+> Running against another domain by supplying the credential will connect over NTLM, and then it fails. If the users are in the Protected Users security group in Active Directory, complete these steps to resolve the issue: Sign in as another domain user in **ADConnect** and donΓÇÖt supply "-domainCredential". The Kerberos ticket of the user that's currently signed in is used. You can confirm by executing `whoami /groups` to validate whether the user has the required permissions in Active Directory to execute the preceding command.

+>

+> Users who connect to the NPS server using username and password will be required to complete a multi-factor authentication prompt.

+* All machines where the Azure AD Password Protection DC agent will be installed must have .NET 4.7.2 installed.

+| Include/exclude mode with positive operators (Equals, StartsWith, EndsWith, Contains, In) and use of attributes including extensionAttributes1-15 | Registered device not managed by Intune | Yes, if criteria are met. When extensionAttributes1-15 are used, the policy will apply if device is compliant or Hybrid Azure AD joined |

+| Include/exclude mode with negative operators (NotEquals, NotStartsWith, NotEndsWith, NotContains, NotIn) and use of any attributes including extensionAttributes1-15 | Registered device not managed by Intune | Yes, if criteria are met. When extensionAttributes1-15 are used, the policy will apply if device is compliant or Hybrid Azure AD joined |

+- Linux

+> **This preview feature has been deprecated.** Customers should use **Filter for devices** condition in Conditional Access to satisfy scenarios, previously achieved using device state (preview) condition.

+| `groups`| Optional formatting for group claims |JWT, SAML| |For details see [Group claims](#configuring-groups-optional-claims) below. For more information about group claims, see [How to configure group claims](../hybrid/how-to-connect-fed-group-claims.md). Used with the GroupMembershipClaims setting in the [application manifest](reference-app-manifest.md), which must be set as well.

+> Azure AD limits the number of groups emitted in a token to 150 for SAML assertions and 200 for JWT, including nested groups. For more details on group limits and important caveats for group claims from on-premises attributes, see [Configure group claims for applications with Azure AD](../hybrid/how-to-connect-fed-group-claims.md).

+1. Select the group types to return (**Security groups**, or **Directory roles**, **All groups**, and/or **Groups assigned to the application**):

+ - The **Groups assigned to the application** option includes only groups assigned to the application. The **Groups assigned to the application** option is recommended for large organizations due to the group number limit in token. To change the groups assigned to the application, select the application from the **Enterprise applications** list. Select **Users and groups** and then **Add user/group**. Select the group(s) you want to add to the application from **Users and groups**.

+ - The **All Groups** option includes **SecurityGroup**, **DirectoryRole**, and **DistributionList**, but not **Groups assigned to the application**.

+The implicit grant has been replaced by the [authorization code flow with PKCE](scenario-spa-overview.md) as the preferred and more secure token grant flow for client-side single page-applications (SPAs). If you're building a SPA, use the authorization code flow with PKCE instead.

+- [Troubleshoot pending device state](/troubleshoot/azure/active-directory/pending-devices)

+3. If the **Registered** column says **Pending**, then hybrid Azure AD join hasn't completed. In federated environments, this state happens only if it failed to register and Azure AD Connect is configured to sync the devices. Wait for Azure AD Connect to complete a sync cycle.

+- [Troubleshoot pending device state](/troubleshoot/azure/active-directory/pending-devices)

+## Why a device might be in a pending state

+When you configure a **Hybrid Azure AD join** task in the Azure AD Connect Sync for your on-premises devices, the task will sync the device objects to Azure AD, and temporarily set the registered state of the devices to "pending" before the device completes the device registration. This is because the device must be added to the Azure AD directory before it can be registered. For more information about the device registration process, see [How it works: Device registration](device-registration-how-it-works.md#hybrid-azure-ad-joined-in-managed-environments).

+ GET https://graph.microsoft.com/v1.0/domains/foo.contoso.com/

+POST https://graph.microsoft.com/v1.0/domains/foo.contoso.com/promote

+#### Promote command error conditions

+Scenario | Method | Code | Message

+-- | | - | -

+Invoking API with a subdomain whose parent domain is unverified | POST | 400 | Unverified domains cannot be promoted. Please verify the domain before promotion.

+Invoking API with a federated verified subdomain with user references | POST | 400 | Promoting a subdomain with user references is not allowed. Please migrate the users to the current root domain before promotion of the subdomain.

+ GET https://graph.microsoft.com/v1.0/domains/foo.contoso.com/

+> - Currently, you can add only one domain to your external federation. We're actively working on allowing additional domains.

+No, we block SAML/WS-Fed IdP federation for Azure AD verified domains in favor of native Azure AD managed domain capabilities. If you try to set up SAML/WS-Fed IdP federation with a domain that is DNS-verified in Azure AD, you'll see an error.

+|Issuer |The issuer URI of the partner's IdP, for example `http://www.example.com/exk10l6w90DHM0yi...` |

+|Issuer |The issuer URI of the partner's IdP, for example `http://www.example.com/exk10l6w90DHM0yi...` |

+Next, you'll configure federation with the IdP configured in step 1 in Azure AD. You can use either the Azure AD portal or the [Microsoft Graph API](/graph/api/resources/samlorwsfedexternaldomainfederation?view=graph-rest-beta). It might take 5-10 minutes before the federation policy takes effect. During this time, don't attempt to redeem an invitation for the federation domain. The following attributes are required:

+- Issuer URI of the partner's IdP

+1. Go to the [Azure portal](https://portal.azure.com/). In the left pane, select **Azure Active Directory**.

+ 

+4. On the **New SAML/WS-Fed IdP** page, enter the following:

+ - **Display name** - Enter a name to help you identify the partner's IdP.

+ - **Identity provider protocol** - Select **SAML** or **WS-Fed**.

+ - **Domain name of federating IdP** - Enter your partnerΓÇÖs IdP target domain name for federation. Currently, one domain name is supported, but we're working on allowing more.

+ 

+5. Select a method for populating metadata. You can **Input metadata manually**, or if you have a file that contains the metadata, you can automatically populate the fields by selecting **Parse metadata file** and browsing for the file.

+ - **Issuer URI** - The issuer URI of the partner's IdP.

+ - **Passive authentication endpoint** - The partner IdP's passive requestor endpoint.

+ - **Certificate** - The signing certificate ID.

+ - **Metadata URL** - The location of the IdP's metadata for automatic renewal of the signing certificate.

+ 

+ > [!NOTE]

+ > Metadata URL is optional, however we strongly recommend it. If you provide the metadata URL, Azure AD can automatically renew the signing certificate when it expires. If the certificate is rotated for any reason before the expiration time or if you do not provide a metadata URL, Azure AD will be unable to renew it. In this case, you'll need to update the signing certificate manually.

+6. Select **Save**.

+### To configure federation using the Microsoft Graph API

+You can use the Microsoft Graph API [samlOrWsFedExternalDomainFederation](/graph/api/resources/samlorwsfedexternaldomainfederation?view=graph-rest-beta) resource type to set up federation with an identity provider that supports either the SAML or WS-Fed protocol.

+## How do I update the certificate or configuration details?

+On the **All identity providers** page, you can view the list of SAML/WS-Fed identity providers you've configured and their certificate expiration dates. From this list, you can renew certificates and modify other configuration details.

+

+1. Go to the [Azure portal](https://portal.azure.com/). In the left pane, select **Azure Active Directory**.

+1. Select **External Identities**.

+1. Select **All identity providers**.

+1. Under **SAML/WS-Fed identity providers**, scroll to an identity provider in the list or use the search box.

+1. To update the certificate or modify configuration details:

+ - In the **Configuration** column for the identity provider, select the **Edit** link.

+ - On the configuration page, modify any of the following details:

+ - **Display name** - Display name for the partner's organization.

+ - **Identity provider protocol** - Select **SAML** or **WS-Fed**.

+ - **Passive authentication endpoint** - The partner IdP's passive requestor endpoint.

+ - **Certificate** - The ID of the signing certificate. To renew it, enter a new certificate ID.

+ - **Metadata URL** - The URL containing the partner's metadata, used for automatic renewal of the signing certificate.

+ - Select **Save**.

+ 

+1. To view the domain for the IdP, select the link in the **Domains** column to view the partner's target domain name for federation.

+ > [!NOTE]

+ > If you need to update the partner's domain, you'll need to [delete the configuration](#how-do-i-remove-federation) and reconfigure federation with the identity provider using the new domain.

+ 

+## How do I remove federation?

+You can remove your federation configuration. If you do, federation guest users who have already redeemed their invitations won't be able to sign in. But you can give them access to your resources again by [resetting their redemption status](reset-redemption-status.md).

+To remove a configuration for an IdP in the Azure AD portal:

+1. Go to the [Azure portal](https://portal.azure.com/). In the left pane, select **Azure Active Directory**.

+1. Select **External Identities**.

+1. Select **All identity providers**.

+1. Under **SAML/WS-Fed identity providers**, scroll to the identity provider in the list or use the search box.

+1. Select the link in the **Domains** column to view the IdP's domain details.

+1. Select **Delete Configuration**.

+ 

+1. Select **OK** to confirm deletion.

+You can also remove federation using the Microsoft Graph API [samlOrWsFedExternalDomainFederation](/graph/api/resources/samlorwsfedexternaldomainfederation?view=graph-rest-beta) resource type.

+> [!IMPORTANT]

+> The number of groups emitted in a token is limited to 150 for SAML assertions and 200 for JWT, including nested groups. In larger organizations, the number of groups where a user is a member might exceed the limit that Azure AD will add to a token. Exceeding a limit can lead to unpredictable results. For workarounds to these limits, read more in [Important caveats for this functionality](#important-caveats-for-this-functionality).

+- In order to avoid the number of groups limit if your users have large numbers of group memberships, you can restrict the groups emitted in claims to the relevant groups for the application. Read more about emitting groups assigned to the application for [JWT tokens](..\develop\active-directory-optional-claims.md#configuring-groups-optional-claims) and [SAML tokens](#add-group-claims-to-tokens-for-saml-applications-using-sso-configuration). If assigning groups to your applications is not possible, you can also configure a [group filter](#group-filtering) to reduce the number of groups emitted in the claim. Group filtering applies to tokens emitted for apps where group claims and filtering was configured in the **Enterprise apps** blade in the portal.

+ | **Groups assigned to the application** | Emits only the groups that are explicitly assigned to the application and that the user is a member of. Recommended for large organizations due to the group number limit in token. |

+Group filtering allows for fine control of the list of groups that's included as part of the group claim. When a filter is configured, only groups that match the filter will be included in the group's claim that's sent to that application. The filter will be applied against all groups regardless of the group hierarchy.

+> [!NOTE]

+> Group filtering applies to tokens emitted for apps where group claims and filtering was configured in the **Enterprise apps** blade in the portal.

+- A user account with Global Administrator, Application Administrator, or Cloud Application Administrator

+ |active|Boolean||

+ |phonenumbers[type eq "work"].value|String||

+* If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).

+## Change Log

+04/06/2022 - Added support for **phoneNumbers[type eq "work"].value**. Removed support for **emails[type eq "work"].value** and **manager** . **name.givenName** and **name.familyName** made required attributes.

+Group-managed service account (gMSA) support is currently available in preview. See [Enable Group Managed Service Accounts (GMSA) for your Windows Server nodes on your Azure Kubernetes Service (AKS) cluster (Preview)](use-group-managed-service-accounts.md)

+Azure API Management (APIM) helps organizations publish APIs to external, partner, and internal developers to unlock the potential of their data and services. API Management provides the core competencies to ensure a successful API program through developer engagement, business insights, analytics, security, and protection. APIM lets you create and manage modern API gateways for existing backend services hosted anywhere. For more information about APIM, see the [Overview](api-management-key-concepts.md).

+Azure API Management instances, like all Azure resources, must be deployed into a resource group. Resource groups let you organize and manage related Azure resources.

+Now that you have a resource group, you can create an API Management service instance. Create one by using the [az apim create](/cli/azure/apim#az-apim-create) command and provide a service name and publisher details. The service name must be unique within Azure.

+In the following example, *myapim* is used for the service name. Update the name to a unique value. Also update the name of the API publisher's organization and the email address to receive notifications.

+You can use the [az group delete](/cli/azure/group#az-group-delete) command to remove the resource group and the API Management service instance when they aren't needed.

+Azure API Management (APIM) helps organizations publish APIs to external, partner, and internal developers to unlock the potential of their data and services. API Management provides the core competencies to ensure a successful API program through developer engagement, business insights, analytics, security, and protection. APIM lets you create and manage modern API gateways for existing backend services hosted anywhere. For more information, see the [Overview](api-management-key-concepts.md).

+In the following example, *myapim* is used for the service name. Update the name to a unique value. Also, update the organization name of the API publisher and the admin email address to receive notifications.

+> This is a long-running action. It can take between 30 and 40 minutes to create and activate an API Management service in this tier.

+When the command returns, run [Get-AzApiManagement](/powershell/module/az.apimanagement/get-azapimanagement) to view the properties of the Azure API Management service. After activation, the setting up status is Succeeded and the service instance has several associated URLs. For example:

+az webapp list-runtimes --os windows | grep NODE

+Azure Automation orchestrates repetitive processes using graphical, PowerShell, and Python runbooks in the cloud or hybrid environments. It provides a persistent shared assets including variables, connections, objects that allow orchestration of complex jobs. [Learn more](/azure/automation/automation-runbook-gallery).

+There are more than 3,000 modules in the PowerShell Gallery, and the PowerShell community continues to grow. Azure Automation based on PowerShell modules can work with multiple applications and vendors, both 1st party and 3rd party. As more application vendors release PowerShell modules for integration, extensibility and automation tasks, you could use an existing PowerShell script as-is to execute it as a PowerShell runbook in an automation account without making any changes.

+ | Allows to write an [Automation PowerShell runbook](/azure/automation/learn/powershell-runbook-managed-identity) that deploys an Azure resource by using an [Azure Resource Manager template](/azure/azure-resource-manager/templates/quickstart-create-templates-use-the-portal).</br> </br> Schedule tasks, for example ΓÇô Stop dev/test VMs or services at night and turn on during the day. </br> </br> Response to alerts such as system alerts, service alerts, high CPU/memory alerts, create ServiceNow tickets, and so on. </br> </br> Hybrid automation where you can manage to automate on-premises servers such as SQL Server, Active Directory and so on. </br> </br> Azure resource life-cycle management and governance include resource provisioning, de-provisioning, adding correct tags, locks, NSGs and so on. | IT administrators, System administrators, IT operations administrators who are skilled at using PowerShell or Python based scripting. </br> </br> Infrastructure administrators manage the on-premises infrastructure using scripts or executing long-running jobs such as month-end operations on servers running on-premises.

+ | Respond to system alerts, service alerts, or high CPU/memory alerts from 1st party or 3rd party monitoring tools like Splunk or ServiceNow, create ServiceNow tickets basis alerts and so on. </br> </br> Hybrid automation scenarios where you can manage automate on-premises servers such as SQL Server, Active Directory and so on based on an external event.</br> </br> Azure resource life-cycle management and governance that includes Resource provisioning, deprovisioning, adding correct tags, locks, NSGs and so on based on Azure monitor alerts. | IT administrators, System administrators, IT operations administrators who are skilled at using PowerShell or Python based scripting.

+Provides a serverless event-driven compute platform for automation that allows you to write code to react to critical events from various sources, third-party services, and on-premises systems. For example, an HTTP trigger without worrying about the underlying platform. [Learn more](/azure/azure-functions/functions-overview).

+ - You can use a variety of languages to write functions in a language of your choice such as C#, Java, JavaScript, PowerShell, or Python and focus on specific pieces of code. Functions runtime is an open source.

+ - You can choose the hosting plan according to your function app scaling requirements, functionality, and resources required.

+ - You can orchestrate complex workflows through [durable functions](/azure-functions/durable/durable-functions-overview?tabs=csharp).

+ - You should avoid large, and long-running functions that can cause unexpected timeout issues. [Learn more](/azure/azure-functions/functions-best-practices?tabs=csharp#write-robust-functions).

+ - When you write Powershell scripts within the Function Apps, you must tweak the scripts to define how the function behaves such as - how it's triggered, its input and output parameters. [Learn more](/azure/azure-functions/functions-reference-powershell?tabs=portal).

+ | Respond to events on resources: such as add tags to resource group basis cost center, when VM is deleted etc. </br> </br> Set scheduled tasks such as setting a pattern to stop and start a VM at a specific time, reading blob storage content at regular intervals etc. </br> </br> Process Azure alerts to send the teamΓÇÖs event when the CPU activity spikes to 90%. </br> </br> Orchestrate with external systems such as Microsoft 365. </br> </br> Respond to database changes. | The Application developers who are skilled in coding languages such as C#, F#, PHP, Java, JavaScript, PowerShell, or Python. </br> </br> Cloud Architects who build serverless Micro-services based applications where a single or mutiple Azure Functions could be part of larger application workflow.

+Provides a serverless event-driven compute platform for automation that allows you to write code to react to critical events from various sources, third-party services, and on-premises systems. For example, an HTTP trigger without worrying about the underlying platform [Learn more](/azure/azure-functions/functions-overview).

+ - You can use a variety of languages to write functions in a language of your choice such as C#, Java, JavaScript, PowerShell, or Python and focus on specific pieces of code. Functions runtime is an open source.

+ - You can choose the hosting plan according to your function app scaling requirements, functionality, and resources required.

+ - You should avoid large, and long-running functions that can cause unexpected timeout issues. [Learn more](/azure/azure-functions/functions-best-practices?tabs=csharp#write-robust-functions).

+ - When you write Powershell scripts within the Function Apps, you must tweak the scripts to define how the function behaves such as - how it's triggered, its input and output parameters. [Learn more](/azure/azure-functions/functions-reference-powershell?tabs=portal).

+ | Respond to events on resources : such as add tags to resource group basis cost center, when VM is deleted etc. </br> </br> Set scheduled tasks such as setting a pattern to stop and start a VM at a specific time, reading blob storage content at regular intervals etc. </br> </br> Process Azure alerts where you can send teamΓÇÖs event when the CPU activity spikes to 90%. </br> </br> Orchestrate with external systems such as Microsoft 365. </br> </br>Executes Azure Function as part of Logic apps workflow through Azure Function Connector. | Application Developers who are skilled in coding languages such as C#, F#, PHP, Java, JavaScript, PowerShell, or Python. </br> </br> Cloud Architects who build serverless Micro-services based applications where a single or mutiple Azure Functions could be part of larger application workflow.

+

+# Azure Arc-enabled SQL Managed Instance with Active Directory authentication

+This article describes how to enable Azure Arc-enabled SQL Managed Instance with Active Directory (AD) Authentication. The article demonstrates two possible integration modes:

+- Bring your own keytab mode

+- Automatic mode

+In Active Directory, the integration mode describes the management the keytab file.

+Azure Arc-enabled data services support Active Directory (AD) for Identity and Access Management (IAM). The Arc-enabled SQL Managed Instance uses an existing on-premises Active Directory (AD) domain for authentication. Users need to do the following steps to enable Active Directory authentication for Arc-enabled SQL Managed Instance:

+- [Deploy data controller](create-data-controller-indirect-cli.md)

+- [Deploy a bring your own keytab AD connector](deploy-byok-active-directory-connector.md) or [Deploy an automatic AD connector](deploy-automatic-active-directory-connector.md)

+- [Deploy managed instances](deploy-active-directory-sql-managed-instance.md)

+The following diagram shows how to enable Active Directory authentication for Azure Arc-enabled SQL Managed Instance:

+

+## What is an Active Directory (AD) connector?

+In order to enable Active Directory authentication for SQL Managed Instance, the managed instance must be deployed in an environment that allows it to communicate with the Active Directory domain.

+To facilitate this, Azure Arc-enabled data services introduces a new Kubernetes-native [Custom Resource Definition (CRD)](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) called `Active Directory Connector`, it provides Azure Arc-enabled managed instances running on the same data controller the ability to perform Active Directory authentication.

+## Compare AD integration modes

+What is the difference between the two AD integration modes?

+To enable Active Directory Authentication for Arc-enabled SQL Managed Instances, you need an Active Directory (AD) connector where you determine the mode of the AD deployment. The two modes are:

+- Bring your own keytab

+- Automatic

+The following sections describe the compare these modes.

+### Bring your own keytab mode

+In this mode, you provide:

+

+- An Active Directory account

+- Service Principal Names (SPNs) under that AD account

+- Your own [keytab file](/sql/linux/sql-server-linux-ad-auth-understanding#what-is-a-keytab-file)

+When you deploy the bring your own keytab AD connector, you need to create the AD account, register the service principal names (SPN), and create the keytab file. You can create the account using [Active Directory utility (`adutil`)](/sql/linux/sql-server-linux-ad-auth-adutil-introduction).

+For more information, see [deploy a bring your own keytab Active Directory (AD) connector](deploy-automatic-active-directory-connector.md)

+### AD automatic integration mode

+In automatic mode, you need an automatic Active Directory (AD) connector. You will bring an Organizational Unit (OU) and an AD domain service account has sufficient permissions in the Active Directory.

+Furthermore, the system:

+- Creates a domain service AD account for each managed instance.

+- Sets SPNs automatically on that AD account.

+- Creates and delivers a keytab file to the managed instance.

+The mode of the AD connector is determined by the value of `spec.activeDirectory.serviceAccountProvisioning`. Set to either `manual` for bring your own keytab, or `automatic`. Once this parameter is set to automatic, the following parameters become mandatory:

+- `spec.activeDirectory.ouDistinguishedName`

+- `spec.activeDirectory.domainServiceAccountSecret`

+When you deploy SQL Managed Instance with the intention to enable Active Directory Authentication, the deployment needs to reference the Active Directory Connector instance to use. Referencing the Active Directory Connector in managed instance specification automatically sets up the needed environment in the SQL Managed Instance container for the managed instance to authenticate with Active Directory.

+* [Deploy and bring your own keytab Active Directory (AD) connector](deploy-byok-active-directory-connector.md)

+* [Deploy an automatic Active Directory (AD) connector](deploy-automatic-active-directory-connector.md)

+## Deploy Arc data controller

+Creating an Azure Arc data controller in direct connectivity mode involves the following steps:

+1. Create an Azure Arc-enabled data services extension.

+1. Create a custom location.

+1. Create the data controller.

+You can create them individually or in a unified experience.

+## Deploy - unified experience

+In the unified experience, you can create the Arc data controller extension, custom location, and Arc data controller all in one command as follows:

+```az

+az arcdata dc create -n <name> -g <resource-group> --custom-location <custom-location> --cluster-name <cluster> --connectivity-mode direct --profile <the-deployment-profile>

+```

+## Deploy - individual experience

+

+### Step 1: Create an Azure Arc-enabled data services extension

+#### Set environment variables

+##### [Linux](#tab/linux)

+##### [Windows (PowerShell)](#tab/windows)

+#### Create the Arc data services extension

+##### [Linux](#tab/linux)

+##### [Windows (PowerShell)](#tab/windows)

+##### Deploy Azure Arc data services extension using private container registry and credentials

+#### Verify the Arc data services extension is created

+##### Check status from Azure portal

+##### Check status using kubectl CLI

+### Retrieve the managed identity and grant roles

+#### Retrieve managed identity of the Arc data controller extension

+#### Assign role to the managed identity

+### Step 2: Create a custom location using `customlocation` CLI extension

+#### Set environment variables

+##### [Linux](#tab/linux)

+##### [Windows (PowerShell)](#tab/windows)

+### Validate the custom location is created

+### Create certificates for logs and metrics UI dashboards

+### Step 3: Create the Azure Arc data controller

+ Title: Tutorial ΓÇô Deploy AD-integrated Azure Arc-enabled SQL Managed Instance

+description: Tutorial to deploy AD-integrated Azure Arc-enabled SQL Managed Instance

+# Tutorial ΓÇô deploy AD-integrated Azure Arc-enabled SQL Managed Instance

+Before you proceed, complete the steps explained in [Deploy bring your own keytab (BYOK) Active Directory (AD) connector](deploy-byok-active-directory-connector.md) or [Tutorial ΓÇô deploy an automatic AD connector](deploy-automatic-active-directory-connector.md)

+* An instance of data controller deployed

+## Azure Arc-enabled SQL Managed Instance specification for Active Directory Authentication

+To deploy an Azure Arc-enabled SQL Managed Instance for Azure Arc Active Directory Authentication, the deployment specification needs to reference the Active Directory Connector instance it wants to use. Referencing the Active Directory Connector in managed instance specification will automatically set up the managed instance to perform Active Directory authentication.

+To support Active Directory authentication on managed instance, the deployment specification uses the following fields:

+ - `spec.security.activeDirectory.connector.name`

+ - `spec.security.activeDirectory.accountName`

+ Name of the Active Directory (AD) account that was automatically generated for this instance.

+ - `spec.security.activeDirectory.keytabSecret`

+ Name of the Kubernetes secret hosting the pre-created keytab file by users. This secret must be in the same namespace as the managed instance. This parameter is only required for the AD deployment in bring your own keytab AD integration mode.

+ - `spec.services.primary.dnsName`

+ DNS name for the primary endpoint, this is the primary for the managed instance endpoint

+ - `spec.services.primary.port`

+ Port number for the primary endpoint, this is port number for the managed instance endpoint

+ - `spec.security.activeDirectory.connector.namespace`

+ Kubernetes namespace of the pre-existing Active Directory Connector instance to join for AD authentication. When not provided, system will assume the same namespace as the managed instance.

+### Prepare deployment specification for SQL Managed Instance for Azure Arc

+Prepare the following .yaml specification to deploy a managed instance. Set the fields described in the spec.

+> [!NOTE]

+> The *admin-login-secret* in the yaml example is used for basic authentication. You can use it to login into the SQL managed instance, and then create SQL logins for AD users and groups. Check out [Connect to AD-integrated Azure Arc-enabled SQL Managed Instance](connect-active-directory-sql-managed-instance.md) for further details.

+ name: admin-login-secret

+apiVersion: sql.arcdata.microsoft.com/v3

+ adminLoginSecret: admin-login-secret

+### Deploy a managed instance

+To deploy a managed instance using the prepared specification:

+1. Save the file. The example uses the name `sqlmi.yaml`. Use any name.

+1. Run the following command to deploy the instance according to the specification:

+ Title: Tutorial ΓÇô Deploy an automatic Active Directory (AD) Connector

+description: Tutorial to deploy an automatic Active Directory (AD) Connector

+# Tutorial ΓÇô deploy an automatic Active Directory (AD) connector

+This article explains how to deploy an automatic Active Directory (AD) connector custom resource. It is a key component to enable the Azure Arc-enabled SQL Managed Instance with Active Directory. It applies to either integration mode (bring your own keytab (BYOK) or automatic).

