-| [Azure AD MFA authentication](multi-factor-auth-technical-profile.md) | Preview | |

-| [Application Insights user journey logs](troubleshoot-with-application-insights.md) | Preview | Used for troubleshooting during development. |

-| [Application Insights event logs](analytics-with-application-insights.md) | Preview | Used to monitor user flows in production. |

-During the first sign-up or sign-in, the user scans a QR code, opens a deep link, or enters the code manually using the authenticator app. To verify the TOTP code, use the [Begin verify OTP](#begin-verify-totp) followed by [Verify TOTP](#verify-totp) validation technical profiles.

-For subsequent sign-ins, use the [Get available devices](#get-available-devices) method to check if the user has already enrolled their device. If the number of available devices is greater than zero, this indicates the user has enrolled before. In this case, the user needs to type the TOTP code that appears in the authenticator app.

-The display claims feature is currently in **preview**.

-| DisplayClaims | 0:1 | A list of previously defined references to claim types that are presented by the [self-asserted technical profile](self-asserted-technical-profile.md). The DisplayClaims feature is currently in preview. |

-Azure AD Connect cloud sync is new offering from Microsoft designed to meet and accomplish your hybrid identity goals for synchronization of users, groups, and contacts to Azure AD. It accomplishes this by using the Azure AD cloud provisioning agent instead of the Azure AD Connect application. However, it can be used alongside Azure AD Connect sync and it provides the following benefits:

-> 3rd party identity providers need to support the WS-Trust protocol to enable PRT issuance on Windows 10 or newer devices. Without WS-Trust, PRT cannot be issued to users on Hybrid Azure AD joined or Azure AD joined devices. On ADFS only usernamemixed endpoints are required. Both adfs/services/trust/2005/windowstransport and adfs/services/trust/13/windowstransport should be enabled as intranet facing endpoints only and **must NOT be exposed** as extranet facing endpoints through the Web Application Proxy

-> Azure AD Conditional Access policies are not evaluated when PRTs are issued

-To address this, we have bundled as many of these newer components into a new, single release, so you only have to update once. This release is Azure AD Connect V2. This release is a new version of the same software used to accomplish your hybrid identity goals, built using the latest foundational components.

-SQL Server 2019 requires the Visual C++ Redist 14 runtime, so we are updating the C++ runtime library to use this version. This redistributable will be installed with the Azure AD Connect V2 package, so you do not have to take any action for the C++ runtime update.

-All versions of Windows Server that are supported for Azure AD Connect V2 already default to TLS 1.2. If your server does not support TLS 1.2 you will need to enable this before you can deploy Azure AD Connect V2. For more information, see [TLS 1.2 enforcement for Azure AD Connect](reference-connect-tls-enforcement.md).

-We noticed that some components had SHA1 signed binaries. We no longer support SHA1 for downloadable binaries and we upgraded all binaries to SHA2 signing. The digital signatures are used to ensure that the updates come directly from Microsoft and were not tampered with during delivery. Because of weaknesses in the SHA-1 algorithm and to align to industry standards, we have changed the signing of Windows updates to use the more secure SHA-2 algorithm."ΓÇ»

-SQL Server 2019 requires Windows Server 2016 or newer as a server operating system. Since AAD Connect v2 contains SQL Server 2019 components, we no longer can support older Windows Server versions.

-You cannot install this version on an older Windows Server version. We suggest you upgrade your Azure AD Connect server to Windows Server 2019, which is the most recent version of the Windows Server operating system.

- >PowerShell 5 is already part of Windows Server 2016 so you probably do not have to take action as long as you are on a recent Window Server version.

-This upgrade is especially important since we have had to update our prerequisites for Azure AD Connect and you may need additional time to plan and update your servers to the newer versions of these prerequisites

-No ΓÇô the V2.0 release does not contain any new functionality. This release only contains updates of some of the foundational components on Azure AD Connect. However, later releases of Azure AD Connect V2 may contain new functionality.

-Yes - your Azure AD Connect server will be upgraded to the latest release if you have enabled the auto-upgrade feature. Note that we have no yet release an auto upgrade version for Azure AD Connect.

-**I use an external SQL database and do not use SQL 2012 LocalDb ΓÇô do I still have to upgrade?** </br>

-Yes, you still need to upgrade to remain in a supported state even if you do not use SQL Server 2012, due to the TLS1.0/1.1 and ADAL deprecation. Note that SQL Server 2012 can still be used as an external SQL database with Azure AD Connect V2. The SQL 2019 drivers in Azure AD Connect V2 are compatible with SQL Server 2012.

-No, the upgrade to SQL 2019 does not remove any SQL 2012 components from your server. If you no longer need these components then you should follow [the SQL Server uninstallation instructions](/sql/sql-server/install/uninstall-an-existing-instance-of-sql-server-setup).

-**What happens if I do not upgrade?** </br>

-We expect TLS 1.0/1.1 to be deprecated in 2022, and you need to make sure you are not using these protocols by that date as your service may stop working unexpectedly. You can manually configure your server for TLS 1.2 though, and that does not require an update of Azure AD Connect to V2

-In June 2022, ADAL is planned to go out of support. When ADAL goes out of support, authentication may stop working unexpectedly, and this will block the Azure AD Connect server from working properly. We strongly advise you to upgrade to Azure AD Connect V2 before June 2022. You cannot upgrade to a supported authentication library with your current Azure AD Connect version.

-**After upgrading to 2 the ADSync PowerShell cmdlets do not work?** </br>

->Starting April, 2022 the CLI-preview extension commands for node pool snapshot has changed. In preview CLI please use az aks nodepool snapshot commands, refer [CLI Node Pool Snapshot][az-aks-nodepool-snapshot].

-* Managed HSM Support

-description: Learn how to authorize users using OAuth 2.0 in API Management. OAuth 2.0 secures the API so that users can only access resources to which they're entitled.

-# How to authorize developer accounts using OAuth 2.0 in Azure API Management

-Many APIs support [OAuth 2.0](https://oauth.net/2/) to secure the API and ensure that only valid users have access, and they can only access resources to which they're entitled. To use Azure API Management's interactive developer console with such APIs, the service allows you to configure your service instance to work with your OAuth 2.0 enabled API.

-Configuring OAuth 2.0 user authorization in the test console of the developer portal provides developers with a convenient way to acquire an OAuth 2.0 access token. From the test console, the token is simply passed to the backend with the API call. Token validation must be configured separately - either using a [JWT validation policy](api-management-access-restriction-policies.md#ValidateJWT), or in the backend service.

-This guide shows you how to configure your API Management service instance to use OAuth 2.0 authorization for developer accounts, but does not show you how to configure an OAuth 2.0 provider.

-The configuration for each OAuth 2.0 provider is different, although the steps are similar, and the required pieces of information used to configure OAuth 2.0 in your API Management service instance are the same. This topic shows examples using Azure Active Directory as an OAuth 2.0 provider.

-If you have not yet created an API Management service instance, see [Create an API Management service instance][Create an API Management service instance].

-> [!NOTE]

-> For more information on configuring OAuth 2.0 using Azure Active Directory, see [Protect a web API backend in Azure API Management using OAuth 2.0 authorization with Azure Active Directory](api-management-howto-protect-backend-with-aad.md).

-|Implicit | Returns access token immediately without an extra authorization code exchange step | Clients that can't protect a secret or token such as mobile apps and single-page apps<br/><br/>Generally not recommended because of inherent risks of returning access token in HTTP redirect without confirmation that it is received by client |

-|Client credentials | Authenticates and authorizes an app rather than a user | Machine-to-machine applications that do not require a specific user's permissions to access data, such as CLIs, daemons, or services running on your backend |

-1. Under the **OAuth 2.0 tab**, select **+Add**.

- If your OAuth 2.0 provider does not have user management of accounts configured, enter a placeholder URL here such as the URL of your company, or a URL such as `https://placeholder.contoso.com`.

- * Specify the **Authorization grant types** by checking the desired types. **Authorization code** is specified by default. [Learn more](#authorization-grant-types).

- * Enter the **Authorization endpoint URL**. For Azure Active Directory, this URL will be similar to the following URL, where `<tenant_id>` is replaced with the ID of your Azure AD tenant.

- `https://login.microsoftonline.com/<tenant_id>/oauth2/authorize`

- * The **Authorization request method** specifies how the authorization request is sent to the OAuth 2.0 server. By default **GET** is selected.

- * For an Azure Active Directory OAuth 2.0 server, the **Token endpoint URL** has the following format, where `<TenantID>` has the format of `yourapp.onmicrosoft.com`.

- `https://login.microsoftonline.com/<TenantID>/oauth2/token`

- * The default setting for **Client authentication methods** is **In the body**, and **Access token sending method** is **Authorization header**. These values are configured on this section of the form, along with the **Default scope**.

-6. The **Client credentials** section contains the **Client ID** and **Client secret**, which are obtained during the creation and configuration process of your OAuth 2.0 server.

- After the **Client ID** and **Client secret** are specified, the **redirect_uri** for the **authorization code** is generated. This URI is used to configure the reply URL in your OAuth 2.0 server configuration.

-After the server configuration is saved, you can configure APIs to use this configuration, as shown in the next section.

-Once you have configured your OAuth 2.0 authorization server and configured your API to use that server, you can test it by going to the Developer Portal and calling an API. Click **Developer portal (legacy)** in the top menu from your Azure API Management instance **Overview** page.

-When **Authorization code** is selected, a pop-up window is displayed with the sign-in form of the OAuth 2.0 provider. In this example the sign-in form is provided by Azure Active Directory.

-Once you have signed in, the **Request headers** are populated with an `Authorization : Bearer` header that authorizes the request.

-For more information about using OAuth 2.0 and API Management, see the following video and accompanying [article](api-management-howto-protect-backend-with-aad.md).

-[Next steps]: #next-steps

-description: Learn how to secure user access to a web API backend in Azure API Management and the developer portal with OAuth 2.0 user authorization and Azure Active Directory.

-# Protect a web API backend in Azure API Management using OAuth 2.0 authorization with Azure Active Directory

-In this article, you'll learn how to configure your [Azure API Management](api-management-key-concepts.md) instance to protect an API, by using the [OAuth 2.0 protocol with Azure Active Directory (Azure AD)](../active-directory/develop/active-directory-v2-protocols.md).

-You can configure authorization for developer accounts using other OAuth 2.0 providers. For more information, see [How to authorize developer accounts using OAuth 2.0 in Azure API Management](api-management-howto-oauth2.md).

-> [!NOTE]

-> This feature is available in the **Developer**, **Basic**, **Standard**, and **Premium** tiers of API Management.

->

-> You can follow every step below in the **Consumption** tier, except for calling the API from the developer portal.

-1. Register an application (backend-app) in Azure AD to represent the API.

-1. Register another application (client-app) in Azure AD to represent a client application that needs to call the API.

-1. In Azure AD, grant permissions to allow the client-app to call the backend-app.

-1. Configure the developer console in the developer portal to call the API using OAuth 2.0 user authorization.

-1. Add the **validate-jwt** policy to validate the OAuth token for every incoming request.

-## 1. Register an application in Azure AD to represent the API

-Using the Azure portal, protect an API with Azure AD by registering an application that represents the API in Azure AD.

-1. Under the **Manage** section of the side menu, select **Expose an API** and set the **Application ID URI** with the default value. Record this value for later.

-1. Repeat steps 8 and 9 to add all scopes supported by your API.

-1. Once the scopes are created, make a note of them for use in a subsequent step.

-## 2. Register another application in Azure AD to represent a client application

-Register every client application that calls the API as an application in Azure AD. In this example, the client application is the **developer console** in the API Management developer portal.

-To register another application in Azure AD to represent the Developer Console:

-1. In the [Azure portal](https://portal.azure.com), search for and select **App registrations**.

-1. Select **New registration**.

-1. When the **Register an application page** appears, enter your application's registration information:

- - In the **Name** section, enter a meaningful application name that will be displayed to users of the app, such as *client-app*.

- - In the **Supported account types** section, select **Accounts in any organizational directory (Any Azure AD directory - Multitenant)**.

-1. In the **Redirect URI** section, select `Web` and leave the URL field empty for now.

-1. Select **Register** to create the application.

-1. On the app **Overview** page, find the **Application (client) ID** value and record it for later.

-1. Create a client secret for this application to use in a subsequent step.

- 1. Under the **Manage** section of the side menu, select **Certificates & secrets**.

- 1. Under **Client secrets**, select **New client secret**.

- 1. Under **Add a client secret**, provide a **Description** and choose when the key should expire.

- 1. Select **Add**.

-When the secret is created, note the key value for use in a subsequent step.

-## 3. Grant permissions in Azure AD

-Now that you have registered two applications to represent the API and the Developer Console, grant permissions to allow the client-app to call the backend-app.

-1. In the [Azure portal](https://portal.azure.com), search for and select **App registrations**.

-1. Choose your client app. Then in the list of pages for the app, select **API permissions**.

-1. Select **Add a Permission**.

-1. Under **Select an API**, select **My APIs**, and then find and select your backend-app.

-1. Select **Delegated Permissions**, then select the appropriate permissions to your backend-app.

-1. Select **Add permissions**.

-Optionally:

-1. Navigate to your client app's **API permissions** page.

-1. Select **Grant admin consent for \<your-tenant-name>** to grant consent on behalf of all users in this directory.

-## 4. Enable OAuth 2.0 user authorization in the Developer Console

-At this point, you have created your applications in Azure AD, and have granted proper permissions to allow the client-app to call the backend-app.

-In this example, you enable OAuth 2.0 user authorization in the developer console (the client app).

-1. In the Azure portal, find the **Authorization endpoint URL** and **Token endpoint URL** and save them for later.

- 1. Open the **App registrations** page.

- 1. Select **Endpoints**.

- 1. Copy the **OAuth 2.0 Authorization Endpoint** and the **OAuth 2.0 Token Endpoint**.

-1. Browse to your API Management instance.

-1. Under the **Developer portal** section in the side menu, select **OAuth 2.0 + OpenID Connect**.

-1. Under the **OAuth 2.0** tab, select **Add**.

-1. Provide a **Display name** and **Description**.

-1. For the **Client registration page URL**, enter a placeholder value, such as `http://localhost`.

- * The **Client registration page URL** points to a page where users create and configure their own accounts supported by OAuth 2.0 providers.

- * We use a placeholder, since, in this example, users do not create and configure their own accounts.

-1. For **Authorization grant types**, select **Authorization code**.

-1. Specify the **Authorization endpoint URL** and **Token endpoint URL** you saved earlier:

- 1. Copy and paste the **OAuth 2.0 Authorization Endpoint** into the **Authorization endpoint URL** text box.

- 1. Select **POST** under Authorization request method.

- 1. Enter the **OAuth 2.0 Token Endpoint**, and paste it into the **Token endpoint URL** text box.

- * If you use the **v1** endpoint:

- * Add a body parameter named **resource**.

- * Enter the back-end app **Application ID** for the value.

- * If you use the **v2** endpoint:

- * Use the back-end app scope you created in the **Default scope** field.

- * Set the value for the [`accessTokenAcceptedVersion`](../active-directory/develop/reference-app-manifest.md#accesstokenacceptedversion-attribute) property to `2` in your [application manifest](../active-directory/develop/reference-app-manifest.md).

-

- >[!IMPORTANT]

- > While you can use either **v1** or **v2** endpoints, we recommend using v2 endpoints.

-1. Specify the client app credentials:

- * For **Client ID**, use the **Application ID** of the client-app.

- * For **Client secret**, use the key you created for the client-app earlier.

-1. Make note of the **Redirect URI** for the authorization code grant type.

-1. Select **Create**.

-1. Return to your client-app registration.

-

-1. Under **Manage**, select **Authentication**.

-1. Under **Platform configurations**:

- * Click on **Add a platform**.

- * Select the type as **Web**.

- * Paste the redirect URI you saved earlier under **Redirect URIs**.

- * Click on **Configure** button to save.

- Now that the developer console can obtain access tokens from Azure AD via your OAuth 2.0 authorization server, enable OAuth 2.0 user authorization for your API. This enables the developer console to know that it needs to obtain an access token on behalf of the user, before making calls to your API.

-1. Browse to your API Management instance, and go to **APIs**.

-1. Select the API you want to protect. For example, `Echo API`.

-1. Go to **Settings**.

-1. Under **Security**:

- 1. Choose **OAuth 2.0**.

- 1. Select the OAuth 2.0 server you configured earlier.

-1. Select **Save**.

-> [!NOTE]

-> To see the latest configuration of your portal, publish the portal. You can publish the portal in the portal's administrative interface or from the Azure portal.

-## 5. Successfully call the API from the developer portal

-> [!NOTE]

-> This section does not apply to the **Consumption** tier, as it does not support the developer portal.

-## 6. Configure a JWT validation policy to pre-authorize requests

-So far:

-* You've tried to make a call from the developer console.

-* You've been prompted and have signed into the Azure AD tenant.

-* The developer console obtains an access token on your behalf, and includes the token in the request made to the API.

-However, what if someone calls your API without a token or with an invalid token? For example, if you call the API without the `Authorization` header, the call will still go through, since API Management does not validate the access token. It simply passes the `Authorization` header to the back-end API.

-Pre-authorize requests in API Management with the [Validate JWT](./api-management-access-restriction-policies.md#ValidateJWT) policy, by validating the access tokens of each incoming request. If a request does not have a valid token, API Management blocks it.

-The following example policy, when added to the `<inbound>` policy section, checks the value of the audience claim in an access token obtained from Azure AD, and returns an error message if the token is not valid.

-```xml

-<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">

- <openid-config url="https://login.microsoftonline.com/{aad-tenant}/v2.0/.well-known/openid-configuration" />

- <required-claims>

- <claim name="aud">

- <value>{backend-api-application-client-id}</value>

- </claim>

- </required-claims>

-</validate-jwt>

-```

-> [!NOTE]

-> The above `openid-config` URL corresponds to the v2 endpoint. For the v1 `openid-config`endpoint, use `https://login.microsoftonline.com/{aad-tenant}/.well-known/openid-configuration`.

-> [!TIP]

-> Find the **{aad-tenant}** value as your Azure AD tenant ID in the Azure portal, either on:

-> * The overview page of your Azure AD resource, or

-> * The **Manage > Properties** page of your Azure AD resource.

-For information on how to configure policies, see [Set or edit policies](./set-edit-policies.md).

-## Build an application to call the API

-In this guide, you used the developer console in API Management as the sample client application to call the `Echo API` protected by OAuth 2.0. To learn more about how to build an application and implement OAuth 2.0, see [Azure AD code samples](../active-directory/develop/sample-v2-code.md).

-## Next steps

-description: Protect an API with OAuth 2.0 by using Azure Active Directory B2C, Azure API Management and Easy Auth to be called from a JavaScript SPA using the PKCE enabled SPA Auth Flow.

-# Protect SPA backend with OAuth 2.0, Azure Active Directory B2C and Azure API Management

-1. Create the sign up and sign in policies to allow users to sign in with Azure AD B2C

-1. Now set the Display Name and AppID URI, choose something unique and relevant to the Frontend application that will use this AAD B2C app registration. In this example, you can use "Frontend Application"

-## Create a "Sign up and Sign in" user flow

-1. Choose the 'Sign up and sign in' user flow type, and select 'Recommended' and then 'Create'

-1. Under 'Identity providers' and "Local accounts", check 'Email sign up' (or 'User ID sign up' depending on the config of your B2C tenant) and click OK. This configuration is because we'll be registering local B2C accounts, not deferring to another identity provider (like a social identity provider) to use an user's existing social media account.

- > In this case we configured a sign up or sign in flow (policy). This also exposed a well-known configuration endpoint, in both cases our created policy was identified in the URL by the "p=" query string parameter.

-1. Paste the Well-known open-id configuration endpoint from the sign up and sign in policy into the Issuer URL box (we recorded this configuration earlier).

- > You added additional defense-in-depth security in EasyAuth by configuring the 'Login With Azure AD' option to handle unauthenticated requests. Be aware that this will change the unauthorized request behavior between the Backend Function App and Frontend SPA as EasyAuth will issue a 302 redirect to AAD instead of a 401 Not Authorized response, we will correct this by using API Management later.

- clientId: "{CLIENTID}", // This is the client ID of your FRONTEND application that you registered with the SPA type in AAD B2C

-1. Click ΓÇ£Sign InΓÇ¥ in the top-right-hand corner, this click will pop up your Azure AD B2C sign up or sign in profile.

-If the above features don't support your apps or you're looking to take a more manual route, you have the option of deploying your apps following the same process you used for your existing App Service Environment. At this time, all deployment methods except FTP are supported on App Service Environment v3. You don't need to make updates when you deploy your apps to your new environment unless you want to make changes or take advantage of App Service Environment v3's dedicated features.

-> [Migrate to App Service Environment v3 by using the migration feature](migrate.md)

-The Form Recognizer v3.0 preview includes the new Read API. Read extracts printed and handwritten from documents. The read model can detect lines, words, locations, and languages and is the core of all the other Form Recognizer models. Layout, general document, custom, and prebuilt models all use the read model as a foundation for extracting texts from documents.

-Read API extracts text from documents and images with multiple text angles and colors. It accepts photos of documents, faxes, printed and/or handwritten (English only) text, and mixed modes. Text is extracted from data provided in lines, words, bounding boxes, confidence scores, and style.

-### Language detection (v3.0 preview)

-Read API in v3.0 preview 2 adds [language detection](language-support.md#detected-languages-read-api) as a new feature for text lines. Read will predict the language at the text line level along with the confidence score.

-App Configuration has two libraries for Spring. `azure-spring-cloud-appconfiguration-config` requires Spring Boot and takes a dependency on `spring-cloud-context`. `azure-spring-cloud-appconfiguration-config-web` requires Spring Web along with Spring Boot. Both libraries support manual triggering to check for refreshed configuration values. `azure-spring-cloud-appconfiguration-config-web` also adds support for automatic checking of configuration refresh.

-Refresh allows you to refresh your configuration values without having to restart your application, though it will cause all beans in the `@RefreshScope` to be recreated. The client library caches a hash ID of the currently loaded configurations to avoid too many calls to the configuration store. The refresh operation doesn't update the value until the cached value has expired, even when the value has changed in the configuration store. The default expiration time for each request is 30 seconds. It can be overridden if necessary.

-`azure-spring-cloud-appconfiguration-config-web`'s automated refresh is triggered based off activity, specifically Spring Web's `ServletRequestHandledEvent`. If a `ServletRequestHandledEvent` is not triggered, `azure-spring-cloud-appconfiguration-config-web`'s automated refresh will not trigger a refresh even if the cache expiration time has expired.

-```java

-import com.azure.spring.cloud.config.AppConfigurationRefresh;

-...

-@Autowired

-private AppConfigurationRefresh appConfigurationRefresh;

-...

-public void myConfigurationRefreshCheck() {

- Future<Boolean> triggeredRefresh = appConfigurationRefresh.refreshConfigurations();

-}

-```

-`AppConfigurationRefresh`'s `refreshConfigurations()` returns a `Future` that is true if a refresh has been triggered, and false if not. False means either the cache expiration time hasn't expired, there was no change, or another thread is currently checking for a refresh.

- <version>2.0.0</version>

-1. Refresh the browser page to see the new message displayed.

-In this tutorial, you enabled your Spring Boot app to dynamically refresh configuration settings from App Configuration. To learn how to use an Azure managed identity to streamline the access to App Configuration, continue to the next tutorial.

