-files-networking-endpoints.md#restrict-access-to-the-public-endpoint-to-specific-virtual-networks).

+### Public endpoint network routing

+Azure Files supports multiple network routing options. The default option, Microsoft routing, works with all Azure Files configurations. The internet routing option does not support AD domain join scenarios or Azure File Sync.

+## Private endpoints

+To create a private endpoint, see [Configuring private endpoints for Azure Files](storage-files-networking-endpoints.md#create-a-private-endpoint).

+### Tunneling traffic over a virtual private network or ExpressRoute

+To make use of private endpoints to access SMB or NFS file shares from on-premises, you must establish a network tunnel between your on-premises network and Azure. A [virtual network](../../virtual-network/virtual-networks-overview.md), or VNet, is similar to a traditional network that you'd operate on-premises. Like an Azure storage account or an Azure VM, a VNet is an Azure resource that is deployed in a resource group.

+Azure Files supports the following mechanisms to tunnel traffic between your on-premises workstations and servers and Azure SMB/NFS file shares:

+- [Azure VPN Gateway](../../vpn-gateway/vpn-gateway-about-vpngateways.md): A VPN gateway is a specific type of virtual network gateway that is used to send encrypted traffic between an Azure virtual network and an alternate location (such as on-premises) over the internet. An Azure VPN Gateway is an Azure resource that can be deployed in a resource group along side of a storage account or other Azure resources. VPN gateways expose two different types of connections:

+ - [Point-to-Site (P2S) VPN](../../vpn-gateway/point-to-site-about.md) gateway connections, which are VPN connections between Azure and an individual client. This solution is primarily useful for devices that are not part of your organization's on-premises network, such as telecommuters who want to be able to mount their Azure file share from home, a coffee shop, or hotel while on the road. To use a P2S VPN connection with Azure Files, a P2S VPN connection will need to be configured for each client that wants to connect. To simplify the deployment of a P2S VPN connection, see [Configure a Point-to-Site (P2S) VPN on Windows for use with Azure Files](storage-files-configure-p2s-vpn-windows.md) and [Configure a Point-to-Site (P2S) VPN on Linux for use with Azure Files](storage-files-configure-p2s-vpn-linux.md).

+ - [Site-to-Site (S2S) VPN](../../vpn-gateway/design.md#s2smulti), which are VPN connections between Azure and your organization's network. A S2S VPN connection enables you to configure a VPN connection once, for a VPN server or device hosted on your organization's network, rather than doing for every client device that needs to access your Azure file share. To simplify the deployment of a S2S VPN connection, see [Configure a Site-to-Site (S2S) VPN for use with Azure Files](storage-files-configure-s2s-vpn.md).

+- [ExpressRoute](../../expressroute/expressroute-introduction.md), which enables you to create a defined route between Azure and your on-premises network that doesn't traverse the internet. Because ExpressRoute provides a dedicated path between your on-premises datacenter and Azure, ExpressRoute may be useful when network performance is a consideration. ExpressRoute is also a good option when your organization's policy or regulatory requirements require a deterministic path to your resources in the cloud.

+> [!Note]

+> Although we recommend using private endpoints to assist in extending your on-premises network into Azure, it is technically possible to route to the public endpoint over the VPN connection, however this requires hard-coding the IP address for the public endpoint for Azure storage cluster that serves your storage account. Since storage accounts may be moved between storage clusters at any time and new clusters are added and removed all the time, this requires regularly hard-coding all possible the Azure storage IP addresses into your routing rules.

+### DNS configuration

+- Forward the `core.windows.net` zone from your on-premises DNS servers to your Azure private DNS zone. The Azure private DNS host can be reached through a special IP address (`168.63.129.16`) that is only accessible inside virtual networks that are linked to the Azure private DNS zone. To work around this limitation, you can run additional DNS servers within your virtual network that will forward `core.windows.net` on to the Azure private DNS zone. To simplify this set up, we have provided PowerShell cmdlets that will auto-deploy DNS servers in your Azure virtual network and configure them as desired. To learn how to set up DNS forwarding, see [Configuring DNS with Azure Files](storage-files-networking-dns.md).

+## SMB over QUIC

+Windows Server 2022 Azure Edition supports a new transport protocol called QUIC for the SMB server provided by the File Server role. QUIC is a replacement for TCP that is built on top of UDP, providing numerous advantages over TCP while still providing a reliable transport mechanism. Although there are multiple advantages to QUIC as a transport protocol, one key advantage for the SMB protocol is that all transport is done over port 443, which is widely open outbound to support HTTPS. This effectively means that SMB over QUIC offers a "SMB VPN" for file sharing over the public internet. Windows 11 ships with a SMB over QUIC capable client.

