+| **ChromeOS** | ![Chrome supports USB on ChromeOS for Azure AD accounts.][y]* | ![Chrome supports NFC on ChromeOS for Azure AD accounts.][n] | ![Chrome supports BLE on ChromeOS for Azure AD accounts.][n] | ![Edge supports USB on ChromeOS for Azure AD accounts.][n] | ![Edge supports NFC on ChromeOS for Azure AD accounts.][n] | ![Edge supports BLE on ChromeOS for Azure AD accounts.][n] | ![Firefox supports USB on ChromeOS for Azure AD accounts.][n] | ![Firefox supports NFC on ChromeOS for Azure AD accounts.][n] | ![Firefox supports BLE on ChromeOS for Azure AD accounts.][n] | ![Safari supports USB on ChromeOS for Azure AD accounts.][n] | ![Safari supports NFC on ChromeOS for Azure AD accounts.][n] | ![Safari supports BLE on ChromeOS for Azure AD accounts.][n] |

+*Key Registration is currently not supported with ChromeOS/Chrome Browser.

+ Title: Terms of use in Azure Active Directory

+- Azure AD Premium P1, P2, EMS E3, or EMS E5 licenses.

+1. Sign in to the **Azure portal** as a global administrator, security administrator, or Conditional Access administrator.

+1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Terms of use**.

+1. Select, **New terms**.

+

+1. In the **Display name** box, enter a title that users see when they sign in.

+ It's possible to use the **Expire consents** and **Duration before re-acceptance required (days)** settings together, but typically you use one or the other.

+ > [!IMPORTANT]

+ > Conditional Access policy controls (including terms of use policies) do not support enforcement on service accounts. We recommend excluding all service accounts from the Conditional Access policy.

+1. Select **Create**.

+1. For a terms of use policy, select the numbers under **Accepted** or **Declined** to view the current state for users.

+1. To view the history for an individual user, select the ellipsis (**...**) and then **View History**.

+1. Sign in to the **Azure portal** as a global administrator, security administrator, or Conditional Access administrator.

+1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Terms of use**.

+1. Select **View audit logs**.

+ You can also select **Download** to download the information in a .csv file for use locally.

+ If you select a log, a pane appears with more activity details.

+1. Sign in to the **Azure portal** as a global administrator, security administrator, or Conditional Access administrator.

+1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Terms of use**.

+1. Select **Edit terms**.

+1. In the Edit terms of use pane, you can change the following options:

+ - **Name** ΓÇô the internal name of the ToU that isn't shared with end users

+ - **Display name** ΓÇô the name that end users can see when viewing the ToU

+ - **Require users to expand the terms of use** ΓÇô Setting this option to **On** will force the end user to expand the terms of use policy document before accepting it.

+1. Once you're done, select **Save** to save your changes.

+1. Sign in to the **Azure portal** as a global administrator, security administrator, or Conditional Access administrator.

+1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Terms of use**.

+1. Select the terms of use policy you want to edit.

+1. Select **Edit terms**.

+1. For the language that you would like to update a new version, select **Update** under the action column

+1. In the pane on the right, upload the pdf for the new version

+1. There's also a toggle option here **Require reaccept** if you want to require your users to accept this new version the next time they sign in. If you require your users to reaccept, next time they try to access the resource defined in your conditional access policy they'll be prompted to accept this new version. If you donΓÇÖt require your users to reaccept, their previous consent will stay current and only new users who haven't consented before or whose consent expires will see the new version. Until the session expires, **Require reaccept** not require users to accept the new TOU. If you want to ensure reaccept, delete and recreate or create a new TOU for this case.

+1. Once you've uploaded your new pdf and decided on reaccept, select Add at the bottom of the pane.

+1. You'll now see the most recent version under the Document column.

+1. Sign in to the **Azure portal** as a global administrator, security administrator, or Conditional Access administrator.

+1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Terms of use**.

+1. Select the terms of use policy for which you want to view a version history.

+1. Select **Languages and version history**

+1. Select **See previous versions.**

+1. You can select the name of the document to download that version

+1. Sign in to the **Azure portal** as a global administrator, security administrator, or Conditional Access administrator.

+1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Terms of use**.

+1. To see who has currently accepted the ToU, select the number under the **Accepted** column for the ToU you want.

+1. By default, the next page will show you the current state of each user's acceptance to the ToU

+1. If you would like to see the previous consent events, you can select **All** from the **Current State** drop-down. Now you can see each users events in details about each version and what happened.

+1. Alternatively, you can select a specific version from the **Version** drop-down to see who has accepted that specific version.

+1. Sign in to the **Azure portal** as a global administrator, security administrator, or Conditional Access administrator.

+1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Terms of use**.

+1. Select **Edit Terms**

+1. Select **Add language** at the bottom of the page.

+1. Select **Add language**.

+1. Select **Save**

+1. Select **Add** to add the language.

+1. Sign in to the **Azure portal** as a global administrator, security administrator, or Conditional Access administrator.

+1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Terms of use**.

+1. Select **Delete terms**.

+1. In the message that appears asking if you want to continue, select **Yes**.

+A: On the Terms of use blade, select the number under **Accepted**. You can also view or search the accept activity in the Azure AD audit logs. For more information, see View report of who has accepted and declined and [View Azure AD audit logs](#view-azure-ad-audit-logs).

+A: Yes, end users are able to select hyperlinks to other pages but links to sections within the document aren't supported. Also, hyperlinks in terms of use policy PDFs don't work when accessed from the Azure AD MyApps/MyAccount portal.

+A: Terms of use utilize the following endpoints for authentication: https://tokenprovider.termsofuse.identitygovernance.azure.com and https://account.activedirectory.windowsazure.com. If your organization has an allowlist of URLs for enrollment, you'll need to add these endpoints to your allowlist, along with the Azure AD endpoints for sign-in.

+> [!div renderon="portal" id="display-on-portal" class="sxs-lookup"]

+> <button id="makechanges" class="nextstepaction configure-app-button"> Make these changes for me </button>

+>

+> > [!div class="nextstepaction"]

+> > <button id="downloadsample" class="download-sample-button">Download the code sample</button>

+> > [Tutorial: Sign in users and call the Microsoft Graph from an Android application](tutorial-v2-android.md)

+> [!div renderon="portal" id="display-on-portal" class="sxs-lookup"]

+> <button id="makechanges" class="nextstepaction configure-app-button"> Make these changes for me </button>

+> > [!div class="nextstepaction"]

+> > <button id="downloadsample_ios" class="download-sample-button">Download the code sample for iOS</button>

+>

+> > [!div class="nextstepaction"]

+> > <button id="downloadsample_macos" class="download-sample-button">Download the code sample for macOS</button>

+> > [Tutorial: Sign in users and call Microsoft Graph from an iOS or macOS app](tutorial-v2-ios.md)

+Refresh tokens have a longer lifetime than access tokens. The default lifetime for the refresh tokens is 24 hours for [single page apps](reference-third-party-cookies-spas.md) and 90 days for all other scenarios. Refresh tokens replace themselves with a fresh token upon every use. The Microsoft identity platform doesn't revoke old refresh tokens when used to fetch new access tokens. Securely delete the old refresh token after acquiring a new one. Refresh tokens need to be stored safely like access tokens or application credentials.

+>[!IMPORTANT]

+> Refresh tokens sent to a redirect URI registered as `spa` expire after 24 hours. Additional refresh tokens acquired using the initial refresh token carry over that expiration time, so apps must be prepared to rerun the authorization code flow using an interactive authentication to get a new refresh token every 24 hours. Users do not have to enter their credentials and usually don't even see any related user experience, just a reload of your application. The browser must visit the log-in page in a top-level frame to show the login session. This is due to [privacy features in browsers that block third party cookies](reference-third-party-cookies-spas.md).

+POST https://graph.windows.net/{tenant-id}/domains/foo.contoso.com/promote

+- [ForceDelete a custom domain name with Microsoft Graph API](/graph/api/domain-forcedelete)

+# Tutorial: Configure Secure Hybrid Access with Azure Active Directory and Silverfort

+[Silverfort](https://www.silverfort.com/) uses innovative agent-less and proxy-less technology to connect all your assets on-premises and in the cloud to Azure AD. This solution enables organizations to apply identity protection, visibility, and user experience across all environments in Azure AD. It enables universal risk-based monitoring and assessment of authentication activity for on-premises and cloud environments, and proactively prevents threats.

+In this tutorial, learn how to integrate your existing on premises Silverfort implementation with Azure Active Directory (Azure AD) for [hybrid access](../devices/concept-azure-ad-join-hybrid.md).

+Silverfort seamlessly connects assets with Azure AD. These **bridged** assets appear as regular applications in Azure AD and can be protected with Conditional Access, single-sign-on (SSO), multifactor authentication, auditing and more. Use Silverfort to connect assets including:

+Silverfort integrates your corporate assets and third-party Identity and Access Management (IAM) platforms. This includes Active Directory, Active Directory Federation Services (ADFS), and Remote Authentication Dial-In User Service (RADIUS) on Azure AD, including hybrid and multi-cloud environments.

+Follow the steps in this tutorial to configure and test the Silverfort Azure AD bridge in your Azure AD tenant to communicate with your existing Silverfort implementation. Once configured, you can create Silverfort authentication policies that bridge authentication requests from various identity sources to Azure AD for SSO. After an application is bridged, it can be managed in Azure AD.

+## Silverfort with Azure AD Authentication Architecture

+The following diagram describes the authentication architecture orchestrated by Silverfort in a hybrid environment.

+You must already have Silverfort deployed in your tenant or infrastructure in order to perform this tutorial. To deploy Silverfort in your tenant or infrastructure, [contact Silverfort](https://www.silverfort.com/). You will need to install Silverfort Desktop app on relevant workstations.

+This tutorial requires you to set up Silverfort Azure AD Adapter in your Azure AD tenant. You'll need:

+- The Silverfort Azure AD Adapter application in the Azure AD gallery is pre-configured to support SSO. You'll need to add Silverfort Azure AD Adapter to your tenant as an Enterprise application from the gallery.

+2. In the main menu, navigate to **Settings** and then scroll to

+5. In the Silverfort admin console, navigate to the **Policies** page and select **Create Policy**.

+6. The **New Policy** dialog will appear. Enter a **Policy Name** that would indicate the application name that will be created in Azure. For example, if you're adding multiple servers or applications under this policy, name it to reflect the resources covered by the policy. In the example, we'll create a policy for the *SL-APP1* server.

+14. Return to the Azure AD console, and navigate to **Enterprise applications**. The new Silverfort application should now appear. This application can now be included in [Conditional Access policies](../authentication/tutorial-enable-azure-mfa.md?bc=/azure/active-directory/conditional-access/breadcrumb/toc.json&toc=/azure/active-directory/conditional-access/toc.json%23create-a-conditional-access-policy).

+- [Contact Silverfort](https://www.silverfort.com/company/contact/)

+ms.tool: azure-cli, azure-powershell

+ms.tool: azure-cli, azure-powershell

+| Alert | Severity | Trigger | Recommendation |

+| | | | |

+| **Too many owners assigned to a resource** |Medium |Too many users have the owner role. |Review the users in the list and reassign some to less privileged roles. |

+| **Too many permanent owners assigned to a resource** |Medium |Too many users are permanently assigned to a role. |Review the users in the list and re-assign some to require activation for role use. |

+| **Duplicate role created** |Medium |Multiple roles have the same criteria. |Use only one of these roles. |

+The usage and insights report shows the list of applications with one or more sign-in attempts, and allows you to sort by the number of successful sign-ins, failed sign-ins, and the success rate. The sign-in graph per application only counts interactive user sign-ins.

+ Title: 'Tutorial: Azure AD SSO integration with Timeclock 365 SAML'

+# Tutorial: Azure AD SSO integration with Timeclock 365 SAML

+* Timeclock 365 SAML supports [Automated user provisioning](timeclock-365-saml-provisioning-tutorial.md).

+> Timeclock 365 SAML also supports automatic user provisioning, you can find more details [here](./timeclock-365-saml-provisioning-tutorial.md) on how to configure automatic user provisioning.

+ Title: 'Tutorial: Configure Whimsical for automatic user provisioning with Azure Active Directory | Microsoft Docs'

+description: Learn how to automatically provision and de-provision user accounts from Azure AD to Whimsical.

+writer: twimmers

+ms.assetid: 4457a724-ed81-4f7b-bb3e-70beea80cb51

+# Tutorial: Configure Whimsical for automatic user provisioning

+This tutorial describes the steps you need to perform in both Whimsical and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Whimsical](https://service-portaltest.benq.com/login) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).

+## Capabilities Supported

+> [!div class="checklist"]

+> * Create users in Whimsical

+> * Remove users in Whimsical when they do not require access anymore

+> * Keep user attributes synchronized between Azure AD and Whimsical

+> * [Single sign-on](benq-iam-tutorial.md) to Whimsical (recommended)

+## Prerequisites

+The scenario outlined in this tutorial assumes that you already have the following prerequisites:

+* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md)

+* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (e.g. Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).

+* To use SCIM, SAML has to be enabled and correctly configured.

+## Step 1. Plan your provisioning deployment

+1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).

+2. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+3. Determine what data to [map between Azure AD and Whimsical](../app-provisioning/customize-application-attributes.md).

+## Step 2. Configure Whimsical to support provisioning with Azure AD

+1. To enable SCIM, you must first set up SAML SSO with AAD.

+1. Go to "Workspace Settings", which you'll find under your workspace name in the top left.

+1. Enable SCIM provisioning and click "Reveal" to retrieve the token.

+1. In the "Provisioning" tab in AAD, set "Provisioning Mode" to "Automatic", and paste "https://whimsical.com/public-api/scim-v2/?aadOptscim062020" into "Tenant URL"

+## Step 3. Add Whimsical from the Azure AD application gallery

+Add Whimsical from the Azure AD application gallery to start managing provisioning to Whimsical. If you have previously setup Whimsical for SSO you can use the same application. However it is recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).

+## Step 4. Define who will be in scope for provisioning

+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+* When assigning users and groups to Whimsical, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add additional roles.

+* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+## Step 5. Configure automatic user provisioning to Whimsical

+This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and/or groups in TestApp based on user and/or group assignments in Azure AD.

+### To configure automatic user provisioning for Whimsical in Azure AD:

+1. Sign in to the [Azure portal](https://portal.azure.com). Select **Enterprise Applications**, then select **All applications**.

+ 

+2. In the applications list, select **Whimsical**.

+ 

+3. Select the **Provisioning** tab.

+ 

+4. Set the **Provisioning Mode** to **Automatic**.

+ 

+5. Under the **Admin Credentials** section, input your Whimsical Tenant URL and Secret Token. Click **Test Connection** to ensure Azure AD can connect to Whimsical. If the connection fails, ensure your Whimsical account has Admin permissions and try again.

+ 

+6. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box.

+ 

+7. Select **Save**.

+8. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to Whimsical**.

+9. Review the user attributes that are synchronized from Azure AD to Whimsical in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Whimsical for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you will need to ensure that the Whimsical API supports filtering users based on that attribute. Select the **Save** button to commit any changes.

+ |Attribute|Type|Supported for filtering|

+ ||||

+ |userName|String|&check;

+ |externalId|String|

+ |active|Boolean|

+ |displayName|String|

+10. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+11. To enable the Azure AD provisioning service for Whimsical, change the **Provisioning Status** to **On** in the **Settings** section.

+ 

+12. Define the users and/or groups that you would like to provision to Whimsical by choosing the desired values in **Scope** in the **Settings** section.

+ 

+13. When you are ready to provision, click **Save**.

+ 

+This operation starts the initial synchronization cycle of all users and groups defined in **Scope** in the **Settings** section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running.

+## Step 6. Monitor your deployment

+Once you've configured provisioning, use the following resources to monitor your deployment:

+1. Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully

+2. Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it is to completion

+3. If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).

+## Additional resources

+* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)

+* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+## Next steps

+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)

+## May 2022

+### Unlimited number of subscriptions

+It is easier now to get an overview of optimization opportunities available to your organization ΓÇô no need to spend time and effort to apply filters and process subscription in batches.

+To learn more, visit [Get started with Azure Advisor](advisor-get-started.md).

+### Tag filtering

+You can now get Advisor recommendations scoped to a business unit, workload, or team. Filter recommendations and calculate scores using tags you have already assigned to Azure resources, resource groups and subscriptions. Apply tag filters to:

+* Identify cost saving opportunities by business units

+* Compare scores for workloads to optimize critical ones first

+To learn more, visit [How to filter Advisor recommendations using tags](advisor-tag-filtering.md).

+ Title: Review optimization opportunities by workload, environment or team

+description: Review optimization opportunities by workload, environment or team

+# Review optimization opportunities by workload, environment or team

+You can now get Advisor recommendations and scores scoped to a workload, environment, or team using resource tag filters. Filter recommendations and calculate scores using tags you have already assigned to Azure resources, resource groups and subscriptions. Use tag filters to:

+* Identify cost saving opportunities by team

+* Compare scores for workloads to optimize the critical ones first

+> [!TIP]

+> For more information on how to use resource tags to organize and govern your Azure resources, please see the [Cloud Adoption FrameworkΓÇÖs guidance](/azure/cloud-adoption-framework/ready/azure-best-practices/resource-tagging) and [Build a cloud governance strategy on Azure](/learn/modules/build-cloud-governance-strategy-azure/).

+## How to filter recommendations using tags

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+1. Search for and select [Advisor](https://aka.ms/azureadvisordashboard) from any page.

+1. On the Advisor dashboard, click on the **Add Filter** button.

+1. Select the tag in the **Filter** field and value(s).

+1. Click **Apply**. Summary tiles will be updated to reflect the filter.

+1. Click on any of the categories to review recommendations.

+

+ [  ](./media/tags/overview-tag-filters.png#lightbox)

+

+

+## How to calculate scores using resource tags

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+1. Search for and select [Advisor](https://aka.ms/azureadvisordashboard) from any page.

+1. Select **Advisor score (preview)** from the navigation menu on the left.

+1. Click on the **Add Filter** button.

+1. Select the tag in the **Filter** field and value(s).

+1. Click **Apply**. Advisor score will be updated to only include resources impacted by the filter.

+1. Click on any of the categories to review recommendations.

+

+ [  ](./media/tags/score-tag-filters.png#lightbox)

+> [!NOTE]

+> Not all capabilities are available when tag filters are used. For example, tag filters are not supported for security score and score history.

+## Next steps

+To learn more about tagging, see:

+- [Define your tagging strategy - Cloud Adoption Framework](/azure/cloud-adoption-framework/ready/azure-best-practices/resource-tagging)

+- [Tag resources, resource groups, and subscriptions for logical organization - Azure Resource Manager](/azure/azure-resource-manager/management/tag-resources?tabs=json)

+ms.tool: azure-cli, azure-powershell

+ > To help ensure a globally unique name, prepend a disambiguation string such as your initials and the MMDD of today's date.

+1. Run the following command to print the current deployment file, using the `appDeploymentTemplateYamlEncoded` you saved above. The output contains all the variables we need.

+* The load balancer that's associated with the cluster

+* The AKS managed kubelet msi associated with the cluster

+* The AKS managed addon msi associated with the cluster

+* The private DNS zone associated with the private cluster

+* The private endpoint associated with the private cluster

+> [!NOTE]

+> Azure Private DNS only supports 15 tags. [tag resources](../azure-resource-manager/management/tag-resources.md).

+[install-azure-cli]: /cli/azure/install-azure-cli

+- **External-DNS controller**: Watches for Kubernetes Ingress resources and creates DNS A records in the cluster-specific DNS zone.

+- An Azure Key Vault containing any application certificates.

+- A DNS solution.

+To configure `kubectl` to connect to your Kubernetes cluster, use the [az aks get-credentials][az-aks-get-credentials] command. The following example gets credentials for the AKS cluster named *myAKSCluster* in *myResourceGroup*:

+az aks get-credentials --resource-group myResourceGroup --name myAKSCluster

+Obtain the vault URI for your Azure Key Vault:

+```azurecli

+az keyvault show --resource-group myResourceGroup --name myapp-contoso

+```

+Create a file named **samples-web-app-routing.yaml** and copy in the following YAML. On line 29-31, update `<MY_HOSTNAME>` with your DNS host name and `<MY_KEYVAULT_URI>` with the vault URI collected in the previous step of this article.

+The following example output shows the created resources:

+$ kubectl get ingress -n hello-web-app-routing

+[ingress-resource]: https://kubernetes.io/docs/concepts/services-networking/ingress/#the-ingress-resource

+ms.tool: azure-cli, azure-powershell

+ms.tool: terraform

+> [!NOTE]

+> As described, the HTTP protocol is used only to perform a handshake when establishing a WebSocket connection. Once the handshake is completed, a WebSocket connection gets opened for transmitting the data, and the Web Application Firewall (WAF) cannot parse any contents. Therefore, WAF does not perform any inspections on such data.

+After learning about WebSocket support, go to [create an application gateway](quick-create-powershell.md) to get started with a WebSocket enabled web application.

+> Steps 1-3 are not required if your Key Vault has a Private Endpoint enabled. The application gateway can access the Key Vault using the private IP address.

+## Configure readable secondaries

+When you deploy Azure Arc enabled SQL managed instance in `BusinessCritical` service tier with 2 or more replicas, by default, one secondary replica is automatically configured as `readableSecondary`. This setting can be changed, either to add or to remove the readable secondaries as follows:

+```azurecli

+az sql mi-arc update --name <sqlmi name> --readable-secondaries <value> --k8s-namespace <namespace> --use-k8s

+```

+For example, the following example will reset the readable secondaries to 0.

+```azurecli

+az sql mi-arc update --name sqlmi1 --readable-secondaries 0 --k8s-namespace mynamespace --use-k8s

+```

+## Configure replicas

+You can also scale up or down the number of replicas deployed in the `BusinessCritical` service tier as follows:

+```azurecli

+az sql mi-arc update --name <sqlmi name> --replicas <value> --k8s-namespace <namespace> --use-k8s

+```

+For example:

+The following example will scale down the number of replicas from 3 to 2.

+```azurecli

+az sql mi-arc update --name sqlmi1 --replicas 2 --k8s-namespace mynamespace --use-k8s

+```

+> [Note]

+> If you scale down from 2 replicas to 1 replica, you may run into a conflict with the pre-configured `--readable--secondaries` setting. You can first edit the `--readable--secondaries` before scaling down the replicas.

+This article describes how to enable transparent data encryption on a database created in an Azure Arc-enabled SQL Managed Instance. In this article, the term *managed instance* refers to a deployment of Azure Arc-enabled SQL Managed Instance.

+Before you proceed with this article, you must have an Azure Arc-enabled SQL Managed Instance resource created and connect to it.

+## Turn on transparent data encryption on a database in the managed instance

+Turning on transparent data encryption in the managed instance follows the same steps as SQL Server on-premises. Follow the steps described in [SQL Server's transparent data encryption guide](/sql/relational-databases/security/encryption/transparent-data-encryption#enable-tde).

+After you create the necessary credentials, back up any newly created credentials.

+## Back up a transparent data encryption credential

+When you back up credentials from the managed instance, the credentials are stored within the container. To store credentials on a persistent volume, specify the mount path in the container. For example, `var/opt/mssql/data`. The following example backs up a certificate from the managed instance:

+> If the `kubectl cp` command is run from Windows, the command may fail when using absolute Windows paths. Use relative paths or the commands specified below.

+### [Windows](#tab/windows)

+ ```console

+ kubectl exec -n <namespace> -c arc-sqlmi <pod-name> -- cat <pod-certificate-path> > <local-certificate-path>

+ ```

+ Example:

+ ```console

+ kubectl exec -n arc-ns -c arc-sqlmi sql-0 -- cat /var/opt/mssql/data/servercert.crt > $HOME\sqlcerts\servercert.crt

+ ```

+### [Linux](#tab/linux)

+ kubectl cp --namespace arc-ns --container arc-sqlmi sql-0:/var/opt/mssql/data/servercert.crt $HOME/sqlcerts/servercert.crt

+### [Windows](#tab/windows)

+ ```console

+ kubectl exec -n <namespace> -c arc-sqlmi <pod-name> -- cat <pod-private-key-path> > <local-private-key-path>

+ ```

+ Example:

+ ```console

+ kubectl exec -n arc-ns -c arc-sqlmi sql-0 -- cat /var/opt/mssql/data/servercert.key > $HOME\sqlcerts\servercert.key

+ ```

+### [Linux](#tab/linux)

+ kubectl cp --namespace arc-ns --container arc-sqlmi sql-0:/var/opt/mssql/data/servercert.key $HOME/sqlcerts/servercert.key

+## Restore a transparent data encryption credential to a managed instance

+Similar to above, to restore the credentials, copy them into the container and run the corresponding T-SQL afterwards.

+> If the `kubectl cp` command is run from Windows, the command may fail when using absolute Windows paths. Use relative paths or the commands specified below.

+### [Windows](#tab/windows)

+ ```console

+ type <local-certificate-path> | kubectl exec -i -n <namespace> -c arc-sqlmi <pod-name> -- tee <pod-certificate-path>

+ ```

+ Example:

+ ```console

+ type $HOME\sqlcerts\servercert.crt | kubectl exec -i -n arc-ns -c arc-sqlmi sql-0 -- tee /var/opt/mssql/data/servercert.crt

+ ```

+### [Linux](#tab/linux)

+ kubectl cp --namespace arc-ns --container arc-sqlmi $HOME/sqlcerts/servercert.crt sql-0:/var/opt/mssql/data/servercert.crt

+### [Windows](#tab/windows)

+ ```console

+ type <local-private-key-path> | kubectl exec -i -n <namespace> -c arc-sqlmi <pod-name> -- tee <pod-private-key-path>

+ ```

+ Example:

+ ```console

+ type $HOME\sqlcerts\servercert.key | kubectl exec -i -n arc-ns -c arc-sqlmi sql-0 -- tee /var/opt/mssql/data/servercert.key

+ ```

+### [Linux](#tab/linux)

+ kubectl cp --namespace arc-ns --container arc-sqlmi $HOME/sqlcerts/servercert.key sql-0:/var/opt/mssql/data/servercert.key

+az arcdata dc create --name <name> --resource-group <resourcegroup> --location <location> --connectivity-mode direct --profile-name <profile name> --auto-upload-metrics true --custom-location <name of custom location> --storage-class <storageclass>

+az arcdata dc create --name arc-dc1 --resource-group my-resource-group --location eastasia --connectivity-mode direct --profile-name azure-arc-aks-premium-storage --auto-upload-metrics true --custom-location mycustomlocation --storage-class mystorageclass

+az arcdata dc create --name <name> --resource-group <resourcegroup> --location <location> --connectivity-mode direct --path ./azure-arc-custom --auto-upload-metrics true --custom-location <name of custom location>

+az arcdata dc create --name arc-dc1 --resource-group my-resource-group --location eastasia --connectivity-mode direct --path ./azure-arc-custom --auto-upload-metrics true --custom-location mycustomlocation

+## Logs Upload related errors

+If you deployed Azure Arc data controller in the `direct` connectivity mode using `kubectl`, and have not created a secret for the Log Analytics workspace credentials, you may see the following error messages in the Data Controller CR (Custom Resource):

+```

+status": {

+ "azure": {

+ "uploadStatus": {

+ "logs": {

+ "lastUploadTime": "YYYY-MM-HHTMM:SS:MS.SSSSSSZ",

+ "message": "spec.settings.azure.autoUploadLogs is true, but failed to get log-workspace-secret secret."

+ },

+```

+To resolve the above error, create a secret with the Log Analytics Workspace credentials containing the `WorkspaceID` and the `SharedAccessKey` as follows:

+```

+apiVersion: v1

+data:

+ primaryKey: <base64 encoding of Azure Log Analytics workspace primary key>

+ workspaceId: <base64 encoding of Azure Log Analytics workspace Id>

+kind: Secret

+metadata:

+ name: log-workspace-secret

+ namespace: <your datacontroller namespace>

+type: Opaque

+```

+## Metrics upload related errors in direct connected mode

+If you configured automatic upload of metrics, in the direct connected mode and the permissions needed for the MSI have not been properly granted (as described in [Upload metrics](upload-metrics.md)), you might see an error in your logs as follows:

+```output

+'Metric upload response: {"error":{"code":"AuthorizationFailed","message":"Check Access Denied Authorization for AD object XXXXXXXXX-XXXX-XXXX-XXXXX-XXXXXXXXXXX over scope /subscriptions/XXXXXXXXX-XXXX-XXXX-XXXXX-XXXXXXXXXXX/resourcegroups/my-resource-group/providers/microsoft.azurearcdata/sqlmanagedinstances/arc-dc, User Tenant Id: XXXXXXXXX-XXXX-XXXX-XXXXX-XXXXXXXXXXX. Microsoft.Insights/Metrics/write was not allowed, Microsoft.Insights/Telemetry/write was notallowed. Warning: Principal will be blocklisted if the service principal is not granted proper access while it hits the GIG endpoint continuously."}}

+```

+To resolve above error, retrieve the MSI for the Azure Arc data controller extension, and grant the required roles as described in [Upload metrics](upload-metrics.md).

+## Usage upload related errors in direct connected mode

+If you deployed your Azure Arc data controller in the direct connected mode the permissions needed to upload your usage information are automatically granted for the Azure Arc data controller extension MSI. If the automatic upload process runs into permissions related issues you might see an error in your logs as follows:

+```

+identified that your data controller stopped uploading usage data to Azure. The error was:

+{"lastUploadTime":"2022-05-05T20:10:47.6746860Z","message":"Data controller upload response: {\"error\":{\"code\":\"AuthorizationFailed\",\"message\":\"The client 'XXXXXXXXX-XXXX-XXXX-XXXXX-XXXXXXXXXXX' with object id 'XXXXXXXXX-XXXX-XXXX-XXXXX-XXXXXXXXXXX' does not have authorization to perform action 'microsoft.azurearcdata/datacontrollers/write' over scope '/subscriptions/XXXXXXXXX-XXXX-XXXX-XXXXX-XXXXXXXXXXX/resourcegroups/my-resource-group/providers/microsoft.azurearcdata/datacontrollers/arc-dc' or the scope is invalid. If access was recently granted, please refresh your credentials.\"}}"}

+```

+To resolve the permissions issue, retrieve the MSI and grant the required roles as described in [Upload metrics](upload-metrics.md)).

+Periodically, you can export out usage information. The export and upload of this information creates and updates the data controller, SQL managed instance, and PostgreSQL resources in Azure.

+ This command creates a `usage.json` file with all the Azure Arc-enabled data resources such as SQL managed instances and PostgreSQL instances etc. that are created on the data controller.

+You will notice that there are two sets of data: `resources` and `data`. The `resources` are the data controller, PostgreSQL, and SQL Managed Instances. The `resources` records in the data capture the pertinent events in the history of a resource - when it was created, when it was updated, and when it was deleted. The `data` records capture how many cores were available to be used by a given instance for every hour.

+## Upload frequency

+In the **indirect** mode, usage information needs to be uploaded to Azure at least once in every 30 days. It is highly recommended to upload more frequently, such as daily or weekly. If usage information is not uploaded past 32 days, you will see some degradation in the service such as being unable to provision any new resources.

+There will be two types of notifications for delayed usage uploads - warning phase and degraded phase. In the warning phase there will be a message such as `Billing data for the Azure Arc data controller has not been uploaded in {0} hours. Please upload billing data as soon as possible.`.

+In the degraded phase, the message will look like `Billing data for the Azure Arc data controller has not been uploaded in {0} hours. Some functionality will not be available until the billing data is uploaded.`.

+The Azure portal Overview page for Data Controller and the Custom Resource status of the Data controller in your kubernetes cluster will both indicate the last upload date and the status message(s).

+ Title: "GitOps Flux v1 configurations with Azure Arc-enabled Kubernetes"

+# GitOps Flux v1 configurations with Azure Arc-enabled Kubernetes

+ Title: "GitOps Flux v2 configurations with AKS and Azure Arc-enabled Kubernetes"

+# GitOps Flux v2 configurations with AKS and Azure Arc-enabled Kubernetes

+Availability zone (AZ) support for Azure Functions is now available on Premium (Elastic Premium) and Dedicated (App Service) plans. A zone-redundant Functions application automatically balances its instances between availability zones for higher availability. This article focuses on zone redundancy support for Premium plans. For zone redundancy on Dedicated plans, refer [here](../app-service/how-to-zone-redundancy.md).

+An [availability zone](../availability-zones/az-overview.md#availability-zones) is a high-availability offering that protects your applications and data from datacenter failures. Availability zones are unique physical locations within an Azure region. Each zone comprises one or more datacenters equipped with independent power, cooling, and networking. To ensure resiliency, there's a minimum of three separate zones in all enabled regions. You can build high-availability into your application architecture by co-locating your compute, storage, networking, and data resources within a zone and replicating into other zones.

+A zone redundant function app automatically distributes the instances your app runs on between the availability zones in the region. For apps running in a zone-redundant Premium plan, even as the app scales in and out, the instances the app is running on are still evenly distributed between availability zones.

+When hosting in a zone-redundant Premium plan, the following requirements must be met.

+- You must use a [zone redundant storage account (ZRS)](../storage/common/storage-redundancy.md#zone-redundant-storage) for your function app's [storage account](storage-considerations.md#storage-account-requirements). If you use a different type of storage account, Functions may show unexpected behavior during a zonal outage.

+- Must be hosted on an [Elastic Premium](functions-premium-plan.md) or Dedicated hosting plan. Instructions on zone redundancy with Dedicated (App Service) hosting plan can be found [in this article](../app-service/how-to-zone-redundancy.md).

+- Zone redundant plans must specify a minimum instance count of three.

+- Function apps hosted on a Premium plan must also have a minimum [always ready instances](functions-premium-plan.md#always-ready-instances) count of three.

+Zone-redundant Premium plans can currently be enabled in any of the following regions:

+ - South Central US

+There are currently two ways to deploy a zone-redundant premium plan and function app. You can use either the [Azure portal](https://portal.azure.com) or an ARM template.

+# [Azure portal](#tab/azure-portal)

+1. Open the Azure portal and navigate to the **Create Function App** page. Information on creating a function app in the portal can be found [here](functions-create-function-app-portal.md#create-a-function-app).

+1. In the **Basics** page, fill out the fields for your function app. Pay special attention to the fields in the table below (also highlighted in the screenshot below), which have specific requirements for zone redundancy.

+ | Setting | Suggested value | Notes for Zone Redundancy |

+ | | - | -- |

+ | **Region** | Preferred region | The subscription under which this new function app is created. You must pick a region that is AZ enabled from the [list above](#requirements). |

+ 

+1. In the **Hosting** page, fill out the fields for your function app hosting plan. Pay special attention to the fields in the table below (also highlighted in the screenshot below), which have specific requirements for zone redundancy.

+ | Setting | Suggested value | Notes for Zone Redundancy |

+ | | - | -- |

+ | **Storage Account** | A [zone-redundant storage account](storage-considerations.md#storage-account-requirements) | As mentioned above in the [requirements](#requirements) section, we strongly recommend using a zone-redundant storage account for your zone redundant function app. |

+ | **Plan Type** | Functions Premium | This article details how to create a zone redundant app in a Premium plan. Zone redundancy isn't currently available in Consumption plans. Information on zone redundancy on app service plans can be found [in this article](../app-service/how-to-zone-redundancy.md). |

+ | **Zone Redundancy** | Enabled | This field populates the flag that determines if your app is zone redundant or not. You won't be able to select `Enabled` unless you have chosen a region supporting zone redundancy, as mentioned in step 2. |

+ 

+1. For the rest of the function app creation process, create your function app as normal. There are no fields in the rest of the creation process that affect zone redundancy.

+# [ARM template](#tab/arm-template)

+You can use an [ARM template](../azure-resource-manager/templates/quickstart-create-templates-use-visual-studio-code.md) to deploy to a zone-redundant Premium plan. A guide to hosting Functions on Premium plans can be found [here](functions-infrastructure-as-code.md#deploy-on-premium-plan).

+The only properties to be aware of while creating a zone-redundant hosting plan are the new `zoneRedundant` property and the plan's instance count (`capacity`) fields. The `zoneRedundant` property must be set to `true` and the `capacity` property should be set based on the workload requirement, but not less than `3`. Choosing the right capacity varies based on several factors and high availability/fault tolerance strategies. A good rule of thumb is to ensure sufficient instances for the application such that losing one zone of instances leaves sufficient capacity to handle expected load.

+> Azure Functions apps hosted on an elastic premium, zone-redundant plan must have a minimum [always ready instance](functions-premium-plan.md#always-ready-instances) count of 3. This make sure that a zone-redundant function app always has enough instances to satisfy at least one worker per zone.

+Below is an ARM template snippet for a zone-redundant, Premium plan showing the `zoneRedundant` field and the `capacity` specification.

+```json

+"resources": [

+ {

+ "type": "Microsoft.Web/serverfarms",

+ "apiVersion": "2021-01-15",

+ "name": "your_plan_name_here",

+ "location": "Central US",

+ "sku": {

+ "name": "EP3",

+ "tier": "ElasticPremium",

+ "size": "EP3",

+ "family": "EP",

+ "capacity": 3

+ },

+ "kind": "elastic",

+ "properties": {

+ "perSiteScaling": false,

+ "elasticScaleEnabled": true,

+ "maximumElasticWorkerCount": 20,

+ "isSpot": false,

+ "reserved": false,

+ "isXenon": false,

+ "hyperV": false,

+ "targetWorkerCount": 0,

+ "targetWorkerSizeId": 0,

+ "zoneRedundant": true

+ }

+]

+To learn more about these templates, see [Automate resource deployment in Azure Functions](functions-infrastructure-as-code.md).

+After the zone-redundant plan is created and deployed, any function app hosted on your new plan is considered zone-redundant.

+## Next steps

+> [!div class="nextstepaction"]

+> [Improve the performance and reliability of Azure Functions](performance-reliability.md)

+ &instanceIdPrefix={prefix}

+ &instanceIdPrefix={prefix}

+| **`instanceIdPrefix`** | Query string | Optional parameter. When specified, filters the list of returned instances to include only instances whose instance id starts with the specified prefix string. Available starting with [version 2.7.2](https://www.nuget.org/packages/Microsoft.Azure.WebJobs.Extensions.DurableTask/2.7.2) of the extension. |

+Connection string for storage account where the function app code and configuration are stored in event-driven scaling plans. For more information, see [Create a function app](functions-infrastructure-as-code.md?tabs=windows#create-a-function-app).

+This setting is used for Consumption and Premium plan apps on both Windows and Linux. It's not used for Dedicated plan apps, which aren't dynamically scaled by Functions.

+Changing or removing this setting may cause your function app to not start. To learn more, see [this troubleshooting article](functions-recover-storage-account.md#storage-account-application-settings-were-deleted).

+ Title: Create your function app resources in Azure using Bicep

+description: Create and deploy to Azure a simple HTTP triggered serverless function using Bicep.

+# Quickstart: Create and deploy Azure Functions resources using Bicep

+In this article, you use Bicep to create a function that responds to HTTP requests.

+Completing this quickstart incurs a small cost of a few USD cents or less in your Azure account.

+## Prerequisites

+### Azure account

+Before you begin, you must have an Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/).

+## Review the Bicep file

+The Bicep file used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/function-app-create-dynamic/).

+The following four Azure resources are created by this Bicep file:

+## Deploy the Bicep file

+1. Save the Bicep file as **main.bicep** to your local computer.

+1. Deploy the Bicep file using either Azure CLI or Azure PowerShell.

+ # [CLI](#tab/CLI)

+ ```azurecli

+ az group create --name exampleRG --location eastus

+ az deployment group create --resource-group exampleRG --template-file main.bicep --parameters appInsightsLocation=<app-location>

+ ```

+ # [PowerShell](#tab/PowerShell)

+ ```azurepowershell

+ New-AzResourceGroup -Name exampleRG -Location eastus

+ New-AzResourceGroupDeployment -ResourceGroupName exampleRG -TemplateFile ./main.bicep -appInsightsLocation "<app-location>"

+ ```

+

+ > [!NOTE]

+ > Replace **\<app-location\>** with the region for Application Insights, which is usually the same as the resource group.

+ When the deployment finishes, you should see a message indicating the deployment succeeded.

+## Validate the deployment

+Use Azure CLI or Azure PowerShell to validate the deployment.

