-In the Terminal, run the app by entering the following command, which runs the Flask development server. The development server looks for `app.py` by default. Then, open your browser and navigate to the web app URL: <http://localhost:5000>.

-|Element |Page layout version range |jQuery version |Handlebars Runtime version |Handlebars Compliler version |

-## Unified sign-in sign-up page with password reset link (unifiedssp)

-## Device-list filtering (preview)

-Previously, you could filter the device list only by activity and enabled state. In this preview, you can filter the device list by these device attributes:

-To enable the preview filtering functionality in the **All devices** view:

-1. Go to **Azure Active Directory** > **Devices**.

-1. Select the banner that says **Try out the new devices filtering improvements. Click to enable the preview.**

- 

-You can now add filters to your **All devices** view.

-> [!WARNING]

-> The per-user **Enabled/Enforced Azure AD Multi-Factor Authentication** setting is not supported for the Azure Windows VM Sign-In app.

-If you've configured a Conditional Access policy that requires MFA before you can access the resource, you need to ensure that the Windows 10 or later PC that's initiating the remote desktop connection to your VM signs in by using a strong authentication method such as Windows Hello. If you don't use a strong authentication method for your remote desktop connection, you'll see the error.

-> [!WARNING]

-> The legacy per-user **Enabled/Enforced Azure AD Multi-Factor Authentication** setting is not supported for the Azure Windows VM Sign-In app. This setting causes sign-in to fail with the "Your credentials did not work" error message.

-You can resolve the problem by removing the per-user MFA setting through these commands:

-```

-# Get StrongAuthenticationRequirements configure on a user

-(Get-MsolUser -UserPrincipalName username@contoso.com).StrongAuthenticationRequirements

-

-# Clear StrongAuthenticationRequirements from a user

-$mfa = @()

-Set-MsolUser -UserPrincipalName username@contoso.com -StrongAuthenticationRequirements $mfa

-

-# Verify StrongAuthenticationRequirements are cleared from the user

-(Get-MsolUser -UserPrincipalName username@contoso.com).StrongAuthenticationRequirements

-```

->* Validate your SQL server instantiations can be [migrated to a different domain](https://social.technet.microsoft.com/wiki/contents/articles/24960.migrating-sql-server-to-new-domain.aspx). If your SQL service is running in virtual machines, [use this guidance](/azure-sql/migration-guides/virtual-machines/sql-server-to-sql-on-azure-vm-individual-databases-guide).

-Previously, the only filters you could use were "Enabled" and "Activity date." Now, you can [filter your list of devices on more properties](../devices/device-management-azure-portal.md#device-list-filtering-preview), including OS type, join type, compliance, and more. These additions should simplify locating a particular device.

-description: This article explains how to migrate from federated authentication, to cloud authentication, by using a staged rollout.

-# Migrate to cloud authentication using staged rollout

-Staged rollout allows you to selectively test groups of users with cloud authentication capabilities like Azure AD Multi-Factor Authentication (MFA), Conditional Access, Identity Protection for leaked credentials, Identity Governance, and others, before cutting over your domains. This article discusses how to make the switch. Before you begin the staged rollout, however, you should consider the implications if one or more of the following conditions is true:

-For an overview of the feature, view this "Azure Active Directory: What is staged rollout?" video:

-The following scenarios are supported for staged rollout. The feature works only for:

-The following scenarios are not supported for staged rollout:

- - Dynamic groups are *not supported* for staged rollout.

- >You still need to make the final cutover from federated to cloud authentication by using Azure AD Connect or PowerShell. Staged rollout doesn't switch domains from federated to managed. For more information about domain cutover, see [Migrate from federation to password hash synchronization](./migrate-from-federation-to-cloud-authentication.md) and [Migrate from federation to pass-through authentication](./migrate-from-federation-to-cloud-authentication.md).

-## Get started with staged rollout

-To test the *password hash sync* sign-in by using staged rollout, follow the pre-work instructions in the next section.

-If you want to test *pass-through authentication* sign-in by using staged rollout, enable it by following the pre-work instructions in the next section.

-We recommend enabling *seamless SSO* irrespective of the sign-in method (*password hash sync* or *pass-through authentication*) you select for staged rollout. To enable *seamless SSO*, follow the pre-work instructions in the next section.

-Enable *seamless SSO* on the Active Directory forests by using PowerShell. If you have more than one Active Directory forest, enable it for each forest individually. *Seamless SSO* is triggered only for users who are selected for staged rollout. It doesn't affect your existing federation setup.

-## Enable staged rollout

-### Enable a staged rollout of a specific feature on your tenant

-2. Select the **Enable staged rollout for managed user sign-in** link.

- >The members in a group are automatically enabled for staged rollout. Nested and dynamic groups are not supported for staged rollout.

-We've enabled audit events for the various actions we perform for staged rollout:

- >An audit event is logged when *seamless SSO* is turned on by using staged rollout.

- >An audit event is logged when a group is added to *password hash sync* for staged rollout.

-1. On the extranet, go to the [Apps page](https://myapps.microsoft.com) in a private browser session, and then enter the UserPrincipalName (UPN) of the user account that's selected for staged rollout.

- Users who've been targeted for staged rollout are not redirected to your federated login page. Instead, they're asked to sign in on the Azure AD tenant-branded sign-in page.

-1. On the intranet, go to the [Apps page](https://myapps.microsoft.com) in a private browser session, and then enter the UserPrincipalName (UPN) of the user account that's selected for staged rollout.

- Users who've been targeted for staged rollout of *seamless SSO* are presented with a "Trying to sign you in ..." message before they're silently signed in.

- To track user sign-ins that still occur on Active Directory Federation Services (AD FS) for selected staged rollout users, follow the instructions at [AD FS troubleshooting: Events and logging](/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging#types-of-events). Check vendor documentation about how to check this on third-party federation providers.

- >While users are in Staged rollout with PHS, changing passwords might take up to 2 minutes to take effect due to sync time. Make sure to set expectations with your users to avoid helpdesk calls after they changed their password.

-You can monitor the users and groups added or removed from staged rollout and users sign-ins while in staged rollout, using the new Hybrid Auth workbooks in the Azure portal.

-## Remove a user from staged rollout

-Removing a user from the group disables staged rollout for that user. To disable the staged rollout feature, slide the control back to **Off**.

-**Q: Can I use PowerShell to perform staged rollout?**

-A: Yes. To learn how to use PowerShell to perform staged rollout, see [Azure AD Preview](/powershell/module/azuread/?view=azureadps-2.0-preview&preserve-view=true#staged_rollout).

-## Test multi-factor authentication

-## Add the terms of use to the policy

-1. Select **Conditional Access**, and then select the *MFA Pilot* policy.

-description: Learn how to configure single sign-on between Azure Active Directory and AWS Single Sign-on.

-# Tutorial: Azure AD SSO integration with AWS Single Sign-on

-In this tutorial, you'll learn how to integrate AWS Single Sign-on with Azure Active Directory (Azure AD). When you integrate AWS Single Sign-on with Azure AD, you can:

-* Control in Azure AD who has access to AWS Single Sign-on.

-* Enable your users to be automatically signed-in to AWS Single Sign-on with their Azure AD accounts.

-* AWS Single Sign-on single sign-on (SSO) enabled subscription.

-* AWS Single Sign-on supports **SP and IDP** initiated SSO.

-* AWS Single Sign-on supports [**Automated user provisioning**](./aws-single-sign-on-provisioning-tutorial.md).

-## Add AWS Single Sign-on from the gallery

-To configure the integration of AWS Single Sign-on into Azure AD, you need to add AWS Single Sign-on from the gallery to your list of managed SaaS apps.

-1. In the **Add from the gallery** section, type **AWS Single Sign-on** in the search box.

-1. Select **AWS Single Sign-on** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

-## Configure and test Azure AD SSO for AWS Single Sign-on

-Configure and test Azure AD SSO with AWS Single Sign-on using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in AWS Single Sign-on.

-To configure and test Azure AD SSO with AWS Single Sign-on, perform the following steps:

-1. **[Configure AWS Single Sign-on SSO](#configure-aws-single-sign-on-sso)** - to configure the single sign-on settings on application side.

- 1. **[Create AWS Single Sign-on test user](#create-aws-single-sign-on-test-user)** - to have a counterpart of B.Simon in AWS Single Sign-on that is linked to the Azure AD representation of user.

-1. In the Azure portal, on the **AWS Single Sign-on** application integration page, find the **Manage** section and select **single sign-on**.

- b. Click on **folder logo** to select metadata file which is explained to download in **[Configure AWS Single Sign-on SSO](#configure-aws-single-sign-on-sso)** section and click **Add**.

- > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [AWS Single Sign-on Client support team](mailto:aws-sso-partners@amazon.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

-1. AWS Single Sign-on application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.

- > If ABAC is enabled in AWS SSO, the additional attributes may be passed as session tags directly into AWS accounts.

-1. On the **Set up AWS Single Sign-on** section, copy the appropriate URL(s) based on your requirement.

-In this section, you'll enable B.Simon to use Azure single sign-on by granting access to AWS Single Sign-on.

-1. In the applications list, select **AWS Single Sign-on**.

-## Configure AWS Single Sign-on SSO

-1. To automate the configuration within AWS Single Sign-on, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**.

-2. After adding extension to the browser, click on **Set up AWS Single Sign-on** will direct you to the AWS Single Sign-on application. From there, provide the admin credentials to sign into AWS Single Sign-on. The browser extension will automatically configure the application for you and automate steps 3-10.

-3. If you want to setup AWS Single Sign-on manually, in a different web browser window, sign in to your AWS Single Sign-on company site as an administrator.

-1. Go to the **Services -> Security, Identity, & Compliance -> AWS Single Sign-On**.

-3. On the **Settings** page, find **Identity source** and click on **Change**.

-4. On the Change identity source, choose **External identity provider**.

- a. In the **Service provider metadata** section, find **AWS SSO SAML metadata** and select **Download metadata file** to download the metadata file and save it on your computer and use this metadata file to upload on Azure portal.

- b. Copy **AWS SSO Sign-in URL** value, paste this value into the **Sign on URL** text box in the **Basic SAML Configuration section** in the Azure portal.

- c. In the **Identity provider metadata** section, choose **Browse** to upload the metadata file which you have downloaded from the Azure portal.

-### Create AWS Single Sign-on test user

-1. Open the **AWS SSO console**.

- g. Choose **Next: Groups**.

- > Make sure the username entered in AWS SSO matches the userΓÇÖs Azure AD sign-in name. This will you help avoid any authentication problems.

-AWS SSO console, choose **AWS accounts**.

-about permission sets, see the AWS SSO **Permission Sets** page.

-> AWS Single Sign-on also supports automatic user provisioning, you can find more details [here](./aws-single-sign-on-provisioning-tutorial.md) on how to configure automatic user provisioning.

