-Role definition objects contain the definition of the built-in or custom role, along with the permissions that are granted by that role assignment. This resource displays both custom role definitions and built-in directory roles (which are displayed in roleDefinition equivalent form). Today, an Azure AD organization can have a maximum of 30 unique custom role definitions defined.

-> * Disable users in Adobe Identity Management when they do not require access anymore

-> * [Single sign-on](adobe-identity-management-tutorial.md) to Adobe Identity Management (recommended)

-1. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

-1. Determine what data to [map between Azure AD and Adobe Identity Management](../app-provisioning/customize-application-attributes.md).

-1. Click **Add Sync**.

-1. Select **Sync users from Microsoft Azure** and click **Next**.

-1. Copy and save the **Tenant URL** and the **Secret token**. These values will be entered in the **Tenant URL** and **Secret Token** fields in the Provisioning tab of your Adobe Identity Management application in the Azure portal.

-1. In the applications list, select **Adobe Identity Management**.

-1. Select the **Provisioning** tab.

-1. Set the **Provisioning Mode** to **Automatic**.

-1. Under the **Admin Credentials** section, input your Adobe Identity Management Tenant URL and Secret Token retrieved earlier from Step 2. Click **Test Connection** to ensure Azure AD can connect to Adobe Identity Management. If the connection fails, ensure your Adobe Identity Management account has Admin permissions and try again.

-1. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box.

-1. Select **Save**.

-1. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to Adobe Identity Management**.

-1. Review the user attributes that are synchronized from Azure AD to Adobe Identity Management in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Adobe Identity Management for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you will need to ensure that the Adobe Identity Management API supports filtering users based on that attribute. Select the **Save** button to commit any changes.

- |Attribute|Type|Supported for filtering|Required by Adobe Identity Management

- |||||

- |userName|String|✓|✓

- |active|Boolean||

- |emails[type eq "work"].value|String||

- |addresses[type eq "work"].country|String||

- |name.givenName|String||

- |name.familyName|String||

- |urn:ietf:params:scim:schemas:extension:Adobe:2.0:User:emailAliases|String||

-1. Under the **Mappings** section, select **Synchronize Azure Active Directory Groups to Adobe Identity Management**.

-1. Review the group attributes that are synchronized from Azure AD to Adobe Identity Management in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the groups in Adobe Identity Management for update operations. Select the **Save** button to commit any changes.

- |Attribute|Type|Supported for filtering|Required by Adobe Identity Management

- |||||

- |displayName|String|✓|✓

- |members|Reference||

-1. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

-1. To enable the Azure AD provisioning service for Adobe Identity Management, change the **Provisioning Status** to **On** in the **Settings** section.

-1. Define the users and/or groups that you would like to provision to Adobe Identity Management by choosing the desired values in **Scope** in the **Settings** section.

-1. When you are ready to provision, click **Save**.

-* Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully

-* Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it is to completion

-* If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).

-## More resources

-# Tutorial: Azure Active Directory single sign-on (SSO) integration with CyberArk SAML Authentication

- 

-1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:

- > These values are not real. Update these values with the actual Reply URL and Sign-On URL. Contact [CyberArk SAML Authentication Client support team](mailto:bizdevtech@cyberark.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

- 

- 

-To configure single sign-on on **CyberArk SAML Authentication** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [CyberArk SAML Authentication support team](mailto:support@cyberark.com). They set this setting to have the SAML SSO connection set properly on both sides.

-In this section, you create a user called B.Simon in CyberArk SAML Authentication. Work with [CyberArk SAML Authentication support team](mailto:support@cyberark.com) to add the users in the CyberArk SAML Authentication platform. Users must be created and activated before you use single sign-on.

-Once you configure CyberArk SAML Authentication you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

-# Tutorial: Azure Active Directory single sign-on (SSO) integration with TravelPerk

- 

- > These values are not real. Update these values with the actual Identifier,Reply URL and Sign on URL. The values can be found inside your TravelPerk account: go to **Company Settings** > **Integrations** > **Single Sign On**. For assistance, visit the [TravelPerk helpcenter](https://support.travelperk.com/hc/articles/360052450271-How-can-I-setup-SSO-for-Azure-SAML).

- 

- 

- 

-To configure single sign-on on **TravelPerk** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [TravelPerk support team](mailto:trex@travelperk.com). They set this setting to have the SAML SSO connection set properly on both sides.

-Once you configure TravelPerk you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

-[Azure App Service](overview.md) provides a highly scalable, self-patching web hosting service. This quickstart tutorial shows how to deploy a PHP app to Azure App Service on Windows.

-[Azure App Service](overview.md) provides a highly scalable, self-patching web hosting service. This quickstart tutorial shows how to deploy a PHP app to Azure App Service on Linux.

-You create the web app using the [Azure CLI](/cli/azure/get-started-with-azure-cli) in Cloud Shell, and you use Git to deploy sample PHP code to the web app.

-## Prerequisites

-To complete this quickstart:

-* <a href="https://git-scm.com/" target="_blank">Install Git</a>

-* <a href="https://php.net/manual/install.php" target="_blank">Install PHP</a>

-## Download the sample locally

-

-1. Make sure the default branch is `main`.

- ```bash

- git branch -m main

- ```

-

- > [!TIP]

- > The branch name change isn't required by App Service. However, since many repositories are changing their default branch to `main`, this quickstart also shows you how to deploy a repository from `main`.

-

-## Run the app locally

-1. Run the application locally so that you see how it should look when you deploy it to Azure. Open a terminal window and use the `php` command to launch the built-in PHP web server.

-1. Open a web browser, and navigate to the sample app at `http://localhost:8080`.

- You see the **Hello World!** message from the sample app displayed in the page.

-## Create a web app

-1. In the Cloud Shell, create a web app in the `myAppServicePlan` App Service plan with the [`az webapp create`](/cli/azure/webapp#az-webapp-create) command.

- In the following example, replace `<app-name>` with a globally unique app name (valid characters are `a-z`, `0-9`, and `-`). The runtime is set to `PHP|7.4`. To see all supported runtimes, run [`az webapp list-runtimes`](/cli/azure/webapp#az-webapp-list-runtimes).

- ```azurecli-interactive

- az webapp create --resource-group myResourceGroup --plan myAppServicePlan --name <app-name> --runtime 'PHP:8.0' --deployment-local-git

- ```

-

- When the web app has been created, the Azure CLI shows output similar to the following example:

- <pre>

- Local git is configured with url of 'https://&lt;username&gt;@&lt;app-name&gt;.scm.azurewebsites.net/&lt;app-name&gt;.git'

- {

- "availabilityState": "Normal",

- "clientAffinityEnabled": true,

- "clientCertEnabled": false,

- "cloningInfo": null,

- "containerSize": 0,

- "dailyMemoryTimeQuota": 0,

- "defaultHostName": "&lt;app-name&gt;.azurewebsites.net",

- "enabled": true,

- &lt; JSON data removed for brevity. &gt;

- }

- </pre>

-

- You've created an empty new web app, with git deployment enabled.

- > [!NOTE]

- > The URL of the Git remote is shown in the `deploymentLocalGitUrl` property, with the format `https://<username>@<app-name>.scm.azurewebsites.net/<app-name>.git`. Save this URL as you need it later.

- >

-1. Browse to your newly created web app. Replace _&lt;app-name>_ with your unique app name created in the prior step.

- ```bash

- http://<app-name>.azurewebsites.net

- ```

- Here's what your new web app should look like:

- 

- <pre>

- Counting objects: 2, done.

- Delta compression using up to 4 threads.

- Compressing objects: 100% (2/2), done.

- Writing objects: 100% (2/2), 352 bytes | 0 bytes/s, done.

- Total 2 (delta 1), reused 0 (delta 0)

- remote: Updating branch 'main'.

- remote: Updating submodules.

- remote: Preparing deployment for commit id '25f18051e9'.

- remote: Generating deployment script.

- remote: Running deployment command...

- remote: Handling Basic Web Site deployment.

- remote: Kudu sync from: '/home/site/repository' to: '/home/site/wwwroot'

- remote: Copying file: '.gitignore'

- remote: Copying file: 'LICENSE'

- remote: Copying file: 'README.md'

- remote: Copying file: 'index.php'

- remote: Ignoring: .git

- remote: Finished successfully.

- remote: Running post deployment command(s)...

- remote: Deployment successful.

- To https://&lt;app-name&gt;.scm.azurewebsites.net/&lt;app-name&gt;.git

- cc39b1e..25f1805 main -> main

- </pre>

-## Browse to the app

-Browse to the deployed application using your web browser.

-```

-http://<app-name>.azurewebsites.net

-The PHP sample code is running in an Azure App Service web app.

-

-**Congratulations!** You've deployed your first PHP app to App Service.

-## Update locally and redeploy the code

-1. In the local terminal window, commit your changes in Git, and then push the code changes to Azure.

- ```bash

- git commit -am "updated output"

- git push azure main

-## Manage your new Azure app

-Next, update the appsettings.json file in our local app code with the Connection String of our Azure SQL Database. The update allows us to run migrations locally against our database hosted in Azure. Replace the username and password placeholders with the values you chose when creating your database.

- "MyDbConnection": "Server=tcp:coredbserver456.database.windows.net,1433;

-> The first two commands, `resourceID` and `workspaceID`, are variables to be used in the [az monitor diagnostic-settings create](/cli/azure/monitor/diagnostic-settings#az-monitor-diagnostic-settings-create) command. See [Create diagnostic settings using Azure CLI](../azure-monitor/essentials/diagnostic-settings.md#create-using-azure-cli) for more information on this command.

-|`*.servicebus.windows.net`, `guestnotificationservice.azure.com`, `*.guestnotificationservice.azure.com`, `sts.windows.net` | For [Cluster Connect](cluster-connect.md) and for [Custom Location](custom-locations.md) based scenarios. |

-`azcmagent disconnect --service-principal-id <serviceprincipalAppID> --service-principal-secret <serviceprincipalPassword> --tenant-id <tenantID>`

-| logging.logLeve.Host.Aggregator | AzureFunctionsJobHost__logging__logLevel__Host__Aggregator |

-| logging.logLevel.Function.Function1 | AzureFunctionsJobHost__logging__logLevel__Function1 |

-| logging.logLevel.Function.Function1.User | AzureFunctionsJobHost__logging__logLevel__Function1.User |

-For a more complete example of using custom middleware in your function app, see the [custom middleware reference sample](https://github.com/Azure/azure-functions-dotnet-worker/blob/main/samples/CustomMiddleware).

-|AzureWebJobsSecretStorageSa| `<BLOB_SAS_URL>` |

-| **`--authLevel`** | Lets you set the authorization level for an HTTP trigger. Supported values are: `function`, `anonymous`, `admin`. Authorization isn't enforced when running locally. For more information, see the [HTTP binding article](functions-bindings-http-webhook-trigger.md#authorization-keys). |

-The data that Azure Monitor collects from virtual machines with the [Log Analytics](./log-analytics-agent.md) agent is defined by the data sources that you configure on the [Log Analytics workspace](../logs/data-platform-logs.md). Each data source creates records of a particular type with each type having its own set of properties.

-> This article covers data sources for the legacy [Log Analytics agent](./log-analytics-agent.md) which is one of the agents used by Azure Monitor. This agent **will be deprecated by August, 2024**. Please plan to [migrate to Azure Monitor agent](./azure-monitor-agent-migration.md) before that. Other agents collect different data and are configured differently. See [Overview of Azure Monitor agents](agents-overview.md) for a list of the available agents and the data they can collect.

-Virtual machines and other compute resources require an agent to collect monitoring data required to measure the performance and availability of their guest operating system and workloads. This article describes the agents used by Azure Monitor and helps you determine which you need to meet the requirements for your particular environment.

-> [!NOTE]

-> Azure Monitor recently launched a new agent, the [Azure Monitor agent](./azure-monitor-agent-overview.md), that provides all capabilities necessary to collect guest operating system monitoring data. **Use this new agent if you are not bound by [these limitations](./azure-monitor-agent-overview.md#current-limitations)**, as it consolidates the features of all the legacy agents listed below and provides additional benefits. If you do require the limitations today, you may continue using the other legacy agents listed below until **August 2024**. [Learn more](./azure-monitor-agent-overview.md)

-Use the Azure Monitor agent if you need to:

-## Basic troubleshooting steps

- 2. If not, check if machine can reach Azure and find the extension to install using the command below:

- az vm extension image list-versions --location <machine-region> --name AzureMonitorWindowsAgent --publisher Microsoft.Azure.Monitor

- ```

-## Basic troubleshooting steps

-The samples in this section install the Azure Monitor agent on Windows and Linux virtual machines and Azure Arc-enabled servers. To configure data collection for these agents, you must also deploy [Resource Manager templates data collection rules and associations](./resource-manager-data-collection-rules.md).

-| Built-in Role | Scope(s) | Reason |

-|:|:|:|

-### Windows Azure virtual machine

-The following sample installs the Azure Monitor agent on a Windows Azure virtual machine.

- "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",

- "vmName": {

- "type": "string"

- },

- "location": {

- "type": "string"

- }

- {

- "name": "[concat(parameters('vmName'),'/AzureMonitorWindowsAgent')]",

- "type": "Microsoft.Compute/virtualMachines/extensions",

- "location": "[parameters('location')]",

- "apiVersion": "2020-06-01",

- "properties": {

- "publisher": "Microsoft.Azure.Monitor",

- "type": "AzureMonitorWindowsAgent",

- "typeHandlerVersion": "1.0",

- "autoUpgradeMinorVersion": true,

- "enableAutomaticUpgrade":true

- }

- "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",

- "vmName": {

- "value": "my-windows-vm"

- },

- "location": {

- "value": "eastus"

- }

- "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",

- "vmName": {

- "type": "string"

- },

- "location": {

- "type": "string"

- }

- {

- "name": "[concat(parameters('vmName'),'/AzureMonitorLinuxAgent')]",

- "type": "Microsoft.Compute/virtualMachines/extensions",

- "location": "[parameters('location')]",

- "apiVersion": "2020-06-01",

- "properties": {

- "publisher": "Microsoft.Azure.Monitor",

- "type": "AzureMonitorLinuxAgent",

- "typeHandlerVersion": "1.5",

- "autoUpgradeMinorVersion": true,

- "enableAutomaticUpgrade":true

- }

- "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",

- "vmName": {

- "value": "my-linux-vm"

- },

- "location": {

- "value": "eastus"

- }

-### Windows Azure Arc-enabled server

-The following sample installs the Azure Monitor agent on a Windows Azure Arc-enabled server.