+# [CLI](#tab/CLI)

+```azurecli-interactive

+az resource list --resource-group exampleRG

+```

+# [PowerShell](#tab/PowerShell)

+```azurepowershell-interactive

+Get-AzResource -ResourceGroupName exampleRG

+```

+## Visit function app welcome page

+1. Use the output from the previous validation step to retrieve the unique name created for your function app.

+1. Open a browser and enter the following URL: **\<https://<appName.azurewebsites.net\>**. Make sure to replace **<\appName\>** with the unique name created for your function app.

+When you visit the URL, you should see a page like this:

+## Clean up resources

+If you continue to the next step and add an Azure Storage queue output binding, keep all your resources in place as you'll build on what you've already done.

+Otherwise, if you no longer need the resources, use Azure CLI, PowerShell, or Azure portal to delete the resource group and its resources.

+# [CLI](#tab/CLI)

+```azurecli-interactive

+az group delete --name exampleRG

+```

+# [PowerShell](#tab/PowerShell)

+```azurepowershell-interactive

+Remove-AzResourceGroup -Name exampleRG

+```

+## Next steps

+Now that you've publish your first function, learn more by adding an output binding to your function.

+# [Visual Studio Code](#tab/visual-studio-code)

+> [!div class="nextstepaction"]

+> [Connect to an Azure Storage queue](functions-add-output-binding-storage-queue-vs-code.md)

+# [Visual Studio](#tab/visual-studio)

+> [!div class="nextstepaction"]

+> [Connect to an Azure Storage queue](functions-add-output-binding-storage-queue-vs.md)

+# [Command line](#tab/command-line)

+> [!div class="nextstepaction"]

+> [Connect to an Azure Storage queue](functions-add-output-binding-storage-queue-cli.md)

+While you're able to develop and test Azure Functions in the [Azure portal], many developers prefer a local development experience. When you use Functions, using your favorite code editor and development tools to create and test functions on your local computer becomes easier. Your local functions can connect to live Azure services, and you can debug them on your local computer using the full Functions runtime.

+| [Maven](./create-first-function-cli-java.md) (various) | [Java](functions-reference-java.md) | Maven archetype supports Core Tools to enable development of Java functions. Version 2.x supports development on Linux, macOS, and Windows. To learn more, see [Create your first function with Java and Maven](./create-first-function-cli-java.md). Also supports development using [Eclipse](functions-create-maven-eclipse.md) and [IntelliJ IDEA](functions-create-maven-intellij.md). |

+Each of these local development environments lets you create function app projects and use predefined function templates to create new functions. Each uses the Core Tools so that you can test and debug your functions against the real Functions runtime on your own machine just as you would any other app. You can also publish your function app project from any of these environments to Azure.

+| **`Values`** | Collection of application settings used when a project is running locally. These key-value (string-string) pairs correspond to application settings in your function app in Azure, like [`AzureWebJobsStorage`]. Many triggers and bindings have a property that refers to a connection string app setting, like `Connection` for the [Blob storage trigger](functions-bindings-storage-blob-trigger.md#configuration). For these properties, you need an application setting defined in the `Values` array. See the subsequent table for a list of commonly used settings. <br/>Values must be strings and not JSON objects or arrays. Setting names can't include a double underline (`__`) and shouldn't include a colon (`:`). Double underline characters are reserved by the runtime, and the colon is reserved to support [dependency injection](functions-dotnet-dependency-injection.md#working-with-options-and-settings). |

+|**`AzureWebJobs.<FUNCTION_NAME>.Disabled`**| `true`\|`false` | To disable a function when running locally, add `"AzureWebJobs.<FUNCTION_NAME>.Disabled": "true"` to the collection, where `<FUNCTION_NAME>` is the name of the function. To learn more, see [How to disable functions in Azure Functions](disable-function.md#localsettingsjson). |

+| **`FUNCTIONS_WORKER_RUNTIME_VERSION`** | `~7` |Indicates to use PowerShell 7 when running locally. If not set, then PowerShell Core 6 is used. This setting is only used when running locally. The PowerShell runtime version is determined by the `powerShellVersion` site configuration setting, when it runs in Azure, which can be [set in the portal](functions-reference-powershell.md#changing-the-powershell-version). |

+Other resources that you need, like an Azure storage account, are created in your subscription when you [publish by using Visual Studio Code](#publish-to-azure).

+* The [Azure Functions Core Tools](functions-run-local.md#install-the-azure-functions-core-tools) version 2.x or later. The Core Tools package is downloaded and installed automatically when you start the project locally. Core Tools includes the entire Azure Functions runtime, so download and installation might take some time.

+* The [C# extension](https://marketplace.visualstudio.com/items?itemName=ms-dotnettools.csharp) for Visual Studio Code.

+* [.NET Core CLI tools](/dotnet/core/tools/?tabs=netcore2x).

+* The [Azure Functions Core Tools](functions-run-local.md#install-the-azure-functions-core-tools) version 2.x or later. The Core Tools package is downloaded and installed automatically when you start the project locally. Core Tools includes the entire Azure Functions runtime, so download and installation might take some time.

+* [Debugger for Java extension](https://marketplace.visualstudio.com/items?itemName=vscjava.vscode-java-debug).

+* [Java 8](/azure/developer/jav#java-versions).

+* [Maven 3 or later](https://maven.apache.org/).

+* The [Azure Functions Core Tools](functions-run-local.md#install-the-azure-functions-core-tools) version 2.x or later. The Core Tools package is downloaded and installed automatically when you start the project locally. Core Tools includes the entire Azure Functions runtime, so download and installation might take some time.

+* [Node.js](https://nodejs.org/), Active LTS and Maintenance LTS versions (10.14.1 recommended). Use the `node --version` command to check your version.

+* The [Azure Functions Core Tools](functions-run-local.md#install-the-azure-functions-core-tools) version 2.x or later. The Core Tools package is downloaded and installed automatically when you start the project locally. Core Tools include the entire Azure Functions runtime, so download and installation might take some time.

+* [PowerShell 7](/powershell/scripting/install/installing-powershell-core-on-windows) recommended. For version information, see [PowerShell versions](functions-reference-powershell.md#powershell-versions).

+* Both [.NET Core 3.1 runtime](https://dotnet.microsoft.com/download) and [.NET Core 2.1 runtime](https://dotnet.microsoft.com/download/dotnet/2.1).

+* The [PowerShell extension for Visual Studio Code](https://marketplace.visualstudio.com/items?itemName=ms-vscode.PowerShell).

+* The [Azure Functions Core Tools](functions-run-local.md#install-the-azure-functions-core-tools) version 2.x or later. The Core Tools package is downloaded and installed automatically when you start the project locally. Core Tools includes the entire Azure Functions runtime, so download and installation might take some time.

+* [Python 3.x](https://www.python.org/downloads/). For version information, see [Python versions](functions-reference-python.md#python-version) by the Azure Functions runtime.

+* [Python extension](https://marketplace.visualstudio.com/items?itemName=ms-python.python) for Visual Studio Code.

+ :::image type="content" source="./media/functions-develop-vs-code/create-function.png" alt-text=" Screenshot for Create Function.":::

+ :::image type="content" source="./media/functions-develop-vs-code/select-http-trigger.png" alt-text="Screenshot for selecting H T T P trigger.":::

+ :::image type="content" source="./media/functions-develop-vs-code/create-function-auth.png" alt-text="Screenshot for creating function authorization.":::

+1. From the dropdown list, select **Add to workplace**.

+ :::image type="content" source="./media/functions-develop-vs-code/add-to-workplace.png" alt-text=" Screenshot for selectIng Add to workplace.":::

+1. In **Do you trust the authors of the files in this folder?** window, select **Yes**.

+ :::image type="content" source="./media/functions-develop-vs-code/select-author-file.png" alt-text="Screenshot to confirm trust in authors of the files.":::

+1. A function is created in your chosen language and in the template for an HTTP-triggered function.

+ :::image type="content" source="./media/functions-develop-vs-code/new-function-created.png" alt-text="Screenshot for H T T P-triggered function template in Visual Studio Code.":::

+* A pom.xml file in the root folder that defines the project and deployment parameters, including project dependencies and the [Java version](functions-reference-java.md#java-versions). The pom.xml also contains information about the Azure resources that are created during a deployment.

+* A [Functions.java file](functions-reference-java.md#triggers-and-annotations) in your src path that implements the function.

+At this point, you can [add input and output bindings](#add-input-and-output-bindings) to your function.

+You can add a new function to an existing project by using one of the predefined Functions triggers templates. To add a new function trigger, select F1 to open the command palette, and then search for and run the command **Azure Functions: Create Function**. Follow the prompts to choose your trigger type and define the required attributes of the trigger. If your trigger requires an access key or connection string to connect to a service, get it ready before you create the function trigger.

+To learn more, see the [Queue storage output binding reference article](functions-bindings-storage-queue-output.md?tabs=csharp) documentation. To learn more in general about which bindings can be added to a function, see [Add bindings to an existing function in Azure Functions](add-bindings-existing-function.md?tabs=csharp).

+The `msg` parameter is an `OutputBinding<T>` type, where `T` is a string that is written to an output binding when the function completes. The following code sets the message in the output binding:

+To learn more, see the [Queue storage output binding reference article](functions-bindings-storage-queue-output.md?tabs=java) documentation. To learn more in general about which bindings can be added to a function, see [Add bindings to an existing function in Azure Functions](add-bindings-existing-function.md?tabs=java).

+To learn more, see the [Queue storage output binding reference article](functions-bindings-storage-queue-output.md?tabs=javascript) documentation. To learn more in general about which bindings can be added to a function, see [Add bindings to an existing function in Azure Functions](add-bindings-existing-function.md?tabs=javascript).

+To learn more, see the [Queue storage output binding reference article](functions-bindings-storage-queue-output.md?tabs=powershell) documentation. To learn more in general about which bindings can be added to a function, see [Add bindings to an existing function in Azure Functions](add-bindings-existing-function.md?tabs=powershell).

+To learn more, see the [Queue storage output binding reference article](functions-bindings-storage-queue-output.md?tabs=python) documentation. To learn more in general about which bindings can be added to a function, see [Add bindings to an existing function in Azure Functions](add-bindings-existing-function.md?tabs=python).

+When you publish from Visual Studio Code to a new function app in Azure, you can choose either a quick function app create path using defaults or an advanced path. This way you'll have more control over the remote resources created.

+When you publish from Visual Studio Code, you take advantage of the [Zip deploy](functions-deployment-technologies.md#zip-deploy) technology.

+1. If you have multiple subscriptions, **Select a subscription** for the function app, and then select **+ Create New Function App in Azure... _Advanced_**. This _Advanced_ option gives you more control over the resources you create in Azure.

+When the extension gets the URL of functions in Azure, it uses your Azure account to automatically retrieve the keys it needs to start the function. [Learn more about function access keys](security-concepts.md#function-access-keys). Starting non-HTTP triggered functions requires using the admin key.

+The Azure Functions extension lets you run individual functions. You can run functions either in your project on your local development computer or in your Azure subscription.

+### Run functions in Azure.

+To execute a function in Azure from Visual Studio Code.

+1. In the command pallet, enter **Azure Functions: Execute function now** and choose your Azure subscription.

+1. Choose your function app in Azure from the list. If you don't see your function app, make sure you're signed in to the correct subscription.

+1. Choose the function you want to run from the list and type the message body of the request in **Enter request body**. Press Enter to send this request message to your function. The default text in **Enter request body** should indicate the format of the body. If your function app has no functions, a notification error is shown with this error.

+When you run your functions in Azure from Visual Studio Code, the extension uses your Azure account to automatically retrieve the keys it needs to start the function. [Learn more about function access keys](security-concepts.md#function-access-keys). Starting non-HTTP triggered functions requires using the admin key.

+The local runtime is the same runtime that hosts your function app in Azure. Local settings are read from the [local.settings.json file](#local-settings). To run your Functions project locally, you must meet [more requirements](#run-local-requirements).

+To debug your functions, select F5. If you haven't already downloaded [Core Tools][Azure Functions Core Tools], you're prompted to do so. When Core Tools is installed and running, output is shown in the Terminal. This step is the same as running the `func host start` Core Tools command from the Terminal, but with extra build tasks and an attached debugger.

+When the project is running, you can use the **Execute Function Now...** feature of the extension to trigger your functions as you would when the project is deployed to Azure. With the project running in debug mode, breakpoints are hit in Visual Studio Code as you would expect.

+1. In the command pallet, enter **Azure Functions: Execute function now** and choose **Local project**.

+1. Choose the function you want to run in your project and type the message body of the request in **Enter request body**. Press Enter to send this request message to your function. The default text in **Enter request body** should indicate the format of the body. If your function app has no functions, a notification error is shown with this error.

+Running functions locally doesn't require using keys.

+> In Visual Studio 2017, the Azure development workload installs Azure Functions Tools as a separate extension. When you update your Visual Studio 2017 installation, make sure that you're using the [most recent version](#check-your-tools-version) of the Azure Functions Tools. The following sections show you how to check and (if needed) update your Azure Functions Tools extension in Visual Studio 2017.

+Azure Functions Core Tools lets you run Azure Functions project on your local development computer. When you press F5 to debug a Functions project, the local Functions host (func.exe) starts to listen on a local port (usually 7071). Any callable function endpoints are written to the output, and you can use these for testing your functions. For more information, see [Work with Azure Functions Core Tools](functions-run-local.md). You're prompted to install these tools the first time you start a function from Visual Studio.

+When you publish from Visual Studio, it uses one of the two deployment methods:

+Visual Studio doesn't upload these settings automatically when you publish the project. Any settings you add in the local.settings.json you must also add to the function app in Azure.

+This section describes how to create a C# function app project in Visual Studio and to run and test with [xUnit](https://github.com/xunit/xunit).

+You'll create a new class named `ListLogger`, which holds an internal list of messages to evaluate during testing. To implement the required `ILogger` interface, the class needs a scope. The following class mocks a scope for the test cases to pass to the `ListLogger` class.

+- **Timer_should_log_message**: This test creates an instance of `ListLogger` and passes it to a timer function. Once the function is run, then the log is checked to ensure the expected message is present.

+To run the tests, navigate to the **Test Explorer** and select **Run all**.

+To debug the tests, set a breakpoint on a test, navigate to the **Test Explorer** and select **Run > Debug Last Run**.

+For more information about developing functions as .NET class libraries, see [Azure Functions C# developer reference](functions-dotnet-class-library.md). This article also links to examples on how to use attributes to declare the various types of bindings supported by Azure Functions.

+ --functions-version 3

+ --functions-version 3

+You can also explicitly declare the attribute types and return type in the function using Python type annotations. This action helps you to use the IntelliSense and autocomplete features provided by many Python code editors.

+When you deploy your project to a function app in Azure, the entire contents of the main project (*<project_root>*) folder should be included in the package, but not the folder itself, which means `host.json` should be in the package root. We recommend that you maintain your tests in a folder along with other functions, in this example `tests/`. For more information, see [Unit Testing](#unit-testing).

+The following \_\_app\_\_ import and beyond top-level relative import are deprecated, since it isn't supported by static type checker and not supported by Python test frameworks:

+By default, the Functions runtime collects logs and other telemetry data generated by your functions. This telemetry ends up as traces in Application Insights. Request and dependency telemetry for certain Azure services are also collected by default by [triggers and bindings](functions-triggers-bindings.md#supported-bindings). To collect custom request and custom dependency telemetry outside of bindings, you can use the [OpenCensus Python Extensions](https://github.com/census-ecosystem/opencensus-python-extensions-azure). This extension sends custom telemetry data to your Application Insights instance. You can find a list of supported extensions at the [OpenCensus repository](https://github.com/census-instrumentation/opencensus-python/tree/master/contrib).

+You can apply WSGI and ASGI-compatible frameworks such as Flask and FastAPI with your HTTP-triggered Python functions. This section shows how to modify your functions to support these frameworks.

+Update the Python code file `init.py`, depending on the interface used by your framework. The following example shows either an ASGI handler approach or a WSGI wrapper approach for Flask:

+Context for distributed tracing. For more information, see [`Trace Context`](https://www.w3.org/TR/trace-context/).

+Context for retries to the function. For more information, see [`retry-policies`](./functions-bindings-errors.md#retry-policies-preview).

+It isn't guaranteed that the state of your app will be preserved for future executions. However, the Azure Functions runtime often reuses the same process for multiple executions of the same app. In order to cache the results of an expensive computation, declare it as a global variable.

+^*Official Python distributions

+The runtime uses the available Python version, when you run it locally.

+To set a Python function app to a specific language version, you need to specify the language and the version of the language in `LinuxFxVersion` field in site config. For example, to change Python app to use Python 3.8, set `linuxFxVersion` to `python|3.8`.

+To learn more about Azure Functions runtime support policy, refer [article](./language-support-policy.md).

+To see the full list of supported Python versions functions apps, refer [article](./supported-languages.md).

+Replace `<FUNCTION_APP>` with the name of your function app. Also replace `<RESOURCE_GROUP>` with the name of the resource group for your function app. Also, replace `<LINUX_FX_VERSION>` with the Python version you want to use, prefixed by `python|` for example, `python|3.9`.

+When you're ready to publish, make sure that all your publicly available dependencies are listed in the requirements.txt file. You can locate this file at the root of your project directory.

+Project files and folders that are excluded from publishing, including the virtual environment folder, you can find them in the root directory of your project.

+When you use remote build, dependencies restored on the server and native dependencies match the production environment. This results in a smaller deployment package to upload. Use remote build when developing Python apps on Windows. If your project has custom dependencies, you can [use remote build with extra index URL](#remote-build-with-extra-index-url).

+When you use the `--build local` option, project dependencies are read from the requirements.txt file and those dependent packages are downloaded and installed locally. Project files and dependencies are deployed from your local computer to Azure. This results in a larger deployment package being uploaded to Azure. If for some reason, you can't get requirements.txt file by Core Tools, you must use the custom dependencies option for publishing.

+When using custom dependencies, you should use the `--no-build` publishing option, since you've already installed the dependencies into the project folder.

+Functions written in Python can be tested like other Python code using standard testing frameworks. For most bindings, it's possible to create a mock input object by creating an instance of an appropriate class from the `azure.functions` package. Since the [`azure.functions`](https://pypi.org/project/azure-functions/) package isn't immediately available, be sure to install it via your `requirements.txt` file as described in the [package management](#package-management) section above.

+We recommend that you maintain your tests in a folder separate from the project folder. This action keeps you from deploying test code with your app.

+There are a few libraries that come with the Python Functions runtime.

+The Python Standard Library contains a list of built-in Python modules that are shipped with each Python distribution. Most of these libraries help you access system functionality, like file I/O. On Windows systems, these libraries are installed with Python. On the Unix-based systems, they're provided by package collections.

+Extensions implement a Python worker extension interface. This action lets the Python worker process call into the extension code during the function execution lifecycle. To learn more, see [Creating extensions](#creating-extensions).

+ + Locally: add `"PYTHON_ENABLE_WORKER_EXTENSIONS": "1"` in the `Values` section of your [local.settings.json file](functions-develop-local.md#local-settings-file).

+Extensions are created by third-party library developers who have created functionality that can be integrated into Azure Functions. An extension developer design, implements, and releases Python packages that contain custom logic designed specifically to be run in the context of function execution. These extensions can be published either to the PyPI registry or to GitHub repositories.

+To improve throughput, Functions let your out-of-process Python language worker share memory with the Functions host process. When your function app is hitting bottlenecks, you can enable shared memory by adding an application setting named [FUNCTIONS_WORKER_SHARED_MEMORY_DATA_TRANSFER_ENABLED](functions-app-settings.md#functions_worker_shared_memory_data_transfer_enabled) with a value of `1`. With shared memory enabled, you can then use the [DOCKER_SHM_SIZE](functions-app-settings.md#docker_shm_size) setting to set the shared memory to something like `268435456`, which is equivalent to 256 MB.

+

+* [Can't import 'cygrpc'](recover-python-functions.md#troubleshoot-cannot-import-cygrpc)

+1. Enable Application Insights and Profiler in `Startup.cs`:

+ ```csharp

+ public void ConfigureServices(IServiceCollection services)

+ {

+ services.AddApplicationInsightsTelemetry(); // Add this line of code to enable Application Insights.

+ services.AddServiceProfiler(); // Add this line of code to Enable Profiler

+ services.AddControllersWithViews();

+ }

+ ```

+The default data retention period is five days.

+## Enable Profiler using app settings

+The main differences in monitoring a Windows Server cluster with Container insights compared to a Linux cluster are described in [Feature of Container insights](container-insights-overview.md#features-of-container-insights) in the overview article.

+* How to estimate costs up-front before you enable Container Insights.

+This article describes how to enable AKS Monitoring Addon using Azure Custom Policy.

+## Permissions required

+Monitoring Addon Custom Policy can be assigned at either the subscription or resource group scope. If the Log Analytics workspace and AKS cluster are in different subscriptions, then the managed identity used by the policy assignment must have the required role permissions on both the subscriptions or on the Log Analytics workspace resource. Similarly, if the policy is scoped to the resource group, then the managed identity should have the required role permissions on the Log Analytics workspace if the workspace is not in the selected resource group scope.

+ Title: Monitor Azure Arc-enabled Kubernetes clusters

+description: Collect metrics and logs of Azure Arc-enabled Kubernetes clusters using Azure Monitor.

+- Pre-requisites listed under the [generic cluster extensions documentation](../../azure-arc/kubernetes/extensions.md#prerequisites).

+- og Analytics workspace. Azure Monitor Container Insights supports a Log Analytics workspace in the regions listed under Azure [products by region page](https://azure.microsoft.com/global-infrastructure/services/?regions=all&products=monitor). You can create your own workspace using [Azure Resource Manager](../logs/resource-manager-workspace.md), [PowerShell](../logs/powershell-workspace-configuration.md), or [Azure portal](../logs/quick-create-workspace.md).

+- [Contributor](../../role-based-access-control/built-in-roles.md#contributor) role assignment on the Azure subscription containing the Azure Arc-enabled Kubernetes resource. If the Log Analytics workspace is in a different subscription, then [Log Analytics Contributor](../logs/manage-access.md#azure-rbac) role assignment is needed on the Log Analytics workspace.

+If you are [deploying a new AKS cluster using Terraform](/azure/developer/terraform/create-k8s-cluster-with-tf-and-aks), you specify the arguments required in the profile [to create a Log Analytics workspace](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/log_analytics_workspace) if you do not choose to specify an existing one.

+To add Container insights to the workspace, see [azurerm_log_analytics_solution](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/log_analytics_solution) and complete the profile by including the [**addon_profile**](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster) and specify **oms_agent**.

+ Title: Configure GPU monitoring with Container insights

+- [Log Analytics workspace](../logs/design-logs-deployment.md). Container insights supports a Log Analytics workspace in the regions listed in Azure [Products by region](https://azure.microsoft.com/global-infrastructure/services/?regions=all&products=monitor). To create your own workspace, it can be created through [Azure Resource Manager](../logs/resource-manager-workspace.md), through [PowerShell](../logs/powershell-workspace-configuration.md?toc=%2fpowershell%2fmodule%2ftoc.json), or in the [Azure portal](../logs/quick-create-workspace.md).

+ Title: View metrics in real-time with Container insights

+ Title: View Live Data with Container insights

+For help setting up or troubleshooting the Live Data feature, review our [setup guide](container-insights-livedata-setup.md). This feature directly accesses the Kubernetes API, and additional information about the authentication model can be found [here](https://kubernetes.io/docs/concepts/overview/kubernetes-api/).

+While viewing events, you can additionally limit the results using the **Filter** pill found to the right of the search bar. Depending on what resource you have selected, the pill lists a Pod, Namespace, or cluster to choose from.

+To suspend autoscroll and control the behavior of the pane, allowing you to manually scroll through the new data read, you can use the **Scroll** option. To re-enable autoscroll, simply select the **Scroll** option again. You can also pause retrieval of log or event data by selecting the **Pause** option, and when you are ready to resume, simply select **Play**.

+ Title: Configure live data in Container insights

+# How to configure Live Data in Container insights

+To view Live Data with Container insights from Azure Kubernetes Service (AKS) clusters, you need to configure authentication to grant permission to access to your Kubernetes data. This security configuration allows real-time access to your data through the Kubernetes API directly in the Azure portal.

+This article explains how to configure authentication to control access to the Live Data feature from the cluster:

+The Live Data features utilizes the Kubernetes API, identical to the `kubectl` command-line tool. The Kubernetes API endpoints utilize a self-signed certificate, which your browser will be unable to validate. This feature utilizes an internal proxy to validate the certificate with the AKS service, ensuring the traffic is trusted.

+To eliminate the need to apply additional configuration changes to allow the Kubernetes user role binding **clusterUser** access to the Live Data feature after [enabling Kubernetes RBAC](#configure-kubernetes-rbac-authorization) authorization, AKS has added a new Kubernetes cluster role binding called **clusterMonitoringUser**. This cluster role binding has all the necessary permissions out-of-the-box to access the Kubernetes API and the endpoints for utilizing the Live Data feature.

+In order to utilize the Live Data feature with this new user, you need to be a member of the [Azure Kubernetes Service Cluster User](../../role-based-access-control/built-in-roles.md#azure-kubernetes-service-cluster-user-role) or [Contributor](../../role-based-access-control/built-in-roles.md#contributor) role on the AKS cluster resource. Container insights, when enabled, is configured to authenticate using the clusterMonitoringUser by default. If the clusterMonitoringUser role binding does not exist on a cluster, **clusterUser** is used for authentication instead. Contributor gives you access to the clusterMonitoringUser (if it exists) and Azure Kuberenetes Service Cluster User gives you access to the clusterUser. Any of these two roles give sufficient access to use this feature.

+Each Azure AD account must be granted permission to the appropriate APIs in Kubernetes in order to access the Live Data feature. The steps to grant the Azure Active Directory account are similar to the steps described in the [Kubernetes RBAC authentication](#configure-kubernetes-rbac-authorization) section. Before applying the yaml configuration template to your cluster, replace **clusterUser** under **ClusterRoleBinding** with the desired user.

+ Title: Enable Container insights

+This article provides an overview of the requirements and options that are available for configuring Container insights to monitor the performance of workloads that are deployed to Kubernetes environments. You can enable Container insights for a new deployment or for one or more existing deployments of Kubernetes by using a number of supported methods.

+## Supported configurations

+Container insights supports the following environments:

+## Supported Kubernetes versions

+The versions of Kubernetes and support policy are the same as those [supported in Azure Kubernetes Service (AKS)](../../aks/supported-kubernetes-versions.md).

+**Log Analytics workspace**

+Container insights supports a [Log Analytics workspace](../logs/log-analytics-workspace-overview.md) in the regions that are listed in [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?regions=all&products=monitor). For a list of the supported mapping pairs to use for the default workspace, see [Region mappings supported by Container insights](container-insights-region-mapping.md).

+You can let the onboarding experience create a default workspace in the default resource group of the AKS cluster subscription. If you already have a workspace though, then you will most likely want to use that one. See [Designing your Azure Monitor Logs deployment](../logs/design-logs-deployment.md) for details.

+An AKS cluster can be attached to a Log Analytics workspace in a different Azure subscription in the same Azure AD Tenant. This cannot currently be done with the Azure portal, but can be done with Azure CLI or Resource Manager template.

+**Permissions**

+To enable container monitoring, you require the following permissions:

+- Member of the [Log Analytics contributor](../logs/manage-access.md#azure-rbac) role.

+- Member of the [*Owner* group](../../role-based-access-control/built-in-roles.md#owner) on any AKS cluster resources.

+To enable container monitoring, you require the following permissions:

+- Member of [Log Analytics reader](../logs/manage-access.md#azure-rbac) role if you aren't already a member of [Log Analytics contributor](../logs/manage-access.md#azure-rbac).

+**Prometheus**

+Prometheus metrics aren't collected by default. Before you [configure the agent](container-insights-prometheus-integration.md) to collect the metrics, it's important to review the [Prometheus documentation](https://prometheus.io/) to understand what data can be scraped and what methods are supported.

+**Kubelet secure port**

+Log Analytics Containerized Linux Agent (replicaset pod) makes API calls to all the Windows nodes on Kubelet Secure Port (10250) within the cluster to collect Node and Container Performance related Metrics. Kubelet secure port (:10250) should be opened in the cluster's virtual network for both inbound and outbound for Windows Node and container performance related metrics collection to work.

+If you have a Kubernetes cluster with Windows nodes, then please review and configure the Network Security Group and Network Policies to make sure the Kubelet secure port (:10250) is opened for both inbound and outbound in cluster's virtual network.

+## Agent

+Container insights relies on a containerized Log Analytics agent for Linux. This specialized agent collects performance and event data from all nodes in the cluster, and the agent is automatically deployed and registered with the specified Log Analytics workspace during deployment.

+The agent version is *microsoft/oms:ciprod04202018* or later, and it's represented by a date in the following format: *mmddyyyy*. When a new version of the agent is released, it's automatically upgraded on your managed Kubernetes clusters that are hosted on Azure Kubernetes Service (AKS). To track which versions are released, see [agent release announcements](https://github.com/microsoft/docker-provider/tree/ci_feature_prod).

+> If you've already deployed an AKS cluster and enabled monitoring using either the Azure CLI or a Azure Resource Manager template, you can't use `kubectl` to upgrade, delete, redeploy, or deploy the agent. The template needs to be deployed in the same resource group as the cluster.

+## Installation options

+| Deployment state | Method |

+||--|

+| New Kubernetes cluster | [Enable monitoring for a new AKS cluster using the Azure CLI](../../aks/learn/quick-kubernetes-deploy-cli.md)|

+| | [Enable for a new AKS cluster by using the open-source tool Terraform](container-insights-enable-new-cluster.md#enable-using-terraform)|

+| | [Enable for a new OpenShift cluster by using an Azure Resource Manager template](container-insights-azure-redhat-setup.md#enable-for-a-new-cluster-using-an-azure-resource-manager-template) |

+| | [Enable for a new OpenShift cluster by using the Azure CLI](/cli/azure/openshift#az-openshift-create) |

+| Existing AKS cluster | [Enable monitoring for an existing AKS cluster using the Azure CLI](container-insights-enable-existing-clusters.md#enable-using-azure-cli) |

+| |[Enable for an existing AKS cluster using Terraform](container-insights-enable-existing-clusters.md#enable-using-terraform) |

+| | [Enable for an existing AKS cluster from Azure Monitor](container-insights-enable-existing-clusters.md#enable-from-azure-monitor-in-the-portal)|

+| | [Enable directly from an AKS cluster in the Azure portal](container-insights-enable-existing-clusters.md#enable-directly-from-aks-cluster-in-the-portal)|

+| | [Enable for AKS cluster using an Azure Resource Manager template](container-insights-enable-existing-clusters.md#enable-using-an-azure-resource-manager-template)|

+| Existing non-AKS Kubernetes cluster | [Enable for non-AKS Kubernetes cluster hosted outside of Azure and enabled with Azure Arc using the Azure CLI](container-insights-enable-arc-enabled-clusters.md#create-extension-instance-using-azure-cli). |

+| | [Enable for non-AKS Kubernetes cluster hosted outside of Azure and enabled with Azure Arc using a preconfigured Azure Resource Manager template](container-insights-enable-arc-enabled-clusters.md#create-extension-instance-using-azure-resource-manager) |

+| | [Enable for non-AKS Kubernetes cluster hosted outside of Azure and enabled with Azure Arc from the multicluster page Azure Monitor](container-insights-enable-arc-enabled-clusters.md#create-extension-instance-using-azure-portal) |

+Once you've enabled monitoring, you can begin analyzing the performance of your Kubernetes clusters that are hosted on Azure Kubernetes Service (AKS), Azure Stack, or another environment. To learn how to use Container insights, see [View Kubernetes cluster performance](container-insights-analyze.md).

+Container insights gives you performance visibility by collecting memory and processor metrics from controllers, nodes, and containers that are available in Kubernetes through the Metrics API. After you enable monitoring from Kubernetes clusters, metrics and Container logs are automatically collected for you through a containerized version of the Log Analytics agent for Linux. Metrics are sent to the [metrics database in Azure Monitor](../essentials/data-platform-metrics.md), and log data is sent to your [Log Analytics workspace](../logs/log-analytics-workspace-overview.md).

+## Features of Container insights

+Container insights delivers a comprehensive monitoring experience to understand the performance and health of your Kubernetes cluster and container workloads.

+- Identify resource bottlenecks by identifying AKS containers running on the node and their average processor and memory utilization.

+- Identify processor and memory utilization of container groups and their containers hosted in Azure Container Instances.

+- View the controller's or pod's overall performance by identifying where the container resides in a controller or a pod.

+- Review the resource utilization of workloads running on the host that are unrelated to the standard processes that support the pod.

+- Identify capacity needs and determine the maximum load that the cluster can sustain by understanding the behavior of the cluster under average and heaviest loads.

+- Configure alerts to proactively notify you or record it when CPU and memory utilization on nodes or containers exceed your thresholds, or when a health state change occurs in the cluster at the infrastructure or nodes health rollup.

+- Integrate with [Prometheus](https://prometheus.io/docs/introduction/overview/) to view application and workload metrics it collects from nodes and Kubernetes using [queries](container-insights-log-query.md) to create custom alerts, dashboards, and perform detailed analysis.

+- Monitor container workloads [deployed to AKS Engine](https://github.com/Azure/aks-engine) on-premises and [AKS Engine on Azure Stack](/azure-stack/user/azure-stack-kubernetes-aks-engine-overview).

+- Monitor container workloads [deployed to Azure Arc-enabled Kubernetes](../../azure-arc/kubernetes/overview.md).

+Check out the following video providing an intermediate level deep dive to help you learn about monitoring your AKS cluster with Container insights. Note that the video refers to *Azure Monitor for Containers* which is the previous name for *Container insights*.

+[!VIDEO https://www.youtube.com/embed/XEdwGvS2AwA]

+## How to access Container insights

+Access Container insights in the Azure portal from Azure Monitor or directly from the selected AKS cluster. The Azure Monitor menu gives you the global perspective of all the containers deployed amd which are monitored, allowing you to search and filter across your subscriptions and resource groups. You can then drill into Container insights from the selected container. Access Container insights for a particular AKS container directly from the AKS page.

+## Differences between Windows and Linux clusters

+The main differences in monitoring a Windows Server cluster compared to a Linux cluster include the following:

+- Windows doesn't have a Memory RSS metric, and as a result it isn't available for Windows node and containers. The [Working Set](/windows/win32/memory/working-set) metric is available.

+- Disk storage capacity information isn't available for Windows nodes.

+- Only pod environments are monitored, not Docker environments.

+- With the preview release, a maximum of 30 Windows Server containers are supported. This limitation doesn't apply to Linux containers.

+ Title: Transition from the Container Monitoring Solution to using Container Insights

+Use the following steps to diagnose the problem if you can't view status information or no results are returned from a log query:

+4. Check the status of the pod to verify that it's running using the command: `kubectl get pods --namespace=kube-system`

+| Error Message `Error retrieving data` | While Azure Kubernetes Service cluster is setting up for health and performance monitoring, a connection is established between the cluster and Azure Log Analytics workspace. A Log Analytics workspace is used to store all monitoring data for your cluster. This error may occur when your Log Analytics workspace has been deleted. Check if the workspace was deleted. If it was, you'll need to re-enable monitoring of your cluster with Container insights and either specify an existing workspace or create a new one. To re-enable, you'll need to [disable](container-insights-optout.md) monitoring for the cluster and [enable](container-insights-enable-new-cluster.md) Container insights again. |

+| `Error retrieving data` after adding Container insights through az aks cli | When enable monitoring using `az aks cli`, Container insights may not be properly deployed. Check whether the solution is deployed. To verify, go to your Log Analytics workspace and see if the solution is available by selecting **Solutions** from the pane on the left-hand side. To resolve this issue, you'll need to redeploy the solution by following the instructions on [how to deploy Container insights](container-insights-onboard.md) |

+To help diagnose the problem, we've provided a [troubleshooting script](https://github.com/microsoft/Docker-Provider/tree/ci_dev/scripts/troubleshoot).

+## Container insights agent ReplicaSet Pods aren't scheduled on non-Azure Kubernetes cluster

+Container insights agent pods use the cAdvisor endpoint on the node agent to gather the performance metrics. Verify the containerized agent on the node is configured to allow `cAdvisor port: 10255` to be opened on all nodes in the cluster to collect performance metrics.

+## Non-Azure Kubernetes cluster aren't showing in Container insights

+ For clusters with MSI, the user assigned client ID for omsagent changes every time monitoring is enabled and disabled, so the role assignment should exist on the current msi client ID.

+The error _manifests contain a resource that already exists_ indicates that resources of the Container Insights agent already exist on the Azure Arc Enabled Kubernetes cluster. This indicates that the container insights agent is already installed, either through azuremonitor-containers HELM chart or Monitoring Addon if it's AKS Cluster that's connected Azure Arc. The solution to this issue is to clean up the existing resources of container insights agent if it exists. Then enable Azure Monitor Containers Extension.

+1. Against the K8s cluster that's connected to Azure Arc, run below command to verify whether the azmon-containers-release-1 helm chart release exists or not:

+1. Run the following commands and look for omsagent addon profile to verify whether the AKS monitoring addon is enabled:

+2. If the output includes an omsagent addon profile config with a log analytics workspace resource ID, this indicates that AKS Monitoring addon is enabled and needs to be disabled:

+If above steps didnΓÇÖt resolve the installation of Azure Monitor Containers Extension issues, create a ticket to Microsoft for further investigation.

+ms.tool: azure-cli

+This example configures the `ContainerLogV2` table for Basic Logs.

+Container Insights uses ContainerLog by default, to switch to using ContainerLogV2, please follow these [instructions](../containers/container-insights-logging-v2.md) before attempting to convert the table to Basic Logs.

+PATCH https://management.azure.com/subscriptions/ContosoSID/resourcegroups/ContosoRG/providers/Microsoft.OperationalInsights/workspaces/ContosoWorkspace/tables/ContainerLogV2?api-version=2021-12-01-preview

+ "name": "ContainerLogV2"

+ az monitor log-analytics workspace table update --subscription ContosoSID --resource-group ContosoRG --workspace-name ContosoWorkspace --name ContainerLogV2 --plan Basic

+ az monitor log-analytics workspace table update --subscription ContosoSID --resource-group ContosoRG --workspace-name ContosoWorkspace --name ContainerLogV2 --plan Analytics

+GET https://management.azure.com/subscriptions/ContosoSID/resourcegroups/ContosoRG/providers/Microsoft.OperationalInsights/workspaces/ContosoWorkspace/tables/ContainerLogV2?api-version=2021-12-01-preview

+ "name": "ContainerLogV2"

+1. If the TCP connection over the defined ADDS/AADDS LDAP service port is successful, then the Azure NetApp Files LDAP client attempts to ΓÇ£bindΓÇ¥ (sign in) to the ADDS/AADDS LDAP server (domain controller) by using the defined credentials in the LDAP client configuration.

+ 1. Select **Active Directory connections**. On an existing Active Directory connection, select the context menu (the three dots `…`), and select **Edit**.

+* [Configure an NFS client for Azure NetApp Files](configure-nfs-clients.md)

+The NFS client configuration described in this article is part of the setup when you [configure NFSv4.1 Kerberos encryption](configure-kerberos-encryption.md) or [create a dual-protocol volume](create-volumes-dual-protocol.md) or [NFSv3/NFSv4.1 with LDAP](configure-ldap-extended-groups.md). A wide variety of Linux distributions are available to use with Azure NetApp Files. This article describes configurations for two of the more commonly used environments: RHEL 8 and Ubuntu 18.04.

+* Learn more in [Azure Support FAQ](https://azure.microsoft.com/support/faq)

+Tags are metadata elements that you apply to your Azure resources. They're key-value pairs that help you identify resources based on settings that are relevant to your organization. If you want to track the deployment environment for your resources, add a key named Environment. To identify the resources deployed to production, give them a value of Production. Fully formed, the key-value pair becomes, Environment = Production.

+You can apply tags to your Azure resources, resource groups, and subscriptions.

+> Tag names are case-insensitive for operations. A tag with a tag name, regardless of the casing, is updated or retrieved. However, the resource provider might keep the casing you provide for the tag name. You'll see that casing in cost reports.

+- You can have write access to the `Microsoft.Resources/tags` resource type. This access lets you tag any resource, even if you don't have access to the resource itself. The [Tag Contributor](../../role-based-access-control/built-in-roles.md#tag-contributor) role grants this access. The tag contributor role, for example, can't apply tags to resources or resource groups through the portal. It can, however, apply tags to subscriptions through the portal. It supports all tag operations through Azure PowerShell and REST API.

