- <OrchestrationSteps>

- <OrchestrationStep Order="1" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />

- </OrchestrationSteps>

-</UserJourney>

-| [System-preferred MFA](concept-system-preferred-multifactor-authentication.md) | Disabled |

-Users in Azure AD can have a multivalued attribute named **certificateUserIds**. The attribute allows up to four values, and each value can be of 120-character length. It can store any value, and doesn't require email ID format. It can store non-routable User Principal Names (UPNs) like _bob@woodgrove_ or _bob@local_.

-For cloud only users, only users with roles **Global Administrators**, **Privileged Authentication Administrator** can write into certificateUserIds.

-For sync'd users, AD users with role **Hybrid Identity Administrator** can write into the attribute.

->Active Directory Administrators (including accounts with delegated administrative privilege over sync'd user accounts as well as administrative rights over the Azure >AD Connect Servers) can make changes that impact the certificateUserIds value in Azure AD for any sync'd accounts.

-

-To synchronize X509:\<RFC822>RFC822Name, create an outbound synchronization rule, choose **Expression** in the flow type. Choose the target attribute as **certificateUserIds**, and in the source field, add the following expression. If your source attribute isn't userPrincipalName, you can change the expression accordingly.

- |Connected System | Your Azure AD doamin |

-## Look up certificateUserIds using Microsoft Graph queries

-Authorized callers can run Microsoft Graph queries to find all the users with a given certificateUserId value. On the Microsoft Graph [user](/graph/api/resources/user) object, the collection of certificateUserIds are stored in the **authorizationInfo** property.

-

-To retrieve all user objects that have the value 'bob@contoso.com' in certificateUserIds:

-```msgraph-interactive

-GET https://graph.microsoft.com/v1.0/users?$filter=authorizationInfo/certificateUserIds/any(x:x eq 'bob@contoso.com')&$count=true

-ConsistencyLevel: eventual

-```

-You can also use the `not` and `startsWith` operators to match the filter condition. To filter against the certificateUserIds object, the request must include the `$count=true` query string and the **ConsistencyLevel** header set to `eventual`.

-

-## Update certificateUserIds using Microsoft Graph queries

-Run a PATCH request to update the certificateUserIds for a given user.

-#### Request body:

-```http

-PATCH https://graph.microsoft.com/v1.0/users/{id}

-Content-Type: application/json

-{

- "authorizationInfo": {

- "certificateUserIds": [

- "X509:<PN>123456789098765@mil"

- ]

- }

-}

-```

->System-preferred MFA is an important security enhancement for users authenticating by using telecom transports. Starting July 07, 2023, the Microsoft managed value of system-preferred MFA will change from **Disabled** to **Enabled**. If you don't want to enable system-peeferred MFA, change the state from **Default** to **Disabled**, or exclude users and groups from the policy.

- Only users who are enabled for Microsoft Authenticator here can be enabled to use Authenticator Lite for sign-in, or excluded from it. Users who aren't enabled for Microsoft Authenticator can't see the feature. Users who have Microsoft Authenticator downloaded on the same device Outlook is downloaded on will not be prompted to register for Authenticator Lite in Outlook.

->

-> 

-| Microsoft 365 Business Voice | BUSINESS_VOICE_MED2 | a6051f20-9cbc-47d2-930d-419183bf6cf1 | MCOMEETADV (3e26ee1f-8a5f-4d52-aee2-b81ce45c8f40)<br/>MCOPSTN1 (4ed3ff63-69d7-4fb7-b984-5aec7f605ca8)<br/>MCOEV (4828c8ec-dc2e-4779-b502-87ac9ce28ab7) | Microsoft 365 Audio Conferencing (3e26ee1f-8a5f-4d52-aee2-b81ce45c8f40)<br/>Microsoft 365 Domestic Calling Plan (4ed3ff63-69d7-4fb7-b984-5aec7f605ca8)<br/>Microsoft 365 Phone System (4828c8ec-dc2e-4779-b502-87ac9ce28ab7) |

-| Microsoft 365 Business Voice (US) | BUSINESS_VOICE_MED2_TELCO | 08d7bce8-6e16-490e-89db-1d508e5e9609 | MCOMEETADV (3e26ee1f-8a5f-4d52-aee2-b81ce45c8f40)<br/>MCOPSTN1 (4ed3ff63-69d7-4fb7-b984-5aec7f605ca8)<br/>MCOEV (4828c8ec-dc2e-4779-b502-87ac9ce28ab7) | Microsoft 365 Audio Conferencing (3e26ee1f-8a5f-4d52-aee2-b81ce45c8f40)<br/>Microsoft 365 Domestic Calling Plan (4ed3ff63-69d7-4fb7-b984-5aec7f605ca8)<br/>Microsoft 365 Phone System (4828c8ec-dc2e-4779-b502-87ac9ce28ab7) |

-| Microsoft 365 Business Voice (without calling plan) | BUSINESS_VOICE_DIRECTROUTING | d52db95a-5ecb-46b6-beb0-190ab5cda4a8 | MCOMEETADV (3e26ee1f-8a5f-4d52-aee2-b81ce45c8f40)<br/>MCOEV (4828c8ec-dc2e-4779-b502-87ac9ce28ab7) | Microsoft 365 Audio Conferencing (3e26ee1f-8a5f-4d52-aee2-b81ce45c8f40)<br/>Microsoft 365 Phone System (4828c8ec-dc2e-4779-b502-87ac9ce28ab7) |

-| Microsoft 365 Business Voice (without Calling Plan) for US | BUSINESS_VOICE_DIRECTROUTING_MED | 8330dae3-d349-44f7-9cad-1b23c64baabe | MCOMEETADV (3e26ee1f-8a5f-4d52-aee2-b81ce45c8f40)<br/>MCOEV (4828c8ec-dc2e-4779-b502-87ac9ce28ab7) | Microsoft 365 Audio Conferencing (3e26ee1f-8a5f-4d52-aee2-b81ce45c8f40)<br/>Microsoft 365 Phone System (4828c8ec-dc2e-4779-b502-87ac9ce28ab7) |

-|[System-preferred authentication methods](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-change-announcements-march-2023-train/ba-p/2967448)|Feature change|Sometime after GA|

-|[Azure AD Authentication Library (ADAL)](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-change-announcements-march-2023-train/ba-p/2967448)|Retirement|Jun 30, 2023|

-|[My Apps improvements](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-change-announcements-march-2023-train/ba-p/2967448)|Feature change|Jun 30, 2023|

-> | Submit support ticket | [Service Support Administrator](permissions-reference.md#service-support-administrator) | [Application Administrator](permissions-reference.md#application-administrator)<br/>[Azure Information Protection Administrator](permissions-reference.md#azure-information-protection-administrator)<br/>[Billing Administrator](permissions-reference.md#billing-administrator)<br/>[Cloud Application Administrator](permissions-reference.md#cloud-application-administrator)<br/>[Compliance Administrator](permissions-reference.md#compliance-administrator)<br/>[Dynamics 365 Administrator](permissions-reference.md#dynamics-365-administrator)<br/>[Desktop Analytics Administrator](permissions-reference.md#desktop-analytics-administrator)<br/>[Exchange Administrator](permissions-reference.md#exchange-administrator)<br/>[Intune Administrator](permissions-reference.md#intune-administrator)<br/>[Password Administrator](permissions-reference.md#password-administrator)<br/>[Power BI Administrator](permissions-reference.md#power-bi-administrator)<br/>[Privileged Authentication Administrator](permissions-reference.md#privileged-authentication-administrator)<br/>[SharePoint Administrator](permissions-reference.md#sharepoint-administrator)<br/>[Skype for Business Administrator](permissions-reference.md#skype-for-business-administrator)<br/>[Teams Administrator](permissions-reference.md#teams-administrator)<br/>[Teams Communications Administrator](permissions-reference.md#teams-communications-administrator)<br/>[User Administrator](permissions-reference.md#user-administrator) |

-> | [Power BI Administrator](#power-bi-administrator) | Can manage all aspects of the Power BI product. | a9ea8996-122f-4c74-9520-8edcd192826c |

-> | microsoft.powerApps.powerBI/allEntities/allTasks | Manage all aspects of Power BI |

-* **Self-service purchase in Microsoft 365 admin center** ΓÇô Self-service purchase gives users a chance to try out new products by buying or signing up for them on their own. These products are managed in the admin center. Users who make a self-service purchase are assigned a role in the commerce system, and the Modern Commerce User role so they can manage their purchases in admin center. Admins can block self-service purchases (for Power BI, Power Apps, Power automate) through [PowerShell](/microsoft-365/commerce/subscriptions/allowselfservicepurchase-powershell). For more information, see [Self-service purchase FAQ](/microsoft-365/commerce/subscriptions/self-service-purchase-faq).

-## Power BI Administrator

-Users with this role have global permissions within Microsoft Power BI, when the service is present, as well as the ability to manage support tickets and monitor service health. For more information, see [Understanding Power BI administrator roles](/power-bi/admin/service-admin-role).

-> [!NOTE]

-> In the Microsoft Graph API and Azure AD PowerShell, this role is named Power BI Service Administrator. In the [Azure portal](../../azure-portal/azure-portal-overview.md), it is named Power BI Administrator.

-> [!div class="mx-tableFixed"]

-> | Actions | Description |

-> | | |

-> | microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |

-> | microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |

-> | microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |

-> | microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |

-> | microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |

-> | microsoft.powerApps.powerBI/allEntities/allTasks | Manage all aspects of Power BI |

-Users with this role can view usage reporting data and the reports dashboard in Microsoft 365 admin center and the adoption context pack in Power BI. Additionally, the role provides access to all sign-in logs, audit logs, and activity reports in Azure AD and data returned by the Microsoft Graph reporting API. A user assigned to the Reports Reader role can access only relevant usage and adoption metrics. They don't have any admin permissions to configure settings or access the product-specific admin centers like Exchange. This role has no access to view, create, or manage support tickets.

-description: Learn how to configure single sign-on between Azure Active Directory and R and D Tax Credit Services.

-# Tutorial: Azure AD SSO integration with R and D Tax Credit Services : 10-wk Implementation

-In this tutorial, you'll learn how to integrate R and D Tax Credit Services with Azure Active Directory (Azure AD). When you integrate R and D Tax Credit Services with Azure AD, you can:

-* Control in Azure AD who has access to R and D Tax Credit Services.

-* Enable your users to be automatically signed-in to R and D Tax Credit Services with their Azure AD accounts.

-* Manage your accounts in one central location - the Azure portal.

-## Prerequisites

-To get started, you need the following items:

-* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

-* R and D Tax Credit Services single sign-on (SSO) enabled subscription.

-## Scenario description

-In this tutorial, you configure and test Azure AD SSO in a test environment.

-* R and D Tax Credit Services supports **SP** initiated SSO.

-> [!NOTE]

-> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.

-## Add R and D Tax Credit Services from the gallery

-To configure the integration of R and D Tax Credit Services into Azure AD, you need to add R and D Tax Credit Services from the gallery to your list of managed SaaS apps.

-1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

-1. On the left navigation pane, select the **Azure Active Directory** service.

-1. Navigate to **Enterprise Applications** and then select **All Applications**.

-1. To add new application, select **New application**.

-1. In the **Add from the gallery** section, type **R and D Tax Credit Services** in the search box.

-1. Select **R and D Tax Credit Services** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

- Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides)

-## Configure and test Azure AD SSO for R and D Tax Credit Services

-Configure and test Azure AD SSO with R and D Tax Credit Services using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in R and D Tax Credit Services.

-To configure and test Azure AD SSO with R and D Tax Credit Services, perform the following steps:

-1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

- 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

- 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

-1. **[Configure R and D Tax Credit Services SSO](#configure-r-and-d-tax-credit-services-sso)** - to configure the single sign-on settings on application side.

- 1. **[Create R and D Tax Credit Services test user](#create-r-and-d-tax-credit-services-test-user)** - to have a counterpart of B.Simon in R and D Tax Credit Services that is linked to the Azure AD representation of user.

-1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

-## Configure Azure AD SSO

-Follow these steps to enable Azure AD SSO in the Azure portal.

-1. In the Azure portal, on the **R and D Tax Credit Services** application integration page, find the **Manage** section and select **single sign-on**.

-1. On the **Select a single sign-on method** page, select **SAML**.

-1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

- 

-1. On the **Basic SAML Configuration** section, perform the following steps:

- a. In the **Identifier (Entity ID)** text box, type the value:

- `urn:pwcid:saml:sp:p`

- b. In the **Reply URL** textbox, type the URL:

- `https://login.pwc.com/openam/PWCIAuthConsumer/metaAlias/pwc/sp3`

- c. In the **Sign on URL** text box, type the URL:

- `https://researchcreditsolution.pwc.com/`

-1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.

- 

-1. On the **Set up R and D Tax Credit Services** section, copy the appropriate URL(s) based on your requirement.

- 

-### Create an Azure AD test user

-In this section, you'll create a test user in the Azure portal called B.Simon.

-1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

-1. Select **New user** at the top of the screen.

-1. In the **User** properties, follow these steps:

- 1. In the **Name** field, enter `B.Simon`.

- 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

- 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

- 1. Click **Create**.

-### Assign the Azure AD test user

-In this section, you'll enable B.Simon to use Azure single sign-on by granting access to R and D Tax Credit Services.

-1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

-1. In the applications list, select **R and D Tax Credit Services**.

-1. In the app's overview page, find the **Manage** section and select **Users and groups**.

-1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

-1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

-1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

-1. In the **Add Assignment** dialog, click the **Assign** button.

-## Configure R and D Tax Credit Services SSO

-To configure single sign-on on **R and D Tax Credit Services** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [R and D Tax Credit Services support team](https://www.pwc.com/us/en/services/tax/specialized-tax/research-development-credit.html). They set this setting to have the SAML SSO connection set properly on both sides.

-### Create R and D Tax Credit Services test user

-In this section, you create a user called Britta Simon in R and D Tax Credit Services. Work with [R and D Tax Credit Services support team](https://www.pwc.com/us/en/services/tax/specialized-tax/research-development-credit.html) to add the users in the R and D Tax Credit Services platform. Users must be created and activated before you use single sign-on.

-## Test SSO

-In this section, you test your Azure AD single sign-on configuration with following options.

-* Click on **Test this application** in Azure portal. This will redirect to R and D Tax Credit Services Sign-on URL where you can initiate the login flow.

-* Go to R and D Tax Credit Services Sign-on URL directly and initiate the login flow from there.

-* You can use Microsoft My Apps. When you click the R and D Tax Credit Services tile in the My Apps, this will redirect to R and D Tax Credit Services Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-## Next steps

-Once you configure R and D Tax Credit Services you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).

-description: Learn how to automatically provision and de-provision user accounts from Azure AD to SAP Analytics Cloud.

-This tutorial describes the steps you need to perform in both SAP Analytics Cloud and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [SAP Analytics Cloud](https://www.sapanalytics.cloud/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).

-> * Keep user attributes synchronized between Azure AD and SAP Analytics Cloud

-* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md)

-* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (e.g. Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).

-> This integration is also available to use from Azure AD US Government Cloud environment. You can find this application in the Azure AD US Government Cloud Application Gallery and configure it in the same way as you do from public cloud.

-2. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

-3. Determine what data to [map between Azure AD and SAP Analytics Cloud](../app-provisioning/customize-application-attributes.md).

-## Step 2. Configure SAP Analytics Cloud to support provisioning with Azure AD

-1. Sign into the SAP Identity Provisioning admin console with your administrator account and then select **Proxy Systems**.

