+To see this scenario in action, try one of the web application sign-in code samples in our [Getting started section](overview.md).

+For Azure AD B2C, the [OAuth 2.0 client credentials flow](./client-credentials-grant-flow.md) is currently in public preview. However, you can set up client credential flow using Azure AD and the Microsoft identity platform `/token` endpoint (`https://login.microsoftonline.com/your-tenant-name.onmicrosoft.com/oauth2/v2.0/token`) for a [Microsoft Graph application](microsoft-graph-get-started.md) or your own application. For more information, check out the [Azure AD token reference](../active-directory/develop/id-tokens.md) article.

+**This feature is in public preview.**

+To enable your app to sign in with Azure AD B2C using client credentials flow, you can use an existing application or register a new one (**App 1**).

+If you're using an existing app, make sure the app's `accessTokenAcceptedVersion` is set to `2`:

+1. In the Azure portal, search for and select **Azure AD B2C**.

+1. Select **App registrations**, and then select the your existing app from the list.

+1. In the left menu, under **Manage**, select **Manifest** to open the manifest editor.

+1. Locate the `accessTokenAcceptedVersion` element, and set its value to `2`.

+1. At the top of the page, select **Save** to save the changes.

+To create a new web app registration, follow these steps:

+$body = "grant_type=client_credentials&scope=" + $scope + "&client_id=" + $appId + "&client_secret=" + $secret

+ | Environment| The SwissID OpenId well-known configuration endpoint. For example, `https://login.sandbox.pre.swissid.ch/idp/oauth2/.well-known/openid-configuration`. |

+ | Client ID | The SwissID client ID. For example, `11111111-2222-3333-4444-555555555555`. |

+description: Learn how to add single-page sign-in using the OAuth 2.0 implicit flow with Azure Active Directory B2C.

+We use the following figure to illustrate implicit sign-in flow. Each step is described in detail later in the article.

+| prompt | No | The type of user interaction that's required. Currently, the only valid value is `login`. This parameter forces the user to enter their credentials on that request. Single Sign-On doesn't take effect. |

+When you want to sign the user out of the app, redirect the user to Azure AD B2C's sign-out endpoint. You can then clear the user's session in the app. If you don't redirect the user, they might be able to reauthenticate to your app without entering their credentials again because they have a valid Single Sign-On session with Azure AD B2C.

+> Directing the user to the `end_session_endpoint` clears some of the user's Single Sign-On state with Azure AD B2C. However, it doesn't sign the user out of the user's social identity provider session. If the user selects the same identity provider during a subsequent sign in, the user is re-authenticated, without entering their credentials. If a user wants to sign out of your Azure AD B2C application, it doesn't necessarily mean they want to completely sign out of their Facebook account, for example. However, for local accounts, the user's session will be ended properly.

+Azure AD B2C authentication service directly supports OAuth 2.0 client credentials grant flow (**currently in public preview**), but you can't use it to manage your Azure AD B2C resources via Microsoft Graph API. However, you can set up [client credential flow](../active-directory/develop/v2-oauth2-client-creds-grant-flow.md) using Azure AD and the Microsoft identity platform `/token` endpoint for an application in your Azure AD B2C tenant.

+**Review the prerequisites required:**

+1. Verify the machine supports TLS1.2 ΓÇô All Windows versions after 2012 R2 should support TLS 1.2. If your connector machine is from a version of 2012 R2 or prior, make sure that the [required updates](https://support.microsoft.com/help/2973337/sha512-is-disabled-in-windows-when-you-use-tls-1.2) are installed.

+ Title: Microsoft Authenticator authentication method - Azure Active Directory

+description: Learn about using the Microsoft Authenticator in Azure Active Directory to help secure your sign-ins

+# Authentication methods in Azure Active Directory - Microsoft Authenticator app

+The Microsoft Authenticator app provides an additional level of security to your Azure AD work or school account or your Microsoft account and is available for [Android](https://go.microsoft.com/fwlink/?linkid=866594) and [iOS](https://go.microsoft.com/fwlink/?linkid=866594). With the Microsoft Authenticator app, users can authenticate in a passwordless way during sign-in, or as an additional verification option during self-service password reset (SSPR) or multifactor authentication events.

+To use the Authenticator app at a sign-in prompt rather than a username and password combination, see [Enable passwordless sign-in with the Microsoft Authenticator](howto-authentication-passwordless-phone.md).

+To get started with passwordless sign-in, see [Enable passwordless sign-in with the Microsoft Authenticator](howto-authentication-passwordless-phone.md).

+- To get started with passwordless sign-in, see [Enable passwordless sign-in with the Microsoft Authenticator](howto-authentication-passwordless-phone.md).

+description: Learn about options for passwordless sign-in to Azure Active Directory using FIDO2 security keys or Microsoft Authenticator

+- Microsoft Authenticator

+## Microsoft Authenticator

+

+The Authenticator App turns any iOS or Android phone into a strong, passwordless credential. Users can sign in to any platform or browser by getting a notification to their phone, matching a number displayed on the screen to the one on their phone, and then using their biometric (touch or face) or PIN to confirm. Refer to [Download and install the Microsoft Authenticator](https://support.microsoft.com/account-billing/download-and-install-the-microsoft-authenticator-app-351498fc-850a-45da-b7b6-27e523b8702a) for installation details.

+description: Step-by-step guidance to migrate from MFA Server on-premises to Azure AD Multi-Factor Authentication

+# Migrate from MFA Server to Azure AD Multi-Factor Authentication

+Multifactor authentication (MFA) is important to securing your infrastructure and assets from bad actors. Azure AD Multi-Factor Authentication Server (MFA Server) isnΓÇÖt available for new deployments and will be deprecated. Customers who are using MFA Server should move to using cloud-based Azure Active Directory (Azure AD) Multi-Factor Authentication.

+|User authentication |Continue to use federation for Azure AD authentication. | Move to Azure AD with Password Hash Synchronization (preferred) or Passthrough Authentication **and** Seamless Single Sign-On (SSO).| Move to Azure AD with Password Hash Synchronization (preferred) or Passthrough Authentication **and** SSO. |

+For example, the Account name that appears under Mobile App on the MFA Server has been renamed to On-Premises MFA Server.

+As part of enrolling users to use Microsoft Authenticator as a second factor, we recommend you enable passwordless phone sign-in as part of their registration. For more information, including other passwordless methods such as FIDO and Windows Hello for Business, visit [Plan a passwordless authentication deployment with Azure AD](howto-authentication-passwordless-deployment.md#plan-for-and-deploy-microsoft-authenticator).

+ - Because the sign-in happens on non-Microsoft applications, it's unlikely that the user will see visual notification that multifactor authentication is required and that a request has been sent to their device.

+ - During the multifactor authentication requirement, the user must have access to their default authentication method to complete the requirement. They can't choose an alternative method. Their default authentication method will be used even if it's disabled in the tenant authentication methods and multifactor authentication policies.

+* [Microsoft Authenticator](./concept-authentication-passwordless.md#microsoft-authenticator) - turns any iOS or Android phone into a strong, passwordless credential by allowing users to sign into any platform or browser.

+| Dedicated non-windows devices| <li> **Microsoft Authenticator** <li> Security keys |

+| Dedicated Windows 10 computers (before version 1703)| <li> **Windows Hello for Business** <li> Microsoft Authenticator app |

+| Shared devices: tablets, and mobile devices| <li> **Microsoft Authenticator** <li> One-time password sign-in |

+| Kiosks (Legacy)| **Microsoft Authenticator** |

+| Kiosks and shared computers ΓÇÄ(Windows 10)| <li> **Security keys** <li> Microsoft Authenticator app |

+| Prerequisite| Microsoft Authenticator| FIDO2 Security Keys|

+* [Downloading Microsoft Authenticator](https://support.microsoft.com/account-billing/download-and-install-the-microsoft-authenticator-app-351498fc-850a-45da-b7b6-27e523b8702a)

+* [Registering in Microsoft Authenticator](howto-authentication-passwordless-phone.md)

+## Plan for and deploy Microsoft Authenticator

+[Microsoft Authenticator](concept-authentication-passwordless.md) turns any iOS or Android phone into a strong, passwordless credential. It's a free download from Google Play or the Apple App Store. Have users [download Microsoft Authenticator](https://support.microsoft.com/account-billing/download-and-install-the-microsoft-authenticator-app-351498fc-850a-45da-b7b6-27e523b8702a) and follow the directions to enable phone sign-in.

+**MFA server** - End users enabled for multi-factor authentication through an organization's on-premises MFA server can create and use a single passwordless phone sign-in credential. If the user attempts to upgrade multiple installations (5 or more) of the Authenticator app with the credential, this change may result in an error.

+> As of July 1, 2019, Microsoft no longer offers MFA Server for new deployments. New customers that want to require multi-factor authentication (MFA) during sign-in events should use cloud-based Azure AD Multi-Factor Authentication. Existing customers that activated MFA Server before July 1, 2019 can download the latest version, future updates, and generate activation credentials as usual. We recommend moving from MFA Server to Azure AD MFA.

+Follow the steps in the article, [Enable passwordless sign-in with Microsoft Authenticator](howto-authentication-passwordless-phone.md) to enable the Authenticator app as a passwordless authentication method in your organization.

+In ASP.NET Core web apps (and web APIs), the application is protected because you have a `[Authorize]` attribute on the controllers or the controller actions. This attribute checks that the user is authenticated. Prior to the release of .NET 6, the code that's initializing the application is in the *Startup.cs* file. New ASP.NET Core projects with .NET 6 no longer contain a *Startup.cs* file. Taking its place is the *Program.cs* file. The rest of this tutorial pertains to .NET 5 or lower.

+For more information about how Microsoft.Identity.Web enables you to create web apps, see [Web Apps in microsoft-identity-web](https://aka.ms/ms-id-web/webapp).

+ Title: Login to Linux virtual machine in Azure using Azure Active Directory and openSSH certificate-based authentication

+> This functionality is also available for [Azure Arc-enabled servers](../../azure-arc/servers/ssh-arc-overview.md).

+- SSH client must support OpenSSH based certificates for authentication. You can use Azure CLI (2.21.1 or higher) with OpenSSH (included in Windows 10 version 1803 or higher) or Azure Cloud Shell to meet this requirement.

+- SSH extension for Azure CLI. You can install this using `az extension add --name ssh`. You donΓÇÖt need to install this extension when using Azure Cloud Shell as it comes pre-installed.

+- If youΓÇÖre using any other SSH client other than Azure CLI or Azure Cloud Shell that supports OpenSSH certificates, youΓÇÖll still need to use Azure CLI with SSH extension to retrieve ephemeral SSH cert and optionally a config file and then use the config file with your SSH client.

+## Enabling Azure AD login for Linux VM in Azure

+To use Azure AD login for Linux VM in Azure, you need to first enable Azure AD login option for your Linux VM, configure Azure role assignments for users who are authorized to login to the VM and then use SSH client that supports OpensSSH such as Azure CLI or Azure Cloud Shell to SSH to your Linux VM. There are multiple ways you can enable Azure AD login for your Linux VM, as an example you can use:

+> [!NOTE]

+## Install SSH extension for Azure CLI

+If youΓÇÖre using Azure Cloud Shell, then no other setup is needed as both the minimum required version of Azure CLI and SSH extension for Azure CLI are already included in the Cloud Shell environment.

+Run the following command to add SSH extension for Azure CLI

+You can enforce Conditional Access policies such as require multi-factor authentication, require compliant or hybrid Azure AD joined device for the device running SSH client, and checking for risk before authorizing access to Linux VMs in Azure that are enabled with Azure AD login. The application that appears in Conditional Access policy is called "Azure Linux VM Sign-In".

+> Conditional Access policy enforcement requiring device compliance or Hybrid Azure AD join on the client device running SSH client only works with Azure CLI running on Windows and macOS. It is not supported when using Azure CLI on Linux or Azure Cloud Shell.

+### Using Azure CLI

+If prompted, enter your Azure AD login credentials at the login page, perform an MFA, and/or satisfy device checks. YouΓÇÖll only be prompted if your Azure CLI session doesnΓÇÖt already meet any required Conditional Access criteria. Close the browser window, return to the SSH prompt, and youΓÇÖll be automatically connected to the VM.

+### Using Azure Cloud Shell

+You can use Azure Cloud Shell to connect to VMs without needing to install anything locally to your client machine. Start Cloud Shell by clicking the shell icon in the upper right corner of the Azure portal.

+Azure Cloud Shell will automatically connect to a session in the context of the signed in user. During the Azure AD Login for Linux Preview, **you must run az login again and go through an interactive sign in flow**.

+> Conditional Access policy enforcement requiring device compliance or Hybrid Azure AD join is not supported when using Azure Cloud Shell.

+Once authentication with a service principal is complete, use the normal Azure CLI SSH commands to connect to the VM.

+Some common errors when you try to SSH with Azure AD credentials include no Azure roles assigned, and repeated prompts to sign-in. Use the following sections to correct these issues.

+You must run `az login` again and go through an interactive sign-in flow. Review the section [Using Azure Cloud Shell](#using-azure-cloud-shell).

+Managing permissions for external partners is a key part of your security posture. WeΓÇÖve added capabilities to the administrator portal experience in Azure Active Directory (Azure AD), part of Microsoft Entra, so that an administrator can see the relationships that their Azure AD tenant has with Microsoft Cloud Service Providers (CSP) who can manage the tenant. This permissions model is called delegated administration. This article introduces the Azure AD administrator to the relationship between the old Delegated Admin Permissions (DAP) permission model and the new Granular Delegated Admin Permissions (GDAP) permission model.

+When an organization (tenant) is deleted in Azure Active Directory (Azure AD), part of Microsoft Entra, all resources that are contained in the organization are also deleted. Prepare your organization by minimizing its associated resources before you delete. Only a global administrator in Azure AD can delete an Azure AD organization from the portal.

+This article introduces and administrator for Azure Active Directory (Azure AD), part of Microsoft Entra, to the relationship between top [identity management](../fundamentals/active-directory-whatis.md?context=azure%2factive-directory%2fusers-groups-roles%2fcontext%2fugr-context) tasks for users in terms of their groups, licenses, deployed enterprise apps, and administrator roles. As your organization grows, you can use Azure AD groups and administrator roles to:

+This article explains how to use self-service sign-up to populate an organization in Azure Active Directory (Azure AD), part of Microsoft Entra. If you want to take over a domain name from an unmanaged Azure AD organization, see [Take over an unmanaged tenant as administrator](domains-admin-takeover.md).

+This article contains the usage constraints and other service limits for the Azure Active Directory (Azure AD), part of Microsoft Entra, service. If youΓÇÖre looking for the full set of Microsoft Azure service limits, see [Azure Subscription and Service Limits, Quotas, and Constraints](../../azure-resource-manager/management/azure-subscription-service-limits.md).

+This article describes two ways to take over a DNS domain name in an unmanaged directory in Azure Active Directory (Azure AD), part of Microsoft Entra. When a self-service user signs up for a cloud service that uses Azure AD, they are added to an unmanaged Azure AD directory based on their email domain. For more about self-service or "viral" sign-up for a service, see [What is self-service sign-up for Azure Active Directory?](directory-self-service-signup.md)

+A domain name is an important part of the identifier for resources in many Azure Active Directory (Azure AD), part of Microsoft Entra: it's part of a user name or email address for a user, part of the address for a group, and is sometimes part of the app ID URI for an application. A resource in Azure AD can include a domain name that's owned by the Azure AD organization (sometimes called a tenant) that contains the resource. Only a Global Administrator can manage domains in Azure AD.

+After a root domain is added to Azure Active Directory (Azure AD), part of Microsoft Entra, all subsequent subdomains added to that root in your Azure AD organization automatically inherit the authentication setting from the root domain. However, if you want to manage domain authentication settings independently from the root domain settings, you can now with the Microsoft Graph API. For example, if you have a federated root domain such as contoso.com, this article can help you verify a subdomain such as child.contoso.com as managed instead of federated.

+Azure Active Directory (Azure AD), part of Microsoft Entra, supports applying sensitivity labels published by the [Microsoft Purview compliance portal](https://compliance.microsoft.com) to Microsoft 365 groups. Sensitivity labels apply to group across services like Outlook, Microsoft Teams, and SharePoint. For more information about Microsoft 365 apps support, see [Microsoft 365 support for sensitivity labels](/microsoft-365/compliance/sensitivity-labels-teams-groups-sites#support-for-the-sensitivity-labels).

+You can bulk download the members of a group in your organization to a comma-separated values (CSV) file in the portal for Azure Active Directory (Azure AD), part of Microsoft Entra. All admins and non-admin users can download group membership lists.

+You can download a list of all the groups in your organization to a comma-separated values (CSV) file in the portal for Azure Active Directory (Azure AD), part of Microsoft Entra. All admins and non-admin users can download group lists.

+You can add multiple members to a group by using a comma-separated values (CSV) file to bulk import group members in the portal for Azure Active Directory (Azure AD), part of Microsoft Entra.

+You can remove a large number of members from a group by using a comma-separated values (CSV) file to remove group members in bulk using the portal for Azure Active Directory (Azure AD), part of Microsoft Entra.

+You can change a group's membership from static to dynamic (or vice-versa) In Azure Active Directory (Azure AD), part of Microsoft Entra. Azure AD keeps the same group name and ID in the system, so all existing references to the group are still valid. If you create a new group instead, you would need to update those references. Dynamic group membership eliminates management overhead adding and removing users. This article tells you how to convert existing groups from static to dynamic membership using either Azure AD Admin center or PowerShell cmdlets.

+You can use rules to determine group membership based on user or device properties In Azure Active Directory (Azure AD), part of Microsoft Entra. This article tells how to set up a rule for a dynamic group in the Azure portal. Dynamic membership is supported for security groups and Microsoft 365 Groups. When a group membership rule is applied, user and device attributes are evaluated for matches with the membership rule. When an attribute changes for a user or device, all dynamic group rules in the organization are processed for membership changes. Users and devices are added or removed if they meet the conditions for a group. Security groups can be used for either devices or users, but Microsoft 365 Groups can be only user groups. Using Dynamic groups requires Azure AD premium P1 license or Intune for Education license. See [Dynamic membership rules for groups](./groups-dynamic-membership.md) for more details.

+You can create attribute-based rules to enable dynamic membership for a group in Azure Active Directory (Azure AD), part of Microsoft Entra. Dynamic group membership adds and removes group members automatically using membership rules based on member attributes. This article details the properties and syntax to create dynamic membership rules for users or devices. You can set up a rule for dynamic membership on security groups or Microsoft 365 groups.

+When the attributes of a user or a device change, the system evaluates all dynamic group rules in a directory to see if the change would trigger any group adds or removes. If a user or device satisfies a rule on a group, they're added as a member of that group. If they no longer satisfy the rule, they're removed. You can't manually add or remove a member of a dynamic group.

+- [Rules with complex expressions](#rules-with-complex-expressions); for example, `(user.proxyAddresses -any (_ -contains "contoso"))`

+A single expression is the simplest form of a membership rule and only has the three parts mentioned above. A rule with a single expression looks similar to this example: `Property Operator Value`, where the syntax for the property is the name of object.property.

+The following example illustrates a properly constructed membership rule with a single expression:

+Parentheses are optional for a single expression. The total length of the body of your membership rule can't exceed 3072 characters.

+| usageLocation |Two letter country or region code | user.usageLocation -eq "US" |

+If you want to compare the value of a user attribute against multiple values, you can use the -in or -notIn operators. Use the bracket symbols "[" and "]" to begin and end the list of values.

+When specifying a value within an expression, it's important to use the correct syntax to avoid errors. Some syntax tips are:

+- String and regex operations aren't case sensitive.

+The following example illustrates operator precedence where two expressions are being evaluated for the user:

+Parentheses are needed only when precedence doesn't meet your requirements. For example, if you want department to be evaluated first, the following shows how parentheses can be used to determine order:

+The underscore (\_) syntax matches occurrences of a specific value in one of the multivalued string collection properties to add users or devices to a dynamic group. It's used with the -any or -all operators.

+Here's an example of a valid rule, where "62e19b97-8b3d-4d4a-a106-4ce66896a863" is the objectID of the

+The "All users" rule is constructed using single expression using the -ne operator and the null value. This rule adds B2B guest users and member users to the group.

+ profileType | a valid [profile type](/graph/api/resources/device?view=graph-rest-1.0#properties&preserve-view=true) in Azure AD | device.profileType -eq "RegisteredDevice"

+> When using deviceOwnership to create Dynamic Groups for devices, you need to set the value equal to "Company." On Intune the device ownership is represented instead as Corporate. For more information, see [OwnerTypes](/intune/reports-ref-devices#ownertypes) for more details.

+> When using extensionAttribute1-15 to create Dynamic Groups for devices you need to set the value for extensionAttribute1-15 on the device. Learn more on [how to write extensionAttributes on an Azure AD device object](/graph/api/device-update?view=graph-rest-1.0&tabs=http#example-2--write-extensionattributes-on-a-device&preserve-view=true)

+This feature preview in Azure Active Directory (Azure AD), part of Microsoft Entra, enables admins to create dynamic groups that populate by adding members of other groups using the memberOf attribute. Apps that couldn't read group-based membership previously in Azure AD can now read the entire membership of these new memberOf groups. Not only can these groups be used for apps, they can also be used for licensing assignment and role-based access control. The following diagram illustrates how you could create Dynamic-Group-A with members of Security-Group-X and Security-Group-Y. Members of the groups inside of Security-Group-X and Security-Group-Y don't become members of Dynamic-Group-A.

+The team for Azure Active Directory (Azure AD), part of Microsoft Entra, receives reports of incidents related to dynamic groups and the processing time for their membership rules. This article uses that reported information to present the most common methods by which our engineering team helps customers to simplify their membership rules. Simpler and more efficient rules result in better dynamic group processing times. When writing membership rules for dynamic groups, follow these steps to ensure that your rules are as efficient as possible.

+Minimize the usage of the `match` operator in rules as much as possible. Instead, explore if it's possible to use the `contains`, `startswith`, or `-eq` operators. Considering using other properties that allow you to write rules to select the users you want to be in the group without using the `-match` operator. For example, if you want a rule for the group for all users whose city is Lagos, then instead of using rules like:

+description: How to test members against a membership rule for a dynamic group in Azure Active Directory.

+Azure Active Directory (Azure AD), part of Microsoft Entra, now provides the means to validate dynamic group rules (in public preview). On the **Validate rules** tab, you can validate your dynamic rule against sample group members to confirm the rule is working as expected. When you create or update dynamic group rules, you want to know whether a user or a device will be a member of the group. This knowledge helps you evaluate whether a user or device meets the rule criteria and help you troubleshoot when membership isn't expected.

+To evaluate the dynamic group rule membership feature, the administrator must have one of the following rules assigned directly: Global Administrator, Groups Administrator, or Intune Administrator.

+To get started, go to **Azure Active Directory** > **Groups**. Select an existing dynamic group or create a new dynamic group and select **Dynamic membership rules**. You can then see the **Validate Rules** tab.

+After you select users or devices from the picker, and **Select**, validation will automatically start and validation results will appear.

+The results tell whether a user is a member of the group or not. If the rule isn't valid or there's a network issue, the result will show as **Unknown**. If the value is **Unknown**, the detailed error message will describe the issue and actions needed.

+You can modify the rule and validation of memberships will be triggered. To see why user isn't a member of the group, select **View details** and verification details will show the result of each expression composing the rule. Select **OK** to exit.

+In Azure Active Directory (Azure AD), part of Microsoft Entra, you can automatically add or remove users to security groups or Microsoft 365 groups, so you don't always have to do it manually. Whenever any properties of a user or device change, Azure AD evaluates all dynamic group rules in your Azure AD organization to see if the change should add or remove members.

+This article tells you how to manage the lifecycle of Microsoft 365 groups by setting an expiration policy for them. You can set expiration policy only for Microsoft 365 groups in Azure Active Directory (Azure AD), part of Microsoft Entra.

+This article tells you how to search for members and owners of a group and how to use search filters in the portal for Azure Active Directory (Azure AD), part of Microsoft Entra. Search functions for groups include:

+To enforce consistent naming conventions for Microsoft 365 groups created or edited by your users, set up a group naming policy for your organizations in Azure Active Directory (Azure AD), part of Microsoft Entra. For example, you could use the naming policy to communicate the function of a group, membership, geographic region, or who created the group. You could also use the naming policy to help categorize groups in the address book. You can use the policy to block specific words from being used in group names and aliases.

+> Azure Active Directory (Azure AD), part of Microsoft Entra, uses intelligence to automatically renew groups based on whether they have been in recent use. This renewal decision is based on user activity in groups across Microsoft 365 services like Outlook, SharePoint, Teams, Yammer, and others.

+In this quickstart, in Azure Active Directory (Azure AD), part of Microsoft Entra, you will set up naming policy in your Azure AD organization for user-created Microsoft 365 groups, to help you sort and search your groups. For example, you could use the naming policy to:

+When you delete a Microsoft 365 group in Azure Active Directory (Azure AD), part of Microsoft Entra, the deleted group is retained but not visible for 30 days from the deletion date. This behavior is so that the group and its contents can be restored if needed. This functionality is restricted exclusively to Microsoft 365 groups in Azure AD. It is not available for security groups and distribution groups. Please note that the 30-day group restoration period is not customizable.

+Using Azure Active Directory (Azure AD), part of Microsoft Entra, with an Azure AD Premium license plan, you can use groups to assign access to a SaaS application that's integrated with Azure AD. For example, if you want to assign access for the marketing department to use five different SaaS applications, you can create an Office 365 or security group that contains the users in the marketing department, and then assign that group to these five SaaS applications that are needed by the marketing department. This way you can save time by managing the membership of the marketing department in one place. Users then are assigned to the application when they are added as members of the marketing group, and have their assignments removed from the application when they are removed from the marketing group. This capability can be used with hundreds of applications that you can add from within the Azure AD Application Gallery.

+You can enable users to create and manage their own security groups or Microsoft 365 groups in Azure Active Directory (Azure AD), part of Microsoft Entra. The owner of the group can approve or deny membership requests, and can delegate control of group membership. Self-service group management features are not available for mail-enabled security groups or distribution lists.

+This article contains instructions for using PowerShell cmdlets to create and update groups in Azure Active Directory (Azure AD), part of Microsoft Entra. This content applies only to Microsoft 365 groups (sometimes called unified groups).

+This article contains examples of how to use PowerShell to manage your groups in Azure Active Directory (Azure AD), part of Microsoft Entra. It also tells you how to get set up with the Azure AD PowerShell module. First, you must [download the Azure AD PowerShell module](https://www.powershellgallery.com/packages/AzureAD/).

+You can enable users in your organization in Active Directory (Azure AD), part of Microsoft Entra, to consent to connect their Microsoft work or school account with their LinkedIn account. After a user connects their accounts, information and highlights from LinkedIn are available in some Microsoft apps and services. Users can also expect their networking experience on LinkedIn to be improved and enriched with information from Microsoft.

+The Microsoft 365 sign-in page for Azure Active Directory (Azure AD), part of Microsoft Entra, supports work or school accounts and Microsoft accounts, but depending on the user's situation, it could be one or the other or both. For example, the Azure AD sign-in page supports:

+We are changing sign-in behavior in Azure Active Directory (Azure AD), part of Microsoft Entra, to make room for new authentication methods and improve usability. During sign-in, Azure AD determines where a user needs to authenticate. Azure AD makes intelligent decisions by reading organization and user settings for the username entered on the sign-in page. This is a step towards a password-free future that enables additional credentials like FIDO 2.0.

+Azure Active Directory (Azure AD), part of Microsoft Entra, supports bulk user create and delete operations and supports downloading lists of users. Just fill out comma-separated values (CSV) template you can download from the Azure AD portal.

+1. On the **Bulk create user** page, select **Download** to receive a valid comma-separated values (CSV) file of user properties, and then add users you want to create.

+Using the admin center in Azure Active Directory (Azure AD), part of Microsoft Entra, you can remove a large number of members to a group by using a comma-separated values (CSV) file to bulk delete users.

+Azure Active Directory (Azure AD), part of Microsoft Entra, supports bulk user list download operations.

+Azure Active Directory (Azure AD), part of Microsoft Entra, supports bulk user restore operations and supports downloading lists of users, groups, and group members.

+If you are a user in an unmanaged organization (tenant) in Azure Active Directory (Azure AD), part of Microsoft Entra, and you no longer need to use apps from that organization or maintain any association with it, you can close your account at any time. An unmanaged organization does not have a Global Administrator. Users in an unmanaged organization can close their accounts on their own, without having to contact an administrator.

+[Custom security attributes](../fundamentals/custom-security-attributes-overview.md) in Azure Active Directory (Azure AD), part of Microsoft Entra, are business-specific attributes (key-value pairs) that you can define and assign to Azure AD objects. For example, you can assign custom security attribute to filter your employees or to help determine who gets access to resources. This article describes how to assign, update, remove, or filter custom security attributes for Azure AD.

+Azure Active Directory (Azure AD), part of Microsoft Entra, allows you to restrict what external guest users can see in their organization in Azure AD. Guest users are set to a limited permission level by default in Azure AD, while the default for member users is the full set of user permissions. There's another guest user permission level in your Azure AD organization's external collaboration settings for even more restricted access, so that the guest access levels are:

+Secure Shell (SSH) is a network protocol that provides encryption for operating network services securely over an unsecured network. SSH also provides a command-line sign-in, executes remote commands, and securely transfer files. It's commonly used in Unix-based systems such as Linux®. SSH replaces the Telnet protocol, which doesn't provide encryption in an unsecured network.

+Azure Active Directory (Azure AD) provides a Virtual Machine (VM) extension for Linux®-based systems running on Azure, and a client extension that integrates with [Azure CLI](/cli/azure/) and the OpenSSH client.

+* Working with Linux®-based VMs that require remote sign-in

+* **User**: Starts Azure CLI and SSH client to set up a connection with the Linux® VMs and provides credentials for authentication.

+* **Azure CLI**: The component that the user interacts with to initiate their session with Azure AD, request short-lived OpenSSH user certificates from Azure AD, and initiate the SSH session.

+* **Web browser**: The component that the user interacts with to authenticate their Azure CLI session. It communicates with the Identity Provider (Azure AD) to securely authenticate and authorize the user.

+* **OpenSSH Client**: This client is used by Azure CLI, or (optionally) directly by the end user, to initiate a connection to the Linux VM.

+* **Azure AD**: Authenticates the identity of the user and issues short-lived OpenSSH user certificates to their Azure CLI client.

+* **Linux VM**: Accepts OpenSSH user certificate and provides successful connection.

+For more information on how to get started on this journey, see the [Azure AD deployment plans](https://aka.ms/deploymentplans). These plans provide end-to-end guidance for deploying Azure Active Directory (Azure AD) capabilities. Each plan explains the business value, planning considerations, design, and operational procedures needed to successfully roll out common Azure AD capabilities. Microsoft continually updates the deployment plans with best practices learned from customer deployments and other feedback when we add new capabilities to managing from the cloud with Azure AD.

+* [Microsoft identity platform ID tokens](../develop/id-tokens.md)

+[My Apps](https://myapps.microsoft.com) is a web-based portal that allows an end user with an organizational account in Azure Active Directory to view and launch applications to which they have been granted access by the Azure AD administrator. If you are an end user with [Azure Active Directory Premium](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing), you can also utilize self-service group management capabilities through My Apps.

+ - In the textbox, you see the supported pattern(s) as a placeholder, for example: `https://contoso.com`.

+Consider implementing [Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md)

+ > These values are not real. Update these values with the actual Sign on URL and Reply URL. The Sign on URL and Reply URL can have the same value (`http://127.0.0.1:35001`). Refer to [AWS Client VPN Documentation](https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-authentication.html#ad) for details. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. Contact [AWS ClientVPN support team](https://aws.amazon.com/contact-us/) for any configuration issues.

+ Title: 'Tutorial: Azure AD SSO integration with Keystone'

+description: Learn how to configure single sign-on between Azure Active Directory and Keystone.

+# Tutorial: Azure AD SSO integration with Keystone

+In this tutorial, you'll learn how to integrate Keystone with Azure Active Directory (Azure AD). When you integrate Keystone with Azure AD, you can:

+* Control in Azure AD who has access to Keystone.

+* Enable your users to be automatically signed-in to Keystone with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+## Prerequisites

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Keystone single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+## Scenario description

+In this tutorial, you configure and test Azure AD SSO in a test environment.

+* Keystone supports **SP** initiated SSO.

+## Add Keystone from the gallery

+To configure the integration of Keystone into Azure AD, you need to add Keystone from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **Keystone** in the search box.

+1. Select **Keystone** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for Keystone

+Configure and test Azure AD SSO with Keystone using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user at Keystone.

+To configure and test Azure AD SSO with Keystone, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure Keystone SSO](#configure-keystone-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create Keystone test user](#create-keystone-test-user)** - to have a counterpart of B.Simon in Keystone that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **Keystone** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** textbox, type a value using the following pattern:

+ `urn:auth0:irdeto:<InstanceName>`

+ b. In the **Reply URL** textbox, type a URL using the following pattern:

+ `https://irdeto.auth0.com/login/callback?connection=<InstanceName>`

+ c. In the **Sign-on URL** text box, type the URL:

+ `https://fms.live.fm.ks.irdeto.com/`

+ > [!Note]

+ > These values are not real. Update these values with the actual Identifier and Reply URL. Contact [Keystone support team](mailto:soc@irdeto.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up Keystone** section, copy the appropriate URL(s) based on your requirement.

+ 

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+### Assign the Azure AD test user

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Keystone.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **Keystone**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure Keystone SSO

+To configure single sign-on on **Keystone** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Keystone support team](mailto:soc@irdeto.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create Keystone test user

+In this section, you create a user called Britta Simon at Keystone. Work with [Keystone support team](mailto:soc@irdeto.com) to add the users in the Keystone platform. Users must be created and activated before you use single sign-on.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on **Test this application** in Azure portal. This will redirect to Keystone Sign-On URL where you can initiate the login flow.

+* Go to Keystone Sign-On URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the Keystone tile in the My Apps, this will redirect to Keystone Sign-On URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure Keystone you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure AD SSO integration with Preset'

+description: Learn how to configure single sign-on between Azure Active Directory and Preset.

+# Tutorial: Azure AD SSO integration with Preset

+In this tutorial, you'll learn how to integrate Preset with Azure Active Directory (Azure AD). When you integrate Preset with Azure AD, you can:

+* Control in Azure AD who has access to Preset.