+- You can have write access to the resource itself. The [Contributor](../../role-based-access-control/built-in-roles.md#contributor) role grants the required access to apply tags to any entity. To apply tags to only one resource type, use the contributor role for that resource. To apply tags to virtual machines, for example, use the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor).

+Azure PowerShell offers two commands to apply tags: [New-AzTag](/powershell/module/az.resources/new-aztag) and [Update-AzTag](/powershell/module/az.resources/update-aztag). You need to have the `Az.Resources` module 1.12.0 version or later. You can check your version with `Get-InstalledModule -Name Az.Resources`. You can install that module or [install Azure PowerShell](/powershell/azure/install-az-ps) version 3.6.1 or later.

+The `New-AzTag` replaces all tags on the resource, resource group, or subscription. When you call the command, pass the resource ID of the entity you want to tag.

+If you run the command again, but this time with different tags, notice that the earlier tags disappear.

+Notice that the existing tags grow with the addition of the two new tags.

+Each tag name can have only one value. If you provide a new value for a tag, it replaces the old value even if you use the merge operation. The following example changes the `Status` tag from _Normal_ to _Green_.

+When you set the `-Operation` parameter to `Replace`, the new set of tags replaces the existing tags.

+The same commands also work with resource groups or subscriptions. Pass them in the identifier of the resource group or subscription you want to tag.

+To get the tags for a resource, resource group, or subscription, use the [Get-AzTag](/powershell/module/az.resources/get-aztag) command and pass the resource ID of the entity.

+To remove specific tags, use `Update-AzTag` and set `-Operation` to `Delete`. Pass the resource IDs of the tags you want to delete.

+Azure CLI offers two commands to apply tags: [az tag create](/cli/azure/tag#az-tag-create) and [az tag update](/cli/azure/tag#az-tag-update). You need to have the Azure CLI 2.10.0 version or later. You can check your version with `az version`. To update or install it, see [Install the Azure CLI](/cli/azure/install-azure-cli).

+The `az tag create` replaces all tags on the resource, resource group, or subscription. When you call the command, pass the resource ID of the entity you want to tag.

+If you run the command again, but this time with different tags, notice that the earlier tags disappear.

+Notice that the existing tags grow with the addition of the two new tags.

+Each tag name can have only one value. If you provide a new value for a tag, the new tag replaces the old value, even if you use the merge operation. The following example changes the `Status` tag from _Normal_ to _Green_.

+When you set the `--operation` parameter to `Replace`, the new set of tags replaces the existing tags.

+The same commands also work with resource groups or subscriptions. Pass them in the identifier of the resource group or subscription you want to tag.

+To get the tags for a resource, resource group, or subscription, use the [az tag list](/cli/azure/tag#az-tag-list) command and pass the resource ID of the entity.

+To remove specific tags, use `az tag update` and set `--operation` to `Delete`. Pass the resource ID of the tags you want to delete.

+You've removed the specified tags.

+If your tag names or values include spaces, enclose them in quotation marks.

+You can tag resources, resource groups, and subscriptions during deployment with an ARM template.

+You can define an object parameter that stores several tags and apply that object to the tag element. This approach provides more flexibility than the previous example because the object can have different properties. Each property in the object becomes a separate tag for the resource. The following example has a parameter named `tagValues` that's applied to the tag element.

+To apply tags from a resource group to a resource, use the [resourceGroup()](../templates/template-functions-resource.md#resourcegroup) function. When you get the tag value, use the `tags[tag-name]` syntax instead of the `tags.tag-name` syntax, because some characters aren't parsed correctly in the dot notation.

+You can add tags to a resource group or subscription by deploying the `Microsoft.Resources/tags` resource type. You can apply the tags to the target resource group or subscription you want to deploy. Each time you deploy the template you replace any previous tags.

+To apply the tags to a resource group, use either Azure PowerShell or Azure CLI. Deploy to the resource group that you want to tag.

+For examples of applying tags with SDKs, see:

+Resources don't inherit the tags you apply to a resource group or a subscription. To apply tags from a subscription or resource group to the resources, see [Azure Policies - tags](tag-policies.md).

+You can use tags to group your billing data. If you're running multiple VMs for different organizations, for example, use the tags to group usage by cost center. You can also use tags to categorize costs by runtime environment, such as the billing usage for VMs running in the production environment.

+You can retrieve information about tags by downloading the usage file available from the Azure portal. For more information, see [Download or view your Azure billing invoice and daily usage data](../../cost-management-billing/manage/download-azure-invoice-daily-usage-date.md). For services that support tags with billing, the tags appear in the **Tags** column.

+* Each resource, resource group, and subscription can have a maximum of 50 tag name-value pairs. If you need to apply more tags than the maximum allowed number, use a JSON string for the tag value. The JSON string can contain many of the values that you apply to a single tag name. A resource group or subscription can contain many resources that each have 50 tag name-value pairs.

+* The tag name has a limit of 512 characters and the tag value has a limit of 256 characters. For storage accounts, the tag name has a limit of 128 characters and the tag value has a limit of 256 characters.

+* Classic resources such as Cloud Services don't support tags.

+* Azure IP Groups and Azure Firewall Policies don't support PATCH operations. PATCH API method operations, therefore, can't update tags through the portal. Instead, you can use the update commands for those resources. You can update tags for an IP group, for example, with the [az network ip-group update](/cli/azure/network/ip-group#az-network-ip-group-update) command.

+ > * Azure Domain Name System (DNS) zones don't support the use of spaces in the tag or a tag that starts with a number. Azure DNS tag names don't support special and unicode characters. The value can contain all characters.

+ > * Azure Content Delivery Network (CDN)

+Ready to start?

+> [!div class="nextstepaction"]

+> [Step by step build](#prerequisites)

+> [!div class="nextstepaction"]

+> [Try chat demo now](https://asrs-simplechat-live-demo.azurewebsites.net/)

+Ready to start?

+> [!div class="nextstepaction"]

+> [Step by step build](#prerequisites)

+> [!div class="nextstepaction"]

+> [Try Blazor demo now](https://asrs-blazorchat-live-demo.azurewebsites.net/chatroom)

+## Quick start

+> [!div class="nextstepaction"]

+> [Play with chat demo](https://azure.github.io/azure-webpubsub/demos/chat)

+> [!div class="nextstepaction"]

+> [Build a chat app](tutorial-build-chat.md)

+ const hub = "myHub1";

+- Avoid deleting and recreating protected folders with the same names in the top-level folder. Doing so could result in the backup completing with warnings with the error: *A critical inconsistency was detected, therefore changes cannot be replicated.* If you need to delete and recreate folders, then consider doing so in subfolders under the protected top-level folder.

+| <br />Error 34506. The encryption passphrase stored on this computer is not correctly configured. | <li> The scratch folder is located on a volume that doesn't have enough space. <li> The scratch folder has been incorrectly moved. <li> The OnlineBackup.KEK file is missing. | <li>Upgrade to the [latest version](https://aka.ms/azurebackup_agent) of the MARS Agent.<li>Move the scratch folder or cache location to a volume with free space that's between 5% and 10% of the total size of the backup data. To correctly move the cache location, refer to the steps in [Common questions about backing up files and folders](./backup-azure-file-folder-backup-faq.yml).<li> Ensure that the OnlineBackup.KEK file is present. <br>*The default location for the scratch folder or the cache path is C:\Program Files\Microsoft Azure Recovery Services Agent\Scratch*. <li> If you've recently moved your scratch folder, ensure that the path of your scratch folder location matches the values of the registry key entries shown below: <br><br> **Registry path**: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Azure Backup\Config` <br> **Registry Key**: ScratchLocation <br> **Value**: *New cache folder location* <br><br>**Registry path**: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Azure Backup\Config\CloudBackupProvider` <br> **Registry Key**: ScratchLocation <br> **Value**: *New cache folder location* |

+ms.devlang: azurecli

+ms.tool: azure-cli

+| Rel 22-05 | [5013941] | Latest Cumulative Update(LCU) | [6.44] | May 10, 2022 |

+| Rel 22-05 | [5011486] | IE Cumulative Updates | [2.123], [3.110], [4.103] | Mar 8, 2022 |

+| Rel 22-05 | [5013944] | Latest Cumulative Update(LCU) | [7.12] | May 10, 2022 |

+| Rel 22-05 | [5013952] | Latest Cumulative Update(LCU) | [5.68] | May 10, 2022 |

+| Rel 22-05 | [5013637] | .NET Framework 3.5 Security and Quality Rollup | [2.123] | May 10, 2022 |

+| Rel 22-05 | [5012141] | .NET Framework 4.5.2 Security and Quality Rollup | [2.123] | Apr 12, 2022 |

+| Rel 22-05 | [5013638] | .NET Framework 3.5 Security and Quality Rollup | [4.103] | May 10, 2022 |

+| Rel 22-05 | [5012142] | .NET Framework 4.5.2 Security and Quality Rollup | [4.103] | Apr 12, 2022 |

+| Rel 22-05 | [5013635] | .NET Framework 3.5 Security and Quality Rollup | [3.110] | May 10, 2022 |

+| Rel 22-05 | [5012140] | . NET Framework 4.5.2 Security and Quality Rollup | [3.110] | Apr 12, 2022 |

+| Rel 22-05 | [5013641] | . NET Framework 3.5 and 4.7.2 Cumulative Update | [6.44] | May 10, 2022 |

+| Rel 22-05 | [5013630] | .NET Framework 4.8 Security and Quality Rollup | [7.12] | May 10, 2022 |

+| Rel 22-05 | [5014012] | Monthly Rollup | [2.123] | May 10, 2022 |

+| Rel 22-05 | [5014017] | Monthly Rollup | [3.110] | May 10, 2022 |

+| Rel 22-05 | [5014011] | Monthly Rollup | [4.103] | May 10, 2022 |

+| Rel 22-05 | [5014027] | Servicing Stack update | [3.110] | May 10, 2022 |

+| Rel 22-05 | [5014025] | Servicing Stack update | [4.103] | May 10, 2022 |

+| Rel 22-05 | [4578013] | Standalone Security Update | [4.103] | Aug 19, 2020 |

+| Rel 22-05 | [5014026] | Servicing Stack update | [5.68] | May 10, 2022 |

+| Rel 22-05 | [5011649] | Servicing Stack update | [2.123] | Mar 8, 2022 |

+| Rel 22-05 | [4494175] | Microcode | [5.68] | Sep 1, 2020 |

+| Rel 22-05 | [4494174] | Microcode | [6.44] | Sep 1, 2020 |

+[2.123]: ./cloud-services-guestos-update-matrix.md#family-2-releases

+[3.110]: ./cloud-services-guestos-update-matrix.md#family-3-releases

+[4.103]: ./cloud-services-guestos-update-matrix.md#family-4-releases

+[5.68]: ./cloud-services-guestos-update-matrix.md#family-5-releases

+[6.44]: ./cloud-services-guestos-update-matrix.md#family-6-releases

+[7.12]: ./cloud-services-guestos-update-matrix.md#family-7-releases

+###### **May 26, 2022**

+The May Guest OS has released.

+| WA-GUEST-OS-7.12_202205-01 | May 26, 2022 | Post 7.14 |

+|~~WA-GUEST-OS-7.10_202203-01~| March 19, 2022 | May 26, 2022 |

+| WA-GUEST-OS-6.44_202205-01 | May 26, 2022 | Post 6.46 |

+|~~WA-GUEST-OS-6.42_202203-01~| March 19, 2022 | May 26, 2022 |

+| WA-GUEST-OS-5.68_202205-01 | May 26, 2022 | Post 5.70 |

+|~~WA-GUEST-OS-5.66_202203-01~~| March 19, 2022 | May 26, 2022 |

+| WA-GUEST-OS-4.103_202205-01 | May 26, 2022 | Post 4.105 |

+|~~WA-GUEST-OS-4.101_202203-01~| March 19, 2022 | May 26, 2022 |

+| WA-GUEST-OS-3.110_202205-01 | May 26, 2022 | Post 3.112 |

+|~~WA-GUEST-OS-3.108_202203-01~~| March 19, 2022 | May 26, 2022 |

+| WA-GUEST-OS-2.123_202205-01 | May 26, 2022 | Post 2.125 |

+|~~WA-GUEST-OS-2.121_202203-01~~| March 19, 2022 | May 26, 2022 |

+ms.tool: terraform

+You can adapt the neural text-to-speech engine to fit your needs. To create a custom neural voice, use [Speech Studio](https://aka.ms/speechstudio/customvoice) to upload the recorded audio and corresponding scripts, train the model, and deploy the voice to a custom endpoint. Custom Neural Voice can use text provided by the user to convert text into speech in real time, or generate audio content offline with text input. You can do this by using the [REST API](./rest-text-to-speech.md), the [Speech SDK](./get-started-text-to-speech.md), or the [web portal](https://speech.microsoft.com/audiocontentcreation).

+1. [Test recognition quality](how-to-custom-speech-inspect-data.md). Use the [Speech Studio](https://aka.ms/speechstudio/customspeech) to play back uploaded audio and inspect the speech recognition quality of your test data.

+> [!NOTE]

+> Exporting a Custom Commands application as a remote skill is a limited preview feature.

+1. Sign in to the [Speech Studio](https://aka.ms/speechstudio/customspeech).

+1. Sign in to the [Speech Studio](https://aka.ms/speechstudio/customspeech).

+1. Sign in to the [Speech Studio](https://aka.ms/speechstudio/customspeech).

+1. Sign in to the [Speech Studio](https://aka.ms/speechstudio/customspeech).

+1. Sign in to the [Speech Studio](https://aka.ms/speechstudio/customspeech).

+1. Sign in to the [Speech Studio](https://aka.ms/speechstudio/customspeech).

+1. Sign in to the [Speech Studio](https://aka.ms/speechstudio/customspeech).

+1. Sign in to the [Speech Studio](https://aka.ms/speechstudio/customspeech).

+1. Sign in to the [Speech Studio](https://aka.ms/speechstudio/customspeech).

+1. Sign in to [Speech Studio](https://aka.ms/speechstudio/customvoice), and then select **Custom Voice**.

+1. Sign in to [Speech Studio](https://aka.ms/speechstudio/customvoice).

+After you've prepared the training data, go to [Speech Studio](https://aka.ms/speechstudio/customvoice) to create your custom neural voice. Select at least 300 utterances to create a custom neural voice. A series of data quality checks are automatically performed when you upload them. To build high-quality voice models, you should fix any errors and submit again.

+2. Once your application is approved, you will be provided with the access to the "neural" training feature. Make sure you log in to [Speech Studio](https://aka.ms/speechstudio/customvoice) using the same Azure subscription that you provide in your application.

+1. Go to **Real-time Speech-to-text** in [Speech Studio](https://aka.ms/speechstudio/speechtotexttool).

+1. In a web browser, go to [Speech Studio](https://aka.ms/speechstudio/customcommands).

+The Speech service allows your application to convert audio to text, perform speech translation, and convert text to speech. The service is available in multiple regions with unique endpoints for the Speech SDK and REST APIs. You can perform custom configurations to your speech experience, for all regions, at the [Speech Studio](https://aka.ms/speechstudio/).

+These assets are backed up regularly and automatically by the repositories themselves, so **no data loss will occur** if a region becomes unavailable. However, you must take steps to ensure service continuity if there's a region outage.

+If you use the default endpoints, you should configure your client code to monitor for errors. If errors persist, be prepared to redirect to another region where you have a service subscription.

+4. Each region has its own STS token service. For the primary region and any backup regions your client configuration file needs to know the:

+5. Configure your code to monitor for connectivity errors (typically connection timeouts and service unavailability errors). Here's sample code in C#: [GitHub: Adding Sample for showing a possible candidate for switching regions](https://github.com/Azure-Samples/cognitive-services-speech-sdk/blob/fa6428a0837779cbeae172688e0286625e340942/samples/csharp/sharedcontent/console/speech_recognition_samples.cs#L965).

+The recovery from regional failures for this usage type can be instantaneous and at a low cost. All that is required is the development of this functionality on the client side. The data loss that will incur assuming no backup of the audio stream will be minimal.

+Data assets, models or deployments in one region can't be made visible or accessible in any other region.

+Custom Speech Service doesn't support automatic failover. We suggest the following steps to prepare for manual or automatic failover implemented in your client code. In these steps, you replicate custom models in a secondary region. With this preparation, your client code can switch to a secondary region when the primary region fails.

+Your client code can monitor availability of your deployed models in your primary region, and redirect their audio traffic to the secondary region when the primary fails. If you don't require real-time failover, you can still follow these steps to prepare for a manual failover.

+If you don't require real-time failover you can decide to import your data, create and deploy your models in the secondary region at a later time with the understanding that these tasks will take time to complete.

+It's nonetheless advisable to create keys for a primary and secondary region for production models with real-time requirements.

+Custom Voice doesn't support automatic failover. Handle real-time synthesis failures with these two options.

+2. Copy your custom voice model to another region (the secondary region) in [Speech Studio](https://aka.ms/speechstudio/).

+ - Each endpoint is subject to extra charges. [Check the pricing for model hosting here](https://azure.microsoft.com/pricing/details/cognitive-services/speech-services/).

+Speaker Recognition uses [Azure paired regions](../../availability-zones/cross-region-replication-azure.md) to automatically fail over operations. Speaker enrollments and voice signatures are backed up regularly to prevent data loss and to be used if there's an outage.

+During an outage, Speaker Recognition service will automatically fail over to a paired region and use the backed-up data to continue processing requests until the main region is back online.

+The custom speech-to-text container relies on a Custom Speech model. The custom model has to have been [trained](how-to-custom-speech-train-model.md) by using the [Speech Studio](https://aka.ms/speechstudio/customspeech).

+1. Go to the [Speech Studio](https://aka.ms/speechstudio/customspeech) portal.

+1. Go to the [Speech Studio](https://aka.ms/speechstudio/customvoice) portal.

+[Speech Studio](https://aka.ms/speechstudio/) is a set of UI-based tools for building and integrating features from Azure Cognitive Services Speech service in your applications. You create projects in Speech Studio by using a no-code approach, and then reference those assets in your applications by using the [Speech SDK](speech-sdk.md), the [Speech CLI](spx-overview.md), or the REST APIs.

+* [Real-time speech-to-text](https://aka.ms/speechstudio/speechtotexttool): Quickly test speech-to-text by dragging audio files here without having to use any code. This is a demo tool for seeing how speech-to-text works on your audio samples. To explore the full functionality, see [What is speech-to-text?](speech-to-text.md).

+* [Custom Speech](https://aka.ms/speechstudio/customspeech): Create speech recognition models that are tailored to specific vocabulary sets and styles of speaking. In contrast to the base speech recognition model, Custom Speech models become part of your unique competitive advantage because they're not publicly accessible. To get started with uploading sample audio to create a Custom Speech model, see [Upload training and testing datasets](how-to-custom-speech-upload-data.md).

+* [Pronunciation assessment](https://aka.ms/speechstudio/pronunciationassessment): Evaluate speech pronunciation and give speakers feedback on the accuracy and fluency of spoken audio. Speech Studio provides a sandbox for testing this feature quickly, without code. To use the feature with the Speech SDK in your applications, see the [Pronunciation assessment](how-to-pronunciation-assessment.md) article.

+* [Voice Gallery](https://aka.ms/speechstudio/voicegallery): Build apps and services that speak naturally. Choose from more than 170 voices in over 70 languages and variants. Bring your scenarios to life with highly expressive and human-like neural voices.

+* [Custom Voice](https://aka.ms/speechstudio/customvoice): Create custom, one-of-a-kind voices for text-to-speech. You supply audio files and create matching transcriptions in Speech Studio, and then use the custom voices in your applications. To create and use custom voices via endpoints, see [Create and use your voice model](how-to-custom-voice-create-voice.md).

+* [Audio Content Creation](https://aka.ms/speechstudio/audiocontentcreation): Build highly natural audio content for a variety of scenarios, such as audiobooks, news broadcasts, video narrations, and chat bots, with the easy-to-use [Audio Content Creation](how-to-audio-content-creation.md) tool. With Speech Studio, you can export these audio files to use in your applications.

+* [Custom Keyword](https://aka.ms/speechstudio/customkeyword): A custom keyword is a word or short phrase that you can use to voice-activate a product. You create a custom keyword in Speech Studio, and then generate a binary file to [use with the Speech SDK](custom-keyword-basics.md) in your applications.

+* [Custom Commands](https://aka.ms/speechstudio/customcommands): Easily build rich, voice-command apps that are optimized for voice-first interaction experiences. Custom Commands provides a code-free authoring experience in Speech Studio, an automatic hosting model, and relatively lower complexity. The feature helps you focus on building the best solution for your voice-command scenarios. For more information, see the [Develop Custom Commands applications](how-to-develop-custom-commands-application.md) guide. Also see [Integrate with a client application by using the Speech SDK](how-to-custom-commands-setup-speech-sdk.md).

+|Voice-command or simple task-oriented conversations with simplified authoring and hosting | [Custom Commands](custom-commands.md) | <ul><li>"Turn on the overhead light"</li><li>"Make it 5 degrees warmer"</li><li>More examples at [Speech Studio](https://aka.ms/speechstudio/customcommands)</li></ul>

+ Title: "Legacy: What are trainings and modeling? - Custom Translator"

+# What are training and modeling?

+You can view the custom translations of the testing set, and compare them to the translations provided in your testing set, by navigating to the test tab within a model.

+* Document summarization

+* Conversation summarization

+* Customer content detection

+* [**How-to guides**](how-to/conversation-summarization.md) contain instructions for using the service in more specific or customized ways.

+Due to the nature of **real-world** Reinforcement Learning, a Personalizer model can only be trained in a production environment. When deploying a new use case, the Personalizer model isn't performing efficiently because it takes time for the model to be sufficiently trained. **Apprentice mode** is a learning behavior that eases this situation and allows you to gain confidence in the model ΓÇô without the developer changing any code.

+* Mitigating **Cold Starts**: Apprentice mode helps manage and assess the cost of a "new" model's learning time - when it isn't returning the best action and not achieved a satisfactory level of effectiveness of around 60-80%.

+* You're implementing Personalizer in a new use case.

+* You've significantly changed the features you send in Context or Actions.

+* You've significantly changed when and how you calculate rewards.

+Apprentice mode isn't an effective way of measuring the impact Personalizer is having on reward scores. To measure how effective Personalizer is at choosing the best possible action for each Rank call, use [Offline evaluations](concepts-offline-evaluation.md).

+* **Business Decision Makers** can use Apprentice mode to assess the potential of Personalizer to improve results (i.e. rewards) compared to existing business logic. This allows them to make an informed decision impacting user experience, where real revenue and user satisfaction are at stake.

+|Learning effectiveness "Ceiling"|Personalizer can approximate, very rarely match, and never exceed the performance of your base business logic (the reward total achieved by the **default action** of each Rank call). This approximation ceiling is reduced by exploration. For example, with exploration at 20% it's very unlikely apprentice mode performance will exceed 80%, and 60% is a reasonable target at which to graduate to online mode.|Personalizer should exceed applications baseline, and over time where it stalls you should conduct on offline evaluation and feature evaluation to continue to get improvements to the model. |

+|Rank API value for rewardActionId|The users' experience doesnΓÇÖt get impacted, as _rewardActionId_ is always the first action you send in the Rank request. In other words, the Rank API does nothing visible for your application during Apprentice mode. Reward APIs in your application shouldn't change how it uses the Reward API between one mode and another.|Users' experience will be changed by the _rewardActionId_ that Personalizer chooses for your application. |

+In some scenarios such as news or entertainment, the baseline item could be manually assigned by an editorial team. This means humans are using their knowledge about the broader world, and understanding of what may be appealing content, to choose specific articles or media out of a pool, and flagging them as "preferred" or "hero" articles. Because these editors aren't an algorithm, and the factors considered by editors can be nuanced and not included as features of the context and actions, Apprentice mode is unlikely to be able to predict the next baseline action. In these situations you can:

+* Test Personalizer in Online Mode: Apprentice mode not predicting baselines doesn't imply Personalizer can't achieve as-good or even better results. Consider putting Personalizer in Online Mode for a period of time or in an A/B test if you have the infrastructure, and then run an Offline Evaluation to assess the difference.

+If apprentice mode is learning and attaining Matched rewards above zero but seems to be growing slowly (not getting to 60% to 80% matched rewards within two weeks), it's possible that the challenge is having too little data. Taking the following steps could accelerate the learning.

+4. Reducing Actions per Event: Personalizer will use the Explore % setting to discover preferences and trends. When a Rank call has more actions, the chance of an Action being chosen for exploration becomes lower. Reduce the number of actions sent in each Rank call to a smaller number, to less than 10. This can be a temporary adjustment to show that Apprentice Mode has the right data to match rewards.

+Set up the Personalizer in Apprentice Mode and create a script that calls Rank with the actions and context features from the historical data. Call the Reward API based on your calculations of the records in this data. You'll need approximately 50,000 historical events to see some results but 500,000 is recommended for higher confidence in the results.

+When training from historical data, it's recommended that the data sent in (features for context and actions, their layout in the JSON used for Rank requests, and the calculation of reward in this training data set), matches the data (features and calculation of reward) available from the existing application.

+It's only useful to do A/B tests of Personalizer treatments once it has been validated and is learning in Online mode. In Apprentice mode, only the **default action** is used, which means all users would effectively see the control experience.

+* See what features aren't important, and potentially remove them or further analyze what may be affecting usage.

+The feature importance results don't represent other policies and models tested or created during the evaluation. The evaluation won't include features sent to Personalizer after the end of the evaluation period.

+* Whether the feature comes from Context or Actions

+* Feature Key and Value

+For example, an ice cream shop ordering app may see `Context.Weather:Hot` as a very important feature.

+For example, you may see `Context.Weather:Hot` *with* `Action.MenuItem:IceCream` as well as `Context.Weather:Cold` *with* `Action.MenuItem:WarmTea:`.

+### See what features aren't important

+Potentially remove unimportant features or further analyze what may affect usage. Features may rank low for many reasons. One could be that genuinely the feature doesn't affect user behavior. But it could also mean that the feature isn't apparent to the user.

+Provide guidance about new content or products worth bringing into the catalog. Personalizer is designed to be a tool that augments human insight and teams. One way it does this is by providing information to editorial groups on what is it about products, articles or content that drives behavior. For example, the video application scenario may show that there's an important feature called "Action.VideoEntities.Cat:true", prompting the editorial team to bring in more cat videos.

+* Sending personally identifiable information (PII). PII specific to one individual (such as name, phone number, credit card numbers, IP Addresses) shouldn't be used with Personalizer. If your application needs to track users, use a non-identifying UUID or some other UserID number. In most scenarios this is also problematic.

+* With large numbers of users, it's unlikely that each user's interaction will weigh more than all the population's interaction, so sending user IDs (even if non-PII) will probably add more noise than value to the model.

+* Sending date-time fields as precise timestamps instead of featurized time values. Having features such as Context.TimeStamp.Day=Monday or "Context.TimeStamp.Hour"="13" is more useful. There will be at most 7 or 24 feature values for each. But `"Context.TimeStamp":"1985-04-12T23:20:50.52Z"` is so precise that there will be no way to learn from it because it will never happen again.

+Unlike some approaches to reinforcement learning, Personalizer doesn't require a simulation to work in. Its learning algorithms are designed to react to an outside world (versus control it) and learn from each data point with an understanding that it's a unique opportunity that cost time and money to create, and that there's a non-zero regret (loss of possible reward) if suboptimal performance happens.

+* Dudík et al. [2011a, b]

+ It's unlikely most applications will reach the maximum joining and training throughput of Personalizer. While reaching this maximum won't slow down the application, it would imply event hub queues are getting filled internally faster than they can be cleaned up.

+For example, if your average payload has 500 features and each is an estimated 20 characters, then each event is approximately 10 kb. With these estimates, 20,000,000 / 10,000 = 2,000 events/sec, which is about 173 million events/day.

+If you're reaching these limits, please contact our support team for architecture advice.

+1. In order to clear all data, and reset the learning loop to the original state, select all three check boxes.

+ |Logged personalization and reward data.|This logging data is used in offline evaluations. Clear the data if you're resetting your resource.|

+ |Set the learning policy to default.|If you've changed the learning policy as part of an offline evaluation, this resets to the original learning policy.|

+ Title: Use direct routing to connect existing telephony service

+description: Learn how to add a Session Border Controller and configure voice routing for Azure Communication Services direct routing.

+# Use direct routing to connect to existing telephony service

+2. Enter a fully qualified domain name and signaling port for the SBC.

+ - SBC certificate must match the name; wildcard certificates are supported.

+ - The *.onmicrosoft.com domain canΓÇÖt be used for the FQDN of the SBC.

+ For the full list of requirements, refer to [Azure direct routing infrastructure requirements](./direct-routing-infrastructure.md).

+ :::image type="content" source="../media/direct-routing-provisioning/add-session-border-controller.png" alt-text="Screenshot of Adding Session Border Controller.":::

+3. When you're done, select Next.

+ If everything is set up correctly, you should see an exchange of OPTIONS messages between Microsoft and your Session Border Controller. Use your SBC monitoring/logs to validate the connection.

+Azure Communication Services direct routing has a routing mechanism that allows a call to be sent to a specific SBC based on the called number pattern.

+When you add a direct routing configuration to a resource, all calls made from this resourceΓÇÖs instances (identities) will try a direct routing trunk first. The routing is based on a dialed number and a match in voice routes configured for the resource.

+- If there's a match, the call goes through the direct routing trunk.

+- If there's no match, the next step is to process the `alternateCallerId` parameter of the `callAgent.startCall` method.

+- If the resource is enabled for Voice Calling (PSTN) and has at least one number purchased from Microsoft, the `alternateCallerId` is checked.

+- If the `alternateCallerId` matches a purchased number for the resource, the call is routed through the Voice Calling (PSTN) using Microsoft infrastructure.

+- If `alternateCallerId` parameter doesn't match any of the purchased numbers, the call will fail.

+The diagram below demonstrates the Azure Communication Services voice routing logic.

+Give your voice route a name, specify the number pattern using regular expressions, and select SBC for that pattern.

+#### To delete a voice route:

+

+

+

+Make sure online meeting is enable for the calendar by going to https://outlook.office.com/bookings/services.

+

+And then make sure "Add online meeting" is enable.

+

+[ ](./media/virtual-visits/sample-builder-start.png#lightbox)

+[ ](./media/virtual-visits/sample-builder-landing.png#lightbox)

+

+

+

+Opening the App ServiceΓÇÖs URL and navigating to `https://<YOUR URL>/VISIT` allows you to try out the consumer experience and join a Teams meeting. `https://<YOUR URL>/BOOK` embeds the Booking experience for consumer scheduling.

+

+### Step 5 - Set deployed app URL in Bookings

+Copy your application url into your calendar Business information setting by going to https://outlook.office.com/bookings/businessinformation.

+

+Consumers want to jump directly to the virtual visit from the scheduling reminders they receive from Bookings. In Bookings, you can provide a URL prefix that will be used in reminders. If your prefix is `https://<YOUR URL>/VISIT`, Bookings will point users to `https://<YOUR URL>/VISIT?MEETINGURL=<MEETING URL>.`

+For more information, see the Gramine's [sample application and deployment on AKS](https://github.com/gramineproject/contrib/tree/master/Examples/aks-attestation)

+- [Azure Kubernetes Service (AKS)](../aks/intro-kubernetes.md)

+ port: 8081

+You can use Apache Cassandra client drivers to connect to the Cassandra API. The Cassandra API enables you to interact with data using the Cassandra Query Language (CQL), and tools like CQL shell, Cassandra client drivers that you're already familiar with. Cassandra API currently only supports OLTP scenarios. Using Cassandra API, you can also use the unique features of Azure Cosmos DB such as [change feed](cassandra-change-feed.md). To learn more, see [Cassandra API](cassandra-introduction.md) article. If you're already familiar with Apache Cassandra, but new to Azure Cosmos DB, we recommend our article on [how to adapt to the Cassandra API if you are coming from Apache Cassandra](./cassandr).

+You also need to install the [Gremlin Console](https://tinkerpop.apache.org/download.html). The **recommended version is v3.4.13**. (To use Gremlin Console on Windows, you need to install [Java Runtime](https://www.oracle.com/technetwork/java/javase/overview/https://docsupdatetracker.net/index.html), minimum requires Java 8 but it is preferable to use Java 11).

+6. You can also install the Gremlin.Net@v3.4.13 driver manually using the NuGet package manager, or the [NuGet command-line utility](/nuget/install-nuget-client-tools):

+ nuget install Gremlin.NET -Version 3.4.13

+> The supported Gremlin.NET driver version for Gremlin API is available [here](gremlin-support.md#compatible-client-libraries). Latest released versions of Gremlin.NET may see incompatibilities, so please check the linked table for compatibility updates.

+- [Gremlin-driver 3.4.13](https://mvnrepository.com/artifact/org.apache.tinkerpop/gremlin-driver/3.4.13), this dependency is mentioned in the quickstart sample's pom.xml

+| Download | Source | Getting Started | Supported/Recommended connector version |

+| [.NET](https://tinkerpop.apache.org/docs/3.4.13/reference/#gremlin-DotNet) | [Gremlin.NET on GitHub](https://github.com/apache/tinkerpop/tree/master/gremlin-dotnet) | [Create Graph using .NET](create-graph-dotnet.md) | 3.4.13 |

+| [Java](https://mvnrepository.com/artifact/com.tinkerpop.gremlin/gremlin-java) | [Gremlin JavaDoc](https://tinkerpop.apache.org/javadocs/current/full/) | [Create Graph using Java](create-graph-java.md) | 3.4.13 |

+| [Python](https://tinkerpop.apache.org/docs/3.4.13/reference/#gremlin-python) | [Gremlin-Python on GitHub](https://github.com/apache/tinkerpop/tree/master/gremlin-python) | [Create Graph using Python](create-graph-python.md) | 3.4.13 |

+| [Gremlin console](https://tinkerpop.apache.org/download.html) | [TinkerPop docs](https://tinkerpop.apache.org/docs/current/reference/#gremlin-console) | [Create Graph using Gremlin Console](create-graph-console.md) | 3.4.13 |

+| [Node.js](https://www.npmjs.com/package/gremlin) | [Gremlin-JavaScript on GitHub](https://github.com/apache/tinkerpop/tree/master/gremlin-javascript) | [Create Graph using Node.js](create-graph-nodejs.md) | 3.4.13 |

+> [!NOTE]

+> Gremlin client driver versions for __3.5.*__, __3.6.*__ have known compatibility issues, so we recommend using the latest supported 3.4.* driver versions listed above.

+> This table will be updated when compatibility issues have been addressed for these newer driver versions.

+| [Role-based access control](#rbac) | Fine-grained, role-based permission model using Azure Active Directory (Azure AD) identities for authentication. |

+- Authenticate your data requests with an Azure Active Directory identity.

+// Create a user.

+Database database = client.GetDatabase("SalesDatabase");

+* **resourceTokenPermissionId** - This property indicates the resource token permission ID that you have specified.

+await user.CreatePermissionAsync(

+ id: "permissionUser1Orders",

+ permissionMode: PermissionMode.All,

+// Read a permission, create user client session.

+Permission permission = await user.GetPermission("permissionUser1Orders").ReadAsync();

+CosmosClient client = new CosmosClient(accountEndpoint: "MyEndpoint", authKeyOrResourceToken: permission.Resource.Token);

+| Token scope | An Azure AD token carries the identity of the requester. This identity is matched against all assigned role definitions to perform authorization. | A resource token carries the permission granted to a specific Azure Cosmos DB user on a specific Azure Cosmos DB resource. Authorization requests on different resources may require different tokens. |

+| Token refresh | The Azure AD token is automatically refreshed by the Azure Cosmos DB SDKs when it expires. | Resource token refresh is not supported. When a resource token expires, a new one needs to be issued. |

+- [Connect to Microsoft Cost Management data in Power BI Desktop](/power-bi/connect-data/desktop-connect-azure-cost-management).

+The Salesforce connector is built on top of the Salesforce REST/Bulk API. When copying data from Salesforce, the connector automatically chooses between REST and Bulk APIs based on the data size ΓÇô when the result set is large, Bulk API is used for better performance; You can explicitly set the API version used to read/write data via [`apiVersion` property](#linked-service-properties) in linked service. When copying data to Salesforce, the connector uses BULK API v1.

+|[Asana (Preview)](connector-asana.md#mapping-data-flow-properties) | | -/Γ£ô |

+|[Azure Blob Storage](connector-azure-blob-storage.md#mapping-data-flow-properties) | [Avro](format-avro.md#mapping-data-flow-properties)<br>[Delimited text](format-delimited-text.md#mapping-data-flow-properties)<br>[Delta](format-delta.md)<br>[Excel](format-excel.md#mapping-data-flow-properties)<br>[JSON](format-json.md#mapping-data-flow-properties) <br>[ORC](format-orc.md#mapping-data-flow-properties)<br/>[Parquet](format-parquet.md#mapping-data-flow-properties)<br>[XML](format-xml.md#mapping-data-flow-properties) | Γ£ô/Γ£ô<br>Γ£ô/Γ£ô<br>Γ£ô/Γ£ô<br>Γ£ô/Γ£ô<br/>Γ£ô/Γ£ô<br>Γ£ô/Γ£ô<br/>Γ£ô/Γ£ô<br>Γ£ô/Γ£ô |

+ Title: Move a schedule to another region

+description: This article explains how to move a top level schedule to another Azure region.

+# Move a schedule to another region

+In this article, you'll learn how to move a schedule by using an Azure Resource Manager (ARM) template.

+catch (EventHubsException ex) when

+There are other exceptions that are documented in the [legacy article](event-hubs-messaging-exceptions.md). Some of them apply only to the legacy Event Hubs .NET client library.

+To meet your security or compliance requirements, Azure Front Door (AFD) supports end-to-end TLS encryption. Front Door TLS/SSL offload terminates the TLS connection, decrypts the traffic at the Azure Front Door, and re-encrypts the traffic before forwarding it to the backend. Since connections to the backend happen over the public IP, it is highly recommended you configure HTTPS as the forwarding protocol on your Azure Front Door to enforce end-to-end TLS encryption from the client to the backend. TLS/SSL offload is also supported if you deploy a private backend with AFD Premium using the [PrivateLink](private-link.md) feature.

+> 1. The default TTL for TXT record is 1 hour. When you need to regenerate the TXT record for re-validation, please pay attention to the TTL for the previous TXT record. If it doesn't expire, the validation will fail until the previous TXT record expires.

+> 2. If the **Regenerate** button doesn't work, delete and recreate the domain.

+> 3. If the domain state doesn't reflect as expected, select the **Refresh** button.

+An example of noncompliance is a `POST` request sent without either a **Content-Length** or a **Transfer-Encoding** header. An example would be using `curl -X POST https://example-front-door.domain.com`. This request doesn't meet the requirements set out in [RFC 7230](https://tools.ietf.org/html/rfc7230#section-3.3.2). Azure Front Door would block it with an HTTP 411 response. Such requests will not be logged.

+ms.tool: azure-cli

+ms.tool: terraform

+- [Infrastructure best practices for on-premises to Azure HDInsight Hadoop migration](apache-hadoop-on-premises-migration-best-practices-infrastructure.md)

+* [Manage HDInsight clusters by using the Apache Ambari REST API](./hdinsight-hadoop-manage-ambari-rest-api.md)

+* [What is Apache Hive and HiveQL on Azure HDInsight?](./hadoop/hdinsight-use-hive.md)

+For a video that demonstrates using Spark & Hive for Visual Studio Code, see [Spark & Hive for Visual Studio Code](https://go.microsoft.com/fwlink/?linkid=858706).

+ms.tool: azure-powershell

+ Title: HDInsight Interactive Query Autoscale(bchedule-based) guide and best practices

+# Azure HDInsight interactive query cluster (Hive LLAP) schedule based autoscale

+### **Next steps**

+## **Other references:**

+ * [Hive Warehouse Connector in Azure HDInsight](./apache-hive-warehouse-connector.md)

+* [Azure Data Lake Storage Gen1 overview](./overview-data-lake-storage-gen1.md)

+- If you need more help, you can submit a support request from the [Azure portal](https://portal.azure.com/?#blade/Microsoft_Azure_Support/HelpAndSupportBlade/). Select **Support** from the menu bar or open the **Help + support** hub. For more detailed information, review [How to create an Azure support request](../../azure-portal/supportability/how-to-create-azure-support-request.md). Access to Subscription Management and billing support is included with your Microsoft Azure subscription, and Technical Support is provided through one of the [Azure Support Plans](https://azure.microsoft.com/support/plans/).

