+

+1. Wait for the user to provide the `verificationCode` claim type with the code sent to the user.

+1. Return the `email` to the self-asserted technical profile that has a reference to this display control.

+1. Using the `SendCode` action, generate an OTP code and send an email with the OTP code to the user.

+ 

+ Title: Configure Azure Active Directory B2C with Asignio

+description: Configure Azure Active Directory B2C with Asignio for multi-factor authentication

+zone_pivot_groups: b2c-policy-type

+# Configure Asignio with Azure Active Directory B2C for multi-factor authentication

+In this sample article, learn how to integrate Azure Active Directory (Azure AD B2C) authentication with [Asignio](https://www.asignio.com/). Using this integration, organizations can provide passwordless, soft biometric, and multi-factor authentication (MFA) experience to their customers. Asignio's user friendly, web-based solution is available on any device, anytime, and anywhere. Asignio uses a combination of the patented Asignio Signature and live facial verification for user authentication. The changeable biometric signature eliminates passwords, fraud, phishing, and credential reuse through omni-channel authentication.

+## Prerequisites

+To get started, you'll need:

+- An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+- An [Azure AD B2C tenant](./tutorial-create-tenant.md) that's linked to your Azure subscription.

+- An Asignio Client ID and Client Secret that will be issued by [Asignio](https://www.asignio.com/). These tokens are obtained by registering your mobile or web applications with Asignio.

+- Complete the steps in the article [get started with custom policies in Azure Active Directory B2C](./tutorial-create-user-flows.md?pivots=b2c-custom-policy).

+## Scenario description

+This integration includes the following components:

+- **Azure AD B2C**: The authorization server, responsible for verifying the user's credentials.

+- **Web or mobile applications:** The web or mobile applications you wish to secure with Asignio MFA.

+- **Asignio web application:** Signature biometric collection on the user's touch device.

+The following architecture diagram shows the implementation.

+

+| Step | Description |

+|:--|:--|

+| 1. | User opens Azure AD B2C's sign in page on their mobile or web application, and then signs in or signs up by entering their username.|

+| 2. | Azure AD B2C redirects the user to Asignio using an OpenID Connect (OIDC) request. |

+| 3. | The user is redirected to the Asignio web application to complete the biometric sign in. If the user hasn't registered their Asignio Signature, they can choose to use an SMS One-Time-Password (OTP) to authenticate the immediate request. Once authenticated, user will receive a registration link to finish creating their Asignio Signature. |

+| 4. | The user authenticates via Asignio using their Asignio Signature and facial verification or voice and facial verification.|

+|5. | The challenge response is then sent back to Asignio. |

+| 6. | Asignio returns the OIDC response to Azure AD B2C sign in. |

+| 7. | Azure AD B2C sends an authentication verification request to Asignio to confirm receipt of the authentication data. |

+| 8. | The user is either granted or denied access to the application based on the authentication results. |

+## Step 1: Configure an application with Asignio

+Configuring an application with Asignio is accomplished through Asignio's Partner Administration site. Contact Asignio to request access to https://partner.asignio.com for your organization. Once you've obtained credentials, sign into Asignio Partner Administration and complete the following steps:

+1. Create a record for your Azure AD B2C application using your Azure AD B2C tenant. When Azure AD B2C is used with Asignio, Azure AD B2C manages your connected applications. All apps in your Azure portal are represented by a single application within Asignio.

+1. In the Asignio Partner Administration site, generate a Client ID and Client Secret. Once generated, store Client ID and Client Secret in a secure place, you'll need them later to configure Asignio as an Identity provider. Asignio doesn't store the Client Secret.

+1. Supply redirect URI. This is the URI in your site to which the user is returned after a successful authentication. The URI that should be provided to Asignio for your Azure B2C follows the pattern - `[https://<your-b2c-domain>.b2clogin.com/<your-b2c-domain>.onmicrosoft.com/oauth2/authresp]`.

+1. Upload a company logo. This logo is displayed to users on Asignio authentication when users sign into your site.

+## Step 2: Register a web application in Azure AD B2C

+Before your [applications](application-types.md) can interact with Azure AD B2C, they must be registered in a tenant that you manage.

+For testing purposes like this tutorial, you're registering `https://jwt.ms`, a Microsoft-owned web application that displays the decoded contents of a token (the contents of the token never leave your browser).

+Follow the steps mentioned in [this tutorial](tutorial-register-applications.md?tabs=app-reg-ga) to **register a web application** and **enable ID token implicit grant** for testing a user flow or custom policy. There's no need to create a Client Secret at this time.

+## Step 3: Configure Asignio as an identity provider in Azure AD B2C

+1. Sign in to the [Azure portal](https://portal.azure.com/#home) as the global administrator of your Azure AD B2C tenant.

+1. Make sure you're using the Azure Active Directory (Azure AD) tenant that contains your Azure subscription:

+ 1. In the Azure portal toolbar, select the **Directories + subscriptions** (:::image type="icon" source="./../active-directory/develop/media/common/portal-directory-subscription-filter.png" border="false":::) icon.

+

+ 1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD directory in the **Directory name** list, and then select **Switch** button next to it.

+1. Select **All services** in the top-left corner of the Azure portal, search for and select **Azure AD B2C**.

+1. In the Azure portal, search for and select **Azure AD B2C**.

+1. In the left menu, select **Identity providers**.

+1. Select **New OpenID Connect Provider**.

+1. Select **Identity provider type** > **OpenID Connect**.

+1. Fill out the form to set up the Identity provider

+ | Property | Value |

+ |:--|:-|

+ |Name | Login with Asignio *(or a name of your choice)*

+ |Metadata URL | https://authorization.asignio.com/.well-known/openid-configuration|

+ | Client ID | enter the client ID that you previously generated in [step 1](#step-1-configure-an-application-with-asignio)|

+ |Client Secret | enter the Client secret that you previously generated in [step 1](#step-1-configure-an-application-with-asignio)|

+ | Scope | openid email profile |

+ | Response type | code |

+ | Response mode | query |

+ | Domain hint | https://asignio.com |

+1. Select **OK**.

+1. Select **Map this identity provider's claims**.

+1. Fill out the form to map the Identity provider:

+ | Property | Value |

+ |:--|:--|

+ |User ID | sub |

+ | Display Name | name |

+ | Given Name | given_name |

+ | Surname | family_name |

+ | Email | email |

+1. Select **Save**.

+## Step 4: Create a user flow policy

+1. In your Azure AD B2C tenant, under **Policies**, select **User flows**.

+1. Select **New user flow**.

+1. Select **Sign up and sign in** user flow type, select **Version Recommended** and then select **Create**.

+1. Enter a **Name** for your user flow such as `AsignioSignupSignin`.

+1. Under **Identity providers**:

+

+ a. For **Local Accounts**, select **None** to disable email and password-based authentication.

+

+ b. For **Custom identity providers**, select your newly created Asignio Identity provider such as **Login with Asignio**.

+1. Select **Create**.

+## Step 5: Test your user flow

+1. In your Azure AD B2C tenant, select **User flows**.

+1. Select the newly created user flow such as **AsignioSignupSignin**.

+1. For **Application**, select the web application that you previously registered in [step 2](#step-2-register-a-web-application-in-azure-ad-b2c). The **Reply URL** should show `https://jwt.ms`.

+1. Select the **Run user flow** button. Your browser should be redirected to the Asignio sign in page.

+1. A sign in screen will be shown; at the bottom should be a button to use **Asignio** authentication.

+1. If you already have an Asignio Signature, you'll be prompted to authenticate using it. If not, you'll be prompted to supply the phone number of your device to authenticate via SMS OTP and then receive a link to register your Asignio Signature.

+1. If the sign-in process is successful, your browser is redirected to https://jwt.ms, which displays the contents of the token returned by Azure AD B2C.

+## Step 3: Create Asignio policy key

+Store the client secret that you previously generated in [step 1](#step-1-configure-an-application-with-asignio) in your Azure AD B2C tenant.

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+1. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the **Directories + subscriptions** icon in the portal toolbar.

+1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**.

+1. Choose **All services** in the top-left corner of the Azure portal, and then search for and select **Azure AD B2C**.

+1. On the Overview page, select **Identity Experience Framework**.

+1. Select **Policy Keys** and then select **Add**.

+1. For **Options**, choose `Manual`.

+1. Enter a **Name** for the policy key. For example, `AsignioClientSecret`. The prefix `B2C_1A_` is added automatically to the name of your key.

+1. In **Secret**, enter your client secret that you previously recorded.

+1. For **Key usage**, select `Signature`.

+1. Select **Create**.

+## Step 4: Configure Asignio as an Identity provider

+>[!TIP]

+>You should have the Azure AD B2C policy configured at this point. If not, follow the [instructions](tutorial-create-user-flows.md?pivots=b2c-custom-policy#custom-policy-starter-pack) on how to set up your Azure AD B2C tenant and configure policies.

+To enable users to sign in using Asignio, you need to define Asignio as a claims provider that Azure AD B2C can communicate with through an endpoint. The endpoint provides a set of claims that are used by Azure AD B2C to verify a specific user has authenticated using digital ID available on their device, proving the userΓÇÖs identity.

+Use the following steps to add Asignio as a claims provider:

+1. Get the custom policy starter packs from GitHub, then update the XML files in the LocalAccounts starter pack with your Azure AD B2C tenant name:

+ 1. [Download the .zip file](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/archive/master.zip) or clone the repository:

+ ```

+ git clone https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack

+ ```

+

+ 1. In all of the files in the **LocalAccounts** directory, replace the string `yourtenant` with the name of your Azure AD B2C tenant. For example, if the name of your B2C tenant is `contoso`, all instances of `yourtenant.onmicrosoft.com` become `contoso.onmicrosoft.com`.

+1. Open the `LocalAccounts/ TrustFrameworkExtensions.xml`.

+1. Find the **ClaimsProviders** element. If it doesn't exist, add it under the root element, `TrustFrameworkPolicy`.

+1. Add a new **ClaimsProvider** similar to the one shown below:

+ ```xml

+ <ClaimsProvider>

+ <Domain>contoso.com</Domain>

+ <DisplayName>Asignio</DisplayName>

+ <TechnicalProfiles>

+ <TechnicalProfile Id="Asignio-Oauth2">

+ <DisplayName>Asignio</DisplayName>

+ <Description>Login with your Asignio account</Description>

+ <Protocol Name="OAuth2" />

+ <Metadata>

+ <Item Key="ProviderName">authorization.asignio.com</Item>

+ <Item Key="authorization_endpoint">https://authorization.asignio.com/authorize</Item>

+ <Item Key="AccessTokenEndpoint">https://authorization.asignio.com/token</Item>

+ <Item Key="ClaimsEndpoint">https://authorization.asignio.com/userinfo</Item>

+ <Item Key="ClaimsEndpointAccessTokenName">access_token</Item>

+ <Item Key="BearerTokenTransmissionMethod">AuthorizationHeader</Item>

+ <Item Key="HttpBinding">POST</Item>

+ <Item Key="scope">openid profile email</Item>

+ <Item Key="UsePolicyInRedirectUri">0</Item>

+ <!-- Update the Client ID below to the Asignio Application ID -->

+ <Item Key="client_id">00000000-0000-0000-0000-000000000000</Item>

+ <Item Key="IncludeClaimResolvingInClaimsHandling">true</Item>

+ <!-- trying to add additional claim-->

+ <!--Insert b2c-extensions-app application ID here, for example: 11111111-1111-1111-1111-111111111111-->

+ <Item Key="11111111-1111-1111-1111-111111111111"></Item>

+ <!--Insert b2c-extensions-app application ObjectId here, for example: 22222222-2222-2222-2222-222222222222-->

+ <Item Key="22222222-2222-2222-2222-222222222222"></Item>

+ <!-- The key below allows you to specify each of the Azure AD tenants that can be used to sign in. Update the GUIDs below for each tenant. -->

+ <!--<Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111</Item>-->

+ <!-- The commented key below specifies that users from any tenant can sign-in. Uncomment if you would like anyone with an Azure AD account to be able to sign in. -->

+ <Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/</Item>

+ </Metadata>

+ <CryptographicKeys>

+ <Key Id="client_secret" StorageReferenceId="B2C_1A_AsignioSecret" />

+ </CryptographicKeys>

+ <OutputClaims>

+ <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub" />

+ <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" />

+ <!-- <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" /> -->

+ <!-- <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" />

+ <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" /> -->

+ <!-- <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" /> -->

+ <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />

+ <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" DefaultValue="https://authorization.asignio.com" />

+ <OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="{oauth2:access_token}" />

+ <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />

+ <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" />

+ <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />

+ <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />

+ </OutputClaims>

+ <OutputClaimsTransformations>

+ <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />

+ <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />

+ <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />

+ <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />

+ </OutputClaimsTransformations>

+ <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />

+ </TechnicalProfile>

+ </TechnicalProfiles>

+ </ClaimsProvider>

+ ```

+1. Set **client_id** with the Asignio Application ID that you previously recorded in [step 1](#step-1-configure-an-application-with-asignio).

+1. Update **client_secret** section with the name of the policy key created in [step 3](#step-3-create-asignio-policy-key). For example, `B2C_1A_AsignioSecret`:

+ ```xml

+ <Key Id="client_secret" StorageReferenceId="B2C_1A_AsignioSecret" />

+ ```

+1. Save the changes.

+## Step 5: Add a user journey

+At this point, you've set up the identity provider, but it's not yet available in any of the sign in pages. If you've your own custom user journey continue to [step 7](#step-6-add-the-identity-provider-to-a-user-journey), otherwise, create a duplicate of an existing template user journey as follows:

+1. Open the `LocalAccounts/ TrustFrameworkBase.xml` file from the starter pack.

+1. Find and copy the entire contents of the **UserJourney** element that includes `Id=SignUpOrSignIn`.

+1. Open the `LocalAccounts/ TrustFrameworkExtensions.xml` and find the **UserJourneys** element. If the element doesn't exist, add one.

+1. Paste the entire content of the UserJourney element that you copied as a child of the UserJourneys element.

+1. Rename the `Id` of the user journey. For example, `Id=AsignioSUSI`.

+## Step 6: Add the identity provider to a user journey

+Now that you have a user journey, add the new identity provider to the user journey.

+1. Find the orchestration step element that includes `Type=CombinedSignInAndSignUp`, or `Type=ClaimsProviderSelection` in the user journey. It's usually the first orchestration step. The **ClaimsProviderSelections** element contains a list of identity providers that a user can sign in with. The order of the elements controls the order of the sign in buttons presented to the user. Add a **ClaimsProviderSelection** XML element. Set the value of **TargetClaimsExchangeId** to a friendly name, such as `AsignioExchange`.

+1. In the next orchestration step, add a **ClaimsExchange** element. Set the **Id** to the value of the target claims exchange ID. Update the value of **TechnicalProfileReferenceId** to the ID of the technical profile you created earlier while adding the claims provider, for example, `Asignio-Oauth2`.

+The following XML demonstrates orchestration steps of a user journey with the identity provider:

+```xml

+ <UserJourney Id="AsignioSUSI">

+ <OrchestrationSteps>

+ <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">

+ <ClaimsProviderSelections>

+ <ClaimsProviderSelection TargetClaimsExchangeId="AsignioExchange" />

+ <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />

+ </ClaimsProviderSelections>

+ <ClaimsExchanges>

+ <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />

+ </ClaimsExchanges>

+ </OrchestrationStep>

+ <!-- Check if the user has selected to sign in using one of the social providers -->

+ <OrchestrationStep Order="2" Type="ClaimsExchange">

+ <Preconditions>

+ <Precondition Type="ClaimsExist" ExecuteActionsIf="true">

+ <Value>objectId</Value>

+ <Action>SkipThisOrchestrationStep</Action>

+ </Precondition>

+ </Preconditions>

+ <ClaimsExchanges>

+ <ClaimsExchange Id="AsignioExchange" TechnicalProfileReferenceId="Asignio-Oauth2" />

+ <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail" />

+ </ClaimsExchanges>

+ </OrchestrationStep>

+ <OrchestrationStep Order="3" Type="ClaimsExchange">

+ <Preconditions>

+ <Precondition Type="ClaimEquals" ExecuteActionsIf="true">

+ <Value>authenticationSource</Value>

+ <Value>localAccountAuthentication</Value>

+ <Action>SkipThisOrchestrationStep</Action>

+ </Precondition>

+ </Preconditions>

+ <ClaimsExchanges>

+ <ClaimsExchange Id="AADUserReadUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError" />

+ </ClaimsExchanges>

+ </OrchestrationStep>

+ <!-- Show self-asserted page only if the directory does not have the user account already (i.e. we do not have an objectId). This can only happen when authentication happened using a social IDP. If local account was created or authentication done using ESTS in step 2, then an user account must exist in the directory by this time. -->

+ <OrchestrationStep Order="4" Type="ClaimsExchange">

+ <Preconditions>

+ <Precondition Type="ClaimsExist" ExecuteActionsIf="true">

+ <Value>objectId</Value>

+ <Action>SkipThisOrchestrationStep</Action>

+ </Precondition>

+ </Preconditions>

+ <ClaimsExchanges>

+ <ClaimsExchange Id="SelfAsserted-Social" TechnicalProfileReferenceId="SelfAsserted-Social" />

+ </ClaimsExchanges>

+ </OrchestrationStep>

+ <!-- This step reads any user attributes that we may not have received when authenticating using ESTS so they can be sent in the token. -->

+ <OrchestrationStep Order="5" Type="ClaimsExchange">

+ <Preconditions>

+ <Precondition Type="ClaimEquals" ExecuteActionsIf="true">

+ <Value>authenticationSource</Value>

+ <Value>socialIdpAuthentication</Value>

+ <Action>SkipThisOrchestrationStep</Action>

+ </Precondition>

+ </Preconditions>

+ <ClaimsExchanges>

+ <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />

+ </ClaimsExchanges>

+ </OrchestrationStep>

+ <!-- The previous step (SelfAsserted-Social) could have been skipped if there were no attributes to collect from the user. So, in that case, create the user in the directory if one does not already exist (verified using objectId which would be set from the last step if account was created in the directory. -->

+ <OrchestrationStep Order="6" Type="ClaimsExchange">

+ <Preconditions>

+ <Precondition Type="ClaimsExist" ExecuteActionsIf="true">

+ <Value>objectId</Value>

+ <Action>SkipThisOrchestrationStep</Action>

+ </Precondition>

+ </Preconditions>

+ <ClaimsExchanges>

+ <ClaimsExchange Id="AADUserWrite" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />

+ </ClaimsExchanges>

+ </OrchestrationStep>

+ <OrchestrationStep Order="7" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />

+ </OrchestrationSteps>

+ <ClientDefinition ReferenceId="DefaultWeb" />

+ </UserJourney>

+```

+Learn more about [User Journeys](custom-policy-overview.md#user-journeys).

+## Step 7: Configure the relying party policy

+The relying party policy, for example [SignUpSignIn.xml](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/blob/main/LocalAccounts/SignUpOrSignin.xml), specifies the user journey which Azure AD B2C will execute. Find the **DefaultUserJourney** element within relying party. Update the **ReferenceId** to match the user journey ID, in which you added the identity provider.

+In the following example, for the `AsignioSUSI` user journey, the **ReferenceId** is set to `AsignioSUSI`:

+```xml

+ <RelyingParty>

+ <DefaultUserJourney ReferenceId="AsignioSUSI" />

+ <TechnicalProfile Id="PolicyProfile">

+ <DisplayName>PolicyProfile</DisplayName>

+ <Protocol Name="OpenIdConnect" />

+ <OutputClaims>

+ <OutputClaim ClaimTypeReferenceId="displayName" />

+ <OutputClaim ClaimTypeReferenceId="givenName" />

+ <OutputClaim ClaimTypeReferenceId="surname" />

+ <OutputClaim ClaimTypeReferenceId="email" />

+ <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>

+ <OutputClaim ClaimTypeReferenceId="identityProvider" />

+ <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" />

+ <OutputClaim ClaimTypeReferenceId="correlationId" DefaultValue="{Context:CorrelationId}" />

+ </OutputClaims>

+ <SubjectNamingInfo ClaimType="sub" />

+ </TechnicalProfile>

+ </RelyingParty>

+```

+## Step 8: Upload the custom policy

+1. Sign in to the [Azure portal](https://portal.azure.com/#home).

+1. Make sure you're using the directory that contains your Azure AD B2C tenant:

+ a. Select the **Directories + subscriptions** icon in the portal toolbar.

+ b. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**.

+1. In the [Azure portal](https://portal.azure.com/#home), search for and select **Azure AD B2C**.

+1. Under Policies, select **Identity Experience Framework**.

+1. Select **Upload Custom Policy**, and then upload the two policy files that you changed, in the following order: the extension policy, for example `TrustFrameworkExtensions.xml`, then the relying party policy, such as `SignUpOrSignin.xml`.

+## Step 9: Test your custom policy

+1. In your Azure AD B2C tenant blade, and under **Policies**, select **Identity Experience Framework**.

+1. Under **Custom policies**, select **AsignioSUSI**.

+1. For **Application**, select the web application that you previously registered as part of this article's prerequisites. The **Reply URL** should show `https://jwt.ms`.

+1. Select **Run now**. Your browser should be redirected to the Asignio sign in page.

+1. A sign in screen will be shown; at the bottom should be a button to use **Asignio** authentication.

+1. If you already have an Asignio Signature, you'll be prompted to authenticate with your Asignio Signature. If not, you'll be prompted to supply the phone number of your device to authenticate via SMS OTP and then receive a link to register your Asignio Signature.

+1. If the sign-in process is successful, your browser is redirected to https://jwt.ms, which displays the contents of the token returned by Azure AD B2C.

+## Next steps

+For additional information, review the following articles:

+- [Azure AD B2C docs](solution-articles.md)

+- [Ask your question on Stackoverflow](https://stackoverflow.com/questions/tagged/azure-ad-b2c)

+- [Azure AD B2C Samples](https://stackoverflow.com/questions/tagged/azure-ad-b2c)

+- [Azure AD B2C YouTube training playlist](https://www.youtube.com/playlist?list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0)

+- [Custom policies in Azure AD B2C](custom-policy-overview.md)

+- [Get started with custom policies in Azure AD B2C](tutorial-create-user-flows.md?pivots=b2c-custom-policy)

+ Title: Tutorial to configure Azure Active Directory B2C with Azure Web Application Firewall

+description: Tutorial to configure Azure Active Directory B2C with Azure Web application firewall to protect your applications from malicious attacks

+# Tutorial: Configure Azure Web Application Firewall with Azure Active Directory B2C

+In this sample tutorial, learn how to enable [Azure Web Application Firewall (WAF)](https://azure.microsoft.com/services/web-application-firewall/#overview) solution for Azure Active Directory (AD) B2C tenant with custom domain. Azure WAF provides centralized protection of your web applications from common exploits and vulnerabilities.

+>[!NOTE]

+>This feature is in public preview.

+## Prerequisites

+To get started, you'll need:

+- An Azure subscription ΓÇô If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+- [An Azure AD B2C tenant](tutorial-create-tenant.md) ΓÇô The authorization server, responsible for verifying the userΓÇÖs credentials using the custom policies defined in the tenant. It's also known as the identity provider.

+- [Azure Front Door (AFD)](../frontdoor/index.yml) ΓÇô Responsible for enabling custom domains for Azure AD B2C tenant.

+- [Azure WAF](https://azure.microsoft.com/services/web-application-firewall/#overview) ΓÇô Manages all traffic that is sent to the authorization server.

+## Azure AD B2C setup

+To use custom domains in Azure AD B2C, it's required to use custom domain feature provided by AFD. Learn how to [enable Azure AD B2C custom domains](./custom-domain.md?pivots=b2c-user-flow).

+After custom domain for Azure AD B2C is successfully configured using AFD, [test the custom domain](./custom-domain.md?pivots=b2c-custom-policy#test-your-custom-domain) before proceeding further.

+## Onboard with Azure WAF

+To enable Azure WAF, configure a WAF policy and associate that policy to the AFD for protection.

+### Create a WAF policy

+Create a basic WAF policy with managed Default Rule Set (DRS) in the [Azure portal](https://portal.azure.com).

+1. Go to the [Azure portal](https://portal.azure.com). Select **Create a resource** and then search for Azure WAF. Select **Azure Web Application Firewall (WAF)** > **Create**.

+2. Go to the **Create a WAF policy** page, select the **Basics** tab. Enter the following information, accept the defaults for the remaining settings.

+| Value | Description |

+|:--|:-|

+| Policy for | Global WAF (Front Door)|

+| Front Door SKU | Select between Basic, Standard, or Premium SKU |

+|Subscription | Select your Front Door subscription name |

+| Resource group | Select your Front Door resource group name |

+| Policy name | Enter a unique name for your WAF policy |

+| Policy state | Set as Enabled |

+| Policy mode | Set as Detection |

+3. Select **Review + create**

+4. Go to the **Association** tab of the Create a WAF policy page, select + **Associate a Front Door profile**, enter the following settings

+| Value | Description |

+|:-|:|

+| Front Door | Select your Front Door name associated with Azure AD B2C custom domain |

+| Domains | Select the Azure AD B2C custom domains you want to associate the WAF policy to|

+5. Select **Add**.

+6. Select **Review + create**, then select **Create**.

+### Change policy mode from detection to prevention

+When a WAF policy is created, by default the policy is in Detection mode. In Detection mode, WAF doesn't block any requests, instead, requests matching the WAF rules are logged in the WAF logs. For more information about WAF logging, see [Azure WAF monitoring and logging](../web-application-firewall/afds/waf-front-door-monitor.md).

+The sample query shows all the requests that were blocked by the WAF policy in the past 24 hours. The details include, rule name, request data, action taken by the policy, and the policy mode.

+

+

+It's recommended that you let the WAF capture requests in Detection mode. Review the WAF logs to determine if there are any rules in the policy that are causing false positive results. Then after [exclude the WAF rules based on the WAF logs](../web-application-firewall/afds/waf-front-door-exclusion.md#define-exclusion-based-on-web-application-firewall-logs).

+To see WAF in action, use Switch to prevention mode to change from Detection to Prevention mode. All requests that match the rules defined in the Default Rule Set (DRS) are blocked and logged in the WAF logs.

+

+In case you want to switch back to the detection mode, you can do so by using Switch to detection mode option.

+

+## Next steps

+- [Azure WAF monitoring and logging](../web-application-firewall/afds/waf-front-door-monitor.md)

+- [WAF with Front Door service exclusion lists](../web-application-firewall/afds/waf-front-door-exclusion.md)

+|  is a passwordless, soft biometric, and MFA solution. Asignio uses a combination of the patented Asignio Signature and live facial verification for user authentication. The changeable biometric signature eliminates passwords, fraud, phishing, and credential reuse through omni-channel authentication. |

+| solution BindID is a passwordless authentication service that uses strong FIDO2 biometric authentication for a reliable omni-channel authentication experience, which ensures a smooth login experience for customers across every device and channel eliminating fraud, phishing, and credential reuse. |

+|  provides centralized protection of your web applications from common exploits and vulnerabilities. |

+1. Under **Implicit grant and hybrid flows**, select both the **Access tokens (used for implicit flows)** and **ID tokens (used for implicit and hybrid flows)** check boxes.

+| OS | Chrome | Chrome | Chrome | Edge | Edge | Edge | Firefox | Firefox | Firefox | Safari | Safari | Safari

+|::|::|::|::|::|::|::|::|::|::|::|::|::|

+| | USB | NFC | BLE | USB | NFC | BLE | USB | NFC | BLE | USB | NFC | BLE |

+| **Windows** | ![Chrome supports USB on Windows for Azure AD accounts.][y] | ![Chrome supports NFC on Windows for Azure AD accounts.][y] | ![Chrome supports BLE on Windows for Azure AD accounts.][y] | ![Edge supports USB on Windows for Azure AD accounts.][y] | ![Edge supports NFC on Windows for Azure AD accounts.][y] | ![Edge supports BLE on Windows for Azure AD accounts.][y] | ![Firefox supports USB on Windows for Azure AD accounts.][y] | ![Firefox supports NFC on Windows for Azure AD accounts.][y] | ![Firefox supports BLE on Windows for Azure AD accounts.][y] | ![Safari supports USB on Windows for Azure AD accounts.][n] | ![Safari supports NFC on Windows for Azure AD accounts.][n] | ![Safari supports BLE on Windows for Azure AD accounts.][n] |

+| **macOS** | ![Chrome supports USB on macOS for Azure AD accounts.][y] | ![Chrome supports NFC on macOS for Azure AD accounts.][n] | ![Chrome supports BLE on macOS for Azure AD accounts.][n] | ![Edge supports USB on macOS for Azure AD accounts.][y] | ![Edge supports NFC on macOS for Azure AD accounts.][n] | ![Edge supports BLE on macOS for Azure AD accounts.][n] | ![Firefox supports USB on macOS for Azure AD accounts.][y] | ![Firefox supports NFC on macOS for Azure AD accounts.][n] | ![Firefox supports BLE on macOS for Azure AD accounts.][n] | ![Safari supports USB on macOS for Azure AD accounts.][y] | ![Safari supports NFC on macOS for Azure AD accounts.][n] | ![Safari supports BLE on macOS for Azure AD accounts.][n] |

+| **ChromeOS** | ![Chrome supports USB on ChromeOS for Azure AD accounts.][y] | ![Chrome supports NFC on ChromeOS for Azure AD accounts.][n] | ![Chrome supports BLE on ChromeOS for Azure AD accounts.][n] | ![Edge supports USB on ChromeOS for Azure AD accounts.][n] | ![Edge supports NFC on ChromeOS for Azure AD accounts.][n] | ![Edge supports BLE on ChromeOS for Azure AD accounts.][n] | ![Firefox supports USB on ChromeOS for Azure AD accounts.][n] | ![Firefox supports NFC on ChromeOS for Azure AD accounts.][n] | ![Firefox supports BLE on ChromeOS for Azure AD accounts.][n] | ![Safari supports USB on ChromeOS for Azure AD accounts.][n] | ![Safari supports NFC on ChromeOS for Azure AD accounts.][n] | ![Safari supports BLE on ChromeOS for Azure AD accounts.][n] |

+| **Linux** | ![Chrome supports USB on Linux for Azure AD accounts.][y] | ![Chrome supports NFC on Linux for Azure AD accounts.][n] | ![Chrome supports BLE on Linux for Azure AD accounts.][n] | ![Edge supports USB on Linux for Azure AD accounts.][n] | ![Edge supports NFC on Linux for Azure AD accounts.][n] | ![Edge supports BLE on Linux for Azure AD accounts.][n] | ![Firefox supports USB on Linux for Azure AD accounts.][n] | ![Firefox supports NFC on Linux for Azure AD accounts.][n] | ![Firefox supports BLE on Linux for Azure AD accounts.][n] | ![Safari supports USB on Linux for Azure AD accounts.][n] | ![Safari supports NFC on Linux for Azure AD accounts.][n] | ![Safari supports BLE on Linux for Azure AD accounts.][n] |

+| **iOS** | ![Chrome supports USB on iOS for Azure AD accounts.][n] | ![Chrome supports NFC on iOS for Azure AD accounts.][n] | ![Chrome supports BLE on iOS for Azure AD accounts.][n] | ![Edge supports USB on iOS for Azure AD accounts.][n] | ![Edge supports NFC on Linux for Azure AD accounts.][n] | ![Edge supports BLE on Linux for Azure AD accounts.][n] | ![Firefox supports USB on Linux for Azure AD accounts.][n] | ![Firefox supports NFC on iOS for Azure AD accounts.][n] | ![Firefox supports BLE on iOS for Azure AD accounts.][n] | ![Safari supports USB on iOS for Azure AD accounts.][n] | ![Safari supports NFC on iOS for Azure AD accounts.][n] | ![Safari supports BLE on iOS for Azure AD accounts.][n] |

+| **Android** | ![Chrome supports USB on Android for Azure AD accounts.][n] | ![Chrome supports NFC on Android for Azure AD accounts.][n] | ![Chrome supports BLE on Android for Azure AD accounts.][n] | ![Edge supports USB on Android for Azure AD accounts.][n] | ![Edge supports NFC on Android for Azure AD accounts.][n] | ![Edge supports BLE on Android for Azure AD accounts.][n] | ![Firefox supports USB on Android for Azure AD accounts.][n] | ![Firefox supports NFC on Android for Azure AD accounts.][n] | ![Firefox supports BLE on Android for Azure AD accounts.][n] | ![Safari supports USB on Android for Azure AD accounts.][n] | ![Safari supports NFC on Android for Azure AD accounts.][n] | ![Safari supports BLE on Android for Azure AD accounts.][n] |

+| iOS | Safari |

+

+>[!NOTE]

+>[Least privilege role in Azure Active Directory - Multi-factor Authentication](https://docs.microsoft.com/azure/active-directory/roles/delegate-by-task#multi-factor-authentication)

+- Application Administrator

+- Cloud Application Administrator

+- [Azure SQL Database and Azure Synapse Analytics](/azure/azure-sql/database/conditional-access-configure)

+ - [Azure SQL Database](/azure/azure-sql/database/conditional-access-configure)

+> [!NOTE]

+> Per section 3.7 of the [SAML 2.0 core specification](http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf), there can be multiple participants (other applications) in a session besides your application. If one of the other participants sends a `LogoutRequest` to Microsoft identity platform (the session authority), then Microsoft identity platform will send a `LogoutRequest` back to all the session participants except the participant which sent the initial `LogoutRequest`. Additionally, if one of the other participants happened to initiate sign-out at the same time, there would be a race to see which `LogoutRequest` reaches Microsoft identity platform first. As a result, an application should always be prepared to handle a `LogoutRequest`.

+ Title: Recover from deletions in Azure Active Directory

+description: Learn how to recover from unintended deletions.

+# Recover from deletions

+This article addresses recovering from soft and hard deletions in your Azure AD tenant. If you havenΓÇÖt already done so, we recommend first reading the [Recoverability best practices article](recoverability-overview.md) for foundational knowledge.

+## Monitor for deletions

+The [Azure AD Audit Log](../reports-monitoring/concept-audit-logs.md) contains information on all delete operations performed in your tenant. We recommend that you export these logs to a security information and event management (SIEM) tool such as [Microsoft Sentinel](../../sentinel/overview.md). You can also use Microsoft Graph to audit changes and build a custom solution to monitor differences over time. For more information on finding deleted items using Microsoft Graph, see [List deleted items - Microsoft Graph v1.0. ](/graph/api/directory-deleteditems-list?view=graph-rest-1.0&tabs=http)

+### Audit log

+The Audit Log always records a ΓÇ£Delete <object>ΓÇ¥ event when an object in the tenant is removed from an active state by either a soft or hard deletion.

+[](./media/recoverability/delete-audit-log.png#lightbox)

+A delete event for applications, users, and Microsoft 365 Groups is a soft delete. For any other object type, it's a hard delete. Track the occurrence of hard-delete events by comparing ΓÇ£Delete <object>ΓÇ¥ events with the type of object that has been deleted, noting those that do not support soft-delete. In addition, note "Hard Delete <object>" events.

+| Object type | Activity in log| Result |

+| - | - | - |

+| Application| Delete application| Soft deleted |

+| Application| Hard delete application| Hard deleted |

+| User| Delete user| Soft deleted |

+| User| Hard delete user| Hard deleted |

+| Microsoft 365 Group| Delete group| Soft deleted |

+| Microsoft 365 Group| Hard delete group| Hard deleted |

+| All other objects| Delete ΓÇ£objectTypeΓÇ¥| Hard deleted |

+> [!NOTE]

+> The audit log does not distinguish the group type of a deleted group. Only Microsoft 365 Groups are soft-deleted. If you see a Delete group entry, it may be the soft delete of a M365 group, or the hard delete of another type of group. **It is therefore important that your documentation of your known good state include the group type for each group in your organization**. To learn more about documenting your known good state, see [Recoverability best practices](recoverability-overview.md).

+### Monitor support tickets

+A sudden increase in support tickets regarding access to a specific object may indicate that there has been a deletion. Because some objects have dependencies, deletion of a group used to access an application, an application itself, or a Conditional Access policy targeting an application can all cause broad sudden impact. If you see a trend like this, check to ensure that none of the objects required for access have been deleted.

+## Soft deletions

+When objects such as users, Microsoft 365 groups, or application registrations are ΓÇ£soft deleted,ΓÇ¥ they enter a suspended state in which they aren't available for use by other services. In this state, items retain their properties and can be restored for 30 days. After 30 days, objects in the soft-deleted state are permanently or ΓÇ£hardΓÇ¥ deleted.

+> [!NOTE]

+> Objects cannot be restored from a hard-deleted state. They must be recreated and reconfigured.

+

+### When soft deletes occur

+It's important to understand why object deletions occur in your environment to prepare for them. This section outlines frequent scenarios for soft deletion by object class. Keep in mind there may be scenarios your organization sees which are unique to your organization so a discovery process is key to preparation.

+### Users

+Users enter the soft delete state anytime the user object is deleted by using the Azure portal, Microsoft Graph, or PowerShell.

+The most frequent scenarios for user deletion are:

+* An administrator intentionally deletes a user in the Azure AD portal in response to a request, or as part of routine user maintenance.

+* An automation script in Microsoft Graph or PowerShell triggers the deletion. For example, you may have a script that removes users who haven't signed in for a specified time period.

+* A user is moved out of scope for synchronization with Azure Active Directory (Azure AD) connect.

+* A user is removed in an HR system and is deprovisioned via an automated workflow.

+### Microsoft 365 Groups

+The most frequent scenarios for Microsoft 365 Groups being deleted are:

+* An administrator intentionally deletes the group, for example in response to a support request.

+* An automation script in Microsoft Graph or PowerShell triggers the deletion. For example, you may have a script that deletes groups that haven't been accessed or attested to by the group owner for a specific period of time.

+* Non-adminsΓÇÖ unintentional deletion of a group they own.

+### Application objects and service principals

+The most frequent scenarios for application deletion are:

+* An administrator intentionally deletes the application, for example in response to a support request.

+* An automation script in Microsoft Graph or PowerShell triggers the deletion. For example, you may want a process for deleting abandoned applications that are no longer used or managed. In general, create an offboarding process for applications rather than scripting to avoid unintentional deletions.

+### Properties maintained with soft delete

+| Object type| Important properties maintained |

+| - | - |

+| Users (including external users)| **All properties maintained**, including ObjectID, group memberships, roles, licenses, application assignments. |

+| Microsoft 365 Groups| **All properties maintained**, including ObjectID, group memberships, licenses, application assignments |

+| Application Registration| **All properties maintained.** (See additional information following this table.) |

+When you delete an application, the application registration by default enters the soft-delete state. To understand the relationship between application registrations and service principals, see [Apps & service principals in Azure AD - Microsoft identity platform](../develop/app-objects-and-service-principals.md).

+## Recover from soft deletion

+You can restore soft deleted items in the Azure portal or with Microsoft Graph.

+### Users

+You can see soft-deleted users in the Azure portal on the Users ΓÇô Deleted users page.

+

+For details on restoring users, see the following documentation:

+* See [Restore or permanently remove recently deleted user](active-directory-users-restore.md) for restoring in the Azure portal.

+* See [Restore deleted item ΓÇô Microsoft Graph v1.0](%20/graph/api/directory-deleteditems-restore?view=graph-rest-1.0&tabs=http) for restoring with Microsoft Graph.

+### Groups

+You can see soft-deleted Microsoft 365 (Microsoft 365) Groups in the Azure portal in the Groups ΓÇô Deleted groups screen.

+

+For details on restoring soft deleted Microsoft 365 Groups, see the following documentation:

+* To restore from the Azure portal, see [Restore a deleted Microsoft 365 group. ](../enterprise-users/groups-restore-deleted.md)

+* To restore by using Microsoft Graph, see [Restore deleted item ΓÇô Microsoft Graph v1.0](/graph/api/directory-deleteditems-restore?view=graph-rest-1.0&tabs=http).

+### Applications

+Applications have two objects, the application registration and the service principle. For more information on the differences between the registration and the service principal, see [Apps & service principals in Azure AD.](/develop/app-objects-and-service-principals.md)

+To restore an application from the Azure portal, select App registrations, then deleted applications. Select the application registration to restore, and then select Restore app registration.

+[](./media/recoverability/deletion-restore-application.png#lightbox)

+

+## Hard deletions

+A ΓÇ£hard deletionΓÇ¥ is the permanent removal of an object from your Azure Active Directory (Azure AD) tenant. Objects that don't support soft delete are removed in this way. Similarly, soft deleted objects are hard deleted once the deletion time is 30 days ago. The only object types that support a soft delete are:

+* Users

+* Microsoft 365 Groups

+* Application registration

+> [!IMPORTANT]

+> All other item types are hard deleted. When an item is hard deleted it cannot be restored: it must be recreated. Neither administrators nor Microsoft can restore hard deleted items. It's important to prepare for this situation by ensuring that you have processes and documentation to minimize potential disruption from a hard delete.

+For information on preparing for and documenting current states, see [Recoverability best practices](recoverability-overview.md).

+### When hard deletes usually occur

+Hard deletes most often occur in the following circumstances.

+Moving from soft to hard delete

+* A soft-deleted object wasn't restored within 30 days.

+* An administrator intentionally deletes an object in the soft delete state

+Directly hard deleted

+* The object type deleted doesn't support soft delete.

+* An administrator chooses to permanently delete an item by using the portal, typically in response to a request.

+* An automation script triggers the deletion of the object by using Microsoft Graph or PowerShell. Use of an automation script to clean up stale objects isn't uncommon. Microsoft recommends a robust off-boarding process for objects in your tenant to avoid mistakes that may result in mass-deletion of critical objects.

+## Recover from hard deletion

+Hard deleted items must be recreated and reconfigured. It's best to avoid unwanted hard deletions.

+### Review soft-deleted objects

+Ensure you have a process to frequently review items in the soft delete state and restore them if appropriate. To do so, you should:

+* Frequently [list deleted items](/graph/api/directory-deleteditems-list?view=graph-rest-1.0&tabs=http).

+* Ensure that you have specific criteria for what should be restored.

+* Ensure that you have specific roles or users assigned to evaluating and restoring items as appropriate.

+* Develop and test a continuity management plan. For more information, see [Considerations for your Enterprise Business Continuity Management Plan. ](/compliance/assurance/assurance-developing-your-ebcm-plan)

+For more information on avoiding unwanted deletions, see the following topics in the [Recoverability best practices](recoverability-overview.md) article.

+* Business continuity and disaster planning

+* Document known good states

+* Monitoring and data retention

+ Title: Recover from misconfigurations in Azure Active Directory

+description: Learn how to recover from misconfigurations.

+# Recover from misconfiguration

+Configuration settings in Azure Active Directory (Azure AD) can affect any resource in the Azure AD tenant through targeted or tenant-wide management actions.

+## What is configuration?

+Configurations are any changes in Azure AD that alter the behavior or capabilities of an Azure AD service or feature. For example, when you configure a Conditional Access policy you alter who can access the targeted applications and under what circumstances.

+It's important to understand the configuration items that are important to your organization. The following configurations have a high impact on your security posture.

+### Tenant wide configurations

+* **External identities**: Global administrators for the tenant identify and control the external identities that can be provisioned in the tenant.

+ * Whether to allow external identities in the tenant.

+ * From which domain(s) external identities can be added.

+ * Whether users can invite users from other tenants.

+* **Named Locations**: Global administrators can create named locations, which can then be used to

+ * Block sign-ins from specific locations.

+ * Trigger conditional access policies such as MFA.

+* **Allowed authentication methods**: Global administrators set the authentication methods allowed for the tenant.

+* **Self-service options**. Global Administrators set self-service options such as self-service-password reset and create Office 365 groups at the tenant level.

+The implementation of some tenant-wide configurations can be scoped, provided they aren't overridden by global administration policies. For example:

+* If the tenant is configured to allow external identities, a resource administrator can still exclude those identities from accessing a resource.

+* If the tenant is configured to allow personal device registration, a resource administrator can exclude those devices from accessing specific resources.

+* If named locations are configured, a resource administrator can configure policies either allowing or excluding access from those locations.

+### Conditional Access configurations

+Conditional Access policies are access control configurations that bring together signals to make decisions and enforce organizational policies.

+

+To learn more about Conditional Access policies, see [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)

+> [!NOTE]

+> While configuration alters the behavior or capabilities of an object or policy, not all changes to an object are configuration. You can change the data or attributes associated with an item, such as changing a userΓÇÖs address, without affecting the capabilities of that user object.

+## What is misconfiguration

+A misconfiguration is a configuration of a resource or policy that diverges from your organizational policies or plans and causes unintended or unwanted consequences.

+A misconfiguration of tenant-wide settings or Conditional Access policies can seriously affect your security and the public image of your organization by:

+* Changing how administrators, tenant users, and external users interact with resources in your tenant.

+ * Unnecessarily limiting access to resources.

+ * Loosening access controls on sensitive resources.

+* Changing the ability of your users to interact with other tenants, and external users to interact with your tenant.

+* Causing denial of service, for example by not allowing customers to access their accounts.

+* Breaking dependencies among data, systems, and applications resulting in business process failures.

+### When does misconfiguration occur?

+Misconfiguration is most likely to occur when:

+* A mistake is made during ad-hoc changes.

+* A mistake is made as a result of troubleshooting exercises.

+* Malicious intent by a bad actor.

+## Prevent misconfiguration

+It's critical that alterations to the intended configuration of an Azure AD tenant are subject to robust change management processes, including:

+* Documenting the change, including prior state and intended post-change state.

+* Using Privileged Identity Management (PIM) to ensure that administrators with intent to change must deliberately escalate their privileges to do so. To learn more about PIM, see [What is Privileged Identity Management?](../privileged-identity-management/pim-configure.md)

+* Using a strong approval workflow for changes, for example, requiring [approval of PIM escalation of privileges](../privileged-identity-management/azure-ad-pim-approval-workflow.md).

+## Monitor for configuration changes

+While you want to prevent misconfiguration, you can't set the bar for changes so high that it impacts administratorsΓÇÖ ability to perform their work efficiently.

+Closely monitor for configuration changes by watching for the following operations in your [Azure AD Audit log](../reports-monitoring/concept-audit-logs.md).

+* Add

+* Create

+* Update

+* Set

+* Delete

+The following table includes informative entries in the Audit Log you can look for.

+### Conditional Access and authentication method configuration changes

+Conditional Access policies are created on the Conditional Access page in the Azure portal. Changes to policies are made in the Conditional Access policy details page for the policy.

+| Service filter| Activities| Potential impacts |

+| - | - | - |

+| Conditional Access| Add, Update, or Delete Conditional Access policy| User access is granted or blocked when it shouldnΓÇÖt be. |

+| Conditional Access| Add, Update, or Delete Named location| Network locations consumed by CA Policy aren't configured as intended, creating gaps in CA Policy conditions. |

+| Authentication Method| Update Authentication methods policy| Users can use weaker authentication methods or are blocked from a method they should use |

+### User and password reset configuration changes

+User settings changes are made in the Azure AD portal User settings page. Password Reset changes are made on the Password reset page. Changes made on these pages are captured in the audit log as detailed in the following table.

+| Service filter| Activities| Potential impacts |

+| - | - | - |

+| Core Directory| Update company settings| Users may or may not be able to register applications, contrary to intent. |

+| Core Directory| Set company information| Users may or may not be able to access the Azure AD administration portal contrary to intent. <br>Sign-in pages donΓÇÖt represent the company brand with potential damage to reputation |

+| Core Directory| **Activity**: Updated service principal<br>**Target**: 0365 LinkedIn connection| Users may/may not be able to connect their Azure AD account with LinkedIn contrary to intent. |

+| Self-service group Management| Update Myapps feature value| Users may/may not be able to use user features contrary to intent. |

+| Self-service group Management| Update ConvergedUXV2 feature value| Users may/may not be able to use user features contrary to intent. |

+| Self-service group Management| Update MyStaff feature value| Users may/may not be able to use user features contrary to intent. |

+| Core directory| **Activity**: Update service principal<br>**Target**: Microsoft password reset service| Users are able/unable to reset their password contrary to intent. <br>Users are required/not required to register for SSPR contrary to intent.<br> Users can reset their password using methods that are unapproved, for example by using security questions. |

+### External identities configuration changes

+You can make changes to these settings on the External identities or External collaboration settings pages in the Azure AD portal.

+| Service filter| Activities| Potential impacts |

+| - | - | - |

+| Core Directory| Add, update, or delete a partner to cross-tenant access setting| Users have outbound access to tenants that should be blocked.<br>Users from external tenants who should be blocked have inbound access |

+| B2C| Create or delete identity provider| Identity providers for users who should be able to collaborate are missing, blocking access for those users. |

+| Core directory| Set directory feature on tenant| External users have greater/less visibility of directory objects than intended.<br>External users may/may not invite other external users to your tenant contrary to intent. |

+| Core Directory| Set federation settings on domain| External user invitations may/may not be sent to users in other tenants contrary to intent. |

+| AuthorizationPolicy| Update authorization policy| External user invitations may/may not be sent to users in other tenants contrary to intent. |

+| Core Directory| Update Policy| External user invitations may/may not be sent to users in other tenants contrary to intent. |

+### Custom role and mobility definition configuration changes

+| Service filter| Activities / portal| Potential impacts |

+| - |- | -|

+| Core Directory| Add role definition| Custom role scope is narrower or broader than intended |

+| PIM| Update role setting| Custom role scope is narrower or broader than intended |

+| Core Directory| Update role definition| Custom role scope is narrower or broader than intended |

+| Core Directory| Delete role definition| Custom role are missing |

+| Core Directory| Add delegated permission grant| Mobile Device Management (MDM) and/or Mobile Application Management (MAM) configuration is missing or misconfigured leading to the failure of device or application management |

+### Audit log detail view

+Selecting some audit entries in the Audit Log will provide you with details on the old and new configuration values. For example, for Conditional Access policy configuration changes you can see the information in the following screenshot.

