+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+* Users cannot sign up for an Azure AD B2C Local Account. To create an account, an administrator can use the [Azure portal](manage-users-portal.md#create-a-consumer-user), or [Microsoft Graph API](microsoft-graph-operations.md).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+To enable sign-in for users with an Azure AD account in Azure Active Directory B2C (Azure AD B2C), you need to create an application in the [Azure portal](https://portal.azure.com). For more information, see [Register an application with the Microsoft identity platform](../active-directory/develop/quickstart-register-app.md).

+To enable sign-in for users with an Azure AD account from a specific Azure AD organization, in Azure Active Directory B2C (Azure AD B2C), you need to create an application in the [Azure portal](https://portal.azure.com). For more information, see [Register an application with the Microsoft identity platform](../active-directory/develop/quickstart-register-app.md).

+To enable sign-in for users with a Microsoft account in Azure Active Directory B2C (Azure AD B2C), you need to create an application in the [Azure portal](https://portal.azure.com). For more information, see [Register an application with the Microsoft identity platform](../active-directory/develop/quickstart-register-app.md). If you don't already have a Microsoft account, you can get one at [https://www.live.com/](https://www.live.com/).

+1. Sign in to the [Azure portal](https://portal.azure.com) as the global administrator of your Azure AD B2C tenant.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+To create a custom attribute:

+1. Sign in to the [Azure portal](https://portal.azure.com), then navigate to **Azure AD B2C**.

+1. Sign in to the [Azure portal](https://portal.azure.com) as Global Administrator of your Azure AD B2C tenant.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+- [Get started with custom policies in Azure AD B2C](tutorial-create-user-flows.md?pivots=b2c-custom-policy)

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+ 

+1. Sign in to the [Azure portal](https://portal.azure.com).

+To get started, [enroll in the Azure CSP program](/partner-center/enrolling-in-the-csp-program). You can then enable Azure AD Domain Services using the [Azure portal](tutorial-create-instance.md) or [Azure PowerShell](powershell-create-instance.md).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the Azure portal with a hybrid administrator account.

+2. Select Azure AD Connect.

+3. Select **Manage Azure AD cloud sync**.

+4. Select the configuration you wish to add the extension attribute and mapping.

+5. Under **Manage attributes** select **click to edit mappings**.

+1. Sign in to the Azure portal as an administrator.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com) as an application administrator.

+**Can users be nudged on a mobile device?**

+Nudge is not available on mobile devices.

+Users in organizations with free and trial subscriptions can postpone the app setup up to three times. There is no way to hide the snooze option on the nudge for organizations with paid subscriptions yet. You can set the snoozeDuration to 0, which will ensure that users will see the nudge during each MFA attempt.

+**Why donΓÇÖt some users see a nudge when there is a Conditional Access policy for "Register security information"?**

+A nudge won't appear if a user is in scope for a Conditional Access policy that blocks access to the **Register security information** page.

+**Do users see a nudge when there is a terms of use (ToU) screen presented to the user during sign-in?**

+A nudge won't appear if a user is presented with the [terms of use (ToU)](/azure/active-directory/conditional-access/terms-of-use) screen during sign-in.

+**Do users see a nudge when Conditional Access custom controls are applicable to the sign-in?**

+A nudge won't appear if a user is redirected during sign-in due to [Conditional Access custom controls](/azure/active-directory/conditional-access/controls) settings.

+ - **Report output type**: CSV, PDF

+ - **Type of report**: **Summary**

+ | **Do you want to enable this app role?** | Specifies whether the app role is enabled. To delete an app role, deselect this checkbox and apply the change before attempting the delete operation. This setting controls the app role's usage and availability while being able to temporarily or permanently disabling it without removing it entirely. | _Checked_ |

+When the app role is set to enabled, any users, applications or groups who are assigned has it included in their tokens. These can be access tokens when your app is the API being called by an app or ID tokens when your app is signing in a user. If set to disabled, it becomes inactive and no longer assignable. Any previous assignees will still have the app role included in their tokens, but it has no effect as it is no longer actively assignable.

+If you're implementing app role business logic that signs in the users in your application scenario, first define the app roles in **App registrations**. Then, an admin assigns them to users and groups in the **Enterprise applications** pane. These assigned app roles are included with any token that's issued for your application.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+ 1. Sign into the Azure portal.

+ 1. Navigate to **Azure Active Directory** > **Monitoring** > **Workbooks**.

+ 1. In the **Usage** section, open the **Sign-ins** workbook.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com) using your production tenant account.

+1. Sign in to the [Azure portal](https://portal.azure.com) using your production tenant account.

+- **When I sign in to the Azure portal, I do not see any apps registered. Why?**

+#Customer intent: As an IT admin, I want to learn how to discover and fix issues related to the Microsoft Enterprise SSO plug-in on macOS and iOS.

+When [managing licenses in the Azure portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/LicensesMenuBlade/Products) or the [Microsoft 365 admin center](https://admin.microsoft.com), you see product names that look something like *Office 365 E3*. When you use PowerShell v1.0 cmdlets, the same product is identified using a specific but less friendly name: *ENTERPRISEPACK*. When using PowerShell v2.0 cmdlets or [Microsoft Graph](/graph/api/resources/subscribedsku), the same product is identified using a GUID value: *6fd2c87f-b296-42f0-b197-1e91e994b900*. The following table lists the most commonly used Microsoft online service products and provides their various ID values. These tables are for reference purposes in Azure Active Directory (Azure AD), part of Microsoft Entra, and are accurate only as of the date when this article was last updated. Microsoft will continue to make periodic updates to this document.

+1. Sign in to the [Azure portal](https://portal.azure.com) as an External Identity Provider Administrator or a Global Administrator.

+1. Sign in to the [Azure portal](https://portal.azure.com). In the left pane, select **Azure Active Directory**.

+1. Sign in to the [Azure portal](https://portal.azure.com). On the left pane, select **Azure Active Directory**.

+Organizations should lock down access to the machines with on-premises hybrid components in the same way as your on-premises domain. For example, a backup operator or Hyper-V administrator shouldn't be able to sign in to the Azure AD Connect Server to change rules.

+For example, an administrator may configure a Conditional Access policy, which allows a user to sign in to the Azure portal only from approved locations, and also requires either multifactor authentication (MFA) or a hybrid Azure AD domain-joined device.

+* When you sign in to the Azure portal to create or manage a VM, you're authenticating against Azure AD (potentially using the same credentials if you've synchronized the correct accounts), and this could result in an authentication against your domain controllers should you be using Active Directory Federation Services (AD FS) or PassThrough Authentication.

+In entitlement management, you can see who has been assigned to access packages, their policy, status, and user lifecycle (preview). If an access package has an appropriate policy, you can also directly assign user to an access package. This article describes how to view, add, and remove assignments for access packages.

+- Azure AD Premium P2

+- Microsoft Entra ID governance subscription

+## Manage user lifecycle (preview)

+Entitlement management also allows you to get visibility into state of a guest user's lifecycle through the following viewpoints:

+- **Governed** - The user is set to be governed.

+- **Ungoverned** - The user is set to not be governed.

+- **Blank** - The lifecycle for the user is not determined. This happens when a user had an access package assigned before managing user lifecycle was possible.

+> [!NOTE]

+> When a guest user is set as **Governed**, based on ELM tenant settings their account will be deleted or disabled in specified days after their last access package assignment expires. Learn more about ELM settings here: [Manage external access with Azure Active Directory entitlement management](../fundamentals/6-secure-access-entitlement-managment.md).

+You can directly convert ungoverned users to governed by using the **Mark Guests as Governed ( preview)** functionality in the top menu bar.

+To manage user lifecycle, you'd follow these steps:

+**Prerequisite role:** Global administrator, User administrator, Catalog owner, Access package manager or Access package assignment manager

+1. In the Azure portal, select **Azure Active Directory** and then select **Identity Governance**.

+1. In the left menu, select **Access packages** and then open the access package.

+1. In the left menu, select **Assignments**.

+1. On the assignments screen, select the user you want to manage the lifecycle for, and then select **Mark guest as governed (Preview)**.

+ :::image type="content" source="media/entitlement-management-access-package-assignments/govern-user-lifecycle.png" alt-text="Screenshot of the govern user lifecycle selection.":::

+1. Select save.

+## Manage user lifecycle programmatically

+To manage user lifecycle programatically using Microsoft Graph, see: [accessPackageSubject resource type](/graph/api/resources/accesspackagesubject).

+- [View reports and logs](entitlement-management-reports.md)

+1. Sign in to the [Azure portal](https://portal.azure.com) as a Global administrator or User administrator.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+ 1. Sign in to the Azure portal.

+ 1. Sign in to the Azure portal.

+ 1. Sign in to the Azure portal.

+4. Verify that the domain has been converted to managed by running the command below. The Authentication type should be set to managed.

+ Get-MgDomain -DomainId yourdomain.com

+1. Sign in to the Azure portal with an administrator account.

+1. Sign in to the Azure portal with an administrator account.

+1. Sign in to the Azure portal with an administrator account.

+1. Sign in to the [Azure portal](https://portal.azure.com/#home) using an account with permissions to create VMs, such as Contributor.

+- `{organization}` is the tenant ID or any verified domain name of the tenant you want to consent the application in. You can use the value `organizations`, which will cause the consent to happen in the home tenant of the user you sign in with.

+For more information on constructing the tenant-wide admin consent URL, see [Admin consent on the Microsoft identity platform](../develop/v2-admin-consent.md).

+ "AllowCloudPasswordValidation":false

+ 2. Add the following lines within the `OnBeforeRequest` function. Replace \<List of tenant identifiers\> with a domain registered with your tenant (for example, `contoso.onmicrosoft.com`). Replace \<directory ID\> with your tenant's Azure AD GUID identifier. You **must** include the correct GUID identifier in order for the logs to appear in your tenant.

+1. Sign in to the [Azure portal](https://portal.azure.com) with one of the roles listed in the prerequisites.

+1. Sign in with the user account that you assigned to the application. You're required to register for and use Azure AD Multi-Factor Authentication. Follow the prompts to complete the process and verify you successfully sign in to the Azure portal.

+1. In the [Azure portal](https://portal.azure.com), select the resource you want to delete.

+- Sign in to the [Azure portal](https://portal.azure.com)

+1. Sign in to the [Azure portal](https://portal.azure.com).

+ The first attribute, alternativeSecurityIdentifier, is an internal attribute used to uniquely identify the user across tenants, match users in the source tenant with existing users in the target tenant, and ensure that each user only has one account. The matching attribute cannot be changed. Attempting to change the matching attribute or adding additional matching attributes will result in a `schemaInvalid` error.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+ Title: Azure Active Directory SSO integration with Gainsight SAML

+description: Learn how to configure single sign-on between Azure Active Directory and Gainsight SAML.

+# Azure Active Directory SSO integration with Gainsight SAML

+In this article, you'll learn how to integrate Gainsight SAML with Azure Active Directory (Azure AD). Use Azure AD to manage user access and enable single sign-on with Gainsight SAML. Requires an existing Gainsight SAML subscription. When you integrate Gainsight SAML with Azure AD, you can:

+* Control in Azure AD who has access to Gainsight SAML.

+* Enable your users to be automatically signed-in to Gainsight SAML with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+You'll configure and test Azure AD single sign-on for Gainsight SAML in a test environment. Gainsight SAML supports both **SP** and **IDP** initiated single sign-on.

+## Prerequisites

+To integrate Azure Active Directory with Gainsight SAML, you need:

+* An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Gainsight SAML single sign-on (SSO) enabled subscription.

+## Add application and assign a test user

+Before you begin the process of configuring single sign-on, you need to add the Gainsight SAML application from the Azure AD gallery. You need a test user account to assign to the application and test the single sign-on configuration.

+### Add Gainsight SAML from the Azure AD gallery

+Add Gainsight SAML from the Azure AD application gallery to configure single sign-on with Gainsight SAML. For more information on how to add application from the gallery, see the [Quickstart: Add application from the gallery](../manage-apps/add-application-portal.md).

+### Create and assign Azure AD test user

+Follow the guidelines in the [create and assign a user account](../manage-apps/add-application-portal-assign-users.md) article to create a test user account in the Azure portal called B.Simon.

+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, and assign roles. The wizard also provides a link to the single sign-on configuration pane in the Azure portal. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides).

+## Configure Azure AD SSO

+Complete the following steps to enable Azure AD single sign-on in the Azure portal.

+1. In the Azure portal, on the **Gainsight SAML** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** textbox, type a value using one of the following patterns:

+ | **Identifier** |

+ |--|

+ | `urn:auth0:gainsight:<ID>` |

+ | `urn:auth0:gainsight-eu:<ID>` |

+

+ b. In the **Reply URL** textbox, type a URL using one of the following patterns:

+

+ | **Reply URL** |

+ ||

+ | `https://secured.gainsightcloud.com/login/callback?connection=<ID>` |

+ | `https://secured.eu.gainsightcloud.com/login/callback?connection=<ID>` |

+1. Perform the following step, if you wish to configure the application in **SP** initiated mode:

+ In the **Sign on URL** textbox, type a URL using one of the following patterns:

+ | **Sign on URL** |

+ ||

+ | `https://secured.gainsightcloud.com/samlp/<ID>` |

+ | `https://secured.eu.gainsightcloud.com/samlp/<ID>` |

+ > [!NOTE]

+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [Gainsight SAML support team](mailto:support@gainsight.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. On the **Set-up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up Gainsight SAML** section, copy the appropriate URL(s) based on your requirement.

+ 

+## Configure Gainsight SAML SSO

+To configure single sign-on on **Gainsight SAML** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Gainsight SAML support team](mailto:support@gainsight.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create Gainsight SAML test user

+In this section, you create a user called Britta Simon at Gainsight SAML SSO. Work with [Gainsight SAML support team](mailto:support@gainsight.com) to add the users in the Gainsight SAML SSO platform. Users must be created and activated before you use single sign-on.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+#### SP initiated:

+* Click on **Test this application** in Azure portal. This will redirect to Gainsight SAML Sign-on URL where you can initiate the login flow.

+* Go to Gainsight SAML Sign-on URL directly and initiate the login flow from there.

+#### IDP initiated:

+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Gainsight SAML for which you set up the SSO.

+You can also use Microsoft My Apps to test the application in any mode. When you click the Gainsight SAML tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Gainsight SAML for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Additional resources

+* [What is single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+* [Plan a single sign-on deployment](../manage-apps/plan-sso-deployment.md).

+## Next steps

+Once you configure Gainsight SAML you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+1. Have your district's Microsoft Azure Active Directory admin sign in to the Azure portal.

+- JIRA Core and Software 6.4 to 9.10.0 or JIRA Service Desk 3.0 to 4.22.1 should be installed and configured on Windows 64-bit version.

+* JIRA Core and Software: 6.4 to 9.10.0.

+* Jira Core and Software: 6.0 to 9.10.0

+| | JIRA SAML SSO add-on redirects to incorrect URL from mobile browser. | 7.0.0 to 9.10.0 |

+* Jira Core and Software: 6.0 to 9.10.0

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+2. Navigate to your current Workplace by Facebook app under Azure Active Directory > Enterprise Applications.

+* Sign in to the [Azure portal](https://portal.azure.com)

+1. Sign in to the [Azure portal](https://portal.azure.com)

+| [Speech Service API][sp-containers-stt] | **Speech to text** ([image](https://mcr.microsoft.com/product/azure-cognitive-services/speechservices/speech-to-text/about)) | Transcribes continuous real-time speech into text. | Generally available. <br> This container can also [run in disconnected environments](containers/disconnected-containers.md). |

+| [Speech Service API][sp-containers-cstt] | **Custom Speech to text** ([image](https://mcr.microsoft.com/product/azure-cognitive-services/speechservices/custom-speech-to-text/about)) | Transcribes continuous real-time speech into text using a custom model. | Generally available <br> This container can also [run in disconnected environments](containers/disconnected-containers.md). |

+| [Speech Service API][sp-containers-ntts] | **Neural Text to speech** ([image](https://mcr.microsoft.com/product/azure-cognitive-services/speechservices/neural-text-to-speech/about)) | Converts text to natural-sounding speech using deep neural network technology, allowing for more natural synthesized speech. | Generally available. <br> This container can also [run in disconnected environments](containers/disconnected-containers.md). |

+| [Speech Service API][sp-containers-lid] | **Speech language detection** ([image](https://mcr.microsoft.com/product/azure-cognitive-services/speechservices/language-detection/about)) | Determines the language of spoken audio. | Gated preview |

+| [Azure AI Vision][cv-containers] | **Read OCR** ([image](https://mcr.microsoft.com/product/azure-cognitive-services/vision/read/about)) | The Read OCR container allows you to extract printed and handwritten text from images and documents with support for JPEG, PNG, BMP, PDF, and TIFF file formats. For more information, see the [Read API documentation](./computer-vision/overview-ocr.md). | Generally Available. Gated - [request access](https://aka.ms/csgate). <br>This container can also [run in disconnected environments](containers/disconnected-containers.md). |

+| [Spatial Analysis][spa-containers] | **Spatial analysis** ([image](https://mcr.microsoft.com/product/azure-cognitive-services/vision/spatial-analysis/about)) | Analyzes real-time streaming video to understand spatial relationships between people, their movement, and interactions with objects in physical environments. | Preview |

+1. Sign in to the [Azure portal](https://portal.azure.com) and select **Create a new resource** for one of the applicable Azure AI services or Azure AI services listed.

+1. Sign in to the [Azure portal](https://portal.azure.com) with your Azure subscription.

+1. Sign in to the [Azure portal](https://portal.azure.com?WT.mc_id=academiccontent-github-cxa) in your browser. If you're asked to sign in, do so using your Microsoft account.