+## Prerequisites

+Before you proceed, you must have:

+* An instance of Data Controller deployed on a supported version of Kubernetes

+* An Active Directory (AD) domain

+* A pre-created organizational unit (OU) in the Active Directory

+* An Active Directory (AD) domain service account

+The AD domain service account should have sufficient permissions to create users, groups, and machine accounts automatically inside the provided organizational unit (OU) in the active directory.

+The sufficient permission including the following:

+

+- Read all properties

+- Write all properties

+- Create User objects

+- Delete User objects

+- Reset Password for Descendant User objects

+## Input for deploying an automatic Active Directory (AD) connector

+To deploy an instance of Active Directory connector, several inputs are needed from the Active Directory domain environment.

+These inputs are provided in a .yaml specification for an AD connector instance.

+The following metadata about the AD domain must be available before deploying an instance of AD connector:

+* Name of the Active Directory domain

+* List of the domain controllers (fully qualified domain names)

+* List of the DNS server IP addresses

+The following input fields are exposed to the users in the Active Directory Connector specification:

+- **Required**

+ - `spec.activeDirectory.realm`

+ Name of the Active Directory domain in uppercase. This is the AD domain that this instance of AD Connector will be associated with.

+ - `spec.activeDirectory.domainControllers.primaryDomainController.hostname`

+ Fully-qualified domain name of the Primary Domain Controller (PDC) in the AD domain.

+ If you do not know which domain controller in the domain is primary, you can find out by running this command on any Windows machine joined to the AD domain: `netdom query fsmo`.

+

+ - `spec.activeDirectory.dns.nameserverIpAddresses`

+ List of Active Directory DNS server IP addresses. DNS proxy service will forward DNS queries in the provided domain name to these servers.

+- **Optional**

+ - `spec.activeDirectory.serviceAccountProvisioning` This is an optional field defines your AD connector deployment mode with possible value `bring your own keytab (BYOK)` or `automatic`. This field indicating whether the service account provisioning including SPN and keytab generation should be automatic or bring your own keytab (BYOK). The default is bring your own keytab (BYOK). When set to bring your own keytab (BYOK), the system will not take care of AD service account generation, SPN registration and keytab generation. When set to automatic, the service AD account is automatically generated and SPNs are registered on that account. A keytab file is generated then transported to SQL Managed Instance.

+ - `spec.activeDirectory.ouDistinguishedName` This is an optional field. Though it becomes conditionally mandatory when the value of `serviceAccountProvisioning` is set to `automatic`. This field accepts the Distinguished Name (DN) of an Organizational Unit (OU) that the users must create in Active Directory domain before deploying AD Connector. It stores the system-generated AD accounts in active directory for AD LDAP server. The example of the value would look like: `OU=arcou,DC=contoso,DC=local`.

+ - `spec.activeDirectory.domainServiceAccountSecret` This is an optional field. it becomes conditionally mandatory when the value of `serviceAccountProvisioning` is set to automatic. This field accepts a name of the Kubernetes secret that contains the username and password of the service Domain Service Account that was created prior to the AD deployment, the Security Support Service will use it to generate other AD users in the OU and perform actions on those AD accounts.

+ - `spec.activeDirectory.netbiosDomainName`

+ NETBIOS name of the Active Directory domain. This is the short domain name that represents the Active Directory domain.

+ This is often used to qualify accounts in the AD domain. e.g. if the accounts in the domain are referred to as CONTOSO\admin, then CONTOSO is the NETBIOS domain name.

+

+ This field is optional. When not provided, it defaults to the first label of the `spec.activeDirectory.realm` field.

+ In most domain environments, this is set to the default value but some domain environments may have a non-default value.

+ - `spec.activeDirectory.domainControllers.secondaryDomainControllers[*].hostname`

+ List of the fully qualified domain names of the secondary domain controllers in the AD domain.

+ If your domain is served by multiple domain controllers, it is a good practice to provide some of their fully qualified domain names in this list. This allows high-availability for Kerberos operations.

+ This field is optional and not needed if your domain is served by only one domain controller.

+ - `spec.activeDirectory.dns.domainName`

+ DNS domain name for which DNS lookups should be forwarded to the Active Directory DNS servers.

+ A DNS lookup for any name belonging to this domain or its descendant domains will get forwarded to Active Directory.

+ This field is optional. When not provided, it defaults to the value provided for `spec.activeDirectory.realm` converted to lowercase.

+ - `spec.activeDirectory.dns.replicas`

+ Replica count for DNS proxy service. This field is optional and defaults to 1 when not provided.

+ - `spec.activeDirectory.dns.preferK8sDnsForPtrLookups`

+ Flag indicating whether to prefer Kubernetes DNS server response over AD DNS server response for IP address lookups.

+ DNS proxy service relies on this field to determine which upstream group of DNS servers to prefer for IP address lookups.

+ This field is optional. When not provided, it defaults to true i.e. the DNS lookups of IP addresses will be first forwarded to Kubernetes DNS servers.

+ If Kubernetes DNS servers fail to answer the lookup, the query is then forwarded to AD DNS servers.

+## Deploy an Automatic Active Directory (AD) connector

+To deploy an AD connector, create a YAML specification file called `active-directory-connector.yaml`.

+The following example is an example of an Automatic AD connector uses an AD domain of name `CONTOSO.LOCAL`. Ensure to replace the values with the ones for your AD domain. The `adarc-dsa-secret` contains the AD domain service account that was created prior to the AD deployment.

+> [!NOTE]

+> Make sure the password of provided domain service AD acccount here doesn't contain `!` as special characters.

+>

+```yaml

+apiVersion: v1

+kind: Secret

+type: Opaque

+metadata:

+ name: adarc-dsa-secret

+ namespace: <namespace>

+data:

+ password: <your base64 encoded password>

+ username: <your base64 encoded username>

+apiVersion: arcdata.microsoft.com/v1beta2

+kind: ActiveDirectoryConnector

+metadata:

+ name: adarc

+ namespace: <namespace>

+spec:

+ activeDirectory:

+ realm: CONTOSO.LOCAL

+ serviceAccountProvisioning: automatic

+ ouDistinguishedName: "OU=arcou,DC=contoso,DC=local"

+ domainServiceAccountSecret: adarc-dsa-secret

+ domainControllers:

+ primaryDomainController:

+ hostname: dc1.contoso.local

+ secondaryDomainControllers:

+ - hostname: dc2.contoso.local

+ - hostname: dc3.contoso.local

+ dns:

+ preferK8sDnsForPtrLookups: false

+ nameserverIPAddresses:

+ - <DNS Server 1 IP address>

+ - <DNS Server 2 IP address>

+```

+The following command deploys the AD connector instance. Currently, only kube-native approach of deploying is supported.

+```console

+kubectl apply ΓÇôf active-directory-connector.yaml

+```

+After submitting the deployment for the AD connector instance, you may check the status of the deployment using the following command.

+```console

+kubectl get adc -n <namespace>

+```

+## Next steps

+* [Deploy an Bring your own keytab (BYOK) Active Directory (AD) connector](deploy-byok-active-directory-connector.md)

+* [Deploy SQL Managed Instance with Active Directory Authentication](deploy-active-directory-sql-managed-instance.md).

+* [Connect to AD-integrated Azure Arc-enabled SQL Managed Instance](connect-active-directory-sql-managed-instance.md).

+ Title: Tutorial ΓÇô Deploy a bring your own keytab (BYOK) Active Directory (AD) connector

+description: Tutorial to deploy a bring your own keytab (BYOK) Active Directory (AD) connector

+# Tutorial ΓÇô Deploy a bring your own keytab (BYOK) Active Directory (AD) connector

+This article explains how to deploy an automatic Active Directory (AD) connector custom resource. It is a key component to enable the Azure Arc-enabled SQL Managed Instance with Active Directory. It applies to both integration modes (bring your own keytab (BYOK) or automatic).

+## Prerequisites

+Before you proceed, you must have:

+* An instance of Data Controller deployed on a supported version of Kubernetes

+* An Active Directory (AD) domain

+The following instructions expect that the users can bring in the Active Directory domain and provide to the AD bring your own keytab (BYOK) deployment.

+* An Active Directory user account for the managed instance

+* Service Principal Names (SPNs) under the user account

+* DNS record for the endpoint DNS name for managed instance

+## Before you deploy the managed instance

+1. Identify a DNS name for the managed instance endpoint.

+ The DNS name for the endpoint the managed instance will listen on for connections coming from outside the Kubernetes cluster.

+ This DNS name should be in the Active Directory domain or its descendant domains.

+ The examples in these instructions use `sqlmi.contoso.local` for the DNS name.

+2. Identify the port number for the managed instance endpoint.

+ You must decide a port number for the endpoint managed instance will listen on for connections coming from outside the Kubernetes cluster.

+ This port number must be in the acceptable range of port numbers to Kubernetes cluster.

+ The examples in these instructions use `31433` for the port number.

+3. Create an Active Directory account for the managed instance.

+ Choose a name for the Active Directory account that will represent your managed instance. This name should be unique in the Active Directory domain.

+ Use `Active Directory Users and Computers` on the Domain Controllers, create an account for the managed instance name.

+ Provide a complex password to this account that is acceptable to the Active Directory domain password policy. This password will be needed in some of the next steps.

+ The account does not need any special permissions. Ensure that the account is enabled.

+ The examples in these instructions use `sqlmi-account` for the AD account name.

+4. Create a DNS record for the managed instance endpoint in the Active Directory DNS servers.

+ In one of the Active Directory DNS servers, create an A record (forward lookup record) for the DNS name chosen in step 1. This DNS record should point to the IP address that the managed instance endpoint will listen on for connections from outside the Kubernetes cluster.

+ You do not need to create a PTR record (reverse lookup record) in association with the A record.

+5. Create Service Principal Names (SPNs)

+ In order for managed instance to be able to accept AD authentication against the managed instance endpoint DNS name, we need to register two SPNs under the account generated in the previous step. These two SPNs should be of the following format:

+ ```output

+ MSSQLSvc/<DNS name>

+ MSSQLSvc/<DNS name>:<port>

+ ```

+ To register the SPNs, run the following commands on one of the domain controllers.

+ ```console

+ setspn -S MSSQLSvc/<DNS name> <account>

+ setspn -S MSSQLSvc/<DNS name>:<port> <account>

+ ```

+ With the chosen example DNS name, port number and the account name in this document, the commands should look like the following:

+ ```console

+ setspn -S MSSQLSvc/sqlmi.contoso.local sqlmi-account

+ setspn -S MSSQLSvc/sqlmi.contoso.local:31433 sqlmi-account

+ ```

+6. Generate a keytab file containing entries for the account and SPNs

+ For the managed instance to be able to authenticate itself to Active Directory and accept authentication from Active Directory users, provide a keytab file using a Kubernetes secret.

+ The keytab file contains encrypted entries for the Active Directory account generated for the managed instance and the SPNs.

+ SQL Server will use this file as its credential against Active Directory.

+ There are multiple tools available to generate a keytab file.

+ - `ktutil`: This tool is available on Linux

+ - `ktpass`: This tool is available on Windows

+ - `adutil`: This tool is available for Linux. See [Introduction to `adutil` - Active Directory utility](/sql/linux/sql-server-linux-ad-auth-adutil-introduction).

+ To generate the keytab file specifically for the managed instance, use a bash shell script we have published. It wraps `ktutil` and `adutil` together. It is for use on Linux.

+ A bash script works on Linux-based OS can be found here: [create-sql-keytab.sh](https://github.com/microsoft/azure_arc/tree/main/arc_data_services/deploy/scripts/create-sql-keytab.sh).

+ A PowerShell script works on Windows server based OS can be found here: [create-sql-keytab.ps1](https://github.com/microsoft/azure_arc/tree/main/arc_data_services/deploy/scripts/create-sql-keytab.ps1).

+ This script accepts several parameters and will output a keytab file and a yaml specification file for the Kubernetes secret containing the keytab.

+ Use the following command to run the script after replacing the parameter values with the ones for your managed instance deployment.

+ ```console

+ AD_PASSWORD=<password> ./create-sql-keytab.sh --realm <AD domain in uppercase> --account <AD account name> --port <endpoint port> --dns-name <endpoint DNS name> --keytab-file <keytab file name/path> --secret-name <keytab secret name> --secret-namespace <keytab secret namespace>

+ ```

+ The input parameters are expecting the following values:

+ * `--realm` expects the uppercase of the AD domain, such as CONTOSO.LOCAL

+ * `--account` expects the AD account under where the SPNs are registered, such sqlmi-account

+ * `--port` expects the SQL endpoint port number 31433

+ * `--dns-name` expects the DNS name for the SQL endpoint

+ * `--keytab-file` expects the path to the keytab file

+ * `--secret-name` expects the name of the keytab secret to generate a specification for

+ * `--secret-namespace` expects the Kubernetes namespace containing the keytab secret

+ Choose a name for the Kubernetes secret hosting the keytab. The namespace should be the same as what the managed instance will be deployed in.

+ The following command creates a keytab. It uses values that this article describes:

+ ```console

+ AD_PASSWORD=<password> ./create-sql-keytab.sh --realm CONTOSO.LOCAL --account sqlmi-account --port 31433 --dns-name sqlmi.contoso.local --keytab-file sqlmi.keytab --secret-name sqlmi-keytab-secret --secret-namespace sqlmi-ns

+ ```

+ To verify that the keytab is correct, you may run the following command:

+ ```console

+ klist -kte <keytab file>

+ ```

+## Deploy Kubernetes secret for the keytab

+Use the Kubernetes secret specification file generated in the previous step to deploy the secret.

+The specification file should look like the following:

+```yaml

+apiVersion: v1

+kind: Secret

+type: Opaque

+metadata:

+ name: <secret name>

+ namespace: <secret namespace>

+data:

+ keytab: <keytab content in base64>

+```

+Deploy the Kubernetes secret with `kubectl apply -f <file>`. For example:

+```console

+kubectl apply ΓÇôf sqlmi-keytab-secret.yaml

+```

+## Active directory (AD) bring your own keytab (BYOK) integration mode

+The following are the steps for user to set up:

+1. Creating and providing an Active Directory account for each managed instance that must accept AD authentication.

+1. Providing a DNS name belonging to the Active Directory DNS domain for the managed instance endpoint.

+1. Creating a DNS record in Active Directory for the SQL endpoint.

+1. Providing a port number for the managed instance endpoint.

+1. Registering Service Principal Names (SPNs) under the AD account in Active Directory domain for the SQL endpoint.

+1. Creating and providing a keytab file for managed instance containing entries for the AD account and SPNs.

+An Active Directory Connector instance stores the information needed to enable connections to DNS and AD for purposes of authenticating users and service accounts and it deploys a DNS proxy service that proxies the DNS requests coming from the managed instance to either of the two upstream DNS

+* Active Directory DNS Servers

+* Kubernetes DNS Servers

+The following diagram Active Directory Connector and SQL Managed Instance describes how the AD bring your own keytab (BYOK) integration mode works:

+

+## Input for deploying Active Directory (AD) Connector

+To deploy an instance of Active Directory Connector, several inputs are needed from the Active Directory domain environment.

+These inputs are provided in a YAML specification of AD Connector instance.

+Following metadata about the AD domain must be available before deploying an instance of AD Connector:

+* Name of the Active Directory domain

+* List of the domain controllers (fully qualified domain names)

+* List of the DNS server IP addresses

+Following input fields are exposed to the users in the Active Directory Connector spec:

+- **Required**

+ - `spec.activeDirectory.realm`

+ Name of the Active Directory domain in uppercase. This is the AD domain that this instance of AD Connector will be associated with.

+ - `spec.activeDirectory.domainControllers.primaryDomainController.hostname`

+ Fully qualified domain name of the primary domain controller in the AD domain.

+ To identify the primary domain controller, run this command on any Windows machine joined to the AD domain:

+ ```console

+ netdom query fsmo

+ ```

+

+ - `spec.activeDirectory.dns.nameserverIpAddresses`

+ List of Active Directory DNS server IP addresses. DNS proxy service will forward DNS queries in the provided domain name to these servers.

+- **Optional**

+ - `spec.activeDirectory.netbiosDomainName`

+ NETBIOS name of the Active Directory domain. This is the short domain name that represents the Active Directory domain.

+ This is often used to qualify accounts in the AD domain. e.g. if the accounts in the domain are referred to as CONTOSO\admin, then CONTOSO is the NETBIOS domain name.

+

+ This field is optional. When not provided, it defaults to the first label of the `spec.activeDirectory.realm` field.

+ In most domain environments, this is set to the default value but some domain environments may have a non-default value.

+ - `spec.activeDirectory.domainControllers.secondaryDomainControllers[*].hostname`

+ List of the fully qualified domain names of the secondary domain controllers in the AD domain.

+ If your domain is served by multiple domain controllers, it is a good practice to provide some of their fully qualified domain names in this list. This allows high-availability for Kerberos operations.

+ This field is optional and not needed if your domain is served by only one domain controller.

+ - `spec.activeDirectory.dns.domainName`

+ DNS domain name for which DNS lookups should be forwarded to the Active Directory DNS servers.

+ A DNS lookup for any name belonging to this domain or its descendant domains will get forwarded to Active Directory.

+ This field is optional. When not provided, it defaults to the value provided for `spec.activeDirectory.realm` converted to lowercase.

+ - `spec.activeDirectory.dns.replicas`

+ Replica count for DNS proxy service. This field is optional and defaults to 1 when not provided.

+ - `spec.activeDirectory.dns.preferK8sDnsForPtrLookups`

+ Flag indicating whether to prefer Kubernetes DNS server response over AD DNS server response for IP address lookups.

+ DNS proxy service relies on this field to determine which upstream group of DNS servers to prefer for IP address lookups.

+ This field is optional. When not provided, it defaults to true i.e. the DNS lookups of IP addresses will be first forwarded to Kubernetes DNS servers.

+ If Kubernetes DNS servers fail to answer the lookup, the query is then forwarded to AD DNS servers.

+## Deploy a bring your own keytab (BYOK) Active Directory (AD) connector

+To deploy an AD connector, create a .yaml specification file called `active-directory-connector.yaml`.

+The following example is an example of a bring your own keytab (BYOK) AD connector uses an AD domain of name `CONTOSO.LOCAL`. Ensure to replace the values with the ones for your AD domain.

+```yaml

+apiVersion: arcdata.microsoft.com/v1beta1

+kind: ActiveDirectoryConnector

+metadata:

+ name: adarc

+ namespace: <namespace>

+spec:

+ activeDirectory:

+ realm: CONTOSO.LOCAL

+ domainControllers:

+ primaryDomainController:

+ hostname: dc1.contoso.local

+ secondaryDomainControllers:

+ - hostname: dc2.contoso.local

+ - hostname: dc3.contoso.local

+ dns:

+ preferK8sDnsForPtrLookups: false

+ nameserverIPAddresses:

+ - <DNS Server 1 IP address>

+ - <DNS Server 2 IP address>

+```

+The following command deploys the AD connector instance. Currently, only kube-native approach of deploying is supported.

+```console

+kubectl apply ΓÇôf active-directory-connector.yaml

+```

+After submitting the deployment of AD Connector instance, you may check the status of the deployment using the following command.

+```console

+kubectl get adc -n <namespace>

+```

+## Next steps

+* [Deploy an Automatic Active Directory (AD) connector](deploy-automatic-active-directory-connector.md)

+* [Deploy SQL Managed Instance with Active Directory Authentication](deploy-active-directory-sql-managed-instance.md).

+* [Connect to AD-integrated Azure Arc-enabled SQL Managed Instance](connect-active-directory-sql-managed-instance.md).

+ Title: Maintenance window - Azure Arc-enabled data services

+description: Article describes how to set a maintenance window

+# Maintenance window - Azure Arc-enabled data services

+Configure a maintenance window on a data controller to define a time period for upgrades. In this time period, the Arc-enabled SQL Managed Instances on that data controller which have the `desiredVersion` property set to `auto` will be upgraded.

+During setup, specify a duration, recurrence, and start date and time. After the maintenance window starts, it will run for the period of time set in the duration. The instances attached to the data controller will begin upgrades (in parallel). At the end of the set duration, any upgrades that are in progress will continue to completion. Any instances that did not begin upgrading in the window will begin upgrading in the following recurrence.

+## Prerequisites

+An Azure Arc-enabled SQL Managed Instance with the [`desiredVersion` property set to `auto`](upgrade-sql-managed-instance-auto.md).

+## Limitations

+The maintenance window duration can be from 2 hours to 8 hours.

+Only one maintenance window can be set per data controller.

+## Configure a maintenance window

+The maintenance window has these settings:

+- Duration - The length of time the window will run, expressed in hours and minutes (HH:mm).

+- Recurrence - how often the window will occur. All words are case sensitive and must be capitalized. You can set weekly or monthly windows.

+ - Weekly

+ - [Week | Weekly][day of week]

+ - Examples:

+ - `--recurrence "Week Thursday"`

+ - `--recurrence "Weekly Saturday"`

+ - Monthly

+ - [Month | Monthly] [First | Second | Third | Fourth | Last] [day of week]

+ - Examples:

+ - `--recurrence "Month Fourth Saturday"`

+ - `--recurrence "Monthly Last Monday"`

+ - If recurrence isn't specified, it will be a one-time maintenance window.

+- Start - the date and time the first window will occur, in the format `YYYY-MM-DDThh:mm` (24-hour format).

+ - Example:

+ - `--start "2022-02-01T23:00"`

+- Time Zone - the [time zone](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) associated with the maintenance window.

+#### CLI

+To create a maintenance window, use the following command:

+```cli

+az arcdata dc update --maintenance-start <date and time> --maintenance-duration <time> --maintenance-recurrence <interval> --maintenance-time-zone <time zone> --k8s-namespace <namespace> --use-k8s

+```

+Example:

+```cli

+az arcdata dc update --maintenance-start "2022-01-01T23:00" --maintenance-duration 3:00 --maintenance-recurrence "Monthly First Saturday" --maintenance-time-zone US/Pacific --k8s-namespace arc --use-k8s

+```

+## Monitor the upgrades

+During the maintenance window, you can view the status of upgrades.

+```kubectl

+kubectl -n <namespace> get sqlmi -o yaml

+```

+The `status.runningVersion` and `status.lastUpdateTime` fields will show the latest version and when the status changed.

+## View existing maintenance window

+You can view the maintenance window in the `datacontroller` spec.

+```kubectl

+kubectl describe datacontroller -n <namespace>

+```

+Output:

+```text

+Spec:

+ Settings:

+ Maintenance:

+ Duration: 3:00

+ Recurrence: Monthly First Saturday

+ Start: 2022-01-01T23:00

+ Time Zone: US/Pacific

+```

+## Failed upgrades

+There is no automatic rollback for failed upgrades. If an instance failed to upgrade automatically, manual intervention will be needed to pin the instance to its current running version, using `az sql mi-arc update`. After the issue is resolved, the version can be set back to "auto".

+```cli

+az sql mi-arc upgrade --name <instance name> --desired-version <version>

+```

+Example:

+```cli

+az sql mi-arc upgrade --name sql01 --desired-version v1.2.0_2021-12-15

+```

+## Disable maintenance window

+When the maintenance window is disabled, automatic upgrades will not run.

+```cli

+az arcdata dc update --maintenance-enabled false --k8s-namespace <namespace> --use-k8s

+```

+Example:

+```cli

+az arcdata dc update --maintenance-enabled false --k8s-namespace arc --use-k8s

+```

+## Enable maintenance window

+When the maintenance window is enabled, automatic upgrades will resume.

+```cli

+az arcdata dc update --maintenance-enabled true --k8s-namespace <namespace> --use-k8s

+```

+Example:

+```cli

+az arcdata dc update --maintenance-enabled true --k8s-namespace arc --use-k8s

+```

+## Change maintenance window start time

+The update command can be used to change the maintenance start time.

+```cli

+az arcdata dc update --maintenance-start <date and time> --k8s-namespace arc --use-k8s

+```

+Example:

+```cli

+az arcdata dc update --maintenance-start "2022-04-15T23:00" --k8s-namespace arc --use-k8s

+```

+## Next steps

+[Enable automatic upgrades of a SQL Managed Instance](upgrade-sql-managed-instance-auto.md)

+To configure disaster recovery in Azure Arc-enabled SQL Managed Instance, set up failover groups.

+ az sql mi-arc create --name <primaryinstance> --tier bc --replicas 3 --k8s-namespace <namespace> --use-k8s

+ az sql mi-arc create --name <secondaryinstance> --tier bc --replicas 3 --disaster-recovery-site true --k8s-namespace <namespace> --use-k8s

+4. Create the failover group resource on both sites.

+ If the managed instance names are identical between the two sites, you do not need to use the `--shared-name <name of failover group>` parameter.

+ If the managed instance names are different between the two sites, use the `--shared-name <name of failover group>` parameter.

+ The following examples use the `--shared-name <name of failover group>...` to complete the task. The command seeds system databases in the disaster recovery instance, from the primary instance.

+ > The `shared-name` value should be identical on both sites.

+

+ ```azurecli

+ az sql instance-failover-group-arc create --shared-name <name of failover group> --name <name for primary DAG resource> --mi <local SQL managed instance name> --role primary --partner-mi <partner SQL managed instance name> --partner-mirroring-url tcp://<secondary IP> --partner-mirroring-cert-file <secondary.pem> --k8s-namespace <namespace> --use-k8s

+ az sql instance-failover-group-arc create --shared-name <name of failover group> --name <name for secondary DAG resource> --mi <local SQL managed instance name> --role secondary --partner-mi <partner SQL managed instance name> --partner-mirroring-url tcp://<primary IP> --partner-mirroring-cert-file <primary.pem> --k8s-namespace <namespace> --use-k8s

+ ```

+ Example:

+ ```azurecli

+ az sql instance-failover-group-arc create --shared-name myfog --name primarycr --mi sqlinstance1 --role primary --partner-mi sqlinstance2 --partner-mirroring-url tcp://10.20.5.20:970 --partner-mirroring-cert-file $HOME/sqlcerts/sqlinstance2.pem --k8s-namespace my-namespace --use-k8s

+ az sql instance-failover-group-arc create --shared-name myfog --name secondarycr --mi sqlinstance2 --role primary --partner-mi sqlinstance1 --partner-mirroring-url tcp://10.10.5.20:970 --partner-mirroring-cert-file $HOME/sqlcerts/sqlinstance1.pem --k8s-namespace my-namespace --use-k8s

+ ```

+Use `az sql instance-failover-group-arc ...` to initiate a failover from primary to secondary. The following command initiates a failover from the primary instance to the secondary instance. Any pending transactions on the geo-primary instance are replicated over to the geo-secondary instance before the failover.

