+## June 2024

+### Updated articles

+- [Define an OAuth2 custom error technical profile in an Azure Active Directory B2C custom policy](oauth2-error-technical-profile.md) - Error code updates

+- [Configure authentication in a sample Python web app by using Azure AD B2C](configure-authentication-sample-python-web-app.md) - Python version update

+[Standard training](../how-to/train-model.md#training-modes) is free and faster than Advanced training, making it useful to quickly understand the effect of changing your training set or schema while building the model. Once you're satisfied with the schema, consider using advanced training to get the best AIQ out of your model.

+## Addressing model inconsistencies

+If your model is overly sensitive to small grammatical changes, like casing or diacritics, you can systematically manipulate your dataset directly in the Language Studio. To use these features, click on the Settings tab on the left toolbar and locate the **Advanced project settings** section. First, you can ***Enable data transformation for casing***, which normalizes the casing of utterances when training, testing, and implementing your model. If you've migrated from LUIS, you might recognize that LUIS did this normalization by default. To access this feature via the API, set the `"normalizeCasing"` parameter to `true`. See an example below:

+ ...

+ ...

+ }

+...

+```

+Second, you can also leverage the **Advanced project settings** to ***Enable data augmentation for diacritics*** to generate variations of your training data for possible diacritic variations used in natural language. This feature is available for all languages, but it is especially useful for Germanic and Slavic languages, where users often write words using classic English characters instead of the correct characters. For example, the phrase "Navigate to the sports channel" in French is "Accédez à la chaîne sportive". When this feature is enabled, the phrase "Accedez a la chaine sportive" (without diacritic characters) is also included in the training dataset. If you enable this feature, please note that the utterance count of your training set will increase, and you may need to adjust your training data size accordingly. The current maximum utterance count after augmentation is 25,000. To access this feature via the API, set the `"augmentDiacritics"` parameter to `true`. See an example below:

+```json

+{

+ "projectFileVersion": "2022-10-01-preview",

+ ...

+ "settings": {

+ ...

+ "augmentDiacritics": true

+ ...

+The normalization layer normalizes the classification confidence scores to a confined range. The range selected currently is from `[-a,a]` where "a" is the square root of the number of intents. As a result, the normalization depends on the number of intents in the app. If there's a very low number of intents, the normalization layer has a very small range to work with. With a fairly large number of intents, the normalization is more effective.

+If this normalization doesnΓÇÖt seem to help intents that are out of scope to the extent that the confidence threshold can be used to filter out of scope utterances, it might be related to the number of intents in the app. Consider adding more intents to the app, or if you're using an orchestrated architecture, consider merging apps that belong to the same domain together.

+If you're using [orchestrated apps](./app-architecture.md), you may want to send custom parameter overrides for various child apps. The `targetProjectParameters` field allows users to send a dictionary representing the parameters for each target project. For example, consider an orchestrator app named `Orchestrator` orchestrating between a conversational language understanding app named `CLU1` and a custom question answering app named `CQA1`. If you want to send a parameter named "top" to the question answering app, you can use the above parameter.

+- The None Score threshold for the app (confidence threshold below which the topIntent is marked as None) when using this recipe should be set to 0. This is because this new recipe attributes a certain portion of the in domain probabilities to out of domain so that the model isn't incorrectly overconfident about in domain utterances. As a result, users may see slightly reduced confidence scores for in domain utterances as compared to the prod recipe.

+- This recipe isn't recommended for apps with just two (2) intents, such as IntentA and None, for example.

+- This recipe isn't recommended for apps with low number of utterances per intent. A minimum of 25 utterances per intent is highly recommended.

+| Upper Sorbian | `hsb` |

+| Language | Script code | Scripts |

+| - | - | -- |

+| Bengali (Bengali-Assamese) | `as` | `Latn`, `Beng` |

+| Bengali (Bangla) | `bn` | `Latn`, `Beng` |

+| Gujarati | `gu` | `Latn`, `Gujr` |

+| Hindi | `hi` | `Latn`, `Deva` |

+| Kannada | `kn` | `Latn`, `Knda` |

+| Malayalam | `ml` | `Latn`, `Mlym` |

+| Marathi | `mr` | `Latn`, `Deva` |

+| Oriya | `or` | `Latn`, `Orya` |

+| Gurmukhi | `pa` | `Latn`, `Guru` |

+| Tamil | `ta` | `Latn`, `Taml` |

+| Telugu | `te` | `Latn`, `Telu` |

+| Arabic | `ar` | `Latn`, `Arab` |

+| Cyrillic | `tt` | `Latn`, `Cyrl` |

+| Serbian | `sr` | `Latn`, `Cyrl` |

+| Unified Canadian Aboriginal Syllabics | `iu` | `Latn`, `Cans` |

+<!--

+-->

+> [Azure OpenAI On Your Data](../../openai/concepts/use-your-data.md) utilizes large language models (LLMs) to produce similar results to Custom Question Answering. If you wish to connect an existing Custom Question Answering project to Azure OpenAI On Your Data, please check out our [guide]( how-to/azure-openai-integration.md).

+## Use active learning

+Extractive text and document summarization support the following languages:

+| Language | Language code | Notes |

+|--|||

+| Chinese-Simplified | `zh-hans` | `zh` also accepted |

+| English | `en` | |

+| French | `fr` | |

+| German | `de` | |

+| Hebrew | `he` | |

+| Italian | `it` | |

+| Japanese | `ja` | |

+| Korean | `ko` | |

+| Polish | `pl` | |

+| Portuguese (Portugal) | `pt` | |

+| Portuguese (Brazil) | `pt-br` | |

+| Spanish | `es` | |

+Abstractive text and document summarization support the following languages:

+| Portuguese (Portugal) | `pt` | |

+| Portuguese (Brazil) | `pt-br` | |

+| Chinese-Traditional | `zh-hant` | |

+| Portuguese (Portugal) | `pt` | |

+| Portuguese (Brazil) | `pt-br` | |

+| Dutch, Flemish | `nl` | |

+| Swedish | `sv` | |

+| Danish | `da` | |

+| Finnish | `fi` | |

+| Russian | `ru` | |

+| Norwegian | `no` | |

+| Turkish | `tr` | |

+| Arabic | `ar` | |

+| Czech | `cs` | |

+| Hungarian | `hu` | |

+| Thai | `th` | |

+* Conversation summarization works with various spoken languages. For more information, see [language support](language-support.md?tabs=conversation-summarization).

+This article is to help you understand the support lifecycle for the Azure OpenAI API previews. New preview APIs target a monthly release cadence. After February 3rd, 2025, the latest three preview APIs will remain supported while older APIs will no longer be supported unless support is explicitly indicated.

+You need to [create](../how-to/create-resource.md) or use an existing resource in a [supported standard](#gpt-4-and-gpt-4-turbo-model-availability) or [global standard](#global-standard-model-availability) region where the model is available.

+### Global standard model availability

+| **Offering** | **Global-Standard** | **Standard** | **Provisioned** |

+## Global standard

+We recommend pulling changes from the `main` branch for the web app's source code frequently to ensure you have the latest bug fixes, API version, and improvements. Additionally, the web app must be synchronized every time the API version being used is [retired](../api-version-deprecation.md)

+- `2023-03-15-preview` [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-03-15-preview/inference.json)

+- `2023-07-01-preview` [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-07-01-preview/inference.json)

+- `2023-08-01-preview` [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-08-01-preview/inference.json)

+- `2023-09-01-preview` [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-09-01-preview/inference.json)

+- `2023-12-01-preview` [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-12-01-preview/inference.json)

+- `2023-03-15-preview` [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-03-15-preview/inference.json)

+- `2023-07-01-preview` [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-07-01-preview/inference.json)

+- `2023-08-01-preview` [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-08-01-preview/inference.json)

+- `2023-09-01-preview` [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-09-01-preview/inference.json)

+- `2023-12-01-preview` [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-12-01-preview/inference.json)

+- `2023-03-15-preview` [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-03-15-preview/inference.json)

+- `2023-07-01-preview` [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-07-01-preview/inference.json)

+- `2023-08-01-preview` [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-08-01-preview/inference.json)

+- `2023-09-01-preview` [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-09-01-preview/inference.json)

+- `2023-12-01-preview` (This version or greater required for Vision scenarios) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/tree/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-12-01-preview)

+- `2023-12-01-preview ` [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-12-01-preview/inference.json)

+- `2023-09-01-preview` [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-09-01-preview/inference.json)

+- `2023-12-01-preview` [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-12-01-preview/inference.json)

+- `2023-09-01-preview` [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-09-01-preview/inference.json)

+- `2023-12-01-preview` [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-12-01-preview/inference.json)

+With personal voice, you can enable your users to get AI generated replication of their own voices in a few seconds. With a verbal statement and a short speech sample as the audio prompt, you can create a personal voice for your users and allow them to generate speech in any of the more than 90 languages supported across more than 100 locales.

+For pricing details on video translation, see [Speech service pricing](https://azure.microsoft.com/pricing/details/cognitive-services/speech-services/). Note that video translation pricing will only be visible for [service regions](#supported-regions-and-languages) where the feature is available.

+Phi-3 Mini is a 3.8B parameters, lightweight, state-of-the-art open model. Phi-3-Mini was trained with Phi-3 datasets that include both synthetic data and the filtered, publicly-available websites data, with a focus on high quality and reasoning-dense properties.

+The model belongs to the Phi-3 model family, and the Mini version comes in two variants, 4K and 128K, which denote the context length (in tokens) that each model variant can support.

+The model underwent a rigorous enhancement process, incorporating both supervised fine-tuning and direct preference optimization to ensure precise instruction adherence and robust safety measures. When assessed against benchmarks that test common sense, language understanding, math, code, long context and logical reasoning, Phi-3-Mini-4K-Instruct and Phi-3-Mini-128K-Instruct showcased a robust and state-of-the-art performance among models with less than 13 billion parameters.

+# [Phi-3-small](#tab/phi-3-small)

+Phi-3-Small is a 7B parameters, lightweight, state-of-the-art open model. Phi-3-Small was trained with Phi-3 datasets that include both synthetic data and the filtered, publicly-available websites data, with a focus on high quality and reasoning-dense properties.

+The model belongs to the Phi-3 model family, and the Small version comes in two variants, 8K and 128K, which denote the context length (in tokens) that each model variant can support.

+- Phi-3-small-8k-Instruct

+- Phi-3-small-128k-Instruct

+The model underwent a rigorous enhancement process, incorporating both supervised fine-tuning and direct preference optimization to ensure precise instruction adherence and robust safety measures. When assessed against benchmarks that test common sense, language understanding, math, code, long context and logical reasoning, Phi-3-Small-8k-Instruct and Phi-3-Small-128k-Instruct showcased a robust and state-of-the-art performance among models with less than 13 billion parameters.

+Phi-3 Medium is a 14B parameters, lightweight, state-of-the-art open model. Phi-3-Medium was trained with Phi-3 datasets that include both synthetic data and the filtered, publicly-available websites data, with a focus on high quality and reasoning-dense properties.

+The model belongs to the Phi-3 model family, and the Medium version comes in two variants, 4K and 128K, which denote the context length (in tokens) that each model variant can support.

+The model underwent a rigorous enhancement process, incorporating both supervised fine-tuning and direct preference optimization to ensure precise instruction adherence and robust safety measures. When assessed against benchmarks that test common sense, language understanding, math, code, long context and logical reasoning, Phi-3-Medium-4k-Instruct and Phi-3-Medium-128k-Instruct showcased a robust and state-of-the-art performance among models with less than 13 billion parameters.

+ For a list of regions that are available for each of the models supporting serverless API endpoint deployments, see [Region availability for models in serverless API endpoints](deploy-models-serverless-availability.md).

+1. Select the project in which you want to deploy your model. To deploy the Phi-3 model, your project must belong to one of the regions listed in the [prerequisites](#prerequisites) section.

+Review the environment variables in the file `deployment/environmentVariables.sh` and then you use the

+`deploy.sh` script in the `deployment/infra/` directory of the [GitHub repository][github-repo] to deploy

+the application to Azure.

+The script displays a log as it runs. You can persist the log by redirecting the log information output and saving it to the `install.log` file in the `logs` directory using the following commands:

+mkdir ./logs

+ cooldownPeriod: 10 # How many seconds should we wait for downscale

+[nap-aks]: ./node-autoprovision.md

+* Configuring existing AKS clusters with an HTTP proxy is not supported; the HTTP proxy feature must be enabled at cluster creation time.

+1. Set **Client certificate mode** to **Require**. Select **Save** at the top of the page.

+### [ARM template](#tab/arm)

+1. Next to **Certificate exclusion paths**, select the edit icon.

+1. Select **New path**, specify a path, or a list of paths separated by `,` or `;`, and select **OK**.

+1. Select **Save** at the top of the page.

+In the following screenshot, any path for your app that starts with `/public` doesn't request a client certificate. Path matching is case-insensitive.

+In App Service, TLS termination of the request happens at the frontend load balancer. When App Service forwards the request to your app code with [client certificates enabled](#enable-client-certificates), it injects an `X-ARR-ClientCert` request header with the client certificate. App Service doesn't do anything with this client certificate other than forwarding it to your app. Your app code is responsible for validating the client certificate.

+## ASP.NET Core sample

+ // 1. The certificate isn't expired and is active for the current time on server.

+ // This example doesn't test that this certificate is chained to a Trusted Root Authority (or revoked) on the server

+The following Java class encodes the certificate from `X-ARR-ClientCert` to an `X509Certificate` instance. `certificateIsValid()` validates that the certificate's thumbprint matches the one given in the constructor and that certificate hasn't expired.

+ * certificate hasn't expired.

+ * @return True if the certificate's thumbprint matches and hasn't expired. False otherwise.

+ * @return Returns true if the certificate hasn't expired. Returns false if it has expired.

+Run the following command in the [Cloud Shell](https://shell.azure.com) to set the .NET Core version to 8.0:

+az webapp config set --name <app-name> --resource-group <resource-group-name> --linux-fx-version "DOTNETCORE|8.0"

+`PRE_BUILD_COMMAND` and `POST_BUILD_COMMAND` are environment variables that are empty by default. To run prebuild commands, define `PRE_BUILD_COMMAND`. To run post-build commands, define `POST_BUILD_COMMAND`.

+When your ASP.NET Core app generates an exception in the Visual Studio debugger, the browser displays a detailed exception page, but in App Service that page is replaced by a generic **HTTP 500** or **An error occurred while processing your request.** To display the detailed exception page in App Service, Add the `ASPNETCORE_ENVIRONMENT` app setting to your app by running the following command in the <a target="_blank" href="https://shell.azure.com" >Cloud Shell</a>.

+#customer intent: As a developer, I want to learn how to deploy an ASP.NET Core web app to Azure App Service and connect to an Azure SQL Database.

+ Title: Deploy ASP.NET Core and Azure SQL Database app

+zone_pivot_groups: app-service-portal-azd

+In this tutorial, you learn how to deploy a data-driven ASP.NET Core app to Azure App Service and connect to an Azure SQL Database. You'll also deploy an Azure Cache for Redis to enable the caching code in your application. Azure App Service is a highly scalable, self-patching, web-hosting service that can easily deploy apps on Windows or Linux. Although this tutorial uses an ASP.NET Core 8.0 app, the process is the same for other versions of ASP.NET Core.

+In this tutorial, you learn how to:

+> [!div class="checklist"]

+> * Create a secure-by-default App Service, SQL Database, and Redis cache architecture

+> * Deploy a sample data-driven ASP.NET Core app

+> * Use connection strings and app settings

+> * Generate database schema by uploading a migrations bundle

+> * Stream diagnostic logs from Azure

+> * Manage the app in the Azure portal

+> * Provision and deploy by using Azure Developer CLI

+## Prerequisites

+* An Azure account with an active subscription. If you don't have an Azure account, you [can create one for free](https://azure.microsoft.com/free).

+* A GitHub account. you can also [get one for free](https://github.com/join).

+* Knowledge of ASP.NET Core development.

+* **(Optional)** To try GitHub Copilot, a [GitHub Copilot account](https://docs.github.com/copilot/using-github-copilot/using-github-copilot-code-suggestions-in-your-editor). A 30-day free trial is available.

+<!-- ## Skip to the end

+You can quickly deploy the sample app in this tutorial and see it running in Azure. Just run the following commands in the [Azure Cloud Shell](https://shell.azure.com), and follow the prompt:

+```bash

+mkdir msdocs-app-service-sqldb-dotnetcore

+azd init --template msdocs-app-service-sqldb-dotnetcore

+azd up

+ -->

+## 1. Run the sample

+First, you set up a sample data-driven app as a starting point. For your convenience, the [sample repository](https://github.com/Azure-Samples/msdocs-app-service-sqldb-dotnetcore), includes a [dev container](https://docs.github.com/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-configuration/introduction-to-dev-containers) configuration. The dev container has everything you need to develop an application, including the database, cache, and all environment variables needed by the sample application. The dev container can run in a [GitHub codespace](https://docs.github.com/en/codespaces/overview), which means you can run the sample on any computer with a web browser.

+ :::column span="2":::

+ **Step 1:** In a new browser window:

+ 1. Sign in to your GitHub account.

+ 1. Navigate to [https://github.com/Azure-Samples/msdocs-app-service-sqldb-dotnetcore/fork](https://github.com/Azure-Samples/msdocs-app-service-sqldb-dotnetcore/fork).

+ 1. Unselect **Copy the main branch only**. You want all the branches.

+ 1. Select **Create fork**.

+ :::column-end:::

+ :::column:::

+ :::image type="content" source="./media/tutorial-dotnetcore-sqldb-app/azure-portal-run-sample-application-1.png" alt-text="A screenshot showing how to create a fork of the sample GitHub repository." lightbox="./media/tutorial-dotnetcore-sqldb-app/azure-portal-run-sample-application-1.png":::

+ :::column-end:::

+ :::column span="2":::

+ **Step 2:** In the GitHub fork:

+ 1. Select **main** > **starter-no-infra** for the starter branch. This branch contains just the sample project and no Azure-related files or configuration.

+ 1. Select **Code** > **Create codespace on main**.

+ The codespace takes a few minutes to set up.

+ :::column-end:::

+ :::column:::

+ :::image type="content" source="./media/tutorial-dotnetcore-sqldb-app/azure-portal-run-sample-application-2.png" alt-text="A screenshot showing how to create a codespace in GitHub." lightbox="./media/tutorial-dotnetcore-sqldb-app/azure-portal-run-sample-application-2.png":::

+ :::column-end:::

+ :::column span="2":::

+ **Step 3:** In the codespace terminal:

+ 1. Run database migrations with `dotnet ef database update`.

+ 1. Run the app with `dotnet run`.

+ 1. When you see the notification `Your application running on port 5093 is available.`, select **Open in Browser**.

+ You should see the sample application in a new browser tab.

+ To stop the application, type `Ctrl`+`C`.

+ :::column-end:::

+ :::column:::

+ :::image type="content" source="./media/tutorial-dotnetcore-sqldb-app/azure-portal-run-sample-application-3.png" alt-text="A screenshot showing how to run the sample application inside the GitHub codespace." lightbox="./media/tutorial-dotnetcore-sqldb-app/azure-portal-run-sample-application-3.png":::

+ :::column-end:::

+> [!TIP]

+> You can ask [GitHub Copilot](https://docs.github.com/copilot/using-github-copilot/using-github-copilot-code-suggestions-in-your-editor) about this repository. For example:

+>

+> * *@workspace What does this project do?*

+> * *@workspace What does the .devcontainer folder do?*

+Having issues? Check the [Troubleshooting section](#troubleshooting).

+ 1. *Resource Group*: Select **Create new** and use a name of **msdocs-core-sql-tutorial**.

+ 1. *Region*: Any Azure region near you.

+ 1. *Name*: **msdocs-core-sql-XYZ** where *XYZ* is any three random characters. This name must be unique across Azure.

+ 1. *Runtime stack*: **.NET 8 (LTS)**.

+ 1. *Add Azure Cache for Redis?*: **Yes**.

+ 1. *Hosting plan*: **Basic**. When you're ready, you can [scale up](manage-scale-up.md) to a production pricing tier later.

+ - **Resource group**: The container for all the created resources.

+ - **App Service plan**: Defines the compute resources for App Service. A Linux plan in the *Basic* tier is created.

+ - **App Service**: Represents your app and runs in the App Service plan.

+ - **Virtual network**: Integrated with the App Service app and isolates back-end network traffic.

+ - **Private endpoints**: Access endpoints for the database server and the Redis cache in the virtual network.

+ - **Network interfaces**: Represents private IP addresses, one for each of the private endpoints.

+ - **Azure SQL Database server**: Accessible only from behind its private endpoint.

+ - **Azure SQL Database**: A database and a user are created for you on the server.

+ - **Azure Cache for Redis**: Accessible only from behind its private endpoint.

+ - **Private DNS zones**: Enable DNS resolution of the database server and the Redis cache in the virtual network.

+ **Step 1:** In the App Service page, from the left menu, select **Settings** > **Environment variables**.

+ 1. Find **AZURE_REDIS_CONNECTIONSTRING** in the **App settings** section. This string was generated from the new Redis cache by the creation wizard. To set up your application, this name is all you need.

+ 1. Select **Connection strings** and find **AZURE_SQL_CONNECTIONSTRING** in the **Connection strings** section. This string was generated from the new SQL database by the creation wizard. To set up your application, this name is all you need.

+ 1. If you want, you can select the setting and see, copy, or edit its value.

+In this step, you configure GitHub deployment using GitHub Actions. It's just one of many ways to deploy to App Service, but also a great way to have continuous integration in your deployment process. By default, every `git push` to your GitHub repository kicks off the build and deploy action.

+ **Step 1:** In the left menu, select **Deployment** > **Deployment Center**.

+ :::image type="content" source="./media/tutorial-dotnetcore-sqldb-app/azure-portal-deploy-sample-code-1.png" alt-text="A screenshot showing how to open the deployment center in App Service." lightbox="./media/tutorial-dotnetcore-sqldb-app/azure-portal-deploy-sample-code-1.png":::

+ **Step 2:** In the Deployment Center page:

+ 1. In **Source**, select **GitHub**. By default, **GitHub Actions** is selected as the build provider.

+ 1. Sign in to your GitHub account and follow the prompt to authorize Azure.

+ 1. In **Organization**, select your account.

+ 1. In **Repository**, select **msdocs-app-service-sqldb-dotnetcore**.

+ 1. In **Branch**, select **starter-no-infra**. This is the same branch that you worked in with your sample app, without any Azure-related files or configuration.

+ 1. For **Authentication type**, select **User-assigned identity**.

+ 1. In the top menu, select **Save**.

+ App Service commits a workflow file into the chosen GitHub repository, in the `.github/workflows` directory.

+ By default, the deployment center [creates a user-assigned identity](#i-dont-have-permissions-to-create-a-user-assigned-identity) for the workflow to authenticate using Microsoft Entra (OIDC authentication). For alternative authentication options, see [Deploy to App Service using GitHub Actions](deploy-github-actions.md).

+ :::image type="content" source="./media/tutorial-dotnetcore-sqldb-app/azure-portal-deploy-sample-code-2.png" alt-text="A screenshot showing how to configure CI/CD using GitHub Actions." lightbox="./media/tutorial-dotnetcore-sqldb-app/azure-portal-deploy-sample-code-2.png":::

+ **Step 3:** Back in the GitHub codespace of your sample fork, run `git pull origin starter-no-infra`.

+ This pulls the newly committed workflow file into your codespace.

+ :::image type="content" source="./media/tutorial-dotnetcore-sqldb-app/azure-portal-deploy-sample-code-3.png" alt-text="A screenshot showing git pull inside a GitHub codespace." lightbox="./media/tutorial-dotnetcore-sqldb-app/azure-portal-deploy-sample-code-3.png":::

+ **Step 4 (Option 1: with GitHub Copilot):**

+ 1. Start a new chat session by selecting the **Chat** view, then selecting **+**.

+ 1. Ask, "*@workspace How does the app connect to the database and the cache?*" Copilot might give you some explanation about the `MyDatabaseContext` class and how it's configured in *Program.cs*.

+ 1. Ask, "In production mode, I want the app to use the connection string called AZURE_SQL_CONNECTIONSTRING for the database and the app setting called AZURE_REDIS_CONNECTIONSTRING*." Copilot might give you a code suggestion similar to the one in the **Option 2: without GitHub Copilot** steps below and even tell you to make the change in the *Program.cs* file.

+ 1. Open *Program.cs* in the explorer and add the code suggestion.

+ GitHub Copilot doesn't give you the same response every time, and it's not always correct. You might need to ask more questions to fine-tune its response. For tips, see [What can I do with GitHub Copilot in my codespace?](#what-can-i-do-with-github-copilot-in-my-codespace)

+ :::image type="content" source="media/tutorial-dotnetcore-sqldb-app/github-copilot-1.png" alt-text="A screenshot showing how to ask a question in a new GitHub Copilot chat session." lightbox="media/tutorial-dotnetcore-sqldb-app/github-copilot-1.png":::

+ **Step 4 (Option 2: without GitHub Copilot):**

+ 1. Open *Program.cs* in the explorer.