+* Enable your users to be automatically signed-in to Preset with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+## Prerequisites

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Preset single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+## Scenario description

+In this tutorial, you configure and test Azure AD SSO in a test environment.

+* Preset supports **SP** and **IDP** initiated SSO.

+## Add Preset from the gallery

+To configure the integration of Preset into Azure AD, you need to add Preset from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **Preset** in the search box.

+1. Select **Preset** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for Preset

+Configure and test Azure AD SSO with Preset using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Preset.

+To configure and test Azure AD SSO with Preset, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure Preset SSO](#configure-preset-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create Preset test user](#create-preset-test-user)** - to have a counterpart of B.Simon in Preset that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **Preset** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** textbox, type a value using the following pattern:

+ `urn:auth0:preset-io-prod:<ConnectionID>`

+ b. In the **Reply URL** textbox, type a URL using the following pattern:

+ `https://auth.app.preset.io/login/callback?connection=<ConnectionID>`

+1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:

+ In the **Sign-on URL** text box, type the URL:

+ `https://manage.app.preset.io/login`

+ > [!Note]

+ > These values are not real. Update these values with the actual Identifier and Reply URL. Contact [Preset support team](mailto:support@preset.io) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. Preset application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.

+ 

+1. In addition to above, Preset application expects few more attributes to be passed back in SAML response, which are shown below. These attributes are also pre populated but you can review them as per your requirements.

+ | Name | Source Attribute|

+ | | |

+ | firstName | user.givenname |

+ | lastName | user.surname |

+ | email | user.mail |

+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up Preset** section, copy the appropriate URL(s) based on your requirement.

+ 

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+### Assign the Azure AD test user

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Preset.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **Preset**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure Preset SSO

+To configure single sign-on on **Preset** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Preset support team](mailto:support@preset.io). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create Preset test user

+In this section, you create a user called Britta Simon in Preset. Work with [Preset support team](mailto:support@preset.io) to add the users in the Preset platform. Users must be created and activated before you use single sign-on.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+#### SP initiated:

+* Click on **Test this application** in Azure portal. This will redirect to Preset Sign on URL where you can initiate the login flow.

+* Go to Preset Sign-on URL directly and initiate the login flow from there.

+#### IDP initiated:

+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Preset for which you set up the SSO.

+You can also use Microsoft My Apps to test the application in any mode. When you click the Preset tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Preset for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure Preset you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+1. Go to the [Azure portal](https://portal.azure.com).

+1. Go to the [Azure portal](https://portal.azure.com).

+1. Go to the [Azure portal](https://portal.azure.com).

+ Title: 'Tutorial: Azure AD SSO integration with Tendium'

+description: Learn how to configure single sign-on between Azure Active Directory and Tendium.

+# Tutorial: Azure AD SSO integration with Tendium

+In this tutorial, you'll learn how to integrate Tendium with Azure Active Directory (Azure AD). When you integrate Tendium with Azure AD, you can:

+* Control in Azure AD who has access to Tendium.

+* Enable your users to be automatically signed-in to Tendium with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+## Prerequisites

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Tendium single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+## Scenario description

+In this tutorial, you configure and test Azure AD SSO in a test environment.

+* Tendium supports **SP** initiated SSO.

+* Tendium supports **Just In Time** user provisioning.

+> [!NOTE]

+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.

+## Add Tendium from the gallery

+To configure the integration of Tendium into Azure AD, you need to add Tendium from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **Tendium** in the search box.

+1. Select **Tendium** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for Tendium

+Configure and test Azure AD SSO with Tendium using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Tendium.

+To configure and test Azure AD SSO with Tendium, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure Tendium SSO](#configure-tendium-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create Tendium test user](#create-tendium-test-user)** - to have a counterpart of B.Simon in Tendium that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **Tendium** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** text box, type the value:

+ `urn:amazon:cognito:sp:eu-west-1_bIV0Yblnt`

+

+ b. In the **Reply URL** text box, type the URL:

+ `https://auth-prod.app.tendium.com/saml2/idpresponse`

+ c. In the **Sign-on URL** text box, type the URL:

+ `https://app.tendium.com/auth/sign-in`

+1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.

+ 

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+### Assign the Azure AD test user

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Tendium.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **Tendium**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure Tendium SSO

+To configure single sign-on on **Tendium** side, you need to send the **App Federation Metadata Url** to [Tendium support team](mailto:tech-partners@tendium.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create Tendium test user

+In this section, a user called B.Simon is created in Tendium. Tendium supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Tendium, a new one is created after authentication.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on **Test this application** in Azure portal. This will redirect to Tendium Sign-on URL where you can initiate the login flow.

+* Go to Tendium Sign-on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the Tendium tile in the My Apps, this will redirect to Tendium Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

+## Next steps

+Once you configure Tendium you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

+ Title: 'Tutorial: Azure AD SSO integration with Training Platform'

+description: Learn how to configure single sign-on between Azure Active Directory and Training Platform.

+# Tutorial: Azure AD SSO integration with Training Platform

+In this tutorial, you'll learn how to integrate Training Platform with Azure Active Directory (Azure AD). When you integrate Training Platform with Azure AD, you can:

+* Control in Azure AD who has access to Training Platform.

+* Enable your users to be automatically signed-in to Training Platform with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+## Prerequisites

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Training Platform single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+## Scenario description

+In this tutorial, you configure and test Azure AD SSO in a test environment.

+* Training Platform supports **SP** and **IDP** initiated SSO.

+* Training Platform supports **Just In Time** user provisioning.

+## Add Training Platform from the gallery

+To configure the integration of Training Platform into Azure AD, you need to add Training Platform from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **Training Platform** in the search box.

+1. Select **Training Platform** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for Training Platform

+Configure and test Azure AD SSO with Training Platform using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Training Platform.

+To configure and test Azure AD SSO with Training Platform, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure Training Platform SSO](#configure-training-platform-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create Training Platform test user](#create-training-platform-test-user)** - to have a counterpart of B.Simon in Training Platform that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **Training Platform** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** textbox, type a value using the following pattern:

+ `urn:auth0:living-security:<ID>`

+ b. In the **Reply URL** textbox, type a URL using the following pattern:

+ `https://identity.livingsecurity.com/login/callback?connection=<ID>`

+1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:

+ In the **Sign-on URL** text box, type the URL:

+ `https://app.livingsecurity.com`

+ > [!Note]

+ > These values are not real. Update these values with the actual Identifier and Reply URL. Contact [Training Platform support team](mailto:support@livingsecurity.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.

+ 

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+### Assign the Azure AD test user

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Training Platform.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **Training Platform**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure Training Platform SSO

+1. Log in to your Training Platform company site as an administrator.

+1. Go to **Configuration** section and select **SAML SSO Configuration** tab.

+1. Make sure your application is set to **Metadata URL** Mode.

+1. In the **Identity Provider Metadata Url*** textbox, paste the **App Federation Metadata Url** which you have copied from the Azure portal.

+ 

+1. Click **Save**.

+### Create Training Platform test user

+In this section, a user called B.Simon is created in Training Platform. Training Platform supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Training Platform, a new one is created after authentication.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+#### SP initiated:

+* Click on **Test this application** in Azure portal. This will redirect to Training Platform Sign-on URL where you can initiate the login flow.

+* Go to Training Platform Sign on URL directly and initiate the login flow from there.

+#### IDP initiated:

+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Training Platform for which you set up the SSO.

+You can also use Microsoft My Apps to test the application in any mode. When you click the Training Platform tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Training Platform for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure Training Platform you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure AD SSO integration with Veza'

+description: Learn how to configure single sign-on between Azure Active Directory and Veza.

+# Tutorial: Azure AD SSO integration with Veza

+In this tutorial, you'll learn how to integrate Veza with Azure Active Directory (Azure AD). When you integrate Veza with Azure AD, you can:

+* Control in Azure AD who has access to Veza.

+* Enable your users to be automatically signed-in to Veza with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+## Prerequisites

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Veza single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD. For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+## Scenario description

+In this tutorial, you configure and test Azure AD SSO in a test environment.

+* Veza supports **SP** and **IDP** initiated SSO.

+* Veza supports **Just In Time** user provisioning.

+## Add Veza from the gallery

+To configure the integration of Veza into Azure AD, you need to add Veza from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **Veza** in the search box.

+1. Select **Veza** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for Veza

+Configure and test Azure AD SSO with Veza using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Veza.

+To configure and test Azure AD SSO with Veza, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure Veza SSO](#configure-veza-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create Veza test user](#create-veza-test-user)** - to have a counterpart of B.Simon in Veza that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **Veza** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** text box, type a value using one of the following patterns:

+ | **Identifier** |

+ |-|

+ `urn:auth0:<Cookie-auth0-instance-name>:saml-<customer-name>-cookie-connection` |

+ `urn:auth0:<Veza-auth0-instance-name>:saml-<customer-name>-cookie-connection` |

+ b. In the **Reply URL** text box, type a URL using one of the following patterns:

+ | **Reply URL** |

+ ||

+ | `https://<instancename>.veza.com` |

+ | `https://<instancename>.cookie.ai` |

+1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:

+

+ In the **Sign-on URL** text box, type a URL using one of the following patterns:

+ | **Sign-on URL** |

+ |--|

+ | `https://<instancename>.cookie.ai/login/callback?connection=saml-<customer-name>-cookie-connection` |

+ | `https://<instancename>.veza.com/ login/callback?connection=saml-<customer-name>-veza-connection` |

+ > [!NOTE]

+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [Veza Client support team](mailto:support@veza.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up Veza** section, copy the appropriate URL(s) based on your requirement.

+ 

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+### Assign the Azure AD test user

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Veza.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **Veza**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure Veza SSO

+1. Log in to your Veza company site as an administrator.

+1. Go to **Administration** > **Sign-in Settings**, toggle **Enable MFA** button and choose to configure SSO.

+ 

+1. In the **Configure SSO** page, perform the following steps:

+ 

+ a. In the **Sign In Url** textbox, paste the **Login URL** value, which you've copied from the Azure portal.

+ b. Open the downloaded **Certificate (Base64)** from the Azure portal and upload the file into the **X509 Signing Certificate** by clicking **Choose File** option.

+ c. In the **Sign Out Url** textbox, paste the **Logout URL** value, which you've copied from the Azure portal.

+ d. Toggle **Enable Request Signing** button and select RSA-SHA-256 and SHA-256 as the **Sign Request Algorithm**.

+ e. Click **Save** on the Veza SSO configuration and toggle the option to **Enable SSO**.

+### Create Veza test user

+In this section, a user called B.Simon is created in Veza. Veza supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Veza, a new one is created after authentication.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+#### SP initiated:

+* Click on **Test this application** in Azure portal. This will redirect to Veza Sign-On URL where you can initiate the login flow.

+* Go to Veza Sign-On URL directly and initiate the login flow from there.

+#### IDP initiated:

+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Veza for which you set up the SSO.

+You can also use Microsoft My Apps to test the application in any mode. When you click the Veza tile in the My Apps, if configured in SP mode you would be redirected to the application Sign-On page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Veza for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure Veza you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

+1. Go to the [Azure portal](https://portal.azure.com).

+1. Go to the [Azure portal](https://portal.azure.com).

+1. Go to the [Azure portal](https://portal.azure.com).

+* [Microsoft Purview Compliance Manager](/microsoft-365/compliance/compliance-manager)

+[Securing identity with Zero Trust](/security/zero-trust/deploy/identity)

+ΓÇÄ

+[Achieving NIST AAL3 by using Azure AD](nist-authenticator-assurance-level-3.md)

+[Achieve NIST AAL3 with Azure AD](nist-authenticator-assurance-level-3.md)

+[Configure Azure Active directory to meet FedRAMP High Impact level](configure-azure-active-directory-for-fedramp-high-impact.md)

+az aks nodepool snapshot create --name MySnapshot --resource-group MyResourceGroup --nodepool-id $NODEPOOL_ID --location eastus

+There are times when it's impractical to have all callers to your API use exactly the same version. When callers want to upgrade to a later version, they want an approach that's easy to understand. As shown in this tutorial, it is possible to provide multiple *versions* in Azure API Management.

+## Edit a version

+After adding the version, you can now edit and configure it as an API that is separate from an Original. Changes to one version do not affect another. For example, add or remove API operations, or edit the OpenAPI specification. For more information, see [Edit an API](edit-api.md).

+ 1. In **Authorization callback URL** (the redirect URL), enter `https://authorization-manager.consent.azure-apim.net/redirect/apim/<YOUR-APIM-SERVICENAME>`, substituting the API Management service name that is used.

+description: Learn how to use API Management to edit an API. Add, delete, or rename operations in the APIM instance, or edit the API's swagger.

+The steps in this tutorial show you how to use API Management to edit an API.

+## Edit an operation

+

+You can update your backend API from the Azure portal by following these steps:

+> [Transform and protect a published API](transform-api.md)

+Use the API Management [Purge](/rest/api/apimanagement/current-ga/deleted-services/purge) operation, substituting `{subscriptionId}`, `{location}`, and `{serviceName}` with your Azure subscription, resource location, and API Management name.

+> [!NOTE]

+> To purge a soft-deleted instance, you must have the following RBAC permissions at the subscription scope: Microsoft.ApiManagement/locations/deletedservices/delete, Microsoft.ApiManagement/deletedservices/read.

+ 1. An **OpenAPI link** for content in JSON format. For this example: `https://conferenceapi.azurewebsites.net?format=json`.

+1. If the `Dockerfile` isn't opened automatically, open it from the **Solution Explorer**.

+Your project is now set to run in a Windows container. A `Dockerfile` is added to the **CustomFontSample** project, and a **docker-compose** project is added to the solution.

+Sign in to the [Azure portal](https://portal.azure.com).

+`<protocol>://127.0.0.1:<port>`. For example, `http://127.0.0.1:80` for an HTTP probe on port 80. Only HTTP status codes of 200 through 399 are considered healthy. The protocol and destination port are inherited from the HTTP settings. If you want Application Gateway to probe on a different protocol, host name, or path and to recognize a different status code as Healthy, configure a custom probe and associate it with the HTTP settings.

+For example: You configure your application gateway to use back-end servers A, B, and C to receive HTTP network traffic on port 80. The default health monitoring tests the three servers every 30 seconds for a healthy HTTP response with a 30 second timeout for each request. A healthy HTTP response has a [status code](https://msdn.microsoft.com/library/aa287675.aspx) between 200 and 399. In this case, the HTTP GET request for the health probe will look like `http://127.0.0.1/`.

+Sign in to the [Azure portal](https://portal.azure.com).

+## Use cases

+| Container | Tags | Retrieve image |

+||:||

+| **Layout**| &bullet; `latest` </br> &bullet; `2.1-preview`| `docker pull mcr.microsoft.com/azure-cognitive-services/form-recognizer/layout)`|

+| **Business Card** | &bullet; `latest` </br> &bullet; `2.1-preview` |`docker pull mcr.microsoft.com/azure-cognitive-services/form-recognizer/receipt` |

+| **ID Document** | &bullet; `latest` </br> &bullet; `2.1-preview`| `docker pull mcr.microsoft.com/azure-cognitive-services/form-recognizer/id-document`|

+| **Receipt**| &bullet; `latest` </br> &bullet; `2.1-preview`| `docker pull mcr.microsoft.com/azure-cognitive-services/form-recognizer/receipt` |

+| **Invoice**| &bullet; `latest` </br> &bullet; `2.1-preview`|`docker pull mcr.microsoft.com/azure-cognitive-services/form-recognizer/invoice` |

+| **Custom API** | &bullet; `latest` </br> &bullet; `2.1-preview`| `docker pull mcr.microsoft.com/azure-cognitive-services/form-recognizer/custom-api`|

+| **Custom Supervised**| &bullet; `latest` </br> &bullet; `2.1-preview`|`docker pull mcr.microsoft.com/azure-cognitive-services/form-recognizer/custom-supervised` |

+>

+>[!TIP]

+>

+> * For an enhanced experience and advanced model quality, try the [Form Recognizer v3.0 Studio (preview)](https://formrecognizer.appliedai.azure.com/studio).

+> * The v3.0 Studio supports any model trained with v2.1 labeled data.

+> * You can refer to the API migration guide for detailed information about migrating from v2.1 to v3.0.

+> * *See* our [**REST API**](quickstarts/try-v3-rest-api.md) or [**C#**](quickstarts/try-v3-csharp-sdk.md), [**Java**](quickstarts/try-v3-java-sdk.md), [**JavaScript**](quickstarts/try-v3-javascript-sdk.md), or [Python](quickstarts/try-v3-python-sdk.md) SDK quickstarts to get started with the V3.0 preview.

+description: How to use the Form Recognizer sample tool to analyze documents, invoices, receipts etc. Label and create a custom model to extract text, tables, selection marks, structure and key-value pairs from documents.

+In this article, you'll use the Form Recognizer REST API with the Sample Labeling tool to train a custom model with manually labeled data.

+ You'll need the following resources to complete this project:

+ * You'll need the key and endpoint from the resource you create to connect your application to the Form Recognizer API. You'll paste your key and endpoint into the code below later in the quickstart.

+You'll need an Azure subscription ([create one for free](https://azure.microsoft.com/free/cognitive-services)) and a [Form Recognizer resource](https://portal.azure.com/#create/Microsoft.CognitiveServicesFormRecognizer) endpoint and key to try out the Form Recognizer service.

+### Identify text and tables

+The labeling tool will also show which tables have been automatically extracted. Select the table/grid icon on the left hand of the document to see the extracted table. In this quickstart, because the table content is automatically extracted, we won't be labeling the table content, but rather rely on the automated extraction.

+In v2.1, if your training document doesn't have a value filled in, you can draw a box where the value should be. Use **Draw region** on the upper left corner of the window to make the region taggable.

+ * Formatted as a Floating point value.

+ * Example: 1234.98 on the document will be formatted into 1234.98 on the output

+ * Formatted as an integer value.

+ * Example: 1234.98 on the document will be formatted into 123498 on the output.

+At times, your data might lend itself better to being labeled as a table rather than key-value pairs. In this case, you can create a table tag by selecting **Add a new table tag**. Specify whether the table will have a fixed number of rows or variable number of rows depending on the document and define the schema.

+Once you've defined your table tag, tag the cell values.

+* **Average Accuracy** - The model's average accuracy. You can improve model accuracy by adding and labeling more forms, then retraining to create a new model. We recommend starting by labeling five forms and adding more forms as needed.

+Depending on the reported accuracy, you may want to do further training to improve the model. After you've done a prediction, examine the confidence values for each of the applied tags. If the average accuracy training value is high, but the confidence scores are low (or the results are inaccurate), add the prediction file to the training set, label it, and train again.

+When you want to resume your project, you first need to create a connection to the same blob storage container. To do so, repeat the steps above. Then, go to the application settings page (gear icon) and see if your project's security token is there. If it isn't, add a new security token and copy over your token name and key from the previous step. Select **Save** to retain your settings.

+Finally, go to the main page (house icon) and select **Open Cloud Project**. Then select the blob storage connection, and select your project's `.fott` file. The application will load all of the project's settings because it has the security token.

+>[!TIP]

+>

+> * For an enhanced experience and advanced model quality, try the [Form Recognizer v3.0 Studio (preview)](https://formrecognizer.appliedai.azure.com/studio).

+> * The v3.0 Studio supports any model trained with v2.1 labeled data.

+> * You can refer to the API migration guide for detailed information about migrating from v2.1 to v3.0.

+> * *See* our [**REST API**](try-v3-rest-api.md) or [**C#**](try-v3-csharp-sdk.md), [**Java**](try-v3-java-sdk.md), [**JavaScript**](try-v3-javascript-sdk.md), or [Python](try-v3-python-sdk.md) SDK quickstarts to get started with the V3.0 preview.

+1. In the **Source** field, select **URL** from the dropdown menu, paste the selected URL, and select the **Fetch** button.

+ :::image type="content" source="../media/label-tool/fott-select-url.png" alt-text="Screenshot of source location dropdown menu.":::

+1. In the **Source** field, select **URL** from the dropdown menu, paste the following URL `https://raw.githubusercontent.com/Azure-Samples/cognitive-services-REST-api-samples/master/curl/form-recognizer/layout-page-001.jpg`, and select the **Fetch** button.

+* An Azure Storage blob container that contains a set of training data. Make sure all the training documents are of the same format. If you have forms in multiple formats, organize them into subfolders based on common format. For this project, you can use our [sample data set](https://github.com/Azure-Samples/cognitive-services-REST-api-samples/blob/master/curl/form-recognizer/sample_data_without_labels.zip). If you don't know how to create an Azure storage account with a container, follow the [Azure Storage quickstart for Azure portal](../../../storage/blobs/storage-quickstart-blobs-portal.md).

+ [CORS (Cross Origin Resource Sharing)](/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services) needs to be configured on your Azure storage account for it to be accessible from the Form Recognizer Studio. To configure CORS in the Azure portal, you'll need access to the CORS tab of your storage account.

+ 1. Select the CORS tab for the storage account.

+> * To analyze a given file at a URI, you'll use the `StartAnalyzeDocumentFromUri` method and pass `prebuilt-document` as the model ID. The returned value is an `AnalyzeResult` object containing data about the submitted document.

+> * We've added the file URI value to the `Uri invoiceUri` variable at the top of the Program.cs file.

+>[!TIP]

+>

+> * For an enhanced experience and advanced model quality, try the [Form Recognizer v3.0 Studio (preview)](https://formrecognizer.appliedai.azure.com/studio).

+> * The v3.0 Studio supports any model trained with v2.1 labeled data.

+> * You can refer to the API migration guide for detailed information about migrating from v2.1 to v3.0.

+> * *See* our [**REST API**](quickstarts/try-v3-rest-api.md) or [**C#**](quickstarts/try-v3-csharp-sdk.md), [**Java**](quickstarts/try-v3-java-sdk.md), [**JavaScript**](quickstarts/try-v3-javascript-sdk.md), or [Python](quickstarts/try-v3-python-sdk.md) SDK quickstarts to get started with the V3.0 preview.

+- There's data you wish to extract that isn't presented in specific form fields but semantically, the data could fit in a two-dimensional grid. For instance, your form has a list of people, and includes, a first name, a last name, and an email address. You would like to extract this information. In this case, you could use a table tag with first name, last name, and email address as columns and each row is populated with information about a person from your list.

+1. On **Tags**, you can categorize resources. Select **Name** and **Value** and select **Review + create**.

+You're taken to the **Review + create** page where Azure validates your configuration. Once your changes to public Network Access and Private Link are applied, it can take up to 35 minutes for them to take effect.

+|Automation account name|Required |Enter a name unique for its location and resource group. Names for Automation accounts that have been deleted might not be immediately available. You can't change the account name once it has been entered in the user interface. |

+### Networking

+On the **Networking** tab, you can connect to your automation account either publicly, (via public IP addresses), or privately, using a private endpoint. The following image shows the connectivity configuration that you can define for a new automation account.

+- **Public Access** ΓÇô This default option provides a public endpoint for the Automation account that can receive traffic over the internet and does not require any additional configuration. However, we don't recommend it for private applications or secure environments. Instead, the second option **Private access**, a private Link mentioned below can be leveraged to restrict access to automation endpoints only from authorized virtual networks. Public access can simultaneously coexist with the private endpoint enabled on the Automation account. If you select public access while creating the Automation account, you can add a Private endpoint later from the Networking blade of the Automation Account.

+- **Private Access** ΓÇô This option provides a private endpoint for the Automation account that uses a private IP address from your virtual network. This network interface connects you privately and securely to the Automation account. You bring the service into your virtual network by enabling a private endpoint. This is the recommended configuration from a security point of view; however, this requires you to configure Hybrid Runbook Worker connected to an Azure virtual network & currently does not support cloud jobs.

+### Tags

+description: How to determine what versions of the Fluid Framework releases are compatible with Azure Fluid Relay

+> If building with any pre-release version of of **@fluidframework/azure-client** and **fluid-framework** we strongly recommend that you update to the latest 1.0 version. Earlier versions will not be

+> supported with the General Availability of Azure Fluid Relay. With this upgrade, youΓÇÖll make use of our new multi-region routing capability where

+> Azure Fluid Relay will host your session closer to your end users to improve customer experience. In the latest package, you will need to update your

+> serviceConfig object to the new Azure Fluid Relay service endpoint instead of the storage and orderer endpoints:

+> If your Azure Fluid Relay resource is in West US 2, please use **https://us.fluidrelay.azure.com**. If it is West Europe,

+> use **https://eu.fluidrelay.azure.com**. If it is in Southeast Asia, use **https://global.fluidrelay.azure.com**.

+> These values can also be found in the "Access Key" section of the Fluid Relay resource in the Azure portal. The orderer and storage endpoints will be deprecated soon.

+| @fluidframework/azure-client | [1.0.1][] | [API](https://fluidframework.com/docs/apis/azure-client/) |

+| fluid-framework | [1.0.1][] | [API](https://fluidframework.com/docs/apis/fluid-framework/) |

+| @fluidframework/azure-service-utils | [1.0.1][] | [API](https://fluidframework.com/docs/apis/azure-service-utils/) |

+| @fluidframework/test-client-utils | [1.0.1][] | [API](https://fluidframework.com/docs/apis/test-client-utils/) |

+[1.0.1]: https://fluidframework.com/docs/updates/v1.0.0/

+ endpoint: "https://myServiceEndpointUrl",

+ type: "remote",

+ endpoint: "https://myServiceEndpointUrl",

+ type: "remote",

+ endpoint: "https://myServiceEndpointUrl",

+ type: "remote",

+ endpoint: "http://localhost:7070",

+ type: "remote",

+ type: "remote",

+ endpoint: "https://myServiceEndpointUrl",

+ type: "local",

+ endpoint: "http://localhost:7070",

+To configure the Azure client, replace the local connection `serviceConfig` object in `app.js` with your Azure Fluid Relay

+service configuration values. These values can be found in the "Access Key" section of the Fluid Relay resource in the Azure portal. Your `serviceConfig` object should look like this with the values replaced

+ tenantId: "MY_TENANT_ID", // REPLACE WITH YOUR TENANT ID

+ endpoint: "https://myServiceEndpointUrl", // REPLACE WITH YOUR SERVICE ENDPOINT

+ type: "remote",

+# Azure Fluid Relay limits

+This article outlines known limitations of Azure Fluid Relay.

+## Fluid summaries

+## When will Azure Fluid Relay be Generally Available?

+Azure Fluid Relay will be Generally Available on 8/1/2022. At that point, the service will no longer be free. Charges will apply based on your usage of Azure Fluid Relay. The service will be metering 4 activities:

+- Operations in: As end users join, leave, and contribute to a collaborative session, the Fluid Framework client libraries send messages (also referred to as operations or ops) to the service. Each message incoming from one client is counted as one message. Heartbeat messages and other session messages are also counted. Messages larger than 2KB are counted as multiple messages of 2KB each (for example, 11KB message is counted as 6 messages).

+- Operations out: Once the service processes incoming messages, it broadcasts them to all participants in the collaborative session. Each message sent to each client is counted as one message (for example, in a 3-user session, one of the users sends an op, that will generate 3 ops out).

+- Client connectivity minutes: The duration of each user being connected to the session will be charged on a per user basis (for example, 3 users collaborate on a session for an hour, this is charged as 180 connectivity minutes).

+- Storage: Each collaborative Fluid session stores session artifacts in the service. Storage of this data will be charged on a per GB per month basis (prorated as appropriate).

+Reference the table below for the prices (in USD) we will start to charge at General Availability for each of these meters in the regions Azure Fluid Relay is currently offered. Additional regions and additional information about other currencies will be available on our pricing page soon.

+| Meter | Unit | West US 2 | West Europe | Southeast Asia

+|--|--|--|--|--|

+| Operations In | 1 million ops | 1.50 | 1.95 | 1.95 |

+| Operations Out | 1 million ops | 0.50 | 0.65 | 0.65 |

+| Client Connectivity Minutes | 1 million minutes | 1.50 | 1.95 | 1.95 |

+| Storage | 1 GB/month | 0.20 | 0.26 | 0.26 |

+# Help and support options for Azure Fluid Relay

+## Check out frequently asked questions

+## Create an Azure support request

+ - For Azure Functions 3.x, Core Tools **v3.0.4585** or newer is required.

+ - For Azure Functions 4.x, Core Tools **v4.0.4590** or newer is required.

+Supports the default Event Grid binding parameter type of [Microsoft.Azure.EventGrid.Models.EventGridEvent](/dotnet/api/microsoft.azure.eventgrid.models.eventgridevent). Event Grid extension versions earlier than 3.x don't support [CloudEvents schema](../event-grid/cloudevents-schema.md#azure-functions). To consume this schema, instead use an HTTP trigger.

+Functions 1.x apps automatically have a reference to the [Microsoft.Azure.WebJobs](https://www.nuget.org/packages/Microsoft.Azure.WebJobs) NuGet package, version 2.x. Event Grid extension versions earlier than 3.x don't support [CloudEvents schema](../event-grid/cloudevents-schema.md#azure-functions). To consume this schema, instead use an HTTP trigger.

+Add the extension to your project by installing the [NuGet package](https://www.nuget.org/packages/Microsoft.Azure.Functions.Worker.Extensions.EventGrid), version 2.x. Event Grid extension versions earlier than 3.x don't support [CloudEvents schema](../event-grid/cloudevents-schema.md#azure-functions). To consume this schema, instead use an HTTP trigger.

+Supports the default Event Grid binding parameter type of [Microsoft.Azure.EventGrid.Models.EventGridEvent](/dotnet/api/microsoft.azure.eventgrid.models.eventgridevent). Event Grid extension versions earlier than 3.x don't support [CloudEvents schema](../event-grid/cloudevents-schema.md#azure-functions). To consume this schema, instead use an HTTP trigger.

+Functions 1.x apps automatically have a reference to the [Microsoft.Azure.WebJobs](https://www.nuget.org/packages/Microsoft.Azure.WebJobs) NuGet package, version 2.x. Event Grid extension versions earlier than 3.x don't support [CloudEvents schema](../event-grid/cloudevents-schema.md#azure-functions). To consume this schema, instead use an HTTP trigger.

+You can install this version of the extension in your function app by registering the [extension bundle], version 2.x. Event Grid extension versions earlier than 3.x don't support [CloudEvents schema](../event-grid/cloudevents-schema.md#azure-functions). To consume this schema, instead use an HTTP trigger.

+The Event Grid output binding is only available for Functions 2.x and higher. Event Grid extension versions earlier than 3.x don't support [CloudEvents schema](../event-grid/cloudevents-schema.md#azure-functions). To consume this schema, instead use an HTTP trigger.

+description: Understand how to develop functions with Python.

+This article is an introduction to developing for Azure Functions by using Python. It assumes that you've already read the [Azure Functions developer guide](functions-reference.md).

+As a Python developer, you might also be interested in one of the following articles:

+> Although you can [develop your Python-based functions locally on Windows](create-first-function-vs-code-python.md#run-the-function-locally), Python functions are supported in Azure only when they're running on Linux. See the [list of supported operating system/runtime combinations](functions-scale.md#operating-systemruntime).

+Azure Functions expects a function to be a stateless method in your Python script that processes input and produces output. By default, the runtime expects the method to be implemented as a global method called `main()` in the *\__init\__.py* file. You can also [specify an alternate entry point](#alternate-entry-point).

+Data from triggers and bindings is bound to the function via method attributes that use the `name` property defined in the *function.json* file. For example, the following _function.json_ file describes a simple function triggered by an HTTP request named `req`:

+Based on this definition, the *\__init\__.py* file that contains the function code might look like the following example:

+You can also explicitly declare the attribute types and return type in the function by using Python type annotations. This action helps you to use the IntelliSense and autocomplete features that many Python code editors provide.

+Use the Python annotations included in the [azure.functions.*](/python/api/azure-functions/azure.functions) package to bind inputs and outputs to your methods.

+You can change the default behavior of a function by optionally specifying the `scriptFile` and `entryPoint` properties in the *function.json* file. For example, the following _function.json_ file tells the runtime to use the `customentry()` method in the _main.py_ file as the entry point for your function:

+The recommended folder structure for an Azure Functions project in Python looks like the following example:

+The main project folder (*<project_root>*) can contain the following files:

+* *local.settings.json*: Used to store app settings and connection strings when functions are running locally. This file isn't published to Azure. To learn more, see [Local settings file](functions-develop-local.md#local-settings-file).

+* *requirements.txt*: Contains the list of Python packages that the system installs when you're publishing to Azure.

+* *host.json*: Contains configuration options that affect all functions in a function app instance. This file is published to Azure. Not all options are supported when functions are running locally. To learn more, see the [host.json reference](functions-host-json.md).

+* *.vscode/*: (Optional) Contains stored Visual Studio Code configurations. To learn more, see [User and Workspace Settings](https://code.visualstudio.com/docs/getstarted/settings).

+* *.venv/*: (Optional) Contains a Python virtual environment that's used for local development.

+* *Dockerfile*: (Optional) Used when you're publishing your project in a [custom container](functions-create-function-linux-custom-image.md).

+* *.funcignore*: (Optional) Declares files that shouldn't be published to Azure. Usually, this file contains `.vscode/` to ignore your editor setting, `.venv/` to ignore the local Python virtual environment, `tests/` to ignore test cases, and `local.settings.json` to prevent local app settings from being published.

+Each function has its own code file and binding configuration file (*function.json*).

+When you deploy your project to a function app in Azure, the entire contents of the main project (*<project_root>*) folder should be included in the package, but not the folder itself. That means *host.json* should be in the package root. We recommend that you maintain your tests in a folder along with other functions. In this example, the folder is *tests/*. For more information, see [Unit testing](#unit-testing).

+You can import modules in your function code by using both absolute and relative references. Based on the folder structure shown earlier, the following imports work from within the function file *<project_root>\my\_first\_function\\_\_init\_\_.py*:

+> The *shared_code/* folder needs to contain an *\_\_init\_\_.py* file to mark it as a Python package when you're using absolute import syntax.

+The following *\_\_app\_\_* import and beyond top-level relative import are deprecated. The static type checker and the Python test frameworks don't support them.