+Unfortunately, Azure Files does not directly support SMB over QUIC, however, you can create a lightweight cache of your Azure file shares on a Windows Server 2022 Azure Edition VM using Azure File Sync. To learn more about this option, see [Deploy Azure File Sync](../file-sync/file-sync-deployment-guide.md) and [SMB over QUIC](/windows-server/storage/file-server/smb-over-quic).

+description: Understand planning for an Azure Files deployment. You can either direct mount an Azure file share, or cache Azure file shares on-premises with Azure File Sync.

+- **Direct mount of an Azure file share**: Because Azure Files provides either Server Message Block (SMB) or Network File System (NFS) access, you can mount Azure file shares on-premises or in the cloud using the standard SMB or NFS clients available in your OS. Because Azure file shares are serverless, deploying for production scenarios does not require managing a file server or NAS device. This means you don't have to apply software patches or swap out physical disks.

+- **Cache Azure file share on-premises with Azure File Sync**: [Azure File Sync](../file-sync/file-sync-introduction.md) enables you to centralize your organization's file shares in Azure Files, while keeping the flexibility, performance, and compatibility of an on-premises file server. Azure File Sync transforms an on-premises (or cloud) Windows Server into a quick cache of your SMB Azure file share.

+Directly mounting your Azure file share often requires some thought about networking configuration because:

+- The port that SMB file shares use for communication, port 445, is frequently blocked by many organizations and internet service providers (ISPs) for outbound (internet) traffic.

+- NFS file shares rely on network-level authentication and are therefore only accessible via restricted networks. Using an NFS file share always requires some level of networking configuration.

+To configure networking, Azure Files provides an internet accessible public endpoint and integration with Azure networking features like *service endpoints*, which help restrict the public endpoint to specified virtual networks, and *private endpoints*, which give your storage account a private IP address from within a virtual network IP address space.

+From a practical perspective, this means you will need to consider the following network configurations:

+- If the required protocol is SMB, and all access over SMB is from clients in Azure, no special networking configuration is required.

+- If the required protocol is SMB, and the access is from clients on-premises, a VPN or ExpressRoute connection from on-premises to your Azure network is required, with Azure Files exposed on your internal network using private endpoints.

+- If the required protocol is NFS, you can use either service endpoints or private endpoints to restrict the network to specified virtual networks.

+To learn more about how to configure networking for Azure Files, see [Azure Files networking considerations](storage-files-networking-overview.md).

+In addition to directly connecting to the file share using the public endpoint or using a VPN/ExpressRoute connection with a private endpoint, SMB provides an additional client access strategy: SMB over QUIC. SMB over QUIC offers zero-config "SMB VPN" for SMB access over the QUIC transport protocol. Although Azure Files does not directly support SMB over QUIC, you can create a lightweight cache of your Azure file shares on a Windows Server 2022 Azure Edition VM using Azure File Sync. To learn more about this option, see [SMB over QUIC with Azure File Sync](storage-files-networking-overview.md#smb-over-quic).

+## Storage units

+Azure Files uses the base-2 units of measurement to represent storage capacity: KiB, MiB, GiB, and TiB.

+| Acronym | Definition | Unit |

+|||-|

+| KiB | 1,024 bytes | kibibyte |

+| MiB | 1,024 KiB (1,048,576 bytes) | mebibyte |

+| GiB | 1024 MiB (1,073,741,824 bytes) | gibibyte |

+| TiB | 1024 GiB (1,099,511,627,776 bytes) | tebibyte |

+Although these are the units commonly used by most operating systems and tools, they are frequently mislabeled as the base-10 units, which you may be more familiar with: KB, MB, GB, and TB. Although the rationale may vary, the common reason why operating systems like Windows mislabel the storage units is because many operating systems began using these acronyms before they were standardized by the IEC, BIPM, and NIST.

+The following table shows how common operating systems measure and label storage:

+| Operating system | Measurement system | Labeling |

+|-|-|-|-|

+| Windows | Base-2 | Consistently mislabels as base-10. |

+| Linux distributions | Commonly base-2, some software may use base-10 | Inconsistent labeling, alignment between measurement and labeling depends on the software package. |

+| macOS, iOS, and iPad OS | Base-10 | [Consistently labels as base-10](https://support.apple.com/HT201402). |

+Check with your operating system vendor if your operating system is not listed.

+## File share total cost of ownership checklist

+If you are migrating to Azure Files from on-premises or comparing Azure Files to other cloud storage solutions, you should consider the following factors to ensure a fair, apples-to-apples comparison:

+- **How do you pay for storage, IOPS, and bandwidth?** With Azure Files, the billing model you use depends on whether you are deploying [premium](#provisioned-model) or [standard](#pay-as-you-go-model) file shares. Most cloud solutions have models that align with the principles of either provisioned storage (price determinism, simplicity) or pay-as-you-go storage (pay only for what you actually use). Of particular interest for provisioned models are minimum provisioned share size, the provisioning unit, and the ability to increase and decrease provisioning.