- 

-2. Select **Properties**.

- 

-3. Copy the **URL** and append `/api/v1/scim` to the URL. Save this for later to use in the **Tenant URL** field.

- 

-4. Use [POSTMAN](https://www.postman.com/) to perform a POST HTTPS call to the address: `<Token URL>?grant_type=client_credentials` where `Token URL` is the URL in the **OAuth2TokenServiceURL** field. This step is needed to generate an access token to be used in the Secret Token field when configuring automatic provisioning.

- 

-5. In Postman, use **Basic Authentication**, and set the OAuth client ID as the user and the secret as the password. This call returns an access token. Keep this copied for later to use in the **Secret Token** field.

- 

-## Step 3. Add SAP Analytics Cloud from the Azure AD application gallery

-Add SAP Analytics Cloud from the Azure AD application gallery to start managing provisioning to SAP Analytics Cloud. If you have previously setup SAP Analytics Cloud for SSO you can use the same application. However it is recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).

-## Step 4. Define who will be in scope for provisioning

-The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

-* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

-* If you need additional roles, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add new roles.

-## Step 5. Configure automatic user provisioning to SAP Analytics Cloud

-This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and/or groups in TestApp based on user and/or group assignments in Azure AD.

-### To configure automatic user provisioning for SAP Analytics Cloud in Azure AD:

-1. Sign in to the [Azure portal](https://portal.azure.com). Select **Enterprise Applications**, then select **All applications**.

- 

-2. In the applications list, select **SAP Analytics Cloud**.

- 

-3. Select the **Provisioning** tab.

- 

-4. Set the **Provisioning Mode** to **Automatic**.

- 

-5. Under the **Admin Credentials** section, input the tenant URL value retrieved earlier in **Tenant URL**. Input the access token value retrieved earlier in **Secret Token**. Click **Test Connection** to ensure Azure AD can connect to SAP Analytics Cloud. If the connection fails, ensure your SAP Analytics Cloud account has Admin permissions and try again.

- 

-6. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box.

- 

-7. Select **Save**.

-8. Under the **Mappings** section, select **Provision Azure Active Directory Users**.

-9. Review the user attributes that are synchronized from Azure AD to SAP Analytics Cloud in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in SAP Analytics Cloud for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you will need to ensure that the SAP Analytics Cloud API supports filtering users based on that attribute. Select the **Save** button to commit any changes.

- |Attribute|Type|Supported for filtering|

- ||||

- |userName|String|&check;|

- |name.givenName|String|

- |name.familyName|String|

- |active|Boolean|

- |emails[type eq "work"].value|String|

- |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager|String|

-10. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

-11. To enable the Azure AD provisioning service for SAP Analytics Cloud, change the **Provisioning Status** to **On** in the **Settings** section.

- 

-12. Define the users and/or groups that you would like to provision to SAP Analytics Cloud by choosing the desired values in **Scope** in the **Settings** section.

- 

-13. When you are ready to provision, click **Save**.

- 

-This operation starts the initial synchronization cycle of all users and groups defined in **Scope** in the **Settings** section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running.

-## Step 6. Monitor your deployment

-Once you've configured provisioning, use the following resources to monitor your deployment:

-1. Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully

-2. Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it is to completion

-3. If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).

-## Additional resources

-* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)

-* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

-## Next steps

-* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)

-> - The firewall public IP address

-[azure-devops-allowed-network-cfg]: /azure/devops/organizations/security/allow-list-ip-url

-| audiences | Contains a list of acceptable audience claims that can be present on the token. If multiple audience values are present, then each value is tried until either all are exhausted (in which case validation fails) or until one succeeds. At least one audience must be specified. | No |

-| backend-application-ids | Contains a list of acceptable backend application IDs. This is only required in advanced cases for the configuration of options and can generally be removed. | No |

-| client-application-ids | Contains a list of acceptable client application IDs. If multiple application-id elements are present, then each value is tried until either all are exhausted (in which case validation fails) or until one succeeds. At least one application-id must be specified. | Yes |

-| required-claims | Contains a list of `claim` elements for claim values expected to be present on the token for it to be considered valid. When the `match` attribute is set to `all`, every claim value in the policy must be present in the token for validation to succeed. When the `match` attribute is set to `any`, at least one claim must be present in the token for validation to succeed. | No |

-| certificate-id | Identifier of a certificate entity [uploaded](/rest/api/apimanagement/apimanagementrest/azure-api-management-rest-api-certificate-entity#Add) to API Management, used to specify the public key to verify an RS256 signed token. | No | N/A |

-| n | Modulus of the public key used to verify the issuer of an RS256 signed token. Must be specified with the value of the exponent `e`.| No | N/A|

-| e | Exponent of the public key used to verify the issuer an RS256 signed token. Must be specified with the value of the modulus `n`. | No | N/A|

-The slot's URL has the format `http://sitename-slotname.azurewebsites.net`. To keep the URL length within necessary DNS limits, the site name is truncated at 40 characters, the slot name is truncated at 19 characters, and 4 extra random characters are appended to ensure the resulting domain name is unique.

-1. **Outbound to the Internet** - Allow outbound traffic to the Internet for all destinations. This rule is created by default for [network security group](../virtual-network/network-security-groups-overview.md), and you must not override it with a manual Deny rule to ensure smooth operations of your application gateway.

-`v1.20.0_2023-07-11`

-    EventType = "testEvent"

-    Subject = "testapp/testPublish"

-    EventTime = "2020-08-27T21:03:07+00:00"

-    Data = @{

-    DataVersion = "1.0"

-The following table lists the currently available versions of the default *Microsoft.Azure.Functions.ExtensionBundle* bundle and links to the extensions they include.

-| 1.x | `[1.*, 2.0.0)` | See [extensions.json](https://github.com/Azure/azure-functions-extension-bundles/blob/v1.x/src/Microsoft.Azure.Functions.ExtensionBundle/extensions.json) used to generate the bundle |

-| 2.x | `[2.*, 3.0.0)` | See [extensions.json](https://github.com/Azure/azure-functions-extension-bundles/blob/v2.x/src/Microsoft.Azure.Functions.ExtensionBundle/extensions.json) used to generate the bundle |

-| 3.x | `[3.3.0, 4.0.0)` | See [extensions.json](https://github.com/Azure/azure-functions-extension-bundles/blob/4f5934a18989353e36d771d0a964f14e6cd17ac3/src/Microsoft.Azure.Functions.ExtensionBundle/extensions.json) used to generate the bundle¹ |

-| 4.x | `[4.0.0, 5.0.0)` | See [extensions.json](https://github.com/Azure/azure-functions-extension-bundles/blob/v4.x/src/Microsoft.Azure.Functions.ExtensionBundle/extensions.json) used to generate the bundle¹ |

-¹ Version 4.x of the extension bundle currently doesn't include the [Web PubSub bindings](https://learn.microsoft.com/azure/azure-web-pubsub/reference-functions-bindings?tabs=csharp#add-to-your-functions-app ). If your app requires Web PubSub, you'll need to continue using the 3.x version for now.

-> Even though host.json supports custom ranges for `version`, you should use a version value from this table.

-A *function* is the primary concept in Azure Functions. A function contains two important pieces - your code, which can be written in a variety of languages, and some config, the function.json file. For compiled languages, this config file is generated automatically from annotations in your code. For scripting languages, you must provide the config file yourself.

-A function app provides an execution context in Azure in which your functions run. As such, it is the unit of deployment and management for your functions. A function app is composed of one or more individual functions that are managed, deployed, and scaled together. All of the functions in a function app share the same pricing plan, deployment method, and runtime version. Think of a function app as a way to organize and collectively manage your functions. To learn more, see [How to manage a function app](functions-how-to-use-azure-function-app-settings.md).

-You can configure the version of the Functions runtime using the `FUNCTIONS_EXTENSION_VERSION` app setting. For example, the value "~3" indicates that your function app will use 3.x as its major version. Function apps are upgraded to each new minor version as they are released. For more information, including how to view the exact version of your function app, see [How to target Azure Functions runtime versions](set-runtime-version.md).

-Here is a table of all supported bindings.

-Your function project references connection information by name from its configuration provider. It does not directly accept the connection details, allowing them to be changed across environments. For example, a trigger definition might include a `connection` property. This might refer to a connection string, but you cannot set the connection string directly in a `function.json`. Instead, you would set `connection` to the name of an environment variable that contains the connection string.

-For example, the `connection` property for an Azure Blob trigger definition might be "Storage1". As long as there is no single string value configured by an environment variable named "Storage1", an environment variable named `Storage1__blobServiceUri` could be used to inform the `blobServiceUri` property of the connection. The connection properties are different for each service. Refer to the documentation for the component that uses the connection.

-Some connections in Azure Functions can be configured to use an identity instead of a secret. Support depends on the extension using the connection. In some cases, a connection string may still be required in Functions even though the service to which you are connecting supports identity-based connections. For a tutorial on configuring your function apps with managed identities, see the [creating a function app with identity-based connections tutorial](./functions-identity-based-connections-tutorial.md).

-| Token Credential | `<CONNECTION_NAME_PREFIX>__credential` | Defines how a token should be obtained for the connection. This setting should be set to "managedidentity" if your deployed Azure Function intends to use managed identity authentication. This value is only valid when a managed identity is available in the hosting environment. |

-| Client ID | `<CONNECTION_NAME_PREFIX>__clientId` | When `credential` is set to "managedidentity", this property can be set to specify the user-assigned identity to be used when obtaining a token. The property accepts a client ID corresponding to a user-assigned identity assigned to the application. It is invalid to specify both a Resource ID and a client ID. If not specified, the system-assigned identity is used. This property is used differently in [local development scenarios](#local-development-with-identity-based-connections), when `credential` should not be set. |

-| Resource ID | `<CONNECTION_NAME_PREFIX>__managedIdentityResourceId` | When `credential` is set to "managedidentity", this property can be set to specify the resource Identifier to be used when obtaining a token. The property accepts a resource identifier corresponding to the resource ID of the user-defined managed identity. It is invalid to specify both a resource ID and a client ID. If neither are specified, the system-assigned identity is used. This property is used differently in [local development scenarios](#local-development-with-identity-based-connections), when `credential` should not be set.

-When you are running your function project locally, the above configuration tells the runtime to use your local developer identity. The connection attempts to get a token from the following locations, in order:

-If none of these options are successful, an error will occur.

-Your identity may already have some role assignments against Azure resources used for development, but those roles may not provide the necessary data access. Management roles like [Owner](../role-based-access-control/built-in-roles.md#owner) are not sufficient. Double-check what permissions are required for connections for each component, and make sure that you have them assigned to yourself.

-Here is an example of `local.settings.json` properties required for identity-based connection to Azure Blobs:

-The Azure Functions host uses the "AzureWebJobsStorage" connection for core behaviors such as coordinating singleton execution of timer triggers and default app key storage. This can be configured to leverage an identity as well.

-> Other components in Functions rely on "AzureWebJobsStorage" for default behaviors. You should not move it to an identity-based connection if you are using older versions of extensions that do not support this type of connection, including triggers and bindings for Azure Blobs, Event Hubs, and Durable Functions. Similarly, `AzureWebJobsStorage` is used for deployment artifacts when using server-side build in Linux Consumption, and if you enable this, you will need to deploy via [an external deployment package](run-functions-from-deployment-package.md).

-> In addition, some apps reuse "AzureWebJobsStorage" for other storage connections in their triggers, bindings, and/or function code. Make sure that all uses of "AzureWebJobsStorage" are able to use the identity-based connection format before changing this connection from a connection string.

-To use an identity-based connection for "AzureWebJobsStorage", configure the following app settings:

-If you are configuring "AzureWebJobsStorage" using a storage account that uses the default DNS suffix and service name for global Azure, following the `https://<accountName>.blob/queue/file/table.core.windows.net` format, you can instead set `AzureWebJobsStorage__accountName` to the name of your storage account. The endpoints for each storage service will be inferred for this account. This will not work if the storage account is in a sovereign cloud or has a custom DNS.

-| `AzureWebJobsStorage__accountName` | The account name of a storage account, valid only if the account is not in a sovereign cloud and does not have a custom DNS. This syntax is unique to "AzureWebJobsStorage" and cannot be used for other identity-based connections. | <storage_account_name> |

-# Interact with the map

-This article shows you how to use [map events class](/javascript/api/azure-maps-control/atlas.map#events). The property highlight events on the map and on different layers of the map. You can also highlight events when you interact with an HTML marker.

-| `close` | Fired when the popup is closed manually or programatically.|

-| `keypress` | Fired when a key that produces a typable character (an ANSI key) is pressed.|

-| `open` | Fired when the popup is opened manually or programatically.|

-> [Using the Azure Maps Services module](./how-to-use-services-module.md)

-> [Code samples](/samples/browse/?products=azure-maps)

-* If this is not the first span in the trace, then the parent sampling decision is used.

-Note that only attributes set at the start of the span are available for sampling,

-so attributes such as `http.status_code` which are captured later on cannot be used for sampling.

-* [Tracking incoming requests](./opencensus-python-dependency.md)

-* [Tracking outgoing requests](./opencensus-python-request.md)

-* [Application map](./app-map.md)

-* [End-to-end performance monitoring](../app/tutorial-performance.md)

-The Per Node pricing tier charges per monitored VM (node) on an hour granularity. For each monitored node, the workspace is allocated 500 MB of data per day that's not billed. This allocation is calculated with hourly granularity and is aggregated at the workspace level each day. Data ingested above the aggregate daily data allocation is billed per GB as data overage. The Per Node pricing tier should only be used by customers with active Operations Management Suite (OMS) licenses.

-description: Log Analytics workspace data export in Azure Monitor lets you continuously export data per selected tables in your workspace. You can export to an Azure Storage account or Azure Event Hubs as it's collected.

-Data export in a Log Analytics workspace lets you continuously export data per selected tables in your workspace. You can export to an Azure Storage account or Azure Event Hubs as the data arrives to an Azure Monitor pipeline. This article provides details on this feature and steps to configure data export in your workspaces.

-* **Tamper-protected store compliance:** Data can't be altered in Log Analytics after it's ingested, but it can be purged. Export to a storage account set with [immutability policies](../../storage/blobs/immutable-policy-configure-version-scope.md) to keep data tamper protected.

-* **Integration with Azure services and other tools:** Export to event hubs as data arrives and is processed in Azure Monitor.

-* **Long-term retention of audit and security data:** Export to a storage account in the workspace's region. Or you can replicate data to other regions by using any of the [Azure Storage redundancy options](../../storage/common/storage-redundancy.md#redundancy-in-a-secondary-region) including GRS and GZRS.

-After you've configured data export rules in a Log Analytics workspace, new data for tables in rules is exported from the Azure Monitor pipeline to your storage account or event hubs as it arrives.

-You need to have write permissions to both workspace and destination to configure a data export rule on any table in a workspace. The shared access policy for the Event Hubs namespace defines the permissions that the streaming mechanism has. Streaming to event hubs requires manage, send, and listen permissions. To update the export rule, you must have the ListKey permission on that event hubs authorization rule.

-### Storage account

-Don't use an existing storage account that has other non-monitoring data to better control access to the data and prevent reaching storage ingress rate limit, failures, and latency.

-To send data to an immutable storage account, set the immutable policy for the storage account as described in [Set and manage immutability policies for Azure Blob Storage](../../storage/blobs/immutable-policy-configure-version-scope.md). You must follow all steps in this article, including enabling protected append blobs writes.