+## Triggers and inputs

+Inputs are divided into two categories in Azure Functions: trigger input and other binding input. Although they're different in the *function.json* file, usage is identical in Python code. When functions are running locally, connection strings or secrets required by trigger and input sources are maintained in the `Values` collection of the *local.settings.json* file. When functions are running in Azure, those same connection strings or secrets are stored securely as [application settings](functions-how-to-use-azure-function-app-settings.md#settings).

+The following example code demonstrates the difference between the two:

+When the function is invoked, the HTTP request is passed to the function as `req`. An entry will be retrieved from Azure Blob Storage based on the ID in the route URL and made available as `obj` in the function body. Here, the storage account specified is the connection string found in the `AzureWebJobsStorage` app setting, which is the same storage account that the function app uses.

+Output can be expressed in the return value and in output parameters. If there's only one output, we recommend using the return value. For multiple outputs, you'll have to use output parameters.

+To use the return value of a function as the value of an output binding, set the `name` property of the binding to `$return` in *function.json*.

+To produce multiple outputs, use the `set()` method provided by the [azure.functions.Out](/python/api/azure-functions/azure.functions.out) interface to assign a value to the binding. For example, the following function can push a message to a queue and return an HTTP response:

+The following example logs an info message when the function is invoked via an HTTP trigger:

+| `critical(_message_)` | Writes a message with level CRITICAL on the root logger. |

+| `error(_message_)` | Writes a message with level ERROR on the root logger. |

+| `warning(_message_)` | Writes a message with level WARNING on the root logger. |

+| `info(_message_)` | Writes a message with level INFO on the root logger. |

+| `debug(_message_)` | Writes a message with level DEBUG on the root logger. |

+By default, the Azure Functions runtime collects logs and other telemetry data that your functions generate. This telemetry ends up as traces in Application Insights. By default, [triggers and bindings](functions-triggers-bindings.md#supported-bindings) also collect request and dependency telemetry for certain Azure services.

+To collect custom request and custom dependency telemetry outside bindings, you can use the [OpenCensus Python Extensions](https://github.com/census-ecosystem/opencensus-python-extensions-azure). The Azure Functions extension sends custom telemetry data to your Application Insights instance. You can find a list of supported extensions at the [OpenCensus repository](https://github.com/census-instrumentation/opencensus-python/tree/master/contrib).

+## HTTP trigger and bindings

+The HTTP trigger is defined in the *function.json* file. The `name` parameter of the binding must match the named parameter in the function.

+The previous examples use the binding name `req`. This parameter is an [HttpRequest] object, and an [HttpResponse] object is returned.

+From the `HttpRequest` object, you can get request headers, query parameters, route parameters, and the message body.

+The following example is from the [HTTP trigger template for Python](https://github.com/Azure/azure-functions-templates/tree/dev/Functions.Templates/Templates/HttpTrigger-Python):

+In this function, the value of the `name` query parameter is obtained from the `params` parameter of the `HttpRequest` object. The JSON-encoded message body is read using the `get_json` method.

+Likewise, you can set the `status_code` and `headers` information for the response message in the returned `HttpResponse` object.

+First, the *function.json* file must be updated to include `route` in the HTTP trigger, as shown in the following example:

+The *host.json* file must also be updated to include an HTTP `routePrefix` value, as shown in the following example:

+Update the Python code file *init.py*, based on the interface that your framework uses. The following example shows either an ASGI handler approach or a WSGI wrapper approach for Flask:

+For a full example, see [Using the Flask framework with Azure Functions](/samples/azure-samples/flask-app-on-azure-functions/azure-functions-python-create-flask-app/).

+## Scaling and performance

+For scaling and performance best practices for Python function apps, see [Improve throughput performance of Python apps in Azure Functions](python-scale-performance-reference.md).

+The [Context](/python/api/azure-functions/azure.functions.context) class has the following string attributes:

+- `function_directory`: Directory in which the function is running.

+- `function_name`: Name of the function.

+- `invocation_id`: ID of the current function invocation.

+- `trace_context`: Context for distributed tracing. For more information, see [Trace Context](https://www.w3.org/TR/trace-context/) on the W3C website.

+- `retry_context`: Context for retries to the function. For more information, see [Retry policies](./functions-bindings-errors.md#retry-policies).

+It isn't guaranteed that the state of your app will be preserved for future executions. However, the Azure Functions runtime often reuses the same process for multiple executions of the same app. To cache the results of an expensive computation, declare it as a global variable:

+In Azure Functions, [application settings](functions-app-settings.md), such as service connection strings, are exposed as environment variables during execution. There are two main ways to access these settings in your code:

+| `os.environ["myAppSetting"]` | Tries to get the application setting by key name. It raises an error when unsuccessful. |

+| `os.getenv("myAppSetting")` | Tries to get the application setting by key name. It returns `null` when unsuccessful. |

+Azure Functions supports the following Python versions. These are official Python distributions.

+| Functions version | Python versions |

+To request a specific Python version when you create your function app in Azure, use the `--runtime-version` option of the [`az functionapp create`](/cli/azure/functionapp#az-functionapp-create) command. The `--functions-version` option sets the Azure Functions runtime version. The Python version is set when the function app is created and can't be changed.

+To set a Python function app to a specific language version, you need to specify the language and the version of the language in `linuxFxVersion` field in site configuration. For example, to change Python app to use Python 3.8, set `linuxFxVersion` to `python|3.8`.

+To learn more about the Azure Functions runtime support policy, see [Language runtime support policy](./language-support-policy.md).

+To see the full list of supported Python versions for function apps, see [Supported languages in Azure Functions](./supported-languages.md).

+You can view and set `linuxFxVersion` from the Azure CLI by using the [az functionapp config show](/cli/azure/functionapp/config) command. Replace `<function_app>` with the name of your function app. Replace `<my_resource_group>` with the name of the resource group for your function app.

+You see `linuxFxVersion` in the following output, which has been truncated for clarity:

+You can update the `linuxFxVersion` setting in the function app by using the [az functionapp config set](/cli/azure/functionapp/config) command. In the following code:

+- Replace `<FUNCTION_APP>` with the name of your function app.

+- Replace `<RESOURCE_GROUP>` with the name of the resource group for your function app.

+- Replace `<LINUX_FX_VERSION>` with the Python version that you want to use, prefixed by `python|`. For example: `python|3.9`.

+You can run the command from [Azure Cloud Shell](../cloud-shell/overview.md) by selecting **Try it** in the preceding code sample. You can also use the [Azure CLI locally](/cli/azure/install-azure-cli) to run the command after you use [az login](/cli/azure/reference-index#az-login) to sign in.

+The function app restarts after you change the site configuration.

+When you're developing locally by using the Azure Functions Core Tools or Visual Studio Code, add the names and versions of the required packages to the *requirements.txt* file and install them by using `pip`.

+For example, you can use the following requirements file and `pip` command to install the `requests` package from PyPI:

+When you're ready to publish, make sure that all your publicly available dependencies are listed in the *requirements.txt* file. This file is at the root of your project directory.

+You can also find project files and folders that are excluded from publishing, including the virtual environment folder, in the root directory of your project.

+Three build actions are supported for publishing your Python project to Azure: remote build, local build, and builds that use custom dependencies.

+You can also use Azure Pipelines to build your dependencies and publish by using continuous delivery (CD). To learn more, see [Continuous delivery by using Azure DevOps](functions-how-to-azure-devops.md).

+When you use a remote build, dependencies restored on the server and native dependencies match the production environment. This results in a smaller deployment package to upload. Use a remote build when you're developing Python apps on Windows. If your project has custom dependencies, you can [use a remote build with an extra index URL](#remote-build-with-extra-index-url).

+Dependencies are obtained remotely based on the contents of the *requirements.txt* file. [Remote build](functions-deployment-technologies.md#remote-build) is the recommended build method. By default, Azure Functions Core Tools requests a remote build when you use the following [func azure functionapp publish](functions-run-local.md#publish) command to publish your Python project to Azure. Replace `<APP_NAME>` with the name of your function app in Azure.

+The [Azure Functions extension for Visual Studio Code](./create-first-function-vs-code-csharp.md#publish-the-project-to-azure) also requests a remote build by default.

+Dependencies are obtained locally based on the contents of the *requirements.txt* file. You can prevent a remote build by using the following [func azure functionapp publish](functions-run-local.md#publish) command to publish with a local build. Replace `<APP_NAME>` with the name of your function app in Azure.

+When you use the `--build local` option, project dependencies are read from the *requirements.txt* file. Those dependent packages are downloaded and installed locally. Project files and dependencies are deployed from your local computer to Azure. This results in the upload of a larger deployment package to Azure. If you can't get the *requirements.txt* file by using Core Tools, you must use the custom dependencies option for publishing.

+We don't recommend using local builds when you're developing locally on Windows.

+When your project has dependencies not found in the [Python Package Index](https://pypi.org/), there are two ways to build the project.

+When your packages are available from an accessible custom package index, use a remote build. Before publishing, make sure to [create an app setting](functions-how-to-use-azure-function-app-settings.md#settings) named `PIP_EXTRA_INDEX_URL`. The value for this setting is the URL of your custom package index. Using this setting tells the remote build to run `pip install` with the `--extra-index-url` option. To learn more, see the [Python pip install documentation](https://pip.pypa.io/en/stable/reference/pip_install/#requirements-file-format).

+#### Installing local packages

+If your project uses packages that aren't publicly available, you can make them available to your app by putting them in the *\_\_app\_\_/.python_packages* directory. Before publishing, run the following command to install the dependencies locally:

+When you're using custom dependencies, use the following `--no-build` publishing option because you've already installed the dependencies into the project folder. Replace `<APP_NAME>` with the name of your function app in Azure.

+## Unit testing

+You can test functions written in Python the same way that you test other Python code: through standard testing frameworks. For most bindings, it's possible to create a mock input object by creating an instance of an appropriate class from the [azure.functions](https://pypi.org/project/azure-functions/) package. Because the `azure.functions` package isn't immediately available, be sure to install it via your *requirements.txt* file as described in the earlier [Package management](#package-management) section.

+Take *my_second_function* as an example. Following is a mock test of an HTTP triggered function.

+First, to create the *<project_root>/my_second_function/function.json* file and define this function as an HTTP trigger, use the following code:

+Now, you can implement *my_second_function* and *shared_code.my_second_helper_function*:

+# Define an HTTP trigger that accepts the ?value=<int> query parameter

+You can start writing test cases for your HTTP trigger:

+Inside your *.venv* Python virtual environment, install your favorite Python test framework, such as `pip install pytest`. Then run `pytest tests` to check the test result.

+The `tempfile.gettempdir()` method returns a temporary folder, which on Linux is */tmp*. Your application can use this directory to store temporary files that your functions generate and use during execution.

+> Files written to the temporary directory aren't guaranteed to persist across invocations. During scale-out, temporary files aren't shared between instances.

+The following example creates a named temporary file in the temporary directory (*/tmp*):

+We recommend that you maintain your tests in a folder that's separate from the project folder. This action keeps you from deploying test code with your app.

+A few libraries come with the runtime for Azure Functions on Python.

+The Python Standard Library contains a list of built-in Python modules that are shipped with each Python distribution. Most of these libraries help you access system functionality, like file I/O. On Windows systems, these libraries are installed with Python. On Unix systems, package collections provide them.

+To view the full details of these libraries, use these links:

+### Worker dependencies

+The Python worker for Azure Functions requires a specific set of libraries. You can also use these libraries in your functions, but they aren't a part of the Python standard. If your functions rely on any of these libraries, they might not be available to your code when you're running outside Azure Functions. You can find a detailed list of dependencies in the `install\_requires` section in the [setup.py](https://github.com/Azure/azure-functions-python-worker/blob/dev/setup.py#L282) file.

+> If your function app's *requirements.txt* file contains an `azure-functions-worker` entry, remove it. The Azure Functions platform automatically manages this worker, and we regularly update it with new features and bug fixes. Manually installing an old version of the worker in *requirements.txt* might cause unexpected problems.

+> If your package contains certain libraries that might collide with the worker's dependencies (for example, protobuf, TensorFlow, or grpcio), configure [PYTHON_ISOLATE_WORKER_DEPENDENCIES](functions-app-settings.md#python_isolate_worker_dependencies-preview) to `1` in app settings to prevent your application from referring to the worker's dependencies. This feature is in preview.

+### Python library for Azure Functions

+Every Python worker update includes a new version of the [Python library for Azure Functions (azure.functions)](https://github.com/Azure/azure-functions-python-library). This approach makes it easier to continuously update your Python function apps, because each update is backward compatible. You can find a list of releases of this library in the [azure-functions information on the PyPi website](https://pypi.org/project/azure-functions/#history).

+The runtime library version is fixed by Azure, and *requirements.txt* can't override it. The `azure-functions` entry in *requirements.txt* is only for linting and customer awareness.

+Use the following code to track the version of the Python library for Azure Functions in your runtime:

+The following table lists preinstalled system libraries in Docker images for the Python worker:

+| **Application level** | When the extension is imported into any function trigger, it applies to every function execution in the app. |

+| **Function level** | Execution is limited to only the specific function trigger into which it's imported. |

+Review the information for an extension to learn more about the scope in which the extension runs.

+Extensions implement a Python worker extension interface. This action lets the Python worker process call into the extension code during the function execution lifecycle.

+1. Add the extension package in the *requirements.txt* file for your project.

+ + To add the setting locally, add `"PYTHON_ENABLE_WORKER_EXTENSIONS": "1"` in the `Values` section of your [local.settings.json file](functions-develop-local.md#local-settings-file).

+ + To add the setting in Azure, add `PYTHON_ENABLE_WORKER_EXTENSIONS=1` to your [app settings](functions-how-to-use-azure-function-app-settings.md#settings).

+1. Configure the extension instance, if needed. Configuration requirements should be called out in the extension's documentation.

+> Microsoft doesn't support or warranty third-party Python worker extension libraries. Make sure that any extensions you use in your function app are trustworthy. You bear the full risk of using a malicious or poorly written extension.

+Third parties should provide specific documentation on how to install and consume their specific extension in your function app. For a basic example of how to consume an extension, see [Consuming your extension](develop-python-worker-extensions.md#consume-your-extension-locally).

+# [Application level](#tab/application-level)

+# [Function level](#tab/function-level)

+Extensions are created by third-party library developers who have created functionality that can be integrated into Azure Functions. An extension developer designs, implements, and releases Python packages that contain custom logic designed specifically to be run in the context of function execution. These extensions can be published either to the PyPI registry or to GitHub repositories.

+| `init` | Called after the extension is imported. |

+| `configure` | Called from function code when it's needed to configure the extension. |

+| `post_function_load_app_level` | Called right after the function is loaded. The function name and function directory are passed to the extension. Keep in mind that the function directory is read-only. Any attempt to write to a local file in this directory fails. |

+| `pre_invocation_app_level` | Called right before the function is triggered. The function context and function invocation arguments are passed to the extension. You can usually pass other attributes in the context object for the function code to consume. |

+| `post_invocation_app_level` | Called right after the function execution finishes. The function context, function invocation arguments, and invocation return object are passed to the extension. This implementation is a good place to validate whether execution of the lifecycle hooks succeeded. |

+| `__init__` | Called when an extension instance is initialized in a specific function. This method is the constructor of the extension. When you're implementing this abstract method, you might want to accept a `filename` parameter and pass it to the parent's `super().__init__(filename)` method for proper extension registration. |

+| `post_function_load` | Called right after the function is loaded. The function name and function directory are passed to the extension. Keep in mind that the function directory is read-only. Any attempt to write to a local file in this directory fails. |

+| `pre_invocation` | Called right before the function is triggered. The function context and function invocation arguments are passed to the extension. You can usually pass other attributes in the context object for the function code to consume. |

+| `post_invocation` | Called right after the function execution finishes. The function context, function invocation arguments, and invocation return object are passed to the extension. This implementation is a good place to validate whether execution of the lifecycle hooks succeeded. |

+To improve throughput, Azure Functions lets your out-of-process Python language worker share memory with the host process. When your function app is hitting bottlenecks, you can enable shared memory by adding an application setting named [FUNCTIONS_WORKER_SHARED_MEMORY_DATA_TRANSFER_ENABLED](functions-app-settings.md#functions_worker_shared_memory_data_transfer_enabled) with a value of `1`. With shared memory enabled, you can then use the [DOCKER_SHM_SIZE](functions-app-settings.md#docker_shm_size) setting to set the shared memory to something like `268435456`, which is equivalent to 256 MB.

+For example, you might enable shared memory to reduce bottlenecks when using Azure Blob Storage bindings to transfer payloads larger than 1 MB.

+This functionality is available only for function apps running in Premium and Dedicated (Azure App Service) plans. To learn more, see [Shared memory](https://github.com/Azure/azure-functions-python-worker/wiki/Shared-Memory).

+## Known issues and FAQs

+Here's a list of troubleshooting guides for common issues:

+All known issues and feature requests are tracked through the [GitHub issues](https://github.com/Azure/azure-functions-python-worker/issues) list. If you run into a problem and can't find the issue in GitHub, open a new issue and include a detailed description of the problem.

+* [Blob Storage bindings](functions-bindings-storage-blob.md)

+* [HTTP and webhook bindings](functions-bindings-http-webhook.md)

+* [Azure Queue Storage bindings](functions-bindings-storage-queue.md)

+Door openings in an Azure Maps dataset are represented as a single-line segment that overlaps multiple unit boundaries. The following images show how Azure Maps converts door layer geometry into opening features in a dataset..

+* [Manually download and install](#install-the-agent-manually) the agent. This is required when the Linux computer doesn't have access to the Internet and will be communicating with Azure Monitor or Azure Automation through the [Log Analytics gateway](./gateway.md).

+Starting with versions released after August 2018, we're making the following changes to our support model:

+* Focus support on any of the [Azure Linux Endorsed distros](../../virtual-machines/linux/endorsed-distros.md). There may be some delay between a new distro/version being Azure Linux Endorsed and it being supported for the Log Analytics Linux agent.

+* Versions that have passed their manufacturer's end-of-support date aren't supported.

+* Only support VM images; containers, even those derived from official distro publishers' images, aren't supported.

+* New versions of AMI aren't supported.

+If you're using an older version of the agent, you must have the Virtual Machine use Python 2 by default. If your virtual machine is using a distro that doesn't include Python 2 by default, then you must install it. The following sample commands will install Python 2 on different distros.

+Again, only if you're using an older version of the agent, the python2 executable must be aliased to *python*. Following is one method that you can use to set this alias:

+The following aren't supported:

+CIS and SELinux hardening support is planned for [Azure Monitoring Agent](./azure-monitor-agent-overview.md). Further hardening and customization methods aren't supported nor planned for OMS Agent. For instance, OS images like GitHub Enterprise Server which include customizations such as limitations to user account privileges aren't supported.

+Regardless of the installation method used, you'll require the workspace ID and key for the Log Analytics workspace that the agent will connect to. Select the workspace from the **Log Analytics workspaces** menu in the Azure portal. Then select **Agents management** in the **Settings** section.

+After installing the Log Analytics agent for Linux packages, the following system-wide configuration changes are also applied. These artifacts are removed when the omsagent package is uninstalled.

+* A sudoers *include* file is created in `/etc/sudoers.d/omsagent`. This authorizes `omsagent` to restart the syslog and omsagent daemons. If sudo *include* directives aren't supported in the installed version of sudo, these entries will be written to `/etc/sudoers`.

+The agent attempts to upload every 20 seconds. If it fails, it waits an exponentially increasing length of time until it succeeds: 30 seconds before the second attempt, 60 seconds before the third, 120 seconds, and so on, up to a maximum of 16 minutes between retries until it successfully connects again. The agent retries up to 6 times for a given chunk of data before discarding and moving to the next one. This continues until the agent can successfully upload again. This means that data may be buffered up to approximately 30 minutes before being discarded.

+- [Associate endpoint to machines](../agents/data-collection-rule-azure-monitor-agent.md#create-data-collection-rule-and-association)

+ - This is not required for Azure Arc-enabled servers. The system identity will be enabled automatically if the agent is installed via [creating and assigning a data collection rule using the Azure portal](data-collection-rule-azure-monitor-agent.md#create-data-collection-rule-and-association).

+To install the Azure Monitor agent using the Azure portal, follow the process to [create a data collection rule](data-collection-rule-azure-monitor-agent.md#create-data-collection-rule-and-association) in the Azure portal. This not only creates the rule, but it also associates it to the selected resources and installs the Azure Monitor agent on them if not already installed.

+See [create new data collection rules](./data-collection-rule-azure-monitor-agent.md#create-data-collection-rule-and-association) to start collecting some of the existing data types. Once you validate data is flowing as expected with the Azure Monitor agent, check the `Category` column in the [Heartbeat](/azure/azure-monitor/reference/tables/heartbeat) table for the value *Azure Monitor Agent* for AMA collected data. Ensure it matches data flowing through the existing Log Analytics agent.

+6. Existing data collection rule(s) you wish to associate with the devices. If it doesn't exist already, [follow the guidance here to create data collection rule(s)](./data-collection-rule-azure-monitor-agent.md#create-data-collection-rule-and-association). **Do not associate the rule to any resources yet**.

+Now we associate the Data Collection Rules (DCR) to the Monitored Object by creating Data Collection Rule Associations. If you haven't already, [follow instructions here](./data-collection-rule-azure-monitor-agent.md#create-data-collection-rule-and-association) to create data collection rules first.

+ Title: Monitor data from virtual machines with Azure Monitor agent

+description: Describes how to collect events and performance data from virtual machines using the Azure Monitor agent.

+# Collect data from virtual machines with the Azure Monitor agent

+This article describes how to collect events and performance counters from virtual machines using the Azure Monitor agent.

+To collect data from virtual machines using the Azure Monitor agent, you'll:

+1. Create [data collection rules (DCR)](../essentials/data-collection-rule-overview.md) that define which data Azure Monitor agent sends to which destinations.

+1. Associate the data collection rule to specific virtual machines.

+## How data collection rule associations work

+You can associate virtual machines to multiple data collection rules. This allows you to define each data collection rule to address a particular requirement, and associate the data collection rules to virtual machines based on the specific data you want to collect from each machine.

+For example, consider an environment with a set of virtual machines running a line of business application and other virtual machines running SQL Server. You might have:

+- One default data collection rule that applies to all virtual machines.

+- Separate data collection rules that collect data specifically for the line of business application and for SQL Server.

+

+The following diagram illustrates the associations for the virtual machines to the data collection rules.

+

+## Create data collection rule and association

+To send data to Log Analytics, create the data collection rule in the **same region** where your Log Analytics workspace resides. You can still associate the rule to machines in other supported regions.

+### [Portal](#tab/portal)

+1. From the **Monitor** menu, select **Data Collection Rules**.

+1. Select **Create** to create a new Data Collection Rule and associations.

+ [](media/data-collection-rule-azure-monitor-agent/data-collection-rules-updated.png#lightbox)

+

+1. Provide a **Rule name** and specify a **Subscription**, **Resource Group**, **Region**, and **Platform Type**.

+ **Region** specifies where the DCR will be created. The virtual machines and their associations can be in any subscription or resource group in the tenant.

+ **Platform Type** specifies the type of resources this rule can apply to. Custom allows for both Windows and Linux types.

+ [](media/data-collection-rule-azure-monitor-agent/data-collection-rule-basics-updated.png#lightbox)

+1. On the **Resources** tab, add the resources (virtual machines, virtual machine scale sets, Arc for servers) to which to associate the data collection rule. The portal will install Azure Monitor Agent on resources that don't already have it installed, and will also enable Azure Managed Identity.

+ > [!IMPORTANT]

+ > The portal enables System-Assigned managed identity on the target resources, in addition to existing User-Assigned Identities (if any). For existing applications, unless you specify the User-Assigned identity in the request, the machine will default to using System-Assigned Identity instead.

+ If you need network isolation using private links, select existing endpoints from the same region for the respective resources, or [create a new endpoint](../essentials/data-collection-endpoint-overview.md).

+ [](media/data-collection-rule-azure-monitor-agent/data-collection-rule-virtual-machines-with-endpoint.png#lightbox)

+1. On the **Collect and deliver** tab, select **Add data source** to add a data source and set a destination.

+1. Select a **Data source type**.

+1. Select which data you want to collect. For performance counters, you can select from a predefined set of objects and their sampling rate. For events, you can select from a set of logs and severity levels.

+ [](media/data-collection-rule-azure-monitor-agent/data-collection-rule-data-source-basic-updated.png#lightbox)

+1. Select **Custom** to collect logs and performance counters that are not [currently supported data sources](azure-monitor-agent-overview.md#data-sources-and-destinations) or to [filter events using XPath queries](#filter-events-using-xpath-queries). You can then specify an [XPath](https://www.w3schools.com/xml/xpath_syntax.asp) to collect any specific values. See [Sample DCR](data-collection-rule-sample-agent.md) for an example.

+ [](media/data-collection-rule-azure-monitor-agent/data-collection-rule-data-source-custom-updated.png#lightbox)

+1. On the **Destination** tab, add one or more destinations for the data source. You can select multiple destinations of the same or different types - for instance multiple Log Analytics workspaces (known as "multi-homing").

+ You can send Windows event and Syslog data sources can to Azure Monitor Logs only. You can send performance counters to both Azure Monitor Metrics and Azure Monitor Logs.

+ [](media/data-collection-rule-azure-monitor-agent/data-collection-rule-destination.png#lightbox)

+1. Select **Add Data Source** and then **Review + create** to review the details of the data collection rule and association with the set of virtual machines.

+1. Select **Create** to create the data collection rule.

+> It might take up to 5 minutes for data to be sent to the destinations after you create the data collection rule and associations.

+### [API](#tab/api)

+### [PowerShell](#tab/powershell)

+### [Azure CLI](#tab/cli)

+This is enabled as part of Azure CLI **monitor-control-service** Extension. [View all commands](/cli/azure/monitor/data-collection/rule)

+### [Resource Manager template](#tab/arm)

+See [Resource Manager template samples for data collection rules in Azure Monitor](./resource-manager-data-collection-rules.md) for sample templates.

+## Filter events using XPath queries

+Since you're charged for any data you collect in a Log Analytics workspace, collect only the data you need. The basic configuration in the Azure portal provides you with a limited ability to filter out events.

+To specify additional filters, use Custom configuration and specify an XPath that filters out the events you don't need. XPath entries are written in the form `LogName!XPathQuery`. For example, you may want to return only events from the Application event log with an event ID of 1035. The XPathQuery for these events would be `*[System[EventID=1035]]`. Since you want to retrieve the events from the Application event log, the XPath is `Application!*[System[EventID=1035]]`

+### Extracting XPath queries from Windows Event Viewer

+In Windows, you can use Event Viewer to extract XPath queries as shown below.

+When you paste the XPath query into the field on the **Add data source** screen, (step 5 in the picture below), you must append the log type category followed by '!'.

+[](media/data-collection-rule-azure-monitor-agent/data-collection-rule-extract-xpath.png#lightbox)

+See [XPath 1.0 limitations](/windows/win32/wes/consuming-events#xpath-10-limitations) for a list of limitations in the XPath supported by Windows event log.

+> [!TIP]

+> You can use the PowerShell cmdlet `Get-WinEvent` with the `FilterXPath` parameter to test the validity of an XPathQuery locally on your machine first. The following script shows an example.

+>

+> ```powershell

+> $XPath = '*[System[EventID=1035]]'

+> Get-WinEvent -LogName 'Application' -FilterXPath $XPath

+> ```

+>

+> - **In the cmdlet above, the value of the *-LogName* parameter is the initial part of the XPath query until the '!'. The rest of the XPath query goes into the *$XPath* parameter.**

+> - If the script returns events, the query is valid.

+> - If you receive the message *No events were found that match the specified selection criteria.*, the query may be valid, but there are no matching events on the local machine.

+> - If you receive the message *The specified query is invalid* , the query syntax is invalid.

+Examples of filtering events using a custom XPath:

+| Description | XPath |

+|:|:|

+| Collect only System events with Event ID = 4648 | `System!*[System[EventID=4648]]`

+| Collect Security Log events with Event ID = 4648 and a process name of consent.exe | `Security!*[System[(EventID=4648)]] and *[EventData[Data[@Name='ProcessName']='C:\Windows\System32\consent.exe']]` |

+| Collect all Critical, Error, Warning, and Information events from the System event log except for Event ID = 6 (Driver loaded) | `System!*[System[(Level=1 or Level=2 or Level=3) and (EventID != 6)]]` |

+| Collect all success and failure Security events except for Event ID 4624 (Successful logon) | `Security!*[System[(band(Keywords,13510798882111488)) and (EventID != 4624)]]` |

+> For an explanation of XPaths that are used to specify event collection in data collection rules, see [Limit data collection with custom XPath queries](../agents/data-collection-rule-azure-monitor-agent.md#filter-events-using-xpath-queries)

+[CollectD](https://collectd.org/) is an open source Linux daemon that periodically collects performance metrics from applications and system level information. Example applications include the Java Virtual Machine (JVM), MySQL Server, and Nginx. This article provides information on collecting performance data from CollectD in Azure Monitor using the Log Analytics agent.

+

+> This article covers collecting IIS logs with the [Log Analytics agent](./log-analytics-agent.md), which **will be deprecated by August 2024**. Please be sure to [migrate to Azure Monitor agent](./azure-monitor-agent-manage.md) before August 2024 to continue ingesting data. See [Collect text logs with Azure Monitor agent (preview)](../agents/data-collection-text-log.md) for details on collecting IIS logs with [Azure Monitor agent](azure-monitor-agent-overview.md).

+> Log Analytics agent for Linux v1.1.0-217+ is required for Custom JSON Data.

+Windows Event logs are one of the most common [data sources](../agents/agent-data-sources.md) for Log Analytics agents on Windows virtual machines since many applications write to the Windows event log. You can collect events from standard logs, such as System and Application, and any custom logs created by applications you need to monitor.

+

+Azure Monitor only collects events from the Windows event logs that are specified in the settings. You can add an event log by typing in the name of the log and clicking **+**. For each log, only the events with the selected severities are collected. Check the severities for the particular log that you want to collect. You can't provide any additional criteria to filter events.

+As you type the name of an event log, Azure Monitor provides suggestions of common event log names. If the log you want to add doesn't appear in the list, you can still add it by typing in the full name of the log. You can find the full name of the log by using event viewer. In event viewer, open the *Properties* page for the log and copy the string from the *Full Name* field.

+[](media/data-sources-windows-events/configure.png#lightbox)

+Azure Monitor collects each event that matches a selected severity from a monitored event log as the event is created. The agent records its place in each event log that it collects from. If the agent goes offline for a while, it collects events from where it last left off, even if those events were created while the agent was offline. There's a potential for these events to not be collected if the event log wraps with uncollected events being overwritten while the agent is offline.

+>[!IMPORTANT]

+>The Log Analytics agent is on a **deprecation path** and won't be supported after **August 31, 2024**. If you use the Log Analytics agent to ingest data to Azure Monitor, make sure to [migrate to the new Azure Monitor agent](./azure-monitor-agent-migration.md) prior to that date.

+This article describes how to enable and configure the OpenTelemetry-based Azure Monitor Java offering. It can be used for any environment, including on-premises. After you finish the instructions in this article, you'll be able to use Azure Monitor Application Insights to monitor your application.

+Java auto-instrumentation is enabled through configuration changes; no code changes are required.

+- Review [Java auto-instrumentation configuration options](java-standalone-config.md).

+> [!NOTE]

+> We continue to assess the viability of OpenTelemetry for browser scenarios. The Application Insights JavaScript SDK is recommended for the forseeable future, which is fully compatible with OpenTelemetry distributed tracing.

+Find out about the performance and usage of your web page or app. If you add [Application Insights](app-insights-overview.md) to your page script, you get timings of page loads and AJAX calls, counts, and details of browser exceptions and AJAX failures, as well as users and session counts. All of this telemetry can be segmented by page, client OS and browser version, geo location, and other dimensions. You can set alerts on failure counts or slow page loading. And by inserting trace calls in your JavaScript code, you can track how the different features of your web page application are used.

+Application Insights can be used with any web pages - you just add a short piece of JavaScript, Node.js has a [standalone SDK](nodejs.md). If your web service is [Java](java-in-process-agent.md) or [ASP.NET](asp-net.md), you can use the server-side SDKs with the client-side JavaScript SDK to get an end-to-end understanding of your app's performance.

+Install via Node Package Manager (npm).

+Starting from version 2.5.5, the page view event will include a new tag "ai.internal.snippet" that contains the identified snippet version. This feature assists with tracking which version of the snippet your application is using.

+This version of the snippet detects and reports failures when loading the SDK from the CDN as an exception to the Azure Monitor portal (under the failures &gt; exceptions &gt; browser). The exception provides visibility into failures of this type so that you're aware your application isn't reporting telemetry (or other exceptions) as expected. This signal is an important measurement in understanding that you have lost telemetry because the SDK didn't load or initialize which can lead to:

+Reporting of SDK load failures isn't supported on Internet Explorer 8 or earlier. This behavior reduces the minified size of the snippet by assuming that most environments aren't exclusively IE 8 or less. If you have this requirement and you wish to receive these exceptions, you'll need to either include a fetch poly fill or create your own snippet version that uses ```XDomainRequest``` instead of ```XMLHttpRequest```, it's recommended that you use the [provided snippet source code](https://github.com/microsoft/ApplicationInsights-JS/blob/master/AISKU/snippet/snippet.js) as a starting point.

+All configuration options have been move towards the end of the script. This placement avoids accidentally introducing JavaScript errors that wouldn't just cause the SDK to fail to load, but also it would disable the reporting of the failure.

+By default, the Application Insights JavaScript SDK auto-collects many telemetry items that are helpful in determining the health of your application and the underlying user experience.