+az sql instance-failover-group-arc update --name <name of DAG resource> --role secondary --k8s-namespace <namespace> --use-k8s

+az sql instance-failover-group-arc update --name myfog --role secondary --k8s-namespace my-namespace --use-k8s

+az sql instance-failover-group-arc update --k8s-namespace my-namespace --name primarycr --use-k8s --role force-secondary

+az sql instance-failover-group-arc update --k8s-namespace my-namespace --name secondarycr --use-k8s --role force-primary-allow-data-loss

+|SANs| None required | `metricsui-svc.${NAMESPACE}.${K8S_DNS_DOMAIN_NAME}`|

+> [!NOTE]

+> Default K8S_DNS_DOMAIN_NAME is `svc.cluster.local`, though it may differ depending on environment and configuration.

+## April 2022

+This release is published April 6, 2022.

+### Image tag

+`v1.5.0_2022-04-05`

+For complete release version information, see [Version log](version-log.md).

+### Data controller

+- Logs are retained in ElasticSearch for 2 weeks by default now.

+- Upgrades are now limited to only upgrading to the next incremental minor or major version. For example:

+ - Supported version upgrades:

+ - 1.1 -> 1.2

+ - 1.3 -> 2.0

+ - Not supported version upgrade.

+ - 1.1. -> 1.4

+ Not supported because one or more minor versions are skipped.

+- Updates to open source projects included in Azure Arc-enabled data services to patch vulnerabilities.

+### Azure Arc-enabled SQL Managed Instance

+You can create a maintenance window on the data controller, and if you have SQL managed instances with a desired version set to `auto`, they will be upgraded in the next maintenance windows after a data controller upgrade.

+Metrics for each replica in a business critical instance are now sent to the Azure portal so you can view them in the monitoring charts.

+AD authentication connectors can now be set up in an `automatic mode` which will use a service account to automatically create SQL service accounts, SPNs, and DNS entries as an alternative to the AD authentication connectors which use the `Bring Your Own Keytab` mode.

+Backup and point-in-time-restore when a database has Transparent Data Encryption (TDE) enabled is now supported.

+Change Data Capture (CDC) is now enabled in Azure Arc-enabled SQL Managed Instance.

+Bug fixes for replica scaling in Arc SQL MI Business Critical and database restore when there is insufficient disk space.

+Distributed availability groups have been renamed to failover groups. The `az sql mi-arc dag` command group has been moved to `az sql instance-failover-group-arc`. Before upgrade, delete all resources of the `dag` resource type.

+### User experience improvements

+You can now use the Azure CLI `az arcdata dc create` command to create:

+- A custom location

+- A data services extension

+- A data controller in one command.

+New enforcements of constraints:

+- The data controller and managed instance resources it manages must be in the same resource group.

+- There can only be one data controller in a given custom location.

+#### Azure Data Studio

+During direct connected mode data controller creation, you can now specify the log analytics workspace information for auto sync upload of the logs.

+- Removed block on data controller upgrade if there are business critical instances that exist

+- Custom metrics in Azure portal - preview.

+- Backup and restore no longer work in the July 30 release. This is a temporary limitation. Use the June 2021 release for now if you need to do to back up or restore. This will be fixed in a future release.

+- Renaming a database is currently not supported, for point in time restore purposes.

+- Default recovery point objective (RPO): 5 minutes. Can't be modified in current release.

+- Kubernetes native deployment templates have been modified for data controller, bootstrapper, & SQL Managed Instance. Update your .yaml templates. [Sample yaml files](https://github.com/microsoft/azure_arc/tree/main/arc_data_services/deploy/yaml)

+- The status (health state) is reported for each of the PostgreSQL instances in a sever group

+Azure Arc-enabled data services allow you to manage data services anywhere. This is a preview release.

+## April 6, 2022

+|Component |Value |

+|--||

+|Container images tag |`v1.5.0_2022-04-05`|

+|CRD names and versions |`datacontrollers.arcdata.microsoft.com`: v1beta1, v1, v2, v3, v4</br>`exporttasks.tasks.arcdata.microsoft.com`: v1beta1, v1, v2</br>`kafkas.arcdata.microsoft.com`: v1beta1</br>`monitors.arcdata.microsoft.com`: v1beta1, v1, v2</br>`sqlmanagedinstances.sql.arcdata.microsoft.com`: v1beta1, v1, v2, v3, v4</br>`postgresqls.arcdata.microsoft.com`: v1beta1, v1beta2</br>`sqlmanagedinstancerestoretasks.tasks.sql.arcdata.microsoft.com`: v1beta1, v1</br>`failovergroups.sql.arcdata.microsoft.com`: v1beta1, v1beta2</br>`activedirectoryconnectors.arcdata.microsoft.com`: v1beta1, v1beta2|

+|ARM API version|2021-11-01|

+|`arcdata` Azure CLI extension version| 1.3.0|

+|Arc enabled Kubernetes helm chart extension version|1.1.19091004|

+|Arc Data extension for Azure Data Studio|1.0|

+|Container images tag |`v1.3.0_2022-01-27`

+|Container images tag | `v1.2.0_2021-12-15` |

+|Container images tag | `v1.1.0_2021-11-02` |

+|Container images tag | `v1.0.0_2021-07-30` |

+| Expired | Managed identity certificate of the cluster has an expiration window of 90 days after it is issued. Once this certificate expires, the resource is considered `Expired` and all features such as configuration, monitoring, and policy stop working on this cluster. More information on how to address expired Azure Arc-enabled Kubernetes resources can be found [in the FAQ article](./faq.md#how-do-i-address-expired-azure-arc-enabled-kubernetes-resources). |

+## How do I address expired Azure Arc-enabled Kubernetes resources?

+The system assigned managed identity associated with your Azure Arc-enabled Kubernetes cluster is only used by the Azure Arc agents to communicate with the Azure Arc services. The certificate associated with this system assigned managed identity has an expiration window of 90 days, and the agents will attempt to renew this certificate between Day 46 to Day 90. Once this certificate expires, the resource is considered `Expired` and all features (such as configuration, monitoring, and policy) stop working on this cluster and you'll then need to delete and connect the cluster to Azure Arc once again. It is thus advisable to have the cluster come online at least once between Day 46 to Day 90 time window to ensure renewal of the managed identity certificate.

+### Drift reconciliation

+### Apply GitOps at scale

+CI/CD pipelines are useful for event-driven deployments to your Kubernetes cluster (for example, a push to a Git repository). However, if you want to deploy the same configuration to all of your Kubernetes clusters, you would need to manually configure each Kubernetes cluster's credentials to the CI/CD pipeline.

+### Cluster compliance

+The feature to enable storing customer data in a single region is currently only available in the Southeast Asia Region (Singapore) of the Asia Pacific Geo and Brazil South (Sao Paulo State) Region of Brazil Geo. For all other regions, customer data is stored in Geo. This is applicable for Azure Arc-enabled Open Service Mesh and Azure Key Vault Secrets Provider extensions supported in Azure Arc-enabled Kubernetes. For other cluster extensions, please see their documentation to learn how they store customer data. For more information, see [Trust Center](https://azure.microsoft.com/global-infrastructure/data-residency/).

+You can scale your cache instances in the Azure portal. Also, you can programatically scale your cache using PowerShell cmdlets, Azure CLI, and by using the Microsoft Azure Management Libraries (MAML).

+## Minimizing your data helps scaling complete quicker

+If preserving the data in the cache isn't a requirement, consider flushing the data prior to scaling. Flushing the cache helps the scaling operation complete more quickly so the new capacity is available sooner.

+ const documentId = (req.query.documentId || (req.body && req.body.documentId)) as string | undefined;

+- [How to: Validate a User Created a Document](validate-document-creator.md)

+ Title: "How to: Validate a User Created a Document"

+description: How to validate that the user who created a document is the same user who is claiming to be creating the document.

+fluid.url: https://fluidframework.com/docs/apis/azure-client/itokenprovider/

+# How to: Validate a User Created a Document

+> [!NOTE]

+> This preview version is provided without a service-level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

+When creating a document in Azure Fluid Relay, the JWT provided by the `ITokenProvider` for the creation request can only be used once. After creating a document, the client must generate a new JWT that contains the document ID provided by the service at creation time. If an application has an authorization service that manages document access control, it will need to know who created a document with a given ID in order to authorize the generation of a new JWT for access to that document.

+## Inform an Authorization Service when a document is Created

+An application can tie into the document creation lifecycle by implementing a public `documentPostCreateCallback()` property in its `TokenProvider`. This callback will be triggered directly after creating the document, before a client requests the new JWT it needs to gain read/write permissions to the document that was created.

+The `documentPostCreateCallback()` receives 2 parameters: 1) the ID of the document that was created and 2) a JWT signed by the service with no permission scopes. The authorization service can verify the given JWT and use the information in the JWT to grant the correct user permissions for the newly created document.

+### Create an endpoint for your document creation callback

+This example below is an [Azure Function](../../azure-functions/functions-overview.md) based off the example in [How to: Write a TokenProvider with an Azure Function](azure-function-token-provider.md#create-an-endpoint-for-your-tokenprovider-using-azure-functions).

+```typescript

+import { AzureFunction, Context, HttpRequest } from "@azure/functions";

+import { ITokenClaims, IUser } from "@fluidframework/protocol-definitions";

+import * as jwt from "jsonwebtoken";

+// NOTE: retrieve the key from a secure location.

+const key = "myTenantKey";

+const httpTrigger: AzureFunction = async function (context: Context, req: HttpRequest): Promise<void> {

+ const token = (req.query.token || (req.body && req.body.token)) as string;

+ const documentId = (req.query.documentId || (req.body && req.body.documentId)) as string;

+ if (!token) {

+ context.res = {

+ status: 400,

+ body: "No token provided in request",

+ };

+ return;

+ }

+ if (!documentId) {

+ context.res = {

+ status: 400,

+ body: "No documentId provided in request",

+ };

+ return;

+ }

+

+ const claims = jwt.decode(token) as ITokenClaims;

+ if (!claims) {

+ context.res = {

+ status: 403,

+ body: "Missing token claims",

+ };

+ return;

+ }

+ const tenantId = claims.tenantId;

+ if (!claims) {

+ context.res = {

+ status: 400,

+ body: "No tenantId provided in token claims",

+ };

+ return;

+ }

+ if (!key) {

+ context.res = {

+ status: 404,

+ body: `No key found for the provided tenantId: ${tenantId}`,

+ };

+ return;

+ }

+ try {

+ jwt.verify(token, key);

+ } catch (e) {

+ if (e instanceof jwt.TokenExpiredError) {

+ context.res = {

+ status: 401,

+ body: `Token is expired`,

+ };

+ return

+ }

+ context.res = {

+ status: 403,

+ body: `Token signed with invalid key`,

+ }

+ return;

+ }

+ const user: IUser = claims.user;

+ // Pseudo-function: implement according to your needs

+ giveUserPermissionsForDocument(documentId, user);

+ context.res = {

+ status: 200,

+ body: "OK",

+ };

+};

+export default httpTrigger;

+```

+### Implement the `documentPostCreateCallback`

+This example implementation below extends the [AzureFunctionTokenProvider](https://fluidframework.com/docs/apis/azure-client/azurefunctiontokenprovider/) and uses the [axios](https://www.npmjs.com/package/axios) library to make a simple HTTP request to the Azure Function used for generating tokens.

+```typescript

+import { AzureFunctionTokenProvider, AzureMember } from "@fluidframework/azure-client";

+import axios from "axios";

+/**

+ * Token Provider implementation for connecting to an Azure Function endpoint for

+ * Azure Fluid Relay token resolution.

+ */

+export class AzureFunctionTokenProviderWithDocumentCreateCallback extends AzureFunctionTokenProvider {

+ /**

+ * Creates a new instance using configuration parameters.

+ * @param azFunctionUrl - URL to Azure Function endpoint

+ * @param user - User object

+ */

+ constructor(

+ private readonly authAzFunctionUrl: string,

+ azFunctionUrl: string,

+ user?: Pick<AzureMember, "userId" | "userName" | "additionalDetails">,

+ ) {

+ super(azFunctionUrl, user);

+ }

+ public async documentPostCreateCallback?(documentId: string, creationToken: string): Promise<void> {

+ await axios.post(this.authAzFunctionUrl, {

+ params: {

+ documentId,

+ token: creationToken,

+ },

+ });

+ }

+}

+```

+## See also

+- [Add custom data to an auth token](connect-fluid-azure-service.md#adding-custom-data-to-tokens)

+- [Azure Fluid Relay token contract](fluid-json-web-token.md)

+In [C# class libraries](functions-dotnet-class-library.md), use the [RabbitMQAttribute](https://github.com/Azure/azure-functions-rabbitmq-extension/blob/dev/extension/WebJobs.Extensions.RabbitMQ/RabbitMQAttribute.cs).

+In [C# class libraries](functions-dotnet-class-library.md), use the [RabbitMQTrigger](https://github.com/Azure/azure-functions-rabbitmq-extension/blob/dev/extension/WebJobs.Extensions.RabbitMQ/Trigger/RabbitMQTriggerAttribute.cs) attribute.

+In [C# class libraries](functions-dotnet-class-library.md), use the [RabbitMQTrigger](https://github.com/Azure/azure-functions-rabbitmq-extension/blob/dev/extension/WebJobs.Extensions.RabbitMQ/Trigger/RabbitMQTriggerAttribute.cs) attribute.

+In [C# class libraries](functions-dotnet-class-library.md), use the [RabbitMQTrigger](https://github.com/Azure/azure-functions-rabbitmq-extension/blob/dev/extension/WebJobs.Extensions.RabbitMQ/Trigger/RabbitMQTriggerAttribute.cs) attribute.

+|East US | 100 | 60 |

+This Azure Functions sample script creates a function app using the [Consumption plan](../consumption-plan.md) and creates a share in Azure Files. It then mounts the share so that the data can be accessed by your functions.

+- Microsoft will notify you of any breach of your data ΓÇô customer or personal ΓÇô within 72 hours of incident declaration.

+Agriculture plays a vital role in most economies worldwide. In the US, over 70% of the rural households depend on agriculture as it contributes about 17% to the total GDP and provides employment to over 60% of the population. In project [Farm Beats](https://www.microsoft.com/research/project/farmbeats-iot-agriculture/), we gather numerous data from farms that we couldnΓÇÖt get before, and then by applying AI and ML algorithms we're able to turn this data into actionable insights for farmers. We call this technique data-driven farming. What we mean by data-driven farming is the ability to map every farm and overlay it with data. For example, what is the soil moisture level 15 cm below surface, what is the soil temperature 15 cm below surface, and so on. These maps can then enable techniques, such as Precision Agriculture, which has been shown to improve yield, reduce costs, and benefit the environment. Despite the fact the Precision Agriculture as a technique was proposed more than 30 years ago, it hasnΓÇÖt taken off. The biggest reason is the inability to capture numerous data from farms to accurately represent the conditions in the farm. Our goal as part of the Farm Beats project is to be able to accurately construct precision maps at a fraction of the cost.

+The exponential growth of unstructured data gathering in recent years has created many analytical problems for government agencies. This problem intensifies when data sets come from diverse sources such as text, audio, video, imaging, and so on. [Knowledge mining](/learn/modules/azure-artificial-intelligence/2-knowledge-mining) is the process of discovering useful knowledge from a collection of diverse data sources. This widely used data mining technique is a process that includes data preparation and selection, data cleansing, incorporation of prior knowledge on data sets, and interpretation of accurate solutions from the observed results. This process has proven to be useful for large volumes of data in different government agencies.

+**Azure Policy regulatory compliance built-in initiatives** map to compliance domains and controls in key standards, including:

+- [Australian Government ISM PROTECTED](../governance/policy/samples/australia-ism.md)

+- [Canada Federal PBMM](../governance/policy/samples/canada-federal-pbmm.md)

+- [ISO/IEC 27001](../governance/policy/samples/iso-27001.md)

+- [US Government FedRAMP High](../governance/policy/samples/fedramp-high.md)

+- And others

+For more regulatory compliance built-in initiatives, see [Azure Policy samples](../governance/policy/samples/index.md#regulatory-compliance).

+Regulatory compliance in Azure Policy provides built-in initiative definitions to view a list of the controls and compliance domains based on responsibility ΓÇô customer, Microsoft, or shared. For Microsoft-responsible controls, we provide extra audit result details based on third-party attestations and our control implementation details to achieve that compliance. Each control is associated with one or more Azure Policy definitions. These policies may help you [assess compliance](../governance/policy/how-to/get-compliance-data.md) with the control; however, compliance in Azure Policy is only a partial view of your overall compliance status. Azure Policy helps to enforce organizational standards and assess compliance at scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to more granular status.

+- **Audit documentation:** Does Microsoft make all audit documentation readily available to customers to download and examine? **Answer:** Yes, Microsoft makes independent third-party audit reports and other related documentation available for download under a non-disclosure agreement from the Azure portal. You'll need an existing Azure subscription or [free trial subscription](https://azure.microsoft.com/free/) to access the Microsoft Defender for Cloud [audit reports blade](https://portal.azure.com/#blade/Microsoft_Azure_Security/AuditReportsBlade). Extra compliance documentation is available from the Service Trust Portal (STP) [Audit Reports](https://servicetrust.microsoft.com/ViewPage/MSComplianceGuideV3) section. You must log in to access audit reports on the STP. For more information, see [Get started with the Microsoft Service Trust Portal](/microsoft-365/compliance/get-started-with-service-trust-portal).

+For links to extra Azure Government compliance assurances, see [Azure compliance](../compliance/index.yml). For example, Azure Government can help you meet your compliance obligations with many US government requirements, including:

+For extra customer assistance, Microsoft provides Azure Policy regulatory compliance built-in initiatives, which map to **compliance domains** and **controls** in key US government standards, including:

+- And others

+For more regulatory compliance built-in initiatives that pertain to Azure Government, see [Azure Policy samples](../governance/policy/samples/index.md#regulatory-compliance).

+Regulatory compliance in Azure Policy provides built-in initiative definitions to view a list of the controls and compliance domains based on responsibility ΓÇô customer, Microsoft, or shared. For Microsoft-responsible controls, we provide extra audit result details based on third-party attestations and our control implementation details to achieve that compliance. Each control is associated with one or more Azure Policy definitions. These policies may help you [assess compliance](../governance/policy/how-to/get-compliance-data.md) with the control; however, compliance in Azure Policy is only a partial view of your overall compliance status. Azure Policy helps to enforce organizational standards and assess compliance at scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to more granular status.

+Activity log alerts allow you to be notified on events and operations that are logged in [Azure Activity Log](../essentials/activity-log.md). An alert is fired when a new [activity log event](../essentials/activity-log-schema.md) occurs that matches the conditions specified in the alert rule. Activity log alert rules are Azure resources, so they can be created by using an Azure Resource Manager template. They also can be created, updated, or deleted in the Azure portal. This article introduces the concepts behind activity log alerts. For more information on creating or usage of activity log alert rules, see [Create and manage activity log alerts](./alerts-activity-log.md).

+## Alerting on activity log event categories

+You can create activity log alert rules to receive notifications on one of the following activity log event categories :

+* **Administrative events** - get notified when a create, update, delete, or action operation occur on resources in your Azure subscription, resource group, or on a specific resource. For example, you might want to be notified when any virtual machine in myProductionResourceGroup is deleted. Or, you might want to be notified if any new roles are assigned to a user in your subscription.

+* **Service Health events** - get notified on Azure incidents, such as an outage or a maintenance event, occurred in a specific Azure region and may impact services in your subscription.

+* **Resource health events** - get notified when the health of a specific Azure resource you are using is degraded, or if the resource becomes unavailable.

+* **Autoscale events** - get notified when events related to the operation of the configured [autoscale operations](../autoscale/autoscale-overview.md) in your subscription. An example of an Autoscale event is Autoscale scale up action failed.

+* **Recommendation** - get notified when a new [Azure Advisor recommendation](../../advisor/advisor-overview.md) is available for your subscription.

+* **Security** - get notified on events generated by Microsoft Defender for Cloud. An example of a Security event is Suspicious double extension file executed.

+* **Policy** - get notified on effect action operations performed by Azure Policy. Examples of Policy events include Audit and Deny.

+> Alerts **cannot** be created for events in Alert category of activity log.

+## Configuring activity log alert rules

+You can configure an activity log alert based on any top-level property in the JSON object for an activity log event. For more information, see [Categories in the Activity Log](../essentials/activity-log.md#view-the-activity-log).

+An alternative simple way for creating conditions for activity log alerts is to explore or filter events via [Activity log in Azure portal](../essentials/activity-log.md#view-the-activity-log). In Azure Monitor - Activity log, one can filter and locate a required event and then create an alert to notify on similar by using the **New alert rule** button.

+> [!NOTE]

+> An activity log alert rule monitors only for events in the subscription in which the alert rule is created.

+Activity log events have a few common properties which can be used to define a the activity log alert rule condition:

+- **Category**: Administrative, Service Health, Resource Health, Autoscale, Security, Policy, or Recommendation.

+- **Event initiated by**: Also known as the "caller." The email address or Azure Active Directory identifier of the user (or application) who performed the operation.

+In addition to these comment properties, different activity log events categories have categpry-specific properties that can be used to define an alert rule for events of this category. For example, when creating a service health alert rule you can configure a condition on the impacted region name or service name that appear in the event.

+## Using action groups

+When an activity log alert is fired, it uses an action group to generate actions or notifications. An action group is a reusable set of notification receivers, such as email addresses, webhook URLs, or SMS phone numbers. The receivers can be referenced from multiple alerts to centralize and group your notification channels. When you define your activity log alert rule, you have two options. You can:

+* Use an existing action group in your activity log alert rule.

+## Activity log alert rules limit

+You can create up to 100 active activity log alert rules per subscription (including alert rules all activity log categories, such as resource health or service health ). This limit can't be increased.

+If you are reaching near this limit, there are several guidelines you can follow to optimize the use of activity log alerts rules so that you can cover more resources and events with the same number of rules:

+* A single activity log alert rule can be configured to cover the scope of a single resource, a resource group, or an entire subscription. To reduce the number of rules you're using, consider to replace multiple rules covering a narrow scope with a single rule covering a broad scope. For example, if you have multiple VMs in a subscription, and you want an alert to be triggered whenever one of them is restarted, you can use a single activity log alert rule to cover all the VMs in your subscription. The alert will be triggered whenever any VM in the subscription is restarted.

+* A single service health alert rule can cover all the services and Azure regions used by your subscription. If you're using multiple service health alert rules per subscription, you can replace them with a single rule (or with a small number of rules, if you prefer).

+* A single resource health alert rule can cover multiple resource types and resources in your subscription. If you're using multiple resource health alert rules per subscription, you can replace them with a smaller number of rules (or even a single rule) that covers multiple resource types.

+- Learn more about [service health alerts](../../service-health/service-notifications.md).

+- Learn more about [Resource health alerts](../../service-health/resource-health-alert-monitor-guide.md).

+- Learn more about [Recommendation alerts](../../advisor/advisor-alerts-portal.md).

+ Although you can provide a connection string as part of the `ApplicationInsightsServiceOptions` argument to AddApplicationInsightsTelemetry, we recommend that you specify the connection string in configuration. The following code sample shows how to specify a connection string in `appsettings.json`. Make sure `appsettings.json` is copied to the application root folder during publishing.

+## [1.4.3](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector/1.4.3)

+A point release to address user-reported bugs.

+### Bug fixes

+- Fix [Hide the IDMS dependency from dependency tracker.](https://github.com/microsoft/ApplicationInsights-SnapshotCollector/issues/17)

+- Fix [ArgumentException: telemetryProcessorTypedoes not implement ITelemetryProcessor.](https://github.com/microsoft/ApplicationInsights-SnapshotCollector/issues/19)

+<br>Snapshot Collector used via SDK is not supported when Interop feature is enabled. [See more not supported scenarios.](https://docs.microsoft.com/azure/azure-monitor/app/snapshot-debugger-troubleshoot#not-supported-scenarios)

+## Does Azure NetApp Files support SMB change notification and file locking?

+Yes.

+Azure NetApp Files supports [`CHANGE_NOTIFY` response](/openspecs/windows_protocols/ms-smb2/14f9d050-27b2-49df-b009-54e08e8bf7b5). This response is for the clientΓÇÖs request that comes in the form of a [`CHANGE_NOTIFY` request](/openspecs/windows_protocols/ms-smb2/598f395a-e7a2-4cc8-afb3-ccb30dd2df7c).

+Azure NetApp Files also supports [`LOCK` response](/openspecs/windows_protocols/ms-smb2/e215700a-102c-450a-a598-7ec2a99cd82c). This response is for the clientΓÇÖs request that comes in the form of a [`LOCK` request](/openspecs/windows_protocols/ms-smb2/6178b960-48b6-4999-b589-669f88e9017d).

+## items

+`items(object)`

+Converts a dictionary object to an array.

+Namespace: [sys](bicep-functions.md#namespaces-for-functions).

+### Parameters

+| Parameter | Required | Type | Description |

+|: |: |: |: |

+| object |Yes |object |The dictionary object to convert to an array. |

+### Return value

+An array of objects for the converted dictionary. Each object in the array has a `key` property that contains the key value for the dictionary. Each object also has a `value` property that contains the properties for the object.

+### Example

+The following example converts a dictionary object to an array. For each object in the array, it creates a new object with modified values.

+```bicep

+var entities = {

+ item002: {

+ enabled: false

+ displayName: 'Example item 2'

+ number: 200

+ }

+ item001: {

+ enabled: true

+ displayName: 'Example item 1'

+ number: 300

+ }

+}

+var modifiedListOfEntities = [for entity in items(entities): {

+ key: entity.key

+ fullName: entity.value.displayName

+ itemEnabled: entity.value.enabled

+}]

+output modifiedResult array = modifiedListOfEntities

+```

+The preceding example returns:

+```json

+"modifiedResult": {

+ "type": "Array",

+ "value": [

+ {

+ "fullName": "Example item 1",

+ "itemEnabled": true,

+ "key": "item001"

+ },

+ {

+ "fullName": "Example item 2",

+ "itemEnabled": false,

+ "key": "item002"

+ }

+ ]

+}

+```

+The following example shows the array that is returned from the items function.