- "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",

- "vmName": {

- "type": "string"

- },

- "location": {

- "type": "string"

- }

- {

- "name": "[concat(parameters('vmName'),'/AzureMonitorWindowsAgent')]",

- "type": "Microsoft.HybridCompute/machines/extensions",

- "location": "[parameters('location')]",

- "apiVersion": "2019-08-02-preview",

- "properties": {

- "publisher": "Microsoft.Azure.Monitor",

- "type": "AzureMonitorWindowsAgent",

- "autoUpgradeMinorVersion": true

- }

- "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",

- "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",

- "vmName": {

- "type": "string"

- },

- "location": {

- "type": "string"

- }

- {

- "name": "[concat(parameters('vmName'),'/AzureMonitorLinuxAgent')]",

- "type": "Microsoft.HybridCompute/machines/extensions",

- "location": "[parameters('location')]",

- "apiVersion": "2019-08-02-preview",

- "properties": {

- "publisher": "Microsoft.Azure.Monitor",

- "type": "AzureMonitorLinuxAgent",

- "autoUpgradeMinorVersion": true

- }

- "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",

- "vmName": {

- "value": "my-linux-vm"

- },

- "location": {

- "value": "eastus"

- }

-The following sample installs the Log Analytics agent on a Windows Azure virtual machine. This is done by enabling the [Log Analytics virtual machine extension for Windows](../../virtual-machines/extensions/oms-windows.md).

- "apiVersion": "2018-10-01",

- "resources": [

- {

- "type": "Microsoft.Compute/virtualMachines/extensions",

- "name": "[concat(parameters('vmName'), '/Microsoft.Insights.LogAnalyticsAgent')]",

- "apiVersion": "2015-06-15",

- "location": "[parameters('location')]",

- "dependsOn": [

- "[concat('Microsoft.Compute/virtualMachines/', parameters('vmName'))]"

- ],

- "properties": {

- "publisher": "Microsoft.EnterpriseCloud.Monitoring",

- "type": "MicrosoftMonitoringAgent",

- "typeHandlerVersion": "1.0",

- "autoUpgradeMinorVersion": true,

- "settings": {

- "workspaceId": "[parameters('workspaceId')]"

- },

- "protectedSettings": {

- "workspaceKey": "[parameters('workspaceKey')]"

- }

- }

- "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",

- "vmName": {

- "value": "my-windows-vm"

- },

- "location": {

- "value": "westus"

- },

- "workspaceId": {

- "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

- },

- "workspaceKey": {

- "value": "Tse-gj9CemT6A80urYa2hwtjvA5axv1xobXgKR17kbVdtacU6cEf+SNo2TdHGVKTsZHZd1W9QKRXfh+$fVY9dA=="

- }

- "apiVersion": "2018-10-01",

- "resources": [

- {

- "type": "Microsoft.Compute/virtualMachines/extensions",

- "name": "[concat(parameters('vmName'), '/Microsoft.Insights.LogAnalyticsAgent')]",

- "apiVersion": "2015-06-15",

- "location": "[parameters('location')]",

- "dependsOn": [

- "[concat('Microsoft.Compute/virtualMachines/', parameters('vmName'))]"

- ],

- "properties": {

- "publisher": "Microsoft.EnterpriseCloud.Monitoring",

- "type": "OmsAgentForLinux",

- "typeHandlerVersion": "1.7",

- "autoUpgradeMinorVersion": true,

- "settings": {

- "workspaceId": "[parameters('workspaceId')]"

- },

- "protectedSettings": {

- "workspaceKey": "[parameters('workspaceKey')]"

- }

- }

- "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",

- "vmName": {

- "value": "my-linux-vm"

- },

- "location": {

- "value": "westus"

- },

- "workspaceId": {

- "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

- },

- "workspaceKey": {

- "value": "Tse-gj9CemT6A80urYa2hwtjvA5axv1xobXgKR17kbVdtacU6cEf+SNo2TdHGVKTsZHZd1W9QKRXfh+$fVY9dA=="

- }

-The following sample enables and configures the diagnostic extension on a Windows Azure virtual machine. For details on the configuration, see [Windows diagnostics extension schema](./diagnostics-extension-schema-windows.md).

- "apiVersion": "2018-10-01",

- "resources": [

- {

- "type": "Microsoft.Compute/virtualMachines/extensions",

- "name": "[concat(parameters('vmName'), '/Microsoft.Insights.VMDiagnosticsSettings')]",

- "apiVersion": "2015-06-15",

- "location": "[parameters('location')]",

- "dependsOn": [

- "[concat('Microsoft.Compute/virtualMachines/', parameters('vmName'))]"

- ],

- "properties": {

- "publisher": "Microsoft.Azure.Diagnostics",

- "type": "IaaSDiagnostics",

- "typeHandlerVersion": "1.5",

- "autoUpgradeMinorVersion": true,

- "settings": {

- "WadCfg": {

- "DiagnosticMonitorConfiguration": {

- "overallQuotaInMB": 10000,

- "DiagnosticInfrastructureLogs": {

- "scheduledTransferLogLevelFilter": "Error"

- },

- "PerformanceCounters": {

- "scheduledTransferPeriod": "PT1M",

- "sinks": "AzureMonitorSink",

- "PerformanceCounterConfiguration": [

- {

- "counterSpecifier": "\\Processor(_Total)\\% Processor Time",

- "sampleRate": "PT1M",

- "unit": "percent"

- }

- ]

- },

- "WindowsEventLog": {

- "scheduledTransferPeriod": "PT5M",

- "DataSource": [

- {

- "name": "System!*[System[Provider[@Name='Microsoft Antimalware']]]"

- },

- {

- "name": "System!*[System[Provider[@Name='NTFS'] and (EventID=55)]]"

- },

- {

- "name": "System!*[System[Provider[@Name='disk'] and (EventID=7 or EventID=52 or EventID=55)]]"

- }

- ]

- }

- },

- "SinksConfig": {

- "Sink": [

- {

- "name": "AzureMonitorSink",

- "AzureMonitor":

- {

- "ResourceId": "[parameters('workspaceResourceId')]"

- }

- }

- ]

- }

- },

- "storageAccount": "[parameters('storageAccountName')]"

- },

- "protectedSettings": {

- "storageAccountName": "[parameters('storageAccountName')]",

- "storageAccountKey": "[listkeys(parameters('storageAccountId'), '2015-05-01-preview').key1]",

- "storageAccountEndPoint": "https://core.windows.net" }

- ]

- "type": "Microsoft.Compute/virtualMachines/extensions",

- "name": "[concat(parameters('vmName'),'/ManagedIdentityExtensionForWindows')]",

- "apiVersion": "2018-06-01",

- "location": "[parameters('location')]",

- "properties": {

- "publisher": "Microsoft.ManagedIdentity",

- "type": "ManagedIdentityExtensionForWindows",

- "typeHandlerVersion": "1.0",

- "autoUpgradeMinorVersion": true,

- "settings": {

- "port": 50342

- }

- "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",

- "apiVersion": "2018-10-01",

- "resources": [

- {

- "type": "Microsoft.Compute/virtualMachines/extensions",

- "name": "[concat(parameters('vmName'), '/Microsoft.Insights.VMDiagnosticsSettings')]",

- "apiVersion": "2015-06-15",

- "location": "[parameters('location')]",

- "dependsOn": [

- "[concat('Microsoft.Compute/virtualMachines/', parameters('vmName'))]"

- ],

- "properties": {

- "publisher": "Microsoft.Azure.Diagnostics",

- "type": "LinuxDiagnostic",

- "typeHandlerVersion": "3.0",

- "autoUpgradeMinorVersion": true,

- "settings": {

- "StorageAccount": "[parameters('storageAccountName')]",

- "ladCfg": {

- "sampleRateInSeconds": 15,

- "diagnosticMonitorConfiguration":

- {

- "performanceCounters":

- {

- "sinks": "MyMetricEventHub,MyJsonMetricsBlob",

- "performanceCounterConfiguration": [

- {

- "unit": "Percent",

- "type": "builtin",

- "counter": "PercentProcessorTime",

- "counterSpecifier": "/builtin/Processor/PercentProcessorTime",

- "annotation": [

- {

- "locale": "en-us",

- "displayName": "Aggregate CPU %utilization"

- }

- ],

- "condition": "IsAggregate=TRUE",

- "class": "Processor"

- },

- {

- "unit": "Bytes",

- "type": "builtin",

- "counter": "UsedSpace",

- "counterSpecifier": "/builtin/FileSystem/UsedSpace",

- "annotation": [

- {

- "locale": "en-us",

- "displayName": "Used disk space on /"

- }

- ],

- "condition": "Name=\"/\"",

- "class": "Filesystem"

- }

- ]

- },

- "metrics": {

- "metricAggregation": [

- {

- "scheduledTransferPeriod": "PT1H"

- },

- {

- "scheduledTransferPeriod": "PT1M"

- }

- ],

- "resourceId": "[parameters('vmId')]"

- },

- "eventVolume": "Large",

- "syslogEvents": {

- "sinks": "MySyslogJsonBlob,MyLoggingEventHub",

- "syslogEventConfiguration": {

- "LOG_USER": "LOG_INFO"

- }

- }

- }

- },

- "perfCfg": [

- "query": "SELECT PercentProcessorTime, PercentIdleTime FROM SCX_ProcessorStatisticalInformation WHERE Name='_TOTAL'",

- "table": "LinuxCpu",

- "frequency": 60,

- "sinks": "MyLinuxCpuJsonBlob,MyLinuxCpuEventHub"

- "fileLogs": [

- "file": "/var/log/myladtestlog",

- "table": "MyLadTestLog",

- "sinks": "MyFilelogJsonBlob,MyLoggingEventHub"

- ]

- "protectedSettings": {

- "storageAccountName": "yourdiagstgacct",

- "storageAccountSasToken": "[parameters('storageSasToken')]",

- "sinksConfig": {

- "sink": [

- {

- "name": "MySyslogJsonBlob",

- "type": "JsonBlob"

- },

- {

- "name": "MyFilelogJsonBlob",

- "type": "JsonBlob"

- },

- {

- "name": "MyLinuxCpuJsonBlob",

- "type": "JsonBlob"

- },

- {

- "name": "MyJsonMetricsBlob",

- "type": "JsonBlob"

- },

- {

- "name": "MyLinuxCpuEventHub",

- "type": "EventHub",

- "sasURL": "[parameters('eventHubUrl')]"

- },

- {

- "name": "MyMetricEventHub",

- "type": "EventHub",

- "sasURL": "[parameters('eventHubUrl')]"

- },

- {

- "name": "MyLoggingEventHub",

- "type": "EventHub",

- "sasURL": "[parameters('eventHubUrl')]"

- }

- ]

- }

- ]

- "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",

- "vmName": {

- "value": "my-linux-vm"

- },

- "vmId": {

- "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/my-resource-group/providers/Microsoft.Compute/virtualMachines/my-linux-vm"

- },

- "location": {

- "value": "westus"

- },

- "storageAccountName": {

- "value": "mystorageaccount"

- },

- "storageSasToken": {

- "value": "?sv=2019-10-10&ss=bfqt&srt=sco&sp=rwdlacupx&se=2020-04-26T23:06:44Z&st=2020-04-26T15:06:44Z&spr=https&sig=1QpoTvrrEW6VN2taweUq1BsaGkhDMnFGTfWakucZl4%3D"

- },

- "eventHubUrl": {

- "value": "https://my-eventhub-namespace.servicebus.windows.net/my-eventhub?sr=my-eventhub-namespace.servicebus.windows.net%2fmy-eventhub&sig=4VEGPTg8jxUAbTcyeF2kwOr8XZdfgTdMWEQWnVaMSqw=&skn=manage"

- }

- "location": {

- "value": "eastus"

- }

- "location": {

- "value": "eastus"

- }

- "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",

- "contentVersion": "1.0.0.0",

- "parameters": {

- "alertName": {

- "type": "string",

- "minLength": 1,

- "metadata": {

- "description": "Name of the alert"

- }

- },

- "location": {

- "type": "string",

- "minLength": 1,

- "metadata": {

- "description": "Location of the alert"

- }

- },

- "alertDescription": {

- "type": "string",

- "defaultValue": "This is a metric alert",

- "metadata": {

- "description": "Description of alert"

- }

- },

- "alertSeverity": {

- "type": "int",

- "defaultValue": 3,

- "allowedValues": [

- 0,

- 1,

- 2,

- 3,

- 4

- ],

- "metadata": {

- "description": "Severity of alert {0,1,2,3,4}"

- }

- },

- "isEnabled": {

- "type": "bool",

- "defaultValue": true,

- "metadata": {

- "description": "Specifies whether the alert is enabled"

- }

- },

- "autoMitigate": {

- "type": "bool",

- "defaultValue": true,

- "metadata": {

- "description": "Specifies whether the alert will automatically resolve"

- }

- },

- "checkWorkspaceAlertsStorageConfigured": {

- "type": "bool",

- "defaultValue": false,

- "metadata": {

- "description": "Specifies whether to check linked storage and fail creation if the storage was not found"

- }

- },

- "resourceId": {

- "type": "string",

- "minLength": 1,

- "metadata": {

- "description": "Full Resource ID of the resource emitting the metric that will be used for the comparison. For example /subscriptions/00000000-0000-0000-0000-0000-00000000/resourceGroups/ResourceGroupName/providers/Microsoft.compute/virtualMachines/VM_xyz"

- }

- },

- "query": {

- "type": "string",

- "minLength": 1,

- "metadata": {

- "description": "Name of the metric used in the comparison to activate the alert."

- }

- },

- "metricMeasureColumn": {

- "type": "string",

- "metadata": {

- "description": "Name of the measure column used in the alert evaluation."

- }

- },

- "resourceIdColumn": {

- "type": "string",

- "metadata": {

- "description": "Name of the resource ID column used in the alert targeting the alerts."

- }

- },

- "operator": {

- "type": "string",

- "defaultValue": "GreaterThan",

- "allowedValues": [

- "Equals",

- "NotEquals",

- "GreaterThan",

- "GreaterThanOrEqual",

- "LessThan",

- "LessThanOrEqual"

- ],

- "metadata": {

- "description": "Operator comparing the current value with the threshold value."

- }

- },

- "threshold": {

- "type": "string",

- "defaultValue": "0",

- "metadata": {

- "description": "The threshold value at which the alert is activated."

- }

- },

- "numberOfEvaluationPeriods": {

- "type": "string",

- "defaultValue": "1",

- "metadata": {

- "description": "The number of periods to check in the alert evaluation."

- }

- },

- "minFailingPeriodsToAlert": {

- "type": "string",

- "defaultValue": "1",

- "metadata": {

- "description": "The number of unhealthy periods to alert on (must be lower or equal to numberOfEvaluationPeriods)."

- }

- },

- "timeAggregation": {

- "type": "string",

- "defaultValue": "Average",

- "allowedValues": [

- "Average",

- "Minimum",

- "Maximum",

- "Total",

- "Count"

- ],

- "metadata": {

- "description": "How the data that is collected should be combined over time."