+ 1. Find the commented code (lines 12-21) and uncomment it.

+ This code connects to the database by using `AZURE_SQL_CONNECTIONSTRING` and connects to the Redis cache by using the app setting `AZURE_REDIS_CONNECTIONSTRING`.

+ :::image type="content" source="./media/tutorial-dotnetcore-sqldb-app/azure-portal-deploy-sample-code-4.png" alt-text="A screenshot showing a GitHub codespace and the Program.cs file opened." lightbox="./media/tutorial-dotnetcore-sqldb-app/azure-portal-deploy-sample-code-4.png":::

+ **Step 5 (Option 1: with GitHub Copilot):**

+ 1. Open *.github/workflows/starter-no-infra_msdocs-core-sql-XYZ* in the explorer. This file was created by the App Service create wizard.

+ 1. Highlight the `dotnet publish` step and select :::image type="icon" source="media/quickstart-dotnetcore/github-copilot-in-editor.png" border="false":::.

+ 1. Ask Copilot, "*Install dotnet ef, then create a migrations bundle in the same output folder.*"

+ 1. If the suggestion is acceptable, select **Accept**.

+ GitHub Copilot doesn't give you the same response every time, and it's not always correct. You might need to ask more questions to fine-tune its response. For tips, see [What can I do with GitHub Copilot in my codespace?](#what-can-i-do-with-github-copilot-in-my-codespace)

+ :::image type="content" source="./media/tutorial-dotnetcore-sqldb-app/github-copilot-2.png" alt-text="A screenshot showing the use of GitHub Copilot in a GitHub workflow file." lightbox="./media/tutorial-dotnetcore-sqldb-app/github-copilot-2.png":::

+ **Step 5 (Option 2: without GitHub Copilot):**

+ 1. Open *.github/workflows/starter-no-infra_msdocs-core-sql-XYZ* in the explorer. This file was created by the App Service create wizard.

+ 1. Under the `dotnet publish` step, add a step to install the [Entity Framework Core tool](/ef/core/cli/dotnet) with the command `dotnet tool install -g dotnet-ef --version 8.*`.

+ 1. Under the new step, add another step to generate a database [migration bundle](/ef/core/managing-schemas/migrations/applying?tabs=dotnet-core-cli#bundles) in the deployment package: `dotnet ef migrations bundle --runtime linux-x64 -o ${{env.DOTNET_ROOT}}/myapp/migrationsbundle`.

+ :::image type="content" source="./media/tutorial-dotnetcore-sqldb-app/azure-portal-deploy-sample-code-5.png" alt-text="A screenshot showing steps added to the GitHub workflow file for database migration bundle." lightbox="./media/tutorial-dotnetcore-sqldb-app/azure-portal-deploy-sample-code-5.png":::

+ **Step 6:**

+ 1. In the textbox, type a commit message like `Configure Azure database and cache connections`. Or, select :::image type="icon" source="media/quickstart-dotnetcore/github-copilot-in-editor.png" border="false"::: and let GitHub Copilot generate a commit message for you.

+ 1. Select **Commit**, then confirm with **Yes**.

+ 1. Select **Sync changes 1**, then confirm with **OK**.

+ :::image type="content" source="./media/tutorial-dotnetcore-sqldb-app/azure-portal-deploy-sample-code-6.png" alt-text="A screenshot showing the changes being committed and pushed to GitHub." lightbox="./media/tutorial-dotnetcore-sqldb-app/azure-portal-deploy-sample-code-6.png":::

+ **Step 7:**

+ Back in the Deployment Center page in the Azure portal:

+ 1. Select **Logs**. A new deployment run is already started from your committed changes. You might need to select **Refresh** to see it.

+ :::image type="content" source="./media/tutorial-dotnetcore-sqldb-app/azure-portal-deploy-sample-code-7.png" alt-text="A screenshot showing how to open deployment logs in the deployment center." lightbox="./media/tutorial-dotnetcore-sqldb-app/azure-portal-deploy-sample-code-7.png":::

+ **Step 8:** You're taken to your GitHub repository and see that the GitHub action is running. The workflow file defines two separate stages, build and deploy. Wait for the GitHub run to show a status of **Success**. It takes about 5 minutes.

+ :::image type="content" source="./media/tutorial-dotnetcore-sqldb-app/azure-portal-deploy-sample-code-8.png" alt-text="A screenshot showing a GitHub run in progress." lightbox="./media/tutorial-dotnetcore-sqldb-app/azure-portal-deploy-sample-code-8.png":::

+ **Step 1:** Back in the App Service page, in the left menu, select **Development Tools** > **SSH**, then select **Go**.

+ 1. Run the migration bundle that the GitHub workflow generated, with the command `./migrationsbundle -- --environment Production`. If it succeeds, App Service is connecting successfully to the SQL Database. Remember that `--environment Production` corresponds to the code changes you made in *Program.cs*.

+In the SSH session, only changes to files in `/home` can persist beyond app restarts. Changes outside of `/home` aren't persisted.

+Having issues? Check the [Troubleshooting section](#troubleshooting).

+ 1. From the left menu, select **Monitoring** > **App Service logs**.

+ 1. Under **Application logging**, select **File System**, then select **Save**.

+## 2. Create Azure resources and deploy a sample app

+In this step, you create the Azure resources and deploy a sample app to App Service on Linux. The steps used in this tutorial create a set of secure-by-default resources that include App Service, Azure SQL Database, and Azure Cache for Redis.

+The dev container already has the [Azure Developer CLI](/azure/developer/azure-developer-cli/install-azd) (AZD).

+1. From the repository root, run `azd init`.

+ ```bash

+ azd init --template dotnet-app-service-sqldb-infra

+ ```

+1. When prompted, give the following answers:

+

+ |Question |Answer |

+ |||

+ |The current directory is not empty. Would you like to initialize a project here in '\<your-directory>'? | **Y** |

+ |What would you like to do with these files? | **Keep my existing files unchanged** |

+ |Enter a new environment name | Type a unique name. The AZD template uses this name as part of the DNS name of your web app in Azure (`<app-name>.azurewebsites.net`). Alphanumeric characters and hyphens are allowed. |

+1. Sign into Azure by running the `azd auth login` command and following the prompt:

+ ```bash

+ azd auth login

+ ```

+1. Create the necessary Azure resources and deploy the app code with the `azd up` command. Follow the prompt to select the desired subscription and location for the Azure resources.

+ ```bash

+ azd up

+ ```

+ The `azd up` command takes about 15 minutes to complete (the Redis cache take the most time). It also compiles and deploys your application code, but you'll modify your code later to work with App Service. While it's running, the command provides messages about the provisioning and deployment process, including a link to the deployment in Azure. When it finishes, the command also displays a link to the deploy application.

+ This AZD template contains files (*azure.yaml* and the *infra* directory) that generate a secure-by-default architecture with the following Azure resources:

+ - **Resource group**: The container for all the created resources.

+ - **App Service plan**: Defines the compute resources for App Service. A Linux plan in the *Basic* tier is created.

+ - **App Service**: Represents your app and runs in the App Service plan.

+ - **Virtual network**: Integrated with the App Service app and isolates back-end network traffic.

+ - **Private endpoints**: Access endpoints for the database server and the Redis cache in the virtual network.

+ - **Network interfaces**: Represents private IP addresses, one for each of the private endpoints.

+ - **Azure SQL Database server**: Accessible only from behind its private endpoint.

+ - **Azure SQL Database**: A database and a user are created for you on the server.

+ - **Azure Cache for Redis**: Accessible only from behind its private endpoint.

+ - **Private DNS zones**: Enable DNS resolution of the database server and the Redis cache in the virtual network.

+Having issues? Check the [Troubleshooting section](#troubleshooting).

+## 3. Verify connection strings

+The AZD template you use generated the connectivity variables for you already as [app settings](configure-common.md#configure-app-settings) and outputs the them to the terminal for your convenience. App settings are one way to keep connection secrets out of your code repository.

+1. In the AZD output, find the settings `AZURE_SQL_CONNECTIONSTRING` and `AZURE_REDIS_CONNECTIONSTRING`. To keep secrets safe, only the setting names are displayed. They look like this in the AZD output:

+ <pre>

+ App Service app has the following connection strings:

+

+ - AZURE_SQL_CONNECTIONSTRING

+ - AZURE_REDIS_CONNECTIONSTRING

+ </pre>

+ `AZURE_SQL_CONNECTIONSTRING` contains the connection string to the SQL Database in Azure, and `AZURE_REDIS_CONNECTIONSTRING` contains the connection string to the Azure Redis cache. You need to use them in your code later.

+1. For your convenience, the AZD template shows you the direct link to the app's app settings page. Find the link and open it in a new browser tab.

+Having issues? Check the [Troubleshooting section](#troubleshooting).

+## 4. Modify sample code and redeploy

+# [With GitHub Copilot](#tab/copilot)

+1. Back in the GitHub codespace of your sample fork, start a new chat session by selecting the **Chat** view, then selecting **+**.

+1. Ask, "*@workspace How does the app connect to the database and the cache?*" Copilot might give you some explanation about the `MyDatabaseContext` class and how it's configured in *Program.cs*.

+1. Ask, "In production mode, I want the app to use the connection string called AZURE_SQL_CONNECTIONSTRING for the database and the app setting called AZURE_REDIS_CONNECTIONSTRING*." Copilot might give you a code suggestion similar to the one in the **Option 2: without GitHub Copilot** steps below and even tell you to make the change in the *Program.cs* file.

+1. Open *Program.cs* in the explorer and add the code suggestion.

+ GitHub Copilot doesn't give you the same response every time, and it's not always correct. You might need to ask more questions to fine-tune its response. For tips, see [What can I do with GitHub Copilot in my codespace?](#what-can-i-do-with-github-copilot-in-my-codespace)

+# [Without GitHub Copilot](#tab/nocopilot)

+1. Back in the GitHub codespace of your sample fork, from the explorer, open *Program.cs*.

+1. In the `contextIntialized()` method, find the commented code (lines 12-21) and uncomment it.

+ ```csharp

+ else

+ {

+ builder.Services.AddDbContext<MyDatabaseContext>(options =>

+ options.UseSqlServer(builder.Configuration.GetConnectionString("AZURE_SQL_CONNECTIONSTRING")));

+ builder.Services.AddStackExchangeRedisCache(options =>

+ {

+ options.Configuration = builder.Configuration["AZURE_REDIS_CONNECTIONSTRING"];

+ options.InstanceName = "SampleInstance";

+ });

+ }

+ ```

+

+ When the app isn't in development mode (like in Azure App Service), this code connects to the database by using `AZURE_SQL_CONNECTIONSTRING` and connects to the Redis cache by using the app setting `AZURE_REDIS_CONNECTIONSTRING`.

+--

+Before you deploy these changes, you still need to generate a migration bundle.

+Having issues? Check the [Troubleshooting section](#troubleshooting).

+## 4. Generate database schema

+With the SQL Database protected by the virtual network, the easiest way to run database migrations is in an SSH session with the App Service container. However, the App Service Linux containers don't have the .NET SDK, so the easiest way to run database migrations is to upload a self-contained migrations bundle.

+1. Generate a migrations bundle for your project with the following command:

+ ```bash

+ dotnet ef migrations bundle --runtime linux-x64 -o migrationsbundle

+ ```

+ > [!TIP]

+ > The sample application (see [DotNetCoreSqlDb.csproj](https://github.com/Azure-Samples/msdocs-app-service-sqldb-dotnetcore/blob/main/DotNetCoreSqlDb.csproj)) is configured to include this *migrationsbundle* file. During the `azd package` stage, *migrationsbundle* will be added to the deploy package.

+1. Deploy all the changes with `azd up`.

+ ```bash

+ azd up

+ ```

+1. In the azd output, find the URL for the SSH session and navigate to it in the browser. It looks like this in the output:

+ <pre>

+ Open SSH session to App Service container at: https://&lt;app-name>.scm.azurewebsites.net/webssh/host

+ </pre>

+1. In the SSH terminal, run the following commands:

+ ```bash

+ cd /home/site/wwwroot

+ ./migrationsbundle -- --environment Production

+ ```

+ If it succeeds, App Service is connecting successfully to the database. Remember that `--environment Production` corresponds to the code changes you made in *Program.cs*.

+In the SSH session, only changes to files in `/home` can persist beyond app restarts. Changes outside of `/home` aren't persisted.

+Having issues? Check the [Troubleshooting section](#troubleshooting).

+## 6. Browse to the app

+1. In the AZD output, find the URL of your app and navigate to it in the browser. The URL looks like this in the AZD output:

+ <pre>

+ Deploying services (azd deploy)

+

+ (Γ£ô) Done: Deploying service web

+ - Endpoint: https://&lt;app-name>.azurewebsites.net/

+ </pre>

+2. Add a few tasks to the list.

+ :::image type="content" source="./media/tutorial-dotnetcore-sqldb-app/azure-portal-browse-app-2.png" alt-text="A screenshot of the ASP.NET Core web app with SQL Database running in Azure showing tasks." lightbox="./media/tutorial-dotnetcore-sqldb-app/azure-portal-browse-app-2.png":::

+ Congratulations, you're running a web app in Azure App Service, with secure connectivity to Azure SQL Database.

+Having issues? Check the [Troubleshooting section](#troubleshooting).

+## 7. Stream diagnostic logs

+Azure App Service can capture console logs to help you diagnose issues with your application. For convenience, the AZD template already [enabled logging to the local file system](troubleshoot-diagnostic-logs.md#enable-application-logging-linuxcontainer) and is [shipping the logs to a Log Analytics workspace](troubleshoot-diagnostic-logs.md#send-logs-to-azure-monitor).

+<!-- The sample application includes standard logging statements to demonstrate this capability, as shown in the following snippet:

+In the AZD output, find the link to stream App Service logs and navigate to it in the browser. The link looks like this in the AZD output:

+<pre>

+Stream App Service logs at: https://portal.azure.com/#@/resource/subscriptions/&lt;subscription-guid>/resourceGroups/&lt;group-name>/providers/Microsoft.Web/sites/&lt;app-name>/logStream

+</pre>

+Learn more about logging in .NET apps in the series on [Enable Azure Monitor OpenTelemetry for .NET, Node.js, Python and Java applications](../azure-monitor/app/opentelemetry-enable.md?tabs=aspnetcore).

+Having issues? Check the [Troubleshooting section](#troubleshooting).

+## 8. Clean up resources

+To delete all Azure resources in the current deployment environment, run `azd down` and follow the prompts.

+```bash

+azd down

+```

+## Troubleshooting

+- [The portal deployment view for Azure SQL Database shows a Conflict status](#the-portal-deployment-view-for-azure-sql-database-shows-a-conflict-status)

+- [In the Azure portal, the log stream UI for the web app shows network errors](#in-the-azure-portal-the-log-stream-ui-for-the-web-app-shows-network-errors)

+- [The SSH session in the browser shows `SSH CONN CLOSED`](#the-ssh-session-in-the-browser-shows-ssh-conn-closed)

+- [The portal log stream page shows `Connected!` but no logs](#the-portal-log-stream-page-shows-connected-but-no-logs)

+### The portal deployment view for Azure SQL Database shows a Conflict status

+Depending on your subscription and the region you select, you might see the deployment status for Azure SQL Database to be `Conflict`, with the following message in Operation details:

+`InternalServerError: An unexpected error occured while processing the request.`

+This error is most likely caused by a limit on your subscription for the region you select. Try choosing a different region for your deployment.

+### In the Azure portal, the log stream UI for the web app shows network errors

+You might see this error:

+<pre>

+Unable to open a connection to your app. This may be due to any network security groups or IP restriction rules that you have placed on your app. To use log streaming, please make sure you are able to access your app directly from your current network.

+</pre>

+This is usually a transient error when the app is first started. Wait a few minutes and check again.

+### The SSH session in the browser shows `SSH CONN CLOSED`

+It takes a few minutes for the Linux container to start up. Wait a few minutes and check again.

+### The portal log stream page shows `Connected!` but no logs

+After you configure diagnostic logs, the app is restarted. You might need to refresh the page for the changes to take effect in the browser.

+- [I don't have permissions to create a user-assigned identity](#i-dont-have-permissions-to-create-a-user-assigned-identity)

+- [What can I do with GitHub Copilot in my codespace?](#what-can-i-do-with-github-copilot-in-my-codespace)

+### How much does this setup cost?

+Pricing for the created resources is as follows:

+### How do I connect to the Azure SQL Database server that's secured behind the virtual network with other tools?

+### How does local app development work with GitHub Actions?

+### How do I debug errors during the GitHub Actions deployment?

+### I don't have permissions to create a user-assigned identity

+See [Set up GitHub Actions deployment from the Deployment Center](deploy-github-actions.md#set-up-github-actions-deployment-from-the-deployment-center).

+### What can I do with GitHub Copilot in my codespace?

+You might have noticed that the GitHub Copilot chat view was already there for you when you created the codespace. For your convenience, we include the GitHub Copilot chat extension in the container definition (see *.devcontainer/devcontainer.json*). However, you need a [GitHub Copilot account](https://docs.github.com/copilot/using-github-copilot/using-github-copilot-code-suggestions-in-your-editor) (30-day free trial available).

+A few tips for you when you talk to GitHub Copilot:

+- In a single chat session, the questions and answers build on each other and you can adjust your questions to fine-tune the answer you get.

+- By default, GitHub Copilot doesn't have access to any file in your repository. To ask questions about a file, open the file in the editor first.

+- To let GitHub Copilot have access to all of the files in the repository when preparing its answers, begin your question with `@workspace`. For more information, see [Use the @workspace agent](https://github.blog/2024-03-25-how-to-use-github-copilot-in-your-ide-tips-tricks-and-best-practices/#10-use-the-workspace-agent).

+- In the chat session, GitHub Copilot can suggest changes and (with `@workspace`) even where to make the changes, but it's not allowed to make the changes for you. It's up to you to add the suggested changes and test it.

+Here are some other things you can say to fine-tune the answer you get.

+* I want this code to run only in production mode.

+* I want this code to run only in Azure App Service and not locally.

+* The --output-path parameter seems to be unsupported.

+

+## Related content

+* A GitHub account. you can also [get one for free](https://github.com/join).

+ 1. Ask, "*@workspace How does the app connect to the database?*" Copilot might give you some explanation about the `jdbc/MYSQLDS` data source and how it's configured.

+ GitHub Copilot doesn't give you the same response every time, you might need to ask more questions to fine-tune its response. For tips, see [What can I do with GitHub Copilot in my codespace?](#what-can-i-do-with-github-copilot-in-my-codespace)

+1. Ask, "*@workspace How does the app connect to the database?*" Copilot might give you some explanation about the `jdbc/MYSQLDS` data source and how it's configured.

+1. Ask, "*@workspace I want to replace the data source defined in persistence.xml with an existing JNDI data source in Tomcat but I want to do it dynamically.*" Copilot might give you a code suggestion similar to the one in the **Option 2: without GitHub Copilot** steps below and even tell you to make the change in the [ContextListener](https://github.com/Azure-Samples/msdocs-tomcat-mysql-sample-app/blob/starter-no-infra/src/main/java/com/microsoft/azure/appservice/examples/tomcatmysql/ContextListener.java) class.

+- By default, GitHub Copilot doesn't have access to any file in your repository. To ask questions about a file, open the file in the editor first.

+* When associating a Private Link Scope with an Arc Server, you must have Microsoft.HybridCompute/privateLinkScopes/read permission on the Private Link Scope Resource.

+- A virtual machine template resource on which you have *Arc SCVMM Private Cloud Resource User* role.

+2. You can initiate the creation of a new VM in either of the following two ways:

+ - Select **Azure Arc** as the service and then select **SCVMM management servers** under **Host environments** from the left blade. Search and select your SCVMM management server. Select **Virtual machines** under **SCVMM inventory** from the left blade and select **Add**.

+ Or

+ - Select **Azure Arc** as the service and then select **Machine** under **Azure Arc resources** from the left blade. Select **Add/Create** and select **Create a machine in a connected host environment** from the dropdown.

+1. Once the **Create an Azure Arc virtual machine** page opens, under **Basics** > **Project details**, select the **Subscription** and **Resource group** where you want to deploy the VM.

+1. Under **Instance details**, provide the following details:

+ - **Virtual machine name** - Specify the name of the virtual machine.

+ - **Custom location** - Select the custom location that your administrator has shared with you.

+ - **Virtual machine kind** - Select **System Center Virtual Machine Manager**.

+ - **Cloud** - Select the target VMM private cloud.

+ - **Availability set** - (Optional) Use availability sets to identify virtual machines that you want VMM to keep on separate hosts for improved continuity of service.

+1. Under **Template details**, provide the following details:

+ - **Template** - Choose the VM template for deployment.

+ - **Override template defaults** - Select the checkbox to override the default CPU cores and memory on the VM templates.

+ - Specify computer name for the VM if the VM template has computer name associated with it.

+1. Keep the **Enable Guest Management** checkbox selected to automatically install Azure connected machine agent immediately after the creation of the VM. [Azure connected machine agent (Arc agent)](../servers/agent-overview.md) is required if you're planning to use Azure management services to govern, patch, monitor, and secure your VM through Azure.

+1. Under **Administrator account**, provide the following details and select **Next : Disks >**.

+1. Under **Disks**, you can optionally change the disks configured in the template. You can add more disks or update existing disks.

+1. Under **Networking**, you can optionally change the network interfaces configured in the template. You can add Network interface cards (NICs) or update the existing NICs. You can also change the network that this NIC will be attached to provided you have appropriate permissions to the network resource.

+1. Under **Advanced**, enable processor compatibility mode if required.

+1. Under **Tags**, you can optionally add tags to the VM resource.

+1. Under **Review + create**, review all the properties and select **Create**. The VM will be created in a few minutes.

+- Create an SCVMM private cloud if you don't have one. The private cloud should have a reservation of at least 32 GB of RAM and 4 vCPUs. It should also have at least 100 GB of disk space.

+1. In the **Overview** page, select **Add resources** under **Manage resources across environments**.

+ :::image type="content" source="media/quick-start-connect-scvmm-to-azure/overview-add-infrastructure.png" alt-text="Screenshot of how to select Add your infrastructure for free." lightbox="media/quick-start-connect-scvmm-to-azure/overview-add-infrastructure.png":::

+1. In the **Host environments** section, in **System Center VMM** select **Add**.

+ :::image type="content" source="media/quick-start-connect-scvmm-to-azure/platform-add-system-center-vmm.png" alt-text="Screenshot of how to select System Center V M M platform." lightbox="media/quick-start-connect-scvmm-to-azure/platform-add-system-center-vmm.png":::

+1. Select **Create a new resource bridge** and select **Next : Basics >**.

+1. Select **Next: Tags >**.

+1. Assign Azure tags to your resources in **Value** under **Physical location tags**. You can add additional tags to help you organize your resources to facilitate administrative tasks using custom tags.

+1. Select **Next: Download and run script >**.

+By default, apps running in a Flex Consumption plan have limit of `100` overall instances. Currently the lowest maximum instance count value is `40`, and the highest supported maximum instance count value is `1000`. When you use the [`az functionapp create`](/cli/azure/functionapp#az-functionapp-create) command to create a function app in the Flex Consumption plan, use the `--maximum-instance-count` parameter to set this maximum instance count for of your app.

+Note that while you can change the maximum instance count of Flex Consumption apps up to 1000, your apps will reach a quota limit before reaching that number. Review [Regional subscription memory quotas](flex-consumption-plan.md#regional-subscription-memory-quotas) for more details.

+This example creates an app with a maximum instance count of `200`:

+You can set a number of always ready instances for the [Per-function scaling](flex-consumption-plan.md#per-function-scaling) groups or individual functions, to keep your functions loaded and ready to execute. There are three special groups, as in per-function scaling:

+Use `http`, `durable` or `blob` as the name for the name value pair setting to configure always ready counts for these groups. For all other functions in the app you need to configure always ready for each individual function using the format `function:<FUNCTION_NAME>=n`.

+1. Under **Always-ready instance minimum** type `http`, `blob`, `durable`, or a specific function name using the format `function:<FUNCTION_NAME>=n` in **Trigger** and type the **Number of always-ready instances**.

+## Per-function scaling

+Concurrency is a key factor that determines how Flex Consumption function apps scale. To improve the scale performance of apps with various trigger types, the Flex Consumption plan provides a more deterministic way of scaling your app on a per-function basis.

+This _per-function scaling_ behavior is a part of the hosting platform, so you don't need to configure your app or change the code. For more information, see [Per-function scaling](event-driven-scaling.md#per-function-scaling) in the Event-driven scaling article.

+In per function scaling, HTTP, Blob (Event Grid), and Durable triggers are special cases. All HTTP triggered functions in the app are grouped and scale together in the same instances, and all Durable triggered functions (Orchestration, Activity, or Entity triggers) are grouped and scale together in the same instances, and all Blob (Event Grid) functions are grouped and scale together in the same instances. All other functions in the app are scaled individually into their own instances.