+- **Are there any methods to optimized storage costs?** With Azure Files, you can use [capacity reservations](#reserve-capacity) to achieve an up to 36% discount on storage. Other solutions may employ storage efficiency strategies like deduplication or compression to optionally optimized storage, but remember, these storage optimization strategies often have non-monetary costs, such as reducing performance. Azure Files capacity reservations have no side-effects on performance.

+- **How do you achieve storage resiliency and redundancy?** With Azure Files, storage resiliency and redundancy are baked into the product offering. All tiers and redundancy levels ensure that data is highly available and at least three copies of your data are accessible. When considering other file storage options, consider whether storage resiliency and redundancy is built-in or something you must assemble yourself.

+- **What do you need to manage?** With Azure Files, the basic unit of management is a storage account. Other solutions may require additional management, such as operating system updates or virtual resource management (VMs, disks, network IP addresses, etc.).

+- **What are the costs of value-added products, like backup, security, etc.?** Azure Files supports integrations with multiple first- and third-party [value-added services](#value-added-services), such as Azure Backup, Azure File Sync, and Azure Defender that provide backup, replication and caching, and additional security functionality for Azure Files. Value-added solutions on-premises or with other cloud storage solutions will have their own licensing and product costs, and should be considered consistently as part of the total cost of ownership for file storage.

+### Choosing a tier

+Regardless of how you migrate existing data into Azure Files, we recommend initially creating the file share in transaction optimized tier due to the large number of transactions incurred during migration. After your migration is complete and you've operated for a few days/weeks with regular usage, you can plug in your transaction counts into the [pricing calculator](https://azure.microsoft.com/pricing/calculator/) to figure out which tier is best suited for your workload.

+Because standard file shares only show transaction information at the storage account level, using the storage metrics to estimate which tier is cheaper at the file share level is an imperfect science. If possible, we recommend deploying only one file share in each storage account to ensure full visibility into billing.

+To see previous transactions:

+1. Go to your storage account and select **Metrics** in the left navigation bar.

+2. Select **Scope** as your storage account name, **Metric Namespace** as "File", **Metric** as "Transactions", and **Aggregation** as "Sum".

+3. Select **Apply Splitting**.

+4. Select **Values** as "API Name". Select your desired **Limit** and **Sort**.

+5. Select your desired time period.

+> [!Note]

+> Make sure you view transactions over a period of time to get a better idea of average number of transactions. Ensure that the chosen time period does not overlap with initial provisioning. Multiply the average number of transactions during this time period to get the estimated transactions for an entire month.

+## Provisioned/quota, logical size, and physical size

+Azure Files tracks three distinct quantities with respect to share capacity:

+- **Provisioned size or quota**: With both premium and standard file shares, you specify the maximum size that the file share is allowed to grow to. In premium file shares, this value is called the provisioned size of the file share and whatever you amount you provision is what you pay for, regardless of how much you actually use. In standard file shares, this value is called quota and does not directly affect your bill. Provisioned size is a required field for premium file shares, while standard file shares will default if not directly specified to the maximum value supported by the storage account, either 5 TiB or 100 TiB, depending on the storage account type and settings.

+- **Logical size**: The logical size of a file share or of a particular file relates to how big the file is without considering how the file is actually stored, where additional optimizations may be applied. One way to think about this is that the logical size of the file is how many KiB/MiB/GiB will be transferred over the wire if you copy it to a different location. In both premium and standard file shares, the total logical size of the file share is what is used for enforcement against provisioned size/quota. In standard file shares, the logical size is the quantity used for the data at-rest usage billing. Logical size is referred to as "size" in the Windows properties dialog for a file/folder and as "content length" by Azure Files metrics.

+- **Physical size**: The physical size of the file relates to the size of the file as encoded on disk. This may align with the file's logical size, or it may be smaller, depending on how the file has been written to by the operating system. A common reason for the logical size and physical size to be different is through the use of [sparse files](/windows/win32/fileio/sparse-files). The physical size of the files in the share is used for snapshot billing, although allocated ranges are shared between snapshots if they are unchanged (differential storage). To learn more about how snapshots are billed in Azure Files, see [Snapshots](#snapshots).

+## Snapshots

+Azure Files supports snapshots, which are similar to volume shadow copies (VSS) on Windows File Server. Snapshots are always differential from the live share and from each other, meaning that you are always paying only for what's different in each snapshot. For more information on share snapshots, see [Overview of snapshots for Azure Files](storage-snapshots-files.md).

