->[!NOTE]

->The Azure AD provisioning service currently drops everything in the URL after the hostname.

-Some of the supported combintaions are

-If a user is running an older version of Microsoft Authenticator that doesn't support number matching, authentication won't work if number matching is enabled. Users need to upgrade to the latest version of Microsoft Authenticator to use it for sign-in if they use Android versions prior to 6.2006.4198, or iOS versions prior to 6.4.12.

-Older versions of Microsoft Authenticator prompt users to tap and select a number rather than enter the number in Microsoft Authenticator. These authentications won't fail, but Microsoft highly recommends that users upgrade to the latest version of Microsoft Authenticator if they use Android versions prior to 6.2108.5654, or iOS versions prior to 6.5.82, so they can use number match.

-Minimum Microsoft Authenticator version supporting number matching:

-Minimum Microsoft Authenticator version for number matching which prompts to enter a number:

-> To ensure no changes in behavior during migration, if your MFA Server is associated with an MFA Provider with no tenant reference, you'll need to update the default MFA settings (e.g. custom greetings) for the tenant you're migrating to match the settings in your MFA Provider. We recommend doing this before migrating any users.

-For a guided walkthrough of many of the recommendations in this article, see the [Plan your self-service password reset deployment](https://go.microsoft.com/fwlink/?linkid=2221600) guide.

-The Microsoft identity platform supports single sign-on (SSO) with most enterprise applications, including both applications pre-integrated in the Azure AD app gallery and custom applications. When a user authenticates to an application

- through the Microsoft identity platform using the OIDC protocol, the Microsoft identity platform sends a token to the application. And then, the application validates and uses the token to log the user in instead of prompting for a username and password.

-Claims customization may be required for various reasons by an application. A good example is when an application has been written to require a different set of claim URIs or claim values. Using the **Attributes & Claims** section you can add or remove a claim for your application. You can also create a custom claim that is specific for an application based on the use case.

-The constant value is displayed on the Attributes overview.

-| **ExtractMailPrefix()** | Removes the domain suffix from either the email address or the user principal name. This function extracts only the first part of the user name being passed through (for example, "joe_smith" instead of joe_smith@contoso.com). |

-1. Select the function from the transformation dropdown. Depending on the function selected, you'll have to provide parameters and a constant value to evaluate in the transformation. Refer to the following table for more information about the available functions.

-1. **Treat source as multivalued** is a checkbox indicating whether the transform should be applied to all values or just the first. By default, transformations are only applied to the first element in a multi-value claim, by checking this box it ensures it's applied to all. This checkbox is only be enabled for multi-valued attributes, for example `user.proxyaddresses`.

-| **ExtractMailPrefix()** | Removes the domain suffix from either the email address or the user principal name. This function extracts only the first part of the user name being passed through (for example, "joe_smith" instead of joe_smith@contoso.com). |

-| **Join()** | Creates a new value by joining two attributes. Optionally, you can use a separator between the two attributes. For NameID claim transformation, the Join() function has specific behavior when the transformation input has a domain part. It removes the domain part from input before joining it with the separator and the selected parameter. For example, if the input of the transformation is 'joe_smith@contoso.com' and the separator is '@' and the parameter is 'fabrikam.com', this input combination results in 'joe_smith@fabrikam.com'. |

-| **Contains()** | Outputs an attribute or constant if the input matches the specified value. Otherwise, you can specify another output if there's no match. <br/>For example, if you want to emit a claim where the value is the user's email address if it contains the domain "@contoso.com", otherwise you want to output the user principal name. To perform this function, you configure the following values:<br/>*Parameter 1(input)*: user.email<br/>*Value*: "@contoso.com"<br/>Parameter 2 (output): user.email<br/>Parameter 3 (output if there's no match): user.userprincipalname |

-| **Extract() - After matching** | Returns the substring after it matches the specified value.<br/>For example, if the input's value is "Finance_BSimon", the matching value is "Finance_", then the claim's output is "BSimon". |

-| **Extract() - Before matching** | Returns the substring until it matches the specified value.<br/>For example, if the input's value is "BSimon_US", the matching value is "_US", then the claim's output is "BSimon". |

-| **Extract() - Between matching** | Returns the substring until it matches the specified value.<br/>For example, if the input's value is "Finance_BSimon_US", the first matching value is "Finance\_", the second matching value is "\_US", then the claim's output is "BSimon". |

-| **ExtractAlpha() - Prefix** | Returns the prefix alphabetical part of the string.<br/>For example, if the input's value is "BSimon_123", then it returns "BSimon". |

-| **ExtractAlpha() - Suffix** | Returns the suffix alphabetical part of the string.<br/>For example, if the input's value is "123_Simon", then it returns "Simon". |

-| **ExtractNumeric() - Prefix** | Returns the prefix numerical part of the string.<br/>For example, if the input's value is "123_BSimon", then it returns "123". |

-| **ExtractNumeric() - Suffix** | Returns the suffix numerical part of the string.<br/>For example, if the input's value is "BSimon_123", then it returns "123". |

-| **IfEmpty()** | Outputs an attribute or constant if the input is null or empty.<br/>For example, if you want to output an attribute stored in an extensionattribute if the employee ID for a given user is empty. To perform this function, you configure the following values:<br/>Parameter 1(input): user.employeeid<br/>Parameter 2 (output): user.extensionattribute1<br/>Parameter 3 (output if there's no match): user.employeeid |

-| **IfNotEmpty()** | Outputs an attribute or constant if the input isn't null or empty.<br/>For example, if you want to output an attribute stored in an extensionattribute if the employee ID for a given user isn't empty. To perform this function, you configure the following values:<br/>Parameter 1(input): user.employeeid<br/>Parameter 2 (output): user.extensionattribute1 |

-| **Substring() - EndOfString** (Preview) | Extracts parts of a string claim type, beginning at the character at the specified position, and returns the rest of the claim from the specified start index. <br/>SourceClaim - The claim source of the transform that should be executed.<br/>StartIndex - The zero-based starting character position of a substring in this instance.<br/>For example:<br/>sourceClaim - PleaseExtractThisNow<br/>StartIndex - 6<br/>Output: ExtractThisNow |

-| **RegexReplace()** (Preview) | RegexReplace() transformation accepts as input parameters:<br/>- Parameter 1: a user attribute as regex input<br/>- An option to trust the source as multivalued<br/>- Regex pattern<br/>- Replacement pattern. The replacement pattern may contain static text format along with a reference that points to regex output groups and more input parameters.<br/><br/>More instructions about how to use the RegexReplace() transformation are described later in this article. |

-| 1 | Transformation | Select the **RegexReplace()** option from the **Transformation** options to use the regex-based claims transformation method for claims transformation. |

-| 2 | Parameter 1 | The input for the regular expression transformation. For example, user.mail that has a user email address such as `admin@fabrikam.com`. |

-| 3 | Treat source as multivalued | Some input user attributes can be multi-value user attributes. If the selected user attribute supports multiple values and the user wants to use multiple values for the transformation, they need to select **Treat source as multivalued**. If selected, all values are used for the regex match, otherwise only the first value is used. |

-| 4 | Regex pattern | A regular expression that is evaluated against the value of user attribute selected as *Parameter 1*. For example a regular expression to extract the user alias from the user's email address would be represented as `(?'domain'^.*?)(?i)(\@fabrikam\.com)$`. |

-| 5 | Add additional parameter | More than one user attribute can be used for the transformation. The values of the attributes would then be merged with regex transformation output. Up to five additional parameters are supported. |

-| 6 | Replacement pattern | The replacement pattern is the text template, which contains placeholders for regex outcome. All group names must be wrapped inside the curly braces such as {group-name}. Let's say the administration wants to use user alias with some other domain name, for example `xyz.com` and merge country name with it. In this case, the replacement pattern would be `{country}.{domain}@xyz.com`, where `{country}` is the value of input parameter and `{domain}` is the group output from the regular expression evaluation. In such a case, the expected outcome is `US.swmal@xyz.com`. |

-The following image shows an example of the second level of transformation:

-| 1 | Transformation | Regex-based claims transformations aren't limited to the first transformation and can be used as the second level transformation as well. Any other transformation method can be used as the first transformation. |

-| 2 | Parameter 1 | If **RegexReplace()** is selected as a second level transformation, output of first level transformation is used as an input for the second level transformation. The second level regex expression should match the output of the first transformation or the transformation won't be applied. |

-| 3 | Regex pattern | **Regex pattern** is the regular expression for the second level transformation. |

-| 4 | Parameter input | User attribute inputs for the second level transformations. |

-| 5 | Parameter input | Administrators can delete the selected input parameter if they don't need it anymore. |

-| 6 | Replacement pattern | The replacement pattern is the text template, which contains placeholders for regex outcome group name, input parameter group name, and static text value. All group names must be wrapped inside the curly braces such as `{group-name}`. Let's say the administration wants to use user alias with some other domain name, for example `xyz.com` and merge country name with it. In this case, the replacement pattern would be `{country}.{domain}@xyz.com`, where `{country}` is the value of input parameter and `{domain}` is the group output from the regular expression evaluation. In such a case, the expected outcome is `US.swmal@xyz.com`. |

-| 7 | Test transformation | The RegexReplace() transformation is evaluated only if the value of the selected user attribute for *Parameter 1* matches with the regular expression provided in the **Regex pattern** textbox. If they don't match, the default claim value is added to the token. To validate regular expression against the input parameter value, a test experience is available within the transform blade. This test experience operates on dummy values only. When additional input parameters are used, the name of the parameter is added to the test result instead of the actual value. To access the test section, select **Test transformation**. |

-| 1 | Test transformation | Select the close or (X) button to hide the test section and re-render the **Test transformation** button again on the blade. |

-| 2 | Test regex input | Accepts input that is used for the regular expression test evaluation. In case regex-based claims transformation is configured as a second level transformation, a value is provided that would be the expected output of the first transformation. |

-| 3 | Run test | After the test regex input is provided and the **Regex pattern**, **Replacement pattern** and **Input parameters** are configured, the expression can be evaluated by selecting **Run test**. |

-| 4 | Test transformation result | If evaluation succeeds, an output of test transformation will be rendered against the **Test transformation result** label. |

-| 5 | Remove transformation | The second level transformation can be removed by selecting **Remove transformation**. |

-| 6 | Specify output if no match | When a regex input value is configured against the *Parameter 1* that doesn't match the **Regular expression**, the transformation is skipped. In such cases, the alternate user attribute can be configured, which is added to the token for the claim by checking **Specify output if no match**. |

-| 7 | Parameter 3 | If an alternate user attribute needs to be returned when there's no match and **Specify output if no match** is checked, an alternate user attribute can be selected using the dropdown. This dropdown is available against **Parameter 3 (output if no match)**. |

-| 8 | Summary | At the bottom of the blade, a full summary of the format is displayed that explains the meaning of the transformation in simple text. |

-| 9 | Add | After the configuration settings for the transformation are verified, it can be saved to a claims policy by selecting **Add**. Changes won't be saved unless **Save** is selected on the **Manage Claim** blade. |

-When the following conditions occur after **Add** or **Run test** is selected, a message is displayed that provides more information about the issue:

-* Input parameters with duplicate user attributes aren't allowed.

-* The source for the groups into the replacement pattern isn't found.

-* **All guests**: User is brought over from an external organization with or without Azure AD.

-One scenario where the user type is helpful is when the source of a claim is different for a guest and an employee accessing an application. You can specify that if the user is an employee, the NameID is sourced from user.email. If the user is a guest, then the NameID is sourced from user.extensionattribute1.

-The order in which you add the conditions are important. Azure AD first evaluates all conditions with source `Attribute` and then evaluates all conditions with source `Transformation` to decide which value to emit in the claim. Conditions with the same source are evaluated from top to bottom. The last value, which matches the expression is emitted in the claim. Transformations such as `IsNotEmpty` and `Contains` act like restrictions.

-First, the Microsoft identity platform verifies whether Britta's user type is **All guests**. Because this is true, the Microsoft identity platform assigns the source for the claim to `user.extensionattribute1`. Second, the Microsoft identity platform verifies whether Britta's user type is **AAD guests**, because this is also true, the Microsoft identity platform assigns the source for the claim to `user.mail`. Finally, the claim is emitted with a value of `user.mail` for Britta.

-As another example, consider when Britta Simon tries to sign in and the following configuration is used. Azure AD first evaluates all conditions with source `Attribute`. Because Britta's user type is **AAD guests**, `user.mail` is assigned as the source for the claim. Next, Azure AD evaluates the transformations. Because Britta is a guest, `user.extensionattribute1` is now the new source for the claim. Because Britta is in **AAD guests**, `user.othermail` is now the source for this claim. Finally, the claim is emitted with a value of `user.othermail` for Britta.

-As a final example, consider what happens if Britta has no `user.othermail` configured or it's empty. In both cases the condition entry is ignored, and the claim falls back to `user.extensionattribute1` instead.

-Advanced claims options can be configured for OIDC applications to expose the same claim as SAML tokens and vice versa for applications that intend to use the same claim for both SAML2.0 and OIDC response tokens.

-Advanced claim options can be configured by checking the box under **Advanced Claims Options** in the **Manage claims** blade.

-* [Configure single sign-on on applications that aren't in the Azure AD application gallery](../manage-apps/configure-saml-single-sign-on.md)

-# Install the module. (You need admin on the machine.)

-# Install-Module AzureAD.

-# Your tenant ID (in the Azure portal, under Azure Active Directory > Overview).

-$TenantID="<tenant-id>"

-$resourceGroup = "securewebappresourcegroup"

-$webAppName="SecureWebApp-20201102125811"

-# Get the ID of the managed identity for the web app.

-$spID = (Get-AzWebApp -ResourceGroupName $resourceGroup -Name $webAppName).identity.principalid

-# Check the Microsoft Graph documentation for the permission you need for the operation.

-$PermissionName = "User.Read.All"

-Connect-AzureAD -TenantId $TenantID

-# Get the service principal for Microsoft Graph.

-# First result should be AppId 00000003-0000-0000-c000-000000000000

-$GraphServicePrincipal = Get-AzureADServicePrincipal -SearchString "Microsoft Graph" | Select-Object -first 1

-# Assign permissions to the managed identity service principal.

-$AppRole = $GraphServicePrincipal.AppRoles | `

-Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application"}

-New-AzureAdServiceAppRoleAssignment -ObjectId $spID -PrincipalId $spID `

-using Azure.Identity;ΓÇï

-using Microsoft.Graph.Core;ΓÇïΓÇï

-using System.Net.Http.Headers;

- var token = credential.GetToken(

- new Azure.Core.TokenRequestContext(

- new[] { "https://graph.microsoft.com/.default" }));

- var accessToken = token.Token;

- var graphServiceClient = new GraphServiceClient(

- new DelegateAuthenticationProvider((requestMessage) =>

- {

- requestMessage

- .Headers

- .Authorization = new AuthenticationHeaderValue("bearer", accessToken);

- return Task.CompletedTask;

- }));

- // MSGraphUser is a DTO class being used to hold User information from the graph service client call

- var users =await graphServiceClient.Users.Request().GetAsync();

- foreach(var u in users)

- catch(Exception ex)

-Consider removing the original direct assignments. We recommend that you do it gradually, and monitor the outcome on a subset of users first. If you could leave the original direct assignments on users, but when the users leave their licensed groups they retain the directly assigned licenses, which might not be what you want.

-Azure Active Directory is available in the list of External Identities identity providers by default. No further configuration is needed to allow guest users to sign in with their Azure AD account using either the invitation flow or a self-service sign-up user flow.

-For a guided walkthrough of many of the recommendations in this article, see the [Set up Azure AD](https://go.microsoft.com/fwlink/?linkid=2221308) guide.

-description: Learn about how to detect and handle user accounts in Azure AD that have become obsolete

-# How To: Manage inactive user accounts in Azure AD

-In large environments, user accounts are not always deleted when employees leave an organization. As an IT administrator, you want to detect and handle these obsolete user accounts because they represent a security risk.

-This article explains a method to handle obsolete user accounts in Azure AD.

-Inactive accounts are user accounts that are not required anymore by members of your organization to gain access to your resources. One key identifier for inactive accounts is that they haven't been used *for a while* to sign-in to your environment. Because inactive accounts are tied to the sign-in activity, you can use the timestamp of the last sign-in that was successful to detect them.

-The challenge of this method is to define what *for a while* means in the case of your environment. For example, users might not sign-in to an environment *for a while*, because they are on vacation. When defining what your delta for inactive user accounts is, you need to factor in all legitimate reasons for not signing in to your environment. In many organizations, the delta for inactive user accounts is between 90 and 180 days.

-

-## How to detect inactive user accounts

-You detect inactive accounts by evaluating the **lastSignInDateTime** property exposed by the **signInActivity** resource type of the **Microsoft Graph** API. The **lastSignInDateTime** property shows the last time a user made a successful interactive sign-in to Azure AD. Using this property, you can implement a solution for the following scenarios:

-> [!NOTE]

-> When you request the signInActivity property while listing users, the maximum page size is 120 users. Requests with $top set higher than 120 will fail. SignInActivity supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`) *but* not with any other filterable properties.

-> There may be the need to generate a report of the last sign in date of all users, if so you can use the following scenario.

-> **Last Sign In Date and Time for All Users**: In this scenario, you request a list of all users, and the last lastSignInDateTime for each respective user: `https://graph.microsoft.com/v1.0/users?$select=displayName,signInActivity`

-## What you need to know

-This section lists what you need to know about the lastSignInDateTime property.

-### How can I access this property?

-The **lastSignInDateTime** property is exposed by the [signInActivity resource type](/graph/api/resources/signinactivity) of the [Microsoft Graph API](/graph/overview#whats-in-microsoft-graph).

-### Is the lastSignInDateTime property available through the Get-AzureAdUser cmdlet?

-No.

-### What edition of Azure AD do I need to access the property?

-To access this property, you need an Azure Active Directory Premium edition.

-### What permission do I need to read the property?

-To read this property, you need to grant the app the following Microsoft Graph permissions:

-### When does Azure AD update the property?

-Each interactive sign-in that was successful results in an update of the underlying data store. Typically, successful sign-ins show up in the related sign-in report within 10 minutes.

-### What does a blank property value mean?

-To generate a lastSignInDateTime timestamp, you need a successful sign-in. Because the lastSignInDateTime property is a new feature, the value of the lastSignInDateTime property can be blank if:

-### For how long is the last sign-in retained?

-The last sign-in date is associated with the user object. The value is retained until the next sign-in of the user.

-1. In the **Admin Credentials** section, input your Alinto Protect Tenant URL as `https://cloud.cleanmail.{Domain}/api/v3/scim2` and corresponding Secret Token obtained from Step 2. Click **Test Connection** to ensure Azure AD can connect to Alinto Protect. If the connection fails, ensure your Alinto Protect account has Admin permissions and try again.

- >[!NOTE]

- >In the Tenant URL, **{Domain}** will be the country code top-level domain. For example, if the country is US, then the Tenant URL will be `https://cloud.cleanmail.com/api/v3/scim2`

-* Sign in to [Asana](https://app.asana.com/) by using your admin account.

-This tutorial describes the steps you need to perform in both askSpoke and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [askSpoke](https://www.askspoke.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).

- > These values are not real. Update these values with the actual Sign on URL, Identifier and Reply URL. Contact [Evidence.com Client support team](https://communities.taser.com/support/SupportContactUs?typ=LE) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

-1. Sign in to your [Harness Admin Console](https://app.harness.io/#/login), and then go to **Continuous Security** > **Access Management**.

-This tutorial describes the steps you need to perform in both Maptician and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Maptician](https://www.maptician.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).

-* A [Maptician](https://www.maptician.com/) tenant.

-This article describes the steps that you'll take in both ServiceNow and Azure Active Directory (Azure AD) to configure automatic user provisioning. When Azure AD is configured, it automatically provisions and deprovisions users and groups to [ServiceNow](https://www.servicenow.com/) by using the Azure AD provisioning service.

-> - Create users in ServiceNow

-> - Remove users in ServiceNow when they don't need access anymore

-> - Keep user attributes synchronized between Azure AD and ServiceNow

-> - Provision groups and group memberships in ServiceNow

-> - Allow [single sign-on](servicenow-tutorial.md) to ServiceNow (recommended)

-* An Azure AD tenant

-* [A Symantec Web Security Service (WSS) tenant](https://www.websecurity.symantec.com/buy-renew?inid=brmenu_nav_brhome)

-# Tutorial: Azure Active Directory single sign-on (SSO) integration with Whitesource

-In this tutorial, you'll learn how to integrate Whitesource with Azure Active Directory (Azure AD). When you integrate Whitesource with Azure AD, you can:

- Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides)

- > These value is not real. Update these value with the actual Sign on URL. Contact [Whitesource Client support team](https://www.whitesourcesoftware.com/contact-us/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

-In this section, you'll create a test user in the Azure portal called B.Simon.

-In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Whitesource.

-To configure single sign-on on **Whitesource** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Whitesource support team](https://www.whitesourcesoftware.com/contact-us/). They set this setting to have the SAML SSO connection set properly on both sides.

-1. Remove the deprecated API, which is listed in the error message. Check the past usage by enabling [container insights][container-insights] and exploring kube audit logs.

-2. Wait 12 hours from the time the last deprecated api usage was seen.

