+In addition, we recommend that you also block your own domain name from being embedded in an iframe by setting the `Content-Security-Policy` and `X-Frame-Options` headers respectively on your application pages. This will mitigate security concerns around older browsers related to nested embedding of iframes.

+With Azure AD B2C [user interface customization](customize-ui.md), you have almost full control over the HTML and CSS content presented to users. Follow the steps for customizing an HTML page using content definitions. To fit the Azure AD B2C user interface into the iframe size, provide clean HTML page without a background and extra spaces.

+In some cases, you may want to notify your application about the Azure AD B2C page that's currently being presented. For example, when a user selects the sign-up option, you may want the application to respond by hiding the links for signing in with a social account or adjusting the iframe size.

+To notify your application about the current Azure AD B2C page, [enable your policy for JavaScript](./javascript-and-page-layout.md), and then use HTML5 to post messages. The following JavaScript code sends a post message to the app with `signUp`:

+To support embedded login, the iframe `src` attribute points to the sign-in controller, such as `/account/SignUpSignIn`, which generates the authorization request and redirects the user to Azure AD B2C policy.

+For a single-page application, you'll also need a second "sign-in" HTML page that loads into the iframe. This sign-in page hosts the authentication library code that generates the authorization code and returns the token.

+When the single-page application needs the access token, use JavaScript code to obtain the access token from the iframe and the object that contains it.

+Welcome to what's new in Azure Active Directory B2C documentation. This article lists new docs that have been added and those that have had significant updates in the last three months. To learn what's new with the B2C service, see [What's new in Azure Active Directory](../active-directory/fundamentals/whats-new.md) and [Azure AD B2C developer release notes](custom-policy-developer-notes.md)

+* A managed domain must be deployed in its own subnet. Using an existing subnet, gateway subnet, or remote gateways settings in the virtual network peering is unsupported.

+> - Filtering is not supported for multi-valued attributes.

+> - Scoping filters will return "false" if the value is null / empty.

+PATCH https://graph.microsoft.com/beta/applications/{<object-id-of--the-complex-app-under-APP-Registrations}

+| Providers | This will show any existing authentication providers that you've associated with your account. Adding new providers is disabled as of September 1, 2018. |

+| Managed |**Specific range of IP addresses**: Administrators specify a range of IP addresses that can bypass multi-factor authentications for users who sign in from the company intranet. A maximum of 50 trusted IP ranges can be configured.|

+| Federated |**All Federated Users**: All federated users who sign in from inside the organization can bypass multi-factor authentications. Users bypass verifications by using a claim that's issued by Active Directory Federation Services (AD FS).<br/>**Specific range of IP addresses**: Administrators specify a range of IP addresses that can bypass multi-factor authentication for users who sign in from the company intranet. |

+Regardless of whether trusted IPs are defined, multi-factor authentication is required for browser flows. App passwords are required for older rich-client applications.

+ * **For requests from federated users originating from my intranet**: To choose this option, select the checkbox. All federated users who sign in from the corporate network bypass multi-factor authentications by using a claim that's issued by AD FS. Ensure that AD FS has a rule to add the intranet claim to the appropriate traffic. If the rule doesn't exist, create the following rule in AD FS:

+ `c:[Type== "https://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"] => issue(claim = c);`

+ * Enter up to 50 IP address ranges. Users who sign in from these IP addresses bypass multi-factor authentications.

+ `c:[Type== "https://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"] => issue(claim = c);`

+ * Enter up to 50 IP address ranges. Users who sign in from these IP addresses bypass multi-factor authentications.

+1. Set the number of days to allow trusted devices to bypass multi-factor authentications. For the optimal user experience, extend the duration to 90 or more days.

+The What If tool requires only a **User** or **Workload identity** to get started.

+* Cloud apps, actions, or authentication context

+* Client apps

+* Device state

+* User risk level

+* Service principal risk (Preview)

+* Filter for devices

+This list will show which Conditional Access policies would apply given the conditions. The list will include both the grant and session controls that apply including those from policies in report-only mode. Examples include requiring multi-factor authentication to access a specific application.

+This list will show Conditional Access policies that wouldn't apply if the conditions applied. The list will include any policies and the reason why they don't apply including those from policies in report-only mode. Examples include users and groups that may be excluded from a policy.

+* [What is Conditional Access report-only mode?](concept-conditional-access-report-only.md)

+| Common Base Linux Mariner (CBL-Mariner) | CBL-Mariner 1, CBL-Mariner 2 |

+| Debian | Debian 9, Debian 10, Debian 11 |

+| Ubuntu Server | Ubuntu Server 16.04 to Ubuntu Server 22.04 |

+- SSH client must support OpenSSH based certificates for authentication. You can use Az CLI (2.21.1 or higher) with OpenSSH (included in Windows 10 version 1803 or higher) or Azure Cloud Shell to meet this requirement.

+- SSH extension for Az CLI. You can install this using `az extension add --name ssh`. You donΓÇÖt need to install this extension when using Azure Cloud Shell as it comes pre-installed.

+- If youΓÇÖre using any other SSH client other than Az CLI or Azure Cloud Shell that supports OpenSSH certificates, youΓÇÖll still need to use Az CLI with SSH extension to retrieve ephemeral SSH cert and optionally a config file and then use the config file with your SSH client.

+To use Azure AD login in for Linux VM in Azure, you need to first enable Azure AD login option for your Linux VM, configure Azure role assignments for users who are authorized to login in to the VM and then use SSH client that supports OpensSSH such as Az CLI or Az Cloud Shell to SSH to your Linux VM. There are multiple ways you can enable Azure AD login for your Linux VM, as an example you can use:

+## Install SSH extension for Az CLI

+If youΓÇÖre using Azure Cloud Shell, then no other setup is needed as both the minimum required version of Az CLI and SSH extension for Az CLI are already included in the Cloud Shell environment.

+Run the following command to add SSH extension for Az CLI

+> Conditional Access policy enforcement requiring device compliance or Hybrid Azure AD join on the client device running SSH client only works with Az CLI running on Windows and macOS. It is not supported when using Az CLI on Linux or Azure Cloud Shell.

+### Using Az CLI

+If prompted, enter your Azure AD login credentials at the login page, perform an MFA, and/or satisfy device checks. YouΓÇÖll only be prompted if your az CLI session doesnΓÇÖt already meet any required Conditional Access criteria. Close the browser window, return to the SSH prompt, and youΓÇÖll be automatically connected to the VM.

+Once authentication with a service principal is complete, use the normal Az CLI SSH commands to connect to the VM.

+Use Azure Policy to ensure Azure AD login is enabled for your new and existing Linux virtual machines and assess compliance of your environment at scale on your Azure Policy compliance dashboard. With this capability, you can use many levels of enforcement: you can flag new and existing Linux VMs within your environment that donΓÇÖt have Azure AD login enabled. You can also use Azure Policy to deploy the Azure AD extension on new Linux VMs that donΓÇÖt have Azure AD login enabled, as well as remediate existing Linux VMs to the same standard. In addition to these capabilities, you can also use Azure Policy to detect and flag Linux VMs that have non-approved local accounts created on their machines. To learn more, review [Azure Policy](../../governance/policy/overview.md).

+Cause 1: If sshd_config contains either AllowGroups or DenyGroups statements, the very first login fails for Azure AD users. If the statement was added after a user already has a successful login, they can log in.

+>This information last updated on June 20th, 2022.<br/>You can also download a CSV version of this table [here](https://download.microsoft.com/download/e/3/e/e3e9faf2-f28b-490a-9ada-c6089a1fc5b0/Product%20names%20and%20service%20plan%20identifiers%20for%20licensing.csv).

+| Dynamics 365 for Customer Service Enterprise Edition | DYN365_ENTERPRISE_CUSTOMER_SERVICE | 749742bf-0d37-4158-a120-33567104deeb | D365_CSI_EMBED_CSEnterprise (5b1e5982-0e88-47bb-a95e-ae6085eda612)<br/>DYN365_ENTERPRISE_CUSTOMER_SERVICE (99340b49-fb81-4b1e-976b-8f2ae8e9394f)<br/>Forms_Pro_Service (67bf4812-f90b-4db9-97e7-c0bbbf7b2d09)<br/>NBENTERPRISE (03acaee3-9492-4f40-aed4-bcb6b32981b6)<br/>EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>PROJECT_ESSENTIALS (1259157c-8581-4875-bca7-2ffb18c51bda)<br/>SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72)<br/>POWERAPPS_DYN_APPS (874fc546-6efe-4d22-90b8-5c4e7aa59f4b)<br/>FLOW_DYN_APPS (7e6d7d78-73de-46ba-83b1-6d25117334ba) | Dynamics 365 Customer Service Insights for CS Enterprise (5b1e5982-0e88-47bb-a95e-ae6085eda612)<br/>Dynamics 365 for Customer Service (99340b49-fb81-4b1e-976b-8f2ae8e9394f)<br/>Microsoft Dynamics 365 Customer Voice for Customer Service Enterprise (67bf4812-f90b-4db9-97e7-c0bbbf7b2d09)<br/>Microsoft Social Engagement (03acaee3-9492-4f40-aed4-bcb6b32981b6)<br/>Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Office for the Web (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>Project Online Essentials (1259157c-8581-4875-bca7-2ffb18c51bda)<br/>SharePoint (Plan 2) (5dbe027f-2339-4123-9542-606e4d348a72)<br/>Power Apps for Dynamics 365 (874fc546-6efe-4d22-90b8-5c4e7aa59f4b)<br/>Power Automate for Dynamics 365 (7e6d7d78-73de-46ba-83b1-6d25117334ba) |

+| Dynamics 365 for Field Service Attach to Qualifying Dynamics 365 Base Offer | D365_FIELD_SERVICE_ATTACH | a36cdaa2-a806-4b6e-9ae0-28dbd993c20e | D365_FIELD_SERVICE_ATTACH (55c9148b-d5f0-4101-b5a0-b2727cfc0916)<br/>EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318) | Dynamics 365 for Field Service Attach (55c9148b-d5f0-4101-b5a0-b2727cfc0916)<br/>Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318) |

+| Dynamics 365 for Marketing USL | D365_MARKETING_USER | 4b32a493-9a67-4649-8eb9-9fc5a5f75c12 | DYN365_MARKETING_MSE_USER (2824c69a-1ac5-4397-8592-eae51cb8b581)<br/>DYN365_MARKETING_USER (5d7a6abc-eebd-46ab-96e1-e4a2f54a2248)<br/>Forms_Pro_Marketing (76366ba0-d230-47aa-8087-b6d55dae454f)<br/>EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>MCOMEETBASIC (9974d6cf-cd24-4ba2-921c-e2aa687da846) | Dynamics 365 for Marketing MSE User (2824c69a-1ac5-4397-8592-eae51cb8b581)<br/>Dynamics 365 for Marketing USL (5d7a6abc-eebd-46ab-96e1-e4a2f54a2248)<br/>Microsoft Dynamics 365 Customer Voice for Marketing (76366ba0-d230-47aa-8087-b6d55dae454f)<br/>Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Microsoft Teams Audio Conferencing with dial-out to select geographies (9974d6cf-cd24-4ba2-921c-e2aa687da846) |

+| Microsoft 365 Apps for enterprise | OFFICESUBSCRIPTION | c2273bd0-dff7-4215-9ef5-2c7bcfb06425 | EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)<br/>FORMS_PLAN_E1 (159f4cd6-e380-449f-a816-af1a9ef76344)<br/>MICROSOFT_SEARCH (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>INTUNE_O365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>ONEDRIVESTANDARD (13696edf-5a08-49f6-8134-03083ed8ba30)<br/>SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>WHITEBOARD_PLAN2 (94a54592-cd8b-425e-87c6-97868b000b91)<br/>EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)<br/>ONEDRIVESTANDARD (13696edf-5a08-49f6-8134-03083ed8ba30) | Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Microsoft 365 Apps for enterprise (43de0ff5-c92c-492b-9116-175376d08c38)<br/>Microsoft Forms (Plan E1) (159f4cd6-e380-449f-a816-af1a9ef76344)<br/>Microsoft Search (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>Mobile Device Management for Office 365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>Office for the Web (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>OneDrive for Business (Plan 1) (13696edf-5a08-49f6-8134-03083ed8ba30)<br/>Sway (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>Whiteboard (Plan 2) (94a54592-cd8b-425e-87c6-97868b000b91)<br/>Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Microsoft 365 Apps for enterprise (43de0ff5-c92c-492b-9116-175376d08c38)<br/>OneDrive for Business (Plan 1) (13696edf-5a08-49f6-8134-03083ed8ba30) |

+| Microsoft 365 F3 | SPE_F1 | 66b55226-6b4f-492c-910c-a3b7a3c9d993 | RMS_S_ENTERPRISE (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>CDS_O365_F1 (90db65a7-bf11-4904-a79f-ef657605145b)<br/>EXCHANGE_S_DESKLESS (4a82b400-a79f-41a4-b4e2-e94f5787b113)<br/>MICROSOFTBOOKINGS (199a5c09-e0ca-4e37-8f7c-b05d533e1ea2)<br/>FORMS_PLAN_K (f07046bd-2a3c-4b96-b0be-dea79d7cbfb8)<br/>KAIZALA_O365_P1 (73b2a583-6a59-42e3-8e83-54db46bc3278)<br/>PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>MICROSOFT_SEARCH (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>Deskless (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>INTUNE_O365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>Nucleus (db4d623d-b514-490b-b7ef-8885eee514de)<br/>SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>OFFICEMOBILE_SUBSCRIPTION (c63d4d19-e8cb-460e-b37c-4d6c34603745)<br/>PROJECT_O365_F3 (7f6f28c2-34bb-4d4b-be36-48ca2e77e1ec)<br/>SHAREPOINTDESKLESS (902b47e5-dcb2-4fdc-858b-c63a90a2bdb9)<br/>MCOIMP (afc06cb0-b4f4-4473-8286-d644f70d8faf)<br/>SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>BPOS_S_TODO_FIRSTLINE (80873e7a-cd2a-4e67-b061-1b5381a676a5)<br/>VIVA_LEARNING_SEEDED (b76fb638-6ba6-402a-b9f9-83d28acb3d86)<br/>WHITEBOARD_FIRSTLINE1 (36b29273-c6d0-477a-aca6-6fbe24f538e3)<br/>WIN10_ENT_LOC_F1 (e041597c-9c7f-4ed9-99b0-2663301576f7)<br/>YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653)<br/>UNIVERSAL_PRINT_01 (795f6fe0-cc4d-4773-b050-5dde4dc704c9)<br/>WINDOWSUPDATEFORBUSINESS_DEPLOYMENTSERVICE (7bf960f6-2cd9-443a-8046-5dbff9558365)<br/>AAD_PREMIUM (41781fb2-bc02-4b7c-bd55-b576c07bb09d)<br/>RMS_S_PREMIUM (6c57d4b6-3b23-47a5-9bc9-69f17b4947b3)<br/>DYN365_CDS_O365_F1 (ca6e61ec-d4f4-41eb-8b88-d96e0e14323f)<br/>MFA_PREMIUM (8a256a2b-b617-496d-b51b-e76466e88db0)<br/>ADALLOM_S_DISCOVERY (932ad362-64a8-4783-9106-97849a1a30b9)<br/>INTUNE_A (c1ec4a95-1f05-45b3-a911-aa3fa01094f5)<br/>STREAM_O365_K (3ffba0d2-38e5-4d5e-8ec0-98f2b05c09d9)<br/>POWERAPPS_O365_S1 (e0287f9f-e222-4f98-9a83-f379e249159a)<br/>FLOW_O365_S1 (bd91b1a4-9f94-4ecf-b45b-3a65e5c8128a)<br/>POWER_VIRTUAL_AGENTS_O365_F1 (ba2fdb48-290b-4632-b46a-e4ecc58ac11a) | Azure Rights Management (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>Common Data Service for Teams (90db65a7-bf11-4904-a79f-ef657605145b)<br/>Exchange Online Kiosk (4a82b400-a79f-41a4-b4e2-e94f5787b113)<br/>Microsoft Bookings (199a5c09-e0ca-4e37-8f7c-b05d533e1ea2)<br/>Microsoft Forms (Plan F1) (f07046bd-2a3c-4b96-b0be-dea79d7cbfb8)<br/>Microsoft Kaizala Pro (73b2a583-6a59-42e3-8e83-54db46bc3278)<br/>Microsoft Planner (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>Microsoft Search (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>Microsoft StaffHub (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>Microsoft Teams (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>Mobile Device Management for Office 365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>Nucleus (db4d623d-b514-490b-b7ef-8885eee514de)<br/>Office for the Web (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>Office Mobile Apps for Office 365 (c63d4d19-e8cb-460e-b37c-4d6c34603745)<br/>Project for Office (Plan F) (7f6f28c2-34bb-4d4b-be36-48ca2e77e1ec)<br/>SharePoint Kiosk (902b47e5-dcb2-4fdc-858b-c63a90a2bdb9)<br/>Skype for Business Online (Plan 1) (afc06cb0-b4f4-4473-8286-d644f70d8faf)<br/>Sway (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>To-Do (Firstline) (80873e7a-cd2a-4e67-b061-1b5381a676a5)<br/>Viva Learning Seeded (b76fb638-6ba6-402a-b9f9-83d28acb3d86)<br/>Whiteboard (Firstline) (36b29273-c6d0-477a-aca6-6fbe24f538e3)<br/>Windows 10 Enterprise E3 (Local Only) (e041597c-9c7f-4ed9-99b0-2663301576f7)<br/>Yammer Enterprise (7547a3fe-08ee-4ccb-b430-5077c5041653)<br/>Universal Print (795f6fe0-cc4d-4773-b050-5dde4dc704c9)<br/>Windows Update for Business Deployment Service (7bf960f6-2cd9-443a-8046-5dbff9558365)<br/>Azure Active Directory Premium P1 (41781fb2-bc02-4b7c-bd55-b576c07bb09d)<br/>Azure Information Protection Premium P1 (6c57d4b6-3b23-47a5-9bc9-69f17b4947b3)<br/>Common Data Service (ca6e61ec-d4f4-41eb-8b88-d96e0e14323f)<br/>Microsoft Azure Multi-Factor Authentication (8a256a2b-b617-496d-b51b-e76466e88db0)<br/>Microsoft Defender for Cloud Apps Discovery (932ad362-64a8-4783-9106-97849a1a30b9)<br/>Microsoft Intune (c1ec4a95-1f05-45b3-a911-aa3fa01094f5)<br/>Microsoft Stream for Office 365 F3 (3ffba0d2-38e5-4d5e-8ec0-98f2b05c09d9)<br/>Power Apps for Office 365 F3 (e0287f9f-e222-4f98-9a83-f379e249159a)<br/>Power Automate for Office 365 F3 (bd91b1a4-9f94-4ecf-b45b-3a65e5c8128a)<br/>Power Virtual Agents for Office 365 (ba2fdb48-290b-4632-b46a-e4ecc58ac11a) |