+Snapshots do not count against file share size limits, although you are limited to a specific number of snapshots. To see the current snapshot limits, see [Azure file share scale targets](storage-files-scale-targets.md#azure-file-share-scale-targets).

+Snapshots are always billed based on the differential storage utilization of each snapshot, however this looks slightly different between premium file shares and standard file shares:

+- In premium file shares, snapshots are billed against their own snapshot meter, which has a reduced price over the provisioned storage price. This means that you will see a separate line item on your bill representing snapshots for premium file shares for each FileStorage storage account on your bill.

+- In standard file shares, snapshots are billed as part of the normal used storage meter, although you are still only billed for the differential cost of the snapshot. This means that you will not see a separate line item on your bill representing snapshots for each standard storage account containing Azure file shares. This also means that differential snapshot usage counts against capacity reservations that are purchased for standard file shares.

+Value-added services for Azure Files may use snapshots as part of their value proposition. See [value-added services for Azure Files](#value-added-services) for more information on how snapshots are used.

+## Value-added services

+Like on-premises storage solutions which offer first- and third-party features/product integrations to bring additional value to the hosted file shares, Azure Files provides integration points for first- and third-party products to integrate with customer-owned file shares. Although these solutions may provide considerable extra value to Azure Files, you should consider the additional costs that these services add to the total cost of an Azure Files solution.

+Costs are generally broken down into three buckets:

+- **Licensing costs for the value-added service.** These may come in the form of a fixed cost per customer, end-user (sometimes referred to as a "head cost"), Azure file share or storage account, or in units of storage utilization, such as a fixed cost for every 500 GiB chunk of data in the file share.

+- **Transaction costs for the value-added service.** Some value-added services have their own concept of transactions distinct from what Azure Files views as a transaction. These transactions will show up on your bill under the value-added service's charges; however, relate directly to how you use the value-added service with your file share.

+- **Azure Files costs for using a value-added service.** Azure Files does not directly charge customers costs for adding value-added services, but as part of adding value to the Azure file share, the value-added service might increase the costs that you see on your Azure file share. This is really easy to see with standard file shares, because standard file shares have a pay-as-you-go model with transaction charges. If the value-added service does transactions against the file share on your behalf, they will show up in your Azure Files transaction bill even though you didn't directly do those transactions yourself. This applies to premium file shares as well, although it may be less noticeable. Additional transactions against premium file shares from value-added services count against your provisioned IOPS numbers, meaning that value-added services may require provisioning additional storage to have enough IOPS or throughput available for your workload.

+When computing the total cost of ownership for your file share, you should consider the costs of Azure Files and of all value-added services that you would like to use with Azure Files.

+There are multiple value-added first- and third-party services. This document covers a subset of the common first-party services customers use with Azure file shares. You can learn more about services not listed here by reading the pricing page for that service.

+Azure File Sync is a value-added service for Azure Files that synchronizes one or more on-premises Windows file shares with an Azure file share. Because the cloud Azure file share has a complete copy of the data in a synchronized file share that is available on-premises, you can transform your on-premises Windows File Server into a cache of the Azure file share to reduce your on-premises footprint. Learn more by reading [Introduction to Azure File Sync](../file-sync/file-sync-introduction.md).

+When considering the total cost of ownership for a solution deployed using Azure File Sync, you should consider the following cost aspects:

+To optimize costs for Azure Files with Azure File Sync, you should consider the tier of your file share. For more information on how to pick the tier for each file share, see [choosing a file share tier](#choosing-a-tier).

+If you are migrating to Azure File Sync from StorSimple, see [Comparing the costs of StorSimple to Azure File Sync](../file-sync/file-sync-storsimple-cost-comparison.md).

+### Azure Backup

+Azure Backup provides a serverless backup solution for Azure Files that seamlessly integrates with your file shares, as well as other value-added services such as Azure File Sync. Azure Backup for Azure Files is a snapshot-based backup solution, meaning that Azure Backup provides a scheduling mechanism for automatically taking snapshots on an administrator-defined schedule and a user-friendly interface for restoring deleted files/folders or the entire share to a particular point in time. To learn more about Azure Backup for Azure Files, see [About Azure file share backup](../../backup/azure-file-share-backup-overview.md?toc=/azure/storage/files/toc.json).

+When considering the costs of using Azure Backup to backup your Azure file shares, you should consider the following:

+- **Protected instance licensing cost for Azure file share data.** Azure Backup charges a protected instance licensing cost per storage account containing backed up Azure file shares. A protected instance is defined as 250 GiB of Azure file share storage. Storage accounts containing less than 250 GiB of Azure file share storage are subject to a fractional protected instance cost. See [Azure Backup pricing](https://azure.microsoft.com/pricing/details/backup/) for more information (note that you must select *Azure Files* from the list of services Azure Backup can protect).

