-In Azure Active Directory B2C (Azure AD B2C), social account identities are stored in a `userIdentities` attribute of a **alternativeSecurityIdCollection** claim type. Each item in the **alternativeSecurityIdCollection** specifies the issuer (identity provider name, such as facebook.com) and the `issuerUserId`, which is a unique user identifier for the issuer.

-"userIdentities": [{

-| **macOS** | ![Chrome supports USB on macOS for Azure AD accounts.][y] | ![Chrome supports NFC on macOS for Azure AD accounts.][n] | ![Chrome supports BLE on macOS for Azure AD accounts.][n] | ![Edge supports USB on macOS for Azure AD accounts.][y] | ![Edge supports NFC on macOS for Azure AD accounts.][n] | ![Edge supports BLE on macOS for Azure AD accounts.][n] | ![Firefox supports USB on macOS for Azure AD accounts.][y] | ![Firefox supports NFC on macOS for Azure AD accounts.][n] | ![Firefox supports BLE on macOS for Azure AD accounts.][n] | ![Safari supports USB on macOS for Azure AD accounts.][y] | ![Safari supports NFC on macOS for Azure AD accounts.][n] | ![Safari supports BLE on macOS for Azure AD accounts.][n] |

-For federated domains, MFA may be enforced by Azure AD Conditional Access or by the on-premises federation provider. Each federated domain has a Microsoft Graph PowerShell security setting named **federatedIdpMfaBehavior**. You can set **federatedIdpMfaBehavior** to `enforceMfaByFederatedIdp` so Azure AD accepts MFA that's performed by the federated identity provider. If the federated identity provider didn't perform MFA, Azure AD redirects the request to the federated identity provider to perform MFA. For more information, see [federatedIdpMfaBehavior](/graph/api/resources/federatedIdpMfaBehavior?view=graph-rest-beta&preserve-view=true).

- ...

- "_claim_names": {

- "groups": "src1"

- {

- "_claim_sources": {

- "src1": {

- "endpoint":"[Url to get this user's group membership from]"

- }

- }

- }

- ...

-* Learn about permission and consent ( [v1.0](../azuread-dev/v1-permissions-consent.md), [v2.0](v2-permissions-and-consent.md)).

-### To configure external collaboration settings:

- - **Automatically enable email one-time passcode for guests starting \<date\>** if you don't want to enable the feature immediately and want to wait for the automatic enablement date.

-If you've previously opted in to the email one-time passcode public preview, automatic feature enablement doesn't apply to you, so your related business processes won't be affected. Additionally, in the Azure portal, under the **Email one-time passcode for guests** properties, you won't see the option to **Automatically enable email one-time passcode for guests starting \<date\>**. Instead, you'll see the following **Yes** or **No** toggle:

-Before discovering the current state of your external collaboration, you should [determine your desired security posture](1-secure-access-posture.md). You'll considered your organizationΓÇÖs needs for centralized vs. delegated control, and any relevant governance, regulatory, and compliance targets.

-### Use allow or deny lists

-Consider whether your organization wants to allow collaboration with only specific organizations. Alternatively, consider if your organization wants to block collaboration with specific organizations. At the tenant level, there is an [allow or deny list](../external-identities/allow-deny-list.md), which can be used to control overall B2B invitations and redemptions regardless of source (such as Microsoft Teams, Microsoft SharePoint, or the Azure portal).

-

-# 3. Create a security plan for external access

-* Entitlement Management Access Packages enable you to create a single package of applications and other resources to which you can grant access.

-## Document sign-in conditions for external users.

-Today, you can [enforce multi-factor authentication for B2B users in your tenant](../external-identities/b2b-tutorial-require-mfa.md).

-Today, to use device state as an input to a policy, the device must be registered or joined to your tenant.

-

-9. [Secure access to Microsoft Teams, OneDrive, and SharePoint](9-secure-access-teams-sharepoint.md)

-You must decide whether to limit which organizations your users can collaborate with, and who within your organization can initiate collaboration. Most organizations take the approach of permitting business units to decide with whom they collaborate, and delegating the approval and oversight as needed. For example, some government, education, and financial services organizations don't permit open collaboration. You may wish to use the Azure AD features to scope collaboration, as discussed in the rest of this section.

-First, ensure you've documented the organizations you're currently collaborating with, and the domains for those organizations' users. One collaboration partner may have multiple domains. For example, a partner may have multiple business units with separate domains.

-* any domain (most inclusive)

-* all domains except those explicitly denied

-* only specific domains (most restrictive)

-There are circumstances in which you would want to only allow specific collaboration partners. For example, a university system may only want to allow their own faculty access to a resource tenant. Or a conglomerate may only want to allow specific subsidiaries to collaborate with each other to achieve compliance with a required framework.

-#### Using allow and deny lists

-You can use an allow list or deny list to [restrict invitations to B2B users](../external-identities/allow-deny-list.md) from specific organizations. You can use only an allow or a deny list, not both.

-* An [allow list](../external-identities/allow-deny-list.md) limits collaboration to only those domains listed; all other domains are effectively on the deny list.

-* A [deny list](../external-identities/allow-deny-list.md) allows collaboration with any domain not on the deny list.

-> These lists do not apply to users who are already in your directory. They also do not apply to OneDrive for Business and SharePoint allow deny lists which are separate.

-Some organizations use a list of known ΓÇÿbad actorΓÇÖ domains provided by their managed security provider for their deny list. For example, if the organization is legitimately doing business with Contoso and using a .com domain, there may be an unrelated organization that has been using the Contoso .org domain and attempting a phishing attack to impersonate Contoso employees.

-* Redeeming [an invitation sent via an email](../external-identities/redemption-experience.md), or [a direct link to share](../external-identities/redemption-experience.md) a resource.

-When you enable Azure AD B2B, you enable the ability to invite guest users via direct links and email invitations by default. Invitations via Email OTP and a self-service portal are currently in preview and must be enabled within the External Identities | External collaboration settings in the Azure AD portal.

-

-* If using an allow list and the userΓÇÖs domain isn't included in an allow list.

-| [Azure AD multifactor authentication](../authentication/howto-mfa-getstarted.md)| Azure AD Multi-Factor Authentication (MFA) is Microsoft's two-step verification solution. Using admin-approved authentication methods, Azure AD MFA helps safeguard access to your data and applications while meeting the demand for a simple sign in process. Watch this video on [How to configure and enforce multi-factor authentication in your tenant](https://www.youtube.com/watch?v=qNndxl7gqVM)|

-Widening the rollout to larger groups of users should be carried out by increasing the scope of the group(s) targeted. This can be done through [dynamic group membership](../enterprise-users/groups-dynamic-membership.md), or by manually adding users to the targeted group(s).

-description: A guide for architects and IT administrators on securing external access to internal resources

-# Securing external collaboration in Azure Active Directory and Microsoft 365

-Secure collaboration with external partners ensures that the right external partners have appropriate access to internal resources for the right length of time. Through a holistic governance approach, you can reduce security risks, meet compliance goals, and ensure that you know who has access.

-* Empowering business owners to manage collaboration within IT-created guard rails.

-If you must meet compliance frameworks, governed collaboration enables you to attest to the appropriateness of access.

-* [An Atlassian Cloud tenant](https://www.atlassian.com/licensing/cloud)

-# Tutorial: Azure Active Directory single sign-on (SSO) integration with FloQast

- In the **Identifier** text box, type the URL:

- `https://go.floqast.com/`

- In the **Sign-on URL** text box, type the URL:

- `https://go.floqast.com/login/sso`

-In this section, you create a user called B.Simon in FloQast. Work with [FloQast support team](mailto:support@floqast.com) to add the users in the FloQast platform. Users must be created and activated before you use single sign-on.

-Once you configure FloQast you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).

-Azure Blob Storage is an object storage solution for the cloud. Azure AD Verifiable Credentials uses [Azure Blob Storage](../../storage/blobs/storage-blobs-introduction.md) to store the configuration files when the service is issuing verifiable credentials.

-## Grant access to the container

-After you create your container, grant the signed-in user the correct role assignment so they can access the files in Blob Storage.

-1. From the list of containers, select **vc-container**.

-1. From the menu, select **Access Control (IAM)**.

-1. Select **+ Add,** and then select **Add role assignment**.

- 

-1. In **Add role assignment**:

- 1. For the **Role**, select **Storage Blob Data Reader**.

- 1. For the **Assign access to**, select **User, group, or service

- principal**.

- 1. Then, search the account that you're using to perform these steps, and

- select it.

- 

->[!IMPORTANT]

->By default, container creators get the owner role assigned. The owner role isn't enough on its own. Your account needs the storage blob data reader role. For more information, see [Use the Azure portal to assign an Azure role for access to blob and queue data](../../storage/blobs/assign-azure-role-data-access.md).

-Azure AD Verifiable Credentials uses two JSON configuration files, the rules file and the display file.

- 1. Under the **Display file**, select **Select display file**. In the Storage accounts section, select **vc-container**. Then select the **VerifiedCredentialExpertDisplay.json** file and click **Select**.

-> - Set up a service principal

-> - Create a key vault in Azure Key Vault

-> - Register an application in Azure AD

-> - Set up the Verifiable Credentials service

-subscription in your tenant.

-## Set up a service principal

-Create a service principal for the Request Service API. The service API is the Microsoft service that you use to issue or verify Azure AD Verifiable Credentials.

-To create the service principal:

-1. Run the following PowerShell commands. These commands install and import the `Az` module. For more information, see [Install the Azure Az PowerShell module](/powershell/azure/install-az-ps#installation).

- ```powershell

- if ((Get-Module -ListAvailable -Name "Az.Accounts") -eq $null) { Install-Module -Name "Az.Accounts" -Scope CurrentUser }

- if ((Get-Module -ListAvailable -Name "Az.Resources") -eq $null) { Install-Module "Az.Resources" -Scope CurrentUser }

- ```

-1. Run the following PowerShell command to connect to your Azure AD tenant. Replace \<*your-tenant-ID*> with your [Azure AD tenant ID](../../active-directory/fundamentals/active-directory-how-to-find-tenant.md).

- ```powershell

- Connect-AzAccount -TenantId <your-tenant-ID>

- ```

-1. Run the following command in the same PowerShell session. The `AppId` `bbb94529-53a3-4be5-a069-7eaf2712b826` refers to the Verifiable Credentials Microsoft service.

- ```powershell

- New-AzADServicePrincipal -ApplicationId "bbb94529-53a3-4be5-a069-7eaf2712b826" -DisplayName "Verifiable Credential Request Service"

- ```

-### Set access policies for the Verifiable Credentials Issuer and Request services

-1. Select **+ Add Access Policy** to add permission to the service principal of the **Verifiable Credential Request Service**.

-1. In **Add access policy**:

- 1. For **Key permissions**, select **Get** and **Sign**.

- 1. For **Select principal**, select **Verifiable Credential Request Service**.

- 1. Select **Add**.

-

- :::image type="content" source="media/verifiable-credentials-configure-tenant/request-service-key-vault-access-policy.png" alt-text="Screenshot that demonstrates how to add an access policy for the Verifiable Credential Issuer Service." :::

-The access policies for the Verifiable Credentials Issuer service should be added automatically. If the **Verifiable Credential Issuer Service** doesn't appear in the list of access policies, take the following steps to manually add access policies to the service.

-1. Select **+ Add Access Policy** to add permission to the service principal of the **Verifiable Credential Issuer Service**.

-1. In **Add access policy**:

- 1. For **Key permissions**, select **Get** and **Sign**.

- 1. For **Select principal**, select **Verifiable Credential Issuer Service**.

- 1. Select **Add**.

- :::image type="content" source="media/verifiable-credentials-configure-tenant/issuer-service-key-vault-access-policy.png" alt-text="Screenshot that demonstrates how to add an access policy for the Verifiable Credential Request Service." :::

-

-1. Select **Save** to save the new policy you created.

-In this step, you grant permissions to the Verifiable Credential Request Service principal created in [step 1](#set-up-a-service-principal).

-Credentials are a part of our daily lives; driver's licenses are used to assert that we're capable of operating a motor vehicle, university degrees can be used to assert our level of education, and government-issued passports enable us to travel between countries. Verifiable Credentials provides a mechanism to express these sorts of credentials on the Web in a way that is cryptographically secure, privacy respecting, and machine-verifiable. [The W3C Verifiable Credentials spec](https://www.w3.org/TR/vc-data-model//) explains this in further detail.

-An Azure AD P2 license is required to use the preview of Verifiable Credentials. This is a temporary requirement, as we expect pricing for this service to be billed based on usage.

-### How do I reconfigure the Azure AD Verifiable credentials service?

-Reconfiguration requires that you opt out and opt back into the Azure Active Directory Verifiable Credentials service, your existing verifiable credentials configurations will reset and your tenant will obtain a new DID forAc use during issuance and presentation.

-### If I reconfigure the Azure AD Verifiable Credentials service, do I need to re-link my DID to my domain?

-> All Azure AD Verifiable Credential customers receiving a banner notice in the Azure portal need to go through a service reconfiguration before March 31st 2022. On March 31st 2022 tenants that have not been reconfigured will lose access to any previous configuration. Administrators will have to set up a new instance of the Azure AD Verifiable Credential service. Learn more about how to [reconfigure your tenant](verifiable-credentials-faq.md?#how-do-i-reconfigure-the-azure-ad-verifiable-credentials-service).

-1. [Reconfigure the Verifiable Credentials service](verifiable-credentials-faq.md?#how-do-i-reconfigure-the-azure-ad-verifiable-credentials-service) in your tenant.

-> On March 31st, 2022 European tenants that have not been [reconfigured](verifiable-credentials-faq.md?#how-do-i-reconfigure-the-azure-ad-verifiable-credentials-service) in Europe will lose access to any previous configuration and will require to configure a new instance of the Azure AD Verifiable Credential service.

- 1. If not, [reconfigure the Verifiable Credentials service](verifiable-credentials-faq.md?#how-do-i-reconfigure-the-azure-ad-verifiable-credentials-service) in your tenant and go to the next step.

-helm install ingress-nginx ingress-nginx/ingress-nginx --create-namespace --namespace $NAMESPACE

-helm install ingress-nginx ingress-nginx/ingress-nginx --create-namespace --namespace $Namespace

-In an AKS cluster, your Kubernetes nodes run as Azure virtual machines (VMs). These Linux-based VMs use an Ubuntu image, with the OS configured to automatically check for updates every night. If security or kernel updates are available, they are automatically downloaded and installed.

-Unattended upgrades apply updates to the Linux node OS, but the image used to create nodes for your cluster remains unchanged. If a new Linux node is added to your cluster, the original image is used to create the node. This new node will receive all the security and kernel updates available during the automatic check every night but will remain unpatched until all checks and restarts are complete.

-1. Because TLS 1.0 currently is the default, set the application gateway to use the most recent [TLS 1.2 policy](../application-gateway/application-gateway-ssl-policy-overview.md#appgwsslpolicy20170401s).

- $policy = New-AzApplicationGatewaySslPolicy -PolicyType Predefined -PolicyName AppGwSslPolicy20170401S

-Azure API Management (APIM) helps organizations publish APIs to external, partner, and internal developers to unlock the potential of their data and services. API Management provides the core competencies to ensure a successful API program through developer engagement, business insights, analytics, security, and protection. APIM enables you to create and manage modern API gateways for existing backend services hosted anywhere. For more information, see the [Overview](api-management-key-concepts.md) topic.

-This quickstart describes the steps for creating a new API Management instance using the *Azure API Management Extension* for Visual Studio Code. You can also use the extension to perform common management operations on your API Management instance.

-Additionally, ensure you have installed the following:

-In the pane that opens, supply a name for the new API Management instance. It must be globally unique within Azure and consist of 1-50 alphanumeric characters and/or hyphens, and start with a letter and end with an alphanumeric.

-> While the *Consumption* SKU takes less than a minute to provision, other SKUs typically take 30-40 minutes to create.

-At this point, you're ready to import and publish your first API. You can do that and also perform common API Management operations within the extension for Visual Studio Code. See [the tutorial](visual-studio-code-tutorial.md) for more.

-

-Alternately, you can select **Delete API Management** to only delete the API Management instance (this operation doesn't delete its resource group).

-

-| [Create an app and deploy files with FTP](./scripts/cli-deploy-ftp.md?toc=%2fcli%2fazure%2ftoc.json)| Creates an App Service app and deploys a file to it using FTP. |

-| [Create an app and deploy code from GitHub](./scripts/cli-deploy-github.md?toc=%2fcli%2fazure%2ftoc.json)| Creates an App Service app and deploys code from a public GitHub repository. |

-| [Create an app with continuous deployment from GitHub](./scripts/cli-continuous-deployment-github.md?toc=%2fcli%2fazure%2ftoc.json)| Creates an App Service app with continuous publishing from a GitHub repository you own. |

-| [Create an app and deploy code from a local Git repository](./scripts/cli-deploy-local-git.md?toc=%2fcli%2fazure%2ftoc.json) | Creates an App Service app and configures code push from a local Git repository. |

-| [Create an app and deploy code to a staging environment](./scripts/cli-deploy-staging-environment.md?toc=%2fcli%2fazure%2ftoc.json) | Creates an App Service app with a deployment slot for staging code changes. |

-| [Create an ASP.NET Core app in a Docker container](./scripts/cli-linux-docker-aspnetcore.md?toc=%2fcli%2fazure%2ftoc.json) | Creates an App Service app on Linux and loads a Docker image from Docker Hub. |

-| [Create an app and expose it with a Private Endpoint](./scripts/cli-deploy-privateendpoint.md?toc=%2fcli%2fazure%2ftoc.json) | Creates an App Service app and a Private Endpoint |

-| [Map a custom domain to an app](./scripts/cli-configure-custom-domain.md?toc=%2fcli%2fazure%2ftoc.json)| Creates an App Service app and maps a custom domain name to it. |

-| [Bind a custom TLS/SSL certificate to an app](./scripts/cli-configure-ssl-certificate.md?toc=%2fcli%2fazure%2ftoc.json)| Creates an App Service app and binds the TLS/SSL certificate of a custom domain name to it. |

-| [Scale an app manually](./scripts/cli-scale-manual.md?toc=%2fcli%2fazure%2ftoc.json) | Creates an App Service app and scales it across 2 instances. |

-| [Scale an app worldwide with a high-availability architecture](./scripts/cli-scale-high-availability.md?toc=%2fcli%2fazure%2ftoc.json) | Creates two App Service apps in two different geographical regions and makes them available through a single endpoint using Azure Traffic Manager. |

-| [Integrate with Azure Application Gateway](./scripts/cli-integrate-app-service-with-application-gateway.md?toc=%2fcli%2fazure%2ftoc.json) | Creates an App Service app and integrates it with Application Gateway using service endpoint and access restrictions. |

-| [Connect an app to a SQL Database](./scripts/cli-connect-to-sql.md?toc=%2fcli%2fazure%2ftoc.json)| Creates an App Service app and a database in Azure SQL Database, then adds the database connection string to the app settings. |

-| [Connect an app to a storage account](./scripts/cli-connect-to-storage.md?toc=%2fcli%2fazure%2ftoc.json)| Creates an App Service app and a storage account, then adds the storage connection string to the app settings. |

-| [Connect an app to an Azure Cache for Redis](./scripts/cli-connect-to-redis.md?toc=%2fcli%2fazure%2ftoc.json) | Creates an App Service app and an Azure Cache for Redis, then adds the redis connection details to the app settings.) |

-| [Connect an app to Cosmos DB](./scripts/cli-connect-to-documentdb.md?toc=%2fcli%2fazure%2ftoc.json) | Creates an App Service app and a Cosmos DB, then adds the Cosmos DB connection details to the app settings. |

-| [Backup an app](./scripts/cli-backup-onetime.md?toc=%2fcli%2fazure%2ftoc.json) | Creates an App Service app and creates a one-time backup for it. |

-| [Create a scheduled backup for an app](./scripts/cli-backup-scheduled.md?toc=%2fcli%2fazure%2ftoc.json) | Creates an App Service app and creates a scheduled backup for it. |

-| [Restores an app from a backup](./scripts/cli-backup-restore.md?toc=%2fcli%2fazure%2ftoc.json) | Restores an App Service app from a backup. |

-| [Monitor an app with web server logs](./scripts/cli-monitor.md?toc=%2fcli%2fazure%2ftoc.json) | Creates an App Service app, enables logging for it, and downloads the logs to your local machine. |

-description: Learn how to use the Azure CLI to automate deployment and management of your App Service app. This sample shows how to back up an app.

