+Below are the common reasons your application may go into quarantine

+No, the Permissions Management PREVIEW is currently not available for tenants hosted in the European Union (EU).

+Once fully onboarded with data collection setup, customers can access permissions usage insights within hours. Our machine-learning engine refreshes the Permission Creep Index every hour so that customers can start their risk assessment right away.

+## What is the data destruction/decommission process?

+If a customer initiates a free Permissions Management 90-day trial, but does not follow up and convert to a paid license within 90 days of the free trial expiration, we will delete all collected data on or just before 90 days.

+If a customer decides to discontinue licensing the service, we will also delete all previously collected data within 90 days of license termination.

+We also have the ability to remove, export or modify specific data should the Global Admin using the Entra Permissions Management service file an official Data Subject Request. This can be initiated by opening a ticket in the Azure portal [New support request - Microsoft Entra admin center](https://entra.microsoft.com/#blade/Microsoft_Azure_Support/NewSupportRequestV3Blade/callerName/ActiveDirectory/issueType/technical), or alternately contacting your local Microsoft representative.

+## Do I require a license to use Entra Permissions Management?

+Yes, as of July 1st, 2022, new customers must acquire a free 90-trial license or a paid license to use the service. You can enable a trial or purchase licenses here: [https://aka.ms/TryPermissionsManagement](https://aka.ms/TryPermissionsManagement)

+

+## What do I do if IΓÇÖm using Public Preview version of Entra Permissions Management?

+If you are using the Public Preview version of Entra Permissions Management, your current deployment(s) will continue to work through October 1st.

+After October 1st you will need to move over to use the newly released version of the service and enable a 90-day trial or purchase licenses to continue using the service.

+## What do I do if IΓÇÖm using the legacy version of the CloudKnox service?

+We are currently working on developing a migration plan to help customers on the original CloudKnox service move to the new Entra Permissions Management service later in 2022.

+## Can I use Entra Permissions Management in the EU?

+Yes, the product is compliant.

+## How to I enable one of the new 18 languages supported in the GA release?

+We are now localized in 18 languages. We respect your browser setting or you can manually enable your language of choice by adding a query string suffix to your Entra Permissions Management URL:

+`?lang=xx-XX`

+Where xx-XX is one of the following available language parameters: 'cs-CZ', 'de-DE', 'en-US', 'es-ES', 'fr-FR', 'hu-HU', 'id-ID', 'it-IT', 'ja-JP', 'ko-KR', 'nl-NL', 'pl-PL', 'pt-BR', 'pt-PT', 'ru-RU', 'sv-SE', 'tr-TR', 'zh-CN', or 'zh-TW'.

+- For more information about Microsoft's privacy and security terms, seeΓÇ»[Commercial Licensing Terms](https://www.microsoft.com/licensing/terms/product/ForallOnlineServices/all).

+- For more information about Microsoft's data processing and security terms when you subscribe to a product, see [Microsoft Products and Services Data Protection Addendum (DPA)](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA).

+- For more information about MicrosoftΓÇÖs policy and practices for Data Subject Requests for GDPR and CCPA: [https://docs.microsoft.com/en-us/compliance/regulatory/gdpr-dsr-azure](https://docs.microsoft.com/compliance/regulatory/gdpr-dsr-azure).

+- For an overview of Permissions Management, see [What's Permissions Management?](overview.md).

+Select **Enable AWS SSO checkbox**, if the AWS account access is configured through AWS SSO.

+Choose from 3 options to manage AWS accounts.

+#### Option 1: Automatically manage

+Choose this option to automatically detect and add to monitored account list, without additional configuration. Steps to detect list of accounts and onboard for collection:

+- Deploy Master account CFT (Cloudformation template) which creates organization account role that grants permission to OIDC role created earlier to list accounts, OUs and SCPs.

+- If AWS SSO is enabled, organization account CFT also adds policy needed to collect AWS SSO configuration details.

+- Deploy Member account CFT in all the accounts that need to be monitored by Entra Permissions Management. This creates a cross account role that trusts the OIDC role created earlier. The SecurityAudit policy is attached to the role created for data collection.

+Any current or future accounts found get onboarded automatically.

+To view status of onboarding after saving the configuration:

+- Navigate to data collectors tab.

+- Click on the status of the data collector.

+- View accounts on the In Progress page

+#### Option 2: Enter authorization systems

+

+#### Option 3: Select authorization systems

+This option detects all AWS accounts that are accessible through OIDC role access created earlier.

+- Deploy Master account CFT (Cloudformation template) which creates organization account role that grants permission to OIDC role created earlier to list accounts, OUs and SCPs.

+- If AWS SSO is enabled, organization account CFT also adds policy needed to collect AWS SSO configuration details.

+- Deploy Member account CFT in all the accounts that need to be monitored by Entra Permissions Management. This creates a cross account role that trusts the OIDC role created earlier. The SecurityAudit policy is attached to the role created for data collection.

+- Click Verify and Save.

+- Navigate to newly create Data Collector row under AWSdata collectors.

+- Click on Status column when the row has ΓÇ£PendingΓÇ¥ status

+- To onboard and start collection, choose specific ones from the detected list and consent for collection.

+Choose from 3 options to manage Azure subscriptions.

+#### Option 1: Automatically manage

+This option allows subscriptions to be automatically detected and monitored without additional configuration. Steps to detect list of subscriptions and onboard for collection:

+- Grant Reader role to Cloud Infrastructure Entitlement Management application at management group or subscription scope.

+Any current or future subscriptions found get onboarded automatically.

+ To view status of onboarding after saving the configuration:

+1. In the MEPM portal, click the cog on the top right-hand side.

+1. Navigate to data collectors tab.

+1. Click ΓÇÿCreate ConfigurationΓÇÖ

+1. For onboarding mode, select ΓÇÿAutomatically ManageΓÇÖ

+1. Click ΓÇÿVerify Now & SaveΓÇÖ

+1. Collectors will now be listed and change through status types. For each collector listed with a status of ΓÇ£Collected InventoryΓÇ¥, click on that status to view further information.

+1. You can then view subscriptions on the In Progress page

+#### Option 2: Enter authorization systems

+You have the ability to specify only certain subscriptions to manage and monitor with MEPM (up to 10 per collector). Follow the steps below to configure these subscriptions to be monitored:

+1. For each subscription you wish to manage, ensure that the ΓÇÿReaderΓÇÖ role has been granted to Cloud Infrastructure Entitlement Management application for this subscription.

+1. In the MEPM portal, click the cog on the top right-hand side.

+1. Navigate to data collectors tab

+1. Click ΓÇÿCreate ConfigurationΓÇÖ

+1. Select ΓÇÿEnter Authorization SystemsΓÇÖ

+1. Under the Subscription IDs section, enter a desired subscription ID into the input box. Click the ΓÇ£+ΓÇ¥ up to 9 additional times, putting a single subscription ID into each respective input box.

+1. Once you have input all of the desired subscriptions, click next

+1. Click ΓÇÿVerify Now & SaveΓÇÖ

+1. Once the access to read and collect data is verified, collection will begin.

+To view status of onboarding after saving the configuration:

+1. Navigate to data collectors tab.

+1. Click on the status of the data collector.

+1. View subscriptions on the In Progress page

+#### Option 3: Select authorization systems

+This option detects all subscriptions that are accessible by the Cloud Infrastructure Entitlement Management application.

+1. Grant Reader role to Cloud Infrastructure Entitlement Management application at management group or subscription(s) scope.

+1. Click Verify and Save.

+1. Navigate to newly create Data Collector row under Azure data collectors.

+1. Click on Status column when the row has ΓÇ£PendingΓÇ¥ status

+1. To onboard and start collection, choose specific ones subscriptions from the detected list and consent for collection.

+- For information on how to start viewing information about your authorization system in Permissions Management, see [View key statistics and data about your authorization system](ui-dashboard.md).

+ 1. Go to [Entra services](https://entra.microsoft.com) and use your credentials to sign in to [Azure Active Directory](https://ms.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview).

+ 1. In the Azure AD portal, select **Permissions Management**, and then select the link to purchase a license or begin a trial.

+> [!NOTE]

+> There are two ways to enable a trial or a full product license, self-service and volume licensing.

+> For self-service, navigate to the M365 portal at [https://aka.ms/TryPermissionsManagement](https://aka.ms/TryPermissionsManagement) and purchase licenses or sign up for a free trial. The second way is through Volume Licensing or Enterprise agreements. If your organization falls under a volume license or enterprise agreement scenario, please contact your Microsoft representative.

+Permissions Management launches with the **Data Collectors** dashboard.

+Choose from 3 options to manage GCP projects.

+#### Option 1: Automatically manage

+This option allows projects to be automatically detected and monitored without additional configuration. Steps to detect list of projects and onboard for collection:

+- Grant Viewer and Security Reviewer role to service account created in previous step at organization, folder or project scope.

+Any current or future projects found get onboarded automatically.

+To view status of onboarding after saving the configuration:

+- Navigate to data collectors tab.

+- Click on the status of the data collector.

+- View projects on the In Progress page

+#### Option 2: Enter authorization systems

+#### Option 3: Select authorization systems

+This option detects all projects that are accessible by the Cloud Infrastructure Entitlement Management application.

+- Grant Viewer and Security Reviewer role to service account created in previous step at organization, folder or project scope.

+- Click Verify and Save.

+- Navigate to newly create Data Collector row under GCP data collectors.

+- Click on Status column when the row has ΓÇ£PendingΓÇ¥ status

+- To onboard and start collection, choose specific ones from the detected list and consent for collection.

+The purpose of this document is to describe the Azure AD Connect cloud provisioning agent gMSA PowerShell cmdlets. These cmdlets allow you to have more granularity on the permissions that are applied on the service account (gMSA). By default, Azure AD Connect cloud sync applies all permissions similar to Azure AD Connect on the default gMSA or a custom gMSA, during cloud provisioning agent install.

+`Set-AADCloudSyncRestrictedPermissions`

+ Import-Module "C:\Program Files\Microsoft Azure AD Connect Provisioning Agent\Microsoft.CloudSync.Powershell.dll"

+3. These cmdlets require a parameter called `Credential` which can be passed, or will prompt the user if not provided in the command line. Depending on the cmdlet syntax used, these credentials must be an enterprise admin account or, at a minimum, a domain administrator of the target domain where you're setting the permissions.

+4. To create a variable for credentials, use:

+

+5. To set Active Directory permissions for cloud provisioning agent, you can use the following cmdlet. This will grant permissions in the root of the domain allowing the service account to manage on-premises Active Directory objects. See [Using Set-AADCloudSyncPermissions](#using-set-aadcloudsyncpermissions) below for examples on setting the permissions.

+ `Set-AADCloudSyncPermissions -EACredential $credential`

+6. To restrict Active Directory permissions set by default on the cloud provisioning agent account, you can use the following cmdlet. This will increase the security of the service account by disabling permission inheritance and removing all existing permissions, except SELF and Full Control for administrators. See [Using Set-AADCloudSyncRestrictedPermission](#using-set-aadcloudsyncrestrictedpermission) below for examples on restricting the permissions.

+ `Set-AADCloudSyncRestrictedPermission -Credential $credential`

+`Set-AADCloudSyncPermissions` supports the following permission types which are identical to the permissions used by Azure AD Connect Classic Sync (ADSync). The following permission types are supported:

+|All| Applies all the above permissions|

+- [Grant permissions to all configured domains](#grant-permissions-to-all-configured-domains)

+- [Grant permissions to a specific domain](#grant-permissions-to-a-specific-domain)

+## Grant permissions to all configured domains

+$credential = Get-Credential

+Set-AADCloudSyncPermissions -PermissionType "Any mentioned above" -EACredential $credential

+## Grant permissions to a specific domain

+Granting certain permissions to a specific domain will require the use of a TargetDomainCredential that is enterprise admin or, domain admin of the target domain. The TargetDomain has to be already configured through wizard.

+$credential = Get-Credential

+Set-AADCloudSyncPermissions -PermissionType "Any mentioned above" -TargetDomain "FQDN of domain" -TargetDomainCredential $credential

+## Using Set-AADCloudSyncRestrictedPermissions

+For increased security, `Set-AADCloudSyncRestrictedPermissions` will tighten the permissions set on the cloud provisioning agent account itself. Hardening permissions on the cloud provisioning agent account involves the following changes:

+- Disable inheritance

+- Remove all default permissions, except ACEs specific to SELF.

+- Set Full Control permissions for SYSTEM, Administrators, Domain Admins, and Enterprise Admins.

+- Set Read permissions for Authenticated Users and Enterprise Domain Controllers.

+

+ The -Credential parameter is necessary to specify the Administrator account that has the necessary privileges to restrict Active Directory permissions on the cloud provisioning agent account. This is typically the domain or enterprise administrator.

+

+For Example:

+``` powershell

+$credential = Get-Credential

+Set-AADCloudSyncRestrictedPermissions -Credential $credential

+```

+## June 2022

+### Updated articles

+- [B2B direct connect overview](b2b-direct-connect-overview.md)

+- [Configure Microsoft cloud settings for B2B collaboration (Preview)](cross-cloud-settings.md)

+- [Overview: Cross-tenant access with Azure AD External Identities](cross-tenant-access-overview.md)

+- [Configure cross-tenant access settings for B2B collaboration](cross-tenant-access-settings-b2b-collaboration.md)

+- [Configure cross-tenant access settings for B2B direct connect](cross-tenant-access-settings-b2b-direct-connect.md)

+- [External Identities in Azure Active Directory](external-identities-overview.md)

+- [Azure Active Directory B2B collaboration FAQs](faq.yml)

+- [External Identities documentation](index.yml)

+- [Leave an organization as an external user](leave-the-organization.md)

+- [B2B collaboration overview](what-is-b2b.md)

+- [Azure Active Directory External Identities: What's new](whats-new-docs.md)

+- [Quickstart: Add a guest user and send an invitation](b2b-quickstart-add-guest-users-portal.md)

+- [Authentication and Conditional Access for External Identities](authentication-conditional-access.md)

+In Azure Active Directory (Azure AD), you can add users, groups, or devices to an administrative unit to restrict the scope of role permissions. Adding a group to an administrative unit brings the group itself into the management scope of any group administrator who is also scoped to that administrative unit. For additional details on what scoped administrators can do, see [Administrative units in Azure Active Directory](administrative-units.md).

+## Constraints

+Here are some of the constraints for administrative units.

+- Administrative units can't be nested.

+- Administrative unit-scoped user account administrators can't create or delete users.

+- Administrative units are currently not available in [Azure AD Identity Governance](../governance/identity-governance-overview.md).

+## Groups

+Adding a group to an administrative unit brings the group itself into the management scope of the administrative unit, but **not** the members of the group. In other words, an administrator scoped to the administrative unit can manage properties of the group, such as group name or membership, but they cannot manage properties of the users or devices within that group (unless those users and devices are separately added as members of the administrative unit).

+For example, a [User Administrator](permissions-reference.md#user-administrator) scoped to an administrative unit that contains a group can and can't do the following:

+| Permissions | Can do |

+| | |

+| Manage the name of the group | :heavy_check_mark: |

+| Manage the membership of the group | :heavy_check_mark: |

+| Manage the user properties for individual **members** of the group | :x: |

+| Manage the user authentication methods of individual **members** of the group | :x: |

+| Reset the passwords of individual **members** of the group | :x: |

+In order for the [User Administrator](permissions-reference.md#user-administrator) to manage the user properties or user authentication methods of individual members of the group, the group members (users) must be added directly as members of the administrative unit.

+| Read BitLocker recovery keys | :heavy_check_mark: | :heavy_check_mark: | :x: |

+Users with this role can set or reset any authentication method (including passwords) for non-administrators and some roles. Authentication Administrators can require users who are non-administrators or assigned to some roles to re-register against existing non-password credentials (for example, MFA or FIDO), and can also revoke **remember MFA on the device**, which prompts for MFA on the next sign-in. For a list of the roles that an Authentication Administrator can read or update authentication methods, see [Who can reset passwords](#who-can-reset-passwords).

+Authentication Administrators can update sensitive attributes for some users. For a list of the roles that an Authentication Administrator can update sensitive attributes, see [Who can update sensitive attributes](#who-can-update-sensitive-attributes).

+| Role | Manage user's auth methods | Manage per-user MFA | Manage MFA settings | Manage auth method policy | Manage password protection policy | Update sensitive attributes |

+| - | - | - | - | - | - | - |

+| Authentication Administrator | Yes for some users (see above) | Yes for some users (see above) | No | No | No | Yes for some users (see above) |

+| Privileged Authentication Administrator| Yes for all users | Yes for all users | No | No | No | Yes for all users |

+| Authentication Policy Administrator | No |No | Yes | Yes | Yes | No |

+> | microsoft.directory/users/authenticationMethods/standard/read | Read standard properties of authentication methods for users |

+> | microsoft.directory/deletedItems.users/restore | Restore soft deleted users to original state |

+> | microsoft.directory/users/delete | Delete users |

+> | microsoft.directory/users/disable | Disable users |

+> | microsoft.directory/users/enable | Enable users |

+> | microsoft.directory/users/restore | Restore deleted users |

+> | microsoft.directory/users/basic/update | Update basic properties on users |

+> | microsoft.directory/users/manager/update | Update manager for users |

+> | microsoft.directory/users/userPrincipalName/update | Update User Principal Name of users |

+Users with this role can configure the authentication methods policy, tenant-wide MFA settings, and password protection policy. This role grants permission to manage Password Protection settings: smart lockout configurations and updating the custom banned passwords list. Authentication Policy Administrators cannot update sensitive attributes for users.

+| Role | Manage user's auth methods | Manage per-user MFA | Manage MFA settings | Manage auth method policy | Manage password protection policy | Update sensitive attributes |

+| - | - | - | - | - | - | - |

+| Authentication Administrator | Yes for some users (see above) | Yes for some users (see above) | No | No | No | Yes for some users (see above) |

+| Privileged Authentication Administrator| Yes for all users | Yes for all users | No | No | No | Yes for all users |

+| Authentication Policy Administrator | No | No | Yes | Yes | Yes | No |

+> | microsoft.commerce.billing/allEntities/allProperties/allTasks | Manage all aspects of Office 365 billing |

+> | microsoft.directory/crossTenantAccessPolicy/standard/read | Read basic properties of cross-tenant access policy |

+> | microsoft.directory/crossTenantAccessPolicy/allowedCloudEndpoints/update | Update allowed cloud endpoints of cross-tenant access policy |

+> | microsoft.directory/crossTenantAccessPolicy/basic/update | Update basic settings of cross-tenant access policy |

+> | microsoft.directory/crossTenantAccessPolicy/default/standard/read | Read basic properties of the default cross-tenant access policy |

+> | microsoft.directory/crossTenantAccessPolicy/default/b2bCollaboration/update | Update Azure AD B2B collaboration settings of the default cross-tenant access policy |

+> | microsoft.directory/crossTenantAccessPolicy/default/b2bDirectConnect/update | Update Azure AD B2B direct connect settings of the default cross-tenant access policy |

+> | microsoft.directory/crossTenantAccessPolicy/default/crossCloudMeetings/update | Update cross-cloud Teams meeting settings of the default cross-tenant access policy |

+> | microsoft.directory/crossTenantAccessPolicy/default/tenantRestrictions/update | Update tenant restrictions of the default cross-tenant access policy |

+> | microsoft.directory/crossTenantAccessPolicy/partners/create | Create cross-tenant access policy for partners |

+> | microsoft.directory/crossTenantAccessPolicy/partners/delete | Delete cross-tenant access policy for partners |

+> | microsoft.directory/crossTenantAccessPolicy/partners/standard/read | Read basic properties of cross-tenant access policy for partners |

+> | microsoft.directory/crossTenantAccessPolicy/partners/b2bCollaboration/update | Update Azure AD B2B collaboration settings of cross-tenant access policy for partners |

+> | microsoft.directory/crossTenantAccessPolicy/partners/b2bDirectConnect/update | Update Azure AD B2B direct connect settings of cross-tenant access policy for partners |

+> | microsoft.directory/crossTenantAccessPolicy/partners/crossCloudMeetings/update | Update cross-cloud Teams meeting settings of cross-tenant access policy for partners |

+> | microsoft.directory/crossTenantAccessPolicy/partners/tenantRestrictions/update | Update tenant restrictions of cross-tenant access policy for partners |

+> | microsoft.commerce.billing/allEntities/allProperties/allTasks | Manage all aspects of Office 365 billing |

+> | microsoft.directory/crossTenantAccessPolicy/standard/read | Read basic properties of cross-tenant access policy |

+> | microsoft.directory/crossTenantAccessPolicy/default/standard/read | Read basic properties of the default cross-tenant access policy |

+> | microsoft.directory/crossTenantAccessPolicy/partners/standard/read | Read basic properties of cross-tenant access policy for partners |

+> | microsoft.commerce.billing/allEntities/allProperties/read | Read all resources of Office 365 billing |

+Users with this role can change passwords, invalidate refresh tokens, create and manage support requests with Microsoft for Azure and Microsoft 365 services, and monitor service health. Invalidating a refresh token forces the user to sign in again. Whether a Helpdesk Administrator can reset a user's password and invalidate refresh tokens depends on the role the user is assigned. For a list of the roles that a Helpdesk Administrator can reset passwords for and invalidate refresh tokens, see [Who can reset passwords](#who-can-reset-passwords).

+- Create, manage, and run queries

+> | microsoft.commerce.billing/partners/read | |

+> | microsoft.directory/deletedItems.users/restore | Restore soft deleted users to original state |

+> | microsoft.directory/deletedItems.users/restore | Restore soft deleted users to original state |

+Users with this role have limited ability to manage passwords. This role does not grant the ability to manage service requests or monitor service health. Whether a Password Administrator can reset a user's password depends on the role the user is assigned. For a list of the roles that a Password Administrator can reset passwords for, see [Who can reset passwords](#who-can-reset-passwords).

+Users with this role can set or reset any authentication method (including passwords) for any user, including Global Administrators. Privileged Authentication Administrators can force users to re-register against existing non-password credential (such as MFA or FIDO) and revoke 'remember MFA on the device', prompting for MFA on the next sign-in of all users. Privileged Authentication Administrators can update sensitive attributes for all users.

+| Role | Manage user's auth methods | Manage per-user MFA | Manage MFA settings | Manage auth method policy | Manage password protection policy | Update sensitive attributes |

+| - | - | - | - | - | - | - |

+| Authentication Administrator | Yes for some users (see above) | Yes for some users (see above) | No | No | No | Yes for some users (see above) |

+| Privileged Authentication Administrator| Yes for all users | Yes for all users | No | No | No | Yes for all users |

+| Authentication Policy Administrator | No | No | Yes | Yes | Yes | No |

+> | microsoft.directory/deletedItems.users/restore | Restore soft deleted users to original state |

+> | microsoft.directory/users/delete | Delete users |

+> | microsoft.directory/users/disable | Disable users |

+> | microsoft.directory/users/enable | Enable users |

+> | microsoft.directory/users/restore | Restore deleted users |

+> | microsoft.directory/users/basic/update | Update basic properties on users |

+> | microsoft.directory/users/manager/update | Update manager for users |

+> | microsoft.directory/users/userPrincipalName/update | Update User Principal Name of users |

+> | microsoft.directory/crossTenantAccessPolicy/standard/read | Read basic properties of cross-tenant access policy |

+> | microsoft.directory/crossTenantAccessPolicy/allowedCloudEndpoints/update | Update allowed cloud endpoints of cross-tenant access policy |

+> | microsoft.directory/crossTenantAccessPolicy/basic/update | Update basic settings of cross-tenant access policy |

+> | microsoft.directory/crossTenantAccessPolicy/default/standard/read | Read basic properties of the default cross-tenant access policy |

+> | microsoft.directory/crossTenantAccessPolicy/default/b2bCollaboration/update | Update Azure AD B2B collaboration settings of the default cross-tenant access policy |

+> | microsoft.directory/crossTenantAccessPolicy/default/b2bDirectConnect/update | Update Azure AD B2B direct connect settings of the default cross-tenant access policy |

+> | microsoft.directory/crossTenantAccessPolicy/default/crossCloudMeetings/update | Update cross-cloud Teams meeting settings of the default cross-tenant access policy |

+> | microsoft.directory/crossTenantAccessPolicy/default/tenantRestrictions/update | Update tenant restrictions of the default cross-tenant access policy |

+> | microsoft.directory/crossTenantAccessPolicy/partners/create | Create cross-tenant access policy for partners |

+> | microsoft.directory/crossTenantAccessPolicy/partners/delete | Delete cross-tenant access policy for partners |

+> | microsoft.directory/crossTenantAccessPolicy/partners/standard/read | Read basic properties of cross-tenant access policy for partners |

+> | microsoft.directory/crossTenantAccessPolicy/partners/b2bCollaboration/update | Update Azure AD B2B collaboration settings of cross-tenant access policy for partners |

+> | microsoft.directory/crossTenantAccessPolicy/partners/b2bDirectConnect/update | Update Azure AD B2B direct connect settings of cross-tenant access policy for partners |

+> | microsoft.directory/crossTenantAccessPolicy/partners/crossCloudMeetings/update | Update cross-cloud Teams meeting settings of cross-tenant access policy for partners |

+> | microsoft.directory/crossTenantAccessPolicy/partners/tenantRestrictions/update | Update tenant restrictions of cross-tenant access policy for partners |

+> | microsoft.directory/crossTenantAccessPolicy/standard/read | Read basic properties of cross-tenant access policy |

+> | microsoft.directory/crossTenantAccessPolicy/allowedCloudEndpoints/update | Update allowed cloud endpoints of cross-tenant access policy |

+> | microsoft.directory/crossTenantAccessPolicy/basic/update | Update basic settings of cross-tenant access policy |

+> | microsoft.directory/crossTenantAccessPolicy/default/standard/read | Read basic properties of the default cross-tenant access policy |

+> | microsoft.directory/crossTenantAccessPolicy/default/b2bCollaboration/update | Update Azure AD B2B collaboration settings of the default cross-tenant access policy |

+> | microsoft.directory/crossTenantAccessPolicy/default/b2bDirectConnect/update | Update Azure AD B2B direct connect settings of the default cross-tenant access policy |

+> | microsoft.directory/crossTenantAccessPolicy/default/crossCloudMeetings/update | Update cross-cloud Teams meeting settings of the default cross-tenant access policy |

+> | microsoft.directory/crossTenantAccessPolicy/default/tenantRestrictions/update | Update tenant restrictions of the default cross-tenant access policy |

+> | microsoft.directory/crossTenantAccessPolicy/partners/create | Create cross-tenant access policy for partners |

+> | microsoft.directory/crossTenantAccessPolicy/partners/delete | Delete cross-tenant access policy for partners |

+> | microsoft.directory/crossTenantAccessPolicy/partners/standard/read | Read basic properties of cross-tenant access policy for partners |

+> | microsoft.directory/crossTenantAccessPolicy/partners/b2bCollaboration/update | Update Azure AD B2B collaboration settings of cross-tenant access policy for partners |

+> | microsoft.directory/crossTenantAccessPolicy/partners/b2bDirectConnect/update | Update Azure AD B2B direct connect settings of cross-tenant access policy for partners |

+> | microsoft.directory/crossTenantAccessPolicy/partners/crossCloudMeetings/update | Update cross-cloud Teams meeting settings of cross-tenant access policy for partners |

+> | microsoft.directory/crossTenantAccessPolicy/partners/tenantRestrictions/update | Update tenant restrictions of cross-tenant access policy for partners |

+| Invalidate refresh Tokens<br/>Reset password | For a list of the roles that a User Administrator can reset passwords for and invalidate refresh tokens, see [Who can reset passwords](#who-can-reset-passwords). |

+| Update sensitive attributes | For a list of the roles that a User Administrator can update sensitive attributes for, see [Who can update sensitive attributes](#who-can-update-sensitive-attributes). |

+> | microsoft.directory/users/authenticationMethods/create | Create authentication methods for users |

+> | microsoft.directory/users/authenticationMethods/delete | Delete authentication methods for users |

+> | microsoft.directory/users/authenticationMethods/standard/read | Read standard properties of authentication methods for users |

+> | microsoft.directory/users/authenticationMethods/basic/update | Update basic properties of authentication methods for users |

+> | microsoft.directory/deletedItems.users/restore | Restore soft deleted users to original state |

+## Who can reset passwords

+In the following table, the columns list the roles that can reset passwords. The rows list the roles for which their password can be reset.

+Role that password can be reset | Password Admin | Helpdesk Admin | Auth Admin | User Admin | Privileged Auth Admin | Global Admin

+Auth Admin | &nbsp; | &nbsp; | :heavy_check_mark: | &nbsp; | :heavy_check_mark: | :heavy_check_mark:

+Privileged Auth Admin | &nbsp; | &nbsp; | &nbsp; | &nbsp; | :heavy_check_mark: | :heavy_check_mark:

+## Who can update sensitive attributes

+Some administrators can update the following sensitive attributes for some users. All users can read these sensitive attributes.

+- accountEnabled

+- businessPhones

+- mobilePhone

+- onPremisesImmutableId

+- otherMails

+- passwordProfile

+- userPrincipalName

+In the following table, the columns list the roles that can update the sensitive attributes. The rows list the roles for which their sensitive attributes can be updated.

+The following table is for roles assigned at the scope of a tenant. For roles assigned at the scope of an administrative unit, [further restrictions apply](admin-units-assign-roles.md#roles-that-can-be-assigned-with-administrative-unit-scope).

+Role that sensitive attributes can be updated | Auth Admin | User Admin | Privileged Auth Admin | Global Admin

+ | | | |

+Auth Admin | :heavy_check_mark: | &nbsp; | :heavy_check_mark: | :heavy_check_mark:

+Directory Readers | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:

+Global Admin | &nbsp; | &nbsp; | :heavy_check_mark: | :heavy_check_mark:

+Groups Admin | &nbsp; | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:

+Guest Inviter | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:

+Helpdesk Admin | &nbsp; | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:

+Message Center Reader | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:

+Password Admin | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:

+Privileged Auth Admin | &nbsp; | &nbsp; | :heavy_check_mark: | :heavy_check_mark:

+Privileged Role Admin | &nbsp; | &nbsp; | :heavy_check_mark: | :heavy_check_mark:

+Reports Reader | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:

+User<br/>(no admin role) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:

+User<br/>(no admin role, but member or owner of a role-assignable group) | &nbsp; | &nbsp; | :heavy_check_mark: | :heavy_check_mark:

+User Admin | &nbsp; | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:

+Usage Summary Reports Reader | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:

+OPERATOR_VERSION=0.8.2

+wget https://raw.githubusercontent.com/OpenLiberty/open-liberty-operator/main/deploy/releases/${OPERATOR_VERSION}/kustomize/overlays/watch-all-namespaces/olo-all-namespaces.yaml -q -P ./overlays/watch-all-namespaces

+wget https://raw.githubusercontent.com/OpenLiberty/open-liberty-operator/main/deploy/releases/${OPERATOR_VERSION}/kustomize/overlays/watch-all-namespaces/cluster-roles.yaml -q -P ./overlays/watch-all-namespaces

+wget https://raw.githubusercontent.com/OpenLiberty/open-liberty-operator/main/deploy/releases/${OPERATOR_VERSION}/kustomize/overlays/watch-all-namespaces/kustomization.yaml -q -P ./overlays/watch-all-namespaces

+wget https://raw.githubusercontent.com/OpenLiberty/open-liberty-operator/main/deploy/releases/${OPERATOR_VERSION}/kustomize/base/kustomization.yaml -q -P ./base

+wget https://raw.githubusercontent.com/OpenLiberty/open-liberty-operator/main/deploy/releases/${OPERATOR_VERSION}/kustomize/base/open-liberty-crd.yaml -q -P ./base

+wget https://raw.githubusercontent.com/OpenLiberty/open-liberty-operator/main/deploy/releases/${OPERATOR_VERSION}/kustomize/base/open-liberty-operator.yaml -q -P ./base

+az aks create -g myResourceGroup -n myAKSCluster --enable-managed-identity --node-count 1 --enable-addons monitoring

+[aks-solution-guidance]: /azure/architecture/reference-architectures/containers/aks-start-here?WT.mc_id=AKSDOCSPAGE

+- [Self-hosted gateway configuration settings](self-hosted-gateway-settings-reference.md)

+ Title: Reference - Self-hosted gateway settings - Azure API Management

+description: Reference for the required and optional settings to configure the Azure API Management self-hosted gateway.

+# Reference: Self-hosted gateway configuration settings

+This article provides a reference for required and optional settings that are used to configure the API Management [self-hosted gateway](self-hosted-gateway-overview.md).

+> [!IMPORTANT]

+> This reference applies only to the self-hosted gateway v2.