+- **Azure Files costs.** Azure Backup increases the costs of Azure Files in the following ways:

+ - **Differential costs from Azure file share snapshots.** Azure Backup automates taking Azure file share snapshots on an administrator-defined schedule. Snapshots are always differential; however, the additional cost added to the total bill depends on the length of time snapshots are kept and the amount of churn on the file share during that time, because that dictates how different the snapshot is from the live file share and therefore how much additional data is stored by Azure Files.

+ - **Transaction costs from restore operations.** Restore operations from the snapshot to the live share will cause transactions. For standard file shares, this means that reads from snapshots/writes from restores will be billed as normal file share transactions. For premium file shares, these operations are counted against the provisioned IOPS for the file share.

+### Microsoft Defender for Storage

+Microsoft Defender provides support for Azure Files as part of its Microsoft Defender for Storage product. Microsoft Defender for Storage detects unusual and potentially harmful attempts to access or exploit your Azure file shares over SMB or FileREST. Microsoft Defender for Storage is enabled on the subscription level for all file shares in storage accounts in that subscription.

+Microsoft Defender for Storage does not support antivirus capabilities for Azure file shares.

+The main cost from Microsoft Defender for Storage is an additional set of transaction costs that the product levies on top of the transactions that are done against the Azure file share. Although these costs are based on the transactions incurred in Azure Files, they are not part of the billing for Azure Files, but rather are part of the Microsoft Defender pricing. Microsoft Defender for Storage charges a transaction rate even on premium file shares, where Azure Files includes transactions as part of IOPS provisioning. The current transaction rate can be found on [Microsoft Defender for Cloud pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/) under the *Microsoft Defender for Storage* table row.

+Transaction heavy file shares will incur significant costs using Microsoft Defender for Storage. Based on these costs, you may wish to opt-out of Microsoft Defender for Storage for specific storage accounts. For more information, see [Exclude a storage account from Microsoft Defender for Storage protections](../../defender-for-cloud/defender-for-storage-exclude.md).

+Standard Azure support does not cover StorSimple hardware support. If you are covered under Premier or Unified Microsoft support, you must still purchase Standard StorSimple support renewal. StorSimple support renewal can be aligned with EA anniversary date by acquiring the required support SKU with the license quantity equal to the number of the appliances and the unit quantity ordered being the remaining number of months of support needed until the EA anniversary date if all the units have the same support contract expiration date. If the units have different support contract expiration dates, each appliance must be covered with one support SKU with the unit quantity ordered being the remaining number of months of support needed until the EA anniversary date per each appliance.

+> [!NOTE]

+> StorSimple 8000 series reaches its end-of-life in December 2022. Purchase hardware support for only the months you need, not the full year. Any support purchased after December 2022 will not be used and is not eligible for refund.

+You can use the [GitHub Actions for Azure Resource Manager template](https://github.com/marketplace/actions/deploy-azure-resource-manager-arm-template) to automate deploying an ARM template to Azure for the workspace and compute pools.

+## Feb 2022 update

+The following updates are new to Azure Synapse Analytics this month.

+### SQL

+* Serverless SQL Pools now support more consistent query execution times. [Learn how Serverless SQL pools automatically detect spikes in read latency and support consistent query execution time.](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-february-update-2022/ba-p/3221841#TOCREF_2)

+* [The `OPENJSON` function makes it easy to get array element indexes](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-february-update-2022/ba-p/3221841#TOCREF_3). To learn more, see how the OPENJSON function in a serverless SQL pool allows you to [parse nested arrays and return one row for each JSON array element with the index of each element](/sql/t-sql/functions/openjson-transact-sql?view=azure-sqldw-latest&preserve-view=true#array-element-identity).

+### Data integration

+* [Upserting data is now supported by the copy activity](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-february-update-2022/ba-p/3221841#TOCREF_5). See how you can natively load data into a temporary table and then merge that data into a sink table with [upsert.](../data-factory/connector-azure-sql-database.md?tabs=data-factory#upsert-data)

+* [Transform Dynamics Data Visually in Synapse Data Flows.](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-february-update-2022/ba-p/3221841#TOCREF_6) Learn more on how to use a [Dynamics dataset or an inline dataset as source and sink types to transform data at scale.](../data-factory/connector-dynamics-crm-office-365.md?tabs=data-factory#mapping-data-flow-properties)

+* [Connect to your SQL sources in data flows using Always Encrypted](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-february-update-2022/ba-p/3221841#TOCREF_7). To learn more, see [how to securely connect to your SQL databases from Synapse data flows using Always Encrypted.](../data-factory/connector-azure-sql-database.md?tabs=data-factory)

+* [Capture descriptions from asserts in Data Flows](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-february-update-2022/ba-p/3221841#TOCREF_8) To learn more, see [how to define your own dynamic descriptive messages](../data-factory/data-flow-expressions-usage.md#assertErrorMessages) in the assert data flow transformation at the row or column level.