- }

- },

- "windowSize": {

- "type": "string",

- "defaultValue": null,

- "allowedValues": [

- "PT1M",

- "PT5M",

- "PT15M",

- "PT30M",

- "PT1H",

- "PT6H",

- "PT12H",

- "PT24H"

- ],

- "metadata": {

- "description": "Period of time used to monitor alert activity based on the threshold. Must be between one minute and one day. ISO 8601 duration format."

- }

- },

- "evaluationFrequency": {

- "type": "string",

- "defaultValue": "PT5M",

- "allowedValues": [

- "PT5M",

- "PT15M",

- "PT30M",

- "PT1H"

- ],

- "metadata": {

- "description": "how often the metric alert is evaluated represented in ISO 8601 duration format"

- }

- },

- "muteActionsDuration": {

- "type": "string",

- "allowedValues": [

- "PT1M",

- "PT5M",

- "PT15M",

- "PT30M",

- "PT1H",

- "PT6H",

- "PT12H",

- "PT24H"

- ],

- "metadata": {

- "description": "Mute actions for the chosen period of time (in ISO 8601 duration format) after the alert is fired."

- }

- },

- "actionGroupId": {

- "type": "string",

- "defaultValue": "",

- "metadata": {

- "description": "The ID of the action group that is triggered when the alert is activated or deactivated"

- }

- }

- "variables": { },

- "resources": [

- {

- "name": "[parameters('alertName')]",

- "type": "Microsoft.Insights/scheduledQueryRules",

- "location": "[parameters('location')]",

- "apiVersion": "2021-08-01",

- "tags": {},

- "properties": {

- "description": "[parameters('alertDescription')]",

- "severity": "[parameters('alertSeverity')]",

- "enabled": "[parameters('isEnabled')]",

- "scopes": ["[parameters('resourceId')]"],

- "evaluationFrequency":"[parameters('evaluationFrequency')]",

- "windowSize": "[parameters('windowSize')]",

- "criteria": {

- "allOf": [

- {

- "query": "[parameters('query')]",

- "metricMeasureColumn": "[parameters('metricMeasureColumn')]",

- "resourceIdColumn": "[parameters('resourceIdColumn')]",

- "dimensions":[],

- "operator": "[parameters('operator')]",

- "threshold" : "[parameters('threshold')]",

- "timeAggregation": "[parameters('timeAggregation')]",

- "failingPeriods": {

- "numberOfEvaluationPeriods": "[parameters('numberOfEvaluationPeriods')]",

- "minFailingPeriodsToAlert": "[parameters('minFailingPeriodsToAlert')]"

- }

- }

- ]

- },

- "muteActionsDuration": "[parameters('muteActionsDuration')]",

- "autoMitigate": "[parameters('autoMitigate')]",

- "checkWorkspaceAlertsStorageConfigured": "[parameters('checkWorkspaceAlertsStorageConfigured')]",

- "actions": {

- "actionGroups": "[parameters('actionGroupId')]",

- "customProperties": {

- "key1": "value1",

- "key2": "value2"

- }

- }

- ]

- "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",

- "contentVersion": "1.0.0.0",

- "parameters": {

- "alertName": {

- "value": "New Alert"

- },

- "location": {

- "value": "eastus"

- },

- "alertDescription": {

- "value": "New alert created via template"

- },

- "alertSeverity": {

- "value":3

- },

- "isEnabled": {

- "value": true

- },

- "resourceId": {

- "value": "/subscriptions/replace-with-subscription-id/resourceGroups/replace-with-resourceGroup-name/providers/Microsoft.Compute/virtualMachines/replace-with-resource-name"

- },

- "query": {

- "value": "Perf | where ObjectName == \"Processor\" and CounterName == \"% Processor Time\""

- },

- "metricMeasureColumn": {

- "value": "AggregatedValue"

- },

- "operator": {

- "value": "GreaterThan"

- },

- "threshold": {

- "value": "80"

- },

- "timeAggregation": {

- "value": "Average"

- },

- "actionGroupId": {

- "value": "/subscriptions/replace-with-subscription-id/resourceGroups/resource-group-name/providers/Microsoft.Insights/actionGroups/replace-with-action-group"

- }

- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

- "contentVersion": "1.0.0.0",

- "parameters": {

- "sourceId": {

- "type": "string",

- "defaultValue": "",

- "metadata": {

- "description": "Resource ID of the Log Analytics workspace."

- }

- },

- "location": {

- "type": "string",

- "defaultValue": "",

- "metadata": {

- "description": "Location for the alert. Must be the same location as the workspace."

- }

- },

- "actionGroupId": {

- "type": "string",

- "defaultValue": "",

- "metadata": {

- "description": "The ID of the action group that is triggered when the alert is activated."

- }

- }

- "resources":[

- {

- "type":"Microsoft.Insights/scheduledQueryRules",

- "name":"Sample log query alert",

- "apiVersion": "2018-04-16",

- "location": "[parameters('location')]",

- "properties":{

- "description": "Sample log query alert",

- "enabled": "true",

- "source": {

- "query": "Event | where EventLevelName == \"Error\" | summarize count() by Computer",

- "dataSourceId": "[parameters('sourceId')]",

- "queryType":"ResultCount"

- },

- "schedule":{

- "frequencyInMinutes": 15,

- "timeWindowInMinutes": 60

- },

- "action":{

- "odata.type": "Microsoft.WindowsAzure.Management.Monitoring.Alerts.Models.Microsoft.AppInsights.Nexus.DataContracts.Resources.ScheduledQueryRules.AlertingAction",

- "severity": "4",

- "aznsAction":{

- "actionGroup": "[array(parameters('actionGroupId'))]",

- "emailSubject": "Alert mail subject",

- "customWebhookPayload":"{ \"alertname\":\"#alertrulename\", \"IncludeSearchResults\":true }"

- },

- "trigger":{

- "thresholdOperator": "GreaterThan",

- "threshold": 1

- }

- }

- }

- ]

- "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",

- "sourceId": {

- "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/bw-samples-arm/providers/microsoft.operationalinsights/workspaces/bw-arm-01"

- },

- "location": {

- "value": "westus"

- },

- "actionGroupId": {

- "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/bw-samples-arm/providers/microsoft.insights/actionGroups/ARM samples group 01"

- }

- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

- "contentVersion": "1.0.0.0",

- "parameters": {

- "sourceId": {

- "type": "string",

- "defaultValue": "",

- "metadata": {

- "description": "Resource ID of the Log Analytics workspace."

- }

- },

- "location": {

- "type": "string",

- "defaultValue": "",

- "metadata": {

- "description": "Location for the alert. Must be the same location as the workspace."

- }

- },

- "actionGroupId": {

- "type": "string",

- "defaultValue": "",

- "metadata": {

- "description": "The ID of the action group that is triggered when the alert is activated."

- }

- }

- "resources":[

- {

- "type":"Microsoft.Insights/scheduledQueryRules",

- "name":"Sample metric measurement log query alert",

- "apiVersion": "2018-04-16",

- "location": "[parameters('location')]",

- "properties":{

- "description": "Sample metric measurement query alert rule",

- "enabled": "true",

- "source": {

- "query": "Event | where EventLevelName == \"Error\" | summarize AggregatedValue = count() by bin(TimeGenerated,1h), Computer",

- "dataSourceId": "[parameters('sourceId')]",

- "queryType":"ResultCount"

- },

- "schedule":{

- "frequencyInMinutes": 15,

- "timeWindowInMinutes": 60

- },

- "action":{

- "odata.type": "Microsoft.WindowsAzure.Management.Monitoring.Alerts.Models.Microsoft.AppInsights.Nexus.DataContracts.Resources.ScheduledQueryRules.AlertingAction",

- "severity": "4",

- "aznsAction":{

- "actionGroup": "[array(parameters('actionGroupId'))]",

- "emailSubject": "Alert mail subject"

- },

- "trigger":{

- "thresholdOperator": "GreaterThan",

- "threshold": 10,

- "metricTrigger":{

- "thresholdOperator": "Equal",

- "threshold": 1,

- "metricTriggerType": "Consecutive",

- "metricColumn": "Computer"

- }

- }

- }

- ]

- "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",

- "sourceId": {

- "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/bw-samples-arm/providers/microsoft.operationalinsights/workspaces/bw-arm-01"

- },

- "location": {

- "value": "westus"

- },

- "actionGroupId": {

- "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/bw-samples-arm/providers/microsoft.insights/actionGroups/ARM samples group 01"

- }

-* [Get other sample templates for Azure Monitor](../resource-manager-samples.md).

-* [Learn more about alert rules](./alerts-overview.md).

-<!-- This note duplicates information in pricing.md. Understanding workspace-based usage and costs has been added as a migration prerequisite.

-> [!NOTE]

-> Data ingestion and retention for workspace-based Application Insights resources are [billed through the Log Analytics workspace](../logs/manage-cost-storage.md) where the data is located. Pay-as-you-go data ingestion and data retention are billed similarly in Log Anaytics as they are in Application Insights. If youΓÇÖve selected data retention greater than 90 days on data ingested into the Classic Application Insights resource prior to migration, data retention will continue to be billed to through that Application Insights resource until that data exceeds the retention period. [Learn more]( ./pricing.md#workspace-based-application-insights) about billing for workspace-based Application Insights resources.

- > Diagnostics settings uses a different export format/schema than continuous export, migrating will break any existing integrations with Stream Analytics.

-> There are currently no additional charges for the telemetry export. Pricing information for this feature will be available on the [Azure Monitor pricing page](https://azure.microsoft.com/pricing/details/monitor/). Prior to the start of billing, notifications will be sent. Should you choose to continue using telemetry export after the notice period, you will be billed at the applicable rate.

-> Continuous export has been deprecated. When [migrating to a workspace-based Application Insights resource](convert-classic-resource.md), you must use [diagnostic settings](#diagnostic-settings-based-export) for exporting telemetry.

-> [!NOTE]

-> Continuous export is only supported for classic Application Insights resources. [Workspace-based Application Insights resources](./create-workspace-resource.md) must use [diagnostic settings](./create-workspace-resource.md#export-telemetry).

->

-Diagnostic settings based export uses a different schema than continuous export. It also supports features that continuous export doesn't like:

-* Azure storage accounts with virtual networks, firewalls, and private links.

-* Export to Event Hubs.

-See [Create diagnostic setting to collect resource logs and metrics in Azure](essentials/diagnostic-settings.md#create-in-azure-portal) to create a diagnostic setting for an Azure resource.

-See [Create at scale using Azure Policy](essentials/diagnostic-settings.md#create-at-scale-using-azure-policy) for a process for creating policy definitions for a particular Azure service and details for creating diagnostic settings at scale.

-# Create diagnostic settings to send Azure Monitor platform logs and metrics to different destinations

-## Create in Azure portal

-## Create using PowerShell

-## Create using Azure CLI

-Following is an example CLI command to create a diagnostic setting using all three destinations. The syntax is slightly difference depending on your client.

-# [CMD](#tab/CMD)

-# [PowerShell](#tab/PowerShell)

-# [Bash](#tab/Bash)

-## Create using Resource Manager template

-## Create using REST API

-## Create at scale using Azure Policy

-Since a diagnostic setting needs to be created for each Azure resource, Azure Policy can be used to automatically create a diagnostic setting as each resource is created. Each Azure resource type has a unique set of categories that need to be listed in the diagnostic setting. Because of this fact, each resource type requires a separate policy definition. Some resource types have built-in policy definitions that you can assign without modification. For other resource types, you need to create a custom definition.

-With the addition of resource log category groups, you can now choose options that dynamically update as the log categories change. For more information, see [diagnostic settings sources](#sources) listed earlier in this article. All resource types have the "All" category. Some have the "Audit" category.

-### Built-in policy definitions for Azure Monitor

-There are two built-in policy definitions for each resource type: one to send to a Log Analytics workspace and another to send to an event hub. If you need only one location, assign that policy for the resource type. If you need both, assign both policy definitions for the resource.

-For example, the following image shows the built-in diagnostic setting policy definitions for Azure Data Lake Analytics.

-

-### Custom policy definitions

-For resource types that don't have a built-in policy, you need to create a custom policy definition. You could do this manually in the Azure portal by copying an existing built-in policy and then modifying it for your resource type. It's more efficient, though, to create the policy programmatically by using a script in the PowerShell Gallery.

-The script [Create-AzDiagPolicy](https://www.powershellgallery.com/packages/Create-AzDiagPolicy) creates policy files for a particular resource type that you can install by using PowerShell or the Azure CLI. Use the following procedure to create a custom policy definition for diagnostic settings:

-1. Ensure that you have [Azure PowerShell](/powershell/azure/install-az-ps) installed.

-2. Install the script by using the following command:

-

- ```azurepowershell

- Install-Script -Name Create-AzDiagPolicy

- ```

-3. Run the script by using the parameters to specify where to send the logs. You'll be prompted to specify a subscription and resource type.

- For example, to create a policy definition that sends logs to a Log Analytics workspace and an event hub, use the following command:

- ```azurepowershell

- Create-AzDiagPolicy.ps1 -ExportLA -ExportEH -ExportDir ".\PolicyFiles"

- ```

- Alternatively, you can specify a subscription and resource type in the command. For example, to create a policy definition that sends logs to a Log Analytics workspace and an event hub for SQL Server databases, use the following command:

- ```azurepowershell

- Create-AzDiagPolicy.ps1 -SubscriptionID xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -ResourceType Microsoft.Sql/servers/databases -ExportLA -ExportEH -ExportDir ".\PolicyFiles"

- ```

-5. The script creates separate folders for each policy definition. Each folder contains three files named *azurepolicy.json*, *azurepolicy.rules.json*, and *azurepolicy.parameters.json*. If you want to create the policy manually in the Azure portal, you can copy and paste the contents of *azurepolicy.json* because it includes the entire policy definition. Use the other two files with PowerShell or the Azure CLI to create the policy definition from a command line.

- The following examples show how to install the policy definition from both PowerShell and the Azure CLI. Each example includes metadata to specify a category of **Monitoring** to group the new policy definition with the built-in policy definitions.

- ```azurepowershell

- New-AzPolicyDefinition -name "Deploy Diagnostic Settings for SQL Server database to Log Analytics workspace" -policy .\Apply-Diag-Settings-LA-Microsoft.Sql-servers-databases\azurepolicy.rules.json -parameter .\Apply-Diag-Settings-LA-Microsoft.Sql-servers-databases\azurepolicy.parameters.json -mode All -Metadata '{"category":"Monitoring"}'

- ```

- ```azurecli

- az policy definition create --name 'deploy-diag-setting-sql-database--workspace' --display-name 'Deploy Diagnostic Settings for SQL Server database to Log Analytics workspace' --rules 'Apply-Diag-Settings-LA-Microsoft.Sql-servers-databases\azurepolicy.rules.json' --params 'Apply-Diag-Settings-LA-Microsoft.Sql-servers-databases\azurepolicy.parameters.json' --subscription 'AzureMonitor_Docs' --mode All

- ```

-### Initiative

-Rather than create an assignment for each policy definition, a common strategy is to create an initiative that includes the policy definitions to create diagnostic settings for each Azure service. Create an assignment between the initiative and a management group, subscription, or resource group, depending on how you manage your environment. This strategy offers the following benefits:

-For details on creating an initiative, see [Create and assign an initiative definition](../../governance/policy/tutorials/create-and-manage.md#create-and-assign-an-initiative-definition). Consider the following recommendations:

-

-### Assignment

-Assign the initiative to an Azure management group, subscription, or resource group, depending on the scope of your resources to monitor. A [management group](../../governance/management-groups/overview.md) is useful for scoping policy, especially if your organization has multiple subscriptions.