+This telemetry includes:

+| enableDebug | If true, **internal** debugging data is thrown as an exception **instead** of being logged, regardless of SDK logging settings. Default is false. <br>***Note:*** Enabling this setting will result in dropped telemetry whenever an internal error occurs. This setting can be useful for quickly identifying issues with your configuration or usage of the SDK. If you don't want to lose telemetry while debugging, consider using `loggingLevelConsole` or `loggingLevelTelemetry` instead of `enableDebug`. | boolean<br/>false |

+| samplingPercentage | Percentage of events that will be sent. Default is 100, meaning all events are sent. Set this option if you wish to preserve your data cap for large-scale applications. | numeric<br/>100 |

+| cookieDomain | Custom cookie domain. This option is helpful if you want to share Application Insights cookies across subdomains.<br>(Since v2.6.0) If `cookieCfg.domain` is defined it will take precedence over this value. | alias for [`cookieCfg.domain`](#icookiemgrconfig)<br>null |

+| cookiePath | Custom cookie path. This option is helpful if you want to share Application Insights cookies behind an application gateway.<br>If `cookieCfg.path` is defined it will take precedence over this value. | alias for [`cookieCfg.path`](#icookiemgrconfig)<br>(Since 2.6.0)<br/>null |

+| maxAjaxPerf&#8203;LookupAttempts | The maximum number of times to look for the window.performance timings (if available). This option is sometimes required as not all browsers populate the window.performance before reporting the end of the XHR request and for fetch requests this is added after its complete.| numeric<br/> 3 |

+| enablePerfMgr | When enabled (true) this will create local perfEvents for code that has been instrumented to emit perfEvents (via the doPerf() helper). This option can be used to identify performance issues within the SDK based on your usage or optionally within your own instrumented code. [More details are available by the basic documentation](https://github.com/microsoft/ApplicationInsights-JS/blob/master/docs/PerformanceMonitoring.md). Since v2.5.7 | boolean<br/>false |

+| domain | Custom cookie domain, which is helpful if you want to share Application Insights cookies across subdomains. If not provided uses the value from root `cookieDomain` value. | string<br/>null |

+# [npm](#tab/npm)

+For Single Page Applications, reference plugin documentation for plugin specific guidance.

+When a page is first loading and the SDK hasn't fully initialized, we're unable to generate the Operation ID for the first request. As a result, distributed tracing is incomplete until the SDK fully initializes.

+To remedy this problem, you can include dynamic JavaScript on the returned HTML page. The SDK will use a callback function during initialization to retroactively pull the Operation ID from the `serverside` and populate the `clientside` with it.

+# [npm](#tab/npm)

+When using an npm based configuration, a location must be determined to store the Operation ID to enable access for the SDK initialization bundle to `appInsights.context.telemetryContext.parentID` so it can populate it before the first page view event is sent.

+At just 36 KB gzipped, and taking only ~15 ms to initialize, Application Insights adds a negligible amount of loadtime to your website. Minimal components of the library are quickly loaded when using this snippet. In the meantime, the full script is downloaded in the background.

+Chrome Latest Γ£ö | Firefox Latest Γ£ö | IE 9+ & Microsoft Edge Γ£ö<br>IE 8- Compatible | Opera Latest Γ£ö | Safari Latest Γ£ö |

+As such we need to ensure that this SDK continues to "work" and doesn't break the JS execution when loaded by an older browser. It would be ideal to not support older browsers, but numerous large customers canΓÇÖt control which browser their end users choose to use.

+This statement does NOT mean that we'll only support the lowest common set of features. We need to maintain ES3 code compatibility and when adding new features, they'll need to be added in a manner that wouldn't break ES3 JavaScript parsing and added as an optional feature.

+### I'm getting an error message of Failed to get Request-Context correlation header as it may be not included in the response or not accessible

+The `correlationHeaderExcludedDomains` configuration property is an exclude list that disables correlation headers for specific domains. This option is useful when including those headers would cause the request to fail or not be sent due to third-party server configuration. This property supports wildcards.

+### I'm receiving duplicate telemetry data from the Application Insights JavaScript SDK

+If the SDK reports correlation recursively, enable the configuration setting of `excludeRequestFromAutoTrackingPatterns` to exclude the duplicate data. This scenario can occur when using connection strings. The syntax for the configuration setting is `excludeRequestFromAutoTrackingPatterns: [<endpointUrl>]`.

+* [Source map for JavaScript](source-map-support.md)

+| Event logs | Collect only required event logs and levels. For example, *Information* level events are rarely used and should typically not be collected. For Azure Monitor agent, filter particular event IDs that are frequent but not valuable. | Change the [event log configuration for the workspace](agents/data-sources-windows-events.md) | Change the [data collection rule](agents/data-collection-rule-azure-monitor-agent.md). Use [custom XPath queries](agents/data-collection-rule-azure-monitor-agent.md#filter-events-using-xpath-queries) to filter specific event IDs. |

+| Syslog | Reduce the number of facilities collected and only collect required event levels. For example, *Info* and *Debug* level events are rarely used and should typically not be collected. | Change the [syslog configuration for the workspace](agents/data-sources-syslog.md). | Change the [data collection rule](agents/data-collection-rule-azure-monitor-agent.md). Use [custom XPath queries](agents/data-collection-rule-azure-monitor-agent.md#filter-events-using-xpath-queries) to filter specific events. |

+| Performance counters | Collect only the performance counters required and reduce the frequency of collection. For Azure Monitor agent, consider sending performance data only to Metrics and not Logs. | Change the [performance counter configuration for the workspace](agents/data-sources-performance-counters.md). | Change the [data collection rule](agents/data-collection-rule-azure-monitor-agent.md). Use [custom XPath queries](agents/data-collection-rule-azure-monitor-agent.md#filter-events-using-xpath-queries) to filter specific counters. |

+- [Associate endpoint to machines](../agents/data-collection-rule-azure-monitor-agent.md#create-data-collection-rule-and-association)

+Overrides are defined in a [Data Collection Rule (DCR)](../essentials/data-collection-rule-overview.md). You can create multiple DCRs with different sets of overrides and apply them to multiple virtual machines. You apply a DCR to a virtual machine by creating an association as described in [Configure data collection for the Azure Monitor agent (preview)](../agents/data-collection-rule-azure-monitor-agent.md#create-data-collection-rule-and-association).

+You can also remove the Data Collection Rule Association using [Azure PowerShell](../agents/data-collection-rule-azure-monitor-agent.md#create-data-collection-rule-and-association) or [Azure CLI](/cli/azure/monitor/data-collection/rule/association#az-monitor-data-collection-rule-association-delete).

+To remove the data collection rule, click **Delete** from the DCR page in the Azure portal. You can also delete the Data Collection Rule using [Azure PowerShell](../agents/data-collection-rule-azure-monitor-agent.md#create-data-collection-rule-and-association) or [Azure CLI](/cli/azure/monitor/data-collection/rule#az-monitor-data-collection-rule-delete).

+Azure NetApp Files supports [NFS client encryption in Kerberos](configure-kerberos-encryption.md) modes (krb5, krb5i, and krb5p) with AES-256 encryption. This article describes the performance impact of Kerberos on NFSv4.1 volumes. **Performance comparisons referenced in this article are made against the `sec=sys` security parameter, testing on a single volume with a single client.**

+There are two areas of focus: light load and upper limit. The following lists describe the performance impact security setting by security setting and scenario by scenario.

+**Testing Scope**

+* All comparisons are made against the `sec=sys` security parameter.

+* The test was done on a single volume, using a single client.

+**Performance impact of krb5:**

+**Performance impact of krb5i:**

+**Performance impact of krb5p:**

+ Title: Deploy associations for managed application using Azure Policy

+description: Learn about deploying associations for a managed application using Azure Policy.

+Deploy associations for a managed application is a built-in policy that associates a resource type to a managed application. The policy deployment doesn't support nested resource types. The policy accepts three parameters:

+- Association name prefix - This string is the prefix to be added to the name of the association resource being created. The default value is `DeployedByPolicy`.

+The policy uses `DeployIfNotExists` evaluation. It runs after a Resource Provider has handled a create or update resource request of the selected resource type and the evaluation has returned a success status code. After that, the association resource gets deployed using a template deployment.

+For more information, see [Deploy associations for a managed application](../../governance/policy/samples/built-in-policies.md#managed-application).

+## How to use the deploy associations built-in policy

+To use the built-in policy, create a policy assignment and assign the Deploy associations for a managed application policy. Once the policy has been assigned successfully,

+If you have questions about Azure Custom Resource Providers development, try asking them on [Stack Overflow](https://stackoverflow.com/questions/tagged/azure-custom-providers). A similar question might have already been answered, so check first before posting. Use the tag `azure-custom-providers`.

+In this article, you learned about using built-in policy to deploy associations. See these articles to learn more:

+ Title: Manage resources through private link

+description: Restrict management access for resource to private link

+# Use APIs to create a private link for managing Azure resources

+This article explains how you can use [Azure Private Link](../../private-link/index.yml) to restrict access for managing resources in your subscriptions.

+## Create resource management private link

+To create resource management private link, send the following request:

+# [Azure CLI](#tab/azure-cli)

+ ### Example

+ ```azurecli

+ # Login first with az login if not using Cloud Shell

+ az resourcemanagement private-link create --location WestUS --resource-group PrivateLinkTestRG --name NewRMPL --public-network-access enabled

+ ```

+

+# [PowerShell](#tab/azure-powershell)

+ ### Example

+ ```azurepowershell-interactive

+ # Login first with Connect-AzAccount if not using Cloud Shell

+ New-AzResourceManagementPrivateLink -ResourceGroupName PrivateLinkTestRG -Name NewRMPL

+ ```

+

+# [REST](#tab/REST)

+ REST call

+ ```http

+ PUT

+ https://management.azure.com/subscriptions/{subscriptionID}/resourceGroups/{resourceGroupName}/providers/Microsoft.Authorization/resourceManagementPrivateLinks/{rmplName}?api-version=2020-05-01

+ ```

+ In the request body, include the location you want for the resource:

+ ```json

+ {

+ "location":"{region}"

+ }

+ ```

+ The operation returns:

+ ```json

+ {

+ "id": "/subscriptions/{subID}/resourceGroups/{rgName}/providers/Microsoft.Authorization/resourceManagementPrivateLinks/{name}",

+ "location": "{region}",

+ "name": "{rmplName}",

+ "properties": {

+ "privateEndpointConnections": []

+ },

+ "resourceGroup": "{rgName}",

+ "type": "Microsoft.Authorization/resourceManagementPrivateLinks"

+ }

+ ```

+

+Note the ID that is returned for the new resource management private link. You'll use it for creating the private link association.

+## Create private link association

+The resource name of a private link association resource must be a GUID, and it isn't yet supported to disable the publicNetworkAccess field.

+To create the private link association, use:

+# [Azure CLI](#tab/azure-cli)

+ ### Example

+ ```azurecli

+ # Login first with az login if not using Cloud Shell

+ az private-link association create --management-group-id fc096d27-0434-4460-a3ea-110df0422a2d --name 1d7942d1-288b-48de-8d0f-2d2aa8e03ad4 --privatelink "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/PrivateLinkTestRG/providers/Microsoft.Authorization/resourceManagementPrivateLinks/newRMPL"

+ ```

+

+# [PowerShell](#tab/azure-powershell)

+ ### Example

+ ```azurepowershell-interactive

+ # Login first with Connect-AzAccount if not using Cloud Shell

+ New-AzPrivateLinkAssociation -ManagementGroupId fc096d27-0434-4460-a3ea-110df0422a2d -Name 1d7942d1-288b-48de-8d0f-2d2aa8e03ad4 -PrivateLink "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/PrivateLinkTestRG/providers/Microsoft.Authorization/resourceManagementPrivateLinks/newRMPL" -PublicNetworkAccess enabled | fl

+ ```

+

+# [REST](#tab/REST)

+ REST call

+ ```http

+ PUT

+ https://management.azure.com/providers/Microsoft.Management/managementGroups/{managementGroupId}/providers/Microsoft.Authorization/privateLinkAssociations/{GUID}?api-version=2020-05-01

+ ```

+ In the request body, include:

+ ```json

+ {

+ "properties": {

+ "privateLink": "/subscriptions/{subscription-id}/resourceGroups/{rg-name}/providers/Microsoft.Authorization/resourceManagementPrivateLinks/{rmplName}",

+ "publicNetworkAccess": "enabled"

+ }

+ }

+ ```

+ The operation returns:

+ ```json

+ {

+ "id": {plaResourceId},

+ "name": {plaName},

+ "properties": {

+ "privateLink": {rmplResourceId},

+ "publicNetworkAccess": "Enabled",

+ "tenantId": "{tenantId}",

+ "scope": "/providers/Microsoft.Management/managementGroups/{managementGroupId}"

+ },

+ "type": "Microsoft.Authorization/privateLinkAssociations"

+ }

+ ```

+## Add private endpoint

+This article assumes you already have a virtual network. In the subnet that will be used for the private endpoint, you must turn off private endpoint network policies. If you haven't turned off private endpoint network policies, see [Disable network policies for private endpoints](../../private-link/disable-private-endpoint-network-policy.md).

+To create a private endpoint, see Private Endpoint documentation for creating via [Portal](../../private-link/create-private-endpoint-portal.md), [PowerShell](../../private-link/create-private-endpoint-powershell.md), [CLI](../../private-link/create-private-endpoint-cli.md), [Bicep](../../private-link/create-private-endpoint-bicep.md), or [template](../../private-link/create-private-endpoint-template.md).

+In the request body, set the `privateServiceLinkId` to the ID from your resource management private link. The `groupIds` must contain `ResourceManagement`. The location of the private endpoint must be the same as the location of the subnet.

+```json

+{

+ "location": "westus2",

+ "properties": {

+ "privateLinkServiceConnections": [

+ {

+ "name": "{connection-name}",

+ "properties": {

+ "privateLinkServiceId": "/subscriptions/{subID}/resourceGroups/{rgName}/providers/Microsoft.Authorization/resourceManagementPrivateLinks/{name}",

+ "groupIds": [

+ "ResourceManagement"

+ ]

+ }

+ }

+ ],

+ "subnet": {

+ "id": "/subscriptions/{subID}/resourceGroups/{rgName}/providers/Microsoft.Network/virtualNetworks/{vnet-name}/subnets/{subnet-name}"

+ }

+ }

+}

+```

+The next step varies depending whether you're using automatic or manual approval. For more information about approval, see [Access to a private link resource using approval workflow](../../private-link/private-endpoint-overview.md#access-to-a-private-link-resource-using-approval-workflow).

+The response includes approval state.

+```json

+"privateLinkServiceConnectionState": {

+ "actionsRequired": "None",

+ "description": "",

+ "status": "Approved"

+},

+```

+If your request is automatically approved, you can continue to the next section. If your request requires manual approval, wait for the network admin to approve your private endpoint connection.

+## Next steps

+To learn more about private links, see [Azure Private Link](../../private-link/index.yml).

+ Title: Manage resource management private links

+description: Use APIs to manage existing resource management private links

+# Manage resource management private links

+This article explains how you to work with existing resource management private links. It shows API operations for getting and deleting existing resources.

+If you need to create a resource management private link, see [Use portal to create private link for managing Azure resources](create-private-link-access-portal.md) or [Use APIs to create private link for managing Azure resources](create-private-link-access-commands.md).

+## Resource management private links

+To **get a specific** resource management private link, send the following request:

+# [Azure CLI](#tab/azure-cli)

+ ### Example

+ ```azurecli

+ # Login first with az login if not using Cloud Shell

+ az resourcemanagement private-link show --resource-group PrivateLinkTestRG --name NewRMPL

+ ```

+

+# [PowerShell](#tab/azure-powershell)

+ ### Example

+ ```azurepowershell-interactive

+ # Login first with Connect-AzAccount if not using Cloud Shell

+ Get-AzResourceManagementPrivateLink -ResourceGroupName PrivateLinkTestRG -Name NewRMPL

+ ```

+

+# [REST](#tab/REST)

+ REST call

+ ```http

+ GET https://management.azure.com/subscriptions/{subscriptionID}/resourceGroups/{resourceGroupName}/providers/Microsoft.Authorization/resourceManagementPrivateLinks/{rmplName}?api-version=2020-05-01

+ ```

+The operation returns:

+```json

+{

+ "properties": {

+ "privateEndpointConnections": []

+ },

+ "id": {rmplResourceId},

+ "name": {rmplName},

+ "type": "Microsoft.Authorization/resourceManagementPrivateLinks",

+ "location": {region}

+}

+```

+To **get all** resource management private links in a subscription, use:

+# [Azure CLI](#tab/azure-cli)

+ ```azurecli

+ # Login first with az login if not using Cloud Shell

+ az resourcemanagement private-link list

+ ```

+

+# [PowerShell](#tab/azure-powershell)

+ ```azurepowershell-interactive

+ # Login first with Connect-AzAccount if not using Cloud Shell

+ Get-AzResourceManagementPrivateLink

+ ```

+

+# [REST](#tab/REST)

+ REST call

+ ```http

+ GET

+ https://management.azure.com/subscriptions/{subscriptionID}/providers/Microsoft.Authorization/resourceManagementPrivateLinks?api-version=2020-05-01

+ ```

+ The operation returns:

+ ```json

+ [

+ {

+ "properties": {

+ "privateEndpointConnections": []

+ },

+ "id": {rmplResourceId},

+ "name": {rmplName},

+ "type": "Microsoft.Authorization/resourceManagementPrivateLinks",

+ "location": {region}

+ },

+ {

+ "properties": {

+ "privateEndpointConnections": []

+ },

+ "id": {rmplResourceId},

+ "name": {rmplName},

+ "type": "Microsoft.Authorization/resourceManagementPrivateLinks",

+ "location": {region}

+ }

+ ]

+ ```

+To **delete a specific** resource management private link, use:

+# [Azure CLI](#tab/azure-cli)

+ ### Example

+ ```azurecli

+ # Login first with az login if not using Cloud Shell

+ az resourcemanagement private-link delete --resource-group PrivateLinkTestRG --name NewRMPL

+ ```

+

+# [PowerShell](#tab/azure-powershell)

+ ### Example

+ ```azurepowershell-interactive

+ # Login first with Connect-AzAccount if not using Cloud Shell

+ Remove-AzResourceManagementPrivateLink -ResourceGroupName PrivateLinkTestRG -Name NewRMPL

+ ```

+

+# [REST](#tab/REST)

+ REST call

+ ```http

+ DELETE

+ https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Authorization/resourceManagementPrivateLinks/{rmplName}?api-version=2020-05-01

+ ```

+ The operation returns: `Status 200 OK`.

+## Private link association

+To **get a specific** private link association for a management group, use:

+# [Azure CLI](#tab/azure-cli)

+ ### Example

+ ```azurecli

+ # Login first with az login if not using Cloud Shell

+ az private-link association show --management-group-id fc096d27-0434-4460-a3ea-110df0422a2d --name 1d7942d1-288b-48de-8d0f-2d2aa8e03ad4

+ ```

+

+# [PowerShell](#tab/azure-powershell)

+ ### Example

+ ```azurepowershell-interactive

+ # Login first with Connect-AzAccount if not using Cloud Shell

+ Get-AzPrivateLinkAssociation -ManagementGroupId fc096d27-0434-4460-a3ea-110df0422a2d -Name 1d7942d1-288b-48de-8d0f-2d2aa8e03ad4 | fl

+ ```

+

+# [REST](#tab/REST)

+ REST call

+ ```http

+ GET

+ https://management.azure.com/providers/Microsoft.Management/managementGroups/{managementGroupID}/providers/Microsoft.Authorization/privateLinkAssociations?api-version=2020-05-01

+ ```

+ The operation returns:

+ ```json

+ {

+ "value": [

+ {

+ "properties": {

+ "privateLink": {rmplResourceID},

+ "tenantId": {tenantId},

+ "scope": "/providers/Microsoft.Management/managementGroups/{managementGroupId}"

+ },

+ "id": {plaResourceId},

+ "type": "Microsoft.Authorization/privateLinkAssociations",

+ "name": {plaName}

+ }

+ ]

+ }

+ ```

+To **delete** a private link association, use:

+# [Azure CLI](#tab/azure-cli)

+ ### Example

+ ```azurecli

+ # Login first with az login if not using Cloud Shell

+ az private-link association delete --management-group-id 24f15700-370c-45bc-86a7-aee1b0c4eb8a --name 1d7942d1-288b-48de-8d0f-2d2aa8e03ad4

+ ```

+

+# [PowerShell](#tab/azure-powershell)

+ ### Example

+ ```azurepowershell-interactive

+ # Login first with Connect-AzAccount if not using Cloud Shell

+ Remove-AzPrivateLinkAssociation -ManagementGroupId 24f15700-370c-45bc-86a7-aee1b0c4eb8a -Name 1d7942d1-288b-48de-8d0f-2d2aa8e03ad4

+ ```

+

+# [REST](#tab/REST)

+ REST call

+ ```http

+ DELETE

+ https://management.azure.com/providers/Microsoft.Management/managementGroups/{managementGroupID}/providers/Microsoft.Authorization/privateLinkAssociations/{plaID}?api-version=2020-05-01

+ ```

+The operation returns: `Status 200 OK`.

+## Next steps

+* To learn more about private links, see [Azure Private Link](../../private-link/index.yml).

+* To manage your private endpoints, see [Manage Private Endpoints](../../private-link/manage-private-endpoint.md).

+* To create a resource management private links, see [Use portal to create private link for managing Azure resources](create-private-link-access-portal.md) or [Use REST API to create private link for managing Azure resources](create-private-link-access-rest.md).

+You can now enable or disable the celebrity recognition model on the account level (on classic account only). To turn on or off the model, go to the **Model customization** > toggle on/off the model. Once you disable the model, Video Indexer insights will not include the output of celebrity model and will not run the celebrity model pipeline.

+| Rel 22-06 | [5011486] | IE Cumulative Updates | 2.124, 3.111, 4.104 | Mar 8, 2022 |

+| Rel 22-06 | [5013637] | .NET Framework 3.5 Security and Quality Rollup | 2.124 | Jun 14, 2022 |

+| Rel 22-06 | [5013644] | .NET Framework 4.6.2 Security and Quality Rollup | 2.124 | May 10, 2022 |

+| Rel 22-06 | [5013638] | .NET Framework 3.5 Security and Quality Rollup | 4.104 | Jun 14, 2022 |

+| Rel 22-06 | [5013643] | .NET Framework 4.6.2 Security and Quality Rollup | 4.104 | May 10, 2022 |

+| Rel 22-06 | [5013635] | .NET Framework 3.5 Security and Quality Rollup | 3.111 | Jun 14, 2022 |

+| Rel 22-06 | [5013642] | . NET Framework 4.6.2 Security and Quality Rollup | 3.111 | May 10, 2022 |

+| Rel 22-06 | [5014748] | Monthly Rollup | 2.124 | Jun 14, 2022 |

+| Rel 22-06 | [5014747] | Monthly Rollup | 3.111 | Jun 14, 2022 |

+| Rel 22-06 | [5014738] | Monthly Rollup | 4.104 | Jun 14, 2022 |

+| Rel 22-06 | [5014027] | Servicing Stack update | 3.111 | May 10, 2022 |

+| Rel 22-06 | [5014025] | Servicing Stack update | 4.104 | May 10, 2022 |

+| Rel 22-06 | [4578013] | Standalone Security Update | 4.104 | Aug 19, 2020 |

+| Rel 22-06 | [5011649] | Servicing Stack update | 2.124 | Mar 8, 2022 |

+[5011486]: https://support.microsoft.com/kb/5011486

+[5013637]: https://support.microsoft.com/kb/5013637

+[5013644]: https://support.microsoft.com/kb/5013644

+[5013638]: https://support.microsoft.com/kb/5013638

+[5013643]: https://support.microsoft.com/kb/5013643

+[5013635]: https://support.microsoft.com/kb/5013635

+[5013642]: https://support.microsoft.com/kb/5013642

+[5014748]: https://support.microsoft.com/kb/5014748

+[5014747]: https://support.microsoft.com/kb/5014747

+[5014738]: https://support.microsoft.com/kb/5014738

+[5014027]: https://support.microsoft.com/kb/5014027

+[5014025]: https://support.microsoft.com/kb/5014025

+[4578013]: https://support.microsoft.com/kb/4578013

+[5011649]: https://support.microsoft.com/kb/5011649

+.NET Framework installed: 3.5, 4.6.2

+.NET Framework installed: 3.5, 4.6.2

+.NET Framework installed: 3.5 (includes 2.0 and 3.0), 4.6.2

+> For pronunciation assessment, `en-US` and `en-GB` are available in all regions listed above, `zh-CN` is available in East Asia and Southeast Asia regions, `de-DE`, `es-ES`, and `fr-FR` are available in West Europe region, and `en-AU` is available in Australia East region.

+ Title: Built-in connector overview

+description: Learn about built-in connectors that run natively in Azure Logic Apps.

+The following table lists the current and expanding galleries of built-in connectors available for Consumption versus Standard logic app workflows. For Standard workflows, an asterisk (**\***) marks [built-in connectors based on the *service provider* model](#service-provider-interface-implementation), which is described in more detail later.

+<a name="service-provider-interface-implementation"></a>

+## Service provider-based built-in connectors

+In Standard logic app workflows, a built-in connector that has the following attributes is informally known as a *service provider*:

+* Is based on the [Azure Functions extensibility model](../azure-functions/functions-bindings-register.md).

+* Provides access from a Standard logic app workflow to a service, such as Azure Blob Storage, Azure Service Bus, Azure Event Hubs, SFTP, and SQL Server.

+ Some built-in connectors support only a single way to authenticate a connection to the underlying service. Other built-in connectors can offer a choice, such as using a connection string, Azure Active Directory (Azure AD), or a managed identity.

+* Runs in the same process as the redesigned Azure Logic Apps runtime.

+These service provider-based built-in connectors are available alongside their [managed connector versions](managed.md).

+In contrast, a built-in connector that's *not a service provider* has the following attributes:

+* Isn't based on the Azure Functions extensibility model.

+* Is directly implemented as a job within the Azure Logic Apps runtime, such as Schedule, HTTP, Request, and XML operations.

+For Standard logic apps, you can create your own built-in connector with the same [built-in connector extensibility model](../logic-apps/custom-connector-overview.md#built-in-connector-extensibility-model) that's used by service provider-based built-in connectors, such as Azure Blob, Azure Event Hubs, Azure Service Bus, SQL Server, and more. This interface implementation is based on the [Azure Functions extensibility model](../azure-functions/functions-bindings-register.md) and provides the capability for you to create custom built-in connectors that anyone can use in Standard logic apps.

+For Consumption logic apps, you can't create your own built-in connectors, but you create your own managed connectors.

+* [Custom connectors in Azure Logic Apps](../logic-apps/custom-connector-overview.md#custom-connector-standard)

+ ![FTP icon][ftp-icon]

+ **FTP**<br>(*Standard logic app only*)

+ ![SFTP-SSH icon][sftp-ssh-icon]

+ **SFTP-SSH**<br>(*Standard logic app only*)

+## Built-in connectors for specific services and systems

+You can use the following built-in connectors to access specific services and systems. In Standard logic app workflows, some of these built-in connectors are also informally known as *service providers*, which can differ from their managed connector counterparts in some ways.

+ ![Azure Blob icon][azure-blob-storage-icon]

+ **Azure Blob**<br>(*Standard logic app only*)

+ ![Azure Cosmos DB icon][azure-cosmos-db-icon]

+ **Azure Cosmos DB**<br>(*Standard logic app only*)

+ ![Azure Event Hubs icon][azure-event-hubs-icon]

+ **Azure Event Hubs**<br>(*Standard logic app only*)

+ Consume and publish events through an event hub. For example, get output from your logic app with Event Hubs, and then send that output to a real-time analytics provider.

+ [![Azure Functions icon][azure-functions-icon]][azure-functions-doc]

+ [**Azure Functions**][azure-functions-doc]

+ Call [Azure-hosted functions](../azure-functions/functions-overview.md) to run your own *code snippets* (C# or Node.js) within your workflow.

+ [![Azure Logic Apps icon][azure-logic-apps-icon]][nested-logic-app-doc]

+ [**Azure Logic Apps**][nested-logic-app-doc]<br>(*Consumption logic app*) <br><br>-or-<br><br>**Workflow operations**<br>(*Standard logic app*)

+ Call other workflows that start with the Request trigger named **When a HTTP request is received**.

+ ![Azure Service Bus icon][azure-service-bus-icon]

+ **Azure Service Bus**<br>(*Standard logic app only*)

+ Manage asynchronous messages, queues, sessions, topics, and topic subscriptions.

+ ![Azure Table Storage icon][azure-table-storage-icon]

+ **Azure Table Storage**<br>(*Standard logic app only*)

+ Connect to your Azure Storage account so that you can create, update, query, and manage tables.

+ ![IBM DB2 icon][ibm-db2-icon]

+ **DB2**<br>(*Standard logic app only*)

+ ![IBM MQ icon][ibm-mq-icon]

+ **IBM MQ**<br>(*Standard logic app only*)

+You can define multiple containers in a single container app to implement the [sidecar pattern](/azure/architecture/patterns/sidecar). The containers in a container app share hard disk and network resources and experience the same [application lifecycle](./application-lifecycle-management.md).

+Examples of sidecar containers include:

+- An agent that reads logs from the primary app container on a [shared volume](storage-mounts.md?pivots=aca-cli#temporary-storage) and forwards them to a logging service.

+- A background process that refreshes a cache used by the primary app container in a shared volume.

+> [!NOTE]

+> Running multiple containers in a single container app is an advanced use case. You should use this pattern only in specific instances in which your containers are tightly coupled. In most situations where you want to run multiple containers, such as when implementing a microservice architecture, deploy each service as a separate container app.

+To run multiple containers in a container app, add more than one container in the containers array of the container app template.

+> [!NOTE]

+> Network address prefixes requires a CDIR range of `/23`.

+> You can use an existing virtual network, but a dedicated subnet with a CDIR range of `/23` is required for use with Container Apps.

+* Azure Synapse Link for Azure Cosmos DB is not supported for Gremlin API, Cassandra API, and Table API. It is supported for SQL API and API for Mongo DB.

+* Enabling Synapse Link on existing Cosmos DB containers is only supported for SQL API accounts. Synapse Link can be enabled on new containers for both SQL API and MongoDB API accounts.

+* Backup and restore:

+ * You can recreate your analytical store data in some scenarios as below. In this mode, your transactional store data will be automatically backed up. If `transactional TTL` is equal or greater than your `analytical TTL` on your container, you can fully recreate your analytical store data by enabling analytical store on the restored container:

+ - Azure Synapse Link can be enabled on accounts configured with periodic backups.

+ - If continuous backup (point-in-time restore) is enabled on your account, you can now restore your analytical data. To enable Synapse Link for such accounts, please reach out to cosmosdbsynapselink@microsoft.com. This is applicable only for SQL API.

+ * Restoring analytical data is not supported in following scenarios, for SQL API and API for Mongo DB:

+ - If you already enabled Synapse Link on your database account, you cannot enable point-in-time restore on such accounts.

+ - If `analytical TTL` is greater than `transactional TTL`, data that only exists in analytical store cannot be restored. You can continue to access full data from analytical store in the parent region.

+

+* Granular Role-based Access (RBAC)s isn't supported when querying from Synapse. Users that have access to your Synapse workspace and have access to the Cosmos DB account can access all containers within that account. We currently don't support more granular access to the containers.

+> For copy empowered by Self-hosted Integration Runtime e.g. between on-premises and cloud data stores, if you are not copying Parquet files **as-is**, you need to install the **64-bit JRE 8 (Java Runtime Environment) or OpenJDK** on your IR machine. Check the following paragraph with more details.

+- **To use OpenJDK**: It's supported since IR version 3.13. Package the jvm.dll with all other required assemblies of OpenJDK into Self-hosted IR machine, and set system environment variable JAVA_HOME accordingly, and then restart Self-hosted IR for taking effect immediately.

+Interactive authoring capabilities are used for functionalities like test connection, browse folder list and table list, get schema, and preview data. You can enable interactive authoring when creating or editing an Azure integration runtime, which is in Azure Data Factory managed virtual network. The backend service will pre-allocate compute for interactive authoring functionalities. Otherwise, the compute will be allocated every time any interactive operation is performed which will take more time. The time to live (TTL) for interactive authoring is 60 minutes by default, which means it will automatically become disabled after 60 minutes of the last interactive authoring operation. You can change the TTL value according to your actual needs.

+## Time to live

+### Copy activity

+By default, every copy activity spins up a new compute based upon the configuration in copy activity. With managed virtual network enabled, cold computes start-up time takes a few minutes and data movement can't start until it is complete. If your pipelines contain multiple sequential copy activities or you have a lot of copy activities in foreach loop and canΓÇÖt run them all in parallel, you can enable a time to live (TTL) value in the Azure integration runtime configuration. Specifying a time to live value and DIU numbers required for the copy activity keeps the corresponding computes alive for a certain period of time after its execution completes. If a new copy activity starts during the TTL time, it will reuse the existing computes and start-up time will be greatly reduced. After the second copy activity completes, the computes will again stay alive for the TTL time.

+> [!NOTE]

+> Reconfiguring the DIU number will not affect the current copy activity execution.

+### Pipeline and external activity

+Unlike copy activity, pipeline and external activity have a default time to live (TTL) of 60 minutes. You can change the default TTL on Azure integration runtime configuration according to your actual needs, but itΓÇÖs not supported to disable the TTL.

+> [!NOTE]

+> Time to live (TTL) is only applicable to managed virtual network.

+**Answer:** Gateway makes HTTP-based connections to open internet. The **outbound ports 443 and 80** must be opened for gateway to make this connection. Open **inbound port 8050** only at the machine level (not at corporate firewall level) for Credential Manager application. If Azure SQL Database or Azure Synapse Analytics is used as source or destination, then you need to open **port 1433** as well. For more information, see [Firewall configurations and filtering IP addresses](#firewall-configurations-and-filtering-ip-address-of-gateway) section.

+For information about performance of copy activity, see [Copy activity performance and tuning guide](data-factory-copy-activity-performance.md).

+ Title: Deploy the Nvidia DeepStream module on Ubuntu VM on Azure Stack Edge Pro with GPU | Microsoft Docs

+description: Learn how to deploy the Nvidia Deepstream module on an Ubuntu virtual machine that is running on your Azure Stack Edge Pro GPU device.

+# Deploy the Nvidia DeepStream module on Ubuntu VM on Azure Stack Edge Pro with GPU

+This article walks you through deploying NvidiaΓÇÖs DeepStream module on an Ubuntu VM running on your Azure Stack Edge device. The DeepStream module is supported only on GPU devices.

+## Prerequisites

+Before you begin, make sure you have:

+- Deployed an IoT Edge runtime on a GPU VM running on an Azure Stack Edge device. For detailed steps, see [Deploy IoT Edge on an Ubuntu VM on Azure Stack Edge](azure-stack-edge-gpu-deploy-iot-edge-linux-vm.md).

+## Get module from IoT Edge Module Marketplace

+1. In the [Azure portal](https://portal.azure.com), go to **Device management** > **IoT Edge**.