+Please report any embarrassing or offensive captions by going to the [Azure portal](https://portal.azure.com) and navigating to the **Feedback** button in the top right.

+1. Sign in to the [Azure portal](https://portal.azure.com) and select **Create a new resource** for one of the applicable Azure AI services or Azure AI services listed above.

+In your web browser, navigate to the [Custom Vision web page](https://customvision.ai) and select __Sign in__. Sign in with the same account you used to sign in to the Azure portal.

+ > If no resource is available, please confirm that you have logged into [customvision.ai](https://customvision.ai) with the same account as you used to sign in to the [Azure portal](https://portal.azure.com). Also, please confirm you have selected the same "Directory" in the Custom Vision website as the directory in the Azure portal where your Custom Vision resources are located. In both sites, you may select your directory from the drop down account menu at the top right corner of the screen.

+In your web browser, navigate to the [Custom Vision web page](https://customvision.ai) and select __Sign in__. Sign in with the same account you used to sign in to the Azure portal.

+ > If no resource is available, please confirm that you have logged into [customvision.ai](https://customvision.ai) with the same account as you used to sign in to the [Azure portal](https://portal.azure.com). Also, please confirm you have selected the same "Directory" in the Custom Vision website as the directory in the Azure portal where your Custom Vision resources are located. In both sites, you may select your directory from the drop down account menu at the top right corner of the screen.

+ > You will need a macOS device to run an iOS emulator.

+If you've followed all of the steps of this scenario and used the app to deploy Azure services to your account, sign in to the [Azure portal](https://portal.azure.com). There, cancel the services you don't want to use.

+* A [Document Intelligence instance](https://portal.azure.com/#create/Microsoft.CognitiveServicesFormRecognizer) in the Azure portal. You can use the free pricing tier (`F0`) to try the service. After your resource deploys, select **Go to resource** to get your key and endpoint.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Navigate to **Your storage account** > **containers** > **your container**.

+* A [**Document Intelligence**](https://portal.azure.com/#create/Microsoft.CognitiveServicesFormRecognizer) or [**Azure AI services**](https://portal.azure.com/#create/Microsoft.CognitiveServicesAllInOne) resource in the Azure portal. For detailed steps, _see_ [Create a multi-service resource](../../ai-services/multi-service-resource.md?pivots=azportal).

+1. Sign in to the [Azure portal](https://portal.azure.com) and navigate to **Your storage account** > **Data storage** > **Containers**.

+ * Sign in to the [Azure portal](https://portal.azure.com)

+* Sign in to the [Azure portal](https://portal.azure.com)

+1. Sign in to the [Azure portal](https://portal.azure.com).

+Your Language resource must have identity management, to enable it using the [Azure portal](https://portal.azure.com):

+ 1. Sign in to the [Azure portal](https://portal.azure.com) and navigate to your Azure OpenAI resource.

+* The Azure Machine Learning workspace you're connecting to must be assigned to the same Azure Storage account that Language Studio is connected to. Be sure that the Azure Machine Learning workspace has the storage blob data reader permission on the storage account. The workspace needs to have been linked to the storage account during the [creation process in the Azure portal](https://portal.azure.com/#create/Microsoft.MachineLearningServices).

+1. Use the [Azure portal](https://portal.azure.com) to navigate to the Azure Blob Storage account connected to your language resource.

+ > Make sure your workspace is linked to the same Azure Blob Storage account and Language resource before continuing. You can create a new workspace and [link to your storage account using the Azure portal](https://portal.azure.com/#create/Microsoft.MachineLearningServices). Ensure that the storage account is properly linked to the workspace.

+| Determine the sentiment and opinions expressed in text. | Unstructured text | [Sentiment analysis and opinion mining](./sentiment-opinion-mining/overview.md) | Γ£ô |

+## Development options

+|Development option |Description |

+|||

+|Language studio | Language Studio is a web-based platform that lets you try entity linking with text examples without an Azure account, and your own data when you sign up. |

+|REST API | Integrate sentiment analysis into your applications programmatically using the REST API. |

+For more information, see [sentiment analysis quickstart](./custom/quickstart.md).

+Use the [`docker pull`](https://docs.docker.com/engine/reference/commandline/pull/) command to download this container image from the Microsoft public container registry. You can find the featured tags on the [Microsoft Container Registry](https://mcr.microsoft.com/product/azure-cognitive-services/textanalytics/healthcare/about)

+- Get the access-token for your account with resource type 'https://ossrdbms-aad.database.windows.net'. The access token is the password you need to sign in to the Azure Database for PostgreSQL by your account. An example using `az` client:

+² Version `0314` of gpt-4 and gpt-4-32k will be retired no earlier than July 5, 2024. See [model updates](#model-updates) for model upgrade behavior.

+¹ Version `0301` of gpt-35-turbo will be retired no earlier than July 5, 2024. See [model updates](#model-updates) for model upgrade behavior.

+The `gpt-35-turbo` (`0301`) and both `gpt-4` (`0314`) models will be retired no earlier than July 5, 2024. Upon retirement, deployments will automatically be upgraded to the default version at the time of retirement. If you would like your deployment to stop accepting completion requests rather than upgrading, then you will be able to set the model upgrade option to expire through the API. We will publish guidelines on this by September 1.

+# How to use function calling with Azure OpenAI Service (Preview)

+ function_to_call = available_functions[function_name]

+ function_response = function_to_call(**function_args)

+* For more examples on working with functions, check out the [Azure OpenAI Samples GitHub repository](https://aka.ms/oai/functions-samples)

+* Get started with the GPT-35-Turbo model with [the GPT-35-Turbo quickstart](../chatgpt-quickstart.md).

+ Title: 'Use your own data with Azure OpenAI Service'

+> Check the [Voice Gallery](https://speech.microsoft.com/portal/voicegallery) and determine the right voice for your business needs.

+ > * The [**Translator container image**](https://mcr.microsoft.com/product/azure-cognitive-services/translator/text-translation/about) supports limited features compared to cloud offerings.

+When you create a cluster using the [az aks create][az-aks-create] command, the `--zones` parameter specifies the availability zones to deploy agent nodes into. The availability zones that the managed control plane components are deployed into are **not** controlled by this parameter. They are automatically spread across all availability zones (if present) in the region during cluster deployment.

+The following example creates an AKS cluster named *myAKSCluster* in the resource group named *myResourceGroup* with a total of three nodes. One agent node in zone *1*, one in *2*, and then one in *3*.

+[azure-datalake-storage-account]: ../storage/blobs/upgrade-to-data-lake-storage-gen2-how-to.md

+[key-vault-generate]: ../key-vault/general/manage-with-cli2.md

+ ```

+ ```output

+To show secrets held in the secrets store:

+To display a secret in the store, for example this command shows the test secret `ExampleSecret`:

+```

+kubectl exec busybox-secrets-store-inline -- cat /mnt/secrets-store/ExampleSecret

+```

+Disable the secrets provider addon:

+```azurecli-interactive

+az aks addon disable -g myResourceGroup -n myAKSCluster2 -a azure-keyvault-secrets-provider

+```

+Re-enable the secrets provider addon, but without the `enable-secret-rotation` parameter:

+```bash

+az aks addon enable -g myResourceGroup -n myAKSCluster2 -a azure-keyvault-secrets-provider

+```

+- [**Azure Disks**](azure-disk-csi.md) can be used to create a Kubernetes *DataDisk* resource. Disks can use Azure Premium Storage, backed by high-performance SSDs, or Azure Standard Storage, backed by regular HDDs or Standard SSDs. For most production and development workloads, use Premium Storage. Azure Disks are mounted as *ReadWriteOnce* and are only available to one node in AKS. For storage volumes that can be accessed by multiple nodes simultaneously, use Azure Files.

+## Why is my cluster create/update taking so long?

+If you have issues with create and update cluster operations, make sure you don't have any assigned policies or service constraints that may block your AKS cluster from managing resources like VMs, load balancers, tags, etc.

+ :::image type="content" source="media/howto-deploy-java-wls-app/marketplace-search-results.png" alt-text="Screenshot of the Azure portal showing WLS in search results." lightbox="media/howto-deploy-java-wls-app/marketplace-search-results.png":::

+ :::image type="content" source="media/howto-deploy-java-wls-app/portal-start-experience.png" alt-text="Screenshot of the Azure portal showing WebLogic Server on AKS." lightbox="media/howto-deploy-java-wls-app/portal-start-experience.png":::

+1. You must deploy the offer in an empty resource group. In the **Resource group** field, select **Create new** and then fill in a value for the resource group. Because resource groups must be unique within a subscription, pick a unique name. An easy way to have unique names is to use a combination of your initials, today's date, and some identifier - for example, `ejb0723wls``.

+1. Select **Next: AKS**.

+ :::image type="content" source="media/howto-deploy-java-wls-app/configure-single-sign-on.png" alt-text="Screenshot of the Azure portal showing the configure sso pane." lightbox="media/howto-deploy-java-wls-app/configure-single-sign-on.png":::

+1. In the **Application** section, next to **Deploy an application?**, select **Yes**.

+ :::image type="content" source="media/howto-deploy-java-wls-app/configure-application.png" alt-text="Screenshot of the Azure portal showing the configure applications pane." lightbox="media/howto-deploy-java-wls-app/configure-application.png":::

+1. Select the **Load balancing** pane.

+1. Next to **Load Balancing Options**, select **Standard Load Balancer Service**.

+ :::image type="content" source="media/howto-deploy-java-wls-app/resource-group-deployments.png" alt-text="Screenshot of the Azure portal showing the resource group deployments list." lightbox="media/howto-deploy-java-wls-app/resource-group-deployments.png":::

+[aoai-get-started]: ../ai-services/openai/quickstart.md

+[managed-identity]: /azure/ai-services/openai/how-to/managed-identity#authorize-access-to-managed-identities

+[aoai]: ../ai-services/openai/index.yml

+1. Sign in to the [Azure portal](https://portal.azure.com) with an account with sufficient permissions in the tenant.

+1. Sign in to the [Azure portal](https://portal.azure.com) and go to your API Management instance.

+| config.service.endpoint.disableCertificateValidation | Defines if the self-hosted gateway should validate the server-side certificate of the Configuration API. It is recommended to use certificate validation, only disable for testing purposes and with caution as it can introduce security risk. | No | `false` | v2.0+ |

+App Service has [built-in continuous delivery](deploy-continuous-deployment.md) for containers through the Deployment Center. Navigate to your app in the [Azure portal](https://portal.azure.com) and select **Deployment Center** under **Deployment**. Follow the instructions to select your repository and branch. This will configure a DevOps build and release pipeline to automatically build, tag, and deploy your container when new commits are pushed to your selected branch.

+- [How to sign in to the Azure CLI on Circle CI](https://circleci.com/orbs/registry/orb/circleci/azure-cli)

+To clone an app using the [Azure portal](https://portal.azure.com), navigate to your existing App Service and select **Clone App** under **Development Tools**. Fill in the required fields using the details for your new App Service Environment v3.

+> Windows Containers uses an additional IP address per app for each App Service plan instance, and you need to size the subnet accordingly. If your App Service Environment has for example 2 Windows Container App Service plans each with 25 instances and each with 5 apps running, you will need 300 IP addresses and additional addresses to support horizontal (in/out) scale.

+>

+> Sample calculation:

+>

+> For each App Service plan instance, you need:

+> 5 Windows Container apps = 5 IP addresses

+> 1 IP address per App Service plan instance

+> 5 + 1 = 6 IP addresses

+>

+> For 25 instances:

+> 6 x 25 = 150 IP addresses per App Service plan

+>

+> Since you have 2 App Service plans, 2 x 150 = 300 IP addresses.

+> Windows Containers uses an additional IP address per app for each App Service plan instance, and you need to size the subnet accordingly. If you have for example 10 Windows Container App Service plan instances with 4 apps running, you will need 50 IP addresses and additional addresses to support horizontal (in/out) scale.

+>

+> Sample calculation:

+>

+> For each App Service plan instance, you need:

+> 4 Windows Container apps = 4 IP addresses

+> 1 IP address per App Service plan instance

+> 4 + 1 = 5 IP addresses

+>

+> For 10 instances:

+> 5 x 10 = 50 IP addresses per App Service plan

+>

+> Since you have 1 App Service plan, 1 x 50 = 50 IP addresses.

+ 

+ 

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+- [**Troubleshoot Ingress Controller issues**](ingress-controller-troubleshoot.md): Troubleshoot any issues with the Ingress Controller.

+> Application Gateway v2 SKU requires a Public IP. Should you require Application Gateway to be private, Attach a [`Network Security Group`](../virtual-network/network-security-groups-overview.md) to the Application Gateway's subnet to restrict traffic.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com) and open your Automation account from the **Automation Accounts** page.

+Once the script has run, have the user sign in to the Azure portal and select **All Resources**. In the list, the user can see the runbook for which he/she has been added as an Automation Runbook Operator.

+* To start a runbook, see [Start a runbook in Azure Automation](start-runbooks.md).

+1. In the [Azure portal](https://portal.azure.com), select the virtual machine.

+### Configure file content changes

+To configure file content changes, follow these steps:

+1. In your virtual machine, under **Operations**, select **Change tracking** > **Settings**.

+1. In the **Data Collection Rule Configuration (Preview)** page, select **File Content** > **Link** to link the storage account.

+ :::image type="content" source="media/manage-change-tracking-monitoring-agent/file-content-inline.png" alt-text="Screenshot of selecting the link option to connect with the Storage account." lightbox="media/manage-change-tracking-monitoring-agent/file-content-expanded.png":::

+1. In **Content Location for Change Tracking** screen, select your **Subscription**, **Storage** and confirm if you are using **System Assigned Managed Identity**.

+1. Select **Upload file content for all settings**, and then select **Save**. It ensures that the file content changes for all the files residing in this DCR will be tracked.

+#### [System Assigned Managed Identity](#tab/sa-mi)

+When the storage account is linked using the system assigned managed identity, a blob is created.

+1. From [Azure portal](https://portal.azure.com), go to **Storage accounts**, and select the storage account.

+1. In the storage account page, under **Data storage**, select **Containers** > **Changetracking blob** > **Access Control (IAM)**.

+1. In the **Changetrackingblob | Access Control (IAM)** page, select **Add** and then select **Add role assignment**.

+ :::image type="content" source="media/manage-change-tracking-monitoring-agent/blob-add-role-inline.png" alt-text="Screenshot of selecting to add role." lightbox="media/manage-change-tracking-monitoring-agent/blob-add-role-expanded.png":::

+1. In the **Add role assignment** page, use the search for **Blob Data contributor** to assign a storage Blob contributor role for the specific VM. This permission provides access to read, write, and delete storage blob containers and data.

+ :::image type="content" source="media/manage-change-tracking-monitoring-agent/blob-contributor-inline.png" alt-text="Screenshot of selecting the contributor role for storage blog." lightbox="media/manage-change-tracking-monitoring-agent/blob-contributor-expanded.png":::

+1. Select the role and assign it to your virtual machine.

+ :::image type="content" source="media/manage-change-tracking-monitoring-agent/blob-add-role-vm-inline.png" alt-text="Screenshot of assigning the role to VM." lightbox="media/manage-change-tracking-monitoring-agent/blob-add-role-vm-expanded.png":::

+#### [User Assigned Managed Identity](#tab/ua-mi)

+For user-assigned managed identity, follow these steps to assign the user assigned managed identity to the VM and provide the permission.

+1. In the storage account page, under **Data storage**, select **Containers** > **Changetracking blob** > **Access Control (IAM)**.

+1. In **Changetrackingblob | Access Control (IAM)** page, select **Add** and then select **Add role assignment**.

+1. Search for **Storage Blob Data Contributor**, select the role and assign it to your user-assigned managed identity.

+

+ :::image type="content" source="media/manage-change-tracking-monitoring-agent/user-assigned-add-role-inline.png" alt-text="Screenshot of adding the role to user-assigned managed identity." lightbox="media/manage-change-tracking-monitoring-agent/user-assigned-add-role-expanded.png":::

+1. Go to your virtual machine, under **Settings**, select **Identity**, under **User assigned** tab, select **+Add**.

+1. In the **Add user assigned managed identity**, select the **Subscription** and add the user-assigned managed identity.

+ :::image type="content" source="media/manage-change-tracking-monitoring-agent/user-assigned-assign-role-inline.png" alt-text="Screenshot of assigning the role to user-assigned managed identity." lightbox="media/manage-change-tracking-monitoring-agent/user-assigned-assign-role-expanded.png":::

+#### Upgrade the extension version

+> [!NOTE]

+> Ensure that ChangeTracking-Linux/ ChangeTracking-Windows extension version is upgraded to 2.13

+Use the following command to upgrade the extension version:

+```azurecli-interactive

+az vm extension set -n {ExtensionName} --publisher Microsoft.Azure.ChangeTrackingAndInventory --ids {VirtualMachineResourceId}

+```

+The extension for Windows is `Vms - ChangeTracking-Windows`and for Linux is `Vms - ChangeTracking-Linux`.

+## Tracking file content changes

+Change Tracking and Inventory allows you to view the contents of a Windows or Linux file. For each change to a file, Change Tracking and Inventory stores the contents of the file in an [Azure Storage account](../../storage/common/storage-account-create.md). When you're tracking a file, you can view its contents before or after a change. The file content can be viewed either inline or side by side. [Learn more](manage-change-tracking-monitoring-agent.md#configure-file-content-changes).

+

+Change Tracking and Inventory allows monitoring of changes to Windows registry keys. Monitoring allows you to pinpoint extensibility points where third-party code and malware can activate. The following table lists pre-configured (but not enabled) registry keys. To track these keys, you must enable each one.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+This article describes the connectivity modes available for Azure Arc-enabled data services, and their respective requirements.