-

-By using initiative parameters, you can specify the workspace or any other details once for all of the policy definitions in the initiative.

-

-### Remediation

-The initiative will apply to each virtual machine as it's created. A [remediation task](../../governance/policy/how-to/remediate-resources.md) deploys the policy definitions in the initiative to existing resources, so you can create diagnostic settings for any resources that were already created.

-When you create the assignment by using the Azure portal, you have the option of creating a remediation task at the same time. See [Remediate non-compliant resources with Azure Policy](../../governance/policy/how-to/remediate-resources.md) for details on the remediation.

-

-## Destinations

-You can send platform logs to one or more of the destinations in the following table depending on your monitoring requirements. Configure destinations for platform logs by [creating a Diagnostic setting](../essentials/diagnostic-settings.md).

-Azure resource logs are [platform logs](../essentials/platform-logs-overview.md) that provide insight into operations that were performed within an Azure resource. The content of resource logs varies by the Azure service and resource type. Resource logs are not collected by default. You must create a diagnostic setting for each Azure resource to send its resource logs to a Log Analytics workspace to use with [Azure Monitor Logs](../logs/data-platform-logs.md), Azure Event Hubs to forward outside of Azure, or to Azure Storage for archiving.

-See [Create diagnostic settings to send platform logs and metrics to different destinations](../essentials/diagnostic-settings.md) for details on creating a diagnostic setting and [Deploy Azure Monitor at scale using Azure Policy](../best-practices.md) for details on using Azure Policy to automatically create a diagnostic setting for each Azure resource you create.

-### Azure diagnostics mode

-In this mode, all data from any diagnostic setting will be collected in the [AzureDiagnostics](/azure/azure-monitor/reference/tables/azurediagnostics) table. This is the legacy method used today by most Azure services. Since multiple resource types send data to the same table, its schema is the superset of the schemas of all the different data types being collected. See [AzureDiagnostics reference](/azure/azure-monitor/reference/tables/azurediagnostics) for details on the structure of this table and how it works with this potentially large number of columns.

-Consider the following example where diagnostic settings are being collected in the same workspace for the following data types:

-The AzureDiagnostics table will look as follows:

-| ResourceProvider | Category | A | B | C | D | E | F | G | H | I |

-| -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- |

-| Microsoft.Service1 | AuditLogs | x1 | y1 | z1 | | | | | | |

-| Microsoft.Service1 | ErrorLogs | | | | q1 | w1 | e1 | | | |

-| Microsoft.Service2 | AuditLogs | | | | | | | j1 | k1 | l1 |

-| Microsoft.Service1 | ErrorLogs | | | | q2 | w2 | e2 | | | |

-| Microsoft.Service2 | AuditLogs | | | | | | | j3 | k3 | l3 |

-| Microsoft.Service1 | AuditLogs | x5 | y5 | z5 | | | | | | |

-| ... |

-Send resource logs to Azure storage to retain it for archiving. Once you have created the diagnostic setting, a storage container is created in the storage account as soon as an event occurs in one of the enabled log categories. The blobs within the container use the following naming convention:

-1. To save the dashboard as is, select **Done customizing** in the page header. Or, continue to Step 2 of the next section to add tiles and save your dashboard.

-1. To save your changes, select **Save** in the page header. You can also preview the changes without saving by selecting **Preview** in the page header. This preview mode also allows you to see how [filters](#set-and-override-dashboard-filters) affect your tiles. From the preview screen, you can select **Save** to keep the changes, **Discard** to remove them, or **Edit** to go back to the editing options and make further changes.

-1. Select **Customize tile data** from the context menu or from the  in the upper left corner of the tile.

-Bicep enables you to organize deployments into modules. A module is just a Bicep file that is deployed from another Bicep file. With modules, you improve the readability of your Bicep files by encapsulating complex details of your deployment. You can also easily reuse modules for different deployments.

-To share modules with other people in your organization, create a [template spec](../templates/template-specs.md), [public registry](https://github.com/Azure/bicep-registry-modules), or [private registry](private-module-registry.md). Template specs and modules in the registry are only available to users with the correct permissions.

-The path can be either a local file or a file in a registry. For more information, see [Path to module](#path-to-module).

-# Integrate Azure NetApp Files with Azure VMware Solution

-| SQL Server in Azure Virtual Machines/ SAP HANA in Azure Virtual Machines | None | All regions, except West US 3, West India, UAE North, Switzerland North, Switzerland West, Sweden Central, Sweden South, Australia Central, Australia Central 2, Brazil Southeast, Norway West, Germany Central, Germany North, Germany Northeast, South Africa North, South Africa West. |

-| Azure Virtual Machines | East US, East US 2, Central US, South Central US, West US, West US 2, West Central US, North Central US, Brazil South, Canada East, Canada Central, West Europe, UK South, UK West, East Asia, Japan East, South India, South East Asia, Australia East, Central India, North Europe, Australia South East, France Central, France South, Japan West, Korea Central, Korea South, UAE North, Germany West Central, Norway East. | Australia East, South Central US, West Central US, Southeast Asia, Central India. |

-# Call the detect API

-> For pronunciation assessment feature, the released en-US language is available in all [Speech-to-Text regions](regions.md#speech-to-text-pronunciation-assessment-text-to-speech-and-translation), and preview languages are available in one region: West US.

-> For pronunciation assessment feature, the released en-US language is available in all speech-to-text regions, and [preview languages](language-support.md#pronunciation-assessment) are available in one region: West US.

-# Quickstart: Deploy an AKS cluster with confidential computing nodes by using the Azure CLI

-> DCsv2/DCsv3 VMs use specialized hardware that's subject to higher pricing and region availability. For more information, see the [available SKUs and supported regions](virtual-machine-solutions-sgx.md). DCsv3 VM's are currently in preview in limited regions. Please refer to above mentioned page for details.

- By default, the quota for confidential computing per Azure subscription is eight VM cores. If you plan to provision a cluster that requires more than eight cores, follow [these instructions](../azure-portal/supportability/per-vm-quota-requests.md) to raise a quota-increase ticket.

-## Create an AKS cluster with enclave-aware confidential computing nodes and add-on

-Use the following instructions to create an AKS cluster with the confidential computing add-on enabled, add a node pool to the cluster, and verify what you created.

-First, create a resource group for the cluster by using the [az group create][az-group-create] command. The following example creates a resource group named *myResourceGroup* in the *westus2* region:

-az group create --name myResourceGroup --location westus2

-### Add a user node pool with confidential computing capabilities to the AKS cluster

-Run the following command to add a user node pool of `Standard_DC2s_v2` size with three nodes to the AKS cluster. You can choose another larger sized SKU from the [list of supported DCsv2/Dcsv3 SKUs and regions](../virtual-machines/dcv2-series.md).

-az aks nodepool add --cluster-name myAKSCluster --name confcompool1 --resource-group myResourceGroup --node-vm-size Standard_DC2s_v2

-After you run the command, a new node pool with DCsv2 should be visible with confidential computing add-on DaemonSets ([SGX device plug-in](confidential-nodes-aks-overview.md#confidential-computing-add-on-for-aks)).

-### Add a DCsv2/DCsv3 user node pool to the cluster

-> To use the confidential computing capability, your existing AKS cluster needs to have a minimum of one node pool that's based on a DCsv2/DCsv3 VM SKU. To learn more about DCs-v2 VMs SKUs for confidential computing, see the [available SKUs and supported regions](virtual-machine-solutions-sgx.md).

-az aks nodepool add --cluster-name myAKSCluster --name confcompool1 --resource-group myResourceGroup --node-count 1 --node-vm-size Standard_DC4s_v2

-[Azure confidential computing](overview.md) allows you to protect your sensitive data while it's in use. The underlying confidential computing infrastructure protects this data from other applications, administrators, and cloud providers with a hardware backed trusted execution container environments. Adding confidential computing nodes allow you to target container application to run in an isolated, hardware protected, integrity protected in an attestable environment.

-Azure Kubernetes Service (AKS) supports adding [DCsv2 confidential computing nodes](confidential-computing-enclaves.md) powered by Intel SGX. These nodes allow you to run sensitive workloads within a hardware-based trusted execution environment (TEE). TEEs allow user-level code from containers to allocate private regions of memory to execute the code with CPU directly. These private memory regions that execute directly with CPU are called enclaves. Enclaves help protect the data confidentiality, data integrity and code integrity from other processes running on the same nodes, as well as Azure operator. The Intel SGX execution model also removes the intermediate layers of Guest OS, Host OS and Hypervisor thus reducing the attack surface area. The *hardware based per container isolated execution* model in a node allows applications to directly execute with the CPU, while keeping the special block of memory encrypted per container. Confidential computing nodes with confidential containers are a great addition to your zero-trust security planning and defense-in-depth container strategy.

-The following quotas exist per subscription for Azure Container Apps Preview.

-| Environments per region | 2 |

-| Replicas per container app | 25 |

-| Cores per environment | 50 |

-| `concurrentRequests`| Once the number of requests exceeds this then another replica is added. Replicas will continue to be added up to the `maxReplicas` amount as the number of concurrent requests increase. | 100 | 1 | n/a |

-## Enable OCI support

-Set the following environment variable to enable OCI support in the Helm 3 client. Currently, this support is experimental and subject to change.

-```console

-export HELM_EXPERIMENTAL_OCI=1

-```

-# Using the graph bulk executor .NET library to perform bulk operations in Azure Cosmos DB Gremlin API

-This tutorial provides instructions about using Azure Cosmos DB's bulk executor .NET library to import and update graph objects into an Azure Cosmos DB Gremlin API container. This process makes use of the Graph class in the [bulk executor library](../bulk-executor-overview.md) to create Vertex and Edge objects programmatically to then insert multiple of them per network request. This behavior is configurable through the bulk executor library to make optimal use of both database and local memory resources.

-As opposed to sending Gremlin queries to a database, where the command is evaluated and then executed one at a time, using the bulk executor library will instead require to create and validate the objects locally. After creating the objects, the library allows you to send graph objects to the database service sequentially. Using this method, data ingestion speeds can be increased up to 100x, which makes it an ideal method for initial data migrations or periodical data movement operations. Learn more by visiting the GitHub page of the [Azure Cosmos DB Graph bulk executor sample application](https://github.com/Azure-Samples/azure-cosmosdb-graph-bulkexecutor-dotnet-getting-started).

-## Bulk operations with graph data

-The [bulk executor library](/dotnet/api/microsoft.azure.cosmosdb.bulkexecutor.graph) contains a `Microsoft.Azure.CosmosDB.BulkExecutor.Graph` namespace to provide functionality for creating and importing graph objects.

-The following process outlines how data migration can be used for a Gremlin API container:

-1. Retrieve records from the data source.

-2. Construct `GremlinVertex` and `GremlinEdge` objects from the obtained records and add them into an `IEnumerable` data structure. In this part of the application the logic to detect and add relationships should be implemented, in case the data source isn't a graph database.

-3. Use the [Graph BulkImportAsync method](/dotnet/api/microsoft.azure.cosmosdb.bulkexecutor.graph.graphbulkexecutor.bulkimportasync) to insert the graph objects into the collection.

-This mechanism will improve the data migration efficiency as compared to using a Gremlin client. This improvement is experienced because inserting data with Gremlin will require the application send a query at a time that will need to be validated, evaluated, and then executed to create the data. The bulk executor library will handle the validation in the application and send multiple graph objects at a time for each network request.

-### Creating Vertices and Edges

-`GraphBulkExecutor` provides the `BulkImportAsync` method that requires a `IEnumerable` list of `GremlinVertex` or `GremlinEdge` objects, both defined in the `Microsoft.Azure.CosmosDB.BulkExecutor.Graph.Element` namespace. In the sample, we separated the edges and vertices into two BulkExecutor import tasks. See the example below:

-```csharp

-IBulkExecutor graphbulkExecutor = new GraphBulkExecutor(documentClient, targetCollection);

-BulkImportResponse vResponse = null;

-BulkImportResponse eResponse = null;

-try

-{

- // Import a list of GremlinVertex objects

- vResponse = await graphbulkExecutor.BulkImportAsync(

- Utils.GenerateVertices(numberOfDocumentsToGenerate),

- enableUpsert: true,

- disableAutomaticIdGeneration: true,

- maxConcurrencyPerPartitionKeyRange: null,

- maxInMemorySortingBatchSize: null,

- cancellationToken: token);

- // Import a list of GremlinEdge objects

- eResponse = await graphbulkExecutor.BulkImportAsync(

- Utils.GenerateEdges(numberOfDocumentsToGenerate),

- enableUpsert: true,

- disableAutomaticIdGeneration: true,

- maxConcurrencyPerPartitionKeyRange: null,

- maxInMemorySortingBatchSize: null,

- cancellationToken: token);

-}

-catch (DocumentClientException de)

-{

- Trace.TraceError("Document client exception: {0}", de);

-}

-catch (Exception e)

-{

- Trace.TraceError("Exception: {0}", e);

-}

-```

-For more information about the parameters of the bulk executor library, see [BulkImportData to Azure Cosmos DB article](../bulk-executor-dot-net.md#bulk-import-data-to-an-azure-cosmos-account).

-The payload needs to be instantiated into `GremlinVertex` and `GremlinEdge` objects. Here's how these objects can be created:

-**Vertices**:

-```csharp

-// Creating a vertex

-GremlinVertex v = new GremlinVertex(

- "vertexId",

- "vertexLabel");

-// Adding custom properties to the vertex

-v.AddProperty("customProperty", "value");

-// Partitioning keys must be specified for all vertices

-v.AddProperty("partitioningKey", "value");

-**Edges**:

-```csharp

-// Creating an edge

-GremlinEdge e = new GremlinEdge(

- "edgeId",

- "edgeLabel",

- "targetVertexId",

- "sourceVertexId",

- "targetVertexLabel",

- "sourceVertexLabel",

- "targetVertexPartitioningKey",

- "sourceVertexPartitioningKey");

-// Adding custom properties to the edge

-e.AddProperty("customProperty", "value");

-> [!NOTE]

-> The bulk executor utility doesn't automatically check for existing Vertices before adding Edges. This needs to be validated in the application before running the BulkImport tasks.