+```bicep

+var entities = {

+ item002: {

+ enabled: false

+ displayName: 'Example item 2'

+ number: 200

+ }

+ item001: {

+ enabled: true

+ displayName: 'Example item 1'

+ number: 300

+ }

+}

+var entitiesArray = items(entities)

+output itemsResult array = entitiesArray

+```

+The example returns:

+```json

+"itemsResult": {

+ "type": "Array",

+ "value": [

+ {

+ "key": "item001",

+ "value": {

+ "displayName": "Example item 1",

+ "enabled": true,

+ "number": 300

+ }

+ },

+ {

+ "key": "item002",

+ "value": {

+ "displayName": "Example item 2",

+ "enabled": false,

+ "number": 200

+ }

+ }

+ ]

+}

+```

+The items() function sorts the objects in the alphabetical order. For example, **item001** appears before **item002** in the outputs of the two preceding samples.

+// Must use sys namespace to call the function.

+* [items](./bicep-functions-object.md#items)

+- Using **items in a dictionary object**. This option works when your scenario is: "I want to create an instance for each item in an object." The [items function](bicep-functions-object.md#items) converts the object to an array. Within the loop, you can use properties from the object to create values. For more information, see [Dictionary object](#dictionary-object).

+To iterate over elements in a dictionary object, use the [items function](bicep-functions-object.md#items), which converts the object to an array. Use the `value` property to get properties on the objects.

+To iterate over elements in a dictionary object, use the [items function](./bicep-functions-object.md#items), which converts the object to an array. Use the `value` property to get properties on the objects.

+ {

+ "name": "nameApi",

+ "type": "Microsoft.Solutions.ArmApiControl",

+ "request": {

+ "method": "POST",

+ "path": "[concat(subscription().id, '/providers/Microsoft.Storage/checkNameAvailability?api-version=2021-04-01')]",

+ "body": {

+ "name": "[basics('txtStorageName')]",

+ "type": "Microsoft.Storage/storageAccounts"

+ }

+ }

+ },

+ {

+ "name": "txtStorageName",

+ "type": "Microsoft.Common.TextBox",

+ "label": "Storage account name",

+ "constraints": {

+ "validations": [

+ {

+ "isValid": "[basics('nameApi').nameAvailable]",

+ "message": "[basics('nameApi').message]"

+ }

+ ]

+> | privateendpoints | Yes | Yes | Yes |

+- When you configure the auditing in Azure SQL Server or Azure SQL Database with log destination as the storage account, the target storage account must be enabled with access to storage account keys. If the storage account is configured to use Azure AD authentication only and not configured for access key usage, the auditing cannot be configured. <!-- REST API reference: - https://docs.microsoft.com/rest/api/sql/2021-08-01-preview/server-blob-auditing-policies/create-or-update -->

+1. In the [Azure portal](https://portal.azure.com), in the upper-right corner select your account, and then choose **Switch directories** to confirm which Active Directory is currently your active directory. Switch directories, if necessary.

+ :::image type="content" source="media/authentication-aad-configure/switch-directory.png" alt-text="Screenshot of the Azure portal showing where to switch your directory":::

+ :::image type="content" source="./media/authentication-aad-configure/aad.png" alt-text="Screenshot of the Azure portal showing the Active Directory admin page open for the selected SQL managed instance.":::

+ :::image type="content" source="./media/authentication-aad-configure/grant-permissions.png" alt-text="Screenshot of the dialog for granting permissions to a SQL managed instance for accessing Active Directory. The Grant permissions button is selected.":::

+ :::image type="content" source="./media/authentication-aad-configure/success.png" alt-text="Screenshot of a notification confirming that active directory read permissions have been successfully updated for the managed instance.":::

+ :::image type="content" source="./media/authentication-aad-configure/set-admin.png" alt-text="Screenshot showing the Set admin command highlighted on the Active Directory admin page for the selected SQL managed instance.":::

+ :::image type="content" source="./media/authentication-aad-configure/add-azure-active-directory-admin.png" alt-text="Add Azure Active Directory admin":::

+ :::image type="content" source="./media/authentication-aad-configure/save.png" alt-text="Screenshot of the Active Directory admin page with the Save button in the top row next to the Set admin and Remove admin buttons.":::

+ :::image type="content" source="./media/authentication-aad-configure/search-for-and-select-sql-servers.png" alt-text="Search for and select SQL servers":::

+ :::image type="content" source="./media/authentication-aad-configure/sql-servers-set-active-directory-admin.png" alt-text="SQL servers set Active Directory admin":::

+ :::image type="content" source="./media/authentication-aad-configure/select-azure-active-directory-admin.png" alt-text="Select Azure Active Directory admin":::

+ :::image type="content" source="./media/authentication-aad-configure/save-admin.png" alt-text="save admin":::

+## Granular permission example

+Prevent unauthorized access to sensitive data and gain control by masking it to an unauthorized user at different levels of the database. You can grant or revoke UNMASK permission at the database-level, schema-level, table-level or at the column-level to a user. Using UNMASK permission provides a more granular way to control and limit unauthorized access to data stored in the database and improve data security management.

+1. Create schema to contain user tables

+ ```sql

+ CREATE SCHEMA Data;

+ GO

+ ```

+1. Create table with masked columns

+ ```sql

+ CREATE TABLE Data.Membership (

+ MemberID int IDENTITY(1,1) NOT NULL PRIMARY KEY CLUSTERED,

+ FirstName varchar(100) MASKED WITH (FUNCTION = 'partial(1, "xxxxx", 1)') NULL,

+ LastName varchar(100) NOT NULL,

+ Phone varchar(12) MASKED WITH (FUNCTION = 'default()') NULL,

+ Email varchar(100) MASKED WITH (FUNCTION = 'email()') NOT NULL,

+ DiscountCode smallint MASKED WITH (FUNCTION = 'random(1, 100)') NULL,

+ BirthDay datetime MASKED WITH (FUNCTION = 'default()') NULL

+ );

+ ```

+1. Insert sample data

+ ```sql

+ INSERT INTO Data.Membership (FirstName, LastName, Phone, Email, DiscountCode, BirthDay)

+ VALUES

+ ('Roberto', 'Tamburello', '555.123.4567', 'RTamburello@contoso.com', 10, '1985-01-25 03:25:05'),

+ ('Janice', 'Galvin', '555.123.4568', 'JGalvin@contoso.com.co', 5,'1990-05-14 11:30:00'),

+ ('Shakti', 'Menon', '555.123.4570', 'SMenon@contoso.net', 50,'2004-02-29 14:20:10'),

+ ('Zheng', 'Mu', '555.123.4569', 'ZMu@contoso.net', 40,'1990-03-01 06:00:00');

+ ```

+1. Create schema to contain service tables

+ ```sql

+ CREATE SCHEMA Service;

+ GO

+ ```

+1. Create service table with masked columns

+ ```sql

+ CREATE TABLE Service.Feedback (

+ MemberID int IDENTITY(1,1) NOT NULL PRIMARY KEY CLUSTERED,

+ Feedback varchar(100) MASKED WITH (FUNCTION = 'default()') NULL,

+ Rating int MASKED WITH (FUNCTION='default()'),

+ Received_On datetime)

+ );

+ ```

+1. Insert sample data

+ ```sql

+ INSERT INTO Service.Feedback(Feedback,Rating,Received_On)

+ VALUES

+ ('Good',4,'2022-01-25 11:25:05'),

+ ('Excellent', 5, '2021-12-22 08:10:07'),

+ ('Average', 3, '2021-09-15 09:00:00');

+ ```

+1. Create different users in the database

+ ```sql

+ CREATE USER ServiceAttendant WITHOUT LOGIN;

+ GO

+

+ CREATE USER ServiceLead WITHOUT LOGIN;

+ GO

+

+ CREATE USER ServiceManager WITHOUT LOGIN;

+ GO

+

+ CREATE USER ServiceHead WITHOUT LOGIN;

+ GO

+ ```

+1. Grant read permissions to the users in the database

+ ```sql

+ ALTER ROLE db_datareader ADD MEMBER ServiceAttendant;

+

+ ALTER ROLE db_datareader ADD MEMBER ServiceLead;

+

+ ALTER ROLE db_datareader ADD MEMBER ServiceManager;

+

+ ALTER ROLE db_datareader ADD MEMBER ServiceHead;

+ ```

+1. Grant different UNMASK permissions to users

+ ```sql

+ --Grant column level UNMASK permission to ServiceAttendant

+ GRANT UNMASK ON Data.Membership(FirstName) TO ServiceAttendant;

+

+ -- Grant table level UNMASK permission to ServiceLead

+ GRANT UNMASK ON Data.Membership TO ServiceLead;

+

+ -- Grant schema level UNMASK permission to ServiceManager

+ GRANT UNMASK ON SCHEMA::Data TO ServiceManager;

+ GRANT UNMASK ON SCHEMA::Service TO ServiceManager;

+

+ --Grant database level UNMASK permission to ServiceHead;

+ GRANT UNMASK TO ServiceHead;

+ ```

+1. Query the data under the context of user `ServiceAttendant`

+ ```sql

+ EXECUTE AS USER='ServiceAttendant';

+ SELECT MemberID,FirstName,LastName,Phone,Email,BirthDay FROM Data. Membership;

+ SELECT MemberID,Feedback,Rating FROM Service.Feedback;

+ REVERT;

+ ```

+1. Query the data under the context of user `ServiceLead`

+ ```sql

+ EXECUTE AS USER='ServiceLead';

+ SELECT MemberID,FirstName,LastName,Phone,Email,BirthDay FROM Data. Membership;

+ SELECT MemberID,Feedback,Rating FROM Service.Feedback;

+ REVERT;

+ ```

+

+1. Query the data under the context of user `ServiceManager`

+ ```sql

+ EXECUTE AS USER='ServiceManager';

+ SELECT MemberID,FirstName,LastName,Phone,Email FROM Data.Membership;

+ SELECT MemberID,Feedback,Rating FROM Service.Feedback;

+ REVERT;

+ ```

+

+1. Query the data under the context of user `ServiceHead`

+ ```sql

+ EXECUTE AS USER='ServiceHead';

+ SELECT MemberID,FirstName,LastName,Phone,Email,BirthDay FROM Data.Membership;

+ SELECT MemberID,Feedback,Rating FROM Service.Feedback;

+ REVERT;

+ ```

+

+1. To revoke UNMASK permissions, use the following T-SQL statements:

+ ```sql

+ REVOKE UNMASK ON Data.Membership(FirstName) FROM ServiceAttendant;

+

+ REVOKE UNMASK ON Data.Membership FROM ServiceLead;

+

+ REVOKE UNMASK ON SCHEMA::Data FROM ServiceManager;

+

+ REVOKE UNMASK ON SCHEMA::Service FROM ServiceManager;

+

+ REVOKE UNMASK FROM ServiceHead;

+ ```

+ Title: Outbound firewall rules

+description: Overview of the outbound firewall rules feature for Azure SQL Database and Azure Synapse Analytics.

+Outbound firewall rules limit network traffic from the Azure SQL [logical server](logical-servers.md) to a customer defined list of Azure Storage accounts and Azure SQL logical servers. Any attempt to access storage accounts or databases not in this list is denied. The following [Azure SQL Database](sql-database-paas-overview.md) features support this feature:

+- [Import/Export service](database-import-export-azure-services-off.md)

+- [OPENROWSET](/sql/t-sql/functions/openrowset-transact-sql)

+- [Bulk Insert](/sql/t-sql/statements/bulk-insert-transact-sql)

+> Outbound firewall rules are defined at the [logical SQL server](logical-servers.md). Geo-replication and Auto-failover groups require the same set of rules to be defined on the primary and all secondaries.

+- For an overview of Azure SQL Database security, see [Securing your database](security-overview.md).

+- For an overview of Azure SQL Database connectivity, see [Azure SQL Connectivity Architecture](connectivity-architecture.md).

+- Learn more about [Azure SQL Database and Azure Synapse Analytics network access controls](network-access-controls-overview.md).

+- Learn about [Azure Private Link for Azure SQL Database and Azure Synapse Analytics](private-endpoint-overview.md).

+ Title: Attach Azure disk pools to Azure VMware Solution hosts (Preview)

+description: Learn how to attach an Azure disk pool surfaced through an iSCSI target as the VMware vSphere datastore of an Azure VMware Solution private cloud. Once the datastore is configured, you can create volumes on it and consume them from your Azure VMware Solution private cloud.

+#Customer intent: As an Azure service administrator, I want to scale my AVS hosts using disk pools instead of scaling clusters. So that I can use block storage for active working sets and tier less frequently accessed data from vSAN to disks. I can also replicate data from on-premises or primary VMware vSphere environment to disk storage for the secondary site.

+[Azure disk pools](../virtual-machines/disks-pools.md) offer persistent block storage to applications and workloads backed by Azure Disks. You can use disks as the persistent storage for Azure VMware Solution for optimal cost and performance. For example, you can scale up by using disk pools instead of scaling clusters if you host storage-intensive workloads. You can also use disks to replicate data from on-premises or primary VMware vSphere environments to disk storage for the secondary site. To scale storage independent of the Azure VMware Solution hosts, we support surfacing [ultra disks](../virtual-machines/disks-types.md#ultra-disks), [premium SSD](../virtual-machines/disks-types.md#premium-ssds) and [standard SSD](../virtual-machines/disks-types.md#standard-ssds) as the datastores.

+> * Set up a secure channel so that Azure Backup Server can communicate with VMware vCenter Server over HTTPS.

+> * Add the vCenter Server to Azure Backup Server.

+By default, Azure Backup Server communicates with VMware vCenter Server over HTTPS. To set up the HTTPS connection, download the VMware certificate authority (CA) certificate and import it on the Azure Backup Server.

+1. After the certificate import is confirmed, sign in to the vCenter Server to confirm that your connection is secure.

+VMware vSphere 6.7 onwards has TLS enabled as the communication protocol.

+## Add the vCenter Server to Azure Backup Server

+1. Specify the IP address of the vCenter Server.

+ :::image type="content" source="../backup/media/backup-azure-backup-server-vmware/add-vmware-server-provide-server-name.png" alt-text="Screenshot showing the Production Server Addition Wizard showing how to add a VMware vCenter Server or ESXi host server and its credentials.":::

+1. In the **SSL Port** box, enter the port used to communicate with the vCenter Server.

+ > Port 443 is the default port, but you can change it if your vCenter Server listens on a different port.

+1. Select **Add** to add the vCenter Server to the servers list, and select **Next**.

+ :::image type="content" source="../backup/media/backup-azure-backup-server-vmware/add-vmware-server-credentials.png" alt-text="Screenshot showing the Production Server Addition Wizard showing the VMware vCenter Server and credentials defined.":::

+1. On the **Summary** page, select **Add** to add the vCenter Server to Azure Backup Server.

+ The new vCenter Server gets added immediately. vCenter Server doesn't need an agent.

+ :::image type="content" source="../backup/media/backup-azure-backup-server-vmware/tasks-screen.png" alt-text="Screenshot showing the Production Server Addition Wizard showing the summary of the VMware vCenter Server and credentials defined and the Add button selected.":::

+ :::image type="content" source="../backup/media/backup-azure-backup-server-vmware/summary-screen.png" alt-text="Screenshot showing the Production Server Addition Wizard showing the summary of the VMware vCenter Server and credentials added.":::

+ You see the vCenter Server listed under **Production Server** with:

+ - The only limit is that you can't have more than 9,999 recovery points per protected instance. In this example, the protected instance is the VMware vCenter Server.

+ :::image type="content" source="../backup/media/restore-azure-backup-server-vmware/recovery-points.png" alt-text="Screenshot showing the available recovery points for VMware vCenter Server.":::

+ > VMware vSphere workloads don't support enabling network bandwidth throttling.

+ :::image type="content" source="../backup/media/restore-azure-backup-server-vmware/vmware-rp-disk.png" alt-text="Screenshot showing the recovery points for VMware vCenter Server.":::

+ In our example, we've selected **Percentage Datastore Disk Used**, which is relevant from an [Azure VMware Solution SLA](https://azure.microsoft.com/support/legal/sla/azure-vmware/v1_1/) perspective.

+# Deploy Azure Traffic Manager to balance Azure VMware Solution workloads

+- **Azure cloud**: For both short-term and long-term storage off-premises, Azure Backup Server data stored in disk pools can be backed up to the Microsoft Azure cloud by using Azure Backup.

+- **Agentless backup:** Azure Backup Server doesn't require an agent to be installed on the vCenter Server or ESXi server to back up the VM. Instead, provide the IP address or fully qualified domain name (FQDN) and the sign in credentials used to authenticate the VMware vCenter Server with Azure Backup Server.

+- **Detect and protect VMs managed by vCenter:** Azure Backup Server detects and protects VMs deployed on a vCenter Server or ESXi hosts. Azure Backup Server also detects VMs managed by vCenter Server so that you can protect large deployments.

+- **Folder-level auto protection:** vCenter Server lets you organize your VMs in VM folders. Azure Backup Server detects these folders. You can use it to protect VMs at the folder level, including all subfolders. When protecting folders, Azure Backup Server protects the VMs in that folder and protects VMs added later. Azure Backup Server detects new VMs daily, protecting them automatically. As you organize your VMs in recursive folders, Azure Backup Server automatically detects and protects the new VMs deployed in the recursive folders.

+Use the [MABS Capacity Planner](https://www.microsoft.com/en-us/download/details.aspx?id=54301) to determine the correct VM size. Based on your inputs, the capacity planner will give you the required memory size and CPU core count. Use this information to choose the appropriate Azure VM size. The capacity planner also provides total disk size required for the VM along with the required disk IOPS. We recommend using a standard SSD disk for the VM. By pooling more than one SSD, you can achieve the required IOPS.

+In this quickstart, you enable Azure Content Delivery Network (CDN) by creating a new CDN profile, which is a collection of one or more CDN endpoints. After you've created a profile and an endpoint, you can start delivering content to your customers.

+> For *Verizon CDN endpoints*, when an endpoint is **disabled** or **stopped** for any reason, all resources configured through the Verizon supplemental portal will be cleaned up. These configurations can't be restored automatically by restarting the endpoint. You will need to make the configuration change again.

+2. On the **Resource group** page, select **Delete resource group**, enter *CDNQuickstart-rg* in the text box, then select **Delete**. This action deletes the resource group, profile, and endpoint that you created in this quickstart.

+A content delivery network (CDN) is a distributed network of servers that can efficiently deliver web content to users. CDNs store cached content on edge servers in point-of-presence (POP) locations that are close to end users, to minimize latency.

+Source pattern | Define the source pattern in the URL path to replace. To match all URL paths, use a forward slash (**/**) as the source pattern value.

+> To check whether your files are being returned compressed, you need to use a tool like [Fiddler](https://www.telerik.com/fiddler) or your browser's [developer tools](https://developer.microsoft.com/microsoft-edge/platform/documentation/f12-devtools-guide/). Check the HTTP response headers returned with your cached CDN content. If there is a header named `Content-Encoding` with a value of **gzip**, **bzip2**, **brotli**, or **deflate**, your content is compressed.

+* Verify the request contains an **Accept-Encoding** header, and the value for that header contains **gzip**, **deflate**, **brotli**, or **bzip2**.

+> At this time, viseme events are available only for [neural voices](language-support.md#text-to-speech).

+Visemes vary by language and locale. Each locale has a set of visemes that correspond to its specific phonemes. The [SSML phonetic alphabets](speech-ssml-phonetic-sets.md) documentation maps viseme IDs to the corresponding International Phonetic Alphabet (IPA) phonemes.

+ Title: Role-based access control for Speech resources - Speech service

+description: Learn how to assign access roles for a Speech resource.

+# Role-based access control for Speech resources

+You can manage access and permissions to your Speech resources with Azure role-based access control (Azure RBAC). Assigned roles can vary across Speech resources. For example, you can assign a role to a Speech resource that should only be used to train a Custom Speech model. You can assign another role to a Speech resource that is used to transcribe audio files. Depending on who can access each Speech resource, you can effectively set a different level of access per application or user. For more information on Azure RBAC, see the [Azure RBAC documentation](../../role-based-access-control/overview.md).

+> [!NOTE]

+> A Speech resource can inherit or be assigned multiple roles. The final level of access to this resource is a combination of all roles permissions from the operation level.

+## Roles for Speech resources

+A role definition is a collection of permissions. When you create a Speech resource, the built-in roles in this table are assigned by default.

+| Role | Can list resource keys | Access to data, models, and endpoints|

+| | | |

+|**Owner** |Yes |View, create, edit, and delete |

+|**Contributor** |Yes |View, create, edit, and delete |

+|**Cognitive Services Contributor** |Yes |View, create, edit, and delete |

+|**Cognitive Services User** |Yes |View, create, edit, and delete |

+|**Cognitive Services Speech Contributor** |No | View, create, edit, and delete |

+|**Cognitive Services Speech User** |No |View only |

+|**Cognitive Services Data Reader (Preview)** |No |View only |

+> [!IMPORTANT]

+> Whether a role can list resource keys is important for [Speech Studio authentication](#speech-studio-authentication). To list resource keys, a role must have permission to run the `Microsoft.CognitiveServices/accounts/listKeys/action` operation. Please note that if key authentication is disabled in the Azure Portal, then none of the roles can list keys.

+Keep the built-in roles if your Speech resource can have full read and write access to the projects.

+For finer-grained resource access control, you can [add or remove roles](../../role-based-access-control/role-assignments-portal.md?tabs=current) using the Azure portal. For example, you could create a custom role with permission to upload Custom Speech datasets, but without permission to deploy a Custom Speech model to an endpoint.

+## Authentication with keys and tokens

+The [roles](#roles-for-speech-resources) define what permissions you have. Authentication is required to use the Speech resource.

+To authenticate with Speech resource keys, all you need is the key and region. To authenticate with an Azure AD token, the Speech resource must have a [custom subdomain](speech-services-private-link.md#create-a-custom-domain-name) and use a [private endpoint](speech-services-private-link.md#turn-on-private-endpoints). The Speech service uses custom subdomains with private endpoints only.

+### Speech SDK authentication

+For the SDK, you configure whether to authenticate with a Speech resource key or Azure AD token. For details, see [Azure Active Directory Authentication with the Speech SDK](how-to-configure-azure-ad-auth.md).

+### Speech Studio authentication

+Once you're signed into [Speech Studio](speech-studio-overview.md), you select a subscription and Speech resource. You don't choose whether to authenticate with a Speech resource key or Azure AD token. Speech Studio gets the key or token automatically from the Speech resource. If one of the assigned [roles](#roles-for-speech-resources) has permission to list resource keys, Speech Studio will authenticate with the key. Otherwise, Speech Studio will authenticate with the Azure AD token.

+If Speech Studio uses your Azure AD token, but the Speech resource doesn't have a custom subdomain and private endpoint, then you can't use some features in Speech Studio. In this case, for example, the Speech resource can be used to train a Custom Speech model, but you can't use a Custom Speech model to transcribe audio files.

+| Authentication credential | Feature availability |

+| | |

+|Speech resource key|Full access limited only by the assigned role permissions.|

+|Azure AD token with custom subdomain and private endpoint|Full access limited only by the assigned role permissions.|

+|Azure AD token without custom subdomain and private endpoint (not recommended)|Features are limited. For example, the Speech resource can be used to train a Custom Speech model or Custom Neural Voice. But you can't use a Custom Speech model or Custom Neural Voice.|

+## Next steps

+* [Azure Active Directory Authentication with the Speech SDK](how-to-configure-azure-ad-auth.md).

+* [Speech service encryption of data at rest](speech-encryption-of-data-at-rest.md).

+For some locales, Speech service defines its own phonetic alphabets, which ordinarily map to the [International Phonetic Alphabet (IPA)](https://en.wikipedia.org/wiki/International_Phonetic_Alphabet). The eight locales that support the Microsoft Speech API (SAPI, or `sapi`) are en-US, fr-FR, de-DE, es-ES, ja-JP, zh-CN, zh-HK, and zh-TW. For those eight locales, you set `sapi` or `ipa` as the `alphabet` in [SSML](speech-synthesis-markup.md#use-phonemes-to-improve-pronunciation).

+Once you have [built a schema](build-schema.md) for your project, you should add training utterances to your project. The utterances should be similar to what your users will use when interacting with the project. When you add an utterance, you have to assign which intent it belongs to. After the utterance is added, label the words within your utterance with the entities in your project. Your labels for entities should be consistent across the different utterances.

+When you enable multiple languages in your project, you must also specify the language of the utterance you're adding. As part of the multilingual capabilities of Conversational Language Understanding, you can train your project in a dominant language, and then predict in the other available languages. Adding examples to other languages increases the model's performance in these languages if you determine it isn't doing well, but avoid duplicating your data across all the languages you would like to support.

+*Section 1* is where you choose which dataset you're viewing. You can add utterances in the training set or testing set.

+Your utterances are split into two sets:

+* Training set: These utterances are used to create your conversational model during training. The training set is processed as part of the training job to produce a trained model.

+* Testing set: These utterances are used to test the performance of your conversation model when the model is created. Testing set is also used to output the evaluation of the model.

+When adding utterances, you have the option to add to a specific set explicitly (training or testing). If you choose to do this you need to set your split type in train model page to **manual split of training and testing data**, otherwise keep all your utterances in the train set and use **Automatically split the testing set from training data**. See [How to train your model](train-model.md#train-model) for more information.

+*Section 2* is where you add your utterances. You must select one of the intents from the drop-down list, the language of the utterance (if applicable), and the utterance itself. Press the enter key in the utterance's text box to add the utterance.

+*Section 3* includes your project's entities and distribution of intents and entities across your training set and testing set.

+You can select the highlight button next to any of the entities you've added, and then hover over the text to label the entities within your utterances, shown in *section 4*. You can also add new entities here by clicking the **+ Add Entity** button.

+When you select your distribution, you can also view tag distribution across:

+* Total instances per tagged entity: The distribution of each of your entities across the training and testing sets.

+* Unique utterances per tagged entity: How your entities are distributed among the different utterances you have.

+* Utterances per intent: The distribution of utterances among intents across your training and testing sets.

+*Section 4* includes the utterances you've added. You can drag over the text you want to label, and a contextual menu of the entities will appear.

+> list and prebuilt components are not shown in the tag utterances page, and all labels here only apply to the learned component.

+After you have completed [tagging your utterances](tag-utterances.md), you can train your model. Training is the process of converting the current state of your project's training data to build a model that can be used for predictions. Every time you train, you must name your training instance.

+To train a model, you need to start a training job. The output of a successful training job is your trained model. Training jobs will be automatically deleted after seven days from creation, but the output trained model will not be deleted.

+The training times can be anywhere from a few seconds when dealing with orchestration workflow projects, up to a couple of hours when you reach the [maximum limit](../service-limits.md) of utterances. Before training, you will have the option to enable evaluation, which lets you view how your model performs.