+## Always ready instances

+Flex Consumption includes an _always ready_ feature that lets you choose instances that are always running and assigned to each of your per-function scale groups or functions. This is a great option for scenarios where you need to have a minimum number of instances always ready to handle requests, for example, to reduce your application's cold start latency. The default is 0 (zero).

+For example, if you set always ready to 2 for your HTTP group of functions, the platform keeps two instances always running and assigned to your app for your HTTP functions in the app. Those instances are processing your function executions, but depending on concurrency settings, the platform scales beyond those two instances with on-demand instances.

+To learn how to configure always ready instances, see [Set always ready instance counts](flex-consumption-how-to.md#set-always-ready-instance-counts).

+Currently in preview each region in a given subscription has a memory limit of `512,000 MB` for all instances of apps running on Flex Consumption plans. This means that, in a given subscription and region, you could have any combination of instance memory sizes and counts, as long as they stay under the quota limit. For example, each the following examples would mean the quota has been reached and the apps would stop scaling:

+This quota can be increased to allow your Flex Consumption apps to scale further, depending on your requirements. If your apps require a larger quota please create a support ticket.

+ + Not all regions are currently supported. To learn more, see [View currently supported regions](flex-consumption-how-to.md#view-currently-supported-regions).

+ + There is a temporary limitation in West US 3. If you see the following error "This region has quota of 0 instances for your subscription. Try selecting different region or SKU." in that region please raise a support ticket so that your app can be unblocked.

+|dynamicThrottlesEnabled|true^\*|When enabled, this setting causes the request processing pipeline to periodically check system performance counters like `connections/threads/processes/memory/cpu/etc` and if any of those counters are over a built-in high threshold (80%), requests will be rejected with a `429 "Too Busy"` response until the counter(s) return to normal levels.<br/>^\*The default in a Consumption plan is `true`. The default in the Premium and Dedicated plans is `false`.|

+|maxConcurrentRequests|100^\*|The maximum number of HTTP functions that are executed in parallel. This value allows you to control concurrency, which can help manage resource utilization. For example, you might have an HTTP function that uses a large number of system resources (memory/cpu/sockets) such that it causes issues when concurrency is too high. Or you might have a function that makes outbound requests to a third-party service, and those calls need to be rate limited. In these cases, applying a throttle here can help. <br/>^*The default for a Consumption plan is 100. The default for the Premium and Dedicated plans is unbounded (`-1`).|

+|maxOutstandingRequests|200^\*|The maximum number of outstanding requests that are held at any given time. This limit includes requests that are queued but have not started executing, as well as any in progress executions. Any incoming requests over this limit are rejected with a 429 "Too Busy" response. That allows callers to employ time-based retry strategies, and also helps you to control maximum request latencies. This only controls queuing that occurs within the script host execution path. Other queues such as the ASP.NET request queue will still be in effect and unaffected by this setting. <br/>^\*The default for a Consumption plan is 200. The default for the Premium and Dedicated plans is unbounded (`-1`).|

+The agent can handle many thousands of events per second in the gateway event forwarding scenario. The exact throughput rate depends on various factors such as the size of each event, the specific data type, and physical hardware resources. This article describes the Microsoft internal benchmark used for testing the agent throughput of 10k Syslog events in the forwarder scenario. The benchmark results should provide a guide to size the resources that you need in your environment.

+- Each AMA is limited to ingesting 20k EPS, and drops any data that exceeds the limits.

+- For other considerations for forwarders, see the Log Analytics Gateway documentation.

+The amount of data sent per agent depends on:

+> To receive the Defender for Servers data allowance on your Log Analytics workspace, the **Security** solution must have been [created on the workspace](/cli/azure/monitor/log-analytics/solution).

+- [Logs ingestion API](../logs/logs-ingestion-api-overview.md)

+The following data types still require creating a DCE:

+- [AMA Based Custom Logs](../agents/data-collection-text-log.md)

+- [Windows IIS Logs](../agents/data-collection-iis.md)

+- [Prometheus Metrics](../containers/container-insights-prometheus-logs.md)

+Summary rules don't have a direct cost, and you only pay for the query on the source table(s) and the ingestion to the destination table:

+When you remove columns in the query, the columns and data remain in the destination table and are subjected to the [retention period](data-retention-archive.md) defined on the table or workspace. If the removed columns aren't needed in destination table, [Update schema and remove columns](create-custom-table.md#add-or-delete-a-custom-column) accordingly. During the retention period, if you add columns with the same name, old data that hasn't reached retention policy, shows up.

+## Supported host types

+Azure NetApp Files datastores for Azure VMware Solution are currently supported in the following host types:

+* AV36

+* AV36P

+* AV52

+* AV64

+- Planning. AI agent can plan and sequence actions to achieve specific goals. The integration of LLMs has revolutionized their planning capabilities.

+- Tool usage. Advanced AI agent can utilize various tools, such as code execution, search, and computation capabilities, to perform tasks effectively. Tool usage is often done through function calling.

+- Perception. AI agent can perceive and process information from their environment, including visual, auditory, and other sensory data, making them more interactive and context aware.

+- Memory. AI agent possess the ability to remember past interactions (tool usage and perception) and behaviors (tool usage and planning). It stores these experiences and even perform self-reflection to inform future actions. This memory component allows for continuity and improvement in agent performance over time.

+Azure Cosmos DB provides single-digit millisecond latency, making it highly suitable for processes requiring rapid data access and management, including caching (both traditional and [semantic caching](https://techcommunity.microsoft.com/t5/azure-architecture-blog/optimize-azure-openai-applications-with-semantic-caching/ba-p/4106867), transactions, and operational workloads. This low latency is crucial for AI agents that need to perform complex reasoning, make real-time decisions, and provide immediate responses. Moreover, its [use of state-of-the-art DiskANN algorithm](nosql/vector-search.md#enroll-in-the-vector-search-preview-feature) provides accurate and fast vector search with 95% less memory consumption.

+ Title: Background indexing

+description: Background indexing to enable non-blocking operation during index creation

+# Background indexing (Preview)

+Background indexing is a technique that enables a database system to perform indexing operations on a collection without blocking other queries or updates. Azure Cosmos DB for Mongo vcore accepts the background indexing request and asynchronously performs it in background.

+If working with smaller tiers or workloads with higher I/O needs, it's recommended to predefine indexes on empty collections and avoid relying on background indexing.

+> [!NOTE]

+> Background indexing is a Preview feature. Enabling this feature requires raising a support request.

+> [!IMPORTANT]

+> It is advised to create `unique` indexes on an empty collection as those are created in foreground, which results in blocking of reads and writes.

+>

+> It is advised to create indexes based on query predicates beforehand, while the collection is still empty. It prevents resource contention if pushed on read-write heavy large collection.

+## Monitor index build

+We can learn about the progress of index build using command `currentOp()`.

+```javascript

+db.currentOp("db_name":"<db_name>", "collection_name":"<collection_name>")

+```

+- `db_name` is an optional parameter.

+- `collection_name` is optional parameter.

+```javascript

+// Output for reviewing build status

+{

+inprog: [

+ {

+ shard: 'defaultShard',

+ active: true,

+ type: 'op',

+ opid: '10000003049:1701252500485346',

+ op_prefix: Long("10000003049"),

+ currentOpTime: ISODate("2024-06-24T10:08:20.000Z"),

+ secs_running: Long("2"),

+ command: {createIndexes: '' },

+ op: 'command',

+ waitingForLock: true

+ },

+ {

+ shard: 'defaultShard',

+ active: true,

+ type: 'op',

+ opid: '10000003050:1701252500499914',

+ op_prefix: Long("10000003050"),

+ currentOpTime: ISODate("2024-06-24T10:08:20.000Z"),

+ secs_running: Long("2"),

+ command: {

+ createIndexes: 'BRInventory', },

+ indexes: [

+ {

+ v:2,

+ key: {vendorItemId: 1, vendorId: 1, itemType: 1},

+ name: 'compound_idx'

+ }

+ ],

+ '$db': 'test'

+ op: 'command',

+ waitingForLock: false,

+ progress: {

+ blocks_done: Long("12616"),

+ blocks_done: Long("1276873"),

+ documents_d: Long("0"),

+ documents_to: Long("0")

+ },

+ msg: 'Building index.Progress 0.0098803875. Waiting on op_prefix: 10000000000.'

+ }

+ ],

+ ok: 1

+}

+```

+## Limitations

+- Unique indexes can't be created in the background. It's best to create them on an empty collection and then load the data.

+- Background indexing is performed sequentially within a single collection. However, the number of simultaneous index builds on different collections is configurable (default: 2).

+## Next Steps

+> [!div class="nextstepaction"]

+> [Best practices](how-to-create-indexes.md)

+<tr><td><code>getnonce</code></td><td colspan="3">Deprecated in MongoDB 4.0</td></tr>

+<tr><td><code>logout</code></td><td colspan="3">Deprecated in MongoDB 5.0</td></tr>

+<tr><td><code>getLastError</code></td><td colspan="3">Deprecated in MongoDB 5.1</td></tr>

+Azure Cosmos DB for MongoDB vCore provides seamless scalability and high availability. This document serves as a quick guide for developers who want to learn how to scale and configure their clusters. Changes to the cluster are performed live without downtime.

+2. Navigate to the existing Azure Cosmos DB for MongoDB vCore cluster page.

+3. From the Azure Cosmos DB for MongoDB vCore cluster page, select the **Scale** navigation menu option.

+ >

+ > Upgrade or downgrade from burstable tiers to memory optimized tier isn't supported at the moment.

+2. Select **Save** to persist your change.

+2. Select **Save** to persist your change.

+2. Select **Save** to persist your change.

+ Title: Indexes on Azure Cosmos DB for MongoDB vCore

+description: Basic know-how for efficient usage of indexes on Azure Cosmos DB for MongoDB vCore.

+# Manage indexing in Azure Cosmos DB for MongoDB vcore

+Indexes are structures that improve data retrieval speed by providing quick access to fields in a collection. They work by creating an ordered set of pointers to data, often based on key fields. Azure Cosmos DB for MongoDB vcore utilizes indexes in multiple contexts, including query push down, unique constraints and sharding.

+> [!IMPORTANT]

+> The "_id" field is the **only** field indexed by default & maximum size of the field can be `2 KB`. It is recommended to add additional indexes based on query filters & predicates to optimize performance.

+## Index types

+For simplicity, let us consider an example of a blog application with the following setup:

+- **Database name**: `cosmicworks`

+- **Collection name**: `products`

+This example application stores articles as documents with the following structure. All the example quoted further utilizes the structure of this collection.

+```json

+{

+ "_id": ObjectId("617a34e7a867530bff1b2346"),

+ "title": "Azure Cosmos DB - A Game Changer",

+ "content": "Azure Cosmos DB is a globally distributed, multi-model database service.",

+ "author": {lastName: "Doe", firstName: "John"},

+ "category": "Technology",

+ "launchDate": ISODate("2024-06-24T10:08:20.000Z"),

+ "published": true

+}

+```

+## Single field indexes

+Single field indexes store information from a single field in a collection. The sort order of the single field index doesn't matter. `_id` field remains indexed by default.

+Azure Cosmos DB for MongoDB vcore supports creating index at following

+- Top-level document fields.

+- Embedded document.

+- Fields within embedded document.

+The following command creates a single field index on the field `author` and the following command creates it on an embedded field `firstName`.

+```javascript

+use cosmicworks

+db.products.createIndex({"author": 1})

+// indexing embedded property

+db.products.createIndex({"author.firstName": -1})

+```

+One query can use multiple single field indexes where available.

+> [!NOTE]

+> Azure Cosmos DB for MongoDB vcore allows creating maximum of 64 indexes on a collection. Depending on the tier, we can plan extension up to 300 indexes upon request.

+## Compound indexes

+Compound indexes improve database performance by allowing efficient **querying and sorting** based on multiple fields within documents. This optimization reduces the need to scan entire collections, speeding up data retrieval and organization.

+The following command creates a compound index on the fields `author` and `launchDate` in opposite sort order.

+```javascript

+use cosmicworks

+db.products.createIndex({"author":1, "launchDate":-1})

+```

+`Order` of fields affect the selectivity or utilization of index. The `find` query wouldn't utilize the index created.

+```javascript

+use cosmicworks

+db.products.find({"launchDate": {$gt: ISODate("2024-06-01T00:00:00.000Z")}})

+```

+Compounded indexes on nested fields aren't supported by default due to limitations with arrays. If your nested field doesn't contain an array, the index works as intended. If your nested field contains an array (anywhere on the path), that value is ignored in the index.

+As an example, a compound index containing `author.lastName` works in this case since there's no array on the path:

+```json

+{

+ "_id": ObjectId("617a34e7a867530bff1b2346"),

+ "title": "The Culmination",

+ "author": {lastName: "Lindsay", firstName: "Joseph"},

+ "launchDate": ISODate("2024-06-24T10:08:20.000Z"),

+ "published": true

+}

+```

+This same compound index doesn't work in this case since there's an array in the path:

+```json

+{

+ "_id": ObjectId("617a34e7a867530bff1b2346"),

+ "title": "Beautiful Creatures",

+ "author": [ {lastName: "Garcia", firstName: "Kami"}, {lastName: "Stohl", firstName: "Margaret"} ],

+ "launchDate": ISODate("2024-06-24T10:08:20.000Z"),

+ "published": true

+}

+```

+### Limitations

+- Maximum of 32 fields\paths within a compound index.

+## Partial indexes

+Indexes that have an associated query filter that describes when to generate a term in the index.

+```javascript

+use cosmicworks

+db.products.createIndex (

+ { "author": 1, "launchDate": 1 },

+ { partialFilterExpression: { "launchDate": { $gt: ISODate("2024-06-24T10:08:20.000Z") } } }

+)

+```

+### Limitations

+- Partial indexes don't support `ORDER BY` or `UNIQUE` unless the filter qualifies.

+## Text indexes

+Text indexes are special data structures that optimize text-based queries, making them faster and more efficient.

+Use the `createIndex` method with the `text` option to create a text index on the `title` field.

+```javascript

+use cosmicworks;

+db.products.createIndex({ Title: "text" })

+```

+> [!NOTE]

+> While you can define only one text index per collection, Azure Cosmos DB for MongoDB vCore allows you to create text indexes on combination of multiple fields to enable you to perform text searches across different fields in your documents.

+### Configure text index options

+Text indexes in Azure Cosmos DB for MongoDB vcore come with several options to customize their behavior. For example, you can specify the language for text analysis, set weights to prioritize certain fields, and configure case-insensitive searches. Here's an example of creating a text index with options:

+- Create an index to support search on both the `title` and `content` fields with English language support. Also, assign higher weights to the `title` field to prioritize it in search results.

+ ```javascript

+ use cosmicworks

+ db.products.createIndex(

+ { Title: "text", content: "text" },

+ { default_language: "english", weights: { Title: 10, content: 5 }, caseSensitive: false }

+ )

+ ```

+> [!NOTE]

+> When a client performs a text search query with the term "Cosmos DB," the score for each document in the collection will be calculated based on the presence and frequency of the term in both the "title" and "content" fields, with higher importance given to the "title" field due to its higher weight.

+### Perform a text search using a text index

+Once the text index is created, you can perform text searches using the "text" operator in your queries. The text operator takes a search string and matches it against the text index to find relevant documents.

+- Perform a text search for the phrase `Cosmos DB`.

+ ```javascript

+ use cosmicworks

+ db.products.find(

+ { $text: { $search: "Cosmos DB" } }

+ )

+ ```

+- Optionally, use the `$meta` projection operator along with the `textScore` field in a query to see the weight

+ ```javascript

+ use cosmicworks

+ db.products.find(

+ { $text: { $search: "Cosmos DB" } },

+ { score: { $meta: "textScore" } }

+ )

+ ```

+### Limitations

+- Only one text index can be defined on a collection.

+- Text indexes support simple text searches and don't yet provide advanced search capabilities like regular expressions.

+- Sort operations can't use the ordering of the text index in MongoDB.

+- Hint() isn't supported in combination with a query using $text expression.

+- Text indexes can be relatively large, consuming significant storage space compared to other index types.

+## WildCard indexes

+Index on single field, indexes all paths beneath the `field` , excluding other fields that are on the same level. For example, for the following sample document

+```json

+{

+ "children":

+ {

+ "familyName": "Merriam",

+ "pets": { "details": {ΓÇ£nameΓÇ¥: "Goofy", ΓÇ¥ageΓÇ¥: 3} }

+ }

+}

+```

+Creating an index on { "pets.$**": 1 }, creates index on details & sub-document properties but doesn't create an index on ΓÇ£familyNameΓÇ¥.

+### Limitations

+- Wildcard indexes can't support unique indexes.

+- Wildcard indexes don't support push downs of `ORDER BY` unless the filter includes only paths present in the wildcard (since they don't index undefined elements)

+- A compound wildcard index can only have 1 wildcard term and 1 or more additional index terms.

+`{ "pets.$**": 1, ΓÇ£familyNameΓÇ¥: 1 }`

+## Geospatial indexes

+Geospatial indexes support queries on data stored as GeoJSON objects or legacy coordinate pairs. You can use geospatial indexes to improve performance for queries on geospatial data or to run certain geospatial queries.

+Azure Cosmos DB for MongoDB vcore provides two types of geospatial indexes:

+- 2dsphere Indexes, which support queries that interpret geometry on a sphere.

+- 2d Indexes, which support queries that interpret geometry on a flat surface.

+### 2d indexes

+2d indexes are supported only with legacy coordinate pair style of storing geospatial data.

+Use the `createIndex` method with the `2d` option to create a geospatial index on the `location` field.

+```javascript

+db.places.createIndex({ "location": "2d"});

+```

+### Limitations

+- Only 1 location field can be part of the `2d` index and only 1 other non-geospatial field can be part of the `compound 2d` index

+`db.places.createIndex({ "location": "2d", "non-geospatial-field": 1 / -1 })`

+### 2dsphere indexes

+`2dsphere` indexes support geospatial queries on an earth-like sphere. It can support both GeoJSON objects or legacy coordinate pairs. `2dSphere` indexes work with the GeoJSON style of storing data, if legacy points are encountered then these are converted to GeoJSON point.

+Use the `createIndex` method with the `2dsphere` option to create a geospatial index on the `location` field.

+```javascript

+db.places.createIndex({ "location": "2dsphere"});

+```

+`2dsphere` indexes allow creating indexes on multiple geospatial and multiple non-geospatial data fields.

+`db.places.createIndex({ "location": "2d", "non-geospatial-field": 1 / -1, ... "more non-geospatial-field": 1 / -1 })`

+### Limitations

+- A compound index using a regular index and geospatial index isn't supported. Creating either of the geospatial indexes would lead into errors.

+ ```javascript

+ // Compound Regular & 2dsphere indexes are not supported yet

+ db.collection.createIndex({a: 1, b: "2dsphere"})

+ // Compound 2d indexes are not supported yet

+ db.collection.createIndex({a: "2d", b: 1})

+ ```

+- Polygons with holes don't work. Inserting a Polygon with hole isn't restricted though `$geoWithin` query fails for scenarios:

+ 1. If the query itself has polygon with holes.

+ ```javascript

+ coll.find(

+ {

+ "b": {

+ "$geoWithin": {

+ "$geometry": {

+ "coordinates": [

+ [

+ [ 0, 0], [0, 10], [10, 10],[10,0],[0, 0]

+ ],

+ [

+ [5, 5], [8, 5], [ 8, 8], [ 5, 8], [ 5, 5]

+ ]

+ ],

+ "type": "Polygon"

+ }

+ }

+ }

+ })

+ // MongoServerError: $geoWithin currently doesn't support polygons with holes

+ ```

+ 2. If there's any unfiltered document that has polygon with holes.

+

+ ```javascript

+ [mongos] test> coll.find()

+ [

+ {

+ _id: ObjectId("667bf7560b4f1a5a5d71effa"),

+ b: {

+ type: 'Polygon',

+ coordinates: [

+ [ [ 0, 0 ], [ 0, 10 ], [ 10, 10 ], [ 10, 0 ], [ 0, 0 ] ],

+ [ [ 5, 5 ], [ 8, 5 ], [ 8, 8 ], [ 5, 8 ], [ 5, 5 ] ]

+ ]

+ }

+ }

+ ]

+ // MongoServerError: $geoWithin currently doesn't support polygons with holes

+ ```

+ 3. `key` field is mandatory while using `geoNear`.

+ ```javascript

+ [mongos] test> coll.aggregate([{ $geoNear: { $near: { "type": "Point", coordinates: [0, 0] } } }])

+ // MongoServerError: $geoNear requires a 'key' option as a String

+ ```

+## Next steps

+- Learn about indexing [Best practices](how-to-create-indexes.md) for most efficient outcomes.

+- Learn about [background indexing](background-indexing.md)

+- Learn here to work with [Text indexing](how-to-create-text-index.md).

+- Learn here about [Wildcard indexing](how-to-create-wildcard-indexes.md).

+# Computed properties in Azure Cosmos DB for NoSQL

+After the computed properties are created, you can execute queries that reference the properties by using any method, including all SDKs and Azure Data Explorer in the Azure portal.

+Adding computed properties to a container doesn't consume RUs. Write operations on containers that have computed properties defined might have a slight RU increase. If a computed property is indexed, RUs on write operations increase to reflect the costs for indexing and evaluation of the computed property.

+In all regions (except Brazil South and Southeast Asia), Azure Data Factory data is stored and replicated in the [paired region](../availability-zones/cross-region-replication-azure.md#azure-paired-regions) to protect against metadata loss. During regional datacenter failures, Microsoft may initiate a regional failover of your Azure Data Factory instance. In most cases, no action is required on your part. When the Microsoft-managed failover has completed, you'll be able to access your Azure Data Factory in the failover region.

+Refer [here](/graph/data-connect-faq#how-can-i-approve-pam-requests-via-microsoft-365-admin-portal) on how the approver can approve the data access request.

+> Threat protection for AI workloads relies on [Azure OpenAI content filtering](../ai-services/openai/concepts/content-filter.md) for prompt-base triggered alert. If you opt out of prompt-based trigger alerts and removed that capability, it can affect Defender for Cloud's ability to monitor and detect such attacks.

+### Detected credential theft attempts on an Azure Open AI model deployment

+(AI.Azure_CredentialTheftAttempt)

+### A Jailbreak attempt on an Azure Open AI model deployment was blocked by Azure AI Content Safety Prompt Shields

+(AI.Azure_Jailbreak.ContentFiltering.BlockedAttempt)

+**Description**: The Jailbreak alert, carried out using a direct prompt injection technique, is designed to notify the SOC there was an attempt to manipulate the system prompt to bypass the generative AIΓÇÖs safeguards, potentially accessing sensitive data or privileged functions. It indicated that such attempts were blocked by Azure Responsible AI Content Safety (AKA Prompt Shields), ensuring the integrity of the AI resources and the data security.

+### A Jailbreak attempt on an Azure Open AI model deployment was detected by Azure AI Content Safety Prompt Shields

+(AI.Azure_Jailbreak.ContentFiltering.DetectedAttempt)

+**Description**: The Jailbreak alert, carried out using a direct prompt injection technique, is designed to notify the SOC there was an attempt to manipulate the system prompt to bypass the generative AIΓÇÖs safeguards, potentially accessing sensitive data or privileged functions. It indicated that such attempts were detected by Azure Responsible AI Content Safety (AKA Prompt Shields), but were not blocked due to content filtering settings or due to low confidence.

+### Sensitive Data Exposure Detected in Azure Open AI Model Deployment

+(AI.Azure_DataLeakInModelResponse.Sensitive)

+ Title: Assign access to workload owners

+description: Learn how to assign access to a workload owner of an Amazon Web Service or Google Cloud Project connector.

+#customer intent: As a workload owner, I want to learn how to assign access to my AWS or GCP connector so that I can view the suggested recommendations provided by Defender for Cloud.

+# Assign access to workload owners

+When you onboard your AWS or GCP environments, Defender for Cloud automatically creates a security connector as an Azure resource inside the connected subscription and resource group. Defender for cloud also creates the identity provider as an IAM role it requires during the onboarding process.

+Assign permission to users, on specific security connectors, below the parent connector? Yes, you can. You need to determine to which AWS accounts or GCP projects you want users to have access to. Meaning, you need to identify the security connectors that correspond to the AWS account or GCP project to which you want to assign users access.

+## Prerequisites

+- An Azure account. If you don't already have an Azure account, you can [create your Azure free account today](https://azure.microsoft.com/free/).

+- At least one security connector for [Azure](connect-azure-subscription.md), [AWS](quickstart-onboard-aws.md) or [GCP](quickstart-onboard-gcp.md).

+## Configure permissions on the security connector

+Permissions for security connectors are managed through Azure role-based access control (RBAC). You can assign roles to users, groups, and applications at a subscription, resource group, or resource level.

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+1. Navigate to **Microsoft Defender for Cloud** > **Environment settings**.

+1. Locate the relevant AWS or GCP connector.

+1. Assign permissions to the workload owners with All resources or the Azure Resource Graph option in the Azure portal.