-The Storage Account can't be Premium, must be StorageV1 or later, and located in the same region as your workspace. If you need to replicate your data to other storage accounts in other regions, you can use any of the [Azure Storage redundancy options](../../storage/common/storage-redundancy.md#redundancy-in-a-secondary-region), including GRS and GZRS.

-Data is sent to storage accounts as it reaches Azure Monitor and exported to destinations located in a workspace region. A container is created for each table in the storage account with the name *am-* followed by the name of the table. For example, the table *SecurityEvent* would send to a container named *am-SecurityEvent*.

-Blobs are stored in 5-minute folders in the following path structure: *WorkspaceResourceId=/subscriptions/subscription-id/resourcegroups/\<resource-group\>/providers/microsoft.operationalinsights/workspaces/\<workspace\>/y=\<four-digit numeric year\>/m=\<two-digit numeric month\>/d=\<two-digit numeric day\>/h=\<two-digit 24-hour clock hour\>/m=\<two-digit 60-minute clock minute\>/PT05M.json*. Appends to blobs are limited to 50-K writes. More blobs will be added in the folder as *PT05M_#.json**, where # is the incremental blob count.

-The format of blobs in a storage account is in [JSON lines](/previous-versions/azure/azure-monitor/essentials/resource-logs-blob-format), where each record is delimited by a new line, with no outer records array and no commas between JSON records.

-### Event hubs

-Don't use an existing event hub that has non-monitoring data to prevent reaching the Event Hubs namespace ingress rate limit, failures, and latency.

-Data is sent to your event hub as it reaches Azure Monitor and is exported to destinations located in a workspace region. You can create multiple export rules to the same Event Hubs namespace by providing a different `event hub name` in the rule. When an `event hub name` isn't provided, a default event hub is created for tables that you export with the name *am-* followed by the name of the table. For example, the table *SecurityEvent* would be sent to an event hub named *am-SecurityEvent*.

-The [number of supported event hubs in Basic and Standard namespace tiers is 10](../../event-hubs/event-hubs-quotas.md#common-limits-for-all-tiers). When you're exporting more than 10 tables to these tiers, either split the tables between several export rules to different Event Hubs namespaces or provide an event hub name to export all tables to it.

-> - The Basic Event Hubs namespace tier is limited. It supports [lower event size](../../event-hubs/event-hubs-quotas.md#basic-vs-standard-vs-premium-vs-dedicated-tiers) and no [Auto-inflate](../../event-hubs/event-hubs-auto-inflate.md) option to automatically scale up and increase the number of throughput units. Because data volume to your workspace increases over time and as a consequence event hub scaling is required, use Standard, Premium, or Dedicated Event Hubs tiers with the **Auto-inflate** feature enabled. For more information, see [Automatically scale up Azure Event Hubs throughput units](../../event-hubs/event-hubs-auto-inflate.md).

-> - Data export can't reach Event Hubs resources when virtual networks are enabled. You have to select the **Allow Azure services on the trusted services list to access this storage account** checkbox to bypass this firewall setting in an event hub to grant access to your event hubs.

-If you've configured your storage account to allow access from selected networks, you need to add an exception to allow Azure Monitor to write to the account. From **Firewalls and virtual networks** for your storage account, select **Allow Azure services on the trusted services list to access this storage account**.

-> Export destinations have limits and should be monitored to minimize throttling, failures, and latency. For more information, see [Storage account scalability](../../storage/common/scalability-targets-standard-account.md#scale-targets-for-standard-storage-accounts) and [Event Hubs namespace quotas](../../event-hubs/event-hubs-quotas.md).

-#### Monitor a storage account

-1. Use a separate storage account for export.

- - Use a separate storage account for export that isn't shared with non-monitoring data.

- - Split tables between more storage accounts.

-#### Monitor event hubs

-A data export rule defines the destination and tables for which data is exported. You can create 10 rules in the **Enabled** state in your workspace. More rules are allowed in the **Disabled** state. The storage account must be unique across rules in the workspace. Multiple rules can use the same Event Hubs namespace when you're sending to separate event hubs.

-> - Export to a storage account: A separate container is created in the storage account for each table.

-> - Export to event hubs: If an event hub name isn't provided, a separate event hub is created for each table. The [number of supported event hubs in Basic and Standard namespace tiers is 10](../../event-hubs/event-hubs-quotas.md#common-limits-for-all-tiers). When you're exporting more than 10 tables to these tiers, either split the tables between several export rules to different Event Hubs namespaces or provide an event hub name in the rule to export all tables to it.

-Use the following command to create a data export rule to a storage account by using PowerShell. A separate container is created for each table.

-Use the following command to create a data export rule to a specific event hub by using PowerShell. All tables are exported to the provided event hub name and can be filtered by the **Type** field to separate tables.

-Use the following command to create a data export rule to an event hub by using PowerShell. When a specific event hub name isn't provided, a separate container is created for each table, up to the [number of event hubs supported in each Event Hubs tier](../../event-hubs/event-hubs-quotas.md#common-limits-for-all-tiers). To export more tables, provide an event hub name in the rule. Or you can set another rule and export the remaining tables to another Event Hubs namespace.

-Use the following command to create a data export rule to a storage account by using the CLI. A separate container is created for each table.

-Use the following command to create a data export rule to a specific event hub by using the CLI. All tables are exported to the provided event hub name and can be filtered by the **Type** field to separate tables.

-Use the following command to create a data export rule to an event hub by using the CLI. When a specific event hub name isn't provided, a separate container is created for each table up to the [number of supported event hubs for your Event Hubs tier](../../event-hubs/event-hubs-quotas.md#common-limits-for-all-tiers). If you have more tables to export, provide an event hub name to export any number of tables. Or you can set another rule to export the remaining tables to another Event Hubs namespace.

-Use the following request to create a data export rule to a storage account by using the REST API. A separate container is created for each table. The request should use bearer token authorization and content type application/json.

-The following example is a sample body for the REST request for an event hub.

-The following example is a sample body for the REST request for an event hub where the event hub name is provided. In this case, all exported data is sent to it.

-Use the following command to create a data export rule to a storage account by using an Azure Resource Manager template.

-Use the following command to create a data export rule to an event hub by using a Resource Manager template. A separate event hub is created for each table.

-Use the following command to create a data export rule to a specific event hub by using a Resource Manager template. All tables are exported to it.

-Linking a Log Analytics workspace to a dedicated cluster in Azure Monitor provides advanced capabilities and higher query utilization. Clusters require a minimum ingestion commitment of 100 GB per day. You can link and unlink workspaces from a dedicated cluster without any data loss or service interruption.

-Log Analytics Dedicated Clusters use a commitment tier pricing model of at least 100 GB/day. Any usage above the tier level incurs charges based on the per-GB rate of that commitment tier. See [Azure Monitor Logs pricing details](cost-logs.md#dedicated-clusters) for pricing details for dedicated clusters. The commitment tiers have a 31-day commitment period from the time a commitment tier is selected.

- "Capacity": 100

- "capacity": 100

- "minCapacity": 100

- "capacity": 100

- "minCapacity": 100

-When the data volume to linked workspaces changes over time, you can update the Commitment Tier level appropriately to optimize cost. The tier is specified in units of Gigabytes (GB) and can have values of 100, 200, 300, 400, 500, 1000, 2000 or 5000 GB per day. You don't have to provide the full REST request body, but you must include the sku.

-az monitor log-analytics cluster update --resource-group "resource-group-name" --name "cluster-name" --sku-capacity 100

-Update-AzOperationalInsightsCluster -ResourceGroupName "resource-group-name" -ClusterName "cluster-name" -SkuCapacity 100

- const { isAggregateLogsUploadError, DefaultAzureCredential } = require("@azure/identity");

- const { LogsIngestionClient } = require("@azure/monitor-ingestion");

- You can identify the vCenter Server and NSX-T Manager console's IP addresses and credentials in the Azure portal. Select your private cloud and then **Manage** > **Identity**.

-VMware HCX has two component

- :::image type="content" source="media/tutorial-vmware-hcx/add-hcx-workload-mobility.png" alt-text="Screenshot showing the Get started button for HCX Workload Mobility." lightbox="media/tutorial-vmware-hcx/add-hcx-workload-mobility.png":::

- :::image type="content" source="media/tutorial-vmware-hcx/configure-hcx-appliance-for-migration-using-hcx-tab.png" alt-text="Screenshot showing the Migration using HCX tab under Connectivity." lightbox="media/tutorial-vmware-hcx/configure-hcx-appliance-for-migration-using-hcx-tab.png":::

-## HCX license edition

- :::image type="content" source="media/tutorial-vmware-hcx/upgrade-to-hcx-enterprise-on-migration-using-hcx-tab.png" alt-text="Screenshot showing upgrade to HCX Enterprise using HCX tab under Add-ons." lightbox="media/tutorial-vmware-hcx/upgrade-to-hcx-enterprise-on-migration-using-hcx-tab.png":::

- :::image type="content" source="media/tutorial-vmware-hcx/update-to-hcx-enterprise-edition-on-migration-using-hcx-tab.png" alt-text="Screenshot showing confirmation to update to HCX Enterprise using HCX tab under Add-ons." lightbox="media/tutorial-vmware-hcx/update-to-hcx-enterprise-edition-on-migration-using-hcx-tab.png":::

- > If you upgraded HCX from advanced to Enterprise, enable the new features in the compute profile and perform resync in service mesh to select a new feature like, Replication Assisted vMotion (RAV).

- 2. Select services you want activated like, Replication Assisted vMotion (RAV) and OS assisted Migration, which is available with HCX Enterprise only.

- 3. Select **Continue**, review the settings, then select **Finish** to create the Compute Profile.

-## Download and deploy the VMware HCX Connector in on-premises

- const fetch = require('node-fetch');

-### Backup architecture for database with HANA System Replication (preview)

-**Replace existing** | You can restore a disk, and use it to replace a disk on the existing VM.<br/><br/> The current VM must exist. If it's been deleted, this option can't be used.<br/><br/> Azure Backup takes a snapshot of the existing VM before replacing the disk. The snapshot is copied to the vault and retained in accordance with the retention policy.　<br/><br/> When choosing a Vault-Standard recovery point, a VHD file with the content of the chosen recovery point is also created in the staging location you specify. Existing disks connected to the VM are replaced with the selected restore point. <br/><br/> After the replace disk operation, the original disk is retained in the resource group. You can choose to manually delete the original disks if they aren't needed. <br/><br/>Replace existing is supported for unencrypted managed VMs, including VMs [created using custom images](https://azure.microsoft.com/resources/videos/create-a-custom-virtual-machine-image-in-azure-resource-manager-with-powershell/). It's unsupported for classic VMs, unmanaged VMs, and [generalized VMs](../virtual-machines/windows/upload-generalized-managed.md).<br/><br/> If the restore point has more or less disks than the current VM, then the number of disks in the restore point will only reflect the VM configuration.<br><br> Replace existing is also supported for VMs with linked resources, like [user-assigned managed-identity](../active-directory/managed-identities-azure-resources/overview.md) or [Key Vault](../key-vault/general/overview.md).

-# Quickstart: Back up SAP HANA System Replication on Azure VMs using Azure CLI (preview)

-# Quickstart: Restore SAP HANA System Replication on Azure VMs using Azure CLI (preview)

-## Back up a HANA system with replication enabled (preview)

-Azure Backup now supports backup and restore of SAP HANA System Replication (HSR) instance (preview).

->- Original Location Recovery (OLR) is currently not supported for HSR.

-# Back up SAP HANA System Replication databases on Azure VMs (preview)

-You can also switch the protection of SAP HANA database on Azure VM (standalone) on Azure Backup to HSR. [Learn more](#switch-database-protection-from-standalone-to-hsr-on-azure-backup).

-## Switch database protection from standalone to HSR on Azure Backup

-Follow these steps:

-1. On standalone VM, Primary node, or Secondary node (once protected using Azure Backup), go to *vault* > **Backup Items** > **SAP HANA in Azure VM** > **View Details** > **Stop backup**, and then select **Retain backup data** > **Stop backup** to stop backup and retain data.

-2. (Mandatory) [Run the latest preregistration script](sap-hana-database-with-hana-system-replication-backup.md#run-the-preregistration-script) on both primary and condary VM nodes

- The preregistration script contains the HSR attributes.

-3. [Configure HSR manually](sap-hana-database-with-hana-system-replication-backup.md#configure-backup).

-You can also configure the backup with clustering tools, such as **Pacemaker**.

- Skip this step if HSR configuration is complete.

-4. Add the Primary and secondary nodes to Azure Backup, [rediscover the databases](sap-hana-database-with-hana-system-replication-backup.md#discover-the-databases), and [resume protection](sap-hana-database-manage.md#resume-protection-for-an-sap-hana-database-or-hana-instance).

- >For HSR deployments, Protected Instance cost is charged to HSR container. Two nodes (primary and secondary) will form a single HSR logical container and storage cost is charged as applicable.

-5. Before a planned failover, [ensure that both VMs/Nodes are registered to the vault (physical and logical registration)](sap-hana-database-manage.md#verify-the-registration-status-of-vms-or-nodes-to-the-vault).

-For more information, see [Cross Region Restore support for PostgreSQL using Azure Backup (preview)](backup-vault-overview.md#cross-region-restore-support-for-postgresql-using-azure-backup-preview).

-For more information, see [Back up a HANA system with replication enabled (preview)](sap-hana-database-about.md#back-up-a-hana-system-with-replication-enabled-preview).

-Use the `setLogLevel` method from the `@azure/logger` package to configure the log output:

-import { setLogLevel } from '@azure/logger';

-const callClient = new CallClient();

-import { AzureLogger } from '@azure/logger';

- console.log(...args); // to console, file, buffer, REST API..

-| Environments | Region | Up to 15 | Yes | Limit up to 15 environments per subscription, per region.<br><br>For example, if you deploy to three regions you can get up to 45 environments for a single subscription. |

-| Batchsize in bytes | Specify the size in bytes if you would like to batch the change data capture feeds |

-Increase `System.Net MaxConnections` per host when you use Gateway mode. Azure Cosmos DB requests are made over HTTPS/REST when you use Gateway mode. They're subject to the default connection limit per hostname or IP address. You might need to set `MaxConnections` to a higher value (from 100 through 1,000) so that the client library can use multiple simultaneous connections to Azure Cosmos DB. In .NET SDK 1.8.0 and later, the default value for `ServicePointManager.DefaultConnectionLimit` is 50. To change the value, you can set `Documents.Client.ConnectionPolicy.MaxConnectionLimit` to a higher value.

-* If all you know is the number of vCores and servers in your existing database cluster, read about [estimating request units using vCores or vCPUs](../convert-vcore-to-request-unit.md)

-* Configure the [CosmosClientOptions.IdleConnectionTimeout](/dotnet/api/microsoft.azure.cosmos.cosmosclientoptions.idletcpconnectiontimeout) property as greater than or equal to 10 minutes. The recommended values are from 20 minutes to 24 hours.

-Each `CosmosClient` instance is thread-safe and performs efficient connection management and address caching when it operates in Direct mode. To allow efficient connection management and better SDK client performance, we recommend that you use a single instance per `AppDomain` for the lifetime of the application.

-IIF(<bool_expr>, <true_expr>, <false_expr>)

-| **`false_expr`** | The expression to return if the boolean expression evaluated to `false`. |

- evalFalse: IIF(false, 123, 456)

- "evalFalse": 456

-For a list of data stores supported as sources and sinks by the copy activity, see [Supported data stores](copy-activity-overview.md#supported-data-stores-and-formats).