+1. Select the IoT Hub device that you configured while deploying the IoT Edge runtime.

+ 

+1. Select **Set modules**.

+ 

+1. Select **Add** > **Marketplace Module**.

+ 

+1. Search for **NVIDIA DeepStream SDK 5.1 for x86/AMD64** and then select it.

+ 

+1. Select **Review + Create**, and then select **Create module**.

+## Verify module runtime status

+1. Verify that the module is running.

+ 

+1. Verify that the module provides the following output in the troubleshooting page of the IoT Edge device on IoT Hub:

+ 

+After a certain period of time, the module runtime will complete and quit, causing the module status to return an error. This error condition is expected behavior.

+

+ Title: Deploy IoT Edge runtime on Ubuntu VM on Azure Stack Edge Pro with GPU | Microsoft Docs

+description: Learn how to deploy IoT Edge runtime and run IoT Edge module on an Ubuntu virtual machine that is running on your Azure Stack Edge Pro GPU device.

+# Deploy IoT Edge on an Ubuntu VM on Azure Stack Edge

+This article describes how to deploy an IoT Edge runtime on an Ubuntu VM running on your Azure Stack Edge device. For new development work, use the self-serve deployment method described in this article as it uses the latest software version.

+## High-level flow

+The high-level flow is as follows:

+1. Create or identify the IoT Hub or [Azure IoT Hub Device Provisioning Service (DPS)](../iot-dps/about-iot-dps.md) instance.

+1. Use Azure CLI to acquire the Ubuntu 20.04 LTS VM image.

+1. Upload the Ubuntu image onto the Azure Stack Edge VM image library.

+1. Deploy the Ubuntu image as a VM using the following steps:

+ 1. Provide the name of the VM, the username, and the password. Creating another disk is optional.

+ 1. Set up the network configuration.

+ 1. Provide a prepared *cloud-init* script on the *Advanced* tab.

+## Prerequisites

+Before you begin, make sure you have:

+- An Azure Stack Edge device that you've activated. For detailed steps, see [Activate Azure Stack Edge Pro GPU](azure-stack-edge-gpu-deploy-activate.md).

+- Access to the latest Ubuntu 20.04 VM image, either the image from Azure Marketplace or a custom image that you're bringing:

+ ```$urn = Canonical:0001-com-ubuntu-server-focal:20_04-lts:20.04.202007160```

+

+ Use steps in [Search for Azure Marketplace images](azure-stack-edge-gpu-create-virtual-machine-marketplace-image.md#search-for-azure-marketplace-images) to acquire the VM image.

+## Prepare the cloud-init script

+To deploy the IoT Edge runtime onto the Ubuntu VM, use a *cloud-init* script during the VM deployment.

+Use steps in one of the following sections:

+- [Prepare the cloud-init script with symmetric key provisioning](azure-stack-edge-gpu-deploy-iot-edge-linux-vm.md#use-symmetric-key-provisioning).

+- [Prepare the cloud-init script with IoT Hub DPS](azure-stack-edge-gpu-deploy-iot-edge-linux-vm.md#use-dps).

+### Use symmetric key provisioning

+To connect your device to IoT Hub without DPS, use the steps in this section to prepare a *cloud-init* script for the VM creation *Advanced* page to deploy the IoT Edge runtime and NvidiaΓÇÖs container runtime.

+1. Use an existing IoT Hub or create a new Hub. Use these steps to [create an IoT Hub](../iot-hub/iot-hub-create-through-portal.md).

+1. Use these steps to [register your Azure Stack Edge device in IoT Hub](../iot-edge/how-to-provision-single-device-linux-symmetric.md#register-your-device).

+1. Retrieve the Primary Connection String from IoT Hub for your device, and then paste it into the location below for *DeviceConnectionString*.

+

+**Cloud-init script for symmetric key provisioning**

+```azurecli

+#cloud-config

+runcmd:

+ - dcs="<DeviceConnectionString>"

+ - |

+ set -x

+ (

+ # Wait for docker daemon to start

+ while [ $(ps -ef | grep -v grep | grep docker | wc -l) -le 0 ]; do

+ sleep 3

+ done

+

+ if [ $(lspci | grep NVIDIA | wc -l) -gt 0 ]; then

+ #install Nvidia drivers

+ apt install -y ubuntu-drivers-common

+ ubuntu-drivers devices

+ ubuntu-drivers autoinstall

+ # Install NVIDIA Container Runtime

+ curl -s -L https://nvidia.github.io/nvidia-container-runtime/gpgkey | apt-key add -

+ distribution=$(. /etc/os-release;echo $ID$VERSION_ID)

+ curl -s -L https://nvidia.github.io/nvidia-container-runtime/$distribution/nvidia-container-runtime.list | tee /etc/apt/sources.list.d/nvidia-container-runtime.list

+ apt update

+ apt install -y nvidia-container-runtime

+ fi

+

+ # Restart Docker

+ systemctl daemon-reload

+ systemctl restart docker

+ # Install IoT Edge

+ apt install -y aziot-edge

+ if [ ! -z $dcs ]; then

+ iotedge config mp --connection-string $dcs

+ iotedge config apply

+ fi

+ if [ $(lspci | grep NVIDIA | wc -l) -gt 0 ]; then

+ reboot

+ fi ) &

+apt:

+ preserve_sources_list: true

+ sources:

+ msft.list:

+ source: "deb https://packages.microsoft.com/ubuntu/20.04/prod focal main"

+ key: |

+ --BEGIN PGP PUBLIC KEY BLOCK--

+ Version: GnuPG v1.4.7 (GNU/Linux)

+ mQENBFYxWIwBCADAKoZhZlJxGNGWzqV+1OG1xiQeoowKhssGAKvd+buXCGISZJwT

+ LXZqIcIiLP7pqdcZWtE9bSc7yBY2MalDp9Liu0KekywQ6VVX1T72NPf5Ev6x6DLV

+ 7aVWsCzUAF+eb7DC9fPuFLEdxmOEYoPjzrQ7cCnSV4JQxAqhU4T6OjbvRazGl3ag

+ OeizPXmRljMtUUttHQZnRhtlzkmwIrUivbfFPD+fEoHJ1+uIdfOzZX8/oKHKLe2j

+ H632kvsNzJFlROVvGLYAk2WRcLu+RjjggixhwiB+Mu/A8Tf4V6b+YppS44q8EvVr

+ M+QvY7LNSOffSO6Slsy9oisGTdfE39nC7pVRABEBAAG0N01pY3Jvc29mdCAoUmVs

+ ZWFzZSBzaWduaW5nKSA8Z3Bnc2VjdXJpdHlAbWljcm9zb2Z0LmNvbT6JATUEEwEC

+ AB8FAlYxWIwCGwMGCwkIBwMCBBUCCAMDFgIBAh4BAheAAAoJEOs+lK2+EinPGpsH

+ /32vKy29Hg51H9dfFJMx0/a/F+5vKeCeVqimvyTM04C+XENNuSbYZ3eRPHGHFLqe

+ MNGxsfb7C7ZxEeW7J/vSzRgHxm7ZvESisUYRFq2sgkJ+HFERNrqfci45bdhmrUsy

+ 7SWw9ybxdFOkuQoyKD3tBmiGfONQMlBaOMWdAsic965rvJsd5zYaZZFI1UwTkFXV

+ KJt3bp3Ngn1vEYXwijGTa+FXz6GLHueJwF0I7ug34DgUkAFvAs8Hacr2DRYxL5RJ

+ XdNgj4Jd2/g6T9InmWT0hASljur+dJnzNiNCkbn9KbX7J/qK1IbR8y560yRmFsU+

+ NdCFTW7wY0Fb1fWJ+/KTsC4=

+ =J6gs

+ --END PGP PUBLIC KEY BLOCK--

+packages:

+ - moby-cli

+ - moby-engine

+write_files:

+ - path: /etc/systemd/system/docker.service.d/override.conf

+ permissions: "0644"

+ content: |

+ [Service]

+ ExecStart=

+ ExecStart=/usr/bin/dockerd --host=fd:// --add-runtime=nvidia=/usr/bin/nvidia-container-runtime --log-driver local

+```

+### Use DPS

+Use steps in this section to connect your device to DPS and IoT Central. You'll prepare a *script.sh* file to deploy the IoT Edge runtime as you create the VM.

+1. Use the existing IoT Hub and DPS, or create a new IoT Hub.

+ - Use these steps to [create an IoT Hub](../iot-hub/iot-hub-create-through-portal.md).

+ - Use these steps to [create the DPS, and then link the IoT Hub to the DPS scope](../iot-dps/quick-setup-auto-provision.md).

+1. Go to the DPS resource and create an individual enrollment. 

+ 1. Go to **Device Provisioning Service** > **Manage enrollments** > **Add individual enrollment**.

+ 1. Make sure that the selection for **Symmetric Key for attestation type and IoT Edge device** is **True**. The default selection is **False**.

+ 1. Retrieve the following information from the DPS resource page:

+ - **Registration ID**. We recommend that you use the same ID as the **Device ID** for your IoT Hub.

+ - **ID Scope** which is available in the [Overview menu](../iot-dps/quick-create-simulated-device-symm-key.md#prepare-and-run-the-device-provisioning-code).

+ - **Primary SAS Key** from the Individual Enrollment menu.

+1. Copy and paste values from IoT Hub (IDScope) and DPS (RegistrationID, Symmetric Key) into the script arguments.

+**Cloud-init script for IoT Hub DPS**

+```azurecli

+#cloud-config

+runcmd:

+ - dps_idscope="<DPS IDScope>"

+ - registration_device_id="<RegistrationID>"

+ - key="<Symmetric Key>"

+ - |

+ set -x

+ (

+

+ wget https://github.com/Azure/iot-edge-config/releases/latest/download/azure-iot-edge-installer.sh -O azure-iot-edge-installer.sh \

+ && chmod +x azure-iot-edge-installer.sh \

+ && sudo -H ./azure-iot-edge-installer.sh -s $dps_idscope -r $registration_device_id -k $key \

+ && rm -rf azure-iot-edge-installer.sh

+

+ # Wait for docker daemon to start

+ while [ $(ps -ef | grep -v grep | grep docker | wc -l) -le 0 ]; do

+ sleep 3

+ done

+ systemctl stop aziot-edge

+ if [ $(lspci | grep NVIDIA | wc -l) -gt 0 ]; then

+ #install Nvidia drivers

+ apt install -y ubuntu-drivers-common

+ ubuntu-drivers devices

+ ubuntu-drivers autoinstall

+ # Install NVIDIA Container Runtime

+ curl -s -L https://nvidia.github.io/nvidia-container-runtime/gpgkey | apt-key add -

+ distribution=$(. /etc/os-release;echo $ID$VERSION_ID)

+ curl -s -L https://nvidia.github.io/nvidia-container-runtime/$distribution/nvidia-container-runtime.list | tee /etc/apt/sources.list.d/nvidia-container-runtime.list

+ apt update

+ apt install -y nvidia-container-runtime

+ fi

+ # Restart Docker

+ systemctl daemon-reload

+ systemctl restart docker

+ systemctl start aziot-edge

+ if [ $(lspci | grep NVIDIA | wc -l) -gt 0 ]; then

+ reboot

+ fi

+ ) &

+write_files:

+ - path: /etc/systemd/system/docker.service.d/override.conf

+ permissions: "0644"

+ content: |

+ [Service]

+ ExecStart=

+ ExecStart=/usr/bin/dockerd --host=fd:// --add-runtime=nvidia=/usr/bin/nvidia-container-runtime --log-driver local

+```

+## Deploy IoT Edge runtime

+Deploying the IoT Edge runtime is part of VM creation, using the *cloud-init* script mentioned above.

+Here are the high-level steps to deploy the VM and IoT Edge runtime:

+1. In the [Azure portal](https://portal.azure.com), go to Azure Marketplace.

+ 1. Connect to the Azure Cloud Shell or a client with Azure CLI installed. For detailed steps, see [Quickstart for Bash in Azure Cloud Shell](../cloud-shell/quickstart.md).

+ 1. Use steps in [Search for Azure Marketplace images](azure-stack-edge-gpu-create-virtual-machine-marketplace-image.md#search-for-azure-marketplace-images) to search the Azure Marketplace for the following Ubuntu 20.04 LTS image:

+

+ ```azurecli

+ $urn = Canonical:0001-com-ubuntu-server-focal:20_04-lts:20.04.202007160

+ ```

+ 1. Create a new managed disk from the Marketplace image.

+

+ 1. Export a VHD from the managed disk to an Azure Storage account.

+ For detailed steps, follow the instructions in [Use Azure Marketplace image to create VM image for your Azure Stack Edge](azure-stack-edge-gpu-create-virtual-machine-marketplace-image.md).

+1. Follow these steps to create an Ubuntu VM using the VM image.

+ 1. Specify the *cloud-init* script on the **Advanced** tab. To create a VM, see [Deploy GPU VM via Azure portal](azure-stack-edge-gpu-deploy-gpu-virtual-machine.md?tabs=portal) or [Deploy VM via Azure portal](azure-stack-edge-gpu-deploy-virtual-machine-portal.md).

+ 

+ 1. Specify the appropriate device connection strings in the *cloud-init* to connect to the IoT Hub or DPS device. For detailed steps, see [Provision with symmetric keys](azure-stack-edge-gpu-deploy-iot-edge-linux-vm.md#use-symmetric-key-provisioning) or [Provision with IoT Hub DPS](azure-stack-edge-gpu-deploy-iot-edge-linux-vm.md#use-dps).

+ 

+ If you didn't specify the *cloud-init* during VM creation, you'll have to manually deploy the IoT Edge runtime after the VM is created:

+ 1. Connect to the VM via SSH.

+ 1. Install the container engine on the VM. For detailed steps, see [Create and provision an IoT Edge device on Linux using symmetric keys](../iot-edge/how-to-provision-single-device-linux-symmetric.md#install-a-container-engine) or [Quickstart - Set up IoT Hub DPS with the Azure portal](../iot-dps/quick-setup-auto-provision.md).

+## Verify the IoT Edge runtime

+Use these steps to verify that your IoT Edge runtime is running.

+1. Go to IoT Hub resource in the Azure portal.

+1. Select the IoT Edge device.

+1. Verify that the IoT Edge runtime is running.

+ 

+## Update the IoT Edge runtime

+To update the VM, follow the instructions in [Update IoT Edge](../iot-edge/how-to-update-iot-edge.md?view=iotedge-2020-11&tabs=linux&preserve-view=true). To find the latest version of Azure IoT Edge, see [Azure IoT Edge releases](../iot-edge/how-to-update-iot-edge.md?view=iotedge-2020-11&tabs=linux&preserve-view=true).

+

+## Next steps

+To deploy and run an IoT Edge module on your Ubuntu VM, see the steps in [Deploy IoT Edge modules](../iot-edge/how-to-deploy-modules-portal.md?view=iotedge-2020-11&preserve-view=true).

+To deploy NvidiaΓÇÖs DeepStream module, see [Deploy the Nvidia DeepStream module on Ubuntu VM on Azure Stack Edge Pro with GPU](azure-stack-edge-deploy-nvidia-deepstream-module.md).

+- **PolicyVersion**: Policy version.

+ -PolicyVersion 1.0.0 `

+ -PolicyVersion 1.0.0 `

+ -PolicyVersion 1.0.0

+> [!IMPORTANT]

+> [!NOTE]

+> [!IMPORTANT]

+|Region server|All worker nodes |16020 ||&nbsp;|

+|Region server info Web UI&nbsp;|&nbsp;All worker nodes |16030|HTTP|The port for the HBase Region server Web UI|

+||| 2181 ||The port that clients use to connect to ZooKeeper |

+HDInsight 4.0 has several advantages over HDInsight 3.6. Here's an [overview of what's new in HDInsight 4.0](../hdinsight-version-release.md).

+* HDInsight 3.6 by default doesn't support ACID tables. If ACID tables are present, however, run 'MAJOR' compaction on them. See the [Hive Language Manual](https://cwiki.apache.org/confluence/display/Hive/LanguageManual+DDL#LanguageManualDDL-AlterTable/Partition/Compact) for details on compaction.

+ |Property | Value |

+ |||

+ |Bash script URI|`https://hdiconfigactions.blob.core.windows.net/linuxhivemigrationv01/hive-adl-expand-location-v01.sh`|

+ |Node type(s)|Head|

+ |Parameters||

+> [!WARNING]

+1. From the HDInsight 4.0 cluster, execute `schematool` to upgrade the target HDInsight 3.6 metastore. Edit the following shell script to add your SQL server name, database name, username, and password. Open an [SSH Session](../hdinsight-hadoop-linux-use-ssh-unix.md) on the headnode and run it.

+ ```sh

+ SERVER='servername.database.windows.net' # replace with your SQL Server

+ DATABASE='database' # replace with your 3.6 metastore SQL Database

+ USERNAME='username' # replace with your 3.6 metastore username

+ PASSWORD='password' # replace with your 3.6 metastore password

+ STACK_VERSION=$(hdp-select status hive-server2 | awk '{ print $3; }')

+ /usr/hdp/$STACK_VERSION/hive/bin/schematool -upgradeSchema -url "jdbc:sqlserver://$SERVER;databaseName=$DATABASE;trustServerCertificate=false;encrypt=true;hostNameInCertificate=*.database.windows.net;" -userName "$USERNAME" -passWord "$PASSWORD" -dbType "mssql" --verbose

+ ```

+ > [!NOTE]

+ > This utility uses client `beeline` to execute SQL scripts in `/usr/hdp/$STACK_VERSION/hive/scripts/metastore/upgrade/mssql/upgrade-*.mssql.sql`.

+ >

+ > SQL Syntax in these scripts is not necessarily compatible to other client tools. For example, [SSMS](/sql/ssms/download-sql-server-management-studio-ssms) and [Query Editor on Azure Portal](/azure/azure-sql/database/connect-query-portal) require keyword `GO` after each command.

+ >

+ > If any script fails due to resource capacity or transaction timeouts, scale up the SQL Database.

+ The output should match that of the following bash command from the HDInsight 4.0 cluster.

+ ```bash

+ grep . /usr/hdp/$(hdp-select --version)/hive/scripts/metastore/upgrade/mssql/upgrade.order.mssql | tail -n1 | rev | cut -d'-' -f1 | rev

+ ```

+ Use the following Hive command to identify table location:

+ ```sql

+ SHOW CREATE TABLE ([db_name.]table_name|view_name);

+ ```

+Refer to [HDInsight 4.0 Announcement](../hdinsight-version-release.md) for other changes.

+* [Hive 3 ACID Tables](https://docs.hortonworks.com/HDPDocuments/HDP3/HDP-3.1.0/using-hiveql/content/hive_3_internals.html)

+> Azure App Service certificate configuration through Azure Portal does not support Key Vault RBAC permission model. It is supported using client libraries like Azure PowerShell, Azure CLI, ARM template deployments with **Key Vault Secrets User** and **Key Vault Reader** role assignemnts.

+When single-tenant Azure Logic Apps officially released, new built-in connectors included Azure Blob Storage, Azure Event Hubs, Azure Service Bus, and SQL Server. Over time, this list of built-in connectors continues to grow. However, if you need connectors that aren't available in Standard logic app workflows, you can [create your own built-in connectors](create-custom-built-in-connector-standard.md) using the same extensibility model that's used by *service provider-based* built-in connectors in Standard workflows.

+### Service provider-based built-in connectors

+In single-tenant Azure Logic Apps, a [built-in connector with specific attributes is informally known as a *service provider*](../connectors/built-in.md#service-provider-interface-implementation). For example, these connectors are based on the [Azure Functions extensibility model](../azure-functions/functions-bindings-register.md), which provide the capability for you to create your own custom built-in connectors to use in Standard logic app workflows.

+In contrast, non-service provider built-in connectors have the following attributes:

+* [Create custom built-in connectors for Standard logic apps in single-tenant Azure Logic Apps](create-custom-built-in-connector-standard.md)

+ * More managed connectors are now available as built-in connectors in Standard logic app workflows. The built-in versions run natively on the single-tenant Azure Logic Apps runtime. Some built-in connectors are also informally known as [*service provider* connectors](../connectors/built-in.md#service-provider-interface-implementation). For a list, review [Built-in connectors in Consumption and Standard](../connectors/built-in.md#built-in-connectors).

+In single-tenant Azure Logic Apps, [built-in connectors with specific attributes are informally known as *service providers*](../connectors/built-in.md#service-provider-interface-implementation). Some built-in connectors support only a single way to authenticate a connection to the underlying service. Other built-in connectors can offer a choice, such as using a connection string, Azure Active Directory (Azure AD), or a managed identity. All built-in connectors run in the same process as the redesigned Azure Logic Apps runtime. For more information, review the [built-in connector list for Standard logic app workflows](../connectors/built-in.md#built-in-connectors).

+* There are some VM series, such as GPUs and other special SKUs, which may not initially appear in your list of available VMs. But you can still use them, once you request a quota change. For more information about requesting quotas, see [Request quota increases](how-to-manage-quotas.md#request-quota-increases).

+See the following table to learn more about supported series.

+ > If you use a firewall to block internet access into the VNet, you must configure the firewall to allow this traffic. For example, with Azure Firewall you can create user-defined routes. For more information, see [How to use Azure Machine Learning with a firewall](how-to-access-azureml-behind-firewall.md#inbound-configuration).

+ Title: Deploy ML models to FPGAs

+All [Azure Data Box Edge devices](../databox-online/azure-stack-edge-overview.md) contain an FPGA for running the model. Only one model can be running on the FPGA at one time. To run a different model, just deploy a new container. Instructions and sample code can be found in [this Azure Sample](https://github.com/Azure-Samples/aml-hardware-accelerated-models).

+| Nodes in a single Azure Machine Learning Compute (AmlCompute) **cluster** set up as a non communication-enabled pool (i.e. cannot run MPI jobs) | 100 nodes but configurable up to 65000 nodes |

+| Nodes in a single Parallel Run Step **run** on an Azure Machine Learning Compute (AmlCompute) cluster | 100 nodes but configurable up to 65000 nodes if your cluster is set up to scale per above |

+| Nodes in a single Azure Machine Learning Compute (AmlCompute) **cluster** set up as a communication-enabled pool | 300 nodes but configurable up to 4000 nodes |

+| Nodes in a single Azure Machine Learning Compute (AmlCompute) **cluster** set up as a communication-enabled pool on an RDMA enabled VM Family | 100 nodes |

+## View quotas in the studio

+1. When you create a new compute resource, by default you'll see only VM sizes that you already have quota to use. Switch the view to **Select from all options**.

+ :::image type="content" source="media/how-to-manage-quotas/select-all-options.png" alt-text="Screenshot shows select all options to see compute resources that need more quota":::

+1. Scroll down until you see the list of VM sizes you do not have quota for.

+ :::image type="content" source="media/how-to-manage-quotas/scroll-to-zero-quota.png" alt-text="Screenshot shows list of zero quota":::

+1. Use the link to go directly to the online customer support request for more quota.

+## View your usage and quotas in the Azure portal

+To view your quota for various Azure resources like virtual machines, storage, or network, use the [Azure portal](https://portal.azure.com):

+* The key vault that contains your customer-managed key must be in the same Azure subscription as the Azure Machine Learning workspace

+> [!IMPORTANT]

+> The key vault must be in the same Azure subscription that will contain your Azure Machine Learning workspace.

+> [!WARNING]

+> The key vault that contains your customer-managed key must be in the same Azure subscription as the workspace.

+1. In the **Principal ID** box, provide the Azure AD object ID of the user, group, or application that you want to be granted permission to the managed resource group. Identify the user by their Principal ID, which can be found at the [Azure Active Directory users blade](https://portal.azure.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/AllUsers) on the Azure portal.

+ },

+ Disk Type | Mandatory | Specify the type of disk to be used.

+ Title: 'Tutorial: Build a PHP (Laravel) app with Azure Database for MySQL Flexible Server'

+description: This tutorial explains how to build a PHP app with flexible server.

+ms.devlang: php

+# Tutorial: Build a PHP (Laravel) and MySQL Flexible Server app in Azure App Service

+[Azure App Service](../../app-service/overview.md) provides a highly scalable, self-patching web hosting service using the Linux operating system. This tutorial shows how to create a PHP app in Azure and connect it to a MySQL database. When you're finished, you'll have a [Laravel](https://laravel.com/) app running on Azure App Service on Linux.

+In this tutorial, you learn how to:

+> [!div class="checklist"]

+>

+> * Setup a PHP (Laravel) app with local MySQL

+> * Create a MySQL Flexible Server

+> * Connect a PHP app to MySQL Flexible Server

+> * Deploy the app to Azure App Service

+> * Update the data model and redeploy the app

+> * Manage the app in the Azure portal

+## Prerequisites

+To complete this tutorial:

+1. [Install Git](https://git-scm.com/)

+2. [Install PHP 5.6.4 or above](https://php.net/downloads.php)

+3. [Install Composer](https://getcomposer.org/doc/00-intro.md)

+4. Enable the following PHP extensions Laravel needs: OpenSSL, PDO-MySQL, Mbstring, Tokenizer, XML

+5. [Install and start MySQL](https://dev.mysql.com/doc/refman/5.7/en/installing.html)

+## Prepare local MySQL

+In this step, you create a database in your local MySQL server for your use in this tutorial.

+### Connect to local MySQL server

+In a terminal window, connect to your local MySQL server. You can use this terminal window to run all the commands in this tutorial.

+```bash

+mysql -u root -p

+```

+If you're prompted for a password, enter the password for the `root` account. If you don't remember your root account password, see [MySQL: How to Reset the Root Password](https://dev.mysql.com/doc/refman/5.7/en/resetting-permissions.html).

+If your command runs successfully, then your MySQL server is running. If not, make sure that your local MySQL server is started by following the [MySQL post-installation steps](https://dev.mysql.com/doc/refman/5.7/en/postinstallation.html).

+### Create a database locally

+At the `mysql` prompt, create a database.

+```sql

+CREATE DATABASE sampledb;

+```

+Exit your server connection by typing `quit`.

+```sql

+quit

+```

+<a name="step2"></a>

+## Create a PHP app locally

+In this step, you get a Laravel sample application, configure its database connection, and run it locally.

+### Clone the sample

+In the terminal window, navigate to an empty directory where you can clone the sample application. Run the following command to clone the sample repository.

+```bash

+git clone https://github.com/Azure-Samples/laravel-tasks

+```

+`cd` to your cloned directory.

+Install the required packages.

+```bash

+cd laravel-tasks

+composer install

+```

+### Configure MySQL connection

+In the repository root, create a file named *.env*. Copy the following variables into the *.env* file. Replace the _&lt;root_password>_ placeholder with the MySQL root user's password.

+```txt

+APP_ENV=local

+APP_DEBUG=true

+APP_KEY=

+DB_CONNECTION=mysql

+DB_HOST=127.0.0.1

+DB_DATABASE=sampledb

+DB_USERNAME=root

+DB_PASSWORD=<root_password>

+```

+For information on how Laravel uses the *.env* file, see [Laravel Environment Configuration](https://laravel.com/docs/5.4/configuration#environment-configuration).

+### Run the sample locally

+Run [Laravel database migrations](https://laravel.com/docs/5.4/migrations) to create the tables the application needs. To see which tables are created in the migrations, look in the *database/migrations* directory in the Git repository.

+```bash

+php artisan migrate

+```

+Generate a new Laravel application key.

+```bash

+php artisan key:generate

+```

+Run the application.

+```bash

+php artisan serve

+```

+Navigate to `http://localhost:8000` in a browser. Add a few tasks in the page.

+To stop PHP, type `Ctrl + C` in the terminal.

+## Create a MySQL Flexible Server

+In this step, you create a MySQL database in [Azure Database for MySQL Flexible Server](../index.yml). Later, you configure the PHP application to connect to this database. In the [Azure Cloud Shell](../../cloud-shell/overview.md), create a server in with the [`az flexible-server create`](/cli/azure/mysql/server#az-mysql-flexible-server-create) command.

+```azurecli-interactive

+az mysql flexible-server create --resource-group myResourceGroup --public-access <IP-Address>

+```

+> [!IMPORTANT]

+>

+>* Make a note of the **servername** and **connection string** to use it in the next step to connect and run laravel data migration.

+> * For **IP-Address** argument, provide the IP of your client machine. The server is locked when created and you need to permit access to your client machine to manage the server locally.

+### Configure server firewall to allow web app to connect to the server

+In the Cloud Shell, create a firewall rule for your MySQL server to allow client connections by using the az mysql server firewall-rule create command. When both starting IP and end IP are set to ```0.0.0.0```, the firewall is only opened for other Azure services that do not have a static IP to connect to the server.

+```azurecli

+az mysql flexible-server firewall-rule create --name allanyAzureIPs --server <mysql-server-name> --resource-group myResourceGroup --start-ip-address 0.0.0.0 --end-ip-address 0.0.0.0

+```

+### Connect to production MySQL server locally

+In the local terminal window, connect to the MySQL server in Azure. Use the value you specified previously for ```<admin-user>``` and ```<mysql-server-name>``` . When prompted for a password, use the password you specified when you created the database in Azure.

+```bash

+mysql -u <admin-user> -h <mysql-server-name>.mysql.database.azure.com -P 3306 -p

+```

+### Create a production database

+At the `mysql` prompt, create a database.

+```sql

+CREATE DATABASE sampledb;

+```

+### Create a user with permissions

+Create a database user called *phpappuser* and give it all privileges in the `sampledb` database. For simplicity of the tutorial, use *MySQLAzure2020* as the password.

+```sql

+CREATE USER 'phpappuser' IDENTIFIED BY 'MySQLAzure2020';

+GRANT ALL PRIVILEGES ON sampledb.* TO 'phpappuser';

+```

+Exit the server connection by typing `quit`.

+```sql

+quit

+```

+## Connect app to MySQL flexible server

+In this step, you connect the PHP application to the MySQL database you created in Azure Database for MySQL.

+<a name="devconfig"></a>

+### Configure the database connection

+In the repository root, create an *.env.production* file and copy the following variables into it. Replace the placeholder _&lt;mysql-server-name>_ in both *DB_HOST* and *DB_USERNAME*.

+```

+APP_ENV=production

+APP_DEBUG=true

+APP_KEY=

+DB_CONNECTION=mysql

+DB_HOST=<mysql-server-name>.mysql.database.azure.com

+DB_DATABASE=sampledb

+DB_USERNAME=phpappuser

+DB_PASSWORD=MySQLAzure2017

+MYSQL_SSL=true

+```

+Save the changes.

+> [!TIP]

+> To secure your MySQL connection information, this file is already excluded from the Git repository (See *.gitignore* in the repository root). Later, you learn how to configure environment variables in App Service to connect to your database in Azure Database for MySQL. With environment variables, you don't need the *.env* file in App Service.

+>

+### Configure TLS/SSL certificate

+By default, MySQL Flexible Server enforces TLS connections from clients. To connect to your MySQL database in Azure, you must use the [*.pem* certificate supplied by Azure Database for MySQL Flexible Server](https://dl.cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem). Download [this certificate](https://dl.cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem)) and place it in the **SSL** folder in the local copy of the sample app repository.

+Open *config/database.php* and add the `sslmode` and `options` parameters to `connections.mysql`, as shown in the following code.

+```php

+'mysql' => [

+ ...

+ 'sslmode' => env('DB_SSLMODE', 'prefer'),

+ 'options' => (env('MYSQL_SSL') && extension_loaded('pdo_mysql')) ? [

+ PDO::MYSQL_ATTR_SSL_KEY => '/ssl/DigiCertGlobalRootCA.crt.pem',

+ ] : []

+],

+```

+### Test the application locally

+Run Laravel database migrations with *.env.production* as the environment file to create the tables in your MySQL database in Azure Database for MySQL. Remember that _.env.production_ has the connection information to your MySQL database in Azure.

+```bash

+php artisan migrate --env=production --force

+```

+*.env.production* doesn't have a valid application key yet. Generate a new one for it in the terminal.

+```bash

+php artisan key:generate --env=production --force

+```

+Run the sample application with *.env.production* as the environment file.

+```bash

+php artisan serve --env=production

+```

+Navigate to `http://localhost:8000`. If the page loads without errors, the PHP application is connecting to the MySQL database in Azure.

+Add a few tasks in the page.

+To stop PHP, type `Ctrl + C` in the terminal.

+### Commit your changes

+Run the following Git commands to commit your changes:

+```bash

+git add .

+git commit -m "database.php updates"

+```

+Your app is ready to be deployed.

+## Deploy to Azure

+In this step, you deploy the MySQL-connected PHP application to Azure App Service.

+### Configure a deployment user

+FTP and local Git can deploy to an Azure web app by using a deployment user. Once you configure your deployment user, you can use it for all your Azure deployments. Your account-level deployment username and password are different from your Azure subscription credentials.

+To configure the deployment user, run the [az webapp deployment user set](/cli/azure/webapp/deployment/user#az-webapp-deployment-user-set) command in Azure Cloud Shell. Replace _&lt;username>_ and _&lt;password>_ with your deployment user username and password.

+The username must be unique within Azure, and for local Git pushes, must not contain the '@' symbol.

+The password must be at least eight characters long, with two of the following three elements: letters, numbers, and symbols.

+```azurecli

+az appservice plan create --name myAppServicePlan --resource-group myResourceGroup --sku F1 --is-linux

+```

+The JSON output shows the password as null. If you get a 'Conflict'. Details: 409 error, change the username. If you get a 'Bad Request'. Details: 400 error, use a stronger password. **Record your username and password to use to deploy your web apps.**

+### Create an App Service plan

+In the Cloud Shell, create an App Service plan in the resource group with the [az appservice plan create](/cli/azure/appservice/plan#az-appservice-plan-create) command. The following example creates an App Service plan named myAppServicePlan in the Free pricing tier (--sku F1) and in a Linux container (--is-linux).

+az appservice plan create --name myAppServicePlan --resource-group myResourceGroup --sku F1 --is-linux

+<a name="create"></a>

+### Create a web app

+Create a [web app](../../app-service/overview.md#app-service-on-linux) in the myAppServicePlan App Service plan.

+In the Cloud Shell, you can use the [az webapp create](/cli/azure/webapp#az-webapp-create) command. In the following example, replace _&lt;app-name>_ with a globally unique app name (valid characters are `a-z`, `0-9`, and `-`). The runtime is set to `PHP|7.0`. To see all supported runtimes, run [az webapp list-runtimes --os linux](/cli/azure/webapp#az-webapp-list-runtimes).

+```azurecli

+az webapp create --resource-group myResourceGroup --plan myAppServicePlan --name <app-name> --runtime "PHP|7.3" --deployment-local-git

+```

+When the web app has been created, the Azure CLI shows output similar to the following example:

+```

+Local git is configured with url of 'https://<username>@<app-name>.scm.azurewebsites.net/<app-name>.git'

+{

+ "availabilityState": "Normal",

+ "clientAffinityEnabled": true,

+ "clientCertEnabled": false,

+ "cloningInfo": null,

+ "containerSize": 0,

+ "dailyMemoryTimeQuota": 0,

+ "defaultHostName": "<app-name>.azurewebsites.net",

+ "deploymentLocalGitUrl": "https://<username>@<app-name>.scm.azurewebsites.net/<app-name>.git",

+ "enabled": true,

+ < JSON data removed for brevity. >

+}

+```

+You've created an empty new web app, with git deployment enabled.

+> [!NOTE]

+> The URL of the Git remote is shown in the deploymentLocalGitUrl property, with the format `https://<username>@<app-name>.scm.azurewebsites.net/<app-name>.git`. Save this URL as you need it later.

+### Configure database settings

+In App Service, you set environment variables as *app settings* by using the [`az webapp config appsettings set`](/cli/azure/webapp/config/appsettings#az-webapp-config-appsettings-set) command.

+The following command configures the app settings `DB_HOST`, `DB_DATABASE`, `DB_USERNAME`, and `DB_PASSWORD`. Replace the placeholders _&lt;app-name>_ and _&lt;mysql-server-name>_.

+```azurecli-interactive

+az webapp config appsettings set --name <app-name> --resource-group myResourceGroup --settings DB_HOST="<mysql-server-name>.mysql.database.azure.com" DB_DATABASE="sampledb" DB_USERNAME="phpappuser" DB_PASSWORD="MySQLAzure2017" MYSQL_SSL="true"

+```

+You can use the PHP [getenv](https://www.php.net/manual/en/function.getenv.php) method to access the settings. the Laravel code uses an [env](https://laravel.com/docs/5.4/helpers#method-env) wrapper over the PHP `getenv`. For example, the MySQL configuration in *config/database.php* looks like the following code:

+```php

+'mysql' => [

+ 'driver' => 'mysql',

+ 'host' => env('DB_HOST', 'localhost'),

+ 'database' => env('DB_DATABASE', 'forge'),

+ 'username' => env('DB_USERNAME', 'forge'),

+ 'password' => env('DB_PASSWORD', ''),

+ ...

+],

+```

+### Configure Laravel environment variables

+Laravel needs an application key in App Service. You can configure it with app settings.

+In the local terminal window, use `php artisan` to generate a new application key without saving it to *.env*.

+```bash

+php artisan key:generate --show

+```

+In the Cloud Shell, set the application key in the App Service app by using the [`az webapp config appsettings set`](/cli/azure/webapp/config/appsettings#az-webapp-config-appsettings-set) command. Replace the placeholders _&lt;app-name>_ and _&lt;outputofphpartisankey:generate>_.

+```azurecli-interactive

+az webapp config appsettings set --name <app-name> --resource-group myResourceGroup --settings APP_KEY="<output_of_php_artisan_key:generate>" APP_DEBUG="true"

+```

+`APP_DEBUG="true"` tells Laravel to return debugging information when the deployed app encounters errors. When running a production application, set it to `false`, which is more secure.

+### Set the virtual application path

+[Laravel application lifecycle](https://laravel.com/docs/5.4/lifecycle) begins in the *public* directory instead of the application's root directory. The default PHP Docker image for App Service uses Apache, and it doesn't let you customize the `DocumentRoot` for Laravel. However, you can use `.htaccess` to rewrite all requests to point to */public* instead of the root directory. In the repository root, an `.htaccess` is added already for this purpose. With it, your Laravel application is ready to be deployed.

+For more information, see [Change site root](../../app-service/configure-language-php.md?pivots=platform-linux#change-site-root).

+### Push to Azure from Git

+Back in the local terminal window, add an Azure remote to your local Git repository. Replace _&lt;deploymentLocalGitUrl-from-create-step>_ with the URL of the Git remote that you saved from [Create a web app](#create-a-web-app).

+```bash

+git remote add azure <deploymentLocalGitUrl-from-create-step>

+```

+Push to the Azure remote to deploy your app with the following command. When Git Credential Manager prompts you for credentials, make sure you enter the credentials you created in **Configure a deployment user**, not the credentials you use to sign in to the Azure portal.

+```bash

+git push azure main

+```

+This command may take a few minutes to run. While running, it displays information similar to the following example:

+<pre>

+Counting objects: 3, done.

+Delta compression using up to 8 threads.

+Compressing objects: 100% (3/3), done.

+Writing objects: 100% (3/3), 291 bytes | 0 bytes/s, done.

+Total 3 (delta 2), reused 0 (delta 0)

+remote: Updating branch 'main'.

+remote: Updating submodules.

+remote: Preparing deployment for commit id 'a5e076db9c'.

+remote: Running custom deployment command...

+remote: Running deployment command...

+...

+&lt; Output has been truncated for readability &gt;

+</pre>

+### Browse to the Azure app

+Browse to `http://<app-name>.azurewebsites.net` and add a few tasks to the list.

+Congratulations, you're running a data-driven PHP app in Azure App Service.

+## Update model locally and redeploy

+In this step, you make a simple change to the `task` data model and the webapp, and then publish the update to Azure.

+For the tasks scenario, you modify the application so that you can mark a task as complete.

+### Add a column

+In the local terminal window, navigate to the root of the Git repository.

+Generate a new database migration for the `tasks` table:

+```bash

+php artisan make:migration add_complete_column --table=tasks

+```

+This command shows you the name of the migration file that's generated. Find this file in *database/migrations* and open it.

+Replace the `up` method with the following code:

+```php

+public function up()

+{

+ Schema::table('tasks', function (Blueprint $table) {

+ $table->boolean('complete')->default(False);

+ });

+}

+```

+The preceding code adds a boolean column in the `tasks` table called `complete`.

+Replace the `down` method with the following code for the rollback action:

+```php

+public function down()

+{

+ Schema::table('tasks', function (Blueprint $table) {

+ $table->dropColumn('complete');

+ });

+}

+```

+In the local terminal window, run Laravel database migrations to make the change in the local database.

+```bash

+php artisan migrate

+```

+Based on the [Laravel naming convention](https://laravel.com/docs/5.4/eloquent#defining-models), the model `Task` (see *app/Task.php*) maps to the `tasks` table by default.

+### Update application logic

+Open the *routes/web.php* file. The application defines its routes and business logic here.

+At the end of the file, add a route with the following code:

+```php

+/**

+ * Toggle Task completeness

+ */

+Route::post('/task/{id}', function ($id) {

+ error_log('INFO: post /task/'.$id);

+ $task = Task::findOrFail($id);

+ $task->complete = !$task->complete;

+ $task->save();

+ return redirect('/');

+});

+```

+The preceding code makes a simple update to the data model by toggling the value of `complete`.

+### Update the view

+Open the *resources/views/tasks.blade.php* file. Find the `<tr>` opening tag and replace it with:

+```html

+<tr class="{{ $task->complete ? 'success' : 'active' }}" >

+```

+The preceding code changes the row color depending on whether the task is complete.

+In the next line, you have the following code:

+```html

+<td class="table-text"><div>{{ $task->name }}</div></td>

+```

+Replace the entire line with the following code:

+```html

+<td>

+ <form action="{{ url('task/'.$task->id) }}" method="POST">

+ {{ csrf_field() }}

+ <button type="submit" class="btn btn-xs">

+ <i class="fa {{$task->complete ? 'fa-check-square-o' : 'fa-square-o'}}"></i>

+ </button>

+ {{ $task->name }}

+ </form>

+</td>

+```

+The preceding code adds the submit button that references the route that you defined earlier.

+### Test the changes locally

+In the local terminal window, run the development server from the root directory of the Git repository.

+```bash

+php artisan serve

+```

+To see the task status change, navigate to `http://localhost:8000` and select the checkbox.

+To stop PHP, type `Ctrl + C` in the terminal.

+### Publish changes to Azure

+In the local terminal window, run Laravel database migrations with the production connection string to make the change in the Azure database.

+```bash

+php artisan migrate --env=production --force

+```

+Commit all the changes in Git, and then push the code changes to Azure.

+```bash

+git add .

+git commit -m "added complete checkbox"

+git push azure main

+```

+Once the `git push` is complete, navigate to the Azure app and test the new functionality.

+If you added any tasks, they are retained in the database. Updates to the data schema leave existing data intact.

+## Clean up resources

+In the preceding steps, you created Azure resources in a resource group. If you don't expect to need these resources in the future, delete the resource group by running the following command in the Cloud Shell:

+```azurecli

+az group delete --name myResourceGroup

+```

+<a name="next"></a>

+## Next steps

+> [!div class="nextstepaction"]

+> [How to manage your resources in Azure portal](../../azure-resource-manager/management/manage-resources-portal.md) <br/>

+> [!div class="nextstepaction"]

+> [How to manage your server](how-to-manage-server-cli.md)

+ Title: 'Tutorial: Build a PHP app with Azure Database for MySQL - Flexible Server'

+description: This tutorial explains how to build a PHP app with flexible server and deploy it on Azure App Service.

+# Tutorial: Deploy a PHP and MySQL - Flexible Server app on Azure App Service

+[Azure App Service](../../app-service/overview.md) provides a highly scalable, self-patching web hosting service using the Linux operating system.

+This tutorial shows how to build and deploy a sample PHP application to Azure App Service, and integrate it with Azure Database for MySQL - Flexible Server on the back end.

+In this tutorial, you'll learn how to:

+> * Create a MySQL flexible server

+> * Connect a PHP app to the MySQL flexible server

+> * Update and redeploy the app

+- [Install Git](https://git-scm.com/).

+- The [Azure Command-Line Interface (CLI)](/cli/azure/install-azure-cli).

+- An Azure subscription [!INCLUDE [flexible-server-free-trial-note](../includes/flexible-server-free-trial-note.md)]

+## Create an Azure Database for MySQL flexible server

+First, we'll provision a MySQL flexible server with public access connectivity, configure firewall rules to allow the application to access the server, and create a production database.

+To learn how to use private access connectivity instead and isolate app and database resources in a virtual network, see [Tutorial: Connect an App Services Web app to an Azure Database for MySQL flexible server in a virtual network](tutorial-webapp-server-vnet.md).

+### Create a resource group

+An Azure resource group is a logical group in which Azure resources are deployed and managed. Let's create a resource group *rg-php-demo* using the [az group create](/cli/azure/group#az-group-create) command in the *centralus* location.

+1. Open command prompt.

+1. Sign in to your Azure account.