-The new **PremiumV3** pricing tier gives you faster processors, SSD storage, and quadruple the memory-to-core ratio of the existing pricing tiers (double the **PremiumV2** tier). With the performance advantage, you could save money by running your apps on fewer instances. In this article, you learn how to create an app in **PremiumV3** tier or scale up an app to **PremiumV3** tier.

-To scale-up an app to **PremiumV3**, you need to have an Azure App Service app that runs in a pricing tier lower than **PremiumV3**, and the app must be running in an App Service deployment that supports PremiumV3.

-> [!NOTE]

-> Any Windows containers running in the **Premium Container** tier during the preview period continue to function as is, but the **Premium Container** tier will continue to remain in preview. The **PremiumV3** tier is the official replacement for the **Premium Container** tier.

-**PremiumV3** is available in some Azure regions and availability in additional regions is being added continually. To see if it's available in your region, run the following Azure CLI command in the [Azure Cloud Shell](../cloud-shell/overview.md):

-Select **Production**, then select **P1V3**, **P2V3**, or **P3V3**, then click **Apply**.

-> If you don't see **P1V3**, **P2V3**, and **P3V3** as options, or if the options are greyed out, then **PremiumV3** likely isn't available in the underlying App Service deployment that contains the App Service plan. See [Scale up from an unsupported resource group and region combination](#unsupported) for more details.

-Before scaling an existing app to **PremiumV3** tier, make sure that **PremiumV3** is available. For information, see [PremiumV3 availability](#availability). If it's not available, see [Scale up from an unsupported resource group and region combination](#unsupported).

-Select **Production**, then select **P1V3**, **P2V3**, or **P3V3**, then click **Apply**.

-Some App Service plans can't scale up to the PremiumV3 tier if the underlying App Service deployment doesnΓÇÖt support PremiumV3. See [Scale up from an unsupported resource group and region combination](#unsupported) for more details.

-If your app runs in an App Service deployment where **PremiumV3** isn't available, or if your app runs in a region that currently does not support **PremiumV3**, you need to re-deploy your app to take advantage of **PremiumV3**. You have two options:

-## Moving from Premium Container to Premium V3 SKU

-The Premium Container SKU will be retired on **30th June 2022**. You should move your applications to the **Premium V3 SKU** ahead of this date. Use the clone functionality in the Azure App Service CLI experience to [move your application from your Premium Container App Service Plan to a new Premium V3 App Service plan](https://aka.ms/pcsku).

-The following command creates an App Service plan in _P1V3_. You can run it in the Cloud Shell. The options for `--sku` are P1V3, _P2V3_, and _P3V3_.

-> - Undelete functionality isn't supported for the Consumption plan.

-> - Apps Service apps running in an App Service Environment don't support snapshots. Therefore, undelete functionality and clone functionality aren't supported for App Service apps running in an App Service Environment.

->- `Restore-AzDeletedWebApp` isn't supported for function apps.

-Once the app you want to restore has been identified, you can restore it using `Restore-AzDeletedWebApp`, please see below examples

-> The new **PremiumV3** pricing tier guarantees machines with faster processors (minimum 195 [ACU](../virtual-machines/acu.md) per virtual CPU), SSD storage, and quadruple memory-to-core ratio compared to **Standard** tier. **PremiumV3** also supports higher scale via increased instance count while still providing all the advanced capabilities found in **Standard** tier. All features available in the existing **PremiumV2** tier are included in **PremiumV3**.

-> Similar to other dedicated tiers, three VM sizes are available for this tier:

->

-> - Small (2 CPU core, 8 GiB of memory)

-> - Medium (4 CPU cores, 16 GiB of memory)

-> - Large (8 CPU cores, 32 GiB of memory) 

- | P2v3, I2v2 | 32 |

- | P3v3, I3v2 | 64 |

-using Azure.Identity;ΓÇï

-using Microsoft.Graph.Core;ΓÇïΓÇï

-using System.Net.Http.Headers;

- var token = credential.GetToken(

- new Azure.Core.TokenRequestContext(

- new[] { "https://graph.microsoft.com/.default" }));

- var accessToken = token.Token;

- var graphServiceClient = new GraphServiceClient(

- new DelegateAuthenticationProvider((requestMessage) =>

- {

- requestMessage

- .Headers

- .Authorization = new AuthenticationHeaderValue("bearer", accessToken);

- return Task.CompletedTask;

- }));

- // MSGraphUser is a DTO class being used to hold User information from the graph service client call

- var users =await graphServiceClient.Users.Request().GetAsync();

- foreach(var u in users)

- catch(Exception ex)

-| [Azure Blobs][blob-sdk-types] | Preview support | Preview support | Not yet supported |

- [Sql("select [Id], [order], [title], [url], [completed] from dbo.ToDo where Id = @Id",

- CommandType = System.Data.CommandType.Text,

- Parameters = "@Id={Query.id}",

- ConnectionStringSetting = "SqlConnectionString")]

- [Sql("select [Id], [order], [title], [url], [completed] from dbo.ToDo where [Priority] > @Priority",

- CommandType = System.Data.CommandType.Text,

- Parameters = "@Priority={priority}",

- ConnectionStringSetting = "SqlConnectionString")]

- [Sql("select [Id], [order], [title], [url], [completed] from dbo.ToDo where Id = @Id",

- CommandType = System.Data.CommandType.Text,

- Parameters = "@Id={Query.id}",

- ConnectionStringSetting = "SqlConnectionString")]

- [Sql("select [Id], [order], [title], [url], [completed] from dbo.ToDo where [Priority] > @Priority",

- CommandType = System.Data.CommandType.Text,

- Parameters = "@Priority={priority}",

- ConnectionStringSetting = "SqlConnectionString")]

- [Sql("DeleteToDo", CommandType = System.Data.CommandType.StoredProcedure,

- Parameters = "@Id={Query.id}", ConnectionStringSetting = "SqlConnectionString")]

-<!-- Uncomment to support C# script examples.

- [Sql("dbo.ToDo", ConnectionStringSetting = "SqlConnectionString")] IAsyncCollector<ToDoItem> toDoItems,

- [Sql("dbo.RequestLog", ConnectionStringSetting = "SqlConnectionString")] IAsyncCollector<RequestLog> requestLogs)

- [Sql("dbo.ToDo", ConnectionStringSetting = "SqlConnectionString")] IAsyncCollector<ToDoItem> newItems)

- [Sql("dbo.ToDo", ConnectionStringSetting = "SqlConnectionString")] IAsyncCollector<ToDoItem> toDoItems,

- [Sql("dbo.RequestLog", ConnectionStringSetting = "SqlConnectionString")] IAsyncCollector<RequestLog> requestLogs)

- [Sql("dbo.ToDo", ConnectionStringSetting = "SqlConnectionString")] IAsyncCollector<ToDoItem> newItems)

-<!-- Uncomment to support C# script examples.

- [SqlTrigger("[dbo].[ToDo]", ConnectionStringSetting = "SqlConnectionString")]

-<!-- awaiting bundle support

-Functions run as C# script, which is supported primarily for C# portal editing. To update existing binding extensions for C# script apps running in the portal without having to republish your function app, see [Update your extensions].

-You can install this version of the extension in your function app by registering the [extension bundle], version 3.x, or a later version.

-The parameter type supported by the Event Grid trigger depends on the Functions runtime version, the extension package version, and the C# modality used.

-Only JSON string inputs are currently supported.

-Data is imperative for maps. Use the Data service to upload and store geospatial data for use with spatial operations or image composition. Bringing customer data closer to the Azure Maps service will reduce latency, increase productivity, and create new scenarios in your applications. For details on this service, see [Data service].

-For more details, read the [Geolocation service documentation](/rest/api/maps/geolocation).

-[Render service V2](/rest/api/maps/render-v2) introduces a new version of the [Get Map Tile V2 API](/rest/api/maps/render-v2/get-map-tile) that supports using Azure Maps tiles not only in the Azure Maps SDKs but other map controls as well. It includes raster and vector tile formats, 256x256 or 512x512 (where applicable) tile sizes and numerous map types such as road, weather, contour, or map tiles created using Azure Maps Creator. For a complete list, see [TilesetID] in the REST API documentation. It's recommended that you use Render service V2 instead of Render service V1. You're required to display the appropriate copyright attribution on the map anytime you use the Azure Maps Render service V2, either as basemaps or layers, in any third-party map control. For more information, see [How to use the Get Map Attribution API](how-to-show-attribution.md).

-The route services can be used to calculate the estimated arrival times (ETAs) for each requested route. Route APIs consider factors, such as real-time traffic information and historic traffic data, like the typical road speeds on the requested day of the week and time of day. The APIs return the shortest or fastest routes available to multiple destinations at a time in sequence or in optimized order, based on time or distance. The service allows developers to calculate directions across several travel modes, such as car, truck, bicycle, or walking, and electric vehicle. The service also considers inputs, such as departure time, weight restrictions, or hazardous material transport.

-For details on the routing capabilities, read the [Route service documentation](/rest/api/maps/route).

-The Search service helps developers search for addresses, places, business listings by name or category, and other geographic information. Also, services can [reverse geocode](https://en.wikipedia.org/wiki/Reverse_geocoding) addresses and cross streets based on latitudes and longitudes.

-For more details on search capabilities, read the [Search service documentation](/rest/api/maps/search).

-The service enables customers to enhance their location intelligence with a library of common geospatial mathematical calculations. Common calculations include closest point, great circle distance, and buffers. To learn more about the service and the various features, read the [Spatial service documentation](/rest/api/maps/spatial).

-The Time zone service enables you to query current, historical, and future time zone information. You can use either latitude and longitude pairs or an [IANA ID](https://www.iana.org/) as an input. The Time zone service also allows for:

-For details on this service, read the [Time zone service documentation](/rest/api/maps/timezone).

-For more information, see the [Traffic service documentation](/rest/api/maps/traffic).

-### Weather services

-Weather services offer APIs that developers can use to retrieve weather information for a particular location. The information contains details such as observation date and time, brief description of the weather conditions, weather icon, precipitation indicator flags, temperature, and wind speed information. Other details such as RealFeelΓäó Temperature and UV index are also returned.

-Developers can use the [Get Weather along route API](/rest/api/maps/weather/getweatheralongroute) to retrieve weather information along a particular route. Also, the service supports the generation of weather notifications for waypoints that are affected by weather hazards, such as flooding or heavy rain.

-The [Get Map Tile V2 API](/rest/api/maps/render-v2/get-map-tile) allows you to request past, current, and future radar and satellite tiles.

-Azure Maps is built for mobility and can help you develop cross-platform applications. It uses a programming model that's language agnostic and supports JSON output through [REST APIs](/rest/api/maps/).

-Also, Azure Maps offers a convenient [JavaScript map control](/javascript/api/azure-maps-control) with a simple programming model. The development is quick and easy for both web and mobile applications.

-For more information, see the [Get started with Azure Maps Power BI visual](power-bi-visual-get-started.md) article.

-[Quickstart: Create a web app](quick-demo-map-app.md)

-[Data service]: /rest/api/maps/data-v2

-[Dataset service]: creator-indoor-maps.md#datasets

-[Tileset service]: creator-indoor-maps.md#tilesets

-[style service]: /rest/api/maps/v20220901preview/style

-[visual style editor]: https://azure.github.io/Azure-Maps-Style-Editor

-[WFS service]: creator-indoor-maps.md#web-feature-service-api

-[wayfinding API]: /rest/api/maps/v20220901preview/wayfinding

-[Open Geospatial Consortium API]: https://docs.opengeospatial.org/is/17-069r3/17-069r3.html

-[Azure portal]: https://portal.azure.com

-[Azure Maps account]: https://azure.microsoft.com/services/azure-maps/

-The `importDataFromUrl` method provides an easy way to load a GeoJSON feed into a data source but provides limited control on how the data is loaded and what happens after it's been loaded. The following code is a reusable class for importing data from the web or assets folder and returning it to the UI thread via a callback function. Next, add additional post load logic in the callback to process the data, add it to the map, calculate its bounding box, and update the maps camera.

-Azure Maps adheres to the [Mapbox Vector Tile Specification](https://github.com/mapbox/vector-tile-spec), an open standard. Azure Maps provides the following vector tiles services as part of the platform:

-Data is rendered on the map using rendering layers. A single data source can be referenced by one or more rendering layers. The following rendering layers require a data source:

-Alternatively the properties can be loaded into a dictionary (JSON) first then passed into the feature when creating it, as shown below.

-The feature collection, feature, and geometry classes all have `fromJson(_:)` and `toJson()` static methods, which help with serialization. The formatted valid JSON String passed through the `fromJson()` method will create the geometry object. This `fromJson()` method also means you can use `JSONSerialization` or other serialization/deserialization strategies. The following code shows how to take a stringified GeoJSON feature and deserialize it into the `Feature` class, then serialize it back into a GeoJSON string.

-The `DataSource` class has a built in method called `importData(fromURL:)` that can load in GeoJSON files using a URL to a file on the web or the device.

-The `importData(fromURL:)` method provides an easily way to load a GeoJSON feed into a data source but provides limited control on how the data is loaded and what happens after its been loaded. The following code is a reusable class for importing data from the web or assets folder and returning it to the UI thread via a callback function. In the callback you can then add additional post load logic to process the data, add it to the map, calculate its bounding box, and update the maps camera.

-The code below shows how to use this utility to import GeoJSON data as a string and return it to the main thread via a callback. In the callback, the string data can be serialized into a GeoJSON Feature collection and added to the data source. Optionally, update the maps camera to focus in on the data.

-The `DataSource` class makes its easy to add and remove features. Updating the geometry or properties of a feature requires replacing the feature in the data source. There are two methods that can be used to update a feature(s):

-Azure Maps adheres to the [Mapbox Vector Tile Specification](https://github.com/mapbox/vector-tile-spec), an open standard. Azure Maps provides the following vector tiles services as part of the platform:

-Data is rendered on the map using rendering layers. A single data source can be referenced by one or more rendering layers. The following rendering layers require a data source:

-There are additional rendering layers that don't connect to these data sources, but they directly load the data for rendering.

-With Azure Maps, all you need is a single polygon in a data source as shown in the code below.

-A GeoJSON based data source load and store data locally using the `DataSource` class. GeoJSON data can be manually created or created using the helper classes in the [atlas.data](/javascript/api/azure-maps-control/atlas.data) namespace. The `DataSource` class provides functions to import local or remote GeoJSON files. Remote GeoJSON files must be hosted on a CORs enabled endpoint. The `DataSource` class provides functionality for clustering point data. And, data can easily be added, removed, and updated with the `DataSource` class. The following code shows how GeoJSON data can be created in Azure Maps.

-Once created, data sources can be added to the map through the `map.sources` property, which is a [SourceManager](/javascript/api/azure-maps-control/atlas.sourcemanager). The following code shows how to create a `DataSource` and add it to the map.

-A vector tile source describes how to access a vector tile layer. Use the [VectorTileSource](/javascript/api/azure-maps-control/atlas.source.vectortilesource) class to instantiate a vector tile source. Vector tile layers are similar to tile layers, but they aren't the same. A tile layer is a raster image. Vector tile layers are a compressed file, in **PBF** format. This compressed file contains vector map data, and one or more layers. The file can be rendered and styled on the client, based on the style of each layer. The data in a vector tile contain geographic features in the form of points, lines, and polygons. There are several advantages of using vector tile layers instead of raster tile layers:

-Azure Maps adheres to the [Mapbox Vector Tile Specification](https://github.com/mapbox/vector-tile-spec), an open standard. Azure Maps provides the following vector tiles services as part of the platform:

-Data is rendered on the map using rendering layers. A single data source can be referenced by one or more rendering layers. The following rendering layers require a data source:

-* [Bubble layer](map-add-bubble-layer.md) - renders point data as scaled circles on the map.

-* [Symbol layer](map-add-pin.md) - renders point data as icons or text.

-* [Heat map layer](map-add-heat-map-layer.md) - renders point data as a density heat map.

-* [Line layer](map-add-shape.md) - render a line and or render the outline of polygons.

-* [Polygon layer](map-add-shape.md) - fills the area of a polygon with a solid color or image pattern.

-The following code shows how to create a data source, add it to the map, and connect it to a bubble layer. And then, import GeoJSON point data from a remote location into the data source.

-There are additional rendering layers that don't connect to these data sources, but they directly load the data for rendering.

-* [Image layer](map-add-image-layer.md) - overlays a single image on top of the map and binds its corners to a set of specified coordinates.

-* [Tile layer](map-add-tile-layer.md) - superimposes a raster tile layer on top of the map.

-With Azure Maps, all you need is a single polygon in a data source as shown in the code below.

-> [DataSource](/javascript/api/azure-maps-control/atlas.source.datasource)

-> [DataSourceOptions](/javascript/api/azure-maps-control/atlas.datasourceoptions)

-> [VectorTileSource](/javascript/api/azure-maps-control/atlas.source.vectortilesource)

-> [VectorTileSourceOptions](/javascript/api/azure-maps-control/atlas.vectortilesourceoptions)

-> [Use data-driven style expressions](data-driven-style-expressions-web-sdk.md)

-> [Add a symbol layer](map-add-pin.md)

-> [Add a bubble layer](map-add-bubble-layer.md)

-> [Add a line layer](map-add-line-layer.md)

-> [Add a polygon layer](map-add-shape.md)

-> [Add a heat map](map-add-heat-map-layer.md)

-> [Code samples](/samples/browse/?products=azure-maps)

-| Type of expressions | Description |

-||-|

-| [Aggregate expression](#aggregate-expression) | An expression that defines a calculation that is processed over a set of data and can be used with the `clusterProperties` option of a `DataSource`. |

-| [Boolean expressions](#boolean-expressions) | Boolean expressions provide a set of boolean operators expressions for evaluating boolean comparisons. |

-| [Color expressions](#color-expressions) | Color expressions make it easier to create and manipulate color values. |

-| [Conditional expressions](#conditional-expressions) | Conditional expressions provide logic operations that are like if-statements. |

-| [Data expressions](#data-expressions) | Provides access to the property data in a feature. |

-| [Interpolate and Step expressions](#interpolate-and-step-expressions) | Interpolate and step expressions can be used to calculate values along an interpolated curve or step function. |

-| [Layer specific expressions](#layer-specific-expressions) | Special expressions that are only applicable to a single layer. |

-| [Math expressions](#math-expressions) | Provides mathematical operators to perform data-driven calculations within the expression framework. |

-| [String operator expressions](#string-operator-expressions) | String operator expressions perform conversion operations on strings such as concatenating and converting the case. |

-| [Type expressions](#type-expressions) | Type expressions provide tools for testing and converting different data types like strings, numbers, and boolean values. |

-| [Variable binding expressions](#variable-binding-expressions) | Variable binding expressions store the results of a calculation in a variable and referenced elsewhere in an expression multiple times without having to recalculate the stored value. |

-| [Zoom expression](#zoom-expression) | Retrieves the current zoom level of the map at render time. |

-| `['index-of', boolean | string | number, array | string]`<br/><br/>`['index-of', boolean | string | number, array | string, number]` | number | Returns the first position at which an item can be found in an array or a substring can be found in a string, or `-1` if the input cannot be found. Accepts an optional index from where to begin the search. |

-The above example will work fine, if all the point features have the `zoneColor` property. If they don't, the color will likely fall back to "black". To modify the fallback color, use a `case` expression in combination with the `has` expression to check if the property exists. If the property doesn't exist, return a fallback color.

-Bubble and symbol layers will render the coordinates of all shapes in a data source, by default. This behavior can highlight the vertices of a polygon or a line. The `filter` option of the layer can be used to limit the geometry type of the features it renders, by using a `['geometry-type']` expression within a boolean expression. The following example limits a bubble layer so that only `Point` features are rendered.

-Similarly, the outline of Polygons will render in line layers. To disable this behavior in a line layer, add a filter that only allows `LineString` and `MultiLineString` features.

-Here are some additional examples of how to use data expressions:

-The `accumulated` expression gets the value of a cluster property accumulated so far. This can only be used in the `clusterProperties` option of a clustered `DataSource` source.

-When comparing values, the comparison is strictly typed. Values of different types are always considered unequal. Cases where the types are known to be different at parse time are considered invalid and will produce a parse error.

-| `['!=', value, value]` | boolean | Returns `true` if the input values are not equal, `false` otherwise. |

-The following example steps through different boolean conditions until it finds one that evaluates to `true`, and then returns that associated value. If no boolean condition evaluates to `true`, a fallback value will be returned.

-A `match` expression is a type of conditional expression that provides switch-statement like logic. The input can be any expression such as `['get', 'entityType']` that returns a string or a number. Each label must be either a single literal value or an array of literal values, whose values must be all strings or all numbers. The input matches if any of the values in the array match. Each label must be unique. If the input type doesn't match the type of the labels, the result will be the fallback value.

-The following example uses an array to list a set of labels that should all return the same value. This approach is much more efficient than listing each label individually. In this case, if the `entityType` property is "restaurant" or "grocery_store", the color "red" will be returned.

-The following example uses a `coalesce` expression to set the `textField` option of a symbol layer. If the `title` property is missing from the feature or set to `null`, the expression will then try looking for the `subTitle` property, if its missing or `null`, it will then fall back to an empty string.