+ ### [All resources](#tab/all-resources)

+

+ 1. Search for and select **All resources**.

+

+ :::image type="content" source="media/assign-access-to-workload/all-resources.png" alt-text="Screenshot that shows you how to search for and select all resources." lightbox="media/assign-access-to-workload/all-resources.png":::

+

+ 1. Select **Manage view** > **Show hidden types**.

+

+ :::image type="content" source="media/assign-access-to-workload/show-hidden-types.png" alt-text="Screenshot that shows you where on the screen to find the show hidden types option." lightbox="media/assign-access-to-workload/show-hidden-types.png":::

+

+ 1. Select the **Types equals all** filter.

+

+ 1. Enter `securityconnector` in the value field and add a check to the `microsoft.security/securityconnectors`.

+

+ :::image type="content" source="media/assign-access-to-workload/security-connector.png" alt-text="Screenshot that shows where the field is located and where to enter the value on the screen." lightbox="media/assign-access-to-workload/security-connector.png":::

+

+ 1. Select **Apply**.

+

+ 1. Select the relevant resource connector.

+ ### [Azure Resource Graph](#tab/azure-resource-graph)

+ 1. Search for and select **Resource Graph Explorer**.

+

+ :::image type="content" source="media/assign-access-to-workload/resource-graph-explorer.png" alt-text="Screenshot that shows you how to search for and select resource graph explorer." lightbox="media/assign-access-to-workload/resource-graph-explorer.png":::

+

+ 1. Copy and paste the following query to locate the security connector:

+

+ ### [AWS](#tab/aws)

+

+ ```bash

+ resources

+ | where type == "microsoft.security/securityconnectors"

+ | extend source = tostring(properties.environmentName) 

+ | where source == "AWS"

+ | project name, subscriptionId, resourceGroup, accountId = properties.hierarchyIdentifier, cloud = properties.environmentName 

+ ```

+

+ ### [GCP](#tab/gcp)

+

+ ```bash

+ resources

+ | where type == "microsoft.security/securityconnectors"

+ | extend source = tostring(properties.environmentName) 

+ | where source == "GCP"

+ | project name, subscriptionId, resourceGroup, projectId = properties.hierarchyIdentifier, cloud = properties.environmentName 

+ ```

+

+

+

+ 1. Select **Run query**.

+

+ 1. Toggle formatted results to **On**.

+

+ :::image type="content" source="media/assign-access-to-workload/formatted-results.png" alt-text="Screenshot that shows where the formatted results toggle is located on the screen." lightbox="media/assign-access-to-workload/formatted-results.png":::

+

+ 1. Select the relevant subscription and resource group to locate the relevant security connector.

+

+

+

+1. Select **Access control (IAM)**.

+

+ :::image type="content" source="media/assign-access-to-workload/control-i-am.png" alt-text="Screenshot that shows where to select Access control IAM in the resource you selected." lightbox="media/assign-access-to-workload/control-i-am.png":::

+

+1. Select **+Add** > **Add role assignment**.

+

+1. Select the desired role.

+

+1. Select **Next**.

+

+1. Select **+ Select members**.

+

+ :::image type="content" source="media/assign-access-to-workload/select-members.png" alt-text="Screenshot that shows where the button is on the screen to select the + select members button.":::

+

+1. Search for and select the relevant user or group.

+

+1. Select the **Select** button.

+

+1. Select **Next**.

+

+1. Select **Review + assign**.

+1. Review the information.

+1. Select **Review + assign**.

+After setting the permission for the security connector, the workload owners will be able to view recommendations in Defender for Cloud for the AWS and GCP resources that are associated with the security connector.

+## Next step

+> [!div class="nextstepaction"]

+> [RBAC permissions](permissions.md)

+> [!NOTE]

+> To move your Defender for Endpoint extension to a different subscription in the same tenant, delete either the `MDE.Linux' or 'MDE.Windows` extension from the virtual machine and Defender for Cloud will automatically redeploy it.

+1. Select a scan interval between 1 to 24 hours.

+ Some data collectors run with fixed scan intervals and are not affected by custom interval configurations. The following table shows the fixed scan intervals for each excluded data collector:

+ | Data collector name | Scan interval |

+ |--|--|

+ | EC2Instance <br> ECRImage <br> ECRRepository <br> RDSDBInstance <br> S3Bucket <br> S3BucketTags <br> S3Region <br> EKSCluster <br> EKSClusterName <br> EKSNodegroup <br> EKSNodegroupName <br> AutoScalingAutoScalingGroup | 1 hour |

+ | EcsClusterArn <br> EcsService <br> EcsServiceArn <br> EcsTaskDefinition <br> EcsTaskDefinitionArn <br> EcsTaskDefinitionTags <br> AwsPolicyVersion <br> LocalPolicyVersion <br> AwsEntitiesForPolicy <br> LocalEntitiesForPolicy <br> BucketEncryption <br> BucketPolicy <br> S3PublicAccessBlockConfiguration <br> BucketVersioning <br> S3LifecycleConfiguration <br> BucketPolicyStatus <br> S3ReplicationConfiguration <br> S3AccessControlList <br> S3BucketLoggingConfig <br> PublicAccessBlockConfiguration | 12 hours |

+- [Assign access to workload owners](assign-access-to-workload.md).

+description: Defend your GCP resources by using Microsoft Defender for Cloud. Protect your workloads and enhance your cloud security with our comprehensive solution.

+You also select a location and add the organization ID for your project.

+You can also set a scan interval between 1 to 24 hours.

+Some data collectors run with fixed scan intervals and are not affected by custom interval configurations. The following table shows the fixed scan intervals for each excluded data collector:

+| Data collector name | Scan interval |

+|--|--|

+| ComputeInstance <br> ArtifactRegistryRepositoryPolicy <br> ArtifactRegistryImage <br> ContainerCluster <br> ComputeInstanceGroup <br> ComputeZonalInstanceGroupInstance <br> ComputeRegionalInstanceGroupManager <br> ComputeZonalInstanceGroupManager <br> ComputeGlobalInstanceTemplate | 1 hour |

+When you onboard an organization, you can also choose to exclude project numbers and folder IDs.

+- [Assign access to workload owners](assign-access-to-workload.md).

+The following example focuses on secure score recommendations for **Remediate vulnerabilities**.

+**Current score** | The current score for this control.<br/><br/> Current score = [Score per resource] * [Number of healthy resources]<br/><br/>Each control contributes to the total score. In this example, the control is contributing 3.33 points to current total score.

+**Potential score increase** | The remaining points available to you within the control. If you remediate all the recommendations in this control, your score increases by 4%.<br/><br/> Potential score increase = [Score per resource] * [Number of unhealthy resources]

+For more information, see [On-premises backup file capacity](references-data-retention.md#backup-file-capacity).

+description: Learn about the data retention periods and capacities for Microsoft Defender for IoT data stored in Microsoft Azure, the OT sensor, and on-premises management console.

+# Data retention, privacy, and sharing across Microsoft Defender for IoT

+Microsoft Defender for IoT stores data in the Microsoft Azure portal, in OT network sensors, and in on-premises management consoles.

+Each storage type has varying storage capacity options and retention times. This article describes the data retention policy for the amount of data and length of time the data is stored in each storage type before being deleted or overwritten.

+## What are we collecting?

+Defender for IoT collects information from your configured devices and stores it in a service specific, customer-dedicated and segregated tenant. The stored data is for administration, tracking, and reporting purposes.

+Information collected includes network connection data (IPs and ports), and device details (device identifiers, names, operating system versions, firmware versions). Defender for IoT stores this data securely in accordance with Microsoft privacy practices andΓÇ»[Microsoft Trust Center policies](https://azure.microsoft.com/explore/trusted-cloud/).

+This data enables Defender for IoT to:

+- Proactively identify indicators of attack (IOAs) in your organization.

+- Generate alerts if a possible attack is detected.

+- Provide your security team a view into devices and addresses related to threat signals from your network, enabling you to investigate and explore possible network security threats.

+Microsoft doesn't use your data for advertising.

+## Data location

+Defender for IoT uses the Microsoft Azure data centers in the European Union and the United States. Customer data collected by the service might be stored in one of two geo-locations:

+- The geolocation of the tenant as identified during provisioning.

+- The geolocation as defined by the data storage rules of an online service, that's used by Defender for IoT to process its data.

+## Data retention

+Data from Defender for IoT is retained for as long as a customer is active or for 90 days after the end of your contract. During this period the data is visible across your other services on the portal.

+Your data is kept and is available while your license is under a grace period or in suspended mode. 90 days after the end of this period, your data is erased from Microsoft's systems making it unrecoverable.

+The following table lists how long device data is stored in each Defender for IoT storage type.

+The following table lists how long alert data is stored in each Defender for IoT storage type. Alert data is stored as listed, regardless of the alert's status, or whether it's been learned or muted.

+The following table lists how long PCAP data is stored in each Defender for IoT storage type.

+| **OT network sensor** | Dependent on the sensor's storage capacity allocated for PCAP files, which determines its [hardware profile](ot-appliance-sizing.md): <br><br>- **C5600**: 130 GB <br>- **E1800**: 130 GB <br>- **E1000** : 78 GB<br>- **E500**: 78 GB <br>- **L500**: 7 GB <br>- **L100**: 2.5 GB<br><br> If a sensor exceeds its maximum storage capacity, the oldest PCAP file is deleted to accommodate the new one. <br><br> For more information, see [Access alert PCAP data](how-to-view-alerts.md#access-alert-pcap-data) and [Pre-configured physical appliances for OT monitoring](ot-pre-configured-appliances.md). |

+The retention of event timeline data isn't limited by time. However, assuming a frequency of 500 events per day, all hardware profiles are able to retain the events for at least **90 day**s.

+## Backup file capacity

+Both the OT network sensor and the on-premises management console have automated backups running daily, and older backup files are overwritten when the configured storage capacity reaches its limit.

+| **L100** | Backups aren't supported |

+| **L500** | 20 GB |

+| **E1800** | 100 GB |

+| **C5600** | 100 GB |

+If the device can't allocate enough hard disk space, then only the last backup is saved on the on-premises management console.

+- A single sensor backup file is limited to a maximum of 40 GB. A file exceeding that size isn't sent to the on-premises management console.

+## Data sharing for Microsoft Defender for IoT

+Microsoft Defender for IoT shares data, including customer data, among the following Microsoft products, also licensed by the customer.

+- Microsoft Defender XDR

+- Microsoft Sentinel

+- Microsoft Threat Intelligence Center

+- Microsoft Defender for Cloud

+- Microsoft Defender for Endpoint

+- Microsoft Security Exposure Management

+- VNets with [encryption](/azure/virtual-network/virtual-network-encryption-overview) enabled do not support Azure DNS Private Resolver.

+The all-active Azure Event Hubs cluster model with [availability zone support](../reliability/reliability-event-hubs.md) provides resiliency against hardware and datacenter outages. However, if a disaster where an entire region and all zones are unavailable, you can use Geo-disaster recovery to recover your workload and application configuration.

+Geo-Disaster recovery ensures that the entire configuration of a namespace (Event Hubs, Consumer Groups, and settings) is continuously replicated from a primary namespace to a secondary namespace when paired.

+The Geo-disaster recovery feature of Azure Event Hubs is a disaster recovery solution. The concepts and workflow described in this article apply to disaster scenarios, and not to temporary outages. For a detailed discussion of disaster recovery in Microsoft Azure, see [this article](/azure/architecture/resiliency/disaster-recovery-azure-applications).

+With Geo-Disaster recovery, you can initiate a once-only failover move from the primary to the secondary at any time. The failover move points the chosen alias name for the namespace to the secondary namespace. After the move, the pairing is then removed. The failover is nearly instantaneous once initiated.

+* ExpressRoute-VPN Gateway coexist configurations are **not supported with Basic SKU public IP**.

+| **[New Era](https://www.neweratech.com/us/)** | North America |

+- **SNAT** - Additional ports are available for outbound SNAT connections, reducing the potential for SNAT port exhaustion. Azure Firewall randomly selects the first source public IP address to use for a connection and selects another public IP after ports from the first IP have been exhausted. If you have any downstream filtering on your network, you need to allow all public IP addresses associated with your firewall. Consider using a [public IP address prefix](../virtual-network/ip-services/public-ip-address-prefix.md) to simplify this configuration.

+> [!NOTE]

+> In scenarios with high traffic volume and throughput, it is recommended to use a [NAT Gateway](/azure/nat-gateway/nat-overview) to provide outbound connectivity. SNAT ports are dynamically allocated across all public IPs associated with NAT Gateway. To learn more see [integrate NAT Gateway with Azure Firewall](/azure/firewall/integrate-with-nat-gateway).

+> [!IMPORTANT]

+> Deploying NAT gateway with a [zone redundant firewall](deploy-availability-zone-powershell.md) is not recommended deployment option, as a single instance of NAT gateway does not support zonal redundant deployment at this time.

+[03]: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/policy_virtual_machine_configuration_assignment

+- `create`: FHIR service checks that the profile content is unique from the existing resources and that it's acceptable to be created as a new resource.

+ Title: Send cloud-to-device messages

+description: How to send cloud-to-device messages from a back-end app and receive them on a device app using the Azure IoT SDKs for C#, Python, Java, Node.js, and C.

+zone_pivot_groups: iot-hub-howto-c2d-1

+# Send and receive cloud-to-device messages

+Azure IoT Hub is a fully managed service that enables bi-directional communications, including cloud-to-device (C2D) messages from solution back ends to millions of devices.

+This article describes how to use the Azure IoT SDKs to build the following types of applications:

+* Device applications that receive and handle cloud-to-device messages from an IoT Hub messaging queue.

+* Back end applications that send cloud-to-device messages to a single device through an IoT Hub messaging queue.

+This article is meant to complement runnable SDK samples that are referenced from within this article.

+## Overview

+For a device application to receive cloud-to-device messages, it must connect to IoT Hub and then set up a message handler to process incoming messages. The [Azure IoT Hub device SDKs](./iot-hub-devguide-sdks.md#azure-iot-hub-device-sdks) provide classes and methods that a device can use to receive and handle messages from the service. This article discusses key elements of any device application that receives messages, including:

+* Declare a device client object

+* Connect to IoT Hub

+* Retrieve messages from the IoT Hub message queue

+* Process the message and send an acknowledgment back to IoT Hub

+* Configure a receive message retry policy

+For a back end application to send cloud-to-device messages, it must connect to an IoT Hub and send messages through an IoT Hub message queue. The [Azure IoT Hub service SDKs](./iot-hub-devguide-sdks.md#azure-iot-hub-service-sdks) provide classes and methods that an application can use to send messages to devices. This article discusses key elements of any application that sends messages to devices, including:

+* Declare a service client object

+* Connect to IoT Hub

+* Build and send the message

+* Receive delivery feedback

+* Configure a send message retry policy

+## Understand the message queue

+To understand cloud-to-device messaging, it's important to understand some fundamentals about how IoT Hub device message queues work.

+Cloud-to-device messages sent from a solution backend application to an IoT device are routed through IoT Hub. There's no direct peer-to-peer messaging communication between the solution backend application and the target device. IoT Hub places incoming messages into its message queue, ready to be downloaded by target IoT devices.

+To guarantee at-least-once message delivery, IoT hub persists cloud-to-device messages in per-device queues. Devices must explicitly acknowledge completion of a message before IoT Hub removes the message from the queue. This approach guarantees resiliency against connectivity and device failures.

+When IoT Hub puts a message in a device message queue, it sets the message state to *Enqueued*. When a device thread takes a message from the queue, IoT Hub locks the message by setting the message state to *Invisible*. This state prevents other threads on the device from processing the same message. When a device thread successfully completes the processing of a message, it notifies IoT Hub and then IoT Hub sets the message state to *Completed*.

+A device application that successfully receives and processes a message is said to *Complete* the message. However, if necessary a device can also:

+* *Reject* the message, which causes IoT Hub to set it to the Dead lettered state. Devices that connect over the Message Queuing Telemetry Transport (MQTT) protocol can't reject cloud-to-device messages.

+* *Abandon* the message, which causes IoT Hub to put the message back in the queue, with the message state set to *Enqueued*. Devices that connect over the MQTT protocol can't abandon cloud-to-device messages.

+For more information about the cloud-to-device message lifecycle and how IoT Hub processes cloud-to-device messages, see [Send cloud-to-device messages from an IoT hub](iot-hub-devguide-messages-c2d.md).

+## Connection reconnection policy

+This article doesn't demonstrate a message retry policy for the device to IoT Hub connection or external application to IoT Hub connection. In production code, you should implement connection retry policies as described in [Manage device reconnections to create resilient applications](/azure/iot/concepts-manage-device-reconnections).

+## Message retention time, retry attempts, and max delivery count

+As described in [Send cloud-to-device messages from IoT Hub](/azure/iot-hub/iot-hub-devguide-messages-c2d#cloud-to-device-configuration-options), you can view and configure defaults for the following message values using portal IoT Hub configuration options or the Azure CLI. These configuration options can affect message delivery and feedback.

+* Default TTL (time to live) - The amount of time a message is available for a device to consume before it's expired by IoT Hub.

+* Feedback retention time - The amount of time IoT Hub retains the feedback for expiration or delivery of cloud-to-device messages.

+* The number of times IoT Hub attempts to deliver a cloud-to-device message to a device.

+# Test workflows with mock data in Azure Logic Apps

+* Learn more about [Azure Logic Apps](logic-apps-overview.md)

+Phi-3 Mini is a 3.8B parameters, lightweight, state-of-the-art open model. Phi-3-Mini was trained with Phi-3 datasets that include both synthetic data and the filtered, publicly-available websites data, with a focus on high quality and reasoning-dense properties.

+The model belongs to the Phi-3 model family, and the Mini version comes in two variants, 4K and 128K, which denote the context length (in tokens) that each model variant can support.

+The model underwent a rigorous enhancement process, incorporating both supervised fine-tuning and direct preference optimization to ensure precise instruction adherence and robust safety measures. When assessed against benchmarks that test common sense, language understanding, math, code, long context and logical reasoning, Phi-3-Mini-4K-Instruct and Phi-3-Mini-128K-Instruct showcased a robust and state-of-the-art performance among models with less than 13 billion parameters.

+# [Phi-3-small](#tab/phi-3-small)

+Phi-3-Small is a 7B parameters, lightweight, state-of-the-art open model. Phi-3-Small was trained with Phi-3 datasets that include both synthetic data and the filtered, publicly-available websites data, with a focus on high quality and reasoning-dense properties.

+The model belongs to the Phi-3 model family, and the Small version comes in two variants, 8K and 128K, which denote the context length (in tokens) that each model variant can support.

+- Phi-3-small-8k-Instruct

+- Phi-3-small-128k-Instruct

+The model underwent a rigorous enhancement process, incorporating both supervised fine-tuning and direct preference optimization to ensure precise instruction adherence and robust safety measures. When assessed against benchmarks that test common sense, language understanding, math, code, long context and logical reasoning, Phi-3-Small-8k-Instruct and Phi-3-Small-128k-Instruct showcased a robust and state-of-the-art performance among models with less than 13 billion parameters.

+Phi-3 Medium is a 14B parameters, lightweight, state-of-the-art open model. Phi-3-Medium was trained with Phi-3 datasets that include both synthetic data and the filtered, publicly-available websites data, with a focus on high quality and reasoning-dense properties.

+The model belongs to the Phi-3 model family, and the Medium version comes in two variants, 4K and 128K, which denote the context length (in tokens) that each model variant can support.

+The model underwent a rigorous enhancement process, incorporating both supervised fine-tuning and direct preference optimization to ensure precise instruction adherence and robust safety measures. When assessed against benchmarks that test common sense, language understanding, math, code, long context and logical reasoning, Phi-3-Medium-4k-Instruct and Phi-3-Medium-128k-Instruct showcased a robust and state-of-the-art performance among models with less than 13 billion parameters.

+1. Select the workspace in which you want to deploy your models. To use the serverless API model deployment offering, your workspace must belong to one of the regions listed in the [prerequisites](#prerequisites) section.

+- [Region availability for models in serverless API endpoints](concept-endpoint-serverless-availability.md)

+|[Zertia](https://zertia.es/)||[ExpressRoute ΓÇô Intercloud connectivity](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/zertiatelecomunicacionessl1615311863650.zertia-inter-conect-of103?tab=Overview)|[Enterprise Connectivity Suite - Virtual WAN](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/zertiatelecomunicacionessl1615311863650.zertia-vw-suite-of101?tab=Overview); [Manage Virtual WAN ΓÇô SD-WAN Fortinet](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/zertiatelecomunicacionessl1615311863650.zertia-mvw-fortinet-of101?tab=Overview); [Manage Virtual WAN ΓÇô SD-WAN Cisco Meraki](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/zertiatelecomunicacionessl1615311863650.zertia-mvw-cisco-of101?tab=Overview)|||

+[Azure Site Recovery (Recovery Services vaults)](relocation-site-recovery.md)| ✅ | ✅| ❌ |

+ Title: Relocate Azure Recovery Vault and Site Recovery to another region

+description: Learn how to relocate an Azure Recovery Vault and Site Recovery to a new region

+ - subject-relocation

+# Relocate Azure Recovery Vault and Site Recovery to another region

+This article shows you how to relocate [Azure Recovery Vault and Site Recovery](../site-recovery/site-recovery-overview.md) when moving your workload to another region.

+

+One of the related resources you might want to relocate when you relocate your Azure VMs is your Recovery Services vault configuration.

+There's no first-class way to move an existing Recovery Services vault configuration from one region to another. This is because you configured your target region based on your source VM region. When you decide to change the source region, the previously existing configurations of the target region can't be reused and must be reset. This article defines the step-by-step process to reconfigure the disaster recovery setup and move it to a different region.

+## Prerequisites

+- Copy the details replication goal from the SourceRecovery Services vault.

+- Copy the details replication policy from the Source Recovery Services vault with the critical details such as:

+ - *RPO threshold* defines how often recovery points are created.

+ - *Recovery point retention* specifies how longer each recovery point is retained.

+ - *App-consistent snapshot frequency* specifies how often app-consistent snapshots are created.

+- Copy internal resources or settings of Azure Resource Vault.

+ - Network firewall reconfiguration

+ - Alert Notification.

+ - Move workbook if configured

+ - Diagnostic settings reconfiguration

+- List all Recovery Service Vault dependent resources. The most common dependencies are:

+ - Azure Virtual Machine (VM)

+ - Public IP address

+ - Azure Virtual Network

+ - Azure Recovery Service Vault

+- Determine network bandwidth need vs. RPO assessment

+ - Estimated network bandwidth thatΓÇÖs required for delta replication

+ - Throughput that Site Recovery can get from on-premises to Azure

+ - Number of VMs to batch, based on the estimated bandwidth to complete initial replication in a given amount of time

+ - RPO that can be achieved for a given bandwidth

+ - Impact on the desired RPO if lower bandwidth is provisioned

+- As it's a relocation of Recovery service vault, you must cross check the permission requirement in the current VMware vCenter server/VMware vSphere ESXi host during profiling.

+- Make sure that you remove and delete the Site Recovery configuration before you try to move the Azure VMs to a different region.

+ > [!NOTE]

+ > If your new target region for the Azure VM is the same as the Site Recovery target region, you can use your existing replication configuration and move it. Follow the steps in [Move Azure IaaS VMs to another Azure region](../site-recovery/azure-to-azure-tutorial-migrate.md).

+- Ensure that you're making an informed decision and that stakeholders are informed. Your VM won't be protected against disasters until the move of the VM is complete.

+## Identify Azure Site Recovery dependencies

+We recommend that you do this step before you proceed to the next one. It's easier to identify the relevant resources while the VMs are being replicated.

+For each Azure VM that's being replicated, go to **Protected Items** > **Replicated Items** > **Properties** and identify the following resources:

+- Target resource group

+- Cache storage account

+- Target storage account (in case of an unmanaged disk-based Azure VM)

+- Target network

+## Disable the existing disaster recovery configuration

+1. Go to the Recovery Services vault.

+2. In **Protected Items** > **Replicated Items**, right-click the machine and select **Disable replication**.

+3. Repeat this step for all the VMs that you want to move.

+> [!NOTE]

+> The mobility service won't be uninstalled from the protected servers. You must uninstall it manually. If you plan to protect the server again, you can skip uninstalling the mobility service.

+## Delete the resources

+1. Go to the Recovery Services vault.

+2. Select **Delete**.

+3. Delete all the other resources you [previously identified](#identify-azure-site-recovery-dependencies).

+

+## Relocate Azure VMs to the new target region

+Follow the steps in these articles based on your requirement to relocate Azure VMs to the target region:

+- [Move Azure VMs to another region](../site-recovery/azure-to-azure-tutorial-migrate.md)

+- [Move Azure VMs into Availability Zones](../site-recovery/move-azure-VMs-AVset-Azone.md)

+## Set up Site Recovery based on the new source region for the VMs

+Configure disaster recovery for the Azure VMs that were moved to the new region by following the steps in [Set up disaster recovery for Azure VMs](../site-recovery/azure-to-azure-tutorial-enable-replication.md).