-## Pre- and post-deployment script

-When running a pre-deployment script, you will need to specify a variation of the following parameters in the **Script Arguments** field.

-When running a post-deployment script, you will need to specify a variation of the following parameters in the **Script Arguments** field.

-1. After you configure you trigger, click on **Next: Data preview**. This screen shows the existing blobs matched by your storage event trigger configuration. Make sure you've specific filters. Configuring filters that are too broad can match a large number of files created/deleted and may significantly impact your cost. Once your filter conditions have been verified, click **Finish**.

- > [!NOTE]

- > If you are creating your pipeline and trigger in [Azure Synapse Analytics](../synapse-analytics/overview-what-is.md), you must use `@trigger().outputs.body.fileName` and `@trigger().outputs.body.folderPath` as parameters. Those two properties capture blob information. Use those properties instead of using `@triggerBody().fileName` and `@triggerBody().folderPath`.

- "uri": "@{concat('https://synapse.azure.com/monitoring/pipelineruns/',pipeline().parameters.runId,'?factory=/subscriptions/',pipeline().parameters.subscription,'/resourceGroups/',pipeline().parameters.resourceGroup,'/providers/Microsoft.DataFactory/factories/',pipeline().DataFactory)}"

-* **Azure SQL Database Managed Instance**. You use the database as the **source** data store. If you don't have an Azure SQL Database Managed Instance, see the [Create an Azure SQL Database Managed Instance](/azure/azure-sql/managed-instance/instance-create-quickstart) article for steps to create one.

- @role_name = 'null',

-Azure Data Factory and Synapse Pipeline orchestration allows conditional logic and enables user to take different based upon outcomes of a previous activity. Using different paths allow users to build robust pipelines and incorporates error handling in ETL/ELT logic. In total, we allow four conditional paths,

-1. Next to the API you want to offboard from Defender for APIs, select the ellipsis (...) > **Remove**.

- $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/sqlVulnerabilityAssessments/defualt/initiateScan?api-version=2022-02-01-preview&systemDatabaseName=master"

- $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/databases/$DatabaseName/sqlVulnerabilityAssessments/defualt/initiateScan?api-version=2022-02-01-preview"

- $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/databases/$DatabaseName/sqlVulnerabilityAssessments/defualt/initiateScan?api-version=2022-02-01-preview"

- $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/sqlVulnerabilityAssessments/defualt/initiateScan?api-version=2022-02-01-preview&systemDatabaseName=$DatabaseName"

- $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/databases/$DatabaseName/sqlVulnerabilityAssessments/defualt/scans/latest?api-version=2022-02-01-preview"

- $Uri = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Sql/servers/$ServerName/sqlVulnerabilityAssessments/defualt/scans/latest?api-version=2022-02-01-preview&systemDatabaseName=$DatabaseName"

- LogError "An error occurred: $($_.Exception.Message) while hndling $($database.DatabaseName) database."

- LogError "An error occurred: $($_.Exception.Message) while hndling master database."

- Write-Progress -Activity "Proccessing" -Status "Progress:" -PercentComplete $completed

- Write-Progress -Activity "Proccessing" -Status "Progress:" -PercentComplete $completed

- Write-Progress -Activity "Proccessing" -Status "Progress:" -PercentComplete $completed

- Write-Progress -Activity "Proccessing" -Status "Progress:" -PercentComplete $completed

- LogMessage -LogMessage "The migration process completed successfuly."

- LogMessage -LogMessage "The migration process completed. The migration was seccessful for $($successMigration -join ',') and unseccessful for $($failedMigration -join ',')"

-Workloads commonly span multiple cloud platforms. Cloud security services must do the same. Microsoft Defender for Cloud helps protect workloads in Amazon Web Services (AWS), but you need to set up the connection between them to your Azure subscription.

-Workloads commonly span multiple cloud platforms. Cloud security services must do the same. Microsoft Defender for Cloud helps protect workloads in Google Cloud Platform (GCP), but you need to set up the connection between them to your Azure subscription.

-This article provides the properties and schema for communication services telephony and SMS events. For an introduction to event schemas, see [Azure Event Grid event schema](event-schema.md).

-# Azure Schema Registry in Azure Event Hubs

-With schema-driven serialization frameworks like Apache Avro, moving serialization metadata into shared schemas can also help with **reducing the per-message overhead**. That's because each message won't need to have the metadata (type information and field names) as it's the case with tagged formats such as JSON.

-| **Amsterdam2** | [Interxion AMS8](https://www.interxion.com/Locations/amsterdam/schiphol/) | 1 | West Europe | Supported | BICS<br/>British Telecom<br/>CenturyLink Cloud Connect<br/>Colt<br/>DE-CIX<br/>Equinix<br/>euNetworks<br/>GÉANT<br/>Interxion<br/>NL-IX<br/>NOS<br/>NTT Global DataCenters EMEA<br/>Orange<br/>Vodafone |

-| **[NOS](https://www.nos.pt/empresas/corporate/cloud/cloud/Pages/nos-cloud-connect.aspx)** | Supported | Supported | Amsterdam2<br/>Madrid |

-### Germany

-| Service provider | Microsoft Azure | Office 365 | Locations |

-| | | | |

-| **[Colt](https://www.colt.net/direct-connect/azure/)** |Supported |Not Supported |Frankfurt |

-| **[Equinix](https://www.equinix.com/partners/microsoft-azure/)** |Supported |Not Supported |Frankfurt |

-| **e-shelter** |Supported |Not Supported |Berlin |

-| **Interxion** |Supported |Not Supported |Frankfurt |

-| **[Megaport](https://www.megaport.com/services/microsoft-expressroute/)** |Supported | Not Supported | Berlin |

-| **[T-Systems](https://geschaeftskunden.telekom.de/vernetzung-digitalisierung/produkt/intraselect)** |Supported |Not Supported |Berlin |

-| **[Proximus](https://www.proximus.be/en/id_b_cl_proximus_external_cloud_connect/companies-and-public-sector/discover/magazines/expert-blog/proximus-external-cloud-connect.html)**| Equinix | Amsterdam<br/>Dublin<br/>London<br/>Paris |

-| **[MOQdigital](https://www.moqdigital.com/insights)** | Australia |

-In the case of a region down scenario, customers should see no downtime as Defender EASM uses technologies that replicate data to a backup region. Defender EASM processes customer data. By default, customer data is replicated to the paired region.

-1. The AKS cluster must be version _1.14_ or higher. Use the following script to validate your AKS

- * For the event hub, the **Azure Events Hubs Data Receiver** role is assigned in the [Access control section (IAM)](../../role-based-access-control/overview.md) of the device message event hub.

-If no Device resource for a given device identifier exists in the FHIR service, the outcome depends upon the value of [**Resolution type**](deploy-new-config.md#configure-the-destination-tab) set at the time of the MedTech service deployment. When set to **Lookup**, the specific message is ignored, and the pipeline continues to process other incoming device messages. If set to **Create**, the MedTech service creates minimal Device and Patient resources in the FHIR service.

- - [Sample](https://aka.ms/IoTDPSJavaSDKRBACSample)

-| US Gov Arizona | 52.244.67.164, 52.244.67.64, 52.244.66.82, 52.126.52.254, 52.126.53.145 |

-| US DoD Central | 52.182.48.215, 52.182.92.143 |

- # submit component job and get the run name

- job_out=$(az ml job create --file single-job-pipeline.yml -g $(resource-group) -w $(workspace) --query name)

- # Remove quotes around job name

- job_name=$(sed -e 's/^"//' -e 's/"$//' <<<"$job_out")

- echo $job_name

- # Set output variable for next task

- echo "##vso[task.setvariable variable=JOB_NAME;isOutput=true;]$job_name"

- # submit component job and get the run name

- job_out=$(az ml job create --file single-job-pipeline.yml -g $(resource-group) -w $(workspace) --query name)

- # Remove quotes around run name

- job_name=$(sed -e 's/^"//' -e 's/"$//' <<<"$job_out")

- echo $job_name

- # Set output variable for next task

- echo "##vso[task.setvariable variable=JOB_NAME;isOutput=true;]$job_name"

- # Get a bearer token to authenticate the request in the next job

- export aadToken=$(az account get-access-token --resource=https://management.azure.com --query accessToken -o tsv)

- echo "##vso[task.setvariable variable=AAD_TOKEN;isOutput=true;issecret=true]$aadToken"

-In this article, you learn how to start, stop, restart, delete) a compute instance. See [Create an Azure Machine Learning compute instance](how-to-create-compute-instance.md) to learn how to create a compute instance.

-> This article shows CLI v2 in the sections below. If you are still using CLI v1, see [Create an Azure Machine Learning compute cluster CLI v1)](v1/how-to-create-manage-compute-instance.md?view=azureml-api-1&preserve-view=true).

-1. Now use CLI to submit the job. If you are doing this on a compute instance in your workspace, you can use environment variables for the workspace name and resource group as show in the following code. If you are not on a compute instance, replace these values with your workspace name and resource group.

-1. Select **Unspecified type** for the **Model type**.

-1. Select the folder which contains the model.

-You'll see a confirmation that the model is registered.

- > - To build your custom environment, please use an image from public docker hub. We do not support custom environments built with images from ACR at this time.

-If you used a custom environment, you need to rebuild it using latest Prompt flow image first, and then update your runtime with the new custom environment.

-First, go to the Compute Instance terminal and run `docker ps` to find the root cause. You can follow the steps in the [Manually customize conda packages in CI runtime](how-to-customize-environment-runtime.md#manually-customize-conda-packages-in-ci-runtime) section.

-#### Compute instance behind vnet

-We have following approaches to customize environment for runtime:

-Meanwhile, you can also create custom application on compute instance and managed online endpoint then use them as runtime.

-## Manually customize conda packages in CI runtime

-1. Go to runtime list page find the compute instance linked with runtime.

- :::image type="content" source="./media/how-to-customize-environment-runtime/runtime-creation-ci-runtime-list-compute-link.png" alt-text="Screenshot of flows highlighting the linked compute column. " lightbox = "./media/how-to-customize-environment-runtime/runtime-creation-ci-runtime-list-compute-link.png":::

-1. Under `applications` in the detail page of the compute instance, select `terminal`.

- :::image type="content" source="./media/how-to-customize-environment-runtime/runtime-creation-ci-runtime-list-compute-terminal.png" alt-text="Screenshot of compute detail page with terminal highlighted. " lightbox = "./media/how-to-customize-environment-runtime/runtime-creation-ci-runtime-list-compute-terminal.png":::

-1. Jump to terminal on this compute instance

- :::image type="content" source="./media/how-to-customize-environment-runtime/runtime-creation-ci-runtime-list-compute-jump-to-terminal.png" alt-text="Screenshot of notebooks with the compute highlighted. " lightbox = "./media/how-to-customize-environment-runtime/runtime-creation-ci-runtime-list-compute-jump-to-terminal.png":::

-1. Retrieve the container name of the runtime using the command `docker ps`.

- :::image type="content" source="./media/how-to-customize-environment-runtime/runtime-creation-ci-runtime-list-compute-terminal-docker-ps.png" alt-text="Screenshot of notebooks highlighting the container name of the runtime. " lightbox = "./media/how-to-customize-environment-runtime/runtime-creation-ci-runtime-list-compute-terminal-docker-ps.png":::

-1. Jump into the container using the command `docker exec -it <container_id/container_name> /bin/bash`.

- :::image type="content" source="./media/how-to-customize-environment-runtime/runtime-creation-ci-runtime-list-compute-terminal-docker-exec.png" alt-text="Screenshot of notebooks showing the docker command. " lightbox = "./media/how-to-customize-environment-runtime/runtime-creation-ci-runtime-list-compute-terminal-docker-exec.png":::

-1. You can now install packages using `conda install` or `pip install` in this conda environment.

-> [!NOTE]

-> Any package installed in this way may be lost after a compute instance restart. If you want to keep these packages,follow the instructions in the section titled [Customize Environment with Docker Context for Runtime](#customize-environment-with-docker-context-for-runtime).

-> This docker image should be built from Prompt flow base image that is `mcr.microsoft.com/azureml/promptflow/promptflow-runtime:<newest_version>`. If possible use the [latest version of the base image](https://mcr.microsoft.com/v2/azureml/promptflow/promptflow-runtime/tags/list).

-#### Create a custom Azure Machine Learning environment for runtime in docker hub - compute instance runtime

-> [!NOTE]

-> Compute instance only support image in public docker hub or MCR, so you need push the image to docker hub or MCR, then use them to create custom environment.

-```shell

-docker login <the_acr_you_build_image_in_previous_step>

-docker pull <image_build_in_acr>

-docker login <your_public_docker_hub>

-docker tag <image_build_in_acr> <image_in_your_public_docker_hub>

-docker push <image_in_your_public_docker_hub>

-```

-Open the `environment.yaml` file and add the following content. Replace the `<environment_name>` placeholder with your desired environment name and change `<image_build_in_acr>` to the ACR image found in the previous step.

-```yaml

-$schema: https://azuremlschemas.azureedge.net/latest/environment.schema.json

-name: <environment_name>

-image: <image_in_your_public_docker_hub>

-inference_config:

- liveness_route:

- port: 8080

- path: /health

- readiness_route:

- port: 8080

- path: /health

- scoring_route:

- port: 8080

- path: /score

-```

-Using following CLI command to create the environment:

-```bash

-cd image_build # optional if you already in this folder

-az login(optional)

-az ml environment create -f environment.yaml --subscription <sub-id> -g <resource-group> -w <workspace>

-```

-#### Create a custom Azure Machine Learning environment for runtime in ACR - Managed online deployment runtime

-> - You can set one Key-Value pair as **secret** by **is secret** checked, which will be encrypted and stored in your key value.

-> - You can also set the whole connection as **workspace level key**, which will be shared to all members in the workspace. If not set as workspace level key, it can only be accessed by the creator.

-1. In the python tools, need to access LLM Key and other credentials, import custom connection library `from promptflow.connections import CustomConnection`.

-1. Add an input parameter of type `connection` to the tool function.

-description: Users are empowered by the Python Tool to offer customized code snippets as self-contained executable nodes in Prompt flow.

-Users are empowered by the Python Tool to offer customized code snippets as self-contained executable nodes in Prompt flow. Users can effortlessly create Python tools, edit code, and verify results with ease.