+## Deployment

+| Name | Description | Required | Default |

+|-||-|-|

+| config.service.endpoint | Configuration endpoint in Azure API Management for the self-hosted gateway. Find this value in the Azure portal under **Gateways** > **Deployment**. | Yes | N/A |

+| config.service.auth | Access token (authentication key) of the self-hosted gateway. Find this value in the Azure portal under **Gateways** > **Deployment**. | Yes | N/A |

+## Metrics

+| Name | Description | Required | Default |

+|-||-|-|

+| telemetry.metrics.local | Enable [local metrics collection](how-to-configure-local-metrics-logs.md) through StatsD. Value is one of the following: `none`, `statsd`. | No | `none` |

+| telemetry.metrics.local.statsd.endpoint | StatsD endpoint. | Yes, if `telemetry.metrics.local` is set to `statsd`; otherwise no. | N/A |

+| telemetry.metrics.local.statsd.sampling | StatsD metrics sampling rate. Value must be between 0 and 1, for example, 0.5. | No | N/A |

+| telemetry.metrics.local.statsd.tag-format | StatsD exporter [tagging format](https://github.com/prometheus/statsd_exporter#tagging-extensions). Value is one of the following: `ibrato`, `dogStatsD`, `influxDB`. | No | N/A |

+| telemetry.metrics.cloud | Whether or not to [enable emitting metrics to Azure Monitor](how-to-configure-cloud-metrics-logs.md). | No | `true` |

+| observability.opentelemetry.enabled | Whether or not to enable [emitting metrics to an OpenTelemetry collector](how-to-deploy-self-hosted-gateway-kubernetes-opentelemetry.md) on Kubernetes. | No | `false` |

+| observability.opentelemetry.collector.uri | URI of the OpenTelemetry collector to send metrics to. | Yes, if `observability.opentelemetry.enabled` is set to `true`; otherwise no. | N/A |

+| observability.opentelemetry.histogram.buckets | Histogram buckets in which OpenTelemetry metrics should be reported. Format: "*x,y,z*,...". | No | "5,10,25,50,100,250,500,1000,2500,5000,10000" |

+## Logs

+| Name | Description | Required | Default |

+| - | - | - | -|

+| telemetry.logs.std |[Enable logging](how-to-configure-local-metrics-logs.md#logs) to a standard stream. Value is one of the following: `none`, `text`, `json`. | No | `text` |

+| telemetry.logs.local | [Enable local logging](how-to-configure-local-metrics-logs.md#logs). Value is one of the following: `none`, `auto`, `localsyslog`, `rfc5424`, `journal`, `json` | No | `auto` |

+| telemetry.logs.local.localsyslog.endpoint | localsyslog endpoint. | Yes if `telemetry.logs.local` is set to `localsyslog`; otherwise no. | N/A |

+| telemetry.logs.local.localsyslog.facility | Specifies localsyslog [facility code](https://en.wikipedia.org/wiki/Syslog#Facility), for example, `7`. | No | N/A |

+| telemetry.logs.local.rfc5424.endpoint | rfc5424 endpoint. | Yes if `telemetry.logs.local` is set to `rfc5424`; otherwise no. | N/A |

+| telemetry.logs.local.rfc5424.facility | Facility code per [rfc5424](https://tools.ietf.org/html/rfc5424), for example, `7` | No | N/A |

+| telemetry.logs.local.journal.endpoint | Journal endpoint. |Yes if `telemetry.logs.local` is set to `journal`; otherwise no. | N/A |

+| telemetry.logs.local.json.endpoint | UDP endpoint that accepts JSON data, specified as file path, IP:port, or hostname:port. | Yes if `telemetry.logs.local` is set to `json`; otherwise no. | 127.0.0.1:8888 |

+## Ciphers

+| Name | Description | Required | Default |

+| - | - | - | -|

+| net.server.tls.ciphers.allowed-suites | Comma-separated list of ciphers to use for TLS connection between API client and the self-hosted gateway. | No | N/A |

+| net.client.tls.ciphers.allowed-suites | Comma-separated list of ciphers to use for TLS connection between the self-hosted gateway and the backend. | No | N/A |

+## How to configure settings

+### Kubernetes YAML file

+When deploying the self-hosted gateway to Kubernetes using a [YAML file](how-to-deploy-self-hosted-gateway-kubernetes.md), configure settings as name-value pairs in the `data` element of the gateway's ConfigMap. For example:

+```yml

+apiVersion: v1

+ kind: ConfigMap

+ metadata:

+ name: contoso-gateway-environment

+ data:

+ config.service.endpoint: "contoso.configuration.azure-api.net"

+ telemetry.logs.std: "text"

+ telemetry.logs.local.localsyslog.endpoint: "/dev/log"

+ telemetry.logs.local.localsyslog.facility: "7"

+[...]

+```

+### Helm chart

+When using [Helm](how-to-deploy-self-hosted-gateway-kubernetes-helm.md) to deploy the self-hosted gateway to Kubernetes, pass [chart configuration settings](https://artifacthub.io/packages/helm/azure-api-management/azure-api-management-gateway) as parameters to the `helm install` command. For example:

+```

+helm install azure-api-management-gateway \

+ --set gateway.configuration.uri='contoso.configuration.azure-api.net' \

+ --set gateway.auth.key='GatewayKey contosogw&xxxxxxxxxxxxxx...' \

+ --set secret.createSecret=false \

+ --set secret.existingSecretName=`mysecret` \

+ azure-apim-gateway/azure-api-management-gateway

+```

+## Next steps

+- Learn more about guidance for [running the self-hosted gateway on Kubernetes in production](how-to-self-hosted-gateway-on-kubernetes-in-production.md)

+- [Deploy self-hosted gateway to Docker](how-to-deploy-self-hosted-gateway-docker.md)

+- [Deploy self-hosted gateway to Kubernetes](how-to-deploy-self-hosted-gateway-kubernetes.md)

+- [Deploy self-hosted gateway to Azure Arc-enabled Kubernetes cluster](how-to-deploy-self-hosted-gateway-azure-arc.md)

+Back up and restore **Standard**, **Premium**, **Isolated**. For more information about scaling your App Service plan to use a higher tier, see [Scale up an app in Azure](manage-scale-up.md).

+ To restore app content only and not the app configuration, use the `--restore-content-only` parameter. For more information, see [az webapp config snapshot restore](/cli/azure/webapp/config/snapshot#az-webapp-config-snapshot-restore).

+ --runtime 'NODE|14-lts'

+ --deployment-container-image-name mcr.microsoft.com/appsvc/node:14-lts

+> This should take you to the new fork. Your fork URL will look something like this: `https://github.com/YOUR_GITHUB_ACCOUNT_NAME/php-docs-hello-world`

+## Why can't I create new Automation job in West Europe region?

+You might experience a delay or failure of job creation because of scalability issues in West Europe region. For more information, see [creation of new Automation job in West Europe region](./troubleshoot/runbooks.md#scenario-unable-to-create-new-automation-job-in-west-europe-region).

+1. If the following permissions are not assigned for Custom users, jobs might get suspended. Add these permission to the Hybrid Runbook Worker account on the runbook worker machine, instead of adding the account to **Administrators** group because the `Filtered Token` feature of UAC would grant standard user rights to this account when logging-in. For more details, refer to - [Information about UAC on Windows Server](/troubleshoot/windows-server/windows-security/disable-user-account-control#more-information).

+* For a PowerShell cmdlet reference, see [Az.Automation](/powershell/module/az.automation).

+## Scenario: Unable to create new Automation job in West Europe region

+### Issue

+When creating new Automation jobs, you might experience a delay or failure of job creation.

+### Cause

+This is because of scalability limits with the Automation service in the West Europe region.

+### Resolution

+Do one of the following actions if it is feasible as per your requirement and environment to reduce the chance of failure:

+- During the peak hours of job creation, typically on the hour, and half hour, move the job start time to five minutes before or after the hour/half hour.

+- Run the Automation jobs from alternate data centres until the transition work is complete.

+>[!NOTE]

+> The optimization of existing load and transitioning the load to a new design by the product group is in progress.

+# [Azure Cloud](#tab/azure-cloud)

+# [Azure Government](#tab/azure-government)

+| Agent resource | Description | When required| Endpoint used with private link |

+|||--||

+|`aka.ms`|Used to resolve the download script during installation|At installation time, only| Public |

+|`download.microsoft.com`|Used to download the Windows installation package|At installation time, only| Public |

+|`packages.microsoft.com`|Used to download the Linux installation package|At installation time, only| Public |

+|`login.microsoftonline.us`|Azure Active Directory|Always| Public |

+|`pasff.usgovcloudapi.net`|Azure Active Directory|Always| Public |

+|`management.usgovcloudapi.net`|Azure Resource Manager - to create or delete the Arc server resource|When connecting or disconnecting a server, only| Public, unless a [resource management private link](../../azure-resource-manager/management/create-private-link-access-portal.md) is also configured |

+|`*.his.arc.azure.us`|Metadata and hybrid identity services|Always| Private |

+|`*.guestconfiguration.azure.us`| Extension management and guest configuration services |Always| Private |

+|`*.blob.core.usgovcloudapi.net`|Download source for Azure Arc-enabled servers extensions|Always, except when using private endpoints| Not used when private link is configured |

+|`dc.applicationinsights.us`|Agent telemetry|Optional| Public |

+* Distributed In Memory Session State Provider such as Azure Cache for Redis Session State Provider - This provider gives you the best of both worlds. Your Web App can have a simple, fast, and scalable Session State Provider. Because this provider stores the Session state in a Cache, your app has to take in consideration all the characteristics associated when talking to a Distributed In Memory Cache, such as transient network failures. For best practices on using Cache, see [Caching guidance](/azure/architecture/best-practices/caching) from Microsoft Patterns & Practices Azure Cloud Application Design and Implementation Guidance.

+description: Learn about how Azure Functions Consumption plan hosting lets you run your code in an environment that scales dynamically, but you only pay for resources used during execution.

+> [!WARNING]

+> Be aware that the Azure Functions v4 preview bundles do not yet support Cosmos DB bindings for Java function apps. For more information, see [Azure Cosmos DB trigger and bindings reference documentation](../functions-bindings-cosmosdb-v2.md?tabs=in-process%2Cextensionv4&pivots=programming-language-java#install-bundle).

+## WEBSITE\_OVERRIDE\_STICKY\_EXTENSION\_VERSIONS

+By default, the version settings for function apps are specific to each slot. This setting is used when upgrading functions by using [deployment slots](functions-deployment-slots.md). This prevents unanticipated behavior due to changing versions after a swap. Set to `0` in production and in the slot to make sure that all version settings are also swapped. For more information, see [Migrate using slots](functions-versions.md#migrate-using-slots).

+|Key|Sample value|

+|||

+|WEBSITE\_OVERRIDE\_STICKY\_EXTENSION\_VERSIONS|`0`|

+## WEBSITE\_SKIP\_CONTENTSHARE\_VALIDATION

+The [WEBSITE_CONTENTAZUREFILECONNECTIONSTRING](#website_contentazurefileconnectionstring) and [WEBSITE_CONTENTSHARE](#website_contentshare) settings have additional validation checks to ensure that the app can be properly started. Creation of application settings will fail if the Function App cannot properly call out to the downstream Storage Account or Key Vault due to networking constraints or other limiting factors. When WEBSITE_SKIP_CONTENTSHARE_VALIDATION is set to `1`, the validation check is skipped; otherwise the value defaults to `0` and the validation will take place.

+|Key|Sample value|

+|||

+|WEBSITE_SKIP_CONTENTSHARE_VALIDATION|`1`|

+If validation is skipped and either the connection string or content share are not valid, the app will be unable to start properly and will only serve HTTP 500 errors.

+ logging.warn(

+- **Minimize restarts**: Changing app settings in a production slot requires a restart of the running app. You can instead change settings in a staging slot and swap the settings change into productions with a prewarmed instance. This is the recommended way to upgrade between Functions runtime versions while maintaining the highest availability. To learn more, see [Minimum downtime upgrade](functions-versions.md#minimum-downtime-upgrade).

+ JAVA_VERSION: '1.8.x' # set this to the java version to use

+| 4.x (recommended) | PowerShell 7.2 (preview)<br/>PowerShell 7 (recommended) | .NET 6 |

+| 3.x | PowerShell 7<br/>PowerShell Core 6 | .NET Core 3.1<br/>.NET Core 2.1 |

+To request a specific Python version when you create your function app in Azure, use the `--runtime-version` option of the [`az functionapp create`](/cli/azure/functionapp#az-functionapp-create) command. The `--functions-version` option sets the Azure Functions runtime version.

+### Local Python version

+When running locally, the Azure Functions Core Tools uses the available Python version.

+> Beginning on December 3, 2022, function apps running on versions 2.x and 3.x of the Azure Functions runtime can no longer be supported. Before that time, please test, verify, and migrate your function apps to version 4.x of the Functions runtime. For more information, see [Migrating from 3.x to 4.x](#migrating-from-3x-to-4x).

+>End of support for these runtime versions is due to the ending of support for .NET Core 3.1, which is required by these older runtime versions. This requirement affects all Azure Functions runtime languages.

+Before making a change to the major version of the runtime, you should first test your existing code on the new runtime version. You can verify your app runs correctly after the upgrade by deploying to another function app running on the latest major version. You can also verify your code locally by using the runtime-specific version of the [Azure Functions Core Tools](functions-run-local.md), which includes the Functions runtime.

+To resolve issues your function app may have when running on the latest major version, you have to temporarily pin your app to a specific minor version. Pinning gives you time to get your app running correctly on the latest major version. The way that you pin to a minor version differs between Windows and Linux. To learn more, see [How to target Azure Functions runtime versions](set-runtime-version.md).

+If you receive a warning about a package not meeting a minimum required version, you should update that NuGet package to the minimum version as you normally would. The minimum version requirements for extensions used in Functions v4.x can be found in [the linked configuration file](https://github.com/Azure/azure-functions-host/blob/v4.x/src/WebJobs.Script/extensionrequirements.json).

+Azure Functions version 4.x is highly backwards compatible to version 3.x. Most apps should safely upgrade to 4.x without requiring significant code changes. An upgrade is initiated when you set the `FUNCTIONS_EXTENSION_VERSION` app setting to a value of `~4`. For function apps running on Windows, you also need to set the `netFrameworkVersion` site setting to target .NET 6.

+Before you upgrade your app to version 4.x of the Functions runtime, you should do the following tasks:

+* Review the list of [breaking changes between 3.x and 4.x](#breaking-changes-between-3x-and-4x).

+* [Run the pre-upgrade validator](#run-the-pre-upgrade-validator).

+* When possible, [upgrade your local project environment to version 4.x](#upgrade-your-local-project). Fully test your app locally using version 4.x of the [Azure Functions Core Tools](functions-run-local.md). When you use Visual Studio to publish a version 4.x project to an existing function app at a lower version, you're prompted to let Visual Studio upgrade the function app to version 4.x during deployment. This upgrade uses the same process defined in [Migrate without slots](#migrate-without-slots).

+* Consider using a [staging slot](functions-deployment-slots.md) to test and verify your app in Azure on the new runtime version. You can then deploy your app with the updated version settings to the production slot. For more information, see [Migrate using slots](#migrate-using-slots).

+### Run the pre-upgrade validator

+Azure Functions provides a pre-upgrade validator to help you identify potential issues when migrating your function app to 4.x. To run the pre-upgrade validator:

+1. In the [Azure portal](https://portal.azure.com), navigate to your function app.

+1. Open the **Diagnose and solve problems** page.

+1. In **Function App Diagnostics**, start typing `Functions 4.x Pre-Upgrade Validator` and then choose it from the list.

+1. After validation completes, review the recommendations and address any issues in your app. If you need to make changes to your app, make sure to validate the changes against version 4.x of the Functions runtime, either [locally using Azure Functions Core Tools v4](#upgrade-your-local-project) or by [using a staging slot](#migrate-using-slots).

+### Migrate without slots

+The simplest way to upgrade to v4.x is to set the `FUNCTIONS_EXTENSION_VERSION` application setting to `~4` on your function app in Azure. When your function app runs on Windows, you also need to update the `netFrameworkVersion` site setting in Azure. You must follow a [different procedure](#migrate-using-slots) on a site with slots.

+# [Azure CLI](#tab/azure-cli)

+```azurecli

+az functionapp config appsettings set --settings FUNCTIONS_EXTENSION_VERSION=~4 -g <RESOURCE_GROUP_NAME> -n <APP_NAME>

+# [Azure PowerShell](#tab/azure-powershell)

+```azurepowershell

+Update-AzFunctionAppSetting -AppSetting @{FUNCTIONS_EXTENSION_VERSION = "~4"} -Name <APP_NAME> -ResourceGroupName <RESOURCE_GROUP_NAME> -Force

+```

+When running on Windows, you also need to enable .NET 6.0, which is required by version 4.x of the runtime.

+# [Azure CLI](#tab/azure-cli)

+```azurecli

+az functionapp config set --net-framework-version v6.0 -g <RESOURCE_GROUP_NAME> -n <APP_NAME>

+```

+# [Azure PowerShell](#tab/azure-powershell)

+```azurepowershell

+Set-AzWebApp -NetFrameworkVersion v6.0 -Name <APP_NAME> -ResourceGroupName <RESOURCE_GROUP_NAME>

+```

+In these examples, replace `<APP_NAME>` with the name of your function app and `<RESOURCE_GROUP_NAME>` with the name of the resource group.

+### Migrate using slots

+Using [deployment slots](functions-deployment-slots.md) is a good way to migrate your function app to the v4.x runtime from a previous version. By using a staging slot, you can run your app on the new runtime version in the staging slot and switch to production after verification. Slots also provide a way to minimize downtime during upgrade. If you need to minimize downtime, follow the steps in [Minimum downtime upgrade](#minimum-downtime-upgrade).

+After you've verified your app in the upgraded slot, you can swap the app and new version settings into production. This swap requires setting [`WEBSITE_OVERRIDE_STICKY_EXTENSION_VERSIONS=0`](functions-app-settings.md#website_override_sticky_extension_versions) in the production slot. How you add this setting affects the amount of downtime required for the upgrade.

+#### Standard upgrade

+If your slot-enabled function app can handle the downtime of a full restart, you can update the `WEBSITE_OVERRIDE_STICKY_EXTENSION_VERSIONS` setting directly in the production slot. Because changing this setting directly in the production slot causes a restart that impacts availability, consider doing this change at a time of reduced traffic. You can then swap in the upgraded version from the staging slot.

+The [`Update-AzFunctionAppSetting`](/powershell/module/az.functions/update-azfunctionappsetting) PowerShell cmdlet doesn't currently support slots. You must use Azure CLI or the Azure portal.

+1. Use the following command to set `WEBSITE_OVERRIDE_STICKY_EXTENSION_VERSIONS=0` in the production slot:

+ ```azurecli

+ az functionapp config appsettings set --settings WEBSITE_OVERRIDE_STICKY_EXTENSION_VERSIONS=0 -g <RESOURCE_GROUP_NAME> -n <APP_NAME>

+ ```

+ This command causes the app running in the production slot to restart.

+1. Use the following command to also set `WEBSITE_OVERRIDE_STICKY_EXTENSION_VERSIONS` in the staging slot:

+ ```azurecli

+ az functionapp config appsettings set --settings WEBSITE_OVERRIDE_STICKY_EXTENSION_VERSIONS=0 -g <RESOURCE_GROUP_NAME> -n <APP_NAME> --slot <SLOT_NAME>

+ ```

+1. Use the following command to change `FUNCTIONS_EXTENSION_VERSION` and upgrade the staging slot to the new runtime version:

+ ```azurecli

+ az functionapp config appsettings set --settings FUNCTIONS_EXTENSION_VERSION=~4 -g <RESOURCE_GROUP_NAME> -n <APP_NAME> --slot <SLOT_NAME>

+ ```

+1. (Windows only) For function apps running on Windows, use the following command so that the runtime can run on .NET 6:

+

+ ```azurecli

+ az functionapp config set --net-framework-version v6.0 -g <RESOURCE_GROUP_NAME> -n <APP_NAME> --slot <SLOT_NAME>

+ ```

+ Version 4.x of the Functions runtime requires .NET 6 when running on Windows.

+1. If your code project required any updates to run on version 4.x, deploy those updates to the staging slot now.

+1. Confirm that your function app runs correctly in the upgraded staging environment before swapping.

+1. Use the following command to swap the upgraded staging slot to production:

+ ```azurecli

+ az functionapp deployment slot swap -g <RESOURCE_GROUP_NAME> -n <APP_NAME> --slot <SLOT_NAME> --target-slot production

+ ```

+#### Minimum downtime upgrade

+To minimize the downtime in your production app, you can swap the `WEBSITE_OVERRIDE_STICKY_EXTENSION_VERSIONS` setting from the staging slot into production. After that, you can swap in the upgraded version from a prewarmed staging slot.

+1. Use the following command to set `WEBSITE_OVERRIDE_STICKY_EXTENSION_VERSIONS=0` in the staging slot:

+ ```azurecli

+ az functionapp config appsettings set --settings WEBSITE_OVERRIDE_STICKY_EXTENSION_VERSIONS=0 -g <RESOURCE_GROUP_NAME> -n <APP_NAME> --slot <SLOT_NAME>

+ ```

+1. Use the following commands to swap the slot with the new setting into production, and at the same time restore the version setting in the staging slot.

+ ```azurecli

+ az functionapp deployment slot swap -g <RESOURCE_GROUP_NAME> -n <APP_NAME> --slot <SLOT_NAME> --target-slot production

+ az functionapp config appsettings set --settings FUNCTIONS_EXTENSION_VERSION=~3 -g <RESOURCE_GROUP_NAME> -n <APP_NAME> --slot <SLOT_NAME>

+ ```

+ You may see errors from the staging slot during the time between the swap and the runtime version being restored on staging. This can happen because having `WEBSITE_OVERRIDE_STICKY_EXTENSION_VERSIONS=0` only in staging during a swap removes the `FUNCTIONS_EXTENSION_VERSION` setting in staging. Without the version setting, your slot is in a bad state. Updating the version in the staging slot right after the swap should put the slot back into a good state, and you call roll back your changes if needed. However, any rollback of the swap also requires you to directly remove `WEBSITE_OVERRIDE_STICKY_EXTENSION_VERSIONS=0` from production before the swap back to prevent the same errors in production seen in staging. This change in the production setting would then cause a restart.

+1. Use the following command to again set `WEBSITE_OVERRIDE_STICKY_EXTENSION_VERSIONS=0` in the staging slot:

+ ```azurecli

+ az functionapp config appsettings set --settings WEBSITE_OVERRIDE_STICKY_EXTENSION_VERSIONS=0 -g <RESOURCE_GROUP_NAME> -n <APP_NAME> --slot <SLOT_NAME>

+ ```

+ At this point, both slots have `WEBSITE_OVERRIDE_STICKY_EXTENSION_VERSIONS=0` set.

+1. Use the following command to change `FUNCTIONS_EXTENSION_VERSION` and upgrade the staging slot to the new runtime version:

+ ```azurecli

+ az functionapp config appsettings set --settings FUNCTIONS_EXTENSION_VERSION=~4 -g <RESOURCE_GROUP_NAME> -n <APP_NAME> --slot <SLOT_NAME>

+ ```

+1. (Windows only) For function apps running on Windows, use the following command so that the runtime can run on .NET 6:

+

+ ```azurecli

+ az functionapp config set --net-framework-version v6.0 -g <RESOURCE_GROUP_NAME> -n <APP_NAME> --slot <SLOT_NAME>

+ ```

+ Version 4.x of the Functions runtime requires .NET 6 when running on Windows.

+1. If your code project required any updates to run on version 4.x, deploy those updates to the staging slot now.

+1. Confirm that your function app runs correctly in the upgraded staging environment before swapping.

+1. Use the following command to swap the upgraded and prewarmed staging slot to production:

+ ```azurecli

+ az functionapp deployment slot swap -g <RESOURCE_GROUP_NAME> -n <APP_NAME> --slot <SLOT_NAME> --target-slot production

+ ```

+### Upgrade your local project

+Upgrading instructions are language dependent. If you don't see your language, choose it from the switcher at the [top of the article](#top).

+To update a C# class library project to .NET 6 and Azure Functions 4.x:

+1. Update your local installation of [Azure Functions Core Tools](functions-run-local.md#install-the-azure-functions-core-tools) to version 4.

+1. Update the `TargetFramework` and `AzureFunctionsVersion`, as follows:

+ ```xml

+ <TargetFramework>net6.0</TargetFramework>

+ <AzureFunctionsVersion>v4</AzureFunctionsVersion>

+ ```

+1. Update the NuGet packages referenced by your app to the latest versions. For more information, see [breaking changes](#breaking-changes-between-3x-and-4x).

+ Specific packages depend on whether your functions run in-process or out-of-process.

+ # [In-process](#tab/in-process)

+

+ * [Microsoft.NET.Sdk.Functions](https://www.nuget.org/packages/Microsoft.NET.Sdk.Functions/) 4.0.0 or later

+

+ # [Isolated process](#tab/isolated-process)

+

+ * [Microsoft.Azure.Functions.Worker](https://www.nuget.org/packages/Microsoft.Azure.Functions.Worker/) 1.5.2 or later

+ * [Microsoft.Azure.Functions.Worker.Sdk](https://www.nuget.org/packages/Microsoft.Azure.Functions.Worker.Sdk/) 1.2.0 or later

+

+To update your project to Azure Functions 4.x:

+1. Update your local installation of [Azure Functions Core Tools](functions-run-local.md#install-the-azure-functions-core-tools) to version 4.x.

+1. Update your app's [Azure Functions extensions bundle](functions-bindings-register.md#extension-bundles) to 2.x or above. For more information, see [breaking changes](#breaking-changes-between-3x-and-4x).

+1. If you're using Node.js version 10 or 12, move to one of the [supported version](functions-reference-node.md#node-version).

+1. If you're using PowerShell Core 6, move to one of the [supported versions](functions-reference-powershell.md#powershell-versions).

+1. If you're using Python 3.6, move to one of the [supported versions](functions-reference-python.md#python-version).

+- Azure Functions Proxies are no longer supported in 4.x. You're recommended to use [Azure API Management](../api-management/import-function-app-as-api.md).

+- Node.js versions 10 and 12 aren't supported in Azure Functions 4.x. ([#1999](https://github.com/Azure/Azure-Functions/issues/1999))

+- PowerShell 6 isn't supported in Azure Functions 4.x. ([#1999](https://github.com/Azure/Azure-Functions/issues/1999))

+- Default thread count has been updated. Functions that aren't thread-safe or have high memory usage may be impacted. ([#1962](https://github.com/Azure/Azure-Functions/issues/1962))

+- Python 3.6 isn't supported in Azure Functions 4.x. ([#1999](https://github.com/Azure/Azure-Functions/issues/1999))

+- Default thread count has been updated. Functions that aren't thread-safe or have high memory usage may be impacted. ([#1962](https://github.com/Azure/Azure-Functions/issues/1962))

+* HTTP concurrency throttles are implemented by default for Consumption plan functions, with a default of 100 concurrent requests per instance. You can change this behavior in the [`maxConcurrentRequests`](functions-host-json.md#http) setting in the host.json file.

+You can also choose `net6.0` or `net48` as the target framework if you're using [.NET isolated process functions](dotnet-isolated-process-guide.md). Support for `net48` is currently in preview.

+You can also choose `net5.0` as the target framework if you're using [.NET isolated process functions](dotnet-isolated-process-guide.md).

+You can open an existing function targeting 2.x and move to 3.x by editing the `.csproj` file and updating the values above. Visual Studio manages runtime versions automatically for you based on project metadata. However, it's possible if you've never created a 3.x app before that Visual Studio doesn't yet have the templates and runtime for 3.x on your machine. This issue may present itself with an error like "no Functions runtime available that matches the version specified in the project." To fetch the latest templates and runtime, go through the experience to create a new function project. When you get to the version and template select screen, wait for Visual Studio to complete fetching the latest templates. After the latest .NET Core 3 templates are available and displayed, you can run and debug any project configured for version 3.x.

+For Visual Studio Code development, you may also need to update the user setting for the `azureFunctions.projectRuntime` to match the version of the tools installed. This setting also updates the templates and languages used during function app creation. To create apps in `~3`, you update the `azureFunctions.projectRuntime` user setting to `~3`.

+Except for HTTP and timer triggers, all bindings must be explicitly added to the function app project, or registered in the portal. For more information, see [Register binding extensions](./functions-bindings-expressions-patterns.md).

+- Scheduled - Start and stop actions are based on a schedule you specify against Azure Resource Manager and classic VMs. **ststv2_vms_Scheduled_start** and **ststv2_vms_Scheduled_stop** configure the scheduled start and stop.

+ Title: Set up availability alerts with Application Insights - Azure Monitor | Microsoft Docs

+### Alert frequency

+Availability alerts which are created through this experience are state-based. When the alert criteria is met, a single alert gets generated when the website is detected as unavailable. If the website is still down the next time the alert criteria is evaluated, it will not generate a new alert.

+For example, if your website is down for an hour and you have set up an e-mail alert with an evaluation frequency of 15 minutes, you will only receive an e-mail when the website goes down, and a subsequent e-mail when it is back up. You will not receive continuous alerts every 15 minutes reminding you that the website is still unavailable.

+> If you don't want to receive notifications when your website is down for only a short period of time (e.g. during maintenance) you can change the evaluation frequency to a higher value than the expected downtime, up to 15 minutes. You can also increase the alert location threshold, so it only triggers an alert if the website is down for a certain amount of regions.

+To make changes to location threshold, aggregation period, and test frequency, select the condition on the edit page of the alert rule, which will open the **Configure signal logic** window.

+

+> [!TIP]

+> For longer downtimes, we recommend to temporarily deactivate the alert rule, or to create a custom rule as shown below. This will give you more options to account for the downtime.

+### Custom alert rule

+Auto-generated alerts from availability tests have a limited set of options to change the logic. If you need advanced capabilities, you can create a custom alert rule from the **Alerts** tab. Click on **Create** and select **Alert rule**. Choose **Metrics** for **Signal type** to show all available signals, and select **Availability**.

+A custom alert rule offers higher values for aggregation period (up to 24 hours instead of 6 hours) and test frequency (up to 1 hour instead of 15 minutes). It also adds options to further define the logic by selecting different operators, aggregation types, and threshold values.

+

+ Title: Migrate an Application Insights classic resource to a workspace-based resource - Azure Monitor | Microsoft Docs

+description: Learn about the steps required to upgrade your Application Insights classic resource to the new workspace-based model.

+If you don't need to migrate an existing resource and instead want to create a new workspace-based Application Insights resource, use the [workspace-based resource creation guide](create-workspace-resource.md).

+If you have multiple Application Insights resources store their telemetry in one Log Analytics workspace, but you only want to query data from one specific Application Insights resource, you have two options:

+> [!NOTE]

+> Older versions of Application Insights SDKs used to report standard deviation (valueStdDev) in the metrics pre-aggregation. Due to little adoption in metrics analysis, the field was removed and is no longer aggregated by the SDKs. If the value is received by the Application Insights data collection end point, it gets dropped during ingestion and is not sent to the Log Analytics workspace. If you are interested in using standard deviation in your analysis, we recommend using queries against Application Insights raw events.

+> * On February 29, 2024, continuous export will be deprecated as part of the classic Application Insights deprecation.

+* Use of [VNET/Azure Storage firewalls](../../storage/common/storage-network-security.md) with Azure Blob storage.

+Diagnostic settings export is preferred because it provides extra features.

+To migrate to diagnostic settings export:

+| Telemetry | dc.applicationinsights.azure.com<br/>dc.applicationinsights.microsoft.com<br/>dc.services.visualstudio.com<br/>*.in.applicationinsights.azure.com<br/><br/> || 443 |

+| Live Metrics | live.applicationinsights.azure.com<br/>rt.applicationinsights.microsoft.com<br/>rt.services.visualstudio.com<br/><br/>{region}.livediagnostics.monitor.azure.com<br/>*Example for {region}: westus2*<br/><br/> |20.49.111.32/29<br/>13.73.253.112/29| 443 |

+> [!NOTE]

+> These addresses are listed by using Classless Interdomain Routing notation. As an example, an entry like `51.144.56.112/28` is equivalent to 16 IPs that start at `51.144.56.112` and end at `51.144.56.127`.

+If you're looking for the actual IP addresses so that you can add them to the list of allowed IPs in your firewall, download the JSON file that describes Azure IP ranges. These files contain the most up-to-date information. After you download the appropriate file, open it by using your favorite text editor. Search for **ApplicationInsightsAvailability** to go straight to the section of the file that describes the service tag for availability tests.

+For Azure public cloud, you need to allow both the global IP ranges and the ones specific for the region of your Application Insights resource which receives live data. You can find the global IP ranges in the [Outgoing ports](#outgoing-ports) table at the top of this document, and the regional IP ranges in the [Addresses grouped by region](#addresses-grouped-by-region-azure-public-cloud) table below.