+| Microsoft 365 F5 Security + Compliance Add-on | SPE_F5_SECCOMP | 32b47245-eb31-44fc-b945-a8b1576c439f | LOCKBOX_ENTERPRISE (9f431833-0334-42de-a7dc-70aa40db46db)<br/>BPOS_S_DlpAddOn (9bec7e34-c9fa-40b7-a9d1-bd6d1165c7ed)<br/>EXCHANGE_S_ARCHIVE_ADDON (176a09a6-7ec5-4039-ac02-b2791c6ba793)<br/>INFORMATION_BARRIERS (c4801e8a-cb58-4c35-aca6-f2dcc106f287)<br/>Content_Explorer (d9fa6af4-e046-4c89-9226-729a0786685d)<br/>MIP_S_CLP2 (efb0351d-3b08-4503-993d-383af8de41e3)<br/>M365_ADVANCED_AUDITING (2f442157-a11c-46b9-ae5b-6e39ff4e5849)<br/>MICROSOFT_COMMUNICATION_COMPLIANCE (a413a9ff-720c-4822-98ef-2f37c2a21f4c)<br/>MTP (bf28f719-7844-4079-9c78-c1307898e192)<br/>COMMUNICATIONS_DLP (6dc145d6-95dd-4191-b9c3-185575ee6f6b)<br/>CUSTOMER_KEY (6db1f1db-2b46-403f-be40-e39395f08dbb)<br/>DATA_INVESTIGATIONS (46129a58-a698-46f0-aa5b-17f6586297d9)<br/>ATP_ENTERPRISE (f20fedf3-f3c3-43c3-8267-2bfdd51c0939)<br/>THREAT_INTELLIGENCE (8e0c0a52-6a6c-4d40-8370-dd62790dcd70)<br/>INFO_GOVERNANCE (e26c2fcc-ab91-4a61-b35c-03cdc8dddf66)<br/>INSIDER_RISK (d587c7a3-bda9-4f99-8776-9bcf59c84f75)<br/>ML_CLASSIFICATION (d2d51368-76c9-4317-ada2-a12c004c432f)<br/>RECORDS_MANAGEMENT (65cc641f-cccd-4643-97e0-a17e3045e541)<br/>EQUIVIO_ANALYTICS (4de31727-a228-4ec3-a5bf-8e45b5ca48cc)<br/>PAM_ENTERPRISE (b1188c4c-1b36-4018-b48b-ee07604f6feb)<br/>PREMIUM_ENCRYPTION (617b097b-4b93-4ede-83de-5f075bb5fb2f)<br/>WINDEFATP (871d91ec-ec1a-452b-a83f-bd76c7d770ef)<br/>MICROSOFTENDPOINTDLP (64bfac92-2b17-4482-b5e5-a0304429de3e)<br/>AAD_PREMIUM_P2 (eec0eb4f-6444-4f95-aba0-50c24d67f998)<br/>RMS_S_PREMIUM2 (5689bec4-755d-4753-8b61-40975025187c)<br/>ADALLOM_S_STANDALONE (2e2ddb96-6af9-4b1d-a3f0-d6ecfd22edb2)<br/>ATA (14ab5db5-e6c4-4b20-b4bc-13e36fd2227f) | Customer Lockbox (9f431833-0334-42de-a7dc-70aa40db46db)<br/>Data Loss Prevention (9bec7e34-c9fa-40b7-a9d1-bd6d1165c7ed)<br/>Exchange Online Archiving (176a09a6-7ec5-4039-ac02-b2791c6ba793)<br/>Information Barriers (c4801e8a-cb58-4c35-aca6-f2dcc106f287)<br/>Information Protection and Governance Analytics - Premium (d9fa6af4-e046-4c89-9226-729a0786685d)<br/>Information Protection for Office 365 - Premium (efb0351d-3b08-4503-993d-383af8de41e3)<br/>Microsoft 365 Advanced Auditing (2f442157-a11c-46b9-ae5b-6e39ff4e5849)<br/>Microsoft 365 Communication Compliance (a413a9ff-720c-4822-98ef-2f37c2a21f4c)<br/>Microsoft 365 Defender (bf28f719-7844-4079-9c78-c1307898e192)<br/>Microsoft Communications DLP (6dc145d6-95dd-4191-b9c3-185575ee6f6b)<br/>Microsoft Customer Key (6db1f1db-2b46-403f-be40-e39395f08dbb)<br/>Microsoft Data Investigations (46129a58-a698-46f0-aa5b-17f6586297d9)<br/>Microsoft Defender for Office 365 (Plan 1) (f20fedf3-f3c3-43c3-8267-2bfdd51c0939)<br/>Microsoft Defender for Office 365 (Plan 2) (8e0c0a52-6a6c-4d40-8370-dd62790dcd70)<br/>Microsoft Information Governance (e26c2fcc-ab91-4a61-b35c-03cdc8dddf66)<br/>Microsoft Insider Risk Management (d587c7a3-bda9-4f99-8776-9bcf59c84f75)<br/>Microsoft ML-Based Classification (d2d51368-76c9-4317-ada2-a12c004c432f)<br/>Microsoft Records Management (65cc641f-cccd-4643-97e0-a17e3045e541)<br/>Office 365 Advanced eDiscovery (4de31727-a228-4ec3-a5bf-8e45b5ca48cc)<br/>Office 365 Privileged Access Management (b1188c4c-1b36-4018-b48b-ee07604f6feb)<br/>Premium Encryption in Office 365 (617b097b-4b93-4ede-83de-5f075bb5fb2f)<br/>Microsoft Defender for Endpoint (871d91ec-ec1a-452b-a83f-bd76c7d770ef)<br/>Microsoft Endpoint DLP (64bfac92-2b17-4482-b5e5-a0304429de3e)<br/>Azure Active Directory Premium P2 (eec0eb4f-6444-4f95-aba0-50c24d67f998)<br/>Azure Information Protection Premium P2 (5689bec4-755d-4753-8b61-40975025187c)<br/>Microsoft Defender for Cloud Apps (2e2ddb96-6af9-4b1d-a3f0-d6ecfd22edb2)<br/>Microsoft Defender for Identity (14ab5db5-e6c4-4b20-b4bc-13e36fd2227f) |

+| Microsoft Teams Audio Conferencing select dial-out | Microsoft_Teams_Audio_Conferencing_select_dial_out | 1c27243e-fb4d-42b1-ae8c-fe25c9616588 | MCOMEETBASIC (9974d6cf-cd24-4ba2-921c-e2aa687da846) | Microsoft Teams Audio Conferencing with dial-out to select geographies (9974d6cf-cd24-4ba2-921c-e2aa687da846) |

+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](/powershell/module/microsoft.powershell.core/about/about_commonparameters).

+## Get-ADSyncToolsDuplicateUsersSourceAnchor

+### SYNOPSIS

+Gets a list of all the objects with "Source anchor has changed" error.

+### SYNTAX

+```

+Get-ADSyncToolsDuplicateUsersSourceAnchor [-ADConnectorName] <Object> [<CommonParameters>]

+```

+### DESCRIPTION

+There are certain scenarios like M&A where Customers add a new forest to Azure AD Connect with duplicate user objects.

+This causes multiple sync errors if the new connector precedence is higher for the newly joined users. This cmdlet will provide a list of all the objects with "Source anchor has changed" errors.

+### EXAMPLES

+#### EXAMPLE 1

+```

+Get-ADSyncToolsDuplicateUsersSourceAnchor -ADConnectorName Contoso.com

+```

+### PARAMETERS

+#### -ADConnectorName

+AD connector name for which user source anchors needs to be repaired

+```yaml

+Type: Object

+Parameter Sets: (All)

+Aliases:

+Required: true

+Position: 1

+Default value:

+Accept pipeline input: True (ByPropertyName)

+Accept wildcard characters: False

+```

+#### CommonParameters

+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](/powershell/module/microsoft.powershell.core/about/about_commonparameters).

+## Set-ADSyncToolsDuplicateUsersSourceAnchor

+### SYNOPSIS

+Fixes all the objects with "Source Anchor has changed" error.

+### SYNTAX

+```

+et-ADSyncToolsDuplicateUsersSourceAnchor [-DuplicateUserSourceAnchorInfo] <DuplicateUserSourceAnchorInfo> [-ActiveDirectoryCredential <PSCredential>] [-OverridePrompt <Boolean>] [<CommonParameters>]

+```

+### DESCRIPTION

+This cmdlet takes in the list of objects from Get-ADSyncToolsDuplicateUsersSourceAnchor as pipeline input. It then fixes the sync errors by updating the msDS-ConsistencyGuid attribute with the sourceAnchor/immutableID of the original object.

+The cmdlet has an optional parameter - "Override prompt", which is False by default. If it is set to True, then the user will not be prompted when updating the msDS-ConsistencyGuid attribute.

+### EXAMPLES

+#### EXAMPLE 1

+```

+Get-ADSyncToolsDuplicateUsersSourceAnchor -ADConnectorName Contoso.lab | Set-ADSyncToolsDuplicateUsersSourceAnchor

+```

+#### EXAMPLE 2

+```

+Get-ADSyncToolsDuplicateUsersSourceAnchor -ADConnectorName Contoso.lab | Set-ADSyncToolsDuplicateUsersSourceAnchor -OverridePrompt $true

+```

+### PARAMETERS

+#### -DuplicateUserSourceAnchorInfo

+User list for which the source anchor needs to be fixed

+```yaml

+Type: DuplicateUserSourceAnchorInfo

+Parameter Sets: (All)

+Aliases:

+Required: True

+Position: 1

+Default value:

+Accept pipeline input: True (ByValue, ByPropertyName)

+Accept wildcard characters: False

+```

+#### -ActiveDirectoryCredential

+AD EA/DA Admin Credentials, If not provided default credentials will be used

+```yaml

+Type: PSCredential

+Parameter Sets: (All)

+Aliases:

+Required: False

+Position: Named

+Default value:

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+#### -OverridePrompt

+```yaml

+Type: Boolean

+Parameter Sets: (All)

+Aliases:

+Required: False

+Position: Named

+Default value: False

+Accept pipeline input: False

+Accept wildcard characters: False

+```

+#### CommonParameters

+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](/powershell/module/microsoft.powershell.core/about/about_commonparameters).

+3. Authorize the managed identity to have access to the "target" service.

+This article shows you how to use API server authorized IP address ranges, using the Azure CLI, to limit which IP addresses and CIDRs can access control plane.

+- You need the Azure CLI version 2.0.76 or later installed and configured. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].

+- To learn what IP addresses to include when integrating your AKS cluster with Azure DevOps, see the Azure DevOps [Allowed IP addresses and domain URLs][azure-devops-allowed-network-cfg] article.

+- On clusters created after API server authorized IP address ranges moved out of preview in October 2019, API server authorized IP address ranges are only supported on the *Standard* SKU load balancer. Existing clusters with the *Basic* SKU load balancer and API server authorized IP address ranges configured will continue work as is, but they cann't be migrated to a *Standard* SKU load balancer. Existing clusters will also continue to work if their Kubernetes version or control plane are upgraded.

+- API server authorized IP address ranges aren't supported with private clusters.

+- When using this feature with clusters that use [Public IP per Node](use-multiple-node-pools.md#assign-a-public-ip-per-node-for-your-node-pools), those node pools with public IP per node enabled must use public IP prefixes, and those prefixes must be added as authorized ranges.

+> The rules can take up to two minutes to propagate. Please allow up to that time when testing the connection.

+While creating an AKS cluster, if you specify the outbound IP addresses or prefixes for the cluster, they are allowed as well. For example:

+You must add your development machines, tooling, or automation IP addresses to the AKS cluster list of approved IP ranges to access the API server from there.

+Another option is to configure a jumpbox with the necessary tooling inside a separate subnet in the firewall's virtual network. This assumes your environment has a firewall with the respective network, and you've added the firewall IPs to authorized ranges. Similarly, if you've forced tunneling from the AKS subnet to the firewall subnet, having the jumpbox in the cluster subnet is also okay.

+To add another IP address to the approved ranges, use the following commands.

+> The above example appends the API server authorized IP ranges on the cluster. To disable authorized IP ranges, use `az aks update` and specify an empty range "".

+Another option is to use the following command on Windows systems to get the public IPv4 address, or you can follow the steps in [Find your IP address](https://support.microsoft.com/en-gb/help/4026518/windows-10-find-your-ip-address).

+You can also find this address by searching on *what is my IP address* in an internet browser.

+In this article, you enabled API server authorized IP ranges. This approach is one part of how you can securely run an AKS cluster. For more information, see [Security concepts for applications and clusters in AKS][concepts-security] and [Best practices for cluster security and upgrades in AKS][operator-best-practices-cluster-security].

+[azure-devops-allowed-network-cfg]: /azure/devops/organizations/security/allow-list-ip-url

+By default, Azure automatically replicates the operating system disk for a virtual machine to Azure storage to avoid data loss if the VM needs to be relocated to another host. However, since containers aren't designed to have local state persisted, this behavior offers limited value while providing some drawbacks, including slower node provisioning and higher read/write latency.

+* It isn't supported to update agent pool from host group A to host group B.

+A host group is a resource that represents a collection of dedicated hosts. You create a host group in a region and an availability zone, and add hosts to it. When planning for high availability, there are more options. You can use one or both of the following options with your dedicated hosts:

+* Span across multiple availability zones. In this case, you're required to have a host group in each of the zones you wish to use.

+In either case, you need to provide the fault domain count for your host group. If you don't want to span fault domains in your group, use a fault domain count of 1.

+> [!NOTE]

+> First, when using host group, the nodepool fault domain count is always the same as the host group fault domain count. In order to use cluster auto-scaling to work with ADH and AKS, please make sure your host group fault domain count and capacity is enough.

+> Secondly, only change fault domain count from the default of 1 to any other number if you know what they are doing as a misconfiguration could lead to a unscalable configuration.

+Now create a dedicated host in the host group. In addition to a name for the host, you're required to provide the SKU for the host. Host SKU captures the supported VM series and the hardware generation for your dedicated host.

+Use az vm host create to create a host. If you set a fault domain count for your host group, you'll be asked to specify the fault domain for your host.

+In this example, we'll use [az vm host group create][az-vm-host-group-create] to create a host group using both availability zones and fault domains.

+Now create a dedicated host in the host group. In addition to a name for the host, you're required to provide the SKU for the host. Host SKU captures the supported VM series and the hardware generation for your dedicated host.

+If you set a fault domain count for your host group, you'll need to specify the fault domain for your host.

+[az-aks-get-credentials]: /cli/azure/aks#az-aks-get-credentials

+[az-aks-create]: /cli/azure/aks#az-aks-create

+[az-aks-nodepool-add]: /cli/azure/aks/nodepool#az-aks-nodepool-add

+[az-aks-nodepool-list]: /cli/azure/aks/nodepool#az-aks-nodepool-list

+[az-aks-nodepool-update]: /cli/azure/aks/nodepool#az-aks-nodepool-update

+[az-aks-nodepool-upgrade]: /cli/azure/aks/nodepool#az-aks-nodepool-upgrade

+[az-aks-nodepool-scale]: /cli/azure/aks/nodepool#az-aks-nodepool-scale

+[az-aks-nodepool-delete]: /cli/azure/aks/nodepool#az-aks-nodepool-delete

+[az-extension-add]: /cli/azure/extension#az-extension-add

+[az-extension-update]: /cli/azure/extension#az-extension-update

+[az-group-create]: /cli/azure/group#az-group-create

+[az-group-delete]: /cli/azure/group#az-group-delete

+[az-deployment-group-create]: /cli/azure/deployment/group#az-deployment-group-create

+az appservice plan create --resource-group MyResourceGroup --name MyPlan --sku P1v2 --zone-redundant --number-of-workers 6

+An existing backend certificate is required to generate the authentication certificates or trusted root certificates required for allowing backend instances with Application Gateway. The backend certificate can be the same as the TLS/SSL certificate or different for added security. Application Gateway doesn't provide you any mechanism to create or purchase a TLS/SSL certificate. For testing purposes, you can create a self-signed certificate but you shouldn't use it for production workloads.

+Now you have the authentication certificate/trusted root certificate in Base-64 encoded X.509(.CER) format. You can add this to the application gateway to allow your backend servers for end to end TLS encryption. See [Configure end to end TLS by using Application Gateway with PowerShell](./application-gateway-end-to-end-ssl-powershell.md).

+| **Model ID** | **Text extraction** | **Language detection** | **Selection Marks** | **Tables** | **Paragraphs** | **Paragraph roles** | **Key-Value pairs** | **Fields** |

+|:--|:-:|:-:|:-:|:-:|:-:|:-:|:-:|:-:|

+1. Open a PowerShell window as an Administrator and go to the folder where you've downloaded the PowerShell script.

+> [!NOTE]

+> On Windows workstations, the script must be run in PowerShell window and not in PowerShell Integrated Script Editor (ISE) as PowerShell ISE doesn't display the input prompts from Azure CLI commands. If the script is run on PowerShell ISE, it could appear as though the script is stuck while it is waiting for input.

+Go to `.python_packages/lib/python3.6/site-packages/<package-name>-<version>-dist-info` or `.python_packages/lib/site-packages/<package-name>-<version>-dist-info`. Using a text editor, open the METADATA file and check the **Classifiers:** section. If the section doesn't contains `Python :: 3`, `Python :: 3.6`, `Python :: 3.7`, `Python :: 3.8`, or `Python :: 3.9`, this means the package version is either too old, or most likely, the package is already out of maintenance.

+Browse the latest package version in `https://pypi.org/project/<package-name>` and check the **Classifiers:** section. The package should be `OS Independent`, or compatible with `POSIX` or `POSIX :: Linux` in **Operating System**. Also, the Programming Language should contains `Python :: 3`, `Python :: 3.6`, `Python :: 3.7`, `Python :: 3.8`, or `Python :: 3.9`.

+Sometimes, the package may have been integrated into [Python Standard Library](https://docs.python.org/3/library/) (such as pathlib). If so, since we provide a certain Python distribution in Azure Functions (Python 3.6, Python 3.7, Python 3.8, and Python 3.9), the package in your requirements.txt should be removed.

+If you're running on an x64 operating system, please ensure your Python 3.6, 3.7, 3.8, or 3.9 interpreter is also on 64-bit version.

+The Azure Functions Python Worker only supports Python 3.6, 3.7, 3.8, and 3.9.

+Please check if your Python interpreter matches our expected version by `py --version` in Windows or `python3 --version` in Unix-like systems. Ensure the return result is Python 3.6.x, Python 3.7.x, Python 3.8.x, or Python 3.9.x.

+If your Python interpreter version does not meet our expectation, please download the Python 3.6, 3.7, 3.8, or 3.9 interpreter from [Python Software Foundation](https://www.python.org/downloads).

+ms.revewer: issahn

+ms.revewer: issahn

+ |Override query time range| Enter a value in this field if the alert evaluation period is different than the query time range.<br> The alert time range is limited to a maximum of two days. Even if the query contains an **ago** command with a time range of longer than 2 days, the 2 day maximum time range is applied. For example, even if the query text contains **ago(7d)**, the query only scans up to 2 days of data.<br> If the query requires more data than the alert evaluation, and there is no **ago** command in the query, you can change the time range manually.|

+ :::image type="content" source="media/alerts-log/alerts-create-alert-rule-preview.png" alt-text="Screenshot of a preview of a new alert rule.":::

+ms. reviewer: nolavime

+

+We then right-click on any record with event ID 7036 and select **Extract fields from \`Event`**.