-```

-| Adult Census Income Binary Classification dataset | A subset of the 1994 Census database, using working adults over the age of 16 with an adjusted income index of > 100.<br/>**Usage**: Classify people using demographics to predict whether a person earns over 50K a year.<br/> **Related Research**: Kohavi, R., Becker, B., (1996). [UCI Machine Learning Repository](https://archive.ics.uci.edu/ml). Irvine, CA: University of California, School of Information and Computer Science|

-|Automobile price data (Raw)|Information about automobiles by make and model, including the price, features such as the number of cylinders and MPG, as well as an insurance risk score.<br/> The risk score is initially associated with auto price. It is then adjusted for actual risk in a process known to actuaries as symboling. A value of +3 indicates that the auto is risky, and a value of -3 that it is probably safe.<br/>**Usage**: Predict the risk score by features, using regression or multivariate classification.<br/>**Related Research**: Schlimmer, J.C. (1987). [UCI Machine Learning Repository](https://archive.ics.uci.edu/ml). Irvine, CA: University of California, School of Information and Computer Science. |

-|German Credit Card UCI dataset|The UCI Statlog (German Credit Card) dataset ([Statlog+German+Credit+Data](https://archive.ics.uci.edu/ml/datasets/Statlog+(German+Credit+Data))), using the german.data file.<br/>The dataset classifies people, described by a set of attributes, as low or high credit risks. Each example represents a person. There are 20 features, both numerical and categorical, and a binary label (the credit risk value). High credit risk entries have label = 2, low credit risk entries have label = 1. The cost of misclassifying a low risk example as high is 1, whereas the cost of misclassifying a high risk example as low is 5.|

-|Restaurant Feature Data| A set of metadata about restaurants and their features, such as food type, dining style, and location. <br/>**Usage**: Use this dataset, in combination with the other two restaurant datasets, to train and test a recommender system.<br/> **Related Research**: Bache, K. and Lichman, M. (2013). [UCI Machine Learning Repository](https://archive.ics.uci.edu/ml). Irvine, CA: University of California, School of Information and Computer Science.|

-|Restaurant Ratings| Contains ratings given by users to restaurants on a scale from 0 to 2.<br/>**Usage**: Use this dataset, in combination with the other two restaurant datasets, to train and test a recommender system. <br/>**Related Research**: Bache, K. and Lichman, M. (2013). [UCI Machine Learning Repository](https://archive.ics.uci.edu/ml). Irvine, CA: University of California, School of Information and Computer Science.|

-|Restaurant Customer Data| A set of metadata about customers, including demographics and preferences. <br/>**Usage**: Use this dataset, in combination with the other two restaurant datasets, to train and test a recommender system. <br/> **Related Research**: Bache, K. and Lichman, M. (2013). [UCI Machine Learning Repository](https://archive.ics.uci.edu/ml) Irvine, CA: University of California, School of Information and Computer Science.|

-| India West | 104.211.160.80 | | |

-1. Verify permissions for your Azure account - Your Azure account needs permissions to create a VM, and write to an Azure managed disk.

-1. Click **Create resources**. This creates an Azure Site Recovery vault in the background.

- - Select **Register** to register this server in Azure Site Recovery vault.

-| MySQL Version 8.0 | [8.0.15](https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-15.html) | [8.0.31](https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-31.html) |

-| India West | 104.211.160.80 | | |

-NAT gateway supports the use of IPv4 public IP addresses for outbound connectivity whereas load balancer supports both IPv4 and IPv6 public IP addresses. When NAT gateway with an IPv4 public IP is present with a load balancer using an IPv4 public IP address, NAT gateway takes precedence over load balancer for providing outbound connectivity. When a NAT gateway is deployed in a dual-stack network with a IPv6 load balancer, IPv4 outbound traffic is handled by the NAT gateway, and IPv6 outbound traffic is handled by the load balancer.

-# [**CLI**](#tab/dual-stack-outbound--cli)

-## Create virtual network

-In this section, create a virtual network for the virtual machine and load balancer.

-1. Sign-in to the [Azure portal](https://portal.azure.com).

-1. In the search box at the top of the portal, enter **Virtual network**. Select **Virtual networks** in the search results.

-1. Select **+ Create**.

-1. In the **Basics** tab of **Create virtual network**, enter or select the following information.

- | Setting | Value |

- | - | -- |

- | **Project details** | |

- | Subscription | Select your subscription. |

- | Resource group | Select **Create new**. </br> Enter **TutorialIPv6NATLB-rg**. </br> Select **OK**. |

- | **Instance details** | |

- | Name | Enter **myVNet**. |

- | Region | Select **West US 2**. |

-1. Select the **IP Addresses** tab, or **Next: IP Addresses**.

-1. Leave the default IPv4 address space of **10.1.0.0/16**. If the default is absent or different, enter an IPv4 address space of **10.1.0.0/16**.

-1. Select **default** under **Subnet name**. If default is missing, select **+ Add subnet**.

-1. In **Subnet name**, enter **myBackendSubnet**.

-1. Leave the default IPv4 subnet of **10.1.0.0/24**.

-1. Select **Save**. If creating a subnet, select **Add**.

-1. Select the **Security** tab or select **Next: Security**.

-1. In **BastionHost**, select **Enable**.

-1. Enter or select the following information:

- | Setting | Value |

- | - | -- |

- | Bastion name | **myBastion** |

- | AzureBastionSubnet address space | Enter **10.1.1.0/26**. |

- | Public IP address | Select **Create new**. </br> Enter **myPublicIP-Bastion** in **Name**. </br> Select **OK**. |

-1. Select the **Review + create**.

-1. Select **Create**.

-# [**CLI**](#tab/dual-stack-outbound--cli)

-1. In the search box at the top of the portal, enter **NAT gateway**. Select **NAT gateways** in the search results.

-1. Select **+ Create**.

-1. In the **Basics** tab of **Create network address translation (NAT) gateway**, enter or select the following information:

- | Setting | Value |

- | - | -- |

- | **Project details** | |

- | Subscription | Select your subscription. |

- | Resource group | Select **TutorialIPv6NATLB-rg**. |

- | **Instance details** | |

- | NAT gateway name | Enter **myNATgateway**. |

- | Region | Select **West US 2**. |

- | Availability zone | Select a zone or **No Zone**. |

- | TCP idle timeout (minutes) | Leave the default of **4**. |

-1. Select **Next: Outbound IP**.

-1. In **Public IP addresses**, select **Create a new public IP address**.

-1. Enter **myPublicIP-NAT** in **Name**. Select **OK**.

-1. Select **Next: Subnet**.

-1. In **Virtual network**, select **myVNet**.

-1. In the list of subnets, select the box for **myBackendSubnet**.

-1. Select **Review + create**.

-1. Select **Create**.

-# [**CLI**](#tab/dual-stack-outbound--cli)

-1. Select **myVNet**.

-1. Select **myBackendSubnet** in the list of subnets.

-# [**CLI**](#tab/dual-stack-outbound--cli)

-1. In the search box at the top of the portal, enter **Virtual machine**. Select **Virtual machines** in the search results.

-1. Select **+ Create** then **Azure virtual machine**.

-1. In the **Basics** tab of **Create a virtual machine**, enter or select the following information:

- | Setting | Value |

- | - | -- |

- | **Project details** | |

- | Subscription | Select your subscription. |

- | Resource group | Select **TutorialIPv6NATLB-rg**. |

- | **Instance details** | |

- | Virtual machine name | Enter **myVM**. |

- | Region | Select **(US) West US 2**. |

- | Availability options | Leave the default of **No infrastructure redundancy required**. |

- | Security type | Leave the default of **Standard**. |

- | Image | Select **Windows Server 2022 Datacenter - x64 Gen2**. |

- | Size | Select a size. |

- | **Administrator account** | |

- | Username | Enter a username. |

- | Password | Enter a password. |

- | Confirm password | Confirm password. |

- | **Inbound port rules** | |

- | Public inbound ports | Select **None**. |

-1. Select the **Networking** tab, or **Next: Disks** then **Next: Networking**.

-1. In the **Networking tab**, enter or select the following information:

- | Setting | Value |

- | - | -- |

- | **Network interface** | |

- | Virtual network | Select **myVNet**. |

- | Subnet | Select **myBackendSubnet (10.1.0.0/24,2404:f800:8000:122::/64)**. |

- | Public IP | Select **None**. |

- | NIC network security group | Select **Basic**. |

- | Public inbound ports | Select **None**. |

-1. Select **Review + create**.

-1. Select **Create**.

-1. Select **myVM**.

-1. Select the name of the network interface in the **Network Interface:** field. The name of the network interface is the virtual machine name plus a random number. In this example, it's **myVM202**.

- | Name | Enter **ipv6config**. |

-1. Leave the rest of the settings at the defaults and select **OK**.

-# [**CLI**](#tab/dual-stack-outbound--cli)

- | Resource group | Select **TutorialIPv6NATLB-rg**. |

- | Name | Enter **myLoadBalancer**. |

- | Region | Select **West US 2**. |

- | Name | Enter **myFrontend-IPv6**. |

- | Public IP address | Select **Create new**. </br> In **Name** enter **myPublicIP-IPv6**. </br> Select **OK**. |

- | Name | Enter **myBackendPool**. |

- | Virtual network | Select **myVNet (TutorialIPv6NATLB-rg)**. |

- | Name | Enter **myOutboundRule**. |

- | Frontend IP address | Select **myFrontend-IPv6**. |

- | Backend pool | Select **myBackendPool**. |

-1. Select **myLoadBalancer**.

-1. Select **myBackendPool**.

-1. In **Virtual network** select **myVNet (TutorialIPv6NATLB-rg)**.

-1. Select the checkbox for **myVM** that corresponds with the **IP configuration** of **ipv6config**. Don't select **ipconfig1**.

-# [**CLI**](#tab/dual-stack-outbound--cli)

-1. Select **myPublicIP-NAT**.

-1. Select **myPublicIP-IPv6**.

-# [**CLI**](#tab/dual-stack-outbound--cli)

-1. Select **myVM**.

-1. In the **Overview** of **myVM**, select **Connect** then **Bastion**.

-1. On the desktop of **myVM**, open **Microsoft Edge**.

-1. To confirm the IPv4 address, enter `http://v4.testmyipv6.com` in the address bar.

-1. You should see the IPv4 address displayed. In this example, the IP of **20.230.191.5** is displayed.

- :::image type="content" source="./media/tutorial-dual-stack-outbound-nat-load-balancer/portal-verify-ipv4.png" alt-text="Screenshot of outbound IPv4 public IP address from portal steps.":::

-1. In the address bar, enter `http://v6.testmyipv6.com`

-1. You should see the IPv6 address displayed. In this example, the IP of **2603:1030:c02:8::14** is displayed.

- :::image type="content" source="./media/tutorial-dual-stack-outbound-nat-load-balancer/portal-verify-ipv6.png" alt-text="Screenshot of outbound IPv6 public IP address from portal steps.":::

-1. Close the bastion connection to **myVM**.

-# [**CLI**](#tab/dual-stack-outbound--cli)

-1. In the search box at the top of the portal, enter **TutorialIPv6NATLB-rg**. Select **TutorialIPv6NATLB-rg** in the search results in **Resource groups**.

-1. Select **Delete resource group**.

-1. Enter **TutorialIPv6NATLB-rg** for **TYPE THE RESOURCE GROUP NAME** and select **Delete**.

-# [**CLI**](#tab/dual-stack-outbound--cli)

-FWPRIVATE_IP=$(az network firewall show -g $RESOURCEGROUP -n aro-private --query "ipConfigurations[0].privateIpAddress" -o tsv)

-|Partner |Description |

-||-|

-|[Datadog - An Azure Native ISV Service](datadog/overview.md) | Monitoring and analytics platform for large scale applications. |

-|[Elastic](elastic/overview.md) | Build modern search experiences and maximize visibility into health, performance, and security of your infrastructure, applications, and data. |

-|[Logz.io](logzio/overview.md) | Observability platform that centralizes log, metric, and tracing analytics. |

-|[Azure Native Dynatrace Service](dynatrace/dynatrace-overview.md) | Provides deep cloud observability, advanced AIOps, and continuous runtime application security. |

-|[Azure Native New Relic Service Preview](new-relic/new-relic-overview.md) | A cloud-based end-to-end observability platform for analyzing and troubleshooting the performance of applications, infrastructure, logs, real-user monitoring, and more. |

-|Partner |Description |

-||-|

-|[Apache Kafka for Confluent Cloud](apache-kafka-confluent-cloud/overview.md) | Fully managed event streaming platform powered by Apache Kafka. |

-|[Azure Native Qumulo Scalable File Service](qumulo/qumulo-overview.md) | Multi-petabyte scale, single namespace, multi-protocol file data platform with the performance, security, and simplicity to meet the most demanding enterprise workloads. |

-|Partner |Description |

-||-|

-|[NGINXaaS - Azure Native ISV Service](nginx/nginx-overview.md) | Use NGINXaaS as a reverse proxy within your Azure environment. |

-|[Cloud NGFW by Palo Alto Networks Preview](palo-alto/palo-alto-overview.md) | Use Palo Alto Networks as a firewall in the Azure environment. |

-## PostgreSQL version 15 (Preview)

-PostgreSQL version 15 is now available in public preview in limited regions (West Europe, East US, West US2, South East Asia, UK South, North Europe, Japan east).The current minor release is **15.2**.Refer to the [PostgreSQL documentation](https://www.postgresql.org/docs/release/15.2/) to learn more about improvements and fixes in this release. New servers will be created with this minor version.

-You can also use [Azure Resource Manager templates](../../azure-monitor/alerts/alerts-create-new-alert-rule.md#create-a-new-alert-rule-using-an-arm-template) to deploy multi-resource metric alerts. Learn more in our documentation, [Understand how metric alerts work in Azure Monitor](../../azure-monitor/alerts/alerts-types.md).

-This page provides latest news and updates regarding feature additions, engine versions support, extensions, and any other announcements relevant for Flexible Server - PostgreSQL

-* Postgres 15 is now available in public preview for Azure Database for PostgreSQL ΓÇô Flexible Server in limited regions (West Europe, East US, West US2, South East Asia, UK South, North Europe, Japan east).

- Customers need to go to the server parameters of the flexible server and allowlist all the extensions they intend to use. At least the ones mentioned in the error message should be allowed to be listed.

-When installing or migrating existing SAP on Oracle systems to Azure, the following deployment pattern should be followed:

-4. Azure Premium Storage SSD should be used. Do not use Standard or other storage types.

-6. Use ASMLib and do not use udev

-10. The size of the boot disk for large high performance Oracle database servers is important. As a minimum a P10 disk should be used for M-series or E-series. Do not use small disks such as P4 or P6. A small disk can cause performance issues.

-General information about running SAP Business Suite on Oracle can be found in the [<u>SAP on Oracle community page</u>](https://www.sap.com/community/topic/oracle.html). SAP on Oracle on Azure is only supported on Oracle Linux (and not Suse or Red Hat). Oracle RAC is not supported on Azure because RAC would require Multicast networking.

-7. ASM Sector Size and Logical Sector Size = default (UDEV is not recommended but requires 4k)

-| |Control file (first copy) | To increase DB size add extra P30 disks |

-recovery of all databases cannot be accomplished in a timely fashion.

-Usually customers will use RMAN, Azure Backup for Oracle and/or disk snap techniques in combination.

-Customer has a huge database where backup and/or restore + recovery of a single databases cannot be accomplished in a timely fashion.

-Usually customers will use RMAN, Azure Backup for Oracle and/or disk snap techniques in combination. In this variant, each relevant database file type is separated to different Oracle ASM disk groups.

-Oracle ASM Disk Groups can either be extended by adding extra disks or by extending current disks. It is recommended to add extra disks rather than extending existing disks. Review these MOS articles and links MOS Notes 1684112.1 and 2176737.1

-ASM will add a disk to the disk group:

-ASM will automatically rebalance the data.

-Run an Oracle AWR report as the first step when troubleshooting a performance problem. Disk performance metrics will be detailed in the AWR report.

-OS level monitoring tools cannot monitor ASM disks as there is no recognizable file system. Freespace monitoring must be done from within Oracle.

-The combination of Azure VMΓÇÖs and ANF is a robust and proven combination implemented by many customers on an exceptionally large scale.

-The mount option ΓÇ£nconnectΓÇ¥ is NOT recommended when the dNFS client is configured. dNFS manages the IO channel and makes use of multiple sessions, so this option is obsolete and can cause manifold issues. The dNFS client will ignore the mount options and will handle the IO directly.

-We highly recommend using the Oracle dNFS clint for all Oracle volumes.