-## Sample application

-### Prerequisites

-* Latest [!INCLUDE [cosmos-db-visual-studio](../includes/cosmos-db-visual-studio.md)]

-* An Azure subscription. You can create [a free Azure account here](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=cosmos-db). Alternatively, you can create a Cosmos database account with [Try Azure Cosmos DB for free](https://azure.microsoft.com/try/cosmosdb/) without an Azure subscription.

-* An Azure Cosmos DB Gremlin API database with an **unlimited collection**. This guide shows how to get started with [Azure Cosmos DB Gremlin API in .NET](./create-graph-dotnet.md).

-* Git. For more information check out the [Git Downloads page](https://git-scm.com/downloads).

-### Clone the sample application

-In this tutorial, we'll follow through the steps for getting started by using the [Azure Cosmos DB Graph bulk executor sample](https://github.com/Azure-Samples/azure-cosmosdb-graph-bulkexecutor-dotnet-getting-started) hosted on GitHub. This application consists of a .NET solution that randomly generates vertex and edge objects and then executes bulk insertions to the specified graph database account. To get the application, run the `git clone` command below:

-git clone https://github.com/Azure-Samples/azure-cosmosdb-graph-bulkexecutor-dotnet-getting-started.git

-This repository contains the GraphBulkExecutor sample with the following files:

-File|Description

-|

-`App.config`|This is where the application and database-specific parameters are specified. This file should be modified first to connect to the destination database and collections.

-`Program.cs`| This file contains the logic behind creating the `DocumentClient` collection, handling the cleanups and sending the bulk executor requests.

-`Util.cs`| This file contains a helper class that contains the logic behind generating test data, and checking if the database and collections exist.

-In the `App.config` file, the following are the configuration values that can be provided:

-Setting|Description

-|

-`EndPointUrl`|This is **your .NET SDK endpoint** found in the Overview page of your Azure Cosmos DB Gremlin API database account. This has the format of `https://your-graph-database-account.documents.azure.com:443/`

-`AuthorizationKey`|This is the Primary or Secondary key listed under your Azure Cosmos DB account. Learn more about [Securing Access to Azure Cosmos DB data](../secure-access-to-data.md#primary-keys)

-`DatabaseName`, `CollectionName`|These are the **target database and collection names**. When `ShouldCleanupOnStart` is set to `true` these values, along with `CollectionThroughput`, will be used to drop them and create a new database and collection. Similarly, if `ShouldCleanupOnFinish` is set to `true`, they'll be used to delete the database as soon as the ingestion is over. The target collection must be **an unlimited collection**.

-`CollectionThroughput`|This is used to create a new collection if the `ShouldCleanupOnStart` option is set to `true`.

-`ShouldCleanupOnStart`|This will drop the database account and collections before the program is run, and then create new ones with the `DatabaseName`, `CollectionName` and `CollectionThroughput` values.

-`ShouldCleanupOnFinish`|This will drop the database account and collections with the specified `DatabaseName` and `CollectionName` after the program is run.

-`NumberOfDocumentsToImport`|This will determine the number of test vertices and edges that will be generated in the sample. This number will apply to both vertices and edges.

-`NumberOfBatches`|This will determine the number of test vertices and edges that will be generated in the sample. This number will apply to both vertices and edges.

-`CollectionPartitionKey`|This will be used to create the test vertices and edges, where this property will be auto-assigned. This will also be used when re-creating the database and collections if the `ShouldCleanupOnStart` option is set to `true`.

-### Run the sample application

-1. Add your specific database configuration parameters in `App.config`. This will be used to create a DocumentClient instance. If the database and container haven't been created yet, they'll be created automatically.

-2. Run the application. This will call `BulkImportAsync` two times, one to import Vertices and one to import Edges. If any of the objects generates an error when they're inserted, they'll be added to either `.\BadVertices.txt` or `.\BadEdges.txt`.

-3. Evaluate the results by querying the graph database. If the `ShouldCleanupOnFinish` option is set to true, then the database will automatically be deleted.

-* To learn about NuGet package details and release notes of bulk executor .NET library, see [bulk executor SDK details](../sql-api-sdk-bulk-executor-dot-net.md).

-* Check out the [Performance Tips](../bulk-executor-dot-net.md#performance-tips) to further optimize the usage of bulk executor.

-* Review the [BulkExecutor.Graph Reference article](/dotnet/api/microsoft.azure.cosmosdb.bulkexecutor.graph) for more details about the classes and methods defined in this namespace.

-This connector is specialized for [Azure Database for MySQL service](../mysql/overview.md). To copy data from generic MySQL database located on-premises or in the cloud, use [MySQL connector](connector-mysql.md).

-Start by opening the [Azure Digital Twins Data Simulator](https://explorer.digitaltwins.azure.net/tools/data-pusher) web application in your browser.

-Enter the host name of your Azure Digital Twins instance in the Instance URL field. The host name can be found in the [portal](https://portal.azure.com) page for your instance, and has a format like `<Azure-Digital-Twins-instance-name>.api.<region-code>.digitaltwins.azure.net`. Select **Generate Environment**.

-You'll see confirmation messages on the screen as models, twins, and relationships are created in your environment. When the simulation is ready, the **Start simulation** button will become enabled. Select **Start simulation** to push simulated data to your Azure Digital Twins instance. To continuously update the twins in your Azure Digital Twins instance, keep this browser window in the foreground on your desktop (and complete other browser actions in a separate window).

-# Azure Digital Twins query language reference: MATCH clause (preview)

-This document contains reference information on the *MATCH clause* for the [Azure Digital Twins query language](concepts-query-language.md). This clause is currently in preview.

-Here's an example that combines relationship direction, relationship name, and number of hops The following query finds twins Floor and Room where the relationship between Floor and Room meets these conditions:

-* MATCH queries that traverse the same twin multiple times may unexpectedly remove this twin from results.

-Rule collection groups have a maximum size of 2 Mb. If you need more than 2 Mb, you can split the rules into multiple rule collection groups. A Firewall Policy can contain 50 rule collection groups.

- > [Authenticate using the Azure management libraries for Python](/azure/developer/python/azure-sdk-authenticate).

-description: Index of built-ins for Azure Policy. Categories Tags, Regulatory Compliance, Key Vault, Kubernetes, Guest Configuration, and more.

- > [Authenticate using the Azure management libraries for Python](/azure/developer/python/azure-sdk-authenticate).

-Getting an OOM error doesn't necessarily mean the container size is too small. Instead, you should configure the memory settings so that the heap size is increased and is at least 80% of the container memory size. For optimizing Hive queries, see [Optimize Apache Hive queries for Apache Hadoop in HDInsight](hdinsight-hadoop-optimize-hive-query.md).

-* If you need more help, you can submit a support request from the [Azure portal](https://portal.azure.com/?#blade/Microsoft_Azure_Support/HelpAndSupportBlade/). Select **Support** from the menu bar or open the **Help + support** hub. For more detailed information, review [How to create an Azure support request](../../azure-portal/supportability/how-to-create-azure-support-request.md). Access to Subscription Management and billing support is included with your Microsoft Azure subscription, and Technical Support is provided through one of the [Azure Support Plans](https://azure.microsoft.com/support/plans/).

-* [Azure Data Lake Storage Gen2 overview](./overview-data-lake-storage-gen2.md)

-Use the following request to retrieve the details of the devices in a job:

- "group": "833d7a7d-8f99-4e04-9e56-745806bdba6e",

- "group": "833d7a7d-8f99-4e04-9e56-745806bdba6e",

-Learn how to [deploy and monitor IoT Edge modules at scale by using the Azure portal](how-to-deploy-at-scale.md) or [the Azure CLI](how-to-deploy-cli-at-scale.md).

-| registrationId | The registration ID of an existing IoT Edge device | Registration ID for provisioning an IoT Edge device (**DpsSymmetricKey**). |

-_Note that the same exact set of compatibility properties cannot be re-used with a different Provider and Name combination._

- **Communicate expectations clearly in the Statement of Work (SOW) with suppliers.**

- - An SOW which lacks requirements for responsible data collection work may result in low-quality or poorly collected data.

-* Changed NVIDIA Drivers to version 495.29.05

-* Changed NVIDIA SMI to version 495.29.05

-A compute cluster with **No public IP** enabled has **no inbound communication requirements** from public internet. Specifically, neither inbound NSG rule (`BatchNodeManagement`, `AzureMachineLearning`) is required. You still need to allow inbound from source of **VirtualNetwork** and any port source, to destination of **VirtualNetwork**, and destination port of **29876, 29877**.

-* [Use a firewall](how-to-access-azureml-behind-firewall.md)

-|||

-||||

-|||||

-|||

-|||

-||||

-|||||

-|||

-|||

-||||

-|||||

-|||

-|||

-||||

-|||||

-|||

-|||

-|||

-|||

-|||

-||||

-|||||

-|||||

-|||

-|||

-|||

-|||

-|||

-|||

-| | |

-|||

-|||

-||||

-|||||

-|||

-|||

-||||

-|||||

-|||

-|||

-||||

-|||||

-|||

-||||

-|||

-|||

-|||

-|||

-|||

-|||

-|||

-|||

-||||

-||||

-||||

-|

-|||

-|

-|

-If you later decide to publish different changes between your plans, you can detach them. Detach the plan reusing the technical configuration by deselecting this option with your plan. Once detached, your plan will carry the same technical configuration settings at the place of your last setting and your plans may diverge in configuration. A plan that has been published independently in the past cannot reuse a technical configuration later.

-Add open public or private ports on a deployed virtual machine.

-Here is a list of properties that can be selected for your VM.

- - Virtual machines deployed with these images don't allow customers to access it using Remote Desktop or SSH. Learn more about [locked VM images](./azure-vm-certification-faq.yml#locked-down-or-ssh-disabled-offer).

- - Image does not support _sampleuser_ while deploying.

- - Image has limited access.

- - Image does not comply with the [Certification Test Tool](azure-vm-image-test.md#use-certification-test-tool-for-azure-certified).

- - Image requires setup during initial login which causes automation to not connect to the virtual machine.

- - Image does not support port 22.

-## Generations

-Generating a virtual machine defines the virtual hardware it uses. Based on your customerΓÇÖs needs, you can publish a Generation 1 VM, Generation 2 VM, or both.

-1. When creating a new offer, select a **Generation type** and enter the requested details:

- :::image type="content" source="./media/create-vm/azure-vm-generations-image-details-1.png" alt-text="A view of the Generation detail section in Partner Center.":::

-2. To add another generation to a plan, select **Add generation**...

- :::image type="content" source="./media/create-vm/azure-vm-generations-add.png" alt-text="A view of the 'Add Generation' link.":::

- ...and enter the requested details:

- :::image type="content" source="./media/create-vm/azure-vm-generations-image-details-3.png" alt-text="A view of the generation details window.":::

-<!-- The **Generation ID** you choose will be visible to customers in places such as product URLs and ARM templates (if applicable). Use only lowercase, alphanumeric characters, dashes, or underscores; it cannot be modified once published.

-3. To update an existing VM that has a Generation 1 already published, edit details on the **Technical configuration** page.

-To learn more about the differences between Generation 1 and Generation 2 capabilities, see [Support for generation 2 VMs on Azure](../virtual-machines/generation-2.md).

-> A published generation requires at least one image version to remain available for customers. To remove the entire plan (along with all its generations and images), select **Deprecate plan** on the **Plan Overview** page (see first section in this article).

-Provide a disk version and the shared access signature (SAS) URI for the virtual machine images. Add up to 16 data disks for each VM image. Provide only one new image version per plan in a specified submission. After an image has been published, you can't edit it, but you can delete it. Deleting a version prevents both new and existing users from deploying a new instance of the deleted version.

-These two required fields are shown in the prior image above:

-Data disks (select **Add data disk (maximum 16)**) are also VHD shared access signature URIs that are stored in their Azure storage accounts. Add only one image per submission in a plan.

-Regardless of which operating system you use, add only the minimum number of data disks that the solution requires. During deployment, customers can't remove disks that are part of an image, but they can always add disks during or after deployment.

-> If you provide your images using SAS and have data disks, you also need to provide them as SAS URI. If you are using a shared image, they are captured as part of your image in Azure Compute Gallery. Once your offer is published to Azure Marketplace, you can delete the image from your Azure storage or Azure Compute Gallery.

-Once your VM image has published, you can delete the image from your Azure storage.

-|||

-|||

-| | | |

-| | |

-| | |

-| | |

-| | |

-| | | |

-| | |

-| | |

-||||

-||||

-|||

-| | | |

-| | |

-| | |

-| | |

-| | |

-| | |

-| | |

-| | |

-| | |

-| | |

-| | |

-| | |

-| | |

-| | |

-| | |

-| | |

-| | |

-| | |

-| | |

-| | |

-| | | |

-| | |

-| | |

-| | |

-| | |

-| | | |

-| | |

-| | |

-| | |

-| | |

-| | | |

-||||||

-||||||

-|||||||

-|||

-|

-|||

-|

-|

-|||||

-||

-||

-||

-||

-||

-|

-|||

-|||

-|||

-|||

-||||

-|||

-|||

-|

-| Zimbabwe | ZW | USD | EUR, USD|

-| | | |

-|

-| | |

-| | |

-| | |

-|||

-|||

-|||

-| | | |

-| | | |

-| | | |

-| | | |

-|

-|

-|

-| | |

-| `subscriptionId` | The unique identifier of the purchased SaaS subscription. This ID is obtained after resolving the commercial marketplace authorization token by using the [Resolve API](#resolve-a-purchased-subscription).

- |

-|||

-|||

-|||

-| | |

-| | |

-||||

-|||

-|||

-|||||

-|

-|||||

-|

-|||

-|

-|

-|

-|

-|||

-2. Select **Publish** to submit the updated offer for publishing. Your offer will then go through the standard [validation and publishing steps](review-publish-offer.md#validation-and-publishing-steps).

-|||||

-|||

- West US 2

- West US 3

-| South India | :heavy_check_mark: | :x: | :heavy_check_mark: |

-| Switzerland North | :heavy_check_mark: | :heavy_check_mark: ** | :x: |

-| West US 2 | :heavy_check_mark: | :x: $ | :x: |

-To pick the shard key for a high-throughput transactional (HTAP) application,

-follow these guidelines:

-| Compute, vCores | 2, 4, 8 |

-* [Video: Demo of data owner access policies for Azure Storage](https://docs.microsoft.com/video/media/8ce7c554-0d48-430f-8f63-edf94946947c/purview-policy-storage-dataowner-scenario_mid.mp4)

-* [Demo of access policy for Azure Storage](/video/media/8ce7c554-0d48-430f-8f63-edf94946947c/purview-policy-storage-dataowner-scenario_mid.mp4)

-+ Remove non-essential words (stopwords) and punctuation

-description: Create an alias to define a secondary name that can be used to refer to an index for querying and indexing.