+- [Generate Cluster CVE Report](#generate-cluster-cve-report)\

+ Command Name: `cluster-cve-report`\

+ Arguments: None

+### Generate Cluster CVE Report

+Vulnerability data is collected with the `cluster-cve-report` command and formatted as JSON to `{year}-{month}-{day}-nexus-cluster-vulnerability-report.json`. The JSON file is found in the data extract zip file located in the storage account. The data collected will include vulnerability data per container image in the cluster.

+This example executes the `cluster-cve-report` command without arguments.

+> [!NOTE]

+> The target machine must be a control-plane node or the action will not execute.

+```azurecli

+az networkcloud baremetalmachine run-data-extract --name "bareMetalMachineName" \

+ --resource-group "cluster_MRG" \

+ --subscription "subscription" \

+ --commands '[{"command":"cluster-cve-report"}]' \

+ --limit-time-seconds 600

+```

+__`cluster-cve-report` Output__

+```azurecli

+====Action Command Output====

+Nexus cluster vulnerability report saved.

+================================

+Script execution result can be found in storage account:

+https://cmkfjft8twwpst.blob.core.windows.net/bmm-run-command-output/20b217b5-ea38-4394-9db1-21a0d392eff0-action-bmmdataextcmd.tar.gz?se=2023-09-19T18%3A47%3A17Z&sig=ZJcsNoBzvOkUNL0IQ3XGtbJSaZxYqmtd%3D&sp=r&spr=https&sr=b&st=2023-09-19T14%3A47%3A17Z&sv=2019-12-12

+```

+__CVE Report Schema__

+```JSON

+{

+ "$schema": "http://json-schema.org/draft-07/schema#",

+ "title": "Vulnerability Report",

+ "type": "object",

+ "properties": {

+ "metadata": {

+ "type": "object",

+ "properties": {

+ "dateRetrieved": {

+ "type": "string",

+ "format": "date-time",

+ "description": "The date and time when the data was retrieved."

+ },

+ "platform": {

+ "type": "string",

+ "description": "The name of the platform."

+ },

+ "resource": {

+ "type": "string",

+ "description": "The name of the resource."

+ },

+ "runtimeVersion": {

+ "type": "string",

+ "description": "The version of the runtime."

+ },

+ "managementVersion": {

+ "type": "string",

+ "description": "The version of the management software."

+ },

+ "vulnerabilitySummary": {

+ "type": "object",

+ "properties": {

+ "criticalCount": {

+ "type": "integer",

+ "description": "Number of critical vulnerabilities."

+ },

+ "highCount": {

+ "type": "integer",

+ "description": "Number of high severity vulnerabilities."

+ },

+ "mediumCount": {

+ "type": "integer",

+ "description": "Number of medium severity vulnerabilities."

+ },

+ "lowCount": {

+ "type": "integer",

+ "description": "Number of low severity vulnerabilities."

+ },

+ "noneCount": {

+ "type": "integer",

+ "description": "Number of vulnerabilities with no severity."

+ },

+ "unknownCount": {

+ "type": "integer",

+ "description": "Number of vulnerabilities with unknown severity."

+ }

+ },

+ "required": ["criticalCount", "highCount", "mediumCount", "lowCount", "noneCount", "unknownCount"]

+ }

+ },

+ "required": ["dateRetrieved", "platform", "resource", "runtimeVersion", "managementVersion", "vulnerabilitySummary"]

+ },

+ "containers": {

+ "type": "object",

+ "additionalProperties": {

+ "type": "array",

+ "items": {

+ "type": "object",

+ "properties": {

+ "namespace": {

+ "type": "string",

+ "description": "The namespace of the container."

+ },

+ "digest": {

+ "type": "string",

+ "description": "The digest of the container image."

+ },

+ "os": {

+ "type": "object",

+ "properties": {

+ "family": {

+ "type": "string",

+ "description": "The family of the operating system."

+ }

+ },

+ "required": ["family"]

+ },

+ "summary": {

+ "type": "object",

+ "properties": {

+ "criticalCount": {

+ "type": "integer",

+ "description": "Number of critical vulnerabilities in this container."

+ },

+ "highCount": {

+ "type": "integer",

+ "description": "Number of high severity vulnerabilities in this container."

+ },

+ "lowCount": {

+ "type": "integer",

+ "description": "Number of low severity vulnerabilities in this container."

+ },

+ "mediumCount": {

+ "type": "integer",

+ "description": "Number of medium severity vulnerabilities in this container."

+ },

+ "noneCount": {

+ "type": "integer",

+ "description": "Number of vulnerabilities with no severity in this container."

+ },

+ "unknownCount": {

+ "type": "integer",

+ "description": "Number of vulnerabilities with unknown severity in this container."

+ }

+ },

+ "required": ["criticalCount", "highCount", "lowCount", "mediumCount", "noneCount", "unknownCount"]

+ },

+ "vulnerabilities": {

+ "type": "array",

+ "items": {

+ "type": "object",

+ "properties": {

+ "title": {

+ "type": "string",

+ "description": "Title of the vulnerability."

+ },

+ "vulnerabilityID": {

+ "type": "string",

+ "description": "Identifier of the vulnerability."

+ },

+ "fixedVersion": {

+ "type": "string",

+ "description": "The version in which the vulnerability is fixed."

+ },

+ "installedVersion": {

+ "type": "string",

+ "description": "The currently installed version."

+ },

+ "referenceLink": {

+ "type": "string",

+ "format": "uri",

+ "description": "Link to the vulnerability details."

+ },

+ "publishedDate": {

+ "type": "string",

+ "format": "date-time",

+ "description": "The date when the vulnerability was published."

+ },

+ "score": {

+ "type": "number",

+ "description": "The CVSS score of the vulnerability."

+ },

+ "severity": {

+ "type": "string",

+ "description": "The severity level of the vulnerability."

+ },

+ "resource": {

+ "type": "string",

+ "description": "The resource affected by the vulnerability."

+ },

+ "target": {

+ "type": "string",

+ "description": "The target of the vulnerability."

+ },

+ "packageType": {

+ "type": "string",

+ "description": "The type of the package."

+ },

+ "exploitAvailable": {

+ "type": "boolean",

+ "description": "Indicates if an exploit is available for the vulnerability."

+ }

+ },

+ "required": ["title", "vulnerabilityID", "fixedVersion", "installedVersion", "referenceLink", "publishedDate", "score", "severity", "resource", "target", "packageType", "exploitAvailable"]

+ }

+ }

+ },

+ "required": ["namespace", "digest", "os", "summary", "vulnerabilities"]

+ }

+ }

+ }

+ },

+ "required": ["metadata", "containers"]

+}

+```

+__CVE Data Details__

+The CVE data is refreshed per container image every 24-hours based on Kubernetes resource instantiation or whenever there is a change to the Kubernetes resource referencing the image (whichever occurs first).

+In order to create the cluster this way, you need to provide a template file (cluster.jsonc) and a parameter file (cluster.parameters.jsonc).

+[cluster.jsonc](./cluster-jsonc-example.md) ,

+The Cluster deployment is in-progress when detailedStatus is set to `Deploying` and detailedStatusMessage shows the progress of deployment.

+## Delete a cluster

+When deleting a cluster, it will delete the resources in Azure and the cluster that resides in the on-premises environment.

+>[!NOTE]

+>If there are any tenant resources that exist in the cluster, it will not be deleted until those resources are deleted.

+```azurecli

+az networkcloud cluster delete --name "$CLUSTER_NAME" --resource-group "$CLUSTER_RG"

+```

+- Local path storage

+> The introduction of this capability enables auto-rotation for existing instances. If any of the supported credentials have not been rotated within the last 60 days, they will be rotated at the time of upgrade.

+- Type of credential that needs to be rotated.

+- Provide the Customer Key Vault ID where rotated credentials are written.

+ Title: Cloud NGFW for Azure deployment behind Azure Application Gateway

+description: This article describes how to use Azure Application Gateway with Cloud NGFW for Azure by Palo Alto Networks to help secure web applications.

+# Cloud NGFW for Azure deployment behind Azure Application Gateway

+This article describes a recommended architecture for deploying Cloud NGFW for Azure by Palo Alto Networks behind Azure Application Gateway. Cloud NGFW for Azure is a next-generation firewall that's delivered as an Azure Native ISV Service. You can find Cloud NGFW for Azure in Azure Marketplace and consume it in your Azure Virtual Network and Azure Virtual WAN instances.

+With Cloud NGFW for Azure, you can access core firewall capabilities from Palo Alto Networks, such as App-ID and Advanced URL Filtering. It provides threat prevention and detection through cloud-delivered security services and threat prevention signatures. The deployment model in this article uses the reverse proxy and web application firewall (WAF) functionality of Application Gateway by using the network security capabilities of Cloud NGFW for Azure.

+For more information about Cloud NGFW for Azure, see [What is Cloud NGFW by Palo Alto Networks - an Azure Native ISV Service?](palo-alto-overview.md).

+## Architecture

+Cloud NGFW for Azure helps secure inbound, outbound, and lateral traffic that traverses a hub virtual network or a virtual WAN hub.

+To help secure ingress connections, a Cloud NGFW for Azure resource supports Destination Network Address Translation (DNAT) configurations. Cloud NGFW for Azure accepts client connections on one or more of the configured public IP addresses and performs the address translation and traffic inspection. It also enforces user-configured security policies.

+For web applications, you benefit from using Application Gateway as both a reverse proxy and a load balancer. This combination offers the best security when you want to secure both web-based and nonweb workloads in Azure and on-premises ingress connections. Cloud NGFW for Azure allows the use of a single public IP address of Application Gateway to proxy the HTTP and HTTPS connections to many web application back ends. Any non-HTTP connections should be directed through the Cloud NGFW for Azure public IP address for inspection and policy enforcement.

+Application Gateway also offers WAF capabilities to look for patterns that indicate an attack at the web application layer. For more information about Application Gateway features, see the [service documentation](/azure/application-gateway).

+Cloud NGFW for Azure supports two deployment architectures:

+- Hub-and-spoke virtual network

+- Virtual WAN

+The following sections describe the details and the required configuration to implement this architecture in Azure.

+### Hub virtual network

+This deployment allocates two subnets in the hub virtual network. The Cloud NGFW for Azure resource is provisioned into the hub virtual network.

+Application Gateway is deployed in a dedicated virtual network with a front end listening on a public IP address. The back-end pool targets the workloads that serve the web application; in this example, a virtual machine in a spoke virtual network with an IP address of 192.168.1.0/24.

+Similar to spoke virtual networks, the Application Gateway virtual network must be peered with the hub virtual network to ensure that the traffic can be routed toward the destination spoke virtual network.

+To force incoming web traffic through the Cloud NGFW for Azure resource, you must create a user-defined route and associate it with the Application Gateway subnet. The next hop in this case is the private IP address of Cloud NGFW for Azure. You can find this address by selecting **Overview** from the resource menu in the Azure portal.

+Here's an example user-defined route:

+- Address prefix: 192.168.1.0/24

+- Next hop type: virtual appliance

+- Next hop IP address: 172.16.1.132

+After you deploy and configure the infrastructure, you must apply a security policy to Cloud NGFW for Azure that allows the connection from the Application Gateway virtual network. Application Gateway proxies the client's TCP connection and creates a new connection to the destination specified in the back-end target. The source IP of this connection is the private IP address from the Application Gateway subnet. Configure the security policy accordingly, by using the Application Gateway virtual network prefix to ensure that it's treated as the inbound flow. The original source IP of the client isn't preserved at layer 3.

+Nonweb traffic can continue using the public IP addresses and DNAT rules in Cloud NGFW for Azure.

+### Virtual WAN

+Securing a virtual WAN hub by using a Palo Alto Networks software as a service (SaaS) solution is the most effective and easiest way to guarantee that your virtual WAN has a consistent security policy applied across the entire deployment.

+You must configure a routing intent and a routing policy to use a Cloud NGFW for Azure resource as a next hop for public or private traffic. Any connected spoke virtual network, VPN gateway, or Azure ExpressRoute gateway then gets the routing information to send the traffic through the Cloud NGFW for Azure resource.

+By default, the virtual network connection to the hub has the **Propagate Default Route** option set to **Enabled**. This setting installs a 0.0.0.0/0 route to force all nonmatched traffic sourced from that virtual network to go through the virtual WAN hub. In this topology, this setting would result in asymmetric routing because the return traffic proxied by Application Gateway would go back to the virtual hub instead of the internet. When you're connecting the Application Gateway virtual network to the virtual WAN hub, set this attribute to **Disabled** to allow the Application Gateway-sourced traffic to break out locally.

+In some cases, disabling the default route propagation might not be desirable. An example is when other applications or workloads are hosted in the Application Gateway virtual network and require the inspection by Cloud NGFW for Azure. In this case, you can enable the default route propagation but add a 0.0.0.0/0 route to the Application Gateway subnet to override the default route received from the hub. An explicit route to the application virtual network is also required.

+You can locate the next hop IP address of Cloud NGFW for Azure by viewing the effective routes of a workload in a spoke virtual network. The following example shows the effective routes for a virtual machine network interface.

+## Security policy considerations

+### Azure rulestacks

+You can use Azure rulestacks to configure security rules and apply security profiles in the Azure portal or through the API. When you're implementing the preceding architecture, configure the security rules by using Palo Alto Networks App-ID, Advanced Threat Prevention, Advanced URL Filtering, DNS Security, and [Cloud-Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions).

+For more information, see [Cloud NGFW Native Policy Management Using Rulestacks](https://docs.paloaltonetworks.com/cloud-ngfw/azure/cloud-ngfw-for-azure/native-policy-management).

+> [!NOTE]

+> Use of the X-Forwarded-For (XFF) HTTP header field to enforce security policy is currently not supported with Azure rulestacks.

+### Panorama

+When you manage Cloud NGFW for Azure resources by using Panorama, you can use existing and new policy constructs such as template stacks, zones, and vulnerability profiles. You can configure the Cloud NGFW for Azure security policies between the two zones: private and public. Inbound traffic goes from public to private, outbound traffic goes from private to public, and east-west traffic goes from private to private.

+The ingress traffic that comes through Application Gateway is forwarded through the private zone to the Cloud NGFW for Azure resource for inspection and security policy enforcement.

+You need to apply special considerations to zone-based policies to ensure that the traffic coming from Application Gateway is treated as inbound. These policies include security rules, threat prevention profiles, and inline cloud analysis. The traffic is treated as private-to-private because Application Gateway proxies it, and it's sourced through the private IP address from the Application Gateway subnet.

+## Related content

+- [Cloud NGFW for Azure](https://docs.paloaltonetworks.com/cloud-ngfw/azure/cloud-ngfw-for-azure) (documentation from Palo Alto Networks)

+- [Zero-trust network for web applications with Azure Firewall and Application Gateway](/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall)

+- [Firewall and Application Gateway for virtual networks](/azure/architecture/example-scenario/gateway/firewall-application-gateway)

+- [Configure Palo Alto Networks Cloud NGFW in Virtual WAN](/azure/virtual-wan/how-to-palo-alto-cloud-ngfw)

+In this section, you see how create a Palo Alto Networks resource.

+1. After reviewing all the information, select **Create**. Azure now deploys the Cloud NGFW by Palo Alto Networks.

+ | **Value** | Paste the GitHub personal access token you copied previously. |

+ | **Value** | Paste the GitHub personal access token you copied previously. |

+## Azure Policy Support

+[Azure Policy](../../governance/policy/overview.md) helps to enforce organizational standards and to assess compliance at-scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to the per-resource, per-policy granularity. It also helps to bring your resources to compliance through bulk remediation for existing resources and automatic remediation for new resources.

+### Built-in Policy Definitions

+Built-in policies are developed and tested by Microsoft, ensuring they meet common standards and best practices, an be deployed quickly without the need for additional configuration, making them ideal for standard compliance requirements. Built-in policies often cover widely recognized standards and compliance frameworks.

+The section below provides an index of Azure Policy built-in policy definitions for Azure Database for PostgreSQL - Flexible Server. Use the link in the Source column to view the source on the Azure Policy GitHub repo.

+|**Name (Azure Portal)**|**Description**|**Effect(s)**|**Version(GitHub)**|

+|--||-|-|

+|[A Microsoft Entra administrator should be provisioned for PostgreSQL flexible servers](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fce39a96d-bf09-4b60-8c32-e85d52abea0f)|Audit provisioning of a Microsoft Entra administrator for your PostgreSQL flexible server to enable Microsoft Entra authentication. Microsoft Entra authentication enables simplified permission management and centralized identity management of database users and other Microsoft services|AuditIfNotExists, Disabled|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/PostgreSQL/FlexibleServers_ProvisionEntraAdmin_AINE.json)|

+|[Auditing with PgAudit should be enabled for PostgreSQL flexible servers](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4eb5e667-e871-4292-9c5d-8bbb94e0c908)|This policy helps audit any PostgreSQL flexible servers in your environment, which isn't enabled to use pgaudit.|AuditIfNotExists, Disabled|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/PostgreSQL/FlexibleServers_EnablePgAudit_AINE.json)|

+|[Connection throttling should be enabled for PostgreSQL flexible servers](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdacf07fa-0eea-4486-80bc-b93fae88ac40)|This policy helps audit any PostgreSQL flexible servers in your environment without Connection throttling enabled. This setting enables temporary connection throttling per IP for too many invalid password login failures|AuditIfNotExists, Disabled|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/PostgreSQL/FlexibleServers_ConnectionThrottling_Enabled_AINE.json)|

+|[Deploy Diagnostic Settings for PostgreSQL flexible servers to Log Analytics workspace](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F78ed47da-513e-41e9-a088-e829b373281d)|Deploys the diagnostic settings for PostgreSQL flexible servers to stream to a regional Log Analytics workspace when any PostgreSQL flexible servers, which is missing this diagnostic setting is created or updated|DeployIfNotExists, Disabled|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/PostgreSQL/FlexibleServers_DiagnosticSettings_LogAnalytics_DINE.json)|

+|[Disconnections should be logged for PostgreSQL flexible servers](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1d14b021-1bae-4f93-b36b-69695e14984a)|This policy helps audit any PostgreSQL flexible servers in your environment without log_disconnections enabled|AuditIfNotExists, Disabled|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/PostgreSQL/FlexibleServers_EnableLogDisconnections_AINE.json)|

+|[Enforce SSL connection should be enabled for PostgreSQL flexible servers](https://ms.portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc29c38cb-74a7-4505-9a06-e588ab86620a)|Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL flexible server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database flexible server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your PostgreSQL flexible server|AuditIfNotExists, Disabled|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/PostgreSQL/FlexibleServers_EnableSSL_AINE.json)|

+|[Geo-redundant backup should be enabled for Azure Database for PostgreSQL flexible servers](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcee2f9fd-3968-44be-a863-bd62c9884423)|Azure Database for PostgreSQL flexible servers allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create|Audit, Disabled|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/PostgreSQL/FlexibleServers_GeoRedundant_Audit.json)|

+|[Log checkpoints should be enabled for PostgreSQL flexible servers](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F70be9e12-c935-49ac-9bd8-fd64b85c1f87)|This policy helps audit any PostgreSQL flexible servers in your environment without log_checkpoints setting enabled|AuditIfNotExists, Disabled|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/PostgreSQL/FlexibleServers_EnableLogCheckpoint_AINE.json)|

+|[Log connections should be enabled for PostgreSQL flexible servers](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F086709ac-11b5-478d-a893-9567a16d2ae3)|This policy helps audit any PostgreSQL flexible servers in your environment without log_connections setting enabled|AuditIfNotExists, Disabled|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/PostgreSQL/FlexibleServers_EnableLogConnections_AINE.json)|

+|[PostgreSQL FlexIble servers should use customer-managed keys to encrypt data at rest](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F12c74c95-0efd-48da-b8d9-2a7d68470c92)|Use customer-managed keys to manage the encryption at rest of your PostgreSQL flexible servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management|Audit, Deny, Disabled|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/PostgreSQL/FlexibleServers_EnableCMK_AINE.json)|

+|[PostgreSQL flexible servers should be running TLS version 1.2 or newer](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa43d5475-c569-45ce-a268-28fa79f4e87a)|This policy helps audit any PostgreSQL flexible servers in your environment, which is running with TLS version less than 1.2|AuditIfNotExists, Disabled|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/PostgreSQL/FlexibleServers_MinTLS_AINE.json)|

+|[Private endpoint should be enabled for PostgreSQL flexible servers](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5375a5bb-22c6-46d7-8a43-83417cfb4460)|Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure|AuditIfNotExists, Disabled|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/PostgreSQL/FlexibleServers_EnablePrivateEndPoint_AINE.json)|

+### Custom Policy Definitions

+Custom policies can be precisely tailored to match the specific requirements of your organization, including unique security policies or compliance mandates. With custom policies you have complete control over the policy logic and parameters, allowing for sophisticated and fine-grained policy definitions.

+| [Azure Event Hubs](./reliability-event-hubs.md#availability-zone-support) |  |

+|Azure Event Hubs| [Reliability in Event Hubs](./reliability-event-hubs.md)| [Reliability in Event Hubs](./reliability-event-hubs.md) |

+ Title: Reliability in Azure Event Hubs

+description: Learn about reliability in Azure Event Hubs.

+<!--#Customer intent: I want to understand reliability support in Azure Event Hubs so that I can respond to and/or avoid failures in order to minimize downtime and data loss. -->

+# Reliability in Azure Event Hubs

+This article describes reliability support in [Azure Event Hubs](../event-hubs/event-hubs-about.md), and covers both intra-regional resiliency with [availability zones](#availability-zone-support) and [cross-region disaster recovery and business continuity](#cross-region-disaster-recovery-and-business-continuity). For a more detailed overview of reliability principles in Azure, see [Azure reliability](/azure/architecture/framework/resiliency/overview).

+## Availability zone support

+Event Hubs implements transparent failure detection and failover mechanisms so that, when failure occurs, the service continues to operate within the assured service-levels and without noticeable interruptions. If you create an Event Hubs namespace in a region that supports availability zones, [zone redundancy](./availability-zones-overview.md#zonal-and-zone-redundant-services) is automatically enabled. With zone-redundancy, fault tolerance is increased and the service has enough capacity reserves to cope with the outage of an entire facility. Both metadata and data (events) are replicated across data centers in each zone.

+### Prerequisites

+Availability zone support is only available in [Azure regions with availability zones](./availability-zones-service-support.md).

+### Create a resource with availability zones enabled

+When you use the Azure portal, zone redundancy is automatically enabled. When you create a namespace, you see the following highlighted message when you select a region that supports availability zones.

+### Disable availability zones

+The Azure portal doesn't support disabling availability zones. To disable availability zones, use one of the following methods:

+- Azure CLI command [`az eventhubs namespace`](/cli/azure/eventhubs/namespace#az-eventhubs-namespace-create) with `--zone-redundant=false`

+- PowerShell command [`New-AzEventHubNamespace`](/powershell/module/az.eventhub/new-azeventhubnamespace) with `-ZoneRedundant=false` to create a namespace with zone redundancy disabled.

+### Availability zone migration

+When you create availability zones in a region that supports them, availability zones are automatically enabled. If you wish to learn how to move your Event Hub to a new region that supports availability zones, see

+[Relocate Event Hubs to another region](../operational-excellence/relocation-event-hub.md).

+### Pricing

+Need Info. Any pricing considerations when using availability zones?

+## Cross-region disaster recovery and business continuity

+The all-active Azure Event Hubs cluster model with availability zone support provides resiliency against hardware and datacenter outages. However, if a disaster where an entire region and all zones are unavailable, you can use Geo-disaster recovery to recover your workload and application configuration.

+There are two features that provide geo-disaster recovery in Azure Event Hubs.

+- **Geo-disaster recovery (Metadata DR)**, which just provides replication of only metadata.

+

+ Geo-Disaster recovery ensures that the entire configuration of a namespace (Event Hubs, Consumer Groups, and settings) is continuously replicated from a primary namespace to a secondary namespace when paired.

+

+ The Geo-disaster recovery feature of Azure Event Hubs is a disaster recovery solution. The concepts and workflow described in this article apply to disaster scenarios, and not to temporary outages. For a detailed discussion of disaster recovery in Microsoft Azure, see [this article](/azure/architecture/resiliency/disaster-recovery-azure-applications).

+

+ With Geo-Disaster recovery, you can initiate a once-only failover move from the primary to the secondary at any time. The failover move points the chosen alias name for the namespace to the secondary namespace. After the move, the pairing is then removed. The failover is nearly instantaneous once initiated.

+ For detailed information, as well as samples and further documentation, on Geo-Disaster recovery in Event Hubs, see [Azure Event Hubs - Geo-disaster recovery](../event-hubs/event-hubs-geo-dr.md).

+- **Geo-replication (public preview)**, which provides replication of both metadata and data, replicates configuration information and all of the data from a primary namespace to one, or more secondary namespaces. When a failover is performed, the selected secondary becomes the primary and the previous primary becomes a secondary. Users can perform a failover back to the original primary when desired.