+## Train model

+1. Go to your project page in Language Studio.

+2. Select **Train** from the left side menu.

+3. Select **Start a training job** from the top menu.

+4. To train a new model, select **Train a new model** and type in the model name in the text box below. You can **overwrite an existing model** by selecting this option and select the model you want from the dropdown below.

+Choose if you want to evaluate and measure your model's performance. The **Run evaluation with training toggle** is enabled by default, meaning you want to measure your model's performance and you will have the option to choose how you want to split your training and testing utterances. You are provided with the two options below:

+* **Automatically split the testing set from training data**: A selected stratified sample from all training utterances according to the percentages that you configure in the text box. The default value is set to 80% for training and 20% for testing. Any utterances already assigned to the testing set will be ignored completely if you choose this option.

+* **Use a manual split of training and testing data**: The training and testing utterances that youΓÇÖve provided and assigned during tagging to create your custom model and measure its performance. Note that this option will only be enabled if you add utterances to the testing set in the tag data page. Otherwise, it will be disabled.

+Click the **Train** button and wait for training to complete. You will see the training status of your training job. Only successfully completed jobs will generate models.

+* [A custom text classification project](create-project.md) with a configured Azure blob storage account,

+You will need to use the REST API. Click on the **REST API** tab above for more information.

+### Get the results for a custom text classification task

+You can train multiple models on the same dataset within the same project. After you have trained your model successfully, you can [view its evaluation](how-to/view-model-evaluation.md). You can [deploy and test](quickstart.md#deploy-your-model) your model within [Language studio](https://aka.ms/languageStudio). You can add or remove tags from your data and train a **new** model and test it as well. View [service limits](service-limits.md)to learn about maximum number of trained models with the same project. When you [train your data](how-to/train-model.md) you can determine how your dataset is split into training and testing sets. You can also have your data split randomly into training and testing set where there is no guarantee that the reflected model evaluation is about the same test set, and the results are not comparable. It's recommended that you develop your own test set and use it to evaluate both models so you can measure improvement.

+* When you [train your model](how-to/train-model.md), you can determine if you want your data to be split randomly into train and test sets. If you do, so there is no guarantee that the reflected model evaluation is on the same test set, so results are not comparable.

+> This guide focuses on data from the [validation set](train-model.md) that was created during training.

+4. To start tagging, click **Add entities** in the top-right corner. You can either view all files or only tagged files by changing the view from the **Viewing** drop down filter.

+ :::image type="content" source="../media/tagging-screen.png" alt-text="A screenshot showing the Language Studio screen for tagging data." lightbox="../media/tagging-screen.png":::

+ In the image above:

+

+ * *Section 1*: is where the content of the text file is displayed and tagging takes place. You have [two options for tagging](#tagging-options) your files.

+

+ * *Section 2*: includes your project's entities and distribution across your files and tags.

+ If you click **Distribution**, you can view your tag distribution across:

+

+ * Files: View the distribution of files across one single entity.

+ * Tags: view the distribution of tags across all files.

+

+ :::image type="content" source="../media/distribution-ner.png" alt-text="A screenshot showing the distribution section." lightbox="../media/distribution-ner.png":::

+

+

+ * *Section 3*: This is the split project data toggle. You can choose to add a selected text file to your training set or the testing set. By default, the toggle is off, and all text files are added to your training set.

+

+To add a text file to a training or testing set, simply choose from the radio buttons to which set it belongs.

+>It is recommended to define your testing set.

+ :::image type="content" source="../media/train-model.png" alt-text="Create a new training job" lightbox="../media/train-model.png":::

+

+If you have enabled [your project data to be split manually](tag-data.md) when you were tagging your data, you will see two training options:

+* **Automatic split the testing**: The data will be randomly split for each class between training and testing sets, according to the percentages you choose. The default value is 80% for training and 20% for testing. To change these values, choose which set you want to change and write the new value.

+* **Use a manual split**: Assign each document to either the training or testing set, this required first adding files in the test dataset.

+6. You can check the status of the training job in the same page. Only successfully completed training jobs will generate models.

+After your model has finished training, you can view the model details and see how well does it perform against the test set, which contains 10% of your data at random, which is created during [training](train-model.md). The test set consists of data that was not introduced to the model during the training process. For the evaluation process to complete there must be at least 10 files in your dataset. You must also have a [custom NER project](../quickstart.md) with a [trained model](train-model.md).

+3. In this page you can only view the successfully trained models. You can click on the model name for more details.

+* Your [training dataset](how-to/train-model.md) should include at least 10 files and not more than 100,000 files.

+* The Authoring API has a maximum of 10 POST requests and 100 GET requests per minute.

+* The Analyze API has a maximum of 20 GET or POST requests per minute.

+* Model names must only contain alphanumeric characters, only letters and numbers, no spaces or special characters are allowed). Model name must have a maximum of 50 characters.

+ Title: Smart URL refresh - question answering

+description: Use the question answering smart URL refresh feature to keep your knowledge base up to date.

+# Use smart URL refresh with a project

+Custom question answering gives you the ability to refresh your source contents by getting the latest content from a source URL and updating the corresponding knowledge base with one click. The service will ingest content from the URL and either create, merge, or delete question-and-answer pairs in the knowledge base.

+This functionality is provided to support scenarios where the content in the source URL changes frequently, such as the FAQ page of a product that's updated often. The service will refresh the source and update the knowledge base to the latest content while retaining any manual edits made previously.

+> [!NOTE]

+> This feature is only applicable to URL sources, and they must be refreshed individually, not in bulk.

+> [!IMPORTANT]

+> This feature is only available in the `2021-10-01` version of the Language API.

+## How it works

+If you have a knowledge base with a URL source that has changed, you can trigger a smart URL refresh to keep your knowledge base up to date. The service will scan the URL for updated content and generate QnA pairs. It will add any new QnA pairs to your knowledge base and also delete any pairs that have disappeared from the source (with exceptions&mdash;see below). It also merges old and new QnA pairs in some situations (see below).

+> [!IMPORTANT]

+> Because smart URL refresh can involve deleting old content from your knowledge base, you may want to [create a backup](./export-import-refresh.md) of your knowledge base before you do any refresh operations.

+You can trigger a URL refresh in Language Studio by opening your project, selecting the source in the **Manage sources** list, and selecting **Refresh URL**.

+You can also trigger a refresh programmatically using the REST API. See the **[Update Sources](/rest/api/cognitiveservices/questionanswering/question-answering-projects/update-sources)** reference documentation for parameters and a sample request.

+## Smart refresh behavior

+When the user refreshes content using this feature, the knowledge base of QnA pairs may be updated in the following ways:

+### Delete old pair

+If the content of the URL is updated so that an existing QnA pair from the old content of the URL is no longer found in the source, that pair is deleted from the refreshed knowledge base. For example, if a QnA pair Q1A1 existed in the old knowledge base, but after refreshing, there's no A1 answer generated by the newly refreshed source, then the pair Q1A1 is considered outdated and is dropped from the knowledge base altogether.

+However, if the old QnA pairs have been manually edited in the authoring portal, they won't be deleted.

+### Add new pair

+If the content of the URL is updated in such a way that a new QnA pair exists which didn't exist in the old KB, then it's added to the KB. For example, if the service finds that a new answer A2 can be generated, then the QnA pair Q2A2 is inserted into the KB.

+### Merge pairs

+If the answer of a new QnA pair matches the answer of an old QnA pair, the two pairs are merged. The new pair's question is added as an alternate question to the old QnA pair. For example, consider Q3A3 exists in the old source. When you refresh the source, a new QnA pair Q3'A3 is introduced. In that case, the two QnA pairs are merged: Q3' is added to Q3 as an alternate question.

+If the old QnA pair has a metadata value, that data is retained and persisted in the newly merged pair.

+

+If the old QnA pair has follow-up prompts associated with it, then the following scenarios may arise:

+* If the prompt attached to the old pair is from the source being refreshed, then it's deleted, and the prompt of the new pair (if any exists) is appended to the newly merged QnA pair.

+* If the prompt attached to the old pair is from a different source, then it's maintained as-is and the prompt from the new question (if any exists) is appended to the newly merged QnA pair.

+#### Merge example

+See the following example of a merge operation with differing questions and prompts:

+|Source iteration|Question |Answer |Prompts |

+||||--|

+|old |"What is the new HR policy?" | "You may have to choose among the following options:" | P1, P2 |

+|new |"What is the new payroll policy?" | "You may have to choose among the following options:" | P3, P4 |

+The prompts P1 and P2 come from the original source and are different from prompts P3 and P4 of the new QnA pair. They both have the same answer, `You may have to choose among the following options:`, but it leads to different prompts. In this case, the resulting QnA pair would look like this:

+|Question |Answer |Prompts |

+|||--|

+|"What is the new HR policy?" </br>(alternate question: "What is the new payroll policy?") | "You may have to choose among the following options:" | P3, P4 |

+#### Duplicate answers scenario

+When the original source has two or more QnA pairs with the same answer (as in, Q1A1 and Q2A1), the merge behavior may be more complex.

+If these two QnA pairs have individual prompts attached to them (for example, Q1A1+P1 and Q2A1+P2), and the refreshed source content has a new QnA pair generated with the same answer A1 and a new prompt P3 (Q1'A1+P3), then the new question will be added as an alternate question to the original pairs (as described above). But all of the original attached prompts will be overwritten by the new prompt. So the final pair set will look like this:

+|Question |Answer |Prompts |

+|||--|

+|Q1 </br>(alternate question: Q1') | A1 | P3 |

+|Q2 </br>(alternate question: Q1') | A1 | P3 |

+## Next steps

+* [Question answering quickstart](/azure/cognitive-services/language-service/question-answering/quickstart/sdk?pivots=studio)

+* [Update Sources API reference](/rest/api/cognitiveservices/questionanswering/question-answering-projects/update-sources)

+### How to send shortened URLs in messages?

+Shortened URLs are a good way to keep messages short and readable. However, US carriers prohibit the use of free publicly available URL shortener services. This is because the ΓÇÿfree-publicΓÇÖ URL shorteners are used by bad-actors to evade detection and get their SPAM messages passed through text messaging platforms. When sending messages in US, we encourage using custom URL shorteners to create URLs with dedicated domain that belongs to your brand. Many US carriers block SMS traffic if they contain publicly available URL shorteners.

+Below is a list with examples of common URL shorteners you should avoid to maximize deliverability:

+- bit.ly

+- goo.gl

+- tinyurl.com

+- Tiny.cc

+- lc.chat

+- is.gd

+- soo.gd

+- s2r.co

+- Clicky.me

+- budurl.com

+- bc.vc

+ Title: Azure Communication Services Pre-Call diagnostics

+description: Overview of Pre-Call Diagnostic APIs

+# Pre-Call diagnostic

+The Pre-Call API enables developers to programmatically validate a clientΓÇÖs readiness to join an Azure Communication Services Call. The Pre-Call APIs can be accessed through the Calling SDK. They provide multiple diagnostics including device, connection, and call quality. Pre-Call APIs are available only for Web (JavaScript). We will be enabling these capabilities across platforms in the future, please provide us feedback on what platforms you would like to see Pre-Call APIs on.

+## Accessing Pre-Call APIs

+To Access the Pre-Call API, you will need to initialize a `callClient` and provision an Azure Communication Services access token. Then you can access the `NetworkTest` feature and run it.

+```javascript

+import { CallClient, Features} from "@azure/communication-calling";

+import { AzureCommunicationTokenCredential } from '@azure/communication-common';

+const tokenCredential = new AzureCommunicationTokenCredential();

+const networkTest = await callClient.feature(Features.NetworkTest).beginTest(tokenCredential);

+```

+Once it finishes running, developers can access the result object.

+## Diagnostic results

+The Pre-Call API returns a full diagnostic of the device including details like device permissions, availability and compatibility, call quality stats and in-call diagnostics. The results are returned as a `CallDiagnosticsResult` object.

+```javascript

+export declare type CallDiagnosticsResult = {

+ deviceAccess: Promise<DeviceAccess>;

+ deviceEnumeration: Promise<DeviceEnumeration>;

+ inCallDiagnostics: Promise<InCallDiagnostics>;

+ browserSupport?: Promise<DeviceCompatibility>;

+ callMediaStatistics?: Promise<MediaStatsCallFeature>;

+};

+```

+Individual result objects can be accessed as such using the `networkTest` constant above.

+### Browser support

+Browser compatibility check. Checks for `Browser` and `OS` compatibility and provides a `Supported` or `NotSupported` value back.

+```javascript

+const browserSupport = await networkTest.browserSupport;

+ if(browserSupport) {

+ console.log(browserSupport.browser)

+ console.log(browserSupport.os)

+ }

+```

+In the case that the test fails and the browser being used by the user is `NotSupported`, the easiest way to fix that is by asking the user to switch to a supported browser. Refer to the supported browsers in our [documentation](./calling-sdk-features.md#javascript-calling-sdk-support-by-os-and-browser).

+### Device access

+Permission check. Checks whether video and audio devices are available from a permissions perspective. Provides `boolean` value for `audio` and `video` devices.

+```javascript

+ const deviceAccess = await networkTest.deviceAccess;

+ if(deviceAccess) {

+ console.log(deviceAccess.audio)

+ console.log(deviceAccess.video)

+ }

+```

+In the case that the test fails and the permissions are false for audio and video, the user shouldn't continue into joining a call. Rather you will need to prompt the user to enable the permissions. To do this, it is best to provide specific instruction on how to access permission access based on the OS, version and browser they are on. For more information on permissions check out our [recommendations](https://techcommunity.microsoft.com/t5/azure-communication-services/checklist-for-advanced-calling-experiences-in-mobile-web/ba-p/3266312).

+### Device enumeration

+Device availability. Checks whether microphone, camera and speaker devices are detected in the system and ready to use. Provides an `Available` or `NotAvailable` value back.

+```javascript

+ const deviceEnumeration = await networkTest.deviceEnumeration;

+ if(deviceEnumeration) {

+ console.log(deviceEnumeration.microphone)

+ console.log(deviceEnumeration.camera)

+ console.log(deviceEnumeration.speaker)

+ }

+```

+In the case that devices are not available, the user shouldn't continue into joining a call. Rather the user should be prompted to check device connections to ensure any headsets, cameras or speakers are properly connected. For more information on device management check out our [documentation](../../how-tos/calling-sdk/manage-video.md?pivots=platform-web#device-management)

+### InCall diagnostics

+Performs a quick call to check in-call metrics for audio and video and provides results back. Includes connectivity (`connected`, boolean), bandwidth quality (`bandWidth`, `'Bad' | 'Average' | 'Good'`) and call diagnostics for audio and video (`diagnostics`). Diagnostic are provided `jitter`, `packetLoss` and `rtt` and results are generated using a simple quality grade (`'Bad' | 'Average' | 'Good'`).

+```javascript

+ const inCallDiagnostics = await networkTest.inCallDiagnostics;

+ if(inCallDiagnostics) {

+ console.log(inCallDiagnostics.connected)

+ console.log(inCallDiagnostics.bandWidth)

+ console.log(inCallDiagnostics.diagnostics.audio)

+ console.log(inCallDiagnostics.diagnostics.video)

+ }

+```

+At this step, there are multiple failure points to watch out for:

+- If connection fails, the user should be prompted to recheck their network connectivity. Connection failures can also be attributed to network conditions like DNS, Proxies or Firewalls. For more information on recommended network setting check out our [documentation](network-requirements.md).

+- If bandwidth is `Bad`, the user should be prompted to try out a different network or verify the bandwidth availability on their current one. Ensure no other high bandwidth activities might be taking place.

+### Media stats

+For granular stats on quality metrics like jitter, packet loss, rtt, etc. `callMediaStatistics` are provided as part of the `NetworkTest` feature. You can subscribe to the call media stats to get full collection of them.

+## Pricing

+When the Pre-Call diagnostic test runs, behind the scenes it uses calling minutes to run the diagnostic. The test lasts for roughly 1 minute, using up 1 minute of calling which is charged at the standard rate of $0.004 per participant per minute. For the case of Pre-Call diagnostic, the charge will be for 1 participant x 1 minutes = $0.004.

+## Next steps

+This feature is currently in private preview. Please provide feedback on the API design, capabilities and pricing. Feedback is key for the team to move forward and push the feature into public preview and general availability.

+* [Enable analytical store in an existing container](#update-analytical-ttl)

+* [Optional - Update analytical store ttl for a container](#update-analytical-ttl)

+* [Optional - Disable analytical store in a container](#disable-analytical-store)

+## <a id="update-analytical-ttl"></a> Enable analytical store in an existing container

+## <a id="disable-analytical-store"></a> Optional - Disable analytical store in a container

+Analytical store can be disabled in SQL API containers using PowerShell, by updating `-AnalyticalStorageTtl` (analytical Time-To-Live) to `0`. Please note that currently this action can't be undone. If analytical store is disabled in a container, it can never be re-enabled.

+Currently you can't be disabled in MongoDB API collections.

+Currently, you can restore the Azure Cosmos DB account for SQL API or MongoDB contents point in time to another account via the [Azure portal](restore-account-continuous-backup.md#restore-account-portal), the [Azure CLI](restore-account-continuous-backup.md#restore-account-cli) (az CLI), [Azure PowerShell](restore-account-continuous-backup.md#restore-account-powershell), or [Azure Resource Manager templates](restore-account-continuous-backup.md#restore-arm-template). Table API or Gremlin APIs are in preview and supported through [Azure CLI](restore-account-continuous-backup.md#restore-account-cli) (az CLI) and [Azure PowerShell](restore-account-continuous-backup.md#restore-account-powershell).

+* Azure Cosmos DB APIs for SQL and MongoDB are supported for continuous backup. Cassandra API is not supported at present

+* Table API and Gremlin API are in preview and supported via PowerShell and Azure CLI.

+This article describes how to get the [latest restorable timestamp](latest-restore-timestamp-continuous-backup.md) for accounts with continuous backup mode. It explains how to get the latest restorable time for SQL containers, Table API Tables (in Preview), Graph API graphs(in Preview), and MongoDB collections using Azure PowerShell and Azure CLI. You can see the request and response format for the PowerShell and CLI commands.

+## Gremlin Graph Backup information

+### PowerShell

+```powershell

+Get-AzCosmosDBGremlinGraphBackupInformation `

+ -AccountName <System.String> `

+ -GremlinDatabaseName <System.String> `

+ [-DefaultProfile <Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer>] `

+ -Location <System.String> `

+ -Name <System.String> `

+ -ResourceGroupName <System.String> [<CommonParameters>]

+```

+**Sample request:**

+```powershell

+Get-AzCosmosDBGremlinGraphBackupInformation `

+ -ResourceGroupName "rg" `

+ -AccountName "amisigremlinpitracc1" `

+ -GremlinDatabaseName "db1" `

+ -Name "graph1" `

+ -Location "eastus"

+```

+**Sample response (In UTC Format):**

+```console

+LatestRestorableTimestamp

+-

+3/1/2022 2:19:14 AM

+```

+### CLI

+```azurecli

+az cosmosdb gremlin retrieve-latest-backup-time \

+ -g {resourcegroup} \

+ -a {accountname} \

+ -d {db_name} \

+ -c {graph_name} \

+ -l {location}

+```

+**Sample request:**

+```azurecli

+az cosmosdb gremlin retrieve-latest-backup-time \

+ -g "rg" \

+ -a "amisigremlinpitracc1" \

+ -d "db1" \

+ -c "graph1" \

+ -l "eastus"

+```

+**Sample response:**

+```console

+{

+ "continuousBackupInformation": {

+ "latestRestorableTimestamp": "3/2/2022 5:31:13 AM"

+ }

+}

+```

+## Table Backup information

+### PowerShell

+```powershell

+Get-AzCosmosDBTableBackupInformation `

+ -AccountName <System.String> `

+ [-DefaultProfile <Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer>] `

+ -Location <System.String> `

+ -Name <System.String> `

+ -ResourceGroupName <System.String> [<CommonParameters>]

+```

+**Sample request:**

+```powershell

+Get-AzCosmosDBTableBackupInformation `

+ -ResourceGroupName "rg" `

+ -AccountName "amisitablepitracc1" `

+ -Name "table1" `

+ -Location "eastus"

+```

+**Sample response (In UTC Format):**

+```console

+LatestRestorableTimestamp

+-

+3/2/2022 2:19:15 AM

+```

+### CLI

+```azurecli

+az cosmosdb table retrieve-latest-backup-time \

+ -g {resourcegroup} \

+ -a {accountname} \

+ -c {table_name} \

+ -l {location}

+```

+**Sample request:**

+```azurecli

+az cosmosdb table retrieve-latest-backup-time \

+ -g "rg" \

+ -a "amisitablepitracc1" \

+ -c "table1" \

+ -l "eastus"

+```

+**Sample response:**

+```console

+{

+ "continuousBackupInformation": {

+ "latestRestorableTimestamp": "3/2/2022 5:33:47 AM"

+ }

+}

+```

+By default, the API only works at the container level, but it can be easily extended to work at the database or account level. This article helps you understand the semantics of latest restorable timestamp api, how it gets calculated and use cases for it. To learn more, see [how to get the latest restore timestamp](get-latest-restore-timestamp.md) for SQL, Table (preview), Graph API (preview), and MongoDB accounts.

+* How to work with the Azure Cosmos DB service using the [Azure Cosmos DB Java SDK](https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/cosmos/azure-cosmos).

+# Azure Cosmos DB Async Java SDK for SQL API (legacy): Release notes and resources

+> * [Async Java SDK v2 (legacy)](sql-api-sdk-async-java.md)

+> * [Sync Java SDK v2 (legacy)](sql-api-sdk-java.md)

+> * [Spring Data v2 (legacy)](sql-api-sdk-java-spring-v2.md)

+To learn more about Cosmos DB, see [Microsoft Azure Cosmos DB](https://azure.microsoft.com/services/cosmos-db/) service page.

+# Spring Data Azure Cosmos DB v2 for Core (SQL) API (legacy): Release notes and resources

+> * [Async Java SDK v2 (legacy)](sql-api-sdk-async-java.md)

+> * [Sync Java SDK v2 (legacy)](sql-api-sdk-java.md)

+> * [Spring Data v2 (legacy)](sql-api-sdk-java-spring-v2.md)

+Learn more about [Spring Data](https://spring.io/projects/spring-data).

+# Azure Cosmos DB Java SDK for SQL API (legacy): Release notes and resources

+> * [Async Java SDK v2 (legacy)](sql-api-sdk-async-java.md)

+> * [Sync Java SDK v2 (legacy)](sql-api-sdk-java.md)

+> * [Spring Data v2 (legacy)](sql-api-sdk-java-spring-v2.md)

+**Account overview** - The report shows the current billing month summary of information, including:

+ Title: View amortized reservation costs

+description: This article helps you understand what amortized reservation costs are and how to view them in cost analysis.

+# View amortized reservation costs

+This article helps you understand what amortized reservation costs are and how to view them in cost analysis. When you buy a reservation, you're normally committing to a one-year or three-years plan to save money compared to pay-as-you-go costs. You can choose to pay for the reservation up front or with monthly payments. If you pay up front, the one-time payment is charged to your subscription. If your organization needs to charge back or show back partial costs of the reservation to users or departments that use it, then you might need to determine what the monthly or daily cost of the reservation is. _Amortization_ is the process of breaking the one-time cost into periodic costs.

+However, if your organization doesn't charge back or show back reservation use to the users or departments that use them, then you might not need to worry about amortized costs.

+## How Azure calculates amortized costs

+To understand how amortized costs are shown in cost analysis, let's look at some examples.

+First, let's look at a one-year virtual machine reservation that was purchased on January 1. Depending on your view, instead of seeing a $365 purchase on January 1, 2022, you'll see a $1.00 purchase every day from January 1, 2022 to December 31, 2022. In addition to basic amortization, the costs are also reallocated and associated to the specific resources that used the reservation. For example, if the $1.00 daily charge was split between two virtual machines, you'd see two $0.50 charges for the day. If part of the reservation isn't utilized for the day, you'd see one $0.50 charge associated with the applicable virtual machine and another $0.50 charge with a charge type of _UnusedReservation_. Unused reservation costs can be seen only when viewing amortized cost.

+Now, let's look at a one-year reservation purchased at some other point in a month. For example, if you buy a reservation on May 26, 2022 with an upfront payment, the amortized cost is divided by 365 (assuming it's not a leap year) and spread from May 26, 2022 through May 25, 2023. In this example, the daily cost would be the same for every day. However, the monthly cost will vary because of the varying number of days in a month. Also, if the reservation period includes a leap year, costs for the leap year are divided evenly by 366.

+If you pay monthly, the monthly fee is divided by the number of days in that month and spread evenly across May 26, 2022 through June 25, 2022, with the next month's fee spread across June 26, 2022 through July 25, 2022, and so on. An upfront (one time) reservation purchase is shown as an example in this article. However, the amortization of daily costs is the same as a reservation bought with monthly payments.

+Because of the change in how costs are represented, it's important to note that actual cost and amortized cost views will show different total numbers. Depending on your view in Cost analysis, the total cost of months with a reservation purchase will decrease when viewing amortized costs, and months following a reservation purchase will increase. Amortization is available only for reservation purchases and doesn't apply to Azure Marketplace purchases currently.

+## Metrics affect how costs are shown

+In Cost analysis, you view costs with a metric. They include Actual cost and Amortized cost. Each metric affects how data is shown for your reservation charges.

+**Actual cost** - Shows the purchase as it appears on your bill. For example, if you bought a one-year reservation for $1200 in January 2022, cost analysis shows a $1200 cost in the month of January for the reservation. It doesn't show a reservation cost for other months of the year. If you group your actual costs by VM, then a VM that received the reservation benefit for a given month would have zero cost for the month.

+**Amortized cost** - Shows a reservation purchase split as an amortized cost over the duration of the reservation term. With the same example above, cost analysis shows a different amount for each month depending on the number of days in the month. If you group costs by VM in this example, you'd see cost attributed to each VM that received the reservation benefit. However, _used reservation_ costs are attributed to the subscription used to buy the reservation because the unused portion isn't attributable to any specific resource or subscription.

+## View amortized costs

+By default, cost analysis shows charges as they appear on your bill. The charges are shown as actual costs or amortized over the course of your reservation period.

+> [!NOTE]

+> You can buy a reservation with a pay-as-you-go (MS-AZR-0003P) subscription. However, Cost Analysis doesn't support viewing amortized reservation costs for a pay-as-you-go subscription.

+Depending on the view you use in cost analysis, you'll see different reservation costs. For example:

+When you use the **DailyCosts** view with a date filter applied, you'll easily see when a reservation was purchased with an increase in actual daily costs. If you try to view costs with the **Amortized cost** metric, you'll see the same results as **Actual Cost**.