+ Title: Delete resources from Azure Arc-enabled data services

+description: Describes how to delete resources from Azure Arc-enabled data services

+The information in this article applies to resources in Azure Arc-enabled data services. To delete resources in Azure, review the information at [Azure Resource Manager resource group and resource deletion](../../azure-resource-manager/management/delete-resource-group.md).

+ Title: Introducing Azure Arc-enabled data services

+description: Describes Azure Arc-enabled data services

+ ```azurecli

+When you deploy an Azure Arc-enabled SQL managed instance, you can configure the size of the persistent volume (PV) for `data`, `logs`, `datalogs`, and `backups`. The deployment creates these volumes based on the values set by parameters `--volume-size-data`, `--volume-size-logs`, `--volume-size-datalogs`, and `--volume-size-backups`. When these volumes become full, you will need to resize the `PersistentVolumes`. Azure Arc-enabled SQL Managed Instance is deployed as part of a `StatefulSet` for both General Purpose or Business Critical service tiers. Kubernetes supports automatic resizing for persistent volumes but not for volumes attached to `StatefulSet`.

+Ensure the Arc-enabled SQL managed instance is back to ready status by running:

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Create a new Azure Cache for Redis resource with a **Cache type** of any of the premium tiers. Complete **Basics** tab with all the required information.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+To be able to view Application Insights data from a function app, you must have at least Contributor role permissions on the function app. You also need to have the [Monitoring Reader permission](../azure-monitor/roles-permissions-security.md#monitoring-reader) on the Application Insights instance. You have these permissions by default for any function app and Application Insights instance that you create.

+1. To begin, sign in to the [Azure portal] using your Azure account. In the search bar at the top of the portal, enter the name of your function app and select it from the list.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+This article shows you two ways to set map styles using the Azure Maps iOS SDK. Azure Maps has six different maps styles to choose from. For more information about supported map styles, see [supported map styles in Azure Maps].

+- Complete the [Create an iOS app] quickstart.

+- An [Azure Maps account].

+Often it's desirable to focus the map over a set of data. A bounding box can be calculated from features using the `BoundingBox.fromData(_:)` method and can be passed into the `bounds` option of the map camera. When setting a map view based on a bounding box, it's often useful to specify a `padding` value to account for the point size of data points being rendered as bubbles or symbols. The following code shows how to set all optional camera options when using a bounding box to set the position of the camera.

+The aspect ratio of a bounding box may not be the same as the aspect ratio of the map, as such the map often shows the full bounding box area, and are often only tight vertically or horizontally.

+| `animationDuration(_ duration: Double)` | Specifies how long the camera animates between the views in milliseconds (ms). |

+| `animationType(_ animationType: AnimationType)` | Specifies the type of animation transition to perform.<br><br> - `.jump` - an immediate change.<br> - `.ease` - gradual change of the camera's settings.<br> - `.fly` - gradual change of the camera's settings following an arc resembling flight. |

+The following animation demonstrates the above code animating the map view from New York to Seattle.

+- [Add a symbol layer]

+- [Add a bubble layer]

+[Add a bubble layer]: add-bubble-layer-map-ios.md

+[Add a symbol layer]: add-symbol-layer-ios.md

+[Azure Maps account]: https://azure.microsoft.com/services/azure-maps

+[Create an iOS app]: quick-ios-app.md

+[supported map styles in Azure Maps]: supported-map-styles.md

+The `atlas.layer.OgcMapLayer` class can overlay Web Map Services (WMS) imagery and Web Map Tile Services (WMTS) imagery on the map. WMS is a standard protocol developed by OGC for serving georeferenced map images over the internet. Image georeferencing is the processes of associating an image to a geographical location. WMTS is also a standard protocol developed by OGC. It's designed for serving prerendered and georeferenced map tiles.

+The following sections outline the web map service features supported by the `OgcMapLayer` class.

+- CRS supported: `EPSG:3857` or `GoogleMapsCompatible`

+- TileMatrix identifier must be an integer value that corresponds to a zoom level on the map. In Azure Maps, the zoom level is a value between `"0"` and `"22"`. So, `"0"` is supported, but `"00"` isn't supported.

+> [OgcMapLayer]

+> [OgcMapLayerOptions]

+> [Connect to a WFS service]

+> [Leverage core operations]

+> [Supported data format details]

+[Connect to a WFS service]: spatial-io-connect-wfs-service.md

+[Leverage core operations]: spatial-io-core-operations.md

+[OGC map layer options source code]: https://github.com/Azure-Samples/AzureMapsCodeSamples/blob/main/Samples/Spatial%20IO%20Module/OGC%20map%20layer%20options/OGC%20map%20layer%20options.html

+[OGC map layer]: https://samples.azuremaps.com/spatial-io-module/ogc-map-layer-example

+[OGC Web Map Service explorer]: https://samples.azuremaps.com/spatial-io-module/ogc-web-map-service-explorer

+[OgcMapLayer]: /javascript/api/azure-maps-spatial-io/atlas.layer.ogcmaplayer

+[OgcMapLayerOptions]: /javascript/api/azure-maps-spatial-io/atlas.ogcmaplayeroptions

+[Supported data format details]: spatial-io-supported-data-format-details.md

+| July 2023| **Windows** <ul><li>Fix crash when Event Log subscription callback throws errors.<li>MetricExtension updated to 2.2023.609.2051</li></ui> |1.18.0| Comming Soon|

+| May 2023 | **Windows** <ul><li>Enable Large Event support for all regions.</li><li>Update to TroubleShooter 1.4.0.</li><li>Fixed issue when Event Log subscription become invalid an would not resubscribe.</li><li>AMA: Fixed issue with Large Event sending too large data. Also affecting Custom Log.</li></ul> **Linux** <ul><li>Support for CIS and SELinux [hardening](./agents-overview.md)</li><li>Include Ubuntu 22.04 (Jammy) in azure-mdsd package publishing</li><li>Move storage SDK patch to build container</li><li>Add system Telegraf counters to AMA</li><li>Drop msgpack and syslog data if not configured in active configuration</li><li>Limit the events sent to Public ingestion pipeline</li><li>**Fixes** <ul><li>Fix mdsd crash in init when in persistent mode </li><li>Remove FdClosers from ProtocolListeners to avoid a race condition</li><li>Fix sed regex special character escaping issue in rpm macro for Centos 7.3.Maipo</li><li>Fix latency and future timestamp issue</li><li>Install AMA syslog configs only if customer is opted in for syslog in DCR</li><li>Fix heartbeat time check</li><li>Skip unnecessary cleanup in fatal signal handler</li><li>Fix case where fast-forwarding may cause intervals to be skipped</li><li>Fix comma separated custom log paths with fluent</li><li>Fix to prevent events folder growing too large and filling the disk</li><li>hot fix (1.26.3) for Syslog</li></ul><</li><ul> | 1.16.0.0 | 1.26.2 1.26.3<sup>Hotfix</sup>|

+ "identifier-name": "mi_res_id" or "object_id" or "client_id",

+ We recommend that you use `mi_res_id` as the `identifier-name`. The following sample commands only show usage with `mi_res_id` for the sake of brevity. For more information on `mi_res_id`, `object_id`, and `client_id`, see the [Managed identity documentation](../../active-directory/managed-identities-azure-resources/how-to-use-vm-token.md#get-a-token-using-http).

+Enable-InstrumentationEngine

+Enable-ApplicationInsightsMonitoring -InstrumentationKey xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

+Enable-ApplicationInsightsMonitoring -InstrumentationKeyMap `

+ ` @(@{MachineFilter='.*';AppFilter='WebAppExclude'},

+ ` @{MachineFilter='.*';AppFilter='WebAppOne';InstrumentationSettings=@{InstrumentationKey='xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx1'}},

+ ` @{MachineFilter='.*';AppFilter='WebAppTwo';InstrumentationSettings=@{InstrumentationKey='xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx2'}},

+ ` @{MachineFilter='.*';AppFilter='.*';InstrumentationSettings=@{InstrumentationKey='xxxxxxxx-xxxx-xxxx-xxxx-xxxxxdefault'}})

+Disable-InstrumentationEngine

+Disable-ApplicationInsightsMonitoring

+Get-ApplicationInsightsMonitoringConfig

+Get-ApplicationInsightsMonitoringStatus

+Get-ApplicationInsightsMonitoringStatus -PowerShellModule

+Get-ApplicationInsightsMonitoringStatus -InspectProcess

+Enable-ApplicationInsightsMonitoring -InstrumentationKey xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

+ ` @(@{MachineFilter='.*';AppFilter='WebAppExclude'},

+ ` @{MachineFilter='.*';AppFilter='WebAppOne';InstrumentationSettings=@{InstrumentationKey='xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx1'}},

+ ` @{MachineFilter='.*';AppFilter='WebAppTwo';InstrumentationSettings=@{InstrumentationKey='xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx2'}},

+ ` @{MachineFilter='.*';AppFilter='.*';InstrumentationSettings=@{InstrumentationKey='xxxxxxxx-xxxx-xxxx-xxxx-xxxxxdefault'}})

+Start-ApplicationInsightsMonitoringTrace -CollectRedfieldEvents

+While users can publish any custom `EventCounters` to meet their needs, [.NET](/dotnet/fundamentals/) publishes a set of these counters by default. This document walks through the steps required to collect and view `EventCounters` (system defined or user defined) in Azure Application Insights.

+Application Insights supports collecting `EventCounters` with its `EventCounterCollectionModule`, which is part of the newly released NuGet package [Microsoft.ApplicationInsights.EventCounterCollector](https://www.nuget.org/packages/Microsoft.ApplicationInsights.EventCounterCollector). `EventCounterCollectionModule` is automatically enabled when using either [AspNetCore](asp-net-core.md) or [WorkerService](worker-service.md). `EventCounterCollectionModule` collects counters with a nonconfigurable collection frequency of 60 seconds. There are no special permissions required to collect EventCounters. For ASP.NET Core applications, you also want to add the [Microsoft.ApplicationInsights.AspNetCore](https://www.nuget.org/packages/Microsoft.ApplicationInsights.AspNetCore) package.

+```dotnetcli

+dotnet add package Microsoft.ApplicationInsights.EventCounterCollector

+dotnet add package Microsoft.ApplicationInsights.AspNetCore

+```

+Starting with 2.15.0 version of either [AspNetCore SDK](asp-net-core.md) or [WorkerService SDK](worker-service.md), no counters are collected by default. The module itself is enabled, so users can add the desired counters to

+The following example shows how to add/remove counters. This customization would be done as part of your application service configuration after Application Insights telemetry collection is enabled using either `AddApplicationInsightsTelemetry()` or `AddApplicationInsightsWorkerService()`. Following is an example code from an ASP.NET Core application. For other type of applications, refer to [this](worker-service.md#configure-or-remove-default-telemetry-modules) document.

+# [ASP.NET Core 6.0+](#tab/dotnet6)

+```csharp

+using Microsoft.ApplicationInsights.Extensibility.EventCounterCollector;

+using Microsoft.Extensions.DependencyInjection;

+builder.Services.ConfigureTelemetryModule<EventCounterCollectionModule>(

+ (module, o) =>

+ {

+ // Removes all default counters, if any.

+ module.Counters.Clear();

+ // Adds a user defined counter "MyCounter" from EventSource named "MyEventSource"

+ module.Counters.Add(

+ new EventCounterCollectionRequest("MyEventSource", "MyCounter"));

+ // Adds the system counter "gen-0-size" from "System.Runtime"

+ module.Counters.Add(

+ new EventCounterCollectionRequest("System.Runtime", "gen-0-size"));

+ }

+ );

+```

+# [ASP.NET Core 3.1](#tab/dotnet31)

+using Microsoft.ApplicationInsights.Extensibility.EventCounterCollector;

+using Microsoft.Extensions.DependencyInjection;

+public void ConfigureServices(IServiceCollection services)

+{

+ //... other code...

+ // The following code shows how to configure the module to collect

+ // additional counters.

+ services.ConfigureTelemetryModule<EventCounterCollectionModule>(

+ (module, o) =>

+ {

+ // Removes all default counters, if any.

+ module.Counters.Clear();

+ // Adds a user defined counter "MyCounter" from EventSource named "MyEventSource"

+ module.Counters.Add(

+ new EventCounterCollectionRequest("MyEventSource", "MyCounter"));

+ // Adds the system counter "gen-0-size" from "System.Runtime"

+ module.Counters.Add(

+ new EventCounterCollectionRequest("System.Runtime", "gen-0-size"));

+ }

+ );

+}

+`EventCounterCollectionModule` can be disabled by using `ApplicationInsightsServiceOptions`.

+The following example uses the ASP.NET Core SDK.

+# [ASP.NET Core 6.0+](#tab/dotnet6)

+```csharp

+using Microsoft.ApplicationInsights.AspNetCore.Extensions;

+using Microsoft.Extensions.DependencyInjection;

+var applicationInsightsServiceOptions = new ApplicationInsightsServiceOptions();

+applicationInsightsServiceOptions.EnableEventCounterCollectionModule = false;

+builder.Services.AddApplicationInsightsTelemetry(applicationInsightsServiceOptions);

+```

+# [ASP.NET Core 3.1](#tab/dotnet31)

+using Microsoft.ApplicationInsights.AspNetCore.Extensions;

+using Microsoft.Extensions.DependencyInjection;

+public void ConfigureServices(IServiceCollection services)

+{

+ //... other code...

+ var applicationInsightsServiceOptions = new ApplicationInsightsServiceOptions();

+ applicationInsightsServiceOptions.EnableEventCounterCollectionModule = false;

+ services.AddApplicationInsightsTelemetry(applicationInsightsServiceOptions);

+}

+A similar approach can be used for the WorkerService SDK as well, but the namespace must be changed as shown in the following example.

+# [ASP.NET Core 6.0+](#tab/dotnet6)

+using Microsoft.ApplicationInsights.AspNetCore.Extensions;

+using Microsoft.Extensions.DependencyInjection;

+var applicationInsightsServiceOptions = new ApplicationInsightsServiceOptions();

+applicationInsightsServiceOptions.EnableEventCounterCollectionModule = false;

+builder.Services.AddApplicationInsightsTelemetry(applicationInsightsServiceOptions);

+```

+# [ASP.NET Core 3.1](#tab/dotnet31)

+```csharp

+using Microsoft.ApplicationInsights.WorkerService;

+using Microsoft.Extensions.DependencyInjection;

+public void ConfigureServices(IServiceCollection services)

+{

+ //... other code...

+}

+Like other metrics, you can [set an alert](../alerts/alerts-log.md) to warn you if an event counter goes outside a limit you specify. Open the Alerts pane and select Add Alert.

+Live Metrics don't show EventCounters as of today. Use Metric Explorer or Analytics to see the telemetry.

+### I have enabled Application Insights from Azure Web App Portal. Why can't I see EventCounters?

+ [Application Insights extension](./azure-web-apps.md) for ASP.NET Core doesn't yet support this feature.

+* [Dependency tracking](./asp-net-dependencies.md)

+ This is a *required* field.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+To access your Log Analytics workspace, you sign in to the Azure portal using the organizational account or Microsoft account that you set up previously. All traffic between the portal and Azure Monitor service is sent over a secure HTTPS channel. When using the portal, a session ID is generated on the user client (web browser) and data is stored in a local cache until the session is terminated. When terminated, the cache is deleted. Client-side cookies, which do not contain personally identifiable information, are not automatically removed. Session cookies are marked HTTPOnly and are secured. After a pre-determined idle period, the Azure portal session is terminated.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+* After installing, sign in for the first time. For more information, see [How to sign in to the Azure CLI](/cli/azure/get-started-with-azure-cli#how-to-sign-into-the-azure-cli).

+- [Build an end-to-end IoT solution with SQL Edge](tutorial-deploy-azure-resources.md)

+1. Sign in to the [Azure portal](https://portal.azure.com).

+ Once clicked, the authenticated credentials will be used to sign in again to the Azure AI Video Indexer website with the new directory.

+1. Sign in to the [Azure portal](https://portal.azure.com) using the same subscription tenant in which your Azure AI Video Indexer Azure Resource Manager (ARM) account was created.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+In this tutorial, you'll create a jump box in the resource group you created in the [previous tutorial](tutorial-configure-networking.md) and sign in to the Azure VMware Solution vCenter Server. This jump box is a Windows virtual machine (VM) on the same virtual network you created. It provides access to both vCenter Server and the NSX Manager.

+> * Sign in to vCenter Server from this VM

+1. Sign in to the [Azure portal](https://portal.azure.com).

+ Title: Reference - C# Client-side SDK for Azure Web PubSub

+description: This reference describes the C# client-side SDK for Azure Web PubSub service.

+# Azure Web PubSub client library for .NET

+> [!NOTE]

+> Details about the terms used here are described in [key concepts](./key-concepts.md) article.

+The client-side SDK aims to speed up developer's workflow; more specifically,

+- simplifies managing client connections

+- simplifies sending messages among clients

+- automatically retries after unintended drops of client connection

+- **reliably** deliveries messages in number and in order after recovering from connection drops

+As shown in the diagram, your clients establish WebSocket connections with your Web PubSub resource.

+## Getting started

+### Install the package

+Install the client library from [NuGet](https://www.nuget.org/):

+```dotnetcli

+dotnet add package Azure.Messaging.WebPubSub.Client --prerelease

+```

+### Prerequisites

+- An Azure subscription

+- An existing Web PubSub instance

+### Authenticate the client

+A Client uses a `Client Access URL` to connect and authenticate with the service. `Client Access URL` follows the pattern as `wss://<service_name>.webpubsub.azure.com/client/hubs/<hub_name>?access_token=<token>`. There are multiple ways to get a `Client Access URL`. As a quick start, you can copy and paste from Azure portal, and for production, you usually need a negotiation server to generate `Client Access URL`. [See details.](#use-negotiation-server-to-generate-client-access-url)

+#### Use Client Access URL from Azure portal

+As a quick start, you can go to Azure portal and copy the **Client Access URL** from **Keys** blade.

+As shown in the diagram, the client is granted permission of sending messages to specific groups and joining specific groups. Learn more about client permission, see [permissions.](./reference-json-reliable-webpubsub-subprotocol.md#permissions)

+```C# Snippet:WebPubSubClient_Construct

+var client = new WebPubSubClient(new Uri("<client-access-uri>"));

+```

+#### Use negotiation server to generate `Client Access URL`

+In production, a client usually fetches the `Client Access URL` from a negotiation server. The server holds the `connection string` and generates the `Client Access URL` through `WebPubSubServiceClient`. As a sample, the code snippet just demonstrates how to generate the `Client Access URL` inside a single process.

+```C# Snippet:WebPubSubClient_Construct2

+var client = new WebPubSubClient(new WebPubSubClientCredential(token =>

+{

+ // In common practice, you will have a negotiation server for generating token. Client should fetch token from it.

+ return FetchClientAccessTokenFromServerAsync(token);

+}));

+```

+```C# Snippet:WebPubSubClient_GenerateClientAccessUri

+public async ValueTask<Uri> FetchClientAccessTokenFromServerAsync(CancellationToken token)

+{

+ var serviceClient = new WebPubSubServiceClient("<< Connection String >>", "hub");

+ return await serviceClient.GetClientAccessUriAsync();

+}

+```

+Features to differentiate `WebPubSubClient` and `WebPubSubServiceClient`.

+|Class Name|WebPubSubClient|WebPubSubServiceClient|

+||||

+|NuGet Package Name|Azure.Messaging.WebPubSub.Client |Azure.Messaging.WebPubSub|

+|Features|Used on client side. Publish messages and subscribe to messages.|Used on server side. Generate Client Access Uri and manage clients|

+## Examples

+### Consume messages from the server and groups

+A client can add callbacks to consume messages from the server and groups. Note, clients can only receive group messages that it has joined.

+```C# Snippet:WebPubSubClient_Subscribe_ServerMessage

+client.ServerMessageReceived += eventArgs =>

+{

+ Console.WriteLine($"Receive message: {eventArgs.Message.Data}");

+ return Task.CompletedTask;

+};

+```

+```C# Snippet:WebPubSubClient_Subscribe_GroupMessage

+client.GroupMessageReceived += eventArgs =>

+{

+ Console.WriteLine($"Receive group message from {eventArgs.Message.Group}: {eventArgs.Message.Data}");

+ return Task.CompletedTask;

+};

+```

+### Add callbacks for `connected`, `disconnected`, and `stopped` events

+When a client connection is connected to the service, the `connected` event is triggered once it received the connected message from the service.

+```C# Snippet:WebPubSubClient_Subscribe_Connected

+client.Connected += eventArgs =>

+{

+ Console.WriteLine($"Connection {eventArgs.ConnectionId} is connected");

+ return Task.CompletedTask;

+};

+```