-tags: azure-service-management

-# Back up an app using CLI

-This sample script creates an app in App Service with its related resources, and then creates a one-time backup for it.

-If you choose to install and use the CLI locally, you need Azure CLI version 2.0 or later. To find the version, run `az --version`. If you need to install or upgrade, see [Install the Azure CLI]( /cli/azure/install-azure-cli).

-## Sample script

-[!code-azurecli-interactive[main](../../../cli_scripts/app-service/backup-onetime/backup-onetime.sh?highlight=3-7 "Back up an app")]

-## Script explanation

-This script uses the following commands. Each command in the table links to command specific documentation.

-| Command | Notes |

-|||

-| [`az group create`](/cli/azure/group#az-group-create) | Creates a resource group in which all resources are stored. |

-| [`az storage account create`](/cli/azure/storage/account#az-storage-account-create) | Creates a storage account. |

-| [`az storage container create`](/cli/azure/storage/container#az-storage-container-create) | Creates an Azure storage container. |

-| [`az storage container generate-sas`](/cli/azure/storage/container#az-storage-container-generate-sas) | Generates an SAS token for an Azure storage container. |

-| [`az appservice plan create`](/cli/azure/appservice/plan#az-appservice-plan-create) | Creates an App Service plan. |

-| [`az webapp create`](/cli/azure/webapp#az-webapp-create) | Creates an App Service app. |

-| [`az webapp config backup create`](/cli/azure/webapp/config/backup#az-webapp-config-backup-create) | Creates a backup for an App Service app. |

-| [`az webapp config backup list`](/cli/azure/webapp/config/backup#az-webapp-config-backup-list) | Gets a list of backups for an App Service app. |

-## Next steps

-For more information on the Azure CLI, see [Azure CLI documentation](/cli/azure).

-Additional App Service CLI script samples can be found in the [Azure App Service documentation](../samples-cli.md).

-description: Learn how to use the Azure CLI to automate deployment and management of your App Service app. This sample shows how to create a scheduled backup for an app.

-tags: azure-service-management

-# Create a scheduled backup for an App Service app using CLI

-This sample script creates an app in App Service with its related resources, and then creates a scheduled backup for it.

-If you choose to install and use the CLI locally, you need Azure CLI version 2.0 or later. To find the version, run `az --version`. If you need to install or upgrade, see [Install the Azure CLI]( /cli/azure/install-azure-cli).

-## Sample script

-[!code-azurecli-interactive[main](../../../cli_scripts/app-service/backup-scheduled/backup-scheduled.sh?highlight=3-7 "Create a scheduled backup for an app")]

-## Script explanation

-This script uses the following commands. Each command in the table links to command specific documentation.

-| Command | Notes |

-|||

-| [`az group create`](/cli/azure/group#az-group-create) | Creates a resource group in which all resources are stored. |

-| [`az storage account create`](/cli/azure/storage/account#az-storage-account-create) | Creates a storage account. |

-| [`az storage container create`](/cli/azure/storage/container#az-storage-container-create) | Creates an Azure storage container. |

-| [`az storage container generate-sas`](/cli/azure/storage/container#az-storage-container-generate-sas) | Generates an SAS token for an Azure storage container. |

-| [`az appservice plan create`](/cli/azure/appservice/plan#az-appservice-plan-create) | Creates an App Service plan. |

-| [`az webapp create`](/cli/azure/webapp#az-webapp-create) | Creates an App Service app. |

-| [`az webapp config backup update`](/cli/azure/webapp/config/backup#az-webapp-config-backup-update) | Configures a new backup schedule for an App Service app. |

-| [`az webapp config backup show`](/cli/azure/webapp/config/backup#az-webapp-config-backup-show) | Shows the backup schedule for an App Service app. |

-| [`az webapp config backup list`](/cli/azure/webapp/config/backup#az-webapp-config-backup-list) | Gets a list of backups for an App Service app. |

-## Next steps

-For more information on the Azure CLI, see [Azure CLI documentation](/cli/azure).

-Additional App Service CLI script samples can be found in the [Azure App Service documentation](../samples-cli.md).

-If you choose to install and use the CLI locally, you need Azure CLI version 2.0 or later. To find the version, run `az --version`. If you need to install or upgrade, see [Install the Azure CLI]( /cli/azure/install-azure-cli).

-[!code-azurecli-interactive[main](../../../cli_scripts/app-service/configure-custom-domain/configure-custom-domain.sh?highlight=3 "Map a custom domain to an app")]

-## Script explanation

-If you choose to install and use the CLI locally, you need Azure CLI version 2.0 or later. To find the version, run `az --version`. If you need to install or upgrade, see [Install the Azure CLI]( /cli/azure/install-azure-cli).

-[!code-azurecli-interactive[main](../../../cli_scripts/app-service/configure-ssl-certificate/configure-ssl-certificate.sh?highlight=3-5 "Bind a custom TLS/SSL certificate to an app")]

-## Script explanation

-If you choose to install and use the CLI locally, you need Azure CLI version 2.0 or later. To find the version, run `az --version`. If you need to install or upgrade, see [Install Azure CLI]( /cli/azure/install-azure-cli).

-[!code-azurecli-interactive[main](../../../cli_scripts/app-service/connect-to-documentdb/connect-to-documentdb.sh "Azure Cosmos DB")]

-## Script explanation

-If you choose to install and use the CLI locally, you need Azure CLI version 2.0 or later. To find the version, run `az --version`. If you need to install or upgrade, see [Install Azure CLI]( /cli/azure/install-azure-cli).

-[!code-azurecli-interactive[main](../../../cli_scripts/app-service/connect-to-redis/connect-to-redis.sh "Azure Cache for Redis")]

-## Script explanation

-If you choose to install and use the CLI locally, you need Azure CLI version 2.0 or later. To find the version, run `az --version`. If you need to install or upgrade, see [Install the Azure CLI]( /cli/azure/install-azure-cli).

-[!code-azurecli-interactive[main](../../../cli_scripts/app-service/connect-to-sql/connect-to-sql.sh?highlight=9-10 "SQL Database")]

-## Script explanation

-If you choose to install and use the CLI locally, you need Azure CLI version 2.0 or later. To find the version, run `az --version`. If you need to install or upgrade, see [Install the Azure CLI]( /cli/azure/install-azure-cli).

-## Sample script

-[!code-azurecli-interactive[main](../../../cli_scripts/app-service/connect-to-storage/connect-to-storage.sh "Azure Storage")]

-## Script explanation

-If you choose to install and use the CLI locally, you need Azure CLI version 2.0 or later. To find the version, run `az --version`. If you need to install or upgrade, see [Install the Azure CLI]( /cli/azure/install-azure-cli).

-[!code-azurecli-interactive[main](../../../cli_scripts/app-service/deploy-github-continuous/deploy-github-continuous.sh?highlight=3-4 "Create an app with continuous deployment from GitHub")]

-## Script explanation

-# Create an App Service app with continuous deployment using Azure CLI

-[!code-azurecli-interactive[main](../../../cli_scripts/app-service/deploy-vsts-continuous/deploy-vsts-continuous.sh?highlight=3-4 "Create an app with continuous deployment from Azure DevOps")]

-## Script explanation

-description: Learn how to use the Azure CLI to automate deployment and management of your App Service app. This sample shows how to deploy code from a local Git repository.

-# Create an App Service app and deploy code from a local Git repository using Azure CLI

-[!code-azurecli-interactive[main](../../../cli_scripts/app-service/deploy-local-git/deploy-local-git.sh?highlight=3-5 "Create an app and deploy code from a local Git repository")]

-## Script explanation

-[!code-azurecli-interactive[main](../../../cli_scripts/app-service/deploy-deployment-slot/deploy-deployment-slot.sh "Create an app and deploy code to a staging environment")]

-## Script explanation

-[!code-azurecli-interactive[main](../../../cli_scripts/app-service/integrate-with-app-gateway/integrate-with-app-gateway.sh "Integrate with Application Gateway")]

-## Script explanation

-You need Azure CLI version 2.0.52 or later. To find the version, run `az --version`. If you need to install or upgrade, see [Install the Azure CLI]( /cli/azure/install-azure-cli).

-[!code-azurecli-interactive[main](../../../cli_scripts/app-service/deploy-linux-acr/deploy-linux-acr.sh "Linux Azure Container Registry")]

-## Script explanation

-[!code-azurecli-interactive[main](../../../cli_scripts/app-service/deploy-linux-docker/deploy-linux-docker.sh?highlight=6 "Linux Docker")]

-## Script explanation

-[!code-azurecli-interactive[main](../../../cli_scripts/app-service/monitor-with-logs/monitor-with-logs.sh "Monitor Logs")]

-## Script explanation

-[!code-azurecli-interactive[main](../../../cli_scripts/app-service/scale-geographic/scale-geographic.sh "Geographic Scale")]

-## Script explanation

-[!code-azurecli-interactive[main](../../../cli_scripts/app-service/scale-manual/scale-manual.sh "Manual Scale")]

-## Script explanation

-To set up a listener-specific SSL policy, you'll need to first go to the **SSL settings** tab in the Portal and create a new SSL profile. When you create an SSL profile, you'll see two tabs: **Client Authentication** and **SSL Policy**. The **SSL Policy** tab is to configure a listener-specific SSL policy. The **Client Authentication** tab is where to upload a client certificate(s) for mutual authentication - for more information, check out [Configuring a mutual authentication](./mutual-authentication-portal.md).

-> [!NOTE]

-> We recommend using TLS 1.2 as TLS 1.2 will be mandated in the future.

- > [!NOTE]

- > You don't have to configure client authentication on an SSL profile to associate it to a listener. You can have only client authentication configure, or only listener specific SSL policy configured, or both configured in your SSL profile.

- /subscriptions/147a22e9-2356-4e56-b3de-1f5842ae4a3b/resourceGroups//providers/Microsoft.Network/ApplicationGatewayAvailableSslOptions/default/Applic

- /subscriptions/147a22e9-2356-4e56-b3de-1f5842ae4a3b/resourceGroups//providers/Microsoft.Network/ApplicationGatewayAvailableSslOptions/default/Applic

- /subscriptions/147a22e9-2356-4e56-b3de-1f5842ae4a3b/resourceGroups//providers/Microsoft.Network/ApplicationGatewayAvailableSslOptions/default/Applic

-Application gateway comes with three pre-defined policies that can be used. The `Get-AzApplicationGatewaySslPredefinedPolicy` cmdlet retrieves these policies. Each policy has different protocol versions and cipher suites enabled. These pre-defined policies can be used to quickly configure a TLS policy on your application gateway. By default **AppGwSslPolicy20150501** is selected if no specific TLS policy is defined.

-When configuring a custom TLS policy, you pass the following parameters: PolicyType, MinProtocolVersion, CipherSuite, and ApplicationGateway. If you attempt to pass other parameters, you get an error when creating or updating the Application Gateway.

-> [!IMPORTANT]

-> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 must be selected when configuring a custom TLS policy. Application gateway uses this cipher suite for backend management. You can use this in combination with any other suites, but this one must be selected as well.

-## Predefined TLS policy

-Application Gateway has three predefined security policies. You can configure your gateway with any of these policies to get the appropriate level of security. The policy names are annotated by the year and month in which they were configured. Each policy offers different TLS protocol versions and cipher suites. We recommend that you use the newest TLS policies to ensure the best TLS security.

-## Known issue

-Application Gateway v2 does not support the following DHE ciphers and these won't be used for the TLS connections with clients even though they are mentioned in the predefined policies. Instead of DHE ciphers, secure and faster ECDHE ciphers are recommended.

-### AppGwSslPolicy20150501

-|Property |Value |

-|||

-|Name | AppGwSslPolicy20150501 |

-|MinProtocolVersion | TLSv1_0 |

-|Default| True (if no predefined policy is specified) |

-|CipherSuites |TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384<br>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256<br>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384<br>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256<br>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA<br>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA<br>TLS_DHE_RSA_WITH_AES_256_GCM_SHA384<br>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256<br>TLS_DHE_RSA_WITH_AES_256_CBC_SHA<br>TLS_DHE_RSA_WITH_AES_128_CBC_SHA<br>TLS_RSA_WITH_AES_256_GCM_SHA384<br>TLS_RSA_WITH_AES_128_GCM_SHA256<br>TLS_RSA_WITH_AES_256_CBC_SHA256<br>TLS_RSA_WITH_AES_128_CBC_SHA256<br>TLS_RSA_WITH_AES_256_CBC_SHA<br>TLS_RSA_WITH_AES_128_CBC_SHA<br>TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384<br>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256<br>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384<br>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256<br>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA<br>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA<br>TLS_DHE_DSS_WITH_AES_256_CBC_SHA256<br>TLS_DHE_DSS_WITH_AES_128_CBC_SHA256<br>TLS_DHE_DSS_WITH_AES_256_CBC_SHA<br>TLS_DHE_DSS_WITH_AES_128_CBC_SHA<br>TLS_RSA_WITH_3DES_EDE_CBC_SHA<br>TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA |

-

-### AppGwSslPolicy20170401

-

-|Property |Value |

-| | |

-|Name | AppGwSslPolicy20170401 |

-|MinProtocolVersion | TLSv1_1 |

-|Default| False |

-|CipherSuites |TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256<br>TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384<br>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA<br>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA<br>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256<br>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384<br>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384<br>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256<br>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA<br>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA<br>TLS_RSA_WITH_AES_256_GCM_SHA384<br>TLS_RSA_WITH_AES_128_GCM_SHA256<br>TLS_RSA_WITH_AES_256_CBC_SHA256<br>TLS_RSA_WITH_AES_128_CBC_SHA256<br>TLS_RSA_WITH_AES_256_CBC_SHA<br>TLS_RSA_WITH_AES_128_CBC_SHA |

-

-### AppGwSslPolicy20170401S

-|Property |Value |

-|||

-|Name | AppGwSslPolicy20170401S |

-|MinProtocolVersion | TLSv1_2 |

-|Default| False |

-|CipherSuites |TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 <br> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 <br> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA <br>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA <br>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256<br>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384<br>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384<br>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256<br>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA<br>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA<br>TLS_RSA_WITH_AES_256_GCM_SHA384<br>TLS_RSA_WITH_AES_128_GCM_SHA256<br>TLS_RSA_WITH_AES_256_CBC_SHA256<br>TLS_RSA_WITH_AES_128_CBC_SHA256<br>TLS_RSA_WITH_AES_256_CBC_SHA<br>TLS_RSA_WITH_AES_128_CBC_SHA<br> |

-If a predefined TLS policy needs to be configured for your requirements, you must define your own custom TLS policy. With a custom TLS policy, you have complete control over the minimum TLS protocol version to support, as well as the supported cipher suites and their priority order.

-> If you are using a custom SSL policy in Application Gateway v1 SKU (Standard or WAF), make sure that you add the mandatory cipher "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" to the list. This cipher is required to enable metrics and logging in the Application Gateway v1 SKU.

-### TLS/SSL protocol versions

-* SSL 2.0 and 3.0 are disabled by default for all application gateways. These protocol versions are not configurable.

-* A custom TLS policy gives you the option to select any one of the following three protocols as the minimum TLS protocol version for your gateway: TLSv1_0, TLSv1_1, and TLSv1_2.

-* If no TLS policy is defined, all three protocols (TLSv1_0, TLSv1_1, and TLSv1_2) are enabled.

-> [!NOTE]

-> TLS cipher suites used for the connection are also based on the type of the certificate being used. In client to application gateway connections, the cipher suites used are based on the type of server certificates on the application gateway listener. In application gateway to backend pool connections, the cipher suites used are based on the type of server certificates on the backend pool servers.

-Ensure you're using the latest TLS policy version ([AppGwSslPolicy20170401S](./application-gateway-ssl-policy-overview.md#appgwsslpolicy20170401s)). This enforces TLS 1.2 and stronger ciphers. For more information, see [configuring TLS policy versions and cipher suites via PowerShell](./application-gateway-configure-ssl-policy-powershell.md).

-The following is the [Search - Get Search Address](/rest/api/maps/search/get-search-address) command:

- "logFiles ": [

-Certain work item types can use templates that you define in the ITSM tool. By using templates, you can define fields that will be automatically populated according to fixed values for an action group. You can define which template you want to use as a part of the definition of an action group. You can find in ServiceNow docs information about how to create templates - (here)[https://docs.servicenow.com/bundle/paris-platform-administration/page/administer/form-administration/task/t_CreateATemplateUsingTheTmplForm.html].

-description: This article provides an overview of IT Service Management Connector (ITSMC).

-# IT Service Management Connector Overview

-IT Service Management Connector allows you to connect Azure Monitor to supported IT Service Management (ITSM) products or services using either ITSM actions or Secure webhook actions.

-Azure services like Azure Log Analytics and Azure Monitor provide tools to detect, analyze, and troubleshoot problems with your Azure and non-Azure resources. But the work items related to an issue typically reside in an ITSM product or service. The ITSM Connector provides a bi-directional connection between Azure and ITSM tools to help you resolve issues faster. You can create work items in your ITSM tool, based on your Azure alerts (Metric Alerts, Activity Log Alerts, and Log Analytics alerts).

-The ITSM Connector supports connections with the following ITSM tools:

-## ITSM Connector Workflow

-Depending on your integration, start using the ITSM Connector with these steps:

- 1. (Optional) Set up the IP Ranges. In order to list the ITSM IP addresses in order to allow ITSM connections from partners ITSM tools, we recommend the to list the whole public IP range of Azure region where their LogAnalytics workspace belongs. [details here](https://www.microsoft.com/en-us/download/details.aspx?id=56519). For regions EUS/WEU/EUS2/WUS2/US South Central the customer can list ActionGroup network tag only.)

- 1. [Configure Azure ITSM Solution](./itsmc-definition.md#add-it-service-management-connector)

- 1. [Configure Azure ITSM connector for your ITSM environment.](./itsmc-definition.md#create-an-itsm-connection)

- tracer = Tracer(exporter=AzureExporter(connection_string=f'InstrumentationKey={APPINSIGHTS_INSTRUMENTATIONKEY}'),sampler=ProbabilitySampler(1.0))

- async def middlewareOpencensus(request: Request, call_next):

-description: Identify the hot path in your web server code with a low-footprint profiler.