+Let's look at an example one-year reservation purchased for $12,016.00, purchased on October 23, 2019. The term ends on October 23, 2020, and a leap year day is included in the term, so the term's duration is 366 days.

+In the Azure portal, navigate to cost analysis for your scope. For example, **Cost Management** > **Cost analysis**.

+1. Select a date range that includes a period of the reservation term.

+2. Add a filter for **Pricing Model: Reservation** to see only reservation costs.

+3. Then, set **Granularity** to **Daily**. Here's an example showing the purchase with the date range set from October through November 2019.

+ :::image type="content" source="./media/reservation-amortization/reservation-purchase.png" alt-text="Screenshot showing a reservation purchase in Cost analysis." lightbox="./media/reservation-amortization/reservation-purchase.png" :::

+4. Under **Scope** and next to the cost shown, select the down arrow symbol and then select **Amortized cost** metric. Here's an example showing the daily cost of all reservations for the selected date range. For the highlighted day, the daily cost is about $37.90. Azure accounts for costs to further decimal places, but only shows costs to two decimal places.

+ :::image type="content" source="./media/reservation-amortization/daily-cost-all-reservations-amortized.png" alt-text="Screenshot showing daily amortized cost for all reservations in Cost analysis." lightbox="./media/reservation-amortization/daily-cost-all-reservations-amortized.png" :::

+5. If you have multiple reservations (the example above does), then use the **Group by** list to group the results by **Reservation name**. Here's an example showing the daily amortized cost of the reservation named `VM_WUS_DS3_Upfront` for $32.83. In this example, Azure determined the cost by: $12,016 / 366 = $32.83 per day. Because the reservation term includes a leap year (2020), 366 is used to divide the total cost, not 365.

+ :::image type="content" source="./media/reservation-amortization/daily-cost-amortized-specific-reservation.png" alt-text="Screenshot showing the daily amortized cost for a specific reservation in Cost analysis." lightbox="./media/reservation-amortization/daily-cost-amortized-specific-reservation.png" :::

+6. Next, change the **Granularity** to **Monthly** and expand the date range. The following example shows varying monthly costs for reservations. The cost varies because the number of days in each month differs. November has 30 days, so the daily cost of $32.83 \* 30 = ~$984.90.

+ :::image type="content" source="./media/reservation-amortization/monthly-cost-amortized-reservations.png" alt-text="Screenshot showing the monthly amortized cost for a specific reservation in Cost analysis." lightbox="./media/reservation-amortization/monthly-cost-amortized-reservations.png" :::

+## View reservation resource amortized costs

+To charge back or show back costs for a reservation, you need to know which resources used a reservation. Use the following steps to see amortized costs for individual resources. In this example, we'll examine November 2019, which was the first month of full reservation use.

+1. Select a date range in the reservation term where you want to view resources that used the reservation.

+2. Add a filter for **Pricing Model: Reservation** to see only reservation costs.

+3. Set **Granularity** to **Monthly**.

+4. Under **Scope** and next to the cost shown, select the down arrow symbol and then select the **Amortized** cost metric.

+5. If you have multiple reservations, use the **Group by** list to group the results by **Reservation name**.

+6. In the chart, select a reservation. A filter is added for the reservation name.

+7. In the **Group by** list, select **Resource**. The chart shows the resources that used the reservation. In the following example image, November 2019 had eight resources that used the reservation. There's one unused item, which is the subscription that was used to buy the reservation.

+ :::image type="content" source="./media/reservation-amortization/reservation-cost-resource-chart.png" alt-text="Screenshot showing the amortized cost of all the reservations for a specific month." lightbox="./media/reservation-amortization/reservation-cost-resource-chart.png" :::

+8. To see the cost more easily for individual resources, select **Table** in the chart list. Expand items as needed. Here's an example for November 2019 showing the amortized reservation costs for the eight resources that used the reservation. The highlighted cost is the unused portion of the reservation.

+ :::image type="content" source="./media/reservation-amortization/reservation-cost-resource-table.png" alt-text="Screenshot showing the amortized cost of all resources that used a reservation for a specific month." lightbox="./media/reservation-amortization/reservation-cost-resource-table.png" :::

+Another easy way to view reservation amortized cost is to use the **Reservations** preview view. To easily navigate to it, in Cost analysis in the top menu under **Cost by resource**, select the **Reservations (preview)** view.

+## Next steps

+- Read [Charge back Azure Reservation costs](charge-back-usage.md) to learn more about charge back processes.

+- [New Defender for Servers plans](#new-defender-for-servers-plans)

+- [Relocation of custom recommendations](#relocation-of-custom-recommendations)

+### Relocation of custom recommendations

+Custom recommendations are those created by users and have no impact on the secure score. The custom recommendations can now be found under the All recommendations tab.

+Use the new "recommendation type" filter, to locate custom recommendations.

+Learn more in [Create custom security initiatives and policies](custom-security-policies.md).

+- [Legacy implementation of ISO 27001 replaced with new ISO 27001:2013 initiative](#legacy-implementation-of-iso-27001-replaced-with-new-iso-270012013-initiative)

+### Legacy implementation of ISO 27001 replaced with new ISO 27001:2013 initiative

+ | **Minimum** | To support up to 1 Gbps: <br><br>- 4 CPUs, each with 2.4 GHz or more<br>- 16 GB RAM of DDR4 or better<br>- 250 GB HDD |

+After you exhaust your available credit or reach the end of 12 months, your Azure subscription becomes disabled.

+If you've reached the end of your 12 months and are still a student, you'll be able to renew your Azure for Students offer.

+We'll notify you shortly before your 12-month anniversary to let you know how to renew.

+If your student status is no longer valid after the offer expired, you will not be able to renew.

+In such case, if you wish to continue using Azure services, you may upgrade to a pay-as-you-go subscription in the Azure portal.

+- [Microsoft Learn: a free online learning platform](/learn/)

+Contact the Event Grid team at [GridPartner@microsoft.com](mailto:GridPartner@microsoft.com) communicating your interest in becoming a partner. We'll have a conversation with you providing detailed information on Partner EventsΓÇÖ use cases, personas, onboarding process, functionality, pricing, and more.

+> [!NOTE]

+> IPv6 support for ExpressRoute Global Reach is now in Public Preview.

+1. Select the **Overview** tab of your ExpressRoute circuit and then select **Add Global Reach** to open the *Add Global Reach* configuration page.

+ :::image type="content" source="./media/expressroute-howto-set-global-reach-portal/overview.png" alt-text="Screenshot of ExpressRoute overview page.":::

+1. On the *Add Global Reach* configuration page, give a name to this configuration. Select the *ExpressRoute circuit* you want to connect this circuit to and enter in a **/29 IPv4** for the *Global Reach IPv4 subnet*. We use IP addresses in this subnet to establish connectivity between the two ExpressRoute circuits. DonΓÇÖt use the addresses in this subnet in your Azure virtual networks, private peering subnet, or on-premises network. Select **Add** to add the circuit to the private peering configuration.

+ > [!NOTE]

+ > IPv6 support for ExpressRoute Global Reach is now in Public Preview. If you want to enable this feature for test workloads, select "Both" for the *Subnets* field and include a **/125 IPv6** subnet for the *Global Reach IPv6 subnet*.

+ :::image type="content" source="./media/expressroute-howto-set-global-reach-portal/add-global-reach-configuration.png" alt-text="Screenshot of adding Global Reach in Overview tab.":::

+1. Select the **Overview** tab of ExpressRoute circuit 1. Select **Add Global Reach** to open the *Add Global Reach* configuration page.

+ :::image type="content" source="./media/expressroute-howto-set-global-reach-portal/overview.png" alt-text="Screenshot of Global Reach button on the overview page.":::

+1. On the *Add Global Reach* configuration page, give a name to this configuration. Check the **Redeem authorization** box. Enter the **Authorization Key** and the **ExpressRoute circuit ID** generated and obtained in Step 1. Then provide a **/29 IPv4** for the *Global Reach IPv4 subnet*. We use IP addresses in this subnet to establish connectivity between the two ExpressRoute circuits. DonΓÇÖt use the addresses in this subnet in your Azure virtual networks, or in your on-premises network. Select **Add** to add the circuit to the private peering configuration.

+ > [!NOTE]

+ > IPv6 support for ExpressRoute Global Reach is now in Public Preview. If you want to enable this feature for test workloads, select "Both" for the *Subnets* field and include a **/125 IPv6** subnet for the *Global Reach IPv6 subnet*.

+Verify the Global Reach configuration by reviewing the list of Global Reach connections in the **Overview** tab of your ExpressRoute circuit. When configured correctly your configuration should look as follows:

+To disable connectivity between an individual circuit, select the delete button to the right of the Global Reach connection to remove connectivity between them. Then select **Save** to complete the operation.

+ SP_ID=$(az ad sp create --id 205478c0-bd83-4e1b-a9d6-db63a3e1e1c8 --query objectId -o tsv)

+ az role assignment create --assignee $SP_ID --role Contributor

+Azure Front Door private link is available in the following regions:

+ | Name | Enter a name to identify this custom origin. |

+ | Origin Type | Custom |

+ | ID/alias | If you select **By ID or alias**, specify the resource ID of the Private Link Service resource you want to enable private link to. |

+ Describes an Azure architecture which is achieved by deploying the C A F Foundation blueprint. It's applicable to a subscription with resource groups which consists of a storage account for storing logs, Log Analytics configured to store in the storage account. It also depicts Azure Key Vault configured with Microsoft Defender for Cloud standard setup. All these core infrastructures are accessed using Azure Active Directory and enforced using Azure Policy.

+- Deploy [Microsoft Defender for Cloud](../../../../security-center/security-center-introduction.md) (standard

+ - Enable Monitoring in Microsoft Defender for Cloud (100+ policy definitions)

+ Support for subscription management and billing is included with your Microsoft Azure subscription. Technical support is available through the [Azure Support Plans](https://azure.microsoft.com/support/plans/).

+The following three minute video explains why you should start with IoT Central:

+> [!VIDEO https://aka.ms/docs/player?id=1c6d5f00-a66f-4ff9-a681-4e04614d70b4]

+This article shows how to create a managed identity in the Azure portal. You can also use the Azure CLI to create a manged identity. To learn more, see [Assign a managed identity access to a resource using Azure CLI](../../active-directory/managed-identities-azure-resources/howto-assign-access-cli.md).

+This article shows how to create a managed identity in the Azure portal. You can also use the Azure CLI to create a manged identity. To learn more, see [Assign a managed identity access to a resource using Azure CLI](../../active-directory/managed-identities-azure-resources/howto-assign-access-cli.md).

+This article shows how to create a managed identity in the Azure portal. You can also use the Azure CLI to create a manged identity. To learn more, see [Assign a managed identity access to a resource using Azure CLI](../../active-directory/managed-identities-azure-resources/howto-assign-access-cli.md).

+The following video walks you through exporting data to Azure Data Explorer:

+> [!VIDEO https://aka.ms/docs/player?id=9e0c0e58-2753-42f5-a353-8ae602173d9b]

+### Connection options

+Azure Data Explorer destinations let you configure the connection with a *service principal* or a [managed identity](../../active-directory/managed-identities-azure-resources/overview.md).

+Use the **Devices** page to monitor and manage your devices.

+The following video walks you through monitoring device connectivity status:

+> [!VIDEO https://aka.ms/docs/player?id=75d0de58-9cc0-4505-9fa1-a0a7da8bb466]

+The following video walks you through the data mapping process:

+> [!VIDEO https://aka.ms/docs/player?id=d8e684a7-deda-47d1-9d6c-36939adc57bb]

+The following video introduces you to IoT Central data transformations:

+> [!VIDEO https://aka.ms/docs/player?id=f1752a73-89e6-42c2-8298-e9d6ce212daa]

+You can quickly deploy a new IoT Central application and then customize it to your specific requirements. Application templates in Azure IoT Central are a tool to help you kickstart your IoT solution development. You can use application templates for everything from getting a feel for what is possible, to fully customizing your application to resell to your customers.

+See the [Use your smartphone as a device to send telemetry to an IoT Central application](quick-deploy-iot-central.md) quickstart to learn how to create your first application and connect a device.

+After you create your application, the next step is to create and connect devices. The following video walks you through the process of connecting a device to an IoT Central application:

+> [!VIDEO https://aka.ms/docs/player?id=66834fbb-7006-4f2b-b73f-540239fd2784]

+Every device connected to IoT Central uses a _device template_. A device template is the blueprint that defines the characteristics and behavior of a type of device such as the:

+ symmetric_key = { value = "PASTE_YOUR_PRIMARY_KEY_OR_DERIVED_KEY_HERE" }

+The IoT Edge hub module acts like IoT Hub, so it can handle connections from other devices that have an identity with the same IoT hub. This type of gateway pattern is called *transparent* because messages can pass from downstream devices to IoT Hub as though there were not a gateway between them.

+> [!NOTE]

+> In IoT Edge version 1.1 and older, IoT Edge devices cannot be downstream of an IoT Edge gateway.

+> Beginning with version 1.2 of IoT Edge, transparent gateways can handle connections from downstream IoT Edge devices. For more information, switch to the [IoT Edge 1.2](?view=iotedge-2020-11&preserve-view=true) version of this article.

+> [!NOTE]

+> Setting the parent device in IoT Hub used to be an optional step for downstream devices that use symmetric key authentication. However, starting with version 1.1.0 every downstream device must be assigned to a parent device.

+> You can configure the IoT Edge hub to go back to the previous behavior by setting the environment variable **AuthenticationMode** to the value **CloudAndScope**.

+| Rattle | <span class='red-x'>&#10060;</span> | <span class='red-x'>&#10060;</span> | |

+| [Blob FUSE driver](https://github.com/Azure/azure-storage-fuse) | <span class='red-x'>&#10060;</span> | <span class='red-x'>&#10060;</span></br> | [blobfuse on the DSVM](./dsvm-tools-ingestion.md#blobfuse) |

+* Python3.8-default</br>ΓÇ»

+* Python3.8-Tensorflow-Pytorch</br>ΓÇ»

+* Python3.8-AzureML</br>ΓÇ»

+* Julia 1.6.0</br>ΓÇ»

+* Python3.8-defaultΓÇ» </br>

+* Python3.8-Tensorflow-PytorchΓÇ»</br>

+* Python3.8-AzureMLΓÇ» </br>

+When creating a workspace, you can bring your own [user-assigned managed identity](../active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-cli.md) that will be used to access the associated resources: ACR, KeyVault, Storage, and App Insights.

+> [!IMPORTANT]

+> When creating workspace with user-assigned managed identity, you must create the associated resources yourself, and grant the managed identity roles on those resources. Use the [role assignment ARM template](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.machinelearningservices/machine-learning-dependencies-role-assignment) to make the assignments.

+Use Azure CLI or Python SDK to create the workspace. When using the CLI, specify the ID using the `--primary-user-assigned-identity` parameter. When using the SDK, use `primary_user_assigned_identity`. The following are examples of using the Azure CLI and Python to create a new workspace using these parameters:

+## Limitations

+The steps in this article put Azure Container Registry behind the VNet. In this configuration, you can't deploy models to Azure Container Instances inside the VNet. For more information, see [Secure the inference environment](how-to-secure-inferencing-vnet.md).

+> [!IMPORTANT]

+> The steps in this article put Azure Container Registry behind the VNet. In this configuration, you cannot deploy a model to Azure Container Instances inside the VNet. We do not recommend using Azure Container Instances with Azure Machine Learning in a virtual network. For more information, see [Secure the inference environment](how-to-secure-inferencing-vnet.md).

+Create and manage private offers from the **Private offers** dashboard in Partner CenterΓÇÖs left-nav menu. This dashboard has two tabs:

+- **Customers**: Create a private offer for a customer in Azure Marketplace. See [ISV to customer private offers](isv-customer.md).

+- **CSP partners**: Create a private offer for a CSP partner in Azure Marketplace. This opens the **CSP Partner** private offer dashboard, which lets you:

+## Create a private offer for a CSP partner

+### Offer setup

+2. Provide up to five emails as **Notification Contacts** to receive email updates on the status of your private offer. These emails are sent when your private offer moves to **Live**, **Ended**, or is **Withdrawn**.

+3. Configure the percentage-based margins or absolute **Pricing** for up to ten offers/plans in a private offer.

+ - *Percentage-based* margin can be given at an offer level so it applies to all plans within the offer, or it can be given only for a specific plan. The margin the CSP partner receives will be a percentage off your plan's list price in the marketplace.

+ - *Absolute price* can be used to specify a price point higher, lower, or equal to the publicly listed plan price; it can only be applied at a plan level and does not apply to Virtual Machine offer types. You can only customize the price based on the same pricing model, billing term, and dimensions of the public offer; you cannot change to a new pricing model or billing term or add dimensions.<br><br>

+ 1. Select **+ Add Offers/plans** to choose the offers/plans you want to provide a private offer for.

+ 1. Choose to provide a custom price or margin at either an offer level (all current and future plans under that offer will have a margin associated to it) or at a plan level (only the plan you selected will have a private price associated with it).

+ 1. Choose up to ten offers/plans and select **Add**.

+ 1. Enter the margin percentage or configure the absolute price for each item in the pricing table.

+### Review and submit

+This page is where you can review all the information you've provided. Once submitted, private offers cannot be modified. Ensure your information is accurate.

+- **Draft** ΓÇô You have started the process of creating a private offer but have not yet submitted it.

+- **In Progress** ΓÇô You have submitted a private offer and it is currently being published in our systems.

+- **Live** ΓÇô Your private offer is discoverable and transactable by CSP partners.

+- **Ended** ΓÇô Your private offer has expired or passed its end date.

+- **CSP partner authorization in progress** ΓÇô We are currently authorizing the given CSP partner to be able to sell your offer.

+- **Private offer publish in progress** ΓÇô We are currently publishing the given CSP partner's private price.

+- **Live** ΓÇô The private offer is now Live for this CSP partner.

+ Title: Configure ISV to customer private offers in Microsoft Partner Center for Azure Marketplace

+description: Configure ISV to customer private offers in Microsoft Partner Center for Azure Marketplace.

+# ISV to customer private offers

+Private offers allow publishers and customers to transact one or more products in Azure Marketplace by creating time-bound pricing with customized terms. This article explains the requirements and steps for a publisher to create a private offer for a customer in Azure Marketplace. Private offers aren't yet available in Microsoft AppSource.

+This is what the private offer experience looks like from the publisher's perspective:

+This is what the private offer experience looks like from the customer's perspective:

+## Benefits of private offers

+Private offers provide new deal-making capabilities to the marketplace that can't be achieved with private plans.

+- **Time-bound discount** ΓÇô Specify a start/end date for the discounted price. When the private offer ends, customers fall back to the publicly listed price.

+- **Custom terms and contract upload** ΓÇô Extend unique terms to each customer privately. By accepting your offer, the customer is accepting your terms. Attaching a PDF of your contract to the private offer is easy; no more plain text or amending the Microsoft Standard Contract.

+- **Send by email** ΓÇô Rather than coaching customers on where to find their offer in the Azure portal, email customers a link directly to their private offer. Save time by sending this email to anyone in the customer's company responsible for accepting the offer.

+- **Deals expire** ΓÇô Add urgency to the sales process by specifying the date by which the customer must accept the offer or it expires.

+- **Faster arrival** ΓÇô Private offers are available for purchase within 15 minutes (private plans take up to 48 hours to arrive).

+- **Bundle discounts** ΓÇô Select multiple products/plans to receive a discount; customers can accept the private offer for all of them at once.

+- **Target a company** ΓÇô Private offers are sent to an organization, not a tenant.

+## Private offer prerequisites

+Creating a private offer for a customer has these prerequisites:

+- You've created a [commercial marketplace account](create-account.md) in Partner Center.

+- Your account is enrolled in the commercial marketplace program.

+- The offer you want to sell privately has been published to the marketplace and is publicly transactable.

+## Supported offer types

+Private Offers can be created for all transactable marketplace offer types: SaaS, Azure Virtual Machines, and Azure Applications.

+> [!NOTE]

+> Discounts are applied on all custom meter dimensions your offer may use. They are only applied on the software charges set by you, not on the associated Azure infrastructure hardware charges.

+## Private offers dashboard

+Create and manage private offers from the **Private Offers** dashboard in Partner Center's left-nav menu. This dashboard has two tabs:

+- **Customers** ΓÇô Create a private offer for a customer in Azure Marketplace. This opens the Customers private offer dashboard, which lets you:

+ - Create new private offers

+ - View the status of all your private offers

+ - Clone existing private offers

+ - Withdraw private offers

+ - Delete private offers

+- **CSP Partners** ΓÇô Create a private offer for a CSP partner. See [ISV to CSP partner private offers](isv-csp-reseller.md).

+ The **Customers** tab looks like this:

+ :::image type="content" source="media/isv-customer/customer-tab.png" alt-text="Shows the private offers customer tab in Partner Center.":::

+## Create a private offer for a customer

+1. Sign in to [Partner Center](https://partner.microsoft.com/dashboard/commercial-marketplace/overview).

+2. Select the **Marketplace offers** workspace.

+3. Select **Private Offers** from the left-nav menu.

+4. Select the **Customers** tab.

+5. Select **+ New Private Offer**.

+6. Enter a private offer name. This is a descriptive name for use within Partner Center and will be visible to your customer in the Azure portal.

+### Offer setup

+Use this page to define private offer terms, notification contacts, and pricing for your customer.

+- **Customer Information** ΓÇô Specify the billing account for the customer receiving this private offer. This will only be available to the configured customer billing account and the customer will need to be an owner or contributor or signatory on the billing account to accept the offer.

+ > [!NOTE]

+ > Customers can find their billing account in the [Azure portal ](https://aka.ms/PrivateOfferAzurePortal) under **Cost Management + Billing** > **Properties** > **ID**. A user in the customer organization should have access to the billing account to see the ID in Azure Portal. See [Billing account scopes in the Azure portal](/azure/cost-management-billing/manage/view-all-accounts).

+ :::image type="content" source="media/isv-customer/customer-properties.png" alt-text="Shows the offer Properties tab in Partner Center.":::

+- **Private offer terms** ΓÇô Specify the duration, accept-by date, and terms:

+ - **Start date** ΓÇô Choose **Accepted date** if you want the private offer to start as soon as the customer accepts it. If a private offer is extended to an existing customer of a Pay-as-you-go product, this will make the private price applicable for the entire month. To have your private offer start in an upcoming month, select **Specific month** and choose one. The start date for this option will always be the first day of the selected month.

+ - **End date** ΓÇô Choose the month for your private offer's **End date**. This will always be the last day of the selected month.

+ - **Accept by** ΓÇô Choose the expiration date for your private offer. Your customer must accept the private offer prior to this date.

+ - **Terms and conditions** ΓÇô Optionally, upload a PDF with terms and conditions your customer must accept as part of the private offer.

+ > [!NOTE]

+ > Your terms and conditions must adhere to Microsoft supported billing models, offer types, and the [Microsoft Publisher Agreement](https://aka.ms/PrivateOfferPublisherAgreement).

+- **Notification Contacts** ΓÇô Provide up to five emails in your organization as **Notification Contacts** to receive email updates on the status of your private offer. These emails are sent when your offer status changes to **Pending acceptance**, **Accepted**, or **Expired**. You must also provide a **Prepared by** email address, which will be displayed to the customer in the private offer listing in the Azure portal.

+- **Pricing** ΓÇô Configure the percentage-based discount or absolute price for up to 10 offers/plans in a private offer. For a percentage-based discount, the customer will receive this discount off your plan's list price in the marketplace.

+ - Select **+ Add Offers/plans** to choose the offers/plans you want to provide a private offer for.

+ - Choose to provide a custom price or discount at either an offer level (all current and future plans under that offer will have a discount associated to it) or at a plan level (only the plan you selected will have a private price associated with it).

+ - Choose up to 10 offers/plans and select **Add**.

+ - Enter the discount percentage or configure the absolute price for each item in the pricing table.

+ > [!NOTE]

+ > Only public offers/plans that are transactable in Microsoft Azure Marketplace appear in the selection menu.

+### Review and submit

+Use this page to review the information you've provided. Once submitted, a private offer is locked for edits. You can still withdraw a private offer while it's pending acceptance by the customer.

+When you're ready, select **Submit**. You'll be returned to the dashboard where you can view the offer's status. The notification contact(s) will be emailed once the offer is ready to be shared with your customer.

+> [!NOTE]

+> Microsoft will not send an email to your customer. You can copy the private offer link and share it with your customer for acceptance. Your customer will also be able to see the private offer under the **Private Offer Management** blade in the Azure portal.

+## Clone a private offer

+You can clone an existing offer and update its customer information to send it to different customers so you don't have to start from scratch. Or, update the offer/plan pricing to send additional discounts to the same customer.

+1. Select **Private Offers** from the left-nav menu.

+2. Select the **Customers** tab.

+3. Check the box of the private offer to clone.

+4. Select **Clone**.

+5. Enter a new private offer name.

+6. Select **Clone**.

+7. Edit the details on the **Offer setup** page as needed.

+8. **Submit** the new private offer.

+## Withdraw a private offer

+Withdrawing a private offer means your customer will no longer be able to access it. A private offer can only be withdrawn if your customer hasn't accepted it.

+To withdraw a private offer:

+1. Select **Private Offers** from the left-nav menu.

+2. Select the **Customers** tab.

+3. Check the box of the private offer to withdraw.

+4. Select **Withdraw**.

+5. Select **Request withdraw**.

+6. Your offer status will be updated to **Draft** and can now be edited, if desired.

+Once you withdraw a private offer, your customer will no longer be able to access it in the commercial marketplace.

+## Delete a private offer

+To delete a private offer in **Draft** status:

+1. Select **Private Offers** from the left-nav menu.

+2. Select the **Customers** tab.

+3. Check the box of the private offer to delete.

+4. Select **Delete**.

+5. Select **Confirm**.

+This action will permanently delete your private offer. You can only delete private offers in **Draft** status.

+## View private offer status

+To view the status of a private offer:

+1. Select **Private Offers** from the left-nav menu.

+2. Select the **Customer** tab.

+3. Check the **Status** column.

+The status of the private offer will be one of the following:

+- **Draft** ΓÇô You've started the process of creating a private offer but haven't submitted it yet.

+- **In Progress** ΓÇô A private offer you submitted is currently being published; this can take up to 15 minutes.

+- **Pending acceptance** ΓÇô Your private offer is pending customer acceptance. Ensure you've sent the private offer link to your customer.

+- **Accepted** ΓÇô Your private offer was accepted by your customer. Once accepted, the private offer can't be changed.