-* Click on **Test this application** in Azure portal. This will redirect to AWS Single Sign-on Sign on URL where you can initiate the login flow.

-* Go to AWS Single Sign-on Sign-on URL directly and initiate the login flow from there.

-* Click on **Test this application** in Azure portal and you should be automatically signed in to the AWS Single Sign-on for which you set up the SSO.

-You can also use Microsoft My Apps to test the application in any mode. When you click the AWS Single Sign-on tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the AWS Single Sign-on for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

-Once you configure AWS Single Sign-on you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

-Azure Storage encrypts all data in a storage account at rest. By default, data is encrypted with Microsoft-managed keys. For additional control over encryption keys, you can supply customer-managed keys to use for encryption at rest for both the OS and data disks for your AKS clusters. Learn more about customer-managed keys on [Linux][customer-managed-keys-linux] and [Windows][customer-managed-keys-windows].

-

-> Ensure your AKS cluster identity has read permission of DiskEncryptionSet

-Create a **new resource group** and AKS cluster, then use your key to encrypt the OS disk. Customer-managed keys are only supported in Kubernetes versions greater than 1.17.

-When new node pools are added to the cluster created above, the customer-managed key provided during the create is used to encrypt the OS disk.

-OS disk encryption key will be used to encrypt data disk if key is not provided for data disk from v1.17.2, and you can also encrypt AKS data disks with your other keys.

-> Ensure you have the proper AKS credentials. The managed identity will need to have contributor access to the resource group where the diskencryptionset is deployed. Otherwise, you will get an error suggesting that the managed identity does not have permissions.

-```

-Next, run this deployment in your AKS cluster:

-For more details on using Azure tags, see [Use Azure tags in Azure Kubernetes Service (AKS)][use-tags].

-| cluster-autoscaler | Understand why the AKS cluster is scaling up or down, which may not be expected. This information is also useful to correlate time intervals where something interesting may have happened in the cluster. |

-| guard | Managed Azure Active Directory and Azure RBAC audits. For managed Azure AD, this includes token in and user info out. For Azure RBAC, this includes access reviews in and out. |

-This section refers to all of the Azure Monitor Logs tables relevant to AKS and available for query by Log Analytics.

-> Only the gateway component of API Management is deployed to all regions. The service management component and developer portal are hosted in the Primary region only. Therefore, in case of the Primary region outage, access to the developer portal and ability to change configuration (e.g. adding APIs, applying policies) will be impaired until the Primary region comes back online. While the Primary region is offline, available Secondary regions will continue to serve the API traffic using the latest configuration available to them. Optionally enable [zone redundancy](zone-redundancy.md) to improve the availability and resiliency of the Primary or Secondary regions.

-1. Optionally enable [**Availability zones**](zone-redundancy.md).

-API Management **Premium** tier also supports [zone redundancy](zone-redundancy.md), which provides resiliency and high availability to a service instance in a specific Azure region (location).

-* [Availability zones](zone-redundancy.md) are enabled, added, or removed.

-|Premium | 1. Enable [zone redundancy](zone-redundancy.md)<br/> -or-<br/> 2. Create new [external](api-management-using-with-vnet.md) or [internal](api-management-using-with-internal-vnet.md) VNet connection¹<br/> -or-<br/> 3. Update existing [VNet configuration](#update-vnet-configuration) |

-* Learn more about [zone redundancy](zone-redundancy.md).

- - The API Management instance must be hosted on the [`stv2` compute platform](compute-infrastructure.md). For example, create a new instance or, if you already have an instance in the Premium service tier, enable [zone redundancy](zone-redundancy.md).

-description: Learn how to improve the resiliency of your Azure API Management service instance in a region by enabling zone redundancy.

-# Availability zone support for Azure API Management

-This article shows how to enable zone redundancy for your API Management instance by using the Azure portal. [Zone redundancy](../availability-zones/az-overview.md#availability-zones) provides resiliency and high availability to a service instance in a specific Azure region (location). With zone redundancy, the gateway and the control plane of your API Management instance (Management API, developer portal, Git configuration) are replicated across datacenters in physically separated zones, making it resilient to a zone failure.

-API Management also supports [multi-region deployments](api-management-howto-deploy-multi-region.md), which helps reduce request latency perceived by geographically distributed API consumers and improves availability of the gateway component if one region goes offline. The combination of availability zones for redundancy within a region, and multi-region deployments to improve the gateway availability if there is a regional outage, helps enhance both the reliability and performance of your API Management instance.

-## Supported regions

-Configuring API Management for zone redundancy is currently supported in the following Azure regions.

-* Australia East

-* Brazil South

-* Canada Central

-* Central India

-* Central US

-* East Asia

-* East US

-* East US 2

-* France Central

-* Germany West Central

-* Japan East

-* Korea Central (*)

-* North Europe

-* Norway East (*)

-* South Africa North (*)

-* South Central US

-* Southeast Asia

-* Switzerland North

-* UK South

-* West Europe

-* West US 2

-* West US 3

-> [!IMPORTANT]

-> The regions with * against them have restrictive access in an Azure subscription to enable availability zone support. Please work with your Microsoft sales or customer representative.

-## Prerequisites

-* If you haven't yet created an API Management service instance, see [Create an API Management service instance](get-started-create-service-instance.md). Select the Premium service tier.

-* If your API Management instance is deployed in a [virtual network](api-management-using-with-vnet.md), ensure that you set up a virtual network, subnet, and public IP address in any new location where you plan to enable zone redundancy.

-> [!NOTE]

-> If you've configured [autoscaling](api-management-howto-autoscale.md) for your API Management instance in the primary location, you might need to adjust your autoscale settings after enabling zone redundancy. The number of API Management units in autoscale rules and limits must be a multiple of the number of zones.

-## Enable zone redundancy - portal

-In the portal, optionally enable zone redundancy when you add a location to your API Management service, or update the configuration of an existing location.

-1. In the Azure portal, navigate to your API Management service and select **Locations** in the menu.

-1. Select an existing location, or select **+ Add** in the top bar. The location must [support availability zones](#supported-regions).

-1. Select the number of scale **[Units](upgrade-and-scale.md)** in the location.

-1. In **Availability zones**, select one or more zones. The number of units selected must distribute evenly across the availability zones. For example, if you selected 3 units, select 3 zones so that each zone hosts one unit.

-1. If the API Management instance is deployed in a [virtual network](api-management-using-with-vnet.md), select an existing virtual network, subnet, and public IP address that are available in the location. For an existing location, the virtual network and subnet must be configured from the Virtual Network blade.

-1. Select **Apply** and then select **Save**.

-> [!IMPORTANT]

-> The public IP address in the location changes when you enable, add, or remove availability zones. When updating availability zones in a region with network settings, you must configure a different public IP address resource than the one you set up previously.

-> [!NOTE]

-> It can take 15 to 45 minutes to apply the change to your API Management instance.

-## Next steps

-* Learn more about [deploying an Azure API Management service instance to multiple Azure regions](api-management-howto-deploy-multi-region.md).

-* You can also enable zone redundancy using an [Azure Resource Manager template](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.apimanagement/api-management-simple-zones).

-* Learn more about [Azure services that support availability zones](../availability-zones/az-region.md).

-* Learn more about building for [reliability](/azure/architecture/framework/resiliency/app-design) in Azure.

-Set environment variables to specify how to connect to a local PostgreSQL instance.

-This sample application requires an *.env* file describing how to connect to your local PostgreSQL instance. Create an *.env* file using the *.env.sample* file as a guide. Set the value of `DBNAME` to the name of an existing database in your local PostgreSQL instance. This tutorial assumes the database name is *restaurant*. Set the values of `DBHOST`, `DBUSER`, and `DBPASS` as appropriate for your local PostgreSQL instance.

-In a web browser, go to the sample application at `http://localhost:5000` and add some restaurants and restaurant reviews to see how the app works.

-In a web browser, go to the sample application at `http://localhost:8000` and add some restaurants and restaurant reviews to see how the app works.

-> * Connect your application and GitOps repositories to Azure Repos or Git Hub.

- func init LocalFunctionProj --worker-runtime dotnet-isolated

-This article is an introduction to using C# to develop .NET isolated process functions, which run out-of-process in Azure Functions. Running out-of-process lets you decouple your function code from the Azure Functions runtime. Isolated process C# functions run on .NET 5.0, .NET 6.0, and .NET Framework 4.8 (preview support). [In-process C# class library functions](functions-dotnet-class-library.md) aren't supported on .NET 5.0.

-Previously Azure Functions has only supported a tightly integrated mode for .NET functions, which run [as a class library](functions-dotnet-class-library.md) in the same process as the host. This mode provides deep integration between the host process and the functions. For example, .NET class library functions can share binding APIs and types. However, this integration also requires a tighter coupling between the host process and the .NET function. For example, .NET functions running in-process are required to run on the same version of .NET as the Functions runtime. To enable you to run outside these constraints, you can now choose to run in an isolated process. This process isolation also lets you develop functions that use current .NET releases (such as .NET 5.0), not natively supported by the Functions runtime. Both isolated process and in-process C# class library functions run on .NET 6.0. To learn more, see [Supported versions](#supported-versions).

-> To be able to publish your isolated function project to either a Windows or a Linux function app in Azure, you must set a value of `dotnet-isolated` in the remote [FUNCTIONS_WORKER_RUNTIME](functions-app-settings.md#functions_worker_runtime) application setting. To support [zip deployment](deployment-zip-push.md) and [running from the deployment package](run-functions-from-deployment-package.md) on Linux, you also need to update the `linuxFxVersion` site config setting to `DOTNET-ISOLATED|6.0`. To learn more, see [Manual version updates on Linux](set-runtime-version.md#manual-version-updates-on-linux).

-| .NET versions | .NET Core 3.1<br/>.NET 6.0 | .NET 5.0<br/>.NET 6.0<br/>.NET Framework 4.8 (Preview) |

-| 4.x | GA | **_Recommended runtime version for functions in all languages._** Use this version to [run C# functions on .NET 6.0 and .NET Framework 4.8](functions-dotnet-class-library.md#supported-versions). |

-You can also choose `net6.0` or `net48` as the target framework if you're using [.NET isolated process functions](dotnet-isolated-process-guide.md). Support for `net48` is currently in preview.

- * **Location**: select a location. For example, **West US 2**.

-Picking a location for your Azure Maps account that aligns with other resources in your subscription, like managed identities, may help to improve the level of service for [control-plane](../azure-resource-manager/management/control-plane-and-data-plane.md) operations.

-Any Azure Maps REST API on endpoint `atlas.microsoft.com`, `*.atlas.microsoft.com`, or other endpoints belonging to the Azure data-plane are not affected by the choice of the Azure Maps account location.