+ For detailed information, as well as samples and further documentation, on Geo-replication in Event Hubs, see [Geo-replication ](../event-hubs/geo-replication.md).

+## Next steps

+- [Reliability in Azure](./overview.md)

+All of the above resources must have public access enabled for the portal nodes to be able to access them. Otherwise, the wizard fails. After the wizard runs, firewalls and private endpoints can be enabled on the different integration components for security. For more information, see [Secure connections in the import wizards](search-import-data-portal.md#secure-connections).

+ Azure Storage must be a standard performance (general-purpose v2) account. Access tiers can be hot, cool, and cold. Don't use ADLS Gen2 (a storage account with a hierarchical namespace). ADLS Gen2 isn't supported with this version of the wizard.

+All of the above resources must have public access enabled for the portal nodes to be able to access them. Otherwise, the wizard fails. After the wizard runs, firewalls and private endpoints can be enabled on the different integration components for security. For more information, see [Secure connections in the import wizards](search-import-data-portal.md#secure-connections).

+For this quickstart, which uses built-in sample data, make sure the search service doesn't have [network access controls](service-configure-firewall.md) in place. The portal controller uses the public endpoint to retrieve data and metadata from the built-in sample data source hosted by Microsoft. For more information, see [Secure connections in the import wizards](search-import-data-portal.md#secure-connections).

+The wizard creates a data source connection to sample data hosted by Microsoft on Azure Cosmos DB. This sample data is retrieved accessed over a public endpoint. You don't need your own Azure Cosmos DB account or source files to run this quickstart.

+ Title: Import wizards in Azure portal

+description: Learn about the import wizards in the Azure portal used to create and load an index, and optionally invoke applied AI for vectorization, natural language processing, translation, OCR, and image analysis.

+# Import wizards in Azure AI Search

+Azure AI Search has two import wizards that automate indexing and object definitions so that you can begin querying immediately. If you're new to Azure AI Search, these wizards are one of the most powerful features at your disposal. With minimal effort, you can create an indexing or enrichment pipeline that exercises most of the functionality of Azure AI Search.

+The **Import data wizard** supports nonvector workflows. You can extract alphanumeric text from raw documents. You can also configure applied AI and built-in skills that infer structure and generate text searchable content from image files and unstructured data.

+The **Import and vectorize data wizard** supports vectorization. You must specify an existing deployment of an embedding model, but the wizard makes the connection, formulates the request, and handles the response. It generates vector content from text or image content.

+If you're using the wizard for proof-of-concept testing, this article explains the internal workings of the wizards so that you can use them more effectively.

+This article isn't a step by step. For help with using the wizard with built-in sample data see:

+## Starting the wizards

+In the [Azure portal](https://portal.azure.com), open the search service page from the dashboard or [find your service](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Search%2FsearchServices) in the service list.

+In the service Overview page at the top, select **Import data** or **Import and vectorize data**.

+The wizards open fully expanded in the browser window so that you have more room to work.

+The wizard outputs the objects in the following table. After the objects are created, you can review their JSON definitions in the portal or call them from code.

+| [Skillset](/rest/api/searchservice/skillsets/create) | Optional. A complete set of instructions for manipulating, transforming, and shaping content, including analyzing and extracting information from image files. Skillsets are also used for integrated vectorization. Unless the volume of work fall under the limit of 20 transactions per indexer per day, the skillset must include a reference to an Azure AI multiservice resource that provides enrichment. For integrated vectorization, you can use either Azure AI Vision or an embedding model in the Azure AI Studio model catalog. |

+| [Knowledge store](knowledge-store-concept-intro.md) | Optional. Stores output from in tables and blobs in Azure Storage for independent analysis or downstream processing in nonsearch scenarios. |

+## Benefits

+Before writing any code, you can use the wizards for prototyping and proof-of-concept testing. The wizards connect to external data sources, sample the data to create an initial index, and then import and optionally vectorize the data as JSON documents into an index on Azure AI Search.

+If you're evaluating skillsets, the wizard handles output field mappings and adds helper functions to create usable objects. Text split is added if you specify a parsing mode. Text merge is added if you chose image analysis so that the wizard can reunite text descriptions with image content. Shaper skills added to support valid projections if you chose the knowledge store option. All of the above tasks come with a learning curve. If you're new to enrichment, the ability to have these steps handled for you allows you to measure the value of a skill without having to invest much time and effort.

+Overall, the advantages of using the wizard are clear: as long as requirements are met, you can create a queryable index within minutes. Some of the complexities of indexing, such as serializing data as JSON documents, are handled by the wizard.

+## Limitations

+## Secure connections

+The import wizards make outbound connections using the portal controller and public endpoints. You can't use the wizards if Azure resources are accessed over a private connection or through a shared private link.

+You can use the wizards over restricted public connections, but not all functionality is available.

+ Sample data is hosted by Microsoft on specific Azure resources. The portal controller connects to those resources over a public endpoint. If you put your search service behind a firewall, you get this error when attempting to retrieve the builtin sample data: `Import configuration failed, error creating Data Source`, followed by `"An error has occured."`.

+ The Azure resource must admit network requests from the IP address of the device used on the connection. You should also list Azure AI Search as a trusted service on the resource's network configuration. For example, in Azure Storage, you can list `Microsoft.Search/searchServices` as a trusted service.

+ + In the **Import and vectorize data** wizard, the error is `"Access denied due to Virtual Network/Firewall rules."`

+ + In the **Import data** wizard, there's no error, but the skillset won't be created.

+If firewall settings prevent your wizard workflows from succeeding, consider scripted or programmatic approaches instead.

+1. Optionally, add applied AI to extract or generate content and structure. Inputs for creating a knowledge store are collected in this step.

+1. Run the wizard to create objects, optionally vectorize data, load data into an index, set a schedule and other configuration options.

+The wizards connect to an external [supported data source](search-indexer-overview.md#supported-data-sources) using the internal logic provided by Azure AI Search indexers, which are equipped to sample the source, read metadata, crack documents to read content and structure, and serialize contents as JSON for subsequent import to Azure AI Search.

+Skillset configuration occurs after the data source definition because the type of data source informs the availability of certain built-in skills. In particular, if you're indexing files from Blob storage, your choice of parsing mode of those files determine whether sentiment analysis is available.

+The wizard adds the skills you choose. It also adds other skills that are necessary for achieving a successful outcome. For example, if you specify a knowledge store, the wizard adds a Shaper skill to support projections (or physical data structures).

+The wizards sample your data source to detect the fields and field type. Depending on the data source, it might also offer fields for indexing metadata.

+ The default is *Standard Lucene* but you could choose *Microsoft English* if you wanted to use Microsoft's analyzer for advanced lexical processing, such as resolving irregular noun and verb forms. Only language analyzers can be specified in the portal. If you use a custom analyzer or a non-language analyzer like Keyword, Pattern, and so forth, you must create it programmatically. For more information about analyzers, see [Add language analyzers](search-language-support.md).

+The best way to understand the benefits and limitations of the wizard is to step through it. Here's a quickstart that explains each step.

+Key-based authentication is the default. You can replace it with [role-based access](search-security-enable-roles.md), which eliminates the need for hardcoded keys in your code.

+If you want to use roles for authorized access to Azure AI Search, this article explains how to enable role-based access control for your search service.

+Azure provides a global authentication and [role-based authorization system](../role-based-access-control/role-assignments-portal.yml) for all services running on the platform. In Azure AI Search, you can assign Azure roles for:

+1. [Find your search service](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Search%2FsearchServices).

+1. On the leftmost pane, under **Access control (IAM)**, select **Identity**.

+1. Select **Add** and then select **Add role assignment**.

+1. On the **Roles** page:

+ + Select **Search Index Data Contributor** to load a search index with vectors generated by an embedding model. Choose this role if you intend to use integrated vectorization during indexing.

+ + Or, select **Search Index Data Reader** to provide queries with a vector generated by an embedding model. The embedding used in a query isn't written to an index, so no write permissions are required.

+1. Select **Next**.

+1. On the **Members** page, select **Managed identity** and **Select members**.

+1. Filter by system-managed identity and then select the managed identity of your Azure AI multiservice account.

+> These features are in public preview under [Supplemental Terms of Use](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). The [2024-03-01-preview REST API](/rest/api/searchservice/operation-groups?view=rest-searchservice-2024-03-01-preview&preserve-view=true) and later preview APIs provide the new data types, vector compression properties, and the `stored` property. We recommend using the latest preview APIs.

+The `stored` property is a new boolean on a vector field definition that determines whether storage is allocated for retrievable vector field content. The `stored` property is set to true by default. If you don't need vector content in a query response, you can save up to 50 percent storage per field by setting `stored` to false.

+When evaluating whether to set this property, consider whether you need vectors in the response. Because vectors aren't human readable, they're typically omitted in a query response that's rendered on a search page. However, if you're using vectors in downstream processing, such as passing query results to a model or process that consumes vector content, you should keep `stored` set to true and choose a different technique for minimizing vector size.

+Remember that the `stored` attribution is irreversible. It's set during index creation on vector fields when physical data structures are created. If you want retrievable vector content later, you must drop and rebuild the index, or create and load a new field that has the new attribution.

+ PUT https://[service-name].search.windows.net/indexes/[index-name]?api-version=2024-05-01-previewΓÇ»

+POST https://[service-name].search.windows.net/indexes/[index-name]/docs/search?api-version=2024-05-01-Preview  

+- [CrowdStrike Falcon Adversary Intelligence (using Azure Functions)](data-connectors/crowdstrike-falcon-adversary-intelligence.md)

+ Title: "CrowdStrike Falcon Adversary Intelligence (using Azure Functions) connector for Microsoft Sentinel"

+description: "Learn how to install the connector CrowdStrike Falcon Adversary Intelligence (using Azure Functions) to connect your data source to Microsoft Sentinel."

+# CrowdStrike Falcon Adversary Intelligence (using Azure Functions) connector for Microsoft Sentinel

+The [CrowdStrike](https://www.crowdstrike.com/) Falcon Indicators of Compromise connector retrieves the Indicators of Compromise from the Falcon Intel API and uploads them [Microsoft Sentinel Threat Intel](/azure/sentinel/understand-threat-intelligence).

+This is autogenerated content. For changes, contact the solution provider.

+## Connector attributes

+| Connector attribute | Description |

+| | |

+| **Azure function app code** | https://aka.ms/sentinel-CrowdStrikeFalconAdversaryIntelligence-Functionapp |

+| **Log Analytics table(s)** | IndicatorsOfCompromise<br/> |

+| **Data collection rules support** | Not currently supported |

+| **Supported by** | [Microsoft Corporation](https://support.microsoft.com) |

+## Query samples

+**Threat Intel - Crowdstrike Indicators of Compromise**

+ ```kusto

+ThreatIntelligenceIndicator

+

+ | where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'

+

+ | sort by TimeGenerated desc

+ ```

+## Prerequisites

+To integrate with CrowdStrike Falcon Adversary Intelligence (using Azure Functions) make sure you have:

+- **Microsoft.Web/sites permissions**: Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](/azure/azure-functions/).

+- **CrowdStrike API Client ID and Client Secret**: **CROWDSTRIKE_CLIENT_ID**, **CROWDSTRIKE_CLIENT_SECRET**, **CROWDSTRIKE_BASE_URL**. CrowdStrike credentials must have Indicators (Falcon Intelligence) read scope.

+## Vendor installation instructions

+**STEP 1 - [Generate CrowdStrike API credentials](https://www.crowdstrike.com/blog/tech-center/get-access-falcon-apis/).**

+Make sure 'Indicators (Falcon Intelligence)' scope has 'read' selected

+**STEP 2 - [Register an Entra App](/entra/identity-platform/quickstart-register-app) with client secret.**

+Provide the Entra App principal with 'Microsoft Sentinel Contributor' role assignment on the respective log analytics workspace. [How to assign roles on Azure](/azure/role-based-access-control/role-assignments-portal).

+**STEP 3 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**

+> [!IMPORTANT]

+> Before deploying the CrowdStrike Falcon Indicator of Compromise connector, have the Workspace ID (can be copied from the following).

+Option 1 - Azure Resource Manager (ARM) Template

+Use this method for automated deployment of the CrowdStrike Falcon Adversary Intelligence connector using an ARM template.

+1. Select the following **Deploy to Azure** button.

+ [](https://aka.ms/sentinel-CrowdStrikeFalconAdversaryIntelligence-azuredeploy)

+2. Provide the following parameters: CrowdStrikeClientId, CrowdStrikeClientSecret, CrowdStrikeBaseUrl, WorkspaceId, TenantId, Indicators, AadClientId, AadClientSecret, LookBackDays

+Option 2 - Manual Deployment of Azure Functions

+Use the following step-by-step instructions to deploy the CrowdStrike Falcon Adversary Intelligence connector manually with Azure Functions (Deployment via Visual Studio Code).

+**1. Deploy a Function App**

+You need to [prepare VS Code](/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.

+1. Download the [Azure Function App](https://aka.ms/sentinel-CrowdStrikeFalconAdversaryIntelligence-Functionapp) file. Extract archive to your local development computer.

+2. Start VS Code. Choose File in the main menu and select Open Folder.

+3. Select the top level folder from extracted files.

+4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.

+If you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**

+If you're already signed in, go to the next step.

+5. Provide the following information at the prompts:

+ a. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.

+ b. **Select Subscription:** Choose the subscription to use.

+ c. Select **Create new Function App in Azure** (Don't choose the Advanced option)

+ d. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CrowdStrikeFalconIOCXXXXX).

+ e. **Select a runtime:** Choose Python 3.9.

+ f. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.

+6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.

+7. Go to Azure portal for the Function App configuration.

+**2. Configure the Function App**

+1. In the Function App, select the Function App Name and select **Configuration**.

+2. In the **Application settings** tab, select **New application setting**.

+3. Add each of the following application settings individually, with their respective string values (case-sensitive):

+ - CROWDSTRIKE_CLIENT_ID

+ - CROWDSTRIKE_CLIENT_SECRET

+ - CROWDSTRIKE_BASE_URL

+ - TENANT_ID

+ - INDICATORS

+ - WorkspaceKey

+ - AAD_CLIENT_ID

+ - AAD_CLIENT_SECRET

+ - LOOK_BACK_DAYS

+ - WORKSPACE_ID

+4. Once all application settings are entered, select **Save**.

+## Next steps

+For more information, go to the [related solution](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/azuresentinel.azure-sentinel-solution-crowdstrikefalconep?tab=Overview) in the Azure Marketplace.

+## Prerequisites

+SAP HANA logs are sent over Syslog. Make sure that your AMA agent or your Log Analytics agent (legacy) is configured to collect Syslog files. For more information, see:

+For more information, see [Ingest syslog and CEF messages to Microsoft Sentinel with the Azure Monitor Agent](../connect-cef-syslog-ama.md).

+1. Sign into your HANA database operating system as a user with sudo privileges.

+1. Install an agent on your machine and confirm that your machine is connected. For more information, see:

+ - [Azure Monitor Agent](/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal)

+ - [Log Analytics Agent](../../azure-monitor/agents/agent-linux.md) (legacy)

+1. Configure your agent to collect Syslog data. For more information, see:

+ - [Azure Monitor Agent](/azure/azure-monitor/agents/data-collection-syslog)

+ - [Log Analytics Agent](/azure/azure-monitor/agents/data-sources-syslog) (legacy)

+ > Because the facilities where HANA database events are saved can change between different distributions, we recommend that you add all facilities. Check them against your Syslog logs, and then remove any that aren't relevant.

+## Verify your configuration

+In Microsoft Sentinel, check to confirm that HANA database events are now shown in the ingested logs. For example, run the following query:

+```Kusto

+//generated function structure for custom log Syslog

+// generated on 2024-05-07

+let D_Syslog = datatable(TimeGenerated:datetime

+,EventTime:datetime

+,Facility:string

+,HostName:string

+,SeverityLevel:string

+,ProcessID:int

+,HostIP:string

+,ProcessName:string

+,Type:string

+)['1000-01-01T00:00:00Z', '1000-01-01T00:00:00Z', 'initialString', 'initialString', 'initialString', 'initialString',1,'initialString', 'initialString', 'initialString'];

+let T_Syslog = (Syslog | project

+TimeGenerated = column_ifexists('TimeGenerated', '1000-01-01T00:00:00Z')

+,EventTime = column_ifexists('EventTime', '1000-01-01T00:00:00Z')

+,Facility = column_ifexists('Facility', 'initialString')

+,HostName = column_ifexists('HostName', 'initialString')

+,SeverityLevel = column_ifexists('SeverityLevel', 'initialString')

+,ProcessID = column_ifexists('ProcessID', 1)

+,HostIP = column_ifexists('HostIP', 'initialString')

+,ProcessName = column_ifexists('ProcessName', 'initialString')

+,Type = column_ifexists('Type', 'initialString')

+);

+T_Syslog | union isfuzzy= true (D_Syslog | where TimeGenerated != '1000-01-01T00:00:00Z')

+```

+## Add analytics rules for SAP HANA

+Use the following built-in analytics rules to have Microsoft Sentinel start triggering alerts on related SAP HANA activity:

+- **SAP - (PREVIEW) HANA DB -Assign Admin Authorizations**

+- **SAP - (PREVIEW) HANA DB -Audit Trail Policy Changes**

+- **SAP - (PREVIEW) HANA DB -Deactivation of Audit Trail**

+- **SAP - (PREVIEW) HANA DB -User Admin actions**

+For more information, see [Microsoft Sentinel solution for SAP® applications: security content reference](sap-solution-security-content.md).

+## Related content

+> [!WARNING]

+> As of 31 October 2024, TLS 1.0 and TLS 1.1 will no longer be supported on Azure. [TLS 1.0 and TLS 1.1 end of support announcement](https://azure.microsoft.com/updates/azure-support-tls-will-end-by-31-october-2024-2/) The minimum TLS version will be 1.2 for all Service Bus deployments.

+> [!IMPORTANT]

+> On 31 October 2024, TLS 1.3 will be enabled for AMQP traffic. TLS 1.3 is already enabled for HTTPS traffic. Java clients may have a problem with TLS 1.3 due to a dependency on an older version of Proton-J. For more details, read [Java client changes to support TLS 1.3 with Azure Service Bus and Azure Event Hubs](https://techcommunity.microsoft.com/t5/messaging-on-azure-blog/java-client-changes-to-support-tls-1-3-with-azure-service-bus/ba-p/4089355)

+#### Missing subscription registration

+**Error Message:**

+`The subscription is not registered to use namespace 'Microsoft.KubernetesConfiguration'`

+**Reason:**

+Service Connector requires the subscription to be registered for `Microsoft.KubernetesConfiguration`, which is the resource provider for [Azure Arc-enabled Kubernetes cluster extensions](../azure-arc/kubernetes/extensions.md).

+**Mitigation:**

+To resolve errors related to resource provider registration, follow this [tutorial](../azure-resource-manager/troubleshooting/error-register-resource-provider.md).

+The app registration status shows the state in service discovery. The Basic/Standard plan uses Eureka for service discovery. For more information on how the Eureka client calculates the state, see [Eureka's health checks](https://cloud.spring.io/spring-cloud-netflix/multi/multi__service_discovery_eureka_clients.html#_eurekas_health_checks). The Enterprise pricing plan uses [Tanzu Service Registry](how-to-enterprise-service-registry.md) for service discovery.

+Azure Stream Analytics supports Availability Zones for all jobs. Any new dedicated cluster or new job will automatically benefit from Availability Zones, and, in case of disaster in a zone, will continue to run seamlessly by failing over to the other zones without the need of any user action. Availability Zones provide customers with the ability to withstand datacenter failures through redundancy and logical isolation of services. This will significantly reduce the risk of outage for your streaming pipelines. Note that Azure Stream Analytics jobs integrated with VNET don't currently support Availability Zones.

+ Title: Compare Remote Desktop client features across platforms and devices

+description: Learn about which features of the Remote Desktop client are supported on which platforms and devices for Azure Virtual Desktop, Windows 365, Microsoft Dev Box, Remote Desktop Services, and remote PC connections.

+zone_pivot_groups: remote-desktop-clients

+# Compare Remote Desktop app features across platforms and devices

+> This article is shared for services and products that use the Remote Desktop Protocol (RDP) to provide remote access to Windows desktops and apps.

+>

+> Use the buttons at the top of this article to select what you want to connect to so the article shows the relevant information.

+The Remote Desktop app is available on Windows, macOS, iOS and iPadOS, Android and Chrome OS, and in a web browser. However, support for some features differs across these platforms. This article details which features are supported on which platforms.

+The Remote Desktop app is available on Windows, macOS, iOS and iPadOS, Android and Chrome OS, and in a web browser. However, support for some features differs across these platforms. This article details which features are supported on which platforms when connecting to a Cloud PC from Windows 365.

+The Remote Desktop app is available on Windows, macOS, iOS and iPadOS, Android and Chrome OS, and in a web browser. However, support for some features differs across these platforms. This article details which features are supported on which platforms when connecting to Microsoft Dev Box.

+There are three versions of the Remote Desktop app for Windows, which are all supported for connecting to Azure Virtual Desktop:

+- Standalone download as an MSI installer. This is the most common version of the Remote Desktop app for Windows and is referred to in this article as **Windows (MSI)**.

+- Azure Virtual Desktop app from the Microsoft Store. This is a preview version of the Remote Desktop app for Windows and is referred to in this article as **Windows (AVD Store)**.

+- Remote Desktop app from the Microsoft Store. This version is no longer being developed and is referred to in this article as **Windows (RD Store)**.

+There are two versions of the Remote Desktop app for Windows, which are both supported for connecting to Remote Desktop Services and remote PCs:

+- Remote Desktop Connection. This is provided in Windows and is referred to in this article as **Windows (MSTSC)**, after the name of the executable file. It also includes the **RemoteApp and Desktop Connections** Control Panel applet.

+- Remote Desktop app from the Microsoft Store. This version is no longer being developed and is referred to in this article as **Windows (RD Store)**.

+## Experience

+The following table compares which Remote Desktop app experience features are supported on which platforms:

+| Feature | Windows<br />(MSI) | Windows<br />(AVD Store) | Windows<br />(RD Store) | macOS | iOS/<br />iPadOS | Android/<br />Chrome OS | Web browser |

+|--|:-:|:-:|:-:|:-:|:-:|:-:|:-:|

+| Appearance (dark or light) | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| Integrated apps | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Localization | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| Pin to Start Menu | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Search | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| URI schemes | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup1; | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup1; | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+1. [ms-rd and ms-avd URI schemes](uri-scheme.md) only.

+| Feature | Windows<br />(MSI) | macOS | iOS/<br />iPadOS | Android/<br />Chrome OS | Web browser |

+|--|:-:|:-:|:-:|:-:|:-:|

+| Appearance (dark or light) | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| Integrated apps | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Localization | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| Pin to Start Menu | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Search | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| Windows 365 Boot | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Windows 365 Frontline | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| Windows 365 Switch | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Feature | Windows<br />(MSI) | macOS | iOS/<br />iPadOS | Android/<br />Chrome OS | Web browser |

+|--|:-:|:-:|:-:|:-:|:-:|

+| Appearance (dark or light) | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| Integrated apps | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Localization | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| Pin to Start Menu | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Search | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| Feature | Windows<br />(MSTSC) | Windows<br />(RD Store) | macOS | iOS/<br />iPadOS | Android/<br />Chrome OS | Web browser |

+|--|:-:|:-:|:-:|:-:|:-:|:-:|

+| Appearance (dark or light) | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| Integrated apps | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup1; | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Localization | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| Pin to Start Menu | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup1; | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Search | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| URI schemes | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup2; | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup2; | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup2; | _{:::image type="icon" source="media/no.svg" border="false":::} |

+1. When subscribed to Remote Desktop Services using the **RemoteApp and Desktop Connections** Control Panel applet.

+1. [Legacy RDP URI scheme](/windows-server/remote/remote-desktop-services/clients/remote-desktop-uri#ms-rd-uri-scheme) only.

+| Feature | Windows<br />(MSTSC) | Windows<br />(RD Store) | macOS | iOS/<br />iPadOS | Android/<br />Chrome OS | Web browser |

+|--|:-:|:-:|:-:|:-:|:-:|:-:|

+| Appearance (dark or light) | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| Localization | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| Pin to Start Menu | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Search | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| URI schemes | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup1; | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup1; | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup1; | _{:::image type="icon" source="media/no.svg" border="false":::} |

+1. [Legacy RDP URI scheme](/windows-server/remote/remote-desktop-services/clients/remote-desktop-uri#ms-rd-uri-scheme) only.