-In Azure Cognitive Search, an alias is a secondary name that can be used to refer to an index for querying, indexing, and other operations. You can create an alias that maps to a search index and substitute the alias name in places where you would otherwise reference an index name. This gives you added flexibility if you ever need to change which index your application is pointing to. Instead of updating the references to the index name in your application, you can just update the mapping for your alias.

-## Create an alias

-## Send requests

-> An update to an alias may take up to 10 seconds to propogate through the system so you should wait at least 10 seconds before deleting the index that the alias was previously mapped to.

-* Removing non-essential words (stopwords, such as "the" or "and" in English)

-All access attempts are monitored and can be displayed via a basic set of reports.

-When you're configuring an automation rule and adding a **run playbook** action, a drop-down list of playbooks will appear. Playbooks to which Microsoft Sentinel does not have permissions will show as unavailable ("grayed out"). You can grant Microsoft Sentinel permission to the playbooks' resource groups on the spot by selecting the **Manage playbook permissions** link.

- To enable the queries availiable as templates in the **Analytics** blade, go to the **Rule templates** tab, select the rule name in the templates gallery, and click **Create rule** in the details pane.

- To add queries that are not currently availiable as a rule template, see [create a custom analytics rule with a scheduled query](detect-threats-custom.md#create-a-custom-analytics-rule-with-a-scheduled-query).

- By default, a new LRS v1 type storage account will be created by Azure Site Recovery for the first enable replication operation in a vault. For the next operations, same cache storage account will be re-used.

- The policy will be created and can used for protecting the chosen source machines.

-**This article applies to:** ✔️ Basic/Standard tier ✔️ Enterprise tier

-description: Clients making requests against Azure Blob storage have the option to provide an encryption key on a per-request basis. Including the encryption key on the request provides granular control over encryption settings for Blob storage operations.

-Clients making requests against Azure Blob storage have the option to provide an AES-256 encryption key on a per-request basis. Including the encryption key on the request provides granular control over encryption settings for Blob storage operations. Customer-provided keys can be stored in Azure Key Vault or in another key store.

-Azure Storage does not store or manage the encryption key that the client sends with the request. The key is securely discarded as soon as the encryption or decryption process is complete.

-When a client creates or updates a blob using a customer-provided key on the request, then subsequent read and write requests for that blob must also provide the key. If the key is not provided on a request for a blob that has already been encrypted with a customer-provided key, then the request fails with error code 409 (Conflict).

-Each blob snapshot can have its own encryption key.

-To rotate an encryption key that was used to encrypt a blob, download the blob and then re-upload it with the new encryption key.

-This table shows how this feature is supported in your account and the impact on support when you enable certain capabilities.

-Lifecycle management policies are supported for block blobs and append blobs in general-purpose v2, premium block blob, and Blob Storage accounts. Lifecycle management does not affect system containers such as the *$logs* or *$web* containers.

-| `enabled` | Boolean | An optional boolean to allow a rule to be temporary disabled. Default value is true if it's not set. | False |

-| blobTypes | An array of predefined enum values. | The current release supports `blockBlob` and `appendBlob`. Only delete is supported for `appendBlob`, set tier is not supported. | Yes |

-¹ When applied to an account with a hierarchical namespace enabled, a delete action removes empty directories. If the directory is not empty, then the delete action removes objects that meet the policy conditions within the first 24-hour cycle. If that action results in an empty directory that also meets the policy conditions, then that directory will be removed within the next 24-hour cycle, and so on.

-When last access time tracking is enabled, the blob property called `LastAccessTime` is updated when a blob is read or written. A [Get Blob](/rest/api/storageservices/get-blob) operation is considered an access operation. [Get Blob Properties](/rest/api/storageservices/get-blob-properties), [Get Blob Metadata](/rest/api/storageservices/get-blob-metadata), and [Get Blob Tags](/rest/api/storageservices/get-blob-tags) are not access operations, and therefore don't update the last access time.

-To minimize the impact on read access latency, only the first read of the last 24 hours updates the last access time. Subsequent reads in the same 24-hour period do not update the last access time. If a blob is modified between reads, the last access time is the more recent of the two values.

-In the following example, blobs are moved to cool storage if they haven't been accessed for 30 days. The `enableAutoTierToHotFromCool` property is a Boolean value that indicates whether a blob should automatically be tiered from cool back to hot if it is accessed again after being tiered to cool.

-Some data stays idle in the cloud and is rarely, if ever, accessed. The following lifecycle policy is configured to archive data shortly after it is ingested. This example transitions block blobs in a container named `archivecontainer` into an archive tier. The transition is accomplished by acting on blobs 0 days after last modified time:

-Some data is expected to expire days or months after creation. You can configure a lifecycle management policy to expire data by deletion based on data age. The following example shows a policy that deletes all block blobs that have not been modified in the last 365 days.

-For data that is modified and accessed regularly throughout its lifetime, you can enable blob storage versioning to automatically maintain previous versions of an object. You can create a policy to tier or delete previous versions. The version age is determined by evaluating the version creation time. This policy rule tiers previous versions within container `activedata` that are 90 days or older after version creation to cool tier, and deletes previous versions that are 365 days or older.

-This table shows how this feature is supported in your account and the impact on support when you enable certain capabilities.

-Lifecycle management policies are free of charge. Customers are billed for standard operation costs for the [Set Blob Tier](/rest/api/storageservices/set-blob-tier) API calls. Delete operations are free.

-The updated policy takes up to 24 hours to go into effect. Once the policy is in effect, it could take up to 24 hours for the actions to run. Therefore, the policy actions may take up to 48 hours to complete. If the update is to disable or delete a rule, and enableAutoTierToHotFromCool was used, auto-tiering to Hot tier will still happen. For example, set a rule including enableAutoTierToHotFromCool based on last access. If the rule is disabled/deleted, and a blob is currently in cool and then accessed, it will move back to Hot as that is applied on access outside of lifecycle management. The blob will not then move from Hot to Cool given the lifecycle management rule is disabled/deleted. The only way to prevent autoTierToHotFromCool is to turn off last access time tracking.

-### The blob prefix match string did not apply the policy to the expected blobs

-Unfortunately, there is no way to track the time at which the policy will be executing, as it is a background scheduling process. However, the platform will run the policy once per day.

-## Prerequisites for object replication

-Enabling change feed and blob versioning may incur additional costs. For more details, refer to the [Azure Storage pricing page](https://azure.microsoft.com/pricing/details/storage/).

-Object replication is supported for general-purpose v2 storage accounts and premium block blob accounts. Both the source and destination accounts must be either general-purpose v2 or premium block blob accounts. Object replication supports block blobs only; append blobs and page blobs are not supported.

-Customer-managed failover is not supported for either the source or the destination account in an object replication policy.

-When a blob in the source account is deleted, the current version of the blob becomes a previous version, and there is no longer a current version. All existing previous versions of the blob are preserved. This state is replicated to the destination account. For more information about how delete operations affect blob versions, see [Versioning on delete operations](versioning-overview.md#versioning-on-delete-operations).

-Object replication does not support blob snapshots. Any snapshots on a blob in the source account are not replicated to the destination account.

-The source and destination containers must both exist before you can specify them in a rule. After you create the replication policy, write operations to the destination container are not permitted. Any attempts to write to the destination container fail with error code 409 (Conflict). To write to a destination container for which a replication rule is configured, you must either delete the rule that is configured for that container, or remove the replication policy. Read and delete operations to the destination container are permitted when the replication policy is active.

-| Full resource ID | Same-tenant policies can be created.<br /><br /> Cross-tenant policies can be created. | Same-tenant policies can be created.<br /><br /> Cross-tenant policies cannot be created. |

-| Account name only | Same-tenant policies can be created.<br /><br /> Cross-tenant policies can be created. | Neither same-tenant nor cross-tenant policies can be created. An error occurs, because Azure Storage cannot verify that source and destination accounts are in the same tenant. The error indicates that you must specify the full resource ID for the **sourceAccount** and **destinationAccount** entries in the policy definition file. |

-| When you are creating the policy definition file for this account... | Set the policy ID to this value | Set rule IDs to this value |

-An Azure Active Directory (Azure AD) tenant is a dedicated instance of Azure AD that represents an organization for the purpose of identity and access management. Each Azure subscription has a trust relationship with a single Azure AD tenant. All resources in a subscription, including storage accounts, are associated with the same Azure AD tenant. For more information, see [What is Azure Active Directory?](../../active-directory/fundamentals/active-directory-whatis.md)

-To disallow cross-tenant object replication for a storage account, set the **AllowCrossTenantReplication** property to *false*. If the storage account does not currently participate in any cross-tenant object replication policies, then setting the **AllowCrossTenantReplication** property to *false* prevents future configuration of cross-tenant object replication policies with this storage account as the source or destination.

-If the storage account currently does participates in one or more cross-tenant object replication policies, then setting the **AllowCrossTenantReplication** property to *false* is not permitted. You must delete the existing cross-tenant policies before you can disallow cross-tenant replication.

-By default, the **AllowCrossTenantReplication** property is not set for a storage account, and its value is *null*, which is equivalent to *true*. When the value of the **AllowCrossTenantReplication** property for a storage account is *null* or *true*, then authorized users can configure cross-tenant object replication policies with this account as the source or destination. For more information about how to configure cross-tenant policies, see [Configure object replication for block blobs](object-replication-configure.md).

-This table shows how this feature is supported in your account and the impact on support when you enable certain capabilities.

-1. Search for the **Deploy Microsoft Defender for Storage accounts** policy.

- :::image type="content" source="media/azure-defender-storage-configure/storage-atp-policy-definitions.png" alt-text="Apply policy to enable Microsoft Defender for Storage accounts":::

-1. Select an Azure subscription or resource group.

- :::image type="content" source="media/azure-defender-storage-configure/storage-atp-policy2.png" alt-text="Select subscription or resource group for scope of policy ":::

-1. Assign the policy.

- :::image type="content" source="media/azure-defender-storage-configure/storage-atp-policy1.png" alt-text="Assign policy to enable Microsoft Defender for Storage":::

-Azure Storage always stores multiple copies of your data so that it is protected from planned and unplanned events, including transient hardware failures, network or power outages, and massive natural disasters. Redundancy ensures that your storage account meets its availability and durability targets even in the face of failures.

-### Locally-redundant storage

-With ZRS, your data is still accessible for both read and write operations even if a zone becomes unavailable. If a zone becomes unavailable, Azure undertakes networking updates, such as DNS re-pointing. These updates may affect your application if you access data before the updates have completed. When designing applications for ZRS, follow practices for transient fault handling, including implementing retry policies with exponential back-off.

-Microsoft recommends using ZRS in the primary region for scenarios that require high availability. ZRS is also recommended for restricting replication of data to within a country or region to meet data governance requirements.

-The Archive tier for Blob Storage is not currently supported for ZRS accounts. Unmanaged disks don't support ZRS or GZRS.

-With GRS or GZRS, the data in the secondary region isn't available for read or write access unless there is a failover to the secondary region. For read access to the secondary region, configure your storage account to use read-access geo-redundant storage (RA-GRS) or read-access geo-zone-redundant storage (RA-GZRS). For more information, see [Read access to data in the secondary region](#read-access-to-data-in-the-secondary-region).

-Geo-redundant storage (with GRS or GZRS) replicates your data to another physical location in the secondary region to protect against regional outages. However, that data is available to be read only if the customer or Microsoft initiates a failover from the primary to secondary region. When you enable read access to the secondary region, your data is available to be read at all times, including in a situation where the primary region becomes unavailable. For read access to the secondary region, enable read-access geo-redundant storage (RA-GRS) or read-access geo-zone-redundant storage (RA-GZRS).

-Because data is replicated to the secondary region asynchronously, the secondary region is often behind the primary region. If a failure happens in the primary region, it's likely that all writes to the primary will not yet have been replicated to the secondary.

-To determine which write operations have been replicated to the secondary region, your application can check the **Last Sync Time** property for your storage account. All write operations written to the primary region prior to the last sync time have been successfully replicated to the secondary region, meaning that they are available to be read from the secondary. Any write operations written to the primary region after the last sync time may or may not have been replicated to the secondary region, meaning that they may not be available for read operations.

-| Blob storage <br/>Queue storage <br/>Table storage <br/>Azure Files^1,² <br/>Azure managed disks | Blob storage <br/>Queue storage <br/>Table storage <br/>Azure Files^1,² <br/>Azure managed disks³ | Blob storage <br/>Queue storage <br/>Table storage <br/>Azure Files¹ | Blob storage <br/>Queue storage <br/>Table storage <br/> | Blob storage <br/>Queue storage <br/>Table storage <br/>Azure Files¹ | Blob storage <br/>Queue storage <br/>Table storage <br/> |

-¹ Standard file shares are supported on LRS and ZRS. Standard file shares are supported on GRS and GZRS as long as they are less than or equal to five TiB in size.<br/>

-| **Recommended** | Standard general-purpose v2 (`StorageV2`)¹<br/><br/> Premium block blobs (`BlockBlobStorage`)¹<br/><br/> Premium file shares (`FileStorage`) | Standard general-purpose v2 (`StorageV2`)¹<br/><br/> Premium block blobs (`BlockBlobStorage`)¹<br/><br/> Premium file shares (`FileStorage`) | Standard general-purpose v2 (`StorageV2`)¹ | Standard general-purpose v2 (`StorageV2`)¹ |

-Azure Storage regularly verifies the integrity of data stored using cyclic redundancy checks (CRCs). If data corruption is detected, it is repaired using redundant data. Azure Storage also calculates checksums on all network traffic to detect corruption of data packets when storing or retrieving data.

-If the client authentication certificate is expired, perform the following steps to resolve the issue:

-1. Verify Azure File Sync agent version 4.0.1.0 or later is installed.

-2. Run the following PowerShell command on the server:

- ```powershell

- Reset-AzStorageSyncServerCertificate -ResourceGroupName <string> -StorageSyncServiceName <string>

- ```

-To resolve this issue, perform the following steps:

-1. Verify Azure File Sync agent version 4.0.1.0 or later is installed.

-2. Run the following PowerShell command on the server:

- ```powershell

- Reset-AzStorageSyncServerCertificate -ResourceGroupName <string> -StorageSyncServiceName <string>

- ```

-Make sure you have the latest Azure File Sync agent. As of agent V10, Azure File Sync supports moving the subscription to a different Azure Active Directory tenant.

-

-Once you have the latest agent version, you must give the Microsoft.StorageSync application access to the storage account (see [Ensure Azure File Sync has access to the storage account](#troubleshoot-rbac)).