-Azure Application Insights Profiler provides performance traces for applications that are running in production in Azure. Profiler captures the data automatically at scale without negatively affecting your users. Profiler helps you identify the ΓÇ£hotΓÇ¥ code path that takes the longest time when it's handling a particular web request.

-Profiler works with .NET applications that are deployed on the following Azure services. Specific instructions for enabling Profiler for each service type are in the links below.

-* [Azure App Service](profiler.md?toc=/azure/azure-monitor/toc.json)

-* [Azure Cloud Services](profiler-cloudservice.md?toc=/azure/azure-monitor/toc.json)

-* [Azure Service Fabric](profiler-servicefabric.md?toc=/azure/azure-monitor/toc.json)

-* [Azure Virtual Machines and virtual machine scale sets](profiler-vm.md?toc=/azure/azure-monitor/toc.json)

-* [**PREVIEW** ASP.NET Core Azure Linux Web Apps](profiler-aspnetcore-linux.md?toc=/azure/azure-monitor/toc.json)

-For Profiler to upload traces, your application must be actively handling requests. If you're doing an experiment, you can generate requests to your web app by using [Application Insights performance testing](/vsts/load-test/app-service-web-app-performance-test). If you've newly enabled Profiler, you can run a short load test. While the load test is running, select the **Profile Now** button on the [**Profiler Settings** pane](profiler-settings.md). When Profiler is running, it profiles randomly about once per hour and for a duration of two minutes. If your application is handling a steady stream of requests, Profiler uploads traces every hour.

-After your application receives some traffic and Profiler has had time to upload the traces, you should have traces to view. This process can take 5 to 10 minutes. To view traces, in the **Performance** pane, select **Take Actions**, and then select the **Profiler Traces** button.

-![Application Insights Performance pane preview Profiler traces][performance-blade]

-Select a sample to display a code-level breakdown of time spent executing the request.

-![Application Insights trace explorer][trace-explorer]

-* **Show Hot Path**: Opens the biggest leaf node, or at least something close. In most cases, this node is near a performance bottleneck.

-* **Label**: The name of the function or event. The tree displays a mix of code and events that occurred, such as SQL and HTTP events. The top event represents the overall request duration.

-* **Elapsed**: The time interval between the start of the operation and the end of the operation.

-* **When**: The time when the function or event was running in relation to other functions.

-## How to read performance data

-The Microsoft service profiler uses a combination of sampling methods and instrumentation to analyze the performance of your application. When detailed collection is in progress, the service profiler samples the instruction pointer of each machine CPU every millisecond. Each sample captures the complete call stack of the thread that's currently executing. It gives detailed information about what that thread was doing, at both a high level and a low level of abstraction. The service profiler also collects other events to track activity correlation and causality, including context switching events, Task Parallel Library (TPL) events, and thread pool events.

-The call stack that's displayed in the timeline view is the result of the sampling and instrumentation. Because each sample captures the complete call stack of the thread, it includes code from Microsoft .NET Framework and from other frameworks that you reference.

-**clr!JIT\_New** and **clr!JIT\_Newarr1** are helper functions in .NET Framework that allocate memory from a managed heap. **clr!JIT\_New** is invoked when an object is allocated. **clr!JIT\_Newarr1** is invoked when an object array is allocated. These two functions are usually fast and take relatively small amounts of time. If **clr!JIT\_New** or **clr!JIT\_Newarr1** takes a lot of time in your timeline, the code might be allocating many objects and consuming significant amounts of memory.

-**clr!ThePreStub** is a helper function in .NET Framework that prepares the code to execute for the first time. This execution usually includes, but isn't limited to, just-in-time (JIT) compilation. For each C# method, **clr!ThePreStub** should be invoked at most once during a process.

-If **clr!ThePreStub** takes a long time for a request, the request is the first one to execute that method. The time for .NET Framework runtime to load the first method is significant. You might consider using a warmup process that executes that portion of the code before your users access it, or consider running Native Image Generator (ngen.exe) on your assemblies.

-**clr!JITutil\_MonContention** or **clr!JITutil\_MonEnterWorker** indicates that the current thread is waiting for a lock to be released. This text is often displayed when you execute a C# **LOCK** statement, invoke the **Monitor.Enter** method, or invoke a method with the **MethodImplOptions.Synchronized** attribute. Lock contention usually occurs when thread _A_ acquires a lock and thread _B_ tries to acquire the same lock before thread _A_ releases it.

-If the method name contains **[COLD]**, such as **mscorlib.ni![COLD]System.Reflection.CustomAttribute.IsDefined**, .NET Framework runtime is executing code for the first time that isn't optimized by [profile-guided optimization](/cpp/build/profile-guided-optimizations). For each method, it should be displayed at most once during the process.

-If loading code takes a substantial amount of time for a request, the request is the first one to execute the unoptimized portion of the method. Consider using a warmup process that executes that portion of the code before your users access it.

-**AWAIT\_TIME** indicates that the code is waiting for another task to finish. This delay usually happens with the C# **AWAIT** statement. When the code does a C# **AWAIT**, the thread unwinds and returns control to the thread pool, and there's no thread that is blocked waiting for the **AWAIT** to finish. However, logically, the thread that did the **AWAIT** is "blocked," and it's waiting for the operation to finish. The **AWAIT\_TIME** statement indicates the blocked time waiting for the task to finish.

-**BLOCKED_TIME** indicates that the code is waiting for another resource to be available. For example, it might be waiting for a synchronization object, for a thread to be available, or for a request to finish.

-.NET framework emits ETW events and passes activity ids between threads so that async calls can be tracked across threads. Unmanaged code (native code) and some older styles of asynchronous code are missing these events and activity ids, so the profiler cannot tell what thread and what functions are running on the thread. This is labeled 'Unmanaged Async' in the call stack. If you download the ETW file, you may be able to use [PerfView](https://github.com/Microsoft/perfview/blob/master/documentation/Downloading.md) to get more insight into what is happening.

-The **When** column is a visualization of how the INCLUSIVE samples collected for a node vary over time. The total range of the request is divided into 32 time buckets. The inclusive samples for that node are accumulated in those 32 buckets. Each bucket is represented as a bar. The height of the bar represents a scaled value. For nodes that are marked **CPU_TIME** or **BLOCKED_TIME**, or where there is an obvious relationship to consuming a resource (for example, a CPU, disk, or thread), the bar represents the consumption of one of the resources during the bucket. For these metrics, it's possible to get a value of greater than 100 percent by consuming multiple resources. For example, if you use, on average, two CPUs during an interval, you get 200 percent.

-The default data retention period is five days. The maximum data that's ingested per day is 10 GB.

-There are no charges for using the Profiler service. For you to use it, your web app must be hosted in at least the basic tier of the Web Apps feature of Azure App Service.

-Profiler randomly runs two minutes every hour on each virtual machine that hosts the application that has Profiler enabled for capturing traces. When Profiler is running, it adds from 5 to 15 percent CPU overhead to the server.

- - [Add user context](./usage-overview.md)

-Sending data to Azure Monitor can incur data bandwidth charges. As described in the [Azure Bandwidth pricing page](https://azure.microsoft.com/pricing/details/bandwidth/), data transfer between Azure services located in two regions charged as outbound data transfer at the normal rate. Inbound data transfer is free. However, this charge is typically very small compared to the costs for data ingestion and retention. Controlling costs for Log Analytics should focus on your ingested data volume.

-You can also configure the credential precedence for authenticating to Azure from Bicep CLI and Visual Studio Code. The credentials are used to publish modules to registries and to restore external modules to the local cache when using the insert resource function.

-The following shows a network interface with an implicit dependency on a network security group. It references the network security group with `nsg.id`.

- id: nsg.id

-This article shows you how to use Visual Studio Code to create Bicep files

-Open or create a Bicep file in VS Code, select the **View** menu and then select **Command Palette**. You can also use the key combination **[CTRL]+[SHIFT]+P** to bring up the command palette.

-### Build

-### Open Visualizer

-> | workspaces / sqlPools | workspace | 1-15 | Can contain only letters, numbers, or underscore.<br><br>Can't contain [reserved word](../troubleshooting/error-reserved-resource-name.md). |

-* Select the VM.

-* Choose a recovery point.

-* Restore the disks.

-* Create the VM from stored disks.

- "threshold": 16.00,

- "threshold": 16.00,

-| `threshold` | float| Events are egressed when the person is greater than this number of pixels inside the zone. The default value is 16. This is the recommended value to achieve maximum accuracy. |

- "threshold": 48.00,

- "threshold": 16.00,

-| `threshold` | float| Events are egressed when the person is greater than this number of pixels inside the zone. The default value is 48 when the type is `zonecrossing` and 16 when time is `DwellTime`. These are the recommended values to achieve maximum accuracy. |

- "threshold": 16.00,

- "threshold": 16.00,

- "threshold": 16.00,

- "threshold": 16.00,

- "threshold": 48.00,

- "threshold": 16.00,

-* [Transcribe audio in batches](batch-transcription.md)

-* [Transcribe audio in batches](batch-transcription.md)

-# What is Translator?

-Translator is a cloud-based neural machine translation service that is part of the [Azure Cognitive Services](../what-are-cognitive-services.md) family of REST APIs. Translator can be used with any operating system and powers many Microsoft products and services used by thousands of businesses worldwide to perform language translation and other language-related operations. In this overview, you'll learn how Translator can enable you to build intelligent, multi-language solutions for your applications across all [supported languages](./language-support.md).

-# What's new in Translator

-Review the latest updates to the text Translator service. Bookmark this page to stay up to date with release notes, feature enhancements, and documentation updates.

-### [Document Translation client libraries for C#/.NET and Python](document-translation/client-sdks.md)ΓÇönow available in prerelease.

-### [Document Translation ΓÇò now in general availability](https://www.microsoft.com/translator/blog/2021/05/25/translate-full-documents-with-document-translation-%e2%80%95-now-in-general-availability/)

-### [Text translation support for nine added languages](https://www.microsoft.com/translator/blog/2021/02/22/microsoft-translator-releases-nine-new-languages-for-international-mother-language-day-2021/)

-* Translator service has [text translation language support](language-support.md) for the following languages:

-### [Text translation support for Inuktitut](https://www.microsoft.com/translator/blog/2021/01/27/inuktitut-is-now-available-in-microsoft-translator/)

-* Translator service has [text translation language support](language-support.md) for **Inuktitut**, one of the principal Inuit languages of Canada. Inuktitut is one of eight official aboriginal languages in the Northwest Territories.

-### [Text translation support for Canadian French](https://www.microsoft.com/translator/blog/2020/10/20/cest-tiguidou-ca-translator-adds-canadian-french/)

-* Translator service has [text translation language support](language-support.md) for **Canadian French**. Canadian French and European French are similar to one another and are mutually understandable. However, there can be significant differences in vocabulary, grammar, writing, and pronunciation. Over 7 million Canadians (20 percent of the population) speak French as their first language.

-### [Text translation support for Assamese and Axomiya](https://www.microsoft.com/translator/blog/2020/09/29/assamese-text-translation-is-here/)

-* Translator service has [text translation language support](language-support.md) for **Assamese** also knows as **Axomiya**. Assamese / Axomiya is primarily spoken in Eastern India by approximately 14 million people.

-### [Text translation support for two Kurdish dialects](https://www.microsoft.com/translator/blog/2020/08/20/translator-adds-two-kurdish-dialects-for-text-translation/)

-### [Text translation support for two Afghan languages](https://www.microsoft.com/translator/blog/2020/08/17/translator-adds-dari-and-pashto-text-translation/)

-### [Text translation support for Odia](https://www.microsoft.com/translator/blog/2020/08/13/odia-language-text-translation-is-now-available-in-microsoft-translator/)

-The following snippets are all taken from the *cosmos_get_started.py* file.

-> - Debit cards are not currently accepted in Hong Kong and Brazil.

-There are a few countries that don't allow the use of debit cards, however in general, you can use them to pay your Azure bill. Virtual and prepaid debit cards can't be used to pay your Azure bill.

-description: Describes how to create and manage virtual machines (VMs) on a Azure Stack Edge Pro device using templates.

-To deploy Azure Stack Edge Pro VMs across many device, you can use a single sysprepped VHD for your full fleet, the same template for deployment, and just make minor changes to the parameters to that template for each deployment location (these changes could be by hand as weΓÇÖre doing here, or programmatic.)

-1. [Download Storage Explorer](https://azure.microsoft.com/features/storage-explorer/) if you are using it to upload a VHD. Alternatively, you can download AzCopy to upload a VHD. You may need to configure TLS 1.2 on your client machine if running older versions of AzCopy.

-A sample output is shown below.

-KeyName Value Permissions

-Make sure that you have already added the blob URI in hosts file for the client that you are using to connect to Blob storage. **Run Notepad as administrator** and add the following entry for the blob URI in the `C:\windows\system32\drivers\etc\hosts`:

-Skip this step if you will connect via Storage Explorer using *http*. If you are using *https*, then you need to install appropriate certificates in Storage Explorer. In this case, install the blob endpoint certificate. For more information, see how to create and upload certificates in [Manage certificates](azure-stack-edge-gpu-manage-certificates.md).

- - If you are using device generated certificates, download and convert the blob storage endpoint `.cer` certificate to a `.pem` format. Run the following command.

- - If you are bringing your own certificate, use the signing chain root certificate in `.pem` format.

-3. After you have imported the certificate, restart Storage Explorer for the changes to take effect.

-9. Select the container you just created and in the right-pane, select **Upload > Upload files**.

-12. Copy and save the **Uri**, which you will use in later steps.

-1. Provide the OS type corresponding to the VHD you will upload. The OS type can be Windows or Linux.

- Here is a sample json that is used in this article.

-### Deploy template

- -ResourceGroupName $RGName `

- This command deploys an image resource. To query the resource, run the following command:

- Here is a sample output of a successfully created image.

-1. When you enabled the network interface for compute, a virtual switch and a virtual network was automatically created on that network interface. You can query the existing virtual network to get the Vnet name, Subnet name, and Vnet resource group name.

- Here is the sample output:

-4. Save the parameters file.