+When a client connection is disconnected and fails to recover, the `disconnected` event is triggered.

+```C# Snippet:WebPubSubClient_Subscribe_Disconnected

+client.Disconnected += eventArgs =>

+{

+ Console.WriteLine($"Connection is disconnected");

+ return Task.CompletedTask;

+};

+```

+When a client is stopped, which means the client connection is disconnected and the client stops trying to reconnect, the `stopped` event is triggered. This usually happens after the `client.StopAsync()` is called, or disabled `AutoReconnect`. If you want to restart the client, you can call `client.StartAsync()` in the `Stopped` event.

+```C# Snippet:WebPubSubClient_Subscribe_Stopped

+client.Stopped += eventArgs =>

+{

+ Console.WriteLine($"Client is stopped");

+ return Task.CompletedTask;

+};

+```

+### Auto rejoin groups and handle rejoin failure

+When a client connection has dropped and fails to recover, all group contexts are cleaned up on the service side. That means when the client reconnects, it needs to rejoin groups. By default, the client enabled `AutoRejoinGroups` options. However, this feature has limitations. The client can only rejoin groups that it's originally joined **by the client** rather than joined **by the server side**. And rejoin group operations may fail due to various reasons, for example, the client doesn't have permission to join groups. In such cases, users need to add a callback to handle such failure.

+```C# Snippet:WebPubSubClient_Subscribe_RestoreFailed

+client.RejoinGroupFailed += eventArgs =>

+{

+ Console.WriteLine($"Restore group failed");

+ return Task.CompletedTask;

+};

+```

+### Operation and retry

+By default, the operation such as `client.JoinGroupAsync()`, `client.LeaveGroupAsync()`, `client.SendToGroupAsync()`, `client.SendEventAsync()` has three reties. You can use `WebPubSubClientOptions.MessageRetryOptions` to change. If all retries have failed, an error is thrown. You can keep retrying by passing in the same `ackId` as previous retries, thus the service can help to deduplicate the operation with the same `ackId`.

+```C# Snippet:WebPubSubClient_JoinGroupAndRetry

+// Send message to group "testGroup"

+try

+{

+ await client.JoinGroupAsync("testGroup");

+}

+catch (SendMessageFailedException ex)

+{

+ if (ex.AckId != null)

+ {

+ await client.JoinGroupAsync("testGroup", ackId: ex.AckId);

+ }

+}

+```

+## Troubleshooting

+### Enable logs

+You can set the following environment variable to get the debug logs when using this library.

+```bash

+export AZURE_LOG_LEVEL=verbose

+```

+For more detailed instructions on how to enable logs, you can look at the [@azure/logger package docs](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/core/logger).

+### Live Trace

+Use [Live Trace tool](./howto-troubleshoot-resource-logs.md#capture-resource-logs-by-using-the-live-trace-tool) from Azure portal to inspect live message traffic through your Web PubSub resource.

+ Title: Reference - Java Client-side SDK for Azure Web PubSub

+description: This reference describes the Java client-side SDK for Azure Web PubSub service.

+# Azure WebPubSub client library for Java

+> [!NOTE]

+> Details about the terms used here are described in [key concepts](./key-concepts.md) article.

+The client-side SDK aims to speed up developer's workflow; more specifically,

+- simplifies managing client connections

+- simplifies sending messages among clients

+- automatically retries after unintended drops of client connection

+- **reliably** deliveries messages in number and in order after recovering from connection drops

+As shown in the diagram, your clients establish WebSocket connections with your Web PubSub resource.

+## Getting started

+### Prerequisites

+- Java Development Kit (JDK) with version 8 or above

+- Azure subscription

+- An existing Web PubSub instance

+### Adding the package to your product

+[//]: # ({x-version-update-start;com.azure:azure-messaging-webpubsub-client;current})

+```xml

+<dependency>

+ <groupId>com.azure</groupId>

+ <artifactId>azure-messaging-webpubsub-client</artifactId>

+ <version>1.0.0-beta.1</version>

+</dependency>

+```

+[//]: # ({x-version-update-end})

+### Authenticate the client

+A client uses a `Client Access URL` to connect and authenticate with the service. The URL follows a pattern of `wss://<service_name>.webpubsub.azure.com/client/hubs/<hub_name>?access_token=<token>`. There are multiple ways to get a `Client Access URL`. As a quick start, you can copy and paste from Azure portal, and for production, you usually need a negotiation server to generate the URL. [See details.](#use-negotiation-server-to-generate-client-access-url)

+#### Use `Client Access URL` from Azure portal

+As a quick start, you can go to Azure portal and copy the **Client Access URL** from **Keys** blade.

+As shown in the diagram, the client is granted permission of sending messages to specific groups and joining specific groups. Learn more about client permission, see [permissions.](./reference-json-reliable-webpubsub-subprotocol.md#permissions)

+```java readme-sample-createClientFromUrl

+WebPubSubClient client = new WebPubSubClientBuilder()

+ .clientAccessUrl("<client-access-url>")

+ .buildClient();

+```

+#### Use negotiation server to generate `Client Access URL`

+In production, a client usually fetches the `Client Access URL` from a negotiation server. The server holds the `connection string` and generates the `Client Access URL` through `WebPubSubServiceClient`. As a sample, the code snippet just demonstrates how to generate the `Client Access URL` inside a single process.

+```java readme-sample-createClientFromCredential

+// WebPubSubServiceAsyncClient is from com.azure:azure-messaging-webpubsub

+// create WebPubSub service client

+WebPubSubServiceAsyncClient serverClient = new WebPubSubServiceClientBuilder()

+ .connectionString("<connection-string>")

+ .hub("<hub>>")

+ .buildAsyncClient();

+// wrap WebPubSubServiceAsyncClient.getClientAccessToken as WebPubSubClientCredential

+WebPubSubClientCredential clientCredential = new WebPubSubClientCredential(Mono.defer(() ->

+ serverClient.getClientAccessToken(new GetClientAccessTokenOptions()

+ .setUserId("<user-name>")

+ .addRole("webpubsub.joinLeaveGroup")

+ .addRole("webpubsub.sendToGroup"))

+ .map(WebPubSubClientAccessToken::getUrl)));

+// create WebPubSub client

+WebPubSubClient client = new WebPubSubClientBuilder()

+ .credential(clientCredential)

+ .buildClient();

+```

+Features to differentiate `WebPubSubClient` and `WebPubSubServiceClient`.

+|Class Name|WebPubSubClient|WebPubSubServiceClient|

+||||

+|Package Name|azure-messaging-webpubsub-client|azure-messaging-webpubsub|

+|Features|Used on client side. Publish messages and subscribe to messages.|Used on server side. Generate `Client Access URL` and manage clients.|

+## Examples

+### Consume messages from the server and groups

+A client can add callbacks to consume messages from the server and groups. Note, clients can only receive group messages that it has joined.

+```java readme-sample-listenMessages

+client.addOnGroupMessageEventHandler(event -> {

+ System.out.println("Received group message from " + event.getFromUserId() + ": "

+ + event.getData().toString());

+});

+client.addOnServerMessageEventHandler(event -> {

+ System.out.println("Received server message: "

+ + event.getData().toString());

+});

+```

+### Add callbacks for `connected`, `disconnected`, and `stopped` events

+When a client connection is connected to the service, the `connected` event is triggered.

+When a client connection is disconnected and fails to recover, the `disconnected` event is triggered.

+When a client is stopped, which means the client connection is disconnected and the client stops trying to reconnect, the `stopped` event is triggered. This usually happens after the `client.StopAsync()` is called, or disabled `AutoReconnect`. If you want to restart the client, you can call `client.StartAsync()` in the `Stopped` event.

+```java readme-sample-listenEvent

+client.addOnConnectedEventHandler(event -> {

+ System.out.println("Connection is connected: " + event.getConnectionId());

+});

+client.addOnDisconnectedEventHandler(event -> {

+ System.out.println("Connection is disconnected");

+});

+client.addOnStoppedEventHandler(event -> {

+ System.out.println("Client is stopped");

+});

+```

+### Operation and retry

+By default, the operation such as `client.joinGroup()`, `client.leaveGroup()`, `client.sendToGroup()`, `client.sendEvent()` has three reties. You can use `WebPubSubClientBuilder.retryOptions()` to change. If all retries have failed, an error is thrown. You can keep retrying by passing in the same `ackId` as previous retries, thus the service can help to deduplicate the operation with the same `ackId`.

+```java readme-sample-sendAndRetry

+try {

+ client.joinGroup("testGroup");

+} catch (SendMessageFailedException e) {

+ if (e.getAckId() != null) {

+ client.joinGroup("testGroup", e.getAckId());

+ }

+}

+```

+## Troubleshooting

+### Enable logs

+You can set the following environment variable to get the debug logs when using this library.

+```bash

+export AZURE_LOG_LEVEL=verbose

+```

+For more detailed instructions on how to enable logs, you can look at the [@azure/logger package docs](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/core/logger).

+### Live Trace

+Use [Live Trace tool](./howto-troubleshoot-resource-logs.md#capture-resource-logs-by-using-the-live-trace-tool) from Azure portal to inspect live message traffic through your Web PubSub resource.

+ Title: Reference - JavaScript Client-side SDK for Azure Web PubSub

+description: This reference describes the JavaScript client-side SDK for Azure Web PubSub service.

+# Web PubSub client-side SDK for JavaScript

+> [!NOTE]

+> Details about the terms used here are described in [key concepts](./key-concepts.md) article.

+The client-side SDK aims to speed up developer's workflow; more specifically,

+- simplifies managing client connections

+- simplifies sending messages among clients

+- automatically retries after unintended drops of client connection

+- **reliably** deliveries messages in number and in order after recovering from connection drops

+As shown in the diagram, your clients establish WebSocket connections with your Web PubSub resource.

+## Getting started

+### Prerequisites

+- [LTS versions of Node.js](https://nodejs.org/about/releases/)

+- An Azure subscription

+- A Web PubSub resource

+### 1. Install the `@azure/web-pubsub-client` package

+```bash

+npm install @azure/web-pubsub-client

+```

+### 2. Connect with your Web PubSub resource

+A client uses `Client Access URL` to connect and authenticate with the service, which follows a pattern of `wss://<service_name>.webpubsub.azure.com/client/hubs/<hub_name>?access_token=<token>`. A client can have a few ways to obtain `Client Access URL`. For this quick guide, you can copy and paste one from Azure portal shown. (For production, your clients usually get `Client Access URL` generated on your application server. [See details](#use-an-application-server-to-generate-client-access-url-programatically) )

+As shown in the diagram, the client has the permissions to send messages to and join a specific group named **`group1`**.

+```js

+// Imports the client libray

+const { WebPubSubClient } = require("@azure/web-pubsub-client");

+// Instantiates the client object

+const client = new WebPubSubClient("<client-access-url>");

+// Starts the client connection with your Web PubSub resource

+await client.start();

+// ...

+// The client can join/leave groups, send/receive messages to and from those groups all in real-time

+```

+### 3. Join groups

+A client can only receive messages from groups that it has joined. You can add a callback to specify the logic of what to do when receiving messages.

+```js

+// ...continues the code snippet from above

+// Specifies the group to join

+let groupName = "group1";

+// Registers a listener for the event 'group-message' early before joining a group to not miss messages

+client.on("group-message", (e) => {

+ console.log(`Received message: ${e.message.data}`);

+});

+// A client needs to join the group it wishes to receive messages from

+await client.joinGroup(groupName);

+```

+### 4. Send messages to a group

+```js

+// ...continues the code snippet from above

+// Send a message to a joined group

+await client.sendToGroup(groupName, "hello world", "text");

+// In the Console tab of your developer tools found in your browser, you should see the message printed there.

+```

+## Examples

+### Handle `connected`, `disconnected` and `stopped` events

+Azure Web PubSub fires system events like `connected`, `disconnected` and `stopped`. You can register event handlers to decide what the program should do when the events are fired.

+1. When a client is successfully connected to your Web PubSub resource, the `connected` event is triggered. This snippet simply prints out the [connection ID](./key-concepts.md)

+```js

+client.on("connected", (e) => {

+ console.log(`Connection ${e.connectionId} is connected.`);

+});

+```

+2. When a client is disconnected and fails to recover the connection, the `disconnected` event is triggered. This snippet simply prints out the message.

+```js

+client.on("disconnected", (e) => {

+ console.log(`Connection disconnected: ${e.message}`);

+});

+```

+3. The `stopped` event is triggered when the client is disconnected **and** the client stops trying to reconnect. This usually happens after the `client.stop()` is called, or `autoReconnect` is disabled or a specified limit to trying to reconnect has reached. If you want to restart the client, you can call `client.start()` in the stopped event.

+```js

+// Registers an event handler for the "stopped" event

+client.on("stopped", () => {

+ console.log(`Client has stopped`);

+});

+```

+### Use an application server to generate `Client Access URL` programatically

+In production, clients usually fetch `Client Access URL` from an application server. The server holds the `connection string` to your Web PubSub resource and generates the `Client Access URL` with help from the server-side library `@azure/web-pubsub`.

+#### 1. Application server

+The code snippet is an example of an application server exposes a `/negotiate` endpoint and returns `Client Access URL`.

+```js

+// This code snippet uses the popular Express framework

+const express = require('express');

+const app = express();

+const port = 8080;

+// Imports the server library, which is different from the client library

+const { WebPubSubServiceClient } = require('@azure/web-pubsub');

+const hubName = 'sample_chat';

+const serviceClient = new WebPubSubServiceClient("<web-pubsub-connectionstring>", hubName);

+// Note that the token allows the client to join and send messages to any groups. It is specified with the "roles" option.

+app.get('/negotiate', async (req, res) => {

+ let token = await serviceClient.getClientAccessToken({roles: ["webpubsub.joinLeaveGroup", "webpubsub.sendToGroup"] });

+ res.json({

+ url: token.url

+ });

+});

+app.listen(port, () => console.log(`Application server listening at http://localhost:${port}/negotiate`));

+```

+#### 2. Client side

+```js

+const { WebPubSubClient } = require("@azure/web-pubsub-client")

+const client = new WebPubSubClient({

+ getClientAccessUrl: async () => {

+ let value = await (await fetch(`/negotiate`)).json();

+ return value.url;

+ }

+});

+await client.start();

+```

+> [!NOTE]

+> To see the full code of this sample, please refer to [samples-browser](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/web-pubsub/web-pubsub-client/samples-browser).

+### A client consumes messages from the application server or joined groups

+A client can add callbacks to consume messages from an application server or groups.

+```js

+// Registers a listener for the "server-message". The callback is invoked when your application server sends message to the connectionID, to or broadcast to all connections.

+client.on("server-message", (e) => {

+ console.log(`Received message ${e.message.data}`);

+});

+// Registers a listener for the "group-message". The callback is invoked when the client receives a message from the groups it has joined.

+client.on("group-message", (e) => {

+ console.log(`Received message from ${e.message.group}: ${e.message.data}`);

+});

+```

+> [!NOTE]

+> For `group-message` event, the client can **only** receive messages from the groups that it has joined.

+### Handle rejoin failure

+When a client is disconnected and fails to recover, all group contexts are cleaned up in your Web PubSub resource. This means when the client reconnects, it needs to rejoin groups. By default, the client has `autoRejoinGroup` option enabled.

+However, you should be aware of `autoRejoinGroup`'s limitations.

+- The client can only rejoin groups that it has been joined by the client code _not_ by the server side code.

+- "Rejoin group" operations may fail due to various reasons, for example, the client doesn't have permission to join the groups. In such cases, you need to add a callback to handle this failure.

+```js

+// By default autoRejoinGroups=true. You can disable it by setting to false.

+const client = new WebPubSubClient("<client-access-url>", { autoRejoinGroups: true });

+// Registers a listener to handle "rejoin-group-failed" event

+client.on("rejoin-group-failed", e => {

+ console.log(`Rejoin group ${e.group} failed: ${e.error}`);

+})

+```

+### Retry

+By default, the operation such as `client.joinGroup()`, `client.leaveGroup()`, `client.sendToGroup()`, `client.sendEvent()` has three retries. You can configure through the `messageRetryOptions`. If all retries have failed, an error is thrown. You can keep retrying by passing in the same `ackId` as previous retries so that the Web PubSub service can deduplicate the operation.

+```js

+try {

+ await client.joinGroup(groupName);

+} catch (err) {

+ let id = null;

+ if (err instanceof SendMessageError) {

+ id = err.ackId;

+ }

+ await client.joinGroup(groupName, {ackId: id});

+}

+```

+## JavaScript Bundle

+To use this client library in the browser, you need to use a bundler. For details on how to create a bundle, refer to our [bundling documentation](https://github.com/Azure/azure-sdk-for-js/blob/main/documentation/Bundling.md).

+## Troubleshooting

+### Enable logs

+You can set the following environment variable to get the debug logs when using this library.

+```bash

+export AZURE_LOG_LEVEL=verbose

+```

+For more detailed instructions on how to enable logs, you can look at the [@azure/logger package docs](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/core/logger).

+### Live Trace

+Use [Live Trace tool](./howto-troubleshoot-resource-logs.md#capture-resource-logs-by-using-the-live-trace-tool) from Azure portal to inspect live message traffic through your Web PubSub resource.

+ Title: Reference - Python Client-side SDK for Azure Web PubSub

+description: This reference describes the Python client-side SDK for Azure Web PubSub service.

+# Azure Web PubSub client library for Python

+> [!NOTE]

+> Details about the terms used here are described in [key concepts](./key-concepts.md) article.

+The client-side SDK aims to speed up developer's workflow; more specifically,

+- simplifies managing client connections

+- simplifies sending messages among clients

+- automatically retries after unintended drops of client connection

+- **reliably** deliveries messages in number and in order after recovering from connection drops

+As shown in the diagram, your clients establish WebSocket connections with your Web PubSub resource.

+## Getting started

+### Prerequisites

+- [Python 3.7+](https://www.python.org/downloads/)

+- An Azure subscription

+- A Web PubSub resource

+### 1. Install the `azure-messaging-webpubsubclient` package

+```bash

+pip install azure-messaging-webpubsubclient

+```

+### 2. Connect with your Web PubSub resource

+A client uses a `Client Access URL` to connect and authenticate with the service, which follows a pattern of `wss://<service_name>.webpubsub.azure.com/client/hubs/<hub_name>?access_token=<token>`. A client can have a few ways to obtain the `Client Access URL`. For this quick start, you can copy and paste one from Azure portal shown.

+As shown in the diagram, the client has the permissions to send messages to and join a specific group named **`group1`**.

+```python

+from azure.messaging.webpubsubclient import WebPubSubClient

+client = WebPubSubClient("<<client-access-url>>")

+with client:

+ # The client can join/leave groups, send/receive messages to and from those groups all in real-time

+ ...

+```

+### 3. Join groups

+A client can only receive messages from groups that it has joined and you need to add a callback to specify the logic when receiving messages.

+```python

+# ...continues the code snippet from above

+# Registers a listener for the event 'group-message' early before joining a group to not miss messages

+group_name = "group1";

+client.on("group-message", lambda e: print(f"Received message: {e.data}"));

+# A client needs to join the group it wishes to receive messages from

+client.join_group(groupName);

+```

+### 4. Send messages to a group

+```python

+# ...continues the code snippet from above

+# Send a message to a joined group

+client.send_to_group(group_name, "hello world", "text");

+# In the Console tab of your developer tools found in your browser, you should see the message printed there.

+```

+## Examples

+### Add callbacks for `connected`, `disconnected` and `stopped` events

+1. When a client is successfully connected to your Web PubSub resource, the `connected` event is triggered.