+#### Addresses grouped by region (Azure public cloud)

+| Continent/Country | Region | IP |

+| | | |

+|Asia|East Asia|52.229.216.48/28<br/>20.189.111.16/29|

+||Southeast Asia|52.139.250.96/28<br/>23.98.106.152/29|

+|Australia|Australia Central|20.37.227.104/29<br/><br/>|

+||Australia Central 2|20.53.60.224/31<br/><br/>|

+||Australia East|20.40.124.176/28<br/>20.37.198.232/29|

+||Australia Southeast|20.42.230.224/29<br/><br/>|

+|Brazil|Brazil South|191.233.26.176/28<br/>191.234.137.40/29|

+||Brazil Southeast|20.206.0.196/31<br/><br/>|

+|Canada|Canada Central|52.228.86.152/29<br/><br/>|

+||Canada East|52.242.40.208/31<br/><br/>|

+|Europe|North Europe|52.158.28.64/28<br/>20.50.68.128/29|

+||West Europe|51.144.56.96/28<br/>40.113.178.32/29|

+|France|France Central|20.40.129.32/28<br/>20.43.44.216/29|

+||France South|20.40.129.96/28<br/>52.136.191.12/31|

+|Germany|Germany North|51.116.75.92/31<br/><br/>|

+||Germany West Central|20.52.95.50/31<br/><br/>|

+|India|Central India|52.140.108.216/29<br/><br/>|

+||South India|20.192.153.106/31<br/><br/>|

+||West India|20.192.84.164/31<br/><br/>|

+||Jio India Central|20.192.50.200/29<br/><br/>|

+||Jio India West|20.193.194.32/29<br/><br/>|

+|Israel|Israel Central|20.217.44.250/31<br/><br/>|

+|Japan|Japan East|52.140.232.160/28<br/>20.43.70.224/29|

+||Japan West|20.189.194.102/31<br/><br/>|

+|Korea|Korea Central|20.41.69.24/29<br/><br/>|

+|Norway|Norway East|51.120.235.248/29<br/><br/>|

+||Norway West|51.13.143.48/31<br/><br/>|

+|Poland|Poland Central|20.215.4.250/31<br/><br/>|

+|Qatar|Qatar Central|20.21.39.224/29<br/><br/>|

+|South Africa|South Africa North|102.133.219.136/29<br/><br/>|

+||South Africa West|102.37.86.196/31<br/><br/>|

+|Sweden|Sweden Central|51.12.25.192/29<br/><br/>|

+||Sweden South|51.12.17.128/29<br/><br/>|

+|Switzerland|Switzerland North|51.107.52.200/29<br/><br/>|

+||Switzerland West|51.107.148.8/29<br/><br/>|

+|Taiwan|Taiwan North|51.53.28.214/31<br/><br/>|

+||Taiwan Northwest|51.53.172.214/31<br/><br/>|

+|United Arab Emirates|UAE Central|20.45.95.68/31<br/><br/>|

+||UAE North|20.38.143.44/31<br/>40.120.87.204/31|

+|United Kingdom|UK South|51.105.9.128/28<br/>51.104.30.160/29|

+||UK West|20.40.104.96/28<br/>51.137.164.200/29|

+|United States|Central US|13.86.97.224/28<br/>20.40.206.232/29|

+||East US|20.42.35.32/28<br/>20.49.111.32/29|

+||East US 2|20.49.102.24/29<br/><br/>|

+||North Central US|23.100.224.16/28<br/>20.49.114.40/29|

+||South Central US|20.45.5.160/28<br/>13.73.253.112/29|

+||West Central US|52.150.154.24/29<br/><br/>|

+||West US|40.91.82.48/28<br/>52.250.228.8/29|

+||West US 2|40.64.134.128/29<br/><br/>|

+||West US 3|20.150.241.64/29<br/><br/>|

+- Incur no data ingestion or retention charges for activity log data stored in a Log Analytics workspace.

+- The default retention period in Log Analytics is 90 days

+ Title: Tutorial - Editing Data Collection Rules

+description: This article describes how to make changes in Data Collection Rule definition using command line tools and simple API calls.

+# Tutorial: Editing Data Collection Rules

+This tutorial will describe how to edit the definition of Data Collection Rule (DCR) that has been already provisioned using command line tools.

+In this tutorial, you learn how to:

+> [!div class="checklist"]

+> * Leverage existing portal functionality to pre-create DCRs

+> * Get the content of a Data Collection Rule using ARM API call

+> * Apply changes to a Data Collection Rule using ARM API call

+> * Automate the process of DCR update using PowerShell scripts

+## Prerequisites

+To complete this tutorial you need the following:

+- Log Analytics workspace where you have at least [contributor rights](../logs/manage-access.md#azure-rbac).

+- [Permissions to create Data Collection Rule objects](data-collection-rule-overview.md#permissions) in the workspace.

+- Up to date version of PowerShell. Using Azure Cloud Shell is recommended.

+## Overview of tutorial

+While going through the wizard on the portal is the simplest way to set up the ingestion of your custom data to Log Analytics, in some cases you might want to update your Data Collection Rule later to:

+- Change data collection settings (e.g. Data Collection Endpoint, associated with the DCR)

+- Update data parsing or filtering logic for your data stream

+- Change data destination (e.g. send data to an Azure table, as this option is not directly offered as part of the DCR-based custom log wizard)

+In this tutorial, you will, first, set up ingestion of a custom log, then. you will modify the KQL transformation for your custom log to include additional filtering and apply the changes to your DCR. Finally, we are going to combine all editing operations into a single PowerShell script, which can be used to edit any DCR for any of the above mentioned reasons.

+## Set up new custom log

+Start by setting up a new custom log. Follow [Tutorial: Send custom logs to Azure Monitor Logs using the Azure portal (preview)]( ../logs/tutorial-custom-logs.md). Note the resource ID of the DCR created.

+## Retrieve DCR content

+In order to update DCR, we are going to retrieve its content and save it as a file, which can be further edited.

+1. Click the **Cloud Shell** button in the Azure portal and ensure the environment is set to **PowerShell**.

+ :::image type="content" source="../logs/media/tutorial-ingestion-time-transformations-api/open-cloud-shell.png" lightbox="../logs/media/tutorial-ingestion-time-transformations-api/open-cloud-shell.png" alt-text="Screenshot of opening cloud shell":::

+2. Execute the following commands to retrieve DCR content and save it to a file. Replace `<ResourceId>` with DCR ResourceID and `<FilePath>` with the name of the file to store DCR.

+ ```PowerShell

+ $ResourceId = ΓÇ£<ResourceId>ΓÇ¥ # Resource ID of the DCR to edit

+ $FilePath = ΓÇ£<FilePath>ΓÇ¥ # Store DCR content in this file

+ $DCR = Invoke-AzRestMethod -Path ("$ResourceId"+"?api-version=2021-09-01-preview") -Method GET

+ $DCR.Content | ConvertFrom-Json | ConvertTo-Json -Depth 20 | Out-File -FilePath $FilePath

+ ```

+## Edit DCR

+Now, when DCR content is stored as a JSON file, you can use an editor of your choice to make changes in the DCR. You may [prefer to download the file from the Cloud Shell environment](../../cloud-shell/using-the-shell-window.md#upload-and-download-files), if you are using one.

+Alternatively you can use code editors supplied with the environment. For example, if you saved your DCR in a file named `temp.dcr` on your Cloud Drive, you could use the following command to open DCR for editing right in the Cloud Shell window:

+```PowerShell

+code "temp.dcr"

+```

+LetΓÇÖs modify the KQL transformation within DCR to drop rows where RequestType is anything, but ΓÇ£GETΓÇ¥.

+1. Open the file created in the previous part for editing using an editor of your choice.

+2. Locate the line containing `ΓÇ¥transformKqlΓÇ¥` attribute, which, if you followed the tutorial for custom log creation, should look similar to this:

+ ``` JSON

+ "transformKql": " source\n | extend TimeGenerated = todatetime(Time)\n | parse RawData with \n ClientIP:string\n ' ' *\n ' ' *\n ' [' * '] \"' RequestType:string\n \" \" Resource:string\n \" \" *\n '\" ' ResponseCode:int\n \" \" *\n | where ResponseCode != 200\n | project-away Time, RawData\n"

+ ```

+3. Modify KQL transformation to include additional filter by RequestType

+ ``` JSON

+ "transformKql": " source\n | where RawData contains \"GET\"\n | extend TimeGenerated = todatetime(Time)\n | parse RawData with \n ClientIP:string\n ' ' *\n ' ' *\n ' [' * '] \"' RequestType:string\n \" \" Resource:string\n \" \" *\n '\" ' ResponseCode:int\n \" \" *\n | where ResponseCode != 200\n | project-away Time, RawData\n"

+ ```

+4. Save the file with modified DCR content.

+## Apply changes

+Our final step is to update DCR back in the system. This is accomplished by ΓÇ£PUTΓÇ¥ HTTP call to ARM API, with updated DCR content sent in the HTTP request body.

+1. If you are using Azure Cloud Shell, save the file and close the embedded editor, or [upload modified DCR file back to the Cloud Shell environment](../../cloud-shell/using-the-shell-window.md#upload-and-download-files).

+2. Execute the following commands to load DCR content from the file and place HTTP call to update the DCR in the system. Replace `<ResourceId>` with DCR ResourceID and `<FilePath>` with the name of the file modified in the previous part of the tutorial. You can omit first two lines if you read and write to the DCR within the same PowerShell session.

+ ```PowerShell

+ $ResourceId = ΓÇ£<ResourceId>ΓÇ¥ # Resource ID of the DCR to edit

+ $FilePath = ΓÇ£<FilePath>ΓÇ¥ # Store DCR content in this file

+ $DCRContent = Get-Content $FilePath -Raw

+ Invoke-AzRestMethod -Path ("$ResourceId"+"?api-version=2021-09-01-preview") -Method PUT -Payload $DCRContent

+ ```

+3. Upon successful call, you should get the response with status code ΓÇ£200ΓÇ¥, indicating that your DCR is now updated.

+4. You can now navigate to your DCR and examine its content on the portal via ΓÇ£JSON ViewΓÇ¥ function, or you could repeat the first part of the tutorial to retrieve DCR content into a file.

+## Putting everything together

+Now, when we know how to read and update the content of a DCR, letΓÇÖs put everything together into utility script, which can be used to perform both operations together.

+```PowerShell

+param ([Parameter(Mandatory=$true)] $ResourceId)

+# get DCR content and put into a file

+$FilePath = "temp.dcr"

+$DCR = Invoke-AzRestMethod -Path ("$ResourceId"+"?api-version=2021-09-01-preview") -Method GET

+$DCR.Content | ConvertFrom-Json | ConvertTo-Json -Depth 20 | Out-File $FilePath

+# Open DCR in code editor

+code $FilePath | Wait-Process

+#Wait for confirmation to apply changes

+$Output = Read-Host "Apply changes to DCR (Y/N)? "

+if ("Y" -eq $Output.toupper())

+{

+ #write DCR content back from the file

+ $DCRContent = Get-Content $FilePath -Raw

+ Invoke-AzRestMethod -Path ("$ResourceId"+"?api-version=2021-09-01-preview") -Method PUT -Payload $DCRContent

+}

+#Delete temporary file

+Remove-Item $FilePath

+```

+### How to use this utility

+ Assuming you saved the script as a file, named `DCREditor.ps1` and need to modify a Data Collection Rule with resource ID of `/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/foo/providers/Microsoft.Insights/dataCollectionRules/bar`, this could be accomplished by running the following command:

+```PowerShell

+.\DCREditor.ps1 "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/foo/providers/Microsoft.Insights/dataCollectionRules/bar"

+```

+DCR content will open in embedded code editor. Once editing is complete, entering "Y" on script prompt will apply changes back to the DCR.

+## Next steps

+- [Read more about data collection rules and options for creating them.](data-collection-rule-overview.md)

+ Title: Use DFS-N and DFS Root Consolidation with Azure NetApp Files | Microsoft Docs

+description: Learn how to configure DFS-N and DFS Root Consolidation with Azure NetApp Files

+documentationcenter: ''

+editor: ''

+ms.assetid:

+ na

+# How to use DFS Namespaces with Azure NetApp Files

+[Distributed File Systems Namespaces](/windows-server/storage/dfs-namespaces/dfs-overview), commonly referred to as DFS Namespaces or DFS-N, is a Windows Server server role that is widely used to simplify the deployment and maintenance of SMB file shares in production. DFS Namespaces is a storage namespace virtualization technology, which means that it enables you to provide a layer of indirection between the UNC path of your file shares and the actual file shares themselves. DFS Namespaces works with SMB file shares, agnostic of where those file shares are hosted: it can be used with SMB shares hosted on an on-premises Windows File Server with or without Azure File Sync, Azure file shares directly, SMB file shares hosted in Azure NetApp Files, and even with file shares hosted in other clouds.

+At its core, DFS Namespaces provide a mapping between a user-friendly UNC path, like `\\contoso\shares\ProjectX` and the underlying UNC path of the SMB share like `\\Server01-Prod\ProjectX` or `\\anf-xxxx\projectx`. When the end user wants to navigate to their file share, they type in the user-friendly UNC path, but their SMB client accesses the underlying SMB path of the mapping. You can also extend this basic concept to take over an existing file server name, such as `\\MyServer\ProjectX` using DFS root consolidation. You can use these capabilities to achieve the following scenarios:

+- **Provide a migration-proof name for a logical set of data**

+In this example, you have a mapping like `\\contoso\shares\Engineering` that maps to `\\OldServer\Engineering`. When you complete your migration to Azure NetApp Files, you can change your mapping so your user-friendly UNC path points to `\\anf-xxxx\engineering`. When an end user accesses the user-friendly UNC path, they will be seamlessly redirected to the Azure NetApp Files share path.

+- **Extend a logical set of data across size, IO, or other scale thresholds**

+This is common when dealing with corporate shares, where different folders have different performance requirements, or with scratch shares, where users get arbitrary space to handle temporary data needs. With DFS Namespaces, you stitch together multiple folders into a cohesive namespace. For example, `\\contoso\shares\engineering` maps to `\\anf-xxxx\engineering` (Azure NetApp Files, ultra tier), `\\contoso\shares\sales` maps to `\\anf-yyyy\sales` (Azure NetApp Files, standard tier), and so on.

+- **Preserve the logical name of one or more legacy file servers after the data has been migrated to Azure NetApp Files**

+Using DFS-N with root consolidation allows you to take over the hostname and share paths exactly as they are. This leaves document shortcuts, embedded document links, and UNC paths unchanged after the migration.

+If you already have a DFS Namespace in place, no special steps are required to use it with Azure NetApp Files. If you're accessing your Azure NetApp Files share from on-premises, normal networking considerations apply; see [Guidelines for Azure NetApp Files network planning](./azure-netapp-files-network-topologies.md) for more information.

+## Applies to

+| File share type | SMB | NFS | dual-protocol* |

+|-|:-:|:-:|:-:|

+| Azure NetApp Files |  |  |  |

+> [!IMPORTANT]

+> This functionality applies to the SMB side of Azure NetApp Files dual-protocol volumes.

+## Namespace types

+DFS Namespaces provides three namespace types:

+- **Domain-based namespace**:

+A namespace hosted as part of your Windows Server AD domain. Namespaces hosted as part of AD will have a UNC path containing the name of your domain, for example, `\\contoso.com\shares\myshare`, if your domain is `contoso.com`. Domain-based namespaces support larger scale limits and built-in redundancy through AD. Domain-based namespaces can't be a clustered resource on a failover cluster.

+- **Standalone namespace**:

+A namespace hosted on an individual server or a Windows Server failover cluster, not hosted as part of Windows Server AD. Standalone namespaces will have a name based on the name of the standalone server, such as `\\MyStandaloneServer\shares\myshare`, where your standalone server is named `MyStandaloneServer`. Standalone namespaces support lower scale targets than domain-based namespaces but can be hosted as a clustered resource on a failover cluster.

+- **Standalone namespace with root consolidation**:

+One or more namespaces hosted on an individual server or on a Windows Server failover cluster, not hosted as part of Windows Server AD. Standalone namespaces with root consolidation will have a UNC path that matches the name of the old file server you would like to take over, such as `\\oldserver`, where your namespace is named `#oldserver`. Standalone namespaces support lower scale targets than domain-based namespaces but can be hosted as a clustered resource on a Windows Server failover cluster.

+## Requirements

+To use DFS Namespaces with Azure NetApp Files, you must have the following resources:

+- An Active Directory domain. This can be hosted anywhere you like: an on-premises environment, an Azure virtual machine (VM), or even in another cloud.

+- A Windows Server that can host the namespace. For domain-based namespaces, a common deployment pattern is to use the Active Directory domain controller to host the namespaces, however the namespaces can be setup from any server with the DFS Namespaces server role installed. DFS Namespaces are available on all supported Windows Server versions.

+- For namespace root consolidation, Active Directory domain controllers can not be used to host the namespace. It is required to use a dedicated standalone Windows Server or a Windows Server failover cluster to host the namespace(s).

+- One or more Azure NetApp Files SMB file shares hosted in a domain-joined environment.

+## Install the DFS Namespaces server role

+For all DFS Namespace types, the **DFS Namespaces** server role must be installed. If you are already using DFS Namespaces, you may skip these steps.

+# [GUI](#tab/windows-gui)

+1. Open **Server Manager**

+2. Select **Manage**

+3. Select **Add Roles and Features**.

+4. For the **Installation Type**, select **Role-based or feature-based installation**

+5. Click **Next**.

+6. For **Server Selection**, select the desired server(s) on which you would like to install the DFS Namespaces server role

+7. Click **Next**.

+8. In the **Server Roles** section, select and check the **DFS Namespaces** role from role list under **File and Storage Services** > **File and iSCSI Services**.

+

+9. Click **Next** until the **Install** button is available

+10. Click **Install**

+# [PowerShell](#tab/azure-powershell)

+From an elevated PowerShell session (or using PowerShell remoting), execute the following command:

+```PowerShell

+Install-WindowsFeature -Name "FS-DFS-Namespace", "RSAT-DFS-Mgmt-Con"

+```

+## Configure a DFS-N Namespace with Azure NetApp Files SMB volumes

+If you do not need to take over an existing legacy file server, a domain-based namespace is recommended. Domain-based namespaces are hosted as part of AD and will have a UNC path containing the name of your domain, for example, `\\contoso.com\corporate\finance`, if your domain is `contoso.com`. An example of this architecture is shown in the graphic below.

+

+>[!IMPORTANT]

+>If you wish to use DFS Namespaces to take over an existing server name with root consolidation, skip to [Take over existing server names with root consolidation](#take-over-existing-server-names-with-root-consolidation).

+### Create a namespace

+The basic unit of management for DFS Namespaces is the namespace. The namespace root, or name, is the starting point of the namespace, such that in the UNC path `\\contoso.com\corporate\`, the namespace root is `corporate`.

+# [GUI](#tab/windows-gui)

+1. From a domain controller, open the **DFS Management** console. This can be found by selecting the **Start** button and typing **DFS Management**. The resulting management console has two sections **Namespaces** and **Replication**, which refer to DFS Namespaces and DFS Replication (DFS-R) respectively.

+2. Select the **Namespaces** section, and select the **New Namespace** button (you may also right-click on the **Namespaces** section). The resulting **New Namespace Wizard** walks you through creating a namespace.

+3. The first section in the wizard requires you to pick the DFS Namespace server to host the namespace. Multiple servers can host a namespace, but you will need to set up DFS Namespaces with one server at a time. Enter the name of the desired DFS Namespace server and select **Next**.

+

+4. In the **Namespace Name and Settings** section, you can enter the desired name of your namespace and select **Next**.

+5. The **Namespace Type** section allows you to choose between a **Domain-based namespace** and a **Stand-alone namespace**. Select a domain-based namespace. Refer to [namespace types](#namespace-types) above for more information on choosing between namespace types.

+

+6. Select **Create** to create the namespace and **Close** when the dialog completes.

+# [PowerShell](#tab/azure-powershell)

+From a PowerShell session on the DFS Namespace server, execute the following PowerShell commands, populating `$namespace` and `$type` with the relevant values for your environment:

+```PowerShell

+# Variables

+$namespace = "corporate"

+$type = "DomainV2"

+$dfsnServer = $env:ComputerName

+$namespaceServer = Get-CimInstance -ClassName "Win32_ComputerSystem" | `

+Select-Object -ExpandProperty Domain

+# Create share for DFS-N namespace

+$smbShare = "C:\DFSRoots\$namespace"

+if (!(Test-Path -Path $smbShare)) { New-Item -Path $smbShare -ItemType Directory }

+New-SmbShare -Name $namespace -Path $smbShare -FullAccess Everyone

+# Create DFS-N namespace

+Import-Module -Name DFSN

+$namespacePath = "\\$namespaceServer\$namespace"

+$targetPath = "\\$dfsnServer\$namespace"

+New-DfsnRoot -Path $namespacePath -TargetPath $targetPath -Type $type

+```

+### Configure folders and folder targets

+For a namespace to be useful, it must have folders and folder targets. Each folder can have one or more folder targets, which are pointers to the SMB file share(s) that host that content. When users browse a folder with folder targets, the client computer receives a referral that transparently redirects the client computer to one of the folder targets. You can also have folders without folder targets to add structure and hierarchy to the namespace.

+You can think of DFS Namespaces folders as analogous to file shares.

+# [GUI](#tab/windows-gui)

+1. In the DFS Management console, select the namespace you just created and select **New Folder**. The resulting **New Folder** dialog will allow you to create both the folder and its targets.

+

+2. In the textbox labeled **Name** provide the name of the share.

+3. Select **Add...** to add folder targets for this folder. The resulting **Add Folder Target** dialog provides a textbox labeled **Path to folder target** where you can provide the UNC path to your Azure NetApp Files SMB share.

+

+4. Select **OK** on the **Add Folder Target** dialog.

+

+5. Select **OK** on the **New Folder** dialog to create the folder and folder targets.

+# [PowerShell](#tab/azure-powershell)

+```PowerShell

+# Variables

+$shareName = "finance"

+$targetUNC = "\\anf-xxxx.contoso.com\finance"

+# Create folder and folder targets

+$sharePath = "$namespacePath\$shareName"

+New-DfsnFolder -Path $sharePath -TargetPath $targetUNC

+```

+Now that you have created a namespace, a folder, and a folder target, you should be able to mount your file share through DFS Namespaces. The full path for your share should be `\\contoso.com\corporate\finance`.

+## Take over existing server names with root consolidation

+An important use for DFS Namespaces is to take over an existing server name for the purposes of refactoring the physical layout of the file shares. For example, you may wish to consolidate file shares from multiple old file servers together on Azure NetApp Files volume(s) during a modernization migration. Traditionally, end user familiarity and document-linking limit your ability to consolidate file shares from disparate file servers together on one host, but the DFS Namespace root consolidation feature allows you to stand-up a single server or failover cluster to take over multiple server names and route to the appropriate Azure NetApp Files share name(s).

+Although useful for various datacenter migration scenarios, root consolidation is especially useful for adopting Azure NetApp Files shares because Azure NetApp Files shares don't allow you to keep existing on-premises server names.

+Root consolidation may only be used with standalone namespaces. If you already have an existing domain-based namespace for your file shares, you do not need to create a root consolidated namespace.

+This section outlines the steps to configure DFS Namespace root consolidation on a standalone server. For a highly available architecture please work with your Microsoft technical team to configure Windows Server failover clustering and an Azure Load Balancer as required. An example of a highly available architecture is shown in the graphic below.

+

+### Enabling root consolidation

+Root consolidation can be enabled by setting the following registry keys from an elevated PowerShell session (or using PowerShell remoting) on the standalone DFS Namespace server or on the failover cluster.

+```PowerShell

+New-Item `

+ -Path "HKLM:SYSTEM\CurrentControlSet\Services\Dfs" `

+ -Type Registry `

+ -ErrorAction SilentlyContinue

+New-Item `

+ -Path "HKLM:SYSTEM\CurrentControlSet\Services\Dfs\Parameters" `

+ -Type Registry `

+ -ErrorAction SilentlyContinue

+New-Item `

+ -Path "HKLM:SYSTEM\CurrentControlSet\Services\Dfs\Parameters\Replicated" `

+ -Type Registry `

+ -ErrorAction SilentlyContinue

+Set-ItemProperty `

+ -Path "HKLM:SYSTEM\CurrentControlSet\Services\Dfs\Parameters\Replicated" `

+ -Name "ServerConsolidationRetry" `

+ -Value 1

+```

+### Creating DNS entries for existing file server names

+In order for DFS Namespaces to respond to existing file server names, **you must** create alias (CNAME) records for your existing file servers that point at the DFS Namespaces server name. The exact procedure for updating your DNS records may depend on what servers your organization is using and if your organization is using custom tooling to automate the management of DNS. The following steps are shown for the DNS server included with Windows Server and automatically used by Windows AD. In this example, the DFS-N server name is `mydfscluster`.

+# [GUI](#tab/windows-gui)

+1. From a Windows DNS server, open the DNS management console.

+2. Navigate to the forward lookup zone for your domain. For example, if your domain is `contoso.com`, the forward lookup zone can be found under **Forward Lookup Zones** > **`contoso.com`** in the management console. The exact hierarchy shown in this dialog will depend on the DNS configuration for your network.

+3. Right-click on your forward lookup zone and select **New Alias (CNAME)**.

+4. In the resulting dialog, enter the short name for the file server you're replacing (the fully qualified domain name will be auto-populated in the textbox labeled **Fully qualified domain name**)

+5. In the textbox labeled **Fully qualified domain name (FQDN) for the target host**, enter the name of the DFS-N server you have set up. You can use the **Browse** button to help you select the server if desired.

+

+6. Select **OK** to create the CNAME record for your server.

+# [PowerShell](#tab/azure-powershell)

+On a Windows DNS server, open a PowerShell session (or use PowerShell remoting) to execute the following commands, populating `$oldServer` and `$dfsnServer`, with the relevant values for your environment (`$domain` will auto-populate with the domain name, but you can also manually type this out as well).

+```PowerShell

+# Variables

+$oldServer = "fileserver01"

+$domain = Get-CimInstance -ClassName "Win32_ComputerSystem" | `

+ Select-Object -ExpandProperty Domain

+$dfsnServer = "mydfscluster.$domain"

+# Create CNAME record

+Import-Module -Name DnsServer

+Add-DnsServerResourceRecordCName `

+ -Name $oldServer `

+ -HostNameAlias $dfsnServer `

+ -ZoneName $domain

+```

+### Create a namespace

+The basic unit of management for DFS Namespaces is the namespace. The namespace root, or name, is the starting point of the namespace, such that in the UNC path `\\contoso.com\Public\`, the namespace root is `Public`.

+To take over an existing server name with root consolidation, the name of the namespace should be the name of server name you want to take over, prepended with the `#` character. For example, if you wanted to take over an existing server named `MyServer`, you would create a DFS-N namespace called `#MyServer`. The PowerShell section below takes care of prepending the `#`, but if you create via the DFS Management console, you will need to prepend as appropriate.

+# [GUI](#tab/windows-gui)

+1. Open the **DFS Management** console. This can be found by selecting the **Start** button and typing **DFS Management**. The resulting management console has two sections **Namespaces** and **Replication**, which refer to DFS Namespaces and DFS Replication (DFS-R) respectively.

+2. Select the **Namespaces** section, and select the **New Namespace** button (you may also right-click on the **Namespaces** section). The resulting **New Namespace Wizard** walks you through creating a namespace.

+3. The first section in the wizard requires you to pick the DFS Namespace server to host the namespace. Multiple servers can host a namespace, but you will need to set up DFS Namespaces with one server at a time. Enter the name of the desired DFS Namespace server and select **Next**.

+

+4. In the **Namespace Name and Settings** section, you can enter the desired name of your namespace and select **Next**.

+5. The **Namespace Type** section allows you to choose between a **Domain-based namespace** and a **Stand-alone namespace**. If you intend to use DFS Namespaces to preserve an existing file server/NAS device name, you should select the standalone namespace option. For any other scenarios, you should select a domain-based namespace. Refer to [namespace types](#namespace-types) above for more information on choosing between namespace types.

+6. Select the desired namespace type for your environment and select **Next**. The wizard will then summarize the namespace to be created.

+

+7. Select **Create** to create the namespace and **Close** when the dialog completes.

+# [PowerShell](#tab/azure-powershell)

+From a PowerShell session on the DFS Namespace server, execute the following PowerShell commands, populating `$namespace` and `$type` with the relevant values for your environment:

+```PowerShell

+# Variables

+$namespace = "#fileserver01"

+$type = "Standalone"

+$dfsnServer = $env:ComputerName

+$namespaceServer = $dfsnServer

+# Create share for DFS-N namespace

+$smbShare = "C:\DFSRoots\$namespace"

+if (!(Test-Path -Path $smbShare)) { New-Item -Path $smbShare -ItemType Directory }

+New-SmbShare -Name $namespace -Path $smbShare -FullAccess Everyone

+# Create DFS-N namespace

+Import-Module -Name DFSN

+$namespacePath = "\\$namespaceServer\$namespace"

+$targetPath = "\\$dfsnServer\$namespace"

+New-DfsnRoot -Path $namespacePath -TargetPath $targetPath -Type $type

+```

+### Configure folders and folder targets

+For a namespace to be useful, it must have folders and folder targets. Each folder can have one or more folder targets, which are pointers to the SMB file share(s) that host that content. When users browse a folder with folder targets, the client computer receives a referral that transparently redirects the client computer to one of the folder targets. You can also have folders without folder targets to add structure and hierarchy to the namespace.

+You can think of DFS Namespaces folders as analogous to file shares.

+# [GUI](#tab/windows-gui)

+1. In the DFS Management console, select the namespace you just created and select **New Folder**. The resulting **New Folder** dialog will allow you to create both the folder and its targets.

+

+2. In the textbox labeled **Name** provide the name of the share.

+3. Select **Add...** to add folder targets for this folder. The resulting **Add Folder Target** dialog provides a textbox labeled **Path to folder target** where you can provide the UNC path to your Azure NetApp Files SMB share.

+

+4. Select **OK** on the **Add Folder Target** dialog.

+

+5. Select **OK** on the **New Folder** dialog to create the folder and folder targets.

+# [PowerShell](#tab/azure-powershell)

+```PowerShell

+# Variables

+$shareName = "finance"

+$targetUNC = "\\anf-xxxx.contoso.com\finance"

+# Create folder and folder targets

+$sharePath = "$namespacePath\$shareName"

+New-DfsnFolder -Path $sharePath -TargetPath $targetUNC

+```

+Now that you have created a namespace, a folder, and a folder target, you should be able to mount your file share through DFS Namespaces. Using a standalone namespace with root consolidation, you can access directly through your old server name, such as `\\fileserver01\finance`.

+## See also

+- [Create an SMB volume for Azure NetApp Files](./azure-netapp-files-create-volumes-smb.md)

+- [Guidelines for Azure NetApp Files network planning](./azure-netapp-files-network-topologies.md)

+- [Windows Server Distributed File System Namespaces](/windows-server/storage/dfs-namespaces/dfs-overview)

+This function requires **Bicep version 0.4.412 or later**.

+## loadJsonContent

+`loadJsonContent(filePath, [jsonPath], [encoding])`

+Loads the specified JSON file as an Any object.

+Namespace: [sys](bicep-functions.md#namespaces-for-functions).

+### Parameters

+| Parameter | Required | Type | Description |

+|: |: |: |: |

+| filePath | Yes | string | The path to the file to load. The path is relative to the deployed Bicep file. |

+| jsonPath | No | string | JSONPath expression to take only a part of the JSON into ARM. |

+| encoding | No | string | The file encoding. The default value is `utf-8`. The available options are: `iso-8859-1`, `us-ascii`, `utf-16`, `utf-16BE`, or `utf-8`. |

+### Remarks

+Use this function when you have JSON content or minified JSON content that is stored in a separate file. Rather than duplicating the JSON content in your Bicep file, load the content with this function. You can load a part of a JSON file by specifying a JSON path. The file is loaded when the Bicep file is compiled to the JSON template. During deployment, the JSON template contains the contents of the file as a hard-coded string.

+In VS Code, the properties of the loaded object are available intellisense. For example, you can create a file with values to share across many Bicep files. An example is shown in this article.

+This function requires **Bicep version 0.7.4 or later**.

+### Return value

+The contents of the file as an Any object.

+### Examples

+The following example creates a JSON file that contains values for a network security group.

+You load that file and convert it to a JSON object. You use the object to assign values to the resource.

+You can reuse the file of values in other Bicep files that deploy a network security group.

+Loads the content of the specified file as a string.

+Use the [`loadJsonContent()`](#loadjsoncontent) function to load JSON files.

+* [loadJsonContent](bicep-functions-files.md#loadjsoncontent)

+Create a JSON file that includes the variables you need to share. Use the [`loadJsonContent()` function](bicep-functions-files.md#loadjsoncontent) to load the file and access the variables. For array variables, use the [`concat()` function](bicep-functions-array.md#concat) to combine the shared values with any custom values for the specific resource.

+Diagnostic settings enable you to configure Azure Monitor to export your logs and metrics to a number of destinations, including Log Analytics and Azure Storage.

+When creating diagnostic settings in Bicep, you need to apply the scope of the diagnostic setting. The diagnostic setting can be applied at the management, subscription, or resource group level. [Use the scope property on this resource to set the scope for this resource](../../azure-resource-manager/bicep/scope-extension-resources.md).

+Log types differ between resources, so ensure that the logs you want to export are applicable for the resource you're using.

+### Activity log diagnostic settings

+To use Bicep to configure diagnostic settings to export the Azure activity log, deploy a diagnostic setting resource at the [subscription scope](deploy-to-subscription.md).

+The following example shows how to export several activity log types to a Log Analytics workspace:

+ Title: Add Contributor role on the Media Services account

+description: This topic explains how to add contributor role on the Media Services account.

+# Add contributor role to Media Services

+This article describes how to assign contributor role on the Media Services account.

+### [Azure portal](#tab/portal/)

+### Add Contributor role to Media Services using Azure portal

+## Next steps

+[Create a new Azure Resource Manager based account](create-account-portal.md)

+- Follow the [Zerto Virtual Replication Azure Enterprise Guidelines](https://www.zerto.com/wp-content/uploads/2016/11/Zerto-Virtual-Replication-5.0-for-Azure.pdf) for the rest of the prerequisites.

+ Title: About NC2 on Azure Public Preview

+description: Learn about NC2 on Azure Public Preview and the benefits it offers.

+# About NC2 on Azure Public Preview

+The articles in this section are intended for the professionals participating in the Public Preview of NC2 on Azure.