- Here is a sample json that is used in this article.

- ```

- The VM creation will take 15-20 minutes. Here is a sample output of a successfully created VM.

- You can also run the `New-AzureRmResourceGroupDeployment` command asynchronously with `ΓÇôAsJob` parameter. Here is a sample output when the cmdlet runs in the background. You can then query the status of job that is created using the `Get-Job` cmdlet.

-7. Check if the VM is successfully provisioned. Run the following command:

-At the bottom of this page, there's a table describing the Microsoft Defender for Cloud kill chain aligned with version 7 of the [MITRE ATT&CK matrix](https://attack.mitre.org/versions/v7/).

-Defender for Cloud's supported kill chain intents are based on [version 7 of the MITRE ATT&CK matrix](https://attack.mitre.org/versions/v7/) and described in the table below.

- 

- 

-Microsoft Defender for Cloud helps streamline the process for meeting regulatory compliance requirements, using the **regulatory compliance dashboard**.

-Defender for Cloud continuously assesses your hybrid cloud environment to analyze the risk factors according to the controls and best practices in the standards that you've applied to your subscriptions. The dashboard reflects the status of your compliance with these standards.

-### I made the suggested changed based on the recommendation, yet it isn't being reflected in the dashboard

-Microsoft Defender for Servers is now offered in two incremental plans.

-While Microsoft Defender for Servers Plan 2 continues to provide, complete protections from threats and vulnerabilities to your cloud and on-premises workloads, Microsoft Defender for Servers Plan 1 provides endpoint protection only, powered by Microsoft Defender for Endpoint and natively integrated with Defender for Cloud. Read more about the [Microsoft Defender for Servers plans](defender-for-servers-introduction.md#what-are-the-microsoft-defender-for-server-plans).

-If you have been using Defender for Servers until now ΓÇô no action is required.

-

-In addition, Defender for Cloud also begins gradual support for the [Defender for Endpoint unified agent for Windows Server 2012 R2 and 2016](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/defending-windows-server-2012-r2-and-2016/ba-p/2783292). Defender for Servers Plan 1 deploys the new unified agent to Windows Server 2012 R2 and 2016 workloads. Defender for Servers Plan 2 deploys the legacy agent to Windows Server 2012 R2 and 2016 workloads, and will start deploying the unified agent soon.

-As part of the actions you can take to [triage a security alert](managing-and-responding-alerts.md#respond-to-security-alerts), you can find the related platform logs in **Inspect resource context** to gain context about the affected resource.

-The platform logs can help you evaluate the security threat and identify steps that you can take to mitigate risk.

-The [Azure SQL migration extension for Azure Data Studio](/sql/azure-data-studio/extensions/azure-sql-migration-extension) enables you to assess, get Azure recommendations and migrate your SQL Server databases to Azure. Using automation with [Azure PowerShell](/powershell/module/az.datamigration) or [Azure CLI](/cli/azure/datamigration), you can leverage the capabilities of the extension with Azure Database Migration Service to migrate one or more databases at scale (including databases across multiple SQL Server instances).

-|PowerShell |SQL Server to Azure SQL Managed Instance (using file share) |[Azure-Samples/data-migration-sql/PowerShell/sql-server-to-sql-mi-fileshare](https://github.com/Azure-Samples/data-migration-sql/tree/main/PowerShell/sql-server-to-sql-mi-fileshare.md) |

-|PowerShell |SQL Server to Azure SQL Managed Instance (using Azure storage) |[Azure-Samples/data-migration-sql/PowerShell/sql-server-to-sql-mi-blob](https://github.com/Azure-Samples/data-migration-sql/tree/main/PowerShell/sql-server-to-sql-mi-blob.md) |

-|PowerShell |SQL Server to SQL Server on Azure Virtual Machines (using file share) |[Azure-Samples/data-migration-sql/PowerShell/sql-server-to-sql-vm-fileshare](https://github.com/Azure-Samples/data-migration-sql/tree/main/PowerShell/sql-server-to-sql-vm-fileshare.md) |

-|PowerShell |SQL Server to SQL Server on Azure Virtual Machines (using Azure Storage) |[Azure-Samples/data-migration-sql/PowerShell/sql-server-to-sql-vm-blob](https://github.com/Azure-Samples/data-migration-sql/tree/main/PowerShell/sql-server-to-sql-vm-blob.md) |

-|CLI |SQL Server to Azure SQL Managed Instance (using file share) |[Azure-Samples/data-migration-sql/CLI/sql-server-to-sql-mi-fileshare](https://github.com/Azure-Samples/data-migration-sql/tree/main/CLI/sql-server-to-sql-mi-fileshare.md) |

-|CLI |SQL Server to Azure SQL Managed Instance (using Azure storage) |[Azure-Samples/data-migration-sql/CLI/sql-server-to-sql-mi-blob](https://github.com/Azure-Samples/data-migration-sql/tree/main/CLI/sql-server-to-sql-mi-blob.md) |

-|CLI |SQL Server to SQL Server on Azure Virtual Machines (using file share) |[Azure-Samples/data-migration-sql/CLI/sql-server-to-sql-vm-fileshare](https://github.com/Azure-Samples/data-migration-sql/tree/main/CLI/sql-server-to-sql-vm-fileshare.md) |

-|CLI |SQL Server to SQL Server on Azure Virtual Machines (using Azure Storage) |[Azure-Samples/data-migration-sql/CLI/sql-server-to-sql-vm-blob](https://github.com/Azure-Samples/data-migration-sql/tree/main/CLI/sql-server-to-sql-vm-blob.md) |

- - Contributor for the target Azure SQL Managed Instance (and Storage Account to upload your database backup files from SMB network share).

- - Reader role for the Azure Resource Groups containing the target Azure SQL Managed Instance or the Azure storage account.

-* Create a target [Azure SQL Managed Instance](/azure/azure-sql/managed-instance/create-configure-managed-instance-powershell-quickstart) or [SQL Server on Azure Virtual Machine](/azure/azure-sql/virtual-machines/windows/sql-vm-create-powershell-quickstart)

- > If you have an existing Azure Virtual Machine, it should be registered with [SQL IaaS Agent extension in Full management mode](/azure/azure-sql/virtual-machines/windows/sql-server-iaas-agent-extension-automate-management#management-modes).

-* The source SQL Server instance certificate from a database protected by Transparent Data Encryption (TDE) needs to be migrated to the target Azure SQL Managed Instance or SQL Server on Azure Virtual Machine before migrating data. To learn more, see [Migrate a certificate of a TDE-protected database to Azure SQL Managed Instance](/azure/azure-sql/managed-instance/tde-certificate-migrate) and [Move a TDE Protected Database to Another SQL Server](/sql/relational-databases/security/encryption/move-a-tde-protected-database-to-another-sql-server).

-> [!TIP]

-> If you receive the error "The subscription is not registered to use namespace 'Microsoft.DataMigration'. See https://aka.ms/rps-not-found for how to register subscriptions.", run

-> ```azurepowershell Register-AzResourceProvider -ProviderNamespace "Microsoft.DataMigration". ```

-| **[AARNet](https://www.aarnet.edu.au/network-and-services/connectivity-services/azure-expressroute)** |Supported |Supported |Melbourne, Sydney |

-| **[Aryaka Networks](https://www.aryaka.com/)** |Supported |Supported |Amsterdam, Chicago, Dallas, Hong Kong SAR, Sao Paulo, Seattle, Silicon Valley, Singapore, Tokyo, Washington DC |

-| **[AT&T NetBond](https://www.synaptic.att.com/clouduser/html/productdetail/ATT_NetBond.htm)** |Supported |Supported |Amsterdam, Chicago, Dallas, Frankfurt, London, Silicon Valley, Singapore, Sydney, Tokyo, Toronto, Washington DC |

-| **[BBIX](https://www.bbix.net/en/service/ix/)** | Supported | Supported | Osaka, Tokyo |

-| **[BCX](https://www.bcx.co.za/solutions/connectivity/data-networks)** |Supported |Supported |Cape Town, Johannesburg|

-| **[Bell Canada](https://business.bell.ca/shop/enterprise/cloud-connect-access-to-cloud-partner-services)** |Supported |Supported |Montreal, Toronto, Quebec City, Vancouver |

-| **[British Telecom](https://www.globalservices.bt.com/en/solutions/products/cloud-connect-azure)** |Supported |Supported |Amsterdam, Amsterdam2, Chicago, Frankfurt, Hong Kong SAR, Johannesburg, London, London2, Newport(Wales), Paris, Sao Paulo, Silicon Valley, Singapore, Sydney, Tokyo, Washington DC |

-| **[BSNL](https://www.bsnl.co.in/opencms/bsnl/BSNL/services/enterprises/cloudway.html)** |Supported |Supported |Chennai, Mumbai |

-| **[C3ntro](https://www.c3ntro.com/)** |Supported |Supported |Miami |

-| **[CenturyLink Cloud Connect](https://www.centurylink.com/cloudconnect)** |Supported |Supported |Amsterdam2, Bogota, Chicago, Dublin, Frankfurt, Hong Kong, Las Vegas, London, London2, Montreal, New York, Paris, Phoenix, San Antonio, Seattle, Silicon Valley, Singapore2, Tokyo, Toronto, Washington DC, Washington DC2 |

-| **[Colt](https://www.colt.net/direct-connect/azure/)** |Supported |Supported | Amsterdam, Amsterdam2, Berlin, Chicago, Dublin, Frankfurt, Geneva, Hong Kong, London, London2, Marseille, Milan, Munich, Newport, Osaka, Paris, Silicon Valley, Silicon Valley2, Singapore2, Tokyo, Tokyo2, Washington DC, Zurich |

-| **[DE-CIX](https://www.de-cix.net/en/de-cix-service-world/cloud-exchange/find-a-cloud-service/detail/microsoft-azure)** | Supported |Supported | Amsterdam2, Chennai, Dubai2, Frankfurt, Frankfurt2, Madrid, Marseille, Mumbai, Munich, New York, Singapore2 |

-| **[eir](https://www.eirevo.ie/cloud-services/cloud-connectivity)** |Supported |Supported |Dublin|

-| **Etisalat UAE** |Supported |Supported |Dubai|

-| **[Fibrenoire](https://fibrenoire.ca/en/services/cloudextn-2/)** |Supported |Supported | Montreal, Toronto2 |

-| **GTT** |Supported |Supported |London2 |

-| **[Internet2](https://internet2.edu/services/cloud-connect/#service-cloud-connect)** |Supported |Supported |Chicago, Dallas, Silicon Valley, Washington DC |

-| **[Internet Initiative Japan Inc. - IIJ](https://www.iij.ad.jp/en/news/pressrelease/2015/1216-2.html)** |Supported |Supported |Osaka, Tokyo |

-| **[Internet Solutions - Cloud Connect](https://www.is.co.za/solution/cloud-connect/)** |Supported |Supported |Cape Town, Johannesburg, London |

-| **[Interxion](https://www.interxion.com/why-interxion/colocate-with-the-clouds/Microsoft-Azure/)** |Supported |Supported |Amsterdam, Amsterdam2, Copenhagen, Dublin, Dublin2, Frankfurt, London, London2, Madrid, Marseille, Paris, Zurich |

-| **Jaguar Network** |Supported |Supported |Marseille, Paris |

-| **[Jisc](https://www.jisc.ac.uk/microsoft-azure-expressroute)** |Supported |Supported | London, Newport(Wales) |

-| **[Megaport](https://www.megaport.com/services/microsoft-expressroute/)** |Supported |Supported | Amsterdam, Atlanta, Auckland, Chennai, Chicago, Dallas, Denver, Dubai2, Dublin, Frankfurt, Geneva, Hong Kong, Hong Kong2, Las Vegas, London, London2, Los Angeles, Madrid, Melbourne, Miami, Minneapolis, Montreal, Munich, New York, Osaka, Oslo, Paris, Perth, Phoenix, Quebec City, San Antonio, Seattle, Silicon Valley, Singapore, Singapore2, Stavanger, Stockholm, Sydney, Sydney2, Tokyo, Tokyo2 Toronto, Vancouver, Washington DC, Washington DC2, Zurich |

-| **[MTN](https://www.mtnbusiness.co.za/en/Cloud-Solutions/Pages/microsoft-express-route.aspx)** |Supported |Supported |London |

-| **MTN Global Connect** |Supported |Supported |Cape Town, Johannesburg|

-| **[National Telecom](https://www.nc.ntplc.co.th/cat/category/264/855/CAT+Direct+Cloud+Connect+for+Microsoft+ExpressRoute?lang=en_EN)** |Supported |Supported |Bangkok |

-| **[Neutrona Networks](https://flo.net/)** |Supported |Supported |Dallas, Los Angeles, Miami, Sao Paulo, Washington DC |

-| **[NOS](https://www.nos.pt/empresas/corporate/cloud/cloud/Pages/nos-cloud-connect.aspx)** |Supported |Supported | Amsterdam2 |

-| **[NTT Communications](https://www.ntt.com/en/services/network/virtual-private-network.html)** |Supported |Supported | Amsterdam, Hong Kong SAR, Jakarta, London, Los Angeles, Osaka, Singapore, Sydney, Tokyo, Washington DC |

-| **[Ooredoo Cloud Connect](https://www.ooredoo.com.kw/portal/en/b2bOffConnAzureExpressRoute)** |Supported |Supported | Marseille |

-| **[Orange](https://www.orange-business.com/en/products/business-vpn-galerie)** |Supported |Supported | Amsterdam, Amsterdam2, Dallas, Dubai2, Frankfurt, Hong Kong SAR, Johannesburg, London, London2, Mumbai2, Melbourne, Paris, Sao Paulo, Silicon Valley, Singapore, Sydney, Tokyo, Washington DC |

-| **[PacketFabric](https://www.packetfabric.com/cloud-connectivity/microsoft-azure)** |Supported |Supported | Chicago, Dallas, Denver, Las Vegas, Silicon Valley, Washington DC |

-| **[Sejong Telecom](https://www.sejongtelecom.net/en/pages/service/cloud_ms)** |Supported |Supported |Seoul |

-| **[SIFY](http://telecom.sify.com/azure-expressroute.html)** |Supported |Supported |Chennai, Mumbai2 |

-| **[Sohonet](https://www.sohonet.com/fastlane/)** |Supported |Supported |London2 |

-| **[Spark NZ](https://www.sparkdigital.co.nz/solutions/connectivity/cloud-connect/)** |Supported |Supported |Auckland, Sydney |

-| **[Telia Carrier](https://www.teliacarrier.com/)** | Supported | Supported | Amsterdam, Chicago, Dallas, Frankfurt, Hong Kong, London, Oslo, Paris, Silicon Valley, Stockholm, Washington DC |

-| **[Telin](https://www.telin.net/product/data-connectivity/telin-cloud-exchange)** | Supported | Supported |Jakarta |

-| **[Telus](https://www.telus.com)** |Supported |Supported | Montreal, Seattle, Quebec City, Toronto, Vancouver |

-| **[T-Mobile](https://www.t-mobile.com/business/solutions/networking/cloud-networking )** |Supported |Supported |Chicago, Silicon Valley, Washington DC |

-| **[UOLDIVEO](https://www.uoldiveo.com.br/)** |Supported |Supported |Sao Paulo |

-| **Vodacom** |Supported |Supported |Cape Town, Johannesburg|

-| **[Vodafone](https://www.vodafone.com/business/global-enterprise/global-connectivity/vodafone-ip-vpn-cloud-connect)** |Supported |Supported | Amsterdam2, London, Singapore |

-| **[Vodafone Idea](https://www.vodafone.in/business/enterprise-solutions/connectivity/vpn-extended-connect)** | Supported | Supported | Mumbai2 |

- * Run the script with username and password

-> The [preview API](/rest/api/iotcentral/1.1-previewdataplane/api-tokens) includes support for the new [organizations feature](howto-create-organizations.md).

-> The [preview API](/rest/api/iotcentral/1.1-previewdataplane/devices) includes support for the new [organizations feature](howto-create-organizations.md).

-> You can also use the REST API to [create and manage organizations](/rest/api/iotcentral/1.1-previewdataplane/organizations).

-PUT https://{subdomain}.{baseDomain}/api/dataExport/destinations/{destinationId}?api-version=1.1-preview

-GET https://{subdomain}.{baseDomain}/api/dataExport/destinations/{destinationId}?api-version=1.1-preview

-GET https://{subdomain}.{baseDomain}/api/dataExport/destinations?api-version=1.1-preview

-PATCH https://{subdomain}.{baseDomain}/api/dataExport/destinations/{destinationId}?api-version=1.1-preview

-DELETE https://{subdomain}.{baseDomain}/api/dataExport/destinations/{destinationId}?api-version=1.1-preview

-PUT https://{subdomain}.{baseDomain}/api/dataExport/exports/{exportId}?api-version=1.1-preview

-GET https://{subdomain}.{baseDomain}/api/dataExport/exports/{exportId}?api-version=1.1-preview

-GET https://{subdomain}.{baseDomain}/api/dataExport/exports?api-version=1.1-preview

-PATCH https://{subdomain}.{baseDomain}/dataExport/exports/{exportId}?api-version=1.1-preview

-DELETE https://{subdomain}.{baseDomain}/api/dataExport/destinations/{destinationId}?api-version=1.1-preview

-> Currently, ODATA support is only available for `api-version=1.1-preview`.

-GET https://{subdomain}.{baseDomain}/api/deviceTemplates?api-version=1.1-preview&$top=10

- "nextLink": "https://custom-12qmyn6sm0x.azureiotcentral.com/api/deviceTemplates?api-version=1.1-preview&%24top=1&%24skiptoken=%7B%22token%22%3A%22%2BRID%3A%7EJWYqAKZQKp20qCoAAAAACA%3D%3D%23RT%3A1%23TRC%3A1%23ISV%3A2%23IEO%3A65551%23QCF%3A4%22%2C%22range%22%3A%7B%22min%22%3A%2205C1DFFFFFFFFC%22%2C%22max%22%3A%22FF%22%7D%7D"

-GET https://{subdomain}.{baseDomain}/api/deviceTemplates?api-version=1.1-preview&$filter=contains(displayName, 'thermostat')

-GET https://{subdomain}.{baseDomain}/api/deviceTemplates?api-version=1.1-preview&$orderby=displayName

-GET https://{subdomain}.{baseDomain}/api/deviceTemplates?api-version=1.1-preview&$filter=contains(displayName, 'thermostat')&$top=2

-> Currently, ODATA support is only available for `api-version=1.1-preview`

-GET https://{subdomain}.{baseDomain}/api/devices?api-version=1.1-preview&$top=10

- "nextLink": "https://custom-12qmyn6sm0x.azureiotcentral.com/api/devices?api-version=1.1-preview&%24top=1&%24skiptoken=%257B%2522token%2522%253A%2522%252BRID%253A%7EJWYqAOis7THQbBQAAAAAAg%253D%253D%2523RT%253A1%2523TRC%253A1%2523ISV%253A2%2523IEO%253A65551%2523QCF%253A4%2522%252C%2522range%2522%253A%257B%2522min%2522%253A%2522%2522%252C%2522max%2522%253A%252205C1D7F7591D44%2522%257D%257D"

-GET https://{subdomain}.{baseDomain}/api/deviceTemplates?api-version=1.1-preview&$filter=index(displayName, 'thermostat')

-GET https://{subdomain}.{baseDomain}/api/devices?api-version=1.1-preview&$orderby=displayName

-GET https://{subdomain}.{baseDomain}/api/deviceTemplates?api-version=1.1-preview&$filter=contains(displayName, 'thermostat')&$top=2

-> The jobs API is currently in preview. All The REST API calls described in this article should include `?api-version=preview`.

-> The [preview API](/rest/api/iotcentral/1.1-previewdataplane/jobs) includes support for the new [organizations feature](howto-create-organizations.md).

-GET https://{your app subdomain}.azureiotcentral.com/api/jobs?api-version=preview

-GET https://{your app subdomain}.azureiotcentral.com/api/jobs/job-004?api-version=preview

-GET https://{your app subdomain}.azureiotcentral.com/api/jobs/job-004/devices?api-version=preview

-PUT https://{your app subdomain}.azureiotcentral.com/api/jobs/job-006?api-version=preview

-POST https://{your app subdomain}.azureiotcentral.com/api/jobs/job-006/stop?api-version=preview

-POST https://{your app subdomain}.azureiotcentral.com/api/jobs/job-006/resume?api-version=preview

-PUT https://{your app subdomain}.azureiotcentral.com/api/jobs/job-006/rerun/rerun-001?api-version=preview

-> The [organizations feature](howto-create-organizations.md) is currently available in [preview API](/rest/api/iotcentral/1.1-previewdataplane/users).

-PUT https://{subdomain}.{baseDomain}/api/organizations/{organizationId}?api-version=1.1-preview

-GET https://{subdomain}.{baseDomain}/api/organizations/{organizationId}?api-version=1.1-preview

-PATCH https://{subdomain}.{baseDomain}/api/organizations/{organizationId}?api-version=1.1-preview

-GET https://{your app subdomain}.azureiotcentral.com/api/organizations?api-version=1.1-preview

-DELETE https://{your app subdomain}.azureiotcentral.com/api/organizations/{organizationId}?api-version=1.1-preview

-> The [preview API](/rest/api/iotcentral/1.1-previewdataplane/users) includes support for the new [organizations feature](howto-create-organizations.md).

-POST https://{your app subdomain}.azureiotcentral.com/api/query?api-version=1.1-preview

- "query": "SELECT $id, $ts, temperature, humidity FROM urn:modelDefinition:fupmoiu28b:ymju9efv9 WHERE WITHIN_WINDOW(P1D)"

-The `urn:modelDefinition:fupmoiu28b:ymju9efv9` value in the `FROM` clause is a *device template ID*. To find a device template ID, navigate to the **Devices** page in your IoT Central application and hover over a device that uses the template. The card includes the device template ID:

- "query": "SELECT deviceInformation.model, deviceInformation.swVersion FROM urn:modelDefinition:fupmoiu28b:ymju9efv9"

- "query": "SELECT $id as ID, $ts as timestamp, temperature as t, pressure as p FROM urn:modelDefinition:fupmoiu28b:ymju9efv9 WHERE WITHIN_WINDOW(P1D) AND t > 0 AND p > 50"

- "query": "SELECT TOP 10 $id as ID, $ts as timestamp, temperature, humidity FROM urn:modelDefinition:fupmoiu28b:ymju9efv9"

-You can also use the [Devices - Get](/rest/api/iotcentral/1.1-previewdataplane/devices/get) REST API call to get the device template ID for a device.

- "query": "SELECT $id, $ts, temperature, humidity FROM urn:modelDefinition:fupmoiu28b:ymju9efv9 WHERE WITHIN_WINDOW(P1D)"

- "query": "SELECT $id, $ts, temperature AS t, pressure AS p FROM urn:modelDefinition:fupmoiu28b:ymju9efv9 WHERE WITHIN_WINDOW(P1D) AND t > 0 AND p > 50 AND $id IN ['sample-002', 'sample-003']"

- "query": "SELECT AVG(temperature), AVG(pressure) FROM urn:modelDefinition:fupmoiu28b:ymju9efv9 WHERE WITHIN_WINDOW(P1D) AND $id='{{DEVICE_ID}}' GROUP BY WINDOW(PT10M)"

- "query": "SELECT $id as ID, $ts as timestamp, temperature, humidity FROM urn:modelDefinition:fupmoiu28b:ymju9efv9 ORDER BY timestamp DESC"

-> You must enable soft-delete on your key vaults immediately. The ability to opt out of soft-delete is deprecated and will be removed in February 202. See full details [here](soft-delete-change.md)

-[React](https://reactjs.org/) is a popular JavaScript library for building user interfaces (UI). React is a declarative way to create reusable components for your website. There are many other popular libraries for JavaScript-based front-end development. We'll use a few of these libraries while creating our lab. [Redux](https://redux.js.org/) is a library that provides predictable state container for JavaScript apps and is often used in compliment with React. [JSX](https://reactjs.org/docs/introducing-jsx.html) is a library syntax extension to JavaScript often used with React to describe what the UI should look like. [NodeJS](https://nodejs.org/) is a convenient way to run a webserver for your React application.

-Once you get have Azure subscription, you can create a new lab plan in Azure Lab Services. For more information about creating a new lab plan, see the tutorial on [how to set up a lab plan](./tutorial-setup-lab-plan.md). You can also use an existing lab plan.

-For instructions on how to create a lab, see [Tutorial: Set up a lab](tutorial-setup-lab.md). Use the following settings when creating the lab.

-LetΓÇÖs cover an example cost estimate for this class. The virtual machine size we chose was **Small**, which is 20 lab units.

-Schedules allow you to configure a lab such that VMs in the lab automatically start and shut down at a specified time. You can define a one-time schedule or a recurring schedule. The article covers the procedures to create and manage schedules for a lab.

-> The scheduled running time of VMs does not count against the quota allotted to a user. The quota is for the time outside of schedule hours that a student spends on VMs.

-A lab created within Teams can be deleted in the [Lab Services portal](https://labs.azure.com) directly. For more information, see [Delete a lab](manage-labs.md#delete-a-lab).

-Lab deletion is also triggered when the team is deleted. If the associated team is deleted, the lab will be automatically deleted 24 hours later when the automatic user list sync is triggered.

-If the *tab* is deleted in Teams, users can still access the lab VMs on the Lab Services web portal: [https://labs.azure.com](https://labs.azure.com). When the team is deleted or the lab is explicitly deleted, users can no longer access their VMs through the Lab Services web portal: [https://labs.azure.com](https://labs.azure.com).

-Virtual Machine (VM) creation starts as soon as the template VM is first published. VMs equaling the number of users in the lab user list will be created. VMs are automatically assigned to students when they first access the Azure Lab Services lab.

-To publish the template, go to the Teams Lab Services window, select **Template** tab > **...** > **Publish**.

-Once the lab is published and VMs are created, users will be automatically registered to the lab. Lab VMs will be assigned to users the first time they first access the tab having **Azure Lab Services** App.

-Team membership and lab user list are kept in sync. The lab capacity (number of VMs in the lab) will be automatically updated based on the changes to the team membership. New VMs will be created as new users are added to the team. VMs assigned to the users removed from the team will be deleted. For more information, see [How to manage users within Teams](how-to-manage-user-lists-within-teams.md).

-Educators can continue to access student VMs directly from the VM Pool tab. And educators can access VMs assigned to themselves either from the **Virtual machine pool** tab or by clicking on the **My Virtual Machines** button (top-right corner of the screen).

- :::image type="content" source="./media/lab-account-owner-support-information/internal-support-page.png" alt-text="Screenshot of Internal support page.":::

-* To use the [Inline Code Operations action](../logic-apps/logic-apps-add-run-inline-code.md) that runs JavaScript, install [Node.js versions 10.x.x, 11.x.x, or 12.x.x](https://nodejs.org/en/download/releases/).