+

+The **Field Extraction Wizard** opens with the **EventLog** and **EventID** fields selected in the **Main Example** column. This indicates that the custom field will be defined for events from the System log with an event ID of 7036. This is sufficient so we donΓÇÖt need to select any other fields.

+* Add the reference to the `Microsoft.ApplicationInsights.Profiler.AspNetCore` NuGet package.

+1. Add the NuGet package to collect the Profiler traces:

+ ```console

+ dotnet add package Microsoft.ApplicationInsights.Profiler.AspNetCore

+ ```

+>[!NOTE]

+>Usage for Azure Monitor Logs (Log Analytics) can be billed with the **Log Analytics** service (for Pay-as-you-go data ingestion and data retention), or with the **Azure Monitor** service (for Commitment Tiers, Basic Logs and Data Export) or with the **Insight and Analytics** service when using the legacy Per Node pricing tier. Except for a small set of legacy resources, Application Insights data ingestion and retention are billed as the **Log Analytics** service.

+- [Azure CLI](/cli/azure/deployment/group#az-deployment-group-create)

+@description('principalId of the user that will be given contributor access to the resourceGroup')

+## Azure Load Testing limits

+For Azure Load Testing limits, see [Service limits in Azure Load Testing](../../load-testing/resource-limits-quotas-capacity.md).

+description: Describes how to enable debug logging to troubleshoot Azure resources deployed with Bicep files or Azure Resource Manager templates (ARM templates).

+To troubleshoot a deployment error, enable debug logging to get more information. Debug logging works for deployments using Bicep files or Azure Resource Manager templates (ARM templates). You can get data about a deployment's request and response to learn the cause of a problem.

+> [!WARNING]

+> Debug logging can expose secrets like passwords or `listKeys`. Only enable debug logging when you need to troubleshoot a deployment error.

+## Set up debug logging

+Use Azure PowerShell to enable debug logging and view the results with Azure PowerShell or Azure CLI.

+For a resource group deployment, use [New-AzResourceGroupDeployment](/powershell/module/az.resources/new-azresourcegroupdeployment) to set the `DeploymentDebugLogLevel` parameter to `All`, `ResponseContent`, or `RequestContent`.

+When debug logging is enabled, a warning is displayed that secrets like passwords or `listKeys` can be logged and displayed when you get deployment operations with commands like `Get-AzResourceGroupDeploymentOperation`.

+ -TemplateFile main.bicep `

+The output shows the debug logging level.

+The `DeploymentDebugLogLevel` parameter is available for other deployment scopes: subscription, management group, and tenant.

+- [New-AzDeployment](/powershell/module/az.resources/new-azdeployment)

+- [New-AzManagementGroupDeployment](/powershell/module/az.resources/new-azmanagementgroupdeployment)

+- [New-AzTenantDeployment](/powershell/module/az.resources/new-aztenantdeployment)

+# [Azure CLI](#tab/azure-cli)

+You can't enable debug logging with Azure CLI but you can get debug logging data using the `request` and `response` properties.

+## Get debug information

+After debug logging is enabled, you can get more information from the deployment operations.

+# [PowerShell](#tab/azure-powershell)

+For a resource group deployment, use [Get-AzResourceGroupDeploymentOperation](/powershell/module/az.resources/get-azresourcegroupdeploymentoperation) to get deployment operations.

+For more information, see the documentation for deployment operation scopes: subscription, management group, and tenant.

+- [Get-AzDeploymentOperation](/powershell/module/az.resources/get-azdeploymentoperation)

+- [Get-AzManagementGroupDeploymentOperation](/powershell/module/az.resources/get-azmanagementgroupdeploymentoperation)

+- [Get-AzTenantDeploymentOperation](/powershell/module/az.resources/get-aztenantdeploymentoperation)

+For a resource group deployment, use [az deployment operation group list](/cli/azure/deployment/operation/group#az-deployment-operation-group-list) to get deployment operations.

+Use a query to get the `request` property's content.

+Use a query to get the `response` property's content.

+For more information, see the documentation for deployment operation scopes: subscription, management group, and tenant.

+- [az deployment operation sub list](/cli/azure/deployment/operation/sub#az-deployment-operation-sub-list)

+- [az deployment operation mg list](/cli/azure/deployment/operation/mg#az-deployment-operation-mg-list)

+- [az deployment operation tenant list](/cli/azure/deployment/operation/tenant#az-deployment-operation-tenant-list)

+## Remove debug deployment history

+When you're finished debugging, you can remove deployment history to prevent anyone who has access from seeing sensitive information that might have been logged. If you used multiple deployment names during debugging, run the command for each deployment name.

+# [PowerShell](#tab/azure-powershell)

+To remove deployment history for a resource group deployment, use [Remove-AzResourceGroupDeployment](/powershell/module/az.resources/remove-azresourcegroupdeployment).

+```azurepowershell

+Remove-AzResourceGroupDeployment -ResourceGroupName examplegroup -Name exampledeployment

+```

+The command returns `True` when it's successful.

+For more information about deployment history, see the documentation for the deployment scopes: subscription, management group, and tenant.

+- [Remove-AzDeployment](/powershell/module/az.resources/remove-azdeployment)

+- [Remove-AzManagementGroupDeployment](/powershell/module/az.resources/remove-azmanagementgroupdeployment)

+- [Remove-AzTenantDeployment](/powershell/module/az.resources/remove-aztenantdeployment)

+# [Azure CLI](#tab/azure-cli)

+To remove deployment history for a resource group deployment, use [az deployment group delete](/cli/azure/deployment/group#az-deployment-group-delete).

+```azurecli

+az deployment group delete --resource-group examplegroup --name exampledeployment

+```

+For more information, see the documentation for deployment scopes: subscription, management group, and tenant.

+- [az deployment sub delete](/cli/azure/deployment/sub#az-deployment-sub-delete)

+- [az deployment mg delete](/cli/azure/deployment/mg#az-deployment-mg-delete)

+- [az deployment tenant delete](/cli/azure/deployment/tenant#az-deployment-tenant-delete)

+To log debug information for a [nested](../templates/linked-templates.md#nested-template) ARM template, use the [Microsoft.Resources/deployments](/azure/templates/microsoft.resources/deployments) `debugSetting` property.

+Bicep uses [modules](../bicep/modules.md) rather than nested templates.

+ Title: Azure SignalR service data plane REST API reference

+description: Describes the REST APIs Azure SignalR service supports to manage the connections and send messages to them.

+# Azure SignalR service data plane REST API reference

+> [!NOTE]

+>

+> Azure SignalR Service only supports using REST API to manage clients connected using ASP.NET Core SignalR. Clients connected using ASP.NET SignalR use a different data protocol that is not currently supported.

+On top of the classical client-server pattern, Azure SignalR Service provides a set of REST APIs so that you can easily integrate real-time functionality into your server-less architecture.

+<a name="serverless"></a>

+## Typical Server-less Architecture with Azure Functions

+The following diagram shows a typical server-less architecture using Azure SignalR Service with Azure Functions.

+- `negotiate` function returns a negotiation response and redirects all clients to SignalR Service.

+- `broadcast` function calls SignalR Service's REST API. Then SignalR Service will broadcast the message to all connected clients.

+In a server-less architecture, clients still have persistent connections to the SignalR Service.

+Since there's no application server to handle traffic, clients are in `LISTEN` mode, which means they can only receive messages but can't send messages.

+SignalR Service will disconnect any client that sends messages because it's an invalid operation.

+You can find a complete sample of using SignalR Service with Azure Functions at [here](https://github.com/aspnet/AzureSignalR-samples/tree/master/samples/RealtimeSignIn).

+## API

+The following table shows all versions of REST API we have for now. You can also find the swagger file for each version of REST API.

+API Version | Status | Port | Doc | Spec

+||||

+`1.0` | Latest | Standard | [Doc](./swagger/signalr-data-plane-rest-v1.md) | [swagger](https://github.com/Azure/azure-signalr/blob/dev/docs/swagger/v1.json)

+`1.0-preview` | Obsolete | Standard | [Doc](./swagger/signalr-data-plane-rest-v1-preview.md) | [swagger](https://github.com/Azure/azure-signalr/blob/dev/docs/swagger/v1-preview.json)

+The latest available APIs are listed as following.

+| API | Path |

+| - | - |

+| [Broadcast a message to all clients connected to target hub.](./swagger/signalr-data-plane-rest-v1.md#broadcast-a-message-to-all-clients-connected-to-target-hub) | `POST /api/v1/hubs/{hub}` |

+| [Broadcast a message to all clients belong to the target user.](./swagger/signalr-data-plane-rest-v1.md#broadcast-a-message-to-all-clients-belong-to-the-target-user) | `POST /api/v1/hubs/{hub}/users/{id}` |

+| [Send message to the specific connection.](./swagger/signalr-data-plane-rest-v1.md#send-message-to-the-specific-connection) | `POST /api/v1/hubs/{hub}/connections/{connectionId}` |

+| [Check if the connection with the given connectionId exists](./swagger/signalr-data-plane-rest-v1.md#check-if-the-connection-with-the-given-connectionid-exists) | `GET /api/v1/hubs/{hub}/connections/{connectionId}` |

+| [Close the client connection](./swagger/signalr-data-plane-rest-v1.md#close-the-client-connection) | `DELETE /api/v1/hubs/{hub}/connections/{connectionId}` |

+| [Broadcast a message to all clients within the target group.](./swagger/signalr-data-plane-rest-v1.md#broadcast-a-message-to-all-clients-within-the-target-group) | `POST /api/v1/hubs/{hub}/groups/{group}` |

+| [Check if there are any client connections inside the given group](./swagger/signalr-data-plane-rest-v1.md#check-if-there-are-any-client-connections-inside-the-given-group) | `GET /api/v1/hubs/{hub}/groups/{group}` |

+| [Check if there are any client connections connected for the given user](./swagger/signalr-data-plane-rest-v1.md#check-if-there-are-any-client-connections-connected-for-the-given-user) | `GET /api/v1/hubs/{hub}/users/{user}` |

+| [Add a connection to the target group.](./swagger/signalr-data-plane-rest-v1.md#add-a-connection-to-the-target-group) | `PUT /api/v1/hubs/{hub}/groups/{group}/connections/{connectionId}` |

+| [Remove a connection from the target group.](./swagger/signalr-data-plane-rest-v1.md#remove-a-connection-from-the-target-group) | `DELETE /api/v1/hubs/{hub}/groups/{group}/connections/{connectionId}` |

+| [Check whether a user exists in the target group.](./swagger/signalr-data-plane-rest-v1.md#check-whether-a-user-exists-in-the-target-group) | `GET /api/v1/hubs/{hub}/groups/{group}/users/{user}` |

+| [Add a user to the target group.](./swagger/signalr-data-plane-rest-v1.md#add-a-user-to-the-target-group) | `PUT /api/v1/hubs/{hub}/groups/{group}/users/{user}` |

+| [Remove a user from the target group.](./swagger/signalr-data-plane-rest-v1.md#remove-a-user-from-the-target-group) | `DELETE /api/v1/hubs/{hub}/groups/{group}/users/{user}` |

+| [Remove a user from all groups.](./swagger/signalr-data-plane-rest-v1.md#remove-a-user-from-all-groups) | `DELETE /api/v1/hubs/{hub}/users/{user}/groups` |

+## Using REST API

+### Authenticate via Azure SignalR Service AccessKey

+In each HTTP request, an authorization header with a [JSON Web Token (JWT)](https://en.wikipedia.org/wiki/JSON_Web_Token) is required to authenticate with SignalR Service.

+#### Signing Algorithm and Signature

+`HS256`, namely HMAC-SHA256, is used as the signing algorithm.

+Use the `AccessKey` in Azure SignalR Service instance's connection string to sign the generated JWT token.

+#### Claims

+The following claims are required to be included in the JWT token.

+Claim Type | Is Required | Description

+||

+`aud` | true | Needs to be the same as your HTTP request url, trailing slash and query parameters not included. For example, a broadcast request's audience should look like: `https://example.service.signalr.net/api/v1/hubs/myhub`.

+`exp` | true | Epoch time when this token expires.

+### Authenticate via Azure Active Directory Token (Azure AD Token)

+Similar to authenticating using `AccessKey`, when authenticating using Azure AD Token, a [JSON Web Token (JWT)](https://en.wikipedia.org/wiki/JSON_Web_Token) is also required to authenticate the HTTP request.

+The difference is, in this scenario the JWT Token is generated by Azure Active Directory.

+[Learn how to generate Azure AD Tokens](/azure/active-directory/develop/reference-v2-libraries)

+You could also use **Role Based Access Control (RBAC)** to authorize the request from your client/server to SignalR Service.

+[Learn how to configure Role-based access control roles for your resource](/azure/azure-signalr/authorize-access-azure-active-directory)

+### Implement Negotiate Endpoint

+As shown in the [architecture section](#serverless), you should implement a `negotiate` function that returns a redirect negotiation response so that client can connect to the service.

+A typical negotiation response looks as follows:

+```json

+{

+ "url":"https://<service_name>.service.signalr.net/client/?hub=<hub_name>",

+ "accessToken":"<a typical JWT token>"

+}

+```

+The `accessToken` is generated using the same algorithm described in [authentication section](#authenticate-via-azure-signalr-service-accesskey). The only difference is the `aud` claim should be same as `url`.

+You should host your negotiate API in `https://<hub_url>/negotiate` so you can still use SignalR client to connect to the hub url.

+Read more about redirecting client to Azure SignalR Service at [here](./signalr-concept-internals.md#client-connections).

+### User-related REST API

+In order to call user-related REST API, each of your clients should identify itself to SignalR Service.

+Otherwise SignalR Service can't find target connections from a given user ID.

+Client identification can be achieved by including a `nameid` claim in each client's JWT token when they're connecting to SignalR Service.

+Then SignalR Service will use the value of `nameid` claim as the user ID of each client connection.

+### Sample

+You can find a complete console app to demonstrate how to manually build a REST API HTTP request in SignalR Service [here](https://github.com/aspnet/AzureSignalR-samples/tree/master/samples/Serverless).

+You can also use [Microsoft.Azure.SignalR.Management](<https://www.nuget.org/packages/Microsoft.Azure.SignalR.Management>) to publish messages to SignalR Service using the similar interfaces of `IHubContext`. Samples can be found [here](<https://github.com/aspnet/AzureSignalR-samples/tree/master/samples/Management>). For more information, see [How to use Management SDK](https://github.com/Azure/azure-signalr/blob/dev/docs/management-sdk-guide.md).

+## Limitation

+Currently, we have the following limitation for REST API requests:

+* Header size is a maximum of 16 KB.

+* Body size is a maximum of 1 MB.

+If you want to send message larger than 1 MB, use the Management SDK with `persistent` mode.

+ Title: Azure SignalR service data plane REST API reference - v1-preview

+description: Describes REST APIs version v1-preview Azure SignalR service supports to manage the connections and send messages to them.

+# Azure SignalR Service data plane REST API - v1-preview

+This article contains the obsoleted v1-preview version REST APIs for Azure SignalR Service data plane. Please use the [latest version](./signalr-data-plane-rest-v1.md) instead.

+## Available APIs

+| API | Path |

+| - | - |

+| [post /api/v1-preview/hub/{hub}/user/{id}](#post-apiv1-previewhubhubuserid) | `POST /api/v1-preview/hub/{hub}/user/{id}` |

+| [post /api/v1-preview/hub/{hub}/users/{userList}](#post-apiv1-previewhubhubusersuserlist) | `POST /api/v1-preview/hub/{hub}/users/{userList}` |

+| [post /api/v1-preview/hub/{hub}](#post-apiv1-previewhubhub) | `POST /api/v1-preview/hub/{hub}` |

+| [post /api/v1-preview/hub/{hub}/group/{group}](#post-apiv1-previewhubhubgroupgroup) | `POST /api/v1-preview/hub/{hub}/group/{group}` |

+| [post /api/v1-preview/hub/{hub}/groups/{groupList}](#post-apiv1-previewhubhubgroupsgrouplist) | `POST /api/v1-preview/hub/{hub}/groups/{groupList}` |

+### post /api/v1-preview/hub/{hub}/user/{id}

+`POST /api/v1-preview/hub/{hub}/user/{id}`

+##### Description:

+Send a message to a single user.

+##### Parameters

+| Name | Located in | Description | Required | Schema |

+| - | - | -- | -- | - |

+| hub | path | Target hub name, which should start with alphabetic characters and only contain alpha-numeric characters or underscore. | Yes | string |

+| id | path | Target user Id. | Yes | string |

+| message | body | | Yes | [Message](#message) |

+##### Responses

+| Code | Description |

+| - | -- |

+| 202 | Accepted |

+### post /api/v1-preview/hub/{hub}/users/{userList}

+`POST /api/v1-preview/hub/{hub}/users/{userList}`

+##### Description:

+Send a message to multiple users.

+##### Parameters

+| Name | Located in | Description | Required | Schema |

+| - | - | -- | -- | - |

+| hub | path | Target hub name, which should start with alphabetic characters and only contain alpha-numeric characters or underscore. | Yes | string |

+| userList | path | Comma-separated list of user Ids. | Yes | string |

+| message | body | | Yes | [Message](#message) |

+##### Responses

+| Code | Description |

+| - | -- |

+| 202 | Accepted |

+### post /api/v1-preview/hub/{hub}

+`POST /api/v1-preview/hub/{hub}`

+##### Description:

+Broadcast a message to all clients connected to target hub.

+##### Parameters

+| Name | Located in | Description | Required | Schema |

+| - | - | -- | -- | - |

+| hub | path | Target hub name, which should start with alphabetic characters and only contain alpha-numeric characters or underscore. | Yes | string |

+| message | body | | Yes | [Message](#message) |

+##### Responses

+| Code | Description |

+| - | -- |

+| 202 | Accepted |

+### post /api/v1-preview/hub/{hub}/group/{group}

+`POST /api/v1-preview/hub/{hub}/group/{group}`

+##### Description:

+Broadcast a message to all clients within the target group.

+##### Parameters

+| Name | Located in | Description | Required | Schema |

+| - | - | -- | -- | - |

+| hub | path | Target hub name, which must start with alphabetic characters and contain only alpha-numeric characters or underscore. | Yes | string |

+| group | path | Target group name, which must start with alphabetic characters and contain only alpha-numeric characters or underscore. | Yes | string |

+| message | body | | Yes | [Message](#message) |

+##### Responses

+| Code | Description |

+| - | -- |

+| 202 | Accepted |

+### post /api/v1-preview/hub/{hub}/groups/{groupList}

+`POST /api/v1-preview/hub/{hub}/groups/{groupList}`

+##### Description:

+Broadcast a message to all clients within the target groups.