+ To provide input, email [NC2-on-Azure Docs](mailto:AzNutanixPM@microsoft.com).

+In particular, this article highlights Public Preview features.

+## Unlock the benefits of Azure

+* Establish a consistent hybrid deployment strategy

+* Operate seamlessly with on-premise Nutanix Clusters in Azure

+* Build and scale without constraints

+* Invent for today and be prepared for tomorrow with NC2 on Azure

+### Scale and flexibility that align with your needs

+Get scale, automation, and fast provisioning for your Nutanix workloads on global Azure infrastructure to invent with purpose.

+### Optimize your investment

+Keep using your existing Nutanix investments, skills, and tools to quickly increase business agility with Azure cloud services.

+### Gain cloud cost efficiencies

+Manage your cloud spending with license portability to significantly reduce the cost of running workloads in the cloud.

+### Modernize through the power of Azure

+Adapt quicker with unified data governance and gain immediate insights with transformative analytics to drive innovation.

+### SKUs

+We offer two SKUs: AN36 and AN36P. For specifications, see [SKUs](skus.md).

+### More benefits

+* Microsoft Azure Consumption Contract (MACC) credits

+* Nutanix Bring your own License (BYOL)

+> [!NOTE]

+> During the public preview, RI is not supported.

+An additional discount may be available.

+## Support

+Nutanix (for software-related issues) and Microsoft (for infrastructure-related issues) will provide end-user support.

+## Next steps

+Learn more:

+> [!div class="nextstepaction"]

+> [Use cases and supported scenarios](use-cases-and-supported-scenarios.md)

+ Title: Architecture of BareMetal Infrastructure for NC2

+description: Learn about the architecture of several configurations of BareMetal Infrastructure for NC2.

+# Architecture of BareMetal Infrastructure for Nutanix

+In this article, we look at the architectural options for BareMetal Infrastructure for Nutanix and the features each option supports.

+## Deployment example

+The image in this section shows one example of an NC2 on Azure deployment.

+### Cluster Management virtual network

+* Contains the Nutanix Ready Nodes

+* Nodes reside in a delegated subnet (special BareMetal construct)

+### Hub virtual network

+* Contains a gateway subnet and VPN Gateway

+* VPN Gateway is entry point from on-premises to cloud

+### PC virtual network

+* Contains Prism Central - Nutanix's software appliance that enables advanced functionality within the Prism portal.

+## Connect from cloud to on-premises

+Connecting from cloud to on-premises is supported by two traditional products: Express Route and VPN Gateway.

+One example deployment is to have a VPN gateway in the Hub virtual network.

+This virtual network is peered with both the PC virtual network and Cluster Management virtual network, providing connectivity across the network and to your on-premises site.

+## Next steps

+Learn more:

+> [!div class="nextstepaction"]

+> [Requirements](requirements.md)

+ Title: FAQ

+description: Questions frequently asked about NC2 on Azure

+# Frequently asked questions about NC2 on Azure

+This article addresses questions most frequently asked about NC2 on Azure.

+## What is Hyperconverged Infrastructure (HCI)?

+Hyper-converged infrastructure (HCI) uses locally attached storage resources to combine common data center hardware with intelligent software to create flexible building blocks that replace legacy infrastructure consisting of separate servers, storage networks, and storage arrays. [Video explanation](https://www.youtube.com/watch?v=OPYA5-V0yRo)

+## How can I create a VM on a node?

+After a customer provisions a cluster of Nutanix Ready Nodes, they can spin up a VM through the Nutanix Prism Portal.

+This operation should be exactly the same as on-premises in the prism portal.

+## Is NC2 on Azure a third party or first party offering?

+NC2 on Azure is a 3rd-party offering on Azure Marketplace.

+However, we're working hand in hand with Nutanix to offer the best product experience.

+## How will I be billed?

+Customers will be billed on a pay-as-you-go basis. Additionally, customers are able to use their existing Microsoft Azure Consumption Contract (MACC).

+## What software advantages does Nutanix have over competitors?

+Data locality

+Shadow Clones (which lead to faster boot time)

+Cluster level microservices that lead to world-class performance

+## Will this solution integrate with the rest of the Azure cloud?

+Yes! You can use the products and services in Azure that you already have and love.

+## Who supports NC2 on Azure?

+Microsoft delivers support for BareMetal infrastructure of NC2 on Azure.

+You can submit a support request. For Cloud Solution Provider (CSP) managed subscriptions, the first level of support provides the Solution Provider in the same fashion as CSP does for other Azure services.

+Nutanix delivers support for Nutanix software of NC2 on Azure.

+Nutanix offers a support tier called Production Support for NC2.

+For more information about Production Support tiers and SLAs, see Product Support Programs under Cloud Services Support.

+## Can I use my existing VPN or ER gateway for the DR scenario?

+Technically, yes. Raise a support ticket from Azure portal to get this functionality enabled.

+## Next steps

+Learn more:

+> [!div class="nextstepaction"]

+> [Getting started](get-started.md)

+ Title: Getting started

+description: Learn how to sign up, set up, and use NC2 on Azure Public Preview.

+# Getting started with NC2 on Azure

+Learn how to sign up for, set up, and use NC2 on Azure Public Preview.

+## Sign up for the Public Preview

+Once you've satisfied the [requirements](requirements.md), go to [Nutanix Cloud Clusters

+on Azure Deployment

+and User Guide](https://download.nutanix.com/documentation/hosted/Nutanix-Cloud-Clusters-Azure.pdf) to sign up for the Preview.

+## Set up NC2 on Azure

+To set up NC2 on Azure, go to [Nutanix Cloud Clusters

+on Azure Deployment and User Guide](https://download.nutanix.com/documentation/hosted/Nutanix-Cloud-Clusters-Azure.pdf).

+## Use NC2 on Azure

+For more information about using NC2 on Azure, see [Nutanix Cloud Clusters

+on Azure Deployment

+and User Guide](https://download.nutanix.com/documentation/hosted/Nutanix-Cloud-Clusters-Azure.pdf).

+## Next steps

+Learn more:

+> [!div class="nextstepaction"]

+> [About the Public Preview](about-the-public-preview.md)

+ Title: What is BareMetal Infrastructure for NC2 on Azure?

+description: Learn about the features BareMetal Infrastructure offers for NC2 workloads.

+# What is BareMetal Infrastructure for NC2 on Azure?

+In this article, we'll give an overview of the features BareMetal Infrastructure offers for Nutanix workloads.

+Nutanix Cloud Clusters (NC2) on Microsoft Azure provides a hybrid cloud solution that operates as a single cloud, allowing you to manage applications and infrastructure in your private cloud and Azure. With NC2 running on Azure, you can seamlessly move your applications between on-premises and Azure using a single management console. With NC2 on Azure, you can use your existing Azure accounts and networking setup (VPN, VNets, and Subnets), eliminating the need to manage any complex network overlays. With this hybrid offering, you use the same Nutanix software and licenses across your on-premises cluster and Azure to optimize your IT investment efficiently.

+You use the NC2 console to create a cluster, update the cluster capacity (the number of nodes), and delete a Nutanix cluster. After you create a Nutanix cluster in Azure using NC2, you can operate the cluster in the same manner as you operate your on-premises Nutanix cluster with minor changes in the Nutanix command-line interface (nCLI), Prism Element and Prism Central web consoles, and APIs.

+## Supported protocols

+The following protocols are used for different mount points within BareMetal servers for Nutanix workload.

+- OS mount ΓÇô internet small computer systems interface (iSCSI)

+- Data/log ΓÇô [Network File System version 3 (NFSv3)](/windows-server/storage/nfs/nfs-overview#nfs-version-3-continuous-availability)

+- Backup/archive ΓÇô [Network File System version 4 (NFSv4)](/windows-server/storage/nfs/nfs-overview#nfs-version-41)

+## Licensing

+You can bring your own on-premises capacity-based Nutanix licenses (CBLs).

+Alternatively, you can purchase licenses from Nutanix or from Azure Marketplace.

+## Operating system and hypervisor

+NC2 runs Nutanix Acropolis Operating System (AOS) and Nutanix Acropolis Hypervisor (AHV).

+- Servers are pre-loaded with [AOS 6.1](https://www.nutanixbible.com/4-book-of-aos.html).

+- AHV 6.1 is built into this product as the default hypervisor at no extra cost.

+- AHV hypervisor is based on open source Kernel-based Virtual Machine (KVM).

+- AHV will determine the lowest processor generation in the cluster and constrain all Quick Emulator (QEMU) domains to that level.

+This functionality allows mixing of processor generations within an AHV cluster and ensures the ability to live-migrate between hosts.

+AOS abstracts kvm, virsh, qemu, libvirt, and iSCSI from the end-user and handles all backend configuration.

+Thus users can use Prism to manage everything they would want to manage, while not needing to be concerned with low-level management.

+## Next steps

+Learn more:

+> [!div class="nextstepaction"]

+> [Getting started with NC2 on Azure](get-started.md)

+ Title: Requirements

+description: Learn what you need to run NC2 on Azure, including Azure, Nutanix, networking, and other requirements.

+# Requirements

+This article assumes prior knowledge of the Nutanix stack and Azure services to operate significant deployments on Azure.

+The following sections identify the requirements to use Nutanix Clusters on Azure:

+## Azure account requirements

+* An Azure account with a new subscription

+* An Azure Active Directory

+## My Nutanix account requirements

+For more information, see "NC2 on Azure Subscription and Billing" in [Nutanix Cloud Clusters on Azure Deployment and User Guide](https://download.nutanix.com/documentation/hosted/Nutanix-Cloud-Clusters-Azure.pdf).

+## Networking requirements

+* Connectivity between your on-premises datacenter and Azure. Both ExpressRoute and VPN are supported.

+* After a cluster is created, you'll need Virtual IP addresses for both the on-premises cluster and the cluster running in Azure.

+* Outbound internet access on your Azure portal.

+* Azure Directory Service resolves the FQDN:

+gateway-external-api.console.nutanix.com.

+## Other requirements

+* Minimum of three (or more) Azure Nutanix Ready nodes per cluster

+* Only the Nutanix AHV hypervisor on Nutanix clusters running in Azure

+* Prism Central instance deployed on NC2 on Azure to manage the Nutanix clusters in Azure

+## Next steps

+Learn more:

+> [!div class="nextstepaction"]

+> [Supported instances and regions](supported-instances-and-regions.md)

+ Title: SKUs

+description: Learn about SKU options for NC2 on Azure Public Preview, including core, RAM, storage, and network.

+# SKUs

+This article identifies options associated with SKUs available for NC2 on Azure Public Preview, including core, RAM, storage, and network.

+## Options

+The following table presents component options for each available SKU.

+| Component |Ready Node for Nutanix AN36|Ready Node for Nutanix AN36P|

+| :- | -: |::|

+|Core|Intel 6140, 36 Core, 2.3 GHz|Intel 6240, 36 Core, 2.6 GHz|

+|vCPUs|72|72|

+|RAM|576 GB|768 GB|

+|Storage|18.56 TB (8 x 1.92 TB SATA SSD, 2x1.6TB NVMe)|19.95 TB (2x375G Optane, 6x3.2TB NVMe)|

+|Network|100 Gbps (four links * 25 Gbps)|100 Gbps (four links * 25 Gbps)|

+## Next steps

+Learn more:

+> [!div class="nextstepaction"]

+> [FAQ](faq.md)

+ Title: Solution design

+description: Learn about topologies and constraints for NC2 on Azure Public Preview.

+# Solution design

+This article identifies topologies and constraints for NC2 on Azure Public Preview.

+## Supported topologies

+The following table describes the network topologies supported by each network features configuration of NC2 on Azure.

+|Topology |Basic network features |

+| :- |::|

+|Connectivity to BareMetal (BM) in a local VNet| Yes |

+|Connectivity to BM in a peered VNet (Same region)|Yes |

+|Connectivity to BM in a peered VNet (Cross region or global peering)|No |

+|Connectivity to a BM over ExpressRoute gateway |Yes|

+|ExpressRoute (ER) FastPath |No |

+|Connectivity from on-premises to a BM in a spoke VNet over ExpressRoute gateway and VNet peering with gateway transit|Yes |

+|Connectivity from on-premises to a BM in a spoke VNet over VPN gateway| Yes |

+|Connectivity from on-premises to a BM in a spoke VNet over VPN gateway and VNet peering with gateway transit| Yes |

+|Connectivity over Active/Passive VPN gateways| Yes |

+|Connectivity over Active/Active VPN gateways| No |

+|Connectivity over Active/Active Zone Redundant gateways| No |

+|Connectivity over Virtual WAN (VWAN)| No |

+## Constraints

+The following table describes whatΓÇÖs supported for each network features configuration:

+|Features |Basic network features |

+| :- | -: |

+|Delegated subnet per VNet |1|

+|[Network Security Groups](/azure/virtual-network/network-security-groups-overview) on NC2 on Azure-delegated subnets|No|

+|[User-defined routes (UDRs)](/azure/virtual-network/virtual-networks-udr-overview#user-defined) on NC2 on Azure-delegated subnets|No|

+|Connectivity to [private endpoints](/azure/private-link/private-endpoint-overview)|No|

+|Load balancers for NC2 on Azure traffic|No|

+|Dual stack (IPv4 and IPv6) virtual network|IPv4 only supported|

+## Next steps

+Learn more:

+> [!div class="nextstepaction"]

+> [Architecture](architecture.md)

+ Title: Supported instances and regions

+description: Learn about instances and regions supported for NC2 on Azure Public Preview.

+# Supported instances and regions

+Learn about instances and regions supported for NC2 on Azure Public Preview.

+## Supported instances

+Nutanix Clusters on Azure supports:

+* Minimum of three bare metal nodes per cluster.

+* Maximum of nine bare metal nodes for public preview.

+* Only the Nutanix AHV hypervisor on Nutanix clusters running in Azure.

+* Prism Central instance deployed on Nutanix Clusters on Azure to manage the Nutanix clusters in Azure.

+## Supported regions

+This public preview release supports the following Azure regions:

+|Region name |Ready Node for Nutanix AN36 |Ready Node for Nutanix AN36P |

+| :- | -: |::|

+|East US (Virginia)|ΓÇïYes|No|

+|West US 2 (Washington)ΓÇï|Yes|No|

+|East US 2 (Virginia)|No|Yes|

+|North Central US (Illinois)ΓÇï|No|Yes|

+|UK South (London)*|No|Yes|

+|Germany West Central (Frankfurt)ΓÇï|No|Yes|

+|Australia East|No|Yes|

+|West Europe (Amsterdam)No|Yes|

+|Southeast Asia (Singapore)|No|Yes|

+## Next steps

+Learn more:

+> [!div class="nextstepaction"]

+> [SKUs](skus.md)

+ Title: Use cases and supported scenarios

+description: Learn about use cases and supported scenarios for NC2 on Azure, including cluster management, disaster recovery, on-demand elasticity, and lift-and-shift.

+# Use cases and supported scenarios

+ Learn about use cases and supported scenarios for NC2 on Azure, including cluster management, disaster recovery, on-demand elasticity, and lift-and-shift.

+## Unified management experience - cluster management

+That operations and cluster management be nearly identical to on-premises is critical to customers.

+Customers can update capacity, monitor alerts, replace hosts, monitor usage, and more by combining the respective strengths of Microsoft and Nutanix.

+## Disaster recovery

+Disaster recovery is critical to cloud functionality.

+A disaster can be any of the following:

+- Cyber attack

+- Data breach

+- Equipment failure

+- Natural disaster

+- Data loss

+- Human error

+- Malware and viruses

+- Network and internet blips

+- Hardware and/or software failure

+- Weather catastrophes

+- Flooding

+- Office vandalism

+ ...or anything else that puts your operations at risk.

+When a disaster strikes, the goal of any DR plan is to ensure operations run as normally as possible.

+While the business will be aware of the crisis, ideally, its customers and end-users shouldn't be affected.

+## On-demand elasticity

+Scale up and scale out as you like.

+We provide the flexibility that means you don't have to procure hardware yourself - with just a click of a button you can get additional nodes in the cloud nearly instantly.

+## Lift and shift

+Move applications to the cloud and modernize your infrastructure.

+Applications move with no changes, allowing for flexible operations and minimum downtime.

+> [!div class="nextstepaction"]

+> [Solution design](solution-design.md)

+| Neural text-to-speech | Converts text to natural-sounding speech by using deep neural network technology, which allows for more natural synthesized speech. | 2.2.0 | Generally available |

+Release notes for `v2.2.0`:

+* Support `sv-se-hillevineural` and `sv-se-mattiasneural` and `sv-se-sofieneural`.

+| `2.2.0-amd64-<locale-and-voice>` | Replace `<locale>` with one of the available locales, listed below. For example `2.2.0-amd64-en-us-arianeural`. |

+| v2.2.0 Locales and voices | Notes |

+| `am-et-amehaneural`| Container image with the `am-ET` locale and `am-ET-amehaneural` voice.|

+| `am-et-mekdesneural`| Container image with the `am-ET` locale and `am-ET-mekdesneural` voice.|

+| `ar-bh-lailaneural`| Container image with the `ar-BH` locale and `ar-BH-lailaneural` voice.|

+| `ar-eg-salmaneural`| Container image with the `ar-EG` locale and `ar-EG-salmaneural` voice.|

+| `ar-eg-shakirneural`| Container image with the `ar-EG` locale and `ar-EG-shakirneural` voice.|

+| `ar-sa-hamedneural`| Container image with the `ar-SA` locale and `ar-SA-hamedneural` voice.|

+| `ar-sa-zariyahneural`| Container image with the `ar-SA` locale and `ar-SA-zariyahneural` voice.|

+| `cs-cz-antoninneural`| Container image with the `cs-CZ` locale and `cs-CZ-antoninneural` voice.|

+| `cs-cz-vlastaneural`| Container image with the `cs-CZ` locale and `cs-CZ-vlastaneural` voice.|

+| `de-ch-janneural`| Container image with the `de-CH` locale and `de-CH-janneural` voice.|

+| `de-ch-lenineural`| Container image with the `de-CH` locale and `de-CH-lenineural` voice.|

+| `de-de-conradneural`| Container image with the `de-DE` locale and `de-DE-conradneural` voice.|

+| `de-de-katjaneural`| Container image with the `de-DE` locale and `de-DE-katjaneural` voice.|

+| `en-au-natashaneural`| Container image with the `en-AU` locale and `en-AU-natashaneural` voice.|

+| `en-au-williamneural`| Container image with the `en-AU` locale and `en-AU-williamneural` voice.|

+| `en-ca-claraneural`| Container image with the `en-CA` locale and `en-CA-claraneural` voice.|

+| `en-ca-liamneural`| Container image with the `en-CA` locale and `en-CA-liamneural` voice.|

+| `en-gb-libbyneural`| Container image with the `en-GB` locale and `en-GB-libbyneural` voice.|

+| `en-gb-ryanneural`| Container image with the `en-GB` locale and `en-GB-ryanneural` voice.|

+| `en-gb-sonianeural`| Container image with the `en-GB` locale and `en-GB-sonianeural` voice.|

+| `en-us-arianeural`| Container image with the `en-US` locale and `en-US-arianeural` voice.|

+| `en-us-guyneural`| Container image with the `en-US` locale and `en-US-guyneural` voice.|

+| `en-us-jennyneural`| Container image with the `en-US` locale and `en-US-jennyneural` voice.|

+| `es-es-alvaroneural`| Container image with the `es-ES` locale and `es-ES-alvaroneural` voice.|

+| `es-es-elviraneural`| Container image with the `es-ES` locale and `es-ES-elviraneural` voice.|

+| `es-mx-dalianeural`| Container image with the `es-MX` locale and `es-MX-dalianeural` voice.|

+| `es-mx-jorgeneural`| Container image with the `es-MX` locale and `es-MX-jorgeneural` voice.|

+| `fr-ca-antoineneural`| Container image with the `fr-CA` locale and `fr-CA-antoineneural` voice.|

+| `fr-ca-jeanneural`| Container image with the `fr-CA` locale and `fr-CA-jeanneural` voice.|

+| `fr-ca-sylvieneural`| Container image with the `fr-CA` locale and `fr-CA-sylvieneural` voice.|

+| `fr-fr-deniseneural`| Container image with the `fr-FR` locale and `fr-FR-deniseneural` voice.|

+| `fr-fr-henrineural`| Container image with the `fr-FR` locale and `fr-FR-henrineural` voice.|

+| `hi-in-madhurneural`| Container image with the `hi-IN` locale and `hi-IN-madhurneural` voice.|

+| `hi-in-swaraneural`| Container image with the `hi-IN` locale and `hi-IN-swaraneural` voice.|

+| `it-it-diegoneural`| Container image with the `it-IT` locale and `it-IT-diegoneural` voice.|

+| `it-it-elsaneural`| Container image with the `it-IT` locale and `it-IT-elsaneural` voice.|

+| `it-it-isabellaneural`| Container image with the `it-IT` locale and `it-IT-isabellaneural` voice.|

+| `ja-jp-keitaneural`| Container image with the `ja-JP` locale and `ja-JP-keitaneural` voice.|

+| `ja-jp-nanamineural`| Container image with the `ja-JP` locale and `ja-JP-nanamineural` voice.|

+| `ko-kr-injoonneural`| Container image with the `ko-KR` locale and `ko-KR-injoonneural` voice.|

+| `ko-kr-sunhineural`| Container image with the `ko-KR` locale and `ko-KR-sunhineural` voice.|

+| `pt-br-antonioneural`| Container image with the `pt-BR` locale and `pt-BR-antonioneural` voice.|

+| `pt-br-franciscaneural`| Container image with the `pt-BR` locale and `pt-BR-franciscaneural` voice.|

+| `so-so-muuseneural`| Container image with the `so-SO` locale and `so-SO-muuseneural` voice.|

+| `so-so-ubaxneural`| Container image with the `so-SO` locale and `so-SO-ubaxneural` voice.|

+| `sv-se-hillevineural`| Container image with the `sv-SE` locale and `sv-SE-hillevineural` voice.|

+| `sv-se-mattiasneural`| Container image with the `sv-SE` locale and `sv-SE-mattiasneural` voice.|

+| `sv-se-sofieneural`| Container image with the `sv-SE` locale and `sv-SE-sofieneural` voice.|

+| `tr-tr-ahmetneural`| Container image with the `tr-TR` locale and `tr-TR-ahmetneural` voice.|

+| `tr-tr-emelneural`| Container image with the `tr-TR` locale and `tr-TR-emelneural` voice.|

+| `zh-cn-xiaochenneural-preview`| Container image with the `zh-CN` locale and `zh-CN-xiaochenneural` voice.|

+| `zh-cn-xiaohanneural`| Container image with the `zh-CN` locale and `zh-CN-xiaohanneural` voice.|

+| `zh-cn-xiaomoneural`| Container image with the `zh-CN` locale and `zh-CN-xiaomoneural` voice.|

+| `zh-cn-xiaoqiuneural-preview`| Container image with the `zh-CN` locale and `zh-CN-xiaoqiuneural` voice.|

+| `zh-cn-xiaoruineural`| Container image with the `zh-CN` locale and `zh-CN-xiaoruineural` voice.|

+| `zh-cn-xiaoshuangneural-preview`| Container image with the `zh-CN` locale and `zh-CN-xiaoshuangneural` voice.|

+| `zh-cn-xiaoxiaoneural`| Container image with the `zh-CN` locale and `zh-CN-xiaoxiaoneural` voice.|

+| `zh-cn-xiaoxuanneural`| Container image with the `zh-CN` locale and `zh-CN-xiaoxuanneural` voice.|

+| `zh-cn-xiaoyanneural-preview`| Container image with the `zh-CN` locale and `zh-CN-xiaoyanneural` voice.|

+| `zh-cn-xiaoyouneural`| Container image with the `zh-CN` locale and `zh-CN-xiaoyouneural` voice.|

+| `zh-cn-yunxineural`| Container image with the `zh-CN` locale and `zh-CN-yunxineural` voice.|

+| `zh-cn-yunyangneural`| Container image with the `zh-CN` locale and `zh-CN-yunyangneural` voice.|

+| `zh-cn-yunyeneural`| Container image with the `zh-CN` locale and `zh-CN-yunyeneural` voice.|

+Release notes for `v2.1.0`:

+**Features**

+* Security upgrade.

+Before you get started, try out [Personalizer with this interactive demo](https://personalizerdevdemo.azurewebsites.net/).

+* [Use the interactive demo](https://personalizerdevdemo.azurewebsites.net/)

+Call recording currently supports mixed audio+video MP4 and mixed audio-only MP3/WAV output formats in Public Preview. The mixed audio+video output media matches meeting recordings produced via Microsoft Teams recording.

+| Content Type | Content Format | Channel Type | Video | Audio |

+| :-- | :- | :-- | :- | : |

+| audioVideo | mp4 | mixed | 1920x1080 8 FPS video of all participants in default tile arrangement | 16kHz mp4a mixed audio of all participants |

+| audioOnly| mp3/wav | mixed | N/A | 16kHz mp3/wav mixed audio of all participants |

+| audioOnly| wav | unmixed | N/A | 16kHz wav, 0-5 channels for each participant |

+## Channel types

+> [!NOTE]

+> **Unmixed audio-only** is still in a **Private Preview** and NOT enabled for Teams Interop meetings.

+| Channel type | Content format | Output | Scenario |

+||--|||

+| Mixed audio-video | Mp4 | Single file, single channel | Keeping records and meeting notes Coaching and Training |

+| Mixed audio-only | Mp3 (lossy)/ wav (lossless) | Single file, single channel | Compliance & Adherence Coaching and Training |

+| **Unmixed audio-only** | Mp3/wav | Single file, multiple channels maximum number of channels is 6 for mp3 and 50 for wav | Quality Assurance Analytics |

+>[!VIDEO https://www.youtube.com/embed/chMHVHLFcao]

+> [!NOTE]

+> **Unmixed audio-only** is still in a **Private Preview** and NOT enabled for Teams Interop meetings.

+- [Azure Container Apps](#azure-container-apps)

+### Azure Spring Apps

+[Azure Spring Apps](../spring-cloud/overview.md) makes it easy to deploy Spring Boot microservice applications to Azure without any code changes. The service manages the infrastructure of Spring Cloud applications so developers can focus on their code. Azure Spring Cloud provides lifecycle management using comprehensive monitoring and diagnostics, configuration management, service discovery, CI/CD integration, blue-green deployments, and more. If your team or organization is predominantly Spring, Azure Spring Apps is an ideal option.

+> [!NOTE]

+> Docker Hub [limits](https://docs.docker.com/docker-hub/download-rate-limit/) the number of Docker image downloads. When the limit is reached, containers in your app will fail to start. You're recommended to use a registry with sufficient limits, such as [Azure Container Registry](../container-registry/container-registry-intro.md).

+> [!NOTE]

+> You will need to [enable an admin user account](../container-registry/container-registry-authentication.md) in your Azure

+> Container Registry even when you use an Azure managed identity. You will not need to use the ACR admin credentials to pull images into Azure

+> Container Apps, however, it is a prequisite to have the ACR admin user account enabled in the registry Azure Container Apps is pulling from.

+- Enable external or internal ingress

+> [!Note]

+> Your GitHub personal access token needs to have the `workflow` scope selected.

+> [!Note]

+> Before you proceed with the example below, you must have your first container app already deployed.

+ --context-path "./dockerfile" \

+ --content-path "./dockerfile" `

+# Microservices with Azure Container Apps

+ENVIRONMENT_DEFAULT_DOMAIN=`az containerapp env show --name ${CONTAINERAPPS_ENVIRONMENT} --resource-group ${RESOURCE_GROUP} --query properties.defaultDomain --out json | tr -d '"'`

+ENVIRONMENT_STATIC_IP=`az containerapp env show --name ${CONTAINERAPPS_ENVIRONMENT} --resource-group ${RESOURCE_GROUP} --query properties.staticIp --out json | tr -d '"'`

+$ENVIRONMENT_DEFAULT_DOMAIN=(az containerapp env show --name $CONTAINERAPPS_ENVIRONMENT --resource-group $RESOURCE_GROUP --query properties.defaultDomain -o tsv)

+$ENVIRONMENT_STATIC_IP=(az containerapp env show --name $CONTAINERAPPS_ENVIRONMENT --resource-group $RESOURCE_GROUP --query properties.staticIp -o tsv)

+> Network address prefixes requires a CIDR range of `/23`.

+Get your existing capabilities. Capabilities are account features. Some are optional and some can't be changed.

+az cosmosdb show -n <account_name> -g <azure_resource_group>

+You should see a capability section similar to this

+```powershell

+"capabilities": [

+ {

+ "name": "EnableMongo"

+ },

+ {

+ "name": "DisableRateLimitingResponses"

+ }

+```

+Copy the existing capabilities and add the RBAC capability (EnableMongoRoleBasedAccessControl) to the list:

+```powershell

+az cosmosdb update -n <account_name> -g <azure_resource_group> --capabilities EnableMongoRoleBasedAccessControl, EnableMongo, DisableRateLimitingResponses

+```

+If you prefer a new database account instead, create a new database account with the RBAC capability set to true. Your subscription must be allow-listed in order to create an account with the EnableMongoRoleBasedAccessControl capability.

+ Title: Nested activities

+description: Learn about nested activities in Azure Data Factory and Azure Synapse Analytics.

+# Nested activities in Azure Data Factory and Azure Synapse Analytics

+This article helps you understand nested activities in Azure Data Factory and Azure Synapse Analytics and how to use them, limitations, and best practices.

+## Overview

+A Data Factory or Synapse Workspace pipeline can contain control flow activities that allow for other activities to be contained inside of them. Think of these nested activities as containers that hold one or more other activities that can execute depending on the top level control flow activity.

+See the following example with an If activity that has one activity contained.

+## Control flow activities

+The following control flow activities support nested activities:

+Control activity | Description

+- | --

+[For Each](control-flow-for-each-activity.md) | ForEach Activity defines a repeating control flow in your pipeline. This activity is used to iterate over a collection and executes specified activities in a loop. The loop implementation of this activity is similar to the Foreach looping structure in programming languages.

+[If Condition Activity](control-flow-if-condition-activity.md) | The If Condition can be used to branch based on condition that evaluates to true or false. The If Condition activity provides the same functionality that an if statement provides in programming languages. It evaluates a set of activities when the condition evaluates to `true` and another set of activities when the condition evaluates to `false.`

+[Until Activity](control-flow-until-activity.md) | Implements Do-Until loop that is similar to Do-Until looping structure in programming languages. It executes a set of activities in a loop until the condition associated with the activity evaluates to true. You can specify a timeout value for the until activity.

+[Switch Activity](control-flow-switch-activity.md) | The Switch activity provides the same functionality that a switch statement provides in programming languages. It evaluates a set of activities corresponding to a case that matches the condition evaluation.

+## Navigating nested activities

+There are two primary ways to navigate to the contained activities in a nested activity.

+1. Each control flow activity that supports nested activities has an activity tab. Selecting the activity tab will then give you a pencil icon you can select to drill down into the inner activities panel.

+2. From the activity on the pipeline canvas, you can select the pencil icon to drill down into the inner activities panel. Additionally, the ForEach and Until activities support double-clicking on the activity to drill down to the inner activities panel.

+Your pipeline canvas will then switch to the context of the inner activity container that you selected. There will also be a breadcrumb trail at the top you can select to navigate back to the parent pipeline.

+## Nested activity embedding limitations

+Activities that support nesting (ForEach, Until, Switch, and If Condition) can't be embedded inside of another nested activity. Essentially, the current support for nesting is one level deep. See the best practices section below on how to use other pipeline activities to enable this scenario. In addition, the

+[Validation Activity](control-flow-validation-activity.md) can't be placed inside of a nested activity.

+## Best practices for multiple levels of nested activities

+In order to have logic that supports nesting more than one level deep, you can use the [Execute Pipeline Activity](control-flow-execute-pipeline-activity.md) inside of your nested activity to call another pipeline that then can have another level of nested activities. A common use case for this pattern is with the ForEach loop where you need to additionally loop based off logic in the inner activities.

+An example of this pattern would be if you had a file system that had a list of folders and each folder there are multiple files you want to process. You would accomplish this pattern, generally, by performing the following.

+1. Using a [Get Metadata Activity](control-flow-get-metadata-activity.md) first to get a list of just the folders.

+2. Pass the result of the Get Metadata activity into the Items list of a ForEach activity. Each iteration then represents a single folder to process.

+3. In the inner activities panel of the ForEach activity, use another Get Metadata activity to get a list of files inside of the folder.

+4. Call an Execute Pipeline activity that has an array parameter and pass it an array of those filenames.

+5. In the child pipeline, you could then use another nested activity (such as ForEach) with the passed in array list to iterate over the files and perform one or more sets of inner activities.

+

+The parent pipeline would look similar to the below example.

+[  ](media/concepts-pipelines-activities/nested-activity-execute-pipeline.png#lightbox)

+The child pipeline would look similar to the below example.

+ :::image type="content" source="media/concepts-pipelines-activities/nested-activity-execute-child-pipeline.png" alt-text="Screenshot showing an example child pipeline with a ForEach loop.":::

+## Next steps

+See the following tutorials for step-by-step instructions for creating pipelines and datasets.

+- [Tutorial: Copy multiple tables in bulk by using Azure Data Factory in the Azure portal](tutorial-bulk-copy-portal.md)

+- [Tutorial: Incrementally load data from a source data store to a destination data store](tutorial-incremental-copy-overview.md)

+1. Select the **Partition SAP data to extract and load into Azure Data Lake Store Gen2 in parallel** template.