-> [!div class="nextstepaction"]

-> [!div class="nextstepaction"]

- :::image type="content" source="./media/quick-android-map/create-account.png" alt-text="A screenshot that shows the Create Maps account pane in the Azure portal.":::

-3. Select **Azure Maps** in the drop down list that appears, then select the **Create** button.

- :::image type="content" source="./media/quick-demo-map-app/create-account.png" alt-text="A screen shot showing the Create an Azure Maps Account resource page in the Azure portal." lightbox="./media/quick-demo-map-app/create-account.png":::

- :::image type="content" source="./media/quick-demo-map-app/interactive-search.png" alt-text="A screen shot showing the interactive map search web application." lightbox="./media/quick-demo-map-app/interactive-search.png":::

-* Setup your development environment.

- 

-First, create a new iOS App project. Complete these steps to create a Xcode project:

-* [Python](./opencensus-python.md)

-Azure Monitor autoscale applies only to [Virtual Machine Scale Sets](https://azure.microsoft.com/services/virtual-machine-scale-sets/), [Cloud Services](https://azure.microsoft.com/services/cloud-services/), [App Service - Web Apps](https://azure.microsoft.com/services/app-service/web/), [API Management services](../../api-management/api-management-key-concepts.md), and [Azure Data Explorer Clusters](/azure/data-explorer/).

-description: Profile web apps on an Azure VM by using Application Insights Profiler.

-# Profile web apps running on an Azure virtual machine or a virtual machine scale set by using Application Insights Profiler

-You can also deploy Azure Application Insights Profiler on these

-* [Azure App Service](./profiler.md?toc=%2fazure%2fazure-monitor%2ftoc.json)

-* [Azure Cloud Services](profiler-cloudservice.md?toc=/azure/azure-monitor/toc.json)

-* [Azure Service Fabric](?toc=%2fazure%2fazure-monitor%2ftoc.json)

-## Deploy Profiler on a virtual machine or a virtual machine scale set

-This article shows you how to get Application Insights Profiler running on your Azure virtual machine (VM) or Azure virtual machine scale set. Profiler is installed with the Azure Diagnostics extension for VMs. Configure the extension to run Profiler, and build the Application Insights SDK into your application.

-1. Add the Application Insights SDK to your [ASP.NET application](../app/asp-net.md).

- To view profiles for your requests, you must send request telemetry to Application Insights.

-1. Install Azure Diagnostics extension on your VM. For full Resource Manager template examples, see:

- * [Virtual machine](https://github.com/Azure/azure-docs-json-samples/blob/master/application-insights/WindowsVirtualMachine.json)

- * [Virtual machine scale set](https://github.com/Azure/azure-docs-json-samples/blob/master/application-insights/WindowsVirtualMachineScaleSet.json)

-

- The key part is the ApplicationInsightsProfilerSink in the WadCfg. To have Azure Diagnostics enable Profiler to send data to your iKey, add another sink to this section.

- ```json

- {

- "name": "ApplicationInsightsSink",

- "ApplicationInsights": "85f73556-b1ba-46de-9534-606e08c6120f"

- },

- "ApplicationInsightsProfiler": "85f73556-b1ba-46de-9534-606e08c6120f"

- },

- ```

-1. Deploy the modified environment deployment definition.

- Applying the modifications usually involves a full template deployment or a cloud service-based publish through PowerShell cmdlets or Visual Studio.

- The following PowerShell commands are an alternate approach for existing virtual machines that touch only the Azure Diagnostics extension. Add the previously mentioned ProfilerSink to the config that's returned by the Get-AzVMDiagnosticsExtension command. Then pass the updated config to the Set-AzVMDiagnosticsExtension command.

- $ConfigFilePath = [IO.Path]::GetTempFileName()

- # After you export the currently deployed Diagnostics config to a file, edit it to include the ApplicationInsightsProfiler sink.

- (Get-AzVMDiagnosticsExtension -ResourceGroupName "MyRG" -VMName "MyVM").PublicSettings | Out-File -Verbose $ConfigFilePath

- # Set-AzVMDiagnosticsExtension might require the -StorageAccountName argument

- # If your original diagnostics configuration had the storageAccountName property in the protectedSettings section (which is not downloadable), be sure to pass the same original value you had in this cmdlet call.

- Set-AzVMDiagnosticsExtension -ResourceGroupName "MyRG" -VMName "MyVM" -DiagnosticsConfigurationPath $ConfigFilePath

-1. If the intended application is running through [IIS](https://www.microsoft.com/web/downloads/platform.aspx), enable the `IIS Http Tracing` Windows feature.

- 1. Establish remote access to the environment, and then use the [Add Windows features](/iis/configuration/system.webserver/tracing/) window. Or run the following command in PowerShell (as administrator):

- ```powershell

- Enable-WindowsOptionalFeature -FeatureName IIS-HttpTracing -Online -All

- ```

-

- 1. If establishing remote access is a problem, you can use the [Azure CLI](/cli/azure/get-started-with-azure-cli) to run the following command:

- ```azurecli

- az vm run-command invoke -g MyResourceGroupName -n MyVirtualMachineName --command-id RunPowerShellScript --scripts "Enable-WindowsOptionalFeature -FeatureName IIS-HttpTracing -Online -All"

- ```

-1. Deploy your application.

-## Set Profiler Sink using Azure Resource Explorer

-We don't yet have a way to set the Application Insights Profiler sink from the portal. Instead of using PowerShell as described above, you can use Azure Resource Explorer to set the sink. But note, if you deploy the VM again, the sink will be lost. You'll need to update the config you use when deploying the VM to preserve this setting.

-1. Check that the Windows Azure Diagnostics extension is installed by viewing the extensions installed for your virtual machine.

- ![Check if WAD extension is installed][wadextension]

-2. Find the VM Diagnostics extension for your VM. Go to [https://resources.azure.com](https://resources.azure.com). Expand your resource group, Microsoft.Compute virtualMachines, virtual machine name, and extensions.

- ![Navigate to WAD config in Azure Resource Explorer][azureresourceexplorer]

-3. Add the Application Insights Profiler sink to the SinksConfig node under WadCfg. If you don't already have a SinksConfig section, you may need to add one. Be sure to specify the proper Application Insights iKey in your settings. You'll need to switch the explorers mode to Read/Write in the upper right corner and Press the blue 'Edit' button.

- ![Add Application Insights Profiler Sink][resourceexplorersinksconfig]

-4. When you're done editing the config, press 'Put'. If the put is successful, a green check will appear in the middle of the screen.

- ![Send put request to apply changes][resourceexplorerput]

-We have no plan to support Application Insights Profiler for on-premises servers.

-## Next steps

-[azureresourceexplorer]: ./media/profiler-vm/azure-resource-explorer.png

-[resourceexplorerput]: ./media/profiler-vm/resource-explorer-put.png

-[resourceexplorersinksconfig]: ./media/profiler-vm/resource-explorer-sinks-config.png

-[wadextension]: ./media/profiler-vm/wad-extension.png

-The command creates a file named _main.bicep_ in the same directory as the ARM template.

-Open ID Connect is an authentication method that uses short-lived tokens. Setting up [OpenID Connect with GitHub Actions](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect) is more complex process that offers hardened security.

-1. If you do not have an existing application, register a [new Active Directory application and service principal that can access resources](../../active-directory/develop/howto-create-service-principal-portal.md). Create the Active Directory application.

- This command will output JSON with an `appId` that is your `client-id`. Save the value to use as the `AZURE_CLIENT_ID` GitHub secret later.

-1. Create a service principal. Replace the `$appID` with the appId from your JSON output.

- This command generates JSON output with a different `objectId` and will be used in the next step. The new `objectId` is the `assignee-object-id`.

-

- Copy the `appOwnerTenantId` to use as a GitHub secret for `AZURE_TENANT_ID` later.

-1. Create a new role assignment by subscription and object. By default, the role assignment will be tied to your default subscription. Replace `$subscriptionId` with your subscription ID, `$resourceGroupName` with your resource group name, and `$assigneeObjectId` with the generated `assignee-object-id`. Learn [how to manage Azure subscriptions with the Azure CLI](/cli/azure/manage-azure-subscriptions-azure-cli).

-

- az rest --method POST --uri 'https://graph.microsoft.com/beta/applications/<APPLICATION-OBJECT-ID>/federatedIdentityCredentials' --body '{"name":"<CREDENTIAL-NAME>","issuer":"https://token.actions.githubusercontent.com","subject":"repo:organization/repository:ref:refs/heads/main","description":"Testing","audiences":["api://AzureADTokenExchange"]}'

-

-

- parameters: storagePrefix=mystore

-

-

-

- parameters: storagePrefix=mystore

-A group of controls with built-in validation for Windows and Linux passwords and SSH public keys.

-

-

-

-For inline comments, you can use either `//` or `/* ... */`.

-To start extracting insights with Azure Video Indexer, you need to [create an account](connect-to-azure.md) and upload videos, see the [how can i get started](#how-can-i-get-started-with-azure-video-indexer) section below.

-## Backup Alerts in Recovery Services vault

-Alerts are primarily scenarios where users are notified so that they can take relevant action. The **Backup Alerts** section shows alerts generated by Azure Backup service. These alerts are defined by the service and user can't custom create any alerts.

-### Alert scenarios

-The following scenarios are defined by service as alertable scenarios.

-### Alerts from the following Azure Backup solutions are shown here

-> [!NOTE]

-> Alerts from System Center Data Protection Manager (SC-DPM), Microsoft Azure Backup Server (MABS) aren't displayed here.

-### Consolidated Alerts

-For Azure workload backup solutions such as SQL and SAP HANA, log backups can be generated very frequently (up to every 15 minutes according to the policy). So it's also possible that the log backup failures are also very frequent (up to every 15 minutes). In this scenario, the end user will be overwhelmed if an alert is raised for each failure occurrence. So an alert is sent for the first occurrence and if the later failures are because of the same root cause, then further alerts aren't generated. The first alert is updated with the failure count. But if the alert is inactivated by the user, the next occurrence will trigger another alert and this will be treated as the first alert for that occurrence. This is how Azure Backup performs alert consolidation for SQL and SAP HANA backups. On-demand backup jobs are not consolidated.

-### Exceptions when an alert is not raised

-There are few exceptions when an alert isn't raised on a failure. They are:

-The exceptions above are designed from the understanding that the result of these operations (primarily user triggered) shows up immediately on portal/PS/CLI clients. So the user is immediately aware and doesn't need a notification.

-### Alert types

-Based on alert severity, alerts can be defined in three types:

-## Notification for Backup Alerts

-> [!NOTE]

-> Configuration of notification can be done only through the Azure portal. PS/CLI/REST API/Azure Resource Manager Template support isn't supported.

-Once an alert is raised, users are notified. Azure Backup provides an inbuilt notification mechanism via e-mail. One can specify individual email addresses or distribution lists to be notified when an alert is generated. You can also choose whether to get notified for each individual alert or to group them in an hourly digest and then get notified.