+##### Parameters

+| Name | Located in | Description | Required | Schema |

+| - | - | -- | -- | - |

+| hub | path | Target hub name, which must start with alphabetic characters and only contain alpha-numeric characters or underscore. | Yes | string |

+| groupList | path | Comma-separated list of group names. Each group name must start with alphabetic characters and only contain alpha-numeric characters or underscore. | Yes | string |

+| message | body | | Yes | [Message](#message) |

+##### Responses

+| Code | Description |

+| - | -- |

+| 202 | Accepted |

+### Models

+#### Message

+Method invocation message.

+| Name | Type | Description | Required |

+| - | - | -- | -- |

+| target | string | Target method name. | No |

+| arguments | [ object ] | Target method arguments. | No |

+ Title: Azure SignalR service data plane REST API reference - v1

+description: Describes the REST APIs version v1 Azure SignalR service supports to manage the connections and send messages to them.

+# Azure SignalR Service data plane REST API - v1

+This article contains the v1 version REST APIs for Azure SignalR Service data plane.

+## Available APIs

+| API | Path |

+| - | - |

+| [Broadcast a message to all clients connected to target hub.](#broadcast-a-message-to-all-clients-connected-to-target-hub) | `POST /api/v1/hubs/{hub}` |

+| [Broadcast a message to all clients belong to the target user.](#broadcast-a-message-to-all-clients-belong-to-the-target-user) | `POST /api/v1/hubs/{hub}/users/{id}` |

+| [Send message to the specific connection.](#send-message-to-the-specific-connection) | `POST /api/v1/hubs/{hub}/connections/{connectionId}` |

+| [Check if the connection with the given connectionId exists](#check-if-the-connection-with-the-given-connectionid-exists) | `GET /api/v1/hubs/{hub}/connections/{connectionId}` |

+| [Close the client connection](#close-the-client-connection) | `DELETE /api/v1/hubs/{hub}/connections/{connectionId}` |

+| [Broadcast a message to all clients within the target group.](#broadcast-a-message-to-all-clients-within-the-target-group) | `POST /api/v1/hubs/{hub}/groups/{group}` |

+| [Check if there are any client connections inside the given group](#check-if-there-are-any-client-connections-inside-the-given-group) | `GET /api/v1/hubs/{hub}/groups/{group}` |

+| [Check if there are any client connections connected for the given user](#check-if-there-are-any-client-connections-connected-for-the-given-user) | `GET /api/v1/hubs/{hub}/users/{user}` |

+| [Add a connection to the target group.](#add-a-connection-to-the-target-group) | `PUT /api/v1/hubs/{hub}/groups/{group}/connections/{connectionId}` |

+| [Remove a connection from the target group.](#remove-a-connection-from-the-target-group) | `DELETE /api/v1/hubs/{hub}/groups/{group}/connections/{connectionId}` |

+| [Check whether a user exists in the target group.](#check-whether-a-user-exists-in-the-target-group) | `GET /api/v1/hubs/{hub}/groups/{group}/users/{user}` |

+| [Add a user to the target group.](#add-a-user-to-the-target-group) | `PUT /api/v1/hubs/{hub}/groups/{group}/users/{user}` |

+| [Remove a user from the target group.](#remove-a-user-from-the-target-group) | `DELETE /api/v1/hubs/{hub}/groups/{group}/users/{user}` |

+| [Remove a user from all groups.](#remove-a-user-from-all-groups) | `DELETE /api/v1/hubs/{hub}/users/{user}/groups` |

+### Broadcast a message to all clients connected to target hub.

+`POST /api/v1/hubs/{hub}`

+##### Parameters

+| Name | Located in | Description | Required | Schema |

+| - | - | -- | -- | - |

+| hub | path | Target hub name, which must start with alphabetic characters and only contain alpha-numeric characters or underscore. | Yes | string |

+| excluded | query | Excluded connection Ids | No | [ string ] |

+##### Responses

+| Code | Description |

+| - | -- |

+| 202 | Success |

+| 400 | Bad Request |

+### Broadcast a message to all clients belong to the target user.

+`POST /api/v1/hubs/{hub}/users/{id}`

+##### Parameters

+| Name | Located in | Description | Required | Schema |

+| - | - | -- | -- | - |

+| hub | path | Target hub name, which must start with alphabetic characters and only contain alpha-numeric characters or underscore. | Yes | string |

+| id | path | The user Id. | Yes | string |

+##### Responses

+| Code | Description |

+| - | -- |

+| 202 | Success |

+| 400 | Bad Request |

+### Send message to the specific connection.

+`POST /api/v1/hubs/{hub}/connections/{connectionId}`

+##### Parameters

+| Name | Located in | Description | Required | Schema |

+| - | - | -- | -- | - |

+| hub | path | Target hub name, which must start with alphabetic characters and only contain alpha-numeric characters or underscore. | Yes | string |

+| connectionId | path | The connection Id. | Yes | string |

+##### Responses

+| Code | Description |

+| - | -- |

+| 202 | Success |

+| 400 | Bad Request |

+### Check if the connection with the given connectionId exists

+`GET /api/v1/hubs/{hub}/connections/{connectionId}`

+##### Parameters

+| Name | Located in | Description | Required | Schema |

+| - | - | -- | -- | - |

+| hub | path | | Yes | string |

+| connectionId | path | | Yes | string |

+##### Responses

+| Code | Description |

+| - | -- |

+| 200 | Success |

+| 400 | Bad Request |

+| 404 | Not Found |

+### Close the client connection

+`DELETE /api/v1/hubs/{hub}/connections/{connectionId}`

+##### Parameters

+| Name | Located in | Description | Required | Schema |

+| - | - | -- | -- | - |

+| hub | path | | Yes | string |

+| connectionId | path | | Yes | string |

+| reason | query | | No | string |

+##### Responses

+| Code | Description |

+| - | -- |

+| 202 | Success |

+| 400 | Bad Request |

+### Broadcast a message to all clients within the target group.

+`POST /api/v1/hubs/{hub}/groups/{group}`

+##### Parameters

+| Name | Located in | Description | Required | Schema |

+| - | - | -- | -- | - |

+| hub | path | Target hub name, which must start with alphabetic characters and only contain alpha-numeric characters or underscore. | Yes | string |

+| group | path | Target group name, whose length must be greater than 0 and less than 1025. | Yes | string |

+| excluded | query | Excluded connection Ids | No | [ string ] |

+##### Responses

+| Code | Description |

+| - | -- |

+| 202 | Success |

+| 400 | Bad Request |

+### Check if there are any client connections inside the given group

+`GET /api/v1/hubs/{hub}/groups/{group}`

+##### Parameters

+| Name | Located in | Description | Required | Schema |

+| - | - | -- | -- | - |

+| hub | path | | Yes | string |

+| group | path | | Yes | string |

+##### Responses

+| Code | Description |

+| - | -- |

+| 200 | Success |

+| 400 | Bad Request |

+| 404 | Not Found |

+### Check if there are any client connections connected for the given user

+`GET /api/v1/hubs/{hub}/users/{user}`

+##### Parameters

+| Name | Located in | Description | Required | Schema |

+| - | - | -- | -- | - |

+| hub | path | | Yes | string |

+| user | path | | Yes | string |

+##### Responses

+| Code | Description |

+| - | -- |

+| 200 | Success |

+| 400 | Bad Request |

+| 404 | Not Found |

+### Add a connection to the target group.

+`PUT /api/v1/hubs/{hub}/groups/{group}/connections/{connectionId}`

+##### Parameters

+| Name | Located in | Description | Required | Schema |

+| - | - | -- | -- | - |

+| hub | path | Target hub name, which must start with alphabetic characters and only contain alpha-numeric characters or underscore. | Yes | string |

+| group | path | Target group name, whose length must be greater than 0 and less than 1025. | Yes | string |

+| connectionId | path | Target connection Id | Yes | string |

+##### Responses

+| Code | Description |

+| - | -- |

+| 200 | Success |

+| 400 | Bad Request |

+| 404 | Not Found |

+### Remove a connection from the target group.

+`DELETE /api/v1/hubs/{hub}/groups/{group}/connections/{connectionId}`

+##### Parameters

+| Name | Located in | Description | Required | Schema |

+| - | - | -- | -- | - |

+| hub | path | Target hub name, which must start with alphabetic characters and only contain alpha-numeric characters or underscore. | Yes | string |

+| group | path | Target group name, whose length must be greater than 0 and less than 1025. | Yes | string |

+| connectionId | path | Target connection Id | Yes | string |

+##### Responses

+| Code | Description |

+| - | -- |

+| 200 | Success |

+| 400 | Bad Request |

+| 404 | Not Found |

+### Check whether a user exists in the target group.

+`GET /api/v1/hubs/{hub}/groups/{group}/users/{user}`

+##### Parameters

+| Name | Located in | Description | Required | Schema |

+| - | - | -- | -- | - |

+| hub | path | Target hub name, which must start with alphabetic characters and only contain alpha-numeric characters or underscore. | Yes | string |

+| group | path | Target group name, whose length must be greater than 0 and less than 1025. | Yes | string |

+| user | path | Target user Id | Yes | string |

+##### Responses

+| Code | Description |

+| - | -- |

+| 200 | Success |

+| 400 | Bad Request |

+| 404 | Not Found |

+### Add a user to the target group.

+`PUT /api/v1/hubs/{hub}/groups/{group}/users/{user}`

+##### Parameters

+| Name | Located in | Description | Required | Schema |

+| - | - | -- | -- | - |

+| hub | path | Target hub name, which must start with alphabetic characters and only contain alpha-numeric characters or underscore. | Yes | string |

+| group | path | Target group name, whose length must be greater than 0 and less than 1025. | Yes | string |

+| user | path | Target user Id | Yes | string |

+| ttl | query | Specifies the seconds that the user exists in the group. If not set, the user lives in the group for at most 1 year. Note that when ttl is not set, the service preserves 100 user-group relationships per user and old user-group relationship are overwritten by newly added ones. | No | integer |

+##### Responses

+| Code | Description |

+| - | -- |

+| 202 | Success |

+| 400 | Bad Request |

+### Remove a user from the target group.

+`DELETE /api/v1/hubs/{hub}/groups/{group}/users/{user}`

+##### Parameters

+| Name | Located in | Description | Required | Schema |

+| - | - | -- | -- | - |

+| hub | path | Target hub name, which must start with alphabetic characters and only contain alpha-numeric characters or underscore. | Yes | string |

+| group | path | Target group name, whose length must be greater than 0 and less than 1025. | Yes | string |

+| user | path | Target user Id | Yes | string |

+##### Responses

+| Code | Description |

+| - | -- |

+| 202 | Success |

+| 400 | Bad Request |

+### Remove a user from all groups.

+`DELETE /api/v1/hubs/{hub}/users/{user}/groups`

+##### Parameters

+| Name | Located in | Description | Required | Schema |

+| - | - | -- | -- | - |

+| hub | path | Target hub name, which must start with alphabetic characters and only contain alpha-numeric characters or underscore. | Yes | string |

+| user | path | Target user Id | Yes | string |

+##### Responses

+| Code | Description |

+| - | -- |

+| 200 | The user is deleted |

+| 202 | The delete request is accepted and the service is handling the request in the background |

+| 400 | Bad Request |

+### Models

+#### PayloadMessage

+| Name | Type | Description | Required |

+| - | - | -- | -- |

+| Target | string | | No |

+| Arguments | [ object ] | | No |

+ Title: Limited Access features of Azure Video Indexer

+description: This article talks about the limited access features of Azure Video Indexer.

+# Limited Access features of Azure Video Indexer

+Our vision is to empower developers and organizations to leverage AI to transform society in positive ways. We encourage responsible AI practices to protect the rights and safety of individuals. Microsoft facial recognition services are Limited Access in order to help prevent the misuse of the services in accordance with our [AI Principles](https://www.microsoft.com/ai/responsible-ai?SilentAuth=1&wa=wsignin1.0&activetab=pivot1%3aprimaryr6) and [facial recognition](https://blogs.microsoft.com/on-the-issues/2018/12/17/six-principles-to-guide-microsofts-facial-recognition-work/) principles. The Face Identify and Celebrity Recognition operations in Azure Video Indexer are Limited Access features that require registration.

+Since the announcement on June 11th, 2020, Azure face recognition services are strictly prohibited for use by or for U.S. police departments.

+## Application process

+Limited Access features of Azure Video Indexer are only available to customers managed by Microsoft, and only for use cases selected at the time of registration. Other Azure Video Indexer features do not require registration to use.

+Customers and partners who wish to use Limited Access features of Azure Video Indexer are required to [submit an intake form](https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR7en2Ais5pxKtso_Pz4b1_xUQjA5SkYzNDM4TkcwQzNEOE1NVEdKUUlRRCQlQCN0PWcu). Access is subject to MicrosoftΓÇÖs sole discretion based on eligibility criteria and a vetting process. Microsoft may require customers and partners to reverify this information periodically.

+The Azure Video Indexer service is made available to customers and partners under the terms governing their subscription to Microsoft Azure Services (including the [Service Specific Terms](https://www.microsoft.com/licensing/terms/productoffering/MicrosoftAzure/MCA#ServiceSpecificTerms)). Please review these terms carefully as they contain important conditions and obligations governing your use of Azure Video Indexer.

+## Help and support

+FAQ about Limited Access can be found [here](https://aka.ms/limitedaccesscogservices).

+If you need help with Azure Video Indexer, find support [here](/azure/cognitive-services/cognitive-services-support-options.md).

+[Report Abuse](https://msrc.microsoft.com/report/abuse) of Azure Video Indexer.

+## Next steps

+Learn more about the legal terms that apply to this service [here](https://azure.microsoft.com/support/legal/).

+

+This quickstart shows you how to get started easily with a [Pub/Sub live demo](https://aka.ms/awps/quicktry).

+The sizes listed in the left column below are deprecated in Azure Resource Manager. However, if you want to continue to use them update the `vmsize` name with the associated Azure Resource Manager naming convention.

+ Title: "Quickstart: Build an image classification model with the Custom Vision portal"

+# Quickstart: Build an image classification model with the Custom Vision portal

+In this quickstart, you'll learn how to use the Custom Vision web portal to create an image classification model. Once you build a model, you can test it with new images and eventually integrate it into your own image recognition app.

+- A set of images with which to train your classification model. You can use the set of [sample images](https://github.com/Azure-Samples/cognitive-services-sample-data-files/tree/master/CustomVision/ImageClassification/Images) on GitHub. Or, you can choose your own images using the tips below.

+1. Next, select one of the available domains. Each domain optimizes the model for specific types of images, as described in the following table. You can change the domain later if you wish.

+Azure Custom Vision is an image recognition service that lets you build, deploy, and improve your own image identifier models. An image identifier applies labels to images, according to their visual characteristics. Each label represents a classification or object. Unlike the [Computer Vision](../computer-vision/overview.md) service, Custom Vision allows you to specify your own labels and train custom models to detect them.

+The Custom Vision service uses a machine learning algorithm to analyze images. You submit groups of images that have and don't have the characteristics in question. You label the images yourself with your own custom labels (tags) at the time of submission. Then the algorithm trains to this data and calculates its own accuracy by testing itself on the same images. Once you've trained the model, you can test, retrain, and eventually use it in your image recognition app to [classify images](getting-started-build-a-classifier.md) or [detect objects](get-started-build-detector.md). You can also [export the model](export-your-model.md) itself for offline use.

+Follow the [Build a classifier](getting-started-build-a-classifier.md) quickstart to get started using Custom Vision on the web portal, or complete an [SDK quickstart](quickstarts/image-classification.md) to implement the basic scenarios with code.

+You have easy access to a broad portfolio of [languages and voices](language-support.md#text-to-speech). These voices include state-of-the-art prebuilt neural voices and your custom neural voice, if you've built one.

+1. After you get the Azure account and the Speech resource, sign in to [Speech Studio](https://aka.ms/speechstudio/), and then select **Audio Content Creation**.

+ To switch your Speech resource at any time, select **Settings** at the top of the page.

+1. [Create an audio tuning file](#create-an-audio-tuning-file) by using plain text or SSML scripts. Enter or upload your content into Audio Content Creation.

+ 1. Select **New** > **Text file** to create a new audio tuning file.

+ 1. Enter or paste your content into the editing window. The allowable number of characters for each file is 20,000 or fewer. If your script contains more than 20,000 characters, you can use Option 2 to automatically split your content into multiple files.

+

+ 1. Select **Upload** > **Text file** to import one or more text files. Both plain text and SSML are supported.

+ We recommend **Export to Audio library** to easily store, find, and search audio output in the cloud. You can better integrate with your applications through Azure blob storage. You can also download the audio to your local disk directly.

+

+1. To view the status of the task, select the **Task list** tab.

+1. When the task is complete, your audio is available for download on the **Audio library** pane.

+1. Select the file you want to download and **Download**.

+ Now you're ready to use your custom tuned audio in your apps or products.

+> [!NOTE]

+> When using SSML text, be sure to use the [supported SSML elements](speech-synthesis-markup.md?tabs=csharp#supported-ssml-elements) except the `audio` and `mstts:backgroundaudio` elements. The `audio` and `mstts:backgroundaudio` elements are not supported by Long Audio API. The `audio` element will be ignored without any error message. The `mstts:backgroundaudio` element will cause the systhesis task failure. If your synthesis task fails, download the audio result (.zip file) and check the error report with suffix name "err.txt" within the zip file for details.

+* [Voice Gallery](https://aka.ms/speechstudio/voicegallery): Build apps and services that speak naturally. Choose from a broad portfolio of [languages, voices, and variants](language-support.md#prebuilt-neural-voices). Bring your scenarios to life with highly expressive and human-like neural voices.

+> [!NOTE]

+> The 'audio' element is not supported by the Long Audio API.

+> [!NOTE]

+> The `mstts:backgroundaudio` element is not supported by the Long Audio API.

+- [SDK](/dotnet/api/microsoft.azure.cognitiveservices.knowledge.qnamaker)

+Learn more about the [Question Answering Get Answers REST API](/rest/api/cognitiveservices/questionanswering/question-answering/get-answers)

+Run the following [az deployment group create](/cli/azure/deployment/group#az-deployment-group-create) command to create the registry using the preceding template file. Where indicated, provide:

+az deployment group create -g <ResourceGroup> --template-file <ProvisionTemplateFilePath>

+az deployment group create -g <ResourceGroup> --template-file <ProvisionTemplateFilePath>

+az deployment group create -g <ResourceGroup> --template-file <RestoreTemplateFilePath>

+- The total canceled commitment can't exceed 50,000 USD in a 12-month rolling window for a billing profile or single enrollment. For example, for a three-year reservation (36 months) that's 100 USD per month and it's refunded in the 12th month, the canceled commitment is 2,400 USD (for the remaining 24 months). After the refund, your new available limit for refund will be 47,600 USD (50,000-2,400). In 365 days from the refund, the 47,600 USD limit will be increased by 2,400 USD and your new pool will be 50,000 USD. Any other reservation cancellation for the billing profile or EA enrollment will deplete the same pool, and the same replenishment logic will apply.