- <version>2.0.0</version>

-1. Setup [Maven App Service Deployment](../app-service/quickstart-java.md?tabs=javase) so the application can be deployed to Azure App Service via Maven.

-1. Click on `Event Subscriptions` in the `Events` pane to validated that the subscription was created successfully.

-In this tutorial, you enabled your Java app to dynamically refresh configuration settings from App Configuration. To learn how to use an Azure managed identity to streamline the access to App Configuration, continue to the next tutorial.

- <version>2.0.0-beta.2</version>

- <version>2.0.0-beta.2</version>

-When you are completely moved to the new version, you can removed the old keys by running:

-* A supported [Java Development Kit SDK](/java/azure/jdk) with version 8.

- <version>2.0.0</version>

- <version>2.0.0</version>

-1. In the App Configuration portal for your config store, select `Access keys` from the sidebar. Select the Read-only keys tab. Copy the value of the primary connection string.

-1. Add the primary connection string as an environment variable using the variable name `APP_CONFIGURATION_CONNECTION_STRING`.

-1. Open the main application Java file, and add `@EnableConfigurationProperties` to enable this feature.

- ```java

- package com.example.demo;

- import org.springframework.boot.SpringApplication;

- import org.springframework.boot.context.properties.ConfigurationProperties;

- import org.springframework.boot.context.properties.EnableConfigurationProperties;

- import org.springframework.boot.autoconfigure.SpringBootApplication;

- @SpringBootApplication

- @EnableConfigurationProperties(MessageProperties.class)

- public class DemoApplication {

- public static void main(String[] args) {

- SpringApplication.run(DemoApplication.class, args);

- }

- }

-1. Create a new Java file named *MessageProperties.java* in the package directory of your app.

- ```java

- package com.example.demo;

- import org.springframework.boot.context.properties.ConfigurationProperties;

- import org.springframework.context.annotation.Configuration;

- @Configuration

- @ConfigurationProperties(prefix = "config")

- public class MessageProperties {

- private String message;

- public String getMessage() {

- return message;

- }

- public void setMessage(String message) {

- this.message = message;

- }

- }

- <script src="https://code.jquery.com/jquery-3.3.1.slim.min.js" integrity="sha384-q8i/X+965DzO0rT7abK41JStQIAqVgRVzpbzo5smXKp4YfRvH+8abtTE1Pi6jizo" crossorigin="anonymous"></script>

- <script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.7/umd/popper.min.js" integrity="sha384-UO2eT0CpHqdSJQ6hJty5KVphtPhzWj9WO1clHTMGa3JDZwrnQq4sF86dIHNDz0W1" crossorigin="anonymous"></script>

- <script src="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.min.js" integrity="sha384-JjSmVgyd0p3pXB1rRibZUAYoIIy6OrQ6VrjIEaFf/nJGzIxFDsf4x0xIM+B07jRM" crossorigin="anonymous"></script>

-In this quickstart, you created a new App Configuration store and used it to manage features in a Spring Boot web app via the [Feature Management libraries](/dotnet/api/Microsoft.Extensions.Configuration.AzureAppConfiguration).

- **Spring Boot 2.4**

- <version>2.0.0</version>

-1. Create a new file named `bootstrap.properties` under the resources directory of your app, and add the following lines to the file. Replace the sample values with the appropriate properties for your App Configuration store.

-1. Build your Spring Boot application with Maven and run it, for example:

-In this quickstart, you created a new App Configuration store and used it with a Java Spring app. For more information, see [Spring on Azure](/java/azure/spring-framework/). To learn how to enable your Java Spring app to dynamically refresh configuration settings, continue to the next tutorial.

- <version>2.0.0</version>

- feature-set:

- feature-a: true

- feature-b: false

- feature-c:

- enabled-for:

- -

- name: Percentage

- parameters:

- value: 50

-* `feature-c` specifies a filter named `Percentage` with a `parameters` property. `Percentage` is a configurable filter. In this example, `Percentage` specifies a 50-percent probability for the `feature-c` flag to be *on*.

-In this tutorial, you learned how to implement feature flags in your Spring Boot application by using the `azure-spring-cloud-feature-management-web` libraries. For more information about feature management support in Spring Boot and App Configuration, see the following resources:

-* A supported [Java Development Kit (JDK)](/java/azure/jdk) with version 8.

-In this tutorial, you created an App Configuration key that references a value stored in Key Vault. To learn how to use feature flags in your Java Spring application, continue to the next tutorial.

-[az arcdata dc](reference-az-arcdata-dc.md) | Create, delete, and manage data controllers.

-[az arcdata resource-kind](reference-az-arcdata-resource-kind.md) | Resource-kind commands to define and template custom resources on your cluster.

-[az sql_mi-arc](reference-az-sql-mi-arc.md) | Manage Azure Arc-enabled SQL managed instances.

-[az sql midb-arc](reference-az-sql-midb-arc.md) | Manage databases for Azure Arc-enabled SQL managed instances.

-[az postgres arc-server](reference-az-postgres-arc-server.md) | Manage Azure Arc enabled PostgreSQL Hyperscale server groups.

-description: Reference article for az sql mi-arc dag commands.

-# az sql mi-arc dag

-## Commands

-| Command | Description|

-| | |

-[az sql mi-arc dag create](#az-sql-mi-arc-dag-create) | Create a distributed availability group custom resource

-[az sql mi-arc dag delete](#az-sql-mi-arc-dag-delete) | Delete a distributed availability group custom resource on a sqlmi instance.

-[az sql mi-arc dag show](#az-sql-mi-arc-dag-show) | show a distributed availability group custom resource.

-## az sql mi-arc dag create

-Create a distributed availability group custom resource to create a distributed availability group

-```azurecli

-az sql mi-arc dag create

-```

-### Examples

-Ex 1 - Create a distributed availability group custom resource dagCr1 to create distributed availability group dagName1 between local sqlmi instance sqlmi1 and remote sqlmi instance sqlmi2. It requires remote sqlmi primary mirror remotePrimary:5022 and remote sqlmi mirror endpoint certificate file ./sqlmi2.cer.

-```azurecli

-az sql mi-arc dag create --name dagCr1 --dag-name dagName1 --local-instance-name sqlmi1 --local-primary local --remote-instance-name sqlmi2 --remote-mirroring-url remotePrimary:5022 --remote-mirroring-cert-file ./sqlmi2.cer --use-k8s

-```

-### Global Arguments

-#### `--debug`

-Increase logging verbosity to show all debug logs.

-#### `--help -h`

-Show this help message and exit.

-#### `--output -o`

-Output format. Allowed values: json, jsonc, table, tsv. Default: json.

-#### `--query -q`

-JMESPath query string. See [http://jmespath.org/](http://jmespath.org) for more information and examples.

-#### `--verbose`

-Increase logging verbosity. Use `--debug` for full debug logs.

-## az sql mi-arc dag delete

-Delete a distributed availability group custom resource on a sqlmi instance to delete a distributed availability group. It requires a custom resource name.

-```azurecli

-az sql mi-arc dag delete

-```

-### Examples

-Ex 1 - delete distributed availability group resources named dagCr1.

-```azurecli

-az sql mi-arc dag delete --name dagCr1 --use-k8s

-```

-### Global Arguments

-#### `--debug`

-Increase logging verbosity to show all debug logs.

-#### `--help -h`

-Show this help message and exit.

-#### `--output -o`

-Output format. Allowed values: json, jsonc, table, tsv. Default: json.

-#### `--query -q`

-JMESPath query string. See [http://jmespath.org/](http://jmespath.org) for more information and examples.

-#### `--verbose`

-Increase logging verbosity. Use `--debug` for full debug logs.

-## az sql mi-arc dag show

-show a distributed availability group custom resource. It requires a custom resource name

-```azurecli

-az sql mi-arc dag show

-```

-### Examples

-Ex 1 - show distributed availability group resources named dagCr1.

-```azurecli

-az sql mi-arc dag show --name dagCr1 --use-k8s

-```

-### Global Arguments

-#### `--debug`

-Increase logging verbosity to show all debug logs.

-#### `--help -h`

-Show this help message and exit.

-#### `--output -o`

-Output format. Allowed values: json, jsonc, table, tsv. Default: json.

-#### `--query -q`

-JMESPath query string. See [http://jmespath.org/](http://jmespath.org) for more information and examples.

-#### `--verbose`

-Increase logging verbosity. Use `--debug` for full debug logs.

-[az sql mi-arc dag](reference-az-sql-mi-arc-dag.md) | Create or Delete a Distributed Availability Group.

-az sql mi-arc upgrade -n sqlmi1 --k8s-namespace arc --desired-version v1.1.0 --use-k8s

-## April 2022

-| CPU |The CPU utilization of the Azure Cache for Redis server as a percentage during the specified reporting interval. This value maps to the operating system `\Processor(_Total)\% Processor Time` performance counter. |

-The Azure SQL input binding retrieves data from a database and passes it to the input parameter of the function.

-<a id="example" name="example"></a>

-# [C#](#tab/csharp)

-### HTTP trigger, look up ID from query string

-### HTTP trigger, get multiple items from route data

-### HTTP trigger, delete one or multiple rows

-# [JavaScript](#tab/javascript)

-The Azure SQL binding for Azure Functions does not currently support JavaScript.

-# [Python](#tab/python)

-The Azure SQL binding for Azure Functions does not currently support Python.

-

-## Attributes and annotations

-# [C#](#tab/csharp)

-In [C# class libraries](functions-dotnet-class-library.md), use the [Sql](https://github.com/Azure/azure-functions-sql-extension/blob/main/src/SqlAttribute.cs) attribute.

-The attribute's constructor takes the SQL command text, the command type, parameters, and the connection string setting name. The command can be a Transact-SQL (T-SQL) query with the command type `System.Data.CommandType.Text` or stored procedure name with the command type `System.Data.CommandType.StoredProcedure`. The connection string setting name corresponds to the application setting (in `local.settings.json` for local development) that contains the [connection string](/dotnet/api/microsoft.data.sqlclient.sqlconnection.connectionstring?view=sqlclient-dotnet-core-3.0&preserve-view=true#Microsoft_Data_SqlClient_SqlConnection_ConnectionString) to the Azure SQL or SQL Server instance.

-Here's a `Sql` attribute example in a method signature:

-```csharp

- [FunctionName("GetToDoItems")]

- public static IActionResult Run(

- [HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = "gettodoitems/{priority}")]

- HttpRequest req,

- [Sql("select * from dbo.ToDo where [Priority] > @Priority",

- CommandType = System.Data.CommandType.Text,

- Parameters = "@Priority={priority}",

- ConnectionStringSetting = "SqlConnectionString")]

- IEnumerable<ToDoItem> toDoItems)

- {

- ...

- }

-```

-# [JavaScript](#tab/javascript)

-The Azure SQL binding for Azure Functions does not currently support JavaScript.

-# [Python](#tab/python)

-The Azure SQL binding for Azure Functions does not currently support Python.

-<a id="example" name="example"></a>

-# [C#](#tab/csharp)

-# [JavaScript](#tab/javascript)

-The Azure SQL binding for Azure Functions does not currently support JavaScript.

-# [Python](#tab/python)

-The Azure SQL binding for Azure Functions does not currently support Python.

-## Attributes and annotations

-# [C#](#tab/csharp)

-In [C# class libraries](functions-dotnet-class-library.md), use the [Sql](https://github.com/Azure/azure-functions-sql-extension/blob/main/src/SqlAttribute.cs) attribute.

-The attribute's constructor takes the SQL command text and the connection string setting name. For an output binding, the SQL command string is a table name where the data is to be stored. The connection string setting name corresponds to the application setting (in `local.settings.json` for local development) that contains the [connection string](/dotnet/api/microsoft.data.sqlclient.sqlconnection.connectionstring?view=sqlclient-dotnet-core-3.0&preserve-view=true#Microsoft_Data_SqlClient_SqlConnection_ConnectionString) to the Azure SQL or SQL Server instance.

-Here's a `Sql` attribute example in a method signature:

-```csharp

- [FunctionName("HTTPtoSQL")]

- public static IActionResult Run(

- [HttpTrigger(AuthorizationLevel.Function, "get", Route = "addtodo")] HttpRequest req,

- [Sql("dbo.ToDo", ConnectionStringSetting = "SqlConnectionString")] out ToDoItem newItem)

- {

- ...

- }

-```

-# [JavaScript](#tab/javascript)

-The Azure SQL binding for Azure Functions does not currently support JavaScript.

-# [Python](#tab/python)

-The Azure SQL binding for Azure Functions does not currently support Python.

-> This reference is for [Azure Functions version 2.x and higher](functions-versions.md).

->

-> This binding requires connectivity to an Azure SQL or SQL Server database.

-## Add to your Functions app

-### Functions

-Working with the trigger and bindings requires you reference the appropriate package. The NuGet package is used for .NET class libraries while the extension bundle is used for all other application types.

-| Language | Add by... | Remarks

-|-||-|

-| C# | Installing the [preview NuGet package] | |

-<!--| C# Script, Java, JavaScript, Python, PowerShell | Registering the [extension bundle] | The [Azure Tools extension] is recommended to use with Visual Studio Code. | -->

-[preview NuGet package]: https://www.nuget.org/packages/Microsoft.Azure.WebJobs.Extensions.Sql

-[core tools]: ./functions-run-local.md

-[extension bundle]: ./functions-bindings-register.md#extension-bundles

-[Azure Tools extension]: https://marketplace.visualstudio.com/items?itemName=ms-vscode.vscode-node-azure-pack

-## Known issues

-## Open source

-The Azure SQL bindings for Azure Functions are open-source and available on the repository at [https://github.com/Azure/azure-functions-sql-extension](https://github.com/Azure/azure-functions-sql-extension).

-The following table explains the binding configuration properties that you set in the *function.json* file and the `Table` attribute.

-The connection string setting name is identified in our Functions code as the binding attribute "ConnectionStringSetting", as seen in the SQL input binding [attributes and annotations](./functions-bindings-azure-sql-input.md?tabs=csharp#attributes-and-annotations).

-To migrate an app from 3.x to 4.x, set the `FUNCTIONS_EXTENSION_VERSION` application setting to `~4` with the following Azure CLI or Azure PowerShell commands:

-az functionapp config appsettings set --settings FUNCTIONS_EXTENSION_VERSION=~4 -n <APP_NAME> -g <RESOURCE_GROUP_NAME>

-az functionapp config set --net-framework-version v6.0 -n <APP_NAME> -g <RESOURCE_GROUP_NAME>

-description: Learn about the new table structure and schema for Azure Monitor Application Insights workspace-based resources.

-# Workspace-based resource changes

-Prior to the introduction of [workspace-based Application Insights resources](create-workspace-resource.md), Application Insights data was stored separate from other log data in Azure Monitor. Both are based on Azure Data Explorer and use the same Kusto Query Language (KQL). With workspace-based Application Insights resources data is stored in a Log Analytics workspace with other monitoring data and application data. This simplifies your configuration by allowing you to more easily analyze data across multiple solutions and to leverage the capabilities of workspaces.

-## Classic data structure

-The structure of a Log Analytics workspace is described in [Log Analytics workspace overview](../logs/log-analytics-workspace-overview.md). For a classic application, the data is not stored in a Log Analytics workspace. It uses the same query language, and you create and run queries by using the same Log Analytics tool in the Azure portal. Data items for classic applications are stored separately from each other. The general structure is the same as for workspace-based applications, although the table and column names are different.

-> [!NOTE]

-> The classic Application Insights experience includes backward compatibility for your resource queries, workbooks, and log-based alerts. To query or view against the [new workspace-based table structure or schema](../app/apm-tables.md), you must first go to your Log Analytics workspace. During the preview, selecting **Logs** from within the Application Insights panes will give you access to the classic Application Insights query experience. For more information, see [Query scope](../logs/scope.md).

-[](../logs/media/data-platform-logs/logs-structure-ai.png#lightbox)

-## Table structure

-| Legacy table name | New table name | Description |

-|:|:|:|

-| availabilityResults | AppAvailabilityResults | Summary data from availability tests.|

-| browserTimings | AppBrowserTimings | Data about client performance, such as the time taken to process the incoming data.|

-| dependencies | AppDependencies | Calls from the application to other components (including external components) recorded via TrackDependency() ΓÇô for example, calls to REST API, database or a file system. |

-| customEvents | AppEvents | Custom events created by your application. |

-| customMetrics | AppMetrics | Custom metrics created by your application. |

-| pageViews | AppPageViews| Data about each website view with browser information. |

-| performanceCounters | AppPerformanceCounters | Performance measurements from the compute resources supporting the application, for example, Windows performance counters. |

-| requests | AppRequests | Requests received by your application. For example, a separate request record is logged for each HTTP request that your web app receives. |

-| exceptions | AppExceptions | Exceptions thrown by the application runtime, captures both server side and client-side (browsers) exceptions. |

-| traces | AppTraces | Detailed logs (traces) emitted through application code/logging frameworks recorded via TrackTrace(). |

-## Table schemas

-The following sections show the mapping between the classic property names and the new workspace-based Application Insights property names. Use this information to convert any queries using legacy tables.

-Most of the columns have the same name with different capitalization. Since KQL is case-sensitive, you will need to change each column name along with the table names in existing queries. Columns with changes in addition to capitalization are highlighted. You can still use your classic Application Insights queries within the **Logs** pane of your Application Insights resource, even if it is a workspace-based resource. The new property names are required for when querying from within the context of the Log Analytics workspace experience.