+[Auto-generate a pipeline from the SAP data replication template](sap-change-data-capture-data-replication-template.md).

+1. Select the **Replicate SAP data to Azure Synapse Analytics and persist raw data in Azure Data Lake Store Gen2** template.

+1. If you want to replicate SAP data to ADLS Gen2 in Delta format, complete the same steps as above, except using the **Replicate SAP data to Azure Data Lake Store Gen2 in Delta format and persist raw data in CSV format** template.

+## Current limitations

+The following are the current limitations of SAP CDC solution in ADF:

+- Resetting and deleting ODQ subscriptions from ADF aren't supported for now.

+- SAP hierarchies aren't supported for now.

+This article describes how to create a GPU VM in the Azure portal or by using the Azure Resource Manager templates.

+ - On the **Basics** tab, select a [VM size from N-series, optimized for GPUs](azure-stack-edge-gpu-virtual-machine-sizes.md#n-series-gpu-optimized). Based on the GPU model on your device, Nvidia T4 or Nvidia A2, the dropdown list will display the corresponding supported GPU VM sizes.

+ - To install the GPU extension during deployment, on the **Advanced** tab, choose **Select an extension to install**. Then select a GPU extension to install. GPU extensions are only available for a virtual machine with a [VM size from N-series](azure-stack-edge-gpu-virtual-machine-sizes.md#n-series-gpu-optimized).

+ - When specifying GPU VM sizes, make sure to use the NCasT4-v3-series in the `CreateVM.parameters.json`, which are supported for GPU VMs. For more information, see [Supported VM sizes for GPU VMs](azure-stack-edge-gpu-virtual-machine-sizes.md#n-series-gpu-optimized).

+ GPU extensions are only available for a virtual machine with a [VM size from N-series](azure-stack-edge-gpu-virtual-machine-sizes.md#n-series-gpu-optimized). If you prefer, you can [install the GPU extension after deployment](azure-stack-edge-gpu-deploy-gpu-virtual-machine.md#install-gpu-extension-after-deployment).

+ |Size | Choose from the [Supported VM sizes](azure-stack-edge-gpu-virtual-machine-sizes.md).<br>For a GPU VM, select a [VM size from NCasT4-v3-series](azure-stack-edge-gpu-virtual-machine-sizes.md#n-series-gpu-optimized). |

+**Suggested solution:** Create a VM with the Standard_NC4as_T4_v3 or Standard_NC8as_T4_v3 VM size. For more information, see [Supported VM sizes for GPU VMs](azure-stack-edge-gpu-virtual-machine-sizes.md#n-series-gpu-optimized). For information about specifying the size, see [Create GPU VMs](./azure-stack-edge-gpu-deploy-gpu-virtual-machine.md#create-gpu-vms).

+For a GPU virtual machine, you must use a [VM size from the NCasT4-v3-series](azure-stack-edge-gpu-virtual-machine-sizes.md#n-series-gpu-optimized).

+- One 100-GbE QSFP28 passive direct attached cable (Microsoft validated) for each data network interface Port 3 and Port 4 to be configured. Here is an example of the QSFP28 DAC connector:

+- A 100-GbE QSFP28 passive direct attached cable (Microsoft validated) for each data network interface Port 3 and Port 4 to be configured on each device. The total number needed would depend on the network topology you will deploy. Here is an example QSFP28 DAC connector:

+On your device:

+- The front panel has disk drives and a power button. The front panel has:

+ - Has 2, 4, or 6 data disks in the 6 available slots depending on the specific hardware configuration.

+On your device:

+- The back plane has:

+ - Two 100-Gbps interfaces, Port 3 and Port 4.

+ - Two, one, or no Graphical Processing Units (GPUs).

+ 

+|Accelerated AI inferencing| Enabled by the compute acceleration card. Depending on your compute needs, you may choose a model that comes with one, two or no Graphical Processing Units (GPUs). <br> For more information, see [Technical specifications for Azure Stack Edge Pro 2](azure-stack-edge-pro-2-technical-specifications-compliance.md).|

+ * For models with GPU(s), derate allowable max operating temperature by 1┬░C/210m (2.6┬░F/1000ft) above 950m (3,117ft).

+# [Model 64G2T](#tab/sku-a)

+| Memory type | 2 x 32 GB DDR4-2933 RDIMM |

+| Memory: raw | 64 GB RAM |

+| Memory: usable | 51 GB RAM |

+# [Model 128G4T1GPU](#tab/sku-b)

+| Specification | Value |

+|-|--|

+| CPU type | Intel® Xeon ® Gold 6209U CPU @ 2.10 GHz (Cascade Lake) CPU|

+| CPU: raw | 20 total cores, 40 total vCPUs |

+| CPU: usable | 32 vCPUs |

+| Memory type | 4 x 32 GB DDR4-2933 RDIMM |

+| Memory: raw | 128 GB RAM |

+| Memory: usable | 102 GB RAM |

+# [Model 256G6T2GPU](#tab/sku-c)

+| Specification | Value |

+|-|--|

+| CPU type | Intel® Xeon ® Gold 6209U CPU @ 2.10 GHz (Cascade Lake) CPU|

+| CPU: raw | 20 total cores, 40 total vCPUs |

+| CPU: usable | 32 vCPUs |

+| Memory type | 4 x 64 GB DDR4-2933 RDIMM |

+| Memory: raw | 256 GB RAM |

+| Memory: usable | 204 GB RAM |

+# [Model 64G2T](#tab/sku-a)

+| Total capacity | 2 TB |

+| Total usable capacity | 720 GB |

+| RAID configuration | [Storage Spaces Direct with mirroring](/windows-server/storage/storage-spaces/storage-spaces-fault-tolerance#mirroring) |

+# [Model 128G4T1GPU](#tab/sku-b)

+| Specification | Value |

+|-|--|

+| Boot disk | 1 NVMe SSD |

+| Boot disk capacity | 960 GB |

+| Number of data disks | 4 SATA SSDs |

+| Single data disk capacity | 960 GB |

+| Total capacity | 4 TB |

+| Total usable capacity | 1.6 TB |

+# [Model 256G6T2GPU](#tab/sku-c)

+| Specification | Value |

+|-|--|

+| Boot disk | 1 NVMe SSD |

+| Boot disk capacity | 960 GB |

+| Number of data disks | 6 SATA SSDs |

+| Single data disk capacity | 960 GB |

+| Total capacity | 6 TB |

+| Total usable capacity | 2.5 TB |

+| RAID configuration | [Storage Spaces Direct with mirroring](/windows-server/storage/storage-spaces/storage-spaces-fault-tolerance#mirroring) |

+The following tables list the various enclosure specifications for dimensions and weight.

+The Azure Stack Edge Pro 2 is designed to fit in a standard 19" equipment rack and is two rack units high (2U).

+The enclosure dimensions are identical across all models of Azure Stack Edge Pro 2.

+The following table lists the dimensions of the 2U device enclosure in millimeters and inches.

+| Height | 87.0 | 3.43 |

+# [Model 642GT](#tab/sku-a)

+| 1 | Model 642GT | 21.0 |

+| 4 | Shipping weight, with 2-post mount | 32.1 |

+| 5 | Model 642GT install handling, 2-post (without bezel and with inner rails attached) | 20.4 |

+| | | |

+| 6 | Shipping weight with wall mount | 31.1 |

+| 7 | Model 642GT install handling without bezel | 19.8 |

+| | | |

+| 4 | 4-post in box | 6.28 |

+| 10 | Wallmount as packaged | 2.16 |

+# [Model 128G4T1GPU](#tab/sku-b)

+| Line # | Hardware | Weight lbs |

+|--|||

+| 1 | Model 128G4T1GPU | 21.9 |

+| | | |

+| 2 | Shipping weight, with 4-post mount | 36.2 |

+| 3 | Model 128G4T1GPU install handling, 4-post (without bezel and with inner rails attached) | 21.3 |

+| 4 | Shipping weight, with 2-post mount | 33.0 |

+| 5 | Model 128G4T1GPU install handling, 2-post (without bezel and with inner rails attached) | 21.3 |

+| | | |

+| 6 | Shipping weight with wall mount | 32.0 |

+| 7 | Model 128G4T1GPU install handling without bezel | 20.7 |

+| | | |

+| 8 | 4-post in box | 6.28 |

+| 9 | 2-post in box | 3.08 |

+| 10 | Wallmount as packaged | 2.16 |

+# [Model 256G6T2GPU](#tab/sku-c)

+| Line # | Hardware | Weight lbs |

+|--|--||

+| 1 | Model 256G6T2GPU | 22.9 |

+| | | |

+| 2 | Shipping weight, with 4-post mount | 37.1 |

+| 3 | Model 256G6T2GPU install handling, 4-post (without bezel and with inner rails attached)|22.3 |

+| | | |

+| 4 | Shipping weight, with 2-post mount | 33.9 |

+| 5 | Model 256G6T2GPU install handling, 2-post (without bezel and with inner rails attached) | 22.3 |

+| | | |

+| 6 | Shipping weight with wall mount | 33.0 |

+| 7 | Model 256G6T2GPU install handling without bezel | 21.7 |

+| | | |

+| 8 | 4-post in box | 6.28 |

+| 9 | 2-post in box | 3.08 |

+| 10 | Wallmount as packaged | 2.16 |

+Digital twin data can be sent to most Azure services using *endpoints*. If your destination is [Azure Data Explorer](/azure/data-explorer/data-explorer-overview), you can use *data history* instead to automatically send twin property updates to an Azure Data Explorer cluster, where they are stored as historical data and can be queried as such. The rest of this section describes these capabilities in more detail.

+To send twin data to [Azure Data Explorer](/azure/data-explorer/data-explorer-overview), set up a [data history connection](concepts-data-history.md) that automatically stores digital twin property updates from your Azure Digital Twins instance in an Azure Data Explorer cluster as historical data. The data history connection requires an [event hub](../event-hubs/event-hubs-about.md), but doesn't require an explicit endpoint.

+Once historical data is being collected, you can query this data in Azure Data Explorer using the [Azure Digital Twins query plugin for Azure Data Explorer](concepts-data-explorer-plugin.md).

+You can also use data history in combination with [Azure Synapse Analytics](../synapse-analytics/overview-what-is.md) to aggregate data from disparate sources. This can be useful in many scenarios. Here are two examples:

+* Combine information technology (IT) data from ERP or CRM systems (like Dynamics 365, SAP, or Salesforce) with operational technology (OT) data from IoT devices and production management systems. For an example that illustrates how a company might combine this data, see the following blog post: [Integrating IT and OT Data with Azure Digital Twins, Azure Data Explorer, and Azure Synapse](https://techcommunity.microsoft.com/t5/internet-of-things-blog/integrating-it-and-ot-data-with-azure-digital-twins-azure-data/ba-p/3401981).

+* Integrate with the Azure AI and Cognitive Services [Multivariate Anomaly Detector](/azure/cognitive-services/anomaly-detector/overview-multivariate), to quickly connect your Azure Digital Twins data with a downstream AI/machine learning solution that specializes in anomaly detection. The [Azure Digital Twins Multivariate Anomaly Detection Toolkit](/samples/azure-samples/digital-twins-mvad-integration/adt-mvad-integration/) is a sample project that provides a workflow for training multiple Multivariate Anomaly Detector models for several scenario analyses, based on historical digital twin data. It then leverages the trained models to detect abnormal operations and anomalies in modeled Azure Digital Twins environments, in near real-time.

+Dedicated clusters are provisioned and billed by **Capacity Units (CUs)**, a pre-allocated amount of CPU and memory resources. You can purchase 1, 2, 4, 8, 12, 16 or 20 CUs for each cluster. In this quickstart, we'll walk you through creating a 1 CU Event Hubs cluster through the Azure portal.

+ 1. Select the **Support Scaling** option to create a cluster that you can scale out or scale in yourself. For more information about

+ 1. Select a **location** for the cluster. If your preferred region is grayed out or it's temporarily out of capacity, you can submit a [support request](#submit-a-support-request) to the Event Hubs team.

+ 1. Select the **Next: Tags** button at the bottom of the page. You may have to wait a few minutes for the system to fully provision the resources.

+## Scale Event Hubs dedicated cluster

+For clusters created with the **Support Scaling** option set, use the following steps to scale out or scale in your cluster.

+1. On the **Event Hubs Cluster** page for your dedicated cluster, select **Scale** on the left menu.

+ :::image type="content" source="./media/event-hubs-dedicated-cluster-create-portal/scale-page.png" alt-text="Screenshot showing the Scale tab of the Event Hubs Cluster page.":::

+1. Use the slider to increase (scale out) or decrease (scale in) capacity units assigned to the cluster.

+1. Then, select **Save** on the command bar.

+The **Scale** tab is available only for the Event Hubs clusters created with the **Support scaling** option checked. You don't see the **Scale** tab for clusters that were created before this feature was released or for the clusters you created without selecting the **Support scaling** option. If you wish to change the size of a cluster that you can't scale yourself, or if your preferred region isn't available, submit a support request by using the following steps.

+### Submit a support request

+ 5. For **Problem type**, select **Quota or Configuration changes**.

+ 1. Select **Dedicated Cluster SKU requests** to request for the feature to be supported in your region.

+ 2. Select **Scale up or down a dedicated Cluster** if you want to scale up or scale down your dedicated cluster.

+# Overview of Azure Event Hubs dedicated tier

+*Event Hubs clusters* offer **single-tenant** deployments for customers with the most demanding streaming needs. This single-tenant offering has a guaranteed 99.99% SLA and is available only on our dedicated pricing tier. An Event Hubs cluster can ingress millions of events per second with guaranteed capacity and subsecond latency. Namespaces and event hubs created within the dedicated cluster include all features of the premium offering and more, but without any ingress limits. It also includes the popular [Event Hubs Capture](event-hubs-capture-overview.md) feature at no additional cost. The Event Hubs Capture feature allows you to automatically batch and log data streams to Azure Storage or Azure Data Lake Storage.

+Clusters are provisioned and billed by **capacity units (CUs)**, a pre-allocated amount of CPU and memory resources. You can purchase 1, 2, 4, 8, 12, 16 or 20 CUs for each cluster. How much you can ingest and stream per CU depends on various factors, such as the following ones:

+> All Event Hubs clusters are Kafka-enabled by default and support Kafka endpoints that can be used by your existing Kafka based applications. Having Kafka enabled on your cluster does not affect your non-Kafka use cases. There is no option or need to disable Kafka on a cluster.

+## Why dedicated tier?

+The dedicated tier of Event Hubs offers three compelling benefits for customers who need enterprise-level capacity:

+### Single-tenancy guarantees capacity for better performance

+### Inclusive and exclusive access to features

+The dedicated offering includes features like [Event Hubs Capture](event-hubs-capture-overview.md) at no additional cost and exclusive access to features like [Bring Your Own Key (BYOK)](configure-customer-managed-key.md). The service also manages load balancing, operating system updates, security patches, and partitioning. So, you can spend less time on infrastructure maintenance and more time on building client-side features.

+### Self-Serve scaling capabilitiesΓÇ»

+The dedicated tier offers self-serve scaling capabilities that allow you to adjust the capacity of the cluster according to dynamic loads and to facilitate business operations. You can scale out during spikes in usage and scale in when the usage is low. To learn how to scale your dedicated cluster, see [Scale Event Hubs dedicated clusters](event-hubs-dedicated-cluster-create-portal.md).

+## Quotas and limits

+The Event Hubs dedicated offering is billed at a fixed monthly price, with a **minimum of 4 hours of usage**. The dedicated tier offers all the features of the premium plan, but with enterprise-scale capacity and limits for customers with demanding workloads.

+For more information about quotas and limits, see [Event Hubs quotas and limits](event-hubs-quotas.md)

+```

+```azurecli-interactive

+```

+```azurecli-interactive

+### Create an origin group

+Your Front Door profile would become fully functional with the last step.

+ Title: 'Create an Azure Front Door Standard/Premium with Azure PowerShell'

+description: Learn how to create an Azure Front Door Standard/Premium with Azure PowerShell. Use Azure Front Door to deliver content to your global user base and protect your web apps against vulnerabilities.

+documentationcenter: na

+ na

+# Quickstart: Create an Azure Front Door Standard/Premium - Azure PowerShell

+In this quickstart, you'll learn how to create an Azure Front Door Standard/Premium profile using Azure PowerShell. You'll create this profile using two Web Apps as your origin. You can then verify connectivity to your Web Apps using the Azure Front Door endpoint hostname.

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- Azure PowerShell installed locally or Azure Cloud Shell

+## Create resource group

+In Azure, you allocate related resources to a resource group. You can either use an existing resource group or create a new one.

+Create a resource group with [New-AzResourceGroup](/powershell/module/az.resources/new-azresourcegroup):

+```azurepowershell-interactive

+New-AzResourceGroup -Name myRGFD -Location centralus

+```

+## Create two instances of a web app

+This quickstart requires two instances of a web application that run in different Azure regions. Both the web application instances run in Active/Active mode, so either one can take traffic. This configuration differs from an Active/Stand-By configuration, where one acts as a failover.

+If you don't already have a web app, use [New-AzWebApp](/powershell/module/az.websites/new-azwebapp) to set up two example web apps.

+```azurepowershell-interactive

+# Create first web app in Central US region.

+$webapp1 = New-AzWebApp `

+ -Name "WebAppContoso-01" `

+ -Location centralus `

+ -ResourceGroupName myRGFD `

+ -AppServicePlan myAppServicePlanCentralUS

+# Create second web app in South Central US region.

+$webapp2 = New-AzWebApp `

+ -Name "WebAppContoso-02" `

+ -Location EastUS `

+ -ResourceGroupName myRGFD `

+ -AppServicePlan myAppServicePlanEastUS

+```

+## Create a Front Door

+This section details how you can create and configure the components of a Front Door.

+### Create a Front Door profile

+Run [New-AzFrontDoorCdnProfile](/powershell/module/az.cdn/new-azfrontdoorcdnprofile) to create an Azure Front Door profile.

+> [!NOTE]

+> If you want to deploy Azure Front Door Standard instead of Premium substitute the value of the sku parameter with `Standard_AzureFrontDoor`. You won't be able to deploy managed rules with WAF Policy, if you choose Standard SKU. For detailed comparison, view [Azure Front Door tier comparison](standard-premium/tier-comparison.md).

+```azurepowershell-interactive

+#Create the profile

+$fdprofile = New-AzFrontDoorCdnProfile `

+ -ResourceGroupName myRGFD `

+ -Name contosoAFD `

+ -SkuName Premium_AzureFrontDoor `

+ -Location Global

+```

+### Add an endpoint

+Run [New-AzFrontDoorCdnEndpoint](/powershell/module/az.cdn/new-azfrontdoorcdnendpoint) to create an endpoint in your profile. You can create multiple endpoints in your profile after finishing the create experience.

+```azurepowershell-interactive

+#Create the endpoint

+$FDendpoint = New-AzFrontDoorCdnEndpoint `

+ -EndpointName contosofrontend `

+ -ProfileName contosoAFD `

+ -ResourceGroupName myRGFD `

+ -Location Global

+```

+### Create an origin group

+Use [New-AzFrontDoorCdnOriginGroupHealthProbeSettingObject](/powershell/module/az.cdn/new-azfrontdoorcdnorigingrouphealthprobesettingobject) and [New-AzFrontDoorCdnOriginGroupLoadBalancingSettingObject](/powershell/module/az.cdn/new-azfrontdoorcdnorigingrouploadbalancingsettingobject) to create in-memory objects for storing health probe and load balancing settings.

+Run [New-AzFrontDoorCdnOriginGroup](/powershell/module/az.cdn/new-azfrontdoorcdnorigingroup) to create an origin group that will contain your two web apps.

+```azurepowershell-interactive

+# Create health probe settings

+$HealthProbeSetting = New-AzFrontDoorCdnOriginGroupHealthProbeSettingObject `

+ -ProbeIntervalInSecond 60 `

+ -ProbePath "/" `

+ -ProbeRequestType GET `

+ -ProbeProtocol Http

+# Create load balancing settings

+$LoadBalancingSetting = New-AzFrontDoorCdnOriginGroupLoadBalancingSettingObject `

+ -AdditionalLatencyInMillisecond 50 `

+ -SampleSize 4 `

+ -SuccessfulSamplesRequired 3

+# Create origin group

+$originpool = New-AzFrontDoorCdnOriginGroup `

+ -OriginGroupName og `

+ -ProfileName contosoAFD `

+ -ResourceGroupName myRGFD `

+ -HealthProbeSetting $HealthProbeSetting `

+ -LoadBalancingSetting $LoadBalancingSetting

+```

+

+### Add an origin to the group

+Run [New-AzFrontDoorCdnOrigin](/powershell/module/az.cdn/new-azfrontdoorcdnorigin) to add your Web App origins to your origin group.

+```azurepowershell-interactive

+# Add first web app origin to origin group.

+$origin1 = New-AzFrontDoorCdnOrigin `

+ -OriginGroupName og `

+ -OriginName contoso1 `

+ -ProfileName contosoAFD `

+ -ResourceGroupName myRGFD `

+ -HostName webappcontoso-01.azurewebsites.net `

+ -OriginHostHeader webappcontoso-01.azurewebsites.net `

+ -HttpPort 80 `

+ -HttpsPort 443 `

+ -Priority 1 `

+ -Weight 1000

+# Add second web app origin to origin group.

+$origin2 = New-AzFrontDoorCdnOrigin `

+ -OriginGroupName og `

+ -OriginName contoso2 `

+ -ProfileName contosoAFD `

+ -ResourceGroupName myRGFD `

+ -HostName webappcontoso-02.azurewebsites.net `

+ -OriginHostHeader webappcontoso-02.azurewebsites.net `

+ -HttpPort 80 `

+ -HttpsPort 443 `

+ -Priority 1 `

+ -Weight 1000

+```

+### Add a route

+Run [New-AzFrontDoorCdnRoute](/powershell/module/az.cdn/new-azfrontdoorcdnroute) to map your endpoint to the origin group. This route forwards requests from the endpoint to your origin group.

+```azurepowershell-interactive

+# Create a route to map the endpoint to the origin group

+$Route = New-AzFrontDoorCdnRoute `

+ -EndpointName contosofrontend `

+ -Name defaultroute `

+ -ProfileName contosoAFD `

+ -ResourceGroupName myRGFD `

+ -ForwardingProtocol MatchRequest `

+ -HttpsRedirect Enabled `

+ -LinkToDefaultDomain Enabled `

+ -OriginGroupId $originpool.Id `

+ -SupportedProtocol Http,Https

+```

+Your Front Door profile has become fully functional with the last step.

+## Test the Front Door

+When you create the Azure Front Door Standard/Premium profile, it takes a few minutes for the configuration to be deployed globally. Once completed, you can access the frontend host you created.

+Run [Get-AzFrontDoorCdnEndpoint](/powershell/module/az.cdn/get-azfrontdoorcdnendpoint) to get the hostname of the Front Door endpoint.

+```azurepowershell-interactive

+$fd = Get-AzFrontDoorCdnEndpoint `

+ -EndpointName contosofrontend-1234 `

+ -ProfileName contosoafd `

+ -ResourceGroupName myRGFD

+$fd.hostname

+```

+In a browser, go to the endpoint hostname: `contosofrontend-<hash>.z01.azurefd.net`. Your request will automatically get routed to the web app with the lowest latency in the origin group.

+To test instant global failover, we'll use the following steps:

+1. Open a browser, as described above, and go to the endpoint hostname: `contosofrontend-<hash>.z01.azurefd.net`.

+1. Stop one of the Web Apps by running [Stop-AzWebApp](/powershell/module/az.websites/stop-azwebapp)

+ ```azurepowershell-interactive

+ Stop-AzWebApp -ResourceGroupName myRGFD -Name "WebAppContoso-01"

+ ```

+1. Refresh your browser. You should see the same information page.

+ > [!TIP]

+ > There is a little bit of delay for these actions. You might need to refresh again.

+1. Find the other web app, and stop it as well.

+ ```azurepowershell-interactive

+ Stop-AzWebApp -ResourceGroupName myRGFD -Name "WebAppContoso-02"

+ ```

+1. Refresh your browser. This time, you should see an error message.

+ :::image type="content" source="./media/create-front-door-portal/web-app-stopped-message.png" alt-text="Screenshot of the message: Both instances of the web app stopped.":::

+1. Restart one of the Web Apps by running [Start-AzWebApp](/powershell/module/az.websites/start-azwebapp). Refresh your browser and the page will go back to normal.

+ ```azurepowershell-interactive

+ Start-AzWebApp -ResourceGroupName myRGFD -Name "WebAppContoso-01"

+ ```

+## Clean up resources

+When you no longer need the resources that you created with the Front Door, delete the resource group. When you delete the resource group, you also delete the Front Door and all its related resources.

+To delete the resource group, Run [Remove-AzResourceGroup](/powershell/module/az.resources/remove-azresourcegroup):

+```azurepowershell-interactive

+Remove-AzResourceGroup -Name myRGFD

+```

+## Next steps

+To learn how to add a custom domain to your Front Door, continue to the Front Door tutorials.

+> [!div class="nextstepaction"]

+> [Add a custom domain](front-door-custom-domain.md)

+Azure IoT Hub Device Provisioning Service (DPS) SDKs help you build backend and device applications that leverage DPS to provide zero-touch, just-in-time provisioning to one or more IoT hubs. The SDKs are published in a variety of popular languages and handle the underlying transport and security protocols between your devices or backend apps and DPS, freeing developers to focus on application development. Additionally, using the SDKs provides you with support for future updates to DPS, including security updates.

+There are three categories of software development kits (SDKs) for working with DPS:

+- [DPS service SDKs](#service-sdks) provide data plane operations for backend apps. You can use the service SDKs to create and manage individual enrollments and enrollment groups, and to query and manage device registration records.

+- [DPS management SDKs](#management-sdks) provide control plane operations for backend apps. You can use the management SDKs to create and manage DPS instances and metadata. For example, to create and manage DPS instances in your subscription, to upload and verify certificates with a DPS instance, or to create and manage authorization policies or allocation policies in a DPS instance.

+- [DPS device SDKs](#device-sdks) provide data plane operations for devices. You use the device SDK to provision a device through DPS.

+Azure IoT SDKs are also available for the following

+- [IoT Hub SDKs](../iot-hub/iot-hub-devguide-sdks.md): To help you build devices and backend apps that communicate with Azure IoT Hub.

+- [Device Update for IoT Hub SDKs](../iot-hub-device-update/understand-device-update.md): To help you deploy over-the-air (OTA) updates for IoT devices.

+- [IoT Plug and Play SDKs](../iot-develop/libraries-sdks.md): To help you build IoT Plug and Play solutions.

+The DPS device SDKs provide code that runs on your IoT devices and simplifies provisioning with DPS.

+The DPS service SDKs help you build backend applications to manage enrollments and registration records in DPS instances.

+The DPS management SDKs help you build backend applications that manage the DPS instances and their metadata in your Azure subscription.

+| .NET|[NuGet](https://www.nuget.org/packages/Microsoft.Azure.Management.DeviceProvisioningServices) |[GitHub](https://github.com/Azure/azure-sdk-for-net/tree/main/sdk/deviceprovisioningservices/Microsoft.Azure.Management.DeviceProvisioningServices)| [Reference](/dotnet/api/overview/azure/deviceprovisioningservice/management) |

+| Java|[Maven](https://mvnrepository.com/artifact/com.azure.resourcemanager/azure-resourcemanager-deviceprovisioningservices) |[GitHub](https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/deviceprovisioningservices/azure-resourcemanager-deviceprovisioningservices)| [Reference](/java/api/com.azure.resourcemanager.deviceprovisioningservices) |

+The Device Provisioning Service documentation provides [tutorials](how-to-legacy-device-symm-key.md) and [additional samples](quick-create-simulated-device-tpm.md) that you can use to try out the SDKs and libraries.

+In this tutorial, you'll learn how to provision groups of IoT devices that use X.509 certificates for authentication. Sample device code from the [Azure IoT C SDK](https://github.com/Azure/azure-iot-sdk-c) will be executed on your development machine to simulate provisioning of X.509 devices. On real devices, device code would be deployed and run from the IoT device.

+You'll use an enrollment group to provision a set of devices that authenticate using X.509 certificates. To learn how to provision a set of devices using [symmetric keys](./concepts-symmetric-key-attestation.md), see [How to provision devices using symmetric key enrollment groups](how-to-legacy-device-symm-key.md). If you're unfamiliar with the process of autoprovisioning, review the [provisioning](about-iot-dps.md#provisioning-process) overview.

+This tutorial uses the [custom HSM sample](https://github.com/Azure/azure-iot-sdk-c/tree/master/provisioning_client/samples/custom_hsm_example), which provides a stub implementation for interfacing with hardware-based secure storage. A [Hardware Security Module (HSM)](./concepts-service.md#hardware-security-module) is used for secure, hardware-based storage of device secrets. An HSM can be used with symmetric key, X.509 certificate, or TPM attestation to provide secure storage for secrets. Hardware-based storage of device secrets isn't required, but strongly recommended to help protect sensitive information like your device certificate's private key.

+In this tutorial you'll complete the following objectives:

+>

+* If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio) before you begin.

+* Complete the steps in [Set up IoT Hub Device Provisioning Service with the Azure portal](./quick-setup-auto-provision.md).

+* Install [Visual Studio](https://visualstudio.microsoft.com/vs/) 2022 with the ['Desktop development with C++'](/cpp/ide/using-the-visual-studio-ide-for-cpp-desktop-development) workload enabled. Visual Studio 2015, Visual Studio 2017, and Visual Studio 19 are also supported.

+* Install the latest [CMake build system](https://cmake.org/download/). Make sure you check the option that adds the CMake executable to your path.

+ >[!IMPORTANT]

+ >Confirm that the Visual Studio prerequisites (Visual Studio and the 'Desktop development with C++' workload) are installed on your machine, **before** starting the `CMake` installation. Once the prerequisites are in place, and the download is verified, install the CMake build system. Also, be aware that older versions of the CMake build system fail to generate the solution file used in this article. Make sure to use the latest version of CMake.

+* Install the latest version of [Git](https://git-scm.com/download/). Make sure that Git is added to the environment variables accessible to the command window. See [Software Freedom Conservancy's Git client tools](https://git-scm.com/download/) for the latest version of `git` tools to install, which includes *Git Bash*, the command-line app that you can use to interact with your local Git repository.

+* Make sure [OpenSSL](https://www.openssl.org/) is installed on your machine. On Windows, your installation of Git includes an installation of OpenSSL. You can access OpenSSL from the Git Bash prompt. To verify that OpenSSL is installed, open a Git Bash prompt and enter `openssl version`.

+ >[!NOTE]

+ > Unless you're familiar with OpenSSL and already have it installed on your Windows machine, we recommend using OpenSSL from the Git Bash prompt. Alternatively, you can choose to download the source code and build OpenSSL. To learn more, see the [OpenSSL Downloads](https://www.openssl.org/source/) page. Or, you can download OpenSSL pre-built from a third-party. To learn more, see the [OpenSSL wiki](https://wiki.openssl.org/index.php/Binaries). Microsoft makes no guarantees about the validity of packages downloaded from third-parties. If you do choose to build or download OpenSSL make sure that the OpenSSL binary is accessible in your path and that the `OPENSSL_CNF` environment variable is set to the path of your *openssl.cnf* file.

+* Open both a Windows command prompt and a Git Bash prompt.

+ The steps in this tutorial assume that you're using a Windows machine and the OpenSSL installation that is installed as part of Git. You'll use the Git Bash prompt to issue OpenSSL commands and the Windows command prompt for everything else. If you're using Linux, you can issue all commands from a Bash shell.

+In this section, you'll prepare a development environment used to build the [Azure IoT C SDK](https://github.com/Azure/azure-iot-sdk-c). The SDK includes sample code and tools used by X.509 devices provisioning with DPS.

+1. Open a web browser, and go to the [Release page of the Azure IoT C SDK](https://github.com/Azure/azure-iot-sdk-c/releases/latest).

+2. Select the **Tags** tab at the top of the page.

+3. Copy the tag name for the latest release of the Azure IoT C SDK.

+4. In your Windows command prompt, run the following commands to clone the latest release of the [Azure IoT C SDK](https://github.com/Azure/azure-iot-sdk-c) GitHub repository. Replace `<release-tag>` with the tag you copied in the previous step.

+ ```cmd

+ This operation could take several minutes to complete.

+5. When the operation is complete, run the following commands from the `azure-iot-sdk-c` directory:

+ ```cmd

+6. The code sample uses an X.509 certificate to provide attestation via X.509 authentication. Run the following command to build a version of the SDK specific to your development platform that includes the device provisioning client. A Visual Studio solution for the simulated device is generated in the `cmake` directory.

+ When specifying the path used with `-Dhsm_custom_lib` in the command below, make sure to use the absolute path to the library in the `cmake` directory you previously created. The path shown below assumes that you cloned the C SDK in the root directory of the C drive. If you used another directory, adjust the path accordingly.

+ cmake -Duse_prov_client:BOOL=ON -Dhsm_custom_lib=c:/azure-iot-sdk-c/cmake/provisioning_client/samples/custom_hsm_example/Debug/custom_hsm_example.lib ..