-| `['collator', { 'case-sensitive': boolean, 'diacritic-sensitive': boolean, 'locale': string }]` | collator | Returns a collator for use in locale-dependent comparison operations. The case-sensitive and diacritic-sensitive options default to false. The locale argument specifies the IETF language tag of the locale to use. If none is provided, the default locale is used. If the requested locale is not available, the collator will use a system-defined fallback locale. Use resolved-locale to test the results of locale fallback behavior. |

-| `['literal', array]`<br/><br/>`['literal', object]` | array \| object | Returns a literal array or object value. Use this expression to prevent an array or object from being evaluated as an expression. This is necessary when an array or object needs to be returned by an expression. |

-| `['to-number', value]`<br/><br/>`['to-number', value1, value2, …]` | number | Converts the input value to a number, if possible. If the input is `null` or `false`, the result is 0. If the input is `true`, the result is 1. If the input is a string, it's converted to a number using the [ToNumber](https://tc39.github.io/ecma262/#sec-tonumber-applied-to-the-string-type) string function of the ECMAScript Language Specification. If multiple values are provided, each one is evaluated in order until the first successful conversion is obtained. If none of the inputs can be converted, the expression is an error. |

-| `['to-string', value]` | string | Converts the input value to a string. If the input is `null`, the result is `""`. If the input is a boolean, the result is `"true"` or `"false"`. If the input is a number, it's converted to a string using the [ToString](https://tc39.github.io/ecma262/#sec-tostring-applied-to-the-number-type) number function of the ECMAScript Language Specification. If the input is a color, it's converted to CSS RGBA color string `"rgba(r,g,b,a)"`. Otherwise, the input is converted to a string using the [JSON.stringify](https://tc39.github.io/ecma262/#sec-json.stringify) function of the ECMAScript Language Specification. |

-| `['rgb', number, number, number]` | color | Creates a color value from *red*, *green*, and *blue* components that must range between `0` and `255`, and an alpha component of `1`. If any component is out of range, the expression is an error. |

-| `['rgba', number, number, number, number]` | color | Creates a color value from *red*, *green*, *blue* components that must range between `0` and `255`, and an alpha component within a range of `0` and `1`. If any component is out of range, the expression is an error. |

-The following example creates an RGB color value that has a *red* value of `255`, and *green* and *blue* values that are calculated by multiplying `2.5` by the value of the `temperature` property. As the temperature changes, the color will change to different shades of *red*.

-| `['resolved-locale', string]` | string | Returns the IETF language tag of the locale being used by the provided collator. This can be used to determine the default system locale, or to determine if a requested locale was successfully loaded. |

-The above expression renders a pin on the map with the text "64┬░F" overlaid on top of it as shown in the image below.

-Here is an example of what these different types of interpolations look like.

-The following example uses a `linear interpolate` expression to set the `color` property of a bubble layer based on the `temperature` property of the point feature. If the `temperature` value is less than 60, "blue" will be returned. If it's between 60 and less than 70, yellow will be returned. If it's between 70 and less than 80, "orange" will be returned. If it's 80 or greater, "red" will be returned.

-A `step` expression can be used to calculate discrete, stepped result values by evaluating a [piecewise-constant function](https://mathworld.wolfram.com/PiecewiseConstantFunction.html) defined by stops.

-The following example uses a `step` expression to set the `color` property of a bubble layer based on the `temperature` property of the point feature. If the `temperature` value is less than 60, "blue" will be returned. If it's between 60 and less than 70, "yellow" will be returned. If it's between 70 and less than 80, "orange" will be returned. If it's 80 or greater, "red" will be returned.

-A heat map density expression retrieves the heat map density value for each pixel in a heat map layer and is defined as `['heatmap-density']`. This value is a number between `0` and `1`. It's used in combination with a `interpolation` or `step` expression to define the color gradient used to colorize the heat map. This expression can only be used in the [color option](/javascript/api/azure-maps-control/atlas.heatmaplayeroptions#color) of the heat map layer.

-For more information, see the [Add a heat map layer](map-add-heat-map-layer.md) documentation.

-A line progress expression retrieves the progress along a gradient line in a line layer and is defined as `['line-progress']`. This value is a number between 0 and 1. It's used in combination with an `interpolation` or `step` expression. This expression can only be used with the [strokeGradient option](/javascript/api/azure-maps-control/atlas.linelayeroptions#strokegradient) of the line layer.

-[See live example](map-add-line-layer.md#line-stroke-gradient)

-This layer will render the point feature as shown in the image below:

-The `number-format` expression can only be used with the `textField` option of a symbol layer. This expression converts the provided number into a formatted string. This expression wraps JavaScript's [Number.toLocalString](https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/Number/toLocaleString) function and supports the following set of options.

-This layer will render the point feature as shown in the image below:

-An image expression can be used with the `image` and `textField` options of a symbol layer, and the `fillPattern` option of the polygon layer. This expression checks that the requested image exists in the style and will return either the resolved image name or `null`, depending on whether or not the image is currently in the style. This validation process is synchronous and requires the image to have been added to the style before requesting it in the image argument.

-This layer will render the text field in the symbol layer as shown in the image below:

-By default, the radii of data points rendered in the heat map layer have a fixed pixel radius for all zoom levels. As the map is zoomed, the data aggregates together and the heat map layer looks different. A `zoom` expression can be used to scale the radius for each zoom level such that each data point covers the same physical area of the map. It will make the heat map layer look more static and consistent. Each zoom level of the map has twice as many pixels vertically and horizontally as the previous zoom level. Scaling the radius, such that it doubles with each zoom level, will create a heat map that looks consistent on all zoom levels. It can be accomplished using the `zoom` expression with a `base 2 exponential interpolation` expression, with the pixel radius set for the minimum zoom level and a scaled radius for the maximum zoom level calculated as `2 * Math.pow(2, minZoom - maxZoom)` as shown below.

-```javascript

-[See live example](map-add-heat-map-layer.md#consistent-zoomable-heat-map)

-Variable binding expressions store the results of a calculation in a variable. So, that the calculation results can be referenced elsewhere in an expression multiple times. It is a useful optimization for expressions that involve many calculations.

- //Evaluate the child expression in which the stored variable will be used.

-> [Add a heat map layer](map-add-heat-map-layer.md)

-In addition to log-based metrics, in late 2018, the Application Insights team shipped a public preview of metrics that are stored in a specialized repository that's optimized for time series. The new metrics are no longer kept as individual events with lots of properties. Instead, they're stored as pre-aggregated time series, and only with key dimensions. This change makes the new metrics superior at query time. Retrieving data happens much faster and requires less compute power. As a result, new scenarios are enabled, such as [near real time alerting on dimensions of metrics](../alerts/alerts-metric-near-real-time.md) and more responsive [dashboards](./overview-dashboard.md).

-The collection of custom metrics dimensions is turned off by default because in the future storing custom metrics with dimensions will be billed separately from Application Insights. Storing the non-dimensional custom metrics will remain free (up to a quota). You can learn about the upcoming pricing model changes on our official [pricing page](https://azure.microsoft.com/pricing/details/monitor/).

-| Without HostedServices | AspNetCore |

- 3. If you want to allow Microsoft services trusted by the Azure Relay service to bypass this firewall, select **Yes** for **Allow trusted Microsoft services to bypass this firewall?**.

-| When first logging into the vSphere Client, the **Cluster-n: vSAN health alarms are suppressed** alert is active | 2021 | This is should be considered an informational message, since Microsoft manages the service. Select the **Reset to Green** link to clear it. | 2021 |

-> Permissions below apply to NSX-T's Policy API. Manager API functionality may be limited.

-> The VMware NSX-T Data Center **System** > **Identity Firewall AD** configuration option isn't supported by the NSX custom role. The recommendation is to assign the **Security Operator** role to the user with the custom role to allow managing the Identity Firewall (IDFW) feature for that user.

-> VMware vRealize Automation(vRA) integration with the NSX-T Data Center component of the Azure VMware Solution requires the ΓÇ£auditorΓÇ¥ role to be added to the user with the NSX-T Manager cloudadmin role.

-## HCX

-See the following information for recommendations to secure your HCX deployment.

-| Stay current with HCX service updates | HCX service updates can include new features, software fixes, and security patches. Apply service updates during a maintenance window where no new HCX operations are queued up by following these [steps](https://docs.vmware.com/en/VMware-HCX/4.1/hcx-user-guide/GUID-F4AEAACB-212B-4FB6-AC36-9E5106879222.html). |

-| Microsoft - Azure VMware Solution | Physical infrastructure<ul><li>Azure regions</li><li>Azure availability zones</li><li>Express Route/Global reach</ul></li>Compute/Network/Storage<ul><li>Rack and power Bare Metal hosts</li><li>Rack and power network equipment</ul></li>Software defined Data Center (SDDC) deploy/lifecycle<ul><li>VMware ESXi deploy, patch, and upgrade</li><li>VMware vCenter Servers deploy, patch, and upgrade</li><li>VMware NSX-T Data Centers deploy, patch, and upgrade</li><li>vSAN deploy, patch, and upgrade</ul></li>SDDC Networking - VMware NSX-T Data Center provider config<ul><li>Microsoft Edge node/cluster, VMware NSX-T Data Center host preparation</li><li>Provider Tier-0 and Tenant Tier-1 Gateway</li><li>Connectivity from Tier-0 (using BGP) to Azure Network via Express Route</ul></li>SDDC Compute - VMware vCenter Server provider config<ul><li>Create default cluster</li><li>Configure virtual networking for vMotion, Management, vSAN, and others</ul></li>SDDC backup/restore<ul><li>Backup and restore VMware vCenter Server</li><li>Backup and restore VMware NSX-T Data Center NSX-T Manager</ul></li>SDDC health monitoring and corrective actions, for example: replace failed hosts</br><br>(optional) HCX deploys with fully configured compute profile on cloud side as add-on</br><br>(optional) SRM deploys, upgrade, and scale up/down</br><br>Support - SDDC platforms and HCX |

-| Customer | Request Azure VMware Solution host quote with Microsoft<br>Plan and create a request for SDDCs on Azure portal with:<ul><li>Host count</li><li>Management network range</li><li>Other information</ul></li>Configure SDDC network and security (VMware NSX-T Data Center)<ul><li>Network segments to host applications</li><li>Additional Tier -1 routers</li><li>Firewall</li><li>VMware NSX-T Data Center LB</li><li>IPsec VPN</li><li>NAT</li><li>Public IP addresses</li><li>Distributed firewall/gateway firewall</li><li>Network extension using HCX or VMware NSX-T Data Center</li><li>AD/LDAP config for RBAC</ul></li>Configure SDDC - VMware vCenter Server<ul><li>AD/LDAP config for RBAC</li><li>Deploy and lifecycle management of Virtual Machines (VMs) and application<ul><li>Install operating systems</li><li>Patch operating systems</li><li>Install antivirus software</li><li>Install backup software</li><li>Install configuration management software</li><li>Install application components</li><li>VM networking using VMware NSX-T Data Center segments</ul></li><li>Migrate Virtual Machines (VMs)<ul><li>HCX configuration</li><li>Live vMotion</li><li>Cold migration</li><li>Content library sync</ul></li></ul></li>Configure SDDC - vSAN<ul><li>Define and maintain vSAN VM policies</li><li>Add hosts to maintain adequate 'slack space'</ul></li>Configure HCX<ul><li>Download and deploy HCA connector OVA in on-premises</li><li>Pairing on-premises HCX connector</li><li>Configure the network profile, compute profile, and service mesh</li><li>Configure HCX network extension/MON</li><li>Upgrade/updates</ul></li>Network configuration to connect to on-premises, VNET, or internet</br><br>Add or delete hosts requests to cluster from Portal</br><br>Deploy/lifecycle management of partner (third party) solutions |

->This procedure assumes you have multiple domains, so we'll use examples of www.contoso.com and www.fabrikam.com.

-1. In your private cloud, create two different pools of VMs. One represents Contoso and the second Fabrikam.

-## Connect to the local vCenter of your private cloud

-1. From the jump box, sign in to vSphere Client with VMware vCenter Server SSO using a cloud admin username and verify that the user interface displays successfully.

-In your **on-premises edge router**, you should now see where the ExpressRoute connects the NSX-T network segments and the Azure VMware Solution management segments.

-1. On the **Roles** tab, select `Web PubSub App Server`.

-## Sample codes

-> func extensions install --package Microsoft.Azure.WebJobs.Extensions.WebPubSub --version 1.0.0

- [WebPubSubTrigger("<hub>", WebPubSubEventType.User, "message")]

- UserEventRequest request,

- WebPubSubConnectionContext context,

- string data,

- WebPubSubDataType dataType)

- Console.WriteLine($"Request from: {context.UserId}");

- Console.WriteLine($"Request message data: {data}");

- Console.WriteLine($"Request message dataType: {dataType}");

-[FunctionName("WebPubSubTriggerReturnValue")]

-public static MessageResponse Run(

- [WebPubSubTrigger("<hub>", WebPubSubEventType.User, "message")]

- UserEventRequest request,

- ConnectionContext context,

- string data,

- WebPubSubDataType dataType)

- return new UserEventResponse

- {

- Data = BinaryData.FromString("ack"),

- DataType = WebPubSubDataType.Text

- };

-WebPubSubConnectionContext context, ILogger log)

-<a name="ultra-disk-backup">Ultra SSD disks</a> | Supported with [Enhanced policy](backup-azure-vms-enhanced-policy.md). The support is currently in preview. <br><br> To enroll your subscription for this feature, [fill this form](https://forms.office.com/r/1GLRnNCntU).

-To enable automatic scaling on a pool of compute nodes, you associate the pool with an *autoscale formula* that you define. The Batch service uses the autoscale formula to determine how many nodes are needed to execute your workload. These nodes may be dedicated nodes or [Azure Spot nodes](batch-spot-vms.md). Batch will then periodically review service metrics data and use it to adjust the number of nodes in the pool based on your formula and at an interval that you define.

-This example creates a pool that starts with 25 Spot nodes. Every time a Spot node is preempted, it is replaced with a dedicated node. As with the first example, the `maxNumberofVMs` variable prevents the pool from exceeding 25 VMs. This example is useful for taking advantage of Spot VMs while also ensuring that only a fixed number of preemptions will occur for the lifetime of the pool.

-You'll learn more about [how to create autoscale formulas](#write-an-autoscale-formula) and see additional [example autoscale formulas](#example-autoscale-formulas) later in this topic.

-The following tables show the read-write and read-only variables that are defined by the Batch service.

-| $NodeDeallocationOption |The action that occurs when compute nodes are removed from a pool. Possible values are:<ul><li>**requeue**: The default value. Ends tasks immediately and puts them back on the job queue so that they are rescheduled. This action ensures the target number of nodes is reached as quickly as possible. However, it may be less efficient, as any running tasks will be interrupted and will then have to be completely restarted. <li>**terminate**: Ends tasks immediately and removes them from the job queue.<li>**taskcompletion**: Waits for currently running tasks to finish and then removes the node from the pool. Use this option to avoid tasks being interrupted and requeued, wasting any work the task has done.<li>**retaineddata**: Waits for all the local task-retained data on the node to be cleaned up before removing the node from the pool.</ul> |

-> Job release tasks are not currently included in variables that provide task counts, such as $ActiveTasks and $PendingTasks. Depending on your autoscale formula, this can result in nodes being removed with no nodes available to run job release tasks.

-| $WallClockSeconds |The number of seconds consumed. |

-| $MemoryBytes |The average number of megabytes used. |

-| $DiskBytes |The average number of gigabytes used on the local disks. |

-| $DiskReadBytes |The number of bytes read. |

-| $DiskWriteBytes |The number of bytes written. |

-| $DiskReadOps |The count of read disk operations performed. |

-| $DiskWriteOps |The count of write disk operations performed. |

-| $NetworkInBytes |The number of inbound bytes. |

-| $NetworkOutBytes |The number of outbound bytes. |

-| $SampleNodeCount |The count of compute nodes. |

-| $ActiveTasks |The number of tasks that are ready to execute but are not yet executing. This includes all tasks that are in the active state and whose dependencies have been satisfied. Any tasks that are in the active state but whose dependencies have not been satisfied are excluded from the $ActiveTasks count. For a multi-instance task, $ActiveTasks will include the number of instances set on the task.|

-When testing a double with a ternary operator (`double ? statement1 : statement2`), nonzero is **true**, and zero is **false**.

-Autoscale formulas act on samples of metric data provided by the Batch service. A formula will grow or shrink the pool size based on the values that it obtains. Service-defined variables are objects that provide methods to access data that is associated with that object. For example, the following expression shows a request to get the last five minutes of CPU usage:

-| GetSample() |The `GetSample()` method returns a vector of data samples.<br/><br/>A sample is 30 seconds worth of metrics data. In other words, samples are obtained every 30 seconds. But as noted below, there is a delay between when a sample is collected and when it is available to a formula. As such, not all samples for a given time period may be available for evaluation by a formula.<ul><li>`doubleVec GetSample(double count)`: Specifies the number of samples to obtain from the most recent samples that were collected. `GetSample(1)` returns the last available sample. For metrics like `$CPUPercent`, however, `GetSample(1)` shouldn't be used, because it's impossible to know *when* the sample was collected. It could be recent, or, because of system issues, it might be much older. In such cases, it's better to use a time interval as shown below.<li>`doubleVec GetSample((timestamp or timeinterval) startTime [, double samplePercent])`: Specifies a time frame for gathering sample data. Optionally, it also specifies the percentage of samples that must be available in the requested time frame. For example, `$CPUPercent.GetSample(TimeInterval_Minute * 10)` would return 20 samples if all samples for the last 10 minutes are present in the `CPUPercent` history. If the last minute of history wasn't available, only 18 samples would be returned. In this case `$CPUPercent.GetSample(TimeInterval_Minute * 10, 95)` would fail because only 90 percent of the samples are available, but `$CPUPercent.GetSample(TimeInterval_Minute * 10, 80)` would succeed.<li>`doubleVec GetSample((timestamp or timeinterval) startTime, (timestamp or timeinterval) endTime [, double samplePercent])`: Specifies a time frame for gathering data, with both a start time and an end time. As mentioned above, there is a delay between when a sample is collected and when it becomes available to a formula. Consider this delay when you use the `GetSample` method. See `GetSamplePercent` below. |

-The Batch service periodically takes samples of task and resource metrics and makes them available to your autoscale formulas. These samples are recorded every 30 seconds by the Batch service. However, there is typically a delay between when those samples were recorded and when they are made available to (and can be read by) your autoscale formulas. Additionally, samples may not be recorded for a particular interval because of factors such as network or other infrastructure issues.

-When `samplePercent` is passed to the `GetSample()` method or the `GetSamplePercent()` method is called, _percent_ refers to a comparison between the total possible number of samples that are recorded by the Batch service and the number of samples that are available to your autoscale formula.

-Your autoscale formulas will grow and shrink your pools by adding or removing nodes. Because nodes cost you money, be sure that your formulas use an intelligent method of analysis that is based on sufficient data. We recommend that you use a trending-type analysis in your formulas. This type grows and shrinks your pools based on a range of collected samples.

-When the above line is evaluated by Batch, it returns a range of samples as a vector of values. For example:

-For additional security, you can force a formula evaluation to fail if less than a certain sample percentage is available for a particular time period. When you force a formula evaluation to fail, you instruct Batch to cease further evaluation of the formula if the specified percentage of samples is not available. In this case, no change is made to the pool size. To specify a required percentage of samples for the evaluation to succeed, specify it as the third parameter to `GetSample()`. Here, a requirement of 75 percent of samples is specified:

-> We strongly recommend that you **avoid relying *only* on `GetSample(1)` in your autoscale formulas**. This is because `GetSample(1)` essentially says to the Batch service, "Give me the last sample you have, no matter how long ago you retrieved it." Since it is only a single sample, and it may be an older sample, it may not be representative of the larger picture of recent task or resource state. If you do use `GetSample(1)`, make sure that it's part of a larger statement and not the only data point that your formula relies on.

-The first statement in our formula will increase the number of nodes during high CPU usage. We'll define a statement that populates a user-defined variable (`$totalDedicatedNodes`) with a value that is 110 percent of the current target number of dedicated nodes, but only if the minimum average CPU usage during the last 10 minutes was above 70 percent. Otherwise, it uses the value for the current number of dedicated nodes.

-Now, we'll limit the target number of dedicated compute nodes to a maximum of 400.

-Finally, we'll ensure that nodes aren't removed until their tasks are finished.

- - If you omit either the autoscale formula or interval, the Batch service will continue to use the current value of that setting.

-To ensure that your formula is performing as expected, we recommend that you periodically check the results of the autoscaling runs that Batch performs on your pool. To do so, get (or refresh) a reference to the pool, then examine the properties of its last autoscale run.

-You can also check automatic scaling history by querying [PoolAutoScaleEvent](batch-pool-autoscale-event.md). This event is emitted by Batch Service to record each occurrence of autoscale formula evaluation and execution, which can be helpful to troubleshoot potential issues.

-> [!IMPORTANT]

-> In most cases, you should create custom images using the Azure Compute Gallery. By using the Azure Compute Gallery, you can provision pools faster, scale larger quantities of VMs, and have improved reliability when provisioning VMs. To learn more, see [Use the Azure Compute Gallery to create a custom pool](batch-sig-images.md).

-If you are creating a new VM for the image, use a first party Azure Marketplace image supported by Batch as the base image for your managed image. Only first party images can be used as a base image. To get a full list of Azure Marketplace image references supported by Azure Batch, see the [List node agent SKUs](/java/api/com.microsoft.azure.batch.protocol.accounts.listnodeagentskus) operation.