-### AppAvailabilityResults

-Legacy table: availability

-|ApplicationInsights|Type|LogAnalytics|Type|

-|:|:|:|:|

-|appId|string|\_ResourceGUID|string|

-|application_Version|string|AppVersion|string|

-|appName|string|\_ResourceId|string|

-|client_Browser|string|ClientBrowser|string|

-|client_City|string|ClientCity|string|

-|client_CountryOrRegion|string|ClientCountryOrRegion|string|

-|client_IP|string|ClientIP|string|

-|client_Model|string|ClientModel|string|

-|client_OS|string|ClientOS|string|

-|client_StateOrProvince|string|ClientStateOrProvince|string|

-|client_Type|string|ClientType|string|

-|cloud_RoleInstance|string|AppRoleInstance|string|

-|cloud_RoleName|string|AppRoleName|string|

-|customDimensions|dynamic|Properties|Dynamic|

-|customMeasurements|dynamic|Measurements|Dynamic|

-|duration|real|DurationMs|real|

-|`id`|string|`Id`|string|

-|iKey|string|IKey|string|

-|itemCount|int|ItemCount|int|

-|itemId|string|\_ItemId|string|

-|itemType|string|Type|String|

-|location|string|Location|string|

-|message|string|Message|string|

-|name|string|Name|string|

-|operation_Id|string|OperationId|string|

-|operation_Name|string|OperationName|string|

-|operation_ParentId|string|OperationParentId|string|

-|operation_SyntheticSource|string|OperationSyntheticSource|string|

-|performanceBucket|string|PerformanceBucket|string|

-|sdkVersion|string|SdkVersion|string|

-|session_Id|string|SessionId|string|

-|size|real|Size|real|

-|success|string|Success|Bool|

-|timestamp|datetime|TimeGenerated|datetime|

-|user_AccountId|string|UserAccountId|string|

-|user_AuthenticatedId|string|UserAuthenticatedId|string|

-|user_Id|string|UserId|string|

-### AppBrowserTimings

-Legacy table: browserTimings

-|ApplicationInsights|Type|LogAnalytics|Type|

-|:|:|:|:|

-|appId|string|\_ResourceGUID|string|

-|application_Version|string|AppVersion|string|

-|appName|string|\_ResourceId|string|

-|client_Browser|string|ClientBrowser|string|

-|client_City|string|ClientCity|string|

-|client_CountryOrRegion|string|ClientCountryOrRegion|string|

-|client_IP|string|ClientIP|string|

-|client_Model|string|ClientModel|string|

-|client_OS|string|ClientOS|string|

-|client_StateOrProvince|string|ClientStateOrProvince|string|

-|client_Type|string|ClientType|string|

-|cloud_RoleInstance|string|AppRoleInstance|string|

-|cloud_RoleName|string|AppRoleName|string|

-|customDimensions|dynamic|Properties|Dynamic|

-|customMeasurements|dynamic|Measurements|Dynamic|

-|iKey|string|IKey|string|

-|itemCount|int|ItemCount|int|

-|itemId|string|\_ItemId|string|

-|itemType|string|Type|string|

-|name|string|Name|datetime|

-|networkDuration|real|NetworkDurationMs|real|

-|operation_Id|string|OperationId|string|

-|operation_Name|string|OperationName|string|

-|operation_ParentId|string|OperationParentId|string|

-|operation_SyntheticSource|string|OperationSyntheticSource|string|

-|performanceBucket|string|PerformanceBucket|string|

-|processingDuration|real|ProcessingDurationMs|real|

-|receiveDuration|real|ReceiveDurationMs|real|

-|sdkVersion|string|SdkVersion|string|

-|sendDuration|real|SendDurationMs|real|

-|session_Id|string|SessionId|string|

-|timestamp|datetime|TimeGenerated|datetime|

-|totalDuration|real|TotalDurationMs|real|

-|url|string|Url|string|

-|user_AccountId|string|UserAccountId|string|

-|user_AuthenticatedId|string|UserAuthenticatedId|string|

-|user_Id|string|UserId|string|

-### AppDependencies

-Legacy table: dependencies

-|ApplicationInsights|Type|LogAnalytics|Type|

-|:|:|:|:|

-|appId|string|\_ResourceGUID|string|

-|application_Version|string|AppVersion|string|

-|appName|string|\_ResourceId|string|

-|client_Browser|string|ClientBrowser|string|

-|client_City|string|ClientCity|string|

-|client_CountryOrRegion|string|ClientCountryOrRegion|string|

-|client_IP|string|ClientIP|string|

-|client_Model|string|ClientModel|string|

-|client_OS|string|ClientOS|string|

-|client_StateOrProvince|string|ClientStateOrProvince|string|

-|client_Type|string|ClientType|string|

-|cloud_RoleInstance|string|AppRoleInstance|string|

-|cloud_RoleName|string|AppRoleName|string|

-|customDimensions|dynamic|Properties|Dynamic|

-|customMeasurements|dynamic|Measurements|Dynamic|

-|data|string|Data|string|

-|duration|real|DurationMs|real|

-|`id`|string|`Id`|string|

-|iKey|string|IKey|string|

-|itemCount|int|ItemCount|int|

-|itemId|string|\_ItemId|string|

-|itemType|string|Type|String|

-|name|string|Name|string|

-|operation_Id|string|OperationId|string|

-|operation_Name|string|OperationName|string|

-|operation_ParentId|string|OperationParentId|string|

-|operation_SyntheticSource|string|OperationSyntheticSource|string|

-|performanceBucket|string|PerformanceBucket|string|

-|resultCode|string|ResultCode|string|

-|sdkVersion|string|SdkVersion|string|

-|session_Id|string|SessionId|string|

-|success|string|Success|Bool|

-|target|string|Target|string|

-|timestamp|datetime|TimeGenerated|datetime|

-|type|string|DependencyType|string|

-|user_AccountId|string|UserAccountId|string|

-|user_AuthenticatedId|string|UserAuthenticatedId|string|

-|user_Id|string|UserId|string|

-### AppEvents

-Legacy table: customEvents

-|ApplicationInsights|Type|LogAnalytics|Type|

-|:|:|:|:|

-|appId|string|\_ResourceGUID|string|

-|application_Version|string|AppVersion|string|

-|appName|string|\_ResourceId|string|

-|client_Browser|string|ClientBrowser|string|

-|client_City|string|ClientCity|string|

-|client_CountryOrRegion|string|ClientCountryOrRegion|string|

-|client_IP|string|ClientIP|string|

-|client_Model|string|ClientModel|string|

-|client_OS|string|ClientOS|string|

-|client_StateOrProvince|string|ClientStateOrProvince|string|

-|client_Type|string|ClientType|string|

-|cloud_RoleInstance|string|AppRoleInstance|string|

-|cloud_RoleName|string|AppRoleName|string|

-|customDimensions|dynamic|Properties|Dynamic|

-|customMeasurements|dynamic|Measurements|Dynamic|

-|iKey|string|IKey|string|

-|itemCount|int|ItemCount|int|

-|itemId|string|\_ItemId|string|

-|itemType|string|Type|string|

-|name|string|Name|string|

-|operation_Id|string|OperationId|string|

-|operation_Name|string|OperationName|string|

-|operation_ParentId|string|OperationParentId|string|

-|operation_SyntheticSource|string|OperationSyntheticSource|string|

-|sdkVersion|string|SdkVersion|string|

-|session_Id|string|SessionId|string|

-|timestamp|datetime|TimeGenerated|datetime|

-|user_AccountId|string|UserAccountId|string|

-|user_AuthenticatedId|string|UserAuthenticatedId|string|

-|user_Id|string|UserId|string|

-### AppMetrics

-Legacy table: customMetrics

-|ApplicationInsights|Type|LogAnalytics|Type|

-|:|:|:|:|

-|appId|string|\_ResourceGUID|string|

-|application_Version|string|AppVersion|string|

-|appName|string|\_ResourceId|string|

-|client_Browser|string|ClientBrowser|string|

-|client_City|string|ClientCity|string|

-|client_CountryOrRegion|string|ClientCountryOrRegion|string|

-|client_IP|string|ClientIP|string|

-|client_Model|string|ClientModel|string|

-|client_OS|string|ClientOS|string|

-|client_StateOrProvince|string|ClientStateOrProvince|string|

-|client_Type|string|ClientType|string|

-|cloud_RoleInstance|string|AppRoleInstance|string|

-|cloud_RoleName|string|AppRoleName|string|

-|customDimensions|dynamic|Properties|Dynamic|

-|iKey|string|IKey|string|

-|itemId|string|\_ItemId|string|

-|itemType|string|Type|string|

-|name|string|Name|string|

-|operation_Id|string|OperationId|string|

-|operation_Name|string|OperationName|string|

-|operation_ParentId|string|OperationParentId|string|

-|operation_SyntheticSource|string|OperationSyntheticSource|string|

-|sdkVersion|string|SdkVersion|string|

-|session_Id|string|SessionId|string|

-|timestamp|datetime|TimeGenerated|datetime|

-|user_AccountId|string|UserAccountId|string|

-|user_AuthenticatedId|string|UserAuthenticatedId|string|

-|user_Id|string|UserId|string|

-|value|real|(removed)||

-|valueCount|int|ValueCount|int|

-|valueMax|real|ValueMax|real|

-|valueMin|real|ValueMin|real|

-|valueStdDev|real|ValueStdDev|real|

-|valueSum|real|ValueSum|real|

-### AppPageViews

-Legacy table: pageViews

-|ApplicationInsights|Type|LogAnalytics|Type|

-|:|:|:|:|

-|appId|string|\_ResourceGUID|string|

-|application_Version|string|AppVersion|string|

-|appName|string|\_ResourceId|string|

-|client_Browser|string|ClientBrowser|string|

-|client_City|string|ClientCity|string|

-|client_CountryOrRegion|string|ClientCountryOrRegion|string|

-|client_IP|string|ClientIP|string|

-|client_Model|string|ClientModel|string|

-|client_OS|string|ClientOS|string|

-|client_StateOrProvince|string|ClientStateOrProvince|string|

-|client_Type|string|ClientType|string|

-|cloud_RoleInstance|string|AppRoleInstance|string|

-|cloud_RoleName|string|AppRoleName|string|

-|customDimensions|dynamic|Properties|Dynamic|

-|customMeasurements|dynamic|Measurements|Dynamic|

-|duration|real|DurationMs|real|

-|`id`|string|`Id`|string|

-|iKey|string|IKey|string|

-|itemCount|int|ItemCount|int|

-|itemId|string|\_ItemId|string|

-|itemType|string|Type|String|

-|name|string|Name|string|

-|operation_Id|string|OperationId|string|

-|operation_Name|string|OperationName|string|

-|operation_ParentId|string|OperationParentId|string|

-|operation_SyntheticSource|string|OperationSyntheticSource|string|

-|performanceBucket|string|PerformanceBucket|string|

-|sdkVersion|string|SdkVersion|string|

-|session_Id|string|SessionId|string|

-|timestamp|datetime|TimeGenerated|datetime|

-|url|string|Url|string|

-|user_AccountId|string|UserAccountId|string|

-|user_AuthenticatedId|string|UserAuthenticatedId|string|

-|user_Id|string|UserId|string|

-### AppPerformanceCounters

-Legacy table: performanceCounters

-|ApplicationInsights|Type|LogAnalytics|Type|

-|:|:|:|:|

-|appId|string|\_ResourceGUID|string|

-|application_Version|string|AppVersion|string|

-|appName|string|\_ResourceId|string|

-|category|string|Category|string|

-|client_Browser|string|ClientBrowser|string|

-|client_City|string|ClientCity|string|

-|client_CountryOrRegion|string|ClientCountryOrRegion|string|

-|client_IP|string|ClientIP|string|

-|client_Model|string|ClientModel|string|

-|client_OS|string|ClientOS|string|

-|client_StateOrProvince|string|ClientStateOrProvince|string|

-|client_Type|string|ClientType|string|

-|cloud_RoleInstance|string|AppRoleInstance|string|

-|cloud_RoleName|string|AppRoleName|string|

-|counter|string|(removed)||

-|customDimensions|dynamic|Properties|Dynamic|

-|iKey|string|IKey|string|

-|instance|string|Instance|string|

-|itemId|string|\_ItemId|string|

-|itemType|string|Type|string|

-|name|string|Name|string|

-|operation_Id|string|OperationId|string|

-|operation_Name|string|OperationName|string|

-|operation_ParentId|string|OperationParentId|string|

-|operation_SyntheticSource|string|OperationSyntheticSource|string|

-|sdkVersion|string|SdkVersion|string|

-|session_Id|string|SessionId|string|

-|timestamp|datetime|TimeGenerated|datetime|

-|user_AccountId|string|UserAccountId|string|

-|user_AuthenticatedId|string|UserAuthenticatedId|string|

-|user_Id|string|UserId|string|

-|value|real|Value|real|

-### AppRequests

-Legacy table: requests

-|ApplicationInsights|Type|LogAnalytics|Type|

-|:|:|:|:|

-|appId|string|\_ResourceGUID|string|

-|application_Version|string|AppVersion|string|

-|appName|string|\_ResourceId|string|

-|client_Browser|string|ClientBrowser|string|

-|client_City|string|ClientCity|string|

-|client_CountryOrRegion|string|ClientCountryOrRegion|string|

-|client_IP|string|ClientIP|string|

-|client_Model|string|ClientModel|string|

-|client_OS|string|ClientOS|string|

-|client_StateOrProvince|string|ClientStateOrProvince|string|

-|client_Type|string|ClientType|string|

-|cloud_RoleInstance|string|AppRoleInstance|string|

-|cloud_RoleName|string|AppRoleName|string|

-|customDimensions|dynamic|Properties|Dynamic|

-|customMeasurements|dynamic|Measurements|Dynamic|

-|duration|real|DurationMs|Real|

-|`id`|string|`Id`|String|

-|iKey|string|IKey|string|

-|itemCount|int|ItemCount|int|

-|itemId|string|\_ItemId|string|

-|itemType|string|Type|String|

-|name|string|Name|String|

-|operation_Id|string|OperationId|string|

-|operation_Name|string|OperationName|string|

-|operation_ParentId|string|OperationParentId|string|

-|operation_SyntheticSource|string|OperationSyntheticSource|string|

-|performanceBucket|string|PerformanceBucket|String|

-|resultCode|string|ResultCode|String|

-|sdkVersion|string|SdkVersion|string|

-|session_Id|string|SessionId|string|

-|source|string|Source|String|

-|success|string|Success|Bool|

-|timestamp|datetime|TimeGenerated|datetime|

-|url|string|Url|String|

-|user_AccountId|string|UserAccountId|string|

-|user_AuthenticatedId|string|UserAuthenticatedId|string|

-|user_Id|string|UserId|string|

-### AppExceptions

-Legacy table: exceptions

-|ApplicationInsights|Type|LogAnalytics|Type|

-|:|:|:|:|

-|appId|string|\_ResourceGUID|string|

-|application_Version|string|AppVersion|string|

-|appName|string|\_ResourceId|string|

-|assembly|string|Assembly|string|

-|client_Browser|string|ClientBrowser|string|

-|client_City|string|ClientCity|string|

-|client_CountryOrRegion|string|ClientCountryOrRegion|string|

-|client_IP|string|ClientIP|string|

-|client_Model|string|ClientModel|string|

-|client_OS|string|ClientOS|string|

-|client_StateOrProvince|string|ClientStateOrProvince|string|

-|client_Type|string|ClientType|string|

-|cloud_RoleInstance|string|AppRoleInstance|string|

-|cloud_RoleName|string|AppRoleName|string|

-|customDimensions|dynamic|Properties|dynamic|

-|customMeasurements|dynamic|Measurements|dynamic|

-|details|dynamic|Details|dynamic|

-|handledAt|string|HandledAt|string|

-|iKey|string|IKey|string|

-|innermostAssembly|string|InnermostAssembly|string|

-|innermostMessage|string|InnermostMessage|string|

-|innermostMethod|string|InnermostMethod|string|

-|innermostType|string|InnermostType|string|

-|itemCount|int|ItemCount|int|

-|itemId|string|\_ItemId|string|

-|itemType|string|Type|string|

-|message|string|Message|string|

-|method|string|Method|string|

-|operation_Id|string|OperationId|string|

-|operation_Name|string|OperationName|string|

-|operation_ParentId|string|OperationParentId|string|

-|operation_SyntheticSource|string|OperationSyntheticSource|string|

-|outerAssembly|string|OuterAssembly|string|

-|outerMessage|string|OuterMessage|string|

-|outerMethod|string|OuterMethod|string|

-|outerType|string|OuterType|string|

-|problemId|string|ProblemId|string|

-|sdkVersion|string|SdkVersion|string|

-|session_Id|string|SessionId|string|

-|severityLevel|int|SeverityLevel|int|

-|timestamp|datetime|TimeGenerated|datetime|

-|type|string|ExceptionType|string|

-|user_AccountId|string|UserAccountId|string|

-|user_AuthenticatedId|string|UserAuthenticatedId|string|

-|user_Id|string|UserId|string|

-### AppTraces

-Legacy table: traces

-|ApplicationInsights|Type|LogAnalytics|Type|

-|:|:|:|:|

-|appId|string|\_ResourceGUID|string|

-|application_Version|string|AppVersion|string|

-|appName|string|\_ResourceId|string|

-|client_Browser|string|ClientBrowser|string|

-|client_City|string|ClientCity|string|

-|client_CountryOrRegion|string|ClientCountryOrRegion|string|

-|client_IP|string|ClientIP|string|

-|client_Model|string|ClientModel|string|

-|client_OS|string|ClientOS|string|

-|client_StateOrProvince|string|ClientStateOrProvince|string|

-|client_Type|string|ClientType|string|

-|cloud_RoleInstance|string|AppRoleInstance|string|

-|cloud_RoleName|string|AppRoleName|string|

-|customDimensions|dynamic|Properties|dynamic|

-|customMeasurements|dynamic|Measurements|dynamic|

-|iKey|string|IKey|string|

-|itemCount|int|ItemCount|int|

-|itemId|string|\_ItemId|string|

-|itemType|string|Type|string|

-|message|string|Message|string|

-|operation_Id|string|OperationId|string|

-|operation_Name|string|OperationName|string|

-|operation_ParentId|string|OperationParentId|string|

-|operation_SyntheticSource|string|OperationSyntheticSource|string|

-|sdkVersion|string|SdkVersion|string|

-|session_Id|string|SessionId|string|

-|severityLevel|int|SeverityLevel|int|

-|timestamp|datetime|TimeGenerated|datetime|

-|user_AccountId|string|UserAccountId|string|

-|user_AuthenticatedId|string|UserAuthenticatedId|string|

-|user_Id|string|UserId|string|

-## Next steps

-* [Explore metrics](../essentials/metrics-charts.md)

-* [Write Analytics queries](../logs/log-query-overview.md)

-To write queries against the [new workspace-based table structure/schema](apm-tables.md), you must first navigate to your Log Analytics workspace.

-To ensure the queries successfully run, validate that the query's fields align with the [new schema fields](apm-tables.md#appmetrics).

-> We still provide full backwards compatibility for your Application Insights classic resource queries, workbooks, and log-based alerts within the Application Insights experience. To query/view against the [new workspace-based table structure/schema](apm-tables.md) you must first navigate to your Log Analytics workspace. Selecting **Logs (Analytics)** from within the Application Insights panes will give you access to the classic Application Insights query experience.

-You can confirm if there is an Application Insights CDN outage by attempting to access the CDN endpoint directly from the browser (for example, https://az416426.vo.msecnd.net/scripts/b/ai.2.min.js or https://js.monitor.azure.com/scripts/b/ai.2.min.js) from a different location than your end users' probably from your own development machine (assuming that your organization has not blocked this domain).

-If you confirm there is an outage, you can [create a new support ticket](https://azure.microsoft.com/support/create-ticket/) or try changing the URL used to download the SDK.

-### Change the CDN endpoint

-

-As the snippet and its configuration are returned by your application as part of each generated page, you can change the snippet `src` configuration to use a different URL for the SDK. By using this approach, you could bypass the CDN blocked issue as the new URL should not be blocked.

-Current Application Insights JavaScript SDK CDN endpoints

-> [!NOTE]

-> The `https://js.monitor.azure.com/` endpoint is an alias that allows us to switch between CDN providers within approximately 5 minutes, without the need for you to change any config. This is to enable us to fix detected CDN related issues more rapidly if a CDN provider is having regional or global issues without requiring everyone to adjust their settings.

-To *potentially* bypass this issue more rapidly, you can [change the SDK CDN endpoint](#change-the-cdn-endpoint).

-Application Insights can be used with any web pages - you just add a short piece of JavaScript. If your web service is [Java](java-in-process-agent.md) or [ASP.NET](asp-net.md), you can use the server-side SDKs with the client-side JavaScript SDK to get an end-to-end understanding of your app's performance.

-## Visualizations

-### Shared Image Gallery limits

-There are limits, per subscription, for deploying resources using Shared Image Galleries:

-> | snapshots | Yes | Yes | No |

-| Microsoft.ContainerService/managedClusters (service-direct) | Microsoft-AzureKubernetesServiceChaosMesh | Azure Kubernetes Service Cluster User Role |

-* Release notes for version `1.6.1`:

- * Added new languages: Ukrainian

-| `1.6.1-amd64-preview` | |

-> Azure Container Apps resources are in the process of migrating from the `Microsoft.Web` namespace to the `Microsoft.App` namespace. Refer to [Namespace migration from Microsoft.Web to Microsoft.App in March 2022](https://github.com/microsoft/azure-container-apps/issues/109) for more details.

-> Azure Container Apps resources are in the process of migrating from the `Microsoft.Web` namespace to the `Microsoft.App` namespace. Refer to [Namespace migration from Microsoft.Web to Microsoft.App in March 2022](https://github.com/microsoft/azure-container-apps/issues/109) for more details.

-Azure Container Apps manages automatic horizontal scaling through a set of declarative scaling rules. As a container app scales out, new instances of the container app are created on-demand. These instances are known as replicas.

-Scaling rules are defined in `resources.properties.template.scale` section of the [configuration](overview.md). There are two scale properties that apply to all rules in your container app.

-Container Apps supports a large number of scale triggers. For more information about supported scale triggers, see [KEDA Scalers](https://keda.sh/docs/scalers/).

-The KEDA documentation shows code examples in YAML, while the Container Apps ARM template is in JSON. As you transform examples from KEDA for your needs, make sure to switch property names from [kebab](https://en.wikipedia.org/wiki/Naming_convention_(programming)#Delimiter-separated_words) case to [camel](https://en.wikipedia.org/wiki/Naming_convention_(programming)#Letter_case-separated_words) casing.

-| `concurrentRequests`| Once the number of requests exceeds this value, then more replicas are added, up to the `maxReplicas` amount. | 50 | 1 | n/a |

-In this example, the container app scales out up to five replicas and can scale down to zero instances. The scaling threshold is set to 100 concurrent requests per second.

-In this example, the container app scales according to the following behavior:

-The SQL API in Azure Cosmos DB supports registering and invoking stored procedures, triggers, and user-defined functions (UDFs) written in JavaScript. You can use the SQL API [.NET](sql-api-sdk-dotnet.md), [.NET Core](sql-api-sdk-dotnet-core.md), [Java](sql-api-sdk-java.md), [JavaScript](sql-api-sdk-node.md), [Node.js](sql-api-sdk-node.md), or [Python](sql-api-sdk-python.md) SDKs to register and invoke the stored procedures. Once you have defined one or more stored procedures, triggers, and user-defined functions, you can load and view them in the [Azure portal](https://portal.azure.com/) by using Data Explorer.

-## <a id="stored-procedures"></a>How to run stored procedures

-### Stored procedures - .NET SDK V2

-The following example shows how to register a stored procedure by using the .NET SDK V2:

-The following code shows how to call a stored procedure by using the .NET SDK V2:

-### Stored procedures - .NET SDK V3

-The following example shows how to register a stored procedure by using the .NET SDK V3:

-The following code shows how to call a stored procedure by using the .NET SDK V3:

-### Stored procedures - Java SDK

-### Stored procedures - JavaScript SDK

-### Stored procedures - Python SDK

-## <a id="pre-triggers"></a>How to run pre-triggers

-When executing, pre-triggers are passed in the RequestOptions object by specifying `PreTriggerInclude` and then passing the name of the trigger in a List object.

-### Pre-triggers - .NET SDK V2

-The following code shows how to register a pre-trigger using the .NET SDK V2:

-The following code shows how to call a pre-trigger using the .NET SDK V2:

-### Pre-triggers - .NET SDK V3

-The following code shows how to register a pre-trigger using the .NET SDK V3:

-The following code shows how to call a pre-trigger using the .NET SDK V3:

-### Pre-triggers - Java SDK

-### Pre-triggers - JavaScript SDK

-### Pre-triggers - Python SDK

-## <a id="post-triggers"></a>How to run post-triggers

-### Post-triggers - .NET SDK V2

-The following code shows how to register a post-trigger using the .NET SDK V2:

-The following code shows how to call a post-trigger using the .NET SDK V2:

-### Post-triggers - .NET SDK V3

-The following code shows how to register a post-trigger using the .NET SDK V3:

-The following code shows how to call a post-trigger using the .NET SDK V3:

-### Post-triggers - Java SDK

-### Post-triggers - JavaScript SDK

-### Post-triggers - Python SDK

-## <a id="udfs"></a>How to work with user-defined functions

-### User-defined functions - .NET SDK V2

-The following code shows how to register a user-defined function using the .NET SDK V2:

-The following code shows how to call a user-defined function using the .NET SDK V2:

-### User-defined functions - .NET SDK V3

-The following code shows how to register a user-defined function using the .NET SDK V3:

-The following code shows how to call a user-defined function using the .NET SDK V3:

-### User-defined functions - Java SDK

-### User-defined functions - JavaScript SDK

-### User-defined functions - Python SDK

-* [How to register and use stored procedures in Azure Cosmos DB](how-to-use-stored-procedures-triggers-udfs.md#stored-procedures)

-* How to register and use [pre-triggers](how-to-use-stored-procedures-triggers-udfs.md#pre-triggers) and [post-triggers](how-to-use-stored-procedures-triggers-udfs.md#post-triggers) in Azure Cosmos DB

-* [How to register and use user-defined functions in Azure Cosmos DB](how-to-use-stored-procedures-triggers-udfs.md#udfs)

-Once written, the stored procedure must be registered with a collection. To learn more, see [How to use stored procedures in Azure Cosmos DB](how-to-use-stored-procedures-triggers-udfs.md#stored-procedures) article.

-Azure Cosmos DB supports pre-triggers and post-triggers. Pre-triggers are executed before modifying a database item and post-triggers are executed after modifying a database item. Triggers are not automatically executed, they must be specified for each database operation where you want them to execute. After you define a trigger, you should [register and call a pre-trigger](how-to-use-stored-procedures-triggers-udfs.md#pre-triggers) by using the Azure Cosmos DB SDKs.

-For examples of how to register and call a pre-trigger, see [pre-triggers](how-to-use-stored-procedures-triggers-udfs.md#pre-triggers) and [post-triggers](how-to-use-stored-procedures-triggers-udfs.md#post-triggers) articles.

-For examples of how to register and call a pre-trigger, see [pre-triggers](how-to-use-stored-procedures-triggers-udfs.md#pre-triggers) and [post-triggers](how-to-use-stored-procedures-triggers-udfs.md#post-triggers) articles.

-For examples of how to register and use a user-defined function, see [How to use user-defined functions in Azure Cosmos DB](how-to-use-stored-procedures-triggers-udfs.md#udfs) article.

-> Registered triggers don't run automatically when their corresponding operations (create / delete / replace / update) happen. They have to be explicitly called when executing these operations. To learn more, see [how to run triggers](how-to-use-stored-procedures-triggers-udfs.md#pre-triggers) article.

-Currently, the only SDK that returns the RU charge for table operations is the [.NET Standard SDK](https://www.nuget.org/packages/Microsoft.Azure.Cosmos.Table). The `TableResult` object exposes a `RequestCharge` property that is populated by the SDK when you use it against the Azure Cosmos DB Table API:

-* [Optimize query cost in Azure Cosmos DB](../optimize-cost-reads-writes.md)

-description: This article helps you understand the steps to transfer a Microsoft Customer Agreement or MOSP subscription to an Enterprise Agreement.

-This article helps you understand the steps needed to transfer a Microsoft Customer Agreement or MOSP (pay-as-you-go) subscription to an EA. The transfer has no downtime, however there are many steps to follow to enable the transfer.

-You can have multiple enterprise administrators in an enterprise enrollment. You can grant read-only access to enterprise administrators. They all inherit the department administrator role.

-# External call transformation in mapping data flow

-The external call transformation enables data engineers to call out to external REST end points row-by-row in order to add custom or 3rd party results into your data flow streams.

-In the external call transformation configuration panel, you will first pick the type of external endpoint you wish to connect to, then map incoming columns, and finally define an output data structure which will be consumed by downstream transformations.

-Here is where you will define the data structure for the output of the external call, which will be consumed by downstream data transformations. You can define the data structure manually using ADF data flow syntax to define the column names and data types or click on "import projection" and allow ADF to detect the schema output from the external call. Here is an example schema definition structure as output from a weather REST API GET call:

-4. Provide a **Storage account** where the share lives. A container is created in the storage account with the share name if the container already does not exist. If the container already exists, then the existing container is used.

-6. This step depends on whether you are creating an SMB or an NFS share.

-7. To easily access the shares from Edge compute modules, use the local mount point. Select **Use the share with Edge compute** so that the share is automatically mounted after it is created. When this option is selected, the Edge module can also use the compute with the local mount point.