-

-When notification is configured, you'll receive a welcome or introductory email. This confirms that Azure Backup can send emails to these addresses when an alert is raised.<br>

-If the frequency was set to an hourly digest and an alert was raised and resolved within an hour, it won't be a part of the upcoming hourly digest.

-> [!NOTE]

->

-> - If a destructive operation such as **stop protection with delete data** is performed, an alert is raised and an email is sent to subscription owners, admins, and co-admins even if notifications aren't configured for the Recovery Services vault.

-> - To configure notification for successful jobs use [Log Analytics](backup-azure-monitoring-use-azuremonitor.md#using-log-analytics-workspace).

-## Inactivating alerts

-To inactivate/resolve an active alert, you can select the list item corresponding to the alert you wish to inactivate. This opens up a screen that displays detailed information about the alert, with an **Inactivate** button on the top. Selecting this button will change the status of the alert to **Inactive**. You may also inactivate an alert by right-clicking on the list item corresponding to that alert and selecting **Inactivate**.

-

-Azure Backup also provides alerts via Azure Monitor, to enable users to have a consistent experience for alert management across different Azure services, including backup. With Azure Monitor alerts, you can route alerts to any notification channel supported by Azure Monitor such as email, ITSM, Webhook, Logic App and so on.

-Currently, Azure Backup has made two main types of built-in alerts available:

-* **Security Alerts**: For scenarios, such as deletion of backup data, or disabling of soft-delete functionality for a vault, security alerts (of severity Sev 0) are fired, and displayed in the Azure portal or consumed via other clients (PowerShell, CLI and REST API). Security alerts are generated by default and can't be turned off. However, you can control the scenarios for which the notifications (for example, emails) should be fired. For more information on how to configure notifications, see [Action rules](../azure-monitor/alerts/alerts-action-rules.md).

-* **Job Failure Alerts**: For scenarios, such as backup failure and restore failure, Azure Backup provides built-in alerts via Azure Monitor (of Severity Sev 1). Unlike security alerts, you can choose to turn off Azure Monitor alerts for job failure scenarios. For example, if you have already configured custom alert rules for job failures via Log Analytics, and don't need built-in alerts to be fired for every job failure. By default, alerts for job failures are turned off. Refer to the [section on turning on alerts for these scenarios](#turning-on-azure-monitor-alerts-for-job-failure-scenarios) for more details.

-

-| Security | Delete Backup Data | - Azure Virtual Machine <br><br> - SQL in Azure VM (non-AG scenarios) <br><br> - SAP HANA in Azure VM <br><br> - Azure Backup Agent <br><br> - DPM <br><br> - Azure Backup Server <br><br> - Azure Database for PostgreSQL Server <br><br> - Azure Blobs <br><br> - Azure Managed Disks | Stop protection with delete data alert is only generated if soft-delete functionality is enabled for the vault, that is, if soft-delete feature is disabled for a vault, then a single alert is sent to notify the user that soft-delete has been disabled. Subsequent deletion of backup data of any item does not raise an alert. |

-| Security | Upcoming Purge | - Azure Virtual Machine <br><br> - SQL in Azure VM (non-AG scenarios) <br><br> - SAP HANA in Azure VM | For all workloads which support soft-delete, this alert is fired when the backup data for an item is 2 days away from being permanently purged by the Azure Backup service |

-| Security | Soft Delete Disabled for Vault | Recovery Services vaults | This alert is fired when the soft-deleted backup data for an item has been permanently deleted by the Azure Backup service |

-| Jobs | Backup Failure | - Azure Virtual Machine <br><br> - SQL in Azure VM (non-AG scenarios) <br><br> - SAP HANA in Azure VM <br><br> - Azure Backup Agent <br><br> - Azure Files <br><br> - Azure Database for PostgreSQL Server <br><br> - Azure Managed Disks | This alert is fired when a backup job failure has occurred. By default, alerts for backup failures are turned off. Refer to the [section on turning on alerts for this scenario](#turning-on-azure-monitor-alerts-for-job-failure-scenarios) for more details. |

-| Jobs | Restore Failure | - Azure Virtual Machine <br><br> - SQL in Azure VM (non-AG scenarios) <br><br> - SAP HANA in Azure VM <br><br> - Azure Backup Agent <br><br> - Azure Files <br><br> - Azure Database for PostgreSQL Server <br><br> - Azure Blobs <br><br> - Azure Managed Disks | This alert is fired when a restore job failure has occurred. By default, alerts for restore failures are turned off. Refer to the [section on turning on alerts for this scenario](#turning-on-azure-monitor-alerts-for-job-failure-scenarios) for more details. |

-To opt in to Azure Monitor alerts for backup failure and restore failure scenarios, follow the below steps:

-1. Go to the Azure portal and search for **Preview Features**.

- :::image type="content" source="media/backup-azure-monitoring-laworkspace/portal-preview-features.png" alt-text="Screenshot for viewing preview features in portal.":::

-1. You can view the list of all preview features that are available for you to opt in to.

- To receive job failure alerts for workloads backed up to Recovery Services vaults, select the flag named **EnableAzureBackupJobFailureAlertsToAzureMonitor** corresponding to *Microsoft.RecoveryServices* provider (column 3).

- :::image type="content" source="media/backup-azure-monitoring-laworkspace/alert-preview-feature-flags.png" alt-text="Screenshot for Alerts preview registration.":::

-1. Click **Register** to enable this feature for your subscription.

- > [!NOTE]

- > It may take up to 24 hours for the registration to take effect. To enable this feature for multiple subscriptions, repeat the above process by selecting the relevant subscription at the top of the screen. We also recommend to re-register the preview flag if a new resource has been created in the subscription after the initial registration to continue receiving alerts.

-1. As a best practice, we also recommend you to register the resource provider to ensure that the feature registration information gets synced with the Azure Backup service as expected.

- To register the resource provider, run the following PowerShell command in the subscription for which you have registered the feature flag.

- ```powershell

- Register-AzResourceProvider -ProviderNamespace <ProviderNamespace>

- ```

- To receive alerts for Recovery Services vaults, use the value *Microsoft.RecoveryServices* for the *ProviderNamespace* parameter.

-1. Go to the vault and click **Properties**.

-1. Locate the **Monitoring Settings** vault property and click **Update**.

-1. Click **Update** to save the setting for the vault.

-Once an alert is fired for a vault, you can go to Backup center to view the alert in the Azure portal. On the **Overview** tab, you can see a summary of active alerts split by severity. There're two kinds of alerts displayed:

-* **Datasource Alerts**: Alerts that are tied to a specific datasource being backed up (for example, back up or restore failure for a VM, deleting backup data for a database, and so on) appear under the **Datasource Alerts** section.

-* **Global Alerts**: Alerts that are not tied to a specific datasource (for example, disabling soft-delete functionality for a vault) appear under the **Global Alerts** section.

-Each of the above types of alerts is further split into **Security** and **Configured** alerts. Currently, Security alerts include the scenarios of deleting backup data, or disabling soft-delete for vault (for the applicable workloads as detailed in the above section). Configured alerts include backup failure and restore failure since these alerts are only fired after registering the feature in the preview portal.

-Clicking any of the numbers (or on the **Alerts** menu item) opens up a list of all active alerts fired with the relevant filters applied. You can filter on a range of properties, such as subscription, resource group, vault, severity, state, and so on. You can click any of the alerts to get more details about the alert, such as the affected datasource, alert description and recommended action, and so on.

-You can change the state of an alert to **Acknowledged** or **Closed** by clicking on **Change Alert State**.

-> - In Backup center, only alerts for Azure-based workloads are displayed currently. To view alerts for on-premises resources, navigate to the Recovery Services vault and click the **Alerts** menu item.

-> - Only Azure Monitor alerts are displayed in Backup center. Alerts raised by the older alerting solution (accessed via the [Backup Alerts](#backup-alerts-in-recovery-services-vault) tab in Recovery Services vault) are not displayed in Backup center. For more information about Azure Monitor alerts, see [Overview of alerts in Azure](../azure-monitor/alerts/alerts-overview.md).

-> - Currently, in case of blob restore alerts, alerts appear under datasource alerts only if you select both the dimensions - *datasourceId* and *datasourceType* while creating the alert rule. If any dimensions aren't selected, the alerts appear under global alerts.

-To configure notifications for Azure Monitor alerts, create an [alert processing rule](../azure-monitor/alerts/alerts-action-rules.md). To create an alert processing rule (earlier called _action rule_) to send email notifications to a given email address, follow these steps. Also, follow these steps to routing these alerts to other notification channels, such as ITSM, webhook, logic app, and so on.

-1. Click **Alerts (Preview)** from the menu and select **Alert processing rules (preview)**.

-1. Click **Create**.

-1. Click **Review+Create** and then **Create** to deploy the action group.

-8. Save the action rule.

-> Don't forget to use double quotation marks around attribute values. Standards for well-formed, valid XML requires attribute values to be enclosed in double quotation marks. For example, `<prosody volume="90">` is a well-formed, valid element, but `<prosody volume=90>` is not. SSML might not recognize attribute values that aren't in double quotation marks.

-You can adjust the speaking language for the `en-US-JennyMultilingualNeural` neural voice at the sentence level and word level by using the `<lang xml:lang>` element. The `en-US-JennyMultilingualNeural` neural voice is multilingual in 14 languages (For example: English, Spanish, and Chinese). The supported languages are provided in a table following the `<lang>` syntax and attribute definitions.

-Within the `speak` element, you can specify multiple languages including `en-US` for text-to-speech output. For each adjusted language, the text must match the language and be wrapped in a `voice` element. This SSML snippet shows how to use `<lang xml:lang>` to change the speaking languages to `es-MX`, `en-US`, and `fr-FR`.

- ¡Esperamos trabajar con usted!

-This SSML snippet demonstrates how the `emphasis` element is used to add moderate level emphasis for the word "meetings".

-

-<speak version="1.0" xmlns="http://www.w3.org/2001/10/synthesis" xmlns:mstts="https://www.w3.org/2001/mstts" xml:lang="en-US">

- <voice name="en-US-GuyNeural">

- I can help you join your <emphasis level="moderate">meetings</emphasis> fast.

- </voice>

-</speak>

-The Mathematical Markup Language (MathML) is an XML-compliant markup language that lets developers specify how input text is converted into synthesized speech by using text-to-speech.

-> The MathML elements (tags) are currently supported by all neural voices in the `en-US` and `en-AU` locales.

-[**Management APIs reference documentation**](/azure/rest/api/cognitiveservices/)

-# DCasv5 and ECasv5 series confidential VMs (preview)

-> [!IMPORTANT]

-> Azure DCasv5/ECasv5-series confidential virtual machines are currently in Preview. Use is subject to your [Azure subscription](https://azure.microsoft.com/support/legal/) and terms applicable to "Previews" as detailed in the Universal License Terms for Online Services section of the [Microsoft Product Terms](https://www.microsoft.com/licensing/terms/welcome/welcomepage) and the [Microsoft Products and Services Data Protection Addendum](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) ("DPA").