+ >[!TIP]

+ >If `cmake` doesn't find your C++ compiler, you may get build errors while running the above command. If that happens, try running the command in the [Visual Studio command prompt](/dotnet/framework/tools/developer-command-prompt-for-vs).

+7. When the build succeeds, the last few output lines look similar to the following output:

+ ```output

+ cmake -Duse_prov_client:BOOL=ON -Dhsm_custom_lib=c:/azure-iot-sdk-c/cmake/provisioning_client/samples/custom_hsm_example/Debug/custom_hsm_example.lib ..

+ -- Building for: Visual Studio 17 2022

+ -- Selecting Windows SDK version 10.0.19041.0 to target Windows 10.0.22000.

+ -- The C compiler identification is MSVC 19.32.31329.0

+ -- The CXX compiler identification is MSVC 19.32.31329.0

+

+ -- Build files have been written to: C:/azure-iot-sdk-c/cmake

+[Root certificate](concepts-x509-attestation.md#root-certificate): You'll complete [proof of possession](how-to-verify-certificates.md) to verify the root certificate. This verification will enable DPS to trust that certificate and verify certificates signed by it.

+[Device certificates](concepts-x509-attestation.md#end-entity-leaf-certificate): The device (leaf) certificates will be signed by the intermediate certificate and stored on the device along with its private key. Ideally these sensitive items would be stored securely with an HSM. Each device will present its certificate and private key, along with the certificate chain when attempting provisioning.

+### Set up the X.509 OpenSSL environment

+In this section, you'll create the Openssl configuration files, directory structure, and other files used by the Openssl commands.

+1. In your Git Bash command prompt, navigate to a folder where you want to generate the X.509 certificates and keys you'll use in this tutorial.

+1. Create an OpenSSL configuration file for your root CA certificate. OpenSSL configuration files contain policies and definitions that are consumed by OpenSSL commands. Copy and paste the following text into a file named *openssl_root_ca.cnf*:

+ ```text

+ # OpenSSL root CA configuration file.

+ [ ca ]

+ default_ca = CA_default

+ [ CA_default ]

+ # Directory and file locations.

+ dir = .

+ certs = $dir/certs

+ crl_dir = $dir/crl

+ new_certs_dir = $dir/newcerts

+ database = $dir/index.txt

+ serial = $dir/serial

+ RANDFILE = $dir/private/.rand

+ # The root key and root certificate.

+ private_key = $dir/private/azure-iot-test-only.root.ca.key.pem

+ certificate = $dir/certs/azure-iot-test-only.root.ca.cert.pem

+ # For certificate revocation lists.

+ crlnumber = $dir/crlnumber

+ crl = $dir/crl/azure-iot-test-only.intermediate.crl.pem

+ crl_extensions = crl_ext

+ default_crl_days = 30

+ # SHA-1 is deprecated, so use SHA-2 instead.

+ default_md = sha256

+ name_opt = ca_default

+ cert_opt = ca_default

+ default_days = 375

+ preserve = no

+ policy = policy_loose

+ [ policy_strict ]

+ # The root CA should only sign intermediate certificates that match.

+ countryName = optional

+ stateOrProvinceName = optional

+ organizationName = optional

+ organizationalUnitName = optional

+ commonName = supplied

+ emailAddress = optional

+ [ policy_loose ]

+ # Allow the intermediate CA to sign a more diverse range of certificates.

+ countryName = optional

+ stateOrProvinceName = optional

+ localityName = optional

+ organizationName = optional

+ organizationalUnitName = optional

+ commonName = supplied

+ emailAddress = optional

+ [ req ]

+ default_bits = 2048

+ distinguished_name = req_distinguished_name

+ string_mask = utf8only

+ # SHA-1 is deprecated, so use SHA-2 instead.

+ default_md = sha256

+ # Extension to add when the -x509 option is used.

+ x509_extensions = v3_ca

+ [ req_distinguished_name ]

+ # See <https://en.wikipedia.org/wiki/Certificate_signing_request>.

+ countryName = Country Name (2 letter code)

+ stateOrProvinceName = State or Province Name

+ localityName = Locality Name

+ 0.organizationName = Organization Name

+ organizationalUnitName = Organizational Unit Name

+ commonName = Common Name

+ emailAddress = Email Address

+ # Optionally, specify some defaults.

+ countryName_default = US

+ stateOrProvinceName_default = WA

+ localityName_default =

+ 0.organizationName_default = My Organization

+ organizationalUnitName_default =

+ emailAddress_default =

+ [ v3_ca ]

+ # Extensions for a typical CA.

+ subjectKeyIdentifier = hash

+ authorityKeyIdentifier = keyid:always,issuer

+ basicConstraints = critical, CA:true

+ keyUsage = critical, digitalSignature, cRLSign, keyCertSign

+ [ v3_intermediate_ca ]

+ # Extensions for a typical intermediate CA.

+ subjectKeyIdentifier = hash

+ authorityKeyIdentifier = keyid:always,issuer

+ basicConstraints = critical, CA:true

+ keyUsage = critical, digitalSignature, cRLSign, keyCertSign

+ [ usr_cert ]

+ # Extensions for client certificates.

+ basicConstraints = CA:FALSE

+ nsComment = "OpenSSL Generated Client Certificate"

+ subjectKeyIdentifier = hash

+ authorityKeyIdentifier = keyid,issuer

+ keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment

+ extendedKeyUsage = clientAuth

+ [ server_cert ]

+ # Extensions for server certificates.

+ basicConstraints = CA:FALSE

+ nsComment = "OpenSSL Generated Server Certificate"

+ subjectKeyIdentifier = hash

+ authorityKeyIdentifier = keyid,issuer:always

+ keyUsage = critical, digitalSignature, keyEncipherment

+ extendedKeyUsage = serverAuth

+ [ crl_ext ]

+ # Extension for CRLs.

+ authorityKeyIdentifier=keyid:always

+ [ ocsp ]

+ # Extension for OCSP signing certificates.

+ basicConstraints = CA:FALSE

+ subjectKeyIdentifier = hash

+ authorityKeyIdentifier = keyid,issuer

+ keyUsage = critical, digitalSignature

+ extendedKeyUsage = critical, OCSPSigning

+ ```

+1. Create an OpenSSL configuration file to use for intermediate and device certificates. Copy and paste the following text into a file named *openssl_device_intermediate_ca.cnf*:

+ ```text

+ # OpenSSL root CA configuration file.

+ [ ca ]

+ default_ca = CA_default

+ [ CA_default ]

+ # Directory and file locations.

+ dir = .

+ certs = $dir/certs

+ crl_dir = $dir/crl

+ new_certs_dir = $dir/newcerts

+ database = $dir/index.txt

+ serial = $dir/serial

+ RANDFILE = $dir/private/.rand

+ # The root key and root certificate.

+ private_key = $dir/private/azure-iot-test-only.intermediate.key.pem

+ certificate = $dir/certs/azure-iot-test-only.intermediate.cert.pem

+ # For certificate revocation lists.

+ crlnumber = $dir/crlnumber

+ crl = $dir/crl/azure-iot-test-only.intermediate.crl.pem

+ crl_extensions = crl_ext

+ default_crl_days = 30

+ # SHA-1 is deprecated, so use SHA-2 instead.

+ default_md = sha256

+ name_opt = ca_default

+ cert_opt = ca_default

+ default_days = 375

+ preserve = no

+ policy = policy_loose

+ [ policy_strict ]

+ # The root CA should only sign intermediate certificates that match.

+ countryName = optional

+ stateOrProvinceName = optional

+ organizationName = optional

+ organizationalUnitName = optional

+ commonName = supplied

+ emailAddress = optional

+ [ policy_loose ]

+ # Allow the intermediate CA to sign a more diverse range of certificates.

+ countryName = optional

+ stateOrProvinceName = optional

+ localityName = optional

+ organizationName = optional

+ organizationalUnitName = optional

+ commonName = supplied

+ emailAddress = optional

+ [ req ]

+ default_bits = 2048

+ distinguished_name = req_distinguished_name

+ string_mask = utf8only

+ # SHA-1 is deprecated, so use SHA-2 instead.

+ default_md = sha256

+ # Extension to add when the -x509 option is used.

+ x509_extensions = v3_ca

+ [ req_distinguished_name ]

+ # See <https://en.wikipedia.org/wiki/Certificate_signing_request>.

+ countryName = Country Name (2 letter code)

+ stateOrProvinceName = State or Province Name

+ localityName = Locality Name

+ 0.organizationName = Organization Name

+ organizationalUnitName = Organizational Unit Name

+ commonName = Common Name

+ emailAddress = Email Address

+ # Optionally, specify some defaults.

+ countryName_default = US

+ stateOrProvinceName_default = WA

+ localityName_default =

+ 0.organizationName_default = My Organization

+ organizationalUnitName_default =

+ emailAddress_default =

+ [ v3_ca ]

+ # Extensions for a typical CA.

+ subjectKeyIdentifier = hash

+ authorityKeyIdentifier = keyid:always,issuer

+ basicConstraints = critical, CA:true

+ keyUsage = critical, digitalSignature, cRLSign, keyCertSign

+ [ v3_intermediate_ca ]

+ # Extensions for a typical intermediate CA.

+ subjectKeyIdentifier = hash

+ authorityKeyIdentifier = keyid:always,issuer

+ basicConstraints = critical, CA:true

+ keyUsage = critical, digitalSignature, cRLSign, keyCertSign

+ [ usr_cert ]

+ # Extensions for client certificates.

+ basicConstraints = CA:FALSE

+ nsComment = "OpenSSL Generated Client Certificate"

+ subjectKeyIdentifier = hash

+ authorityKeyIdentifier = keyid,issuer

+ keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment

+ extendedKeyUsage = clientAuth

+ [ server_cert ]

+ # Extensions for server certificates.

+ basicConstraints = CA:FALSE

+ nsComment = "OpenSSL Generated Server Certificate"

+ subjectKeyIdentifier = hash

+ authorityKeyIdentifier = keyid,issuer:always

+ keyUsage = critical, digitalSignature, keyEncipherment

+ extendedKeyUsage = serverAuth

+ [ crl_ext ]

+ # Extension for CRLs.

+ authorityKeyIdentifier=keyid:always

+ [ ocsp ]

+ # Extension for OCSP signing certificates.

+ basicConstraints = CA:FALSE

+ subjectKeyIdentifier = hash

+ authorityKeyIdentifier = keyid,issuer

+ keyUsage = critical, digitalSignature

+ extendedKeyUsage = critical, OCSPSigning

+ ```

+1. Create the directory structure, the database file (index.txt), and the serial number file (serial) used by OpenSSL commands in this article:

+ ```bash

+ mkdir certs csr newcerts private

+ touch index.txt

+ openssl rand -hex 16 > serial

+ ```

+### Create the root CA certificate

+Run the following commands to create the root CA private key and the root CA certificate. You'll use this certificate and key to sign your intermediate certificate.

+1. Create the root CA private key:

+ ```bash

+ openssl genrsa -aes256 -passout pass:1234 -out ./private/azure-iot-test-only.root.ca.key.pem 4096

+ ```

+1. Create the root CA certificate:

+ # [Windows](#tab/windows)

+ ```bash

+ openssl req -new -x509 -config ./openssl_root_ca.cnf -passin pass:1234 -key ./private/azure-iot-test-only.root.ca.key.pem -subj '//CN=Azure IoT Hub CA Cert Test Only' -days 30 -sha256 -extensions v3_ca -out ./certs/azure-iot-test-only.root.ca.cert.pem

+ ```

+ > [!IMPORTANT]

+ > The extra forward slash given for the subject name (`//CN=Azure IoT Hub CA Cert Test Only`) is only required to escape the string with Git on Windows platforms.

+ # [Linux](#tab/linux)

+ ```bash

+ openssl req -new -x509 -config ./openssl_root_ca.cnf -passin pass:1234 -key ./private/azure-iot-test-only.root.ca.key.pem -subj '/CN=Azure IoT Hub CA Cert Test Only' -days 30 -sha256 -extensions v3_ca -out ./certs/azure-iot-test-only.root.ca.cert.pem

+ ```

+

+1. Examine the root CA certificate:

+ ```bash

+ openssl x509 -noout -text -in ./certs/azure-iot-test-only.root.ca.cert.pem

+ ```

+ Observe that the **Issuer** and the **Subject** are both the root CA.

+ 1d:93:13:0e:54:07:95:1d:8c:57:4f:12:14:b9:5e:5f:15:c3:a9:d4

+ Signature Algorithm: sha256WithRSAEncryption

+ Issuer: CN = Azure IoT Hub CA Cert Test Only

+ Not Before: Jun 20 22:52:23 2022 GMT

+ Not After : Jul 20 22:52:23 2022 GMT

+ Subject: CN = Azure IoT Hub CA Cert Test Only

+ Subject Public Key Info:

+ Public Key Algorithm: rsaEncryption

+ RSA Public-Key: (4096 bit)

+ ```

+### Create the intermediate CA certificate

+Run the following commands to create the intermediate CA private key and the intermediate CA certificate. You'll use this certificate and key to sign your device certificate(s).

+1. Create the intermediate CA private key:

+ ```bash

+ openssl genrsa -aes256 -passout pass:1234 -out ./private/azure-iot-test-only.intermediate.key.pem 4096

+ ```

+1. Create the intermediate CA certificate signing request (CSR):

+ # [Windows](#tab/windows)

+ ```bash

+ openssl req -new -sha256 -passin pass:1234 -config ./openssl_device_intermediate_ca.cnf -subj '//CN=Azure IoT Hub Intermediate Cert Test Only' -key ./private/azure-iot-test-only.intermediate.key.pem -out ./csr/azure-iot-test-only.intermediate.csr.pem

+ ```

+ > [!IMPORTANT]

+ > The extra forward slash given for the subject name (`//CN=Azure IoT Hub Intermediate Cert Test Only`) is only required to escape the string with Git on Windows platforms.

+ # [Linux](#tab/linux)

+ ```bash

+ openssl req -new -sha256 -passin pass:1234 -config ./openssl_device_intermediate_ca.cnf -subj '/CN=Azure IoT Hub Intermediate Cert Test Only' -key ./private/azure-iot-test-only.intermediate.key.pem -out ./csr/azure-iot-test-only.intermediate.csr.pem

+ ```

+

+1. Sign the intermediate certificate with the root CA certificate

+ ```bash

+ openssl ca -batch -config ./openssl_root_ca.cnf -passin pass:1234 -extensions v3_intermediate_ca -days 30 -notext -md sha256 -in ./csr/azure-iot-test-only.intermediate.csr.pem -out ./certs/azure-iot-test-only.intermediate.cert.pem

+ ```

+1. Examine the intermediate CA certificate:

+ ```bash

+ openssl x509 -noout -text -in ./certs/azure-iot-test-only.intermediate.cert.pem

+ ```

+ Observe that the **Issuer** is the root CA, and the **Subject** is the intermediate CA.

+ Serial Number:

+ d9:55:87:57:41:c8:4c:47:6c:ee:ba:83:5d:ae:db:39

+ Signature Algorithm: sha256WithRSAEncryption

+ Issuer: CN = Azure IoT Hub CA Cert Test Only

+ Not Before: Jun 20 22:54:01 2022 GMT

+ Not After : Jul 20 22:54:01 2022 GMT

+ Subject: CN = Azure IoT Hub Intermediate Cert Test Only

+ Subject Public Key Info:

+ Public Key Algorithm: rsaEncryption

+ RSA Public-Key: (4096 bit)

+ ```

+### Create the device certificates

+In this section you create the device certificates and the full chain device certificates. The full chain certificate contains the device certificate, the intermediate CA certificate, and the root CA certificate. The device must present its full chain certificate when it registers with DPS.

+1. Create the device private key.

+ ```bash

+ openssl genrsa -out ./private/device-01.key.pem 4096

+1. Create the device certificate CSR.

+ The subject common name (CN) of the device certificate must be set to the [Registration ID](./concepts-service.md#registration-id) that your device will use to register with DPS. The registration ID is a case-insensitive string (up to 128 characters long) of alphanumeric characters plus the special characters: `'-'`, `'.'`, `'_'`, `':'`. The last character must be alphanumeric or dash (`'-'`). The common name must adhere to this format. For group enrollments, the registration ID is also used as the device ID in IoT Hub. The subject common name is set in the `-subj` parameter in the following command.

+ # [Windows](#tab/windows)

+ ```bash

+ openssl req -config ./openssl_device_intermediate_ca.cnf -key ./private/device-01.key.pem -subj '//CN=device-01' -new -sha256 -out ./csr/device-01.csr.pem

+ ```

+ > [!IMPORTANT]

+ > The extra forward slash given for the subject name (`//CN=device-01`) is only required to escape the string with Git on Windows platforms.

+ # [Linux](#tab/linux)

+ ```bash

+ openssl req -config ./openssl_device_intermediate_ca.cnf -key ./private/device-01.key.pem -subj '/CN=device-01' -new -sha256 -out ./csr/device-01.csr.pem

+ ```

+

+1. Sign the device certificate.

+ ```bash

+ openssl ca -batch -config ./openssl_device_intermediate_ca.cnf -passin pass:1234 -extensions usr_cert -days 30 -notext -md sha256 -in ./csr/device-01.csr.pem -out ./certs/device-01.cert.pem

+ ```

+1. Examine the device certificate:

+ ```bash

+ openssl x509 -noout -text -in ./certs/device-01.cert.pem

+ ```

+ Observe that the **Issuer** is the intermediate CA, and the **Subject** is the device registration ID, `device-01`.

+ Serial Number:

+ d9:55:87:57:41:c8:4c:47:6c:ee:ba:83:5d:ae:db:3a

+ Signature Algorithm: sha256WithRSAEncryption

+ Issuer: CN = Azure IoT Hub Intermediate Cert Test Only

+ Not Before: Jun 20 22:55:39 2022 GMT

+ Not After : Jul 20 22:55:39 2022 GMT

+ Subject: CN = device-01

+ Subject Public Key Info:

+ Public Key Algorithm: rsaEncryption

+ RSA Public-Key: (4096 bit)

+ ```

+1. The device must present the full certificate chain when it authenticates with DPS.

+ ```bash

+ cat ./certs/device-01.cert.pem ./certs/azure-iot-test-only.intermediate.cert.pem ./certs/azure-iot-test-only.root.ca.cert.pem > ./certs/device-01-full-chain.cert.pem

+ ```

+ Use a text editor and open the certificate chain file, *./certs/device-01-full-chain.cert.pem*. The certificate chain text contains the full chain of all three certificates. You'll use this text as the certificate chain with in the custom HSM device code later in this tutorial for `device-01`.

+ ```output

+1. To create the private key, X.509 certificate, and full chain certificate for the second device, copy and paste this script into your GitBash command prompt. To create additional devices, you can modify the `registration_id` variable declared at the beginning of the script.

+ registration_id=device-02

+ echo $registration_id

+ openssl genrsa -out ./private/${registration_id}.key.pem 4096

+ openssl req -config ./openssl_device_intermediate_ca.cnf -key ./private/${registration_id}.key.pem -subj "//CN=$registration_id" -new -sha256 -out ./csr/${registration_id}.csr.pem

+ openssl ca -batch -config ./openssl_device_intermediate_ca.cnf -passin pass:1234 -extensions usr_cert -days 30 -notext -md sha256 -in ./csr/${registration_id}.csr.pem -out ./certs/${registration_id}.cert.pem

+ cat ./certs/${registration_id}.cert.pem ./certs/azure-iot-test-only.intermediate.cert.pem ./certs/azure-iot-test-only.root.ca.cert.pem > ./certs/${registration_id}-full-chain.cert.pem

+ >[!NOTE]

+ > This script uses the registration ID as the base filename for the private key and certificate files. If your registration ID contains characters that aren't valid filename characters, you'll need to modify the script accordingly.

+ > The text for the certificates only contains public key information.

+ > However, the device must also have access to the private key for the device certificate. This is necessary because the device must perform verification using that key at runtime when it attempts to provision. The sensitivity of this key is one of the main reasons it is recommended to use hardware-based storage in a real HSM to help secure private keys.

+You'll use the following files in the rest of this tutorial:

+| Certificate | File | Description |

+| - | | - |

+| root CA certificate. | *certs/azure-iot-test-only.root.ca.cert.pem* | Will be uploaded to DPS and verified. |

+| intermediate CA certificate | *certs/azure-iot-test-only.intermediate.cert.pem* | Will be used to create an enrollment group in DPS. |

+| device-01 private key | *private/device-01.key.pem* | Used by the device to verify ownership of the device certificate during authentication with DPS. |

+| device-01 full chain certificate | *certs/device-01-full-chain.cert.pem* | Presented by the device to authenticate and register with DPS. |

+| device-02 private key | *private/device-02.key.pem* | Used by the device to verify ownership of the device certificate during authentication with DPS. |

+| device-02 full chain certificate | *certs/device-01-full-chain.cert.pem* | Presented by the device to authenticate and register with DPS. |

+For DPS to be able to validate the device's certificate chain during authentication, you must upload and verify ownership of the root CA certificate. Because you created the root CA certificate in the last section, you'll auto-verify that it's valid when you upload it. Alternatively, you can do manual verification of the certificate if you're using a CA certificate from a 3rd-party. To learn more about verifying CA certificates, see [How to do proof-of-possession for X.509 CA certificates with your Device Provisioning Service](how-to-verify-certificates.md).

+To add the root CA certificate, follow these steps:

+1. Sign in to the Azure portal, select the **All resources** button on the left-hand menu and open your Device Provisioning Service.

+1. Open **Certificates** from the left-hand menu and then select **+ Add** at the top of the panel to add a new certificate.

+1. Enter a friendly display name for your certificate. Browse to the location of the root CA certificate file `certs/azure-iot-test-only.root.ca.cert.pem`. Select **Upload**.

+1. Select the box next to **Set certificate status to verified on upload*.

+ :::image type="content" source="./media/tutorial-custom-hsm-enrollment-group-x509/add-root-certificate.png" alt-text="Screenshot that shows adding adding the root C A certificate and the set certificate status to verified on upload box selected.":::

+1. Select **Save**.

+1. Make sure your certificate is shown in the certificate tab with a status of *Verified*.

+

+ :::image type="content" source="./media/tutorial-custom-hsm-enrollment-group-x509/verify-root-certificate.png" alt-text="Screenshot that shows the verified root C A certificate in the list of certificates.":::

+> It's also possible to use OpenSSL instead of secure channel (Schannel) with the C SDK. For more information on using OpenSSL, see [Using OpenSSL in the SDK](https://github.com/Azure/azure-iot-sdk-c/blob/master/doc/devbox_setup.md#using-openssl-in-the-sdk).

+1. In a Git bash prompt, convert your signing certificates to `.pfx` as follows.

+ root CA certificate:

+ openssl pkcs12 -inkey ./private/azure-iot-test-only.root.ca.key.pem -in ./certs/azure-iot-test-only.root.ca.cert.pem -export -passin pass:1234 -passout pass:1234 -out ./certs/root.pfx

+ intermediate CA certificate:

+ openssl pkcs12 -inkey ./private/azure-iot-test-only.intermediate.key.pem -in ./certs/azure-iot-test-only.intermediate.cert.pem -export -passin pass:1234 -passout pass:1234 -out ./certs/intermediate.pfx

+1. From your DPS in Azure portal, select the **Manage enrollments** tab. then select the **Add enrollment group** button at the top.

+1. In the **Add Enrollment Group** panel, enter the following information, then select **Save**.

+ :::image type="content" source="./media/tutorial-custom-hsm-enrollment-group-x509/custom-hsm-enrollment-group-x509.png" alt-text="Screenshot that shows adding an enrollment group in the portal.":::

+ :::image type="content" source="./media/tutorial-custom-hsm-enrollment-group-x509/copy-id-scope.png" alt-text="Screenshot that shows the ID scope on the DPS overview pane.":::

+3. In Solution Explorer for Visual Studio, navigate to **Provision_Samples > prov_dev_client_sample > Source Files** and open *prov_dev_client_sample.c*.

+6. Save your changes.

+7. Right-click the **prov\_dev\_client\_sample** project and select **Set as Startup Project**.

+The specifics of interacting with actual secure hardware-based storage vary depending on the device hardware. The certificate chains used by the simulated devices in this tutorial will be hardcoded in the custom HSM stub code. In a real-world scenario, the certificate chain would be stored in the actual HSM hardware to provide better security for sensitive information. Methods similar to the stub methods used in this sample would then be implemented to read the secrets from that hardware-based storage.

+While HSM hardware isn't required, it is recommended to protect sensitive information, like the certificate's private key. If an actual HSM was being called by the sample, the private key wouldn't be present in the source code. Having the key in the source code exposes the key to anyone that can view the code. This is only done in this article to assist with learning.

+To update the custom HSM stub code to simulate the identity of the device with ID `device-01`, perform the following steps:

+1. In Solution Explorer for Visual Studio, navigate to **Provision_Samples > custom_hsm_example > Source Files** and open *custom_hsm_example.c*.

+ static const char* const COMMON_NAME = "device-01";

+3. Update the string value of the `CERTIFICATE` constant string using the certificate chain you saved in *./certs/device-01-full-chain.cert.pem* after generating your certificates.

+ Updating this string value manually can be prone to error. To generate the proper syntax, you can copy and paste the following command into your **Git Bash prompt**, and press **ENTER**. This command will generate the syntax for the `CERTIFICATE` string constant value and write it to the output.

+ sed -e 's/^/"/;$ !s/$/""\\n"/;$ s/$/"/' ./certs/device-01-full-chain.cert.pem

+ Copy and paste the output certificate text for the constant value.

+4. Update the string value of the `PRIVATE_KEY` constant with the private key for your device certificate.

+ Updating this string value manually can be prone to error. To generate the proper syntax, you can copy and paste the following command into your **Git Bash prompt**, and press **ENTER**. This command will generate the syntax for the `PRIVATE_KEY` string constant value and write it to the output.

+ sed -e 's/^/"/;$ !s/$/""\\n"/;$ s/$/"/' ./private/device-01.key.pem

+ Copy and paste the output private key text for the constant value.

+5. Save your changes.

+6. Right-click the **custom_hsm_-_example** project and select **Build**.

+ > [!IMPORTANT]

+ > You must build the **custom_hsm_example** project before you build the rest of the solution in the next section.

+### Run the sample

+1. On the Visual Studio menu, select **Debug** > **Start without debugging** to run the solution. When prompted to rebuild the project, select **Yes** to rebuild the project before running.

+ The following output is an example of simulated device `device-01` successfully booting up, and connecting to the provisioning service. The device was assigned to an IoT hub and registered:

+ ```output

+ Provisioning API Version: 1.8.0

+ Registration Information received from service: contoso-hub-2.azure-devices.net, deviceId: device-01

+1. Repeat the steps in [Configure the custom HSM stub code](#configure-the-custom-hsm-stub-code) for your second device (`device-02`) and run the sample again. Use the following values for that device:

+ | Common name | `"device-02"` |

+ | Full certificate chain | Generate the text using *./certs/device-02-full-chain.cert.pem* |

+ | Private key | Generate the text using *./private/device-02.key.pem* |

+ The following output is an example of simulated device `device-02` successfully booting up, and connecting to the provisioning service. The device was assigned to an IoT hub and registered:

+ ```output

+ Provisioning API Version: 1.8.0

+ Registration Information received from service: contoso-hub-2.azure-devices.net, deviceId: device-02

+## Confirm your device provisioning registration

+Examine the registration records of the enrollment group to see the registration details for your devices:

+1. In Azure portal, go to your Device Provisioning Service.

+1. In the **Settings** menu, select **Manage enrollments**.

+1. Select **Enrollment Groups**. The X.509 enrollment group entry that you created previously, *custom-hsm-devices*, should appear in the list.

+1. Select the enrollment entry. Then select the **Registration Records** tab to see the devices that have been registered through the enrollment group. The IoT hub that each of your devices was assigned to, their device IDs, and the dates and times they were registered appear in the list.

+ :::image type="content" source="./media/tutorial-custom-hsm-enrollment-group-x509/enrollment-group-registration-records.png" alt-text="Screenshot that shows the registration records tab for the enrollment group on Azure portal.":::

+1. You can select one of the devices to see further details for that device.

+To verify the devices on your IoT hub:

+1. In Azure portal, go to the IoT hub that your device was assigned to.

+1. In the **Device management** menu, select **Devices**.

+1. If your devices were provisioned successfully, their device IDs, *device-01* and *device-02*, should appear in the list, with **Status** set as *enabled*. If you don't see your devices, select **Refresh**.

+ :::image type="content" source="./media/tutorial-custom-hsm-enrollment-group-x509/hub-provisioned-custom-hsm-x509-device.png" alt-text="Screenshot that shows the devices are registered with the I o T hub in Azure portal.":::

+1. From the left-hand menu in the Azure portal, select **All resources** and then select your Device Provisioning Service. Open **Manage Enrollments** for your service, and then select the **Enrollment Groups** tab. Select the check box next to the *Group Name* of the device group you created in this tutorial, and press the **Delete** button at the top of the pane.

+Note that the Windows versions on both the container and host must match. For more information, see [Could not start module due to OS mismatch](troubleshoot-common-errors.md#could-not-start-module-due-to-os-mismatch).

+<!-- 1.1 -->

+## Could not start module due to OS mismatch

+ **Observed behavior:**

+The edgeHub module fails to start in IoT Edge version 1.1.

+**Root cause:**

+Windows module uses a version of Windows that is incompatible with the version of Windows on the host. IoT Edge Windows version 1809 build 17763 is needed as the base layer for the module image, but a different version is in use.

+**Resolution:**

+Check the version of your various Windows operating systems in [Troubleshoot host and container image mismatches](/virtualization/windowscontainers/deploy-containers/update-containers#troubleshoot-host-and-container-image-mismatches). If the operating systems are different, update them to IoT Edge Windows version 1809 build 17763 and rebuild the Docker image used for that module.

+<!-- end 1.1 -->

+* **Receive twin notifications**. This operation allows the solution back end to be notified when the twin is modified. To do so, your IoT solution needs to create a route and to set the Data Source equal to *twinChangeEvents*. By default, no such route exists, so no twin notifications are sent. If the rate of change is too high, or for other reasons such as internal failures, the IoT Hub might send only one notification that contains all changes. Therefore, if your application needs reliable auditing and logging of all intermediate states, you should use device-to-cloud messages. To learn more about the properties and body returned in the twin notification message, see [Non-telemetry event schemas](iot-hub-non-telemetry-event-schema.md).

+IoT Hub can notify your IoT solution when a device identity is created or deleted by sending lifecycle notifications. To do so, your IoT solution needs to create a route and to set the Data Source equal to *DeviceLifecycleEvents*. By default, no lifecycle notifications are sent, that is, no such routes pre-exist. By creating a route with Data Source equal to *DeviceLifecycleEvents*, lifecycle events will be sent for both device identities and module identities; however, the message contents will differ depending on whether the events are generated for module identities or device identities. It should be noted that for IoT Edge modules, the module identity creation flow is different than for other modules, as a result for IoT Edge modules the create notification is only sent if the corresponding IoT Edge Device for the updated IoT Edge module identity is running. For all other modules, lifecycle notifications are sent whenever the module identity is updated on the IoT Hub side. To learn more about the properties and body returned in the notification message, see [Non-telemetry event schemas](iot-hub-non-telemetry-event-schema.md).

+* To learn how to create and read IoT Hub messages in various programming languages, see the [Quickstarts](../iot-develop/quickstart-send-telemetry-iot-hub.md?pivots=programming-language-nodejs).

+* To learn about the structure of non-telemetry events generated by IoT Hub, see [IoT Hub non-telemetry event schemas](iot-hub-non-telemetry-event-schema.md).

+* **Receive twin notifications**. This operation allows the solution back end to be notified when the twin is modified. To do so, your IoT solution needs to create a route and to set the Data Source equal to *twinChangeEvents*. By default, no such route exists, so no twin notifications are sent. If the rate of change is too high, or for other reasons such as internal failures, the IoT Hub might send only one notification that contains all changes. Therefore, if your application needs reliable auditing and logging of all intermediate states, you should use device-to-cloud messages. To learn more about the properties and body returned in the twin notification message, see [Non-telemetry event schemas](iot-hub-non-telemetry-event-schema.md).

+ Title: Azure IoT Hub non-telemetry event schemas

+description: This article provides the properties and schema for Azure IoT Hub non-telemetry events. It lists the available event types, an example event, and event properties.

+# Azure IoT Hub non-telemetry event schemas

+This article provides the properties and schemas for non-telemetry events emitted by Azure IoT Hub. Non-telemetry events are different from device-to-cloud and cloud-to-device messages in that they are emitted directly by IoT Hub in response to specific kinds of state changes associated with your devices. For example, lifecycle changes like a device or module being created or deleted, or connection state changes like a device or module connecting or disconnecting. To observe non-telemetry events, you must have an appropriate message route configured. To learn more about IoT Hub message routing, see [IoT Hub message routing](iot-hub-devguide-messages-d2c.md).

+## Available event types

+Azure IoT Hub emits the non-telemetry events in the following categories:

+| Event category | Description |

+| - | -- |

+| Device connection state events | Emitted when a device connects to or disconnects from an IoT hub. |

+| Device lifecycle events | Emitted when a device or module is created on or deleted from an IoT hub. |

+| Device twin change events | Emitted when a device or module twin is changed or replaced. |

+| Digital twin change events | Emitted when a device or module's digital twin is changed or replaced. |

+## Common event properties

+Non-telemetry events share several common properties.