+When using Azure Synapse Analytics, a setting called **Enable staging** exists in the source options. This allows the service to read from Synapse using ```Staging``` which greatly improves read performance by using the most performant bulk loading capability such as CETAS and COPY command. Enabling ```Staging``` requires you to specify an Azure Blob Storage or Azure Data Lake Storage gen2 staging location in the data flow activity settings.

+| authenticationType | Type of authentication used to connect to the REST service. Allowed values are **Anonymous**, **Basic**, **AadServicePrincipal**, **OAuth2ClientCredential**, and **ManagedServiceIdentity**. You can additionally configure authentication headers in `authHeader` property. Refer to corresponding sections below on more properties and examples respectively.| Yes |

+For different authentication types, see the corresponding sections for details.

+- [Basic authentication](#use-basic-authentication)

+- [AAD service principal authentication](#use-aad-service-principal-authentication)

+- [OAuth2 Client Credential authentication](#use-oauth2-client-credential-authentication)

+- [User-assigned managed identity authentication](#use-user-assigned-managed-identity-authentication)

+- [Anonymous authentication](#using-authentication-headers)

+**Example**

+### Use OAuth2 Client Credential authentication

+Set the **authenticationType** property to **OAuth2ClientCredential**. In addition to the generic properties that are described in the preceding section, specify the following properties:

+| Property | Description | Required |

+|: |: |: |

+| tokenEndpoint| The token endpoint of the authorization server to acquire the access token. | Yes |

+| clientId | The client ID associated with your application. | Yes |

+| clientSecret| The client secret associated with your application. Mark this field as a **SecureString** type to store it securely in Data Factory. You can also [reference a secret stored in Azure Key Vault](store-credentials-in-key-vault.md). | Yes |

+| scope | The scope of the access required. It describes what kind of access will be requested. | No |

+| resource | The target service or resource to which the access will be requested. | No |

+**Example**

+```json

+{

+ "name": "RESTLinkedService",

+ "properties": {

+ "type": "RestService",

+ "typeProperties": {

+ "url": "<REST endpoint e.g. https://www.example.com/>",

+ "enableServerCertificateValidation": true,

+ "authenticationType": "OAuth2ClientCredential",

+ "clientId": "<client ID>",

+ "clientSecret": {

+ "type": "SecureString",

+ "value": "<client secret>"

+ },

+ "tokenEndpoint": "<token endpoint>",

+ "scope": "<scope>",

+ "resource": "<resource>"

+ }

+ }

+}

+```

+- [Script activity](transform-data-using-script.md)

+## Prerequisites

+If your data store is located inside an on-premises network, an Azure virtual network, or Amazon Virtual Private Cloud, you need to configure a [self-hosted integration runtime](create-self-hosted-integration-runtime.md) to connect to it. Make sure to add the IP addresses that the self-hosted integration runtime uses to the allowed list.

+If your data store is a managed cloud data service, you can use the Azure Integration Runtime. If the access is restricted to IPs that are approved in the firewall rules, you can add [Azure Integration Runtime IPs](azure-integration-runtime-ip-addresses.md) to the allowed list.

+For more information about the network security mechanisms and options supported by Data Factory, see [Data access strategies](data-access-strategies.md).

+> The staging Azure Blob storage linked service must use shared access signature authentication, as required by the Snowflake COPY command. Make sure you grant proper access permission to Snowflake in the staging Azure Blob storage. To learn more about this, see this [article](https://docs.snowflake.com/en/user-guide/data-load-azure-config.html#option-2-generating-a-sas-token).

+* **[Private Link](../private-link/private-link-overview.md)** - You can create an Azure Integration Runtime within Azure Data Factory Managed Virtual Network and it will leverage private endpoints to securely connect to supported data stores. Traffic between Managed Virtual Network and data sources travels the Microsoft backbone network and is not exposed to the public network.

+This article lists the security alerts you might get from Microsoft Defender for Cloud and any Microsoft Defender plans you've enabled. The alerts shown in your environment depend on the resources and services you're protecting, and your customized configuration.

+## <a name="alerts-azurecosmos"></a>Alerts for Azure Cosmos DB

+| **Access from a Tor exit node** <br> (CosmosDB_TorAnomaly) | This Azure Cosmos DB account was successfully accessed from an IP address known to be an active exit node of Tor, an anonymizing proxy. Authenticated access from a Tor exit node is a likely indication that a threat actor is trying to hide their identity. | Initial Access | High/Medium |

+| **Access from a suspicious IP**<br>(CosmosDB_SuspiciousIp) | This Azure Cosmos DB account was successfully accessed from an IP address that was identified as a threat by Microsoft Threat Intelligence. | Initial Access | Medium |

+| **Access from an unusual location**<br>(CosmosDB_GeoAnomaly) | This Azure Cosmos DB account was accessed from a location considered unfamiliar, based on the usual access pattern. <br><br> Either a threat actor has gained access to the account, or a legitimate user has connected from a new or unusual geographic location | Initial Access | Low |

+| **Unusual volume of data extracted**<br>(CosmosDB_DataExfiltrationAnomaly) | An unusually large volume of data has been extracted from this Azure Cosmos DB account. This might indicate that a threat actor exfiltrated data. | Exfiltration | Medium |

+| **Extraction of Azure Cosmos DB accounts keys via a potentially malicious script**<br>(CosmosDB_SuspiciousListKeys.MaliciousScript) | A PowerShell script was run in your subscription and performed a suspicious pattern of key-listing operations to get the keys of Azure Cosmos DB accounts in your subscription. Threat actors use automated scripts, like Microburst, to list keys and find Azure Cosmos DB accounts they can access. <br><br> This operation might indicate that an identity in your organization was breached, and that the threat actor is trying to compromise Azure Cosmos DB accounts in your environment for malicious intentions. <br><br> Alternatively, a malicious insider could be trying to access sensitive data and perform lateral movement. | Collection | High |

+| **SQL injection: potential data exfiltration**<br>(CosmosDB_SqlInjection.DataExfiltration) | A suspicious SQL statement was used to query a container in this Azure Cosmos DB account. <br><br> The injected statement might have succeeded in exfiltrating data that the threat actor isnΓÇÖt authorized to access. <br><br> Due to the structure and capabilities of Azure Cosmos DB queries, many known SQL injection attacks on Azure Cosmos DB accounts cannot work. However, the variation used in this attack may work and threat actors can exfiltrate data. | Exfiltration | Medium |

+| **SQL injection: fuzzing attempt**<br>(CosmosDB_SqlInjection.FailedFuzzingAttempt) | A suspicious SQL statement was used to query a container in this Azure Cosmos DB account. <br><br> Like other well-known SQL injection attacks, this attack wonΓÇÖt succeed in compromising the Azure Cosmos DB account. <br><br> Nevertheless, itΓÇÖs an indication that a threat actor is trying to attack the resources in this account, and your application may be compromised. <br><br> Some SQL injection attacks can succeed and be used to exfiltrate data. This means that if the attacker continues performing SQL injection attempts, they may be able to compromise your Azure Cosmos DB account and exfiltrate data. <br><br> You can prevent this threat by using parameterized queries. | Pre-attack | Low |

+> [!NOTE]

+> Log analytics supports records that are only up to 32KB in size. When the data limit is reached, you will see an alert telling you that the `Data limit has been exceeded`.

+- [Microsoft Defender for Azure Cosmos DB](concept-defender-for-cosmos.md)

+Learn more about Defender for Containers:

+- [Demonstrating Microsoft Defender for Cloud](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/how-to-demonstrate-the-new-containers-features-in-microsoft/ba-p/3281172)

+- The release state of Defender for Containers is broken down by two dimensions: environment and feature. So, for example:

+ - **Kubernetes data plane recommendations** for AKS clusters are GA

+ - **Kubernetes data plane recommendations** for EKS clusters are preview

+ To view the status of the full matrix of features and environments, see [Microsoft Defender for Containers feature availability](supported-machines-endpoint-solutions-clouds-containers.md).

+## Threat protection for Azure Cosmos DB<a name="cosmos-db"></a>

+- [Advanced threat protection for Azure Cosmos DB](../cosmos-db/cosmos-db-advanced-threat-protection.md)

+- [The list of threat protection alerts for Azure Cosmos DB](alerts-reference.md#alerts-azurecosmos)

+This article explains how to enable Microsoft Defender for Cloud's database (DB) protection for the most common database types that exist on your subscription.

+- [Microsoft Defender for Azure Cosmos DB](concept-defender-for-cosmos.md)

+ - If you want to manually install Azure Arc on your existing and future EC2 instances, use the [EC2 instances should be connected to Azure Arc](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/231dee23-84db-44d2-bd9d-c32fbcfb42a3) recommendation to identify instances that don't have Azure Arc installed.

+1. By default the **Containers** plan is set to **On**. This is necessary to have Defender for Containers protect your AWS EKS clusters. Ensure you've fulfilled the [network requirements](./defender-for-containers-enable.md?pivots=defender-for-container-eks&source=docs&tabs=aks-deploy-portal%2ck8s-deploy-asc%2ck8s-verify-asc%2ck8s-remove-arc%2caks-removeprofile-api#network-requirements) for the Defender for Containers plan.

+1. Using the downloaded CloudFormation template, create the stack in AWS as instructed on screen. If you're onboarding a management account, you'll need to run the CloudFormation template both as Stack and as StackSet. Connectors will be created for the member accounts up to 24 hours after the onboarding.

+### For the CSPM plan, what IAM permissions are needed to discover AWS resources?

+The following IAM permissions are needed to discover AWS resources:

+| DataCollector | AWS Permissions |

+|--|--|

+| API Gateway | apigateway:GET |

+| Application Auto Scaling | application-autoscaling:Describe* |

+| Auto scaling | autoscaling-plans:Describe* <br> autoscaling:Describe* |

+| Certificate manager | acm-pca:Describe* <br> acm-pca:List* <br> acm:Describe* <br>acm:List* |

+| CloudFormation | cloudformation:Describe* <br> cloudformation:List* |

+| CloudFront | cloudfront:DescribeFunction <br> cloudfront:GetDistribution <br> cloudfront:GetDistributionConfig <br>cloudfront:List* |

+| CloudTrail | cloudtrail:Describe* <br> cloudtrail:GetEventSelectors <br> cloudtrail:List* <br> cloudtrail:LookupEvents |

+| CloudWatch | cloudwatch:Describe* <br> cloudwatch:List* |

+| CloudWatch logs | logs:DescribeLogGroups <br> logs:DescribeMetricFilters |

+| CodeBuild | codebuild:DescribeCodeCoverages <br> codebuild:DescribeTestCases <br> codebuild:List* |

+| Config Service | config:Describe* <br> config:List* |

+| DMS ΓÇô database migration service | dms:Describe* <br> dms:List* |

+| DAX | dax:Describe* |

+| DynamoDB | dynamodb:Describe* <br> dynamodb:List* |

+| Ec2 | ec2:Describe* <br> ec2:GetEbsEncryptionByDefault |

+| ECR | ecr:Describe* <br> ecr:List* |

+| ECS | ecs:Describe* <br> ecs:List* |

+| EFS | elasticfilesystem:Describe* |

+| EKS | eks:Describe* <br> eks:List* |

+| Elastic Beanstalk | elasticbeanstalk:Describe* <br> elasticbeanstalk:List* |

+| ELB ΓÇô elastic load balancing (v1/2) | elasticloadbalancing:Describe* |

+| Elastic search | es:Describe* <br> es:List* |

+| EMR ΓÇô elastic map reduce | elasticmapreduce:Describe* <br> elasticmapreduce:GetBlockPublicAccessConfiguration <br> elasticmapreduce:List* <br> elasticmapreduce:View* |

+| GuardDute | guardduty:DescribeOrganizationConfiguration <br> guardduty:DescribePublishingDestination <br> guardduty:List* |

+| IAM | iam:Generate* <br> iam:Get* <br> iam:List*<br> iam:Simulate* |

+| KMS | kms:Describe* <br> kms:List* |

+| LAMDBA | lambda:GetPolicy <br> lambda:List* |

+| Network firewall | network-firewall:DescribeFirewall <br> network-firewall:DescribeFirewallPolicy <br> network-firewall:DescribeLoggingConfiguration <br> network-firewall:DescribeResourcePolicy <br> network-firewall:DescribeRuleGroup <br> network-firewall:DescribeRuleGroupMetadata <br> network-firewall:ListFirewallPolicies <br> network-firewall:ListFirewalls <br> network-firewall:ListRuleGroups <br> network-firewall:ListTagsForResource |

+| RDS | rds:Describe* <br> rds:List* |

+| RedShift | redshift:Describe* |

+| S3 and S3Control | s3:DescribeJob <br> s3:GetEncryptionConfiguration <br> s3:GetBucketPublicAccessBlock <br> s3:GetBucketTagging <br> s3:GetBucketLogging <br> s3:GetBucketAcl <br> s3:GetBucketLocation <br> s3:GetBucketPolicy <br> s3:GetReplicationConfiguration <br> s3:GetAccountPublicAccessBlock <br> s3:GetObjectAcl <br> s3:GetObjectTagging <br> s3:List* |

+| SageMaker | sagemaker:Describe* <br> sagemaker:GetSearchSuggestions <br> sagemaker:List* <br> sagemaker:Search |

+| Secret manager | secrets

+| Simple notification service ΓÇô SNS | sns:Check* <br> sns:List* |

+| SSM | ssm:Describe* <br> ssm:List* |

+| SQS | sqs:List* <br> sqs:Receive* |

+| STS | sts:GetCallerIdentity |

+| WAF | waf-regional:Get* <br> waf-regional:List* <br> waf:List* <br> wafv2:CheckCapacity <br> wafv2:Describe* <br> wafv2:List* |

+- [Connect your GCP projects to Microsoft Defender for Cloud](quickstart-onboard-gcp.md)

+- [General availability (GA) for Microsoft Defender for Azure Cosmos DB](#general-availability-ga-for-microsoft-defender-for-azure-cosmos-db)

+Defender for SQL, enterprises can now protect their entire database estate, hosted in Azure, AWS, GCP and on-premises machines.

+Using the multicloud onboarding experience, you can enable and enforce databases protection for SQL servers running on AWS EC2, RDS Custom for SQL Server and GCP compute engine. Once you've enabled either of these plans, all supported resources that exist within the subscription are protected. Future resources created on the same subscription will also be protected.

+### General availability (GA) for Microsoft Defender for Azure Cosmos DB

+Microsoft Defender for Azure Cosmos DB is now generally available (GA) and supports SQL (core) API account types.

+This new release to GA is a part of the Microsoft Defender for Cloud database protection suite, which includes different types of SQL databases, and MariaDB. Microsoft Defender for Azure Cosmos DB is an Azure native layer of security that detects attempts to exploit databases in your Azure Cosmos DB accounts.

+By enabling this plan, you'll be alerted to potential SQL injections, known bad actors, suspicious access patterns, and potential explorations of your database through compromised identities, or malicious insiders.

+When potentially malicious activities are detected, security alerts are generated. These alerts provide details of suspicious activity along with the relevant investigation steps, remediation actions, and security recommendations.

+Microsoft Defender for Azure Cosmos DB continuously analyzes the telemetry stream generated by the Azure Cosmos DB services and crosses them with Microsoft Threat Intelligence and behavioral models to detect any suspicious activity. Defender for Azure Cosmos DB doesn't access the Azure Cosmos DB account data and doesn't have any effect on your database's performance.

+Learn more about [Microsoft Defender for Azure Cosmos DB](concept-defender-for-cosmos.md).

+With the addition of support for Azure Cosmos DB, Defender for Cloud now provides one of the most comprehensive workload protection offerings for cloud-based databases. Security teams and database owners can now have a centralized experience to manage their database security of their environments.

+Learn how to [enable database protection](quickstart-enable-database-protections.md) for your databases today.

+Defender for Containers now displays vulnerabilities that have medium and low severities that aren't patchable.

+Custom recommendations are those created by users and have no effect on the secure score. The custom recommendations can now be found under the All recommendations tab.

+Microsoft Defender for Storage's alerts notifies you when threat actors attempt to scan and expose, successfully or not, misconfigured, publicly open storage containers to try to exfiltrate sensitive information.

+| Service principals should be used to protect your subscriptions instead of Management Certificates | Management certificates allow anyone who authenticates with them to manage the subscription(s) they're associated with. To manage subscriptions more securely, using service principals with Resource Manager is recommended to limit the blast radius in the case of a certificate compromise. It also automates resource management. <br />(Related policy: [Service principals should be used to protect your subscriptions instead of management certificates](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2f6646a0bd-e110-40ca-bb97-84fcee63c414)) |Medium |

+- [Workflow of Microsoft Azure classic VM Architecture - including RDFE workflow basics](../cloud-services/cloud-services-workflow-process.md)

+All of Microsoft's Defender for IoT device alerts are no longer visible in Microsoft Defender for Cloud. These alerts are still available on Microsoft Defender for IoT's Alert page, and in Microsoft Sentinel.

+| Malicious Domain Name Request | Medium | Defender-IoT-micro-agent | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Disconnect the source from the network. Perform incident response. | IoT_MaliciousNameQueriesDetection |

+> [Configure Microsoft Defender for IoT agent-based solution](tutorial-configure-agent-based-solution.md)

+ | Confirm password | Reenter the password. |

+1. Select **Server Roles** or select **Next** three times. On the **Server Roles** screen, select **Web Server (IIS)**.

+ :::image type="content" source="./media/tutorial-alias-pip/iis-web-server-installation.png" alt-text="Screenshot of Add Roles and Features Wizard in Windows Server 2019 showing how to install the I I S Web Server by adding Web Server role.":::

+ :::image type="content" source="./media/tutorial-alias-pip/iis-web-server.png" alt-text="Screenshot of Internet Explorer showing the I I S Web Server default web page.":::

+1. From a web browser, browse to `web01.contoso.com`, which is the fully qualified domain name of the **Web-01** virtual machine. You now see the IIS default web page.

+ | Confirm password | Reenter the password. |

+1. Select **Server Roles** or select **Next** three times. On the **Server Roles** screen, select **Web Server (IIS)**.

+ :::image type="content" source="./media/tutorial-alias-tm/iis-web-server-installation.png" alt-text="Screenshot of Add Roles and Features Wizard in Windows Server 2019 showing how to install the I I S Web Server by adding the Web Server role.":::

+1. Go to *C:\inetpub\wwwroot* and open *iisstart.htm* with Notepad or any editor of your choice to edit the default IIS web page.

+1. Replace all the text in the file with `Hello World from Web-01` and save the changes to *iisstart.htm*.

+1. Open a web browser. Browse to **localhost** to verify that the default IIS web page appears.

+1. Repeat previous steps to install IIS web server on **Web-02** virtual machine. Use `Hello World from Web-02` to replace all the text in *iisstart.htm*.

+- Learn more about [Traffic Manager routing methods](../traffic-manager/traffic-manager-routing-methods.md).