-| NFS Vers | Mount Options |

-ASM is the default recommendation from Oracle for all SAP systems of any size on Azure. Performance, Reliability and Support will be better for customers using ASM. Oracle provide documentation and training for DBAs to transition to ASM and every customer who has migrated to ASM has been pleased with the benefits. In cases where the Oracle DBA team do not follow the recommendation from Oracle, Microsoft and SAP to use ASM the following LVM configuration should be used.

-2. During R3load migrations the Host Cache option for SAPDATA should be set to None

-2. During R3load migrations the Host Cache option for SAPDATA should be set to None

-As general guidance Linux Huge Pages should be configured to approximately 75% of the VM RAM size.  The SGA size can be set to 90% of the Huge Page size.  A approximate example would be a m192ms VM with 4 TB of RAM would have Huge Pages set proximately 3 TB.  The SGA can be set to a value a little less such as 2.95 TB.

-3. Install the Oracle Home on a dedicated independent disk (do not install Oracle Home on the C: Drive)

-At the time, of writing ASM for Windows customers on Azure is not supported. SWPM for Windows does not support ASM currently. VLDB SAP on Oracle migrations to Azure have required ASM and have therefore selected Oracle Linux.

-2. During R3load migrations the Host Cache option for SAPDATA should be set to None

-2. During R3load migrations the Host Cache option for SAPDATA should be set to None

-| Global transport Directory | Not supported | Not supported | Recommended | Recommended | Recommended | Recommended | Recommended |

-| /sapmnt | Not suitable | Restricted suitable (non-prod) | Recommended | Recommended | Recommended | Recommended | Recommended |

-| Zonal redundancy | Not for managed disks | Not for managed disks | Not supported for DBMS | No | No | No | Yes |

-> [!div class="nextstepaction"]

-> [Analyze performance](search-performance-analysis.md)

-> [Tips for better performance](search-performance-tips.md)

-|  | [**Neal Analytics**](https://nealanalytics.com/) offers over 10 years of cloud, data, and AI expertise on Azure. Its experts have recognized in-depth expertise across the Azure AI and ML services. Neal can help customers customize and implement Cognitive Search across a wide variety of use cases. Neal Analytics expertise ranges from enterprise-level search, form, and process automation to domain mapping for data extraction and analytics, plagiarism detection, and more. | [Product page](https://go.nealanalytics.com/cognitive-search)|

-1. Use the search bar to find "Azure Cognitive Search" or navigate to the resource through **Web** > **Azure Cognitive Search**.

-Across Azure, [reliability](../reliability/overview.md) means maintaining resiliency and availability if there's a service outage or degradation. In Cognitive Search, reliability is achieved when you:

-+ Deploy a single search service with multiple replicas to scale indexing and query workloads. Within a region, replicas run within availability zones for extra reliability.

-+ Deploy multiple search services across different geographic regions.

-All search workloads are fully contained within a single service that runs in a single geographic region. On a service, you can configure multiple replicas that automatically run in different availability zones. This capability is how you achieve high availability.

-For business continuity and recovery from disasters at a regional level, you should develop a strategy that includes a cross-regional topology, consisting of multiple search services having identical configuration and content. Your custom script or code provides the "fail over" mechanism to an alternate search service if one suddenly becomes unavailable.

-[Availability zones](../availability-zones/az-overview.md) are an Azure platform capability that divides a region's data centers into distinct physical location groups to provide high-availability, within the same region. If you use availability zones for Cognitive Search, individual replicas are the units for zone assignment. A search service runs within one region; its replicas run in different zones.

-You can utilize availability zones with Azure Cognitive Search by adding two or more replicas to your search service. Each replica is placed in a different availability zone within the region. If you have more replicas than availability zones, the replicas are distributed across availability zones as evenly as possible. There's no specific action on your part, except to [create a search service](search-create-service-portal.md) in a region that provides availability zones, and then to configure the service to [use multiple replicas](search-capacity-planning.md#adjust-capacity).

-As noted, you must have multiple replicas for high availability: two for read-only query workloads, three for read-write workloads that include indexing.

-Your service must be deployed in a region that supports availability zones. Azure Cognitive Search currently supports availability zones for Standard tier or higher, in one of the following regions:

-Availability zones don't impact the [Azure Cognitive Search Service Level Agreement](https://azure.microsoft.com/support/legal/sla/search/v1_0/). You still need three or more replicas for query high availability.

-Service redundancy is necessary if operational requirements include:

-+ [Business continuity and disaster recovery (BCDR)](../availability-zones/cross-region-replication-azure.md) (Cognitive Search doesn't provide instant failover in the event of an outage).

-+ Global availability. If query and indexing requests come from all over the world, users who are closest to the host data center will have faster performance. Creating more services in regions with close proximity to these users can equalize performance for all users.

-If you need two or more search services, creating them in different regions can meet application requirements for continuity and recovery, as well as faster response times for a global user base.

-There are two options for keeping two or more distributed search services in sync:

-If you're already using indexer on one service, you can configure a second indexer on a second service to use the same data source object, pulling data from the same location. Each service in each region has its own indexer and a target index (your search index isn't shared, which means data is duplicated), but each indexer references the same data source.

-### Use Azure Traffic Manager and Azure Application Gateway to coordinate requests

-[Azure Traffic Manager](../traffic-manager/traffic-manager-overview.md) allows you to route requests to multiple geo-located websites that are then backed by multiple search services. Azure Traffic Manager is primarily used for routing network traffic across different endpoints based on specific routing methods (such as priority, performance, or geographic location). It acts at the DNS level to direct incoming requests to the appropriate endpoint. It doesn't have inherent knowledge of the health or availability of specific services like Azure Cognitive Search.

-To add health checks and failover capabilities for Azure Cognitive Search, you would typically use Azure Application Gateway or a load balancer in combination with Azure Traffic Manager. [Azure Application Gateway](/azure/application-gateway/overview) supports health probes, which can be configured to check the availability of specific backend services and perform load balancing accordingly.

-The architecture for this solution would consist of search-enabled client apps that connect to Application Gateway through Azure Traffic Manager, where each gateway endpoint connects to a backend search service in a specific region.

-## Data residency

-When you deploy multiple search services in various geographic regions, your content is stored in your chosen region.

-Azure Cognitive Search won't store data outside of your specified region without your authorization. Specifically, the following features write to an Azure Storage resource: [enrichment cache](cognitive-search-incremental-indexing-conceptual.md), [debug session](cognitive-search-debug-session.md), [knowledge store](knowledge-store-concept-intro.md). The storage account is one that you provide, and it could be in any region.

-If both the storage account and the search service are in the same region, network traffic between search and storage uses a private IP address and occurs over the Microsoft backbone network. Because private IP addresses are used, you can't configure IP firewalls or a private endpoint for network security. Instead, use the [trusted service exception](search-indexer-howto-access-trusted-service-exception.md) as an alternative when both services are in the same region.

-## Disaster recovery and service outages

-Customers who use [indexers](search-indexer-overview.md) to populate and refresh indexes can handle disaster recovery through geo-specific indexers that retrieve data from the same data source. Two services in different regions, each running an indexer, could index the same data source to achieve geo-redundancy. If you're indexing from data sources that are also geo-redundant, be aware that Azure Cognitive Search indexers can only perform incremental indexing (merging updates from new, modified, or deleted documents) from primary replicas. In a failover event, be sure to redirect the indexer to the new primary replica.

-Because Azure Cognitive Search isn't a primary data storage solution, Microsoft doesn't provide a formal mechanism for self-service backup and restore. However, you can use the **index-backup-restore** sample code in this [Azure Cognitive Search .NET sample repo](https://github.com/Azure-Samples/azure-search-dotnet-samples) to back up your index definition and snapshot to a series of JSON files, and then use these files to restore the index, if needed. This tool can also move indexes between service tiers.

-+ Review [Case Study: Use Cognitive Search to Support Complex AI Scenarios](https://techcommunity.microsoft.com/t5/azure-ai/case-study-effectively-using-cognitive-search-to-support-complex/ba-p/2804078) for real-world tips.

-[3]: ./media/search-reliability/geo-search-traffic-mgr.png

-## Query syntax for cross-field vector query

-You can set "vector.fields" property to multiple vector fields. For example, the Postman collection has vector fields named titleVector and contentVector. Your query can include both titleVector and contentVector.

-## Query syntax for multi-modal vector queries

-You can issue a search request with multiple query vectors using the `vectors` query parameter. The queries execute concurrently over the same embedding space in the search index, looking for similarities in each of the vector fields. The result set is a union of the documents that matched all vector queries. A common example of this query request is when using models such as [CLIP](https://openai.com/research/clip) for a multi-modal vector search.

-You must use REST for this scenario. Currently, there isn't support for multiple vector fields in the alpha SDKs.

-+ `vectors.fields` contains the image vectors and text vectors in the search index.

- "value": [1.0, 2.0],

- "value": [1.0, 2.0, 3.0],

-For example, to calculate the **raw_size**, let's assume you're using a popular Azure OpenAI model, `text-embedding-ada-002` with 1,536 dimensions. This means one document would consume 1,536 `Edm.Single` (floats), or 6,144 bytes since each `Edm.Single` is 4 bytes. 1,000 documents with a single, 1,536-dimensional vector field would consume in total 100 docs x 1536 floats/doc = 1,536,000 floats, or 6,144,000 bytes.

-+ **Vector database**. Use Cognitive Search as a vector store to server as long-term memory or an external knowledge base for Large Language Models (LLMs), or other applications.

-*Embedding space* is the corpus for vector search. Machine learning models create the embedding space by mapping individual words, phrases, or documents (for natural language processing), images, or other forms of data into a representation comprised of a vector of real numbers representing a coordinate in a high-dimensional space. In this embedding space, similar items are located close together, and dissimilar items are located farther apart.

-description: This article provides a list of Azure Service Bus messaging exceptions and suggested actions to taken when the exception occurs.

-# Service Bus messaging exceptions

-This article lists the .NET exceptions generated by .NET Framework APIs.

-## Exception categories

-The messaging APIs generate exceptions that can fall into the following categories, along with the associated action you can take to try to fix them. The meaning and causes of an exception can vary depending on the type of messaging entity:

-1. User coding error ([System.ArgumentException](/dotnet/api/system.argumentexception), [System.InvalidOperationException](/dotnet/api/system.invalidoperationexception), [System.OperationCanceledException](/dotnet/api/system.operationcanceledexception), [System.Runtime.Serialization.SerializationException](/dotnet/api/system.runtime.serialization.serializationexception)). General action: try to fix the code before proceeding.

-2. Setup/configuration error ([Microsoft.ServiceBus.Messaging.MessagingEntityNotFoundException](/dotnet/api/microsoft.azure.servicebus.messagingentitynotfoundexception), [System.UnauthorizedAccessException](/dotnet/api/system.unauthorizedaccessexception). General action: review your configuration and change if necessary.

-3. Transient exceptions ([Microsoft.ServiceBus.Messaging.MessagingException](/dotnet/api/microsoft.servicebus.messaging.messagingexception), [Microsoft.ServiceBus.Messaging.ServerBusyException](/dotnet/api/microsoft.azure.servicebus.serverbusyexception), [Microsoft.ServiceBus.Messaging.MessagingCommunicationException](/dotnet/api/microsoft.servicebus.messaging.messagingcommunicationexception)). General action: retry the operation or notify users. The `RetryPolicy` class in the client SDK can be configured to handle retries automatically. For more information, see [Retry guidance](/azure/architecture/best-practices/retry-service-specific#service-bus).

-4. Other exceptions ([System.Transactions.TransactionException](/dotnet/api/system.transactions.transactionexception), [System.TimeoutException](/dotnet/api/system.timeoutexception), [Microsoft.ServiceBus.Messaging.MessageLockLostException](/dotnet/api/microsoft.azure.servicebus.messagelocklostexception), [Microsoft.ServiceBus.Messaging.SessionLockLostException](/dotnet/api/microsoft.azure.servicebus.sessionlocklostexception)). General action: specific to the exception type; refer to the table in the following section:

-> [!IMPORTANT]

-> - Azure Service Bus doesn't retry an operation in case of an exception when the operation is in a transaction scope.

-> - For retry guidance specific to Azure Service Bus, see [Retry guidance for Service Bus](/azure/architecture/best-practices/retry-service-specific#service-bus).

-## Exception types

-The following table lists messaging exception types, and their causes, and notes suggested action you can take.

-| **Exception Type** | **Description/Cause/Examples** | **Suggested Action** | **Note on automatic/immediate retry** |

-| | | | |

-| [TimeoutException](/dotnet/api/system.timeoutexception) |The server didn't respond to the requested operation within the specified time, which is controlled by [OperationTimeout](/dotnet/api/microsoft.servicebus.messaging.messagingfactorysettings). The server may have completed the requested operation. It can happen because of network or other infrastructure delays. |Check the system state for consistency and retry if necessary. See [Timeout exceptions](#timeoutexception). |Retry might help in some cases; add retry logic to code. |

-| [InvalidOperationException](/dotnet/api/system.invalidoperationexception) |The requested user operation isn't allowed within the server or service. See the exception message for details. For example, [Complete()](/dotnet/api/microsoft.azure.servicebus.queueclient.completeasync) generates this exception if the message was received in [ReceiveAndDelete](/dotnet/api/microsoft.azure.servicebus.receivemode) mode. |Check the code and the documentation. Make sure the requested operation is valid. |Retry doesn't help. |

-| [OperationCanceledException](/dotnet/api/system.operationcanceledexception) |An attempt is made to invoke an operation on an object that has already been closed, aborted, or disposed. In rare cases, the ambient transaction is already disposed. |Check the code and make sure it doesn't invoke operations on a disposed object. |Retry doesn't help. |

-| [UnauthorizedAccessException](/dotnet/api/system.unauthorizedaccessexception) |The [TokenProvider](/dotnet/api/microsoft.servicebus.tokenprovider) object couldn't acquire a token, the token is invalid, or the token doesn't contain the claims required to do the operation. |Make sure the token provider is created with the correct values. Check the configuration of the Access Control Service. |Retry might help in some cases; add retry logic to code. |

-| [ArgumentException](/dotnet/api/system.argumentexception)<br /> [ArgumentNullException](/dotnet/api/system.argumentnullexception)<br />[ArgumentOutOfRangeException](/dotnet/api/system.argumentoutofrangeexception) |One or more arguments supplied to the method are invalid.<br /> The URI supplied to [NamespaceManager](/dotnet/api/microsoft.servicebus.namespacemanager) or [Create](/dotnet/api/microsoft.servicebus.messaging.messagingfactory) contains path segment(s).<br /> The URI scheme supplied to [NamespaceManager](/dotnet/api/microsoft.servicebus.namespacemanager) or [Create](/dotnet/api/microsoft.servicebus.messaging.messagingfactory) is invalid. <br />The property value is larger than 32 KB. |Check the calling code and make sure the arguments are correct. |Retry doesn't help. |

-| [MessagingEntityNotFoundException](/dotnet/api/microsoft.azure.servicebus.messagingentitynotfoundexception) |Entity associated with the operation doesn't exist or it has been deleted. |Make sure the entity exists. |Retry doesn't help. |

-| [MessageNotFoundException](/dotnet/api/microsoft.servicebus.messaging.messagenotfoundexception) |Attempt to receive a message with a particular sequence number. This message isn't found. |Make sure the message hasn't been received already. Check the deadletter queue to see if the message has been deadlettered. |Retry doesn't help. |