+

+## Use workbooks to track changes

+There are several Azure Monitor workbooks that can help you to monitor configuration changes.

+[The Sensitive Operations Report workbook](../reports-monitoring/workbook-sensitive-operations-report.md) can help identify suspicious application and service principal activity that may indicate a compromise, including:

+* Modified application or service principal credentials or authentication methods

+* New permissions granted to service principals

+* Directory role and group membership updates for service principals

+* Modified federation settings

+The [Cross-tenant access activity workbook ](../reports-monitoring/workbook-cross-tenant-access-activity.md)can help you monitor which applications in external tenants your users are accessing, and which applications I your tenant external users are accessing. Use this workbook to look for anomalous changes in either inbound or outbound application access across tenants.

+## Next steps

+For foundational information on recoverability, see [Recoverability best practices](recoverability-overview.md)

+for information on recovering from deletions, see [Recover from deletions](recover-from-deletions.md)

+ Title: Recoverability best practices in Azure Active Directory

+description: Learn the best practices for increasing recoverability.

+# Recoverability best practices

+Unintended deletions and misconfigurations will happen to your tenant. To minimize the impact of these unintended events, you must prepare for their occurrence.

+Recoverability is the preparatory processes and functionality that enable you to return your services to a prior functioning state after an unintended change. Unintended changes include the soft- or hard-deletion or misconfiguration of applications, groups, users, policies, and other objects in your Azure Active Directory (Azure AD) tenant.

+Recoverability helps your organization be more resilient. Resilience while related, is different. Resilience is the ability to endure disruption to system components and recover with minimal impact to your business, users, customers, and operations. For more information about making your systems more resilient, see [Building resilient identity and access management with Azure Active Directory](resilience-overview.md).

+This article describes the best practices in preparing for deletions and misconfigurations to minimize the unintended consequences to your organizationΓÇÖs business.

+## Deletions and misconfigurations

+Deletions and misconfigurations have different impacts on your tenant.

+### Deletions

+The impact of deletions depends on the object type.

+Users, Microsoft 365 (Microsoft 365) Groups, and applications can be ΓÇ£soft deleted.ΓÇ¥ Soft deleted items are sent to the Azure AD recycle bin. While in the recycle bin, items are not available for use. However, they retain all their properties, and can be restored via a Microsoft Graph API call, or in the Azure AD portal. Items in the soft delete state that aren't restored within 30 days, are permanently or ΓÇ£hard deleted.ΓÇ¥

+

+> [!IMPORTANT]

+> All other object types are hard deleted immediately when selected for deletion. When an object is hard deleted, it cannot be recovered. It must be recreated and reconfigured.

+For more information on deletions and how to recover from them, see [Recover from deletions](recover-from-deletions.md).

+### Misconfigurations

+Configurations are any changes in Azure AD that alter the behavior or capabilities of an Azure AD service or feature. For example, when you configure a Conditional Access policy you alter who can access the targeted applications and under what circumstances. Tenant-wide configurations affect your entire tenant. Configurations of specific objects or services affect only that object and its dependencies.

+For more information on misconfigurations and how to recover from them, see [Recover from misconfigurations](recover-from-misconfigurations.md).

+## Shared responsibility

+Recoverability is a shared responsibility between Microsoft as your cloud service provider, and your organization.

+

+You can use the tools and services that Microsoft provides to prepare for deletions and misconfigurations.

+## Business continuity and disaster planning

+Restoring a hard deleted or misconfigured item is a resource-intensive process. You can minimize the resources needed by planning ahead. Consider having a specific team of admins in charge of restorations.

+### Test your restoration process

+You should rehearse your restoration process for different object types, and the communication that will go out as a result. Be sure to do rehearse with test objects, ideally in a test tenant.

+Testing your plan can help you to determine the following:

+- Validity and completeness of your object state documentation.

+- Typical time to resolution.

+- Appropriate communications and their audiences.

+- Expected successes and potential challenges.

+### Create the communication process

+Create a process of pre-defined communications to make others aware of the issue and timelines for restoration. Include the following in your restoration communication plan.

+- The types of communications to go out. Consider creating pre-defined templates.

+- Stakeholders to receive communications. Include the following as applicable:

+ - impacted business owners.

+ - operational admins who will perform recovery.

+ - Business and technical approvers.

+ - Impacted users.

+- Define the events that trigger communications, such as

+ - Initial deletion

+ - Impact assessment

+ - Time to resolution

+ - Restoration

+## Document known good states

+Document the state of your tenant and its objects regularly so that in the event of a hard delete or misconfiguration you have a road map to recovery. The following tools can help you in documenting your current state.

+- The [Microsoft Graph APIs](https://docs.microsoft.com/graph/overview?view=graph-rest-1.0) can be used to export the current state of many Azure AD configurations.

+- You can use the [Azure AD Exporter](https://github.com/microsoft/azureadexporter) to regularly export your configuration settings.

+- The [Microsoft 365 desired state configuration](https://github.com/microsoft/Microsoft365DSC/wiki/What-is-Microsoft365DSC) module is a module of the PowerShell Desired State Configuration framework. It can be used to export the configurations for reference, and application of the prior state of many settings.

+- The [Conditional Access APIs](https://github.com/Azure-Samples/azure-ad-conditional-access-apis) can be used to manage your Conditional Access policies as code.

+### Commonly used Microsoft Graph APIs

+The Microsoft Graph APIs can be used to export the current state of many Azure AD configurations. The APIs cover most scenarios where reference material about the prior state, or the ability to apply that state from an exported copy, could become vital to keep your business running.

+Graph APIs are highly customizable based on your organizational needs. To implement a solution for backups or reference material requires developers to engineer code to query for, store, and display the data. Many implementations use online code repositories as part of this functionality.

+### Useful APIS for recovery

+| Resource types| Reference links |

+| - | - |

+| Users, groups, and other directory objects| [directoryObject API](/graph/api/resources/directoryObject?view=graph-rest-1.0) |

+| Directory roles| [directoryRole API](/graph/api/resources/directoryrole?view=graph-rest-1.0) |

+| Conditional Access policies| [Conditional Access policy API](/graph/api/resources/conditionalaccesspolicy?view=graph-rest-1.0) |

+| Devices| [devices API](/graph/api/resources/device?view=graph-rest-1.0) |

+| Domains| [domains API](/graph/api/domain-list?view=graph-rest-1.0&tabs=http) |

+| Administrative Units| [administrativeUnit API)](/graph/api/resources/administrativeunit?view=graph-rest-1.0) |

+| Deleted Items*| [deletedItems API](/graph/api/resources/directory?view=graph-rest-1.0) |

+Securely store these configuration exports with access provided to a limited number of admins.

+The [Azure AD Exporter](https://github.com/microsoft/azureadexporter) can provide most of the documentation you'll need.

+- Verify that you've implemented the desired configuration.

+- Use the exporter to capture current configurations.

+- Review the export, understand the settings for your tenant that aren't exported, and manually document them.

+- Store the output in a secure location with limited access.

+> [!NOTE]

+> Settings in the legacy MFA portal, for Application Proxy and federation settings may not be exported with the Azure AD Exporter, or with the Graph API.

+The [Microsoft 365 desired state configuration](https://github.com/microsoft/Microsoft365DSC/wiki/What-is-Microsoft365DSC) module uses Microsoft Graph and PowerShell to retrieve the state of many of the configurations in Azure AD. This information can be used as reference information or, by using PowerShell Desired State Configuration scripting, to reapply a known-good state.

+ Use [Conditional Access Graph APIs](https://github.com/Azure-Samples/azure-ad-conditional-access-apis) to manage policies like code. Automate approvals to promote policies from preproduction environments, backup and restore, monitor change, and plan ahead for emergencies.

+### Map the dependencies among objects.

+The deletion of some objects can cause a ripple effect due to dependencies. For example, deletion of a security group used for application assignment would result in users who were members of that group being unable to access the applications to which the group was assigned.

+#### Common dependencies

+| Object Type| Potential Dependencies |

+| - | - |

+| Application object| Service Principal (Enterprise Application). <br>Groups assigned to the application. <br>Conditional Access Policies affecting the application. |

+| Service principals| Application object |

+| Conditional Access Policies| Users assigned to the policy.<br>Groups assigned to the policy.<br>Service Principal (Enterprise Application) targeted by the policy. |

+| Groups other than Microsoft 365 Groups| Users assigned to the group.<br>Conditional access policies to which the group is assigned.<br>Applications to which the group is assigned access. |

+## Monitoring and data retention

+The [Azure AD Audit Log](../reports-monitoring/concept-audit-logs.md) contains information on all delete and configuration operations performed in your tenant. We recommend that you export these logs to a security information and event management (SIEM) tool such as [Microsoft Sentinel](../../sentinel/overview.md). You can also use Microsoft Graph to audit changes, and build a custom solution to monitor differences over time. For more information on finding deleted items using Microsoft Graph, see [List deleted items - Microsoft Graph v1.0 ](/graph/api/directory-deleteditems-list?view=graph-rest-1.0&tabs=http)

+### Audit logs

+The Audit Log always records a ΓÇ£Delete <object>ΓÇ¥ event when an object in the tenant is removed from an active state (either from active to soft-deleted or active to hard-deleted).

+A Delete event for applications, users, and Microsoft 365 Groups is a soft delete. For any other object type it's a hard delete.

+| | Activity in log| Result |

+| - | - | - |

+| Application| Delete application| Soft deleted |

+| Application| Hard delete application| Hard deleted |

+| User| Delete user| Soft deleted |

+| User| Hard delete user| Hard deleted |

+| Microsoft 365 Groups| Delete group| Soft deleted |

+| Microsoft 365 Group| Hard delete group| Hard deleted |

+| All other objects| Delete ΓÇ£objectTypeΓÇ¥| Hard deleted |

+> [!NOTE]

+> The audit log does not distinguish the group type of a deleted group. Only Microsoft 365 Groups are soft-deleted. If you see a Delete group entry, it may be the soft delete of a M365 group, or the hard delete of another type of group. It is therefore important that your documentation of your known good state include the group type for each group in your organization.

+For information on monitoring configuration changes, see [Recover from misconfigurations](recover-from-misconfigurations.md).

+### Use workbooks to track configuration changes

+There are several Azure Monitor workbooks that can help you to monitor configuration changes.

+[The Sensitive Operations Report workbook](../reports-monitoring/workbook-sensitive-operations-report.md) can help identify suspicious application and service principal activity that may indicate a compromise, including:

+- Modified application or service principal credentials or authentication methods

+- New permissions granted to service principals

+- Directory role and group membership updates for service principals

+- Modified federation settings

+The [Cross-tenant access activity workbook ](../reports-monitoring/workbook-cross-tenant-access-activity.md)can help you monitor which applications in external tenants your users are accessing, and which applications I your tenant external users are accessing. Use this workbook to look for anomalous changes in either inbound or outbound application access across tenants.

+## Operational security

+Preventing unwanted changes is far less difficult than needing to recreate and reconfigure objects. Include the following in your change management processes to minimize accidents:

+- Use a least privilege model. Ensure that each member of your team has the least privileges necessary to complete their usual tasks and require a process to escalate privileges for more unusual tasks.

+- Administrative control of an object enables configuration and deletion. Use Read Only admin roles, for example the Global Reader role, for any tasks that do not require operations to create, update, or delete (CRUD). When CRUD operations are required, use object specific roles when possible. For example, User Administrators can delete only users, and Application Administrators can delete only applications. Use these more limited roles whenever possible, instead of a Global Administrator role, which can delete anything, including the tenant.

+- [Use Privileged Identity Management (PIM)](../privileged-identity-management/pim-configure.md). PIM enables just-in-time escalation of privileges to perform tasks like hard deletion. You can configure PIM to have notifications and or approvals for the privilege escalation.

+## Next steps

+[Recover from deletions](recover-from-deletions.md)

+[Recover from misconfigurations](recover-from-misconfigurations.md)

+| Azure SQL | [Azure SQL Transparent Data Encryption with customer-managed key](/azure/azure-sql/database/transparent-data-encryption-byok-overview) |

+| Azure SQL Managed Instance | [Azure SQL Transparent Data Encryption with customer-managed key](/azure/azure-sql/database/transparent-data-encryption-byok-overview) |

+| Azure SQL | [Use Azure Active Directory authentication](/azure/azure-sql/database/authentication-aad-overview) |

+| Azure SQL Managed Instance | [What is Azure SQL Managed Instance?](/azure/azure-sql/managed-instance/sql-managed-instance-paas-overview#azure-active-directory-integration) |

+To grant your VM access to a database in Azure SQL Database, you can use an existing [logical SQL server](/azure/azure-sql/database/logical-servers) or create a new one. To create a new server and database using the Azure portal, follow this [Azure SQL quickstart](/azure/azure-sql/database/single-database-create-quickstart). There are also quickstarts that use the Azure CLI and Azure PowerShell in the [Azure SQL documentation](/azure/sql-database/).

+**To [configure Azure AD authentication](/azure/azure-sql/database/authentication-aad-configure):**

+- [Universal Authentication with SQL Database and Azure Synapse Analytics (SSMS support for MFA)](/azure/azure-sql/database/authentication-mfa-ssms-overview)

+- [Configure and manage Azure Active Directory authentication with SQL Database or Azure Synapse Analytics](/azure/azure-sql/database/authentication-aad-configure)

+> [Azure SQL Database](/azure/azure-sql/database/sql-database-paas-overview)

+For more information, see [SQL Database Advisor](/azure/azure-sql/database/database-advisor-implement-performance-recommendations).

+Learn more about [SQL virtual machine - UpgradeToFullMode (SQL IaaS Agent should be installed in full mode)](/azure/azure-sql/virtual-machines/windows/sql-server-iaas-agent-extension-automate-management?tabs=azure-powershell).

+1. Create a single database in Azure SQL Database by following the steps in: [Quickstart: Create an Azure SQL Database single database](/azure/azure-sql/database/single-database-create-quickstart). Return to this document after creating and configuring the database server.

+ **Active Directory - Universal with MFA support** to use [non-interactive or multi-factor authentication](/azure/azure-sql/database/authentication-mfa-ssms-overview).

+ > Choosing Active Directory Universal with MFA Support is recommended. This type of authentication type supports [non-interactive and multi-factor authentication](/azure/azure-sql/database/authentication-mfa-ssms-overview).

+Learn how to set up a GitHub Actions workflow to deploy a ASP.NET Core application with an [Azure SQL Database](/azure/azure-sql/database/sql-database-paas-overview) backend. When you're finished, you have an ASP.NET app running in Azure and connected to SQL Database. You'll first use an [ARM template](../azure-resource-manager/templates/overview.md) to create resources.

+This tutorial walks you through setting up a GitHub Actions workflow to deploy a containerized ASP.NET Core application with an [Azure SQL Database](/azure/azure-sql/database/sql-database-paas-overview) backend. When you're finished, you have an ASP.NET app running in Azure and connected to SQL Database. You'll first create Azure resources with an [ARM template](../azure-resource-manager/templates/overview.md) GitHub Actions workflow.

+[Azure App Service](overview.md) provides a highly scalable, self-patching web hosting service. This tutorial shows you how to deploy a data-driven ASP.NET app in App Service and connect it to [Azure SQL Database](/azure/azure-sql/database/sql-database-paas-overview). When you're finished, you have an ASP.NET app running in Azure and connected to SQL Database.

+Before creating a database, you need a [logical SQL server](/azure/azure-sql/database/logical-servers). A logical SQL server is a logical construct that contains a group of databases managed as a group.

+ For Linux apps, you can select the language runtime version and set an optional **Startup command** or a startup command file.

+#### Syntax Limitations

+- the "version x.x" always needs to be the first yaml statement in the file

+- the ports section must use quoted numbers

+- the image > volume section must be quoted and cannot have a permissions definitions

+- the volumes section must not have an empty curly brace after the volume name

+* Outbound network connectivity to Azure SQL Database endpoints that are located in the same region as App Service Environment. SQL Database endpoints resolve under the database.windows.net domain, which requires open access to ports 1433, 11000-11999, and 14000-14999. For details about SQL Database V12 port usage, see [Ports beyond 1433 for ADO.NET 4.5](/azure/azure-sql/database/adonet-v12-develop-direct-route-ports).

+The database backup for the app is stored in the root of the .zip file. For SQL Database, this is a BACPAC file (no file extension) and can be imported. To create a database in Azure SQL Database based on the BACPAC export, see [Import a BACPAC file to create a database in Azure SQL Database](/azure/azure-sql/database/database-import).

+ To scale up the related resource, see the documentation for the specific resource type. For example, to scale up a single SQL Database, see [Scale single database resources in Azure SQL Database](/azure/azure-sql/database/single-database-scale). To scale up a Azure Database for MySQL resource, see [Scale MySQL resources](../mysql/concepts-pricing-tiers.md#scale-resources).

+- [Connect to Azure SQL database with Java](/azure/azure-sql/database/connect-query-java?toc=%2fazure%2fjava%2ftoc.json)

+> [Connect to Azure SQL database with Java](/azure/azure-sql/database/connect-query-java?toc=%2fazure%2fjava%2ftoc.json)

+ Title: Tutorial - .NET Web app accesses Microsoft Graph as the user | Azure

+description: In this tutorial, you learn how to access data in Microsoft Graph for a signed-in user from a .NET web app.

+ms.devlang: csharp

+# Tutorial: Access Microsoft Graph from a secured .NET app as the user

+## Call Microsoft Graph with .NET

+### Call Microsoft Graph on behalf of the user

+// Index.cshtml.cs

+ Title: Tutorial - Add user authentication to a web app on Azure App Service | Azure

+description: In this tutorial, you learn how to enable user authentication and authorization for a web app running on Azure App Service. Limit access to the web app to users in your organizationΓÇï.

+#Customer intent: As an application developer, enable authentication and authorization for a web app running on Azure App Service.

+# Tutorial: Add user authentication to your web app running on Azure App Service

+## Connect to backend services as user

+User authentication can begin with authenticating the user to your app service as described in the previous section.

+Once the app service has the authenticated identity, your system needs to **connect to backend services as the user**:

+* A database example is a SQL database which imposes its own security for that identity on tables

+

+* A storage example is Blob Storage which imposes its own security for that identity on containers and blobs

+* A user needs access to Microsoft Graph to access their own email.

+> [!div class="nextstepaction"]

+> [App service accesses Graph](scenario-secure-app-authentication-app-service-as-user.md)

+ Title: Tutorial - Add app authentication to a web app on Azure App Service | Azure

+description: In this tutorial, you learn how to enable app authentication and authorization for a web app running on Azure App Service. Limit access to the web app to users in your organizationΓÇï.

+# Tutorial: Add app authentication to your web app running on Azure App Service

+## Connect to backend services as app

+User authentication can begin with authenticating the user to your app service as described in the previous section.

+Once the app service has the authenticated identity, your system needs to **connect to backend services as the app**:

+* Use [managed identity](tutorial-connect-overview.md#connect-to-azure-services-with-managed-identity). If managed identity isn't available, then use [Key Vault](tutorial-connect-overview.md#connect-to-key-vault-with-managed-identity).

+* The user identity doesn't need to flow further. Any additional security to reach backend services is handled with the app service's identity.

+|Use Microsoft Defender for Cloud's Microsoft Defender for App Service | [Microsoft Defender for App Service](../security-center/defender-for-app-service-introduction.md) is natively integrated with Azure App Service. Defender for Cloud assesses the resources covered by your App Service plan and generates security recommendations based on its findings. Use the detailed instructions in [these recommendations](../security-center/recommendations-reference.md#appservices-recommendations) to harden your App Service resources. Microsoft Defender for Cloud also provides threat protection and can detect a multitude of threats covering almost the complete list of MITRE ATT&CK tactics from pre-attack to command and control. For a full list of the Azure App Service alerts, see [Microsoft Defender for App Service alerts](../security-center/alerts-reference.md#alerts-azureappserv).|

+* Ensure that the back-end services can return responses quickly. For troubleshooting performance issues with Azure SQL Database, review [Troubleshoot Azure SQL Database performance issues with Intelligent Insights](/azure/azure-sql/database/intelligent-insights-troubleshoot-performance#recommended-troubleshooting-flow).

+## Call Microsoft Graph with Node.js

+Your web app now has the required permissions and also adds Microsoft Graph's client ID to the login parameters.

+To see this code as part of a sample application, see the:

+* [sample on GitHub](https://github.com/Azure-Samples/ms-identity-easyauth-nodejs-storage-graphapi/tree/main/3-WebApp-graphapi-managed-identity).

+> [!NOTE]

+> The [@azure/identity](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/README.md) package isn't required in your web app for basic authentication/authorization or to authenticate requests with Microsoft Graph. It's possible to [securely call downstream APIs](tutorial-auth-aad.md#call-api-securely-from-server-code) with only the App Service authentication/authorization module enabled.

+>

+> However, the App Service authentication/authorization is designed for more basic authentication scenarios. For more complex scenarios (handling custom claims, for example), you need the [@azure/identity](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/README.md) package. There's a little more setup and configuration work in the beginning, but the `@azure/identity` package can run alongside the App Service authentication/authorization module. Later, when your web app needs to handle more complex scenarios, you can disable the App Service authentication/authorization module and `@azure/identity` will already be a part of your app.

+### Install client library packages

+Install the [@azure/identity](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/README.md) and the [@microsoft/microsoft-graph-client](https://www.npmjs.com/package/@microsoft/microsoft-graph-client?activeTab=readme) packages in your project with npm.

+```bash

+npm install @azure/identity @microsoft/microsoft-graph-client

+```

+### Configure authentication information

+Create an object to hold the [authentication settings](https://github.com/Azure-Samples/ms-identity-easyauth-nodejs-storage-graphapi/blob/main/3-WebApp-graphapi-managed-identity/app.js):

+```javascript

+// partial code in app.js

+const appSettings = {

+ appCredentials: {

+ clientId: process.env.WEBSITE_AUTH_CLIENT_ID, // Enter the client Id here,

+ tenantId: "common", // Enter the tenant info here,

+ clientSecret: process.env.MICROSOFT_PROVIDER_AUTHENTICATION_SECRET // Enter the client secret here,

+ },

+ authRoutes: {

+ redirect: "/.auth/login/aad/callback", // Enter the redirect URI here

+ error: "/error", // enter the relative path to error handling route

+ unauthorized: "/unauthorized" // enter the relative path to unauthorized route

+ },

+}

+```

+### Call Microsoft Graph on behalf of the app

+The following code shows how to call [Microsoft Graph controller](https://github.com/Azure-Samples/ms-identity-easyauth-nodejs-storage-graphapi/blob/main/2-WebApp-graphapi-on-behalf/controllers/graphController.js) as the app and get some user information.

+```javascript

+// graphController.js

+ // get app's access token scoped to Microsoft Graph

+ // use token to create Graph client

+ // return profiles of users in Graph

+The previous code relies on the following [getAuthenticatedClient](https://github.com/Azure-Samples/ms-identity-easyauth-nodejs-storage-graphapi/blob/main/3-WebApp-graphapi-managed-identity/utils/graphHelper.js) function to return Microsoft Graph client.

+```javascript

+// utils/graphHelper.js

+const graph = require('@microsoft/microsoft-graph-client');

+ Title: Tutorial - Web app accesses Microsoft Graph as the user | Azure

+description: In this tutorial, you learn how to access data in Microsoft Graph for a signed-in user.

+ms.devlang: csharp

+#Customer intent: As an application developer, I want to learn how to access data in Microsoft Graph for a signed-in user.

+# Tutorial: Access Microsoft Graph from a secured JavaScript app as the user

+## Call Microsoft Graph from Node.js

+Your web app now has the required permissions and also adds Microsoft Graph's client ID to the login parameters.

+To see this code as part of a sample application, see the:

+* [Sample on GitHub](https://github.com/Azure-Samples/ms-identity-easyauth-nodejs-storage-graphapi/tree/main/2-WebApp-graphapi-on-behalf).

+### Install client library packages

+Install the [@azure/identity](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/README.md) and the [@microsoft/microsoft-graph-client](https://www.npmjs.com/package/@microsoft/microsoft-graph-client?activeTab=readme) packages in your project with npm.

+```bash

+npm install @microsoft/microsoft-graph-client

+```

+### Configure authentication information

+Create an object to hold the [authentication settings](https://github.com/Azure-Samples/ms-identity-easyauth-nodejs-storage-graphapi/blob/main/2-WebApp-graphapi-on-behalf/app.js):

+```javascript

+// partial code in app.js

+const appSettings = {

+ appCredentials: {

+ clientId: process.env.WEBSITE_AUTH_CLIENT_ID, // Enter the client Id here,

+ tenantId: "common", // Enter the tenant info here,

+ clientSecret: process.env.MICROSOFT_PROVIDER_AUTHENTICATION_SECRET // Enter the client secret here,

+ },

+ authRoutes: {

+ redirect: "/.auth/login/aad/callback", // Enter the redirect URI here

+ error: "/error", // enter the relative path to error handling route

+ unauthorized: "/unauthorized" // enter the relative path to unauthorized route

+ },

+ protectedResources: {

+ graphAPI: {

+ endpoint: "https://graph.microsoft.com/v1.0/me", // resource endpoint

+ scopes: ["User.Read"] // resource scopes

+ },

+ },

+}

+```

+### Call Microsoft Graph on behalf of the user

+The following code shows how to call [Microsoft Graph controller](https://github.com/Azure-Samples/ms-identity-easyauth-nodejs-storage-graphapi/blob/main/2-WebApp-graphapi-on-behalf/controllers/graphController.js) as the app and get some user information.

+```javascript

+// controllers/graphController.js

+// get the name of the app service instance from environment variables

+const appServiceName = process.env.WEBSITE_SITE_NAME;

+const graphHelper = require('../utils/graphHelper');

+exports.getProfilePage = async(req, res, next) => {

+ try {

+ // get user's access token scoped to Microsoft Graph from session

+ // use token to create Graph client

+ const graphClient = graphHelper.getAuthenticatedClient(req.session.protectedResources["graphAPI"].accessToken);

+ // return user's profile

+ const profile = await graphClient

+ .api('/me')

+ .get();

+ res.render('profile', { isAuthenticated: req.session.isAuthenticated, profile: profile, appServiceName: appServiceName });

+ } catch (error) {

+ next(error);

+ }

+}

+```

+The previous code relies on the following [getAuthenticatedClient](https://github.com/Azure-Samples/ms-identity-easyauth-nodejs-storage-graphapi/blob/main/2-WebApp-graphapi-on-behalf/utils/graphHelper.js) function to return Microsoft Graph client.

+```javascript

+// utils/graphHelper.js

+const graph = require('@microsoft/microsoft-graph-client');

+getAuthenticatedClient = (accessToken) => {

+ // Initialize Graph client

+ const client = graph.Client.init({

+ // Use the provided access token to authenticate requests

+ authProvider: (done) => {

+ done(null, accessToken);

+ }

+ });

+ return client;

+}

+```

+To debug your app using SQL Database as the back end, make sure that you've allowed client connection from your computer. If not, add the client IP by following the steps at [Manage server-level IP firewall rules using the Azure portal](/azure/azure-sql/database/firewall-configure#use-the-azure-portal-to-manage-server-level-ip-firewall-rules).

+First, enable Azure Active Directory authentication to SQL Database by assigning an Azure AD user as the admin of the server. This user is different from the Microsoft account you used to sign up for your Azure subscription. It must be a user that you created, imported, synced, or invited into Azure AD. For more information on allowed Azure AD users, see [Azure AD features and limitations in SQL Database](/azure/azure-sql/database/authentication-aad-overview#azure-ad-features-and-limitations).

+For more information on adding an Active Directory admin, see [Provision an Azure Active Directory administrator for your server](/azure/azure-sql/database/authentication-aad-configure#provision-azure-ad-admin-sql-managed-instance)

+| **Read model** | **Text Extraction** | **[Language detection](language-support.md#detected-languages-read-api)** |

+Read API in v3.0 preview 2 adds [language detection](language-support.md#detected-languages-read-api) as a new feature for text lines. Read will predict the language at the text line level along with the confidence score.

+## Read, layout, and custom form (template) model

+The following lists include the currently GA languages in for the v2.1 version and the most recent v3.0 preview. These languages are supported by Read, Layout, and Custom form (template) model features.

+### Handwritten languages (preview and GA)

+The following table lists the supported languages for extracting handwritten texts.

+This section lists the supported languages for extracting printed texts in the latest preview.

+|Angika (Devanagari) | `anp`|Lakota | `lkt`

+|Awadhi-Hindi (Devanagari) | `awa`|Lithuanian | `lt`

+|Belarusian (Cyrillic) | `be`, `be-cyrl`|Mahasu Pahari (Devanagari) | `bfz`

+|Bhojpuri-Hindi (Devanagari) | `bho`|Malto (Devanagari) | `kmj`

+|Bodo (Devanagari) | `brx`|Maori | `mi`

+|Chhattisgarhi (Devanagari)| `hne`|Nogay | `nog`

+|Dhimal (Devanagari) | `dhi`|Pashto | `ps`

+|Dogri (Devanagari) | `doi`|Persian | `fa`

+|Gondi (Devanagari) | `gon`|Russian | `ru`

+|Gurung (Devanagari) | `gvr`|Sadri (Devanagari) | `sck`

+|Halbi (Devanagari) | `hlb`|Samoan (Latin) | `sm`

+|Ho(Devanagiri) | `hoc`|Sherpa (Devanagari) | `xsr`

+|Icelandic | `is`|Sirmauri (Devanagari) | `srx`

+|Jaunsari (Devanagari) | `Jns`|Slovak | `sk`

+|Kangri (Devanagari) | `xnr`|Somali (Arabic) | `so`

+|Kurukh (Devanagari) | `kru`|Welsh | `cy`

+This section lists the supported languages for extracting printed texts in the latest GA version.

+## Detected languages: Read API

+> [!NOTE]

+> **Language detection**

+>

+> Form Recognizer read model can _detect_ a wide range of languages, variants, dialects, and some regional/cultural languages and return a language code.

+>

+> This section lists the languages that can be detected using the Read API. To determine if text can also be _extracted_ for a given language, see [handwritten](#handwritten-languages-preview-and-ga), [print preview](#print-languages-preview), and [print GA](#print-languages-ga) language extraction lists (above).

+| Afrikaans | `af` |

+| Albanian | `sq` |

+| Amharic | `am` |

+| Armenian | `hy` |

+| Assamese | `as` |

+| Azerbaijani | `az` |

+| Basque | `eu` |

+| Belarusian | `be` |

+| Bengali | `bn` |

+| Bosnian | `bs` |

+| Bulgarian | `bg` |

+| Burmese | `my` |

+| Catalan | `ca` |

+| Central Khmer | `km` |

+| Chinese | `zh` |

+| Chinese Simplified | `zh_chs` |

+| Chinese Traditional | `zh_cht` |

+| Croatian | `hr` |

+| Danish | `da` |

+| Divehi | `dv` |

+| Dutch | `nl` |

+| Esperanto | `eo` |

+| Estonian | `et` |

+| Fijian | `fj` |

+| Finnish | `fi` |

+| French | `fr` |

+| Georgian | `ka` |

+| Greek | `el` |

+| Gujarati | `gu` |

+| Haitian | `ht` |

+| Hausa | `ha` |

+| Hebrew | `he` |

+| Hindi | `hi` |

+| Hmong Daw | `mww` |

+| Hungarian | `hu` |

+| Igbo | `ig` |

+| Inuktitut | `iu` |

+| Irish | `ga` |

+| Italian | `it` |

+| Japanese | `ja` |

+| Javanese | `jv` |

+| Kannada | `kn` |

+| Kazakh | `kk` |

+| Kinyarwanda | `rw` |

+| Kirghiz | `ky` |

+| Korean | `ko` |

+| Kurdish | `ku` |

+| Lao | `lo` |

+| Latin | `la` |

+| Latvian | `lv` |

+| Lithuanian | `lt` |

+| Luxembourgish | `lb` |

+| Macedonian | `mk` |

+| Malagasy | `mg` |

+| Malay | `ms` |

+| Malayalam | `ml` |

+| Maltese | `mt` |

+| Maori | `mi` |

+| Marathi | `mr` |

+| Mongolian | `mn` |

+| Nepali | `ne` |

+| Norwegian | `no` |

+| Norwegian Nynorsk | `nn` |

+| Oriya | `or` |

+| Pasht | `ps` |

+| Persian | `fa` |

+| Polish | `pl` |

+| Portuguese | `pt` |

+| Punjabi | `pa` |

+| Queretaro Otomi | `otq` |

+| Romanian | `ro` |

+| Russian | `ru` |

+| Samoan | `sm` |

+| Serbian | `sr` |

+| Shona | `sn` |

+| Sindhi | `sd` |

+| Sinhala | `si` |

+| Slovak | `sk` |

+| Slovenian | `sl` |

+| Somali | `so` |

+| Spanish | `es` |

+| Sundanese | `su` |

+| Swahili | `sw` |

+| Tagalog | `tl` |

+| Tahitian | `ty` |

+| Tajik | `tg` |

+| Tamil | `ta` |

+| Tatar | `tt` |

+| Telugu | `te` |

+| Thai | `th` |

+| Tigrinya | `ti` |

+| Tongan | `to` |

+| Turkish | `tr` |

+| Turkmen | `tk` |

+| Ukrainian | `uk` |

+| Urdu | `ur` |

+| Uzbek | `uz` |

+| Vietnamese | `vi` |

+| Welsh | `cy` |

+| Xhosa | `xh` |

+| Yiddish | `yi` |

+| Yoruba | `yo` |

+| Yucatec Maya | `yua` |

+| Zulu | `zu` |

+Enabling the Azure Firewall on [Azure Storage](../storage/common/storage-network-security.md), [Azure Key Vault](../key-vault/general/network-security.md), or [Azure SQL](/azure/azure-sql/database/firewall-configure) blocks access from Azure Automation runbooks for those services. Access will be blocked even when the firewall exception to allow trusted Microsoft services is enabled, as Automation is not a part of the trusted services list. With an enabled firewall, access can only be made by using a Hybrid Runbook Worker and a [virtual network service endpoint](../virtual-network/virtual-network-service-endpoints-overview.md).

+>[!NOTE]

+>By default, the Azure contexts are saved for use between PowerShell sessions. It is possible that when a previous runbook on the Hybrid Runbook Worker has been authenticated with Azure, that context persists to the disk in the System PowerShell profile, as per [Azure contexts and sign-in credentials | Microsoft Docs](/powershell/azure/context-persistence?view=azps-7.3.2).

+For instance, a runbook with `Get-AzVM` can return all the VMs in the subscription with no call to `Connect-AzAccount`, and the user would be able to access Azure resources without having to authenticate within that runbook. You can disable context autosave in Azure PowerShell, as detailed [here](/powershell/azure/context-persistence?view=azps-7.3.2#save-azure-contexts-across-powershell-sessions).

+* To find out more about geo-replication, see [Creating and using active geo-replication](/azure/azure-sql/database/active-geo-replication-overview).

+Enabling the Azure Firewall on [Azure Storage](../storage/common/storage-network-security.md), [Azure Key Vault](../key-vault/general/network-security.md), or [Azure SQL](/azure/azure-sql/database/firewall-configure) blocks access from Azure Automation runbooks for those services. Access will be blocked even when the firewall exception to allow trusted Microsoft services is enabled, as Automation is not a part of the trusted services list. With an enabled firewall, access can only be made by using a Hybrid Runbook Worker and a [virtual network service endpoint](../virtual-network/virtual-network-service-endpoints-overview.md).

+For details on provisioning access to an Azure SQL database, see [Provision Azure AD admin (SQL Database)](/azure/azure-sql/database/authentication-aad-configure#provision-azure-ad-admin-sql-database).

+This scenario uses [Azure Storage](../../storage/common/storage-network-security.md) as an example; however, the information is equally applicable to [Azure Key Vault](../../key-vault/general/network-security.md) and [Azure SQL](/azure/azure-sql/database/firewall-configure).

+Enabling the Azure Firewall on [Azure Storage](../../storage/common/storage-network-security.md), [Azure Key Vault](../../key-vault/general/network-security.md), or [Azure SQL](/azure/azure-sql/database/firewall-configure) blocks access from Azure Automation runbooks for those services. Access will be blocked even when the firewall exception to allow trusted Microsoft services is enabled, as Automation is not a part of the trusted services list. With an enabled firewall, access can only be made by using a Hybrid Runbook Worker and a [virtual network service endpoint](../../virtual-network/virtual-network-service-endpoints-overview.md).

+| [Azure SQL](/azure/azure-sql/database/high-availability-sla) |  |

+| [SQL Server on Azure Virtual Machines](/azure/azure-sql/database/high-availability-sla) |  |

+- Security features - [Application roles](/sql/relational-databases/security/authentication-access/application-roles), [Dynamic data masking](/sql/relational-databases/security/dynamic-data-masking) ([Get started with SQL Database dynamic data masking with the Azure portal](/azure/azure-sql/database/dynamic-data-masking-configure-portal)), [Row Level Security](/sql/relational-databases/security/row-level-security)

+- For information on Azure SQL Managed Instance service tiers for the vCore model, see [Azure SQL Managed Instance - Compute Hardware in the vCore Service Tier](/azure/azure-sql/managed-instance/service-tiers-managed-instance-vcore)

+As part of of the family of Azure SQL products, Azure Arc-enabled SQL Managed Instance is available in two [vCore](/azure/azure-sql/database/service-tiers-vcore) service tiers.

+### Navigating the OSM dashboard

+1. Access your Arc connected Kubernetes cluster using this [link](https://aka.ms/azmon/osmux).

+2. Go to Azure Monitor and navigate to the Reports tab to access the OSM workbook.

+3. Select the time-range & namespace to scope your services.

+[  ](media/tutorial-arc-enabled-open-service-mesh/osm-workbook.jpg#lightbox)

+> Get started quickly with an [Azure Arc Jumpstart](https://aka.ms/arc-jumpstart-osm) scenario using Cluster API.

+|Azure SQL Database and Azure Synapse Analytics IP firewall rules | [https://docs.microsoft.com/azure/sql-database/sql-database-firewall-configure](/azure/azure-sql/database/firewall-configure)|

+|Controlling and granting database access to SQL Database and Azure Synapse Analytics | [https://docs.microsoft.com/azure/sql-database/sql-database-manage-logins](/azure/azure-sql/database/logins-create-manage)|

+The Microsoft SQL Server (MSSQL) storage provider persists all state into a Microsoft SQL Server database. It's compatible with both on-premise and cloud-hosted deployments of SQL Server, including [Azure SQL Database](/azure/azure-sql/database/sql-database-paas-overview).

+Only used when deploying to a Windows or Linux Premium plan or to a Windows Consumption plan. Not supported for Linux Consumption plans or Windows or Linux Dedicated plans. When you change the setting, ensure the value is lowercased. Changing or removing this setting may cause your function app to not start. To learn more, see [this troubleshooting article](functions-recover-storage-account.md#storage-account-application-settings-were-deleted).

+This set of articles explains how to work with [Azure SQL](/azure/azure-sql/index) bindings in Azure Functions. Azure Functions supports input and output bindings for the Azure SQL and SQL Server products.

+First enable Azure AD authentication to SQL database by assigning an Azure AD user as the Active Directory admin of the server. This user is different from the Microsoft account you used to sign up for your Azure subscription. It must be a user that you created, imported, synced, or invited into Azure AD. For more information on allowed Azure AD users, see [Azure AD features and limitations in SQL database](/azure/azure-sql/database/authentication-aad-overview#azure-ad-features-and-limitations).

+Enabling Azure AD authentication can be completed via the Azure portal, PowerShell, or Azure CLI. Directions for Azure CLI are below and information completing this via Azure portal and PowerShell is available in the [Azure SQL documentation on Azure AD authentication](/azure/azure-sql/database/authentication-aad-configure).

+For more information on adding an Active Directory admin, see [Provision an Azure Active Directory administrator for your server](/azure/azure-sql/database/authentication-aad-configure#provision-azure-ad-admin-sql-database)

+This article shows you how to use Azure Functions to create a scheduled job that connects to an Azure SQL Database or Azure SQL Managed Instance. The function code cleans up rows in a table in the database. The new C# function is created based on a pre-defined timer trigger template in Visual Studio 2019. To support this scenario, you must also set a database connection string as an app setting in the function app. For Azure SQL Managed Instance you need to [enable public endpoint](/azure/azure-sql/managed-instance/public-endpoint-configure) to be able to connect from Azure Functions. This scenario uses a bulk operation against the database.

+You need to get the connection string for the database you created when you completed [Create a database in Azure SQL Database using the Azure portal](/azure/azure-sql/database/single-database-create-quickstart).

+See [Active Geo-Replication for Azure SQL Database](/azure/azure-sql/database/auto-failover-group-overview)

+As mentioned previously, managed HSM supports [importing keys generated](../key-vault/managed-hsm/hsm-protected-keys-byok.md) in your on-premises HSMs, ensuring the keys never leave the HSM protection boundary, also known as *bring your own key (BYOK)* scenario. Managed HSM supports integration with Azure services such as [Azure Storage](../storage/common/customer-managed-keys-overview.md), [Azure SQL Database](/azure/azure-sql/database/transparent-data-encryption-byok-overview), [Azure Information Protection](/azure/information-protection/byok-price-restrictions), and others.

+Azure services such as Storage and SQL Database can be configured for geo-replication to help ensure durability and high availability especially for disaster recovery scenarios. Azure relies on [paired regions](../availability-zones/cross-region-replication-azure.md) to deliver [geo-redundant storage](../storage/common/storage-redundancy.md) (GRS) and paired regions are also recommended when configuring active [geo-replication](/azure/azure-sql/database/active-geo-replication-overview) for Azure SQL Database. Paired regions are located within the same geography; however, network traffic isn't guaranteed to always follow the same path from one Azure region to another. To provide the reliability needed for the Azure cloud, Microsoft has many physical networking paths with automatic routing around failures for optimal reliability.

+> You should review Azure **[best practices](../security/fundamentals/data-encryption-best-practices.md#protect-data-in-transit)** for the protection of data in transit to help ensure that all data in transit is encrypted. For key Azure PaaS storage services (for example, Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics), data encryption in transit is **[enforced by default](/azure/azure-sql/database/security-overview#information-protection-and-encryption)**.

+### [Azure SQL Managed Instance](/azure/azure-sql/managed-instance/sql-managed-instance-paas-overview)

+| [SQL Database](/azure/azure-sql/database/sql-database-paas-overview) | &#x2705; | &#x2705; |

+| [SQL Database](/azure/azure-sql/database/sql-database-paas-overview) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | &#x2705; |

+Follow these steps to [Manage firewall rules by using the Azure portal](/azure/azure-sql/database/firewall-configure#use-the-azure-portal-to-manage-server-level-ip-firewall-rules).

+- Add transparent data encryption with customer-managed keys via Azure Key Vault. For more information, see [Azure SQL transparent data encryption](/azure/azure-sql/database/transparent-data-encryption-byok-overview). The instructions to enable this configuration for Azure Synapse Analytics are the same as the instructions to do so for Azure SQL Database.

+### [Azure SQL Database](/azure/azure-sql/database/sql-database-paas-overview)

+- Add transparent data encryption with customer-managed keys via Azure Key Vault. For more information, see [Azure SQL transparent data encryption with customer-managed key](/azure/azure-sql/database/transparent-data-encryption-byok-overview).

+- Add transparent data encryption with customer-managed keys via Azure Key Vault. For more information, see [Azure SQL transparent data encryption with customer-managed key](/azure/azure-sql/database/transparent-data-encryption-byok-overview).

+Azure SQL Database provides [transparent data encryption](/azure/azure-sql/database/transparent-data-encryption-tde-overview) (TDE) at rest by [default](https://azure.microsoft.com/updates/newly-created-azure-sql-databases-encrypted-by-default/). TDE performs real-time encryption and decryption operations on the data and log files. Database Encryption Key (DEK) is a symmetric key stored in the database boot record for availability during recovery. It's secured via a certificate stored in the master database of the server or an asymmetric key called TDE Protector stored under your control in [Azure Key Vault](../key-vault/general/security-features.md). Key Vault supports [bring your own key](/azure/azure-sql/database/transparent-data-encryption-byok-overview) (BYOK), which enables you to store the TDE Protector in Key Vault and control key management tasks including key rotation, permissions, deleting keys, enabling auditing/reporting on all TDE Protectors, and so on. The key can be generated by the Key Vault, imported, or [transferred to the Key Vault from an on-premises HSM device](../key-vault/keys/hsm-protected-keys.md). You can also use the [Always Encrypted](/azure/azure-sql/database/always-encrypted-azure-key-vault-configure) feature of Azure SQL Database, which is designed specifically to help protect sensitive data by allowing you to encrypt data inside your applications and [never reveal the encryption keys to the database engine](/sql/relational-databases/security/encryption/always-encrypted-database-engine). In this manner, Always Encrypted provides separation between those users who own the data and can view it and those users who manage the data but should have no access.

+Azure SQL Database provides [transparent data encryption](/azure/azure-sql/database/transparent-data-encryption-tde-overview) (TDE) at rest by [default](https://azure.microsoft.com/updates/newly-created-azure-sql-databases-encrypted-by-default/). TDE performs real-time encryption and decryption operations on the data and log files. Database Encryption Key (DEK) is a symmetric key stored in the database boot record for availability during recovery. It's secured via a certificate stored in the master database of the server or an asymmetric key called TDE Protector stored under your control in [Azure Key Vault](../key-vault/general/security-features.md). Key Vault supports [bring your own key](/azure/azure-sql/database/transparent-data-encryption-byok-overview) (BYOK), which enables you to store the TDE Protector in Key Vault and control key management tasks including key rotation, permissions, deleting keys, enabling auditing/reporting on all TDE Protectors, and so on. The key can be generated by the Key Vault, imported, or [transferred to the Key Vault from an on-premises HSM device](../key-vault/keys/hsm-protected-keys.md). You can also use the [Always Encrypted](/azure/azure-sql/database/always-encrypted-azure-key-vault-configure) feature of Azure SQL Database, which is designed specifically to help protect sensitive data by allowing you to encrypt data inside your applications and [never reveal the encryption keys to the database engine](/sql/relational-databases/security/encryption/always-encrypted-database-engine). In this manner, Always Encrypted provides separation between those users who own the data (and can view it) and those users who manage the data (but should have no access).

+Azure Storage redundancy options can have implications on data residency as Azure relies on [paired regions](../availability-zones/cross-region-replication-azure.md) to deliver [geo-redundant storage](../storage/common/storage-redundancy.md#geo-redundant-storage) (GRS). For example, if you're concerned about geo-replication across regions that span country boundaries, you may want to choose LRS or ZRS to keep Azure Storage data at rest within the geographic boundaries of the country in which the primary region is located. Similarly, [geo replication for Azure SQL Database](/azure/azure-sql/database/active-geo-replication-overview) can be obtained by configuring asynchronous replication of transactions to any region in the world, although it's recommended that paired regions be used for this purpose as well. If you need to keep relational data inside the geographic boundaries of your country/region, you shouldn't configure Azure SQL Database asynchronous replication to a region outside that country.

+As described in *[Data at rest](#data-at-rest)* section, Azure services such as Storage and SQL Database can be configured for geo-replication to help ensure durability and high availability especially for disaster recovery scenarios. Azure relies on [paired regions](../availability-zones/cross-region-replication-azure.md) to deliver [geo-redundant storage](../storage/common/storage-redundancy.md#geo-redundant-storage) (GRS), and paired regions are also recommended when configuring active [geo-replication](/azure/azure-sql/database/active-geo-replication-overview) for Azure SQL Database. Paired regions are located within the same Geography.

+Azure SQL Database provides [transparent data encryption](/azure/azure-sql/database/transparent-data-encryption-tde-overview) (TDE) at rest by [default](https://azure.microsoft.com/updates/newly-created-azure-sql-databases-encrypted-by-default/). TDE performs real-time encryption and decryption operations on the data and log files. Database Encryption Key (DEK) is a symmetric key stored in the database boot record for availability during recovery. It's secured via a certificate stored in the master database of the server or an asymmetric key called TDE Protector stored under your control in [Azure Key Vault](../key-vault/general/security-features.md). Key Vault supports [bring your own key](/azure/azure-sql/database/transparent-data-encryption-byok-overview) (BYOK), which enables you to store the TDE Protector in Key Vault and control key management tasks including key permissions, rotation, deletion, enabling auditing/reporting on all TDE Protectors, and so on. The key can be generated by the Key Vault, imported, or [transferred to the Key Vault from an on-premises HSM device](../key-vault/keys/hsm-protected-keys.md). You can also use the [Always Encrypted](/azure/azure-sql/database/always-encrypted-azure-key-vault-configure) feature of Azure SQL Database, which is designed specifically to help protect sensitive data by allowing you to encrypt data inside your applications and [never reveal the encryption keys to the database engine](/sql/relational-databases/security/encryption/always-encrypted-database-engine). In this manner, Always Encrypted provides separation between those users who own the data (and can view it) and those users who manage the data (but should have no access).