-The **Logic App (Standard)** resource type is powered by the redesigned single-tenant Azure Logic Apps runtime. This runtime uses the [Azure Functions extensibility model](../azure-functions/functions-bindings-register.md) and is hosted as an extension on the Azure Functions runtime. This design provides portability, flexibility, and more performance for your logic app workflows plus other capabilities and benefits inherited from the Azure Functions platform and Azure App Service ecosystem. For example, you can create, deploy, and run single-tenant based logic apps and their workflows in [Azure App Service Environment v3](../app-service/environment/overview.md).

-When you create logic apps using the **Logic App (Standard)** resource type, you can deploy and run your workflows in other environments, such as [Azure App Service Environment v3](../app-service/environment/overview.md). If you use Visual Studio Code with the **Azure Logic Apps (Standard)** extension, you can *locally* develop, build, and run your workflows in your development environment without having to deploy to Azure. If your scenario requires containers, [create single-tenant based logic apps using Azure Arc-enabled Logic Apps](azure-arc-enabled-logic-apps-create-deploy-workflows.md). For more information, review [What is Azure Arc enabled Logic Apps?](azure-arc-enabled-logic-apps-overview.md)

- > Compute cluster and compute instance can be created with or without a public IP address. If created with a public IP address, they communicate with the Azure Batch Services over the public IP. If created without a public IP, they communicate with Azure Batch Services over the private IP. When using a private IP, you need to allow inbound communications from Azure Batch.

-description: Configure a managed application plan for your Azure application offer in Partner Center (Azure Marketplace).

-Review your prices carefully before publishing, as there are some restrictions on what can change after a plan is published.

-> [!NOTE]

-> After a price for a market in your plan is published, it can't be changed later.

-The other attributes of a dimension are specific to each plan and can have different values from plan to plan. Before you publish the plan, you can edit these values and only this plan will be affected. Once you publish the plan, these attributes will no longer be editable. The attributes are:

-* Price per unit

-* Included quantity for monthly customers

-* Included quantity for annual customers

->[!Note]

->The following scenarios are explicitly supported: <br> - You can add a new dimension to a new plan. The new dimension will not be enabled for any already published plans. <br> - You can publish a plan with a fixed monthly fee and without any dimensions, then add a new plan and configure a new dimension for that plan. The new dimension will not be enabled for already published plans.

-A dimension used with the Marketplace metering service represents an understanding of how a customer will be paying for the service. All details of a dimension are no longer editable once an offer is published. Before publishing your offer, it's important that you have your dimensions fully defined.

-* Price per unit

- [  ](./media/workspaces/partner-center-home.png#lightbox)

-1. In the left-nav, select **Pricing and availability**.

-1. Select **Save draft** and then select **Review and publish**. After the offer is republished, the new core sizes will be available to your customers at the prices that you have set.

-description: Configure pricing and availability for a virtual machine offer in the Microsoft commercial marketplace.

-For the **License model**, select **Usage-based monthly billed plan** to configure pricing for this plan, or **Bring your own license** to let customers use this plan with their existing license.

-For a usage-based monthly billed plan, Microsoft will charge the customer for their hourly usage and they're billed monthly. This is our _Pay-as-you-go_ plan, where customers are only billed for the hours that they've used. When you select this plan, choose one of the following pricing options:

-For **Per core size** and **Per market and core size**, enter a **Price per core**, and then select **Generate prices**. The tables of price/hour calculations are populated for you. You can then adjust the price per core, if you choose. If using the _Per market and core size_ pricing option, you can additionally customize the price/hour calculation tables for each market thatΓÇÖs selected for this plan.

-> To ensure that the prices are right before you publish them, export the pricing spreadsheet and review the prices in each market. Before you export pricing data, first select **Save draft** near the bottom of the page to save pricing changes.

-Any Azure customer can deploy the offer using either PowerShell or CLI. If you wish to make this offer available to a limited set of customers, then set the plan to **Private**.

-## Next step

-description: Learn how to Configuring prices for VM.

-Publishers receive an email when the price is set for new core sizes and will have some time to review and make adjustments as needed. After the deadline passes microsoft publishes the prices for the newly added core sizes.

-If the publisher chose Free, Flat or Per core size, then the publisher has already provided the necessary details on how to price the offer for new core sizes and no further action is needed. However, if the publisher previously selected the Per core size, or Per market and core size, then they would need to contact Microsoft with their updated pricing information.

-When you create a transactable offer, it's important to understand the pricing, billing, invoicing, and payout considerations before you select an offer type and create your offer. To learn more, see [Commercial marketplace online stores](overview.md#commercial-marketplace-online-stores).

-To choose an offer type to create, see [Publishing guide by offer type](publisher-guide-by-offer-type.md).

-Private Offers can be created for all transactable marketplace offer types: SaaS, Azure Virtual Machines, and Azure Applications.

-Create and manage private offers from the **Private Offers** dashboard in Partner Center's left-nav menu. This dashboard has two tabs:

-3. Select **Private Offers** from the left-nav menu.

-5. Select **+ New Private Offer**.

-1. Select **Private Offers** from the left-nav menu.

-1. Select **Private Offers** from the left-nav menu.

-1. Select **Private Offers** from the left-nav menu.

-1. Select **Private Offers** from the left-nav menu.

-Publishers who want to change the usage fees associated with an offer, should first remove the offer (or the specific plan within the offer) from the commercial marketplace. Removal should be done in accordance with the requirements of the [Microsoft Publisher Agreement](/legal/marketplace/msft-publisher-agreement). Then the publisher can publish a new offer (or plan within an offer) that includes the new usage fees. For information, about removing an offer or plan, see [Stop distribution of an offer or plan](./update-existing-offer.md#stop-distribution-of-an-offer-or-plan).

-> After a price for a market in your plan is published, it can't be changed. To ensure that the prices are right before you publish them, export the pricing spreadsheet and review the prices in each market.

-The price of an offer is always shown to customers in their local currency. The price you select in Partner Center is converted to the local currency of customers according to the exchange rate at the time you saved the price in Partner Center. The price shown to customers in the online stores doesn't change, unless you republish your offer.

-This article provides information on the Orders dashboard in Partner Center. This dashboard displays information about your offer - subscriptions, orders, pricing model including growth trends, presented in a graphical and downloadable format.

-The [Orders dashboard](https://go.microsoft.com/fwlink/?linkid=2165914) displays the current orders for all your offers, including software as a service (SaaS), with subscription-based billing model. You can view graphical representations of the following items:

-You can find a month range selection at the top-right corner of each page. Customize the output of the **Orders** page graphs by selecting a month range based on the past 6 or 12 months, or by selecting a custom month range with a maximum duration of 12 months. The default month range is six months.

-you can choose to view subscription and order details of public offers, private offers, or both by selecting the **Public offer** sub-tab, **Private offer** sub-tab, and the **All** sub-tab respectively.

-> All metrics in the visualization widgets and export reports are as per the month range selected by the user.

-In this section, you will find the **Subscription** chart that shows the trend of your active and canceled subscriptions for the selected month range. Metrics and growth trends are represented by a line chart and will display the value for each month by hovering over the line on the chart. The percentage value below the subscription metrics in the widget represents the amount of growth or decline during the selected month range.

-### Subscription by per seat and site trend

-The **Subscriptions by per seat and site-based** line chart represents the metric and trend of per-site (flat rate pricing) and per-seat (per user pricing) customer subscriptions for the selected month range.

-**Tooltips:**

-[](./media/orders-dashboard/seats-per-site.png#lightbox)

-Subscription offers can use one of two pricing models with each plan: either site-based (flat rate) or seat-based (per user).

-For more details on seat, site, and metered-based billing, see [How to plan a SaaS offer for the commercial marketplace](plan-saas-offer.md).

-The Orders by offers widget shows information about offers and SKU. This chart shows the measures and trends of all offers. Orders are categorized under different statuses: New, Convert, Renewed, Canceled.

-For different statuses, the _Orders_ sub-tab provides information about the count of orders, _Quantity_ sub-tab provides information about the number of seats added and/or removed by customers for existing subscription assets, and the _Revenue_ sub-tab provides information about the billed revenue of orders for the selected month range. Each order is categorized with one of below statuses:

-### Order by offers - Orders subtab

-In this widget you can view information of All offers with different order statuses under the **Orders** subtab.

-In this widget you can view information of **a selected offer and its SKU or offer plans** (from the drop-down) with different order statuses under the **Orders** subtab.

-In this widget you can view information of **All offers** (from the drop-down) with seats/sites added or removed for existing subscriptions.

-In this widget you can view information of a selected offer and its SKU or offer plans (from the drop-down) with seats and sites added or removed for existing subscriptions.

-[  ](./media/orders-dashboard/orders-tab-selected-offers-2.png#lightbox)

-In this widget you can view information of **a selected offer and its offer plans** (from the drop-down) with billed revenue of orders purchased in the selected month range.

-For the selected month range, the heatmap displays the total number of subscriptions, and the growth percentage of newly added subscriptions against a geography. The light to dark color on the map represents the low to high value of the subscriptions count. Select a record in the table to zoom in on a specific country or region.

-[](./media/orders-dashboard/views-across-countries.png#lightbox)

-The Order details table displays a numbered list of the 500 top orders sorted by date of acquisition.

-| Is Preview SKU | Is Preview SKU | The value will let you know if you have tagged the SKU as "preview". Value will be "Yes" if the SKU has been tagged accordingly, and only Azure subscriptions authorized by you can deploy and use this image. Value will be "No" if the SKU has not been identified as "preview". | IsPreviewSKU |

-| Order Status | Order Status | The status of a commercial marketplace order at the time the data was last refreshed. Possible values are: <ul><li>**Active**: Subscription asset is active and used by customer</li><li>**Cancelled**: Subscription of an asset is canceled by customer</li><li>**Expired**: Subscription for an offer expired in the system automatically post trial period</li><li>**Abandoned**: Indicates a system error during offer creation or subscription fulfillment was not completed<li><li>**Warning**: </li>Subscription order is still active but customer has defaulted in payments</ul> | OrderStatus |

-| Billed Revenue USD | EstimatedCharges | The price the customer will be charged for all order units before taxation. This is calculated in customer transaction currency. In tax inclusive countries, this price includes the tax, otherwise it does not. | EstimatedCharges |

-|||||

-The **Orders** page filters are applied at the Orders page level. You can select one or multiple filters to render the chart for the criteria you choose to view and the data you want to see in 'Detailed orders data' grid / export. Filters are applied on the data extracted for the month range that you have selected on the top-right corner of the orders page.

-description: Learn about flexible billing models for SaaS offers using the commercial marketplace metering service.

-The [Summary dashboard](https://go.microsoft.com/fwlink/?linkid=2165765) presents an overview of Azure Marketplace and Microsoft AppSource offersΓÇÖ business performance. The dashboard provides a broad overview of the following:

-### Month range

-You can find a month range selection at the top-right corner of each page. Customize the output of the **Summary** page graphs by selecting a month range based on the past specified number of months, or by selecting a custom month range with a maximum duration of 12 months. The default month range (computation period) is six months.

-[  ](./media/summary-dashboard/summary-dashboard-filters.png#lightbox)

-> All metrics in the visualization widgets and export reports honor the computation period selected by the user.

-[](./media/summary-dashboard/orders-widget.png#lightbox)

-You can also go to the Orders report by selecting the **Orders Dashboard** link in the lower-left corner of the widget.

-[](./media/summary-dashboard/customers-widget.png#lightbox)

-You can also go to the detailed Customers report by selecting the **Customers dashboard** link in the lower-left corner of the widget.

-[](./media/summary-dashboard/usage-widget.png#lightbox)

-You can also go to the Usage report by selecting the **Usage dashboard** link in the lower-left corner of the widget.

-[](./media/summary-dashboard/page-visit-count.png#lightbox)

-You can also go to the Marketplace Insights report by selecting the **Marketplace insights dashboard** link in the lower-left corner of the widget.

-For the selected computation period, the heatmap displays the total number of customers, orders, and normalized usage hours against geography dimension.

-> [!TIP]

-> You can use the download icon in the upper-right corner of any widget to download the data. You can provide feedback on each of the widgets by selecting the ΓÇ£thumbs upΓÇ¥ or ΓÇ£thumbs downΓÇ¥ icon.

-After a virtual machine plan is published, its price canΓÇÖt be changed. To offer the same plan at a different price, you must hide the plan and create a new one with the updated price. First, hide the plan with the price you want to change:

-Now that you have hidden the plan with the old price, create a copy of that plan with the updated price:

-2. Select **Create new plan**. Enter a **Plan ID** and a **Plan name**, then select **Create**.

-3. Complete all the required sections for the new plan, including the new price.

-Learn about important updates in the commercial marketplace program of Partner Center. This page is updated monthly, so be sure to check back!

-| | - | - |

-| Offers | We have updated the names of [Dynamics 365](./marketplace-dynamics-365.md#licensing-options) offer types: <br><br> - Dynamics 365 for Customer Engagement &amp; PowerApps is now **Dynamics 365 apps on Dataverse and Power Apps** <br> - Dynamics 365 for operations is now **Dynamics 365 Operations Apps** <br> - Dynamics 365 business central is now **Dynamics 365 Business Central** | 2021-12-03 |

-While this state can mean that the thread is sending data through the network, it can also indicate that the query is reading data from the disk or memory. This state can be caused by a sequential table scan. You should check the values of the innodb_buffer_pool_reads and innodb_buffer_pool_read_requests to determine whether a large number of pages are being served from the disk into the memory.

-| [MainOne](https://www.mainone.net/connectivity-services/microsoft-azure-peering-service/) |Africa|

-Before creating any credentials, consider your data source types and networking requirements to decide which authentication method you need for your scenario. Review the following decision tree to find which credential is most suitable:

- :::image type="content" source="media/manage-credentials/manage-credentials-decision-tree-small.png" alt-text="Manage credentials decision tree" lightbox="media/manage-credentials/manage-credentials-decision-tree.png":::

-* Lineage extraction scan is scheduled and defaulted to run every six hours. Frequency can't be changed

-* If sql views are referenced in stored procedures, they're captured as sql tables currently

-* **SQL Authentication** - connect to the SQL database with a username and password. For more information about SQL Authentication, you can [follow the SQL authentication documenation](/sql/relational-databases/security/choose-an-authentication-mode#connecting-through-sql-server-authentication).If you need to create a login, follow this [guide to query an Azure SQL database](../azure-sql/database/connect-query-portal.md), and use [this guide to create a login using T-SQL.](/sql/t-sql/statements/create-login-transact-sql)

-Azure SDK for .NET includes a [**Azure.Search.Documents**](/dotnet/api/overview/azure/search) client library from the Azure SDK team that is functionally equivalent to the previous client library, [Microsoft.Azure.Search](/dotnet/api/overview/azure/search/client10), but utilizes common approaches and conventions where applicable. Some examples include [`AzureKeyCredential`](/dotnet/api/azure.azurekeycredential) key authentication, and [System.Text.Json.Serialization](/dotnet/api/system.text.json.serialization) for JSON serialization.

-The next step in `Main` populates the newly-created "hotels" index. This index population is done in the following method:

-This method has four parts. The first creates an array of 3 `Hotel` objects each with 3 `Room` objects that will serve as our input data to upload to the index. This data is hard-coded for simplicity. In an actual application, data will likely come from an external data source such as a SQL database.

-The third part of this method is a catch block that handles an important error case for indexing. If your search service fails to index some of the documents in the batch, an `IndexBatchException` is thrown by `IndexDocuments`. This exception can happen if you are indexing documents while your service is under heavy load. **We strongly recommend explicitly handling this case in your code.** You can delay and then retry indexing the documents that failed, or you can log and continue like the sample does, or you can do something else depending on your application's data consistency requirements.

-1. On the Basics tab, provide a name for the custom role, such as "Search Index Explorer", and then click **Next**.

-1. Set the permissions for your custom role:

- "roleName": "search index explorer",

-The PowerShell example shows the JSON syntax for creating a custom role.

-1. Review the [list of atomic permissions](../role-based-access-control/resource-provider-operations.md#microsoftsearch) to determine which ones you need.

- "Name": "Search Index Manager",

- "Description": "Can manage search indexes and read or write to them",

- "Microsoft.Search/searchServices/indexes/*",

-

- "Microsoft.Search/searchServices/indexes/documents/*"

-| Semantic search (rank, captions, highlights, answers) | Standard tier (S1, S2, S3) | Australia East, East US, East US 2, North Central US, South Central US, West US, West US 2, North Europe, UK South, West Europe | Required | [Cognitive Search pricing page](https://azure.microsoft.com/pricing/details/search/) |

-| Spell check | Basic<sup>1</sup> and above | All | None | None (free) |

-<sup>1</sup> Due to the provisioning mechanisms and lifespan of shared (free) search services, a small number of services happen to have spell check on the free tier. However, spell check availability on free tier services is not guaranteed and should not be expected.

- Semantic Search's free plan is capped at 1,000 queries per month. After the first 1,000 queries in the free plan, you'll receive an error message letting you know you've exhausted your quota whenever you issue a semantic query. When this happens, you'll need to upgrade to the standard plan to continue using semantic search.

-For full protection against accidental usage and charges, you can [disable semantic search](/rest/api/searchmanagement/2021-04-01-preview/services/create-or-update#searchsemanticsearch) using the Create or Update Service API on your search service. After the feature is disabled, any requests that include the semantic query type will be rejected.

-> [!IMPORTANT]

->

-> - The alert details feature is in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

- Example: `Alert from {{ProviderName}}: {{AccountName}} failed to log on to computer {{ComputerName}} with IP address {{IPAddress}}.`

-

-You can use the [Jupyter notebook](https://github.com/Azure/Azure-Sentinel-Notebooks/tree/master/BehaviorAnalytics/UserSecurityMetadata) provided in the Microsoft Sentinel GitHub repository to visualize the user peers metadata. For detailed instructions on how to use the notebook, see the [Guided Analysis - User Security Metadata](https://github.com/Azure/Azure-Sentinel-Notebooks/blob/master/BehaviorAnalytics/UserSecurityMetadata/Guided%20Analysis%20-%20User%20Security%20Metadata.ipynb) notebook.

-You can use the [Jupyter notebook](https://github.com/Azure/Azure-Sentinel-Notebooks/tree/master/BehaviorAnalytics/UserSecurityMetadata) (the same notebook mentioned above) from the Microsoft Sentinel GitHub repository to visualize the permission analytics data. For detailed instructions on how to use the notebook, see the [Guided Analysis - User Security Metadata](https://github.com/Azure/Azure-Sentinel-Notebooks/blob/master/BehaviorAnalytics/UserSecurityMetadata/Guided%20Analysis%20-%20User%20Security%20Metadata.ipynb) notebook.

-> Multiple Workspace View currently supports a maximum of 30 concurrently displayed workspaces.

-description: Learn about managing certificates in a Service Fabric cluster secured with X.509 certificates.

-# Certificate management in Service Fabric clusters

-This article addresses the management aspects of certificates used to secure communication in Azure Service Fabric clusters, and complements the introduction to [Service Fabric cluster security](service-fabric-cluster-security.md) as well as the explainer on [X.509 certificate-based authentication in Service Fabric](cluster-security-certificates.md). We assume the reader is familiar with fundamental security concepts, and also with the controls that Service Fabric exposes to configure the security of a cluster.

-Aspects covered under this Title:

-* What exactly is 'certificate management'?

-* Roles and entities involved in certificate management

-* The journey of a certificate

-* Deep dive into an example

-* Troubleshooting and Frequently Asked Questions

-But first - a disclaimer: this article attempts to pair its theoretical side with hands-on examples, which require, well, specifics of services, technologies, and so on. Since a sizeable part of the audience is Microsoft-internal, we'll refer to services, technologies, and products specific to Microsoft Azure. Feel free to ask in the comments section for clarifications or guidance, where the Microsoft-specific details do not apply in your case.

-As we've seen in the [companion article](cluster-security-certificates.md), a certificate is a cryptographic object essentially binding an asymmetric key pair with attributes describing the entity it represents. However, it is also a 'perishable' object, in that its lifetime is finite and is susceptible to compromises - accidental disclosure or a successful exploit can render a certificate useless from a security standpoint. This implies the need to change certificates - either routinely or in response to a security incident. Another aspect of management (and is an entire topic on its own) is the safeguarding of certificate private keys, or of secrets protecting the identities of the entities involved in procuring and provisioning certificates. We refer to the processes and procedures used to obtain certificates and to safely (and securely) transport them to where they are needed as 'certificate management'. Some of the management operations - such as enrollment, policy setting, and authorization controls - are beyond the scope of this article. Still others - such as provisioning, renewal, re-keying, or revocation - are only incidentally related to Service Fabric; nonetheless, we'll address them here to some degree, as understanding these operations can help with properly securing one's cluster.