+The following table provides a description for each of the experience features:

+| Feature | Description |

+|--|--|

+| Appearance (dark or light) | Change the appearance of the Remote Desktop app to be light or dark. |

+| Integrated apps | Individual apps using RemoteApp are integrated with the local device as if they're running locally. |

+| Localization | User interface available in languages other than *English (United States)*. |

+| Pin to Start Menu | Pin your favorite devices and apps to the Windows Start Menu for quick access. |

+| Search | Quickly search for devices or apps. |

+| Uniform Resource Identifier (URI) schemes | Start the Remote Desktop app or connect to a remote session with specific parameters and values with a URI. |

+| Feature | Description |

+|--|--|

+| Appearance (dark or light) | Change the appearance of Windows App to be light or dark. |

+| Localization | User interface available in languages other than *English (United States)*. |

+| Pin to home | Pin your favorite Cloud PCs to the **Home** tab for quick access. |

+| Pin to taskbar | Pin your favorite Cloud PCs to the **Windows taskbar** for quick access. |

+| Search | Quickly search for devices or apps. |

+| [Windows 365 Boot](/windows-365/enterprise/windows-365-boot-overview) | Boot directly to a Cloud PC, not the local device. |

+| [Windows 365 Frontline](/windows-365/enterprise/introduction-windows-365-frontline) | Share a Cloud PC for shift and part-time workers. |

+| [Windows 365 Switch](/windows-365/enterprise/windows-365-switch-overview) | Easily switch between your local device and a Cloud PC with the **Windows 11 Task view**. |

+| Feature | Description |

+|--|--|

+| Appearance (dark or light) | Change the appearance of Windows App to be light or dark. |

+| Localization | User interface available in languages other than *English (United States)*. |

+| Pin to home | Pin your favorite dev boxes to the **Home** tab for quick access. |

+| Pin to taskbar | Pin your favorite dev boxes to the **Windows taskbar** for quick access. |

+| Search | Quickly search for devices or apps. |

+| Feature | Description |

+|--|--|

+| Appearance (dark or light) | Change the appearance of the Remote Desktop app to be light or dark. |

+| Localization | User interface available in languages other than *English (United States)*. |

+| Pin to Start Menu | Pin your favorite devices and apps to the Windows Start Menu for quick access. |

+| Search | Quickly search for devices or apps. |

+| Uniform Resource Identifier (URI) schemes | Start the Remote Desktop app or connect to a remote session with specific parameters and values with a URI. |

+## Display

+The following table compares which display features are supported on which platforms:

+| Feature | Windows<br />(MSI) | Windows<br />(AVD Store) | Windows<br />(RD Store) | macOS | iOS/<br />iPadOS | Android/<br />Chrome OS | Web browser |

+|--|:-:|:-:|:-:|:-:|:-:|:-:|:-:|

+| Dynamic resolution | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| External monitor | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Multiple monitors&sup1; | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Selected monitors | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Smart sizing | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+1. Up to 16 monitors.

+| Feature | Windows<br />(MSI) | macOS | iOS/<br />iPadOS | Android/<br />Chrome OS | Web browser |

+|--|:-:|:-:|:-:|:-:|:-:|

+| Dynamic resolution | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| External monitor | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Multiple monitors&sup1; | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Selected monitors | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Smart sizing | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+1. Up to 16 monitors.

+| Feature | Windows<br />(MSTSC) | Windows<br />(RD Store) | macOS | iOS/<br />iPadOS | Android/<br />Chrome OS | Web browser |

+|--|:-:|:-:|:-:|:-:|:-:|:-:|

+| Dynamic resolution | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| External monitor | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Multiple monitors&sup1; | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Selected monitors | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Smart sizing | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+1. Up to 16 monitors.

+The following table provides a description for each of the display features:

+| Feature | Description |

+|--|--|

+| Dynamic resolution | The resolution and orientation of local displays is dynamically reflected in the remote session for desktops. If the session is running in *windowed* mode, the desktop is dynamically resized to the size of the window. |

+| External display | Enables the use of an external display for a remote session. |

+| Multiple displays | Enables the remote session to use all local displays.<br /><br />Each display can have a maximum resolution of 8K, with the total combined resolution limited to 32K. These limits depend on factors such as session host specification and network connectivity. |

+| Selected displays | Specifies which local displays to use for the remote session. |

+| Smart sizing | A desktop in *windowed* mode is dynamically scaled to the window's size. |

+## Multimedia

+The following table shows which multimedia features are available on each platform:

+| Feature | Windows<br />(MSI) | Windows<br />(AVD Store) | Windows<br />(RD Store) | macOS | iOS/<br />iPadOS | Android/<br />Chrome OS | Web browser |

+|--|:-:|:-:|:-:|:-:|:-:|:-:|:-:|

+| Multimedia redirection | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Teams media optimizations | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Feature | Windows<br />(MSI) | macOS | iOS/<br />iPadOS | Android/<br />Chrome OS | Web browser |

+|--|:-:|:-:|:-:|:-:|:-:|

+| Multimedia redirection | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Teams media optimizations | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+The following table provides a description for each of the multimedia features:

+| Feature | Description |

+|--|--|

+| [Multimedia redirection](multimedia-redirection-intro.md) | Redirect media content from the desktop or app to the physical machine for faster processing and rendering. |

+| [Teams media optimizations](teams-on-avd.md) | Optimized Microsoft Teams calling and meeting experience. |

+| Feature | Description |

+|--|--|

+| Multimedia redirection | Redirect media content from the Cloud PC or dev box to the physical machine for faster processing and rendering. |

+| [Teams media optimizations](/windows-365/enterprise/teams-on-cloud-pc) | Optimized Microsoft Teams calling and meeting experience. |

+## Redirection

+The following sections detail the redirection support available on each platform.

+### Device redirection

+The following table shows which local devices you can redirect to a remote session on each platform:

+| Feature | Windows<br />(MSI) | Windows<br />(AVD Store) | Windows<br />(RD Store) | macOS | iOS/<br />iPadOS | Android/<br />Chrome OS | Web browser |

+|--|:-:|:-:|:-:|:-:|:-:|:-:|:-:|

+| Cameras | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup1; |

+| Local drive/storage | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup2; |

+| Microphones | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| Printers | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup3; | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&#8308; |

+| Scanners | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Smart cards | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Speakers | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| Feature | Windows<br />(MSI) | macOS | iOS/<br />iPadOS | Android/<br />Chrome OS | Web browser |

+|--|:-:|:-:|:-:|:-:|:-:|

+| Cameras | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup1; |

+| Local drive/storage | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup2; |

+| Microphones | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| Printers | _{:::image type="icon" source="media/yes.svg" border="false":::} | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup3; | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&#8308; |

+| Scanners | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Smart cards | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Speakers | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| Feature | Windows<br />(MSTSC) | Windows<br />(RD Store) | macOS | iOS/<br />iPadOS | Android/<br />Chrome OS | Web browser |

+|--|:-:|:-:|:-:|:-:|:-:|:-:|

+| Cameras | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup1; |

+| Local drive/storage | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup2; |

+| Microphones | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| Printers | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup3; | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&#8308; |

+| Scanners | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Smart cards | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Speakers | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+1. Camera redirection in a web browser is in preview.

+1. Limited to uploading and downloading files through a web browser.

+1. The Remote Desktop app on macOS supports the *Publisher Imagesetter* printer driver by default (*Common UNIX Printing System* (CUPS) only). Native printer drivers aren't supported.

+1. PDF printing only.

+The following table provides a description for each type of device you can redirect:

+| Device type | Description |

+|--|--|

+| Cameras | Redirect a local camera to use with apps like Microsoft Teams. |

+| Local drive/storage | Access local disk drives in a remote session. |

+| Microphones | Redirect a local microphone to use with apps like Microsoft Teams. |

+| Printers | Print from a remote session to a local printer. |

+| Scanners | Access a local scanner in a remote session. |

+| Smart cards | Use smart cards in a remote session. |

+| Speakers | Play audio in the remote session or on local device. |

+The following table shows which input methods you can redirect:

+| Feature | Windows<br />(MSI) | Windows<br />(AVD Store) | Windows<br />(RD Store) | macOS | iOS/<br />iPadOS | Android/<br />Chrome OS | Web browser |

+|--|:-:|:-:|:-:|:-:|:-:|:-:|:-:|

+| Keyboard | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| Keyboard input language | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup1; |

+| Keyboard shortcuts | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| Mouse/trackpad | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup2; | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| Multi-touch | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Pen | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| Touch | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| Feature | Windows<br />(MSI) | macOS | iOS/<br />iPadOS | Android/<br />Chrome OS | Web browser |

+|--|:-:|:-:|:-:|:-:|:-:|

+| Keyboard | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| Keyboard input language | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup1; |

+| Keyboard shortcuts | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| Mouse/trackpad | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup2; | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| Multi-touch | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Pen | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| Touch | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| Feature | Windows<br />(MSTSC) | Windows<br />(RD Store) | macOS | iOS/<br />iPadOS | Android/<br />Chrome OS | Web browser |

+|--|:-:|:-:|:-:|:-:|:-:|:-:|

+| Keyboard | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| Keyboard input language | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup1; |

+| Keyboard shortcuts | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| Mouse/trackpad | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | <sub>:::image type="icon" source="media/yes.svg" border="false"::: | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| Multi-touch | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Pen | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| Touch | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+1. Enabled by alternative keyboard layout.

+The following table provides a description for each type of input you can redirect:

+| Input type | Description |

+|--|--|

+| Keyboard | Redirect keyboard inputs to the remote session. |

+| Mouse/trackpad | Redirect mouse or trackpad inputs to the remote session. |

+| Multi-touch | Redirect multiple touches simultaneously to the remote session. |

+| Pen | Redirect pen inputs, including pressure, to the remote session. |

+| Touch | Redirect touch inputs to the remote session. |

+The following table shows which ports you can redirect:

+| Port type | Windows<br />(MSI) | Windows<br />(AVD Store) | Windows<br />(RD Store) | macOS | iOS/<br />iPadOS | Android/<br />Chrome OS | Web browser |

+|--|:-:|:-:|:-:|:-:|:-:|:-:|:-:|

+| Serial | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| USB | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |_{:::image type="icon" source="media/no.svg" border="false":::} |

+| Port type | Windows<br />(MSI) | macOS | iOS/<br />iPadOS | Android/<br />Chrome OS | Web browser |

+|--|:-:|:-:|:-:|:-:|:-:|

+| Serial | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| USB | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |_{:::image type="icon" source="media/no.svg" border="false":::} |

+| Feature | Windows<br />(MSTSC) | Windows<br />(RD Store) | macOS | iOS/<br />iPadOS | Android/<br />Chrome OS | Web browser |

+|--|:-:|:-:|:-:|:-:|:-:|:-:|

+| Serial | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| USB | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+The following table provides a description for each port you can redirect:

+| Port type | Description |

+|--|--|

+| Serial | Redirect serial (COM) ports on the local device to the remote session. |

+| USB | Redirect supported USB devices on the local device to the remote session. |

+### Other redirection

+The following table shows which other features you can redirect:

+| Feature | Windows<br />(MSI) | Windows<br />(AVD Store) | Windows<br />(RD Store) | macOS | iOS/<br />iPadOS | Android/<br />Chrome OS | Web browser |

+|--|:-:|:-:|:-:|:-:|:-:|:-:|:-:|

+| Clipboard - bidirectional | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup1; | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup3; | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| Clipboard - unidirectional | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Location | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup2; | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup2; | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| Third-party virtual channel plugins | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Time zone | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| WebAuthn | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Feature | Windows<br />(MSI) | macOS | iOS/<br />iPadOS | Android/<br />Chrome OS | Web browser |

+|--|:-:|:-:|:-:|:-:|:-:|

+| Clipboard - bidirectional | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup1; | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup3; | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| Clipboard - unidirectional | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Location | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup2; | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| Third-party virtual channel plugins | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Time zone | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| WebAuthn | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Feature | Windows<br />(MSTSC) | Windows<br />(RD Store) | macOS | iOS/<br />iPadOS | Android/<br />Chrome OS | Web browser |

+|--|:-:|:-:|:-:|:-:|:-:|:-:|

+| Clipboard - bidirectional | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup1; | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup3; | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| Clipboard - unidirectional | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Location | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup2; | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| Third-party virtual channel plugins | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Time zone | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| WebAuthn | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+1. Text and images only.

+1. From a local device running Windows 11 only.

+1. Text only.

+The following table provides a description for each other redirection feature you can redirect:

+| Feature | Description |

+|--|--|

+| Clipboard - bidirectional | Redirect the clipboard on the local device is to the remote session and from the remote session to the local device. |

+| Clipboard - unidirectional | Either redirect the clipboard on the local device to the remote session or from the remote session to the local device. |

+| Location | The location of the local device can be available in the remote session. |

+| Third-party virtual channel plugins | Enables third-party virtual channel plugins to extend Remote Desktop Protocol (RDP) capabilities. |

+| Time zone | The time zone of the local device can be available in the remote session. |

+| WebAuthn | Authentication requests in the remote session can be redirected to the local device allowing the use of security devices such as Windows Hello for Business or a security key. |

+## Authentication

+The following sections detail the authentication support available on each platform and the following table provides a description for each credential type:

+| Credential type | Description |

+|--|--|

+| [FIDO2 security keys](/entra/identity/authentication/concept-authentication-passwordless#fido2-security-keys) | FIDO2 security keys provide a standards-based passwordless authentication method that comes in many form factors. FIDO2 incorporates the web authentication (WebAuthn) standard. |

+| [Microsoft Authenticator](/entra/identity/authentication/howto-authentication-passwordless-phone) | The Microsoft Authenticator app helps sign in to Microsoft Entra ID without using a password, or provides an extra verification option for multifactor authentication. Microsoft Authenticator uses key-based authentication to enable a user credential that is tied to a device, where the device uses a PIN or biometric. |

+| [Windows Hello for Business certificate trust](/windows/security/identity-protection/hello-for-business/#comparing-key-based-and-certificate-based-authentication) | Uses an enterprise managed public key infrastructure (PKI) for issuing and managing end user certificates. |

+| [Windows Hello for Business cloud trust](/windows/security/identity-protection/hello-for-business/#comparing-key-based-and-certificate-based-authentication) | Uses Microsoft Entra Kerberos, which enables a simpler deployment when compared to the key trust model. |

+| [Windows Hello for Business key trust](/windows/security/identity-protection/hello-for-business/#comparing-key-based-and-certificate-based-authentication) | Uses hardware-bound keys created during the provisioning experience. |

+### Cloud service authentication

+The authentication to the service, which includes subscribing to your resources and authenticating to the Gateway, is with Microsoft Entra ID. For more information about the service components of Azure Virtual Desktop, see [Azure Virtual Desktop service architecture and resilience](service-architecture-resilience.md).

+The following table shows which credential types are available for each platform:

+| Feature | Windows<br />(MSI) | Windows<br />(AVD Store) | Windows<br />(RD Store) | macOS | iOS/<br />iPadOS | Android/<br />Chrome OS | Web browser |

+|--|:-:|:-:|:-:|:-:|:-:|:-:|:-:|

+| FIDO2 security keys | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| Microsoft Authenticator | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| Password | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| Smart card with Active Directory Federation Services | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| Smart card with Microsoft Entra certificate-based authentication | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| Windows Hello for Business certificate trust | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup1; |

+| Windows Hello for Business cloud trust | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup1; |

+| Windows Hello for Business key trust | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup1; |

+| Feature | Windows<br />(MSI) | macOS | iOS/<br />iPadOS | Android/<br />Chrome OS | Web browser |

+|--|:-:|:-:|:-:|:-:|:-:|

+| FIDO2 security keys | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| Microsoft Authenticator | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| Password | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| Smart card with Active Directory Federation Services | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| Smart card with Microsoft Entra certificate-based authentication | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| Windows Hello for Business certificate trust | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup1; |

+| Windows Hello for Business cloud trust | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup1; |

+| Windows Hello for Business key trust | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup1; |

+1. Available when using a web browser on a local Windows device only.

+### Remote session authentication

+When connecting to a remote session, there are multiple ways to authenticate. If single sign-on (SSO) is enabled, the credentials used to sign into the cloud service are automatically passed through when connecting to the remote session. The following table shows which types of credential that can be used to authenticate to the remote session if single sign-on is disabled:

+| Feature | Windows<br />(MSI) | Windows<br />(AVD Store) | Windows<br />(RD Store) | macOS | iOS/<br />iPadOS | Android/<br />Chrome OS | Web browser |

+|--|:-:|:-:|:-:|:-:|:-:|:-:|:-:|

+| FIDO2 security keys | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Microsoft Authenticator | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Password | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| Smart card | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup1; | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup1; | _{:::image type="icon" source="media/no.svg" border="false":::} | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup2; | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Windows Hello for Business certificate trust | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Windows Hello for Business cloud trust | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Windows Hello for Business key trust | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup3; | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup3; | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Feature | Windows<br />(MSI) | macOS | iOS/<br />iPadOS | Android/<br />Chrome OS | Web browser |

+|--|:-:|:-:|:-:|:-:|:-:|

+| FIDO2 security keys | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Microsoft Authenticator | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Password | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| Smart card | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup1; | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup2; | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Windows Hello for Business certificate trust | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Windows Hello for Business cloud trust | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Windows Hello for Business key trust | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup3; | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+1. Requires smart card redirection.

+1. Requires smart card redirection with Network Level Authentication (NLA) disabled.

+1. Requires a [certificate for Remote Desktop Protocol (RDP) sign-in](/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs).

+### In-session authentication

+The following table shows which types of credential are available when authenticating within a remote session:

+| Feature | Windows<br />(MSI) | Windows<br />(AVD Store) | Windows<br />(RD Store) | macOS | iOS/<br />iPadOS | Android/<br />Chrome OS | Web browser |

+|--|:-:|:-:|:-:|:-:|:-:|:-:|:-:|

+| FIDO2 security keys | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup1; | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup1; | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Password | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| Smart card | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup1; | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup1; | _{:::image type="icon" source="media/no.svg" border="false":::} | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup1; | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Windows Hello for Business certificate trust | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup2; | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup2; | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Windows Hello for Business cloud trust | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup2; | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup2; | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Windows Hello for Business key trust | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup2; | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup2; | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Feature | Windows<br />(MSI) | macOS | iOS/<br />iPadOS | Android/<br />Chrome OS | Web browser |

+|--|:-:|:-:|:-:|:-:|:-:|

+| FIDO2 security keys | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup1; | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Password | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| Smart card | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup1; | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup1; | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Windows Hello for Business certificate trust | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup2; | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Windows Hello for Business cloud trust | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup2; | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Windows Hello for Business key trust | ^{&#160;&#160;&#8201;}_{:::image type="icon" source="media/yes.svg" border="false":::}&sup2; | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+1. Requires smart card redirection.

+1. Requires WebAuthn redirection.

+## Security

+The following table shows which security features are available on each platform:

+| Feature | Windows<br />(MSI) | Windows<br />(AVD Store) | Windows<br />(RD Store) | macOS | iOS/<br />iPadOS | Android/<br />Chrome OS | Web browser |

+|--|:-:|:-:|:-:|:-:|:-:|:-:|:-:|

+| Screen capture protection | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Watermarking | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| Feature | Windows<br />(MSI) | macOS | iOS/<br />iPadOS | Android/<br />Chrome OS | Web browser |

+|--|:-:|:-:|:-:|:-:|:-:|

+| Screen capture protection | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Watermarking | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+The following table provides a description for each security feature:

+| Feature | Description |

+|--|--|

+| [Screen capture protection](screen-capture-protection.md) | Helps prevent sensitive information in the remote session from being screen captured from the physical device. |

+| [Watermarking](watermarking.md) | Helps protect sensitive information from being stolen or altered. |

+The following table provides a description for each security feature:

+| Feature | Description |

+|--|--|

+| [Screen capture protection](/azure/virtual-desktop/screen-capture-protection?context=%2Fwindows-365%2Fcontext%2Fpr-context) | Helps prevent sensitive information in the remote session from being screen captured from the physical device. |

+| [Watermarking](/azure/virtual-desktop/watermarking?context=%2Fwindows-365%2Fcontext%2Fpr-context) | Helps protect sensitive information from being stolen or altered. |

+## Network

+The following table shows which network features are available on each platform:

+| Feature | Windows<br />(MSI) | Windows<br />(AVD Store) | Windows<br />(RD Store) | macOS | iOS/<br />iPadOS | Android/<br />Chrome OS | Web browser |

+|--|:-:|:-:|:-:|:-:|:-:|:-:|:-:|

+| Connection information | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| RDP Shortpath for managed networks | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| RDP Shortpath for public networks | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Feature | Windows<br />(MSI) | macOS | iOS/<br />iPadOS | Android/<br />Chrome OS | Web browser |

+|--|:-:|:-:|:-:|:-:|:-:|

+| Connection information | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+| RDP Shortpath for managed networks | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| RDP Shortpath for public networks | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Feature | Windows<br />(MSTSC) | Windows<br />(RD Store) | macOS | iOS/<br />iPadOS | Android/<br />Chrome OS | Web browser |

+|--|:-:|:-:|:-:|:-:|:-:|:-:|

+| Connection information | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | | _{:::image type="icon" source="media/yes.svg" border="false":::} |

+The following table provides a description for each network feature:

+| Feature | Description |

+|--|--|

+| Connection information | See the connection information of the remote session. |

+| [RDP Shortpath for managed networks](rdp-shortpath.md?tabs=managed-networks) | Better connection reliability and more consistent latency through direct UDP-based transport on a private/managed network connection. |

+| [RDP Shortpath for public networks](rdp-shortpath.md?tabs=public-networks) | Better connection reliability and more consistent latency through direct UDP-based transport on a public network connection. |

+| Feature | Description |

+|--|--|

+| Connection information | See the connection information of the remote session. |

+| [RDP Shortpath for managed networks](/windows-365/enterprise/rdp-shortpath-private-networks) | Better connection reliability and more consistent latency through direct UDP-based transport on a private/managed network connection. |

+| [RDP Shortpath for public networks](/windows-365/enterprise/rdp-shortpath-public-networks) | Better connection reliability and more consistent latency through direct UDP-based transport on a public network connection. |

+| Feature | Description |

+|--|--|

+| Connection information | See the connection information of the remote session. |

+ Title: Configure default chroma value for Azure Virtual Desktop

+description: Learn how to configure the default chroma value from 4:2:0 to 4:4:4.

+# Configure the default chroma value for Azure Virtual Desktop

+The chroma value determines the color space used for encoding. By default, the chroma value is set to 4:2:0, which provides a good balance between image quality and network bandwidth. You can increase the default chroma value to 4:4:4 to improve image quality. You don't need to use GPU acceleration to change the default chroma value.

+This article shows you how to set the default chroma value. You can use Microsoft Intune or Group Policy to configure your session hosts.

+## Prerequisites

+Before you can configure the default chroma value, you need:

+- An existing host pool with session hosts.

+- To configure Microsoft Intune, you need:

+ - Microsoft Entra ID account that is assigned the [Policy and Profile manager](/mem/intune/fundamentals/role-based-access-control-reference#policy-and-profile-manager) built-in RBAC role.

+ - A group containing the devices you want to configure.

+- To configure Group Policy, you need:

+ - A domain account that is a member of the **Domain Admins** security group.

+ - A security group or organizational unit (OU) containing the devices you want to configure.

+## Increase the default chroma value to 4:4:4

+By default, the chroma value is set to 4:2:0. You can increase the default chroma value to 4:4:4 using Microsoft Intune or Group Policy.

+Select the relevant tab for your scenario.

+# [Microsoft Intune](#tab/intune)

+To increase the default chroma value to 4:4:4 using Microsoft Intune:

+1. Sign in to the [Microsoft Intune admin center](https://endpoint.microsoft.com/).

+1. [Create or edit a configuration profile](/mem/intune/configuration/administrative-templates-windows) for **Windows 10 and later** devices, with the **Settings catalog** profile type.

+1. In the settings picker, browse to **Administrative templates** > **Windows Components** > **Remote Desktop Services** > **Remote Desktop Session Host** > **Remote Session Environment**.

+ :::image type="content" source="media/enable-gpu-acceleration/remote-session-environment-intune.png" alt-text="A screenshot showing the redirection options in the Microsoft Intune portal." lightbox="media/enable-gpu-acceleration/remote-session-environment-intune.png":::

+1. Check the box for the following settings, then close the settings picker:

+ 1. **Prioritize H.264/AVC 444 Graphics mode for Remote Desktop connections**

+ 1. **Configure image quality for RemoteFX Adaptive Graphics**

+1. Expand the **Administrative templates** category, then set each setting as follows:

+ 1. Set toggle the switch for **Prioritize H.264/AVC 444 Graphics mode for Remote Desktop connections** to **Enabled**.

+ 1. Set toggle the switch for **Configure image quality for RemoteFX Adaptive Graphics** to **Enabled**, then for **Image quality: (Device)**, select **High**.

+1. Select **Next**.

+1. *Optional*: On the **Scope tags** tab, select a scope tag to filter the profile. For more information about scope tags, see [Use role-based access control (RBAC) and scope tags for distributed IT](/mem/intune/fundamentals/scope-tags).

+1. On the **Assignments** tab, select the group containing the computers providing a remote session you want to configure, then select **Next**.

+1. On the **Review + create** tab, review the settings, then select **Create**.

+1. Once the policy applies to the computers providing a remote session, restart them for the settings to take effect.

+# [Group Policy](#tab/group-policy)

+To increase the default chroma value to 4:4:4 using Group Policy:

+1. Open the **Group Policy Management** console on device you use to manage the Active Directory domain.