+- **Expired** ΓÇô Your private offer expired before the customer accepted it. You can withdraw the private offer to make changes and submit it again.

+- **Ended** ΓÇô Your private offer has passed its end date.

+## Reporting on private offers

+The payout amount and agency fee that Microsoft charges is based on the private price after the percentage-based discount or absolute price was applied to the products in your private offer.

+## Next steps

+- [Frequently Asked Questions](isv-customer-faq.yml) about configuring ISV to customer private offers

+|MySQL Version 5.7 | [5.7.32](https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-32.html) | [5.7.37](https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-37.html)|

+|MySQL Version 8.0 | [8.0.15](https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-15.html) | [8.0.28](https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-28.html)|

+|MySQL Version 5.7 | [5.7.29](https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-29.html) | [5.7.37](https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-37.html)|

+|MySQL Version 8.0 | [8.0.15](https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-15.html) | [8.0.28](https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-28.html)|

+|Enforce SSL with TLS version < 1.2 | require_secure_transport = ON and tls_version = TLSV1 or TLSV1.1| If your legacy application supports encrypted connections but requires TLS version < 1.2, you can enable encrypted connections but configure your flexible server to allow connections with the tls version (v1.0 or v1.1) supported by your application. Supported only with Azure Database for MySQL ΓÇô Flexible Server version v5.7|

+|Enforce SSL with TLS version = 1.3| require_secure_transport = ON and tls_version = TLSV1.3| This is useful and recommended for new applications development. Supported only with Azure Database for MySQL ΓÇô Flexible Server version v8.0|

+> * Changes to SSL Cipher on flexible server is not supported. FIPS cipher suites is enforced by default when tls_version is set to TLS version 1.2 . For TLS versions other than version 1.2, SSL Cipher is set to default settings which comes with MySQL community installation.

+> * MySQL open-source community editions starting with the release of MySQL versions 8.0.26 and 5.7.35, the TLSv1 and TLSv1.1 protocols are deprecated. These protocols released in 1996 and 2006, respectively to encrypt data in motion, are considered weak, outdated, and vulnerable to security threats. For more information, see [Removal of Support for the TLSv1 and TLSv1.1 Protocols.](https://dev.mysql.com/doc/refman/8.0/en/encrypted-connection-protocols-ciphers.html#encrypted-connection-deprecated-protocols).Azure Database for MySQL – Flexible Server will also stop supporting TLS versions once the community stops the support for the protocol, to align with modern security standards.

+In this article, you'll learn how to:

+ * With SSL enforced with TLS version

+If your client application doesn't support encrypted connections, you'll need to disable encrypted connections enforcement on your flexible server. To disable encrypted connections enforcement, you'll need to set require_secure_transport server parameter to OFF as shown in the screenshot and save the server parameter configuration for it to take effect. require_secure_transport is a **dynamic server parameter** which takes effect immediately and doesn't require server restart to take effect.

+It's important to note that setting require_secure_transport to OFF doesn't mean encrypted connections won't supported on server side. If you set require_secure_transport to OFF on flexible server but if the client connects with encrypted connection, it will still be accepted. The following connection using mysql client to a flexible server configured with require_secure_transport=OFF will also work as shown below.

+## Enforce SSL with TLS version

+To set TLS versions on your flexible server, you'll need to set *tls_version* server parameter. The default setting for TLS protocol is TLSv1.2. If your application supports connections to MySQL server with SSL, but require any protocol other than TLSv1.2, you'll require to set the TLS versions in [server parameter](./how-to-configure-server-parameters-portal.md). *tls_version* is a **static server parameter** which will require a server restart for the parameter to take effect. Following are the Supported protocols for the available versions of Azure Database for MySQL ΓÇô Flexible Server

+| Flexible Server version | Supported Values of tls_version | Default Setting |

+||--||

+|MySQL 5.7 |TLSv1, TLSv1.1, TLSv1.2 | TLSv1.2|

+|MySQL 8.0 | TLSv1.2, TLSv1.3 | TLSv1.2|

+To use encrypted connections with your client applications,you'll need to download the [public SSL certificate](https://dl.cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem) which is also available in Azure portal Networking blade as shown in the screenshot below.

+If you created your flexible server with *Private access (VNet Integration)*, you'll need to connect to your server from a resource within the same VNet as your server. You can create a virtual machine and add it to the VNet created with your flexible server.

+If you try to connect to your server with unencrypted connections, you'll see error stating connections using insecure transport are prohibited similar to one below:

+Execute the mysql **status** command to verify that you've connected to your MySQL server using TLS/SSL:

+**How to identify the TLS protocols configured on your server ?**

+You can run the command SHOW GLOBAL VARIABLES LIKE 'tls_version'; and check the value to understand what all protocols are configured.

+```sql

+mysql> SHOW GLOBAL VARIABLES LIKE 'tls_version';

+```

+**How to find which TLS protocol are being used by my clients to connect to the server ?**

+You can run the below command and look at tls_version for the session to identify which TLS version is used to connect

+```sql

+SELECT sbt.variable_value AS tls_version, t2.variable_value AS cipher,

+processlist_user AS user, processlist_host AS host

+FROM performance_schema.status_by_thread AS sbt

+JOIN performance_schema.threads AS t ON t.thread_id = sbt.thread_id

+JOIN performance_schema.status_by_thread AS t2 ON t2.thread_id = t.thread_id

+WHERE sbt.variable_name = 'Ssl_version' and t2.variable_name = 'Ssl_cipher' ORDER BY tls_version;

+```

+## April 2022

+- **Minor version upgrade for Azure Database for MySQL - Flexible server to 8.0.28**

+ Azure Database for MySQL - Flexible Server 8.0 now is running on minor version 8.0.28*, to learn more about changes coming in this minor version [visit Changes in MySQL 8.0.28 (2022-01-18, General Availability)](https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-28.html)

+- **Minor version upgrade for Azure Database for MySQL - Single server to 5.7.37**

+ Azure Database for MySQL - Flexible Server 5.7 now is running on minor version 5.7.37*, to learn more about changes coming in this minor version [visit Changes in MySQL 5.7.37 (2022-01-18, General Availability](https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-37.html)

+* Please note that some regions are still running older minor versions of the Azure Database for MySQL and will be patched by end of April 2022.

+- **Deprecation of TLSv1 or TLSv1.1 protocols with Azure Database for MySQL - Flexible Server (8.0.28)**

+ Starting version 8.0.28, MySQL community edition supports TLS protocol TLSv1.2 or TLSv1.3 only. Azure Database for MySQL ΓÇô Flexible Server will also stop supporting TLSv1 and TLSv1.1 protocols, to align with modern security standards. You will no longer be able to configure TLSv1 or TLSv1.1 from the server parameter blade for newly created resources as well as for resources created previously. The default will be TLSv1.2. Resources created before the upgrade will still support communication through TLS protocol TLSv1 or TLSv1.1 through 1 May 2022.

+1. The Elastic Stack from version 5.0 and above requires Java 8. Run the command `java -version` to check your version. If you do not have Java installed, refer to documentation on the [Azure-supported JDKs](/azure/developer/java/fundamentals/java-support-on-azure).

+* A Windows machine with <a href="https://www.visualstudio.com/downloads/" target="_blank">Visual Studio 2022</a>.

+* The <a href="https://dotnet.microsoft.com/download/dotnet/6.0">.NET 6.0 SDK</a>.

+This article shows you how to deploy a Red Hat JBoss Enterprise Application Platform (JBoss EAP) app to an Azure Red Hat OpenShift (ARO) 4 cluster. The application is a Jakarta EE application that uses Microsoft SQL server database. The app is deployed using [JBoss EAP Helm Charts](https://jbossas.github.io/eap-charts).

+The guide takes a traditional Jakarta EE application and walks you through the process of migrating it to a container orchestrator such as Azure Red Hat OpenShift. First, it describes how you can package your application as a [Bootable JAR](https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html/using_jboss_eap_xp_3.0.0/the-bootable-jar_default) to run it locally. Finally, it shows you how you can deploy on OpenShift with three replicas of the JBoss EAP application by using Helm Charts.

+> This article assumes you have access to a Microsoft SQL Server instance accessible to your ARO cluster. Please review the [support policy for SQL Server Containers](https://support.microsoft.com/help/4047326/support-policy-for-microsoft-sql-server) to ensure that you are running on a supported configuration.

+At this stage, you have cloned the `Todo-list` demo application and your local repository is on the `main` branch. The demo application is a simple Jakarta EE 8 application that creates, reads, updates, and deletes records on a Microsoft SQL Server. This application can be deployed as it is on a JBoss EAP server installed in your local machine. You just need to configure the server with the required database driver and data source. You also need a database server accessible from your local environment.

+* We have added the `wildfly-jar-maven` plugin to provision the server and the application in a single executable JAR file. The OpenShift deployment unit is our server with our application.

+* On the maven plugin, we have specified a set of Galleon layers. This configuration allows us to trim the server capabilities to only what we need. For complete documentation on Galleon, see [the WildFly documentation](https://docs.wildfly.org/galleon/).

+* Our application uses Jakarta Faces with Ajax requests, which means there will be information stored in the HTTP Session. We don't want to lose such information if a pod is removed. We could save this information on the client and send it back on each request. However, there are cases where you may decide not to distribute certain information to the clients. For this demo, we have chosen to replicate the session across all pod replicas. To do it, we have added `<distributable />` to the `web.xml`. That, together with the server clustering capabilities will make the HTTP Session distributable across all pods.

+* We have added two MicroProfile Health Checks that allow identifying when the application is live and ready to receive requests.

+Before deploying the application on OpenShift, we are going to run it locally to verify how it works. The following steps assume you have a Microsoft SQL Server running and available from your local environment. This database must be created using the following information:

+* Database name: `todos_db`

+* SA password: `Passw0rd!`

+To create the database, follow the steps in [Quickstart: Create an Azure SQL Database single database](/azure/azure-sql/database/single-database-create-quickstart?tabs=azure-portal), but use the following substitutions.

+* For **Database name** use `todos_db`.

+* For **Password** use `Passw0rd!`.

+On the **Additional settings** page, you don't have to choose the option to pre-populate the database with sample data, but there is no harm in doing so.

+Once the database has been created with the above database name and password, obtain the value for the `MSSQLSERVER_HOST` from the overview page for the database resource in the portal. Hover the mouse over the value of the **Server name** field and select the copy icon that appears beside the value. Save this aside for use later.

+ MSSQLSERVER_HOST=<server name saved aside earlier> \

+ MSSQLSERVER_HOST=<server name saved aside earlier> \

+To deploy the application, we are going to use the JBoss EAP Helm Charts already available in ARO. We also need to supply the desired configuration, for example, the database user, the database password, the driver version we want to use, and the connection information used by the data source. The following steps assume you have a MicrosoftSQL database server running and exposed by an OpenShift service, and you have stored the database user name, password and database name in an [OpenShift Secret object](https://docs.openshift.com/container-platform/4.8/nodes/pods/nodes-pods-secrets.html#nodes-pods-secrets-about_nodes-pods-secrets) under the following name `mssqlserver-secret`.

+- We have added a set of configuration files in the _jboss-on-aro-jakartaee/deployment_ directory. In this directory, you will find the configuration files to deploy the application.

+We can deploy the demo application via JBoss EAP Helm Charts. The Helm Chart application configuration file is available at _deployment/application/todo-list-helm-chart.yaml_. You could deploy this file via the command line; however, to do so you would need to have Helm Charts installed on your local machine. Instead of using the command line, the next steps explain how you can deploy this Helm Chart by using the OpenShift web console.

+Before deploying the application, let's create the expected Secret object that will hold specific application configuration. The Helm Chart will get the database user, password and name from a secret named `mssqlserver-secret`, and the driver version, the datasource JNDI name and the cluster password from the following Secret:

+ > You may have noticed from the above Secret that we are not supplying the database Hostname and Port. That's not necessary. If you take a closer look at the Helm Chart application file, you will see that the database Hostname and Port are passed by using the following notations \$(MSSQLSERVER_SERVICE_HOST) and \$(MSSQLSERVER_SERVICE_PORT). This is a standard OpenShift notation that will ensure the application variables (MSSQLSERVER_HOST, MSSQLSERVER_PORT) get assigned to the values of the pod environment variables (MSSQLSERVER_SERVICE_HOST, MSSQLSERVER_SERVICE_PORT) that are available at runtime. These pod environment variables are passed by OpenShift when the pod is launched. These variables are available to any pod when you create an OpenShift service exposing the database server.

+5. Since our application uses MicroProfile capabilities, we are going to select for this demo the Helm Chart for EAP XP (at the time of this writing, the exact version of the Helm Chart is **EAP Xp3 v1.0.0**). The `Xp3` stands for Expansion Pack version 3.0.0. With the JBoss Enterprise Application Platform expansion pack, developers can use Eclipse MicroProfile application programming interfaces (APIs) to build and deploy microservices-based applications.

+# Secure access to Azure Red Hat OpenShift with Azure Front Door

+1. On [Microsoft Azure Compare offerings](https://ms.portal.azure.com/#create/Microsoft.AFDX) select **Azure Front Door**, and then select **Continue to create a Front Door**.

+2. On the **Create a front door profile** page in the **Subscription** > **Resource group**, select the resource group in which your Azure Red Hat OpenShift cluster was deployed to house your Azure Front Door Premium resource.

+9. Select **Review + create** to create the Azure Front Door Premium resource, and then wait for the process to complete.

+The current minor release is 11.12. Refer to the [PostgreSQL documentation](https://www.postgresql.org/docs/11/static/release-11-12.html) to learn more about improvements and fixes in this minor release.

+The current minor release is 10.17. Refer to the [PostgreSQL documentation](https://www.postgresql.org/docs/10/static/release-10-17.html) to learn more about improvements and fixes in this minor release.

+Aligning with Postgres community's [versioning policy](https://www.postgresql.org/support/versioning/), Azure Database for PostgreSQL has retired PostgreSQL version 9.6 as of November 11, 2021. See [Azure Database for PostgreSQL versioning policy](concepts-version-policy.md) for more details and restrictions. If you're running this major version, upgrade to a higher version, preferably to PostgreSQL 11 at your earliest convenience.

+Aligning with Postgres community's [versioning policy](https://www.postgresql.org/support/versioning/), Azure Database for PostgreSQL has retired PostgreSQL version 9.5 as of February 11, 2021. See [Azure Database for PostgreSQL versioning policy](concepts-version-policy.md) for more details and restrictions. If you're running this major version, upgrade to a higher version, preferably to PostgreSQL 11 at your earliest convenience.

+ | Setting | Value |

+ |||

+ | **Project&nbsp;details** | |

+ | Subscription | Select your Azure subscription. |

+ | Resource group | Select **Create New**. </br> Enter **CreatePrivateEndpointQS-rg**. </br> Select **OK**. |

+ | **Instance&nbsp;details** | |

+ | Name | Enter **myVNet**. |

+ | Region | Select **West Europe**. |

+ | Setting | Value |

+ |--||

+1. Under **Subnet name**, select the **Add subnet** link.

+ | Setting | Value |

+ |-||

+ | Subnet name | Enter **mySubnet**. |

+1. Select **Add**.

+ | Setting | Value |

+ |-|-|

+ | Bastion name | Enter **myBastionHost**. |

+ | AzureBastionSubnet address space | Enter **10.1.1.0/24**. |

+ | Public IP Address | Select **Create new** and then, for **Name**, enter **myBastionIP**, and then select **OK**. |

+ | Setting | Value |

+ |--||

+ | **Project&nbsp;details** | |

+ | Subscription | Select your Azure subscription. |

+ | Resource group | Select **CreatePrivateEndpointQS-rg**. |

+ | **Instance&nbsp;details** | |

+ | Virtual machine name | Enter **myVM**. |

+ | Region | Select **West Europe**. |

+ | Availability options | Select **No infrastructure redundancy required**. |

+ | Image | Select **Windows Server 2019 Datacenter - Gen2**. |

+ | Azure Spot instance | Clear the checkbox. |

+ | Size | Select the VM size or use the default setting. |

+ | **Administrator&nbsp;account** | |

+ | Authentication type | Select **Password** |

+ | Username | Enter a username. |

+ | Password | Enter a password. |

+ | Confirm password | Reenter the password. |

+ |Setting | Value |

+ |-||

+ | **Network&nbsp;interface** | |

+ | Virtual network | Enter **myVNet**. |

+ | Subnet | Enter **mySubnet**. |

+ | Public IP | Select **None**. |

+ | NIC network security group | Select **Basic**. |

+ | Public inbound ports | Select **None**. |

+ | Setting | Value |

+ ||--|

+ | **Project&nbsp;details** | |

+ | Subscription | Select your subscription. |

+ | Resource group | Select **CreatePrivateEndpointQS-rg**. You created this resource group in an earlier section. |

+ | **Instance&nbsp;details** | |

+ | Name | Enter **myPrivateEndpoint**. |

+ | Region | Select **West Europe**. |

+ | Setting | Value |

+ |||

+ | Connection method | Select **Connect to an Azure resource in my directory**. |

+ | Subscription | Select your subscription. |

+ | Resource type | Select **Microsoft.Web/sites**. |

+ | Resource | Select **\<your-web-app-name>**. </br> Select the name of the web app that you created in the "Prerequisites" section. |

+ | Target sub-resource | Select **sites**. |

+1. Click **Next** to the **Virtual Network** tab.

+1. On the **Virtual Network** pane, enter the following values:

+ | Setting | Value |

+ ||--|

+ | **Networking** | |

+ | Virtual network | Select **myVNet**. |

+ | Subnet | Select **mySubnet**. |

+ | **Private&nbsp;DNS&nbsp;integration** | |

+ | Integrate with private DNS zone | Keep the default of **Yes**. |

+ | Subscription | Select your subscription. |

+ | Resource Group | Select Resource Group **CreatePrivateEndpointQS-rg**. |

+ | Private DNS zones | Keep the default of **(New) privatelink.azurewebsites.net**. |

+1. Click **Next** to **Review + create**.

+#### Automated scanning, classification and ingestion

+There are two major automated processes that can trigger ingestion of metadata into Azure Purview:

+1. Automatic scans using native [connectors](/azure-purview-connector-overview.md). This process includes three main steps:

+ - Metadata scan

+ - Automatic classification

+ - Ingestion of metadata into Azure Purview

+2. Automated ingestion using Azure Data Factory and/or Azure Synapse pipelines. This process includes:

+ - Ingestion of metadata and lineage into Azure Purview if Azure Purview account is connected to any Azure Data Factory or Azure Synapse pipelines.

+##### 1. Automatic scans using native connectors

+##### 2. Automated ingestion using Azure Data Factory and/or Azure Synapse pipelines

+- metadata and lineage is ingested from Azure Data Factory or Azure Synapse pipelines every time the pipelines run in the source system.

+We also require customers to create an inbound rule that allows requests from the [multi-tenant execution environment](search-indexer-securing-resources.md#indexer-execution-environment) to ensure we optimize the resource availability for search services. This step explains how to get the range of IP addresses needed for this inbound rule.

+For optimum processing, a search service will determine an internal execution environment to set up the operation. Depending on the number and types of tasks assigned, the indexer will run in one of two environments:

+- A multi-tenant environment hosting indexers that are resource intensive - such as indexers with skillsets, indexers processing big documents, indexers processing a lot of documents and so on. This environment is used to offload computationally intensive processing, leaving service-specific resources available for routine operations. This multi-tenant environment is managed and secured by Microsoft, at no extra cost to the customer.

+You might find some variation in maximum limits if your service happens to be provisioned on a more powerful cluster. The limits here represent the common denominator. Indexes built to the above specifications will be portable across equivalent service tiers in any region.

+## Issues approving the backing private endpoint

+A private endpoint is created to the target Azure resource as specified in the shared private link creation request. This is one of the final steps in the asynchronous Azure Resource Manager deployment operation, but Azure Cognitive Search needs to link the private endpoint's private IP address as part of its network configuration. Once this link is done, the `provisioningState` of the shared private link resource will go to a terminal success state `Succeeded`. Customers should only approve or deny(or in general modify the configuration of the backing private endpoint) after the state has transitioned to `Succeeded`. Modifying the private endpoint in any way before this could result in an incomplete deployment operation and can cause the shared private link resource to end up (either immediately, or usually within a few hours) in a `Failed` state.

+In rare circumstances, Azure Cognitive Search can fail to correctly mark the state of the shared private link resource to a terminal state (`Succeeded` or `Failed`). This usually occurs due to an unexpected or catastrophic failure in the search RP. Shared private link resources are automatically transitioned to a `Failed` state if it has been "stuck" in a non-terminal state for more than a few hours.