-Confidential VMs offer a new and enhanced disk encryption scheme. This scheme protects all critical partitions of the disk. It also binds disk encryption keys to the virtual machine's TPM and makes the protected disk content accessible only to the VM. These encryption keys can securely bypass Azure components, including the hypervisor and host operating system. To minimize the attack potential, a dedicated and separate cloud service also encrypts the disk during the initial creation of the VM.

-If the compute platform is missing critical settings for your VM's isolation then during boot [Azure Attestation](https://azure.microsoft.com/services/azure-attestation/) will not attest to the platform's health. This will prevent the VM from starting. For example, this scenario happens if you haven't enabled SEV-SNP.

-Confidential VMs use both the OS disk and a small encrypted virtual machine guest state (VMGS) disk of several megabytes. The VMGS disk contains the security state of the VM's components. Some components include the vTPM and UEFI bootloader. The small VMGS disk might incur a monthly storage cost.

-Confidential VMs boot only after successful attestation of the platform's critical components and security settings. The attestation report includes:

-Confidential VMs feature a virtual TPM (vTPM) for Azure VMs. The vTPM is a virtualized version of a hardware TPM, and complies with the TPM2.0 spec. You can use a vTPM as a dedicated, secure vault for keys and measurements. Confidential VMs have their own dedicated vTPM instance, which runs in a secure environment outside the reach of any VM.

-# Quickstart: Deploy confidential VM with ARM template (preview)

-> [!IMPORTANT]

-> Confidential virtual machines (confidential VMs) in Azure Confidential Computing is currently in PREVIEW.

-> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-# Quickstart: Create confidential VM on AMD in the Azure portal (preview)

-> [!IMPORTANT]

-> Confidential virtual machines (confidential VMs) in Azure Confidential Computing is currently in PREVIEW.

-> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

- 1. For **Image**, select the OS image to use for your VM. For this tutorial, select **Ubuntu Server 20.04 LTS (Confidential VM preview)**, **Windows Server 2019 [Small disk] Data Center**, or **Windows Server 2022 [Small disk] Data Center**.

-# Azure Confidential VM options on AMD (preview)

-To deploy a confidential VM instance, consider a pay-as-you-go subscription or other purchase option. If you're using an [Azure free account](https://azure.microsoft.com/free/), the quota doesn't allow the appropriate amount of Azure compute cores.

-You're responsible for creating high availability and disaster recovery solutions for your confidential VMs. Planning for these scenarios helps minimize avoid prolonged downtime.

- --query id --output tsv)

-|HTTPS/SSL/TLS encryption|All connections to Azure Cosmos DB support HTTPS. Azure Cosmos DB also supports TLS 1.2.<br>It is possible to enforce a minimum TLS version server-side. To do so, open an [Azure support ticket](https://azure.microsoft.com/support/options/).|

-In this quickstart, you'll build a sample Go application that uses the Azure SDK for Go to manage a Cosmos DB SQL API account.

- * [Try Azure Cosmos DB for free](https://azure.microsoft.com/try/cosmosdb/), a tests environment that lasts for 30 days.

-> [Import data into Azure Cosmos DB for the SQL API](../import-data.md)

-### What's the difference between the Invoice API, the Transaction API, and the Cost Details API?

-The [Cost Details](/rest/api/cost-management/generate-cost-details-report) report is only available for customers with an Enterprise Agreement or Microsoft Customer Agreement. If you're an MSDN, Pay-As-You-Go or Visual Studio customer, see [Get cost details as a legacy customer](get-usage-details-legacy-customer.md).

-description: This article explains how you get cost data if you're a legacy customer.

-# Get cost details as a legacy customer

-If you have an MSDN, pay-as-you-go, or Visual Studio Azure subscription, we recommend that you use [Exports](../costs/tutorial-export-acm-data.md) or the [Exports API](../costs/ingest-azure-usage-at-scale.md) to get cost details data (formerly known as usage details). The [Cost Details](/rest/api/cost-management/generate-cost-details-report) API report isn't supported for your subscription type yet.

-For legacy customers, use the following call.

-| resourceGuid | MeterId | |

-| consumedServiceId | ConsumedService | |

-The Cost Details API is only available for customers with an Enterprise Agreement or Microsoft Customer Agreement. If you're an MSDN, pay-as-you-go or Visual Studio customer, see [Get usage details as a legacy customer](get-usage-details-legacy-customer.md).

-The Azure Consumption APIs give you programmatic access to cost and usage data for your Azure resources. These APIs currently only support Enterprise Enrollments, Web Direct Subscriptions (with a few exceptions), and CSP Azure plan subscriptions. The APIs are continually updated to support other types of Azure subscriptions.

-Azure Consumption APIs provide access to:

-If the existing enterprise administrator isn't available, contact your partner or software advisor to request that they change the contact details through the Volume Licensing Service Center (VLSC) tool.

- - If the existing enterprise administrator isn't available, contact your partner or software advisor to request that they change the contact details through the Volume Licensing Service Center (VLSC) tool.

-Support plans can't be transferred. If you have a support plan, you should cancel it for the old agreement and then buy a new one for the new agreement.

-| EA | MOSP (PAYG) | <ul><li>Transfer from an EA enrollment to a MOSP subscription requires a [billing support ticket](https://azure.microsoft.com/support/create-ticket/). <li> Reservations don't automatically transfer and transferring them isn't supported. |

-| EA | MCA - individual | <ul><li>For details, see [Transfer Azure subscription billing ownership for a Microsoft Customer Agreement](mca-request-billing-ownership.md). <li> Self-service reservation transfers are supported. |

-| EA | EA | <ul><li>Transferring between EA enrollments requires a [billing support ticket](https://azure.microsoft.com/support/create-ticket/). <li> Self-service reservation transfers are supported. <li> Transfer within the same enrollment is the same action as changing the account owner. For details, see [Change EA subscription or account ownership](ea-portal-administration.md#change-azure-subscription-or-account-ownership). |

-| EA | MCA - Enterprise | <ul><li> Transferring all enrollment products is completed as part of the MCA transition process from an EA. For more information, see [Complete Enterprise Agreement tasks in your billing account for a Microsoft Customer Agreement](mca-enterprise-operations.md). <li> If you want to transfer specific products, not all of the products in an enrollment, see [Transfer Azure subscription billing ownership for a Microsoft Customer Agreement](mca-request-billing-ownership.md). <li> Self-service reservation transfers are supported. |

-| EA | MPA | <ul><li> Only CSP direct bill partners certified as an [Azure Expert Managed Services Provider (MSP)](https://partner.microsoft.com/membership/azure-expert-msp) can request to transfer Azure products for their customers that have a Direct Enterprise Agreement (EA). For more information, see [Get billing ownership of Azure subscriptions to your MPA account](mpa-request-ownership.md). Product transfers are allowed only for customers who have accepted a Microsoft Customer Agreement (MCA) and purchased an Azure plan with the CSP Program. <li> There are limitations and restrictions. For more information, see [Transfer EA subscriptions to a CSP partner](transfer-subscriptions-subscribers-csp.md#transfer-ea-subscriptions-to-a-csp-partner). |

-| MCA - individual | MOSP (PAYG) | <ul><li> For details, see [Transfer billing ownership of an Azure subscription to another account](billing-subscription-transfer.md). <li> Reservations don't automatically transfer and transferring them isn't supported. |

-| MCA - individual | MCA - individual | <ul><li>For details, see [Transfer Azure subscription billing ownership for a Microsoft Customer Agreement](mca-request-billing-ownership.md). <li> Self-service reservation transfers are supported. |

-| MCA - individual | EA | <ul><li> For details, see [Transfer a subscription to an EA](mosp-ea-transfer.md#transfer-the-subscription-to-the-ea). <li> Self-service reservation transfers are supported. |

-| MCA - individual | MCA - Enterprise | <ul><li> For details, see [Transfer Azure subscription billing ownership for a Microsoft Customer Agreement](mca-request-billing-ownership.md).<li> Self-service reservation transfers are supported. |

-| MCA - Enterprise | MOSP | <ul><li> Requires a [billing support ticket](https://azure.microsoft.com/support/create-ticket/). <li> Reservations don't automatically transfer and transferring them isn't supported. |

-| MCA - Enterprise | MCA - individual | <ul><li> For details, see [Transfer Azure subscription billing ownership for a Microsoft Customer Agreement](mca-request-billing-ownership.md). <li> Self-service reservation transfers are supported. |

-| MCA - Enterprise | MCA - Enterprise | <ul><li> For details, see [Transfer Azure subscription billing ownership for a Microsoft Customer Agreement](mca-request-billing-ownership.md). <li> Self-service reservation transfers are supported. |

-| MCA - Enterprise | MPA | <ul><li> Only CSP direct bill partners certified as an [Azure Expert Managed Services Provider (MSP)](https://partner.microsoft.com/membership/azure-expert-msp) can request to transfer Azure products for their customers that have a Microsoft Customer Agreement with a Microsoft representative. For more information, see [Get billing ownership of Azure subscriptions to your MPA account](mpa-request-ownership.md). Product transfers are allowed only for customers who have accepted a Microsoft Customer Agreement (MCA) and purchased an Azure plan with the CSP Program. <li> Self-service reservation transfers are supported. <li> There are limitations and restrictions. For more information, see [Transfer EA subscriptions to a CSP partner](transfer-subscriptions-subscribers-csp.md#transfer-ea-subscriptions-to-a-csp-partner). |

-| Previous Azure offer in CSP | Previous Azure offer in CSP | <ul><li> Requires a [billing support ticket](https://azure.microsoft.com/support/create-ticket/). <li> Reservations don't automatically transfer and transferring them isn't supported. |

-| MPA | EA | <ul><li> Automatic transfer isn't supported. Any transfer requires resources to move from the existing MPA product manually to a newly created or an existing EA product. <li> Use the information in the [Perform resource transfers](#perform-resource-transfers) section. <li> Reservations don't automatically transfer and transferring them isn't supported. |

-| MPA | MPA | <ul><li> For details, see [Transfer Azure subscription billing ownership for a Microsoft Customer Agreement](mca-request-billing-ownership.md). <li> Self-service reservation transfers are supported. |

-| MOSP (PAYG) | MOSP (PAYG) | <ul><li> If you're changing the billing owner of the subscription, see [Transfer billing ownership of an Azure subscription to another account](billing-subscription-transfer.md). <li> Reservations don't automatically transfer so you must open a [billing support ticket](https://azure.microsoft.com/support/create-ticket/) to transfer them. |

-| MOSP (PAYG) | MCA - individual | <ul><li> For details, see [Transfer Azure subscription billing ownership for a Microsoft Customer Agreement](mca-request-billing-ownership.md). <li> Self-service reservation transfers are supported. |

-| MOSP (PAYG) | EA | <ul><li>If you're transferring the subscription to the EA enrollment, see [Transfer a subscription to an EA](mosp-ea-transfer.md#transfer-the-subscription-to-the-ea). <li> If you're changing billing ownership, see [Change Azure subscription or account ownership](ea-portal-administration.md#change-azure-subscription-or-account-ownership). |

-| MOSP (PAYG) | MCA - Enterprise | <ul><li> For details, see [Transfer Azure subscription billing ownership for a Microsoft Customer Agreement](mca-request-billing-ownership.md). <li> Self-service reservation transfers are supported. |

-# User defined functions (Preview) in mapping data flow

-> [!IMPORTANT]

-> User defined functions and mapping data flow libraries are currently in public preview.