-If you plan to create a pool with hundreds of VMs or more using a custom image, it is important to follow the preceding guidance to use an image created from a VM snapshot.

-

-By using the [Azure Compute Gallery](batch-sig-images.md), you can create larger pools with your customized images along with more Shared Image replicas. Using Shared Images, the time it takes for the pool to reach the steady state is up to 25% faster, and the VM idle latency is up to 30% shorter.

-Creating a managed image resource directly with Packer can only be done with user subscription mode Batch accounts. For Batch service mode accounts, you need to create a VHD first, then import the VHD to a managed image resource. Depending on your pool allocation mode (user subscription, or Batch service), your steps to create a managed image resource will vary.

-If the image or the underlying resource is removed, you may get an error similar to: `There was an error encountered while performing the last resize on the pool. Please try resizing the pool again. Code: AllocationFailed`. If you get this error, ensure that the underlying resource has not been removed.

-# Run container applications on Azure Batch

-Using containers provides an easy way to run Batch tasks without having to manage an environment and dependencies to run applications. Containers deploy applications as lightweight, portable, self-sufficient units that can run in several different environments. For example, build and test a container locally, then upload the container image to a registry in Azure or elsewhere. The container deployment model ensures that the runtime environment of your application is always correctly installed and configured wherever you host the application. Container-based tasks in Batch can also take advantage of features of non-container tasks, including application packages and management of resource files and output files.

-## Supported virtual machine images

-Batch supports Windows server images that have container support designations. Typically these image sku names are suffixed with `-with-containers` or `-with-containers-smalldisk`. Additionally, [the API to list all supported images in Batch](batch-linux-nodes.md#list-of-virtual-machine-images) will denote a `DockerCompatible` capability if the image supports Docker containers.

-You can also create custom images from VMs running Docker on one of the Linux distributions that is compatible with Batch. If you choose to provide your own custom Linux image, see the instructions in [Use a managed custom image to create a pool of virtual machines](batch-custom-images.md).

-For Docker support on a custom image, install [Docker Community Edition (CE)](https://www.docker.com/community-edition) or [Docker Enterprise Edition (EE)](https://docs.docker.com/).

-To enable a Batch pool to run container workloads, you must specify [ContainerConfiguration](/dotnet/api/microsoft.azure.batch.containerconfiguration) settings in the pool's [VirtualMachineConfiguration](/dotnet/api/microsoft.azure.batch.virtualmachineconfiguration) object. (This article provides links to the Batch .NET API reference. Corresponding settings are in the [Batch Python](/python/api/overview/azure/batch) API.)

-You can create a container-enabled pool with or without prefetched container images, as shown in the following examples. The pull (or prefetch) process lets you pre-load container images from either Docker Hub or another container registry on the Internet. For best performance, use an [Azure container registry](../container-registry/container-registry-intro.md) in the same region as the Batch account.

-The advantage of prefetching container images is that when tasks first start running they don't have to wait for the container image to download. The container configuration pulls container images to the VMs when the pool is created. Tasks that run on the pool can then reference the list of container images and container run options.

-**Note**: Ubuntu server version used in the example is for illustration purposes. Feel free to change the node_agent_sku_id to the version you are using.

-To prefetch container images on the pool, add the list of container images (`container_image_names`, in Python) to the `ContainerConfiguration`.

-When accessing containers stored in [Azure Container Registry](https://azure.microsoft.com/services/container-registry), either a username/password or a managed identity can be used to authenticate with the service. To use a managed identity, first ensure that the identity has been [assigned to the pool](managed-identity-pools.md) and that the identity has the `AcrPull` role assigned for the container registry you wish to access. Then, simply tell Batch which identity to use when authenticating with ACR.

-As with non-container Batch tasks, you set a command line for a container task. Because Batch automatically creates the container, the command line only specifies the command or commands that will run in the container.

-A Batch container task executes in a working directory in the container that is very similar to the directory Batch sets up for a regular (non-container) task. Note that this working directory is different from the [WORKDIR](https://docs.docker.com/engine/reference/builder/#workdir) if configured in the image, or the default container working directory (`C:\` on a Windows container, or `/` on a Linux container).

-> [!IMPORTANT]

-> [!IMPORTANT]

-> [!IMPORTANT]

- * Plug-ins are available that allow Batch rendering to be used from directly within the client design and modeling applications. The plug-ins mainly invoke the Batch Explorer application with contextual information about the current 3D model and includes features to help manage assets.

-| Resource Type | Target name/type | Suggested role assignment |

-| - | - | - |

-| Microsoft.Cache/Redis (service-direct) | Microsoft-AzureCacheForRedis | Redis Cache Contributor |

-| Microsoft.ClassicCompute/domainNames (service-direct) | Microsoft-DomainNames | Classic Virtual Machine Contributor |

-| Microsoft.Compute/virtualMachines (agent-based) | Microsoft-Agent | Reader |

-| Microsoft.Compute/virtualMachineScaleSets (agent-based) | Microsoft-Agent | Reader |

-| Microsoft.Compute/virtualMachines (service-direct) | Microsoft-VirtualMachine | Virtual Machine Contributor |

-| Microsoft.Compute/virtualMachineScaleSets (service-direct) | Microsoft-VirtualMachineScaleSet | Virtual Machine Contributor |

-| Microsoft.ContainerService/managedClusters (service-direct) | Microsoft-AzureKubernetesServiceChaosMesh | Azure Kubernetes Service Cluster Admin Role |

-| Microsoft.DocumentDb/databaseAccounts (CosmosDB, service-direct) | Microsoft-CosmosDB | Cosmos DB Operator |

-| Microsoft.KeyVault/vaults (service-direct) | Microsoft-KeyVault | Key Vault Contributor |

-| Microsoft.Network/networkSecurityGroups (service-direct) | Microsoft-NetworkSecurityGroup | Network Contributor |

-| ada | N/A | South Central US ² | 2,049 | Oct 2019|

-| babbage | N/A | South Central US² | 2,049 | Oct 2019 |

-| curie | N/A | South Central US² | 2,049 | Oct 2019 |

-<br>² East US and West Europe were previously available, but due to high demand they are currently unavailable for new customers to use for fine-tuning. Please use US South Central region for fine-tuning.

-Different Azure OpenAI embedding models are specifically created to be good at a particular task. **Similarity embeddings** are good at capturing semantic similarity between two or more pieces of text. **Text search embeddings** help measure long documents are relevant to a short query. **Code search embeddings** are useful for embedding code snippets and embedding natural language search queries.

-Learn more about using Azure OpenAI and embeddings to perform document search with our [embeddings tutorial](../tutorials/embeddings.md).

-| | Admit participants in the lobby into the Teams meeting | ❌ |

-| | Add and remove video stream from spotlight | ❌ |

-| | Allow video stream to be selected for spotlight | ❌ |

-| Engagement | Raise and lower hand | ❌ |

-| | Indicate other participants' raised and lowered hands | ❌ |

-description: Teams administrator controls to impact Azure Communication Services support for Teams external users

-Teams administrators control organization-wide policies and manage and assign user policies. Teams meeting policies are tied to the organizer of the Teams meeting. Teams meetings also have options to customize specific Teams meetings further.

-## Teams policies

-Teams administrators have the following policies to control the experience for Teams external users in Teams meetings.

-|Setting name|Policy scope|Description| Supported |

-| - | -| -| |

-| [Anonymous users can join a meeting](/microsoftteams/meeting-settings-in-teams#allow-anonymous-users-to-join-meetings) | organization-wide | If disabled, Teams external users can't join Teams meeting | ✔️ |

-| [Let anonymous people join a meeting](/microsoftteams/meeting-settings-in-teams#allow-anonymous-users-to-join-meetings) | per-organizer | If disabled, Teams external users can't join Teams meeting | ✔️ |

-| [Let anonymous people start a meeting](/microsoftteams/meeting-settings-in-teams#allow-anonymous-users-to-join-meetings)| per-organizer | If enabled, Teams external users can start a Teams meeting without Teams user | ✔️ |

-| [Automatically admit people](/microsoftteams/meeting-policies-participants-and-guests#automatically-admit-people) | per-organizer | If set to "Everyone", Teams external users can bypass lobby. Otherwise, Teams external users have to wait in the lobby until an authenticated user admits them.| ✔️ |

-| [Who can present in meetings](/microsoftteams/meeting-policies-in-teams-general#designated-presenter-role-mode) | per-user | If set to "Everyone", Teams external users join Teams meeting as presenters. Otherwise, they join as attendees. | ✔️ |

-| [Blocked anonymous join client types](/powershell/module/skype/set-csteamsmeetingpolicy) | per-organizer | If property "BlockedAnonymousJoinClientTypes" is set to "Teams" or "Null", the Teams external users via Azure Communication Services can join Teams meeting | ✔️ |

-## Teams meeting options

-Teams meeting organizers can also configure the Teams meeting options to adjust the experience for participants. The following options are supported in Azure Communication Services for external users:

-| [Automatically admit people](/microsoftteams/meeting-policies-participants-and-guests#automatically-admit-people) | If set to "Everyone", Teams external users can bypass lobby. Otherwise, Teams external users have to wait in the lobby until an authenticated user admits them.| ✔️ |

-| [Choose co-organizers](https://support.microsoft.com/office/add-co-organizers-to-a-meeting-in-teams-0de2c31c-8207-47ff-ae2a-fc1792d466e2)| Not applicable to external users | ✔️ |

-|[Manage what attendees see](https://support.microsoft.com/office/spotlight-someone-s-video-in-a-teams-meeting-58be74a4-efac-4e89-a212-8d198182081e)|Teams organizer, co-organizer and presenter can spotlight videos for everyone. Azure Communication Services does not receive the spotlight signals. |❌|

-|[Allow mic for attendees](https://support.microsoft.com/office/manage-attendee-audio-and-video-permissions-in-teams-meetings-f9db15e1-f46f-46da-95c6-34f9f39e671a)|If external user is attendee, then this option controls whether external user can send local audio |✔️|

-|[Allow camera for attendees](https://support.microsoft.com/office/manage-attendee-audio-and-video-permissions-in-teams-meetings-f9db15e1-f46f-46da-95c6-34f9f39e671a)|If external user is attendee, then this option controls whether external user can send local video |✔️|

-| | Add and remove video stream from spotlight | ❌ |

-| | Allow video stream to be selected for spotlight | ❌ |

-| Engagement | Raise and lower hand | ❌ |

-| | Indicate other participants' raised and lowered hands | ❌ |

-| | Admit participants in the lobby into the Teams meeting | ❌ |

-| | Add and remove video stream from spotlight | ❌ |

-| | Allow video stream to be selected for spotlight | ❌ |

-| Engagement | Raise and lower hand | ❌ |

-| | Indicate other participants' raised and lowered hands | ❌ |

-## Pre-requisites

-1. A new **Problem subtype** option will appear. Select the problem subtype that most accurately describes your issue from the drop-down menu.

-If you're still unable to resolve the issue, continue creating your support request by selecting **Next**.

->[!NOTE]

-> The subnet associated with a Container App Environment requires a CIDR prefix of `/23` or larger.

-When you deploy an internal or an external environment into your own network, a new resource group prefixed with `MC_` is created in the Azure subscription where your environment is hosted. This resource group contains infrastructure components managed by the Azure Container Apps platform, and shouldn't be modified. The resource group contains Public IP addresses used specifically for outbound connectivity from your environment and a load balancer. The resource group name can be configured during container app environment creation. In addition to the [Azure Container Apps billing](./billing.md), you're billed for:

- --workload-profile-name "consumption"

-To manage your service, the initial enterprise administrator opens the [Azure portal](https://portal.azure.com/#blade/Microsoft_Azure_GTM/ModernBillingMenuBlade/AllBillingScopes) and signs in using the email address from the invitation email.

-If you've been set up as the enterprise administrator, then go to the Azure portal and sign in with your work, school, or Microsoft account email address and password.

-Make sure that you have the user's email address and preferred authentication method handy, such as a work, school, or Microsoft account.

-1. Enter the email address and other required information.

-1. Sign in to the email account associated with the work, school, or Microsoft account that was set as the account owner.

-1. Open the email notification titled _Invitation to Activate your Account on the Microsoft Azure Service_.

-1. Select the **Activate Account** link in the invitation.

-### To activate an enrollment account with a .onmicrosoft.com email account

-If you're a new EA account owner with a .onmicrosoft.com email account, you might not have a forwarding email address by default. In that situation, you might not receive the activation email. If this situation applies to you, use the following steps to activate your account ownership.

-1. After the activation process completes, copy and paste the following link to your browser. The page will open and create a subscription that's associated with your enrollment.

-1. Sign into the email account associated with the work, school, or Microsoft account that you associated in the previous procedure.

-1. Open the email notification titled _Invitation to Activate your Account on the Microsoft Azure Service_.

-If your Enterprise Agreement doesn't have a support plan and try to transfer an existing Microsoft Online Support Agreement (MOSA) subscription that has a support plan, the subscription won't automatically transfer. You'll need to repurchase a support plan for your EA enrollment during the grace period, which is by the end of the following month.

-When a user is added as an account owner, any Azure subscriptions associated with the user that are based on either the pay-as-you-go Dev/Test offer or the monthly credit offers for Visual Studio subscribers get converted to the EA Dev/Test offer. Subscriptions based on other offer types, such as pay-as-you-go, that are associated with the account owner get converted to Microsoft Azure Enterprise offers.

-The Azure sponsorship offer is a limited sponsored Microsoft Azure account. It's available by e-mail invitation only to limited customers selected by Microsoft. If you're entitled to the Microsoft Azure sponsorship offer, you'll receive an e-mail invitation to your account ID.

-An amendment signed by an enterprise, which provides them access to Azure as part of their enterprise enrollment.

-This status is assigned to an enrollment that was created within 24 hours and will be updated to a Pending status within 24 hours.

-The enrollment administrator needs to sign in to the Azure portal. Once signed in, the enrollment will switch to an Active status.

-The enrollment is Active and accounts and subscriptions can be created in the Azure portal. The enrollment will remain active until the Enterprise Agreement end date.

-The Azure EA customer is opted out of the extended term, and the Azure EA enrollment has reached the Enterprise Agreement end date. The enrollment will expire, and all associated services will be disabled.

-The new centralized Azure Hybrid Benefit experience in the Azure portal supports SQL Server license assignments at the account level or at a particular subscription level. When the assignment is created at the account level, Azure Hybrid Benefit discounts are automatically applied to SQL resources in all subscriptions in the account up to the license count specified in the assignment.

-| Enterprise Agreement | _Enterprise Administrator_<p> If you are an Enterprise admin with read-only access, youΓÇÖll need your organization to give you **full** access to assign licenses using centrally managed Azure Hybrid Benefit. <p>If you're not an Enterprise admin, you must be assigned that role by your organization (with full access). For more information about how to become a member of the role, see [Add another enterprise administrator](../manage/ea-portal-administration.md#create-another-enterprise-administrator). | - MS-AZR-0017P (Microsoft Azure Enterprise)<br>- MS-AZR-USGOV-0017P (Azure Government Enterprise) |

-| Microsoft Customer Agreement | *Billing account owner*<br> *Billing account contributor* <br> *Billing profile owner*<br> *Billing profile contributor*<br> If you don't have one of the roles above, your organization must assign one to you. For more information about how to become a member of the roles, see [Manage billing roles](../manage/understand-mca-roles.md#manage-billing-roles-in-the-azure-portal). | MS-AZR-0017G (Microsoft Azure Plan)|

-In the following procedure, you navigate from **Cost Management + Billing** to **Reservations + Hybrid Benefit**. Don't navigate to **Reservations** from the Azure home page. By doing so you won't have the necessary scope to view the license assignment experience.

- If you don't see the page and instead see the message `You are not the Billing Admin on the selected billing scope` then you don't have the required permission to assign a license. If so, you need to get the required permission. For more information, see [Prerequisites](#prerequisites).

-Review your license situation before you cancel your license assignments. When you cancel a license assignment, you no longer receive discounts for them. Consequently, your Azure bill might increase. If you cancel the last remaining license assignment, Azure Hybrid Benefit management reverts to the individual resource level.

-## Issue: The debug cluster is not available from a warm pool.

-The debug cluster is not available from a warm pool. There will be a wait time in the order of 1+ minutes.

-Currently CDC resource supports delete operations for following sink types – Azure SQL Database & Delta. To achieve this, in the column mapping page, please select **keys** column that can be used to determine if a row from the source matches a row from the sink. 

-*_Cannot insert explicit value for identity column in table 'TableName' when IDENTITY_INSERT is set to OFF._*

-Run below query to determine if you have an identity column in your SQL based target.

-To resolve this user can follow either of the steps

-### Error code: DF-Executor-ColumnUnavailable

-### Error code: DF-Executor-ParseError

-You can configure a custom DNS server and enable DNS proxy for Azure Firewall policies. You can configure these settings when you deploy the firewall or later from the **DNS settings** page.

-A DNS server maintains and resolves domain names to IP addresses. By default, Azure Firewall uses Azure DNS for name resolution. The **DNS server** setting lets you configure your own DNS servers for Azure Firewall name resolution. You can configure a single or multiple servers.

-### Configure custom DNS servers

-1. Select your firewall policy.

-2. Under **Settings**, select **DNS Settings**.

-3. Under **DNS servers**, you can type or add existing DNS servers that have been previously specified in your Virtual Network.

-4. Select **Save**.

-5. The firewall now directs DNS traffic to the specified DNS server(s) for name resolution.

-### Configure DNS proxy

-To configure DNS proxy, you must configure your virtual network DNS servers setting to use the firewall private IP address. Then, enable DNS Proxy in Azure Firewall policy **DNS settings**.

-#### Configure virtual network DNS servers

-#### Enable DNS proxy

-1. Select your Azure Firewall policy.

-2. Under **Settings**, select **DNS settings**.

-3. By default, **DNS Proxy** is disabled. When enabled, the firewall listens on port 53 and forwards DNS requests to the configured DNS servers.

-4. Review the **DNS servers** configuration to make sure that the settings are appropriate for your environment.

-5. Select **Save**.

-> This new upgrade/downgrade capability also supports the Azure Firewall Basic SKU.

-In this article, you'll learn how to use the MedTech service Mapping debugger. The Mapping debugger is a self-service tool that is used for creating, updating, and troubleshooting the MedTech service device and FHIR destination mappings. The Mapping debugger enables you to easily view and make inline adjustments in real-time, without ever having to leave the Azure portal. The Mapping debugger can also be used for uploading test device messages to see how they'll look after being processed into normalized messages and transformed into FHIR Observations.

-1. To access the MedTech service's Mapping debugger, select **Mapping debugger** within your MedTech service on the Azure portal. For this article, we'll be using a MedTech service named **mt-azuredocsdemo**. You'll select your own MedTech service. From this screen, we can see the Mapping debugger is presenting the device and FHIR destination mappings associated with this MedTech service and has provided a **Validation** of those mappings.

-1. If there are errors with the device or FHIR destination mappings, the Mapping debugger will display the issues. In this example, we can see that there are error *warnings* at **Line 12** in the **Device mapping** and at **Line 20** in the **FHIR destination mapping**.

-2. If you place your mouse cursor over an error warning, the Mapping debugger will provide you with more error information.

-3. Using the suggestions provided by the Mapping debugger, we've now fixed the error warnings and are ready to select **Save** to commit our updated device and FHIR destination mappings to the MedTech service.

-4. Once the device and FHIR destination mappings are successfully saved, you'll receive confirmation from **Notifications** within the Azure portal.

-1. The Mapping debugger gives you the ability to view sample outputs of the normalization and FHIR transformation processes by supplying a test device message. Select **Upload** and **Test device message**.

-2. The **Select a file** box will open. For this example, we'll select **Enter manually**.

-4. Once a conforming test device message is uploaded, the **View normalized message** and **View FHIR observation** buttons will become available so that you may view the sample outputs of the normalization and FHIR transformation processes. These sample outputs can be used to validate your device and FHIR destination mappings are properly configured for processing events according to your requirement.

-In this article, you learned about how to use the Mapping debugger to edit/troubleshoot the MedTech service device and FHIR destination mappings and view normalized message and FHIR Observation from a test device message.

- 1. Confirm that **Auto Check Updates** and **Auto Update** are selected.

-By default, the following settings are enabled and set for the Azure Logic Apps (Standard) extension:

-* **Azure Logic Apps Standard: Project Runtime**, which is set to version **~3**

- > [!NOTE]

- > This version is required to use the [Inline Code Operations actions](../logic-apps/logic-apps-add-run-inline-code.md).

-* **Azure Logic Apps Standard: Experimental View Manager**, which enables the latest designer in Visual Studio Code. If you experience problems on the designer, such as dragging and dropping items, turn off this setting.

-To find and confirm these settings, follow these steps:

-1. On the **File** menu, go to **Preferences** **>** **Settings**.

-1. On the **User** tab, go to **>** **Extensions** **>** **Azure Logic Apps (Standard)**.

- For example, you can find the **Azure Logic Apps Standard: Project Runtime** setting here or use the search box to find other settings:

- 

-> MLflow models don't require a scoring script as it is autogenerated for you. For more details about how batch endpoints work with MLflow models, see the dedicated tutorial [Using MLflow models in batch deployments](how-to-mlflow-batch.md). If you want to change the default inference routine, write an scoring script for your MLflow models as explained at [Using MLflow models with a scoring script](how-to-mlflow-batch.md#customizing-mlflow-models-deployments-with-a-scoring-script).