+- **Data encryption at rest and in transit:** Does Microsoft enforce data encryption by default? Does Microsoft support customer-managed encryption keys? **Answer:** Yes, many Azure services, including Azure Storage and Azure SQL Database, encrypt data by default and support customer-managed keys. Azure [Storage encryption for data at rest](../storage/common/storage-service-encryption.md) ensures that data is automatically encrypted before persisting it to Azure Storage and decrypted before retrieval. You can use [your own encryption keys](../storage/common/customer-managed-keys-configure-key-vault.md) for Azure Storage encryption at rest and manage your keys in Azure Key Vault. Storage encryption is enabled by default for all new and existing storage accounts and it can't be disabled. When provisioning storage accounts, you can enforce ΓÇ£[secure transfer required](../storage/common/storage-require-secure-transfer.md)ΓÇ¥ option, which allows access only from secure connections. This option is enabled by default when creating a storage account in the Azure portal. Azure SQL Database enforces [data encryption in transit](/azure/azure-sql/database/security-overview#information-protection-and-encryption) by default and provides [transparent data encryption](/azure/azure-sql/database/transparent-data-encryption-tde-overview) (TDE) at rest [by default](https://azure.microsoft.com/updates/newly-created-azure-sql-databases-encrypted-by-default/) allowing you to use Azure Key Vault and *[bring your own key](/azure/azure-sql/database/transparent-data-encryption-byok-overview)* (BYOK) functionality to control key management tasks including key permissions, rotation, deletion, and so on.

+|:|:-|:|:|:|

+| **Environments supported** | Azure<br>Other cloud (Azure Arc)<br>On-premises (Azure Arc)<br>[Windows Client OS (preview)](./azure-monitor-agent-windows-client.md) | Azure | Azure<br>Other cloud<br>On-premises | Azure<br>Other cloud<br>On-premises |

+| **Data collected** | Event Logs<br>Performance<br>File based logs (preview)<br> | Event Logs<br>ETW events<br>Performance<br>File based logs<br>IIS logs<br>.NET app logs<br>Crash dumps<br>Agent diagnostics logs | Event Logs<br>Performance<br>File based logs<br>IIS logs<br>Insights and solutions<br>Other services | Process dependencies<br>Network connection metrics |

+| **Services and**<br>**features**<br>**supported** | Log Analytics<br>Metrics explorer<br>Microsoft Sentinel ([view scope](./azure-monitor-agent-overview.md#supported-services-and-features)) | Metrics explorer | VM insights<br>Log Analytics<br>Azure Automation<br>Microsoft Defender for Cloud<br>Microsoft Sentinel | VM insights<br>Service Map |

+|:|:-|:|:|:|:|

+| **Data collected** | Syslog<br>Performance<br>File based logs (preview)<br> | Syslog<br>Performance | Performance | Syslog<br>Performance| Process dependencies<br>Network connection metrics |

+| **Services and**<br>**features**<br>**supported** | Log Analytics<br>Metrics explorer<br>Microsoft Sentinel ([view scope](./azure-monitor-agent-overview.md#supported-services-and-features)) | | Metrics explorer | VM insights<br>Log Analytics<br>Azure Automation<br>Microsoft Defender for Cloud<br>Microsoft Sentinel | VM insights<br>Service Map |

+> [!WARNING]

+> The Log Analytics agents are on a deprecation path and will no longer be supported after August 31, 2024.

+| Windows 11 client OS | X² | | | |

+| Windows 10 1803 (RS4) and higher | X² | | | |

+| Windows 10 Enterprise<br>(including multi-session) and Pro<br>(Server scenarios only¹) | X | X | X | X |

+² Using the Azure Monitor agent [client installer (preview)](./azure-monitor-agent-windows-client.md)

+Alert rules and alert processing rules reference other Azure resources. Examples include [Azure VMs](../../site-recovery/azure-to-azure-tutorial-migrate.md), [Azure SQL](/azure/azure-sql/database/move-resources-across-regions), and [Azure Storage](../../storage/common/storage-account-move.md). When you move the resources those rules refer to, the rules are likely to stop working correctly because they can't find the resources they reference.

+* [JavaScript](./javascript.md#enable-correlation)

+## Enable Correlation

+Correlation generates and sends data that enables distributed tracing and powers the [application map](../app/app-map.md), [end-to-end transaction view](../app/app-map.md#go-to-details), and other diagnostic tools.

+In JavaScript correlation is turned off by default in order to minimize the telemetry we send by default. To enable correlation please reference [JavaScript client-side correlation documentation](./javascript.md#enable-correlation).

+### Route tracking

+The Angular Plugin automatically tracks route changes and collects other Angular specific telemetry.

+> [!NOTE]

+> `enableAutoRouteTracking` should be set to `false` if it set to true then when the route changes duplicate PageViews may be sent.

+### PageView

+If a custom `PageView` duration is not provided, `PageView` duration defaults to a value of 0.

+## Enable Correlation

+Correlation generates and sends data that enables distributed tracing and powers the [application map](../app/app-map.md), [end-to-end transaction view](../app/app-map.md#go-to-details), and other diagnostic tools.

+In JavaScript correlation is turned off by default in order to minimize the telemetry we send by default. To enable correlation please reference [JavaScript client-side correlation documentation](./javascript.md#enable-correlation).

+## Enable Correlation

+Correlation generates and sends data that enables distributed tracing and powers the [application map](../app/app-map.md), [end-to-end transaction view](../app/app-map.md#go-to-details), and other diagnostic tools.

+In JavaScript correlation is turned off by default in order to minimize the telemetry we send by default. To enable correlation please reference [JavaScript client-side correlation documentation](./javascript.md#enable-correlation).

+### PageView

+If a custom `PageView` duration is not provided, `PageView` duration defaults to a value of 0.

+## Enable Correlation

+Correlation generates and sends data that enables distributed tracing and powers the [application map](../app/app-map.md), [end-to-end transaction view](../app/app-map.md#go-to-details), and other diagnostic tools.

+In JavaScript correlation is turned off by default in order to minimize the telemetry we send by default. To enable correlation please reference [JavaScript client-side correlation documentation](./javascript.md#enable-correlation).

+### Route tracking

+The React Plugin automatically tracks route changes and collects other React specific telemetry.

+> [!NOTE]

+> `enableAutoRouteTracking` should be set to `false` if it set to true then when the route changes duplicate PageViews may be sent.

+For `react-router v6` or other scenarios where router history is not exposed, you can add `enableAutoRouteTracking: true` to your [setup configuration](#basic-usage).

+### PageView

+If a custom `PageView` duration is not provided, `PageView` duration defaults to a value of 0.

+In JavaScript correlation is turned off by default in order to minimize the telemetry we send by default. The following examples show standard configuration options for enabling correlation.

+The following sample code shows the configurations required to enable correlation:

+# [Snippet](#tab/snippet)

+ instrumentationKey: "YOUR_INSTRUMENTATION_KEY_GOES_HERE"

+ correlationHeaderExcludedDomains: ['*.queue.core.windows.net']

+# [NPM](#tab/npm)

+```javascript

+// excerpt of the config section of the JavaScript SDK snippet with correlation

+// between client-side AJAX and server requests enabled.

+const appInsights = new ApplicationInsights({ config: { // Application Insights Configuration

+ instrumentationKey: 'YOUR_INSTRUMENTATION_KEY_GOES_HERE'

+ connectionString: "Copy connection string from Application Insights Resource Overview"

+ enableCorsCorrelation: true,

+ enableRequestHeaderTracking: true,

+ enableResponseHeaderTracking: true,

+ correlationHeaderExcludedDomains: ['*.queue.core.windows.net']

+ /* ...Other Configuration Options... */

+} });

+```

+> There are two distributed tracing modes/protocols - AI (Classic) and [W3C TraceContext](https://www.w3.org/TR/trace-context/) (New). In version 2.6.0 and later, they are _both_ enabled by default. For older versions, users need to [explicitly opt-in to WC3 mode](../app/correlation.md#enable-w3c-distributed-tracing-support-for-web-apps).

+### Route tracking

+### Single Page Applications

+For Single Page Applications, please reference plugin documentation for plugin specific guidance.

+| Plugins |

+||

+| [React](javascript-react-plugin.md#enable-correlation)|

+| [React Native](javascript-react-native-plugin.md#enable-correlation)|

+| [Angular](javascript-angular-plugin.md#enable-correlation)|

+| [Click Analytics Auto-collection](javascript-click-analytics-plugin.md#enable-correlation)|

+### Advanced Correlation

+When a page is first loading and the SDK has not fully initialized, we are unable to generate the Operation ID for the first request. As a result, distributed tracing is incomplete until the SDK fully initializes.

+To remedy this problem, you can include dynamic JavaScript on the returned HTML page and the SDK will use a callback function during initialization to retroactively pull the Operation ID from the serverside and populate the clientside with it.

+# [Snippet](#tab/snippet)

+Here's a sample of how to create a dynamic JS using Razor:

+```C#

+<script>

+!function(T,l,y){<removed snippet code>,{

+ src: "https://js.monitor.azure.com/scripts/b/ai.2.min.js", // The SDK URL Source

+ onInit: function(appInsights) {

+ var serverId = "@this.Context.GetRequestTelemetry().Context.Operation.Id";

+ appInsights.context.telemetryContext.parentID = serverId;

+ },

+ cfg: { // Application Insights Configuration

+ instrumentationKey: "YOUR_INSTRUMENTATION_KEY_GOES_HERE"

+ }});

+</script>

+```

+# [NPM](#tab/npm)

+```js

+import { ApplicationInsights } from '@microsoft/applicationinsights-web'

+const appInsights = new ApplicationInsights({ config: {

+ instrumentationKey: 'YOUR_INSTRUMENTATION_KEY_GOES_HERE'

+ /* ...Other Configuration Options... */

+} });

+appInsights.context.telemetryContext.parentID = serverId;

+appInsights.loadAppInsights();

+```

+When using a npm based configuration, a location must be determined to store the Operation ID (generally global) to enable access for the SDK initialization bundle to `appInsights.context.telemetryContext.parentID` so it can populate it before the first page view event is sent.

+

+> [!CAUTION]

+>The application UX is not yet optimized to show these "first hop" advanced distributed tracing scenarios. However, the data will be available in the requests table for query and diagnostics.

+## Troubleshooting

+### I am getting an error message of Failed to get Request-Context correlation header as it may be not included in the response or not accessible

+The `correlationHeaderExcludedDomains` configuration property is an exclude list that disables correlation headers for specific domains, this is useful for when including those headers would cause the request to fail or not be sent due to third-party server configuration. This property supports wildcards.

+An example would be `*.queue.core.windows.net`, as seen in the code sample above.

+Adding the application domain to this property should be avoided as it stops the SDK from including the required distributed tracing `Request-Id`, `Request-Context` and `traceparent` headers as part of the request.

+### I'm not sure how to update my third-party server configuration

+The server-side needs to be able to accept connections with those headers present. Depending on the `Access-Control-Allow-Headers` configuration on the server-side it's often necessary to extend the server-side list by manually adding `Request-Id`, `Request-Context` and `traceparent` (W3C distributed header).

+Access-Control-Allow-Headers: `Request-Id`, `traceparent`, `Request-Context`, `<your header>`

+### I am receiving duplicate telemetry data from the Application Insights JavaScript SDK

+If the SDK reports correlation recursively enable the configuration setting of `excludeRequestFromAutoTrackingPatterns` to exclude the duplicate data, this can occur when using connection strings. The syntax for the configuration setting is `excludeRequestFromAutoTrackingPatterns: [<endpointUrl>]`.

+Some categories might be supported only for specific types of resources. See the resource-specific documentation if you feel you're missing a resource. For example, Microsoft.Sql/servers/databases categories aren't available for all types of databases. For more information, see [information on SQL Database diagnostic logging](/azure/azure-sql/database/metrics-diagnostic-telemetry-logging-streaming-export-configure).

+| Azure SQL Database | [Azure SQL Database logging](/azure/azure-sql/database/metrics-diagnostic-telemetry-logging-streaming-export-configure) |

+> Azure SQL Analytics (preview) is an integration with Azure Monitor, where many monitoring solutions are no longer in active development. For more monitoring options, see [Monitoring and performance tuning in Azure SQL Database and Azure SQL Managed Instance](/azure/azure-sql/database/monitor-tune-overview).

+- Enable Azure Diagnostics for your database to [stream diagnostics telemetry to Azure SQL Analytics](/azure/azure-sql/database/metrics-diagnostic-telemetry-logging-streaming-export-configure).

+Azure SQL Database [Intelligent Insights](/azure/azure-sql/database/intelligent-insights-overview) lets you know what is happening with performance of all Azure SQL databases. All Intelligent Insights collected can be visualized and accessed through the Insights perspective.

+Data analysis in Azure SQL Analytics is based on [Log Analytics language](../logs/get-started-queries.md) for your custom querying and reporting. Find description of the available data collected from database resource for custom querying in [metrics and logs available](/azure/azure-sql/database/metrics-diagnostic-telemetry-logging-streaming-export-configure#metrics-and-logs-available).

+> - **Low service tiers**: Metrics cannot be gathered for databases on Basic, S0, S1, and S2 [service tiers](/azure/azure-sql/database/resource-limits-dtu-single-databases)

+> - **Serverless tier**: Metrics can be gathered for databases using the [serverless compute tier](/azure/azure-sql/database/serverless-tier-overview). However, the process of gathering metrics will reset the auto-pause delay timer, preventing the database from entering an auto-paused state.

+Connect to an Azure SQL database with [SQL Server Management Studio](/azure/azure-sql/database/connect-query-ssms), [Query Editor (preview)](/azure/azure-sql/database/connect-query-portal) in the Azure portal, or any other SQL client tool.

+Connect to your Azure SQL Managed Instance using [SQL Server Management Studio](/azure/azure-sql/database/connect-query-ssms) or a similar tool, and execute the following script to create the monitoring user with the permissions needed. Replace *user* with a username and *mystrongpassword* with a strong password.

+Connect to SQL Server on your Azure virtual machine and use [SQL Server Management Studio](/azure/azure-sql/database/connect-query-ssms) or a similar tool to run the following script to create the monitoring user with the permissions needed. Replace *user* with a username and *mystrongpassword* with a strong password.

+For access via the public endpoint, you would add a rule under the **Firewall settings** page and the [IP firewall settings](/azure/azure-sql/database/network-access-controls-overview#ip-firewall-rules) section. For specifying access from a virtual network, you can set [virtual network firewall rules](/azure/azure-sql/database/network-access-controls-overview#virtual-network-firewall-rules) and set the [service tags required by the Azure Monitor agent](../agents/azure-monitor-agent-overview.md#networking). [This article](/azure/azure-sql/database/network-access-controls-overview#ip-vs-virtual-network-firewall-rules) describes the differences between these two types of firewall rules.

+If your monitoring virtual machine will be in the same VNet as your SQL MI resources, then see [Connect inside the same VNet](/azure/azure-sql/managed-instance/connect-application-instance#connect-inside-the-same-vnet). If your monitoring virtual machine will be in the different VNet than your SQL MI resources, then see [Connect inside a different VNet](/azure/azure-sql/managed-instance/connect-application-instance#connect-inside-a-different-vnet).

+If your monitoring virtual machine is in the same VNet as your SQL virtual machine resources, then see [Connect to SQL Server within a virtual network](/azure/azure-sql/virtual-machines/windows/ways-to-connect-to-sql#connect-to-sql-server-within-a-virtual-network). If your monitoring virtual machine will be in the different VNet than your SQL virtual machine resources, then see [Connect to SQL Server over the internet](/azure/azure-sql/virtual-machines/windows/ways-to-connect-to-sql#connect-to-sql-server-over-the-internet).

+TCP connections from the monitoring machine to the IP address and port used by the database must be allowed by any firewalls or [network security groups](../../virtual-network/network-security-groups-overview.md) (NSGs) that may exist on the network path. For details on IP addresses and ports, see [Azure SQL Database connectivity architecture](/azure/azure-sql/database/connectivity-architecture).

+TCP connections from the monitoring machine to the IP address and port used by the managed instance must be allowed by any firewalls or [network security groups](../../virtual-network/network-security-groups-overview.md) (NSGs) that may exist on the network path. For details on IP addresses and ports, see [Azure SQL Managed Instance connection types](/azure/azure-sql/managed-instance/connection-types-overview).

+Get the details from the **Connection strings** menu item for the managed instance. If using managed instance [public endpoint](/azure/azure-sql/managed-instance/public-endpoint-configure), replace port 1433 with 3342.

+SQL Insights (preview) is a comprehensive solution for monitoring any product in the [Azure SQL family](/azure/azure-sql/index). SQL Insights uses [dynamic management views](/azure/azure-sql/database/monitoring-with-dmvs) to expose the data that you need to monitor health, diagnose problems, and tune performance.

+The following diagram details the steps taken by information from the database engine and Azure resource logs, and how they can be surfaced. For a more detailed diagram of Azure SQL logging, see [Monitoring and diagnostic telemetry](/azure/azure-sql/database/monitor-tune-overview.md#monitoring-and-diagnostic-telemetry).

+- SQL Server on Azure Virtual Machines (SQL Server running on virtual machines registered with the [SQL virtual machine](/azure/azure-sql/virtual-machines/windows/sql-agent-extension-manually-register-single-vm) provider)

+- Azure VMs (SQL Server running on virtual machines not registered with the [SQL virtual machine](/azure/azure-sql/virtual-machines/windows/sql-agent-extension-manually-register-single-vm) provider)

+- **Azure SQL Database low service tiers**: Metrics can't be gathered for databases on Basic, S0, S1, and S2 [service tiers](/azure/azure-sql/database/resource-limits-dtu-single-databases).

+- **Authentication with Azure Active Directory**: The only supported method of [authentication](/azure/azure-sql/database/logins-create-manage#authentication-and-authorization) for monitoring is SQL authentication. For SQL Server on Azure Virtual Machines, authentication through Active Directory on a custom domain controller is not supported.

+- [Monitoring and performance tuning in Azure SQL Database and Azure SQL Managed Instance](/azure/azure-sql/database/monitor-tune-overview)

+ | parse RawData with

+- [Learn more about writing transformation queries](../essentials/data-collection-rule-transformations.md)

+ | [Azure SQL Managed Instance](/azure/azure-sql/database/monitoring-tuning-index) | Microsoft.Sql/managedInstances | [**Yes**](./essentials/metrics-supported.md#microsoftsqlmanagedinstances) | [**Yes**](./essentials/resource-logs-categories.md#microsoftsqlmanagedinstances) | [Azure SQL Insights (preview)](./insights/sql-insights-overview.md) | |

+ | [Azure SQL Database](/azure/azure-sql/database/index) | Microsoft.Sql/servers/databases | [**Yes**](./essentials/metrics-supported.md#microsoftsqlserversdatabases) | No | [Azure SQL Insights (preview)](./insights/sql-insights-overview.md) | |

+ | [Azure SQL Database](/azure/azure-sql/database/index) | Microsoft.Sql/servers/elasticpools | [**Yes**](./essentials/metrics-supported.md#microsoftsqlserverselasticpools) | No | [Azure SQL Insights (preview)](./insights/sql-insights-overview.md) | |

+| Microsoft.Sql | [Azure SQL Database](/azure/azure-sql/database/index)<br /> [Azure SQL Managed Instance](/azure/azure-sql/managed-instance/index) <br />[Azure Synapse Analytics](/azure/sql-data-warehouse/) |

+| Microsoft.SqlVirtualMachine | [SQL Server on Azure Virtual Machines](/azure/azure-sql/virtual-machines/windows/sql-server-on-azure-vm-iaas-what-is-overview) |

+For SQL Database limits, see [SQL Database resource limits for single databases](/azure/azure-sql/database/resource-limits-vcore-single-databases), [SQL Database resource limits for elastic pools and pooled databases](/azure/azure-sql/database/resource-limits-vcore-elastic-pools), and [SQL Database resource limits for SQL Managed Instance](/azure/azure-sql/managed-instance/resource-limits).

+> | managedinstances | No | No | Yes <br/><br/> [Learn more](/azure/azure-sql/database/move-resources-across-regions) about moving managed instances across regions. |

+> | servers / databases | Yes | Yes | Yes <br/><br/> [Learn more](/azure/azure-sql/database/move-resources-across-regions) about moving databases across regions.<br/><br/> [Learn more](../../resource-mover/tutorial-move-region-sql.md) about using Azure Resource Mover to move Azure SQL databases. |

+> | servers / elasticpools | Yes | Yes | Yes <br/><br/> [Learn more](/azure/azure-sql/database/move-resources-across-regions) about moving elastic pools across regions.<br/><br/> [Learn more](../../resource-mover/tutorial-move-region-sql.md) about using Azure Resource Mover to move Azure SQL elastic pools. |

+## Microsoft.LabServices

+> [!div class="mx-tableFixed"]

+> | Entity | Scope | Length | Valid Characters |

+> | | | | |

+> | labplans | resource group | 1-100 | Alphanumerics, hyphens, periods, and underscores.<br><br>Start with letter and end with alphanumeric. |

+> | labs | resource group | 1-100 | Alphanumerics, hyphens, periods, and underscores.<br><br>Start with letter and end with alphanumeric. |

+In this tutorial, you create a template to deploy a [logical SQL server](/azure/azure-sql/database/logical-servers) and a single database and import a BACPAC file. For information about how to deploy Azure virtual machine extensions by using ARM templates, see [Tutorial: Deploy virtual machine extensions with ARM templates](./template-tutorial-deploy-vm-extensions.md).

+A BACPAC file is shared in [GitHub](https://github.com/Azure/azure-docs-json-samples/raw/master/tutorial-sql-extension/SQLDatabaseExtension.bacpac). To create your own, see [Export a database from Azure SQL Database to a BACPAC file](/azure/azure-sql/database/database-export). If you choose to publish the file to your own location, you must update the template later in the tutorial.

+To access the server from your client computer, you need to add a firewall rule. Your client's IP address and the IP address that's used to connect to the server might be different because of network address translation (NAT). For more information, see [Create and manage IP firewall rules](/azure/azure-sql/database/firewall-configure#create-and-manage-ip-firewall-rules).

+ - An instance of SQL Server running on-premises, or an instance of SQL Server running in an Azure virtual machine. For more information, see [SQL Server on Azure Virtual Machines overview](/azure/azure-sql/virtual-machines/index). SQL Server instances must be using a version later than SQL Server 2016.

+Azure SQL Edge is built on the latest versions of the [SQL Server Database Engine](/sql/sql-server/sql-server-technical-documentation), which provides industry-leading performance, security and query processing capabilities. Since Azure SQL Edge is built on the same engine as [SQL Server](/sql/sql-server/sql-server-technical-documentation) and [Azure SQL](/azure/azure-sql/index), it provides the same Transact-SQL (T-SQL) programming surface area that makes development of applications or solutions easier and faster, and makes application portability between IoT Edge devices, data centers and the cloud straight forward.

+Authorization refers to the permissions assigned to a user within a database in Azure SQL Edge, and determines what the user is allowed to do. Permissions are controlled by adding user accounts to [database roles](/sql/relational-databases/security/authentication-access/database-level-roles) and assigning database-level permissions to those roles or by granting the user certain [object-level permissions](/sql/relational-databases/security/permissions-database-engine). For more information, see [Logins and users](/azure/azure-sql/database/logins-create-manage).

+In this tutorial, you'll learn how to use an Azure SQL Data Sync *sync group* to incrementally sync data from Azure SQL Edge to Azure SQL Database. SQL Data Sync is a service built on Azure SQL Database that lets you synchronize the data you select bi-directionally across multiple databases in Azure SQL Database and SQL Server instances. For more information on SQL Data Sync, see [Azure SQL Data Sync](/azure/azure-sql/database/sql-data-sync-data-sql-server-sql-database).

+This tutorial requires a Windows computer configured with the [Data Sync Agent for Azure SQL Data Sync](/azure/azure-sql/database/sql-data-sync-agent-overview).

+* Create a database in Azure SQL Database. For information on how to create a database by using the Azure portal, see [Create a single database in Azure SQL Database](/azure/azure-sql/database/single-database-create-quickstart?tabs=azure-portal).

+* Register the Azure SQL Edge instance with the Data Sync Agent for Azure SQL Data Sync. For more information, see [Add a SQL Server database](/azure/azure-sql/database/sql-data-sync-sql-server-configure#add-on-prem).

+1. Use the Azure portal to create a sync group. For more information, see [Create a sync group](/azure/azure-sql/database/sql-data-sync-sql-server-configure#create-sync-group). You can use a single *hub* database to create multiple sync groups to synchronize data from various SQL Edge instances to one or more databases in Azure SQL Database.

+2. Add sync members to the sync group. For more information, see [Add sync members](/azure/azure-sql/database/sql-data-sync-sql-server-configure#add-sync-members).

+3. Set up the sync group to select the tables that will be part of the synchronization. For more information, see [Configure a sync group](/azure/azure-sql/database/sql-data-sync-sql-server-configure#add-sync-members).

+* [Data Sync Agent for Azure SQL Data Sync](/azure/azure-sql/database/sql-data-sync-agent-overview)

+* [Best practices](/azure/azure-sql/database/sql-data-sync-best-practices) and [How to troubleshoot issues with Azure SQL Data Sync](/azure/azure-sql/database/sql-data-sync-troubleshoot)

+* [Monitor SQL Data Sync with Azure Monitor logs](/azure/azure-sql/database/monitor-tune-overview)

+* [Update the sync schema with Transact-SQL](/azure/azure-sql/database/sql-data-sync-update-sync-schema) or [PowerShell](/azure/azure-sql/database/scripts/update-sync-schema-in-sync-group)

+* [Use PowerShell to sync between Azure SQL Database and Azure SQL Edge](/azure/azure-sql/database/scripts/sql-data-sync-sync-data-between-azure-onprem). In this tutorial, replace the `OnPremiseServer` database details with the Azure SQL Edge details.

+An important aspect of the classification is the ability to monitor access to sensitive data. [Azure SQL Auditing](/azure/azure-sql/database/auditing-overview) has been enhanced to include a new field in the audit log called `data_sensitivity_information`. This field logs the sensitivity classifications (labels) of the data that was returned by a query. Here's an example:

+- Consider configuring [Azure SQL Auditing](/azure/azure-sql/database/auditing-overview) for monitoring and auditing access to your classified sensitive data.

+If auditing is required to access your database, you need to enable Auditing after the database recovery. For more information, see [Database auditing](/azure/azure-sql/database/auditing-overview).

+ - We recommend that you move to [Blob Auditing](/azure/azure-sql/database/auditing-overview).

+- DNS alias is subject to [naming restrictions](/azure/azure-resource-manager/management/resource-name-rules).

+> You can use [Database Auditing](/azure/azure-sql/database/auditing-overview) to audit server-level and database-level firewall changes.

+In Azure SQL Database and Azure Synapse Analytics, a server is a logical construct that acts as a central administrative point for a collection of databases. At the server level, you can administer [logins](logins-create-manage.md), [firewall rules](firewall-configure.md), [auditing rules](/azure/azure-sql/database/auditing-overview), [threat detection policies](threat-detection-configure.md), and [auto-failover groups](auto-failover-group-overview.md). A server can be in a different region than its resource group. The server must exist before you can create a database in Azure SQL Database or a data warehouse database in Azure Synapse Analytics. All databases managed by a single server are created within the same region as the server.

+* In Azure SQL Managed Instance, the gateway nodes are hosted [within the virtual cluster](/azure/azure-sql/managed-instance/connectivity-architecture-overview#virtual-cluster-connectivity-architecture) and have the same maintenance window as the managed instance, but using the redirect connection policy is still recommended to minimize number of disruptions during the maintenance event.

+For more on the client connection policy in Azure SQL Managed Instance, see [Azure SQL Managed Instance connection types](/azure/azure-sql/managed-instance/connection-types-overview).

+- Monitoring activity ([Auditing](/azure/azure-sql/database/auditing-overview) and [threat detection](threat-detection-configure.md)).

+[Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/) offers centralized security management across workloads running in Azure, on-premises, and in other clouds. You can view whether essential SQL Database protection such as [Auditing](/azure/azure-sql/database/auditing-overview) and [Transparent Data Encryption [TDE]](/sql/relational-databases/security/encryption/transparent-data-encryption-azure-sql) are configured on all resources, and create policies based on your own requirements.

+With SQL Database, you can turn ON Auditing to track database events. [SQL Database Auditing](/azure/azure-sql/database/auditing-overview) records database events and writes them into an audit log file in your Azure Storage Account. Auditing is especially useful if you intend to gain insight into potential security and policy violations, maintain regulatory compliance etc. It allows you to define and configure certain categories of events that you think need auditing and based on that you can get preconfigured reports and a dashboard to get an overview of events occurring on your database. You can apply these auditing policies either at the database level or at the server level. A guide on how to turn on auditing for your server/database, see: [Enable SQL Database Auditing](secure-database-tutorial.md#enable-security-features).

+ - Auditing is configured on the target server. For more information, see [Get started with SQL Database auditing](/azure/azure-sql/database/auditing-overview).

+ - Audit configuration is configured at the target server. For more information, see [SQL Database auditing](/azure/azure-sql/database/auditing-overview).

+|Max data size (GB)|512|756|1536|2048|2048|2048|2048|

+|Max data size (GB)|1024|1536|2048|2048|3072|3072|

+|Max data size (GB)|512|1024|1024|1024|2048|

+|Max data size (GB)|2048|3072|3072|3072|

+|Max data size (GB)|1024|1024|1536|2048|2048|3072|3072|

+|Max data size (GB)|1024|1024|1536|2048|2048|3072|3072|

+Additional SQL Database CLI script samples can be found in the [Azure SQL Database documentation](/azure/azure-sql/database/az-cli-script-samples-content-guide).

+Additional SQL Database CLI script samples can be found in the [Azure SQL Database documentation](/azure/azure-sql/database/az-cli-script-samples-content-guide).

+Additional SQL Database CLI script samples can be found in the [Azure SQL Database documentation](/azure/azure-sql/database/az-cli-script-samples-content-guide).

+Additional SQL Database CLI script samples can be found in the [Azure SQL Database documentation](/azure/azure-sql/database/az-cli-script-samples-content-guide).

+Azure SQL Database provides security features that are accessed using the Azure portal. These features are available for both the database and server, except for data masking, which is only available on the database. To learn more, see [Microsoft Defender for SQL](azure-defender-for-sql.md), [Auditing](/azure/azure-sql/database/auditing-overview), [Dynamic data masking](dynamic-data-masking-overview.md), and [Transparent data encryption](transparent-data-encryption-tde-overview.md).

+> See [SQL Database auditing](/azure/azure-sql/database/auditing-overview) on how to further customize audit events using PowerShell or REST API.

+- For a full investigation experience, it's recommended to enableΓÇ»[SQL Database Auditing](/azure/azure-sql/database/auditing-overview). With auditing, you can track database events and write them to an audit log in an Azure Storage account or Azure Log Analytics workspace.

+- EnableΓÇ»[SQL Database Auditing](/azure/azure-sql/database/auditing-overview) or [Managed Instance Auditing](../managed-instance/auditing-configure.md) to track database events and write them to an audit log in your Azure Storage account, Log Analytics workspace (preview), or Event Hubs (preview).

+- By configuring [SQL Database Auditing](/azure/azure-sql/database/auditing-overview) on your server or [Managed Instance Auditing](../managed-instance/auditing-configure.md) to audit events, all existing and newly created databases on that server will be audited.

+- [SQL Database Auditing](/azure/azure-sql/database/auditing-overview)

+ - In your [SQL Database Audit](/azure/azure-sql/database/auditing-overview) log, you can track access specifically to sensitive data. You can also view information such as the data that was accessed, as well as its sensitivity label. For more information, see [Data Discovery and Classification](data-discovery-and-classification-overview.md) and [Auditing access to sensitive data](data-discovery-and-classification-overview.md#audit-sensitive-data).

+SQL Database and SQL Managed Instance auditing tracks database activities and helps maintain compliance with security standards by recording database events to an audit log in a customer-owned Azure storage account. Auditing allows users to monitor ongoing database activities, as well as analyze and investigate historical activity to identify potential threats or suspected abuse and security violations. For more information, see Get started with [SQL Database Auditing](/azure/azure-sql/database/auditing-overview).

+- For a discussion of database auditing, see [auditing](/azure/azure-sql/database/auditing-overview).

+[Auditing](/azure/azure-sql/database/auditing-overview) tracks database events and writes them to an audit log in your Azure storage account. Auditing can help you maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that might indicate business concerns or suspected security violations.

+For a full investigation experience, it is recommended to enable auditing, which writes database events to an audit log in your Azure storage account. To enable auditing, see [Auditing for Azure SQL Database and Azure Synapse](/azure/azure-sql/database/auditing-overview) or [Auditing for Azure SQL Managed Instance](../managed-instance/auditing-configure.md).

+- Learn more about [Azure SQL Database auditing](/azure/azure-sql/database/auditing-overview)

+- Try to [update statistics](/sql/t-sql/statements/update-statistics-transact-sql) or [rebuild indexes](/sql/relational-databases/indexes/reorganize-and-rebuild-indexes) to get the better plan. Enable [automatic plan correction](/azure/azure-sql/database/automatic-tuning-overview) in Azure SQL Database or Azure SQL Managed Instance to automatically mitigate these problems.

+- Force the plan by explicitly using the [USE PLAN](/sql/t-sql/queries/hints-transact-sql-query) query hint by rewriting the query and adding the hint in the query text. Or set a specific plan by using Query Store or by enabling [automatic tuning](/azure/azure-sql/database/automatic-tuning-overview).

+- For a full list of audit log consumption methods, refer to [Get started with Azure SQL Database auditing](/azure/azure-sql/database/auditing-overview).

+- For a full list of audit log consumption methods, refer to [Get started with Azure SQL Database auditing](/azure/azure-sql/database/auditing-overview).

+|[Endpoint policies](/azure/azure-sql/managed-instance/service-endpoint-policies-configure) | Configure which Azure Storage accounts can be accessed from a SQL Managed Instance subnet. Grants an extra layer of protection against inadvertent or malicious data exfiltration.|

+|**Endpoint policies preview** | It's now possible to configure an endpoint policy to restrict access from a SQL Managed Instance subnet to an Azure Storage account. This grants an extra layer of protection against inadvertent or malicious data exfiltration. See [Endpoint policies](/azure/azure-sql/managed-instance/service-endpoint-policies-configure) to learn more. |

+| **Service Tier** | Select one of the options. | Based on your scenario, select one of the following options: </br> <ul><li>**General Purpose**: for most production workloads, and the default option.</li><li>**Business Critical**: designed for low-latency workloads with high resiliency to failures and fast failovers.</li></ul><BR>For more information, review [service tiers](service-tiers-managed-instance-vcore.md) and [resource limits](/azure/azure-sql/managed-instance/resource-limits).|

+| **Storage in GB** | Select an option. | Storage size in GB, select based on expected data size. If migrating existing data from on-premises or on various cloud platforms, see [Migration overview: SQL Server to SQL Managed Instance](/azure/azure-sql/migration-guides/managed-instance/sql-server-to-managed-instance-overview).|

+| **Azure Hybrid Benefit** | Check option if applicable. | For leveraging an existing license for Azure. For more information, see [Azure Hybrid Benefit - Azure SQL Database & SQL Managed Instance](/azure/azure-sql/azure-hybrid-benefit). |

+It is worth noting the differences between SQL Agent available in SQL Server and as part of SQL Managed Instance. For more on the supported feature differences between SQL Server and SQL Managed Instance, see [Azure SQL Managed Instance T-SQL differences from SQL Server](/azure/azure-sql/managed-instance/transact-sql-tsql-differences-sql-server#sql-server-agent).

+[Transactional replication](../managed-instance/replication-transactional-overview.md) can replicate the changes from your tables into other databases in SQL Managed Instance, Azure SQL Database, or SQL Server. For information, see [Configure replication in Azure SQL Managed Instance](/azure/azure-sql/managed-instance/replication-between-two-instances-configure-tutorial).

+- [Azure SQL Managed Instance T-SQL differences from SQL Server](/azure/azure-sql/managed-instance/transact-sql-tsql-differences-sql-server#sql-server-agent)

+- [Features comparison: Azure SQL Database and Azure SQL Managed Instance](/azure/azure-sql/database/features-comparison)

+This Azure CLI script example creates an Azure SQL Managed Instance in a dedicated subnet within a new virtual network. It also configures a route table and a network security group for the virtual network. Once the script has been successfully run, the managed instance can be accessed from within the virtual network or from an on-premises environment. See [Configure Azure VM to connect to an Azure SQL Managed Instance](/azure/azure-sql/managed-instance/connect-vm-instance-configure) and [Configure a point-to-site connection to an Azure SQL Managed Instance from on-premises](/azure/azure-sql/managed-instance/point-to-site-p2s-configure).

+> For limitations, see [supported regions](/azure/azure-sql/managed-instance/resource-limits#supported-regions) and [supported subscription types](/azure/azure-sql/managed-instance/resource-limits#supported-subscription-types).

+Additional SQL Database CLI script samples can be found in the [Azure SQL Database documentation](/azure/azure-sql/database/az-cli-script-samples-content-guide).

+Additional SQL Database CLI script samples can be found in the [Azure SQL Database documentation](/azure/azure-sql/database/az-cli-script-samples-content-guide).

+This Azure CLI script example configures Transparent Data Encryption (TDE) with customer-managed key for Azure SQL Managed Instance, using a key from Azure Key Vault. This is often referred to as a Bring Your Own Key scenario for TDE. To learn more about the TDE with customer-managed key, see [TDE Bring Your Own Key to Azure SQL](/azure/azure-sql/database/transparent-data-encryption-byok-overview).

+Additional SQL Database CLI script samples can be found in the [Azure SQL Database documentation](/azure/azure-sql/database/az-cli-script-samples-content-guide).

+[Azure SQL Analytics](/azure/azure-sql/database/monitor-tune-overview) allows you to monitor a large set of managed instances in a centralized manner.

+4. Set up scheduled jobs and alerts that back up on-premises data in a virtual machine disk in Azure. For more information, see [SQL Server Backup and Restore with Azure Blob Storage](/sql/relational-databases/backup-restore/sql-server-backup-and-restore-with-microsoft-azure-blob-storage-service) and [Backup and Restore for SQL Server on Azure Virtual Machines](/azure/azure-sql/virtual-machines/windows/backup-restore).

+| **Backup and restore with Azure Blob storage** |Production databases backed up directly to Blob storage in a different datacenter for disaster recovery.<br/><br/>For more information, see [Backup and restore for SQL Server on Azure VMs](/azure/azure-sql/virtual-machines/windows/backup-restore). |

+| **Backup and restore with Azure Blob storage** |On-premises production databases backed up directly to Azure Blob storage for disaster recovery.<br/><br/>For more information, see [Backup and restore for SQL Server on Azure Virtual Machines](/azure/azure-sql/virtual-machines/windows/backup-restore). |

+| [Convert on-premises machine to Hyper-V VHDs, upload to Azure Blob storage, and then deploy a new virtual machine using uploaded VHD](#convert-to-a-vm-upload-to-a-url-and-deploy-as-a-new-vm) |SQL Server 2005 or greater |SQL Server 2005 or greater |[Azure VM storage limit](../../../index.yml) |Use when [bringing your own SQL Server license](/azure/azure-sql/azure-sql-iaas-vs-paas-what-is-overview), when migrating a database that you'll run on an older version of SQL Server, or when migrating system and user databases together as part of the migration of database dependent on other user databases and/or system databases. |

+For a full walkthrough of how to create a SQL Server VM in the Azure portal, see [the provisioning tutorial](/azure/azure-sql/virtual-machines/windows/create-sql-vm-portal).

+**Restore special VMs such as SQL VMs** | If you're backing up a SQL VM using Azure VM backup and then use the restore VM option or create a VM after restoring disks, then the newly created VM must be registered with the SQL provider as mentioned [here](/azure/azure-sql/virtual-machines/windows/sql-agent-extension-manually-register-single-vm?tabs=azure-cli%2cbash). This will convert the restored VM into a SQL VM.

+>Protection of [SQL Server failover cluster instance with Storage Spaces Direct on Azure](/azure/azure-sql/virtual-machines/windows/failover-cluster-instance-storage-spaces-direct-manually-configure) and [SQL Server failover cluster instance with Azure shared disks](/azure/azure-sql/virtual-machines/windows/failover-cluster-instance-azure-shared-disks-manually-configure) is supported with this feature. The DPM server must be deployed in the Azure Virtual Machine to protect SQL FCI instance deployed on Azure VMs.

+1. Make sure you have a SQL Server instance running in Azure. You can [quickly create a SQL Server instance](/azure/azure-sql/virtual-machines/windows/sql-vm-create-portal-quickstart) in the marketplace.

+For more information about Azure Backup for SQL Server VMs (public preview), see [Azure Backup for SQL VMs](/azure/azure-sql/virtual-machines/windows/backup-restore#azbackup).

+* For SQL Database sources, read [Overview: Cloud business continuity and database disaster recovery with SQL Database](/azure/azure-sql/database/business-continuity-high-availability-disaster-recover-hadr-overview) to check on the options that are available based on the chosen replication model for your application.

+| 🆕Faroese | `fo` |✔|||||

+| 🆕Somali | `so` |✔|||✔||

+| 🆕Zulu | `zu` |✔|||||

+Question answering comprises of two capabilities:

+* Custom question answering: Using this capability users can customize different aspects like edit question and answer pairs extracted from the content source, define synonyms and metadata, accept question suggestions etc.

+* Prebuilt question answering: This capability allows users to get a response by querying a text passage without having the need to manage knowledgebases.

+> [!NOTE]

+> QnA pairs are not extracted in the "Edit sources" tab for unstructured sources.

+* [Tutorial: Create an FAQ bot](../tutorials/bot-service.md)

+> [!WARNING]

+> Note that it is not possible to create a resource group at the same time as a resource for Azure Communication Services. When creating a resource, a resource group that has been created already, must be used.

+* [Azure SQL Database](/azure/azure-sql/database/sql-database-paas-overview)

+* [Azure SQL Managed Instance](/azure/azure-sql/managed-instance/sql-managed-instance-paas-overview)

+* [SQL Server database](/sql/relational-databases/databases/create-a-database), [Azure SQL Database](/azure/azure-sql/database/single-database-create-quickstart), or [SQL Managed Instance](/azure/azure-sql/managed-instance/instance-create-quickstart).

+To access a SQL Managed Instance without using the on-premises data gateway or integration service environment, you have to [set up the public endpoint on the SQL Managed Instance](/azure/azure-sql/managed-instance/public-endpoint-configure). The public endpoint uses port 3342, so make sure that you specify this port number when you create the connection from your logic app.

+ | [**Azure AD Integrated**](/azure/azure-sql/database/authentication-aad-overview) | - Available only for the managed SQL Server connector and ISE SQL Server connector. <br><br>- Requires a valid managed identity in Azure Active Directory (Azure AD) that's [enabled on your logic app resource](../logic-apps/create-managed-service-identity.md) and has access to your database. For more information, see these topics: <br><br>- [Azure SQL Security Overview - Authentication](/azure/azure-sql/database/security-overview#authentication) <br>- [Authorize database access to Azure SQL - Authentication and authorization](/azure/azure-sql/database/logins-create-manage#authentication-and-authorization) <br>- [Azure SQL - Azure AD Integrated authentication](/azure/azure-sql/database/authentication-aad-overview) |

+ | [**SQL Server Authentication**](/sql/relational-databases/security/choose-an-authentication-mode#connecting-through-sql-server-authentication) | - Available only for the managed SQL Server connector and ISE SQL Server connector. <br><br>- Requires the following items: <br><br> A data gateway resource that's previously created in Azure for your connection, regardless whether your logic app is in multi-tenant Azure Logic Apps or an ISE. <br><br> A valid user name and strong password that are created and stored in your SQL Server database. For more information, see the following topics: <br><br>- [Azure SQL Security Overview - Authentication](/azure/azure-sql/database/security-overview#authentication) <br>- [Authorize database access to Azure SQL - Authentication and authorization](/azure/azure-sql/database/logins-create-manage#authentication-and-authorization) |

+ > For this task, you can use the [Azure Elastic Job Agent](/azure/azure-sql/database/elastic-jobs-overview)

+ > for [Azure SQL Database](/azure/azure-sql/database/sql-database-paas-overview). For

+ > and [SQL Managed Instance](/azure/azure-sql/managed-instance/sql-managed-instance-paas-overview),

+* The [Azure Container Registry](../container-registry/container-registry-vnet.md) must have [Public Access set to 'All Networks'](../container-registry/container-registry-access-selected-networks.md). To use an Azure container registry with Public Access set to 'Select Networks' or 'None', visit [ACI's article for using Managed-Identity based authentication with ACR](/using-azure-container-registry-mi.md).

+* Container groups running in Azure Virtual Networks don't support managed identity authentication image pulls with ACR.

+* The Azure container registry must have [Public Access set to either 'Select networks' or 'None'](../container-registry/container-registry-access-selected-networks.md). To set the Azure container registry's Public Access to 'All networks', visit ACI's article on [how to authenticate with ACR with service principal based authentication](container-instances-using-azure-container-registry.md).

+[cloud-shell-bash]: https://shell.azure.com/bash

+* <a id="max-connection"></a> **Use a singleton Azure Cosmos DB client for the lifetime of your application**

+* <a id="override-default-consistency-javav4"></a> **Use the lowest consistency level required for your application**

+<a id="direct-connection"></a>

+<a id="java4-noscheduler"></a>

+<a id="java4-scheduler"></a>

+## <a id="java4-indexing"></a><a id="indexing-policy"></a> Indexing policy

+> [!IMPORTANT]

+> This is *not* the latest Java Bulk Executor for Azure Cosmos DB! Consider using [Azure Cosmos DB Java SDK v4](bulk-executor-java.md) for performing bulk operations. To upgrade, follow the instructions in the [Migrate to Azure Cosmos DB Java SDK v4](migrate-java-v4-sdk.md) guide and the [Reactor vs RxJava](https://github.com/Azure-Samples/azure-cosmos-java-sql-api-samples/blob/main/reactor-rxjava-guide.md) guide.

+>

+> [!IMPORTANT]

+> On February 29, 2024 the Azure Cosmos DB Sync Java SDK v2.x

+> will be retired; the SDK and all applications using the SDK including Bulk Executor

+> **will continue to function**; Azure Cosmos DB will simply cease

+> to provide further maintenance and support for this SDK.

+> We recommend following the instructions above to migrate to

+> Azure Cosmos DB Java SDK v4.

+>

+ ```azurecli

+ ```azurecli

+### Export runs twice a day for the first five days of the month

+If you've created a daily export, you'll have two runs per day for the first five days of each month. One run executes and creates a file with the current monthΓÇÖs cost data. It's the run that's available for you to see in the run history. A second run also executes to create a file with all the costs from the prior month. The second run isn't currently visible in the run history. Azure executes the second run to ensure that your latest file for the past month contains all charges exactly as seen on your invoice. It runs because there are cases where latent usage and charges are included in the invoice up to 72 hours after the calendar month has closed. To learn more about Cost Management usage data updates, see [Cost and usage data updates and retention](understand-cost-mgt-data.md#cost-and-usage-data-updates-and-retention).

+If you receive the following error when making your API call, then you may be incorrectly using the SPN object ID value located in App Registrations. To resolve this error, ensure you're using the SPN object ID from Enterprise Applications, not App Registrations.

+`The provided principal Tenant Id = xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx and principal Object Id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx are not valid`

+ Title: Transfer Azure product billing ownership to a Microsoft Customer Agreement

+description: Learn how to transfer billing ownership of Azure subscriptions and reservations.

+# Transfer Azure product billing ownership for a Microsoft Customer Agreement

+Transfer billing ownership for your Azure products (subscriptions and reservations) to a Microsoft Customer Agreement when:

+- You want to move billing responsibilities for a product to a different billing owner.

+- You want to transfer your Azure products from one licensing agreement to another. For example, from an Enterprise Agreement or a Microsoft Online Subscription Agreement (MOSA) to a Microsoft Customer Agreement.

+- You want to transfer reservation ownership.

+The transition moves only the billing responsibility for your Azure products ΓÇô the Azure resources tied to your products don't move, so the transition won't interrupt your Azure services.

+This process contains the following primary tasks, which weΓÇÖll guide you through step by step:

+2. Review and approve the transfer request

+There are three options to transfer products:

+- Transfer only subscriptions

+- Transfer only reservations

+- Transfer both subscriptions and reservations

+Before you transfer billing products, read [Supplemental information about transfers](subscription-transfer.md#supplemental-information-about-transfers).

+## Prerequisites

+Before you begin, make sure that the people involved in the product transfer have the required permissions.

+You can also go along with the following video that outlines each step of the process for subscription transfer. However, it doesn't cover reservation transfer.

+### Required permission for the transfer requestor

+For both subscriptions and reservations, the product transfer requestor must have one of the following permissions:

+For a Microsoft Customer Agreement, the person must have an owner or contributor role for the billing account or for the relevant billing profile or invoice section. For more information, see [Billing roles and tasks](understand-mca-roles.md#invoice-section-roles-and-tasks).

+### Required permission for the subscription transfer recipient

+The subscription product owner (transfer request recipient) must have one of the following permissions:

+- For a Microsoft Customer Agreement, the person must have an owner or contributor role for the billing account or for the relevant billing profile or invoice section. For more information, see [Billing roles and tasks](understand-mca-roles.md#invoice-section-roles-and-tasks).