-8. Click **Create** to create the share. You are notified that the share creation is in progress. After the share is created with the specified settings, the **Shares** blade updates to reflect the new share.

- > Make sure that the Azure Storage account that you use does not have immutability policies set on it if you are using it with a Azure Stack Edge Pro or Data Box Gateway device. For more information, see [Set and manage immutability policies for blob storage](../storage/blobs/immutable-policy-configure-version-scope.md).

-If you created a share before you configured compute on your Azure Stack Edge Pro device, you will need to mount the share. Take the following steps to mount a share.

-1. In the Azure portal, go to your Azure Stack Edge resource and then go to **Cloud storage gateway > Shares**. From the list of the shares, select the share that you want to unmount. You want to make sure that the share you unmount is not used by any modules. If the share is used by a module, then you will see issues with the corresponding module.

-Do the following steps in the Azure portal to delete a share.

- 

-2. Click **Delete**.

- 

-3. When prompted for confirmation, click **Yes**.

-> - Permissions and access control lists (ACLs) are not preserved across a refresh operation.

-2. Click **Refresh**.

- 

-3. When prompted for confirmation, click **Yes**. A job starts to refresh the contents of the on-premises share.

-4. While the refresh is in progress, the refresh option is grayed out in the context menu. Click the job notification to view the refresh job status.

-5. The time to refresh depends on the number of files in the Azure container as well as the files on the device. Once the refresh has successfully completed, the share timestamp is updated. Even if the refresh has partial failures, the operation is considered successful and the timestamp is updated. The refresh error logs are also updated.

-If there is a failure, an alert is raised. The alert details the cause and the recommendation to fix the issue. The alert also links to a file that has the complete summary of the failures including the files that failed to update or delete.

-5. From the Azure portal, browse to the container which you created. Upload the file which you want to be pinned into the newcontainer which has the metadata set to pinned.

-1. Go to **Overview** in your resource. From the list of shares, choose and click a share associated with the storage account that you need to sync.

-2. Click **Sync storage key**. Click **Yes** when prompted for confirmation.

-|Corporate | [HPE ProLiant DL360](appliance-catalog/hpe-proliant-dl360.md) | **Max bandwidth**: 3Gbp/s <br>**Max devices**: 12,000 | **Mounting**: 1U <br>**Ports**: 15x RJ45 or 8x SFP (OPT) |

-|Enterprise | [HPE ProLiant DL20/DL20 Plus](appliance-catalog/hpe-proliant-dl20-plus-enterprise.md) <br> (4SFF) | **Max bandwidth**: 1 Gbp/s<br>**Max devices**: 10,000 | **Mounting**: 1U <br>**Ports**: 8x RJ45 or 6x SFP (OPT) |

-|SMB | [HPE ProLiant DL20/DL20 Plus](appliance-catalog/hpe-proliant-dl20-plus-smb.md) <br> (NHP 2LFF) | **Max bandwidth**: 200Mbp/s<br>**Max devices**: 1,000 | **Mounting**: 1U<br>**Ports**: 4x RJ45 |

-|SMB | [Dell Edge 5200](appliance-catalog/dell-edge-5200.md) <br> (Rugged MIL-STD-810G) | **Max bandwidth**: 60Mbp/s<br>**Max devices**: 1,000 | **Mounting**: Wall Mount<br>**Ports**: 3x RJ45 |

-|Office | [YS-Techsystems YS-FIT2](appliance-catalog/ys-techsystems-ys-fit2.md) <br>(Rugged MIL-STD-810G) | **Max bandwidth**: 10Mbp/s <br>**Max devices**: 100 | **Mounting**: DIN/VESA<br>**Ports**: 2x RJ45 |

-|**Rugged** | **Max bandwidth**: 10 Mb/sec <br>**Max monitored assets**: 100 | **vCPU**: 4 <br>**Memory**: 8 GB <br>**Storage**: 60 GB (150 IOPS) |

-description: Configure Azure Policy to audit compliance of Azure Event Hubs for using a minimum version of Transport Layer Security (TLS).

-# Use Azure Policy to audit for compliance of minimum TLS version for an Azure Event Hubs namespace (Preview)

-If you have a large number of Microsoft Azure Event Hubs namespaces, you may want to perform an audit to make sure that all namespaces are configured for the minimum version of TLS that your organization requires. To audit a set of Event Hubs namespaces for their compliance, use Azure Policy. Azure Policy is a service that you can use to create, assign, and manage policies that apply rules to Azure resources. Azure Policy helps you to keep those resources compliant with your corporate standards and service level agreements. For more information, see [Overview of Azure Policy](../governance/policy/overview.md).

-## Create a policy with an audit effect

-Azure Policy supports effects that determine what happens when a policy rule is evaluated against a resource. The audit effect creates a warning when a resource is not in compliance, but does not stop the request. For more information about effects, see [Understand Azure Policy effects](../governance/policy/concepts/effects.md).

-To create a policy with an audit effect for the minimum TLS version with the Azure portal, follow these steps:

-1. In the Azure portal, navigate to the Azure Policy service.

-2. Under the **Authoring** section, select **Definitions**.

-3. Select **Add policy definition** to create a new policy definition.

-4. For the **Definition location** field, select the **More** button to specify where the audit policy resource is located.

-5. Specify a name for the policy. You can optionally specify a description and category.

-6. Under **Policy rule** , add the following policy definition to the **policyRule** section.

- ```json

- {

- "policyRule": {

- "if": {

- "allOf": [

- {

- "field": "type",

- "equals": "Microsoft.EventHub/namespaces"

- },

- {

- "not": {

- "field": " Microsoft.EventHub/namespaces/minimumTlsVersion",

- "equals": "1.2"

- }

- }

- ]

- },

- "then": {

- "effect": "audit"

- }

- }

- }

- ```

-7. Save the policy.

-### Assign the policy

-Next, assign the policy to a resource. The scope of the policy corresponds to that resource and any resources beneath it. For more information on policy assignment, see [Azure Policy assignment structure](../governance/policy/concepts/assignment-structure.md).

-To assign the policy with the Azure portal, follow these steps:

-1. In the Azure portal, navigate to the Azure Policy service.

-2. Under the **Authoring** section, select **Assignments**.

-3. Select **Assign policy** to create a new policy assignment.

-4. For the **Scope** field, select the scope of the policy assignment.

-5. For the **Policy definition** field, select the **More** button, then select the policy you defined in the previous section from the list.

-6. Provide a name for the policy assignment. The description is optional.

-7. Leave **Policy enforcement** set to _Enabled_. This setting has no effect on the audit policy.

-8. Select **Review + create** to create the assignment.

-### View compliance report

-After you have assigned the policy, you can view the compliance report. The compliance report for an audit policy provides information on which Event Hubs namespaces are not in compliance with the policy. For more information, see [Get policy compliance data](../governance/policy/how-to/get-compliance-data.md).

-It may take several minutes for the compliance report to become available after the policy assignment is created.

-To view the compliance report in the Azure portal, follow these steps:

-1. In the Azure portal, navigate to the Azure Policy service.

-2. Select **Compliance**.

-3. Filter the results for the name of the policy assignment that you created in the previous step. The report shows how many resources are not in compliance with the policy.

-4. You can drill down into the report for additional details, including a list of Event Hubs namespaces that are not in compliance.

-## Use Azure Policy to enforce the minimum TLS version

-Azure Policy supports cloud governance by ensuring that Azure resources adhere to requirements and standards. To enforce a minimum TLS version requirement for the Event Hubs namespaces in your organization, you can create a policy that prevents the creation of a new Event Hubs namespace that sets the minimum TLS requirement to an older version of TLS than that which is dictated by the policy. This policy will also prevent all configuration changes to an existing namespace if the minimum TLS version setting for that namespace is not compliant with the policy.

-The enforcement policy uses the deny effect to prevent a request that would create or modify an Event Hubs namespace so that the minimum TLS version no longer adheres to your organization's standards. For more information about effects, see [Understand Azure Policy effects](../governance/policy/concepts/effects.md).

-To create a policy with a deny effect for a minimum TLS version that is less than TLS 1.2, provide the following JSON in the **policyRule** section of the policy definition:

-```json

-{

- "policyRule": {

- "if": {

- "allOf": [

- {

- "field": "type",

- "equals": " Microsoft.EventHub/namespaces"

- },

- {

- "not": {

- "field": " Microsoft.EventHub/namespaces/minimumTlsVersion",

- "equals": "1.2"

- }

- }

- ]

- },

- "then": {

- "effect": "deny"

- }

- }

-}

-```

-After you create the policy with the deny effect and assign it to a scope, a user cannot create an Event Hubs namespace with a minimum TLS version that is older than 1.2. Nor can a user make any configuration changes to an existing Event Hubs namespace that currently requires a minimum TLS version that is older than 1.2. Attempting to do so results in an error. The required minimum TLS version for the Event Hubs namespace must be set to 1.2 to proceed with namespace creation or configuration.

-An error will be shown if you try to create an Event Hubs namespace with the minimum TLS version set to TLS 1.0 when a policy with a deny effect requires that the minimum TLS version be set to TLS 1.2.

-## Next steps

-See the following documentation for more information.

-description: Configure a client application to communicate with Azure Event Hubs using a minimum version of Transport Layer Security (TLS).

-# Configure Transport Layer Security (TLS) for an Event Hubs client application (Preview)

-For security purposes, an Azure Event Hubs namespace may require that clients use a minimum version of Transport Layer Security (TLS) to send requests. Calls to Azure Event Hubs will fail if the client is using a version of TLS that is lower than the minimum required version. For example, if a namespace requires TLS 1.2, then a request sent by a client who is using TLS 1.1 will fail.

-This article describes how to configure a client application to use a particular version of TLS. For information about how to configure a minimum required version of TLS for an Azure Event Hubs namespace, see [Enforce a minimum required version of Transport Layer Security (TLS) for requests to an Event Hubs namespace](transport-layer-security-configure-minimum-version.md).

-## Configure the client TLS version

-In order for a client to send a request with a particular version of TLS, the operating system must support that version.

-The following example shows how to set the client's TLS version to 1.2 from .NET. The .NET Framework used by the client must support TLS 1.2. For more information, see [Support for TLS 1.2](/dotnet/framework/network-programming/tls#support-for-tls-12).

-# [.NET](#tab/dotnet)

-The following sample shows how to enable TLS 1.2 in a .NET client using the Azure.Messaging.ServiceBus client library of Event Hubs:

-```csharp

-{

- // Enable TLS 1.2 before connecting to Event Hubs

- System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12;

- // Connection string to your Event Hubs namespace

- string connectionString = "<NAMESPACE CONNECTION STRING>";

-

- // Name of your Event Hub

- string eventHubName = "<EVENT HUB NAME>";

-

- // The sender used to publish messages to the queue

- var producer = new EventHubProducerClient(connectionString, eventHubName);

-

- // Use the producer client to send a message to the Event Hubs queue

- using EventDataBatch eventBatch = await producer.CreateBatchAsync();

- var eventData = new EventData("This is an event body");

- if (!eventBatch.TryAdd(eventData))

- {

- throw new Exception($"The event could not be added.");

- }

-}

-```

-## Verify the TLS version used by a client

-To verify that the specified version of TLS was used by the client to send a request, you can use [Fiddler](https://www.telerik.com/fiddler) or a similar tool. Open Fiddler to start capturing client network traffic, then execute one of the examples in the previous section. Look at the Fiddler trace to confirm that the correct version of TLS was used to send the request.

-## Next steps

-See the following documentation for more information.

-description: Configure an Azure Event Hubs namespace to use a minimum version of Transport Layer Security (TLS).

-# Configure the minimum TLS version for an Event Hubs namespace using ARM (Preview)

-To configure the minimum TLS version for an Event Hubs namespace, set the `MinimumTlsVersion` version property. When you create an Event Hubs namespace with an Azure Resource Manager template, the `MinimumTlsVersion` property is set to 1.2 by default, unless explicitly set to another version.

-> [!NOTE]

-> Namespaces created using an api-version prior to 2022-01-01-preview will have 1.0 as the value for `MinimumTlsVersion`. This behavior was the prior default, and is still there for backwards compatibility.

-## Create a template to configure the minimum TLS version

-To configure the minimum TLS version for an Event Hubs namespace with a template, create a template with the `MinimumTlsVersion` property set to 1.0, 1.1, or 1.2. The following steps describe how to create a template in the Azure portal.

-1. In the Azure portal, choose **Create a resource**.

-2. In **Search the Marketplace** , type **custom deployment** , and then press **ENTER**.

-3. Choose **Custom deployment (deploy using custom templates) (preview)**, choose **Create** , and then choose **Build your own template in the editor**.

-4. In the template editor, paste in the following JSON to create a new namespace and set the minimum TLS version to TLS 1.2. Remember to replace the placeholders in angle brackets with your own values.

- ```json

- {

- "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",

- "contentVersion": "1.0.0.0",

- "parameters": {},

- "variables": {

- "eventHubNamespaceName": "[concat(uniqueString(subscription().subscriptionId), 'tls')]"

- },

- "resources": [

- {

- "name": "[variables('eventHubNamespaceName')]",

- "type": "Microsoft.EventHub/namespaces",

- "apiVersion": "2022-01-01-preview",

- "location": "westeurope",

- "properties": {

- "minimumTlsVersion": "1.2"

- },

- "dependsOn": [],

- "tags": {}

- }

- ]

- }

- ```

-5. Save the template.

-6. Specify resource group parameter, then choose the **Review + create** button to deploy the template and create a namespace with the `MinimumTlsVersion` property configured.

-> [!NOTE]

-> After you update the minimum TLS version for the Event Hubs namespace, it may take up to 30 seconds before the change is fully propagated.

-Configuring the minimum TLS version requires api-version 2022-01-01-preview or later of the Azure Event Hubs resource provider.

-## Check the minimum required TLS version for multiple namespaces

-To check the minimum required TLS version across a set of Event Hubs namespaces with optimal performance, you can use the Azure Resource Graph Explorer in the Azure portal. To learn more about using the Resource Graph Explorer, see [Quickstart: Run your first Resource Graph query using Azure Resource Graph Explorer](../governance/resource-graph/first-query-portal.md).

-Running the following query in the Resource Graph Explorer returns a list of Event Hubs namespaces and displays the minimum TLS version for each namespace:

-```kusto

-resources

-| where type =~ 'Microsoft.EventHub/namespaces'

-| extend minimumTlsVersion = parse\_json(properties).minimumTlsVersion

-| project subscriptionId, resourceGroup, name, minimumTlsVersion

-```

-## Test the minimum TLS version from a client

-To test that the minimum required TLS version for an Event Hubs namespace forbids calls made with an older version, you can configure a client to use an older version of TLS. For more information about configuring a client to use a specific version of TLS, see [Configure Transport Layer Security (TLS) for a client application](transport-layer-security-configure-client-version.md).

-When a client accesses an Event Hubs namespace using a TLS version that does not meet the minimum TLS version configured for the namespace, Azure Event Hubs returns error code 401 (Unauthorized) and a message indicating that the TLS version that was used is not permitted for making requests against this Event Hubs namespace.

-> [!NOTE]

-> Due to limitations in the confluent library, errors coming from an invalid TLS version will not surface when connecting through the Kafka protocol. Instead a general exception will be shown.

-> [!NOTE]

-> When you configure a minimum TLS version for an Event Hubs namespace, that minimum version is enforced at the application layer. Tools that attempt to determine TLS support at the protocol layer may return TLS versions in addition to the minimum required version when run directly against the Event Hubs namespace endpoint.

-## Next steps

-See the following documentation for more information.

-description: Configure a service bus namespace to require a minimum version of Transport Layer Security (TLS) for clients making requests against Azure Event Hubs.

-# Enforce a minimum required version of Transport Layer Security (TLS) for requests to an Event Hubs namespace (Preview)

-Communication between a client application and an Azure Event Hubs namespace is encrypted using Transport Layer Security (TLS). TLS is a standard cryptographic protocol that ensures privacy and data integrity between clients and services over the Internet. For more information about TLS, see [Transport Layer Security](https://datatracker.ietf.org/wg/tls/about/).

-Azure Event Hubs supports choosing a specific TLS version for namespaces. Currently Azure Event Hubs uses TLS 1.2 on public endpoints by default, but TLS 1.0 and TLS 1.1 are still supported for backward compatibility.

-Azure Event Hubs namespaces permit clients to send and receive data with TLS 1.0 and above. To enforce stricter security measures, you can configure your Event Hubs namespace to require that clients send and receive data with a newer version of TLS. If an Event Hubs namespace requires a minimum version of TLS, then any requests made with an older version will fail.

-> [!IMPORTANT]

-> If you are using a service that connects to Azure Event Hubs, make sure that that service is using the appropriate version of TLS to send requests to Azure Event Hubs before you set the required minimum version for an Event Hubs namespace.

-## Permissions necessary to require a minimum version of TLS

-To set the `MinimumTlsVersion` property for the Event Hubs namespace, a user must have permissions to create and manage Event Hubs namespaces. Azure role-based access control (Azure RBAC) roles that provide these permissions include the **Microsoft.EventHub/namespaces/write** or **Microsoft.EventHub/namespaces/\*** action. Built-in roles with this action include:

-Role assignments must be scoped to the level of the Event Hubs namespace or higher to permit a user to require a minimum version of TLS for the Event Hubs namespace. For more information about role scope, see [Understand scope for Azure RBAC](../role-based-access-control/scope-overview.md).

-Be careful to restrict assignment of these roles only to those who require the ability to create an Event Hubs namespace or update its properties. Use the principle of least privilege to ensure that users have the fewest permissions that they need to accomplish their tasks. For more information about managing access with Azure RBAC, see [Best practices for Azure RBAC](../role-based-access-control/best-practices.md).

-> [!NOTE]

-> The classic subscription administrator roles Service Administrator and Co-Administrator include the equivalent of the Azure Resource Manager [**Owner**](../role-based-access-control/built-in-roles.md#owner) role. The **Owner** role includes all actions, so a user with one of these administrative roles can also create and manage Event Hubs namespaces. For more information, see [**Classic subscription administrator roles, Azure roles, and Azure AD administrator roles**](../role-based-access-control/rbac-and-directory-admin-roles.md#classic-subscription-administrator-roles).

-## Network considerations

-When a client sends a request to Event Hubs namespace, the client establishes a connection with the public endpoint of the Event Hubs namespace first, before processing any requests. The minimum TLS version setting is checked after the connection is established. If the request uses an earlier version of TLS than that specified by the setting, the connection will continue to succeed, but the request will eventually fail.

-> [!NOTE]

-> Due to limitations in the confluent library, errors coming from an invalid TLS version will not surface when connecting through the Kafka protocol. Instead a general exception will be shown.

-## Next steps

-See the following documentation for more information.

-> [!IMPORTANT]

-> Azure Front Door Standard/Premium (Preview) is currently in public preview.

-> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

-> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

- For example, use the utility ``prime.py`` with arguments ```prime.py --directory /path/to/some/directory``` (available by downloading <https://github.com/Azure/Avere/blob/master/src/clientapps/dataingestor/prime.py>).

-If your workflow includes moving data to Azure Blob storage, make sure you are using an efficient strategy. You can either pre-load data in a new blob container before defining it as a storage target, or add the container and then copy your data using Azure HPC Cache.

-> This article does not apply to NFS-mounted blob storage (ADLS-NFS storage targets). You can use any NFS-based method to populate an ADLS-NFS blob container before adding it to the HPC Cache. Read [Pre-load data with NFS protocol](nfs-blob-considerations.md#pre-load-data-with-nfs-protocol) to learn more.

-A Python-based utility is available to load content into a blob storage container. Read [Pre-load data in blob storage](#pre-load-data-in-blob-storage-with-clfsload) to learn more.

-If you don't want to use the loading utility, or if you want to add content to an existing storage target, follow the parallel data ingest tips in [Copy data through the Azure HPC Cache](#copy-data-through-the-azure-hpc-cache).

-## Pre-load data in blob storage with CLFSLoad

-You can use the Avere CLFSLoad utility to copy data to a new blob storage container before you add it as a storage target. This utility runs on a single Linux system and writes data in the proprietary format needed for Azure HPC Cache. CLFSLoad is the most efficient way to populate a blob storage container for use with the cache.

-The Avere CLFSLoad utility is available by request from your Azure HPC Cache team. Ask your team contact for it, or open a [support ticket](hpc-cache-support-ticket.md) to request assistance.

-This option works with new, empty containers only. Create the container before using Avere CLFSLoad.

-Detailed information is included in the Avere CLFSLoad distribution, which is available on request from the Azure HPC Cache team.

-A general overview of the process:

-1. Prepare a Linux system (VM or physical) with Python version 3.6 or later. Python 3.7 is recommended for better performance.

-1. Install the Avere-CLFSLoad software on the Linux system.

-1. Execute the transfer from the Linux command line.

-The Avere CLFSLoad utility needs the following information:

-* The storage account ID that contains your blob storage container

-* The name of the empty blob storage container

-* A shared access signature (SAS) token that allows the utility to write to the container

-* A local path to the data source - either a local directory that contains the data to copy, or a local path to a mounted remote system with the data

-If you don't want to use the Avere CLFSLoad utility, or if you want to add a large amount of data to an existing blob storage target, you can copy it through the cache. Azure HPC Cache is designed to serve multiple clients simultaneously, so to copy data through the cache, you should use parallel writes from multiple clients.

-### Strategic planning

-The data to be analyzed has been copied to an Azure Blob storage container named "sourcecollection" by using the [CLFSLoad utility](hpc-cache-ingest.md#pre-load-data-in-blob-storage-with-clfsload).

- Keep these tips in mind:

- * If you use [AzCopy](../storage/common/storage-use-azcopy-v10.md), you must use AzCopy V10 or later; earlier versions are unsupported for some types of HPC Cache storage.

- * If you move an NFS-enabled blob container (ADLS-NFS storage target), be aware of the risk of mixing blob-style writes with NFS writes. Read more about this in [Use NFS-mounted blob storage with Azure HPC Cache](nfs-blob-considerations.md#pre-load-data-with-nfs-protocol).

-> For Azure Key Vault, ensure that the application accessing the Keyvault service should be running on a platform that supports TLS 1.2 or recent version. If the application is dependent on .Net framework, it should be updated as well. You can also make the registry changes mentioned in [this article](/troubleshoot/azure/active-directory/enable-support-tls-environment) to explicitly enable the use of TLS 1.2 at OS level and for .Net framework. To meet with compliance obligations and to improve security posture, Key Vault will disallow connections via TLS 1.0 & 1.1 starting on 31st May 2022.

-> Turning on a student VM will not affect the quota for the student. Make sure to stop all VMs manually or using a [schedule](how-to-create-schedules.md) to avoid unexpected costs.

-description: Using the CLI, create and manage logic app workflows in multi-tenant Azure Logic Apps.

-# Quickstart: Create and manage workflows using Azure CLI in multi-tenant Azure Logic Apps

-This quickstart shows you how to create and manage logic apps by using the [Azure CLI Logic Apps extension](/cli/azure/logic) (`az logic`). From the command line, you can create a logic app by using the JSON file for a logic app workflow definition. You can then manage your logic app by running operations such as `list`, `show` (`get`), `update`, and `delete` from the command line.

-If you're new to Logic Apps, you can also learn how to create your first logic apps [through the Azure portal](quickstart-create-first-logic-app-workflow.md), [in Visual Studio](quickstart-create-logic-apps-with-visual-studio.md), and [in Visual Studio Code](quickstart-create-logic-apps-visual-studio-code.md).