-The scoring script is a Python file (`.py`) that contains the logic about how to run the model and read the input data submitted by the batch deployment executor driver. Each model deployment has to provide a scoring script, however, an endpoint may host multiple deployments using different scoring script versions.

-> Use __arrays__ when you need to output a single prediction. Use __pandas DataFrames__ when you need to return multiple pieces of information. For instance, for tabular data, you may want to append your predictions to the original record. Use a pandas DataFrame for this case. For file datasets, __we still recommend to output a pandas DataFrame__ as they provide a more robust approach to read the results.

->

-> Although pandas DataFrame may contain column names, they are not included in the output file. If needed, please see [Customize outputs in batch deployments](how-to-deploy-model-custom-output.md).

-When authoring scoring scripts, the environment variable `AZUREML_MODEL_DIR` is typically used in the `init()` function to load the model. However, some models may contain its files inside of a folder. When reading the files in this variable, you may need to account for that. You can identify the folder where your MLflow model is placed as follows:

-from azure.ai.ml.entities import ComputeInstance, AmlCompute, ComputeSchedules, ComputeStartStopSchedule, RecurrencePattern, RecurrenceTrigger

-from dateutil import tz

-import datetime

-# Enter details of your Azure Machine Learning workspace

-subscription_id = "<guid>"

-resource_group = "sample-rg"

-workspace = "sample-ws"

-ci_minimal_name = "sampleCI"

-mytz = tz.gettz("Asia/Kolkata")

-now = datetime.datetime.now(tz = mytz)

-starttime = now + datetime.timedelta(minutes=25)

-triggers = RecurrenceTrigger(frequency="day", interval=1, schedule=RecurrencePattern(hours=17, minutes=30))

-myschedule = ComputeStartStopSchedule(start_time=starttime, time_zone=TimeZone.INDIA_STANDARD_TIME, trigger=triggers, action="Stop")

-ci_minimal = ComputeInstance(name=ci_minimal_name, schedules=com_sch)

-ml_client.begin_create_or_update(ci_minimal)

-> [!Note]

-> Currently the discovery of ASP.NET web apps is only available with appliance used for discovery of servers running in your VMware enviornment. These feature is not available for servers running in your Hyper-V enviornment and for physical servers or servers running on other clouds like AWS, GCP etc.

-# Major Version Upgrade with PostgreSQL Flexible Server Preview

-# Query Performance Insight (Preview)

-> The **Query Store data is not being transmitted to the log analytics workspace**. The PostgreSQL logs (Sessions data / Query Store Runtime / Query Store Wait Statistics) is not being sent to the log analytics workspace, which is necessary to use Query Performance Insight . To configure the logging settings for category PostgreSQL sessions and send the data to a log analytics workspace.

-| [Oracle to Azure PostgreSQL migration cookbook](https://github.com/Microsoft/DataMigrationTeam/blob/master/Whitepapers/Oracle%20to%20Azure%20PostgreSQL%20Migration%20Cookbook.pdf) | This document helps architects, consultants, database administrators, and related roles quickly migrate workloads from Oracle to Azure Database for PostgreSQL by using ora2pg. |

-The following table contains the ports you need to open for Azure Private 5G Core local access. This includes local management access and control plane signaling.

-The following table contains the ports you need to open for Azure Private 5G Core local access. This includes local management access and control plane signaling.

-You must set these up in addition to the [ports required for Azure Stack Edge (ASE)](../databox-online/azure-stack-edge-gpu-system-requirements.md#networking-port-requirements).

-| 5. | Configure the network for your Azure Stack Edge Pro 2 device. When carrying out the *Enable compute network* step of this procedure, ensure you use the port you've connected to your management network. </br></br>**Do not** configure virtual switches, virtual networks or compute IPs.| [Tutorial: Configure network for Azure Stack Edge Pro 2](/azure/databox-online/azure-stack-edge-pro-2-deploy-configure-network-compute-web-proxy?pivots=single-node.md)|

-| 7. | Configure certificates and configure encryption-at-rest for your Azure Stack Edge Pro 2 device. After changing the certificates, you may have to reopen the local UI in a new browser window to prevent the old cached certificates from causing problems.| [Tutorial: Configure certificates for your Azure Stack Edge Pro 2](/azure/databox-online/azure-stack-edge-pro-2-deploy-configure-certificates) |

-| 5. | Configure the network for your Azure Stack Edge Pro device. When carrying out the *Enable compute network* step of this procedure, ensure you use the port you've connected to your management network. </br></br>**Do not** configure virtual switches, virtual networks or compute IPs.</br></br> In addition, you can configure your Azure Stack Edge Pro device to run behind a web proxy. | [Tutorial: Configure network for Azure Stack Edge Pro with GPU](/azure/databox-online/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy?pivots=single-node.md) </br></br> [(Optionally) Configure web proxy for Azure Stack Edge Pro](/azure/databox-online/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy?pivots=single-node#configure-web-proxy)|

-| Azure API Management (Microsoft.ApiManagement/service) / gateway | privatelink.azure-api.net </br> privatelink.developer.azure-api.net | azure-api.net </br> developer.azure-api.net |

-# Available metadata

-As shown in the following image, it's possible to apply classifications at both the asset level and the schema level for the *Customers* table in Azure SQL Database.

-# Connect to and manage Azure Arc-enabled SQL Server in Microsoft Purview (public preview)

-| [Yes](#register) | [Yes](#scan) | [Yes](#scan) | [Yes](#scan) | [Yes](#scan) | [Yes - GA](#access-policy) | Limited** | No |

-Person's Gender machine learning model has been trained using US Census data and other public data sources in English language.

-$vnetInfo = Get-AzVirtualNetwork -Name myVirtualNetwork

-The ΓÇ£your_nva_ipΓÇ¥ is the virtual network IP assigned to the NVA. The ΓÇ£your_nva_asnΓÇ¥ is the Autonomous System Number (ASN) configured in the NVA. The ASN can be any 16-bit number other than the ones in the range of 65515-65520. This range of ASNs are reserved by Microsoft.

- PeerName = 'myNVA"

- PeerIp = '192.168.0.1'

- PeerAsn = '65501'

-The output will look like the following:

-# Tutorial: Get started with Jupyter notebooks and MSTICPy in Microsoft Sentinel

-This tutorial describes how to run the **Getting Started Guide For Microsoft Sentinel ML Notebooks** notebook, which sets up basic configurations for running Jupyter notebooks in Microsoft Sentinel and running simple data queries.

-The steps in this tutorial describe how to run the **Getting Started Guide for Microsoft Sentinel ML Notebooks** notebook in your Azure ML workspace via Microsoft Sentinel. You can also use this tutorial as guidance for performing similar steps to run notebooks in other environments, including locally.

-> If you use the notebook described in this tutorial in another Jupyter environment, you can use any kernel that supports Python 3.6 or later.

-# Tutorial: Create a Power BI report from Microsoft Sentinel data

-In this tutorial, you:

-> This tutorial provides a scenario-based procedure for a top customer ask: viewing analysis reports in PowerBI for your Microsoft Sentinel data. For more information, see [Connect data sources](connect-data-sources.md) and [Visualize collected data](get-visibility.md).

-To complete this tutorial, you need:

- You can also find more information from the application log by using the Azure CLI [az spring app logs](/cli/azure/spring/app#az-spring-app-logs) command.

-# [.NET v12 SDK](#tab/dotnet)

-# [.NET v11 SDK](#tab/dotnetv11)

-```csharp

-public void DemonstrateOptimisticConcurrencyBlob(string containerName, string blobName)

-{

- Console.WriteLine("Demonstrate optimistic concurrency");

- // Parse connection string and create container.

- CloudStorageAccount storageAccount = CloudStorageAccount.Parse(ConnectionString);

- CloudBlobClient blobClient = storageAccount.CreateCloudBlobClient();

- CloudBlobContainer container = blobClient.GetContainerReference(containerName);

- container.CreateIfNotExists();

- // Create test blob. The default strategy is last writer wins, so

- // write operation will overwrite existing blob if present.

- CloudBlockBlob blockBlob = container.GetBlockBlobReference(blobName);

- blockBlob.UploadText("Hello World!");

- // Retrieve the ETag from the newly created blob.

- string originalETag = blockBlob.Properties.ETag;

- Console.WriteLine("Blob added. Original ETag = {0}", originalETag);

- /// This code simulates an update by another client.

- string helloText = "Blob updated by another client.";

- // No ETag was provided, so original blob is overwritten and ETag updated.

- blockBlob.UploadText(helloText);

- Console.WriteLine("Blob updated. Updated ETag = {0}", blockBlob.Properties.ETag);

- // Now try to update the blob using the original ETag value.

- try

- {

- Console.WriteLine(@"Attempt to update blob using original ETag

- to generate if-match access condition");

- blockBlob.UploadText(helloText, accessCondition: AccessCondition.GenerateIfMatchCondition(originalETag));

- }

- catch (StorageException ex)

- {

- if (ex.RequestInformation.HttpStatusCode == (int)HttpStatusCode.PreconditionFailed)

- {

- Console.WriteLine(@"Precondition failure as expected.

- Blob's ETag does not match.");

- }

- else

- {

- throw;

- }

- }

- Console.WriteLine();

-}

-```

-# [.NET v12 SDK](#tab/dotnet)

-# [.NET v11 SDK](#tab/dotnetv11)

-```csharp

-public void DemonstratePessimisticConcurrencyBlob(string containerName, string blobName)

-{

- Console.WriteLine("Demonstrate pessimistic concurrency");

- // Parse connection string and create container.

- CloudStorageAccount storageAccount = CloudStorageAccount.Parse(ConnectionString);

- CloudBlobClient blobClient = storageAccount.CreateCloudBlobClient();

- CloudBlobContainer container = blobClient.GetContainerReference(containerName);

- container.CreateIfNotExists();

- CloudBlockBlob blockBlob = container.GetBlockBlobReference(blobName);

- blockBlob.UploadText("Hello World!");

- Console.WriteLine("Blob added.");

- // Acquire lease for 15 seconds.

- string lease = blockBlob.AcquireLease(TimeSpan.FromSeconds(15), null);

- Console.WriteLine("Blob lease acquired. Lease = {0}", lease);

- // Update blob using lease. This operation should succeed.

- const string helloText = "Blob updated";

- var accessCondition = AccessCondition.GenerateLeaseCondition(lease);

- blockBlob.UploadText(helloText, accessCondition: accessCondition);

- Console.WriteLine("Blob updated using an exclusive lease");

- // Simulate another client attempting to update to blob without providing lease.

- try

- {

- // Operation will fail as no valid lease was provided.

- Console.WriteLine("Now try to update blob without valid lease.");

- blockBlob.UploadText("Update operation will fail without lease.");

- }

- catch (StorageException ex)

- {

- if (ex.RequestInformation.HttpStatusCode == (int)HttpStatusCode.PreconditionFailed)

- {

- Console.WriteLine(@"Precondition failure error as expected.

- Blob lease not provided.");

- }

- else

- {

- throw;

- }

- }

- // Release lease proactively.

- blockBlob.ReleaseLease(accessCondition);

- Console.WriteLine();

-}

-```

-### [.NET v12 SDK](#tab/dotnet)

-### [.NET v11 SDK](#tab/dotnetv11)

-To create a service SAS for a container, call the [CloudBlobContainer.GetSharedAccessSignature](/dotnet/api/microsoft.azure.storage.blob.cloudblobcontainer.getsharedaccesssignature) method.

-```csharp

-private static string GetContainerSasUri(CloudBlobContainer container,

- string storedPolicyName = null)

-{

- string sasContainerToken;

- // If no stored policy is specified, create a new access policy and define its constraints.

- if (storedPolicyName == null)

- {

- // Note that the SharedAccessBlobPolicy class is used both to define

- // the parameters of an ad hoc SAS, and to construct a shared access policy

- // that is saved to the container's shared access policies.

- SharedAccessBlobPolicy adHocPolicy = new SharedAccessBlobPolicy()

- {

- // When the start time for the SAS is omitted, the start time is assumed

- // to be the time when the storage service receives the request. Omitting

- // the start time for a SAS that is effective immediately helps to avoid clock skew.

- SharedAccessExpiryTime = DateTime.UtcNow.AddHours(24),

- Permissions = SharedAccessBlobPermissions.Write | SharedAccessBlobPermissions.List

- };

- // Generate the shared access signature on the container,

- // setting the constraints directly on the signature.

- sasContainerToken = container.GetSharedAccessSignature(adHocPolicy, null);

- Console.WriteLine("SAS for blob container (ad hoc): {0}", sasContainerToken);

- Console.WriteLine();

- }

- else

- {

- // Generate the shared access signature on the container. In this case,

- // all of the constraints for the shared access signature are specified

- // on the stored access policy, which is provided by name. It is also possible

- // to specify some constraints on an ad hoc SAS and others on the stored access policy.

- sasContainerToken = container.GetSharedAccessSignature(null, storedPolicyName);

- Console.WriteLine("SAS for container (stored access policy): {0}", sasContainerToken);

- Console.WriteLine();

- }

- // Return the URI string for the container, including the SAS token.

- return container.Uri + sasContainerToken;

-}

-```

-# [.NET v12 SDK](#tab/dotnet)

-# [.NET v11 SDK](#tab/dotnetv11)

-To create a service SAS for a blob, call the [CloudBlob.GetSharedAccessSignature](/dotnet/api/microsoft.azure.storage.blob.cloudblob.getsharedaccesssignature) method.

-```csharp

-private static string GetBlobSasUri(CloudBlobContainer container,

- string blobName,

- string policyName = null)

-{

- string sasBlobToken;

- // Get a reference to a blob within the container.

- // Note that the blob may not exist yet, but a SAS can still be created for it.

- CloudBlockBlob blob = container.GetBlockBlobReference(blobName);

- if (policyName == null)

- {

- // Create a new access policy and define its constraints.

- // Note that the SharedAccessBlobPolicy class is used both to define the parameters

- // of an ad hoc SAS, and to construct a shared access policy that is saved to

- // the container's shared access policies.

- SharedAccessBlobPolicy adHocSAS = new SharedAccessBlobPolicy()

- {

- // When the start time for the SAS is omitted, the start time is assumed to be

- // the time when the storage service receives the request. Omitting the start time

- // for a SAS that is effective immediately helps to avoid clock skew.

- SharedAccessExpiryTime = DateTime.UtcNow.AddHours(24),

- Permissions = SharedAccessBlobPermissions.Read |

- SharedAccessBlobPermissions.Write |

- SharedAccessBlobPermissions.Create

- };

- // Generate the shared access signature on the blob,

- // setting the constraints directly on the signature.

- sasBlobToken = blob.GetSharedAccessSignature(adHocSAS);

- Console.WriteLine("SAS for blob (ad hoc): {0}", sasBlobToken);

- Console.WriteLine();

- }

- else

- {

- // Generate the shared access signature on the blob. In this case, all of the constraints

- // for the SAS are specified on the container's stored access policy.

- sasBlobToken = blob.GetSharedAccessSignature(null, policyName);

- Console.WriteLine("SAS for blob (stored access policy): {0}", sasBlobToken);

- Console.WriteLine();

- }

- // Return the URI string for the container, including the SAS token.

- return blob.Uri + sasBlobToken;

-}

-```

-The following example shows how to create a service SAS for a directory with the v12 client library for .NET:

-# [.NET v12 SDK](#tab/dotnet)

-To create a snapshot of a block blob using version 12.x of the Azure Storage client library for .NET, use one of the following methods:

-The following code example shows how to create a snapshot with version 12.x. Include a reference to the [Azure.Identity](https://www.nuget.org/packages/azure.identity) library to use your Azure AD credentials to authorize requests to the service. For more information about using the [DefaultAzureCredential](/dotnet/api/azure.identity.defaultazurecredential) class to authorize a managed identity to access Azure Storage, see [Azure Identity client library for .NET](/dotnet/api/overview/azure/identity-readme).

-# [.NET v11 SDK](#tab/dotnet11)

-To create a snapshot of a block blob using version 11.x of the Azure Storage client library for .NET, use one of the following methods:

-The following code example shows how to create a snapshot with version 11.x. This example specifies additional metadata for the snapshot when it is created.

-```csharp

-private static async Task CreateBlockBlobSnapshot(CloudBlobContainer container)

-{

- // Create a new block blob in the container.

- CloudBlockBlob baseBlob = container.GetBlockBlobReference("sample-base-blob.txt");

- // Add blob metadata.

- baseBlob.Metadata.Add("ApproxBlobCreatedDate", DateTime.UtcNow.ToString());

- try

- {

- // Upload the blob to create it, with its metadata.

- await baseBlob.UploadTextAsync(string.Format("Base blob: {0}", baseBlob.Uri.ToString()));

- // Sleep 5 seconds.

- System.Threading.Thread.Sleep(5000);

- // Create a snapshot of the base blob.

- // You can specify metadata at the time that the snapshot is created.

- // If no metadata is specified, then the blob's metadata is copied to the snapshot.

- Dictionary<string, string> metadata = new Dictionary<string, string>();

- metadata.Add("ApproxSnapshotCreatedDate", DateTime.UtcNow.ToString());

- await baseBlob.CreateSnapshotAsync(metadata, null, null, null);

- Console.WriteLine(snapshot.SnapshotQualifiedStorageUri.PrimaryUri);

- }

- catch (StorageException e)

- {

- Console.WriteLine(e.Message);

- Console.ReadLine();

- throw;

- }

-}

-```

-# [.NET v12 SDK](#tab/dotnet)

-To delete a blob and its snapshots using version 12.x of the Azure Storage client library for .NET, use one of the following methods, and include the [DeleteSnapshotsOption](/dotnet/api/azure.storage.blobs.models.deletesnapshotsoption) enum:

-The following code example shows how to delete a blob and its snapshots in .NET, where `blobClient` is an object of type [BlobClient](/dotnet/api/azure.storage.blobs.blobclient)):

-# [.NET v11 SDK](#tab/dotnet11)

-To delete a blob and its snapshots using version 11.x of the Azure Storage client library for .NET, use one of the following blob deletion methods, and include the [DeleteSnapshotsOption](/dotnet/api/microsoft.azure.storage.blob.deletesnapshotsoption) enum:

-The following code example shows how to delete a blob and its snapshots in .NET, where `blockBlob` is an object of type [CloudBlockBlob][dotnet_CloudBlockBlob]:

-```csharp

-await blockBlob.DeleteIfExistsAsync(DeleteSnapshotsOption.IncludeSnapshots, null, null, null);

-```

-# [.NET v12 SDK](#tab/dotnet)

-# [.NET v11 SDK](#tab/dotnet11)

-To create a page blob, we first create a **CloudBlobClient** object, with the base URI for accessing the blob storage for your storage account (*pbaccount* in figure 1) along with the **StorageCredentialsAccountAndKey** object, as shown in the following example. The example then shows creating a reference to a **CloudBlobContainer** object, and then creating the container (*testvhds*) if it doesn't already exist. Then using the **CloudBlobContainer** object, create a reference to a **CloudPageBlob** object by specifying the page blob name (os4.vhd) to access. To create the page blob, call [CloudPageBlob.Create](/dotnet/api/microsoft.azure.storage.blob.cloudpageblob.create), passing in the max size for the blob to create. The *blobSize* must be a multiple of 512 bytes.

-```csharp

-using Microsoft.Azure;

-using Microsoft.Azure.Storage;

-using Microsoft.Azure.Storage.Blob;

-long OneGigabyteAsBytes = 1024 * 1024 * 1024;

-// Retrieve storage account from connection string.

-CloudStorageAccount storageAccount = CloudStorageAccount.Parse(

- CloudConfigurationManager.GetSetting("StorageConnectionString"));

-// Create the blob client.

-CloudBlobClient blobClient = storageAccount.CreateCloudBlobClient();

-// Retrieve a reference to a container.

-CloudBlobContainer container = blobClient.GetContainerReference("testvhds");

-// Create the container if it doesn't already exist.

-container.CreateIfNotExists();

-CloudPageBlob pageBlob = container.GetPageBlobReference("os4.vhd");

-pageBlob.Create(16 * OneGigabyteAsBytes);

-```

-# [.NET v12 SDK](#tab/dotnet)

-# [.NET v11 SDK](#tab/dotnet11)

-To resize a page blob after creation, use the [Resize](/dotnet/api/microsoft.azure.storage.blob.cloudpageblob.resize) method. The requested size should be a multiple of 512 bytes.

-```csharp

-pageBlob.Resize(32 * OneGigabyteAsBytes);

-```

-# [.NET v12 SDK](#tab/dotnet)

-# [.NET v11 SDK](#tab/dotnet11)

-To write pages, use the [CloudPageBlob.WritePages](/dotnet/api/microsoft.azure.storage.blob.cloudpageblob.beginwritepages) method.

-```csharp

-pageBlob.WritePages(dataStream, startingOffset);

-```

-# [.NET v12 SDK](#tab/dotnet)

-# [.NET v11 SDK](#tab/dotnet11)

-To read pages, use the [CloudPageBlob.DownloadRangeToByteArray](/dotnet/api/microsoft.azure.storage.blob.icloudblob.downloadrangetobytearray) method to read a range of bytes from the page blob.