+- For an Enterprise Agreement, the person must be an account owner or EA administrator.

+- For a Microsoft Online Subscription Agreement, the person must be an Account Administrator.

+### Required permission for the reservation transfer recipient

+The reservation product owner (transfer request recipient) must have one of the following permissions:

+- For a Microsoft Customer Agreement, the person must have an owner or contributor role for the billing account or for the relevant billing profile or invoice section. For more information, see [Billing roles and tasks](understand-mca-roles.md#invoice-section-roles-and-tasks).

+- For an Enterprise Agreement, the person must be an EA administrator.

+- For a Microsoft Online Subscription Agreement, the person must be an Account Administrator.

+## Create the product transfer request

+The person creating the transfer request uses the following procedure to create the transfer request. The transfer request essentially asks the owner of the product to allow subscriptions and or reservations associated with a subscription to be transferred.

+When the request is created, an email is sent to the target recipient.

+1. On the billing scopes page, select **Billing scopes** and then select the billing account, which would be used to pay for Azure usage in your products. Select the billing account labeled **Microsoft Customer Agreement**.

+1. Select **Billing profiles** from the left-hand side and then select a **Billing profile** from the list. Once you take over the ownership of the products, their usage will be billed to this billing profile.

+ *If you don't see Billing profiles, you aren't in the right billing scope.* You need to select a billing account for a Microsoft Customer Agreement and then select Billing profiles. To learn how to change scopes, see [Switch billing scopes in the Azure portal](view-all-accounts.md#switch-billing-scope-in-the-azure-portal).

+1. Select **Invoice sections** from the left-hand side and then select an invoice section from the list. Each billing profile contains on invoice section by default. Select the invoice where you want to move your Azure product billing - that's where the Azure product consumption is transferred to.

+1. Select **Transfer requests** from the lower-left side and then select **Add a new request**. Enter the email address of the user you're requesting billing ownership from. The user must have an account administrator role for the old products.

+The recipient of the transfer request uses the following procedure to review and approve the transfer request. They can choose to:

+- Transfer one or more subscriptions only

+- Transfer one or more reservations only

+- Transfer both subscriptions and reservations

+ :::image type="content" source="./media/mca-request-billing-ownership/mca-review-transfer-request-email.png" alt-text="Screenshot that shows review transfer request email." lightbox="./media/mca-request-billing-ownership/mca-review-transfer-request-email.png" :::

+ If the transfer recipientΓÇÖs user account doesnΓÇÖt have email enabled, the person that created the request can manually give the target recipient a link to accept the transfer request after the request is created. The person that created the request can navigate to Transfer status page, copy it, and then manually give it to the recipient.

+ :::image type="content" source="./media/mca-request-billing-ownership/transfer-status-pending-link.png" alt-text="Screenshot showing the Transfer status where you can copy the transfer link sent to the recipient." lightbox="./media/mca-request-billing-ownership/transfer-status-pending-link.png" :::

+1. In the Azure portal, the user selects the billing account that they want to transfer Azure products from. Then they select eligible subscriptions on the **Subscriptions** tab. If the owner doesnΓÇÖt want to transfer subscriptions and instead wants to transfer reservations only, make sure that no subscriptions are selected.

+ *Disabled subscriptions can't be transferred.*

+1. If there are reservations available to transfer, select the **Reservations** tab and then select them. If reservations wonΓÇÖt be transferred, make sure that no reservations are selected.

+If reservations are transferred, they're applied to the scope thatΓÇÖs set in the request. If you want to change the scope of the reservation after itΓÇÖs transferred, see [Change the reservation scope](../reservations/manage-reserved-vm-instance.md#change-the-reservation-scope).

+1. Select the **Review request** tab and verify the information about the products to transfer. If there are Warnings or Failed status messages, see the following information. When you're ready to continue, select **Transfer**.

+* **Warnings** - There's a warning for the selected Azure product. While the product can still be transferred, doing so will have some consequence that the user should be aware of in case they want to take mitigating actions. For example, the Azure subscription being transferred is benefitting from a reservation. After transfer, the subscription will no longer receive that benefit. To maximize savings, ensure that the reservation is associated to another subscription that can use its benefits. Instead, the user can also choose to go back to the selection page and unselect this Azure subscription. Select **Check details** for more information.

+The transfer request can have one of the following states:

+|Processing|The user approved the transfer request. Billing for the products that the user selected is getting transferred to your invoice section.|

+|Completed| The billing for products that the user selected is transferred to your invoice section.|

+|Finished with errors|The request completed but billing for some products that the user selected couldn't be transferred.|

+You can request billing ownership of products for the subscription types listed below.

+<sup>2</sup> Only supported for products in accounts that are created during sign-up on the Azure website.

+- The billing ownership of the Azure products is transferred to your invoice section. Keep track of the charges for these subscriptions in the [Azure portal](https://portal.azure.com).

+- Give others permissions to view and manage billing for transferred products. For more information, see [Invoice section roles and tasks](understand-mca-roles.md#invoice-section-roles-and-tasks).

+ Title: Transfer Azure product billing ownership to your Microsoft Partner Agreement (MPA)

+description: Learn how to request billing ownership of Azure billing products from other users for a Microsoft Partner Agreement (MPA).

+# Transfer Azure product billing ownership to your Microsoft Partner Agreement (MPA)

+An Azure Expert MSP can request to transfer their customer's Enterprise subscriptions and reservations to the Microsoft Partner Agreement (MPA) that they manage.

+Supported product (subscriptions and reservations) billing ownership transfer options include:

+- A direct Enterprise Agreement transfer to an Azure plan under the MPA

+- An enterprise Microsoft Customer Agreement transfer to an Azure plan under the MPA

+> Indirect Enterprise Agreement transfers to an Azure plan under an MPA aren't supported.

+When you send or accept a transfer request, you agree to terms and conditions. For more information, see [Transfer terms and conditions](subscription-transfer.md#transfer-terms-and-conditions).

+There are three options to transfer products:

+- Transfer only subscriptions

+- Transfer only reservations

+- Transfer both subscriptions and reservations

+1. Establish [reseller relationship](/partner-center/request-a-relationship-with-a-customer) with the customer.

+ 1. Make sure that both the customer and Partner tenants are within the same authorized region. Check [CSP Regional Authorization Overview](/partner-center/regional-authorization-overview).

+ 1. [Confirm that the customer has accepted the Microsoft Customer Agreement](/partner-center/confirm-customer-agreement).

+Before you begin, make sure that the people involved in the product transfer have the required permissions.

+### Required permission for the transfer requestor

+To request the billing ownership, you must have **Global Admin** or **Admin Agents** role. To learn more, see [Partner Center - Assign users roles and permissions](/partner-center/permissions-overview).

+### Required permission for the subscription transfer recipient

+The subscription product owner (transfer request recipient) must have one of the following permissions:

+- For a Microsoft Customer Agreement, the person must have an owner or contributor role for the billing account or for the relevant billing profile or invoice section. For more information, see [Billing roles and tasks](understand-mca-roles.md#invoice-section-roles-and-tasks).

+- For an Enterprise Agreement, the person must be an account owner or EA administrator.

+### Required permission for the reservation transfer recipient

+The reservation product owner (transfer request recipient) must have one of the following permissions:

+- For a Microsoft Customer Agreement, the person must have an owner or contributor role for the billing account or for the relevant billing profile or invoice section. For more information, see [Billing roles and tasks](understand-mca-roles.md#invoice-section-roles-and-tasks).

+- For an Enterprise Agreement, the person must be an EA administrator.

+1. Enter the email address of the user in the customer organization who will accept the transfer request. Select **Send transfer request**.

+## Review and approve transfer request

+The recipient of the transfer request uses the following procedure to review and approve the transfer request. They can choose to:

+- Transfer one or more subscriptions only

+- Transfer one or more reservations only

+- Transfer both subscriptions and reservations

+1. The user gets an email with instructions to review your transfer request. Select **Review the request** to open it in the Azure portal.

+ :::image type="content" source="./media/mpa-request-ownership/mpa-review-transfer-request-email.png" alt-text="Screenshot that shows review transfer request email." lightbox="./media/mpa-request-ownership/mpa-review-transfer-request-email.png" :::

+ If the transfer recipientΓÇÖs user account doesnΓÇÖt have email enabled, the person that created the request can manually give the target recipient a link to accept the transfer request after the request is created. The person that created the request can navigate to Transfer status page, copy it, and then manually give it to the recipient.

+ :::image type="content" source="./media/mpa-request-ownership/transfer-status-pending-link.png" alt-text="Screenshot showing the Transfer status where you can copy the transfer link sent to the recipient." lightbox="./media/mpa-request-ownership/transfer-status-pending-link.png" :::

+1. In the Azure portal, the user selects the billing account that they want to transfer Azure products from. Then they select eligible subscriptions on the **Subscriptions** tab. If the owner doesnΓÇÖt want to transfer subscriptions and instead wants to transfer reservations only, make sure that no subscriptions are selected.

+ :::image type="content" source="./media/mpa-request-ownership/review-transfer-request-subscriptions-select.png" alt-text="Screenshot showing the Subscriptions tab." lightbox="./media/mpa-request-ownership/review-transfer-request-subscriptions-select.png" :::

+ *Disabled subscriptions can't be transferred.*

+1. If there are reservations available to transfer, select the **Reservations** tab and then select them. If reservations wonΓÇÖt be transferred, make sure that no reservations are selected.

+If reservations are transferred, they're applied to the scope thatΓÇÖs set in the request. If you want to change the scope of the reservation after itΓÇÖs transferred, see [Change the reservation scope](../reservations/manage-reserved-vm-instance.md#change-the-reservation-scope).

+ :::image type="content" source="./media/mpa-request-ownership/review-transfer-request-reservations-select.png" alt-text="Screenshot showing the Reservations tab." lightbox="./media/mpa-request-ownership/review-transfer-request-reservations-select.png" :::

+1. Select the **Review request** tab and verify the information about the products to transfer. If there are Warnings or Failed status messages, see the following information. When you're ready to continue, select **Transfer**.

+ :::image type="content" source="./media/mpa-request-ownership/review-transfer-request-complete.png" alt-text="Screenshot showing the Review request tab where you review your transfer selections." lightbox="./media/mpa-request-ownership/review-transfer-request-complete.png" :::

+1. You'll briefly see a `Transfer is in progress` message. When the transfer is completed successfully, you'll see the Transfer details page with the `Transfer completed successfully` message.

+ :::image type="content" source="./media/mpa-request-ownership/transfer-completed-successfully.png" alt-text="Screenshot showing the Transfer completed successfully page." lightbox="./media/mpa-request-ownership/transfer-completed-successfully.png" :::

+On the Review request tab, the following status messages might be displayed.

+* **Ready to transfer** - Validation for this Azure product has passed and can be transferred.

+* **Warnings** - There's a warning for the selected Azure product. While the product can still be transferred, doing so will have some consequence that the user should be aware of in case they want to take mitigating actions. For example, the Azure subscription being transferred is benefitting from a reservation. After transfer, the subscription will no longer receive that benefit. To maximize savings, ensure that the reservation is associated to another subscription that can use its benefits. Instead, the user can also choose to go back to the selection page and unselect this Azure subscription. Select **Check details** for more information.

+* **Failed** - The selected Azure product can't be transferred because of an error. User will need to go back to the selection page and unselect this product to transfer the other selected Azure products.

+ The transfer request can have one of the following states:

+ |Processing|The user approved the transfer request. Billing for the products that the user selected is getting transferred to your account|

+ |Completed| The billing for products that the user selected is transferred to your account|

+ |Finished with errors|The request completed but billing for some products that the user selected couldn't be transferred|

+ |Transfer link sent to recipient|The URL that was sent to the user to review the transfer request|

+<sup>1</sup> You must convert an EA Dev/Test subscription to an EA Enterprise offer using a support ticket and respectively, an Azure Plan Dev/Test offer to Azure plan. A Dev/Test subscription will be billed at a pay-as-you-go rate after conversion. There's no discount currently available through the Dev/Test offer to CSP partners.

+Access for existing users, groups, or service principals that was assigned using [Azure role-based access control (Azure RBAC role)](../../role-based-access-control/overview.md) isn't affected during the transition. The partner wonΓÇÖt get any new Azure RBAC role access to the subscriptions.

+* The billing ownership of the Azure products is transferred to you. Keep track of the charges for these products in the [Azure portal](https://portal.azure.com).

+* Work with the customer to get access to the transferred Azure products. [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).

+> * For Microsoft Online Services Program accounts, if you switch to pay by check or wire transfer, you can't switch back to paying by credit or debit card.

+When only billing ownership is changing, then resources aren't affected. All resources from the subscriptions like VMs, disks, and websites transfer. However, when you do a resource move or change the service tenant, then resources could be affected.

+## Supplemental information about transfers

+The following sections provide additional information about transferring subscriptions.

+### Cancel a prior support plan

+If you have an Azure support plan and you transfer all of your Azure subscriptions to a new agreement, then you must cancel the support plan because it doesn't transfer with the subscriptions. For example, when you transfer a Microsoft Online Subscription Agreement (an Azure subscription purchased on the web) to the Microsoft Customer Agreement. To cancel your support plan:

+Use your account administrator credentials for your old account if the credentials differ from the ones used to access your new Microsoft Customer Agreement account.

+1. Sign in to the Azure portal at https://portal.azure.com.

+1. Navigate to **Cost Management + Billing**.

+1. Select **Billing Scopes** in the left pane.

+1. Select the billing account associated with your Microsoft support plan.

+ - For a Microsoft Customer Agreement:

+ - Select **Recurring charges** in the left pane.

+ - In the right pane, to the right of the support plan line item, select the ellipsis (**...**) and then select **Turn off auto-renewal**.

+ - For a Microsoft Online Subscription Agreement (MOSA):

+ - Select **Subscriptions** in the left pane.

+ - Select the support plan subscription in the right pane and then select **Cancel**.

+### Access your historical invoices

+You may want to access your invoices for your old Microsoft Online Subscription Agreement account (an Azure subscription purchased on the web) after you transfer billing ownership to your new Microsoft Customer Agreement account. To do so, use the following steps:

+Use your account administrator credentials for your old account if the credentials differ from the ones used to access your new Microsoft Customer Agreement account.

+1. Sign in to the Azure portal at https://portal.azure.com/.

+1. Navigate to **Cost Management + Billing**.

+1. Select **Billing Scopes** in the left pane.

+1. Select the billing account associated with your Microsoft Online Subscription Agreement account.

+1. Select **Invoices** in the left pane to access your historical invoices.

+### Disabled subscriptions

+Disabled subscriptions can't be transferred. Subscriptions must be in active state to transfer their billing ownership.

+### Azure Marketplace products transfer

+Azure Marketplace products transfer along with their respective subscriptions.

+### Azure Reservations transfer

+If you're transferring Enterprise Agreement (EA) subscriptions or Microsoft Customer Agreements, Azure Reservations automatically move with the subscriptions.

+### Access to Azure services

+Access for existing users, groups, or service principals that was assigned using [Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md) isn't affected during the transition.

+### Charges for transferred subscription

+The original billing owner of the subscriptions is responsible for any charges that were reported up to the point that the transfer is completed. Your invoice section is responsible for charges reported from the time of transfer onwards. There may be some charges that took place before transfer but was reported afterwards. These charges show up on your invoice section.

+### Cancel a transfer request

+You can cancel the transfer request until the request is approved or declined. To cancel the transfer request, go to the [transfer details page](mca-request-billing-ownership.md#check-the-transfer-request-status) and select cancel from the bottom of the page.

+### Software as a Service (SaaS) transfer

+SaaS products don't transfer with the subscriptions. Ask the user to [Contact Azure support](https://portal.azure.com/?#blade/Microsoft_Azure_Support/HelpAndSupportBlade) to transfer billing ownership of SaaS products. Along with the billing ownership, the user can also transfer resource ownership. Resource ownership lets you conduct management operations like deleting and viewing the details of the product. The user must be a resource owner on the SaaS product to transfer resource ownership.

+- [Prepay for SQL Database compute resources with Azure SQL Database reserved capacity](/azure/azure-sql/database/reserved-capacity-overview)

+Learn how to [cancel a previous support plan](../manage/subscription-transfer.md?toc=/azure/cost-management-billing/microsoft-customer-agreement/toc.json#cancel-a-prior-support-plan).

+- [SQL Database](/azure/azure-sql/database/reserved-capacity-overview?toc=/azure/cost-management-billing/reservations/toc.json)

+- [SQL Database](/azure/azure-sql/database/reserved-capacity-overview?toc=/azure/cost-management-billing/reservations/toc.json)

+ - [SQL Database compute resources with Azure SQL Database reserved capacity](/azure/azure-sql/database/reserved-capacity-overview)

+* [Prepay for SQL Database compute resources with Azure SQL Database reserved capacity](/azure/azure-sql/database/reserved-capacity-overview)

+- [Prepay for SQL Database compute resources with Azure SQL Database reserved capacity](/azure/azure-sql/database/reserved-capacity-overview)

+- [Prepay for SQL Database compute resources with Azure SQL Database reserved capacity](/azure/azure-sql/database/reserved-capacity-overview)

+- [Prepay for SQL Database compute resources with Azure SQL Database reserved capacity](/azure/azure-sql/database/reserved-capacity-overview)

+- Your organization is enrolled to automatic registration of the Azure SQL VMs with the IaaS extension. To learn more, see [Automatic registration with SQL IaaS Agent extension](/azure/azure-sql/virtual-machines/windows/sql-agent-extension-automatic-registration-all-vms).

+1. First, confirm that all your SQL Server VMs are visible to you and Azure by enabling automatic registration of the self-installed SQL server images with the IaaS extension. For more information, see [Register multiple SQL VMs in Azure with the SQL IaaS Agent extension](/azure/azure-sql/virtual-machines/windows/sql-agent-extension-manually-register-vms-bulk).

+The original resource-level way to enable Azure Hybrid Benefit is still available for SQL Server and is currently the only option for Windows Server. It involves a DevOps role selecting the benefit for each individual resource (like a SQL Database or Windows Server VM) when creating or managing it. Doing so results in the hourly cost of that resource being discounted. For more information, see [Azure Hybrid Benefit for Windows Server](/azure/azure-sql/azure-hybrid-benefit).

+Verify that your self-installed virtual machines running SQL Server in Azure are registered before you start to use the new experience. Doing so ensures that Azure resources that are running SQL Server are visible to you and Azure. For more information about registering SQL VMs in Azure, see [Register SQL Server VM with SQL IaaS Agent Extension](/azure/azure-sql/virtual-machines/windows/sql-agent-extension-manually-register-single-vm) and [Register multiple SQL VMs in Azure with the SQL IaaS Agent extension](/azure/azure-sql/virtual-machines/windows/sql-agent-extension-manually-register-vms-bulk).

+You register data assets (tables) from a [database sample](/azure/azure-sql/database/single-database-create-quickstart) for Azure SQL Database, but you can use any supported data source if you prefer to work with data that is familiar and relevant to your role. For a list of supported data sources, see [Supported data sources](data-catalog-dsr.md).

+**AzureSSISLocation** is the location for the integration runtime worker node. The worker node maintains a constant connection to the SSIS Catalog database (SSISDB) in Azure SQL Database. Set the **AzureSSISLocation** to the same location as [logical SQL server](/azure/azure-sql/database/logical-servers) that hosts SSISDB, which lets the integration runtime to work as efficiently as possible.

+You can also adjust the database pricing tier based on [database transaction unit](/azure/azure-sql/database/service-tiers-dtu) (DTU) usage information available on the Azure portal.

+For business continuity and disaster recovery (BCDR), Azure SQL Database/Managed Instance can be configured with a [geo-replication/failover group](/azure/azure-sql/database/auto-failover-group-overview), where SSISDB in a primary Azure region with read-write access (primary role) will be continuously replicated to a secondary region with read-only access (secondary role). When a disaster occurs in the primary region, a failover will be triggered, where the primary and secondary SSISDBs will swap roles.

+1. Using Azure portal, you can check whether the primary SSISDB has been created on the **Overview** page of your primary Azure SQL Database server. Once it's created, you can [create a failover group for your primary and secondary Azure SQL Database servers and add SSISDB to it](/azure/azure-sql/database/failover-group-add-single-database-tutorial?tabs=azure-portal#2create-the-failover-group) on the **Failover groups** page. Once your failover group is created, you can check whether the primary SSISDB has been replicated to a secondary one with read-only access on the **Overview** page of your secondary Azure SQL Database server.

+1. You can [test your Azure SQL Database failover group](/azure/azure-sql/database/failover-group-add-single-database-tutorial?tabs=azure-portal#3test-failover) and check on [Azure-SSIS IR monitoring page in ADF portal](./monitor-integration-runtime.md#monitor-the-azure-ssis-integration-runtime-in-azure-portal) whether your primary and secondary Azure-SSIS IRs have swapped roles.

+1. Using Azure portal, you can [create a failover group for your primary and secondary Azure SQL Managed Instances](/azure/azure-sql/managed-instance/failover-group-add-instance-tutorial?tabs=azure-portal) on the **Failover groups** page of your primary Azure SQL Managed Instance.

+1. You can [test your Azure SQL Managed Instance failover group](/azure/azure-sql/managed-instance/failover-group-add-instance-tutorial?tabs=azure-portal#test-failover) and check on [Azure-SSIS IR monitoring page in ADF portal](./monitor-integration-runtime.md#monitor-the-azure-ssis-integration-runtime-in-azure-portal) whether your primary and secondary Azure-SSIS IRs have swapped roles.

+1. Store the [Column Master Key (CMK)](/sql/relational-databases/security/encryption/create-and-store-column-master-keys-always-encrypted?view=sql-server-ver15&preserve-view=true) in an [Azure Key Vault](../key-vault/general/overview.md). Learn more on [how to configure Always Encrypted by using Azure Key Vault](/azure/azure-sql/database/always-encrypted-azure-key-vault-configure?tabs=azure-powershell)

+>If you use PolyBase or COPY statement to load data from Blob storage (as a source or as staging) into Azure Synapse Analytics, when you use managed identity authentication for Blob storage, make sure you also follow steps 1 to 3 in [this guidance](/azure/azure-sql/database/vnet-service-endpoint-rule-overview#impact-of-using-virtual-network-service-endpoints-with-azure-storage). Those steps will register your server with Azure AD and assign the Storage Blob Data Contributor role to your server. Data Factory handles the rest. If you configure Blob storage with an Azure Virtual Network endpoint, you also need to have **Allow trusted Microsoft services to access this storage account** turned on under Azure Storage account **Firewalls and Virtual networks** settings menu as required by Azure Synapse.

+>If you use PolyBase or COPY statement to load data from Data Lake Storage Gen2 into Azure Synapse Analytics, when you use managed identity authentication for Data Lake Storage Gen2, make sure you also follow steps 1 to 3 in [this guidance](/azure/azure-sql/database/vnet-service-endpoint-rule-overview#impact-of-using-virtual-network-service-endpoints-with-azure-storage). Those steps will register your server with Azure AD and assign the Storage Blob Data Contributor role to your server. Data Factory handles the rest. If you configure Blob storage with an Azure Virtual Network endpoint, you also need to have **Allow trusted Microsoft services to access this storage account** turned on under Azure Storage account **Firewalls and Virtual networks** settings menu as required by Azure Synapse.

+| Select user DB schema | By default, a temporary table will be created under the sink schema as staging. You can alternatively uncheck the **Use sink schema** option and instead, specify a schema name under which Data Factory will create a staging table to load upstream data and automatically clean them up upon completion. Make sure you have create table permission in the database and alter permission on the schema. | No | String | stagingSchemaName |

+> If you copy data by using an Azure Integration Runtime, configure a [server-level firewall rule](/azure/azure-sql/database/firewall-configure) so that Azure services can access the [logical SQL server](/azure/azure-sql/database/logical-servers).

+2. **[Provision an Azure Active Directory administrator](/azure/azure-sql/database/authentication-aad-configure#provision-azure-ad-admin-sql-database)** for your server in the Azure portal if you haven't already done so. The Azure AD administrator can be an Azure AD user or Azure AD group. If you grant the group with managed identity an admin role, skip steps 3 and 4. The administrator will have full access to the database.

+3. **[Create contained database users](/azure/azure-sql/database/authentication-aad-configure#create-contained-users-mapped-to-azure-ad-identities)** for the service principal. Connect to the data warehouse from or to which you want to copy data by using tools like SSMS, with an Azure AD identity that has at least ALTER ANY USER permission. Run the following T-SQL:

+1. **[Provision an Azure Active Directory administrator](/azure/azure-sql/database/authentication-aad-configure#provision-azure-ad-admin-sql-database)** for your server on the Azure portal if you haven't already done so. The Azure AD administrator can be an Azure AD user or Azure AD group. If you grant the group with system-assigned managed identity an admin role, skip steps 3 and 4. The administrator will have full access to the database.

+2. **[Create contained database users](/azure/azure-sql/database/authentication-aad-configure#create-contained-users-mapped-to-azure-ad-identities)** for the system-assigned managed identity. Connect to the data warehouse from or to which you want to copy data by using tools like SSMS, with an Azure AD identity that has at least ALTER ANY USER permission. Run the following T-SQL.

+1. **[Provision an Azure Active Directory administrator](/azure/azure-sql/database/authentication-aad-configure#provision-azure-ad-admin-sql-database)** for your server on the Azure portal if you haven't already done so. The Azure AD administrator can be an Azure AD user or Azure AD group. If you grant the group with user-assigned managed identity an admin role, skip steps 3. The administrator will have full access to the database.

+2. **[Create contained database users](/azure/azure-sql/database/authentication-aad-configure#create-contained-users-mapped-to-azure-ad-identities)** for the user-assigned managed identity. Connect to the data warehouse from or to which you want to copy data by using tools like SSMS, with an Azure AD identity that has at least ALTER ANY USER permission. Run the following T-SQL.

+ >- If your Azure Storage is configured with VNet service endpoint, you must use managed identity authentication with "allow trusted Microsoft service" enabled on storage account, refer to [Impact of using VNet Service Endpoints with Azure storage](/azure/azure-sql/database/vnet-service-endpoint-rule-overview#impact-of-using-virtual-network-service-endpoints-with-azure-storage).

+>- If your staging Azure Storage is configured with VNet service endpoint, you must use managed identity authentication with "allow trusted Microsoft service" enabled on storage account, refer to [Impact of using VNet Service Endpoints with Azure storage](/azure/azure-sql/database/vnet-service-endpoint-rule-overview#impact-of-using-virtual-network-service-endpoints-with-azure-storage).

+ >- If your Azure Storage is configured with VNet service endpoint, you must use managed identity authentication with "allow trusted Microsoft service" enabled on storage account, refer to [Impact of using VNet Service Endpoints with Azure storage](/azure/azure-sql/database/vnet-service-endpoint-rule-overview#impact-of-using-virtual-network-service-endpoints-with-azure-storage).

+>- If your staging Azure Storage is configured with VNet service endpoint, you must use managed identity authentication with "allow trusted Microsoft service" enabled on storage account, refer to [Impact of using VNet Service Endpoints with Azure storage](/azure/azure-sql/database/vnet-service-endpoint-rule-overview#impact-of-using-virtual-network-service-endpoints-with-azure-storage).

+- If your Azure Storage is configured with VNet service endpoint, you must use managed identity authentication with "allow trusted Microsoft service" enabled on storage account, refer to [Impact of using VNet Service Endpoints with Azure storage](/azure/azure-sql/database/vnet-service-endpoint-rule-overview#impact-of-using-virtual-network-service-endpoints-with-azure-storage).

+- If your Azure Storage is configured with VNet service endpoint, you must use managed identity authentication with "allow trusted Microsoft service" enabled on storage account, refer to [Impact of using VNet Service Endpoints with Azure storage](/azure/azure-sql/database/vnet-service-endpoint-rule-overview#impact-of-using-virtual-network-service-endpoints-with-azure-storage).

+**Use sink schema**: By default, a temporary table will be created under the sink schema as staging. You can alternatively uncheck the **Use sink schema** option and instead, in **Select user DB schema**, specify a schema name under which Data Factory will create a staging table to load upstream data and automatically clean them up upon completion. Make sure you have create table permission in the database and alter permission on the schema.

+If you use Azure SQL Database [serverless tier](/azure/azure-sql/database/serverless-tier-overview), note when the server is paused, activity run fails instead of waiting for the auto resume to be ready. You can add activity retry or chain additional activities to make sure the server is live upon the actual execution.

+> If you copy data by using the Azure integration runtime, configure a [server-level firewall rule](/azure/azure-sql/database/firewall-configure) so that Azure services can access the server.

+2. [Provision an Azure Active Directory administrator](/azure/azure-sql/database/authentication-aad-configure#provision-azure-ad-admin-sql-database) for your server on the Azure portal if you haven't already done so. The Azure AD administrator must be an Azure AD user or Azure AD group, but it can't be a service principal. This step is done so that, in the next step, you can use an Azure AD identity to create a contained database user for the service principal.

+3. [Create contained database users](/azure/azure-sql/database/authentication-aad-configure#create-contained-users-mapped-to-azure-ad-identities) for the service principal. Connect to the database from or to which you want to copy data by using tools like SQL Server Management Studio, with an Azure AD identity that has at least ALTER ANY USER permission. Run the following T-SQL:

+1. [Provision an Azure Active Directory administrator](/azure/azure-sql/database/authentication-aad-configure#provision-azure-ad-admin-sql-database) for your server on the Azure portal if you haven't already done so. The Azure AD administrator can be an Azure AD user or an Azure AD group. If you grant the group with managed identity an admin role, skip steps 3 and 4. The administrator has full access to the database.

+2. [Create contained database users](/azure/azure-sql/database/authentication-aad-configure#create-contained-users-mapped-to-azure-ad-identities) for the managed identity. Connect to the database from or to which you want to copy data by using tools like SQL Server Management Studio, with an Azure AD identity that has at least ALTER ANY USER permission. Run the following T-SQL:

+1. [Provision an Azure Active Directory administrator](/azure/azure-sql/database/authentication-aad-configure#provision-azure-ad-admin-sql-database) for your server on the Azure portal if you haven't already done so. The Azure AD administrator can be an Azure AD user or an Azure AD group. If you grant the group with user-assigned managed identity an admin role, skip steps 3. The administrator has full access to the database.

+2. [Create contained database users](/azure/azure-sql/database/authentication-aad-configure#create-contained-users-mapped-to-azure-ad-identities) for the user-assigned managed identity. Connect to the database from or to which you want to copy data by using tools like SQL Server Management Studio, with an Azure AD identity that has at least ALTER ANY USER permission. Run the following T-SQL:

+1. Store the [Column Master Key (CMK)](/sql/relational-databases/security/encryption/create-and-store-column-master-keys-always-encrypted?view=sql-server-ver15&preserve-view=true) in an [Azure Key Vault](../key-vault/general/overview.md). Learn more on [how to configure Always Encrypted by using Azure Key Vault](/azure/azure-sql/database/always-encrypted-azure-key-vault-configure?tabs=azure-powershell)

+To access the SQL Managed Instance [public endpoint](/azure/azure-sql/managed-instance/public-endpoint-overview), you can use a managed Azure integration runtime. Make sure that you enable the public endpoint and also allow public endpoint traffic on the network security group so that the service can connect to your database. For more information, see [this guidance](/azure/azure-sql/managed-instance/public-endpoint-configure).

+To access the SQL Managed Instance private endpoint, set up a [self-hosted integration runtime](create-self-hosted-integration-runtime.md) that can access the database. If you provision the self-hosted integration runtime in the same virtual network as your managed instance, make sure that your integration runtime machine is in a different subnet than your managed instance. If you provision your self-hosted integration runtime in a different virtual network than your managed instance, you can use either a virtual network peering or a virtual network to virtual network connection. For more information, see [Connect your application to SQL Managed Instance](/azure/azure-sql/managed-instance/connect-application-instance).

+1. Follow the steps to [Provision an Azure Active Directory administrator for your Managed Instance](/azure/azure-sql/database/authentication-aad-configure#provision-azure-ad-admin-sql-managed-instance).

+4. [Create contained database users](/azure/azure-sql/database/authentication-aad-configure#create-contained-users-mapped-to-azure-ad-identities) for the service principal. Connect to the database from or to which you want to copy data, run the following T-SQL:

+1. Follow the steps to [Provision an Azure Active Directory administrator for your Managed Instance](/azure/azure-sql/database/authentication-aad-configure#provision-azure-ad-admin-sql-managed-instance).

+3. [Create contained database users](/azure/azure-sql/database/authentication-aad-configure#create-contained-users-mapped-to-azure-ad-identities) for the system-assigned managed identity. Connect to the database from or to which you want to copy data, run the following T-SQL:

+1. Follow the steps to [Provision an Azure Active Directory administrator for your Managed Instance](/azure/azure-sql/database/authentication-aad-configure#provision-azure-ad-admin-sql-managed-instance).

+3. [Create contained database users](/azure/azure-sql/database/authentication-aad-configure#create-contained-users-mapped-to-azure-ad-identities) for the user-assigned managed identity. Connect to the database from or to which you want to copy data, run the following T-SQL:

+1. Store the [Column Master Key (CMK)](/sql/relational-databases/security/encryption/create-and-store-column-master-keys-always-encrypted?view=sql-server-ver15&preserve-view=true) in an [Azure Key Vault](../key-vault/general/overview.md). Learn more on [how to configure Always Encrypted by using Azure Key Vault](/azure/azure-sql/database/always-encrypted-azure-key-vault-configure?tabs=azure-powershell)

+1. Store the [Column Master Key (CMK)](/sql/relational-databases/security/encryption/create-and-store-column-master-keys-always-encrypted?view=sql-server-ver15&preserve-view=true) in an [Azure Key Vault](../key-vault/general/overview.md). Learn more on [how to configure Always Encrypted by using Azure Key Vault](/azure/azure-sql/database/always-encrypted-azure-key-vault-configure?tabs=azure-powershell)

+ | For Azure SQL, if the error message contains the string "SqlErrorNumber=47073", it means that public network access is denied in the connectivity setting. | On the Azure SQL firewall, set the **Deny public network access** option to *No*. For more information, see [Azure SQL connectivity settings](/azure/azure-sql/database/connectivity-settings#deny-public-network-access). |

+ | For Azure SQL, if the error message contains an SQL error code such as "SqlErrorNumber=[errorcode]", see the Azure SQL troubleshooting guide. | For a recommendation, see [Troubleshoot connectivity issues and other errors with Azure SQL Database and Azure SQL Managed Instance](/azure/azure-sql/database/troubleshoot-common-errors-issues). |

+ | If the error message contains the string "Client with IP address '...' is not allowed to access the server", and you're trying to connect to Azure SQL Database, the error is usually caused by an Azure SQL Database firewall issue. | In the Azure SQL Server firewall configuration, enable the **Allow Azure services and resources to access this server** option. For more information, see [Azure SQL Database and Azure Synapse IP firewall rules](/azure/azure-sql/database/firewall-configure). |

+staging.linkedService | If you're using an Azure Synapse Analytics source or sink, specify the storage account used for PolyBase staging.<br/><br/>If your Azure Storage is configured with VNet service endpoint, you must use managed identity authentication with "allow trusted Microsoft service" enabled on storage account, refer to [Impact of using VNet Service Endpoints with Azure storage](/azure/azure-sql/database/vnet-service-endpoint-rule-overview#impact-of-using-virtual-network-service-endpoints-with-azure-storage). Also learn the needed configurations for [Azure Blob](connector-azure-blob-storage.md#managed-identity) and [Azure Data Lake Storage Gen2](connector-azure-data-lake-storage.md#managed-identity) respectively.<br/> | LinkedServiceReference | Only if the data flow reads or writes to an Azure Synapse Analytics

+| [Azure SQL Managed Instance](/azure/azure-sql/managed-instance/sql-managed-instance-paas-overview) | √ | √ | √ |

+ - Azure SQL Database DTU usage is close to 100%. You can [monitor the performance](/azure/azure-sql/database/monitor-tune-overview) and consider to upgrade the Azure SQL Database tier.

+* Azure SQL Database: You can [monitor the performance](/azure/azure-sql/database/monitor-tune-overview) and check the Database Transaction Unit (DTU) percentage.

+> If you use Azure SQL Database server to host SSISDB, your data will be stored in geo-redundant storage for backups by default. If you don't want your data to be replicated in other regions, please follow the instructions to [Configure backup storage redundancy by using PowerShell](/azure/azure-sql/database/automated-backups-overview?tabs=single-database#configure-backup-storage-redundancy-by-using-powershell).

+If you use managed instance to host SSISDB, you can omit the `CatalogPricingTier` parameter or pass an empty value for it. Otherwise, you can't omit it and must pass a valid value from the list of supported pricing tiers for Azure SQL Database. For more information, see [SQL Database resource limits](/azure/azure-sql/database/resource-limits-logical-server).

+ - Confirm that the **Allow access to Azure services** setting is enabled for the database server. This setting is not applicable when you use an Azure SQL Database server with IP firewall rules/virtual network service endpoints or a SQL managed instance with private endpoint to host SSISDB. For more information, see [Secure Azure SQL Database](/azure/azure-sql/database/secure-database-tutorial#create-firewall-rules). To enable this setting by using PowerShell, see [New-AzSqlServerFirewallRule](/powershell/module/az.sql/new-azsqlserverfirewallrule).

+ - Add the IP address of the client machine, or a range of IP addresses that includes the IP address of the client machine, to the client IP address list in the firewall settings for the database server. For more information, see [Azure SQL Database server-level and database-level firewall rules](/azure/azure-sql/database/firewall-configure).

+| **Virtual network** | Your Azure-SSIS IR can join an Azure Resource Manager virtual network if you use an Azure SQL Database server with IP firewall rules/virtual network service endpoints. | Your Azure-SSIS IR can join an Azure Resource Manager virtual network if you use a managed instance with private endpoint. The virtual network is required when you don't enable a public endpoint for your managed instance.<br/><br/>If you join your Azure-SSIS IR to the same virtual network as your managed instance, make sure that your Azure-SSIS IR is in a different subnet from your managed instance. If you join your Azure-SSIS IR to a different virtual network from your managed instance, we recommend either a virtual network peering or a network-to-network connection. See [Connect your application to an Azure SQL Database Managed Instance](/azure/azure-sql/managed-instance/connect-application-instance). |

+| **Distributed transactions** | This feature is supported through elastic transactions. Microsoft Distributed Transaction Coordinator (MSDTC) transactions are not supported. If your SSIS packages use MSDTC to coordinate distributed transactions, consider migrating to elastic transactions for Azure SQL Database. For more information, see [Distributed transactions across cloud databases](/azure/azure-sql/database/elastic-transactions-overview). | Not supported. |

+- If the SQL pool is a dedicated SQL pool (formerly SQL DW) pre-dating Azure Synapse, only enable MI for your SQL server and assign the permission of the staging store to the MI of your SQL Server. You can refer to the steps in this article as an example: [Use virtual network service endpoints and rules for servers in Azure SQL Database](/azure/azure-sql/database/vnet-service-endpoint-rule-overview#steps).

+For Cause 1, you can refer to the following document: [Use virtual network service endpoints and rules for servers in Azure SQL Database-Steps](/azure/azure-sql/database/vnet-service-endpoint-rule-overview#steps) to solve this issue.

+* [Azure SQL Database](/azure/azure-sql/database/firewall-configure)

+You can [Configure and manage Azure AD authentication for Azure SQL Database](/azure/azure-sql/database/authentication-aad-configure) using the following steps:

+3. In the **Authentication** field, select **Active Directory - Universal with MFA support** (you can also use the other two Active Directory authentication types, see [Configure and manage Azure AD authentication for Azure SQL Database](/azure/azure-sql/database/authentication-aad-configure)).

+Follow the steps in [Provision an Azure AD administrator for Azure SQL Managed Instance](/azure/azure-sql/database/authentication-aad-configure#provision-azure-ad-admin-sql-managed-instance).

+For more info, see [Manage groups of databases with Elastic Database Jobs](/azure/azure-sql/database/elastic-jobs-overview).

+The following Azure PowerShell scripts create a new Elastic Job that invokes your selected SSISDB log clean-up stored procedure. For more info, see [Create an Elastic Job agent using PowerShell](/azure/azure-sql/database/elastic-jobs-powershell-create).

+The following T-SQL scripts create a new Elastic Job that invokes your selected SSISDB log clean-up stored procedure. For more info, see [Use T-SQL to create and manage Elastic Database Jobs](/azure/azure-sql/database/elastic-jobs-tsql-create-manage).

+4. Create SSISDB log clean-up user from login in SSISDB and grant it permissions to invoke SSISDB log clean-up stored procedure. For detailed guidance, see [Manage logins](/azure/azure-sql/database/logins-create-manage).

+ For more info on SQL Managed Instance connectivity, see [Connect your application to Azure SQL Managed Instance](/azure/azure-sql/managed-instance/connect-application-instance).

+ Azure SQL Managed Instances can provide connectivity over [public endpoints](/azure/azure-sql/managed-instance/public-endpoint-configure). Inbound and outbound requirements need to meet to allow traffic between SQL Managed Instance and Azure-SSIS IR:

+ For more information, see [Allow public endpoint traffic on the network security group](/azure/azure-sql/managed-instance/public-endpoint-configure#allow-public-endpoint-traffic-on-the-network-security-group).

+ |TCP|VirtualNetwork|*|[SQL Managed Instance public endpoint IP address](/azure/azure-sql/managed-instance/management-endpoint-find-ip-address)|3342|

+If you host SSISDB in Azure SQL Managed Instance that joins a virtual network, make sure that you join your Azure-SSIS IR to the same virtual network, but in a different subnet than the managed instance. To join your Azure-SSIS IR to a different virtual network than the managed instance, we recommend either virtual network peering (which is limited to the same region) or virtual network-to-virtual network connection. For more information, see [Connect your application to Azure SQL Managed Instance](/azure/azure-sql/managed-instance/connect-application-instance).

+* **Azure SQL Database**: If you don't have a SQL DB, learn how to [create a SQL DB account](/azure/azure-sql/database/single-database-create-quickstart?tabs=azure-portal)

+* Azure SQL Database: This tutorial copies data from the Adventure Works LT sample dataset in Azure SQL Database. You can create this sample database in SQL Database by following the instructions in [Create a sample database in Azure SQL Database](/azure/azure-sql/database/single-database-create-quickstart).

+* Consider increasing the DTU of your database. You can find details in [SQL Database limits for a logical server](/azure/azure-sql/database/resource-limits-logical-server).

+If many packages are running in parallel in the SSIS integration runtime, this error might occur because SSISDB has hit its request limit. Consider increasing the DTU of SSISDB to resolve this issue. You can find details in [SQL Database limits for a logical server](/azure/azure-sql/database/resource-limits-logical-server).

+* **Azure SQL Database**. This database contains the source data. Create a database in SQL Database with Adventure Works LT sample data following [Create a database in Azure SQL Database](/azure/azure-sql/database/single-database-create-quickstart) article. This tutorial copies all the tables from this sample database to an Azure Synapse Analytics.

+Create a database with the Adventure Works LT sample data in SQL Database by following [Create a database in Azure SQL Database](/azure/azure-sql/database/single-database-create-quickstart) article. This tutorial copies all the tables from this sample database to Azure Synapse Analytics.

+* **Azure SQL Database**. You use the database as **sink** data store. If you don't have a database in Azure SQL Database, see the [Create a database in Azure SQL Database](/azure/azure-sql/database/single-database-create-quickstart) article for steps to create one.

+* Azure SQL Database. You use the database as a sink data store. If you don't have a database in Azure SQL Database, see the [Create a database in Azure SQL Database](/azure/azure-sql/database/single-database-create-quickstart).

+* *Azure SQL Database*. You use the database as *sink* data store. If you don't have a database in Azure SQL Database, see the [Create a database in Azure SQL Database](/azure/azure-sql/database/single-database-create-quickstart).

+* **Azure SQL Database**. You use the database as a *sink* data store. If you don't have an Azure SQL database, see [Create a SQL database](/azure/azure-sql/database/single-database-create-quickstart) for steps to create one. *Ensure the SQL Database account allows access only from selected networks.*

+* **Azure SQL Database**. You use the database as a *sink* data store. If you don't have a database in Azure SQL Database, see the [Create a database in Azure SQL Database](/azure/azure-sql/database/single-database-create-quickstart) for steps to create one.

+* **Azure SQL Database**: Use a SQL Database as the _sink_ data store. If you don't have a SQL Database, see the instructions in [Create a SQL Database](/azure/azure-sql/database/single-database-create-quickstart).

+ > The option to **Allow Azure services and resources to access this server** enables network access to your SQL Server from any Azure resource, not just those in your subscription. For more information, see [Azure SQL Server Firewall rules](/azure/azure-sql/database/firewall-configure). Instead, you can use [Private endpoints](../private-link/private-endpoint-overview.md) to connect to Azure PaaS services without using public IPs.

+ - Confirm that the **Allow access to Azure services** setting is enabled for the database server. This setting is not applicable when you use an Azure SQL Database server with IP firewall rules/virtual network service endpoints or a managed instance with private endpoint to host SSISDB. For more information, see [Secure Azure SQL Database](/azure/azure-sql/database/secure-database-tutorial#create-firewall-rules). To enable this setting by using PowerShell, see [New-AzSqlServerFirewallRule](/powershell/module/az.sql/new-azsqlserverfirewallrule).

+ - Add the IP address of the client machine, or a range of IP addresses that includes the IP address of the client machine, to the client IP address list in the firewall settings for the database server. For more information, see [Azure SQL Database server-level and database-level firewall rules](/azure/azure-sql/database/firewall-configure).

+ - Confirm that the **Allow access to Azure services** setting is enabled for the database server. This setting is not applicable when you use an Azure SQL Database server with IP firewall rules/virtual network service endpoints or a managed instance with private endpoint to host SSISDB. For more information, see [Secure Azure SQL Database](/azure/azure-sql/database/secure-database-tutorial#create-firewall-rules). To enable this setting by using PowerShell, see [New-AzSqlServerFirewallRule](/powershell/module/az.sql/new-azsqlserverfirewallrule).

+ - Add the IP address of the client machine, or a range of IP addresses that includes the IP address of the client machine, to the client IP address list in the firewall settings for the database server. For more information, see [Azure SQL Database server-level and database-level firewall rules](/azure/azure-sql/database/firewall-configure).

+* **Azure SQL Database Managed Instance**. You use the database as the **source** data store. If you don't have an Azure SQL Database Managed Instance, see the [Create an Azure SQL Database Managed Instance](/azure/azure-sql/managed-instance/instance-create-quickstart) article for steps to create one.

+* **Azure SQL Database**. You use the database as the **source** data store. If you don't have a database in Azure SQL Database, see the [Create a database in Azure SQL Database](/azure/azure-sql/database/single-database-create-quickstart) article for steps to create one.

+* **Azure SQL Database**. You use the database as the **source** data store. If you don't have a database in Azure SQL Database, see the [Create a database in Azure SQL Database](/azure/azure-sql/database/single-database-create-quickstart) article for steps to create one.

+* **Azure SQL Database**. You use a database in Azure SQL Database as the sink data store. If you don't have a database in SQL Database, see [Create a database in Azure SQL Database](/azure/azure-sql/database/single-database-create-quickstart) for steps to create one.

+* **Azure SQL Database**. You use a database in Azure SQL Database as the sink data store. If you don't have a SQL database, see [Create a database in Azure SQL Database](/azure/azure-sql/database/single-database-create-quickstart) for steps to create one.

+* **Azure SQL Database**. You use the database as the source data store. If you don't have a database in Azure SQL Database, see [Create a database in Azure SQL Database](/azure/azure-sql/database/single-database-create-quickstart) for steps to create one.

+* **Azure SQL Database**. You use the database as the source data store. If you don't have a database in Azure SQL Database, see [Create a database in Azure SQL Database](/azure/azure-sql/database/single-database-create-quickstart) for steps to create one.

+* Learn about [Azure Batch basics](/azure/azure-sql/database/sql-database-paas-overview).

+* Azure SQL Database: You can [monitor the performance](/azure/azure-sql/database/monitor-tune-overview) and check the database transaction unit (DTU) percentage

+* **Azure SQL Database**. You use Azure SQL Database as a **destination** data store in this tutorial. If you don't have a database in Azure SQL Database that you can use in the tutorial, See [How to create and configure a database in Azure SQL Database](/azure/azure-sql/database/single-database-create-quickstart) to create one.

+ **If you have SQL Server 2012/2014 installed on your computer:** follow instructions from [Managing Azure SQL Database using SQL Server Management Studio](/azure/azure-sql/database/single-database-manage) to connect to your server and run the SQL script.

+ If your client is not allowed to access the logical SQL server, you need to configure firewall for your server to allow access from your machine (IP Address). See [this article](/azure/azure-sql/database/firewall-configure) for steps to configure the firewall for your server.

+All you need to access and try out this simple use case is an [Azure subscription](https://azure.microsoft.com/pricing/free-trial/), an [Azure Blob storage account](../../storage/common/storage-account-create.md), and an [Azure SQL Database](/azure/azure-sql/database/single-database-create-quickstart). You deploy the customer profiling pipeline from the **Sample pipelines** tile on the home page of your data factory.

+> 2. For some Cloud Databases (For example: [Azure SQL Database](/azure/azure-sql/database/firewall-configure), [Azure Data Lake](../../data-lake-store/data-lake-store-secure-data.md#set-ip-address-range-for-data-access), etc.), you may need to allow IP address of Gateway machine on their firewall configuration.