-This Spark connector is supported for the following activities:

-You can copy data from Spark to any supported sink data store. For a list of data stores that are supported as sources/sinks by the copy activity, see the [Supported data stores](copy-activity-overview.md#supported-data-stores-and-formats) table.

-This SQL Server connector is supported for the following activities:

-You can copy data from a SQL Server database to any supported sink data store. Or, you can copy data from any supported source data store to a SQL Server database. For a list of data stores that are supported as sources or sinks by the copy activity, see the [Supported data stores](copy-activity-overview.md#supported-data-stores-and-formats) table.

-This Sybase connector is supported for the following activities:

-You can copy data from Sybase database to any supported sink data store. For a list of data stores that are supported as sources/sinks by the copy activity, see the [Supported data stores](copy-activity-overview.md#supported-data-stores-and-formats) table.

-This Teradata connector is supported for the following activities:

-You can copy data from Teradata Vantage to any supported sink data store. For a list of data stores that are supported as sources/sinks by the copy activity, see the [Supported data stores](copy-activity-overview.md#supported-data-stores-and-formats) table.

-This Vertica connector is supported for the following activities:

-You can copy data from Vertica to any supported sink data store. For a list of data stores that are supported as sources/sinks by the copy activity, see the [Supported data stores](copy-activity-overview.md#supported-data-stores-and-formats) table.

-|**OT networks** |**Sensor software version 22.2.3**:<br><br>- [OT appliance hardware profile updates](#ot-appliance-hardware-profile-updates)<br>- [PCAP access from the Azure portal](#pcap-access-from-the-azure-portal-public-preview)<br>- [Bi-directional alert synch between sensors and the Azure portal](#bi-directional-alert-synch-between-sensors-and-the-azure-portal-public-preview)<br>- [Support diagnostic log enhancements](#support-diagnostic-log-enhancements-public-preview)<br>- [Improved security for uploading protocol plugins](#improved-security-for-uploading-protocol-plugins)<br><br>To update to version 22.2.3:<br>- From version 22.1.x, update directly to version 22.2.3<br>- From version 10.x, first update to version 21.1.6, and then update again to 22.2.3<br><br>For more information, see [Update Defender for IoT OT monitoring software](update-ot-software.md). |

-description: Learn how to route events within Azure Digital Twins and to other Azure Services.

-# Route events within and outside of Azure Digital Twins

-This article covers *event routes* and how Azure Digital Twins uses them to send data internally and to consumers outside the service.

-There are two major cases for sending Azure Digital Twins data:

-* Sending data from one twin in the Azure Digital Twins graph to another. For instance, when a property on one digital twin changes, you may want to notify and update another digital twin based on the updated data.

-* Sending data to downstream data services for more storage or processing (also known as *data egress*). For instance, a business that is already using [Azure Maps](../azure-maps/about-azure-maps.md) may want to use Azure Digital Twins to enhance their solution. They can quickly enable an Azure Map after setting up Azure Digital Twins, bring Azure Map entities into Azure Digital Twins as [digital twins](concepts-twins-graph.md) in the twin graph, or run powerful queries using their Azure Maps and Azure Digital Twins data together.

-Event routes are used for both of these scenarios.

-An event route lets you send event data from digital twins in Azure Digital Twins to custom-defined endpoints in your subscriptions. Three Azure services are currently supported for endpoints: [Event Hubs](../event-hubs/event-hubs-about.md), [Event Grid](../event-grid/overview.md), and [Service Bus](../service-bus-messaging/service-bus-messaging-overview.md). Each of these Azure services can be connected to other services and acts as the middleman, sending data along to final destinations such as Time Series Insights or Azure Maps for whatever processing you need.

-Azure Digital Twins implements *at least once* delivery for data emitted to egress services.

-The following diagram illustrates the flow of event data through a larger IoT solution with an Azure Digital Twins aspect:

-Typical downstream targets for event routes are resources like Time Series Insights, Azure Maps, storage, and analytics solutions.

-### Event routes for internal digital twin events

-Event routes are also used to handle events within the twin graph and send data from digital twin to digital twin. This sort of event handling is done by connecting event routes through Event Grid to compute resources, such as [Azure Functions](../azure-functions/functions-overview.md). These functions then define how twins should receive and respond to events.

-When a compute resource wants to modify the twin graph based on an event that it received via event route, it's helpful for it to know which twin it wants to modify ahead of time.

-The event message also contains the ID of the source twin that sent the message, so the compute resource can use queries or traverse relationships to find a target twin for the desired operation.

-See how to set up and manage an event route:

-Or, see how to use Azure Functions to route events within Azure Digital Twins:

-When you use [CLI](create-view-manage-system-topics-cli.md), [REST](/rest/api/eventgrid/controlplane-version2021-12-01/event-subscriptions/create-or-update), or [Azure Resource Manager template](create-view-manage-system-topics-arm.md), you can choose either of the above methods. We recommend that you create a system topic first and then create a subscription on the topic, as it's the latest way of creating system topics.

-Use the PowerShell command: [`New-AzEventHubApplicationGroup`](//powershell/module/az.eventhub/new-azeventhubapplicationgroup) to create an application group in an Event Hubs namespace.

-# Tutorial: Connect a virtual network to an ExpressRoute circuit

-> * [Video - Azure portal](https://azure.microsoft.com/documentation/videos/azure-expressroute-how-to-create-a-connection-between-your-vpn-gateway-and-expressroute-circuit)

-This article helps you link virtual networks (VNets) to Azure ExpressRoute circuits by using the Resource Manager deployment model and PowerShell. Virtual networks can either be in the same subscription or part of another subscription. This article also shows you how to update a virtual network link.

-* You can link up to 10 virtual networks to a standard ExpressRoute circuit. All virtual networks must be in the same geopolitical region when using a standard ExpressRoute circuit.

-* A single VNet can be linked to up to 16 ExpressRoute circuits. Use the steps in this article to create a new connection object for each ExpressRoute circuit you're connecting to. The ExpressRoute circuits can be in the same subscription, different subscriptions, or a mix of both.

-* If you enable the ExpressRoute premium add-on, you can link virtual networks outside of the geopolitical region of the ExpressRoute circuit. The premium add-on will also allow you to connect more than 10 virtual networks to your ExpressRoute circuit depending on the bandwidth chosen. Check the [FAQ](expressroute-faqs.md) for more details on the premium add-on.

-* In order to create the connection from the ExpressRoute circuit to the target ExpressRoute virtual network gateway, the number of address spaces advertised from the local or peered virtual networks needs to be equal to or less than **200**. Once the connection has been successfully created, you can add additional address spaces, up to 1,000, to the local or peered virtual networks.

-### FastPath and Private Link for 100Gbps ExpressRoute Direct

-With FastPath and Private Link, Private Link traffic sent over ExpressRoute bypassess the ExpressRoute virtual network gateway in the data path. This is Generally Available for connections associated to 100Gb ExpressRoute Direct circuits. To enable this, follow the below guidance:

-* Virtual Network (Vnet) Resource ID

-3. Disable and Enable FastPath on the target connection(s) to enables the changes. Once this step is complete. 100Gb Private Link traffic over ExpressRoute will bypass the ExpressRoute Virtual Network Gateway in the data path.

-FastPath support for virtual network peering is now in Public preview, both IPv4 and IPv6 scenarios are supported. IPv4 FastPath and Vnet peering can be enabled on connections associated to both ExpressRoute Direct and ExpressRoute Partner circuits. IPv6 FastPath and Vnet peering support is limited to connections associated to ExpressRoute Direct.

-To enroll in these previews, run the follow Azure PowerShell command in the target Azure subscription:

-### FastPath and Private Link for 10Gbps ExpressRoute Direct

-With FastPath and Private Link, Private Link traffic sent over ExpressRoute bypassess the ExpressRoute virtual network gateway in the data path. This preview supports connections associated to 10Gbps ExpressRoute Direct circuits. This preview doesn't support ExpressRoute circuits managed by an ExpressRoute partner.

-For more information about ExpressRoute, see the ExpressRoute FAQ.

-> [ExpressRoute FAQ](expressroute-faqs.md)

-# Tutorial: Connect a virtual network to an ExpressRoute circuit using the portal

-> * [Video - Azure portal](https://azure.microsoft.com/documentation/videos/azure-expressroute-how-to-create-a-connection-between-your-vpn-gateway-and-expressroute-circuit)

-This tutorial helps you create a connection to link a virtual network to an Azure ExpressRoute circuit using the Azure portal. The virtual networks that you connect to your Azure ExpressRoute circuit can either be in the same subscription or be part of another subscription.

-In this tutorial, you learned how to connect a virtual network to a circuit in the same subscription and a different subscription. For more information about ExpressRoute gateways, see: [ExpressRoute virtual network gateways](expressroute-about-virtual-network-gateways.md).

-Additional KQL log queries were added (as seen in the following screenshot) to query structured firewall logs.

-| Routing rule with caching enabled. Cache misses at both edge and parent cache POPP | 2 | 1. Edge POP code</br>2. Parent cache POP code | 1. Edge POP code</br>2. Parent cache POP code | 1. True</br>2. False | 1. MISS</br>2. MISS |

-```

-* [Upload data to HDInsight](../hdinsight-upload-data.md): Find other methods for uploading data to HDInsight/Azure Blob storage.

-* [Troubleshoot Permission Error Create Table](./interactive-query-troubleshoot-permission-error-create-table.md)

-description: How to open a help request for Azure HPC Cache, including how to create a quota increase request

-> [!TIP]

-> If you need a quota increase, most requests can be handled automatically. Follow the instructions below in [Request a quota increase](#request-a-quota-increase).

-1. To fork the Git Hub repository, open the [IoT Central CI/CD GitHub repository](https://github.com/Azure/iot-central-CICD-sample) and select **Fork**.

-1. The YAML file is saved to your Git Hub repository, so you need to provide a commit message and then select **Save and run** again.