-```csharp

-byte[] buffer = new byte[rangeSize];

-pageBlob.DownloadRangeToByteArray(buffer, bufferOffset, pageBlobOffset, rangeSize);

-```

-# [.NET v12 SDK](#tab/dotnet)

-# [.NET v11 SDK](#tab/dotnet11)

-To determine which pages are backed by data, use [CloudPageBlob.GetPageRanges](/dotnet/api/microsoft.azure.storage.blob.cloudpageblob.getpageranges). You can then enumerate the returned ranges and download the data in each range.

-```csharp

-IEnumerable<PageRange> pageRanges = pageBlob.GetPageRanges();

-foreach (PageRange range in pageRanges)

-{

- // Calculate the range size

- int rangeSize = (int)(range.EndOffset + 1 - range.StartOffset);

- byte[] buffer = new byte[rangeSize];

- // Read from the correct starting offset in the page blob and

- // place the data in the bufferOffset of the buffer byte array

- pageBlob.DownloadRangeToByteArray(buffer, bufferOffset, range.StartOffset, rangeSize);

- // Then use the buffer for the page range just read

-}

-```

-# [.NET v12 SDK](#tab/dotnet)

-# [.NET v11 SDK](#tab/dotnet11)

-The application reads the containers located in the storage account specified in the **storageconnectionstring**. It iterates through the blobs 10 at a time using the [ListBlobsSegmentedAsync](/dotnet/api/microsoft.azure.storage.blob.cloudblobclient.listblobssegmentedasync) method in the containers and downloads them to the local machine using the [DownloadToFileAsync](/dotnet/api/microsoft.azure.storage.blob.cloudblob.downloadtofileasync) method.

-The following table shows the [BlobRequestOptions](/dotnet/api/microsoft.azure.storage.blob.blobrequestoptions) defined for each blob as it is downloaded.

-|Property|Value|Description|

-||||

-|[DisableContentMD5Validation](/dotnet/api/microsoft.azure.storage.blob.blobrequestoptions.disablecontentmd5validation)| true| This property disables checking the MD5 hash of the content uploaded. Disabling MD5 validation produces a faster transfer. But does not confirm the validity or integrity of the files being transferred. |

-|[StoreBlobContentMD5](/dotnet/api/microsoft.azure.storage.blob.blobrequestoptions.storeblobcontentmd5)| false| This property determines if an MD5 hash is calculated and stored. |

-```csharp

-private static async Task DownloadFilesAsync()

-{

- CloudBlobClient blobClient = GetCloudBlobClient();

- // Define the BlobRequestOptions on the download, including disabling MD5

- // hash validation for this example, this improves the download speed.

- BlobRequestOptions options = new BlobRequestOptions

- {

- DisableContentMD5Validation = true,

- StoreBlobContentMD5 = false

- };

- // Retrieve the list of containers in the storage account.

- // Create a directory and configure variables for use later.

- BlobContinuationToken continuationToken = null;

- List<CloudBlobContainer> containers = new List<CloudBlobContainer>();

- do

- {

- var listingResult = await blobClient.ListContainersSegmentedAsync(continuationToken);

- continuationToken = listingResult.ContinuationToken;

- containers.AddRange(listingResult.Results);

- }

- while (continuationToken != null);

- var directory = Directory.CreateDirectory("download");

- BlobResultSegment resultSegment = null;

- Stopwatch time = Stopwatch.StartNew();

- // Download the blobs

- try

- {

- List<Task> tasks = new List<Task>();

- int max_outstanding = 100;

- int completed_count = 0;

- // Create a new instance of the SemaphoreSlim class to

- // define the number of threads to use in the application.

- SemaphoreSlim sem = new SemaphoreSlim(max_outstanding, max_outstanding);

- // Iterate through the containers

- foreach (CloudBlobContainer container in containers)

- {

- do

- {

- // Return the blobs from the container, 10 at a time.

- resultSegment = await container.ListBlobsSegmentedAsync(null, true, BlobListingDetails.All, 10, continuationToken, null, null);

- continuationToken = resultSegment.ContinuationToken;

- {

- foreach (var blobItem in resultSegment.Results)

- {

- if (((CloudBlob)blobItem).Properties.BlobType == BlobType.BlockBlob)

- {

- // Get the blob and add a task to download the blob asynchronously from the storage account.

- CloudBlockBlob blockBlob = container.GetBlockBlobReference(((CloudBlockBlob)blobItem).Name);

- Console.WriteLine("Downloading {0} from container {1}", blockBlob.Name, container.Name);

- await sem.WaitAsync();

- tasks.Add(blockBlob.DownloadToFileAsync(directory.FullName + "\\" + blockBlob.Name, FileMode.Create, null, options, null).ContinueWith((t) =>

- {

- sem.Release();

- Interlocked.Increment(ref completed_count);

- }));

- }

- }

- }

- }

- while (continuationToken != null);

- }

- // Creates an asynchronous task that completes when all the downloads complete.

- await Task.WhenAll(tasks);

- }

- catch (Exception e)

- {

- Console.WriteLine("\nError encountered during transfer: {0}", e.Message);

- }

- time.Stop();

- Console.WriteLine("Download has been completed in {0} seconds. Press any key to continue", time.Elapsed.TotalSeconds.ToString());

- Console.ReadLine();

-}

-```

-# [.NET v12 SDK](#tab/dotnet)

-# [.NET v11 SDK](#tab/dotnet11)

-The minimum and maximum number of threads are set to 100 to ensure that a large number of concurrent connections are allowed.

-```csharp

-private static async Task UploadFilesAsync()

-{

- // Create five randomly named containers to store the uploaded files.

- CloudBlobContainer[] containers = await GetRandomContainersAsync();

- var currentdir = System.IO.Directory.GetCurrentDirectory();

- // Path to the directory to upload

- string uploadPath = currentdir + "\\upload";

- // Start a timer to measure how long it takes to upload all the files.

- Stopwatch time = Stopwatch.StartNew();

- try

- {

- Console.WriteLine("Iterating in directory: {0}", uploadPath);

- int count = 0;

- int max_outstanding = 100;

- int completed_count = 0;

- // Define the BlobRequestOptions on the upload.

- // This includes defining an exponential retry policy to ensure that failed connections

- // are retried with a back off policy. As multiple large files are being uploaded using

- // large block sizes, this can cause an issue if an exponential retry policy is not defined.

- // Additionally, parallel operations are enabled with a thread count of 8.

- // This should be a multiple of the number of processor cores in the machine.

- // Lastly, MD5 hash validation is disabled for this example, improving the upload speed.

- BlobRequestOptions options = new BlobRequestOptions

- {

- ParallelOperationThreadCount = 8,

- DisableContentMD5Validation = true,

- StoreBlobContentMD5 = false

- };

- // Create a new instance of the SemaphoreSlim class to

- // define the number of threads to use in the application.

- SemaphoreSlim sem = new SemaphoreSlim(max_outstanding, max_outstanding);

- List<Task> tasks = new List<Task>();

- Console.WriteLine("Found {0} file(s)", Directory.GetFiles(uploadPath).Count());

- // Iterate through the files

- foreach (string path in Directory.GetFiles(uploadPath))

- {

- var container = containers[count % 5];

- string fileName = Path.GetFileName(path);

- Console.WriteLine("Uploading {0} to container {1}", path, container.Name);

- CloudBlockBlob blockBlob = container.GetBlockBlobReference(fileName);

- // Set the block size to 100MB.

- blockBlob.StreamWriteSizeInBytes = 100 * 1024 * 1024;

- await sem.WaitAsync();

- // Create a task for each file to upload. The tasks are

- // added to a collection and all run asynchronously.

- tasks.Add(blockBlob.UploadFromFileAsync(path, null, options, null).ContinueWith((t) =>

- {

- sem.Release();

- Interlocked.Increment(ref completed_count);

- }));

- count++;

- }

- // Run all the tasks asynchronously.

- await Task.WhenAll(tasks);

- time.Stop();

- Console.WriteLine("Upload has been completed in {0} seconds. Press any key to continue", time.Elapsed.TotalSeconds.ToString());

- Console.ReadLine();

- }

- catch (DirectoryNotFoundException ex)

- {

- Console.WriteLine("Error parsing files in the directory: {0}", ex.Message);

- }

- catch (Exception ex)

- {

- Console.WriteLine(ex.Message);

- }

-}

-```

-In addition to setting the threading and connection limit settings, the [BlobRequestOptions](/dotnet/api/microsoft.azure.storage.blob.blobrequestoptions) for the [UploadFromStreamAsync](/dotnet/api/microsoft.azure.storage.blob.cloudblockblob.uploadfromstreamasync) method are configured to use parallelism and disable MD5 hash validation. The files are uploaded in 100-mb blocks, this configuration provides better performance but can be costly if using a poorly performing network as if there is a failure the entire 100-mb block is retried.

-|Property|Value|Description|

-||||

-|[ParallelOperationThreadCount](/dotnet/api/microsoft.azure.storage.blob.blobrequestoptions.paralleloperationthreadcount)| 8| The setting breaks the blob into blocks when uploading. For highest performance, this value should be eight times the number of cores. |

-|[DisableContentMD5Validation](/dotnet/api/microsoft.azure.storage.blob.blobrequestoptions.disablecontentmd5validation)| true| This property disables checking the MD5 hash of the content uploaded. Disabling MD5 validation produces a faster transfer. But does not confirm the validity or integrity of the files being transferred. |

-|[StoreBlobContentMD5](/dotnet/api/microsoft.azure.storage.blob.blobrequestoptions.storeblobcontentmd5)| false| This property determines if an MD5 hash is calculated and stored with the file. |

-| [RetryPolicy](/dotnet/api/microsoft.azure.storage.blob.blobrequestoptions.retrypolicy)| 2-second backoff with 10 max retry |Determines the retry policy of requests. Connection failures are retried, in this example an [ExponentialRetry](/dotnet/api/microsoft.azure.batch.common.exponentialretry) policy is configured with a 2-second backoff, and a maximum retry count of 10. This setting is important when your application gets close to hitting the scalability targets for Blob storage. For more information, see [Scalability and performance targets for Blob storage](../blobs/scalability-targets.md). |

-# [.NET v12 SDK](#tab/dotnet)

-# [.NET v11 SDK](#tab/dotnet11)

- 

-# [Python v12 SDK](#tab/python)

-# [Python v2.1](#tab/python2)

-# [Node.js v12 SDK](#tab/nodejs)

-# [Node.js v11 SDK](#tab/nodejs11)

-# [.NET v12 SDK](#tab/dotnet)

-# [.NET v11 SDK](#tab/dotnet11)

-Download the [sample project](https://github.com/Azure-Samples/storage-dotnet-circuit-breaker-pattern-ha-apps-using-ra-grs/archive/master.zip), extract (unzip) the storage-dotnet-circuit-breaker-pattern-ha-apps-using-ra-grs.zip file, then navigate to the v11 folder to find the project files.

-You can also use [git](https://git-scm.com/) to download a copy of the application to your development environment. The sample project in the v11 folder contains a console application.

-```bash

-git clone https://github.com/Azure-Samples/storage-dotnet-circuit-breaker-pattern-ha-apps-using-ra-grs.git

-```

-# [Python v12 SDK](#tab/python)

-# [Python v2.1](#tab/python2)

-[Download the sample project](https://github.com/Azure-Samples/storage-python-circuit-breaker-pattern-ha-apps-using-ra-grs/archive/master.zip) and extract (unzip) the storage-python-circuit-breaker-pattern-ha-apps-using-ra-grs.zip file. You can also use [git](https://git-scm.com/) to download a copy of the application to your development environment. The sample project contains a basic Python application.

-```bash

-git clone https://github.com/Azure-Samples/storage-python-circuit-breaker-pattern-ha-apps-using-ra-grs.git

-```

-# [Node.js v12 SDK](#tab/nodejs)

-# [Node.js v11 SDK](#tab/nodejs11)

-[Download the sample project](https://github.com/Azure-Samples/storage-node-v10-ha-ra-grs) and unzip the file. You can also use [git](https://git-scm.com/) to download a copy of the application to your development environment. The sample project contains a basic Node.js application.

-```bash

-git clone https://github.com/Azure-Samples/storage-node-v10-ha-ra-grs

-```

-# [.NET v12 SDK](#tab/dotnet)

-# [.NET v11 SDK](#tab/dotnet11)

-In the application, you must provide the connection string for your storage account. You can store this connection string within an environment variable on the local machine running the application. Follow one of the examples below depending on your Operating System to create the environment variable.

-In the Azure portal, navigate to your storage account. Select **Access keys** under **Settings** in your storage account. Copy the **connection string** from the primary or secondary key. Run one of the following commands based on your operating system, replacing \<yourconnectionstring\> with your actual connection string. This command saves an environment variable to the local machine. In Windows, the environment variable isn't available until you reload the **Command Prompt** or shell you're using.

-### Linux

-```

-export storageconnectionstring=<yourconnectionstring>

-```

-### Windows

-```powershell

-setx storageconnectionstring "<yourconnectionstring>"

-```

-# [Python v12 SDK](#tab/python)

-# [Python v2.1](#tab/python2)

-In the application, you must provide your storage account credentials. You can store this information in environment variables on the local machine running the application. Follow one of the examples below depending on your Operating System to create the environment variables.

-In the Azure portal, navigate to your storage account. Select **Access keys** under **Settings** in your storage account. Paste the **Storage account name** and **Key** values into the following commands, replacing the \<youraccountname\> and \<youraccountkey\> placeholders. This command saves the environment variables to the local machine. In Windows, the environment variable isn't available until you reload the **Command Prompt** or shell you're using.

-### Linux

-```

-export accountname=<youraccountname>

-export accountkey=<youraccountkey>

-```

-### Windows

-```powershell

-setx accountname "<youraccountname>"

-setx accountkey "<youraccountkey>"

-```

-# [Node.js v12 SDK](#tab/nodejs)

-# [Node.js v11 SDK](#tab/nodejs11)

-To run this sample, you must add your storage account credentials to the `.env.example` file and then rename it to `.env`.

-```

-AZURE_STORAGE_ACCOUNT_NAME=<replace with your storage account name>

-AZURE_STORAGE_ACCOUNT_ACCESS_KEY=<replace with your storage account access key>

-```

-You can find this information in the Azure portal by navigating to your storage account and selecting **Access keys** in the **Settings** section.

-Install the required dependencies by opening a command prompt, navigating to the sample folder, then entering `npm install`.

-# [.NET v12 SDK](#tab/dotnet)

-# [.NET v11 SDK](#tab/dotnet11)

-In Visual Studio, press **F5** or select **Start** to begin debugging the application. Visual Studio automatically restores missing NuGet packages if package restore is configured, visit [Installing and reinstalling packages with package restore](/nuget/consume-packages/package-restore#package-restore-overview) to learn more.

-A console window launches and the application begins running. The application uploads the **HelloWorld.png** image from the solution to the storage account. The application checks to ensure the image has replicated to the secondary RA-GZRS endpoint. It then begins downloading the image up to 999 times. Each read is represented by a **P** or an **S**. Where **P** represents the primary endpoint and **S** represents the secondary endpoint.

-

-In the sample code, the `RunCircuitBreakerAsync` task in the `Program.cs` file is used to download an image from the storage account using the [DownloadToFileAsync](/dotnet/api/microsoft.azure.storage.blob.cloudblob.downloadtofileasync) method. Prior to the download, an [OperationContext](/dotnet/api/microsoft.azure.cosmos.table.operationcontext) is defined. The operation context defines event handlers that fire when a download completes successfully, or if a download fails and is retrying.

-# [Python v12 SDK](#tab/python)

-# [Python v2.1](#tab/python2)

-To run the application on a terminal or command prompt, go to the **circuitbreaker.py** directory, then enter `python circuitbreaker.py`. The application uploads the **HelloWorld.png** image from the solution to the storage account. The application checks to ensure the image has replicated to the secondary RA-GZRS endpoint. It then begins downloading the image up to 999 times. Each read is represented by a **P** or an **S**. Where **P** represents the primary endpoint and **S** represents the secondary endpoint.

-

-In the sample code, the `run_circuit_breaker` method in the `circuitbreaker.py` file is used to download an image from the storage account using the [get_blob_to_path](/python/api/azure-storage-blob/azure.storage.blob.baseblobservice.baseblobservice#get-blob-to-path-container-name--blob-name--file-path--open-mode--wbsnapshot-none--start-range-none--end-range-none--validate-content-false--progress-callback-none--max-connections-2--lease-id-none--if-modified-since-none--if-unmodified-since-none--if-match-none--if-none-match-none--timeout-none-) method.

-The Storage object retry function is set to a linear retry policy. The retry function determines whether to retry a request, and specifies the number of seconds to wait before retrying the request. Set the **retry\_to\_secondary** value to true, if request should be retried to secondary in case the initial request to primary fails. In the sample application, a custom retry policy is defined in the `retry_callback` function of the storage object.

-Before the download, the Service object [retry_callback](/python/api/azure-storage-common/azure.storage.common.storageclient.storageclient) and [response_callback](/python/api/azure-storage-common/azure.storage.common.storageclient.storageclient) function is defined. These functions define event handlers that fire when a download completes successfully or if a download fails and is retrying.

-# [Node.js v12 SDK](#tab/nodejs)

-# [Node.js v11 SDK](#tab/nodejs11)

-To run the sample, open a command prompt, navigate to the sample folder, then enter `node index.js`.

-The sample creates a container in your Blob storage account, uploads **HelloWorld.png** into the container, then repeatedly checks whether the container and image have replicated to the secondary region. After replication, it prompts you to enter **D** or **Q** (followed by ENTER) to download or quit. Your output should look similar to the following example:

-```

-Created container successfully: newcontainer1550799840726

-Uploaded blob: HelloWorld.png

-Checking to see if container and blob have replicated to secondary region.

-[0] Container has not replicated to secondary region yet: newcontainer1550799840726 : ContainerNotFound

-[1] Container has not replicated to secondary region yet: newcontainer1550799840726 : ContainerNotFound

-...

-[31] Container has not replicated to secondary region yet: newcontainer1550799840726 : ContainerNotFound

-[32] Container found, but blob has not replicated to secondary region yet.

-...

-[67] Container found, but blob has not replicated to secondary region yet.

-[68] Blob has replicated to secondary region.

-Ready for blob download. Enter (D) to download or (Q) to quit, followed by ENTER.

-> D

-Attempting to download blob...

-Blob downloaded from primary endpoint.

-> Q

-Exiting...

-Deleted container newcontainer1550799840726

-```

-# [.NET v12 SDK](#tab/dotnet)

-# [.NET v11 SDK](#tab/dotnet11)

-### Retry event handler

-The `OperationContextRetrying` event handler is called when the download of the image fails and is set to retry. If the maximum number of retries defined in the application are reached, the [LocationMode](/dotnet/api/microsoft.azure.storage.blob.blobrequestoptions.locationmode) of the request is changed to `SecondaryOnly`. This setting forces the application to attempt to download the image from the secondary endpoint. This configuration reduces the time taken to request the image as the primary endpoint isn't retried indefinitely.

-```csharp

-private static void OperationContextRetrying(object sender, RequestEventArgs e)

-{

- retryCount++;

- Console.WriteLine("Retrying event because of failure reading the primary. RetryCount = " + retryCount);

- // Check if we have had more than n retries in which case switch to secondary.

- if (retryCount >= retryThreshold)

- {

- // Check to see if we can fail over to secondary.

- if (blobClient.DefaultRequestOptions.LocationMode != LocationMode.SecondaryOnly)

- {

- blobClient.DefaultRequestOptions.LocationMode = LocationMode.SecondaryOnly;

- retryCount = 0;

- }

- else

- {

- throw new ApplicationException("Both primary and secondary are unreachable. Check your application's network connection. ");

- }

- }

-}

-```

-### Request completed event handler

-The `OperationContextRequestCompleted` event handler is called when the download of the image is successful. If the application is using the secondary endpoint, the application continues to use this endpoint up to 20 times. After 20 times, the application sets the [LocationMode](/dotnet/api/microsoft.azure.storage.blob.blobrequestoptions.locationmode) back to `PrimaryThenSecondary` and retries the primary endpoint. If a request is successful, the application continues to read from the primary endpoint.

-```csharp

-private static void OperationContextRequestCompleted(object sender, RequestEventArgs e)

-{

- if (blobClient.DefaultRequestOptions.LocationMode == LocationMode.SecondaryOnly)

- {

- // You're reading the secondary. Let it read the secondary [secondaryThreshold] times,

- // then switch back to the primary and see if it's available now.

- secondaryReadCount++;

- if (secondaryReadCount >= secondaryThreshold)

- {

- blobClient.DefaultRequestOptions.LocationMode = LocationMode.PrimaryThenSecondary;

- secondaryReadCount = 0;

- }

- }

-}

-```

-# [Python v12 SDK](#tab/python)

-# [Python v2.1](#tab/python2)

-### Retry event handler

-The `retry_callback` event handler is called when the download of the image fails and is set to retry. If the maximum number of retries defined in the application are reached, the [LocationMode](/python/api/azure-storage-common/azure.storage.common.models.locationmode) of the request is changed to `SECONDARY`. This setting forces the application to attempt to download the image from the secondary endpoint. This configuration reduces the time taken to request the image as the primary endpoint isn't retried indefinitely.