-The goal is to automate certificate management as much as possible to ensure uninterrupted availability of the cluster and offer security assurances, given that the process is user-touch-free. This goal is attainable currently in Azure Service Fabric clusters; the remainder of the article will first deconstruct certificate management, and later will focus on enabling autorollover.

-Specifically, the topics in scope are:

- - Assumptions related to the separation of attributions between owner and platform, in the context of managing certificates

- - The long pipeline of certificates from issuance to consumption

- - Certificate rotation - why, how and when

- - What could possibly go wrong?

-Aspects such as securing/managing domain names, enrolling into certificates, or setting up authorization controls to enforce certificate issuance are beyond the scope of this article. Refer to the Registration Authority (RA) of your favorite Public Key Infrastructure (PKI) service. Microsoft-internal consumers: please reach out to Azure Security.

-The security approach in a Service Fabric cluster is a case of "cluster owner declares it, Service Fabric runtime enforces it". By that we mean that almost none of the certificates, keys, or other credentials of identities participating in a cluster's functioning come from the service itself; they are all declared by the cluster owner. Furthermore, the cluster owner is also responsible for provisioning the certificates into the cluster, renewing them as needed, and ensuring the security of the certificates at all times. More specifically, the cluster owner must ensure that:

- - Certificates declared in the NodeType section of the cluster manifest can be found on each node of that type, according to the [presentation rules](cluster-security-certificates.md#presentation-rules)

- - Certificates declared above are installed with their corresponding private keys included.

- - Certificates declared in the presentation rules should pass the [validation rules](cluster-security-certificates.md#validation-rules)

- - Granting access to the corresponding private keys to Service Fabric-controlled entities on a 'need' basis

-It follows that the certificate management burden (as active operations) falls solely on the cluster owner. In the following sections, we'll take a closer look at each of the management operations, with available mechanisms and their impact on the cluster.

-Let us quickly revisit the progression of a certificate from issuance to consumption in the context of a Service Fabric cluster:

- 1. A domain owner registers with the RA of a PKI a domain or subject that they'd like to associate with ensuing certificates; the certificates will, in turn, constitute proofs of ownership of said domain or subject.

- 2. The domain owner also designates in the RA the identities of authorized requesters - entities that are entitled to request the enrollment of certificates with the specified domain or subject; in Microsoft Azure, the default identity provider is Azure Active Directory, and authorized requesters are designated by their corresponding AAD identity (or via security groups)

- 3. An authorized requester then enrolls into a certificate via a Secret Management Service; in Microsoft Azure, the SMS of choice is Azure Key Vault (AKV), which securely stores and allows the retrieval of secrets and certificates by authorized entities. AKV also renews/re-keys the certificate as configured in the associated certificate policy (AKV uses AAD as the identity provider).

- 4. An authorized retriever - which we'll refer to as a 'provisioning agent' - retrieves the certificate, inclusive of its private key, from the vault, and installs it on the machines hosting the cluster.

- 5. The Service Fabric service (running elevated on each node) grants access to the certificate to allowed Service Fabric entities; these are designated by local groups, and split between ServiceFabricAdministrators and ServiceFabricAllowedUsers

- 6. The Service Fabric runtime accesses and uses the certificate to establish federation, or to authenticate to inbound requests from authorized clients

- 7. The provisioning agent monitors the vault certificate, and triggers the provisioning flow upon detecting renewal; subsequently, the cluster owner updates the cluster definition, if needed, to indicate the intent to roll over the certificate.

- 8. The provisioning agent or the cluster owner is also responsible for cleaning up/deleting unused certificates

-For our purposes, the first two steps in the sequence above are largely unrelated; the only connection is that the subject common name of the certificate is the DNS name declared in the cluster definition.

-These steps are illustrated below; note the differences in provisioning between certificates declared by thumbprint and common name, respectively.

-*Fig. 1.* Issuance and provisioning flow of certificates declared by thumbprint.

-![Provisioning certificates declared by thumbprint][Image1]

-*Fig. 2.* Issuance and provisioning flow of certificates declared by subject common name.

-![Provisioning certificates declared by subject common name][Image2]

-This topic is covered in detail in the [Key Vault documentation](../key-vault/certificates/create-certificate.md); we're including a synopsis here for continuity and easier reference. Continuing with Azure as the context, and using Azure Key Vault as the secret management service, an authorized certificate requester must have at least certificate management permissions on the vault, granted by the vault owner; the requester would then enroll into a certificate as follows:

- - Under `{vaultUri}/certificates/{name}`: The certificate including the public key and metadata.

- - Under `{vaultUri}/keys/{name}`: The certificate's private key, available for cryptographic operations (wrap/unwrap, sign/verify).

- - Under `{vaultUri}/secrets/{name}`: The certificate inclusive of its private key, available for downloading as an unprotected pfx or pem file.

-Recall that a certificate in the vault contains a chronological list of certificate instances that share a policy. Certificate versions will be created according to the lifetime and renewal attributes of this policy. It is highly recommended that vault certificates not share subjects or domains/DNS names, as it can be disruptive in a cluster to provision certificate instances from different vault certificates, with identical subjects but substantially different other attributes, such as issuer, key usages etc.

-At this point, a certificate exists in the vault, ready for consumption. Onward to:

-We mentioned a 'provisioning agent', which is the entity that retrieves the certificate, inclusive of its private key, from the vault and installs it on to each of the hosts of the cluster. (Recall that Service Fabric does not provision certificates.) In our context, the cluster will be hosted on a collection of Azure VMs and/or virtual machine scale sets. In Azure, provisioning a certificate from a vault to a VM/VMSS can be achieved with the following mechanisms - assuming, as above, that the provisioning agent was previously granted 'get' permissions on the vault by the vault owner:

- - Ad-hoc: an operator retrieves the certificate from the vault (as pfx/PKCS #12 or pem) and installs it on each node

- - As a virtual machine scale set 'secret' during deployment: Using its first party identity on behalf of the operator, the Compute service retrieves the certificate from a template-deployment-enabled vault and installs it on each node of the virtual machine scale set ([like so](../virtual-machine-scale-sets/virtual-machine-scale-sets-faq.yml)); note this allows the provisioning of versioned secrets only

- - Using the [Key Vault VM extension](../virtual-machines/extensions/key-vault-windows.md); this allows the provisioning of certificates using version-less declarations, with periodic refreshing of observed certificates. In this case, the VM/VMSS is expected to have a [managed identity](../virtual-machines/security-policy.md#managed-identities-for-azure-resources), an identity that has been granted access to the vault(s) containing the observed certificates.

-The ad-hoc mechanism is not recommended for multiple reasons, ranging from security to availability, and won't be discussed here further; for details, refer to [certificates in virtual machine scale sets](../virtual-machine-scale-sets/virtual-machine-scale-sets-faq.yml).

-The VMSS-/Compute-based provisioning presents security and availability advantages, but it also presents restrictions. It requires - by design - declaring certificates as versioned secrets, which makes it suitable only for clusters secured with certificates declared by thumbprint. In contrast, the Key Vault VM extension-based provisioning will always install the latest version of each observed certificate, which makes it suitable only for clusters secured with certificates declared by subject common name. To emphasize, do not use an autorefresh provisioning mechanism (such as the KVVM extension) for certificates declared by instance (that is, by thumbprint) - the risk of losing availability is considerable.

-Other provisioning mechanisms may exist; the above are currently accepted for Azure Service Fabric clusters.

-As mentioned earlier, the Service Fabric runtime is responsible for locating and using the certificates declared in the cluster definition. The article on [certificate-based authentication](cluster-security-certificates.md) explained in detail how Service Fabric implements the presentation and validation rules, respectively, and won't be revisited here. We are going to look at access and permission granting, as well as monitoring.

-Recall that certificates in Service Fabric are used for a multitude of purposes, from mutual authentication in the federation layer to TLS authentication for the management endpoints; this requires various components or system services to have access to the certificate's private key. The Service Fabric runtime regularly scans the certificate store, looking for matches for each of the known presentation rules; for each of the matching certificates, the corresponding private key is located, and its discretionary access control list is updated to include permissions - typically Read and Execute - granted to the respective identity that requires them. (This process is informally referred to as 'ACLing'.) The process runs on a 1-minute cadence, and also covers 'application' certificates, such as those used to encrypt settings or as endpoint certificates. ACLing follows the presentation rules, so it's important to keep in mind that certificates declared by thumbprint and which are autorefreshed without the ensuing cluster configuration update will not be accessible.

-As a side note: IETF [RFC 3647](https://tools.ietf.org/html/rfc3647) formally defines [renewal](https://tools.ietf.org/html/rfc3647#section-4.4.6) as the issuance of a certificate with the same attributes as the certificate being replaced - the issuer, the subject's public key and information is preserved, and [re-keying](https://tools.ietf.org/html/rfc3647#section-4.4.7) as the issuance of a certificate with a new key pair, and no restrictions on whether or not the issuer may change. Given the distinction may be important (consider the case of certificates declared by subject common name with issuer pinning), we'll opt for the neutral term 'rotation' to cover both scenarios. (Do keep in mind that, when informally used, 'renewal' refers, in fact, to re-keying.)

-We've seen earlier that Azure Key Vault supports automatic certificate rotation: the associate certificate policy defines the point in time, whether by days before expiration or percentage of total lifetime, when the certificate is rotated in the vault. The provisioning agent must be invoked after this point in time, and prior to the expiration of the now-previous certificate, to distribute this new certificate to all of the nodes of the cluster. Service Fabric will assist by raising health warnings when the expiration date of a certificate (and which is currently in use in the cluster) occurs sooner than a predetermined interval. An automatic provisioning agent (i.e. the KeyVault VM extension), configured to observe the vault certificate, will periodically poll the vault, detect the rotation, and retrieve and install the new certificate. Provisioning done via VM/VMSS 'secrets' feature will require an authorized operator to update the VM/VMSS with the versioned KeyVault URI corresponding to the new certificate.

-In either case, the rotated certificate is now provisioned to all of the nodes, and we have described the mechanism Service Fabric employs to detect rotations; let us examine what happens next - assuming the rotation applied to the cluster certificate declared by subject common name

- - for new connections within, as well as into the cluster, the Service Fabric runtime will find and select the most recently issued matching certificate (largest value of the 'NotBefore' property). Note this is a change from previous versions of the Service Fabric runtime.

- - existing connections will be kept alive/allowed to naturally expire or otherwise terminate; an internal handler will have been notified that a new match exists

-> Currently (7.2 CU4+), Service Fabric selects the cert with the largest 'NotBefore' property value (most recently issued). Prior to 7.2CU4 Service Fabric picked the valid cert with the largest NotAfter (furthest expiring).

- - The renewal certificate may be ignored if its expiration date is sooner than that of the certificate currently in use.

- - The availability of the cluster, or of the hosted applications, takes precedence over the directive to rotate the certificate; the cluster will converge on the new certificate eventually, but without timing guarantees. It follows that:

- - It may not be immediately obvious to an observer that the rotated certificate completely replaced its predecessor; the only way to ensure that is (for cluster certificates) to reboot the host machines. Note it is not sufficient to restart the Service Fabric nodes, as kernel mode components which form lease connections in a cluster will not be affected. Also note that restarting the VM/VMSS may cause temporary loss of availability. (For application certificates, it is sufficient to restart the respective application instances only.)

- - Introducing a re-keyed certificate that does not meet the validation rules can effectively break the cluster. The most common example of this is the case of an unexpected issuer: the cluster certificates are declared by subject common name with issuer pinning, but the rotated certificate was issued by a new/undeclared issuer.

-At this time, there are no provisions in Azure for explicit removal of certificates. It is often a non-trivial task to determine whether or not a given certificate is being used at a given time. This is more difficult for application certificates than for cluster certificates. Service Fabric itself, not being the provisioning agent, will not delete a certificate declared by the user under any circumstance. For the standard provisioning mechanisms:

- - Certificates declared as VM/VMSS secrets will be provisioned as long as they are referenced in the VM/VMSS definition, and they are retrievable from the vault (deleting a vault secret/certificate will fail subsequent VM/VMSS deployments; similarly, disabling a secret version in the vault will also fail VM/VMSS deployments, which reference that secret version)

- - Previous versions of certificates provisioned via the KeyVault VM extension may or may not be present on a VM/VMSS node. The agent only retrieves and installs the current version, and does not remove any certificates. Reimaging a node (which typically occurs every month) will reset the certificate store to the content of the OS image, and so previous versions will implicitly be removed. Consider, though, that scaling up a virtual machine scale set will result in only the current version of observed certificates being installed; do not assume homogeneity of nodes with regard to installed certificates.

-## Simplifying management - an autorollover example

-We've described mechanisms, restrictions, outlined intricate rules and definitions, and made dire predictions of outages. It is, perhaps, time to show how to set up automatic certificate management to avoid all of these concerns. We're doing so in the context of an Azure Service Fabric cluster running on an PaaSv2 virtual machine scale set, using Azure Key Vault for secrets management and leveraging managed identities, as follows:

- - Validation of certificates is changed from thumbprint-pinning to subject + issuer pinning: any certificate with a given subject from a given issuer is equally trusted

- - Certificates are enrolled into and obtained from a trusted store (Key Vault), and refreshed by an agent - in this case, the KeyVault VM extension

- - Provisioning of certificates is changed from deployment-time and version-based (as done by ComputeRP) to post-deployment and using version-less KeyVault URIs

- - Access to KeyVault is granted via user-assigned managed identities; the UA identity is created and assigned to the virtual machine scale set during deployment

- - After deployment, the agent (the KV VM extension) will poll and refresh observed certificates on each node of the virtual machine scale set; certificate rotation is thus fully automated, as SF will automatically pick up the farthest valid certificate

-The sequence is fully scriptable/automated and allows a user-touch-free initial deployment of a cluster configured for certificate autorollover. Detailed steps are provided below. We'll use a mix of PowerShell cmdlets and fragments of json templates. The same functionality is achievable with all supported means of interacting with Azure.

-> This example assumes a certificate exists already in the vault; enrolling and renewing a KeyVault-managed certificate requires prerequisite manual steps as described earlier in this article. For production environments, use KeyVault-managed certificates - a sample script specific to a Microsoft-internal PKI is included below.

-> Certificate autorollover only makes sense for CA-issued certificates; using self-signed certificates, including those generated when deploying a Service Fabric cluster in the Azure portal, is nonsensical, but still possible for local/developer-hosted deployments, by declaring the issuer thumbprint to be the same as of the leaf certificate.

-For brevity, we will assume the following starting state:

- - The Service Fabric cluster exists, and is secured with a CA-issued certificate declared by thumbprint.

- - The certificate is stored in a vault, and provisioned as a virtual machine scale set secret

- - The same certificate will be used to convert the cluster to common name-based certificate declarations, and so can be validated by subject and issuer; if this is not the case, obtain the CA-issued certificate intended for this purpose, and add it to the cluster definition by thumbprint as explained [here](service-fabric-cluster-security-update-certs-azure.md)

-Here is a json excerpt from a template corresponding to such a state - note this omits many required settings, and only illustrates the certificate-related aspects:

-The above essentially says that certificate with thumbprint ```json [parameters('primaryClusterCertificateTP')] ``` and found at KeyVault URI ```json [parameters('clusterCertificateUrlValue')] ``` is declared as the cluster's sole certificate, by thumbprint. Next we'll set up the additional resources needed to ensure the autorollover of the certificate.

-### Setting up prerequisite resources

-As mentioned before, a certificate provisioned as a virtual machine scale set secret is retrieved from the vault by the Microsoft.Compute Resource Provider service, using its first-party identity and on behalf of the deployment operator. For autorollover, that will change - we'll switch to using a managed identity, assigned to the virtual machine scale set, and which is granted permissions to the vault's secrets.

-All of the subsequent excerpts should be deployed concomitantly - they are listed individually for play-by-play analysis and explanations.

-First define a user assigned identity (default values are included as examples) - refer to the [official documentation](../active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-arm.md#create-a-user-assigned-managed-identity) for up-to-date information:

-Then grant this identity access to the vault secrets - refer to the [official documentation](/rest/api/keyvault/keyvault/vaults/update-access-policy) for current information:

-In the next step, we'll:

- - assign the user-assigned identity to the virtual machine scale set

- - declare the virtual machine scale set' dependency on the creation of the managed identity, and on the result of granting it access to the vault

- - declare the KeyVault VM extension, requiring that it retrieves observed certificates on startup ([official documentation](../virtual-machines/extensions/key-vault-windows.md))

- - update the definition of the Service Fabric VM extension to depend on the KVVM extension, and to convert the cluster cert to common name

-(We're making these changes in a single step since they fall under the scope of the same resource.)

-Note, although not explicitly listed above, that we removed the vault certificate URL from the 'OsProfile' section of the virtual machine scale set.

-The last step is to update the cluster definition to change the certificate declaration from thumbprint to common name - here we are also pinning the issuer thumbprints:

-At this point, you can run the updates mentioned above in a single deployment; for its part, the Service Fabric Resource Provider service will split the cluster upgrade in several steps, as described in the segment on [converting cluster certificates from thumbprint to common name](cluster-security-certificates.md#converting-a-cluster-from-thumbprint--to-common-name-based-certificate-declarations).

-This section is a catch-all for explaining steps detailed above, as well as drawing attention to important aspects.

-#### Certificate provisioning, explained

-The KVVM extension, as a provisioning agent, runs continuously on a predetermined frequency. On failing to retrieve an observed certificate, it would continue to the next in line, and then hibernate until the next cycle. The SFVM extension, as the cluster bootstrapping agent, will require the declared certificates before the cluster can form. This, in turn, means that the SFVM extension can only run after the successful retrieval of the cluster certificate(s), denoted here by the ```json "provisionAfterExtensions" : [ "KVVMExtension" ]"``` clause, and by the KeyVaultVM extension's ```json "requireInitialSync": true``` setting. This indicates to the KVVM extension that on the first run (after deployment or a reboot) it must cycle through its observed certificates until all are downloaded successfully. Setting this parameter to false, coupled with a failure to retrieve the cluster certificate(s) would result in a failure of the cluster deployment. Conversely, requiring an initial sync with an incorrect/invalid list of observed certificates would result in a failure of the KVVM extension, and so, again, a failure to deploy the cluster.

-You may have noticed the KVVM extension's 'linkOnRenewal' flag, and the fact that it is set to false. We're addressing here in depth the behavior controlled by this flag and its implications on the functioning of a cluster. Note this behavior is specific to Windows.

-"linkOnRenewal": <Only Windows. This feature enables auto-rotation of SSL certificates, without necessitating a re-deployment or binding. e.g.: false>,

-Certificates used to establish a TLS connection are typically [acquired as a handle](/windows/win32/api/sspi/nf-sspi-acquirecredentialshandlea) via the S-channel Security Support Provider ΓÇô that is, the client does not directly access the private key of the certificate itself. S-channel supports redirection (linking) of credentials in the form of a certificate extension ([CERT_RENEWAL_PROP_ID](/windows/win32/api/wincrypt/nf-wincrypt-certsetcertificatecontextproperty#cert_renewal_prop_id)): if this property is set, its value represents the thumbprint of the ΓÇÿrenewalΓÇÖ certificate, and so S-channel will instead attempt to load the linked certificate. In fact, it will traverse this linked (and hopefully acyclic) list until it ends up with the ΓÇÿfinalΓÇÖ certificate ΓÇô one without a renewal mark. This feature, when used judiciously, is a great mitigation against loss of availability caused by expired certificates (for instance). In other cases, it can be the cause of outages that are difficult to diagnose and mitigate. S-channel executes the traversal of certificates on their renewal properties unconditionally - irrespective of subject, issuers, or any other specific attributes that participate in the validation of the resulting certificate by the client. It is possible, indeed, that the resulting certificate has no associated private key, or the key has not been ACLed to its prospective consumer.