+* [Easily define schemas for complex type fields.](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-february-update-2022/ba-p/3221841#TOCREF_9) To learn more, see how you can make the engine to [automatically detect the schema of an embedded complex field inside a string column](../data-factory/data-flow-parse.md).

+* TLS 1.2 is now required for newly created Synapse Workspaces. To learn more, see how [TLS 1.2 provides enhanced security using this article](./security/connectivity-settings.md) or the [blog post](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-january-update-2022/ba-p/3071681#TOCREF_6). Login attempts to a newly created Synapse workspace from connections using TLS versions lower than 1.2 will fail.

+* Data quality validation rules using Assert transformation - You can now easily add data quality, data validation, and schema validation to your Synapse ETL jobs by using Assert transformation in Synapse data flows. To learn more, see the [Assert transformation in mapping data flow article](../data-factory/data-flow-assert.md) or [the blog post](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-january-update-2022/ba-p/3071681#TOCREF_8).

+* Serverless SQL pools now support the HASHBYTES function. HASHBYTES is a T-SQL function, which hashes values. Learn how to use [hash values in distributing data using this article](/sql/t-sql/functions/hashbytes-transact-sql) or the [blog post](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-january-update-2022/ba-p/3071681#TOCREF_13).

+* More notebook export formats: HTML, Python, and LaTeX [blog](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-december-2021-update/ba-p/3042904#REF3)

+* Serverless SQL queries can now return up to 200 GB of results [blog](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-november-2021-update/ba-p/3020740#toc-hId-1110860013) [article](./sql/resources-self-help-sql-on-demand.md)

+* Apply User-Assigned Managed Identities for Double Encryption [blog](https://techcommunity.microsoft.com/t5/azure-synapse-analytics/azure-synapse-analytics-october-update/ba-p/2875372#user-assigned-managed-identities) [article](./security/workspaces-encryption.md)

+This article lists updates to Azure Synapse Analytics that are published in Mar 2022. Each update links to the Azure Synapse Analytics blog and an article that provides more information. For previous months releases, check out [Azure Synapse Analytics - updates archive](whats-new-archive.md).

+## Developer Experience

+* Code cells in Synapse notebooks that result in exception will now show standard output along with the exception message. This feature is supported for Python and Scala languages. To learn more, see the [example output when a code statement fails](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-march-update-2022/ba-p/3269194#TOCREF_1).

+* Synapse notebooks now support partial output when running code cells. To learn more, see the [examples at this blog post](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-march-update-2022/ba-p/3269194#TOCREF_1)

+* You can now dynamically control Spark session configuration for the notebook activity with pipeline parameters. To learn more, see the [variable explorer feature of Synapse notebooks.](./spark/apache-spark-development-using-notebooks.md?tabs=classical#parameterized-session-configuration-from-pipeline)

+* You can now reuse and manage notebook sessions without having to start a new one. You can easily connect a selected notebook to an active session in the list started from another notebook. You can detach a session from a notebook, stop the session, and monitor it. To learn more, see [how to manage your active notebook sessions.](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-march-update-2022/ba-p/3269194#TOCREF_3)

+* Synapse notebooks now capture anything written through the Python logging module, in addition to the driver logs. To learn more, see [support for Python logging.](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-march-update-2022/ba-p/3269194#TOCREF_4)

+* Column Level Encryption for Azure Synapse dedicated SQL Pools is now Generally Available. With column level encryption, you can use different protection keys for each column with each key having its own access permissions. The data in CLE-enforced columns are encrypted on disk and remain encrypted in memory until the DECRYPTBYKEY function is used to decrypt it. To learn more, see [how to encrypt a data column](/sql/relational-databases/security/encryption/encrypt-a-column-of-data?view=azure-sqldw-latest&preserve-view=true).

+* Serverless SQL pools now support better performance for CETAS (Create External Table as Select) and subsequent SELECT queries. The performance improvements include, a parallel execution plan resulting in faster CETAS execution and outputting multiple files. To learn more, see [CETAS with Synapse SQL](./sql/develop-tables-cetas.md) article and the [blog post](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-march-update-2022/ba-p/3269194#TOCREF_7)

+## Apache Spark for Synapse

+* Synapse Spark Common Data Model (CDM) Connector is now Generally Available. The CDM format reader/writer enables a Spark program to read and write CDM entities in a CDM folder via Spark dataframes. To learn more, see [how the CDM connector supports reading, writing data, examples, & known issues](./spark/data-sources/apache-spark-cdm-connector.md).