-* The [Logic Apps Azure CLI extension](/cli/azure/azure-cli-extensions-list) installed on your computer. To install this extension, use this command: `az extension add --name logic`

-### Prerequisite check

-Validate your environment before you begin:

- * If you don't have the latest version, update your installation by following the [installation guide for your operating system or platform](/cli/azure/install-azure-cli).

-### Example - create resource group

-You can create a logic app workflow from the Azure CLI using the command [`az logic workflow create`](/cli/azure/logic/workflow#az-logic-workflow-create) with a JSON file for the definition.

-### Example - create logic app

-You can also update a logic app's workflow from the Azure CLI using the command [`az logic workflow create`](/cli/azure/logic/workflow#az-logic-workflow-create).

-### Example - update logic app

-You can delete a logic app's workflow from the Azure CLI using the command [`az logic workflow delete`](/cli/azure/logic/workflow#az-logic-workflow-delete).

-You can confirm a logic app's deletion by [listing your logic apps in the CLI](#list-logic-apps-in-cli), or by viewing your logic apps in the Azure portal.

-### Example - delete logic app

-### Considerations - delete logic app

-* The Logic Apps service makes a best effort to cancel any in-progress and pending runs.

-* The Logic Apps service doesn't create or run new workflow instances.

-You can get a specific logic app workflow using the command [`az logic workflow show`](/cli/azure/logic/workflow#az-logic-workflow-show).

-### Example - get logic app

-You can list your logic apps by subscription using the command [`az logic workflow list`](/cli/azure/logic/workflow#az-logic-workflow-list). This command returns the JSON code for your logic apps' workflows.

-### Example - list logic apps

-The following error indicates that the Azure Logic Apps CLI extension isn't installed. Follow the steps in the prerequisites to [install the Logic Apps extension](#prerequisites) on your computer.

-You can find additional Logic Apps CLI script samples in [Microsoft's code samples browser](/samples/browse/?products=azure-logic-apps).

-description: Using PowerShell, create and manage logic app workflows in multi-tenant Azure Logic Apps.

-# Quickstart: Create and manage workflows using Azure PowerShell in multi-tenant Azure Logic Apps

-This quickstart shows you how to create and manage logic apps by using [Azure PowerShell](/powershell/azure/install-az-ps). From PowerShell, you can create a logic app by using the JSON file for a logic app workflow definition. You can then manage your logic app by running the cmdlets in the [Az.LogicApp](/powershell/module/az.logicapp/) PowerShell module.

-If you're new to Azure Logic Apps, you can also learn how to create your first logic apps [through the Azure portal](quickstart-create-first-logic-app-workflow.md), [in Visual Studio](quickstart-create-logic-apps-with-visual-studio.md), and [in Visual Studio Code](quickstart-create-logic-apps-visual-studio-code.md).

-### Prerequisite check

-Validate your environment before you begin:

- * If you don't have the latest version, update your installation by following [Update the Azure PowerShell module](/powershell/azure/install-az-ps#update-the-azure-powershell-module).

-### Example - create resource group

-You can create a logic app workflow from Azure PowerShell using the cmdlet [`New-AzLogicApp`](/powershell/module/az.logicapp/new-azlogicapp) with a JSON file for the definition.

-### Example - create logic app

-You can also update a logic app's workflow from Azure PowerShell using the cmdlet [`Set-AzLogicApp`](/powershell/module/az.logicapp/set-azlogicapp).

-### Example - update logic app

-You can delete a logic app's workflow from Azure PowerShell using the cmdlet [`Remove-AzLogicApp`](/powershell/module/az.logicapp/remove-azlogicapp).

-### Example - delete logic app

-### Considerations - delete logic app

-* The Logic Apps service makes a best effort to cancel any in-progress and pending runs.

-* The Logic Apps service doesn't create or run new workflow instances.

-You can get a specific logic app workflow using the command [`Get-AzLogicApp`](/powershell/module/az.logicapp/get-azlogicapp).

-### Example - get logic app

- - Brazil South

- - Canada Central

- - France Central

-# How to configure data sources for Azure Managed Grafana Preview with Managed Identity

-## Default data sources in an Azure Managed Grafana workspace

-## Manually assign permissions for Managed Grafana to access data in Azure

-Azure Managed Grafana automatically configures the **Monitoring Reader** role for accessing all the Azure Monitor data and Log Analytics resources in your subscription. To change this:

-1. Go to the Log Analytics resource that contains the monitoring data you want to visualize.

-1. Select **Access Control (IAM)**.

-1. Search for your Managed Grafana workspace and change the permission.

-description: Learn how to manually configure access permissions with roles for your Azure Managed Grafana Preview workspace

-# How to configure permissions for Azure Managed Grafana Preview

-## Assign permissions for an Azure Managed Grafana workspace to access data in Azure

-To edit permissions for a specific resource, follow these steps:

-> [Configure data source plugins for Azure Managed Grafana with Managed Identity](./how-to-data-source-plugins-managed-identity.md)

-Grafana user roles and assignments are fully integrated with the Azure Active Directory. You can manage these permissions from the Azure portal or the command line. This section explains how to assign users to the Viewer or Editor role in the Azure portal.

-> [Configure permissions for Managed Grafana](./how-to-data-source-plugins-managed-identity.md)

-> [Configure data source plugins for Azure Managed Grafana with Managed Identity](./how-to-data-source-plugins-managed-identity.md)

-> [How to call Grafana APIs in your automation with Azure Managed Grafana Preview](./how-to-api-calls.md)

-> [Configure permissions for Azure Managed Grafana Preview](./how-to-data-source-plugins-managed-identity.md)

-> [Configure data source plugins for Azure Managed Grafana Preview with Managed Identity](./how-to-data-source-plugins-managed-identity.md)

-The Azure Migrate VMware migration automation scripts are available for download at [Azure PowerShell Samples](https://github.com/Azure/azure-docs-powershell-samples/tree/master/azure-migrate/migrate-at-scale-vmware-agentles) repo on GitHub. The scripts can be used to migrate VMware VMs to Azure using the agentless migration method. The Azure Migrate PowerShell commands used in these scripts are documented [here](./tutorial-migrate-vmware-powershell.md).

-Azure Migrate PowerShell module is available in preview. You'll need to install the PowerShell module using the following command.

-Once you have all the pre-requisites completed, you need to create a CSV file that has data for each source VM that you want to migrate. All the scripts are designed to work on the same CSV file. A sample CSV template is available in the scripts folder for your reference.

-SOURCE_MACHINE_NAME | Provide the friendly name (display name) for the discovered VM in the Azure Migrate project.

-AZMIGRATEASSESSMENT_NAME | Provide the name of assessment that needs to be leveraged for migration.

-TARGET_RESOURCE_GROUP_NAME | Provide the name of the Azure resource group to that the VM needs to be migrated to.

-TARGET_SUBNET_NAME | Provide the name of the subnet in the target virtual network that the migrated VM should use. If left blank, then ΓÇ£defaultΓÇ¥ subnet will be used.

-TARGET_MACHINE_NAME | Provide the name that the migrated VM should use in Azure. If left blank, then the source machine name will be used.

-TARGET_MACHINE_SIZE | Provide the SKU that the VM should use in Azure. To migrate a VM to D2_v2 VM in Azure, specify the value in this field as "Standard_D2_v2". If you use an assessment, then this value will be derived based on assessment recommendation.

-LICENSE_TYPE | Specify if you want to use Azure Hybrid Benefit for Windows Server VMs. Use value "WindowsServer" to take advantage of Azure Hybrid Benefit. Otherwise leave blank or use "NoLicenseType".

-TARGET_DISKTYPE | Provide the disk type to be used for all disks of the VM in Azure. Use 'Premium_LRS' for premium-managed disks, 'StandardSSD_LRS' for standard SSD disks and 'Standard_LRS' to use standard HDD disks. If you choose to use an assessment, then the script will prioritize using recommended disk types for each disk of the VM. If you don't use assessment or specify any value, the script will use standard HDD disks by default.

-AVAILABILITYZONE_NUMBER | Specify the availability zone number to be used for the migrated VM. You can leave this blank in case you don't want to use availability zones.

-AVAILABILITYSET_NAME | Specify the name of the availability set to be used for the migrated VM. You can leave this blank in case you don't want to use availability set.

-TURNOFF_SOURCESERVER | Specify 'Y' if you want to turn off source VM at the time of migration. Use 'N' otherwise. If left blank, then the script assumes the value as 'N'.

-UPDATED_TARGET_RESOURCE_GROUP_NAME | If you want to update the resource group to be used by the migrated VM in Azure, then specify the name of the Azure resource group, else leave blank.

-UPDATED_TARGET_VNET_NAME | If you want to update the Virtual Network to be used by the migrated VM in Azure, then specify the name of the Azure Virtual Network, else leave blank.

-UPDATED_TARGET_MACHINE_NAME | If you want to update the name to be used by the migrated VM in Azure, then specify the new name to be used, else leave blank.

-UPDATED_TARGET_MACHINE_SIZE | If you want to update the SKU to be used by the migrated VM in Azure, then specify the new SKU to be used, else leave blank.

-UPDATED_AVAILABILITYZONE_NUMBER | If you want to update the availability zone to be used by the migrated VM in Azure, then specify the new availability zone to be used, else leave blank.

-UPDATED_AVAILABILITYSET_NAME | If you want to update the availability set to be used by the migrated VM in Azure, then specify the new availability set to be used, else leave blank.

-UPDATE_NIC1_ID | Specify the ID of the NIC to be updated. If left blank, then the script assumes the value to be the first NIC of the discovered VM. If you don't want to update the NIC of the VM, then leave all the fields containing NIC name blank.

-UPDATED_TARGET_NIC1_SELECTIONTYPE | Specify the value to be used for this NIC. Use "Primary","Secondary" or "DoNotCreate" to specify if this NIC should be the primary, secondary, or should not be created on the migrated VM. Only one NIC can be specified as the primary NIC for the VM. Leave blank if you don't want to update.

-Once the CSV is ready, you can execute the following steps to migrate your on-premise VMware VMs.

-If you want to execute the script to start replication for VMs using the Input.csv file, then use the following syntax.

-Once you have all the pre-requisites completed, you need to create a CSV file, which has data for each source machine that you want to migrate. The input CSV must have a header line with the input details and a row with details for each machine that needs to be migrated. All the scripts are designed to work on the same CSV file. A sample CSV template is available in the scripts folder for your reference.

-You can't upgrade projects or components in the previous version to the new version. You need to [create a new Azure Migrate project](create-manage-projects.md), and [add assessment and migration tools](./create-manage-projects.md) to it. Use the tutorials to understand how to use the assessment and migration tools available. If you had a Log Analytics workspace attached to a Classic project, you can attach it to a project of current version after you delete the Classic project.

-Not ready for Azure | The VM won't boot in Azure. For example, if a VM has a disk that's more than 4 TB, it can't be hosted on Azure. | Azure Migrate explains the readiness issues, and provides remediation steps.

-**Memory** | The machine memory size <= the maximum memory (3892 GB on Azure M series Standard_M128m&nbsp;²) for an Azure VM. [Learn more](../virtual-machines/sizes.md).<br/><br/> If performance history is available, Azure Migrate considers the utilized memory.<br/><br/>If a comfort factor is specified, the utilized memory is multiplied by the comfort factor.<br/><br/> If there's no history the allocated memory is used, without applying the comfort factor.<br/><br/> | Ready if within limits.

-Windows Server 2003, 2003 R2 | Out-of-support and need a [Custom Support Agreement (CSA)](/troubleshoot/azure/virtual-machines/server-software-support) for support in Azure. | Conditionally ready for Azure, consider upgrading the OS before migrating to Azure.

-Windows 2000, 98, 95, NT, 3.1, MS-DOS | Out-of-support. The machine might boot in Azure, but no OS support is provided by Azure. | Conditionally ready for Azure, it is recommended to upgrade the OS before migrating to Azure.

-Windows Client 7, 8 and 10 | Azure provides support with [Visual Studio subscription only.](../virtual-machines/windows/client-images.md) | Conditionally ready for Azure

-Windows 10 Pro Desktop | Azure provides support with [Multitenant Hosting Rights.](../virtual-machines/windows/windows-desktop-multitenant-hosting-deployment.md) | Conditionally ready for Azure

-Windows Vista, XP Professional | Out-of-support. The machine might boot in Azure, but no OS support is provided by Azure. | Conditionally ready for Azure, it is recommended to upgrade the OS before migrating to Azure.

-Other operating systems<br/><br/> For example, Oracle Solaris, Apple macOS etc., FreeBSD, etc. | Azure doesn't endorse these operating systems. The machine may boot in Azure, but no OS support is provided by Azure. | Conditionally ready for Azure, it is recommended to install a supported OS before migrating to Azure.

-1. To attach a Log Analytics workspace to a project, in **Overview**, > **Essentials**, click **Requires configuration**.

- - To create a new workspace, specify a name. The workspace is created in a region in the same [Azure geography](https://azure.microsoft.com/global-infrastructure/geographies/) as the migration project.

- - When you attach an existing workspace, you can pick from all the available workspaces in the same subscription as the migration project. Only those workspaces are listed which were created in a [supported Service Map region](../azure-monitor/vm/vminsights-configure-workspace.md#supported-regions). To attach a workspace, ensure that you have 'Reader' access to the workspace.

-> To automate the installation of agents you can use a deployment tool such as Configuration Manager or a partner tool such as, Intigua, that provides an agent deployment solution for Azure Migrate.

-For machines monitored by System Center Operations Manager 2012 R2 or later, there is no need to install the MMA agent. Service Map integrates with the Operations Manager MMA to gather the necessary dependency data. [Learn more](../azure-monitor/vm/service-map-scom.md#prerequisites). The Dependency agent does need to be installed.

-1. After you install the agents, go to the portal and click **Manage** > **Machines**.

- - Machine properties, including the FQDN, operating System, MAC address are shown. You can click on each machine box to view details.

-4. You can view dependencies for different time durations by clicking on the time duration in the time range label. By default the range is an hour. You can modify the time range, or specify start and end dates, and duration.

-This article describes how to assess large numbers of on-premises servers in Hyper-V environment for migration to Azure, using the Azure Migrate Discovery and assessment tool.

-> * Configure Azure permissions, and prepare Hyper-V for assessment.

-> * Create an Azure Migrate project, and create an assessment.

-> If you want to try out a proof-of-concept to assess a couple of servers before assessing at scale, follow our [tutorial series](./tutorial-discover-hyper-v.md)

-When planning for assessment of large number of servers in Hyper-V environment, there are a couple of things to think about:

-Prepare Azure and Hyper-V for Discovery and assessment tool:

-2. Set up permissions for your Azure account to interact with Azure Migrate

-3. Prepare Hyper-V hosts and servers

-[Learn more](./create-manage-projects.md)

-1. Create assessments for servers in Hyper-V environment.

-This article describes how to assess large numbers of on-premises physical servers for migration to Azure, using the Azure Migrate Discovery and assessment tool.

-> * Configure Azure permissions, and prepare physical servers for assessment.

-[Learn more](./create-manage-projects.md)

-This article describes how to assess large numbers (1000-35,000) of on-premises servers in VMware environment for migration to Azure, using the Azure Migrate Discovery and assessment tool.

-> * Configure Azure permissions, and prepare VMware for assessment.

-> * Create an Azure Migrate project, and create an assessment.

-> If you want to try out a proof-of-concept to assess a couple of servers before assessing at scale, follow our [tutorial series](./tutorial-discover-vmware.md)

-**Azure Migrate appliance** | An appliance can discover up to 10,000 servers on a vCenter Server.<br/> An appliance can connect up to 10 vCenter Servers.<br/> An appliance can only be associated with a single Azure Migrate project.<br/> Any number of appliances can be associated with a single Azure Migrate project. <br/><br/>

-One | > 10,000 | One Azure Migrate project.<br><br> One appliance can discover up to 10,000 servers running on up to 10 vCenter Servers.<br><br> Provide one or more vCenter Server accounts for discovery. | Set up an appliance to connect up to 10 vCenter Servers mapped to one or more vCenter Server accounts, scoped to discover less than 10,000 servers. You need to deploy additional appliances for every 10,000 servers.<br><br> If the number of servers is greater than 10,000, set up additional appliances with the vCenter Server accounts scoped accordingly. <br><br> You can analyze dependencies on servers across vCenter Servers discovered from the same appliance.<br> <br> Ensure there is no overlap among the servers on the vCenter accounts provided. A discovery with such an overlap is an unsupported scenario. If a server is discovered by more than one appliance, this results in a duplicates in discovery and in issues while enabling replication for the server using the Azure portal in Server Migration. |

-Multiple | > 10,000 | One Azure Migrate project.<br><br> One appliance can discover up to 10,000 servers running on up to 10 vCenter Servers.<br><br> Provide one or more vCenter Server accounts for discovery. | Set up an appliance to discover VMs from up to 10 vCenter Servers mapped to one or more vCenter Server accounts, scoped to discover less than 10,000 servers. You need to deploy additional appliances for every 10 vCenter Servers. <br><br> If the number of servers is greater than 10,000, set up additional appliances with the vCenter Server accounts scoped accordingly. <br><br> You can analyze dependencies on servers across vCenter Servers discovered from the same appliance. <br><br> Ensure there is no overlap among the servers on the vCenter accounts provided. A discovery with such an overlap is an unsupported scenario. If a server is discovered by more than one appliance, this results in a duplicates in discovery and in issues while enabling replication for the server using the Azure portal in Server Migration. |

-[Learn more](./create-manage-projects.md)

-The Azure Migrate: App Containerization tool currently supports -

-The Azure Migrate: App Containerization tool helps you to -

-> The Azure Migrate: App Containerization tool helps you discover specific application types (ASP.NET and Java web apps on Apache Tomcat) and their components on an application server. To discover servers and the inventory of apps, roles, and features running on on-premises machines, use Azure Migrate: Discovery and assessment capability. [Learn more](./tutorial-discover-vmware.md)

-**Application servers** | - Enable Secure Shell (SSH) connection on port 22 on the server(s) running the Java application(s) to be containerized. <br/>

-**Java web application** | The tool currently supports <br/><br/> - Applications running on Tomcat 8 or later.<br/> - Application servers on Ubuntu Linux 16.04/18.04/20.04, Debian 7/8, CentOS 6/7, Red Hat Enterprise Linux 5/6/7. <br/> - Applications using Java version 7 or later. <br/><br/> The tool currently doesn't support <br/><br/> - Applications servers running multiple Tomcat instances <br/>

-6. In **Add role assignment**, select the Owner role, and select the account (azmigrateuser in our example). Then click **Save**.

-7. Your Azure account also needs **permissions to register Azure Active Directory apps.**

-8. In Azure portal, navigate to **Azure Active Directory** > **Users** > **User Settings**.

-9. In **User settings**, verify that Azure AD users can register applications (set to **Yes** by default).

- 

-10. In case the 'App registrations' settings is set to 'No', request the tenant/global admin to assign the required permission. Alternately, the tenant/global admin can assign the **Application Developer** role to an account to allow the registration of Azure Active Directory App. [Learn more](../active-directory/fundamentals/active-directory-users-assign-role-azure-portal.md).

-1. Open a browser on any machine that can connect to the Windows machine running the App Containerization tool, and open the tool URL: **https://*machine name or IP address*: 44369**.

-2. If you see a warning stating that says your connection isnΓÇÖt private, click Advanced and choose to proceed to the website. This warning appears as the web interface uses a self-signed TLS/SSL certificate.

-1. Accept the **license terms**, and read the third-party information.

- - Click on **Set up proxy** to specify the proxy address (in the form IP address or FQDN) and listening port.

- - If you've added proxy details or disabled the proxy and/or authentication, click on **Save** to trigger connectivity check again.

-1. You'll need a device code to authenticate with Azure. Clicking on sign in will open a modal with the device code.

-2. Click on **Copy code & sign in** to copy the device code and open an Azure sign in prompt in a new browser tab. If it doesn't appear, make sure you've disabled the pop-up blocker in the browser.

- - You can run application discovery for upto five servers at a time.

-1. Click **app configurations** to review detected configurations.

-> Only Azure container registries with admin user enabled are displayed. The admin account is currently required for deploying an image from an Azure container registry to Azure App Service. [Learn more](../container-registry/container-registry-authentication.md#admin-account)

-4. **Trigger build process**: Select the applications to build images for and click **Build**. Clicking build will start the container image build for each application. The tool keeps monitoring the build status continuously and will let you proceed to the next step upon successful completion of the build.

-5. **Track build status**: You can also monitor progress of the build step by clicking the **Build in Progress** link under the status column. The link takes a couple of minutes to be active after you've triggered the build process.

-6. Once the build is completed, click **Continue** to specify deployment settings.

- - If you donΓÇÖt have an App Service plan or would like to create a new App Service plan to use, you can choose to create on from the tool by clicking **Create new App Service plan**.

-2. **Specify secret store and monitoring workspace**: If you had opted to parameterize application configurations, then specify the secret store to be used for the application. You can choose Azure Key Vault or App Service application settings for managing your application secrets. [Learn more](../app-service/configure-common.md#configure-connection-strings)

- - If you donΓÇÖt have an Azure Key Vault or would like to create a new Key Vault, you can choose to create on from the tool by clicking **Create new**.

-To troubleshoot any issues with the tool, you can look at the log files on the Windows machine running the App Containerization tool. Tool log files are located at *C:\ProgramData\Microsoft Azure Migrate App Containerization\Logs* folder.

-> Tutorials show the quickest path for trying out a scenario, and use default options where possible.

-Decide whether you want to run an assessment using sizing criteria based on server configuration data/metadata that's collected as-is on-premises, or based on performance data.

-1. On the **Overview** page > **Windows, Linux and SQL Server**, click **Assess and migrate servers**.

-1. In **Assessment properties** > **Target Properties**:

- - In Azure Government, you can target assessments in [these regions](migrate-support-matrix.md#azure-government)

- - If you want to use performance-based data in the assessment, select **Automatic** for Azure Migrate to recommend a storage type, based on disk IOPS and throughput.

- - In **Reserved Instances**, specify whether you want to use reserve instances for the VM when you migrate it.

- - [Learn more](https://aka.ms/azurereservedinstances).

- - In **Sizing criterion**, select if you want to base the assessment on server configuration data/metadata, or on performance-based data. If you use performance data:

- - In **Performance history**, indicate the data duration on which you want to base the assessment

- - Tweak settings as needed. For example, if you don't have a production environment that needs A-series VMs in Azure, you can exclude A-series from the list of series.

- - In **Comfort factor**, indicate the buffer you want to use during assessment. This accounts for issues like seasonal usage, short performance history, and likely increases in future usage. For example, if you use a comfort factor of two:

- - In **VM Uptime**, specify the duration (days per month/hour per day) that VMs will run.

-1. In **Assess Servers** > click **Next**.

-1. In **Select servers to assess** > **Assessment name** > specify a name for the assessment.

-1. In **Select or create a group** > select **Create New** and specify a group name.

-1. Select the appliance, and select the VMs you want to add to the group. Then click **Next**.

-1. Click **Export assessment**, to download it as an Excel file.

-1. In **Windows, Linux and SQL Server** > **Azure Migrate: Discovery and assessment**, click the number next to **Assessments**.

-3. Review the assessment summary. You can also edit the assessment properties, or recalculate the assessment.

-3. Select an **Azure readiness** status. You can view VM readiness details. You can also drill down to see VM details, including compute, storage, and network settings.