-If linking is enabled, the KeyVault VM extension, upon retrieving an observed certificate from the vault, will attempt to find matching, existing certificates in order to link them via the renewal extension property. The matching is (exclusively) based on Subject Alternative Name (SAN), and works as exemplified below.

-Assume two existing certificates, as follows:

- A: CN = ΓÇ£Alice's accessoriesΓÇ¥, SAN = {ΓÇ£alice.universalexports.comΓÇ¥}, renewal = ΓÇÿΓÇÖ

-Assume a certificate C is retrieved by the KVVM ext: CN = ΓÇ£Mallory's malwareΓÇ¥, SAN = {ΓÇ£alice.universalexports.comΓÇ¥, ΓÇ£bob.universalexports.comΓÇ¥, ΓÇ£mallory.universalexports.comΓÇ¥}

-AΓÇÖs SAN list is fully included in CΓÇÖs, and so A.renewal = C.thumbprint; BΓÇÖs SAN list has a common intersection with CΓÇÖs, but is not fully included in it, so B.renewal remains empty.

-Any attempt to invoke AcquireCredentialsHandle (S-channel) in this state on certificate A will actually end up sending C to the remote party. In the case of Service Fabric, the [Transport subsystem](service-fabric-architecture.md#transport-subsystem) of a cluster uses S-channel for mutual authentication, and so the behavior described above affects the clusterΓÇÖs fundamental communication directly. Continuing the example above, and assuming A is the cluster certificate, what happens next depends:

- - if CΓÇÖs private key is not ACLd to the account that Fabric is running as, weΓÇÖll see failures to acquire the private key (SEC_E_UNKNOWN_CREDENTIALS or similar)

- - if CΓÇÖs private key is accessible, then weΓÇÖll see authorization failures returned by the other nodes (CertificateNotMatched, unauthorized etc.)

-In either case, transport fails and the cluster may go down; the symptoms vary. To make things worse, the linking depends on the order of renewal ΓÇô which is dictated by the order of the list of observed certificates of the KVVM extension, the renewal schedule in the vault or even transient errors that would alter the order of retrieval.

-To mitigate against such incidents, we recommend:

- - do not mix the SANs of different vault certificates; each vault certificate should serve a distinct purpose, and their subject and SAN should reflect that with specificity

- - include the subject common name in the SAN list (as, literally, `CN=<subject common name>`)

- - if unsure, disable linking on renewal for certificates provisioned with the KVVM extension

-#### Why use a user-assigned managed identity? What are the implications of using it?

-As it emerged from the json snippets above, a specific sequencing of the operations/updates is required to guarantee the success of the conversion, and to maintain the availability of the cluster. Specifically, the virtual machine scale set resource declares and uses its identity to retrieve secrets in a single (from the user's perspective) update. The Service Fabric VM extension (which bootstraps the cluster) depends on the completion of KeyVault VM extension, which depends on the successful retrieval of observed certificates. The KVVM extension uses the virtual machine scale set's identity to access the vault, which means that the access policy on the vault must have been already updated prior to the deployment of the virtual machine scale set.

-To dispose the creation of a managed identity, or to assign it to another resource, the deployment operator must have the required role (ManagedIdentityOperator) in the subscription or the resource group, in addition to the roles required to manage the other resources referenced in the template.

-From a security standpoint, recall that the virtual machine (scale set) is considered a security boundary with regard to its Azure identity. That means that any application hosted on the VM could, in principle, obtain an access token representing the VM - managed identity access tokens are obtained from the unauthenticated IMDS endpoint. If you consider the VM to be a shared, or multi-tenant environment, then perhaps this method of retrieving cluster certificates is not indicated. It is, however, the only provisioning mechanism suitable for certificate autorollover.

-*Q*: How to programmatically enroll into a KeyVault-managed certificate?

-*A*: Find out the name of the issuer from the KeyVault documentation, then replace it in the script below.

-*Q*: What happens when a certificate is issued by an undeclared/unspecified issuer? Where can I obtain the exhaustive list of active issuers of a given PKI?

-*A*: If the certificate declaration specifies issuer thumbprints, and the direct issuer of the certificate is not included in the list of pinned issuers, the certificate will be considered invalid - irrespective of whether or not its root is trusted by the client. Therefore it is critical to ensure the list of issuers is current/up to date. The introduction of a new issuer is a rare event, and should be widely publicized prior to it beginning to issue certificates.

-In general, a PKI will publish and maintain a certification practice statement, in accordance with IETF [RFC 7382](https://tools.ietf.org/html/rfc7382). Among other information, it will include all active issuers. Retrieving this list programmatically may differ from a PKI to another.

-For Microsoft-internal PKIs, please consult the internal documentation on the endpoints/SDKs used to retrieve the authorized issuers; it is the cluster owner's responsibility to probe this list periodically, and ensure their cluster definition includes *all* expected issuers.

-*Q*: Are multiple PKIs supported?

-*A*: Yes; you may not declare multiple CN entries in the cluster manifest with the same value, but can list issuers from multiple PKIs corresponding to the same CN. It is not a recommended practice, and certificate transparency practices may prevent such certificates from being issued. However, as means to migrate from one PKI to another, this is an acceptable mechanism.

-*Q*: What if the current cluster certificate is not CA-issued, or does not have the intended subject?

-*A*: Obtain a certificate with the intended subject, and add it to the cluster's definition as a secondary, by thumbprint. Once the upgrade completed successfully, initiate another cluster configuration upgrade to convert the certificate declaration to common name.

-

- "virtualMachineProfile": {

- "properties": {

- "upgradePolicy": {

- "automaticOSUpgradePolicy": {

- "enableAutomaticOSUpgrade": true

- }

- }

- "virtualMachineProfile": {

- "osProfile": {

- "windowsConfiguration": {

- "enableAutomaticUpdates": false

- }

-description: This article explains how to use service-fabric KeyVaultReference support for application secrets.

-A common challenge when building cloud applications is how to securely distribute secrets to your applications. For example, you might want to deploy a database key to your application without exposing the key during the pipeline or to the operator. Service Fabric KeyVaultReference support makes it easy to deploy secrets to your applications simply by referencing the URL of the secret that is stored in Key Vault. Service Fabric will handle fetching that secret on behalf of your application's Managed Identity, and activating the application with the secret.

-> [!NOTE]

-> KeyVaultReference support for Service Fabric Applications is GA (out-of-preview) starting with Service Fabric version 7.2 CU5. It is recommended that you upgrade to this version before using this feature.

-> [!NOTE]

-> KeyVaultReference support for Service Fabric Applications supports only [versioned](../key-vault/general/about-keys-secrets-certificates.md#objects-identifiers-and-versioning) secrets. Versionless secrets are not supported. The Key Vault needs to be in the same subscription as your service fabric cluster.

- Service Fabric KeyVaultReference support uses an application's Managed Identity to fetch secrets on behalf of the application, so your application must be deployed via

- and assigned a managed identity. Follow this [document](concepts-managed-identity.md) to enable managed identity for your application.

- Central Secrets Store (CSS) is Service Fabric's encrypted local secrets cache. This feature uses CSS to protect and persist secrets after they are fetched from Key Vault. Enabling this optional system service is also required to consume this feature. Follow this [document](service-fabric-application-secret-store.md) to enable and configure CSS.

- Reference this [document](how-to-grant-access-other-resources.md) to see how to grant managed identity access to keyvault. Also note if you are using system assigned managed identity, the managed identity is created only after application deployment. This can create race conditions where the application tries to access the secret before the identity can be given access to the vault. The system assigned identity's name will be `{cluster name}/{application name}/{service name}`.

-

-KeyVaultReferences can be consumed in a number of ways

- > [!NOTE]

-* [Azure KeyVault Documentation](../key-vault/index.yml)

-* [Learn about Central Secret Store](service-fabric-application-secret-store.md)

-* [Learn about Managed identity for Service Fabric Applications](concepts-managed-identity.md)

-2. These events occur in parallel:

- - `StatelessService.createServiceInstanceListeners()` is invoked, and any returned listeners are opened. `CommunicationListener.openAsync()` is called on each listener.

-3. If present, the service's own `onOpenAsync` method is called. Specifically, `StatelessService.onOpenAsync()` is called. This is an uncommon override, but it is available.

-It's important to note that there is no ordering between the call to create and open the listeners and the call to `runAsync`. The listeners might open before `runAsync` is started. Similarly, `runAsync` might be invoked before the communication listeners are open, or before they have even been constructed. If any synchronization is required, it must be done by the implementer. Here are some common solutions:

-* Sometimes listeners can't function until other information is created or other work is done. For stateless services, that work usually can be done in the service's constructor. It can be done during the `createServiceInstanceListeners()` call, or as part of the construction of the listener itself.

-* Sometimes the code in `runAsync` won't start until the listeners are open. In this case, additional coordination is necessary. A common solution is to add a flag in the listeners. The flag indicates when the listeners have finished. The `runAsync` method checks this before continuing the actual work.

-1. These events occur in parallel:

- - Any open listeners are closed. `CommunicationListener.closeAsync()` is called on each listener.

- - The cancellation token that was passed to `runAsync()` is canceled. Checking the cancellation token's `isCancelled` property returns `true`, and if called, the token's `throwIfCancellationRequested` method throws a `CancellationException`.

-2. When `closeAsync()` finishes on each listener and `runAsync()` also finishes, the service's `StatelessService.onCloseAsync()` method is called, if it's present. Again, this is not a common override, but it can be used to safely close resources, stop background processing, finish saving external state, or close down existing connections.

-3. After `StatelessService.onCloseAsync()` finishes, the service object is destructed.

-3. These events occur in parallel:

- - `StatefulServiceBase.createServiceReplicaListeners()` is invoked.

-4. After all the replica listener's `openAsync()` calls finish and `runAsync()` is called, `StatefulServiceBase.onChangeRoleAsync()` is called. This call is not commonly overridden in the service.

-Similar to stateless services, in stateful service, there's no coordination between the order in which the listeners are created and opened and when `runAsync` is called. If you need coordination, the solutions are much the same. But there's one additional case for stateful service. Say that the calls that arrive at the communication listeners require information kept inside some [Reliable Collections](service-fabric-reliable-services-reliable-collections.md). Because the communication listeners might open before the Reliable Collections are readable or writeable, and before `runAsync` starts, some additional coordination is necessary. The simplest and most common solution is for the communication listeners to return an error code. The client uses the error code to know to retry the request.

-1. These events occur in parallel:

- - Any open listeners are closed. `CommunicationListener.closeAsync()` is called on each listener.

- - The cancellation token that was passed to `runAsync()` is canceled. A call to the cancellation token's `isCancelled()` method returns `true`, and if called, the token's `throwIfCancellationRequested()` method throws an `OperationCanceledException`.

-2. After `closeAsync()` finishes on each listener and `runAsync()` also finishes, the service's `StatefulServiceBase.onChangeRoleAsync()` is called. This call is not commonly overridden in the service.

- > [!NOTE]

- > Waiting for `runAsync` to finish is necessary only if this replica is a primary replica.

-3. After the `StatefulServiceBase.onChangeRoleAsync()` method finishes, the `StatefulServiceBase.onCloseAsync()` method is called. This call is an uncommon override, but it is available.

-3. After `StatefulServiceBase.onCloseAsync()` finishes, the service object is destructed.

-1. These events occur in parallel:

- - Any open listeners are closed. `CommunicationListener.closeAsync()` is called on each listener.

- - The cancellation token that was passed to `runAsync()` is canceled. A check of the cancellation token's `isCancelled()` method returns `true`. If called, the token's `throwIfCancellationRequested()` method throws an `OperationCanceledException`.

-2. After `closeAsync()` finishes on each listener and `runAsync()` also finishes, the service's `StatefulServiceBase.onChangeRoleAsync()` is called. This call is not commonly overridden in the service.

-1. These events occur in parallel:

- - `StatefulServiceBase.createServiceReplicaListeners()` is invoked and any returned listeners are opened. `CommunicationListener.openAsync()` is called on each listener.

-2. After all the replica listener's `openAsync()` calls finish and `runAsync()` is called, `StatefulServiceBase.onChangeRoleAsync()` is called. This call is not commonly overridden in the service.

-2. Then, in parallel, two things happen:

- - `StatelessService.CreateServiceInstanceListeners()` is invoked and any returned listeners are opened. `ICommunicationListener.OpenAsync()` is called on each listener.

-3. If present, the service's `StatelessService.OnOpenAsync()` method is called. This call is an uncommon override, but it is available. Extended service initialization tasks can be started at this time.

-Keep in mind that there is no ordering between the calls to create and open the listeners and **RunAsync**. The listeners can open before **RunAsync** is started. Similarly, you can invoke **RunAsync** before the communication listeners are open or even constructed. If any synchronization is required, it is left as an exercise to the implementer. Here are some common solutions:

- - Sometimes listeners can't function until some other information is created or work is done. For stateless services, that work can usually be done in other locations, such as the following:

- - In the service's constructor.

- - During the `CreateServiceInstanceListeners()` call.

- - As a part of the construction of the listener itself.

- - Sometimes the code in **RunAsync** doesn't start until the listeners are open. In this case, additional coordination is necessary. One common solution is that there is a flag within the listeners that indicates when they have finished. This flag is then checked in **RunAsync** before continuing to actual work.

-1. In parallel:

- - Any open listeners are closed. `ICommunicationListener.CloseAsync()` is called on each listener.

- - The cancellation token passed to `RunAsync()` is canceled. A check of the cancellation token's `IsCancellationRequested` property returns true, and if called, the token's `ThrowIfCancellationRequested` method throws an `OperationCanceledException`.

-2. After `CloseAsync()` finishes on each listener and `RunAsync()` also finishes, the service's `StatelessService.OnCloseAsync()` method is called, if present. OnCloseAsync is called when the stateless service instance is going to be gracefully shut down. This can occur when the service's code is being upgraded, the service instance is being moved due to load balancing, or a transient fault is detected. It is uncommon to override `StatelessService.OnCloseAsync()`, but it can be used to safely close resources, stop background processing, finish saving external state, or close down existing connections.

-3. After `StatelessService.OnCloseAsync()` finishes, the service object is destructed.

-3. The following things happen in parallel:

- - `StatefulServiceBase.CreateServiceReplicaListeners()` is invoked.

-4. After all the replica listener's `OpenAsync()` calls finish and `RunAsync()` is called, `StatefulServiceBase.OnChangeRoleAsync()` is called. This call is not commonly overridden in the service.

-Similar to stateless services, there's no coordination between the order in which the listeners are created and opened and when **RunAsync** is called. If you need coordination, the solutions are much the same. There is one additional case for stateful service. Say that the calls that arrive at the communication listeners require information kept inside some [Reliable Collections](service-fabric-reliable-services-reliable-collections.md).

- > Because the communication listeners could open before the reliable collections are readable or writeable, and before **RunAsync** could start, some additional coordination is necessary. The simplest and most common solution is for the communication listeners to return an error code that the client uses to know to retry the request.

-1. In parallel:

- - Any open listeners are closed. `ICommunicationListener.CloseAsync()` is called on each listener.

- - The cancellation token passed to `RunAsync()` is canceled. A check of the cancellation token's `IsCancellationRequested` property returns true, and if called, the token's `ThrowIfCancellationRequested` method throws an `OperationCanceledException`.

-2. After `CloseAsync()` finishes on each listener and `RunAsync()` also finishes, the service's `StatefulServiceBase.OnChangeRoleAsync()` is called. This call is not commonly overridden in the service.

-3. After the `StatefulServiceBase.OnChangeRoleAsync()` method finishes, the `StatefulServiceBase.OnCloseAsync()` method is called. This call is an uncommon override, but it is available.

-3. After `StatefulServiceBase.OnCloseAsync()` finishes, the service object is destructed.

-1. In parallel:

- - Any open listeners are closed. `ICommunicationListener.CloseAsync()` is called on each listener.

- - The cancellation token passed to `RunAsync()` is canceled. A check of the cancellation token's `IsCancellationRequested` property returns true, and if called, the token's `ThrowIfCancellationRequested` method throws an `OperationCanceledException`.

-2. After `CloseAsync()` finishes on each listener and `RunAsync()` also finishes, the service's `StatefulServiceBase.OnChangeRoleAsync()` is called. This call is not commonly overridden in the service.

-1. In parallel:

- - `StatefulServiceBase.CreateServiceReplicaListeners()` is invoked and any returned listeners are opened. `ICommunicationListener.OpenAsync()` is called on each listener.

-2. After all the replica listener's `OpenAsync()` calls finish and `RunAsync()` is called, `StatefulServiceBase.OnChangeRoleAsync()` is called. This call is not commonly overridden in the service.

-* [AzureDeploy.json][template]

-* [AzureDeploy.Parameters.json][parameters]

-* [AzureDeploy.json][template2]

-* [AzureDeploy.Parameters.json][parameters2]

-For Ubuntu 18.04 LTS the difference between the two templates are

-* the **vmImageSku** attribute being set to "18.04-LTS"

-* each node's **typeHandlerVersion** being set to 1.1

-* Microsoft.ServiceFabric/clusters resource's

- - **apiVersion** being set to "2019-03-01" or higher

- - **vmImage** property being set to "Ubuntu18_04"

-This template deploys a secure cluster of seven virtual machines and three node types into a virtual network. Other sample templates can be found on [GitHub](https://github.com/Azure-Samples/service-fabric-cluster-templates). The [AzureDeploy.json][template] deploys a number resources, including the following.

-Azure Spatial Anchors SDK versions 2.10.0 or later provide support for both the Mixed Reality OpenXR plugin ([com.microsoft.mixedreality.openxr](https://dev.azure.com/aipmr/MixedReality-Unity-Packages/_packaging?_a=package&feed=Unity-packages&view=overview&package=com.microsoft.mixedreality.openxr&protocolType=Npm)) and the Windows XR plugin ([com.unity.xr.windowsmr](https://docs.unity3d.com/Manual/com.unity.xr.windowsmr.html)). You need to include either the `com.microsoft.mixedreality.openxr` package or the `com.unity.xr.windowsmr` package in your project depending on your choice.

-> [How To: Create and locate anchors in Unity](./create-locate-anchors-unity.md)

-Before you configure object replication, create the source and destination storage accounts if they do not already exist. The source and destination accounts can be either general-purpose v2 storage accounts or premium block blob accounts (preview). For more information, see [Create an Azure Storage account](../common/storage-account-create.md).

-> [!IMPORTANT]

-> Object replication for premium block blob accounts is currently in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-1. In the **Container pairs** section, select a source container from the source account, and a destination container from the destination account. You can create up to 10 container pairs per replication policy.

-## Configure object replication with access to only the destination account

-If you do not have permissions to the source storage account, then you can configure object replication on the destination account and provide a JSON file that contains the policy definition to another user to create the same policy on the source account. For example, if the source account is in a different Azure AD tenant from the destination account, then you can use this approach to configure object replication.

-Object replication is supported for general-purpose v2 storage accounts, and for premium block blob accounts in preview. Both the source and destination accounts must be either general-purpose v2 or premium block blob accounts. Object replication supports block blobs only; append blobs and page blobs are not supported.

-> [!IMPORTANT]

-> Object replication for premium block blob accounts is currently in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-Replication rules specify how Azure Storage will replicate blobs from a source container to a destination container. You can specify up to 10 replication rules for each replication policy. Each replication rule defines a single source and destination container, and each source and destination container can be used in only one rule, meaning that a maximum of 10 source containers and 10 destination containers may participate in a single replication policy.

-| Premium block blobs |  <sup>2</sup> | |  |  |

-<sup>2</sup> Feature is supported in preview.

-This error code means the source file is not in storage.

-There are reasons why this can happen:

-If the issue is non-transient or you confirmed the problem is not related to high concurrency or query complexity, create a support ticket.

-When reading Parquet files, the query will not recover automatically. It needs to be retried by the client application.

-This error can occur when reading data from Synapse Link for Dataverse, when Synapse Link is syncing data to the lake and the data is being queried at the same time. The product group has a goal to improve this.

-To read or download a blob in the Archive tier, rehydrate it to an online tier: [Archive access tier](/azure/storage/blobs/access-tiers-overview.md#archive-access-tier)

-The error message might also resemble the following:

-This error code can occur when there is a transient issue in the serverless SQL pool.