+ ```azurecli-interactive

+ az login

+ ```

+1. Choose your Azure subscription.

+ ```azurecli-interactive

+ az account set -s <your-subscription-ID>

+ ```

+1. Create the resource group.

+ ```azurecli-interactive

+ az group create --name rg-php-demo --location centralus

+ ```

+### Create a MySQL flexible server

+1. To create a MySQL flexible server with public access connectivity, run the following [`az flexible-server create`](/cli/azure/mysql/server#az-mysql-flexible-server-create) command. Replace your values for server name, admin username and password.

+ ```azurecli-interactive

+ az mysql flexible-server create \

+ --name <your-mysql-server-name> \

+ --resource-group rg-php-demo \

+ --location centralus \

+ --admin-user <your-mysql-admin-username> \

+ --admin-password <your-mysql-admin-password>

+ ```

+ YouΓÇÖve now created a flexible server in the CentralUS region. The server is based on the Burstable B1MS compute SKU, with 32 GB storage, a 7-day backup retention period, and configured with public access connectivity.

+1. Next, to create a firewall rule for your MySQL flexible server to allow client connections, run the following command. When both starting IP and end IP are set to 0.0.0.0, only other Azure resources (like App Services apps, VMs, AKS cluster, etc.) can connect to the flexible server.

+ ```azurecli-interactive

+ az mysql flexible-server firewall-rule create \

+ --name <your-mysql-server-name> \

+ --resource-group rg-php-demo \

+ --rule-name AllowAzureIPs \

+ --start-ip-address 0.0.0.0 \

+ --end-ip-address 0.0.0.0

+ ```

+1. To create a new MySQL production database *sampledb* to use with the PHP application, run the following command:

+ ```azurecli-interactive

+ az mysql flexible-server db create \

+ --resource-group rg-php-demo \

+ --server-name <your-mysql-server-name> \

+ --database-name sampledb

+ ```

+## Build your application

+For the purposes of this tutorial, we'll use a sample PHP application that displays and manages a product catalog. The application provides basic functionalities like viewing the products in the catalog, adding new products, updating existing item prices and removing products.

+To learn more about the application code, go ahead and explore the app in the [GitHub repository](https://github.com/Azure-Samples/php-mysql-app-service). To learn how to connect a PHP app to MySQL flexible server, refer [Quickstart: Connect using PHP](connect-php.md).

+In this tutorial, we'll directly clone the coded sample app and learn how to deploy it on Azure App Service.

+1. To clone the sample application repository and change to the repository root, run the following commands:

+ ```bash

+ git clone https://github.com/Azure-Samples/php-mysql-app-service.git

+ cd php-mysql-app-service

+ ```

+1. Run the following command to ensure that the default branch is `main`.

+ ```bash

+ git branch -m main

+ ```

+## Create and configure an Azure App Service Web App

+In Azure App Service (Web Apps, API Apps, or Mobile Apps), an app always runs in an App Service plan. An App Service plan defines a set of compute resources for a web app to run. In this step, we'll create an Azure App Service plan and an App Service web app within it, which will host the sample application.

+1. To create an App Service plan in the Free pricing tier, run the following command:

+ ```azurecli-interactive

+ az appservice plan create --name plan-php-demo \

+ --resource-group rg-php-demo \

+ --location centralus \

+ --sku FREE --is-linux

+ ```

+1. If you want to deploy an application to Azure web app using deployment methods like FTP or Local Git, you need to configure a deployment user with username and password credentials. After you configure your deployment user, you can take advantage of it for all your Azure App Service deployments.

+ ```azurecli-interactive

+ az webapp deployment user set \

+ --user-name <your-deployment-username> \

+ --password <your-deployment-password>

+ ```

+1. To create an App Service web app with PHP 8.0 runtime and to configure the Local Git deployment option to deploy your app from a Git repository on your local computer, run the following command. Replace `<your-app-name>` with a globally unique app name (valid characters are a-z, 0-9, and -).

+ ```azurecli-interactive

+ az webapp create \

+ --resource-group rg-php-demo \

+ --plan plan-php-demo \

+ --name <your-app-name> \

+ --runtime "PHP|8.0" \

+ --deployment-local-git

+ ```

+ > [!IMPORTANT]

+ > In the Azure CLI output, the URL of the Git remote is displayed in the deploymentLocalGitUrl property, with the format `https://<username>@<app-name>.scm.azurewebsites.net/<app-name>.git`. Save this URL, as you'll need it later.

+1. Next we'll configure the MySQL flexible server database connection settings on the Web App.

+ The `config.php` file in the sample PHP application retrieves the database connection information (server name, database name, server username and password) from environment variables using the `getenv()` function. In App Service, to set environment variables as **Application Settings** (*appsettings*), run the following command:

+ ```azurecli-interactive

+ az webapp config appsettings set \

+ --name <your-app-name> \

+ --resource-group rg-php-demo \

+ --settings DB_HOST="<your-server-name>.mysql.database.azure.com" \

+ DB_DATABASE="sampledb" \

+ DB_USERNAME="<your-mysql-admin-username>" \

+ DB_PASSWORD="<your-mysql-admin-password>" \

+ MYSQL_SSL="true"

+ ```

+

+ Alternatively, you can use Service Connector to establish a connection between the App Service app and the MySQL flexible server. For more details, see [Integrate Azure Database for MySQL with Service Connector](../../service-connector/how-to-integrate-mysql.md).

+## Deploy your application using Local Git

+Now, we'll deploy the sample PHP application to Azure App Service using the Local Git deployment option.

+1. Since you're deploying the main branch, you need to set the default deployment branch for your App Service app to main. To set the DEPLOYMENT_BRANCH under **Application Settings**, run the following command:

+ ```azurecli-interactive

+ az webapp config appsettings set \

+ --name <your-app-name> \

+ --resource-group rg-php-demo \

+ --settings DEPLOYMENT_BRANCH='main'

+ ```

+1. Verify that you are in the application repository's root directory.

+1. To add an Azure remote to your local Git repository, run the following command.

+ **Note:** Replace `<deploymentLocalGitUrl>` with the URL of the Git remote that you saved in the **Create an App Service web app** step.

+ ```azurecli-interactive

+ git remote add azure <deploymentLocalGitUrl>

+ ```

+1. To deploy your app by performing a `git push` to the Azure remote, run the following command. When Git Credential Manager prompts you for credentials, enter the deployment credentials that you created in **Configure a deployment user** step.

+ ```azurecli-interactive

+ git push azure main

+ ```

+The deployment may take a few minutes to succeed.

+## Test your application

+Finally, test the application by browsing to `https://<app-name>.azurewebsites.net`, and then add, view, update or delete items from the product catalog.

+Congratulations! You have successfully deployed a sample PHP application to Azure App Service and integrated it with Azure Database for MySQL - Flexible Server on the back end.

+## Update and redeploy the app

+To update the Azure app, make the necessary code changes, commit all the changes in Git, and then push the code changes to Azure.

+git commit -m "Update Azure app"

+Once the `git push` is complete, navigate to or refresh the Azure app to test the new functionality.

+In this tutorial, you created all the Azure resources in a resource group. If you don't expect to need these resources in the future, delete the resource group by running the following command in the Cloud Shell:

+```azurecli-interactive

+az group delete --name rg-php-demo

+> [How to manage your resources in Azure portal](../../azure-resource-manager/management/manage-resources-portal.md)

+ Title: 'Tutorial: Connect an App Services Web app to an Azure Database for MySQL flexible server in a virtual network'

+description: Tutorial to create and connect Web App to Azure Database for MySQL Flexible Server in a virtual network

+# Tutorial: Connect an App Services Web app to an Azure Database for MySQL flexible server in a virtual network

+This tutorial shows you how to create and connect an Azure App Service Web App to an Azure Database for MySQL flexible server isolated inside same or different [virtual networks](../../virtual-network/virtual-networks-overview.md).

+>

+> * Create a subnet to delegate to App Service and create a web app

+> * Connect to MySQL flexible server from the web app

+> * Connect a Web app and MySQL flexible server isolated in different VNets

+## App Service Web app and MySQL flexible server in different virtual networks

+If you have created the App Service app and the MySQL flexible server in different virtual networks (VNets), you will need to use one of the following methods to establish a seamless connection:

+- **Connect the two VNets using VNet peering** (local or global). See [Connect virtual networks with virtual network peering](../../virtual-network/tutorial-connect-virtual-networks-cli.md) guide.

+- **Link MySQL flexible server's Private DNS zone to the web app's VNet using virtual network links.** If you use the Azure portal or the Azure CLI to create MySQL flexible servers in a VNet, a new private DNS zone is auto-provisioned in your subscription using the server name provided. Navigate to the flexible server's private DNS zone and follow the [How to link the private DNS zone to a virtual network](../../dns/private-dns-getstarted-portal.md#link-the-virtual-network) guide to set up a virtual network link.

+|Windows Mixed Reality XR Plugin | 2.9.3 | 4.6.3 |

+1. In the Unity **Package Manager** window, ensure that the **Windows XR Plugin** is updated to version 2.9.3 or newer for Unity 2019, or version 4.6.3 or newer for Unity 2020.

+1. In the Unity **Project Settings** window, select the **XR Plug-in Management** section, select the **PC Standalone** tab, and ensure that the **Windows Mixed Reality** and **Initialize XR on Startup** checkboxes are checked.

+1. Place `.ou` model files in `%USERPROFILE%\AppData\LocalLow\<companyname>\<productname>` where `<companyname>` and `<productname>` match the values in the **Player** section of your project's **Project Settings** (for example, `Microsoft\AOABasicApp`). (See the **Windows Editor and Standalone Player** section of [Unity - Scripting API: Application.persistentDataPath](https://docs.unity3d.com/ScriptReference/Application-persistentDataPath.html).)

+1. Launch the **Holographic Remoting Player** app on your HoloLens. Your device's IP address will be displayed for convenient reference.

+1. Open the **Windows XR Plugin Remoting** window from the **Window/XR** menu, select **Remote to Device** from the drop-down, ensure your device's IP address is entered in the **Remote Machine** box, and make sure that the **Connect on Play** checkbox is checked.

+1. Enter and exit Play Mode as needed - Unity will connect to the Player app running on the device, and display your scene in real time! You can iterate on changes in the Editor, use Visual Studio to debug script execution, and do all the normal Unity development activities you're used to in Play Mode!

+* Some Object Anchors SDK features aren't supported since they rely on access to the HoloLens cameras, which isn't currently available via Remoting. These include <a href="/dotnet/api/microsoft.azure.objectanchors.objectobservationmode">Active Observation Mode</a> and <a href="/dotnet/api/microsoft.azure.objectanchors.objectinstancetrackingmode">High Accuracy Tracking Mode</a>.

+* The Object Anchors SDK currently only supports Unity Remoting while using the **Windows Mixed Reality XR Plugin**. If the **OpenXR XR Plugin** is used, <a href="/dotnet/api/microsoft.azure.objectanchors.objectobserver.issupported">`ObjectObserver.IsSupported`</a> will return `false` in **Play Mode** and other APIs may throw exceptions.

+ Title: Configure OVN-Kubernetes network provider for Azure Red Hat OpenShift clusters (preview)

+description: In this how-to article, learn how to configure OVN-Kubernetes network provider for Azure Red Hat OpenShift clusters (preview).

+topic: how-to

+keywords: azure, openshift, aro, red hat, azure CLI, azure portal, ovn, ovn-kubernetes, CNI, Container Network Interface

+Customer intent: I need to configure OVN-Kubernetes network provider for Azure Red Hat OpenShift clusters.

+# Configure OVN-Kubernetes network provider for Azure Red Hat OpenShift clusters

+This article explains how to Configure OVN-Kubernetes network provider for Azure Red Hat OpenShift clusters.

+## About the OVN-Kubernetes default Container Network Interface (CNI) network provider (preview)

+OVN-Kubernetes Container Network Interface (CNI) for Azure Red Hat OpenShift (ARO) cluster is now available for preview.

+The OpenShift Container Platform cluster uses a virtualized network for pod and service networks. The OVN-Kubernetes Container Network Interface (CNI) plug-in is a network provider for the default cluster network. OVN-Kubernetes, which is based on the Open Virtual Network (OVN), provides an overlay-based networking implementation.

+A cluster that uses the OVN-Kubernetes network provider also runs Open vSwitch (OVS) on each node. OVN configures OVS on each node to implement the declared network configuration.

+> [!IMPORTANT]

+> Currently, this Azure Red Hat OpenShift feature is being offered in preview only. Preview features are available on a self-service, opt-in basis. Previews are provided "as is" and "as available," and they are excluded from the service-level agreements and limited warranty. Azure Red Hat OpenShift previews are partially covered by customer support on a best-effort basis. As such, these features are not meant for production use.

+## OVN-Kubernetes features

+The OVN-Kubernetes CNI cluster network provider offers the following features:

+* Uses OVN to manage network traffic flows. OVN is a community developed, vendor-agnostic network virtualization solution.

+* Implements Kubernetes network policy support, including ingress and egress rules.

+* Uses the Generic Network Virtualization Encapsulation (Geneve) protocol rather than the Virtual Extensible LAN (VXLAN) protocol to create an overlay network between nodes.

+For more information about OVN-Kubernetes CNI network provider, see [About the OVN-Kubernetes default Container Network Interface (CNI) network provider](https://docs.openshift.com/container-platform/4.10/networking/ovn_kubernetes_network_provider/about-ovn-kubernetes.html).

+## Prerequisites

+Complete the following prerequisites.

+### Install and use the preview Azure Command-Line Interface (CLI)

+> [!NOTE]

+> The Azure CLI extension is required for the preview feature only.

+If you choose to install and use the CLI locally, ensure you're running Azure CLI version 2.37.0 or later. Run `az --version` to find the version. For details on installing or upgrading Azure CLI, see [Install Azure CLI](/cli/azure/install-azure-cli).

+1. Use the following URL to download both the Python wheel and the CLI extension:

+ [https://aka.ms/az-aroext-latest.whl](https://aka.ms/az-aroext-latest.whl)

+2. Run the following command:

+```azurecli-interactive

+az extension add --upgrade -s <path to downloaded .whl file>

+```

+3. Verify the CLI extension is being used:

+```azurecli-interactive

+az extension list

+[

+ {

+ "experimental": false,

+ "extensionType": "whl",

+ "name": "aro",

+ "path": "<path may differ depending on system>",

+ "preview": true,

+ "version": "1.0.6"

+ }

+]

+```

+4. Run the following command:

+```azurecli-interactive

+az aro create --help

+```

+The result should show the `ΓÇôsdn-type` option, as follows:

+```json

+--sdn-type --software-defined-network-type : SDN type either "OpenShiftSDN" (default) or "OVNKubernetes". Allowed values: OVNKubernetes, OpenShiftSDN

+```

+## Create an Azure Red Hat OpenShift cluster with OVN as the network provider

+The process to create an Azure Red Hat OpenShift cluster with OVN is exactly the same as the existing process explained in [Tutorial: Create an Azure Red Hat OpenShift 4 cluster](tutorial-create-cluster.md), with the following exception. You must also pass in the SDN type of `OVNKubernetes` in step 4 below.

+The following high-level procedure outlines the steps to create an Azure Red Hat OpenShift cluster with OVN as the network provider:

+1. Install the preview Azure CLI extension.

+2. Verify your permissions.

+3. Register the resource providers.

+4. Create a virtual network containing two empty subnets.

+5. Create an Azure Red Hat OpenShift cluster by using OVN CNI network provider.

+6. Verify the Azure Red Hat OpenShift cluster is using OVN CNI network provider.

+## Verify your permissions

+Using OVN CNI network provider for Azure Red Hat OpenShift clusters requires you to create a resource group, which will contain the virtual network for the cluster. You must have either Contributor and User Access Administrator permissions or have Owner permissions either directly on the virtual network or on the resource group or subscription containing it.

+You'll also need sufficient Azure Active Directory permissions (either a member user of the tenant, or a guest user assigned with role Application administrator) for the tooling to create an application and service principal on your behalf for the cluster. For more information about user roles, see [Member and guest users](../active-directory/fundamentals/users-default-permissions.md#member-and-guest-users) and [Assign administrator and non-administrator roles to users with Azure Active Directory](../active-directory/fundamentals/active-directory-users-assign-role-azure-portal.md).

+## Register the resource providers

+If you have multiple Azure subscriptions, you must register the resource providers. For information about the registration procedure, see [Register the resource providers](tutorial-create-cluster.md#register-the-resource-providers).

+## Create a virtual network containing two empty subnets

+If you have an existing virtual network that meets your needs, you can skip this step. To know the procedure of creating a virtual network, see [Create a virtual network containing two empty subnets](tutorial-create-cluster.md#create-a-virtual-network-containing-two-empty-subnets).

+## Create an Azure Red Hat OpenShift cluster by using OVN-Kubernetes CNI network provider

+Run the following command to create an Azure Red Hat OpenShift cluster that uses the OVN CNI network provider:

+```

+az aro create --resource-group $RESOURCEGROUP \

+ --name $CLUSTER \

+ --vnet aro-vnet \

+ --master-subnet master-subnet \

+ --worker-subnet worker-subnet \

+ --sdn-type OVNKubernetes \

+ --pull-secret @pull-secret.txt \

+```

+## Verify an Azure Red Hat OpenShift cluster is using the OVN CNI network provider

+After the cluster is successfully configured to use the OVN CNI network provider, sign in to your account and run the following command:

+```

+oc get network.config/cluster -o jsonpath='{.status.networkType}{"\n"}'

+```

+The value of `status.networkType` must be `OVNKubernetes`.

+ Title: Azure services and Confluent Cloud integration - Azure partner solutions

+description: This article describes how to use Azure services and install connectors for Confluent Cloud integration.

+# Azure services and Confluent Cloud integrations

+This article describes how to use Azure services like Azure Functions, and install connectors to Azure resources for Confluent Cloud.

+## Azure Cosmos DB connector

+**Azure Cosmos DB Self Managed connector** must be installed manually. First download an uber JAR from the [Cosmos DB Releases page](https://github.com/microsoft/kafka-connect-cosmosdb/releases). Or, you can [build your own uber JAR directly from the source code](https://github.com/microsoft/kafka-connect-cosmosdb/blob/dev/doc/README_Sink.md#install-sink-connector). Complete the installation by following the guidance described in the Confluent documentation for [installing connectors manually](https://docs.confluent.io/home/connect/install.html#install-connector-manually).

+## Azure Functions

+**Azure Functions Kafka trigger extension** is used to run your function code in response to messages in Kafka topics. You can also use a Kafka output binding to write from your function to a topic. For information about setup and configuration details, see [Apache Kafka bindings for Azure Functions overview](../../azure-functions/functions-bindings-kafka.md).

+>[!NOTE]

+> See the [HA limitation section](#high-availabilitylimitations) for a current restriction with same-zone HA deployment.

+>[!NOTE]

+> New server creates with **Same-zone HA** are currently restricted when you choose the primary server's AZ. Workarounds are to (a) create your same-zone HA server without choosing the primary AZ, or (b) create as a single instance (non-HA) server and then enable same-zone HA after the server is created.

+>[!NOTE]

+> See the [HA limitation section](concepts-high-availability.md#high-availabilitylimitations) for a current restriction with same-zone HA deployment.

+1. If you want to change the default compute and storage, click **Configure server**.

+2. If high availability option is checked, the burstable tier will not be available to choose. You can choose either

+3. Select **storage size** in GiB using the sliding bar and select the **backup retention period** between 7 days and 35 days.

+4. Click **Save**.

+## Enabling Zone redundant HA after the region supports AZ

+There are Azure regions that do not support availability zones. If you have already deployed non-HA servers, you cannot directly enable zone redundant HA on the server, but you can perform restore and enable HA in that server. Following steps shows how to enable Zone redundant HA for that server.

+1. From the overview page of the server, click **Restore** to [perform a PITR](how-to-restore-server-portal.md#restoring-to-the-latest-restore-point). Choose **Latest restore point**.

+2. Choose a server name, availability zone.

+3. Click **Review+Create**".

+4. A new Flexible server will be created from the backup.

+5. Once the new server is created, from the overview page of the server, follow the [guide](#enable-high-availability-post-server-creation) to enable HA.

+6. After data verification, you can optionally [delete](how-to-manage-server-portal.md#delete-a-server) the old server.

+7. Make sure your clients connection strings are modified to point to your new HA-enabled server.

+

+** Zone-redundant high availability can now be deployed when you provision new servers in these regions. Any existing servers deployed in AZ with *no preference* (which you can check on the Azure portal) prior to the region started to support AZ, even when you enable zone-redundant HA, the standby will be provisioned in the same AZ (same-zone HA) as the primary server. To enable zone-redundant high availability, [follow the steps.](how-to-manage-high-availability-portal.md#enabling-zone-redundant-ha-after-the-region-supports-az).

+You can use [Data-in Replication](./concepts-read-replicas.md) for failover scenarios. When you're using read replicas, no automated failover between source and replica servers occurs. You'll notice a lag between the source and the replica because the replication is asynchronous. Network lag can be influenced by many factors, like the size of the workload running on the source server and the latency between datacenters. In most cases, replica lag ranges from a few seconds to a couple of minutes.

+Pg_stat_statements is a PostgreSQL extension that's enabled by default in Azure Database for PostgreSQL. The extension provides a means to track execution statistics for all SQL statements executed by a server. See [how to use pg_statement](how-to-optimize-query-stats-collection.md).

+A connection pooler minimizes the cost and time associated with creating and closing new connections to the database. The pool is a collection of connections that can be reused.

+There are multiple connection poolers you can use with PostgreSQL. One of these is [PgBouncer](https://pgbouncer.github.io/). In the Microsoft Container Registry, we provide a lightweight containerized PgBouncer that can be used in a sidecar to pool connections from AKS to Azure Database for PostgreSQL. Visit the [docker hub page](https://hub.docker.com/r/microsoft/azureossdb-tools-pgbouncer/) to learn how to access and use this image.

+Create an AKS cluster [using the Azure CLI](../../aks/learn/quick-kubernetes-deploy-cli.md), [using Azure PowerShell](../../aks/learn/quick-kubernetes-deploy-powershell.md), or [using the Azure portal](../../aks/learn/quick-kubernetes-deploy-portal.md).

+In a subset of [Azure regions](./concepts-pricing-tiers.md#storage), all newly provisioned servers can support up to 16-TB storage. Backups on these large storage servers are snapshot-based. The first full snapshot backup is scheduled immediately after a server is created. That first full snapshot backup is retained as the server's base backup. Subsequent snapshot backups are differential backups only. Differential snapshot backups do not occur on a fixed schedule. In a day, multiple differential snapshot backups are performed, but only 3 backups are retained. Transaction log backups occur every five minutes.

+Backups are retained based on the backup retention period setting on the server. You can select a retention period of 7 to 35 days. The default retention period is 7 days. You can set the retention period during server creation or later by updating the backup configuration using [Azure portal](./how-to-restore-server-portal.md#set-backup-configuration) or [Azure CLI](./how-to-restore-server-cli.md#set-backup-configuration).

+You can use the [Backup Storage used](concepts-monitoring.md) metric in Azure Monitor available in the Azure portal to monitor the backup storage consumed by a server. The Backup Storage used metric represents the sum of storage consumed by all the full database backups, differential backups, and log backups retained based on the backup retention period set for the server. The frequency of the backups is service managed and explained earlier. Heavy transactional activity on the server can cause backup storage usage to increase irrespective of the total database size. For geo-redundant storage, backup storage usage is twice that of the locally redundant storage.

+In Azure Database for PostgreSQL, performing a restore creates a new server from the original server's backups.

+> If your source PostgreSQL server is encrypted with customer-managed keys, please see the [documentation](concepts-data-encryption-postgresql.md) for additional considerations.

+> It is recommended not to create multiple restores for the same server at the same time.

+- To learn more about business continuity, see theΓÇ»[business continuity overview](concepts-business-continuity.md).

+\* RTO and RPO **can be much higher** in some cases depending on various factors including latency between sites, the amount of data to be transmitted, and importantly primary database write workload.

+You can use cross region read replicas to enhance your business continuity and disaster recovery planning. Read replicas are updated asynchronously using PostgreSQL's physical replication technology, and may lag the primary. Learn more about read replicas, available regions, and how to fail over from the [read replicas concepts article](concepts-read-replicas.md).

+By default, Azure Database for PostgreSQL doesn't move or store customer data out of the region it is deployed in. However, customers can optionally chose to enable [geo-redundant backups](concepts-backup.md#backup-redundancy-options) or create [cross-region read replica](concepts-read-replicas.md#cross-region-replication) for storing data in another region.

+The new certificate is rolled out and in effect starting February 15, 2021 (02/15/2021).

+</br>(Root CA1: BaltimoreCyberTrustRoot.crt.pem)

+</br>--END CERTIFICATE--

+</br>--BEGIN CERTIFICATE--

+</br>(Root CA2: DigiCertGlobalRootG2.crt.pem)

+</br>--END CERTIFICATE--

+> Please do not drop or alter **Baltimore certificate** until the cert change is made. We will send a communication once the change is done, after which it is safe for them to drop the Baltimore certificate.

+We evaluated the customer readiness for this change and realized many customers were looking for additional lead time to manage this change. In the interest of providing more lead time to customers for readiness, we have decided to defer the certificate change to DigiCertGlobalRootG2 for at least a year providing sufficient lead time to the customers and end users.

+Our recommendations to users is, use the aforementioned steps to create a combined certificate and connect to your server but do not remove BaltimoreCyberTrustRoot certificate until we send a communication to remove it.

+No actions required if you are not using SSL/TLS.

+- If your connection string includes `sslmode=verify-ca` or `sslmode=verify-full`, you need to update the certificate.

+- If your connection string includes `sslmode=disable`, `sslmode=allow`, `sslmode=prefer`, or `sslmode=require`, you do not need to update certificates.

+- If your connection string does not specify sslmode, you do not need to update certificates.

+Since this update is a client-side change, if the client used to read data from the replica server, you will need to apply the changes for those clients as well.

+A new docker image which supports both [**Baltimore**](https://www.digicert.com/CACerts/BaltimoreCyberTrustRoot.crt.pem) and [**DigiCert**](https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem) is published to below [here](https://hub.docker.com/_/microsoft-azure-oss-db-tools-pgbouncer-sidecar) (Latest tag). You can pull this new image to avoid any interruption in connectivity starting February 15, 2021.

+The gateway service is hosted on group of stateless compute nodes sitting behind an IP address, which your client would reach first when trying to connect to an Azure Database for PostgreSQL server.

+As part of ongoing service maintenance, we will periodically refresh compute hardware hosting the gateways to ensure we provide the most secure and performant connectivity experience. When the gateway hardware is refreshed, a new ring of the compute nodes is built out first. This new ring serves the traffic for all the newly created Azure Database for PostgreSQL servers and it will have a different IP address from older gateway rings in the same region to differentiate the traffic. The older gateway hardware continues serving existing servers but are planned for decommissioning in future. Before decommissioning a gateway hardware, customers running their servers and connecting to older gateway rings will be notified via email and in the Azure portal, three months in advance before decommissioning. The decommissioning of gateways can impact the connectivity to your servers if

+* **Gateway IP addresses (decommissioned):** This columns lists the IP addresses of the gateway rings, which are decommissioned and are no longer in operations. You can safely remove these IP addresses from your outbound firewall rule.

+You will receive an email to inform you when we will start the maintenance work. The maintenance can take up to one month depending on the number of servers we need to migrate in al regions. Please prepare your client to connect to the database server using the FQDN or using the new IP address from the table above.

+No, this is a gateway hardware decommission and have no relation to private link or private IP addresses, it will only affect public IP addresses mentioned under the decommissioning IP addresses.

+* [Create and manage Azure Database for PostgreSQL firewall rules using Azure CLI](quickstart-create-server-database-azure-cli.md#configure-a-server-based-firewall-rule)

+Once the network admin creates the private endpoint (PE), the PostgreSQL admin can manage the private endpoint Connection (PEC) to Azure Database for PostgreSQL. This separation of duties between the network admin and the DBA is helpful for management of the Azure Database for PostgreSQL connectivity.

+If you want to rely only on private endpoints for accessing their Azure Database for PostgreSQL Single server, you can disable setting all public endpoints ([firewall rules](concepts-firewall-rules.md) and [VNet service endpoints](concepts-data-access-and-security-vnet.md)) by setting the **Deny Public Network Access** configuration on the database server.

+**Virtual Network service endpoint:** A [Virtual Network service endpoint][vm-virtual-network-service-endpoints-overview-649d] is a subnet whose property values include one or more formal Azure service type names. In this article we are interested in the type name of **Microsoft.Sql**, which refers to the Azure service named SQL Database. This service tag also applies to the Azure Database for PostgreSQL and MySQL services. It is important to note when applying the **Microsoft.Sql** service tag to a VNet service endpoint it will configure service endpoint traffic for Azure Database

+[resource-manager-portal]: ../../azure-resource-manager/management/resource-providers-and-types.md

+The following extensions are available in Azure Database for PostgreSQL servers which have Postgres version 11.

+## Postgres 10 extensions

+## Postgres 9.6 extensions

+The [pgAudit extension](https://github.com/pgaudit/pgaudit/blob/master/README.md) provides session and object audit logging. To learn how to use this extension in Azure Database for PostgreSQL, visit the [auditing concepts article](concepts-audit.md).

+In Postgres 11 and above, you can configure prewarming to happen [automatically](https://www.postgresql.org/docs/current/pgprewarm.html). You need to include pg_prewarm in your `shared_preload_libraries` parameter's list and restart the server to apply the change. Parameters can be set from the [Azure portal](how-to-configure-server-parameters-using-portal.md), [CLI](how-to-configure-server-parameters-using-cli.md), REST API, or ARM template.

+5. Select **Save** to preserve your changes. You get a notification once the change is saved.

+> If you see an error, confirm that you [restarted your server](how-to-restart-server-portal.md) after saving shared_preload_libraries.

+While running `SELECT timescaledb_post_restore()` procedure listed above you may get permissions denied error updating timescaledb.restoring flag. This is due to limited ALTER DATABASE permission in Cloud PaaS database services. In this case you can perform alternative method using `timescaledb-backup` tool to backup and restore Timescale database. Timescaledb-backup is a program for making dumping and restoring a TimescaleDB database simpler, less error-prone, and more performant.

+To do so you should do following

+More details on these utilities can be found [here](https://github.com/timescale/timescaledb-backup).

+> When using `timescale-backup` utilities to restore to Azure is that since database user names for non-flexible Azure Database for PostgresQL must use the `<user@db-name>` format, you need to replace `@` with `%40` character encoding.

+If you don't see an extension that you'd like to use, let us know. Vote for existing requests or create new feedback requests in our [feedback forum](https://feedback.azure.com/d365community/forum/c5e32b97-ee24-ec11-b6e6-000d3a4f0da0).

+It is recommended that you find the outgoing IP address of any application or service and explicitly allow access to those individual IP addresses or ranges. For example, you can find the outgoing IP address of an Azure App Service or use a public IP tied to a virtual machine or other resource (see below for info on connecting with a virtual machine's private IP over service endpoints).

+>

+To connect securely to your Azure Database for PostgreSQL server from a VNet, consider using [VNet service endpoints](./concepts-data-access-and-security-vnet.md).

+Azure Database for PostgreSQL is suitable for running mission critical databases that require high uptime. Built on Azure architecture, the service has inherent high availability, redundancy, and resiliency capabilities to mitigate database downtime from planned and unplanned outages, without requiring you to configure any additional components.

+Azure Database for PostgreSQL is architected to provide high availability during planned downtime operations.

+Unplanned downtime can occur as a result of unforeseen failures, including underlying hardware fault, networking issues, and software bugs. If the database server goes down unexpectedly, a new database server is automatically provisioned in seconds. The remote storage is automatically attached to the new database server. PostgreSQL engine performs the recovery operation using WAL and database files, and opens up the database server to allow clients to connect. Uncommitted transactions are lost, and they have to be retried by the application. While an unplanned downtime cannot be avoided, Azure Database for PostgreSQL mitigates the downtime by automatically performing recovery operations at both database server and storage layers without requiring human intervention.

+- Learn how to [replicate your data with read replicas](how-to-read-replicas-portal.md)

+Infrastructure Layer encryption has the benefit of being implemented at the layer closest to the storage device or network wires. Azure Database for PostgreSQL implements the two layers of encryption using service-managed keys. Although still technically in the service layer, it is very close to hardware that stores the data at rest. You can still optionally enable data encryption at rest using [customer managed key](concepts-data-encryption-postgresql.md) for the provisioned PostgreSQL server.

+Implementation at the infrastructure layers also supports a diversity of keys. Infrastructure must be aware of different clusters of machine and networks. As such, different keys are used to minimize the blast radius of infrastructure attacks and a variety of hardware and network failures.

+| PostgreSQL 9.6, 10, 11 | Turning on the server parameter `pg_qs.replace_parameter_placeholders` might lead to a server shutdown in some rare scenarios. | Through Azure Portal, Server Parameters section, turn the parameter `pg_qs.replace_parameter_placeholders` value to `OFF` and save. |

+The maximum number of connections per pricing tier and vCores are shown below. The Azure system requires five connections to monitor the Azure Database for PostgreSQL server.

+For an overview of how Postgres logical decoding works, [visit our blog](https://techcommunity.microsoft.com/t5/azure-database-for-postgresql/change-data-capture-in-postgres-how-to-use-logical-decoding-and/ba-p/1396421).