+- [Azure SQL Database](/azure/azure-sql/database/firewall-configure)

+* [Basics of Batch](/azure/azure-sql/database/sql-database-paas-overview)

+ * [Basics of Batch](/azure/azure-sql/database/sql-database-paas-overview)

+[batch-technical-overview]:/azure/azure-sql/database/sql-database-paas-overview

+U-SQL provides data source and external tables as well as direct queries against Azure SQL Database. While Spark does not offer the same object abstractions, it provides [Spark connector for Azure SQL Database](/azure/azure-sql/database/spark-connector) that can be used to query SQL databases.

+* **Azure SQL Database**. For instructions on how to create a database in Azure SQL Database, see [Create a database in Azure SQL Database](/azure/azure-sql/database/single-database-create-quickstart)

+1. To start, create two sample tables in the database. Use [SQL Server Management Studio](/azure/azure-sql/database/connect-query-ssms) or Visual Studio to connect to the database and then run the following queries.

+1. Verify that the data was uploaded to the SQL Database table. Use [SQL Server Management Studio](/azure/azure-sql/database/connect-query-ssms) or Visual Studio to connect to the Azure SQL Database and then run the following query.

+- An [Azure SQL Database](/azure/azure-sql/database/single-database-create-quickstart) or [Azure Synapse Analytics (formerly Azure SQL DW)](../synapse-analytics/get-started-create-workspace.md) with tables and views that you want to share.

+ 1. Connect to the Azure SQL Database/Data Warehouse using the [Query Editor](/azure/azure-sql/database/connect-query-portal#connect-using-azure-active-directory) or SQL Server Management Studio with Azure Active Directory authentication.

+ - [Azure SQL Database](/azure/azure-sql/database/single-database-create-quickstart)

+- An [Azure SQL Database](/azure/azure-sql/database/single-database-create-quickstart) or [Azure Synapse Analytics (formerly Azure SQL DW)](../synapse-analytics/get-started-create-workspace.md).

+- An [Azure SQL Database](/azure/azure-sql/database/single-database-create-quickstart) or [Azure Synapse Analytics (formerly Azure SQL DW)](../synapse-analytics/get-started-create-workspace.md).

+ 1. Connect to the Azure SQL Database/Data Warehouse using the [Query Editor](/azure/azure-sql/database/connect-query-portal#connect-using-azure-active-directory) or SQL Server Management Studio with Azure Active Directory authentication.

+```azurecli

+```

+```output

+ ```azurecli

+ ```azurecli

+Microsoft Defender for SQL includes two Microsoft Defender plans that extend Microsoft Defender for Cloud's [data security package](/azure/azure-sql/database/azure-defender-for-sql) to secure your databases and their data wherever they're located. Microsoft Defender for SQL includes functionalities for discovering and mitigating potential database vulnerabilities, and detecting anomalous activities that could indicate a threat to your databases.

+|Protected SQL versions:|[SQL on Azure virtual machines](/azure/azure-sql/virtual-machines/windows/sql-server-on-azure-vm-iaas-what-is-overview)<br>[SQL Server on Azure Arc-enabled servers](/sql/sql-server/azure-arc/overview)<br>On-premises SQL servers on Windows machines without Azure Arc<br>Azure SQL [single databases](/azure/azure-sql/database/single-database-overview) and [elastic pools](/azure/azure-sql/database/elastic-pool-overview)<br>[Azure SQL Managed Instance](/azure/azure-sql/managed-instance/sql-managed-instance-paas-overview)<br>[Azure Synapse Analytics (formerly SQL DW) dedicated SQL pool](../synapse-analytics/sql-data-warehouse/sql-data-warehouse-overview-what-is.md)|

+ - [Azure SQL Database](/azure/azure-sql/database/sql-database-paas-overview)

+ - [Azure SQL Managed Instance](/azure/azure-sql/managed-instance/sql-managed-instance-paas-overview)

+- Learn more about [vulnerability assessment for Azure SQL Database](/azure/azure-sql/database/sql-vulnerability-assessment).

+An advanced threat protection service continuously monitors your SQL servers for threats such as SQL injection, brute-force attacks, and privilege abuse. This service provides action-oriented security alerts in Microsoft Defender for Cloud with details of the suspicious activity, guidance on how to mitigate to the threats, and options for continuing your investigations with Microsoft Sentinel. Learn more about [advanced threat protection](/azure/azure-sql/database/threat-detection-overview).

+- Some of our detectors, including an [extended events trace](/azure/azure-sql/database/xevent-db-diff-from-svr) named `SQLAdvancedThreatProtectionTraffic`, run on the machine for real-time speed advantages.

+The integrated [vulnerability assessment scanner](/azure/azure-sql/database/sql-vulnerability-assessment) discovers, tracks, and helps you remediate potential database vulnerabilities. Assessment scans findings provide an overview of your SQL machines' security state, and details of any security findings.

+- **SQL Server on Azure VM** - Register your SQL Server VM with the SQL IaaS Agent extension as explained in [Register SQL Server VM with SQL IaaS Agent Extension](/azure/azure-sql/virtual-machines/windows/sql-agent-extension-manually-register-single-vm).

+- [If a Log Analytics agent reports to multiple workspaces, is the 500 MB free data ingestion available on all of them?](#if-a-log-analytics-agent-reports-to-multiple-workspaces-is-the-500-mb-free-data-ingestion-available-on-all-of-them)

+- [Is the 500 MB free data ingestion calculated for an entire workspace or strictly per machine?](#is-the-500-mb-free-data-ingestion-calculated-for-an-entire-workspace-or-strictly-per-machine)

+- [What data types are included in the 500 MB data daily allowance?](#what-data-types-are-included-in-the-500-mb-data-daily-allowance)

+### If a Log Analytics agent reports to multiple workspaces, is the 500 MB free data ingestion available on all of them?

+Yes. If you've configured your Log Analytics agent to send data to two or more different Log Analytics workspaces (multi-homing), you'll get 500 MB free data ingestion. It's calculated per node, per reported workspace, per day, and available for every workspace that has a 'Security' or 'AntiMalware' solution installed. You'll be charged for any data ingested over the 500 MB limit.

+### Is the 500 MB free data ingestion calculated for an entire workspace or strictly per machine?

+You'll get 500 MB free data ingestion per day, for every Windows machine connected to the workspace. Specifically for security data types directly collected by Defender for Cloud.

+This data is a daily rate averaged across all nodes. So even if some machines send 100-MB and others send 800-MB, if the total doesn't exceed the **[number of machines] x 500 MB** free limit, you won't be charged extra.

+### What data types are included in the 500 MB data daily allowance?

+1. As a user with **Security Admin** permissions, open Azure Policy and search for the definition `Enable Azure Security Center on your subscription`.

+ :::image type="content" source="./media/get-started/enable-microsoft-defender-for-cloud-policy.png" alt-text="Screenshot showing the Azure Policy definition Enable Defender for Cloud on your subscription." lightbox="media/get-started/enable-microsoft-defender-for-cloud-policy-extended.png":::

+ :::image type="content" source="./media/get-started/assign-policy.png" alt-text="Screenshot showing how to assign the definition Enable Defender for Cloud on your subscription.":::

+1. Select **Remediation**, and select **Create a remediation task** to ensure all existing subscriptions that don't have Defender for Cloud enabled, will get onboarded.

+ :::image type="content" source="./media/get-started/remediation-task.png" alt-text="Screenshot that shows how to create a remediation task for the Azure Policy definition Enable Defender for Cloud on your subscription.":::

+[Vulnerability assessment](/azure/azure-sql/database/sql-vulnerability-assessment) is an easy to configure service that can discover, track, and help you remediate potential database vulnerabilities. It provides visibility into your security posture as part of secure score and includes the steps to resolve security issues and enhance your database fortifications.

+[Advanced threat protection](/azure/azure-sql/database/threat-detection-overview) detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit your SQL server. It continuously monitors your database for suspicious activities and provides action-oriented security alerts on anomalous database access patterns. These alerts provide the suspicious activity details and recommended actions to investigate and mitigate the threat.

+SQL information protection's [data discovery and classification mechanism](/azure/azure-sql/database/data-discovery-and-classification-overview) provides advanced capabilities for discovering, classifying, labeling, and reporting the sensitive data in your databases. It's built into [Azure SQL Database](/azure/azure-sql/database/sql-database-paas-overview), [Azure SQL Managed Instance](/azure/azure-sql/managed-instance/sql-managed-instance-paas-overview), and [Azure Synapse Analytics](../synapse-analytics/sql-data-warehouse/sql-data-warehouse-overview-what-is.md).

+In this article, you learned about defining an information protection policy in Microsoft Defender for Cloud. To learn more about using SQL Information Protection to classify and protect sensitive data in your SQL databases, see [Azure SQL Database Data Discovery and Classification](/azure/azure-sql/database/data-discovery-and-classification-overview).

+| Vulnerability Assessment | View vulnerabilities for running images | AKS | Preview | Γ£ô (Preview) | Defender profile | Defender for Containers | Commercial clouds |

+ Lab Services does all infrastructure management, from spinning up VMs and scaling infrastructure to handling errors. After an IT administrator creates a Lab Services lab account, instructors can [create labs](../lab-services/quick-create-lab-portal.md) in the account. An instructor specifies the number and type of VMs they need for the class, and adds users to the class. Once users register in the class, they can access the VMs to do class exercises and homework.

+* A SQL Managed Instance to host SSISDB. If you need to create one, follow the detail in the article [Create a Azure SQL Managed Instance](/azure/azure-sql/managed-instance/instance-create-quickstart).

+* An instance of your target database server to host SSISDB. If you don't already have one, create a [logical SQL server](/azure/azure-sql/database/logical-servers) (without a database) using the Azure portal by navigating to the SQL Server (logical server only) [form](https://portal.azure.com/#create/Microsoft.SQLServer).

+* A SQL Managed Instance. You can create a SQL Managed Instance by following the detail in the article [Create a ASQL Managed Instance](/azure/azure-sql/managed-instance/instance-create-quickstart).

+* A SQL Managed Instance. You can create a SQL Managed Instance by following the detail in the article [Create a ASQL Managed Instance](/azure/azure-sql/managed-instance/instance-create-quickstart).

+* An Azure SQL Database instance. You can create an Azure SQL Database instance by following the detail in the article [Create a database in Azure SQL Database in the Azure portal](/azure/azure-sql/database/single-database-create-quickstart).

+* Create a server-level [firewall rule](/azure/azure-sql/database/firewall-configure) or [configure VNET service endpoints](../mysql/howto-manage-vnet-using-portal.md) for target Azure Database for MySQL to allow Virtual Network for Azure Database Migration Service access to the target databases.

+* Create a target [Azure SQL Managed Instance](/azure/azure-sql/managed-instance/create-configure-managed-instance-powershell-quickstart) or [SQL Server on Azure Virtual Machine](/azure/azure-sql/virtual-machines/windows/sql-vm-create-powershell-quickstart)

+ > If you have an existing Azure Virtual Machine, it should be registered with [SQL IaaS Agent extension in Full management mode](/azure/azure-sql/virtual-machines/windows/sql-server-iaas-agent-extension-automate-management#management-modes).

+* The source SQL Server instance certificate from a database protected by Transparent Data Encryption (TDE) needs to be migrated to the target Azure SQL Managed Instance or SQL Server on Azure Virtual Machine before migrating data. To learn more, see [Migrate a certificate of a TDE-protected database to Azure SQL Managed Instance](/azure/azure-sql/managed-instance/tde-certificate-migrate) and [Move a TDE Protected Database to Another SQL Server](/sql/relational-databases/security/encryption/move-a-tde-protected-database-to-another-sql-server).

+1. **Target Azure SQL**: Supported Azure SQL targets are Azure SQL Managed Instance or SQL Server on Azure Virtual Machines (registered with SQL IaaS Agent extension in [Full management mode](/azure/azure-sql/virtual-machines/windows/sql-server-iaas-agent-extension-automate-management#management-modes))

+* Create a target [Azure SQL Managed Instance](/azure/azure-sql/managed-instance/instance-create-quickstart) or [SQL Server on Azure Virtual Machine](/azure/azure-sql/virtual-machines/windows/create-sql-vm-portal)

+ > If you have an existing Azure Virtual Machine, it should be registered with [SQL IaaS Agent extension in Full management mode](/azure/azure-sql/virtual-machines/windows/sql-server-iaas-agent-extension-automate-management#management-modes).

+* The source SQL Server instance certificate from a database protected by Transparent Data Encryption (TDE) needs to be migrated to the target Azure SQL Managed Instance or SQL Server on Azure Virtual Machine before migrating data. To learn more, see [Migrate a certificate of a TDE-protected database to Azure SQL Managed Instance](/azure/azure-sql/managed-instance/tde-certificate-migrate) and [Move a TDE Protected Database to Another SQL Server](/sql/relational-databases/security/encryption/move-a-tde-protected-database-to-another-sql-server).

+* Create an instance of Azure SQL Database instance, which you do by following the detail in the article [Create a database in Azure SQL Database in the Azure portal](/azure/azure-sql/database/single-database-create-quickstart).

+* Create a server-level [firewall rule](/azure/azure-sql/database/firewall-configure) for SQL Database to allow the Azure Database Migration Service access to the target databases. Provide the subnet range of the virtual network used for the Azure Database Migration Service.

+* Create a SQL Managed Instance by following the detail in the article [Create a Azure SQL Managed Instance in the Azure portal](/azure/azure-sql/managed-instance/instance-create-quickstart).

+* Create a server-level [firewall rule](/azure/azure-sql/database/firewall-configure) for Azure Database for PostgreSQL source to allow Azure Database Migration Service to access to the source databases. Provide the subnet range of the virtual network used for Azure Database Migration Service.

+* Create a server-level [firewall rule](/azure/azure-sql/database/firewall-configure) for Azure Database for PostgreSQL target to allow Azure Database Migration Service to access to the target databases. Provide the subnet range of the virtual network used for Azure Database Migration Service.

+* Create a server-level [firewall rule](/azure/azure-sql/database/firewall-configure) or [configure VNET service endpoints](../mysql/howto-manage-vnet-using-portal.md) for target Azure Database for MySQL to allow Virtual Network for Azure Database Migration Service access to the target databases.

+You can use the Azure SQL migration extension in Azure Data Studio to migrate the database(s) from a SQL Server instance to Azure SQL Managed Instance. For methods that may require some manual effort, see the article [SQL Server instance migration to Azure SQL Managed Instance](/azure/azure-sql/migration-guides/managed-instance/sql-server-to-managed-instance-guide).

+* Create a target [Azure SQL Managed Instance](/azure/azure-sql/managed-instance/instance-create-quickstart).

+* If you're migrating a database protected by Transparent Data Encryption (TDE), the certificate from the source SQL Server instance needs to be migrated to your target Azure SQL Managed Instance before database restore. To learn more, see [Migrate a certificate of a TDE-protected database to Azure SQL Managed Instance](/azure/azure-sql/managed-instance/tde-certificate-migrate).

+> After the migration, availability of SQL Managed Instance with Business Critical service tier can take significantly longer than General Purpose as three secondary replicas have to be seeded for AlwaysOn High Availability group. This operation duration depends on the size of data, for more information, see [Management operations duration](/azure/azure-sql/managed-instance/management-operations-overview#duration).

+* For a tutorial showing you how to migrate a database to SQL Managed Instance using the T-SQL RESTORE command, see [Restore a backup to SQL Managed Instance using the restore command](/azure/azure-sql/managed-instance/restore-sample-database-quickstart).

+* For information about SQL Managed Instance, see [What is SQL Managed Instance](/azure/azure-sql/managed-instance/sql-managed-instance-paas-overview).

+* For information about connecting apps to SQL Managed Instance, see [Connect applications](/azure/azure-sql/managed-instance/connect-application-instance).

+Use the Azure SQL migration extension in Azure Data Studio to migrate database(s) from a SQL Server instance to an [Azure SQL Managed Instance](../azure-sql/managed-instance/sql-managed-instance-paas-overview.md) with minimal downtime. For methods that may require some manual effort, see the article [SQL Server instance migration to Azure SQL Managed Instance](/azure/azure-sql/migration-guides/managed-instance/sql-server-to-managed-instance-guide).

+* Create a target [Azure SQL Managed Instance](/azure/azure-sql/managed-instance/instance-create-quickstart).

+* The source SQL Server instance certificate from a database protected by Transparent Data Encryption (TDE) needs to be migrated to the target Azure SQL Managed Instance or SQL Server on Azure Virtual Machine before migrating data. To learn more, see [Migrate a certificate of a TDE-protected database to Azure SQL Managed Instance](/azure/azure-sql/managed-instance/tde-certificate-migrate) and [Move a TDE Protected Database to Another SQL Server](/sql/relational-databases/security/encryption/move-a-tde-protected-database-to-another-sql-server).

+> After the cutover, availability of SQL Managed Instance with Business Critical service tier only can take significantly longer than General Purpose as three secondary replicas have to be seeded for AlwaysOn High Availability group. This operation duration depends on the size of data, for more information, see [Management operations duration](/azure/azure-sql/managed-instance/management-operations-overview#duration).

+* For a tutorial showing you how to migrate a database to SQL Managed Instance using the T-SQL RESTORE command, see [Restore a backup to SQL Managed Instance using the restore command](/azure/azure-sql/managed-instance/restore-sample-database-quickstart).

+* For information about SQL Managed Instance, see [What is SQL Managed Instance](/azure/azure-sql/managed-instance/sql-managed-instance-paas-overview).

+* For information about connecting apps to SQL Managed Instance, see [Connect applications](/azure/azure-sql/managed-instance/connect-application-instance).

+You can use Azure Database Migration Service to migrate the databases from a SQL Server instance to an [Azure SQL Managed Instance](/azure/azure-sql/managed-instance/sql-managed-instance-paas-overview) with minimal downtime. For additional methods that may require some manual effort, see the article [SQL Server instance migration to Azure SQL Managed Instance](/azure/azure-sql/migration-guides/managed-instance/sql-server-to-managed-instance-guide).

+* Create a SQL Managed Instance by following the detail in the article [Create a SQL Managed Instance in the Azure portal](/azure/azure-sql/managed-instance/instance-create-quickstart).

+ > When you migrate a database that's protected by [Transparent Data Encryption](/azure/azure-sql/database/transparent-data-encryption-tde-overview) to a managed instance by using online migration, the corresponding certificate from the on-premises or Azure VM SQL Server instance must be migrated before the database restore. For detailed steps, see [Migrate a TDE cert to a managed instance](/azure/azure-sql/database/transparent-data-encryption-tde-overview).

+ If you haven't already provisioned the SQL Managed Instance, select the [link](/azure/azure-sql/managed-instance/instance-create-quickstart) to help you provision the instance. When the SQL Managed Instance is ready, return to this specific project to execute the migration.

+ > After the cutover, availability of SQL Managed Instance with Business Critical service tier only can take significantly longer than General Purpose as three secondary replicas have to be seeded for AlwaysOn High Availability group. This operation duration depends on the size of data, for more information see [Management operations duration](/azure/azure-sql/managed-instance/management-operations-overview#duration).

+* For a tutorial showing you how to migrate a database to SQL Managed Instance using the T-SQL RESTORE command, see [Restore a backup to SQL Managed Instance using the restore command](/azure/azure-sql/managed-instance/restore-sample-database-quickstart).

+* For information about SQL Managed Instance, see [What is SQL Managed Instance](/azure/azure-sql/managed-instance/sql-managed-instance-paas-overview).

+* For information about connecting apps to SQL Managed Instance, see [Connect applications](/azure/azure-sql/managed-instance/connect-application-instance).

+- Create a database in Azure SQL Database, which you do by following the details in the article [Create a database in Azure SQL Database using the Azure portal](/azure/azure-sql/database/single-database-create-quickstart). For purposes of this tutorial, the name of the Azure SQL Database is assumed to be **AdventureWorksAzure**, but you can provide whatever name you wish.

+- Create a server-level IP [firewall rule](/azure/azure-sql/database/firewall-configure) for Azure SQL Database to allow Azure Database Migration Service access to the target databases. Provide the subnet range of the virtual network used for Azure Database Migration Service.

+- For information about Azure SQL Database, see the article [What is the Azure SQL Database service?](/azure/azure-sql/database/sql-database-paas-overview).

+You can use Azure Database Migration Service to migrate the databases from a SQL Server instance to an [Azure SQL Managed Instance](/azure/azure-sql/managed-instance/sql-managed-instance-paas-overview). For additional methods that may require some manual effort, see the article [SQL Server to Azure SQL Managed Instance](/azure/azure-sql/migration-guides/managed-instance/sql-server-to-managed-instance-guide).

+- Create a SQL Managed Instance by following the detail in the article [Create a SQL Managed Instance in the Azure portal](/azure/azure-sql/managed-instance/instance-create-quickstart).

+ If you haven't already provisioned the SQL Managed Instance, select the [link](/azure/azure-sql/managed-instance/instance-create-quickstart) to help you provision the instance. You can still continue with project creation and then, when the SQL Managed Instance is ready, return to this specific project to execute the migration.

+- For a tutorial showing you how to migrate a database to SQL Managed Instance using the T-SQL RESTORE command, see [Restore a backup to SQL Managed Instance using the restore command](/azure/azure-sql/managed-instance/restore-sample-database-quickstart).

+- For information about SQL Managed Instance, see [What is SQL Managed Instance](/azure/azure-sql/managed-instance/sql-managed-instance-paas-overview).

+- For information about connecting apps to SQL Managed Instance, see [Connect applications](/azure/azure-sql/managed-instance/connect-application-instance).

+Use the Azure SQL migration extension in Azure Data Studio to migrate the databases from a SQL Server instance to a [SQL Server on Azure Virtual Machine (SQL Server 2016 and above)](/azure/azure-sql/virtual-machines/windows/sql-server-on-azure-vm-iaas-what-is-overview) with minimal downtime. For methods that may require some manual effort, see the article [SQL Server instance migration to SQL Server on Azure Virtual Machine](/azure/azure-sql/migration-guides/virtual-machines/sql-server-to-sql-on-azure-vm-migration-overview).

+* Create a target [SQL Server on Azure Virtual Machine](/azure/azure-sql/virtual-machines/windows/create-sql-vm-portal).

+ > If you have an existing Azure Virtual Machine, it should be registered with [SQL IaaS Agent extension in Full management mode](/azure/azure-sql/virtual-machines/windows/sql-server-iaas-agent-extension-automate-management#management-modes).

+* For a tutorial showing you how to migrate a database to SQL Server on Azure Virtual Machines using the T-SQL RESTORE command, see [Migrate a SQL Server database to SQL Server on a virtual machine](/azure/azure-sql/virtual-machines/windows/migrate-to-vm-from-sql-server).

+* For information about SQL Server on Azure Virtual Machines, see [Overview of SQL Server on Azure Windows Virtual Machines](/azure/azure-sql/virtual-machines/windows/sql-server-on-azure-vm-iaas-what-is-overview).

+* For information about connecting apps to SQL Server on Azure Virtual Machines, see [Connect applications](/azure/azure-sql/virtual-machines/windows/ways-to-connect-to-sql).

+Use the Azure SQL migration extension in Azure Data Studio to migrate the databases from a SQL Server instance to a [SQL Server on Azure Virtual Machine (SQL Server 2016 and above)](/azure/azure-sql/virtual-machines/windows/sql-server-on-azure-vm-iaas-what-is-overview) with minimal downtime. For methods that may require some manual effort, see the article [SQL Server instance migration to SQL Server on Azure Virtual Machine](/azure/azure-sql/migration-guides/virtual-machines/sql-server-to-sql-on-azure-vm-migration-overview).

+* Create a target [SQL Server on Azure Virtual Machine](/azure/azure-sql/virtual-machines/windows/create-sql-vm-portal).

+ > If you have an existing Azure Virtual Machine, it should be registered with [SQL IaaS Agent extension in Full management mode](/azure/azure-sql/virtual-machines/windows/sql-server-iaas-agent-extension-automate-management#management-modes).

+* How to migrate a database to SQL Server on Azure Virtual Machines using the T-SQL RESTORE command, see [Migrate a SQL Server database to SQL Server on a virtual machine](/azure/azure-sql/virtual-machines/windows/migrate-to-vm-from-sql-server).

+* For information about SQL Server on Azure Virtual Machines, see [Overview of SQL Server on Azure Windows Virtual Machines](/azure/azure-sql/virtual-machines/windows/sql-server-on-azure-vm-iaas-what-is-overview).

+* For information about connecting apps to SQL Server on Azure Virtual Machines, see [Connect applications](/azure/azure-sql/virtual-machines/windows/ways-to-connect-to-sql).

+For more information on additional design considerations of a multitenant application, see [Hosting a Multi-Tenant Application on Azure][Hosting a Multi-Tenant Application on Azure]. For information on common data architecture patterns of multi-tenant software-as-a-service (SaaS) database applications, see [Design Patterns for Multi-tenant SaaS Applications with Azure SQL Database](/azure/azure-sql/database/saas-tenancy-app-design-patterns).

+If you need to publish events to a specific partition within an event hub, set the `PartitionKey` property on your event subscription to specify the partition key that identifies the target event hub partition.

+ ```azurecli

+ ```azurecli

+ ```azurecli

+ ```azurecli

+* If you are using public peering and currently have IP Network rules for public IP addresses that are used to access [Azure Storage](../storage/common/storage-network-security.md) or [Azure SQL Database](/azure/azure-sql/database/vnet-service-endpoint-rule-overview), you need to make sure that the NAT IP pool configured with Microsoft peering is included in the list of public IP addresses for the Azure storage account or Azure SQL account.

+SQL FQDN filtering is supported in [proxy-mode](/azure/azure-sql/database/connectivity-architecture#connection-policy) only (port 1433). *Proxy* mode can result in more latency compared to *redirect*. If you want to continue using redirect mode, which is the default for clients connecting within Azure, you can filter access using FQDN in firewall network rules.

+SQL FQDN filtering is supported in [proxy-mode](/azure/azure-sql/database/connectivity-architecture#connection-policy) only (port 1433). If you use SQL in the default redirect mode, you can filter access using the SQL service tag as part of [network rules](features.md#network-traffic-filtering-rules).

+2. If you filter traffic to Azure SQL Database, Azure Synapse Analytics, or SQL Managed Instance, ensure the SQL connectivity mode is set to **Proxy**. To learn how to switch SQL connectivity mode, see [Azure SQL Connectivity Settings](/azure/azure-sql/database/connectivity-settings#change-the-connection-policy-via-the-azure-cli).

+2. If you filter traffic to Azure SQL Database, Azure Synapse Analytics, or SQL Managed Instance, ensure the SQL connectivity mode is set to **Proxy**. To learn how to switch SQL connectivity mode, see [Azure SQL Connectivity Settings](/azure/azure-sql/database/connectivity-settings#change-the-connection-policy-via-the-azure-cli).

+2. If you filter traffic to Azure SQL Database, Azure Synapse Analytics, or SQL Managed Instance, ensure the SQL connectivity mode is set to **Proxy**. To learn how to switch SQL connectivity mode, see [Azure SQL Connectivity Settings](/azure/azure-sql/database/connectivity-settings#change-the-connection-policy-via-the-azure-cli).

+To learn about SQL proxy and redirect modes, see [Azure SQL Database connectivity architecture](/azure/azure-sql/database/connectivity-architecture).

+* The remote address represents the original client IP that is either from the network connection or typically the X-Forwarded-For request header if the user is behind a proxy. Use the [socket address](#socket-address) match condition (available in Standard/Premium), if you need to match based on the TCP request's IP address.

+Azure's [SQL Vulnerability Assessment service](/azure/azure-sql/database/sql-vulnerability-assessment)

+ - An [Azure SQL Database](/azure/azure-sql/database/sql-database-paas-overview) server

+[SQL Vulnerability Assessment service](/azure/azure-sql/database/sql-vulnerability-assessment)

+```azurecli

+```azurecli

+|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse](https://aka.ms/disksse) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](../../../virtual-machines/disk-encryption-overview.md#comparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |

+|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse](https://aka.ms/disksse) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](../../../virtual-machines/disk-encryption-overview.md#comparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |

+|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse](https://aka.ms/disksse) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](../../../virtual-machines/disk-encryption-overview.md#comparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |

+|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse](https://aka.ms/disksse) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](../../../virtual-machines/disk-encryption-overview.md#comparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |

+|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse](https://aka.ms/disksse) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](../../../virtual-machines/disk-encryption-overview.md#comparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |

+|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse](https://aka.ms/disksse) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](../../../virtual-machines/disk-encryption-overview.md#comparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |

+|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse](https://aka.ms/disksse) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](../../../virtual-machines/disk-encryption-overview.md#comparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |

+|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse](https://aka.ms/disksse) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](../../../virtual-machines/disk-encryption-overview.md#comparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |

+|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse](https://aka.ms/disksse) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](../../../virtual-machines/disk-encryption-overview.md#comparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |

+|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse](https://aka.ms/disksse) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](../../../virtual-machines/disk-encryption-overview.md#comparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |

+|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse](https://aka.ms/disksse) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](../../../virtual-machines/disk-encryption-overview.md#comparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |

+|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse](https://aka.ms/disksse) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](../../../virtual-machines/disk-encryption-overview.md#comparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |

+|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse](https://aka.ms/disksse) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](../../../virtual-machines/disk-encryption-overview.md#comparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |

+|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse](https://aka.ms/disksse) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](../../../virtual-machines/disk-encryption-overview.md#comparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |

+|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse](https://aka.ms/disksse) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](../../../virtual-machines/disk-encryption-overview.md#comparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |

+|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse](https://aka.ms/disksse) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](../../../virtual-machines/disk-encryption-overview.md#comparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |

+|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse](https://aka.ms/disksse) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](../../../virtual-machines/disk-encryption-overview.md#comparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |

+|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse](https://aka.ms/disksse) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](../../../virtual-machines/disk-encryption-overview.md#comparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |

+|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse](https://aka.ms/disksse) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](../../../virtual-machines/disk-encryption-overview.md#comparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |

+|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse](https://aka.ms/disksse) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](../../../virtual-machines/disk-encryption-overview.md#comparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |

+|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse](https://aka.ms/disksse) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](../../../virtual-machines/disk-encryption-overview.md#comparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |

+|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse](https://aka.ms/disksse) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](../../../virtual-machines/disk-encryption-overview.md#comparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |

+|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse](https://aka.ms/disksse) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](../../../virtual-machines/disk-encryption-overview.md#comparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |

+|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse](https://aka.ms/disksse) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](../../../virtual-machines/disk-encryption-overview.md#comparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |

+|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse](https://aka.ms/disksse) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](../../../virtual-machines/disk-encryption-overview.md#comparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |

+|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse](https://aka.ms/disksse) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](../../../virtual-machines/disk-encryption-overview.md#comparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |

+|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse](https://aka.ms/disksse) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](../../../virtual-machines/disk-encryption-overview.md#comparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |

+|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse](https://aka.ms/disksse) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](../../../virtual-machines/disk-encryption-overview.md#comparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |

+|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse](https://aka.ms/disksse) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](../../../virtual-machines/disk-encryption-overview.md#comparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |

+|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse](https://aka.ms/disksse) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](../../../virtual-machines/disk-encryption-overview.md#comparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |

+|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse](https://aka.ms/disksse) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](../../../virtual-machines/disk-encryption-overview.md#comparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |

+|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse](https://aka.ms/disksse) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](../../../virtual-machines/disk-encryption-overview.md#comparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |

+|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse](https://aka.ms/disksse) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](../../../virtual-machines/disk-encryption-overview.md#comparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |

+|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse](https://aka.ms/disksse) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](../../../virtual-machines/disk-encryption-overview.md#comparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |

+|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse](https://aka.ms/disksse) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](../../../virtual-machines/disk-encryption-overview.md#comparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |

+|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse](https://aka.ms/disksse) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](../../../virtual-machines/disk-encryption-overview.md#comparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |

+|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse](https://aka.ms/disksse) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](../../../virtual-machines/disk-encryption-overview.md#comparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |

+|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse](https://aka.ms/disksse) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](../../../virtual-machines/disk-encryption-overview.md#comparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |

+|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse](https://aka.ms/disksse) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](../../../virtual-machines/disk-encryption-overview.md#comparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |

+|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse](https://aka.ms/disksse) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](../../../virtual-machines/disk-encryption-overview.md#comparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |

+|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse](https://aka.ms/disksse) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](../../../virtual-machines/disk-encryption-overview.md#comparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |

+|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse](https://aka.ms/disksse) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](../../../virtual-machines/disk-encryption-overview.md#comparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |

+|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse](https://aka.ms/disksse) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](../../../virtual-machines/disk-encryption-overview.md#comparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |

+|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse](https://aka.ms/disksse) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](../../../virtual-machines/disk-encryption-overview.md#comparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |

+|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse](https://aka.ms/disksse) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](../../../virtual-machines/disk-encryption-overview.md#comparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |

+|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse](https://aka.ms/disksse) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](../../../virtual-machines/disk-encryption-overview.md#comparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |

+ > **Get started**: [Create a database in Azure SQL Database in minutes by using the Azure portal](/azure/azure-sql/database/single-database-create-quickstart).

+HDInsight creates a database in SQL Database under the hood to serve as the database for Ambari server. The default [service tier is S0](/azure/azure-sql/database/elastic-pool-scale).

+> Only tenant administrators have the privileges to enable Azure AD DS. If the cluster storage is Azure Data Lake Storage Gen1 or Gen2, you must disable Azure AD Multi-Factor Authentication only for users who will need to access the cluster by using basic Kerberos authentication. If your organization requires Multi-Factor Authentication, try using the [HDInsight ID Broker feature](identity-broker.md).

+> You can use [trusted IPs](../../active-directory/authentication/howto-mfa-mfasettings.md#trusted-ips) or [Conditional Access](../../active-directory/conditional-access/overview.md) to disable Multi-Factor Authentication for specific users *only* when they're accessing the IP range for the HDInsight cluster's virtual network.

+| | Configure [Azure virtual network service endpoints](../../virtual-network/virtual-network-service-endpoints-overview.md) for Cosmos DB and [Azure SQL DB](/azure/azure-sql/database/vnet-service-endpoint-rule-overview) | Customer |

+* [Azure SQL Database](/azure/azure-sql/database/sql-database-paas-overview) is an implementation of Microsoft SQL Server. For more information on performance, see [Tuning Performance in Azure SQL Database](/azure/azure-sql/database/performance-guidance).

+* A client to query the Azure SQL Database. Consider using [SQL Server Management Studio](/azure/azure-sql/database/connect-query-ssms) or [Visual Studio Code](/azure/azure-sql/database/connect-query-vscode).

+ The [logical SQL server](/azure/azure-sql/database/logical-servers) name will be `<ClusterName>dbserver`. The database name will be `<ClusterName>db`. The default storage account name will be `e6qhezrh2pdqu`.

+* [Azure SQL DTU Connection Limits](/azure/azure-sql/database/resource-limits-dtu-single-databases): Learn about Azure SQL database limits using DTU.

+* [Azure SQL vCore Connection Limits](/azure/azure-sql/database/resource-limits-vcore-elastic-pools): Learn about Azure SQL database limits using vCores.

+HDInsight uses [Azure SQL Database](https://azure.microsoft.com/support/legal/sla/azure-sql-database/v1_4/) as a metastore, which provides an SLA of 99.99%. Three replicas of data persist within a data center with synchronous replication. If there is a replica loss, an alternate replica is served seamlessly. [Active geo-replication](/azure/azure-sql/database/active-geo-replication-overview) is supported out of the box with a maximum of four data centers. When there is a failover, either manual or data center, the first replica in the hierarchy will automatically become read-write capable. For more information, see [Azure SQL Database business continuity](/azure/azure-sql/database/business-continuity-high-availability-disaster-recover-hadr-overview).

+In normal cluster creation, as described in other articles such as [Set up clusters in HDInsight](hdinsight-hadoop-provision-linux-clusters.md), Ambari is deployed in an [S0 Azure SQL Database](/azure/azure-sql/database/resource-limits-dtu-single-databases#standard-service-tier) that is managed by HDInsight and is not accessible to users.

+- Turn on the option to [Allow access to Azure services](/azure/azure-sql/database/vnet-service-endpoint-rule-overview#azure-portal-steps) on the server where you will host Ambari.

+- Back up your custom Ambari DB periodically. Azure SQL Database generates backups automatically, but the backup retention time-frame varies. For more information, see [Learn about automatic SQL Database backups](/azure/azure-sql/database/automated-backups-overview).

+1. Create an Azure SQL Database. See [Create an Azure SQL Database in the Azure portal](/azure/azure-sql/database/single-database-create-quickstart).

+1. To make sure that your HDInsight cluster can access the connected Azure SQL Database, configure Azure SQL Database firewall rules to allow Azure services and resources to access the server. You can enable this option in the Azure portal by selecting **Set server firewall**, and selecting **ON** underneath **Allow Azure services and resources to access this server** for Azure SQL Database. For more information, see [Create and manage IP firewall rules](/azure/azure-sql/database/firewall-configure#use-the-azure-portal-to-manage-server-level-ip-firewall-rules).

+1. Use [Query editor](/azure/azure-sql/database/single-database-create-quickstart#query-the-database) to execute the following SQL statements to create the `dailyflights` table that will store the summarized data from each run of the pipeline.

+ | Rule_6 | TCP | * | SQL | 1433 , 11000-11999 | If you are using the default sql servers provided by HDInsight, configure a network rule in the Service Tags section for SQL that will allow you to log and audit SQL traffic. Unless you configured Service Endpoints for SQL Server on the HDInsight subnet, which will bypass the firewall. If you are using custom SQL server for Ambari, Oozie, Ranger and Hive metastores then you only need to allow the traffic to your own custom SQL Servers. Refer to [Azure SQL Database and Azure Synapse Analytics connectivity architecture](/azure/azure-sql/database/connectivity-architecture) to see why 11000-11999 port range is also needed in addition to 1433. |

+For more information about database backup and restore, see [Recover a database in Azure SQL Database by using automated database backups](/azure/azure-sql/database/recovery-using-backups).

+Create or have an existing Azure SQL Database before setting up a custom Hive metastore for a HDInsight cluster. For more information, see [Quickstart: Create a single database in Azure SQL Database](/azure/azure-sql/database/single-database-create-quickstart?tabs=azure-portal).

+While creating the cluster, HDInsight service needs to connect to the external metastore and verify your credentials. Configure Azure SQL Database firewall rules to allow Azure services and resources to access the server. Enable this option in the Azure portal by selecting **Set server firewall**. Then select **No** underneath **Deny public network access**, and **Yes** underneath **Allow Azure services and resources to access this server** for Azure SQL Database. For more information, see [Create and manage IP firewall rules](/azure/azure-sql/database/firewall-configure#use-the-azure-portal-to-manage-server-level-ip-firewall-rules)

+* Back up your custom metastore periodically. Azure SQL Database generates backups automatically, but the backup retention timeframe varies. For more information, see [Learn about automatic SQL Database backups](/azure/azure-sql/database/automated-backups-overview).

+* **An Azure SQL Database**. See [Create a database in Azure SQL Database in the Azure portal](/azure/azure-sql/database/single-database-create-quickstart). This article uses a database named **oozietest**.

+2. Edit the code below to replace `<serverName>` with your [logical SQL server](/azure/azure-sql/database/logical-servers) name, and `<sqlLogin>` with the server login. Enter the command to connect to the prerequisite SQL database. Enter the password at the prompt.

+* If the cluster uses an external Hive metastore, create a copy of it. Options include [export/import](/azure/azure-sql/database/database-export) and [point-in-time restore](/azure/azure-sql/database/recovery-using-backups#point-in-time-restore).

+ > SQL Syntax in these scripts is not necessarily compatible to other client tools. For example, [SSMS](/sql/ssms/download-sql-server-management-studio-ssms) and [Query Editor on Azure Portal](/azure/azure-sql/database/connect-query-portal) require keyword `GO` after each command.

+4. Import the BACPAC file to a new database with steps listed [here](/azure/azure-sql/database/database-import).

+* A database in Azure SQL Database. You use the database as a destination data store. If you don't have a database in Azure SQL Database, see [Create a database in Azure SQL Database in the Azure portal](/azure/azure-sql/database/single-database-create-quickstart).

+* Azure SQL Database. Follow the instructions at [Create a database in Azure SQL Database](/azure/azure-sql/database/single-database-create-quickstart). Make sure you create a database with the sample **AdventureWorksLT** schema and data. Also, make sure you create a server-level firewall rule to allow your client's IP address to access the SQL database. The instructions to add the firewall rule is available in the same article. Once you've created your SQL database, make sure you keep the following values handy. You need them to connect to the database from a Spark cluster.

+* SQL Server Management Studio (SSMS). Follow the instructions at [Use SSMS to connect and query data](/azure/azure-sql/database/connect-query-ssms).

+```azurecli

+```azurecli

+```azurecli

+```azurecli

+```azurecli

+```azurecli

+>Azure AD access from the Azure portal is currently not available during preview.

+ > [!IMPORTANT]

+ > * Do not change the second half of the storage mount value, which points to a specific location in the Blob Storage on IoT Edge module. The storage mount must always end with **:/blobroot** for Linux containers and **:C:/BlobRoot** for Windows containers.

+ >

+ > * IoT Edge does not remove volumes attached to module containers. This behavior is by design, as it allows persisting the data across container instances such as upgrade scenarios. However, if these volumes are left unused, then it may lead to disk space exhaustion and subsequent system errors. If you use docker volumes in your scenario, then we encourage you to use docker tools such as [docker volume prune](https://docs.docker.com/engine/reference/commandline/volume_prune/) and [docker volume rm](https://docs.docker.com/engine/reference/commandline/volume_rm/) to remove the unused volumes, especially for production scenarios.

+ > [!IMPORTANT]

+ > * Do not change the second half of the storage mount value, which points to a specific location in the Blob Storage on IoT Edge module. The storage mount must always end with **:/blobroot** for Linux containers and **:C:/BlobRoot** for Windows containers.

+ >

+ > * IoT Edge does not remove volumes attached to module containers. This behavior is by design, as it allows persisting the data across container instances such as upgrade scenarios. However, if these volumes are left unused, then it may lead to disk space exhaustion and subsequent system errors. If you use docker volumes in your scenario, then we encourage you to use docker tools such as [docker volume prune](https://docs.docker.com/engine/reference/commandline/volume_prune/) and [docker volume rm](https://docs.docker.com/engine/reference/commandline/volume_rm/) to remove the unused volumes, especially for production scenarios.

+ * Manage volumes

+### Manage volumes

+IoT Edge does not remove volumes attached to module containers. This behavior is by design, as it allows persisting the data across container instances such as upgrade scenarios. However, if these volumes are left unused, then it may lead to disk space exhaustion and subsequent system errors. If you use docker volumes in your scenario, then we encourage you to use docker tools such as [docker volume prune](https://docs.docker.com/engine/reference/commandline/volume_prune/) and [docker volume rm](https://docs.docker.com/engine/reference/commandline/volume_rm/) to remove the unused volumes, especially for production scenarios.

+> [!TIP]

+> For guidance on interactive debugging in Visual Studio Code or Visual Studio 2019:

+>* [Use Visual Studio Code to develop and debug modules for Azure IoT Edge](how-to-vs-code-develop-module.md)

+>* [Use Visual Studio 2019 to develop and debug modules for Azure IoT Edge](how-to-visual-studio-develop-module.md)

+>

+>This tutorial teaches the development steps for Visual Studio Code.