+| **Abu Dhabi** | Etisalat KDC | 3 | UAE Central | Supported | |

+| **Dubai** | [PCCS](https://www.pacificcontrols.net/cloudservices/https://docsupdatetracker.net/index.html) | 3 | UAE North | Supported | Etisalat UAE |

+| **Stockholm** | [Equinix SK1](https://www.equinix.com/locations/europe-colocation/sweden-colocation/stockholm-data-centers/sk1/) | 1 | Sweden Central | Supported | Equinix, Interxion, Megaport, Telia Carrier |

+| **Tokyo3** | [NEC](https://www.nec.com/en/global/solutions/cloud/inzai_datacenter.html) | 2 | Japan East | Supported | |

+> This documentation is for Azure Front Door Standard/Premium. Looking for information on Azure Front Door? View [here](../front-door-overview.md).

+ npm install @azure/identity

+ > Verify in _package.json_ `@azure/arm-managementgroups` is version **2.0.1** or higher and

+ > `@azure/identity` is version **2.0.4** or higher.

+ const argv = require("yargs").argv;

+ const { InteractiveBrowserCredential } = require("@azure/identity");

+ const { ManagementGroupsAPI } = require("@azure/arm-managementgroups");

+ if (argv.groupID && argv.displayName) {

+ const createMG = async () => {

+ const credentials = new InteractiveBrowserCredential();

+ const client = new ManagementGroupsAPI(credentials);

+ const result = await client.managementGroups.beginCreateOrUpdateAndWait(

+ argv.groupID,

+ {

+ displayName: argv.displayName

+ }

+ );

+ console.log(result);

+ };

+ createMG();

+npm uninstall @azure/arm-managementgroups @azure/identity yargs

+description: In this tutorial, you implement an Azure Policy as Code workflow with export, GitHub Actions, and GitHub workflows

+> - Trigger a compliance scan from the GitHub Actions

+ [GitHub Actions](https://github.com/features/actions) needs in the new window that opens and

+ :::image type="content" source="../media/policy-as-code-github/updated-definition-metadata.png" alt-text="Screenshot of the Azure Policy definition in Azure portal updated with metadata specific to the GitHub Actions.":::

+### Trigger compliance scans using GitHub Actions

+> - Triggered a compliance scan from the GitHub Actions

+- [Understanding the Azure Resource Graph query language](#understanding-the-azure-resource-graph-query-language)

+ - [Resource Graph tables](#resource-graph-tables)

+ - [Extended properties (preview)](#extended-properties-preview)

+ - [Resource Graph custom language elements](#resource-graph-custom-language-elements)

+ - [Shared query syntax (preview)](#shared-query-syntax-preview)

+ - [Supported KQL language elements](#supported-kql-language-elements)

+ - [Supported tabular/top level operators](#supported-tabulartop-level-operators)

+ - [Query scope](#query-scope)

+ - [Escape characters](#escape-characters)

+ - [Next steps](#next-steps)

+## Extended properties (preview)

+### Shared query syntax (preview)

+The `AuthorizationScopeFilter` parameter enables you to list Azure Policy assignments inherited from upper scopes. The `AuthorizationScopeFilter` parameter accepts the following values:

+- **AtScopeAndBelow** (default if not specified): Returns policy assignments for the given scope and all child scopes

+- **AtScopeAndAbove**: Returns policy assignments for the given scope and all parent scopes, but not child scopes

+- **AtScopeAboveAndBelow**: Returns policy assignments for the given scope, all parent scopes and all child scopes

+- **AtScopeExact**: Returns policy assignments only for the given scope; no parent or child scopes are included

+> [!NOTE]

+> To use the `AuthorizationScope` parameter, be sure to reference the **2021-06-01-preview** API version in your requests.

+Example: Get all policy assignments at the **myMG** management group and Tenant Root (parent) scopes.

+- REST API URI

+ ```http

+ POST https://management.azure.com/providers/Microsoft.ResourceGraph/resources?api-version=2021-06-01-preview

+ ```

+- Request Body Sample

+ ```json

+ {

+ "authorizationScopeFilter": "AtScopeAndAbove",

+ "query": "PolicyResources | where type =~ 'Microsoft.Authorization/PolicyAssignments'",

+ "managementGroups": ["myMG"]

+ }

+ ```

+Example: Get all policy assignments at the **mySubscriptionId** subscription, management group, and Tenant Root scopes.

+- REST API URI

+ ```http

+ POST https://management.azure.com/providers/Microsoft.ResourceGraph/resources?api-version=2021-06-01-preview

+ ```

+- Request Body Sample

+ ```json

+ {

+ "authorizationScopeFilter": "AtScopeAndAbove",

+ "query": "PolicyResources | where type =~ 'Microsoft.Authorization/PolicyAssignments'",

+ "subscriptions": ["mySubscriptionId"]

+ }

+ ```

+> [Guest Configuration for VMs](../../policy/concepts/guest-configuration.md). To view examples of how to query Guest Configuration resources in Resource Graph, view [Azure Resource Graph queries by category - Azure Policy Guest Configuration](../samples/samples-by-category.md#azure-policy-guest-configuration).

+> Resource configuration changes only supports changes to resource types from the [Resources table](..//reference/supported-tables-resources.md#resources) in Resource Graph. This does not yet include changes to the resource container resources, such as Subscriptions and Resource groups. Changes are queryable for fourteen days. For longer retention, you can [integrate your Resource Graph query with Azure Logic Apps](../tutorials/logic-app-calling-arg.md) and export query result to any of the Azure data stores (e.g., Log Analytics) for your desired retention.

+> [Extended properties (preview)](./concepts/query-language.md#extended-properties-preview).

+This query uses the [extended properties](../concepts/query-language.md#extended-properties-preview) on

+information, see [Shared query syntax](../concepts/query-language.md#shared-query-syntax-preview).

+* Communication inside the subnet must be unrestricted. If you use a network security group for the cache subnet, make sure that it permits all services between internal IP addresses.

+- More information about [service limits and quotas in Azure Load Testing](./resource-limits-quotas-capacity.md).

+ Title: Service limits

+description: 'Service limits used for capacity planning and configuring high-scale load tests in Azure Load Testing.'

+# Service limits in Azure Load Testing Preview

+This section lists basic quotas and limits for Azure Load Testing Preview.

+> [!IMPORTANT]

+> Azure Load Testing is currently in preview. For legal terms that apply to Azure features that are in beta, in preview, or otherwise not yet released into general availability, see the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+## Limits

+|Resource |Limit |

+|||

+|Maximum concurrent engine instances that can be utilized per region per subscription | 100 |

+|Maximum concurrent test runs per region per subscription | 25 |

+## Increase quotas

+You can increase the default limits and quotas by requesting the increase through an [Azure support request](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest).

+1. Select **create a support ticket**.

+1. Provide a summary of your issue.

+1. Select **Issue type** as *Technical*.

+1. Select your subscription. Then, select **Service Type** as *Azure Load Testing - Preview*.

+1. Select **Problem type** as *Test Execution*.

+1. Select **Problem subtype** as *Provisioning stalls or fails*.

+## Next steps

+- Learn how to [set up a high-scale load test](./how-to-high-scale-load.md).

+- Learn how to [configure automated performance testing](./tutorial-cicd-azure-pipelines.md).

+| Managed connector | Single-authentication: <br>- Azure Automation <br>- Azure Event Grid <br>- Azure Key Vault <br>- Azure Resource Manager <br>- HTTP with Azure AD <p>Multi-authentication: <br>- Azure Blob Storage <br>- Azure Event Hubs <br>- Azure Service Bus <br>- SQL Server |

+| Managed connector | Single-authentication: <br>- Azure Automation <br>- Azure Event Grid <br>- Azure Key Vault <br>- Azure Resource Manager <br>- HTTP with Azure AD <p>Multi-authentication: <br>- Azure Blob Storage <br>- Azure Event Hubs <br>- Azure Service Bus <br>- SQL Server |

+To automate creating and deploying logic app resources, you can use an [ARM template](logic-apps-azure-resource-manager-templates-overview.md). To enable the system-assigned managed identity for your logic app resource in the template, add the `identity` object and the `type` child property to the logic app's resource definition in the template, for example:

+To automate creating and deploying logic app resources, you can use an [ARM template](logic-apps-azure-resource-manager-templates-overview.md). These templates support [user-assigned identities for authentication](../active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-arm.md).

+When the template creates a logic app resource, the `identity` object includes the following properties:

+The next section discusses using a managed identity to authenticate access for a trigger or action. The example continues with the steps from an earlier section where you set up access for a managed identity using RBAC and doesn't use Azure Key Vault as the example. However, the general steps to use a managed identity for authentication are the same.

+ * **Managed connector operations that support managed identity authentication**

+ 1. On the tenant selection page, select **Connect with managed identity**, for example:

+ * **Managed connector operations that support managed identity authentication**

+ 1. On the tenant selection page, select **Connect with managed identity**, for example:

+| **Queries** | No | Any query parameters that you need or want to include in the request. For example, query parameters for a specific operation or for the API version of the operation that you want to run. |

+ For example, if you want to authenticate access to a [Key Vault resource in the global Azure cloud](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-key-vault), you must set the **Audience** property to *exactly* the following resource ID: `https://vault.azure.net`. This specific resource ID *doesn't* have any trailing slashes. In fact, including a trailing slash might produce either a `400 Bad Request` error or a `401 Unauthorized` error.

+ For example, if you want to authenticate access to a [Key Vault resource in the global Azure cloud](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-key-vault), you must set the **Audience** property to *exactly* the following resource ID: `https://vault.azure.net`. This specific resource ID *doesn't* have any trailing slashes. In fact, including a trailing slash might produce either a `400 Bad Request` error or a `401 Unauthorized` error.

+The Azure Resource Manager managed connector has an action named **Read a resource**, which can use the managed identity that you enable on your logic app resource. This example shows how to use the system-assigned managed identity.

+1. After you add the action to your workflow and select your Azure AD tenant, select **Connect with managed identity**.

+1. After you add the action to your workflow, on the action's **Create Connection** pane, select your Azure AD tenant, and then select **Connect with managed identity**.

+ }

+}

+ }

+}

+* The first `authentication` section maps to connection #1. This section describes the authentication used for communicating with the internal token store. In the past, this section was always set to `ManagedServiceIdentity` for an app that deploys to Azure and had no configurable options.

+* The second `authentication` section maps to connection #2. This section describes the authentication used for communicating with the target resource can vary, based on the authentication type that you select for that connection.

+> this problem, you need to recreate the connections so that they use the current object ID for the

+ * **Automated ML** steps you through creating a machine learning model without writing code.

+| South Central US | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |

+Azure Database for PostgreSQL Flexible server supports two high availability deployment models. One is zone-redundant HA and the other is same-zone HA. In both deployment models, when the application performs writes or commits, using PostgreSQL streaming replication, transaction logs (write-ahead logs a.k.a WAL) are written to the local disk and also replicated in *synchronous* mode to the standby replica. Once the logs are persisted on the standby replica, the application is acknowledged of the writes or commits. The standby server will be in recovery mode which keeps applying the logs, but the primary server doesn't wait for the apply to complete at the standby server.

+This high availability deployment enables Flexible server to be highly available across availability zones. You can choose the region, availability zones for the primary and standby servers. The standby replica server is provisioned in the chosen availability zone in the same region with similar compute, storage, and network configuration as the primary server. Data files and transaction log files (write-ahead logs a.k.a WAL) are stored on locally redundant storage (LRS) within each availability zone, which automatically stores **three** data copies. This provides physical isolation of the entire stack between primary and standby servers.

+## Components and workflow

+### Transaction completion

+Application transaction triggered writes and commits are first logged to the WAL on the primary server. It is then streamed to the standby server using Postgres streaming protocol. Once the logs are persisted on the standby server storage, the primary server is acknowledged of write completion. Only then and the application is confirmed of the writes. This additional round-trip adds more latency to your application. The percentage of impact depends on the application. This acknowledgement process does not wait for the logs to be applied at the standby server. The standby server is permanently in recovery mode until it is promoted.

+### Health check

+Flexible server has a health monitoring in place that checks for the primary and standby health periodically. If that detects primary server is not reachable after multiple pings, it makes the decision to initiate an automatic failover or not. The algorithm is based on multiple data points to avoid any false positive situation.

+### Failover modes

+There are two failover modes.

+ 1. With [**planned failovers**](#failover-processplanned-downtimes) (example: During maintenance window) where the failover is triggered with a known state in which the primary connections are drained, a clean shutdown is performed before the replication is severed. You can also use this to bring the primary server back to your preferred AZ.

+

+ 2. With [**unplanned failover**](#failover-processunplanned-downtimes) (example: Primary server node crash), the primary is immediately fenced and hence any in-flight transactions are lost and to be retried by the application.

+In both the failover modes, once the replication is severed, the standby server runs the recovery before being promoted as a primary, and opened for read/write. With automatic DNS entries updated with the new primary server endpoint, applications can connect to the server using the same server endpoint. A new standby server is established in the background and that donΓÇÖt block your application connectivity.

+### Downtime

+In all cases, you must observe any downtime from your application/client side. Your application will be able to reconnect after a failover as soon as the DNS is updated. We take care of a few more aspects including LSN comparisons between primary and standby before fencing the writes. But with unplanned failovers, the time taken for the standby can be longer than 2 minutes in some cases due to the volume of logs to recover before opening for read/write.

+This feature brings the primary server down and initiates the failover workflow in which the standby promote operation is performed. Once the standby completes the recovery process till the last committed data, it is promoted to be the primary server. DNS records are updated and your application can connect to the promoted primary server. Your application can continue to write to the primary while a new standby server is established in the background and that doesn't impact the uptime.

+* Planned events such as scale compute and scale storage happens in the standby first and then on the primary server. Currently the server doesn't fail over for these planned operations.

+ Zone-redundant HA is available in regions that support multiple AZs in the region. For the latest region support, please see [this documentation](overview.md#azure-regions). We are continuously adding more regions and enabling multiple AZs. Same-zone HA is available in all supported regions.

+2. In case Azure CLI is already installed, check the version by issuing **az version** command. The version should be **2.28.0 or above** to use the migration CLI commands. If not, update your Azure CLI using this [link](/cli/azure/update-azure-cli).

+3. Once you have the right Azure CLI version, run the **az login** command. A browser page is opened with Azure sign-in page to authenticate. Provide your Azure credentials to do a successful authentication. For other ways to sign with Azure CLI, visit this [link](/cli/azure/authenticate-azure-cli).

+| <li> [Threat protection for Cosmos DB](../../defender-for-cloud/other-threat-protections.md#threat-protection-for-azure-cosmos-db) | GA | Not Available |

+> [!NOTE]

+> The **Status** for Azure DDoS Protection Data Connector changes to **Connected** only when the protected resources are under a DDoS attack.

+| <a name="dvcaction"></a>**DvcAction** | Recommended | Enumerated | The action taken on the network session. Supported values are:<br>- `Allow`<br>- `Deny`<br>- `Drop`<br>- `Drop ICMP`<br>- `Reset`<br>- `Reset Source`<br>- `Reset Destination`<br>- `Encrypt`<br>- `Decrypt`<br>- `VPNroute`<br><br>**Note**: The value might be provided in the source record by using different terms, which should be normalized to these values. The original value should be stored in the [DvcOriginalAction](normalization-common-fields.md#dvcoriginalaction) field.<br><br>Example: `drop` |

+| <a name="dvcaction"></a>**DvcAction** | Recommended | String | For reporting security systems, the action taken by the system, if applicable. <br><br>Example: `Blocked` |

+| **Blast radius**<br>*(BlastRadius)* | The blast radius is calculated based on several factors: the position of the user in the org tree, and the user's Azure Active Directory roles and permissions. User must have *Manager* property populated in Azure Active Directory for *BlastRadius* to be calculated. | Low, Medium, High |

+The Web Session normalization schema represents any HTTP network session, and is suitable to provide support for common source types, including:

+| **srcipaddr_has_any_prefix** | dynamic | Filter only Web sessions for which the [source IP address field](network-normalization-schema.md#srcipaddr) prefix is in one of the listed values. The list of values can include IP addresses and IP address prefixes. Prefixes should end with a `.`, for example: `10.0.`. The length of the list is limited to 10,000 items.|

+| **url_has_any** | dynamic | Filter only Web sessions for which the [URL field](#url) has any of the values listed. The parser may ignore the schema of the URL passed as a parameter, if the source does not report it. If specified, and the session is not a web session, no result will be returned. The length of the list is limited to 10,000 items.|

+| **EventResult** | Mandatory | Enumerated | Describes the event result, normalized to one of the following values: <br> - `Success` <br> - `Partial` <br> - `Failure` <br> - `NA` (not applicable) <br><br>For an HTTP session, `Success` is defined as a status code lower than `400`, and `Failure` is defined as a status code higher than `400`. For a list of HTTP status codes, refer to [W3 Org](https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html).<br><br>The source may provide only a value for the [EventResultDetails](#eventresultdetails) field, which must be analyzed to get the **EventResult** value. |

+Web Session events are commonly reported by intermediate devices that terminate the HTTP connection from the client and initiate a new connection, acting as a proxy, with the server. To represent the intermediate device, use the [ASIM Network Session schema](network-normalization-schema.md) [Intermediary device fields](network-normalization-schema.md#Intermediary)

+| <a name="httpcontenttype"></a>**HttpContentType** | Optional | String | The HTTP Response content type header. <br><br>**Note**: The **HttpContentType** field may include both the content format and extra parameters, such as the encoding used to get the actual format.<br><br> Example: `text/html; charset=ISO-8859-4` |

+The Web Session schema relies on the Network Session schema. Therefore, [Network Session schema updates](network-normalization-schema.md#schema-updates) apply to the Web Session schema as well. The WebSession schema version has been updated to reflect this dependancy.

+## AMQP disposition and Service Bus operation mapping

+Here's how an AMQP disposition translates to a Service Bus operation:

+```Output

+ACCEPTED = 1; -> Complete()

+REJECTED = 2; -> DeadLetter()

+RELEASED = 3; (just unlock the message in service bus, will then get redelivered)

+MODIFIED_FAILED = 4; -> Abandon() which increases delivery count

+MODIFIED_FAILED_UNDELIVERABLE = 5; -> Defer()

+```

+Runtime audit logs capture aggregated diagnostic information for various data plane access operations (such as send or receive messages) in Service Bus.

+When you create a Service Bus namespace, a policy rule named **RootManageSharedAccessKey** is automatically created for the namespace. This policy has Manage permissions for the entire namespace. It's recommended that you treat this rule like an administrative **root** account and don't use it in your application. You can create more policy rules in the **Configure** tab for the namespace in the portal, via PowerShell or Azure CLI.

+It is recommended that you periodically regenerate the keys used in the [SharedAccessAuthorizationRule](/dotnet/api/microsoft.servicebus.messaging.sharedaccessauthorizationrule) object. The primary and secondary key slots exist so that you can rotate keys gradually. If your application generally uses the primary key, you can copy the primary key into the secondary key slot, and only then regenerate the primary key. The new primary key value can then be configured into the client applications, which have continued access using the old primary key in the secondary slot. Once all clients are updated, you can regenerate the secondary key to finally retire the old primary key.