+Root squash settings can disrupt file access if they are improperly configured. You should check that the settings on each storage export and on the matching HPC Cache client access policies are appropriate.

+If your storage system export squashes root, you should update the HPC Cache client access rule for that storage target to also squash root. If not, you can have access problems when you try to read or write to the back-end storage system through the HPC Cache.

+This table illustrates the behavior for different root squash scenarios when a client request is sent as UID 0 (root). The scenario marked with * is ***not recommended*** because it can cause access problems.

+| root squash at HPC Cache only | 0 (root) | 65534 (nobody) | 65534 (nobody) |

+<!-- check if this is still accurate - 05-2022 -->

+ms.tool: azure-cli

+ Title: Use the REST API to add upload storage account configuration in Azure IoT Central

+description: How to use the IoT Central REST API to add upload storage account configuration in an application

+# How to use the IoT Central REST API to upload a file

+IoT Central lets you upload media and other files from connected devices to cloud storage. You configure the file upload capability in your IoT Central application, and then implement file uploads in your device code. In this article, learn how to:

+* Use the REST API to configure the file upload capability in your IoT Central application.

+* Test the file upload by running some sample device code.

+The IoT Central REST API lets you:

+* Add a file upload storage account configuration

+* Update a file upload storage account configuration

+* Get the file upload storage account configuration

+* Delete the file upload storage configuration

+Every IoT Central REST API call requires an authorization header. To learn more, see [How to authenticate and authorize IoT Central REST API calls](howto-authorize-rest-api.md).

+For the reference documentation for the IoT Central REST API, see [Azure IoT Central REST API reference](/rest/api/iotcentral/).

+## Prerequisites

+To test the file upload, install the following prerequisites in your local development environment:

+* [Node.js](https://nodejs.org/en/download/)

+* [Visual Studio Code](https://code.visualstudio.com/Download)

+## Add a file upload storage account configuration

+### Create a storage account

+To use the Azure Storage REST API, you need a bearer token for the `management.azure.com` resource. To get a bearer token, you can use the Azure CLI:

+```azurecli

+az account get-access-token --resource https://management.azure.com

+```

+If you don't have a storage account for your blobs, you can use the following request to create one in your subscription:

+```http

+PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{accountName}?api-version=2021-09-01

+```

+The request headers have the following fields:

+* `subscriptionId` : The ID of the target subscription.

+* `resourceGroupName`: The name of the resource group in your subscription. The name is case insensitive.

+* `accountName` : The name of the storage account within the specified resource group. Storage account names must be between 3 and 24 characters in length and use numbers and lower-case letters only.

+The request body has the following required fields:

+* `kind` : Type of storage account

+* `location` : The geo-location where the resource lives

+* `sku`: The SKU name.

+```json

+{

+ "kind": "BlockBlobStorage",

+ "location": "West US",

+ "sku": "Premium_LRS"

+}

+```

+### Create a container

+Use the following request to create a container called `fileuploads` in your storage account for your blobs:

+```http

+PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{accountName}/blobServices/default/containers/fileuploads?api-version=2021-09-01

+```

+* `containerName` : Blob container names must be between 3 and 63 characters in length and use numbers, lower-case letters and dash (-) only. Every dash (-) character must be immediately preceded and followed by a letter or number.

+Send an empty request body with this request that looks like the following example:

+```json

+{

+}

+```

+The response to this request looks like the following example:

+```json

+{

+ "id": "/subscriptions/your-subscription-id/resourceGroups/yourResourceGroupName/providers/Microsoft.Storage/storageAccounts/yourAccountName/blobServices/default/containers/fileuploads",

+ "name": "fileuploads",

+ "type": "Microsoft.Storage/storageAccounts/blobServices/containers"

+}

+```

+### Get the storage account keys

+Use the following request to retrieve that storage account keys that you need when you configure the upload in IoT Central:

+```http

+POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{accountName}/listKeys?api-version=2021-09-01

+```

+The response to this request looks like the following example:

+```json

+{

+ "keys": [

+ {

+ "creationTime": "2022-05-19T19:22:40.9132287Z",

+ "keyName": "key1",

+ "value": "j3UTm**************==",

+ "permissions": "FULL"

+ },

+ {

+ "creationTime": "2022-05-19T19:22:40.9132287Z",

+ "keyName": "key2",

+ "value": "Nbs3W**************==",

+ "permissions": "FULL"

+ }

+ ]

+}

+```

+### Create the upload configuration

+Use the following request to create a file upload blob storage account configuration in your IoT Central application:

+```http

+PUT https://{your-app-subdomain}.azureiotcentral.com/api/fileUploads?api-version=1.2-preview

+```

+The request body has the following fields:

+* `account`: The storage account name where to upload the file to.

+* `connectionString`: The connection string to connect to the storage account. Use one of the `value` values from the previous `listKeys` request as the `AccountKey` value.

+* `container`: The name of the container inside the storage account. The following example uses the name `fileuploads`.

+* `etag`: ETag to prevent conflict with multiple uploads

+* `sasTtl`: ISO 8601 duration standard, The amount of time the deviceΓÇÖs request to upload a file is valid before it expires.

+```json

+{

+ "account": "yourAccountName",

+ "connectionString": "DefaultEndpointsProtocol=https;AccountName=yourAccountName;AccountKey=*****;BlobEndpoint=https://yourAccountName.blob.core.windows.net/",

+ "container": "fileuploads",

+ "sasTtl": "PT1H"

+}

+```

+The response to this request looks like the following example:

+```json

+{

+ "account": "yourAccountName",

+ "connectionString": "DefaultEndpointsProtocol=https;AccountName=yourAccountName;AccountKey=*****;BlobEndpoint=https://yourAccountName.blob.core.windows.net/",

+ "container": "fileuploads",

+ "sasTtl": "PT1H",

+ "state": "pending",

+ "etag": "\"7502ac89-0000-0300-0000-627eaf100000\""

+}

+```

+## Get the file upload storage account configuration

+Use the following request to retrieve details of a file upload blob storage account configuration in your IoT Central application:

+```http

+GET https://{your-app-subdomain}.azureiotcentral.com/api/fileUploads?api-version=1.2-preview

+```

+The response to this request looks like the following example:

+```json

+{

+ "account": "yourAccountName",

+ "connectionString": "DefaultEndpointsProtocol=https;AccountName=yourAccountName;AccountKey=*****;BlobEndpoint=https://yourAccountName.blob.core.windows.net/",

+ "container": "yourContainerName",

+ "state": "succeeded",

+ "etag": "\"7502ac89-0000-0300-0000-627eaf100000\""

+}

+```

+## Update the file upload storage account configuration

+Use the following request to update a file upload blob storage account configuration in your IoT Central application:

+```http

+PATCH https://{your-app-subdomain}.azureiotcentral.com/api/fileUploads?api-version=1.2-preview

+```

+```json

+{

+ "account": "yourAccountName",

+ "connectionString": "DefaultEndpointsProtocol=https;AccountName=yourAccountName;AccountKey=*****;BlobEndpoint=https://yourAccountName.blob.core.windows.net/",

+ "container": "yourContainerName2",

+ "sasTtl": "PT1H"

+}

+```

+The response to this request looks like the following example:

+```json

+{

+ "account": "yourAccountName",

+ "connectionString": "DefaultEndpointsProtocol=https;AccountName=yourAccountName;AccountKey=*****;BlobEndpoint=https://yourAccountName.blob.core.windows.net/",

+ "container": "yourContainerName2",

+ "sasTtl": "PT1H",

+ "state": "succeeded",

+ "etag": "\"7502ac89-0000-0300-0000-627eaf100000\""

+}

+```

+## Remove the file upload storage account configuration

+Use the following request to delete a storage account configuration:

+```http

+DELETE https://{your-app-subdomain}.azureiotcentral.com/api/fileUploads?api-version=1.2-preview

+```

+## Test file upload

+After you [configure file uploads](#add-a-file-upload-storage-account-configuration) in your IoT Central application, you can test it with the sample code. If you haven't already cloned the file upload sample repository, use the following commands to clone it to a suitable location on your local machine and install the dependent packages:

+```

+git clone https://github.com/azure-Samples/iot-central-file-upload-device

+cd iotc-file-upload-device

+npm i

+npm build

+```

+### Create the device template and import the model

+To test the file upload you run a sample device application. Create a device template for the sample device to use.

+1. Open your application in IoT Central UI.

+1. Navigate to the **Device Templates** tab in the left pane, select **+ New**:

+1. Choose **IoT device** as the template type.

+1. On the **Customize** page of the wizard, enter a name such as *File Upload Device Sample* for the device template.

+1. On the **Review** page, select **Create**.

+1. Select **Import a model** and upload the *FileUploadDeviceDcm.json* manifest file from the folder `iotc-file-upload-device\setup` in the repository you downloaded previously.

+1. Select **Publish** to publish the device template.

+### Add a device

+To add a device to your Azure IoT Central application:

+1. Choose **Devices** on the left pane.

+1. Select the *File Upload Device Sample* device template which you created earlier.

+1. Select + **New** and select **Create**.

+1. Select the device which you created and Select **Connect**

+Copy the values for `ID scope`, `Device ID`, and `Primary key`. You'll use these values in the device sample code.

+### Run the sample code

+Open the git repository you downloaded in VS code. Create an ".env" file at the root of your project and add the values you copied above. The file should look like the sample below with the values you made a note of previously.

+```

+scopeId=<YOUR_SCOPE_ID>

+deviceId=<YOUR_DEVICE_ID>

+deviceKey=<YOUR_PRIMARY_KEY>

+modelId=dtmi:IoTCentral:IotCentralFileUploadDevice;1

+```

+Open the git repository you downloaded in VS code. Press F5 to run/debug the sample. In your terminal window you see that the device is registered and is connected to IoT Central:

+```

+Starting IoT Central device...

+ > Machine: Windows_NT, 8 core, freemem=6674mb, totalmem=16157mb

+Starting device registration...

+DPS registration succeeded

+Connecting the device...

+IoT Central successfully connected device: 7z1xo26yd8

+Sending telemetry: {

+ "TELEMETRY_SYSTEM_HEARTBEAT": 1

+}

+Sending telemetry: {

+ "TELEMETRY_SYSTEM_HEARTBEAT": 1

+}

+Sending telemetry: {

+ "TELEMETRY_SYSTEM_HEARTBEAT": 1

+}

+```

+The sample project comes with a sample file named *datafile.json*. This is the file that's uploaded when you use the **Upload File** command in your IoT Central application.

+To test this open your application and select the device you created. Select the **Command** tab and you see a button named **Run**. When you select that button the IoT Central app calls a direct method on your device to upload the file. You can see this direct method in the sample code in the /device.ts file. The method is named *uploadFileCommand*.

+Select the **Raw data** tab to verify the file upload status.

+You can also make a [REST API](/rest/api/storageservices/list-blobs) call to verify the file upload status in the storage container.

+## Next steps

+Now that you've learned how to configure file uploads with the REST API, a suggested next step is to [How to create device templates from IoT Central GUI.](howto-set-up-template.md#create-a-device-template)

+ > [!IMPORTANT]

+ > Once your IoT Edge device is deployed, it currently won't display correctly in the Azure portal with schema version 1.2 (version 1.1 will be fine). This is a known bug and will be fixed soon. However, this won't affect your device, as it's still connected in IoT Hub and can be communicated with at any time using the Azure CLI.

+ :::image type="content" source="./media/how-to-publish-subscribe/unsupported-1.2-schema.png" alt-text="Screenshot of Azure portal error on the IoT Edge device page.":::

+The IoT Edge security daemon is a native component that needs to be updated using the package manager on the IoT Edge device. View the [Update the security daemon](how-to-update-iot-edge.md#update-the-security-daemon) tutorial for a walk-through on Linux-based devices.

+# Use Visual Studio 2022 to develop and debug modules for Azure IoT Edge

+This article shows you how to use Visual Studio 2022 to develop and debug Azure IoT Edge modules.

+The **Azure IoT Edge Tools for Visual Studio** extension provides the following benefits:

+* Code your Azure IoT modules in C or C# with the benefits of Visual Studio development.

+* Manage IoT Edge devices and modules with the UI.

+Visual Studio 2022 provides support for modules written in C and C#. The supported device architectures are Windows x64 and Linux x64 or ARM32, while ARM64 is in preview. For more information about supported operating systems, languages, and architectures, see [Language and architecture support](module-development.md#language-and-architecture-support).

+This article assumes that you use a machine running Windows as your development machine.

+* On Windows computers, you can develop either Windows or Linux modules.

+ * To develop modules with **Windows containers**, use a Windows computer running version 1809/build 17763 or newer.

+ * To develop modules with **Linux containers**, use a Windows computer that meets the [requirements for Docker Desktop](https://docs.docker.com/docker-for-windows/install/#what-to-know-before-you-install).

+* Install Visual Studio on your development machine. Make sure you include the **Azure development** and **Desktop development with C++** workloads in your Visual Studio 2022 installation. Alternatively, you can [Modify Visual Studio 2022](/visualstudio/install/modify-visual-studio?view=vs-2022&preserve-view=true) to add the required workloads, if Visual Studio is already installed on your machine.

+* Install the Azure IoT Edge Tools either from the Marketplace or from Visual Studio:

+ * Download and install [Azure IoT Edge Tools](https://marketplace.visualstudio.com/items?itemName=vsc-iot.vs17iotedgetools) from the Visual Studio Marketplace.

+ > [!TIP]

+ > If you are using Visual Studio 2019, download and install [Azure IoT Edge Tools for VS 2019](https://marketplace.visualstudio.com/items?itemName=vsc-iot.vs16iotedgetools) from the Visual Studio marketplace

+ * Or, in Visual Studio go to **Tools > Get Tools and Features**. The Visual Studio Installer will open. From the **Individual components** tab, select **Azure IoT Edge Tools for VS 2022**, then select **Install** in the lower right of the popup. Close the popup when finished.

+ If you only need to update your tools, go to the **Manage Extensions** window, expand **Updates > Visual Studio Marketplace**, select **Azure IoT Edge Tools** then select **Update**.

+

+ After the update is complete, select **Close** and restart Visual Studio.

+* Download and install [Docker Community Edition](https://docs.docker.com/install/) on your development machine to build and run your module images. Set Docker CE to run in either Linux container mode or Windows container mode, depending on the type of modules you are developing.

+* Set up your local development environment to debug, run, and test your IoT Edge solution by installing the [Azure IoT EdgeHub Dev Tool](https://pypi.org/project/iotedgehubdev/). Install [Python (3.5/3.6/3.7/3.8) and Pip](https://www.python.org/) and then install the **iotedgehubdev** package by running the following command in your terminal.

+

+ > [!TIP]

+ >Make sure your Azure IoT EdgeHub Dev Tool version is greater than 0.3.0. You'll need to have a pre-existing IoT Edge device in the Azure portal and have your connection string ready during setup.

+ You may need to restart Visual Studio to complete the installation.

+* Install the **Vcpkg** library manager

+ Install the **azure-iot-sdk-c** package for Windows

+* To test your module on a device, you'll need an active IoT Hub with at least one IoT Edge device. To create an IoT Edge device for testing you can create one in the Azure portal or with the CLI:

+ * Creating one in the [Azure portal](https://portal.azure.com/) is the quickest. From the Azure portal, go to your IoT Hub resource. Select **IoT Edge** from the menu on the left and then select **Add IoT Edge Device**.

+ :::image type="content" source="./media/how-to-visual-studio-develop-module/create-new-iot-edge-device.png" alt-text="Screenshot of how to add a new I o T Edge device":::

+

+ A new popup called **Create a device** will appear. Add a name to your device (known as the Device ID), then select **Save** in the lower left.

+

+ Finally, confirm that your new device exists in your IoT Hub, from the **Device management > IoT Edge** menu. For more information on creating an IoT Edge device through the Azure portal, read [Create and provision an IoT Edge device on Linux using symmetric keys](how-to-provision-single-device-linux-symmetric.md).

+ * To create an IoT Edge device with the CLI follow the steps in the quickstart for [Linux](quickstart-linux.md#register-an-iot-edge-device) or [Windows](quickstart.md#register-an-iot-edge-device). In the process of registering an IoT Edge device, you create an IoT Edge device.

+ If you are running the IoT Edge daemon on your development machine, you might need to stop EdgeHub and EdgeAgent before you start development in Visual Studio.

+The IoT Edge project template in Visual Studio creates a solution that can be deployed to IoT Edge devices. In summary, first you'll create an Azure IoT Edge solution, and then you'll generate the first module in that solution. Each IoT Edge solution can contain more than one module.

+In all, we're going to build three projects in our solution. The main module that contains EdgeAgent and EdgeHub, in addition to the temperature sensor module, then you'll add two more IoT Edge modules.

+> The IoT Edge project structure created by Visual Studio is not the same as the one in Visual Studio Code.

+1. In the **Create a new project** window, search for **Azure IoT Edge**. Select the project that matches the platform and architecture for your IoT Edge device, and click **Next**.

+1. In the **Configure your new project** window, enter a name for your project and specify the location, then select **Create**.

+1. In the **Add Module** window, select the type of module you want to develop. You can also select **Existing module** to add an existing IoT Edge module to your deployment. Specify your module name and module image repository.

+ Visual Studio autopopulates the repository URL with **localhost:5000/<module name\>**. If you use a local Docker registry for testing, then **localhost** is fine. If you use Azure Container Registry, then replace **localhost:5000** with the login server from your registry's settings.

+

+ The login server looks like **_\<registry name\>_.azurecr.io**.The final result should look like **\<*registry name*\>.azurecr.io/_\<module name\>_**, for example **my-registry-name.azurecr.io/my-module-name**.

+ > [!NOTE]

+ >If you have an existing IoT Edge project, you can still change the repository URL by opening the **module.json** file. The repository URL is located in the 'repository' property of the JSON file.

+#### Project structure

+In your solution is a main project folder and a single module folder. Both are on the project level. The main project folder contains your deployment manifest.

+The module project folder contains a file for your module code named either `program.cs` or `main.c` depending on the language you chose. This folder also contains a file named `module.json` that describes the metadata of your module. Various Docker files included here provide the information needed to build your module as a Windows or Linux container.

+#### Deployment manifest of your project

+The deployment manifest you'll edit is called `deployment.debug.template.json`. This file is a template of an IoT Edge deployment manifest, which defines all the modules that run on a device along with how they communicate with each other. For more information about deployment manifests, see [Learn how to deploy modules and establish routes](module-composition.md).

+If you open this deployment template, you see that the two runtime modules, **edgeAgent** and **edgeHub** are included, along with the custom module that you created in this Visual Studio project. A fourth module named **SimulatedTemperatureSensor** is also included. This default module generates simulated data that you can use to test your modules, or delete if it's not necessary. To see how the simulated temperature sensor works, view the [SimulatedTemperatureSensor.csproj source code](https://github.com/Azure/iotedge/tree/master/edge-modules/SimulatedTemperatureSensor).

+1. In the Solution Explorer, right-click the name of your main project and select **Set IoT Edge runtime version**.

+ :::image type="content" source="./media/how-to-visual-studio-develop-module/set-iot-edge-runtime-version.png" alt-text="Screenshot of how to find and select the menu item named 'Set I o T Edge Runtime version'.":::

+1. Use the drop-down menu to choose the runtime version that your IoT Edge devices are running, then select **OK** to save your changes. If no change was made, select **Cancel** to exit.

+1. If you changed the version, re-generate your deployment manifest by right-clicking the name of your project and select **Generate deployment for IoT Edge**. This will generate a deployment manifest based on your deployment template and will appear in the **config** folder of your Visual Studio project.

+## Module infrastructure & development options

+The Azure IoT EdgeHub Dev Tool provides a local development and debug experience. The tool helps start IoT Edge modules without the IoT Edge runtime so that you can create, develop, test, run, and debug IoT Edge modules and solutions locally. You don't have to push images to a container registry and deploy them to a device for testing.

+To initialize the tool in Visual Studio:

+1. Retrieve the connection string of your IoT Edge device (found in your IoT Hub) from the [Azure portal](https://portal.azure.com/) or from the Azure CLI.

+ If using the CLI to retrieve your connection string, use this command, replacing "**[device_id]**" and "**[hub_name]**" with your own values:

+ ```Azure CLI

+ az iot hub device-identity connection-string show --device-id [device_id] --hub-name [hub_name]

+ ```

+1. From the **Tools** menu in Visual Studio, select **Azure IoT Edge Tools** > **Setup IoT Edge Simulator**.

+>Depending on the type of IoT Edge module you are developing, you may need to enable the correct Docker container mode: either Linux or Windows. From the Docker Desktop menu, you can toggle between the two types of modes. Select **Switch to Windows containers** or select **Switch to Linux containers**. For this tutorial, we use Linux.

+>

+>:::image type="content" source="./media/how-to-visual-studio-develop-module/system-tray.png" alt-text="Screenshot of how to find and select the menu item named 'Switch to Windows containers'.":::

+1. In **Solution Explorer**, right-click the module project folder and select **Set as StartUp Project** from the menu.

+ :::image type="content" source="./media/how-to-visual-studio-develop-module/module-start-up-project.png" alt-text="Screenshot of how to set project as startup project.":::

+1. Press **F5** or click the run button in the toolbar to run the module. It may take 10&ndash;20 seconds the first time you do so. Be sure you don't have other Docker containers running that might bind the port you need for this project.

+ :::image type="content" source="./media/how-to-visual-studio-develop-module/run-module.png" alt-text="Screenshot of how to run a module.":::

+1. You should see a .NET Core console app window appear if the module has been initialized successfully.

+ :::image type="content" source="./media/how-to-visual-studio-develop-csharp-module/debug-single-module.png" alt-text="Screenshot of the output console, Visual Studio project, and Bash window." lightbox="./media/how-to-visual-studio-develop-csharp-module/debug-single-module.png":::

+ The breakpoint should be triggered. You can watch variables in the Visual Studio **Locals** window, found when the debugger is running. Go to Debug > Windows > Locals.

+ In your Bash or shell, you should see a `{"message":"accepted"}` confirmation.

+ In your .NET console you should see:

+

+ ```dotnetcli

+ IoT Hub module client initialized.

+ Received message: 1, Body: [hello world]

+ ```

+1. In **Solution Explorer**, add a second module to the solution by right-clicking the main project folder. On the menu, select **Add** > **New IoT Edge Module**.

+ :::image type="content" source="./media/how-to-visual-studio-develop-module/add-new-module.png" alt-text="Screenshot of how to add a 'New I o T Edge Module' from the menu." lightbox="./media/how-to-visual-studio-develop-module/add-new-module.png":::

+1. In the `Add module` window give your new module a name and replace the `localhost:5000` portion of the repository URL with your Azure Container Registry login server, like you did before.

+1. Open the file `deployment.debug.template.json` to see that the new module has been added in the **modules** section. A new route was also added to the **routes** section in `EdgeHub` to send messages from the new module to IoT Hub. To send data from the simulated temperature sensor to the new module, add another route with the following line of `JSON`. Replace `<NewModuleName>` (in two places) with your own module name.

+1. Right-click the main project (for example, `IoTEdgeProject`) and select **Set as StartUp Project**.

+1. Create breakpoints in each module and then press **F5** to run and debug multiple modules simultaneously. You should see multiple .NET Core console app windows, with each window representing a different module.

+ :::image type="content" source="./media/how-to-visual-studio-develop-csharp-module/debug-multiple-modules.png" alt-text="Screenshot of Visual Studio with two output consoles.":::

+1. Make sure the main IoT Edge project is the start-up project, not one of the individual modules. Select either **Debug** or **Release** as the configuration to build for your module images.

+1. If you're using a private registry like Azure Container Registry (ACR), use the following Docker command to sign in to it. You can get the username and password from the **Access keys** page of your registry in the Azure portal.

+1. Let's add the Azure Container Registry login information to the runtime settings found in the file `deployment.debug.template.json`. There are two ways to do this. You can either add your registry credentials to your `.env` file (most secure) or add them directly to your `deployment.debug.template.json` file.

+ **Add credentials to your `.env` file:**

+ In the Solution Explorer, click the button that will **Show All Files**. The `.env` file will appear. Add your Azure Container Registry username and password to your `.env` file. These credentials can be found on the **Access Keys** page of your Azure Container Registry in the Azure portal.

+

+ :::image type="content" source="./media/how-to-visual-studio-develop-module/show-env-file.png" alt-text="Screenshot of button that will show all files in the Solution Explorer.":::

+ ```env

+ DEFAULT_RT_IMAGE=1.2

+ CONTAINER_REGISTRY_USERNAME_myregistry=<my-registry-name>

+ CONTAINER_REGISTRY_PASSWORD_myregistry=<my-registry-password>

+ ```

+ **Add credentials directly to `deployment.debug.template.json`:**

+ If you'd rather add your credentials directly to your deployment template, replace the placeholders with your actual ACR admin username, password, and registry name.

+1. If you're using a local registry, you can [run a local registry](https://docs.docker.com/registry/deploying/#run-a-local-registry).

+1. Finally, in the **Solution Explorer**, right-click the main project folder and select **Build and Push IoT Edge Modules** to build and push the Docker image for each module. This might take a minute. When you see `Finished Build and Push IoT Edge Modules.` in your Output console of Visual Studio, you are done.

+In the quickstart article that you used to set up your IoT Edge device, you deployed a module by using the Azure portal. You can also deploy modules using the CLI in Visual Studio. You already have a deployment manifest template you've been observing throughout this tutorial. Let's generate a deployment manifest from that, then use an Azure CLI command to deploy your modules to your IoT Edge device in Azure.

+1. Right-click on your main project in Visual Studio Solution Explorer and choose **Generate Deployment for IoT Edge**.

+ :::image type="content" source="./media/how-to-visual-studio-develop-module/generate-deployment.png" alt-text="Screenshot of location of the 'generate deployment' menu item.":::

+1. Go to your local Visual Studio main project folder and look in the `config` folder. The file path might look like this: `C:\Users\<YOUR-USER-NAME>\source\repos\<YOUR-IOT-EDGE-PROJECT-NAME>\config`. Here you'll find the generated deployment manifest such as `deployment.amd64.debug.json`.

+1. Check your `deployment.amd64.debug.json` file to confirm the `edgeHub` schema version is set to 1.2.

+ ```json

+ "$edgeHub": {

+ "properties.desired": {

+ "schemaVersion": "1.2",

+ "routes": {

+ "IotEdgeModule2022ToIoTHub": "FROM /messages/modules/IotEdgeModule2022/outputs/* INTO $upstream",

+ "sensorToIotEdgeModule2022": "FROM /messages/modules/SimulatedTemperatureSensor/outputs/temperatureOutput INTO BrokeredEndpoint(\"/modules/IotEdgeModule2022/inputs/input1\")",

+ "IotEdgeModule2022bToIoTHub": "FROM /messages/modules/IotEdgeModule2022b/outputs/* INTO $upstream"

+ },

+ "storeAndForwardConfiguration": {

+ "timeToLiveSecs": 7200

+ }

+ }

+ }

+ ```

+ > [!TIP]

+ > The deployment template for Visual Studio 2022 requires the 1.2 schema version. If you need it to be 1.1 or 1.0, wait until after the deployment is generated (do not change it in `deployment.debug.template.json`). Generating a deployment will create a 1.2 schema by default. However, you can manually change `deployment.amd64.debug.json`, the generated manifest, if needed before deploying it to Azure.

+ > [!IMPORTANT]

+ > Once your IoT Edge device is deployed, it currently won't display correctly in the Azure portal with schema version 1.2 (version 1.1 will be fine). This is a known bug and will be fixed soon. However, this won't affect your device, as it's still connected in IoT Hub and can be communicated with at any time using the Azure CLI.

+ >

+ >:::image type="content" source="./media/how-to-publish-subscribe/unsupported-1.2-schema.png" alt-text="Screenshot of Azure portal error on the I o T Edge device page.":::

+1. Now let's deploy our manifest with an Azure CLI command. Open the Visual Studio **Developer Command Prompt** and change to the **config** directory.

+ ```cmd

+ cd config

+ ```

+1. From your **config** folder, execute the following deployment command. Replace the `[device id]`, `[hub name]`, and `[file path]` with your values.

+ ```cmd

+ az iot edge set-modules --device-id [device id] --hub-name [hub name] --content [file path]

+ ```

+ For example, your command might look like this:

+

+ ```cmd

+ az iot edge set-modules --device-id my-device-name --hub-name my-iot-hub-name --content deployment.amd64.debug.json

+ ```

+1. After running the command, you'll see a confirmation of deployment printed in `JSON` in your command prompt.

+### Confirm the deployment to your device

+To check that your IoT Edge modules were deployed to Azure, sign in to your device (or virtual machine), for example through SSH or Azure Bastion, and run the IoT Edge list command.

+```azurecli

+ iotedge list

+```

+You should see a list of your modules running on your device or virtual machine.

+```azurecli

+ NAME STATUS DESCRIPTION CONFIG

+ SimulatedTemperatureSensor running Up a day mcr.microsoft.com/azureiotedge-simulated-temperature-sensor:1.0

+ edgeAgent running Up a day mcr.microsoft.com/azureiotedge-agent:1.2

+ edgeHub running Up a day mcr.microsoft.com/azureiotedge-hub:1.2

+ myIotEdgeModule running Up 2 hours myregistry.azurecr.io/myiotedgemodule:0.0.1-amd64.debug

+ myIotEdgeModule2 running Up 2 hours myregistry.azurecr.io/myiotedgemodule2:0.0.1-amd64.debug

+```

+## View generated data

+To monitor the device-to-cloud (D2C) messages for a specific IoT Edge device, review the [Tutorial: Monitor IoT Edge devices](tutorial-monitor-with-workbooks.md) to get started.

+[Device Update for IoT Hub](../iot-hub-device-update/index.yml) (Preview) is a service that enables you to deploy over-the-air updates (OTA) for your IoT Edge devices.

+Alternative methods for updating IoT Edge require physical or SSH access to the IoT Edge device. For more information, see [Update the IoT Edge runtime](how-to-update-iot-edge.md). To update multiple devices, consider adding the update steps to a script or use an automation tool like Ansible.

+| customSsh | None | Determines whether user wants to use their custom OpenSSH.Client installation. If present, ssh.exe must be available to the EFLOW PSM |

+| customSsh | None | Determines whether user wants to use their custom OpenSSH.Client installation. If present, ssh.exe must be available to the EFLOW PSM |

+| [1.2](https://github.com/Azure/azure-iotedge/releases/tag/1.2.0) | Stable | April 2021 | [IoT Edge devices behind gateways](how-to-connect-downstream-iot-edge-device.md?view=iotedge-2020-11&preserve-view=true)<br>[IoT Edge MQTT broker (preview)](how-to-publish-subscribe.md?view=iotedge-2020-11&preserve-view=true)<br>New IoT Edge packages introduced, with new installation and configuration steps. For more information, see [Update from 1.0 or 1.1 to 1.2](how-to-update-iot-edge.md#special-case-update-from-10-or-11-to-12).<br>Includes [Microsoft Defender for IoT micro-agent for Edge](../defender-for-iot/device-builders/overview.md).<br> Integration with Device Update. For more information, see [Update IoT Edge](how-to-update-iot-edge.md).

+To verify educators can use the lab, navigate to the Azure Lab Services website: [https://labs.azure.com](https://labs.azure.com). For more information about managing labs, see [View all labs](/azure/lab-services/how-to-manage-labs).

+> [Tutorial: Create and deploy your first ARM template](../azure-resource-manager/templates/template-tutorial-create-first-template.md)

+The way that any integration architecture appropriately handles downtime or issues caused by dependent systems can pose a challenge. To help you create robust and resilient integrations that gracefully handle problems and failures, Azure Logic Apps provides a first-class experience for handling errors and exceptions.

+For the most basic exception and error handling, you can use the *retry policy* when supported on a trigger or action, such as the [HTTP action](logic-apps-workflow-actions-triggers.md#http-trigger). If the trigger or action's original request times out or fails, resulting in a 408, 429, or 5xx response, the retry policy specifies that the trigger or action resend the request per policy settings.

+### Retry policy types

+By default, the retry policy is set to the **Default** type.

+| Retry policy | Description |

+|--|-|

+| **Default** | This policy sends up to 4 retries at *exponentially increasing* intervals, which scale by 7.5 seconds but are capped between 5 and 45 seconds. For more information, review the [Default](#default) policy type. |

+| **None** | Don't resend the request. For more information, review the [None](#none) policy type. |

+| **Exponential Interval** | This policy waits a random interval, which is selected from an exponentially growing range before sending the next request. For more information, review the [Exponential Interval](#exponential-interval) policy type. |

+| **Fixed Interval** | This policy waits the specified interval before sending the next request. For more information, review the [Fixed Interval](#fixed-interval) policy type. |

+<a name="retry-policy-limits"></a>

+### Retry policy limits

+For more information about retry policies, settings, limits, and other options, review [Retry policy limits](logic-apps-limits-and-config.md#retry-policy-limits).

+### Change retry policy type in the designer

+1. In the [Azure portal](https://portal.azure.com), open your logic app workflow in the designer.

+1. Based on your [logic app type](logic-apps-overview.md#resource-environment-differences), open the trigger or action's **Settings**.

+ * **Consumption**: On the action shape, open the ellipses menu (**...**), and select **Settings**.

+ * **Standard**: On the designer, select the action. On the details pane, select **Settings**.

+1. If the trigger or action supports retry policies, under **Retry Policy**, select the policy type that you want.

+### Change retry policy type in the code view editor

+1. If necessary, confirm whether the trigger or action supports retry policies by completing the earlier steps in the designer.

+1. Open your logic app workflow in the code view editor.

+1. In the trigger or action definition, add the `retryPolicy` JSON object to that trigger or action's `inputs` object. Otherwise, if no `retryPolicy` object exists, the trigger or action uses the `default` retry policy.

+ ```json

+ <...>,

+ // The following properties apply to specific retry policies.

+ "interval": "<retry-interval>",

+ "maximumInterval": "<maximum-interval>",

+ "minimumInterval": "<minimum-interval>"

+ <...>

+ ```

+ *Required*

+ | Property | Value | Type | Description |

+ |-|-||-|

+ | `type` | <*retry-policy-type*> | String | The retry policy type to use: `default`, `none`, `fixed`, or `exponential` |

+ | `count` | <*retry-attempts*> | Integer | For `fixed` and `exponential` policy types, the number of retry attempts, which is a value from 1 - 90. For more information, review [Fixed Interval](#fixed-interval) and [Exponential Interval](#exponential-interval). |

+ | `interval`| <*retry-interval*> | String | For `fixed` and `exponential` policy types, the retry interval value in [ISO 8601 format](https://en.wikipedia.org/wiki/ISO_8601#Combined_date_and_time_representations). For the `exponential` policy, you can also specify [optional maximum and minimum intervals](#optional-max-min-intervals). For more information, review [Fixed Interval](#fixed-interval) and [Exponential Interval](#exponential-interval). <br><br>**Consumption**: 5 seconds (`PT5S`) to 1 day (`P1D`). <br>**Standard**: For stateful workflows, 5 seconds (`PT5S`) to 1 day (`P1D`). For stateless workflows, 1 second (`PT1S`) to 1 minute (`PT1M`). |

+ |||||

+ <a name="optional-max-min-intervals"></a>

+ *Optional*

+ | Property | Value | Type | Description |

+ |-|-||-|

+ | `maximumInterval` | <*maximum-interval*> | String | For the `exponential` policy, the largest interval for the randomly selected interval in [ISO 8601 format](https://en.wikipedia.org/wiki/ISO_8601#Combined_date_and_time_representations). The default value is 1 day (`P1D`). For more information, review [Exponential Interval](#exponential-interval). |

+ | `minimumInterval` | <*minimum-interval*> | String | For the `exponential` policy, the smallest interval for the randomly selected interval in [ISO 8601 format](https://en.wikipedia.org/wiki/ISO_8601#Combined_date_and_time_representations). The default value is 5 seconds (`PT5S`). For more information, review [Exponential Interval](#exponential-interval). |

+ |||||

+<a name="default"></a>

+#### Default retry policy

+If you don't specify a retry policy, the action uses the default policy. The default is actually an [exponential interval policy](#exponential-interval) that sends up to four retries at exponentially increasing intervals, which scales by 7.5 seconds. The interval is capped between 5 and 45 seconds.

+Though not explicitly defined in your action or trigger, the following example shows how the default policy behaves in an example HTTP action:

+<a name="none"></a>

+### None - No retry policy

+<a name="fixed-interval"></a>

+### Fixed interval retry policy

+### Exponential interval retry policy

+The exponential interval retry policy specifies that the trigger or action waits a random interval before sending the next request. This random interval is selected from an exponentially growing range. Optionally, you can override the default minimum and maximum intervals by specifying your own minimum and maximum intervals, based on whether you have a [Consumption or Standard logic app workflow](logic-apps-overview.md#resource-environment-differences).

+| Name | Consumption limit | Standard limit | Notes |

+||-|-|-|

+| Maximum delay | Default: 1 day | Default: 1 hour | To change the default limit in a Consumption logic app workflow, use the [retry policy parameter](logic-apps-exception-handling.md#retry-policies). <p><p>To change the default limit in a Standard logic app workflow, review [Edit host and app settings for logic apps in single-tenant Azure Logic Apps](edit-app-settings-host-settings.md). |

+| Minimum delay | Default: 5 sec | Default: 5 sec | To change the default limit in a Consumption logic app workflow, use the [retry policy parameter](logic-apps-exception-handling.md#retry-policies). <p><p>To change the default limit in a Standard logic app workflow, review [Edit host and app settings for logic apps in single-tenant Azure Logic Apps](edit-app-settings-host-settings.md). |

+|||||

+For the exponential interval retry policy, the following table shows the general algorithm that Azure Logic Apps uses to generate a uniform random variable in the specified range for each retry. The specified range can be up to and including the number of retries.

+## Manage the "run after" behavior

+When you add actions in the workflow designer, you implicitly declare the order to use for running those actions. After an action finishes running, that action is marked with a status such as **Succeeded**, **Failed**, **Skipped**, or **TimedOut**. By default, an action that you add in the designer runs only after the predecessor completes with **Succeeded** status. In an action's underlying definition, the `runAfter` property specifies that the predecessor action that must first finish and the statuses permitted for that predecessor before the successor action can run.

+When an action throws an unhandled error or exception, the action is marked **Failed**, and any successor action is marked **Skipped**. If this behavior happens for an action that has parallel branches, the Azure Logic Apps engine follows the other branches to determine their completion statuses. For example, if a branch ends with a **Skipped** action, that branch's completion status is based on that skipped action's predecessor status. After the workflow run completes, the engine determines the entire run's status by evaluating all the branch statuses. If any branch ends in failure, the entire workflow run is marked **Failed**.

+

+To make sure that an action can still run despite its predecessor's status, you can change an action's "run after" behavior to handle the predecessor's unsuccessful statuses. That way, the action runs when the predecessor's status is **Succeeded**, **Failed**, **Skipped**, **TimedOut**, or all these statuses.

+For example, to run the Office 365 Outlook **Send an email** action after the Excel Online **Add a row into a table** predecessor action is marked **Failed**, rather than **Succeeded**, change the "run after" behavior using either the designer or code view editor.

+> [!NOTE]

+>

+> In the designer, the "run after" setting doesn't apply to the action that immediately

+> follows the trigger as the trigger must run successfully before the first action can run.

+<a name="change-run-after-designer"></a>

+### Change "run after" behavior in the designer

+### [Consumption](#tab/consumption)

+1. In the [Azure portal](https://portal.azure.com), open the logic app workflow in the designer.

+1. On the action shape, open the ellipses menu (**...**), and select **Configure run after**.

+ 

+ The action shape expands and shows the predecessor action for the currently selected action.

+ 

+1. Expand the predecessor action node to view all the "run after" statuses.

+ By default, the "run after" status is set to **is successful**. So, the predecessor action must run successfully before the currently selected action can run.

+ 

+1. Change the "run after" behavior to the status that you want. Make sure that you first select an option before you clear the default option. You have to always have at least one option selected.

+ The following example selects **has failed**.

+ 

+1. To specify that the current action runs whether the predecessor action is marked as **Failed**, **Skipped**, or **TimedOut**, select the other statuses.