-| [MessagingCommunicationException](/dotnet/api/microsoft.servicebus.messaging.messagingcommunicationexception) |Client isn't able to establish a connection to Service Bus. |Make sure the supplied host name is correct and the host is reachable. <p>If your code runs in an environment with a firewall/proxy, ensure that the traffic to the Service Bus domain/IP address and ports isn't blocked.</p>|Retry might help if there are intermittent connectivity issues. |

-| [ServerBusyException](/dotnet/api/microsoft.azure.servicebus.serverbusyexception) |Service isn't able to process the request at this time. |Client can wait for a period of time, then retry the operation. |Client may retry after certain interval. If a retry results in a different exception, check retry behavior of that exception. |

-| [MessagingException](/dotnet/api/microsoft.servicebus.messaging.messagingexception) |Generic messaging exception that may be thrown in the following cases:<p>An attempt is made to create a [QueueClient](/dotnet/api/microsoft.azure.servicebus.queueclient) using a name or path that belongs to a different entity type (for example, a topic).</p><p>An attempt is made to send a message larger than 256 KB. </p>The server or service encountered an error during processing of the request. See the exception message for details. It's usually a transient exception.</p><p>The request was terminated because the entity is being throttled. Error code: 50001, 50002, 50008. </p> | Check the code and ensure that only serializable objects are used for the message body (or use a custom serializer). <p>Check the documentation for the supported value types of the properties and only use supported types.</p><p> Check the [IsTransient](/dotnet/api/microsoft.servicebus.messaging.messagingexception) property. If it's **true**, you can retry the operation. </p>| If the exception is due to throttling, wait for a few seconds and retry the operation again. Retry behavior is undefined and might not help in other scenarios.|

-| [MessagingEntityAlreadyExistsException](/dotnet/api/microsoft.servicebus.messaging.messagingentityalreadyexistsexception) |Attempt to create an entity with a name that is already used by another entity in that service namespace. |Delete the existing entity or choose a different name for the entity to be created. |Retry doesn't help. |

-| [QuotaExceededException](/dotnet/api/microsoft.azure.servicebus.quotaexceededexception) |The messaging entity has reached its maximum allowable size, or the maximum number of connections to a namespace has been exceeded. |Create space in the entity by receiving messages from the entity or its subqueues. See [QuotaExceededException](#quotaexceededexception). |Retry might help if messages have been removed in the meantime. |

-| [RuleActionException](/dotnet/api/microsoft.servicebus.messaging.ruleactionexception) |Service Bus returns this exception if you attempt to create an invalid rule action. Service Bus attaches this exception to a deadlettered message if an error occurs while processing the rule action for that message. |Check the rule action for correctness. |Retry doesn't help. |

-| [FilterException](/dotnet/api/microsoft.servicebus.messaging.filterexception) |Service Bus returns this exception if you attempt to create an invalid filter. Service Bus attaches this exception to a deadlettered message if an error occurred while processing the filter for that message. |Check the filter for correctness. |Retry doesn't help. |

-| [SessionCannotBeLockedException](/dotnet/api/microsoft.servicebus.messaging.sessioncannotbelockedexception) |Attempt to accept a session with a specific session ID, but the session is currently locked by another client. |Make sure the session is unlocked by other clients. |Retry might help if the session has been released in the interim. |

-| [TransactionSizeExceededException](/dotnet/api/microsoft.servicebus.messaging.transactionsizeexceededexception) |Too many operations are part of the transaction. |Reduce the number of operations that are part of this transaction. |Retry doesn't help. |

-| [MessagingEntityDisabledException](/dotnet/api/microsoft.azure.servicebus.messagingentitydisabledexception) |Request for a runtime operation on a disabled entity. |Activate the entity. |Retry might help if the entity has been activated in the interim. |

-| [NoMatchingSubscriptionException](/dotnet/api/microsoft.servicebus.messaging.nomatchingsubscriptionexception) |Service Bus returns this exception if you send a message to a topic that has pre-filtering enabled and none of the filters match. |Make sure at least one filter matches. |Retry doesn't help. |

-| [MessageSizeExceededException](/dotnet/api/microsoft.servicebus.messaging.messagesizeexceededexception) |A message payload exceeds the 256-KB limit. The 256-KB limit is the total message size, which can include system properties and any .NET overhead. |Reduce the size of the message payload, then retry the operation. |Retry doesn't help. |

-| [TransactionException](/dotnet/api/system.transactions.transactionexception) |The ambient transaction (`Transaction.Current`) is invalid. It may have been completed or aborted. Inner exception may provide additional information. | |Retry doesn't help. |

-| [TransactionInDoubtException](/dotnet/api/system.transactions.transactionindoubtexception) |An operation is attempted on a transaction that is in doubt, or an attempt is made to commit the transaction and the transaction becomes in doubt. |Your application must handle this exception (as a special case), as the transaction may have already been committed. |- |

-## QuotaExceededException

-[QuotaExceededException](/dotnet/api/microsoft.azure.servicebus.quotaexceededexception) indicates that a quota for a specific entity has been exceeded.

-> [!NOTE]

-> For Service Bus quotas, see [Quotas](service-bus-quotas.md).

-### Queues and topics

-For queues and topics, it's often the size of the queue. The error message property contains further details, as in the following example:

-```output

-Microsoft.ServiceBus.Messaging.QuotaExceededException

-Message: The maximum entity size has been reached or exceeded for Topic: 'xxx-xxx-xxx'.

- Size of entity in bytes:1073742326, Max entity size in bytes:

-1073741824..TrackingId:xxxxxxxxxxxxxxxxxxxxxxxxxx, TimeStamp:3/15/2013 7:50:18 AM

-```

-The message states that the topic exceeded its size limit, in this case 1 GB (the default size limit).

-### Namespaces

-For namespaces, [QuotaExceededException](/dotnet/api/microsoft.azure.servicebus.quotaexceededexception) can indicate that an application has exceeded the maximum number of connections to a namespace. For example:

-```output

-Microsoft.ServiceBus.Messaging.QuotaExceededException: ConnectionsQuotaExceeded for namespace xxx.

-<tracking-id-guid>_G12 >

-System.ServiceModel.FaultException`1[System.ServiceModel.ExceptionDetail]:

-ConnectionsQuotaExceeded for namespace xxx.

-```

-### Common causes

-There are two common causes for this error: the dead-letter queue, and non-functioning message receivers.

-1. **[Dead-letter queue](service-bus-dead-letter-queues.md)**

- A reader is failing to complete messages and the messages are returned to the queue/topic when the lock expires. It can happen if the reader encounters an exception that prevents it from calling [BrokeredMessage.Complete](/dotnet/api/microsoft.servicebus.messaging.brokeredmessage.complete). After a message has been read 10 times, it moves to the dead-letter queue by default. This behavior is controlled by the [QueueDescription.MaxDeliveryCount](/dotnet/api/microsoft.servicebus.messaging.queuedescription.maxdeliverycount) property and has a default value of 10. As messages pile up in the dead letter queue, they take up space.

- To resolve the issue, read and complete the messages from the dead-letter queue, as you would from any other queue. You can use the [FormatDeadLetterPath](/dotnet/api/microsoft.azure.servicebus.entitynamehelper.formatdeadletterpath) method to help format the dead-letter queue path.

-2. **Receiver stopped**. A receiver has stopped receiving messages from a queue or subscription. The way to identify this is to look at the [QueueDescription.MessageCountDetails](/dotnet/api/microsoft.servicebus.messaging.messagecountdetails) property, which shows the full breakdown of the messages. If the [ActiveMessageCount](/dotnet/api/microsoft.servicebus.messaging.messagecountdetails.activemessagecount) property is high or growing, then the messages aren't being read as fast as they are being written.

-## TimeoutException

-A [TimeoutException](/dotnet/api/system.timeoutexception) indicates that a user-initiated operation is taking longer than the operation timeout.

-You should check the value of the [ServicePointManager.DefaultConnectionLimit](/dotnet/api/system.net.servicepointmanager.defaultconnectionlimit) property, as hitting this limit can also cause a [TimeoutException](/dotnet/api/system.timeoutexception).

-Timeouts are expected to happen during or in-between maintenance operations such as Service Bus service updates (or) OS updates on resources that run the service. During OS updates, entities are moved around and nodes are updated or rebooted, which can cause timeouts. For service level agreement (SLA) details for the Azure Service Bus service, see [SLA for Service Bus](https://azure.microsoft.com/support/legal/sla/service-bus/).

-### Queues and topics

-For queues and topics, the timeout is specified either in the [MessagingFactorySettings.OperationTimeout](/dotnet/api/microsoft.servicebus.messaging.messagingfactorysettings) property, as part of the connection string, or through [ServiceBusConnectionStringBuilder](/dotnet/api/microsoft.azure.servicebus.servicebusconnectionstringbuilder). The error message itself might vary, but it always contains the timeout value specified for the current operation.

-## MessageLockLostException

-### Cause

-The **MessageLockLostException** is thrown when a message is received using the [PeekLock](message-transfers-locks-settlement.md#peeklock) Receive mode and the lock held by the client expires on the service side.

-The lock on a message may expire due to various reasons:

- * The lock timer has expired before it was renewed by the client application.

- * The client application acquired the lock, saved it to a persistent store and then restarted. Once it restarted, the client application looked at the inflight messages and tried to complete these.

-You may also receive this exception in the following scenarios:

-* Service Update

-* OS update

-* Changing properties on the entity (queue, topic, subscription) while holding the lock.

-### Resolution

-In the event of a **MessageLockLostException**, the client application can no longer process the message. The client application may optionally consider logging the exception for analysis, but the client *must* dispose off the message.

-Since the lock on the message has expired, it would go back on the Queue (or Subscription) and can be processed by the next client application which calls receive.

-If the **MaxDeliveryCount** has exceeded then the message may be moved to the **DeadLetterQueue**.

-## SessionLockLostException

-### Cause

-The **SessionLockLostException** is thrown when a session is accepted and the lock held by the client expires on the service side.

-The lock on a session may expire due to various reasons:

- * The lock timer has expired before it was renewed by the client application.

- * The client application acquired the lock, saved it to a persistent store and then restarted. Once it restarted, the client application looked at the inflight sessions and tried to process the messages in those sessions.

-You may also receive this exception in the following scenarios:

-* Service Update

-* OS update

-* Changing properties on the entity (queue, topic, subscription) while holding the lock.

-### Resolution

-In the event of a **SessionLockLostException**, the client application can no longer process the messages on the session. The client application may consider logging the exception for analysis, but the client *must* dispose off the message.

-Since the lock on the session has expired, it would go back on the Queue (or Subscription) and can be locked by the next client application which accepts the session. Since the session lock is held by a single client application at any given time, the in-order processing is guaranteed.

-## SocketException

-### Cause

-A **SocketException** is thrown in the following cases:

- * When a connection attempt fails because the host did not properly respond after a specified time (TCP error code 10060).

- * An established connection failed because connected host has failed to respond.

- * There was an error processing the message or the timeout is exceeded by the remote host.

- * Underlying network resource issue.

-### Resolution

-The **SocketException** errors indicate that the VM hosting the applications is unable to convert the name `<mynamespace>.servicebus.windows.net` to the corresponding IP address.

-Check to see if below command succeeds in mapping to an IP address.

-```powershell

-PS C:\> nslookup <mynamespace>.servicebus.windows.net

-```

-which should provide an output as below

-```bash

-Name: <cloudappinstance>.cloudapp.net

-Address: XX.XX.XXX.240

-Aliases: <mynamespace>.servicebus.windows.net

-```

-If the above name **does not resolve** to an IP and the namespace alias, check which the network administrator to investigate further. Name resolution is done through a DNS server typically a resource in the customer network. If the DNS resolution is done by Azure DNS please contact Azure support.

-If name resolution **works as expected**, check if connections to Azure Service Bus is allowed [here](service-bus-troubleshooting-guide.md#connectivity-certificate-or-timeout-issues)

-## MessagingException

-### Cause

-**MessagingException** is a generic exception that may be thrown for various reasons. Some of the reasons are listed below.

- * An attempt is made to create a **QueueClient** on a **Topic** or a **Subscription**.

- * The size of the message sent is greater than the limit for the given tier. Read more about the Service Bus [quotas and limits](service-bus-quotas.md).

- * Specific data plane request (send, receive, complete, abandon) was terminated due to throttling.

- * Transient issues caused due to service upgrades and restarts.

-> [!NOTE]

-> The above list of exceptions is not exhaustive.

-### Resolution

-The resolution steps depend on what caused the **MessagingException** to be thrown.

- * For **transient issues** (where ***isTransient*** is set to ***true***) or for **throttling issues**, retrying the operation may resolve it. The default retry policy on the SDK can be leveraged for this.

- * For other issues, the details in the exception indicate the issue and resolution steps can be deduced from the same.

-## StorageQuotaExceededException

-### Cause

-The **StorageQuotaExceededException** is generated when the total size of entities in a premium namespace exceeds the limit of 1 TB per [messaging unit](service-bus-premium-messaging.md).

-### Resolution

-## Next steps

-For the complete Service Bus .NET API reference, see the [Azure .NET API reference](/dotnet/api/overview/azure/service-bus).

-For troubleshooting tips, see the [Troubleshooting guide](service-bus-troubleshooting-guide.md)

-| Dotnet | | | | Γ£ö | |

-| Integrate with Dynatrace APM agent. | See [How to configure APM integration and CA certificates](./how-to-enterprise-configure-apm-integration-and-ca-certificates.md). | N/A | N/A |

-| Specify a Go version. | Supports *1.18.\**, *1.19.\**. The default value is *1.18.\**.<br> The Go version is automatically detected from the appΓÇÖs *go.mod* file. You can override this version by setting the `BP_GO_VERSION` environment variable at build time. | `BP_GO_VERSION` | `--build-env BP_GO_VERSION=1.19.*` |

-| Specify a Node version. | Supports *12.\**, *14.\**, *16.\**, *18.\**, *19.\**. The default value is *18.\**. <br>You can specify the Node version via an *.nvmrc* or *.node-version* file at the application directory root. `BP_NODE_VERSION` overrides the settings. | `BP_NODE_VERSION` | `--build-env BP_NODE_VERSION=18.*` |

-1. Go to the following location to create a new repository:

- - [https://github.com/staticwebdev/roles-function/generate](https://github.com/login?return_to=/staticwebdev/roles-function/generate)

-1. In a new browser window, go to the [Azure portal](https://portal.azure.com) and sign in with your Azure account.

-1. Select **Create a resource** in the top left corner.

-1. Type **static web apps** in the search box.

-1. Select **Static Web App**.

-1. Configure your Azure Static Web App with the following information:

- | **Input** | **Value** | **Notes** |

- | - | - | - |

- | _Subscription_ | Select your Azure subscription | |

- | _Resource group_ | Create a new one named **my-custom-roles-app-group** | |

- | _Name_ | **my-custom-roles-app** | |

- | _Hosting plan_ | **Standard** | Customizing authentication and assigning roles using a function require the Standard plan |

- | _Region_ | Select a region closest to you | |

- | _Deployment details_ | Select **GitHub** as the source | |

-1. Select **Sign-in with GitHub** and authenticate with GitHub.

-1. Select the name of the _Organization_ where you created the repository.

-1. Select **my-custom-roles-app** from the _Repository_ drop-down.

-1. Select **main** from the _Branch_ drop-down.

-1. In the _Build Details_ section, add configuration details for this app.