-```python

-def retry_callback(retry_context):

- global retry_count

- retry_count = retry_context.count

- sys.stdout.write(

- "\nRetrying event because of failure reading the primary. RetryCount= {0}".format(retry_count))

- sys.stdout.flush()

- # Check if we have more than n-retries in which case switch to secondary

- if retry_count >= retry_threshold:

- # Check to see if we can fail over to secondary.

- if blob_client.location_mode != LocationMode.SECONDARY:

- blob_client.location_mode = LocationMode.SECONDARY

- retry_count = 0

- else:

- raise Exception("Both primary and secondary are unreachable. "

- "Check your application's network connection.")

-```

-### Request completed event handler

-The `response_callback` event handler is called when the download of the image is successful. If the application is using the secondary endpoint, the application continues to use this endpoint up to 20 times. After 20 times, the application sets the [LocationMode](/python/api/azure-storage-common/azure.storage.common.models.locationmode) back to `PRIMARY` and retries the primary endpoint. If a request is successful, the application continues to read from the primary endpoint.

-```python

-def response_callback(response):

- global secondary_read_count

- if blob_client.location_mode == LocationMode.SECONDARY:

- # You're reading the secondary. Let it read the secondary [secondaryThreshold] times,

- # then switch back to the primary and see if it is available now.

- secondary_read_count += 1

- if secondary_read_count >= secondary_threshold:

- blob_client.location_mode = LocationMode.PRIMARY

- secondary_read_count = 0

-```

-# [Node.js v12 SDK](#tab/nodejs)

-# [Node.js v11 SDK](#tab/nodejs11)

-With the Node.js V10 SDK, callback handlers are unnecessary. Instead, the sample creates a pipeline configured with retry options and a secondary endpoint. This configuration allows the application to automatically switch to the secondary pipeline if it fails to reach your data through the primary pipeline.

-```javascript

-const accountName = process.env.AZURE_STORAGE_ACCOUNT_NAME;

-const storageAccessKey = process.env.AZURE_STORAGE_ACCOUNT_ACCESS_KEY;

-const sharedKeyCredential = new SharedKeyCredential(accountName, storageAccessKey);

-const primaryAccountURL = `https://${accountName}.blob.core.windows.net`;

-const secondaryAccountURL = `https://${accountName}-secondary.blob.core.windows.net`;

-const pipeline = StorageURL.newPipeline(sharedKeyCredential, {

- retryOptions: {

- maxTries: 3,

- tryTimeoutInMs: 10000,

- retryDelayInMs: 500,

- maxRetryDelayInMs: 1000,

- secondaryHost: secondaryAccountURL

- }

-});

-```

-## What resources are available for this migration?

-## What actions should I take?

-To migrate your classic storage accounts, you should:

-1. Identify all classic storage accounts in your subscription.

-1. Migrate any classic storage accounts to Azure Resource Manager.

-1. Check your applications and logs to determine whether you are dynamically creating, updating, or deleting classic storage accounts from your code, scripts, or templates. If you are, then you need to update your applications to use Azure Resource Manager accounts instead.

-For step-by-step instructions, see [How to migrate your classic storage accounts to Azure Resource Manager](classic-account-migrate.md).

-The data plane is unaffected by migration from the classic deployment model to the Azure Resource Manager model. The data in your migrated storage account will be identical to the data in the original storage account.

-1. **Prepare**. In the Prepare phase, Azure creates a new general-purpose v1 storage account and alerts you to any problems that may have occurred. The new account is created in a new resource group in the same region as your classic account. All of your data has been migrated to the new account.

- At this point your classic storage account still exists and contains all of your data. If there are any problems reported, you can correct them or abort the process.

-The Validation step does not check for virtual machine (VM) disks that may be associated with the storage account. You must check your storage accounts manually to determine whether they support VM disks.

-If the storage account is capable of migration, Azure blocks management plane operations for the storage account under migration. For example, you cannot regenerate the storage account keys while the Prepare phase is underway. Azure then creates a new resource group as the classic storage account. The name of the new resource group follows the pattern `<classic-account-name>-Migrated`.

-Finally, Azure migrates the storage account and all of its data and configurations to a new storage account in Azure Resource Manager in the same region as the classic storage account. At this point your classic storage account still exists and contains all of your data. If there are any problems reported during the Prepare step, you can correct them or abort the process.

-There is no set window of time before which you need to commit or abort the migration. You can take as much time as you need for the Check phase. However, management plane operations are blocked for the classic storage account until you either abort or commit.

-After the migration is complete, your new storage account is ready for use. You can resume write operations at this point to the storage account.

-### [.NET v12 SDK](#tab/dotnet)

-### [.NET v11 SDK](#tab/dotnet11)

-```csharp

-var storageAccount = CloudStorageAccount.Parse(connStr);

-var queueClient = storageAccount.CreateCloudQueueClient();

-var serviceProperties = queueClient.GetServiceProperties();

-serviceProperties.Logging.LoggingOperations = LoggingOperations.All;

-serviceProperties.Logging.RetentionDays = 2;

-queueClient.SetServiceProperties(serviceProperties);

-```

-### [.NET v12 SDK](#tab/dotnet)

-### [.NET v11 SDK](#tab/dotnet11)

-The following example prints to the console the retention period for blob and queue storage services.

-```csharp

-var storageAccount = CloudStorageAccount.Parse(connectionString);

-var blobClient = storageAccount.CreateCloudBlobClient();

-var queueClient = storageAccount.CreateCloudQueueClient();

-var blobserviceProperties = blobClient.GetServiceProperties();

-var queueserviceProperties = queueClient.GetServiceProperties();

-Console.WriteLine("Retention period for logs from the blob service is: " +

- blobserviceProperties.Logging.RetentionDays.ToString());

-Console.WriteLine("Retention period for logs from the queue service is: " +

- queueserviceProperties.Logging.RetentionDays.ToString());

-```

-The following example changes the retention period for logs for the blob and queue storage services to 4 days.

-```csharp

-blobserviceProperties.Logging.RetentionDays = 4;

-queueserviceProperties.Logging.RetentionDays = 4;

-blobClient.SetServiceProperties(blobserviceProperties);

-queueClient.SetServiceProperties(queueserviceProperties);

-```

-### [.NET v12 SDK](#tab/dotnet)

-### [.NET v11 SDK](#tab/dotnet11)

-```csharp

-var storageAccount = CloudStorageAccount.Parse(connStr);

-var queueClient = storageAccount.CreateCloudQueueClient();

-var serviceProperties = queueClient.GetServiceProperties();

-serviceProperties.HourMetrics.MetricsLevel = MetricsLevel.Service;

-serviceProperties.HourMetrics.RetentionDays = 10;

-queueClient.SetServiceProperties(serviceProperties);

-```

-For more information about using a .NET language to configure storage metrics, see [Azure Storage client libraries for .NET](/dotnet/api/overview/azure/storage).

-For general information about configuring storage metrics by using the REST API, see [Enabling and configuring Storage Analytics](/rest/api/storageservices/Enabling-and-Configuring-Storage-Analytics).

-Application requests to Azure Storage must be authenticated using either account access keys or passwordless connections. However, you should prioritize passwordless connections in your applications when possible. Traditional authentication methods that use passwords or secret keys create additional security risks and complications. Visit the [passwordless connections for Azure services](/azure/developer/intro/passwordless-overview) hub to learn more about the advantages of moving to passwordless connections.

-Next you need to update your code to use passwordless connections.

-1. To use `DefaultAzureCredential` in a .NET application, add the **Azure.Identity** NuGet package to your application.

-1. At the top of your `Program.cs` file, add the following `using` statement:

-1. Identify the locations in your code that currently create a `BlobServiceClient` to connect to Azure Storage. This task is often handled in `Program.cs`, potentially as part of your service registration with the .NET dependency injection container. Update your code to match the following example:

- // TODO: Update <storage-account-name> placeholder to your account name

- new DefaultAzureCredential());

-1. Make sure to update the storage account name in the URI of your `BlobServiceClient`. You can find the storage account name on the overview page of the Azure portal.

- :::image type="content" source="../blobs/media/storage-quickstart-blobs-dotnet/storage-account-name.png" alt-text="Screenshot showing how to find the storage account name.":::

-* Azure Kubernetes Service.

-You need to configure your application code to look for the specific managed identity you created when it is deployed to Azure. In some scenarios, explicitly setting the managed identity for the app also prevents other environment identities from accidentally being detected and used automatically.

-## [.NET](#tab/dotnet)

-1. Update the `DefaultAzureCredential` object in the `Program.cs` file of your app to specify this managed identity client ID.

- // TODO: Update the <your-storage-account-name> and <your-managed-identity-client-id> placeholders

- var blobServiceClient = new BlobServiceClient(

- new Uri("https://<your-storage-account-name>.blob.core.windows.net"),

- new DefaultAzureCredential(

- new DefaultAzureCredentialOptions()

- {

- ManagedIdentityClientId = "<your-managed-identity-client-id>"

- }));

-3. Redeploy your code to Azure after making this change in order for the configuration updates to be applied.

-### [.NET v12 SDK](#tab/dotnet)

-A account SAS is signed with the account access key. Use the [StorageSharedKeyCredential](/dotnet/api/azure.storage.storagesharedkeycredential) class to create the credential that is used to sign the SAS. Next, create a new [AccountSasBuilder](/dotnet/api/azure.storage.sas.accountsasbuilder) object and call the [ToSasQueryParameters](/dotnet/api/azure.storage.sas.accountsasbuilder.tosasqueryparameters) to get the SAS token string.

-### [.NET v11 SDK](#tab/dotnetv11)

-To create an account SAS for a container, call the [CloudStorageAccount.GetSharedAccessSignature](/dotnet/api/microsoft.azure.storage.cloudstorageaccount.getsharedaccesssignature) method.

-The following code example creates an account SAS that is valid for the Blob and File services, and gives the client permissions read, write, and list permissions to access service-level APIs. The account SAS restricts the protocol to HTTPS, so the request must be made with HTTPS. Remember to replace placeholder values in angle brackets with your own values:

-```csharp

-static string GetAccountSASToken()

-{

- // To create the account SAS, you need to use Shared Key credentials. Modify for your account.

- const string ConnectionString = "DefaultEndpointsProtocol=https;AccountName=<storage-account>;AccountKey=<account-key>";

- CloudStorageAccount storageAccount = CloudStorageAccount.Parse(ConnectionString);

- // Create a new access policy for the account.

- SharedAccessAccountPolicy policy = new SharedAccessAccountPolicy()

- {

- Permissions = SharedAccessAccountPermissions.Read |

- SharedAccessAccountPermissions.Write |

- SharedAccessAccountPermissions.List,

- Services = SharedAccessAccountServices.Blob | SharedAccessAccountServices.File,

- ResourceTypes = SharedAccessAccountResourceTypes.Service,

- SharedAccessExpiryTime = DateTime.UtcNow.AddHours(24),

- Protocols = SharedAccessProtocol.HttpsOnly

- };

- // Return the SAS token.

- return storageAccount.GetSharedAccessSignature(policy);

-}

-```

-### [.NET v12 SDK](#tab/dotnet)

-### [.NET v11 SDK](#tab/dotnetv11)

-In this snippet, replace the `<storage-account>` placeholder with the name of your storage account.

-```csharp

-static void UseAccountSAS(string sasToken)

-{

- // Create new storage credentials using the SAS token.

- StorageCredentials accountSAS = new StorageCredentials(sasToken);

- // Use these credentials and the account name to create a Blob service client.

- CloudStorageAccount accountWithSAS = new CloudStorageAccount(accountSAS, "<storage-account>", endpointSuffix: null, useHttps: true);

- CloudBlobClient blobClientWithSAS = accountWithSAS.CreateCloudBlobClient();

- // Now set the service properties for the Blob client created with the SAS.

- blobClientWithSAS.SetServiceProperties(new ServiceProperties()

- {

- HourMetrics = new MetricsProperties()

- {

- MetricsLevel = MetricsLevel.ServiceAndApi,

- RetentionDays = 7,

- Version = "1.0"

- },

- MinuteMetrics = new MetricsProperties()

- {

- MetricsLevel = MetricsLevel.ServiceAndApi,

- RetentionDays = 7,

- Version = "1.0"

- },

- Logging = new LoggingProperties()

- {

- LoggingOperations = LoggingOperations.All,

- RetentionDays = 14,

- Version = "1.0"

- }

- });

- // The permissions granted by the account SAS also permit you to retrieve service properties.

- ServiceProperties serviceProperties = blobClientWithSAS.GetServiceProperties();

- Console.WriteLine(serviceProperties.HourMetrics.MetricsLevel);

- Console.WriteLine(serviceProperties.HourMetrics.RetentionDays);

- Console.WriteLine(serviceProperties.HourMetrics.Version);

-}

-```

-If you are familiar with Windows performance monitoring, you can think of Storage Metrics as being an Azure Storage equivalent of Windows Performance Monitor counters. In Storage Metrics, you will find a comprehensive set of metrics (counters in Windows Performance Monitor terminology) such as service availability, total number of requests to service, or percentage of successful requests to service. For a full list of the available metrics, see [Storage Analytics Metrics Table Schema](/rest/api/storageservices/Storage-Analytics-Metrics-Table-Schema). You can specify whether you want the storage service to collect and aggregate metrics every hour or every minute. For more information about how to enable metrics and monitor your storage accounts, see [Enabling storage metrics and viewing metrics data](../blobs/monitor-blob-storage.md).

-We recommend you review [Azure Monitor for Storage](./storage-insights-overview.md?toc=/azure/azure-monitor/toc.json) (preview). It is a feature of Azure Monitor that offers comprehensive monitoring of your Azure Storage accounts by delivering a unified view of your Azure Storage services performance, capacity, and availability. It does not require you to enable or configure anything, and you can immediately view these metrics from the pre-defined interactive charts and other visualizations included.

-You should continuously monitor your Azure applications to ensure they are healthy and performing as expected by:

-Storage Metrics only stores capacity metrics for the blob service because blobs typically account for the largest proportion of stored data (at the time of writing, it is not possible to use Storage Metrics to monitor the capacity of your tables and queues). You can find this data in the **$MetricsCapacityBlob** table if you have enabled monitoring for the Blob service. Storage Metrics records this data once per day, and you can use the value of the **RowKey** to determine whether the row contains an entity that relates to user data (value **data**) or analytics data (value **analytics**). Each stored entity contains information about the amount of storage used (**Capacity** measured in bytes) and the current number of containers (**ContainerCount**) and blobs (**ObjectCount**) in use in the storage account. For more information about the capacity metrics stored in the **$MetricsCapacityBlob** table, see [Storage Analytics Metrics Table Schema](/rest/api/storageservices/Storage-Analytics-Metrics-Table-Schema).

-> You should monitor these values for an early warning that you are approaching the capacity limits of your storage account. In the Azure portal, you can add alert rules to notify you if aggregate storage use exceeds or falls below thresholds that you specify.

-Any value less than 100% indicates that some storage requests are failing. You can see why they are failing by examining the other columns in the metrics data that show the numbers of requests with different error types such as **ServerTimeoutError**. You should expect to see **Availability** fall temporarily below 100% for reasons such as transient server timeouts while the service moves partitions to better load-balance request; the retry logic in your client application should handle such intermittent conditions. The article [Storage Analytics Logged Operations and Status Messages](/rest/api/storageservices/Storage-Analytics-Logged-Operations-and-Status-Messages) lists the transaction types that Storage Metrics includes in its **Availability** calculation.

-Typically, you will monitor for unexpected changes in any of these values as an indicator that you have an issue that requires investigation.

-The performance of an application can be subjective, especially from a user perspective. Therefore, it is important to have baseline metrics available to help you identify where there might be a performance issue. Many factors might affect the performance of an Azure storage service from the client application perspective. These factors might operate in the storage service, in the client, or in the network infrastructure; therefore it is important to have a strategy for identifying the origin of the performance issue.

-After you have identified the likely location of the cause of the performance issue from the metrics, you can then use the log files to find detailed information to diagnose and troubleshoot the problem further.

-When viewing logs from client applications, network traces, and server-side storage logging it is critical to be able to correlate requests across the different log files. The log files include a number of different fields that are useful as correlation identifiers. The client request ID is the most useful field to use to correlate entries in the different logs. However sometimes, it can be useful to use either the server request ID or timestamps. The following sections provide more details about these options.

-> It is possible for multiple requests to share the same client request ID because the client can assign this value (although the Storage Client Library assigns a

-# [.NET v12 SDK](#tab/dotnet)

-# [.NET v11 SDK](#tab/dotnet11)

-If the Storage Client Library throws a **StorageException** in the client, the **RequestInformation** property contains a **RequestResult** object that includes a **ServiceRequestID** property. You can also access a **RequestResult** object from an **OperationContext** instance.

-The code sample below demonstrates how to set a custom **ClientRequestId** value by attaching an **OperationContext** object the request to the storage service. It also shows how to retrieve the **ServerRequestId** value from the response message.

-```csharp

-//Parse the connection string for the storage account.

-const string ConnectionString = "DefaultEndpointsProtocol=https;AccountName=account-name;AccountKey=account-key";

-CloudStorageAccount storageAccount = CloudStorageAccount.Parse(ConnectionString);

-CloudBlobClient blobClient = storageAccount.CreateCloudBlobClient();

-// Create an Operation Context that includes custom ClientRequestId string based on constants defined within the application along with a Guid.

-OperationContext oc = new OperationContext();

-oc.ClientRequestID = String.Format("{0} {1} {2} {3}", HOSTNAME, APPNAME, USERID, Guid.NewGuid().ToString());

-try

-{

- CloudBlobContainer container = blobClient.GetContainerReference("democontainer");

- ICloudBlob blob = container.GetBlobReferenceFromServer("testImage.jpg", null, null, oc);

- var downloadToPath = string.Format("./{0}", blob.Name);

- using (var fs = File.OpenWrite(downloadToPath))

- {

- blob.DownloadToStream(fs, null, null, oc);

- Console.WriteLine("\t Blob downloaded to file: {0}", downloadToPath);

- }

-}

-catch (StorageException storageException)

-{

- Console.WriteLine("Storage exception {0} occurred", storageException.Message);

- // Multiple results may exist due to client side retry logic - each retried operation will have a unique ServiceRequestId

- foreach (var result in oc.RequestResults)

- {

- Console.WriteLine("HttpStatus: {0}, ServiceRequestId {1}", result.HttpStatusCode, result.ServiceRequestID);

- }

-}

-```

-You can also use timestamps to locate related log entries, but be careful of any clock skew between the client and server that may exist. Search plus or minus 15 minutes for matching server-side entries based on the timestamp on the client. Remember that the blob metadata for the blobs containing metrics indicates the time range for the metrics stored in the blob. This time range is useful if you have many metrics blobs for the same minute or hour.

-[You are encountering problems installing the Azure SDK for .NET]

-For the table and queue services, the Nagle algorithm can also cause high **AverageE2ELatency** as compared to **AverageServerLatency**: for more information, see the post [Nagle's Algorithm is Not Friendly towards Small Requests](/archive/blogs/windowsazurestorage/nagles-algorithm-is-not-friendly-towards-small-requests). You can disable the Nagle algorithm in code by using the **ServicePointManager** class in the **System.Net** namespace. You should do this before you make any calls to the table or queue services in your application since this does not affect connections that are already open. The following example comes from the **Application_Start** method in a worker role.

-# [.NET v12 SDK](#tab/dotnet)

-# [.NET v11 SDK](#tab/dotnet11)

-```csharp

-var storageAccount = CloudStorageAccount.Parse(connStr);

-ServicePoint queueServicePoint = ServicePointManager.FindServicePoint(storageAccount.QueueEndpoint);

-queueServicePoint.UseNagleAlgorithm = false;

-```

-If you are seeing high **AverageServerLatency** for blob download requests when there are repeated requests the same blob or set of blobs, then you should consider caching these blobs using Azure Cache or the Azure Content Delivery Network (CDN). For upload requests, you can improve the throughput by using a larger block size. For queries to tables, it is also possible to implement client-side caching on clients that perform the same query operations and where the data doesn't change frequently.

-### <a name="you-are-experiencing-unexpected-delays-in-message-delivery"></a>You are experiencing unexpected delays in message delivery on a queue

-If you are experiencing a delay between the time an application adds a message to a queue and the time it becomes available to read from the queue, then you should take the following steps to diagnose the issue:

-An increase in **PercentThrottlingError** often occurs at the same time as an increase in the number of storage requests, or when you are initially load testing your application. This may also manifest itself in the client as "503 Server Busy" or "500 Operation Timeout" HTTP status messages from storage operations.

-If you are seeing spikes in the value of **PercentThrottlingError** that coincide with periods of high activity for the application, you implement an exponential (not linear) back-off strategy for retries in your client. Back-off retries reduce the immediate load on the partition and help your application to smooth out spikes in traffic. For more information about how to implement retry policies using the Storage Client Library, see the [Microsoft.Azure.Storage.RetryPolicies namespace](/dotnet/api/microsoft.azure.storage.retrypolicies).

-If you are seeing a consistently high value for **PercentThrottlingError** following a permanent increase in your transaction volumes, or when you are performing your initial load tests on your application, then you need to evaluate how your application is using storage partitions and whether it is approaching the scalability targets for a storage account. For example, if you are seeing throttling errors on a queue (which counts as a single partition), then you should consider using additional queues to spread the transactions across multiple partitions. If you are seeing throttling errors on a table, you need to consider using a different partitioning scheme to spread your transactions across multiple partitions by using a wider range of partition key values. One common cause of this issue is the prepend/append anti-pattern where you select the date as the partition key and then all data on a particular day is written to one partition: under load, this can result in a write bottleneck. Either consider a different partitioning design or evaluate whether using blob storage might be a better solution. Also check whether throttling is occurring as a result of spikes in your traffic and investigate ways of smoothing your pattern of requests.