+ 

+1. When you're ready, select **Done**.

+### [Standard](#tab/standard)

+1. In the [Azure portal](https://portal.azure.com), open the logic app workflow in the designer.

+1. On the designer, select the action shape. On the details pane, select **Run After**.

+ 

+ The **Run After** pane shows the predecessor action for the currently selected action.

+ 

+1. Expand the predecessor action node to view all the "run after" statuses.

+ By default, the "run after" status is set to **is successful**. So, the predecessor action must run successfully before the currently selected action can run.

+ 

+1. Change the "run after" behavior to the status that you want. Make sure that you first select an option before you clear the default option. You have to always have at least one option selected.

+ The following example selects **has failed**.

+ 

+1. To specify that the current action runs whether the predecessor action is marked as **Failed**, **Skipped**, or **TimedOut**, select the other statuses.

+ 

+1. To require that more than one predecessor action runs, each with their own "run after" statuses, expand the **Select actions** list. Select the predecessor actions that you want, and specify their required "run after" statuses.

+ 

+1. When you're ready, select **Done**.

+### Change "run after" behavior in the code view editor

+1. In the [Azure portal](https://portal.azure.com), open your logic app workflow in the code view editor.

+1. In the action's JSON definition, edit the `runAfter` property, which has the following syntax:

+ ```json

+ "<action-name>": {

+ "inputs": {

+ "<action-specific-inputs>"

+ },

+ "runAfter": {

+ "<preceding-action>": [

+ "Succeeded"

+ ]

+ },

+ "type": "<action-type>"

+ }

+ ```

+1. For this example, change the `runAfter` property from `Succeeded` to `Failed`:

+ ```json

+ "Send_an_email_(V2)": {

+ "inputs": {

+ "body": {

+ "Body": "<p>Failed to add row to table: @{body('Add_a_row_into_a_table')?['Terms']}</p>",

+ "Subject": "Add row to table failed: @{body('Add_a_row_into_a_table')?['Terms']}",

+ "To": "Sophia.Owen@fabrikam.com"

+ },

+ "host": {

+ "connection": {

+ "name": "@parameters('$connections')['office365']['connectionId']"

+ }

+ },

+ "method": "post",

+ "path": "/v2/Mail"

+ },

+ "runAfter": {

+ "Add_a_row_into_a_table": [

+ "Failed"

+ ]

+ },

+ "type": "ApiConnection"

+ }

+ ```

+1. To specify that the action runs whether the predecessor action is marked as `Failed`, `Skipped` or `TimedOut`, add the other statuses:

+ ```json

+ "runAfter": {

+ "Add_a_row_into_a_table": [

+ "Failed", "Skipped", "TimedOut"

+ ]

+ },

+ ```

+Similar to running steps after individual actions with the "run after" setting, you can group actions together inside a [scope](logic-apps-control-flow-run-steps-group-scopes.md). You can use scopes when you want to logically group actions together, assess the scope's aggregate status, and perform actions based on that status. After all the actions in a scope finish running, the scope itself gets its own status.

+To check a scope's status, you can use the same criteria that you use to check a workflow run status, such as **Succeeded**, **Failed**, and so on.

+By default, when all the scope's actions succeed, the scope's status is marked **Succeeded**. If the final action in a scope is marked **Failed** or **Aborted**, the scope's status is marked **Failed**.

+To catch exceptions in a **Failed** scope and run actions that handle those errors, you can use the "run after" setting that **Failed** scope. That way, if *any* actions in the scope fail, and you use the "run after" setting for that scope, you can create a single action to catch failures.

+For limits on scopes, see [Limits and config](logic-apps-limits-and-config.md).

+Although catching failures from a scope is useful, you might also want more context to help you learn the exact failed actions plus any errors or status codes. The [`result()` function](workflow-definition-language-functions-reference.md#result) returns the results from the top-level actions in a scoped action. This function accepts the scope's name as a single parameter, and returns an array with the results from those top-level actions. These action objects have the same attributes as the attributes returned by the `actions()` function, such as the action's start time, end time, status, inputs, correlation IDs, and outputs.

+>

+> The `result()` function returns the results *only* from the top-level actions

+> and not from deeper nested actions such as switch or condition actions.

+To get context about the actions that failed in a scope, you can use the `@result()` expression with the scope's name and the "run after" setting. To filter down the returned array to actions that have **Failed** status, you can add the [**Filter Array** action](logic-apps-perform-data-operations.md#filter-array-action). To run an action for a returned failed action, take the returned filtered array and use a [**For each** loop](logic-apps-control-flow-loops.md).

+The following JSON example sends an HTTP POST request with the response body for any actions that failed within the scope action named **My_Scope**. A detailed explanation follows the example.

+The following steps describe what happens in this example:

+1. To get the result from all actions inside **My_Scope**, the **Filter Array** action uses this filter expression: `@result('My_Scope')`

+1. The condition for **Filter Array** is any `@result()` item that has a status equal to `Failed`. This condition filters the array that has all the action results from **My_Scope** down to an array with only the failed action results.

+The previous patterns are useful ways to handle errors and exceptions that happen within a run. However, you can also identify and respond to errors that happen independently from the run. [Azure Monitor](../azure-monitor/overview.md) provides a streamlined way to send all workflow events, including all run and action statuses, to a destination. For example, you can send events to a [Log Analytics workspace](../azure-monitor/logs/data-platform-logs.md), [Azure storage account](../storage/blobs/storage-blobs-overview.md), or [Azure Event Hubs](../event-hubs/event-hubs-about.md).

+* [See how a customer builds error handling with Azure Logic Apps](logic-apps-scenario-error-and-exception-handling.md)

+* [Find more Azure Logic Apps examples and scenarios](logic-apps-examples-and-scenarios.md)

+| Run history retention in storage | 90 days | 90 days <br>(Default) | 366 days | The amount of time to keep a workflow's run history in storage after a run starts. <p><p>**Note**: If the workflow's run duration exceeds the retention limit, this run is removed from the run history in storage. If a run isn't immediately removed after reaching the retention limit, the run is removed within 7 days. <p><p>Whether a run completes or times out, run history retention is always calculated by using the run's start time and the current limit specified in the workflow setting, [**Run history retention in days**](#change-retention). No matter the previous limit, the current limit is always used for calculating retention. <p><p>For more information, review [Change duration and run history retention in storage](#change-retention). |

+<a name="retry-policy-limits"></a>

+## Retry policy limits

+The following table lists the retry policy limits for a trigger or action, based on whether you have a [Consumption or Standard logic app workflow](logic-apps-overview.md#resource-environment-differences).

+| Name | Consumption limit | Standard limit | Notes |

+||-|-|-|

+| Retry attempts | - Default: 4 attempts <br> - Max: 90 attempts | - Default: 4 attempts | To change the default limit in Consumption logic app workflows, use the [retry policy parameter](logic-apps-exception-handling.md#retry-policies). To change the default limit in Standard logic app workflows, review [Edit host and app settings for logic apps in single-tenant Azure Logic Apps](edit-app-settings-host-settings.md). |

+| Retry interval | None | Default: 7 sec | To change the default limit in Consumption logic app workflows, use the [retry policy parameter](logic-apps-exception-handling.md#retry-policies). <p><p>To change the default limit in Standard logic app workflows, review [Edit host and app settings for logic apps in single-tenant Azure Logic Apps](edit-app-settings-host-settings.md). |

+|||||

+ms.tool: azure-powershell

+| <*converted-timestamp*> | String | The timestamp converted to the target time zone without the timezone UTC offset. |

+ms.tool: terraform

+ git clone --depth 1 https://github.com/Azure/azureml-examples

+[!Notebook-python[] (~/azureml-examples-main/tutorials/e2e-ds-experience/e2e-ml-workflow.ipynb?name=import-mlclient)]

+[!Notebook-python[] (~/azureml-examples-main/tutorials/e2e-ds-experience/e2e-ml-workflow.ipynb?name=ml_client)]

+[!Notebook-python[] (~/azureml-examples-main/tutorials/e2e-ds-experience/e2e-ml-workflow.ipynb?name=credit_data)]

+[!Notebook-python[] (~/azureml-examples-main/tutorials/e2e-ds-experience/e2e-ml-workflow.ipynb?name=update-credit_data)]

+## Create a compute resource to run your pipeline

+Each step of an Azure ML pipeline can use a different compute resource for running the specific job of that step. It can be single or multi-node machines with Linux or Windows OS, or a specific compute fabric like Spark.

+In this section, you'll provision a Linux compute cluster.

+For this tutorial you only need a basic cluster, so we'll use a Standard_DS3_v2 model with 2 vCPU cores, 7 GB RAM and create an Azure ML Compute.

+> [!TIP]

+> If you already have a compute cluster, replace "cpu-cluster" in the code below with the name of your cluster. This will keep you from creating another one.

+[!Notebook-python[] (~/azureml-examples-main/tutorials/e2e-ds-experience/e2e-ml-workflow.ipynb?name=cpu_cluster)]

+[!Notebook-python[] (~/azureml-examples-main/tutorials/e2e-ds-experience/e2e-ml-workflow.ipynb?name=dependencies_dir)]

+[!Notebook-python[] (~/azureml-examples-main/tutorials/e2e-ds-experience/e2e-ml-workflow.ipynb?name=conda.yml)]

+[!Notebook-python[] (~/azureml-examples-main/tutorials/e2e-ds-experience/e2e-ml-workflow.ipynb?name=custom_env_name)]

+[!Notebook-python[] (~/azureml-examples-main/tutorials/e2e-ds-experience/e2e-ml-workflow.ipynb?name=data_prep_src_dir)]

+[!Notebook-python[] (~/azureml-examples-main/tutorials/e2e-ds-experience/e2e-ml-workflow.ipynb?name=def-main)]

+[!Notebook-python[] (~/azureml-examples-main/tutorials/e2e-ds-experience/e2e-ml-workflow.ipynb?name=data_prep_component)]

+[!Notebook-python[] (~/azureml-examples-main/tutorials/e2e-ds-experience/e2e-ml-workflow.ipynb?name=train_src_dir)]

+[!Notebook-python[] (~/azureml-examples-main/tutorials/e2e-ds-experience/e2e-ml-workflow.ipynb?name=train.yml)]

+[!Notebook-python[] (~/azureml-examples-main/tutorials/e2e-ds-experience/e2e-ml-workflow.ipynb?name=train_component)]

+[!Notebook-python[] (~/azureml-examples-main/tutorials/e2e-ds-experience/e2e-ml-workflow.ipynb?name=update-train_component)]

+[!Notebook-python[] (~/azureml-examples-main/tutorials/e2e-ds-experience/e2e-ml-workflow.ipynb?name=pipeline)]

+[!Notebook-python[] (~/azureml-examples-main/tutorials/e2e-ds-experience/e2e-ml-workflow.ipynb?name=registered_model_name)]

+[!Notebook-python[] (~/azureml-examples-main/tutorials/e2e-ds-experience/e2e-ml-workflow.ipynb?name=returned_job)]

+* Some code to run as a service. The code executes the model on a given input request. This entry script receives data submitted to a deployed web service and passes it to the model, then returns the model's response to the client. The script is specific to your model. The entry script must understand the data that the model expects and returns. When using a MLFlow model, as in this tutorial, this script is automatically created for you

+[!Notebook-python[] (~/azureml-examples-main/tutorials/e2e-ds-experience/e2e-ml-workflow.ipynb?name=online_endpoint_name)]

+[!Notebook-python[] (~/azureml-examples-main/tutorials/e2e-ds-experience/e2e-ml-workflow.ipynb?name=endpoint)]

+[!Notebook-python[] (~/azureml-examples-main/tutorials/e2e-ds-experience/e2e-ml-workflow.ipynb?name=update-endpoint)]

+[!Notebook-python[] (~/azureml-examples-main/tutorials/e2e-ds-experience/e2e-ml-workflow.ipynb?name=latest_model_version)]

+[!Notebook-python[] (~/azureml-examples-main/tutorials/e2e-ds-experience/e2e-ml-workflow.ipynb?name=model)]

+[!Notebook-python[] (~/azureml-examples-main/tutorials/e2e-ds-experience/e2e-ml-workflow.ipynb?name=sample-request.json)]

+[!Notebook-python[] (~/azureml-examples-main/tutorials/e2e-ds-experience/e2e-ml-workflow.ipynb?name=write-sample-request)]

+[!Notebook-python[] (~/azureml-examples-main/tutorials/e2e-ds-experience/e2e-ml-workflow.ipynb?name=ml_client.online_endpoints.invoke)]

+[!Notebook-python[] (~/azureml-examples-main/tutorials/e2e-ds-experience/e2e-ml-workflow.ipynb?name=ml_client.online_endpoints.begin_delete)]

+description: Plan a new software as a service (SaaS) offer for selling in Microsoft AppSource, Azure Marketplace, or through the Cloud Solution Provider (CSP) program using the commercial marketplace program in Microsoft Partner Center.

+> SaaS offers with [metered billing](partner-center-portal/saas-metered-billing.md) are available through Azure Marketplace and the Azure portal. SaaS offers with only private plans are only available through the Azure portal.

+| No | No | Yes | Azure portal only |

+&#42; The private plan of the offer will only be available via the Azure portal.

+- Our recommendation is to have a primary key in each table. If we have table without primary key, you might face slowness in replication. To create primary keys for tables you can use [invisible column](https://dev.mysql.com/doc/refman/8.0/en/invisible-columns.html) if your MySQL version is greater than 8.0.23.

+>* If there's a failure, the time needed for the standby replica to take over the role of primary depends on the binary log application on the standby. So we recommend that you use primary keys on all tables to reduce failover time. Failover times are typically between 60 and 120 seconds.To create primary keys for tables you can use [invisible column](https://dev.mysql.com/doc/refman/8.0/en/invisible-columns.html) if your MySQL version is greater than 8.0.23.

+ms.tool: azure-cli

+> [!NOTE]

+> If you are using PHP driver with [enableRedirect](./how-to-redirection.md) kindly follow the steps mentioned under [Create a combined CA certificate](#create-a-combined-ca-certificate) to avoid connection failures.

+No change is required on client side. If you followed steps mentioned under [Create a combined CA certificate](#create-a-combined-ca-certificate) below, you can continue to connect as long as **BaltimoreCyberTrustRoot certificate is not removed** from the combined CA certificate. **To maintain connectivity, we recommend that you retain the BaltimoreCyberTrustRoot in your combined CA certificate until further notice.**

+###### Create a combined CA certificate

+#### Why do I need to update my root certificate if I am using PHP driver with [enableRedirect](./how-to-redirection.md) ?

+To address compliance requirements, the CA certificates of the host server were changed from BaltimoreCyberTrustRoot to DigiCertGlobalRootG2. With this update, database connections using the PHP Client driver with enableRedirect can no longer connect to the server, as the client devices are unaware of the certificate change and the new root CA details. Client devices that use PHP redirection drivers connect directly to the host server, bypassing the gateway. Refer this [link](single-server-overview.md#high-availability) for more on architecture of Azure Database for MySQL Single Server.

+For successful connection to Azure database for MySQL Single server using `mysqlnd_azure.enableRedirect` you need to follow mandatory steps of combining your root certificate as per the compliance requirements. For more details on please visit [link](./concepts-certificate-rotation.md#do-i-need-to-make-any-changes-on-my-client-to-maintain-connectivity).

+ Title: Enable FIPS on an Azure Red Hat OpenShift cluster

+description: Learn how to enable FIPS on an Azure Red Hat OpenShift cluster.

+keywords: aro, openshift, az aro, red hat, cli, azure, FIPS

+#Customer intent: I need to understand how to enable FIPS on an Azure Red Hat OpenShift cluster.

+# Enable FIPS for an Azure Red Hat OpenShift cluster

+This article explains how to enable Federal Information Processing Standard (FIPS) for an Azure Red Hat OpenShift cluster.

+The Federal Information Processing Standard (FIPS) 140 is a US government standard that defines minimum security requirements for cryptographic modules in information technology products, and systems. Testing against the FIPS 140 standard is maintained by the Cryptographic Module Validation Program (CMVP), a joint effort between the US National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security, a branch of the Communications Security Establishment (CSE) of Canada.

+## Support for FIPS cryptography

+Starting with Release 4.10, you can deploy an Azure Red Hat OpenShift cluster in FIPS mode. FIPS mode ensures the control plane is using FIPS 140-2 cryptographic modules. All workloads and operators deployed on a cluster need to use FIPS 140-2 in order to be FIPS compliant.

+

+You can install an Azure Red Hat OpenShift cluster that uses FIPS Validated / Modules in Process cryptographic libraries on the x86_64 architecture.

+> [!NOTE]

+> If you're using Azure File storage, you can't enable FIPS mode.

+## To enable FIPS on your Azure Red Hat OpenShift cluster

+To enable FIPs on your Azure Red Hat OpeShift cluster, define the following parameters as environment variables:

+```azurecli-interactive

+az aro create \

+ --resource-group $RESOURCEGROUP \

+ --name $CLUSTER \

+ --vnet aro-vnet \

+ --master-subnet master-subnet \

+ --worker-subnet worker-subnet

+ --fips

+```

+ms.tool: azure-cli

+ms.tool: azure-powershell

+## Collect packet core configuration values

+Collect all the values in the following table for the packet core instance that will run in the site.

+ |Value |Field name in Azure portal |

+ |||

+ |The core technology type the packet core instance should support (5G or 4G). |**Technology type**|

+ |The custom location that targets the Azure Kubernetes Service on Azure Stack HCI (AKS-HCI) cluster on the Azure Stack Edge Pro device in the site. You commissioned the AKS-HCI cluster as part of the steps in [Order and set up your Azure Stack Edge Pro device(s)](complete-private-mobile-network-prerequisites.md#order-and-set-up-your-azure-stack-edge-pro-devices).</br></br> If you're going to create your site using the Azure portal, collect the name of the custom location.</br></br> If you're going to create your site using an ARM template, collect the full resource ID of the custom location.|**Custom location**|

+Collect all the values in the following table to define the packet core instance's connection to the access network over the control plane and user plane interfaces. The field name displayed in the Azure portal will depend on the value you have chosen for **Technology type**, as described in [Collect packet core configuration values](#collect-packet-core-configuration-values).

+> For all values in this table, you must use the same values you used when deploying the Azure Kubernetes Service on Azure Stack HCI (AKS-HCI) cluster on the Azure Stack Edge Pro device for this site. You did this as part of the steps in [Order and set up your Azure Stack Edge Pro device(s)](complete-private-mobile-network-prerequisites.md#order-and-set-up-your-azure-stack-edge-pro-devices).

+ | The IP address for the control plane interface on the access network. For 5G, this interface is the N2 interface, whereas for 4G, it's the S1-MME interface. |**N2 address (signaling)** (for 5G) or **S1-MME address** (for 4G).|

+ | The IP address for the user plane interface on the access network. For 5G, this interface is the N3 interface, whereas for 4G, it's the S1-U interface. |N/A. You'll only need this value if you're using an ARM template to create the site.|

+ | The network address of the access subnet in Classless Inter-Domain Routing (CIDR) notation. |**N2 subnet** and **N3 subnet** (for 5G), or **S1-MME subnet** and **S1-U subnet** (for 4G).|

+ | The access subnet default gateway. |**N2 gateway** and **N3 gateway** (for 5G), or **S1-MME gateway** and **S1-U gateway** (for 4G).|

+Collect all the values in the following table to define the packet core instance's connection to the data network over the user plane interface.

+ | The IP address for the user plane interface on the data network. For 5G, this interface is the N6 interface, whereas for 4G, it's the SGi interface. You identified the IP address for this interface in [Allocate subnets and IP addresses](complete-private-mobile-network-prerequisites.md#allocate-subnets-and-ip-addresses) and it must match the value you used when deploying the AKS-HCI cluster. |N/A. You'll only need this value if you're using an ARM template to create the site.|

+ |The network address of the data subnet in CIDR notation. You identified this address in [Allocate subnets and IP addresses](complete-private-mobile-network-prerequisites.md#allocate-subnets-and-ip-addresses) and it must match the value you used when deploying the AKS-HCI cluster. |**N6/SGi subnet**|

+ |The data subnet default gateway. You identified this in [Allocate subnets and IP addresses](complete-private-mobile-network-prerequisites.md#allocate-subnets-and-ip-addresses) and it must match the value you used when deploying the AKS-HCI cluster. |**N6/SGi gateway**|

+ | The network address of the subnet from which dynamic IP addresses must be allocated to user equipment (UEs), given in CIDR notation. You won't need this address if you don't want to support dynamic IP address allocation for this site. You identified this in [Allocate user equipment (UE) IP address pools](complete-private-mobile-network-prerequisites.md#allocate-user-equipment-ue-ip-address-pools). The following example shows the network address format. </br></br>`198.51.100.0/24` </br></br>Note that the UE subnets aren't related to the access subnet. |**Dynamic UE IP pool prefixes**|

+ | The network address of the subnet from which static IP addresses must be allocated to user equipment (UEs), given in CIDR notation. You won't need this address if you don't want to support static IP address allocation for this site. You identified this in [Allocate user equipment (UE) IP address pools](complete-private-mobile-network-prerequisites.md#allocate-user-equipment-ue-ip-address-pools). The following example shows the network address format. </br></br>`198.51.100.0/24` </br></br>Note that the UE subnets aren't related to the access subnet. |**Static UE IP pool prefixes**|

+| The MBR for downlink traffic (traveling towards UEs) across all SDFs that match data flow policy rules configured on this service. The MBR must be given in the following form: `<Quantity>` `<Unit>` </br></br>`<Unit>` must be one of the following: </br></br>- *bps* </br>- *Kbps* </br>- *Mbps* </br>- *Gbps* </br>- *Tbps* </br></br>`<Quantity>` is the quantity of your chosen unit. </br></br>For example, `10 Mbps`. | **Maximum bit rate (MBR) - Downlink** | Yes|

+| The default Allocation and Retention Policy (ARP) priority level for this service. Flows with a higher ARP priority level preempt flows with a lower ARP priority level. The ARP priority level must be an integer between 1 (highest priority) and 15 (lowest priority). | **Allocation and Retention Priority level** |No. Defaults to 9.|

+| The default 5G QoS Indicator (5QI) or QoS class identifier (QCI) value for this service. The 5QI (for 5G networks) or QCI (for 4G networks) value identifies a set of QoS characteristics that control QoS forwarding treatment for QoS flows or EPS bearers. </br></br>We recommend you choose a 5QI or QCI value that corresponds to a non-GBR QoS flow or EPS bearer. These values are in the following ranges: 5-9; 69-70; 79-80. For more details, see 3GPP TS 23.501 for 5QI or 3GPP TS 23.203 for QCI.</br></br>You can also choose a non-standardized 5QI or QCI value.</p><p>Azure Private 5G Core doesn't support 5QI or QCI values corresponding to GBR or delay-critical GBR QoS flows or EPS bearers. Don't use a value in any of the following ranges: 1-4; 65-67; 71-76; 82-85. | **5G QoS Indicator (5QI)** |No. Defaults to 9.|

+| The default preemption capability for QoS flows or EPS bearers for this service. The preemption capability of a QoS flow or EPS bearer controls whether it can preempt another QoS flow or EPS bearer with a lower priority level. You can choose from the following values: </br></br>- **May not preempt** </br>- **May preempt** | **Preemption capability** |No. Defaults to **May not preempt**.|

+| The default preemption vulnerability for QoS flows or EPS bearers for this service. The preemption vulnerability of a QoS flow or EPS bearer controls whether it can be preempted by another QoS flow or EPS bearer with a higher priority level. You can choose from the following values: </br></br>- **Preemptable** </br>- **Not preemptable** | **Preemption vulnerability** |No. Defaults to **Preemptable**.|

+| The UE-AMBR for traffic traveling away from UEs across all non-GBR QoS flows or EPS bearers. The UE-AMBR must be given in the following form: </br></br>`<Quantity>` `<Unit>` </br></br>`<Unit>` must be one of the following: </br></br>- *bps* </br>- *Kbps* </br>- *Mbps* </br>- *Gbps* </br>- *Tbps* </br></br>`<Quantity>` is the quantity of your chosen unit. </br></br>For example, `10 Gbps`. | **Total bandwidth allowed - Uplink** |Yes|

+| The UE-AMBR for traffic traveling towards UEs across all non-GBR QoS flows or EPS bearers. The UE-AMBR must be given in the following form: </br></br>`<Quantity>` `<Unit>` </br></br>`<Unit>` must be one of the following: </br></br>- *bps* </br>- *Kbps* </br>- *Mbps* </br>- *Gbps* </br>- *Tbps* </br></br>`<Quantity>` is the quantity of your chosen unit. </br></br>For example, `10 Gbps`. | **Total bandwidth allowed - Downlink** |Yes|

+Within each SIM policy, you'll have a *network scope*. The network scope represents the data network to which SIMs assigned to the SIM policy will have access. It allows you to define the QoS policy settings used for the default QoS flow for PDU sessions involving these SIMs. These settings include the session aggregated maximum bit rate (Session-AMBR), 5G QoS identifier (5QI) or QoS class identifier (QCI) value, and Allocation and Retention Policy (ARP) priority level. You can also determine the services that will be offered to SIMs.

+|The maximum bitrate for traffic traveling away from UEs across all non-GBR QoS flows or EPS bearers of a given PDU session or PDN connection. The bitrate must be given in the following form: `<Quantity>` `<Unit>` </br></br>`<Unit>` must be one of the following: </br></br>- *bps* </br>- *Kbps* </br>- *Mbps* </br>- *Gbps* </br>- *Tbps* </br></br>`<Quantity>` is the quantity of your chosen unit. </br></br>For example, `10 Gbps`. | **Session aggregate maximum bit rate - Uplink** | Yes |

+|The maximum bitrate for traffic traveling towards UEs across all non-GBR QoS flows or EPS bearers of a given PDU session or PDN connection. The bitrate must be given in the following form: `<Quantity>` `<Unit>` </br></br>`<Unit>` must be one of the following: </br></br>- *bps* </br>- *Kbps* </br>- *Mbps* </br>- *Gbps* </br>- *Tbps* </br></br>`<Quantity>` is the quantity of your chosen unit. </br></br>For example, `10 Gbps`. | **Session aggregate maximum bit rate - Downlink** | Yes |

+|The default 5QI (for 5G) or QCI (for 4G) value for this data network. These values identify a set of QoS characteristics that control QoS forwarding treatment for QoS flows or EPS bearers.</br></br>We recommend you choose a 5QI or QCI value that corresponds to a non-GBR QoS flow or EPS bearer. These values are in the following ranges: 5-9; 69-70; 79-80. For more details, see 3GPP TS 23.501 for 5QI or 3GPP TS 23.203 for QCI.</br></br>You can also choose a non-standardized 5QI or QCI value. </br></br>Azure Private 5G Core Preview doesn't support 5QI or QCI values corresponding to GBR or delay-critical GBR QoS flows or EPS bearers. Don't use a value in any of the following ranges: 1-4; 65-67; 71-76; 82-85. | **5G QoS Indicator (5QI)** | No. Defaults to 9. |

+|The default Allocation and Retention Policy (ARP) priority level for this data network. Flows with a higher ARP priority level preempt flows with a lower ARP priority level. The ARP priority level must be an integer between 1 (highest priority) and 15 (lowest priority). | **Allocation and Retention Priority level** | No. Defaults to 1. |

+|The default preemption capability for QoS flows or EPS bearers on this data network. The preemption capability of a QoS flow or EPS bearer controls whether it can preempt another QoS flow or EPS bearer with a lower priority level. </br></br>You can choose from the following values: </br></br>- **May preempt** </br>- **May not preempt** | **Preemption capability** | No. Defaults to **May not preempt**.|

+|The default preemption vulnerability for QoS flows or EPS bearers on this data network. The preemption vulnerability of a QoS flow or EPS bearer controls whether it can be preempted by another QoS flow or EPS bearer with a higher priority level. </br></br>You can choose from the following values: </br></br>- **Preemptable** </br>- **Not preemptable** | **Preemption vulnerability** | No. Defaults to **Preemptable**.|

+|The default PDU session or PDN connection type for SIMs using this data network. Azure Private 5G Core will use this type by default if the SIM doesn't request a specific type. </br></br>You can choose from the following values: </br></br>- **IPv4** </br>- **IPv6** | **Default session type** | No. Defaults to **IPv4**.|

+|An additional PDU session or PDN connection type that Azure Private 5G Core supports for this data network. This type must not match the default type mentioned above. </br></br>You can choose from the following values: </br></br>- **IPv4** </br>- **IPv6** | **Additional allowed session types** |No. Defaults to no value.|

+## Choose the core technology type (5G or 4G)

+Choose whether each site in the private mobile network should provide coverage for 5G or 4G user equipment (UEs). A single site cannot support 5G and 4G UEs simultaneously. If you're deploying multiple sites, you can choose to have some sites support 5G UEs and others support 4G UEs.

+- One IP address for the control plane interface. For 5G, this interface is the N2 interface, whereas for 4G, it's the S1-MME interface.

+- One IP address for the user plane interface. For 5G, this interface is the N3 interface, whereas for 4G, it's the S1-U interface.

+- One IP address for the user plane interface. For 5G, this interface is the N6 interface, whereas for 4G, it's the SGi interface.

+- If you're not enabling NAPT as described in [Allocate user equipment (UE) IP address pools](#allocate-user-equipment-ue-ip-address-pools), configure the data network to route traffic destined for the UE IP address pools via the IP address you allocated to the packet core instance's user plane interface on the data network.

+- Carry out the steps in [Complete the prerequisite tasks for deploying a private mobile network](complete-private-mobile-network-prerequisites.md) for your new site.

+## Create the mobile network site resource

+In this step, you'll create the mobile network site resource representing the physical enterprise location of your Azure Stack Edge device, which will host the packet core instance.

+ :::image type="content" source="media/mobile-network-search.png" alt-text="Screenshot of the Azure portal. It shows the results of a search for a mobile network resource.":::

+ - Use the information you collected in [Collect packet core configuration values](collect-required-information-for-a-site.md#collect-packet-core-configuration-values) to fill out the **Technology type** and **Custom location** fields.

+ - Use the same value for both the **N2 subnet** and **N3 subnet** fields (if this site will support 5G user equipment (UEs)).

+ - Use the same value for both the **N2 gateway** and **N3 gateway** fields (if this site will support 5G UEs).

+ - Use the same value for both the **S1-MME subnet** and **S1-U subnet** fields (if this site will support 4G UEs).

+ - Use the same value for both the **S1-MME gateway** and **S1-U gateway** fields (if this site will support 4G UEs).

+- Carry out the steps in [Complete the prerequisite tasks for deploying a private mobile network](complete-private-mobile-network-prerequisites.md) for your new site.

+- Ensure you can sign in to the Azure portal using an account with access to the active subscription you used to create your private mobile network. This account must have the built-in Contributor or Owner role at the subscription scope.

+- [**Microsoft.MobileNetwork/packetCoreControlPlanes/packetCoreDataPlanes/attachedDataNetworks**](/azure/templates/microsoft.mobilenetwork/packetcorecontrolplanes/packetcoredataplanes/attacheddatanetworks): a resource providing configuration for the packet core instance's connection to a data network.

+- [**Microsoft.MobileNetwork/packetCoreControlPlanes/packetCoreDataPlanes**](/azure/templates/microsoft.mobilenetwork/packetcorecontrolplanes/packetcoredataplanes): a resource providing configuration for the user plane Network Functions of the packet core instance, including IP configuration for the user plane interface on the access network.

+- [**Microsoft.MobileNetwork/packetCoreControlPlanes**](/azure/templates/microsoft.mobilenetwork/packetcorecontrolplanes): a resource providing configuration for the control plane Network Functions of the packet core instance, including IP configuration for the control plane interface on the access network.

+ | **Control Plane Access Ip Address** | Enter the IP address for the control plane interface on the access network. |

+ | **User Plane Access Interface Name** | Enter the name of the interface that corresponds to port 5 on your Azure Stack Edge Pro device. |

+ | **User Plane Access Interface Ip Address** | Enter the IP address for the user plane interface on the access network. |

+ | **User Plane Data Interface Ip Address** | Enter the IP address for the user plane interface on the data network. |

+ | **Core Network Technology** | Enter `5GC` for 5G, or `EPC` for 4G. |

+- [**Microsoft.MobileNetwork/packetCoreControlPlanes/packetCoreDataPlanes/attachedDataNetworks**](/azure/templates/microsoft.mobilenetwork/packetcorecontrolplanes/packetcoredataplanes/attacheddatanetworks): a resource providing configuration for the packet core instance's connection to a data network.

+- [**Microsoft.MobileNetwork/packetCoreControlPlanes/packetCoreDataPlanes**](/azure/templates/microsoft.mobilenetwork/packetcorecontrolplanes/packetcoredataplanes): a resource providing configuration for the user plane Network Functions of the packet core instance, including IP configuration for the user plane interface on the access network.

+- [**Microsoft.MobileNetwork/packetCoreControlPlanes**](/azure/templates/microsoft.mobilenetwork/packetcorecontrolplanes): a resource providing configuration for the control plane Network Functions of the packet core instance, including IP configuration for the control plane interface on the access network.

+ |**Control Plane Access Ip Address** | Enter the IP address for the control plane interface on the access network. |

+ |**User Plane Access Interface Ip Address** | Enter the IP address for the user plane interface on the access network. |

+ |**User Plane Data Interface Ip Address** | Enter the IP address for the user plane interface on the data network. |

+ |**Core Network Technology** | Enter `5GC` for 5G, or `EPC` for 4G. |

+- **SUPI** - Allows you to search for activity involving a particular subscriber using their subscription permanent identifier (SUPI) or, in 4G networks, their international mobile subscriber identity (IMSI). This tab also provides an **Errors** panel, which allows you to filter the results by error condition. To search for activity for a particular subscriber, enter all of the initial digits of the subscriber's SUPI or IMSI into the text box on the **SUPI search** panel.

+> In addition to the tabs described below, the distributed tracing web GUI also includes a **User Experience** tab. This tab is not used by Azure Private 5G Core and will not display any information.

+Each private mobile network contains one or more *sites*. A site is a physical enterprise location (for example, Contoso Corporation's Chicago Factory) that will provide coverage for user equipment (UEs). The following diagram shows the main components of a single site.

+- Each packet core instance connects to a radio access network (RAN) to provide coverage for UEs. You'll source your RAN from a third party.

+> [!IMPORTANT]

+> Log Analytics currently can only be used to monitor private mobile networks that support 5G UEs. You can still monitor private mobile networks supporting 4G UEs from the local network using the [packet core dashboards](packet-core-dashboards.md).

+ > [!IMPORTANT]

+ > The **Device and Session Statistics dashboard** only displays metrics for packet core instances that support 5G UEs. It does not currently display any metrics related to 4G activity.

+## 5G quality of service (QoS) and QoS flows

+In 5G networks, the packet core instance is a key component in establishing *protocol data unit (PDU)* sessions, which are used to transport user plane traffic between a UE and the data network. Within each PDU session, there are one or more *service data flows (SDFs)*. Each SDF is a single IP flow or a set of aggregated IP flows of UE traffic that is used for a specific service.

+To ensure the correct QoS characteristics are applied, each SDF is bound to a *QoS flow*. Each QoS flow has a unique *QoS profile*, which identifies the QoS characteristics that should be applied to any SDFs bound to the QoS flow. Multiple SDFs with the same QoS requirements can be bound to the same QoS flow.

+- A *5G QoS identifier (5QI)*. The 5QI value corresponds to a set of QoS characteristics that should be used for the QoS flow. These characteristics include guaranteed and maximum bitrates, priority levels, and limits on latency, jitter, and error rate. The 5QI is given as a scalar number.

+ You can find more information on 5QI values and each of the QoS characteristics in 3GPP TS 23.501. You can also find definitions for standardized (or non-dynamic) 5QI values.

+> Azure Private 5G Core does not support dynamically assigned 5QI, where specific QoS characteristics are signalled to the gNB during QoS flow creation.

+- An *allocation and retention priority (ARP) value*. The ARP value defines a QoS flow's importance. It controls whether a particular QoS flow should be retained or preempted when there's resource constraint in the network, based on its priority compared to other QoS flows. The QoS profile may also define whether the QoS flow can preempt or be preempted by another QoS flow.

+Each unique QoS flow is assigned a unique *QoS flow ID (QFI)*, which is used by network elements to map SDFs to QoS flows.

+## 4G QoS and EPS bearers

+The packet core instance performs a very similar role in 4G networks to that described in [5G quality of service (QoS) and QoS flows](#5g-quality-of-service-qos-and-qos-flows).

+In 4G networks, the packet core instance helps to establish *packet data network (PDN) connections* to transport user plane traffic. PDN connections also contain one or more SDFs.

+The SDFs are bound to *Evolved Packet System (EPS) bearers*. EPS bearers are also assigned a QoS profile, which comprises two components.

+- A *QoS class identifier (QCI)*, which is the equivalent of a 5QI in 5G networks.

+ You can find more information on QCI values in 3GPP 23.203. Each standardized QCI value is mapped to a 5QI value.

+- An ARP value. This works in the same way as in 5G networks to define an EPS bearer's importance.

+Each EPS bearer is assigned an *EPS bearer ID (EBI)*, which is used by network elements to map SDFs to EPS bearers.

+Azure Private 5G Core provides configuration to allow you to determine the QoS flows or EPS bearers the packet core instance will create and bind to SDFs when establishing PDU sessions or PDN connections. You can configure two primary resource types - *services* and *SIM policies*.

+- A set of QoS characteristics that should be applied on SDFs matching the service. The packet core instance will use these characteristics to create a QoS flow or EPS bearer to bind to matching SDFs. You can specify the following QoS settings on a service:

+ - A 5QI value. This is mapped to a QCI value when used in 4G networks.

+ - A preemption capability setting. This setting determines whether the QoS flow or EPS bearer created for this service can preempt another QoS flow or EPS bearer with a lower ARP priority level.

+ - A preemption vulnerability setting. This setting determines whether the QoS flow or EPS bearer created for this service can be preempted by another QoS flow or EPS bearer with a higher ARP priority level.

+ - A set of QoS characteristics that will be used to form the default QoS flow for PDU sessions (or EPS bearer for PDN connections in 4G networks).

+## QoS flow and EPS bearer creation and assignment

+This section describes how the packet core instance uses policy control configuration to create and assign QoS flows and EPS bearers. We describe the steps using 5G concepts for clarity, but the packet core instance takes the same steps in 4G networks. The table below gives the equivalent 4G concepts for reference.

+|5G |4G |

+|||

+|PDU session | PDN connection |

+|QoS flow | EPS bearer |

+| gNodeB | eNodeB |

+During PDU session establishment, the packet core instance takes the following steps:

+1. Identifies the SIM resource representing the UE involved in the PDU session and its associated SIM policy (as described in [SIM policies](#sim-policies)).

+1. Creates a default QoS flow for the PDU session using the configured values on the SIM policy.

+1. Identifies whether the SIM policy has any associated services (as described in [Services](#services)). If it does, the packet core instance creates extra QoS flows using the QoS characteristics defined on these services.

+1. Signals the QoS flows and any non-default characteristics to the gNodeB.

+1. Sends a set of QoS rules (including SDF definitions taken from associated services) to the UE. The UE uses these rules to take the following steps:

+ - Checks uplink packets against the SDFs.

+ - Applies any necessary traffic control.

+ - Identifies the QoS flow to which each SDF should be bound.

+ - In 5G networks only, the UE marks packets with the appropriate QFI. The QFI ensures packets receive the correct QoS handling between the UE and the packet core instance without further inspection.

+1. Inspects downlink packets to check their properties against the data flow templates of the associated services, and then takes the following steps based on this matching:

+ - Applies any necessary traffic control.

+ - Identifies the QoS flow to which each SDF should be bound.

+ - Applies any necessary QoS treatment.

+ - In 5G networks only, the packet core instance marks packets with the QFI corresponding to the correct QoS flow. The QFI ensures the packets receive the correct QoS handling between the packet core instance and data network without further inspection.

+The following diagram shows the network functions supported by a packet core instance. It also shows the interfaces these network functions use to interoperate with third-party components.

+ Diagram displaying the packet core architecture. The packet core includes the following 5G network functions: the A M F, the S M F, the U P F, the U D R, the N R F, the P C F, the U D M, and the A U S F. The A M F communicates with 5G user equipment over the N1 interface. A G Node B provided by a Microsoft partner communicates with the A M F over the N2 interface and the U P F over the N3 interface. The U P F communicates with the data network over the N6 interface. When operating in 4G mode, the packet core includes M M E Proxy and M M E network functions. The M M E Proxy communicates with the M M E over the S 11 interface. An E Node B provided by a Microsoft partner communicates with the M M E over the S 1 M M E interface.