-In this tutorial, you learn how to:

-> Tutorials show the quickest path for trying out a scenario, and use default options where possible.

-1. On the **Overview** page > **Servers, databases and web apps**, click **Assess and migrate servers**.

- - In **Reserved Instances**, specify whether you want to use reserve instances for Azure VMware Solution nodes when you migrate your VMs.

- - If you select to use a reserved instance, you can't specify '**Discount (%)**

- - [Learn more](../azure-vmware/reserved-instance.md)

- - In **Dedupe and compression factor**, specify the anticipated dedupe and compression factor for your workloads. Actual value can be obtained from on-premises vSAN or storage config and this may vary by workload. A value of 3 would mean 3x so for 300GB disk only 100GB storage would be used. A value of 1 would mean no dedupe or compression. You can only add values from 1 to 10 up to one decimal place.

- - In **Sizing criterion**, select if you want to base the assessment on static metadata, or on performance-based data. If you use performance data:

- - In **Offer**, [Azure offer](https://azure.microsoft.com/support/legal/offer-details/) you're enrolled in is displayed. The Assessment estimates the cost for that offer.

-1. Select the appliance, and select the servers you want to add to the group. Then click **Next**.

- - Utilization includes up front factoring in the following cluster management overheads such as the vCenter Server, NSX Manager (large),

-You can click on **Sizing assumptions** to understand the assumptions that went in node sizing and resource utilization calculations. You can also edit the assessment properties, or recalculate the assessment.

-1. In **Servers, databases and web apps** > **Azure Migrate: Discovery and assessment**, click the number next to ** Azure VMware Solution**.

- - **Ready with conditions**: There might be some compatibility issues example internet protocol or deprecated OS in VMware and need to be remediated before migrating to Azure VMware Solution. To fix any readiness problems, follow the remediation guidance the assessment suggests.

- - **Not ready for AVS**: The VM will not start in AVS. For example, if the on-premises VMware VM has an external device attached such as a cd-rom the VMware VMotion operation will fail (if using VMware VMotion).

- - VMware HCX or Enterprise: For VMware servers, VMware Hybrid Cloud Extension (HCX) solution is the suggested migration tool to migrate your on-premises workload to your Azure VMware Solution (AVS) private cloud. Learn More.

-4. Click on an AVS readiness status. You can view server readiness details, and drill down to see server details, including compute, storage, and network settings.

- - The cost estimation is for running the on-premises servers in AVS. AVS assessment doesn't consider PaaS or SaaS costs.

-> Tutorials show the quickest path for trying out a scenario, and use default options.

-1. To register the appliance, your Azure account needs **permissions to register Azure Active Directory apps.**

-1. In Azure portal, navigate to **Azure Active Directory** > **Users** > **User Settings**.

-1. In case the 'App registrations' settings is set to 'No', request the tenant/global admin to assign the required permission. Alternately, the tenant/global admin can assign the **Application Developer** role to an account to allow the registration of Azure Active Directory App. [Learn more](../active-directory/fundamentals/active-directory-users-assign-role-azure-portal.md).

-> If you have already created a project, you can use the same project to register additional appliances to discover and assess more no of servers.[Learn more](create-manage-projects.md#find-a-project)

-To set up the appliance you:

-1. Configure the appliance for the first time, and register it with the project using the project key.

-2. In **Discover servers** > **Are your servers virtualized?**, select **Physical or other (AWS, GCP, Xen, etc.)**.

-4. Click on **Generate key** to start the creation of the required Azure resources. Do not close the Discover servers page during the creation of resources.

-In **2: Download Azure Migrate appliance**, click on **Download**.

-Check that the zipped file is secure, before you deploy it.

-1. Open a browser on any machine that can connect to the appliance, and open the URL of the appliance web app: **https://*appliance name or IP address*: 44368**.

-2. Accept the **license terms**, and read the third-party information.

-5. On clicking Save, appliance will try validating the connection to the servers added and show the **Validation status** in the table against each server.

-Click on **Start discovery**, to kick off discovery of the successfully validated servers. After the discovery has been successfully initiated, you can check the discovery status against each server in the table.

-2. In **Azure Migrate - Windows, Linux and SQL Servers** > **Azure Migrate: Discovery and assessment** page, click the icon that displays the count for **Discovered servers**.

- Use [Azure premium fileshare](../storage/files/storage-how-to-create-file-share.md?tabs=azure-portal) for persistent storage that can be used by one or many pods, and can be dynamically or statically provisioned. Azure premium fileshare gives you best performance for your application if you expect large number of I/O operations on the file storage. To learn more , see [how to enable Azure Files](../aks/azure-files-dynamic-pv.md).

-Create an AKS cluster [using the Azure CLI](./learn/quick-kubernetes-deploy-cli), [using Azure PowerShell](./learn/quick-kubernetes-deploy-powershell), or [using the Azure portal](./learn/quick-kubernetes-deploy-portal).

-In this quickstart you deploy a virtual machine (VM), and then check communications to an IP address and URL and from an IP address. You determine the cause of a communication failure and how you can resolve it.

-After several seconds, the result returned informs you that access is allowed by a security rule named **AllowInternetOutbound**.

-The result returned informs you that access is denied by a security rule named **DefaultOutboundDenyAll**.

-The result returned informs you that access is denied because of a security rule named **DefaultInboundDenyAll**. Now that you know which security rules are allowing or denying traffic to or from a VM, you can determine how to resolve the problems.

-When you ran the `az network watcher test-ip-flow` command to test outbound communication to 172.131.0.100 in [Use IP flow verify](#use-ip-flow-verify), the output informed you that the **DefaultOutboundDenyAll** rule denied the communication. The **DefaultOutboundDenyAll** rule equates to the **DenyAllOutBound** rule listed in the following output from the `az network nic list-effective-nsg` command:

-When you ran the `az network watcher test-ip-flow` command in [Use IP flow verify](#use-ip-flow-verify) to test inbound communication from 172.131.0.100, the output informed you that the **DefaultInboundDenyAll** rule denied the communication. The **DefaultInboundDenyAll** rule equates to the **DenyAllInBound** rule listed in the following output from the `az network nic list-effective-nsg` command:

-The result returned informs you that access is denied by a security rule named **DefaultOutboundDenyAll**.

-The result returned informs you that access is denied because of a security rule named **DefaultInboundDenyAll**. Now that you know which security rules are allowing or denying traffic to or from a VM, you can determine how to resolve the problems.

-When you ran the `Test-AzNetworkWatcherIPFlow` command to test outbound communication to 172.131.0.100 in [Use IP flow verify](#use-ip-flow-verify), the output informed you that the **DefaultOutboundDenyAll** rule denied the communication. The **DefaultOutboundDenyAll** rule equates to the **DenyAllOutBound** rule listed in the following output from the `Get-AzEffectiveNetworkSecurityGroup` command:

-When you ran the `Test-AzNetworkWatcherIPFlow` command to test inbound communication from 172.131.0.100 in [Use IP flow verify](#use-ip-flow-verify), the output informed you that the **DefaultInboundDenyAll** rule denied the communication. The **DefaultInboundDenyAll** rule equates to the **DenyAllInBound** rule listed in the following output from the `Get-AzEffectiveNetworkSecurityGroup` command:

-description: This how-to guide describes how to view and use Microsoft Purview Insights asset reporting on your data.

-> Microsoft Purview Insights are currently in PREVIEW. The [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-> * View insights from your Microsoft Purview account.

-Before getting started with Microsoft Purview insights, make sure that you've completed the following steps:

-1. On the Microsoft Purview **Home** page, select **Insights** on the left menu.

- :::image type="content" source="./media/asset-insights/view-insights.png" alt-text="View your insights in the Azure portal":::

-1. In the **Insights** area, select **Assets** to display the Microsoft Purview **Asset insights** report.

-> As of November 8th, 2021, ***Insights*** is accessible to Data Curators. Data Readers do not have access to Insights.

-# Customer intent: As a security officer, I need to understand how to use Microsoft Purview Insights to learn about sensitive data identified and classified and labeled during scanning.

-> Microsoft Purview Insights are currently in PREVIEW. The [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-Before getting started with Microsoft Purview insights, make sure that you've completed the following steps:

-## Use Microsoft Purview classification insights

-1. In Microsoft Purview, select the **Insights** :::image type="icon" source="media/insights/ico-insights.png" border="false"::: menu item on the left to access your **Insights** area.

-1. In the **Insights** :::image type="icon" source="media/insights/ico-insights.png" border="false"::: area, select **Classification** to display the Microsoft Purview **Classification insights** report.

-> Microsoft Purview Insights are currently in PREVIEW. The [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-description: This how-to guide describes how to view and use Microsoft Purview Insights glossary reporting on your data.

-> Microsoft Purview Insights are currently in PREVIEW. The [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-Before getting started with Microsoft Purview insights, make sure that you've completed the following steps:

-1. On the Microsoft Purview **Home** page, select **Insights** on the left menu.

- :::image type="content" source="./media/glossary-insights/view-insights.png" alt-text="View your insights in the Azure portal":::

-1. In the **Insights** area, select **Glossary** to display the Microsoft Purview **Glossary insights** report.

-|[Data Insights](#data-insights) | Gives you an overview of your data estate to help you discover what kinds of data you have and where. |

-Microsoft Purview Data Map powers the Microsoft Purview Data Catalog and Microsoft Purview data insights as unified experiences within the [Microsoft Purview governance portal](https://web.purview.azure.com/resource/).

-## Data Insights

-With the Microsoft Purview data insights, data officers and security officers can get a birdΓÇÖs eye view and at a glance understand what data is actively scanned, where sensitive data is and how it moves.

-For more information, see our [introduction to Data Insights](concept-insights.md).

-* [Data insights in Microsoft Purview](concept-insights.md)

-* You'll need to be a Data Source Administrator and Data Reader to register a source and manage it in the Microsoft Purview governance portal. See our [Microsoft Purview Permissions page](catalog-permissions.md) for details.

- * Ensure [JDK 11](https://www.oracle.com/java/technologies/javase-jdk11-downloads.html) is installed on the machine where the self-hosted integration runtime is installed.

-* You'll need to be a Data Source Administrator and Data Reader to register a source and manage it in the Microsoft Purview governance portal. See [Microsoft Purview Permissions page](catalog-permissions.md) for details.

- * Ensure [JDK 11](https://www.oracle.com/java/technologies/javase/jdk11-archive-downloads.html) is installed on the virtual machine where the self-hosted integration runtime is installed.

- * Manually download a Db2 JDBC driver from [here](https://www.ibm.com/support/pages/db2-jdbc-driver-versions-and-downloads) onto your virtual machine where self-hosted integration runtime is running.

- > The driver should be accessible to all accounts in the VM. Do not install it in a user account.

- 1. **Driver location**: Specify the path to the JDBC driver location in your VM where self-host integration runtime is running. This should be the path to valid JAR folder location.

- > [!Note]

- > The driver should be accessible to all accounts in the VM. Please do not install in a user account.

-* You'll need to be a Data Source Administrator and Data Reader to register a source and manage it in the Microsoft Purview governance portal. See our [Microsoft Purview Permissions page](catalog-permissions.md) for details.

- * Ensure [JDK 11](https://www.oracle.com/java/technologies/javase-jdk11-downloads.html) is installed on the virtual machine where the self-hosted integration runtime is installed.

-* You'll need to be a Data Source Administrator and Data Reader to register a source and manage it in the Microsoft Purview governance portal. See our [Microsoft Purview Permissions page](catalog-permissions.md) for details.

- * Ensure [JDK 11](https://www.oracle.com/java/technologies/javase-jdk11-downloads.html) is installed on the virtual machine where the self-hosted integration runtime is installed.

- * Download and unzip BigQuery's JDBC driver on the machine where your self-hosted integration runtime is running. You can find the driver [here](https://cloud.google.com/bigquery/providers/simba-drivers).

- > The driver should be accessible to all accounts in the machine. Don't put it in a path under user account.

- 1. **Driver location**: Specify the path to the JDBC driver location in your VM where self-host integration runtime is running. This should be the path to valid JAR folder location.

- > [!Note]

- > The driver should be accessible to all accounts in the machine. Don't put it in a path under user account.

- * Ensure that [JDK 11](https://www.oracle.com/java/technologies/javase-jdk11-downloads.html) is installed on the machine where the self-hosted integration runtime is running.

- * Download the Hive Metastore database's JDBC driver on the machine where your self-hosted integration runtime is running. For example, if the database is *mssql*, download [Microsoft's JDBC driver for SQL Server](/sql/connect/jdbc/download-microsoft-jdbc-driver-for-sql-server). If you scan Azure Databricks's Hive Metastore, download the MariaDB Connector/J version 2.7.5 from [here](https://dlm.mariadb.com/1965742/Connectors/java/connector-java-2.7.5/mariadb-java-client-2.7.5.jar); version 3.0.3 isn't supported.

- > [!Note]

- > The driver should be accessible to all accounts in the machine. Don't install it in a user account.

- 1. **Metastore JDBC Driver Location**: Specify the path to the JDBC driver location on your machine where the self-hosted integration runtime is running. This should be a valid path to the folder for JAR files.

- > The driver should be accessible to all accounts in the machine. Don't install it in a user account.

- >

-* You'll need to be a Data Source Administrator and Data Reader to register a source and manage it in the Microsoft Purview governance portal. See our [Microsoft Purview Permissions page](catalog-permissions.md) for details.

- * Ensure [JDK 11](https://www.oracle.com/java/technologies/javase-jdk11-downloads.html) is installed on the machine where the self-hosted integration runtime is installed.

-* You need to be a Data Source Administrator and Data Reader to register a source and manage it in the Microsoft Purview governance portal. See our [Microsoft Purview Permissions page](catalog-permissions.md) for details.

- * Ensure [JDK 11](https://www.oracle.com/java/technologies/javase/jdk11-archive-downloads.html) is installed on the machine where the self-hosted integration runtime is installed.

-* You'll need to be a Data Source Administrator and Data Reader to register a source and manage it in the Microsoft Purview governance portal. See [Microsoft Purview Permissions page](catalog-permissions.md) for details.

- * Ensure [JDK 11](https://www.oracle.com/java/technologies/javase/jdk11-archive-downloads.html) is installed on the machine where the self-hosted integration runtime is installed.

-* You'll need to be a Data Source Administrator and Data Reader to register a source and manage it in the Microsoft Purview governance portal. See our [Microsoft Purview Permissions page](catalog-permissions.md) for details.

- * Ensure [JDK 11](https://www.oracle.com/java/technologies/javase-jdk11-downloads.html) is installed on the virtual machine where the self-hosted integration runtime is installed.

- * Manually download an Oracle JDBC driver from [here](https://www.oracle.com/database/technologies/appdev/jdbc-downloads.html) onto your virtual machine where self-hosted integration runtime is running.

- > The driver should be accessible to all accounts in the VM. Do not install it in a user account.

- * A host name used by JDBC to connect to the database server. For example: `MyDatabaseServer.com`

-1. Enter the **Port number** used by JDBC to connect to the database server (1521 by default for Oracle).

-1. Enter the **Oracle service name** used by JDBC to connect to the database server.

- * Provide the user name used by JDBC to connect to the database server in the User name input field.

- * Store the user password used by JDBC to connect to the database server in the secret key.

- 1. **Driver location**: Specify the path to the JDBC driver location in your VM where self-host integration runtime is running. This should be the path to valid JAR folder location.

- > [!Note]

- > The driver should be accessible to all accounts in the VM. Please do not install in a user account.

-* You'll need to be a Data Source Administrator and Data Reader to register a source and manage it in the Microsoft Purview governance portal. See our [Microsoft Purview Permissions page](catalog-permissions.md) for details.

- * Ensure [JDK 11](https://www.oracle.com/java/technologies/javase/jdk11-archive-downloads.html) is installed on the machine where the self-hosted integration runtime is installed.

-## Troubleshooting tips

-If delegated auth is used:

- 5. App registration exists in your Azure Active Directory tenant.

- 6. Under **API permissions**, the following **delegated permissions** and **grant admin consent for the tenant** is set up with read for the following APIs:

-* You'll need to be a Data Source Administrator and Data Reader to register a source and manage it in the Microsoft Purview governance portal. See our [Microsoft Purview Permissions page](catalog-permissions.md) for details.

- * Ensure [JDK 11](https://www.oracle.com/java/technologies/javase/jdk11-archive-downloads.html) is installed on the machine where the self-hosted integration runtime is installed.

- * Ensure [JDK 11](https://www.oracle.com/java/technologies/javase-jdk11-downloads.html) is installed on the machine where the self-hosted integration runtime is installed.

- 1. **JCo library path**: The directory path where the JCo libraries are located.

- * Ensure that [JDK 11](https://www.oracle.com/java/technologies/javase-jdk11-downloads.html) is installed on the machine where the self-hosted integration runtime is running.

- * Download the SAP HANA JDBC driver ([JAR ngdbc](https://mvnrepository.com/artifact/com.sap.cloud.db.jdbc/ngdbc)) on the machine where your self-hosted integration runtime is running.

- > The driver should be accessible to all accounts in the machine. Don't put it in a path under user account.

- 1. **Driver location**: Specify the path to the JDBC driver location in your machine where self-host integration runtime is running. This should be the path to valid JAR folder location. Don't include the name of the driver in the path.

-* You'll need to be a Data Source Administrator and Data Reader to register a source and manage it in the Microsoft Purview governance portal. See our [Microsoft Purview Permissions page](catalog-permissions.md) for details.

- * Ensure [JDK 11](https://www.oracle.com/java/technologies/javase-jdk11-downloads.html) is installed on the virtual machine where the self-hosted integration runtime is installed.

- * The connector reads metadata from SAP using the [SAP Java Connector (JCo)](https://support.sap.com/en/product/connectors/jco.html) 3.0 API. Make sure the Java Connector is available on your virtual machine where self-hosted integration runtime is installed. Make sure that you're using the correct JCo distribution for your environment. For example: on a Microsoft Windows machine, make sure the sapjco3.jar and sapjco3.dll files are available.

- > The driver should be accessible to all accounts in the VM. Do not install it in a user account.

- 1. **JCo library path**: The directory path where the JCo libraries are located.

-* You'll need to be a Data Source Administrator and Data Reader to register a source and manage it in the Microsoft Purview governance portal. See our [Microsoft Purview Permissions page](catalog-permissions.md) for details.

- * Ensure [JDK 11](https://www.oracle.com/java/technologies/javase-jdk11-downloads.html) is installed on the virtual machine where the self-hosted integration runtime is installed.

- * The connector reads metadata from SAP using the [SAP Java Connector (JCo)](https://support.sap.com/en/product/connectors/jco.html) 3.0 API. Hence make sure the Java Connector is available on your virtual machine where self-hosted integration runtime is installed. Make sure that you're using the correct JCo distribution for your environment. For example, on a Microsoft Windows machine, make sure the sapjco3.jar and sapjco3.dll files are available.

- >The driver should be accessible to all accounts in the VM. Do not install it in a user account.

- 1. **JCo library path**: Specify the path to the folder where the JCo libraries are located.

-* You need to be a Data Source Administrator and Data Reader to register a source and manage it in the Microsoft Purview governance portal. See our [Microsoft Purview Permissions page](catalog-permissions.md) for details.

- * Ensure [JDK 11](https://www.oracle.com/java/technologies/javase/jdk11-archive-downloads.html) is installed on the machine where the self-hosted integration runtime is installed.

-* You'll need to be a Data Source Administrator and Data Reader to register a source and manage it in the Microsoft Purview governance portal. See our [Microsoft Purview Permissions page](catalog-permissions.md) for details.

- * Ensure [JDK 11](https://www.oracle.com/java/technologies/javase-jdk11-downloads.html) is installed on the virtual machine where the self-hosted integration runtime is installed.

- * You'll have to manually download Teradata's JDBC Driver on your virtual machine where self-hosted integration runtime is running. The executable JAR file can be downloaded from the Teradata [website](https://downloads.teradata.com/).

- > The driver should be accessible to all accounts in the VM. Please do not install in a user account.

- 1. **Driver location**: Specify the path to the JDBC driver location in your VM where self-host integration runtime is running. This should be the path to valid JAR folder location.

-# Customer intent: As a security officer, I need to understand how to use Microsoft Purview Insights to learn about sensitive data identified and classified and labeled during scanning.

-> Sensitivity labels in Microsoft Purview Insights are currently in PREVIEW. The [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-Before getting started with Microsoft Purview Insights, make sure that you've completed the following steps:

-## Use Microsoft Purview Insights for sensitivity labels

-Microsoft Purview Insights uses the same classifications, also known as [sensitive information types](/microsoft-365/compliance/sensitive-information-type-entity-definitions), as those used with Microsoft 365 apps and services. This enables you to extend your existing sensitivity labels to assets in the data map.

-1. In Microsoft Purview, select the **Insights** :::image type="icon" source="media/insights/ico-insights.png" border="false"::: menu item on the left to access your **Insights** area.

-1. In the **Insights** :::image type="icon" source="media/insights/ico-insights.png" border="false"::: area, select **Sensitivity labels** to display the Microsoft Purview **Sensitivity labeling insights** report.

-description: Explains how spatial object bounds can be queried

-Object bounds represent the volume that an [entity](entities.md) and its children occupy. In Azure Remote Rendering, object bounds are always given as *axis aligned bounding boxes* (AABB). Object bounds can be either in *local space* or in *world space*. Either way, they are always axis-aligned, which means the extents and volume may differ between the local and world space representation.

-The local axis aligned bounding box of a [mesh](meshes.md) can be queried directly from the mesh resource. These bounds can be transformed into the local space or world space of an entity using the entity's transform.

-It's possible to compute the bounds of an entire object hierarchy this way, but that requires to traverse the hierarchy, query the bounds for each mesh, and combine them manually. This operation is both tedious and inefficient.

-A better way is to call `QueryLocalBoundsAsync` or `QueryWorldBoundsAsync` on an entity. The computation is then offloaded to the server and returned with minimal delay.

-description: Explains the material overriding workflow at conversion time

-The material settings in the source model are used to define the [PBR materials](../../overview/features/pbr-materials.md) used by the renderer.

-Sometimes the [default conversion](../../reference/material-mapping.md) doesn't give the desired results and you need to make changes.

-If a file called `<modelName>.MaterialOverrides.json` is found in the input container beside the input model `<modelName>.<ext>`, then it will be used as the material override file.

-As a simple example, let's say that a box model has a single material, called "Default".

-Additionally, let's say its albedo color needs to be adjusted for use in ARR.

-In this case, a `box.MaterialOverrides.json` file can be created as follows:

-The `box.MaterialOverrides.json` file is placed in the input container beside `box.fbx`, which tells the conversion service to apply the new settings.

-The [color material](../../overview/features/color-materials.md) model describes a constantly shaded surface that is independent of lighting.

-Color materials are useful for assets made by Photogrammetry algorithms, for example.

-Sometimes you might want the conversion process to ignore specific texture maps. This might be the case when your model was generated by a tool that generates special maps not understood correctly by the renderer. For example, an "OpacityMap" that is used to define something other than opacity, or a model where the "NormalMap" is stored as "BumpMap". (In the latter case you want to ignore "NormalMap", which will cause the converter to use "BumpMap" as "NormalMap".)

-The principle is simple. Just add a property called `ignoreTextureMaps` and add any texture map you want to ignore:

-For the full list of texture maps you can ignore, see the JSON schema below.

-Since it's quite common that the same override should apply to multiple materials, you can optionally provide a regular expression as the entry name.

-The syntax used is the same as that used for JavaScript.