+ ```

+3. If you are running Postgres 9.5 or 9.6, and use public network access, add the firewall rule to include the public IP address of the client from where you will run the logical replication. The firewall rule name must include **_replrule**. For example, *test_replrule*. To create a new firewall rule on the server, run the [az postgres server firewall-rule create](/cli/azure/postgres/server/firewall-rule) command.

+3. If you are running Postgres 9.5 or 9.6, and use public network access, add the firewall rule to include the public IP address of the client from where you will run the logical replication. The firewall rule name must include **_replrule**. For example, *test_replrule*. Then select **Save**.

+Using a replication slot requires Postgres's replication privileges. At this time, the replication privilege is only available for the server's admin user.

+Consuming changes using the streaming protocol is often preferable. You can create your own consumer / connector, or use a tool like [Debezium](https://debezium.io/).

+Visit the wal2json documentation for [an example using the streaming protocol with pg_recvlogical](https://github.com/eulerto/wal2json#pg_recvlogical).

+[Set alerts](how-to-alert-on-metric.md) on *Storage used* and *Max lag across replicas* metrics to notify you when the values increase past normal thresholds.

+> If you stop using logical decoding, change azure.replication_support back to `replica` or `off`. The WAL details retained by `logical` are more verbose, and should be disabled when logical decoding is not in use.

+The [Performance Recommendations](concepts-performance-recommendations.md) feature identifies opportunities to improve workload performance. Performance Recommendations provides you with recommendations for creating new indexes that have the potential to improve the performance of your workloads. To produce index recommendations, the feature takes into consideration various database characteristics, including its schema and the workload as reported by Query Store. After implementing any performance recommendation, customers should test performance to evaluate the impact of those changes.

+- Learn more about [planned maintenance notifications](./concepts-planned-maintenance-notification.md) in Azure Database for PostgreSQL - Single Server.

+The Performance Recommendations feature analyses your databases to create customized suggestions for improved performance. To produce the recommendations, the analysis looks at various database characteristics including schema. Enable [Query Store](concepts-query-store.md) on your server to fully utilize the Performance Recommendations feature. After implementing any performance recommendation, you should test performance to evaluate the impact of those changes.

+Select **Analyze** and choose a database, which will begin the analysis. Depending on your workload, th analysis may take several minutes to complete. Once the analysis is done, there will be a notification in the portal. Analysis performs a deep examination of your database. We recommend you perform analysis during off-peak periods.

+Recommendations are not automatically applied. To apply the recommendation, copy the query text and run it from your client of choice. Remember to test and monitor to evaluate the recommendation.

+- Learn more about [monitoring and tuning](concepts-monitoring.md) in Azure Database for PostgreSQL.

+You can either check the planned maintenance notification on Azure portal or configure alerts to receive notification.

+3. Select **Subscription**, **Region, and **Service** for which you want to check the planned maintenance notification.

+When the server is set to read-only, all existing sessions are disconnected and uncommitted transactions are rolled back. Any subsequent write operations and transaction commits fail. All subsequent read queries will work uninterrupted.

+# Query Performance Insight

+The [Query Performance Insight](concepts-query-performance-insight.md) view in the Azure portal will surface visualizations on key information from Query Store.

+You can select and drag in the chart to narrow down to a specific time window. Alternatively, use the zoom in and out icons to view a smaller or larger period of time respectively.

+- Learn more about [monitoring and tuning](concepts-monitoring.md) in Azure Database for PostgreSQL.

+Let Query Store capture the data that matters to you.

+Query Store also includes a store for wait statistics. There is an additional capture mode query that governs wait statistics: **pgms_wait_sampling.query_capture_mode** can be set to _none_ or _all_.

+> **pg_qs.query_capture_mode** supersedes **pgms_wait_sampling.query_capture_mode**. If pg_qs.query_capture_mode is _none_, the pgms_wait_sampling.query_capture_mode setting has no effect.

+The **pg_qs.retention_period_in_days** parameter specifies in days the data retention period for Query Store. Older query and statistics data is deleted. By default, Query Store is configured to retain the data for 7 days. Avoid keeping historical data you do not plan to use. Increase the value if you need to keep data longer.

+The **pgms_wait_sampling.history_period** parameter specifies how often (in milliseconds) wait events are sampled. The shorter the period, the more frequent the sampling. More information is retrieved, but that comes with the cost of greater resource consumption. Increase this period if the server is under load or you don't need the granularity

+- Learn how to get or set parameters using the [Azure portal](how-to-configure-server-parameters-using-portal.md) or the [Azure CLI](how-to-configure-server-parameters-using-cli.md).

+- Identifying and improving ad hoc workloads

+## Identify and tune expensive queries

+Use the [Query Performance Insight](concepts-query-performance-insight.md) view in the Azure portal to quickly identify the longest running queries. These queries typically tend to consume a significant amount resources. Optimizing your longest running questions can improve performance by freeing up resources for use by other queries running on your system.

+- Consider rewriting expensive queries. For example, take advantage of query parameterization and reduce use of dynamic SQL. Implement optimal logic when reading data like applying data filtering on database side, not on application side.

+- Creating missing indexes on tables referenced by expensive queries.

+5. Decide whether to keep the change or rollback.

+Some workloads do not have dominant queries that you can tune to improve overall application performance. Those workloads are typically characterized with a relatively large number of unique queries, each of them consuming a portion of system resources. Each unique query is executed infrequently, so individually their runtime consumption is not critical. On the other hand, given that the application is generating new queries all the time, a significant portion of system resources is spent on query compilation, which is not optimal. Usually, this situation happens if your application generates queries (instead of using stored procedures or parameterized queries) or if it relies on object-relational mapping frameworks that generate queries by default.

+If you are in control of the application code, you may consider rewriting the data access layer to use stored procedures or parameterized queries. However, this situation can be also improved without application changes by forcing query parameterization for the entire database (all queries) or for the individual query templates with the same query hash.

+- Learn more about the [best practices for using Query Store](concepts-query-store-best-practices.md)

+Query Store data is stored in the azure_sys database on your Postgres server.

+```

+When Query Store is enabled it saves data in 15-minute aggregation windows, up to 500 distinct queries per window.

+You can enable diagnostic settings for your Postgres server using the Azure portal, CLI, REST API, and PowerShell. The log categories to configure are **QueryStoreRuntimeStatistics** and **QueryStoreWaitStatistics**.

+| ResourceType | `Servers` |

+| ResourceType | `Servers` |

+The feature is meant for scenarios where the lag is acceptable and meant for offloading queries. It isn't meant for synchronous replication scenarios where the replica data is expected to be up-to-date. There will be a measurable delay between the primary and the replica. This can be in minutes or even hours depending on the workload and the latency between the primary and the replica. The data on the replica eventually becomes consistent with the data on the primary. Use this feature for workloads that can accommodate this delay.

+If you are using cross-region replicas for disaster recovery planning, we recommend you create the replica in the paired region instead of one of the other regions. Paired regions avoid simultaneous updates and prioritize physical isolation and data residency.

+There are limitations to consider:

+Set an alert to inform you when the replica lag reaches a value that isnΓÇÖt acceptable for your workload.

+You can stop the replication between a primary and a replica at any time. The stop action causes the replica to restart and promotes the replica to be an independent, standalone read-writeable server. The data in the standalone server is the data that was available on the replica server at the time the replication is stopped. Any subsequent updates at the primary are not propagated to the replica. However, replica server may have accumulated logs that are not applied yet. As part of the restart process, the replica applies all the pending logs before accepting client connections.

+In the event of a primary server failure, it is **not** automatically failed over to the read replica.

+Once you have decided you want to failover to a replica,

+When there is a major disaster event such as availability zone-level or regional failures, you can perform disaster recovery operation by promoting your read replica. From the UI portal, you can navigate to the read replica server. Then select the replication tab, and you can stop the replica to promote it to be an independent server. Alternatively, you can use the [Azure CLI](/cli/azure/postgres/server/replica#az-postgres-server-replica-stop) to stop and promote the replica server.

+* Learn how to [create and manage read replicas in the Azure CLI and REST API](how-to-read-replicas-cli.md).

+The Azure Database for PostgreSQL service uses the FIPS 140-2 validated cryptographic module for storage encryption of data at-rest. Data, including backups, are encrypted on disk, including the temporary files created while running queries. The service uses the AES 256-bit cipher included in Azure storage encryption, and the keys are system managed. Storage encryption is always on and can't be disabled.

+Connections to an Azure Database for PostgreSQL server are first routed through a regional gateway. The gateway has a publicly accessible IP, while the server IP addresses are protected. For more information about the gateway, visit the [connectivity architecture article](concepts-connectivity-architecture.md).

+A newly created Azure Database for PostgreSQL server has a firewall that blocks all external connections. Though they reach the gateway, they are not allowed to connect to the server.

+Private Link allows you to connect to your Azure Database for PostgreSQL Single server in Azure via a private endpoint. Azure Private Link essentially brings Azure services inside your private Virtual Network (VNet). The PaaS resources can be accessed using the private IP address just like any other resource in the VNet. For more information,see the [private link overview](concepts-data-access-and-security-private-link.md)

+[Audit logging](concepts-audit.md) is available to track activity in your databases.

+- Learn about [Azure Active Directory authentication](concepts-azure-ad-authentication.md) in Azure Database for PostgreSQL

+You can configure Postgres standard logging on your server using the logging server parameters. On each Azure Database for PostgreSQL server, `log_checkpoints` and `log_connections` are on by default. There are additional parameters you can adjust to suit your logging needs:

+To learn how to configure parameters in Azure Database for PostgreSQL, see the [portal documentation](how-to-configure-server-parameters-using-portal.md) or the [CLI documentation](how-to-configure-server-parameters-using-cli.md).

+> Configuring a high volume of logs, for example statement logging, can add significant performance overhead.

+Azure Database for PostgreSQL provides a short-term storage location for the .log files. A new file begins every 1 hour or 100 MB, whichever comes first. Logs are appended to the current file as they are emitted from Postgres.

+You can set the retention period for this short-term log storage using the `log_retention_period` parameter. The default value is 3 days; the maximum value is 7 days. The short-term storage location can hold up to 1 GB of log files. After 1 GB, the oldest files, regardless of retention period, will be deleted to make room for new logs.

+For longer-term retention of logs and log analysis, you can download the .log files and move them to a third-party service. You can download the files using the [Azure portal](how-to-configure-server-logs-in-portal.md), [Azure CLI](how-to-configure-server-logs-using-cli.md). Alternatively, you can configure Azure Monitor diagnostic settings which automatically emits your logs (in JSON format) to longer-term locations. Learn more about this option in the section below.

+Azure Database for PostgreSQL is integrated with Azure Monitor diagnostic settings. Diagnostic settings allows you to send your Postgres logs in JSON format to Azure Monitor Logs for analytics and alerting, Event Hubs for streaming, and Azure Storage for archiving.

+The following table describes the fields for the **PostgreSQLLogs** type. Depending on the output endpoint you choose, the fields included and the order in which they appear may vary.

+While creating a server, you set up the credentials for your admin user. The admin user is the highest privilege user you have on the server. It belongs to the role azure_pg_admin. This role does not have full superuser permissions.

+The PostgreSQL server parameters determine the configuration of the server. In Azure Database for PostgreSQL, the list of parameters can be viewed and edited using the Azure portal or the Azure CLI.

+As a managed service for Postgres, the configurable parameters in Azure Database for PostgreSQL are a subset of the parameters in a local Postgres instance (For more information on Postgres parameters, see the [PostgreSQL documentation](https://www.postgresql.org/docs/9.6/static/runtime-config.html)). Your Azure Database for PostgreSQL server is enabled with default values for each parameter on creation. Some parameters that would require a server restart or superuser access for changes to take effect cannot be configured by the user.

+For all Azure Database for PostgreSQL servers provisioned through the Azure portal and CLI, enforcement of TLS connections is enabled by default.

+Visit your Azure Database for PostgreSQL server and select **Connection security**. Use the toggle button to enable or disable the **Enforce SSL connection** setting. Then, select **Save**.

+In some cases, applications require a local certificate file generated from a trusted Certificate Authority (CA) certificate file to connect securely. The certificate to connect to an Azure Database for PostgreSQL server is located at https://www.digicert.com/CACerts/BaltimoreCyberTrustRoot.crt.pem. Download the certificate file and save it to your preferred location.

+The PostgreSQL project regularly issues minor releases to fix reported bugs. Azure Database for PostgreSQL automatically patches servers with minor releases during the service's monthly deployments.

+Azure Database for PostgreSQL automatically performs minor version upgrades to the Azure preferred PostgreSQL version as part of periodic maintenance.

+2. From the left-hand menu in Azure portal, select **All resources**, and then search for the server you have created (such as **mydemoserver**).

+3. Select the server name.

+2. From the left-hand menu in Azure portal, select **All resources**, and then search for the server you have created (such as **mydemoserver**).

+3. Select the server name.

+Replace the `HOST`, `DATABASE`, `USER`, and `PASSWORD` parameters with your own values.

+Use the following code to connect and read the data using a **SELECT** SQL statement.

+Replace the `HOST`, `DATABASE`, `USER`, and `PASSWORD` parameters with your own values.

+Use the following code to connect and delete the data using a **DELETE** SQL statement.

+The [pg.Client](https://github.com/brianc/node-postgres/wiki/Client) object is used to interface with the PostgreSQL server. The [pg.Client.connect()](https://github.com/brianc/node-postgres/wiki/Client#method-connect) function is used to establish the connection to the server. The [pg.Client.query()](https://github.com/brianc/node-postgres/wiki/Query) function is used to execute the SQL query against PostgreSQL database.

+Use the following code to connect and read the data using a **SELECT** SQL statement. The [pg.Client](https://github.com/brianc/node-postgres/wiki/Client) object is used to interface with the PostgreSQL server. The [pg.Client.connect()](https://github.com/brianc/node-postgres/wiki/Client#method-connect) function is used to establish the connection to the server. The [pg.Client.query()](https://github.com/brianc/node-postgres/wiki/Query) function is used to execute the SQL query against PostgreSQL database.

+Replace the host, dbname, user, and password parameters with the values that you specified when you created the server and database.

+Use the following code to connect and read the data using a **UPDATE** SQL statement. The [pg.Client](https://github.com/brianc/node-postgres/wiki/Client) object is used to interface with the PostgreSQL server. The [pg.Client.connect()](https://github.com/brianc/node-postgres/wiki/Client#method-connect) function is used to establish the connection to the server. The [pg.Client.query()](https://github.com/brianc/node-postgres/wiki/Query) function is used to execute the SQL query against PostgreSQL database.

+Replace the host, dbname, user, and password parameters with the values that you specified when you created the server and database.

+Use the following code to connect and read the data using a **DELETE** SQL statement. The [pg.Client](https://github.com/brianc/node-postgres/wiki/Client) object is used to interface with the PostgreSQL server. The [pg.Client.connect()](https://github.com/brianc/node-postgres/wiki/Client#method-connect) function is used to establish the connection to the server. The [pg.Client.query()](https://github.com/brianc/node-postgres/wiki/Query) function is used to execute the SQL query against PostgreSQL database.

+Replace the host, dbname, user, and password parameters with the values that you specified when you created the server and database.

+2. From the left-hand menu in Azure portal, select **All resources**, and then search for the server you have created (such as **mydemoserver**).

+3. Select the server name.

+Replace the `$host`, `$database`, `$user`, and `$password` parameters with your own values.

+Use the following code to connect and read the data using a **SELECT** SQL statement.

+The code call method [pg_connect()](https://secure.php.net/manual/en/function.pg-connect.php) to connect to Azure Database for PostgreSQL. Then it calls method [pg_query()](https://secure.php.net/manual/en/function.pg-query.php) to run the SELECT command, keeping the results in a result set, and [pg_last_error()](https://secure.php.net/manual/en/function.pg-last-error.php) to check the details if an error occurred. To read the result set, method [pg_fetch_row()](https://secure.php.net/manual/en/function.pg-fetch-row.php) is called in a loop, once per row, and the row data is retrieved in an array `$row`, with one data value per column in each array position. To free the result set, method [pg_free_result()](https://secure.php.net/manual/en/function.pg-free-result.php) is called. Then it calls method [pg_close()](https://secure.php.net/manual/en/function.pg-close.php) to close the connection.

+Replace the `$host`, `$database`, `$user`, and `$password` parameters with your own values.

+Replace the `$host`, `$database`, `$user`, and `$password` parameters with your own values.

+Use the following code to connect and read the data using a **DELETE** SQL statement.

+The code call method [pg_connect()](https://secure.php.net/manual/en/function.pg-connect.php) to connect to Azure Database for PostgreSQL. Then it calls method [pg_query()](https://secure.php.net/manual/en/function.pg-query.php) to run a command, and [pg_last_error()](https://secure.php.net/manual/en/function.pg-last-error.php) to check the details if an error occurred. Then it calls method [pg_close()](https://secure.php.net/manual/en/function.pg-close.php) to close the connection.

+Replace the `$host`, `$database`, `$user`, and `$password` parameters with your own values.

+2. From the left-hand menu in Azure portal, select **All resources**, and then search for the server you have created (such as **mydemoserver**).

+3. Select the server name.

+The `drop_create_table` function initially tries to `DROP` the `inventory` table before creating a new one. This makes it easier for learning/experimentation, as you always start with a known (clean) state. The [execute](https://docs.rs/postgres/0.19.0/postgres/struct.Client.html#method.execute) method is used for create and drop operations.

+`insert_data` adds entries to the `inventory` table. It creates a [prepared statement](https://docs.rs/postgres/0.19.0/postgres/struct.Statement.html) with [prepare](https://docs.rs/postgres/0.19.0/postgres/struct.Client.html#method.prepare) function.

+`query_data` function demonstrates how to retrieve data from the `inventory` table. The [query_one](https://docs.rs/postgres/0.19.0/postgres/struct.Client.html#method.query_one) method is used to get an item by its `id`.

+All rows in the inventory table are fetched using a `select * from` query with the [query](https://docs.rs/postgres/0.19.0/postgres/struct.Client.html#method.query) method. The returned rows are iterated over to extract the value for each column using [get](https://docs.rs/postgres/0.19.0/postgres/row/struct.Row.html#method.get).

+Finally, the `delete` function demonstrates how to remove an item from the `inventory` table by its `id`. The `id` is chosen randomly - it's a random integer between `1` to `5` (`5` inclusive) since the `insert_data` function had added `5` rows to start with.

+The alert triggers when the value of a specified metric crosses a threshold you assign. The alert triggers both when the condition is first met, and then afterwards when that condition is no longer being met.

+ :::image type="content" source="./media/how-to-alert-on-metric/11-name-description-severity.png" alt-text="Action group":::

+* Get an [overview of metrics collection](../../azure-monitor/data-platform.md) to make sure your service is available and responsive.

+## Enable storage auto grow

+2. On the PostgreSQL server page, under **Settings**, select **Pricing tier** to open the pricing tier page.

+4. Select **OK** to save the changes.

+> [How to create and manage read replicas in Azure Database for PostgreSQL using PowerShell](how-to-read-replicas-powershell.md).

+--name myVirtualNetwork \

+--resource-group myResourceGroup \

+--subnet-name mySubnet

+--name mySubnet \

+--resource-group myResourceGroup \

+--vnet-name myVirtualNetwork \

+--disable-private-endpoint-network-policies true

+Note the public IP address of the VM. You will use this address to connect to the VM from the internet in the next step.

+Create a Azure Database for PostgreSQL with the az postgres server create command. Remember that the name of your PostgreSQL Server must be unique across Azure, so replace the placeholder value with your own unique values that you used above:

+# Create a server in the resource group

+Create a private endpoint for the PostgreSQL server in your Virtual Network:

+```

+Create a Private DNS Zone for PostgreSQL server domain and create an association link with the Virtual Network.

+ --registration-enabled false

+1. Once the VM desktop appears, minimize it to go back to your local desktop.

+2. Enter ΓÇ»`nslookup mydemopostgresserver.privatelink.postgres.database.azure.com`.

+When no longer needed, you can use az group delete to remove the resource group and all the resources it has:

+In this section, you will create an Azure Database for PostgreSQL server in Azure.

+10. When you see the Validation passed message, select Create.

+In this section, you will create a PostgreSQL server and add a private endpoint to it.

+2. When you see the **Validation passed** message, select **Create**.

+After you've created **myVm**, connect to it from the internet as follows:

+2. EnterΓÇ»`nslookup mydemopostgresserver.privatelink.postgres.database.azure.com`.

+[resource-manager-portal]: ../../azure-resource-manager/management/resource-providers-and-types.md

+Configure access to the query logs and error logs.

+3. Under the **Monitoring** section in the sidebar, select **Server logs**.

+4. To see the server parameters, select **Select here to enable logs and configure log parameters**.

+ After you have changed the parameters, select **Save**. Or, you can discard your changes.

+After logging begins, you can view a list of available logs, and download individual log files.

+You can download the PostgreSQL server error logs by using the command-line interface (Azure CLI). However, access to transaction logs isn't supported.

+With the [az postgres server-logs download](/cli/azure/postgres/server-logs) command, you can download individual log files for your server.

+You can list, show, and update configuration parameters for an Azure PostgreSQL server using the Command Line Interface (Azure CLI). A subset of engine configurations is exposed at server-level and can be modified.

+You can also modify the value of a certain server configuration parameter, which updates the underlying configuration value for the PostgreSQL server engine. To update the configuration, use the [az postgres server configuration set](/cli/azure/postgres/server/configuration) command.

+# Configure server parameters in Azure Database for PostgreSQL - Single Server via the Azure portal

+> [Auto grow storage in Azure Database for PostgreSQL server using PowerShell](how-to-auto-grow-storage-powershell.md).

+> You can specify an Azure AD group instead of an individual user to have multiple administrators.

+3. From the browser menu, select connect to the Azure Database for PostgreSQL server

+You are now authenticated to your PostgreSQL server using Azure AD authentication.

+You can delete your server if you no longer need it.

+3. Edit and run the following SQL code. Replace your new user name for the placeholder value <new_user>, and replace the placeholder password with your own strong password.

+ For example:

+2. Select **Key permissions**, and select **Get**, **Wrap**, **Unwrap**, and the **Principal**, which is the name of the PostgreSQL server. If your server principal can't be found in the list of existing principals, you need to register it. You're prompted to register your server principal when you attempt to set up data encryption for the first time, and it fails.

+ In order to make the server **Available** against, you can revalidate the key.

+To learn more about data encryption, see [Azure Database for PostgreSQL Single server data encryption with customer-managed key](concepts-data-encryption-postgresql.md).

+1. On the PostgreSQL Single server page, under **Settings**, select **Connection security** to open the connection security configuration page.

+1. Select **Save** to save the changes.

+**APPLIES TO:** :::image type="icon" source="./media/applies-to/yes.png" border="false":::Azure Database for PostgreSQL - Single Server :::image type="icon" source="./media/applies-to/yes.png" border="false":::Azure Database for PostgreSQL - Flexible Server

+1. On the PostgreSQL server page, under Settings heading, select **Connection security** to open the Connection security page for the Azure Database for PostgreSQL.

+ :::image type="content" source="./media/how-to-manage-firewall-using-portal/1-connection-security.png" alt-text="Azure portal - select Connection Security":::

+2. Select **Add client IP** on the toolbar. This automatically creates a firewall rule with the public IP address of your computer, as perceived by the Azure system.

+ :::image type="content" source="./media/how-to-manage-firewall-using-portal/2-add-my-ip.png" alt-text="Azure portal - select Add My IP":::

+5. Select **Save** on the toolbar to save this server-level firewall rule. Wait for the confirmation that the update to the firewall rules was successful.

+ :::image type="content" source="./media/how-to-manage-firewall-using-portal/5-save-firewall-rule.png" alt-text="Azure portal - select Save":::

+>

+* To add the current computer, select the button to + **Add My IP**. Select **Save** to save the changes.

+* To add additional IP addresses, type in the Rule Name, Start IP Address, and End IP Address. Select **Save** to save the changes.

+* To modify an existing rule, select any of the fields in the rule and modify. Select **Save** to save the changes.

+* To delete an existing rule, select the ellipsis […] and select **Delete** to remove the rule. Select **Save** to save the changes.

+1. On the PostgreSQL server page, under the Settings heading, select **Connection Security** to open the Connection Security pane for Azure Database for PostgreSQL.

+3. Next, select on **+ Adding existing virtual network**. If you do not have an existing VNet you can select **+ Create new virtual network** to create one. See [Quickstart: Create a virtual network using the Azure portal](../../virtual-network/quick-create-portal.md)

+ :::image type="content" source="./media/how-to-manage-vnet-using-portal/1-connection-security.png" alt-text="Azure portal - select Connection security":::

+4. Enter a VNet rule name, select the subscription, Virtual network and Subnet name and then select **Enable**. This automatically enables VNet service endpoints on the subnet using the **Microsoft.SQL** service tag.