+## Feature support

+### Supported 4G network functions

+Azure Private 5G Core uses the following network functions when supporting 4G UEs, in addition to the 5G network functions listed above.

+- Mobile Management Entity (MME)

+- MME-Proxy - The MME-Proxy works to allow 4G UEs to be served by 5G network functions.

+The following 5G network functions perform specific roles when supporting 4G UEs.

+- The UDR operates as a Home Subscriber Store (HSS).

+- The UPF operates as a System Architecture Evolution Gateway (SAEGW-U).

+### Supported 5G and 4G procedures

+For information on Azure Private 5G Core's support for standards-based 5G and 4G procedures, see [Statement of compliance - Azure Private 5G Core](statement-of-compliance.md).

+- Authentication using Subscription Permanent Identifiers (SUPI) and 5G Globally Unique Temporary Identities (5G-GUTI) for 5G user equipment (UEs).

+- Authentication using International Mobile Subscriber Identities (IMSI) and Globally Unique Temporary Identities (GUTI) for 4G UEs.

+- 5G Authentication and Key Agreement (5G-AKA) for mutual authentication between 5G UEs and the network.

+- Evolved Packet System based Authentication and Key Agreement (EPS-AKA) for mutual authentication between 4G UEs and the network.

+- TS 33.401: 3GPP System Architecture Evolution (SAE); Security architecture.

+- IETF RFC 2279: UTF-8, a transformation format of ISO 10646.

+- IETF RFC 2474: Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers.

+- IETF RFC 3748: Extensible Authentication Protocol (EAP).

+- IETF RFC 3986: Uniform Resource Identifier (URI): Generic Syntax.

+- IETF RFC 4187: Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA).

+- IETF RFC 5448: Improved Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA').

+- IETF RFC 6458: Sockets API Extensions for the Stream Control Transmission Protocol (SCTP).

+- IETF RFC 6733: Diameter Base Protocol.

+- IETF RFC 6749: The OAuth 2.0 Authorization Framework.

+|| [Azure SQL Managed Instance](register-scan-azure-sql-managed-instance.md)| [Yes](register-scan-azure-sql-managed-instance.md#scan) | [Yes](register-scan-azure-sql-managed-instance.md#scan) | No* | No |

+For all [system supported file types](#file-types-supported-for-scanning), if there's nested JSON content in a column, then the scanner parses the nested JSON data and surfaces it within the schema tab of the asset.

+Nested data, or nested schema parsing, isn't supported in SQL. A column with nested data will be reported and classified as is, and subdata won't be parsed.

+ - If a document file is larger than 20 MB, then it isn't subject to a deep scan (subject to classification). In that case, Microsoft Purview captures only basic meta data like file name and fully qualified name.

+- Azure SQL Managed Instance

+A Managed Virtual Network in Microsoft Purview is a virtual network that is deployed and managed by Azure inside the same region as Microsoft Purview account to allow scanning Azure data sources inside a managed network, without having to deploy and manage any self-hosted integration runtime virtual machines by the customer in Azure.

+You can deploy an Azure Managed Integration Runtime within a Microsoft Purview Managed Virtual Network. From there, the Managed VNet Runtime will use private endpoints to securely connect to and scan supported data sources.

+Interactive authoring capabilities are used for functionalities like test connection, browse folder list and table list, get schema, and preview data. You can enable interactive authoring when creating or editing an Azure Integration Runtime that is in Purview-Managed Virtual Network. The backend service will pre-allocate compute for interactive authoring functionalities. Otherwise, the compute will be allocated every time any interactive operation is performed which will take more time. The Time To Live (TTL) for interactive authoring is 60 minutes, which means it will automatically become disabled after 60 minutes of the last interactive authoring operation.

+1. A Microsoft Purview account deployed in one of the [supported regions](#supported-regions).

+5. Deploying the Managed VNet Runtime for the first time triggers multiple workflows in the Microsoft Purview governance portal for creating managed private endpoints for Microsoft Purview and its Managed Storage Account. Select on each workflow to approve the private endpoint for the corresponding Azure resource.

+6. In Azure portal, from your Microsoft Purview account resource window, approve the managed private endpoint. From Managed storage account page approve the managed private endpoints for blob and queue

+3. From the list of supported data sources, select the type that corresponds to the data source you're planning to scan using Managed VNet Runtime.

+4. Provide a name for the managed private endpoint, select the Azure subscription and the data source from the drop-down lists. Select **create**.

+5. From the list of managed private endpoints, select on the newly created managed private endpoint for your data source and then select on **Manage approvals in the Azure portal**, to approve the private endpoint in Azure portal.

+6. By clicking on the link, you're redirected to Azure portal. Under private endpoints connection, select the newly created private endpoint and select **approve**.

+It's important to register the data source in Microsoft Purview prior to setting up a scan for the data source. Follow these steps to register data source if you haven't yet registered it.

+6. Provide a name for the managed private endpoint, select the Azure subscription and the Azure Key Vault from the drop-down lists. Select **create**.

+7. From the list of managed private endpoints, select on the newly created managed private endpoint for your Azure Key Vault and then select on **Manage approvals in the Azure portal**, to approve the private endpoint in Azure portal.

+8. By clicking on the link, you're redirected to Azure portal. Under private endpoints connection, select the newly created private endpoint for your Azure Key Vault and select **approve**.

+15. For **Credential** Select the credential you've registered earlier, choose the appropriate collection for the scan, and select **Test connection**. On a successful connection, select **Continue**.

+For example, you scan in an Azure Blob with the qualified name `https://myaccount.file.core.windows.net/myshare/folderA/folderB/my-file.parquet`. This blob is also consumed by an Azure Data Factory pipeline that will then add lineage information to the asset. The ADF pipeline may be configured to read the file as `https://myAccount.file.core.windows.net//myshare/folderA/folderB/my-file.parquet`. While the qualified name is different, this ADF pipeline is consuming the same piece of data. Normalization ensures that all the metadata from both Azure Blob Storage and Azure Data Factory is visible on a single asset, `https://myaccount.file.core.windows.net/myshare/folderA/folderB/my-file.parquet`.

+Applies to: Azure Blob, Azure Files, Azure Data Lake Storage Gen1, Azure Data Lake Storage Gen2, Azure Data Factory, Azure SQL Database, Azure SQL Managed Instance, Azure SQL pool, Azure Cosmos DB, Azure Cognitive Search, Azure Data Explorer, Azure Data Share, Amazon S3

+Applies to: Azure Blob, Azure Files, Azure Data Lake Storage Gen1, Azure Data Lake Storage Gen2, Azure SQL Database, Azure SQL Managed Instance, Azure SQL pool, Azure Cosmos DB, Azure Cognitive Search, Azure Data Explorer, Azure Data Share, Amazon S3

+Applies to: Azure SQL Database, Azure SQL Managed Instance, Azure SQL pool

+Applies to: Azure Blob, Azure Files, Azure Data Lake Storage Gen1, Azure Data Lake Storage Gen2, Azure SQL Database, Azure SQL Managed Instance, Azure SQL pool, Azure Cosmos DB, Azure Cognitive Search, Azure Data Explorer, Amazon S3

+Applies to: Azure Blob, Azure Files, Azure Data Lake Storage Gen1, Azure Data Lake Storage Gen2, Azure SQL Database, Azure SQL Managed Instance, Azure SQL pool, Azure Cosmos DB, Azure Cognitive Search, Azure Data Explorer, Amazon S3

+Applies to: Azure Blob, Azure Files, Azure Data Lake Storage Gen1, Azure Data Lake Storage Gen2, Azure Data Factory, Azure SQL Database, Azure SQL Managed Instance, Azure SQL pool, Azure Cosmos DB, Azure Cognitive Search, Azure Data Explorer, Azure Data Share, Amazon S3

+Remove the trailing slash from higher level assets for Azure Blob, ADLS Gen1, and ADLS Gen2

+|Automatic labeling for schematized data assets | - SQL server</br>- Azure SQL database</br>- Azure SQL Managed Instance</br>- Azure Synapse Analytics workspaces</br>- Azure Cosmos Database (SQL API)</br> - Azure database for MySQL</br> - Azure database for PostgreSQL</br> - Azure Data Explorer</br> |

+|**database columns** | [Register and scan an Azure SQL Database](register-scan-azure-sql-database.md) </br>[Register and scan an Azure SQL Managed Instance](register-scan-azure-sql-managed-instance.md) </br> [Register and scan Dedicated SQL pools](register-scan-azure-synapse-analytics.md)</br> [Register and scan Azure Synapse Analytics workspaces](register-scan-azure-synapse-analytics.md) </br> [Register and scan Azure Cosmos Database (SQL API)](register-scan-azure-cosmos-database.md) </br> [Register and scan an Azure MySQL database](register-scan-azure-mysql-database.md) </br> [Register and scan an Azure database for PostgreSQL](register-scan-azure-postgresql.md) |

+ Title: Resource group and subscription access provisioning by data owner (preview)

+# Resource group and subscription access provisioning by data owner (Preview)

+ Title: Access provisioning by data owner to Azure Storage datasets (preview)

+# Access provisioning by data owner to Azure Storage datasets (Preview)

+ Title: Authoring and publishing data owner access policies (preview)

+To take advantage of this [enrichment in Microsoft Defender for Cloud](../security-center/information-protection.md), no more steps are needed in Microsoft Purview. Start exploring the security enrichments with Microsoft Defender for Cloud's [Inventory page](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/25) where you can see the list of data sources with classifications and sensitivity labels.

+- [Azure SQL Managed Instance](./register-scan-azure-sql-managed-instance.md)

+In Microsoft Purview, there are few options to use as authentication method to scan data sources such as the following options. Learn from each [data source article](azure-purview-connector-overview.md) for its supported authentication.

+- [Azure SQL Managed Instance](register-scan-azure-sql-managed-instance.md#authentication-for-registration)

+* [Azure SQL Managed Instance](register-scan-azure-sql-managed-instance.md)

+Any single object that is stored within a Microsoft Purview Data Catalog.

+## Data Catalog

+A searchable inventory of assets and their associated metadata that allows users to find and curate data across a data estate. The Data Catalog also includes a business glossary where subject matter experts can provide terms and definitions to add a business context to an asset.

+An area of the Microsoft Purview governance portal that provides up-to-date reports and actionable insights about the data estate.

+* You'll need to be a Data Source Administrator and Data Reader to register a source and manage it in the Microsoft Purview governance portal. See our [Microsoft Purview Permissions page](catalog-permissions.md) for details.

+- [Azure SQL Managed Instance](register-scan-azure-sql-managed-instance.md#authentication-for-registration)

+ - If you select specific storage accounts or SQL databases, then future resources of that type created within this subscription or resource group won't be included for scans, unless the scan is explicitly edited in the future.

+ :::image type="content" source="media/register-scan-azure-multiple-sources/test-connection.png" alt-text="Screenshot showing the scan setup slider, with the Test Connection button highlighted.":::

+1. After your test connection has passed, select **Continue** to proceed.

+Now that you've registered your source, follow the below guides to learn more about Microsoft Purview and your data.

+ Title: 'Connect to and manage Azure SQL Managed Instance'

+description: This guide describes how to connect to Azure SQL Managed Instance in Microsoft Purview, and use Microsoft Purview's features to scan and manage your Azure SQL Managed Instance source.

+# Connect to and manage an Azure SQL Managed Instance in Microsoft Purview

+This article outlines how to register and Azure SQL Managed Instance, as well as how to authenticate and interact with the Azure SQL Managed Instance in Microsoft Purview. For more information about Microsoft Purview, read the [introductory article](overview.md)

+## Supported capabilities

+|**Metadata Extraction**| **Full Scan** |**Incremental Scan**|**Scoped Scan**|**Classification**|**Access Policy**|**Lineage**|

+||||||||

+| [Yes](#register) | [Yes](#scan)| [Yes](#scan) | [Yes](#scan) | [Yes](#scan) | No | No** |

+\** Lineage is supported if dataset is used as a source/sink in [Data Factory Copy activity](how-to-link-azure-data-factory.md)

+## Prerequisites

+* An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* An active [Microsoft Purview account](create-catalog-portal.md).

+* You'll need to be a Data Source Administrator and Data Reader to register a source and manage it in the Microsoft Purview governance portal. See our [Microsoft Purview Permissions page](catalog-permissions.md) for details.

+* [Configure public endpoint in Azure SQL Managed Instance](/azure/azure-sql/managed-instance/public-endpoint-configure)

+ > [!Note]

+ > We now support scanning Azure SQL Managed Instances over the private connection using Microsoft Purview ingestion private endpoints and a self-hosted integration runtime VM.

+ > For more information related to prerequisites, see [Connect to your Microsoft Purview and scan data sources privately and securely](./catalog-private-link-end-to-end.md)

+## Register

+This section describes how to register an Azure SQL Managed Instance in Microsoft Purview using the [Microsoft Purview governance portal](https://web.purview.azure.com/).

+### Authentication for registration

+If you need to create new authentication, you need to [authorize database access to SQL Database Managed Instance](/azure/azure-sql/database/logins-create-manage). There are three authentication methods that Microsoft Purview supports today:

+- [System or user assigned managed identity](#system-or-user-assigned-managed-identity-to-register)

+- [Service Principal](#service-principal-to-register)

+- [SQL authentication](#sql-authentication-to-register)

+#### System or user assigned managed identity to register

+You can use either your Microsoft Purview system-assigned managed identity (SAMI), or a [user-assigned managed identity](manage-credentials.md#create-a-user-assigned-managed-identity) (UAMI) to authenticate. Both options allow you to assign authentication directly to Microsoft Purview, like you would for any other user, group, or service principal. The Microsoft Purview system-assigned managed identity is created automatically when the account is created and has the same name as your Microsoft Purview account. A user-assigned managed identity is a resource that can be created independently. To create one, you can follow our [user-assigned managed identity guide](manage-credentials.md#create-a-user-assigned-managed-identity).

+You can find your managed identity Object ID in the Azure portal by following these steps:

+For Microsoft Purview accountΓÇÖs system-assigned managed identity:

+1. Open the Azure portal, and navigate to your Microsoft Purview account.

+1. Select the **Properties** tab on the left side menu.

+1. Select the **Managed identity object ID** value and copy it.

+For user-assigned managed identity (preview):

+1. Open the Azure portal, and navigate to your Microsoft Purview account.

+1. Select the Managed identities tab on the left side menu

+1. Select the user assigned managed identities, select the intended identity to view the details.

+1. The object (principal) ID is displayed in the overview essential section.

+Either managed identity will need permission to get metadata for the database, schemas and tables, and to query the tables for classification.

+- Create an Azure AD user in Azure SQL Managed Instance by following the prerequisites and tutorial on [Create contained users mapped to Azure AD identities](/azure/azure-sql/database/authentication-aad-configure?tabs=azure-powershell#create-contained-users-mapped-to-azure-ad-identities)

+- Assign `db_datareader` permission to the identity.

+#### Service Principal to register

+There are several steps to allow Microsoft Purview to use service principal to scan your Azure SQL Managed Instance.

+#### Create or use an existing service principal

+To use a service principal, you can use an existing one or create a new one. If you're going to use an existing service principal, skip to the next step.

+If you have to create a new Service Principal, follow these steps:

+ 1. Navigate to the [Azure portal](https://portal.azure.com).

+ 1. Select **Azure Active Directory** from the left-hand side menu.

+ 1. Select **App registrations**.

+ 1. Select **+ New application registration**.

+ 1. Enter a name for the **application** (the service principal name).

+ 1. Select **Accounts in this organizational directory only**.

+ 1. For Redirect URI, select **Web** and enter any URL you want; it doesn't have to be real or work.

+ 1. Then select **Register**.

+#### Configure Azure AD authentication in the database account

+The service principal must have permission to get metadata for the database, schemas, and tables. It must also be able to query the tables to sample for classification.

+- [Configure and manage Azure AD authentication with Azure SQL](/azure/azure-sql/database/authentication-aad-configure)

+- Create an Azure AD user in Azure SQL Managed Instance by following the prerequisites and tutorial on [Create contained users mapped to Azure AD identities](/azure/azure-sql/database/authentication-aad-configure?tabs=azure-powershell#create-contained-users-mapped-to-azure-ad-identities)

+- Assign `db_datareader` permission to the identity.

+#### Add service principal to key vault and Microsoft Purview's credential

+It's required to get the service principal's application ID and secret:

+1. Navigate to your Service Principal in the [Azure portal](https://portal.azure.com)

+1. Copy the values the **Application (client) ID** from **Overview** and **Client secret** from **Certificates & secrets**.

+1. Navigate to your key vault

+1. Select **Settings > Secrets**

+1. Select **+ Generate/Import** and enter the **Name** of your choice and **Value** as the **Client secret** from your Service Principal

+1. Select **Create** to complete

+1. If your key vault isn't connected to Microsoft Purview yet, you'll need to [create a new key vault connection](manage-credentials.md#create-azure-key-vaults-connections-in-your-microsoft-purview-account)

+1. Finally, [create a new credential](manage-credentials.md#create-a-new-credential) using the Service Principal to set up your scan.

+#### SQL authentication to register

+> [!Note]

+> Only the server-level principal login (created by the provisioning process) or members of the `loginmanager` database role in the master database can create new logins. It takes about **15 minutes** after granting permission, the Microsoft Purview account should have the appropriate permissions to be able to scan the resource(s).

+You can follow the instructions in [CREATE LOGIN](/sql/t-sql/statements/create-login-transact-sql?view=azuresqldb-current&preserve-view=true#examples-1) to create a login for Azure SQL Managed Instance if you don't have this login available. You'll need **username** and **password** for the next steps.

+1. Navigate to your key vault in the Azure portal

+1. Select **Settings > Secrets**

+1. Select **+ Generate/Import** and enter the **Name** and **Value** as the *password* from your Azure SQL Managed Instance

+1. Select **Create** to complete

+1. If your key vault isn't connected to Microsoft Purview yet, you'll need to [create a new key vault connection](manage-credentials.md#create-azure-key-vaults-connections-in-your-microsoft-purview-account)

+1. Finally, [create a new credential](manage-credentials.md#create-a-new-credential) using the **username** and **password** to set up your scan.

+### Steps to register

+1. Navigate to your [Microsoft Purview governance portal](https://web.purview.azure.com/resource/)

+1. Select **Data Map** on the left navigation.

+1. Select **Register**

+1. Select **Azure SQL Managed Instance** and then **Continue**.

+1. Select **From Azure subscription**, select the appropriate subscription from the **Azure subscription** drop-down box and the appropriate server from the **Server name** drop-down box.

+1. Provide the **public endpoint fully qualified domain name** and **port number**. Then select **Register** to register the data source.

+ :::image type="content" source="media/register-scan-azure-sql-managed-instance/add-azure-sql-database-managed-instance.png" alt-text="Screenshot of register sources screen, with Name, subscription, server name, and endpoint filled out.":::

+ For Example: `foobar.public.123.database.windows.net,3342`

+## Scan

+Follow the steps below to scan an Azure SQL Managed Instance to automatically identify assets and classify your data. For more information about scanning in general, see our [introduction to scans and ingestion](concept-scans-and-ingestion.md)

+### Create and run scan

+To create and run a new scan, complete the following steps:

+1. Select the **Data Map** tab on the left pane in the Microsoft Purview governance portal.

+1. Select the Azure SQL Managed Instance source that you registered.

+1. Select **New scan**

+1. Select the credential to connect to your data source.

+ :::image type="content" source="media/register-scan-azure-sql-managed-instance/set-up-scan-sql-mi.png" alt-text="Screenshot of new scan window, with the Purview MSI selected as the credential, but a service principal, or SQL authentication also available.":::

+1. You can scope your scan to specific tables by choosing the appropriate items in the list.

+ :::image type="content" source="media/register-scan-azure-sql-managed-instance/scope-your-scan.png" alt-text="Screenshot of the scope your scan window, with a subset of tables selected for scanning.":::

+1. Then select a scan rule set. You can choose between the system default, existing custom rule sets, or create a new rule set inline.

+ :::image type="content" source="media/register-scan-azure-sql-managed-instance/scan-rule-set.png" alt-text="Screenshot of scan rule set window, with the system default scan rule set selected.":::

+1. Choose your scan trigger. You can set up a schedule or run the scan once.

+ :::image type="content" source="media/register-scan-azure-sql-managed-instance/trigger-scan.png" alt-text="Screenshot of the set scan trigger window, with the recurring tab selected.":::

+1. Review your scan and select **Save and run**.

+## Next steps

+Now that you've registered your source, follow the below guides to learn more about Microsoft Purview and your data.

+- [Data Estate Insights in Microsoft Purview](concept-insights.md)

+- [Lineage in Microsoft Purview](catalog-lineage-user-guide.md)

+- [Search Data Catalog](how-to-search-catalog.md)

+|No. |Prerequisite / Action |Required permission |More guidance and recommendations |

+|5 |Update Azure Policy to allow deployment of the following resources in your Azure subscription: <ul><li>Microsoft Purview</li><li>Azure Storage</li><li>Azure Event Hubs (optional)</li></ul> |*Subscription Owner* |Use this step if an existing Azure Policy prevents deploying such Azure resources. If a blocking policy exists and needs to remain in place, follow our [Microsoft Purview exception tag guide](create-azure-purview-portal-faq.md) and follow the steps to create an exception for Microsoft Purview accounts. |

+|11 |Deploy a Microsoft Purview Account |Subscription Owner / Contributor |Purview account is deployed with one Capacity Unit and will scale up based [on demand](concept-elastic-data-map.md). |

+|12 |Deploy a Managed Integration Runtime and Managed private endpoints for Azure data sources. |*Data source admin* to set up Managed VNet inside Microsoft Purview. <br> *Network Contributor* to approve managed private endpoint for each Azure data source. |Perform this step if you're planning to use [Managed VNet](catalog-managed-vnet.md). within your Microsoft Purview account for scanning purposes. |

+|13 |Deploy Self-hosted integration runtime VMs inside your network. |Azure: *Virtual Machine Contributor* <br> On-premises: Application owner |Use this step if you're planning to perform any scans using [Self-hosted Integration Runtime](manage-integration-runtimes.md). |

+|15 |Register your Self-hosted integration runtime | Virtual machine administrator |Use this step if you have **on-premises** or **VM-based data sources** (for example, SQL Server). <br> Use this step are using **Private Endpoint** to scan to **any** data sources. |

+|16 |Grant Azure RBAC **Reader** role to **Microsoft Purview MSI** at data sources' Subscriptions |*Subscription owner* or *User Access Administrator* |Use this step if you're planning to register [multiple](register-scan-azure-multiple-sources.md) or **any** of the following data sources: <ul><li>[Azure Blob Storage](register-scan-azure-blob-storage-source.md)</li><li>[Azure Data Lake Storage Gen1](register-scan-adls-gen1.md)</li><li>[Azure Data Lake Storage Gen2](register-scan-adls-gen2.md)</li><li>[Azure SQL Database](register-scan-azure-sql-database.md)</li><li>[Azure SQL Managed Instance](register-scan-azure-sql-managed-instance.md)</li><li>[Azure Synapse Analytics](register-scan-synapse-workspace.md)</li></ul> |

+|17 |Grant Azure RBAC **Storage Blob Data Reader** role to **Microsoft Purview MSI** at data sources Subscriptions. |*Subscription owner* or *User Access Administrator* | **Skip** this step if you're using Private Endpoint to connect to data sources. Use this step if you have these data sources:<ul><li>[Azure Blob Storage](register-scan-azure-blob-storage-source.md#using-a-system-or-user-assigned-managed-identity-for-scanning)</li><li>[Azure Data Lake Storage Gen2](register-scan-adls-gen2.md#using-a-system-or-user-assigned-managed-identity-for-scanning)</li></ul> |

+|18 |Enable network connectivity to allow AzureServices to access data sources: <br> for example, Enable "**Allow trusted Microsoft services to access this storage account**". |*Owner* or *Contributor* at Data source |Use this step if **Service Endpoint** is used in your data sources. (Don't use this step if Private Endpoint is used) |

+|19 |Enable **Azure Active Directory Authentication** on **Azure SQL Servers**, **Azure SQL Managed Instance** and **Azure Synapse Analytics** |Azure SQL Server Contributor |Use this step if you have **Azure SQL DB** or **Azure SQL Managed Instance** or **Azure Synapse Analytics** as data source. **Skip** this step if you're using **Private Endpoint** to connect to data sources. |

+|20 |Grant **Microsoft Purview MSI** account with **db_datareader** role to Azure SQL databases and Azure SQL Managed Instance databases |Azure SQL Administrator |Use this step if you have **Azure SQL DB** or **Azure SQL Managed Instance** as data source. **Skip** this step if you're using **Private Endpoint** to connect to data sources. |

+|21 |Grant Azure RBAC **Storage Blob Data Reader** to **Synapse SQL Server** for staging Storage Accounts |Owner or User Access Administrator at data source |Use this step if you have **Azure Synapse Analytics** as data sources. **Skip** this step if you're using Private Endpoint to connect to data sources. |

+|22 |Grant Azure RBAC **Reader** role to **Microsoft Purview MSI** at **Synapse workspace** resources |Owner or User Access Administrator at data source |Use this step if you have **Azure Synapse Analytics** as data sources. **Skip** this step if you're using Private Endpoint to connect to data sources. |

+|23 |Grant Azure **Purview MSI account** with **db_datareader** role |Azure SQL Administrator |Use this step if you have **Azure Synapse Analytics (Dedicated SQL databases)**. <br> **Skip** this step if you're using **Private Endpoint** to connect to data sources. |

+|24 |Grant **Microsoft Purview MSI** account with **sysadmin** role |Azure SQL Administrator |Use this step if you have Azure Synapse Analytics (Serverless SQL databases). **Skip** this step if you're using **Private Endpoint** to connect to data sources. |

+|25 |Create an app registration or service principal inside your Azure Active Directory tenant | Azure Active Directory *Global Administrator* or *Application Administrator* | Use this step if you're planning to perform a scan on a data source using Delegated Author [Service Principal](create-service-principal-azure.md).|

+|26 |Create an **Azure Key Vault** and a **Secret** to save data source credentials or service principal secret. |*Contributor* or *Key Vault Administrator* |Use this step if you have **on-premises** or **VM-based data sources** (for example, SQL Server). <br> Use this step are using **ingestion private endpoints** to scan a data source. |

+|27 |Grant Key **Vault Access Policy** to Microsoft Purview MSI: **Secret: get/list** |*Key Vault Administrator* |Use this step if you have **on-premises** / **VM-based data sources** (for example, SQL Server) <br> Use this step if **Key Vault Permission Model** is set to [Vault Access Policy](../key-vault/general/assign-access-policy.md). |

+|28 |Grant **Key Vault RBAC role** Key Vault Secrets User to Microsoft Purview MSI. | *Owner* or *User Access Administrator* |Use this step if you have **on-premises** or **VM-based data sources** (for example, SQL Server) <br> Use this step if **Key Vault Permission Model** is set to [Azure role-based access control](../key-vault/general/rbac-guide.md). |

+|29 | Create a new connection to Azure Key Vault from the Microsoft Purview governance portal | *Data source admin* | Use this step if you're planning to use any of the following [authentication options](manage-credentials.md#create-a-new-credential) to scan a data source in Microsoft Purview: <ul><li>Account key</li><li>Basic Authentication</li><li>Delegated Auth</li><li>SQL Authentication</li><li>Service Principal</li><li>Consumer Key</li></ul>

+|33 |Consent "**Extend labeling to assets in Microsoft Purview Data Map**" |Compliance Administrator <br> Azure Information Protection Administrator |Use this step if you're interested in extending sensitivity labels to your data in the data map. <br> For more information, see [Labeling in the Microsoft Purview Data Map](create-sensitivity-label.md). |

+ Title: "Tutorial: How to use Microsoft Purview Python SDK"

+description: This tutorial describes how to use the Microsoft Purview Python SDK to scan data and search the catalog.

+# Customer intent: I can use the scanning and catalog Python SDKs to perform CRUD operations on data sources and scans, trigger scans and also to search the catalog.

+# Tutorial: Use the Microsoft Purview Python SDK

+This tutorial will introduce you to using the Microsoft Purview Python SDK. You can use the SDK to do all the most common Microsoft Purview operations programmatically, rather than through the Microsoft Purview governance portal.

+In this tutorial, you'll learn how us the SDK to:

+> [!div class="checklist"]

+>* Grant the required rights to work programmatically with Microsoft Purview

+>* Register a Blob Storage container as a data source in Microsoft Purview

+>* Define and run a scan

+>* Search the catalog

+>* Delete a data source

+## Prerequisites

+For this tutorial, you'll need:

+* [Python 3.6 or higher](https://www.python.org/downloads/)

+* An active Azure Subscription. [If you don't have one, you can create one for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* An Azure Active Directory tenant associated with your subscription.

+* An Azure Storage account. If you don't already have one, you can [follow our quickstart guide to create one](../storage/common/storage-account-create.md).

+* A Microsoft Purview account. If you don't already have one, you can [follow our quickstart guide to create one](create-catalog-portal.md).

+* A [service principal](../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal) with a [client secret](../active-directory/develop/howto-create-service-principal-portal.md#authentication-two-options).

+## Give Microsoft Purview access to the Storage account

+Before being able to scan the content of the Storage account, you need to give Microsoft Purview the right role.

+1. Go to your Storage Account through the [Azure portal](https://portal.azure.com).

+1. Select Access Control (IAM).

+1. Select the Add button and select **Add role assignment**.

+ :::image type="content" source="media/tutorial-using-python-sdk/add-role-assignment-storage.png" alt-text="Screenshot of the Access Control menu in the Storage Account with the add button selected and then add role assignment selected.":::

+1. In the next window, search for the **Storage blob Reader** role and select it:

+ :::image type="content" source="media/tutorial-using-python-sdk/storage-blob-reader-role.png" alt-text="Screenshot of the add role assignment menu, with Storage Blob Data Reader selected from the list of available roles.":::

+1. Then go on the **Members** tab and select **Select members**:

+ :::image type="content" source="media/tutorial-using-python-sdk/select-members-blob-reader-role.png" alt-text="Screenshot of the add role assignment menu with the + Select members button selected.":::

+1. A new pane appears on the right. Search and select the name of your existing Microsoft Purview instance.

+1. You can then select **Review + Assign**.

+Microsoft Purview now has the required reading right to scan your Blob Storage.

+## Grant your application the access to your Microsoft Purview account

+1. First, you'll need the Client ID, Tenant ID, and Client secret from your service principal. To find this information, select your **Azure Active Directory**.

+1. Then, select **App registrations**.

+1. Select your application and locate the required information:

+ * Name

+ * Client ID (or Application ID)

+ * Tenant ID (or Directory ID)

+ :::image type="content" source="media/tutorial-using-python-sdk/app-registration-info.png" alt-text="Screenshot of the service principal page in the Azure portal with the Client ID and Tenant ID highlighted.":::

+ * [Client secret](../active-directory/develop/howto-create-service-principal-portal.md#authentication-two-options)

+ :::image type="content" source="media/tutorial-using-python-sdk/get-service-principal-secret.png" alt-text="Screenshot of the service principal page in the Azure portal, with the Certificates & secrets tab selected, showing the available client certificates and secrets.":::

+1. You now need to give the relevant Microsoft Purview roles to your service principal. To do so, access your Microsoft Purview instance. Select **Open Microsoft Purview governance portal** or open [the Microsoft Purview's governance portal directly](https://web.purview.azure.com/) and choose the instance that you deployed.

+1. Inside the Microsoft Purview governance portal, select **Data map**, then **Collections**:

+ :::image type="content" source="media/tutorial-using-python-sdk/purview-collections.png" alt-text="Screenshot of the Microsoft Purview governance portal left menu. The data map tab is selected, then the collections tab is selected.":::

+1. Select the collection you want to work with, and go on the **Role assignments** tab. Add the service principal in the following roles:

+ * Collection admins

+ * Data source admins

+ * Data curators

+ * Data readers

+

+1. For each role, select the **Edit role assignments** button and select the role you want to add the service principal to. Or select the **Add** button next to each role, and add the service principal by searching its name or Client ID as shown below:

+ :::image type="content" source="media/tutorial-using-python-sdk/add-role-purview.png" alt-text="Screenshot of the Role assignments menu under a collection in the Microsoft Purview governance portal. The add user button is select next to the Collection admins tab. The add or remove collection admins pane is shown, with a search for the service principal in the text box.":::

+## Install the Python packages

+1. Open a new command prompt or terminal

+1. Install the Azure identity package for authentication:

+ ```bash

+ pip install azure-identity

+ ```

+1. Install the Microsoft Purview Scanning Client package:

+ ```bash

+ pip install azure-purview-scanning

+ ```

+1. Install the Microsoft Purview Administration Client package:

+ ```bash

+ pip install azure-purview-administration

+ ```

+1. Install the Microsoft Purview Client package:

+ ```bash

+ pip install azure-purview-catalog

+ ```

+1. Install the Microsoft Purview Account package:

+ ```bash

+ pip install azure-purview-account

+ ```

+1. Install the Azure Core package:

+ ```bash

+ pip install azure-core

+ ```

+## Create Python script file

+Create a plain text file, and save it as a python script with the suffix .py.

+For example: tutorial.py.

+## Instantiate a Scanning, Catalog, and Administration client

+In this section, you learn how to instantiate:

+* A scanning client useful to registering data sources, creating and managing scan rules, triggering a scan, etc.

+* A catalog client useful to interact with the catalog through searching, browsing the discovered assets, identifying the sensitivity of your data, etc.

+* An administration client is useful for interacting with the Microsoft Purview Data Map itself, for operations like listing collections.

+First you need to authenticate to your Azure Active Directory. For this, you'll use the [client secret you created](../active-directory/develop/howto-create-service-principal-portal.md#option-2-create-a-new-application-secret).

+1. Start with required import statements: our three clients, the credentials statement, and an Azure exceptions statement.

+ ```python

+ from azure.purview.scanning import PurviewScanningClient

+ from azure.purview.catalog import PurviewCatalogClient

+ from azure.purview.administration.account import PurviewAccountClient

+ from azure.identity import ClientSecretCredential

+ from azure.core.exceptions import HttpResponseError

+ ```

+1. Specify the following information in the code:

+ * Client ID (or Application ID)

+ * Tenant ID (or Directory ID)

+ * Client secret

+

+ ```python

+ client_id = "<your client id>"

+ client_secret = "<your client secret>"

+ tenant_id = "<your tenant id>"

+ ```

+1. You also need to specify the name of your Microsoft Purview account:

+ ```python

+ reference_name_purview = "<name of your Microsoft Purview account>"

+ ```

+1. You can now instantiate the three clients:

+ ```python

+ def get_credentials():

+ credentials = ClientSecretCredential(client_id=client_id, client_secret=client_secret, tenant_id=tenant_id)

+ return credentials

+ def get_purview_client():

+ credentials = get_credentials()

+ client = PurviewScanningClient(endpoint=f"https://{reference_name_purview}.scan.purview.azure.com", credential=credentials, logging_enable=True)

+ return client

+

+ def get_catalog_client():

+ credentials = get_credentials()

+ client = PurviewCatalogClient(endpoint=f"https://{reference_name_purview}.purview.azure.com/", credential=credentials, logging_enable=True)

+ return client

+ def get_admin_client():

+ credentials = get_credentials()

+ client = PurviewAccountClient(endpoint=f"https://{reference_name_purview}.purview.azure.com/", credential=credentials, logging_enable=True)

+ return client

+ ```

+

+Many of our scripts will start with these same steps, as we'll need these clients to interact with the account.

+## Register a data source

+In this section, you'll register your Blob Storage.

+1. Like we discussed in the previous section, first you'll import the clients you'll need to access your Microsoft Purview account. Also import the Azure error response package so you can troubleshoot, and the ClientSecretCredential to construct your Azure credentials.

+ ```python

+ from azure.purview.administration.account import PurviewAccountClient

+ from azure.purview.scanning import PurviewScanningClient

+ from azure.core.exceptions import HttpResponseError

+ from azure.identity import ClientSecretCredential

+ ```

+1. Gather the resource ID for your storage account by following this guide: [get the resource ID for a storage account.](../storage/common/storage-account-get-info.md#get-the-resource-id-for-a-storage-account)

+1. Then, in your python file, define the following information to be able to register the Blob storage programmatically:

+ ```python

+ storage_name = "<name of your Storage Account>"

+ storage_id = "<id of your Storage Account>"

+ rg_name = "<name of your resource group>"

+ rg_location = "<location of your resource group>"

+ reference_name_purview = "<name of your Microsoft Purview account>"

+ ```

+1. Provide the name of the collection where you'd like to register your blob storage. (It should be the same collection where you applied permissions earlier. If it isn't, first apply permissions to this collection.) If it's the root collection, use the same name as your Microsoft Purview instance.

+ ```python

+ collection_name = "<name of your collection>"

+ ```

+1. Create a function to construct the credentials to access your Microsoft Purview account:

+ ```python

+ client_id = "<your client id>"

+ client_secret = "<your client secret>"

+ tenant_id = "<your tenant id>"

+ def get_credentials():

+ credentials = ClientSecretCredential(client_id=client_id, client_secret=client_secret, tenant_id=tenant_id)

+ return credentials

+ ```

+1. All collections in the Microsoft Purview data map have a **friendly name** and a **name**.

+ * The **friendly name** name is the one you see on the collection. For example: Sales.

+ * The **name** for all collections (except the root collection) is a six-character name assigned by the data map.

+

+ Python needs this six-character name to reference any sub collections. To convert your **friendly name** automatically to the six-character collection name needed in your script, add this block of code:

+ ```python

+ def get_admin_client():

+ credentials = get_credentials()

+ client = PurviewAccountClient(endpoint=f"https://{reference_name_purview}.purview.azure.com/", credential=credentials, logging_enable=True)

+ return client

+ try:

+ admin_client = get_admin_client()

+ except ValueError as e:

+ print(e)

+ collection_list = client.collections.list_collections()

+ for collection in collection_list:

+ if collection["friendlyName"].lower() == collection_name.lower():

+ collection_name = collection["name"]

+ ```

+1. For both clients, and depending on the operations, you also need to provide an input body. To register a source, you'll need to provide an input body for data source registration:

+ ```python

+ ds_name = "<friendly name for your data source>"

+

+ body_input = {

+ "kind": "AzureStorage",

+ "properties": {

+ "endpoint": "endpoint": f"https://{storage_name}.blob.core.windows.net/",

+ "resourceGroup": rg_name,

+ "location": rg_location,

+ "resourceName": storage_name,

+ "resourceId": storage_id,

+ "collection": {

+ "type": "CollectionReference",

+ "referenceName": collection_name

+ },

+ "dataUseGovernance": "Disabled"

+ }

+ }

+ ```

+1. Now you can call your Microsoft Purview clients and register the data source.

+ ```python

+ def get_purview_client():

+ credentials = get_credentials()

+ client = PurviewScanningClient(endpoint=f"https://{reference_name_purview}.scan.purview.azure.com", credential=credentials, logging_enable=True)

+ return client

+ try:

+ client = get_purview_client()

+ except ValueError as e:

+ print(e)

+ try:

+ response = client.data_sources.create_or_update(ds_name, body=body_input)

+ print(response)

+ print(f"Data source {ds_name} successfully created or updated")

+ except HttpResponseError as e:

+ print(e)

+ ```

+When the registration process succeeds, you can see an enriched body response from the client.

+In the following sections, you'll scan the data source you registered and search the catalog. Each of these scripts will be very similarly structured to this registration script.