-| 0x80c80261 | -2134375839 | ECS_E_GHOSTING_MIN_FILE_SIZE | The file failed to tier because the file size is less than the supported size. | If the agent version is less than 9.0, the minimum supported file size is 64 KiB. If agent version is 9.0 and newer, the minimum supported file size is based on the file system cluster size (double file system cluster size). For example, if the file system cluster size is 4 KiB, the minimum file size is 8 KiB. |

-1. Verify Azure File Sync agent version v5.1 or later is installed.

-2. Run the following PowerShell commands to list orphaned tiered files:

-3. Save the OrphanTieredFiles.txt output file in case files need to be restored from backup after they are deleted.

-1. Verify Azure File Sync agent version v5.1 or later is installed.

-2. Back up the Azure file share and server endpoint location.

-3. Remove the server endpoint in the sync group (if exists) by following the steps documented in [Remove a server endpoint](file-sync-server-endpoint-delete.md).

-4. Run the following PowerShell commands to list orphaned tiered files:

-5. Save the OrphanTieredFiles.txt output file in case files need to be restored from backup after they are deleted.

-6. Run the following PowerShell commands to delete orphaned tiered files:

-7. Optional: Recreate the server endpoint if deleted in step 3.

-To run AFSDiag, perform the steps below.

-For agent version v11 and later:

-For agent version v10 and earlier:

-1. Create a directory where the AFSDiag output will be saved (for example, C:\Output).

- > [!NOTE]

- >AFSDiag will delete all content in the output directory prior to collecting logs. Specify an output location which does not contain data.

-2. Open an elevated PowerShell window, and then run the following commands (press Enter after each command):

- ```powershell

- cd "c:\Program Files\Azure\StorageSyncAgent"

- Import-Module .\afsdiag.ps1

- Debug-Afs c:\output # Note: Use the path created in step 1.

- ```

-3. For the Azure File Sync kernel mode trace level, enter **1** (unless otherwise specified, to create more verbose traces), and then press Enter.

-4. For the Azure File Sync user mode trace level, enter **1** (unless otherwise specified, to create more verbose traces), and then press Enter.

-5. Reproduce the issue. When you're finished, enter **D**.

-6. A .zip file that contains logs and trace files is saved to the output directory that you specified.

-|BUILTIN\Administrators|All users who are domain administrators of the on-prem AD DS environment.

-|BUILTIN\Users|Built-in security group in AD. It includes NT AUTHORITY\Authenticated Users by default. For a traditional file server, you can configure the membership definition per server. For Azure Files, there isn't a hosting server, hence BUILTIN\Users includes the same set of users as NT AUTHORITY\Authenticated Users.|

-|NT AUTHORITY\SYSTEM|The service account of the operating system of the file server. Such service account doesn't apply in Azure Files context. It is included in the root directory to be consistent with Windows Files Server experience for hybrid scenarios.|

-|NT AUTHORITY\Authenticated Users|All users in AD that can get a valid Kerberos token.|

-|CREATOR OWNER|Each object either directory or file has an owner for that object. If there are ACLs assigned to "CREATOR OWNER" on that object, then the user that is the owner of this object has the permissions to the object defined by the ACL.|

-Finally, we can set up an alert. The first step is to enable logs via the [Diagnostic settings](../azure-monitor/essentials/diagnostic-settings.md?tabs=CMD#create-in-azure-portal) of the Automation Account. The second step is to capture errors via a query like we did for Functions.

-Partitioning lets you divide data into subsets based on a [partition key](../event-hubs/event-hubs-scalability.md#partitions). If your input (for example Event Hubs) is partitioned by a key, it is highly recommended to specify this partition key when adding input to your Stream Analytics job. Scaling a Stream Analytics job takes advantage of partitions in the input and output. A Stream Analytics job can consume and write different partitions in parallel, which increases throughput.

-All Azure Stream Analytics input can take advantage of partitioning:

-1. If your query logic depends on the same key being processed by the same query instance, you must make sure that the events go to the same partition of your input. For Event Hubs or IoT Hub, this means that the event data must have the **PartitionKey** value set. Alternatively, you can use partitioned senders. For blob storage, this means that the events are sent to the same partition folder. An example would be a query instance that aggregates data per userID where input event hub is partitioned using userID as partition key. However, if your query logic does not require the same key to be processed by the same query instance, you can ignore this requirement. An example of this logic would be a simple select-project-filter query.

-2. The next step is to make your query is partitioned. For jobs with compatibility level 1.2 or higher (recommended), custom column can be specified as Partition Key in the input settings and the job will be paralellized automatically. Jobs with compatibility level 1.0 or 1.1, requires you to use **PARTITION BY PartitionId** in all the steps of your query. Multiple steps are allowed, but they all must be partitioned by the same key.

-3. Most of the outputs supported in Stream Analytics can take advantage of partitioning. If you use an output type that doesn't support partitioning your job won't be *embarrassingly parallel*. For Event Hub outputs, ensure **Partition key column** is set to the same partition key used in the query. Refer to the [output section](#outputs) for more details.

- * 8 event hub input partitions and 8 event hub output partitions

- * 8 event hub input partitions and blob storage output

- * 8 event hub input partitions and blob storage output partitioned by a custom field with arbitrary cardinality

- * 8 blob storage input partitions and blob storage output

- * 8 blob storage input partitions and 8 event hub output partitions

-* Input: Event hub with 8 partitions

-* Output: Event hub with 8 partitions ("Partition key column" must be set to use "PartitionId")

-* Input: Event hub with 8 partitions

-This query has a grouping key. Therefore, the events grouped together must be sent to the same Event Hub partition. Since in this example we group by TollBoothID, we should be sure that TollBoothID is used as the partition key when the events are sent to Event Hub. Then in ASA, we can use **PARTITION BY PartitionId** to inherit from this partition scheme and enable full parallelization. Since the output is blob storage, we don't need to worry about configuring a partition key value, as per requirement #4.

-* Input: Event hub with 8 partitions

-If the input partition count doesn't match the output partition count, the topology isn't embarrassingly parallel irrespective of the query. However we can still get some level or parallelization.

-* Input: Event hub with 8 partitions

-Power BI output doesn't currently support partitioning. Therefore, this scenario is not embarrassingly parallel.

-* Input: Event hub with 8 partitions

-* Output: Event hub with 8 partitions

-As you can see, the second step uses **TollBoothId** as the partitioning key. This step is not the same as the first step, and it therefore requires us to do a shuffle.

-* Input: Event hub with 8 partitions

-* Output: Event hub with 8 partitions ("Partition key column" must be set to use "TollBoothId")

-Compatibility level 1.2 or above enables parallel query execution by default. For example, query from the previous section will be partitioned as long as "TollBoothId" column is set as input Partition Key. PARTITION BY PartitionId clause is not required.

-All non-partitioned steps together can scale up to six streaming units (SUs) for a Stream Analytics job. In addition to this, you can add 6 SUs for each partition in a partitioned step.

-| <ul><li>The query contains one step.</li><li>The step is not partitioned.</li></ul> | 6 |

-| <ul><li>The input data stream is partitioned by 3.</li><li>The query contains two steps. The input step is partitioned and the second step is not.</li><li>The <strong>SELECT</strong> statement reads from the partitioned input.</li></ul> | 24 (18 for partitioned steps + 6 for non-partitioned steps |

-When a query is partitioned, the input events are processed and aggregated in separate partition groups. Output events are also generated for each of the groups. Partitioning can cause some unexpected results when the **GROUP BY** field is not the partition key in the input data stream. For example, the **TollBoothId** field in the previous query is not the partition key of **Input1**. The result is that the data from TollBooth #1 can be spread in multiple partitions.

-An [embarrassingly parallel](#embarrassingly-parallel-jobs) job is necessary but not sufficient to sustain a higher throughput at scale. Every storage system and its corresponding Stream Analytics output has variations on how to achieve the best possible write throughput. As with any at-scale scenario, there are some challenges which can be solved by using the right configurations. This section discusses configurations for a few common outputs and provides samples for sustaining ingestion rates of 1K, 5K and 10K events per second.

-The following observations use a Stream Analytics job with stateless (passthrough) query, a basic JavaScript UDF which writes to Event Hub, Azure SQL DB, or Cosmos DB.

-#### Event Hub

-| 1K | 1 | 2 TU |

-| 5K | 6 | 6 TU |

-| 10K | 12 | 10 TU |

-The [Event Hub](https://github.com/Azure-Samples/streaming-at-scale/tree/main/eventhubs-streamanalytics-eventhubs) solution scales linearly in terms of streaming units (SU) and throughput, making it the most efficient and performant way to analyze and stream data out of Stream Analytics. Jobs can be scaled up to 192 SU, which roughly translates to processing up to 200 MB/s, or 19 trillion events per day.

-| 1K | 3 | S3 |

-| 5K | 18 | P4 |

-| 10K | 36 | P6 |

-| 1K | 3 | 20K RU |

-| 5K | 24 | 60K RU |

-| 10K | 48 | 120K RU |

-[Cosmos DB](https://github.com/Azure-Samples/streaming-at-scale/tree/main/eventhubs-streamanalytics-cosmosdb) output from Stream Analytics has been updated to use native integration under [compatibility level 1.2](./stream-analytics-documentdb-output.md#improved-throughput-with-compatibility-level-12). Compatibility level 1.2 enables significantly higher throughput and reduces RU consumption compared to 1.1, which is the default compatibility level for new jobs. The solution uses CosmosDB containers partitioned on /deviceId and the rest of solution is identically configured.

-All [Streaming at Scale Azure samples](https://github.com/Azure-Samples/streaming-at-scale) use an Event Hub as input that is fed by load simulating test clients. Each input event is a 1KB JSON document, which translates configured ingestion rates to throughput rates (1MB/s, 5MB/s and 10MB/s) easily. Events simulate an IoT device sending the following JSON data (in a shortened form) for up to 1K devices:

-Use the Metrics pane in your Azure Stream Analytics job to identify bottlenecks in your pipeline. Review **Input/Output Events** for throughput and ["Watermark Delay"](https://azure.microsoft.com/blog/new-metric-in-azure-stream-analytics-tracks-latency-of-your-streaming-pipeline/) or **Backlogged Events** to see if the job is keeping up with the input rate. For Event Hub metrics, look for **Throttled Requests** and adjust the Threshold Units accordingly. For Cosmos DB metrics, review **Max consumed RU/s per partition key range** under Throughput to ensure your partition key ranges are uniformly consumed. For Azure SQL DB, monitor **Log IO** and **CPU**.

-[stream.analytics.rest.api.reference]: /rest/api/streamanalytics/

-| Max number of Synapse workspaces per subscription | 20 |

-Once you know your account's location, you can use it in a cmdlet. For example, here's a cmdlet that creates a host pool in the "southeastasia" location:

-New-AzWvdHostPool -ResourceGroupName <resourcegroupname> -Name <hostpoolname> -WorkspaceName <workspacename> -Location ΓÇ£southeastasiaΓÇ¥

-|gcs.prod.monitoring.core.windows.net|443|Agent traffic (optional)|AzureCloud|

-|production.diagnostics.monitoring.core.windows.net|443|Agent traffic (optional)|AzureCloud|

-|*xt.blob.core.windows.net|443|Agent traffic (optional)|AzureCloud|

-|*eh.servicebus.windows.net|443|Agent traffic (optional)|AzureCloud|

-|*xt.table.core.windows.net|443|Agent traffic (optional)|AzureCloud|

-|*xt.queue.core.windows.net|443|Agent traffic (optional)|AzureCloud|

-A [Service Tag](https://docs.microsoft.com/azure/virtual-network/service-tags-overview) represents a group of IP address prefixes from a given Azure service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change, minimizing the complexity of frequent updates to network security rules. Service Tags can be used in both Network Security Group ([NSG](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview)) and [Azure Firewall](https://docs.microsoft.com/azure/firewall/service-tags) rules to restrict outbound network access. Service Tags can be also used in User Defined Route ([UDR](https://docs.microsoft.com/azure/virtual-network/virtual-networks-udr-overview#user-defined)) to customize traffic routing behavior.

->[!IMPORTANT]

-|Kms.core.usgovcloudapi.net|1688|Windows activation|Internet|

-|gcs.monitoring.core.usgovcloudapi.net|443|Agent traffic (optional)|AzureCloud|

-|monitoring.core.usgovcloudapi.net|443|Agent traffic (optional)|AzureCloud|

-|fairfax.warmpath.usgovcloudapi.net|443|Agent traffic (optional)|AzureCloud|

-|*xt.blob.core.usgovcloudapi.net|443|Agent traffic (optional)|AzureCloud|

-|*.servicebus.usgovcloudapi.net|443|Agent traffic (optional)|AzureCloud|

-|*xt.table.core.usgovcloudapi.net|443|Agent traffic (optional)|AzureCloud|

-> If your machine will include an antivirus app, it may cause issues when you start sysprep. To avoid this, disable all antivirus programs before running sysprep.

-"error": {

- "code": "ValidationFailed",

- "message": "Validation failed: 'ImageTemplate.properties.source': Field 'imageId' has a bad value: '/subscriptions/subscriptionID/resourceGroups/resourceGroupName/providers/Microsoft.Compute//images//imageName'. Please review http://aka.ms/azvmimagebuildertmplref for details on fields requirements in the Image Builder Template."

- "error": {

- "message": "Validation failed: 'ImageTemplate.properties.source': Field 'imageId' has a bad value: '/subscriptions/subscriptionID/resourceGroups/resourceGroupName/providers/Microsoft.Compute//images//imageName'. Please review http://aka.ms/azvmimagebuildertmplref for details on fields requirements in the Image Builder Template."

- }

-}

-Learn more about [Image Builder](image-builder-overview.md).

-For SAP ASCS / SCS cluster deploy two VMs in Azure availability set or Azure availability zones based on the type of your deployment. If you are using [Azure proximity placement groups (PPG)](./sap-proximity-placement-scenarios.md), make sure all virtual machines sharing a disk must be part of the same PPG. Once the VMs are deployed:

-> [Azure proximity placement group](../../windows/proximity-placement-groups.md) is not required for Azure shared disk. But if you are using PPG for SAP system, all virtual machines sharing a disk must be part of the same PPG.

-When you're using RADIUS authentication, there are multiple authentication options: username/password authentication, certificate authentication, and other authentication types. To configure a VPN client, you use client configuration files that contain the required settings. The VPN client configuration is different for each type of authentication.

-description: Create Windows, macOS, and Linux VPN client configuration files for connections that use RADIUS authentication.

-# Create and install VPN client configuration files for P2S RADIUS authentication

-To connect to a virtual network over point-to-site (P2S), you need to configure the client device that you'll connect from. You can create P2S VPN connections from Windows, macOS, and Linux client devices.

-When you're using RADIUS authentication, there are multiple authentication options: username/password authentication, certificate authentication, and other authentication types. The VPN client configuration is different for each type of authentication. To configure the VPN client, you use client configuration files that contain the required settings. This article helps you create and install the VPN client configuration for the RADIUS authentication type that you want to use.