+ >

+5. Once enabled, select **OK** and you will see that VNet service endpoints are enabled along with a VNet rule.

+[resource-manager-portal]: ../../azure-resource-manager/management/resource-providers-and-types.md

+You can use an Azure Database for PostgreSQL [cross-region read replica](concepts-read-replicas.md#cross-region-replication) to complete the move to another region. To do so, first create a read replica in the target region. Next, stop replication to the read replica server to make it a standalone server that accepts both read and write traffic.

+> This article focuses on moving your server to a different region. If you want to move your server to a different resource group or subscription, refer to the [move](../../azure-resource-manager/management/move-resource-group-and-subscription.md) article.

+To prepare the source server for replication using the Azure portal, use the following steps:

+1. Confirm you want to stop replication by selecting **OK**.

+In this tutorial, you moved an Azure Database for PostgreSQL server from one region to another by using the Azure portal and then cleaned up the unneeded source resources.

+- Learn more about [business continuity](concepts-business-continuity.md) options

+Unlogged tables is a PostgreSQL feature that can be used effectively to optimize bulk inserts. PostgreSQL uses Write-Ahead Logging (WAL). It provides atomicity and durability, by default. Atomicity, consistency, isolation, and durability make up the ACID properties.

+- Convert an existing logged table to an unlogged table by using the syntax `ALTER TABLE <tableName> SET UNLOGGED`.

+# Optimize query time with the TOAST table storage strategy

+Review your workload for the previous characteristics.

+- [Chapter 68, Database physical storage](https://www.postgresql.org/docs/current/storage-toast.html)

+2. If `azure.replication_support` is not at least REPLICA, set it.

+> To learn more about which regions you can create a replica in, visit the [read replica concepts article](concepts-read-replicas.md).

+> To learn more about which regions you can create a replica in, visit the [read replica concepts article](concepts-read-replicas.md).

+2. From the server's menu, select **Replication**. If Azure replication support is set to at least **Replica**, you can create read replicas.

+1. Select an existing Azure Database for PostgreSQL server to use as the primary server.

+4. Enter a name for the read replica.

+ > To learn more about which regions you can create a replica in, visit the [read replica concepts article](concepts-read-replicas.md).

+To delete a primary server, you use the same steps as to delete a standalone Azure Database for PostgreSQL server.

+The **Max Lag Across Replicas** metric shows the lag in bytes between the primary server and the most-lagging replica.

+3. For your **Aggregation**, select **Max**.

+3. For your **Aggregation**, select **Max**.

+* Learn how to [create and manage read replicas in the Azure CLI and REST API](how-to-read-replicas-cli.md).

+> The time required to complete a restart depends on the PostgreSQL recovery process. To decrease the restart time, we recommend you minimize the amount of activity occurring on the server prior to the restart. You may also want to increase the checkpoint frequency. You can also tune checkpoint related parameter values including `max_wal_size`. It is also recommended to run `CHECKPOINT` command prior to restarting the server to enable faster recovery time. If the `CHECKPOINT` command is not performed prior to restarting the server then it may lead to longer recovery time.

+2. In the toolbar of the server's **Overview** page, select **Restart**.

+3. Select **Yes** to confirm restarting the server.

+> [Create an Azure Database for PostgreSQL server using PowerShell](quickstart-create-postgresql-server-database-using-azure-powershell.md)

+When a server is dropped, the database server backup can be retained up to five days in the service. The database backup can be accessed and restored only from the Azure subscription where the server originally resided. The following recommended steps can be followed to recover a dropped PostgreSQL server resource within 5 days from the time of server deletion. The recommended steps will work only if the backup for the server is still available and not deleted from the system.

+2. In Activity Log, select on **Add filter** as shown and set following filters for the following

+1. Browse to the PostgreSQL [Create Server REST API Page](/rest/api/postgresql/singleserver/servers/create) and select the **Try It** tab highlighted in green. Sign in with your Azure account.

+2. Provide the **resourceGroupName**, **serverName** (deleted server name), **subscriptionId** properties, based on the resourceId attribute JSON value captured in the preceding step 3. The api-version property is pre-populated and can be left as-is, as shown in the following image.

+3. Scroll below on Request Body section and paste the following replacing the "Dropped server Location"(e.g. CentralUS, EastUS etc.), "submissionTimestamp", and "resourceId". For "restorePointInTime", specify a value of "submissionTimestamp" minus **15 minutes** to ensure the command does not error out.

+4. If you see Response Code 201 or 202, the restore request is successfully submitted.

+- To prevent accidental deletion of servers, we highly recommend using [Resource Locks](https://techcommunity.microsoft.com/t5/azure-database-for-PostgreSQL/preventing-the-disaster-of-accidental-deletion-for-your-PostgreSQL/ba-p/825222).

+- This article requires version 2.0 or later of the Azure CLI. If using Azure Cloud Shell, the latest version is already installed.

+You make the choice between configuring your server for either locally redundant backups or geographically redundant backups at server creation.

+While creating a server via the `az postgres server create` command, the `--geo-redundant-backup` parameter decides your Backup Redundancy Option. If `Enabled`, geo redundant backups are taken. Or if `Disabled` locally redundant backups are taken.

+The backup retention period is set by the parameter `--backup-retention-days`.

+You can restore the server to a previous point in time. The restored data is copied to a new server, and the existing server is left as is. For example, if a table is accidentally dropped at noon today, you can restore to the time just before noon. Then, you can retrieve the missing table and data from the restored copy of the server.

+The location and pricing tier values for the restored server remain the same as the original server.

+If you configured your server for geographically redundant backups, a new server can be created from the backup of that existing server. This new server can be created in any region that Azure Database for PostgreSQL is available.

+4. Select **OK** to confirm the change.

+The backup retention period governs how far back in time a point-in-time restore can be retrieved, since it's based on backups available. Point-in-time restore is described further in the following section.

+1. In the Azure portal, select your Azure Database for PostgreSQL server.

+ - **Pricing tier**: You cannot change these parameters when doing a point-in-time restore. It is same as the source server.

+4. Select **OK** to restore the server to restore to a point-in-time.

+If you configured your server for geographically redundant backups, a new server can be created from the backup of that existing server. This new server can be created in any region that Azure Database for PostgreSQL is available.

+3. Provide the subscription, resource group, and name of the new server.

+7. The server will default to values for number of **vCores**, **Backup Retention Period**, **Backup Redundancy Option**, **Engine version**, and **Admin credentials**. Select **Continue**.

+ :::image type="content" source="./media/how-to-restore-server-portal/8-create.png" alt-text="Fill form.":::

+9. Select **Review + create** to review your selections.

+- Learn more about [business continuity](concepts-business-continuity.md) options.

+> [How to generate an Azure Database for PostgreSQL connection string with PowerShell](how-to-connection-string-powershell.md)

+1. On the Azure Database for PostgreSQL - Single server page, under **Settings**, select **Connection security** to open the connection security configuration page.

+1. Select **Save** to save the changes.

+Learn about [how to create alerts on metrics](how-to-alert-on-metric.md)

+* If you see the connection error _sslmode value "***" invalid when SSL support is not compiled in_ error, it means your PostgreSQL client doesn't support SSL. Most probably, the client-side libpq hasn't been compiled with the "--with-openssl" flag. Try connecting with a PostgreSQL client that has SSL support.

+> The concepts explained in this documentation are applicable to both Azure Database for PostgreSQL - Single Server and Azure Database for PostgreSQL - Flexible Server.

+* **Online** method using [Database Migration Service](../../dms/tutorial-azure-postgresql-to-azure-postgresql-online-portal.md) (DMS). This method provides a reduced downtime migration and keeps the target database in-sync with the source and you can choose when to cut-over. However, there are few prerequisites and restrictions to be addressed for using DMS. For details, see the [DMS documentation](../../dms/tutorial-azure-postgresql-to-azure-postgresql-online-portal.md).

+The following table provides some recommendations based on database sizes and scenarios.

+> PostgreSQL dump and restore can be performed in many ways. You may choose to migrate using one of the methods provided in this guide or choose any alternate ways to suit your needs. For detailed dump and restore syntax with additional parameters, see the articles [pg_dump](https://www.postgresql.org/docs/current/static/app-pgdump.html) and [pg_restore](https://www.postgresql.org/docs/current/static/app-pgrestore.html).

+ - Alternatively, you can use [Azure Cloud Shell](https://shell.azure.com) or by selecting the Azure Cloud Shell on the menu bar at the upper right in the [Azure portal](https://portal.azure.com). You will have to login to your account `az login` before running the dump and restore commands.

+- Your PostgreSQL client preferably running in the same region as the source and target servers.

+- You can find the connection string to the source and target databases by selecting the ΓÇ£Connection StringsΓÇ¥ from the portal.

+- If you want to use Azure Cloud Shell, please note that the session times out after 20 minutes. If your database size is < 10 GB, you may be able to complete the upgrade without the session timing out. Otherwise, you may have to keep the session open by other means, such as pressing any key once in 10-15 minutes.

+| **Description** | **Value** |

+| - | - |

+| Source server (v9.5) | pg-95.postgres.database.azure.com |

+| Source database | bench5gb |

+| Source database size | 5 GB |

+| Source user name | pg@pg-95 |

+| Target server (v11) | pg-11.postgres.database.azure.com |

+| Target database | bench5gb |

+| Target user name | pg@pg-11 |

+In this method of upgrade, you first create a dump from the source server using `pg_dump`. Then you restore that dump file to the target server using `pg_restore`. Please see the [Migrate using dump and restore](how-to-migrate-using-dump-and-restore.md) documentation for details.

+If you do not have a PostgreSQL client or you want to use Azure Cloud Shell, then you can use this method. The database dump is streamed directly to the target database server and does not store the dump in the client. Hence, this can be used with a client with limited storage and even can be run from the Azure Cloud Shell.

+As an example, the following table illustrates the time it took to migrate using streaming dump method. The sample data is populated using [pgbench](https://www.postgresql.org/docs/10/pgbench.html). As your database can have different number of objects with varied sizes than pgbench generated tables and indexes, it is highly recommended to test dump and restore of your database to understand the actual time it takes to upgrade your database.

+### Method 4: Using parallel dump and restore

+Will Flexible Server replace Single Server or Will Single Server be retired soon?

+ example, **mydemoserver**. Select to connect to it.

+> [Design your first Azure Database for PostgreSQL using the Azure portal](tutorial-design-database-using-azure-portal.md)

+1. Select **Create a resource** in the upper left-hand corner of the Azure portal.

+ >

+ By default, a **postgres** database is created under your server. The [postgres](https://www.postgresql.org/docs/9.6/static/app-initdb.html) database is a default database that's meant for use by users, utilities, and third-party applications. (The other default database is **azure_maintenance**. Its function is to separate the managed service processes from user actions. You cannot access this database.)

+The Azure Database for PostgreSQL service uses a firewall at the server-level. By default, this firewall prevents all external applications and tools from connecting to the server and any databases on the server unless a firewall rule is created to open the firewall for a specific IP address range.

+1. After the deployment completes, select **All Resources** from the left-hand menu and type in the name **mydemoserver** to search for your newly created server. Select the server name listed in the search result. The **Overview** page for your server opens and provides options for further configuration.

+2. In the server page, select **Connection security**.

+3. Select in the text box under **Rule Name,** and add a new firewall rule to specify the IP range for connectivity. Enter your IP range. Select **Save**.

+4. Select **Save** and then select the **X** to close the **Connections security** page.

+1. From the left-hand menu in the Azure portal, select **All resources** and search for the server you just created.

+2. Select the server name **mydemoserver**.

+1. On the Azure Database for PostgreSQL **Overview** page for your server, select **Restore** on the toolbar. The **Restore** page opens.

+3. Select **OK** to [restore the server to a point-in-time](./how-to-restore-server-portal.md) before the table was deleted. Restoring a server to a different point in time creates a duplicate new server as the original server as of the point in time you specify, provided that it is within the retention period for your [pricing tier](./concepts-pricing-tiers.md).

+In the preceding steps, you created Azure resources in a server group. If you don't expect to need these resources in the future, delete the server group. Press the *Delete* button in the *Overview* page for your server group. When prompted on a pop-up page, confirm the name of the server group and select the final *Delete* button.

+>[Design your first Azure Database for PostgreSQL using Azure CLI](tutorial-design-database-using-azure-cli.md)

+In the preceding steps, you created Azure resources in a server group. If you don't expect to need these resources in the future, delete the server group. Press the *Delete* button in the *Overview* page for your server group. When prompted on a pop-up page, confirm the name of the server group and select the final *Delete* button.

+The [Query Performance Insight](concepts-query-performance-insight.md) view in the Azure portal will surface visualizations on key information from Query Store.

+2. The **Long running queries** tab shows the top 5 queries by average duration per execution, aggregated in 15 minute intervals.

+3. You can select and drag in the chart to narrow down to a specific time window.

+ :::image type="content" source="./media/tutorial-performance-intelligence/query-performance-insight-wait-statistics.png" alt-text="Query Performance Insight wait statistics":::

+4. The **Performance Recommendations** window will show a list of recommendations if any were found.

+In the preceding steps, you created Azure resources in a server group. If you don't expect to need these resources in the future, delete the server group. Press the *Delete* button in the *Overview* page for your server group. When prompted on a pop-up page, confirm the name of the server group and select the final *Delete* button.

+> Learn more about [monitoring and tuning](concepts-monitoring.md) in Azure Database for PostgreSQL.

+ Title: Classification best practices for the Microsoft Purview governance portal

+description: This article provides best practices for classification in the Microsoft Purview governance portal so you can effectively identify sensitive data across your environment.

+# Classification best practices in the Microsoft Purview governance portal

+Data classification in the Microsoft Purview governance portal is a way of categorizing data assets by assigning unique logical labels or classes to the data assets. Classification is based on the business context of the data. For example, you might classify assets by *Passport Number*, *Driver's License Number*, *Credit Card Number*, *SWIFT Code*, *PersonΓÇÖs Name*, and so on. To learn more about classification itself, see our [classification article](concept-classification.md).

+This article describes best practices to adopt when you're classifying data assets, so that your scans will be more effective and you have the most complete information possible about your entire data estate.

+## Scan rule set

+## Annotation management

+## Custom classifications

+* The Microsoft Purview governance portal supports the following two methods for creating custom classification rules:

+## Custom classification archetypes

+### How the "threshold" parameter works in the regular expression

+ If you have a threshold of 55%, only columns **Sample_col1** and **Sample_col2** will be classified. **Sample_col3** won't be classified, because it doesn't meet the 55% threshold criterion.

+### How to use both data and column patterns

+### How to use multiple column patterns

+* You can assign classifications at the asset or column level automatically by including relevant classifications in the scan rule, or you can assign them manually after you ingest the metadata into the Microsoft Purview Data Map.

+* For automatic assignment, see [supported data stores in the Microsoft Purview governance portal](./azure-purview-connector-overview.md).

+* Before you scan your data sources in the Microsoft Purview Data Map, it's important to understand your data and configure the appropriate scan rule set for it (for example, by selecting relevant system classification, custom classifications, or a combination of both), because it could affect your scan performance. For more information, see [supported classifications in the Microsoft Purview governance portal](./supported-classifications.md).

+* The Microsoft Purview scanner applies data sampling rules for deep scans (subject to classification) for both system and custom classifications. The sampling rule is based on the type of data sources. For more information, see the "Sampling within a file" section in [Supported data sources and file types in Microsoft Purview](./sources-and-scans.md#sampling-within-a-file).

+* The sampling rules apply to resource sets as well. For more information, see the "Resource set file sampling" section in [supported data sources and file types in the Microsoft Purview governance portal](./sources-and-scans.md#resource-set-file-sampling).

+ Title: Understand data classification in the Microsoft Purview governance portal

+description: This article explains the concepts behind data classification in the Microsoft Purview governance portal.

+# Data classification in the Microsoft Purview governance portal

+Data classification in the Microsoft Purview governance portal is a way of categorizing data assets by assigning unique logical tags or classes to the data assets. Classification is based on the business context of the data. For example, you might classify assets by *Passport Number*, *Driver's License Number*, *Credit Card Number*, *SWIFT Code*, *PersonΓÇÖs Name*, and so on.

+The Microsoft Purview Data Map provides an automated classification capability while you scan your data sources. You get more than 200+ built-in system classifications and the ability to create custom classifications for your data. You can classify assets automatically when they're configured as part of a scan, or you can edit them manually in the Microsoft Purview governance portal after they're scanned and ingested.

+Classification is the process of organizing data into *logical categories* that make the data easy to retrieve, sort, and identify for future use. This can be important for data governance. Among other reasons, classifying data assets is important because it helps you:

+The Microsoft Purview governance portal supports both system and custom classifications.

+* **System classifications**: 200+ system classifications supported out of the box. For the entire list of available system classifications, see [supported classifications in the Microsoft Purview governance portal](./supported-classifications.md).

+> Sensitivity labels are different from classifications. Sensitivity labels categorize assets in the context of data security and privacy, such as *Highly Confidential*, *Restricted*, *Public*, and so on. To use sensitivity labels in the Microsoft Purview Data Map, you'll need at least one Microsoft 365 license or account within the same Azure Active Directory (Azure AD) tenant as your Microsoft Purview Data Map. For more information about the differences between sensitivity labels and classifications, see [sensitivity labels in the Microsoft Purview governance portal FAQ](sensitivity-labels-frequently-asked-questions.yml#what-is-the-difference-between-classifications-and-sensitivity-labels).

+ 1. Condition to check if data source is registered for [data use management](how-to-enable-data-use-governance.md) (policy)

+ Title: Enable and capture audit logs and time series activity history for applications in the Microsoft Purview governance portal

+description: This tutorial lists the step-by-step configuration required to enable and capture audit logs for applications in the Microsoft Purview governance portal and time series activity history via Azure Diagnostics event hubs.

+# Audit logs, diagnostics, and activity history

+This tutorial lists the step-by-step configuration required to enable and capture audit and diagnostics logs for applications in the Microsoft Purview governance portal via Azure Event Hubs.

+A Microsoft Purview administrator or Microsoft Purview data-source admin needs the ability to monitor audit and diagnostics logs captured from [applications in the Microsoft Purview governance portal](https://azure.microsoft.com/services/purview/#get-started). Audit and diagnostics information consists of the timestamped history of actions taken and changes made to a Microsoft Purview account by every user. Captured activity history includes actions in the [Microsoft Purview governance portal](https://ms.web.purview.azure.com) and outside the portal. Actions outside the portal include calling [Microsoft Purview REST APIs](/rest/api/purview/) to perform write operations.

+This tutorial takes you through the steps to enable audit logging. It also shows you how to configure and capture streaming audit events from the Microsoft Purview governance portal via Azure Diagnostics event hubs.

+## Audit events categories

+Some of the important categories of Microsoft Purview governance portal audit events that are currently available for capture and analysis are listed in the table.

+More types and categories of activity audit events will be added.

+## Enable audit and diagnostics

+The following sections walk you through the process of enabling audit and diagnostics.

+Now that Event Hubs is deployed and created, connect your Microsoft Purview account diagnostics audit logging to Event Hubs.

+1. Go to your Microsoft Purview account home page. This page is where the overview information is displayed in the [Azure portal](https://portal.azure.com). It's not the Microsoft Purview governance portal home page.

+1. Select the **audit** and **allLogs** checkboxes to enable collection of audit logs. Optionally, select **AllMetrics** if you also want to capture Data Map capacity units and Data Map size metrics of the account.

+Now that diagnostics audit logging configuration is complete, configure the data capture and data retention settings for Event Hubs.

+1. At this stage, the Event Hubs configuration is complete. The Microsoft Purview governance portal will start streaming all its audit history and diagnostics data to this event hub. You can now proceed to read, extract, and perform further analytics and operations on the captured diagnostics and audit events.

+To analyze the captured audit and diagnostics log data:

+1. Go to **Process data** on the Event Hubs page to see a preview of the captured audit logs and diagnostics.

+A *custom analyzer* is a user-defined combination of tokenizer, one or more token filters, and one or more character filters. A custom analyzer is specified within a search index, and then referenced on field definitions that require custom analysis. A custom analyzer is invoked on a per-field basis. Attributes on the field will determine whether it's used for indexing, queries, or both.

+In a custom analyzer, character filters prepare the input text before it's processed by the tokenizer (for example, removing markup). Next, the tokenizer breaks text into tokens. Finally, token filters modify the tokens emitted by the tokenizer. For concepts and examples, see [Analyzers in Azure Cognitive Search](search-analyzers.md).

+## Why use a custom analyzer?

+- Disable lexical analysis. Use the Keyword analyzer to create searchable fields that aren't analyzed.

+> Custom analyzers aren't exposed in the Azure portal. The only way to add a custom analyzer is through code that defines an index.

+- Names in a custom analyzer must be unique and can't be the same as any of the built-in analyzers, tokenizers, token filters, or characters filters. It must only contain letters, digits, spaces, dashes or underscores, can only start and end with alphanumeric characters, and is limited to 128 characters.

+The analyzer definition is a part of the larger index. Definitions for char filters, tokenizers, and token filters are added to the index only if you're setting custom options. To use an existing filter or tokenizer as-is, specify it by name in the analyzer definition. For more information, see [Create Index (REST)](/rest/api/searchservice/create-index). For more examples, see [Add analyzers in Azure Cognitive Search](search-analyzers.md#examples).

+Once an analyzer, a tokenizer, a token filter, or a character filter is defined, it can't be modified. New ones can be added to an existing index only if the `allowIndexDowntime` flag is set to true in the index update request:

+If you want to use a built-in analyzer with custom options, creating a custom analyzer is the mechanism by which you specify those options. In contrast, to use a built-in analyzer as-is, you simply need to [reference it by name](search-analyzers.md) in the field definition.

+The analyzer_type is only provided for analyzers that can be customized. If there are no options, as is the case with the keyword analyzer, there's no associated #Microsoft.Azure.Search type.

+ <sup>1</sup> Char Filter Types are always prefixed in code with "#Microsoft.Azure.Search" such that "MappingCharFilter" would actually be specified as "#Microsoft.Azure.Search.MappingCharFilter. We removed the prefix to reduce the width of the table, but please remember to include it in your code. Notice that char_filter_type is only provided for filters that can be customized. If there are no options, as is the case with html_strip, there's no associated #Microsoft.Azure.Search type.

+| microsoft_language_stemming_tokenizer | MicrosoftLanguageStemmingTokenizer| Divides text using language-specific rules and reduces words to their base forms. This tokenizer performs lemmatization. </br></br>**Options** </br></br>maxTokenLength (type: int) - The maximum token length, default: 255, maximum: 300. Tokens longer than the maximum length are split. Tokens longer than 300 characters are first split into tokens of length 300 and then each of those tokens is split based on the maxTokenLength set. </br></br> isSearchTokenizer (type: bool) - Set to true if used as the search tokenizer, set to false if used as the indexing tokenizer. </br></br>language (type: string) - Language to use, default "english". Allowed values include: </br>"arabic", "bangla", "bulgarian", "catalan", "croatian", "czech", "danish", "dutch", "english", "estonian", "finnish", "french", "german", "greek", "gujarati", "hebrew", "hindi", "hungarian", "icelandic", "indonesian", "italian", "kannada", "latvian", "lithuanian", "malay", "malayalam", "marathi", "norwegianBokmaal", "polish", "portuguese", "portugueseBrazilian", "punjabi", "romanian", "russian", "serbianCyrillic", "serbianLatin", "slovak", "slovenian", "spanish", "swedish", "tamil", "telugu", "turkish", "ukrainian", "urdu" |

+ <sup>1</sup> Tokenizer Types are always prefixed in code with "#Microsoft.Azure.Search" such that "ClassicTokenizer" would actually be specified as "#Microsoft.Azure.Search.ClassicTokenizer". We removed the prefix to reduce the width of the table, but please remember to include it in your code. Notice that tokenizer_type is only provided for tokenizers that can be customized. If there are no options, as is the case with the letter tokenizer, there's no associated #Microsoft.Azure.Search type.

+A token filter is used to filter out or modify the tokens generated by a tokenizer. For example, you can specify a lowercase filter that converts all characters to lowercase. You can have multiple token filters in a custom analyzer. Token filters run in the order in which they're listed.

+|[asciifolding](https://lucene.apache.org/core/6_6_1/analyzers-common/org/apache/lucene/analysis/miscellaneous/ASCIIFoldingFilter.html)|AsciiFoldingTokenFilter|Converts alphabetic, numeric, and symbolic Unicode characters which aren't in the first 127 ASCII characters (the "Basic Latin" Unicode block) into their ASCII equivalents, if one exists.<br /><br /> **Options**<br /><br /> preserveOriginal (type: bool) - If true, the original token is kept. The default is false.|

+|[elision](https://lucene.apache.org/core/6_6_1/analyzers-common/org/apache/lucene/analysis/util/ElisionFilter.html)|ElisionTokenFilter|Removes elisions. For example, "l'avion" (the plane) is converted to "avion" (plane).<br /><br /> **Options**<br /><br /> articles (type: string array) - A set of articles to remove. The default is an empty list. If there's no list of articles set, by default all French articles are removed.|

+|[shingle](https://lucene.apache.org/core/6_6_1/analyzers-common/org/apache/lucene/analysis/shingle/ShingleFilter.html)|ShingleTokenFilter|Creates combinations of tokens as a single token.<br /><br /> **Options**<br /><br /> maxShingleSize (type: int) - Defaults to 2.<br /><br /> minShingleSize (type: int) - Defaults to 2.<br /><br /> outputUnigrams (type: bool) - if true, the output stream contains the input tokens (unigrams) as well as shingles. The default is true.<br /><br /> outputUnigramsIfNoShingles (type: bool) - If true, override the behavior of outputUnigrams==false for those times when no shingles are available. The default is false.<br /><br /> tokenSeparator (type: string) - The string to use when joining adjacent tokens to form a shingle. The default is " ".<br /><br /> filterToken (type: string) - The string to insert for each position for which there is no token. The default is "_".|

+|[stopwords](https://lucene.apache.org/core/6_6_1/analyzers-common/org/apache/lucene/analysis/core/StopFilter.html)|StopwordsTokenFilter|Removes stop words from a token stream. By default, the filter uses a predefined stop word list for English.<br /><br /> **Options**<br /><br /> stopwords (type: string array) - A list of stopwords. Can't be specified if a stopwordsList is specified.<br /><br /> stopwordsList (type: string) - A predefined list of stopwords. Can't be specified if "stopwords" is specified. Allowed values include:"arabic", "armenian", "basque", "brazilian", "bulgarian", "catalan", "czech", "danish", "dutch", "english", "finnish", "french", "galician", "german", "greek", "hindi", "hungarian", "indonesian", "irish", "italian", "latvian", "norwegian", "persian", "portuguese", "romanian", "russian", "sorani", "spanish", "swedish", "thai", "turkish", default: "english". Can't be specified if "stopwords" is specified. <br /><br /> ignoreCase (type: bool) - If true, all words are lower cased first. The default is false.<br /><br /> removeTrailing (type: bool) - If true, ignore the last search term if it's a stop word. The default is true.

+For example, in Chinese, Japanese, Korean (CJK), and other Asian languages, a space isn't necessarily a word delimiter. Consider the following Japanese string. Because it has no spaces, a language-agnostic analyzer would likely analyze the entire string as one token, when in fact the string is actually a phrase.

+Indexing with Microsoft analyzers is on average two to three times slower than their Lucene equivalents, depending on the language. Search performance shouldn't be significantly affected for average size queries.

+Set the analyzer during index creation before it's loaded with data.

+ The "analyzer" property is the only property that will accept a language analyzer, and it's used for both indexing and queries. Other analyzer-related properties ("searchAnalyzer" and "indexAnalyzer") won't accept a language analyzer.

+Language analyzers can't be customized. If an analyzer isn't meeting your requirements, create a [custom analyzer](cognitive-search-working-with-skillsets.md) with the microsoft_language_tokenizer or microsoft_language_stemming_tokenizer, and then add filters for pre- and post-tokenization processing.

+ Title: Configure scoring algorithm

+# Configure the scoring algorithm in Azure Cognitive Search

+Depending on the age of your search service, Azure Cognitive Search supports two [scoring algorithms](index-similarity-and-scoring.md) for assigning relevance to results in a full text search query:

+BM25 ranking is the default because it tends to produce search rankings that align better with user expectations. It includes [parameters](#set-bm25-parameters) for tuning results based on factors such as document size. For search services created after July 2020, BM25 is the sole scoring algorithm. If you try to set "similarity" to ClassicSimilarity on a new service, an HTTP 400 error will be returned because that algorithm is not supported by the service.

+ Title: Relevance and scoring

+description: Explains the concepts of relevance and scoring in Azure Cognitive Search, and what a developer can do to customize the scoring result.

+# Relevance and scoring in Azure Cognitive Search

+This article describes relevance and the scoring algorithms used to compute search scores in Azure Cognitive Search. A relevance score applies to matches returned in [full text search](search-lucene-query-architecture.md), where the most relevant matches appear first. Filter queries, autocomplete and suggested queries, wildcard search or fuzzy search queries are not scored or ranked for relevance.

+## Scoring algorithms in Search

+BM25 offers advanced customization options, such as allowing the user to decide how the relevance score scales with the term frequency of matched terms. For more information, see [Configure the scoring algorithm](index-ranking-similarity.md).

+> If you're using a search service that was created before July 2020, the scoring algorithm is most likely the previous default, `ClassicSimilarity`, which you an upgrade on a per-index basis. See [Enable BM25 scoring on older services](index-ranking-similarity.md#enable-bm25-scoring-on-older-services) for details.

+Query types that are *not* full text search, such as filters or fuzzy search, don't go through the analysis phase on the query side. Instead, the parser sends those strings directly to the search engine, using the pattern that you provide as the basis for the match. Typically, these query forms require whole-string tokens to make pattern matching work. To ensure whole terms tokens during indexing, you might need [custom analyzers](index-add-custom-analyzers.md). For more information about when and why query terms are analyzed, see [Full text search in Azure Cognitive Search](search-lucene-query-architecture.md).

+## Specifying analyzers

+1. If you're using a custom analyzer, add it to the search index under the "analyzer" section. For more information, see [Create Index](/rest/api/searchservice/create-index) and also [Add custom analyzers](index-add-custom-analyzers.md).

+1. When defining a field, set it's "analyzer" property to one of the following: a [built-in analyzer](index-add-custom-analyzers.md#built-in-analyzers) such as **keyword**, a [language analyzer](index-add-language-analyzers.md) such as `en.microsoft`, or a custom analyzer (defined in the same index schema).

+1. If you're using a [language analyzer](index-add-language-analyzers.md), you must use the "analyzer" property to specify it. The "searchAnalyzer" and "indexAnalyzer" properties don't apply to language analyzers.

+1. Alternatively, set "indexAnalyzer" and "searchAnalyzer" to vary the analyzer for each workload. These properties work together as a substitute for the "analyzer" property, which must be null. You might use different analyzers for indexing and queries if one of those activities required a specific transformation not needed by the other.

+Because analyzers are used to tokenize terms, you should assign an analyzer when the field is created. In fact, assigning an analyzer or indexAnalyzer to a field that has already been physically created isn't allowed (although you can change the searchAnalyzer property at any time with no impact to the index).

+To change the analyzer of an existing field, you'll have to drop and recreate the entire index (you can't rebuild individual fields). For indexes in production, you can defer a rebuild by creating a new field with the new analyzer assignment, and start using it in place of the old one. Use [Update Index](/rest/api/searchservice/update-index) to incorporate the new field and [mergeOrUpload](/rest/api/searchservice/addupdate-or-delete-documents) to populate it. Later, as part of planned index servicing, you can clean up the index to remove obsolete fields.

+A general rule is to use the same analyzer for both indexing and querying, unless specific requirements dictate otherwise. Be sure to test thoroughly. When text processing differs at search and indexing time, you run the risk of mismatch between query terms and indexed terms when the search and indexing analyzer configurations aren't aligned.

+The Standard analyzer is the default. Suppose you want to replace the default with a different predefined analyzer, such as the pattern analyzer. If you aren't setting custom options, you only need to specify it by name in the field definition.

+Fields containing strings in different languages can use a language analyzer, while other fields retain the default (or use some other predefined or custom analyzer). If you use a language analyzer, it must be used for both indexing and search operations. Fields that use a language analyzer can't have different analyzers for indexing and search.

+description: Create an alias to define a secondary name that can be used to refer to an index for querying, indexing, and other operations.

+Once you've created your alias, you're ready to start using it. Aliases can be used for all [document operations](/rest/api/searchservice/document-operations) including querying, indexing, suggestions, and autocomplete.

+> You can only use an alias with [document operations](/rest/api/searchservice/document-operations). Aliases can't be used to get or update an index definition, can't be used with the Analyze Text API, and can't be used as the `targetIndexName` on an indexer.

+In this article, learn the steps for defining and publishing a search index. Creating an index establishes the physical data structure (folders and files) on your search service. Once the index definition exists, [**loading the index**](search-what-is-data-import.md) follows as a separate task.

+1. Identify a [document key](#document-keys). A document key is an index requirement. It's a single string field and it will be populated from a source data field that contains unique values. For example, if you're indexing from Blob Storage, the metadata storage path is often used as the document key because it uniquely identifies each blob in the container.

+1. Determine whether you'll use the default analyzer (`"analyzer": null`) or a different analyzer. [Analyzers](search-analyzers.md) are used to tokenize text fields during indexing and query execution. If strings are descriptive and semantically rich, or if you have translated strings, consider overriding the default with a [language analyzer](index-add-language-analyzers.md).

+> [!NOTE]

+> Full text search is conducted over terms that are tokenized during indexing. If your queries fail to return the results you expect, [test for tokenization](/rest/api/searchservice/test-analyzer) to verify the string actually exists. You can try different analyzers on strings to see how tokens are produced for various analyzers.

+> [!TIP]

+State-of-the-art pretrained models are used for summarization and ranking. To maintain the fast performance that users expect from search, semantic summarization and ranking are applied to just the top 50 results, as scored by the [default scoring algorithm](index-similarity-and-scoring.md). Using those results as the document corpus, semantic ranking re-scores those results based on the semantic strength of the match.