-If you distribute your transactions across multiple partitions, you must still be aware of the scalability limits set for the storage account. For example, if you used ten queues each processing the maximum of 2,000 1KB messages per second, you will be at the overall limit of 20,000 messages per second for the storage account. If you need to process more than 20,000 entities per second, you should consider using multiple storage accounts. You should also bear in mind that the size of your requests and entities has an impact on when the storage service throttles your clients: if you have larger requests and entities, you may be throttled sooner.

-Server timeouts indicate a problem with the storage service that requires further investigation. You can use metrics to see if you are hitting the scalability limits for the service and to identify any spikes in traffic that might be causing this problem. If the problem is intermittent, it may be due to load-balancing activity in the service. If the problem is persistent and is not caused by your application hitting the scalability limits of the service, you should raise a support issue. For client timeouts, you must decide if the timeout is set to an appropriate value in the client and either change the timeout value set in the client or investigate how you can improve the performance of the operations in the storage service, for example by optimizing your table queries or reducing the size of your messages.

-If your client application is throwing HTTP 403 (Forbidden) errors, a likely cause is that the client is using an expired Shared Access Signature (SAS) when it sends a storage request (although other possible causes include clock skew, invalid keys, and empty headers). If an expired SAS key is the cause, you will not see any entries in the server-side Storage Logging log data. The following table shows a sample from the client-side log generated by the Storage Client Library that illustrates this issue occurring:

-If you are using the Storage Client Library to generate SAS tokens, then it is easy to build a valid token. However, if you are using the Storage REST API and constructing the SAS tokens by hand, see [Delegating Access with a Shared Access Signature](/rest/api/storageservices/delegate-access-with-shared-access-signature).

-If the client application receives an HTTP 404 (Not found) message from the server, this implies that the object the client was attempting to use (such as an entity, table, blob, container, or queue) does not exist in the storage service. There are a number of possible reasons for this, such as:

-In scenarios where the client is attempting to read, update, or delete data in a storage service it is usually easy to identify in the server-side logs a previous operation that deleted the object in question from the storage service. Often, the log data shows that another user or process deleted the object. In the server-side Storage Logging log, the operation-type and requested-object-key columns show when a client deleted an object.

-The following client-side log generated by the Storage Client library illustrates the problem when the client cannot find the container for the blob it is creating. This log includes details of the following storage operations:

-If the client application attempts to use a SAS key that does not include the necessary permissions for the operation, the storage service returns an HTTP 404 (Not found) message to the client. At the same time, you will also see a non-zero value for **SASAuthorizationError** in the metrics.

-#### <a name="JavaScript-code-does-not-have-permission"></a>Client-side JavaScript code does not have permission to access the object

-If you are using a JavaScript client and the storage service is returning HTTP 404 messages, you check for the following JavaScript errors in the browser:

-> You can use the F12 Developer Tools in Internet Explorer to trace the messages exchanged between the browser and the storage service when you are troubleshooting client-side JavaScript issues.

-# [.NET v12 SDK](#tab/dotnet)

-# [.NET v11 SDK](#tab/dotnet11)

-```csharp

-CloudBlobClient client = new CloudBlobClient(blobEndpoint, new StorageCredentials(accountName, accountKey));

-// Set the service properties.

-ServiceProperties sp = client.GetServiceProperties();

-sp.DefaultServiceVersion = "2013-08-15";

-CorsRule cr = new CorsRule();

-cr.AllowedHeaders.Add("*");

-cr.AllowedMethods = CorsHttpMethods.Get | CorsHttpMethods.Put;

-cr.AllowedOrigins.Add("http://www.contoso.com");

-cr.ExposedHeaders.Add("x-ms-*");

-cr.MaxAgeInSeconds = 5;

-sp.Cors.CorsRules.Clear();

-sp.Cors.CorsRules.Add(cr);

-client.SetServiceProperties(sp);

-```

-The most likely cause of this scenario is that the client sent a delete request for the entity to the table service, which succeeded, but did not receive an acknowledgment from the server (perhaps due to a temporary network issue). The client then automatically retried the operation (using the same **client-request-id**), and this retry failed because the entity had already been deleted.

-The code in the client application deletes and then immediately recreates a blob container using the same name: the **CreateIfNotExists** method (Client request ID bc881924-…) eventually fails with the HTTP 409 (Conflict) error. When a client deletes blob containers, tables, or queues there is a brief period before the name becomes available again.

-It is important to note that these operations have completed successfully and therefore do not affect other metrics such as availability. Some examples of operations that execute successfully but that can result in unsuccessful HTTP status codes include:

-If you see sudden, unexpected changes in capacity usage in your storage account, you can investigate the reasons by first looking at your availability metrics; for example, an increase in the number of failed delete requests might lead to an increase in the amount of blob storage you are using as application-specific cleanup operations you might have expected to be freeing up space may not be working as expected (for example, because the SAS tokens used for freeing up space have expired).

-You typically use the storage emulator during development and test to avoid the requirement for an Azure storage account. The common issues that can occur when you are using the storage emulator are:

-#### <a name="feature-X-is-not-working"></a>Feature "X" is not working in the storage emulator

-The storage emulator does not support all of the features of the Azure storage services such as the file service. For more information, see [Use the Azure Storage Emulator for Development and Testing](storage-use-emulator.md).

-For those features that the storage emulator does not support, use the Azure storage service in the cloud.

-#### <a name="error-HTTP-header-not-correct-format"></a>Error "The value for one of the HTTP headers is not in the correct format" when using the storage emulator

-You are testing your application that uses the Storage Client Library against the local storage emulator and method calls such as **CreateIfNotExists** fail with the error message "The value for one of the HTTP headers is not in the correct format." This indicates that the version of the storage emulator you are using does not support the version of the storage client library you are using. The Storage Client Library adds the header **x-ms-version** to all the requests it makes. If the storage emulator does not recognize the value in the **x-ms-version** header, it rejects the request.

-You can use the Storage Library Client logs to see the value of the **x-ms-version header** it is sending. You can also see the value of the **x-ms-version header** if you use Fiddler to trace the requests from your client application.

-You are prompted for administrator credentials when you run the storage emulator. This only occurs when you are initializing the storage emulator for the first time. After you have initialized the storage emulator, you do not need administrative privileges to run it again.

-### <a name="you-are-encountering-problems-installing-the-Windows-Azure-SDK"></a>You are encountering problems installing the Azure SDK for .NET

-If the previous troubleshooting sections do not include the issue you are having with a storage service, you should adopt the following approach to diagnosing and troubleshooting your issue.

-The appendices describe several tools that you may find useful when you are diagnosing and troubleshooting issues with Azure Storage (and other services). These tools are not part of Azure Storage and some are third-party products. As such, the tools discussed in these appendices are not covered by any support agreement you may have with Microsoft Azure or Azure Storage, and therefore as part of your evaluation process you should examine the licensing and support options available from the providers of these tools.

-[Fiddler](https://www.telerik.com/fiddler) is a useful tool for analyzing the HTTP and HTTPS traffic between your client application and the Azure storage service you are using.

-Many tools enable you to download the Storage Metrics data from Azure table storage in a delimited format that makes it easy to load the data into Excel for viewing and analysis. Storage Logging data from Azure Blob Storage is already in a delimited format that you can load into Excel. However, you will need to add appropriate column headings based in the information at [Storage Analytics Log Format](/rest/api/storageservices/Storage-Analytics-Log-Format) and [Storage Analytics Metrics Table Schema](/rest/api/storageservices/Storage-Analytics-Metrics-Table-Schema).

-[You are experiencing unexpected delays in message delivery on a queue]: #you-are-experiencing-unexpected-delays-in-message-delivery

-[Client-side JavaScript code does not have permission to access the object]: #JavaScript-code-does-not-have-permission

-[You are encountering problems installing the Azure SDK for .NET]: #you-are-encountering-problems-installing-the-Windows-Azure-SDK

-# [.NET v12 SDK](#tab/dotnet)

-# [.NET v11 SDK](#tab/dotnet11)

-To create a stored access policy on a container with version 12 of the .NET client library for Azure Storage, call one of the following methods:

-The following example creates a stored access policy that is in effect for one day and that grants read, write, and list permissions:

-```csharp

-private static async Task CreateStoredAccessPolicyAsync(CloudBlobContainer container, string policyName)

-{

- // Create a new stored access policy and define its constraints.

- // The access policy provides create, write, read, list, and delete permissions.

- SharedAccessBlobPolicy sharedPolicy = new SharedAccessBlobPolicy()

- {

- // When the start time for the SAS is omitted, the start time is assumed to be the time when Azure Storage receives the request.

- SharedAccessExpiryTime = DateTime.UtcNow.AddHours(24),

- Permissions = SharedAccessBlobPermissions.Read | SharedAccessBlobPermissions.List |

- SharedAccessBlobPermissions.Write

- };

- // Get the container's existing permissions.

- BlobContainerPermissions permissions = await container.GetPermissionsAsync();

- // Add the new policy to the container's permissions, and set the container's permissions.

- permissions.SharedAccessPolicies.Add(policyName, sharedPolicy);

- await container.SetPermissionsAsync(permissions);

-}

-```

-# [.NET v12 SDK](#tab/dotnet)

-# [.NET v11 SDK](#tab/dotnet11)

-The following sample shows how to enable TLS 1.2 in a .NET client using version 11 of the Azure Storage client library:

-```csharp

-static void EnableTls12()

-{

- // Enable TLS 1.2 before connecting to Azure Storage

- System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12;

- // Add your connection string here.

- string connectionString = "";

- // Connect to Azure Storage and create a new container.

- CloudStorageAccount storageAccount = CloudStorageAccount.Parse(connectionString);

- CloudBlobClient blobClient = storageAccount.CreateCloudBlobClient();

- CloudBlobContainer container = blobClient.GetContainerReference("sample-container");

- container.CreateIfNotExists();

-}

-```

-| V16.0 Release - [KB5013877](https://support.microsoft.com/topic/ffdc8fe2-c653-43c8-8b47-0865267fd520)| 16.0.0.0 | January 30, 2023 | Supported - Flighting |

-### Cause 3: nfs-common package isn't installed

-Before running the `mount` command, install the nfs-common package.

-To check if the NFS package is installed, run: `rpm qa | grep nfs-utils`

-##### Ubuntu or Debian

-sudo apt update

-sudo apt install nfs-common

-##### Fedora, Red Hat Enterprise Linux 8+, CentOS 8+

-Use the dnf package

-Older versions of Red Hat Enterprise Linux and CentOS use the yum package

-##### openSUSE

-Use the zypper package

-Verify that port 2049 is open on your client by running the following command: `telnet <storageaccountnamehere>.file.core.windows.net 2049`. If the port isn't open, open it.

-ln -s linked -n t

-```

-```

-```

-Some Linux distributions don't yet support encryption features in SMB 3.x. Users might receive a "115" error message if they try to mount Azure Files by using SMB 3.x because of a missing feature. SMB 3.x with full encryption is supported only when you're using Ubuntu 16.04 or later.

-The Custom Script Extension handler prevents rerunning a script if the *exact* same settings have been passed. This behavior prevents accidental rerunning, which might cause unexpected behaviors if the script isn't idempotent. To confirm whether the handler blocked the rerunning, look at *C:\WindowsAzure\Logs\Plugins\Microsoft.Compute.CustomScriptExtension\<HandlerVersion>\CustomScriptHandler.log*. Searching for a warning like this one:

-Use Azure CLI to reset identity on the image template. Ensure you [update](/azure/update-azure-cli) Azure CLI to the 2.45.0 version or later.

-You can list all of your proximity placement groups using [az ppg list](/cli/azure/ppg#az-ppg-list).

-You can see the proximity placement group details and resources using [az ppg show](/cli/azure/ppg#az-ppg-show)

-You can see the VM in the proximity placement group using [az ppg show](/cli/azure/ppg#az-ppg-show).

-You can also create an availability set in your proximity placement group. Use the same `--ppg` parameter with [az vm availability-set create](/cli/azure/vm/availability-set#az-vm-availability-set-create) to create an availability set and all of the VMs in the availability set will also be created in the same proximity placement group.

-You can also create a scale set in your proximity placement group. Use the same `--ppg` parameter with [az vmss create](/cli/azure/vmss#az-vmss-create) to create a scale set and all of the instances will be created in the same proximity placement group.

-A full continuous integration and continuous deployment (CiCd) infrastructure on Azure requires certain servers to be static or long-lived servers. It is recommended that Azure assets like the virtual networks and Network Security Groups are static and long lived resources that are rarely deployed. Once a virtual network has been deployed, it can be reused by new deployments without any adverse affects to the infrastructure. You can later add a Git repository server or a Jenkins automation server delivers CiCd to this virtual network for your development or test environments.

-Internal DNS names are only resolvable inside an Azure virtual network. Because the DNS names are internal, they are not resolvable to the outside internet, providing additional security to the infrastructure.

-Azure is very flexible, but to use DNS names for VM name resolution, you need to create virtual network interface cards (vNics) that include a DNS label. vNics are important as you can reuse them by connecting them to different VMs over the infrastructure lifecycle. This approach keeps the vNic as a static resource while the VMs can be temporary. By using DNS labeling on the vNic, we are able to enable simple name resolution from other VMs in the VNet. Using resolvable names enables other VMs to access the automation server by the DNS name `Jenkins` or the Git server as `gitrepo`.

-description: PUT calls for create or update operations on compute resources

-# PUT calls for creation or updates on compute resources

-**Applies to:** :heavy_check_mark: Linux VMs :heavy_check_mark: Windows VMs :heavy_check_mark: Flexible scale sets :heavy_check_mark: Uniform scale sets

-`Microsoft.Compute` resources do not support the conventional definition of *HTTP PUT* semantics. Instead, these resources use PATCH semantics for both the PUT and PATCH verbs.

-**Create** operations apply default values when appropriate. However, resource **updates** done through PUT or PATCH, do not apply any default properties. **Update** operations apply apply strict PATCH semantics.

-For example, the disk `caching` property of a virtual machine defaults to `ReadWrite` if the resource is an OS disk.

-```json

- "storageProfile": {

- "osDisk": {

- "name": "myVMosdisk",

- "image": {

- "uri": "http://{existing-storage-account-name}.blob.core.windows.net/{existing-container-name}/{existing-generalized-os-image-blob-name}.vhd"

- },

- "osType": "Windows",

- "createOption": "FromImage",

- "caching": "ReadWrite",

- "vhd": {

- "uri": "http://{existing-storage-account-name}.blob.core.windows.net/{existing-container-name}/myDisk.vhd"

- }

- }

- },

-```

-However, for **update** operations when a property is left out or a *null* value is passed, it will remain unchanged and there no defaulting values.

-This is important when sending update operations to a resource with the intention of removing an association. If that resource is a `Microsoft.Compute` resource, the corresponding property you want to remove needs to be explicitly called out and a value assigned. To achieve this, users can pass an empty string such as **" "**. This will instruct the platform to remove that association.

-> [!IMPORTANT]

-> There is no support for "patching" an array element. Instead, the client has to do a PUT or PATCH request with the entire contents of the updated array. For example, to detach a data disk from a VM, do a GET request to get the current VM model, remove the disk to be detached from `properties.storageProfile.dataDisks`, and do a PUT request with the updated VM entity.

-## Examples

-### Correct payload to remove a Proximity Placement Groups association

-`

-{ "location": "westus", "properties": { "platformFaultDomainCount": 2, "platformUpdateDomainCount": 20, "proximityPlacementGroup": "" } }

-`

-### Incorrect payloads to remove a Proximity Placement Groups association

-`

-{ "location": "westus", "properties": { "platformFaultDomainCount": 2, "platformUpdateDomainCount": 20, "proximityPlacementGroup": null } }

-`

-`

-{ "location": "westus", "properties": { "platformFaultDomainCount": 2, "platformUpdateDomainCount": 20 } }

-`

-## Next Steps

-Learn more about Create or Update calls for [Virtual Machines](/rest/api/compute/virtualmachines/createorupdate) and [Virtual Machine Scale Sets](/rest/api/compute/virtualmachinescalesets/createorupdate)

-This article shows you how to deploy a dual stack (IPv4 + IPv6) application in Azure that includes a dual stack virtual network with a dual stack subnet, a load balancer with dual (IPv4 + IPv6) front-end configurations, VMs with NICs that have a dual IP configuration, dual network security group rules, and dual public IPs.

-You can execute the script from the Azure [Cloud Shell](https://shell.azure.com/powershell), or from a local PowerShell installation. If you use PowerShell locally, this script requires the Azure Az PowerShell module version 1.0.0 or later. To find the installed version, run `Get-Module -ListAvailable Az`. If you need to upgrade, see [Install Azure PowerShell module](/powershell/azure/install-az-ps). If you are running PowerShell locally, you also need to run `Connect-AzAccount` to create a connection with Azure.

-Before you deploy a dual stack application in Azure, you must configure your subscription only once for this preview feature using the following Azure PowerShell:

-Register as follows:

-```azurepowershell

-Register-AzProviderFeature -FeatureName AllowIPv6VirtualNetwork -ProviderNamespace Microsoft.Network

-Register-AzProviderFeature -FeatureName AllowIPv6CAOnStandardLB -ProviderNamespace Microsoft.Network

-```

-It takes up to 30 minutes for feature registration to complete. You can check your registration status by running the following Azure PowerShell command:

-Check on the registration as follows:

-```azurepowershell

-Get-AzProviderFeature -FeatureName AllowIPv6VirtualNetwork -ProviderNamespace Microsoft.Network

-Get-AzProviderFeature -FeatureName AllowIPv6CAOnStandardLB -ProviderNamespace Microsoft.Network

-```

-After the registration is complete, run the following command:

-```azurepowershell

-Register-AzResourceProvider -ProviderNamespace Microsoft.Network

-```

-## Sample script

-| [New-AzLoadBalancerProbeConfig](/powershell/module/az.network/new-azloadbalancerprobeconfig) | Creates a load balancer probe. A load balancer probe is used to monitor each VM in the load balancer set. If any VM becomes inaccessible, traffic is not routed to the VM. |

-| [New-AzLoadBalancerRuleConfig](/powershell/module/az.network/new-azloadbalancerruleconfig) | Creates a load balancer rule. In this sample, a rule is created for port 80. As HTTP traffic arrives at the load balancer, it is routed to port 80 one of the VMs in the load balancer set. |

-| [New-AzAvailabilitySet](/powershell/module/az.compute/new-azavailabilityset) | Creates an availability set. Availability sets ensure application uptime by spreading the virtual machines across physical resources such that if failure occurs, the entire set is not affected. |

-Additional networking PowerShell script samples can be found in the [Azure Networking Overview documentation](../powershell-samples.md?toc=%2fazure%2fnetworking%2ftoc.json).

-$rule = New-AzApplicationGatewayFirewallCustomRule -Name blockEvilBot -Priority 2 -RuleType MatchRule -MatchCondition $condition -Action Block

-$rule2 = New-AzApplicationGatewayFirewallCustomRule -Name allowUS -Priority 14 -RuleType MatchRule -MatchCondition $condition2 -Action Allow

-You know there's a bot named *evilbot* that you want to block from crawling your website. In this case, youΓÇÖll block on the User-Agent *evilbot* in the request headers.

- -Action Block

-And here is the corresponding JSON:

- -Action Block

-You want to allow traffic only from the US using the GeoMatch operator and still have the managed rules apply:

- -Action Block

-In this example, you'll block all traffic that comes from an IP addresses range. The name of the rule is *myrule1* and the priority is set to 10.

- -Action Block

-For this example, you want to block User-Agent *evilbot*, and traffic in the range 192.168.5.0/24. To accomplish this, you can create two separate match conditions, and put them both in the same rule. This ensures that if both *evilbot* in the User-Agent header **and** IP addresses from the range 192.168.5.0/24 are matched, then the request is blocked.

- -Action Block

- -Action Block

- -Action Block

- -Action Block

-It is not uncommon to see Azure Front Door deployed in front of Application Gateway. In order to make sure the traffic received by Application Gateway comes from the Front Door deployment, the best practice is to check if the `X-Azure-FDID` header contains the expected unique value. For more information on this, please see [How to lock down the access to my backend to only Azure Front Door](../../frontdoor/front-door-faq.yml#how-do-i-lock-down-the-access-to-my-backend-to-only-azure-front-door-)

- -Action Block

-And here is the corresponding JSON:

-Custom rules allow you to create your own rules that are evaluated for each request that passes through the WAF. These rules hold a higher priority than the rest of the rules in the managed rule sets. The custom rules contain a rule name, rule priority, and an array of matching conditions. If these conditions are met, an action is taken (to allow, block, or log). If a custom rule is triggered, and an allow or block action is taken, no further custom or managed rules are evaluated.

-For example, you can block all requests from an IP address in the range 192.168.5.0/24. In this rule, the operator is *IPMatch*, the matchValues is the IP address range (192.168.5.0/24), and the action is to block the traffic. You also set the rule's name and priority.

- -Action Allow

- -Action Block