+* Synapse Spark Dedicated SQL Pool (DW) Connector now supports improved performance. The new architecture eliminates redundant data movement and uses COPY-INTO instead of PolyBase. You can authenticate through SQL basic authentication or opt into the Azure Active Directory/Azure AD based authentication method. It now has ~5x improvements over the previous version. To learn more, see [Azure Synapse Dedicated SQL Pool Connector for Apache Spark](./spark/synapse-spark-sql-pool-import-export.md)

+* Synapse Spark Dedicated SQL Pool (DW) Connector now supports all Spark Dataframe SaveMode choices. It supports Append, Overwrite, ErrorIfExists, and Ignore modes. The Append and Overwrite are critical for managing data ingestion at scale. To learn more, see [DataFrame write SaveMode support](./spark/synapse-spark-sql-pool-import-export.md#dataframe-write-savemode-support)

+* Accelerate Spark execution speed using the new Intelligent Cache feature. This feature is currently in public preview. Intelligent Cache automatically stores each read within the allocated cache storage space, detecting underlying file changes and refreshing the files to provide the most recent data. To learn more, see how to [Enable/Disable the cache for your Apache Spark pool](./spark/apache-spark-intelligent-cache-concept.md) or see the [blog post](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-march-update-2022/ba-p/3269194#TOCREF_12)

+## Security

+* Azure Synapse Analytics now supports Azure Active Directory (Azure AD) authentication. You can turn on Azure AD authentication during the workspace creation or after the workspace is created. To learn more, see [how to use Azure AD authentication with Synapse SQL](./sql/active-directory-authentication.md).

+* API support to raise or lower minimal TLS version for workspace managed SQL Server Dedicated SQL. To learn more, see [how to update the minimum TLS setting](/rest/api/synapse/sqlserver/workspace-managed-sql-server-dedicated-sql-minimal-tls-settings/update) or read the [blog post](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-march-update-2022/ba-p/3269194#TOCREF_15) for more details.

+## Data Integration

+* Flowlets and CDC Connectors are now Generally Available. Flowlets in Synapse Data Flows allow for reusable and composable ETL logic. To learn more, see [Flowlets in mapping data flow](../data-factory/concepts-data-flow-flowlet.md) or see the [blog post.](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-march-update-2022/ba-p/3269194#TOCREF_17)

+* sFTP connector for Synapse data flows. You can read and write data while transforming data from sftp using the visual low-code data flows interface in Synapse. To learn more, see [source transformation](../data-factory/connector-sftp.md#source-transformation)

+* Data flow improvements to Data Preview. To learn more, see [Data Preview and debug improvements in Mapping Data Flows](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/data-preview-and-debug-improvements-in-mapping-data-flows/ba-p/3268254?wt.mc_id=azsynapseblog_mar2022_blog_azureeng)

+* Pipeline script activity. The Script Activity enables data engineers to build powerful data integration pipelines that can read from and write to Synapse databases, and other database types. To learn more, see [Transform data by using the Script activity in Azure Data Factory or Synapse Analytics](../data-factory/transform-data-using-script.md)

+ "typeHandlerVersion": "9.10",

+| typeHandlerVersion | 9.10 |

+ "typeHandlerVersion": "9.10",

+ "typeHandlerVersion": "9.10",

+ -TypeHandlerVersion 9.10 `

+HBv3-series VMs are optimized for HPC applications such as fluid dynamics, explicit and implicit finite element analysis, weather modeling, seismic processing, reservoir simulation, and RTL simulation. HBv3 VMs feature up to 120 AMD EPYCΓäó 7V73X (Milan-X) CPU cores, 448 GB of RAM, and no hyperthreading. HBv3-series VMs also provide 350 GB/sec of memory bandwidth (amplified up to 630 GB/s), up to 96 MB of L3 cache per core (1.536 GB total per VM), up to 7 GB/s of block device SSD performance, and clock frequencies up to 3.5 GHz.