+```azurecli

+```azurecli

+```azurecli

+```azurecli

+ ```azurecli

+|Azure SQL Database|[Transparent Data Encryption with Bring Your Own Key support for Azure SQL Database and Azure Synapse Analytics](/azure/azure-sql/database/transparent-data-encryption-byok-overview).|

+```azurecli

+```azurecli

+```azurecli

+- Generate (or import using [BYOK](hsm-protected-keys-byok.md)) keys and use them to encrypt your data at rest in Azure services such as [Azure Storage](../../storage/common/customer-managed-keys-overview.md), [Azure SQL](/azure/azure-sql/database/transparent-data-encryption-byok-overview), [Azure Information Protection](/azure/information-protection/byok-price-restrictions), and [Customer Key for Microsoft 365](/microsoft-365/compliance/customer-key-set-up). For a more complete list of Azure services which work with Managed HSM, see [Data Encryption Models](../../security/fundamentals/encryption-models.md#supporting-services).

+```azurecli

+```azurecli

+```azurecli

+```azurecli

+ Title: Accelerated lab account setup guide (deprecated)

+description: This guide helps administrators quickly set up a lab account for use within their school. (deprecated)

+# Lab account setup guide (deprecated)

+- Prerequisites

+- Plan your lab account settings

+- Set up your lab account

+The following sections outline what you need to do before you can set up a lab account.

+To create a lab account, you need access to an Azure subscription that's already set up for your school. Your school might have one or more subscriptions. You use a subscription to manage billing and security for all your Azure resources and services, including lab accounts. Azure subscriptions are managed by your IT department. For more information, see [Azure Lab Services - Administrator guide](./administrator-guide-1.md#subscription).

+It's important to know how many [virtual machines (VMs) and which VM sizes](./administrator-guide-1.md#vm-sizing) your school lab requires.

+For more information on how to structure labs, see the "Lab" section of [Azure Lab Services - Administrator guide](./administrator-guide-1.md#lab).

+To get started quickly, create a single lab account within its own resource group. Later, you can create more lab accounts and resource groups, as needed. For example, you might eventually have one lab account and resource group per department as a way to clearly separate costs.

+- The "Resource group" section of [Azure Lab Services - Administrator guide](./administrator-guide-1.md#resource-group)

+- The "Lab account" section of [Azure Lab Services - Administrator guide](./administrator-guide-1.md#lab-account)

+Your school's IT administrators ordinarily take on the Owner and Contributor roles for a lab account. These roles are responsible for managing the policies that apply to all the labs in the lab account. The person who creates the lab account is automatically an Owner. You can add more Owners and Contributors from the Azure Active Directory (Azure AD) tenant that's associated with your subscription.

+For more information about the lab account Owner and Contributor roles, see the "Manage identity" section of [Azure Lab Services - Administrator guide](./administrator-guide-1.md#manage-identity).

+For more information about the Lab Creator role, see the "Manage identity" section of [Azure Lab Services - Administrator guide](./administrator-guide-1.md#manage-identity).

+You can also choose to have IT and faculty members own\manage labs *without* giving them the ability to create labs. In this case, users from your subscription's Azure AD tenant are assigned either the Owner or Contributor for existing labs.

+For more information about the lab Owner and Contributor roles, see the "Manage identity" section of [Azure Lab Services - Administrator guide](./administrator-guide-1.md#manage-identity).

+Shared Image Gallery is a service that you can use for saving and sharing images. For classes that need to use the same image, Lab Creators can create the image and then export it to a shared image gallery. After an image is exported to the shared image gallery, it can be used to create new labs.

+- The "Shared image gallery" section of [Azure Lab Services - Administrator guide](./administrator-guide-1.md#shared-image-gallery)

+- The "Pricing" section of [Azure Lab Services - Administrator guide](./administrator-guide-1.md#pricing)

+Azure Marketplace provides hundreds of images that you can enable so that Lab Creators can use them for creating their labs. Some images might include everything that a lab already needs. In other cases, you might use an image as a starting point, and then the Lab Creator can customize it by installing more applications or tools.

+If you don't know which images you need, you can come back later to enable them. The best way to see which images are available is to create a lab account. Lab account creation will also give you access to review the list of available images and their contents.

+When you set up a lab account, you also can peer your lab account with a virtual network. Keep in mind that both your virtual network and the lab account must be located in the same region. To decide whether you need to peer with a virtual network, consider the following scenarios:

+ When you use Azure Marketplace images, the cost of the operating system license is bundled into the pricing for lab services. However, you don't need to provide licenses for the operating system itself. For any other software and applications that are installed, you do need to provide a license, as appropriate. To access a license server:

+ - You may choose to connect to an on-premises license server. Connecting to an on-premises license server requires additional setup.

+ - Another option, which is faster to set up, is to create a license server that you host on an Azure VM. The Azure VM is located within a virtual network that you peer with your lab account.

+ You can access the Azure resources that *aren't* secured in a virtual network through the public internet, without having to do any virtual network peering.

+ - The "Virtual network" section of [Architecture fundamentals in Azure Lab Services](./classroom-labs-fundamentals.md#virtual-network)

+ - [Connect your lab network with a peer virtual network in Azure Lab Services](./how-to-connect-peer-virtual-network.md)

+ - [Create a lab with a shared resource in Azure Lab Services](./how-to-create-a-lab-with-shared-resource.md)

+ For information about naming conventions, see the "Naming" section of [Azure Lab Services - Administrator guide](./administrator-guide-1.md#naming).

+ :::image type="content" source="./media/setup-guide/review-azure-marketplace-images.png" alt-text="Screenshot of a list of images available for review in Azure Marketplace.":::

+ :::image type="content" source="./media/setup-guide/enable-azure-compute-gallery-images.png" alt-text="Screenshot of a list of enabled custom images.":::

+description: This article shows how to add a user to the Lab Creator role for a lab plan in Azure Lab Services. The lab creators can create labs within this lab plan.

+# Add lab creators to a lab plan in Azure Lab Services

+This article shows you how to add users as lab creators to a lab account or lab plan in Azure Lab Services. These users then can create labs and manage those labs.

+## Add Azure AD user account to Lab Creator role

+The user account you used to create the lab account or lab plan is automatically able to create labs. Otherwise, the user must be a member of the **Lab Creator** role. If using a lab plan, user must be a **Lab Creator** on the lab plan or the resource group that contains the lab plan. If using a lab account, the user must be a **Lab Creator** on the lab account. If you are planning to use the same user account to create a lab as you did creating the lab plan or lab account, you can skip this step. To use another user account to create a lab, do the following steps:

+To provide educators the permission to create labs for their classes, add them to the **Lab Creator** role: For detailed steps, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md).

+1. On the **Lab Plan** resource, select **Access control (IAM)**

+ > If you are adding a non-Microsoft account user as a lab creator, see [Adding a guest user as a lab creator](#adding-a-guest-user-as-a-lab-creator).

+## Adding a guest user as a lab creator

+You might need to add an external user as a lab creator. If that is the case, you'll need to add them as a guest account on the Azure AD attached to the subscription. The following types of email accounts might be used:

+For instructions to add someone as a guest account in Azure AD, see [Quickstart: Add guest users in the Azure portal - Azure AD](/azure/active-directory/external-identities/b2b-quickstart-add-guest-users-portal). If using an email account that's provided by your universityΓÇÖs Azure AD, you don't have to add them as a guest account.

+Once the user has an Azure AD account, [add the Azure AD user account to Lab Creator role](#add-azure-ad-user-account-to-lab-creator-role).

+> [!IMPORTANT]

+> Only lab creators need an account in Azure AD connected to the subscription. For account requirements for students see [Tutorial: Access a lab in Azure Lab Services](tutorial-connect-lab-virtual-machine.md).

+Educators can use non-Microsoft email accounts to register and sign in to a lab. However, the sign-in to the Lab Services portal requires that educators first create a Microsoft account that's linked to their non-Microsoft email address.

+Many educators might already have a Microsoft account linked to their non-Microsoft email addresses. For example, educators already have a Microsoft account if they have used their email address with MicrosoftΓÇÖs other products or services, such as Office, Skype, OneDrive, or Windows.

+When educators sign in to the Lab Services portal, they are prompted for their email address and password. If the educator attempts to sign in with a non-Microsoft account that does not have a Microsoft account linked, the educator will receive the following error message:

+

+To sign up for a Microsoft account, educators should go to [http://signup.live.com](http://signup.live.com).

+Educators can also use an existing GitHub account to register and sign in to a lab. If the educator already has a Microsoft account linked to their GitHub account, then they can sign in and provide their password as shown in the previous section. If they have not yet linked their GitHub account to a Microsoft account, they should select **Sign-in options**:

+Finally, they are prompted to create a Microsoft account that's linked to their GitHub account. It happens automatically when the educator selects **Next**. The educator is then immediately signed in and connected to the lab.

+- [As a lab owner, create and manage labs](how-to-manage-labs.md)

+- [As a lab user, access labs](how-to-use-lab.md)

+ Title: Administrator guide (deprecated) | Microsoft Docs

+description: This guide helps administrators who create and manage lab accounts by using Azure Lab Services.

+# Azure Lab Services - Administrator guide (deprecated)

+Information technology (IT) administrators who manage a university's cloud resources are ordinarily responsible for setting up the lab account for their school. After they've set up a lab account, administrators or educators create the labs that are contained within the account. This article provides a high-level overview of the Azure resources that are involved and the guidance for creating them.

+

+- Labs are hosted within an Azure subscription that's owned by Azure Lab Services.

+- Lab accounts, a shared image gallery, and image versions are hosted within your subscription.

+- You can have your lab account and the shared image gallery in the same resource group. In this diagram, they are in different resource groups.

+For more information about the architecture, see [Labs architecture fundamentals](./classroom-labs-fundamentals.md).

+## Subscription

+Your university might have one or more Azure subscriptions. You use subscriptions to manage billing and security for all Azure resources and services that are used within it, including lab accounts.

+The relationship between a lab account and its subscription is important because:

+- Billing is reported through the subscription that contains the lab account.

+- You can grant users in the subscription's Azure Active Directory (Azure AD) tenant access to Azure Lab Services. You can add a user as a lab account Owner or Contributor, or as a Lab Creator or lab Owner.

+Labs and their virtual machines (VMs) are managed and hosted for you within a subscription that's owned by Azure Lab Services.

+## Resource group

+A subscription contains one or more resource groups. Resource groups are used to create logical groupings of Azure resources that are used together within the same solution.

+When you create a lab account, you must configure the resource group that contains the lab account.

+A resource group is also required when you create a [shared image gallery](#shared-image-gallery). You can place your lab account and shared image gallery in the same resource group or in two separate resource groups. You might want to take this second approach if you plan to share the image gallery across various solutions.

+When you create a lab account, you can automatically create and attach a shared image gallery at the same time. This option results in the lab account and the shared image gallery being created in separate resource groups. You'll see this behavior when you follow the steps that are described in the [Configure shared image gallery at the time of lab account creation](how-to-attach-detach-shared-image-gallery-1.md#configure-at-the-time-of-lab-account-creation) tutorial. The image at the beginning of this article uses this configuration.

+We recommend that you invest time up front to plan the structure of your resource groups, because it's *not* possible to change a lab account or shared image gallery resource group once it's created. If you need to change the resource group for these resources, you'll need to delete and re-create your lab account or shared image gallery.

+## Lab account

+A lab account serves as a container for one or more labs. When you're getting started with Azure Lab Services, it's most common to have a single lab account. As your lab usage scales up, you can choose to create more lab accounts later.

+The following list highlights scenarios where more than one lab account might be beneficial:

+- **Manage different policy requirements across labs**

+ When you set up a lab account, you set policies that apply to *all* labs under the lab account, such as:

+ - The Azure virtual network with shared resources that the lab can access. For example, you might have a set of labs that need access to a shared data set within a virtual network.

+ - The virtual machine images that the labs can use to create VMs. For example, you might have a set of labs that need access to the [Data Science VM for Linux](https://azuremarketplace.microsoft.com/marketplace/apps/microsoft-dsvm.ubuntu-1804) Azure Marketplace image.

+ If each of your labs has unique policy requirements, it might be beneficial to create separate lab accounts for managing each lab separately.

+- **Assign a separate budget to each lab account**

+

+ Instead of reporting all lab costs through a single lab account, you might need a more clearly apportioned budget. For example, you can create separate lab accounts for your university's Math department, Computer Science department, and so forth, to distribute the budget across departments. You can then view the cost for each individual lab account by using [Azure Cost Management](../cost-management-billing/cost-management-billing-overview.md).

+- **Isolate pilot labs from active or production labs**

+

+ You might have cases where you want to pilot policy changes for a lab account without potentially affecting your active or production labs. In this type of scenario, creating a separate lab account for piloting purposes allows you to isolate changes.

+## Lab

+A lab contains VMs that are each assigned to a single student. In general, you can expect to:

+- Have one lab for each class.

+- Create a new set of labs for each semester, quarter, or other academic system you're using. For classes that need to use the same image, you should use a [shared image gallery](#shared-image-gallery). This way, you can reuse images across labs and academic periods.

+When you're determining how to structure your labs, consider the following points:

+- **All VMs within a lab are deployed with the same image that's published**

+ As a result, if you have a class that requires different lab images to be published at the same time, a separate lab must be created for each image.

+

+- **The usage quota is set at the lab level and applies to all users within the lab**

+ To set different quotas for users, you must create separate labs. However, it's possible to add more hours to specific users after you've set the quota.

+

+- **The startup or shutdown schedule is set at the lab level and applies to all VMs within the lab**

+ Similar to quota setting, if you need to set different schedules for users, you need to create a separate lab for each schedule.

+By default, each lab has its own virtual network. If you have virtual network peering enabled, each lab will have its own subnet peered with the specified virtual network.

+## Shared image gallery

+A shared image gallery is attached to a lab account and serves as a central repository for storing images. An image is saved in the gallery when an educator chooses to export it from a lab's template VM. Each time an educator makes changes to the template VM and exports it, new image definitions and\or versions are created in the gallery.

+Educators can publish an image version from the shared image gallery when they create a new lab. Although the gallery stores multiple versions of an image, educators can select only the most recent version during lab creation. The most recent version is chosen based on the highest value of MajorVersion, then MinorVersion, then Patch. For more information about versioning, see [Image versions](../virtual-machines/shared-image-galleries.md#image-versions).

+The shared image gallery service is an optional resource that you might not need immediately if you're starting with only a few labs. However, shared image gallery offers many benefits that are helpful as you scale up to more labs:

+- **You can save and manage versions of a template VM image**

+ It's useful to create a custom image or make changes (software, configuration, and so on) to an image from the Azure Marketplace gallery. For example, it's common for educators to require different software or tooling be installed. Rather than requiring students to manually install these prerequisites on their own, different versions of the template VM image can be exported to a shared image gallery. You can then use these image versions when you create new labs.

+- **You can share and reuse template VM images across labs**

+ You can save and reuse an image so that you don't have to configure it from scratch each time that you create a new lab. For example, if multiple classes need to use the same image, you can create it once and export it to the shared image gallery so that it can be shared across labs.

+- **You can upload your own custom images from other environments outside of labs**

+ You can [upload custom images other environments outside of the context of labs](how-to-attach-detach-shared-image-gallery-1.md). For example, you can upload images from your own physical lab environment or from an Azure VM into shared image gallery. Once an image is imported into the gallery, you can then use the images to create labs.

+To logically group shared images, you can do either of the following:

+- Create multiple shared image galleries. Each lab account can connect to only one shared image gallery, so this option also requires you to create multiple lab accounts.

+- Use a single shared image gallery that's shared by multiple lab accounts. In this case, each lab account can enable only images that are applicable to the labs in that account.

+## Naming

+As you get started with Azure Lab Services, we recommend that you establish naming conventions for Azure and Azure Lab Services related resources. Although the naming conventions that you establish will be unique to the needs of your organization, the following table provides general guidelines:

+| Resource type | Role | Suggested pattern | Examples |

+| - | - | -- | -- |

+| Resource group | Contains one or more lab plans, labs and/or shared image galleries. |{org-name}labs-{env}-rg, {dept-name}labs-rg | contosolabs-rg, contosolabs-pilot-rg, contosolabs-prod-rg, mathdept-rg |

+| Lab account | Contains one or more labs. | {org-name}-{env}-la, {dept-name}-{env}-la | contoso-la, mathdept-la, cs-pilot-la |

+| Lab | Contains one or more student VMs. | {class-name}-{time}-{educator} | CS101-Fall2021, CS101-Fall2021-JohnDoe |

+| Shared image gallery | Contains one or more VM image versions | {org-name}-sig, {dept-name}-sig | contoso-sig, mathdept-sig |

+In the proceeding table, we used some terms and tokens in the suggested name patterns. Let's go over those terms in a little more detail.

+| Pattern term/token | Definition | Example |

+| | - | - |

+| {org-name} | Token for organization short name with no spaces. | contoso |

+| {dept-name} | Token for short name of department in organization. | math, bio, cs |

+| {env} | Token for environment name | prod for production, pilot for small test |

+| {class-name} | Token for short name or code for class being supported. | CS101, Bio101 |

+| {educator} | Alias of educator running the lab. | johndoe |

+| {time} | Token for short name (with no spaces) for time the class is being offered. | Spring2021, Dec 2021|

+| rg | Indicates resource is a resource group. | |

+| la | Indicates resource is a lab account. | |

+| sig | Indicates resource is a shared image gallery. | |

+For more information about naming other Azure resources, see [Naming conventions for Azure resources](/azure/architecture/best-practices/naming-conventions).

+## Regions/locations

+When you set up your Azure Lab Services resources, you're required to provide a region or location of the datacenter that will host the resources. The next sections describe how a region or location might affect each resource that's involved with setting up a lab.

+### Resource group

+The region specifies the datacenter where information about a resource group is stored. Azure resources contained within the resource group can be in a different region from that of their parent.

+### Lab account

+A lab account's location indicates the region that a resource exists in.

+### Lab

+The location that a lab exists in varies, depending on the following factors:

+- **The lab account is peered with a virtual network**

+

+ You can [peer a lab account with a virtual network](./how-to-connect-peer-virtual-network.md) when they're in the same region. When a lab account is peered with a virtual network, labs are automatically created in the same region as both the lab account and the virtual network.

+ > [!NOTE]

+ > When a lab account is peered with a virtual network, the **Allow lab creator to pick lab location** setting is disabled. For more information, see [Allow lab creator to pick location for the lab](./allow-lab-creator-pick-lab-location.md).

+- **No virtual network is peered *and* Lab Creators aren't allowed to pick the lab location**

+

+ When *no* virtual network is peered with the lab account and [Lab Creators are *not allowed* to pick the lab location](./allow-lab-creator-pick-lab-location.md), labs are automatically created in a region that has available VM capacity. Specifically, Azure Lab Services looks for availability in [regions that are within the same geography as the lab account](https://azure.microsoft.com/global-infrastructure/regions).

+- **No virtual network is peered *and* Lab Creators are allowed to pick the lab location**

+ When *no* virtual network is peered and [Lab Creators *are allowed* to pick the lab location](./allow-lab-creator-pick-lab-location.md), the locations that can be selected by the Lab Creator depend on available capacity.

+> [!NOTE]

+> To help ensure that a region has sufficient VM capacity, it's important to first request capacity through the lab account when you're creating the lab.

+A general rule is to set a resource's region to one that's closest to its users. For labs, this means creating the lab that's closest to your students. For online courses whose students are located all over the world, use your best judgment to create a lab that's centrally located. Or you can split a class into multiple labs according to your students' regions.

+## VM sizing

+When administrators or Lab Creators create a lab, they can choose from various VM sizes, depending on the needs of their classroom. Remember that the size availability depends on the region that your lab account is located in.

+In the following table, notice that several of the VM sizes map to more than one VM series. Depending on capacity availability, Lab Services may use any of the VM series that are listed for a VM size. For example, the *Small* VM size maps to using either the [Standard_A2_v2](../virtual-machines/av2-series.md) or the [Standard_A2](../virtual-machines/sizes-previous-gen.md#a-series) VM series. When you choose *Small* as the VM size for your lab, Lab Services will first attempt to use the *Standard_A2_v2* series. However, when there isn't sufficient capacity available, Lab Services will instead use the *Standard_A2* series. The pricing is determined by the VM size and is the same regardless of which VM series Lab Services uses for that specific size. For more information on pricing for each VM size, read the [Lab Services pricing guide](https://azure.microsoft.com/pricing/details/lab-services/).

+| Size | Minimum vCPUs | Minimum RAM | Series | Suggested use |

+| - | -- | -- | | - |

+| Small| 2 vCPUs | 3.5 GB RAM | [Standard_A2_v2](../virtual-machines/av2-series.md), [Standard_A2](../virtual-machines/sizes-previous-gen.md#a-series) | Best suited for command line, opening web browser, low-traffic web servers, small to medium databases. |

+| Medium | 4 vCPUs | 7 GB RAM | [Standard_A4_v2](../virtual-machines/av2-series.md), [Standard_A3](../virtual-machines/sizes-previous-gen.md#a-series) | Best suited for relational databases, in-memory caching, and analytics. |

+| Medium (nested virtualization) | 4 vCPUs | 16 GBs RAM | [Standard_D4s_v3](../virtual-machines/dv3-dsv3-series.md#dsv3-series) | Best suited for relational databases, in-memory caching, and analytics. This size also supports nested virtualization.

+| Large | 8 vCPUs | 16 GB RAM | [Standard_A8_v2](../virtual-machines/av2-series.md), [Standard_A7](../virtual-machines/sizes-previous-gen.md#a-series) | Best suited for applications that need faster CPUs, better local disk performance, large databases, large memory caches. |

+| Large (nested virtualization) | 8 vCPUs | 32 GB RAM | [Standard_D8s_v3](../virtual-machines/dv3-dsv3-series.md#dsv3-series) | Best suited for applications that need faster CPUs, better local disk performance, large databases, large memory caches. This size also supports nested virtualization. |

+| Small GPU (visualization) | 6 vCPUs | 56 GB RAM | [Standard_NV6](../virtual-machines/nv-series.md) | Best suited for remote visualization, streaming, gaming, and encoding using frameworks such as OpenGL and DirectX. |

+| Small GPU (Compute) | 6 vCPUs | 56 GB RAM | [Standard_NC6](../virtual-machines/nc-series.md), [Standard_NC6s_v3](../virtual-machines/ncv3-series.md) |Best suited for computer-intensive applications such as AI and deep learning. |

+| Medium GPU (visualization) | 12 vCPUs | 112 GB RAM | [Standard_NV12](../virtual-machines/nv-series.md), [Standard_NV12s_v3](../virtual-machines/nvv3-series.md), [Standard_NV12s_v2](../virtual-machines/sizes-previous-gen.md#nvv2-series) | Best suited for remote visualization, streaming, gaming, and encoding using frameworks such as OpenGL and DirectX. |

+## Manage identity

+By using [Azure role-based access control (RBAC)](../role-based-access-control/overview.md) for access to lab accounts and labs, you can assign the following roles:

+- Lab account **Owner**

+ An administrator who creates a lab account is automatically assigned the lab account Owner role. The Owner role can:

+ - Change the lab account settings.

+ - Grant other administrators access to the lab account as an Owner or Contributor.

+ - Grant educators access to labs as a Creator, Owner, or Contributor.

+ - Create and manage all labs in the lab account.

+- Lab account **Contributor**

+ An administrator who's assigned the Contributor role can:

+ - Change the lab account settings.

+ - Create and manage all labs in the lab account.

+ However, the Contributor *can't* grant other users access to either lab accounts or labs.

+- **Lab Creator**

+ To create labs within a lab account, an educator must be a member of the Lab Creator role. An educator who creates a lab is automatically added as a lab Owner. For more information, see [Add a user to the Lab Creator role](./tutorial-setup-lab-account.md#add-a-user-to-the-lab-creator-role).

+- Lab **Owner** or **Contributor**

+

+ An educator in either a lab Owner or Contributor role can view and change a lab's settings. The person must also be a member of the lab account Reader role.

+ A key difference between the lab Owner and Contributor roles is that only an Owner can grant other users access to manage a lab. A Contributor *can't* grant other users access to manage a lab.

+- **Shared image gallery**

+ When you attach a shared image gallery to a lab account, lab account Owners and Contributors and Lab Creators, lab Owners, and lab Contributors are automatically granted access to view and save images in the gallery.

+When you're assigning roles, it helps to follow these tips:

+- Ordinarily, only administrators should be members of a lab account Owner or Contributor role. The lab account might have more than one Owner or Contributor.

+- To give educators the ability to create new labs and manage the labs that they create, you need only assign them the Lab Creator role.

+- To give educators the ability to manage specific labs, but *not* the ability to create new labs, assign them either the Owner or Contributor role for each lab that they'll manage. For example, you might want to allow a professor and a teaching assistant to co-own a lab. For more information, see [Add Owners to a lab](./how-to-add-user-lab-owner.md).

+## Content filtering

+Your school may need to do content filtering to prevent students from accessing inappropriate websites. For example, to comply with the [Children's Internet Protection Act (CIPA)](https://www.fcc.gov/consumers/guides/childrens-internet-protection-act). Lab Services doesn't offer built-in support for content filtering.

+There are two approaches that schools typically consider for content filtering:

+- Configure a firewall to filter content at the network level.

+- Install 3rd party software directly on each computer that performs content filtering.

+The first approach isn't currently supported by Lab Services. Lab Services hosts each lab's virtual network within a Microsoft-managed Azure subscription. As a result, you don't have access to the underlying virtual network to do content filtering at the network level. For more information on Lab Services' architecture, read the article [Architecture Fundamentals](./classroom-labs-fundamentals.md).

+Instead, we recommend the second approach which is to install 3rd party software on each lab's template VM. There are a few key points to highlight as part of this solution:

+- If you plan to use the [auto-shutdown settings](./cost-management-guide.md#automatic-shutdown-settings-for-cost-control), you will need to unblock several Azure host names with the 3rd party software. The auto-shutdown settings use a diagnostic extension that must be able to communicate back to Lab Services. Otherwise, the auto-shutdown settings will fail to enable for the lab.

+- You may also want to have each student use a non-admin account on their VM so that they can't uninstall the content filtering software. By default, Lab Services creates an admin account that each student uses to sign into their VM. It is possible to add a non-admin account using a specialized image, but there are some known limitations.

+If your school needs to do content filtering, contact us via the [Azure Lab Services' forums](https://techcommunity.microsoft.com/t5/azure-lab-services/bd-p/AzureLabServices) for more information.

+## Endpoint management

+Many endpoint management tools, such as [Microsoft Endpoint Manager](https://techcommunity.microsoft.com/t5/azure-lab-services/configuration-manager-azure-lab-services/ba-p/1754407), require Windows VMs to have unique machine security identifiers (SIDs). Using SysPrep to create a *generalized* image typically ensures that each Windows machine will have a new, unique machine SID generated when the VM boots from the image.

+With Lab Services, even if you use a *generalized* image to create a lab, the template VM and student VMs will all have the same machine SID. The VMs have the same SID because the template VM's image is in a *specialized* state when it's published to create the student VMs.

+For example, the Azure Marketplace images are generalized. If you create a lab from the Win 10 marketplace image and publish the template VM, all of the student VMs within a lab will have the same machine SID as the template VM. The machine SIDs can be verified by using a tool such as [PsGetSid](/sysinternals/downloads/psgetsid).

+If you plan to use an endpoint management tool or similar software, we recommend that you test it with lab VMs to ensure that it works properly when machine SIDs are the same.

+## Pricing

+### Azure Lab Services

+To learn about pricing, see [Azure Lab Services pricing](https://azure.microsoft.com/pricing/details/lab-services/).

+### Shared Image Gallery

+You also need to consider the pricing for the Shared Image Gallery service if you plan to use shared image galleries for storing and managing image versions.

+Creating a shared image gallery and attaching it to your lab account is free. No cost is incurred until you save an image version to the gallery. The pricing for using a shared image gallery is ordinarily fairly negligible, but it's important to understand how it's calculated, because it isn't included in the pricing for Azure Lab Services.

+#### Storage charges

+To store image versions, a shared image gallery uses standard hard disk drive (HDD) managed disks by default. We recommend using HDD-managed disks when using shared image gallery with Lab Services. The size of the HDD-managed disk that's used depends on the size of the image version that's being stored. Lab Services supports image and disk sizes up to 128 GB. To learn about pricing, see [Managed disks pricing](https://azure.microsoft.com/pricing/details/managed-disks/).

+#### Replication and network egress charges

+When you save an image version by using a lab template VM, Azure Lab Services first stores it in a source region and then automatically replicates the source image version to one or more target regions.

+It's important to note that Azure Lab Services automatically replicates the source image version to all [target regions within the geography](https://azure.microsoft.com/global-infrastructure/regions/) where the lab is located. For example, if your lab is in the US geography, an image version is replicated to each of the eight regions that exist within the US.

+A network egress charge occurs when an image version is replicated from the source region to additional target regions. The amount charged is based on the size of the image version when the image's data is initially transferred outbound from the source region. For pricing details, see [Bandwidth pricing details](https://azure.microsoft.com/pricing/details/bandwidth/).

+Egress charges might be waived for [Education Solutions](https://www.microsoft.com/licensing/licensing-programs/licensing-for-industries?rtc=1&activetab=licensing-for-industries-pivot:primaryr3) customers. To learn more, contact your account manager.

+For more information, see "What data transfer programs exist for academic customers and how do I qualify?" in the FAQ section of the [Programs for educational institutions](https://azure.microsoft.com/pricing/details/bandwidth/) page.

+#### Pricing example

+Let's look at an example of the cost of saving a template VM image to a shared image gallery. Assume the following scenarios:

+- You have one custom VM image.

+- You're saving two versions of the image.

+- Your lab is in the US, which has a total of eight regions.

+- Each image version is 32 GB in size; as a result, the HDD-managed disk price is $1.54 per month.

+The total cost per month is estimated as:

+* *Number of images &times; number of versions &times; number of replicas &times; managed disk price = total cost per month*

+In this example, the cost is:

+* 1 custom image (32 GB) &times; 2 versions &times; 8 US regions &times; $1.54 = $24.64 per month

+> [!NOTE]

+> The preceding calculation is for example purposes only. It covers storage costs associated with using Shared Image Gallery and does *not* include egress costs. For actual pricing for storage, see [Managed Disks pricing](https://azure.microsoft.com/pricing/details/managed-disks/).

+#### Cost management

+It's important for lab account administrators to manage costs by routinely deleting unneeded image versions from the gallery.

+Don't delete replication to specific regions as a way to reduce the costs, though this option exists in the shared image gallery. Replication changes might have adverse effects on the ability of Azure Lab Services to publish VMs from images saved within a shared image gallery.

+## Next steps

+For more information about setting up and managing labs, see:

+- [Lab account setup guide](account-setup-guide.md)

+- [Lab setup guide](setup-guide.md)

+- [Cost management for labs](cost-management-guide.md)

+- [Use Azure Lab Services in Teams](lab-services-within-teams-overview.md)

+description: This guide helps administrators who create and manage lab plans by using Azure Lab Services.

+> [!NOTE]

+> If using a version of Azure Lab Services prior to the [April 2022 Update (preview)](lab-services-whats-new.md), see [Azure Lab Services - Administrator guide (deprecated)](administrator-guide-1.md).

+Information technology (IT) administrators who manage a university's cloud resources are ordinarily responsible for setting up the lab plan for their school. After they have set up a lab plan, administrators or educators create the labs that are associated with the lab plan. This article provides a high-level overview of the Azure resources that are involved and the guidance for creating them.

+Depending on settings chosen when creating lab plans, some resources will be hosted in your subscription and some will be hosted in a subscription managed by Azure Lab Services.

+- Lab VMs are hosted within an Azure subscription that is owned by Azure Lab Services.

+- Lab plans, labs, compute galleries, and image versions and are hosted within your subscription.

+- If using advanced networking, the virtual network and network-related resources for lab VMs are hosted within your subscription. Otherwise, the virtual network is hosted in a subscription managed by Azure Lab Services.

+- You can have your lab plans, labs, and the compute galleries in the same or different resource group.

+Your university might have one or more Azure subscriptions. You use subscriptions to manage billing and security for all Azure resources and services that are used within it, including lab plans and labs.

+The relationship between a lab plan and its subscription is important because:

+- Billing is reported through the subscription that contains the lab plan.

+- You can grant users in the subscription's Azure Active Directory (Azure AD) tenant the ability to manage Azure Lab Services lab plans and labs. You can add someone as a lab plan owner, lab plan contributor, lab creator, or lab owner. For more information about built-in RBAC roles, see [Manage identity](#rbac-roles).

+Labs virtual machines (VMs) are managed and hosted for you within a subscription that is owned by Azure Lab Services.

+A subscription contains one or more resource groups. Resource groups are used to create logical groupings of Azure resources that are used together within the same solution.

+When you create a lab plan, you must configure the resource group that contains the lab plan. Name your resource group carefully. Labs are grouped by resource group name in the Lab Services web portal: [https://labs.azure.com](https://labs.azure.com).

+A resource group is also required when you create an [Azure Compute Gallery](#azure-compute-gallery). You can place your lab plan and compute gallery in the same resource group or in two separate resource groups. You might want to take this second approach if you plan to share the compute gallery across various solutions.

+We recommend that you invest time up front to plan the structure of your resource groups. It's *not* possible to change a lab plan or compute gallery resource group once itΓÇÖs created. If you need to change the resource group for these resources, youΓÇÖll need to delete and re-create them.

+## Lab plan

+A lab plan set of configurations that influence the creation of a lab. A lab plan can be associated with zero or more labs. When youΓÇÖre getting started with Azure Lab Services, itΓÇÖs most common to have a single lab plan. As your lab usage scales up, you can choose to create more lab plans later.

+The following list highlights scenarios where more than one lab plan might be beneficial:

+ When you create a lab plan, you set policies that apply to all newly created labs, such as:

+ - The Azure virtual network with shared resources that the lab can access. For example, you might have a set of labs that need access to a license server within a virtual network.

+ - The virtual machine images that the labs can use to create VMs. For example, you might have a set of labs that need access to the [Data Science VM for Linux](https://azuremarketplace.microsoft.com/marketplace/apps/microsoft-dsvm.ubuntu-1804) Azure Marketplace image.

+ If each of your labs has unique policy requirements, it might be beneficial to create separate lab plans for managing each lab separately.

+ You might have cases where you want to pilot policy changes for a lab plan without potentially affecting your active labs. In this type of scenario, creating a separate lab plan for piloting purposes allows you to isolate changes.

+- Create a new set of labs for each semester, quarter, or other academic system youΓÇÖre using. For classes that need to use the same image, you should use a [compute gallery](#azure-compute-gallery). This way, you can reuse images across labs and academic periods.

+When youΓÇÖre determining how to structure your labs, consider the following points:

+- **All VMs within a lab are deployed with the same image that's published.**

+ To set different quotas for users, you must create separate labs. However, itΓÇÖs possible to add more hours to specific users after you have set the quota.

+By default, each lab has its own virtual network. If you have [advanced networking enabled](how-to-connect-vnet-injection.md), each lab will use the specified network.

+## Azure Compute Gallery

+An Azure Compute Gallery is attached to a lab plan and serves as a central repository for storing images. An image is saved in the gallery when an educator chooses to export it from a lab's template VM. Each time an educator makes changes to the template VM and exports it, new image definitions and\or versions are created in the gallery.

+Educators can publish an image version from the compute gallery when they create a new lab. Although the gallery stores multiple versions of an image, educators can select only the most recent version during lab creation. The most recent version is chosen based on the highest value of MajorVersion, then MinorVersion, then Patch. For more information about versioning, see [Image versions](../virtual-machines/shared-image-galleries.md#image-versions).

+The compute gallery is an optional resource that you might not need immediately if youΓÇÖre starting with only a few labs. However, a compute gallery offers many benefits that are helpful as you scale up to more labs:

+ ItΓÇÖs useful to create a custom image or make changes (software, configuration, and so on) to an image from the Azure Marketplace gallery. For example, itΓÇÖs common for educators to require different software or tooling be installed. Rather than requiring students to manually install these prerequisites on their own, different versions of the template VM image can be exported to the compute gallery. You can then use these image versions when you create new labs.

+ You can save and reuse an image so that you donΓÇÖt have to configure it from scratch each time that you create a new lab. For example, if multiple classes need to use the same image, you can create it once and export it to the compute gallery so that it can be shared across labs.

+ You can [upload custom images other environments outside of the context of labs](how-to-attach-detach-shared-image-gallery.md). For example, you can upload images from your own physical lab environment or from an Azure VM into compute gallery. Once an image is imported into the gallery, you can then use the images to create labs.

+To logically group compute gallery images, you can do either of the following methods:

+- Create multiple compute galleries. Each lab plan can connect to only one compute gallery, so this option also requires you to create multiple lab plans.

+- Use a single compute gallery that is shared by multiple lab plans. In this case, each lab plan can enable only images that are applicable to the labs in that plan.

+As you get started with Azure Lab Services, we recommend that you establish naming conventions for Azure and Azure Lab Services related resources. For resource naming restrictions, see [Microsoft.LabServices naming rules and restrictions](../azure-resource-manager/management/resource-name-rules.md#microsoftlabservices). Although the naming conventions that you establish will be unique to the needs of your organization, the following table provides general guidelines:

+| - | - | -- | -- |

+| Resource group | Contains one or more lab plans, labs and/or compute galleries. | rg-labs-{org-name}-{env}-{instance}, rg-labs-{dept-name}-{env}-{instance} | rg-labs-contoso-pilot, rg-labs--math-prod-001 |

+| Lab plan | Template for newly created labs. | lp-{org-name}-{env}-{instance}, lp-{dept-name}-{env}-{instance} | lp-contoso, lp-contoso-pilot, lp-math-001 |

+| Lab | Contains one or more student VMs. | {class-name}-{time}-{educator} | CS101-Fall2021, CS101-Fall2021-JohnDoe |

+| Azure Compute Gallery | Contains one or more VM image versions | sig-{org-name}-{env}-{instance}, sig-{dept-name}-{env}-{instance} | sig-contoso-001, sig-math-prod |

+In the proceeding table, we used some terms and tokens in the suggested name patterns. Let's go over those terms in a little more detail.

+| Pattern term/token | Definition | Example |

+| | - | - |

+| {org-name} | Token for organization short name with no spaces. | contoso |

+| {dept-name} | Token for short name of department in organization. | math, bio, cs |

+| {env} | Token for environment name | prod for production, pilot for small test |

+| {instance} | Number to identify instance if multiple resources created. | 001, 123 |

+| {class-name} | Token for short name or code for class being supported. | CS101, Bio101 |

+| {educator} | Alias of educator running the lab. | johndoe |

+| {time} | Token for short name (with no spaces) for time the class is being offered. | Spring2021, Dec2021|

+| rg | Indicates resource is a resource group. | |

+| lp | Indicates resource is a lab plan. | |

+| sig | Indicates resource is a compute gallery. | |

+## Regions

+When you set up your Azure Lab Services resources, youΓÇÖre required to provide a region or location of the data center that will host the resources. Lab plans can enable one or more regions in which labs may be created. The next sections describe how a region or location might affect each resource that is involved with setting up a lab.

+- **Resource group**. The region specifies the datacenter where information about a resource group is stored. Azure resources contained within the resource group can be in a different region from that of their parent.

+- **Lab plan**. A lab plan's location indicates the region that a resource exists in. When a lab plan is connected to your own virtual network, the network must be in the same region as the lab plan. Also, labs will be created in the same Azure region as that virtual network.

+- **Lab**. The location that a lab exists in varies, and doesnΓÇÖt need to be in the same location as the lab plan. Administrators control which regions labs can be created in through the lab plan settings. A general rule is to set a resource's region to one that is closest to its users. For labs, this means creating the lab that is closest to your students. For online courses whose students are located all over the world, use your best judgment to create a lab that is centrally located. Or you can split a class into multiple labs according to your students' regions.

+> [!NOTE]

+> To help ensure that a region has sufficient VM capacity, it's important to first [request capacity](capacity-limits.md#request-a-limit-increase).

+## VM sizing

+When administrators or Lab Creators create a lab, they can choose from various VM sizes, depending on the needs of their classroom. Remember that the size availability depends on the region that your lab plan is located in.

+For information on VM sizes and their cost, see the [Azure Lab Services Pricing](https://azure.microsoft.com/pricing/details/lab-services/).

+| Size | Minimum vCPUs | Minimum memory: GiB | Series | Suggested use |

+| - | -- | -- | | - |

+| Small| 2 | 4 | [Standard_F2s_v2](../virtual-machines/fsv2-series.md) | Best suited for command line, opening web browser, low-traffic web servers, small to medium databases. |

+| Medium | 4 | 8 | [Standard_F4s_v2](../virtual-machines/fsv2-series.md) | Best suited for relational databases, in-memory caching, and analytics. |

+| Medium (nested virtualization) | 4 | 16 | [Standard_D4s_v4](../virtual-machines/dv4-dsv4-series.md) | Best suited for relational databases, in-memory caching, and analytics. This size also supports nested virtualization.

+| Large | 8 | 16 | [Standard_F8s_v2](../virtual-machines/fsv2-series.md) | Best suited for applications that need faster CPUs, better local disk performance, large databases, large memory caches. |

+| Large (nested virtualization) | 8 | 32 | [Standard_D8s_v4](../virtual-machines/dv4-dsv4-series.md) | Best suited for applications that need faster CPUs, better local disk performance, large databases, large memory caches. This size also supports nested virtualization. |

+| Small GPU (visualization) | 8 | 28 | [Standard_NVas_v4](../virtual-machines/nvv4-series.md) **Windows only* | Best suited for remote visualization, streaming, gaming, and encoding using frameworks such as OpenGL and DirectX. |

+| Medium GPU (visualization) | 12 | 112 | [Standard_NV12s_v3](../virtual-machines/nvv3-series.md) | Best suited for remote visualization, streaming, gaming, and encoding using frameworks such as OpenGL and DirectX. |

+> [!NOTE]

+> You may not see some of the expected VM sizes in the list when creating a lab. The list is populated based on the current capacity in the selected region.

+## RBAC roles

+By using [Azure role-based access control (RBAC)](../role-based-access-control/overview.md) for access to lab plans and labs, you can assign the following roles:

+- **Owner**

+ An administrator who creates a lab plan is automatically assigned the lab plan Owner role. The Owner role can:

+ - Change the lab plan settings.

+ - Grant other administrators access to the lab plan as an Owner or Contributor.

+ - Grant educators access to labs as a Creator, Owner, or Contributor.

+ - Create and manage all labs in the lab plan.

+- **Contributor**

+ An administrator who is assigned the Contributor role can:

+ - Change the lab plan settings.

+ - Create and manage all labs in the lab plan.

+ However, the Contributor *canΓÇÖt* grant other users access to either lab plans or labs.

+- **Lab Creator**

+ When set on the lab plan, this role enables the user account to create labs from the lab plan. The user account can also see existing labs that are in the same resource group as the lab plan. When applied to a resource group, this role enables the user to view existing lab and create new labs. TheyΓÇÖll have full control over any labs they create as theyΓÇÖre assigned as Owner to those created labs. For more information, see [Add a user to the Lab Creator role](./tutorial-setup-lab-plan.md#add-a-user-to-the-lab-creator-role).

+- **Lab Contributor**

+ When applied to an existing lab, this role enables the user to fully manage the lab. When applied to a resource group, this role enables the user account to fully manage existing labs and create new labs in that resource group.

+ A key difference between the lab Owner and Contributor roles is that only an Owner can grant other users access to manage a lab. A Contributor *canΓÇÖt* grant other users access to manage a lab.

+- **Lab Operator**

+ When applied to a resource group or a lab, this role enables the user to have limited ability to manage existing labs. This role wonΓÇÖt give the user the ability to create new labs. In an existing lab, the user can manage users, adjust individual usersΓÇÖ quota, manage schedules, and start/stop VMs. The user account will be able to publish a lab. The user wonΓÇÖt have the ability to change lab capacity or change quota at the lab level. The user wonΓÇÖt be able to change the template title or description.

+- **Lab Assistant**

+ When applied to a resource group or a lab, this role enables the user to view an existing lab. Lab assistants can only perform actions on the lab VMs (reset, start, stop, connect) and send invitations to the lab. They don't have the ability to change a lab, create a lab, publish a lab, change lab capacity, or manage lab quota, individual quota nor schedules.

+- **Lab Services Contributor**

+ When applied to a resource group, enables the user to fully control all Lab Services scenarios in that resource group.

+- **Lab Services Reader**

+ When applied to a resource group, enables the user to view, but not change, all lab plans and lab resources. External resources like image galleries and virtual networks that may be connected to a lab plan arenΓÇÖt included.

+When youΓÇÖre assigning roles, it helps to follow these tips:

+- Ordinarily, only administrators should be members of a lab plan Owner or Contributor role. The lab plan might have more than one Owner or Contributor.

+- To give educators the ability to create new labs and manage the labs that they create, you need only assign them the Lab Creator role.

+- To give educators the ability to manage specific labs, but *not* the ability to create new labs, assign them either the Owner or Contributor role for each lab that theyΓÇÖll manage. For example, you might want to allow a professor and a teaching assistant to co-own a lab.

+Your school may need to do content filtering to prevent students from accessing inappropriate websites. For example, to comply with the [Children's Internet Protection Act (CIPA)](https://www.fcc.gov/consumers/guides/childrens-internet-protection-act). Lab Services doesnΓÇÖt offer built-in support for content filtering.

+- Install third-party software directly on each computer that performs content filtering.

+By default, Azure Lab Services hosts each lab's virtual network within a Microsoft-managed Azure subscription. YouΓÇÖll need to use [advanced networking](how-to-connect-vnet-injection.md) in the lab plan. Make sure to check known limitations of VNet injection before proceeding.

+We recommend the second approach, which is to install third-party software on each lab's template VM. There are a few key points to highlight as part of this solution:

+- If you plan to use the [auto-shutdown settings](./cost-management-guide.md#automatic-shutdown-settings-for-cost-control), youΓÇÖll need to unblock several Azure host names with the 3rd party software. The auto-shutdown settings use a diagnostic extension that must be able to communicate back to Lab Services. Otherwise, the auto-shutdown settings will fail to enable for the lab.

+- You may also want to have each student use a non-admin account on their VM so that they canΓÇÖt uninstall the content filtering software. Adding a non-admin account must be done when creating the lab.

+If your school needs to do content filtering, contact us via the [Azure Lab Services' Q&A](https://aka.ms/azlabs/questions) for more information.

+With Lab Services, if you create a lab with a template, the lab VMs will have the same SID. Even if you use a *generalized* image to create a lab, the template VM and student VMs will all have the same machine SID. The VMs have the same SID because the template VM's image is in a *specialized* state when itΓÇÖs published to create the student VMs.

+To obtain lab VMs with unique SID, create a lab without a template VM. You must use a *generalized* image from the Azure Marketplace or an attached Azure Compute Gallery. To use your own Azure Compute Gallery, see [Attach or detach a compute gallery in Azure Lab Services](how-to-attach-detach-shared-image-gallery.md). The machine SIDs can be verified by using a tool such as [PsGetSid](/sysinternals/downloads/psgetsid).

+If you plan to use an endpoint management tool or similar software, we recommend that you donΓÇÖt use template VMs for your labs.

+Billing entries in Azure Cost Management are per lab VM. Tags for lab plan ID and lab name are automatically added to each entry for more flexible analysis and budgeting.

+### Azure Compute gallery

+You also need to consider the pricing for the compute gallery service if you plan to use compute galleries for storing and managing image versions.

+Creating a compute gallery and attaching it to your lab plan is free. No cost is incurred until you save an image version to the gallery. The pricing for using a compute gallery is ordinarily fairly negligible, but itΓÇÖs important to understand how itΓÇÖs calculated, because it isnΓÇÖt included in the pricing for Azure Lab Services.

+To store image versions, a compute gallery uses standard hard disk drive (HDD) managed disks by default. We recommend using HDD-managed disks when using compute gallery with Lab Services. The size of the HDD-managed disk that is used depends on the size of the image version that is being stored. Lab Services supports image and disk sizes up to 128 GB. To learn about pricing, see [Managed disks pricing](https://azure.microsoft.com/pricing/details/managed-disks/).

+When you save an image version by using a lab template VM, Azure Lab Services first stores it in a source region. However, youΓÇÖll most likely need to replicate the source image version to one or more target regions.

+A network egress charge occurs when an image version is replicated from the source region to other target regions. The amount charged is based on the size of the image version when the image's data is initially transferred outbound from the source region. For pricing details, see [Bandwidth pricing details](https://azure.microsoft.com/pricing/details/bandwidth/).

+Egress charges might be waived for [Education Solutions](https://www.microsoft.com/licensing/licensing-programs/licensing-for-industries?rtc=1&activetab=licensing-for-industries-pivot:primaryr3) customers. To learn more, contact your account manager.

+For information about costs to store images and their replications, see [billing in an Azure Compute Gallery](/azure/virtual-machines/shared-image-galleries).

+ItΓÇÖs important for lab plan administrators to manage costs by routinely deleting unneeded image versions from the gallery.

+Be wary of removing replication to specific regions as a way to reduce the costs. Replication changes might have adverse effects on the ability of Azure Lab Services to publish VMs from images saved within a compute gallery.

+- [Configure a lab plan](lab-plan-setup-guide.md)

+- [Configure a lab](setup-guide.md)

+- [Manage costs for labs](cost-management-guide.md)

+ Title: Allow lab creator to pick location in Azure Lab Services (deprecated)

+# Allow lab creator to pick location for the lab in Azure Lab Services (deprecated)

+In Azure Lab Services, a lab account owner can allow lab creators (educators) to pick a location for the lab they create. This location can be different from the location of the lab account. A location is a group of Azure regions. For example, United States location is a group of regions such as East US, West US, and so on.

+You, as a lab account owner, can select the **Allow lab creator to pick lab location** option when you create a lab account and after you create the lab account (or an existing lab account).

+When you create a lab account, you see this option on the first screen (**Basics** tab).

+After you create the lab account, you can enable or disable this option by following these steps:

+2. Select the **Allow lab creator to pick lab location** option if you want to allow the lab creator to select a location for the lab. If it's disabled, the labs are automatically created in the same location in which the lab account exists.

+ This field is disabled when you select a virtual network for the **Peer virtual network** field. It's because labs in the lab account must be in the same region as the lab account for them to access resources in the peer virtual network.

+1. Select **Save** on the toolbar.

+In this scenario, you haven't enabled the **Allow lab creator to pick lab location** option.

+Then, lab creators (educators) don't see an option to pick a location for the lab. They will see the price per hour for every size option available to them. When they create a lab, it will be created in an Azure region that's in the same location as the Azure region that their lab account is in. For example, if the lab account is in **West US**, then the lab might be created in **South Central US** but would not be created in **Canada East**. We don't guarantee anything about the region we choose aside from that it's in the location. If a size is currently constrained, then the lab creator will see a checkbox where they can see the sizes that we normally support but are currently unavailable.

+In this scenario, the **Allow lab creator to pick lab location** option is disabled because you have selected a peer virtual network for the lab account. Then, lab creators will see the same screen as with the previous option. Because all VMs have to be in the same Azure region as the virtual network, the lab will be created in the same Azure region that the virtual network is in. If that particular region is constrained for a size, the size will appear as unavailable.

+When you select **Allow lab creator to pick lab location**, lab creators (educators) see an option to select a location when creating a lab.

+If a location is constrained, it's not shown in the list by default. Expand the drop-down list, and select **Show unavailable locations for this size**.

+Earlier, the pricing was based on the VM size that you choose for the lab. Now, the price is based on the combination of Operating System (OS), Size, and location.

+- [Attach a shared image gallery to a lab](how-to-attach-detach-shared-image-gallery-1.md)

+- [Configure other settings for a lab](how-to-configure-lab-accounts.md)

+For example, you can start with one of the Azure Marketplace images and then install the software applications and tooling that are needed for a class. After you've finished setting up the image, you can save it in the [connected compute gallery](how-to-attach-detach-shared-image-gallery.md) so that you and other educators can use the image to create new labs.

+### Use a lab's template VM to save a custom image

+You can use a lab's template VM to create either Windows or Linux custom images. For more information, see [Save an image a compute gallery](how-to-use-shared-image-gallery.md#save-an-image-to-a-compute-gallery)

+Another approach is to use an Azure VM to set up a custom image. After you've finished setting up the image, you can save it to a compute gallery so that you and your colleagues can use the image to create new labs.

+1. When you've finished setting up the image, [save the VM's image to a compute gallery](../virtual-machines/image-version.md). As part of this step, you'll also need to create the image's definition and version.

+The third approach to consider is to bring a custom image from a VHD in your physical lab environment to a compute gallery. After the image is in a compute gallery, you and other educators can use the image to create new labs.

+1. From the managed disk, create the [image's definition](../virtual-machines/shared-image-galleries.md#image-definitions) and version in a compute gallery.

+* [Azure Compute gallery overview](../virtual-machines/shared-image-galleries.md)

+* [Attach or detach an Azure Compute Gallery](how-to-attach-detach-shared-image-gallery.md)

+* [Use an Azure Compute Gallery](how-to-use-shared-image-gallery.md)

+description: Learn about VM capacity limits in Azure Lab Services.

+Azure Lab Services has default capacity limits on Azure subscriptions that adhere to Azure Compute quota limitations and to mitigate fraud. All Azure subscriptions will have an initial capacity limit, which can vary based on subscription type, number of standard compute cores, and GPU cores available inside Azure Lab Services. It restricts how many virtual machines you can create inside your lab before you need to request for a limit increase.

+If youΓÇÖre close to or have reached your subscriptionΓÇÖs core limit, youΓÇÖll see messages from Azure Lab Services. Actions that are affected by core limits include:

+- Increase lab capacity

+These actions may be disabled if there no more cores that can be enabled for your subscription.

+## Request a limit increase

+If you reach the cores limit, you can request a limit increase to continue using Azure Lab Services. The request process is a checkpoint to ensure your subscription isnΓÇÖt involved in any cases of fraud or unintentional, sudden large-scale deployments.

+To create a support request, you must be an [Owner](/azure/role-based-access-control/built-in-roles), [Contributor](/azure/role-based-access-control/built-in-roles), or be assigned to the [Support Request Contributor](/azure/role-based-access-control/built-in-roles) role at the subscription level. For information about creating support requests in general, see how to create a [How to create an Azure support request](/azure/azure-portal/supportability/how-to-create-azure-support-request).

+1. Open your [lab plan](how-to-manage-lab-plans.md) or [lab account](how-to-manage-lab-accounts.md).

+1. On the **Overview** page of the lab plan, select the **Request core limit increase** button from the menu bar at the top.

+1. On the **Basics** page of **New support request** wizard, enter a short summary that will help you remember the support request in the **Summary** textbox. The issue type, subscription, and quota type information are automatically filled out for you. Select **Next: Solutions**.

+ :::image type="content" source="./media/capacity-limits/new-support-request.png" alt-text="Screenshot of new support request to request more core capacity.":::

+1. The **New support request** wizard will automatically advance from the **Solutions** page to the **Details** page.

+1. One the **Details** page, enter the following information in the **Description** page.

+ - VM size. For size details, see [VM sizing](administrator-guide.md#vm-sizing).

+ - Number of VMs.

+ - Location. Location will be a [geography](https://azure.microsoft.com/global-infrastructure/geographies/#geographies) or region, if using the [April 2022 Update (preview)](lab-services-whats-new.md).

+1. Under **Advanced diagnostic information**, select **No**.

+1. Under **Support method** section, select your preferred contact method. Verify contact information is correct.

+1. Select **Next: Review + create**

+1. On the **Review + create** page, select **Create** to submit the support request.

+Once you submit the support request, weΓÇÖll review the request. If necessary, weΓÇÖll contact you to get more details.

+## Subscriptions with default limit of zero cores

+Some rare subscription types that are more commonly used for fraud can have a default limit of zero standard cores and zero GPU cores. If youΓÇÖre using one of these subscription types, your admin needs to request a limit increase before you can use Azure Lab Services.

+## Per-customer assigned capacity

+Azure Lab Services hosts lab resources, including VMs, within special Microsoft-managed Azure subscriptions that arenΓÇÖt visible to customers. With the [April 2022 Update (preview)](lab-services-whats-new.md), VM capacity is dedicated to each customer. Previous to this update, VM capacity was available from a large pool shared by customers.

+Before you set up a large number of VMs across your labs, we recommend that you open a support ticket to pre-request VM capacity. Requests should include VM size, number, and location. Requesting capacity before lab creation helps us to ensure that you create your labs in a region that has a sufficient number of VM cores for the VM size that you need for your labs.

+See the following articles:

+- [As an admin, see VM sizing](administrator-guide.md#vm-sizing).

+- [Frequently asked questions](classroom-labs-faq.yml).

+To set up this lab, you need an Azure subscription and lab account to get started. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.

+### Lab plan settings

+Once you get have Azure subscription, you can create a new lab plan in Azure Lab Services. For more information about creating a new lab plan, see the tutorial on [how to set up a lab plan](./tutorial-setup-lab-plan.md). You can also use an existing lab plan.

+Enable the settings described in the table below for the lab plan. For more information about how to enable marketplace images, see the article on [how to specify Marketplace images available to lab creators](./specify-marketplace-images.md).

+| Lab plan setting | Instructions |

+| Marketplace image | Enable the Windows 10 image, if not done already.|

+For instructions on how to create a lab, see [Tutorial: Set up a lab](tutorial-setup-lab.md). Use the following settings when creating the lab.

+The size of VM that you need to use for your lab depends on the types of projects that your students will create. Most [Creative Cloud apps](https://helpx.adobe.com/creative-cloud/system-requirements.html) support GPU-based acceleration and require a GPU for features to work properly. To ensure that you select the appropriate VM size, we recommend that you test the projects that your students will create to ensure adequate performance. The below table shows the recommended [VM size](./administrator-guide.md#vm-sizing) to use with Creative Cloud.

+> [!WARNING]

+## Template machine configuration

+- Create a self-service package.

+- Create a managed package with self-service elevated privileges turned on.

+- You can avoid republishing the template VM because students can install more apps on their VM at any point during the lifetime of the lab. Otherwise, either IT or the teacher would need to install more apps on the template VM and republish. Republishing causes the studentsΓÇÖ VMs to be reset and any work that isnΓÇÖt saved externally is lost.

+1. Once the template VM is set up, [publish the template VMΓÇÖs image](how-to-create-manage-template.md) that is used to create all of the studentsΓÇÖ VMs in the lab.

+As mentioned earlier, Azure Lab VMs have a disk size of 128 GB. If your students need extra storage for saving large media assets or they need to access shared media assets, you should consider using external file storage. For more information, read the following articles:

+- [Using external file storage in Lab Services](how-to-attach-external-storage.md)

+- [Install and configure OneDrive](./how-to-prepare-windows-template.md#install-and-configure-onedrive)

+Consider saving your template VM for future use. To save the template VM, see [Save an image to a compute gallery](how-to-use-shared-image-gallery.md#save-an-image-to-a-compute-gallery).

+[ArcGIS](https://www.esri.com/en-us/arcgis/products/arcgis-solutions/overview) is a type of geographic information system (GIS). ArcGIS is used to make\analyze maps and work with geographic data that is provided by the [Environmental Systems Research Institute](https://www.esri.com/home) (ESRI). Although ArcGIS Desktop includes several applications, this article shows how to set up labs for using ArcMap. [ArcMap](https://desktop.arcgis.com/en/arcmap/latest/map/main/what-is-arcmap-.htm) is used to make, edit, and analyze 2D maps.

+To set up this lab, you need an Azure subscription and lab account to get started. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.

+## Licensing server

+One type of licensing that ArcGIS Desktop offers is [concurrent use licenses](https://desktop.arcgis.com/en/license-manager/latest/license-manager-basics.htm). This licensing requires you to install ArcGIS License Manager on your license server. The License Manager keeps track of the number of copies of software that can be run at the same time. For more information on setting up the License Manager on your server, see the [License Manager Guide](https://desktop.arcgis.com/en/license-manager/latest/welcome.htm).

+The license server is located in either your on-premises network or hosted on an Azure virtual machine within an Azure virtual network. After your license server is set up, you'll need to [Connect to your virtual network in Azure Lab Services](how-to-connect-vnet-injection.md) with your [lab plan](./tutorial-setup-lab-plan.md).

+> [!IMPORTANT]

+> [Advanced networking](how-to-connect-vnet-injection.md#connect-the-virtual-network-during-lab-plan-creation) must be enabled during the creation of your lab plan. It can't be added later.

+For more information, see [Set up a license server as a shared resource](how-to-create-a-lab-with-shared-resource.md).

+## Lab configuration

+When you get an Azure subscription, you can create a new lab plan in Azure Lab Services. For more information about creating a new lab plan, see the tutorial on [how to set up a lab plan](./tutorial-setup-lab-plan.md). If you're using a ArcGIS License Manager on a license server, enable [advanced networking](how-to-connect-vnet-injection.md#connect-the-virtual-network-during-lab-plan-creation) when creating your lab plan. You can also use an existing lab plan.

+### Lab plan settings

+Enable your lab plan settings as described in the following table. For more information about how to enable Azure Marketplace images, see [Specify the Azure Marketplace images available to lab creators](./specify-marketplace-images.md).

+| Lab plan setting | Instructions |

+| - | |

+|Marketplace image| Enable the Windows 10 Pro or Windows 10 Pro N image, if not done already.|

+### Lab settings

+For instructions on how to create a lab, see [Tutorial: Set up a lab](tutorial-setup-lab.md). Use the following settings when creating the lab.

+The recommended size of the virtual machine (VM) for using ArcGIS Desktop depends on the applications, extensions, and the specific versions that students will use. The VM size also depends on the workloads that students are expected to perform. For more information on how to identify the VM size, see [ArcGIS Desktop system requirements](https://desktop.arcgis.com/en/system-requirements/latest/arcgis-desktop-system-requirements.htm) article. When you've identified a potential VM size, we recommend that you test your students' workloads to ensure adequate performance.

+In this article, we recommend that you use [**Medium** VM size](administrator-guide.md#vm-sizing) for version [10.7.1 of ArcMap](https://desktop.arcgis.com/en/system-requirements/10.7/arcgis-desktop-system-requirements.htm), assuming that no other ArcGIS Desktop extensions are used. However, depending on the needs of your class, you might require a **Large**, **Small GPU (Visualization)**, or **Medium GPU (Visualization)** VM size. For example, the [Spatial Analyst extension](https://desktop.arcgis.com/en/arcmap/latest/tools/spatial-analyst-toolbox/gpu-processing-with-spatial-analyst.htm) that is included with ArcGIS Desktop supports a GPU for enhanced performance, but doesn't require using a GPU.

+### Auto-shutdown and disconnect settings

+A lab's [auto-shutdown and disconnect settings](cost-management-guide.md#automatic-shutdown-settings-for-cost-control) ensure a student's VM is shut down when it's not being used. These settings should be set according to the types of workloads that your student performs so that their VM doesn't shut down in the middle of their work. For example, the **Disconnect users when virtual machines are idle** setting disconnects the student from their RDP session after no mouse or keyboard inputs have been detected for a specified amount of time. This setting must allow sufficient time for workloads where the student isn't actively using the mouse or keyboard, such as to run long queries or wait for rendering.

+For ArcGIS, we recommend the following values for these settings:

+| Setting | Value |

+|-|-|

+| Disconnect users when virtual machines are idle | 30 minutes after idle state is detected |

+| Shut down virtual machines when users disconnect | 15 minutes after user disconnects |

+## Template machine configuration

+1. Start the template VM and connect to the machine using RDP.

+2. Download and install the ArcGIS Desktop components using instructions from by ESRI. These steps include assigning the license manager for concurrent use licensing:

+3. Set up external backup storage for students. Students can save files directly to their assigned VM since all changes that they make are saved across sessions. However, we recommend that students back up their work to storage that is external from their VM for a few reasons:

+ - In case the student gets their VM into a bad state and their image needs to be [reset](how-to-manage-vm-pool.md#reset-vms).

+ - Any other data that the student might be using such as raster files, shapefiles, GeoTIFF, etc.

+ We recommend using OneDrive for backup storage. To set up OneDrive on the template VM, follow the steps in the article [Install and configure OneDrive](how-to-prepare-windows-template.md#install-and-configure-onedrive).

+Let's cover a possible cost estimate for this class. This estimate doesn't include the cost of running the license server. We'll use a class of 25 students. There are 20 hours of scheduled class time. Also, each student gets 10 hours quota for homework or assignments outside scheduled class time. The virtual machine size we selected was **Medium**, which is 42 lab units.

+> [!IMPORTANT]

+This article describes how to set up Autodesk Inventor and Autodesk Revit software for engineering classes.

+## License server

+You'll need to access a license server if you plan to use the Autodesk network licensing model. Read Autodesk's article on [Network License Administration](https://knowledge.autodesk.com/customer-service/network-license-administration/network-deployment/preparing-for-deployment/determining-installation-type) for more information.

+To use network licensing with Autodesk software, [AutoDesk provides detailed steps](https://knowledge.autodesk.com/customer-service/network-license-administration/install-and-configure-network-license) to install Autodesk Network License Manager on your license server. This license server is ordinarily located in either your on-premises network or hosted on an Azure virtual machine (VM) within in Azure virtual network.

+After your license server is set up, you'll need to enable [advanced networking](how-to-connect-vnet-injection.md#connect-the-virtual-network-during-lab-plan-creation) when creating your lab plan.

+Autodesk-generated license files embed the MAC address of the license server. If you decide to host your license server by using an Azure VM, itΓÇÖs important to make sure that your license serverΓÇÖs MAC address doesnΓÇÖt change. If the MAC address changes, you'll need to regenerate your licensing files. To prevent your MAC address from changing:

+- [Set a static private IP and MAC address](how-to-create-a-lab-with-shared-resource.md#tips) for the Azure VM that hosts your license server.

+- Be sure to create both your lab plan and the license serverΓÇÖs virtual network in the same region. Also, verify the region has sufficient VM capacity so that you donΓÇÖt have to move these resources to a new region later.

+For more information, see [Set up a license server as a shared resource](./how-to-create-a-lab-with-shared-resource.md).

+> [!IMPORTANT]

+> [Advanced networking](how-to-connect-vnet-injection.md#connect-the-virtual-network-during-lab-plan-creation) must be enabled during the creation of your lab plan. It can not be added later.

+## Lab configuration

+### Lab plan settings

+Enable your lab plan settings as described in the following table. For more information about how to enable Azure Marketplace images, see [Specify the Azure Marketplace images available to lab creators](./specify-marketplace-images.md).

+| Lab plan setting | Instructions |

+| - | |

+|Marketplace image| Enable the Windows 10 Pro or Windows 10 Pro N image, if not done already.|

+### Lab settings

+| Lab setting | Value and description |

+| | |

+| Virtual Machine Size | **Small GPU (Visualization)**. Best suited for remote visualization, streaming, gaming, and encoding with frameworks such as OpenGL and DirectX. |

+> The **Small GPU (Visualization)** virtual machine size is configured to enable a high-performing graphics experience and meets [AdobeΓÇÖs system requirements for each application](https://helpx.adobe.com/creative-cloud/system-requirements.html). Make sure to choose **Small GPU (Visualization)** not **Small GPU (Compute)**. For more information about this virtual machine size, see the article on [how to set up a lab with GPUs](./how-to-setup-lab-gpu.md).

+## Template machine configuration

+1. Finally, [publish the template VM](how-to-create-manage-template.md#publish-the-template-vm) to create the studentsΓÇÖ VMs.

+LetΓÇÖs cover an example cost estimate for this class. This estimate doesnΓÇÖt include the cost of running a license server. Suppose you have a class of 25 students, each of whom has 20 hours of scheduled class time. Each student also has an extra 10 quota hours for homework or assignments outside of scheduled class time. The virtual machine size we chose was **Small GPU (Visualization)**, which is 160 lab units.

+> [!IMPORTANT]

+This article shows you how to set up a lab to teach a big data analytics class. A big data analytics class teaches students to learn how to handle large volumes of data. It also teaches them to apply machine and statistical learning algorithms to derive data insights. A key objective for students is to learn how to use data analytics tools, such as [Apache Hadoop's open-source software package](https://hadoop.apache.org/). The software package provides tools for storing, managing, and processing big data.

+In this lab, students will use a popular commercial version of Hadoop provided by [Cloudera](https://www.cloudera.com/), called [Hortonworks Data Platform (HDP)](https://www.cloudera.com/products/hdp.html). Specifically, students will use [HDP Sandbox 3.0.1](https://www.cloudera.com/tutorials/getting-started-with-hdp-sandbox/1.html) that's a simplified, easy-to-use version of the platform. HDP Sandbox 3.0.1 is also free of cost and is intended for learning and experimentation. Although this class may use either Windows or Linux virtual machines (VM) with HDP Sandbox deployed. This article will show you how to use Windows.

+Another interesting aspect is that we'll deploy HDP Sandbox on the lab VMs using [Docker](https://www.docker.com/) containers. Each Docker container provides its own isolated environment for software applications to run inside. Conceptually, Docker containers are like nested VMs and can be used to easily deploy and run a wide variety of software applications based on container images provided on [Docker Hub](https://www.docker.com/products/docker-hub). Cloudera's deployment script for HDP Sandbox automatically pulls the [HDP Sandbox 3.0.1 Docker image](https://hub.docker.com/r/hortonworks/sandbox-hdp) from Docker Hub and runs two Docker containers:

+- sandbox-hdp

+- sandbox-proxy

+To set up this lab, you need an Azure subscription to get started. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.

+### Lab plan settings

+Once you've an Azure subscription, you can create a new lab plan in Azure Lab Services. For more information about creating a new lab plan, see the tutorial on [how to set up a lab plan](./tutorial-setup-lab-plan.md). You can also use an existing lab plan.

+Enable your lab plan settings as described in the following table. For more information about how to enable Azure Marketplace images, see [Specify the Azure Marketplace images available to lab creators](./specify-marketplace-images.md).

+| Lab plan setting | Instructions |

+|Marketplace image| Enable the **Windows 10 Pro** image.|

+For instructions on how to create a lab, see [Tutorial: Set up a lab](tutorial-setup-lab.md). Use the following settings when creating the lab.

+|Virtual Machine Size| **Medium (Nested Virtualization)**. This VM size is best suited for relational databases, in-memory caching, and analytics. The size also supports nested virtualization.|

+> [!NOTE]

+> We need to use Medium (Nested Virtualization) since deploying HDP Sandbox using Docker requires Windows Hyper-V with nested virtualization and at least 10 GB of RAM.

+To set up the template machine, we'll:

+The steps in this section are based on [Cloudera's instructions for deploying with Docker containers](https://www.cloudera.com/tutorials/sandbox-deployment-and-install-guide/3.html).

+1. Follow the steps in the [Prerequisites section](https://www.cloudera.com/tutorials/sandbox-deployment-and-install-guide/3.html#prerequisites) to install [Docker for Windows](https://docs.docker.com/docker-for-windows/install/).

+ > [!IMPORTANT]

+ :::image type="content" source="./media/class-type-big-data-analytics/windows-hyperv-features.png" alt-text="Turn Windows features on or off.":::

+ > If you inadvertently check the **Use Windows containers instead of Linux containers** option when installing Docker, you won't see the memory configuration settings. To fix this, you can switch to using Linux containers by [clicking on the Docker icon in Windows System tray](https://docs.docker.com/docker-for-windows/#docker-settings-dialog); when the Docker Desktop menu opens, select **Switch to Linux containers**.

+In this section, you'll deploy HDP Sandbox and then access HDP Sandbox using the browser.

+1. Ensure that you have installed [Git Bash](https://gitforwindows.org/) as listed in the [Prerequisites section](https://www.cloudera.com/tutorials/sandbox-deployment-and-install-guide/3.html#prerequisites) of the guide. It's recommended for completing the next steps.

+ - Deploy HDP Sandbox

+ - Verify HDP Sandbox

+ > [!WARNING]

+ > When you download the latest .zip file for HDP, ensure that you *don't* save the .zip file in a directory path that includes whitespace.

+ > [!NOTE]

+ > If you receive an exception during deployment stating **Drive has not been shared**, you need to share your C drive with Docker so that HDP's Linux containers can access local Windows files. To fix this, [click on the Docker icon in Windows System tray](https://docs.docker.com/docker-for-windows/#docker-settings-dialog) to open the Docker Desktop menu and select **Settings**. When **Docker's Settings** dialog opens, select **Resources > File Sharing** and check the **C** drive. You can then repeat the steps to deploy HDP Sandbox.

+1. When the Docker containers for HDP Sandbox are deployed and running, you can access the environment by launching your browser. Follow Cloudera's instructions for opening the [Sandbox Welcome Page](https://www.cloudera.com/tutorials/learning-the-ropes-of-the-hdp-sandbox.html#welcome-page) and launching the HDP Dashboard.

+ > [!NOTE]

+ > These instructions assume that you have first mapped the local IP address of the sandbox environment to the sandbox-hdp.hortonworks.com in the host file on your template VM. If you **don't** do this mapping, you can access the Sandbox Welcome page by navigating to `http://localhost:8080`.

+To provide an easy to use, experience for students, we'll use a PowerShell script that automatically:

+- Starts the HDP Sandbox Docker containers when a student starts and connects to their lab VM.

+- Launches the browser and navigates to the Sandbox Welcome Page.

+To set up a Task Scheduler, follow these steps: [Big Data Analytics scripting](https://aka.ms/azlabs/scripts/BigDataAnalytics).

+If you would like to estimate the cost of this lab, you can use the following example:

+

+25 students \* (20 + 10) hours \* 55 Lab Units \* 0.01 USD per hour = 412.50 USD

+>[!IMPORTANT]

+>Cost estimate is for example purposes only. For current details on pricing, see [Azure Lab Services Pricing](https://azure.microsoft.com/pricing/details/lab-services/).

+This article walked you through the steps necessary to create a lab for a big data analytics class. The big data analytics class uses the Hortonworks Data Platform deployed with Docker. The setup for this class type might be used for similar data analytics classes. This setup might also be applicable to other types of classes that use Docker for deployment.

+This article describes how to set up a lab for a basic database management class in Azure Lab Services. Database concepts are one of the introductory courses taught in most of the Computer Science departments in college. Structured Query Language (SQL) is an international standard. SQL is the standard language for relation database management including adding, accessing, and managing content in a database. It's most noted for its quick processing, proven reliability, ease, and flexibility of use.

+In this article, you learn how to set up a virtual machine template in a lab with both MySQL Database Server and SQL Server 2019 server. [MySQL](https://www.mysql.com/) is a freely available open source Relational Database Management System (RDBMS). [SQL Server 2019](https://www.microsoft.com/sql-server/sql-server-2019) is the latest version of MicrosoftΓÇÖs RDBMS.

+To set up this lab, you need an Azure subscription and lab account. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.

+When you get an Azure subscription, you can create a new lab plan in Azure Lab Services. For more information about creating a new lab plan, see the tutorial on [how to set up a lab plan](./tutorial-setup-lab-plan.md). You can also use an existing lab plan.

+### Lab plan settings

+Enable the settings described in the table below for the lab plan. For more information about enabling marketplace images, see [Specify Marketplace images available to lab creators](./specify-marketplace-images.md).

+| Lab plan setting | Instructions |

+|Marketplace image| Enable the ΓÇÿSQL Server 2019 Standard on Windows Server 2019ΓÇÖ image.|

+Use the settings in the table below when setting up a lab. For more information about creating a lab, see [set up a lab tutorial](tutorial-setup-lab.md).

+SQL Server 2019 is pre-installed in the virtual machine image we selected when creating the new lab.

+Following is an example of a possible cost estimate for this class:

+>[!IMPORTANT]

+> Cost estimate is for example purposes only. For current details on pricing, see [Azure Lab Services Pricing](https://azure.microsoft.com/pricing/details/lab-services/).

+This article shows you how to set up a lab focused on deep learning in Natural Language Processing (NLP) using Azure Lab Services. NLP is a form of Artificial Intelligence (AI) that enables computers with translation, speech recognition, and other language understanding capabilities.

+Students taking an NLP class get a Linux virtual machine (VM) to learn how to apply neural network algorithms. The algorithms teach students to develop deep learning models that are used for analyzing written human language.

+To set up this lab, you need an Azure subscription and lab account to get started. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.

+Once you have an Azure subscription, you can create a new lab plan in Azure Lab Services. For more information about creating a new lab plan, see the tutorial on [how to set up a lab plan](./tutorial-setup-lab-plan.md). You can also use an existing lab plan.

+### Lab plan settings

+Enable the settings described in the table below for the lab plan. For more information about how to enable marketplace images, see the article on [how to specify Marketplace images available to lab creators](./specify-marketplace-images.md).

+| Lab plan setting | Instructions |

+| Marketplace images | Enable the Data Science Virtual Machine for Linux (Ubuntu) image. |

+### Lab settings

+For instructions on how to create a lab, see [Tutorial: Set up a lab](tutorial-setup-lab.md). Use the following settings when creating the lab:

+| Lab settings | Value |

+| VM image | [Data Science Virtual Machine for Linux (Ubuntu)](https://azuremarketplace.microsoft.com/marketplace/apps/microsoft-dsvm.ubuntu-1804). This image provides deep learning frameworks and tools for machine learning and data science. To view the full list of installed tools on this image, see [WhatΓÇÖs included on the DSVM?](../machine-learning/data-science-virtual-machine/overview.md#whats-included-on-the-dsvm). |

+| Enable remote desktop connection | Optionally, check **Enable remote desktop connection**. The Data Science image is already configured to use X2Go so that teachers and students can connect using a GUI remote desktop. X2Go *doesn't* require the **Enable remote desktop connection** setting to be enabled. |

+| Template Virtual Machine Settings | Optionally, choose **Use a virtual machine image without customization**. If you're using the [April 2022 Update (preview)](lab-services-whats-new.md) and the DSVM has all the tools that your class requires, you can skip the template customization step. |

+> [!IMPORTANT]

+> We recommend that you use the X2Go with the Data Science image. However, if you choose to use RDP instead, you'll need to connect to the Linux VM using SSH and install the RDP and GUI packages before publishing the lab. Then, students can connect to the Linux VM using RDP later. For more information, see [Enable graphical remote desktop for Linux VMs](how-to-enable-remote-desktop-linux.md).

+## Template machine configuration

+The Data Science Virtual Machine for Linux image provides the necessary deep learning frameworks and tools required for this type of class. If you chose **Use a virtual machine image without customization** when creating the lab, the ability to customize the template machine will be disabled. You can [publish the lab](tutorial-setup-lab.md#publish-a-lab) when you're ready.

+Let's cover a possible cost estimate for this class. The virtual machine size we chose was Small GPU (Compute), which is 139 lab units.

+For a class of 25 students with 20 hours of scheduled class time and 10 hours of quota for homework or assignments, the cost estimate would be:

+25 students \* (20 scheduled hours + 10 quota hours) \* 139 Lab Units \* 0.01 USD per hour = 1042.5 USD

+>[!IMPORTANT]

+> Cost estimate is for example purposes only. For current details on pricing, see [Azure Lab Services Pricing](https://azure.microsoft.com/pricing/details/lab-services/).

+This article walked you through the steps to create a lab for Natural Language Processing class. You can use a similar setup for other deep learning classes.

+## Next steps

+This article has two main sections. The first section covers how to create the lab. The second section covers how to create the template machine with nested virtualization enabled and with the tools and images needed. In this case, a Metasploitable image and a Kali Linux image on a machine that has Hyper-V enabled to host the images.

+### Lab settings

+| Lab settings | Value |

+| | |

+| Virtual machine (VM) size | Medium (Nested Virtualization) |

+| VM image | Windows Server 2019 Datacenter |

+## Template machine configuration

+To configure the template VM, we'll complete the following three major tasks.

+You can complete the tasks above by executing the [Lab Services Hyper-V Script](https://aka.ms/azlabs/scripts/hyperV) and [Lab Services Ethical Hacking Script](https://aka.ms/azlabs/scripts/EthicalHacking) PowerShell scripts on the template machine. Once scripts have been executed, continue to [Next steps](#next-steps).

+If you choose to set up the template machine manually, continue reading. The rest of this article will cover the manual completion of template configuration tasks.

+ 1. On the **Converting** page, wait for the image to be converted. Conversion may take several minutes. Select **Finish** when the conversion is completed.

+ 1. On the **Converting** page, wait for the image to be converted. Conversion may take several minutes. Select **Finish** when the conversion is completed.

+ :::image type="content" source="./media/class-type-ethical-hacking/new-vm-wizard-1.png" alt-text="Screenshot of New Virtual Machine Wizard in Hyper V.":::

+ :::image type="content" source="./media/class-type-ethical-hacking/assign-memory-page.png" alt-text="Screenshot of Assign Memory page of New Virtual Machine Wizard in Hyper V.":::

+ :::image type="content" source="./media/class-type-ethical-hacking/connect-virtual-network-disk.png" alt-text="Screenshot of Connect Virtual Hard Disk page of New Virtual Machine Wizard in Hyper V.":::

+ :::image type="content" source="./media/class-type-ethical-hacking/network-adapter-page.png" alt-text="Screenshot of settings dialog for Hyper V VM.":::

+ :::image type="content" source="./media/class-type-ethical-hacking/legacy-network-adapter-page.png" alt-text="Screenshot of Legacy Network adapter settings page for Hyper V VM.":::

+The template is now updated and has images needed for an ethical hacking penetration testing class, an image with tools to do the penetration testing and another image with security vulnerabilities to discover. The template image can now be [published](how-to-create-manage-template.md#publish-the-template-vm) to the class.

+This article outlines how to set up a template virtual machine (VM) in Azure Lab Services with the tools needed to teach students to use [Jupyter Notebooks](http://jupyter-notebook.readthedocs.io/). We'll also show how students can connect to their notebooks on their virtual machines (VMs).

+## Lab configuration

+### Lab plan settings

+Enable settings described in the table below for the lab plan. For more information on enabling marketplace images, see [specify Marketplace images available to lab creators](specify-marketplace-images.md).

+| Lab plan setting | Instructions |

+| Marketplace image | Inside your lab account, enable either **Data Science Virtual Machine ΓÇô Windows Server 2019** or **Data Science Virtual Machine ΓÇô Ubuntu 18.04** depending on your OS needs. |

+This article uses the Data Science virtual machine images available on the Azure Marketplace because they are already configured with Jupyter Notebook. These images, however, also include many other development and modeling tools for data science. If you don't want those extra tools and want a lightweight setup with only Jupyter notebooks, create a custom VM image. For an example, [Installing JupyterHub on Azure](http://tljh.jupyter.org/en/latest/install/azure.html). Once the custom image is created, you can upload it to a compute gallery to use the image inside Azure Lab Services. Learn more about [using compute gallery in Azure Lab Services](how-to-attach-detach-shared-image-gallery.md).

+| Lab settings | Value |

+| | |

+| Virtual machine size | Select **Small** or **Medium** for a basic setup accessing Jupyter Notebooks. Select **Small GPU (Compute)** for compute-intensive and network-intensive applications used in Artificial Intelligence and Deep Learning classes. |

+| Virtual machine image | Choose **[Data Science Virtual Machine ΓÇô Windows Server 2019](https://azuremarketplace.microsoft.com/marketplace/apps/microsoft-dsvm.dsvm-win-2019)** or **[Data Science Virtual Machine ΓÇô Ubuntu 18.04](https://azuremarketplace.microsoft.com/marketplace/apps/microsoft-dsvm.ubuntu-1804?tab=Overview)** depending on your OS needs. |

+| Template virtual machine settings | Select **Use virtual machine without customization.**.

+When you create a lab with the **Small GPU (Compute)** size, you can [install GPU drivers](./how-to-setup-lab-gpu.md#ensure-that-the-appropriate-gpu-drivers-are-installed). This option installs recent NVIDIA drivers and Compute Unified Device Architecture (CUDA) toolkit, which is required to enable high-performance computing with the GPU. For more information, see the article [Set up a lab with GPU virtual machines](./how-to-setup-lab-gpu.md).

+## Template machine configuration

+The Data Science VM images come with many of data science frameworks and tools required for this type of class. For example, the images include:

+The **Data Science Virtual Machine ΓÇô Ubuntu** image is already provisioned with X2GO server and to enable students to use a graphical desktop experience. No further steps are required when setting up the template VM.

+### Enabling tools to use GPUs

+If you're using the **Small GPU (Compute)** size, we recommend that you verify that the Data Science frameworks and libraries are properly set up to use GPUs. You may need to install a different version of the NVIDIA drivers and CUDA toolkit. To properly configure the GPUs, you should consult the framework's or library's documentation.

+For example, to validate that the GPU is configured for TensorFlow, connect to the template VM and run the following Python-TensorFlow code in Jupyter Notebooks:

+If the output from the above code looks like the following, the GPU isn't configured for TensorFlow:

+Continuing with the above example, see [TensorFlow GPU Support](https://www.tensorflow.org/install/gpu) for guidance. TensorFlow guidance covers:

+- Required version of the [NVIDIA drivers](https://www.nvidia.com/drivers)

+- Required version of the [CUDA Toolkit](https://developer.nvidia.com/cuda-toolkit-archive).

+- Instructions to install [NVIDIA CUDA Deep Neural Network library (cudDNN)](https://developer.nvidia.com/cudnn).

+After you've followed TensorFlow's steps to configure the GPU, when you rerun the test code, you should see output similar to the following output.

+The next task is to provide students with notebooks that you want them to use. Notebooks can be saved locally on the template VM so each student has their own copy. If you want to use sample notebooks from Azure Machine Learning, see [how to configure an environment with Jupyter Notebooks](../machine-learning/how-to-configure-environment.md#jupyter).

+When you [publish the template](how-to-create-manage-template.md#publish-the-template-vm), each student registered in the lab will get a copy of the template VM with all the local tools and notebooks youΓÇÖve set up on it.

+## How students connect to Jupyter Notebooks?

+Once you publish the template, each student will have access to a VM that comes with everything youΓÇÖve already configured for the class, including the Jupyter Notebooks. The following sections show different ways for students to connect to Jupyter Notebooks.

+### For Windows VMs

+If youΓÇÖve provided students with Windows VMs, they need to connect to their lab VMs to use Jupyter Notebooks. To connect to a Windows VM, a student can use a remote desktop connection (RDP). For more information, see [Connect to a Windows lab VM](connect-virtual-machine.md#connect-to-a-windows-lab-vm).

+If youΓÇÖve provided students with Linux VMs, students can Access Jupyter Notebooks locally after connecting to the VM. For instructions to SSH or connect using X2Go, see [Connect to a Linux lab VM](connect-virtual-machine.md#connect-to-a-linux-lab-vm).

+#### SSH tunnel to Jupyter server on the VM

+Some students may want to connect directly from their local computer directly to the Jupyter server inside their lab VMs. The SSH protocol enables port forwarding between the local computer and a remote server (in our case, the studentΓÇÖs lab VM), so that an application running on a certain port on the server is **tunneled** to the mapping port on the local computer. Students should follow these steps to SSH tunnel to the Jupyter server on their lab VMs:

+1. In the Lab Services web portal ([https://labs.azure.com](https://labs.azure.com)), make sure that the Linux VM that you want to connect to is [started](how-to-use-lab.md#start-or-stop-the-vm).

+2. Once the VM is running, [get the SSH connection command](connect-virtual-machine.md#connect-to-a-linux-lab-vm-using-ssh) by selecting **Connect**, which will show a window that provides the SSH command string, which will look like the following string:

+ ```shell

+ ssh -p 12345 student@ml-lab-00000000-0000-0000-0000-000000000000.eastus2.cloudapp.azure.com

+3. On your local computer, launch a terminal or command prompt, and copy the SSH connection string to it. Then, add `-L 8888:localhost:8888` to the command string, which creates the **tunnel** between the ports. The final string should look like:

+ ```shell

+ ssh ΓÇôL 8888:localhost:8888 -p 12345 student@ml-lab-00000000-0000-0000-0000-000000000000.eastus.cloudapp.azure.com

+ ```

+4. Press **ENTER** to run the command.

+5. When prompted, provide the password to connect to the lab VM.

+6. Once youΓÇÖre connected to the VM, start the Jupyter server using this command:

+ jupyter notebook

+ ```

+7. Running the command will provide you with a URL in the terminal. The URL should look like:

+ http://localhost:8888/?token=8c09ecfc93e6a8cbedf9c66dffdae19670a64acc1d37

+ ```

+8. Paste this URL into a browser on your local computer to connect and work on your Jupyter Notebook.

+ > Visual Studio Code also enables a great [Jupyter Notebook editing experience](https://code.visualstudio.com/docs/python/jupyter-support). You can follow the instructions on [how to connect to a remote Jupyter server](https://code.visualstudio.com/docs/python/jupyter-support#_connect-to-a-remote-jupyter-server) and use the same URL from the previous step to connect from VS Code instead of from the browser.

+25 students \* (20 scheduled hours + 10 quota hours) \* 139 lab units \* 0.01 USD per hour = 1042.5 USD

+>[!IMPORTANT]

+>Cost estimate is for example purposes only. For current details on pricing, see [Azure Lab Services Pricing](https://azure.microsoft.com/pricing/details/lab-services/).

+[MATLAB](https://www.mathworks.com/products/matlab.html) is a programming platform from [MathWorks](https://www.mathworks.com/), which combines computational power and visualization. MATLAB is a popular tool for mathematics, engineering, physics, and chemistry.

+In this article, we'll show you how to set up a class that uses MATLAB client software with a license server.

+To set up this lab, you need an Azure subscription and lab account to get started. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.

+Before creating the lab plan, you'll need to set up the server to run the [Network License Manager](https://www.mathworks.com/help/install/administer-network-licenses.html) software. These instructions are only applicable for institutions that choose the networking licensing option for MATLAB, which allows users to share a pool of license keys. You'll also need to save the license file and file installation key for later. For detailed instructions on how to download a license file, see the first step in [Install Network License Manager with Internet Connection](https://www.mathworks.com/help/install/ug/install-network-license-manager-with-internet-connection.html).

+For detailed instructions on how to install a licensing server, see [Install Network License Manager with Internet Connection](https://www.mathworks.com/help/install/ug/install-network-license-manager-with-internet-connection.html). To enable borrowing, see [Borrow License](https://www.mathworks.com/help/install/license/borrow-licenses.html).

+Assuming the license server is located in an on-premise network or a private network within Azure, youΓÇÖll need to [Connect to your virtual network in Azure Lab Services](how-to-connect-vnet-injection.md) when creating your [lab plan](./tutorial-setup-lab-plan.md).

+> [!IMPORTANT]

+> [Advanced networking](how-to-connect-vnet-injection.md#connect-the-virtual-network-during-lab-plan-creation) must be enabled during the creation of your lab plan. It can't be added later.

+Once you have an Azure subscription, you can create a new lab plan in Azure Lab Services. For more information about creating a new lab plan, see the tutorial on [how to set up a lab plan](./tutorial-setup-lab-plan.md). If you're using a [Network License Manager](https://www.mathworks.com/help/install/administer-network-licenses.html) on a license server, enable [advanced networking](how-to-connect-vnet-injection.md#connect-the-virtual-network-during-lab-plan-creation) when creating your lab plan. You can also use an existing lab plan.

+### Lab settings

+For instructions on how to create a lab, see [Tutorial: Set up a lab](tutorial-setup-lab.md). Use the following settings when creating the lab:

+| Lab settings | Value |

+| | |

+| Virtual machine (VM) size | Medium |

+| VM image | Windows 10 |

+MATLAB is supported on more operating systems than Windows 10. For more information, see [MATLAB system requirements](https://www.mathworks.com/support/requirements/matlab-system-requirements.html).

+## Template machine configuration

+After the template machine is created, start the machine and connect to the template machine to complete the following major tasks:

+Installing MATLAB will be a multi-part process:

+1. Download the files for MATLAB and any other products you want to install. Ensure that all the installation files for products to be installed are pre-downloaded before you use a file installation key.

+1. Install the MATLAB software on the template VM and activating the software. If the template VM is configured to activate using the license server, the student VMs will do the same.

+You must be a license administrator to get the installation files, license file, and the file installation key. Steps to download the installation files are below:

+1. Sign into your MathWorks account at https://www.mathworks.com.

+1. Choose **My Account**.

+1. Under the **My Software** section of the account page, select the license attached to the Network License Manager setup for the lab.

+1. On the license detail page, select **Download Products**.

+1. Wait for the installer to self-extract.

+1. Start the installer.

+1. On the **Sign in to your MathWorks Account** page, enter your MathWorks account details.

+1. On the **MathWorks License Agreement** page, accept the terms and select the **Next** button.

+1. Select the **Advanced Options** drop-down and choose the **I want to download without installing** option.

+1. On the **Select destination folder**, select **Next**.

+1. Select **Windows** as the computer platform to install MATLAB.

+1. On the **Select product** page, ensure that MATLAB is selected along with any other MathWorks products you want to install.

+1. On the **Confirm Selections and Download** page, select **Begin Download**.

+1. Wait for the selected products to download, and then select **Finish**.

+1. Sign into your MathWorks account at https://www.mathworks.com.

+1. Go to [https://www.mathworks.com/downloads](https://www.mathworks.com/downloads).

+1. Select the MATLAB release you want to install.

+1. Select the ΓÇ£Get {version}.iso imageΓÇ¥ link present below the Related links. For example, here the {version} is R2022a.

+1. Select the blue **Download Release** link for Windows.

+Once the files are downloaded, the second step is to run the installer. Once again, you must be a license administrator to complete this step. Only the license administrators can install MATLAB with a file installation key.

+1. Check the downloaded license file and verify that the SERVER line lists the license server correctly. For more information on how to format the license file, see [update network license](https://www.mathworks.com/help/install/ug/network-license-files.html), [license borrowing](https://www.mathworks.com/help/install/license/borrow-licenses.html), and [find host ID](https://www.mathworks.com/matlabcentral/answers/101892-what-is-a-host-id-how-do-i-find-my-host-id-in-order-to-activate-my-license).

+1. Launch the MATLAB Installer.

+1. On the **Sign in to your MathWorks Account** page, enter your MathWorks account details.

+1. On the **MathWorks License Agreement** page, accept the terms and select the **Next** button.

+1. Select the **Advanced Options** drop-down and choose **I have a File Installation Key** option.

+1. On the **Install using File Installation Key** page, enter the file installation key for the license server, and then select **Next**.

+1. On the **Select License File** page, navigate to the license file saved while downloading the installation files earlier.

+1. On the **Select Destination Folder** page, select **Next**.

+1. On the **Select Products** page, select **Next**.

+1. On the **Select Options** page, select **Next**.

+1. On the **Confirm Selections and Install** page, select **Begin Install**.

+1. On the **Installation Complete** page, verify **Activate MATLAB** is checked, and then select **Finish**.

+Let's cover a possible cost estimate for this class. This estimate doesn't include the cost of running the license server. The virtual machine size we chose was medium, which is 55 lab units.

+For a class of 25 students with 20 hours of scheduled class time and 10 hours of quota for homework or assignments, the cost estimate would be:

+> Cost estimate is for example purposes only. For current details on pricing, see [Azure Lab Services Pricing](https://azure.microsoft.com/pricing/details/lab-services/).

+# Set up a lab to teach a networking class

+This article shows you how to set up a class that focuses on allowing students to emulate, configure, test, and troubleshoot virtual and real networks using [GNS3](https://www.gns3.com/) software.

+This article has two main sections. The first section covers how to create the lab. The second section covers how to create the template machine with nested virtualization enabled and with GNS3 installed and configured.

+### Lab settings

+| Lab settings | Value |

+| | |

+| Virtual machine (VM) size | Medium (Nested Virtualization) |

+| VM image | Windows 10 Pro, Version 1909 |

+## Template machine configuration

+To configure the template VM, we'll complete the following major tasks.

+Follow instructions to [enable nested virtualization](how-to-enable-nested-virtualization-template-vm.md) to prepare your template virtual machine for nested virtualization.

+ This option will download the PowerShell script and VHD files to create the GNS3 VM in the Hyper-V manager. Continue installation using the default values.

+ > [!IMPORTANT]

+ > Once the setup is complete, don't start GNS3.

+- **Run with PowerShell** on the "create-vm.ps1" PowerShell script by right-clicking on the file.

+- Use the **Run appliances from virtual machine** option. Use the defaults for the rest of the wizard until you hit the **VMware vmrun tool cannot be found** error.

+### Prepare to publish template

+>[!IMPORTANT]

+>Publishing while the VM is still running will corrupt the template VMs and create unusable lab VMs.

+If you would like to estimate the cost of this lab, you can use the following example:

+For a class of 25 students with 20 hours of scheduled class time and 10 hours of quota for homework or assignments, the price for the lab would be:

+25 students \* (20 + 10) hours \* 84 Lab Units \* 0.01 USD per hour = 630 USD.

+> [!IMPORTANT]

+> Cost estimate is for example purposes only. For current details on pricing, see [Azure Lab Services Pricing](https://azure.microsoft.com/pricing/details/lab-services/).

+[Project Lead The Way (PLTW)](https://www.pltw.org/) is a nonprofit organization that provides PreK&ndash;12 curriculum across the United States in computer science, engineering, and biomedical science. In each PLTW class, students use various software applications as part of their hands-on learning experience. Many of the software applications require either a fast CPU or, in some cases, a GPU. This article shows you how to set up labs for the following PLTW classes. The classes are typically offered to students in grades 9&ndash;12:

+ Students learn about engineering mechanisms, structural and material strength, and automation. This class uses software such as [MD Solids](https://s3.amazonaws.com/support-downloads.pltw.org/2020-21/MD+Solids/MD+Solids+Software+Installation+Guide.pdf), [West Point Bridge Designer](https://s3.amazonaws.com/support-downloads.pltw.org/2020-21/West+Point+Bridge+Builder/Installation+Guide+for+West+Point+Bridge+Designer.pdf), and [AmericaΓÇÖs Army simulation](https://s3.amazonaws.com/support-downloads.pltw.org/2020-21/America's+Army/Installation+Guide+for+Americas+Army+Simulation+17-18.pdf).

+ Students explore modern manufacturing processes that involve robotics and automation. In this class, students use [Autodesk Inventor CAD](https://www.autodesk.com/products/inventor/new-features) and [Autodesk Inventor computer-aided manufacturing (CAM)](https://www.autodesk.com/products/inventor-cam/overview) software.

+ Students contribute to an end-to-end solution by combining research, design, and testing that they present to a panel of engineers. In this class, students use [Autodesk Inventor CAD](https://www.autodesk.com/products/inventor/new-features) software.

+ Students are introduced to computational concepts and tools. They start with block-based programming and then move to text-based coding by using coding environments such as [VEXcode V5 blocks](https://s3.amazonaws.com/support-downloads.pltw.org/2020-21/VEXcode+V5+Blocks/VexCode+V5+Blocks+Installation+Guide.pdf).

+ Students grow their programming expertise with [Python](https://www.python.org/) by using the [Microsoft Visual Studio Code development environment](https://code.visualstudio.com/).

+ Students expand their programming competence in this class by learning mobile app development. In this class, they learn [Java](https://www.java.com/) by using the [Microsoft Visual Studio Code development environment](https://code.visualstudio.com/). Students also use an emulator that allows them to run and test their mobile app code. For information about how to set up an emulator in Azure Lab Services, contact us via the [Azure Lab Services' forums](https://techcommunity.microsoft.com/t5/azure-lab-services/bd-p/AzureLabServices) for more information.

+To begin setting up labs for PLTW, you need access to an Azure subscription and a lab plan. Discuss with your organization's admin to see if you can get access to an existing Azure subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.

+## License server

+Most of the software that's used in the earlier-mentioned PLTW classes *don't* require access to a license server. However, you'll need to access a license server if you plan to use the Autodesk network licensing model for the following software:

+- Revit

+- Inventor CAD

+- Inventor CAM

+To use network licensing with Autodesk software, [PLTW provides detailed steps](https://www.pltw.org/pltw-software) to install Autodesk Network License Manager on your license server. This license server is ordinarily located in either your on-premises network or hosted on an Azure virtual machine (VM) within Azure virtual network.

+After your license server is set up, you need to [Connect to your virtual network in Azure Lab Services](how-to-connect-vnet-injection.md) when creating your [lab plan](./tutorial-setup-lab-plan.md).

+> [!IMPORTANT]

+> [Advanced networking](how-to-connect-vnet-injection.md#connect-the-virtual-network-during-lab-plan-creation) must be enabled during the creation of your lab plan. It can't be added later.

+Autodesk-generated license files embed the MAC address of the license server. If you decide to host your license server by using an Azure VM, itΓÇÖs important to ensure that your license serverΓÇÖs MAC address doesnΓÇÖt change. If the MAC address changes, you'll need to regenerate your licensing files. Following are the steps to prevent your MAC address from changing:

+- [Set a static private IP and MAC address](how-to-create-a-lab-with-shared-resource.md#tips) for the Azure VM that hosts your license server.

+- Ensure to set up both your lab plan and the license serverΓÇÖs virtual network are in a region or location that has sufficient VM capacity so that you donΓÇÖt have to move these resources to a new region or location later.

+For more information, see [Set up a license server as a shared resource](./how-to-create-a-lab-with-shared-resource.md).

+## Lab configuration

+Once you have Azure subscription, you can create a new lab plan in Azure Lab Services. For more information about creating a new lab plan, see the tutorial on [how to set up a lab plan](./tutorial-setup-lab-plan.md).

+After you set up a lab plan, create a separate lab for each PLTW class session that your school offers. We also recommend that you create separate images for each type of PLTW class. For more information about how to structure your labs and images, see the blog post [Moving from a Physical Lab to Azure Lab Services](https://techcommunity.microsoft.com/t5/azure-lab-services/moving-from-a-physical-lab-to-azure-lab-services/ba-p/1654931).

+### Lab plan settings

+Enable your lab plan settings as described in the following table. For more information about how to enable Azure Marketplace images, see [Specify the Azure Marketplace images available to lab creators](./specify-marketplace-images.md).

+| Lab account setting | Instructions |

+| -- | -- |

+| Marketplace image | Enable the Windows 10 Pro image for use within your lab account. |

+### Lab settings

+The recommended size of the virtual machine (VM) for using PLTW classes depends on the types of workloads that your students are doing in the class. For the earlier-listed classes, we recommend using Small GPU (Visualization) and Large VM sizes. As you set up labs for your PLTW classes, refer to the guidance in the following table:

+| Lab setting | Value and description | Class recommendation |

+| | | |

+| Virtual Machine Size | **Small GPU (Visualization)**. Best suited for remote visualization, streaming, gaming, and encoding with frameworks such as OpenGL and DirectX. | We recommend using this size for the following PLTW classes: Civil Engineering and Architecture, Digital Electronics, Computer Integrated Manufacturing, Engineering Design and Development, and Introduction to Engineering Design.

+| Virtual Machine Size | **Large**. Best suited for applications that need faster CPUs, better local disk performance, large databases, and large memory caches. | We recommend using this size for the following PLTW classes: Principles of Engineering, Computer Science Essentials, Computer Science Principles, and Computer Science A. |

+### Template machine configuration

+Instead of downloading installation files to the template machine and installing everything there, we recommend creating your PLTW images in your physical environment. You can then import the custom images into a compute gallery so that you can use them to create your labs. For more information, see [Recommended approaches for creating custom images](approaches-for-custom-image-creation.md).

+ a. Use PLTWΓÇÖs detailed steps for downloading the installation files and installing the required software.

+ > [!NOTE]

+ > When you install the Autodesk applications, the computer that you're installing them on needs to be able to communicate with your license server. The Autodesk installation wizard will prompt you to specify the computer name of the machine that the license server is hosted on. If you're hosting your license server on an Azure VM, you might need to wait to install Autodesk on the lab template VM so that the installation wizard can access your license server.

+ b. [Install and configure OneDrive](./how-to-prepare-windows-template.md#install-and-configure-onedrive) or other backup options that your school might use.

+ c. [Install and configure Windows updates](./how-to-prepare-windows-template.md#install-and-configure-updates).

+1. Upload the custom image to the [compute gallery that's attached to your lab account](./how-to-attach-detach-shared-image-gallery.md).

+1. Create a lab, and then select the custom image that you uploaded in the preceding step.

+1. After the lab is created, start and connect to the template VM to validate that the image works as expected.

+1. Finally, publish the template VM to create the studentsΓÇÖ VMs.

