Updates from: 04/20/2021 03:07:44
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory-b2c Conditional Access Technical Profile https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/conditional-access-technical-profile.md
+
+ Title: Conditional Access technical profiles in custom policies
+
+description: Custom policy reference for Conditional Access technical profiles in Azure AD B2C.
+++++++ Last updated : 04/19/2021++++
+# Define a Conditional Access technical profile in an Azure Active Directory B2C custom policy
++
+Azure Active Directory (Azure AD) Conditional Access is the tool used by Azure AD B2C to bring signals together, make decisions, and enforce organizational policies. Automating risk assessment with policy conditions means risky sign-ins are at once identified and remediated or blocked.
++
+## Protocol
+
+The **Name** attribute of the **Protocol** element needs to be set to `Proprietary`. The **handler** attribute must contain the fully qualified name of the protocol handler assembly that is used by Azure AD B2C:
+
+```
+Web.TPEngine.Providers.ConditionalAccessProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
+```
+
+The following example shows a Conditional Access technical profile:
+
+```XML
+<TechnicalProfile Id="ConditionalAccessEvaluation">
+ <DisplayName>Conditional Access Provider</DisplayName>
+ <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ConditionalAccessProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
+ <Metadata>
+ <Item Key="OperationType">Evaluation</Item>
+ </Metadata>
+```
+
+## Conditional Access evaluation
+
+For every sign-in, Azure AD B2C evaluates all policies and ensures all requirements are met before granting the user access. "Block access" overrides all other configuration settings. The **Evaluation** mode of the Conditional Access technical profile evaluates the signals collected by Azure AD B2C during the sign-in with a local account. The outcome of the Conditional Access technical profile is a set of claims that result from Conditional Access evaluation. The Azure AD B2C policy uses these claims in a next orchestration step to take an action, such as block the user or challenge the user with multi-factor authentication. The following options can be configured for this mode.
+
+### Metadata
+
+| Attribute | Required | Description |
+| | -- | -- |
+| OperationType | Yes | Must be **Evaluation**. |
+
+### Input claims
+
+The **InputClaims** element contains a list of claims to send to Conditional Access. You can also map the name of your claim to the name defined in the Conditional Access technical profile.
+
+| ClaimReferenceId | Required | Data Type | Description |
+| | -- | -- |-- |
+| UserId | Yes | string | The identifier of the user who signs in. |
+| AuthenticationMethodsUsed | Yes |stringCollection | The list of methods the user used to sign in. Possible values: `Password`, and `OneTimePasscode`. |
+| IsFederated | Yes |boolean | Indicates whether or not a user signed in with a federated account. The value must be `false`. |
+| IsMfaRegistered | Yes |boolean | Indicates whether the user already enrolled a phone number for multi-factor authentication. |
++
+The **InputClaimsTransformations** element may contain a collection of **InputClaimsTransformation** elements that are used to modify the input claims or generate new ones before sending them to the Conditional Access service.
+
+### Output claims
+
+The **OutputClaims** element contains a list of claims generated by the ConditionalAccessProtocolProvider. You can also map the name of your claim to the name defined below.
+
+| ClaimReferenceId | Required | Data Type | Description |
+| | -- | -- |-- |
+| Challenges | Yes |stringCollection | List of actions to remediate the identified threat. Possible values: `block` |
+| MultiConditionalAccessStatus | Yes | stringCollection | |
+
+The **OutputClaimsTransformations** element may contain a collection of **OutputClaimsTransformation** elements that are used to modify the output claims or generate new ones.
+
+### Example: Evaluation
+
+The following example shows a Conditional Access technical profile that is used to evaluate the sign-in threat.
+
+```XML
+<TechnicalProfile Id="ConditionalAccessEvaluation">
+ <DisplayName>Conditional Access Provider</DisplayName>
+ <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ConditionalAccessProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
+ <Metadata>
+ <Item Key="OperationType">Evaluation</Item>
+ </Metadata>
+ <InputClaimsTransformations>
+ <InputClaimsTransformation ReferenceId="IsMfaRegisteredCT" />
+ </InputClaimsTransformations>
+ <InputClaims>
+ <InputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="UserId" />
+ <InputClaim ClaimTypeReferenceId="AuthenticationMethodsUsed" />
+ <InputClaim ClaimTypeReferenceId="IsFederated" DefaultValue="false" />
+ <InputClaim ClaimTypeReferenceId="IsMfaRegistered" />
+ </InputClaims>
+ <OutputClaims>
+ <OutputClaim ClaimTypeReferenceId="conditionalAccessClaimCollection" PartnerClaimType="Challenges" />
+ <OutputClaim ClaimTypeReferenceId="ConditionalAccessStatus" PartnerClaimType="MultiConditionalAccessStatus" />
+ </OutputClaims>
+</TechnicalProfile>
+```
+
+## Remediation
+
+The **Remediation** mode of the Conditional Access technical profile informs Azure AD B2C that the sign-in identified threat is remediated. The following options can be configured for the remediation mode.
+
+### Metadata
+
+| Attribute | Required | Description |
+| | -- | -- |
+| OperationType | Yes | Must be **Remediation**. |
+
+### Input claims
+
+The **InputClaims** element contains a list of claims to send to Conditional Access. You can also map the name of your claim to the name defined in the Conditional Access technical profile.
+
+| ClaimReferenceId | Required | Data Type | Description |
+| | -- | -- |-- |
+| ChallengesSatisfied | Yes | stringCollection| The list of satisfied challenges to remediate the identified threat as return from the evaluation mode, challenges claim.|
++
+The **InputClaimsTransformations** element may contain a collection of **InputClaimsTransformation** elements that are used to modify the input claims or generate new ones before calling the Conditional Access service.
+
+### Output claims
+
+The Conditional Access protocol provider doesn't return any **OutputClaims**, so there's no need to specify output claims. You can, however, include claims that aren't returned by the Conditional Access protocol provider as long as you set the `DefaultValue` attribute.
+
+The **OutputClaimsTransformations** element may contain a collection of **OutputClaimsTransformation** elements that are used to modify the output claims or generate new ones.
+
+### Example: Remediation
+
+The following example shows a Conditional Access technical profile that is used to remediate the sign-in threat.
+
+```xml
+<TechnicalProfile Id="ConditionalAccessRemediation">
+ <DisplayName>Conditional Access Remediation</DisplayName>
+ <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ConditionalAccessProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
+ <Metadata>
+ <Item Key="OperationType">Remediation</Item>
+ </Metadata>
+ <InputClaims>
+ <InputClaim ClaimTypeReferenceId="conditionalAccessClaimCollection" PartnerClaimType="ChallengesSatisfied" />
+ </InputClaims>
+</TechnicalProfile>
+```
+
+## Next steps
+
+- Learn how to [Add Conditional Access to user flows in Azure Active Directory B2C](conditional-access-user-flow.md).
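Review bot: The first XML sample, under Protocol, never closes its element: it opens `<TechnicalProfile Id="ConditionalAccessEvaluation">` and stops after `</Metadata>`, so anyone pasting it gets malformed policy XML; add `</TechnicalProfile>` or mark the sample as an excerpt. In the Evaluation output claims table, `MultiConditionalAccessStatus` is marked required but has an empty description, and `Challenges` lists only `block` as a possible value while the Evaluation paragraph says the policy may also challenge the user with multi-factor authentication; document the full value set so policy authors can write the orchestration step that enforces the decision. The fence tag is `XML` on the first two samples and `xml` on the Remediation sample; pick one.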
active-directory-b2c Custom Email Mailjet https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/custom-email-mailjet.md
Previously updated : 04/09/2021 Last updated : 04/19/2021 zone_pivot_groups: b2c-policy-type
Use custom email in Azure Active Directory B2C (Azure AD B2C) to send customized
Custom email verification requires the use of a third-party email provider like [Mailjet](https://Mailjet.com), [SendGrid](./custom-email-sendgrid.md), or [SparkPost](https://sparkpost.com), a custom REST API, or any HTTP-based email provider (including your own). This article describes setting up a solution that uses Mailjet. - ## Create a Mailjet account If you don't already have one, start by setting up a Mailjet account (Azure customers can unlock 6,000 emails with a limit of 200 emails/day).
If you don't already have one, start by setting up a Mailjet account (Azure cust
1. To be able to send email, [register and validate](https://www.mailjet.com/guides/azure-mailjet-developer-resource-user-guide/enabling-mailjet/#how-to-configure-mailjet-for-use) your Sender email address or domain. 2. Navigate to the [API Key Management page](https://app.mailjet.com/account/api_keys). Record the **API Key** and **Secret Key** for use in a later step. Both keys are generated automatically when your account is created.
+> [!IMPORTANT]
+> Mailjet offers customers the ability to send emails from shared IP and [dedicated IP addresses](https://documentation.mailjet.com/hc/articles/360043101973-What-is-a-dedicated-IP). When using dedicated IP addresses, you need to build your own reputation properly with an IP address warm-up. For more information, see [How do I warm up my IP ?](https://documentation.mailjet.com/hc/articles/1260803352789-How-do-I-warm-up-my-IP-).
++ ## Create Azure AD B2C policy key Next, store the Mailjet API key in an Azure AD B2C policy key for your policies to reference.
Under content definitions, still within `<BuildingBlocks>`, add the following [D
The `GenerateOtp` technical profile generates a code for the email address. The `VerifyOtp` technical profile verifies the code associated with the email address. You can change the configuration of the format and the expiration of the one-time password. For more information about OTP technical profiles, see [Define a one-time password technical profile](one-time-password-technical-profile.md).
+> [!NOTE]
+> OTP codes that are generated by the Web.TPEngine.Providers.OneTimePasswordProtocolProvider protocol are tied to the browser session. This means a user can generate unique OTP codes in different browser sessions that are each valid for their corresponding sessions. By contrast, an OTP code generated by the built-in user flow is independent of the browser session, so if a user generates a new OTP code in a new browser session, it replaces the previous OTP code.
+ Add the following technical profiles to the `<ClaimsProviders>` element. ```XML
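Review bot: The OTP note describes the session binding but leaves the reader to work out the consequence: per its second sentence, several codes for the same user can be valid at once, each only in the session that generated it. Say plainly that the code must be entered in the same browser session that requested it, and that requesting a new code elsewhere does not invalidate the earlier one in a custom policy, since that differs from the built-in user flow behaviour described in the last sentence. `Web.TPEngine.Providers.OneTimePasswordProtocolProvider` should be in code formatting.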
You can find an example of a custom email verification policy on GitHub:
- [Custom email verification - DisplayControls](https://github.com/azure-ad-b2c/samples/tree/master/policies/custom-email-verifcation-displaycontrol) - For information about using a custom REST API or any HTTP-based SMTP email provider, see [Define a RESTful technical profile in an Azure AD B2C custom policy](restful-technical-profile.md).
active-directory-b2c Custom Email Sendgrid https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/custom-email-sendgrid.md
Previously updated : 04/09/2021 Last updated : 04/19/2021 zone_pivot_groups: b2c-policy-type
Use custom email in Azure Active Directory B2C (Azure AD B2C) to send customized
Custom email verification requires the use of a third-party email provider like [SendGrid](https://sendgrid.com), [Mailjet](https://Mailjet.com), or [SparkPost](https://sparkpost.com), a custom REST API, or any HTTP-based email provider (including your own). This article describes setting up a solution that uses SendGrid. - ## Create a SendGrid account If you don't already have one, start by setting up a SendGrid account (Azure customers can unlock 25,000 free emails each month). For setup instructions, see the [Create a SendGrid Account](../sendgrid-dotnet-how-to-send-email.md#create-a-sendgrid-account) section of [How to send email using SendGrid with Azure](../sendgrid-dotnet-how-to-send-email.md). Be sure to complete the section in which you [create a SendGrid API key](../sendgrid-dotnet-how-to-send-email.md#to-find-your-sendgrid-api-key). Record the API key for use in a later step.
+> [!IMPORTANT]
+> SendGrid offers customers the ability to send emails from shared IP and [dedicated IP addresses](https://sendgrid.com/docs/ui/account-and-settings/dedicated-ip-addresses/). When using dedicated IP addresses, you need to build your own reputation properly with an IP address warm-up. For more information, see [Warming Up An Ip Address](https://sendgrid.com/docs/ui/sending-email/warming-up-an-ip-address/).
+ ## Create Azure AD B2C policy key Next, store the SendGrid API key in an Azure AD B2C policy key for your policies to reference.
Under content definitions, still within `<BuildingBlocks>`, add the following [D
The `GenerateOtp` technical profile generates a code for the email address. The `VerifyOtp` technical profile verifies the code associated with the email address. You can change the configuration of the format and the expiration of the one-time password. For more information about OTP technical profiles, see [Define a one-time password technical profile](one-time-password-technical-profile.md).
+> [!NOTE]
+> OTP codes that are generated by the Web.TPEngine.Providers.OneTimePasswordProtocolProvider protocol are tied to the browser session. This means a user can generate unique OTP codes in different browser sessions that are each valid for their corresponding sessions. By contrast, an OTP code generated by the built-in user flow is independent of the browser session, so if a user generates a new OTP code in a new browser session, it replaces the previous OTP code.
+ Add the following technical profiles to the `<ClaimsProviders>` element. ```xml
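Review bot: This OTP note is word for word the one added to custom-email-mailjet.md in the same change, and the IMPORTANT note above it differs from the Mailjet one only in the provider name and links. Move the OTP text into a shared include so the two articles cannot drift, and fix the link text "Warming Up An Ip Address" to read "IP" as in the rest of the note.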
You can find an example of a custom email verification policy on GitHub:
- [Custom email verification - DisplayControls](https://github.com/azure-ad-b2c/samples/tree/master/policies/custom-email-verifcation-displaycontrol) - For information about using a custom REST API or any HTTP-based SMTP email provider, see [Define a RESTful technical profile in an Azure AD B2C custom policy](restful-technical-profile.md).
active-directory-b2c Customize Ui With Html https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/customize-ui-with-html.md
Previously updated : 03/16/2021 Last updated : 04/19/2021
To use the sample:
https://your-storage-account.blob.core.windows.net/your-container/templates/src/fonts/segoeui.WOFF ```
-1. Save the `\*.html` files and upload them to Blob storage.
+1. Save the `\*.html` files and upload them to the Blob storage.
1. Now modify the policy, pointing to your HTML file, as mentioned previously.
-1. If you see missing fonts, images, or CSS, check your references in the extensions policy and the \*.html files.
+1. If you see missing fonts, images, or CSS, check your references in the extensions policy and the `\*.html` files.
## Use company branding assets in custom HTML
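Review bot: The new code span in the last step keeps the backslash: Markdown does not process escapes inside backticks, so `\*.html` renders with a literal backslash. The escape was only needed in the old unformatted text; write `*.html` inside the code span, and do the same in the first step, which has the same problem. "upload them to the Blob storage" also reads worse than the line it replaces.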
active-directory-b2c Microsoft Graph Operations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/microsoft-graph-operations.md
Previously updated : 01/28/2021 Last updated : 04/19/2021
Note, the [list](/graph/api/authentication-list-phonemethods) operation returns
![Enable phone sign-in](./media/microsoft-graph-operations/enable-phone-sign-in.png)
+> [!NOTE]
+> In the current beta version, this API works only if the phone number is stored with a space between the country code and the phone number. The Azure AD B2C service doesn't currently add this space by default.
+ ## Self-service password reset email address (beta) An email address that can be used by a [username sign-in account](identity-provider-local.md#username-sign-in) to reset the password. For more information, see [Azure AD authentication methods API](/graph/api/resources/emailauthenticationmethod).
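Review bot: The note states a storage-format requirement without showing it, and "this API" does not say which operation is affected. Add one sample value in the expected format and name the operation that fails when the space is missing. Because the second sentence says Azure AD B2C doesn't add the space by default, numbers the service stored itself will not meet the requirement, so tell the reader what to do about existing numbers, or state that there is no workaround in the current beta.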
active-directory-b2c Policy Keys Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/policy-keys-overview.md
Previously updated : 09/08/2020 Last updated : 04/19/2021
+zone_pivot_groups: b2c-policy-type
# Overview of policy keys in Azure Active Directory B2C +++++ Azure Active Directory B2C (Azure AD B2C) stores secrets and certificates in the form of policy keys to establish trust with the services it integrates with. These trusts consist of: - External identity providers
The keys in a keyset are not replaceable or removable. If you need to change an
## Next steps -- Learn how to use Microsoft Graph to automate a [keyset](microsoft-graph-operations.md#trust-framework-policy-keyset) and [policy keys](microsoft-graph-operations.md#trust-framework-policy-key) deployment.
+- Learn how to use Microsoft Graph to automate a [keyset](microsoft-graph-operations.md#trust-framework-policy-keyset) and [policy keys](microsoft-graph-operations.md#trust-framework-policy-key) deployment.
+
active-directory-b2c Secure Rest Api https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/secure-rest-api.md
Previously updated : 10/15/2020 Last updated : 04/19/2021
A claim provides temporary storage of data during an Azure AD B2C policy executi
### Acquiring an access token
-You can obtain an access token in one of several ways: by obtaining it [from a federated identity provider](idp-pass-through-user-flow.md), by calling a REST API that returns an access token, by using an [ROPC flow](../active-directory/develop/v2-oauth-ropc.md), or by using the [client credentials flow](../active-directory/develop/v2-oauth2-client-creds-grant-flow.md).
+You can obtain an access token in one of several ways: by obtaining it [from a federated identity provider](idp-pass-through-user-flow.md), by calling a REST API that returns an access token, by using an [ROPC flow](../active-directory/develop/v2-oauth-ropc.md), or by using the [client credentials flow](../active-directory/develop/v2-oauth2-client-creds-grant-flow.md). The client credentials flow is commonly used for server-to-server interactions that must run in the background, without immediate interaction with a user.
-The following example uses a REST API technical profile to make a request to the Azure AD token endpoint using the client credentials passed as HTTP basic authentication. To configure this in Azure AD, see [Microsoft identity platform and the OAuth 2.0 client credentials flow](../active-directory/develop/v2-oauth2-client-creds-grant-flow.md). You may need to modify this to interface with your Identity Provider.
+#### Acquiring an Azure AD access token
+
+The following example uses a REST API technical profile to make a request to the Azure AD token endpoint using the client credentials passed as HTTP basic authentication. For more information, see [Microsoft identity platform and the OAuth 2.0 client credentials flow](../active-directory/develop/v2-oauth2-client-creds-grant-flow.md).
+
+To acquire an Azure AD access token, create an application in your Azure AD tenant:
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+1. Select the **Directory + subscription** filter in the top menu, and then select the directory that contains your Azure AD tenant.
+1. In the left menu, select **Azure Active Directory**. Or, select **All services** and search for and select **Azure Active Directory**.
+1. Select **App registrations**, and then select **New registration**.
+1. Enter a **Name** for the application. For example, *Client_Credentials_Auth_app*.
+1. Under **Supported account types**, select **Accounts in this organizational directory only**.
+1. Select **Register**.
+2. Record the **Application (client) ID**.
++
+For a client credentials flow, you need to create an application secret. The client secret is also known as an application password. The secret will be used by your application to acquire an access token.
+
+1. In the **Azure AD B2C - App registrations** page, select the application you created, for example *Client_Credentials_Auth_app*.
+1. In the left menu, under **Manage**, select **Certificates & secrets**.
+1. Select **New client secret**.
+1. Enter a description for the client secret in the **Description** box. For example, *clientsecret1*.
+1. Under **Expires**, select a duration for which the secret is valid, and then select **Add**.
+1. Record the secret's **Value** for use in your client application code. This secret value is never displayed again after you leave this page. You use this value as the application secret in your application's code.
+
+#### Create Azure AD B2C policy keys
+
+You need to store the client ID and the client secret that you previously recorded in your Azure AD B2C tenant.
+
+1. Sign in to the [Azure portal](https://portal.azure.com/).
+2. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the **Directory + subscription** filter in the top menu and choose the directory that contains your tenant.
+3. Choose **All services** in the top-left corner of the Azure portal, and then search for and select **Azure AD B2C**.
+4. On the Overview page, select **Identity Experience Framework**.
+5. Select **Policy Keys** and then select **Add**.
+6. For **Options**, choose `Manual`.
+7. Enter a **Name** for the policy key, `SecureRESTClientId`. The prefix `B2C_1A_` is added automatically to the name of your key.
+8. In **Secret**, enter your client ID that you previously recorded.
+9. For **Key usage**, select `Signature`.
+10. Click **Create**.
+11. Create another policy key with the following settings:
+ - **Name**: `SecureRESTClientSecret`.
+ - **Secret**: enter your client secret that you previously recorded
For the ServiceUrl, replace your-tenant-name with the name of your Azure AD tenant. See the [RESTful technical profile](restful-technical-profile.md) reference for all options available.
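Review bot: The secret-creation list points at the wrong page: the app is registered under **Azure Active Directory** > **App registrations** in the Azure AD tenant, but the next list opens with "In the **Azure AD B2C - App registrations** page"; name the Azure AD page used in the registration steps. In the policy-key steps, the second key (`SecureRESTClientSecret`) gives only **Name** and **Secret**, with no **Options** or **Key usage** value and no closing period, while the first key specifies `Manual` and `Signature`; spell those out so both keys are created the same way. The registration list switches from `1.` to `2.` at "Record the **Application (client) ID**". Since the reader picks an expiry under **Expires**, add a line saying the policy key has to be updated with a new secret before that date.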
For the ServiceUrl, replace your-tenant-name with the name of your Azure AD tena
</CryptographicKeys> <InputClaims> <InputClaim ClaimTypeReferenceId="grant_type" DefaultValue="client_credentials" />
- <InputClaim ClaimTypeReferenceId="scope" DefaultValue="https://secureb2cfunction.azurewebsites.net/.default" />
+ <InputClaim ClaimTypeReferenceId="scope" DefaultValue="https://graph.microsoft.com/.default" />
</InputClaims> <OutputClaims> <OutputClaim ClaimTypeReferenceId="bearerToken" PartnerClaimType="access_token" />
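Review bot: With the default scope changed to `https://graph.microsoft.com/.default`, the `bearerToken` output claim is now a token issued for Microsoft Graph rather than for the reader's own REST API, and the registration steps added above never grant the app any Graph application permission. State next to the sample that the scope must be replaced with the `.default` scope of the API being called, or add the permission and admin-consent step if Graph is the intended target.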
The following is an example of a RESTful technical profile configured to call an
## Next steps -- Learn more about the [Restful technical profile](restful-technical-profile.md) element in the IEF reference.
+- Learn more about the [Restful technical profile](restful-technical-profile.md) element in the IEF reference.
active-directory-b2c Tenant Management https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/tenant-management.md
+
+ Title: Manage your Azure Active Directory B2C
+
+description: Learn how to manage your Azure Active Directory B2C tenant. Learn which Azure AD features are supported in Azure AD B2C, how to use administrator roles to manage resources, and how to add work accounts and guest users to your Azure AD B2C tenant.
+++++++ Last updated : 04/19/2021+++++
+# Manage your Azure Active Directory B2C tenant
+
+In Azure Active Directory B2C (Azure AD B2C), a tenant represents your directory of consumer users. Each Azure AD B2C tenant is distinct and separate from any other Azure AD B2C tenant. An Azure AD B2C tenant is different than an Azure Active Directory tenant, which you may already have. In this article, you learn how to manage your Azure AD B2C tenant.
+
+## Supported Azure AD features
+
+Azure AD B2C relies the Azure AD platform. The following Azure AD features can be used in your Azure AD B2C tenant.
+
+|Feature |Azure AD | Azure AD B2C |
+||||
+| [Groups](../active-directory/fundamentals/active-directory-groups-create-azure-portal.md) | Groups can be used to manage administrative and user accounts.| Groups can be used to manage administrative accounts. [Consumer accounts](user-overview.md#consumer-user) don't support groups. |
+| [Inviting External Identities guests](../active-directory//external-identities/add-users-administrator.md)| You can invite guest users and configure External Identities features such as federation and sign-in with Facebook and Google accounts. | You can invite only a Microsoft account or an Azure AD user as a guest to your Azure AD tenant for accessing applications or managing tenants. For [consumer accounts](user-overview.md#consumer-user), you use Azure AD B2C user flows and custom policies to manage users and sign-up or sign-in with external identity providers, such as Google or Facebook. |
+| [Roles and administrators](../active-directory/fundamentals/active-directory-users-assign-role-azure-portal.md)| Fully supported for administrative and user accounts. | Roles are not supported with [consumer accounts](user-overview.md#consumer-user). Consumer accounts don't have access to any Azure resources.|
+| [Custom domain names](../active-directory/roles/permissions-reference.md#) | You can use Azure AD custom domains for administrative accounts only. | [Consumer accounts](user-overview.md#consumer-user) can sign in with a username, phone number, or any email address. You can use [custom domains](custom-domain.md) in your redirect URLs.|
+| [Conditional Access](../active-directory/roles/permissions-reference.md#) | Fully supported for administrative and user accounts. | A subset of Azure AD Conditional Access features is supported with [consumer accounts](user-overview.md#consumer-user) Lean how to configure Azure AD B2C [custom domain](conditional-access-user-flow.md).|
+
+## Other Azure resources in your tenant
+
+In an Azure AD B2C tenant, you can't provision other Azure resources such as virtual machines, Azure web apps, or Azure functions. You must create these resources in your Azure AD tenant.
+
+## Azure AD B2C accounts overview
+
+The following types of accounts can be created in an Azure AD B2C tenant:
+
+In an Azure AD B2C tenant, there are several types of accounts that can be created as described in the [Overview of user accounts in Azure Active Directory B2C](user-overview.md) article.
+
+- **Work account** - A work account can access resources in a tenant, and with an administrator role, can manage tenants.
+- **Guest account** - A guest account can only be a Microsoft account or an Azure Active Directory user that can be used to access applications or manage tenants.
+- **Consumer account** - A consumer account is used by a user of the applications you've registered with Azure AD B2C.
+
+For details about these account types, see [Overview of user accounts in Azure Active Directory B2C](user-overview.md). Any user who will be assigned to manage your Azure AD B2C tenant must have an Azure AD user account so they can access Azure-related services. You can add such a user by [creating an account](#add-an-administrator-work-account) (work account) in your Azure AD B2C tenant, or by [inviting them](#invite-an-administrator-guest-account) to your Azure AD B2C tenant as a guest user.
+
+## Use roles to control resource access
+
+When planning your access control strategy, it's best to assign users the least privileged role required to access resources. The following table describes the primary resources in your Azure AD B2C tenant and the most suitable administrative roles for the users who manage them.
+
+|Resource |Description |Role |
+||||
+|[Application registrations](tutorial-register-applications.md) | Create and manage all aspects of your web, mobile, and native application registrations within Azure AD B2C.|[Application Administrator](../active-directory/roles/permissions-reference.md#global-administrator)|
+|[Identity providers](add-identity-provider.md)| Configure the [local identity provider](identity-provider-local.md) and external social or enterprise identity providers. | [External Identity Provider Administrator](../active-directory/roles/permissions-reference.md#external-identity-provider-administrator)|
+|[API connectors](add-api-connector.md)| Integrate your user flows with web APIs to customize the user experience and integrate with external systems.|[External ID User Flow Attribute Administrator](../active-directory/roles/permissions-reference.md#external-id-user-flow-administrator)|
+|[Company branding](customize-ui.md#configure-company-branding)| Customize your user flow pages.| [Global Administrator](../active-directory/roles/permissions-reference.md#global-administrator)|
+|[User attributes](user-flow-custom-attributes.md)| Add or delete custom attributes available to all user flows.| [External ID User Flow Attribute Administrator](../active-directory/roles/permissions-reference.md#external-id-user-flow-attribute-administrator)|
+|Manage users| Manage [consumer accounts](manage-users-portal.md) and administrative accounts as described in this article.| [User Administrator](../active-directory/roles/permissions-reference.md#user-administrator)|
+|Roles and administrators| Manage role assignments in Azure AD B2C directory. Create and manage groups that can be assigned to Azure AD B2C roles. |[Global Administrator](../active-directory/roles/permissions-reference.md#global-administrator), [Privileged Role Administrator](../active-directory/roles/permissions-reference.md#privileged-role-administrator)|
+|[User flows](user-flow-overview.md)|For quick configuration and enablement of common identity tasks, like sign-up, sign-in, and profile editing.| [External ID User Flow Attribute Administrator](../active-directory/roles/permissions-reference.md#external-id-user-flow-administrator)|
+|[Custom policies](user-flow-overview.md)| Create, read, update, and delete all custom policies in Azure AD B2C.| [B2C IEF Policy Administrator](../active-directory/roles/permissions-reference.md#b2c-ief-policy-administrator)|
+|[Policy keys](policy-keys-overview.md)|Add and manage encryption keys for signing and validating tokens, client secrets, certificates, and passwords used in custom policies.|[B2C IEF Keyset Administrator](../active-directory/roles/permissions-reference.md#b2c-ief-keyset-administrator)|
++
+## Add an administrator (work account)
+
+To create a new administrative account, follow these steps:
+
+1. Sign in to the [Azure portal](https://portal.azure.com/) with Global Administrator or Privileged Role Administrator permissions.
+1. Select the **Directory + subscription** filter in the top menu, and then select the directory that contains your Azure AD B2C tenant.
+1. Under **Azure services**, select **Azure AD B2C**. Or use the search box to find and select **Azure AD B2C**.
+1. Under **Manage**, select **Users**.
+1. Select **New user**.
+1. On the **User** page, enter information for this user:
+
+ - **Name**. Required. The first and last name of the new user. For example, *Mary Parker*.
+ - **User name**. Required. The user name of the new user. For example, `mary@contoso.com`.
+ The domain part of the user name must use either the initial default domain name, *\<yourdomainname>.onmicrosoft.com*.
+ - **Groups**. Optionally, you can add the user to one or more existing groups. You can also add the user to groups at a later time.
+ - **Directory role**: If you require Azure AD administrative permissions for the user, you can add them to an Azure AD role. You can assign the user to be a Global administrator or one or more of the limited administrator roles in Azure AD. For more information about assigning roles, see [Use roles to control resource access](#use-roles-to-control-resource-access).
+ - **Job info**: You can add more information about the user here, or do it later.
+
+1. Copy the autogenerated password provided in the **Password** box. You'll need to give this password to the user to sign in for the first time.
+1. Select **Create**.
+
+The user is created and added to your Azure AD B2C tenant. It's preferable to have at least one work account native to your Azure AD B2C tenant assigned the Global Administrator role. This account can be considered a break-glass account.
+
+## Invite an administrator (guest account)
+
+You can also invite a new guest user to manage your tenant. The guest account is the preferred option when your organization also has Azure AD because the lifecycle of this identity can be managed externally.
+
+To invite a user, follow these steps:
+
+1. Sign in to the [Azure portal](https://portal.azure.com/) with Global Administrator or Privileged Role Administrator permissions.
+1. Select the **Directory + subscription** filter in the top menu, and then select the directory that contains your Azure AD B2C tenant.
+1. Under **Azure services**, select **Azure AD B2C**. Or use the search box to find and select **Azure AD B2C**.
+1. Under **Manage**, select **Users**.
+1. Select **New guest account**.
+1. On the **User** page, enter information for this user:
+
+ - **Name**. Required. The first and last name of the new user. For example, *Mary Parker*.
+ - **Email address**. Required. The email address of the user you would like to invite. For example, `mary@contoso.com`.
+ - **Personal message**: You add a personal message that will be included in the invite email.
+ - **Groups**. Optionally, you can add the user to one or more existing groups. You can also add the user to groups at a later time.
+ - **Directory role**: If you require Azure AD administrative permissions for the user, you can add them to an Azure AD role. You can assign the user to be a Global administrator or one or more of the limited administrator roles in Azure AD. For more information about assigning roles, see [Use roles to control resource access](#use-roles-to-control-resource-access).
+ - **Job info**: You can add more information about the user here, or do it later.
+
+1. Select **Create**.
+
+An invitation email is sent to the user. The user needs to accept the invitation to be able to sign in.
+
+### Resend the invitation email
+
+If the guest didn't receive the invitation email, or the invitation expired, you can resend the invite. As an alternative to the invitation email, you can give a guest a direct link to accept the invitation. To resend the invitation and get the direct link:
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+1. Select the **Directory + subscription** filter in the top menu, and then select the directory that contains your Azure AD B2C tenant.
+1. Under **Azure services**, select **Azure AD B2C**. Or use the search box to find and select **Azure AD B2C**.
+1. Under **Manage**, select **Users**.
+1. Search for and select the user you want to resend the invite to.
+1. In the **User | Profile** page, under **Identity**, select **(Manage)**.
+
+ ![Screenshot shows how to resend guest account invitation email.](./media/tenant-management/guest-account-resend-invite.png)
+
+1. For **Resend invite?**, select **Yes**. When **Are you sure you want to resend an invitation?** appears, select **Yes**.
+1. Azure AD B2C sends the invitation. You can also copy the invitation URL and provide it directly to the guest.
+
+ ![Screenshot shows how get the invitation URL.](./media/tenant-management/guest-account-invitation-url.png)
+
+## Add a role assignment
+
+You can assign a role when you [create a user](#add-an-administrator-work-account) or [invite a guest user](#invite-an-administrator-guest-account). You can add a role, change the role, or remove a role for a user:
+
+1. Sign in to the [Azure portal](https://portal.azure.com/) with Global Administrator or Privileged Role Administrator permissions.
+1. Select the **Directory + subscription** filter in the top menu, and then select the directory that contains your Azure AD B2C tenant.
+1. Under **Azure services**, select **Azure AD B2C**. Or use the search box to find and select **Azure AD B2C**.
+1. Under **Manage**, select **Users**.
+1. Select the user you want to change the roles for. Then select **Assigned roles**.
+1. Select **Add assignments**, select the role to assign (for example, *Application administrator*), and then choose **Add**.
+
+## Remove a role assignment
+
+If you need to remove a role assignment from a user, follow these steps:
+
+1. Select **Azure AD B2C**, select **Users**, and then search for and select the user.
+1. Select **Assigned roles**. Select the role you want to remove, for example *Application administrator*, and then select **Remove assignment**.
+
+## Review administrator account role assignments
+
+As part of an auditing process, you typically review which users are assigned to specific roles in the Azure AD B2C directory. Use the following steps to audit which users are currently assigned privileged roles.
+
+1. Sign in to the [Azure portal](https://portal.azure.com/) with Global Administrator or Privileged Role Administrator permissions.
+1. Select the **Directory + subscription** filter in the top menu, and then select the directory that contains your Azure AD B2C tenant.
+1. Under **Azure services**, select **Azure AD B2C**. Or use the search box to find and select **Azure AD B2C**.
+1. Under **Manage**, select **Roles and administrators**.
+1. Select a role, such as **Global administrator**. The **Role | Assignments** page lists the users with that role.
+
+## Delete an administrator account
+
+To delete an existing user, you must have a *Global administrator* role assignment. Global admins can delete any user, including other admins. *User administrators* can delete any non-admin user.
+
+1. In your Azure AD B2C directory, select **Users**, and then select the user you want to delete.
+1. Select **Delete**, and then **Yes** to confirm the deletion.
+
+The user is deleted and no longer appears on the **Users - All users** page. The user can be seen on the **Deleted users** page for the next 30 days and can be restored during that time. For more information about restoring a user, see [Restore or remove a recently deleted user using Azure Active Directory](../active-directory/fundamentals/active-directory-users-restore.md).
+
+## Protect administrative accounts
+
+It's recommended that you protect all administrator accounts with multi-factor authentication (MFA) for more security. MFA is an identity verification process during sign-in that prompts the user for a more form of identification, such as a verification code on their mobile device or a request in their Microsoft Authenticator app.
+
+![Authentication methods in use at the sign-in screenshot](./media/tenant-management/sing-in-with-multi-factor-authentication.png)
+
+You can enable [Azure AD security defaults](../active-directory/fundamentals/concept-fundamentals-security-defaults.md) to force all administrative accounts to use MFA.
+++
+## Next steps
+
+- [Create an Azure Active Directory B2C tenant in the Azure portal](tutorial-create-tenant.md)
+
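Review bot: The permission statement in "Delete an administrator account" contradicts itself: it says you must have a *Global administrator* role assignment to delete an existing user, then says *User administrators* can delete any non-admin user. Since the section is about deleting administrator accounts, state the requirement for that case only and move the User administrator sentence to a note. Two wording fixes in the same file: under **User name**, "must use either the initial default domain name" has no second alternative after "either", and in "Protect administrative accounts", "prompts the user for a more form of identification" is missing a word. The step that says "You'll need to give this password to the user" should also say how to deliver the autogenerated password.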
active-directory App Objects And Service Principals https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/app-objects-and-service-principals.md
Previously updated : 02/15/2021 Last updated : 04/16/2021
The Microsoft Graph [Application entity][MS-Graph-App-Entity] defines the schema
## Service principal object To access resources that are secured by an Azure AD tenant, the entity that requires access must be represented by a security principal. This requirement is true for both users (user principal) and applications (service principal). The security principal defines the access policy and permissions for the user/application in the Azure AD tenant. This enables core features such as authentication of the user/application during sign-in, and authorization during resource access.
-A service principal is the local representation, or application instance, of a global application object in a single tenant or directory. A service principal is a concrete instance created from the application object and inherits certain properties from that application object. A service principal is created in each tenant where the application is used and references the globally unique app object. The service principal object defines what the app can actually do in the specific tenant, who can access the app, and what resources the app can access.
+There are three types of service principal: application, managed identity, and legacy.
+
+The first type of service principal is the local representation, or application instance, of a global application object in a single tenant or directory. In this case, a service principal is a concrete instance created from the application object and inherits certain properties from that application object. A service principal is created in each tenant where the application is used and references the globally unique app object. The service principal object defines what the app can actually do in the specific tenant, who can access the app, and what resources the app can access.
When an application is given permission to access resources in a tenant (upon registration or [consent](developer-glossary.md#consent)), a service principal object is created. You can also create service principal objects in a tenant using [Azure PowerShell](howto-authenticate-service-principal-powershell.md), [Azure CLI](/cli/azure/create-an-azure-service-principal-azure-cli), [Microsoft Graph](/graph/api/serviceprincipal-post-serviceprincipals?tabs=http), the [Azure portal][AZURE-Portal], and other tools. When using the portal, a service principal is created automatically when you register an application.
-The **Enterprise applications** blade in the portal is used to list and manage the service principals in a tenant. You can see the service principal's permissions, user consented permissions, which users have done that consent, sign in information, and more.
+The second type of service principal is used to represent a [managed identity](/azure/active-directory/managed-identities-azure-resources/overview). Managed identities eliminate the need for developers to manage credentials. Managed identities provide an identity for applications to use when connecting to resources that support Azure AD authentication. When a managed identity is enabled, a service principal representing that managed identity is created in your tenant. Service principals representing managed identities can be granted access and permissions, but cannot be updated or modified directly.
-![Enterprise apps blade](./media/app-objects-and-service-principals/enterprise-apps-blade.png)
+The third type of service principal represents a legacy app (an app created before app registrations were introduced or created through legacy experiences). A legacy service principal can have credentials, service principal names, reply URLs, and other properties which are editable by an authorized user, but does not have an associated app registration. The service principal can only be used in the tenant where it was created.
The Microsoft Graph [ServicePrincipal entity][MS-Graph-Sp-Entity] defines the schema for a service principal object's properties.
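Review bot: The legacy paragraph says such a service principal "can have credentials, service principal names, reply URLs, and other properties which are editable by an authorized user" with no associated app registration, but does not say where an administrator finds and reviews those credentials or which role counts as "authorized". Add a sentence pointing to where legacy service principals are listed; the **Enterprise applications** blade paragraph moved further down is the natural place. Also, the new opening sentence names the types as application, managed identity, and legacy, while the paragraphs refer to them only as first, second, and third; naming the type in each paragraph would make them easier to scan.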
+The **Enterprise applications** blade in the portal is used to list and manage the service principals in a tenant. You can see the service principal's permissions, user consented permissions, which users have done that consent, sign in information, and more.
+
+![Enterprise apps blade](./media/app-objects-and-service-principals/enterprise-apps-blade.png)
+ ## Relationship between application objects and service principals The application object is the *global* representation of your application for use across all tenants, and the service principal is the *local* representation for use in a specific tenant.
active-directory Msal Net Migration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/msal-net-migration.md
To use MSAL.NET you will need to add the [Microsoft.Identity.Client](https://www
### Scopes not resources
-ADAL.NET acquires tokens for *resources*, but MSAL.NET acquires tokens for *scopes*. A number of MSAL.NET AcquireToken overrides require a parameter called scopes(`IEnumerable<string> scopes`). This parameter is a simple list of strings that declare the desired permissions and resources that are requested. Well-known scopes are the [Microsoft Graph's scopes](https://docs.microsoft.com/graph/permissions-reference).
+ADAL.NET acquires tokens for *resources*, but MSAL.NET acquires tokens for *scopes*. A number of MSAL.NET AcquireToken overrides require a parameter called scopes(`IEnumerable<string> scopes`). This parameter is a simple list of strings that declare the desired permissions and resources that are requested. Well-known scopes are the [Microsoft Graph's scopes](/graph/permissions-reference).
It's also possible in MSAL.NET to access v1.0 resources. See details in [Scopes for a v1.0 application](#scopes-for-a-web-api-accepting-v10-tokens).
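Review bot: While this line is being touched for the link, "scopes(`IEnumerable<string> scopes`)" is missing a space before the parenthesis, and "AcquireToken overrides" should read "overloads", since these are methods that differ by parameter list rather than overridden members.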
active-directory Conditional Access https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/external-identities/conditional-access.md
The resource tenant is always responsible for Azure AD Multi-Factor Authenticati
6. Fabrikam must have sufficient premium Azure AD licenses that support Azure AD Multi-Factor Authentication. The user from Contoso then consumes this license from Fabrikam. See [billing model for Azure AD external identities](./external-identities-pricing.md) for information on the B2B licensing. >[!NOTE]
->Azure AD Multi-Factor Authentication is done at resource tenancy to ensure predictability.
+>Azure AD Multi-Factor Authentication is done at resource tenancy to ensure predictability. When the guest user signs in, they'll see the resource tenant sign-in page displayed in the background, and their own home tenant sign-in page and company logo in the foreground, as shown in the following example.
+>
+>![Sign-in page example](./media/conditional-access-b2b/resource-tenant-mfa.png)
+ ### Set up Azure AD Multi-Factor Authentication for B2B users
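Review bot: The added sentence puts a UI description inside a note whose purpose was the rationale ("to ensure predictability"), and the screenshot's alt text "Sign-in page example" does not say what the reader should see. Move the description into the body text and make the alt text state which tenant's page is in the background and which is in the foreground, since a guest who sees two tenants' branding at once needs to know this is the expected sign-in experience.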
For more information, see the following articles on Azure AD B2B collaboration:
- [What is Azure AD B2B collaboration?](./what-is-b2b.md) - [Identity Protection and B2B users](../identity-protection/concept-identity-protection-b2b.md) - [External Identities pricing](https://azure.microsoft.com/pricing/details/active-directory/)-- [Frequently Asked Questions (FAQs)](./faq.md)
+- [Frequently Asked Questions (FAQs)](./faq.md)
active-directory Concept All Sign Ins https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/reports-monitoring/concept-all-sign-ins.md
description: Introduction to the sign-in activity reports in the Azure Active Di
documentationcenter: '' -+ editor: '' ms.assetid: 4b18127b-d1d0-4bdc-8f9c-6a4c991c5f75
na Previously updated : 04/16/2021 Last updated : 04/19/2021
# Azure Active Directory sign-in activity reports - preview
-The Azure Active Directory portal gives you access to three activity logs:
+As an IT administrator, you want to know how your IT environment is doing. The information about your systemΓÇÖs health enables you to assess whether and how you need to respond to potential issues.
+
+To support you with this goal, the Azure Active Directory portal gives you access to three activity logs:
- **Sign-ins** ΓÇô Information about sign-ins and how your resources are used by your users. - **[Audit](concept-audit-logs.md)** ΓÇô Information about changes applied to your tenant such as users and group management or updates applied to your tenantΓÇÖs resources.
active-directory Concept Sign Ins https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/reports-monitoring/concept-sign-ins.md
description: Introduction to sign-in activity reports in the Azure Active Direct
documentationcenter: '' -+ editor: '' ms.assetid: 4b18127b-d1d0-4bdc-8f9c-6a4c991c5f75
na Previously updated : 04/16/2021 Last updated : 04/19/2021
# Sign-in activity reports in the Azure Active Directory portal
-The Azure Active Directory portal gives you access to three activity logs:
+As an IT administrator, you want to know how your IT environment is doing. The information about your systemΓÇÖs health enables you to assess whether and how you need to respond to potential issues.
+
+To support you with this goal, the Azure Active Directory portal gives you access to three activity logs:
- **Sign-ins** ΓÇô Information about sign-ins and how your resources are used by your users. - **[Audit](concept-audit-logs.md)** ΓÇô Information about changes applied to your tenant such as users and group management or updates applied to your tenantΓÇÖs resources.
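Review bot: The same two-sentence introduction is added verbatim to both concept-all-sign-ins.md and concept-sign-ins.md, so future edits will have to be made twice; consider a shared include. In the added text, "how your IT environment is doing" is vague for an article about sign-in logs, so say what the logs let the administrator assess. The apostrophe in "system's health" is a typographic quote that renders as garbled characters here; use a straight apostrophe.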
active-directory Reference Sign Ins Error Codes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/reports-monitoring/reference-sign-ins-error-codes.md
- Title: Error codes in the Azure Active Directory portal | Microsoft Docs
-description: Reference of sign-in activity report error codes.
-------- Previously updated : 02/28/2020------
-# Sign-in activity report error codes
-
-With the information provided by the [user sign-ins report](concept-sign-ins.md), you find answers to questions such as:
--- Who signed in to my application?-- Which applications were signed in to?-- Which sign-ins failed and why?-
-When a sign-in fails, you see an error code corresponding to the failure. [Find the description for an error code](https://login.microsoftonline.com/error).
----
-
--
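Review bot: This removes reference-sign-ins-error-codes.md entirely, and nothing in the visible change adds a redirect or moves its one actionable pointer, the error code lookup at https://login.microsoftonline.com/error. Add a redirect for the deleted article and carry the lookup link into concept-sign-ins.md, which the deleted page itself linked to, so readers investigating a failed sign-in can still get from an error code to its description.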
active-directory Issue Verify Verifiable Credentials Your Tenant https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/verifiable-credentials/issue-verify-verifiable-credentials-your-tenant.md
Follow the same steps we followed in the previous tutorial to issue the verifiab
![add credential screen after authenticating](media/enable-your-tenant-verifiable-credentials/add-credential-not-verified-authenticated.png)
-We have now issued a verifiable credential using our tenant to generate our vc while still using our B2C tenant for authentication.
+We have now issued a verifiable credential using your tenant to generate your vc while still using the original B2C tenant for authentication.
![vc issued by your azure AD and authenticated by our Azure B2C instance](media/enable-your-tenant-verifiable-credentials/my-vc-b2c.png) ## Test verifying the VC using the sample app
-Now that we've issued the verifiable credential from our own tenant with claims from your Azure AD, let's verify it using our sample app.
+Now that we've issued the verifiable credential from your own tenant with claims from your Azure AD, let's verify it using the sample app.
1. Stop running your issuer ngrok service.
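Review bot: After the pronoun change the two sentences mix voices: "We have now issued a verifiable credential using your tenant to generate your vc" and "Now that we've issued the verifiable credential from your own tenant". Use one subject per sentence (for example "You have now issued ..."), and capitalize "vc" as "VC" to match the heading "Test verifying the VC using the sample app".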
active-directory Issuer Openid https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/verifiable-credentials/issuer-openid.md
# Issuer service communication examples (Preview)
-The verifiable credential issuer service can issue verifiable credentials by retrieving claims from an ID token generated by your organization's OpenID compliant identity provider. This article instructs you on how to set up your identity provider so Authenticator can communicate with it and retrieve the correct ID Token to pass to the issuing service.
+The Azure AD Verifiable Credential service can issue verifiable credentials by retrieving claims from an ID token generated by your organization's OpenID compliant identity provider. This article instructs you on how to set up your identity provider so Authenticator can communicate with it and retrieve the correct ID Token to pass to the issuing service.
> [!IMPORTANT] > Azure Active Directory Verifiable Credentials is currently in public preview.
To issue a Verifiable Credential, Authenticator is instructed through downloadin
| - | -- | | Grant type | Must support the authorization code grant type. | | Token format | Must produce unencrypted compact JWTs. |
-| Signature algorithm | Must produce JWTs signed using RSA 256. |
+| Signature algorithm | Must produce JWTs signed using RS 256. |
| Configuration document | Must support OpenID Connect configuration document and `jwks_uri`. |
-| Client registration | Must support public client registration using a `redirect_uri` value of `vclient://openid/`. |
+| Client registration | Must support public client registration using a `redirect_uri` value of `vcclient://openid/`. |
| PKCE | Recommended for security reasons, but not required. | Examples of the HTTP requests sent to your identity provider are included below. Your identity provider must accept and respond to these requests in accordance with the OpenID Connect authentication standard.
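Review bot: In the Signature algorithm row, "RS 256" with a space is not the value an identity provider administrator will see or configure; the JWT `alg` identifier is `RS256`. Write it as `RS256` in code formatting, the same way the corrected `vcclient://openid/` redirect URI is formatted in the Client registration row, so both values can be copied exactly.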
The ID token must use the JWT compact serialization format, and must not be encr
## Next steps -- [How to customize your Azure Active Directory Verifiable Credentials](credential-design.md)
+- [How to customize your Azure Active Directory Verifiable Credentials](credential-design.md)
aks Private Clusters https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/private-clusters.md
The following parameters can be leveraged to configure Private DNS Zone.
* The AKS Preview version 0.5.7 or later * The api version 2020-11-01 or later
-### Create a private AKS cluster with Private DNS Zone (Preview)
+### Create a private AKS cluster with Private DNS Zone
```azurecli-interactive az aks create -n <private-cluster-name> -g <private-cluster-resource-group> --load-balancer-sku standard --enable-private-cluster --enable-managed-identity --assign-identity <ResourceId> --private-dns-zone [system|none] ```
-### Create a private AKS cluster with a Custom Private DNS Zone (Preview)
+### Create a private AKS cluster with a Custom Private DNS Zone
```azurecli-interactive az aks create -n <private-cluster-name> -g <private-cluster-resource-group> --load-balancer-sku standard --enable-private-cluster --enable-managed-identity --assign-identity <ResourceId> --private-dns-zone <custom private dns zone ResourceId> --fqdn-subdomain <subdomain-name>
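Review bot: Both headings drop "(Preview)", but the prerequisites just above still list "The AKS Preview version 0.5.7 or later". If the Private DNS Zone options are no longer in preview, update or remove that prerequisite in the same change; if the preview extension is still needed for `--private-dns-zone` or `--fqdn-subdomain`, keep the label on the heading that needs it.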
api-management How To Deploy Self Hosted Gateway Docker https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/how-to-deploy-self-hosted-gateway-docker.md
editor: ''
Previously updated : 04/26/2020 Last updated : 04/19/2021
This article provides the steps for deploying self-hosted gateway component of A
2. Select the gateway resource you intend to deploy. 3. Select **Deployment**. 4. Note that an access token in the **Token** text box was autogenerated for you using the default **Expiry** and **Secret key** values. If needed, pick desired values in either or both controls to generate a new token.
-4. Make sure **Docker** is selected under **Deployment scripts**.
-5. Select **env.conf** file link next to the **Environment** to download the file.
-6. Select **copy** icon located at the right end of the **Run** text box to copy the Docker command to clipboard.
-7. Paste the command to the terminal (or command) window. Adjust the port mappings and container name as needed. Note that the command assumes that downloaded environment file is present in the current directory.
-```
- docker run -d -p 80:8080 -p 443:8081 --name <gateway-name> --env-file env.conf mcr.microsoft.com/azure-api-management/gateway:<tag>
-```
-8. Execute the command. The command instructs your Docker environment to run the container using [container image](https://aka.ms/apim/sputnik/dhub) downloaded from the Microsoft Container Registry, and to map the container's HTTP (8080) and HTTPS (8081) ports to ports 80 and 443 on the host.
-9. Run the below command to check if the gateway container is running:
-```console
-docker ps
-CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
-895ef0ecf13b mcr.microsoft.com/azure-api-management/gateway:latest "/bin/sh -c 'dotnet …" 5 seconds ago Up 3 seconds 0.0.0.0:80->8080/tcp, 0.0.0.0:443->8081/tcp my-gateway
-```
+5. Make sure **Docker** is selected under **Deployment scripts**.
+6. Select **env.conf** file link next to the **Environment** to download the file.
+7. Select **copy** icon located at the right end of the **Run** text box to copy the Docker command to clipboard.
+8. Paste the command to the terminal (or command) window. Adjust the port mappings and container name as needed. Note that the command assumes that downloaded environment file is present in the current directory.
+ ```
+ docker run -d -p 80:8080 -p 443:8081 --name <gateway-name> --env-file env.conf mcr.microsoft.com/azure-api-management/gateway:<tag>
+ ```
+9. Execute the command. The command instructs your Docker environment to run the container using [container image](https://aka.ms/apim/sputnik/dhub) downloaded from the Microsoft Container Registry, and to map the container's HTTP (8080) and HTTPS (8081) ports to ports 80 and 443 on the host.
+10. Run the below command to check if the gateway container is running:
+ ```console
+ docker ps
+ CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
+ 895ef0ecf13b mcr.microsoft.com/azure-api-management/gateway:latest "/bin/sh -c 'dotnet …" 5 seconds ago Up 3 seconds 0.0.0.0:80->8080/tcp, 0.0.0.0:443->8081/tcp my-gateway
+ ```
10. Go back to Azure portal, click on **Overview** and confirm that self-hosted gateway container you just deployed is reporting a healthy status.
-![gateway status](media/how-to-deploy-self-hosted-gateway-docker/status.png)
+ ![gateway status](media/how-to-deploy-self-hosted-gateway-docker/status.png)
> [!TIP] > Use <code>console docker container logs <gateway-name></code> command to view a snapshot of self-hosted gateway log.
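Review bot: The renumbering leaves two steps numbered 10: the new "10. Run the below command to check if the gateway container is running" and the unchanged "10. Go back to Azure portal" step that follows it, which should become 11. In the tip below, `<code>console docker container logs <gateway-name></code>` still has a stray "console" in front of the command.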
app-service Configure Language Java https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/configure-language-java.md
Otherwise, your deployment method will depend on your archive type:
### Java SE
-To deploy .jar files to Java SE, use the `/api/zipdeploy/` endpoint of the Kudu site. For more information on this API, please see [this documentation](./deploy-zip.md#rest).
+To deploy .jar files to Java SE, use the `/api/zipdeploy/` endpoint of the Kudu site. For more information on this API, please see [this documentation](./deploy-zip.md#rest).
+
+> [!NOTE]
+> Your .jar application must be named `app.jar` for App Service to identify and run your application. The Maven Plugin (mentioned above) will automatically rename your application for you during deployment. If you do not wish to rename your JAR to *app.jar*, you can upload a shell script with the command to run your .jar app. Paste the absolute path to this script in the [Startup File](faq-app-service-linux.md#built-in-images) textbox in the Configuration section of the Portal. The startup script does not run from the directory into which it is placed. Therefore, always use absolute paths to reference files in your startup script (for example: `java -jar /home/myapp/myapp.jar`).
### Tomcat
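Review bot: The note tells the reader to "upload a shell script" and paste its absolute path into the Startup File box, but does not say where the script should be uploaded, so the reader cannot know which path to paste. Give an example location for the script, the same way the note gives `java -jar /home/myapp/myapp.jar` for the JAR. "The Maven Plugin (mentioned above)" would also be clearer as a link to that section.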
application-gateway Application Gateway Metrics https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/application-gateway/application-gateway-metrics.md
Previously updated : 06/06/2020 Last updated : 04/19/2021
Application Gateway publishes data points, called metrics, to [Azure Monitor](..
Application Gateway provides several builtΓÇæin timing metrics related to the request and response, which are all measured in milliseconds.
-![Diagram of timing metrics, for the Application Gateway.](./media/application-gateway-metrics/application-gateway-metrics.jpg)
> [!NOTE] >
automation Deploy Updates https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/update-management/deploy-updates.md
Title: How to create update deployments for Azure Automation Update Management
description: This article describes how to schedule update deployments and review their status. Previously updated : 03/19/2021 Last updated : 04/19/2021
To schedule a new update deployment, perform the following steps. Depending on t
7. Use the **Update classifications** region to specify [update classifications](view-update-assessments.md#work-with-update-classifications) for products. For each product, deselect all supported update classifications but the ones to include in your update deployment.
+ :::image type="content" source="./media/deploy-updates/update-classifications-example.png" alt-text="Example showing selection of specific update classifications.":::
+ If your deployment is meant to apply only a select set of updates, it is necessary to deselect all the pre-selected update classifications when configuring the **Include/exclude updates** option as described in the next step. This ensures only the updates you have specified to *include* in this deployment are installed on the target machines.
+ >[!NOTE]
+ > Deploying updates by update classification doesn't work on RTM versions of CentOS. To properly deploy updates for CentOS, select all classifications to make sure updates are applied. There's currently no supported method to enable native classification-data availability on CentOS. See the following for more information about [Update classifications](overview.md#update-classifications).
+ 8. Use the **Include/exclude updates** region to add or exclude selected updates from the deployment. On the **Include/Exclude** page, you enter KB article ID numbers to include or exclude for Windows updates. For supported Linux distros, you specify the package name.
+ :::image type="content" source="./media/deploy-updates/include-specific-updates-example.png" alt-text="Example showing how to include specific updates.":::
+ > [!IMPORTANT] > Remember that exclusions override inclusions. For instance, if you define an exclusion rule of `*`, Update Management excludes all patches or packages from the installation. Excluded patches still show as missing from the machines. For Linux machines, if you include a package that has a dependent package that has been excluded, Update Management doesn't install the main package. > [!NOTE] > You can't specify updates that have been superseded to include in the update deployment.
+ Here are some example scenarios to help you understand how to use inclusion/exclusion and update classification simultaneously in update deployments:
+
+ * If you only want to install a specific list of updates, you should not select any **Update classifications** and provide a list of updates to be applied using **Include** option.
+
+ * If you want to install only security and critical updates, along with one or more optional driver updates, you should select **Security** and **Critical** under **Update classifications**. Then for the **Include** option, specify the driver updates.
+
+ * If you want to install only security and critical updates, but skip one or more updates for python to avoid breaking your legacy application, you should select **Security** and **Critical** under **Update classifications**. Then for the **Exclude** option add the python packages to skip.
+ 9. Select **Schedule settings**. The default start time is 30 minutes after the current time. You can set the start time to any time from 10 minutes in the future. > [!NOTE]
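Review bot: The CentOS note added under step 7 says to "select all classifications to make sure updates are applied", while the first example scenario under step 8 says "you should not select any **Update classifications**" when installing a specific list, and the article does not say which instruction applies on CentOS. State in the note how the **Include** list behaves on CentOS machines. In the same note, "See the following for more information about [Update classifications]" can be shortened to "For more information, see [Update classifications]", and "python" in the last scenario should be capitalized.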
azure-cache-for-redis Cache Dotnet How To Use Azure Redis Cache https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-cache-for-redis/cache-dotnet-how-to-use-azure-redis-cache.md
Edit the *CacheSecrets.config* file and add the following contents:
```xml <appSettings>
- <add key="CacheConnection" value="<cache-name>.redis.cache.windows.net,abortConnect=false,ssl=true,allowAdmin=true,password=<access-key>"/>
+ <add key="CacheConnection" value="<host-name>,abortConnect=false,ssl=true,allowAdmin=true,password=<access-key>"/>
</appSettings> ```
-Replace `<cache-name>` with your cache host name.
+Replace `<host-name>` with your cache host name.
Replace `<access-key>` with the primary key for your cache.
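Review bot: With the placeholder renamed to `<host-name>`, the sample no longer shows the form the value takes, which the old line made visible as `<cache-name>.redis.cache.windows.net`. Add that form to "Replace `<host-name>` with your cache host name" so readers do not enter only the cache name. The value also keeps `allowAdmin=true` next to the access key; if the quickstart does not need admin commands, drop `allowAdmin=true` from the sample.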
In this quickstart, you learned how to use Azure Cache for Redis from a .NET app
Want to optimize and save on your cloud spending? > [!div class="nextstepaction"]
-> [Start analyzing costs with Cost Management](../cost-management-billing/costs/quick-acm-cost-analysis.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn)
+> [Start analyzing costs with Cost Management](../cost-management-billing/costs/quick-acm-cost-analysis.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn)
azure-cache-for-redis Cache High Availability https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-cache-for-redis/cache-high-availability.md
Azure Cache for Redis implements high availability by using multiple VMs, called
| Option | Description | Availability | Standard | Premium | Enterprise | | - | - | - | :: | :: | :: | | [Standard replication](#standard-replication)| Dual-node replicated configuration in a single datacenter with automatic failover | 99.9% (see [details](https://azure.microsoft.com/support/legal/sla/cache/v1_0/)) |Γ£ö|Γ£ö|-|
-| [Zone redundancy](#zone-redundancy) | Multi-node replicated configuration across AZs, with automatic failover | Up to 99.99% (see [details](https://azure.microsoft.com/support/legal/sla/cache/v1_0/)) |-|Preview|Preview|
+| [Zone redundancy](#zone-redundancy) | Multi-node replicated configuration across AZs, with automatic failover | Up to 99.99% (see [details](https://azure.microsoft.com/support/legal/sla/cache/v1_0/)) |-|Preview|Γ£ö|
| [Geo-replication](#geo-replication) | Linked cache instances in two regions, with user-controlled failover | Up to 99.999% (see [details](https://azure.microsoft.com/support/legal/sla/cache/v1_0/)) |-|Γ£ö|Preview| ## Standard replication
azure-functions Configure Networking How To https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/configure-networking-how-to.md
To set up a function with a storage account restricted to a private network:
1. Create or configure a different storage account. This will be the storage account we secure with service endpoints and connect our function.
-1. [Create a file share](../storage/files/storage-how-to-create-file-share.md#create-file-share) in the secured storage account.
+1. [Create a file share](../storage/files/storage-how-to-create-file-share.md#create-a-file-share) in the secured storage account.
1. Enable service endpoints or private endpoint for the storage account. * If using private endpoint connections, the storage account will need a private endpoint for the `file` and `blob` sub-resources. If using certain capabilities like Durable Functions, you will also need `queue` and `table` accessible through a private endpoint connection.
azure-functions Functions Triggers Bindings https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-triggers-bindings.md
For languages that rely on function.json, the portal provides a UI for adding bi
In .NET and Java, the parameter type defines the data type for input data. For instance, use `string` to bind to the text of a queue trigger, a byte array to read as binary, and a custom type to de-serialize to an object. Since .NET class library functions and Java functions don't rely on *function.json* for binding definitions, they can't be created and edited in the portal. C# portal editing is based on C# script, which uses *function.json* instead of attributes.
-To learn more about how to adding bindings to existing functions, see [Connect functions to Azure services using bindings](add-bindings-existing-function.md).
+To learn more about how to add bindings to existing functions, see [Connect functions to Azure services using bindings](add-bindings-existing-function.md).
For languages that are dynamically typed such as JavaScript, use the `dataType` property in the *function.json* file. For example, to read the content of an HTTP request in binary format, set `dataType` to `binary`:
azure-maps Tutorial Iot Hub Maps https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-maps/tutorial-iot-hub-maps.md
The following figure highlights the geofence area in blue. The rental car's rout
## Create an Azure storage account
-To store car violation tracking data, create a [general-purpose v2 storage account](../storage/common/storage-account-overview.md#general-purpose-v2-accounts) in your resource group. If you haven't created a resource group, follow the directions in [create a resource group](../azure-resource-manager/management/manage-resource-groups-portal.md#create-resource-groups). In this tutorial, you'll name your resource group *ContosoRental*.
+To store car violation tracking data, create a [general-purpose v2 storage account](../storage/common/storage-account-overview.md) in your resource group. If you haven't created a resource group, follow the directions in [create a resource group](../azure-resource-manager/management/manage-resource-groups-portal.md#create-resource-groups). In this tutorial, you'll name your resource group *ContosoRental*.
To create a storage account, follow the instructions in [create a storage account](../storage/common/storage-account-create.md?tabs=azure-portal). In this tutorial, name the storage account *contosorentalstorage*, but in general you can name it anything you like.
azure-monitor Agent Linux https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/agents/agent-linux.md
The python2 executable must be aliased to *python*. Following is one method that
``` ## Supported Linux hardening
-The OMS Agent has limited customization support for Linux.
+The OMS Agent has limited customization and hardening support for Linux.
The following are currently supported: - FIPs
-The following are in consideration but not yet supported:
+The following are not supported:
- CIS - SELINUX
-Other hardening and customization methods are not supported nor planned for OMS Agent.
+CIS and SELINUX hardening support is planned for [Azure Monitoring Agent](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-overview). Further hardening and customization methods are not supported nor planned for OMS Agent.
## Agent prerequisites
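Review bot: The added sentence names the successor "Azure Monitoring Agent", but the link target is `azure-monitor-agent-overview`, so the product name should read "Azure Monitor Agent". Suggest also using a relative link, as the other articles in this batch do, instead of the absolute `https://docs.microsoft.com/...` URL. "SELINUX" and "FIPs" should be written "SELinux" and "FIPS", and "not supported nor planned" should be "neither supported nor planned".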
azure-monitor Alerts Resource Move https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/alerts/alerts-resource-move.md
Last updated 02/14/2021
# How to update alert rules or action rules when their target resource moves to a different Azure region
-This article describes why existing [alert rules](./alerts-overview.md) and [action rules](./alerts-action-rules.md) may be impacted when you move other Azure resources between regions, and how to identify and resolve those issues. Check the main [resource move documentation](../../azure-resource-manager/management/move-region.md) for additional information on when is resource move between regions useful and a checklist of designing a move process.
+This article describes why existing [alert rules](./alerts-overview.md) and [action rules](./alerts-action-rules.md) may be impacted when you move other Azure resources between regions, and how to identify and resolve those issues. Check the main [resource move documentation](../../azure-resource-manager/management/move-resources-overview.md) for additional information on when is resource move between regions useful and a checklist of designing a move process.
## Why the problem exists
If **only some** of the resources in the scope have moved, you need to remove th
- **For alert rules** - Navigate to Alerts > Manage alert rules > filter by the containing subscription and the moved resource. > [!NOTE]
-> Activity Log alert rules do not support this process. ItΓÇÖs not possible to update the scope of an activity log alert rule and have it point to a resource in another subscription. Instead you can create a new rule that will replace the old one.
+> Activity Log alert rules do not support this process. It's not possible to update the scope of an activity log alert rule and have it point to a resource in another subscription. Instead you can create a new rule that will replace the old one.
- **For action rules** - Navigate to Alerts > Manage actions > Action rules (preview) > filter by the containing subscription and the moved resource.
Navigate to Alerts > Manage actions > Action rules (preview) > filter by the con
### Change the scope of a rule using Azure Resource Manager templates
-1. Obtain the Azure Resource Manager template of the rule. To export the template of a rule from the Azure portal:
+1. Obtain the Azure Resource Manager template of the rule. To export the template of a rule from the Azure portal:
1. Navigate to the Resource Groups section in the portal and open the resource group containing the rule. 2. In the Overview section, check the **Show hidden type** checkbox, and filter by the relevant type of the rule. 3. Select the relevant rule to view its details.
Navigate to Alerts > Manage actions > Action rules (preview) > filter by the con
### Change the scope of a rule using Azure CLI
-1. Get the existing rule ([metric alerts](/cli/azure/monitor/metrics/alert#az-monitor-metrics-alert-show), [activity log alerts](/cli/azure/monitor/activity-log/alert#az-monitor-activity-log-alert-list)).
-2. Update the rule scope directly ([metric alerts](/cli/azure/monitor/metrics/alert#az-monitor-metrics-alert-update), [activity log alerts](/cli/azure/monitor/activity-log/alert/scope))
-3. If needed, split into two rules (relevant for some cases of metric alerts, as noted above).
+1. Get the existing rule ([metric alerts](/cli/azure/monitor/metrics/alert#az-monitor-metrics-alert-show), [activity log alerts](/cli/azure/monitor/activity-log/alert#az-monitor-activity-log-alert-list)).
+2. Update the rule scope directly ([metric alerts](/cli/azure/monitor/metrics/alert#az-monitor-metrics-alert-update), [activity log alerts](/cli/azure/monitor/activity-log/alert/scope))
+3. If needed, split into two rules (relevant for some cases of metric alerts, as noted above).
## Next steps
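Review bot: In step 1 the "Get the existing rule" link for activity log alerts points to `#az-monitor-activity-log-alert-list`, while the metric alert link points to a `show` command; please confirm that a list command is intended for fetching a single rule. Step 2 is also missing the closing period that steps 1 and 3 have.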
azure-monitor Resource Manager Sql Insights https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/insights/resource-manager-sql-insights.md
+
+ Title: Resource Manager template samples for SQL insights
+description: Sample Azure Resource Manager templates to deploy and configure SQL insights.
+++ Last updated : 03/25/2021+++
+# Resource Manager template samples for SQL insights
+This article includes sample [Azure Resource Manager templates](../../azure-resource-manager/templates/template-syntax.md) to enable SQL insights for monitoring SQL running in Azure. See the [SQL insights documentation](sql-insights-overview.md) for details on the offering and versions of SQL we support. Each sample includes a template file and a parameters file with sample values to provide to the template.
+++
+## Create a SQL insights monitoring profile
+The following sample creates a SQL insights monitoring profile, which includes the SQL monitoring data to collect, frequency of data collection, and specifies the workspace the data will be sent to.
++
+### Template file
+
+View the [template file on git hub](https://github.com/microsoft/Application-Insights-Workbooks/blob/master/Workbooks/Workloads/SQL/Create%20new%20profile/CreateNewProfile.armtemplate).
+
+### Parameter file
+
+View the [parameter file on git hub](https://github.com/microsoft/Application-Insights-Workbooks/blob/master/Workbooks/Workloads/SQL/Create%20new%20profile/CreateNewProfile.parameters.json).
++
+## Add a monitoring VM to a SQL insights monitoring profile
+Once you have created a monitoring profile, you need to allocate Azure virtual machines that will be configured to remotely collect data from the SQL resources you specify in the configuration for that VM. Refer to the SQL insights enable documentation for more details.
+
+The following sample configures a monitoring VM to collect the data from the specified SQL resources.
++
+### Template file
+
+View the [template file on git hub](https://github.com/microsoft/Application-Insights-Workbooks/blob/master/Workbooks/Workloads/SQL/Add%20monitoring%20virtual%20machine/AddMonitoringVirtualMachine.armtemplate).
+
+### Parameter file
+
+View the [parameter file on git hub](https://github.com/microsoft/Application-Insights-Workbooks/blob/master/Workbooks/Workloads/SQL/Add%20monitoring%20virtual%20machine/AddMonitoringVirtualMachine.parameters.json).
++
+## Create an alert rule for SQL insights
+The following sample creates an alert rule that will cover the SQL resources within the scope of the specified monitoring profile. This alert rule will appear in the SQL insights UI in the alerts UI context panel.
+
+The parameter file has values from one of the alert templates we provide in SQL insights, you can modify it to alert on other data we collect for SQL. The template does not specify an action group for the alert rule.
++
+#### Template file
+
+View the [template file on git hub](https://github.com/microsoft/Application-Insights-Workbooks/blob/master/Workbooks/Workloads/Alerts/log-metric-noag.armtemplate).
+
+### Parameter file
+
+View the [parameter file on git hub](https://github.com/microsoft/Application-Insights-Workbooks/blob/master/Workbooks/Workloads/Alerts/sql-cpu-utilization-percent.parameters.json).
+++++
+## Next steps
+
+* [Get other sample templates for Azure Monitor](../resource-manager-samples.md).
+* [Learn more about SQL insights](sql-insights-overview.md).
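Review bot: The alert rule section says the template does not specify an action group but not what that means for the reader: alerts raised by the rule are only visible in the portal and no notification is sent. Suggest adding a sentence on attaching an action group after deployment. Smaller points: the "Template file" heading in that section is `####` while every other one is `###`; "git hub" should be "GitHub" throughout; "Refer to the SQL insights enable documentation" should link to `sql-insights-enable.md`; and the comma splice in "we provide in SQL insights, you can modify it" needs a period or semicolon.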
azure-monitor Sql Insights Alerts https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/insights/sql-insights-alerts.md
Last updated 03/12/2021
# Create alerts with SQL insights (preview) SQL insights includes a set of alert rule templates you can use to create [alert rules in Azure Monitor](../alert/../alerts/alerts-overview.md) for common SQL issues. The alert rules in SQL insights are log alert rules based on performance data stored in the *InsightsMetrics* table in Azure Monitor Logs.
+> [!NOTE]
+> To create an alert for SQL insights using a resource manager template, see [Resource Manager template samples for SQL insights](resource-manager-sql-insights.md#create-an-alert-rule-for-sql-insights).
++ > [!NOTE] > If you have requests for more SQL insights alert rule templates, please send feedback using the link at the bottom of this page or using the SQL insights feedback link in the Azure portal.
azure-monitor Sql Insights Enable https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/insights/sql-insights-enable.md
Last updated 03/15/2021
# Enable SQL insights (preview) This article describes how to enable [SQL insights](sql-insights-overview.md) to monitor your SQL deployments. Monitoring is performed from an Azure virtual machine that makes a connection to your SQL deployments and uses Dynamic Management Views (DMVs) to gather monitoring data. You can control what datasets are collected and the frequency of collection using a monitoring profile.
+> [!NOTE]
+> To enable SQL insights by creating the monitoring profile and virtual machine using a resource manager template, see [Resource Manager template samples for SQL insights](resource-manager-sql-insights.md).
+ ## Create Log Analytics workspace SQL insights stores its data in one or more [Log Analytics workspaces](../logs/data-platform-logs.md#log-analytics-workspaces). Before you can enable SQL Insights, you need to either [create a workspace](../logs/quick-create-workspace.md) or select an existing one. A single workspace can be used with multiple monitoring profiles, but the workspace and profiles must be located in the same Azure region. To enable and access the features in SQL insights, you must have the [Log Analytics contributor role](../logs/manage-access.md) in the workspace. ## Create monitoring user You need a user on the SQL deployments that you want to monitor. Follow the procedures below for different types of SQL deployments.
+The instructions below cover the process per type of SQL that you can monitor. To accomplish this with a script on several SQL resouces at once, please refer to the following [README file](https://github.com/microsoft/Application-Insights-Workbooks/blob/master/Workbooks/Workloads/SQL/SQL%20Insights%20Onboarding%20Scripts/Permissions_LoginUser_Account_Creation-README.txt) and [example script](https://github.com/microsoft/Application-Insights-Workbooks/blob/master/Workbooks/Workloads/SQL/SQL%20Insights%20Onboarding%20Scripts/Permissions_LoginUser_Account_Creation.ps1).
++ ### Azure SQL database Open Azure SQL Database with [SQL Server Management Studio](../../azure-sql/database/connect-query-ssms.md) or [Query Editor (preview)](../../azure-sql/database/connect-query-portal.md) in the Azure portal.
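Review bot: The added paragraph points to a script that creates the monitoring user on several SQL resources at once, but it does not say which permissions the script grants or which account must run it. Suggest summarizing that here so readers can review it before running the script against production servers. Typo: "resouces" should be "resources".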
Verify the user was created.
select name as username, create_date, modify_date,
- type_desc as type,
+ type_desc as type
from sys.server_principals where type not in ('A', 'G', 'R', 'X') and sid is not null
azure-monitor Private Link Security https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/logs/private-link-security.md
The Private Endpoint you created should now have an four DNS zones configured:
#### Privatelink-monitor-azure-com This zone covers the global endpoints used by Azure Monitor, meaning these endpoints serve requests considering all resources, not a specific one. This zone should have endpoints mapped for:
-* `in.ai` - (Application Insights ingestion endpoint, you will see a global and a regional entry
+* `in.ai` - Application Insights ingestion endpoint (both a global and a regional entry)
* `api` - Application Insights and Log Analytics API endpoint * `live` - Application Insights live metrics endpoint * `profiler` - Application Insights profiler endpoint
This zone covers workspace-specific mapping to ODS endpoints - the ingestion end
This zone covers workspace-specific mapping to the agent service automation endpoints. You should see an entry for each workspace linked to the AMPLS connected with this Private Endpoint. [![Screenshot of Private DNS zone agent svc-azure-automation-net.](./media/private-link-security/dns-zone-privatelink-agentsvc-azure-automation-net.png)](./media/private-link-security/dns-zone-privatelink-agentsvc-azure-automation-net-expanded.png#lightbox)
+#### privatelink-blob-core-windows-net
+This zone configures connectivity to the global agents' solution packs storage account. Through it, agents can download new or updated solution packs (also known as management packs). Only one entry is required to handle to Log Analytics agents, no matter how many workspaces are used.
+[![Screenshot of Private DNS zone blob-core-windows-net.](./media/private-link-security/dns-zone-privatelink-blob-core-windows-net.png)](./media/private-link-security/dns-zone-privatelink-blob-core-windows-net-expanded.png#lightbox)
+> [!NOTE]
+> This entry is only added to Private Links setups created at or after April 19, 2021.
++ ### Validating you are communicating over a Private Link
-* To validate your requests are now sent through the Private Endpoint and to the private IP-mapped endpoints, you can review them with a network tracking to tools, or even your browser. For example, when attempting to query your workspace or application, make sure the request is sent to the private IP mapped to the API endpoint, in this example it's *172.17.0.9*.
+* To validate your requests are now sent through the Private Endpoint and the private IP-mapped endpoints, you can review them with a network tracking tool or even your browser. For example, when attempting to query your workspace or application, make sure the request is sent to the private IP mapped to the API endpoint, in this example it's *172.17.0.9*.
Note: Some browsers may use other DNS settings (see [Browser DNS settings](#browser-dns-settings)). Make sure your DNS settings apply.
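Review bot: Adding `#### privatelink-blob-core-windows-net` makes the lead-in "should now have an four DNS zones configured" out of date, and "an four" was already a typo; suggest rewording it so the count covers setups created before and after April 19, 2021. In the new zone text, "Only one entry is required to handle to Log Analytics agents" is garbled, and "at or after April 19, 2021" reads better as "on or after". The new heading is lowercase while the existing `#### Privatelink-monitor-azure-com` is capitalized; pick one convention.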
Go to the Azure portal. In your Log Analytics workspace resource menu, there's a
All scopes connected to the workspace show up in this screen. Connecting to scopes (AMPLSs) allows network traffic from the virtual network connected to each AMPLS to reach this workspace. Creating a connection through here has the same effect as setting it up on the scope, as we did in [Connecting Azure Monitor resources](#connect-azure-monitor-resources). To add a new connection, select **Add** and select the Azure Monitor Private Link Scope. Select **Apply** to connect it. Note that a workspace can connect to 5 AMPLS objects, as mentioned in [Restrictions and limitations](#restrictions-and-limitations). ### Manage access from outside of private links scopes
-The settings on the bottom part of this page control access from public networks, meaning networks not connected through the scopes listed above. Setting **Allow public network access for ingestion** to **No** blocks ingestion of logs from machines outside of the connected scopes. Setting **Allow public network access for queries** to **No** blocks queries coming from machines outside of the scopes. That includes queries run via workbooks, dashboards, API-based client experiences, insights in the Azure portal, and more. Experiences running outside the Azure portal, and that query Log Analytics data also have to be running within the private-linked VNET.
+The settings on the bottom part of this page control access from public networks, meaning networks not connected through the listed scopes (AMPLSs). Setting **Allow public network access for ingestion** to **No** blocks ingestion of logs from machines outside of the connected scopes. Setting **Allow public network access for queries** to **No** blocks queries coming from machines outside of the scopes. That includes queries run via workbooks, dashboards, API-based client experiences, insights in the Azure portal, and more. Experiences running outside the Azure portal, and that query Log Analytics data also have to be running within the private-linked VNET.
### Exceptions Restricting access as explained above doesn't apply to the Azure Resource Manager and therefore has the following limitations:
Restricting access as explained above doesn't apply to the Azure Resource Manage
> Logs and metrics uploaded to a workspace via [Diagnostic Settings](../essentials/diagnostic-settings.md) go over a secure private Microsoft channel, and are not controlled by these settings. ### Log Analytics solution packs download
+Log Analytics agents need to access a global storage account to download solution packs. Private Link setups created at or after April 19, 2021 can reach the agents' solution packs storage over the private link. This is made possible through the new DNS zone created for [blob.core.windows.net](#privatelink-blob-core-windows-net).
-To allow the Log Analytics Agent to download solution packs, add the appropriate fully qualified domain names to your firewall allowlist.
--
-| Cloud environment | Agent Resource | Ports | Direction |
-|:--|:--|:--|:--|
-|Azure Public | scadvisorcontent.blob.core.windows.net | 443 | Outbound
-|Azure Government | usbn1oicore.blob.core.usgovcloudapi.net | 443 | Outbound
-|Azure China 21Vianet | mceast2oicore.blob.core.chinacloudapi.cn| 443 | Outbound
+If your Private Link setup was created before April 19, 2021, it won't reach the solution packs storage over a private link. To handle that you can do one of the following:
+* Re-create your AMPLS and the Private Endpoint connected to it
+* Allow your agents to reach the storage account through its public endpoint, by adding the following rules to your firewall allowlist:
+ | Cloud environment | Agent Resource | Ports | Direction |
+ |:--|:--|:--|:--|
+ |Azure Public | scadvisorcontent.blob.core.windows.net | 443 | Outbound
+ |Azure Government | usbn1oicore.blob.core.usgovcloudapi.net | 443 | Outbound
+ |Azure China 21Vianet | mceast2oicore.blob.core.chinacloudapi.cn| 443 | Outbound
->[!NOTE]
-> Starting April 19, 2021 the above setting won't be required, and you'll be able to reach the solution packs storage account through the private link. The new capability requires re-creating the AMPLS (on April 19th, 2021 or later) and the Private Endpoint connected to it. It will not apply to existing AMPLSs and Private Endpints.
## Configure Application Insights
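Review bot: The second option, allowing agents to reach the storage account "through its public endpoint", should state plainly that this traffic does not go over the private link, so readers choosing between the two options understand the trade-off. Suggest also saying that only the row for the reader's own cloud environment needs to be allowed. Formatting: the table rows nested under the bullet have no closing `|`, and the header row follows the bullet text directly; check that the table still renders inside the list.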
azure-netapp-files Azure Netapp Files Create Volumes Smb https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-netapp-files/azure-netapp-files-create-volumes-smb.md
na ms.devlang: na Previously updated : 03/29/2021 Last updated : 04/19/2021 # Create an SMB volume for Azure NetApp Files
Before creating an SMB volume, you need to create an Active Directory connection
* Select **SMB** as the protocol type for the volume. * Select your **Active Directory** connection from the drop-down list. * Specify the name of the shared volume in **Share name**.
+ * If you want to enable encryption for SMB3, select **Enable SMB3 Protocol Encryption**.
+ This feature enables encryption for in-flight SMB3 data. SMB clients not using SMB3 encryption will not be able to access this volume. Data at rest is encrypted regardless of this setting.
+ See [SMB Encryption FAQs](azure-netapp-files-faqs.md#smb-encryption-faqs) for additional information.
+
+ The **SMB3 Protocol Encryption** feature is currently in preview. If this is your first time using this feature, register the feature before using it:
+
+ ```azurepowershell-interactive
+ Register-AzProviderFeature -ProviderNamespace Microsoft.NetApp -FeatureName ANFSMBEncryption
+ ```
+
+ Check the status of the feature registration:
+
+ > [!NOTE]
+ > The **RegistrationState** may be in the `Registering` state for up to 60 minutes before changing to`Registered`. Wait until the status is `Registered` before continuing.
+
+ ```azurepowershell-interactive
+ Get-AzProviderFeature -ProviderNamespace Microsoft.NetApp -FeatureName ANFSMBEncryption
+ ```
+
+ You can also use [Azure CLI commands](/cli/azure/feature?preserve-view=true&view=azure-cli-latest) `az feature register` and `az feature show` to register the feature and display the registration status.
* If you want to enable Continuous Availability for the SMB volume, select **Enable Continuous Availability**. > [!IMPORTANT]
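Review bot: The sentence "SMB clients not using SMB3 encryption will not be able to access this volume" describes an access-breaking side effect and is easy to miss in running text; suggest moving it into an `> [!IMPORTANT]` block. The `> [!NOTE]` about **RegistrationState** sits between "Check the status of the feature registration:" and the `Get-AzProviderFeature` command it introduces; place the note after the code block. There is also a missing space in "changing to`Registered`".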
azure-netapp-files Azure Netapp Files Faqs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-netapp-files/azure-netapp-files-faqs.md
na ms.devlang: na Previously updated : 04/12/2021 Last updated : 04/19/2021 # FAQs About Azure NetApp Files
Management of `SMB Shares`, `Sessions`, and `Open Files` through Computer Manage
Use the **JSON View** link on the volume overview pane, and look for the **startIp** identifier under **properties** -> **mountTargets**.
+### SMB encryption FAQs
+
+This section answers commonly asked questions about SMB encryption (SMB 3.0 and SMB 3.1.1).
+
+#### What is SMB encryption?
+
+[SMB encryption](/windows-server/storage/file-server/smb-security) provides end-to-end encryption of SMB data and protects data from eavesdropping occurrences on untrusted networks. SMB encryption is supported on SMB 3.0 and greater.
+
+#### How does SMB encryption work?
+
+When sending a request to the storage, the client encrypts the request, which the storage then decrypts. Responses are similarly encrypted by the server and decrypted by the client.
+
+#### Which clients support SMB encryption?
+
+Windows 10, Windows 2012, and later versions support SMB encryption.
+
+#### With Azure NetApp Files, at what layer is SMB encryption enabled?
+
+SMB encryption is enabled at the share level.
+
+#### What forms of SMB encryption are used by Azure NetApp Files?
+
+SMB 3.0 employs AES-CCM algorithm, while SMB 3.1.1 employs the AES-GCM algorithm
+
+#### Is SMB encryption required?
+
+SMB encryption is not required. As such, it is only enabled for a given share if the user requests that Azure NetApp Files enable it. Azure NetApp Files shares are never exposed to the internet. They are only accessible from within a given VNet, over VPN or express route, so Azure NetApp Files shares are inherently secure. The choice to enable SMB encryption is entirely up to the user. Be aware of the anticipated performance penalty before enabling this feature.
+
+#### <a name="smb_encryption_impact"></a>What is the anticipated impact of SMB encryption on client workloads?
+
+Although SMB encryption has impact to both the client (CPU overhead for encrypting and decrypting messages) and the storage (reductions in throughput), the following table highlights storage impact only. You should test the encryption performance impact against your own applications before deploying workloads into production.
+
+| I/O profile | Impact |
+|- |- |
+| Read and write workloads | 10% to 15% |
+| Metadata intensive | 5% |
+ ## Capacity management FAQs ### How do I monitor usage for capacity pool and volume of Azure NetApp Files?
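Review bot: In "Is SMB encryption required?", the claim that shares are "inherently secure" because they are reachable only from within a VNet, over VPN or express route, overstates what network isolation provides. It also sits awkwardly next to the earlier answer that SMB encryption protects data from eavesdropping on untrusted networks. Suggest describing the isolation factually and leaving the decision to the reader's threat model, for example when other workloads in the same VNet or the on-premises path are not fully trusted. Smaller points: "Windows 2012" should be "Windows Server 2012", "express route" should be "ExpressRoute", and the AES-CCM/AES-GCM answer is missing "the" before "AES-CCM" and a closing period.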
azure-netapp-files Azure Netapp Files Smb Performance https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-netapp-files/azure-netapp-files-smb-performance.md
SMB Signing has a deleterious effect upon SMB performance. Among other potential
![Chart that shows SMB Signing performance impact.](../media/azure-netapp-files/azure-netapp-files-smb-signing-performance.png)
+## What is the anticipated impact of SMB encryption on client workloads?
+
+See [SMB encryption FAQs](azure-netapp-files-faqs.md#smb_encryption_impact).
## Next steps
azure-netapp-files Create Volumes Dual Protocol https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-netapp-files/create-volumes-dual-protocol.md
na ms.devlang: na Previously updated : 04/05/2021 Last updated : 04/19/2021 # Create a dual-protocol (NFSv3 and SMB) volume for Azure NetApp Files
To create NFS volumes, see [Create an NFS volume](azure-netapp-files-create-volu
* Specify the **Security Style** to use: NTFS (default) or UNIX.
+ * If you want to enable SMB3 protocol encryption for the dual-protocol volume, select **Enable SMB3 Protocol Encryption**.
+
+ This feature enables encryption for only in-flight SMB3 data. It does not encrypt NFSv3 in-flight data. SMB clients not using SMB3 encryption will not be able to access this volume. Data at rest is encrypted regardless of this setting. See [SMB Encryption FAQs](azure-netapp-files-faqs.md#smb-encryption-faqs) for additional information.
+
+ The **SMB3 Protocol Encryption** feature is currently in preview. If this is your first time using this feature, register the feature before using it:
+
+ ```azurepowershell-interactive
+ Register-AzProviderFeature -ProviderNamespace Microsoft.NetApp -FeatureName ANFSMBEncryption
+ ```
+
+ Check the status of the feature registration:
+
+ > [!NOTE]
+ > The **RegistrationState** may be in the `Registering` state for up to 60 minutes before changing to`Registered`. Wait until the status is `Registered` before continuing.
+
+ ```azurepowershell-interactive
+ Get-AzProviderFeature -ProviderNamespace Microsoft.NetApp -FeatureName ANFSMBEncryption
+ ```
+
+ You can also use [Azure CLI commands](/cli/azure/feature?preserve-view=true&view=azure-cli-latest) `az feature register` and `az feature show` to register the feature and display the registration status.
+ * Optionally, [configure export policy for the volume](azure-netapp-files-configure-export-policy.md). ![Specify dual-protocol](../media/azure-netapp-files/create-volume-protocol-dual.png)
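Review bot: This block repeats the feature registration steps from the SMB volume article word for word, including the missing space in "changing to`Registered`" and the `> [!NOTE]` placed before the command it refers to; suggest moving the steps into a shared include so both articles stay in sync. The statement that NFSv3 in-flight data is not encrypted is the key caveat for a dual-protocol volume and deserves an `> [!IMPORTANT]` callout rather than a mid-paragraph sentence.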
azure-netapp-files Whats New https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-netapp-files/whats-new.md
na ms.devlang: na Previously updated : 04/05/2021 Last updated : 04/19/2021
Azure NetApp Files is updated regularly. This article provides a summary about t
## April 2021
+* [SMB3 Protocol Encryption](azure-netapp-files-create-volumes-smb.md#add-an-smb-volume) (Preview)
+
+ You can now enable SMB3 Protocol Encryption on Azure NetApp Files SMB and dual-protocol volumes. This feature enables encryption for in-flight SMB3 data, using the [AES-CCM algorithm on SMB 3.0, and the AES-GCM algorithm on SMB 3.1.1](/windows-server/storage/file-server/file-server-smb-overview#features-added-in-smb-311-with-windows-server-2016-and-windows-10-version-1607) connections. SMB clients not using SMB3 encryption will not be able to access this volume. Data at rest is encrypted regardless of this setting. SMB encryption further enhances security. However, it might impact the client (CPU overhead for encrypting and decrypting messages). It might also impact storage resource utilization (reductions in throughput). You should test the encryption performance impact against your applications before deploying workloads into production.
+ * [Active Directory Domain Services (ADDS) LDAP user-mapping with NFS extended groups](configure-ldap-extended-groups.md) (Preview) By default, Azure NetApp Files supports up to 16 group IDs when handling NFS user credentials, as defined in [RFC 5531](https://tools.ietf.org/html/rfc5531). With this new capability, you can now increase the maximum up to 1,024 if you have users who are members of more than the default number of groups. To support this capability, NFS volumes can now also be added to ADDS LDAP, which enables Active Directory LDAP users with extended groups entries (with up to 1024 groups) to access the volume. ## March 2021-
+
* [SMB Continuous Availability (CA) shares](azure-netapp-files-create-volumes-smb.md#add-an-smb-volume) (Preview) SMB Transparent Failover enables maintenance operations on the Azure NetApp Files service without interrupting connectivity to server applications storing and accessing data on SMB volumes. To support SMB Transparent Failover, Azure NetApp Files now supports the SMB Continuous Availability shares option for use with SQL Server applications over SMB running on Azure VMs. This feature is currently supported on Windows SQL Server. Linux SQL Server is not currently supported. Enabling this feature provides significant SQL Server performance improvements and scale and cost benefits for [Single Instance, Always-On Failover Cluster Instance and Always-On Availability Group deployments](azure-netapp-files-solution-architectures.md#sql-server). See [Benefits of using Azure NetApp Files for SQL Server deployment](solutions-benefits-azure-netapp-files-sql-server.md).
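Review bot: In the SMB3 Protocol Encryption entry, the sentence "SMB clients not using SMB3 encryption will not be able to access this volume" describes an access-breaking behaviour but sits in the middle of the paragraph between the algorithm details and the performance caveats; move it into its own sentence at the end or a note so it is not missed when the setting is enabled on an existing workload. The entry also states it applies to SMB and dual-protocol volumes but links only to the `#add-an-smb-volume` anchor. In the LDAP entry, the limit is written as both "1,024" and "1024"; use one form.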
azure-portal Azure Portal Dashboards https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-portal/azure-portal-dashboards.md
Title: Create a dashboard in the Azure portal
description: This article describes how to create and customize a dashboard in the Azure portal. ms.assetid: ff422f36-47d2-409b-8a19-02e24b03ffe7 Previously updated : 03/16/2021 Last updated : 04/15/2021 # Create a dashboard in the Azure portal Dashboards are a focused and organized view of your cloud resources in the Azure portal. Use dashboards as a workspace where you can monitor resources and quickly launch tasks for day-to-day operations. Build custom dashboards based on projects, tasks, or user roles, for example.
-The Azure portal provides a default dashboard as a starting point. You can edit the default dashboard and create and customize additional dashboards. This article describes how to create a new dashboard and customize it. For information on sharing dashboards, see [Share Azure dashboards by using Azure role-based access control](azure-portal-dashboard-share-access.md).
+The Azure portal provides a default dashboard as a starting point. You can edit the default dashboard and create and customize additional dashboards.
+
+> [!NOTE]
+> Each user can create up to 100 private dashboards. If you [publish and share the dashboard](azure-portal-dashboard-share-access.md), it will be implemented as an Azure resource in your subscription and wonΓÇÖt count towards this limit.
+
+This article describes how to create a new dashboard and customize it. For information on sharing dashboards, see [Share Azure dashboards by using Azure role-based access control](azure-portal-dashboard-share-access.md).
## Create a new dashboard
-In this example, we create a new private dashboard and assign a name. Follow these steps to get started:
+This example shows how to create a new private dashboard with an assigned name. All dashboards are private when created, although you can choose to publish and share your dashboard with other users in your organization if you'd like.
1. Sign in to the [Azure portal](https://portal.azure.com). 1. From the Azure portal menu, select **Dashboard**. Your default view might already be set to dashboard.
- ![Open the dashboard](./media/azure-portal-dashboards/portal-menu-dashboard.png)
+ ![Screenshot of the Azure portal with Dashboard selected.](./media/azure-portal-dashboards/portal-menu-dashboard.png)
1. Select **New dashboard** then **Blank dashboard**.
- ![Screenshot of new dashboard](./media/azure-portal-dashboards/create-new-dashboard.png)
+ ![Screenshot of the New dashboard options.](./media/azure-portal-dashboards/create-new-dashboard.png)
- This action opens the **Tile Gallery**, from which you'll select tiles, and an empty grid where you'll arrange the tiles.
+ This action opens the **Tile Gallery**, from which you can select tiles, and an empty grid where you'll arrange the tiles.
1. Select the **My Dashboard** text in the dashboard label and enter a name that will help you easily identify the custom dashboard.
- ![Screenshot of tile gallery and empty grid](./media/azure-portal-dashboards/dashboard-name.png)
+ :::image type="content" source="media/azure-portal-dashboards/dashboard-name.png" alt-text="Screenshot of an empty grid with the Tile Gallery.":::
-1. In the page header select **Done customizing** to exit edit mode, then select **Save**.
-
- :::image type="content" source="media/azure-portal-dashboards/dashboard-save.png" alt-text="Screenshot of dashboard save process":::
+1. To save the dashboard as is, select **Done customizing** in the page header. Or, continue to the next section to add tiles and save your dashboard.
The dashboard view now shows your new dashboard. Select the arrow next to the dashboard name to see dashboards available to you. The list might include dashboards that other users have created and shared.
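Review bot: The added note uses a typographic apostrophe in "won't", which shows up mis-encoded as `wonΓÇÖt` in this rendering; use a plain ASCII apostrophe as the rest of the article does ("you'd", "you'll"). The same note says a published dashboard "will be implemented as an Azure resource in your subscription"; since that is the point where access to the dashboard becomes governed by Azure role-based access control, as the linked sharing article's title indicates, saying so here would make the private/published distinction clearer.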
The dashboard view now shows your new dashboard. Select the arrow next to the da
Now, let's edit the dashboard to add, resize, and arrange tiles that represent your Azure resources.
-### Add tiles from the tile gallery
+### Add tiles from the Tile Gallery
To add tiles to a dashboard, follow these steps:
-1. Select ![edit icon](./media/azure-portal-dashboards/dashboard-edit-icon.png) **Edit** from the page header.
+1. Select ![edit icon](./media/azure-portal-dashboards/dashboard-edit-icon.png) **Edit** from the dashboard's page header.
- ![Screenshot of dashboard highlighting edit](./media/azure-portal-dashboards/dashboard-edit.png)
+ ![Screenshot of dashboard highlighting the Edit option.](./media/azure-portal-dashboards/dashboard-edit.png)
-1. Browse the **Tile Gallery** or use the search field to find the tile you want.
+1. Browse the **Tile Gallery** or use the search field to find a certain tile. Select the tile you want to add to your dashboard.
+
+ :::image type="content" source="media/azure-portal-dashboards/dashboard-tile-gallery.png" alt-text="Screenshot of the Tile Gallery.":::
1. Select **Add** to add the tile to the dashboard with a default size and location. Or, drag the tile to the grid and place it where you want. Add any tiles you want, but here are a couple of ideas:
To add tiles to a dashboard, follow these steps:
- If you work with more than one organization, add the **Organization identity** tile to your dashboard to clearly show which organization the resources belong to.
-1. In the page header select **Save**.
+1. If desired, resize the tile by dragging and dropping the lower right hand corner of the tile.
+
+1. To save your changes, select **Save** in the page header. You can also preview the changes without saving by selecting **Preview** in the page header. From the preview screen, you can select **Save** to keep the changes, **Discard** to remove them, or **Edit** to go back to the editing options and make further changes.
+
+ :::image type="content" source="media/azure-portal-dashboards/dashboard-save.png" alt-text="Screenshot of the Preview, Save, and Discard options.":::
-### Add tiles from a resource page
+### Pin content from a resource page
-There is an alternative way to add tiles to your dashboard. Many resource pages include a pushpin icon in the command bar. If you select the icon, a tile representing the source page is pinned to the dashboard that is currently active.
+Another way to add tiles to your dashboard is directly from a resource page.
+
+Many resource pages include a pin icon in the command bar. If you select this icon, you can pin a tile representing the source page to an existing dashboard, or to a new dashboard that you create.
![Screenshot of page command bar with pin icon](./media/azure-portal-dashboards/dashboard-pin-blade.png)
+In some cases, a pin icon may also appear by specific content within a page, which means you can pin a tile for that specific content rather than the entire page.
+ ### Resize or rearrange tiles To change the size of a tile or to rearrange the tiles on a dashboard, follow these steps:
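Review bot: The new step "If desired, resize the tile by dragging and dropping the lower right hand corner of the tile" reads as if every tile can be resized by dragging, but the "Resize or rearrange tiles" section that follows says only "Tiles that support any size" include a drag handle. Qualify the new step the same way or point to that section instead of repeating the instruction. "lower right hand corner" should be hyphenated ("lower-right corner"), and the unchanged alt text "Screenshot of page command bar with pin icon" is now the only one in this part of the article without the terminal period this change adds elsewhere.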
To change the size of a tile or to rearrange the tiles on a dashboard, follow th
1. Select the context menu in the upper right corner of a tile. Then, choose a tile size. Tiles that support any size also include a "handle" in the lower right corner that lets you drag the tile to the size you want.
- ![Screenshot of dashboard with tile size menu open](./media/azure-portal-dashboards/dashboard-tile-resize.png)
+ :::image type="content" source="media/azure-portal-dashboards/dashboard-tile-resize.png" alt-text="Screenshot of dashboard with tile size menu open.":::
1. Select a tile and drag it to a new location on the grid to arrange your dashboard.
Data on the dashboard automatically shows activity for the past 24 hours. To sho
1. Select **Customize tile data** from the context menu or from the ![filter icon](./media/azure-portal-dashboards/dashboard-filter.png) filter in the upper left corner of the tile.
- ![Screenshot of tile context menu](./media/azure-portal-dashboards/dashboard-customize-tile-data.png)
+ ![Screenshot of tile context menu.](./media/azure-portal-dashboards/dashboard-customize-tile-data.png)
1. Select the checkbox to **Override the dashboard time settings at the tile level**.
- ![Screenshot of dialog to configure tile time settings](./media/azure-portal-dashboards/dashboard-override-time-settings.png)
+ ![Screenshot of dialog to configure tile time settings.](./media/azure-portal-dashboards/dashboard-override-time-settings.png)
1. Choose the time span to show for this tile. You can choose from the past 30 minutes to the past 30 days or define a custom range.
Data on the dashboard automatically shows activity for the past 24 hours. To sho
## Delete a tile
-To remove a tile from a dashboard, follow these steps:
+To remove a tile from a dashboard, do one of the following:
-* Select the context menu in the upper right corner of the tile, then select **Remove from dashboard**. Or,
+- Select the context menu in the upper right corner of the tile, then select **Remove from dashboard**.
-* Select ![edit icon](./media/azure-portal-dashboards/dashboard-edit-icon.png) **Edit** to enter customization mode. Hover in the upper right corner of the tile, then select the ![delete icon](./media/azure-portal-dashboards/dashboard-delete-icon.png) delete icon to remove the tile from the dashboard.
+- Select ![edit icon](./media/azure-portal-dashboards/dashboard-edit-icon.png) **Edit** to enter customization mode. Hover in the upper right corner of the tile, then select the ![delete icon](./media/azure-portal-dashboards/dashboard-delete-icon.png) delete icon to remove the tile from the dashboard.
- ![Screenshot showing how to remove tile from dashboard](./media/azure-portal-dashboards/dashboard-delete-tile.png)
+ ![Screenshot showing how to remove tile from dashboard.](./media/azure-portal-dashboards/dashboard-delete-tile.png)
## Clone a dashboard
To permanently delete a private or shared dashboard, follow these steps:
1. For a private dashboard, select **OK** on the confirmation dialog to remove the dashboard. For a shared dashboard, on the confirmation dialog, select the checkbox to confirm that the published dashboard will no longer be viewable by others. Then, select **OK**.
- ![Screenshot of delete confirmation](./media/azure-portal-dashboards/dashboard-delete-dash.png)
+ ![Screenshot of delete confirmation.](./media/azure-portal-dashboards/dashboard-delete-dash.png)
## Recover a deleted dashboard
-If you're in the global Azure cloud, and you delete a _published_ dashboard in the Azure portal, you can recover that dashboard within 14 days of the delete. For information, see [Recover a deleted dashboard in the Azure portal](recover-shared-deleted-dashboard.md).
+If you're in the global Azure cloud, and you delete a _published_ dashboard in the Azure portal, you can recover that dashboard within 14 days of the delete. For more information, see [Recover a deleted dashboard in the Azure portal](recover-shared-deleted-dashboard.md).
## Next steps
-* [Share Azure dashboards by using Azure role-based access control](azure-portal-dashboard-share-access.md)
-* [Programmatically create Azure dashboards](azure-portal-dashboards-create-programmatically.md)
+- [Share Azure dashboards by using Azure role-based access control](azure-portal-dashboard-share-access.md)
+- [Programmatically create Azure dashboards](azure-portal-dashboards-create-programmatically.md)
azure-resource-manager Microsoft Resources Move Regions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/microsoft-resources-move-regions.md
Title: Move regions for resources in Microsoft.Resources description: Show how to move resources that are in the Microsoft.Resources namespace to new regions. Previously updated : 08/25/2020 Last updated : 08/25/2020 # Move Microsoft.Resources resources to new region
If you have a [template spec](../templates/template-specs.md) in one region and
## Next steps * To learn about moving resources to a new resource group or subscription, see [Move resources to a new resource group or subscription](move-resource-group-and-subscription.md).
-* To learn about moving resources to a new region, see [Moving Azure resources across regions](move-region.md).
+* To learn about moving resources to a new region, see [Move resources across regions](move-resources-overview.md#move-resources-across-regions).
azure-resource-manager Move Region https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/move-region.md
- Title: Move Azure resources to another region
-description: Provides an overview of moving Azure resources across Azure regions.
--- Previously updated : 09/10/2020---
-# Moving Azure resources across regions
-
-This article provides information about moving Azure resources across Azure regions.
-
-Azure geographies, regions, and availability zones form the foundation of the Azure global infrastructure. Azure [geographies](https://azure.microsoft.com/global-infrastructure/geographies/) typically contain two or more [Azure regions](https://azure.microsoft.com/global-infrastructure/regions/). A region is an area within a geography, containing Availability Zones, and multiple data centers.
-
-After deploying resources in specific Azure region, there are a number of reasons that you might want to move resources to a different region.
--- **Align to a region launch**: Move your resources to a newly introduced Azure region that wasn't previously available.-- **Align for services/features**: Move resources to take advantage of services or features that are available in a specific region.-- **Respond to business developments**: Move resources to a region in response to business changes, such as mergers or acquisitions.-- **Align for proximity**: Move resources to a region local to your business.-- **Meet data requirements**: Move resources in order to align with data residency requirements, or data classification needs. [Learn more](https://azure.microsoft.com/mediahandler/files/resourcefiles/achieving-compliant-data-residency-and-security-with-azure/Achieving_Compliant_Data_Residency_and_Security_with_Azure.pdf).-- **Respond to deployment requirements**: Move resources that were deployed in error, or move in response to capacity needs. -- **Respond to decommissioning**: Move resources due to decommissioning of regions.-
-## Move resources with Resource Mover
-
-You can move resources to a different region with [Azure Resource Mover](../../resource-mover/overview.md). Resource Mover provides:
--- A single hub for moving resources across regions.-- Reduced move time and complexity. Everything you need is in a single location.-- A simple and consistent experience for moving different types of Azure resources.-- An easy way to identify dependencies across resources you want to move. This helps you to move related resources together, so that everything works as expected in the target region, after the move.-- Automatic cleanup of resources in the source region, if you want to delete them after the move.-- Testing. You can try out a move, and then discard it if you don't want to do a full move.-
-You can move resources to another region using a couple of different methods:
--- **Start moving resources from a resource group**: With this method you kick off the region move from within a resource group. After selecting the resources you want to move, the process continues in the Resource Mover hub, to check resource dependencies, and orchestrate the move process. [Learn more](../../resource-mover/move-region-within-resource-group.md).-- **Start moving resources directly from the Resource Mover hub**: With this method you kick off the region move process directly in the hub. [Learn more](../../resource-mover/tutorial-move-region-virtual-machines.md).--
-## Support for region move
-
-You can currently use Resource Mover to move these resources to another region:
--- Azure VMs and associated disks-- NICs-- Availability sets-- Azure virtual networks-- Public IP addresses-- Network security groups (NSGs)-- Internal and public load balancers-- Azure SQL databases and elastic pools-
-## Region move process
-
-The actual process for moving resources across regions depends on the resources you're moving. However, there are some common key steps:
-
-1. **Verify prerequisites**: Prerequisites include making sure that the resources you need are available in the target region, checking that you have enough quota, and verifying that your subscription can access the target region.
-2. **Analyze dependencies**: Your resources might have dependencies on other resources. Before moving, figure out dependencies so that moved resources continue to function as expected after the move.
-3. **Prepare for move**: These are the steps you take in your primary region before the move. For example, you might need to export an Azure Resource Manager template, or start replicating resources from source to target.
-4. **Move the resources**: How you move resources depends on what they are. You might need to deploy a template in the target region, or fail resources over to the target.
-5. **Discard target resources**: After moving resources, you might want to take a look at the resources now in the target region, and decide if there's anything you don't need.
-6. **Commit the move**: After verifying resources in the target region, some resources might require a final commit action. For example, in a target region that's now the primary region, you might need to set up disaster recovery to a new secondary region.
-7. **Clean up the source**: Finally, after everything's up and running in the new region, you can clean up and decommission resources you created for the move, and resources in your primary region.
---
-## Next steps
-
-[Learn more](../../resource-mover/about-move-process.md) about the move process in Resource Mover.
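Review bot: Two sections of this deleted article, "Support for region move" and the seven-step "Region move process", are not carried over to the new move-resources-overview.md added in this update, which keeps only the reasons for moving and the Resource Mover summary. The supported-resources list appears to be replaced by the new "Region move" column in move-support-resources.md, but the process steps now exist only behind the "About the move process" link; confirm that article covers prerequisites, dependency analysis, commit and source cleanup, or keep a short version in the overview. Only one inbound link is updated in the visible changes, so also confirm a redirect from move-region.md is in place.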
azure-resource-manager Move Resource Group And Subscription https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/move-resource-group-and-subscription.md
Title: Move resources to a new subscription or resource group description: Use Azure Resource Manager to move resources to a new resource group or subscription. Previously updated : 03/23/2021 Last updated : 04/16/2021
retry-after: 15
... ```
-The 202 status code indicates the validation request was accepted, but it hasn't yet determined if the move operation will succeed. The `location` value contains a URL that you use to check the status of the long-running operation.
+The 202 status code indicates the validation request was accepted, but it hasn't yet determined if the move operation will succeed. The `location` value contains a URL that you use to check the status of the long-running operation.
To check the status, send the following request:
After validating that the resources can be moved, you see a notification that th
When it has completed, you're notified of the result.
-If you get an error, see [Troubleshoot moving Azure resources to new resource group or subscription](troubleshoot-move.md).
- ## Use Azure PowerShell To move existing resources to another resource group or subscription, use the [Move-AzResource](/powershell/module/az.resources/move-azresource) command. The following example shows how to move several resources to a new resource group.
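Review bot: Removing "If you get an error, see Troubleshoot moving Azure resources to new resource group or subscription" here, and the identical sentence in the PowerShell, CLI and REST sections, leaves each procedure with no pointer to error guidance. The same update adds FAQ entries at the end of this article for the 800-resource limit and the `MoveCannotProceedWithResourcesNotInSucceededState` error, so replace the removed sentence with a link to the "Frequently asked questions" section rather than dropping it outright.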
Move-AzResource -DestinationResourceGroupName NewRG -ResourceId $webapp.Resource
To move to a new subscription, include a value for the `DestinationSubscriptionId` parameter.
-If you get an error, see [Troubleshoot moving Azure resources to new resource group or subscription](troubleshoot-move.md).
- ## Use Azure CLI To move existing resources to another resource group or subscription, use the [az resource move](/cli/azure/resource#az-resource-move) command. Provide the resource IDs of the resources to move. The following example shows how to move several resources to a new resource group. In the `--ids` parameter, provide a space-separated list of the resource IDs to move.
az resource move --destination-group newgroup --ids $webapp $plan
To move to a new subscription, provide the `--destination-subscription-id` parameter.
-If you get an error, see [Troubleshoot moving Azure resources to new resource group or subscription](troubleshoot-move.md).
- ## Use REST API To move existing resources to another resource group or subscription, use the [Move resources](/rest/api/resources/resources/moveresources) operation.
In the request body, you specify the target resource group and the resources to
} ```
-If you get an error, see [Troubleshoot moving Azure resources to new resource group or subscription](troubleshoot-move.md).
- ## Frequently asked questions **Question: My resource move operation, which usually takes a few minutes, has been running for almost an hour. Is there something wrong?**
Another common example involves moving a virtual network. You may have to move s
Currently, not all resources in Azure support move. For a list of resources that support move, see [Move operation support for resources](move-support-resources.md).
+**Question: How many resources can I move in a single operation?**
+
+When possible, break large moves into separate move operations. Resource Manager immediately returns an error when there are more than 800 resources in a single operation. However, moving less than 800 resources may also fail by timing out.
+
+**Question: What is the meaning of the error that a resource isn't in succeeded state?**
+
+When you get an error message that indicates a resource can't be moved because it isn't in a succeeded state, it may actually be a dependent resource that is blocking the move. Typically, the error code is **MoveCannotProceedWithResourcesNotInSucceededState**.
+
+If the source or target resource group contains a virtual network, the states of all dependent resources for the virtual network are checked during the move. The check includes those resources directly and indirectly dependent on the virtual network. If any of those resources are in a failed state, the move is blocked. For example, if a virtual machine that uses the virtual network has failed, the move is blocked. The move is blocked even when the virtual machine isn't one of the resources being moved and isn't in one of the resource groups for the move.
+
+When you receive this error, you have two options. Either move your resources to a resource group that doesn't have a virtual network, or [contact support](../../azure-portal/supportability/how-to-create-azure-support-request.md).
+ ## Next steps For a list of which resources support move, see [Move operation support for resources](move-support-resources.md).
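Review bot: In the new answer on move size, "moving less than 800 resources may also fail" should read "fewer than 800 resources", and the wording leaves the behaviour at exactly 800 unstated because the immediate error is described only for "more than 800 resources in a single operation". In the answer on the succeeded-state error, the two options given are to move to a resource group without a virtual network or to contact support; since the text says a failed dependent resource such as a virtual machine is what blocks the move, state whether repairing or removing that failed resource also unblocks it.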
azure-resource-manager Move Resources Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/move-resources-overview.md
+
+ Title: Move Azure resources across resource groups, subscriptions, or regions.
+description: Overview of Azure resource types that can be moved across resource groups, subscriptions, or regions.
+ Last updated : 04/16/2021++
+# Move Azure resources across resource groups, subscriptions, or regions
+
+Azure resources can be moved to a new resource group or subscription, or across regions.
+
+## Move resources across resource groups or subscriptions
+
+You can move Azure resources to either another Azure subscription or another resource group under the same subscription. You can use the Azure portal, Azure PowerShell, Azure CLI, or the REST API to move resources. To learn more, see [Move resources to a new resource group or subscription](move-resource-group-and-subscription.md).
+
+### Upgrade a subscription
+
+If you actually want to upgrade your Azure subscription (such as switching from free to pay-as-you-go), you need to convert your subscription.
+
+- To upgrade a free trial, see [Upgrade your Free Trial or Microsoft Imagine Azure subscription to Pay-As-You-Go](../../cost-management-billing/manage/upgrade-azure-subscription.md).
+- To change a pay-as-you-go account, see [Change your Azure Pay-As-You-Go subscription to a different offer](../../cost-management-billing/manage/switch-azure-offer.md).
+
+If you can't convert the subscription, [create an Azure support request](../../azure-portal/supportability/how-to-create-azure-support-request.md). Select **Subscription Management** for the issue type.
+
+## Move resources across regions
+
+Azure geographies, regions, and availability zones form the foundation of the Azure global infrastructure. Azure [geographies](https://azure.microsoft.com/global-infrastructure/geographies/) typically contain two or more [Azure regions](https://azure.microsoft.com/global-infrastructure/regions/). A region is an area within a geography, containing Availability Zones, and multiple data centers.
+
+After deploying resources in specific Azure region, there are many reasons that you might want to move resources to a different region.
+
+- **Align to a region launch**: Move your resources to a newly introduced Azure region that wasn't previously available.
+- **Align for services/features**: Move resources to take advantage of services or features that are available in a specific region.
+- **Respond to business developments**: Move resources to a region in response to business changes, such as mergers or acquisitions.
+- **Align for proximity**: Move resources to a region local to your business.
+- **Meet data requirements**: Move resources to align with data residency requirements, or data classification needs. [Learn more](https://azure.microsoft.com/mediahandler/files/resourcefiles/achieving-compliant-data-residency-and-security-with-azure/Achieving_Compliant_Data_Residency_and_Security_with_Azure.pdf).
+- **Respond to deployment requirements**: Move resources that were deployed in error, or move in response to capacity needs.
+- **Respond to decommissioning**: Move resources because of decommissioned regions.
+
+### Move resources with Resource Mover
+
+You can move resources to a different region with [Azure Resource Mover](../../resource-mover/overview.md). Resource Mover provides:
+
+- A single hub for moving resources across regions.
+- Reduced move time and complexity. Everything you need is in a single location.
+- A simple and consistent experience for moving different types of Azure resources.
+- An easy way to identify dependencies across resources you want to move. This identification helps you to move related resources together, so that everything works as expected in the target region, after the move.
+- Automatic cleanup of resources in the source region, if you want to delete them after the move.
+- Testing. You can try out a move, and then discard it if you don't want to do a full move.
+
+You can move resources to another region using a couple of different methods:
+
+- **Start moving resources from a resource group**: With this method, you kick off the region move from within a resource group. After selecting the resources you want to move, the process continues in the Resource Mover hub, to check resource dependencies, and orchestrate the move process. [Learn more](../../resource-mover/move-region-within-resource-group.md).
+- **Start moving resources directly from the Resource Mover hub**: With this method, you kick off the region move process directly in the hub. [Learn more](../../resource-mover/tutorial-move-region-virtual-machines.md).
+
+## Next steps
+
+- To check if a resource type supports being moved, see [Move operation support for resources](move-support-resources.md).
+- To learn more about the region move process, see [About the move process](../../resource-mover/about-move-process.md).
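Review bot: The `Title` metadata ends with a period ("Move Azure resources across resource groups, subscriptions, or regions.") while the H1 and the other titles in this update do not; drop it. In the "Move resources across regions" section, "After deploying resources in specific Azure region" is missing an article ("in a specific Azure region"), and "Availability Zones" is capitalized in the sentence right after "availability zones" is written in lower case; use one form.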
azure-resource-manager Move Support Resources https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/move-support-resources.md
Title: Move operation support by resource type
-description: Lists the Azure resource types that can be moved to a new resource group or subscription.
+description: Lists the Azure resource types that can be moved to a new resource group, subscription, or region.
Previously updated : 04/08/2021 Last updated : 04/16/2021 # Move operation support for resources
Jump to a resource provider namespace:
## Microsoft.AAD > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | domainservices | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | domainservices | No | No | No |
## microsoft.aadiam > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | diagnosticsettings | No | No |
-> | diagnosticsettingscategories | No | No |
-> | privatelinkforazuread | Yes | Yes |
-> | tenants | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | diagnosticsettings | No | No | No |
+> | diagnosticsettingscategories | No | No | No |
+> | privatelinkforazuread | Yes | Yes | No |
+> | tenants | Yes | Yes | No |
## Microsoft.Addons > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | supportproviders | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | supportproviders | No | No | No |
## Microsoft.ADHybridHealthService > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | aadsupportcases | No | No |
-> | addsservices | No | No |
-> | agents | No | No |
-> | anonymousapiusers | No | No |
-> | configuration | No | No |
-> | logs | No | No |
-> | reports | No | No |
-> | servicehealthmetrics | No | No |
-> | services | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | aadsupportcases | No | No | No |
+> | addsservices | No | No | No |
+> | agents | No | No | No |
+> | anonymousapiusers | No | No | No |
+> | configuration | No | No | No |
+> | logs | No | No | No |
+> | reports | No | No | No |
+> | servicehealthmetrics | No | No | No |
+> | services | No | No | No |
## Microsoft.Advisor > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | configurations | No | No |
-> | generaterecommendations | No | No |
-> | metadata | No | No |
-> | recommendations | No | No |
-> | suppressions | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | configurations | No | No | No |
+> | generaterecommendations | No | No | No |
+> | metadata | No | No | No |
+> | recommendations | No | No | No |
+> | suppressions | No | No | No |
## Microsoft.AlertsManagement > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | actionrules | Yes | Yes |
-> | alerts | No | No |
-> | alertslist | No | No |
-> | alertsmetadata | No | No |
-> | alertssummary | No | No |
-> | alertssummarylist | No | No |
-> | smartdetectoralertrules | Yes | Yes |
-> | smartgroups | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | actionrules | Yes | Yes | No |
+> | alerts | No | No | No |
+> | alertslist | No | No | No |
+> | alertsmetadata | No | No | No |
+> | alertssummary | No | No | No |
+> | alertssummarylist | No | No | No |
+> | smartdetectoralertrules | Yes | Yes | No |
+> | smartgroups | No | No | No |
## Microsoft.AnalysisServices > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | servers | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | servers | Yes | Yes | No |
## Microsoft.ApiManagement
Jump to a resource provider namespace:
> An API Management service that is set to the Consumption SKU can't be moved. > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | reportfeedback | No | No |
-> | service | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | reportfeedback | No | No | No |
+> | service | Yes | Yes | Yes (using template) <br/><br/> [Move API Management across regions](../../api-management/api-management-howto-migrate.md). |
## Microsoft.AppConfiguration > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | configurationstores | Yes | Yes |
-> | configurationstores / eventgridfilters | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | configurationstores | Yes | Yes | No |
+> | configurationstores / eventgridfilters | No | No | No |
## Microsoft.AppPlatform > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | spring | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | spring | Yes | Yes | No |
## Microsoft.AppService
Jump to a resource provider namespace:
> See [App Service move guidance](./move-limitations/app-service-move-limitations.md). > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | apiapps | No | No |
-> | appidentities | No | No |
-> | gateways | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | apiapps | No | No | Yes (using template)<br/><br/> [Move an App Service app to another region](../../app-service/manage-move-across-regions.md) |
+> | appidentities | No | No | No |
+> | gateways | No | No | No |
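Review bot: in the `apiapps` row, the Region move cell says "Yes (using template)" while the same row is No for both resource group and subscription moves, and the linked article is titled "Move an App Service app to another region". Please confirm that article covers the `apiapps` type listed under Microsoft.AppService; if it does not, the cell should be No like `appidentities` and `gateways`.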
## Microsoft.Attestation > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | attestationproviders | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | attestationproviders | Yes | Yes | No |
## Microsoft.Authorization > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | classicadministrators | No | No |
-> | dataaliases | No | No |
-> | denyassignments | No | No |
-> | elevateaccess | No | No |
-> | findorphanroleassignments | No | No |
-> | locks | No | No |
-> | permissions | No | No |
-> | policyassignments | No | No |
-> | policydefinitions | No | No |
-> | policysetdefinitions | No | No |
-> | privatelinkassociations | No | No |
-> | resourcemanagementprivatelinks | No | No |
-> | roleassignments | No | No |
-> | roleassignmentsusagemetrics | No | No |
-> | roledefinitions | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | classicadministrators | No | No | No |
+> | dataaliases | No | No | No |
+> | denyassignments | No | No | No |
+> | elevateaccess | No | No | No |
+> | findorphanroleassignments | No | No | No |
+> | locks | No | No | No |
+> | permissions | No | No | No |
+> | policyassignments | No | No | No |
+> | policydefinitions | No | No | No |
+> | policysetdefinitions | No | No | No |
+> | privatelinkassociations | No | No | No |
+> | resourcemanagementprivatelinks | No | No | No |
+> | roleassignments | No | No | No |
+> | roleassignmentsusagemetrics | No | No | No |
+> | roledefinitions | No | No | No |
## Microsoft.Automation
Jump to a resource provider namespace:
> For information, see [Move your Azure Automation account to another subscription](../../automation/how-to/move-account.md?toc=/azure/azure-resource-manager/toc.json). > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | automationaccounts | Yes | Yes |
-> | automationaccounts / configurations | Yes | Yes |
-> | automationaccounts / runbooks | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | automationaccounts | Yes | Yes | Yes (using template) <br/><br/> [Using geo-replication](../../automation/automation-managing-data.md#geo-replication-in-azure-automation) |
+> | automationaccounts / configurations | Yes | Yes | No |
+> | automationaccounts / runbooks | Yes | Yes | No |
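Review bot: in the `automationaccounts` row, the status "Yes (using template)" does not match its link, whose text is "Using geo-replication" and whose anchor is `#geo-replication-in-azure-automation`. State which mechanism the reader should use, and point the link at guidance for that mechanism, so the cell does not describe two different procedures.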
## Microsoft.AVS > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | privateclouds | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | privateclouds | Yes | Yes | No |
## Microsoft.AzureActiveDirectory > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | b2cdirectories | Yes | Yes |
-> | b2ctenants | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | b2cdirectories | Yes | Yes | No |
+> | b2ctenants | No | No | No |
## Microsoft.AzureData > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | datacontrollers | No | No |
-> | hybriddatamanagers | No | No |
-> | postgresinstances | No | No |
-> | sqlinstances | No | No |
-> | sqlmanagedinstances | No | No |
-> | sqlserverinstances | No | No |
-> | sqlserverregistrations | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | datacontrollers | No | No | No |
+> | hybriddatamanagers | No | No | No |
+> | postgresinstances | No | No | No |
+> | sqlinstances | No | No | No |
+> | sqlmanagedinstances | No | No | No |
+> | sqlserverinstances | No | No | No |
+> | sqlserverregistrations | Yes | Yes | No |
## Microsoft.AzureStack > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | cloudmanifestfiles | No | No |
-> | registrations | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | cloudmanifestfiles | No | No | No |
+> | registrations | Yes | Yes | No |
## Microsoft.AzureStackHCI > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | clusters | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | clusters | No | No | No |
## Microsoft.Batch > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | batchaccounts | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | batchaccounts | Yes | Yes | Batch accounts can't be moved directly from one region to another, but you can use a template to export a template, modify it, and deploy the template to the new region. <br/><br/> Learn about [moving a Batch account across regions](../../batch/best-practices.md#moving-batch-accounts-across-regions) |
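Review bot: the `batchaccounts` Region move cell has no leading Yes/No status, unlike the other rows in this column, and the phrase "use a template to export a template" is circular. Suggest leading with a status consistent with the other template-based rows (for example the "Yes (using template)" wording used for API Management) and rewording to "export a template, modify it, and deploy it to the new region".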
## Microsoft.Billing > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | billingaccounts | No | No |
-> | billingperiods | No | No |
-> | billingpermissions | No | No |
-> | billingproperty | No | No |
-> | billingroleassignments | No | No |
-> | billingroledefinitions | No | No |
-> | departments | No | No |
-> | enrollmentaccounts | No | No |
-> | invoices | No | No |
-> | transfers | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | billingaccounts | No | No | No |
+> | billingperiods | No | No | No |
+> | billingpermissions | No | No | No |
+> | billingproperty | No | No | No |
+> | billingroleassignments | No | No | No |
+> | billingroledefinitions | No | No | No |
+> | departments | No | No | No |
+> | enrollmentaccounts | No | No | No |
+> | invoices | No | No | No |
+> | transfers | No | No | No |
## Microsoft.BingMaps > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | mapapis | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | mapapis | No | No | No |
## Microsoft.BizTalkServices > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | biztalk | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | biztalk | No | No | No |
## Microsoft.Blockchain > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | blockchainmembers | No | No |
-> | cordamembers | No | No |
-> | watchers | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | blockchainmembers | No | No | No <br/><br/> The blockchain network can't have nodes in different regions. |
+> | cordamembers | No | No | No |
+> | watchers | No | No | No |
## Microsoft.BlockchainTokens > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | tokenservices | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | tokenservices | No | No | No |
## Microsoft.Blueprint > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | blueprintassignments | No | No |
-> | blueprints | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | blueprintassignments | No | No | No |
+> | blueprints | No | No | No |
## Microsoft.BotService > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | botservices | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | botservices | Yes | Yes | No |
## Microsoft.Cache
Jump to a resource provider namespace:
> If the Azure Cache for Redis instance is configured with a virtual network, the instance can't be moved to a different subscription. See [Networking move limitations](./move-limitations/networking-move-limitations.md). > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | redis | Yes | Yes |
-> | redisenterprise | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | redis | Yes | Yes | No |
+> | redisenterprise | No | No | No |
## Microsoft.Capacity > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | appliedreservations | No | No |
-> | calculateexchange | No | No |
-> | calculateprice | No | No |
-> | calculatepurchaseprice | No | No |
-> | catalogs | No | No |
-> | commercialreservationorders | No | No |
-> | exchange | No | No |
-> | reservationorders | No | No |
-> | reservations | No | No |
-> | resources | No | No |
-> | validatereservationorder | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | appliedreservations | No | No | No |
+> | calculateexchange | No | No | No |
+> | calculateprice | No | No | No |
+> | calculatepurchaseprice | No | No | No |
+> | catalogs | No | No | No |
+> | commercialreservationorders | No | No | No |
+> | exchange | No | No | No |
+> | reservationorders | No | No | No |
+> | reservations | No | No | No |
+> | resources | No | No | No |
+> | validatereservationorder | No | No | No |
## Microsoft.Cdn > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | cdnwebapplicationfirewallmanagedrulesets | No | No |
-> | cdnwebapplicationfirewallpolicies | Yes | Yes |
-> | edgenodes | No | No |
-> | profiles | Yes | Yes |
-> | profiles / endpoints | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | cdnwebapplicationfirewallmanagedrulesets | No | No | No |
+> | cdnwebapplicationfirewallpolicies | Yes | Yes | No |
+> | edgenodes | No | No | No |
+> | profiles | Yes | Yes | No |
+> | profiles / endpoints | Yes | Yes | No |
## Microsoft.CertificateRegistration
Jump to a resource provider namespace:
> See [App Service move guidance](./move-limitations/app-service-move-limitations.md). > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | certificateorders | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | certificateorders | Yes | Yes | No |
## Microsoft.ClassicCompute
Jump to a resource provider namespace:
> See [Classic deployment move guidance](./move-limitations/classic-model-move-limitations.md). Classic deployment resources can be moved across subscriptions with an operation specific to that scenario. > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | capabilities | No | No |
-> | domainnames | Yes | No |
-> | quotas | No | No |
-> | resourcetypes | No | No |
-> | validatesubscriptionmoveavailability | No | No |
-> | virtualmachines | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | capabilities | No | No | No |
+> | domainnames | Yes | No | No |
+> | quotas | No | No | No |
+> | resourcetypes | No | No | No |
+> | validatesubscriptionmoveavailability | No | No | No |
+> | virtualmachines | Yes | Yes | No |
## Microsoft.ClassicInfrastructureMigrate
Jump to a resource provider namespace:
> See [Classic deployment move guidance](./move-limitations/classic-model-move-limitations.md). Classic deployment resources can be moved across subscriptions with an operation specific to that scenario. > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | classicinfrastructureresources | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | classicinfrastructureresources | No | No | No |
## Microsoft.ClassicNetwork
Jump to a resource provider namespace:
> See [Classic deployment move guidance](./move-limitations/classic-model-move-limitations.md). Classic deployment resources can be moved across subscriptions with an operation specific to that scenario. > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | capabilities | No | No |
-> | expressroutecrossconnections | No | No |
-> | expressroutecrossconnections / peerings | No | No |
-> | gatewaysupporteddevices | No | No |
-> | networksecuritygroups | No | No |
-> | quotas | No | No |
-> | reservedips | No | No |
-> | virtualnetworks | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | capabilities | No | No | No |
+> | expressroutecrossconnections | No | No | No |
+> | expressroutecrossconnections / peerings | No | No | No |
+> | gatewaysupporteddevices | No | No | No |
+> | networksecuritygroups | No | No | No |
+> | quotas | No | No | No |
+> | reservedips | No | No | No |
+> | virtualnetworks | No | No | No |
## Microsoft.ClassicStorage
Jump to a resource provider namespace:
> See [Classic deployment move guidance](./move-limitations/classic-model-move-limitations.md). Classic deployment resources can be moved across subscriptions with an operation specific to that scenario. > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | disks | No | No |
-> | images | No | No |
-> | osimages | No | No |
-> | osplatformimages | No | No |
-> | publicimages | No | No |
-> | quotas | No | No |
-> | storageaccounts | Yes | No |
-> | vmimages | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | disks | No | No | No |
+> | images | No | No | No |
+> | osimages | No | No | No |
+> | osplatformimages | No | No | No |
+> | publicimages | No | No | No |
+> | quotas | No | No | No |
+> | storageaccounts | Yes | No | Yes |
+> | vmimages | No | No | No |
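Review bot: the `storageaccounts` row sets Region move to a bare "Yes" with no qualifier or link, while subscription move is No and the other Yes entries in this column carry guidance (a template note or a Resource Mover link). Please confirm the value for classic storage accounts and add the link to the procedure, or change it to No if this was a copy error.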
## Microsoft.ClassicSubscription
Jump to a resource provider namespace:
> See [Classic deployment move guidance](./move-limitations/classic-model-move-limitations.md). Classic deployment resources can be moved across subscriptions with an operation specific to that scenario. > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | operations | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | operations | No | No | No |
## Microsoft.CognitiveServices > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | accounts | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | accounts | Yes | Yes | No |
+> | Cognitive Search | **pending** | **pending** | Supported with manual steps.<br/><br/> Learn about [moving your Azure Cognitive Search service to another region](../../search/search-howto-move-across-regions.md) |
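Review bot: the added `Cognitive Search` row does not fit this table. It uses a product name instead of a lowercase resource type, its resource group and subscription cells are "**pending**" rather than Yes/No, and its link points under `../../search/`, which suggests it belongs to a different resource provider section than Microsoft.CognitiveServices. Suggest moving the row to the section for the Search provider with the actual resource type name, and resolving the pending values before publishing.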
## Microsoft.Commerce > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | ratecard | No | No |
-> | usageaggregates | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | ratecard | No | No | No |
+> | usageaggregates | No | No | No |
## Microsoft.Compute
Jump to a resource provider namespace:
> See [Virtual Machines move guidance](./move-limitations/virtual-machines-move-limitations.md). > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | availabilitysets | Yes | Yes |
-> | diskaccesses | No | No |
-> | diskencryptionsets | No | No |
-> | disks | Yes | Yes |
-> | galleries | No | No |
-> | galleries / images | No | No |
-> | galleries / images / versions | No | No |
-> | hostgroups | No | No |
-> | hostgroups / hosts | No | No |
-> | images | Yes | Yes |
-> | proximityplacementgroups | Yes | Yes |
-> | restorepointcollections | No | No |
-> | restorepointcollections / restorepoints | No | No |
-> | sharedvmextensions | No | No |
-> | sharedvmimages | No | No |
-> | sharedvmimages / versions | No | No |
-> | snapshots | Yes | Yes |
-> | sshpublickeys | No | No |
-> | virtualmachines | Yes | Yes |
-> | virtualmachines / extensions | Yes | Yes |
-> | virtualmachinescalesets | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | availabilitysets | Yes | Yes | Yes <br/><br/> Use [Azure Resource Mover](../../resource-mover/tutorial-move-region-virtual-machines.md) to move availability sets. |
+> | diskaccesses | No | No | No |
+> | diskencryptionsets | No | No | No |
+> | disks | Yes | Yes | Yes <br/><br/> Use [Azure Resource Mover](../../resource-mover/tutorial-move-region-virtual-machines.md) to move Azure VMs and related disks. |
+> | galleries | No | No | No |
+> | galleries / images | No | No | No |
+> | galleries / images / versions | No | No | No |
+> | hostgroups | No | No | No |
+> | hostgroups / hosts | No | No | No |
+> | images | Yes | Yes | No |
+> | proximityplacementgroups | Yes | Yes | No |
+> | restorepointcollections | No | No | No |
+> | restorepointcollections / restorepoints | No | No | No |
+> | sharedvmextensions | No | No | No |
+> | sharedvmimages | No | No | No |
+> | sharedvmimages / versions | No | No | No |
+> | snapshots | Yes | Yes | No |
+> | sshpublickeys | No | No | No |
+> | virtualmachines | Yes | Yes | Yes <br/><br/> Use [Azure Resource Mover](../../resource-mover/tutorial-move-region-virtual-machines.md) to move Azure VMs. |
+> | virtualmachines / extensions | Yes | Yes | No |
+> | virtualmachinescalesets | Yes | Yes | No |
## Microsoft.Consumption > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | aggregatedcost | No | No |
-> | balances | No | No |
-> | budgets | No | No |
-> | charges | No | No |
-> | costtags | No | No |
-> | credits | No | No |
-> | events | No | No |
-> | forecasts | No | No |
-> | lots | No | No |
-> | marketplaces | No | No |
-> | pricesheets | No | No |
-> | products | No | No |
-> | reservationdetails | No | No |
-> | reservationrecommendationdetails | No | No |
-> | reservationrecommendations | No | No |
-> | reservationsummaries | No | No |
-> | reservationtransactions | No | No |
-> | tags | No | No |
-> | tenants | No | No |
-> | terms | No | No |
-> | usagedetails | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | aggregatedcost | No | No | No |
+> | balances | No | No | No |
+> | budgets | No | No | No |
+> | charges | No | No | No |
+> | costtags | No | No | No |
+> | credits | No | No | No |
+> | events | No | No | No |
+> | forecasts | No | No | No |
+> | lots | No | No | No |
+> | marketplaces | No | No | No |
+> | pricesheets | No | No | No |
+> | products | No | No | No |
+> | reservationdetails | No | No | No |
+> | reservationrecommendationdetails | No | No | No |
+> | reservationrecommendations | No | No | No |
+> | reservationsummaries | No | No | No |
+> | reservationtransactions | No | No | No |
+> | tags | No | No | No |
+> | tenants | No | No | No |
+> | terms | No | No | No |
+> | usagedetails | No | No | No |
## Microsoft.ContainerInstance > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | containergroups | No | No |
-> | serviceassociationlinks | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | containergroups | No | No | No |
+> | serviceassociationlinks | No | No | No |
## Microsoft.ContainerRegistry > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | registries | Yes | Yes |
-> | registries / agentpools | Yes | Yes |
-> | registries / buildtasks | Yes | Yes |
-> | registries / replications | Yes | Yes |
-> | registries / tasks | Yes | Yes |
-> | registries / webhooks | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | registries | Yes | Yes | No |
+> | registries / agentpools | Yes | Yes | No |
+> | registries / buildtasks | Yes | Yes | No |
+> | registries / replications | Yes | Yes | No |
+> | registries / tasks | Yes | Yes | No |
+> | registries / webhooks | Yes | Yes | No |
## Microsoft.ContainerService > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | containerservices | No | No |
-> | managedclusters | No | No |
-> | openshiftmanagedclusters | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | containerservices | No | No | No |
+> | managedclusters | No | No | No |
+> | openshiftmanagedclusters | No | No | No |
## Microsoft.ContentModerator > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | applications | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | applications | No | No | No |
## Microsoft.CortanaAnalytics > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | accounts | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | accounts | No | No | No |
## Microsoft.CostManagement > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | alerts | No | No |
-> | billingaccounts | No | No |
-> | budgets | No | No |
-> | cloudconnectors | No | No |
-> | connectors | Yes | Yes |
-> | departments | No | No |
-> | dimensions | No | No |
-> | enrollmentaccounts | No | No |
-> | exports | No | No |
-> | externalbillingaccounts | No | No |
-> | forecast | No | No |
-> | query | No | No |
-> | register | No | No |
-> | reportconfigs | No | No |
-> | reports | No | No |
-> | settings | No | No |
-> | showbackrules | No | No |
-> | views | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | alerts | No | No | No |
+> | billingaccounts | No | No | No |
+> | budgets | No | No | No |
+> | cloudconnectors | No | No | No |
+> | connectors | Yes | Yes | No |
+> | departments | No | No | No |
+> | dimensions | No | No | No |
+> | enrollmentaccounts | No | No | No |
+> | exports | No | No | No |
+> | externalbillingaccounts | No | No | No |
+> | forecast | No | No | No |
+> | query | No | No | No |
+> | register | No | No | No |
+> | reportconfigs | No | No | No |
+> | reports | No | No | No |
+> | settings | No | No | No |
+> | showbackrules | No | No | No |
+> | views | No | No | No |
## Microsoft.CustomerInsights > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | hubs | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | hubs | No | No | No |
## Microsoft.CustomerLockbox > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | requests | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | requests | No | No | No |
## Microsoft.CustomProviders > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | associations | No | No |
-> | resourceproviders | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | associations | No | No | No |
+> | resourceproviders | Yes | Yes | No |
## Microsoft.DataBox > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | jobs | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | jobs | No | No | No |
## Microsoft.DataBoxEdge > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | availableskus | No | No |
-> | databoxedgedevices | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | availableskus | No | No | No |
+> | databoxedgedevices | No | No | No |
## Microsoft.Databricks > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | workspaces | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | workspaces | No | No | No |
## Microsoft.DataCatalog > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | catalogs | Yes | Yes |
-> | datacatalogs | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | catalogs | Yes | Yes | No |
+> | datacatalogs | No | No | No |
## Microsoft.DataConnect > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | connectionmanagers | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | connectionmanagers | No | No | No |
## Microsoft.DataExchange > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | packages | No | No |
-> | plans | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | packages | No | No | No |
+> | plans | No | No | No |
## Microsoft.DataFactory > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | datafactories | Yes | Yes |
-> | factories | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | datafactories | Yes | Yes | No |
+> | factories | Yes | Yes | No |
## Microsoft.DataLake > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | datalakeaccounts | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | datalakeaccounts | No | No | No |
## Microsoft.DataLakeAnalytics > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | accounts | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | accounts | Yes | Yes | No |
## Microsoft.DataLakeStore > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | accounts | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | accounts | Yes | Yes | No |
## Microsoft.DataMigration > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | services | No | No |
-> | services / projects | No | No |
-> | slots | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | services | No | No | No |
+> | services / projects | No | No | No |
+> | slots | No | No | No |
## Microsoft.DataProtection > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | backupvaults | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | - |
+> | backupvaults | No | No | No |
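Review bot: style point on the separator row here, which is `| - | -- | - | - |` while the rest of the change uses `| - | -- | - | -- |`. Suggest matching the other tables so the separators stay uniform.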
## Microsoft.DataShare > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | accounts | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | accounts | Yes | Yes | No |
## Microsoft.DBforMariaDB > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | servers | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | servers | Yes | Yes | You can use a cross-region read replica to move an existing server. [Learn more](../../postgresql/howto-move-regions-portal.md).<br/><br/> If the service is provisioned with geo-redundant backup storage, you can use geo-restore to restore in other regions. [Learn more](../../mariadb/concepts-business-continuity.md#recover-from-an-azure-regional-data-center-outage).
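Review bot: in the Microsoft.DBforMariaDB `servers` row, the first "Learn more" link points to `../../postgresql/howto-move-regions-portal.md`, while the second link in the same cell points under `../../mariadb/`. The first looks copied from the PostgreSQL section and should reference the MariaDB article. The row is also missing its closing ` |`, and the cell has no leading Yes/No status like the other rows.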
## Microsoft.DBforMySQL > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | flexibleServers | No | No |
-> | servers | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | flexibleServers | No | No | No |
+> | servers | Yes | Yes | You can use a cross-region read replica to move an existing server. [Learn more](../../mysql/howto-move-regions-portal.md).
## Microsoft.DBforPostgreSQL > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | flexibleServers | No | No |
-> | servergroups | No | No |
-> | servers | Yes | Yes |
-> | serversv2 | Yes | Yes |
-> | singleservers | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | flexibleServers | No | No | No |
+> | servergroups | No | No | No |
+> | servers | Yes | Yes | You can use a cross-region read replica to move an existing server. [Learn-more](../../postgresql/howto-move-regions-portal.md).
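Review bot: in the `servers` row of the Microsoft.DBforPostgreSQL table the link text is `Learn-more`, where the other rows in this change use `Learn more`, and the row is missing its closing `|`.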
+> | serversv2 | Yes | Yes | No |
+> | singleservers | Yes | Yes | No |
## Microsoft.DeploymentManager > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | artifactsources | Yes | Yes |
-> | rollouts | Yes | Yes |
-> | servicetopologies | Yes | Yes |
-> | servicetopologies / services | Yes | Yes |
-> | servicetopologies / services / serviceunits | Yes | Yes |
-> | steps | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | artifactsources | Yes | Yes | No |
+> | rollouts | Yes | Yes | No |
+> | servicetopologies | Yes | Yes | No |
+> | servicetopologies / services | Yes | Yes | No |
+> | servicetopologies / services / serviceunits | Yes | Yes | No |
+> | steps | Yes | Yes | No |
## Microsoft.DesktopVirtualization > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | applicationgroups | Yes | Yes |
-> | hostpools | Yes | Yes |
-> | workspaces | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | applicationgroups | Yes | Yes | No |
+> | hostpools | Yes | Yes | No |
+> | workspaces | Yes | Yes | No |
## Microsoft.Devices > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | elasticpools | No | No |
-> | elasticpools / iothubtenants | No | No |
-> | iothubs | Yes | Yes |
-> | provisioningservices | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | elasticpools | No | No | No. Resource isn't exposed. |
+> | elasticpools / iothubtenants | No | No | No. Resource isn't exposed. |
+> | iothubs | Yes | Yes | Yes. [Learn more](../../iot-hub/iot-hub-how-to-clone.md) |
+> | provisioningservices | Yes | Yes | No |
## Microsoft.DevOps > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | pipelines | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | pipelines | Yes | Yes | No |
+> | controllers | **pending** | **pending** | No |
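Review bot: the added `controllers` row in the Microsoft.DevOps table has `**pending**` in the Resource group and Subscription columns, and the removed table had no such row. `controllers` is the resource type listed under Microsoft.DevSpaces directly below, so this row looks misplaced. Remove it, or replace the placeholders with confirmed Yes/No values before publishing; if it stays, it should sort before `pipelines`.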
## Microsoft.DevSpaces > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | controllers | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | controllers | Yes | Yes | No |
+> | AKS cluster | **pending** | **pending** | No<br/><br/> [Learn more](../../dev-spaces/faq.md#can-i-migrate-my-aks-cluster-with-azure-dev-spaces-to-another-region) about moving to another region.
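Review bot: the added `AKS cluster` row is not a resource type name like the other entries in these tables, carries `**pending**` placeholders in both move columns, and is missing its closing `|`. Since the linked FAQ entry is about Dev Spaces, consider putting the "Learn more" link in the Region move cell of the existing `controllers` row instead of adding a placeholder row.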
## Microsoft.DevTestLab > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | labcenters | No | No |
-> | labs | Yes | No |
-> | labs / environments | Yes | Yes |
-> | labs / servicerunners | Yes | Yes |
-> | labs / virtualmachines | Yes | No |
-> | schedules | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | labcenters | No | No | No |
+> | labs | Yes | No | No |
+> | labs / environments | Yes | Yes | No |
+> | labs / servicerunners | Yes | Yes | No |
+> | labs / virtualmachines | Yes | No | No |
+> | schedules | Yes | Yes | No |
## Microsoft.DigitalTwins > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | digitaltwinsinstances | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | digitaltwinsinstances | No | No | Yes, by recreating resources in new region. [Learn more](../../digital-twins/how-to-move-regions.md) |
## Microsoft.DocumentDB > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | databaseaccountnames | No | No |
-> | databaseaccounts | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | databaseaccountnames | No | No | No |
+> | databaseaccounts | Yes | Yes | No |
## Microsoft.DomainRegistration > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | domains | Yes | Yes |
-> | generatessorequest | No | No |
-> | topleveldomains | No | No |
-> | validatedomainregistrationinformation | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | domains | Yes | Yes | No |
+> | generatessorequest | No | No | No |
+> | topleveldomains | No | No | No |
+> | validatedomainregistrationinformation | No | No | No |
## Microsoft.EnterpriseKnowledgeGraph > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | services | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | services | Yes | Yes | No |
## Microsoft.EventGrid > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | domains | Yes | Yes |
-> | eventsubscriptions | No - can't be moved independently but automatically moved with subscribed resource. | No - can't be moved independently but automatically moved with subscribed resource. |
-> | extensiontopics | No | No |
-> | partnernamespaces | Yes | Yes |
-> | partnerregistrations | No | No |
-> | partnertopics | Yes | Yes |
-> | systemtopics | Yes | Yes |
-> | topics | Yes | Yes |
-> | topictypes | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | domains | Yes | Yes | No |
+> | eventsubscriptions | No - can't be moved independently but automatically moved with subscribed resource. | No - can't be moved independently but automatically moved with subscribed resource. | No |
+> | extensiontopics | No | No | No |
+> | partnernamespaces | Yes | Yes | No |
+> | partnerregistrations | No | No | No |
+> | partnertopics | Yes | Yes | No |
+> | systemtopics | Yes | Yes | No |
+> | topics | Yes | Yes | No |
+> | topictypes | No | No | No |
## Microsoft.EventHub > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | clusters | Yes | Yes |
-> | namespaces | Yes | Yes |
-> | sku | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | clusters | Yes | Yes | No |
+> | namespaces | Yes | Yes | Yes (with template)<br/><br/> [Move an Event Hub namespace to another region](../../event-hubs/move-across-regions.md) |
+> | sku | No | No | No |
## Microsoft.Experimentation > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | experimentworkspaces | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | experimentworkspaces | No | No | No |
## Microsoft.Falcon > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | namespaces | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | namespaces | Yes | Yes | No |
## Microsoft.Features > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | featureproviders | No | No |
-> | features | No | No |
-> | providers | No | No |
-> | subscriptionfeatureregistrations | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | featureproviders | No | No | No |
+> | features | No | No | No |
+> | providers | No | No | No |
+> | subscriptionfeatureregistrations | No | No | No |
## Microsoft.Genomics > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | accounts | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | accounts | No | No | No |
## Microsoft.GuestConfiguration > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | automanagedaccounts | No | No |
-> | automanagedvmconfigurationprofiles | No | No |
-> | guestconfigurationassignments | No | No |
-> | software | No | No |
-> | softwareupdateprofile | No | No |
-> | softwareupdates | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | automanagedaccounts | No | No | No |
+> | automanagedvmconfigurationprofiles | No | No | No |
+> | guestconfigurationassignments | No | No | No |
+> | software | No | No | No |
+> | softwareupdateprofile | No | No | No |
+> | softwareupdates | No | No | No |
## Microsoft.HanaOnAzure > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | hanainstances | No | No |
-> | sapmonitors | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | hanainstances | No | No | No |
+> | sapmonitors | No | No | No |
## Microsoft.HardwareSecurityModules > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | dedicatedhsms | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | dedicatedhsms | No | No | No |
## Microsoft.HDInsight
Jump to a resource provider namespace:
> When moving an HDInsight cluster to a new subscription, first move other resources (like the storage account). Then, move the HDInsight cluster by itself. > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | clusters | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | clusters | Yes | Yes | No |
## Microsoft.HealthcareApis > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | services | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | services | Yes | Yes | No |
## Microsoft.HybridCompute > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | machines | Yes | Yes |
-> | machines / extensions | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | machines | Yes | Yes | No |
+> | machines / extensions | Yes | Yes | No |
## Microsoft.HybridData > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | datamanagers | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | datamanagers | Yes | Yes | No |
## Microsoft.HybridNetwork > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | devices | No | No |
-> | vnfs | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | devices | No | No | No |
+> | vnfs | No | No | No |
## Microsoft.Hydra > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | components | No | No |
-> | networkscopes | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | components | No | No | No |
+> | networkscopes | No | No | No |
## Microsoft.ImportExport > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | jobs | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | jobs | Yes | Yes | No |
-## microsoft.insights
+## Microsoft.Insights
> [!IMPORTANT] > Make sure moving to new subscription doesn't exceed [subscription quotas](azure-subscription-service-limits.md#azure-monitor-limits). > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | actiongroups | Yes | Yes |
-> | activitylogalerts | No | No |
-> | alertrules | Yes | Yes |
-> | autoscalesettings | Yes | Yes |
-> | baseline | No | No |
-> | components | Yes | Yes |
-> | datacollectionrules | No | No |
-> | diagnosticsettings | No | No |
-> | diagnosticsettingscategories | No | No |
-> | eventcategories | No | No |
-> | eventtypes | No | No |
-> | extendeddiagnosticsettings | No | No |
-> | guestdiagnosticsettings | No | No |
-> | listmigrationdate | No | No |
-> | logdefinitions | No | No |
-> | logprofiles | No | No |
-> | logs | No | No |
-> | metricalerts | No | No |
-> | metricbaselines | No | No |
-> | metricbatch | No | No |
-> | metricdefinitions | No | No |
-> | metricnamespaces | No | No |
-> | metrics | No | No |
-> | migratealertrules | No | No |
-> | migratetonewpricingmodel | No | No |
-> | myworkbooks | No | No |
-> | notificationgroups | No | No |
-> | privatelinkscopes | No | No |
-> | rollbacktolegacypricingmodel | No | No |
-> | scheduledqueryrules | Yes | Yes |
-> | topology | No | No |
-> | transactions | No | No |
-> | vminsightsonboardingstatuses | No | No |
-> | webtests | Yes | Yes |
-> | webtests / gettestresultfile | No | No |
-> | workbooks | Yes | Yes |
-> | workbooktemplates | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | accounts | **pending** | **pending** | No. [Learn more](../../azure-monitor/faq.md#how-do-i-move-an-application-insights-resource-to-a-new-region). |
+> | actiongroups | Yes | Yes | No |
+> | activitylogalerts | No | No | No |
+> | alertrules | Yes | Yes | No |
+> | autoscalesettings | Yes | Yes | No |
+> | baseline | No | No | No |
+> | components | Yes | Yes | No |
+> | datacollectionrules | No | No | No |
+> | diagnosticsettings | No | No | No |
+> | diagnosticsettingscategories | No | No | No |
+> | eventcategories | No | No | No |
+> | eventtypes | No | No | No |
+> | extendeddiagnosticsettings | No | No | No |
+> | guestdiagnosticsettings | No | No | No |
+> | listmigrationdate | No | No | No |
+> | logdefinitions | No | No | No |
+> | logprofiles | No | No | No |
+> | logs | No | No | No |
+> | metricalerts | No | No | No |
+> | metricbaselines | No | No | No |
+> | metricbatch | No | No | No |
+> | metricdefinitions | No | No | No |
+> | metricnamespaces | No | No | No |
+> | metrics | No | No | No |
+> | migratealertrules | No | No | No |
+> | migratetonewpricingmodel | No | No | No |
+> | myworkbooks | No | No | No |
+> | notificationgroups | No | No | No |
+> | privatelinkscopes | No | No | No |
+> | rollbacktolegacypricingmodel | No | No | No |
+> | scheduledqueryrules | Yes | Yes | No |
+> | topology | No | No | No |
+> | transactions | No | No | No |
+> | vminsightsonboardingstatuses | No | No | No |
+> | webtests | Yes | Yes | No |
+> | webtests / gettestresultfile | No | No | No |
+> | workbooks | Yes | Yes | No |
+> | workbooktemplates | Yes | Yes | No |
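Review bot: the first added row of the Microsoft.Insights table, `accounts`, was not in the removed table and has `**pending**` in both move columns, while its link targets the Application Insights FAQ. Application Insights resources are `components`, which is already listed with Region move `No`; attach the "Learn more" link to that row and drop the placeholder row, or confirm the Yes/No values for `accounts` before publishing.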
## Microsoft.IoTCentral > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | apptemplates | No | No |
-> | iotapps | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | apptemplates | No | No | No |
+> | iotapps | Yes | Yes | No |
+
+## Microsoft.IoTHub
+
+> [!div class="mx-tableFixed"]
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | iothub | **pending** | **pending** | Yes (clone hub) <br/><br/> [Clone an IoT hub to another region](../../iot-hub/iot-hub-how-to-clone.md) |
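Review bot: the new Microsoft.IoTHub section repeats guidance already given in the Microsoft.Devices table, where `iothubs` links to the same `iot-hub-how-to-clone.md` article, and its only row has `**pending**` for Resource group and Subscription. Either drop the section or fill in confirmed values, so readers do not see two entries for IoT hubs that disagree (Yes/Yes in one table, pending in the other).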
## Microsoft.IoTSpaces > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | graph | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region Move |
+> | - | -- | - | -- |
+> | graph | Yes | Yes | No |
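Review bot: the header cell in the Microsoft.IoTSpaces table reads `Region Move`, while the other tables in this change use `Region move`; use the same capitalisation.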
## Microsoft.KeyVault
Jump to a resource provider namespace:
> Key Vaults used for disk encryption can't be moved to a resource group in the same subscription or across subscriptions. > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | deletedvaults | No | No |
-> | hsmpools | No | No |
-> | managedhsms | No | No |
-> | vaults | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | deletedvaults | No | No | No |
+> | hsmpools | No | No | No |
+> | managedhsms | No | No | No |
+> | vaults | Yes | Yes | No |
## Microsoft.Kubernetes > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | connectedclusters | Yes | Yes |
-> | registeredsubscriptions | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | connectedclusters | Yes | Yes | No |
+> | registeredsubscriptions | No | No | No |
## Microsoft.KubernetesConfiguration > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | sourcecontrolconfigurations | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | sourcecontrolconfigurations | No | No | No |
## Microsoft.Kusto > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | clusters | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | clusters | Yes | Yes | No |
## Microsoft.LabServices > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | labaccounts | No | No |
-> | users | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | labaccounts | No | No | No |
+> | users | No | No | No |
## Microsoft.LocationBasedServices > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | accounts | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | accounts | No | No | No |
## Microsoft.LocationServices > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | accounts | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | accounts | No | No | No, it's a global service. |
## Microsoft.Logic > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | hostingenvironments | No | No |
-> | integrationaccounts | Yes | Yes |
-> | integrationserviceenvironments | Yes | No |
-> | integrationserviceenvironments / managedapis | Yes | No |
-> | isolatedenvironments | No | No |
-> | workflows | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | hostingenvironments | No | No | No |
+> | integrationaccounts | Yes | Yes | No |
+> | integrationserviceenvironments | Yes | No | No |
+> | integrationserviceenvironments / managedapis | Yes | No | No |
+> | isolatedenvironments | No | No | No |
+> | workflows | Yes | Yes | No |
## Microsoft.MachineLearning > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | commitmentplans | No | No |
-> | webservices | Yes | No |
-> | workspaces | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | commitmentplans | No | No | No |
+> | webservices | Yes | No | No |
+> | workspaces | Yes | Yes | No |
## Microsoft.MachineLearningCompute > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | operationalizationclusters | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | operationalizationclusters | No | No | No |
## Microsoft.MachineLearningExperimentation > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | accounts | No | No |
-> | teamaccounts | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | accounts | No | No | No |
+> | teamaccounts | No | No | No |
## Microsoft.MachineLearningModelManagement > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | accounts | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | accounts | No | No | No |
## Microsoft.MachineLearningServices > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | workspaces | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | workspaces | No | No | No |
## Microsoft.Maintenance > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | configurationassignments | No | No |
-> | maintenanceconfigurations | Yes | Yes |
-> | updates | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | configurationassignments | No | No | Yes. [Learn more](../../virtual-machines/move-region-maintenance-configuration.md) |
+> | maintenanceconfigurations | Yes | Yes | Yes. [Learn more](../../virtual-machines/move-region-maintenance-configuration-resources.md) |
+> | updates | No | No | No |
## Microsoft.ManagedIdentity > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | identities | No | No |
-> | userassignedidentities | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | identities | No | No | No |
+> | userassignedidentities | No | No | No |
## Microsoft.ManagedNetwork > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | managednetworks | No | No |
-> | managednetworks / managednetworkgroups | No | No |
-> | managednetworks / managednetworkpeeringpolicies | No | No |
-> | notification | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | managednetworks | No | No | No |
+> | managednetworks / managednetworkgroups | No | No | No |
+> | managednetworks / managednetworkpeeringpolicies | No | No | No |
+> | notification | No | No | No |
## Microsoft.ManagedServices > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | marketplaceregistrationdefinitions | No | No |
-> | registrationassignments | No | No |
-> | registrationdefinitions | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | marketplaceregistrationdefinitions | No | No | No |
+> | registrationassignments | No | No | No |
+> | registrationdefinitions | No | No | No |
## Microsoft.Management > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | getentities | No | No |
-> | managementgroups | No | No |
-> | managementgroups / settings | No | No |
-> | resources | No | No |
-> | starttenantbackfill | No | No |
-> | tenantbackfillstatus | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | getentities | No | No | No |
+> | managementgroups | No | No | No |
+> | managementgroups / settings | No | No | No |
+> | resources | No | No | No |
+> | starttenantbackfill | No | No | No |
+> | tenantbackfillstatus | No | No | No |
## Microsoft.Maps > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | accounts | Yes | Yes |
-> | accounts / privateatlases | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | accounts | Yes | Yes | No, Azure Maps is a geospatial service. |
+> | accounts / privateatlases | Yes | Yes | No |
## Microsoft.Marketplace > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | offers | No | No |
-> | offertypes | No | No |
-> | privategalleryitems | No | No |
-> | privatestoreclient | No | No |
-> | privatestores | No | No |
-> | products | No | No |
-> | publishers | No | No |
-> | register | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | offers | No | No | No |
+> | offertypes | No | No | No |
+> | privategalleryitems | No | No | No |
+> | privatestoreclient | No | No | No |
+> | privatestores | No | No | No |
+> | products | No | No | No |
+> | publishers | No | No | No |
+> | register | No | No | No |
## Microsoft.MarketplaceApps > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | classicdevservices | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | classicdevservices | No | No | No |
## Microsoft.MarketplaceOrdering > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | agreements | No | No |
-> | offertypes | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | agreements | No | No | No |
+> | offertypes | No | No | No |
## Microsoft.Media > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | mediaservices | Yes | Yes |
-> | mediaservices / liveevents | Yes | Yes |
-> | mediaservices / streamingendpoints | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | mediaservices | Yes | Yes | No |
+> | mediaservices / liveevents | Yes | Yes | No |
+> | mediaservices / streamingendpoints | Yes | Yes | No |
## Microsoft.Microservices4Spring > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | appclusters | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | appclusters | No | No | No |
## Microsoft.Migrate > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | assessmentprojects | No | No |
-> | migrateprojects | No | No |
-> | movecollections | No | No |
-> | projects | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | assessmentprojects | No | No | No |
+> | migrateprojects | No | No | No |
+> | movecollections | No | No | No |
+> | projects | No | No | No |
## Microsoft.MixedReality > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | holographicsbroadcastaccounts | No | No |
-> | objectunderstandingaccounts | No | No |
-> | remoterenderingaccounts | Yes | Yes |
-> | spatialanchorsaccounts | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | - |
+> | holographicsbroadcastaccounts | No | No | No |
+> | objectunderstandingaccounts | No | No | No |
+> | remoterenderingaccounts | Yes | Yes | No |
+> | spatialanchorsaccounts | Yes | Yes | No |
## Microsoft.NetApp > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | netappaccounts | No | No |
-> | netappaccounts / capacitypools | No | No |
-> | netappaccounts / capacitypools / volumes | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | netappaccounts | No | No | No |
+> | netappaccounts / capacitypools | No | No | No |
+> | netappaccounts / capacitypools / volumes | No | No | No |
+> | netappaccounts / capacitypools / volumes / mounttargets | No | No | No |
+> | netappaccounts / capacitypools / volumes / snapshots | No | No | No |
## Microsoft.Network
Jump to a resource provider namespace:
> See [Networking move guidance](./move-limitations/networking-move-limitations.md). > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | applicationgateways | No | No |
-> | applicationgatewaywebapplicationfirewallpolicies | No | No |
-> | applicationsecuritygroups | Yes | Yes |
-> | azurefirewalls | No | No |
-> | bastionhosts | No | No |
-> | bgpservicecommunities | No | No |
-> | connections | Yes | Yes |
-> | ddoscustompolicies | Yes | Yes |
-> | ddosprotectionplans | No | No |
-> | dnszones | Yes | Yes |
-> | expressroutecircuits | No | No |
-> | expressroutegateways | No | No |
-> | expressrouteserviceproviders | No | No |
-> | firewallpolicies | Yes | Yes |
-> | frontdoors | No | No |
-> | ipallocations | Yes | Yes |
-> | ipgroups | Yes | Yes |
-> | loadbalancers | Yes - Basic SKU<br> Yes - Standard SKU | Yes - Basic SKU<br>No - Standard SKU |
-> | localnetworkgateways | Yes | Yes |
-> | natgateways | No | No |
-> | networkexperimentprofiles | No | No |
-> | networkintentpolicies | Yes | Yes |
-> | networkinterfaces | Yes | Yes |
-> | networkprofiles | No | No |
-> | networksecuritygroups | Yes | Yes |
-> | networkwatchers | No | No |
-> | networkwatchers / connectionmonitors | Yes | No |
-> | networkwatchers / flowlogs | Yes | No |
-> | networkwatchers / pingmeshes | Yes | No |
-> | p2svpngateways | No | No |
-> | privatednszones | Yes | Yes |
-> | privatednszones / virtualnetworklinks | Yes | Yes |
-> | privatednszonesinternal | No | No |
-> | privateendpointredirectmaps | No | No |
-> | privateendpoints | No | No |
-> | privatelinkservices | No | No |
-> | publicipaddresses | Yes - Basic SKU<br>Yes - Standard SKU | Yes - Basic SKU<br>No - Standard SKU |
-> | publicipprefixes | Yes | Yes |
-> | routefilters | No | No |
-> | routetables | Yes | Yes |
-> | securitypartnerproviders | Yes | Yes |
-> | serviceendpointpolicies | Yes | Yes |
-> | trafficmanagergeographichierarchies | No | No |
-> | trafficmanagerprofiles | Yes | Yes |
-> | trafficmanagerprofiles / heatmaps | No | No |
-> | trafficmanagerusermetricskeys | No | No |
-> | virtualhubs | No | No |
-> | virtualnetworkgateways | Yes | Yes |
-> | virtualnetworks | Yes | Yes |
-> | virtualnetworktaps | No | No |
-> | virtualrouters | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | applicationgateways | No | No | No |
+> | applicationgatewaywebapplicationfirewallpolicies | No | No | No |
+> | applicationsecuritygroups | Yes | Yes | No |
+> | azurefirewalls | No | No | No |
+> | bastionhosts | No | No | No |
+> | bgpservicecommunities | No | No | No |
+> | connections | Yes | Yes | No |
+> | ddoscustompolicies | Yes | Yes | No |
+> | ddosprotectionplans | No | No | No |
+> | dnszones | Yes | Yes | No |
+> | expressroutecircuits | No | No | No |
+> | expressroutegateways | No | No | No |
+> | expressrouteserviceproviders | No | No | No |
+> | firewallpolicies | Yes | Yes | No |
+> | frontdoors | No | No | No |
+> | ipallocations | Yes | Yes | No |
+> | ipgroups | Yes | Yes | No |
+> | loadbalancers | Yes - Basic SKU<br> Yes - Standard SKU | Yes - Basic SKU<br>No - Standard SKU | Yes <br/><br/> Use [Azure Resource Mover](../../resource-mover/tutorial-move-region-virtual-machines.md) to move internal and external load balancers. |
+> | localnetworkgateways | Yes | Yes | No |
+> | natgateways | No | No | No |
+> | networkexperimentprofiles | No | No | No |
+> | networkintentpolicies | Yes | Yes | No |
+> | networkinterfaces | Yes | Yes | Yes <br/><br/> Use [Azure Resource Mover](../../resource-mover/tutorial-move-region-virtual-machines.md) to move NICs. |
+> | networkprofiles | No | No | No |
+> | networksecuritygroups | Yes | Yes | Yes <br/><br/> Use [Azure Resource Mover](../../resource-mover/tutorial-move-region-virtual-machines.md) to move network security groups (NGSs). |
+> | networkwatchers | No | No | No |
+> | networkwatchers / connectionmonitors | Yes | No | No |
+> | networkwatchers / flowlogs | Yes | No | No |
+> | networkwatchers / pingmeshes | Yes | No | No |
+> | p2svpngateways | No | No | No |
+> | privatednszones | Yes | Yes | No |
+> | privatednszones / virtualnetworklinks | Yes | Yes | No |
+> | privatednszonesinternal | No | No | No |
+> | privateendpointredirectmaps | No | No | No |
+> | privateendpoints | No | No | No |
+> | privatelinkservices | No | No | No |
+> | publicipaddresses | Yes - Basic SKU<br>Yes - Standard SKU | Yes - Basic SKU<br>No - Standard SKU | Yes<br/><br/> Use [Azure Resource Mover](../../resource-mover/tutorial-move-region-virtual-machines.md) to move public IP addresses. |
+> | publicipprefixes | Yes | Yes | No |
+> | routefilters | No | No | No |
+> | routetables | Yes | Yes | No |
+> | securitypartnerproviders | Yes | Yes | No |
+> | serviceendpointpolicies | Yes | Yes | No |
+> | trafficmanagergeographichierarchies | No | No | No |
+> | trafficmanagerprofiles | Yes | Yes | No |
+> | trafficmanagerprofiles / heatmaps | No | No | No |
+> | trafficmanagerusermetricskeys | No | No | No |
+> | virtualhubs | No | No | No |
+> | virtualnetworkgateways | Yes | Yes | No |
+> | virtualnetworks | Yes | Yes | No |
+> | virtualnetworktaps | No | No | No |
+> | virtualrouters | Yes | Yes | No |
> | virtualwans | No | No |
-> | vpngateways (Virtual WAN) | No | No |
-> | vpnserverconfigurations | No | No |
-> | vpnsites (Virtual WAN) | No | No |
+> | vpngateways (Virtual WAN) | No | No | No |
+> | vpnserverconfigurations | No | No | No |
+> | vpnsites (Virtual WAN) | No | No | No |
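Review bot: In the networksecuritygroups row the abbreviation is written "(NGSs)"; it should be "(NSGs)". The unchanged `virtualwans` row also still has three cells (`> | virtualwans | No | No |`) while the header now has four columns, so it needs a Region move value like the rows around it.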
## Microsoft.NotificationHubs > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | namespaces | Yes | Yes |
-> | namespaces / notificationhubs | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | namespaces | Yes | Yes | No |
+> | namespaces / notificationhubs | Yes | Yes | No |
## Microsoft.ObjectStore > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | osnamespaces | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | osnamespaces | Yes | Yes | No |
## Microsoft.OffAzure > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | hypervsites | No | No |
-> | importsites | No | No |
-> | serversites | No | No |
-> | vmwaresites | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | hypervsites | No | No | No |
+> | importsites | No | No | No |
+> | serversites | No | No | No |
+> | vmwaresites | No | No | No |
## Microsoft.OperationalInsights
Jump to a resource provider namespace:
> Workspaces that have a linked automation account can't be moved. Before you begin a move operation, be sure to unlink any automation accounts. > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | clusters | No | No |
-> | deletedworkspaces | No | No |
-> | linktargets | No | No |
-> | storageinsightconfigs | No | No |
-> | workspaces | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | clusters | No | No | No |
+> | deletedworkspaces | No | No | No |
+> | linktargets | No | No | No |
+> | storageinsightconfigs | No | No | No |
+> | workspaces | Yes | Yes | No |
## Microsoft.OperationsManagement > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | managementassociations | No | No |
-> | managementconfigurations | Yes | Yes |
-> | solutions | Yes | Yes |
-> | views | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | managementassociations | No | No | No |
+> | managementconfigurations | Yes | Yes | No |
+> | solutions | Yes | Yes | No |
+> | views | Yes | Yes | No |
## Microsoft.Peering > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | legacypeerings | No | No |
-> | peerasns | No | No |
-> | peeringlocations | No | No |
-> | peerings | No | No |
-> | peeringservicecountries | No | No |
-> | peeringservicelocations | No | No |
-> | peeringserviceproviders | No | No |
-> | peeringservices | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | legacypeerings | No | No | No |
+> | peerasns | No | No | No |
+> | peeringlocations | No | No | No |
+> | peerings | No | No | No |
+> | peeringservicecountries | No | No | No |
+> | peeringservicelocations | No | No | No |
+> | peeringserviceproviders | No | No | No |
+> | peeringservices | No | No | No |
## Microsoft.PolicyInsights > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | policyevents | No | No |
-> | policystates | No | No |
-> | policytrackedresources | No | No |
-> | remediations | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | policyevents | No | No | No |
+> | policystates | No | No | No |
+> | policytrackedresources | No | No | No |
+> | remediations | No | No | No |
## Microsoft.Portal > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | consoles | No | No |
-> | dashboards | Yes | Yes |
-> | usersettings | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | consoles | No | No | No |
+> | dashboards | Yes | Yes | No |
+> | usersettings | No | No | No |
## Microsoft.PowerBI > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | workspacecollections | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | workspacecollections | Yes | Yes | No |
## Microsoft.PowerBIDedicated > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | capacities | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | capacities | Yes | Yes | No |
## Microsoft.ProjectBabylon > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | accounts | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | - |
+> | accounts | No | No | No |
+
+## Microsoft.Purview
+
+> [!div class="mx-tableFixed"]
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | - |
+> | accounts | **pending** | **pending** | No |
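Review bot: The new Microsoft.Purview section sits between Microsoft.ProjectBabylon and Microsoft.ProviderHub, which breaks the alphabetical order of the namespaces; it belongs after Microsoft.ProviderHub. Its accounts row gives `**pending**` for Resource group and Subscription where every other row gives Yes or No, so either state the current behaviour or say what pending means for someone planning a move. The separator rows in this table and the ProjectBabylon table use `| - | -- | - | - |`, while the rest of the change uses `| - | -- | - | -- |`.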
## Microsoft.ProviderHub > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | availableaccounts | No | No |
-> | providerregistrations | No | No |
-> | rollouts | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | availableaccounts | No | No | No |
+> | providerregistrations | No | No | No |
+> | rollouts | No | No | No |
## Microsoft.Quantum > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | workspaces | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | workspaces | No | No | No |
## Microsoft.RecoveryServices
Jump to a resource provider namespace:
> See [Recovery Services move guidance](../../backup/backup-azure-move-recovery-services-vault.md?toc=/azure/azure-resource-manager/toc.json). > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | replicationeligibilityresults | No | No |
-> | vaults | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | replicationeligibilityresults | No | No | No |
+> | vaults | Yes | Yes | No.<br/><br/> Moving Recovery Services vaults for Azure Backup across Azure regions isn't supported.<br/><br/> In Recovery Services vaults for Azure Site Recovery, you can [disable and recreate the vault](../../site-recovery/move-vaults-across-regions.md) in the target region. |
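Review bot: The vaults Region move cell starts with "No." (trailing period) where every other cell in the change uses a bare "No" or "Yes"; drop the period so the leading value stays consistent, and keep the Azure Backup and Site Recovery guidance after the line breaks as it is.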
## Microsoft.RedHatOpenShift > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | openshiftclusters | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | openshiftclusters | No | No | No |
## Microsoft.Relay > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | namespaces | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | namespaces | Yes | Yes | No |
## Microsoft.ResourceGraph > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | queries | Yes | Yes |
-> | resourcechangedetails | No | No |
-> | resourcechanges | No | No |
-> | resources | No | No |
-> | resourceshistory | No | No |
-> | subscriptionsstatus | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | queries | Yes | Yes | No |
+> | resourcechangedetails | No | No | No |
+> | resourcechanges | No | No | No |
+> | resources | No | No | No |
+> | resourceshistory | No | No | No |
+> | subscriptionsstatus | No | No | No |
## Microsoft.ResourceHealth > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | childresources | No | No |
-> | emergingissues | No | No |
-> | events | No | No |
-> | metadata | No | No |
-> | notifications | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | childresources | No | No | No |
+> | emergingissues | No | No | No |
+> | events | No | No | No |
+> | metadata | No | No | No |
+> | notifications | No | No | No |
## Microsoft.Resources > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | deployments | No | No |
-> | deploymentscripts | No | No |
-> | deploymentscripts / logs | No | No |
-> | links | No | No |
-> | providers | No | No |
-> | resourcegroups | No | No |
-> | resources | No | No |
-> | subscriptions | No | No |
-> | tags | No | No |
-> | templatespecs | No | No |
-> | templatespecs / versions | No | No |
-> | tenants | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | deployments | No | No | No |
+> | deploymentscripts | No | No | Yes<br/><br/>[Move Microsoft.Resources resources to new region](microsoft-resources-move-regions.md) |
+> | deploymentscripts / logs | No | No | No |
+> | links | No | No | No |
+> | providers | No | No | No |
+> | resourcegroups | No | No | No |
+> | resources | No | No | No |
+> | subscriptions | No | No | No |
+> | tags | No | No | No |
+> | templatespecs | No | No | Yes<br/><br/>[Move Microsoft.Resources resources to new region](microsoft-resources-move-regions.md) |
+> | templatespecs / versions | No | No | No |
+> | tenants | No | No | No |
## Microsoft.SaaS > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | applications | Yes | No |
-> | saasresources | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | applications | Yes | No | No |
+> | saasresources | No | No | No |
## Microsoft.Search
Jump to a resource provider namespace:
> You can't move several Search resources in different regions in one operation. Instead, move them in separate operations. > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | resourcehealthmetadata | No | No |
-> | searchservices | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | resourcehealthmetadata | No | No | No |
+> | searchservices | Yes | Yes | No |
## Microsoft.Security > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | adaptivenetworkhardenings | No | No |
-> | advancedthreatprotectionsettings | No | No |
-> | alerts | No | No |
-> | allowedconnections | No | No |
-> | applicationwhitelistings | No | No |
-> | assessmentmetadata | No | No |
-> | assessments | No | No |
-> | autodismissalertsrules | No | No |
-> | automations | Yes | Yes |
-> | autoprovisioningsettings | No | No |
-> | complianceresults | No | No |
-> | compliances | No | No |
-> | datacollectionagents | No | No |
-> | devicesecuritygroups | No | No |
-> | discoveredsecuritysolutions | No | No |
-> | externalsecuritysolutions | No | No |
-> | informationprotectionpolicies | No | No |
-> | iotsecuritysolutions | Yes | Yes |
-> | iotsecuritysolutions / analyticsmodels | No | No |
-> | iotsecuritysolutions / analyticsmodels / aggregatedalerts | No | No |
-> | iotsecuritysolutions / analyticsmodels / aggregatedrecommendations | No | No |
-> | jitnetworkaccesspolicies | No | No |
-> | policies | No | No |
-> | pricings | No | No |
-> | regulatorycompliancestandards | No | No |
-> | regulatorycompliancestandards / regulatorycompliancecontrols | No | No |
-> | regulatorycompliancestandards / regulatorycompliancecontrols / regulatorycomplianceassessments | No | No |
-> | securitycontacts | No | No |
-> | securitysolutions | No | No |
-> | securitysolutionsreferencedata | No | No |
-> | securitystatuses | No | No |
-> | securitystatusessummaries | No | No |
-> | servervulnerabilityassessments | No | No |
-> | settings | No | No |
-> | subassessments | No | No |
-> | tasks | No | No |
-> | topologies | No | No |
-> | workspacesettings | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | adaptivenetworkhardenings | No | No | No |
+> | advancedthreatprotectionsettings | No | No | No |
+> | alerts | No | No | No |
+> | allowedconnections | No | No | No |
+> | applicationwhitelistings | No | No | No |
+> | assessmentmetadata | No | No | No |
+> | assessments | No | No | No |
+> | autodismissalertsrules | No | No | No |
+> | automations | Yes | Yes | No |
+> | autoprovisioningsettings | No | No | No |
+> | complianceresults | No | No | No |
+> | compliances | No | No | No |
+> | datacollectionagents | No | No | No |
+> | devicesecuritygroups | No | No | No |
+> | discoveredsecuritysolutions | No | No | No |
+> | externalsecuritysolutions | No | No | No |
+> | informationprotectionpolicies | No | No | No |
+> | iotsecuritysolutions | Yes | Yes | No |
+> | iotsecuritysolutions / analyticsmodels | No | No | No |
+> | iotsecuritysolutions / analyticsmodels / aggregatedalerts | No | No | No |
+> | iotsecuritysolutions / analyticsmodels / aggregatedrecommendations | No | No | No |
+> | jitnetworkaccesspolicies | No | No | No |
+> | policies | No | No | No |
+> | pricings | No | No | No |
+> | regulatorycompliancestandards | No | No | No |
+> | regulatorycompliancestandards / regulatorycompliancecontrols | No | No | No |
+> | regulatorycompliancestandards / regulatorycompliancecontrols / regulatorycomplianceassessments | No | No | No |
+> | securitycontacts | No | No | No |
+> | securitysolutions | No | No | No |
+> | securitysolutionsreferencedata | No | No | No |
+> | securitystatuses | No | No | No |
+> | securitystatusessummaries | No | No | No |
+> | servervulnerabilityassessments | No | No | No |
+> | settings | No | No | No |
+> | subassessments | No | No | No |
+> | tasks | No | No | No |
+> | topologies | No | No | No |
+> | workspacesettings | No | No | No |
## Microsoft.SecurityInsights > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | aggregations | No | No |
-> | alertrules | No | No |
-> | alertruletemplates | No | No |
-> | automationrules | No | No |
-> | bookmarks | No | No |
-> | cases | No | No |
-> | dataconnectors | No | No |
-> | entities | No | No |
-> | entityqueries | No | No |
-> | incidents | No | No |
-> | officeconsents | No | No |
-> | settings | No | No |
-> | threatintelligence | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | aggregations | No | No | No |
+> | alertrules | No | No | No |
+> | alertruletemplates | No | No | No |
+> | automationrules | No | No | No |
+> | bookmarks | No | No | No |
+> | cases | No | No | No |
+> | dataconnectors | No | No | No |
+> | entities | No | No | No |
+> | entityqueries | No | No | No |
+> | incidents | No | No | No |
+> | officeconsents | No | No | No |
+> | settings | No | No | No |
+> | threatintelligence | No | No | No |
## Microsoft.SerialConsole > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | consoleservices | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | consoleservices | No | No | No |
## Microsoft.ServerManagement > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | gateways | No | No |
-> | nodes | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | gateways | No | No | No |
+> | nodes | No | No | No |
## Microsoft.ServiceBus > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | namespaces | Yes | Yes |
-> | premiummessagingregions | No | No |
-> | sku | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | namespaces | Yes | Yes | No |
+> | premiummessagingregions | No | No | No |
+> | sku | No | No | No |
## Microsoft.ServiceFabric > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | applications | No | No |
-> | clusters | Yes | Yes |
-> | containergroups | No | No |
-> | containergroupsets | No | No |
-> | edgeclusters | No | No |
-> | managedclusters | No | No |
-> | networks | No | No |
-> | secretstores | No | No |
-> | volumes | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | applications | No | No | No |
+> | clusters | Yes | Yes | No |
+> | containergroups | No | No | No |
+> | containergroupsets | No | No | No |
+> | edgeclusters | No | No | No |
+> | managedclusters | No | No | No |
+> | networks | No | No | No |
+> | secretstores | No | No | No |
+> | volumes | No | No | No |
## Microsoft.ServiceFabricMesh > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | applications | Yes | Yes |
-> | containergroups | No | No |
-> | gateways | Yes | Yes |
-> | networks | Yes | Yes |
-> | secrets | Yes | Yes |
-> | volumes | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | applications | Yes | Yes | No |
+> | containergroups | No | No | No |
+> | gateways | Yes | Yes | No |
+> | networks | Yes | Yes | No |
+> | secrets | Yes | Yes | No |
+> | volumes | Yes | Yes | No |
## Microsoft.Services > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | rollouts | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | rollouts | No | No | No |
## Microsoft.SignalRService > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | signalr | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | signalr | Yes | Yes | No |
## Microsoft.SoftwarePlan > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | hybridusebenefits | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | hybridusebenefits | No | No | No |
## Microsoft.Solutions > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | applicationdefinitions | No | No |
-> | applications | No | No |
-> | jitrequests | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | applicationdefinitions | No | No | No |
+> | applications | No | No | No |
+> | jitrequests | No | No | No |
## Microsoft.Sql
Jump to a resource provider namespace:
> A database and server must be in the same resource group. When you move a SQL server, all its databases are also moved. This behavior applies to Azure SQL Database and Azure Synapse Analytics databases. > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | instancepools | No | No |
-> | locations | Yes | Yes |
-> | managedinstances | No | No |
-> | servers | Yes | Yes |
-> | servers / databases | Yes | Yes |
-> | servers / databases / backuplongtermretentionpolicies | Yes | Yes |
-> | servers / elasticpools | Yes | Yes |
-> | servers / jobaccounts | Yes | Yes |
-> | servers / jobagents | Yes | Yes |
-> | virtualclusters | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | instancepools | No | No | No |
+> | locations | Yes | Yes | No |
+> | managedinstances | No | No | Yes <br/><br/> [Learn more](../../azure-sql/database/move-resources-across-regions.md) about moving managed instances across regions. |
+> | managedinstances / databases | No | No | Yes |
+> | servers | Yes | Yes |Yes |
+> | servers / databases | Yes | Yes | Yes <br/><br/> [Learn more](../../azure-sql/database/move-resources-across-regions.md) about moving databases across regions.<br/><br/> [Learn more](../../resource-mover/tutorial-move-region-sql.md) about using Azure Resource Mover to move Azure SQL databases. |
+> | servers / databases / backuplongtermretentionpolicies | Yes | Yes | No |
+> | servers / elasticpools | Yes | Yes | Yes <br/><br/> [Learn more](../../azure-sql/database/move-resources-across-regions.md) about moving elastic pools across regions.<br/><br/> [Learn more](../../resource-mover/tutorial-move-region-sql.md) about using Azure Resource Mover to move Azure SQL elastic pools. |
+> | servers / jobaccounts | Yes | Yes | No |
+> | servers / jobagents | Yes | Yes | No |
+> | virtualclusters | Yes | Yes | Yes |
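Review bot: The `servers`, `managedinstances / databases` and `virtualclusters` rows mark Region move as Yes with no link or guidance, while the other Yes rows in this table point to a move article; add the reference or confirm the value for each. The `servers` row is also missing a space before its last cell (`|Yes |`).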
## Microsoft.SqlVirtualMachine > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | sqlvirtualmachinegroups | Yes | Yes |
-> | sqlvirtualmachines | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | sqlvirtualmachinegroups | Yes | Yes | No |
+> | sqlvirtualmachines | Yes | Yes | No |
## Microsoft.Storage > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | storageaccounts | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | storageaccounts | Yes | Yes | Yes<br/><br/> [Move an Azure Storage account to another region](../../storage/common/storage-account-move.md) |
## Microsoft.StorageCache > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | caches | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | caches | No | No | No |
## Microsoft.StorageSync > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | storagesyncservices | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | storagesyncservices | Yes | Yes | No |
## Microsoft.StorageSyncDev > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | storagesyncservices | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | storagesyncservices | No | No | No |
## Microsoft.StorageSyncInt > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | storagesyncservices | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | storagesyncservices | No | No | No |
## Microsoft.StorSimple > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | managers | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | managers | No | No | No |
## Microsoft.StreamAnalytics
Jump to a resource provider namespace:
> Stream Analytics jobs can't be moved when in running state. > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | clusters | No | No |
-> | streamingjobs | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | clusters | No | No | No |
+> | streamingjobs | Yes | Yes | No |
## Microsoft.StreamAnalyticsExplorer > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | environments | No | No |
-> | instances | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | environments | No | No | No |
+> | instances | No | No | No |
## Microsoft.Subscription > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | subscriptions | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | subscriptions | No | No | No |
-## microsoft.support
+## Microsoft.Support
> [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | services | No | No |
-> | supporttickets | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | services | No | No | No |
+> | supporttickets | No | No | No |
## Microsoft.Synapse > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | workspaces | No | No |
-> | workspaces / bigdatapools | No | No |
-> | workspaces / sqlpools | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | workspaces | No | No | No |
+> | workspaces / bigdatapools | No | No | No |
+> | workspaces / sqlpools | No | No | No |
## Microsoft.TimeSeriesInsights > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | environments | Yes | Yes |
-> | environments / eventsources | Yes | Yes |
-> | environments / referencedatasets | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | environments | Yes | Yes | No |
+> | environments / eventsources | Yes | Yes | No |
+> | environments / referencedatasets | Yes | Yes | No |
## Microsoft.Token > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | stores | Yes | Yes |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | stores | Yes | Yes | No |
## Microsoft.VirtualMachineImages > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | imagetemplates | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | imagetemplates | No | No | No |
-## microsoft.visualstudio
+## Microsoft.VisualStudio
> [!IMPORTANT] > To change the subscription for Azure DevOps, see [change the Azure subscription used for billing](/azure/devops/organizations/billing/change-azure-subscription?toc=/azure/azure-resource-manager/toc.json). > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | account | No | No |
-> | account / extension | No | No |
-> | account / project | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | account | No | No | No |
+> | account / extension | No | No | No |
+> | account / project | No | No | No |
## Microsoft.VMware > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | arczones | No | No |
-> | resourcepools | No | No |
-> | vcenters | No | No |
-> | virtualmachines | No | No |
-> | virtualmachinetemplates | No | No |
-> | virtualnetworks | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | arczones | No | No | No |
+> | resourcepools | No | No | No |
+> | vcenters | No | No | No |
+> | virtualmachines | No | No | No |
+> | virtualmachinetemplates | No | No | No |
+> | virtualnetworks | No | No | No |
## Microsoft.VMwareCloudSimple > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | dedicatedcloudnodes | No | No |
-> | dedicatedcloudservices | No | No |
-> | virtualmachines | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | dedicatedcloudnodes | No | No | No |
+> | dedicatedcloudservices | No | No | No |
+> | virtualmachines | No | No | No |
## Microsoft.VnfManager > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | devices | No | No |
-> | vnfs | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | devices | No | No | No |
+> | vnfs | No | No | No |
## Microsoft.VSOnline > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | accounts | No | No |
-> | plans | No | No |
-> | registeredsubscriptions | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | accounts | No | No | No |
+> | plans | No | No | No |
+> | registeredsubscriptions | No | No | No |
## Microsoft.Web
Jump to a resource provider namespace:
> See [App Service move guidance](./move-limitations/app-service-move-limitations.md). > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | availablestacks | No | No |
-> | billingmeters | No | No |
-> | certificates | No | Yes |
-> | connectiongateways | Yes | Yes |
-> | connections | Yes | Yes |
-> | customapis | Yes | Yes |
-> | deletedsites | No | No |
-> | deploymentlocations | No | No |
-> | georegions | No | No |
-> | hostingenvironments | No | No |
-> | kubeenvironments | Yes | Yes |
-> | publishingusers | No | No |
-> | recommendations | No | No |
-> | resourcehealthmetadata | No | No |
-> | runtimes | No | No |
-> | serverfarms | Yes | Yes |
-> | serverfarms / eventgridfilters | No | No |
-> | sites | Yes | Yes |
-> | sites / premieraddons | Yes | Yes |
-> | sites / slots | Yes | Yes |
-> | sourcecontrols | No | No |
-> | staticsites | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | availablestacks | No | No | No |
+> | billingmeters | No | No | No |
+> | certificates | No | Yes | No |
+> | connectiongateways | Yes | Yes | No |
+> | connections | Yes | Yes | No |
+> | customapis | Yes | Yes | No |
+> | deletedsites | No | No | No |
+> | deploymentlocations | No | No | No |
+> | georegions | No | No | No |
+> | hostingenvironments | No | No | No |
+> | kubeenvironments | Yes | Yes | No |
+> | publishingusers | No | No | No |
+> | recommendations | No | No | No |
+> | resourcehealthmetadata | No | No | No |
+> | runtimes | No | No | No |
+> | serverfarms | Yes | Yes | No |
+> | serverfarms / eventgridfilters | No | No | No |
+> | sites | Yes | Yes | No |
+> | sites / premieraddons | Yes | Yes | No |
+> | sites / slots | Yes | Yes | No |
+> | sourcecontrols | No | No | No |
+> | staticsites | No | No | No |
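Review bot: The new Region move column marks `sites`, `sites / slots` and `serverfarms` as a flat "No", yet the region-move article deleted in this same change linked a template-based guide, "Move an App Service app to another region" (`../../app-service/manage-move-across-regions.md`, listed there under Microsoft.AppService `apiapps`). The note above this table points only to the App Service guidance for resource group and subscription moves. If the template-based path still applies to these types, carry that link into the Region move cell or extend the note, so the merged table does not lose guidance the old article had.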
## Microsoft.WindowsESU > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | multipleactivationkeys | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | multipleactivationkeys | No | No | No |
## Microsoft.WindowsIoT > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | deviceservices | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | deviceservices | No | No | No |
## Microsoft.WorkloadBuilder > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | workloads | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | workloads | No | No | No |
## Microsoft.WorkloadMonitor > [!div class="mx-tableFixed"]
-> | Resource type | Resource group | Subscription |
-> | - | -- | - |
-> | components | No | No |
-> | componentssummary | No | No |
-> | monitorinstances | No | No |
-> | monitorinstancessummary | No | No |
-> | monitors | No | No |
+> | Resource type | Resource group | Subscription | Region move |
+> | - | -- | - | -- |
+> | components | No | No | No |
+> | componentssummary | No | No | No |
+> | monitorinstances | No | No | No |
+> | monitorinstancessummary | No | No | No |
+> | monitors | No | No | No |
## Third-party services
Third-party services currently don't support the move operation.
## Next steps
-For commands to move resources, see [Move resources to new resource group or subscription](move-resource-group-and-subscription.md).
-
-To get the same data as a file of comma-separated values, download [move-support-resources.csv](https://github.com/tfitzmac/resource-capabilities/blob/master/move-support-resources.csv).
+- For commands to move resources, see [Move resources to new resource group or subscription](move-resource-group-and-subscription.md).
+- [Learn more](../../resource-mover/overview.md) about the Resource Mover service.
+- To get the same data as a file of comma-separated values, download [move-support-resources.csv](https://github.com/tfitzmac/resource-capabilities/blob/master/move-support-resources.csv).
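Review bot: The last bullet still says the CSV holds "the same data", but every table in this article now has a fourth Region move column. Confirm that move-support-resources.csv includes that column, or reword the bullet to say the file covers only resource group and subscription moves. As a style point, the new Resource Mover bullet would read better with the link on descriptive text such as "Resource Mover service" rather than on "Learn more".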
azure-resource-manager Region Move Support https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/region-move-support.md
- Title: Support for moving Azure resources across regions
-description: Lists the Azure resource types that can be moved across Azure regions
--- Previously updated : 08/25/2020---
-# Support for moving Azure resources across regions
-
-This article confirms whether an Azure resource type is supported for moving to another Azure region.
-
-Jump to a resource provider namespace:
-> [!div class="op_single_selector"]
-> - [Microsoft.AAD](#microsoftaad)
-> - [microsoft.aadiam](#microsoftaadiam)
-> - [Microsoft.Addons](#microsoftaddons)
-> - [Microsoft.ADHybridHealthService](#microsoftadhybridhealthservice)
-> - [Microsoft.Advisor](#microsoftadvisor)
-> - [Microsoft.AlertsManagement](#microsoftalertsmanagement)
-> - [Microsoft.AnalysisServices](#microsoftanalysisservices)
-> - [Microsoft.ApiManagement](#microsoftapimanagement)
-> - [Microsoft.AppConfiguration](#microsoftappconfiguration)
-> - [Microsoft.AppPlatform](#microsoftappplatform)
-> - [Microsoft.AppService](#microsoftappservice)
-> - [Microsoft.Attestation](#microsoftattestation)
-> - [Microsoft.Authorization](#microsoftauthorization)
-> - [Microsoft.Automation](#microsoftautomation)
-> - [Microsoft.AVS](#microsoftavs)
-> - [Microsoft.AzureActiveDirectory](#microsoftazureactivedirectory)
-> - [Microsoft.AzureData](#microsoftazuredata)
-> - [Microsoft.AzureStack](#microsoftazurestack)
-> - [Microsoft.AzureStackHCI](#microsoftazurestackhci)
-> - [Microsoft.Batch](#microsoftbatch)
-> - [Microsoft.Billing](#microsoftbilling)
-> - [Microsoft.BingMaps](#microsoftbingmaps)
-> - [Microsoft.BizTalkServices](#microsoftbiztalkservices)
-> - [Microsoft.Blockchain](#microsoftblockchain)
-> - [Microsoft.BlockchainTokens](#microsoftblockchaintokens)
-> - [Microsoft.Blueprint](#microsoftblueprint)
-> - [Microsoft.BotService](#microsoftbotservice)
-> - [Microsoft.Cache](#microsoftcache)
-> - [Microsoft.Capacity](#microsoftcapacity)
-> - [Microsoft.Cdn](#microsoftcdn)
-> - [Microsoft.CertificateRegistration](#microsoftcertificateregistration)
-> - [Microsoft.ClassicCompute](#microsoftclassiccompute)
-> - [Microsoft.ClassicInfrastructureMigrate](#microsoftclassicinfrastructuremigrate)
-> - [Microsoft.ClassicNetwork](#microsoftclassicnetwork)
-> - [Microsoft.ClassicStorage](#microsoftclassicstorage)
-> - [Microsoft.ClassicSubscription](#microsoftclassicsubscription)
-> - [Microsoft.CognitiveServices](#microsoftcognitiveservices)
-> - [Microsoft.Commerce](#microsoftcommerce)
-> - [Microsoft.Compute](#microsoftcompute)
-> - [Microsoft.Consumption](#microsoftconsumption)
-> - [Microsoft.ContainerInstance](#microsoftcontainerinstance)
-> - [Microsoft.ContainerRegistry](#microsoftcontainerregistry)
-> - [Microsoft.ContainerService](#microsoftcontainerservice)
-> - [Microsoft.ContentModerator](#microsoftcontentmoderator)
-> - [Microsoft.CortanaAnalytics](#microsoftcortanaanalytics)
-> - [Microsoft.CostManagement](#microsoftcostmanagement)
-> - [Microsoft.CustomerInsights](#microsoftcustomerinsights)
-> - [Microsoft.CustomerLockbox](#microsoftcustomerlockbox)
-> - [Microsoft.CustomProviders](#microsoftcustomproviders)
-> - [Microsoft.DataBox](#microsoftdatabox)
-> - [Microsoft.DataBoxEdge](#microsoftdataboxedge)
-> - [Microsoft.Databricks](#microsoftdatabricks)
-> - [Microsoft.DataCatalog](#microsoftdatacatalog)
-> - [Microsoft.DataConnect](#microsoftdataconnect)
-> - [Microsoft.DataExchange](#microsoftdataexchange)
-> - [Microsoft.DataFactory](#microsoftdatafactory)
-> - [Microsoft.DataLake](#microsoftdatalake)
-> - [Microsoft.DataLakeAnalytics](#microsoftdatalakeanalytics)
-> - [Microsoft.DataLakeStore](#microsoftdatalakestore)
-> - [Microsoft.DataMigration](#microsoftdatamigration)
-> - [Microsoft.DataProtection](#microsoftdataprotection)
-> - [Microsoft.DataShare](#microsoftdatashare)
-> - [Microsoft.DBforMariaDB](#microsoftdbformariadb)
-> - [Microsoft.DBforMySQL](#microsoftdbformysql)
-> - [Microsoft.DBforPostgreSQL](#microsoftdbforpostgresql)
-> - [Microsoft.DeploymentManager](#microsoftdeploymentmanager)
-> - [Microsoft.DesktopVirtualization](#microsoftdesktopvirtualization)
-> - [Microsoft.Devices](#microsoftdevices)
-> - [Microsoft.DevOps](#microsoftdevops)
-> - [Microsoft.DevSpaces](#microsoftdevspaces)
-> - [Microsoft.DevTestLab](#microsoftdevtestlab)
-> - [Microsoft.DigitalTwins](#microsoftdigitaltwins)
-> - [Microsoft.DocumentDB](#microsoftdocumentdb)
-> - [Microsoft.DomainRegistration](#microsoftdomainregistration)
-> - [Microsoft.EnterpriseKnowledgeGraph](#microsoftenterpriseknowledgegraph)
-> - [Microsoft.EventGrid](#microsofteventgrid)
-> - [Microsoft.EventHub](#microsofteventhub)
-> - [Microsoft.Experimentation](#microsoftexperimentation)
-> - [Microsoft.Falcon](#microsoftfalcon)
-> - [Microsoft.Features](#microsoftfeatures)
-> - [Microsoft.Genomics](#microsoftgenomics)
-> - [Microsoft.GuestConfiguration](#microsoftguestconfiguration)
-> - [Microsoft.HanaOnAzure](#microsofthanaonazure)
-> - [Microsoft.HardwareSecurityModules](#microsofthardwaresecuritymodules)
-> - [Microsoft.HDInsight](#microsofthdinsight)
-> - [Microsoft.HealthcareApis](#microsofthealthcareapis)
-> - [Microsoft.HybridCompute](#microsofthybridcompute)
-> - [Microsoft.HybridData](#microsofthybriddata)
-> - [Microsoft.HybridNetwork](#microsofthybridnetwork)
-> - [Microsoft.Hydra](#microsofthydra)
-> - [Microsoft.ImportExport](#microsoftimportexport)
-> - [microsoft.insights](#microsoftinsights)
-> - [Microsoft.IoTCentral](#microsoftiotcentral)
-> - [Microsoft.IoTSpaces](#microsoftiotspaces)
-> - [Microsoft.KeyVault](#microsoftkeyvault)
-> - [Microsoft.Kubernetes](#microsoftkubernetes)
-> - [Microsoft.KubernetesConfiguration](#microsoftkubernetesconfiguration)
-> - [Microsoft.Kusto](#microsoftkusto)
-> - [Microsoft.LabServices](#microsoftlabservices)
-> - [Microsoft.LocationBasedServices](#microsoftlocationbasedservices)
-> - [Microsoft.LocationServices](#microsoftlocationservices)
-> - [Microsoft.Logic](#microsoftlogic)
-> - [Microsoft.MachineLearning](#microsoftmachinelearning)
-> - [Microsoft.MachineLearningCompute](#microsoftmachinelearningcompute)
-> - [Microsoft.MachineLearningExperimentation](#microsoftmachinelearningexperimentation)
-> - [Microsoft.MachineLearningModelManagement](#microsoftmachinelearningmodelmanagement)
-> - [Microsoft.MachineLearningServices](#microsoftmachinelearningservices)
-> - [Microsoft.Maintenance](#microsoftmaintenance)
-> - [Microsoft.ManagedIdentity](#microsoftmanagedidentity)
-> - [Microsoft.ManagedNetwork](#microsoftmanagednetwork)
-> - [Microsoft.ManagedServices](#microsoftmanagedservices)
-> - [Microsoft.Management](#microsoftmanagement)
-> - [Microsoft.Maps](#microsoftmaps)
-> - [Microsoft.Marketplace](#microsoftmarketplace)
-> - [Microsoft.MarketplaceApps](#microsoftmarketplaceapps)
-> - [Microsoft.MarketplaceOrdering](#microsoftmarketplaceordering)
-> - [Microsoft.Media](#microsoftmedia)
-> - [Microsoft.Microservices4Spring](#microsoftmicroservices4spring)
-> - [Microsoft.Migrate](#microsoftmigrate)
-> - [Microsoft.MixedReality](#microsoftmixedreality)
-> - [Microsoft.NetApp](#microsoftnetapp)
-> - [Microsoft.Network](#microsoftnetwork)
-> - [Microsoft.NotificationHubs](#microsoftnotificationhubs)
-> - [Microsoft.ObjectStore](#microsoftobjectstore)
-> - [Microsoft.OffAzure](#microsoftoffazure)
-> - [Microsoft.OperationalInsights](#microsoftoperationalinsights)
-> - [Microsoft.OperationsManagement](#microsoftoperationsmanagement)
-> - [Microsoft.Peering](#microsoftpeering)
-> - [Microsoft.PolicyInsights](#microsoftpolicyinsights)
-> - [Microsoft.Portal](#microsoftportal)
-> - [Microsoft.PowerBI](#microsoftpowerbi)
-> - [Microsoft.PowerBIDedicated](#microsoftpowerbidedicated)
-> - [Microsoft.Purview](#microsoftpurview)
-> - [Microsoft.ProviderHub](#microsoftproviderhub)
-> - [Microsoft.Quantum](#microsoftquantum)
-> - [Microsoft.RecoveryServices](#microsoftrecoveryservices)
-> - [Microsoft.RedHatOpenShift](#microsoftredhatopenshift)
-> - [Microsoft.Relay](#microsoftrelay)
-> - [Microsoft.ResourceGraph](#microsoftresourcegraph)
-> - [Microsoft.ResourceHealth](#microsoftresourcehealth)
-> - [Microsoft.Resources](#microsoftresources)
-> - [Microsoft.SaaS](#microsoftsaas)
-> - [Microsoft.Search](#microsoftsearch)
-> - [Microsoft.Security](#microsoftsecurity)
-> - [Microsoft.SecurityInsights](#microsoftsecurityinsights)
-> - [Microsoft.SerialConsole](#microsoftserialconsole)
-> - [Microsoft.ServerManagement](#microsoftservermanagement)
-> - [Microsoft.ServiceBus](#microsoftservicebus)
-> - [Microsoft.ServiceFabric](#microsoftservicefabric)
-> - [Microsoft.ServiceFabricMesh](#microsoftservicefabricmesh)
-> - [Microsoft.Services](#microsoftservices)
-> - [Microsoft.SignalRService](#microsoftsignalrservice)
-> - [Microsoft.SoftwarePlan](#microsoftsoftwareplan)
-> - [Microsoft.Solutions](#microsoftsolutions)
-> - [Microsoft.Sql](#microsoftsql)
-> - [Microsoft.SqlVirtualMachine](#microsoftsqlvirtualmachine)
-> - [Microsoft.Storage](#microsoftstorage)
-> - [Microsoft.StorageCache](#microsoftstoragecache)
-> - [Microsoft.StorageSync](#microsoftstoragesync)
-> - [Microsoft.StorageSyncDev](#microsoftstoragesyncdev)
-> - [Microsoft.StorageSyncInt](#microsoftstoragesyncint)
-> - [Microsoft.StorSimple](#microsoftstorsimple)
-> - [Microsoft.StreamAnalytics](#microsoftstreamanalytics)
-> - [Microsoft.StreamAnalyticsExplorer](#microsoftstreamanalyticsexplorer)
-> - [Microsoft.Subscription](#microsoftsubscription)
-> - [microsoft.support](#microsoftsupport)
-> - [Microsoft.Synapse](#microsoftsynapse)
-> - [Microsoft.TimeSeriesInsights](#microsofttimeseriesinsights)
-> - [Microsoft.Token](#microsofttoken)
-> - [Microsoft.VirtualMachineImages](#microsoftvirtualmachineimages)
-> - [microsoft.visualstudio](#microsoftvisualstudio)
-> - [Microsoft.VMware](#microsoftvmware)
-> - [Microsoft.VMwareCloudSimple](#microsoftvmwarecloudsimple)
-> - [Microsoft.VnfManager](#microsoftvnfmanager)
-> - [Microsoft.VSOnline](#microsoftvsonline)
-> - [Microsoft.Web](#microsoftweb)
-> - [Microsoft.WindowsESU](#microsoftwindowsesu)
-> - [Microsoft.WindowsIoT](#microsoftwindowsiot)
-> - [Microsoft.WorkloadBuilder](#microsoftworkloadbuilder)
-> - [Microsoft.WorkloadMonitor](#microsoftworkloadmonitor)
-
-## Microsoft.AAD
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | domainservices | No |
--
-## microsoft.aadiam
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | diagnosticsettings | No |
-> | diagnosticsettingscategories | No |
-> | privatelinkforazuread | No |
-> | tenants | No |
-
-## microsoft.Addons
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | supportproviders | No |
-
-## Microsoft.ADHybridHealthService
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | aadsupportcases | No |
-> | addsservices | No |
-> | agents | No |
-> | anonymousapiusers | No |
-> | configuration | No |
-> | logs | No |
-> | reports | No |
-> | servicehealthmetrics | No |
-> | services | No |
-
-## Microsoft.Advisor
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | configurations | No |
-> | generaterecommendations | No |
-> | metadata | No |
-> | recommendations | No |
-> | suppressions | No |
-
-## Microsoft.AlertsManagement
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | actionrules | No |
-> | alerts | No |
-> | alertslist | No |
-> | alertsmetadata | No |
-> | alertssummary | No |
-> | alertssummarylist | No |
-> | smartdetectoralertrules | No |
-> | smartgroups | No |
-
-## Microsoft.AnalysisServices
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | servers | No |
-
-## Microsoft.ApiManagement
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | reportfeedback | No |
-> | service | Yes (using template) <br/><br/> [Move API Management across regions](../../api-management/api-management-howto-migrate.md). |
-
-## Microsoft.AppConfiguration
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | configurationstores | No |
-> | configurationstores / eventgridfilters | No |
-
-## Microsoft.AppPlatform
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | spring | No |
-
-## Microsoft.AppService
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | apiapps | Yes (using template)<br/><br/> [Move an App Service app to another region](../../app-service/manage-move-across-regions.md) |
-> | appidentities | No |
-> | gateways | No |
-
-## Microsoft.Attestation
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | attestationproviders | No |
-
-## Microsoft.Authorization
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | classicadministrators | No |
-> | dataaliases | No |
-> | denyassignments | No |
-> | elevateaccess | No |
-> | findorphanroleassignments | No |
-> | locks | No |
-> | permissions | No |
-> | policyassignments | No |
-> | policydefinitions | No |
-> | policysetdefinitions | No |
-> | privatelinkassociations | No |
-> | resourcemanagementprivatelinks | No |
-> | roleassignments | No |
-> | roleassignmentsusagemetrics | No |
-> | roledefinitions | No |
-
-## Microsoft.Automation
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | automationaccounts | Yes (using template) <br/><br/> [Using geo-replication](../../automation/automation-managing-data.md#geo-replication-in-azure-automation) |
-> | automationaccounts / configurations | No |
-> | automationaccounts / runbooks | No |
-
-## Microsoft.AVS
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move | Subscription |
-> | - | -- |
-> | privateclouds | No |
--
-## Microsoft.AzureActiveDirectory
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | b2cdirectories | No |
-> | b2ctenants | No |
-
-## Microsoft.AzureData
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | datacontrollers | No |
-> | hybriddatamanagers | No |
-> | postgresinstances | No |
-> | sqlinstances | No |
-> | sqlmanagedinstances | No |
-> | sqlserverinstances | No |
-> | sqlserverregistrations | No |
-
-## Microsoft.AzureStack
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | cloudmanifestfiles | No |
-> | registrations | No |
-
-## Microsoft.AzureStackHCI
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | clusters | No |
-
-## Microsoft.Batch
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | batchaccounts | Batch accounts can't be moved directly from one region to another, but you can use a template to export a template, modify it, and deploy the template to the new region. <br/><br/> Learn about [moving a Batch account across regions](../../batch/best-practices.md#moving-batch-accounts-across-regions) |
-
-## Microsoft.Billing
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | billingaccounts | No |
-> | billingperiods | No |
-> | billingpermissions | No |
-> | billingproperty | No |
-> | billingroleassignments | No |
-> | billingroledefinitions | No |
-> | departments | No |
-> | enrollmentaccounts | No |
-> | invoices | No |
-> | transfers | No |
-
-## Microsoft.BingMaps
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | mapapis | No |
-
-## Microsoft.BizTalkServices
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | biztalk | No |
-
-## Microsoft.Blockchain
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | blockchainmembers | No <br/><br/> The blockchain network can't have nodes in different regions.
-> | cordamembers | No |
-> | watchers | No |
-
-## Microsoft.BlockchainTokens
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | tokenservices | No |
--
-## Microsoft.Blueprint
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | blueprintassignments | No |
-> | blueprints | No |
-
-## Microsoft.BotService
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | botservices | No |
-
-## Microsoft.Cache
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | redis | No |
-> | redisenterprise | No |
-
-## Microsoft.Capacity
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | appliedreservations | No |
-> | calculateexchange | No |
-> | calculateprice | No |
-> | calculatepurchaseprice | No |
-> | catalogs | No |
-> | commercialreservationorders | No |
-> | exchange | No |
-> | reservationorders | No |
-> | reservations | No |
-> | resources | No |
-> | validatereservationorder | No |
-
-## Microsoft.Cdn
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | cdnwebapplicationfirewallpolicies | No |
-> | edgenodes | No
-> | profiles | No |
-> | profiles / endpoints | No |
-
-## Microsoft.CertificateRegistration
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | certificateorders | No |
--
-## Microsoft.ClassicCompute
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | capabilities | No |
-> | domainnames | No |
-> | quotas | No |
-> | resourcetypes | No |
-> | validatesubscriptionmoveavailability | No |
-> | virtualmachines | No
-
-## Microsoft.ClassicInfrastructureMigrate
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | classicinfrastructureresources | No |
-
-## Microsoft.ClassicNetwork
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | capabilities | No |
-> | expressroutecrossconnections | No |
-> | expressroutecrossconnections / peerings | No |
-> | gatewaysupporteddevices | No |
-> | networksecuritygroups | No |
-> | quotas | No |
-> | reservedips | No |
-> | virtualnetworks | No |
-
-## Microsoft.ClassicStorage
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | disks | No |
-> | images | No |
-> | osimages | No |
-> | osplatformimages | No |
-> | publicimages | No |
-> | quotas | No |
-> | storageaccounts | Yes |
-> | vmimages | No |
-
-## Microsoft.ClassicSubscription
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | operations | No |
-
-## Microsoft.CognitiveServices
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | accounts | No |
-> | Cognitive Search | Supported with manual steps.<br/><br/> Learn about [moving your Azure Cognitive Search service to another region](../../search/search-howto-move-across-regions.md)
-
-## Microsoft.Commerce
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | ratecard | No |
-> | usageaggregates | No |
-
-## Microsoft.Compute
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | availabilitysets | Yes <br/><br/> Use [Azure Resource Mover](../../resource-mover/tutorial-move-region-virtual-machines.md) to move availability sets. |
-> | diskaccesses | No |
-> | diskencryptionsets | No |
-> | disks | Yes <br/><br/> Use [Azure Resource Mover](../../resource-mover/tutorial-move-region-virtual-machines.md) to move Azure VMs and related disks. |
-> | galleries | No |
-> | galleries / images | No |
-> | galleries / images / versions | No |
-> | hostgroups | No |
-> | hostgroups / hosts | No |
-> | images | No |
-> | proximityplacementgroups | No |
-> | restorepointcollections | No |
-> | sharedvmimages | No |
-> | sharedvmimages / versions | No |
-> | snapshots | No |
-> | sshpublickeys | No |
-> | virtualmachines | Yes <br/><br/> Use [Azure Resource Mover](../../resource-mover/tutorial-move-region-virtual-machines.md) to move Azure VMs. |
-> | virtualmachines / extensions | No |
-> | virtualmachinescalesets | No |
-
-## Microsoft.Consumption
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | aggregatedcost | No |
-> | balances | No |
-> | budgets | No |
-> | charges | No |
-> | costtags | No |
-> | credits | No |
-> | events | No |
-> | forecasts | No |
-> | lots | No |
-> | marketplaces | No |
-> | pricesheets | No |
-> | products | No |
-> | reservationdetails | No |
-> | reservationrecommendationdetails | No |
-> | reservationrecommendations | No |
-> | reservationsummaries | No |
-> | reservationtransactions | No |
-> | tags | No |
-> | tenants | No |
-> | terms | No |
-> | usagedetails | No |
--
-## Microsoft.ContainerInstance
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | containergroups | No |
-> | serviceassociationlinks | No |
--
-## Microsoft.ContainerRegistry
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | registries | No |
-> | registries / agentpools | No |
-> | registries / buildtasks | No |
-> | registries / replications | No |
-> | registries / tasks | No |
-> | registries / webhooks | No |
-
-## Microsoft.ContainerService
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | containerservices | No |
-> | managedclusters | No |
-> | openshiftmanagedclusters | No |
-
-## Microsoft.ContentModerator
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | applications | No |
-
-## Microsoft.CortanaAnalytics
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | accounts | No |
-
-## Microsoft.CostManagement
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | alerts | No |
-> | billingaccounts | No |
-> | budgets | No |
-> | cloudconnectors | No |
-> | connectors | No |
-> | departments | No |
-> | dimensions | No |
-> | enrollmentaccounts | No |
-> | exports | No |
-> | externalbillingaccounts | No |
-> | forecast | No |
-> | query | No |
-> | register | No |
-> | reportconfigs | No |
-> | reports | No |
-> | settings | No |
-> | showbackrules | No |
-> | views | No |
-
-## Microsoft.CustomerInsights
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | hubs | No |
-
-## Microsoft.CustomerLockbox
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | requests | No |
-
-## Microsoft.CustomProviders
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | associations | No |
-> | resourceproviders | No |
-
-## Microsoft.DataBox
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | jobs | No |
-
-## Microsoft.DataBoxEdge
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | availableskus | No |
-> | databoxedgedevices | No |
-
-## Microsoft.Databricks
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | workspaces | No |
-
-## Microsoft.DataCatalog
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | catalogs | No |
-> | datacatalogs | No |
-
-## Microsoft.DataConnect
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | connectionmanagers | No |
-
-## Microsoft.DataExchange
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | packages | No |
-> | plans | No |
-
-## Microsoft.DataFactory
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | datafactories | No |
-> | factories | No |
-
-## Microsoft.DataLake
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | datalakeaccounts | No |
-
-## Microsoft.DataLakeAnalytics
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | accounts | No |
-
-## Microsoft.DataLakeStore
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | accounts | No |
-
-## Microsoft.DataMigration
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | services | No |
-> | services / projects | No |
-> | slots | No |
-
-## Microsoft.DataProtection
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- | - |
-> | backupvaults | No |
-
-## Microsoft.DataShare
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | accounts | No |
-
-## Microsoft.DBforMariaDB
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | servers | You can use a cross-region read replica to move an existing server. [Learn more](../../postgresql/howto-move-regions-portal.md).<br/><br/> If the service is provisioned with geo-redundant backup storage, you can use geo-restore to restore in other regions. [Learn more](../../mariadb/concepts-business-continuity.md#recover-from-an-azure-regional-data-center-outage).
-
-## Microsoft.DBforMySQL
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | servers | You can use a cross-region read replica to move an existing server. [Learn more](../../mysql/howto-move-regions-portal.md).
-
-## Microsoft.DBforPostgreSQL
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | servergroups | No |
-> | servers | You can use a cross-region read replica to move an existing server. [Learn-more](../../postgresql/howto-move-regions-portal.md).
-> | serversv2 | No |
-
-## Microsoft.DeploymentManager
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | artifactsources | No |
-> | rollouts | No |
-> | servicetopologies | No |
-> | servicetopologies / services | No |
-> | servicetopologies / services / serviceunits | No |
-> | steps | No |
--
-## Microsoft.DesktopVirtualization
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | applicationgroups | No |
-> | workspaces | No |
-
-## Microsoft.Devices
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | elasticpools | No. Resource isn't exposed.
-> | elasticpools / iothubtenants | No. Resource isn't exposed.
-> | iothubs | Yes. [Learn more](../../iot-hub/iot-hub-how-to-clone.md)
-> | provisioningservices | No |
-
-## Microsoft.DevOps
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | controllers | No |
--
-## Microsoft.DevSpaces
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | controllers | No |
-> | AKS cluster | No<br/><br/> [Learn more](../../dev-spaces/faq.md#can-i-migrate-my-aks-cluster-with-azure-dev-spaces-to-another-region) about moving to another region.
-
-## Microsoft.DevTestLab
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | labcenters | No |
-> | labs | No |
-> | labs / environments | No |
-> | labs / servicerunners | No |
-> | labs / virtualmachines | No |
-> | schedules | No |
-
-## Microsoft.DigitalTwins
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | digitaltwinsinstances | Yes, by recreating resources in new region. [Learn more](../../digital-twins/how-to-move-regions.md) |
-
-## Microsoft.DocumentDB
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | databaseaccounts | No |
-> | databaseaccounts | No |
-
-## Microsoft.DomainRegistration
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | domains | No |
-> | generatessorequest | No |
-> | topleveldomains | No |
-> | validatedomainregistrationinformation | No |
-
-## Microsoft.EnterpriseKnowledgeGraph
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | services | No |
-
-## Microsoft.EventGrid
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | domains | No |
-> | eventsubscriptions | No |
-> | extensiontopics | No |
-> | partnernamespaces | No |
-> | partnerregistrations | No |
-> | partnertopics | No |
-> | systemtopics | No |
-> | topics | No |
-> | topictypes | No |
-
-## Microsoft.EventHub
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | clusters | No |
-> | namespaces | Yes (with template)<br/><br/> [Move an Event Hub namespace to another region](../../event-hubs/move-across-regions.md) |
-> | sku | No |
-
-## Microsoft.Experimentation
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | experimentworkspaces | No |
-
-## Microsoft.Falcon
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | namespaces | No |
-
-## Microsoft.Features
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | featureproviders | No |
-> | features | No |
-> | providers | No |
-> | subscriptionfeatureregistrations | No |
-
-## Microsoft.Genomics
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | accounts | No |
-
-## Microsoft.GuestConfiguration
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | automanagedaccounts | No |
-> | automanagedvmconfigurationprofiles | No |
-> | guestconfigurationassignments | No |
-> | software | No |
-> | softwareupdateprofile | No |
-> | softwareupdates | No |
-
-## Microsoft.HanaOnAzure
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | hanainstances | No |
-> | sapmonitors | No |
-
-## Microsoft.HardwareSecurityModules
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | dedicatedhsms | No |
--
-## Microsoft.HDInsight
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | clusters | No |
-
-## Microsoft.HealthcareApis
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | services | No |
-
-## Microsoft.HybridCompute
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | machines | No |
-> | machines / extensions | No |
-
-## Microsoft.HybridData
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | datamanagers | No |
-
-## Microsoft.HybridNetwork
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | devices | No |
-> | vnfs | No |
-
-## Microsoft.Hydra
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | components | No |
-> | networkscopes | No |
-
-## Microsoft.ImportExport
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | jobs | No |
-
-## microsoft.insights
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | accounts | No. [Learn more](../../azure-monitor/faq.md#how-do-i-move-an-application-insights-resource-to-a-new-region). |
-> | actiongroups | No |
-> | activitylogalerts | No |
-> | alertrules | No |
-> | autoscalesettings | No |
-> | baseline | No |
-> | components | No |
-> | datacollectionrules | No |
-> | diagnosticsettings | No |
-> | diagnosticsettingscategories | No |
-> | eventcategories | No |
-> | eventtypes | No |
-> | extendeddiagnosticsettings | No |
-> | guestdiagnosticsettings | No |
-> | listmigrationdate | No |
-> | logdefinitions | No |
-> | logprofiles | No |
-> | logs | No |
-> | metricalerts | No |
-> | metricbaselines | No |
-> | metricbatch | No |
-> | metricdefinitions | No |
-> | metricnamespaces | No |
-> | metrics | No |
-> | migratealertrules | No |
-> | migratetonewpricingmodel | No |
-> | myworkbooks | No |
-> | notificationgroups | No |
-> | privatelinkscopes | No |
-> | rollbacktolegacypricingmodel | No |
-> | scheduledqueryrules | No |
-> | topology | No |
-> | transactions | No |
-> | vminsightsonboardingstatuses | No |
-> | webtests | No |
-> | webtests / gettestresultfile | No |
-> | workbooks | No |
-> | workbooktemplates | No |
--
-## Microsoft.IoTCentral
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | apptemplates | No |
-> | iotapps | No |
---
-## Microsoft.IoTHub
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | iothub | Yes (clone hub) <br/><br/> [Clone an IoT hub to another region](../../iot-hub/iot-hub-how-to-clone.md)
-
-## Microsoft.IoTSpaces
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region Move |
-> | - | -- |
-> | graph | No |
-
-## Microsoft.KeyVault
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | deletedvaults | No |
-> | hsmpools | No |
-> | managedhsms | No |
-> | vaults | No |
-
-## Microsoft.Kubernetes
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | connectedclusters | No |
-> | registeredsubscriptions | No |
-
-## Microsoft.KubernetesConfiguration
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | sourcecontrolconfigurations | No |
-
-## Microsoft.Kusto
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | clusters | No |
-
-## Microsoft.LabServices
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | labaccounts | No |
-> | users | No |
-
-## Microsoft.LocationBasedServices
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | accounts | No |
-
-## Microsoft.LocationServices
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | accounts | No, it's a global service.
-
-## Microsoft.Logic
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | hostingenvironments | No |
-> | integrationaccounts | No |
-> | integrationserviceenvironments | No |
-> | integrationserviceenvironments / managedapis | No |
-> | isolatedenvironments | No |
-> | workflows | No |
-
-## Microsoft.MachineLearning
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | commitmentplans | No |
-> | webservices | No |
-> | workspaces | No |
-
-## Microsoft.MachineLearningCompute
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | operationalizationclusters | No |
-
-## Microsoft.MachineLearningExperimentation
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | accounts | No |
-> | teamaccounts | No |
--
-## Microsoft.MachineLearningModelManagement
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | accounts | No |
--
-## Microsoft.MachineLearningServices
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | workspaces | No |
-
-## Microsoft.Maintenance
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | configurationassignments | Yes. [Learn more](../../virtual-machines/move-region-maintenance-configuration.md) |
-> | maintenanceconfigurations | Yes. [Learn more](../../virtual-machines/move-region-maintenance-configuration-resources.md) |
-> | updates | No |
-
-## Microsoft.ManagedIdentity
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | identities | No |
-> | userassignedidentities | No |
-
-## Microsoft.ManagedNetwork
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | managednetworks | No |
-> | managednetworks / managednetworkgroups | No |
-> | managednetworks / managednetworkpeeringpolicies | No |
-> | notification | No |
-
-## Microsoft.ManagedServices
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | marketplaceregistrationdefinitions | No |
-> | registrationassignments | No |
-> | registrationdefinitions | No |
-
-## Microsoft.Management
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | getentities | No |
-> | managementgroups | No |
-> | managementgroups / settings | No |
-> | resources | No |
-> | starttenantbackfill | No |
-> | tenantbackfillstatus | No |
-
-## Microsoft.Maps
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | accounts | No, Azure Maps is a geospatial service.
-> | accounts / privateatlases | No
-
-## Microsoft.Marketplace
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | offers | No |
-> | offertypes | No |
-> | privategalleryitems | No |
-> | privatestoreclient | No |
-> | privatestores | No |
-> | products | No |
-> | publishers | No |
-> | register | No |
-
-## Microsoft.MarketplaceApps
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | classicdevservices | No |
-
-## Microsoft.MarketplaceOrdering
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | agreements | No |
-> | offertypes | No |
-
-## Microsoft.Media
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | mediaservices | No |
-> | mediaservices / liveevents | No |
-> | mediaservices / streamingendpoints | No |
-
-## Microsoft.Microservices4Spring
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | appclusters | No |
-
-## Microsoft.Migrate
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | assessmentprojects | No |
-> | migrateprojects | No |
-> | movecollections | No
-> | projects | No |
-
-## Microsoft.MixedReality
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- | - |
-> | holographicsbroadcastaccounts | No |
-> | objectunderstandingaccounts | No |
-> | remoterenderingaccounts | No |
-> | spatialanchorsaccounts | No |
-
-## Microsoft.NetApp
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | netappaccounts | No |
-> | netappaccounts / capacitypools | No |
-> | netappaccounts / capacitypools / volumes | No |
-> | netappaccounts / capacitypools / volumes / mounttargets | No |
-> | netappaccounts / capacitypools / volumes / snapshots | No |
-
-## Microsoft.Network
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | applicationgateways | No |
-> | applicationgatewaywebapplicationfirewallpolicies | No |
-> | applicationsecuritygroups | No |
-> | azurefirewalls | No |
-> | bastionhosts | No |
-> | bgpservicecommunities | No |
-> | connections | No |
-> | ddoscustompolicies | No |
-> | ddosprotectionplans | No |
-> | dnszones | No |
-> | expressroutecircuits | No |
-> | expressroutegateways | No |
-> | expressrouteserviceproviders | No |
-> | firewallpolicies | No |
-> | frontdoors | No |
-> | ipallocations | No |
-> | ipgroups | No |
-> | loadbalancers | Yes <br/><br/> Use [Azure Resource Mover](../../resource-mover/tutorial-move-region-virtual-machines.md) to move internal and external load balancers. |
-> | localnetworkgateways | No |
-> | natgateways | No |
-> | networkexperimentprofiles | No |
-> | networkintentpolicies | No |
-> | networkinterfaces | Yes <br/><br/> Use [Azure Resource Mover](../../resource-mover/tutorial-move-region-virtual-machines.md) to move NICs. |
-> | networkprofiles | No |
-> | networksecuritygroups | Yes <br/><br/> Use [Azure Resource Mover](../../resource-mover/tutorial-move-region-virtual-machines.md) to move network security groups (NGSs). |
-> | networkwatchers | No |
-> | networkwatchers / connectionmonitors | No |
-> | networkwatchers / flowlogs | No |
-> | networkwatchers / pingmeshes | No |
-> | p2svpngateways | No |
-> | privatednszones | No |
-> | privatednszones / virtualnetworklinks | No |
-> | privatednszonesinternal | No |
-> | privateendpointredirectmaps | No |
-> | privateendpoints | No |
-> | privatelinkservices | No |
-> | publicipaddresses | Yes<br/><br/> Use [Azure Resource Mover](../../resource-mover/tutorial-move-region-virtual-machines.md) to move public IP addresses. |
-> | publicipprefixes | No |
-> | routefilters | No |
-> | routetables | No |
-> | securitypartnerproviders | No |
-> | serviceendpointpolicies | No |
-> | trafficmanagergeographichierarchies | No |
-> | trafficmanagerprofiles | No |
-> | trafficmanagerusermetricskeys | No |
-> | virtualhubs | No |
-> | virtualnetworkgateways | No |
-> | virtualnetworks | No |
-> | virtualnetworktaps | No |
-> | virtualwans | No |
-> | vpngateways (Virtual WAN) | No |
-> | vpnsites (Virtual WAN) | No |
-> | vpnsites (Virtual WAN) | No |
--
-## Microsoft.NotificationHubs
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | namespaces | No |
-> | namespaces / notificationhubs | No |
-
-## Microsoft.ObjectStore
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | osnamespaces | No |
-
-## Microsoft.OffAzure
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | hypervsites | No |
-> | importsites | No |
-> | serversites | No |
-> | vmwaresites | No |
-
-## Microsoft.OperationalInsights
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | clusters | No |
-> | deletedworkspaces | No |
-> | linktargets | No |
-> | storageinsightconfigs | No |
-> | workspaces | No |
---
-## Microsoft.OperationsManagement
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | managementassociations | No |
-> | managementconfigurations | No |
-> | solutions | No |
-> | views | No |
-
-## Microsoft.Peering
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | legacypeerings | No |
-> | peerasns | No |
-> | peeringlocations | No |
-> | peerings | No |
-> | peeringservicecountries | No |
-> | peeringservicelocations | No |
-> | peeringserviceproviders | No |
-> | peeringservices | No |
-
-## Microsoft.PolicyInsights
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | policyevents | No |
-> | policystates | No |
-> | policytrackedresources | No |
-> | remediations | No |
-
-## Microsoft.Portal
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | consoles | No |
-> | dashboards | No |
-> | usersettings | No |
--
-## Microsoft.PowerBI
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | workspacecollections | No |
-
-## Microsoft.PowerBIDedicated
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | capacities | No |
-
-## Microsoft.Purview
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | accounts | No |
-
-## Microsoft.ProviderHub
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | availableaccounts | No |
-> | providerregistrations | No |
-> | rollouts | No |
-
-## Microsoft.Quantum
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | workspaces | No |
-
-## Microsoft.RecoveryServices
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | replicationeligibilityresults | No |
-> | vaults | No.<br/><br/> Moving Recovery Services vaults for Azure Backup across Azure regions isn't supported.<br/><br/> In Recovery Services vaults for Azure Site Recovery, you can [disable and recreate the vault](../../site-recovery/move-vaults-across-regions.md) in the target region. |
-
-## Microsoft.RedHatOpenShift
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | openshiftclusters | No |
-
-## Microsoft.Relay
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | namespaces | No |
-
-## Microsoft.ResourceGraph
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | queries | No |
-> | resourcechangedetails | No |
-> | resourcechanges | No |
-> | resources | No |
-> | resourceshistory | No |
-> | subscriptionsstatus | No |
-
-## Microsoft.ResourceHealth
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | childresources | No |
-> | emergingissues | No |
-> | events | No |
-> | metadata | No |
-> | notifications | No |
-
-## Microsoft.Resources
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | deploymentScripts | Yes<br/><br/>[Move Microsoft.Resources resources to new region](microsoft-resources-move-regions.md) |
-> | templateSpecs | Yes<br/><br/>[Move Microsoft.Resources resources to new region](microsoft-resources-move-regions.md) |
-
-## Microsoft.SaaS
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | applications | No |
-> | saasresources | No |
--
-## Microsoft.Search
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | resourcehealthmetadata | No |
-> | searchservices | No |
--
-## Microsoft.Security
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | adaptivenetworkhardenings | No |
-> | advancedthreatprotectionsettings | No |
-> | alerts | No |
-> | allowedconnections | No |
-> | applicationwhitelistings | No |
-> | assessmentmetadata | No |
-> | assessments | No |
-> | autodismissalertsrules | No |
-> | automations | No |
-> | autoprovisioningsettings | No |
-> | complianceresults | No |
-> | compliances | No |
-> | datacollectionagents | No |
-> | devicesecuritygroups | No |
-> | discoveredsecuritysolutions | No |
-> | externalsecuritysolutions | No |
-> | informationprotectionpolicies | No |
-> | iotsecuritysolutions | No |
-> | iotsecuritysolutions / analyticsmodels | No |
-> | iotsecuritysolutions / analyticsmodels / aggregatedalerts | No |
-> | iotsecuritysolutions / analyticsmodels / aggregatedrecommendations | No |
-> | jitnetworkaccesspolicies | No |
-> | policies | No |
-> | pricings | No |
-> | regulatorycompliancestandards | No |
-> | regulatorycompliancestandards / regulatorycompliancecontrols | No |
-> | regulatorycompliancestandards / regulatorycompliancecontrols / regulatorycomplianceassessments | No |
-> | securitycontacts | No |
-> | securitysolutions | No |
-> | securitysolutionsreferencedata | No |
-> | securitystatuses | No |
-> | securitystatusessummaries | No |
-> | servervulnerabilityassessments | No |
-> | settings | No |
-> | subassessments | No |
-> | tasks | No |
-> | topologies | No |
-> | workspacesettings | No |
-
-## Microsoft.SecurityInsights
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | aggregations | No |
-> | alertrules | No |
-> | alertruletemplates | No |
-> | automationrules | No |
-> | cases | No |
-> | dataconnectors | No |
-> | entities | No |
-> | entityqueries | No |
-> | incidents | No |
-> | officeconsents | No |
-> | settings | No |
-> | threatintelligence | No |
-
-## Microsoft.SerialConsole
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | consoleservices | No |
-
-## Microsoft.ServerManagement
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | gateways | No |
-> | nodes | No |
-
-## Microsoft.ServiceBus
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | namespaces | No |
-> | premiummessagingregions | No |
-> | sku | No |
-
-## Microsoft.ServiceFabric
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | applications | No |
-> | clusters | No |
-> | containergroups | No |
-> | containergroupsets | No |
-> | edgeclusters | No |
-> | managedclusters | No |
-> | networks | No |
-> | secretstores | No |
-> | volumes | No |
-
-## Microsoft.ServiceFabricMesh
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | applications | No |
-> | containergroups | No |
-> | gateways | No |
-> | networks | No |
-> | secrets | No |
-> | volumes | No |
-
-## Microsoft.Services
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | rollouts | No |
-
-## Microsoft.SignalRService
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | signalr | No |
-
-## Microsoft.SoftwarePlan
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | hybridusebenefits | No |
-
-## Microsoft.Solutions
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | appliancedefinitions | No |
-> | appliances | No |
-> | jitrequests | No |
-
-## Microsoft.Sql
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | instancepools | No |
-> | locations | No |
-> | managedinstances | Yes <br/><br/> [Learn more](../../azure-sql/database/move-resources-across-regions.md) about moving managed instances across regions. |
-> | managedinstances / databases | Yes |
-> | servers | Yes |
-> | servers / databases | Yes <br/><br/> [Learn more](../../azure-sql/database/move-resources-across-regions.md) about moving databases across regions.<br/><br/> [Learn more](../../resource-mover/tutorial-move-region-sql.md) about using Azure Resource Mover to move Azure SQL databases. |
-> | servers / elasticpools | Yes <br/><br/> [Learn more](../../azure-sql/database/move-resources-across-regions.md) about moving elastic pools across regions.<br/><br/> [Learn more](../../resource-mover/tutorial-move-region-sql.md) about using Azure Resource Mover to move Azure SQL elastic pools. |
-> | virtualclusters | Yes |
-
-## Microsoft.SqlVirtualMachine
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | sqlvirtualmachinegroups | No |
-> | sqlvirtualmachines | No |
--
-## Microsoft.Storage
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | storageaccounts | Yes<br/><br/> [Move an Azure Storage account to another region](../../storage/common/storage-account-move.md) |
-
-## Microsoft.StorageCache
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | caches | No |
-
-## Microsoft.StorageSync
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | storagesyncservices | No |
-
-## Microsoft.StorageSyncDev
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | storagesyncservices | No |
-
-## Microsoft.StorageSyncInt
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | storagesyncservices | No |
-
-## Microsoft.StorSimple
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | managers | No |
-
-## Microsoft.StreamAnalytics
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | clusters | No |
-> | streamingjobs | No |
--
-## Microsoft.StreamAnalyticsExplorer
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | environments | No |
-> | instances | No |
-
-## Microsoft.Subscription
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | subscriptions | No |
-
-## microsoft.support
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | services | No |
-> | supporttickets | No |
-
-## Microsoft.Synapse
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | workspaces | No |
-> | workspaces / bigdatapools | No |
-> | workspaces / sqlpools | No |
--
-## Microsoft.TimeSeriesInsights
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | environments | No |
-> | environments / eventsources | No |
-> | environments / referencedatasets | No |
-
-## Microsoft.Token
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | stores | No |
-
-## Microsoft.VirtualMachineImages
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | imagetemplates | No |
-
-## microsoft.visualstudio
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | account | No |
-> | account / extension | No |
-> | account / project | No |
-
-## Microsoft.VMware
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | arczones | No |
-> | resourcepools | No |
-> | vcenters | No |
-> | virtualmachines | No |
-> | virtualmachinetemplates | No |
-> | virtualnetworks | No |
-
-## Microsoft.VMwareCloudSimple
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | dedicatedcloudnodes | No |
-> | dedicatedcloudservices | No |
-> | virtualmachines | No |
-
-## Microsoft.VnfManager
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | devices | No |
-> | vnfs | No |
-
-## Microsoft.VSOnline
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | accounts | No |
-> | plans | No |
-> | registeredsubscriptions | No |
--
-## Microsoft.Web
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | availablestacks | No |
-> | billingmeters | No |
-> | certificates | No |
-> | connectiongateways | No |
-> | connections | No |
-> | customapis | No |
-> | deletedsites | No |
-> | deploymentlocations | No |
-> | georegions | No |
-> | hostingenvironments | No |
-> | kubeenvironments | No |
-> | publishingusers | No |
-> | recommendations | No |
-> | resourcehealthmetadata | No |
-> | runtimes | No |
-> | serverfarms | No |
-> | serverfarms / eventgridfilters | N
-> | sites | No |
-> | sites / premieraddons | No |
-> | sites / slots | No |
-> | sourcecontrols | No |
-> | staticsites | No |
-
-## Microsoft.WindowsESU
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | multipleactivationkeys | No |
-
-## Microsoft.WindowsIoT
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | deviceservices | No |
-
-## Microsoft.WorkloadBuilder
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | workloads | No |
-
-## Microsoft.WorkloadMonitor
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | components | No |
-> | componentssummary | No |
-> | monitorinstances | No |
-> | monitorinstancessummary | No |
-> | monitors | No |
-## Third-party services
-
-Third-party services currently don't support the move operation.
-
-## Next steps
-
-[Learn more](../../resource-mover/overview.md) about the Resource Mover service.
-
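Review bot: Several of the removed table rows are malformed, so if this table is being moved rather than dropped, carry the fixes with it. The `iothubs`, `AKS cluster`, `iothub`, `movecollections`, Microsoft.LocationServices `accounts` and both Microsoft.Maps rows lack the closing `|`; the `serverfarms / eventgridfilters` value is truncated to `N`; the Microsoft.MixedReality separator row has three columns under a two-column header; `databaseaccounts` and `vpnsites (Virtual WAN)` are each listed twice; and the `networksecuritygroups` row abbreviates network security groups as "NGSs" instead of "NSGs". The "Third-party services" heading also follows the last Microsoft.WorkloadMonitor row with no blank line between them.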
azure-resource-manager Troubleshoot Move https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/troubleshoot-move.md
- Title: Troubleshoot move errors
-description: Troubleshoot moving resources to a new resource group or subscription.
- Previously updated : 08/27/2019--
-# Troubleshoot moving Azure resources to new resource group or subscription
-
-This article provides suggestions to help resolve problems when moving resources.
-
-## Upgrade a subscription
-
-If you actually want to upgrade your Azure subscription (such as switching from free to pay-as-you-go), you need to convert your subscription.
-
-* To upgrade a free trial, see [Upgrade your Free Trial or Microsoft Imagine Azure subscription to Pay-As-You-Go](../../cost-management-billing/manage/upgrade-azure-subscription.md).
-* To change a pay-as-you-go account, see [Change your Azure Pay-As-You-Go subscription to a different offer](../../cost-management-billing/manage/switch-azure-offer.md).
-
-If you can't convert the subscription, [create an Azure support request](../../azure-portal/supportability/how-to-create-azure-support-request.md). Select **Subscription Management** for the issue type.
-
-## Service limitations
-
-Some services require additional considerations when moving resources. If you're moving the following services, make sure you check the guidance and limitations.
-
-* [App Services](./move-limitations/app-service-move-limitations.md)
-* [Azure DevOps Services](/azure/devops/organizations/billing/change-azure-subscription?toc=/azure/azure-resource-manager/toc.json)
-* [Classic deployment model](./move-limitations/classic-model-move-limitations.md)
-* [Networking](./move-limitations/networking-move-limitations.md)
-* [Recovery Services](../../backup/backup-azure-move-recovery-services-vault.md?toc=/azure/azure-resource-manager/toc.json)
-* [Virtual Machines](./move-limitations/virtual-machines-move-limitations.md)
-
-## Large requests
-
-When possible, break large moves into separate move operations. Resource Manager immediately returns an error when there are more than 800 resources in a single operation. However, moving less than 800 resources may also fail by timing out.
-
-## Resource not in succeeded state
-
-When you get an error message that indicates a resource can't be moved because it isn't in a succeeded state, it may actually be a dependent resource that is blocking the move. Typically, the error code is **MoveCannotProceedWithResourcesNotInSucceededState**.
-
-If the source or target resource group contains a virtual network, the states of all dependent resources for the virtual network are checked during the move. The check includes those resources directly and indirectly dependent on the virtual network. If any of those resources are in a failed state, the move is blocked. For example, if a virtual machine that uses the virtual network has failed, the move is blocked. The move is blocked even when the virtual machine isn't one of the resources being moved and isn't in one of the resource groups for the move.
-
-When you receive this error, you have two options. Either move your resources to a resource group that doesn't have a virtual network, or [contact support](../../azure-portal/supportability/how-to-create-azure-support-request.md).
-
-## Next steps
-
-For commands to move resources, see [Move resources to new resource group or subscription](move-resource-group-and-subscription.md).
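Review bot: The whole troubleshooting article is removed here with no added lines in the hunk, including the 800-resource limit under "Large requests" and the explanation of **MoveCannotProceedWithResourcesNotInSucceededState**. Confirm that this guidance has a new home and that the old URL redirects to it. If the text is kept elsewhere, "moving less than 800 resources" should read "fewer than 800 resources".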
azure-sql Azure Sql Iaas Vs Paas What Is Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/azure-sql-iaas-vs-paas-what-is-overview.md
Azure SQL Database offers the following deployment options:
### SQL Server on Azure VM [SQL Server on Azure VM](virtual-machines/windows/sql-server-on-azure-vm-iaas-what-is-overview.md) falls into the industry category *Infrastructure-as-a-Service (IaaS)* and allows you to run SQL Server inside a fully managed virtual machine (VM) in Azure.
+- SQL Server installed and hosted in the cloud runs on Windows Server or Linux virtual machines running on Azure, also known as an infrastructure as a service (IaaS). SQL virtual machines are a good option for migrating on-premises SQL Server databases and applications without any database change. All recent versions and editions of SQL Server are available for installation in an IaaS virtual machine.
- Best for migrations and applications requiring OS-level access. SQL virtual machines in Azure are lift-and-shift ready for existing applications that require fast migration to the cloud with minimal changes or no changes. SQL virtual machines offer full administrative control over the SQL Server instance and underlying OS for migration to Azure.
+- The most significant difference from SQL Database and SQL Managed Instance is that SQL Server on Azure Virtual Machines allows full control over the database engine. You can choose when to start maintenance/patching, change the recovery model to simple or bulk-logged, pause or start the service when needed, and you can fully customize the SQL Server database engine. With this additional control comes the added responsibility to manage the virtual machine.
- Rapid development and test scenarios when you do not want to buy on-premises non-production SQL Server hardware. SQL virtual machines also run on standardized hardware that is owned, hosted, and maintained by Microsoft. When using SQL virtual machines, you can either pay-as-you-go for a SQL Server license already included in a SQL Server image or easily use an existing license. You can also stop or resume the VM as needed. -- SQL Server installed and hosted in the cloud runs on Windows Server or Linux virtual machines running on Azure, also known as an infrastructure as a service (IaaS). SQL virtual machines are a good option for migrating on-premises SQL Server databases and applications without any database change. All recent versions and editions of SQL Server are available for installation in an IaaS virtual machine. -
- The most significant difference from SQL Database and SQL Managed Instance is that SQL Server on Azure Virtual Machines allows full control over the database engine. You can choose when to start maintenance/patching, change the recovery model to simple or bulk-logged, pause or start the service when needed, and you can fully customize the SQL Server database engine. With this additional control comes the added responsibility to manage the virtual machine.
- Optimized for migrating existing applications to Azure or extending existing on-premises applications to the cloud in hybrid deployments. In addition, you can use SQL Server in a virtual machine to develop and test traditional SQL Server applications. With SQL virtual machines, you have the full administrative rights over a dedicated SQL Server instance and a cloud-based VM. It is a perfect choice when an organization already has IT resources available to maintain the virtual machines. These capabilities allow you to build a highly customized system to address your applicationΓÇÖs specific performance and availability requirements.
-Additional differences are listed in the following table, but *both SQL Database and SQL Managed Instance are optimized to reduce overall management costs to the minimum for provisioning and managing many databases.* Ongoing administration costs are reduced since you do not have to manage any virtual machines, operating system, or database software. You do not have to manage upgrades, high availability, or [backups](database/automated-backups-overview.md).
-
-In general, SQL Database and SQL Managed Instance can dramatically increase the number of databases managed by a single IT or development resource. [Elastic pools](database/elastic-pool-overview.md) also support SaaS multi-tenant application architectures with features including tenant isolation and the ability to scale to reduce costs by sharing resources across databases. [SQL Managed Instance](managed-instance/sql-managed-instance-paas-overview.md) provides support for instance-scoped features enabling easy migration of existing applications, as well as sharing resources among databases.
### Comparison table
+Additional differences are listed in the following table, but *both SQL Database and SQL Managed Instance are optimized to reduce overall management costs to a minimum for provisioning and managing many databases.* Ongoing administration costs are reduced since you do not have to manage any virtual machines, operating system, or database software. You do not have to manage upgrades, high availability, or [backups](database/automated-backups-overview.md).
+
+In general, SQL Database and SQL Managed Instance can dramatically increase the number of databases managed by a single IT or development resource. [Elastic pools](database/elastic-pool-overview.md) also support SaaS multi-tenant application architectures with features including tenant isolation and the ability to scale to reduce costs by sharing resources across databases. [SQL Managed Instance](managed-instance/sql-managed-instance-paas-overview.md) provides support for instance-scoped features enabling easy migration of existing applications, as well as sharing resources among databases. Whereas, [SQL Server on Azure VMs](virtual-machines/windows/sql-server-on-azure-vm-iaas-what-is-overview.md) provide DBAs with an experience most similar to the on-premises environment they're familiar with.
++ | Azure SQL Database | Azure SQL Managed Instance | SQL Server on Azure VM | | : | : | : | |Supports most on-premises database-level capabilities. The most commonly used SQL Server features are available.<br/>99.995% availability guaranteed.<br/>Built-in backups, patching, recovery.<br/>Latest stable Database Engine version.<br/>Ability to assign necessary resources (CPU/storage) to individual databases.<br/>Built-in advanced intelligence and security.<br/>Online change of resources (CPU/storage).| Supports almost all on-premises instance-level and database-level capabilities. High compatibility with SQL Server.<br/>99.99% availability guaranteed.<br/>Built-in backups, patching, recovery.<br/>Latest stable Database Engine version.<br/>Easy migration from SQL Server.<br/>Private IP address within Azure Virtual Network.<br/>Built-in advanced intelligence and security.<br/>Online change of resources (CPU/storage).| You have full control over the SQL Server engine. Supports all on-premises capabilities.<br/>Up to 99.99% availability.<br/>Full parity with the matching version of on-premises SQL Server.<br/>Fixed, well-known Database Engine version.<br/>Easy migration from SQL Server.<br/>Private IP address within Azure Virtual Network.<br/>You have the ability to deploy application or services on the host where SQL Server is placed.|
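Review bot: The added sentence "Whereas, [SQL Server on Azure VMs](...) provide DBAs with an experience most similar to the on-premises environment they're familiar with." is a fragment, because "Whereas" introduces a subordinate clause with no main clause. It also pairs the singular product name with the plural verb "provide". Suggest "By contrast, SQL Server on Azure VMs provides DBAs with the experience closest to the on-premises environment they already know." and keeping it as the closing sentence of the paragraph.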
For **SQL on Azure VM**, Microsoft provides an availability SLA of 99.95% that c
- See [Your first Azure SQL Managed Instance](managed-instance/instance-create-quickstart.md) to get started with SQL Managed Instance. - See [SQL Database pricing](https://azure.microsoft.com/pricing/details/sql-database/). - See [Provision a SQL Server virtual machine in Azure](virtual-machines/windows/create-sql-vm-portal.md) to get started with SQL Server on Azure VMs.-- [Identify the right SQL Database or SQL Managed Instance SKU for your on-premises database](/sql/dma/dma-sku-recommend-sql-db/).
+- [Identify the right SQL Database or SQL Managed Instance SKU for your on-premises database](/sql/dma/dma-sku-recommend-sql-db/).
azure-sql Frequently Asked Questions Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/frequently-asked-questions-faq.md
This article provides answers to some of the most common questions about running
1. Uninstall SQL Server completely, including the SQL IaaS extension (if present). 1. Install the free [SQL Express edition](https://www.microsoft.com/sql-server/sql-server-downloads). 1. Register with the SQL IaaS Agent extension in [lightweight mode](sql-agent-extension-manually-register-single-vm.md).
+ 1. [Change the edition of SQL Server](change-sql-server-edition.md#change-edition-in-portal) in the [Azure portal](https://portal.azure.com) to Express to stop billing.
1. (optional) Disable the Express SQL Server service by disabling service startup. 1. **Can I use the Azure portal to manage multiple instances on the same VM?**
azure-vmware Azure Vmware Solution On Premises https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/azure-vmware-solution-on-premises.md
Title: Connect Azure VMware Solution to your on-premises environment description: Learn how to connect Azure VMware Solution to your on-premises environment. Previously updated : 03/13/2021 Last updated : 04/19/2021 # Connect Azure VMware Solution to your on-premises environment In this article, you'll continue using the [information gathered during planning](production-ready-deployment-steps.md) to connect Azure VMware Solution to your on-premises environment.
-Before you begin, there are two prerequisites for connecting Azure VMware Solution to your on-premises environment:
+Before you begin, you must have an ExpressRoute circuit from your on-premises environment to Azure.
-- An ExpressRoute circuit from your on-premises environment to Azure.-- A /29 non-overlapping CIDR network address block for the ExpressRoute Global Reach peering, which you defined as part of the [planning phase](production-ready-deployment-steps.md). >[!NOTE] > You can connect through VPN, but that's out of scope for this quick start document.
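Review bot: The rewritten prerequisite sentence drops the "/29 non-overlapping CIDR network address block for the ExpressRoute Global Reach peering" without saying where that requirement now lives. If a later step on this page still asks for the block, readers will reach it with no warning. Either keep a one-line pointer to the planning phase link that the removed bullet carried, or confirm in the description that the block is no longer needed for this procedure.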
backup Backup Architecture https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-architecture.md
Back up deduplicated disks | | | ![Partially][yellow]<br/><br/> For DPM/MABS ser
## Architecture: Built-in Azure VM Backup
-1. When you enable backup for an Azure VM, a backup runs according to the schedule you specify.
-1. During the first backup, a backup extension is installed on the VM if the VM is running.
- - For Windows VMs, the VMSnapshot extension is installed.
- - For Linux VMs, the VMSnapshot Linux extension is installed.
-1. The extension takes a storage-level snapshot.
- - For Windows VMs that are running, Backup coordinates with the Windows Volume Shadow Copy Service (VSS) to take an app-consistent snapshot of the VM. By default, Backup takes full VSS backups. If Backup is unable to take an app-consistent snapshot, then it takes a file-consistent snapshot.
- - For Linux VMs, Backup takes a file-consistent snapshot. For app-consistent snapshots, you need to manually customize pre/post scripts.
- - Backup is optimized by backing up each VM disk in parallel. For each disk being backed up, Azure Backup reads the blocks on disk and stores only the changed data.
-1. After the snapshot is taken, the data is transferred to the vault.
- - Only blocks of data that changed since the last backup are copied.
- - Data isn't encrypted. Azure Backup can back up Azure VMs that were encrypted by using Azure Disk Encryption.
- - Snapshot data might not be immediately copied to the vault. At peak times, the backup might take some hours. Total backup time for a VM will be less than 24 hours for daily backup policies.
-1. After the data is sent to the vault, a recovery point is created. By default, snapshots are retained for two days before they are deleted. This feature allows restore operation from these snapshots, thereby cutting down the restore times. It reduces the time that's required to transform and copy data back from the vault. See [Azure Backup Instant Restore Capability](./backup-instant-restore-capability.md).
-
-You don't need to explicitly allow internet connectivity to back up your Azure VMs.
-
-![Backup of Azure VMs](./media/backup-architecture/architecture-azure-vm.png)
## Architecture: Direct backup of on-premises Windows Server machines or Azure VM files or folders
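Review bot: In the lines shown, the heading "## Architecture: Built-in Azure VM Backup" is left with no body, followed directly by the next "## Architecture" heading. The removed steps carried statements readers rely on for security review: "Data isn't encrypted. Azure Backup can back up Azure VMs that were encrypted by using Azure Disk Encryption." and "You don't need to explicitly allow internet connectivity to back up your Azure VMs." If the content moved to a shared include or another article, add the include or a link under this heading and check that both statements survive at the destination.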
backup Backup Azure Microsoft Azure Backup https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-azure-microsoft-azure-backup.md
Title: Use Azure Backup Server to back up workloads description: In this article, learn how to prepare your environment to protect and back up workloads using Microsoft Azure Backup Server (MABS). Previously updated : 11/13/2018 Last updated : 04/14/2021 # Install and upgrade Azure Backup Server
This article explains how to prepare your environment to back up workloads using
> >
-MABS deployed in an Azure VM can back up VMs in Azure but they should be in same domain to enable backup operation. The process to back an Azure VM remains same as backing up VMs on premises, however deploying MABS in Azure has some limitations. For more information on limitation, see [DPM as an Azure virtual machine](/system-center/dpm/install-dpm#setup-prerequisites)
+MABS deployed in an Azure VM can back up VMs in Azure but they should be in same domain to enable backup operation. The process to back an Azure VM remains same as backing up VMs on premises, however deploying MABS in Azure has some limitations. For more information on limitation, see [DPM as an Azure virtual machine](/system-center/dpm/install-dpm#setup-prerequisites).
> [!NOTE] > Azure has two deployment models for creating and working with resources: [Resource Manager and classic](../azure-resource-manager/management/deployment-models.md). This article provides the information and procedures for restoring VMs deployed using the Resource Manager model.
Azure Backup Server inherits much of the workload backup functionality from Data
The first step towards getting the Azure Backup Server up and running is to set up a Windows Server. Your server can be in Azure or on-premises.
-* To protect on-premises workloads, the MABS server must be located on-premises.
-* To protect workloads running on Azure VMs, the MABS server must be located in Azure, running as an Azure VM.
+* To protect on-premises workloads, the MABS server must be located on-premises, and connected to a domain.
+* To protect workloads running on Azure VMs, the MABS server must be located in Azure, running as an Azure VM, and connected to a domain.
### Using a server in Azure
You can deduplicate the DPM storage using Windows Server Deduplication. Learn mo
> > Installing Azure Backup Server isn't supported on Windows Server Core or Microsoft Hyper-V Server.
-Always join Azure Backup Server to a domain. If you plan to move the server to a different domain, install Azure Backup Server first, then join the server to the new domain. Moving an existing Azure Backup Server machine to a new domain after deployment is *not supported*.
+Always join Azure Backup Server to a domain. Moving an existing Azure Backup Server machine to a new domain after deployment is *not supported*.
Whether you send backup data to Azure, or keep it locally, Azure Backup Server must be registered with a Recovery Services vault.
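Review bot: The new line "Always join Azure Backup Server to a domain." no longer says when the join has to happen relative to installation. The removed sentence gave an order (install first, then join the new domain), and the remaining text only says that moving after deployment is not supported. State the intended order explicitly, for example that the server must already be joined to its final domain before MABS is installed, if that is what the change means.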
Once the extraction process complete, check the box to launch the freshly extrac
The scratch location is a requirement for back up to Azure. Ensure the scratch location is at least 5% of the data planned to be backed up to the cloud. For disk protection, separate disks need to be configured once the installation completes. For more information about storage pools, see [Prepare data storage](/system-center/dpm/plan-long-and-short-term-data-storage).
- Capacity requirements for disk storage depends primarily on the size of the protected data, the daily recovery point size, expected volume data growth rate, and retention range objectives. We recommend you make the disk storage twice size of the protected data. This assumes a daily recovery point size that's 10% of the protected data size and a 10 days retention range. To get a good estimate of size, review the [DPM Capacity Planner](https://www.microsoft.com/download/details.aspx?id=54301).
+ Capacity requirements for disk storage depend primarily on the size of the protected data, the daily recovery point size, expected volume data growth rate, and retention range objectives. We recommend you make the disk storage twice size of the protected data. This assumes a daily recovery point size that's 10% of the protected data size and a 10 days retention range. To get a good estimate of size, review the [DPM Capacity Planner](https://www.microsoft.com/download/details.aspx?id=54301).
5. Provide a strong password for restricted local user accounts and select **Next**.
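Review bot: The added line fixes "depends" to "depend" but leaves two errors in the same paragraph: "twice size of the protected data" and "a 10 days retention range". Suggest "twice the size of the protected data" and "a 10-day retention range" in the same commit.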
Here are the steps if you need to move MABS to a new server, while retaining the
7. Restore the DPMDB taken in step 1. 8. Attach the storage from the original backup server to the new server. 9. From SQL, restore the DPMDB.
-10. Run CMD (as an administrator) on the new server. Go to the Microsoft Azure Backup install location and bin folder
+10. Run CMD (as an administrator) on the new server. Go to the Microsoft Azure Backup install location and bin folder.
Path example: `C:\windows\system32>cd "c:\Program Files\Microsoft Azure Backup\DPM\DPM\bin\"`
-11. To connect to Azure Backup, run `DPMSYNC -SYNC`
+11. To connect to Azure Backup, run `DPMSYNC -SYNC`.
If you've added **new** disks to the DPM Storage pool instead of moving the old ones, then run `DPMSYNC -Reallocatereplica`.
Use the following steps to upgrade MABS:
## Troubleshooting If Microsoft Azure Backup server fails with errors during the setup phase (or backup or restore), refer to this [error codes document](https://support.microsoft.com/kb/3041338) for more information.
-You can also refer to [Azure Backup related FAQs](backup-azure-backup-faq.yml)
+
+You can also refer to [Azure Backup related FAQs](backup-azure-backup-faq.yml).
## Next steps
backup Backup Azure Vms Introduction https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-azure-vms-introduction.md
Azure Backup also has specialized offerings for database workloads like [SQL Ser
Here's how Azure Backup completes a backup for Azure VMs:
-1. For Azure VMs that are selected for backup, Azure Backup starts a backup job according to the backup schedule you specify.
-1. During the first backup, a backup extension is installed on the VM if the VM is running.
- - For Windows VMs, the [VMSnapshot extension](../virtual-machines/extensions/vmsnapshot-windows.md) is installed.
- - For Linux VMs, the [VMSnapshotLinux extension](../virtual-machines/extensions/vmsnapshot-linux.md) is installed.
-1. For Windows VMs that are running, Backup coordinates with Windows Volume Shadow Copy Service (VSS) to take an app-consistent snapshot of the VM.
- - By default, Backup takes full VSS backups.
- - If Backup can't take an app-consistent snapshot, then it takes a file-consistent snapshot of the underlying storage (because no application writes occur while the VM is stopped).
-1. For Linux VMs, Backup takes a file-consistent backup. For app-consistent snapshots, you need to manually customize pre/post scripts.
-1. After Backup takes the snapshot, it transfers the data to the vault.
- - The backup is optimized by backing up each VM disk in parallel.
- - For each disk that's being backed up, Azure Backup reads the blocks on the disk and identifies and transfers only the data blocks that changed (the delta) since the previous backup.
- - Snapshot data might not be immediately copied to the vault. It might take some hours at peak times. Total backup time for a VM will be less than 24 hours for daily backup policies.
-1. Changes made to a Windows VM after Azure Backup is enabled on it are:
- - Microsoft Visual C++ 2013 Redistributable(x64) - 12.0.40660 is installed in the VM
- - Startup type of Volume Shadow Copy service (VSS) changed to automatic from manual
- - IaaSVmProvider Windows service is added
-
-1. When the data transfer is complete, the snapshot is removed, and a recovery point is created.
-
-![Azure virtual machine backup architecture](./media/backup-azure-vms-introduction/vmbackup-architecture.png)
## Encryption of Azure VM backups
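Review bot: The lead-in "Here's how Azure Backup completes a backup for Azure VMs:" is now followed directly by the "## Encryption of Azure VM backups" heading in the lines shown, so it introduces nothing. The removed list also contained the only description of what enabling backup changes on a Windows VM (Visual C++ 2013 Redistributable 12.0.40660 installed, the VSS startup type changed from manual to automatic, the IaaSVmProvider service added). Administrators use that item to explain new software and services on a baselined host. If the steps moved to an include, reference it after the lead-in and make sure that item is carried over.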
backup Encryption At Rest With Cmk https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/encryption-at-rest-with-cmk.md
Title: Encryption of backup data using customer-managed keys description: Learn how Azure Backup allows you to encrypt your backup data using customer-managed keys (CMK). Previously updated : 04/01/2021 Last updated : 04/19/2021 # Encryption of backup data using customer-managed keys
This article discusses the following:
>Use Az module 5.3.0 or greater to use customer managed keys for backups in the Recovery Services vault. >[!Warning]
- >If you are using PowerShell for managing encryption keys for Backup, we do not recommend to update the keys from the portal.<br></br>If you update the key from the portal, you canΓÇÖt use PowerShell to update the encryption key further, till a PowerShell update to support the new model is available. However, you can continue updating the key from the Azure portal.
+ >If you are using PowerShell for managing encryption keys for Backup, we do not recommend to update the keys from the portal.<br>If you update the key from the portal, you canΓÇÖt use PowerShell to update the encryption key further, till a PowerShell update to support the new model is available. However, you can continue updating the key from the Azure portal.
If you haven't created and configured your Recovery Services vault, you can [read how to do so here](backup-create-rs-vault.md).
Using the **Select from Key Vault** option helps to enable auto-rotation for the
- Key version update may take up to an hour to take effect. - When a new version of the key takes effect, the old version should also be available (in enabled state) for at least one subsequent backup job after the key update has taken effect.
+### Using Azure Policies for auditing and enforcing encryption utilizing customer-managed keys (in preview)
+
+Azure Backup allows you to use Azure Polices to audit and enforce encryption, using customer-managed keys, of data in the Recovery Services vault. Using the Azure Policies:
+
+- The audit policy can be used for auditing vaults with encryption using customer-managed keys that are enabled after 04/01/2021. For vaults with the CMK encryption enabled before this date, the policy may fail to apply or may show false negative results (that is, these vaults may be reported as non-compliant, despite having **CMK encryption** enabled).
+- To use the audit policy for auditing vaults with **CMK encryption** enabled before 04/01/2021, use the Azure portal to update an encryption key. This helps to upgrade to the new model. If you do not want to change the encryption key, provide the same key again through the key URI or the key selection option.
+
+ >[!Warning]
+ >If you are using PowerShell for managing encryption keys for Backup, we do not recommend to update the keys from the portal.<br>If you update the key from the portal, you canΓÇÖt use PowerShell to update the encryption key further, till a PowerShell update to support the new model is available. However, you can continue updating the key from the Azure portal.
+ ## Frequently asked questions ### Can I encrypt an existing Backup vault with customer-managed keys?
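Review bot: The second bullet tells owners of vaults with CMK encryption enabled before 04/01/2021 to update the encryption key in the Azure portal, while the warning directly below says that doing so stops PowerShell from updating the key "till a PowerShell update to support the new model is available". The bullet should state that cost itself, so a reader who stops at the list does not miss it. Also, "Azure Polices" in the first sentence should be "Azure Policies", and the warning block repeats the one added earlier in the same article word for word, so consider linking to the first occurrence instead.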
backup Sql Support Matrix https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/sql-support-matrix.md
Copy-Only Full | Secondary
Azure Backup supports a consistent data transfer rate of 200 Mbps for full and differential backups of large SQL databases (of 500 GB). To utilize the optimum performance, ensure that: -- The underlying VM (containing the SQL Server instance, which hosts the database) is configured with the required network throughput. If the maximum throughput of the VM is less than 200 Mbps, Azure Backup canΓÇÖt transfer data at the optimum speed.<br></br>Also, the disk that contains the database files must have enough throughput provisioned. [Learn more](../virtual-machines/disks-performance.md) about disk throughput and performance in Azure VMs.
+- The underlying VM (containing the SQL Server instance, which hosts the database) is configured with the required network throughput. If the maximum throughput of the VM is less than 200 Mbps, Azure Backup canΓÇÖt transfer data at the optimum speed.<br>Also, the disk that contains the database files must have enough throughput provisioned. [Learn more](../virtual-machines/disks-performance.md) about disk throughput and performance in Azure VMs.
- Processes, which are running in the VM, are not consuming the VM bandwidth. - The backup schedules are spread across a subset of databases. Multiple backups running concurrently on a VM shares the network consumption rate between the backups. [Learn more](faq-backup-sql-server.yml#can-i-control-how-many-concurrent-backups-run-on-the-sql-server-) about how to control the number of concurrent backups.
baremetal-infrastructure Know Baremetal Terms https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/baremetal-infrastructure/know-baremetal-terms.md
Last updated 04/06/2021
In this article, we'll cover some important terms related to the BareMetal Infrastructure. -- **Revision**: There's an original stamp revision known as Revision 3 (Rev 3), and two additional stamp revisions for BareMetal instance stamps. Each stamp differs in architecture and proximity to Azure virtual machine hosts:
- - **Revision 4** (Rev 4): A newer design that provides closer proximity to the Azure virtual machine (VM) hosts and lowers the latency between Azure VMs and SAP HANA instances.
- - **Revision 4.2** (Rev 4.2): The latest rebranded BareMetal Infrastructure using the existing Rev 4 architecture. Rev 4 provides closer proximity to the Azure virtual machine (VM) hosts. It has significant improvements in network latency between Azure VMs and BareMetal instances deployed in Rev 4 stamps or rows. You can access and manage your BareMetal instances through the Azure portal.
+- **Revision**: There are two different stamp revisions for BareMetal Infrastructure (HANA Large Instance) stamps. These differ in architecture and proximity to Azure virtual machine hosts:
+ - "Revision 3" (Rev 3): The original design deployed mid-2016.
+ - "Revision 4.2" (Rev 4.2): A new design that provides closer proximity to Azure virtual machine hosts, with ultra-low network latency between Azure VMs and HANA Large Instances. Resources in the Azure portal are referred to as "BareMetal Infrastructure," and customers can access their resources as BareMetal instances from the Azure portal.
- **Stamp**: Defines the Microsoft internal deployment size of BareMetal instances. Before instances can be deployed, a BareMetal instance stamp consisting of compute, network, and storage racks must be deployed in a datacenter location. Such a deployment is called a BareMetal instance stamp.
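Review bot: The new **Revision** entry says there are "two different stamp revisions" and lists Rev 3 and Rev 4.2, but the removed text described Rev 4.2 as "using the existing Rev 4 architecture", and Rev 4 itself is no longer mentioned. Readers with instances on Rev 4 stamps have no term to map to. Add a sentence saying how Rev 4 relates to Rev 4.2. The revision names also switch from bold to straight quotes while **Revision** and **Stamp** stay bold, so keep one convention for defined terms.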
batch Disk Encryption https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/batch/disk-encryption.md Binary files differ
cloud-services-extended-support Deploy Powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cloud-services-extended-support/deploy-powershell.md
Review the [deployment prerequisites](deploy-prerequisite.md) for Cloud Services
$virtualNetwork = New-AzVirtualNetwork -Name ΓÇ£ContosoVNetΓÇ¥ -Location ΓÇ£East USΓÇ¥ -ResourceGroupName ΓÇ£ContosOrgΓÇ¥ -AddressPrefix "10.0.0.0/24" -Subnet $subnet ```
-7. Create a public IP address and set the DNS label property of the public IP address. Cloud Services (extended support) only supports [Basic] (https://docs.microsoft.com/azure/virtual-network/public-ip-addresses#basic) SKU Public IP addresses. Standard SKU Public IPs do not work with Cloud Services.
+7. Create a public IP address and set the DNS label property of the public IP address. Cloud Services (extended support) only supports [Basic](https://docs.microsoft.com/azure/virtual-network/public-ip-addresses#basic) SKU Public IP addresses. Standard SKU Public IPs do not work with Cloud Services.
If you are using a Static IP you need to reference it as a Reserved IP in Service Configuration (.cscfg) file ```powershell
cloud-services-extended-support Schema Cscfg Networkconfiguration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cloud-services-extended-support/schema-cscfg-networkconfiguration.md
The following table describes the child elements of the `NetworkConfiguration` e
| VirtualNetworkSite | Optional. Specifies the name of the Virtual Network site in which you want deploy your Cloud Service. This setting does not create a Virtual Network Site. It references a site that has been previously defined in the network file for your Virtual Network. A Cloud Service can only be a member of one Virtual Network. If you do not specify this setting, the Cloud Service will not be deployed to a Virtual Network. The name of the Virtual Network site is defined by a string for the `name` attribute.| | InstanceAddress | Optional. Specifies the association of a role to a subnet or set of subnets in the Virtual Network. When you associate a role name to an instance address, you can specify the subnets to which you want this role to be associated. The `InstanceAddress` contains a Subnets element. The name of the role that is associated with the subnet or subnets is defined by a string for the `roleName` attribute.| | Subnet | Optional. Specifies the subnet that corresponds to the subnet name in the network configuration file. The name of the subnet is defined by a string for the `name` attribute.|
-| ReservedIP | Optional. Specifies the reserved IP address that should be associated with the deployment. You must use Create Reserved IP Address to create the reserved IP address. Each deployment in a Cloud Service can be associated with one reserved IP address. The name of the reserved IP address is defined by a string for the `name` attribute.|
+| ReservedIP | Optional. Specifies the reserved IP address that should be associated with the deployment. The allocation method for a reserved IP needs to be specified as `Static` for template and powershell deployments. Each deployment in a Cloud Service can be associated with only one reserved IP address. The name of the reserved IP address is defined by a string for the `name` attribute.|
## See also
-[Cloud Service (extended support) Configuration Schema](schema-cscfg-file.md).
+[Cloud Service (extended support) Configuration Schema](schema-cscfg-file.md).
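Review bot: The updated ReservedIP row removes "You must use Create Reserved IP Address to create the reserved IP address" and gives no replacement for how the address is created. It says the allocation method must be `Static` but not where that is set. Name the resource or property that carries the allocation method, or link to the deployment article that shows it. "powershell" in the same cell should be "PowerShell".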
cognitive-services Client Library https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Computer-vision/quickstarts-sdk/client-library.md
Previously updated : 03/21/2020 Last updated : 03/29/2021 zone_pivot_groups: programming-languages-computer-vision
cognitive-services Image Analysis Client Library https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Computer-vision/quickstarts-sdk/image-analysis-client-library.md
Previously updated : 03/21/2020 Last updated : 03/29/2021 zone_pivot_groups: programming-languages-computer-vision
cognitive-services Client Libraries https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Content-Moderator/client-libraries.md
zone_pivot_groups: programming-languages-set-conmod
Previously updated : 12/15/2020 Last updated : 04/19/2021 keywords: content moderator, azure content moderator, online moderator, content filtering software
cognitive-services Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Content-Moderator/overview.md
Previously updated : 12/15/2020 Last updated : 04/16/2021 keywords: content moderator, azure content moderator, online moderator, content filtering software, content moderation service, content moderation
cognitive-services Whats New https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Content-Moderator/whats-new.md
Previously updated : 11/23/2020 Last updated : 04/19/2021 # What's new in Content Moderator
-Learn what's new in the service. These items may release notes, videos, blog posts, and other types of information. Bookmark this page to keep up-to-date with the service.
+Learn what's new in the service. These items may be release notes, videos, blog posts, and other types of information. Bookmark this page to stay up to date with the service.
## August 2020
cognitive-services Image Classification https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Custom-Vision-Service/quickstarts/image-classification.md
Previously updated : 02/25/2021 Last updated : 04/19/2021 keywords: custom vision, image recognition, image recognition app, image analysis, image recognition software zone_pivot_groups: programming-languages-set-cusvis
cognitive-services Object Detection https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Custom-Vision-Service/quickstarts/object-detection.md
Previously updated : 02/25/2021 Last updated : 04/19/2021 keywords: custom vision zone_pivot_groups: programming-languages-set-one
cognitive-services Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Face/Overview.md
Previously updated : 11/23/2020 Last updated : 04/19/2021 keywords: facial recognition, facial recognition software, facial analysis, face matching, face recognition app, face search by image, facial recognition search
For more information about person identification, see the [Facial recognition](c
## Find similar faces
-The Find Similar API does face matching between target face and a set of candidate faces, finding a smaller set of faces that look similar to the target face. This is useful for doing a face search by image.
+The Find Similar API does face matching between target face and a set of candidate faces, finding a smaller set of faces that look similar to the target face. This operation is useful for doing a face search by image.
Two working modes, **matchPerson** and **matchFace**, are supported. The **matchPerson** mode returns similar faces after filtering for the same person by using the [Verify API](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f3039523a). The **matchFace** mode ignores the same-person filter. It returns a list of similar candidate faces that may or may not belong to the same person.
cognitive-services Enrollment Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Face/enrollment-overview.md
Previously updated : 11/17/2020 Last updated : 04/19/2021 # Best practices for adding users to a Face service
-In order to use the Cognitive Services Face API for face verification or identification, you need to enroll faces into a **LargePersonGroup**. This deep-dive demonstrates best practices for gathering meaningful consent from users as well as example logic to create high-quality enrollments that will optimize recognition accuracy.
+In order to use the Cognitive Services Face API for face verification or identification, you need to enroll faces into a **LargePersonGroup** or similar data structure. This deep-dive demonstrates best practices for gathering meaningful consent from users and example logic to create high-quality enrollments that will optimize recognition accuracy.
## Meaningful consent
Before you design an enrollment flow, think about how the application you're bui
|Category | Recommendations | ||| |Hardware | Consider the camera quality of the enrollment device. |
-|Recommended enrollment features | Include a log-on step with multi-factor authentication.</br></br>Link user information like an alias or identification number with their face template ID from the Face API (known as person ID). This mapping is necessary to retrieve and manage a user's enrollment. Note: person ID should be treated as a secret in the application.</br></br>Set up an automated process to delete all enrollment data, including the face templates and enrollment photos of people who are no longer users of facial recognition technology, such as former employees.</br></br>Avoid auto-enrollment, as it does not give the user the awareness, understanding, freedom of choice, or control that is recommended for obtaining consent. </br></br>Ask users for permission to save the images used for enrollment. This is useful when there is a model update since new enrollment photos will be required to re-enroll in the new model about every 10 months. If the original images aren't saved, users will need to go through the enrollment process from the beginning.</br></br>Allow users to opt out of storing photos in the system. To make the choice clearer, you can add a second consent request screen for saving the enrollment photos. </br></br>If photos are saved, create an automated process to re-enroll all users when there is a model update. Those who saved their enrollment photos will not have to enroll themselves again. </br></br>Create an app feature that allows designated administrators to override certain quality filters if a user has trouble enrolling. |
-|Security | Cognitive Services follow [best practices](../cognitive-services-virtual-networks.md?tabs=portal) for encrypting user data at rest and in transit. The following are additional practices that can help uphold the security promises you make to users during the enrollment experience. </br></br>Take security measures to ensure that no one has access to the person ID at any point during enrollment. Note: PersonID should be treated as a secret in the enrollment system. </br></br>Use [role-based access control](../../role-based-access-control/overview.md) with Cognitive Services. </br></br>Use token-based authentication and/or shared access signatures (SAS) over keys and secrets to access resources like databases. By using request or SAS tokens, you can grant limited access to data without compromising your account keys, and you can specify an expiry time on the token. </br></br>Never store any secrets, keys, or passwords in your app. |
+|Recommended enrollment features | Include a log-on step with multi-factor authentication. </br></br>Link user information like an alias or identification number with their face template ID from the Face API (known as person ID). This mapping is necessary to retrieve and manage a user's enrollment. Note: person ID should be treated as a secret in the application.</br></br>Set up an automated process to delete all enrollment data, including the face templates and enrollment photos of people who are no longer users of facial recognition technology, such as former employees. </br></br>Avoid auto-enrollment, as it does not give the user the awareness, understanding, freedom of choice, or control that is recommended for obtaining consent. </br></br>Ask users for permission to save the images used for enrollment. This is useful when there is a model update since new enrollment photos will be required to re-enroll in the new model about every 10 months. If the original images aren't saved, users will need to go through the enrollment process from the beginning.</br></br>Allow users to opt out of storing photos in the system. To make the choice clearer, you can add a second consent request screen for saving the enrollment photos. </br></br>If photos are saved, create an automated process to re-enroll all users when there is a model update. Users who saved their enrollment photos will not have to enroll themselves again. </br></br>Create an app feature that allows designated administrators to override certain quality filters if a user has trouble enrolling. |
+|Security | Cognitive Services follow [best practices](../cognitive-services-virtual-networks.md?tabs=portal) for encrypting user data at rest and in transit. The following are other practices that can help uphold the security promises you make to users during the enrollment experience. </br></br>Take security measures to ensure that no one has access to the person ID at any point during enrollment. Note: PersonID should be treated as a secret in the enrollment system. </br></br>Use [role-based access control](../../role-based-access-control/overview.md) with Cognitive Services. </br></br>Use token-based authentication and/or shared access signatures (SAS) over keys and secrets to access resources like databases. By using request or SAS tokens, you can grant limited access to data without compromising your account keys, and you can specify an expiry time on the token. </br></br>Never store any secrets, keys, or passwords in your app. |
|User privacy |Provide a range of enrollment options to address different levels of privacy concerns. Do not mandate that people use their personal devices to enroll into a facial recognition system. </br></br>Allow users to re-enroll, revoke consent, and delete data from the enrollment application at any time and for any reason. | |Accessibility |Follow accessibility standards (for example, [ADA](https://www.ada.gov/regs2010/2010ADAStandards/2010ADAstandards.htm) or [W3C](https://www.w3.org/TR/WCAG21/)) to ensure the application is usable by people with mobility or visual impairments. |
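Review bot: In the Security row, the "best practices" link is described as covering encryption of user data at rest and in transit, but it still targets `../cognitive-services-virtual-networks.md`, which by its file name is the virtual networks article. Point it at an article that documents encryption, or reword the sentence to match the link. The same row ends with "Never store any secrets, keys, or passwords in your app" without saying where they should live instead; name the intended store, for example Azure Key Vault. The identifier is also spelled "person ID" in the enrollment-features row and "PersonID" in this row; pick one spelling.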
cognitive-services How To Custom Commands Send Activity To Client https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/how-to-custom-commands-send-activity-to-client.md
connector.ActivityReceived += async (sender, activityReceivedEventArgs) =>
## Next steps > [!div class="nextstepaction"]
-> [How to: set up web endpoints (Preview)](./how-to-custom-commands-setup-web-endpoints.md)
+> [How to: set up web endpoints](./how-to-custom-commands-setup-web-endpoints.md)
cognitive-services How To Custom Commands Setup Web Endpoints https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/how-to-custom-commands-setup-web-endpoints.md
Title: 'Set up web endpoints (Preview)'
+ Title: 'Set up web endpoints'
-description: set up web endpoints for custom commands
+description: set up web endpoints for Custom Commands
In this article, you will learn how to setup web endpoints in a Custom Commands
> * [Visual Studio 2019](https://visualstudio.microsoft.com/downloads/) > * An Azure subscription key for Speech service: [Get one for free](overview.md#try-the-speech-service-for-free) or create it on the [Azure portal](https://portal.azure.com)
-> * A previously [created Custom Commands app](quickstart-custom-commands-application.md)
-> * A Speech SDK enabled client app:
-[How-to: end activity to client application](./how-to-custom-commands-setup-speech-sdk.md)
+> * A Custom Commands app (see [Create a voice assistant using Custom Commands](quickstart-custom-commands-application.md))
+> * A Speech SDK enabled client app (see [Integrate with a client application using Speech SDK](how-to-custom-commands-setup-speech-sdk.md))
-## Deploy an external web endpoint using Azure Function App
+## Deploy an external web endpoint using Azure Function app
-* For the sake of this tutorial, you need an HTTP endpoint which maintains states for all the devices which you set up in the **TurnOnOff** command of your custom commands application.
+For this tutorial, you need an HTTP endpoint that maintains states for all the devices you set up in the **TurnOnOff** command of your Custom Commands application.
-* If you already have a web endpoint you want to call, skip to the [next section](#setup-web-endpoints-in-custom-commands). Alternatively, in the next section, we have provided you with a default hosted web endpoint which you can use if you want to skip this section.
+If you already have a web endpoint you want to call, skip to the [next section](#setup-web-endpoints-in-custom-commands).
+Alternatively, the next section provides details about a default hosted web endpoint you can use if you want to skip this section.
-### Input format of Azure Function
-* Next, you will deploy an endpoint using [Azure Functions](../../azure-functions/index.yml).
-The following is the general format of an Custom Commands event that is passed to your Azure function. Use this information when you're writing you function app.
+### Input format of Azure function
- ```json
- {
- "conversationId": "string",
- "currentCommand": {
- "name": "string",
- "parameters": {
- "SomeParameterName": "string",
- "SomeOtherParameterName": "string"
- }
- },
- "currentGlobalParameters": {
- "SomeGlobalParameterName": "string",
- "SomeOtherGlobalParameterName": "string"
- }
+Next, you will deploy an endpoint using [Azure Functions](../../azure-functions/index.yml).
+The following is the format of a Custom Commands event that is passed to your Azure function. Use this information when you're writing your Azure Function app.
+
+```json
+{
+ "conversationId": "string",
+ "currentCommand": {
+ "name": "string",
+ "parameters": {
+ "SomeParameterName": "string",
+ "SomeOtherParameterName": "string"
}
- ```
+ },
+ "currentGlobalParameters": {
+ "SomeGlobalParameterName": "string",
+ "SomeOtherGlobalParameterName": "string"
+ }
+}
+```
-* Let's review the key attributes of this input:
+The following table describes the key attributes of this input:
- | Attribute | Explanation |
- | - | |
- | **conversationId** | The unique identifier of the conversation. Note that this ID can be generated from the client app. |
- | **currentCommand** | The command that's currently active in the conversation. |
- | **name** | The name of the command. The `parameters` attribute is a map with the current values of the parameters. |
- | **currentGlobalParameters** | A map like `parameters`, but used for global parameters. |
+| Attribute | Explanation |
+| - | |
+| **conversationId** | The unique identifier of the conversation. Note that this ID can be generated by the client app. |
+| **currentCommand** | The command that's currently active in the conversation. |
+| **name** | The name of the command. The `parameters` attribute is a map with the current values of the parameters. |
+| **currentGlobalParameters** | A map like `parameters`, but used for global parameters. |
-* For the **DeviceState** Azure Function, an example Custom Commands event will look like following. This will act as an **input** to the function app.
+For the **DeviceState** Azure Function, an example Custom Commands event will look like following. This will act as an **input** to the function app.
- ```json
- {
- "conversationId": "someConversationId",
- "currentCommand": {
- "name": "TurnOnOff",
- "parameters": {
- "item": "tv",
- "value": "on"
- }
- }
+```json
+{
+ "conversationId": "someConversationId",
+ "currentCommand": {
+ "name": "TurnOnOff",
+ "parameters": {
+ "item": "tv",
+ "value": "on"
}
- ```
+ }
+}
+```
-### Output format of Azure Function
+### Azure Function output for a Custom Command app
-#### Output consumed by a Custom Commands application
-In this case you can set the output format must adhere to the following format. Follow [Update a command from a web endpoint](./how-to-custom-commands-update-command-from-web-endpoint.md) for more details.
+If output from your Azure Function is consumed by a Custom Commands app, it should appear in the following format. See [Update a command from a web endpoint](./how-to-custom-commands-update-command-from-web-endpoint.md) for details.
```json {
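Review bot: The **conversationId** row says the ID "can be generated by the client app", but the section never tells function authors to treat it, or the values in `parameters`, as caller-supplied input. Add a sentence saying the function should validate these fields before acting on them or writing device state. In the added **DeviceState** paragraph, "will look like following" is missing "the".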
In this case you can set the output format must adhere to the following format.
} ```
-#### Output consumed by a client application
-In this case you can set the output format to suit your client's need.
-* For our **DeviceState** endpoint, output of the Azure function is consumed by a client application instead of the Custom Commands application. Example **output** of the Azure function should like following:
+### Azure Function output for a client application
+
+If output from your Azure Function is consumed by a client application, the output can take whatever form the client application requires.
+
+For our **DeviceState** endpoint, output of your Azure function is consumed by a client application instead of the Custom Commands application. Example output of the Azure function should look like the following:
- ```json
- {
- "TV": "on",
- "Fan": "off"
- }
- ```
+```json
+{
+ "TV": "on",
+ "Fan": "off"
+}
+```
-* Also, this output should be written to an external storage, so that you can accordingly maintain the state of devices. The external storage state will be used in the [Integrate with client application section](#integrate-with-client-application).
+This output should be written to an external storage, so that you can maintain the state of devices. The external storage state will be used in the [Integrate with client application](#integrate-with-client-application) section below.
-### Host Azure Function
+### Deploy Azure function
-1. Create table storage account to save device state.
- 1. Go to Azure portal and create a new resource of type **Storage account** by name **devicestate**.
- 1. Copy the **Connection string** value from **devicestate -> Access keys**.
- 1. You will need to add this string to the downloaded sample Function App code.
- 1. Download sample [Function App code](https://aka.ms/speech/cc-function-app-sample).
- 1. Open the downloaded solution in VS 2019. In file **Connections.json**, replace **STORAGE_ACCOUNT_SECRET_CONNECTION_STRING** value to the copied secret from *step a*.
+We provide a sample you can configure and deploy as an Azure Functions app. To create a storage account for our sample, follow these steps.
+
+1. Create table storage to save device state. In the Azure portal, create a new resource of type **Storage account** by name **devicestate**.
+1. Copy the **Connection string** value from **devicestate -> Access keys**. You will need to add this string secret to the downloaded sample Function App code.
+1. Download sample [Function App code](https://github.com/Azure-Samples/Cognitive-Services-Voice-Assistant/tree/main/custom-commands/quick-start).
+1. Open the downloaded solution in Visual Studio 2019. In **Connections.json**, replace **STORAGE_ACCOUNT_SECRET_CONNECTION_STRING** with the secret from Step 2.
1. Download the **DeviceStateAzureFunction** code.
-1. [Deploy](../../azure-functions/index.yml) the Functions App to Azure.
-
- 1. Wait for deployment to succeed and go the deployed resource on the Azure portal.
- 1. Select **Functions** in the left pane, and then select **DeviceState**.
- 1. In the new window, select **Code + Test** and then select **Get function URL**.
+
+To deploy the sample app to Azure Functions, follow these steps.
+
+1. [Deploy](../../azure-functions/index.yml) the Azure Functions app.
+1. Wait for deployment to succeed and go the deployed resource on the Azure portal.
+1. Select **Functions** in the left pane, and then select **DeviceState**.
+1. In the new window, select **Code + Test** and then select **Get function URL**.
## Setup web endpoints in Custom Commands+ Let's hook up the Azure function with the existing Custom Commands application.
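Review bot: Step 4 of the storage setup has the reader paste the storage account connection string from **Access keys** into **Connections.json** inside the solution, and nothing in the steps says to keep that file out of source control. An account connection string grants full access to the storage account, so add a sentence saying the file must not be committed, or move the value into the Function app's application settings. In the deploy steps, "go the deployed resource" is missing "to".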
-In this section, you will use an existing default **DeviceState** endpoint. If you created your own web-endpoint using Azure Function or otherwise, use that instead of the default https://webendpointexample.azurewebsites.net/api/DeviceState.
+In this section, you will use an existing default **DeviceState** endpoint. If you created your own web endpoint using Azure Function or otherwise, use that instead of the default `https://webendpointexample.azurewebsites.net/api/DeviceState`.
1. Open the Custom Commands application you previously created.
-1. Go to "Web endpoints", click "New web endpoint".
+1. Go to **Web endpoints**, click **New web endpoint**.
> [!div class="mx-imgBorder"] > ![New web endpoint](media/custom-commands/setup-web-endpoint-new-endpoint.png)
In this section, you will use an existing default **DeviceState** endpoint. If y
| Headers | Key: app, Value: take the first 8 digits of your applicationId | The header parameters to include in the request header.| > [!NOTE]
- > - The example web endpoint created using [Azure function](../../azure-functions/index.yml), which hooks up with the database that saves the device state of the tv and fan
- > - The suggested header is only needed for the example endpoint
- > - To make sure the value of the header is unique in our example endpoint, take the first 8 digits of your applicationId
- > - In real world, the web endpoint can be the endpoint to the [IOT hub](../../iot-hub/about-iot-hub.md) that manages your devices
+ > - The example web endpoint created using [Azure Functions](../../azure-functions/index.yml), which hooks up with the database that saves the device state of the tv and fan.
+ > - The suggested header is only needed for the example endpoint.
+ > - To make sure the value of the header is unique in our example endpoint, take the first 8 digits of your **applicationId**.
+ > - In real world, the web endpoint can be the endpoint to the [IOT hub](../../iot-hub/about-iot-hub.md) that manages your devices.
1. Click **Save**.
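Review bot: The first bullet of the rewritten note, "The example web endpoint created using [Azure Functions] ..., which hooks up with the database ...", is a sentence fragment with no main verb; "is created using" fixes it. The bullets present the `app` header only as a way to keep values unique on the shared example endpoint, so state that it is not an access control and that a production endpoint should authenticate its callers. "In real world" needs "the", and the product name is written "IoT Hub".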
In this section, you will use an existing default **DeviceState** endpoint. If y
> - Within our example endpoint, we send back http response with detailed error messages for common errors such as missing header parameters. ### Try it out in test portal-- On Success response\
-Save, train and test
+- On Success response, save, train and test.
> [!div class="mx-imgBorder"] > ![Screenshot that shows the On Success response.](media/custom-commands/setup-web-endpoint-on-success-response.png)-- On Fail response\
-Remove one of the query parameters, save, retrain, and test
+- On Fail response, remove one of the query parameters, save, retrain, and test.
> [!div class="mx-imgBorder"] > ![Call web endpoints action On Success](media/custom-commands/setup-web-endpoint-on-fail-response.png) ## Integrate with client application
-In [How-to: Send activity to client application](./how-to-custom-commands-send-activity-to-client.md), you added a **Send activity to client** action. The activity is sent to the client application whether or not **Call web endpoint** action is successful or not.
-However, in most of the cases you only want to send activity to the client application when the call to the web endpoint is successful. In this example, this is when the device's state is successfully updated.
+In [Send Custom Commands activity to client application](./how-to-custom-commands-send-activity-to-client.md), you added a **Send activity to client** action. The activity is sent to the client application whether or not **Call web endpoint** action is successful or not.
+However, typically you only want to send activity to the client application when the call to the web endpoint is successful. In this example, this is when the device's state is successfully updated.
1. Delete the **Send activity to client** action you previously added. 1. Edit call web endpoint:
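Review bot: The rewritten sentence keeps the doubled condition "whether or not **Call web endpoint** action is successful or not"; drop the trailing "or not" and add "the" before **Call web endpoint**. In the next added line, "you only want to send activity to the client application when" reads more precisely as "you want to send the activity to the client application only when".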
However, in most of the cases you only want to send activity to the client appli
} } ```
-Now you only send activity to client when the request to web endpoint is successful.
+Now you only send activity to the client when the request to the web endpoint is successful.
### Create visuals for syncing device state
-Add the following XML to `MainPage.xaml` above the `"EnableMicrophoneButton"` block.
+
+Add the following XML to `MainPage.xaml` above the **EnableMicrophoneButton** block.
```xml <Button x:Name="SyncDeviceStateButton" Content="Sync Device State"
Add the following XML to `MainPage.xaml` above the `"EnableMicrophoneButton"` bl
### Sync device state
-In `MainPage.xaml.cs`, add the reference `using Windows.Web.Http;`. Add the following code to the `MainPage` class. This method will send a GET request to the example endpoint, and extract the current device state for your app. Make sure to change `<your_app_name>` to what you used in the **header** in Custom Command Web endpoint
+In `MainPage.xaml.cs`, add the reference `using Windows.Web.Http;`. Add the following code to the `MainPage` class. This method will send a GET request to the example endpoint, and extract the current device state for your app. Make sure to change `<your_app_name>` to what you used in the **header** in Custom Command web endpoint.
```C# private async void SyncDeviceState_ButtonClicked(object sender, RoutedEventArgs e)
private async void SyncDeviceState_ButtonClicked(object sender, RoutedEventArgs
## Try it out
-1. Start the application
+1. Start the application.
1. Click Sync Device State.\
-If you tested out the app with `turn on tv` in previous section, you would see the TV shows as "on".
+If you tested out the app with `turn on tv` in previous section, you would see the TV shows as **on**.
> [!div class="mx-imgBorder"] > ![Sync device state](media/custom-commands/setup-web-endpoint-sync-device-state.png)
-1. Select Enable microphone
-1. Select the Talk button
-1. Say `turn on the fan`
-1. The visual state of the fan should change to "on"
+1. Select **Enable microphone**.
+1. Select the **Talk** button.
+1. Say `turn on the fan`. The visual state of the fan should change to **on**.
> [!div class="mx-imgBorder"] > ![Turn on fan](media/custom-commands/setup-web-endpoint-turn-on-fan.png)
If you tested out the app with `turn on tv` in previous section, you would see t
> [!div class="nextstepaction"] > [Export Custom Commands application as a remote skill](./how-to-custom-commands-integrate-remote-skills.md)-
cognitive-services How To Use Codec Compressed Audio Input Streams https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/how-to-use-codec-compressed-audio-input-streams.md
zone_pivot_groups: programming-languages-set-twenty-two
# Use codec compressed audio input with the Speech SDK
-The Speech service SDK **Compressed Audio Input Stream** API provides a way to stream compressed audio to the Speech service using either a `PullStream` or `PushStream`.
+The Speech service SDK provides a way to directly send compressed audio formats to the Speech service using either a `PullStream` or `PushStream` (neither approach streams directly to the back end, a raw PCM is still sent to the service).
Platform | Languages | Supported GStreamer version | : | : | ::
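Review bot: The new opening sentence says the SDK can "directly send compressed audio formats to the Speech service" and then says in the parenthesis that "a raw PCM is still sent to the service", which contradicts the first half. Say where the decoding happens, for example that the SDK decodes the compressed input before sending PCM if that is the intent, and turn the comma-spliced parenthetical into its own sentence.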
cognitive-services Rest Text To Speech https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/rest-text-to-speech.md
This table lists required and optional headers for text-to-speech requests.
This is a list of supported audio formats that are sent in each request as the `X-Microsoft-OutputFormat` header. Each incorporates a bitrate and encoding type. The Speech service supports 24 kHz, 16 kHz, and 8 kHz audio outputs. ```output
-raw-16khz-16bit-mono-pcm raw-8khz-8bit-mono-mulaw
-riff-8khz-8bit-mono-alaw riff-8khz-8bit-mono-mulaw
-riff-16khz-16bit-mono-pcm audio-16khz-128kbitrate-mono-mp3
-audio-16khz-64kbitrate-mono-mp3 audio-16khz-32kbitrate-mono-mp3
+raw-16khz-16bit-mono-pcm riff-16khz-16bit-mono-pcm
raw-24khz-16bit-mono-pcm riff-24khz-16bit-mono-pcm
-audio-24khz-160kbitrate-mono-mp3 audio-24khz-96kbitrate-mono-mp3
-audio-24khz-48kbitrate-mono-mp3 ogg-24khz-16bit-mono-opus
raw-48khz-16bit-mono-pcm riff-48khz-16bit-mono-pcm
+raw-8khz-8bit-mono-mulaw riff-8khz-8bit-mono-mulaw
+raw-8khz-8bit-mono-alaw riff-8khz-8bit-mono-alaw
+audio-16khz-32kbitrate-mono-mp3 audio-16khz-64kbitrate-mono-mp3
+audio-16khz-128kbitrate-mono-mp3 audio-24khz-48kbitrate-mono-mp3
+audio-24khz-96kbitrate-mono-mp3 audio-24khz-160kbitrate-mono-mp3
audio-48khz-96kbitrate-mono-mp3 audio-48khz-192kbitrate-mono-mp3
+raw-16khz-16bit-mono-truesilk raw-24khz-16bit-mono-truesilk
webm-16khz-16bit-mono-opus webm-24khz-16bit-mono-opus
+ogg-16khz-16bit-mono-opus ogg-24khz-16bit-mono-opus
+ogg-48khz-16bit-mono-opus
``` > [!NOTE]
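Review bot: The list now adds `ogg-48khz-16bit-mono-opus` next to the existing 48 kHz PCM and MP3 entries, but the unchanged intro sentence still reads "The Speech service supports 24 kHz, 16 kHz, and 8 kHz audio outputs". Update that sentence to include 48 kHz so the prose and the list agree.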
cognitive-services Sentence Alignment https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Translator/custom-translator/sentence-alignment.md
- Title: Sentence pairing and alignment - Custom Translator-
-description: During the training execution, sentences present in parallel documents are paired or aligned. Custom Translator learns translations one sentence at a time, by reading a sentence, the translation of this sentence. Then it aligns words and phrases in these two sentences to each other.
---- Previously updated : 08/17/2020--
-#Customer intent: As a Custom Translator user, I want to know how sentence alignment works, so that I can have better understanding of underlying process of sentence extraction, pairing, filtering, aligning.
--
-# Sentence pairing and alignment in parallel documents
-
-After documents are uploaded, sentences present in parallel documents are
-paired or aligned. Custom Translator reports the number of sentences it was
-able to pair as the Aligned Sentences in each of the data sets.
-
-## Pairing and alignment process
-
-Custom Translator learns translations of sentences one sentence at a time. It reads a sentence from the source text , and then the translation of this sentence from the target text. Then it aligns words and phrases in these two sentences to each other. This process enables it to create a map of the words and phrases in one sentence to the equivalent words and phrases in the translation of his sentence. Alignment tries to ensure that the system trains on sentences that are translations of each other.
-
-## Pre-aligned documents
-
-If you know you have parallel documents, you may override the
-sentence alignment by supplying pre-aligned text files. You can extract all
-sentences from both documents into text file, organized one sentence per line,
-and upload with an `.align` extension. The `.align` extension signals Custom
-Translator that it should skip sentence alignment.
-
-For best results, try to make sure that you have one sentence per line in your
-files. Don't have newline characters within a sentence as this will cause poor
-alignments.
-
-## Suggested minimum number of sentences
-
-For a training to succeed, the table below shows the minimum number of sentences required in each document type. This limitation is a safety net to ensure your parallel sentences contain enough unique vocabulary to successfully train a translation model. The general guideline is having more in-domain parallel sentences of human translation quality should produce higher quality models.
-
-| Document type | Suggested minimum sentence count | Maximum sentence count |
-||--|--|
-| Training | 10,000 | No upper limit |
-| Tuning | 500 | 2,500 |
-| Testing | 500 | 2,500 |
-| Dictionary | 0 | No upper limit |
-
-> [!NOTE]
-> - Training will not start and will fail if the 10,000 minimum sentence count for Training is not met.
-> - Tuning and Testing are optional. If you do not provide them, the system will remove an appropriate percentage from Training to use for validation and testing.
-> - You can train a model using only dictionary data. Please refer to [What is Dictionary](./what-is-dictionary.md).
-
-## Next steps
--- Learn how to use a [dictionary](what-is-dictionary.md) in Custom Translator.+
+ Title: Sentence pairing and alignment - Custom Translator
+
+description: During the training execution, sentences present in parallel documents are paired or aligned. Custom Translator learns translations one sentence at a time, by reading a sentence, the translation of this sentence. Then it aligns words and phrases in these two sentences to each other.
++++ Last updated : 04/19/2021++
+#Customer intent: As a Custom Translator user, I want to know how sentence alignment works, so that I can have better understanding of underlying process of sentence extraction, pairing, filtering, aligning.
++
+# Sentence pairing and alignment in parallel documents
+
+After documents are uploaded, sentences present in parallel documents are
+paired or aligned. Custom Translator reports the number of sentences it was
+able to pair as the Aligned Sentences in each of the data sets.
+
+## Pairing and alignment process
+
+Custom Translator learns translations of sentences one sentence at a time. It reads a sentence from the source text, and then the translation of this sentence from the target text. Then it aligns words and phrases in these two sentences to each other. This process enables it to create a map of the words and phrases in one sentence to the equivalent words and phrases in the translation of the sentence. Alignment tries to ensure that the system trains on sentences that are translations of each other.
+
+## Pre-aligned documents
+
+If you know you have parallel documents, you may override the
+sentence alignment by supplying pre-aligned text files. You can extract all
+sentences from both documents into text file, organized one sentence per line,
+and upload with an `.align` extension. The `.align` extension signals Custom
+Translator that it should skip sentence alignment.
+
+For best results, try to make sure that you have one sentence per line in your
+files. Don't have newline characters within a sentence as this will cause poor
+alignments.
+
+## Suggested minimum number of sentences
+
+For a training to succeed, the table below shows the minimum number of sentences required in each document type. This limitation is a safety net to ensure your parallel sentences contain enough unique vocabulary to successfully train a translation model. The general guideline is having more in-domain parallel sentences of human translation quality should produce higher-quality models.
+
+| Document type | Suggested minimum sentence count | Maximum sentence count |
+||--|--|
+| Training | 10,000 | No upper limit |
+| Tuning | 500 | 2,500 |
+| Testing | 500 | 2,500 |
+| Dictionary | 0 | 250,000 |
+
+> [!NOTE]
+>
+> - Training will not start and will fail if the 10,000 minimum sentence count for Training is not met.
+> - Tuning and Testing are optional. If you do not provide them, the system will remove an appropriate percentage from Training to use for validation and testing.
+> - You can train a model using only dictionary data. Please refer to [What is Dictionary](./what-is-dictionary.md).
+> - If your dictionary contains more than 250,000 sentences, **[Document Translator](https://docs.microsoft.com/azure/cognitive-services/translator/document-translation/overview)** is likely a better choice.
+
+## Next steps
+
+- Learn how to use a [dictionary](what-is-dictionary.md) in Custom Translator.
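Review bot: The table column is headed "Suggested minimum sentence count", but the note under it says "Training will not start and will fail if the 10,000 minimum sentence count for Training is not met", so for the Training row the value is a hard requirement, not a suggestion. Either rename the column (for example "Minimum sentence count") or mark the Training value as required in the table itself, so readers who skip the note are not misled. The section heading "Suggested minimum number of sentences" has the same problem. In "Pre-aligned documents", "into text file" should read "into a text file".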
cognitive-services Request Limits https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Translator/request-limits.md
Title: Request limits - Translator
-description: This article lists request limits for the Translator. Charges are incurred based on character count, not request frequency with a limit of 5,000 characters per request. Character limits are subscription based, with F0 limited to 2 million characters per hour.
+description: This article lists request limits for the Translator. Charges are incurred based on character count, not request frequency with a limit of 5,000 characters per request. Character limits are subscription-based, with F0 limited to 2 million characters per hour.
Previously updated : 08/06/2020 Last updated : 04/19/2021 # Request limits for Translator
-This article provides throttling limits for the Translator. Services include translation, transliteration, sentence length detection, language detection, and alternate translations.
+This article provides throttling limits for the Translator translation, transliteration, sentence length detection, language detection, and alternate translations.
## Character and array limits per request
-Each translate request is limited to 10,000 characters, across all the target languages you are translating to. For example, sending a translate request of 3,000 characters to translate to 3 different languages results in a request size of 3000x3 = 9,000 characters, which satisfies the request limit. You're charged per character, not by the number of requests. It's recommended to send shorter requests.
+Each translate request is limited to 10,000 characters, across all the target languages you are translating to. For example, sending a translate request of 3,000 characters to translate to three different languages results in a request size of 3000x3 = 9,000 characters, which satisfy the request limit. You're charged per character, not by the number of requests. It's recommended to send shorter requests.
The following table lists array element and character limits for each operation of the Translator. | Operation | Maximum Size of Array Element | Maximum Number of Array Elements | Maximum Request Size (characters) | |:-|:-|:-|:-|
-| Translate | 10,000 | 100 | 10,000 |
-| Transliterate | 5,000 | 10 | 5,000 |
-| Detect | 50,000 | 100 | 50,000 |
-| BreakSentence | 50,000 | 100 | 50,000 |
-| Dictionary Lookup| 100 | 10 | 1,000 |
-| Dictionary Examples | 100 for text and 100 for translation (200 total)| 10| 2,000 |
+| Translate | 10,000| 100| 10,000 |
+| Transliterate | 5,000| 10| 5,000 |
+| Detect | 50,000 |100 |50,000 |
+| BreakSentence | 50,000| 100 |50,000 |
+| Dictionary Lookup| 100 |10| 1,000 |
+| Dictionary Examples | 100 for text and 100 for translation (200 total)| 10|2,000 |
## Character limits per hour
-Your character limit per hour is based on your Translator subscription tier.
+Your character limit per hour is based on your Translator subscription tier.
The hourly quota should be consumed evenly throughout the hour. For example, at the F0 tier limit of 2 million characters per hour, characters should be consumed no faster than roughly 33,300 characters per minute sliding window (2 million characters divided by 60 minutes).
If you reach or surpass these limits, or send too large of a portion of the quot
Limits for [multi-service subscriptions](./reference/v3-0-reference.md#authentication) are the same as the S1 tier.
-These limits are restricted to Microsoft's standard translation models. Custom translation models that use Custom Translator are limited to 1,800 characters per second.
+These limits are restricted to Microsoft's standard translation models. Custom translation models that use Custom Translator are limited to 1,800 characters per second, per model.
## Latency
-The Translator has a maximum latency of 15 seconds using standard models and 120 seconds when using custom models. Typically, responses *for text within 100 characters* are returned in 150 milliseconds to 300 milliseconds. The custom translator models have similar latency characteristics on sustained request rate and may have a higher latency when your request rate is intermittent. Response times will vary based on the size of the request and language pair. If you don't receive a translation or an [error response](./reference/v3-0-reference.md#errors) within that timeframe, please check your code, your network connection and retry.
+The Translator has a maximum latency of 15 seconds using standard models and 120 seconds when using custom models. Typically, responses *for text within 100 characters* are returned in 150 milliseconds to 300 milliseconds. The custom translator models have similar latency characteristics on sustained request rate and may have a higher latency when your request rate is intermittent. Response times will vary based on the size of the request and language pair. If you don't receive a translation or an [error response](./reference/v3-0-reference.md#errors) within that timeframe, check your code, your network connection, and retry.
## Sentence length limits
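Review bot: The updated description still says "a limit of 5,000 characters per request", while the body and the table in the same change state that each translate request is limited to 10,000 characters; the two need to agree, or the description should say which operation the 5,000 figure refers to. The rewritten intro sentence, "This article provides throttling limits for the Translator translation, transliteration, ...", lost "Services include" and no longer parses. In the example sentence, "which satisfy the request limit" should stay "which satisfies", since the subject is the request size. The addition of "per model" to the Custom Translator limit is a useful clarification.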
cognitive-services Text Analytics How To Call Api https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/text-analytics/how-tos/text-analytics-how-to-call-api.md
Starting in v3.1-preview.3, the Text Analytics API provides two asynchronous end
* The `/health` endpoint for Text Analytics for health, which can extract and label relevant medical information from clinical documents.
+Please note the /analyze and /health endpoints are only available in the following regions: West US 2, East US 2, Central US, North Europe and West Europe.
+ See the table below to see which features can be used asynchronously. Note that only a few features can be called from the `/analyze` endpoint. | Feature | Synchronous | Asynchronous |
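Review bot: In the added sentence the endpoint names are written as plain text ("the /analyze and /health endpoints"), while the surrounding lines format them as code (`/health`, `/analyze`); use the same formatting here. "Please note" can be dropped, and the sentence would sit better directly under the endpoint list than fused with the paragraph that introduces the feature table.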
communication-services Call Recording https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/communication-services/concepts/voice-video-calling/call-recording.md
+
+ Title: Azure Communication Services Call Recording overview
+
+description: Provides an overview of the Call Recording feature and APIs.
+++++ Last updated : 04/13/2021+++
+# Calling Recording overview
++
+> [!NOTE]
+> Many countries and states have laws and regulations that apply to the recording of PSTN, voice, and video calls, which often require that users consent to the recording of their communications. It is your responsibility to use the call recording capabilities in compliance with the law. You must obtain consent from the parties of recorded communications in a manner that complies with the laws applicable to each participant.
+
+> [!NOTE]
+> Regulations around the maintenance of personal data require the ability to export user data. In order to support these requirements, recording metadata files include the participantId for each call participant in the `participants` array. You can cross-reference the MRIs in the `participants` array with your internal user identities to identify participants in a call. An example of a recording metadata file is provided below for reference.
+
+Call Recording provides a set of APIs to start, stop, pause and resume recording. These APIs can be accessed from server-side business logic or via events triggered by user actions. Recorded media output is in `MP4 Audio+Video` format, which is the same format that Teams uses to record media. Notifications related to media and metadata are emitted via Event Grid. Recordings are stored for 48 hours on built-in temporary storage for retrieval and movement to a long-term storage solution of choice.
+
+## Run-time Control APIs
+Run-time control APIs can be used to manage recording via internal business logic triggers, such as an application creating a group call and recording the conversation, or from a user-triggered action that tells the server application to start recording. In either scenario, `<conversation-id>` is required to record a specific meeting or call.
+
+#### Getting Conversation ID from a server initiated call
+
+A `ConversationId` is returned via the `Microsoft.Communication.CallLegStateChanged` event. This event notification is emitted after a call has been established. It can be found in the `data.ConversationId` field. This value can be used directly as the `{conversationId}` parameter in run-time control APIs:
+```
+ {
+ "id": null,
+ "topic": null,
+ "subject": "callLeg/<callLegId>/callState",
+ "data": {
+-> "ConversationId": "<conversation-id>", <-
+ "CallLegId": "<callLegId>",
+ "CallState": "Established"
+ },
+ "eventType": "Microsoft.Communication.CallLegStateChanged",
+ "eventTime": "2021-04-14T16:32:34.1115003Z",
+ "metadataVersion": null,
+ "dataVersion": null
+ }
+```
+
+#### Getting the conversation ID from a user triggered event on the client
+
+From the JavaScript `@azure/communication-calling` library, after establishing a call invoke `let result = call.info.getConversationUrl()` to get the `conversationUrl`, then
+**Base64Url encode the `conversationUrl` to get the `{conversationId}` for use in the run-time control APIs**. Encoding can be done either on the client before sending the event to the server, or server side.
+
+Note that the `conversationUrl` *must* be Base64Url encoded, not to be confused with just Base64 encoding (i.e. btoa).
+
+### Start recording
+
+#### Request
+
+**HTTP**
+<!-- {
+ "blockType": "request",
+ "name": "start-recording"
+}-->
+```
+POST /conversations/{conversationId}/Recordings
+Content-Type: application/json
+
+{
+ "operationContext": "string", // developer provided string for correlation context on each operation
+ "recordingStateCallbackUri": "string"
+}
+```
+**C# SDK**
+<!-- {
+ "blockType": "request",
+ "name": "start-recording"
+}-->
+```C#
+string connectionString = "YOUR_CONNECTION_STRING";
+ConversationClient conversationClient = new ConversationClient(connectionString);
+
+/// start call recording
+StartRecordingResponse startRecordingResponse = await conversationClient.StartRecordingAsync(
+ conversationId: "<conversation-id>"
+ operationContext: "<operation-context>", /// developer provided string for correlation context on each operation
+ recordingStateCallbackUri: "<recording-state-callback-uri>").ConfigureAwait(false);
+
+string recordingId = startRecordingResponse.RecordingId;
+```
+
+#### Response
+
+**HTTP**
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+} -->
+
+```http
+HTTP/1.1 200 Success
+Content-Type: application/json
+
+{
+ "recordingId": "string"
+}
+```
+```
+HTTP/1.1 400 Bad request
+Content-Type: application/json
+
+{
+ "code": "string",
+ "message": "string",
+ "target": "string",
+ "details": [
+ null
+ ]
+}
+```
+```
+HTTP/1.1 404 Not found
+Content-Type: application/json
+
+{
+ "code": "string",
+ "message": "string",
+ "target": "string",
+ "details": [
+ null
+ ]
+}
+```
+```
+HTTP/1.1 500 Internal server error
+Content-Type: application/json
+
+{
+ "code": "string",
+ "message": "string",
+ "target": "string",
+ "details": [
+ null
+ ]
+}
+```
+
+### Get call recording state
+
+#### Request
+
+**HTTP**
+<!-- {
+ "blockType": "request",
+ "name": "get-recording-state"
+}-->
+```http
+GET /conversations/{conversationId}/recordings/{recordingId}
+Content-Type: application/json
+
+{
+}
+```
+**C# SDK**
+<!-- {
+ "blockType": "request",
+ "name": "start-recording"
+}-->
+```C#
+string connectionString = "YOUR_CONNECTION_STRING";
+ConversationClient conversationClient = new ConversationClient(connectionString);
+
+/// get recording state
+GetCallRecordingStateResponse recordingState = await conversationClient.GetRecordingStateAsync(
+ conversationId: "<conversation-id>",
+ recordingId: <recordingId>).ConfigureAwait(false);
+```
+#### Response
+
+**HTTP**
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+} -->
+
+```http
+HTTP/1.1 200 Success
+Content-Type: application/json
+
+{
+ "recordingState": "active"
+}
+```
+```
+HTTP/1.1 400 Bad request
+Content-Type: application/json
+
+{
+ "code": "string",
+ "message": "string",
+ "target": "string",
+ "details": [
+ null
+ ]
+}
+```
+```
+HTTP/1.1 500 Internal server error
+Content-Type: application/json
+
+{
+ "code": "string",
+ "message": "string",
+ "target": "string",
+ "details": [
+ null
+ ]
+}
+```
+
+### Stop recording
+#### Request
+**HTTP**
+<!-- {
+ "blockType": "request",
+ "name": "stop-recording"
+}-->
+```
+DELETE /conversations/{conversationId}/recordings/{recordingId}
+Content-Type: application/json
+
+{
+ "operationContext": "string" // developer provided string for correlation context on each operation
+}
+```
+**C# SDK**
+<!-- {
+ "blockType": "request",
+ "name": "start-recording"
+}-->
+```C#
+string connectionString = "YOUR_CONNECTION_STRING";
+ConversationClient conversationClient = new ConversationClient(connectionString);
+
+/// stop recording
+StopRecordingResponse response = conversationClient.StopRecordingAsync(
+ conversationId: "<conversation-id>",
+ recordingId: <recordingId>,
+ operationContext: "<operation-context>").ConfigureAwait(false);
+```
+#### Response
+**HTTP**
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+} -->
+
+```http
+HTTP/1.1 200 Success
+Content-Type: application/json
+
+{
+}
+```
+```
+HTTP/1.1 400 Bad request
+Content-Type: application/json
+
+{
+ "code": "string",
+ "message": "string",
+ "target": "string",
+ "details": [
+ null
+ ]
+}
+```
+```
+HTTP/1.1 500 Internal server error
+Content-Type: application/json
+
+{
+ "code": "string",
+ "message": "string",
+ "target": "string",
+ "details": [
+ null
+ ]
+}
+```
+
+### Pause recording
+Pausing and resuming call recording enables you to skip recording a portion of a call or meeting, and resume recording to a single file.
+#### Request
+**HTTP**
+<!-- {
+ "blockType": "request",
+ "name": "pause-recording"
+}-->
+```
+POST /conversations/{conversationId}/recordings/{recordingId}/Pause
+Content-Type: application/json
+
+{
+ "operationContext": "string" // developer provided string for correlation context on each operation
+}
+```
+**C# SDK**
+<!-- {
+ "blockType": "request",
+ "name": "start-recording"
+}-->
+```C#
+string connectionString = "YOUR_CONNECTION_STRING";
+ConversationClient conversationClient = new ConversationClient(connectionString);
+
+/// pause recording
+PauseRecordingResponse response = conversationClient.PauseRecordingAsync(
+ conversationId: "<conversation-id>",
+ recordingId: <recordingId>,
+ operationContext: "<operation-context>").ConfigureAwait(false);
+```
+#### Response
+**HTTP**
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+} -->
+
+```http
+HTTP/1.1 200 Success
+Content-Type: application/json
+
+{
+}
+```
+```
+HTTP/1.1 400 Bad request
+Content-Type: application/json
+
+{
+ "code": "string",
+ "message": "string",
+ "target": "string",
+ "details": [
+ null
+ ]
+}
+```
+```
+HTTP/1.1 500 Internal server error
+Content-Type: application/json
+
+{
+ "code": "string",
+ "message": "string",
+ "target": "string",
+ "details": [
+ null
+ ]
+}
+```
+
+### Resume recording
+#### Request
+**HTTP**
+<!-- {
+ "blockType": "request",
+ "name": "resume-recording"
+}-->
+```
+POST /conversations/{conversationId}/recordings/{recordingId}/Resume
+Content-Type: application/json
+
+{
+ "operationContext": "string" // developer provided string for correlation context on each operation
+}
+```
+**C# SDK**
+<!-- {
+ "blockType": "request",
+ "name": "start-recording"
+}-->
+```C#
+string connectionString = "YOUR_CONNECTION_STRING";
+ConversationClient conversationClient = new ConversationClient(connectionString);
+
+/// resume recording
+ResumeRecordingResponse response = conversationClient.ResumeRecordingAsync(
+ conversationId: "<conversation-id>",
+ recordingId: <recordingId>,
+ operationContext: "<operation-context>").ConfigureAwait(false);
+```
+#### Response
+**HTTP**
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+} -->
+
+```http
+HTTP/1.1 200 Success
+Content-Type: application/json
+
+{
+}
+```
+```
+HTTP/1.1 400 Bad request
+Content-Type: application/json
+
+{
+ "code": "string",
+ "message": "string",
+ "target": "string",
+ "details": [
+ null
+ ]
+}
+```
+```
+HTTP/1.1 500 Internal server error
+Content-Type: application/json
+
+{
+ "code": "string",
+ "message": "string",
+ "target": "string",
+ "details": [
+ null
+ ]
+}
+```
+
+## Media output types
+Call recording currently supports mixed audio+video MP4 output format. The output media matches meeting recordings produced via Microsoft Teams recording.
+
+| Channel Type | Content Format | Video | Audio |
+| :-- | :- | :- | : |
+| audioVideo | mp4 | 1920x1080 8 FPS video of all participants in default tile arrangement | 16kHz mp4a mixed audio of all participants |
+
+## Event Grid notifications
+An Event Grid notification `Microsoft.Communication.RecordingFileStatusUpdated` is published when a recording is ready for retrieval, typically 1-2 minutes after the recording process has completed (e.g. meeting ended, recording stopped). Recording event notifications include a document ID, which can be used to retrieve both recorded media and a recording metadata file:
+
+- <Azure_Communication_Service_Endpoint>/recording/download/{documentId}
+- <Azure_Communication_Service_Endpoint>/recording/download/{documentId}/metadata
+
+Sample code for handling event grid notifications and downloading recording and metadata files can be found [here](../../quickstarts/voice-video-calling/download-recording-file-sample.md).
+
+### Notification Schema
+```
+{
+ "id": string, // Unique guid for event
+ "topic": string, // Azure Communication Services resource id
+ "subject": string, // /recording/call/{call-id}
+ "data": {
+ "recordingStorageInfo": {
+ "recordingChunks": [
+ {
+ "documentId": string, // Document id for retrieving from storage
+ "index": int, // Index providing ordering for this chunk in the entire recording
+ "endReason": string, // Reason for chunk ending: "SessionEnded",ΓÇ»"ChunkMaximumSizeExceededΓÇ¥, etc.
+ }
+ ]
+ },
+ "recordingStartTime": string, // ISO 8601 date time for the start of the recording
+ "recordingDurationMs": int, // Duration of recording in milliseconds
+ "sessionEndReason": string // Reason for call ending: "CallEnded",ΓÇ»"InitiatorLeft", etc.
+ },
+ "eventType": string, // "Microsoft.Communication.RecordingFileStatusUpdated"
+ "dataVersion": string, // "1.0"
+ "metadataVersion": string, // "1"
+ "eventTime": string // ISO 8601 date time for when the event was created
+}
+```
+## File Download
+
+> Azure Communication Services provides short term media storage for recordings. **Export any recorded content you wish to preserve within 48 hours.** After 48 hours, recordings will no longer be available.
+
+### Download recording
+#### Request
+**HTTP**
+<!-- {
+ "blockType": "request",
+ "name": "download-recording"
+}-->
+```http
+GET /recording/download/{documentId}
+Content-Type: application/json
+
+{
+}
+```
+#### Response
+**HTTP**
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+} -->
+
+```
+HTTP/1.1 200 Success
+Content-Type: video/mp4
+
+{
+string // Recording file bytes
+}
+```
+```
+HTTP/1.1 400 Bad request
+Content-Type: application/json
+
+{
+ "code": "string",
+ "message": "string",
+ "target": "string",
+ "details": [
+ null
+ ]
+}
+```
+```
+HTTP/1.1 500 Internal server error
+Content-Type: application/json
+
+{
+ "code": "string",
+ "message": "string",
+ "target": "string",
+ "details": [
+ null
+ ]
+}
+```
+### Download recording metadata
+#### Request
+**HTTP**
+<!-- {
+ "blockType": "request",
+ "name": "download-recording-metadata"
+}-->
+```http
+GET /recording/download/{documentId}/metadata
+Content-Type: application/json
+
+{
+}
+```
+#### Response
+**HTTP**
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+} -->
+
+```http
+HTTP/1.1 200 Success
+Content-Type: application/json
+
+{
+ "resourceId": "string",
+ "callId": "string",
+ "chunkDocumentId": "string",
+ "chunkIndex": 0,
+ "chunkStartTime": "string",
+ "chunkDuration": 0,
+ "pauseResumeIntervals": [
+ {
+ "startTime": "string",
+ "duration": 0
+ }
+ ],
+ "recordingInfo": {
+ "contentType": "string",
+ "channelType": "string",
+ "format": "string",
+ "audioConfiguration": {
+ "sampleRate": "string",
+ "bitRate": 0,
+ "channels": 0
+ },
+ "videoConfiguration": {
+ "longerSideLength": 0,
+ "shorterSideLength": 0,
+ "framerate": 0,
+ "bitRate": 0
+ }
+ },
+ "participants": [
+ {
+ "participantId": "string"
+ }
+ ]
+}
+```
+```
+HTTP/1.1 400 Bad request
+Content-Type: application/json
+
+{
+ "code": "string",
+ "message": "string",
+ "target": "string",
+ "details": [
+ null
+ ]
+}
+```
+```
+HTTP/1.1 500 Internal server error
+Content-Type: application/json
+
+{
+ "code": "string",
+ "message": "string",
+ "target": "string",
+ "details": [
+ null
+ ]
+}
+```
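Review bot: Several of the C# samples in this new article will not compile as written. In "Start recording", the argument `conversationId: "<conversation-id>"` is missing its trailing comma. In "Stop recording", "Pause recording" and "Resume recording", the result of `...Async(...).ConfigureAwait(false)` is assigned to a response type without `await`, unlike the start and get-state samples. The `recordingId: <recordingId>` placeholder is unquoted, while `"<conversation-id>"` is quoted in the same calls. Every C# block also carries the metadata comment `"name": "start-recording"`, including the get-state, stop, pause and resume samples, which looks like a copy-paste leftover. The "File Download" requests show no authentication header and the section never says the calls must be authenticated, even though the linked quickstart signs the same endpoints with HMAC; state that requirement here, since these URLs return call recordings and participant identifiers. The comments in the notification schema contain mis-encoded characters (`"SessionEnded",ΓÇ»"ChunkMaximumSizeExceededΓÇ¥`), and the H1 reads "Calling Recording overview" where the title uses "Call Recording".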
communication-services Download Recording File Sample https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/communication-services/quickstarts/voice-video-calling/download-recording-file-sample.md
+
+ Title: Record and download calls with Event Grid - An Azure Communication Services quickstart
+
+description: In this quickstart, you'll learn how to record and download calls using Event Grid.
+++++ Last updated : 04/14/2021++++
+# Record and download calls with Event Grid
++
+Get started with Azure Communication Services by recording your Communication Services calls using Azure Event Grid.
+
+## Prerequisites
+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
+- An active Communication Services resource. [Create a Communication Services resource](../create-communication-resource.md?pivots=platform-azp&tabs=windows).
+- The [`Microsoft.Azure.EventGrid`](https://www.nuget.org/packages/Microsoft.Azure.EventGrid/) NuGet package.
+
+## Create a webhook and subscribe to the recording events
+We'll use *webhooks* and *events* to facilitate call recording and media file downloads.
+
+First, we'll create a webhook. Your Communication Services resource will use Event Grid to notify this webhook when the `recording` event is triggered, and then again when recorded media is ready to be downloaded.
+
+You can write your own custom webhook to receive these event notifications. It's important for this webhook to respond to inbound messages with the validation code to successfully subscribe the webhook to the event service.
+
+```
+[HttpPost]
+public async Task<ActionResult> PostAsync([FromBody] object request)
+ {
+ //Deserializing the request
+ var eventGridEvent = JsonConvert.DeserializeObject<EventGridEvent[]>(request.ToString())
+ .FirstOrDefault();
+ var data = eventGridEvent.Data as JObject;
+
+ // Validate whether EventType is of "Microsoft.EventGrid.SubscriptionValidationEvent"
+ if (string.Equals(eventGridEvent.EventType, EventTypes.EventGridSubscriptionValidationEvent, StringComparison.OrdinalIgnoreCase))
+ {
+ var eventData = data.ToObject<SubscriptionValidationEventData>();
+ var responseData = new SubscriptionValidationResponseData
+ {
+ ValidationResponse = eventData.ValidationCode
+ };
+ if (responseData.ValidationResponse != null)
+ {
+ return Ok(responseData);
+ }
+ }
+
+ // Implement your logic here.
+ ...
+ ...
+ }
+```
++
+The above code depends on the `Microsoft.Azure.EventGrid` NuGet package. To learn more about Event Grid endpoint validation, visit the [endpoint validation documentation](https://docs.microsoft.com/azure/event-grid/receive-events#endpoint-validation)
+
+We'll then subscribe this webhook to the `recording` event:
+
+1. Select the `Events` blade from your Azure Communication Services resource.
+2. Select `Event Subscription` as shown below.
+![Screenshot showing event grid UI](./media/call-recording/image1-event-grid.png)
+3. Configure the event subscription and select `Call Recording File Status Update` as the `Event Type`. Select `Webhook` as the `Endpoint type`.
+![Create Event Subscription](./media/call-recording/image2-create-subscription.png)
+4. Input your webhook's URL into `Subscriber Endpoint`.
+![Subscribe to Event](./media/call-recording/image3-subscribe-to-event.png)
+
+Your webhook will now be notified whenever your Communication Services resource is used to record a call.
+
+## Notification schema
+When the recording is available to download, your Communication Services resource will emit a notification with the following event schema. The document IDs for the recording can be fetched from the `documentId` fields of each `recordingChunk`.
+
+```
+{
+ "id": string, // Unique guid for event
+ "topic": string, // Azure Communication Services resource id
+ "subject": string, // /recording/call/{call-id}
+ "data": {
+ "recordingStorageInfo": {
+ "recordingChunks": [
+ {
+ "documentId": string, // Document id for retrieving from AMS storage
+ "index": int, // Index providing ordering for this chunk in the entire recording
+ "endReason": string, // Reason for chunk ending: "SessionEnded",ΓÇ»"ChunkMaximumSizeExceededΓÇ¥, etc.
+ }
+ ]
+ },
+ "recordingStartTime": string, // ISO 8601 date time for the start of the recording
+ "recordingDurationMs": int, // Duration of recording in milliseconds
+ "sessionEndReason": string // Reason for call ending: "CallEnded",ΓÇ»"InitiatorLeftΓÇ¥, etc.
+ },
+ "eventType": string, // "Microsoft.Communication.RecordingFileStatusUpdated"
+ "dataVersion": string, // "1.0"
+ "metadataVersion": string, // "1"
+ "eventTime": string // ISO 8601 date time for when the event was created
+}
+
+```
+
+## Download the recorded media files
+
+Once we get the document ID for the file we want to download, we'll call the below Azure Communication Services APIs to download the recorded media and metadata using HMAC authentication.
+
+The maximum recording file size is 1.5GB. When this file size is exceeded, the recorder will automatically split recorded media into multiple files.
+
+The client should be able to download all media files with a single request. If there's an issue, the client can retry with a range header to avoid redownloading segments that have already been downloaded.
+
+To download recorded media:
+- Method: `GET`
+- URL: https://contoso.communication.azure.com/recording/download/{documentId}?api-version=2021-04-15-preview1
+
+To download recorded media metadata:
+- Method: `GET`
+- URL: https://contoso.communication.azure.com/recording/download/{documentId}/metadata?api-version=2021-04-15-preview1
++
+### Authentication
+To download recorded media and metadata, use HMAC authentication to authenticate the request against Azure Communication Services APIs.
+
+Create an `HttpClient` and add the necessary headers using the `HmacAuthenticationUtils` provided below:
+
+```
+ var client = new HttpClient();
+
+ // Set Http Method
+ var method = HttpMethod.Get;
+ StringContent content = null;
+
+ // Build request
+ var request = new HttpRequestMessage
+ {
+ Method = method, // Http GET method
+ RequestUri = new Uri(<Download_Recording_Url>), // Download recording Url
+ Content = content // content if required for POST methods
+ };
+
+ // Question: Why do we need to pass String.Empty to CreateContentHash() method?
+ // Answer: In HMAC authentication, the hash of the content is one of the parameters used to generate the HMAC token.
+ // In our case our recording download APIs are GET methods and do not have any content/body to be passed in the request.
+ // However in this case we still need the SHA256 hash for the empty content and hence we pass an empty string.
++
+ string serializedPayload = string.Empty;
+
+ // Hash the content of the request.
+ var contentHashed = HmacAuthenticationUtils.CreateContentHash(serializedPayload);
+
+ // Add HAMC headers.
+ HmacAuthenticationUtils.AddHmacHeaders(request, contentHashed, accessKey, method);
+
+ // Make a request to the Azure Communication Services APIs mentioned above
+ var response = await client.SendAsync(request).ConfigureAwait(false);
+```
+
+#### HmacAuthenticationUtils
+The below utilities can be used to manage your HMAC workflow.
+
+**Create content hash**
+
+```
+public static string CreateContentHash(string content)
+{
+ var alg = SHA256.Create();
+
+ using (var memoryStream = new MemoryStream())
+ using (var contentHashStream = new CryptoStream(memoryStream, alg, CryptoStreamMode.Write))
+ {
+ using (var swEncrypt = new StreamWriter(contentHashStream))
+ {
+ if (content != null)
+ {
+ swEncrypt.Write(content);
+ }
+ }
+ }
+
+ return Convert.ToBase64String(alg.Hash);
+}
+```
+
+**Add HMAC headers**
+
+```
+public static void AddHmacHeaders(HttpRequestMessage requestMessage, string contentHash, string accessKey)
+{
+ var utcNowString = DateTimeOffset.UtcNow.ToString("r", CultureInfo.InvariantCulture);
+ var uri = requestMessage.RequestUri;
+ var host = uri.Authority;
+ var pathAndQuery = uri.PathAndQuery;
+
+ var stringToSign = $"{requestMessage.Method}\n{pathAndQuery}\n{utcNowString};{host};{contentHash}";
+ var hmac = new HMACSHA256(Convert.FromBase64String(accessKey));
+ var hash = hmac.ComputeHash(Encoding.ASCII.GetBytes(stringToSign));
+ var signature = Convert.ToBase64String(hash);
+ var authorization = $"HMAC-SHA256 SignedHeaders=date;host;x-ms-content-sha256&Signature={signature}";
+
+ requestMessage.Headers.Add("x-ms-content-sha256", contentHash);
+ requestMessage.Headers.Add("Date", utcNowString);
+ requestMessage.Headers.Add("Authorization", authorization);
+}
+```
+
+## Clean up resources
+If you want to clean up and remove a Communication Services subscription, you can delete the resource or resource group. Deleting the resource group also deletes any other resources associated with it. Learn more about [cleaning up resources](../create-communication-resource.md?pivots=platform-azp&tabs=windows#clean-up-resources).
++
+## Next steps
+For more information, see the following articles:
+
+- Check out our [web calling sample](https://docs.microsoft.com/azure/communication-services/samples/web-calling-sample)
+- Learn about [Calling SDK capabilities](https://docs.microsoft.com/azure/communication-services/quickstarts/voice-video-calling/calling-client-samples?pivots=platform-web)
+- Learn more about [how calling works](https://docs.microsoft.com/azure/communication-services/concepts/voice-video-calling/about-call-types)
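Review bot: In the "Authentication" snippet, `HmacAuthenticationUtils.AddHmacHeaders(request, contentHashed, accessKey, method)` passes four arguments, but the helper defined under "Add HMAC headers" takes three (`requestMessage`, `contentHash`, `accessKey`), so the sample does not compile; drop the `method` argument or add the parameter. `accessKey` is also never declared in the snippet; say where it comes from and that it should be loaded from configuration or a secret store rather than placed in source. The comment "Add HAMC headers" should read "HMAC". In the webhook handler, `FirstOrDefault()` can return null and the next line dereferences `eventGridEvent.Data`, and only the first event of the posted array is processed, so any further events in the same batch are silently dropped. Nothing in the handler checks who sent the request before it acts on the event; the article should say how the endpoint is expected to be protected, since the notifications carry the document IDs used to download recordings. The schema comments contain the same mis-encoded characters as in the concept article (`"CallEnded",ΓÇ»"InitiatorLeftΓÇ¥`), and one comment here says "AMS storage" where the concept article says "storage".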
container-registry Container Registry Transfer Images https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/container-registry/container-registry-transfer-images.md
az resource delete \
* **Template deployment failures or errors** * If a pipeline run fails, look at the `pipelineRunErrorMessage` property of the run resource. * For common template deployment errors, see [Troubleshoot ARM template deployments](../azure-resource-manager/templates/template-tutorial-troubleshoot.md)
+* **Problems accessing storage**<a name="problems-accessing-storage"></a>
+ * If you see a `403 Forbidden` error from storage, you likely have a problem with your SAS token.
+ * The SAS token might not currently be valid. The SAS token might be expired or the storage account keys might have changed since the SAS token was created. Verify that the SAS token is valid by attempting to use the SAS token to authenticate for access to the storage account container. For example, put an existing blob endpoint followed by the SAS token in the address bar of a new Microsoft Edge InPrivate window or upload a blob to the container with the SAS token by using `az storage blob upload`.
+ * The SAS token might not have sufficient Allowed Resource Types. Verify that the SAS token has been given permissions to Service, Container, and Object under Allowed Resource Types (`srt=sco` in the SAS token).
+ * The SAS token might not have sufficient permissions. For export pipelines, the required SAS token permissions are Read, Write, List, and Add. For import pipelines, the required SAS token permissions are Read, Delete, and List. (The Delete permission is required only if the import pipeline has the `DeleteSourceBlobOnSuccess` option enabled.)
+ * The SAS token might not be configured to work with HTTPS only. Verify that the SAS token is configured to work with HTTPS only (`spr=https` in the SAS token).
* **Problems with export or import of storage blobs**
- * SAS token may be expired, or may have insufficient permissions for the specified export or import run
+ * SAS token may be invalid, or may have insufficient permissions for the specified export or import run. See [Problems accessing storage](#problems-accessing-storage).
* Existing storage blob in source storage account might not be overwritten during multiple export runs. Confirm that the OverwriteBlob option is set in the export run and the SAS token has sufficient permissions. * Storage blob in target storage account might not be deleted after successful import run. Confirm that the DeleteBlobOnSuccess option is set in the import run and the SAS token has sufficient permissions. * Storage blob not created or deleted. Confirm that container specified in export or import run exists, or specified storage blob exists for manual import run.
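Review bot: The new permissions bullet names the import option `DeleteSourceBlobOnSuccess`, but the unchanged bullet under "Problems with export or import of storage blobs" calls it `DeleteBlobOnSuccess`, so a reader cannot tell which name to set. Please make the two match. The validity check in the first sub-bullet also needs a qualifier: `az storage blob upload` needs write access, and per this same hunk an import-pipeline token carries only Read, Delete, and List, so a valid import token would still fail that test. Say that the upload check applies to export tokens and suggest a read or list check for import tokens. Finally, Delete is listed among the required import permissions and only then qualified in parentheses. Stating Read and List as required and Delete as conditional on the option would steer readers toward the narrower token.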
cosmos-db How To Setup Rbac https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/how-to-setup-rbac.md
description: Learn how to configure role-based access control with Azure Active
Previously updated : 04/16/2021 Last updated : 04/19/2021
The Azure Cosmos DB data plane RBAC is built on concepts that are commonly found
> - [ARM templates](manage-with-templates.md) > - [Azure PowerShell scripts](manage-with-powershell.md), > - [Azure CLI scripts](manage-with-cli.md),
-> - [Azure management libraries](https://azure.github.io/azure-sdk/releases/latest/https://docsupdatetracker.net/index.html).
+> - Azure management libraries available in
+> - [.NET](https://www.nuget.org/packages/Azure.ResourceManager.CosmosDB)
+> - [Java](https://search.maven.org/artifact/com.azure.resourcemanager/azure-resourcemanager-cosmos)
+> - [Python](https://pypi.org/project/azure-mgmt-cosmosdb/)
The table below lists all the actions exposed by the permission model.
cost-management-billing Allocate Costs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cost-management-billing/costs/allocate-costs.md
Here's a video that demonstrates how to create a cost allocation rule.
You can edit a cost allocation rule to change the source or the target or if you want to update the prefilled percentage for either compute, storage, or network options. Edit the rules in the same way you create them. Modifying existing rules can take up to two hours to reprocess.
-## Frequently asked questions (FAQ)
-
-The following sections contain common questions people have about cost allocation.
-
-### What are the current limitations with cost allocation in public preview?
-<a name="limitations"></a>
+## Current limitations
Currently, cost allocation is supported in Cost Management by Cost analysis, budgets, and forecast views. Allocated costs are also shown in the subscriptions list and on the Subscriptions overview page.
The following items are currently unsupported by the cost allocation public prev
- [Cost Management Power BI App](https://appsource.microsoft.com/product/power-bi/costmanagement.azurecostmanagementapp) - [Power BI Desktop connector](/power-bi/connect-data/desktop-connect-azure-cost-management)
-### Are costs factored into budgets and forecast views?
-<a name="budgets-forecast"></a>
-
-Yes. Allocated costs are factored into and supported by budgets and forecasts. Budget and forecast views show costs allocated to them, as configured by cost allocation rules.
-
-### If a cost allocation rule is deleted, what happens?
-<a name="delete-rule"></a>
-
-When a cost allocation rule is deleted, all open and current billing month costs being allocated to the targets are removed. If the cost allocation rule has existed for several months, the historical previous months of allocation data remain as originally set by the allocation rule.
-
-### Why is an enrollment admin or a billing account admin needed to create cost allocation rules?
-<a name="why-admin"></a>
-
-Cost allocation rules are created at either the enrollment scope (Enterprise Agreement) or the Billing account scope (Microsoft Customer Agreement). Permissions to make changes at these scopes requires billing administrator privileges.
-
-### Why are sources and targets limited to 25 per rule?
-<a name="source-target-rule-limit"></a>
-
-The limit is a preview limitation to ensure good cost allocation performance and scalability. The limits will likely increase or get removed when cost allocation transitions to general availability (GA).
-
-### What can happen if cost allocation rules (sources/targets) overlap?
-<a name="rule-overlap"></a>
-
-Rules that have either overlapping sources or overlapping targets aren't recommended. Cost Allocation rules are applied in order by their creation date, so if any cost allocation rules overlap the allocation rule with the earliest creation date will take precedence.
## Next steps
+- Read the [Cost Management + Billing FAQ](../cost-management-billing-faq.yml) for questions and answers about cost allocation.
- Create or update allocation rules using the [Cost allocation Rest API](/rest/api/cost-management/costallocationrules) - Learn more about [How to optimize your cloud investment with Azure Cost Management](cost-mgt-best-practices.md)
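Review bot: Removing the FAQ headings also drops their explicit anchors (`<a name="limitations"></a>`, `budgets-forecast`, `delete-rule`, `why-admin`, `source-target-rule-limit`, `rule-overlap`), so existing deep links to `#limitations` and the others stop resolving. The new `## Current limitations` heading gets a different auto-generated anchor. Suggest keeping `<a name="limitations"></a>` under it and checking inbound links for the other five before merging. The removed answers on rule deletion and on overlapping rules (the rule with the earliest creation date takes precedence) describe product behaviour, so confirm both are present in `../cost-management-billing-faq.yml`.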
cost-management-billing Ea Azure Marketplace https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cost-management-billing/manage/ea-azure-marketplace.md
The following services are billed hourly under an Enterprise Agreement instead o
If you have an Enterprise Agreement, you pay for Azure RemoteApp based on your Enterprise Agreement price level. There aren't additional charges. The standard price includes an initial 40 hours. The unlimited price covers an initial 80 hours. RemoteApp stops emitting usage over 80 hours.
-## Azure Marketplace FAQ
-
-This section explains how your Azure Prepayment might apply to some third-party reseller services in Azure Marketplace.
-
-### What changed with Azure Marketplace services and Azure EA Prepayment?
-
-As of March 1, 2018, some third-party reseller services consume Azure EA Prepayment. Except for Azure reserved VM instances (RIs), services were previously billed outside Azure EA Prepayment and were invoiced separately.
-
-We expanded the use of Azure Prepayment to include some of the third party published Azure Marketplace services that are purchased most frequently. Azure EA Prepayment for these services in Azure Marketplace helps simplify your purchase and payment management.
-
-### Why did we make this change?
-
-Customers are continually looking for additional ways to leverage the upfront Azure Prepayment. This change was frequently requested by customers, and it impacted a large portion of Azure Marketplace customers.
-
-### How do you benefit?
-
-You get a simpler billing experience and are better able to spend your Azure EA Prepayment. Because these services are included in your Azure Prepayment, your Azure EA Prepayment becomes more valuable.
-
-### What Azure Marketplace services use Azure EA Prepayment, and how do I know?
-
-When you purchase a service that uses Azure Prepayment, Azure Marketplace presents a disclaimer. Supported are some services published by Red Hat, SUSE, Autodesk, and Oracle. Currently, similarly named services published by other parties don't deduct from Azure Prepayment. A full list is available at the end of this FAQ.
-
-### What if my Azure EA Prepayment runs out?
-
-If you consume all your Azure Prepayment and go into overage, charges related to these services will appear on your next overage invoice along with any other consumption services. Before the March 1, 2018 change, these charges were invoiced with other Azure Marketplace services.
-
-### Why don't all Azure Marketplaces consume Azure EA Prepayment?
-
-We frequently work to deliver the best customer experience related to Azure EA Prepayment. This change addressed a large number of customers and a significant portion of the total spend in Azure Marketplace. Other services might be added in the future.
-
-### How does this impact indirect enrollment and partners?
-
-There's no impact to our indirect enrollment customers or partners. These services are subject to the same partner markup capabilities as other consumption services. The only change is that the charges appear on a different invoice, and the payment of the charges comes out of the customer's Azure EA Prepayment.
-
-### Is there a list of Azure Marketplace services that consume Azure EA Prepayment?
-
-Specific Azure Marketplace offers can use Azure Prepayment funds. See [third-party services that use Azure Prepayment](https://azure.microsoft.com/updates/azure-marketplace-third-party-reseller-services-now-use-azure-monetary-commitment) for a complete list of products participating in this program.
-- ## Next steps -- Get more information about [Pricing](ea-pricing-overview.md).
+- Get more information about [Pricing](ea-pricing-overview.md).
+- Read the [Cost Management + Billing FAQ](../cost-management-billing-faq.yml) to see a list of questions and answers about Azure Marketplace services and Azure EA Prepayment.
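Review bot: The removed FAQ carried a direct link to the list of third-party services that use Azure Prepayment, and the replacement "Next steps" bullet points only at the general FAQ page. Suggest keeping that link in the article, for example as its own "Next steps" bullet, since it is what a reader needs to tell which offers draw on Prepayment. Separately, the `-` and `+` lines for the Pricing bullet carry the same text. If that is a fix for the bullet having run into the heading, fine. Otherwise drop it from the change.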
cost-management-billing Ea Portal Administration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cost-management-billing/manage/ea-portal-administration.md
To begin:
1. Now the Microsoft account should be free from any active subscriptions and can be deleted. 1. Any deleted account will remain in view in the portal in an inactive status for historic billing reasons. You can filter it out of the view by selecting a check box to show only active accounts.
-## Account subscription ownership FAQ
-
-This document answers commonly asked questions relating to account subscription ownership.
-
-### Can I associate my existing Azure account to Azure EA enrollment?
-
-Yes. All Azure subscriptions for which you're the account owner will be converted to your Enterprise Agreement. Included are subscriptions that use monthly credit such as Visual Studio, AzurePass, MPN, BizSpark, and more. You will lose monthly credit when converting such subscriptions.
-
-### How many Azure account owners can you have per subscription?
-
-Only one account owner is permitted per subscription. Additional roles can be added using Role-Based Access or (Access Control (IAM)) in the subscription tab in the upper left corner of the page of the [Azure portal](https://portal.azure.com).
-
-### Is it possible to transfer subscription ownership to another account?
-
-Yes, you can transfer subscription ownership to different account. For example, if an Account A has three subscriptions, the enterprise administrator is able to transfer one subscription to Account B, one to Account C, and one to Account D. Or they can transfer all subscriptions to Account E.
-
-To transfer subscriptions:
-
-1. In the Azure Enterprise portal, select **Manage** > **Account**.
-1. Hover over **Account** on the far right to see the **Transfer Ownership** (person icon) and **Transfer Subscription** (list icon) options. These options are only visible for active accounts.
-
-### Can an Azure account owner be listed under more than one department?
-
-No, an account owner can only be associated to a single department. The policy helps ensure accurate monitoring and apportioning of costs and spending associated to the department it's aligned with under the EA enrollment in the Azure EA Portal.
-
-### Can an Azure account owner be listed as a security group?
-
-No, a subscription owner must be a unique Microsoft account (MSA) or Azure Active Directory (Azure AD) authentication. To account for succession within your organization, you may consider creating generic accounts and using Azure AD to manage subscription access.
-
-### Can an individual user own multiple subscriptions?
-
-An Azure account owner can create and manage an unlimited number of subscriptions.
-
-### How can I access/view all my organization's subscriptions?
-
-Today this must be done by policy; meaning you would need to require that for every subscription created, your account is added to a subscription role using role-based access.
-
-### Where do I go to create a subscription?
-
-Before you can create an enterprise Azure (EA) offer subscription, your account must be added to the role of account owner by your EA enrollment's administrator in the Azure EA Portal. You'll then need to sign in to the Azure EA Portal to obtain your entitlement to create EA offer type subscriptions. We recommend that your first EA subscription is created from the '+ Add Subscription' link in the subscription tab on the EA Portal. However, once your account is entitled it may be easier to create subscriptions in portal.azure.com in the subscription tab in the upper left corner of the page, where you can both create and rename your subscription in a single step.
-
-### Who can create a subscription?
-
-To create an enterprise Azure offer type subscription, you must be entitled in the role of account owner on the [EA portal](https://ea.azure.com).
- ## Azure EA term glossary - **Account**: An organizational unit on the Azure Enterprise portal. It is used to administer subscriptions and for reporting.
To create an enterprise Azure offer type subscription, you must be entitled in t
## Next steps - Read about how [virtual machine reservations](ea-portal-vm-reservations.md) can help save you money.-- If you need help with troubleshooting Azure EA portal issues, see [Troubleshoot Azure EA portal access](ea-portal-troubleshoot.md).
+- If you need help with troubleshooting Azure EA portal issues, see [Troubleshoot Azure EA portal access](ea-portal-troubleshoot.md).
+- Read the [Cost Management + Billing FAQ](../cost-management-billing-faq.yml) for questions about EA subscription ownership.
cost-management-billing Ea Portal Get Started https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cost-management-billing/manage/ea-portal-get-started.md
For information on which REST APIs to use with your Azure enterprise enrollment
For explanations regarding the common tasks that a partner EA administrator accomplishes in the Azure EA portal, see [Azure EA portal administration for partners](./ea-partner-portal-administration.md).
-## Get started on Azure EA - FAQ
-
-This section provides details on typical questions asked by customers during the onboarding process.
-
-### I accidentally associated my existing Azure account with Azure EA enrollment. As a result, I lost my monthly credit. Can I get my monthly credit back?
-
-If you've signed in as an Azure EA account owner with the same credentials as your Visual Studio subscription, you can recover your individual Visual Studio subscription Azure benefit by performing one of the following actions:
--- Delete your account owner from the Azure Enterprise portal, after removing or moving any associated Azure subscriptions. Then, sign up for individual Visual Studio Azure benefits anew.-- Delete the Visual Studio subscriber from the administration site in VLSC, and reassign the subscription to an account with different credentials this time. Then, sign up for individual Visual Studio Azure benefits anew.-
-### What type of subscription should I create?
-
-The Azure Enterprise portal offers two types of subscriptions for enterprise customers:
--- Microsoft Azure Enterprise, which is ideal for:
- - All production usage
- - Best prices based on infrastructure spend
-
- For more information, [contact Azure sales](https://azure.microsoft.com/pricing/enterprise-agreement/).
--- Enterprise Dev/Test, which is ideal for:
- - All team dev/test workloads
- - Medium-to-heavy individual dev/test workloads
- - Access to special MSDN images and preferential service rates
-
- For more information, see [Enterprise Dev/Test offer](https://azure.microsoft.com/offers/ms-azr-0148p/).
-
-### My subscription name is the same as the offer name. Should I change the subscription name to something meaningful to my organization?
-
-When you create a subscription, the name defaults to the offer type you choose. We recommend that you change the subscription name to something that makes it easy for you to track the subscription.
-
-To change the name:
-
-1. Sign in to [https://account.windowsazure.com](https://account.windowsazure.com).
-1. Select the subscription list.
-1. Select the subscription you want to edit.
-1. Select the **Manage Subscription** icon.
-1. Edit subscription details.
-
-### How can I track costs incurred by a cost center?
-
-To track cost by cost center, you need to define the cost center at one of the following levels:
--- Department-- Account-- Subscription-
-Based on your needs, you can use the same cost center to track usage and costs associated with a particular cost center.
-
-For example, to track costs for a special project where multiple departments are involved, you might want to define the cost center at a subscription level to track the usage and costs.
-
-You can't define a cost center at the service level. If you want to track usage at the service level, you can use the _Tag_ feature available at the service level.
-
-### How do I track usage and spend by different departments in my organization?
-
-You can create as many departments as you need under your Azure EA enrollment. In order to track the usage correctly, ensure that you're not sharing subscriptions across departments.
-
-After you have created departments and subscriptions, you can see data in the usage report. This information can help you track usage and manage cost and spend at the department level.
-
-You can also access usage data via the reporting API. For detailed information and sample code, see [Azure Enterprise REST APIs](./ea-portal-rest-apis.md).
-
-### Can I set a spending quota and get alerts as I approach my limit?
-
-You can set a spending quota at department level and the system will automatically notify you as your spending limits meet 50%, 75%, 90%, and 100% of the quota you define.
-
-To define your spending quota, select a department and then select the edit icon. After you edit the spending limit details, select **Save**.
-
-### I used resource groups to implement RBAC and track usage. How can I view the associated usage details?
-
-If you use _resource groups_ and _tags_, this information is tracked at service level, and you can access it in the detailed usage download (CSV) file. See the [download usage report](https://ea.azure.com/report/downloadusage) in the Azure Enterprise portal.
-
-You can also access usage via API. For detailed information and sample code, see [Azure Enterprise REST APIs](./ea-portal-rest-apis.md).
-
-> [!NOTE]
-> You can only apply tags to resources that support Azure Resource Manager operations. If you created a virtual machine, virtual network, or storage through the classic deployment model (such as through the classic portal), you cannot apply a tag to that resource. You must re-deploy these resources through the Resource Manager to support tagging. All other resources support tagging.
-
-### Can I perform analyses using Power BI?
-
-Yes. With the Microsoft Azure Enterprise content pack for Power BI, you can:
--- Quickly import and analyze Azure consumption for your enterprise enrollment.-- Find out which department, account, or subscription consumed the most usage.-- Learn which service your organization used most.-- Track spending and usage trends.-
-To use Power BI:
-
-1. Go to the Power BI website.
-1. Sign in with a valid work or school account.
-
- The work or school account can be the same or different than what is used to access the enrollment through the Azure Enterprise portal.
-1. On the dashboard of services, choose the Microsoft Azure Enterprise tile, and select **Connect**.
-1. On the **Connect to Azure Enterprise** screen, enter:
- - Azure Environment URL: [https://ea.azure.com](https://ea.azure.com)
- - Number of Months: between 1 and 36
- - Enrollment Number: your enrollment number
-1. Select **Next**.
-1. Enter the API Key in the **Account Key** box.
-
- You can find the API key in the Azure Enterprise portal. Look under the **Download Usage** tab, and then select **API Access Key**. Copy it, and then paste the key into **Account Key** box in Power BI.
-
-Depending on the size of the data set, it can take between five and 30 minutes for the data to load in Power BI.
-
-Power BI reporting is available for Azure EA direct, partner, and indirect customers who are able to view billing information.
- ## Next steps
+- Read the [Cost Management + Billing FAQ](../cost-management-billing-faq.yml) for questions and answers about getting started with the EA portal.
- Azure Enterprise portal administrators should read [Azure Enterprise portal administration](ea-portal-administration.md) to learn about common administrative tasks. - If you need help with troubleshooting Azure Enterprise portal issues, see [Troubleshoot Azure Enterprise portal access](ea-portal-troubleshoot.md).
cost-management-billing Ea Portal Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cost-management-billing/manage/ea-portal-troubleshoot.md
Title: Troubleshoot Azure EA portal access
description: This article describes some common issues that can occur with an Azure Enterprise Agreement (EA) in the Azure EA portal. Previously updated : 08/20/2020 Last updated : 03/26/2021
Or, if you get an _Invalid User_ error, it might be because the wrong account ty
- If you need to check the primary alias, go to [https://account.live.com](https://account.live.com). Then, click **Your Info** and then click **Manage how to sign in to Microsoft**. Follow the prompts to verify an alternate email address and obtain a code to access sensitive information. Enter the security code. Select **Set it up later** if you don't want to set up two-factor authentication. - You'll see the **Manage how to sign in to Microsoft** page where you can view your account aliases. Check that the primary alias is the one that you're using to sign in to the Azure EA portal. If it isn't, you can make it your primary alias. Or, you can use the primary alias for Azure EA portal instead.
-## Azure EA Activation FAQ
-
-This section of the article outlines solutions to common issues around Azure EA Activation.
-
-### I didn't receive an activation email
-
-An activation email from the Azure EA portal is sent from *waep@microsoft.com*. If you didn't receive an activation email, check your spam or junk folder for the email. It's sent with _Invitation to View/Manage the Microsoft Azure service_subject_. It's sent to every newly added EA administrator.
-
-If you're sure that you've been set up as the EA administrator, you don't have to wait to receive the activation email to sign in to the Azure EA portal. Instead, you can go to https://ea.azure.com and sign in with your email address (work, school, or Microsoft account) and your password.
-
-### I would like to add a new EA administrator to my enrollment
-
-A new enterprise admin can be added by existing enterprise admins. If you are the EA administrator, please sign in to the EA portal > Click **Manage** > Click **+ Add Administrator** in the top-right corner to add a new EA administrator. Please ensure you have their email address and a preferred sign-in method, such as via work/school authentication or Microsoft Live ID to have the users added.
-
-If you are not the EA administrator, please reach out to your EA administrators in your company to request that they have you added to the enrollment. Once they have added you to the enrollment, you will receive an activation email.
-
-However, if the EA administrators are not able to assist you, we will be able to add you on their behalf if you can provide us with:
-- the enrollment number.-- email address to be added and authentication type (work/school/MS).-- an email approval from the EA administrator.-
-Once you have all the required information, please submit a request at [https://aka.ms/AzureEntSupport](https://aka.ms/AzureEntSupport).
-
-### I would like to update the first EA admin on the enrollment
-
-The first EA admin can be updated in volume licensing service center by updating the notice contact and online admin on the portal. It will take about 24 hours for the EA portal to update. Once it is updated, the new EA admin will receive activation email.
-
-If you do not have VLSC portal access or if your initial EA administrator can no longer manage the enrollment and has no access to EA portal, please submit a request at [https://aka.ms/AzureEntSupport](https://aka.ms/AzureEntSupport) to request for an update and provide the following information:
-- Enrollment number-- Email address to be added and authentication type (work/school/MS)-- Reason for changing initial EA administrator-- Email approval from initial EA administrator-
-### My current EA admin is no longer with the company
-
-An EA enrollment can have multiple EA administrators, you can reach out to another EA administrator to have new EA administrator/account owners/department admin added. However, if you are not clear on who is the EA administrator in your company or there is no other available EA administrator on the enrollment, please reach out to us with the following information:
-- Enrollment number-- Email address to be added and authentication type (work/school/MS)-- Providing information that current EA admin is no longer with the company-
-Please note that if there are other EA administrators on the enrollment, we will reach out to the EA administrators to request for approval on administrative changes on the enrollment.
-
-### My enrollment is showing in pending status. How do I activate my enrollment?
-
-Enrollments will be in pending status if the initial EA administrator has not logged on to the enrollment before. If you are the EA administrator, please sign in to the Azure EA portal. On the landing page with all your enrollment numbers, you may not see your pending enrollment. Please uncheck the "active" box on the top-right corner of your EA portal, this action would display the pending enrollment. Please click on the enrollment to access the information and once you have reached the Manage page of the enrollment, the status will be updated from Pending to Active.
-
-### Why is my account stuck in pending status?
-
-When new Account Owners (AO) are added to the enrollment for the first time, they will always show as "pending" under status. Upon receiving the activation welcome email, AO can sign in to activate their account. Signing in will update the account status from "pending" to "active".
-
-### I received an error when signing in to Azure EA portal
-
-There are a few possible reasons for an error message on Azure EA portal during signing in, please follow these troubleshooting steps:
-
- 1. Please ensure you are using the correct EA portal URL at [https://ea.azure.com](https://ea.azure.com).
- 1. Determine if your access to Azure EA portal is added as a work or school account or Microsoft Live ID. If you are using your work account, please enter your work email and work password. If you are using Microsoft Live ID, please enter your Live ID email and Microsoft Live ID password. If you have forgotten your Microsoft Live ID password, please have it reset at [https://account.live.com/password/reset](https://account.live.com/password/reset).
- 1. It is recommended that you use a private browser to sign in so that no cookies or cache from previous/existing sessions are retained. Clear cache, and use private browsing mode/incognito window to open [https://ea.azure.com](https://ea.azure.com).
- 1. If you are getting an Invalid User error when using a Microsoft account, it may be because you have multiple Microsoft accounts and the one that you are trying to sign in with is not the primary alias. To check the primary alias, go to account.live.com:
- - Go to "Your Info" > "Manage your sign-in email or phone number".
- - Follow the prompt on the screen to verify alternate email address and obtain a code to access sensitive information.
- - Enter the security code.
- - If you prefer to set up two-step authentication later, select "Set it up later".
- - You will land on the "Manage your account aliases" page where you will see the account aliases that you have. Double check that the primary alias is the one that you are using to log into Azure EA portal. If it is not, you can either make it your primary alias, or you will use the primary alias for EA portal instead.
-
-If the above troubleshooting steps failed, please submit a request at [https://aka.ms/AzureEntSupport](https://aka.ms/AzureEntSupport) with information such as:
-- The browsers and version used.-- Screenshot of the error message.-- URL of the page showing error. -- Date, time, and time zone of when the error occurs.-- In addition, it will help if you obtain a log file. Here are the steps to capture a network trace using the information below:
- 1. Open Internet Explorer.
- 1. Press F12, which will open a box at the bottom of IE.
- 1. Select the **Network** Tab.
- 1. Click on **Start Capturing**.
- 1. Perform the action that is causing the error.
- 1. Once you get the error, click on **Stop Capturing**.
- 1. Save the file and include the information in the support request.
- 1. Ensure that you provide your enrollment number and email address within the support request.
-
-### What is the difference between a work/school account and Microsoft account?
-
-**Microsoft account:** Accounts that have been associate to Live ID on [https://signup.live.com](https://signup.live.com).
-
-**Work/School account:** Only available to companies that have set up active directory with Federation to the Cloud and all accounts are on a single tenant. Users can be added with work/school authorization type if the company's internal active directory is federated to the cloud.
-
- From September 2016, Microsoft no longer allows work or school email addressed to be registered as Microsoft accounts. For more details, reference the following materials: [https://blogs.technet.microsoft.com/enterprisemobility/2016/09/15/cleaning-up-the-azure-ad-and-microsoft-account-overlap/](https://blogs.technet.microsoft.com/enterprisemobility/2016/09/15/cleaning-up-the-azure-ad-and-microsoft-account-overlap/).
-
- If your organization is not federated to the cloud, you will not be able to use your work or school email address. Please register or create a new email address and register it as a Microsoft account instead.
-
-### I forgot my password to Azure EA portal
-
-If you have forgotten your Microsoft Live ID password, please have it reset at [https://account.live.com/password/reset](https://account.live.com/password/reset).
-
-If you have forgotten your work password, please contact your company's IT administrator.
-
-### I have a valid work or school account but I can't add it to the EA Portal
-
-If you have a work or school account under a different tenant, please change the authorization level under enrollment details page to "Work or School Account Cross Tenant" and you will be able to add the account.
- ## Next steps - Azure EA portal administrators should read [Azure EA portal administration](ea-portal-administration.md) to learn about common administrative tasks.
+- Read the [Cost Management + Billing FAQ](../cost-management-billing-faq.yml) for questions and answers about common issues for Azure EA Activation.
cost-management-billing Link Partner Id Power Apps Accounts https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cost-management-billing/manage/link-partner-id-power-apps-accounts.md
Delete the linked partner ID
az managementpartner delete --partner-id 12345 ```
-## Frequently asked questions (FAQ)
-
-The following sections cover frequently asked questions about linking a partner ID to Power Apps accounts.
-
-### Who should link the partner ID?
-
-Any user from the partner organization who works on a customer's Power Apps resources can link the partner ID to the account. Ideally, the association in PAL should be done at the beginning of the project. However, it can be performed whenever you have access in the customer's directory.
-
-### Can a partner ID be changed after it's linked?
-
-Yes. A linked partner ID can be changed, added, or removed. One example for this situation might be when an employee from your company leaves your organization. Another example might be when a project or contract with the customer ends.
-
-### What if a user has an account in more than one customer tenant?
-
-The link between the partner ID and the account is done for each customer tenant. Link the partner ID in each customer tenant.
-
-### Can other partners or customers edit or remove the link to the partner ID?
-
-The link is associated at the user account level. Only you can edit or remove the link to the partner ID. The customer and other partners can't change the link to the partner ID.
-
-### Which MPN ID should I use if my company has multiple?
-
-Be sure to use the **Associated MPN ID** shown in your partner profile. It's usually the local account ID association with your organization.
-
-### How do I explain PAL to my customer?
-
-PAL enables Microsoft to identify and recognize those partners who are helping customers achieve business goals and realize value in the cloud. Customers must first provide a partner access to their Power Apps resource. Once access is granted, the partner's Microsoft Partner Network ID (MPN ID) is associated. This association helps Microsoft understand service providers and to refine the tools and programs needed to best support customers.
-
-### What data does PAL collect?
-
-The PAL association to existing credentials provides no new customer data to Microsoft. It provides the information to Microsoft where a partner is actively involved in a customer's Power Apps environments. Microsoft can attribute usage and influence from customer environment to partner organization based on the account's permissions (Power Apps role) and scope (tenant, Resource Group, Resource) provided to the partner by customer.
-
-### Does PAL association affect the security of a customer's Power Apps environment?
-
-PAL association only adds partner's MPN ID to the credential already provisioned. It doesn't alter any permissions (Power Apps role) or provide extra Power Apps service data to the partner or Microsoft.
- ### Next steps
+- Read the [Cost Management + Billing FAQ](../cost-management-billing-faq.yml) for questions and answers about linking a partner ID to Power Apps accounts.
- Join the discussion in the [Microsoft Partner Community](https://aka.ms/PALdiscussion) to receive updates or send feedback. - Read the [Low Code Application Development advanced specialization FAQ](https://assetsprod.microsoft.com/mpn/faq-low-code-app-development-advanced-specialization.pdf) for PAL-based Power Apps association for Low code application development advanced specialization.
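Review bot: With `## Frequently asked questions (FAQ)` removed, the unchanged `### Next steps` heading no longer has its parent H2 and now nests under whichever section precedes the CLI example. Promote it to `## Next steps` in this change. Also check that the deleted answers to "What data does PAL collect?" and "Does PAL association affect the security of a customer's Power Apps environment?" are carried over verbatim to the linked FAQ, since they are the statements customers rely on when deciding whether to grant a partner access.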
cost-management-billing Review Enterprise Agreement Bill https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cost-management-billing/understand/review-enterprise-agreement-bill.md
See [Power BI self-service sign up](https://powerbi.microsoft.com/documentation/
You can get the API key in the Azure Enterprise portal under the **Download Usage** tab. Select **API Access Key**, and then paste the key into the **Account Key** box. 1. Data takes approximately 5-30 minutes to load in Power BI, depending on the size of the data sets.
-## Reports FAQ
-
-This section addresses common questions about reports.
-
-### Why is my cost showing as $0?
-
-For **direct enrollment** customers, enterprise administrators can provide account owners and department administrators with access to cost/pricing information on the usage reports. Follow these steps:
-
-1. In the Azure Enterprise portal, select **Manage** on the left navigation.
-1. Select the blue pencil next to DA (department administrator) view charges.
-1. Select **Enabled** and save.
-1. Select the blue pencil next to AO (account owner) view charges.
-1. Select **Enabled** and save.
-
-> [!NOTE]
-> If you're an account owner or department administrator, contact your enterprise administrator to enable the pricing feature.
-
-For **indirect enrollment** customers, contact your partner to check that they've enabled the pricing feature for you. This can only be done by the partner. After you're enabled, you can view the cost and pricing on your enrollment as an enterprise administrator.
-
-Partners, if you want to enable the view charges feature for an account owner or a department administrator, follow the steps under **direct enrollment**.
-
-### Why is there no SKU information on my usage detail report?
-
-The usage detail report doesn't contain SKU information. The report does, however, contain usage information so you can download the price sheet report to obtain the SKU information.
-
-### Why doesn't the total amount on Azure Marketplace match the reports for usage summary and detail?
-
-The Azure Marketplace charges report shows only the usage-based charges. One-time fees aren't shown. See the usage summary page for the most up-to-date usage-based charges and one-time fees.
-
-### Why is there no information on my API report?
-
-API keys expire every six months. If you're having an issue, an enterprise administrator should generate a new API key. Remember to follow the steps on the API Report FAQ.
-
-### Why isn't my Power BI report working?
-
-For issues with Power BI, log a ticket with the [Power BI support team](https://support.powerbi.com).
-
-### Why don't my resource tags show on my reports
-
-Resource tags are managed on the Azure portal. You can contact the Azure subscription team in the [Azure portal](https://portal.azure.com). Follow the steps in the [How to create an Azure support request](../../azure-portal/supportability/how-to-create-azure-support-request.md) article.
-
-### Why does my resource rate change every day?
-
-The resource rate shown in the detailed usage report is a calculated value. It represents the average monthly rate that was charged for the service. The resource rate is calculated from the average of your monthly commitment and your monthly overage charges for a unit of service. The portion of usage charged against your commitment and overage rates change to the day the month closes. Thus, the listed resource rate also changes during the month. The resource rate locks on the fifth day following the end of the month.
- ### Glossary of processes for calculating the resource rate - **Total RAW Units:** Consumed quantity in the detailed usage report.
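Review bot: Deleting "Why does my resource rate change every day?" leaves the unchanged `### Glossary of processes for calculating the resource rate` section without the paragraph that explained what the resource rate is and that it locks on the fifth day after month end. Unlike the other two FAQ removals in this batch, no link to `../cost-management-billing-faq.yml` is added in this file, so readers get no pointer to the moved content. Add a short lead-in sentence above the glossary and a FAQ link, and make sure the "API keys expire every six months" guidance is kept somewhere reachable from the Power BI steps that ask for the API key.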
data-factory Connector Troubleshoot Guide https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-troubleshoot-guide.md
description: Learn how to troubleshoot connector issues in Azure Data Factory.
Previously updated : 02/08/2021 Last updated : 04/13/2021
Azure Cosmos DB calculates RUs, see [Request units in Azure Cosmos DB](../cosmos
- **Cause**: The Dynamics server is instable or inaccessible, or the network is experiencing issues. - **Recommendation**: For more details, check network connectivity or check the Dynamics server log. For further help, contact Dynamics support.++
+### Error code: DynamicsFailedToConnect
+
+ - **Message**: `Failed to connect to Dynamics: %message;`
+
+
+ - **Cause**: If you see `Office 365 auth with OAuth failed` in the error message, it means that your server might have some configurations not compatible with OAuth.
+
+ - **Recommendation**:
+ 1. Contact Dynamics support team with the detailed error message for help.
+ 1. Use the service principal authentication, and you can refer to this article: [Example: Dynamics online using Azure AD service-principal and certificate authentication](https://docs.microsoft.com/azure/data-factory/connector-dynamics-crm-office-365#example-dynamics-online-using-azure-ad-service-principal-and-certificate-authentication).
+
+
+ - **Cause**: If you see `Unable to retrieve authentication parameters from the serviceUri` in the error message, it means that either you input the wrong Dynamics service URL or proxy/firewall to intercept the traffic.
+
+ - **Recommendation**:
+ 1. Make sure you have put the correct service URI in the linked service.
+ 1. If you use the Self Hosted IR, make sure that the firewall/proxy does not intercept the requests to the Dynamics server.
+
+
+ - **Cause**: If you see `An unsecured or incorrectly secured fault was received from the other party` in the error message, it means that unexpected responses were gotten from the server side.
+
+ - **Recommendation**:
+ 1. Make sure your username and password are correct if you use the Office 365 authentication.
+ 1. Make sure you have input the correct service URI.
+ 1. If you use regional CRM URL (URL has a number after 'crm'), make sure you use the correct regional identifier.
+ 1. Contact the Dynamics support team for help.
+
+
+ - **Cause**: If you see `No Organizations Found` in the error message, it means that either your organization name is wrong or you used a wrong CRM region identifier in the service URL.
+
+ - **Recommendation**:
+ 1. Make sure you have input the correct service URI.
+ 1. If you use the regional CRM URL (URL has a number after 'crm'), make sure that you use the correct regional identifier.
+ 1. Contact the Dynamics support team for help.
+
+
+ - **Cause**: If you see `401 Unauthorized` and AAD-related error message, it means that there's an issue with the service principal.
+
+ - **Recommendation**: Follow the guidance in the error message to fix the service principal issue.
+
+
+ - **Cause**: For other errors, usually the issue is on the server side.
+
+ - **Recommendation**: Use [XrmToolBox](https://www.xrmtoolbox.com/) to make connection. If the error persists, contact the Dynamics support team for help.
+
+
+### Error code: DynamicsOperationFailed
+
+- **Message**: `Dynamics operation failed with error code: %code;, error message: %message;.`
+
+- **Cause**: The operation failed on the server side.
+
+- **Recommendation**: Extract the error code of the dynamics operation from the error message: `Dynamics operation failed with error code: {code}`, and refer to the article [Web service error codes](https://docs.microsoft.com/powerapps/developer/data-platform/org-service/web-service-error-codes) for more detailed information. You can contact the Dynamics support team if necessary.
+
+
+### Error code: DynamicsInvalidFetchXml
+- **Message**: `The Fetch Xml query specified is invalid.`
+
+- **Cause**: There is an error existed in the fetch XML.
+
+- **Recommendation**: Fix the error in the fetch XML.
+
+
+### Error code: DynamicsMissingKeyColumns
+
+- **Message**: `Input DataSet must contain keycolumn(s) in Upsert/Update scenario. Missing key column(s): %column;`
+
+- **Cause**: The source data does not contain the key column for the sink entity.
+
+- **Recommendation**: Confirm that key columns are in the source data or map a source column to the key column on the sink entity.
+
+
+### Error code: DynamicsPrimaryKeyMustBeGuid
+
+- **Message**: `The primary key attribute '%attribute;' must be of type guid.`
+
+- **Cause**: The type of the primary key column is not 'Guid'.
+
+- **Recommendation**: Make sure that the primary key column in the source data is of 'Guid' type.
+
+
+### Error code: DynamicsAlternateKeyNotFound
+
+- **Message**: `Cannot retrieve key information of alternate key '%key;' for entity '%entity;'.`
+
+- **Cause**: The provided alternate key does not exist, which may be caused by wrong key names or insufficient permissions.
+
+- **Recommendation**: <br/>
+ 1. Fix typos in the key name.<br/>
+ 1. Make sure that you have sufficient permissions on the entity.
+
+
+### Error code: DynamicsInvalidSchemaDefinition
+
+- **Message**: `The valid structure information (column name and type) are required for Dynamics source.`
+
+- **Cause**: Sink columns in the column mapping miss the 'type' property.
+
+- **Recommendation**: You can add the 'type' property to those columns in the column mapping by using JSON editor on the portal.
+ ## FTP
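Review bot: In `DynamicsFailedToConnect`, the cause given for `Unable to retrieve authentication parameters from the serviceUri` is ungrammatical and ambiguous: "either you input the wrong Dynamics service URL or proxy/firewall to intercept the traffic". Suggest "either the Dynamics service URL is wrong or a proxy/firewall is intercepting the traffic". In the same section, the `401 Unauthorized` recommendation ("Follow the guidance in the error message") gives the reader nothing to act on, so say what to check on the service principal. Smaller points: this section's bullets carry a leading space that the sections from `DynamicsOperationFailed` onward do not, both new article links are absolute `https://docs.microsoft.com/...` URLs while the surrounding file uses relative links, and "There is an error existed in the fetch XML" under `DynamicsInvalidFetchXml` should read "The fetch XML contains an error".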
data-factory Data Flow Troubleshoot Connector Format https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/data-flow-troubleshoot-connector-format.md
+
+ Title: Troubleshoot connector and format issues in mapping data flows
+description: Learn how to troubleshoot data flow problems related to connector and format in Azure Data Factory.
++++ Last updated : 04/12/2021+++
+# Troubleshoot connector and format issues in mapping data flows in Azure Data Factory
++
+This article explores troubleshooting methods related to connector and format for mapping data flows in Azure Data Factory (ADF).
++
+## Cosmos DB & JSON
+
+### Support customized schemas in the source
+
+#### Symptoms
+When you want to use the ADF data flow to move or transfer data from Cosmos DB/JSON into other data stores, some columns of the source data may be missed. 
+
+#### Cause 
+For the schema free connectors (the column number, column name and column data type of each row can be different when comparing with others), by default, ADF uses sample rows (for example, top 100 or 1000 rows data) to infer the schema, and the inferred result will be used as a schema to read data. So if your data stores have extra columns that don't appear in sample rows, the data of these extra columns are not read, moved or transferred into sink data stores.
+
+#### Recommendation
+To overwrite the default behavior and bring in additional fields, ADF provides options for you to customize the source schema. You can specify additional/missing columns that could be missing in schema-infer-result in the data flow source projection to read the data, and you can apply one of the following options to set the customized schema. Usually, **Option-1** is more preferred.
+
+- **Option-1**: Compared with the original source data that may be one large file, table or container that contains millions of rows with complex schemas, you can create a temporary table/container with a few rows that contain all the columns you want to read, and then move on to the following operation: 
+
+ 1. Use the data flow source **Debug Settings** to have **Import projection** with sample files/tables to get the complete schema. You can follow the steps in the following picture:<br/>
+
+ ![Screenshot that shows the Option-1-1 of the Recommendation](./media/data-flow-troubleshoot-connector-format/customize-schema-option-1-1.png)<br/>
+ 1. Select **Debug settings** in the data flow canvas.
+ 1. In the pop-up pane, select **Sample table** under the **cosmosSource** tab.
+ 1. Enter the name of your table in the **Table** block.
+ 1. Select **Save** to save your settings.
+ 1. Select **Import projection**.<br/>
+
+ 1. Change the **Debug Settings** back to use the source dataset for the remaining data movement/transformation. You can move on with the steps in the following picture:<br/>
+
+ ![Screenshot that shows the Option-1-2 of the Recommendation](./media/data-flow-troubleshoot-connector-format/customize-schema-option-1-2.png) <br/>
+ 1. Select **Debug settings** in the data flow canvas.
+ 1. In the pop-up pane, select **Source dataset** under the **cosmosSource** tab.
+ 1. Select **Save** to save your settings.<br/>
+
+ Afterwards, the ADF data flow runtime will honor and use the customized schema to read data from the original data store. <br/>
+
+- **Option-2**: If you are familiar with the schema and DSL language of the source data, you can manually update the data flow source script to add additional/missed columns to read the data. An example is shown in the following picture:
+
+ ![Screenshot that shows the Option-2 of the Recommendation](./media/data-flow-troubleshoot-connector-format/customize-schema-option-2.png)
+
+## Next steps
+For more help with troubleshooting, see these resources:
+
+* [Troubleshoot mapping data flows in Azure Data Factory](data-flow-troubleshoot-guide.md)
+* [Data Factory blog](https://azure.microsoft.com/blog/tag/azure-data-factory/)
+* [Data Factory feature requests](https://feedback.azure.com/forums/270578-data-factory)
+* [Azure videos](https://azure.microsoft.com/resources/videos/index/?sort=newest&services=data-factory)
+* [Stack Overflow forum for Data Factory](https://stackoverflow.com/questions/tagged/azure-data-factory)
+* [Twitter information about Data Factory](https://twitter.com/hashtag/DataFactory)
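Review bot: Option-2 tells the reader to "manually update the data flow source script to add additional/missed columns" but shows the script only as a screenshot (`customize-schema-option-2.png`), so it cannot be copied, searched, or read by a screen reader. Add the example script as text next to the image. The opening sentence of Option-1 is also a dangling comparison ("Compared with the original source data that may be one large file ..., you can create a temporary table/container"); rephrase it as "Instead of importing the schema from the original source, which may be ..., create a temporary table/container ...". "DSL language" is redundant, and "may be missed" under Symptoms should be "may be missing".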
data-factory Parameters Data Flow https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/parameters-data-flow.md
Previously updated : 05/01/2020 Last updated : 04/19/2021 # Parameterizing mapping data flows [!INCLUDE[appliesto-adf-asa-md](includes/appliesto-adf-asa-md.md)]
-Mapping data flows in Azure Data Factory support the use of parameters. Define parameters inside of your data flow definition and use them throughout your expressions. The parameter values are set by the calling pipeline via the Execute Data Flow activity. You have three options for setting the values in the data flow activity expressions:
+Mapping data flows in Azure Data Factory and Azure Synapse Analytics support the use of parameters. Define parameters inside of your data flow definition and use them throughout your expressions. The parameter values are set by the calling pipeline via the Execute Data Flow activity. You have three options for setting the values in the data flow activity expressions:
* Use the pipeline control flow expression language to set a dynamic value * Use the data flow expression language to set a dynamic value
ddos-protection Ddos Disaster Recovery Guidance https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/ddos-protection/ddos-disaster-recovery-guidance.md
+
+ Title: Azure DDoS Protection Standard business continuity | Microsoft Docs
+description: Learn what to do in the event of an Azure service disruption impacting Azure DDoS Protection Standard.
+
+documentationcenter: na
++
+ms.devlang: na
+ na
+ Last updated : 04/16/2021+++
+# Azure DDoS Protection Standard ΓÇô business continuity
+
+Business continuity and disaster recovery in Azure DDoS Protection Standard enables your business to continue operating in the face of a disruption. This article discusses availability (intra-region) and disaster recovery.
+
+## Overview
+Azure DDoS Protection Standard protects public IP addresses in virtual networks. Protection is simple to enable on any new or existing virtual network and does not require any application or resource changes.
+
+A Virtual Network (VNet) is a logical representation of your network in the cloud. VNets serve as a trust boundary to host your resources such as Azure Application Gateway, Azure Firewall and Azure Virtual Machines. It is created within the scope of a region. You can *create* VNets with same address space in two different regions (For example, US East and US West), but because they have the same address space, you can't connect them together.
+
+## Business continuity
+
+There could be several different ways that your application could be disrupted. A region could be completely cut off due to a natural disaster, or a partial disaster, due to a failure of multiple devices or services. The impact on your protected VNets is different in each of these situations.
+
+**Q: If an outage occurs for an entire region, what do I do? For example, if a region is completely cut off due to a natural disaster? What happens to the virtual networks hosted in the region?**
+
+A: The virtual network and the resources in the affected region remains inaccessible during the time of the service disruption.
+
+![Simple Virtual Network Diagram.](../virtual-network/media/virtual-network-disaster-recovery-guidance/vnet.png)
+
+**Q: What can I to do re-create the same virtual network in a different region?**
+
+A: Virtual networks are fairly lightweight resources. You can invoke Azure APIs to create a VNet with the same address space in a different region. To recreate the same environment that was present in the affected region, you make API calls to redeploy the resources in the VNets that you had. If you have on-premises connectivity, such as in a hybrid deployment, you have to deploy a new VPN Gateway, and connect to your on-premises network.
+
+To create a virtual network, see [Create a virtual network](../virtual-network/manage-virtual-network.md#create-a-virtual-network).
+
+**Q: Can a replica of a VNet in a given region be re-created in another region ahead of time?**
+
+A: Yes, you can create two VNets using the same private IP address space and resources in two different regions ahead of time. If you are hosting internet-facing services in the VNet, you could have set up Traffic Manager to geo-route traffic to the region that is active. However, you cannot connect two VNets with the same address space to your on-premises network, as it would cause routing issues. At the time of a disaster and loss of a VNet in one region, you can connect the other VNet in the available region, with the matching address space to your on-premises network.
+
+To create a virtual network, see [Create a virtual network](../virtual-network/manage-virtual-network.md#create-a-virtual-network).
+
+## Next steps
+
+- Learn how to [create a DDoS protection plan](manage-ddos-protection.md).
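Review bot: The three Q&As under "Business continuity" never mention DDoS Protection. The description promises guidance for "an Azure service disruption impacting Azure DDoS Protection Standard", but the answers only cover re-creating a VNet in another region, address-space overlap, and VPN Gateway redeployment. State whether a VNet re-created in another region must be associated with a DDoS protection plan again, and whether its public IP addresses are protected during failover. Otherwise a reader following these steps can bring up the replica VNet with no indication of its protection status. Also fix "What can I to do re-create" and "the resources in the affected region remains", and drop one of the two identical "To create a virtual network" lines.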
digital-twins How To Integrate Logic Apps https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/how-to-integrate-logic-apps.md
Next, you'll configure the connector you've created to reach Azure Digital Twins
First, download a custom Azure Digital Twins Swagger that has been modified to work with Logic Apps. Download the **Azure Digital Twins custom Swaggers (Logic Apps connector)** sample from [**this link**](/samples/azure-samples/digital-twins-custom-swaggers/azure-digital-twins-custom-swaggers/) by hitting the *Download ZIP* button. Navigate to the downloaded *Azure_Digital_Twins_custom_Swaggers__Logic_Apps_connector_.zip* folder and unzip it.
-The custom Swagger for this tutorial is located in the _**Azure_Digital_Twins_custom_Swaggers__Logic_Apps_connector_\LogicApps**_ folder. This folder contains subfolders called *stable* and *preview*, both of which hold different versions of the Swagger organized by date. The folder with the most recent date will contain the latest copy of the Swagger. Whichever version you select, the Swagger file is named _**digitaltwins.json**_.
+The custom Swagger for this tutorial is located in the ***Azure_Digital_Twins_custom_Swaggers__Logic_Apps_connector_\LogicApps*** folder. This folder contains subfolders called *stable* and *preview*, both of which hold different versions of the Swagger organized by date. The folder with the most recent date will contain the latest copy of the Swagger. Whichever version you select, the Swagger file is named _**digitaltwins.json**_.
> [!NOTE] > Unless you're working with a preview feature, it's generally recommended to use the most recent *stable* version of the Swagger. However, earlier versions and preview versions of the Swagger are also still supported.
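Review bot: The folder path is switched to `***...***` emphasis, but the file name at the end of the same paragraph still uses `_**digitaltwins.json**_`, so the two markers are now inconsistent within one paragraph. The path also contains double underscores and a trailing `_\LogicApps`, which are fragile inside emphasis markers. Using inline code for both the folder path and the file name avoids both problems.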
For more about querying your Azure Digital Twins instance, see [*How-to: Query t
In this article, you created a logic app that regularly updates a twin in your Azure Digital Twins instance with a patch that you provided. You can try out selecting other APIs in the custom connector to create Logic Apps for a variety of actions on your instance.
-To read more about the APIs operations available and the details they require, visit [*How-to: Use the Azure Digital Twins APIs and SDKs*](how-to-use-apis-sdks.md).
+To read more about the APIs operations available and the details they require, visit [*How-to: Use the Azure Digital Twins APIs and SDKs*](how-to-use-apis-sdks.md).
digital-twins Reference Service Limits https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/reference-service-limits.md
description: Chart showing the limits of the Azure Digital Twins service. Previously updated : 05/05/2020 Last updated : 04/08/2021
expressroute Expressroute Monitoring Metrics Alerts https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/expressroute/expressroute-monitoring-metrics-alerts.md
Title: 'Azure ExpressRoute: Monitoring, Metrics, and Alerts'
description: Learn about Azure ExpressRoute monitoring, metrics, and alerts using Azure Monitor, the one stop shop for all metrics, alerting, diagnostic logs across Azure. - Previously updated : 01/11/2020 Last updated : 04/07/2021
This article helps you understand ExpressRoute monitoring, metrics, and alerts u
## ExpressRoute metrics
-To view **Metrics**, navigate to the *Azure Monitor* page and click *Metrics*. To view **ExpressRoute** metrics, filter by Resource Type *ExpressRoute circuits*. To view **Global Reach** metrics, filter by Resource Type *ExpressRoute circuits* and select an ExpressRoute circuit resource that has Global Reach enabled. To view **ExpressRoute Direct** metrics, filter Resource Type by *ExpressRoute Ports*.
+To view **Metrics**, navigate to the *Azure Monitor* page and select *Metrics*. To view **ExpressRoute** metrics, filter by Resource Type *ExpressRoute circuits*. To view **Global Reach** metrics, filter by Resource Type *ExpressRoute circuits* and select an ExpressRoute circuit resource that has Global Reach enabled. To view **ExpressRoute Direct** metrics, filter Resource Type by *ExpressRoute Ports*.
Once a metric is selected, the default aggregation will be applied. Optionally, you can apply splitting, which will show the metric with different dimensions.
+### Aggregation Types:
+
+Metrics explorer supports SUM, MAX, MIN, AVG and COUNT as [aggregation types](../azure-monitor/essentials/metrics-charts.md#aggregation). You should use the recommended Aggregation type when reviewing the insights for each ExpressRoute metrics.
+
+* Sum: The sum of all values captured during the aggregation interval.
+* Count: The number of measurements captured during the aggregation interval.
+* Average: The average of the metric values captured during the aggregation interval.
+* Min: The smallest value captured during the aggregation interval.
+* Max: The largest value captured during the aggregation interval.
+ ### Available Metrics |**Metric**|**Category**|**Dimension(s)**|**Feature(s)**| | | | | | |ARP Availability|Availability|<ui><li>Peer (Primary/Secondary ExpressRoute router)</ui></li><ui><li> Peering Type (Private/Public/Microsoft)</ui></li>|ExpressRoute|
-|Bgp Availability|Availability|<ui><li> Peer (Primary/Secondary ExpressRoute router)</ui></li><ui><li> Peering Type</ui></li>|ExpressRoute|
+|BGP Availability|Availability|<ui><li> Peer (Primary/Secondary ExpressRoute router)</ui></li><ui><li> Peering Type</ui></li>|ExpressRoute|
|BitsInPerSecond|Traffic|<ui><li> Peering Type (ExpressRoute)</ui></li><ui><li>Link (ExpressRoute Direct)</ui></li>|<li>ExpressRoute</li><li>ExpressRoute Direct</li><ui><li>ExpressRoute Gateway Connection</ui></li>| |BitsOutPerSecond|Traffic| <ui><li>Peering Type (ExpressRoute)</ui></li><ui><li> Link (ExpressRoute Direct) |<ui><li>ExpressRoute<ui><li>ExpressRoute Direct</ui></li><ui><li>ExpressRoute Gateway Connection</ui></li>| |CPU Utilization|Performance| <ui><li>Instance</ui></li>|ExpressRoute Virtual Network Gateway|
Once a metric is selected, the default aggregation will be applied. Optionally,
### Bits In and Out - Metrics across all peerings
+Aggregation type: *Avg*
+ You can view metrics across all peerings on a given ExpressRoute circuit. :::image type="content" source="./media/expressroute-monitoring-metrics-alerts/ermetricspeering.jpg" alt-text="circuit metrics"::: ### Bits In and Out - Metrics per peering
+Aggregation type: *Avg*
+ You can view metrics for private, public, and Microsoft peering in bits/second. :::image type="content" source="./media/expressroute-monitoring-metrics-alerts/erpeeringmetrics.jpg" alt-text="metrics per peering"::: ### BGP Availability - Split by Peer
-You can view near to real-time availability of BGP across peerings and peers (Primary and Secondary ExpressRoute routers). This dashboard shows the Primary BGP session up for private peering and the Second BGP session down for private peering.
+Aggregation type: *Avg*
+
+You can view near to real-time availability of BGP (Layer-3 connectivity) across peerings and peers (Primary and Secondary ExpressRoute routers). This dashboard shows the Primary BGP session status is up for private peering and the Second BGP session status is down for private peering.
:::image type="content" source="./media/expressroute-monitoring-metrics-alerts/erBgpAvailabilityMetrics.jpg" alt-text="BGP availability per peer"::: ### ARP Availability - Split by Peering
-You can view near to real-time availability of [ARP](./expressroute-troubleshooting-arp-resource-manager.md) across peerings and peers (Primary and Secondary ExpressRoute routers). This dashboard shows the Private Peering ARP session up across both peers, but complete down for Microsoft peering across peerings. The default aggregation (Average) was utilized across both peers.
+Aggregation type: *Avg*
+
+You can view near to real-time availability of [ARP](./expressroute-troubleshooting-arp-resource-manager.md) (Layer-3 connectivity) across peerings and peers (Primary and Secondary ExpressRoute routers). This dashboard shows the Private Peering ARP session status is up across both peers, but down for Microsoft peering for both peers. The default aggregation (Average) was utilized across both peers.
:::image type="content" source="./media/expressroute-monitoring-metrics-alerts/erArpAvailabilityMetrics.jpg" alt-text="ARP availability per peer":::
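Review bot: The added parenthetical in the ARP paragraph labels ARP as "(Layer-3 connectivity)", the same label the preceding hunk gives BGP. ARP resolves IP addresses to MAC addresses on the link and indicates Layer-2 reachability, so this should read "(Layer-2 connectivity)". Otherwise a reader cannot use the two metrics to tell a link-layer failure from a routing-session failure. The sentence "down for Microsoft peering for both peers" is clearer than the old wording and can stay.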
You can view near to real-time availability of [ARP](./expressroute-troubleshoot
### Admin State - Split by link
-You can view the admin state for each link of the ExpressRoute Direct port pair.
+Aggregation type: *Avg*
+
+You can view the Admin state for each link of the ExpressRoute Direct port pair. The Admin state represents if the physical port is on or off. This state is required to pass traffic across the ExpressRoute Direct connection.
:::image type="content" source="./media/expressroute-monitoring-metrics-alerts/adminstate-per-link.jpg" alt-text="ER Direct admin state"::: ### Bits In Per Second - Split by link
-You can view the bits in per second across both links of the ExpressRoute Direct port pair.
+Aggregation type: *Avg*
+
+You can view the bits in per second across both links of the ExpressRoute Direct port pair. Monitor this dashboard to compare inbound bandwidth for both links.
:::image type="content" source="./media/expressroute-monitoring-metrics-alerts/bits-in-per-second-per-link.jpg" alt-text="ER Direct bits in per second"::: ### Bits Out Per Second - Split by link
-You can also view the bits out per second across both links of the ExpressRoute Direct port pair.
+Aggregation type: *Avg*
+
+You can also view the bits out per second across both links of the ExpressRoute Direct port pair. Monitor this dashboard to compare outbound bandwidth for both links.
:::image type="content" source="./media/expressroute-monitoring-metrics-alerts/bits-out-per-second-per-link.jpg" alt-text="ER Direct bits out per second"::: ### Line Protocol - Split by link
-You can view the line protocol across each link of the ExpressRoute Direct port pair.
+Aggregation type: *Avg*
+
+You can view the line protocol across each link of the ExpressRoute Direct port pair. The Line Protocol indicates if the physical link is up and running over ExpressRoute Direct. Monitor this dashboard and set alerts to know when the physical connection has gone down.
:::image type="content" source="./media/expressroute-monitoring-metrics-alerts/line-protocol-per-link.jpg" alt-text="ER Direct line protocol"::: ### Rx Light Level - Split by link
-You can view the Rx light level (the light level that the ExpressRoute Direct port is **receiving**) for each port. Healthy Rx light levels generally fall within a range of -10 to 0 dBm
+Aggregation type: *Avg*
+
+You can view the Rx light level (the light level that the ExpressRoute Direct port is **receiving**) for each port. Healthy Rx light levels generally fall within a range of -10 dBm to 0 dBm. Set alerts to be notified if the Rx light level falls outside of the healthy range.
:::image type="content" source="./media/expressroute-monitoring-metrics-alerts/rxlight-level-per-link.jpg" alt-text="ER Direct line Rx Light Level"::: ### Tx Light Level - Split by link
-You can view the Tx light level (the light level that the ExpressRoute Direct port is **transmitting**) for each port. Healthy Tx light levels generally fall within a range of -10 to 0 dBm
+Aggregation type: *Avg*
+
+You can view the Tx light level (the light level that the ExpressRoute Direct port is **transmitting**) for each port. Healthy Tx light levels generally fall within a range of -10 dBm to 0 dBm. Set alerts to be notified if the Tx light level falls outside of the healthy range.
:::image type="content" source="./media/expressroute-monitoring-metrics-alerts/txlight-level-per-link.jpg" alt-text="ER Direct line Tx Light Level"::: ## ExpressRoute Virtual Network Gateway Metrics
+Aggregation type: *Avg*
+
+When you deploy an ExpressRoute gateway, Azure manages the compute and functions of your gateway. There are six gateway metrics available to you to better understand the performance of your gateway:
+
+* CPU Utilization
+* Packets per seconds
+* Count of routes advertised to peers
+* Count of routes learned from peers
+* Frequency of routes changed
+* Number of VMs in the virtual network
+
+It's highly recommended you set alerts for each of these metrics so that you are aware of when your gateway could be seeing performance issues.
+ ### CPU Utilization - Split Instance
-You can view CPU utilization of the gateway instances.
+Aggregation type: *Avg*
+
+You can view the CPU utilization of each gateway instance. The CPU utilization may spike briefly during routine host maintenance but prolong high CPU utilization could indicate your gateway is reaching a performance bottleneck. Increasing the size of the ExpressRoute gateway may resolve this issue. Set an alert for how frequent the CPU utilization exceeds a certain threshold.
### Packets Per Second - Split by Instance
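Review bot: the `+Aggregation type: *Avg*` line added directly under the "ExpressRoute Virtual Network Gateway Metrics" heading applies one aggregation to an overview section whose metrics use different ones further down (*Count*, *Max*, *Sum*), so it should be dropped from the overview and left on the per-metric sections. In the same region, the list item reads "Packets per seconds" and the new heading reads "CPU Utilization - Split Instance", while the other headings use "Split by Instance". The CPU paragraph also has "prolong high CPU utilization" (should be "prolonged") and "how frequent" (should be "how frequently"). The alert advice would be more actionable if it said what to alert on, for example sustained utilization above a threshold over a time window, rather than "a certain threshold".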
-You can view packets per second traversing the gateway.
+Aggregation type: *Avg*
+
+This metric captures the number of inbound packets traversing the ExpressRoute gateway. You should expect to see a consistent stream of data here if your gateway is receiving traffic from your on-premises network. Set an alert for when the number of packets per second drops below a threshold indicating that your gateway is no longer receiving traffic.
### Count of Routes Advertised to Peer - Split by Instance
-You can view the number of routes advertised to the ExpressRoute circuit.
+Aggregation type: *Count*
+This metric is the count for the number of routes the ExpressRoute gateway is advertising to the circuit. The address spaces may include virtual networks that are connected using VNet peering and uses remote ExpressRoute gateway. You should expect the number of routes to remain consistent unless there are frequent changes to the virtual network address spaces. Set an alert for when the number of advertised routes drop below the threshold for the number of virtual network address spaces you're aware of.
+ ### Count of Routes Learned from Peer - Split by Instance
-You can view the number of routes received from the ExpressRoute circuit.
+Aggregation type: *Max*
+
+This metric shows the number of routes the ExpressRoute gateway is learning from peers connected to the ExpressRoute circuit. These routes can be either from another virtual network connected to the same circuit or learned from on-premises. Set an alert for when the number of learned routes drop below a certain threshold. This could indicate either the gateway is seeing a performance problem or remote peers are no longer advertising routes to the ExpressRoute circuit.
### Frequency of Routes change - Split by Instance
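Review bot: in the "Count of Routes Advertised to Peer" addition, `+Aggregation type: *Count*` is followed immediately by the paragraph with no blank `+` line, unlike the other sections, so the two will render as one run-on paragraph. The two route-count metrics also use different aggregations (*Count* for advertised, *Max* for learned); please confirm that difference is intended, since readers will copy these into alert rules. Wording nits in the same lines: "and uses remote ExpressRoute gateway" should be "and use a remote ExpressRoute gateway", and "number of advertised routes drop" and "number of learned routes drop" should both be "drops". The learned-routes alert is the one operators will rely on to notice a peer that has stopped advertising, so it is worth saying that the threshold should be based on the known baseline route count.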
-You can view the frequency of which the route changes on the gateway.
+Aggregation type: *Sum*
+
+This metric shows the frequency of routes being learned from or advertised to remote peers. You should first investigate your on-premises devices to understand why the network is changing so frequently. A high frequency in routes change could indicate a performance problem on the ExpressRoute gateway where scaling the gateway SKU up may resolve the problem. Set an alert for a frequency threshold to be aware of when your ExpressRoute gateway is seeing abnormal route changes.
### Number of VMs in the Virtual Network
-You can view the number of virtual machines in the virtual network.
+Aggregation type: *Max*
+This metric shows the number of virtual machines that are using the ExpressRoute gateway. The number of virtual machines may include VMs from peered virtual networks that use the same ExpressRoute gateway. Set an alert for this metric if the number of VMs goes above a certain threshold that could affect the gateway performance.
+ ## ExpressRoute gateway connections in bits/seconds
+Aggregation type: *Avg*
+
+This metric shows the bandwidth usage for a specific connection to an ExpressRoute circuit.
+ ## Alerts for ExpressRoute gateway connections
-1. In order to configure alerts, navigate to **Azure Monitor**, then select **Alerts**.
+1. To configure alerts, navigate to **Azure Monitor**, then select **Alerts**.
:::image type="content" source="./media/expressroute-monitoring-metrics-alerts/eralertshowto.jpg" alt-text="alerts":::
-2. Click **+Select Target** and select the ExpressRoute gateway connection resource.
+2. Select **+Select Target** and select the ExpressRoute gateway connection resource.
:::image type="content" source="./media/expressroute-monitoring-metrics-alerts/alerthowto2.jpg" alt-text="target"::: 3. Define the alert details.
In the **Alert Criteria**, you can select **Activity Log** for the Signal Type a
:::image type="content" source="./media/expressroute-monitoring-metrics-alerts/alertshowto6activitylog.jpg" alt-text="activity logs":::
-## Additional metrics in Log Analytics
+## More metrics in Log Analytics
You can also view ExpressRoute metrics by navigating to your ExpressRoute circuit resource and selecting the *Logs* tab. For any metrics you query, the output will contain the columns below.
frontdoor Quickstart Create Front Door Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/frontdoor/quickstart-create-front-door-cli.md
ms.devlang: na
na Previously updated : 09/21/2020 Last updated : 4/19/2021
Get started with Azure Front Door by using Azure CLI to create a highly availabl
The Front Door directs web traffic to specific resources in a backend pool. You defined the frontend domain, add resources to a backend pool, and create a routing rule. This article uses a simple configuration of one backend pool with two web app resources and a single routing rule using default path matching "/*". + ## Prerequisites - An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
az group create \
--location centralus az group create \
- --name myRGFDSouthCentral \
- --location southcentralus
+ --name myRGFDEast \
+ --location eastus
``` ## Create two instances of a web app
If you don't already have a web app, use the following script to set up two exam
### Create app service plans
-Before you can create the web apps you will need two app service plans, one in *Central US* and the second in *South Central US*.
+Before you can create the web apps you will need two app service plans, one in *Central US* and the second in *East US*.
Create app service plans with [az appservice plan create](/cli/azure/appservice/plan#az_appservice_plan_create&preserve-view=true):
az appservice plan create \
--resource-group myRGFDCentral az appservice plan create \name myAppServicePlanSouthCentralUS \resource-group myRGFDSouthCentral
+--name myAppServicePlanEastUS \
+--resource-group myRGFDEast
``` ### Create web apps
Create web app with [az webapp create](/cli/azure/webapp#az_webapp_create&preser
```azurecli-interactive az webapp create \name WebAppContoso1 \
+--name WebAppContoso-1 \
--resource-group myRGFDCentral \ --plan myAppServicePlanCentralUS az webapp create \name WebAppContoso2 \resource-group myRGFDSouthCentral \plan myAppServicePlanSouthCentralUS
+--name WebAppContoso-2 \
+--resource-group myRGFDEast \
+--plan myAppServicePlanEastUS
``` Make note of the default host name of each web app so you can define the backend addresses when you deploy the Front Door in the next step.
az network front-door create \
--resource-group myRGFDCentral \ --name contoso-frontend \ --accepted-protocols http https \backend-address webappcontoso1.azurewebsites.net webappcontoso2.azurewebsites.net
+--backend-address webappcontoso-1.azurewebsites.net webappcontoso-2.azurewebsites.net
``` **--resource-group:** Specify a resource group where you want to deploy the Front Door.
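Review bot: the new `--backend-address` line hard-codes `webappcontoso-1.azurewebsites.net` and `webappcontoso-2.azurewebsites.net`, but the preceding step tells the reader to note the default host name of each web app, and the portal version of this quickstart asks for a unique web app name. A reader who had to pick different names will paste these values and point the Front Door at hosts they do not own. Suggest placeholders here and a sentence saying to substitute the host names recorded in the previous step. Not part of this change, but visible in the context line: `--accepted-protocols http https` accepts plain HTTP at the frontend, which deserves a sentence on whether that is intended beyond the quickstart.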
az group delete \
--name myRGFDCentral az group delete \name myRGFDSouthCentral
+--name myRGFDEast
``` ## Next steps
frontdoor Quickstart Create Front Door https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/frontdoor/quickstart-create-front-door.md
documentationcenter: na
Previously updated : 09/16/2020 Last updated : 04/19/2021
Get started with Azure Front Door by using the Azure portal to set up high avail
In this quickstart, Azure Front Door pools two instances of a web application that run in different Azure regions. You create a Front Door configuration based on equal weighted and same priority backends. This configuration directs traffic to the nearest site that runs the application. Azure Front Door continuously monitors the web application. The service provides automatic failover to the next available site when the nearest site is unavailable. + ## Prerequisites - An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
After your deployment is complete, create a second web app. Use the same procedu
| | | | **Resource group** | Select **Create new** and enter *FrontDoorQS_rg2* | | **Name** | Enter a unique name for your Web App, in this example, *WebAppContoso-2* |
-| **Region** | A different region, in this example, *South Central US* |
-| **App Service plan** > **Windows Plan** | Select **New** and enter *myAppServicePlanSouthCentralUS*, and then select **OK** |
+| **Region** | A different region, in this example, *East US* |
+| **App Service plan** > **Windows Plan** | Select **New** and enter *myAppServicePlanEastUS*, and then select **OK** |
## Create a Front Door for your application
governance General https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/governance/policy/troubleshoot/general.md
Title: Troubleshoot common errors description: Learn how to troubleshoot problems with creating policy definitions, the various SDKs, and the add-on for Kubernetes. Previously updated : 01/26/2021 Last updated : 04/19/2021 # Troubleshoot errors with using Azure Policy
IDs. If the error information in the message is missed, it's also available in t
information to get more details to understand the resource restrictions and adjust the resource properties in your request to match allowed values.
+### Scenario: Definition targets multiple resource types
+
+#### Issue
+
+A policy definition that includes multiple resource types fails validation during creation or update
+with the following error:
+
+```error
+The policy definition '{0}' targets multiple resource types, but the policy rule is authored in a way that makes the policy not applicable to the target resource types '{1}'.
+```
+
+#### Cause
+
+The policy definition rule has one or more conditions that don't get evaluated by the target
+resource types.
+
+#### Resolution
+
+If an alias is used, make sure that the alias gets evaluated against only the resource type it
+belongs to by adding a type condition before it. An alternative is to split the policy definition
+into multiple definitions to avoid targeting multiple resource types.
+ ## Template errors ### Scenario: Policy supported functions processed by template
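Review bot: the Cause sentence says the rule has conditions "that don't get evaluated by the target resource types", which reads as if resource types do the evaluating; it should say the conditions reference aliases or fields that do not apply to every targeted resource type. The Resolution then tells the author to add "a type condition before it" without showing what that looks like, and this is the step people will get wrong. A short policy rule excerpt with the type check guarding the alias condition would make the fix unambiguous. It would also help to state that the `{0}` and `{1}` placeholders in the error text are the definition name and the affected resource types.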
hpc-cache Cache Usage Models https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/hpc-cache/cache-usage-models.md
If you have questions about the best usage model for your Azure HPC Cache workfl
In some situations, you might need to remount clients if you change a storage target's usage model. This is needed because of the way different usage models handle Network Lock Manager (NLM) requests.
-The HPC Cache sits between clients and the back-end storage system. Usually the cache passes NLM requests through to the back-end storage system, but in some situations, the cache itself acknowledges the NLM request and returns a value to the client. In Azure HPC Cache, this only happens when you use the usage model **Read heavy, infrequent writes** (or in a standard blob storage target, which doesn't have configurable usage models).
+The HPC Cache sits between clients and the back-end storage system. Usually the cache passes NLM requests through to the back-end storage system, but in some situations, the cache itself acknowledges the NLM request and returns a value to the client. In Azure HPC Cache, this only happens when you use the usage model **Read heavy, infrequent writes** (or with a standard blob storage target, which doesn't have configurable usage models).
There is a small risk of file conflict if you change between the **Read heavy, infrequent writes** usage model and a different usage model. There's no way to transfer the current NLM state from the cache to the storage system or vice versa. So the client's lock status is inaccurate.
hpc-cache Hpc Cache Prerequisites https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/hpc-cache/hpc-cache-prerequisites.md
description: Prerequisites for using Azure HPC Cache
Previously updated : 03/15/2021 Last updated : 04/14/2021
The best practice is to create a new subnet for each cache. You can create a new
The cache needs DNS to access resources outside of its virtual network. Depending on which resources you are using, you might need to set up a customized DNS server and configure forwarding between that server and Azure DNS servers: * To access Azure Blob storage endpoints and other internal resources, you need the Azure-based DNS server.
-* To access on-premises storage, you need to configure a custom DNS server that can resolve your storage hostnames. You must do this **before** you create the cache.
+* To access on-premises storage, you need to configure a custom DNS server that can resolve your storage hostnames. You must do this before you create the cache.
If you only use Blob storage, you can use the default Azure-provided DNS server for your cache. However, if you need access to storage or other resources outside of Azure, you should create a custom DNS server and configure it to forward any Azure-specific resolution requests to the Azure DNS server.
To use a custom DNS server, you need to do these setup steps before you create y
Follow these steps to add the DNS server to the virtual network in the Azure portal: 1. Open the virtual network in the Azure portal.
- 1. Choose **DNS servers** from the **Settings** menu in the sidebar.
- 1. Select **Custom**
+ 1. Choose DNS servers from the Settings menu in the sidebar.
+ 1. Select Custom
1. Enter the DNS server's IP address in the field. A simple DNS server also can be used to load balance client connections among all the available cache mount points.
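Review bot: the two `+` steps drop the bold from the UI labels ("DNS servers", "Settings", "Custom"), so the portal controls no longer stand out from the surrounding instruction text, and step 1 of the same list has no labels to compare against. If the unbolding is a deliberate style change it should be applied consistently across the article; otherwise keep the bold. "Select Custom" is also still missing its closing period.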
If you want to use Azure Blob storage with your cache, you need a compatible sto
Create the account before attempting to add a storage target. You can create a new container when you add the target.
-To create a compatible storage account, use these settings:
+To create a compatible storage account, use one of these combinations:
-* Performance: **Standard**
-* Account kind: **StorageV2 (general purpose v2)**
-* Replication: **Locally redundant storage (LRS)**
-* Access tier (default): **Hot**
+| Performance | Type | Replication | Access tier |
+|--|--|--|--|
+| Standard | StorageV2 (general purpose v2)| Locally redundant storage (LRS) or Zone-redundant storage (ZRS) | Hot |
+| Premium | Block blobs | Locally redundant storage (LRS) | Hot |
-It's a good practice to use a storage account in the same location as your cache.
+The storage account must be accessible from your cache's private subnet. If your account uses a private endpoint or a public endpoint that is restricted to specific virtual networks, make sure to enable access from the cache's subnet. (An open public endpoint is not recommended.)
+
+It's a good practice to use a storage account in the same Azure region as your cache.
You also must give the cache application access to your Azure storage account as mentioned in [Permissions](#permissions), above. Follow the procedure in [Add storage targets](hpc-cache-add-storage.md#add-the-access-control-roles-to-your-account) to give the cache the required access roles. If you are not the storage account owner, have the owner do this step.
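Review bot: the network access requirement in the new paragraph carries its only security guidance in a parenthetical, "(An open public endpoint is not recommended.)", which is easy to skip and does not say what to do instead. Suggest making it a direct sentence that names the two supported options already listed (private endpoint, or public endpoint restricted to specific virtual networks) and links to the steps for allowing the cache subnet. In the new table, the column header "Type" replaces the removed "Account kind" label; use the label the portal shows so readers can match it. The change from "same location" to "same Azure region" is a good clarification.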
If using an NFS storage system (for example, an on-premises hardware NAS system)
More information is included in [Troubleshoot NAS configuration and NFS storage target issues](troubleshoot-nas.md).
-* **Network connectivity:** The Azure HPC Cache needs high-bandwidth network access between the cache subnet and the NFS system's data center. [ExpressRoute](../expressroute/index.yml) or similar access is recommended. If using a VPN, you might need to configure it to clamp TCP MSS at 1350 to make sure large packets are not blocked. Read [VPN packet size restrictions](troubleshoot-nas.md#adjust-vpn-packet-size-restrictions) for additional help troubleshooting VPN settings.
+* Network connectivity: The Azure HPC Cache needs high-bandwidth network access between the cache subnet and the NFS system's data center. [ExpressRoute](../expressroute/index.yml) or similar access is recommended. If using a VPN, you might need to configure it to clamp TCP MSS at 1350 to make sure large packets are not blocked. Read [VPN packet size restrictions](troubleshoot-nas.md#adjust-vpn-packet-size-restrictions) for additional help troubleshooting VPN settings.
-* **Port access:** The cache needs access to specific TCP/UDP ports on your storage system. Different types of storage have different port requirements.
+* Port access: The cache needs access to specific TCP/UDP ports on your storage system. Different types of storage have different port requirements.
To check your storage system's settings, follow this procedure.
More information is included in [Troubleshoot NAS configuration and NFS storage
* Check firewall settings to be sure that they allow traffic on all of these required ports. Be sure to check firewalls used in Azure as well as on-premises firewalls in your data center.
-* **Root access** (read/write): The cache connects to the back-end system as user ID 0. Check these settings on your storage system:
+* Root access (read/write): The cache connects to the back-end system as user ID 0. Check these settings on your storage system:
* Enable `no_root_squash`. This option ensures that the remote root user can access files owned by root.
This is a general overview of the steps. These steps might change, so always ref
* Instead of the using the storage account settings for a standard blob storage account, follow the instructions in the [how-to document](../storage/blobs/network-file-system-protocol-support-how-to.md). The type of storage account supported might vary by Azure region.
- * In the **Networking** section, choose a private endpoint in the secure virtual network you created (recommended), or choose a public endpoint with restricted access from the secure VNet.
+ * In the Networking section, choose a private endpoint in the secure virtual network you created (recommended), or choose a public endpoint with restricted access from the secure VNet.
- * Do not forget to complete the **Advanced** section, where you enable NFS access.
+ * Do not forget to complete the Advanced section, where you enable NFS access.
* Give the cache application access to your Azure storage account as mentioned in [Permissions](#permissions), above. You can do this the first time you create a storage target. Follow the procedure in [Add storage targets](hpc-cache-add-storage.md#add-the-access-control-roles-to-your-account) to give the cache the required access roles.
iot-accelerators About Iot Accelerators https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-accelerators/about-iot-accelerators.md
The original solution accelerators were written using .NET using a model-view-co
| Solution accelerator | Architecture | Languages | | - | - | - | | Connected Factory | MVC | [.NET](https://github.com/Azure/azure-iot-connected-factory) |
-| Device Simulation | Microservices | [.NET](https://github.com/Azure/device-simulation-dotnet) |
+| Device Simulation | Microservices | [.NET](https://github.com/Azure/azure-iot-pcs-device-simulation) |
To learn more about the microservices architecture, see [Introduction to the Azure IoT reference architecture](/azure/architecture/reference-architectures/iot/).
iot-accelerators Iot Accelerators Device Simulation Advanced Device https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-accelerators/iot-accelerators-device-simulation-advanced-device.md
If you don't have an Azure subscription, create a [free account](https://azure.m
To follow the steps in this how-to guide, you need a deployed instance of Device Simulation in your Azure subscription.
-If you haven't deployed Device Simulation yet, see [Device Simulation deployment](https://github.com/Azure/device-simulation-dotnet/blob/master/README.md) on GitHub.
+If you haven't deployed Device Simulation yet, see [Device Simulation deployment](https://github.com/Azure/azure-iot-pcs-device-simulation/blob/master/README.md) on GitHub.
### Open Device Simulation
-If you haven't deployed Device Simulation yet, see [Device Simulation deployment](https://github.com/Azure/device-simulation-dotnet/blob/master/README.md) on GitHub.
+If you haven't deployed Device Simulation yet, see [Device Simulation deployment](https://github.com/Azure/azure-iot-pcs-device-simulation/blob/master/README.md) on GitHub.
## Device models
iot-accelerators Iot Accelerators Device Simulation Create Custom Device https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-accelerators/iot-accelerators-device-simulation-create-custom-device.md
If you don't have an Azure subscription, create a [free account](https://azure.m
To follow this tutorial, you need a deployed instance of Device Simulation in your Azure subscription.
-If you haven't deployed Device Simulation yet, see [Device Simulation deployment](https://github.com/Azure/device-simulation-dotnet/blob/master/README.md) on GitHub.
+If you haven't deployed Device Simulation yet, see [Device Simulation deployment](https://github.com/Azure/azure-iot-pcs-device-simulation/blob/master/README.md) on GitHub.
## View your device models
iot-accelerators Iot Accelerators Device Simulation Create Simulation https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-accelerators/iot-accelerators-device-simulation-create-simulation.md
If you don't have an Azure subscription, create a [free account](https://azure.m
To follow this tutorial, you need a deployed instance of the Device Simulation in your Azure subscription.
-If you haven't deployed Device Simulation yet, see [Device Simulation deployment](https://github.com/Azure/device-simulation-dotnet/blob/master/README.md) on GitHub.
+If you haven't deployed Device Simulation yet, see [Device Simulation deployment](https://github.com/Azure/azure-iot-pcs-device-simulation/blob/master/README.md) on GitHub.
## View simulations
iot-accelerators Iot Accelerators Device Simulation Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-accelerators/iot-accelerators-device-simulation-overview.md
With Device Simulation, you can define device models to simulate your real devic
You can run simulations for one to thousands of devices connecting to any IoT hub. To help with testing, you can optionally deploy an IoT hub along with Device Simulation for a standalone environment.
-Device Simulation is free. However, Device Simulation deploys to your Azure subscription in the cloud and does consume Azure resources. If Device Simulation doesn't meet your requirements, the [source code is also available on GitHub](https://github.com/Azure/device-simulation-dotnet) for you to copy and modify.
+Device Simulation is free. However, Device Simulation deploys to your Azure subscription in the cloud and does consume Azure resources. If Device Simulation doesn't meet your requirements, the [source code is also available on GitHub](https://github.com/Azure/azure-iot-pcs-device-simulation) for you to copy and modify.
## Sample simulations
-When you deploy Device Simulation, you get some sample simulations and sample devices. You can use these samples to learn how to use Device Simulation. To get started, run a [sample simulation](https://github.com/Azure/device-simulation-dotnet/blob/master/README.md). You can also [create your own simulation using one of the many sample devices provided](iot-accelerators-device-simulation-create-simulation.md).
+When you deploy Device Simulation, you get some sample simulations and sample devices. You can use these samples to learn how to use Device Simulation. To get started, run a [sample simulation](https://github.com/Azure/azure-iot-pcs-device-simulation/blob/master/README.md). You can also [create your own simulation using one of the many sample devices provided](iot-accelerators-device-simulation-create-simulation.md).
![Simulation configuration](media/iot-accelerators-device-simulation-overview/samplesimulation1.png)
Advanced device models let you:
In this article, you learned about the Device Simulation solution accelerator and its capabilities. To deploy the solution accelerator, visit the GitHub repository: > [!div class="nextstepaction"]
-> [Deploy and run an IoT device simulation in Azure](https://github.com/Azure/device-simulation-dotnet/blob/master/README.md)
+> [Deploy and run an IoT device simulation in Azure](https://github.com/Azure/azure-iot-pcs-device-simulation/blob/master/README.md)
iot-accelerators Iot Accelerators Device Simulation Protobuf https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-accelerators/iot-accelerators-device-simulation-protobuf.md
The instructions in this article assume you're using Windows. If you're using an
Download and unzip the [Remote Monitoring Microservices](https://github.com/Azure/remote-monitoring-services-dotnet/archive/master.zip) from GitHub to a suitable location on your local machine. This repository includes the storage adapter microservice you need for this how-to.
-Download and unzip the [device simulation microservice](https://github.com/Azure/device-simulation-dotnet/archive/master.zip) from GitHub to a suitable location on your local machine.
+Download and unzip the [device simulation microservice](https://github.com/Azure/azure-iot-pcs-device-simulation/archive/master.zip) from GitHub to a suitable location on your local machine.
### Run the storage adapter microservice
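Review bot: the updated download link points at `archive/master.zip` of the renamed repository, so readers fetch and run whatever is on the default branch at that moment, with nothing to verify against. Since this hunk is already touching the URL, consider linking to a tagged release or a specific commit archive instead, and apply the same to the Remote Monitoring Microservices link in the context line above. It is also worth confirming that the new repository name is the canonical home rather than a redirect, because the same replacement is repeated across every article in this set.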
route based on message headers.
## Next steps
-Now you've learned how to customize Device Simulation to use Protobuf to send telemetry, the next step is visit the GitHub repository to learn more [Device simulation](https://github.com/Azure/device-simulation-dotnet).
+Now you've learned how to customize Device Simulation to use Protobuf to send telemetry, the next step is visit the GitHub repository to learn more [Device simulation](https://github.com/Azure/azure-iot-pcs-device-simulation).
iot-accelerators Iot Accelerators Device Simulation Time Series Insights https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-accelerators/iot-accelerators-device-simulation-time-series-insights.md
The Device Simulation solution accelerator lets you generate telemetry from simu
To follow the steps in this how-to guide, you need an active Azure subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
-The steps in this how-to guide assume you've deployed the Device Simulation solution accelerator to your Azure subscription. If you haven't deployed Device Simulation yet, see [Device Simulation deployment](https://github.com/Azure/device-simulation-dotnet/blob/master/README.md) on GitHub.
+The steps in this how-to guide assume you've deployed the Device Simulation solution accelerator to your Azure subscription. If you haven't deployed Device Simulation yet, see [Device Simulation deployment](https://github.com/Azure/azure-iot-pcs-device-simulation/blob/master/README.md) on GitHub.
This article assumes the name of your solution accelerator is **contoso-simulation**. Replace **contoso-simulation** with the name of your solution accelerator as you complete the following steps.
iot-accelerators Iot Accelerators Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-accelerators/iot-accelerators-faq.md
See also, the [Connected Factory-specific FAQ](iot-accelerators-faq-cf.md).
The source code is stored in the following GitHub repositories: * [Connected Factory solution accelerator](https://github.com/Azure/azure-iot-connected-factory)
-* [Device simulation solution accelerator](https://github.com/Azure/device-simulation-dotnet)
+* [Device simulation solution accelerator](https://github.com/Azure/azure-iot-pcs-device-simulation)
### Where can I find the remote monitoring and predictive maintenance solution accelerators?
Existing deployments aren't impacted by the removal of the remote monitoring and
### How do I deploy device simulation solution accelerator?
-To deploy the device simulation solution accelerator, see the the [device simulation](https://github.com/Azure/device-simulation-dotnet/blob/master/README.md) GitHub repository.
+To deploy the device simulation solution accelerator, see the [device simulation](https://github.com/Azure/azure-iot-pcs-device-simulation/blob/master/README.md) GitHub repository.
### Where can I find information about the removed solution accelerators?
iot-central Concepts Architecture https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-central/core/concepts-architecture.md
# Azure IoT Central architecture
-This article provides an overview of the Microsoft Azure IoT Central architecture.
-
-![Top-level architecture](media/concepts-architecture/architecture.png)
+This article provides an overview of the key concepts in the Azure IoT Central architecture.
## Devices
Devices exchange data with your Azure IoT Central application. A device can:
- Send measurements such as telemetry. - Synchronize settings with your application.
-In Azure IoT Central, the data that a device can exchange with your application is specified in a device template. For more information about device templates, see [Metadata management](#metadata-management).
+In Azure IoT Central, the data that a device can exchange with your application is specified in a device template. For more information about device templates, see [Device Templates](concepts-device-templates.md).
To learn more about how devices connect to your Azure IoT Central application, see [Device connectivity](concepts-get-connected.md).
Azure IoT Central stores application data in the cloud. Application data stored
Azure IoT Central uses a time series store for the measurement data sent from your devices. Time series data from devices used by the analytics service.
-## Analytics
-
-The analytics service is responsible for generating the custom reporting data that the application displays. An operator can [customize the analytics](howto-create-analytics.md) displayed in the application. The analytics service is built on top of [Azure Time Series Insights](https://azure.microsoft.com/services/time-series-insights/) and processes the measurement data sent from your devices.
-
-## Rules and actions
-
-[Rules and actions](tutorial-create-telemetry-rules.md) work closely together to automate tasks within the application. A builder can define rules based on device telemetry such as the temperature exceeding a defined threshold. Azure IoT Central uses a stream processor to determine when the rule conditions are met. When a rule condition is met, it triggers an action defined by the builder. For example, an action can send an email to notify an engineer that the temperature in a device is too high.
-
-## Metadata management
-
-In an Azure IoT Central application, device templates define the behavior and capability of types of device. For example, a refrigerator device template specifies the telemetry a refrigerator sends to your application.
-
-![Template architecture](media/concepts-architecture/template-architecture.png)
-
-In an IoT Central [device template](concepts-device-templates.md) contains:
--- A **device model** to specify the capabilities of a device such as the telemetry it sends, the properties that define the device state, and the commands the device responds to. Device capabilities are organized into one or more interfaces.-- **Cloud properties** specify the properties IoT Central stores for a device. These properties are only stored in IoT Central and are never sent to a device.-- **Views** specify the dashboards and forms the builder creates to let the operator monitor and manage the devices.-- **Customizations** let the builder override some of the definitions in the device model to make them more relevant to the IoT Central application.-
-An application can have one or more simulated and real devices based on each device template.
- ## Data export In an Azure IoT Central application, you can [continuously export your data](howto-export-data.md) to your own Azure Event Hubs and Azure Service Bus instances. You can also periodically export your data to your Azure Blob storage account. IoT Central can export measurements, devices, and device templates.
Security features within Azure IoT Central include:
- Full tenant isolation. - Device level security.
-## UI shell
-
-The UI shell is a modern, responsive, HTML5 browser-based application.
-An administrator can customize the UI of the application by applying custom themes and modifying the help links to point to your own custom help resources. To learn more about UI customization, see [Customize the Azure IoT Central UI](howto-customize-ui.md) article.
-
-An operator can create personalized application dashboards. You can have several dashboards that display different data and switch between them.
- ## Next steps Now that you've learned about the architecture of Azure IoT Central, the suggested next step is to learn about [device connectivity](concepts-get-connected.md) in Azure IoT Central.
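Review bot: Removing the `## Analytics` section leaves the unchanged sentence "Time series data from devices used by the analytics service." referring to a service this article no longer describes, and that sentence is also missing its verb. Reword the context line (for example, "Time series data from devices is used for analytics") or keep a one-line pointer to where analytics is documented now. The new intro promises "key concepts", so the removed `## Rules and actions` and `## UI shell` topics would also benefit from a link to their new home.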
iot-central How To Roll X509 Certificates https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-central/core/how-to-roll-x509-certificates.md
If you have a security breach, rolling certificates is a security best practice
## Obtain new X.509 certificates
-You can create your own X.509 certificates using a tool like OpenSSL. This approach is great for testing X.509 certificates but provides few guarantees around security. Only use this approach for testing unless you prepared to act as your own CA provider.
+You can create your own X.509 certificates using a tool like OpenSSL. This approach is great for testing X.509 certificates but provides few guarantees around security. Only use this approach for testing unless you are prepared to act as your own CA provider.
## Enrollment groups and security breaches
iot-central Howto Build Iotc Device Bridge https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-central/core/howto-build-iotc-device-bridge.md
# Mandatory fields. See more on aka.ms/skyeye/meta. Title: Build the Azure IoT Central device bridge | Microsoft Docs
-description: Build the IoT Central device bridge to connect other IoT clouds (Sigfox, Particle, The Things Network etc.) to your IoT Central app.
+ Title: Deploy the Azure IoT Central device bridge | Microsoft Docs
+description: Deploy the IoT Central device bridge to connect other IoT clouds to your IoT Central app. Other IoT clouds include Sigfox, Particle Device Cloud, and The Things Network.
-- Previously updated : 07/09/2019++ Last updated : 04/19/2021 --
-# Build the IoT Central device bridge to connect other IoT clouds to IoT Central
+# Use the IoT Central device bridge to connect other IoT clouds to IoT Central
-*This topic applies to administrators.*
+*This article applies to administrators.*
-The IoT Central device bridge is an open-source solution that connects your Sigfox, Particle, The Things Network, and other clouds to your IoT Central app. Whether you are using asset tracking devices connected to Sigfox's Low-Power-Wide Area Network, or using air quality monitoring devices on the Particle Device Cloud, or using soil moisture monitoring devices on TTN, you can directly leverage the power of IoT Central using the IoT Central device bridge. The device bridge connects other IoT clouds with IoT Central by forwarding the data your devices send to the other clouds through to your IoT Central app. In your IoT Central app, you can build rules and run analytics on that data, create workflows in Power Automate and Azure Logic apps, export that data, and much more. Get the [IoT Central device bridge](https://aka.ms/iotcentralgithubdevicebridge) from GitHub
+## Azure IoT Central device bridge
-## What is it and how does it work?
-The IoT Central device bridge is an open-source solution in GitHub. It is ready to go with a "Deploy to Azure" button that deploys a custom Azure Resource Manager template with several Azure resources into your Azure subscription. The resources include:
-- Azure Function app-- Azure Storage Account-- Consumption Plan-- Azure Key Vault
+The IoT Central device bridge is an open-source solution that connects other IoT clouds to your IoT Central application. Examples of other IoT clouds include [Sigfox](https://www.sigfox.com/), [Particle Device Cloud](https://www.particle.io/), and [The Things Network](https://www.thethingsnetwork.org/). The device bridge works by forwarding data from devices connected to other IoT clouds through to your IoT Central application. The device bridge only forwards data to IoT Central, it doesn't send commands or property updates from IoT Central back to the devices.
-The function app is the critical piece of the device bridge. It receives HTTP POST requests from other IoT platforms or any custom platforms via a simple webhook integration. We have provided examples that show how to connect to Sigfox, Particle, and TTN clouds. You can easily extend this solution to connect to your custom IoT cloud if your platform can send HTTP POST requests to your function app.
-The Function app transforms the data into a format accepted by IoT Central and forwards it along via DPS APIs.
+The device bridge lets you combine the power of IoT Central with devices such as asset tracking devices connected to Sigfox's low-power wide area network, air quality monitoring devices on the Particle Device Cloud, or soil moisture monitoring devices on The Things Network. You can use IoT Central application features such as rules and analytics on the data, create workflows in Power Automate and Azure Logic apps, or export the data.
-![Azure functions screenshot](media/howto-build-iotc-device-bridge/azfunctions.png)
+The device bridge solution provisions several Azure resources into your Azure subscription that work together to transform and forward device messages to IoT Central.
-If your IoT Central app recognizes the device by device ID in the forwarded message, a new measurement will appear for that device. If the device ID has never been seen by your IoT Central app, your function app will attempt to register a new device with that device ID, and it will appear as an "Unassociated device" in your IoT Central app.
+## Prerequisites
-## How do I set it up?
-The instructions are listed in detail in the README file in the GitHub repo.
+To complete the steps in this how-to guide, you need an active Azure subscription.
-## Pricing
-The Azure resources will be hosted in your Azure subscription. You can learn more about pricing in the [README file](https://aka.ms/iotcentralgithubdevicebridge).
+If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
+
+Complete the [Create an Azure IoT Central application](./quick-deploy-iot-central.md) quickstart to create an IoT Central application using the **Custom app > Custom application** template.
+
+## Overview
+
+The IoT Central device bridge is an open-source solution in GitHub. It uses a custom Azure Resource Manager template deploy several resources to your Azure subscription, including an Azure function app.
+
+The function app is the core piece of the device bridge. It receives HTTP POST requests from other IoT platforms through a simple webhook. The [Azure IoT Central Device Bridge](https://github.com/Azure/iotc-device-bridge) repository includes examples that show how to connect Sigfox, Particle, and The Things Network clouds. You can extend this solution to connect to your custom IoT cloud if your platform can send HTTP POST requests to your function app.
+
+The function app transforms the data into a format accepted by IoT Central and forwards it using the device provisioning service and device client APIs:
++
+If your IoT Central application recognizes the device ID in the forwarded message, the telemetry from the device appears in IoT Central. If the device ID isn't recognized by your IoT Central application, the function app attempts to register a new device with the device ID. The new device appears as an **Unassociated device** on the **Devices** page in your IoT Central application. From the **Devices** page, you can associate the new device with a device template and then view the telemetry.
+
+## Deploy the device bridge
+
+To deploy the device bridge to your subscription:
+
+1. In your IoT Central application, navigate to the **Administration > Device Connection** page.
+
+ 1. Make a note of the **ID Scope**. You use this value when you deploy the device bridge.
+
+ 1. In the same page, open the **SAS-IoT-Devices** enrollment group. On the **SAS-IoT-Devices** group page, copy the **Primary key**. You use this value when you deploy the device bridge.
+
+1. Use the **Deploy to Azure** button below to open the custom Resource Manager template that deploys the function app to your subscription. Use the **ID Scope** and **Primary key** from the previous step:
+
+ [![Deploy to Azure](http://azuredeploy.net/deploybutton.png)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fiotc-device-bridge%2Fmaster%2Fazuredeploy.json)
+
+After the deployment is completed, you need to install the NPM packages the function requires:
+
+1. In the Azure portal, open the function app that was deployed to your subscription. Then navigate to **Development Tools > Console**. In the console, run the following commands to install the packages:
+
+ ```bash
+ cd IoTCIntegration
+ npm install
+ ```
+
+ These commands may take several minutes to run. You can safely ignore any warning messages.
+
+1. After the package installation finishes, Select **Restart** on the **Overview** page of the function app:
+
+ :::image type="content" source="media/howto-build-iotc-device-bridge/restart.png" alt-text="Screenshot of Restart.":::
+
+1. The function is now ready to use. External systems can use HTTP POST requests to send device data through the device bridge into your IoT Central application. To get the function URL, navigate to **Functions > IoTCIntegration > Code + Test > Get function URL**:
+
+ :::image type="content" source="media/howto-build-iotc-device-bridge/get-function-url.png" alt-text="Screenshot of Get Function URL.":::
+
+Messages bodies sent to the device bridge must have the following format:
+
+```json
+"device": {
+ "deviceId": "my-cloud-device"
+},
+"measurements": {
+ "temp": 20.31,
+ "pressure": 50,
+ "humidity": 8.5,
+ "ledColor": "blue"
+}
+```
+
+Each key in the `measurements` object must match the name of a telemetry type in the device template in the IoT Central application. This solution doesn't support specifying the interface ID in the message body. So if two different interfaces have a telemetry type with the same name, the measurement appears in both telemetry streams in your IoT Central application.
+
+You can include a `timestamp` field in the body to specify the UTC date and time of the message. This field must be in ISO 8601 format. For example, `2020-06-08T20:16:54.602Z`. If you don't include a timestamp, the current date and time is used.
+
+You can include a `modelId` field in the body. Use this field to associate the device with a device template during provisioning. This functionality is only supported by [V3 applications](howto-get-app-info.md).
+
+The `deviceId` must be alphanumeric, lowercase, and may contain hyphens.
+
+If you don't include the `modelId` field, or if IoT Central doesn't recognize the model ID, then a message with an unrecognized `deviceId` creates a new _unassociated device_ in IoT Central. An operator can manually migrate the device to the correct device template. To learn more, see [Manage devices in your Azure IoT Central application > Migrating devices to a template](howto-manage-devices.md).
+
+In [V2 applications](howto-get-app-info.md), the new device appears on the **Device Explorer > Unassociated devices** page. Select **Associate** and choose a device template to start receiving incoming telemetry from the device.
+
+> [!NOTE]
+> Until the device is associated to a template, all HTTP calls to the function return a 403 error status.
+
+To switch on logging for the function app with Application Insights, navigate to **Monitoring > Logs** in your function app in the Azure portal. Select **Turn on Application Insights**.
+
+## Provisioned resources
+
+The Resource Manager template provisions the following resources in your Azure subscription:
+
+* Function App
+* App Service plan
+* Storage account
+* Key vault
+
+The key vault stores the SAS group key for your IoT Central application.
+
+The Function App runs on a [consumption plan](https://azure.microsoft.com/pricing/details/functions/). While this option doesn't offer dedicated compute resources, it enables the device bridge to handle hundreds of device messages per minute, suitable for smaller fleets of devices or devices that send messages less frequently. If your application depends on streaming a large number of device messages, replace the consumption plan with a dedicated a [App service plan](https://azure.microsoft.com/pricing/details/app-service/windows/). This plan offers dedicated compute resources, which give faster server response times. Using a standard App Service Plan, the maximum observed performance of the Azure function in this repository was around 1,500 device messages per minute. To learn more, see [Azure Function hosting options](../../azure-functions/functions-scale.md).
+
+To use a dedicated App Service Plan instead of a consumption plan, edit the custom template before deploying. Select **Edit template**.
++
+Replace the following segment:
+
+```json
+{
+ "type": "Microsoft.Web/serverfarms",
+ "apiVersion": "2015-04-01",
+ "name": "[variables('planName')]",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "name": "[variables('planName')]",
+ "computeMode": "Dynamic",
+ "sku": "Dynamic"
+ }
+},
+```
+
+with
+
+```json
+{
+ "type": "Microsoft.Web/serverfarms",
+ "sku": {
+ "name": "S1",
+ "tier": "Standard",
+ "size": "S1",
+ "family": "S",
+ "capacity": 1
+ },
+ "kind": "app",
+ "name": "[variables('planName')]",
+ "apiVersion": "2016-09-01",
+ "location": "[resourceGroup().location]",
+ "tags": {
+ "iotCentral": "device-bridge",
+ "iotCentralDeviceBridge": "app-service-plan"
+ },
+ "properties": {
+ "name": "[variables('planName')]"
+ }
+},
+```
+
+Next, edit the template to include `"alwaysOn": true` in the configuration for the `functionapp` resource under `"properties": {"SiteConfig": {...}}` The [alwaysOn configuration](https://github.com/Azure/Azure-Functions/wiki/Enable-Always-On-when-running-on-dedicated-App-Service-Plan) ensures the function app is always running.
+
+## Examples
+
+The following examples outline how to configure the device bridge for various IoT clouds:
+
+### Example 1: Connecting Particle devices through the device bridge
+
+To connect a Particle device through the device bridge to IoT Central, go to the Particle console and create a new webhook integration. Set the **Request Format** to **JSON**. Under **Advanced Settings**, use the following custom body format:
+
+```json
+{
+ "device": {
+ "deviceId": "{{{PARTICLE_DEVICE_ID}}}"
+ },
+ "measurements": {
+ "{{{PARTICLE_EVENT_NAME}}}": {{{PARTICLE_EVENT_VALUE}}}
+ }
+}
+```
+
+Paste in the **function URL** from your Azure function app, and you see Particle devices appear as unassociated devices in IoT Central. To learn more, see the [Here's how to integrate your Particle-powered projects with Azure IoT Central](https://blog.particle.io/2019/09/26/integrate-particle-with-azure-iot-central/) blog post.
+
+### Example 2: Connecting Sigfox devices through the device bridge
+
+Some platforms may not allow you to specify the format of device messages sent through a webhook. For such systems, you must convert the message payload to the expected body format before the device bridge processes it. You can do the conversion in same Azure function that runs the device bridge.
+
+This section shows how to convert the payload of a Sigfox webhook integration to the body format expected by the device bridge. The Sigfox cloud transmits device data in a hexadecimal string format. For convenience, the device bridge includes a conversion function for this format, which accepts a subset of the possible field types in a Sigfox device payload: `int` and `uint` of 8, 16, 32, or 64 bits; `float` of 32 bits or 64 bits; little-endian and big-endian. To process messages from a Sigfox webhook integration, make the following changes to the _IoTCIntegration/index.js_ file in the function app.
+
+To convert the message payload, add the following code before the call to `handleMessage` on line 21, replacing `payloadDefinition` with your Sigfox payload definition:
+
+```javascript
+const payloadDefinition = 'gforce::uint:8 lat::uint:8 lon::uint:16'; // Replace this with your payload definition
+
+req.body = {
+ device: {
+ deviceId: req.body.device
+ },
+ measurements: require('./converters/sigfox')(payloadDefinition, req.body.data)
+};
+```
+
+Sigfox devices expect a `204` response code. Add the following code after the call to `handleMessage` in line 21:
+
+```javascript
+context.res = {
+ status: 204
+};
+```
+
+### Example 3: Connecting devices from The Things Network through the device bridge
+
+To connect The Things Network devices to IoT Central:
+
+* Add a new HTTP integration to your application in The Things Network: **Application > Integrations > add integration > HTTP Integration**.
+* Make sure your application includes a decoder function that automatically converts the payload of your device messages to JSON before it's sent to the Azure Function: **Application > Payload Functions > decoder**.
+
+The following sample shows a JavaScript decoder function you can use to decode common numeric types from binary data:
+
+```javascript
+function Decoder(bytes, port) {
+ function bytesToFloat(bytes, decimalPlaces) {
+ var bits = (bytes[3] << 24) | (bytes[2] << 16) | (bytes[1] << 8) | bytes[0];
+ var sign = (bits >>> 31 === 0) ? 1.0 : -1.0;
+ var e = bits >>> 23 & 0xff;
+ var m = (e === 0) ? (bits & 0x7fffff) << 1 : (bits & 0x7fffff) | 0x800000;
+ var f = Math.round((sign * m * Math.pow(2, e - 150)) * Math.pow(10, decimalPlaces)) / Math.pow(10, decimalPlaces);
+ return f;
+ }
+
+ function bytesToInt32(bytes, signed) {
+ var bits = bytes[0] | (bytes[1] << 8) | (bytes[2] << 16) | (bytes[3] << 24);
+ var sign = 1;
+
+ if (signed && bits >>> 31 === 1) {
+ sign = -1;
+ bits = bits & 0x7FFFFFFF;
+ }
+
+ return bits * sign;
+ }
+
+ function bytesToShort(bytes, signed) {
+ var bits = bytes[0] | (bytes[1] << 8);
+ var sign = 1;
+
+ if (signed && bits >>> 15 === 1) {
+ sign = -1;
+ bits = bits & 0x7FFF;
+ }
+
+ return bits * sign;
+ }
+
+ return {
+ temperature: bytesToFloat(bytes.slice(0, 4), 2),
+ presscounter: bytesToInt32(bytes.slice(4, 8), true),
+ blueLux: bytesToShort(bytes.slice(8, 10), false)
+ };
+}
+```
+
+After you define the integration, add the following code before the call to `handleMessage` in line 21 of the *IoTCIntegration/index.js* file of your Azure function app. This code translates the body of your HTTP integration to the expected format.
+
+```javascript
+device: {
+ deviceId: req.body.hardware_serial.toLowerCase()
+},
+measurements: req.body.payload_fields
+};
+```
+
+## Limitations
+
+The device bridge only forwards messages to IoT Central, and doesn't send messages back to devices. That's why, properties and commands don't work for devices that connect to IoT Central through this device bridge. Because device twin operations aren't supported, it's not possible to update device properties through the device bridge. To use these features, a device must connect directly to IoT Central using one of the [Azure IoT device SDKs](../../iot-hub/iot-hub-devguide-sdks.md).
## Next steps
-Now that you've learned how to build the IoT Central device bridge, here is the suggested next step:
+Now that you've learned how to deploy the IoT Central device bridge, here's the suggested next step:
> [!div class="nextstepaction"] > [Manage your devices](howto-manage-devices.md)
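Review bot: Two of the added samples are incomplete as written. The `json` block under "Messages bodies sent to the device bridge must have the following format" starts at `"device": {` with no enclosing braces, and the last `javascript` block in Example 3 starts at `device: {` but ends with `};`, so the opening `req.body = {` line that the Sigfox example has is missing; add both so readers can paste them. In the Example 3 decoder, the signed branches of `bytesToInt32` and `bytesToShort` clear the top bit and negate the remainder, which is sign-magnitude: bytes `FF FF FF FF` decode to -2147483647 rather than -1, and with `signed` set to false the 32-bit OR still returns a negative number, so either state the encoding the device is expected to use or decode two's complement. The three references to "line 21" of *IoTCIntegration/index.js* will go stale when that file changes; anchor the instruction to the `handleMessage` call alone. Wording to fix in the same pass: "template deploy several resources" (missing "to"), "Messages bodies", "a dedicated a [App service plan]", "in same Azure function", the capitalized "Select **Restart**" mid-sentence, and "That's why, properties and commands".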
iot-central Howto Manage Iot Central From Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-central/core/howto-manage-iot-central-from-portal.md
Title: Manage IoT Central from the Azure portal | Microsoft Docs
description: This article describes how to create and manage your IoT Central applications from the Azure portal. --++ Last updated 04/17/2021 - # Manage IoT Central from the Azure portal [!INCLUDE [iot-central-selector-manage](../../../includes/iot-central-selector-manage.md)]
-You can use the [Azure portal](https://portal.azure.com) to create and manage IoT Central applications, similar to the functionality in IoT Central's [application manager](https://apps.azureiotcentral.com/myapps).
+You can use the [Azure portal](https://portal.azure.com) to create and manage IoT Central applications.
## Create IoT Central applications [!INCLUDE [Warning About Access Required](../../../includes/iot-central-warning-contribitorrequireaccess.md)]
-To create an application, navigate to the [Create IoT Central Application](https://ms.portal.azure.com/#create/Microsoft.IoTCentral) page in the Azure portal and fill in the form.
+To create an application, navigate to the [IoT Central Application](https://ms.portal.azure.com/#create/Microsoft.IoTCentral) page in the Azure portal:
![Create IoT Central form](media/howto-manage-iot-central-from-portal/image6a.png)
To create an application, navigate to the [Create IoT Central Application](https
* **Application URL** is the URL you can use to access your application. * **Location** is the [geography](https://azure.microsoft.com/global-infrastructure/geographies/) where you'd like to create your application. Typically, you should choose the location that's physically closest to your devices to get optimal performance. Azure IoT Central is currently available in the following locations:
- * Asia Pacific
- * Australia
- * Europe
- * Japan
- * United Kingdom
- * United States
- Once you choose a location, you can't move your application to a different location later.
+ * Asia Pacific
+ * Australia
+ * Europe
+ * Japan
+ * United Kingdom
+ * United States
-After filling out all fields, select **Create**. For more information, see the [Create an IoT Central application](quick-deploy-iot-central.md) quickstart.
+ Once you choose a location, you can't later move your application to a different location.
+
+After filling out all fields, select **Create**. To learn more, see the [Create an IoT Central application](quick-deploy-iot-central.md) quickstart.
## Manage existing IoT Central applications
If you already have an Azure IoT Central application, you can delete it, or move
> [!NOTE] > Applications created using the *free* plan do not require an Azure subscriptions, and therefore you won't find them listed in your Azure subscription on the Azure portal. You can only see and manage free apps from the IoT Central portal.
-To get started, search for your application in the search bar at the top of the Azure portal. You can also view all your applications by searching for "IoT Central Applications" and selecting the service:
+To get started, search for your application in the search bar at the top of the Azure portal. You can also view all your applications by searching for _IoT Central Applications_ and selecting the service:
![Screenshot that shows the search results for "IoT Central Applications" with the first service selected.](media/howto-manage-iot-central-from-portal/search-iot-central.png)
-Once you select an application in the search results, the Azure portal shows you its overview. You can navigate to the actual application by selecting the **IoT Central Application URL**:
+When you select an application in the search results, the Azure portal shows you its overview. You can navigate to the application by selecting the **IoT Central Application URL**:
![Screenshot that shows the "Overview" page with the "IoT Central Application URL" highlighted.](media/howto-manage-iot-central-from-portal/image3.png)
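Review bot: The rewritten "To create an application" line still links to `https://ms.portal.azure.com/#create/Microsoft.IoTCentral`, while the intro a few lines above links to `https://portal.azure.com`; use the same host in both so readers land on the same portal. The link text was also shortened to "IoT Central Application", which no longer says that the target is the create form; "Create IoT Central Application" matched the sentence better. The unchanged note "do not require an Azure subscriptions" could be corrected in the same pass.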
iot-central Howto Manage Users Roles https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-central/core/howto-manage-users-roles.md
Title: Manage users and roles in Azure IoT Central application | Microsoft Docs description: As an administrator, how to manage users and roles in your Azure IoT Central application--++ Last updated 04/16/2021
This article describes how, as an administrator, you can add, edit, and delete users in your Azure IoT Central application. The article also describes how to manage roles in your application.
+To access and use the **Administration** section, you must be in the **Administrator** role for an Azure IoT Central application. If you create an Azure IoT Central application, you're automatically added to the **Administrator** role for that application.
+ ## Add users Every user must have a user account before they can sign in and access an application. IoT Central currently supports Microsoft accounts and Azure Active Directory accounts, but not Azure Active Directory groups.
Every user must have a user account before they can sign in and access an applic
For more information, see [Microsoft account help](https://support.microsoft.com/products/microsoft-account?category=manage-account) and [Quickstart: Add new users to Azure Active Directory](../../active-directory/fundamentals/add-users-azure-active-directory.md). 1. To add a user to an IoT Central application, go to the **Users** page in the **Administration** section.
-
- > [!div class="mx-imgBorder"]
- >![Manage users](media/howto-manage-users-roles/manage-users-pnp.png)
+
+ :::image type="content" source="media/howto-manage-users-roles/manage-users-pnp.png" alt-text="Manage users":::
1. To add a user, on the **Users** page, choose **+ Add user**. 1. Choose a role for the user from the **Role** drop-down menu. Learn more about roles in the [Manage roles](#manage-roles) section of this article.
- > [!div class="mx-imgBorder"]
- >![Add user and select a role](media/howto-manage-users-roles/add-user-pnp.png)
+ :::image type="content" source="media/howto-manage-users-roles/add-user-pnp.png" alt-text="Add a user and select a role.":::
+
+ > [!NOTE]
+ > A user who is in a custom role that grants them the permission to add other users, can only add users to a role with same or fewer permissions than their own role.
- > [!NOTE]
- > A user who is in a custom role that grants them the permission to add other users, can only add users to a role with same or fewer permissions than their own role.
- >
- > If a user is deleted from Azure Active Directory and then added back, they won't be able to sign into the IoT Central application automatically. To re-enable access, the application's administrator should delete and re-add the user in the application as well.
+ > [!NOTE]
+ > If a user is deleted from Azure Active Directory and then added back, they won't be able to sign into the IoT Central application. To re-enable access, the application's administrator should delete and re-add the user in the application as well.
### Edit the roles that are assigned to users
Users in the **Builder** role can manage every part of the app, but can't make c
### Operator
-Users in the **Operator** role can monitor device health and status. They aren't allowed to make changes to device templates or to administer the application. Operators can add and delete devices, manage device sets, and run analytics and jobs.
+Users in the **Operator** role can monitor device health and status. They aren't allowed to make changes to device templates or to administer the application. Operators can add and delete devices, manage device sets, and run analytics and jobs.
## Create a custom role
You can add users to your custom role in the same way that you add users to a bu
### Custom role options
-When you define a custom role, you choose the set of permissions that a user is granted if they're a member of the role. Some permissions are dependent on others. For example, if you add the **Update application dashboards** permission to a role, you also need the **View application dashboards** permission. The following tables summarize the available permissions, and their dependencies, you can use when creating custom roles.
+When you define a custom role, you choose the set of permissions that a user is granted if they're a member of the role. Some permissions are dependent on others. For example, if you add the **Update personal dashboards** permission to a role, the **View personal dashboards** permission is added automatically. The following tables summarize the available permissions, and their dependencies, you can use when creating custom roles.
#### Managing devices
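Review bot: In the first added `[!NOTE]` under the add-user step, "can only add users to a role with same or fewer permissions" is missing "the", and the comma after "add other users" splits the subject from its verb; this sentence states the privilege boundary for delegated user management, so it should read cleanly. In the custom role options paragraph, the new example says the **View personal dashboards** permission "is added automatically", but the following sentence still reads "the available permissions, and their dependencies, you can use", which is hard to parse; suggest "the permissions you can use when creating custom roles, and their dependencies". The two `alt-text` values are also inconsistent: "Manage users" has no period and "Add a user and select a role." has one.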
iot-central Howto Transform Data https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-central/core/howto-transform-data.md
+
+ Title: Transform data for Azure IoT Central | Microsoft Docs
+description: IoT devices send data in various formats that you may need to transform. This article describes how to transform data both on the way into IoT Central and on the way out. The scenarios described use IoT Edge and Azure Functions.
++ Last updated : 04/09/2021+++++
+# Transform data for IoT Central
+
+*This topic applies to solution builders.*
+
+IoT devices send data in various formats. To use the device data with your IoT Central application, you may need to use a transformation to:
+
+- Make the format of the data compatible with your IoT Central application.
+- Convert units.
+- Compute new metrics.
+- Enrich the data from other sources.
+
+This article shows you how to transform device data outside of IoT Central either at ingress or egress.
+
+The following diagram shows three routes for data that include transformations:
++
+The following table shows three example transformation types:
+
+| Transformation | Description | Example | Notes |
+||-|-|-|
+| Message Format | Convert to or manipulate JSON messages. | CSV to JSON | At ingress. IoT Central only accepts value JSON messages. To learn more, see [Telemetry, property, and command payloads](concepts-telemetry-properties-commands.md). |
+| Computations | Math functions that [Azure Functions](../../azure-functions/index.yml) can execute. | Unit conversion from Fahrenheit to Celsius. | Transform using the egress pattern to take advantage of scalable device ingress through direct connection to IoT Central. Transforming the data lets you use IoT Central features such as visualizations and jobs. |
+| Message Enrichment | Enrichments from external data sources not found in device properties or telemetry. To learn more about internal enrichments, see [Export IoT data to cloud destinations using data export](howto-export-data.md) | Add weather information to messages using location data from devices. | Transform using the egress pattern to take advantage of scalable device ingress through direct connection to IoT Central. |
+
+## Prerequisites
+
+To complete the steps in this article, you need an active Azure subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
+
+To set up the solution, you need an IoT Central application. To learn how to create an IoT Central application, see [Create an Azure IoT Central application](quick-deploy-iot-central.md).
+
+## Data transformation at ingress
+
+To transform device data at ingress, there are two options:
+
+- **IoT Edge**: Use an IoT Edge module to transform data from downstream devices before sending the data to your IoT Central application.
+
+- **IoT Central device bridge**: The [IoT Central device bridge](https://github.com/Azure/iotc-device-bridge) connects other IoT device clouds, such as Sigfox, Particle, and The Things Network, to IoT Central. The device bridge uses an Azure function to forward the data and you can customize the function to transform the device data.
+
+### Use IoT Edge to transform device data
++
+In this scenario, an IoT Edge module transforms the data from downstream devices before forwarding it to your IoT Central application. At a high level, the steps to configure this scenario are:
+
+1. **Set up an IoT Edge device**: Install and provision an IoT Edge device as a gateway and connect the gateway to your IoT Central application.
+
+1. **Connect downstream device to the IoT Edge device:** Connect downstream devices to the IoT Edge device and provision them to your IoT Central application.
+
+1. **Transform device data in IoT Edge:** Create an IoT Edge module to transform the data. Deploy the module to the IoT Edge gateway device that forwards the transformed device data to your IoT Central application.
+
+1. **Verify**: Send data from a downstream device to the gateway and verify the transformed device data reaches your IoT Central application.
+
+In the example described in the following sections, the downstream device sends CSV data in the following format to the IoT Edge gateway device:
+
+```csv
+"<temperature >, <pressure>, <humidity>"
+```
+
+You want to use an IoT Edge module to transform the data to the following JSON format before it's sent to IoT Central:
+
+```json
+{
+ "device": {
+ "deviceId": "<downstream-deviceid>"
+ },
+ "measurements": {
+ "temp": <temperature>,
+ "pressure": <pressure>,
+ "humidity": <humidity>,
+ }
+}
+```
+
+The following steps show you how to set up and configure this scenario:
+
+### Build the custom module
+
+In this scenario, the IoT Edge device runs a custom module that transforms the data from the downstream device. Before you deploy and configure the IoT Edge device, you need to:
+
+- Build the custom module.
+- Add the custom module to a container registry.
+
+The IoT Edge runtime downloads custom modules from a container registry such as an Azure container registry or Docker Hub. The [Azure Cloud Shell](../../cloud-shell/overview.md) has all the tools you need to create a container registry, build the module, and upload the module to the registry:
+
+To create a container registry:
+
+1. Open the [Azure Cloud Shell](https://shell.azure.com/) and sign in to your Azure subscription.
+
+1. Run the following commands to create an Azure container registry:
+
+ ```azurecli
+ REGISTRY_NAME="{your unique container registry name}"
+ az group create --name ingress-scenario --location eastus
+ az acr create -n $REGISTRY_NAME -g ingress-scenario --sku Standard --admin-enabled true
+ az acr credential show -n $REGISTRY_NAME
+ ```
+
+ Make a note of the `username` and `password` values, you use them later.
+
+To build the custom module in the [Azure Cloud Shell](https://shell.azure.com/):
+
+1. In the [Azure Cloud Shell](https://shell.azure.com/), navigate to a suitable folder.
+1. To clone the GitHub repository that contains the module source code, run the following command:
+
+ ```azurecli
+ git clone https://github.com/iot-for-all/iot-central-transform-with-iot-edge
+ ```
+
+1. To build the custom module, run the following commands in the Azure Cloud Shell:
+
+ ```azurecli
+ cd iot-central-transform-with-iot-edge/custommodule/transformmodule
+ az acr build --registry $REGISTRY_NAME --image transformmodule:0.0.1-amd64 -f Dockerfile.amd64 .
+ ```
+
+ The previous commands may take several minutes to run.
+
+### Set up an IoT Edge device
+
+This scenario uses an IoT Edge gateway device to transform the data from any downstream devices. This section describes how to create IoT Central device templates for the gateway and downstream devices in your IoT Central application. IoT Edge devices use a deployment manifest to configure their modules.
+
+To create a device template for the downstream device, this scenario uses a simple thermostat device model:
+
+1. Download the [device model for the thermostat](https://raw.githubusercontent.com/Azure/iot-plugandplay-models/main/dtmi/com/example/thermostat-2.json) device to your local machine.
+
+1. Sign in to your IoT Central application and navigate to the **Device templates** page.
+
+1. Select **+ New**, select **IoT Device**, and select **Next: Customize**.
+
+1. Enter *Thermostat* as the template name and select **Next: Review**. Then select **Create**.
+
+1. Select **Import a model** and import the *thermostat-2.json* file you downloaded previously.
+
+1. Select **Publish** to publish the new device template.
+
+To create a device template for the IoT Edge gateway device:
+
+1. Save a copy of the deployment manifest to your local development machine: [moduledeployment.json](https://raw.githubusercontent.com/iot-for-all/iot-central-transform-with-iot-edge/main/edgemodule/moduledeployment.json).
+
+1. Open your local copy of the *moduledeployment.json* manifest file in a text editor.
+
+1. Find the `registryCredentials` section and replace the placeholders with the values you made a note of when you created the Azure container registry. The `address` value looks like `<username>.azurecr.io`.
+
+1. Find the `settings` section for the `transformmodule`. Replace `<acr or docker repo>` with the same `address` value you used in the previous step. Save the changes.
+
+1. In your IoT Central application, navigate to the **Device templates** page.
+
+1. Select **+ New**, select **Azure IoT Edge**, and then select **Next: Customize**.
+
+1. Enter *IoT Edge gateway device* as the device template name. Select **This is a gateway device**. Select **Browse** to upload the *moduledeployment.json* deployment manifest file you edited previously.
+
+1. When the deployment manifest is validated, select **Next: Review**, then select **Create**.
+
+1. Under **Model**, select **Relationships**. Select **+ Add relationship**. Enter *Downstream device* as the display name, and select **Thermostat** as the target. Select **Save**.
+
+1. Select **Publish** to publish the device template.
+
+You now have two device templates in your IoT Central application. The **IoT Edge gateway device** template, and the **Thermostat** template as the downstream device.
+
+To register a gateway device in IoT Central:
+
+1. In your IoT Central application, navigate to the **Devices** page.
+
+1. Select **IoT Edge gateway device** and select **Create a device**. Enter *IoT Edge gateway device* as the device name, enter *gateway-01* as the device ID, make sure **IoT Edge gateway device** is selected as the device template. Select **Create**.
+
+1. In the list of devices, click on the **IoT Edge gateway device**, and then select **Connect**.
+
+1. Make a note of the **ID scope**, **Device ID**, and **Primary key** values for the **IoT Edge gateway device**. You use them later.
+
+To register a downstream device in IoT Central:
+
+1. In your IoT Central application, navigate to the **Devices** page.
+
+1. Select **Thermostat** and select **Create a device**. Enter *Thermostat* as the device name, enter *downstream-01* as the device ID, make sure **Thermostat** is selected as the device template. Select **Create**.
+
+1. In the list of devices, select the **Thermostat** and then select **Attach to Gateway**. Select the **IoT Edge gateway device** template and the **IoT Edge gateway device** instance. Select **Attach**.
+
+1. In the list of devices, click on the **Thermostat**, and then select **Connect**.
+
+1. Make a note of the **ID scope**, **Device ID**, and **Primary key** values for the **Thermostat** device. You use them later.
+
+### Deploy the gateway and downstream devices
+
+For convenience, this article uses Azure virtual machines to run the gateway and downstream devices. To create the two Azure virtual machines, select the **Deploy to Azure** button below and use the information in the following table to complete the **Custom deployment** form:
+
+| Field | Value |
+| -- | -- |
+| Resource group | `ingress-scenario` |
+| DNS Label Prefix Gateway | A unique DNS name for this machine such as `<your name>edgegateway` |
+| DNS Label Prefix Downstream | A unique DNS name for this machine such as `<your name>downstream` |
+| Scope ID | The ID scope you made a note of previously |
+| Device ID IoT Edge Gateway | `gateway-01` |
+| Device Key IoT Edge Gateway | The primary key value you made a note of previously |
+| Authentication Type | Password |
+| Admin Password Or Key | Your choice of password for the **AzureUser** account on both virtual machines. |
+
+<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure-Samples%2Fiot-central-docs-samples%2Fmaster%2Ftransparent-gateway%2FDeployGatewayVMs.json" target="_blank">
+ <img src="https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazure.png" alt="Deploy to Azure button" />
+</a>
+
+Select **Review + Create**, and then **Create**. It takes a couple of minutes to create the virtual machines in the **ingress-scenario** resource group.
+
+To check that the IoT Edge device is running correctly:
+
+1. Open your IoT Central application. Then navigate to the **IoT Edge Gateway device** on the list of devices on the **Devices** page.
+
+1. Select the **Modules** tab and check the status of the three modules. It takes a few minutes for the IoT Edge runtime to start up in the virtual machine. When it's started, the status of the three modules is **Running**. If the IoT Edge runtime doesn't start, see [Troubleshoot your IoT Edge device](../../iot-edge/troubleshoot.md).
+
+For your IoT Edge device to function as a gateway, it needs some certificates to prove its identity to any downstream devices. This article uses demo certificates. In a production environment, use certificates from your certificate authority.
+
+To generate the demo certificates and install them on your gateway device:
+
+1. Use SSH to connect to and sign in on your gateway device virtual machine. You can find the DNS name for this virtual machine in the Azure portal. Navigate to the **edgegateway** virtual machine in the **ingress-scenario** resource group.
+
+ > [!TIP]
+ > You may need to open the port 22 for SSH access on both your virtual machines before you can use SSH to connect from your local machine or the Azure Cloud Shell.
+
+1. Run the following commands to clone the IoT Edge repository and generate your demo certificates:
+
+ ```bash
+ # Clone the repo
+ cd ~
+ git clone https://github.com/Azure/iotedge.git
+
+ # Generate the demo certificates
+ mkdir certs
+ cd certs
+ cp ~/iotedge/tools/CACertificates/*.cnf .
+ cp ~/iotedge/tools/CACertificates/certGen.sh .
+ ./certGen.sh create_root_and_intermediate
+ ./certGen.sh create_edge_device_ca_certificate "mycacert"
+ ```
+
+ After you run the previous commands, the following files are ready to use in the next steps:
+
+ - *~/certs/certs/azure-iot-test-only.root.ca.cert.pem* - The root CA certificate used to make all the other demo certificates for testing an IoT Edge scenario.
+ - *~/certs/certs/iot-edge-device-mycacert-full-chain.cert.pem* - A device CA certificate that's referenced from the *config.yaml* file. In a gateway scenario, this CA certificate is how the IoT Edge device verifies its identity to downstream devices.
+ - *~/certs/private/iot-edge-device-mycacert.key.pem* - The private key associated with the device CA certificate.
+
+ To learn more about these demo certificates, see [Create demo certificates to test IoT Edge device features](../../iot-edge/how-to-create-test-certificates.md).
+
+1. Open the *config.yaml* file in a text editor. For example:
+
+ ```bash
+ sudo nano /etc/iotedge/config.yaml
+ ```
+
+1. Locate the `Certificate settings` settings. Uncomment and modify the certificate settings as follows:
+
+ ```text
+ certificates:
+ device_ca_cert: "file:///home/AzureUser/certs/certs/iot-edge-device-ca-mycacert-full-chain.cert.pem"
+ device_ca_pk: "file:///home/AzureUser/certs/private/iot-edge-device-ca-mycacert.key.pem"
+ trusted_ca_certs: "file:///home/AzureUser/certs/certs/azure-iot-test-only.root.ca.cert.pem"
+ ```
+
+ The example shown above assumes you're signed in as **AzureUser** and created a device CA certificated called "mycacert".
+
+1. Save the changes and restart the IoT Edge runtime:
+
+ ```bash
+ sudo systemctl restart iotedge
+ ```
+
+If the IoT Edge runtime starts successfully after your changes, the status of the **$edgeAgent** and **$edgeHub** modules changes to **Running**. You can see these status values on the **Modules** page for your gateway device in IoT Central.
+
+If the runtime doesn't start, check the changes you made in *config.yaml* and see [Troubleshoot your IoT Edge device](../../iot-edge/troubleshoot.md).
+
+### Connect downstream device to IoT Edge device
+
+To connect a downstream device to the IoT Edge gateway device:
+
+1. Use SSH to connect to and sign in on your downstream device virtual machine. You can find the DNS name for this virtual machine in the Azure portal. Navigate to the **leafdevice** virtual machine in the **ingress-scenario** resource group.
+
+ > [!TIP]
+ > You may need to open the port 22 for SSH access on both your virtual machines before you can use SSH to connect from your local machine or the Azure Cloud Shell.
+
+1. To clone the GitHub repository with the source code for the sample downstream device, run the following command:
+
+ ```bash
+ cd ~
+ git clone https://github.com/iot-for-all/iot-central-transform-with-iot-edge
+ ```
+
+1. To copy the required certificate from the gateway device, run the following `scp` commands. This `scp` command uses the hostname `edgegateway` to identify the gateway virtual machine. You'll be prompted for your password:
+
+ ```bash
+ cd ~/iot-central-transform-with-iot-edge
+ scp AzureUser@edgegateway:/home/AzureUser/certs/certs/azure-iot-test-only.root.ca.cert.pem leafdevice/certs
+ ```
+
+1. Navigate to the *leafdevice* folder and install the required packages. Then run the `build` and `start` scripts to provision and connect the device to the gateway:
+
+ ```bash
+ cd ~/iot-central-transform-with-iot-edge/leafdevice
+ sudo apt update
+ sudo apt install nodejs npm node-typescript
+ npm install
+ npm run-script build
+ npm run-script start
+ ```
+
+1. Enter the device ID, scope ID, and SAS key for the downstream device you created previously. For the hostname, enter `edgegateway`. The output from the command looks like:
+
+ ```output
+ Registering device downstream-01 with scope 0ne00284FD9
+ Registered device downstream-01.
+ Connecting device downstream-01
+ Connected device downstream-01
+ Sent telemetry for device downstream-01
+ Sent telemetry for device downstream-01
+ Sent telemetry for device downstream-01
+ Sent telemetry for device downstream-01
+ Sent telemetry for device downstream-01
+ Sent telemetry for device downstream-01
+ ```
+
+### Verify
+
+To verify the scenario is running, navigate to your **IoT Edge gateway device** in IoT Central:
++
+- Select **Modules**. Verify that the three IoT Edge modules **$edgeAgent**, **$edgeHub** and **transformmodule** are running.
+- Select the **Downstream Devices** and verify that the downstream device is provisioned.
+- Select **Raw data**. The telemetry data in the **Unmodeled data** column looks like:
+
+ ```json
+ {"device":{"deviceId":"downstream-01"},"measurements":{"temperature":85.21208,"pressure":59.97321,"humidity":77.718124,"scale":"farenheit"}}
+ ```
+
+Because the IoT Edge device is transforming the data from the downstream device, the telemetry is associated with the gateway device in IoT Central. To visualize the telemetry, create a new version of the **IoT Edge gateway device** template with definitions for the telemetry types.
+
+## Data transformation at egress
+
+You can connect your devices to IoT Central, export the device data to a compute engine to transforms it, and then send the transformed data back to IoT Central for device management and analysis. For example:
+
+- Your devices send location data to IoT Central.
+- IoT Central exports the data to a compute engine that enhances the location data with weather information.
+- The compute engine sends the enhanced data back to IoT Central.
+
+You can use the [IoT Central device bridge](https://github.com/Azure/iotc-device-bridge) as compute engine to transform data exported from IoT Central.
+
+An advantage of transforming data at egress is that your devices connect directly to IoT Central, which makes it easy to send commands to devices or update device properties. However, with this method, you may use more messages than your monthly allotment and increase the cost of using Azure IoT Central.
+
+### Use the IoT Central device bridge to transform device data
++
+In this scenario, a compute engine transforms device data exported from IoT Central before sending it back to your IoT Central application. At a high level, the steps to configure this scenario are:
+
+1. **Set up the compute engine:** Create an IoT Central device bridge to act as a compute engine for data transformation.
+
+1. **Transform device data in the device bridge:** Transform data in the device bridge by modifying the device bridge function code for your data transformation use case.
+
+1. **Enable data flow from IoT Central to the device bridge:** Export the data from IoT Central to device bridge for transformation. Then, forward the transformed data back to IoT Central. When you create the data export, use message property filters to only export untransformed data.
+
+1. **Verify**: Connect your device to the IoT Central app and check for both raw device data and transformed data in IoT Central.
+
+<!-- To Do - doesn't the device send JSON data? -->
+In the example described in the following sections, the device sends CSV data in the following format to the IoT Edge gateway device:
+
+```csv
+"<temperature in degrees C>, <humidity>, <latitude>, <longitude>"
+```
+
+You use the device bridge to transform the device data by:
+
+- Changing the unit of temperature from centigrade to fahrenheit.
+- Enriching the device data with weather data pulled from the [Open Weather](https://openweathermap.org/) service for the latitude and longitude values.
+
+The device bridge then sends the transformed data to IoT Central in the following format:
+
+```json
+{
+ "temp": <temperature in degrees F>,
+ "humidity": <humidity>,
+ "lat": <latitude>,
+ "lon": <logitude>,
+ "weather": {
+ "weather_temp": <temperature at lat/lon>,
+ "weather_humidity": <humidity at lat/lon>,
+ "weather_pressure": <pressure at lat/lon>,
+ "weather_windspeed": <wind speed at lat/lon>,
+ "weather_clouds": <cloud cover at lat/lon>,
+ "weather_uvi": <UVI at lat/lon>
+ }
+}
+```
+
+The following steps show you how to set up and configure this scenario:
+
+### Retrieve your IoT Central connection settings
+
+Before you set up this scenario, you need to get some connection settings from your IoT Central application:
+
+1. Sign in to your IoT Central application.
+
+1. Navigate to **Administration > Device connection**.
+
+1. Make a note of the **ID scope**. You use this value later.
+
+1. Select the **SaS-IoT-Devices** enrollment group. Make a note of the shared access signature primary key. You use this value later.
+
+### Set up a compute engine
+
+This scenario uses the same Azure Functions deployment as the IoT Central device bridge. To deploy the device bridge, select the **Deploy to Azure** button below and use the information in the following table to complete the **Custom deployment** form:
+
+| Field | Value |
+| -- | -- |
+| Resource group | Create a new resource group called `egress-scenario` |
+| Region | Select the region closest to you. |
+| Scope ID | Use the **ID scope** you made a note of previously. |
+| IoT Central SAS Key | Use the shared access signature primary key for the **SaS-IoT-Devices** enrollment group. You made a note of this value previously. |
+
+[![Deploy to Azure](http://azuredeploy.net/deploybutton.png)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fiotc-device-bridge%2Fmaster%2Fazuredeploy.json).
+
+Select **Review + Create**, and then **Create**. It takes a couple of minutes to create the Azure function and related resources in the **egress-scenario** resource group.
+
+### Transform device data in the device bridge
+
+To configure the device bridge to transform the exported device data:
+
+1. Obtain an application API key from the Open Weather service. An account is free with limited usage of the service. To create an application API key, create an account in the [Open Weather service portal](https://openweathermap.org/) and follow the instructions. You use your Open Weather API key later.
+
+1. In the Azure portal, navigate to Function App in the **egress-scenario** resource group.
+
+1. In the left navigation, in **Development Tools**, select **App Service Editor (Preview)**.
+
+1. Select **Go &rarr;** to open the **App Service Editor** page. Make the following changes:
+
+ 1. Open the *wwwroot/IoTCIntegration/index.js* file. Replace all the code in this file with the code in [index.js](https://raw.githubusercontent.com/iot-for-all/iot-central-compute/main/Azure_function/index.js).
+
+ 1. In the new *index.js*, update the `openWeatherAppId` variable file with Open Weather API key you obtained previously.
+
+ ```javascript
+ const openWeatherAppId = '<Your Open Weather API Key>'
+ ```
+
+ 1. Add a message property to the data sent by the function to IoT Central. IoT Central uses this property to prevent exporting the transformed data. To make this change, open the *wwwroot/IoTCIntegration/lib/engine.js* file. Locate the following code:
+
+ ```javascript
+ if (timestamp) {
+ message.properties.add('iothub-creation-time-utc', timestamp);
+ }
+ ```
+
+ Add the following code just after the code in the previous snippet:
+
+ ```javascript
+ // add a message property that we can look for in data export to not re-compute computed telemetry
+ message.properties.add('computed', true);
+ ```
+
+ For reference, you can view a completed example of the [engine.js](https://raw.githubusercontent.com/iot-for-all/iot-central-compute/main/Azure_function/lib/engine.js) file.
+
+1. In the **App Service Editor**, select **Console** in the left navigation. Run the following commands to install the required packages:
+
+ ```bash
+ cd IoTCIntegration
+ npm install
+ ```
+
+ This command may take a few minutes to run.
+
+1. Return to the **Azure Function Overview** page and restart the function:
+
+ :::image type="content" source="media/howto-transform-data/azure-function.png" alt-text="Restart the function":::
+
+1. Select **Functions** in the left navigation. Then select **IoTCIntegration**. Select **Code + Test**.
+
+1. Make a note of the function URL, you need this value later:
+
+ :::image type="content" source="media/howto-transform-data/get-function-url.png" alt-text="Get the function URL":::
+
+### Enable data flow from IoT Central to the device bridge
+
+This section describes how to set up the Azure IoT Central application.
+
+First, save the [device model](https://raw.githubusercontent.com/iot-for-all/iot-central-compute/main/model.json) file to your local machine.
+
+To add a device template to your IoT Central application, navigate to your IoT Central application and then:
+
+1. Sign in to your IoT Central application and navigate to the **Device templates** page.
+
+1. Select **+ New**, select **IoT Device**, select **Next: Customize**, enter *Compute model* as the template name. Select **Next: Review**. Then select **Create**.
+
+1. Select **Import a model** and browse to the *model.json* file you downloaded previously.
+
+1. After the model is imported, select **Publish** to publish the **Compute model** device template.
+
+To set up the data export to send data to your Device bridge:
+
+1. In your IoT Central application, select **Data export**.
+
+1. Select **+ New destination** to create a destination to use with the device bridge. Call the destination *Compute function*, for **Destination type** select **Webhook**. For the Callback URL, select paste in the function URL you made a note of previously. Leave the **Authorization** as **No Auth**.
+
+1. Save the changes.
+
+1. Select the **+ New export** and create a data export called *Compute export*.
+
+1. Add a filter to only export device data for the device template you're using. Select **+ Filter**, select item **Device template**, select the operator **Equals**, and select the **Compute model** device template you just created.
+
+1. Add a message filter to differentiate between transformed and untransformed data. This filter prevents sending transformed values back to the device bridge. Select **+ Message property filter** and enter the name value *computed*, then select the operator **Does not exist**. The string `computed` is used as a keyword in the device bridge example code.
+
+1. For the destination, select the **Compute function** destination you created previously.
+
+1. Save the changes. After a minute or so, the **Export status** shows as **Healthy**.
+
+### Verify
+
+The sample device you use to test the scenario is written in Node.js. Make sure you have Node.js and NPM installed on your local machine. If you don't want to install these prerequisites, use the[Azure Cloud Shell](https://shell.azure.com/) that has them preinstalled.
+
+To run a sample device that tests the scenario:
+
+1. Clone the GitHub repository that contains the sample code, run the following command:
+
+ ```bash
+ git clone https://github.com/iot-for-all/iot-central-compute
+ ```
+
+1. To connect the sample device to your IoT Central application, edit the connection settings in the *iot-central-compute/device/device.js* file. Replace the scope ID and group SAS key with the values you made a note of previously:
+
+ ```javascript
+ // These values need to be filled in from your Azure IoT Central application
+ //
+ const scopeId = "<IoT Central Scope Id value>";
+ const groupSasKey = "<IoT Central Group SAS key>";
+ //
+ ```
+
+ Save the changes.
+
+1. Use the following commands to install the required packages and run the device:
+
+ ```bash
+ cd ~/iot-central-compute/device
+ npm install
+ node device.js
+ ```
+
+1. The result of this command looks like the following output:
+
+ ```output
+ registration succeeded
+ assigned hub=iotc-2bd611b0....azure-devices.net
+ deviceId=computeDevice
+ Client connected
+ send status: MessageEnqueued [{"data":"33.23, 69.09, 30.7213, -61.1192"}]
+ send status: MessageEnqueued [{"data":"2.43, 75.86, -2.6358, 162.935"}]
+ send status: MessageEnqueued [{"data":"6.19, 76.55, -14.3538, -82.314"}]
+ send status: MessageEnqueued [{"data":"33.26, 48.01, 71.9172, 48.6606"}]
+ send status: MessageEnqueued [{"data":"40.5, 36.41, 14.6043, 14.079"}]
+ ```
+
+1. In your IoT Central application, navigate to the device called **computeDevice**. On the **Raw data** view there are two different telemetry streams that show up around every five seconds. The stream with un-modeled data is the original telemetry, the stream with modeled data is the data that the function transformed:
+
+ :::image type="content" source="media/howto-transform-data/egress-telemetry.png" alt-text="Screenshot that shows original and transformed raw data.":::
+
+## Clean up resources
+
+If you no longer need the Azure resources you created while following the steps in this guide, delete the [resource groups in the Azure portal](https://portal.azure.com/?r=1#blade/HubsExtension/BrowseResourceGroups).
+
+The two resource groups you used in this guide are **ingress-scenario** and **egress-scenario**.
+
+## Next steps
+
+In this article, you learned about the different options for transforming device data for IoT Central, both at ingress and egress. The article included walkthroughs for two specific scenarios:
+
+- Use an IoT Edge module to transform data from downstream devices before the data is sent to your IoT Central application.
+- Use Azure Functions to transform data outside of IoT Central. In this scenario, IoT Central uses a data export to send incoming data to an Azure function to be transformed. The function sends the transformed data back to your IoT Central application.
+
+Now that you've learned how to transform device data outside of your Azure IoT Central application, you can learn [How to use analytics to analyze device data in IoT Central](howto-create-analytics.md).
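Review bot: the certificate file names in the gateway section disagree with each other. The list after the `certGen.sh` commands gives `iot-edge-device-mycacert-full-chain.cert.pem` and `iot-edge-device-mycacert.key.pem`, while the *config.yaml* snippet points at `iot-edge-device-ca-mycacert-full-chain.cert.pem` and `iot-edge-device-ca-mycacert.key.pem`. Only one set can match what the script writes, and the `-ca-` form in the snippet is the one the restart step depends on, so align the list with it. In the egress walkthrough, the webhook destination is left at **No Auth** while the function it calls was deployed with the **SaS-IoT-Devices** enrollment group key; please state what authenticates calls to the function URL and that the URL should be handled as a secret, and have `openWeatherAppId` read from an application setting instead of being pasted into *index.js*. The `<!-- To Do -->` comment is also still in the text, and the sentence right after it says the device sends CSV "to the IoT Edge gateway device", which looks copied from the ingress section.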
iot-central Howto Version Device Template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-central/core/howto-version-device-template.md
To version a device template:
## Version an interface
-Versioning an interface allows you to add, update, and remove the capabilities inside the interface you had already created.
+Versioning an interface allows you to add and update capabilities inside the interface you had already created.
To version an interface:
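Review bot: the new sentence under "Version an interface" drops "remove" but does not say what an author should do when a capability has to go. If removal is not supported in a new interface version, say so explicitly rather than by omission. While the line is being touched, "you had already created" should be "you have already created".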
iot-central Overview Iot Central Developer https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-central/core/overview-iot-central-developer.md
To learn more about the IoT Plug and Play conventions, see [IoT Plug and Play co
### Device SDKs
-Use one of the [Azure IoT device SDKs](#languages-and-sdks) to implement the behavior of your device. The code should:
+Use one of the [Azure IoT device SDKs](../../iot-hub/iot-hub-devguide-sdks.md#azure-iot-hub-device-sdks) to implement the behavior of your device. The code should:
- Register the device with DPS and use the information from DPS to connect to the internal IoT hub in your IoT Central application. - Announce the DTMI of the model the device implements.
iot-central Overview Iot Central Solution Builder https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-central/core/overview-iot-central-solution-builder.md
IoT Central has built-in analytics capabilities that an operator can use to anal
As a solution builder, you can use the data export and rules capabilities in IoT Central to integrate with other service. To learn more, see: - [Export IoT data to cloud destinations using data export](howto-export-data.md)
+- [Transform data for IoT Central](howto-transform-data.md)
- [Use workflows to integrate your Azure IoT Central application with other cloud services](howto-configure-rules-advanced.md) - [Extend Azure IoT Central with custom rules using Stream Analytics, Azure Functions, and SendGrid](howto-create-custom-rules.md) - [Extend Azure IoT Central with custom analytics using Azure Databricks](howto-create-custom-analytics.md)
iot-central Overview Iot Central Tour https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-central/core/overview-iot-central-tour.md
The [IoT Central homepage](https://aka.ms/iotcentral-get-started) page is the pl
### Create an application
-In the Build section you can browse the list of industry-relevant IoT Central templates, or start from scratch using a Custom app template.
+In the **Build** section you can browse the list of industry-relevant IoT Central templates, or start from scratch using a Custom app template.
:::image type="content" source="media/overview-iot-central-tour/iot-central-build.png" alt-text="IoT Central build page":::
Once you're inside your IoT application, use the left pane to access various fea
:::column-end::: :::column span="2":::
- **Dashboards** displays all application and personal dashboards.
+ **Dashboard** displays all application and personal dashboards.
- **Devices** enables you to manage all your devices.
+ **Devices** lets you manage all your devices.
**Device groups** lets you view and create collections of devices specified by a query. Device groups are used through the application to perform bulk operations.
- **Rules** enables you to create and edit rules to monitor your devices. Rules are evaluated based on device data and trigger customizable actions.
+ **Rules** lets you create and edit rules to monitor your devices. Rules are evaluated based on device data and trigger customizable actions.
**Analytics** exposes rich capabilities to analyze historical trends and correlate various telemetries from your devices.
- **Jobs** enables you to manage your devices at scale by running bulk operations.
+ **Jobs** lets you manage your devices at scale by running bulk operations.
- **Device templates** enables you to create and manage the characteristics of devices that connect to your application.
+ **Device templates** lets you create and manage the characteristics of devices that connect to your application.
- **Data export** enables you to configure a continuous export to external services such as storage and queues.
+ **Data export** lets you configure a continuous export to external services such as storage and queues.
**Administration** lets you manage your application's settings, customization, billing, users, and roles.
You can choose between a light theme or a dark theme for the UI:
:::image type="content" source="Media/overview-iot-central-tour/dashboard.png" alt-text="Screenshot of IoT Central Dashboard.":::
-* Dashboard is the first page you see when you sign in to your IoT Central application. You can create and customize multiple application dashboards. Learn more about [adding tiles to your dashboard](howto-add-tiles-to-your-dashboard.md)
+* **Dashboard** is the first page you see when you sign in to your IoT Central application. You can create and customize multiple application dashboards. Learn more about [adding tiles to your dashboard](howto-add-tiles-to-your-dashboard.md)
* Personal dashboards can also be created to monitor what you care about. To learn more, see the [Create Azure IoT Central personal dashboards](howto-create-personal-dashboards.md) how-to article.
You can choose between a light theme or a dark theme for the UI:
:::image type="content" source="Media/overview-iot-central-tour/devices.png" alt-text="Screenshot of Devices Page.":::
-This page shows the devices in your IoT Central application grouped by _device template_.
+This page shows the devices in your IoT Central application grouped by _device template_.
* A device template defines a type of device that can connect to your application. * A device represents either a real or simulated device in your application.
This page lets you create and view device groups in your IoT Central application
### Rules :::image type="content" source="Media/overview-iot-central-tour/rules.png" alt-text="Screenshot of Rules Page.":::
-This page lets you view and create rules based on device data. When a rule fires, it can trigger one or more actions such as send an email or invoke a webhook. To learn, see the [Configuring rules](tutorial-create-telemetry-rules.md) tutorial.
+This page lets you view and create rules based on device data. When a rule fires, it can trigger one or more actions such as sending an email or invoking a webhook. To learn, see the [Configuring rules](tutorial-create-telemetry-rules.md) tutorial.
### Analytics
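Review bot: In the rewritten Rules paragraph, "To learn, see the [Configuring rules]" is still missing its object. The gerund fix ("sending an email or invoking a webhook") was made, but this phrase was carried over unchanged. Change it to "To learn more, see the ...".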
This page lets you view and create jobs that can be used for bulk device managem
:::image type="content" source="Media/overview-iot-central-tour/templates.png" alt-text="Screenshot of Device Templates.":::
-The device templates page is where you can view and create device templates in the application. To learn more, see the [Define a new device type in your Azure IoT Central application](howto-set-up-template.md) tutorial.
+The device templates page is where you can view and create device templates in the application. To learn more, see the [Define a new device type in your Azure IoT Central application](howto-set-up-template.md) tutorial.
### Data export
iot-central Overview Iot Central https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-central/core/overview-iot-central.md
Title: What is Azure IoT Central | Microsoft Docs
-description: IoT Central is a hosted IoT app platform that's secure, scales with you as your business grows, and integrates with your existing business apps. This article provides an overview of the features of Azure IoT Central.
-- Previously updated : 04/16/2021
+description: Azure IoT Central is an IoT application platform that simplifies the creation of IoT solutions and helps to reduce the burden and cost of IoT management operations, and development. This article provides an overview of the features of Azure IoT Central.
++ Last updated : 04/19/2021
# What is Azure IoT Central?
-IoT Central is a hosted IoT app platform that's secure, scales with you as your business grows, and integrates with your existing business apps. Choosing to build with IoT Central gives you the opportunity to focus time, money, and energy on transforming your business with IoT data, rather than just maintaining and updating a complex and continually evolving IoT infrastructure.
+IoT Central is an IoT application platform that reduces the burden and cost of developing, managing, and maintaining enterprise-grade IoT solutions. Choosing to build with IoT Central gives you the opportunity to focus time, money, and energy on transforming your business with IoT data, rather than just maintaining and updating a complex and continually evolving IoT infrastructure.
-IoT Central lets you quickly connect devices, monitor device conditions, create rules, and manage millions of devices and their data throughout their lifecycle. Furthermore, it enables you to act on device insights by extending IoT intelligence into line-of-business applications.
+The web UI lets you quickly connect devices, monitor device conditions, create rules, and manage millions of devices and their data throughout their life cycle. Furthermore, it enables you to act on device insights by extending IoT intelligence into line-of-business applications.
+
+This article outlines, for IoT Central:
+
+- The typical user roles associated with a project.
+- How to create your application.
+- How to connect your devices to your application
+- How to manage your application.
+- Azure IoT Edge capabilities in IoT Central.
+- How to connect your Azure IoT Edge runtime powered devices to your application.
+
+## User roles
+
+The IoT Central documentation refers to four user roles that interact with an IoT Central application:
+
+- A _solution builder_ is responsible for [creating an application](quick-deploy-iot-central.md), [configuring rules and actions](quick-configure-rules.md), [defining integrations with other services](howto-export-data.md), and further customizing the application for operators and device developers.
+- An _operator_ [manages the devices](howto-manage-devices.md) connected to the application.
+- An _administrator_ is responsible for administrative tasks such as managing [user roles and permissions](howto-administer.md) within the application.
+- A _device developer_ [creates the code that runs on a device](concepts-telemetry-properties-commands.md) or [IoT Edge module](concepts-iot-edge.md) connected to your application.
## Create your IoT Central application
-You can quickly create a new IoT Central application and then customize it to your unique requirements. You can either start with a generic _application template_ or with one of the industry-focused application templates for [Retail](../retail/overview-iot-central-retail.md), [Energy](../energy/overview-iot-central-energy.md), [Government](../government/overview-iot-central-government.md), or [Healthcare](../healthcare/overview-iot-central-healthcare.md).
+You can quickly deploy a new IoT Central application and then customize it to your specific requirements. Start with a generic _application template_ or with one of the industry-focused application templates:
+
+- [Retail](../retail/overview-iot-central-retail.md)
+- [Energy](../energy/overview-iot-central-energy.md)
+- [Government](../government/overview-iot-central-government.md)
+- [Healthcare](../healthcare/overview-iot-central-healthcare.md).
+
+See the [Create a new application](quick-deploy-iot-central.md) quickstart for a walk-through of how to create your first application.
+
+## Connect devices
+
+After creating your application, the first step is to create and connect devices. Every device connected to IoT Central uses a _device template_. A device template is the blueprint that defines the characteristics and behavior of a type of device such as the:
+
+- Telemetry it sends. Examples include temperature and humidity. Telemetry is streaming data.
+- Business properties that an operator can modify. Examples include a customer address and a last serviced date.
+- Device properties that are set by a device and are read-only in the application. For example, the state of a valve as either open or shut.
+- Properties, that an operator sets, that determine the behavior of the device. For example, a target temperature for the device.
+- Commands, that an operator can call, that run on a device. For example, a command to remotely reboot a device.
+
+Every [device template](howto-set-up-template.md) includes:
-See the [create a new application](quick-deploy-iot-central.md) quickstart for a walk-through of how to create your first application.
+- A _device model_ describing the capabilities a device should implement. The device capabilities include:
-## Connect your devices
-After creating your application, the first step is to connect your devices. See the [device development overview](./overview-iot-central-developer.md) for an introduction to connecting devices to your IoT Central application.
+ - The telemetry it streams to IoT Central.
+ - The read-only properties it uses to report state to IoT Central.
+ - The writable properties it receives from IoT Central to set device state.
+ - The commands called from IoT Central.
-### Device templates
+- Cloud properties that aren't stored on the device.
+- Customizations, dashboards, and forms that are part of your IoT Central application.
-Devices in IoT Central are associated with a _device template_. A device template is like a blueprint: it defines the characteristics and behaviors of your devices, such as:
+You have several options for creating device templates:
-- Telemetries, which represent measurements from sensors, for example temperature or humidity.-- Properties, which represent the durable state of a device. Examples include state of a coolant pump or target temperature for a device. You can declare properties as read-only or writable. Only devices can update the value of a read-only property. An operator can set the value of a writable property to send to a device.-- Commands, operations that can be triggered on a device, for example, a command to remotely reboot a device.-- Cloud properties, which are device metadata to store in the IoT Central application, for example customer address or last serviced date.
+- Design the device template in IoT Central and then implement its device model in your device code.
+- Create a device model using Visual Studio code and publish the model to a repository. Implement your device code from the model, and connect your device to your IoT Central application. IoT Central finds the device model from the repository and creates a simple device template for you.
+- Create a device model using Visual Studio code. Implement your device code from the model. Manually import the device model into your IoT Central application and then add any cloud properties, customizations, and dashboards your IoT Central application needs.
-See the [create a device template](howto-set-up-template.md) article to learn more.
+See the [Add a simulated device](quick-create-simulated-device.md) quickstart for a walk-through of how to create and connect your first device.
### Customize the UI
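Review bot: The two added options that begin "Create a device model using Visual Studio code" lowercase the product name; it should be "Visual Studio Code". The first of them also says IoT Central "finds the device model from the repository" without naming or linking the repository, so a reader can't tell where the model has to be published.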
-You can customize the IoT Central application for the operators who are responsible for the day-to-day use of the application, for example:
+You can also customize the IoT Central application UI for the operators who are responsible for the day-to-day use of the application. Customizations you can make include:
- Configuring custom dashboards to help operators discover insights and resolve issues faster.-
+- Configuring custom analytics to explore time series data from your connected devices.
+- Defining the layout of properties and settings on a device template.
## Manage your devices
+As an operator, you use the IoT Central application to [manage the devices](howto-manage-devices.md) in your IoT Central solution. Operators do tasks such as:
-With any IoT solution designed to operate at scale, a structured approach to device management is important. It's not enough just to connect your devices to the cloud, you need to keep your devices connected and healthy.
+- Monitoring the devices connected to the application.
+- Troubleshooting and remediating issues with devices.
+- Provisioning new devices.
-You can [manage the devices](howto-manage-devices.md) using your IoT Central application to do tasks such as:
+You can [define custom rules and actions](howto-configure-rules.md) that operate over data streaming from connected devices. An operator can enable or disable these rules at the device level to control and automate tasks within the application.
-- Monitoring the devices.-- Troubleshooting and remediating issues with devices.-- Perform bulk updates on devices.
+As with any IoT solution designed to operate at scale, a structured approach to device management is important. It's not enough just to connect your devices to the cloud, you need to keep your devices connected and healthy. Use the following IoT Central capabilities to manage your devices throughout the application life cycle:
### Dashboards
Build [custom rules](tutorial-create-telemetry-rules.md) based on device state a
[Jobs](howto-run-a-job.md) let you apply single or bulk updates to devices by setting properties or calling commands.
-### Analytics
-[Analytics](howto-create-analytics.md) exposes rich capabilities to analyze historical trends and correlate various telemetries from your devices.
- ## Integrate with other services As an application platform, IoT Central lets you transform your IoT data into the business insights that drive actionable outcomes. [Rules](./tutorial-create-telemetry-rules.md), [data export](./howto-export-data.md), and the [public REST API](/learn/modules/manage-iot-central-apps-with-rest-api/) are examples of how you can integrate IoT Central with line-of-business applications: ![How IoT Central can transform your IoT data](media/overview-iot-central/transform.png)
-You can generate business insights, such as determining machine efficiency trends or predicting future energy usage on a factory floor, by building custom analytics pipelines to process telemetry from your devices and store the results. Configure data exports in your IoT Central application to export your data to other services where you can analyze, store, and visualize it with your preferred tools.
+You can generate business insights, such as determining machine efficiency trends or predicting future energy usage on a factory floor, by building custom analytics pipelines to process telemetry from your devices and store the results. Configure data exports in your IoT Central application to export telemetry, device property changes, and device template changes to other services where you can analyze, store, and visualize the data with your preferred tools.
### Build custom IoT solutions and integrations with the REST APIs
IoT Central applications are fully hosted by Microsoft, which reduces the admini
## Pricing
-You can create an IoT Central application using a 7-day free trial, or use a standard pricing plan.
+You can create IoT Central application using a 7-day free trial, or use a standard pricing plan.
- Applications you create using the *free* plan are free for seven days and support up to five devices. You can convert them to use a standard pricing plan at any time before they expire.-- Applications you create using the *standard* plan are billed on a per device basis. You can choose either the **Standard 0**, **Standard 1**, or **Standard 2** pricing plan with the first two devices being free. Learn more about [IoT Central pricing](https://aka.ms/iotcentral-pricing).
+- Applications you create using the *standard* plan are billed on a per device basis, you can choose either **Standard 0**, **Standard 1**, or **Standard 2** pricing plan with the first two devices being free. Learn more about [IoT Central pricing](https://aka.ms/iotcentral-pricing).
+
+## Quotas
+
+Each Azure subscription has default quotas that could impact the scope of your IoT solution. Currently, IoT Central limits the number of applications you can deploy in a subscription to 10. If you need to increase this limit, contact [Microsoft support](https://azure.microsoft.com/support/options/).
+
+## Known issues
+
+- Continuous data export doesn't support the Avro format (incompatibility).
+- GeoJSON isn't currently supported.
+- Map tile isn't currently supported.
+- Array schema types aren't supported.
+- Only the C device SDK and the Node.js device and service SDKs are supported.
+- IoT Central is currently available in the United States, Europe, Asia Pacific, Australia, United Kingdom, and Japan locations.
## Next steps Now that you have an overview of IoT Central, here are some suggested next steps: -- Get started by [creating an Azure IoT Central application](quick-deploy-iot-central.md).
+- If you're a device developer and want to dive into some code, the suggested next step is to [Create and connect a client application to your Azure IoT Central application](./tutorial-connect-device.md).
- Familiarize yourself with the [Azure IoT Central UI](overview-iot-central-tour.md).-- If you're a device developer and want to dive into some code, [create and connect a client application to your Azure IoT Central application](./tutorial-connect-device.md).
+- Get started by [creating an Azure IoT Central application](quick-deploy-iot-central.md).
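Review bot: In the Pricing section both rewritten lines regress grammatically. "You can create IoT Central application" has lost its article, and "billed on a per device basis, you can choose either ..." joins two sentences with a comma where the removed line had a period. Restore "an IoT Central application" and the sentence break, and write "either the **Standard 0**, **Standard 1**, or **Standard 2** pricing plan" as the removed line did.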
iot-central Quick Create Simulated Device https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-central/core/quick-create-simulated-device.md
Default views are a quick way to get started with visualizing your important dev
* The **Overview** view uses charts and metrics to display device telemetry. * The **About** view displays device properties.
-Select the **Views** node in the device template. You can see that IoT Central generated an **Overview** and an **About** view for you when you added the template.
+Select the **Views** node in the device template. You can see that IoT Central generated the **Overview**, **About**, and **Raw Data** views for you when you added the template.
To add a new form to manage the device:
Now you can interact with the views that created earlier using simulated data:
## Next steps
-In this quickstart, you learned how to you create a **Sensor Controller** device template for an ESP32 device and add a simulated device to your application.
+In this quickstart, you learned how to create a **Sensor Controller** device template for an ESP32 device and add a simulated device to your application.
To learn more about monitoring devices connected to your application, continue to the quickstart:
iot-central Quick Deploy Iot Central https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-central/core/quick-deploy-iot-central.md
This quickstart shows you how to create an Azure IoT Central application.
## Prerequisite
-You'll need an Azure subscription with *Contributor* access.
+ - An Azure account with an active subscription. Create an account for [free](https://aka.ms/createazuresubscription).
+ - Your Azure subscription should have Contributor access
## Create an application Navigate to the [Azure IoT Central Build](https://aka.ms/iotcentral) site. Then sign in with a Microsoft personal, work, or school account.
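Review bot: The second added prerequisite, "Your Azure subscription should have Contributor access", assigns the role to the subscription rather than to the account that signs in, and it lacks a closing period. Azure roles are granted to a principal at a scope, so say something like "Your account needs the Contributor role on the subscription." The heading above is still the singular "## Prerequisite" although the list now has two items.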
-You create a new application either from the list of industry-relevant IoT Central templates to help you get started quickly, or start from scratch using a **Custom apps** template. In this quickstart, you use the **Custom application** template.
+You can create a new application either from the list of industry-relevant IoT Central templates to help you get started quickly, or start from scratch using a **Custom app** template. In this quickstart, you use the **Custom application** template.
To create a new Azure IoT Central application from the **Custom application** template:
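Review bot: The rewritten sentence refers to "a **Custom app** template" and then "the **Custom application** template" as if they were two names for the same thing, while the steps that follow treat **Custom app** as the item you choose and **Custom application** as the value under **Application template**. Use the same distinction here, for example "start from scratch by choosing **Custom app**", so the two labels aren't read as a typo.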
To create a new Azure IoT Central application from the **Custom application** te
:::image type="content" source="media/quick-deploy-iot-central/iotcentralcreate-new-application.png" alt-text="Build your IoT application page":::
-1. Choose **Custom apps** and make sure that the **Custom application** template is selected.
+1. Choose **Custom app**
-1. Azure IoT Central automatically suggests an **application name** based on the application template you've selected. You can use this name or enter your own friendly application name.
+1. On the **New application** page, make sure that **Custom application** is selected under the **Application template**.
-1. Azure IoT Central also generates a unique **application URL** prefix for you, based on the application name. You use this URL to access your application. Change this URL prefix to something more memorable if you'd like.
+1. Azure IoT Central automatically suggests an **Application name** based on the application template you've selected. You can use this name or enter your own friendly application name.
+
+1. Azure IoT Central also generates a unique **URL** prefix for you, based on the application name. You use this URL to access your application. Change this URL prefix to something more memorable if you'd like.
:::image type="content" source="media/quick-deploy-iot-central/iotcentralcreate-custom.png" alt-text="Azure IoT Central Create an application page":::
To create a new Azure IoT Central application from the **Custom application** te
- An *Azure Subscription* enables you to create instances of Azure services. IoT Central provisions resources in your subscription. If you don't have an Azure subscription, you can create one for free on the [Azure sign-up page](https://aka.ms/createazuresubscription). After you create the Azure subscription, navigate back to the **New application** page. Your new subscription now appears in the **Azure Subscription** drop-down. - *Location* is the [geography](https://azure.microsoft.com/global-infrastructure/geographies/) where you'd like to create your application. Typically, you should choose the location that's physically closest to your devices to get optimal performance. Once you choose a location, you can't later move your application to a different location.
-1. Review the Terms and Conditions, and select **Create** at the bottom of the page. After a few minutes, you IoT Central application is ready to use:
+1. Review the Terms and Conditions, and select **Create** at the bottom of the page. After a few minutes, your IoT Central application will be ready to use:
:::image type="content" source="media/quick-deploy-iot-central/iotcentral-application.png" alt-text="Azure IoT Central application":::
In this quickstart, you created an IoT Central application. Here's the suggested
If you're a device developer and want to dive into some code, the suggested next step is to: > [!div class="nextstepaction"]
-> [Create and connect a client application to your Azure IoT Central application](./tutorial-connect-device.md)
+> [Create and connect a client application to your Azure IoT Central application](./tutorial-connect-device.md)
iot-central Tutorial Water Consumption Monitoring https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-central/government/tutorial-water-consumption-monitoring.md
The water consumption monitoring application you created has three preconfigured
![Rules pane](./media/tutorial-waterconsumptionmonitoring/waterconsumptionmonitoring-rules.png)
-1. Select **High pH alert**, which is one of the preconfigured rules in the application.
+1. Select **High water flow alert**, which is one of the preconfigured rules in the application.
![High pH alert](./media/tutorial-waterconsumptionmonitoring/waterconsumptionmonitoring-highflowalert.png)
- The `High flow alert` rule is configured to check against the condition `Acidity (pH)` is `greater than` the `Max flow threshold`. Max flow threshold is a cloud property defined in the **Smart Valve** device template. The value of `Max flow threshold` is set per device instance.
+ The `High water flow alert` rule is configured to check against the condition `Flow` is `greater than` the `Max flow threshold`. Max flow threshold is a cloud property defined in the **Smart Valve** device template. The value of `Max flow threshold` is set per device instance.
Now let's create an email action. To add an action to the rule: 1. Select **+ Email**.
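Review bot: The image line between the two changed lines still has the alt text "High pH alert", although the step and the description now refer to "High water flow alert" and the image file is named for the high flow alert. Update the alt text to match, since screen-reader users otherwise get the old, incorrect rule name.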
-1. Enter **High pH alert** as the friendly **Display name** for the action.
+1. Enter **High flow alert** as the friendly **Display name** for the action.
1. Enter the email address associated with your Azure IoT Central account in **To**. 1. Optionally, enter a note to include in the text of the email. 1. Select **Done** to complete the action.
-1. Select **Save** to save and activate the new rule.
+1. Select **Save** to save the new rule.
+1. Enable the rule.
Within a few minutes, you should receive an email after the configured condition is met.
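Review bot: The new step "Enable the rule." names no UI control, unlike the neighbouring steps that point at **Done** and **Save**. Say where the rule is enabled and what the control is labelled, because the closing sentence about receiving an email now depends on this step being completed.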
iot-edge Quickstart Linux https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-edge/quickstart-linux.md
Use the following CLI command to create your IoT Edge device based on the prebui
<!-- 1.2 --> :::moniker range=">=iotedge-2020-11"
-Use the following CLI command to create your IoT Edge device based on the prebuilt [iotedge-vm-deploy](https://github.com/Azure/iotedge-vm-deploy/tree/1.2.0-rc4) template.
+Use the following CLI command to create your IoT Edge device based on the prebuilt [iotedge-vm-deploy](https://github.com/Azure/iotedge-vm-deploy/tree/1.2.0) template.
* For bash or Cloud Shell users, copy the following command into a text editor, replace the placeholder text with your information, then copy into your bash or Cloud Shell window: ```azurecli-interactive az deployment group create \ --resource-group IoTEdgeResources \
- --template-uri "https://raw.githubusercontent.com/Azure/iotedge-vm-deploy/1.2.0-rc4/edgeDeploy.json" \
+ --template-uri "https://raw.githubusercontent.com/Azure/iotedge-vm-deploy/1.2.0/edgeDeploy.json" \
--parameters dnsLabelPrefix='<REPLACE_WITH_VM_NAME>' \ --parameters adminUsername='azureUser' \ --parameters deviceConnectionString=$(az iot hub device-identity connection-string show --device-id myEdgeDevice --hub-name <REPLACE_WITH_HUB_NAME> -o tsv) \
Use the following CLI command to create your IoT Edge device based on the prebui
```azurecli az deployment group create ` --resource-group IoTEdgeResources `
- --template-uri "https://raw.githubusercontent.com/Azure/iotedge-vm-deploy/1.2.0-rc4/edgeDeploy.json" `
+ --template-uri "https://raw.githubusercontent.com/Azure/iotedge-vm-deploy/1.2.0/edgeDeploy.json" `
--parameters dnsLabelPrefix='<REPLACE_WITH_VM_NAME>' ` --parameters adminUsername='azureUser' ` --parameters deviceConnectionString=$(az iot hub device-identity connection-string show --device-id myEdgeDevice --hub-name <REPLACE_WITH_HUB_NAME> -o tsv) `
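Review bot: The `--template-uri` value now references the `1.2.0` tag on raw.githubusercontent.com, and a Git tag can be moved after it is published, so this URL does not fix which template a reader actually deploys into their subscription. Consider referencing a full commit SHA in the URL, or stating the expected commit next to the command, in both the bash and PowerShell variants, and keep the link in the introductory sentence in step with it.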
iot-edge Tutorial Nested Iot Edge https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-edge/tutorial-nested-iot-edge.md
When you run `iotedge check` from the lower layer, the program tries to pull the
In this tutorial, we use port 8000, so we need to specify it: ```bash
-sudo iotedge check --diagnostics-image-name $upstream:8000/azureiotedge-diagnostics:1.2.0-rc4
+sudo iotedge check --diagnostics-image-name $upstream:8000/azureiotedge-diagnostics:1.2
``` The `azureiotedge-diagnostics` value is pulled from the container registry that's linked with the registry module. This tutorial has it set by default to https://mcr.microsoft.com:
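Review bot: The diagnostics image tag changes from the exact `1.2.0-rc4` to the floating `1.2`, while the quickstart changed in this same update pins its template to `1.2.0`. If the floating tag is intentional so readers pick up patch releases, say so in the sentence above the command; otherwise use the full `1.2.0` tag so the image pulled through the parent registry is reproducible.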
iot-hub-device-update Import Update https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-hub-device-update/import-update.md
Title: How to import a new update | Microsoft Docs
-description: How-To guide for importing a new update into IoT Hub Device Update for IoT Hub.
+ Title: How to add a new update | Microsoft Docs
+description: How-To guide for adding a new update into Device Update for IoT Hub.
Previously updated : 2/11/2021 Last updated : 4/19/2021
-# Import New Update
-Learn how to import a new update into Device Update for IoT Hub. If you haven't already done so, be sure to familiarize yourself with the basic [import concepts](import-concepts.md).
+# Add an update to Device Update for IoT Hub
+Learn how to add a new update into Device Update for IoT Hub.
## Prerequisites
-* An existing update file that you want to deploy to devices. It can be an image file for image-based updating or an [APT Manifest file](device-update-apt-manifest.md) for package-based updating. ([How do I choose?](understand-device-update.md#support-for-a-wide-range-of-update-artifacts))
* [Access to an IoT Hub with Device Update for IoT Hub enabled](create-device-update-account.md). * An IoT device (or simulator) provisioned for Device Update within IoT Hub. * [PowerShell 5](/powershell/scripting/install/installing-powershell) or later (includes Linux, macOS and Windows installs)
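Review bot: The title, description and H1 now say "add an update", but the rest of the article still says "import": the `## Import an update` heading, the import manifest sections, and the context sentence "Learn how to import a new update". Pick one term, or state once near the top that an update is added through the import flow. The removed prerequisite also carried the link to `device-update-apt-manifest.md`, which none of the added lines shown here restore; consider keeping it where update files are now discussed.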
Learn how to import a new update into Device Update for IoT Hub. If you haven't
> [!NOTE] > Some data submitted to this service might be processed in a region outside the region this instance was created in.
-## Create Device Update Import Manifest
+## Obtain an update for your devices
-1. If you haven't already done so, obtain an image file or APT manifest file that you want to deploy to devices. This might be from the manufacturer of your devices or a system integrator you work with, or even a group within your organization. Ensure that the update image file or APT Manifest file is located in a directory accessible from PowerShell.
+Now that Device Update is [set up](create-device-update-account.md), youΓÇÖre ready to update your devices. But first, you need the actual update file(s) for those devices that you will be deploying.
+
+If youΓÇÖve purchased devices from an OEM or solution integrator, that organization will most likely provide update files for you, without you needing to create the updates. Contact the OEM or solution integrator to find out how they make updates available.
+
+If your organization already creates software for the devices you use, that same group will be the ones to create the updates for that software. When creating an update to be deployed using Device Update for IoT Hub, start with either the [image-based or package-based approach](understand-device-update.md#support-for-a-wide-range-of-update-artifacts) depending on your scenario. Note: if you want to create your own updates but are just starting out, GitHub is an excellent option to manage your development. You can store and manage your source code, and do Continuous Integration (CI) and Continuous Deployment (CD) using [GitHub Actions](https://docs.github.com/en/actions/guides/about-continuous-integration).
+
+## Create a Device Update import manifest
+
+If you haven't already done so, be sure to familiarize yourself with the basic [import concepts](import-concepts.md).
+
+1. Ensure that your update file(s) are located in a directory accessible from PowerShell.
2. Create a text file named **AduUpdate.psm1** in the directory where your update image file or APT Manifest file is located. Then open the [AduUpdate.psm1](https://github.com/Azure/iot-hub-device-update/tree/main/tools/AduCmdlets) PowerShell cmdlet, copy the contents to your text file, and then save the text file.
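Review bot: The new `## Obtain an update for your devices` section sends readers to an OEM or solution integrator for update files but never tells them to confirm that a received file is the one the vendor published before importing it. A sentence on checking it against whatever hash or signature the vendor provides would fit after "Contact the OEM or solution integrator to find out how they make updates available." Smaller points: the inline "Note:" about GitHub should be a `> [!NOTE]` block; step 2 still says "update image file or APT Manifest file" while the rewritten step 1 says "update file(s)"; and the typographic apostrophes in the added lines arrive mis-encoded (`youΓÇÖre`, `youΓÇÖve`), so use a plain `'`.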
Learn how to import a new update into Device Update for IoT Hub. If you haven't
| updateFilePath(s) | Path to the update file(s) on your computer
-## Review Generated Import Manifest
+## Review the generated import manifest
Example: ```json
Example:
} ```
-## Import update
+## Import an update
-[!NOTE]
-The instructions below show how to import an update via the Azure portal UI. You can also use the [Device Update for IoT Hub APIs](https://github.com/Azure/iot-hub-device-update/tree/main/docs/publish-api-reference) to import an update.
+> [!NOTE]
+> The instructions below show how to import an update via the Azure portal UI. You can also use the [Device Update for IoT Hub APIs](https://github.com/Azure/iot-hub-device-update/tree/main/docs/publish-api-reference) to import an update.
1. Log in to the [Azure portal](https://portal.azure.com) and navigate to your IoT Hub with Device Update.
iot-hub Virtual Network Support https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-hub/virtual-network-support.md
Trusted Microsoft first party services exception feature is free of charge. Char
### Egress connectivity to storage account endpoints for routing
-IoT Hub can route messages to a customer-owned storage account. To allow the routing functionality to access a storage account while firewall restrictions are in place, your IoT Hub needs to have a [managed identity](#turn-on-managed-identity-for-iot-hub). Once a managed identity is provisioned, follow the steps below to give Azure RBAC permission to your hub's resource identity to access your storage account.
+IoT Hub can route messages to a customer-owned storage account. To allow the routing functionality to access a storage account while firewall restrictions are in place, your hub needs to use a managed identity to access the storage account. First your hub will need a [managed identity](#turn-on-managed-identity-for-iot-hub). Once a managed identity is provisioned, follow the steps below to give Azure RBAC permission to your hub's resource identity to access your storage account.
1. In the Azure portal, navigate to your storage account's **Access control (IAM)** tab and click **Add** under the **Add a role assignment** section.
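Review bot: The two sentences added to this paragraph repeat each other: "your hub needs to use a managed identity to access the storage account. First your hub will need a managed identity." Merge them into one sentence that keeps the `#turn-on-managed-identity-for-iot-hub` link. This paragraph also says "your hub" where the event hubs and service bus paragraphs say "your IoT Hub"; use one form in all three.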
Now your custom storage endpoint is set up to use your hub's system assigned ide
### Egress connectivity to event hubs endpoints for routing
-IoT Hub can be configured to route messages to a customer-owned event hubs namespace. To allow the routing functionality to access an event hubs resource while firewall restrictions are in place, your IoT Hub needs to have a managed identity. Once a managed identity is created, follow the steps below to give Azure RBAC permission to your hub's resource identity to access your event hubs.
+IoT Hub can be configured to route messages to a customer-owned event hubs namespace. To allow the routing functionality to access an event hubs resource while firewall restrictions are in place, your IoT Hub needs to use a managed identity to access the event hubs resource. First your hub will need a managed identity. Once a managed identity is created, follow the steps below to give Azure RBAC permission to your hub's resource identity to access your event hubs.
1. In the Azure portal, navigate to your event hubs **Access control (IAM)** tab and click **Add** under the **Add a role assignment** section.
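Review bot: The added sentence "First your hub will need a managed identity." carries no link, while the storage paragraph links the same phrase to `#turn-on-managed-identity-for-iot-hub`; add the link here and in the service bus paragraph. This paragraph also says the identity is "created" where the other two say "provisioned"; align the wording so readers do not take them for different steps.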
Now your custom event hubs endpoint is set up to use your hub's system assigned
### Egress connectivity to service bus endpoints for routing
-IoT Hub can be configured to route messages to a customer-owned service bus namespace. To allow the routing functionality to access a service bus resource while firewall restrictions are in place, your IoT Hub needs to have a managed identity. Once a managed identity is provisioned, follow the steps below to give Azure RBAC permission to your hub's resource identity to access your service bus.
+IoT Hub can be configured to route messages to a customer-owned service bus namespace. To allow the routing functionality to access a service bus resource while firewall restrictions are in place, your IoT Hub needs to use a managed identity to access the service bus resource. First your hub will need a managed identity. Once a managed identity is provisioned, follow the steps below to give Azure RBAC permission to your hub's resource identity to access your service bus.
1. In the Azure portal, navigate to your service bus' **Access control (IAM)** tab and click **Add** under the **Add a role assignment** section.
iot-pnp Howto Manage Digital Twin https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-pnp/howto-manage-digital-twin.md
Title: How to manage IoT Plug and Play digital twins
description: How to manage IoT Plug and Play device using digital twin APIs Previously updated : 07/20/2020 Last updated : 12/17/2020
iot-pnp Overview Iot Plug And Play https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-pnp/overview-iot-plug-and-play.md
Title: Introduction to IoT Plug and Play | Microsoft Docs
description: Learn about IoT Plug and Play. IoT Plug and Play is based on an open modeling language that enables smart IoT devices to declare their capabilities. IoT devices present that declaration, called a device model, when they connect to cloud solutions. The cloud solution can then automatically understand the device and start interacting with it, all without writing any code. Previously updated : 07/06/2020 Last updated : 03/21/2021
key-vault Basic Concepts https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/key-vault/general/basic-concepts.md
# Azure Key Vault basic concepts
-Azure Key Vault is a cloud service for securely storing and accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, or cryptographic keys. Key Vault service supports two types of containers: vaults and managed HSM pools. Vaults support storing software and HSM-backed keys, secrets, and certificates. Managed HSM pools only support HSM-backed keys. See [Azure Key Vault REST API overview](about-keys-secrets-certificates.md) for complete details.
+Azure Key Vault is a cloud service for securely storing and accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, or cryptographic keys. Key Vault service supports two types of containers: vaults and managed hardware security module(HSM) pools. Vaults support storing software and HSM-backed keys, secrets, and certificates. Managed HSM pools only support HSM-backed keys. See [Azure Key Vault REST API overview](about-keys-secrets-certificates.md) for complete details.
Here are other important terms:
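Review bot: The expansion on the added line is missing a space: "managed hardware security module(HSM) pools" should read "managed hardware security module (HSM) pools".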
Developers can also manage the keys directly, by using APIs. For more informatio
<!--Image references--> [1]: ../media/key-vault-whatis/AzureKeyVault_overview.png
-Azure Key Vault is available in most regions. For more information, see the [Key Vault pricing page](https://azure.microsoft.com/pricing/details/key-vault/).
+Azure Key Vault is available in most regions. For more information, see the [Key Vault pricing page](https://azure.microsoft.com/pricing/details/key-vault/).
key-vault Quick Create Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/key-vault/secrets/quick-create-cli.md
Use the Azure CLI [az keyvault secret set](/cli/azure/keyvault/secret#az_keyvaul
az keyvault secret set --vault-name "<your-unique-keyvault-name>" --name "ExamplePassword" --value "hVFkk965BuUv" ```
+## Retrieve a secret from Key Vault
+ You can now reference this password that you added to Azure Key Vault by using its URI. Use **'https://<your-unique-keyvault-name>.vault.azure.net/secrets/ExamplePassword'** to get the current version. To view the value contained in the secret as plain text:
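Review bot: The URI on the added line is wrapped in bold and single quotes, so the `<your-unique-keyvault-name>` placeholder can be swallowed as an HTML tag when rendered; put the whole URI in inline code instead, and drop the stray leading space before "You can now". Because this section prints the secret as plain text and the step above passes it with `--value` on the command line, a one-line note that these values end up in terminal scrollback and shell history would be worth adding.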
machine-learning Concept Workspace https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/machine-learning/concept-workspace.md
When you create a new workspace, it automatically creates several Azure resource
> By default, the storage account is a general-purpose v1 account. You can [upgrade this to general-purpose v2](../storage/common/storage-account-upgrade.md) after the workspace has been created. > Do not enable hierarchical namespace on the storage account after upgrading to general-purpose v2.
- To use an existing Azure Storage account, it cannot be a premium account (Premium_LRS and Premium_GRS). It also cannot have a hierarchical namespace (used with Azure Data Lake Storage Gen2). Neither premium storage or hierarchical namespaces are supported with the _default_ storage account of the workspace. You can use premium storage or hierarchical namespace with _non-default_ storage accounts.
+ To use an existing Azure Storage account, it cannot be of type BlobStorage or a premium account (Premium_LRS and Premium_GRS). It also cannot have a hierarchical namespace (used with Azure Data Lake Storage Gen2). Neither premium storage or hierarchical namespaces are supported with the _default_ storage account of the workspace. You can use premium storage or hierarchical namespace with _non-default_ storage accounts.
+ [Azure Container Registry](https://azure.microsoft.com/services/container-registry/): Registers docker containers that you use during training and when you deploy a model. To minimize costs, ACR is **lazy-loaded** until deployment images are created.
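Review bot: The added line excludes accounts of type BlobStorage, but the summary sentence later in the same paragraph still reads "Neither premium storage or hierarchical namespaces are supported with the _default_ storage account", so BlobStorage is missing from it. Update that sentence (and change "Neither ... or" to "Neither ... nor"), and say whether BlobStorage accounts are allowed as _non-default_ storage the way premium and hierarchical namespace accounts are.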
machine-learning How To Configure Private Link https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/machine-learning/how-to-configure-private-link.md
Azure Private Link enables you to connect to your workspace using a private endp
> [!IMPORTANT] > Azure Private Link does not effect Azure control plane (management operations) such as deleting the workspace or managing compute resources. For example, creating, updating, or deleting a compute target. These operations are performed over the public Internet as normal. Data plane operations, such as using Azure Machine Learning studio, APIs (including published pipelines), or the SDK use the private endpoint. >
-> You may encounter problems trying to access the private endpoint for your workspace if you are using Mozilla Firefox. This problem may be related to DNS over HTTPS in Mozilla. We recommend using Microsoft Edge of Google Chrome as a workaround.
+> You may encounter problems trying to access the private endpoint for your workspace if you are using Mozilla Firefox. This problem may be related to DNS over HTTPS in Mozilla. We recommend using Microsoft Edge or Google Chrome as a workaround.
## Prerequisites
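Review bot: The "of" to "or" fix is correct, but the same note block still says "Azure Private Link does not effect Azure control plane" one line up; change "effect" to "affect" in this change as well.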
marketplace Azure Vm Create Using Approved Base https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/marketplace/azure-vm-create-using-approved-base.md
Previously updated : 03/10/2021 Last updated : 04/16/2021 # How to create a virtual machine using an approved base
marketplace Azure Vm Create Using Own Image https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/marketplace/azure-vm-create-using-own-image.md
Previously updated : 03/10/2021 Last updated : 04/16/2021 # How to create a virtual machine using your own image
All images in the Azure Marketplace must be reusable in a generic fashion. To ac
## Bring your image into Azure
+> [!NOTE]
+> The Azure subscription containing the SIG must be under the same tenant as the publisher account in order to publish. Also, the publisher account must have at least Contributor access to the subscription containing SIG.
+ There are three ways to bring your image into Azure: 1. Upload the vhd to a Shared Image Gallery (SIG).
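Review bot: The new note uses "SIG" before the abbreviation is defined; it is only expanded in the list that follows ("Upload the vhd to a Shared Image Gallery (SIG)"). Spell it out on first use in the note, and change "the subscription containing SIG" to "the subscription containing the SIG".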
media-services Stream Live Tutorial With Nodejs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/media-services/latest/stream-live-tutorial-with-nodejs.md
+
+ Title: Stream live with Media Services v3 Node.js
+
+description: Learn how to stream live using Node.js.
+
+documentationcenter: ''
++
+editor: ''
+++
+ na
+ms.devlang: na
++ Last updated : 04/15/2021++++
+# Tutorial: Stream live with Media Services using Node.js and TypeScript
+
+> [!NOTE]
+> Even though the tutorial uses Node.js examples, the general steps are the same for [REST API](/rest/api/medi#sdks).
+
+In Azure Media Services, [Live Events](/rest/api/media/liveevents) are responsible for processing live streaming content. A Live Event provides an input endpoint (ingest URL) that you then provide to a live encoder. The Live Event receives live input streams from the live encoder and makes it available for streaming through one or more [Streaming Endpoints](/rest/api/media/streamingendpoints). Live Events also provide a preview endpoint (preview URL) that you use to preview and validate your stream before further processing and delivery. This tutorial shows how to use Node.js to create a **pass-through** type of a live event and broadcast a live stream to it using [OBS Studio](https://obsproject.com/download).
+
+The tutorial shows you how to:
+
+> [!div class="checklist"]
+> * Download the sample code described in the topic.
+> * Examine the code that configures and performs live streaming.
+> * Watch the event with [Azure Media Player](https://amp.azure.net/libs/amp/latest/docs/https://docsupdatetracker.net/index.html) at [https://ampdemo.azureedge.net](https://ampdemo.azureedge.net).
+> * Clean up resources.
+++
+## Prerequisites
+
+The following items are required to complete the tutorial:
+
+- Install [Node.js](https://nodejs.org/en/download/)
+- Install [TypeScript](https://www.typescriptlang.org/)
+- [Create a Media Services account](./create-account-howto.md).<br/>Make sure to remember the values that you used for the resource group name and Media Services account name.
+- Follow the steps in [Access Azure Media Services API with the Azure CLI](./access-api-howto.md) and save the credentials. You will need to use them to access the API and configure your environment variables file.
+- Walk through the [Configure and Connect with Node.js](./configure-connect-nodejs-howto.md) how-to first to understand how to use the Node.js client SDK
+- Install Visual Studio Code or Visual Studio.
+- [Setup your Visual Studio Code environment](https://code.visualstudio.com/Docs/languages/typescript) to support the TypeScript language.
+
+## Additional settings for live streaming software
+
+- A camera or a device (like a laptop) that's used to broadcast an event.
+- An on-premises software encoder that encodes your camera stream and sends it to the Media Services live streaming service using the RTMP protocol, see [recommended on-premises live encoders](encode-recommended-on-premises-live-encoders.md). The stream has to be in **RTMP** or **Smooth Streaming** format.
+- For this sample, it is recommended to start with a software encoder like the free [Open Broadcast Software OBS Studio](https://obsproject.com/download) to make it simple to get started.
+
+This sample assumes that you will use OBS Studio to broadcast RTMP to the ingest endpoint. Install OBS Studio first.
+Use the following encoding settings in OBS Studio:
+
+- Encoder: NVIDIA NVENC (if available) or x264
+- Rate Control: CBR
+- Bitrate: 2500 Kbps (or something reasonable for your laptop)
+- Keyframe Interval: 2 s, or 1 s for low latency
+- Preset: Low-latency Quality or Performance (NVENC) or "veryfast" using x264
+- Profile: high
+- GPU: 0 (Auto)
+- Max B-frames: 2
+
+> [!TIP]
+> Make sure to review [Live streaming with Media Services v3](stream-live-streaming-concept.md) before proceeding.
+
+## Download and configure the sample
+
+Clone the following Git Hub repository that contains the live streaming Node.js sample to your machine using the following command:
+
+ ```bash
+ git clone https://github.com/Azure-Samples/media-services-v3-node-tutorials.git
+ ```
+
+The live streaming sample is located in the [Live](https://github.com/Azure-Samples/media-services-v3-node-tutorials/tree/main/AMSv3Samples/Live) folder.
+
+In the [AMSv3Samples](https://github.com/Azure-Samples/media-services-v3-node-tutorials/tree/main/AMSv3Samples) folder copy the file named "sample.env" to a new file called ".env" to store your environment variable settings that you gathered in the article [Access Azure Media Services API with the Azure CLI](./access-api-howto.md).
+Make sure that the file includes the "dot" (.) in front of .env" for this to work with the code sample correctly.
+
+The [.env file](https://github.com/Azure-Samples/media-services-v3-node-tutorials/blob/main/AMSv3Samples/sample.env) contains your AAD Application key and secret along with account name and subscription information required to authenticate SDK access to your Media Services account. The .gitignore file is already configured to prevent publishing this file into your forked repository. Do not allow these credentials to be leaked as they are important secrets for your account.
+
+> [!IMPORTANT]
+> This sample uses a unique suffix for each resource. If you cancel the debugging or terminate the app without running it through, you'll end up with multiple Live Events in your account. <br/>Make sure to stop the running Live Events. Otherwise, you'll be **billed**! Run the program all the way through to completion to clean-up resources automatically. If the program crashes, or you inadvertently stop the debugger and break out of the program execution, you should double check the portal to confirm that you have not left any live events in the Running or Stand-by states that would result in unwanted billing charges.
+
+## Examine the TypeScript code for live streaming
+
+This section examines functions defined in the [index.ts](https://github.com/Azure-Samples/media-services-v3-node-tutorials/blob/main/AMSv3Samples/Live/index.ts) file of the *Live* project.
+
+The sample creates a unique suffix for each resource so that you don't have name collisions if you run the sample multiple times without cleaning up.
+
+### Start using Media Services SDK for Node.js with TypeScript
+
+To start using Media Services APIs with Node.js, you need to first add the [@azure/arm-mediaservices](https://www.npmjs.com/package/@azure/arm-mediaservices) SDK module using the npm package manager
+
+```bash
+npm install @azure/arm-mediaservices
+```
+
+In the package.json, this is already configured for you, so you just need to run *npm install* to load the modules and dependencies.
+
+1. Open a **command prompt**, browse to the sample's directory.
+1. Change directory into the AMSv3Samples folder.
+
+ ```bash
+ cd AMSv3Samples
+ ```
+
+1. Install the packages used in the *packages.json* file.
+
+ ```bash
+ npm install
+ ```
+
+1. Launch Visual Studio Code from the *AMSv3Samples* Folder. (This is required to launch from the folder where the *.vscode* folder and *tsconfig.json* files are located.)
+
+ ```bash
+ cd ..
+ code .
+ ```
+
+Open the folder for *Live*, and open the *index.ts* file in the Visual Studio Code editor.
+While in the *index.ts* file, press F5 to launch the debugger.
+
+### Create the Media Services client
+
+The following code snippet shows how to create the Media Services client in Node.js.
+Notice that in this code we are first setting the **longRunningOperationRetryTimeout** property of the AzureMediaServicesOptions to 2 seconds to reduce the time it takes to poll for the status of a long running operation on the Azure Resource Management endpoint. Since most of the operations on Live Events are going to be asynchronous, and could take some time to complete, you should reduce this polling interval on the SDK from the default value of 30 seconds to speed up the time it takes to complete major operations like creating Live Events, Starting and Stopping which are all asynchronous calls. Two seconds is the recommended value for most use case scenarios.
+
+[!code-typescript[Main](../../../media-services-v3-node-tutorials/AMSv3Samples/Live/index.ts#CreateMediaServicesClient)]
+
+### Create a live event
+
+This section shows how to create a **pass-through** type of Live Event (LiveEventEncodingType set to None). For more information about the other available types of Live Events, see [Live Event types](live-event-outputs-concept.md#live-event-types). In addition to pass-through, you can use a live transcoding Live Event for 720P or 1080P adaptive bitrate cloud encoding.
+
+Some things that you might want to specify when creating the live event are:
+
+* The ingest protocol for the Live Event (currently, the RTMP(S) and Smooth Streaming protocols are supported).<br/>You can't change the protocol option while the Live Event or its associated Live Outputs are running. If you require different protocols, create separate Live Event for each streaming protocol.
+* IP restrictions on the ingest and preview. You can define the IP addresses that are allowed to ingest a video to this Live Event. Allowed IP addresses can be specified as either a single IP address (for example '10.0.0.1'), an IP range using an IP address and a CIDR subnet mask (for example, '10.0.0.1/22'), or an IP range using an IP address and a dotted decimal subnet mask (for example, '10.0.0.1(255.255.252.0)').<br/>If no IP addresses are specified and there's no rule definition, then no IP address will be allowed. To allow any IP address, create a rule and set 0.0.0.0/0.<br/>The IP addresses have to be in one of the following formats: IpV4 address with four numbers or CIDR address range.
+* When creating the event, you can specify to autostart it. <br/>When autostart is set to true, the Live Event will be started after creation. That means the billing starts as soon as the Live Event starts running. You must explicitly call Stop on the Live Event resource to halt further billing. For more information, see [Live Event states and billing](live-event-states-billing-concept.md).
+There are also standby modes available to start the Live Event in a lower cost 'allocated' state that makes it faster to move to a 'Running' state. This is useful for situations like hot pools that need to hand out channels quickly to streamers.
+* For an ingest URL to be predictive and easier to maintain in a hardware based live encoder, set the "useStaticHostname" property to true, as well as use a custom unique GUID in the "accessToken". For detailed information, see [Live Event ingest URLs](live-event-outputs-concept.md#live-event-ingest-urls).
+
+[!code-typescript[Main](../../../media-services-v3-node-tutorials/AMSv3Samples/Live/index.ts#CreateLiveEvent)]
+
+### Create an Asset to record and archive the live event
+
+In this block of code, you will create an empty Asset to use as the "tape" to record your live event archive to.
+When learning these concepts, it is best to think of the "Asset" object as the tape that you would insert into a video tape recorder in the old days. The "Live Output" is the tape recorder machine. The "Live Event" is just the video signal coming into the back of the machine.
+
+Keep in mind tha the Asset, or "tape", can be created at any time. It is just an empty "Asset" that you will hand to the Live Output object, the tape recorder in this analogy.
+
+[!code-typescript[Main](../../../media-services-v3-node-tutorials/AMSv3Samples/Live/index.ts#CreateAsset)]
+
+### Create the Live Output
+
+In this section, we create a Live Output that uses the Asset name as input to tell where to record the live event to. In addition, we set up the time-shifting (DVR) window to be used in the recording.
+The sample code shows how to set up a 1 hour time-shifting window. This will allow clients to play back anywhere in the last hour of the event. In addition, only the last 1 hour of the live event will remain in the archive. You can extend this to be up to 25 hours long if needed. Also note that you are able to control the output manifest naming used the HLS and DASH manifests in your URL paths when published.
+
+The Live Output, or "tape recorder" in our analogy, can be created at any time as well. Meaning you can create a Live Output before starting the signal flow, or after. If you need to speed up things, it is often helpful to create it before you start the signal flow.
+
+Live Outputs start on creation and stop when deleted. When you delete the Live Output, you're not deleting the underlying Asset or content in the asset. Think of it as ejecting the tape. The Asset with the recording will last as long as you like, and when it is ejected (meaning, when the Live Output is deleted) it will be available for on-demand viewing immediately.
+
+[!code-typescript[Main](../../../media-services-v3-node-tutorials/AMSv3Samples/Live/index.ts#CreateLiveOutput)]
++
+### Get ingest URLs
+
+Once the Live Event is created, you can get ingest URLs that you'll provide to the live encoder. The encoder uses these URLs to input a live stream using the RTMP protocol
+
+[!code-typescript[Main](../../../media-services-v3-node-tutorials/AMSv3Samples/Live/index.ts#GetIngestURL)]
+
+### Get the preview URL
+
+Use the previewEndpoint to preview and verify that the input from the encoder is actually being received.
+
+> [!IMPORTANT]
+> Make sure that the video is flowing to the Preview URL before continuing.
+
+[!code-typescript[Main](../../../media-services-v3-node-tutorials/AMSv3Samples/Live/index.ts#GetPreviewURL)]
+
+### Create and manage Live Events and Live Outputs
+
+Once you have the stream flowing into the Live Event, you can begin the streaming event by publishing a Streaming Locator for your client players to use. This will make it available to viewers through the Streaming Endpoint.
+
+You first create the signal by creating the "Live Event". The signal is not flowing until you start that Live Event and connect your encoder to the input.
+
+To stop the "tape recorder", you call delete on the LiveOutput. This does not actually delete the **contents** of your archive on the tape "Asset", it only deletes the "tape recorder" and stops the archiving. The Asset is always kept with the archived video content until you call delete explicitly on the Asset itself. As soon as you delete the liveOutput, the recorded content of the "Asset" is still available to play back through any already published Streaming Locator URLs. If you wish to remove the ability for a customer to play back the archived content you would first need to remove all locators from the asset and also flush the CDN cache on the URL path if you are using a CDN for delivery. Otherwise the content will live in the CDN's cache for the standard time-to-live setting on the CDN (which could be up to 72 hours.)
+
+#### Create a Streaming Locator to publish HLS and DASH manifests
+
+> [!NOTE]
+> When your Media Services account is created, a **default** streaming endpoint is added to your account in the **Stopped** state. To start streaming your content and take advantage of [dynamic packaging](encode-dynamic-packaging-concept.md) and dynamic encryption, the streaming endpoint from which you want to stream content has to be in the **Running** state.
+
+When you publish the Asset using a Streaming Locator, the Live Event (up to the DVR window length) will continue to be viewable until the Streaming Locator's expiry or deletion, whichever comes first. This is how you make the virtual "tape" recording available for your viewing audience to see live and on-demand. The same URL can be used to watch the live event, DVR window, or the on-demand asset when the recording is complete (when the Live Output is deleted.)
+
+[!code-typescript[Main](../../../media-services-v3-node-tutorials/AMSv3Samples/Live/index.ts#CreateStreamingLocator)]
+
+#### Build the paths to the HLS and DASH manifests
+
+The method BuildManifestPaths in the sample shows how to deterministically create the streaming paths to use for DASH or HLS delivery to various clients and player frameworks.
+
+[!code-typescript[Main](../../../media-services-v3-node-tutorials/AMSv3Samples/Live/index.ts#BuildManifestPaths)]
+
+## Watch the event
+
+To watch the event, copy the streaming URL that you got when you ran code described in Create a Streaming Locator. You can use a media player of your choice. [Azure Media Player](https://amp.azure.net/libs/amp/latest/docs/https://docsupdatetracker.net/index.html) is available to test your stream at https://ampdemo.azureedge.net.
+
+Live Event automatically converts events to on-demand content when stopped. Even after you stop and delete the event, users can stream your archived content as a video on demand for as long as you don't delete the asset. An asset can't be deleted if it's used by an event; the event must be deleted first.
+
+### Cleaning up resources in your Media Services account
+
+If you run the application all the way through, it will automatically clean up all of the resources used in the function called "cleanUpResources". Make sure that the application or debugger runs all the way to completion or you may leak resources and end up with running live events in your account. Double check in the Azure portal to confirm that all resources are cleaned up in your Media Services account.
+
+In the sample code, refer to the **cleanUpResources** method for details.
+
+> [!IMPORTANT]
+> Leaving the Live Event running incurs billing costs. Be aware, if the project/program crashes or is closed out for any reason, it could leave the Live Event running in a billing state.
+
+## Ask questions, give feedback, get updates
+
+Check out the [Azure Media Services community](media-services-community.md) article to see different ways you can ask questions, give feedback, and get updates about Media Services.
+
+## More developer documentation for Node.js on Azure
+
+- [Azure for JavaScript & Node.js developers](/azure/developer/javascript/)
+- [Media Services source code in the @azure/azure-sdk-for-js Git Hub repo](https://github.com/Azure/azure-sdk-for-js/tree/master/sdk/mediaservices/arm-mediaservices)
+- [Azure Package Documentation for Node.js developers](/javascript/api/overview/azure/)
++
+## Next steps
+
+[Stream files](stream-files-tutorial-with-api.md)
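Review bot: In "Cleaning up resources in your Media Services account", the IMPORTANT callout says a crash can leave the Live Event running in a billing state, but the only recovery guidance is to "double check in the Azure portal". Add the manual recovery steps here (stop and delete the Live Event, then delete the asset if the archive is not needed), in the order "Watch the event" already requires: "the event must be deleted first". Separately, the Azure Media Player link in "Watch the event" has a second URL embedded in its path (`.../latest/docs/https://docsupdatetracker.net/index.html`) and needs to point at the player docs index directly.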
migrate Create Manage Projects https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/migrate/create-manage-projects.md
Set up a new project in an Azure subscription.
5. In **Create project**, select the Azure subscription and resource group. Create a resource group if you don't have one. 6. In **Project Details**, specify the project name and the geography in which you want to create the project. - The geography is only used to store the metadata gathered from on-premises servers. You can select any target region for migration.
- - Review supported geographies for [public](migrate-support-matrix.md#supported-geographies-public-cloud) and [government clouds](migrate-support-matrix.md#supported-geographies-azure-government).
+ - Review supported geographies for [public](migrate-support-matrix.md#supported-geographies-public-cloud) and [government clouds](migrate-support-matrix.md#supported-geographies-azure-government).
-8. Select **Create**.
+
+ > [!Note]
+ > Use the **Advanced** configuration section to create an Azure Migrate project with private endpoint connectivity. [Learn more](how-to-use-azure-migrate-with-private-endpoints.md#create-a-project-with-private-endpoint-connectivity)
+
+7. Select **Create**.
:::image type="content" source="./media/create-manage-projects/project-details.png" alt-text="Page to input project settings":::
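Review bot: The new note before step 7 points readers to the **Advanced** section for private endpoint connectivity but does not say the choice has to be made at creation time. The private endpoints article added in this same update states "You cannot change the connectivity method to private endpoint connectivity for existing Azure Migrate projects"; repeat that constraint in this note so readers do not create the project first and look for the setting afterwards.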
migrate Deploy Appliance Script Government https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/migrate/deploy-appliance-script-government.md
Follow this article to deploy an [Azure Migrate appliance](./migrate-appliance-a
The script sets up the Azure Migrate appliance on an existing physical server or on a virtualized server. -- The server that will act as the appliance must be running Windows Server 2016, with 32 GB of memory, eight vCPUs, around 80 GB of disk storage, and an external virtual switch. It requires a static or dynamic IP address, and access to the internet.
+- The server that will act as the appliance must be running Windows Server 2016, with 32 GB of memory, eight vCPUs, around 80 GB of disk storage, and an external virtual switch. It requires a static or dynamic IP address.
- Before you deploy the appliance, review detailed appliance requirements for [servers on VMware](migrate-appliance.md#appliancevmware), [on Hyper-V](migrate-appliance.md#appliancehyper-v), and [physical servers](migrate-appliance.md#appliancephysical). - Don't run the script on an existing Azure Migrate appliance.
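Review bot: Dropping "and access to the internet" from the first requirement bullet leaves that bullet with no connectivity requirement for the appliance server. Replace the clause rather than deleting it: state that the server must be able to reach the required Azure URLs, and link the government list that the private endpoints article in this update references (`migrate-appliance.md#government-cloud-urls-for-private-link-connectivity`).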
migrate Deploy Appliance Script https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/migrate/deploy-appliance-script.md
Scenario | Requirements
VMware | Windows Server 2016, with 32 GB of memory, eight vCPUs, around 80 GB of disk storage Hyper-V | Windows Server 2016, with 16 GB of memory, eight vCPUs, around 80 GB of disk storage -- The server also needs an external virtual switch. It requires a static or dynamic IP address, and access to the internet.
+- The server also needs an external virtual switch. It requires a static or dynamic IP address.
- Before you deploy the appliance, review detailed appliance requirements for [servers on VMware](migrate-appliance.md#appliancevmware), [on Hyper-V](migrate-appliance.md#appliancehyper-v). - Don't run the script on an existing Azure Migrate appliance.
migrate How To Create Group Machine Dependencies https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/migrate/how-to-create-group-machine-dependencies.md
This article describes how to set up agent-based dependency analysis in Azure Mi
![Add a new workspace](./media/how-to-create-group-machine-dependencies/workspace.png)
+> [!Note]
+> [Learn how](https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security) to configure the OMS workspace for private endpoint connectivity.
## Download and install the VM agents
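Review bot: The added note under the workspace screenshot does not say who needs it. State that it applies to projects using private endpoint connectivity, since the private endpoints article in this update says agent-based dependency visualization otherwise "requires Internet connectivity", and use a site-relative link, as the note added to create-manage-projects.md does, instead of the absolute docs.microsoft.com URL.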
migrate How To Delete Project https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/migrate/how-to-delete-project.md
These tables summarize the resources created for discovery, assessment, and migr
> [!NOTE] > Delete the key vault with caution because it might contain security keys.
-### VMware/physical server
+### Projects with public endpoint connectivity
+
+#### VMware/physical server
**Resource** | **Type** |
migrateappligwsa* | Storage account
migrateapplilsa* | Storage account migrateapplicsa* | Storage account migrateapplikv* | Key vault
-migrateapplisbns16041 | Service Bus Namespace
+migrateapplisbns* | Service Bus Namespace
-### Hyper-V VM
+#### Hyper-V VM
**Resource** | **Type** |
HyperV*kv | Key vault
HyperV*Site | Microsoft.OffAzure/HyperVSites "ProjectName"-MigrateVault-* | Recovery Services vault
+<br/>
+The following tables summarize the resources created by Azure Migrate to discover, assess, and migrate servers over a private network using [Azure private link](./how-to-use-azure-migrate-with-private-endpoints.md).
+
+### Projects with private endpoint connectivity
+
+#### VMware VMs - agentless migrations
+
+**Type** | **Resource** | **Private endpoint <br/>** |
+ | |
+Microsoft.Migrate/migrateprojects | "ProjectName" | "ProjectName"\*pe
+Discovery site (master site) | "ProjectName"*mastersite | "ProjectName"\*mastersite\*pe
+Microsoft.Migrate/assessmentProjects | "ApplianceName"*project | "ApplianceName"\*project\*pe
+Key vault | "ProjectName"*kv | "ProjectName"\*kv\*pe
+Microsoft.OffAzure/VMwareSites | "ApplianceName"*site | NA
+Recovery Services vault | "ApplianceName"*vault | NA
+Storage account | "ApplianceName"*usa | "ApplianceName"\*usa\*pe
+Recovery Services vault | "ProjectName"-MigrateVault-* | NA
+Storage account | migrateappligwsa* | NA
+Storage account | migrateapplilsa* | NA
+Key vault | migrateapplikv* | NA
+Service Bus Namespace | migrateapplisbns* | NA
+
+#### Hyper-V VMs
+
+**Type** | **Resource** | **Private endpoint <br/>** |
+ | |
+Microsoft.Migrate/migrateprojects | "ProjectName" | "ProjectName"\*pe
+Discovery site (master site) | "ProjectName"*mastersite | "ProjectName"\*mastersite\*pe
+Microsoft.Migrate/assessmentProjects | "ApplianceName"*project | "ApplianceName"\*project\*pe
+Key vault | "ProjectName"*kv | "ProjectName"\*kv\*pe
+Microsoft.OffAzure/HyperVSites | "ApplianceName"*site | NA
+Recovery Services vault | "ProjectName"-MigrateVault-* | "ProjectName"-MigrateVault-*pe
+
+#### Physical servers / AWS VMs / GCP VMs
+
+**Type** | **Resource** | **Private endpoint <br/>** |
+ | |
+Microsoft.Migrate/migrateprojects | "ProjectName" | "ProjectName"\*pe
+Discovery site (master site) | "ProjectName"*mastersite | "ProjectName"\*mastersite\*pe
+Microsoft.Migrate/assessmentProjects | "ApplianceName"*project | "ApplianceName"\*project\*pe
+Key vault | "ProjectName"*kv | "ProjectName"\*kv\*pe
+Microsoft.OffAzure/serversites | "ApplianceName"*site | NA
+Recovery Services vault | "ProjectName"-MigrateVault-* | "ProjectName"-MigrateVault-*pe
+ ## Next steps
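Review bot: In the three private endpoint tables the wildcard asterisk is escaped in the **Private endpoint** column (`"ProjectName"\*mastersite\*pe`) but not in the **Resource** column (`"ProjectName"*mastersite`) or in `"ProjectName"-MigrateVault-*pe`, so a row with two unescaped asterisks can render as emphasis and lose the wildcard. Escape them consistently, because readers use these names to decide what to delete, including key vaults. Also remove the `<br/>` inside the **Private endpoint** header cell, move the "The following tables summarize..." sentence below the "### Projects with private endpoint connectivity" heading it introduces, and drop the leading space before `## Next steps` so it stays a heading.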
migrate How To Use Azure Migrate With Private Endpoints https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/migrate/how-to-use-azure-migrate-with-private-endpoints.md
+
+ Title: Using Azure Migrate with private endpoints
+description: Use Azure Migrate private link support to discover, assess, and migrate using private link.
++
+ms.
+ Last updated : 04/07/2020++
+# Using Azure Migrate with private endpoints
+
+This article describes how to use Azure Migrate to discover, assess, and migrate servers over a private network using [Azure private link](https://docs.microsoft.com/azure/private-link/private-endpoint-overview).
+
+You can use the [Azure Migrate: Discovery and Assessment](https://docs.microsoft.com/azure/migrate/migrate-services-overview#azure-migrate-discovery-and-assessment-tool) and [Azure Migrate: Server Migration](https://docs.microsoft.com/azure/migrate/migrate-services-overview#azure-migrate-server-migration-tool) tools to connect privately and securely to the Azure Migrate service over an ExpressRoute private peering or a site to site VPN connection, using Azure private link.
+
+The private endpoint connectivity method is recommended when there is an organizational requirement to access the Azure Migrate service and other Azure resources without traversing public networks. You can also use the private link support to use your existing ExpressRoute private peering circuits for better bandwidth or latency requirements.
+
+## Support requirements
+
+### Required permissions
+
+**Contributor + User Access Administrator** or **Owner** permissions on the subscription.
+
+### Supported scenarios and tools
+
+**Deployment** | **Details** | **Tools**
+ | |
+**Discovery and Assessment** | Perform an agentless, at-scale discovery and assessment of your servers running on any platform ΓÇô hypervisor platforms such as [VMware vSphere](https://docs.microsoft.com/azure/migrate/tutorial-discover-vmware) or [Microsoft Hyper-V](https://docs.microsoft.com/azure/migrate/tutorial-discover-hyper-v), public clouds such as [AWS](https://docs.microsoft.com/azure/migrate/tutorial-discover-aws) or [GCP](https://docs.microsoft.com/azure/migrate/tutorial-discover-gcp), or even [bare metal servers](https://docs.microsoft.com/azure/migrate/tutorial-discover-physical). | Azure Migrate: Discovery and Assessment <br/>
+**Software inventory** | Discover apps, roles, and features running on VMware VMs. | Azure Migrate: Discovery and Assessment
+**Dependency visualization** | Use the dependency analysis capability to identify and understand dependencies across servers. <br/> [Agentless dependency visualization](https://docs.microsoft.com/azure/migrate/how-to-create-group-machine-dependencies-agentless) is supported natively with Azure Migrate private link support. <br/>[Agent-based dependency visualization](https://docs.microsoft.com/azure/migrate/how-to-create-group-machine-dependencies) requires Internet connectivity. [learn how](https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security) to to use private endpoints for agent-based dependency visualization. | Azure Migrate: Discovery and Assessment |
+**Migration** | Perform [agentless Hyper-V migrations](https://docs.microsoft.com/azure/migrate/tutorial-migrate-hyper-v) or use the agent-based approach to migrate your [VMware VMs](./tutorial-migrate-vmware-agent.md), [Hyper-V VMs](./tutorial-migrate-physical-virtual-machines.md), [physical servers](./tutorial-migrate-physical-virtual-machines.md), [VMs running on AWS](./tutorial-migrate-aws-virtual-machines.md), [VMs running on GCP](https://docs.microsoft.com/azure/migrate/tutorial-migrate-gcp-virtual-machines), or VMs running on a different virtualization provider. | Azure Migrate: Server Migration
+
+>[!Note]
+>
+> [Agentless VMware migrations](https://docs.microsoft.com/azure/migrate/tutorial-migrate-vmware) require Internet access or connectivity via ExperessRoute Microsoft peering. <br/> [Learn how](https://docs.microsoft.com/azure/migrate/replicate-using-expressroute) to use private endpoints to perform replications over ExpressRoute private peering or a site-to-site (S2S) VPN connection. <br/><br/>
+
+#### Other integrated tools
+
+Some migration tools may not be able to upload usage data to the Azure Migrate project if public network access is disabled. The Azure Migrate project should be configured to allow traffic from all networks to receive data from other Microsoft or external [independent software vendor (ISV)](https://docs.microsoft.com/azure/migrate/migrate-services-overview#isv-integration) offerings.
++
+To enable public network access for the Azure Migrate project, go to the Azure Migrate **properties page** on the Azure portal, select **No**, and select **Save**.
+
+![Diagram that shows how to change the network access mode.](./media/how-to-use-azure-migrate-with-private-endpoints/migration-project-properties.png)
+
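Review bot: Under "Other integrated tools", the instruction "select **No**, and select **Save**" never names the setting being changed. The project creation section calls it **Disable public endpoint access**; name it here as well, and make clear that allowing traffic from all networks is needed only when other Microsoft or ISV tools must upload data to the project. Smaller fixes in the same region: "ExperessRoute" in the note after the table, and "[learn how] ... to to use" in the Dependency visualization row.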
+### Other considerations
+
+**Considerations** | **Details**
+ |
+**Pricing** | For pricing information, see [Azure blob pricing](https://azure.microsoft.com/pricing/details/storage/page-blobs/) and [Azure private link pricing](https://azure.microsoft.com/pricing/details/private-link/).
+**Virtual network requirements** | The ExpressRoute/VPN gateway endpoint should reside in the selected virtual network or a virtual network connected to it. You may need ~15 IP addresses in the virtual network.
+
+## Create a project with private endpoint connectivity
+
+Use this [article](https://docs.microsoft.com/azure/migrate/create-manage-projects#create-a-project-for-the-first-time) to set up a new Azure Migrate project.
+
+> [!Note]
+> You cannot change the connectivity method to private endpoint connectivity for existing Azure Migrate projects.
+
+In the **Advanced** configuration section, provide the below details to create a private endpoint for your Azure Migrate project.
+- In **Connectivity method**, choose **Private endpoint**.
+- In **Disable public endpoint access**, keep the default setting **No**. Some migration tools may not be able to upload usage data to the Azure Migrate project if public network access is disabled. [Learn more.](#other-integrated-tools)
+- In **Virtual network subscription**, select the subscription for the private endpoint virtual network.
+- In **Virtual network**, select the virtual network for the private endpoint. The Azure Migrate appliance and other software components that need to connect to the Azure Migrate project must be on this network or a connected virtual network.
+- In **Subnet**, select the subnet for the private endpoint.
+
+Select **Create**. Wait a few minutes for the Azure Migrate project to deploy. Do not close this page while the project creation is in progress.
+
+![Create project](./media/how-to-use-azure-migrate-with-private-endpoints/create-project.png)
+
+
+This creates a migrate project and attaches a private endpoint to it.
+
+## Discover and assess servers for migration using Azure private link
+
+### Set up the Azure Migrate appliance
+
+1. In **Discover machines** > **Are your machines virtualized?**, select the server type.
+2. In **Generate Azure Migrate project key**, provide a name for the Azure Migrate appliance.
+3. Select **Generate key** to create the required Azure resources.
+
+ > [!Important]
+ > Do not close the Discover machines page during the creation of resources.
+ - At this step, Azure Migrate creates a key vault, storage account, Recovery Services vault (only for agentless VMware migrations), and a few internal resources and attaches a private endpoint to each resource. The private endpoints are created in the virtual network selected during the project creation.
+ - Once the private endpoints are created, the DNS CNAME resource records for the Azure Migrate resources are updated to an alias in a subdomain with the prefix 'privatelink'. By default, Azure Migrate also creates a private DNS zone corresponding to the 'privatelink' subdomain for each resource type and inserts DNS A records for the associated private endpoints. This enables the Azure Migrate appliance and other software components residing in the source network to reach the Azure Migrate resource endpoints on private IP addresses.
+ - Azure Migrate also enables a [managed identity](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview) for the migrate project, and grants permissions to the managed identity to securely access the storage account.
+
+4. After the key is successfully generated, copy the key details to configure and register the appliance.
+
+#### Download the appliance installer file
+
+Azure Migrate: Discovery and assessment use a lightweight Azure Migrate appliance. The appliance performs server discovery and sends server configuration and performance metadata to Azure Migrate.
+
+To set up the appliance, download the zipped file containing the installer script from the portal. Copy the zipped file on the server that will host the appliance.
+
+Make sure the server meets the [hardware requirements](https://docs.microsoft.com/azure/migrate/migrate-appliance) for the chosen scenario (VMware/Hyper-V/Physical or other) and can connect to the required Azure URLs - [public](./migrate-appliance.md#public-cloud-urls-for-private-link-connectivity) and [government](./migrate-appliance.md#government-cloud-urls-for-private-link-connectivity) clouds.
+
+After downloading the zipped file, verify the file security and run the installer script to deploy the appliance.
+
+#### Verify file security
+
+Check that the zipped file is secure before you deploy it.
+
+1. Open an administrator command window on the server to which you downloaded the file.
+2. Run the following command to generate the hash for the zipped file
+ - ```C:\>CertUtil -HashFile <file_location> [Hashing Algorithm]```
+ - Example: ```C:\>CertUtil -HashFile C:\Users\administrator\Desktop\AzureMigrateInstaller-VMware-PrivateEndPoint.zip SHA256```
+3. Verify the latest appliance version and script for Azure public cloud:
+
+ **Algorithm** | **Download** | **SHA256**
+ | |
+ VMware (85.8 MB) | [Latest version](https://go.microsoft.com/fwlink/?linkid=2116601) | 85b74d93dfcee43412386141808d82147916330e6669df94c7969fe1b3d0fe72
+ Hyper-V (85.8 MB) | [Latest version](https://go.microsoft.com/fwlink/?linkid=2116601) | 85b74d93dfcee43412386141808d82147916330e6669df94c7969fe1b3d0fe72
+ Physical or other (85.8 MB) | [Latest version](https://go.microsoft.com/fwlink/?linkid=2116601) | 85b74d93dfcee43412386141808d82147916330e6669df94c7969fe1b3d0fe72
+
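Review bot: "Verify file security" has the reader generate a hash in step 2, but step 3 never says to compare the CertUtil output with the **SHA256** column or what to do on a mismatch; add that as an explicit step. The table's first column is headed **Algorithm** but lists scenarios, and all three rows carry the same download link and the same hash, so either collapse them into one row or confirm the per-scenario values. The example file name `AzureMigrateInstaller-VMware-PrivateEndPoint.zip` also disagrees with the `AzureMigrateInstaller-Server-Public` folder shown in the "Run the script" prompt.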
+#### Run the script
+
+1. Extract the zipped file to a folder on the server that will host the appliance.
+2. Launch PowerShell on the machine, with administrator (elevated) privileges.
+3. Change the PowerShell directory to the folder containing the contents extracted from the downloaded zipped file.
+4. Run the script **AzureMigrateInstaller.ps1**, as follows:
+
+ ``` PS C:\Users\administrator\Desktop\AzureMigrateInstaller-Server-Public> .\AzureMigrateInstaller.ps1```
+
+5. After the script runs successfully, it launches the appliance configuration manager so that you can configure the appliance. If you encounter any issues, review the script logs at C:\ProgramData\Microsoft Azure\Logs\AzureMigrateScenarioInstaller_<em>Timestamp</em>.log.
+
+### Configure the appliance and start continuous discovery
+
+Open a browser on any machine that can connect to the appliance server, and open the URL of the appliance configuration
+
+#### Set up prerequisites
+
+1. Read the third-party information and accept the **license terms**.
+
+2. In the configuration manager > **Set up prerequisites**, do the following:
+ - **Connectivity**: The appliance checks for access to the required URLs. If the server uses a proxy:
+ - Select **Set up proxy** to specify the proxy address `http://ProxyIPAddress` or `http://ProxyFQDN` and listening port.
+ - Specify credentials if the proxy needs authentication. Only HTTP proxy is supported.
+ - If you want, you can add a list of URLs/IP addresses that should bypass the proxy server. If you are using ExpressRoute private peering, ensure that you bypass these [URLs](https://docs.microsoft.com/azure/migrate/replicate-using-expressroute#configure-proxy-bypass-rules-on-the-azure-migrate-appliance-for-vmware-agentless-migrations).
+ - You need to select **Save** to register the configuration if you have updated the proxy server details or added URLs/IP addresses to bypass proxy.
+
+ > [!Note]
+ > If you are getting an error with aka.ms/* link during connectivity check and you do not want the appliance to access this URL over the internet, you need to disable the auto update service on the appliance by following the steps [**here**](https://docs.microsoft.com/azure/migrate/migrate-appliance#turn-off-auto-update). After the auto-update has been disabled, the aka.ms/* URL connectivity check will be skipped.
+
+ - **Time sync**: The time on the appliance should be in sync with internet time for discovery to work properly.
+ - **Install updates**: The appliance ensures that the latest updates are installed. After the check completes, you can select **View appliance services** to see the status and versions of the services running on the appliance server.
+ > [!Note]
+ > If you have chosen to disable auto update service on the appliance, you can update the appliance services manually to get the latest versions of the services by following the steps [**here**](https://docs.microsoft.com/azure/migrate/migrate-appliance#manually-update-an-older-version).
+ - **Install VDDK**: (_Needed only for VMware appliance)_ The appliance checks that VMware vSphere Virtual Disk Development Kit (VDDK) is installed. If it isn't installed, download VDDK 6.7 from VMware, and extract the downloaded zip contents to the specified location on the appliance, as provided in the **Installation instructions**.
+
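Review bot: The opening sentence of "Configure the appliance and start continuous discovery" stops at "open the URL of the appliance configuration" and never gives the URL; finish the sentence. In "Set up prerequisites", "Only HTTP proxy is supported" follows directly after the instruction to specify proxy credentials, so state how those credentials are sent to the proxy and stored on the appliance; without that, readers cannot judge the exposure on that path.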
+#### Register the appliance and start continuous discovery
+
+After the prerequisites check has completed, follow these steps to register the appliance and start continuous discovery for respective scenarios:
+[VMware VMs](https://docs.microsoft.com/azure/migrate/tutorial-discover-vmware#register-the-appliance-with-azure-migrate),
+[Hyper-V VMs](https://docs.microsoft.com/azure/migrate/tutorial-discover-hyper-v#register-the-appliance-with-azure-migrate),
+[Physical Servers](https://docs.microsoft.com/azure/migrate/tutorial-discover-physical#register-the-appliance-with-azure-migrate),
+[AWS VMs](https://docs.microsoft.com/azure/migrate/tutorial-discover-aws#register-the-appliance-with-azure-migrate),
+[GCP VMs](https://docs.microsoft.com/azure/migrate/tutorial-discover-gcp#register-the-appliance-with-azure-migrate).
++
+>[!Note]
+> If you are getting DNS resolution issues during appliance registration or at the time of starting discovery, ensure that Azure Migrate resources created during the **Generate key** step on portal are reachable from the on-premises server hosting the Azure Migrate appliance. [Learn more on how to verify network connectivity](#troubleshoot-network-connectivity).
+
+### Assess your servers for migration to Azure
+After the discovery is complete, assess your servers ([VMware VMs](https://docs.microsoft.com/azure/migrate/tutorial-assess-vmware-azure-vm), [Hyper-V VMs](https://docs.microsoft.com/azure/migrate/tutorial-assess-hyper-v), [physical servers](https://docs.microsoft.com/azure/migrate/tutorial-assess-vmware-azure-vm), [AWS VMs](https://docs.microsoft.com/azure/migrate/tutorial-assess-aws), [GCP VMs](https://docs.microsoft.com/azure/migrate/tutorial-assess-gcp)) for migration to Azure VMs or Azure VMware Solution (AVS), using the Azure Migrate: Discovery and Assessment tool.
+
+You can also [assess your on-premises machines](https://docs.microsoft.com/azure/migrate/tutorial-discover-import#prepare-the-csv) with the Azure Migrate: Discovery and Assessment tool using an imported comma-separated values (CSV) file.
+
+## Migrate servers to Azure using Azure private link
+
+The following sections describe the steps required to use Azure Migrate with [private endpoints](https://docs.microsoft.com/azure/private-link/private-endpoint-overview) for migrations using ExpressRoute private peering or VPN connections.
+
+This article shows a proof-of-concept deployment path for agent-based replications to migrate your [VMware VMs](./tutorial-migrate-vmware-agent.md), [Hyper-V VMs](./tutorial-migrate-physical-virtual-machines.md), [physical servers](./tutorial-migrate-physical-virtual-machines.md), [VMs running on AWS](./tutorial-migrate-aws-virtual-machines.md), [VMs running on GCP](https://docs.microsoft.com/azure/migrate/tutorial-migrate-gcp-virtual-machines), or VMs running on a different virtualization provider using Azure private endpoints. You can use a similar approach for performing [agentless Hyper-V migrations](https://docs.microsoft.com/azure/migrate/tutorial-migrate-hyper-v) using private link.
+
+>[!Note]
+>[Agentless VMware migrations](https://docs.microsoft.com/azure/migrate/tutorial-assess-physical) require Internet access or connectivity via ExperessRoute Microsoft peering.
+
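Review bot: The "Agentless VMware migrations" link in the note under "Migrate servers to Azure using Azure private link" points to `tutorial-assess-physical`, while the same sentence in the "Supported scenarios and tools" note links `tutorial-migrate-vmware`; use the migration tutorial in both places. "ExperessRoute" is misspelled in both notes, and in "Assess your servers for migration to Azure" the "physical servers" link reuses the VMware assessment URL (`tutorial-assess-vmware-azure-vm`).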
+### Set up a replication appliance for migration
+
+The following diagram illustrates the agent-based replication workflow with private endpoints using the Azure Migrate: Server Migration tool.
+
+![Replication architecture](./media/how-to-use-azure-migrate-with-private-endpoints/replication-architecture.png)
+
+The tool uses a replication appliance to replicate your servers to Azure. Use this article to [prepare and set up a machine for the replication appliance. ](https://docs.microsoft.com/azure/migrate/tutorial-migrate-physical-virtual-machines#prepare-a-machine-for-the-replication-appliance)
+
+After you set up the replication appliance, use the following instructions to create the required resources for migration.
+
+1. In **Discover machines** > **Are your machines virtualized?**, select **Not virtualized/Other**.
+2. In **Target region**, select and confirm the Azure region to which you want to migrate the machines.
+3. Select **Create resources** to create the required Azure resources. Do not close the page during the creation of resources.
+ - This creates a Recovery Services vault in the background and enables a managed identity for the vault. A Recovery Services vault is an entity that contains the replication information of servers and is used to trigger replication operations.
+ - If the Azure Migrate project has private endpoint connectivity, a private endpoint is created for the Recovery Services vault. This adds five fully qualified private names (FQDNs) to the private endpoint, one for each microservice linked to the Recovery Services vault.
+ - The five domain names are formatted in this pattern: <br/> _{Vault-ID}-asr-pod01-{type}-.{target-geo-code}_.privatelink.siterecovery.windowsazure.com
+ - By default, Azure Migrate automatically creates a private DNS zone and adds DNS A records for the Recovery Services vault microservices. The private DNS zone is then linked to the private endpoint virtual network. This allows the on-premises replication appliance to resolve the fully qualified domain names to their private IP addresses.
+
+4. Before you register the replication appliance, ensure that the vault's private link FQDNs are reachable from the machine hosting the replication appliance. [Learn more on how to verify network connectivity.](#troubleshoot-network-connectivity)
+
+5. Once you verify the connectivity, download the appliance setup and key file, run the installation process, and register the appliance to Azure Migrate. Review the [detailed steps here](https://docs.microsoft.com/azure/migrate/tutorial-migrate-physical-virtual-machines#set-up-the-replication-appliance). After you set up the replication appliance, follow these instructions to [install the mobility service](https://docs.microsoft.com/azure/migrate/tutorial-migrate-physical-virtual-machines#install-the-mobility-service) on the machines you want to migrate.
+
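Review bot: In step 3, "five fully qualified private names (FQDNs)" should read "fully qualified domain names", matching the wording two bullets later. Please also confirm the pattern `{Vault-ID}-asr-pod01-{type}-.{target-geo-code}`: the hyphen directly before the dot looks like a leftover, and readers will copy this pattern into DNS and firewall rules.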
+### Replicate servers to Azure using Azure private link
+
+Now, follow [these steps](https://docs.microsoft.com/azure/migrate/tutorial-migrate-physical-virtual-machines#replicate-machines) to select servers for replication.
+
+In **Replicate** > **Target settings** > **Cache/Replication storage account**, use the drop-down to select a storage account to replicate over a private link.
+
+If your Azure Migrate project has private endpoint connectivity, you must [grant permissions to the Recovery Services vault managed identity](#grant-access-permissions-to-the-recovery-services-vault) to access the storage account required by Azure Migrate.
+
+Additionally, to enable replications over a private link, [create a private endpoint for the storage account.](#create-a-private-endpoint-for-the-storage-account-optional)
+
+#### Grant access permissions to the Recovery Services vault
+
+The Recovery Services vault managed identity requires permissions for authenticated access to the cache/replication storage account.
+
+Use the guidance below to identify the Recovery Services vault created by Azure Migrate and grant the required permissions.
+
+**_Identify the recovery services vault and the managed identity object ID_**
+
+You can find the details of the Recovery Services vault on the Azure Migrate: Server Migration **properties** page.
+
+1. Go to the **Azure Migrate hub**, select **Overview** on the Azure Migrate: Server Migration tile.
+
+ ![Overview page on the Azure Migrate hub](./media/how-to-use-azure-migrate-with-private-endpoints/hub-overview.png)
+
+2. On the left pane, select **Properties**. Make note of the Recovery Services vault name and managed identity ID. The vault will have _Private endpoint_ as the **connectivity type** and _Other_ as the **replication type**. You will need this information while providing access to the vault.
+
+ ![Azure Migrate: Server Migration properties page](./media/how-to-use-azure-migrate-with-private-endpoints/vault-info.png)
+
+**_Grant the required permissions to access the storage account_**
+
+ The managed identity of the vault must be granted the following role permissions on the storage account required for replication. In this case, you must create the storage account in advance.
+
+>[!Note]
+> For migrating Hyper-V VMs to Azure using private link, you must grant access to both the replication storage account and cache storage account.
+
+The role permissions vary depending on the type of the storage account.
+
+- Resource Manager-based storage accounts (Standard type):
+ - [Contributor](../role-based-access-control/built-in-roles.md#contributor) _and_
+ - [Storage Blob Data Contributor](../role-based-access-control/built-in-roles.md#storage-blob-data-contributor)
+- Resource Manager-based storage accounts (Premium type):
+ - [Contributor](../role-based-access-control/built-in-roles.md#contributor) _and_
+ - [Storage Blob Data Owner](../role-based-access-control/built-in-roles.md#storage-blob-data-owner)
+
+1. Go to the replication/cache storage account selected for replication. Select **Access control (IAM)** in the left pane.
+
+1. In the **Add a role assignment** section, select **Add**:
+
+ ![Add a role assignment](./media/how-to-use-azure-migrate-with-private-endpoints/storage-role-assignment.png)
++
+1. On the **Add role assignment** page, in the **Role**
+ field, select the appropriate role from the permissions list mentioned above. Enter the name of the vault noted previously and select **Save**.
+
+ ![Provide role based access](./media/how-to-use-azure-migrate-with-private-endpoints/storage-role-assignment-select-role.png)
+
+4. In addition to these permissions, you must also allow access to Microsoft trusted services. If your network access is restricted to selected networks, select **Allow trusted Microsoft services to access this storage account** in **Exceptions** section in the **Networking** tab.
+
+![Allow trusted Microsoft services for storage account](./media/how-to-use-azure-migrate-with-private-endpoints/exceptions.png)
++
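Review bot: The role assignment steps are numbered 1, 1, 1, 4, and the third step says to select "the appropriate role" (singular) although each storage account type needs two roles joined by "_and_"; say that the assignment is repeated for each role. Because one of them is Contributor, state explicitly that both are assigned at the scope of the storage account opened in the first step, and name the field the vault name is entered into before "select **Save**". The sentence "In this case, you must create the storage account in advance" has no antecedent for "this case".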
+### Create a private endpoint for the storage account (optional)
+
+To replicate using ExpressRoute with private peering, [create a private endpoint](https://docs.microsoft.com/azure/private-link/tutorial-private-endpoint-storage-portal#create-storage-account-with-a-private-endpoint) for the cache/replication storage accounts (target subresource: **_blob_**).
+
+>[!Note]
+>
+> - You can create private endpoints only on a General Purpose v2 (GPv2) storage account. For pricing information, see [Azure Page Blobs pricing](https://azure.microsoft.com/pricing/details/storage/page-blobs/) and [Azure private link pricing](https://azure.microsoft.com/pricing/details/private-link/)
+
+The private endpoint for the storage account should be created in the same virtual network as the Azure Migrate project private endpoint or another virtual network connected to this network.
+
+Select **Yes** and integrate with a private DNS zone. The private DNS zone helps in routing the connections from the virtual network to the storage account over a private link. Selecting **Yes** automatically links the DNS zone to the virtual network and adds the DNS records for the resolution of new IPs and fully qualified domain names created. Learn more about [private DNS zones.](https://docs.microsoft.com/azure/dns/private-dns-overview)
+
+If the user creating the private endpoint is also the owner of the storage account, the private endpoint will be auto-approved. Otherwise, the owner of the storage account must approve the private endpoint for usage. To approve or reject a requested private endpoint connection, go to **Private endpoint connections** under **Networking** on the storage account page.
+
+Review the status of the private endpoint connection state before proceeding.
+
+![Private Endpoint approval status](./media/how-to-use-azure-migrate-with-private-endpoints/private-endpoint-connection-state.png)
+
+After you've created the private endpoint, use the drop-down in **Replicate** > **Target settings** > **Cache storage account** to select the storage account for replicating over a private link.
+
+Ensure that the on-premises replication appliance has network connectivity to the storage account on its private endpoint. [Learn more on how to verify network connectivity.](#troubleshoot-network-connectivity)
+
+>[!Note]
+>
+> - For Hyper-V VM migrations to Azure, if the replication storage account is of _Premium_ type, you must select another storage account of _Standard_ type for the cache storage account. In this case, you must create private endpoints for both the replication and cache storage account.
+
+Next, follow these instructions to [review and start replication](https://docs.microsoft.com/azure/migrate/tutorial-migrate-physical-virtual-machines#replicate-machines) and [perform migrations](https://docs.microsoft.com/azure/migrate/tutorial-migrate-physical-virtual-machines#run-a-test-migration).
+
+## Troubleshoot network connectivity
+
+### Validate private endpoints configuration
+
+Make sure the private endpoint is an approved state.
+
+1. Go to Azure Migrate: Discovery and Assessment and Server Migration properties page.
+2. The properties page contains the list of private endpoints and private link FQDNs that were automatically created by Azure Migrate.
+
+3. Select the private endpoint you want to diagnose.
+ 1. Validate that the connection state is Approved.
+ 2. If the connection is in a Pending state, you need to get it approved.
+ 3. You may also navigate to the private endpoint resource and review if the virtual network matches the Migrate project private endpoint virtual network.
+
+ ![View Private Endpoint connection](./media/how-to-use-azure-migrate-with-private-endpoints/private-endpoint-connection.png)
+
+### Verify DNS resolution
+
+The on-premises appliance (or replication provider) will access the Azure Migrate resources using their fully qualified private link domain names (FQDNs). You may require additional DNS settings to resolve the private IP address of the private endpoints from the source environment. [Use this article](https://docs.microsoft.com/azure/private-link/private-endpoint-dns#on-premises-workloads-using-a-dns-forwarder) to understand the DNS configuration scenarios that can help troubleshoot any network connectivity issues.
+
+To validate the private link connection, perform a DNS resolution of the Azure Migrate resource endpoints (private link resource FQDNs) from the on-premises server hosting the Migrate appliance and ensure that it resolves to a private IP address.
+The private endpoint details and private link resource FQDNs' information is available in the Discovery and Assessment and Server Migration properties pages. Select **Download DNS settings** to view the list.
+
+ ![Azure Migrate: Discovery and Assessment Properties](./media/how-to-use-azure-migrate-with-private-endpoints/server-assessment-properties.png)
+
+ ![Azure Migrate: Server Migration Properties](./media/how-to-use-azure-migrate-with-private-endpoints/azure-migrate-server-migration-properties.png)
+
+An illustrative example for DNS resolution of the storage account private link FQDN.
+
+- Enter _nslookup<storage-account-name>_.blob.core.windows.net. Replace <storage-account-name> with the name of the storage account used for Azure Migrate.
+
+ You'll receive a message like this:
+
+ ![DNS resolution example](./media/how-to-use-azure-migrate-with-private-endpoints/dns-resolution-example.png)
+
+- A private IP address of 10.1.0.5 is returned for the storage account. This address belongs to the private endpoint virtual network subnet.
+
+You can verify the DNS resolution for other Azure Migrate artifacts using a similar approach.
+
+If the DNS resolution is incorrect, follow these steps:
+
+- If you use a custom DNS, review your custom DNS settings, and validate that the DNS configuration is correct. For guidance, see [private endpoint overview: DNS configuration](https://docs.microsoft.com/azure/private-link/private-endpoint-overview#dns-configuration).
+- If you use Azure-provided DNS servers, refer to the below section for further troubleshooting.
+
+> [!Tip]
+> You can manually update your source environment DNS records by editing the DNS hosts file on your on-premises appliance with the private link resource FQDNs and their associated private IP addresses. This option is recommended only for testing. <br/>
++
+### Validate the Private DNS Zone
+If the DNS resolution is not working as described in the previous section, there might be an issue with your Private DNS Zone.
+
+#### Confirm that the required Private DNS Zone resource exists
+By default, Azure Migrate also creates a private DNS zone corresponding to the 'privatelink' subdomain for each resource type. The private DNS zone will be created in the same Azure resource group as the private endpoint resource group. The Azure resource group should contain private DNS zone resources with the following format:
+- privatelink.vaultcore.azure.net for the key vault
+- privatelink.blob.core.windows.net for the storage account
+- privatelink.siterecovery.windowsazure.com for the recovery services vault (for Hyper-V and agent-based replications)
+- privatelink.prod.migration.windowsazure.com - migrate project, assessment project, and discovery site.
+
+The private DNS zone will be automatically created by Azure Migrate (except for the cache/replication storage account selected by the user). You can locate the linked private DNS zone by navigating to the private endpoint page and selecting DNS configurations. You should see the private DNS zone under the private DNS integration section.
+
+![DNS configuration screenshot](./media/how-to-use-azure-migrate-with-private-endpoints/dns-configuration.png)
+
+If the DNS zone is not present (as shown below), [create a new Private DNS Zone resource.](https://docs.microsoft.com/azure/dns/private-dns-getstarted-portal)
+
+![Create a Private DNS Zone](./media/how-to-use-azure-migrate-with-private-endpoints/create-dns-zone.png)
+
+#### Confirm that the Private DNS Zone is linked to the virtual network
+The private DNS zone should be linked to the virtual network that contains the private endpoint for the DNS query to resolve the private IP address of the resource endpoint. If the private DNS zone is not linked to the correct Virtual Network, any DNS resolution from that virtual network will ignore the private DNS zone.
+
+Navigate to the private DNS zone resource in the Azure portal and select the virtual network links from the left menu. You should see the virtual networks linked.
+
+![View virtual network links](./media/how-to-use-azure-migrate-with-private-endpoints/virtual-network-links.png)
+
+This will show a list of links, each with the name of a virtual network in your subscription. The virtual network that contains the Private Endpoint resource must be listed here. Else, [follow this article](https://docs.microsoft.com/azure/dns/private-dns-getstarted-portal#link-the-virtual-network) to link the private DNS zone to a virtual network.
+
+Once the private DNS zone is linked to the virtual network, DNS requests originating from the virtual network will look for DNS records in the private DNS zone. This is required for correct address resolution to the virtual network where the private endpoint was created.
+
+#### Confirm that the private DNS zone contains the right A records
+
+Go to the private DNS zone you want to troubleshoot. The Overview page shows all DNS records for that private DNS zone. Verify that a DNS A record exists for the resource. The value of the A record (the IP address) must be the resourcesΓÇÖ private IP address. If you find the A record with the wrong IP address, you must remove the wrong IP address and add a new one. It's recommended that you remove the entire A record and add a new one, and do a DNS flush on the on-premises source appliance.
+
+An illustrative example for the storage account DNS A record in the private DNS zone:
+
+![DNS records](./media/how-to-use-azure-migrate-with-private-endpoints/dns-a-records.png)
+
+An illustrative example for the Recovery Services vault microservices DNS A records in the private DNS zone:
+
+![DNS records for Recovery Services vault](./media/how-to-use-azure-migrate-with-private-endpoints/rsv-a-records.png)
+
+>[!Note]
+> When you remove or modify an A record, the machine may still resolve to the old IP address because the TTL (Time To Live) value might not have expired yet.
+
+#### Other things that may affect private link connectivity
+
+This is a non-exhaustive list of items that can be found in advanced or complex scenarios:
+
+- Firewall settings, either the Azure Firewall connected to the Virtual network or a custom firewall solution deploying in the appliance machine.
+- Network peering, which may impact which DNS servers are used and how traffic is routed.
+- Custom gateway (NAT) solutions may impact how traffic is routed, including traffic from DNS queries.
+
+For more information, review the [troubleshooting guide for Private Endpoint connectivity problems.](https://docs.microsoft.com/azure/private-link/troubleshoot-private-endpoint-connectivity)
+
+## Next steps
+- [Complete the migration process](https://docs.microsoft.com/azure/migrate/tutorial-migrate-physical-virtual-machines#complete-the-migration) and review the [post-migration best practices](https://docs.microsoft.com/azure/migrate/tutorial-migrate-physical-virtual-machines#post-migration-best-practices).
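Review bot: in "Verify DNS resolution" the command is written as `_nslookup<storage-account-name>_.blob.core.windows.net`, with no space after `nslookup` and the italic markers splitting the host name, so it cannot be copied as a working command; put it in code formatting as `nslookup <storage-account-name>.blob.core.windows.net`. Under "Validate private endpoints configuration", "Make sure the private endpoint is an approved state" is missing "in". The role-assignment steps are numbered 1, 1, 1, 4 and the third step breaks mid-sentence after `**Role**`; use one numbering style for all four. "Confirm that the required Private DNS Zone resource exists" says Azure Migrate creates a zone for each resource type and lists `privatelink.blob.core.windows.net`, while the next paragraph excepts the cache/replication storage account, so state once who creates the storage zone. The apostrophe in "resources' private IP address" in the A records section is mis-encoded.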
migrate Migrate Appliance Architecture https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/migrate/migrate-appliance-architecture.md
The appliance communicates with the discovery sources using the following proces
||| **Start discovery** | The appliance communicates with the vCenter server on TCP port 443 by default. If the vCenter server listens on a different port, you can configure it in the appliance configuration manager. | The appliance communicates with the Hyper-V hosts on WinRM port 5985 (HTTP). | The appliance communicates with Windows servers over WinRM port 5985 (HTTP) with Linux servers over port 22 (TCP). **Gather configuration and performance metadata** | The appliance collects the metadata of servers running on vCenter Server using vSphere APIs by connecting on port 443 (default port) or any other port vCenter Server listens on. | The appliance collects the metadata of servers running on Hyper-V hosts using a Common Information Model (CIM) session with hosts on port 5985.| The appliance collects metadata from Windows servers using Common Information Model (CIM) session with servers on port 5985 and from Linux servers using SSH connectivity on port 22.
-**Send discovery data** | The appliance sends the collected data to Azure Migrate: Discovery and assessment and Azure Migrate: Server Migration over SSL port 443.<br/><br/> The appliance can connect to Azure over the internet or via ExpressRoute (requires Microsoft peering). | The appliance sends the collected data to Azure Migrate: Discovery and assessment over SSL port 443.<br/><br/> The appliance can connect to Azure over the internet or via ExpressRoute (requires Microsoft peering).| The appliance sends the collected data to Azure Migrate: Discovery and assessment over SSL port 443.<br/><br/> The appliance can connect to Azure over the internet or via ExpressRoute (requires Microsoft peering).
+**Send discovery data** | The appliance sends the collected data to Azure Migrate: Discovery and assessment and Azure Migrate: Server Migration over SSL port 443.<br/><br/> The appliance can connect to Azure over the internet or via ExpressRoute private peering or Microsoft peering circuits. | The appliance sends the collected data to Azure Migrate: Discovery and assessment over SSL port 443.<br/><br/> The appliance can connect to Azure over the internet or via ExpressRoute private peering or Microsoft peering circuits. | The appliance sends the collected data to Azure Migrate: Discovery and assessment over SSL port 443.<br/><br/> The appliance can connect to Azure over the internet or via ExpressRoute private peering or Microsoft peering circuits.
**Data collection frequency** | Configuration metadata is collected and sent every 30 minutes. <br/><br/> Performance metadata is collected every 20 seconds and is aggregated to send a data point to Azure every 10 minutes. <br/><br/> Software inventory data is sent to Azure once every 12 hours. <br/><br/> Agentless dependency data is collected every 5 mins, aggregated on appliance and sent to Azure every 6 hours. <br/><br/> The SQL Server configuration data is updated once every 24 hours and the performance data is captured every 30 seconds.| Configuration metadata is collected and sent every 30 mins. <br/><br/> Performance metadata is collected every 30 seconds and is aggregated to send a data point to Azure every 10 minutes.| Configuration metadata is collected and sent every 30 mins. <br/><br/> Performance metadata is collected every 5 minutes and is aggregated to send a data point to Azure every 10 minutes. **Assess and migrate** | You can create assessments from the metadata collected by the appliance using Azure Migrate: Discovery and assessment tool.<br/><br/>In addition, you can also start migrating servers running in your VMware environment using Azure Migrate: Server Migration tool to orchestrate agentless server replication.| You can create assessments from the metadata collected by the appliance using Azure Migrate: Discovery and assessment tool. | You can create assessments from the metadata collected by the appliance using Azure Migrate: Discovery and assessment tool.
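Review bot: the new "Send discovery data" wording puts "ExpressRoute private peering" next to Microsoft peering in all three columns without saying that the private peering path depends on private endpoints for the Azure Migrate project. The other articles in this update tie private peering to private endpoints, so add that condition and a link to the private endpoints how-to in the cell; as written, a reader may expect private peering to reach the public service URLs.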
migrate Migrate Appliance https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/migrate/migrate-appliance.md
download.microsoft.com/download | Allow downloads from Microsoft download center
*.discoverysrv.windowsazure.us <br/> *.migration.windowsazure.us | Connect to Azure Migrate service URLs. *.hypervrecoverymanager.windowsazure.us | **Used for VMware agentless migration**<br/><br/> Connect to Azure Migrate service URLs. *.blob.core.usgovcloudapi.net | **Used for VMware agentless migration**<br/><br/>Upload data to storage for migration.
-*.applicationinsights.us | Upload appliance logs used for internal monitoring.
+*.applicationinsights.us | Upload appliance logs used for internal monitoring.
+
+### Public cloud URLs for private link connectivity
+
+The appliance needs access to the following URLs (directly or via proxy) over and above private link access.
+
+**URL** | **Details**
+ | |
+*.portal.azure.com | Navigate to the Azure portal.
+*.windows.net <br/> *.msftauth.net <br/> *.msauth.net <br/> *.microsoft.com <br/> *.live.com <br/> *.office.com | Sign in to your Azure subscription.
+*.microsoftonline.com <br/> *.microsoftonline-p.com | Create Azure Active Directory (AD) apps for the appliance to communicate with Azure Migrate.
+management.azure.com | Create Azure AD apps for the appliance to communicate with the Azure Migrate.
+*.services.visualstudio.com (optional) | Upload appliance logs used for internal monitoring.
+aka.ms/* (optional) | Allow access to aka links; used to download and install the latest updates for appliance services.
+download.microsoft.com/download | Allow downloads from Microsoft download center.
+*.servicebus.windows.net | **Used for VMware agentless migration**<br/><br/> Communication between the appliance and the Azure Migrate service.
+*.vault.azure.net | **Used for VMware agentless migration**<br/><br/> Ensure servers to replicate have access to this.
+*.hypervrecoverymanager.windowsazure.com | **Used for VMware agentless migration**<br/><br/> Connect to Azure Migrate service URLs.
+*.blob.core.windows.net | **Used for VMware agentless migration**<br/><br/>Upload data to storage for migration.
+
+### Government cloud URLs for private link connectivity
+
+The appliance needs access to the following URLs (directly or via proxy) over and above private link access.
+
+**URL** | **Details**
+ | |
+*.portal.azure.us | Navigate to the Azure portal.
+graph.windows.net | Sign in to your Azure subscription.
+login.microsoftonline.us | Create Azure Active Directory (AD) apps for the appliance to communicate with Azure Migrate.
+management.usgovcloudapi.net | Create Azure AD apps for the appliance to communicate with the Azure Migrate service.
+*.services.visualstudio.com (optional) | Upload appliance logs used for internal monitoring.
+aka.ms/* (optional) | Allow access to aka links; used to download and install the latest updates for appliance services.
+download.microsoft.com/download | Allow downloads from Microsoft download center.
+*.servicebus.usgovcloudapi.net | **Used for VMware agentless migration**<br/><br/> Communication between the appliance and the Azure Migrate service.
+*.vault.usgovcloudapi.net | **Used for VMware agentless migration**<br/><br/> Manage secrets in the Azure Key Vault.
+*.hypervrecoverymanager.windowsazure.us | **Used for VMware agentless migration**<br/><br/> Connect to Azure Migrate service URLs.
+*.blob.core.usgovcloudapi.net | **Used for VMware agentless migration**<br/><br/>Upload data to storage for migration.
+*.applicationinsights.us (optional) | Upload appliance logs used for internal monitoring.
## Collected data - VMware
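Review bot: the public cloud table for private link connectivity allows whole zones for sign-in (`*.windows.net`, `*.microsoft.com`, `*.live.com`, `*.office.com`), while the government table added below it names single hosts (`graph.windows.net`, `login.microsoftonline.us`) for the same purpose. On a proxy that matches wildcards across subdomain levels, the broad entries already cover the later `*.servicebus.windows.net`, `*.blob.core.windows.net` and `download.microsoft.com` rows, so an allowlist built from this table is much wider than the per-service rows suggest; list the specific sign-in hosts or state why the wildcards are needed. Also, `*.vault.azure.net` is described as "Ensure servers to replicate have access to this" where the government row says "Manage secrets in the Azure Key Vault", and the `management.azure.com` row ends "communicate with the Azure Migrate." with a stray "the".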
migrate Migrate Replication Appliance https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/migrate/migrate-replication-appliance.md
Title: Azure Migrate replication appliance
-description: Learn about the Azure Migrate replication appliance for agent-based VMWare migration.
+description: Learn about the Azure Migrate replication appliance for agent-based VMware migration.
ms.
MySQL must be installed on the replication appliance machine. It can be installe
**Method** | **Details** | Download and install manually | Download MySQL application & place it in the folder C:\Temp\ASRSetup, then install manually.<br/> When you set up the appliance MySQL will show as already installed.
-Without online download | Place the MySQL installer application in the folder C:\Temp\ASRSetup. When you install the appliance and click to download and install MySQL, setup will use the installer you added.
+Without online download | Place the MySQL installer application in the folder C:\Temp\ASRSetup. When you install the appliance and select download and install MySQL, setup will use the installer you added.
Download and install in Azure Migrate | When you install the appliance and are prompted for MySQL, select **Download and install**. ## URL access
The replication appliance needs access to these URLs in the Azure public cloud.
\*.blob.core.windows.net | Used to access storage account that stores replicated data \*.hypervrecoverymanager.windowsazure.com | Used for replication management operations and coordination https:\//management.azure.com | Used for replication management operations and coordination
-*.services.visualstudio.com | Used for telemetry purposes (It is optional)
+*.services.visualstudio.com | Used for logging purposes (It is optional)
time.windows.com | Used to check time synchronization between system and global time. https:\//login.microsoftonline.com <br/> https:\//secure.aadcdn.microsoftonline-p.com <br/> https:\//login.live.com <br/> https:\//graph.windows.net <br/> https:\//login.windows.net <br/> https:\//www.live.com <br/> https:\//www.microsoft.com | Appliance setup needs access to these URLs. They are used for access control and identity management by Azure Active Directory https:\//dev.mysql.com/get/Downloads/MySQLInstaller/mysql-installer-community-5.7.20.0.msi | To complete MySQL download. In a few regions, the download might be redirected to the CDN URL. Ensure that the CDN URL is also allowed if needed.
The replication appliance needs access to these URLs in Azure Government.
\*.blob.core.windows.net | Used to access storage account that stores replicated data \*.hypervrecoverymanager.windowsazure.us | Used for replication management operations and coordination https:\//management.usgovcloudapi.net | Used for replication management operations and coordination
-*.services.visualstudio.com | Used for telemetry purposes (It is optional)
+*.services.visualstudio.com | Used for logging purposes (It is optional)
time.nist.gov | Used to check time synchronization between system and global time. https:\//login.microsoftonline.com <br/> https:\//secure.aadcdn.microsoftonline-p.com <br/> https:\//login.live.com <br/> https:\//graph.windows.net <br/> https:\//login.windows.net <br/> https:\//www.live.com <br/> https:\//www.microsoft.com | Appliance setup with OVA needs access to these URLs. They are used for access control and identity management by Azure Active Directory.
-https:\//dev.mysql.com/get/Downloads/MySQLInstaller/mysql-installer-community-5.7.20.0.msi | To complete MySQL download. In a few regions, the download might be redirected to the CDN URL. Ensure that the CDN URL is also allowed if needed.
+https:\//dev.mysql.com/get/Downloads/MySQLInstaller/mysql-installer-community-5.7.20.0.msi | To complete MySQL download. In a few regions, the download might be redirected to the CDN URL. Ensure that the CDN URL is also allowed if needed.
+
+>[!Note]
+>
+> If you Migrate project has private endpoint connectivity, you will need access to following URLs over and above private link access:
+> - *.blob.core.windows.com - To access storage account that stores replicated data. This is optional and is not required if the storage account has a private endpoint attached.
+> - https:\//management.azure.com for replication management operations and coordination.
+>- https:\//login.microsoftonline.com <br/>https:\//login.windows.net <br/> https:\//www.live.com _and_ <br/> https:\//www.microsoft.com for access control and identity management by Azure Active Directory
## Port access
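Review bot: the added note lists `*.blob.core.windows.com`, but the storage rows in the same article use `*.blob.core.windows.net`; an allowlist copied from the note would not match the storage endpoint. The note is also placed after the Azure Government table yet names only public cloud hosts (`management.azure.com`, `login.microsoftonline.com`), where the table above it uses `management.usgovcloudapi.net`, so say which cloud it applies to or add the government equivalents. "If you Migrate project" should read "If your Migrate project", and the last bullet starts with `>-` where the other two use `> -`.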
Process server | The process server receives replication data, optimizes, and en
The appliance is upgraded manually from the Azure Migrate hub. We recommend that you always run the latest version.
-1. In Azure Migrate > Servers > Azure Migrate: Server Assessment, Infrastructure servers, click **Configuration servers**.
+1. In Azure Migrate > Servers > Azure Migrate: Server Assessment, Infrastructure servers, select **Configuration servers**.
2. In **Configuration servers**, a link appears in **Agent Version** when a new version of the replication appliance is available. 3. Download the installer to the replication appliance machine, and install the upgrade. The installer detects the version current running on the appliance.
migrate Migrate Support Matrix Hyper V Migration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/migrate/migrate-support-matrix-hyper-v-migration.md
backup.windowsazure.us | Replication data transfer and coordination.
*.hypervrecoverymanager.windowsazure.us | Used for replication management. *.blob.core.usgovcloudapi.net | Upload data to storage accounts. dc.services.visualstudio.com | Upload app logs used for internal monitoring.
-time.nist.gov | Verifies time synchronization between system and global time.
+time.nist.gov | Verifies time synchronization between system and global time.
+
+>[!Note]
+>
+> If you Migrate project has **private endpoint connectivity**, the replication provider software on the Hyper-V hosts will need access to these URLs for private link support.
+> - *.blob.core.windows.com - To access storage account that stores replicated data. This is optional and is not required if the storage account has a private endpoint attached.
+> - login.windows.net for access control and identity management using Active Directory.
## Azure VM requirements
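Review bot: `*.blob.core.windows.com` in the first bullet of the added note should be `*.blob.core.windows.net`. The note follows a table of Azure Government hosts (`*.blob.core.usgovcloudapi.net`, `*.hypervrecoverymanager.windowsazure.us`) but gives public cloud names only, so say which cloud it covers. "If you Migrate project" should be "If your Migrate project", and "will need access to these URLs for private link support" reads differently from the "over and above private link access" wording used for the same list in the replication appliance article; pick one phrasing.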
migrate Server Migrate Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/migrate/server-migrate-overview.md
Use these selected comparisons to help you decide which method to use. You can a
**Target disk** | Managed disks | Managed disks **Disk limits** | OS disk: 2 TB<br/><br/> Data disk: 32 TB<br/><br/> Maximum disks: 60 | OS disk: 2 TB<br/><br/> Data disk: 32 TB<br/><br/> Maximum disks: 63 **Passthrough disks** | Not supported | Supported
-**UEFI boot** | Supported. | Supported.
+**UEFI boot** | Supported. | Supported.
+**Connectivity** | Public internet <br/> ExpressRoute with Microsoft peering <br/> <br/> [Learn how](./replicate-using-expressroute.md) to use private endpoints for replication over an ExpressRoute private peering or a S2S VPN connection. |Public internet <br/> ExpressRoute with Private peering <br/> ExpressRoute with Microsoft peering <br/> Site-to-site VPN
## Compare deployment steps
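Review bot: in the new Connectivity row the first cell lists only public internet and Microsoft peering, then links to private endpoints for ExpressRoute private peering or an S2S VPN, which leaves it unclear whether those two paths are supported for that method. List them in the cell with the private endpoint condition attached, the way the second cell lists its options. The row also mixes "Private peering" with "private peering" and "S2S VPN" with "Site-to-site VPN".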
migrate Tutorial Discover Import https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/migrate/tutorial-discover-import.md
If you just created a free Azure account, you're the owner of your subscription.
2. In the **Subscriptions** page, select the subscription in which you want to create an Azure Migrate project. 3. In the subscription, select **Access control (IAM)** > **Check access**. 4. In **Check access**, search for the relevant user account.
-5. In **Add a role assignment**, click **Add**.
+5. In **Add a role assignment**, select **Add**.
![Search for a user account to check access and assign a role](./media/tutorial-discover-import/azure-account-access.png)
-6. In **Add role assignment**, select the Contributor or Owner role, and select the account (azmigrateuser in our example). Then click **Save**.
+6. In **Add role assignment**, select the Contributor or Owner role, and select the account (azmigrateuser in our example). Then select **Save**.
![Opens the Add Role assignment page to assign a role to the account](./media/tutorial-discover-import/assign-role.png)
Set up a new Azure Migrate project if you don't have one.
5. In **Create project**, select your Azure subscription and resource group. Create a resource group if you don't have one. 6. In **Project Details**, specify the project name and the geography in which you want to create the project. Review supported geographies for [public](migrate-support-matrix.md#supported-geographies-public-cloud) and [government clouds](migrate-support-matrix.md#supported-geographies-azure-government).
- ![Boxes for project name and region](./media/tutorial-discover-import/new-project.png)
+ ![Boxes for project name and region](./media/tutorial-discover-import/new-project.png)
+ > [!Note]
+ > Use the **Advanced** configuration section to create an Azure Migrate project with private endpoint connectivity. [Learn more](how-to-use-azure-migrate-with-private-endpoints.md#create-a-project-with-private-endpoint-connectivity)
7. Select **Create**. 8. Wait a few minutes for the Azure Migrate project to deploy.
Operating system names provided in the CSV must contain and match. If they don't
**A-H** | **I-R** | **S-T** | **U-Z** | | |
-Apple Mac OS X 10<br/>Asianux 3<br/>Asianux 4<br/>Asianux 5<br/>CentOS<br/>CentOS 4/5<br/>CoreOS Linux<br/>Debian GNU/Linux 4<br/>Debian GNU/Linux 5<br/>Debian GNU/Linux 6<br/>Debian GNU/Linux 7<br/>Debian GNU/Linux 8<br/>FreeBSD | IBM OS/2<br/>MS-DOS<br/>Novell NetWare 5<br/>Novell NetWare 6<br/>Oracle Linux<br/>Oracle Linux 4/5<br/>Oracle Solaris 10<br/>Oracle Solaris 11<br/>Red Hat Enterprise Linux 2<br/>Red Hat Enterprise Linux 3<br/>Red Hat Enterprise Linux 4<br/>Red Hat Enterprise Linux 5<br/>Red Hat Enterprise Linux 6<br/>Red Hat Enterprise Linux 7<br/>Red Hat Fedora | SCO OpenServer 5<br/>SCO OpenServer 6<br/>SCO UnixWare 7<br/> Serenity Systems eComStation 1<br/>Serenity Systems eComStation <br/>Sun Microsystems Solaris 8<br/>Sun Microsystems Solaris 9<br/><br/>SUSE Linux Enterprise 10<br/>SUSE Linux Enterprise 11<br/>SUSE Linux Enterprise 12<br/>SUSE Linux Enterprise 8/9<br/>SUSE Linux Enterprise 11<br/>SUSE openSUSE | Ubuntu Linux<br/>VMware ESXi 4<br/>VMware ESXi 5<br/>VMware ESXi 6<br/>Windows 10<br/>Windows 2000<br/>Windows 3<br/>Windows 7<br/>Windows 8<br/>Windows 95<br/>Windows 98<br/>Windows NT<br/>Windows Server (R) 2008<br/>Windows Server 2003<br/>Windows Server 2008<br/>Windows Server 2008 R2<br/>Windows Server 2012<br/>Windows Server 2012 R2<br/>Windows Server 2016<br/>Windows Server 2019<br/>Windows Server Threshold<br/>Windows Vista<br/>Windows Web Server 2008 R2<br/>Windows XP Professional
+Asianux 3<br/>Asianux 4<br/>Asianux 5<br/>CentOS<br/>CentOS 4/5<br/>CoreOS Linux<br/>Debian GNU/Linux 4<br/>Debian GNU/Linux 5<br/>Debian GNU/Linux 6<br/>Debian GNU/Linux 7<br/>Debian GNU/Linux 8<br/>FreeBSD | IBM OS/2<br/>macOS X 10<br/>MS-DOS<br/>Novell NetWare 5<br/>Novell NetWare 6<br/>Oracle Linux<br/>Oracle Linux 4/5<br/>Oracle Solaris 10<br/>Oracle Solaris 11<br/>Red Hat Enterprise Linux 2<br/>Red Hat Enterprise Linux 3<br/>Red Hat Enterprise Linux 4<br/>Red Hat Enterprise Linux 5<br/>Red Hat Enterprise Linux 6<br/>Red Hat Enterprise Linux 7<br/>Red Hat Fedora | SCO OpenServer 5<br/>SCO OpenServer 6<br/>SCO UnixWare 7<br/> Serenity Systems eComStation 1<br/>Serenity Systems eComStation <br/>Sun Microsystems Solaris 8<br/>Sun Microsystems Solaris 9<br/><br/>SUSE Linux Enterprise 10<br/>SUSE Linux Enterprise 11<br/>SUSE Linux Enterprise 12<br/>SUSE Linux Enterprise 8/9<br/>SUSE Linux Enterprise 11<br/>SUSE openSUSE | Ubuntu Linux<br/>VMware ESXi 4<br/>VMware ESXi 5<br/>VMware ESXi 6<br/>Windows 10<br/>Windows 2000<br/>Windows 3<br/>Windows 7<br/>Windows 8<br/>Windows 95<br/>Windows 98<br/>Windows NT<br/>Windows Server (R) 2008<br/>Windows Server 2003<br/>Windows Server 2008<br/>Windows Server 2008 R2<br/>Windows Server 2012<br/>Windows Server 2012 R2<br/>Windows Server 2016<br/>Windows Server 2019<br/>Windows Server Threshold<br/>Windows Vista<br/>Windows Web Server 2008 R2<br/>Windows XP Professional
## Next steps
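Review bot: "Apple Mac OS X 10" is replaced by "macOS X 10" and moved from the A-H column to I-R, but the context line above the table says operating system names in the CSV must contain and match these values. If the import still matches on the old string, the documented value will stop working, so confirm the accepted string before renaming it. "SUSE Linux Enterprise 11" appears twice in the S-T column and "Serenity Systems eComStation" has a second entry with no version; both carry over unchanged from the removed line and could be fixed in the same edit.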
migrate Tutorial Migrate Aws Virtual Machines https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/migrate/tutorial-migrate-aws-virtual-machines.md
The first step of migration is to set up the replication appliance. To set up th
5. Click **Create resources**. This creates an Azure Site Recovery vault in the background. - If you've already set up migration with Azure Migrate Server Migration, the target option can't be configured, since resources were set up previously. - You can't change the target region for this project after clicking this button.
- - To migrate your VMs to a different region, you'll need to create a new/different Azure Migrate project.
+ - To migrate your VMs to a different region, you'll need to create a new/different Azure Migrate project.
+ > [!NOTE]
+ > If you selected private endpoint as the connectivity method for the Azure Migrate project when it was created, the Recovery Services vault will also be configured for private endpoint connectivity. Ensure that the private endpoints are reachable from the replication appliance. [**Learn more**](how-to-use-azure-migrate-with-private-endpoints.md#troubleshoot-network-connectivity)
6. In **Do you want to install a new replication appliance?**, select **Install a replication appliance**. 7. In **Download and install the replication appliance software**, download the appliance installer, and the registration key. You need to the key in order to register the appliance. The key is valid for five days after it's downloaded.
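Review bot: the new NOTE under step 5 says "Ensure that the private endpoints are reachable from the replication appliance" but gives no way to confirm it at this point in the procedure. Say in one clause what the reader should check from the appliance, and give the link descriptive text instead of **Learn more**. The removed and re-added "To migrate your VMs to a different region" line differs only in whitespace, so confirm the re-indent is intentional and that the NOTE renders nested under step 5. The adjacent step 7 context reads "You need to the key", which is missing a word and could be fixed in the same change.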
A Mobility service agent must be installed on the source AWS VMs to be migrated.
![Select VMs](./media/tutorial-migrate-physical-virtual-machines/select-vms.png) 8. In **Target settings**, select the subscription, and target region to which you'll migrate, and specify the resource group in which the Azure VMs will reside after migration.
-9. In **Virtual Network**, select the Azure VNet/subnet to which the Azure VMs will be joined after migration.
-10. In **Availability options**, select:
+9. In **Virtual Network**, select the Azure VNet/subnet to which the Azure VMs will be joined after migration.
+10. In **Cache storage account**, keep the default option to use the cache storage account that is automatically created for the project. Use the drop down if you'd like to specify a different storage account to use as the cache storage account for replication. <br/>
+ > [!NOTE]
+ >
+ > - If you selected private endpoint as the connectivity method for the Azure Migrate project, grant the Recovery Services vault access to the cache storage account. [**Learn more**](how-to-use-azure-migrate-with-private-endpoints.md#grant-access-permissions-to-the-recovery-services-vault)
+ > - To replicate using ExpressRoute with private peering, create a private endpoint for the cache storage account. [**Learn more**](how-to-use-azure-migrate-with-private-endpoints.md#create-a-private-endpoint-for-the-storage-account-optional)
+11. In **Availability options**, select:
- Availability Zone to pin the migrated machine to a specific Availability Zone in the region. Use this option to distribute servers that form a multi-node application tier across Avail
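Review bot: in the NOTE added under step 10, "grant the Recovery Services vault access to the cache storage account" does not say what access is required, so a reader may grant more than is needed. State the required permission or role inline rather than only behind the link. The second bullet's link anchor ends in `-optional` while the sentence reads as mandatory ("create a private endpoint for the cache storage account"); make the wording match. Minor points: "drop down" should be "drop-down list", the trailing `<br/>` after step 10 and the empty `>` line in the NOTE can be removed, and later steps or cross-references need checking now that **Availability options** has moved from step 10 to step 11.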