-For IoT Edge devices, the data mapping applies to the telemetry from all the IoT Edge modules and hub. You can't apply mappings to a specific IoT edge module.

-For devices assigned to a device template, you can't map data for components or inherited interfaces. However, you can map any data from your device before you assign it to a device template.

-The IoT Edge extension defaults to the latest stable version of the IoT Edge runtime when it creates your deployment assets. Currently, the latest stable version is version 1.2. If you're developing modules for devices running the 1.1 long-term support version or the earlier 1.0 version, update the IoT Edge runtime version in Visual Studio Code to match.

-Device Update for IoT Hub uses [Automatic Device Management](../iot-hub/iot-hub-automatic-device-management.md) for deployments and uses ADM configs to perform device management operations like updates at scale. In order to enable Device Update to do this, users need to set Contributor access for Azure Device Update Service Principal in the IoT Hub permissions.

-Below actions will be blocked (after 9/28/22) if these permissions are not set:

-[Azure Monitor Workbooks in Microsoft Sentinel](../../sentinel/overview.md#workbooks) help you visualize and monitor data from your connected data sources to gain insights. You can use the built-in workbook templates in Microsoft Sentinel, or create custom workbooks for your scenarios.

-* [Add Python packages](how-to-prebuilt-docker-images-inference-python-extensibility.md).

-* [Use prebuilt inference image as base for a new Dockerfile](how-to-extend-prebuilt-docker-image-inference.md). Using this method, you can install both **Python packages and apt packages**.

-* [Add Python packages to prebuilt images](how-to-prebuilt-docker-images-inference-python-extensibility.md).

-* [Use a prebuilt package as a base for a new Dockerfile](how-to-extend-prebuilt-docker-image-inference.md).

-* RStudio (See [Add RStudio]([Create and manage an Azure Machine Learning compute instance]): Select the **Terminal** tab on top left.

-1. Select **Create** to set up RStudio as a custom application on your compute instance.

-

-1. Follow the steps listed above to **Add application** when creating your compute instance.

-1. Select **Custom Application** on the **Application** dropdown.

-### Do I need to reload the server when changing the score script?

-### Which OS is supported?

-* For more information on creating an entry script and deploying models, see [How to deploy a model using Azure Machine Learning](how-to-deploy-and-where.md).

-> Managed identity is only supported when using the Azure Machine Learning SDK from an Azure Virtual Machine or with an Azure Machine Learning compute cluster. Using a managed identity with a compute cluster is currently in preview.

-### Use a service principal with the REST API (preview)

-The service principal can also be used to authenticate to the Azure Machine Learning [REST API](/rest/api/azureml/) (preview). You use the Azure Active Directory [client credentials grant flow](../active-directory/azuread-dev/v1-oauth2-client-creds-grant-flow.md), which allow service-to-service calls for headless authentication in automated workflows.

-> For [private link enabled Azure Machine Learning workspace](how-to-configure-private-link.md), you have to [deploy Azure Databricks in your own network (VNet injection)](/azure/databricks/administration-guide/cloud-configurations/azure/vnet-inject.md) to ensure proper connectivity.

-## Training curated environments

-## Inference curated environments and prebuilt docker images

- > [!NOTE]

- > This capability is currently in Public Preview.

-This page lets you define where and how to make your offer available, including markets and release date.

-To specify the markets in which your offer should be available, select **Edit markets**.

-Your selections here apply only to new acquisitions; if someone already has your app in a market you later remove, they can continue using it, but no new customers in that market will be able to get your offer.

->[!IMPORTANT]

->It is your responsibility to meet any local legal requirements, even if those requirements aren't listed here or in Partner Center. Even if you select all markets, local laws, restrictions, or other factors may prevent certain offers from being listed in some countries and regions.

-Select **Save draft** before continuing to the next tab in the left-nav menu, **Technical configuration**.

-In the left-nav menu, select **Offer Management**, then **Manage offer names**.

-## Reserve a name

-To delete a name, select **Delete**.

-Provide listing details in any one or multiple supported languages. Select **Manage additional languages** to add a language. Select each language to add its listing details.

-If you selected additional languages, select each from the dropdown list at the top of the page and repeat the above steps for each one. When finished, continue to the next tab in the left-nav menu, **Availability**.

-For **Additional purchases**, select whether or not your offer requires purchases of a service or additional in-app purchases.

-For **Power BI certification** (optional), read the description carefully and if you want to request Power BI certification, select the check box. [Certified](/power-bi/developer/visuals/power-bi-custom-visuals-certified) Power BI visuals meet certain specified code requirements that the Microsoft Power BI team has tested and approved. We recommend that you submit and publish your Power BI visual *before* you request certification, because the certification process takes extra time that could delay publishing of your offer.

-To configure the lead management in Partner Center:

-1. In the **Connection details** dialog box, select a lead destination from the list.

-1. When youΓÇÖve configured the connection details, select **Connect**.

-1. Select **Save draft** before continuing to the next tab in the left-nav menu, **Properties**.

-Select **Save draft** before continuing to the next tab in the left-nav menu, **Properties**.

-This page lets you define the [categories](./categories.md) used to group your offer on Microsoft AppSource, the legal contracts that support your offer, and support documentation.

-Select up to three **[Categories](./categories.md)** for grouping your offer into the appropriate marketplace search areas. This table shows the categories that are available for Power BI visuals.

-| All | All the different types of visuals that are certified for use within your organization. |

-1. Clear the **Use the Standard Contract for Microsoft's commercial marketplace** check box.

-1. In the **EULA** filed (see image above), enter a single web address for your terms and conditions. Or, point to the Power BI visuals contract at `https://visuals.azureedge.net/app-store/Power%20BI%20-%20Default%20Custom%20Visual%20EULA.pdf` (PDF). Either will display as an active link in AppSource.

-> - The version number should be incremented between package updates.

-## Sample PBIX report file

-To showcase your visual offer, help users get familiar with the visual. Highlight the value the visual brings to the user and give examples of usage and formatting options. Add a "hints" page at the end with tips, tricks, and things to avoid. The sample PBIX report file must work offline, without any external connections.

-> [!NOTE]

-> - The PBIX report must use the same version of the visual as the PBIVIZ.

-> - The PBIX report file must work offline, without any external connections.

-Select **Save draft** before skipping in the left-nav menu to the **Offer management** tab.

-There is a [cut plane](../overview/features/cut-planes.md) object in the scene. Try enabling it in its properties and moving it around:

-Automation rules fully support cross-workspace and [multi-tenant deployments](extend-sentinel-across-workspaces-tenants.md#managing-workspaces-across-tenants-using-azure-lighthouse) (in the case of multi-tenant, using [Azure Lighthouse](../lighthouse/index.yml)).

- > In a multi-tenant ([Lighthouse](extend-sentinel-across-workspaces-tenants.md#managing-workspaces-across-tenants-using-azure-lighthouse)) scenario, you must define the permissions on the tenant where the playbook lives, even if the automation rule calling the playbook is in a different tenant. To do that, you must have **Owner** permissions on the playbook's resource group.

-Microsoft Sentinel is built on top of a Log Analytics workspace. You'll notice that the first step in onboarding Microsoft Sentinel is to select the Log Analytics workspace you wish to use for that purpose.

-You can get the full benefit of the Microsoft Sentinel experience when using a single workspace. Even so, there are some circumstances that may require you to have multiple workspaces. The following table lists some of these situations and, when possible, suggests how the requirement may be satisfied with a single workspace:

-| Sovereignty and regulatory compliance | A workspace is tied to a specific region. If data needs to be kept in different [Azure geographies](https://azure.microsoft.com/global-infrastructure/geographies/) to satisfy regulatory requirements, it must be split into separate workspaces. | |

-| Granular retention settings | Historically, multiple workspaces were the only way to set different retention periods for different data types. This is no longer needed in many cases, thanks to the introduction of table level retention settings. | Use [table level retention settings](https://techcommunity.microsoft.com/t5/azure-sentinel/new-per-data-type-retention-is-now-available-for-azure-sentinel/ba-p/917316) or automate [data deletion](../azure-monitor/logs/personal-data-mgmt.md#exporting-and-deleting-personal-data) |

-| Legacy architecture | The use of multiple workspaces may stem from a historical design that took into consideration limitations or best practices which do not hold true anymore. It might also be an arbitrary design choice that can be modified to better accommodate Microsoft Sentinel.<br><br>Examples include:<br><ul><li>Using a per-subscription default workspace when deploying Microsoft Defender for Cloud</li><li>The need for granular access control or retention settings, the solutions for which are relatively new</li></ul> | Re-architect workspaces |

-A particular use case that mandates multiple workspaces is an MSSP Microsoft Sentinel service. In this case, many if not all of the above requirements apply, making multiple workspaces, across tenants, the best practice. The MSSP can use [Azure Lighthouse](../lighthouse/overview.md) to extend Microsoft Sentinel cross-workspace capabilities across tenants.

-As implied by the requirements above, there are cases where multiple Microsoft Sentinel workspaces, potentially across Azure Active Directory (Azure AD) tenants, need to be centrally monitored and managed by a single SOC.

-To address this requirement, Microsoft Sentinel offers multiple-workspace capabilities that enable central monitoring, configuration, and management, providing a single pane of glass across everything covered by the SOC, as presented in the diagram below.

-In the following sections, we will explain how to operate this model, and particularly how to:

-Microsoft Sentinel supports a [multiple workspace incident view](./multiple-workspace-view.md) facilitating central incident monitoring and management across multiple workspaces. The centralized incident view lets you manage incidents directly or drill down transparently to the incident details in the context of the originating workspace.

-Microsoft Sentinel supports querying [multiple workspaces in a single query](../azure-monitor/logs/cross-workspace-query.md), allowing you to search and correlate data from multiple workspaces in a single query.

-Cross-workspace queries can now be included in scheduled analytics rules. You can use cross-workspace analytics rules in a central SOC, and across tenants (using Azure Lighthouse) as in the case of an MSSP, subject to the following limitations:

-Alerts and incidents created by cross-workspace analytics rules will contain all the related entities, including those from all the referenced workspaces as well as the "home" workspace (where the rule was defined). This will allow analysts to have a full picture of alerts and incidents.

-[Workbooks](./overview.md#workbooks) provide dashboards and apps to Microsoft Sentinel. When working with multiple workspaces, they provide monitoring and actions across workspaces.