- ```azcopy

- "Microsoft.Insights/eventtypes/values/read"

- "Microsoft.Compute/virtualMachines/deallocate/action"

- "Microsoft.Compute/virtualMachines/restart/action"

- "Microsoft.Compute/virtualMachines/powerOff/action"

- "Microsoft.Compute/virtualMachines/start/action"

- "Microsoft.Compute/virtualMachines/read"

- "Microsoft.DesktopVirtualization/hostpools/read"

- "Microsoft.DesktopVirtualization/hostpools/write"

- "Microsoft.DesktopVirtualization/hostpools/sessionhosts/read"

- "Microsoft.DesktopVirtualization/hostpools/sessionhosts/write"

- "Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/delete"

- "Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/read"

- "Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/sendMessage/action"

-# Microsoft Endpoint Manager and Intune for Azure Virtual Desktop

-We recommend using [Microsoft Endpoint Manager](https://www.microsoft.com/endpointmanager) to manage your Azure Virtual Desktop environment after deployment. Microsoft Endpoint Manager is a unified management platform that includes Microsoft Endpoint Configuration Manager and Microsoft Intune.

-> [!NOTE]

-> Managing Azure Virtual Desktop session hosts using Microsoft Endpoint Manager is currently only supported in the Azure Public cloud.

-Microsoft Endpoint Configuration Manager versions 1906 and later can manage your Azure Virtual Desktop devices. For more information, see [Supported OS versions for clients and devices for Configuration Manager](/mem/configmgr/core/plan-design/configs/supported-operating-systems-for-clients-and-devices#windows-virtual-desktop).

-Intune supports Windows 10 Enterprise virtual machines (VMs) for Azure Virtual Desktop. For more information about support, see [Using Windows 10 Enterprise with Intune](/mem/intune/fundamentals/windows-virtual-desktop).

-Intune support for Windows 10 Enterprise multi-session VMs on Azure Virtual Desktop is currently in public preview. To see what the public preview version currently supports, check out [Using Windows 10 Enterprise multi-session with Intune](/mem/intune/fundamentals/windows-virtual-desktop-multi-session).

- :::image type="content" source="media/linux-vm-connect/create-rule.png" alt-text="Screenshot showing where to choose S S H.":::

-| STREAM Triad | 330-350 GB/s (~82-86 GB/s per NUMA) |

-An [HBv3-series](../../hbv3-series.md) server features 2 * 64-core EPYC 7V13 CPUs for a total of 128 physical "Zen3" cores. Simultaneous Multithreading (SMT) is disabled on HBv3. These 128 cores are divided into 16 sections (8 per socket), each section containing 8 processor cores with uniform access to a 32 MB L3 cache. Azure HBv3 servers also run the following AMD BIOS settings:

-Standard_HB120rs_v3 | 4 | 30 | Dual-socket EPYC 7713 |

-Standard_HB120r-64s_v3 | 4 | 16 | Dual-socket EPYC 7543 |

-Standard_HB120r-32s_v3 | 4 | 8 | Dual-socket EPYC 7313 |

-| CPU | AMD EPYC 7V13 |

-| CPU Frequency (non-AVX) | 3.1 GHz (all cores), 3.675 GHz (up to 10 cores) |

-* A Route Origin Authorization (ROA) document that authorizes Microsoft to advertise the address range must be filled out by the customer on the appropriate Routing Internet Registry website. ARIN, RIPE, and APNIC.

- * After the ROA is complete and submitted, allow at least 24 hours for it to become available to Microsoft.

-* A Route Origin Authorization (ROA) document that authorizes Microsoft to advertise the address range must be filled out by the customer on the appropriate Routing Internet Registry website. ARIN, RIPE, and APNIC.

- * After the ROA is complete and submitted, allow at least 24 hours for it to become available to Microsoft.

-* A Route Origin Authorization (ROA) document that authorizes Microsoft to advertise the address range must be filled out by the customer on the appropriate Routing Internet Registry website. ARIN, RIPE, and APNIC.

- * After the ROA is complete and submitted, allow at least 24 hours for it to become available to Microsoft.

-You can post your questions about your migration issues to theΓÇ»[Microsoft Q&A](/answers/topics/azure-virtual-network.html) page. It's recommended that you post all your questions on this forum. If you have a support contract, you can also file a support request.

-description: Learn how to to connect classic VNets to Resource Manager VNets using PowerShell.

-This article helps you connect classic VNets to Resource Manager VNets to allow the resources located in the separate deployment models to communicate with each other. The steps in this article use PowerShell, but you can also create this configuration using the Azure portal by selecting the article from this list.

-> [!div class="op_single_selector"]

-> * [Portal](vpn-gateway-connect-different-deployment-models-portal.md)

-> * [PowerShell](vpn-gateway-connect-different-deployment-models-powershell.md)

->

->

-Connecting a classic VNet to a Resource Manager VNet is similar to connecting a VNet to an on-premises site location. Both connectivity types use a VPN gateway to provide a secure tunnel using IPsec/IKE. You can create a connection between VNets that are in different subscriptions and in different regions. You can also connect VNets that already have connections to on-premises networks, as long as the gateway that they have been configured with is dynamic or route-based. For more information about VNet-to-VNet connections, see the [VNet-to-VNet FAQ](#faq) at the end of this article.

-If you do not already have a virtual network gateway and do not want to create one, you may want to instead consider connecting your VNets using VNet Peering. VNet peering does not use a VPN gateway. For more information, see [VNet peering](../virtual-network/virtual-network-peering-overview.md).

-## <a name="before"></a>Before you begin

-The following steps walk you through the settings necessary to configure a dynamic or route-based gateway for each VNet and create a VPN connection between the gateways. This configuration does not support static or policy-based gateways.

-### <a name="pre"></a>Prerequisites

-* Both VNets have already been created. If you need to create a resource manager virtual network, see [Create a resource group and a virtual network](../virtual-network/quick-create-powershell.md#create-a-resource-group-and-a-virtual-network). To create a classic virtual network, see [Create a classic VNet](/previous-versions/azure/virtual-network/create-virtual-network-classic).

-* The address ranges for the VNets do not overlap with each other, or overlap with any of the ranges for other connections that the gateways may be connected to.

-* You have installed the latest PowerShell cmdlets. See [How to install and configure Azure PowerShell](/powershell/azure/) for more information. Make sure you install both the Service Management (SM) and the Resource Manager (RM) cmdlets.

-You can use these values to create a test environment, or refer to them to better understand the examples in this article.

-**Classic VNet settings**

-Virtual Network Address Spaces = 10.0.0.0/24 <br>

-Subnet-1 = 10.0.0.0/27 <br>

-GatewaySubnet = 10.0.0.32/29 <br>

-Local Network Name = RMVNetLocal <br>

-GatewayType = DynamicRouting

-**Resource Manager VNet settings**

-Resource Group = RG1 <br>

-Subnet-1 = 192.168.1.0/24 <br>

-GatewaySubnet = 192.168.0.0/26 <br>

-Gateway public IP name = gwpip <br>

-Local Network Gateway = ClassicVNetLocal <br>

-## <a name="createsmgw"></a>Section 1 - Configure the classic VNet

-1. Log in to your Azure account in the PowerShell console with elevated rights. The following cmdlet prompts you for the login credentials for your Azure Account. After logging in, it downloads your account settings so that they are available to Azure PowerShell. The classic Service Management (SM) Azure PowerShell cmdlets are used in this section.

-2. Export your Azure network configuration file by running the following command. You can change the location of the file to export to a different location if necessary.

-3. Open the .xml file that you downloaded to edit it. For an example of the network configuration file, see the [Network Configuration Schema](/previous-versions/azure/reference/jj157100(v=azure.100)).

-In the **VirtualNetworkSites** element, add a gateway subnet to your VNet if one has not already been created. When working with the network configuration file, the gateway subnet MUST be named "GatewaySubnet" or Azure cannot recognize and use it as a gateway subnet.

- <AddressPrefix>10.0.0.0/24</AddressPrefix>

- <Subnet name="Subnet-1">

- <AddressPrefix>10.0.0.0/27</AddressPrefix>

- <AddressPrefix>10.0.0.32/29</AddressPrefix>

-The local network site you add represents the RM VNet to which you want to connect. Add a **LocalNetworkSites** element to the file if one doesn't already exist. At this point in the configuration, the VPNGatewayAddress can be any valid public IP address because we haven't yet created the gateway for the Resource Manager VNet. Once we create the gateway, we replace this placeholder IP address with the correct public IP address that has been assigned to the RM gateway.

- <LocalNetworkSite name="RMVNetLocal">

- <VPNGatewayAddress>13.68.210.16</VPNGatewayAddress>

-In this section, we specify the local network site that you want to connect the VNet to. In this case, it is the Resource Manager VNet that you referenced earlier. Make sure the names match. This step does not create a gateway. It specifies the local network that the gateway will connect to.

- <LocalNetworkSiteRef name="RMVNetLocal">

-You will see a similar result showing that the import succeeded.

-Before running this example, refer to the network configuration file that you downloaded for the exact names that Azure expects to see. The network configuration file contains the values for your classic virtual networks. Sometimes the names for classic VNets are changed in the network configuration file when creating classic VNet settings in the Azure portal due to the differences in the deployment models. For example, if you used the Azure portal to create a classic VNet named 'Classic VNet' and created it in a resource group named 'ClassicRG', the name that is contained in the network configuration file is converted to 'Group ClassicRG Classic VNet'. When specifying the name of a VNet that contains spaces, use quotation marks around the value.

-## <a name="creatermgw"></a>Section 2 - Configure the RM VNet gateway

-The prerequisites assume that you already have created an RM VNet. In this step, you create a VPN gateway for the RM VNet. Don't start these steps until after you have retrieved the public IP address for the classic VNet's gateway.

-1. Sign in to your Azure account in the PowerShell console. The following cmdlet prompts you for the login credentials for your Azure Account. After signing in, your account settings are downloaded so that they are available to Azure PowerShell. You can optionally use the "Try It" feature to launch Azure Cloud Shell in the browser.

- ```

- To verify that you are using the right subscription, run the following cmdlet:

-

-2. Create a local network gateway. In a virtual network, the local network gateway typically refers to your on-premises location. In this case, the local network gateway refers to your Classic VNet. Give it a name by which Azure can refer to it, and also specify the address space prefix. Azure uses the IP address prefix you specify to identify which traffic to send to your on-premises location. If you need to adjust the information here later, before creating your gateway, you can modify the values and run the sample again.

-

- New-AzLocalNetworkGateway -Name ClassicVNetLocal `

- -Location "West US" -AddressPrefix "10.0.0.0/24" `

- -GatewayIpAddress "n.n.n.n" -ResourceGroupName RG1

-3. Request a public IP address to be allocated to the virtual network gateway for the Resource Manager VNet. You can't specify the IP address that you want to use. The IP address is dynamically allocated to the virtual network gateway. However, this does not mean the IP address changes. The only time the virtual network gateway IP address changes is when the gateway is deleted and recreated. It doesn't change across resizing, resetting, or other internal maintenance/upgrades of the gateway.

- $ipaddress = New-AzPublicIpAddress -Name gwpip `

- -ResourceGroupName RG1 -Location 'EastUS' `

-4. Verify that your virtual network has a gateway subnet. If no gateway subnet exists, add one. Make sure the gateway subnet is named *GatewaySubnet*.

-5. Retrieve the subnet used for the gateway by running the following command. In this step, we also set a variable to be used in the next step.

-

- -VirtualNetwork (Get-AzVirtualNetwork -Name RMVNet -ResourceGroupName RG1)

- ```

-6. Create the gateway IP addressing configuration. The gateway configuration defines the subnet and the public IP address to use. Use the following sample to create your gateway configuration.

- In this step, the **-SubnetId** and **-PublicIpAddressId** parameters must be passed the id property from the subnet, and IP address objects, respectively. You can't use a simple string. These variables are set in the step to request a public IP and the step to retrieve the subnet.

-7. Create the Resource Manager virtual network gateway by running the following command. The `-VpnType` must be *RouteBased*. It can take 45 minutes or more for the gateway to create.

- New-AzVirtualNetworkGateway -Name RMGateway -ResourceGroupName RG1 `

-8. Copy the public IP address once the VPN gateway has been created. You use it when you configure the local network settings for your Classic VNet. You can use the following cmdlet to retrieve the public IP address. The public IP address is listed in the return as *IpAddress*.

- Get-AzPublicIpAddress -Name gwpip -ResourceGroupName RG1

-## <a name="localsite"></a>Section 3 - Modify the classic VNet local site settings

-In this section, you work with the classic VNet. You replace the placeholder IP address that you used when specifying the local site settings that will be used to connect to the Resource Manager VNet gateway. Because you are working with the classic VNet, use PowerShell installed locally to your computer, not the Azure Cloud Shell TryIt.

-2. Using a text editor, modify the value for VPNGatewayAddress. Replace the placeholder IP address with the public IP address of the Resource Manager gateway and then save the changes.

- ```

-3. Import the modified network configuration file to Azure.

-## <a name="connect"></a>Section 4 - Create a connection between the gateways

-1. In the PowerShell console, set your shared key. Before running the cmdlets, refer to the network configuration file that you downloaded for the exact names that Azure expects to see. When specifying the name of a VNet that contains spaces, use single quotation marks around the value.<br><br>In following example, **-VNetName** is the name of the classic VNet and **-LocalNetworkSiteName** is the name you specified for the local network site. The **-SharedKey** is a value that you generate and specify. In the example, we used 'abc123', but you can generate and use something more complex. The important thing is that the value you specify here must be the same value that you specify in the next step when you create your connection. The return should show **Status: Successful**.

- -LocalNetworkSiteName RMVNetLocal -SharedKey abc123

-2. Create the VPN connection by running the following commands:

-

- $vnet01gateway = Get-AzLocalNetworkGateway -Name ClassicVNetLocal -ResourceGroupName RG1

- $vnet02gateway = Get-AzVirtualNetworkGateway -Name RMGateway -ResourceGroupName RG1

-

- New-AzVirtualNetworkGatewayConnection -Name RM-Classic -ResourceGroupName RG1 `

-## <a name="verify"></a>Section 5 - Verify your connections

-### To verify the connection from your classic VNet to your Resource Manager VNet

-#### PowerShell

-#### Azure portal

-### To verify the connection from your Resource Manager VNet to your classic VNet

-#### PowerShell

-#### Azure portal

-## <a name="faq"></a>VNet-to-VNet FAQ