-The following example shows an override which applies to materials with names like "Material2", "Material01" and "Material999".

-At most one entry in a material override file applies to a single material.

-If there is an exact match (i.e. `nameMatching` is absent or equals `exact`) for the material name, then that entry is chosen.

-The [info file](get-information.md#information-about-a-converted-model-the-info-file) written to the output container carries information about the number of overrides provided, and the number of materials that were overridden.

-The full JSON schema for materials files is given here. With the exception of `unlit` and `ignoreTextureMaps`, the properties available are a subset of the properties described in the sections on the [color material](../../overview/features/color-materials.md) and [PBR material](../../overview/features/pbr-materials.md) models.

-description: Describes techniques to mitigate z-fighting artifacts

-When two surfaces overlap, it is not clear which one should be rendered on top of the other. The result even varies per pixel, resulting in camera view-dependent artifacts. Consequently, when the camera or the mesh moves, these patterns flicker noticeably. This artifact is called *z-fighting*. For AR and VR applications, the problem is intensified because head-mounted devices naturally always move. To prevent viewer discomfort z-fighting mitigation functionality is available in Azure Remote Rendering.

-|Regular z-fighting ||

-|Z-fighting mitigation enabled ||

-|Checkerboard highlighting enabled||

-1. when surfaces are very far away from the camera, the precision of their depth values degrades and the values become indistinguishable

-1. when surfaces in a mesh physically overlap

-The first problem can always happen and is difficult to eliminate. If this happens in your application, make sure that the ratio of the *near plane* distance to the *far plane* distance is as low as practical. For example, a near plane at distance 0.01 and far plane at distance 1000 will create this problem much earlier, than having the near plane at 0.1 and the far plane at distance 20.

-The second problem is an indicator for badly authored content. In the real world, two objects can't be in the same place at the same time. Depending on the application, users might want to know whether overlapping surfaces exist and where they are. For example, a CAD scene of a building that is the basis for a real world construction, shouldn't contain physically impossible surface intersections. To allow for visual inspection, the highlighting mode is available, which displays potential z-fighting as an animated checkerboard pattern.

-The provided z-fighting mitigation is a best effort. There is no guarantee that it removes all z-fighting. Also it will automatically prefer one surface over another. Thus when you have surfaces that are too close to each other, it might happen that the "wrong" surface ends up on top. A common problem case is when text and other decals are applied to a surface. With z-fighting mitigation enabled these details could easily just vanish.

-description: Quickstart that shows how to run the native C++ HolographicApp tutorial on HoloLens

-This quickstart covers how to deploy and run the native C++ WMR (Windows Mixed Reality) tutorial application on a HoloLens 2.

-In this quickstart you will learn how to:

->* Change the ARR credentials in the source code.

-To get access to the Azure Remote Rendering service, you first need to [create an account](../../../how-tos/create-an-account.md).

-* Windows SDK 10.0.18362.0 [(download)](https://developer.microsoft.com/windows/downloads/windows-10-sdk)

-* The latest version of Visual Studio 2019 [(download)](https://visualstudio.microsoft.com/vs/older-downloads/)

-* [Visual Studio tools for Mixed Reality](/windows/mixed-reality/install-the-tools). Specifically, the following *Workload* installations are mandatory:

-* GIT [(download)](https://git-scm.com/downloads)

-## Clone the ARR samples repository

-As a first step, we clone the Git repository, which houses the global Azure Remote Rendering samples. Open a command prompt (type `cmd` in the Windows start menu) and change to a directory where you want to store the ARR sample project.

-The last command creates a subdirectory in the ARR directory containing the various sample projects for Azure Remote Rendering.

-The C++ HoloLens tutorial can be found in the subdirectory *NativeCpp/HoloLens-Wmr*.

-Open the solution file *HolographicApp.sln* located in the *NativeCpp/HoloLens-Wmr* subdirectory with Visual Studio 2019.

-Switch the build configuration to *Debug* (or *Release*) and *ARM64*. Also make sure the debugger mode is set to *Device* as opposed to *Remote Machine*:

-

-Since the account credentials are hardcoded in the tutorial's source code, change them to valid credentials. For that, open the file `HolographicAppMain.cpp` inside Visual Studio and change the part where the client is created inside the constructor of class `HolographicAppMain`:

-* `init.AccountId`, `init.AccountKey`, and `init.AccountDomain` to use your account data. See the paragraph about how to [retrieve account information](../../../how-tos/create-an-account.md#retrieve-the-account-information).

-* In addition, `m_sessionOverride` can be changed to an existing session ID. Sessions can be created outside this sample, for instance by using [the PowerShell script](../../../samples/powershell-example-scripts.md#script-renderingsessionps1) or using the [session REST API](../../../how-tos/session-rest-api.md) directly.

-Creating a session outside the sample is recommended when the sample should run multiple times. If no session is passed in, the sample will create a new session upon each startup, which may take several minutes.

-Now the application can be compiled.

-1. Start the Debugger in Visual Studio (F5). It will automatically deploy the app to the device.

-The sample app should launch and a text panel should appear that informs you about the current application state. The status at startup time is either starting a new session or connecting to an existing session. After model loading has completed, the built-in engine model appears right at your head position. Occlusion-wise, the engine model interacts properly with the spinning cube that is rendered locally.

- If you want to launch the sample a second time later, you can also find it from the HoloLens start menu, but note it may have an expired session ID compiled into it.

-description: User manual of the ArrInspector tool

-The ArrInspector is a web-based tool used to inspect a running Azure Remote Rendering session. It is meant to be used for debugging purposes, to inspect the structure of the scene being rendered, show the log messages, and monitor the live performance on the server.

-

-Once you obtain the hostname (ending in `mixedreality.azure.com`) of your ARR server, connect using [ConnectToArrInspectorAsync](../../how-tos/frontend-apis.md#connect-to-arr-inspector). This function creates a `StartArrInspector.html` on the device on which the application is running. To launch ArrInspector, open that file with a browser (Edge, Firefox, or Chrome) on a PC. The file is only valid for 24 hours.

-* If you are using the Unity integration, it may get launched automatically for you.

-* Otherwise, you will find the file in *User Folders\\LocalAppData\\[your_app]\\AC\\Temp*.

-

-To visualize one of these parameters, click the **Add New** button and select one of the available values shown in the dialog. This action adds a new scrolling chart to the panel, tracing the values in real time. On its right you can see the *minimum*, *maximum* and *current* value.

-Holding CTRL while dragging, allows you to zoom. Horizontal zoom can also be controlled with the slider at the bottom.

-The vertical range is by default computed based on the values currently displayed, and min and max values are shown in the text-boxes on the right. When the values are set manually, either by typing them directly into the textbox, or by panning/zooming, the graph will use those values. To restore the automatic vertical framing, click the icon in the top-right corner.

-

-

-The log panel shows a list of log messages generated on the server side. On connection it will show up to 200 previous log messages, and will print new ones as they happen.

-

-

-

-This panel shows the structure of the rendered scene. The object hierarchy is on the left, the content of the selected object is on the right. The panel is read-only and is updated in real time.

-

-This panel offers some debug functionality.

-The **Restart Service** button restarts the runtime on the virtual machine that arrInspector is connected to. Any attached client will get disconnected and the arrInspector page must be reloaded to connect to the restarted service.

-The **Collect Debug Information for VM** button opens a dialog that allows you to trigger the ARR instance to collect debug information on the VM:

-

-Debug information helps the Azure Remote Rendering team to analyze any issues that occur in a running ARR instance. The dialog has a text field to provide additional details, for example steps to reproduce an issue.

-After clicking the **Start Collecting** button, the dialog will close and the collection process begins. Collecting the information on the VM can take a few minutes.

-

-Once the collection is finished, you will receive a notification in the ArrInspector window. This notification contains an ID that identifies this particular collection. Be sure to save this ID to pass it on to the Azure Remote Rendering team.

-

-> You can't download or otherwise access VM debug information. Only the Azure Remote Rendering team has access to the collected data. You need to contact us and send the collection ID along, for us to investigate the issue you are seeing.

-

-When re-enabling live update, all panels are reset.

-**Target resource group** | The resource group to which VMs belong after failover.<br/><br/> It can be in any Azure region except the source region.<br/><br/> Site Recovery creates a new resource group in the target region, with an "asr" suffix.<br/><br/>

-When you enable Azure VM replication, by default Site Recovery creates a new replication policy with the default settings summarized in the table.

-**Recovery point retention** | Specifies how long Site Recovery keeps recovery points | 1 day

-You can manage and modify the default replication policies settings as follows:

- - [Learn more](../virtual-machines/extensions/azure-disk-enc-windows.md#extension-schema). about the extension schemas.

-Currently, in the portal, you can only select an automation account in the same resource group as the vault. You can select an automation account from a different resource group using PowerShell. [Learn more](azure-to-azure-autoupdate.md#enable-automatic-updates).

-Yes, you can exclude disks when you set up replication, using PowerShell. [Learn more](azure-to-azure-exclude-disks.md).

-Replication is continuous when replicating Azure VMs to another Azure region. [Learn more](./azure-to-azure-architecture.md#replication-process) about how replication works.

-This quickstart describes how to set up disaster recovery for an Azure VM by replicating it to a secondary Azure region. In general, default settings are used to enable replication.

-1. In **Operations** select **Disaster recovery**.

-1. To start the job that enables VM replication select **Start replication**.

-After the replication job finishes, you can check the replication status, modify replication settings, and test the deployment.

-1. In **Operations** select **Disaster recovery**.

-To disable replication, do these steps:

-1. In **Operations** select **Disaster recovery**.

-1. From the **Overview**, select **Disable Replication**.

-This article describes how to troubleshoot common errors in Azure Site Recovery during replication and recovery of Azure virtual machines (VM) from one region to another. For more information about supported configurations, see the [support matrix for replicating Azure VMs](azure-to-azure-support-matrix.md).

-Contact [Azure billing support](../azure-portal/supportability/regional-quota-requests.md) to enable your subscription to create VMs of the required sizes in the target location. Then, retry the failed operation.

-When you enable replication for a VM to set up disaster recovery, the Site Recovery Mobility service extension installs on the VM, and registers it with Azure Site Recovery. During replication, VM disk writes are sent to a cache storage account in the source region. Data is sent from there to the target region, and recovery points are generated from the data. When you fail over a VM during disaster recovery, a recovery point is used to restore the VM in the target region.

-Check permissions, and settings in the target region.

-If you're using network security groups (NSGs) to control connectivity, create service-tag based NSG rules that allow HTTPS outbound to port 443 for these [service tags](../virtual-network/service-tags-overview.md#available-service-tags)(groups of IP addresses):

-This tutorial shows you how to set up disaster recovery of on-premises physical Windows and Linux servers to Azure. In this tutorial, you learn how to:

-As an organization you need to adopt a business continuity and disaster recovery (BCDR) strategy that keeps your data safe, and your apps and workloads online, when planned and unplanned outages occur.

-**Data resilience** | Site Recovery orchestrates replication without intercepting application data. When you replicate to Azure, data is stored in Azure storage, with the resilience that provides. When failover occurs, Azure VMs are created, based on the replicated data.

-Virtual machines that are replicated under Site Recovery aren't available in the Azure portal if there are duplicate entries in the system. To learn how to delete stale entries and resolve the issue, refer to [Azure Site Recovery VMware-to-Azure: How to clean up duplicate or stale entries](https://social.technet.microsoft.com/wiki/contents/articles/32026.asr-vmware-to-azure-how-to-cleanup-duplicatestale-entries.aspx).

-This is the third tutorial in a series that shows you how to set up disaster recovery to Azure for on-premises VMware VMs. In the previous tutorial, we [prepared the on-premises VMware environment](vmware-azure-tutorial-prepare-on-premises.md) for disaster recovery to Azure.

-3. In this tutorial we show you how to replicate a single VM. If you're deploying multiple VMware VMs you should use the [Deployment Planner Tool](https://aka.ms/asr-deployment-planner). [Learn more](site-recovery-deployment-planner.md) about this tool.

-Note: In VMware-to-Azure scenario the crash-consistent snapshot is taken at 5 min interval.

-In preview, replication is done by the Azure Site Recovery replication appliance. For detailed information about replication appliance, see [this article](deploy-vmware-azure-replication-appliance-preview.md)

-Machine name | Ensure that the display name of machine does not fall into [Azure reserved resource names](../azure-resource-manager/templates/error-reserved-resource-name.md)<br/><br/> Logical volume names are not case-sensitive. Ensure that no two volumes on a device have same name. Ex: Volumes with names "voLUME1", "volume1" cannot be protected through Azure Site Recovery.

-**Note: For Ubuntu 20.04, we had initially rolled out support for kernels 5.8.* but we have since found issues with support for this kernel and hence have redacted these kernels from our support statement for the time being.

-Boot directory | - Boot disks with GPT partition format are supported. GPT disks are also supported as data disks.<br/><br/> Multiple boot disks on a VM aren't supported<br/><br/> - /boot on an LVM volume across more than one disk isn't supported.<br/> - A machine without a boot disk can't be replicated.

-When you set up disaster recovery for VMware virtual machines (VM) and physical servers using [Azure Site Recovery](site-recovery-overview.md), you install the Site Recovery Mobility service on each on-premises VMware VM and physical server. The Mobility service captures data writes on the machine, and forwards them to the Site Recovery process server. The Mobility service is installed by the Mobility service agent software that you can deploy using the following methods:

-For more information about version 9.23 see [Update Rollup 35 for Azure Site Recovery](https://support.microsoft.com/help/4494485/update-rollup-35-for-azure-site-recovery).

-1. The agent is pushed to the source machine. Copying the agent to the source machine can fail due to multiple environmental errors. Visit [our guidance](vmware-azure-troubleshoot-push-install.md) to troubleshoot push installation failures.

- - The installation fails if one or more of the [prerequisites](vmware-physical-azure-support-matrix.md) aren't met.

-On the configuration server go to the folder _%ProgramData%\ASR\home\svsystems\pushinstallsvc\repository_. Check which installer you need based on the operating system. The following table summarizes the installer files for each VMware VM and physical server operating system. Before you begin, you can review the [supported operating systems](vmware-physical-azure-support-matrix.md#replicated-machines).

- use the following steps to generate mobility service configuration file:

-This will download the Mobility Service configuration file. Copy this file to a local folder in your source machine. You can place it in the same folder as the Mobility Service installer.

-| Protocols | Premium<br><ul><li>SMB 2.1, 3.0, 3.1.1</li><li>NFS 4.1</li><li>REST</li></ul><br>Standard<br><ul><li>SMB 2.1, 3.0, 3.1.1</li><li>REST</li></ul><br> To learn more, see [available file share protocols](./storage-files-planning.md#available-protocols). | All tiers<br><ul><li>SMB 2.x, 3.x</li><li>NFS 3.0, 4.1</li><li>Dual protocol access (NFSv3/SMB)</li></ul><br> To learn more, see how to create [NFS](../../azure-netapp-files/azure-netapp-files-create-volumes.md), [SMB](../../azure-netapp-files/azure-netapp-files-create-volumes-smb.md), or [dual-protocol](../../azure-netapp-files/create-volumes-dual-protocol.md) volumes. |

-| Region Availability | Premium<br><ul><li>30+ Regions</li></ul><br>Standard<br><ul><li>All regions</li></ul><br> To learn more, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=storage). | All tiers<br><ul><li>28+ Regions</li></ul><br> To learn more, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=storage). |

-| Identity-Based Authentication and Authorization | SMB<br><ul><li>Active Directory Domain Services (AD DS)</li><li>Azure Active Directory Domain Services (Azure AD DS)</li></ul><br> Note that identify-based authentication is only supported when using SMB protocol. To learn more, see [FAQ](./storage-files-faq.md#security-authentication-and-access-control). | SMB<br><ul><li>Active Directory Domain Services (AD DS)</li><li>Azure Active Directory Domain Services (Azure AD DS)</li></ul><br> NFS/SMB dual protocol<ul><li>ADDS/LDAP integration</li></ul><br>NFSv3/NFSv4.1<ul><li>ADDS/LDAP integration with NFS extended groups [(preview)](../../azure-netapp-files/configure-ldap-extended-groups.md)</li></ul><br> To learn more, see [Azure NetApp Files NFS FAQ](../../azure-netapp-files/faq-nfs.md) and [Azure NetApp Files SMB FAQ](../../azure-netapp-files/faq-smb.md). |

-| Access Options | <ul><li>Internet</li><li>Secure VNet access</li><li>VPN Gateway</li><li>ExpressRoute</li><li>Azure File Sync</li></ul><br> To learn more, see [network considerations](./storage-files-networking-overview.md). | <ul><li>Secure VNet access</li><li>VPN Gateway</li><li>ExpressRoute</li><li>[Global File Cache](https://cloud.netapp.com/global-file-cache/azure)</li><li>[HPC Cache](../../hpc-cache/hpc-cache-overview.md)</li></ul><br> To learn more, see [network considerations](../../azure-netapp-files/azure-netapp-files-network-topologies.md). |

-| Data Protection | <ul><li>Incremental snapshots</li><li>File/directory user self-restore</li><li>Restore to new location</li><li>In-place revert</li><li>Share-level soft delete</li><li>Azure Backup integration</li></ul><br> To learn more, see [Azure Files enhances data protection capabilities](https://azure.microsoft.com/blog/azure-files-enhances-data-protection-capabilities/). | <ul><li>Snapshots (255/volume)</li><li>File/directory user self-restore</li><li>Restore to new volume</li><li>In-place revert</li><li>[Cross-Region Replication](../../azure-netapp-files/cross-region-replication-introduction.md) </li></ul><br> To learn more, see [How Azure NetApp Files snapshots work](../../azure-netapp-files/snapshots-introduction.md). |

-# Use managed identities to access Azure SQL Database or Azure Synapse Analytics from an Azure Stream Analytics job (Preview)

-Accessibility has always been important to us, so we are pleased to announce that Teams for Azure Virtual Desktop now supports real-time captions. Learn how to use live captions at [Use live captions in a Teams meeting](https://support.microsoft.com/en-us/office/use-live-captions-in-a-teams-meeting-4be2d304-f675-4b57-8347-cbd000a21260). For more information, see [our blog post](https://techcommunity.microsoft.com/t5/azure-virtual-desktop-blog/microsoft-teams-live-captions-is-now-generally-available-on/ba-p/3264148).

-We've released a new version of the FSLogix client with many fixes and improvements. Learn more at [our blog post](https://social.msdn.microsoft.com/Forums/en-US/defe5828-fba4-4715-a68c-0e4d83eefa6b/release-notes-for-fslogix-apps-release-2009-29762130127?forum=FSLogix).

-For a more complex example, here is what multiple data disks looks like in the portal:

-### Partition a new disk

-If you are using an existing disk that contains data, skip to mounting the disk. If you are attaching a new disk, you need to partition the disk.

-The `parted` utility can be used to partition and to format a data disk.

-> [!NOTE]

-> It is recommended that you use the latest version `parted` that is available for your distro.

-> If the disk size is 2 tebibytes (TiB) or larger, you must use GPT partitioning. If disk size is under 2 TiB, then you can use either MBR or GPT partitioning.

-1. When the **Generate new key pair** window opens, select **Download private key and create resource**. Your key file will be download as **myKey.pem**. Make sure you know where the `.pem` file was downloaded, you will need the path to it in the next step.

-Starting in early calendar 2021, the most current Azure Marketplace images with Linux are being changed to use chronyd as the time sync service,

-and chronyd is configured to synchronize against the Azure host rather than an external NTP time source. The Azure host time is usually the best time source to synchronize

-against, as it is maintained very accurately and reliably, and is accessible without the variable network delays inherent in accessing an external NTP time source

-over the public internet.

-In Linux VMs with Accelerated Networking enabled, you may see multiple PTP devices listed because the Mellanox mlx5 driver also creates a /dev/ptp device.

-Because the initialization order can be different each time Linux boots, the PTP device corresponding to the Azure host might be /dev/ptp0 or it might be /dev/ptp1, which makes

-it difficult to configure chronyd with the correct clock source. To solve this problem, the most recent Linux images have a udev rule that creates the

-symlink /dev/ptp_hyperv to whichever /dev/ptp entry corresponds to the Azure host. Chrony should be configured to use this symlink instead of /dev/ptp0 or /dev/ptp1.

-$vm = Set-AzVmSecurityType -VM $vm `

-| Additive Features | One or more lower case letters denote additive features, such as: <br> a = AMD-based processor <br> d = diskful (i.e., a local temp disk is present); this is for newer Azure VMs, see [Ddv4 and Ddsv4-series](./ddv4-ddsv4-series.md) <br> i = isolated size <br> l = low memory; a lower amount of memory than the memory intensive size <br> m = memory intensive; the most amount of memory in a particular size <br> t = tiny memory; the smallest amount of memory in a particular size <br> s = Premium Storage capable, including possible use of [Ultra SSD](./disks-types.md#ultra-disks) (Note: some newer sizes without the attribute of s can still support Premium Storage e.g. M128, M64, etc.)<br> |

-1. Go to one of the virtual networks in the portal and select **Peerings** under *Settings*. You should see a new peering connection create between the hub and the spokes virtual network with *AVNM* in the name.

-1. Select **Network groups** under *Settings*, and then select **+ Add** to create a new network group.

- :::image type="content" source="./media/tutorial-create-secured-hub-and-spoke/add-network-group.png" alt-text="Screenshot of add a network group button.":::

-1. On the *Basics* tab, enter a **Name** and a **Description** for the network group.

- :::image type="content" source="./media/how-to-create-hub-and-spoke/basics.png" alt-text="Screenshot of basics tab for add a network group.":::

-1. To add virtual network manually, select the **Static group members** tab. For more information, see [static members](concept-network-groups.md#static-membership).

- :::image type="content" source="./media/how-to-create-hub-and-spoke/static-group.png" alt-text="Screenshot of static group members tab.":::

-1. To add virtual networks dynamically, select the **Conditional statements** tab. For more information, see [dynamic membership](concept-network-groups.md#dynamic-membership).

- :::image type="content" source="./media/how-to-create-hub-and-spoke/conditional-statements.png" alt-text="Screenshot of conditional statements tab.":::

-1. Once you're satisfied with the virtual networks selected for the network group, select **Review + create**. Then select **Create** once validation has passed.

-1. Select **Configuration** under *Settings*, then select **+ Add a configuration**.

- :::image type="content" source="./media/how-to-create-hub-and-spoke/configuration-list.png" alt-text="Screenshot of the configurations list.":::

-1. Select **Connectivity** from the drop-down menu.

-1. On the *Add a connectivity configuration* page, enter, or select the following information:

- :::image type="content" source="./media/how-to-create-hub-and-spoke/connectivity-configuration.png" alt-text="Screenshot of add a connectivity configuration page.":::

- | Topology | Select the **Hub and spoke** topology. |

- | Hub | Select a virtual network that will act as the hub virtual network. |

- | Existing peerings | Select this checkbox if you want to remove all previously created VNet peering between virtual networks in the network group defined in this configuration. |

-1. Then select **+ Add network groups**.

-1. On the *Add network groups* page, select the network groups you want to add to this configuration. Then select **Add** to save.

-1. You'll see the following three options appear next to the network group name under *Spoke network groups*:

-

- * *Direct connectivity*: Select **Enable peering within network group** if you want to establish VNet peering between virtual networks in the network group of the same region.

- * *Global Mesh*: Select **Enable mesh connectivity across regions** if you want to establish VNet peering for all virtual networks in the network group across regions.

- * *Gateway*: Select **Use hub as a gateway** if you have a virtual network gateway in the hub virtual network that you want this network group to use to pass traffic to on-premises.

-1. Finally, select **Add** to create the hub-and-spoke connectivity configuration.

-To have this configuration take effect in your environment, you'll need to deploy the configuration to the regions where your selected virtual network are created.

-1. Select **Deployments** under *Settings*, then select **Deploy a configuration**.

- | Configuration type | Select **Connectivity**. |

- | Configurations | Select the name of the configuration you created in the previous section. |

- | Target regions | Select all the regions that apply to virtual networks you select for the configuration. |

-1. Select **Deploy** and then select **OK** to commit the configuration to the selected regions.

-1. The deployment of the configuration can take up to 15-20 minutes, select the **Refresh** button to check on the status of the deployment.

-1. See [view applied configuration](how-to-view-applied-configurations.md).

-1. Select **Configuration** under *Settings*, then select **+ Create**.

- :::image type="content" source="media/tutorial-create-secured-hub-and-spoke/select-network-group.png" alt-text="Screenshot of Add network groups page.":::

-1. Select **Next: Review + create >** and then create the connectivity configuration.

-1. Select **Deploy**. You should now see the deployment show up in the list for those regions. The deployment of the configuration can take several minutes to complete.

-1. Select **Configuration** under *Settings* again, then select **+ Create**, and select **SecurityAdmin** from the menu to begin creating a SecurityAdmin configuration..

-1. Select **Next** and then **Deploy**.You should now see the deployment show up in the list for the selected region. The deployment of the configuration can take about 15-20 minutes to complete.

-Learn about how Azure routes traffic between Azure, on-premises, and Internet resources. Azure automatically creates a route table for each subnet within an Azure virtual network and adds system default routes to the table. To learn more about virtual networks and subnets, see [Virtual network overview](virtual-networks-overview.md). You can override some of Azure's system routes with [custom routes](#custom-routes), and add additional custom routes to route tables. Azure routes outbound traffic from a subnet based on the routes in a subnet's route table.

-Azure automatically creates system routes and assigns the routes to each subnet in a virtual network. You can't create system routes, nor can you remove system routes, but you can override some system routes with [custom routes](#custom-routes). Azure creates default system routes for each subnet, and adds additional [optional default routes](#optional-default-routes) to specific subnets, or every subnet, when you use specific Azure capabilities.

-* **Virtual network**: Routes traffic between address ranges within the [address space](manage-virtual-network.md#add-or-remove-an-address-range) of a virtual network. Azure creates a route with an address prefix that corresponds to each address range defined within the address space of a virtual network. If the virtual network address space has multiple address ranges defined, Azure creates an individual route for each address range. Azure automatically routes traffic between subnets using the routes created for each address range. You don't need to define gateways for Azure to route traffic between subnets. Though a virtual network contains subnets, and each subnet has a defined address range, Azure does *not* create default routes for subnet address ranges, because each subnet address range is within an address range of the address space of a virtual network.<br>

-* **Internet**: Routes traffic specified by the address prefix to the Internet. The system default route specifies the 0.0.0.0/0 address prefix. If you don't override Azure's default routes, Azure routes traffic for any address not specified by an address range within a virtual network, to the Internet, with one exception. If the destination address is for one of Azure's services, Azure routes the traffic directly to the service over Azure's backbone network, rather than routing the traffic to the Internet. Traffic between Azure services does not traverse the Internet, regardless of which Azure region the virtual network exists in, or which Azure region an instance of the Azure service is deployed in. You can override Azure's default system route for the 0.0.0.0/0 address prefix with a [custom route](#custom-routes).<br>

-* **None**: Traffic routed to the **None** next hop type is dropped, rather than routed outside the subnet. Azure automatically creates default routes for the following address prefixes:<br>

- * **10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16**: Reserved for private use in RFC 1918.<br>

-Azure adds additional default system routes for different Azure capabilities, but only if you enable the capabilities. Depending on the capability, Azure adds optional default routes to either specific subnets within the virtual network, or to all subnets within a virtual network. The additional system routes and next hop types that Azure may add when you enable different capabilities are:

-* **Virtual network (VNet) peering**: When you create a virtual network peering between two virtual networks, a route is added for each address range within the address space of each virtual network a peering is created for. Learn more about [virtual network peering](virtual-network-peering-overview.md).<br>

-* **Virtual network gateway**: One or more routes with *Virtual network gateway* listed as the next hop type are added when a virtual network gateway is added to a virtual network. The source is also *virtual network gateway*, because the gateway adds the routes to the subnet. If your on-premises network gateway exchanges border gateway protocol ([BGP](#border-gateway-protocol)) routes with an Azure virtual network gateway, a route is added for each route propagated from the on-premises network gateway. It's recommended that you summarize on-premises routes to the largest address ranges possible, so the fewest number of routes are propagated to an Azure virtual network gateway. There are limits to the number of routes you can propagate to an Azure virtual network gateway. For details, see [Azure limits](../azure-resource-manager/management/azure-subscription-service-limits.md?toc=%2fazure%2fvirtual-network%2ftoc.json#networking-limits).<br>

-* **VirtualNetworkServiceEndpoint**: The public IP addresses for certain services are added to the route table by Azure when you enable a service endpoint to the service. Service endpoints are enabled for individual subnets within a virtual network, so the route is only added to the route table of a subnet a service endpoint is enabled for. The public IP addresses of Azure services change periodically. Azure manages the addresses in the route table automatically when the addresses change. Learn more about [virtual network service endpoints](virtual-network-service-endpoints-overview.md), and the services you can create service endpoints for.<br>

- > The **VNet peering** and **VirtualNetworkServiceEndpoint** next hop types are only added to route tables of subnets within virtual networks created through the Azure Resource Manager deployment model. The next hop types are not added to route tables that are associated to virtual network subnets created through the classic deployment model. Learn more about Azure [deployment models](../azure-resource-manager/management/deployment-models.md?toc=%2fazure%2fvirtual-network%2ftoc.json).

-You can create custom, or user-defined(static), routes in Azure to override Azure's default system routes, or to add additional routes to a subnet's route table. In Azure, you create a route table, then associate the route table to zero or more virtual network subnets. Each subnet can have zero or one route table associated to it. To learn about the maximum number of routes you can add to a route table and the maximum number of user-defined route tables you can create per Azure subscription, see [Azure limits](../azure-resource-manager/management/azure-subscription-service-limits.md?toc=%2fazure%2fvirtual-network%2ftoc.json#networking-limits). If you create a route table and associate it to a subnet, the routes within it are combined with, or override, the default routes Azure adds to a subnet by default.

-* **Virtual appliance**: A virtual appliance is a virtual machine that typically runs a network application, such as a firewall. To learn about a variety of pre-configured network virtual appliances you can deploy in a virtual network, see the [Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/category/networking?page=1&subcategories=appliances). When you create a route with the **virtual appliance** hop type, you also specify a next hop IP address. The IP address can be:

- * The [private IP address](./ip-services/private-ip-addresses.md) of a network interface attached to a virtual machine. Any network interface attached to a virtual machine that forwards network traffic to an address other than its own must have the Azure *Enable IP forwarding* option enabled for it. The setting disables Azure's check of the source and destination for a network interface. Learn more about how to [enable IP forwarding for a network interface](virtual-network-network-interface.md#enable-or-disable-ip-forwarding). Though *Enable IP forwarding* is an Azure setting, you may also need to enable IP forwarding within the virtual machine's operating system for the appliance to forward traffic between private IP addresses assigned to Azure network interfaces. If the appliance must route traffic to a public IP address, it must either proxy the traffic, or network address translate the private IP address of the source's private IP address to its own private IP address, which Azure then network address translates to a public IP address, before sending the traffic to the Internet. To determine required settings within the virtual machine, see the documentation for your operating system or network application. To understand outbound connections in Azure, see [Understanding outbound connections](../load-balancer/load-balancer-outbound-connections.md?toc=%2fazure%2fvirtual-network%2ftoc.json).<br>

- > Deploy a virtual appliance into a different subnet than the resources that route through the virtual appliance are deployed in. Deploying the virtual appliance to the same subnet, then applying a route table to the subnet that routes traffic through the virtual appliance, can result in routing loops, where traffic never leaves the subnet.

-* **Virtual network gateway**: Specify when you want traffic destined for specific address prefixes routed to a virtual network gateway. The virtual network gateway must be created with type **VPN**. You cannot specify a virtual network gateway created as type **ExpressRoute** in a user-defined route because with ExpressRoute, you must use BGP for custom routes. You cannot specify Virtual Network Gateways if you have VPN and ExpressRoute coexisting connections either. You can define a route that directs traffic destined for the 0.0.0.0/0 address prefix to a [route-based](../vpn-gateway/vpn-gateway-about-vpn-gateway-settings.md?toc=%2fazure%2fvirtual-network%2ftoc.json#vpntype) virtual network gateway. On your premises, you might have a device that inspects the traffic and determines whether to forward or drop the traffic. If you intend to create a user-defined route for the 0.0.0.0/0 address prefix, read [0.0.0.0/0 address prefix](#default-route) first. Instead of configuring a user-defined route for the 0.0.0.0/0 address prefix, you can advertise a route with the 0.0.0.0/0 prefix via BGP, if you've [enabled BGP for a VPN virtual network gateway](../vpn-gateway/vpn-gateway-bgp-resource-manager-ps.md?toc=%2fazure%2fvirtual-network%2ftoc.json).<br>

-* **None**: Specify when you want to drop traffic to an address prefix, rather than forwarding the traffic to a destination. If you haven't fully configured a capability, Azure may list *None* for some of the optional system routes. For example, if you see *None* listed as the **Next hop IP address** with a **Next hop type** of *Virtual network gateway* or *Virtual appliance*, it may be because the device isn't running, or isn't fully configured. Azure creates system [default routes](#default) for reserved address prefixes with **None** as the next hop type.<br>

-* **Virtual network**: Specify when you want to override the default routing within a virtual network. See [Routing example](#routing-example), for an example of why you might create a route with the **Virtual network** hop type.<br>

-You cannot specify **VNet peering** or **VirtualNetworkServiceEndpoint** as the next hop type in user-defined routes. Routes with the **VNet peering** or **VirtualNetworkServiceEndpoint** next hop types are only created by Azure, when you configure a virtual network peering, or a service endpoint.

-You can now specify a [service tag](service-tags-overview.md) as the address prefix for a user-defined route instead of an explicit IP range. A service tag represents a group of IP address prefixes from a given Azure service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change, minimizing the complexity of frequent updates to user-defined routes and reducing the number of routes you need to create. You can currently create 25 or less routes with service tags in each route table. With this release, using service tags in routing scenarios for containers is also supported. </br>

-When there is an exact prefix match between a route with an explicit IP prefix and a route with a Service Tag, preference is given to the route with the explicit prefix. When multiple routes with Service Tags have matching IP prefixes, routes will be evaluated in the following order:

- 1. Regional tags (eg. Storage.EastUS, AppService.AustraliaCentral)

- 2. Top level tags (eg. Storage, AppService)

- 3. AzureCloud regional tags (eg. AzureCloud.canadacentral, AzureCloud.eastasia)

-To use this feature specify a Service Tag name for the address prefix parameter in route table commands. For example, in PowerShell you can create a new route to direct traffic sent to an Azure Storage IP prefix to a virtual appliance by using: </br></br>

-The same command for CLI will be: </br>

-</br>

-#### Known Issues (April 2021)

-When BGP routes are present or a Service Endpoint is configured on your subnet, routes may not be evaluated with the correct priority. This feature does not currently work for dual stack (IPv4+IPv6) virtual networks. A fix for these scenarios is currently in progress </br>

-> [!NOTE]

-> While in Public Preview, there are several limitations. The feature is not currently supported in the Azure Portal and is only available through PowerShell and CLI. There is no support for use with containers.

-|Virtual network |VNetLocal |VNETLocal (not available in the classic CLI in asm mode)|

-|Internet |Internet |Internet (not available in the classic CLI in asm mode)|

-|None |None |Null (not available in the classic CLI in asm mode)|

-* **ExpressRoute**: You must use BGP to advertise on-premises routes to the Microsoft Edge router. You cannot create user-defined routes to force traffic to the ExpressRoute virtual network gateway if you deploy a virtual network gateway deployed as type: ExpressRoute. You can use user-defined routes for forcing traffic from the Express Route to, for example, a Network Virtual Appliance.<br>

-ER and VPN Gateway route propagation can be disabled on a subnet using a property on a route table. When you do so, routes are not added to the route table of all subnets with Virtual network gateway route propagation disabled (both static routes and BGP routes). Connectivity with VPN connections is achieved using [custom routes](#custom-routes) with a next hop type of *Virtual network gateway*. **Route propagation should not be disabled on the GatewaySubnet. The gateway will not function with this setting disabled.** For details, see [How to disable Virtual network gateway route propagation](manage-route-table.md#create-a-route-table).

-A route with the 0.0.0.0/0 address prefix instructs Azure how to route traffic destined for an IP address that is not within the address prefix of any other route in a subnet's route table. When a subnet is created, Azure creates a [default](#default) route to the 0.0.0.0/0 address prefix, with the **Internet** next hop type. If you don't override this route, Azure routes all traffic destined to IP addresses not included in the address prefix of any other route, to the Internet. The exception is that traffic to the public IP addresses of Azure services remains on the Azure backbone network, and is not routed to the Internet. If you override this route, with a [custom](#custom-routes) route, traffic destined to addresses not within the address prefixes of any other route in the route table is sent to a network virtual appliance or virtual network gateway, depending on which you specify in a custom route.

-* Azure sends all traffic to the next hop type specified in the route, including traffic destined for public IP addresses of Azure services. When the next hop type for the route with the 0.0.0.0/0 address prefix is **Internet**, traffic from the subnet destined to the public IP addresses of Azure services never leaves Azure's backbone network, regardless of the Azure region the virtual network or Azure service resource exist in. When you create a user-defined or BGP route with a **Virtual network gateway** or **Virtual appliance** next hop type however, all traffic, including traffic sent to public IP addresses of Azure services you haven't enabled [service endpoints](virtual-network-service-endpoints-overview.md) for, is sent to the next hop type specified in the route. If you've enabled a service endpoint for a service, traffic to the service is not routed to the next hop type in a route with the 0.0.0.0/0 address prefix, because address prefixes for the service are specified in the route that Azure creates when you enable the service endpoint, and the address prefixes for the service are longer than 0.0.0.0/0.

-* You are no longer able to directly access resources in the subnet from the Internet. You can indirectly access resources in the subnet from the Internet, if inbound traffic passes through the device specified by the next hop type for a route with the 0.0.0.0/0 address prefix before reaching the resource in the virtual network. If the route contains the following values for next hop type:<br>

- * **Virtual appliance**: The appliance must:<br>

- * Be accessible from the Internet<br>

- * Have a public IP address assigned to it,<br>

- * Not have a network security group rule associated to it that prevents communication to the device<br>

- * Not deny the communication<br>

-If your virtual network is connected to an Azure VPN gateway, do not associate a route table to the [gateway subnet](../vpn-gateway/vpn-gateway-about-vpn-gateway-settings.md?toc=%2fazure%2fvirtual-network%2ftoc.json#gwsub) that includes a route with a destination of 0.0.0.0/0. Doing so can prevent the gateway from functioning properly. For details, see the *Why are certain ports opened on my VPN gateway?* question in the [VPN Gateway FAQ](../vpn-gateway/vpn-gateway-vpn-faq.md?toc=%2fazure%2fvirtual-network%2ftoc.json#gatewayports).

-* A scenario, with requirements<br>

-* The custom routes necessary to meet the requirements<br>

-> This example is not intended to be a recommended or best practice implementation. Rather, it is provided only to illustrate concepts in this article.

- * Force all outbound traffic from the subnet, except to Azure Storage and within the subnet, to flow through a network virtual appliance, for inspection and logging.<br>

- * Do not inspect traffic between private IP addresses within the subnet; allow traffic to flow directly between all resources.<br>

- * Drop any outbound traffic destined for the other virtual network.<br>

-An explanation of each route ID follows:

-1. Azure automatically added this route for all subnets within *Virtual-network-1*, because 10.0.0.0/16 is the only address range defined in the address space for the virtual network. If the user-defined route in route ID2 weren't created, traffic sent to any address between 10.0.0.1 and 10.0.255.254 would be routed within the virtual network, because the prefix is longer than 0.0.0.0/0, and not within the address prefixes of any of the other routes. Azure automatically changed the state from *Active* to *Invalid*, when ID2, a user-defined route, was added, since it has the same prefix as the default route, and user-defined routes override default routes. The state of this route is still *Active* for *Subnet2*, because the route table that user-defined route, ID2 is in, isn't associated to *Subnet2*.

-2. Azure added this route when a user-defined route for the 10.0.0.0/16 address prefix was associated to the *Subnet1* subnet in the *Virtual-network-1* virtual network. The user-defined route specifies 10.0.100.4 as the IP address of the virtual appliance, because the address is the private IP address assigned to the virtual appliance virtual machine. The route table this route exists in is not associated to *Subnet2*, so doesn't appear in the route table for *Subnet2*. This route overrides the default route for the 10.0.0.0/16 prefix (ID1), which automatically routed traffic addressed to 10.0.0.1 and 10.0.255.254 within the virtual network through the virtual network next hop type. This route exists to meet [requirement](#requirements) 3, to force all outbound traffic through a virtual appliance.

-3. Azure added this route when a user-defined route for the 10.0.0.0/24 address prefix was associated to the *Subnet1* subnet. Traffic destined for addresses between 10.0.0.1 and 10.0.0.254 remains within the subnet, rather than being routed to the virtual appliance specified in the previous rule (ID2), because it has a longer prefix than the ID2 route. This route was not associated to *Subnet2*, so the route does not appear in the route table for *Subnet2*. This route effectively overrides the ID2 route for traffic within *Subnet1*. This route exists to meet [requirement](#requirements) 3.

-4. Azure automatically added the routes in IDs 4 and 5 for all subnets within *Virtual-network-1*, when the virtual network was peered with *Virtual-network-2.* *Virtual-network-2* has two address ranges in its address space: 10.1.0.0/16 and 10.2.0.0/16, so Azure added a route for each range. If the user-defined routes in route IDs 6 and 7 weren't created, traffic sent to any address between 10.1.0.1-10.1.255.254 and 10.2.0.1-10.2.255.254 would be routed to the peered virtual network, because the prefix is longer than 0.0.0.0/0, and not within the address prefixes of any of the other routes. Azure automatically changed the state from *Active* to *Invalid*, when the routes in IDs 6 and 7 were added, since they have the same prefixes as the routes in IDs 4 and 5, and user-defined routes override default routes. The state of the routes in IDs 4 and 5 are still *Active* for *Subnet2*, because the route table that the user-defined routes in IDs 6 and 7 are in, isn't associated to *Subnet2*. A virtual network peering was created to meet [requirement](#requirements) 1.

-5. Same explanation as ID4.

-6. Azure added this route and the route in ID7, when user-defined routes for the 10.1.0.0/16 and 10.2.0.0/16 address prefixes were associated to the *Subnet1* subnet. Traffic destined for addresses between 10.1.0.1-10.1.255.254 and 10.2.0.1-10.2.255.254 is dropped by Azure, rather than being routed to the peered virtual network, because user-defined routes override default routes. The routes are not associated to *Subnet2*, so the routes do not appear in the route table for *Subnet2*. The routes override the ID4 and ID5 routes for traffic leaving *Subnet1*. The ID6 and ID7 routes exist to meet [requirement](#requirements) 3 to drop traffic destined to the other virtual network.

-7. Same explanation as ID6.

-8. Azure automatically added this route for all subnets within *Virtual-network-1* when a VPN type virtual network gateway was created within the virtual network. Azure added the public IP address of the virtual network gateway to the route table. Traffic sent to any address between 10.10.0.1 and 10.10.255.254 is routed to the virtual network gateway. The prefix is longer than 0.0.0.0/0 and not within the address prefixes of any of the other routes. A virtual network gateway was created to meet [requirement](#requirements) 2.

-9. Azure added this route when a user-defined route for the 10.10.0.0/16 address prefix was added to the route table associated to *Subnet1*. This route overrides ID8. The route sends all traffic destined for the on-premises network to an NVA for inspection, rather than routing traffic directly on-premises. This route was created to meet [requirement](#requirements) 3.

-10. Azure automatically added this route to the subnet when a service endpoint to an Azure service was enabled for the subnet. Azure routes traffic from the subnet to a public IP address of the service, over the Azure infrastructure network. The prefix is longer than 0.0.0.0/0 and not within the address prefixes of any of the other routes. A service endpoint was created to meet [requirement](#requirements) 3, to enable traffic destined for Azure Storage to flow directly to Azure Storage.

-11. Azure automatically added this route to the route table of all subnets within *Virtual-network-1* and *Virtual-network-2.* The 0.0.0.0/0 address prefix is the shortest prefix. Any traffic sent to addresses within a longer address prefix are routed based on other routes. By default, Azure routes all traffic destined for addresses other than the addresses specified in one of the other routes to the Internet. Azure automatically changed the state from *Active* to *Invalid* for the *Subnet1* subnet when a user-defined route for the 0.0.0.0/0 address prefix (ID12) was associated to the subnet. The state of this route is still *Active* for all other subnets within both virtual networks, because the route isn't associated to any other subnets within any other virtual networks.

-12. Azure added this route when a user-defined route for the 0.0.0.0/0 address prefix was associated to the *Subnet1* subnet. The user-defined route specifies 10.0.100.4 as the IP address of the virtual appliance. This route is not associated to *Subnet2*, so the route does not appear in the route table for *Subnet2*. All traffic for any address not included in the address prefixes of any of the other routes is sent to the virtual appliance. The addition of this route changed the state of the default route for the 0.0.0.0/0 address prefix (ID11) from *Active* to *Invalid* for *Subnet1*, because a user-defined route overrides a default route. This route exists to meet the third [requirement](#requirements).

-* [Create a user-defined route table with routes and a network virtual appliance](tutorial-create-route-table-portal.md)<br>

-* [Configure BGP for an Azure VPN Gateway](../vpn-gateway/vpn-gateway-bgp-resource-manager-ps.md?toc=%2fazure%2fvirtual-network%2ftoc.json)<br>

-* [Use BGP with ExpressRoute](../expressroute/expressroute-routing.md?toc=%2fazure%2fvirtual-network%2ftoc.json#route-aggregation-and-prefix-limits)<br>

-* [View all routes for a subnet](diagnose-network-routing-problem.md). A user-defined route table only shows you the user-defined routes, not the default, and BGP routes for a subnet. Viewing all routes shows you the default, BGP, and user-defined routes for the subnet a network interface is in.<br>

-Each User VPN P2S gateway has two instances. Each instance supports up to a certain number of connections as the scale units change. Scale unit 1-3 supports 500 connections, scale unit 4-6 supports 1000 connections, scale unit 7-12 supports 5000 connections, and scale unit 13-18 supports up to 10,000 connections.

-For example, let's say the user chooses 1 scale unit. Each scale unit would imply an active-active gateway deployed and each of the instances (in this case 2) would support up to 500 connections. Since you can get 500 connections * 2 per gateway, it doesn't mean that you plan for 1000 instead of the 500 for this scale unit. Instances may need to be serviced during which connectivity for the extra 500 may be interrupted if you surpass the recommended connection count. Also, be sure to plan for downtime in case you decide to scale up or down on the scale unit, or change the point-to-site configuration on the VPN gateway.