-Workbooks can provide cross-workspace queries in one of three methods, each of which cater to different levels of end-user expertise:

-| Write cross-workspace queries | The workbook creator can write cross-workspace queries (described above) in the workbook. | This option enables workbook creators to shield the user entirely from the workspace structure. |

-| Add a workspace selector to the workbook | The workbook creator can implement a workspace selector as part of the workbook, as described [here](https://techcommunity.microsoft.com/t5/azure-sentinel/making-your-azure-sentinel-workbooks-multi-tenant-or-multi/ba-p/1402357). | This option provides the user with control over the workspaces shown by the workbook, by means of an easy-to-use dropdown box. |

-| Edit the workbook interactively | An advanced user modifying an existing workbook can edit the queries in it, selecting the target workspaces using the workspace selector in the editor. | This option enables a power user to easily modify existing workbooks to work with multiple workspaces. |

-|

-Microsoft Sentinel provides preloaded query samples designed to get you started and get you familiar with the tables and the query language. These built-in hunting queries are developed by Microsoft security researchers on a continuous basis, both adding new queries and fine-tuning existing queries, to provide you with an entry point to look for new detections and identify signs of intrusion that may have gone undetected by your security tools.

-Cross-workspace hunting capabilities enable your threat hunters to create new hunting queries, or adapt existing ones, to cover multiple workspaces, by using the union operator and the workspace() expression as shown above.

-To configure and manage multiple Microsoft Sentinel workspaces, you will need to automate the use of the Microsoft Sentinel management API. For more information on how to automate the deployment of Microsoft Sentinel resources, including alert rules, hunting queries, workbooks and playbooks, see [Extending Microsoft Sentinel: APIs, Integration and management automation](https://techcommunity.microsoft.com/t5/azure-sentinel/extending-azure-sentinel-apis-integration-and-management/ba-p/1116885).

-See also [Deploy Custom Content from your Repository](ci-cd.md) for a consolidated methodology for managing Microsoft Sentinel as code and for deploying and configuring resources from a private Azure DevOps or GitHub repository.

-## Managing workspaces across tenants using Azure Lighthouse

-As mentioned above, in many scenarios, the different Microsoft Sentinel workspaces can be located in different Azure AD tenants. You can use [Azure Lighthouse](../lighthouse/overview.md) to extend all cross-workspace activities across tenant boundaries, allowing users in your managing tenant to work on Microsoft Sentinel workspaces across all tenants. Once Azure Lighthouse is [onboarded](../lighthouse/how-to/onboard-customer.md), use the [directory + subscription selector](./multiple-tenants-service-providers.md#how-to-access-microsoft-sentinel-in-managed-tenants) on the Azure portal to select all the subscriptions containing workspaces you want to manage, in order to ensure that they will all be available in the different workspace selectors in the portal.

-When using Azure Lighthouse, it is recommended to create a group for each Microsoft Sentinel role and delegate permissions from each tenant to those groups.

-In this document, you learned how Microsoft Sentinel's capabilities can be extended across multiple workspaces and tenants. For practical guidance on implementing Microsoft Sentinel's cross-workspace architecture, see the following articles:

-Microsoft Sentinel is a scalable, cloud-native, **security information and event management (SIEM)** and **security orchestration, automation, and response (SOAR)** solution. Microsoft Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for attack detection, threat visibility, proactive hunting, and threat response.

-

-Building on the full range of existing Azure services, Microsoft Sentinel natively incorporates proven foundations, like Log Analytics, and Logic Apps. Microsoft Sentinel enriches your investigation and detection with AI, and provides Microsoft's threat intelligence stream and enables you to bring your own threat intelligence.

-## Connect to all your data

-To on-board Microsoft Sentinel, you first need to [connect to your security sources](connect-data-sources.md).

-Microsoft Sentinel comes with a number of connectors for Microsoft solutions, available out of the box and providing real-time integration, including Microsoft 365 Defender (formerly Microsoft Threat Protection) solutions, and Microsoft 365 sources, including Office 365, Azure AD, Microsoft Defender for Identity (formerly Azure ATP), and Microsoft Defender for Cloud Apps, and more. In addition, there are built-in connectors to the broader security ecosystem for non-Microsoft solutions. You can also use common event format, Syslog or REST-API to connect your data sources with Microsoft Sentinel as well.

-For more information, see [Find your data connector](data-connectors-reference.md).

-

-## Workbooks

-After you [connected your data sources](quickstart-onboard.md) to Microsoft Sentinel, you can monitor the data using the Microsoft Sentinel integration with Azure Monitor Workbooks, which provides versatility in creating custom workbooks.

-While Workbooks are displayed differently in Microsoft Sentinel, it may be useful for you to see how to [Create interactive reports with Azure Monitor Workbooks](../azure-monitor/visualize/workbooks-overview.md). Microsoft Sentinel allows you to create custom workbooks across your data, and also comes with built-in workbook templates to allow you to quickly gain insights across your data as soon as you connect a data source.

-

-## Analytics

-To help you reduce noise and minimize the number of alerts you have to review and investigate, Microsoft Sentinel uses [analytics to correlate alerts into incidents](detect-threats-built-in.md). **Incidents** are groups of related alerts that together create an actionable possible-threat that you can investigate and resolve. Use the built-in correlation rules as-is, or use them as a starting point to build your own. Microsoft Sentinel also provides machine learning rules to map your network behavior and then look for anomalies across your resources. These analytics connect the dots, by combining low fidelity alerts about different entities into potential high-fidelity security incidents.

-

-## Security automation & orchestration

-Built on the foundation of Azure Logic Apps, Microsoft Sentinel's automation and orchestration solution provides a highly extensible architecture that enables scalable automation as new technologies and threats emerge. To build playbooks with Azure Logic Apps, you can choose from a growing gallery of built-in playbooks. These include [200+ connectors](../connectors/apis-list.md) for services such as Azure functions. The connectors allow you to apply any custom logic in code, ServiceNow, Jira, Zendesk, HTTP requests, Microsoft Teams, Slack, Windows Defender ATP, and Defender for Cloud Apps.

-For example, if you use the ServiceNow ticketing system, you can use the tools provided to use Azure Logic Apps to automate your workflows and open a ticket in ServiceNow each time a particular event is detected.

-

-## Investigation

-Currently in preview, Microsoft Sentinel [deep investigation](investigate-cases.md) tools help you to understand the scope and find the root cause, of a potential security threat. You can choose an entity on the interactive graph to ask interesting questions for a specific entity, and drill down into that entity and its connections to get to the root cause of the threat.

-

-## Hunting

-Use Microsoft Sentinel's [powerful hunting search-and-query tools](hunting.md), based on the MITRE framework, which enable you to proactively hunt for security threats across your organizationΓÇÖs data sources, before an alert is triggered. After you discover which hunting query provides high-value insights into possible attacks, you can also create custom detection rules based on your query, and surface those insights as alerts to your security incident responders. While hunting, you can create bookmarks for interesting events, enabling you to return to them later, share them with others, and group them with other correlating events to create a compelling incident for investigation.

-

-## Notebooks

-[Use notebooks in Microsoft Sentinel](notebooks.md) to extend the scope of what you can do with Microsoft Sentinel data. For example, perform analytics that aren't built in to Microsoft Sentinel, such as some Python machine learning features, create data visualizations that aren't built in to Microsoft Sentinel, such as custom timelines and process trees, or integrate data sources outside of Microsoft Sentinel, such as an on-premises data set.

-## Community

-The Microsoft Sentinel community is a powerful resource for threat detection and automation. Our Microsoft security analysts constantly create and add new workbooks, playbooks, hunting queries, and more, posting them to the community for you to use in your environment. You can download sample content from the private community GitHub [repository](https://aka.ms/asicommunity) to create custom workbooks, hunting queries, notebooks, and playbooks for Microsoft Sentinel.

-

-1. Select the **+ Add** button.

-| [Storage Analytics logs (classic)](../common/storage-analytics-logging.md?toc=%2fazure%2fstorage%2fblobs%2ftoc.json) |  |  ³ |  |  |

-| [Storage Analytics logs (classic)](../common/storage-analytics-logging.md?toc=%2fazure%2fstorage%2fblobs%2ftoc.json) |  |  ² ³ | |  |

- "activities": [

- {

- "typeProperties": {

- "waitTimeInSeconds": "-::int",

- "headers": "=::object"

- }

- ]

- "*": "="

-# DCasv5 and DCadsv5-series confidential VMs (preview)

-> [!IMPORTANT]

-> Confidential virtual machines (confidential VMs) in Azure Confidential Computing is currently in PREVIEW.

-> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-# ECasv5 and ECadsv5-series (preview)

-> [!IMPORTANT]

-> Confidential virtual machines (confidential VMs) in Azure Confidential Computing is currently in PREVIEW.

-> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-The sample Resource Manager template is [dsc-linux-azure-storage-on-ubuntu](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.compute/dsc-linux-azure-storage-on-ubuntu) and [dsc-linux-public-storage-on-ubuntu](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.compute/dsc-linux-public-storage-on-ubuntu).

-2. Rebuild the initrd with the hv_vmbus and hv_storvsc kernel modules:

-[Xilinx Alveo U250 2021.1 Deployment VM ΓÇô Ubuntu18.04](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/xilinx.xilinx_xrt2021_1_ubuntu1804_deployment_image)

-[Xilinx Alveo U250 2021.1 Deployment VM ΓÇô Ubuntu20.04](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/xilinx.xilinx_xrt2021_1_ubuntu2004_deployment_image)

-[Xilinx Alveo U250 2021.1 Deployment VM ΓÇô CentOS7.8](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/xilinx.xilinx_xrt2021_1_centos78_deployment_image)

-The SAP start service provides a host of services, including monitoring the SAP system. We're using SAPControl, which is a SOAP web service interface that exposes these capabilities. The SAPControl web service interface differentiates between [protected and unprotected](https://wiki.scn.sap.com/wiki/display/SI/Protected+web+methods+of+sapstartsrv) web service methods.

-Even if you're running your Oracle DBMS and SAP application instances on Oracle Linux, you can run your SAP Central Services on SLES or RHEL and protect it with a Pacemaker-based cluster. Pacemaker as a high-availability framework isn't supported on Oracle Linux.

-> For Type II units only the SLES 12 SP2 OS version is supported at this point.

- To have proper network performance and system stability, ensure the appropriate OS-specific version of eNIC and fNIC drivers are installed per the following compatibility table. Servers are delivered to customers with compatible versions. However, drivers can get rolled back to default versions during OS/kernel patching. Ensure the appropriate driver version is running post OS/kernel patching operations.

- | SuSE | SLES 12 SP2 | 3.1.3h | 2.3.0.40 | 1.6.0.34 |

- | SuSE | SLES 12 SP3 | 3.1.3h | 2.3.0.44 | 1.6.0.36 |

- | SuSE | SLES 12 SP4 | 3.2.3i | 4.0.0.6 | 2.0.0.60 |

- | SuSE | SLES 12 SP5 | 3.2.3i | 4.0.0.8 | 2.0.0.60 |

- | Red Hat | RHEL 7.2 | 3.1.3h | 2.3.0.39 | 1.6.0.34 |

- | Red Hat | RHEL 7.6 | 3.2.3i | 3.1.137.5 | 2.0.0.50 |

-> [Set up SMT server for SUSE Linux](hana-setup-smt.md)