+1. Create or edit a policy that targets the computers providing a remote session you want to configure.

+1. Navigate to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Remote Desktop Services** > **Remote Desktop Session Host** > **Remote Session Environment**.

+ :::image type="content" source="media/enable-gpu-acceleration/remote-session-environment-group-policy.png" alt-text="A screenshot showing the redirection options in the Group Policy editor." lightbox="media/enable-gpu-acceleration/remote-session-environment-group-policy.png":::

+1. Configure the following settings:

+ 1. Double-click the policy setting **Prioritize H.264/AVC 444 Graphics mode for Remote Desktop connections** to open it. Select **Enabled**, then select **OK**.

+ 1. Double-click the policy setting **Configure image quality for RemoteFX Adaptive Graphics** to **Enabled**, then for **Image quality**, select **High**. Select **OK**.

+1. Ensure the policy is applied to your session hosts, then restart them for the settings to take effect.

+## Verify a remote session is using a chroma value of 4:4:4

+To verify that a remote session is using a chroma value of 4:4:4, you need to [open an Azure support request](https://azure.microsoft.com/support/create-ticket/) with Microsoft Support who can verify the chroma value from telemetry.

+## Related content

+- [Configure GPU acceleration](enable-gpu-acceleration.md)

+ Title: Enable GPU acceleration for Azure Virtual Desktop

+# Enable GPU acceleration for Azure Virtual Desktop

+Azure Virtual Desktop supports graphics processing unit (GPU) acceleration in rendering and encoding for improved app performance and scalability using the Remote Desktop Protocol (RDP). GPU acceleration is crucial for graphics-intensive applications and can be used with all [supported operating systems](prerequisites.md#operating-systems-and-licenses) for Azure Virtual Desktop.

+There are three components to GPU acceleration in Azure Virtual Desktop that work together to improve the user experience:

+- **GPU-accelerated application rendering**: Use the GPU to render graphics in a remote session.

+- **GPU-accelerated frame encoding**: The Remote Desktop Protocol encodes all graphics rendered for transmission to the local device. When part of the screen is frequently updated, it's encoded with the H.264/AVC video codec.

+- **Full-screen video encoding**: A full-screen video profile provides a higher frame rate and better user experience, but uses more network bandwidth and both session host and client resources. It benefits applications such as 3D modeling, CAD/CAM, or video playback and editing.

+> [!TIP]

+> - You can enable full-screen video encoding even without GPU acceleration.

+>

+> - You can also increase the [default chroma value](configure-default-chroma-value.md) to improve the image quality.

+This article shows you which Azure VM sizes you can use as a session host with GPU acceleration, and how to enable GPU acceleration for rendering and encoding. You can use Microsoft Intune or Group Policy to configure your session hosts.

+## Supported GPU-optimized Azure VM sizes

+The following Azure VM sizes are optimized for GPU acceleration and are supported as session hosts in Azure Virtual Desktop:

+- [NVv3-series](../virtual-machines/nvv3-series.md)

+- [NVv4-series](../virtual-machines/nvv4-series.md). GPU-accelerated frame encoding isn't available with NVv4-series VMs.

+- [NVadsA10 v5-series](../virtual-machines/nva10v5-series.md)

+- [NCasT4_v3-series](../virtual-machines/nct4-v3-series.md)

+The right choice of VM size depends on many factors, including your particular application workloads, desired quality of user experience, and cost. In general, larger and more capable GPUs offer a better user experience at a given user density. Smaller and fractional GPU sizes allow more fine-grained control over cost and quality.

+VM sizes with an NVIDIA GPU come with a GRID license that supports 25 concurrent users.

+> [!IMPORTANT]

+> Azure NC, NCv2, NCv3, ND, and NDv2 series VMs aren't generally appropriate as session hosts. These VM sizes are tailored for specialized, high-performance compute or machine learning tools, such as those built with NVIDIA CUDA. They don't support GPU acceleration for most applications or the Windows user interface.

+Before you can enable GPU acceleration, you need:

+- An existing host pool with session hosts using [supported GPU-optimized Azure VM sizes](#supported-gpu-optimized-azure-vm-sizes).

+- To configure Microsoft Intune, you need:

+ - Microsoft Entra ID account that is assigned the [Policy and Profile manager](/mem/intune/fundamentals/role-based-access-control-reference#policy-and-profile-manager) built-in RBAC role.

+ - A group containing the devices you want to configure.

+- To configure Group Policy, you need:

+ - A domain account that is a member of the **Domain Admins** security group.

+ - A security group or organizational unit (OU) containing the devices you want to configure.

+To take advantage of the GPU capabilities of Azure N-series VMs in Azure Virtual Desktop, you must install the appropriate graphics drivers. Follow the instructions at [Supported operating systems and drivers](../virtual-machines/sizes-gpu.md#supported-operating-systems-and-drivers) to install drivers.

+> [!IMPORTANT]

+> Only Azure-distributed drivers are supported.

+When installing drivers, here are some important guidelines:

+- For VMs sizes with an NVIDIA GPU, only NVIDIA *GRID* drivers support GPU acceleration for most applications and the Windows user interface. NVIDIA *CUDA* drivers don't support GPU acceleration for these VM sizes. To download and learn how to install the driver, see [Install NVIDIA GPU drivers on N-series VMs running Windows](../virtual-machines/windows/n-series-driver-setup.md) and be sure to install the GRID driver. If you install the driver by using the [NVIDIA GPU Driver Extension](../virtual-machines/extensions/hpccompute-gpu-windows.md), the GRID driver is automatically installed for these VM sizes.

+- For VMs sizes with an AMD GPU, install the AMD drivers that Azure provides. To download and learn how to install the driver, see [Install AMD GPU drivers on N-series VMs running Windows](../virtual-machines/windows/n-series-amd-driver-setup.md).

+## Enable GPU-accelerated application rendering, frame encoding, and full-screen video encoding

+By default, remote sessions are rendered with the CPU and don't use available GPUs. You can enable GPU-accelerated application rendering, frame encoding, and full-screen video encoding using Microsoft Intune or Group Policy.

+> [!NOTE]

+> GPU-accelerated frame encoding isn't available with NVv4-series VMs.

+Select the relevant tab for your scenario.

+# [Microsoft Intune](#tab/intune)

+To enable GPU-accelerated application rendering using Microsoft Intune:

+1. Sign in to the [Microsoft Intune admin center](https://endpoint.microsoft.com/).

+1. [Create or edit a configuration profile](/mem/intune/configuration/administrative-templates-windows) for **Windows 10 and later** devices, with the **Settings catalog** profile type.

+1. In the settings picker, browse to **Administrative templates** > **Windows Components** > **Remote Desktop Services** > **Remote Desktop Session Host** > **Remote Session Environment**.

+ :::image type="content" source="media/enable-gpu-acceleration/remote-session-environment-intune.png" alt-text="A screenshot showing the redirection options in the Microsoft Intune portal." lightbox="media/enable-gpu-acceleration/remote-session-environment-intune.png":::

+1. Select the following settings, then close the settings picker:

+ 1. For GPU-accelerated application rendering, check the box for **Use hardware graphics adapters for all Remote Desktop Services sessions**.

+ 1. For GPU accelerated frame encoding, check the box for **Configure H.264/AVC hardware encoding for Remote Desktop connections**.

+ 1. For full-screen video encoding, check the box for **Prioritize H.264/AVC 444 Graphics mode for Remote Desktop connections**.

+1. Expand the **Administrative templates** category, then set toggle the switch for each setting as follows:

+ 1. For GPU-accelerated application rendering, set **Use hardware graphics adapters for all Remote Desktop Services sessions** to **Enabled**.

+ 1. For GPU accelerated frame encoding, set **Configure H.264/AVC hardware encoding for Remote Desktop connections** to **Enabled**.

+ 1. For full-screen video encoding, set **Prioritize H.264/AVC 444 Graphics mode for Remote Desktop connections** to **Enabled**.

+1. Select **Next**.

+1. *Optional*: On the **Scope tags** tab, select a scope tag to filter the profile. For more information about scope tags, see [Use role-based access control (RBAC) and scope tags for distributed IT](/mem/intune/fundamentals/scope-tags).

+1. On the **Assignments** tab, select the group containing the computers providing a remote session you want to configure, then select **Next**.

+1. On the **Review + create** tab, review the settings, then select **Create**.

+1. Once the policy applies to the computers providing a remote session, restart them for the settings to take effect.

+# [Group Policy](#tab/group-policy)

+To enable GPU-accelerated application rendering using Group Policy:

+1. Open the **Group Policy Management** console on device you use to manage the Active Directory domain.

+1. Create or edit a policy that targets the computers providing a remote session you want to configure.

+1. Navigate to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Remote Desktop Services** > **Remote Desktop Session Host** > **Remote Session Environment**.

+ :::image type="content" source="media/enable-gpu-acceleration/remote-session-environment-group-policy.png" alt-text="A screenshot showing the redirection options in the Group Policy editor." lightbox="media/enable-gpu-acceleration/remote-session-environment-group-policy.png":::

+1. Configure the following settings:

+ 1. For GPU-accelerated application rendering, double-click the policy setting **Use hardware graphics adapters for all Remote Desktop Services sessions** to open it. Select **Enabled**, then select **OK**.

+ 1. For GPU accelerated frame encoding, double-click the policy setting **Configure H.264/AVC hardware encoding for Remote Desktop connections** to open it. Select **Enabled**, then select **OK**. If you're using Windows Server 2016, you see an extra drop-down menu in the setting; set **Prefer AVC Hardware Encoding** to **Always attempt**.

+ 1. For full-screen video encoding, double-click the policy setting **Prioritize H.264/AVC 444 Graphics mode for Remote Desktop connections** to open it. Select **Enabled**, then select **OK**.

+1. Ensure the policy is applied to your session hosts, then restart them for the settings to take effect.

+## Verify GPU acceleration

+To verify that a remote session is using GPU acceleration, GPU-accelerated application rendering, frame encoding, and full-screen video encoding:

+1. Connect to one of the session hosts you configured, either through Azure Virtual Desktop or a direct RDP connection.

+1. Open an application that uses GPU acceleration and generate some load for the GPU.

+1. Open Task Manager and go to the **Performance** tab. Select the GPU to see whether the GPU is being utilized by the application.

+ :::image type="content" source="media/enable-gpu-acceleration/task-manager-rdp-gpu.png" alt-text="A screenshot showing the GPU usage in Task Manager when in a Remote Desktop session." lightbox="media/enable-gpu-acceleration/task-manager-rdp-gpu.png":::

+ > [!TIP]

+ > For NVIDIA GPUs, you can also use the `nvidia-smi` utility to check for GPU utilization when running your application. For more information, see [Verify driver installation](../virtual-machines/windows/n-series-driver-setup.md#verify-driver-installation).

+1. Open Event Viewer from the start menu, or run `eventvwr.msc` from the command line.

+1. Navigate to one of the following locations:

+ 1. For connections through Azure Virtual Desktop, go to **Applications and Services Logs** > **Microsoft** > **Windows** > **RemoteDesktopServices-RdpCoreCDV** > **Operational**.

+ 1. For connections through a direct RDP connection, go to **Applications and Services Logs** > **Microsoft** > **Windows** > **RemoteDesktopServices-RdpCoreTs** > **Operational**.

+1. Look for the following event IDs:

+ - **Event ID 170**: If you see **AVC hardware encoder enabled: 1** in the event text, RDP is using GPU-accelerated frame encoding.

+ - **Event ID 162**: If you see **AVC available: 1, Initial Profile: 2048** in the event text, RDP is using full-screen video encoding (H.264/AVC 444).

+## Related content

+Increase the [default chroma value](configure-default-chroma-value.md) to improve the image quality.

+Round-trip time (RTT) is an estimate of the connection's round-trip time between the end-userΓÇÖs location and the session host's Azure region. To see which locations have the best latency, look up your desired location in [Azure network round-trip latency statistics](../networking/azure-network-latency.md).

+- Round-trip time (RTT) latency from the client's network to the Azure region that contains the host pools should be less than 150 ms. To see which locations have the best latency, look up your desired location in [Azure network round-trip latency statistics](../networking/azure-network-latency.md). To optimize for network performance, we recommend you create session hosts in the Azure region closest to your users.

+- To create a GPU optimized Azure virtual machine, see [Enable GPU acceleration for Azure Virtual Desktop](enable-gpu-acceleration.md).

+## Optimize VM latency by reviewing Azure network round-trip latency statistics

+Round-trip time (RTT) latency from the client's network to the Azure region that contains the host pools should be less than 150 ms. To see which locations have the best latency, look up your desired location in [Azure network round-trip latency statistics](../networking/azure-network-latency.md). To optimize for network performance, we recommend you create session hosts in the Azure region closest to your users. We recommend you review the statistics every two to three months to make sure the optimal location hasn't changed as Azure Virtual Desktop rolls out to new areas.

+- The Microsoft Store Remote Desktop Client is now generally available. This version of the Microsoft Store Remote Desktop Client is compatible with Azure Virtual Desktop. We've also introduced refreshed UI flows for improved user experiences. This update includes fluent design, light and dark modes, and many other exciting changes. We've also rewritten the client to use the same underlying remote desktop protocol (RDP) engine as the iOS, macOS, and Android clients. This lets us deliver new features at a faster rate across all platforms. [Download the client](https://www.microsoft.com/p/microsoft-remote-desktop/9wzdncrfj3ps?rtc=1&activetab=pivot:overviewtab).

+Create a resource group with [New-AzResourceGroup](/powershell/module/az.resources/new-azresourcegroup). The following example creates a resource group named *myResourceGroup* in the *East US* location:

+> Upgrade policies for Virtual Machine Scale Sets with Uniform Orchestration are in general availability (GA).

+> Rolling upgrade policy for Virtual Machine Scale sets with Uniform Orchestration is in general availability (GA).

+> Manual upgrade policy for Virtual Machine Scale Sets with Uniform Orchestration is in general availability (GA).

+> Upgrade policies for Virtual Machine Scale Sets with Uniform Orchestration are in general availability (GA).

+> Setting the upgrade policy to automatic during scale set creation using CLI or PowerShell on Virtual Machine Scale Sets with Flexible Orchestration is not yet available. To set the upgrade policy to automatic, update the upgrade policy after scale set deployment. See [changing the upgrade policy on a Virtual Machine Scale Set](virtual-machine-scale-sets-change-upgrade-policy.md).

+> Setting the upgrade policy to automatic during scale set creation using CLI or PowerShell on Virtual Machine Scale Sets with Flexible Orchestration is not yet available. To set the upgrade policy to automatic, update the upgrade policy after scale set deployment. See [changing the upgrade policy on a Virtual Machine Scale Set](virtual-machine-scale-sets-change-upgrade-policy.md).

+> Upgrade policies for Virtual Machine Scale Sets with Uniform Orchestration are in general availability (GA).

+The Azure HPC team is offering optimized and pre-configured Linux VM images for HPC and AI workloads. These VM images are:

+ >Some data disks on Linux VMs can be resized without Deallocating the VM, please check [Expand virtual hard disks on a Linux VM](/azure/virtual-machines/linux/expand-disks? tabs=ubuntu#expand-an-azure-managed-disk) in order to verify your disks meet the requirements.

+ --resource-group myMaintenanceRg \

+ --resource-group myHostResourceGroup \

+Azure virtual machines (VMs) are one of several types of [on-demand, scalable computing resources](/azure/architecture/guide/technology-choices/compute-decision-tree) that Azure offers. Typically, you choose a virtual machine when you need more control over the computing environment than the other choices offer. This article gives you information about what you should consider before you create a virtual machine, how you create it, and how you manage it.

+| A virtual Network Interface Card (NIC) | For connecting to the virtual network | There's no separate cost for NICs. However, there's a limit to how many NICs you can use based on your [VM's size](sizes.md). Size your VM accordingly and reference [Virtual Machine pricing](https://azure.microsoft.com/pricing/details/virtual-machines/linux/). |

+| OS Disk and possibly separate disks for data. | It's a best practice to keep your data on a separate disk from your operating system, in case you ever have a VM fail, you can detach the data disk, and attach it to a new VM. | All new virtual machines have an operating system disk and a local disk. <br> Azure doesn't charge for local disk storage. <br> The operating system disk, which is usually 127GiB but is smaller for some images, is charged at the [regular rate for disks](https://azure.microsoft.com/pricing/details/managed-disks/). <br> You can see the cost for attach Premium (SSD based) and Standard (HDD) based disks to your virtual machines on the [Managed Disks pricing page](https://azure.microsoft.com/pricing/details/managed-disks/). |

+You can also choose to have Azure can create and store public and private SSH keys - Azure uses the public key in your VM and you use the private key when you access the VM over SSH. Otherwise, you need a username and password.

+There are multiple [geographical regions](https://azure.microsoft.com/regions/) around the world where you can create Azure resources. Usually, the region is called **location** when you create a virtual machine. For a virtual machine, the location specifies where the virtual hard disks are stored.

+- **[Availability Zones](../availability-zones/az-overview.md)** are physically separated zones within an Azure region. Availability zones guarantee virtual machine connectivity to at least one instance at least 99.99% of the time when you have two or more instances deployed across two or more Availability Zones in the same Azure region.

+Microsoft Azure supports various Linux and Windows distributions. You can find available distributions in the [marketplace](https://azuremarketplace.microsoft.com), Azure portal or by querying results using CLI, PowerShell, and REST APIs.

+Microsoft works closely with partners to ensure the images available are updated and optimized for an Azure runtime. For more information on Azure partner offers, see the [Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps?filters=partners%3Bvirtual-machine-images&page=1)

+Azure supports for [cloud-init](https://cloud-init.io/) across most Linux distributions that support it. We're actively working with our Linux partners to make cloud-init enabled images available in the Azure Marketplace. These images make your cloud-init deployments and configurations work seamlessly with virtual machines and virtual machine scale sets.

+This article covers a true disaster recovery scenario, when a whole region experiences an outage due to major natural disaster or widespread service interruption. These are rare occurrences, but you must prepare for the possibility that there's an outage of an entire region. If an entire region experiences a service disruption, the locally redundant copies of your data would temporarily be unavailable. If you enabled geo-replication, three additional copies of your Azure Storage blobs and tables are stored in a different region. In the event of a complete regional outage or a disaster in which the primary region isn't recoverable, Azure remaps all of the DNS entries to the geo-replicated region.

+In the case of a service disruption of the entire region where your Azure virtual machine application is deployed, we provide the following guidance for Azure virtual machines.

+This option is the best if you don't set up Azure Site Recovery, read-access geo-redundant storage, or geo-redundant storage prior to the disruption. If you set up geo-redundant storage or read-access geo-redundant storage for the storage account where your VM virtual hard drives (VHDs) are stored, you can look to recover the base image VHD and try to provision a new VM from it. This option isn't preferred because there are no guarantees of synchronization of data, which means this option isn't guaranteed to work.

+## Sample script

+```powershell

+<#

+.DESCRIPTION

+This sample demonstrates how to create a Managed Disk from a VHD file.

+Create Managed Disks from VHD files in following scenarios:

+1. Create a Managed OS Disk from a specialized VHD file. A specialized VHD is a copy of VHD from an exisitng VM that maintains the user accounts, applications and other state data from your original VM.

+ Attach this Managed Disk as OS disk to create a new virtual machine.

+2. Create a Managed data Disk from a VHD file. Attach the Managed Disk to an existing VM or attach it as data disk to create a new virtual machine.

+.NOTES

+1. Before you use this sample, please install the latest version of Azure PowerShell from here: http://go.microsoft.com/?linkid=9811175&clcid=0x409

+2. Provide the appropriate values for each variable. Note: The angled brackets should not be included in the values you provide.

+#>

+#Provide the subscription Id

+$subscriptionId = 'yourSubscriptionId'

+#Provide the name of your resource group

+$resourceGroupName ='yourResourceGroupName'

+#Provide the name of the Managed Disk

+$diskName = 'yourDiskName'

+#Provide the size of the disks in GB. It should be greater than the VHD file size.

+$diskSize = '128'

+#Provide the URI of the VHD file that will be used to create Managed Disk.

+# VHD file can be deleted as soon as Managed Disk is created.

+# e.g. https://contosostorageaccount1.blob.core.windows.net/vhds/contoso-um-vm120170302230408.vhd

+$vhdUri = 'https://contosoststorageaccount1.blob.core.windows.net/vhds/contosovhd123.vhd'

+#Provide the resource Id of the storage account where VHD file is stored.

+#e.g. /subscriptions/6472s1g8-h217-446b-b509-314e17e1efb0/resourceGroups/MDDemo/providers/Microsoft.Storage/storageAccounts/contosostorageaccount

+$storageAccountId = '/subscriptions/yourSubscriptionId/resourceGroups/yourResourceGroupName/providers/Microsoft.Storage/storageAccounts/yourStorageAccountName'

+#Provide the storage type for the Managed Disk. PremiumLRS or StandardLRS.

+$sku = 'Premium_LRS'

+#Provide the Azure location (e.g. westus) where Managed Disk will be located.

+#The location should be same as the location of the storage account where VHD file is stored.

+#Get all the Azure location using command below:

+#Get-AzureRmLocation

+$location = 'westus'

+#Set the context to the subscription Id where Managed Disk will be created

+Set-AzContext -Subscription $subscriptionId

+#If you're creating an OS disk, add the following lines

+#Acceptable values are either Windows or Linux

+#$OSType = 'yourOSType'

+#Acceptable values are either V1 or V2

+#$HyperVGeneration = 'yourHyperVGen'

+#If you're creating an OS disk, add -HyperVGeneration and -OSType parameters

+$diskConfig = New-AzDiskConfig -SkuName $sku -Location $location -DiskSizeGB $diskSize -SourceUri $vhdUri -CreateOption Import

+#Create Managed disk

+New-AzDisk -DiskName $diskName -Disk $diskConfig -ResourceGroupName $resourceGroupName -StorageAccountId $storageAccountId

+```

+Set-AzVMRunCommand -ResourceGroupName "myRg" `

+-VMName "myVM" `

+-RunCommandName "RunCommandName" `

+-SourceScriptUri ΓÇ£<SAS_URI_of_a_storage_blob_with_read_access_or_public_URI>" `

+-OutputBlobUri ΓÇ£<SAS_URI_of_a_storage_append_blob_with_read_add_create_write_access>" `

+-ErrorBlobUri ΓÇ£<SAS_URI_of_a_storage_append_blob_with_read_add_create_write_access>ΓÇ¥

+Running a command requires the `Microsoft.Compute/virtualMachines/runCommands/action` permission. The [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) role and higher levels have this permission.

+As of June 30, 2024, Red Hat has sunsetted CentOS and replaced it with CentOS Stream. For more information, see [Transforming the development experience within CentOS](https://www.redhat.com/en/topics/linux/centos-linux-eol)

+CentOS 7 and 8 are the final releases of CentOS Linux. The end-of-life dates for CentOS 7 and 8 were:

+If your workload runs on many distributions, you may want to consider moving to another distribution, either community-based or commercial.

+Some of these offers do have a price associated, and can include services such as end customer support etc.

+This end-of-life moment may also be an opportunity for you to consider modernizing your workload, move to a PaaS, SaaS or containerized solution.

+This example is a simple deployment of Azure Firewall. For advanced configuration and setup, see [Tutorial: Deploy and configure Azure Firewall and policy by using the Azure portal](../../firewall/tutorial-firewall-deploy-portal-policy.md). When associated with multiple public IPs, Azure Firewall randomly selects the first source Public IP for outbound connectivity and only uses the next available Public IP after no more connections can be made from the current public IP due to SNAT port exhaustion. You can associate a [network address translation (NAT) gateway](/azure/nat-gateway/nat-overview) to a Firewall subnet to extend the scalability of source network address translation (SNAT). With this configuration, all outbound traffic uses the public IP address or addresses of the NAT gateway. For more information, see [Scale SNAT ports with Azure Virtual Network NAT](../../firewall/integrate-with-nat-gateway.md).

+> . It is recommended to instead use [NAT Gateway] to provide dynamic scalability of your outbound connectivity.

+Protocols other than Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) in network filter rules are unsupported for SNAT to the public IP of the firewall.

+Public IP addresses allow Internet resources to communicate inbound to Azure resources. Public IP addresses enable Azure resources to communicate to Internet and public-facing Azure services. You dedicate the address to the resource until you unassign it. A resource without an assigned public IP can still communicate outbound. Azure automatically assigns an available dynamic IP address for outbound communication. This address isn't dedicated to the resource and can change over time. For more information about outbound connections in Azure, see [Understand outbound connections](../../load-balancer/load-balancer-outbound-connections.md?toc=%2fazure%2fvirtual-network%2ftoc.json).

+2. Identify the [Basic SKU public IP](public-ip-upgrade-portal.md#upgrade-public-ip-address) in your organization that requires upgrade.

+ms.localizationpriority: medium

+- Virtual networks with encryption enabled do not support [Azure DNS Private Resolver](/azure/dns/dns-private-resolver-overview).

+- [Corelight, Inc.](https://corelight.com/)