+ ```python

+ client.on("connected", lambda e: print(f"Connection {e.connection_id} is connected"))

+ ```

+2. When a client is disconnected and fails to recover the connection, the `disconnected` event is triggered.

+ ```python

+ client.on("disconnected", lambda e: print(f"Connection disconnected: {e.message}"))

+ ```

+3. The `stopped` event is triggered when the client is disconnected **and** the client stops trying to reconnect. This usually happens after the `client.stop()` is called, or `auto_reconnect` is disabled or a specified limit to trying to reconnect has reached. If you want to restart the client, you can call `client.start()` in the stopped event.

+ ```python

+ client.on("stopped", lambda : print("Client has stopped"))

+ ```

+### A client consumes messages from the application server or joined groups

+A client can add callbacks to consume messages from your application server or groups. Note, for `group-message` event the client can _only_ receive group messages that it has joined.

+ ```python

+ # Registers a listener for the "server-message". The callback is invoked when your application server sends message to the connectionID, to or broadcast to all connections.

+ client.on("server-message", lambda e: print(f"Received message {e.data}"))

+ # Registers a listener for the "group-message". The callback is invoked when the client receives a message from the groups it has joined.

+ client.on("group-message", lambda e: print(f"Received message from {e.group}: {e.data}"))

+ ```

+### Handle rejoin failure

+When a client is disconnected and fails to recover, all group contexts are cleaned up in your Web PubSub resource. This means when the client reconnects, it needs to rejoin groups. By default, the client has `auto_rejoin_groups` option enabled.

+However, you should be aware of `auto_rejoin_groups`'s limitations.

+- The client can only rejoin groups that it's originally joined **by the client code _not_ by the server side code**.

+- "rejoin group" operations may fail due to various reasons, for example, the client doesn't have permission to join the groups. In such cases, you need to add a callback to handle this failure.

+```python

+# By default auto_rejoin_groups=True. You can disable it by setting to False.

+client = WebPubSubClient("<client-access-url>", auto_rejoin_groups=True);

+# Registers a listener to handle "rejoin-group-failed" event

+client.on("rejoin-group-failed", lambda e: print(f"Rejoin group {e.group} failed: {e.error}"))

+```

+### Operation and retry

+By default, the operation such as `client.join_group()`, `client.leave_group()`, `client.send_to_group()`, `client.send_event()` has three retries. You can configure through the key-word arguments. If all retries have failed, an error is thrown. You can keep retrying by passing in the same `ack_id` as previous retries so that the Web PubSub service can deduplicate the operation.

+```python

+try:

+ client.join_group(group_name)

+except SendMessageError as e:

+ client.join_group(group_name, ack_id=e.ack_id)

+```

+## Troubleshooting

+### Enable logs

+You can set the following environment variable to get the debug logs when using this library.

+```bash

+export AZURE_LOG_LEVEL=verbose

+```

+For more detailed instructions on how to enable logs, you can look at the [@azure/logger package docs](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/core/logger).

+### Live Trace

+Use [Live Trace tool](./howto-troubleshoot-resource-logs.md#capture-resource-logs-by-using-the-live-trace-tool) from Azure portal to inspect live message traffic through your Web PubSub resource.

+| Change passphrase |Operation failed. ID: 120002 |**Cause:**<br/>This error occurs when security settings are enabled, or when you try to change the passphrase when you're using an unsupported version.<br/>**Recommended action:**<br/> To change the passphrase, you must first update the backup agent to the minimum version, which is 2.0.9052. You also need to update Azure Backup Server to the minimum of update 1, and then enter a valid security PIN. To get the PIN, sign in to the Azure portal and go to the Recovery Services vault. Then go to **Settings** > **Properties** > **Generate Security PIN**. Use this PIN to change the passphrase. |

+- Review the [permissions required to use Cross Region Restore](backup-rbac-rs-vault.md#minimum-role-requirements-for-azure-vm-backup).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+2. In the Azure portal, navigate to **All resources** > **your-cdn-profile**.

+* Second, a chaos experiment has a [system-assigned managed identity](../active-directory/managed-identities-azure-resources/overview.md) or a [user-assigned managed identity](../active-directory/managed-identities-azure-resources/overview.md) that executes faults on a resource. If you choose to use a system-assigned managed identity for your experiment, the identity is created at experiment creation time in your Azure Active Directory tenant. User-assigned managed identites may be used across any number of experiments.

+ Within a chaos experiment, you can choose to enable custom role assignment on either your system-assigned or user-assigned managed identity selection. Enabling this functionality allows Chaos Studio to create and assign a custom role containing any necessary experiment action capabilities to your experiment's identity (that do not already exist in your identity selection). If a chaos experiment is using a user-assigned managed identity, any custom roles assigned to the experiment identity by Chaos Studio will persist after experiment deletion.

+

+ If you choose to grant your experiment permissions manually, you must grant its identity [appropriate permissions](chaos-studio-fault-providers.md) to all target resources. If the experiment identity doesn't have appropriate permission to a resource, it can't execute a fault against that resource.

+## User-assigned Managed Identity

+A chaos experiment can utilize a [user-assigned managed identity](../active-directory/managed-identities-azure-resources/overview.md) to obtain sufficient permissions to inject faults on the experiment's target resources. Additionally, user-assigned managed identities may be used across any number of experiments in Chaos Studio. To utilize this functionality, you must:

+* First, create a user-assigned managed identity within the [Managed Identities](../active-directory/managed-identities-azure-resources/overview.md) service. You may assign your user-assigned managed identity required permissions to run your chaos experiment(s) at this point.

+* Second, when creating your chaos experiment, select a user-assigned managed identity from your Subscription. You can choose to enable custom role assignment at this step. Enabling this functionality would grant your identity selection any required permissions it may need based on the faults contained in your experiment.

+* Third, after you've added all of your faults to your chaos experiment, review if your identity configuration contains all the necessary actions for your chaos experiment to run successfully. If it does not, contact your system administrator for access or edit your experiment's fault selections.

+Chaos Studio doesn't support Azure Private Link for agent-based scenarios.

+Key Vault is used to store certificates that are associated to Cloud Services (extended support). Key Vaults can be created through the [Azure portal](../key-vault/general/quick-create-portal.md) and [PowerShell](../key-vault/general/quick-create-powershell.md). Add the certificates to Key Vault, then reference the certificate thumbprints in Service Configuration file. You also need to enable Key Vault for appropriate permissions so that Cloud Services (extended support) resource can retrieve certificate stored as secrets from Key Vault.

+1. Sign in to the [Azure portal](https://portal.azure.com) and navigate to the Key Vault. If you do not have a Key Vault set up, you can opt to create one in this same window.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+- [Azure AI services documentation page](../../ai-services/index.yml)

+* [Azure AI services documentation](../../../ai-services/index.yml)

+* [Azure AI services documentation](../../../ai-services/index.yml)

+* [Azure AI services documentation](../../../ai-services/index.yml)

+* [Azure AI services documentation](../../../ai-services/index.yml)

+* [Azure AI services documentation](../../../ai-services/index.yml)

+* [Azure AI services documentation](../../../ai-services/index.yml)

+- [Cognitive Services Documentation page](../../ai-services/index.yml)

+This API is optimal for applications that need access to all content that is relevant to a user's search query. If you're building an application that requires only a specific type of result, consider using the [Bing Image Search API](../bing-image-search/overview.md), [Bing Video Search API](../bing-video-search/overview.md), or [Bing News Search API](../bing-news-search/search-the-web.md). See [Cognitive Services APIs](../../ai-services/index.yml) for a complete list of Bing Search APIs.

+> [!div class="nextstepaction"]

+> [Get started with Job Router](../../quickstarts/router/get-started-router.md)

+|RecognizeCompleted|400|8532|Action failed, inter-digit silence timeout reached.|

+|RecognizeFailed|400|8510|Action failed, initial silence timeout reached.|

+|RecognizeCompleted|400|8532|Action failed, inter-digit silence time out reached.|

+|RecognizeFailed|400|8510|Action failed, initial silence time out reached.|

+|RecognizeFailed|400|8547|Action failed, recognized phrase does not match a valid option.|

+## Next Steps

+Explore Job Router How-To's [tutorials](https://learn.microsoft.com/azure/communication-services/concepts/router/concepts#check-out-our-how-to-guides)

+[Init containers](containers.md#init-containers) can't access managed identities.

+Run the following commands in the bash shell in the container. First, sign in to the Azure CLI using the managed identity:

+If you've added a certificate to your service principal, you can sign in to the Azure CLI with certificate-based authentication, and then use the [az acr login][az-acr-login] command to access a registry. Using a certificate as a secret instead of a password provides additional security when you use the CLI.

+To use the service principal with certificate to [sign in to the Azure CLI](/cli/azure/authenticate-azure-cli#sign-in-with-a-service-principal), the certificate must be in PEM format and include the private key. If your certificate isn't in the required format, use a tool such as `openssl` to convert it. When you run [az login][az-login] to sign into the CLI using the service principal, also provide the service principal's application ID and the Active Directory tenant ID. The following example shows these values as environment variables:

+## Limitations

+- Token with repository-scoped permissions does not currently support docker push and pull of signed images.

+>* Sign in to the [Azure portal](https://portal.azure.com).

+ 1. Sign in to the [Azure portal](https://portal.azure.com).

+The recommended method when working in a command line is with the Azure CLI command [az acr login](/cli/azure/acr#az-acr-login). For example, to access a registry named `myregistry`, sign in the Azure CLI and then authenticate to your registry:

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Select the **Azure Container Registry** to which you pushed the Nginx image.

+1. Select **Repositories** to see a list of the repositories that contain the images in the registry.

+1. Select a repository to see the image tags within that repository.

+When using [az acr login](/cli/azure/acr#az-acr-login) with an Azure Active Directory identity, first [sign in to the Azure CLI](/cli/azure/authenticate-azure-cli), and then specify the Azure resource name of the registry. The resource name is the name provided when the registry was created, such as *myregistry* (without a domain suffix). Example:

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com) and navigate to your Azure Cosmos DB account.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Open a new terminal window and run the SSH command you copied from the Azure portal. This article uses terminal in a macOS, you can follow the similar instructions using an SSH client on a Windows machine. When prompted, type **yes** to continue and enter the **password** you have set for the virtual machine in the previous step.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com) or the [Azure Cosmos DB Explorer](https://cosmos.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com) or the [Azure Cosmos DB Explorer](https://cosmos.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com) and navigate to your subscription. The `CosmosRestoreOperator` role is available at subscription level.

+* Provision continuous backup using the [Azure portal](provision-account-continuous-backup.md#provision-portal), [PowerShell](provision-account-continuous-backup.md#provision-powershell), [CLI](provision-account-continuous-backup.md#provision-cli), or [Azure Resource Manager](provision-account-continuous-backup.md#provision-arm-template).

+* Restore an account using the [Azure portal](restore-account-continuous-backup.md#restore-account-portal), [PowerShell](restore-account-continuous-backup.md#restore-account-powershell), [CLI](restore-account-continuous-backup.md#restore-account-cli), or [Azure Resource Manager](restore-account-continuous-backup.md#restore-arm-template).

+1. Sign in to the [Azure portal](https://portal.azure.com) and navigate to your Azure Cosmos DB account.

+1. Sign in to the [Azure portal](https://portal.azure.com) and navigate to your Azure Cosmos DB account.

+Azure Cosmos DB accounts with periodic mode backup policy can be migrated to continuous mode using the [Azure portal](#portal), [CLI](#cli), [PowerShell](#powershell), or [Resource Manager templates](#ARM-template). Migration from periodic to continuous mode is a one-way migration and itΓÇÖs not reversible. After migrating from periodic to continuous mode, you can apply the benefits of continuous mode.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+* Restore an account using the [Azure portal](restore-account-continuous-backup.md#restore-account-portal), [PowerShell](restore-account-continuous-backup.md#restore-account-powershell), [CLI](restore-account-continuous-backup.md#restore-account-cli), or [Azure Resource Manager](restore-account-continuous-backup.md#restore-arm-template).

+1. In a new window, sign in to the [Azure portal](https://www.portal.azure.com/).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+Sign in to the [Azure portal](https://portal.azure.com) and navigate to your Azure Cosmos DB account. Check that the three records from the ΓÇ£hotelsΓÇ¥ topic are created in your account.

+* [Perform bulk operations on Azure Cosmos DB data](./bulk-executor-java.md)

+1. Sign in to the [Azure portal](https://portal.azure.com/learn.docs.microsoft.com) and navigate to your Azure Cosmos DB account.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com) and navigate to your Azure Cosmos DB account.

+The query uses fields in the original items.

+- [`ToString`](tostring.md)

+ Title: INDEX_OF

+description: An Azure Cosmos DB for NoSQL system function that returns the index of the first occurrence of a string.

+# INDEX_OF (NoSQL query)

+Returns the starting index of the first occurrence of a substring expression within a specified string expression.

+INDEX_OF(<string_expr_1>, <string_expr_2> [, <numeric_expr>])

+| | Description |

+| | |

+| **`string_expr_1`** | A string expression that is the target of the search. |

+| **`string_expr_2`** | A string expression with the substring that is the source of the search (or to search for). |

+| **`numeric_expr` *(Optional)*** | An optional numeric expression that indicates where, in `string_expr_1`, to start the search. If not specified, the default value is `0`. |

+The following example returns the index of various substrings inside the larger string **"AdventureWorks"**.

+- [`SUBSTRING`](substring.md)

+- This function benefits from a [range index](../../index-policy.md#includeexclude-strategy).

+ Title: LOG

+description: An Azure Cosmos DB for NoSQL system function that returns the natural logarithm of the specified numeric expression

+# LOG (NoSQL query)

+Returns the natural logarithm of the specified numeric expression.

+LOG(<numeric_expr> [, <numeric_base>])

+| | Description |

+| | |

+| **`numeric_expr`** | A numeric expression. |

+| **`numeric_base` *(Optional)*** | An optional numeric value that sets the base for the logarithm. If not set, the default value is the natural logarithm approximately equal to `2.718281828``. |

+Returns a numeric expression.

+The following example returns the logarithm value of various values.

+## Remarks

+- This function doesn't use the index.

+- The natural logarithm of the exponential of a number is the number itself: `LOG( EXP( n ) ) = n`. And the exponential of the natural logarithm of a number is the number itself: `EXP( LOG( n ) ) = n`.

+- [`LOG10`](log10.md)

+ Title: LOG10

+description: An Azure Cosmos DB for NoSQL system function that returns the base-10 logarithm of the specified numeric expression

+# LOG10 (NoSQL query)

+Returns the base-10 logarithm of the specified numeric expression.

+LOG10(<numeric_expr>)

+| | Description |

+| | |

+| **`numeric_expr`** | A numeric expression. |

+Returns a numeric expression.

+The following example returns the logarithm value of various values.

+## Remarks

+- This function doesn't use the index.

+- The `LOG10` and `POWER` functions are inversely related to one another.

+- [`LOG`](log.md)

+- This function doesn't use the index.

+- This function doesn't use the index.

+This next example uses a field from an existing item.

+This query rounds the previous field using the function.

+- This function returns `undefined` if the specified bin size is `0`.

+ Title: RIGHT

+description: An Azure Cosmos DB for NoSQL system function that returns a substring from the right side of a string.

+# RIGHT (NoSQL query)

+Returns the right part of a string up to the specified number of characters.

+RIGHT(<string_expr>, <numeric_expr>)

+| | Description |

+| | |

+| **`string_expr`** | A string expression. |

+| **`numeric_expr`** | A numeric expression specifying the number of characters to extract from `string_expr`. |

+Returns a string expression.

+The following example returns the right part of the string `Microsoft` for various length values.

+- This function benefits from a [range index](../../index-policy.md#includeexclude-strategy).

+- [`LEFT`](left.md)

+It's strongly recommended to use version 4.48.0 and above.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com) and navigate to the restored account.

+1. Sign in to the [Azure portal](https://portal.azure.com) and navigate to your Azure Cosmos DB account.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+When you reserve capacity for your Azure Cosmos DB resources, you are reserving [provisioned throughput](set-throughput.md). If the provisioned throughput is exceeded, requests beyond that provisioning will be billed using pay-as-you go rates. For more information on reservations, see the [Azure reservations](../cost-management-billing/reservations/save-compute-costs-reservations.md) article. For more information on provisioned throughput, see [provisioned throughput types](how-to-choose-offer.md#overview-of-provisioned-throughput-types).

+This article describes how to identify the restore time and restore a live or deleted Azure Cosmos DB account. It shows how to restore the account using the [Azure portal](#restore-account-portal), [PowerShell](#restore-account-powershell), [CLI](#restore-account-cli), or an [Azure Resource Manager template](#restore-arm-template).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com) and navigate to the restored account.