+> If your school needs to perform content filtering, such as for compliance with the [Children's Internet Protection Act (CIPA)](https://www.fcc.gov/consumers/guides/childrens-internet-protection-act), you'll need to use 3rd party software. For more information, read guidance on [content filtering with Lab Services](./administrator-guide.md#content-filtering).

+- [Connect from Windows](./how-to-use-lab.md#connect-to-the-vm)

+LetΓÇÖs cover an example cost estimate for the PLTW classes. This estimate doesnΓÇÖt include the cost of running a license server or using a compute gallery.

+Suppose you have a class of 25 students, each of whom has 20 hours of scheduled class time. Each student also has an extra 10 quota hours for homework or assignments outside of scheduled class time. Here are the estimated costs:

+> [!IMPORTANT]

+> The cost estimate is for example purposes only. For current pricing information, see [Azure Lab Services pricing](https://azure.microsoft.com/pricing/details/lab-services/).

+> [!NOTE]

+> Many of the PLTW classes use applications that are accessed via a browser, such as MIT App Inventor. These browser-based applications donΓÇÖt require a fast CPU or GPU, and you can access them from any device that has an internet connection. When students are using these types of applications, we recommend that they use the browser on their physical device instead the browser on their lab VM. Students can help keep costs down by using their lab VM only for applications that require a fast CPU or GPU.

+This article shows you how to install [Visual Studio Code](https://code.visualstudio.com/) for your development environment, the tools, and libraries needed for a React web development class.

+To set up this lab, you need an Azure subscription to get started. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.

+### Lab plan settings

+Once you get have Azure subscription, you can create a new lab plan in Azure Lab Services. For more information about creating a new lab plan, see the tutorial on [how to set up a lab plan](./tutorial-setup-lab-plan.md). You can also use an existing lab plan.

+Enable your lab plan settings as described in the following table. For more information about how to enable Azure Marketplace images, see [Specify the Azure Marketplace images available to lab creators](./specify-marketplace-images.md).

+| Lab plan setting | Instructions |

+| Marketplace images | Enable the 'Ubuntu Server 18.04 LTS' image. |

+For instructions on how to create a lab, see [Tutorial: Set up a lab](tutorial-setup-lab.md). Use the following settings when creating the lab.

+| Lab setting | Value |

+| Virtual Machine Size | **Small** |

+We recommend that you test your workloads to see if a larger size is needed. For more information about each size, see [VM sizing](administrator-guide.md#vm-sizing).

+[Create React App](https://create-react-app.dev/) is an officially supported way to create a React app and requires no further configuration if you're using npm 5.2 and above. For more instructions on how to use Create React App, see their [getting started](https://create-react-app.dev/docs/getting-started) documentation.

+To run the app in development mode, use the `npm start` built-in command. The local and network urls will be listed in the command output. For more information on how to use HTTPS instead of HTTP, see [Create React App: Using HTTPS in Development](https://create-react-app.dev/docs/using-https-in-development).

+Official Ubuntu builds have [iptables](https://help.ubuntu.com/community/IptablesHowTo) installed and will allow all incoming traffic by default. However, if you're using a VM that has a more restrictive firewall, add an inbound rule to allow traffic to the NodeJS server. The example below uses [iptables](https://help.ubuntu.com/community/IptablesHowTo) to allow traffic to port 3000.

+>Educators must use the template VM or another lab VM to access a student's website.

+LetΓÇÖs cover an example cost estimate for this class. The virtual machine size we chose was **Small**, which is 20 lab units.

+For a class of 25 students with 20 hours of scheduled class time and 10 hours of quota for homework or assignments, the cost estimate would be:

+25 students &times; (20 scheduled hours + 10 quota hours) &times; 20 Lab Units &times; USD0.01 per hour = 150.00 USD

+> The cost estimate is for example purposes only. For current pricing information, see [Azure Lab Services pricing](https://azure.microsoft.com/pricing/details/lab-services/).

+To set up this lab, you need an Azure subscription and lab plan to get started. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.

+### Lab plan settings

+Once you get have Azure subscription, you can create a new lab plan in Azure Lab Services. For more information about creating a new lab plan, see the tutorial on [how to set up a lab plan](./tutorial-setup-lab-plan.md). You can also use an existing lab plan.

+Enable your lab plan settings as described in the following table. For more information about how to enable Azure Marketplace images, see [Specify the Azure Marketplace images available to lab creators](./specify-marketplace-images.md).

+| Marketplace image | Enable 'Visual Studio 2019 Community (latest release) on Windows Server 2019 (x64)' image. |

+For instructions on how to create a lab, see [Tutorial: Set up a lab](tutorial-setup-lab.md). Use the following settings when creating the lab.

+| Lab setting | Value |

+- [React Developer Tools add-on for Microsoft Edge](https://microsoftedge.microsoft.com/addons/detail/react-developer-tools/gpphkfbcpidddadnkolkpfckpihlkkil)

+>Educators must use the template VM or another lab VM to access a student's website.

+## Lab configuration

+To set up this lab, you need an Azure subscription and lab plan to get started. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.

+### External resource configuration

+Some classes require files, such as large data files, to be stored externally. See [use external file storage in Azure Lab Services](how-to-attach-external-storage.md) for options and setup instructions.

+If you choose to have a shared R Server for the students, the server should be set up before the lab is created. For more information on how to set up a shared server, see [how to create a lab with a shared resource in Azure Lab Services](how-to-create-a-lab-with-shared-resource.md). For instructions to create an RStudio Server, see [Download RStudio Server for Debian & Ubuntu](https://www.rstudio.com/products/rstudio/download-server/debian-ubuntu/) and [Accessing RStudio Server Open-Source](https://support.rstudio.com/hc/en-us/articles/200552306-Getting-Started).

+If you choose to use any external resources, youΓÇÖll need to [Connect to your virtual network in Azure Lab Services](how-to-connect-vnet-injection.md) with your [lab plan](./tutorial-setup-lab-plan.md)

+> [Advanced networking](how-to-connect-vnet-injection.md#connect-the-virtual-network-during-lab-plan-creation) must be enabled during the creation of your lab plan. It can't be added later.

+### Lab plan settings

+Once you get have Azure subscription, you can create a new lab plan in Azure Lab Services. For more information about creating a new lab plan, see the tutorial on [how to set up a lab plan](./tutorial-setup-lab-plan.md). You can also use an existing lab plan.

+Enable your lab plan settings as described in the following table. For more information about how to enable Azure Marketplace images, see [Specify the Azure Marketplace images available to lab creators](./specify-marketplace-images.md).

+| Lab plan setting | Instructions |

+| -- | -- |

+| Marketplace images | Enable **Ubuntu Server 18.04 LTS** image. |

+### Lab settings

+For instructions on how to create a lab, see [Tutorial: Set up a lab](tutorial-setup-lab.md). Use the following settings when creating the lab.

+| Enable remote desktop connection | This setting should be enabled if you choose to use RDP. This setting isn't needed if you choose [X2Go to connect to lab machines](connect-virtual-machine-linux-x2go.md). |

+If you choose to instead use RDP, you will need to connect to the Linux VM using SSH and install the RDP and GUI packages before publishing the lab. Then, students can connect to the Linux VM using RDP later. For more information, see [Enable graphical remote desktop for Linux VMs](how-to-enable-remote-desktop-linux.md).

+If you choose to use X2Go, [install the server](https://aka.ms/azlabs/scripts/LinuxDesktop). You'll first need to [Connect to a Linux lab VM using SSH](connect-virtual-machine.md#connect-to-a-linux-lab-vm-using-ssh) to install the server component. Once that is completed, the rest of the setup can be completed after [connecting using the X2Go client](connect-virtual-machine-linux-x2go.md).

+[R](https://www.r-project.org/https://docsupdatetracker.net/about.html) is an open-source language used for statistical computing and graphics. It's used in the statistical analysis of genetics to natural language processing to analyzing financial data. R provides an [interactive command line](https://cran.r-project.org/doc/manuals/r-release/R-intro.html#Invoking-R-from-the-command-line) experience. [RStudio](https://www.rstudio.com/products/rstudio/) is an interactive development environment (IDE) available for the R language. The free version provides code-editing tools, an integrated debugging experience, and package development tools.

+class types set up RStudio differently. Each article describes how to use the [Data Science Virtual Machine for Linux (Ubuntu)](https://azuremarketplace.microsoft.com/en-US/marketplace/apps/microsoft-dsvm.ubuntu-1804) marketplace image, which has many [data science related tools](../machine-learning/data-science-virtual-machine/tools-included.md), including RStudio, pre-installed.

+## Lab configuration

+To set up this lab, you need an Azure subscription and lab plan to get started. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.

+### External resource configuration

+Some classes require files, such as large data files, to be stored externally. See [use external file storage in Azure Lab Services](how-to-attach-external-storage.md) for options and setup instructions.

+If you choose to have a shared R Server for the students, the server should be set up before the lab is created. For more information on how to set up a shared server, see [how to create a lab with a shared resource in Azure Lab Services](how-to-create-a-lab-with-shared-resource.md). For instructions to create an RStudio Server, see [Download RStudio Server for Debian & Ubuntu](https://www.rstudio.com/products/rstudio/download-server/debian-ubuntu/) and [Accessing RStudio Server Open-Source](https://support.rstudio.com/hc/en-us/articles/200552306-Getting-Started).

+If you choose to use any external resources, youΓÇÖll need to [Connect to your virtual network in Azure Lab Services](how-to-connect-vnet-injection.md) with your [lab plan](./tutorial-setup-lab-plan.md)

+> [Advanced networking](how-to-connect-vnet-injection.md#connect-the-virtual-network-during-lab-plan-creation) must be enabled during the creation of your lab plan. It can't be added later.

+### Lab plan settings

+Once you get have Azure subscription, you can create a new lab plan in Azure Lab Services. For more information about creating a new lab plan, see the tutorial on [how to set up a lab plan](./tutorial-setup-lab-plan.md). You can also use an existing lab plan.

+### Lab settings

+For instructions on how to create a lab, see [Tutorial: Set up a lab](tutorial-setup-lab.md). Use the following settings when creating the lab.

+This article shows you how to set up a lab to teach shell scripting on Linux. Scripting is a useful part of system administration that allows administrators to avoid repetitive tasks. In this sample scenario, the class covers traditional bash scripts and enhanced scripts. Enhanced scripts are scripts that combine bash commands and Ruby. This approach lets Ruby pass the data around and bash commands to interact with the shell.

+To set up the lab, you need access to an Azure subscription and a lab account. Discuss with your organization's admin to see if you can get access to an existing Azure subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.

+### Lab plan settings

+When you have an Azure subscription, you can create a new lab plan in Azure Lab Services. For more information about creating a new lab plan, see the tutorial on [how to set up a lab plan](./tutorial-setup-lab-plan.md). You can also use an existing lab plan.

+Enable your lab plan settings as described in the following table. For more information about how to enable Azure Marketplace images, see [Specify the Azure Marketplace images available to lab creators](./specify-marketplace-images.md).

+| Lab plan setting | Instructions |

+| Marketplace images | Enable the 'Ubuntu Server 18.04 LTS' image. |

+### Lab settings

+For instructions on how to create a lab, see [Tutorial: Set up a lab](tutorial-setup-lab.md). Use the following settings when creating the lab.

+| Lab settings | Value/instructions |

+| Enable remote desktop connection | **Enable**. Enabling this setting will allow teachers and students to connect to their VMs using the remote desktop (RDP). For more information, see [Enable remote desktop for Linux virtual machines in a lab in Azure Lab Services](how-to-enable-remote-desktop-linux.md). </p>|

+## Template machine configuration

+### Install desktop and RDP

+The Ubuntu Server 18.04 LTS image doesn't have the RDP remote desktop server installed by default. To install the packages that are needed on the template machine to connect via remote desktop protocol (RDP), follow instructions in the [Install and configure Remote Desktop to connect to a Linux VM in Azure](../virtual-machines/linux/use-remote-desktop.md) article.

+### Install Ruby

+1. Install [Ruby](https://www.ruby-lang.org/). Ruby is an open-source dynamic language that can be combined with bash scripts.

+1. When prompted, type **Y** and press **Enter** to confirm the installation.

+### Install development tools

+1. Install [Visual Studio Code](https://code.visualstudio.com/). Visual Studio code can be installed using the Snap Store. For alternate installation options, see [Visual Studio Code alternate downloads](https://code.visualstudio.com/#alt-downloads).

+## Cost

+For a class of 25 students with 20 hours of scheduled class time and 10 hours of quota for homework or assignments, the price for the lab would be:

+25 students \* (20 + 10) hours \* 20 Lab Units \* 0.01 USD per hour = 150 USD

+> [!IMPORTANT]

+> The cost estimate is for example purposes only. For current pricing information, see [Azure Lab Services pricing](https://azure.microsoft.com/pricing/details/lab-services/).

+SOLIDWORKS Network Licensing requires that you have SolidNetWork License Manager installed and activated on your license server. This license server is typically located in either your on-premise network or a private network within Azure. For more information on how to set up SolidNetWork License Manager on your server, see [Installing and Activating a License Manager](https://help.solidworks.com/2019/English/Installation/install_guide/t_installing_snl_lic_mgr.htm) in the SOLIDWORKS install guide. Remember the **port number** and [**serial number**](https://help.solidworks.com/2019/english/installation/install_guide/r_hid_state_serial_number.htm) that are used since they'll be needed in later steps.

+After your license server is set up, youΓÇÖll need to [Connect to your virtual network in Azure Lab Services](how-to-connect-vnet-injection.md) in your [lab plan](./tutorial-setup-lab-plan.md)

+> [!IMPORTANT]

+> [Advanced networking](how-to-connect-vnet-injection.md#connect-the-virtual-network-during-lab-plan-creation) must be enabled during the creation of your lab plan. It can't be added later.

+> You should verify that the appropriate ports are opened on your firewalls to allow communication between the lab virtual machines and the license server.

+See the instructions on [Modifying License Manager Computer Ports for Windows Firewall](http://help.solidworks.com/2019/english/installation/install_guide/t_mod_ports_on_lic_mgr_for_firewall.htm) that show how to add inbound and outbound rules to the license server's firewall. You may also need to open up ports to the lab virtual machines. Follow more information on firewall settings and finding the lab's public IP, see [firewall settings for labs](./how-to-configure-firewall-settings.md).

+### Lab plan settings

+Enable your lab plan settings as described in the following table. For more information about how to enable Azure Marketplace images, see [Specify the Azure Marketplace images available to lab creators](./specify-marketplace-images.md).

+| Lab plan setting | Instructions |

+|Marketplace image| Enable the **Windows 10 Pro** image.|

+SOLIDWORKS supports other versions of Windows besides Windows 10. See [SOLIDWORKS system requirements](https://www.solidworks.com/sw/support/SystemRequirements.html) for details.

+For instructions on how to create a lab, see [Tutorial: Set up a lab](tutorial-setup-lab.md). Use the following settings when creating the lab.

+| Virtual Machine Size | **Small GPU (Visualization)**. This VM is best suited for remote visualization, streaming, gaming, encoding using frameworks such as OpenGL and DirectX.|

+| Virtual Machine Image | Windows 10 Pro |

+## Template configuration

+This article describes how to set up a lab for a basic SQL Server management and development class in Azure Lab Services. Database concepts are one of the introductory courses taught in most of the Computer Science departments in college. Structured Query Language (SQL) is an international standard. SQL is the standard language for relation database management including adding, accessing, and managing content in a database. It is most noted for its quick processing, proven reliability, ease, and flexibility of use.

+In this article, we'll show how to set up a virtual machine template in a lab with [Visual Studio 2019](https://visualstudio.microsoft.com/vs/), [SQL Server Management Studio](/sql/ssms/download-sql-server-management-studio-ssms), and [Azure Data Studio](https://github.com/microsoft/azuredatastudio). For this lab, we will use one shared [SQL Server Database](/azure/azure-sql/database/sql-database-paas-overview) for the entire lab. [Azure SQL Database](/azure/azure-sql/database/sql-database-paas-overview) is Platform as a Service (PaaS) Database Engine offering from Azure.

+## External resource configuration

+To use any external resources, youΓÇÖll need to [Connect to your virtual network in Azure Lab Services](how-to-connect-vnet-injection.md) with your [lab plan](./tutorial-setup-lab-plan.md)

+> [!IMPORTANT]

+> [Advanced networking](how-to-connect-vnet-injection.md#connect-the-virtual-network-during-lab-plan-creation) must be enabled during the creation of your lab plan. It can't be added later.

+Now that the networking side of things is handled, lets create a SQL Server Database. We are going to create a [single database](/azure/azure-sql/database/single-database-create-quickstart?tabs=azure-portal) as it is the quickest deployment option for Azure SQL Database. For other deployment options, create an [elastic pool](/azure/azure-sql/database/elastic-pool-overview#create-a-new-sql-database-elastic-pool-by-using-the-azure-portal), [managed instance](/azure/azure-sql/managed-instance/instance-create-quickstart), or [SQL virtual machine](/azure/azure-sql/virtual-machines/windows/sql-vm-create-portal-quickstart).

+2. Choose **SQL Database** and select the **Create** button.

+5. Under the **Server** setting, select **Create new** to create a new server to hold the database.

+6. On the **New server** flyout, enter the Server name. We'll use *classlabdbserver*. The server name must be globally unique.

+10. Select **OK** to return to the **Create SQL Database** form.

+11. Select **Configure database** link under the **Compute + storage** setting.

+12. Modify database settings as needed for the class. You can choose between Provisioned and Serverless options. For this example, we'll use the autoscaled Serverless option with max vCores of 4, min vCores of 1. We'll keep the autopause setting at the minimum of 1 hour. Select **Apply**.

+13. Select **Next: Networking** button.

+15. Under the **Private endpoints** section, Select **Add private endpoint**.

+23. Select **OK**.

+24. Select **Next: Additional settings**.

+26. Select **Review + create**.

+27. Select **Create**.

+## Lab configuration

+To set up this lab, you need an Azure subscription to get started. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.

+### Lab plan settings

+Once you get have Azure subscription, you can create a new lab plan in Azure Lab Services. For more information about creating a new lab plan, see the tutorial on [how to set up a lab plan](./tutorial-setup-lab-plan.md). You can also use an existing lab plan.

+Enable your lab plan settings as described in the following table. For more information about how to enable Azure Marketplace images, see [Specify the Azure Marketplace images available to lab creators](./specify-marketplace-images.md).

+| Lab plan setting | Instructions |

+| - | |

+| Marketplace image | Enable the 'Visual Studio 2019 Community (latest release) on Windows 10 Enterprise N (x64)' image. |

+For instructions on how to create a lab, see [Tutorial: Set up a lab](tutorial-setup-lab.md). Use the following settings when creating the lab.

+## Template configuration

+### Visual Studio

+Visual Studio includes the **Data storage and processing** tool set, which includes SQL Server Data Tools (SSDT). For more information about SSDT's capabilities, see [SQL Server Data Tools overview](/sql/ssdt/sql-server-data-tools). To verify connection to the shared SQL Server for the class will be successful, see [connect to a database and browse existing objects](/sql/ssdt/how-to-connect-to-a-database-and-browse-existing-objects). If prompted add the template machine IP to the [list of allowed computers](/azure/azure-sql/database/firewall-configure) that can connect to your SQL Server instance.

+### Install Azure Data Studio

+2. On the **License Agreement** page, select **I accept the agreement**. Select **Next**.

+3. On the **Select Destination Location** page, elect **Next**.

+4. On the **Select Start Menu Folder** page, select **Next**.

+5. On the **Select Additional Tasks** page, check **Create a desktop icon** if you want a desktop icon. Select **Next**.

+6. On the **Ready to Install**, select **Next**.

+7. Wait for the installer to run. Select **Finish**.

+1. On the **Welcome** page for Azure Data Studio, select the **New Connection** link.

+3. Select **Connect**.

+### Install SQL Server Management Studio

+2. On the **Welcome** page, select **Install**.

+3. On the **Setup Completed** page, select **Close**.

+5. On the **Dependency Configuration process** page, select **Close**.

+Azure Lab Services enables you to quickly set up lab environments in the cloud. Articles in this section provide guidance on how to set up several types of labs using Azure Lab Services.

+[ArcGIS](https://www.esri.com/en-us/arcgis/products/arcgis-solutions/overview) is a type of geographic information system (GIS). You can set up a lab that uses ArcGIS Desktop's various applications. For example, [ArcMap](https://desktop.arcgis.com/en/arcmap/latest/map/main/what-is-arcmap-.htm) can make, edit, and analyze 2D maps.

+For detailed information on how to set up this type of lab, see [Set up a lab for Autodesk](class-type-autodesk.md).

+You can set up a GPU lab to teach a big data analytics class. With this type of class, students learn how to handle large volumes of data, and apply machine and statistical learning algorithms to derive data insights. A key goal for students is to learn to use data analytics tools, such as Apache Hadoop's open-source software package that provides tools for storing, managing, and processing big data.

+You can set up a lab for a class that focuses on allowing students to emulate, configure, test, and troubleshoot virtual and real networks using [GNS3](https://www.gns3.com/) software.

+For detailed information on how to set up this type of lab on Linux using [Visual Studio Code](https://code.visualstudio.com/) for your development environment, see [Set up lab for React on Linux](class-type-react-linux.md). For detailed information on how to set up this type of lab on Windows using [Visual Studio 2019](https://visualstudio.microsoft.com/vs/) for your development environment, see [Set up lab for React on Windows](class-type-react-windows.md).

+[R](https://www.r-project.org/https://docsupdatetracker.net/about.html) is an open-source language used for statistical computing and graphics. It's used in the statistical analysis of genetics, natural language processing, analyzing financial data, and more. R provides an [interactive command line](https://cran.r-project.org/doc/manuals/r-release/R-intro.html#Invoking-R-from-the-command-line) experience. [RStudio](https://www.rstudio.com/products/rstudio/) is an interactive development environment (IDE) available for the R language. The free version provides code-editing tools, an integrated debugging experience, and package development tools. This class type will focus on solely RStudio and R as a building block for a class that requires the use of statistical computing.

+For detailed information on how to set up this type of lab, see [Set up a lab for Shell scripting on Linux](class-type-shell-scripting-linux.md).

+You can set up a GPU lab that gives engineering students access to [SolidWorks](https://www.solidworks.com/). SolidWorks provides a 3D CAD environment for modeling solid objects. With SolidWorks, engineers can easily create, visualize, simulate, and document their designs.

+This article describes key Azure Lab Services concepts and definitions.

+## Schedules

+Schedules are the time slots that an educator creates so the lab VMs are available for class time. Schedules can be one-time or recurring. Any scheduled time doesn't count against extra time students may be given to complete homework. A lab can use [quota](#quota) time, scheduled time, or a combination of both.

+Scheduled time is commonly used when students are following the educator's directions during class hours. For more information about schedules, see [Create and manage schedules for labs in Azure Lab Services](how-to-create-schedules.md).

+All the student VMs are started with schedules. (Unclaimed VMs aren't started when schedules run.) VMs are started even if a student doesn't sign into a VM. To help reduce likelihood of accruing costs when a VM isn't being used, see [Configure automatic shutdown of VMs for a lab](how-to-enable-shutdown-disconnect.md).

+There are two types of schedules.

+- **Standard**. This schedule will start all student VMs at the specified start time and shut down all lab VMs at the specified stop time.

+- **Stop only**. This schedule will stop all lab VMs at the specified time, even if the VM was manually started by an educator or student.

+Quota is the limit of time a student may use their VM outside of class. Allowing time for homework is done by using quota hours. If no quota is assigned, students can only use their VM during scheduled time or if the educator starts the VM for them.

+A lab can use either quota time, [scheduled time](#schedules), or a combination of both.

+## Automatic shut-down

+Anytime a machine is **Running**, costs are being incurred, even if no one is connected to the VM. You can enable several auto-shutdown features to avoid extra costs when the VMs aren't being used. The are three auto-shutdown policies available in Azure Lab Services.

+- Disconnect idle virtual machines.

+- Shut down virtual machines when students disconnect from the virtual machine.

+- Shut down virtual machines when students don't connect a recently started virtual machine.

+For more information, see [Configure automatic shutdown of VMs for a lab plan](how-to-configure-auto-shutdown-lab-plans.md).

+A template VM in a lab is a base image from which all students' VMs are created. Educators configure the template VM with the software needed to complete the lab. When educators [publish a template VM](tutorial-setup-lab.md#publish-a-lab), Azure Lab Services creates or updates student lab VMs to match the template VM.

+Labs can be created without needing a template VM, if using the [April 2022 Update (preview)](lab-services-whats-new.md). The Marketplace or Azure Compute Gallery image is used as-is to create the student's VMs.

+## Lab plans

+Lab plans are an Azure resource and contain settings used when creating new labs. Lab plans control the networking setup, which VM images are available and if [Canvas integration](lab-services-within-canvas-overview.md) can be used for a lab. To create a lab plan, see [Quickstart: Create a lab plan using the Azure portal](quick-create-lab-plan-portal.md).

+Azure Lab Services was designed with three major personas in mind: administrators, educators, and students. You'll see these three roles mentioned throughout Azure Lab Services documentation. This section describes each persona and the tasks theyΓÇÖre typically responsible for.

+### Administrator

+An IT administrator for organization is typically the lab plan owner. The lab plan owner is often the one owns the Azure subscription and does the following tasks:

+- Creates and organizes resource groups to contain lab plans and labs.

+- Creates lab plans for your organization.

+- Gives permissions to educators in the organization to create a lab using the lab plan.

+Educators, often a teacher or an online trainer, creates labs using a pre-created lab plan. An educator does the following tasks:

+- Creates a lab.

+- Installs the appropriate software on virtual machines template.

+- Publishes the lab to create VMs for the students.

+- Specifies which students can access the lab.

+- Sends registration link to the lab to students, if necessary.

+- Use the lab to teach their course.

+Some organizations may opt to have their administrators complete the previous tasks to create and manage labs on behalf of the educators.

+- Registers for the lab, if needed.

+- Connects to a VM in the lab and uses it for completing assigned work.

+The first action to take to use Azure Lab Services is to create a lab plan. Labs can be created only after a lab plan is created.

+- [As an admin, create a lab plan](tutorial-setup-lab-plan.md)

+- [As an educator, create a lab](tutorial-setup-lab.md)

+Azure Lab Services is a SaaS (software as a service) solution, which means that the resources needed by Lab Services are handled for you. This article will cover the fundamental resources used by Lab Services and basic architecture of a lab.

+Azure Lab Services does provide a couple of areas that allow you to use your own resources in conjunction with Lab Services. For more information about using VMs on your own network, see how to [peer a virtual network](how-to-connect-peer-virtual-network.md). If using the April 2022 Update, see [Connect to your virtual network in Azure Lab Services](how-to-connect-vnet-injection.md) to use virtual network injection instead of virtual network peering. To reuse images from an Azure Compute Gallery, see how to [attach a compute gallery](how-to-attach-detach-shared-image-gallery.md).

+Below is the basic architecture of a lab. The lab account or lab plan is hosted in your subscription. The student VMs, along with the resources needed to support the VMs are hosted in a subscription owned by Azure Lab Services. LetΓÇÖs talk about what is in Azure Lab Service's subscriptions in more detail.

+The resources required to run a lab are hosted in one of the Microsoft-managed Azure subscriptions. Resources include a template virtual machine for the educator, virtual machine for each student, and network-related items such as a load balancer, virtual network, and network security group. These subscriptions are monitored for suspicious activity. It is important to note that this monitoring is done externally to the virtual machines through VM extension or network pattern monitoring. If [shutdown on disconnect](how-to-enable-shutdown-disconnect.md) is enabled, a diagnostic extension is enabled on the virtual machine. The extension allows Lab Services to be informed of the remote desktop protocol (RDP) session disconnect event.

+> [!NOTE]

+> For the latest experience in Azure Lab Services using your virtual network, see [Connect to your virtual network](how-to-connect-vnet-injection.md). This experience replaces the peer virtual network experience.

+Student VMs that are hosted in the lab have a username and password set by the creator of the lab. Alternately, the creator of the lab can allow registered students to choose their own password on first sign-in.

+Azure Labs Services allows educators (teachers, professors, trainers, or teaching assistants, etc.) to quickly and easily create an online lab to provision pre-configured learning environments for the trainees. Each trainee would be able use identical and isolated environments for the training. Policies can be applied to ensure that the training environments are available to each trainee only when they need them and contain enough resources - such as virtual machines - required for the training.

+

+Labs meet the following requirements that are required to conduct training in any virtual environment:

+- Trainees can't see VMs created by other trainees

+## Create the lab plan as a lab plan administrator

+The first step in using Azure Lab Services is to create a lab plan in the Azure portal. After a lab plan administrator creates the lab plan, the admin adds users who want to create labs to the **Lab Creator** role. The educators create labs with virtual machines for students to do exercises for the course they are teaching. For details, see [Create and manage lab plan](how-to-manage-lab-plans.md).

+An educator, who is a member of the Lab Creator role in a lab plan, can create one or more labs in the lab plan. You create and configure a template VM with all the required software for doing exercises in your course. You pick a ready-made image from the available images for creating a lab and then optionally customize it by installing the software required for the lab. For details, see [Create and manage labs](how-to-manage-labs.md).

+## Set up and publish a template VM

+A template in a lab is a base virtual machine image from which all usersΓÇÖ virtual machines are created. Set up the template VM so that it is configured with exactly what you want to provide to the training attendees. You can provide a name and description of the template that the lab users see. Then, you publish the template to make instances of the template VM available to your lab users. When you publish a template, Azure Lab Services creates VMs in the lab by using the template. The number of VMs created in this process is same as the maximum number of users allowed into the lab, which you can set in the usage policy of the lab. All virtual machines have the same configuration as the template. For details, see [Set up and publish template virtual machines](how-to-create-manage-template.md).

+Schedules allow you to configure a lab such that VMs in the lab automatically start and shut down at a specified time. You can define a one-time schedule or a recurring schedule. For details, see [Create and manage schedules for labs](how-to-create-schedules.md).

+## Use VMs in the lab

+A student or training attendee registers to the lab, and connects to the VM to do exercises for the course. For details, see [How to access a lab](how-to-use-lab.md).

+Start with creating a lab plan in labs by following instructions in the article: [Tutorial: Setup a lab plan with Azure Lab Services](tutorial-setup-lab-plan.md).

+This section shows how a student can connect to a lab VM from a Chromebook by using Remote Desktop Protocol (RDP).

+ :::image type="content" source="./media/connect-virtual-machine-chromebook-remote-desktop/install-remote-desktop-chromebook.png" alt-text="Screenshot of Microsoft Remote Desktop app.":::

+1. Install the latest version of **Remote Desktop** by Microsoft Corporation.

+1. On the tile for your VM, ensure the [VM is running](how-to-use-lab.md#start-or-stop-the-vm) and select the **Connect** icon.

+ :::image type="content" source="./media/connect-virtual-machine-chromebook-remote-desktop/connect-vm.png" alt-text="Screenshot of My virtual machines page for Azure Lab Services. The connect icon button on the VM tile is highlighted.":::

+1. If youΓÇÖre connecting *to a Linux VM*, you'll see two options to connect to the VM: SSH and RDP. Select the **Connect via RDP** option. If you're connecting *to a Windows VM*, you don't need to choose an connection option. The RDP file will automatically start downloading.

+ :::image type="content" source="./media/connect-virtual-machine-chromebook-remote-desktop/student-vm-connect-options.png" alt-text="Screenshot that shows V M tile for student. The R D P and S S H connection options are highlighted.":::

+1. Open the **RDP** file that's downloaded on your computer with **Microsoft Remote Desktop** installed. It should start connecting to the VM.

+ :::image type="content" source="./media/connect-virtual-machine-chromebook-remote-desktop/connect-vm-chromebook.png" alt-text="Screenshot of the Microsoft Remote Desktop app connecting to V M.":::

+1. When prompted, enter your password.

+ :::image type="content" source="./media/connect-virtual-machine-chromebook-remote-desktop/password-chromebook.png" alt-text="Screenshot that shows the Logon screen where you enter your username and password.":::

+1. Select **Continue** if you receive a warning about the certificate not being verified.

+ :::image type="content" source="./media/connect-virtual-machine-chromebook-remote-desktop/certificate-error-chromebook.png" alt-text="Screenshot that shows certificate warning when connecting to lab V M.":::

+1. Once the connection is complete you'll see the desktop of your lab VM.

+- As an educator, [configure RDP for Linux VMs](how-to-enable-remote-desktop-linux.md#rdp-setup)

+- As a student, [stop the VM](how-to-use-lab.md#start-or-stop-the-vm)

+ Title: Connect to a Linux VM using X2Go in Azure Lab Services | Microsoft Docs

+description: Learn how to use X2Go for Linux virtual machines in a lab in Azure Lab Services.

+# Connect to a VM using X2Go

+Students can use X2Go to connect to their Linux VMs after their educator sets up their lab with X2Go and the GUI packages for a Linux graphical desktop environment

+Students need to find out from their educator which Linux graphical desktop environment their educator has installed. This information is needed in the next steps to connect using the X2Go client.

+## Install X2Go client

+Install the [X2Go client](https://wiki.x2go.org/doku.php/doc:installation:x2goclient) on your local computer. Follow the instructions that match the client OS you are using.

+## Connect to the VM using X2Go client

+1. Copy SSH connection information for VM. For instructions to get the SSH command, see [Connect to a Linux lab VM Using SSH](connect-virtual-machine.md#connect-to-a-linux-lab-vm-using-ssh). You need this information to connect using the X2Go client.

+1. Once you have the SSH connection information, open the X2Go client and select **Session** > **New Session**.

+ :::image type="content" source="./media/how-to-use-classroom-lab/x2go-new-session.png" alt-text="Screenshot of X 2 Go client Session menu.":::

+1. Enter the values in the **Session Preferences** pane based on your SSH connection information. For example, your connection information will look similar to following command.

+ ```bash

+ ssh -p 12345 student@ml-lab-00000000-0000-0000-0000-000000000000.eastus2.cloudapp.azure.com

+ ```

+ Using this example, the following values are entered:

+ - **Session name** - Specify a name, such as the name of your VM.

+ - **Host** - The ID of your VM; for example, **`ml-lab-00000000-0000-0000-0000-000000000000.eastus2.cloudapp.azure.com`**.

+ - **Login** - The username for your VM; for example, **student**.

+ - **SSH port** - The unique port assigned to your VM; for example, **12345**.

+ - **Session type** - Select the Linux graphical desktop environment that your educator configured your VM. You need to get this information from your educator. For example, select `XFCE` if you're using either XFCE or Xubuntu graphical desktop environments.

+ Finally, select **OK** to create the session.

+ :::image type="content" source="./media/how-to-use-classroom-lab/x2go-session-preferences.png" alt-text="Screenshot of new session window in X 2 Go client. The session name, server information and session type settings are highlighted.":::

+1. Select on your session in the right-hand pane.

+ :::image type="content" source="./media/how-to-use-classroom-lab/x2go-start-session.png" alt-text="Screenshot of X 2 Go with saved session.":::

+ > [!NOTE]

+ > If you are prompted with a message about authenticity, select **yes** to continue to entering your password. Message will be similar to "The authenticity of host '[`00000000-0000-0000-0000-000000000000.eastus2.cloudapp.eastus.cloudapp.azure.com`]:12345' can't be established. ECDSA key fingerprint is SHA256:00000000000000000000000000000000000000000000.Are you sure you want to continue connecting (yes/no)?"

+1. When prompted, enter your password and select **OK**. You'll now be remotely connected to your VM's GUI desktop environment.

+## Next steps

+- [As an educator, configure X2Go on a template VM](how-to-enable-remote-desktop-linux.md#x2go-setup)

+- [As a student, stop the VM](how-to-use-lab.md#start-or-stop-the-vm)

+This section shows how a student can connect to a lab VM from a Mac by using RDP.

+1. Open the App Store on your Mac, and search for **Microsoft Remote Desktop**.

+ :::image type="content" source="./media/connect-virtual-machine-mac-remote-desktop\install-remote-desktop.png" alt-text="Screenshot of Microsoft Remote Desktop app in the App Store.":::

+1. Install the latest version of Microsoft Remote Desktop.

+1. On the tile for your VM, ensure the [VM is running](how-to-use-lab.md#start-or-stop-the-vm) and select the **Connect** icon.

+ :::image type="content" source="./media/connect-virtual-machine-mac-remote-desktop/connect-vm.png" alt-text="Screenshot of My virtual machines page for Azure Lab Services. The connect icon button on the VM tile is highlighted.":::

+1. If youΓÇÖre connecting *to a Linux VM*, you'll see two options to connect to the VM: SSH and RDP. Select the **Connect via RDP** option. If you're connecting *to a Windows VM*, you don't need to choose an connection option. The RDP file will automatically start downloading.

+ :::image type="content" source="./media/connect-virtual-machine-mac-remote-desktop/student-vm-connect-options.png" alt-text="Screenshot that shows V M tile for student. The R D P and S S H connection options are highlighted.":::

+1. Open the **RDP** file that's downloaded on your computer with **Microsoft Remote Desktop** app previously installed. It should start connecting to the VM.

+ :::image type="content" source="./media/how-to-use-classroom-lab/connect-linux-vm.png" alt-text="Screenshot of Microsoft Remote Desktop app connecting to a remote VM.":::

+1. Select **Continue** if you receive the following warning.

+ :::image type="content" source="./media/how-to-use-classroom-lab/certificate-error.png" alt-text="Screenshot of certificate error for Microsoft Remote Desktop app.":::

+1. You should see the VM desktop. The following example is for a CentOS Linux VM.

+ :::image type="content" source="./media/how-to-use-classroom-lab/vm-ui.png" alt-text="Screenshot of desktop for CentOs Linux VM.":::

+## Next steps

+- As a student, learn to [connect to a VM using X2Go](connect-virtual-machine-linux-x2go.md).

+- As a student, [stop the VM](how-to-use-lab.md#start-or-stop-the-vm).

+ Title: Connect to a VM using Remote Desktop Protocol on Windows in Azure Lab Services | Microsoft Docs

+description: Learn how to connect from Windows to a Linux VM using Remote Desktop Protocol

+# Connect to a VM using Remote Desktop Protocol on Windows

+This article shows how a student can connect from Windows to a lab VM using Remote Desktop Protocol (RDP).

+## Connect to VM from Windows using RDP

+Students can use RDP to connect to their lab VMs. If the lab VM is a Windows VM, no extra configuration is required by the educator. If the lab VM is a Linux VM, the educator must [enable RDP](how-to-enable-remote-desktop-linux.md) and install GUI packages for a Linux graphical desktop.

+Typically, the [Remote Desktop client](/windows-server/remote/remote-desktop-services/clients/remote-desktop-clients) is already installed and configured on Windows. As a result, all you need to do is select on the RDP file to open it and start the remote session.

+1. On the tile for your VM, ensure the [VM is running](how-to-use-lab.md#start-or-stop-the-vm) and select the **Connect** icon.

+ :::image type="content" source="./media/connect-virtual-machine-windows-rdp/connect-vm.png" alt-text="Screenshot of My virtual machines page for Azure Lab Services. The connect icon button on the VM tile is highlighted.":::

+1. If youΓÇÖre connecting *to a Linux VM*, you'll see two options to connect to the VM: SSH and RDP. Select the **Connect via RDP** option. If you're connecting *to a Windows VM*, you don't need to choose a connection option. The RDP file will automatically start downloading.

+ :::image type="content" source="./media/connect-virtual-machine-windows-rdp/student-vm-connect-options.png" alt-text="Screenshot that shows V M tile for student. The R D P and S S H connection options are highlighted.":::

+1. When the RDP file is downloaded onto your machine, open it to launch the RDP client.

+1. After adjusting RDP connection settings as needed, select **Connect** to start the remote session.

+## Optimize RDP client settings

+The RDP client includes various settings that can be adjusted to optimize the user's connection experience. Typically, these settings don't need to be changed. By default, the settings are already configured to choose the right experience based on your network connection. For more information on these settings, see [RDP client's **Experience** settings](/windows-server/administration/performance-tuning/role/remote-desktop/session-hosts#client-experience-settings).

+If your educator has configured the GNOME graphical desktop on a Linux VM with the RDP client, we recommend the following settings to optimize performance:

+- Under the **Display** tab, set the color depth to **High Color (15 bit)**.

+ :::image type="content" source="./media/connect-virtual-machine-windows-rdp/rdp-display-settings.png" alt-text="Screenshot of display tab of the Windows R D P client. The color depth setting is highlighted.":::

+- Under the **Experience** tab, set the connection speed to **Modem (56 kbps)**.

+ :::image type="content" source="./media/connect-virtual-machine-windows-rdp/rdp-experience-settings.png" alt-text="Screenshot of experience tab of the Windows R D P client. The connection speed setting is highlighted.":::

+## Next steps

+- [As an educator, enabled RDP on Linux](how-to-enable-remote-desktop-linux.md#rdp-setup)

+- [As a student, stop the VM](how-to-use-lab.md#start-or-stop-the-vm)

+ Title: How to connect to an Azure Lab Services VM | Microsoft Docs

+description: Learn how to connect to a VM in Azure Lab Services

+# Connect to a lab VM

+As a student, you'll need to [start](how-to-use-lab.md#start-or-stop-the-vm) and then connect to your lab VM to complete your lab work. How you connect to your VM will depend on the operating system (OS) of the machine your using and the OS of the VM your connecting to.

+## Connect to a Windows lab VM

+If connecting *to a Windows VM*, follow the instructions based on the type of OS you're using.

+| Client OS | Instructions |

+| | |

+| Windows | [Connect to a VM using RDP on Windows](connect-virtual-machine-windows-rdp.md). |

+| Mac | [Connect to a VM using RDP on a Mac](connect-virtual-machine-mac-remote-desktop.md). |

+| Chromebook | [Connect to a VM using RDP on a Chromebook](connect-virtual-machine-chromebook-remote-desktop.md). |

+## Connect to a Linux lab VM

+This section shows students how to connect to a Linux VM in a lab using secure shell protocol (SSH), remote desktop protocol (RDP), or X2Go.

+SSH is configured automatically for Linux VMs. Both students and educators can SSH into Linux VMs without any extra setup. However, if students need to connect to using a GUI, the educators may need to do extra setup on the template VM.

+> [!WARNING]

+> If you need to use [GNOME](https://www.gnome.org/) or [MATE](https://mate-desktop.org/) you should coordinate with your educator to ensure your lab VM is properly configured. For details, see [Using GNOME or MATE graphical desktops](how-to-enable-remote-desktop-linux.md#using-gnome-or-mate-graphical-desktops).

+### Connect to a Linux lab VM Using RDP

+An educator must first [enable remote desktop connection for Linux VMs](how-to-enable-remote-desktop-linux.md#rdp-setup).

+To connect *to a Linux VM using RDP*, follow the instructions based on the type of OS you're using.

+| Client OS | Instructions |

+| | |

+| Windows | [Connect to a VM using RDP on Windows](connect-virtual-machine-windows-rdp.md). |

+| Mac | [Connect to a VM using RDP on a Mac](connect-virtual-machine-mac-remote-desktop.md).|

+| Chromebook | [Connect to a VM using RDP on a Chromebook](connect-virtual-machine-chromebook-remote-desktop.md). |

+### Connect to a Linux lab VM Using X2Go

+Linux VMs can have X2Go enabled and a graphical desktop installed. For more information, see [X2Go Setup](how-to-enable-remote-desktop-linux.md#x2go-setup) and [Using GNOME or MATE graphical desktops](how-to-enable-remote-desktop-linux.md#using-gnome-or-mate-graphical-desktops).

+For instructions to connect *to a Linux VM using X2Go*, see [Connect to a VM using X2Go](connect-virtual-machine-linux-x2go.md).

+### Connect to a Linux lab VM using SSH

+By default Linux VMs have SSH installed. To connect *to a Linux VM using SSH*, do the following actions:

+1. If using a Windows machine to connect to a Linux VM, first install an ssh client like [PuTTY](https://www.putty.org/) or enable [OpenSSH in Windows](/windows-server/administration/openssh/openssh_install_firstuse).

+1. [Start the VM](how-to-use-lab.md#start-or-stop-the-vm), if not done already.

+1. Once the VM is running, select **Connect**, which will show a dialog box that provides the SSH command string. The connection command will look like the following sample:

+ ```bash

+ ssh -p 12345 student@ml-lab-00000000-0000-0000-0000-000000000000.eastus2.cloudapp.azure.com

+ ```

+1. Copy the command.

+1. Go to your command prompt or terminal, paste in the command, and then press **ENTER**.

+1. Enter the password to sign in to the lab VM.

+## Next steps

+- [As a student, stop the VM](how-to-use-lab.md#start-or-stop-the-vm)

+Each lab dashboard has a **Costs & Billing** section that lays out a rough estimate of what the lab will cost for the lab. The estimate uses the number [schedules](classroom-labs-concepts.md#schedules), [quota hours](classroom-labs-concepts.md#quota), [extra quota for individual students](how-to-configure-student-usage.md#set-additional-quotas-for-specific-users), and [lab capacity](how-to-manage-vm-pool.md#set-lab-capacity) when calculating the cost estimate. Changes to the number of quota hours, schedules or lab capacity will affect the cost estimate value.

+- The [template VM preparation](how-to-create-manage-template.md#update-a-template-vm) cost. It can vary significantly in the amount of time needed to create the template. The cost to run the template is the same as running any lab VM.

+- Any [compute gallery](how-to-use-shared-image-gallery.md) costs. Compute galleries can be shared among multiple labs.

+- Cost incurred when the lab creator starts a virtual machine (VM).

+- Networking costs if the lab is using [advanced networking](how-to-connect-vnet-injection.md).

+## Cost analysis

+The cost analysis is for reviewing the previous month's usage to help you determine any adjustments you need to make for a lab. You can find the breakdown of past costs in the [subscription cost analysis](../cost-management-billing/costs/quick-acm-cost-analysis.md).

+1. In the [Azure portal](https://portal.azure.com), select **All services**. Select **Cost management** from the quick access list or select **Cost management + billing** from the **General** category.

+ :::image type="content" source="./media/cost-management-guide/all-services-cost-management.png" alt-text="Screenshot that shows the All services page. The Cost management icon and Cost manage plus billing icon are highlighted.":::

+1. Select the **Subscription** page and select subscription you wish to analyze.

+ :::image type="content" source="./media/cost-management-guide/subscription-select.png" alt-text="Screenshot that shows the Subscriptions page in Cost Management + Billing. The Subscriptions menu is highlighted.":::

+1. Select **Cost analysis** in the left pane under the **Cost management** heading.

+ :::image type="content" source="./media/cost-management-guide/subscription-cost-analysis.png" alt-text="Screenshot that shows a subscription cost analysis on a graph.":::

+The Cost analysis dashboard allows in-depth cost analysis, including the ability to export to different file types on a schedule. For more information, see [Cost Management + Billing overview](../cost-management-billing/cost-management-billing-overview.md).

+You can filter by service or resource type. To see only costs associated with Azure Lab Services, set the **service name** filter equal to **azure lab services**. If filtering on **resource type**, include `Microsoft.Labservices/labaccounts` resource type. If using the [April 2022 Update (preview)](lab-services-whats-new.md), also include the `Microsoft.LabServices/labs` resource type.

+### Understand the entries

+Changing the view on **Cost Analysis** page to **Cost by resource** shows the individual charges. By default, there are six columns: **Resource**, **Resource type**, **Location**, **Resource group name**, **Tags**, and **Cost**. The **Resource** column contains the information about the lab plan, lab name, and VM. If the cost is associated with a template VM, the resource will be in the form `{lab account}/{lab name}/default`. If the cost is associated with a student lab VM, the resource will be in the form `{lab account}/{lab name}/default/{vm name}`.

+In this example, adding the first and second rows (both start with "aaalab / dockerlab") will give you the total cost for the lab "dockerlab" in the "aaalab" lab account or lab plan.

+If you're using the [April 2022 Update (preview)](lab-services-whats-new.md), the entries in are formatted differently. The **Resource** column will show entries in the form `{lab name}/{number}` for Azure Lab Services. Some tags are added automatically to each entry when using the April 2022 Update.

+| Tag name | Value |

+| -- | -- |

+| ms-istemplate | Set to true if cost associated with a template VM in a lab. Set to false, otherwise. |

+| ms-labname | Name of the lab. |

+| ms-labplanid | Full resource ID of the lab plan used when creating the lab. |

+To get the cost for the entire lab, don't forget to include external resources. Azure Compute Gallery related charges are under the `Microsoft.Compute` namespace. The advanced networking charges are under the `Microsoft.Network` namespace.

+> A compute gallery and virtual network can be connected to multiple labs.

+### Separate the costs

+Since cost entries are tied to the lab account, some schools use the lab account and the resource group as ways to separate the classes. Each class has its own lab plan and resource group.

+In the cost analysis pane, add a filter based on the resource group name for the class. Then, only the costs for that class will be visible. Grouping by resource group allows a clearer delineation between the classes when you're viewing the costs. You can use the [scheduled export](../cost-management-billing/costs/tutorial-export-acm-data.md) feature of the cost analysis to download the costs of each class in separate files.

+In the [April 2022 Update (preview)](lab-services-whats-new.md):

+- Cost entries are tied to a lab VM, *not* the lab plan.

+- Cost entries get tagged with the name of the lab the VM is tied to. You can filter by the lab name tag to view total cost across VM in that lab.

+- Cost entries get tagged with the ID of the lab plan when creating the lab. You can filter by the lab plan tag to view total cost across labs created from a lab plan.