+### Full code

+```python

+from azure.purview.scanning import PurviewScanningClient

+from azure.identity import ClientSecretCredential

+from azure.core.exceptions import HttpResponseError

+from azure.purview.administration.account import PurviewAccountClient

+client_id = "<your client id>"

+client_secret = "<your client secret>"

+tenant_id = "<your tenant id>"

+reference_name_purview = "<name of your Microsoft Purview account>"

+storage_name = "<name of your Storage Account>"

+storage_id = "<id of your Storage Account>"

+rg_name = "<name of your resource group>"

+rg_location = "<location of your resource group>"

+collection_name = "<name of your collection>"

+ds_name = "<friendly data source name>"

+def get_credentials():

+ credentials = ClientSecretCredential(client_id=client_id, client_secret=client_secret, tenant_id=tenant_id)

+ return credentials

+def get_purview_client():

+ credentials = get_credentials()

+ client = PurviewScanningClient(endpoint=f"https://{reference_name_purview}.scan.purview.azure.com", credential=credentials, logging_enable=True)

+ return client

+def get_admin_client():

+ credentials = get_credentials()

+ client = PurviewAccountClient(endpoint=f"https://{reference_name_purview}.purview.azure.com/", credential=credentials, logging_enable=True)

+ return client

+try:

+ admin_client = get_admin_client()

+except ValueError as e:

+ print(e)

+collection_list = admin_client.collections.list_collections()

+for collection in collection_list:

+ if collection["friendlyName"].lower() == collection_name.lower():

+ collection_name = collection["name"]

+body_input = {

+ "kind": "AzureStorage",

+ "properties": {

+ "endpoint": f"https://{storage_name}.blob.core.windows.net/",

+ "resourceGroup": rg_name,

+ "location": rg_location,

+ "resourceName": storage_name,

+ "resourceId": storage_id,

+ "collection": {

+ "type": "CollectionReference",

+ "referenceName": collection_name

+ },

+ "dataUseGovernance": "Disabled"

+ }

+}

+try:

+ client = get_purview_client()

+except ValueError as e:

+ print(e)

+try:

+ response = client.data_sources.create_or_update(ds_name, body=body_input)

+ print(response)

+ print(f"Data source {ds_name} successfully created or updated")

+except HttpResponseError as e:

+ print(e)

+```

+## Scan the data source

+Scanning a data source can be done in two steps:

+1. Create a scan definition

+1. Trigger a scan run

+In this tutorial, you'll use the default scan rules for Blob Storage containers. However, you can also [create custom scan rules programmatically with the Microsoft Purview Scanning Client](/python/api/azure-purview-scanning/azure.purview.scanning.operations.scanrulesetsoperations).

+Now let's scan the data source you registered above.

+1. Add an import statement to generate [unique identifier](https://en.wikipedia.org/wiki/Universally_unique_identifier), call the Microsoft Purview scanning client, the Microsoft Purview administration client, the Azure error response package to be able to troubleshoot, and the client secret credential to gather your Azure credentials.

+ ```python

+ import uuid

+ from azure.purview.scanning import PurviewScanningClient

+ from azure.purview.administration.account import PurviewAccountClient

+ from azure.core.exceptions import HttpResponseError

+ from azure.identity import ClientSecretCredential

+ ```

+1. Create a scanning client using your credentials:

+ ```python

+ client_id = "<your client id>"

+ client_secret = "<your client secret>"

+ tenant_id = "<your tenant id>"

+ def get_credentials():

+ credentials = ClientSecretCredential(client_id=client_id, client_secret=client_secret, tenant_id=tenant_id)

+ return credentials

+ def get_purview_client():

+ credentials = get_credentials()

+ client = PurviewScanningClient(endpoint=f"https://{reference_name_purview}.scan.purview.azure.com", credential=credentials, logging_enable=True)

+ return client

+ try:

+ client = get_purview_client()

+ except ValueError as e:

+ print(e)

+ ```

+1. Add the code to gather the internal name of your collection. (For more information, see the previous section):

+ ```python

+ collection_name = "<name of the collection where you will be creating the scan>"

+ def get_admin_client():

+ credentials = get_credentials()

+ client = PurviewAccountClient(endpoint=f"https://{reference_name_purview}.purview.azure.com/", credential=credentials, logging_enable=True)

+ return client

+ try:

+ admin_client = get_admin_client()

+ except ValueError as e:

+ print(e)

+ collection_list = client.collections.list_collections()

+ for collection in collection_list:

+ if collection["friendlyName"].lower() == collection_name.lower():

+ collection_name = collection["name"]

+ ```

+1. Then, create a scan definition:

+ ```python

+ ds_name = "<name of your registered data source>"

+ scan_name = "<name of the scan you want to define>"

+ reference_name_purview = "<name of your Microsoft Purview account>"

+ body_input = {

+ "kind":"AzureStorageMsi",

+ "properties": {

+ "scanRulesetName": "AzureStorage",

+ "scanRulesetType": "System", #We use the default scan rule set

+ "collection":

+ {

+ "referenceName": collection_name,

+ "type": "CollectionReference"

+ }

+ }

+ }

+ try:

+ response = client.scans.create_or_update(data_source_name=ds_name, scan_name=scan_name, body=body_input)

+ print(response)

+ print(f"Scan {scan_name} successfully created or updated")

+ except HttpResponseError as e:

+ print(e)

+ ```

+1. Now that the scan is defined you can trigger a scan run with a unique ID:

+ ```python

+ run_id = uuid.uuid4() #unique id of the new scan

+ try:

+ response = client.scan_result.run_scan(data_source_name=ds_name, scan_name=scan_name, run_id=run_id)

+ print(response)

+ print(f"Scan {scan_name} successfully started")

+ except HttpResponseError as e:

+ print(e)

+ ```

+### Full code

+```python

+import uuid

+from azure.purview.scanning import PurviewScanningClient

+from azure.purview.administration.account import PurviewAccountClient

+from azure.identity import ClientSecretCredential

+ds_name = "<name of your registered data source>"

+scan_name = "<name of the scan you want to define>"

+reference_name_purview = "<name of your Microsoft Purview account>"

+client_id = "<your client id>"

+client_secret = "<your client secret>"

+tenant_id = "<your tenant id>"

+collection_name = "<name of the collection where you will be creating the scan>"

+def get_credentials():

+ credentials = ClientSecretCredential(client_id=client_id, client_secret=client_secret, tenant_id=tenant_id)

+ return credentials

+def get_purview_client():

+ credentials = get_credentials()

+ client = PurviewScanningClient(endpoint=f"https://{reference_name_purview}.scan.purview.azure.com", credential=credentials, logging_enable=True)

+ return client

+def get_admin_client():

+ credentials = get_credentials()

+ client = PurviewAccountClient(endpoint=f"https://{reference_name_purview}.purview.azure.com/", credential=credentials, logging_enable=True)

+ return client

+try:

+ admin_client = get_admin_client()

+except ValueError as e:

+ print(e)

+collection_list = admin_client.collections.list_collections()

+for collection in collection_list:

+ if collection["friendlyName"].lower() == collection_name.lower():

+ collection_name = collection["name"]

+try:

+ client = get_purview_client()

+except AzureError as e:

+ print(e)

+body_input = {

+ "kind":"AzureStorageMsi",

+ "properties": {

+ "scanRulesetName": "AzureStorage",

+ "scanRulesetType": "System",

+ "collection": {

+ "type": "CollectionReference",

+ "referenceName": collection_name

+ }

+ }

+}

+try:

+ response = client.scans.create_or_update(data_source_name=ds_name, scan_name=scan_name, body=body_input)

+ print(response)

+ print(f"Scan {scan_name} successfully created or updated")

+except HttpResponseError as e:

+ print(e)

+run_id = uuid.uuid4() #unique id of the new scan

+try:

+ response = client.scan_result.run_scan(data_source_name=ds_name, scan_name=scan_name, run_id=run_id)

+ print(response)

+ print(f"Scan {scan_name} successfully started")

+except HttpResponseError as e:

+ print(e)

+```

+## Search catalog

+Once a scan is complete, it's likely that assets have been discovered and even classified. This process can take some time to complete after a scan, so you may need to wait before running this next portion of code. Wait for your scan to show **completed**, and the assets to appear in the Microsoft Purview Data Catalog.

+Once the assets are ready, you can use the Microsoft Purview Catalog client to search the whole catalog.

+1. This time you need to import the **catalog** client instead of the scanning one. Also include the HTTPResponse error and ClientSecretCredential.

+ ```python

+ from azure.purview.catalog import PurviewCatalogClient

+ from azure.identity import ClientSecretCredential

+ from azure.core.exceptions import HttpResponseError

+ ```

+1. Create a function to get the credentials to access your Microsoft Purview account, and instantiate the catalog client.

+ ```python

+ client_id = "<your client id>"

+ client_secret = "<your client secret>"

+ tenant_id = "<your tenant id>"

+ reference_name_purview = "<name of your Microsoft Purview account>"

+ def get_credentials():

+ credentials = ClientSecretCredential(client_id=client_id, client_secret=client_secret, tenant_id=tenant_id)

+ return credentials

+ def get_catalog_client():

+ credentials = get_credentials()

+ client = PurviewCatalogClient(endpoint=f"https://{reference_name_purview}.purview.azure.com/", credential=credentials, logging_enable=True)

+ return client

+ try:

+ client_catalog = get_catalog_client()

+ except ValueError as e:

+ print(e)

+ ```

+1. Configure your search criteria and keywords in the input body:

+ ```python

+ keywords = "keywords you want to search"

+ body_input={

+ "keywords": keywords

+ }

+ ```

+ Here you only specify keywords, but keep in mind [you can add many other fields to further specify your query](/python/api/azure-purview-catalog/azure.purview.catalog.operations.discoveryoperations#azure-purview-catalog-operations-discoveryoperations-query).

+

+1. Search the catalog:

+ ```python

+ try:

+ response = client_catalog.discovery.query(search_request=body_input)

+ print(response)

+ except HttpResponseError as e:

+ print(e)

+ ```

+### Full code

+```python

+from azure.purview.catalog import PurviewCatalogClient

+from azure.identity import ClientSecretCredential

+from azure.core.exceptions import HttpResponseError

+client_id = "<your client id>"

+client_secret = "<your client secret>"

+tenant_id = "<your tenant id>"

+reference_name_purview = "<name of your Microsoft Purview account>"

+keywords = "<keywords you want to search for>"

+def get_credentials():

+ credentials = ClientSecretCredential(client_id=client_id, client_secret=client_secret, tenant_id=tenant_id)

+ return credentials

+def get_catalog_client():

+ credentials = get_credentials()

+ client = PurviewCatalogClient(endpoint=f"https://{reference_name_purview}.purview.azure.com/", credential=credentials, logging_enable=True)

+ return client

+body_input={

+ "keywords": keywords

+}

+try:

+ catalog_client = get_catalog_client()

+except ValueError as e:

+ print(e)

+try:

+ response = catalog_client.discovery.query(search_request=body_input)

+ print(response)

+except HttpResponseError as e:

+ print(e)

+```

+## Delete a data source

+In this section, you'll learn how to delete the data source you registered earlier. This operation is fairly simple, and is done with the scanning client.

+1. Import the **scanning** client. Also include the HTTPResponse error and ClientSecretCredential.

+ ```python

+ from azure.purview.scanning import PurviewScanningClient

+ from azure.identity import ClientSecretCredential

+ from azure.core.exceptions import HttpResponseError

+ ```

+1. Create a function to get the credentials to access your Microsoft Purview account, and instantiate the scanning client.

+ ```python

+ client_id = "<your client id>"

+ client_secret = "<your client secret>"

+ tenant_id = "<your tenant id>"

+ reference_name_purview = "<name of your Microsoft Purview account>"

+ def get_credentials():

+ credentials = ClientSecretCredential(client_id=client_id, client_secret=client_secret, tenant_id=tenant_id)

+ return credentials

+ def get_scanning_client():

+ credentials = get_credentials()

+ PurviewScanningClient(endpoint=f"https://{reference_name_purview}.scan.purview.azure.com", credential=credentials, logging_enable=True)

+ return client

+ try:

+ client_scanning = get_scanning_client()

+ except ValueError as e:

+ print(e)

+ ```

+1. Delete the data source:

+ ```python

+ ds_name = "<name of the registered data source you want to delete>"

+ try:

+ response = client_scanning.data_sources.delete(ds_name)

+ print(response)

+ print(f"Data source {ds_name} successfully deleted")

+ except HttpResponseError as e:

+ print(e)

+ ```

+### Full code

+```python

+from azure.purview.scanning import PurviewScanningClient

+from azure.identity import ClientSecretCredential

+from azure.core.exceptions import HttpResponseError

+client_id = "<your client id>"

+client_secret = "<your client secret>"

+tenant_id = "<your tenant id>"

+reference_name_purview = "<name of your Microsoft Purview account>"

+ds_name = "<name of the registered data source you want to delete>"

+def get_credentials():

+ credentials = ClientSecretCredential(client_id=client_id, client_secret=client_secret, tenant_id=tenant_id)

+ return credentials

+def get_scanning_client():

+ credentials = get_credentials()

+ client = PurviewScanningClient(endpoint=f"https://{reference_name_purview}.scan.purview.azure.com", credential=credentials, logging_enable=True)

+ return client

+try:

+ client_scanning = get_scanning_client()

+except ValueError as e:

+ print(e)

+try:

+ response = client_scanning.data_sources.delete(ds_name)

+ print(response)

+ print(f"Data source {ds_name} successfully deleted")

+except HttpResponseError as e:

+ print(e)

+```

+## Next steps

+> [!div class="nextstepaction"]

+> [Learn more about the Python Microsoft Purview Scanning Client](https://azuresdkdocs.blob.core.windows.net/$web/python/azure-purview-scanning/1.0.0b2/https://docsupdatetracker.net/index.html)

+> [Learn more about the Python Microsoft Purview Catalog Client](https://azuresdkdocs.blob.core.windows.net/$web/python/azure-purview-catalog/1.0.0b2/https://docsupdatetracker.net/index.html)

+- Az PowerShell module

+- [Azure Storage Explorer](https://azure.microsoft.com/features/storage-explorer/) - a convenient UI to upload/download/manage files on Azure blob storage

+- [Using the Azure Remote Rendering Toolkit (ARRT)](../../samples/azure-remote-rendering-asset-tool.md)

+> [!NOTE]

+>

+ Title: Azure Remote Rendering Toolkit

+description: Learn about the Azure Remote Rendering Toolkit (ARRT) which is an open-source desktop application developed in C++/Qt.

+# Azure Remote Rendering Toolkit (ARRT)

+Azure Remote Rendering Toolkit (ARRT) is an open-source desktop application developed in C++/Qt that is meant to help getting start with Azure Remote Rendering. Additionally it's meant as a sample application for how to integrate Remote Rendering into your own product.

+* Upload files into an Azure Storage account.

+* Convert 3D models for ARR

+* Start a new ARR session or connect to an existing one.

+* Render converted 3D models using ARR.

+* See basic performance numbers.

+## GitHub Repository

+The [ARRT GitHub repository](https://github.com/Azure/azure-remote-rendering-asset-tool) contains full C++ source, documentation and [pre-built binaries](https://github.com/Azure/azure-remote-rendering-asset-tool/releases).

+There are no longer any document limits per service in Azure Cognitive Search, however, there is a limit of approximately 24 billion documents per index on Basic, S1, S2, and S3 search services. For S3 HD, the limit is 2 billion documents per index. Each element of a complex collection counts as a separate document in terms of these limits.

+- An application deployed to Container Apps in a [region supported by Service Connector](./concept-region-support.md). If you don't have one yet, [create and deploy a container to Container Apps](/azure/container-apps/quickstart-portal).

+- Set up the web app's `AZURE_APPCONFIGURATION_CONNECTIONSTRING` to let the application access it and get the App Configuration connection string. Access [sample code](https://github.com/Azure-Samples/serviceconnector-webapp-appconfig-dotnet/blob/main/connection-string/ServiceConnectorSample/Program.cs#L9-L12).

+- Activate the web app's system-assigned managed authentication and grant App Configuration a Data Reader role to let the application authenticate to the App Configuration using DefaultAzureCredential from Azure.Identity. Access [sample code](https://github.com/Azure-Samples/serviceconnector-webapp-appconfig-dotnet/blob/main/connection-string/ServiceConnectorSample/Program.cs#L43).

+ms.tool: azure-powershell

+[Mongoose](https://mongoosejs.com/) is the most popular ODM (Object Document Mapping) client for Node.js. Allowing you to design a data structure and enforce validation, Mongoose provides all the tooling necessary to interact with databases that support the MongoDB API. [Cosmos DB](../cosmos-db/mongodb-introduction.md) supports the necessary MongoDB APIs and is available as a back-end server option on Azure.

+2. Select **Create a resource**

+4. Select **Azure Cosmos DB**

+5. Select **Create**

+ - Resource: Select **Create new**, and set the name to **aswa-mongoose**

+8. Select **Review + create**

+9. Select **Create**

+4. Select **Create repository from template**

+6. Select **Create a resource**

+9. Select **Create**

+ - Select **Sign in with GitHub**

+ - Select **Authorize** if prompted to allow Azure Static Web Apps to create the GitHub Action to enable deployment

+ - Build presets: Choose **React**

+ - App location: **/**

+ - Output location: **build**

+11. Select **Review and create**

+12. Select **Create**

+13. The creation process takes a few moments; select **Go to resource** once the static web app is provisioned

+1. Select **Home** in the upper left corner of the Azure portal (or navigate back to [https://portal.azure.com](https://portal.azure.com))

+2. Select **Resource groups**

+3. Select **aswa-mongoose**

+4. Select the name of your database account - it will have a type of **Azure Cosmos DB API for Mongo DB**

+5. Under **Settings** select **Connection String**

+7. In the breadcrumbs, select **aswa-mongoose**

+8. Select **aswa-mongoose-tutorial** to return to the website instance

+9. Under **Settings** select **Configuration**

+10. Select **Add** and create a new Application Setting with the following values

+ - Name: **AZURE_COSMOS_CONNECTION_STRING**

+ - Value: \<Paste the connection string you copied earlier\>

+11. Select **OK**

+12. Select **Add** and create a new Application Setting with the following values for name of the database

+ - Name: **AZURE_COSMOS_DATABASE_NAME**

+ - Value: **todo**

+13. Select **Save**

+1. Select **Overview**

+1. Select the URL displayed in the upper right

+1. Select **Please login to see your list of tasks**

+1. Select **Grant consent** to access the application

+1. Create a new lists by typing a name into the textbox labeled **create new list** and selecting **Save**

+1. Create a new task by typing in a title in the textbox labeled **create new item** and selecting **Save**

+1. Mark the task as complete by **selecting the check**; the task will be moved to the **Done items** section of the page

+2. Select **Resource groups**

+3. Select **aswa-mongoose**

+4. Select **Delete resource group**

+6. Select **Delete**

+- BlobServiceClient.[deleteContainer](/javascript/api/@azure/storage-blob/blobserviceclient#@azure-storage-blob-blobserviceclient-deletecontainer#@azure-storage-blob-blobserviceclient-deletecontainer)

+- ContainerClient.[delete](/javascript/api/@azure/storage-blob/blobserviceclient#@azure-storage-blob-blobserviceclient-deletecontainer)

+- ContainerClient.[deleteIfExists](/javascript/api/@azure/storage-blob/blobserviceclient#@azure-storage-blob-containerclient-deleteifexists)

+- BlobServiceClient.[undeleteContainer](/javascript/api/@azure/storage-blob/blobserviceclient#@azure-storage-blob-blobserviceclient-deletecontainert#@azure-storage-blob-blobserviceclient-undeletecontainer)

+# azcopy bench

+Runs a performance benchmark by uploading or downloading test data to or from a specified destination. For uploads, the test data is automatically generated.

+- Instead of requiring both source and destination parameters, benchmark takes just one. This is the blob container, Azure Files Share, or Azure Data Lake Storage Gen2 file system that you want to upload to or download from.

+- The 'mode' parameter describes whether AzCopy should test uploads to or downloads from given target. Valid values ar`e 'Upload'

+- For upload benchmarks, the payload is described by command line parameters, which control how many files are auto-generated and

+ how big they are. The generation process takes place entirely in memory. Disk isn't used.

+- For downloads, the payload consists of whichever files already exist at the source. (See example below about how to generate

+

+- Only a few of the optional parameters that are available to the copy command are supported.

+

+- Additional diagnostics are measured and reported.

+

+- For uploads, the default behavior is to delete the transferred data at the end of the test run. For downloads, the data is never actually saved locally.

+Benchmark mode will automatically tune itself to the number of parallel TCP connections that gives the maximum throughput. It will display that number at the end. To prevent auto-tuning, set the COPY_CONCURRENCY_VALUE environment variable to a specific number of connections.

+

+azcopy bench [destination] [flags]

+## Examples

+Run an upload benchmark with default parameters (suitable for benchmarking networks up to 1 Gbps):

+`azcopy bench "https://[account].blob.core.windows.net/[container]?<SAS>"`

+Run a benchmark test that uploads 100 files, each 2 GiB in size: (suitable for benchmarking on a fast network, e.g. 10 Gbps):'

+`azcopy bench "https://[account].blob.core.windows.net/[container]?<SAS>" --file-count 100 --size-per-file 2G`

+Same as above, but use 50,000 files, each 8 MiB in size and compute their MD5 hashes (in the same way that the --put-md5 flag does this

+in the copy command). The purpose of --put-md5 when benchmarking is to test whether MD5 computation affects throughput for the selected file count and size:

+`azcopy bench --mode='Upload' "https://[account].blob.core.windows.net/[container]?<SAS>" --file-count 50000 --size-per-file 8M --put-md5`

+`azcopy bench --mode='Download' "https://[account].blob.core.windows.net/[container]?<SAS?"`

+Run an upload that doesn't delete the transferred files. (These files can then serve as the payload for a download test)

+`azcopy bench "https://[account].blob.core.windows.net/[container]?<SAS>" --file-count 100 --delete-test-data=false`

+`--blob-type string` defines the type of blob at the destination. Used to allow benchmarking different blob types. Identical to the same-named parameter in the copy command (default "Detect")

+`--block-size-mb float` Use this block size (specified in MiB). Default is automatically calculated based on file size. Decimal fractions are allowed - for example, 0.25. Identical to the same-named parameter in the copy command

+`--check-length` Check the length of a file on the destination after the transfer. If there's a mismatch between source and destination, the transfer is marked as failed. (default true)

+`--delete-test-data` If true, the benchmark data will be deleted at the end of the benchmark run. Set it to false if you want to keep the data at the destination - for example, to use it for manual tests outside benchmark mode (default true)

+`--file-count` (uint) number of auto-generated data files to use (default 100)

+`-h`, `--help` help for bench

+`--log-level` (string) define the log verbosity for the log file, available levels: INFO(all requests/responses), WARNING(slow responses), ERROR(only failed requests), and NONE(no output logs). (default "INFO")

+`--mode` (string) Defines if Azcopy should test uploads or downloads from this target. Valid values are 'upload' and 'download'. Defaulted option is 'upload'. (default "upload")

+`--number-of-folders` (uint) If larger than 0, create folders to divide up the data.

+`--put-md5` Create an MD5 hash of each file, and save the hash as the Content-MD5 property of the destination blob/file. (By default the hash is NOT created.) Identical to the same-named parameter in the copy command

+`--size-per-file` (string) Size of each auto-generated data file. Must be a number immediately followed by K, M or G. E.g. 12k or 200G (default "250M")

+`--cap-mbps` (float) Caps the transfer rate, in megabits per second. Moment-by-moment throughput might vary slightly from the cap. If this option is set to zero, or it's omitted, the throughput isn't capped.

+`--output-type` (string) Format of the command's output. The choices include: text, json. The default value is 'text'. (default "text")

+`--trusted-microsoft-suffixes` (string) Specifies additional domain suffixes where Azure Active Directory login tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de;*.core.usgovcloudapi.net;*.storage.azure.net'. Any listed here are added to the default. For security, you should only put Microsoft Azure domains here. Separate multiple entries with semi-colons.

+- local <-> Azure Blob (SAS or OAuth authentication)

+- local <-> Azure Files (Share/directory SAS authentication)

+- local <-> Azure Data Lake Storage Gen2 (SAS, OAuth, or SharedKey authentication)

+- Azure Blob (SAS or public) -> Azure Blob (SAS or OAuth authentication)

+- Azure Blob (SAS or public) -> Azure Files (SAS)

+- Azure Files (SAS) -> Azure Files (SAS)

+- Azure Files (SAS) -> Azure Blob (SAS or OAuth authentication)

+- AWS S3 (Access Key) -> Azure Block Blob (SAS or OAuth authentication)

+- Google Cloud Storage (Service Account Key) -> Azure Block Blob (SAS or OAuth authentication)

+Refer to the examples for more information.

+### Advanced

+AzCopy automatically detects the content type of the files when uploading from the local disk, based on the file extension or content (if no extension is specified).

+The built-in lookup table is small, but on Unix, it's augmented by the local system's mime.types file(s) if available under one or more of these names:

+On Windows, MIME types are extracted from the registry. This feature can be turned off with the help of a flag. Refer to the flag section.

+If you set an environment variable by using the command line, that variable will be readable in your command line history. Consider clearing variables that contain credentials from your command line history. To keep variables from appearing in your history, you can use a script to prompt the user for their credentials, and to set the environment variable.

+```azcopy

+Upload a single file by using OAuth authentication. If you haven't yet logged into AzCopy, please run the azcopy login command before you run the following command.

+`azcopy cp "/path/to/file.txt" "https://[account].blob.core.windows.net/[container]/[path/to/blob]"`

+Same as above, but this time also compute MD5 hash of the file content and save it as the blob's Content-MD5 property:

+`azcopy cp "/path/to/file.txt" "https://[account].blob.core.windows.net/[container]/[path/to/blob]" --put-md5`

+`azcopy cp "/path/to/file.txt" "https://[account].blob.core.windows.net/[container]/[path/to/blob]?[SAS]"`

+

+`cat "/path/to/file.txt" | azcopy cp "https://[account].blob.core.windows.net/[container]/[path/to/blob]?[SAS]" --from-to PipeBlob`

+Upload a single file by using OAuth and piping (block blobs only):

+`cat "/path/to/file.txt" | azcopy cp "https://[account].blob.core.windows.net/[container]/[path/to/blob]" --from-to PipeBlob`

+Upload an entire directory by using a SAS token:

+

+`azcopy cp "/path/to/dir" "https://[account].blob.core.windows.net/[container]/[path/to/directory]?[SAS]" --recursive=true`

+`azcopy cp "/path/to/dir" "https://[account].blob.core.windows.net/[container]/[path/to/directory]?[SAS]" --recursive=true --put-md5`

+`azcopy cp "/path/*foo/*bar/*.pdf" "https://[account].blob.core.windows.net/[container]/[path/to/directory]?[SAS]"`

+`azcopy cp "/path/*foo/*bar*" "https://[account].blob.core.windows.net/[container]/[path/to/directory]?[SAS]" --recursive=true`

+- To set tags {key = "bla bla", val = "foo"} and {key = "bla bla 2", val = "bar"}, use the following syntax:

+- `azcopy cp "/path/*foo/*bar*" "https://[account].blob.core.windows.net/[container]/[path/to/directory]?[SAS]" --blob-tags="bla%20bla=foo&bla%20bla%202=bar"`

+Download a single file by using OAuth authentication. If you haven't yet logged into AzCopy, please run the azcopy login command before you run the following command.

+`azcopy cp "https://[account].blob.core.windows.net/[container]/[path/to/blob]" "/path/to/file.txt"`

+`azcopy cp "https://[account].blob.core.windows.net/[container]/[path/to/blob]?[SAS]" "/path/to/file.txt"`

+

+`azcopy cp "https://[account].blob.core.windows.net/[container]/[path/to/blob]?[SAS]" --from-to BlobPipe > "/path/to/file.txt"`

+Download a single file by using OAuth and then piping the output to a file (block blobs only):

+

+`azcopy cp "https://[account].blob.core.windows.net/[container]/[path/to/blob]" --from-to BlobPipe > "/path/to/file.txt"`

+

+`azcopy cp "https://[account].blob.core.windows.net/[container]/[path/to/directory]?[SAS]" "/path/to/dir" --recursive=true`

+- You can use one just after the final forward slash (/) of a URL. This copies all of the files in a directory directly to the destination without placing them into a subdirectory.

+- You can also use one in the name of a container as long as the URL refers only to a container and not to a blob. You can use this approach to obtain files from a subset of containers.

+`azcopy cp "https://[srcaccount].blob.core.windows.net/[container]/[path/to/folder]/*?[SAS]" "/path/to/dir"`

+`azcopy cp "https://[srcaccount].blob.core.windows.net/" "/path/to/dir" --recursive`

+`azcopy cp "https://[srcaccount].blob.core.windows.net/[container*name]" "/path/to/dir" --recursive`

+Download all the versions of a blob from Azure Storage to local directory. Ensure that source is a valid blob, destination is a local folder and `versionidsFile` which takes in a path to the file where each version is written on a separate line. All the specified versions will get downloaded in the destination folder specified.

+`azcopy cp "https://[srcaccount].blob.core.windows.net/[containername]/[blobname]" "/path/to/dir" --list-of-versions="/another/path/to/dir/[versionidsFile]"`

+`azcopy cp "https://[srcaccount].blob.core.windows.net/[container]/[path/to/blob]?[SAS]" "https://[destaccount].blob.core.windows.net/[container]/[path/to/blob]?[SAS]"`

+Copy a single blob to another blob by using a SAS token and an OAuth token. You have to use a SAS token at the end of the source account URL, but the destination account doesn't need one if you log into AzCopy by using the azcopy login command.

+`azcopy cp "https://[srcaccount].blob.core.windows.net/[container]/[path/to/blob]?[SAS]" "https://[destaccount].blob.core.windows.net/[container]/[path/to/blob]"`

+`azcopy cp "https://[srcaccount].blob.core.windows.net/[container]/[path/to/directory]?[SAS]" "https://[destaccount].blob.core.windows.net/[container]/[path/to/directory]?[SAS]" --recursive=true`

+`azcopy cp "https://[srcaccount].blob.core.windows.net?[SAS]" "https://[destaccount].blob.core.windows.net?[SAS]" --recursive=true`

+Copy a single object to Blob Storage from Amazon Web Services (AWS) S3 by using an access key and a SAS token. First, set the environment variable AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY for AWS S3 source.

+

+`azcopy cp "https://s3.amazonaws.com/[bucket]/[object]" "https://[destaccount].blob.core.windows.net/[container]/[path/to/blob]?[SAS]"`

+Copy an entire directory to Blob Storage from AWS S3 by using an access key and a SAS token. First, set the environment variable AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY for AWS S3 source.

+`azcopy cp "https://s3.amazonaws.com/[bucket]/[folder]" "https://[destaccount].blob.core.windows.net/[container]/[path/to/directory]?[SAS]" --recursive=true`

+Refer to https://docs.aws.amazon.com/AmazonS3/latest/user-guide/using-folders.html to better understand the [folder] placeholder.

+Copy all buckets to Blob Storage from Amazon Web Services (AWS) by using an access key and a SAS token. First, set the environment variable AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY for AWS S3 source.

+`azcopy cp "https://s3.amazonaws.com/" "https://[destaccount].blob.core.windows.net?[SAS]" --recursive=true`

+Copy all buckets to Blob Storage from an Amazon Web Services (AWS) region by using an access key and a SAS token. First, set the environment variable AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY for AWS S3 source.

+`azcopy cp "https://s3-[region].amazonaws.com/" "https://[destaccount].blob.core.windows.net?[SAS]" --recursive=true`

+Copy a subset of buckets by using a wildcard symbol (*) in the bucket name. Like the previous examples, you'll need an access key and a SAS token. Make sure to set the environment variable AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY for AWS S3 source.

+`azcopy cp "https://s3.amazonaws.com/[bucket*name]/" "https://[destaccount].blob.core.windows.net?[SAS]" --recursive=true`

+Copy blobs from one blob storage to another and preserve the tags from source. To preserve tags, use the following syntax:

+`azcopy cp "https://[account].blob.core.windows.net/[source_container]/[path/to/directory]?[SAS]" "https://[account].blob.core.windows.net/[destination_container]/[path/to/directory]?[SAS]" --s2s-preserve-blob-tags=true`

+- To set tags {key = "bla bla", val = "foo"} and {key = "bla bla 2", val = "bar"}, use the following syntax:

+ `azcopy cp "https://[account].blob.core.windows.net/[source_container]/[path/to/directory]?[SAS]" "https://[account].blob.core.windows.net/[destination_container]/[path/to/directory]?[SAS]" --blob-tags="bla%20bla=foo&bla%20bla%202=bar"`

+Copy a single object to Blob Storage from Google Cloud Storage (GCS) by using a service account key and a SAS token. First, set the environment variable GOOGLE_APPLICATION_CREDENTIALS for GCS source.

+

+`azcopy cp "https://storage.cloud.google.com/[bucket]/[object]" "https://[destaccount].blob.core.windows.net/[container]/[path/to/blob]?[SAS]"`

+Copy an entire directory to Blob Storage from Google Cloud Storage (GCS) by using a service account key and a SAS token. First, set the environment variable GOOGLE_APPLICATION_CREDENTIALS for GCS source.

+`azcopy cp "https://storage.cloud.google.com/[bucket]/[folder]" "https://[destaccount].blob.core.windows.net/[container]/[path/to/directory]?[SAS]" --recursive=true`

+Copy an entire bucket to Blob Storage from Google Cloud Storage (GCS) by using a service account key and a SAS token. First, set the environment variable GOOGLE_APPLICATION_CREDENTIALS for GCS source.

+`azcopy cp "https://storage.cloud.google.com/[bucket]" "https://[destaccount].blob.core.windows.net/?[SAS]" --recursive=true`

+Copy all buckets to Blob Storage from Google Cloud Storage (GCS) by using a service account key and a SAS token. First, set the environment variables GOOGLE_APPLICATION_CREDENTIALS and `GOOGLE_CLOUD_PROJECT=<project-id>` for GCS source

+`azcopy cp "https://storage.cloud.google.com/" "https://[destaccount].blob.core.windows.net/?[SAS]" --recursive=true`

+Copy a subset of buckets by using a wildcard symbol (*) in the bucket name from Google Cloud Storage (GCS) by using a service account key and a SAS token for destination. First, set the environment variables `GOOGLE_APPLICATION_CREDENTIALS and GOOGLE_CLOUD_PROJECT=<project-id>` for GCS source

+`azcopy cp "https://storage.cloud.google.com/[bucket*name]/" "https://[destaccount].blob.core.windows.net/?[SAS]" --recursive=true`

+`--as-subdir` True by default. Places folder sources as subdirectories under the destination. (default true)

+`--backup` Activates Windows' SeBackupPrivilege for uploads, or SeRestorePrivilege for downloads, to allow AzCopy to see read all files, regardless of their file system permissions, and to restore all permissions. Requires that the account running AzCopy already has these permissions (for example, has Administrator rights or is a member of the 'Backup Operators' group). This flag activates privileges that the account already has

+`--blob-tags` (string) Set tags on blobs to categorize data in your storage account

+`--blob-type` (string) Defines the type of blob at the destination. This is used for uploading blobs and when copying between accounts (default 'Detect'). Valid values include 'Detect', 'BlockBlob', 'PageBlob', and 'AppendBlob'. When copying between accounts, a value of 'Detect' causes AzCopy to use the type of source blob to determine the type of the destination blob. When uploading a file, 'Detect' determines if the file is a VHD or a VHDX file based on the file extension. If the file is either a VHD or VHDX file, AzCopy treats the file as a page blob. (default "Detect")

+`--block-blob-tier` (string) upload block blob to Azure Storage using this blob tier. (default "None")

+`--block-size-mb` (float) Use this block size (specified in MiB) when uploading to Azure Storage, and downloading from Azure Storage. The default value is automatically calculated based on file size. Decimal fractions are allowed (For example: 0.25).

+`--cache-control` (string) Set the cache-control header. Returned on download.

+`--check-length` Check the length of a file on the destination after the transfer. If there's a mismatch between source and destination, the transfer is marked as failed. (default true)

+`--check-md5` (string) Specifies how strictly MD5 hashes should be validated when downloading. Only available when downloading. Available options: NoCheck, LogOnly, FailIfDifferent, FailIfDifferentOrMissing. (default 'FailIfDifferent') (default "FailIfDifferent")

+`--content-disposition` (string) Set the content-disposition header. Returned on download.

+`--content-encoding` (string) Set the content-encoding header. Returned on download.

+`--content-language` (string) Set the content-language header. Returned on download.

+`--content-type` (string) Specifies the content type of the file. Implies no-guess-mime-type. Returned on download.

+`--cpk-by-name` (string) Client provided key by name that lets clients making requests against Azure Blob storage an option to provide an encryption key on a per-request basis. Provided key name will be fetched from Azure Key Vault and will be used to encrypt the data

+`--cpk-by-value` Client provided key by name that let clients making requests against Azure Blob storage an option to provide an encryption key on a per-request basis. Provided key and its hash will be fetched from environment variables

+`--decompress` Automatically decompress files when downloading, if their content-encoding indicates that they're compressed. The supported content-encoding values are 'gzip' and 'deflate'. File extensions of '.gz'/'.gzip' or '.zz' aren't necessary, but will be removed if present.

+`--disable-auto-decoding` False by default to enable automatic decoding of illegal chars on Windows. Can be set to true to disable automatic decoding.

+`--dry-run` Prints the file paths that would be copied by this command. This flag doesn't copy the actual files.

+`--exclude-attributes` (string) (Windows only) Exclude files whose attributes match the attribute list. For example: A;S;R

+`--exclude-blob-type` (string) Optionally specifies the type of blob (BlockBlob/ PageBlob/ AppendBlob) to exclude when copying blobs from the container or the account. Use of this flag isn't applicable for copying data from non azure-service to service. More than one blob should be separated by ';'.

+`--exclude-path` (string) Exclude these paths when copying. This option doesn't support wildcard characters (*). Checks relative path prefix(For example: myFolder;myFolder/subDirName/file.pdf). When used in combination with account traversal, paths don't include the container name.

+`--exclude-pattern` (string) Exclude these files when copying. This option supports wildcard characters (*)

+`--exclude-regex` (string) Exclude all the relative path of the files that align with regular expressions. Separate regular expressions with ';'.

+`--follow-symlinks` Follow symbolic links when uploading from local file system.

+`--force-if-read-only` When overwriting an existing file on Windows or Azure Files, force the overwrite to work even if the existing file has its read-only attribute set

+`--from-to` (string) Optionally specifies the source destination combination. For Example: LocalBlob, BlobLocal, LocalBlobFS. Piping: BlobPipe, PipeBlob

+`-h`, `--help` help for copy

+`--include-after` (string) Include only those files modified on or after the given date/time. The value should be in ISO8601 format. If no timezone is specified, the value is assumed to be in the local timezone of the machine running AzCopy. E.g., `2020-08-19T15:04:00Z` for a UTC time, or `2020-08-19` for midnight (00:00) in the local timezone. As of AzCopy 10.5, this flag applies only to files, not folders, so folder properties won't be copied when using this flag with `--preserve-smb-info` or `--preserve-smb-permissions`.

+`--include-attributes` (string) (Windows only) Include files whose attributes match the attribute list. For example: A;S;R

+`--include-before` (string) Include only those files modified before or on the given date/time. The value should be in ISO8601 format. If no timezone is specified, the value is assumed to be in the local timezone of the machine running AzCopy. for example, `2020-08-19T15:04:00Z` for a UTC time, or `2020-08-19` for midnight (00:00) in the local timezone. As of AzCopy 10.7, this flag applies only to files, not folders, so folder properties won't be copied when using this flag with `--preserve-smb-info` or `--preserve-smb-permissions`.

+`--include-directory-stub` False by default to ignore directory stubs. Directory stubs are blobs with metadata `hdi_isfolder:true`. Setting value to true will preserve directory stubs during transfers.

+`--include-path` (string) Include only these paths when copying. This option doesn't support wildcard characters (*). Checks relative path prefix (For example: myFolder;myFolder/subDirName/file.pdf).

+`--include-pattern` (string) Include only these files when copying. This option supports wildcard characters (*). Separate files by using a ';'.

+`--include-regex` (string) Include only the relative path of the files that align with regular expressions. Separate regular expressions with ';'.

+`--list-of-versions` (string) Specifies a file where each version ID is listed on a separate line. Ensure that the source must point to a single blob and all the version IDs specified in the file using this flag must belong to the source blob only. AzCopy will download the specified versions in the destination folder provided.

+`--log-level` (string) Define the log verbosity for the log file, available levels: INFO(all requests/responses), WARNING(slow responses), ERROR(only failed requests), and NONE(no output logs). (default 'INFO'). (default "INFO")

+`--metadata` (string) Upload to Azure Storage with these key-value pairs as metadata.

+`--no-guess-mime-type` Prevents AzCopy from detecting the content-type based on the extension or content of the file.