+If you know or suspect that a key is compromised and you have to revoke the keys, you can regenerate both the [PrimaryKey](/dotnet/api/microsoft.servicebus.messaging.sharedaccessauthorizationrule) and the [SecondaryKey](/dotnet/api/microsoft.servicebus.messaging.sharedaccessauthorizationrule) of a [SharedAccessAuthorizationRule](/dotnet/api/microsoft.servicebus.messaging.sharedaccessauthorizationrule), replacing them with new keys. This procedure invalidates all tokens signed with the old keys.

+ Title: Integrate Azure Web PubSub with service connector

+description: Integrate Azure Web PubSub into your application with Service Connector

+# Integrate Azure Web PubSub with service connector

+This page shows all the supported compute services, clients, and authentication types to connect services to Azure Web PubSub instances, using Service Connector. This page also shows the default environment variable names and application properties needed to create service connections. You might still be able to connect to an Azure Web PubSub instance using other programming languages, without using Service Connector. Learn more about the [service connector environment variable naming conventions](concept-service-connector-internals.md).

+## Supported compute services

+- Azure App Service

+- Azure Container Apps

+- Azure Spring Cloud

+## Supported authentication types and clients

+| Client type | System-assigned managed identity | User-assigned managed identity | Secret/connection string | Service principal |

+|-|::|::|::|::|

+| .NET |  |  |  |  |

+| Java |  |  |  |  |

+| Node.js |  |  |  |  |

+| Python |  |  |  |  |

+## Default environment variable names or application properties

+Use the environment variable names and application properties listed below to connect an Azure service to Web PubSub using .NET, Java, Node.js, or Python. For each example below, replace the placeholder texts `<name>`, `<client-id>`, `<client-secret`, `<access-key>`, and `<tenant-id>` with your resource name, client ID, client secret, access-key, and tenant ID.

+### System-assigned managed identity

+| Default environment variable name | Description | Sample value |

+| | | - |

+| AZURE_WEBPUBSUB_HOST | Azure Web PubSub host | `<name>.webpubsub.azure.com` |

+### User-assigned managed identity

+| Default environment variable name | Description | Sample value |

+| | | |

+| AZURE_WEBPUBSUB_HOST | Azure Web PubSub host | `<name>.webpubsub.azure.com` |

+| AZURE_WEBPUBSUB_CLIENTID | Azure Web PubSub client ID | `<client-id>` |

+### Secret/connection string

+> [!div class="mx-tdBreakAll"]

+> | Default environment variable name | Description | Sample value |

+> | | --| -|

+> | AZURE_WEBPUBSUB_CONNECTIONSTRING | Azure Web PubSub connection string | `Endpoint=https://<name>.webpubsub.azure.com;AccessKey=<access-key>;Version=1.0;` |

+### Service principal

+| Default environment variable name | Description | Sample value |

+| | -| --|

+| AZURE_WEBPUBSUB_HOST | Azure Web PubSub host | `<name>.webpubsub.azure.com` |

+| AZURE_WEBPUBSUB_CLIENTID | Azure Web PubSub client ID | `<client-id>` |

+| AZURE_WEBPUBSUB_CLIENTSECRET | Azure Web PubSub client secret | `<client-secret>` |

+| AZURE_WEBPUBSUB_TENANTID | Azure Web PubSub tenant ID | `<tenant-id>` |

+## Next steps

+Read the article listed below to learn more about Service Connector.

+> [!div class="nextstepaction"]

+> [Learn about Service Connector concepts](./concept-service-connector-internals.md)

+| Custom format for location | No | Yes, using wildcards like `/year=*/month=*/day=*` |

+| Recursive folder scan | Yes | Only in serverless SQL pools when specified `/**` at the end of the location path |

+See the [CETAS](develop-tables-cetas.md) article for how to save query results to an external table in Azure Storage. Or you can start querying [Apache Spark for Azure Synapse external tables](develop-storage-files-spark-tables.md).

+## Apr 2022 update

+The following updates are new to Azure Synapse Analytics this month.

+### SQL

+* Cross-subscription restore for Azure Synapse SQL is now generally available. Previously, it took many undocumented steps to restore a dedicated SQL pool to another subscription. Now, with the PowerShell Az.Sql module 3.8 update, the Restore-AzSqlDatabase cmdlet can be used for cross-subscription restore. To learn more, see [Restore a dedicated SQL pool (formerly SQL DW) to a different subscription](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-april-update-2022/ba-p/3280185).

+* It is now possible to recover a SQL pool from a dropped server or workspace. With the PowerShell Restore cmdlets in Az.Sql and Az.Synapse modules, you can now restore from a deleted server or workspace without filing a support ticket. For more information, read [Synapse workspace SQL pools](./backuprestore/restore-sql-pool-from-deleted-workspace.md) or [standalone SQL pools (formerly SQL DW)](./sql-data-warehouse/sql-data-warehouse-restore-from-deleted-server.md), depending on your scenario.

+### Synapse database templates and database designer

+* Based on popular customer feedback, we've made significant improvements to our exploration experience when creating a lake database using an industry template. To learn more, read [Quickstart: Create a new Lake database leveraging database templates](./database-designer/quick-start-create-lake-database.md).

+* We've added the option to clone a lake database. This unlocks additional opportunities to manage new versions of databases or support schemas that evolve in discrete steps. You can quickly clone a database using the action menu available on the lake database. To learn more, read [How-to: Clone a lake database](./database-designer/clone-lake-database.md).

+* You can now use wildcards to specify custom folder hierarchies. Lake databases sit on top of data that is in the lake and this data can live in nested folders that donΓÇÖt fit into clean partition patterns. Previously, querying lake databases required that your data exists in a simple directory structure that you could browse using the folder icon without the ability to manually specify directory structure or use wildcard characters. To learn more, read [How-to: Modify a datalake](./database-designer/modify-lake-database.md).

+### Apache Spark for Synapse

+* We are excited to announce the preview availability of Apache SparkΓäó 3.2 on Synapse Analytics. This new version incorporates user-requested enhancements and resolves 1,700+ Jira tickets. Please review the [official release notes](https://spark.apache.org/releases/spark-release-3-2-0.html) for the complete list of fixes and features and review the [migration guidelines between Spark 3.1 and 3.2](https://spark.apache.org/docs/latest/sql-migration-guide.html#upgrading-from-spark-sql-31-to-32) to assess potential changes to your applications. For more details, read [Apache Spark version support and Azure Synapse Runtime for Apache Spark 3.2](./spark/apache-spark-version-support.md).

+* Assigning parameters dynamically based on variables, metadata, or specifying Pipeline specific parameters has been one of your top feature requests. Now, with the release of parameterization for the Spark job definition activity, you can do just that. For more details, read [Transform data using Apache Spark job definition](quickstart-transform-data-using-spark-job-definition.md#settings-tab).

+* We often receive customer requests to access the snapshot of the Notebook when there is a Pipeline Notebook run failure or there is a long-running Notebook job. With the release of the Synapse Notebook snapshot feature, you can now view the snapshot of the Notebook activity run with the original Notebook code, the cell output, and the input parameters. You can also access the snapshot of the referenced Notebook from the referencing Notebook cell output if you refer to other Notebooks through Spark utils. To learn more, read [Transform data by running a Synapse notebook](synapse-notebook-activity.md?tabs=classical#see-notebook-activity-run-history) and [Introduction to Microsoft Spark utilities](./spark/microsoft-spark-utilities.md?pivots=programming-language-scala#reference-a-notebook-1).

+### Security

+* The Synapse Monitoring Operator RBAC role is now generally available. Since the GA of Synapse, customers have asked for a fine-grained RBAC (role-based access control) role that allows a user persona to monitor the execution of Synapse Pipelines and Spark applications without having the ability to run or cancel the execution of these applications. Now, customers can assign the Synapse Monitoring Operator role to such monitoring personas. This allows organizations to stay compliant while having flexibility in the delegation of tasks to individuals or teams. Learn more by reading [Synapse RBAC Roles](security/synapse-workspace-synapse-rbac-roles.md).

+### Data integration

+* Microsoft has added Dataverse as a source and sink connector to Synapse Data Flows so that you can now build low-code data transformation ETL jobs in Synapse directly accessing your Dataverse environment. For more details on how to use this new connector, read [Mapping data flow properties](../data-factory/connector-dynamics-crm-office-365.md#mapping-data-flow-properties).

+* We heard from you that a 1-minute timeout for Web activity was not long enough, especially in cases of synchronous APIs. Now, with the response timeout property 'httpRequestTimeout', you can define timeout for the HTTP request up to 10 minutes. Learn more by reading [Web activity response timeout improvements](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/web-activity-response-timeout-improvement/ba-p/3260307).

+

+### Developer experience

+* Previously, if you wanted to reference a notebook in another notebook, you could only reference published or committed content. Now, when using %run notebooks, you can enable ΓÇÿunpublished notebook referenceΓÇÖ which will allow you to reference unpublished notebooks. When enabled, notebook run will fetch the current contents in the notebook web cache, meaning the changes in your notebook editor can be referenced immediately by other notebooks without having to be published (Live mode) or committed (Git mode). To learn more, read [Reference unpublished notebook](spark/apache-spark-development-using-notebooks.md#reference-unpublished-notebook).

+## General

+**Get connected with the new Azure Synapse Influencer program!** [Join a community of Azure Synapse Influencers](https://aka.ms/synapseinfluencers) who are helping each other achieve more with cloud analytics! The Azure Synapse Influencer program recognizes Azure Synapse Analytics users and advocates who actively support the community by sharing Synapse-related content, announcements, and product news via social media.

+* **Data Warehouse Migration guide for Dedicated SQL Pools in Azure Synapse Analytics** - With the benefits that cloud migration offers, we hear that you often look for steps, processes, or guidelines to follow for quick and easy migrations from existing data warehouse environments. We just released a set of [Data Warehouse migration guides](/azure/synapse-analytics/migration-guides/) to make your transition to dedicated SQL Pools in Azure Synapse Analytics easier.

+* **Automatic character column length calculation** - It's no longer necessary to define character column lengths! Serverless SQL pools let you query files in the data lake without knowing the schema upfront. The best practice was to specify the lengths of character columns to get optimal performance. Not anymore! With this new feature, you can get optimal query performance without having to define the schema. The serverless SQL pool will calculate the average column length for each inferred character column or character column defined as larger than 100 bytes. The schema will stay the same, while the serverless SQL pool will use the calculated average column lengths internally. It will also automatically calculate the cardinality estimation in case there was no previously created statistic.

+## Apache Spark for Synapse

+* **Azure Synapse Dedicated SQL Pool Connector for Apache Spark Now Available in Python** - Previously, the Azure Synapse Dedicated SQL Pool connector was only available using Scala. Now, it can be used with Python on Spark 3. The only difference between the Scala and Python implementations is the optional Scala callback handle, which allows you to receive post-write metrics.

+ The following are now supported in Python on Spark 3:

+ * Read using Azure Active Directory (AD) Authentication or Basic Authentication

+ * Write to Internal Table using Azure AD Authentication or Basic Authentication

+ * Write to External Table using Azure AD Authentication or Basic Authentication

+ To learn more about the connector in Python, read [Azure Synapse Dedicated SQL Pool Connector for Apache Spark](./spark/synapse-spark-sql-pool-import-export.md).

+* **Manage Azure Synapse Apache Spark configuration** - Apache Spark configuration management is always a challenging task because Spark has hundreds of properties. It is also challenging for you to know the optimal value for Spark configurations. With the new Spark configuration management feature, you can create a standalone Spark configuration artifact with auto-suggestions and built-in validation rules. The Spark configuration artifact allows you to share your Spark configuration within and across Azure Synapse workspaces. You can also easily associate your Spark configuration with a Spark pool, a Notebook, and a Spark job definition for reuse and minimize the need to copy the Spark configuration in multiple places. To learn more about the new Spark configuration management feature, read [Manage Apache Spark configuration](./spark/apache-spark-azure-create-spark-configuration.md).

+## Synapse Data Explorer

+* **Synapse Data Explorer live query in Excel** - Using the new Data Explorer web experience Open in Excel feature, you can now provide access to live results of your query by sharing the connected Excel Workbook with colleagues and team members.  You can open the live query in an Excel Workbook and refresh it directly from Excel to get the most up to date query results. To learn more about Excel live query, read [Open live query in Excel](https://techcommunity.microsoft.com/t5/azure-data-explorer-blog/open-live-kusto-query-in-excel/ba-p/3198500).

+* **Use Managed Identities for External SQL Server Tables** - One of the key benefits of Azure Synapse is the ability to bring together data integration, enterprise data warehousing, and big data analytics. With Managed Identity support, Synapse Data Explorer table definition is now simpler and more secure. You can now use managed identities instead of entering in your credentials.

+

+ An external SQL table is a schema entity that references data stored outside the Synapse Data Explorer database. Using the Create and alter SQL Server external tables command, External SQL tables can easily be added to the Synapse Data Explorer database schema.

+ To learn more about managed identities, read [Managed identities overview](/azure/data-explorer/managed-identities-overview).

+ To learn more about external tables, read [Create and alter SQL Server external tables](/azure/data-explorer/kusto/management/external-sql-tables).

+* **New KQL Learn module (2 out of 3) is live!** - The power of Kusto Query Language (KQL) is its simplicity to query structured, semi-structured, and unstructured data together. To make it easier for you to learn KQL, we are releasing Learn modules. Previously, we released [Write your first query with Kusto Query Language](/learn/modules/write-first-query-kusto-query-language/). New this month is [Gain insights from your data by using Kusto Query Language](/learn/modules/gain-insights-data-kusto-query-language/).

+ KQL is the query language used to query Synapse Data Explorer big data. KQL has a fast-growing user community, with hundreds of thousands of developers, data engineers, data analysts, and students.

+ Check out the newest [KQL Learn Model](/learn/modules/gain-insights-data-kusto-query-language/) and see for yourself how easy it is to become a KQL master.

+ To learn more about KQL, read [Kusto Query Language (KQL) overview](/azure/data-explorer/kusto/query/).

+* **Azure Synapse Data Explorer connector for Microsoft Power Automate, Logic Apps, and Power Apps [Generally Available]** - The Azure Data Explorer connector for Power Automate enables you to orchestrate and schedule flows, send notifications, and alerts, as part of a scheduled or triggered task. To learn more, read [Azure Data Explorer connector for Microsoft Power Automate](/azure/data-explorer/flow) and [Usage examples for Azure Data Explorer connector to Power Automate](/azure/data-explorer/flow-usage).

+* **Dynamic events routing from event hub to multiple databases** - Routing events from Event Hub/IOT Hub/Event Grid is an activity commonly performed by Azure Data Explorer (ADX) users. Previously, you could route events only to a single database per defined connection. If you wanted to route the events to multiple databases, you needed to create multiple ADX cluster connections.

+ To simplify the experience, we now support routing events data to multiple databases hosted in a single ADX cluster. To learn more about dynamic routing, read [Ingest from event hub](/azure/data-explorer/ingest-data-event-hub-overview#events-routing).

+* **Configure a database using a KQL inline script as part of JSON ARM deployment template** - Previously, Azure Data Explorer supported running a Kusto Query Language (KQL) script to configure your database during Azure Resource Management (ARM) template deployment. Now, this can be done using an inline script provided inline as a parameter to a JSON ARM template. To learn more about using a KQL inline script, read [Configure a database using a Kusto Query Language script](/azure/data-explorer/database-script).

+## Data Integration

+* **Export pipeline monitoring as a CSV** - The ability to export pipeline monitoring to CSV has been added after receiving many community requests for the feature. Simply filter the Pipeline runs screen to the data you want and click ΓÇÿExport to CSVΓÇÖ. To learn more about exporting pipeline monitoring and other monitoring improvements, read [Azure Data Factory monitoring improvements](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/adf-monitoring-improvements/ba-p/3295531).

+* **Incremental data loading made easy for Synapse and Azure Database for PostgreSQL and MySQL** - In a data integration solution, incrementally loading data after an initial full data load is a widely used scenario. Automatic incremental source data loading is now natively available for Synapse SQL and Azure Database for PostgreSQL and MySQL. With a simple click, users can ΓÇ£enable incremental extractΓÇ¥ and only inserted or updated rows will be read by the pipeline. To learn more about incremental data loading, read [Incrementally copy data from a source data store to a destination data store](../data-factory/tutorial-incremental-copy-overview.md).

+* **User-Defined Functions for Mapping Data Flows [Public Preview]** - We hear you that you can find yourself doing the same string manipulation, math calculations, or other complex logic several times. Now, with the new user-defined function feature, you can create customized expressions that can be reused across multiple mapping data flows. User-defined functions will be grouped in libraries to help developers group common sets of functions. Once youΓÇÖve created a data flow library, you can add in your user-defined functions. You can even add in multiple arguments to make your function more reusable. To learn more about user-defined functions, read [User defined functions in mapping data flows](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/introducing-user-defined-functions-preview-for-mapping-data/ba-p/3414628).

+* **Assert Error Handling** - Error handling has now been added to sinks following an assert transformation. Assert transformations enable you to build custom rules for data quality and data validation. You can now choose whether to output the failed rows to the selected sink or to a separate file. To learn more about error handling, read [Assert data transformation in mapping data flow](../data-factory/data-flow-assert.md).

+* **Mapping data flows projection editing** - New UI updates have been made to source projection editing in mapping data flows. You can now update source projection column names and column types with the click of a button. To learn more about source projection editing, read [Source transformation in mapping data flow](../data-factory/data-flow-source.md).

+## Synapse Link

+**Azure Synapse Link for SQL [Public Preview]** - At Microsoft Build 2022, we announced the Public Preview availability of Azure Synapse Link for SQL, for both SQL Server 2022 and Azure SQL Database. Data-driven, quality insights are critical for companies to stay competitive. The speed to achieve those insights can make all the difference. The costly and time-consuming nature of traditional ETL and ELT pipelines is no longer enough. With this release, you can now take advantage of low- and no-code, near real-time data replication from your SQL-based operational stores into Azure Synapse Analytics. This makes it easier to run BI reporting on operational data in near real-time, with minimal impact on your operational store. To learn more, read [Announcing the Public Preview of Azure Synapse Link for SQL](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/announcing-the-public-preview-of-azure-synapse-link-for-sql/ba-p/3372986) and watch our YouTube video.

+> [!VIDEO https://www.youtube.com/embed/pgusZy34-Ek]

+[Get started with Azure Synapse Analytics](get-started.md)

+>To successfully install the Azure Virtual Desktop agent, side-by-side stack, and Geneva Monitoring agent, you must unblock all the URLs listed in the [Required URL list](safe-url-list.md#session-host-virtual-machines). Unblocking these URLs is required to use the Azure Virtual Desktop service.

+- To schedule agent updates, see the [Scheduled Agent Updates (preview) document](scheduled-agent-updates.md).

+ Title: Use the Required URL Check tool for Azure Virtual Desktop

+description: The Required URL Check tool enables you to check your session host virtual machines can access the required URLs to ensure Azure Virtual Desktop works as intended.

+# Required URL Check tool

+In order to deploy and make Azure Virtual Desktop available to your users, you must allow specific URLs that your session host virtual machines (VMs) can access them anytime. You can find the list of URLs in [Required URL list](safe-url-list.md). The Required URL Check tool will validate these URLs and show whether your session host VMs can access them. If not, then the tool will list the inaccessible URLs so you can unblock them and then retest, if needed.

+> [!NOTE]

+> - You can only use the Required URL Check tool for deployments in the Azure public cloud, it does not check access for sovereign clouds.

+> - The Required URL Check tool can't verify URLs that wildcard entries are unblocked, only specific entries within those wildcards, so make sure the wildcard entries are unblocked first.

+## Prerequisites

+You need the following things to use the Required URL Check tool:

+- Your session host VM must have a .NET 4.6.2 framework

+- RDAgent version 1.0.2944.400 or higher

+- The `WVDAgentUrlTool.exe` file must be in the same folder as the `WVDAgentUrlTool.config` file

+## Use the Required URL Check tool

+To use the Required URL Check tool:

+1. Open a command prompt as an administrator on one of your session host VMs.

+1. Run the following command to change the directory to the same folder as the current build agent (RDAgent_1.0.2944.1200 in this example):

+ ```console

+ cd "C:\Program Files\Microsoft RDInfra\RDAgent_1.0.2944.1200"

+ ```

+1. Run the following command:

+ ```console

+ WVDAgentUrlTool.exe

+ ```

+

+1. Once you run the file, you'll see a list of accessible and inaccessible URLs.

+ For example, the following screenshot shows a scenario where you'd need to unblock two required non-wildcard URLs:

+ > [!div class="mx-imgBorder"]

+ > 

+

+ Here's what the output should look like once you've unblocked all required non-wildcard URLs:

+ > [!div class="mx-imgBorder"]

+ > 

+1. You can repeat these steps on your other session host VMs, particularly if they are in a different Azure region or use a different virtual network.

+ Title: Required URLs for Azure Virtual Desktop

+# Required URLs for Azure Virtual Desktop

+In order to deploy and make Azure Virtual Desktop available to your users, you must allow specific URLs that your session host virtual machines (VMs) can access them anytime. Users also need to be able to connect to certain URLs to access their Azure Virtual Desktop resources. This article lists the required URLs you need to allow for your session hosts and users. Azure Virtual Desktop doesn't support deployments that block the URLs listed in this article.

+You can validate that your session host VMs can connect to these URLs by following the steps to run the [Required URL Check tool](required-url-check-tool.md). The Required URL Check tool will validate each URL and show whether your session host VMs can access them. You can only use for deployments in the Azure public cloud, it does not check access for sovereign clouds.

+## Session host virtual machines

+Below is the list of URLs your session host VMs need to access for Azure Virtual Desktop. Select the relevant tab based on which cloud you're using.

+# [Azure cloud](#tab/azure)

+| Address | Outbound TCP port | Purpose | Service Tag |

+|||||

+| `*.wvd.microsoft.com` | 443 | Service traffic | WindowsVirtualDesktop |

+| `*.prod.warm.ingest.monitor.core.windows.net` | 443 | Agent traffic | AzureMonitor |

+| `catalogartifact.azureedge.net` | 443 | Azure Marketplace | AzureFrontDoor.Frontend |

+| `kms.core.windows.net` | 1688 | Windows activation | Internet |

+| `mrsglobalsteus2prod.blob.core.windows.net` | 443 | Agent and SXS stack updates | AzureCloud |

+| `wvdportalstorageblob.blob.core.windows.net` | 443 | Azure portal support | AzureCloud |

+| `169.254.169.254` | 80 | [Azure Instance Metadata service endpoint](../virtual-machines/windows/instance-metadata-service.md) | N/A |

+| `168.63.129.16` | 80 | [Session host health monitoring](../virtual-network/network-security-groups-overview.md#azure-platform-considerations) | N/A |

+| `oneocsp.microsoft.com` | 80 | Certificates | N/A |

+| `www.microsoft.com` | 80 | Certificates | N/A |

+> [!IMPORTANT]

+> We have finished transitioning the URLs we use for Agent traffic. We no longer support the URLs below. To avoid your session host VMs from showing *Needs Assistance* related to this, please allow `\*.prod.warm.ingest.monitor.core.windows.net` if you have not already. Please remove these URLs if you have previously explicitly allowed them:

+>

+> | Address | Outbound TCP port | Purpose | Service Tag |

+> |--|--|--|--|

+> | `gcs.prod.monitoring.core.windows.net` | 443 | Agent traffic | AzureCloud |

+> | `production.diagnostics.monitoring.core.windows.net` | 443 | Agent traffic | AzureCloud |

+> | `*xt.blob.core.windows.net` | 443 | Agent traffic | AzureCloud |

+> | `*eh.servicebus.windows.net` | 443 | Agent traffic | AzureCloud |

+> | `*xt.table.core.windows.net` | 443 | Agent traffic | AzureCloud |

+> | `*xt.queue.core.windows.net` | 443 | Agent traffic | AzureCloud |

+The following table lists optional URLs that your session host virtual machines might also need to access for other

+| Address | Outbound TCP port | Purpose |

+|--|--|--|

+| `login.microsoftonline.com` | 443 | Authentication to Microsoft Online Services |

+| `login.windows.net` | 443 | Sign in to Microsoft Online Services and Microsoft 365 |

+| `*.events.data.microsoft.com` | 443 | Telemetry Service |

+| `www.msftconnecttest.com` | 443 | Detects if the OS is connected to the internet |

+| `*.prod.do.dsp.mp.microsoft.com` | 443 | Windows Update |

+| `*.sfx.ms` | 443 | Updates for OneDrive client software |

+| `*.digicert.com` | 443 | Certificate revocation check |

+| `*.azure-dns.com` | 443 | Azure DNS resolution |

+| `*.azure-dns.net` | 443 | Azure DNS resolution |

+# [Azure for US Government](#tab/azure-for-us-government)

+| Address | Outbound TCP port | Purpose | Service Tag |

+|--|--|--|--|

+| `*.wvd.azure.us` | 443 | Service traffic | WindowsVirtualDesktop |

+| `*.prod.warm.ingest.monitor.core.usgovcloudapi.net` | 443 | Agent traffic | AzureMonitor |

+| `kms.core.usgovcloudapi.net` | 1688 | Windows activation | Internet |

+| `mrsglobalstugviffx.blob.core.usgovcloudapi.net` | 443 | Agent and SXS stack updates | AzureCloud |

+| `wvdportalstorageblob.blob.core.usgovcloudapi.net` | 443 | Azure portal support | AzureCloud |

+| `169.254.169.254` | 80 | [Azure Instance Metadata service endpoint](../virtual-machines/windows/instance-metadata-service.md) | N/A |

+| `168.63.129.16` | 80 | [Session host health monitoring](../virtual-network/network-security-groups-overview.md#azure-platform-considerations) | N/A |

+| `ocsp.msocsp.com` | 80 | Certificates | N/A |

+> [!IMPORTANT]

+> We have finished transitioning the URLs we use for Agent traffic. We no longer support the URLs below. To avoid your session host VMs from showing *Needs Assistance* related to this, please allow `\*.prod.warm.ingest.monitor.core.usgovcloudapi.net`, if you have not already. Please remove these URLs if you have previously explicitly allowed them:

+>

+> | Address | Outbound TCP port | Purpose | Service Tag |

+> |--|--|--|--|

+> | `gcs.monitoring.core.usgovcloudapi.net` | 443 | Agent traffic | AzureCloud |

+> | `monitoring.core.usgovcloudapi.net` | 443 | Agent traffic | AzureCloud |

+> | `fairfax.warmpath.usgovcloudapi.net` | 443 | Agent traffic | AzureCloud |

+> | `*xt.blob.core.usgovcloudapi.net` | 443 | Agent traffic | AzureCloud |

+> | `*.servicebus.usgovcloudapi.net` | 443 | Agent traffic | AzureCloud |

+> | `*xt.table.core.usgovcloudapi.net` | 443 | Agent traffic | AzureCloud |

+The following table lists optional URLs that your session host virtual machines might also need to access for other

+| Address | Outbound TCP port | Purpose |

+|--|--|--|

+| `login.microsoftonline.us` | 443 | Authentication to Microsoft Online Services and Microsoft 365 |

+| `*.events.data.microsoft.com` | 443 | Telemetry Service |

+| `www.msftconnecttest.com` | 443 | Detects if the OS is connected to the internet |

+| `*.prod.do.dsp.mp.microsoft.com` | 443 | Windows Update |

+| `oneclient.sfx.ms` | 443 | Updates for OneDrive client software |

+| `*.digicert.com` | 443 | Certificate revocation check |

+| `*.azure-dns.com` | 443 | Azure DNS resolution |

+| `*.azure-dns.net` | 443 | Azure DNS resolution |

+> [!TIP]

+> You must use the wildcard character (\*) for URLs involving service traffic. If you prefer not to use this for agent-related traffic, here's how to find those specific URLs to use without specifying wildcards:

+>

+> 1. Ensure your session host virtual machines are registered to a host pool.

+> 1. Open **Event viewer**, then go to **Windows logs** > **Application** > **WVD-Agent** and look for event ID **3701**.

+> 1. Unblock the URLs that you find under event ID 3701. The URLs under event ID 3701 are region-specific. You'll need to repeat this process with the relevant URLs for each Azure region you want to deploy your session host virtual machines in.

+This list doesn't include URLs for other services like Azure Active Directory or Office 365. Azure Active Directory URLs can be found under ID 56, 59 and 125 in [Office 365 URLs and IP address ranges](/office365/enterprise/urls-and-ip-address-ranges#microsoft-365-common-and-office-online).

+### Service tags and FQDN tags

+A [virtual network service tag](../virtual-network/service-tags-overview.md) represents a group of IP address prefixes from a given Azure service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change, minimizing the complexity of frequent updates to network security rules. Service tags can be used in both Network Security Group ([NSG](../virtual-network/network-security-groups-overview.md)) and [Azure Firewall](../firewall/service-tags.md) rules to restrict outbound network access. Service tags can be also used in User Defined Route ([UDR](../virtual-network/virtual-networks-udr-overview.md#user-defined)) to customize traffic routing behavior.

+Azure Firewall supports Azure Virtual Desktop as a [FQDN tag](../firewall/fqdn-tags.md). For more information, see [Use Azure Firewall to protect Azure Virtual Desktop deployments](../firewall/protect-azure-virtual-desktop.md).

+We recommend you use FQDN tags or service tags instead of URLs to prevent service issues. The listed URLs and tags only correspond to Azure Virtual Desktop sites and resources. They don't include URLs for other services like Azure Active Directory. For other services, see [Available service tags](../virtual-network/service-tags-overview.md#available-service-tags).

+Azure Virtual Desktop currently doesn't have a list of IP address ranges that you can unblock to allow network traffic. We only support unblocking specific URLs. If you're using a Next Generation Firewall (NGFW), you'll need to use a dynamic list specifically made for Azure IPs to make sure you can connect.

+## Remote Desktop clients

+Any [Remote Desktop clients](user-documentation/connect-windows-7-10.md?toc=%2Fazure%2Fvirtual-desktop%2Ftoc.json&bc=%2Fazure%2Fvirtual-desktop%2Fbreadcrumb%2Ftoc.json) you use to connect to Azure Virtual Desktop must have access to the URLs below. Select the relevant tab based on which cloud you're using. Opening these URLs is essential for a reliable client experience. Blocking access to these URLs is unsupported and will affect service functionality.

+# [Azure cloud](#tab/azure)

+| Address | Outbound TCP port | Purpose | Client(s) |

+|--|--|--|--|

+| `\*.wvd.microsoft.com` | 443 | Service traffic | All |

+| `\*.servicebus.windows.net` | 443 | Troubleshooting data | All |

+| `go.microsoft.com` | 443 | Microsoft FWLinks | All |

+| `aka.ms` | 443 | Microsoft URL shortener | All |

+| `docs.microsoft.com` | 443 | Documentation | All |

+| `privacy.microsoft.com` | 443 | Privacy statement | All |

+| `query.prod.cms.rt.microsoft.com` | 443 | Client updates | Windows Desktop |

+# [Azure for US Government](#tab/azure-for-us-government)

+| Address | Outbound TCP port | Purpose | Client(s) |

+|--|--|--|--|

+| `\*.wvd.microsoft.us` | 443 | Service traffic | All |

+| `\*.servicebus.usgovcloudapi.net` | 443 | Troubleshooting data | All |

+| `go.microsoft.com` | 443 | Microsoft FWLinks | All |

+| `aka.ms` | 443 | Microsoft URL shortener | All |

+| `docs.microsoft.com` | 443 | Documentation | All |

+| `privacy.microsoft.com` | 443 | Privacy statement | All |

+| `query.prod.cms.rt.microsoft.com` | 443 | Client updates | Windows Desktop |

+These URLs only correspond to client sites and resources. This list doesn't include URLs for other services like Azure Active Directory or Office 365. Azure Active Directory URLs can be found under IDs 56, 59 and 125 in [Office 365 URLs and IP address ranges](/office365/enterprise/urls-and-ip-address-ranges#microsoft-365-common-and-office-online).

+> We recommend using Azure Compute Gallery images for production environments because of their enhanced capabilities, such as replication and image versioning.

+|Stratodesk |[Stratodesk client documentation](https://kb.stratodesk.com/microsoft-windows-virtual-desktop-wvd)|[Stratodesk support](https://www.stratodesk.com/support/)|

+The Azure Virtual Desktop agent, version 1.0.2944.400 includes a tool that validates URLs and displays whether the virtual machine can access the URLs it needs to function. If any required URLs are accessible, the tool will list them so you can unblock them, if needed. Learn more at [Required URL Check tool](required-url-check-tool.md).

+Capacity Reservations are priced at the same rate as the underlying VM size. For example, if you create a reservation for ten D2s_v3 VMs then you will start getting billed for ten D2s_v3 VMs, even if the reservation is not being used.

+> [Create a Capacity Reservation](capacity-reservation-create.md)

+> [!NOTE]

+> **The Dsv3-Type1 will be retired on March 31, 2023**. Refer to the [dedicated host retirement guide](dedicated-host-retirement.md) to learn more.

+> [!NOTE]

+> **The Dsv3-Type2 will be retired on March 31, 2023**. Refer to the [dedicated host retirement guide](dedicated-host-retirement.md) to learn more.

+> [!NOTE]

+> **The Esv3-Type1 will be retired on March 31, 2023**. Refer to the [dedicated host retirement guide](dedicated-host-retirement.md) to learn more.

+> [!NOTE]

+> **The Esv3-Type2 will be retired on March 31, 2023**. Refer to the [dedicated host retirement guide](dedicated-host-retirement.md) to learn more.

+Add the `--automatic-placement true` parameter to have your VMs and scale set instances automatically placed on hosts, within a host group. For more information, see [Manual vs. automatic placement](dedicated-hosts.md#manual-vs-automatic-placement).

+Add the `-SupportAutomaticPlacement true` parameter to have your VMs and scale set instances automatically placed on hosts, within a host group. For more information, see [Manual vs. automatic placement ](dedicated-hosts.md#manual-vs-automatic-placement).

+ - Subnet delegation: Select Microsoft.StoragePool/diskPools

+The Windows VM agent can be manually installed with a Windows installer package. Manual installation may be necessary when you create a custom VM image that is deployed to Azure. To manually install the Windows VM Agent, [download the VM Agent installer](https://github.com/Azure/WindowsVMAgent) and select the latest release. You can also search a specific version in the [GitHub Windows IaaS VM Agent releases](https://github.com/Azure/WindowsVMAgent/releases). The VM Agent is supported on Windows Server 2008 (64 bit) and later.

+1. In the search box, enter **Virtual Network**. Select **Virtual Network** in the search results.

+1. In the **Virtual Network** page, select **Create**.

+1. In **Create virtual network**, enter or select this information in the **Basics** tab:

+ :::image type="content" source="./media/quick-create-portal/example-basics-tab.png" alt-text="Screenshot of creating a virtual network in Azure portal." border="true":::

+1. Select the **IP Addresses** tab, or select the **Next: IP Addresses** button at the bottom of the page and enter in the following information then select **Add**:

+ | Setting | Value |

+ |--|-|

+ | IPv4 address space | Enter **10.1.0.0/16**. |

+ | **Add subnet** |

+ | Subnet name | Enter **MySubnet**. |

+ | Subnet address range | Enter **10.1.0.0/24**. |

+ | Select **Add**. | |

+

+ :::image type="content" source="./media/quick-create-portal/example-ip-address-tab.png" alt-text="Screenshot of editing ip address tab for virtual network." border="true":::

+1. Select the **Security** tab, or select the **Next: Security** button at the bottom of the page.

+1. Under **BastionHost**, select **Enable**. Enter this information:

+ :::image type="content" source="./media/quick-create-portal/example-security-tab.png" alt-text="Screenshot of editing security tab for virtual network." border="true":::

+1. Select the **Review + create** tab or select the **Review + create** button.

+1. Select **Create**.

+1. In **Create a virtual machine**, type or select the values in the **Basics** tab:

+ | Setting | Value |

+ | Image | Select **Windows Server 2019 Datacenter - Gen2** |

+

+

+ :::image type="content" source="./media/quick-create-portal/azure-virtual-machine-basic-settings.png" alt-text="screenshot of creating basic settings for virtual machine." border="true":::

+1. Select the **Networking** tab, or select **Next: Disks**, then **Next: Networking**.

+1. In the Networking tab, select or enter:

+1. Select the **Review + create** tab, or select the blue **Review + create** button at the bottom of the page.

+1. Review the settings, and then select **Create**.

+1. In **Create a virtual machine**, type or select the values in the **Basics** tab:

+ | Image | Select **Windows Server 2019 Datacenter - Gen2** |

+

+1. Select the **Networking** tab, or select **Next: Disks**, then **Next: Networking**.

+1. In the Networking tab, select or enter:

+1. Select the **Review + create** tab, or select the blue **Review + create** button at the bottom of the page.

+1. Review the settings, and then select **Create**.

+1. Pick the name of your private virtual machine **myVM1**.

+1. In the VM menu bar, select **Connect**, then select **Bastion**.

+ :::image type="content" source="./media/quick-create-portal/connect-to-virtual-machine.png" alt-text="Screenshot of connecting to myVM1 with Azure Bastion." border="true":::

+1. In the **Connect** page, select the blue **Use Bastion** button.

+1. In the **Bastion** page, enter the username and password you created for the virtual machine previously.

+1. Select **Connect**.

+For more information about Azure Bastion, see [Azure Bastion](~/articles/bastion/bastion-overview.md).

+1. Enter `ping myVM2`.

+ The ping fails, because it uses the Internet Control Message Protocol (ICMP). By default, ICMP isn't allowed through your Windows firewall.

+1. Close the bastion connection to **myVM1**.

+1. Complete the steps in [Connect to myVM1](#connect-to-myvm1), but connect to **myVM2**.

+1. Open PowerShell on **myVM2**, enter `ping myvm1`.

+1. Close the bastion connection to **myVM2**.