+### System properties

+The following system properties are set by IoT Hub on each event.

+| Property | Type |Description | Keyword for routing query |

+| -- | - | - | - |

+| content-encoding | string | utf-8 | $contentEncoding |

+| content-type | string | application/json | $contentType |

+| correlation-id | string | A unique ID that identifies the event. | $correlationId |

+| user-id | string | The name of IoT Hub that generated the event. | $userId |

+| iothub-connection-device-id | string | The device ID. | $connectionDeviceId |

+| iothub-connection-module-id | string | The module ID. This property is output only for module life cycle and twin events. | $connectionModuleId |

+| iothub-enqueuedtime | number | Date and time when the notification was sent. In routing queries, use an [ISO8601](https://en.wikipedia.org/wiki/ISO_8601) timestamp; for example, `$enqueuedTime > "2022-06-06T22:56:06Z"` | $enqueuedTime |

+| iothub-message-source | string | The event category that identifies the message source. For example, *deviceLifecycleEvents*. | N/A |

+### Application properties

+The following application properties are set by IoT Hub on each event.

+| Property | Type |Description |

+| -- | - | - |

+| deviceId | string | The device ID. |

+| hubName | string | The name of the IoT Hub that generated the event. |

+| iothub-message-schema | string | The message schema associated with the event category; for example, *deviceLifecycleNotification*. |

+| moduleId | string | The module ID. This property is output only for module lifecycle and twin change events. |

+| operationTimestamp | string | The [ISO8601](https://en.wikipedia.org/wiki/ISO_8601) timestamp of the operation. |

+| opType | string | The identifier for the operation that generated the event. For example, *createDeviceIdentity* or *deleteDeviceIdentity*. |

+In routing queries, use the property name. For example, `deviceId = "my-device"`.

+## Connection state events

+Connection state events are emitted whenever a device or module connects or disconnects from the IoT hub.

+**Application properties**: The following table shows how application properties are set for connection state events:

+| Property | Value |

+| - | -- |

+| iothub-message-schema | deviceConnectionStateNotification |

+| opType | One of the following values: deviceConnected, deviceDisconnected, moduleConnected, or moduleDisconnected. |

+**System properties**: The following table shows how system properties are set for connection state events:

+| Property | Value |

+| - | -- |

+| iothub-message-source | deviceConnectionStateEvents |

+**Body**: The body contains a sequence number. The sequence number is a string representation of a hexadecimal number. You can use string compare to identify the larger number. If you're converting the string to hex, then the number will be a 256-bit number. The sequence number is strictly increasing, and the latest event will have a higher number than other events. This is useful if you have frequent device connects and disconnects, and want to ensure only the latest event is used to trigger a downstream action.

+### Example

+The following JSON shows a device connection state event emitted when a device disconnects.

+```json

+{

+ "event": {

+ "origin": "contoso-device-1",

+ "module": "",

+ "interface": "",

+ "component": "",

+ "properties": {

+ "system": {

+ "content_encoding": "utf-8",

+ "content_type": "application/json",

+ "correlation_id": "98dcbcf6-3398-c488-c62c-06330e65ea98",

+ "user_id": "contoso-routing-hub"

+ },

+ "application": {

+ "hubName": "contoso-routing-hub",

+ "deviceId": "contoso-device-1",

+ "opType": "deviceDisconnected",

+ "iothub-message-schema": "deviceConnectionStateNotification",

+ "operationTimestamp": "2022-06-01T18:43:04.5561024Z"

+ }

+ },

+ "annotations": {

+ "iothub-connection-device-id": "contoso-device-1",

+ "iothub-enqueuedtime": 1654109018051,

+ "iothub-message-source": "deviceConnectionStateEvents",

+ "x-opt-sequence-number": 72,

+ "x-opt-offset": "37344",

+ "x-opt-enqueued-time": 1654109018176

+ },

+ "payload": {

+ "sequenceNumber": "000000000000000001D8713FF7E0851400000002000000000000000000000007"

+ }

+ }

+}

+```

+## Device lifecycle events

+Device lifecycle events are emitted whenever a device or module is created or deleted from the identity registry. For more detail about when device lifecycle events are generated, see [Device and module lifecycle notifications](iot-hub-devguide-identity-registry.md#device-and-module-lifecycle-notifications).

+**Application properties**: The following table shows how application properties are set for device lifecycle events:

+| Property | Value |

+| - | -- |

+| iothub-message-schema | deviceLifecycleNotification |

+| opType | One of the following values: createDeviceIdentity, deleteDeviceIdentity, createModuleIdentity, or deleteModuleIdentity. |

+**System properties**: The following table shows how system properties are set for device lifecycle events:

+| Property | Value |

+| - | -- |

+| iothub-message-source | deviceLifecycleEvents |

+**Body**: The body contains a representation of the device twin or module twin. It includes the device ID and module ID, the twin etag, the version property, and the tags, properties and associated metadata of the twin.

+### Example

+The following JSON shows a device lifecycle event emitted when a module is created. The event is captured using the `az iot hub monitor-events` Azure CLI command.

+```json

+{

+ "event": {

+ "origin": "contoso-device-2",

+ "module": "module-1",

+ "interface": "",

+ "component": "",

+ "properties": {

+ "system": {

+ "content_encoding": "utf-8",

+ "content_type": "application/json",

+ "correlation_id": "c5a4e6986c",

+ "user_id": "contoso-routing-hub"

+ },

+ "application": {

+ "hubName": "contoso-routing-hub",

+ "deviceId": "contoso-device-2",

+ "operationTimestamp": "2022-05-27T18:49:38.4904785Z",

+ "moduleId": "module-1",

+ "opType": "createModuleIdentity",

+ "iothub-message-schema": "moduleLifecycleNotification"

+ }

+ },

+ "annotations": {

+ "iothub-connection-device-id": "contoso-device-2",

+ "iothub-connection-module-id": "module-1",

+ "iothub-enqueuedtime": 1653677378534,

+ "iothub-message-source": "deviceLifecycleEvents",

+ "x-opt-sequence-number": 62,

+ "x-opt-offset": "31768",

+ "x-opt-enqueued-time": 1653677378643

+ },

+ "payload": {

+ "deviceId": "contoso-device-2",

+ "moduleId": "module-1",

+ "etag": "AAAAAAAAAAE=",

+ "version": 2,

+ "properties": {

+ "desired": {

+ "$metadata": {

+ "$lastUpdated": "0001-01-01T00:00:00Z"

+ },

+ "$version": 1

+ },

+ "reported": {

+ "$metadata": {

+ "$lastUpdated": "0001-01-01T00:00:00Z"

+ },

+ "$version": 1

+ }

+ }

+ }

+ }

+}

+```

+## Device twin change events

+Device twin change events are emitted whenever a device twin or a module twin is updated or replaced. In some cases, several changes may be packaged in a single event. To learn more, see [Device twin backend operations](iot-hub-devguide-device-twins.md#back-end-operations) or [Module twin backend operations](iot-hub-devguide-module-twins.md#back-end-operations).

+**Application properties**: The following table shows how application properties are set for device twin change events:

+| Property | Value |

+| - | -- |

+| iothub-message-schema | twinChangeNotification |

+| opType | One of the following values: replaceTwin or updateTwin. |

+**System properties**: The following table shows how system properties are set for device twin change events:

+| Property | Value |

+| - | -- |

+| iothub-message-source | twinChangeEvents |

+**Body**: On an update, the body contains the version property of the twin and the updated tags and properties and their associated metadata. On a replace, the body contains the device ID and module ID, the twin etag, the version property, and all the tags, properties and associated metadata of the device or module twin.

+### Example

+The following JSON shows a twin change event emitted for an update of a desired property and a tag on a module twin. The event is captured using the `az iot hub monitor-events` Azure CLI command.

+```json

+{

+ "event": {

+ "origin": "contoso-device-3",

+ "module": "module-1",

+ "interface": "",

+ "component": "",

+ "properties": {

+ "system": {

+ "content_encoding": "utf-8",

+ "content_type": "application/json",

+ "correlation_id": "4d1f1e2e74f",

+ "user_id": "contoso-routing-hub"

+ },

+ "application": {

+ "hubName": "contoso-routing-hub",

+ "deviceId": "contoso-device-3",

+ "operationTimestamp": "2022-06-01T22:27:50.2612586Z",

+ "moduleId": "module-1",

+ "iothub-message-schema": "twinChangeNotification",

+ "opType": "updateTwin"

+ }

+ },

+ "annotations": {

+ "iothub-connection-device-id": "contoso-device-3",

+ "iothub-connection-module-id": "module-1",

+ "iothub-enqueuedtime": 1654122470282,

+ "iothub-message-source": "twinChangeEvents",

+ "x-opt-sequence-number": 17,

+ "x-opt-offset": "12352",

+ "x-opt-enqueued-time": 1654122470329

+ },

+ "payload": {

+ "version": 7,

+ "tags": {

+ "tag1": "new value"

+ },

+ "properties": {

+ "desired": {

+ "property1": "new value",

+ "$metadata": {

+ "$lastUpdated": "2022-06-01T22:27:50.2612586Z",

+ "$lastUpdatedVersion": 6,

+ "property1": {

+ "$lastUpdated": "2022-06-01T22:27:50.2612586Z",

+ "$lastUpdatedVersion": 6

+ }

+ },

+ "$version": 6

+ }

+ }

+ }

+ }

+}

+```

+## Next steps

+- To learn about message routing, see [IoT Hub message routing](iot-hub-devguide-messages-d2c.md).

+- To learn how to add queries to your message routes, see [IoT Hub message routing query syntax](iot-hub-devguide-routing-query-syntax.md).

+- To learn about the structure of device-to-cloud and cloud-to-device messages, see [Create and read IoT Hub messages](iot-hub-devguide-messages-construct.md).

+Use [message routing](iot-hub-devguide-messages-d2c.md) in Azure IoT Hub to send telemetry data from your IoT devices to Azure services such as blob storage, Service Bus Queues, Service Bus Topics, and Event Hubs.

+The [az monitor metrics](/cli/azure/monitor/metrics/) command is used to view Azure resource metrics. To see the metric definitions available for a Standard Load Balancer, you run the [az monitor metrics list-definitions](/cli/azure/monitor/metrics#az-monitor-metrics-list-definitions) command.

+To retrieve Standard Load Balancer metrics for a resource, you can use the [az monitor metrics list](/cli/azure/monitor/metrics#az-monitor-metrics-list) command. For example, use the `--metric DipAvailability` option to collect the Health Probe Status metric from a Standard Load Balancer.

+To send resource logs to a Log Analytics workspace, enter these commands. Replace the bracketed values with your values:

+To send resource logs to a storage account, enter these commands. Replace the bracketed values with your values:

+To send resource logs to an event hub namespace, enter these commands. Replace the bracketed values with your values:

+To send resource logs to a Log Analytics workspace, enter these commands. Replace the bracketed values with your values:

+To send resource logs to a storage account, enter these commands. Replace the bracketed values with your values:

+To send resource logs to an event hub namespace, enter these commands. Replace the bracketed values with your values:

+* Use the [Azure portal](quickstart-create-resources.md) for a point-and-click interface to walk you through each step.

+* A Machine Learning workspace. See [Create workspace resources](quickstart-create-resources.md).

+* An Azure Machine Learning workspace. See [Create workspace resources](quickstart-create-resources.md).

+* An Azure Machine Learning workspace. To create the workspace, see [Create workspace resources](quickstart-create-resources.md).

+* An Azure Machine Learning workspace. To create the workspace, see [Create workspace resources](quickstart-create-resources.md).

+* An Azure Machine Learning workspace. To create the workspace, see [Create workspace resources](quickstart-create-resources.md).

+# Set up AutoML to train a natural language processing model (preview)

+* An Azure Machine Learning workspace with a GPU training compute. To create the workspace, see [Create workspace resources](quickstart-create-resources.md). See [GPU optimized virtual machine sizes](../virtual-machines/sizes-gpu.md) for more details of GPU instances provided by Azure.

+* An Azure Machine Learning workspace with a GPU training compute. To create the workspace, see [Create workspace resources](quickstart-create-resources.md). See [GPU optimized virtual machine sizes](../virtual-machines/sizes-gpu.md) for more details of GPU instances provided by Azure.

+Unlike multi-class or multi-label, which takes `.csv` format datasets, named entity recognition requires CoNLL format. The file must contain exactly two columns and in each row, the token and the label is separated by a single space.

+* An Azure Machine Learning workspace. For more information, see the [Create workspace resources](quickstart-create-resources.md) article.

+* An Azure Machine Learning workspace. To create the workspace, see [Create workspace resources](quickstart-create-resources.md).

+* An Azure Machine Learning workspace. To create the workspace, see [Create workspace resources](quickstart-create-resources.md).

+Azure Machine Learning workspace. To create one, use the steps in the [Create workspace resources](quickstart-create-resources.md) article.

+- An Azure Machine Learning workspace. [Create workspace resources](quickstart-create-resources.md).

+* An [Azure Machine Learning workspace](quickstart-create-resources.md)

+> This code snippet expects the workspace configuration json file to be saved in the current directory or its parent. For more information on creating a workspace, see [Create workspace resources](quickstart-create-resources.md). For more information on saving the configuration to file, see [Create a workspace configuration file](how-to-configure-environment.md#workspace).

+- An Azure Machine Learning workspace. [Create workspace resources](quickstart-create-resources.md).

+- [Install and set up the Azure CLI extension for Machine Learning](how-to-configure-cli.md).

+* An Azure Machine Learning workspace[Create workspace resources](quickstart-create-resources.md).

+* [Install and set up the Azure CLI extension for Machine Learning](how-to-configure-cli.md).

+* An Azure Machine Learning workspace. [Create workspace resources](quickstart-create-resources.md).

+* An Azure Machine Learning workspace. [Create workspace resources](quickstart-create-resources.md).

+* [Create an Azure Machine Learning workspace](quickstart-create-resources.md).

+- An Azure Machine Learning workspace. For more information, see [Create workspace resources](quickstart-create-resources.md).

+- An Azure Machine Learning workspace. For more information, see [Create workspace resources](quickstart-create-resources.md).

+- An [Azure Machine Learning workspace](quickstart-create-resources.md).

+* An Azure Machine Learning workspace. For more information, see [Create an Azure Machine Learning workspace](quickstart-create-resources.md).

+> This code snippet expects the workspace configuration to be saved in the current directory or its parent. For more information on creating a workspace, see [Create workspace resources](quickstart-create-resources.md). For more information on saving the configuration to file, see [Create a workspace configuration file](how-to-configure-environment.md#workspace).

+- An Azure Machine Learning workspace. For more information, see [Create workspace resources](quickstart-create-resources.md).

+* An Azure Machine Learning workspace. For more information, see [Create workspace resources](quickstart-create-resources.md).

+* [An Azure Machine Learning workspace](quickstart-create-resources.md)

+* Create an [Azure Machine Learning workspace](quickstart-create-resources.md) to hold all your pipeline resources

+- An [Azure Machine Learning workspace](quickstart-create-resources.md).

+* An Azure Machine Learning workspace. To create the workspace, see [Create workspace resources](quickstart-create-resources.md).

+* [Create an Azure Machine Learning workspace](quickstart-create-resources.md).

+* Follow the steps to create an [Azure Machine Learning workspace](quickstart-create-resources.md) and [create your first pipeline](./how-to-create-machine-learning-pipelines.md)

+* An [Azure Machine Learning workspace](quickstart-create-resources.md).

+* A Machine Learning workspace. [Create workspace resources](quickstart-create-resources.md).

+- An [Azure Machine Learning Workspace](quickstart-create-resources.md).

+* An [Azure Machine Learning workspace](quickstart-create-resources.md).

+ * [Create an Azure Machine Learning workspace](quickstart-create-resources.md).

+ Either [create an Azure Machine Learning workspace](quickstart-create-resources.md) or use an existing one via the Python SDK. Import the `Workspace` and `Datastore` class, and load your subscription information from the file `config.json` using the function `from_config()`. This function looks for the JSON file in the current directory by default, but you can also specify a path parameter to point to the file using `from_config(path="your/file/path")`.

+- An Azure Machine Learning workspace in the source subscription. For more information, see [Create workspace resources](quickstart-create-resources.md).

+* A Machine Learning workspace. See [Create workspace resources](quickstart-create-resources.md).

+* [Create an Azure Machine Learning Workspace](quickstart-create-resources.md).

+* An [Azure Machine Learning workspace](quickstart-create-resources.md).

+- An [Azure Machine Learning workspace](quickstart-create-resources.md).

+* An Azure Machine Learning workspace. See [Create workspace resources](quickstart-create-resources.md).

+* An Azure Machine Learning workspace. See [Create workspace resources](quickstart-create-resources.md).

+* An Azure Machine Learning workspace. To create the workspace, see [Create workspace resources](quickstart-create-resources.md).

+* An Azure Machine Learning workspace. See [Create workspace resources](quickstart-create-resources.md).

+* An [Azure Machine Learning workspace](quickstart-create-resources.md)

+* A Machine Learning workspace. See [Create workspace resources](quickstart-create-resources.md).

+- An Azure Machine Learning workspace. For more information, see [Create workspace resources](quickstart-create-resources.md).

+- An Azure Machine Learning workspace. For more information, see [Create workspace resources](quickstart-create-resources.md).

+* [Create an Azure Machine Learning Workspace](quickstart-create-resources.md).

+* [Create an Azure Machine Learning Workspace](quickstart-create-resources.md).

+* An Azure Machine Learning workspace. See [Create workspace resources](quickstart-create-resources.md).

+ * An [Azure Machine Learning workspace](quickstart-create-resources.md)

+* Create an [Azure Machine Learning workspace](quickstart-create-resources.md) to hold all your pipeline resources.

+- An [Azure Machine Learning workspace](concept-workspace.md). Retrieve an existing one by running the following code, or [create a new workspace](quickstart-create-resources.md).

+4. [Create an Azure Machine Learning workspace](quickstart-create-resources.md).

+- An Azure Machine Learning workspace. [Create workspace resources](quickstart-create-resources.md).

+- An Azure Machine Learning workspace. [Create workspace resources](quickstart-create-resources.md).

+- An Azure Machine Learning workspace. [Create workspace resources](quickstart-create-resources.md).

+- An Azure Machine Learning workspace. [Create workspace resources](quickstart-create-resources.md).

+The [architecture](v1/concept-azure-machine-learning-architecture.md) was redesigned for ease of use. Instead of multiple Azure resources and accounts, you only need an [Azure Machine Learning Workspace](concept-workspace.md). You can create workspaces quickly in the [Azure portal](quickstart-create-resources.md). By using a workspace, multiple users can store training and deployment compute targets, model experiments, Docker images, deployed models, and so on.

+All the latest capabilities are available by using this <a href="/python/api/overview/azure/ml/intro" target="_blank">SDK</a>, the [CLI](v1/reference-azure-machine-learning-cli.md), and the [Azure portal](quickstart-create-resources.md).

+The Azure Machine Learning studio is supported on Microsoft Edge, Chrome, and Firefox browsers only:

+[](./media/overview-what-happened-to-workbench/jobs-experiments.png#lightbox)

+* An Azure Machine Learning workspace. See [Create workspace resources](quickstart-create-resources.md).

+You need an Azure Machine Learning workspace to use the designer. The workspace is the top-level resource for Azure Machine Learning, it provides a centralized place to work with all the artifacts you create in Azure Machine Learning. For instruction on creating a workspace, see [Create workspace resources](quickstart-create-resources.md).

+> Learn more about [Azure ML logging](/azure/machine-learning/how-to-use-mlflow-cli-runs).

+- An Azure Machine Learning workspace. If you don't already have a workspace, see [Create workspace resources](quickstart-create-resources.md).

+* [Create an Azure Machine Learning workspace](../quickstart-create-resources.md)

+ Either [create an Azure Machine Learning workspace](../quickstart-create-resources.md) or use an existing one via the Python SDK.

+* An Azure Machine Learning workspace. For more information, see [Create workspace resources](../quickstart-create-resources.md).

+* An Azure Machine Learning workspace. To create the workspace, see [Create workspace resources](../quickstart-create-resources.md).

+* An Azure Machine Learning workspace with a GPU training compute. To create the workspace, see [Create workspace resources](../quickstart-create-resources.md). See [GPU optimized virtual machine sizes](../../virtual-machines/sizes-gpu.md) for more details of GPU instances provided by Azure.

+Unlike multi-class or multi-label, which takes `.csv` format datasets, named entity recognition requires CoNLL format. The file must contain exactly two columns and in each row, the token and the label is separated by a single space.

+* An Azure Machine Learning workspace. To create the workspace, see [Create workspace resources](../quickstart-create-resources.md).

+* An [Azure Machine Learning workspace](../quickstart-create-resources.md).

+* An [Azure Machine Learning workspace](../quickstart-create-resources.md).

+* An [Azure Machine Learning workspace](../quickstart-create-resources.md)

+- An Azure Machine Learning workspace. For more information, see [Create workspace resources](../quickstart-create-resources.md).

+* [Create an Azure Machine Learning Workspace](../quickstart-create-resources.md).

+> This code snippet expects the workspace configuration to be saved in the current directory or its parent. For more information on creating a workspace, see [Create workspace resources](../quickstart-create-resources.md). For more information on saving the configuration to file, see [Create a workspace configuration file](../how-to-configure-environment.md#workspace).

+| Incorrect column name | 400| The name of the column in the query is incorrect. Recheck the column name by calling the ΓÇ£Get All DatasetsΓÇ¥ API or refer to the column names in the following tables:<br><ul><li>[Orders details table](orders-dashboard.md#orders-details-table)</li><li>[Usage details table](usage-dashboard.md#usage-details-table)</li><li>[Customer details table](customer-dashboard.md#customer-details-table)</li><li>[Marketplace insights details table](insights-dashboard.md#marketplace-insights-details-table)</li><li>[Revenue dashboard](revenue-dashboard.md)</li><li>[Quality of Service dashboard](quality-of-service-dashboard.md)</li><li>[Customer retention dashboard](customer-retention-dashboard.md#dictionary-of-data-terms)</li></UL> |

+**I receive API response 200 when I download the report from the secure location. Why am I getting no records?**

+- [Revenue dashboard](revenue-dashboard.md)

+- [Quality of Service dashboard](quality-of-service-dashboard.md)

+- [Customer retention dashboard](customer-retention-dashboard.md#dictionary-of-data-terms)

+For Azure Application Managed Apps plans, the `resourceUri` is the Managed Application `resourceId`. An example script for fetching it can be found in [using the Azure-managed identities token](marketplace-metering-service-authentication.md#using-the-azure-managed-identities-token).

+**Storage vMotion** | Supported.

+**VMware vSphere ESXI host** | Version 5.5, 6.0, 6.5, 6.7 or 7.0.

+ - List some of the commonly occurring replication errors and suggest steps to remediate them.

+ 1. Navigate to the "Replicating machines" page by selecting **Replicating servers** in the Server Migration tile.

+ 1. You'll see a list of replicating servers along with additional information such as status, health, last sync time, etc. The health column indicates the current replication health of the VM. A 'Critical' or 'Warning' value in the health column typically indicates that the previous replication cycle for the VM failed. To get more details, right-click on the VM, and select **Error Details**. The Error Details page contains information on the error and additional details on how to troubleshoot. You'll also see a "Recent Events" link that can be used to navigate to the events page for the VM.

+ 1. Select **Recent Events** to see the previous replication cycle failures for the VM. In the events page, look for the most recent event of type *Replication cycle failed* or *Replication cycle failed* for disk" for the VM.

+ 1. Select the event to understand the possible causes of the error and recommended remediation steps. Use the information provided to troubleshoot and remediate the error.

+**Error:** ΓÇ£Key Vault operation failed. Operation: Configure managed storage account, Key Vault: Key-vault-name, Storage Account: storage account name failed with the error:ΓÇ¥

+**Error:** ΓÇ£Key Vault operation failed. Operation: Generate shared access signature definition, Key Vault: Key-vault-name, Storage Account: storage account name failed with the error:ΓÇ¥

+When the portal creates the key vault, it also adds a user access policy granting the currently logged in user permissions to configure storage accounts to be Key Vault managed. This can fail for two reasons

+- The logged in user is a remote principal on the customer's Azure tenant (CSP subscription - and the logged in user is the partner admin). The work-around in this case is to delete the key vault, sign out from the portal, and then sign in with a user account from the customer's tenant (not a remote principal) and retry the operation. The CSP partner will typically have a user account in the customers Azure Active Directory tenant that they can use. If not, they can create a new user account for themselves in the customers Azure Active Directory tenant, sign in to the portal as the new user, and then retry the replicate operation. The account used must have either Owner or Contributor+User Access Administrator permissions granted to the account on the resource group (Migrate project resource group)

+- The other case where this may happen is when one user (user1) attempted to set up replication initially and encountered a failure, but the key vault has already been created (and user access policy appropriately assigned to this user). Now at a later point a different user (user2) tries to set up replication, but the Configure Managed Storage Account or Generate SAS definition operation fails as there's no user access policy corresponding to user2 in the key vault.

+**Resolution**: To work around this issue, create a user access policy for user2 in the keyvault granting user2 permission to configure managed storage account and generate SAS definitions. User2 can do this from Azure PowerShell using the below cmdlets:

+Set-AzureRmKeyVaultAccessPolicy -VaultName "keyvaultname" -ObjectId $userPrincipalId -PermissionsToStorage get, list, delete, set, update, regeneratekey, getsas, listsas, deletesas, setsas, recover, back up, restore, purge

+- The gateway service is experiencing connectivity issues to Service Bus/Event hubs/Appliance Storage account.

+ 1. Sign in to the Azure Migrate appliance using remote desktop and do the following.

+ 2. Open the Microsoft services MMC snap-in (run > services.msc), and check if the "Microsoft Azure Gateway Service" is running. If the service is stopped or not running, start the service. Alternatively, you can open command prompt or PowerShell and enter 'Net Start asrgwy'.

+ 3. Search for your storage account in the Azure portal. Ensure that the subscription you use to search is the same subscription (target subscription) in which the storage account is created. Go to Containers in the Blob Service section. Select **+Container** and create a Container. Leave Public Access Level to default selected value.

+ 4. Go to Shared Access Signature under Settings. Select Container in **Allowed Resource Type**.Select Generate SAS and connection string. Copy the SAS value.

+ Alternatively, [download](https://go.microsoft.com/fwlink/?linkid=2138967) the Azure Storage Explore on to the appliance and try to upload 10 blobs of ~64 MB into the storage accounts. If there's no issue, the upload should be successful.

+ This test checks if the Azure Migrate appliance can communicate to the Azure Migrate Cloud Service backend. The appliance communicates to the service backend through Service Bus and Event Hubs message queues. To validate connectivity from the appliance to the Service Bus, [download](https://go.microsoft.com/fwlink/?linkid=2139104) the Service Bus Explorer, try to connect to the appliance Service Bus and perform send message/receive message. If there's no issue, this should be successful.

+ 1. Copy the connection string from the Service Bus that got created in the Migrate Project.

+ 2. Open the Service Bus Explorer.

+ 3. Go to File then Connect.

+ 4. Paste the connection string and select **Connect**.

+ 5. This will open Service Bus Name Space.

+ 6. Select Snapshot Manager. Right-click on Snapshot Manager, select **Receive Messages** > **peek**, and select **OK**.

+ 7. If the connection is successful, you'll see "[x] messages received" on the console output. If the connection isn't successful, you'll see a message stating that the connection failed.

+ - In the output, check the field "_TcpTestSucceeded_". If the value is "_True_", there's no connectivity issue between the Azure Migrate Appliance and the Azure Key Vault. If the value is "False", there's a connectivity issue.

+**Error Message:** The upload of data for disk DiskPath, DiskId of virtual machine VMName; VMId didn't complete within the expected time.

+- The replication gateway service on the appliance isn't running.

+- The replication gateway service is experiencing connectivity issues to one of the following Azure service components that are used for replication: Service Bus/Event Hubs/Azure cache Storage Account/Azure Key Vault.

+ 1. Sign in to the Azure Migrate appliance using remote desktop and do the following.

+ 2. Open the Microsoft services MMC snap-in (run > services.msc), and check if the "Microsoft Azure Gateway Service" is running. If the service is stopped or not running, start the service. Alternatively, you can open command prompt or PowerShell and enter 'Net Start asrgwy'.

+ 3. Search for your storage account in the Azure portal. Ensure that the subscription you use to search is the same subscription (target subscription) in which the storage account is created. Go to Containers in the Blob Service section. Select **+Container** and create a Container. Leave Public Access Level to default selected value.

+ 4. Go to **Settings** > **Shared Access Signature**. Select Container in **Allowed Resource Type**. Select Generate SAS and connection string. Copy the SAS value.

+ Alternatively, [download](https://go.microsoft.com/fwlink/?linkid=2138967) the Azure Storage Explore on to the appliance and try to upload 10 blobs of ~64 MB into the storage accounts. If there's no issue, the upload should be successful.

+ This test will check whether the Azure Migrate appliance can communicate to the Azure Migrate Cloud Service backend. The appliance communicates to the service backend through Service Bus and Event Hubs message queues. To validate connectivity from the appliance to the Service Bus, [download](https://go.microsoft.com/fwlink/?linkid=2139104) the Service Bus Explorer, try to connect to the appliance Service Bus and perform send message/receive message. If there's no issue, this should be successful.

+ 1. Copy the connection string from the Service Bus that got created in the Resource Group corresponding to Azure Migrate Project.

+ 1. Open Service Bus Explorer.

+ 1. Go to **File** > **Connect**.

+ 1. Paste the connection string you copied in step 1, and select **Connect**.

+ 1. Select Snapshot Manager in namespace. Right-click on Snapshot Manager, select **Receive Messages** > **peek**, and select OK.

+ 1. In the output, check the field "_TcpTestSucceeded_". If the value is "_True_", there's no connectivity issue between the Azure Migrate Appliance and the Azure Key Vault. If the value is "False", there's a connectivity issue.

+- If you had opted for "Automatically repair replication" by selecting "Yes" when you triggered replication of VM, the tool will try to repair it for you. Right-click on the VM, and select **Repair Replication**.

+- If you didn't opt for "Automatically repair replication" or the above step didn't work for you, then stop replication for the virtual machine, [reset changed block tracking](https://go.microsoft.com/fwlink/?linkid=2139203) on the virtual machine, and then reconfigure replication.

+One such known issue that may cause a CBT reset of virtual machine on VMware vSphere 5.5 is described in [VMware KB 1020128: Changed Block Tracking](https://kb.vmware.com/s/article/1020128) is reset after a storage vMotion operation in vSphere 5.x. If you are on VMware vSphere 5.5, ensure that you apply the updates described in this KB.

+1. Press Windows + R and open services.msc. Select **Microsoft Azure Gateway Service**, and stop it.

+2. Alternatively, you can open command prompt or PowerShell and enter 'Net Stop asrgwy'. Ensure you wait until you get the message that service is no longer running.

+1. Press Windows + R, open services.msc. Right-click on **Microsoft Azure Gateway Service**, and start it.

+2. Alternatively, you can open command prompt or PowerShell and enter 'Net Start asrgwy'.

+This happens when ESXi hosts can't connect to the network. Follow the resolution given in the [VMware KB](https://kb.vmware.com/s/article/1004109).

+**Error Message:** VM: 'VMName'. Error: No disksnapshots were found for the snapshot replication with snapshot ID: 'SnapshotID'.

+- One or more included disks is no longer attached to the VM.

+- Restore the included disks to the original path using storage vMotion and try replication again.

+- [Review](./agent-based-migration-architecture.md) the migration architecture.

+- [Review](/site-recovery/migrate-tutorial-windows-server-2008.md#limitations-and-known-issues) the limitations related to migrating Windows Server 2008 servers to Azure.

+- Support for Storage vMotion during replication for agentless VMware VM migrations.

+This article provides the necessary details that allow you to secure outbound traffic from your Azure Red Hat OpenShift cluster (ARO). With the release of the [Egress Lockdown Feature](./concepts-egress-lockdown.md), all of the required connections for a private cluster will be proxied through the service. There are additional destinations that you may want to allow to use features such as Operator Hub, or Red Hat telemetry. An [example](#private-aro-cluster-setup) will be provided at the end on how to configure these requirements with Azure Firewall. Keep in mind, you can apply this information to Azure Firewall or to any outbound restriction method or appliance.

+## Minimum Required FQDN - Proxied through ARO service

+The following FQDNs are proxied through the service, and will not need additional firewall rules. They are here for informational purposes.

+| **`*.monitor.core.windows.net`** | **HTTPS:443** | This is used for Microsoft Geneva Monitoring so that the ARO team can monitor the customer's cluster(s). |

+| **`*.monitoring.core.windows.net`** | **HTTPS:443** | This is used for Microsoft Geneva Monitoring so that the ARO team can monitor the customer's cluster(s). |

+## List of optional FQDNs

+### INSTALLING AND DOWNLOADING PACKAGES AND TOOLS

+- **`registry.redhat.io`**: Used to provide images for things such as Operator Hub.

+### TELEMETRY

+- **`cert-api.access.redhat.com`**: Used for Red Hat telemetry.

+- **`api.access.redhat.com`**: Used for Red Hat telemetry.

+- **`infogw.api.openshift.com`**: Used for Red Hat telemetry.

+- **`https://cloud.redhat.com/api/ingress`**: Use in the cluster for the insights operator who integrates with Red Hat Insights.