+* Provision continuous backup using the [Azure portal](provision-account-continuous-backup.md#provision-portal), [PowerShell](provision-account-continuous-backup.md#provision-powershell), [CLI](provision-account-continuous-backup.md#provision-cli), or [Azure Resource Manager](provision-account-continuous-backup.md#provision-arm-template).

+1. Sign in to the [Azure portal](https://portal.azure.com) and navigate to your Azure Cosmos DB account.

+* [Performance tips for Azure Cosmos DB and .NET SDK v2](performance-tips.md)

+> As of February 20, 2023 indirect EA customers no longer manage their billing account in the EA portal. Instead, they use the Azure portal.

+> Until August 14, 2023, this change doesnΓÇÖt affect customers with Azure Government EA enrollments. They continue using the EA portal to manage their enrollment until then. However, after August 14, 2023, EA customers won't be able to manage their Azure Government EA enrollments from the [Azure portal](https://portal.azure.com). Instead, they can manage it from the Azure Government portal at [https://portal.azure.us](https://portal.azure.us). The functionality mentioned in this article the same as the Azure Government portal.

+1. Sign in to the [Azure portal](https://portal.azure.com/#blade/Microsoft_Azure_GTM/ModernBillingMenuBlade/AllBillingScopes).

+ - For Azure global, the URL is `https://signup.azure.com/signup?offer=MS-AZR-0017P&appId=IbizaCatalogBlade`.

+ - For Azure Government, the URL is `https://signup.azure.us/signup?offer=MS-AZR-0017P&appId=IbizaCatalogBlade`.

+1. Go to [Link to a partner ID](https://portal.azure.com/#blade/Microsoft_Azure_Billing/managementpartnerblade) in the Azure portal and sign in.

+1. Enter the [Microsoft Cloud Partner Program](https://partner.microsoft.com/) ID for your organization. Be sure to use the **Associated Partner ID** shown on your partner center profile. It's typically known as your [partner location ID](/partner-center/account-structure).

+1. Sign in to the [Azure portal](https://portal.azure.com) as the Account Administrator and navigate to **Cost Management + Billing**.

+1. Sign in to the [Azure portal](https://portal.azure.com) as the Account Administrator.

+1. Sign in to the [Azure portal](https://portal.azure.com) as the Account Administrator.

+ - **Edge:** Open **Settings** (the three dots by your profile picture), select **New InPrivate window**, and then browse and sign in to the [Azure portal](https://portal.azure.com).

+ - **Edge:** Open **Settings** (the three dots by your profile picture), select **New InPrivate window**, and then browse and sign in to the [Azure portal](https://portal.azure.com).

+**Scenario:** You receive the error signing into the [Azure portal](https://portal.azure.com).

+If you have questions or need help but can't sign in to the Azure portal, [create a support request](https://support.microsoft.com/oas/?prid=15470).

+Direct EA customers can complete all administrative tasks in the Azure portal. You can use the [Azure portal](https://portal.azure.com) to manage billing, costs, and Azure services.

+Enterprise administrators have the most privileges when managing an Azure EA enrollment. The initial Azure EA admin was created when the EA agreement was set up. However, you can add or remove new admins at any time. New admins are only added by existing admins. For more information about adding additional enterprise admins, see [Create another enterprise admin](ea-portal-administration.md#create-another-enterprise-administrator). Direct EA customers can use the Azure portal to add EA admins, see [Create another enterprise admin on Azure portal](direct-ea-administration.md#add-another-enterprise-administrator). For more information about billing profile roles and tasks, see [Billing profile roles and tasks](understand-mca-roles.md#billing-profile-roles-and-tasks).

+> If the Account Owner is a service account and doesn't have an email, use an In-Private session to sign in to the Azure portal and navigate to Cost Management to be prompted to accept the activation welcome email.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com) and navigate to **Cost Management + Billing**.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+ Title: How an Azure Databricks prepurchase discount is applied

+description: Learn how an Azure Databricks prepurchase discount applies to your usage. You can use these Databricks at any time during the purchase term.

+# How Azure Databricks prepurchase discount is applied

+You can use prepurchased Azure Databricks commit units (DBCU) at any time during the purchase term. Any Azure Databricks usage is deducted from the prepurchased DBCUs automatically.

+Unlike VMs, prepurchased units don't expire on an hourly basis. You can use them at any time during the term of the purchase. To get the prepurchase discounts, you don't need to redeploy or assign a prepurchased plan to your Azure Databricks workspaces for the usage.

+The prepurchase discount applies only to Azure Databricks unit (DBU) usage. Other charges such as compute, storage, and networking are charged separately.

+## Prepurchase discount application

+Databricks prepurchase applies to all Databricks workloads and tiers. You can think of the prepurchase as a pool of prepaid Databricks commit units. Usage is deducted from the pool, regardless of the workload or tier. Usage is deducted in the following ratio:

+| All Purpose Photon | NA | 0.55 |

+For example, when a quantity of Data Analytics ΓÇô Standard tier is consumed, the prepurchased Databricks commit units is deducted by 0.4 units. When a quantity of Data Engineering Light ΓÇô Standard tier is used, the prepurchased Databricks commit unit is deducted by 0.07 units.

+When the prepurchase discount applies to your Databricks usage, on-demand charges appear as zero in the usage data. For more information about reservation costs and usage, see [Get Enterprise Agreement reservation costs and usage](understand-reserved-instance-usage-ea.md).

+- To learn more about prepurchasing Azure Databricks to save money, see [Optimize Azure Databricks costs with a pre-purchase](prepay-databricks-reserved-capacity.md).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+- For more information about reservations, see [What are Azure Reservations?](save-compute-costs-reservations.md).

+1. Sign in to the [Azure portal](https://portal.azure.com) and navigate to **Cost Management + Billing**.

+You can assign these roles from the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com) and navigate to **Cost Management + Billing**.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com) and navigate to **Cost Management + Billing**.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+- [Manage Azure savings plans](manage-savings-plan.md).

+[Learn about the Reserve Bank of India directive; Restriction on storage of actual card data](https://rbidocs.rbi.org.in/rdocs/notification/PDFs/DPSSC09B09841EF3746A0A7DC4783AC90C8F3.PDF)

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+ Title: Monitor an integration runtime within a managed virtual network

+description: Learn how to monitor an integration runtime within an Azure Data Factory managed virtual network.

+# Monitor an integration runtime within a managed virtual network

+You can use an Azure Data Factory managed virtual network to securely connect your data sources to a virtual network that the Data Factory service manages. By using this capability, you can establish a private and isolated environment for your data integration and orchestration processes.

+When you use a managed virtual network, you combine the data integration and orchestration capabilities in Data Factory with the security and flexibility of Azure virtual networks. It empowers you to build robust, scalable, and secure data integration pipelines that seamlessly connect to your network resources, whether they're on-premises or in the cloud.

+One common problem of managed compute is the lack of visibility into performance and health, especially within a managed virtual network environment. Without proper monitoring, identifying and resolving problems becomes challenging and can lead to potential delays, errors, and performance degradation.

+By using enhanced monitoring in Data Factory, you can gain valuable insights into your data integration processes. These insights can lead to improved efficiency, better resource utilization, and enhanced overall performance. With proactive monitoring and timely alerts, you can address issues, optimize workflows, and ensure the smooth execution of your data integration pipelines within the managed virtual network environment.

+The introduction of new metrics enhances the visibility and monitoring capabilities within managed virtual network environments.

+Azure Data Factory provides three distinct types of compute pools:

+- Compute for a copy activity

+- Compute for a pipeline activity, such as a lookup

+- Compute for an external activity, such as an Azure Databricks notebook

+These compute pools offer flexibility and scalability to accommodate diverse workloads and allocate resources optimally. Each is tailored to handle specific activity execution requirements.

+To help ensure consistent and comprehensive monitoring across all compute pools, we've implemented the same sets of monitoring metrics:

+- Capacity utilization

+- Available capacity percentage

+- Waiting queue length

+Regardless of the type of compute pool that you're using, you can access and analyze a standardized set of metrics to gain insights into the performance and health of your data integration activities.

+> [!NOTE]

+> These metrics are valid only when you're enabling time-to-live (TTL) in an integration runtime within a managed virtual network.

+|Copy capacity utilization of MVNet integration runtime|Percent|The maximum percentage of Data Integration Unit (DIU) utilization for TTL copy activities in a managed virtual network's integration runtime within a 1-minute window.|

+|Copy available capacity percentage of MVNet integration runtime|Percent|The maximum percentage of available DIU for TTL copy activities in a managed virtual network's integration runtime within a 1-minute window.|

+|Copy waiting queue length of MVNet integration runtime|Count|The waiting queue length of TTL copy activities in a managed virtual network's integration runtime within a 1-minute window.|

+|Pipeline capacity utilization of MVNet integration runtime|Percent|The maximum percentage of DIU utilization for pipeline activities in a managed virtual network's integration runtime within a 1-minute window.|

+|Pipeline available capacity percentage of MVNet integration runtime|Percent|The maximum percentage of available DIU for pipeline activities in a managed virtual network's integration runtime within a 1-minute window.|

+|Pipeline waiting queue length of MVNet integration runtime|Count|The waiting queue length of pipeline activities in a managed virtual network's integration runtime within a 1-minute window.|

+|External capacity utilization of MVNet integration runtime|Percent|The maximum percentage of DIU utilization for external activities in a managed virtual network's integration runtime within a 1-minute window.|

+|External available capacity percentage of MVNet integration runtime|Percent|The maximum percentage of available DIU for external activities in a managed virtual network's integration runtime within a 1-minute window.|

+|External waiting queue length of MVNet integration runtime|Count|The waiting queue length of external activities in a managed virtual network's integration runtime within a 1-minute window.|

+By using the metrics, you can seamlessly track and assess the performance and robustness of your integration runtime within a managed virtual network. You can also uncover potential areas for continuous improvement by optimizing the compute settings and workflow to maximize efficiency.

+To provide more clarity on the practical application of these metrics, here are a few example scenarios.

+If you observe that capacity utilization is below 100 percent and the available capacity percentage is high, the compute resources that you reserved are being efficiently utilized.

+If the waiting queue length remains consistently low or experiences occasional short spikes, we advise you to queue other activities until the capacity utilization reaches 100 percent. This approach helps ensure optimal utilization of resources and helps maintain a smooth workflow with minimal delays.

+### Performance oriented

+If you observe that capacity utilization is consistently low, and the waiting queue length remains consistently low or experiences occasional short spikes, the compute resources that you reserved are higher than the demand for activities.

+In such cases, regardless of whether the available capacity percentage is high or low, we recommend that you reduce the allocated compute resources to lower your costs. By rightsizing the compute to match the workload requirements, you can optimize your resource utilization and save costs without compromising the efficiency of your operations.

+### Cost oriented

+If you notice that all metrics (including capacity utilization, available capacity percentage, and waiting queue length) are high, the compute resources that you reserved are likely insufficient for your activities.

+In this scenario, we recommend that you increase the allocated compute resources to reduce queue time. Adding more compute capacity helps ensure that your activities have sufficient resources to run efficiently, which minimizes any delays that a crowded queue causes.

+If you notice that the available capacity percentage fluctuates between low and high within a specific time period, it's likely due to the intermittent execution of your activities. That is, the TTL period that you configured is shorter than the interval between your activities. This problem can have a significant impact on the performance of your workflow and can increase costs, because we charge for the warm-up time of the compute for up to 2 minutes.

+To address this problem, there are two possible solutions:

+- Queue more activities to maintain a consistent workload and utilize the available compute resources more effectively. By keeping the compute continuously engaged, you can avoid the warm-up time and achieve better performance.

+- Consider enlarging the TTL period to align with the interval between your activities. This approach keeps the compute resources available for a longer duration, which reduces the frequency of warm-up periods and optimizes cost efficiency.

+Advance to the following article to learn about managed virtual networks and managed private endpoints: [Azure Data Factory managed virtual network](managed-virtual-network-private-endpoint.md).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+| **DropReasons** | Analysis of causes of dropped packets. The keys include `Protocol violation invalid TCP`. `syn Protocol violation invalid TCP`, `Protocol violation invalid UDP`, `UDP reflection`, `TCP rate limit exceeded`, `UDP rate limit exceeded`, `Destination limit exceeded`, `Other packet flood Rate limit exceeded`, and `Packet was forwarded to service`. Protocol violation invalid drop reasons refer to malformed packets. |

+1. Sign in to the [Azure portal](https://portal.azure.com).

+## Data sharing

+When you enable Defender for Storage Malware Scanning, it may share metadata, including metadata classified as customer data (e.g. SHA-256 hash), with Microsoft Defender for Endpoint.

+Data is kept logically separate on each component throughout the service. All data is tagged per organization. This tagging persists throughout the data lifecycle, and it's enforced at each layer of the service.

+We adhere to the [Microsoft Online Services Data Protection Addendum](https://www.microsoftvolumelicensing.com/Downloader.aspx?DocumentId=17880), which states that Microsoft won't use customer data or derive information from it for any advertising or similar commercial purposes. We only use customer data as needed to provide you with Azure services, including purposes compatible with providing those services. You retain all rights to customer data.

+The Log Analytics agent scans for various security-related configurations and events it into [Event Tracing for Windows](/windows/win32/etw/event-tracing-portal) (ETW) traces. In addition, the operating system raises event log events during the course of running the machine. Examples of such data are: operating system type and version, operating system logs (Windows event logs), running processes, machine name, IP addresses, logged in user, and tenant ID. The Log Analytics agent reads event log entries and ETW traces and copies them to your workspace(s) for analysis. The Log Analytics agent also enables process creation events and command line auditing.

+| Europe (excluding United Kingdom) | Europe |

+| Asia (excluding India, Japan, Korea, China) | Asia Pacific |

+To learn more about Microsoft Defender for Cloud, see [What is Microsoft Defender for Cloud?](defender-for-cloud-introduction.md).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+Azure account | You need an Azure account to sign in to the Azure portal.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Search for and select **Management Groups**.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Search for and select **Management Groups**.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. In [Defender for IoT](https://portal.azure.com/#view/Microsoft_Azure_IoT_Defender/IoTDefenderDashboard/~/Getting_started) in the Azure portal, go to the **Alerts** page. By default, alerts are sorted by the **Last detection** column, from most recent to oldest alert, so that you can first see the latest alerts in your network.

+> [Enhance security posture with security recommendations](recommendations.md)

+1. Sign in to the [Azure portal](https://portal.azure.com).

+### Sign in via the [Azure portal](https://portal.azure.com)

+1. Choose or enter the email address to authenticate.

+ 

+2. Once youΓÇÖre logged in, go to Subscriptions under Azure Services.

+ 

+3. Select **+ Add**.

+4. This action takes you to a page where you can find the eligible offers.

+5. Select the correct subscription offer to associate with your account.

+> This method uses the login credentials you used when signing in to the Azure portal. This way of signing in has a higher probability of associating your subscription with your organizationΓÇÖs directory through your corporate Microsoft Account.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+The chosen Educators should now receive an email inviting them to visit the Education Hub to begin using these Credits. Ensure the Educators sign in to the Azure portal with the account associated with the credit's billing profile.

+> Possible values for `Status` are:

+> - `Delivered`: The message was successfully handed over to the intended destination (recipient Mail Transfer Agent).

+> - `Suppressed`: The recipient email had hard bounced previously, and all subsequent emails to this recipient are being temporarily suppressed as a result.

+> - `Bounced`: The email hard bounced, which may have happened because the email address does not exist or the domain is invalid.

+> - `Quarantined`: The message was quarantined (as spam, bulk mail, or phishing).

+> - `FilteredSpam`: The message was identified as spam, and was rejected or blocked (not quarantined).

+> - `Expanded`: A distribution group recipient was expanded before delivery to the individual members of the group.

+> - `Failed`: The message wasn't delivered.

+> Possible values for `engagementType` are `View` and `Click`. When the `engagementType` is `Click`, `engagementContext` is the link in the Email sent which was clicked.

+This article shows you how to create, view, and manage event subscriptions to namespace topics in Azure Event Grid.

+This article shows you how to create, view, and manage namespace topics in Azure Event Grid.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. In a new tab or new window of a web browser, sign in to the [Azure portal](https://portal.azure.com).

+Access control enables you to manage the authorization of clients to publish or subscribe to topics, using a role-based access control model. Given the enormous scale of IoT environments, assigning permission for each client to each topic is incredibly tedious. Event GridΓÇÖs flexible access control tackles this scale challenge through grouping clients and topics into client groups and topic spaces.

+The main components of the access control model are:

+ Title: 'Overview of MQTT Support in Azure Event Grid (preview)'

+Azure Event Grid enables your MQTT clients to communicate with each other and with Azure services, to support your Internet of Things (IoT) solutions.

+Event GridΓÇÖs MQTT support enables you to accomplish the following scenarios:

+- Must not be `specversion`, `id`, `time`, `type`, `source`, `subject`, `datacontenttype`, `dataschema`, `data`, or `data_base64`.

+- Must not start with `azsp`.

+- Unspecified client attributes/user properties: if a dynamic enrichment pointed to a client attribute/user property that doesnΓÇÖt exist, the enrichment will include the specified key with an empty string for a value. For example, `emptyproperty`: "".

+- Arrays: Arrays in client attributes and duplicate user properties are transformed to a comma-separated string. For example: if the enriched client attribute is set to be ΓÇ£arrayΓÇ¥: ΓÇ£value1ΓÇ¥, ΓÇ£value2ΓÇ¥, ΓÇ£value3ΓÇ¥, the resulting enriched property will be `array`: `value1,value2,value3`. Another example: if the same MQTT publish request has the following user properties > "userproperty1": "value1", "userproperty1": "value2", resulting enriched property will be `userproperty1`: `value1,value2`.

+- You need to assign "Event Grid Data Sender" role to yourself on the Event Grid custom topic.

+ - In the "Role" tab, select "Event Grid Data Sender", then select "Next".

+>- MQTT v3.1.1 and v5.0 support (preview)

+>- Pull-style event consumption using HTTP (preview)

+>The initial regions where these features are available are: East US, Central US, South Central US, West US 2, East Asia, Southeast Asia, North Europe, West Europe, UAE North

+**MQTT messaging (preview)**. IoT devices and applications can communicate with each other over MQTT. Event Grid can also be used to route MQTT messages to Azure services or custom endpoints for further data analysis, visualization, or storage. This integration with Azure services enables you to build data pipelines that start with data ingestion from your IoT devices.

+**Data distribution using push and pull delivery (preview) modes**. At any point in a data pipeline, HTTP applications can consume messages using push or pull APIs. The source of the data may include MQTT clientsΓÇÖ data, but also includes the following data sources that send their events over HTTP:

+### MQTT messaging (preview)

+- **Flexible event consumption model** ΓÇô when using HTTP, consume events using pull (preview) or push delivery mode.

+> Private links are available with pull delivery, not with push delivery. This is not a gap. Private links “…[enables you to access Azure PaaS Services](../private-link/private-link-overview.md)…” That is, private links were designed to be used when you connect to Event Grid for publishing events or receiving events, not when Event Grid is connecting (sending events) to your webhook or Azure Service.

+Azure Event Grid uses a pay-per-event pricing model. You only pay for what you use. For the push-style delivery that is generally available, the first 100,000 operations per month are free. Examples of operations include event publication, event delivery, delivery attempts, event filter evaluations that refer to event data properties (sometimes referred to as Advanced Filters), and events sent to a dead letter location. For details, see the [pricing page](https://azure.microsoft.com/pricing/details/event-grid/).

+Follow the steps in this article if you need to send application events to Event Grid so that they're received by consumer clients. Consumers connect to Event Grid to read the events ([pull delivery](pull-delivery-overview.md)).

+>[!NOTE]

+> - Namespaces, namespace topics, and event subscriptions associated to namespace topics are initially available in the following regions: East US, Central US, South Central US, West US 2, East Asia, Southeast Asia, North Europe, West Europe, UAE North

+> - The Azure [CLI Event Grid extension](/cli/azure/eventgrid) does not yet support namespaces and any of the resources it contains. We will use [Azure CLI resource](/cli/azure/resource) to create Event Grid resources.

+> - Azure Event Grid namespaces currently supports Shared Access Signatures (SAS) token and access keys authentication.

+Retrieve the namespace hostname. You use it to compose the namespace HTTP endpoint to which events are sent. Note that the following operations were first available with API version `2023-06-01-preview`.

+If the acknowledge operation is executed before the lock token expires (300 seconds as set when we created the event subscription), you should see a response like the following example:

+1. Sign in to the [Azure portal](https://portal.azure.com).

+>[!NOTE]

+- Pull.style event consumption using HTTP

+### Pull delivery using HTTP (preview)

+### MQTT messaging (preview)

+1. Sign in to the [Azure portal](https://portal.azure.com).

+> [!NOTE]

+> Although it is possible to connect up to 16 circuits to your virtual network, the outgoing traffic from your virtual network will be load-balanced using Equal-Cost Multipath (ECMP) across a maximum of 4 circuits.

+ > [!NOTE]

+ > ExpressRoute is a Trusted Service within Azure that supports Network Security policies within the Azure Key Vault. For more information refer to [Configure Azure Key Vault Firewall and Virtual Networks](https://learn.microsoft.com/azure/key-vault/general/network-security)

+> [!NOTE]

+> By default, Passive FTP is enabled, and Active FTP needs additional configured on Azure Firewall. For instructions, see next section.

+>

+> Most FTP servers do not accept data and control channels from different source IP addresses for security reasons. Hence, FTP sessions via Azure Firewall are required to connect with a single client IP. This implies E-W FTP traffic should never be SNATΓÇÖed with Azure Firewall Private IP and instead use client IP for FTP flows. Likewise for internet FTP traffic, it is recommended to provision Azure Firewall with a single public IP for FTP connectivity. It is recommended to use NAT Gateway to avoid SNAT exhaustion.

+|Outbound VNet - Internet<br><br>(FTP client in VNet, server on Internet) |Not supported *|Network Rules to configure:<br>- Allow From Source VNet to Dest IP port 21<br>- Allow From Source VNet to Dest IP \<Range of Data Ports> |

+|Inbound DNAT<br><br>(FTP client on Internet, FTP server in VNet) |DNAT rule to configure:<br>- DNAT From Internet Source to VNet IP port 21<br><br>Network rule to configure:<br>- Allow **traffic from** FTP server IP **to** the internet client IP on the active FTP port ranges. |Tip: Azure Firewall supports limited number of DNAT rules. It's important to configure the FTP server to use a small port range on the Data channel.<br><br>DNAT Rules to configure:<br>- DNAT From Internet Source to VNet IP port 21<br>- DNAT From Internet Source to VNet IP \<Range of Data Ports> |

+|[Machines should have secret findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3ac7c827-eea2-4bde-acc7-9568cd320efa) |Audits virtual machines to detect whether they contain secret findings from the secret scanning solutions on your virtual machines. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerSecretAssessment_Audit.json) |

+|[Machines should have secret findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3ac7c827-eea2-4bde-acc7-9568cd320efa) |Audits virtual machines to detect whether they contain secret findings from the secret scanning solutions on your virtual machines. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerSecretAssessment_Audit.json) |

+[New Zealand ISM Restricted](https://www.nzism.gcsb.govt.nz/ism-document). To understand

+1. Sign in to the [Azure portal](https://portal.azure.com).

+User can either [sign in to your Azure subscription](#sign-in-to-your-azure-subscription), or [link a HDInsight cluster](#link-a-cluster). Use the Ambari username/password or domain joined credential to connect to your HDInsight cluster.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+The MedTech service can receive messages from devices you create and manage through an IoT hub in [Azure IoT Hub](../../iot-hub/iot-concepts-and-iot-hub.md). This tutorial uses an Azure Resource Manager template (ARM template) and a **Deploy to Azure** button to deploy a MedTech service. The template also deploys an IoT hub to create and manage devices, and message routes device messages to an event hub for the MedTech service to read and process. After device data processing, the FHIR resources are persisted into a FHIR service, which is also included in the template.

+> To learn how the MedTech service transforms and persists device data into the FHIR service as FHIR resources, see [Overview of the MedTech service device data processing stages](overview-of-device-data-processing-stages.md).

+- Microsoft.HealthcareApis, Microsoft.EventHub, and Microsoft.Devices resource providers registered with your Azure subscription. To learn more, see [Azure resource providers and types](../../azure-resource-manager/management/resource-providers-and-types.md).

+ - **Fhir Contributor Principle Id** (optional): An Azure Active Directory (Azure AD) user object ID to provide FHIR service read/write permissions.

+ You can use this account to give access to the FHIR service to view the FHIR Observations that are generated in this tutorial. We recommend that you use your own Azure AD user object ID so you can access the messages in the FHIR service. If you choose not to use the **Fhir Contributor Principle Id** option, clear the text box.

+3. In **Review + create**, check the template validation status. If validation is successful, the template displays **Validation Passed**. If validation fails, fix the issue that's indicated in the error message, and then select **Review + create** again.

+When the deployment completes, the following resources and access roles are created:

+2. In Explorer, under **Azure IoT Hub**, select **…** and choose **Select IoT Hub**.

+ * **Edit**: Clear any existing text, and then copy/paste the following test message JSON.

+ > You can use the **Copy** option in in the right corner of the below test message, and then paste it within the **Edit** window.

+ "HeartRate": 78,

+ "RespiratoryRate": 12,

+ "HeartRateVariability": 30,

+ "BodyTemperature": 98.6,

+ "BloodPressure": {

+ "Systolic": 120,

+ "Diastolic": 80

+ }

+ }

+Now that you have successfully sent a test message to your IoT hub, you can now review your MedTech service metrics. Review metrics to verify that your MedTech service received, grouped, transformed, and persisted the test message into your FHIR service. To learn more, see [How to use the MedTech service monitoring and health checks tabs](how-to-use-monitoring-and-health-checks-tabs.md#use-the-medtech-service-monitoring-tab).

+* **Number of Incoming Messages**: Received the incoming test message from the event hub.

+* **Number of FHIR resources**: Created five FHIR resources that are persisted into your FHIR service.

+To learn about methods of deploying the MedTech service, see

+The following example shows a request body that updates the display name of a dashboard and adds the dashboard to the list of favorites:

+ "favorite": true

+ "favorite": true

+ "displayName": "Blob Storage",

+ "authorization": {

+ "type": "connectionString",

+ "connectionString": "DefaultEndpointsProtocol=https;AccountName=yourAccountName;AccountKey=*****;EndpointSuffix=core.windows.net",

+ "containerName": "central-data"

+ },

+ "displayName": "Blob Storage",

+ "authorization": {

+ "type": "connectionString",

+ "connectionString": "DefaultEndpointsProtocol=https;AccountName=yourAccountName;AccountKey=*****;EndpointSuffix=core.windows.net",

+ "containerName": "central-data"

+ },

+You can use this call to perform an incremental update to an export. The sample request body looks like the following example that updates the `connectionString` of a destination:

+ "connectionString": "DefaultEndpointsProtocol=https;AccountName=yourAccountName;AccountKey=********;EndpointSuffix=core.windows.net"

+ "authorization": {

+ "type": "connectionString",

+ "connectionString": "DefaultEndpointsProtocol=https;AccountName=yourAccountName;AccountKey=*****;EndpointSuffix=core.windows.net",

+ "containerName": "central-data"

+ },

+}

+ }

+ "value": "My value 2"

+The following sample request body updates the `SendInterval` desired property setting for the `SimuatedTemperatureSetting` module:

+ "SendInterval": 30

+ "SendInterval": 30

+The sample request body looks like the following example that adds a `LastMaintenanceDate` cloud property to the `capabilityModel` in the device template:

+The following sample request body changes the `enabled` field to `false`:

+ "enabled": false

+ "displayName": "CheckoutThermostat",

+ "enabled": false

+The following example shows a request body that updates the parent of the organization:

+Use the following request to update a file upload blob storage account connection string in your IoT Central application:

+ "connectionString": "DefaultEndpointsProtocol=https;AccountName=yourAccountName;AccountKey=*****;BlobEndpoint=https://yourAccountName.blob.core.windows.net/"

+ "container": "yourContainerName",

+ "state": "succeeded",

+ "etag": "\"7502ac89-0000-0300-0000-627eaf100000\""

+ * Use the Azure Cloud Shell, an interactive shell that runs CLI commands in your browser. This option is recommended because you don't need to install anything. If you're using Cloud Shell for the first time, sign in to the [Azure portal](https://portal.azure.com). Follow the steps in [Cloud Shell quickstart](../cloud-shell/quickstart.md) to **Start Cloud Shell** and **Select the Bash environment**.

+ * Use the Azure Cloud Shell, an interactive shell that runs CLI commands in your browser. This option is recommended because you don't need to install anything. If you're using Cloud Shell for the first time, sign in to the [Azure portal](https://portal.azure.com). Follow the steps in [Cloud Shell quickstart](../cloud-shell/quickstart.md) to **Start Cloud Shell** and **Select the Bash environment**.

+1. Open a command window and go to the folder where you unzipped the IoT C# SDK. Find the folder with the arm-read-write.csproj file. You create the environment variables in this command window. Sign in to the [Azure portal](https://portal.azure.com) to get the keys. Select **Resource Groups** then select the resource group used for this quickstart.

+1. Sign in to the [Azure portal](https://portal.azure.com) and select the Resource Group, then select the storage account.

+To remove the resources added during this quickstart, sign in to the [Azure portal](https://portal.azure.com). Select **Resource Groups**, then find the resource group you used for this quickstart. Select the resource group and then select *Delete*. It will delete all of the resources in the group.

+IoT Hub supports [Azure availability zones](../availability-zones/az-overview.md). An availability zone is a high-availability offering that protects your applications and data from datacenter failures. A region with availability zone support comprises three zones supporting that region. Each zone provides one or more datacenters, each in a unique physical location with independent power, cooling, and networking. This configuration provides replication and redundancy within the region.

+Availability zones provide two advantages: data resiliency and smoother deployments.

+*Data resiliency* comes from replacing the underlying storage services with availability-zones-supported storage. Data resilience is important for IoT solutions because these solutions often operate in complex, dynamic, and uncertain environments where failures or disruptions can have significant consequences. Whether an IoT solution supports a manufacturing floor, retail or restaurant environments, healthcare systems, or infrastructure, the availability and quality of data is necessary to recover from failures and to provide reliable and consistent services.

+*Smoother deployments* come from replacing the underlying data center hardware with newer hardware that supports availability zones. These hardware improvements minimize customer impact from device disconnects and reconnects as well as other deployment-related downtime. The IoT Hub engineering team deploys multiple updates to each IoT hub ever month, for both security reasons and to provide feature improvements. Availability-zones-supported hardware is split into 15 update domains so that each update goes smoother, with minimal impact to your workflows. For more information about update domains, see [Availability sets](../virtual-machines/availability-set-overview.md).

+Availability zone support for IoT Hub is enabled automatically for new IoT Hub resources created in the following Azure regions:

+| Region | Data resiliency | Smoother deployments |

+| | | |

+| Australia East | :::image type="icon" source="./media/icons/yes-icon.png"::: | :::image type="icon" source="./media/icons/yes-icon.png"::: |

+| Brazil South | :::image type="icon" source="./media/icons/yes-icon.png"::: | :::image type="icon" source="./media/icons/yes-icon.png"::: |

+| Canada Central | :::image type="icon" source="./media/icons/yes-icon.png"::: | :::image type="icon" source="./media/icons/yes-icon.png"::: |

+| Central India | :::image type="icon" source="./media/icons/no-icon.png"::: | :::image type="icon" source="./media/icons/yes-icon.png"::: |

+| Central US | :::image type="icon" source="./media/icons/yes-icon.png"::: | :::image type="icon" source="./media/icons/yes-icon.png"::: |

+| East US | :::image type="icon" source="./media/icons/no-icon.png"::: | :::image type="icon" source="./media/icons/yes-icon.png"::: |

+| France Central | :::image type="icon" source="./media/icons/yes-icon.png"::: | :::image type="icon" source="./media/icons/yes-icon.png"::: |

+| Germany West Central | :::image type="icon" source="./media/icons/yes-icon.png"::: | :::image type="icon" source="./media/icons/yes-icon.png"::: |

+| Japan East | :::image type="icon" source="./media/icons/yes-icon.png"::: | :::image type="icon" source="./media/icons/yes-icon.png"::: |

+| Korea Central | :::image type="icon" source="./media/icons/no-icon.png"::: | :::image type="icon" source="./media/icons/yes-icon.png"::: |

+| North Europe | :::image type="icon" source="./media/icons/yes-icon.png"::: | :::image type="icon" source="./media/icons/yes-icon.png"::: |

+| Norway East | :::image type="icon" source="./media/icons/no-icon.png"::: | :::image type="icon" source="./media/icons/yes-icon.png"::: |

+| Qatar Central | :::image type="icon" source="./media/icons/no-icon.png"::: | :::image type="icon" source="./media/icons/yes-icon.png"::: |

+| Southcentral US | :::image type="icon" source="./media/icons/no-icon.png"::: | :::image type="icon" source="./media/icons/yes-icon.png"::: |

+| Southeast Asia | :::image type="icon" source="./media/icons/yes-icon.png"::: | :::image type="icon" source="./media/icons/yes-icon.png"::: |

+| UK South | :::image type="icon" source="./media/icons/yes-icon.png"::: | :::image type="icon" source="./media/icons/yes-icon.png"::: |

+| West Europe | :::image type="icon" source="./media/icons/no-icon.png"::: | :::image type="icon" source="./media/icons/yes-icon.png"::: |

+| West US 2 | :::image type="icon" source="./media/icons/yes-icon.png"::: | :::image type="icon" source="./media/icons/yes-icon.png"::: |

+| West US 3 | :::image type="icon" source="./media/icons/no-icon.png"::: | :::image type="icon" source="./media/icons/yes-icon.png"::: |

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Open a command window and go to the folder where you unzipped the IoT C# SDK. Find the folder with the arm-read-write.csproj file. You create the environment variables in this command window. Sign in to the [Azure portal](https://portal.azure.com) to get the keys. Select **Resource Groups** then select the resource group used for this quickstart.

+1. Sign in to the [Azure portal](https://portal.azure.com) and select the Resource Group, then select the storage account.

+1. Select the **Properties** blade under **Settings**.

+1. Look for the **IP Address** field.

+1. Sign in to the Azure portal.

+1. Select the key vault you wish to configure.

+1. Select the 'Networking' blade.

+1. Select '+ Add existing virtual network'.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+ Title: How Managed HSM implements key sovereignty, availability, performance, and scalability without tradeoffs

+description: A technical description of how Customer Key control is implemented cryptographically by managed HSM

+# Azure Managed HSM: key sovereignty, availability, performance, and scalability

+Cryptographic keys are the root of trust for securing modern computer systems, be they in the cloud or on-premises. As such, controlling who has authority over those keys is critical to building secure and compliant applications. In Azure, our vision of how the key management should be done in the cloud is expressed in the concept of **key sovereignty**, which means a customer's organization has full and exclusive control over what people can access keys and change key management policies; and over what Azure services consume these keys. Once these decisions are made by the customer, Microsoft personnel are prevented through technical means from changing these decisions. The key management service code executes the customer's decisions until the customer tells it to do otherwise, and Microsoft personnel cannot intervene.

+At the same time, it is our belief that every service in the cloud must be fully managed ΓÇô it must provide the availability, resiliency, security and cloud fundamental promises, backed by service level agreements (SLA). In order to deliver a managed service, Microsoft needs to patch key management servers, upgrade HSM firmware, heal failing hardware, perform failovers, etc. ΓÇô high privilege operations. As most security professionals know, denying someone with high privilege or physical access to a system access to the data within that system is a difficult problem. This article explains how we solved this problem in the Managed HSM service (giving customers both full key sovereignty and fully managed service SLAs) by using confidential computing technology paired with Hardware Security Modules (HSMs).

+## The Managed HSM hardware environment

+A customer's Managed HSM pool in any given Azure region is housed in a [secure Azure datacenter](../../security/fundamentals/physical-security.md), with three instances spread over several servers, each deployed in a different rack to ensure redundancy. Each server has a [FIPS 140-2 Level 3](https://csrc.nist.gov/publications/detail/fips/140/2/final) validated Marvell Liquid Security HSM Adapter with multiple cryptographic cores used to create fully isolated HSM partitions including fully isolated credentials, data storage, access control, etc.

+The physical separation of the instances inside the datacenter is critical to ensuring that the loss of a single component (top-of-rack switch, power management unit in a rack, etc.) can't affect all the instances of a pool. These servers are dedicated to the Azure Security HSM team, and are not shared with other Azure teams, and no customer workloads are deployed to these servers. Physical access controls, including locked racks, are used to prevent unauthorized access to the servers. These controls meet FedRAMP-High, PCI, SOC 1/2/3, ISO 270x, and other security and privacy standards, and are regularly independently verified as part of [Azure's compliance program](https://www.microsoft.com/trust-center/compliance/compliance-overview?rtc=1). The HSMs have enhanced physical security, validated to meet FIPS 140-2 Level 3 and the entire Managed HSM service is built on top of the standard [secure Azure platform](../../security/fundamentals/platform.md) including [Trusted Launch](../../virtual-machines/trusted-launch.md), which protects against advanced persistent threats (APTs).

+The HSM adapters can support dozens of isolated HSM partitions. Running on each server is a control process, called Node Service (NS), that takes ownership of each adapter and installs the credentials for the adapter owner, in this case Microsoft. The HSM is designed so that ownership of the adapter does not provide Microsoft with access to data stored in customer partitions. It only allows Microsoft to create, resize and delete customer partitions, and it supports taking blind backups of any partition for the customer. A blind backup is one wrapped by a customer provided key that can be restored by the service

+code only inside an HSM instance owned by the customer, and whose contents are not readable by Microsoft.

+### Architecture of a Managed HSM Pool

+Figure 1 below show the architecture of an HSM pool, which consists of three Linux VMs, each running on an HSM server in its own datacenter rack to support availability. The important components are:

+- The HSM fabric controller (HFC) is the control plane for the service, which drives automated patching and repairs for the pool.

+- A FIPS 140-2 Level 3 compliant cryptographic boundary, exclusive for each customer, including three Intel SGX confidential enclaves, each connected to an HSM instance. The root keys for this boundary are generated and stored in the three HSMs. As we will describe, no Microsoft person has access to the data within this boundary; only service code running in the SGX enclave (including the Node Service agent), acting on behalf of the customer, has access.

+

+### The trusted execution environment (TEE)

+A Managed HSM pool consists of three service instances each implemented as a Trusted Execution Environment (TEE) which uses [Intel Secure Guard Extensions (SGX)](https://www.intel.com/content/www/us/en/architecture-and-technology/software-guard-extensions.html) capabilities and the [Open Enclave SDK](https://openenclave.io/sdk/). Execution within a TEE ensures that no person on either the VM hosting the service or the VM's host server has access to customer secrets, data, or the HSM partition. Each TEE is dedicated to a specific customer, and it runs TLS management, request handling, and access control to the HSM partition. No credentials or customer-specific data encryption keys exist in the clear outside this TEE, except as part of the Security Domain package. That package is encrypted to customer-provided key and downloads when their pool is first created.

+The TEEs communicate among themselves using [attested TLS](https://arxiv.org/pdf/1801.05863.pdf), which combines the remote attestation capabilities of the SGX platform with TLS 1.2. This allows MSHM code in the TEE to limit its communication to only other code signed by the same MHSM service code signing key, preventing man-in-the-middle attacks. The MHSM service's code signing key is stored in Microsoft's Product Release and Security Service (which is also used to store, for example, the Windows code signing key), and is controlled by the Managed HSM team. As part of our regulatory and compliance obligations for change management, this key cannot be used by any other Microsoft team to sign their code.

+The TLS certificates used for TEE to TEE communication are self-issued by the service code inside the TEE, and contain what is called a platform report generated by the Intel SGX enclave on the server. The platform report is signed with keys derived from keys fused by Intel into the CPU when it's manufactured. The report identifies the code that is loaded into the SGX enclave by its code signing key and binary hash. Given this platform report, service instances can determine that a peer is also signed by the MHSM service code signing key and, with some crypto entanglement via the platform report, can also determine that the self-issued certificate signing key must also have been generated inside the TEE, preventing external impersonation.

+## Delivering availability SLAs with full Customer Key control

+### Managed HSM pool creation

+The high-availability properties of Managed HSM pools come from the automatically managed triple redundant HSM instances that are always kept in sync (or if using [multi-region replication](multi-region-replication.md), from keeping all six instances in sync). Pool creation is managed by the HSM Fabric Controller (HFC) service that allocates pools across the available hardware in the Azure region chosen by the customer. When a new pool is requested, HFC selects three servers across several racks with available space on their HSM adapters, and starts creating the pool:

+1. HFC instructs Node Service on each of the three TEEs to launch a new instance of the service code with a set of parameters that identify the customer's Azure Active Directory tenant, the internal VNET IP addresses of all three instances, and some other service configuration. One partition is randomly assigned as Primary.

+1. The three instances start. Each instance connects to a partition on its local HSM adapter, then zeroizes and initializes the partition using randomly generated usernames and credentials (to ensure the partition cannot be accessed by a human operator or other TEE instance).

+1. The primary instance creates a partition owner root certificate with the private key generated in the HSM, and establishes ownership of the pool by signing a partition level certificate for the HSM partition with this root certificate. The primary also generates a data encryption key, which is used to protect all customer data at rest inside the service (for key material, a double wrapping is used as the HSM also protects the key material itself).

+1. Next, this ownership data is synchronized to the two secondary instances. Each secondary contacts the primary using attested TLS. The primary shares the partition owner root certificate with private key, and the data encryption key. The secondaries now use the partition root certificate to issue a partition certificate to their own HSM partitions. Once this is done, we have HSM partitions on three separate servers owned by the same partition root certificate.

+1. Still over the attested TLS link, the primary's HSM partition shares with the secondaries its generated data wrapping key (used to encrypt messages between the three HSMs), using a secure API provided by the HSM vendor. During this exchange, the HSMs confirm that they have the same partition owner certificate, and then use a Diffie-Hellman scheme to encrypt the messages such that Microsoft service code cannot read them ΓÇô all the service code can do is transport opaque blobs between the HSMs.

+ At this point, all three instances are ready to be exposed as a pool on the customer's VNET: They share the same partition owner certificate and private key, the same data encryption key, and a common data wrapping key. However, each instance has unique credentials to their HSM partitions. Now the final steps are completed:

+1. Each instance generates an RSA key pair and a Certificate Signing Request (CSR) for its public facing TLS certificate. The CSR is signed by the Microsoft PKI system using a Microsoft public root, and the resultant TLS certificate is returned to the instance.

+1. All three instances obtain their own SGX sealing key from their local CPU: this key is generated using the CPU's own unique key, and the TEE's code signing key.

+1. The pool derives a unique pool key from the SGX sealing keys, encrypts all its secrets with this pool key, and then writes the encrypted blobs to disk. These blobs can only be decrypted by code signed by the same SGX sealing key, running on the same physical CPU. The secrets are thus bound to that particular instance.

+The secure bootstrap process is now complete. This process has allowed for both the creation of a triple redundant HSM pool, and creation of a cryptographic guarantee of the sovereignty of customer data.

+### Maintaining availability SLAs at runtime using confidential service healing

+The pool creation story above can explain how the Managed HSM service is able to deliver its high availability SLAs by securely managing the servers that underlie the service. Imagine that a server, or an HSM adapter, or even the power supply to the rack fails. The goal of the MSHM service is, without any customer intervention or the possibility of secrets being exposed in clear text outside the TEE, to heal the pool back to three healthy instances. This is achieved through confidential service healing.

+It starts with the HFC knowing which pools had instances on the failed server. HFC finds new, healthy servers within the pool's region to deploy the replacement instances to. It launches new instances, which are then treated exactly as a secondary during the initial provisioning step: initialize the HSM, find its primary, securely exchange secrets over attested TLS, sign the HSM into the ownership hierarchy, and then seal its service data to its new CPU. The service is now healed, fully automatically and fully confidentially.

+### Recovering from disaster using the security domain

+The Security Domain (SD) is a secured blob that contains all the credentials needed to rebuild the HSM partition from scratch: the partition owner key, the partition credentials, the data wrapping key, plus an initial backup of the HSM. Before the service becomes live, the customer must download the SD by providing a set of RSA encryption keys to secure it. The SD data originates in the TEEs and is protected by a generated symmetric key and an implementation of [Shamir's Secret Sharing algorithm](https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing) which splits the key shares across the customer provided RSA public keys according to customer selected quorum parameters. During this process, none of the service keys or credentials are ever exposed in plaintext outside the service code running in the TEEs; only the customer, by presenting a quorum of their RSA keys to the TEE, can decrypt the SD during a recovery scenario.

+The SD is needed only for cases where due to some catastrophe, entire Azure region is, and Microsoft loses all three instances of the pool simultaneously. If only one or even two instances are lost, then confidential service healing with quietly recover to three healthy instances with no customer intervention. If the entire region is lost, then because SGX sealing keys are unique to each CPU, Microsoft has no way to recover the HSM credentials and partition owner keys; they exist only within the context of the instances. In the extremely unlikely event that this catastrophe happens, the customer can recover their previous pool state and data by creating a new blank pool, and injecting it into the SD, and then presenting their RSA key quorum to prove ownership of the SD. For the case where a customer has enabled multi-region replication, the even more unlikely catastrophe of both of the regions experiencing a simultaneous, complete failure would have to happen before customer intervention would be needed to recover the pool from the SD.

+### Controlling access to the service

+As we have described, our service code in the TEE is the only entity with access to the HSM itself, as the necessary credentials are not given to the customer or anyone else. Instead, the customer's pool is bound to their Azure Active Directory instance, and this is used for authentication and authorization. At initial provisioning, the customer can choose an initial set of Administrators for the pool, and these individuals, as well as the customer's Azure Active Directory tenant Global Administrator, can then set access control policies within the pool. All access control policies are stored by the service in the same database as the masked keys, also encrypted. Only the service code in the TEE has access to these access control policies.

+## Conclusion

+Managed HSM removes the need for customers to make tradeoffs between availability and control over cryptographic keys by using cutting edge, hardware backed confidential enclave technology. As discussed in this paper, the implementation is such that no Microsoft personnel can access Customer Key material or related secrets, even with physical access to the Managed HSM host machines and HSMs. This has allowed our customers in the sectors of financial services, manufacturing, public sector, defense and other verticals to accelerate their migration to the cloud with full confidence.

+## What's next

+Further reading:

+- [Azure Key Vault Managed HSM ΓÇô Control your data in the cloud](mhsm-control-data.md)

+- [About the Managed HSM security domain](security-domain.md)

+- [Managed HSM access control](access-control.md)

+- [Local RBAC built in roles](built-in-roles.md)

+- [Managing compliance in the cloud](https://www.microsoft.com/trust-center/compliance/compliance-overview?rtc=1)

+- For technical details, see [How Managed HSM implements key sovereignty, availability, performance, and scalability without tradeoffs](managed-hsm-technical-details.md)

+### Sign in to the Azure portal

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+| **[Global tier](./cross-region-overview.md)** | Standard Load Balancer supports the Global tier for Public Load Balancers enabling cross-region load balancing | Not supported |

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. In the **Azure** window that opens, on the **Workspace** section toolbar, from the **Azure Logic Apps** menu, select **Create new logic app workspace**.

+ :::image type="content" source="media/create-run-custom-code-functions/create-workspace.png" alt-text="Screenshot shows Visual Studio Code, Azure window, Workspace section toolbar, and selected option for Create new logic app workspace.":::

+1. In the **Azure** window, on the **Workspace** section toolbar, from the **Azure Logic Apps** menu, select **Create New Project**.

+ 

+1. In the **Azure** window, on the **Workspace** section toolbar, from the **Azure Logic Apps** menu, select **Deploy to Logic App**.

+ 

+ >

+ >

+1. In the **Azure** window, on the **Workspace** section toolbar, from the **Azure Logic Apps** menu, select **Create workflow**.

+1. On the Visual Studio Code Activity Bar, select **Azure** to open the **Azure** window (Shift + Alt + A).

+ :::image type="content" source="media/export-from-consumption-to-standard-logic-app/select-azure-view.png" alt-text="Screenshot showing Visual Studio Code Activity Bar with Azure icon selected.":::

+1. On the **Workspace** section toolbar, from the **Azure Logic Apps** menu, select **Export Logic App**.

+ :::image type="content" source="media/export-from-consumption-to-standard-logic-app/select-export-logic-app.png" alt-text="Screenshot showing Azure window, Workspace section toolbar, and Export Logic App selected.":::

+ :::image type="content" source="media/export-from-consumption-to-standard-logic-app/select-subscription-consumption.png" alt-text="Screenshot showing Export tab with Azure subscription and region selected.":::

+1. On the Visual Studio Code Activity Bar, select **Azure** to open the **Azure** window (Shift + Alt + A).

+ 

+1. On the **Workspace** section toolbar, from the **Azure Logic Apps** menu, select **Export Logic App**.

+ 

+ 

+ - [Model](https://learn.microsoft.com/azure/machine-learning/how-to-manage-models?view=azureml-api-2&tabs=cli%2Cuse-local)