+If you observe that the shared private link resource has not transitioned to a terminal state, wait for a few hours to ensure that it becomes `Failed` before you can delete it and re-create it. Alternatively, instead of waiting you can try to create another shared private link resource with a different name (keeping all other parameters the same).

+ ```bash

+ sudo -u omsagent python /opt/microsoft/omsconfig/Scripts/OMS_MetaConfigHelper.py --disable

+ Customers who have built IoT services by using Service Fabric include [PCL Construction](https://customers.microsoft.com/story/pcl-construction-professional-services-azure), [Citrix](https://customers.microsoft.com/story/citrix), [ASOS](https://customers.microsoft.com/story/asos-retail-and-consumer-goods-azure),

+[Oman Data Park](https://customers.microsoft.com/story/821095-oman-data-park-partner-professional-services-azure),

+[Kohler](https://customers.microsoft.com/story/kohler-konnect-azure-iot), and

+[Dover Fueling Systems](https://customers.microsoft.com/story/775087-microsoft-country-corner-dover-fueling-solutions-oil-and-gas-azure).

+ Customers who have built gaming services include [Next Games](https://customers.microsoft.com/story/next-games-media-telecommunications-azure).

+ Customers who have built interactive sessions include [Honeywell with Hololens](https://customers.microsoft.com/story/honeywell-manufacturing-hololens).

+ Customers who have built business workflow services include [Zeiss Group](https://customers.microsoft.com/story/1366745613299736251-zeiss-group-focuses-on-azure-service-fabric-for-key-integration-platform) and

+ [PCL Construction](https://customers.microsoft.com/story/pcl-construction-professional-services-azure).

+ Customers who have built computation services include [ASOS](https://customers.microsoft.com/story/asos-retail-and-consumer-goods-azure) and [CCC](https://customers.microsoft.com/story/862085-ccc-information-services-partner-professional-services-azure-service-fabric).

+Restricted Regions reserved for in-country disaster recovery |Switzerland West reserved for Switzerland North, France South reserved for France Central, Norway West for Norway East customers, JIO India Central for JIO India West customers, Brazil Southeast for Brazil South customers, South Africa West for South Africa North customers, Germany North for Germany West Central customers.<br/><br/> To use restricted regions as your primary or recovery region, please get yourselves allowlisted by raising a request [here](https://docs.microsoft.com/troubleshoot/azure/general/region-access-request-process).

+## Pre-requisites

+### Hardware requirements

+### Software requirements

+### Network requirements

+#### Allow URLs

+### Folder exclusions from Antivirus program

+#### If Antivirus Software is active on appliance

+#### If Antivirus software is active on Source machine

+## Sizing and capacity

+An appliance that uses an in-built process server to protect the workload can handle up to 200 virtual machines, based on the following configurations:

+ |CPU | Memory | Cache disk size | Data change rate | Protected machines |

+ ||-|--||-|

+ |16 vCPUs (2 sockets * 8 cores @ 2.5 GHz) | 32 GB | 1 TB | >1 TB to 2 TB | Use to replicate 151 to 200 machines.|

+- You can perform discovery of all the machines in a vCenter server, using any of the replication appliances in the vault.

+- You can [switch a protected machine](switch-replication-appliance-preview.md), between different appliances in the same vault, given the selected appliance is healthy.

+For detailed information about how to use multiple appliances and failover a replication appliance, see [this article](switch-replication-appliance-preview.md)

+## Required permissions

+5. Ensure the [prerequisites](#pre-requisites) are met, proceed with registration.

+## Known unsupported clients

+The following clients are known to be incompatible with SFTP for Azure Blob Storage (preview). See [Supported algorithms](secure-file-transfer-protocol-support.md#supported-algorithms) for more information.

+- Axway

+- Five9

+- Kemp

+- Moveit

+- Mule

+- Salesforce

+- SSH.NET 2016.1.0

+- Workday

+- XFB.Gateway

+> The unsupported client list above is not exhaustive and may change over time.

+## Unsupported operations

+| Category | Unsupported operations |

+|||

+| ACLs | <li>`chgrp` - change group<li>`chmod` - change permissions/mode<li>`chown` - change owner<li>`put/get -p` - preserving permissions |

+| Resume operations |<li>`reget`, `get -a`- resume download<li>`reput`. `put -a` - resume upload |

+| Random writes and appends | <li>Operations that include both READ and WRITE flags. For example: [SSH.NET create API](https://github.com/sshnet/SSH.NET/blob/develop/src/Renci.SshNet/SftpClient.cs#:~:text=public%20SftpFileStream-,Create,-(string%20path))<li>Operations that include APPEND flag. For example: [SSH.NET append API](https://github.com/sshnet/SSH.NET/blob/develop/src/Renci.SshNet/SftpClient.cs#:~:text=public%20void-,AppendAllLines,-(string%20path%2C%20IEnumerable%3Cstring%3E%20contents)). |

+| Links |<li>`symlink` - creating symbolic links<li>`ln` - creating hard links<li>Reading links not supported |

+| Capacity Information | `df` - usage info for filesystem |

+| Extensions | Unsupported extensions include but are not limited to: fsync@openssh.com, limits@openssh.com, lsetstat@openssh.com, statvfs@openssh.com |

+| SSH Commands | SFTP is the only supported subsystem. Shell requests after the completion of the key exchange will fail. |

+| Multi-protocol writes | Random writes and appends (`PutBlock`,`PutBlockList`, `GetBlockList`, `AppendBlock`, `AppendFile`) are not allowed from other protocols on blobs that are created by using SFTP. Full overwrites are allowed.|

+### Known supported clients

+The following clients have compatible algorithm support with SFTP for Azure Blob Storage (preview). See [Limitations and known issues with SSH File Transfer Protocol (SFTP) support for Azure Blob Storage](secure-file-transfer-protocol-known-issues.md) if you are having trouble connecting.

+- AsyncSSH 2.1.0+

+- Cyberduck 7.8.2+

+- edtFTPjPRO 7.0.0+

+- FileZilla 3.53.0+

+- libssh 0.9.5+

+- Maverick Legacy 1.7.15+

+- OpenSSH 7.4+

+- paramiko 2.8.1+

+- PuTTY 0.74+

+- QualysML 12.3.41.1+

+- RebexSSH 5.0.7119.0+

+- ssh2js 0.1.20+

+- sshj 0.27.0+

+- SSH.NET 2020.0.0+

+- WinSCP 5.10+

+> [!NOTE]

+> The supported client list above is not exhaustive and may change over time.

+3. Under **Security + networking**, choose **Networking**.

+2. Under **Security + networking**, choose **Networking**.

+1. Under **Settings**, choose **Endpoints**.

+## Disallow Shared Key authorization to use Azure AD Conditional Access

+To protect an Azure Storage account with Azure AD [Conditional Access](../../active-directory/conditional-access/overview.md) policies, you must disallow Shared Key authorization for the storage account. Follow the steps described in [Detect the type of authorization used by client applications](#detect-the-type-of-authorization-used-by-client-applications) to analyze the potential impact of this change for existing storage accounts before disallowing Shared Key authorization.

+Now that you've created a storage account, you can create your first Azure file share by using the [New-AzRmStorageShare](/powershell/module/az.storage/New-AzRmStorageShare) cmdlet. This example creates a share named **myshare** with a quota of 1024 GiB. The quota can be a maximum of 5 TiB, or 100 TiB with large file shares enabled on the storage account.

+Now that you've created a storage account, you can create your first Azure file share by using the [az storage share-rm create](/cli/azure/storage/share-rm#az-storage-share-rm-create) command. This example creates a share named **myshare** with a quota of 1024 GiB. The quota can be a maximum of 5 TiB, or 100 TiB with large file shares enabled on the storage account.

+$queue.CloudQueue.AddMessageAsync($queueMessage)

+$queue.CloudQueue.AddMessageAsync($queueMessage)

+$queue.CloudQueue.AddMessageAsync($queueMessage)

+ Title: Restore a dedicated SQL pool from a dropped workspace

+description: How-to guide for restoring a dedicated SQL pool from a dropped workspace.

+# Restore a dedicated SQL pool from a deleted workspace

+In this article, you learn how to restore a dedicated SQL pool in Azure Synapse Analytics after an accidental drop of a workspace using PowerShell.

+> [!NOTE]

+> This guidance is for Synapse Workspace dedicated sql pools only. For standalone dedicated sql pool (formerly SQL DW) please follow guidance [Restore sql pool from deleted server](../sql-data-warehouse/sql-data-warehouse-restore-from-deleted-server.md).

+## Before you begin

+## Restore the SQL pool from the dropped workspace

+1. Open PowerShell

+2. Connect to your Azure account.

+3. Set the context to the subscription that contains the workspace that was dropped.

+4. Specify the approximate datetime the workspace was dropped.

+5. Construct the resource ID for the database you wish to recover from the dropped workspace.

+6. Restore the database from the dropped workspace

+7. Verify the status of the recovered database as 'online'.

+```powershell

+$SubscriptionID="<YourSubscriptionID>"

+$ResourceGroupName="<YourResourceGroupName>"

+$WorkspaceName="<YourWorkspaceNameWithoutURLSuffixSeeNote>" # Without sql.azuresynapse.net

+$DatabaseName="<YourDatabaseName>"

+$TargetResourceGroupName="<YourTargetResourceGroupName>"

+$TargetWorkspaceName="<YourtargetServerNameWithoutURLSuffixSeeNote>"

+$TargetDatabaseName="<YourDatabaseName>"

+Connect-AzAccount

+Set-AzContext -SubscriptionID $SubscriptionID

+# Define the approximate point in time the workspace was dropped as DroppedDateTime "yyyy-MM-ddThh:mm:ssZ" (ex. 2022-01-01T16:15:00Z)

+$PointInTime=ΓÇ¥<DroppedDateTime>ΓÇ¥

+$DroppedDateTime = Get-Date -Date $PointInTime

+# construct the resource ID of the sql pool you wish to recover. The format required Microsoft.Sql. This includes the approximate date time the server was dropped.

+$SourceDatabaseID = "/subscriptions/"+$SubscriptionID+"/resourceGroups/"+$ResourceGroupName+"/providers/Microsoft.Sql/servers/"+$WorkspaceName+"/databases/"+$DatabaseName

+# Restore to the target workspace with the source SQL pool.

+$RestoredDatabase = Restore-AzSynapseSqlPool -FromDroppedSqlPool -DeletionDate $DroppedDateTime -TargetSqlPoolName $TargetDatabaseName -ResourceGroupName $TargetResourceGroupName -WorkspaceName $TargetWorkspaceName -ResourceId $SourceDatabaseID

+# Verify the status of restored database

+$RestoredDatabase.status

+```

+## Troubleshooting

+If "An unexpected error occurred while processing the request." message is received, the original database may not have any recovery points available due to the original workspace being short lived. Typically this is when the workspace existed for less than one hour.

+## Next Steps

+- [Create a restore point](sqlpool-create-restore-point.md)

+- [Restore a SQL pool](restore-sql-pool.md)

+ Title: Restore a dedicated SQL pool (formerly SQL DW) from a deleted server

+description: How-to guide for restoring a dedicated SQL pool from a deleted server.

+# Restore a dedicated SQL pool (formerly SQL DW) from a deleted server

+In this article, you learn how to restore a dedicated SQL pool (formerly SQL DW) in Azure Synapse Analytics after an accidental drop of a server using PowerShell.

+> [!NOTE]

+> This guidance is for standalone dedicated sql pools (formerly SQL DW) only. For synapse workspace dedicated sql pools please follow guidance [Restore SQL pool from deleted workspace](../backuprestore/restore-sql-pool-from-deleted-workspace.md).

+## Before you begin

+## Restore the SQL pool from the deleted server

+1. Open PowerShell

+2. Connect to your Azure account.

+3. Set the context to the subscription that contains the server that was dropped.

+4. Specify the approximate datetime the server was dropped.

+5. Construct the resource ID for the database you wish to recover from the dropped server.

+6. Restore the database from the dropped server

+7. Verify the status of the recovered database as 'online'.

+```powershell

+$SubscriptionID="<YourSubscriptionID>"

+$ResourceGroupName="<YourResourceGroupName>"

+$ServereName="<YourServerNameWithoutURLSuffixSeeNote>" # Without database.windows.net

+$DatabaseName="<YourDatabaseName>"

+$TargetServerName="<YourtargetServerNameWithoutURLSuffixSeeNote>"

+$TargetDatabaseName="<YourDatabaseName>"

+Connect-AzAccount

+Set-AzContext -SubscriptionId $SubscriptionID

+# Define the approximate point in time the server was dropped as DroppedDateTime "yyyy-MM-ddThh:mm:ssZ" (ex. 2022-01-01T16:15:00Z)

+$PointInTime=ΓÇ¥<DroppedDateTime>ΓÇ¥

+$DroppedDateTime = Get-Date -Date $PointInTime

+# construct the resource ID of the database you wish to recover. The format required Microsoft.Sql. This includes the approximate date time the server was dropped.

+$SourceDatabaseID = "/subscriptions/"+$SubscriptionID+"/resourceGroups/"+$ResourceGroupName+"/providers/Microsoft.Sql/servers/"+$ServerName+"/restorableDroppedDatabases/"+$DatabaseName+","+$DroppedDateTime.ToUniversalTime().ToFileTimeUtc().ToString()

+# Restore to target workspace with the source database.

+$RestoredDatabase = Restore-AzSqlDatabase -FromDeletedDatabaseBackup -DeletionDate $DroppedDateTime -ResourceGroupName $ResourceGroupName -ServerName $TargetServerName -TargetDatabaseName $TargetDatabaseName -ResourceId $SourceDatabaseID

+# Verify the status of restored database

+$RestoredDatabase.status

+```

+## Troubleshooting

+If "An unexpected error occurred while processing the request." message is received, the original database may not have any recovery points available due to the original server being short lived. Typically this is when the server existed for less than one hour.

+|Operating system |User access rights|

+|<ul><li>Windows 11 Enterprise multi-session</li><li>Windows 11 Enterprise</li><li>Windows 10 Enterprise multi-session, version 1909 and later</li><li>Windows 10 Enterprise, version 1909 and later</li><li>Windows 7 Enterprise</li></ul>|License entitlement:<ul><li>Microsoft 365 E3, E5, A3, A5, F3, Business Premium, Student Use Benefit</li><li>Windows Enterprise E3, E5</li><li>Windows VDA E3, E5</li><li>Windows Education A3, A5</li></ul>External users can use [per-user access pricing](https://azure.microsoft.com/pricing/details/virtual-desktop/) instead of license entitlement.</li></ul>|

+|<ul><li>Windows Server 2022</li><li>Windows Server 2019</li><li>Windows Server 2016</li><li>Windows Server 2012 R2</li></ul>|License entitlement:<ul><li>Remote Desktop Services (RDS) Client Access License (CAL) with Software Assurance (per-user or per-device), or RDS User Subscription Licenses.</li></ul>Per-user access pricing is not available for Windows Server operating systems.|

+## Error: SessionHostPool could not be deleted

+This error usually happens when you run the following command to try to remove a session host.

+```powershell

+Remove-RdsHostPool -TenantName <TenantName> -Name <HostPoolName>

+```

+**Cause:** If you run the command before deleting the host pool's leaf objects, it won't work.

+**Fix:** Run the following command to delete the session host.

+```powershell

+Get-RdsSessionHost-TenantName <TenantName> -Hostpook <HostPoolName> | remove-RdsSessionhost -Force

+```

+Using the force command will let you delete the session host even if it has assigned users.

+3. Choose **Scaling** from the menu on the left-hand side of the scale set window. Select the button to **Custom autoscale**:

+ :::image type="content" source="media/virtual-machine-scale-sets-autoscale-portal/enable-autoscale.png" alt-text="Enable autoscale in the Azure portal":::

+4. Select the option to **Add a rule**.

+ :::image type="content" source="media/virtual-machine-scale-sets-autoscale-portal/add-autoscale-rule.png" alt-text="Add autoscale rule in the Azure portal":::

+ :::image type="content" source="media/virtual-machine-scale-sets-autoscale-portal/rule-increase.png" alt-text="Create an autoscale rule to increase the number of VM instances":::

+1. Choose **Scaling** from the menu on the left-hand side of the scale set window.

+ :::image type="content" source="media/virtual-machine-scale-sets-autoscale-portal/rename-rule.png" alt-text="Rename the default autoscale rule":::

+ :::image type="content" source="media/virtual-machine-scale-sets-autoscale-portal/schedule-autoscale.png" alt-text="Create autoscale rules that scale on a schedule":::

+# Ebdsv5 and Ebsv5 series

+| Standard_E2bs_v5 | 2 | 16 | 4 | 9000/125 | 5500/156 | 10000/1200 | 2 | 10000 |

+| Standard_E4bs_v5 | 4 | 32 | 8 | 19000/250 | 11000/350 | 20000/1200 | 2 | 10000 |

+| Standard_E8bs_v5 | 8 | 64 | 16 | 38000/500 | 22000/625 | 40000/1200 | 4 | 10000 |

+| Standard_E16bs_v5 | 16 | 128 | 32 | 75000/1000 | 44000/1250 | 64000/2000 | 8 | 12500

+| Standard_E32bs_v5 | 32 | 256 | 32 | 150000/1250 | 88000/2500 | 120000/4000 | 8 | 16000 |

+| Standard_E48bs_v5 | 48 | 384 | 32 | 225000/2000 | 120000/4000 | 120000/4000 | 8 | 16000 |

+| Standard_E64bs_v5 | 64 | 512 | 32 | 300000/4000 | 120000/4000 | 120000/4000 | 8 | 20000 |

+- Use the Azure [Pricing Calculator](https://azure.microsoft.com/pricing/calculator/)

+The VM does not need to be stopped\deallocated. The resource ID of the managed disk can be replaced with the resource ID of a different managed disk.

+(Optional) Use [az vm stop](/cli/azure/vm) to stop\deallocate the VM before swapping the disks.

+<sup>2</sup> Isolation feature retired on 2/28/2022. For information, see the [retirement announcement](https://azure.microsoft.com/updates/the-g5-and-gs5-azure-vms-will-no-longer-be-hardwareisolated-on-28-february-2022/).

+<sup>1</sup> Isolation feature retired on 2/28/2022. For information, see the [retirement announcement](https://azure.microsoft.com/updates/the-g5-and-gs5-azure-vms-will-no-longer-be-hardwareisolated-on-28-february-2022/).

+Learn more about how [Azure compute units (ACU)](acu.md) can help you compare compute performance across Azure SKUs.

+The VM does not need to be stopped\deallocated. The resource ID of the managed disk can be replaced with the resource ID of a different managed disk.

+# (Optional) Stop/ deallocate the VM

+You can use service tags to define network access controls on [network security groups](./network-security-groups-overview.md#security-rules), [Azure Firewall](../firewall/service-tags.md), and [user-defined routes](./virtual-networks-udr-overview.md#service-tags-for-user-defined-routes-preview). Use service tags in place of specific IP addresses when you create security rules and routes. By specifying the service tag name, such as **ApiManagement**, in the appropriate *source* or *destination* field of a security rule, you can allow or deny the traffic for the corresponding service. By specifying the service tag name in the address prefix of a route, you can route traffic intended for any of the prefixes encapsulated by the service tag to a desired next hop type.

+> As of March 2022, using service tags in place of explicit address prefixes in [user defined routes](./virtual-networks-udr-overview.md#user-defined) is out of preview and generally available.

+ Title: 'Configure forced tunneling for Virtual WAN Point-to-site VPN'

+description: Learn to configure forced tunneling for P2S VPN in Virtual WAN.

+# Configure forced tunneling for Virtual WAN Point-to-site VPN

+Forced tunneling allows you to send **all** traffic (including Internet-bound traffic) from remote users to Azure. In Virtual WAN, forced tunneling for Point-to-site VPN remote users signifies that the 0.0.0.0/0 default route is advertised to remote VPN users.

+## Creating a Virtual WAN hub

+The steps in this article assume that you've already deployed a virtual WAN with one or more hubs.

+To create a new virtual WAN and a new hub, use the steps in the following articles:

+* [Create a virtual WAN](virtual-wan-site-to-site-portal.md#openvwan)

+* [Create a virtual hub](virtual-wan-site-to-site-portal.md#hub)

+## Setting up Point-to-site VPN

+The steps in this article also assume that you already deployed a Point-to-site VPN gateway in the Virtual WAN hub. It also assumes you have created Point-to-site VPN profiles to assign to the gateway.

+To create the Point-to-site VPN gateway and related profiles, see [Create a Point-to-site VPN gateway](virtual-wan-point-to-site-portal.md).

+## Advertising default route to clients

+There are a couple ways to configure forced-tunneling and advertise the default route (0.0.0.0/0) to your remote user VPN clients connected to Virtual WAN.

+* You can specify a static 0.0.0.0/0 route in the defaultRouteTable with next hop Virtual Network Connection. This will force all internet-bound traffic to be sent to a Network Virtual Appliance deployed in that spoke Virtual Network. For more detailed instructions, consider the alternate workflow described in [Route through NVAs](scenario-route-through-nvas-custom.md).

+* You can use Azure Firewall Manager to configure Virtual WAN to send all internet-bound traffic via Azure Firewall deployed in the Virtual WAN hub. For configuration steps and a tutorial, see the Azure Firewall Manager documentation [Securing virtual hubs](../firewall-manager/secure-cloud-network.md). Alternatively, this can also be configured via using an Internet Traffic Routing Policy. For more information, see [Routing Intent and Routing Policies](how-to-routing-policies.md).

+* You can use Firewall Manager to send internet traffic via a third-party security provider. For more information on this capability, see [Trusted security providers](../firewall-manager/deploy-trusted-security-partner.md).

+* You can configure one of your branches (Site-to-site VPN, ExpressRoute circuit) to advertise the 0.0.0.0/0 route to Virtual WAN.

+After configuring one of the above four methods, make sure the EnableInternetSecurity flag is turned on for your Point-to-site VPN gateway. This flag must be set to true for your clients to be properly configured for forced-tunneling.

+To turn on the EnableInternetSecurity flag, use the following PowerShell command, substituting the appropriate values for your environment.

+```azurepowershell-interactive

+Update-AzP2sVpnGateway -ResourceGroupName "sampleRG" -Name "p2sgwsamplename" -EnableInternetSecurityFlag

+```

+## Downloading the Point-to-site VPN profile

+To download the Point-to-site VPN profile, see [global and hub profiles](global-hub-profile.md). The information in the zip-file downloaded from Azure portal is critical to properly configuring your clients.

+## Configuring forced-tunneling for Azure VPN clients (OpenVPN)

+The steps to configure forced-tunneling are different, depending on the operating system of the end user device.

+## Windows clients

+> [!NOTE]

+> For Windows clients, forced tunneling with the Azure VPN client is only available with software version 2:1900:39.0 or newer.

+1. Validate the version of your Azure VPN client is compatible with forced tunneling. To do this, click on the three dots at the bottom of the Azure VPN client, and click on Help. Alternatively, the keyboard short cut to navigate to Help is Ctrl-H. The version number can be found towards the top of the screen. Ensure your version number is **2:1900:39.0** or later.

+ :::image type="content" source="./media/virtual-wan-forced-tunnel/vpn-client-version.png"alt-text="Screenshot showing how to configure N V A private routing policies."lightbox="./media/virtual-wan-forced-tunnel/vpn-client-version.png":::

+1. Open the zip-file downloaded from the previous section. You should see a folder titled **AzureVPN**. Open the folder and open **azurevpnconfig.xml** in your favorite XML editing tool.

+1. In **azureconfig.xml**, there's a field called **version**. If the number between the version tags is **1**, change the **version** number to **2**.

+ ```xml

+ <version>2</version>

+ ```

+1. Import the profile into the Azure VPN client. For more information on how to import a profile, see [Azure VPN client import instructions](openvpn-azure-ad-client.md).

+1. Connect to the newly added connection. You are now force-tunneling all traffic to Azure Virtual WAN.

+## MacOS clients

+Once a macOS client learns the default route from Azure, forced tunneling is automatically configured on the client device. There are no extra steps to take. For instructions on how to use the macOS Azure VPN client to connect to the Virtual WAN Point-to-site VPN gateway, see the [macOS Configuration Guide](openvpn-azure-ad-client-mac.md).

+## Configuring forced-tunneling for IKEv2 clients

+For IKEv2 clients, you **cannot** directly use the executable profiles downloaded from Azure portal. To properly configure the client, you'll need to run a PowerShell script or distribute the VPN profile via Intune.

+Based on the authentication method configured on your Point-to-site VPN gateway, use a different EAP Configuration file. Sample EAP Configuration files are provided below.

+### IKEv2 with user certificate authentication

+To use user certificates to authenticate remote users, use the sample PowerShell script below. To properly import the contents of the VpnSettings and EAP XML files into PowerShell, navigate to the appropriate directory before running the **Get-Content** PowerShell command.

+```azurepowershell-interactive

+# specify the name of the VPN Connection to be installed on the client

+$vpnConnectionName = "SampleConnectionName"

+# get the VPN Server FQDN from the profile downloaded from Azure Portal

+$downloadedXML = [xml] (Get-Content VpnSettings.xml)

+$vpnserverFQDN = $downloadedXML.VpnProfile.VpnServer

+# use the appropriate EAP XML file based on the authentication method specified on the Point-to-site VPN gateway

+$EAPXML = [xml] (Get-Content EapXML.xml)

+# create the VPN Connection

+Add-VpnConnection -Name $vpnConnectionName -ServerAddress $vpnserverFQDN -TunnelType Ikev2 -AuthenticationMethod Eap -EapConfigXmlStream $EAPXML

+# enabled forced tunneling

+Set-VpnConnection -Name $vpnConnectionName -SplitTunneling $false

+```

+The following example shows an EAP XML file for user-certificate based authentication. Replace the *IssuerHash* field with the Thumbprint of the Root Certificate to ensure your client device selects the correct certificate to present to the VPN server for authentication.

+```xml

+<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">

+ <EapMethod>

+ <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>

+ <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>

+ <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>

+ <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>

+ </EapMethod>

+ <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">

+ <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">

+ <Type>13</Type>

+ <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">

+ <CredentialsSource>

+ <CertificateStore>

+ <SimpleCertSelection>true</SimpleCertSelection>

+ </CertificateStore>

+ </CredentialsSource>

+ <ServerValidation>

+ <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>

+ <ServerNames></ServerNames>

+ </ServerValidation>

+ <DifferentUsername>false</DifferentUsername>

+ <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</PerformServerValidation>

+ <AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</AcceptServerName>

+ <TLSExtensions xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">

+ <FilteringInfo xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3">

+ <CAHashList Enabled="true">

+ <IssuerHash> REPLACE THIS WITH ROOT CERTIFICATE THUMBPRINT </IssuerHash>

+ </CAHashList>

+ </FilteringInfo>

+ </TLSExtensions>

+ </EapType>

+ </Eap>

+ </Config>

+</EapHostConfig>

+```

+### IKEv2 with machine certificate authentication

+To use machine certificates to authenticate remote users, use the sample PowerShell script below. To properly import the contents of the VpnSettings and EAP XML files into PowerShell, navigate to the appropriate directory before running the **Get-Content** PowerShell command.

+```azurepowershell-interactive

+# specify the name of the VPN Connection to be installed on the client

+$vpnConnectionName = "UserCertVPNConnection"

+# get the VPN Server FQDN from the profile downloaded from Azure portal

+$downloadedXML = [xml] (Get-Content VpnSettings.xml)

+$vpnserverFQDN = $downloadedXML.VpnProfile.VpnServer

+# create the VPN Connection

+Add-VpnConnection -Name $vpnConnectionName -ServerAddress $vpnserverFQDN -TunnelType Ikev2 -AuthenticationMethod MachineCertificate

+# enabled forced tunneling

+Set-VpnConnection -Name $vpnConnectionName -SplitTunneling $false

+```

+### IKEv2 with RADIUS server authentication with username and password (EAP-MSCHAPv2)

+To use username and password-based RADIUS authentication (EAP-MASCHAPv2) to authenticate remote users, use the sample PowerShell script below. To properly import the contents of the VpnSettings and EAP XML files into PowerShell, navigate to the appropriate directory before running the **Get-Content** PowerShell command.

+```azurepowershell-interactive

+# specify the name of the VPN Connection to be installed on the client

+$vpnConnectionName = "SampleConnectionName"

+# get the VPN Server FQDN from the profile downloaded from Azure portal

+$downloadedXML = [xml] (Get-Content VpnSettings.xml)

+$vpnserverFQDN = $downloadedXML.VpnProfile.VpnServer

+# use the appropriate EAP XML file based on the authentication method specified on the Point-to-site VPN gateway

+$EAPXML = [xml] (Get-Content EapXML.xml)

+# create the VPN Connection

+Add-VpnConnection -Name $vpnConnectionName -ServerAddress $vpnserverFQDN -TunnelType Point-to-sitev2 -AuthenticationMethod Eap -EapConfigXmlStream $EAPXML

+# enabled forced tunneling

+Set-VpnConnection -Name $vpnConnectionName -SplitTunneling $false

+```

+An example EAP XML file is the following.

+```xml

+<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">

+ <EapMethod>

+ <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">26</Type>

+ <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>

+ <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>

+ <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>

+ </EapMethod>

+ <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">

+ <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">

+ <Type>26</Type>

+ <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">

+ <UseWinLogonCredentials>false</UseWinLogonCredentials>

+ </EapType>

+ </Eap>

+ </Config>

+</EapHostConfig>

+```

+### IKEv2 with RADIUS server authentication with user certificates (EAP-TLS)

+To use certificate-based RADIUS authentication (EAP-TLS) to authenticate remote users, use the sample PowerShell script below. Note that in order to import the contents of the VpnSettings and EAP XML files into PowerShell, you will have to navigate to the appropriate directory before running the **Get-Content** PowerShell command.

+```azurepowershell-interactive

+# specify the name of the VPN Connection to be installed on the client

+$vpnConnectionName = "SampleConnectionName"

+# get the VPN Server FQDN from the profile downloaded from Azure portal

+$downloadedXML = [xml] (Get-Content VpnSettings.xml)

+$vpnserverFQDN = $downloadedXML.VpnProfile.VpnServer

+# use the appropriate EAP XML file based on the authentication method specified on the Point-to-site VPN gateway

+$EAPXML = [xml] (Get-Content EapXML.xml)

+# create the VPN Connection

+Add-VpnConnection -Name $vpnConnectionName -ServerAddress $vpnserverFQDN -TunnelType Ikev2 -AuthenticationMethod Eap -EapConfigXmlStream $EAPXML

+# enabled forced tunneling

+Set-VpnConnection -Name $vpnConnectionName -SplitTunneling $false

+```

+Below is a sample EAP XML file. Change the *TrustedRootCA* field to the thumbprint of your Certificate Authority's certificate and the *IssuerHash* to be the thumbprint of the Root Certificate.

+```xml

+<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">

+ <EapMethod>

+ <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>

+ <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>

+ <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>

+ <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>

+ </EapMethod>

+ <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">

+ <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">

+ <Type>13</Type>

+ <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">

+ <CredentialsSource>

+ <CertificateStore>

+ <SimpleCertSelection>false</SimpleCertSelection>

+ </CertificateStore>

+ </CredentialsSource>

+ <ServerValidation>

+ <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>

+ <ServerNames></ServerNames>

+ <TrustedRootCA> CERTIFICATE AUTHORITY THUMBPRINT </TrustedRootCA>

+ </ServerValidation>

+ <DifferentUsername>true</DifferentUsername>

+ <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</PerformServerValidation>

+ <AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</AcceptServerName>

+ <TLSExtensions xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">

+ <FilteringInfo xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3">

+ <CAHashList Enabled="true">

+ <IssuerHash> ROOT CERTIFCATE THUMBPRINT </IssuerHash>

+ </CAHashList>

+ </FilteringInfo>

+ </TLSExtensions>

+ </EapType>

+ </Eap>

+ </Config>

+</EapHostConfig>

+```

+## Next steps

+For more information about Virtual WAN, see the [FAQ](virtual-wan-faq.md).

+The custom configured traffic selectors will be proposed only when an Azure VPN gateway initiates the connection. A VPN gateway will accept any traffic selectors proposed by a remote gateway (on-premises VPN device). This behavior is consistent between all connection modes (Default, InitiatorOnly, and ResponderOnly).

+No, Azure by default generates different pre-shared keys for different VPN connections. However, you can use the Set VPN Gateway Key REST API or PowerShell cmdlet to set the key value you prefer. The key MUST only contain printable ASCII characters except space, hyphen (-) or tilde (~).