+`--overwrite` (string) Overwrite the conflicting files and blobs at the destination if this flag is set to true. (default 'true') Possible values include 'true', 'false', 'prompt', and 'ifSourceNewer'. For destinations that support folders, conflicting folder-level properties will be overwritten this flag is 'true' or if a positive response is provided to the prompt. (default "true")

+`--page-blob-tier` (string) Upload page blob to Azure Storage using this blob tier. (default 'None'). (default "None")

+`--preserve-last-modified-time` Only available when destination is file system.

+`--preserve-owner` Only has an effect in downloads, and only when `--preserve-smb-permissions` is used. If true (the default), the file Owner and Group are preserved in downloads. If set to false,

+`--preserve-smb-permissions` will still preserve ACLs but Owner and Group will be based on the user running AzCopy (default true)

+`--preserve-permissions` False by default. Preserves ACLs between aware resources (Windows and Azure Files, or Azure Data Lake Storage Gen2 to Azure Data Lake Storage Gen2). For Hierarchical Namespace accounts, you'll need a container SAS or OAuth token with Modify Ownership and Modify Permissions permissions. For downloads, you'll also need the `--backup` flag to restore permissions where the new Owner won't be the user running AzCopy. This flag applies to both files and folders, unless a file-only filter is specified (for example, include-pattern).

+`--preserve-smb-info` For SMB-aware locations, flag will be set to true by default. Preserves SMB property info (last write time, creation time, attribute bits) between SMB-aware resources (Windows and Azure Files). Only the attribute bits supported by Azure Files will be transferred; any others will be ignored. This flag applies to both files and folders, unless a file-only filter is specified (for example, include-pattern). The info transferred for folders is the same as that for files, except for `Last Write Time` which is never preserved for folders. (default true)

+`--put-md5` Create an MD5 hash of each file, and save the hash as the Content-MD5 property of the destination blob or file. (By default the hash is NOT created.) Only available when uploading.

+`--recursive` Look into subdirectories recursively when uploading from local file system.

+`--s2s-detect-source-changed` Detect if the source file/blob changes while it is being read. (This parameter only applies to service-to-service copies, because the corresponding check is permanently enabled for uploads and downloads.)

+`--s2s-handle-invalid-metadata` (string) Specifies how invalid metadata keys are handled. Available options: ExcludeIfInvalid, FailIfInvalid, RenameIfInvalid. (default 'ExcludeIfInvalid'). (default "ExcludeIfInvalid")

+`--s2s-preserve-access-tier` Preserve access tier during service to service copy. Refer to [Azure Blob storage: hot, cool, and archive access tiers](/azure/storage/blobs/storage-blob-storage-tiers) to ensure destination storage account supports setting access tier. In the cases that setting access tier isn't supported, make sure to use s2sPreserveAccessTier=false to bypass copying access tier. (default true). (default true)

+`--s2s-preserve-blob-tags` Preserve index tags during service to service transfer from one blob storage to another

+`--s2s-preserve-properties` Preserve full properties during service to service copy. For AWS S3 and Azure File non-single file source, the list operation doesn't return full properties of objects and files. To

+preserve full properties, AzCopy needs to send one more request per object or file. (default true)

+`--cap-mbps` (float) Caps the transfer rate, in megabits per second. Moment-by-moment throughput might vary slightly from the cap. If this option is set to zero, or it's omitted, the throughput isn't capped.

+`--output-type` (string) Format of the command's output. The choices include: text, json. The default value is 'text'. (default "text")

+`--trusted-microsoft-suffixes` (string) Specifies additional domain suffixes where Azure Active Directory login tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de;*.core.usgovcloudapi.net;*.storage.azure.net'. Any listed here are added to the default. For security, you should only put Microsoft Azure domains here. Separate multiple entries with semi-colons.

+`-h`, `--help` help for doc

+`--output-location` (string) where to put the generated markdown files (default "./doc")

+`--cap-mbps` (float) Caps the transfer rate, in megabits per second. Moment-by-moment throughput might vary slightly from the cap. If this option is set to zero, or it's omitted, the throughput isn't capped.

+`--output-type` (string) Format of the command's output. The choices include: text, json. The default value is 'text'. (default "text").

+`--trusted-microsoft-suffixes` (string) Specifies additional domain suffixes where Azure Active Directory login tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.

+Shows the environment variables that you can use to configure the behavior of AzCopy.

+If you set an environment variable by using the command line, that variable will be readable in your command line history. Consider clearing variables that contain credentials from your command line history. To keep variables from appearing in your history, you can use a script to prompt the user for their credentials, and to set the environment variable.

+`-h`, `--help` help for env

+`--show-sensitive` Shows sensitive/secret environment variables.

+`--cap-mbps float` Caps the transfer rate, in megabits per second. Moment-by-moment throughput might vary slightly from the cap. If this option is set to zero, or it's omitted, the throughput isn't capped.

+`--output-type` (string) Format of the command's output. The choices include: text, json. The default value is 'text'. (default "text")

+`--trusted-microsoft-suffixes` (string) Specifies additional domain suffixes where Azure Active Directory login tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de;

+*.core.usgovcloudapi.net;*.storage.azure.net'. Any listed here are added to the default. For security, you should only put Microsoft Azure domains here. Separate multiple entries with semi-colons.

+```azcopy

+```azcopy

+azcopy jobs clean --with-status=completed

+`-h`, `--help` help for clean

+`--with-status` (string) only remove the jobs with this status, available values: All, Canceled, Failed, Completed CompletedWithErrors, CompletedWithSkipped, CompletedWithErrorsAndSkipped (default "All")

+`--cap-mbps` (float) Caps the transfer rate, in megabits per second. Moment-by-moment throughput might vary slightly from the cap. If this option is set to zero, or it is omitted, the throughput isn't capped.

+`--output-type` (string) Format of the command's output. The choices include: text, json. The default value is 'text'. (default "text")

+`--trusted-microsoft-suffixes` (string) Specifies additional domain suffixes where Azure Active Directory login tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de;*.core.usgovcloudapi.net;*.storage.azure.net'. Any listed here are added to the default. For security, you should only put Microsoft Azure domains here. Separate multiple entries with semi-colons.

+`-h`, `--help` help for list

+`--with-status` (string) List the jobs with given status, available values: All, Canceled, Failed, InProgress, Completed, CompletedWithErrors, CompletedWithFailures, CompletedWithErrorsAndSkipped (default "All")

+`--cap-mbps` (float) Caps the transfer rate, in megabits per second. Moment-by-moment throughput might vary slightly from the cap. If this option is set to zero, or it is omitted, the throughput isn't capped.

+`--output-type` (string) Format of the command's output. The choices include: text, json. The default value is 'text'. (default "text")

+`--trusted-microsoft-suffixes` (string) Specifies additional domain suffixes where Azure Active Directory login tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de;*.core.usgovcloudapi.net;*.storage.azure.net'. Any listed here are added to the default. For security, you should only put Microsoft Azure domains here. Separate multiple entries with semi-colons.

+```azcopy

+```azcopy

+`--help` Help for remove.

+`--cap-mbps` (float) Caps the transfer rate, in megabits per second. Moment-by-moment throughput might vary slightly from the cap. If this option is set to zero, or it's omitted, the throughput isn't capped.

+`--output-type` (string) Format of the command's output. The choices include: text, json. The default value is 'text'. (default "text")

+`--trusted-microsoft-suffixes` (string) Specifies additional domain suffixes where Azure Active Directory login tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de;*.core.usgovcloudapi.net;*.storage.azure.net'. Any listed here are added to the default. For security, you should only put Microsoft Azure domains here. Separate multiple entries with semi-colons.

+### Options

+`--destination-sas` (string) destination SAS token of the destination for a given Job ID.

+`--exclude` (string) Filter: exclude these failed transfer(s) when resuming the job. Files should be separated by ';'.

+`-h`, `--help` help for resume

+`--include` (string) Filter: only include these failed transfer(s) when resuming the job. Files should be separated by ';'.

+`--source-sas` (string) Source SAS token of the source for a given Job ID.

+### Options inherited from parent commands

+`--cap-mbps` (float) Caps the transfer rate, in megabits per second. Moment-by-moment throughput might vary slightly from the cap. If this option is set to zero, or it is omitted, the throughput isn't capped.

+`--output-type` (string) Format of the command's output. The choices include: text, json. The default value is 'text'. (default "text")

+`--trusted-microsoft-suffixes` (string) Specifies additional domain suffixes where Azure Active Directory login tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de;*.core.usgovcloudapi.net;*.storage.azure.net'. Any listed here are added to the default. For security, you should only put Microsoft Azure domains here. Separate multiple entries with semi-colons.

+`-h`, `--help` Help for show

+`--with-status` (string) Only list the transfers of job with this status, available values: Started, Success, Failed.

+`--cap-mbps` (float) Caps the transfer rate, in megabits per second. Moment-by-moment throughput might vary slightly from the cap. If this option is set to zero, or it is omitted, the throughput isn't capped.

+`--output-type` (string) Format of the command's output. The choices include: text, json. The default value is 'text'. (default "text")

+`--trusted-microsoft-suffixes` (string) Specifies additional domain suffixes where Azure Active Directory login tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de;*.core.usgovcloudapi.net;*.storage.azure.net'. Any listed here are added to the default. For security, you should only put Microsoft Azure domains here. Separate multiple entries with semi-colons.

+`-h`, `--help` Help for jobs

+`--cap-mbps` (float) Caps the transfer rate, in megabits per second. Moment-by-moment throughput might vary slightly from the cap. If this option is set to zero, or it is omitted, the throughput isn't capped.

+`--output-type` (string) Format of the command's output. The choices include: text, json. The default value is 'text'. (default "text")

+`--trusted-microsoft-suffixes` (string) Specifies additional domain suffixes where Azure Active Directory login tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de;*.core.usgovcloudapi.net;*.storage.azure.net'. Any listed here are added to the default. For security, you should only put Microsoft Azure domains here. Separate multiple entries with semi-colons.

+azcopy list [containerURL] --properties [semicolon(;) separated list of attributes (LastModifiedTime, VersionId, BlobType, BlobAccessTier, ContentType, ContentEncoding, LeaseState, LeaseDuration, LeaseStatus) enclosed in double quotes (")]

+`-h`, `--help` Help for list

+`--machine-readable` Lists file sizes in bytes.

+`--mega-units` Displays units in orders of 1000, not 1024.

+`--properties` (string) delimiter (;) separated values of properties required in list output.

+`--running-tally` Counts the total number of files and their sizes.

+`--cap-mbps` (float) Caps the transfer rate, in megabits per second. Moment-by-moment throughput might vary slightly from the cap. If this option is set to zero, or it's omitted, the throughput isn't capped.

+`--output-type` (string) Format of the command's output. The choices include: text, json. The default value is 'text'. (default "text")

+`--trusted-microsoft-suffixes` (string) Specifies additional domain suffixes where Azure Active Directory login tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de;*.core.usgovcloudapi.net;*.storage.azure.net'. Any listed here are added to the default. For security, you should only put Microsoft Azure domains here. Separate multiple entries with semi-colons.

+ Title: azcopy login status | Microsoft Docs

+description: This article provides reference information for the azcopy login status command.

+# azcopy login status

+Lists the entities in a given resource.

+## Synopsis

+Prints if you're currently logged in to your Azure Storage account.

+```azcopy

+azcopy login status [flags]

+```

+## Related conceptual articles

+- [Get started with AzCopy](storage-use-azcopy-v10.md)

+- [Transfer data with AzCopy and Blob storage](./storage-use-azcopy-v10.md#transfer-data)

+- [Transfer data with AzCopy and file storage](storage-use-azcopy-files.md)

+### Options

+`--endpoint` Prints the Azure Active Directory endpoint that is being used in the current session.

+`-h`, `--help` Help for status

+`--tenant` Prints the Azure Active Directory tenant ID that is currently being used in session.

+### Options inherited from parent commands

+`--aad-endpoint` (string) The Azure Active Directory endpoint to use. The default (https://login.microsoftonline.com) is correct for the global Azure cloud. Set this parameter when authenticating in a national cloud. Not needed for Managed Service Identity

+`--application-id` (string) Application ID of user-assigned identity. Required for service principal auth.

+`--cap-mbps` (float) Caps the transfer rate, in megabits per second. Moment-by-moment throughput might vary slightly from the cap. If this option is set to zero, or it is omitted, the throughput isn't capped.

+`--certificate-path` (string) Path to certificate for SPN authentication. Required for certificate-based service principal auth.

+`--identity` Log in using virtual machine's identity, also known as managed service identity (MSI).

+`--identity-client-id` (string) Client ID of user-assigned identity.

+`--identity-object-id` (string) Object ID of user-assigned identity.

+`--identity-resource-id` (string) Resource ID of user-assigned identity.

+`--output-type` (string) Format of the command's output. The choices include: text, json. The default value is 'text'. (default "text")

+`--service-principal` Log in via Service Principal Name (SPN) by using a certificate or a secret. The client secret or certificate password must be placed in the appropriate environment variable.

+Type AzCopy env to see names and descriptions of environment variables.

+`--tenant-id` (string) The Azure Active Directory tenant ID to use for OAuth device interactive login.

+`--trusted-microsoft-suffixes` (string) Specifies additional domain suffixes where Azure Active Directory login tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de;*.core.usgovcloudapi.net;*.storage.azure.net'. Any listed here are added to the default. For security, you should only put Microsoft Azure domains here. Separate multiple entries with semi-colons.

+## See also

+- [azcopy](storage-ref-azcopy.md)

+`azcopy login`

+`azcopy login --tenant-id "[TenantID]"`

+`azcopy login --identity`

+`azcopy login --identity --identity-client-id "[ServiceIdentityClientID]"`

+`azcopy login --identity --identity-object-id "[ServiceIdentityObjectID]"`

+`azcopy login --identity --identity-resource-id "/subscriptions/<subscriptionId>/resourcegroups/myRG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myID"`

+`azcopy login --service-principal --application-id <your service principal's application ID>`

+Set the environment variable `AZCOPY_SPA_CERT_PASSWORD` to the certificate's password for cert based service principal auth

+`azcopy login --service-principal --certificate-path /path/to/my/cert --application-id <your service principal's application ID>`

+Treat /path/to/my/cert as a path to a PEM or PKCS12 file--. AzCopy doesn't reach into the system cert store to obtain your certificate. `--certificate-path` is mandatory when doing cert-based service principal auth.

+Subcommand for login to check the login status of your current session.

+`azcopy login status`

+`--aad-endpoint` (string) The Azure Active Directory endpoint to use. The default (https://login.microsoftonline.com) is correct for the global Azure cloud. Set this parameter when authenticating in a national cloud. Not needed for Managed Service Identity

+`--application-id` (string) Application ID of user-assigned identity. Required for service principal auth.

+`--certificate-path` (string) Path to certificate for SPN authentication. Required for certificate-based service principal auth.

+`-h`, `--help` Help for login

+`--identity` Log in using virtual machine's identity, also known as managed service identity (MSI).

+`--identity-client-id` (string) Client ID of user-assigned identity.

+`--identity-object-id` (string) Object ID of user-assigned identity.

+`--identity-resource-id` (string) Resource ID of user-assigned identity.

+`--service-principal` Log in via Service Principal Name (SPN) by using a certificate or a secret. The client secret or certificate password must be placed in the appropriate environment variable. Type

+AzCopy env to see names and descriptions of environment variables.

+`--tenant-id` (string) The Azure Active Directory tenant ID to use for OAuth device interactive login.

+`--cap-mbps` (float) Caps the transfer rate, in megabits per second. Moment-by-moment throughput might vary slightly from the cap. If this option is set to zero, or it's omitted, the throughput isn't capped.

+`--output-type` (string) Format of the command's output. The choices include: text, json. The default value is 'text'. (default "text")

+`--trusted-microsoft-suffixes` (string) Specifies additional domain suffixes where Azure Active Directory login tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de;*.core.usgovcloudapi.net;*.storage.azure.net'. Any listed here are added to the default. For security, you should only put Microsoft Azure domains here. Separate multiple entries with semi-colons.

+### Options

+`-h`, `--help` help for logout

+### Options inherited from parent commands

+`--cap-mbps` (float) Caps the transfer rate, in megabits per second. Moment-by-moment throughput might vary slightly from the cap. If this option is set to zero, or it is omitted, the throughput isn't capped.

+`--output-type` (string) Format of the command's output. The choices include: text, json. The default value is 'text'. (default "text")

+`--trusted-microsoft-suffixes` (string) Specifies additional domain suffixes where Azure Active Directory login tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de;*.core.usgovcloudapi.net;*.storage.azure.net'. Any listed here are added to the default. For security, you should only put Microsoft Azure domains here. Separate multiple entries with semi-colons.

+`-h`, `--help` help for make

+`--quota-gb` (uint32) Specifies the maximum size of the share in gigabytes (GiB), 0 means you accept the file service's default quota.

+`--cap-mbps` (float) Caps the transfer rate, in megabits per second. Moment-by-moment throughput might vary slightly from the cap. If this option is set to zero, or it is omitted, the throughput isn't capped.

+`--output-type` (string) Format of the command's output. The choices include: text, json. The default value is 'text'. (default "text")

+`--trusted-microsoft-suffixes` (string) Specifies additional domain suffixes where Azure Active Directory login tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de;*.core.usgovcloudapi.net;*.storage.azure.net'. Any listed here are added to the default. For security, you should only put Microsoft Azure domains here. Separate multiple entries with semi-colons.

+`azcopy rm "https://[account].blob.core.windows.net/[container]/[path/to/blob]?[SAS]"`

+`azcopy rm "https://[account].blob.core.windows.net/[container]/[path/to/directory]?[SAS]" --recursive=true`

+`azcopy rm "https://[account].blob.core.windows.net/[container]/[path/to/virtual/dir]" --recursive=false`

+Remove a subset of blobs in a virtual directory (For example: remove only jpg and pdf files, or if the blob name is "exactName"):

+`azcopy rm "https://[account].blob.core.windows.net/[container]/[path/to/directory]?[SAS]" --recursive=true --include-pattern="*.jpg;*.pdf;exactName"`

+`azcopy rm "https://[account].blob.core.windows.net/[container]/[path/to/directory]?[SAS]" --recursive=true --exclude-pattern="foo*;*bar"`

+Remove specified version IDs of a blob from Azure Storage. Ensure that source is a valid blob and `versionidsfile` which takes in a path to the file where each version is written on a separate line. All the specified versions will be removed from Azure Storage.

+`azcopy rm "https://[srcaccount].blob.core.windows.net/[containername]/[blobname]" "/path/to/dir" --list-of-versions="/path/to/dir/[versionidsfile]"`

+`azcopy rm "https://[account].blob.core.windows.net/[container]/[path/to/parent/dir]" --recursive=true --list-of-files=/usr/bar/list.txt`

+`azcopy rm "https://[account].dfs.core.windows.net/[container]/[path/to/file]?[SAS]"`

+`azcopy rm "https://[account].dfs.core.windows.net/[container]/[path/to/directory]?[SAS]"`

+`--delete-snapshots` (string) By default, the delete operation fails if a blob has snapshots. Specify 'include' to remove the root blob and all its snapshots; alternatively specify 'only' to remove only the snapshots but keep the root blob.

+`--dry-run` Prints the path files that would be removed by the command. This flag doesn't trigger the removal of the files.

+`--exclude-path` (string) Exclude these paths when removing. This option doesn't support wildcard characters (*). Checks relative path prefix. For example: myFolder;myFolder/subDirName/file.pdf

+`--exclude-pattern` (string) Exclude files where the name matches the pattern list. For example: *.jpg;*.pdf;exactName

+`--force-if-read-only` When deleting an Azure Files file or folder, force the deletion to work even if the existing object has its read-only attribute set

+`--from-to` (string) Optionally specifies the source destination combination. For Example: BlobTrash, FileTrash, BlobFSTrash

+`-h`, `--help` help for remove

+`--include-path` (string) Include only these paths when removing. This option doesn't support wildcard characters (*). Checks relative path prefix. For example: myFolder;myFolder/subDirName/file.pdf

+`--include-pattern` (string) Include only files where the name matches the pattern list. For example: *.jpg;*.pdf;exactName

+`--list-of-files` (string) Defines the location of a file which contains the list of files and directories to be deleted. The relative paths should be delimited by line breaks, and the paths should NOT be URL-encoded.

+`--list-of-versions` (string) Specifies a file where each version ID is listed on a separate line. Ensure that the source must point to a single blob and all the version IDs specified in the file using this flag must belong to the source blob only. Specified version IDs of the given blob will get deleted from Azure Storage.

+`--log-level` (string) Define the log verbosity for the log file. Available levels include: INFO(all requests/responses), WARNING(slow responses), ERROR(only failed requests), and NONE(no output logs). (default 'INFO') (default "INFO")

+`--permanent-delete` (string) This is a preview feature that PERMANENTLY deletes soft-deleted snapshots/versions. Possible values include 'snapshots', 'versions', 'snapshotsandversions', 'none'. (default "none")

+`--recursive` Look into subdirectories recursively when syncing between directories.

+`--cap-mbps float` Caps the transfer rate, in megabits per second. Moment-by-moment throughput might vary slightly from the cap. If this option is set to zero, or it's omitted, the throughput isn't capped.

+`--output-type` (string) Format of the command's output. The choices include: text, json. The default value is 'text'. (default "text")

+`--trusted-microsoft-suffixes` (string) Specifies additional domain suffixes where Azure Active Directory login tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de;*.core.usgovcloudapi.net;*.storage.azure.net'. Any listed here are added to the default. For security, you should only put Microsoft Azure domains here. Separate multiple entries with semi-colons.

+The last modified times are used for comparison. The file is skipped if the last modified time in the destination is more recent. The supported pairs are:

+

+- Local <-> Azure Blob / Azure File (either SAS or OAuth authentication can be used)

+ 1. By default, the recursive flag is true and sync copies all subdirectories. Sync only copies the top-level files inside a directory if the recursive flag is false.

+ 2. When syncing between virtual directories, add a trailing slash to the path (refer to examples) if there's a blob with the same name as one of the virtual directories.

+ 3. If the 'deleteDestination' flag is set to true or prompt, then sync will delete files and blobs at the destination that aren't present at the source.

+Advanced:

+Note that if you don't specify a file extension, AzCopy automatically detects the content type of the files when uploading from the local disk, based on the file extension or content.

+The built-in lookup table is small but on Unix it's augmented by the local system's mime.types file(s) if available under one or more of these names:

+

+Also note that sync works off of the last modified times exclusively. So in the case of Azure File <-> Azure File,

+the header field Last-Modified is used instead of x-ms-file-change-time, which means that metadata changes at the source can also trigger a full copy.

+azcopy sync [flags]

+`azcopy sync "/path/to/file.txt" "https://[account].blob.core.windows.net/[container]/[path/to/blob]"`

+`azcopy sync "/path/to/file.txt" "https://[account].blob.core.windows.net/[container]/[path/to/blob]" --put-md5`

+`azcopy sync "/path/to/dir" "https://[account].blob.core.windows.net/[container]/[path/to/virtual/dir]"`

+`azcopy sync "/path/to/dir" "https://[account].blob.core.windows.net/[container]/[path/to/virtual/dir]" --put-md5`

+`azcopy sync "/path/to/dir" "https://[account].blob.core.windows.net/[container]/[path/to/virtual/dir]" --recursive=false`

+Sync a subset of files in a directory (For example: only jpg and pdf files, or if the file name is "exactName"):

+`azcopy sync "/path/to/dir" "https://[account].blob.core.windows.net/[container]/[path/to/virtual/dir]" --include-pattern="*.jpg;*.pdf;exactName"`

+`azcopy sync "/path/to/dir" "https://[account].blob.core.windows.net/[container]/[path/to/virtual/dir]" --exclude-pattern="foo*;*bar"`

+`azcopy sync "https://[account].blob.core.windows.net/[container]/[path/to/blob]?[SAS]" "https://[account].blob.core.windows.net/[container]/[path/to/blob]"`

+`azcopy sync "https://[account].blob.core.windows.net/[container]/[path/to/virtual/dir]?[SAS]" "https://[account].blob.core.windows.net/[container]/[path/to/virtual/dir]" --recursive=true`

+`azcopy sync "https://[account].blob.core.windows.net/[container]/[path/to/virtual/dir]/?[SAS]" "https://[account].blob.core.windows.net/[container]/[path/to/virtual/dir]/" --recursive=true`

+Sync an Azure File directory (same syntax as Blob):

+`azcopy sync "https://[account].file.core.windows.net/[share]/[path/to/dir]?[SAS]" "https://[account].file.core.windows.net/[share]/[path/to/dir]" --recursive=true`

+Note: if include and exclude flags are used together, only files matching the include patterns are used, but those matching the exclude patterns are ignored.

+`--block-size-mb` (float) Use this block size (specified in MiB) when uploading to Azure Storage or downloading from Azure Storage. Default is automatically calculated based on file size. Decimal fractions are allowed (For example: 0.25).

+`--check-md5` (string) Specifies how strictly MD5 hashes should be validated when downloading. This option is only available when downloading. Available values include: NoCheck, LogOnly, FailIfDifferent, FailIfDifferentOrMissing. (default 'FailIfDifferent'). (default "FailIfDifferent")

+`--cpk-by-name` (string) Client provided key by name let clients that make requests against Azure Blob storage an option to provide an encryption key on a per-request basis. Provided key name will be fetched from Azure Key Vault and will be used to encrypt the data

+`--cpk-by-value` Client provided key by name let clients that make requests against Azure Blob storage an option to provide an encryption key on a per-request basis. Provided key and its hash will be fetched from environment variables

+`--delete-destinatio` (string) Defines whether to delete extra files from the destination that aren't present at the source. Could be set to true, false, or prompt. If set to prompt, the user will be asked a question before scheduling files and blobs for deletion. (default 'false'). (default "false")

+`--dry-run` Prints the path of files that would be copied or removed by the sync command. This flag doesn't copy or remove the actual files.

+`--exclude-attributes` (string) (Windows only) Exclude files whose attributes match the attribute list. For example: A;S;R

+`--exclude-path` (string) Exclude these paths when comparing the source against the destination. This option doesn't support wildcard characters (*). Checks relative path prefix(For example: myFolder;myFolder/subDirName/file.pdf).

+`--exclude-pattern` (string) Exclude files where the name matches the pattern list. For example: *.jpg;*.pdf;exactName

+`--exclude-regex` (string) Exclude the relative path of the files that match with the regular expressions. Separate regular expressions with ';'.

+`--from-to` (string) Optionally specifies the source destination combination. For Example: LocalBlob, BlobLocal, LocalFile, FileLocal, BlobFile, FileBlob, etc.

+`-h`, `--help` help for sync

+`--include-attributes` (string) (Windows only) Include only files whose attributes match the attribute list. For example: A;S;R

+`--include-pattern` (string) Include only files where the name matches the pattern list. For example: *.jpg;*.pdf;exactName

+`--include-regex` (string) Include the relative path of the files that match with the regular expressions. Separate regular expressions with ';'.

+`--log-level` (string) Define the log verbosity for the log file, available levels: INFO(all requests and responses), WARNING(slow responses), ERROR(only failed requests), and NONE(no output logs). (default INFO). (default "INFO")

+`--mirror-mode` Disable last-modified-time based comparison and overwrites the conflicting files and blobs at the destination if this flag is set to true. Default is false

+`--preserve-permissions` False by default. Preserves ACLs between aware resources (Windows and Azure Files, or ADLS Gen 2 to ADLS Gen 2). For Hierarchical Namespace accounts, you'll need a container SAS or OAuth token with Modify Ownership and Modify Permissions permissions. For downloads, you'll also need the `--backup` flag to restore permissions where the new Owner won't be the user running AzCopy. This flag applies to both files and folders, unless a file-only filter is specified (for example, include-pattern).

+`--preserve-smb-info` For SMB-aware locations, flag will be set to true by default. Preserves SMB property info (last write time, creation time, attribute bits) between SMB-aware resources (Azure Files). This flag applies to both files and folders, unless a file-only filter is specified (for example, include-pattern). The info transferred for folders is the same as that for files, except for Last Write Time that isn't preserved for folders. (default true)

+`--put-md5` Create an MD5 hash of each file, and save the hash as the Content-MD5 property of the destination blob or file. (By default the hash is NOT created.) Only available when uploading.

+`--recursive` True by default, look into subdirectories recursively when syncing between directories. (default true). (default true)

+`--s2s-preserve-access-tier` Preserve access tier during service to service copy. Refer to [Azure Blob storage: hot, cool, and archive access tiers](../blobs/storage-blob-storage-tiers.md) to ensure destination storage account supports setting access tier. In the cases that setting access tier isn't supported, please use `s2sPreserveAccessTier=false` to bypass copying access tier. (default true). (default true)

+`--s2s-preserve-blob-tags` Preserve index tags during service to service sync from one blob storage to another

+`--cap-mbps` (float) Caps the transfer rate, in megabits per second. Moment-by-moment throughput might vary slightly from the cap. If this option is set to zero, or it's omitted, the throughput isn't capped.

+`--output-type` (string) Format of the command's output. The choices include: text, json. The default value is 'text'. (default "text")

+`--trusted-microsoft-suffixes` (string) Specifies other domain suffixes where Azure Active Directory login tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de;*.core.usgovcloudapi.net;*.storage.azure.net'. Any listed here are added to the default. For security, you should only put Microsoft Azure domains here. Separate multiple entries with semi-colons.

+Current version: 10.15.0

+`--cap-mbps` (float) Caps the transfer rate, in megabits per second. Moment-by-moment throughput might vary slightly from the cap. If this option is set to zero, or it is omitted, the throughput isn't capped.

+`-h`, `--help` help for azcopy

+`--output-type` (string) Format of the command's output. The choices include: text, json. The default value is 'text'. (default "text")

+`--trusted-microsoft-suffixes` (string) Specifies additional domain suffixes where Azure Active Directory login tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de;*.core.usgovcloudapi.net;*.storage.azure.net'. Any listed here are added to the default. For security, you should only put Microsoft Azure domains here. Separate multiple entries with semi-colons.

+1. An **Azure file share** in the same region that you want to deploy Azure File Sync. For more information, see:

+2. **SMB security settings** on the storage account must allow **SMB 3.1.1** protocol version, **NTLM v2** authentication and **AES-128-GCM** encryption. To check the SMB security settings on the storage account, see [SMB security settings](../files/files-smb-protocol.md#smb-security-settings).

+3. At least one supported instance of **Windows Server** to sync with Azure File Sync. For more information about supported versions of Windows Server and recommended system resources, see [Windows file server considerations](file-sync-planning.md#windows-file-server-considerations).

+4. **Optional**: If you intend to use Azure File Sync with a Windows Server Failover Cluster, the **File Server for general use** role must be configured prior to installing the Azure File Sync agent on each node in the cluster. For more information on how to configure the **File Server for general use** role on a Failover Cluster, see [Deploying a two-node clustered file server](https://docs.microsoft.com/windows-server/failover-clustering/deploy-two-node-clustered-file-server).

+ > [!NOTE]

+ > The only scenario supported by Azure File Sync is Windows Server Failover Cluster with Clustered Disks. See [Failover Clustering](file-sync-planning.md#failover-clustering) for Azure File Sync.

+1. An **Azure file share** in the same region that you want to deploy Azure File Sync. For more information, see:

+2. **SMB security settings** on the storage account must allow **SMB 3.1.1** protocol version, **NTLM v2** authentication and **AES-128-GCM** encryption. To check the SMB security settings on the storage account, see [SMB security settings](../files/files-smb-protocol.md#smb-security-settings).

+3. At least one supported instance of **Windows Server** to sync with Azure File Sync. For more information about supported versions of Windows Server and recommended system resources, see [Windows file server considerations](file-sync-planning.md#windows-file-server-considerations).

+4. **Optional**: If you intend to use Azure File Sync with a Windows Server Failover Cluster, the **File Server for general use** role must be configured prior to installing the Azure File Sync agent on each node in the cluster. For more information on how to configure the **File Server for general use** role on a Failover Cluster, see [Deploying a two-node clustered file server](https://docs.microsoft.com/windows-server/failover-clustering/deploy-two-node-clustered-file-server).

+ > [!NOTE]

+ > The only scenario supported by Azure File Sync is Windows Server Failover Cluster with Clustered Disks. See [Failover Clustering](file-sync-planning.md#failover-clustering) for Azure File Sync.

+5. The Az PowerShell module may be used with either PowerShell 5.1 or PowerShell 6+. You may use the Az PowerShell module for Azure File Sync on any supported system, including non-Windows systems, however the server registration cmdlet must always be run on the Windows Server instance you are registering (this can be done directly or via PowerShell remoting). On Windows Server 2012 R2, you can verify that you are running at least PowerShell 5.1.\* by looking at the value of the **PSVersion** property of the **$PSVersionTable** object:

+6. If you have opted to use PowerShell 5.1, ensure that at least .NET 4.7.2 is installed. Learn more about [.NET Framework versions and dependencies](/dotnet/framework/migration-guide/versions-and-dependencies) on your system.

+7. The Az PowerShell module, which can be installed by following the instructions here: [Install and configure Azure PowerShell](/powershell/azure/install-Az-ps).

+1. An **Azure file share** in the same region that you want to deploy Azure File Sync. For more information, see:

+2. **SMB security settings** on the storage account must allow **SMB 3.1.1** protocol version, **NTLM v2** authentication and **AES-128-GCM** encryption. To check the SMB security settings on the storage account, see [SMB security settings](../files/files-smb-protocol.md#smb-security-settings).

+3. At least one supported instance of **Windows Server** to sync with Azure File Sync. For more information about supported versions of Windows Server and recommended system resources, see [Windows file server considerations](file-sync-planning.md#windows-file-server-considerations).

+4. **Optional**: If you intend to use Azure File Sync with a Windows Server Failover Cluster, the **File Server for general use** role must be configured prior to installing the Azure File Sync agent on each node in the cluster. For more information on how to configure the **File Server for general use** role on a Failover Cluster, see [Deploying a two-node clustered file server](https://docs.microsoft.com/windows-server/failover-clustering/deploy-two-node-clustered-file-server).

+ > [!NOTE]

+ > The only scenario supported by Azure File Sync is Windows Server Failover Cluster with Clustered Disks. See [Failover Clustering](file-sync-planning.md#failover-clustering) for Azure File Sync.

+5. [Install the Azure CLI](/cli/azure/install-azure-cli)

+6. Sign in.

+7. Install the [az filesync](/cli/azure/storagesync) Azure CLI extension.

+> If you are using Azure File Sync with a Failover Cluster, the Azure File Sync agent must be installed on every node in the cluster. Each node in the cluster must be registered to work with Azure File Sync.

+VSS snapshots by default can consume up to 10% of the volume space. To adjust the amount of storage that can be used for VSS snapshots, use the [vssadmin resize shadowstorage](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc788050(v=ws.11)) command.

+1. Windows Server Failover Clustering is supported by Azure File Sync for the "File Server for general use" deployment option. For more information on how to configure the "File Server for general use" role on a Failover Cluster, see [Deploying a two-node clustered file server](https://docs.microsoft.com/windows-server/failover-clustering/deploy-two-node-clustered-file-server).

+<a id="cloud-endpoint-mgmtinternalerror"></a>**Cloud endpoint creation fails, with this error: "MgmtInternalError"**

+This error can occur if the Azure File Sync service cannot access the storage account due to SMB security settings. To enable Azure File Sync to access the storage account, the SMB security settings on the storage account must allow **SMB 3.1.1** protocol version, **NTLM v2** authentication and **AES-128-GCM** encryption. To check the SMB security settings on the storage account, see [SMB security settings](../files/files-smb-protocol.md#smb-security-settings).

+<a id="cloud-endpoint-using-share"></a>**Cloud endpoint creation fails, with this error: "The specified Azure FileShare is already in use by a different CloudEndpoint"**

+This error occurs if the Azure file share is already in use by another cloud endpoint.

+If you see this message and the Azure file share currently is not in use by a cloud endpoint, complete the following steps to clear the Azure File Sync metadata on the Azure file share:

+> [!Warning]

+> Deleting the metadata on an Azure file share that is currently in use by a cloud endpoint causes Azure File Sync operations to fail. If you then use this file share for sync in a different sync group, data loss for files in the old sync group is almost certain.

+1. In the Azure portal, go to your Azure file share.  

+2. Right-click the Azure file share, and then select **Edit metadata**.

+3. Right-click **SyncService**, and then select **Delete**.

+<a id="-2147024891"></a>**Sync failed with access denied due to security settings on the storage account or NTFS permissions on the server.**

+This error can occur if the Azure File Sync cannot access the storage account due to security settings or if the NT AUTHORITY\SYSTEM account does not have permissions to the System Volume Information folder on the volume where the server endpoint is located. Note, if individual files are failing to sync with ERROR_ACCESS_DENIED, perform the steps documented in the [Troubleshooting per file/directory sync errors](?tabs=portal1%252cazure-portal#troubleshooting-per-filedirectory-sync-errors) section.

+1. Verify the **SMB security settings** on the storage account are allowing **SMB 3.1.1** protocol version, **NTLM v2** authentication and **AES-128-GCM** encryption. To check the SMB security settings on the storage account, see [SMB security settings](../files/files-smb-protocol.md#smb-security-settings).

+2. [Verify the firewall and virtual network settings on the storage account are configured properly (if enabled)](file-sync-deployment-guide.md?tabs=azure-portal#configure-firewall-and-virtual-network-settings)

+3. Verify the **NT AUTHORITY\SYSTEM** account has permissions to the System Volume Information folder on the volume where the server endpoint is located by performing the following steps:

+ a. Download [Psexec](/sysinternals/downloads/psexec) tool.

+ b. Run the following command from an elevated command prompt to launch a command prompt using the system account: `PsExec.exe -i -s -d cmd`

+ c. From the command prompt running under the system account, run the following command to confirm the NT AUTHORITY\SYSTEM account does not have access to the System Volume Information folder: `cacls "drive letter:\system volume information" /T /C`

+ d. If the NT AUTHORITY\SYSTEM account does not have access to the System Volume Information folder, run the following command: `cacls "drive letter:\system volume information" /T /E /G "NT AUTHORITY\SYSTEM:F"`

+ - If step #d fails with access denied, run the following command to take ownership of the System Volume Information folder and then repeat step #d: `takeown /A /R /F "drive letter:\System Volume Information"`

+- A [gateway subnet](/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub) must be created on the virtual network.

+In order to set up the point-to-site VPN, we first need to collect some information about your environment for use throughout the guide. See the [prerequisites](#prerequisites) section if you have not already created a storage account, virtual network, gateway subnet, and/or private endpoints.

+The Azure virtual network gateway is the service that your on-premises Windows machines will connect to. Before deploying the virtual network gateway, a [gateway subnet](/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub) must be created on the virtual network.

+Deploying this service requires two basic components:

+1. A public IP address that will identify the gateway to your clients wherever they are in the world

+2. The root certificate you created earlier, which will be used to authenticate your clients

+Remember to replace `<desired-vpn-name-here>` and `<desired-region-here>` in the below script with the proper values for these variables.

+$region = "<desired-region-here>"

+ ```output

+* **Storage account name**: To mount an Azure file share, you'll need the name of the storage account.

+* **Storage account key**: To mount an Azure file share, you'll need the primary (or secondary) storage key. SAS keys are not currently supported for mounting.

+* **Ensure port 445 is open**: SMB communicates over TCP port 445. On your client machine (the Mac), check to make sure your firewall isn't blocking TCP port 445. If your organization or ISP is blocking port 445, you may need to set up a VPN from on-premises to your Azure storage account with Azure Files exposed on your internal network using private endpoints, so that the traffic will go through a secure tunnel as opposed to over the internet. For more information, see [Networking considerations for direct Azure file share access](storage-files-networking-overview.md). To see the summary of ISPs that allow or disallow access from port 445, go to [TechNet](https://social.technet.microsoft.com/wiki/contents/articles/32346.azure-summary-of-isps-that-allow-disallow-access-from-port-445.aspx).

+1. **Open Finder**: Finder is open on macOS by default, but you can ensure that it's the currently selected application by clicking the "macOS face icon" on the dock:

+Rather than Azure Synapse Analytics, consider other options for operational online transaction processing (OLTP) workloads that have:

+description: Learn how Netezza and Azure Synapse Analytics SQL databases differ in their approach to high query performance on exceptionally large data volumes.

+Due to end of support from IBM, many existing users of Netezza data warehouse systems want to take advantage of the innovations provided by newer environments such as cloud, IaaS, and PaaS, and to delegate tasks like infrastructure maintenance and platform development to the cloud provider.