+### OTHER POSSIBLE OPENSHIFT REQUIREMENTS

+- **`quay.io`**: May be used to download images from the Red Hat managed Quay registry. Also a possible fall-back target for ARO required system images.

+- **`mirror.openshift.com`**: Required to access mirrored installation content and images. This site is also a source of release image signatures.

+- **`*.apps.<cluster_name>.<base_domain>`** (OR EQUIVALENT ARO URL): When allowlisting domains, this is used in your corporate network to reach applications deployed in OpenShift, or to access the OpenShift console.

+- **`api.openshift.com`**: Used by the cluster for release graph parsing. https://access.redhat.com/labs/ocpupgradegraph/ can be used as an alternative.

+Example rule for telemetry to work. Additional possibilities can be found on this [list](https://docs.openshift.com/container-platform/4.3/installing/install_config/configuring-firewall.html#configuring-firewall_configuring-firewall):

+ --target-fqdns 'cert-api.access.redhat.com' 'api.openshift.com' 'api.access.redhat.com' 'infogw.api.openshift.com'

+Log in to a jumpbox VM and install `azure-cli`, `oc-cli`, and `jq` utils. For the installation of openshift-cli, check the Red Hat customer portal.

+### Log in to the ARO cluster

+ Title: Row level security ΓÇô Hyperscale (Citus) - Azure Database for PostgreSQL

+description: Multi-tenant security through database roles

+# Row-level security in Hyperscale (Citus)

+PostgreSQL [row-level security

+policies](https://www.postgresql.org/docs/current/ddl-rowsecurity.html)

+restrict which users can modify or access which table rows. Row-level security

+can be especially useful in a multi-tenant Hyperscale (Citus) server group. It

+allows individual tenants to have full SQL access to the database while hiding

+each tenantΓÇÖs information from other tenants.

+## Implementing for multi-tenant apps

+We can implement the separation of tenant data by using a naming convention for

+database roles that ties into table row-level security policies. WeΓÇÖll assign

+each tenant a database role in a numbered sequence: `tenant1`, `tenant2`,

+etc. Tenants will connect to Citus using these separate roles. Row-level

+security policies can compare the role name to values in the `tenant_id`

+distribution column to decide whether to allow access.

+Here's how to apply the approach on a simplified events table distributed by

+`tenant_id`. First [create the roles](howto-create-users.md) `tenant1` and

+`tenant2`. Then run the following SQL commands as the `citus` administrator

+user:

+```postgresql

+CREATE TABLE events(

+ tenant_id int,

+ id int,

+ type text

+);

+SELECT create_distributed_table('events','tenant_id');

+INSERT INTO events VALUES (1,1,'foo'), (2,2,'bar');

+-- assumes that roles tenant1 and tenant2 exist

+GRANT select, update, insert, delete

+ ON events TO tenant1, tenant2;

+```

+As it stands, anyone with select permissions for this table can see both rows.

+Users from either tenant can see and update the row of the other tenant. We can

+solve the data leak with row-level table security policies.

+Each policy consists of two clauses: USING and WITH CHECK. When a user tries to

+read or write rows, the database evaluates each row against these clauses.

+PostgreSQL checks existing table rows against the expression specified in the

+USING clause, and rows that would be created via INSERT or UPDATE against the

+WITH CHECK clause.

+```postgresql

+-- first a policy for the system admin "citus" user

+CREATE POLICY admin_all ON events

+ TO citus -- apply to this role

+ USING (true) -- read any existing row

+ WITH CHECK (true); -- insert or update any row

+-- next a policy which allows role "tenant<n>" to

+-- access rows where tenant_id = <n>

+CREATE POLICY user_mod ON events

+ USING (current_user = 'tenant' || tenant_id::text);

+ -- lack of CHECK means same condition as USING

+-- enforce the policies

+ALTER TABLE events ENABLE ROW LEVEL SECURITY;

+```

+Now roles `tenant1` and `tenant2` get different results for their queries:

+**Connected as tenant1:**

+```sql

+SELECT * FROM events;

+```

+```

+ΓöîΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓö¼ΓöÇΓöÇΓöÇΓöÇΓö¼ΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÉ

+Γöé tenant_id Γöé id Γöé type Γöé

+Γö£ΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓö╝ΓöÇΓöÇΓöÇΓöÇΓö╝ΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöñ

+Γöé 1 Γöé 1 Γöé foo Γöé

+ΓööΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓö┤ΓöÇΓöÇΓöÇΓöÇΓö┤ΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÿ

+```

+**Connected as tenant2:**

+```sql

+SELECT * FROM events;

+```

+```

+ΓöîΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓö¼ΓöÇΓöÇΓöÇΓöÇΓö¼ΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÉ

+Γöé tenant_id Γöé id Γöé type Γöé

+Γö£ΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓö╝ΓöÇΓöÇΓöÇΓöÇΓö╝ΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöñ

+Γöé 2 Γöé 2 Γöé bar Γöé

+ΓööΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓö┤ΓöÇΓöÇΓöÇΓöÇΓö┤ΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÿ

+```

+```sql

+INSERT INTO events VALUES (3,3,'surprise');

+/*

+ERROR: new row violates row-level security policy for table "events_102055"

+*/

+```

+## Next steps

+Learn how to [create roles](howto-create-users.md) in a Hyperscale (Citus)

+server group.

+ Title: "Quickstart: Assign an Azure role using Bicep - Azure RBAC"

+description: Learn how to grant access to Azure resources for a user at resource group scope using Bicep and Azure role-based access control (Azure RBAC).

+#Customer intent: As a new user, I want to see how to grant access to resources using Bicep so that I can start automating role assignment processes.

+# Quickstart: Assign an Azure role using Bicep

+[Azure role-based access control (Azure RBAC)](overview.md) is the way that you manage access to Azure resources. In this quickstart, you create a resource group and grant a user access to create and manage virtual machines in the resource group. This quickstart uses Bicep to grant the access.

+## Prerequisites

+To assign Azure roles and remove role assignments, you must have:

+- If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+- `Microsoft.Authorization/roleAssignments/write` and `Microsoft.Authorization/roleAssignments/delete` permissions, such as [User Access Administrator](built-in-roles.md#user-access-administrator) or [Owner](built-in-roles.md#owner).

+- To assign a role, you must specify three elements: security principal, role definition, and scope. For this quickstart, the security principal is you or another user in your directory, the role definition is [Virtual Machine Contributor](built-in-roles.md#virtual-machine-contributor), and the scope is a resource group that you specify.

+## Review the Bicep file

+The Bicep file used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/rbac-builtinrole-resourcegroup/). The Bicep file has two parameters and a resources section. In the resources section, notice that it has the three elements of a role assignment: security principal, role definition, and scope.

+The resource defined in the Bicep file is:

+- [Microsoft.Authorization/roleAssignments](/azure/templates/Microsoft.Authorization/roleAssignments)

+## Deploy the Bicep file

+1. Save the Bicep file as **main.bicep** to your local computer.

+1. Deploy the Bicep file using either Azure CLI or Azure PowerShell.

+ # [CLI](#tab/CLI)

+ ```azurecli

+ az group create --name exampleRG --location eastus

+ az deployment group create --resource-group exampleRG --template-file main.bicep --parameters roleDefinitionID=9980e02c-c2be-4d73-94e8-173b1dc7cf3c principalId=<principal-id>

+ ```

+ # [PowerShell](#tab/PowerShell)

+ ```azurepowershell

+ New-AzResourceGroup -Name exampleRG -Location eastus

+ New-AzResourceGroupDeployment -ResourceGroupName exampleRG -TemplateFile ./main.bicep -roleDefinitionID "9980e02c-c2be-4d73-94e8-173b1dc7cf3c" -principalId "<principal-id>"

+ ```

+

+> [!NOTE]

+> Replace **\<principal-id\>** with the principal ID assigned to the role.

+ When the deployment finishes, you should see a message indicating the deployment succeeded.

+## Review deployed resources

+Use the Azure portal, Azure CLI, or Azure PowerShell to list the deployed resources in the resource group.

+# [CLI](#tab/CLI)

+```azurecli-interactive

+az role assignment list --resource-group exampleRG

+```

+# [PowerShell](#tab/PowerShell)

+```azurepowershell-interactive

+Get-AzRoleAssignment -ResourceGroupName exampleRG

+```

+## Clean up resources

+When no longer needed, use the Azure portal, Azure CLI, or Azure PowerShell to remove the role assignment. For more information, see [Remove Azure role assignments](role-assignments-remove.md).

+Use the Azure portal, Azure CLI, or Azure PowerShell to delete the resource group.

+# [CLI](#tab/CLI)

+```azurecli-interactive

+az group delete --name exampleRG

+```

+# [PowerShell](#tab/PowerShell)

+```azurepowershell-interactive

+Remove-AzResourceGroup -Name exampleRG

+```

+## Next steps

+> [!div class="nextstepaction"]

+> [Tutorial: Grant a user access to Azure resources using Azure PowerShell](tutorial-role-assignments-user-powershell.md)

+*AI enrichment* is the application of machine learning models over content that isn't full text searchable in its raw form. Through enrichment, analysis and inference are used to create searchable content and structure where none previously existed.

+Because Azure Cognitive Search is a full text search solution, the purpose of AI enrichment is to improve the utility of your content in search-related scenarios:

+AI enrichment is an extension of an [**indexer pipeline**](search-indexer-overview.md). An enrichment pipeline has all of the components of an indexer pipeline (indexer, data source, index), plus a [**skillset**](cognitive-search-working-with-skillsets.md) that specifies atomic enrichment steps.

+**Exploration** is the last step. Output is always a [search index](search-what-is-an-index.md) that you can query from a client app. Output can optionally be a [knowledge store](knowledge-store-concept-intro.md) consisting of blobs and tables in Azure Storage that are accessed through data exploration tools or downstream processes. If you're creating a knowledge store, [projections](knowledge-store-projection-overview.md) determine the data path for enriched content. The same enriched content can appear in both indexes and knowledge stores.

+Enrichment is useful if raw content is unstructured text, image content, or content that needs language detection and translation. Applying AI through the [**built-in skills**](cognitive-search-predefined-skills.md) can unlock this content for full text search and data science applications.

+You can also create [**custom skills**](cognitive-search-create-custom-skill-example.md) to provide external processing.

+Open-source, third-party, or first-party code can be integrated into the pipeline as a custom skill. Classification models that identify salient characteristics of various document types fall into this category, but any external package that adds value to your content could be used.

+An enrichment pipeline consists of [*indexers*](search-indexer-overview.md) that have [*skillsets*](cognitive-search-working-with-skillsets.md). Post-indexing, you can query an index to validate your results.

+Start with a subset of data in a [supported data source](search-indexer-overview.md#supported-data-sources). Indexer and skillset design is an iterative process. The work goes faster with a small representative data set.

+1. [Create a skillset](cognitive-search-defining-skillset.md). Unless your project is small, you'll want to [attach a Cognitive Services resource](cognitive-search-attach-cognitive-services.md). If you're [creating a knowledge store](knowledge-store-create-rest.md), define it within the skillset.

+1. [Create an index schema](search-how-to-create-search-index.md) that defines a search index.

+1. [Create and run the indexer](search-howto-create-indexers.md) to bring all of the above components together. This step retrieves the data, runs the skillset, and loads the index.

+ An indexer is also where you specify field mappings and output field mappings that set up the data path to a search index.

+ Optionally, [enable enrichment caching](cognitive-search-incremental-indexing-conceptual.md) in the indexer configuration. This step allows you to reuse existing enrichments later on.

+1. [Run queries](search-query-create.md) to evaluate results or [start a debug session](cognitive-search-how-to-debug-skillset.md) to work through any skillset issues.

+To repeat any of the above steps, [reset the indexer](search-howto-reindex.md) before you run it. Or, delete and recreate the objects on each run (recommended if youΓÇÖre using the free tier). If you enabled caching the indexer will pull from the cache if data is unchanged at the source, and if your edits to the pipeline don't invalidate the cache.

+Search is foundational to any app that surfaces text content to users, with common scenarios including catalog or document search, online retail, or data exploration over proprietary content.

+Functionality is exposed through simple [REST APIs](/rest/api/searchservice/), or Azure SDKs like the [Azure SDK for .NET](search-howto-dotnet-sdk.md), that mask the inherent complexity of information retrieval. You can also use the Azure portal for service administration and content management, with tools for prototyping and querying your indexes and skillsets. Because the service runs in the cloud, infrastructure and availability are managed by Microsoft.

+In this tutorial, you'll learn how to:

+You'll also learn how straightforward a search call is. The key statements in the code are encapsulated in the following few lines:

+Just one call queries the search index and returns results.

+This tutorial uses the Azure.Search.Documents (version 11) package. For an earlier version of the .NET SDK, see [Microsoft.Azure.Search (version 10) code sample](https://github.com/Azure-Samples/azure-search-dotnet-samples/tree/master/create-first-app/v10).

+* [Sample index (hotels-sample-index)](search-get-started-portal.md), hosted on your search service.

+* [Azure.Cognitive.Search client library (version 11)](https://www.nuget.org/packages/Azure.Search.Documents/)

+1. This is a hotels index, so type in some words that you might use to search for hotels (for example, "wifi", "view", "bar", "parking"). Examine the results.

+The essential components for more sophisticated searches are included in this one app. If you're new to search development, you can recreate this app step by step to learn the workflow. The following sections show you how.

+To create this project from scratch, and thus reinforce the concepts of Azure Cognitive Search, start with a Visual Studio project.

+1. In Visual Studio, select **New** > **Project**, then **ASP.NET Core Web App (Model-View-Controller)**.

+1. Give the project a name such as "FirstSearchApp" and set the location. Select **Next**.

+1. Accept the defaults for target framework, authentication type, and HTTPS. Select **Create**.

+In this step, set the endpoint and access key for connecting to the search service that provides the [hotels sample index](search-get-started-portal.md).

+ ```json

+Models (C# classes) are used to communicate data between the client (the view), the server (the controller), and also the Azure cloud using the MVC (model, view, controller) architecture. Typically, these models reflect the structure of the data that is being accessed.

+In this step, you'll model the data structures of the search index, as well as the search string used in view/controller communications. In the hotels index, each hotel has many rooms, and each hotel has a multi-part address. Altogether, the full representation of a hotel is a hierarchical and nested data structure. You'll need three classes to create each component.

+1. Select **Class** and name the item Hotel.cs. Replace all the contents of Hotel.cs with the following code. Notice the **Address** and **Room** members of the class, these fields are classes themselves so you'll need models for them too.

+Project templates come with a number of client views located in the **Views** folder. The exact views depend on the version of Core .NET you're using (3.1 is used in this sample). For this tutorial, you'll modify **Index.cshtml** to include the elements of a search page.

+1. It's standard practice to enter a title for the view, so the next lines should be:

+1. Following the title, enter a reference to an HTML stylesheet, which you'll create shortly.

+ Replace the default code with the following. We won't be going into this file in any more detail, the styles are standard HTML.

+ The **catch** block uses the default error model that was created.

+Depending on which version of .NET Core you're using, a slightly different set of default views is created. For .NET Core 3.1 the default views are Index, Privacy, and Error. You can view these default pages when running the app, and examine how they're handled in the controller.

+You'll be testing the Error view later on in this tutorial.

+ In this method, first ensure our Azure configuration is initiated, then set some search options. The **Select** option specifies which fields to return in results, and thus match the property names in the **hotel** class. If you omit **Select**, all unhidden fields are returned, which can be inefficient if you're only interested in a subset of all possible fields.

+ The asynchronous call to search formulates the request (modeled as **searchText**) and response (modeled as **searchResult**). If you're debugging this code, the **SearchResult** class is a good candidate for setting a break point if you need to examine the contents of **model.resultList**. You should find that it's intuitive, providing just the data you asked for, and not much else.

+1. Try entering "hot" as search text. It doesn't return entries with the word "hotel" in them. Our search is only locating whole words, though a few results are returned.

+1. Try other words: "pool", "sunshine", "view", and whatever. You'll see Azure Cognitive Search working at its simplest, but still convincing level.

+It's important to verify that our error handling features work as they should, even when things are working perfectly.

+ > It's considered a security risk to return internal error numbers in error pages. If your app is intended for general use, follow security best practices of what to return when an error occurs.

+3. Remove **Throw new Exception()** when you're satisfied the error handling works as it should.

+* An Azure Cognitive Search call is concise, and it's easy to interpret the results.

+* Asynchronous calls add a small amount of complexity to the controller, but are a best practice that improves performance.

+* This app performed a straightforward text search, defined by what's set up in **searchOptions**. However, this one class can be populated with many members that add sophistication to a search. With a bit more work, you can make this app considerably more powerful.

+To improve upon the user experience, add more features, notably paging (either using page numbers, or infinite scrolling), and autocomplete/suggestions. You can also consider other search options (for example, geographical searches on hotels within a specified radius of a given point) and search results ordering.

+Install npm dependencies and build the app into the _dist/angular-basic_ folder.

+npm install

+Install npm dependencies and build the app into the _build_ folder.

+npm install

+Install npm dependencies and build the app into the _dist_ folder.

+npm install

+> The integration with Azure App Service is currently in preview and requires the Static Web Apps Standard plan.

+To link a container app as the API backend for a static web app, follow these steps:

+In addition to the Static Web Apps API [constraints](apis-overview.md#constraints), the following restrictions are also applicable to Azure Functions APIs:

+## <a name="constraints"></a>API constraints

+The following constraints apply to all API backends:

+- Each static web app environment can only be configured with one type of backend API at a time.

+- The API route prefix must be `/api`.

+- Route rules for APIs only support [redirects](configuration.md#defining-routes) and [securing routes with roles](configuration.md#securing-routes-with-roles).

+- Only HTTP requests are supported for APIs. WebSocket, for example, is not supported.

+- The maximum duration of each API request 45 seconds.

+console.log(await getUserInfo());

+- **Git-mode:** If you have Git permissions that let you commit changes to the current branch, then the commit action will be permitted if you have permission to publish changes to the live service (Synapse Artifact Publisher role).

+### Configure access to Azure Data Lake Storage Gen2

+Synapse notebooks use Azure Active Directory (Azure AD) pass-through to access the ADLS Gen2 accounts. You need to be a **Storage Blob Data Contributor** to access the ADLS Gen2 account (or folder).

+### Configure access to Azure Blob Storage

+7. Select **Create** first and click **Publish all** to save your changes.

+You can add an Azure Key Vault as a linked service to manage your credentials in Synapse.

+6. Select **Create** first and click **Publish all** to save your change.

+1. Open the [Azure portal](https://portal.azure.com/) and the Azure Key Vault you want to access.

+3. Select **Add Access Policy**:

+ - Select **your Azure AD account** and **your workspace identity** (same as your workspace name) in the select principal or make sure it is already assigned.

+5. Select the **Save** button to commit changes.

+mssparkutils.fs.rm('file path', True) # Set the last parameter as True to remove all files and directories recursively

+mssparkutils.fs.rm("file path", true) // Set the last parameter as True to remove all files and directories recursively

+FS.Rm("file path", true) // Set the last parameter as True to remove all files and directories recursively

+## Notebook utilities

+You can use the MSSparkUtils Notebook Utilities to run a notebook or exit a notebook with a value.

+Reference a notebook and returns its exit value. You can run nesting function calls in a notebook interactively or in a pipeline. The notebook being referenced will run on the Spark pool of which notebook calls this function.

+Exits a notebook with a value. You can run nesting function calls in a notebook interactively or in a pipeline.

+- When you orchestrate a notebook that calls an `exit()` function in a Synapse pipeline, Azure Synapse will return an exit value, complete the pipeline run, and stop the Spark session.

+- When you call an `exit()` function in a notebook being referenced, Azure Synapse will stop the further execution in the notebook being referenced, and continue to run next cells in the notebook that call the `run()` function. For example: Notebook1 has three cells and calls an `exit()` function in the second cell. Notebook2 has five cells and calls `run(notebook1)` in the third cell. When you run Notebook2, Notebook1 will be stopped at the second cell when hitting the `exit()` function. Notebook2 will continue to run its fourth cell and fifth cell.

+**Sample1** notebook locates under **folder/** with following two cells:

+- cell 2 exits the notebook with **input** as exit value.

+You can use the MSSparkUtils Notebook Utilities to run a notebook or exit a notebook with a value.

+Reference a notebook and returns its exit value. You can run nesting function calls in a notebook interactively or in a pipeline. The notebook being referenced will run on the Spark pool of which notebook calls this function.

+Exits a notebook with a value. You can run nesting function calls in a notebook interactively or in a pipeline.

+- When you orchestrate a notebook that calls an `exit()` function in a Synapse pipeline, Azure Synapse will return an exit value, complete the pipeline run, and stop the Spark session.

+- When you call an `exit()` function in a notebook being referenced, Azure Synapse will stop the further execution in the notebook being referenced, and continue to run next cells in the notebook that call the `run()` function. For example: Notebook1 has three cells and calls an `exit()` function in the second cell. Notebook2 has five cells and calls `run(notebook1)` in the third cell. When you run Notebook2, Notebook1 will be stopped at the second cell when hitting the `exit()` function. Notebook2 will continue to run its fourth cell and fifth cell.

+**Sample1** notebook locates under **mssparkutils/folder/** with following two cells:

+- cell 2 exits the notebook with **input** as exit value.

+You can use the MSSparkUtils Credentials Utilities to get the access tokens of linked services and manage secrets in Azure Key Vault.

+Returns Azure AD token for a given audience, name (optional). The table below list all the available audience types:

+Returns connection string or credentials for linked service.

+Returns Azure Key Vault secret for a given Azure Key Vault name, secret name, and linked service name using user credentials.

+Puts Azure Key Vault secret for a given Azure Key Vault name, secret name, and linked service name using user credentials.

+Puts Azure Key Vault secret for a given Azure Key Vault name, secret name, and linked service name using user credentials.

+## Environment utilities

+## Session management

+### Stop an interactive session

+Instead of manually click stop button, sometimes it's more convenient to stop an interactive session by calling an API in the code. For such cases, we provide an API `mssparkutils.session.stop()` to support stopping the interactive session via code, it's available for Scala and Python.

+```python

+mssparkutils.session.stop()

+```

+```scala

+mssparkutils.session.stop()

+```

+`mssparkutils.session.stop()` API will stop the current interactive session asynchronously in the background, it stops the Spark session and release resources occupied by the session so they are available to other sessions in the same pool.

+> [!NOTE]

+> We don't recommend call language built-in APIs like `sys.exit` in Scala or `sys.exit()` in Python in your code, because such APIs just

+> kill the interpreter process, leaving Spark session alive and resources not released.

+### Delta tables on partitioned folders

+External tables in serverless SQL pools do not support partitioning on Delta Lake format. Use [Delta partitioned views](create-use-views.md#delta-lake-partitioned-views) instead of tables if you have partitioned Delta Lake data sets.

+

+> [!IMPORTANT]

+> Do not create external tables on partitioned Delta Lake folders even if you see that they might work in some cases. Using unsupported features like external tables on partitioned delta folders might cause issues or instability of the serverless pool. Azure support will not be able to resolve any issue if it is using tables on partitioned folders. You would be asked to transition to [Delta partitioned views](create-use-views.md#delta-lake-partitioned-views) and rewrite your code to use only the supported feature before proceeding with issue resolution.

+| [Folder partition elimination](#folder-partition-elimination) | No | Partition elimination is available only in the partitioned tables created on Parquet or CSV formats that are synchronized from Apache Spark pools. You might create external tables on Parquet partitioned folders, but the partitioning columns will be inaccessible and ignored, while the partition elimination will not be applied. Do not create [external tables on Delta Lake folders](create-use-external-tables.md#delta-tables-on-partitioned-folders) because they are not supported. Use [Delta partitioned views](create-use-views.md#delta-lake-partitioned-views) if you need to query partitioned Delta Lake data. |

+| Custom format for location | No | Yes, using wildcards like `/year=*/month=*/day=*` for Parquet or CSV formats. Custom folder paths are not available in Delta Lake. In the serverless SQL pool you can also use recursive wildcards `/logs/**` to reference Parquet or CSV files in any sub-folder beneath the referenced folder. |

+ It is recommended that you enable Continuous Availability on the SMB volume for use with FsLogix profile containers, so select **Enable Continuous Availability**. For more information see [Enable Continuous Availability on existing SMB volumes](../azure-netapp-files/enable-continuous-availability-existing-smb.md).

+## Version 1.0.4574.1600

+This update was released in June 2022 and includes the following changes:

+- Fixed broker URL cache to address Agent Telemetry calls.

+- Fixed some network-related issues.

+- Created two new mechanisms to trigger health checks.

+- Additional general bug fixes and agent upgrades.

+> [!NOTE]

+> Virtual machine scale set encryption is supported with API version `2017-03-30` onwards. If you are using templates to enable scale set encryption, update the API version for virtual machine scale sets and the ADE extension inside the template. See this [sample template](https://github.com/Azure/azure-quickstart-templates/blob/master/201-encrypt-running-vmss-windows/azuredeploy.json) for more information.

+If you want to prevent the installation of certain extensions on your Linux VMs, you can create an Azure Policy definition using the Azure CLI to restrict extensions for VMs within a resource group. To learn the basics of Azure VM extensions for Linux, see [Virtual machine extensions and features for Linux](/azure/virtual-machines/extensions/features-linux).

+This tutorial uses the CLI within the Azure Cloud Shell, which is constantly updated to the latest version. If you want to run the Azure CLI locally, you need to install version 2.0.26 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI](/cli/azure/install-azure-cli).

+In order to restrict what extensions are available, you need to create a [rule](../../governance/policy/concepts/definition-structure.md#policy-rule) to identify the extension.

+This example demonstrates how to deny the installation of disallowed VM extensions by defining a rules file in Azure Cloud Shell. However, if you're working in Azure CLI locally, you can create a local file and replace the path (~/clouddrive) with the path to the file on your local file system.

+Copy and paste the following `.json` data into the file.

+ "equals": "Microsoft.Compute/virtualMachines/extensions"

+ "field": "Microsoft.Compute/virtualMachines/extensions/publisher",

+ "equals": "Microsoft.Compute"

+ "field": "Microsoft.Compute/virtualMachines/extensions/type",

+When you're finished, press **Esc**, and then type **:wq** to save and close the file.

+You also need a [parameters](../../governance/policy/concepts/definition-structure.md#parameters) file that creates a structure for you to use for passing in a list of the unauthorized extensions.

+This example shows you how to create a parameter file for Linux VMs in Cloud Shell.

+Copy and paste the following `.json` data into the file.

+When you're finished, press **Esc**, and then type **:wq** to save and close the file.

+A _policy definition_ is an object used to store the configuration that you would like to use. The policy definition uses the rules and parameters files to define the policy. Create the policy definition using [az policy definition create](/cli/azure/role/assignment).

+In this example, the rules and parameters are the files you created and stored as .json files in Cloud Shell or in your local file system.

+This example assigns the policy to a resource group using [`az policy assignment create`](/cli/azure/policy/assignment). Any VM created in the **myResourceGroup** resource group will be unable to install the Linux VM Access or the Custom Script Extensions for Linux.

+> [!NOTE]

+> The resource group must exist before you can assign the policy.

+Use [`az account list`](/cli/azure/account) to find your subscription ID and replace the placeholder in the following example:

+Test the policy by creating a new VM and adding a new user.

+Create a file named *ubuntu.json* and paste the following content. Enter your own values for the following parameters:

+You can also create a filed named *ubuntu.pkr.hcl* and paste the following content with your own values as used for the above parameters table.

+```HCL

+source "azure-arm" "autogenerated_1" {

+ azure_tags = {

+ dept = "Engineering"

+ task = "Image deployment"

+ }

+ client_id = "f5b6a5cf-fbdf-4a9f-b3b8-3c2cd00225a4"

+ client_secret = "0e760437-bf34-4aad-9f8d-870be799c55d"

+ image_offer = "UbuntuServer"

+ image_publisher = "Canonical"

+ image_sku = "16.04-LTS"

+ location = "East US"

+ managed_image_name = "myPackerImage"

+ managed_image_resource_group_name = "myResourceGroup"

+ os_type = "Linux"

+ subscription_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"

+ tenant_id = "72f988bf-86f1-41af-91ab-2d7cd011db47"

+ vm_size = "Standard_DS2_v2"

+}

+build {

+ sources = ["source.azure-arm.autogenerated_1"]

+ provisioner "shell" {

+ execute_command = "chmod +x {{ .Path }}; {{ .Vars }} sudo -E sh '{{ .Path }}'"

+ inline = ["apt-get update", "apt-get upgrade -y", "apt-get -y install nginx", "/usr/sbin/waagent -force -deprovision+user && export HISTSIZE=0 && sync"]

+ inline_shebang = "/bin/sh -x"

+ }

+}

+```

+You can also build the image by specifying the *ubuntu.pkr.hcl* file as follows:

+```bash

+packer build ubuntu.pkr.hcl

+```

+You can now create a VM from your Image with [az vm create](/cli/azure/vm). Specify the Image you created with the `--image` parameter. The following example creates a VM named *myVM* from *myPackerImage* and generates SSH keys if they don't already exist:

+- Managed image

+$sp = New-AzADServicePrincipal -DisplayName "PackerPrincipal" -role Contributor -scope /subscriptions/yyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyy

+You can also create a filed named *windows.pkr.hcl* and paste the following content with your own values as used for the above parameters table.

+```HCL

+source "azure-arm" "autogenerated_1" {

+ azure_tags = {

+ dept = "Engineering"

+ task = "Image deployment"

+ }

+ build_resource_group_name = "myPackerGroup"

+ client_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"

+ client_secret = "ppppppp-pppp-pppp-pppp-ppppppppppp"

+ communicator = "winrm"

+ image_offer = "WindowsServer"

+ image_publisher = "MicrosoftWindowsServer"

+ image_sku = "2016-Datacenter"

+ managed_image_name = "myPackerImage"

+ managed_image_resource_group_name = "myPackerGroup"

+ os_type = "Windows"

+ subscription_id = "yyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyy"

+ tenant_id = "zzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz"

+ vm_size = "Standard_D2_v2"

+ winrm_insecure = true

+ winrm_timeout = "5m"

+ winrm_use_ssl = true

+ winrm_username = "packer"

+}

+build {

+ sources = ["source.azure-arm.autogenerated_1"]

+ provisioner "powershell" {

+ inline = ["Add-WindowsFeature Web-Server", "while ((Get-Service RdAgent).Status -ne 'Running') { Start-Sleep -s 5 }", "while ((Get-Service WindowsAzureGuestAgent).Status -ne 'Running') { Start-Sleep -s 5 }", "& $env:SystemRoot\\System32\\Sysprep\\Sysprep.exe /oobe /generalize /quiet /quit", "while($true) { $imageState = Get-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\State | Select ImageState; if($imageState.ImageState -ne 'IMAGE_STATE_GENERALIZE_RESEAL_TO_OOBE') { Write-Output $imageState.ImageState; Start-Sleep -s 10 } else { break } }"]

+ }

+}

+```

+You can also build the image by specifying the *windows.pkr.hcl* file as follows:

+```

+packer build windows.pkr.hcl

+```

+| Variable | Description | Type |

+| `tfstate_resource_id` | Azure resource identifier for the Storage account in the SAP Library that will contain the Terraform state files | Required |

+| `deployer_tfstate_key` | The name of the state file for the Deployer | Required |

+1. On the download page, select **EAPTLS**, then **Generate and download profile**. A profile package (zip file) containing the client configuration settings is generated and downloads to your computer. The contents of the package depend on the authentication and tunnel type choices for your configuration.

+1. Go to the **virtual hub**.

+1. On the download page, select **EAPTLS**, then **Generate and download profile**. A profile package (zip file) containing the client configuration settings is generated and downloads to your computer. The contents of the package depend on the authentication and tunnel type choices for your configuration.

+The User VPN (P2S) configuration defines the parameters for remote clients to connect. You create User VPN configurations before you create the P2S gateway in the hub. You can create multiple User VPN configurations. When you create the P2S gateway, you select the User VPN configuration that you want to use.

+The instructions you follow depend on the authentication method you want to use. For this exercise, we select **OpenVpn and IKEv2** and certificate authentication. However, other configurations are available. Each authentication method has specific requirements.

+When you connect to VNet using User VPN (P2S), you can use the VPN client that is natively installed on the operating system from which you're connecting. All of the necessary configuration settings for the VPN clients are contained in a VPN client configuration zip file. The settings in the zip file help you easily configure the VPN clients. The VPN client configuration files that you generate are specific to the User VPN configuration for your gateway. In this section, you generate and download the files used to configure your VPN clients.

+There are two different types of configuration profiles that you can download: global and hub. The global profile is a WAN-level configuration profile. When you download the WAN-level configuration profile, you get a built-in Traffic Manager-based User VPN profile. When you use a global profile, if for some reason a hub is unavailable, the built-in traffic management provided by the service ensures connectivity (via a different hub) to Azure resources for point-to-site users. For more information, or to download a hub-level profile VPN client configuration package, see [Global and hub profiles](global-hub-profile.md).

+Use the downloaded profile package to configure the native VPN client on your computer. The procedure for each operating system is different. Follow the instructions that apply to your system.

+> * NAT is supported on the following SKUs: VpnGw2~5, VpnGw2AZ~5AZ.

+## <a name="ikev2-macOS"></a>IKEv2 - macOS steps

+## <a name="openvpn-macOS"></a>OpenVPN - macOS steps

+## <a name="OpenVPN-iOS"></a>OpenVPN - iOS steps