+|Standard_HB120rs_v3 |120 |AMD EPYC 7V73X |448 |350 |1.9 |3.0 |3.5 |200 |All |2 * 960 |32 |8 |

+|Standard_HB120-96rs_v3 |96 |AMD EPYC 7V73X |448 |350 |1.9 |3.0 |3.5 |200 |All |2 * 960 |32 |8 |

+|Standard_HB120-64rs_v3 |64 |AMD EPYC 7V73X |448 |350 |1.9 |3.0 |3.5 |200 |All |2 * 960 |32 |8 |

+|Standard_HB120-32rs_v3 |32 |AMD EPYC 7V73X |448 |350 |1.9 |3.0 |3.5 |200 |All |2 * 960 |32 |8 |

+|Standard_HB120-16rs_v3 |16 |AMD EPYC 7V73X |448 |350 |1.9 |3.0 |3.5 |200 |All |2 * 960 |32 |8 |

+Refer this documentation: [OS backup and restore for Type II SKUs of Revision 3 stamps](./os-backup-hli-type-ii-skus.md)

+ Title: 'Configure High Availability connections for P2S User VPN clients'

+description: Learn how to configure High Availability connections for Virtual WAN P2S User VPN clients.

+# Configure High Availability connections for Virtual WAN P2S User VPN clients

+This article helps you configure and connect using the High Availability setting for Virtual WAN point-to-site (P2S) User VPN clients. This feature is only available for P2S clients connecting to Virtual WAN VPN gateways using the OpenVPN protocol.

+By default, every Virtual WAN VPN gateway consists of two instances in an active-active configuration. If anything happens to the gateway instance that the VPN client is connected to, the tunnel will be disconnected. P2S VPN clients must then initiate a connection to the new active instance.

+When **High Availability** is configured for the Azure VPN Client, if a failover occurs, the client connection isn't interrupted.

+> [!NOTE]

+> High Availability is supported for OpenVPN® protocol connections only and requires the Azure VPN Client.

+## <a name = "windows"></a>Windows

+### <a name = "download"></a>Download the Azure VPN Client

+To use this feature, you must install version **2.1901.41.0** or later of the Azure VPN Client.

+### <a name = "import"></a>Configure VPN client settings

+1. Use the [Point-to-site VPN for Azure AD authentication](virtual-wan-point-to-site-azure-ad.md#download-profile) article as a general guideline to generate client profile files. The OpenVPN® tunnel type is required for High Availability. If the generated client profile files don't contain an **OpenVPN** folder, your point-to-site User VPN configuration settings need to be modified to use the OpenVPN tunnel type.

+1. Configure the Azure VPN Client using the steps in the [Configure the Azure VPN Client](virtual-wan-point-to-site-azure-ad.md#configure-client) article as a guideline.

+### <a name = "HA"></a>Configure High Availability settings

+1. Open the Azure VPN Client and go to **Settings**.

+ :::image type="content" source="./media/high-availability-vpn-client/settings.png" alt-text="Screenshot shows VPN client with settings selected." lightbox="./media/high-availability-vpn-client/settings-expand.png":::

+1. On the **Settings** page, select **Enable High Availability**.

+ :::image type="content" source="./media/high-availability-vpn-client/enable.png" alt-text="Screenshot shows High Availability checkbox." lightbox="./media/high-availability-vpn-client/enable-expand.png":::

+1. On the home page for the client, save your settings.

+1. Connect to the VPN. After connecting, you'll see **Connected (HA)** in the left pane. You can also see the connection in the **Status logs**.

+ :::image type="content" source="./media/high-availability-vpn-client/ha-logs.png" alt-text="Screenshot shows High Availability in left pane and in status logs." lightbox="./media/high-availability-vpn-client/ha-logs-expand.png":::

+1. If you later decide that you don't want to use HA, deselect the **Enable High Availability** checkbox on the Azure VPN Client and reconnect to the VPN.

+## <a name = "macOS"></a>macOS

+1. Use the steps in the [Azure AD - macOS](openvpn-azure-ad-client-mac.md) article as a configuration guideline. The settings you configure may be different than the configuration example in the article, depending on what type of authentication you're using. Configure the Azure VPN Client with the settings specified in the VPN client profile.

+1. Open the **Azure VPN Client** and click **Settings** at the bottom of the page.

+ :::image type="content" source="./media/high-availability-vpn-client/mac-settings.png" alt-text="Screenshot click Settings button." lightbox="./media/high-availability-vpn-client/mac-settings.png":::

+1. On the **Settings** page, select **Enable High Availability**. Settings are automatically saved.

+ :::image type="content" source="./media/high-availability-vpn-client/mac-ha-settings.png" alt-text="Screenshot shows Enable High Availability." lightbox="./media/high-availability-vpn-client/mac-ha-settings-expand.png":::

+1. Click **Connect**. Once you're connected, you can view the connection status in the left pane and in the **Status logs**.

+ :::image type="content" source="./media/high-availability-vpn-client/mac-connected.png" alt-text="Screenshot mac logs and H A connection status." lightbox="./media/high-availability-vpn-client/mac-connected-expand.png":::

+## Next steps

+For VPN client profile information, see [Global and hub-based profiles](global-hub-profile.md).