- | **Input** | **Value** | **Notes** |

- | - | - | - |

- | _Build presets_ | **Custom** | |

- | _App location_ | **frontend** | Folder in the repository containing the app |

- | _API location_ | **api** | Folder in the repository containing the API |

- | _Output location_ | | This app has no build output |

-1. Select **Review + create**. Then select **Create** to create the static web app and initiate the first deployment.

-1. Select **Go to resource** to open your new static web app.

-1. In the overview section, locate your application's **URL**. Copy this value into a text editor as you'll need this URL to set up Active Directory authentication and test the app.

-1. In the menu bar, select **App registrations**.

-1. Select **+ New registration** to open the *Register an application* page

-1. Enter a name for the application. For example, **MyStaticWebApp**.

-1. For *Supported account types*, select **Accounts in this organizational directory only**.

-1. For *Redirect URIs*, select **Web** and enter the Azure Active Directory login [authentication callback](authentication-custom.md#authentication-callbacks) of your static web app. For example, `<YOUR_SITE_URL>/.auth/login/aad/callback`.

- Replace `<YOUR_SITE_URL>` with the URL of your static web app.

-1. After the app registration is created, copy the **Application (client) ID** and **Directory (tenant) ID** in the *Essentials* section to a text editor. You'll need these values to configure Active Directory authentication in your static web app.

-1. Select *Authentication* in the menu bar.

- :::image type="content" source="media/assign-roles-microsoft-graph/enable-id-tokens.png" alt-text="Enable ID tokens":::

-

- This configuration is required by Static Web Apps to authenticate your users.

-1. Select *Certificates & secrets* in the menu bar.

-1. In the *Client secrets* section, select **+ New client secret**.

-1. Enter a name for the client secret. For example, **MyStaticWebApp**.

-1. Leave the default of _6 months_ for the *Expires* field.

-1. Note the **Value** of the client secret you created. You'll need this value to configure Active Directory authentication in your static web app.

-1. In a browser, open the GitHub repository containing the static web app you deployed. Go to the app's configuration file at *frontend/staticwebapp.config.json*. It contains the following section:

- > [!NOTE]

- > To obtain an access token for Microsoft Graph, the `loginParameters` field must be configured with `resource=https://graph.microsoft.com`.

-2. Select **Edit** to update the file.

-3. Update the *openIdIssuer* value of `https://login.microsoftonline.com/<YOUR_AAD_TENANT_ID>` by replacing `<YOUR_AAD_TENANT_ID>` with the directory (tenant) ID of your Azure Active Directory.

-4. Select **Commit directly to the main branch** and select **Commit changes**.

-5. A GitHub Actions run triggers to update the static web app.

-6. Go to your static web app resource in the Azure portal.

-7. Select **Configuration** in the menu bar.

-8. In the *Application settings* section, add the following settings:

- ||-|

- | `AAD_CLIENT_ID` | *Your Active Directory application (client) ID* |

- | `AAD_CLIENT_SECRET` | *Your Active Directory application client secret value* |

-9. Select **Save**.

-The sample application contains a serverless function (*api/GetRoles/index.js*) that queries Microsoft Graph to determine if a user is in a pre-defined group. Based on the user's group memberships, the function assigns custom roles to the user. The application is configured to restrict certain routes based on these custom roles.

-1. In your GitHub repository, go to the *GetRoles* function located at *api/GetRoles/index.js*. Near the top, there is a `roleGroupMappings` object that maps custom user roles to Azure Active Directory groups.

-2. Select **Edit**.

-3. Update the object with group IDs from your Azure Active Directory tenant.

- The *GetRoles* function is called whenever a user is successfully authenticated with Azure Active Directory. The function uses the user's access token to query their Active Directory group membership from Microsoft Graph. If the user is a member of any groups defined in the `roleGroupMappings` object , the corresponding custom roles are returned by the function.

-

- In the above example, if a user is a member of the Active Directory group with ID `b6059db5-9cef-4b27-9434-bb793aa31805`, they are granted the `reader` role.

-4. Select **Commit directly to the main branch** and select **Commit changes**.

-5. A GitHub Actions run triggers to update the static web app.

-6. When the deployment is complete, you can verify your changes by navigating to the app's URL.

-7. Log in to your static web app using Azure Active Directory.

-8. When you are logged in, the sample app displays the list of roles that you are assigned based on your identity's Active Directory group membership. Depending on these roles, you are permitted or prohibited to access some of the routes in the app.

-> Some queries against Microsoft Graph return multiple pages of data. When more than one query request is required, Microsoft Graph returns an `@odata.nextLink` property in the response which contains a URL to the next page of results. For more details please refer to [Paging Microsoft Graph data in your app](/graph/paging)

-REVIEW Stephen/Fabian: not reviewed

-In this article, you'll learn how to successfully register a previously deployed Storage Mover agent VM. Registration creates a trust relationship with your cloud service and enables the agent to receive migration jobs.

-Registration is always initiated from the agent. For security purposes, trust can only be created by the agent reaching out to the Storage Mover service. The registration procedure utilizes your Azure credentials and permissions on the storage mover resource you've previously deployed. If you don't have a storage mover cloud resource or an agent VM deployed yet, refer to the [prerequisites section](#prerequisites).

-Your agent needs to be connected to the internet. <!-- The article **<!!!!! ARTICLE AND LINK NEEDED !!!!!>** showcases connectivity requirements and options. -->

-<!-- The **<!!!!! ARTICLE AND LINK NEEDED !!!!!>** article can help troubleshoot in case you've encountered any issues. -->

-In this step, you'll register your agent with the storage mover resource you've deployed in an Azure subscription.

-You'll be prompted for:

-Once you've supplied these values, the agent will attempt registration, and requires you to sign into Azure with the credentials that have permissions to the supplied subscription and storage mover resource.

-The agent will display the device auth URL: [https://microsoft.com/devicelogin](https://microsoft.com/devicelogin) and a unique sign-in code. Navigate to the displayed URL on an internet connected machine, enter the code, and sign into Azure with your credentials.

-The agent will display detailed progress. Once the registration is complete, you'll be able to see the agent in the Azure portal. It will be under *Registered agents* in the storage mover resource you've registered the agent with.

-The process of deletion is automatically initiated when you unregister the agent. However, there are other ways to remove this identity. Doing so will incapacitate the registered agent and require the agent to be unregistered. Only the registration process can get an agent to obtain and maintain its Azure identity properly.

-The agent is automatically authorized to converse with the Storage Mover service. You won't be able to see or influence this authorization short of destroying the managed identity, for instance by unregistering the agent.

-This assignment is made in the admin's sign-in context in the Azure portal. Therefore, the admin must be a member of the role-based access control (RBAC) control plane role "Owner" for the target container. This assignment is made just-in-time when you start a migration job. It is at this point that you've selected an agent to execute a migration job. As part of this start action, the agent is given permissions to the data plane of the target container. The agent won't be authorized to perform any management plane actions, such as deleting the target container or configuring any features on it.

-| **Availability** | 99.9% | 99% | 99% | Offline |

-| **Availability** <br> **(RA-GRS reads)** | 99.99% | 99.99% | 99.9% | Offline |

-| Azure Files (REST) | [Supported](/rest/api/storageservices/authorize-with-shared-key/) | [Supported](storage-sas-overview.md) | [Supported (preview)](../files/authorize-oauth-rest.md) | Not supported | Not supported | Not supported |

-For information about the built-in roles that support access to file data, see [Access Azure file shares using Azure Active Directory with Azure Files OAuth over REST (preview)](authorize-oauth-rest.md).

-# Access Azure file shares using Azure Active Directory with Azure Files OAuth over REST (preview)

-Azure Files OAuth over REST (preview) enables admin-level read and write access to Azure file shares for users and applications via the [OAuth](https://oauth.net/) authentication protocol, using Azure Active Directory (Azure AD) for REST API based access. Users, groups, first-party services such as Azure portal, and third-party services and applications using REST interfaces can now use OAuth authentication and authorization with an Azure AD account to access data in Azure file shares. PowerShell cmdlets and Azure CLI commands that call REST APIs can also use OAuth to access Azure file shares.

-Azure Files OAuth over REST (preview) only supports the FileREST Data APIs that support operations on files and directories. OAuth isn't supported on FilesREST data plane APIs that manage FileService and FileShare resources. These management APIs are called using the Storage Account Key or SAS token, and are exposed through the data plane for legacy reasons. We recommend using the control plane APIs (the storage resource provider - Microsoft.Storage) that support OAuth for all management activities related to FileService and FileShare resources.

-This preview provides two new built-in roles that include these new actions.

-### AD DS & Azure AD DS Authentication

-**Can I use the canonical name (CNAME) to mount an Azure file share while using identity-based authentication (AD DS or Azure AD DS)?**

- No, this scenario isn't currently supported in single-forest AD environments. As an alternative to CNAME, you can use DFS Namespaces with SMB Azure file shares. To learn more, see [How to use DFS Namespaces with Azure Files](files-manage-namespaces.md).

- * Timestamps, most notably the creation, and last-modified timestamps

-description: Set up your mobile application developed using Visual Studio Mobile Center to send Real User Measurements to Traffic Manager

-# How to send Real User Measurements to Traffic Manager with Visual Studio Mobile Center

-You can set up your mobile application developed using Visual Studio Mobile Center to send Real User Measurements to Traffic Manager by following the steps:

-## Step 2: Instrument your app with the RUM package of Mobile Center SDK

-If you're new to Visual Studio Mobile Center, visit its [website](https://mobile.azure.com). For detailed instructions on SDK integration, see

- MobileCenter.start(getApplication(), "<Your Mobile Center AppSecret>", RealUserMeasurements.class);

-POST on `subscriptions/subscriptionId/resourceGroups/resourceGroupName/providers/Microsoft.Compute/machines/virtualMachineName/installPatches?api-version=2020-12-01`

- > The upper maintenance window is 3.55 hours.

-Before you can configure Start VM on Connect, you'll need to assign the *Desktop Virtualization Power On Contributor* role-based access control (RBAC) role with your Azure subscription as the assignable scope. Assigning this role at any level lower than your subscription, such as the resource group, host pool, or VM, will prevent Start VM on Connect from working properly. You'll need to add each Azure subscription as an assignable scope that contains host pools and session host VMs you want to use with Start VM on Connect. This role and assignment will allow Azure Virtual Desktop to power on VMs, check their status, and report diagnostic information in those subscriptions.

-MSIX app attach is a way to deliver MSIX applications to both physical and virtual machines. However, MSIX app attach is different from regular MSIX because it's made especially for supported products, such as Azure Virtual Desktop. This article will describe what MSIX app attach is and what it can do for you.

-You can set your Spot Priority Mix in the Scaling tab of the Virtual Machine Scale Sets creation process in the Azure portal. The following steps instruct you on how to access this feature during that process.

-1 In the **Spot** tab, select the check-box next to *Scale with VMs and Spot VMs* option under the **Scale with VMs and discounted Spot VMs** section.

-Alternatively, if you want to add a data disk to an individual instance in a scale set, use [Add-AzVMDataDisk](/powershell/module/az.compute/add-azvmdatadisk).

-$VirtualMachine = Get-AzVM -ResourceGroupName "myResourceGroup" -Name "myScaleSet_Instance1"

-Add-AzVMDataDisk -VM $VirtualMachine -Name "disk1" -LUN 2 -Caching ReadOnly -DiskSizeinGB 1 -CreateOption Empty

-Update-AzVM -ResourceGroupName "myResourceGroup" -VM $VirtualMachine

-Alternatively, if you want to remove a data disk to an individual instance in a scale set, use [Remove-AzVMDataDisk](/powershell/module/az.compute/remove-azvmdatadisk).

-$VirtualMachine = Get-AzVM -ResourceGroupName "myResourceGroup" -Name "myScaleSet_c91dfbd9"

-Remove-AzVMDataDisk -VM $VirtualMachine -Name "myScaleSet_c91dfbd9_disk3_65c5d7a8f5ae40cb8d5f80c04b7b3d2e"

-Update-AzVM -ResourceGroupName "myResourceGroup" -VM $VirtualMachine

- "automaticOSUpgradePolicy": {

- "enableAutomaticOSUpgrade": true,

- "useRollingUpgradePolicy": true,

- "disableAutomaticRollback": false

- }

- }

- },

-[Live Migration](maintenance-and-updates.md): Supported <br>

-[Memory Preserving Updates](maintenance-and-updates.md): Supported <br>

-[VM Generation Support](generation-2.md): Generation 1 and 2 <br>

-[Accelerated Networking](../virtual-network/create-vm-accelerated-networking-cli.md): Supported <br>

-Shared managed disks don't natively offer a fully managed file system that can be accessed using SMB/NFS. You need to use a cluster manager, like Windows Server Failover Cluster (WSFC), or Pacemaker, that handles cluster node communication and write locking.

-Azure Premium SSDs deliver high-performance and low-latency disk support for virtual machines (VMs) with input/output (IO)-intensive workloads. To take advantage of the speed and performance of Premium SSDs, you can migrate existing VM disks to Premium SSDs. Premium SSDs are suitable for mission-critical production applications, but you can use them only with compatible VM series.

-Azure standard SSDs are optimized for workloads that need consistent performance at lower IOPS levels. They're an especially good choice for customers with varying workloads supported by on-premises hard disk drive (HDD) solutions. Compared to standard HDDs, standard SSDs deliver better availability, consistency, reliability, and latency. Standard SSDs are suitable for web servers, low IOPS application servers, lightly used enterprise applications, and non-production workloads. Like standard HDDs, standard SSDs are available on all Azure VMs.

-Azure standard HDDs deliver reliable, low-cost disk support for VMs running latency-tolerant workloads. With standard storage, your data is stored on HDDs, and performance may vary more widely than that of SSD-based disks. Standard HDDs are designed to deliver write latencies of less than 10 ms and read latencies of less than 20 ms for most IO operations. Actual performance may vary depending on IO size and workload pattern, however. When working with VMs, you can use standard HDD disks for dev/test scenarios and less critical workloads. Standard HDDs are available in all Azure regions and can be used with all Azure VMs.

-[Live Migration](maintenance-and-updates.md): Supported <br>

-[Memory Preserving Updates](maintenance-and-updates.md): Supported <br>

-[Accelerated Networking](../virtual-network/create-vm-accelerated-networking-cli.md): Supported <br>

-[Ephemeral OS Disks](ephemeral-os-disks.md): Not Supported <br>

->

-> The Key Vault VM Extension downloads the certificates in the default location or to the location provided by "certStoreLocation" property in the VM Extension settings. The KeyValut VM Extension updates the folder permission to 700 (drwx) allowing read, write and execute permission to the owner of the folder only

-* Users can chose to upgrade their key vault vm extension version to `V2.0` to use full certificate chain download feature. Issuer certificates (intermediate and root) will be appended to the leaf certificate in the PEM file.

-

-This disk has a maximum capacity of 4,095 GiB, however, many operating systems are partitioned with [master boot record (MBR)](https://wikipedia.org/wiki/Master_boot_record) by default. MBR limits the usable size to 2 TiB. If you need more than 2 TiB, create and attach [data disks](#data-disk) and use them for data storage. If you need to store data on the OS disk and require the additional space, [convert it to GUID Partition Table](/windows-server/storage/disk-management/change-an-mbr-disk-into-a-gpt-disk) (GPT). To learn about the differences between MBR and GPT on Windows deployments, see [Windows and GPT FAQ](/windows-hardware/manufacture/desktop/windows-and-gpt-faq).

-### [Deploying mainframe applications to Microsoft Azure](http://content.microfocus.com/deploying-mainframe-azure)