->[!IMPORTANT]

->[!INCLUDE [TLS](../../includes/vpn-gateway-tls-change.md)]

->

-The configuration workflow for P2S RADIUS authentication is as follows:

-1. [Set up the Azure VPN gateway for P2S connectivity](point-to-site-how-to-radius-ps.md).

-2. [Set up your RADIUS server for authentication](point-to-site-how-to-radius-ps.md#radius). 

-3. **Obtain the VPN client configuration for the authentication option of your choice and use it to set up the VPN client** (this article).

-4. [Complete your P2S configuration and connect](point-to-site-how-to-radius-ps.md).

->[!IMPORTANT]

->If there are any changes to the point-to-site VPN configuration after you generate the VPN client configuration profile, such as the VPN protocol type or authentication type, you must generate and install a new VPN client configuration on your users' devices.

->

->

-To use the sections in this article, first decide which type of authentication you want to use: username/password, certificate, or other types of authentication. Each section has steps for Windows, macOS, and Linux (limited steps available at this time).

-## <a name="adeap"></a>Username/password authentication

-You can configure username/password authentication to either use Active Directory or not use Active Directory. With either scenario, make sure that all connecting users have username/password credentials that can be authenticated through RADIUS.

-When you configure username/password authentication, you can only create a configuration for the EAP-MSCHAPv2 username/password authentication protocol. In the commands, `-AuthenticationMethod` is `EapMSChapv2`.

-### <a name="usernamefiles"></a> 1. Generate VPN client configuration files

-You can generate the VPN client configuration files by using the Azure portal, or by using Azure PowerShell.

-#### Azure portal

-1. Navigate to the virtual network gateway.

-2. Click **Point-to-Site configuration**.

-3. Click **Download VPN client**.

-4. Select the client and fill out any information that is requested.

-5. Click **Download** to generate the .zip file.

-6. The .zip file will download, typically to your Downloads folder.

-#### Azure PowerShell

-Generate VPN client configuration files for use with username/password authentication. You can generate the VPN client configuration files by using the following command:

-```azurepowershell-interactive

-New-AzVpnClientConfiguration -ResourceGroupName "TestRG" -Name "VNet1GW" -AuthenticationMethod "EapMSChapv2"

-```

-

-Running the command returns a link. Copy and paste the link to a web browser to download **VpnClientConfiguration.zip**. Unzip the file to view the following folders: 

-

-* **WindowsAmd64** and **WindowsX86**: These folders contain the Windows 64-bit and 32-bit installer packages, respectively. 

-* **Generic**: This folder contains general information that you use to create your own VPN client configuration. You don't need this folder for username/password authentication configurations.

-* **Mac**: If you configured IKEv2 when you created the virtual network gateway, you see a folder named **Mac** that contains a **mobileconfig** file. You use this file to configure Mac clients.

-If you already created client configuration files, you can retrieve them by using the `Get-AzVpnClientConfiguration` cmdlet. But if you make any changes to your P2S VPN configuration, such as the VPN protocol type or authentication type, the configuration isn’t updated automatically. You must run the `New-AzVpnClientConfiguration` cmdlet to create a new configuration download.

-To retrieve previously generated client configuration files, use the following command:

-```azurepowershell-interactive

-Get-AzVpnClientConfiguration -ResourceGroupName "TestRG" -Name "VNet1GW"

-```

-### <a name="setupusername"></a> 2. Configure VPN clients

-You can configure the following VPN clients:

-* [Windows](#adwincli)

-* [Mac (macOS)](#admaccli)

-* [Linux using strongSwan](#adlinuxcli)

-

-#### <a name="adwincli"></a>Windows VPN client setup

-You can use the same VPN client configuration package on each Windows client computer, as long as the version matches the architecture for the client. For the list of client operating systems that are supported, see the [FAQ](vpn-gateway-vpn-faq.md#P2S).

-Use the following steps to configure the native Windows VPN client for certificate authentication:

-1. Select the VPN client configuration files that correspond to the architecture of the Windows computer. For a 64-bit processor architecture, choose the **VpnClientSetupAmd64** installer package. For a 32-bit processor architecture, choose the **VpnClientSetupX86** installer package.

-2. To install the package, double-click it. If you see a SmartScreen pop-up, select **More info** > **Run anyway**.

-3. On the client computer, browse to **Network Settings** and select **VPN**. The VPN connection shows the name of the virtual network that it connects to. 

-#### <a name="admaccli"></a>Mac (macOS) VPN client setup

-1. Select the **VpnClientSetup mobileconfig** file and send it to each of the users. You can use email or another method.

-2. Locate the **mobileconfig** file on the Mac.

- 

-3. Optional Step - If you want to specify a custom DNS, add the following lines to the **mobileconfig** file:

- ```xml

- <key>DNS</key>

- <dict>

- <key>ServerAddresses</key>

- <array>

- <string>10.0.0.132</string>

- </array>

- <key>SupplementalMatchDomains</key>

- <array>

- <string>TestDomain.com</string>

- </array>

- </dict>

- ```

-4. Double-click the profile to install it, and select **Continue**. The profile name is the same as the name of your virtual network.

- 

-5. Select **Continue** to trust the sender of the profile and proceed with the installation.

- 

-6. During profile installation, you have the option to specify the username and password for VPN authentication. It's not mandatory to enter this information. If you do, the information is saved and automatically used when you initiate a connection. Select **Install** to proceed.

- 

-7. Enter a username and password for the privileges that are required to install the profile on your computer. Select **OK**.

- 

-8. After the profile is installed, it's visible in the **Profiles** dialog box. You can also open this dialog box later from **System Preferences**.

- 

-9. To access the VPN connection, open the **Network** dialog box from **System Preferences**.

- 

-10. The VPN connection appears as **IkeV2-VPN**. You can change the name by updating the **mobileconfig** file.

- 

-11. Select **Authentication Settings**. Select **Username** in the list and enter your credentials. If you entered the credentials earlier, then **Username** is automatically chosen in the list and the username and password are pre-populated. Select **OK** to save the settings.

- 

-12. Back in the **Network** dialog box, select **Apply** to save the changes. To initiate the connection, select **Connect**.

-#### <a name="adlinuxcli"></a>Linux VPN client setup through strongSwan

-The following instructions were created through strongSwan 5.5.1 on Ubuntu 17.0.4. Actual screens might be different, depending on your version of Linux and strongSwan.

-1. Open the **Terminal** to install **strongSwan** and its Network Manager by running the command in the example. If you receive an error that's related to `libcharon-extra-plugins`, replace it with `strongswan-plugin-eap-mschapv2`.

- ```Terminal

- sudo apt-get install strongswan libcharon-extra-plugins moreutils iptables-persistent network-manager-strongswan

- ```

-2. Select the **Network Manager** icon (up-arrow/down-arrow), and select **Edit Connections**.

- 

-3. Select the **Add** button to create a new connection.

- 

-4. Select **IPsec/IKEv2 (strongswan)** from the drop-down menu, and then select **Create**. You can rename your connection in this step.

- 

-5. Open the **VpnSettings.xml** file from the **Generic** folder of the downloaded client configuration files. Find the tag called `VpnServer` and copy the name, beginning with `azuregateway` and ending with `.cloudapp.net`.

- 

-6. Paste this name into the **Address** field of your new VPN connection in the **Gateway** section. Next, select the folder icon at the end of the **Certificate** field, browse to the **Generic** folder, and select the **VpnServerRoot** file.

-7. In the **Client** section of the connection, select **EAP** for **Authentication**, and enter your username and password. You might have to select the lock icon on the right to save this information. Then, select **Save**.

- 

-8. Select the **Network Manager** icon (up-arrow/down-arrow) and hover over **VPN Connections**. You see the VPN connection that you created. To initiate the connection, select it.

- 

-## <a name="certeap"></a>Certificate authentication

-

-You can create VPN client configuration files for RADIUS certificate authentication that uses the EAP-TLS protocol. Typically, an enterprise-issued certificate is used to authenticate a user for VPN. Make sure that all connecting users have a certificate installed on their devices, and that your RADIUS server can validate the certificate.

->[!NOTE]

->[!INCLUDE [TLS](../../includes/vpn-gateway-tls-change.md)]

->

-In the commands, `-AuthenticationMethod` is `EapTls`. During certificate authentication, the client validates the RADIUS server by validating its certificate. `-RadiusRootCert` is the .cer file that contains the root certificate that's used to validate the RADIUS server.

-Each VPN client device requires an installed client certificate. Sometimes a Windows device has multiple client certificates. During authentication, this can result in a pop-up dialog box that lists all the certificates. The user must then choose the certificate to use. The correct certificate can be filtered out by specifying the root certificate that the client certificate should chain to.

-`-ClientRootCert` is the .cer file that contains the root certificate. It's an optional parameter. If the device that you want to connect from has only one client certificate, you don't have to specify this parameter.

-### <a name="certfiles"></a>1. Generate VPN client configuration files

-Generate VPN client configuration files for use with certificate authentication. You can generate the VPN client configuration files by using the following command:

-

-```azurepowershell-interactive

-New-AzVpnClientConfiguration -ResourceGroupName "TestRG" -Name "VNet1GW" -AuthenticationMethod "EapTls" -RadiusRootCert <full path name of .cer file containing the RADIUS root> -ClientRootCert <full path name of .cer file containing the client root> | fl

-```

-Running the command returns a link. Copy and paste the link to a web browser to download VpnClientConfiguration.zip. Unzip the file to view the following folders:

-* **WindowsAmd64** and **WindowsX86**: These folders contain the Windows 64-bit and 32-bit installer packages, respectively. 

-* **GenericDevice**: This folder contains general information that's used to create your own VPN client configuration.

-If you already created client configuration files, you can retrieve them by using the `Get-AzVpnClientConfiguration` cmdlet. But if you make any changes to your P2S VPN configuration, such as the VPN protocol type or authentication type, the configuration isn’t updated automatically. You must run the `New-AzVpnClientConfiguration` cmdlet to create a new configuration download.

-To retrieve previously generated client configuration files, use the following command:

-```azurepowershell-interactive

-Get-AzVpnClientConfiguration -ResourceGroupName "TestRG" -Name "VNet1GW" | fl

-```

-

-### <a name="setupusername"></a> 2. Configure VPN clients

-You can configure the following VPN clients:

-* [Windows](#certwincli)

-* [Mac (macOS)](#certmaccli)

-* Linux (supported, no article steps yet)

-#### <a name="certwincli"></a>Windows VPN client setup

-1. Select a configuration package and install it on the client device. For a 64-bit processor architecture, choose the **VpnClientSetupAmd64** installer package. For a 32-bit processor architecture, choose the **VpnClientSetupX86** installer package. If you see a SmartScreen pop-up, select **More info** > **Run anyway**. You can also save the package to install on other client computers.

-2. Each client requires a client certificate for authentication. Install the client certificate. For information about client certificates, see [Client certificates for point-to-site](vpn-gateway-certificates-point-to-site.md). To install a certificate that was generated, see [Install a certificate on Windows clients](point-to-site-how-to-vpn-client-install-azure-cert.md).

-3. On the client computer, browse to **Network Settings** and select **VPN**. The VPN connection shows the name of the virtual network that it connects to.

-#### <a name="certmaccli"></a>Mac (macOS) VPN client setup

-You must create a separate profile for every Mac device that connects to the Azure virtual network. This is because these devices require the user certificate for authentication to be specified in the profile. The **Generic** folder has all the information that's required to create a profile:

-* **VpnSettings.xml** contains important settings such as server address and tunnel type.

-* **VpnServerRoot.cer** contains the root certificate that's required to validate the VPN gateway during P2S connection setup.

-* **RadiusServerRoot.cer** contains the root certificate that's required to validate the RADIUS server during authentication.

-Use the following steps to configure the native VPN client on a Mac for certificate authentication:

-1. Import the **VpnServerRoot** and **RadiusServerRoot** root certificates to your Mac. Copy each file to your Mac, double-click it, and then select **Add**.

- 

- 

-2. Each client requires a client certificate for authentication. Install the client certificate on the client device.

-3. Open the **Network** dialog box under **Network Preferences**. Select **+** to create a new VPN client connection profile for a P2S connection to the Azure virtual network.

- The **Interface** value is **VPN**, and the **VPN Type** value is **IKEv2**. Specify a name for the profile in the **Service Name** box, and then select **Create** to create the VPN client connection profile.

- 

-4. In the **Generic** folder, from the **VpnSettings.xml** file, copy the **VpnServer** tag value. Paste this value in the **Server Address** and **Remote ID** boxes of the profile. Leave the **Local ID** box blank.

- 

-5. Select **Authentication Settings**, and select **Certificate**. 

- 

-6. Click **Select** to choose the certificate that you want to use for authentication.

- 

-7. **Choose An Identity** displays a list of certificates for you to choose from. Select the proper certificate, and then select **Continue**.

- 

-8. In the **Local ID** box, specify the name of the certificate (from Step 6). In this example, it's **ikev2Client.com**. Then, select the **Apply** button to save the changes.

- 

-9. In the **Network** dialog box, select **Apply** to save all changes. Then, select **Connect** to start the P2S connection to the Azure virtual network.

-## <a name="otherauth"></a>Working with other authentication types or protocols

-To use a different authentication type (for example, OTP), or to use a different authentication protocol (such as PEAP-MSCHAPv2 instead of EAP-MSCHAPv2), you must create your own VPN client configuration profile. To create the profile, you need information such as the virtual network gateway IP address, tunnel type, and split-tunnel routes. You can get this information by using the following steps:

-1. Use the `Get-AzVpnClientConfiguration` cmdlet to generate the VPN client configuration for EapMSChapv2.

-2. Unzip the VpnClientConfiguration.zip file and look for the **GenericDevice** folder. Ignore the folders that contain the Windows installers for 64-bit and 32-bit architectures.

-

-3. The **GenericDevice** folder contains an XML file called **VpnSettings**. This file contains all the required information:

- * **VpnServer**: FQDN of the Azure VPN gateway. This is the address that the client connects to.

- * **VpnType**: Tunnel type that you use to connect.

- * **Routes**: Routes that you have to configure in your profile so that only traffic that's bound for the Azure virtual network is sent over the P2S tunnel.

-

- The **GenericDevice** folder also contains a .cer file called **VpnServerRoot**. This file contains the root certificate that's required to validate the Azure VPN gateway during P2S connection setup. Install the certificate on all devices that will connect to the Azure virtual network.

-## Next steps

-Return to the article to [complete your P2S configuration](point-to-site-how-to-radius-ps.md).

-For P2S troubleshooting information, see [Troubleshooting Azure point-to-site connections](vpn-gateway-troubleshoot-vpn-point-to-site-connection-problems.md).

-[FrontdoorAccessLog](../../frontdoor/front-door-diagnostics.md) logs all requests. FrontdoorWebApplicationFirewallLog logs any request that matches a WAF rule having the below schema: