+Each request that is sent to Azure AD B2C specifies a **[user flow](user-flow-overview.md)** (a built-in policy) or a **[custom policy](user-flow-overview.md)** that controls the behavior of Azure AD B2C. Both policy types enable you to create a highly customizable set of user experiences.

+Many modern web applications are built as client-side single-page applications ("SPAs"). Developers write them by using JavaScript or a SPA framework such as Angular, Vue, or React. These applications run on a web browser and have different authentication characteristics than traditional server-side web applications.

+We **recommended** this approach. Having limited-lifetime refresh tokens helps your application adapt to [modern browser cookie privacy limitations](../active-directory/develop/reference-third-party-cookies-spas.md), like Safari ITP.

+Some libraries, like [MSAL.js 1.x](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-core), only support the [implicit grant flow](implicit-flow-single-page-application.md) or your application is implemented to use implicit flow. In these cases, Azure AD B2C supports the [OAuth 2.0 implicit flow](implicit-flow-single-page-application.md). The implicit grant flow allows the application to get **ID** and **Access** tokens. Unlike the authorization code flow, implicit grant flow doesn't return a **Refresh token**.

+We **don't recommended** this approach.

+* [Visual Studio 2022 17.0 or later](https://visualstudio.microsoft.com/downloads) with the **ASP.NET and web development** workload

+* [Visual Studio 2022 17.0 or later](https://visualstudio.microsoft.com/downloads), with the ASP.NET and web development workload

+* For content such as how-to information or code samples for IT professionals and developers, see the [technical documentation for Azure AD B2C](../active-directory-b2c/index.yml).

+* [Technical documentation for Azure AD B2C](../active-directory-b2c/index.yml)

+### JSON Arrays

+To add JSON objects to a JSON array, use the format of **array name** and the **index** in the array. The array is zero based. Start with zero to N, without skipping any number. The items in the array can contain any object. For example, the first item contains two objects, *app* and *appId*. The second item contains a single object, *program*. The third item contains four objects, *color*, *language*, *logo* and *background*.

+The following example demonstrates how to configure JSON arrays. The **emails** array uses the `InputClaims` with dynamic values. The **values** array uses the `InputParameters` with static values.

+```xml

+<ClaimsTransformation Id="GenerateJsonPayload" TransformationMethod="GenerateJson">

+ <InputClaims>

+ <InputClaim ClaimTypeReferenceId="mailToName1" TransformationClaimType="emails.0.name" />

+ <InputClaim ClaimTypeReferenceId="mailToAddress1" TransformationClaimType="emails.0.address" />

+ <InputClaim ClaimTypeReferenceId="mailToName2" TransformationClaimType="emails.1.name" />

+ <InputClaim ClaimTypeReferenceId="mailToAddress2" TransformationClaimType="emails.1.address" />

+ </InputClaims>

+ <InputParameters>

+ <InputParameter Id="values.0.app" DataType="string" Value="Mobile app" />

+ <InputParameter Id="values.0.appId" DataType="string" Value="123" />

+ <InputParameter Id="values.1.program" DataType="string" Value="Holidays" />

+ <InputParameter Id="values.2.color" DataType="string" Value="Yellow" />

+ <InputParameter Id="values.2.language" DataType="string" Value="Spanish" />

+ <InputParameter Id="values.2.logo" DataType="string" Value="contoso.png" />

+ <InputParameter Id="values.2.background" DataType="string" Value="White" />

+ </InputParameters>

+ <OutputClaims>

+ <OutputClaim ClaimTypeReferenceId="result" TransformationClaimType="outputClaim" />

+ </OutputClaims>

+</ClaimsTransformation>

+```

+The result of this claims transformation:

+```json

+{

+ "values": [

+ {

+ "app": "Mobile app",

+ "appId": "123"

+ },

+ {

+ "program": "Holidays"

+ },

+ {

+ "color": "Yellow",

+ "language": "Spanish",

+ "logo": "contoso.png",

+ "background": "White"

+ }

+ ],

+ "emails": [

+ {

+ "name": "Joni",

+ "address": "joni@contoso.com"

+ },

+ {

+ "name": "Emily",

+ "address": "emily@contoso.com"

+ }

+ ]

+}

+```

+To specify a JSON array in both the input claims and the input parameters, you must start the array in the `InputClaims` element, zero to N. Then, in the `InputParameters` element continue the index from the last index.

+The following example demonstrates an array that is defined in both the input claims and the input parameters. The first item of the *values* array `values.0` is defined in the input claims. The input parameters continue from index one `values.1` through two index `values.2`.

+```xml

+<ClaimsTransformation Id="GenerateJsonPayload" TransformationMethod="GenerateJson">

+ <InputClaims>

+ <InputClaim ClaimTypeReferenceId="app" TransformationClaimType="values.0.app" />

+ <InputClaim ClaimTypeReferenceId="appId" TransformationClaimType="values.0.appId" />

+ </InputClaims>

+ <InputParameters>

+ <InputParameter Id="values.1.program" DataType="string" Value="Holidays" />

+ <InputParameter Id="values.2.color" DataType="string" Value="Yellow" />

+ <InputParameter Id="values.2.language" DataType="string" Value="Spanish" />

+ <InputParameter Id="values.2.logo" DataType="string" Value="contoso.png" />

+ <InputParameter Id="values.2.background" DataType="string" Value="White" />

+ </InputParameters>

+ <OutputClaims>

+ <OutputClaim ClaimTypeReferenceId="result" TransformationClaimType="outputClaim" />

+ </OutputClaims>

+</ClaimsTransformation>

+```

+ Title: Using Application Gateway WAF to protect your application

+description: How to add Web Application Firewall protection for apps published with Azure Active Directory Application Proxy.

+# Using Application Gateway WAF to protect your application

+When using Azure Active Directory (Azure AD) Application Proxy to expose applications deployed on-premises, on sealed Azure Virtual Networks, or in other public clouds, you can integrate a Web Application Firewall (WAF) in the data flow in order to protect your application from malicious attacks.

+## What is Azure Web Application Firewall?

+Azure Web Application Firewall (WAF) on Azure Application Gateway provides centralized protection of your web applications from common exploits and vulnerabilities. Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities. SQL injection and cross-site scripting are among the most common attacks. For more information about Azure WAF on Application Gateway, see [What is Azure Web Application Firewall on Azure Application Gateway?][waf-overview].

+## Deployment steps

+This article guides you through the steps to securely expose a web application on the Internet, by integrating the Azure AD Application Proxy with Azure WAF on Application Gateway. In this guide we'll be using the Azure portal. The reference architecture for this deployment is represented below.

+

+### Configure Azure Application Gateway to send traffic to your internal application.

+Some steps of the Application Gateway configuration will be omitted in this article. For a detailed guide on how to create and configure an Application Gateway, see [Quickstart: Direct web traffic with Azure Application Gateway - Azure portal][appgw_quick].

+##### 1. Create a private-facing HTTPS listener.

+This will allow users to access the web application privately when connected to the corporate network.

+

+##### 2. Create a backend pool with the web servers.

+In this example, the backend servers have Internet Information Services (IIS) installed.

+

+##### 3. Create a backend setting.

+This will determine how requests will reach the backend pool servers.

+

+

+ ##### 4. Create a routing rule that ties the listener, the backend pool, and the backend setting created in the previous steps.

+

+ 

+ 

+

+ ##### 5. Enable the WAF in the Application Gateway and set it to Prevention mode.

+

+ 

+

+ ### Configure your application to be remotely accessed through Application Proxy in Azure AD.

+

+As represented in the diagram above, both connector VMs, the Application Gateway, and the backend servers were deployed in the same VNET in Azure. This setup also applies to applications and connectors deployed on-premises.

+For a detailed guide on how to add your application to Application Proxy in Azure AD, see [Tutorial: Add an on-premises application for remote access through Application Proxy in Azure Active Directory][appproxy-add-app]. For more information about performance considerations concerning the Application Proxy connectors, see [Optimize traffic flow with Azure Active Directory Application Proxy][appproxy-optimize].

+

+

+In this example, the same URL was configured as the internal and external URL. Remote clients will access the application over the Internet on port 443, through the Application Proxy, whereas clients connected to the corporate network will access the application privately through the Application Gateway directly, also on port 443. For a detailed step on how to configure custom domains in Application Proxy, see [Configure custom domains with Azure AD Application Proxy][appproxy-custom-domain].

+To ensure the connector VMs send requests to the Application Gateway, an [Azure Private DNS zone][private-dns] was created with an A record pointing www.fabrikam.one to the private frontend IP of the Application Gateway.

+### Test the application.

+After [adding a user for testing](/azure/active-directory/app-proxy/application-proxy-add-on-premises-application#add-a-user-for-testing), you can test the application by accessing https://www.fabrikam.one. The user will be prompted to authenticate in Azure AD, and upon successful authentication, will access the application.

+

+

+### Simulate an attack.

+To test if the WAF is blocking malicious requests, you can simulate an attack using a basic SQL injection signature. For example, "https://www.fabrikam.one/api/sqlquery?query=x%22%20or%201%3D1%20--".

+

+An HTTP 403 response confirms that the request was blocked by the WAF.

+The Application Gateway [Firewall logs][waf-logs] provide more details about the request and why it was blocked by the WAF.

+

+## Next steps

+To prevent false positives, learn how to [Customize Web Application Firewall rules](/azure/web-application-firewall/ag/application-gateway-customize-waf-rules-portal), configure [Web Application Firewall exclusion lists](/azure/web-application-firewall/ag/application-gateway-waf-configuration?tabs=portal), or [Web Application Firewall custom rules](/azure/web-application-firewall/ag/create-custom-waf-rules).

+[waf-overview]: /azure/web-application-firewall/ag/ag-overview

+[appgw_quick]: /azure/application-gateway/quick-create-portal

+[appproxy-add-app]: /azure/active-directory/app-proxy/application-proxy-add-on-premises-application

+[appproxy-optimize]: /azure/active-directory/app-proxy/application-proxy-network-topology

+[appproxy-custom-domain]: /azure/active-directory/app-proxy/application-proxy-configure-custom-domain

+[private-dns]: /azure/dns/private-dns-getstarted-portal

+[waf-logs]: /azure/application-gateway/application-gateway-diagnostics#firewall-log

+- For more information, see [Azure Data Subject Requests for the GDPR and CCPA](/compliance/regulatory/gdpr-dsr-azure).

+- For information on how to onboard Permissions Management in your organization, see [Enable Permissions Management in your organization](onboard-enable-tenant.md).

+# Use the What If tool to troubleshoot Conditional Access policies

+The **Conditional Access What If policy tool** allows you to understand the impact of [Conditional Access](./overview.md) policies in your environment. Instead of test driving your policies by performing multiple sign-ins manually, this tool enables you to evaluate a simulated sign-in of a user. The simulation estimates the impact this sign-in has on your policies and generates a simulation report.

+The **What If** tool provides a way to quickly determine the policies that apply to a specific user. You can use the information, for example, if you need to troubleshoot an issue.

+In the **Conditional Access What If tool**, you first need to configure the conditions of the sign-in scenario you want to simulate. These settings may include:

+The What If tool doesn't test for [Conditional Access service dependencies](service-dependencies.md). For example, if you're using What If to test a Conditional Access policy for Microsoft Teams, the result doesn't take into consideration any policy that would apply to Office 365 Exchange Online, a Conditional Access service dependency for Microsoft Teams.

+When the evaluation has finished, the tool generates a report of the affected policies. To gather more information about a Conditional Access policy, the [Conditional Access insights and reporting workbook](howto-conditional-access-insights-reporting.md) can provide more details about policies in report-only mode and those policies currently enabled.

+You can find the **What If** tool in the Azure portal under **Azure Active Directory** > **Security** > **Conditional Access** > **What If**.

+Before you can run the What If tool, you must provide the conditions you want to evaluate.

+## Conditions

+The only condition you must make is selecting a user or workload identity. All other conditions are optional. For a definition of these conditions, see the article [Building a Conditional Access policy](concept-conditional-access-policies.md).

+## Evaluation

+- An indicator whether classic policies exist in your environment.

+- Policies that will apply to your user or workload identity.

+- Policies that don't apply to your user or workload identity.

+If [classic policies](policy-migration.md#classic-policies) exist for the selected cloud apps, an indicator is presented to you. By clicking the indicator, you're redirected to the classic policies page. On the classic policies page, you can migrate a classic policy or just disable it. You can return to your evaluation result by closing this page.

+On the list of policies that apply, you can also find a list of [grant controls](concept-conditional-access-grant.md) and [session controls](concept-conditional-access-session.md) that must be satisfied.

+On the list of policies that don't apply, you can find the reasons why these policies don't apply. For each listed policy, the reason represents the first condition that wasn't satisfied.

+- If you're ready to configure Conditional Access policies for your environment, see the [Conditional Access common policies](concept-conditional-access-policy-common.md).

+# [.NET](#tab/dotnet)

+# [JavaScript](#tab/JavaScript)

+When these conditions are met, the app can extract the claims challenge from the API response header as follows:

+```javascript

+const authenticateHeader = response.headers.get('www-authenticate');

+const claimsChallenge = authenticateHeader

+ .split(' ')

+ .find((entry) => entry.includes('claims='))

+ .split('claims="')[1]

+ .split('",')[0];

+```

+Your app would then use the claims challenge to acquire a new access token for the resource.

+```javascript

+let tokenResponse;

+try {

+ tokenResponse = await msalInstance.acquireTokenSilent({

+ claims: window.atob(claimsChallenge), // decode the base64 string

+ scopes: scopes, // e.g ['User.Read', 'Contacts.Read']

+ account: account, // current active account

+ });

+} catch (error) {

+ if (error instanceof InteractionRequiredAuthError) {

+ tokenResponse = await msalInstance.acquireTokenPopup({

+ claims: window.atob(claimsChallenge), // decode the base64 string

+ scopes: scopes, // e.g ['User.Read', 'Contacts.Read']

+ account: account, // current active account

+ });

+ }

+}

+```

+Once your application is ready to handle the claim challenge returned by a CAE-enabled resource, you can tell Microsoft Identity your app is CAE-ready by adding a `clientCapabilities` property in the MSAL configuration.

+```javascript

+const msalConfig = {

+ auth: {

+ clientId: 'Enter_the_Application_Id_Here',

+ clientCapabilities: ["CP1"]

+ // the remaining settings

+ // ...

+ }

+}

+const msalInstance = new PublicClientApplication(msalConfig);

+```

+You can test your application by signing in a user and then using the Azure portal to revoke the user's session. The next time the app calls the CAE-enabled API, the user will be asked to reauthenticate.

+- [React single-page application using MSAL React to sign-in users against Azure Active Directory](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/2-Authorization-I/1-call-graph)

+- [Enable your ASP.NET Core web app to sign in users and call Microsoft Graph with the Microsoft identity platform](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/2-WebApp-graph-user/2-1-Call-MSGraph)

+#### [.NET](#tab/dotnet)

+#### [JavaScript](#tab/JavaScript)

+Those using MSAL.js can add `clientCapabilities` property to the configuration object.

+```javascript

+const msalConfig = {

+ auth: {

+ clientId: 'Enter_the_Application_Id_Here',

+ clientCapabilities: ["CP1"]

+ // the remaining settings

+ // ...

+ }

+}

+const msalInstance = new msal.PublicClientApplication(msalConfig);

+```

+A request of:

+### [.NET](#tab/dotnet)

+### [JavaScript](#tab/JavaScript)

+```javascript

+const checkIsClientCapableOfClaimsChallenge = (req, res, next) => {

+ // req.authInfo contains the decoded access token payload

+ if (req.authInfo['xms_cc'] && req.authInfo['xms_cc'].includes('CP1')) {

+ // Return formatted claims challenge as this client understands this

+

+ } else {

+ return res.status(403).json({ error: 'Client is not capable' });

+ }

+}

+```

+- [React single-page application using MSAL React to sign-in users against Azure Active Directory](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/2-Authorization-I/1-call-graph)

+- [Enable your ASP.NET Core web app to sign in users and call Microsoft Graph with the Microsoft identity platform](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/2-WebApp-graph-user/2-1-Call-MSGraph)

+ > When targeting your users and groups, you won't be able to select users who have configured [SMS-based authentication](/azure/active-directory/authentication/howto-authentication-sms-signin). This is because users who have a "federated credential" on their user object are blocked to prevent external users from being added to outbound access settings. As a workaround, you can use the [Microsoft Graph API](/graph/api/resources/crosstenantaccesspolicy-overview?view=graph-rest-1.0) to add the user's object ID directly or target a group the user belongs to.

+* For content such as how-to information or code samples for IT professionals and developers, see the [technical documentation for Azure Active Directory](../index.yml).

+* [Technical documentation for Azure Active Directory](../index.yml)

+On the Azure AD Enterprise Application representing the federation relation with IAS, disable "[User assignment required](../manage-apps/assign-user-or-group-access-portal.md)". This also means you can safely skip [assignment of users](../saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial.md#assign-the-azure-ad-test-user).

+* **Enforce strong authentication** - Strong authentication must always be used when accessing the isolated environment services and infrastructure. Whenever possible, [passwordless authentication](/azure/active-directory/authentication/concept-authentication-passwordless) such as [Windows for Business Hello](/windows/security/identity-protection/hello-for-business/hello-overview) or a [FIDO2 security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)) should be used.

+Provision accounts in the isolated environment for administrative personnel and IT teams who will be operating the environment. This will enable you to add stronger security policies such as device-based access control for [secure workstations](/security/compass/privileged-access-deployment). As discussed in previous sections, non-production environments can potentially utilize Azure AD B2B collaboration to onboard privileged accounts to the non-production tenants using the same posture and security controls designed for privileged access in their production environment.

+If managed identities aren't supported or not possible, consider [provisioning service principal objects](/azure/active-directory/develop/app-objects-and-service-principals).

+A [passwordless solution](../authentication/concept-authentication-passwordless.md) is the best solution for ensuring the most convenient and secure method of authentication. Passwordless credentials such as [FIDO security keys](../authentication/howto-authentication-passwordless-security-key.md) and [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-overview) are recommended for human identities with privileged roles.

+Below are some specific recommendations for Azure solutions. For general guidance on Conditional Access policies for individual environments, check the [CA Best practices](../conditional-access/overview.md), [Azure AD Operations Guide](../fundamentals/active-directory-ops-guide-auth.md), and [Conditional Access for Zero Trust](/azure/architecture/guide/security/conditional-access-zero-trust):

+* Consider managing Conditional Access policies at scale with automation using [MS Graph CA API](/azure/active-directory/conditional-access/howto-conditional-access-apis)). For example, you can use the API to configure, manage, and monitor CA policies consistently across tenants.

+The following are additional operational considerations for Azure AD, specific to multiple isolated environments. Check the [Azure Cloud Adoption Framework](/azure/cloud-adoption-framework/manage/), [Azure Security Benchmark](/security/benchmark/azure/) and [Azure AD Operations guide](/azure/active-directory/fundamentals/active-directory-ops-guide-ops) for detailed guidance to operate individual environments.

+* **Privileged role activity** - Configure and review security [alerts generated by Azure AD PIM](/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts). If locking down direct RBAC assignments isn't fully enforceable with technical controls (for example, Owner role has to be granted to product teams to do their job), then monitor direct assignment of privileged roles outside PIM by generating alerts whenever a user is assigned directly to access the subscription with Azure RBAC.

+**Human identities** are user objects that generally represent people in an organization. These identities are either created and managed directly in Azure AD or are synchronized from an on-premises Active Directory to Azure AD for a given organization. These types of identities are referred to as **local identities**. There can also be user objects invited from a partner organization or a social identity provider using [Azure AD B2B collaboration](/azure/active-directory/external-identities/what-is-b2b). In this content, we refer to these types of identity as **external identities**.

+**Non-human identities** include any identity not associated with a human. This type of identity is an object such as an application that requires an identity to run. In this content, we refer to this type of identity as a **workload identity**. Various terms are used to describe this type of identity, including [application objects and service principals](/azure/marketplace/manage-aad-apps).

+* **Service principal object**. Although there are [exceptions](/azure/marketplace/manage-aad-apps), application objects can be considered the *definition* of an application. Service principal objects can be considered an instance of an application. Service principals generally reference an application object, and one application object can be referenced by multiple service principals across directories.

+Azure AD allows application and service principal objects to authenticate with a password (also known as an application secret), or with a certificate. The use of passwords for service principals is discouraged and [we recommend using a certificate](/azure/active-directory/develop/howto-create-service-principal-portal) whenever possible.

+* **Managed identities for Azure resources**. Managed identities are special service principals in Azure AD. This type of service principal can be used to authenticate against services that support Azure AD authentication without needing to store credentials in your code or handle secrets management. For more information, see [What are managed identities for Azure resources?](/azure/active-directory/managed-identities-azure-resources/overview)

+**Hybrid identity**. A hybrid identity is an identity that spans on-premises and cloud environments. This provides the benefit of being able to use the same identity to access on-premises and cloud resources. The source of authority in this scenario is typically an on-premises directory, and the identity lifecycle around provisioning, de-provisioning and resource assignment is also driven from on-premises. For more information, see [Hybrid identity documentation](/azure/active-directory/hybrid/).

+ * **Azure AD Registered**. Devices not owned by the organization, for example, a personal device, used to access company resources. Organizations may require the device be enrolled via [Mobile Device Management (MDM)](https://www.microsoft.com/itshowcase/mobile-device-management-at-microsoft), or enforced through [Mobile Application Management (MAM)](/office365/enterprise/office-365-client-support-mobile-application-management) without enrollment to access resources. This capability can be provided by a service such as Microsoft Intune.

+**Conditional Access**. Azure AD Conditional Access policies are tools to bring user and device context into the authorization flow when accessing Azure AD resources. Organizations should explore use of Conditional Access policies to allow, deny, or enhance authentication based on user, risk, device, and network context. For more information, see the [Azure AD Conditional Access documentation](/azure/active-directory/conditional-access/).

+**Device management**. Azure AD is used to manage the lifecycle and integration with cloud and on-premises device management infrastructures. It also is used to define policies to control access from cloud or on-premises devices to your organizational data. Azure AD provides the lifecycle services of devices in the directory and the credential provisioning to enable authentication. It also manages a key attribute of a device in the system that is the level of trust. This detail is important when designing a resource access policy. For more information, see [Azure AD Device Management documentation](/azure/active-directory/devices/).

+**Configuration management**. Azure AD has service elements that need to be configured and managed to ensure the service is configured to an organization's requirements. These elements include domain management, SSO configuration, and application management to name but a few. Azure AD provides a portal and the Microsoft Graph API to allow organizations to manage these elements or integrate into existing processes. To learn more about Microsoft Graph, see [Use the Microsoft Graph API](/graph/use-the-api).

+Azure AD also provides information on the actions that are being performed within Azure AD, and reports on security risks. For more information, see [Azure Active Directory reports and monitoring](/azure/active-directory/reports-monitoring/).

+Administrative units restrict permissions in a role to any portion of your organization that you define. You could, for example, use administrative units to delegate the [Helpdesk Administrator](/azure/active-directory/roles/permissions-reference) role to regional support specialists, so they can manage users only in the region that they support. An administrative unit is an Azure AD resource that can be a container for other Azure AD resources. An administrative unit can contain only:

+For more information on administrative units, see [Administrative units in Azure Active Directory](/azure/active-directory/roles/administrative-units).

+>Using [Named Locations](/azure/active-directory/conditional-access/location-condition) can present some challenges to your [zero-trust journey](https://www.microsoft.com/security/business/zero-trust). Verify that using Named Locations fits into your security strategy and principles.

+ * [Microsoft 365 groups](/microsoft-365/community/all-about-groups)

+* **Identity compromise** - Within the boundary of a tenant, any identity can be assigned any role, given the one providing access has sufficient privileges. While the impact of compromised non-privileged identities is largely contained, compromised administrators can have broad impact. For example, if an Azure AD global administrator account is compromised, Azure resources can become compromised. To mitigate risk of identity compromise, or bad actors, implement [tiered administration](/security/compass/privileged-access-access-model) and ensure that you follow principles of least privilege for [Azure AD Administrator Roles](/azure/active-directory/roles/delegate-by-task). Similarly, ensure that you create CA policies that specifically exclude test accounts and test service principals from accessing resources outside of the test applications. For more information on privileged access strategy, see [Privileged access: Strategy](/security/compass/privileged-access-strategy).

+* **Trusting resource compromise** - Human identities aren't the only security consideration. Any compromised component of the Azure AD tenant can impact trusting resources based on its level of permissions at the tenant and resource level. The impact of a compromised component of an Azure AD trusting resource is determined by the privileges of the resource; resources that are deeply integrated with the directory to perform write operations can have profound impact in the entire tenant. Following [guidance for zero trust](/azure/architecture/guide/security/conditional-access-zero-trust) can help limit the impact of compromise.

+A new tenant provides the ability to have a separate set of administrators. Organizations can choose to use corporate identities through [Azure AD B2B collaboration](/azure/active-directory/external-identities/what-is-b2b). Similarly, organizations can implement [Azure Lighthouse](/azure/lighthouse/overview) for cross-tenant management of Azure resources so that non-production Azure subscriptions can be managed by identities in the production counterpart. Azure Lighthouse can't be used to manage services outside of Azure, such as Intune or Microsoft Endpoint Manager. For Managed Service Providers (MSPs), [Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-overview?view=o365-worldwide) is an admin portal that helps secure and manage devices, data, and users at scale for small- and medium-sized business (SMB) customers who are using Microsoft 365 Business Premium, Microsoft 365 E3, or Windows 365 Business.

+* **User permission check** - Permissions are assigned to users using [role-based access control (RBAC)](/azure/role-based-access-control/overview). An RBAC role specifies a set of permissions a user may take on a specific resource. RBAC helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to.

+**Microsoft 365 Lighthouse** - [Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-overview?view=o365-worldwide) is an admin portal that helps Managed Service Providers (MSPs) secure and manage devices, data, and users at scale for small- and medium-sized business (SMB) customers who are using Microsoft 365 Business Premium, Microsoft 365 E3, or Windows 365 Business.

+* No central management or configuration of servers. For example, there's no Group Policy that can be applied to a group of servers. Organizations should consider deploying [Update Management in Azure](/azure/automation/update-management/overview) to manage patching and updates of these servers.

+**Configuration separation** - In some cases, resources such as applications have dependencies on tenant-wide configurations like authentication methods or [named locations](/azure/active-directory/conditional-access/location-condition#named-locations). You should consider these dependencies when isolating resources. Global administrators can configure the resource settings and tenant-wide settings that affect resources.

+>There are multiple ways to define the management hierarchy based on an organization's individual requirements, constraints, and goals. For more information, consult the Cloud Adoption Framework guidance on how to [Organize Azure Resources](/azure/cloud-adoption-framework/ready/azure-setup-guide/organize-resources)).

+Consider isolating sensitive or test resources according to [Azure landing zone conceptual architecture](/azure/cloud-adoption-framework/ready/landing-zone/). For example, Identity subscription should be assigned to separated management group and all subscriptions for development purposes could be separated in "Sandbox" management group. More details can be found in the [Enterprise-Scale documentation](/azure/cloud-adoption-framework/ready/enterprise-scale/faq). Separation for testing purposes within a single tenant is also considered in the [management group hierarchy of the reference architecture](/azure/cloud-adoption-framework/ready/enterprise-scale/testing-approach).

+ <img alt='Azure support' src='/media/logos/logo_azure.svg'>

+ <img alt='Stay informed' src='/media/common/i_blog.svg'>

+- [Tech Community](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/bg-p/Identity/): Share your experiences, engage and learn from experts.

+- [Promapp](../saas-apps/promapp-provisioning-tutorial.md)

+Users can now configure multiple instances of the same application within an Azure AD tenant. It's now supported for both IdP, and Service Provider (SP), initiated single sign-on requests. Multiple application accounts can now have a separate service principal to handle instance-specific claims mapping and roles assignment. For more information, see:

+ * For other applications, follow steps 1-3 to [configure provisioning via Graph APIs](../app-provisioning/application-provisioning-configuration-api.md).

+1. If **Provisioning Status** for the application is **Off**, turn it to **On**. You can also start provisioning [using Graph APIs](../app-provisioning/application-provisioning-configuration-api.md#step-4-start-the-provisioning-job).

+1. Monitor the [provisioning status](../app-provisioning/check-status-user-account-provisioning.md) through the Portal or [Graph APIs](../app-provisioning/application-provisioning-configuration-api.md#monitor-the-provisioning-job-status) to ensure that all users were matched successfully.

+1. Check the provisioning log through the [Azure portal](../reports-monitoring/concept-provisioning-logs.md) or [Graph APIs](../app-provisioning/application-provisioning-configuration-api.md#monitor-provisioning-events-using-the-provisioning-logs). Filter the log to the status **Failure**. If there are failures with an ErrorCode of **DuplicateTargetEntries**, this indicates an ambiguity in your provisioning matching rules, and you'll need to update the Azure AD users or the mappings that are used for matching to ensure each Azure AD user matches one application user. Then filter the log to the action **Create** and status **Skipped**. If users were skipped with the SkipReason code of **NotEffectivelyEntitled**, this may indicate that the user accounts in Azure AD were not matched because the user account status was **Disabled**.

+Typically, IT delegates access approval decisions to business decision makers. Furthermore, IT can involve the users themselves. For example, users that access confidential customer data in a company's marketing application in Europe need to know the company's policies. Guest users may be unaware of the handling requirements for data in an organization to which they've been invited.

+Organizations can automate the access lifecycle process through technologies such as [dynamic groups](../enterprise-users/groups-dynamic-membership.md), coupled with user provisioning to [SaaS apps](../saas-apps/tutorial-list.md) or [apps integrated with SCIM](../app-provisioning/use-scim-to-provision-users-and-groups.md). Organizations can also control which [guest users have access to on-premises applications](../external-identities/hybrid-cloud-to-on-premises.md). These access rights can then be regularly reviewed using recurring [Azure AD access reviews](access-reviews-overview.md). [Azure AD entitlement management](entitlement-management-overview.md) also enables you to define how users request access across packages of group and team memberships, application roles, and SharePoint Online roles. For more information, see the [simplifying identity governance tasks with automation](#simplifying-identity-governance-tasks-with-automation) section below to select the appropriate Azure AD features for your access lifecycle automation scenarios.

+There are also tutorials for [managing access to resources in entitlement management](entitlement-management-access-package-first.md), [onboarding external users to Azure AD through an approval process](entitlement-management-onboard-external-user.md), [governing access to your applications](identity-governance-applications-prepare.md) and the [application's existing users](identity-governance-applications-existing-users.md).

+While there's no perfect solution or recommendation for every customer, the following configuration guides also provide the baseline policies Microsoft recommends you follow to ensure a more secure and productive workforce.

+- [Prerequisites for configuring Azure AD for identity governance](identity-governance-applications-prepare.md)

+## Simplifying identity governance tasks with automation

+Once you've started using these identity governance features, you can easily automate common identity governance scenarios. The following table shows how to get started for each scenario:

+| Scenario to automate | Automation guide |

+| - | |

+| Creating, updating and deleting AD and Azure AD user accounts automatically for employees |[Plan cloud HR to Azure AD user provisioning](../app-provisioning/plan-cloud-hr-provision.md)|

+| Updating the membership of a group, based on changes to the member user's attributes | [Create a dynamic group](../enterprise-users/groups-create-rule.md)|

+| Assigning licenses | [group-based licensing](../enterprise-users/licensing-groups-assign.md) |

+| Adding and removing a user's group memberships, application roles, and SharePoint site roles, on a specific date | [Configure lifecycle settings for an access package in entitlement management](entitlement-management-access-package-lifecycle-policy.md)|

+| Running custom workflows when a user requests or receives access, or access is removed | [Trigger Logic Apps in entitlement management](entitlement-management-logic-apps-integration.md) (preview) |

+| Regularly having memberships of guests in Microsoft groups and Teams reviewed, and removing guest memberships that are denied |[Create an access review](create-access-review.md) |

+| Removing guest accounts that were denied by a reviewer |[Review and remove external users who no longer have resource access](access-reviews-external-users.md) |

+| Removing guest accounts that have no access package assignments |[Manage the lifecycle of external users](entitlement-management-external-users.md#manage-the-lifecycle-of-external-users) |

+| Provisioning users into on-premises and cloud applications that have their own directories or databases | [Configure automatic user provisioning](../app-provisioning/user-provisioning.md) with user assignments or [scoping filters](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md) |

+| Other scheduled tasks | [Automate identity governance tasks with Azure Automation](identity-governance-automation.md) and Microsoft Graph via the [Microsoft.Graph.Identity.Governance](https://www.powershellgallery.com/packages/Microsoft.Graph.Identity.Governance/) PowerShell module|

+It's a best practice to use the least privileged role to perform administrative tasks in Identity Governance. We recommend that you use Azure AD PIM to activate a role as needed to perform these tasks. The following are the least privileged [directory roles](../roles/permissions-reference.md) to configure Identity Governance features:

+| Access reviews | User Administrator (with the exception of access reviews of Azure or Azure AD roles, which require Privileged Role Administrator) |

+| Privileged Identity Management | Privileged Role Administrator |

+| Terms of use | Security Administrator or Conditional Access Administrator |

+### New versions of the agent and Auto upgrade

+If a new version of the Health agent is released, any existing installed agents are automatically updated.

+> [!IMPORTANT]

+> Azure AD Connect Health for Sync requires Azure AD Connect Sync V2. If you are still using AADConnect V1 you must upgrade to the latest version.

+> AADConnect V1 is retired on August 31, 2022. Azure AD Connect Health for Sync will no longer work with AADConnect V1 in December 2022.

+>

+>[!Note]

+>

+>You cannot set up Azure AD Connect in an Active-Active setup. It must be Active-Passive. Ensure that only 1 Azure AD Connect server is actively syncing changes.

+#### Change currently Active Sync Server to staging mode

+1. For the currently Active Azure AD Connect server, open the Azure AD Connect Console and click "Configure staging mode" then Next:

+ > [!div class="mx-imgBorder"]

+ > 

+2. You will need to sign into Azure AD with Global Admin or Hybrid Identity Admin credentials:

+ > [!div class="mx-imgBorder"]

+ > 

+3. Tick the box for Staging Mode and click Next:

+ > [!div class="mx-imgBorder"]

+ > 

+4. The Azure AD Connect server will check for installed components and then prompt you whether you want to start the sync process:

+ > [!div class="mx-imgBorder"]

+ > 

+Since the server will be in staging mode, it will not write changes to Azure AD, but retain any changes to the AD in its Connector Space, ready to write them.

+5. After selecting whether to start or stop the sync process and clicking Configure, the Azure AD Connect server will configure itself into Staging Mode.

+When this is completed, you will be prompted with a screen that confirms Staging Mode is enabled.

+6. You can confirm that the server is successfully in Staging Mode by opening the Synchronization Service console.

+From here, there should be no more Export jobs since the change and Full & Delta Imports will be suffixed with "(Stage Only)" like below:

+ > [!div class="mx-imgBorder"]

+ > 

+#### Change current Staging Sync server to active mode

+1. Now move to the Azure AD Connect server that was originally in Staging Mode and open the Azure AD Connect console.

+ Click on "Configure staging mode" and click Next:

+ > [!div class="mx-imgBorder"]

+ > 

+ The message at the bottom of the Console indicates this server is in Staging Mode.

+ Untick the box for Staging Mode and click Next

+ > [!div class="mx-imgBorder"]

+ > 

+ As per the warning on this page, it is important to ensure no other Azure AD Connect server is actively syncing.

+ There should only be one active Azure AD Connect sync server at any time.

+3. When you are prompted to start the sync process, tick this box and click Configure:

+ > [!div class="mx-imgBorder"]

+ > 

+4. Once the process is finished you should get the below confirmation screen where you can click Exit to finish:

+ > [!div class="mx-imgBorder"]

+ > 

+

+ > [!div class="mx-imgBorder"]

+ > 

+Azure AD Connect Health will stop working after December 20222. We will auto upgrade all Health agents to a new version before the end of 2022, but we cannot auto upgrade if you are running AADConnect V1 due to compatibility issues with V versions.

+> [!IMPORTANT]

+> Azure AD Connect Health for Sync requires Azure AD Connect Sync V2. If you are still using AADConnect V1 you must upgrade to the latest version.

+> AADConnect V1 is retired on August 31, 2022. Azure AD Connect Health for Sync will no longer work with AADConnect V1 in December 2022.

+| Password spray | Offline | A password spray attack is where multiple usernames are attacked using common passwords in a unified brute force manner to gain unauthorized access. This risk detection is triggered when a password spray attack has been successfully performed. For example, the attacker is successfully authenticated, in the detected instance. |

+| Anomalous user activity | Offline | This risk detection indicates that suspicious patterns of activity have been identified for an authenticated user. The post-authentication behavior for users is assessed for anomalies based on an action or sequence of actions occurring for the account, along with any sign-in risk detected. |

+| Anomalous service principal activity (public preview) | Offline | This risk detection indicates suspicious patterns of activity have been identified for an authenticated service principal. The post-authentication behavior for service principals is assessed for anomalies based on action or sequence of actions occurring for the account, along with any sign-in risk detected. |

+- [Proactive security with Zero Trust](https://www.microsoft.com/security/business/zero-trust) through [Azure AD SSO](https://azure.microsoft.com/solutions/active-directory-sso/OCID=AIDcmm5edswduu_SEM_e13a1a1787ce1700761a78c235ae5906:G:s&ef_id=e13a1a1787ce1700761a78c235ae5906:G:s&msclkid=e13a1a1787ce1700761a78c235ae5906#features), [Azure AD Multi-Factor Authentication](/azure/active-directory/authentication/concept-mfa-howitworks) and

+ [Conditional Access](/azure/active-directory/conditional-access/overview).

+architecture](/azure/active-directory/manage-apps/datawiza-with-azure-ad#datawiza-with-azure-ad-authentication-architecture).

+ - See, [Quickstart: Create a new tenant in Azure Active Directory.](/azure/active-directory/fundamentals/active-directory-access-create-new-tenant)

+ - See, [Azure AD Connect sync: Understand and customize synchronization](/azure/active-directory/hybrid/how-to-connect-sync-whatis).

+ - See, [Azure AD built-in roles, all roles](/azure/active-directory/roles/permissions-reference#all-roles).

+To provide an extra level of security for sign-ins, enforce multifactor authentication (MFA) for user sign-in. One way to achieve this is to [enable MFA on the Azure portal](/azure/active-directory/authentication/tutorial-enable-azure-mfa).

+- [Configure Datawiza and Azure AD for secure hybrid access](/azure/active-directory/manage-apps/datawiza-with-azure-ad)

+- [Configure Datawiza with Azure AD B2C](/azure/active-directory-b2c/partner-datawiza)

+| Akamai Enterprise Application Access | [Akamai Enterprise Application Access](../saas-apps/akamai-tutorial.md) |

+| Citrix ADC | [Citrix ADC](../saas-apps/citrix-netscaler-tutorial.md) |

+| F5 BIG-IP Access Policy Manager | [F5 BIG-IP Access Policy Manager](./f5-aad-integration.md) |

+| Kemp LoadMaster | [Kemp LoadMaster](../saas-apps/kemp-tutorial.md) |

+| Pulse Secure Virtual Traffic Manager | [Pulse Secure Virtual Traffic Manager](../saas-apps/pulse-secure-virtual-traffic-manager-tutorial.md) |

+| Cisco AnyConnect | [Cisco AnyConnect](../saas-apps/cisco-anyconnect.md) |

+| Fortinet FortiGate | [Fortinet FortiGate](../saas-apps/fortigate-ssl-vpn-tutorial.md) |

+| F5 BIG-IP Access Policy Manager | [F5 BIG-IP Access Policy Manager](./f5-aad-password-less-vpn.md) |

+| Palo Alto Networks GlobalProtect | [Palo Alto Networks GlobalProtect](../saas-apps/paloaltoadmin-tutorial.md) |

+| Pulse Connect Secure | [Pulse Connect Secure](../saas-apps/pulse-secure-pcs-tutorial.md) |

+| Datawiza Access Broker | [Datawiza Access Broker](./datawiza-with-azure-ad.md) |

+| Perimeter 81 | [Perimeter 81](../saas-apps/perimeter-81-tutorial.md) |

+| Silverfort Authentication Platform | [Silverfort Authentication Platform](./silverfort-azure-ad-integration.md) |

+| Strata Maverics Identity Orchestrator | [Strata Maverics Identity Orchestrator](../saas-apps/maverics-identity-orchestrator-saml-connector-tutorial.md) |

+| Zscaler Private Access | [Zscaler Private Access](../saas-apps/zscalerprivateaccess-tutorial.md) |

+> New technical content is added daily. This list does not include every article that talks about managed identities. Please refer to each service's content set for details on their managed identities support. Resource provider namespace information is available in the article titled [Resource providers for Azure services](../../azure-resource-manager/management/azure-services-resource-providers.md).

+Users with this role can view usage reporting data and the reports dashboard in Microsoft 365 admin center and the adoption context pack in Power BI. Additionally, the role provides access to all sign-in logs, audit logs, and activity reports in Azure AD and data returned by the Microsoft Graph reporting API. A user assigned to the Reports Reader role can access only relevant usage and adoption metrics. They don't have any admin permissions to configure settings or access the product-specific admin centers like Exchange. This role has no access to view, create, or manage support tickets.

+ Title: 'Tutorial: Azure Active Directory integration with Blackboard Learn - Shibboleth'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Blackboard Learn'

+ Title: 'Tutorial: Configure Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service for automatic user provisioning with Azure Active Directory | Microsoft Docs'

+description: Learn how to automatically provision and de-provision user accounts from Azure AD to Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service.

+documentationcenter: ''

+writer: Thwimmer

+ms.assetid: 48afc8f5-a030-42da-9ffa-14fe5f80e333

+ms.devlang: na

+# Tutorial: Configure Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service for automatic user provisioning

+This tutorial describes the steps you need to perform in both Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service](https://www.paloaltonetworks.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).

+## Capabilities supported

+> [!div class="checklist"]

+> * Create users in Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service.

+> * Remove users in Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service when they do not require access anymore.

+> * Keep user attributes synchronized between Azure AD and Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service.

+> * Provision groups and group memberships in Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service.

+> * [Single sign-on](palo-alto-networks-cloud-identity-enginecloud-authentication-service-tutorial.md) to Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service (recommended).

+## Prerequisites

+The scenario outlined in this tutorial assumes that you already have the following prerequisites:

+* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md).

+* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).

+* A user account in Palo Alto Networks with Admin rights.

+## Step 1. Plan your provisioning deployment

+1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).

+1. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+1. Determine what data to [map between Azure AD and Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service](../app-provisioning/customize-application-attributes.md).

+## Step 2. Configure Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service to support provisioning with Azure AD

+Contact [Palo Alto Networks Customer Support](https://support.paloaltonetworks.com/support) to obtain the **SCIM Url** and corresponding **Token**.

+## Step 3. Add Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service from the Azure AD application gallery

+Add Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service from the Azure AD application gallery to start managing provisioning to Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service. If you have previously setup Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service for SSO, you can use the same application. However it is recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).

+## Step 4. Define who will be in scope for provisioning

+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+* If you need additional roles, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add new roles.

+## Step 5. Configure automatic user provisioning to Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service

+This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and/or groups in Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service based on user and/or group assignments in Azure AD.

+### To configure automatic user provisioning for Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service in Azure AD:

+1. Sign in to the [Azure portal](https://portal.azure.com). Select **Enterprise Applications**, then select **All applications**.

+ 

+1. In the applications list, select **Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service**.

+ 

+1. Select the **Provisioning** tab.

+ 

+1. Set the **Provisioning Mode** to **Automatic**.

+ 

+1. Under the **Admin Credentials** section, input your Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service Tenant URL and Secret Token. Click **Test Connection** to ensure Azure AD can connect to Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service. If the connection fails, ensure your Palo Alto Networks account has Admin permissions and try again.

+ 

+1. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box.

+ 

+1. Select **Save**.

+1. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service**.

+1. Review the user attributes that are synchronized from Azure AD to Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you will need to ensure that the Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service API supports filtering users based on that attribute. Select the **Save** button to commit any changes.

+ |Attribute|Type|Supported for filtering|Required by Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service|

+ |||||

+ |userName|String|&check;|&check;

+ |active|Boolean||&check;

+ |displayName|String||&check;

+ |title|String||

+ |emails[type eq "work"].value|String||

+ |emails[type eq "other"].value|String||

+ |preferredLanguage|String||

+ |name.givenName|String||&check;

+ |name.familyName|String||&check;

+ |name.formatted|String||&check;

+ |name.honorificSuffix|String||

+ |name.honorificPrefix|String||

+ |addresses[type eq "work"].formatted|String||

+ |addresses[type eq "work"].streetAddress|String||

+ |addresses[type eq "work"].locality|String||

+ |addresses[type eq "work"].region|String||

+ |addresses[type eq "work"].postalCode|String||

+ |addresses[type eq "work"].country|String||

+ |addresses[type eq "other"].formatted|String||

+ |addresses[type eq "other"].streetAddress|String||

+ |addresses[type eq "other"].locality|String||

+ |addresses[type eq "other"].region|String||

+ |addresses[type eq "other"].postalCode|String||

+ |addresses[type eq "other"].country|String||

+ |phoneNumbers[type eq "work"].value|String||

+ |phoneNumbers[type eq "mobile"].value|String||

+ |phoneNumbers[type eq "fax"].value|String||

+ |externalId|String||

+ |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber|String||

+ |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department|String||

+ |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager|String||

+ > [!NOTE]

+ > **Schema Discovery** is enabled on this app. Hence you might see more attributes in the application than mentioned in the table above.

+

+1. Under the **Mappings** section, select **Synchronize Azure Active Directory Groups to Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service**.

+1. Review the group attributes that are synchronized from Azure AD to Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the groups in Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service for update operations. Select the **Save** button to commit any changes.

+ |Attribute|Type|Supported for filtering|Required by Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service|

+ |||||

+ |displayName|String|&check;|&check;

+ |members|Reference||

+1. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+1. To enable the Azure AD provisioning service for Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service, change the **Provisioning Status** to **On** in the **Settings** section.

+ 

+1. Define the users and/or groups that you would like to provision to Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service by choosing the desired values in **Scope** in the **Settings** section.

+ 

+1. When you are ready to provision, click **Save**.

+ 

+This operation starts the initial synchronization cycle of all users and groups defined in **Scope** in the **Settings** section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running.

+## Step 6. Monitor your deployment

+Once you've configured provisioning, use the following resources to monitor your deployment:

+* Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully

+* Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it is to completion

+* If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).

+## More resources

+* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)

+* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+## Next steps

+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)

+[csi-blob-storage-open-source-driver-uninstall-steps]: https://github.com/kubernetes-sigs/blob-csi-driver/blob/master/docs/install-csi-driver-master.md#clean-up-blob-csi-driver

+ - `Premium_ZRS`, `StandardSSD_ZRS` disk types are supported. ZRS disk could be scheduled on the zone or non-zone node, without the restriction that disk volume should be co-located in the same zone as a given node. For more information, including which regions are supported, see [Zone-redundant storage for managed disks](../virtual-machines/disks-redundancy.md).

+Applications running in Azure Kubernetes Service (AKS) may need to store and retrieve data. While some application workloads can use local, fast storage on unneeded, emptied nodes, others require storage that persists on more regular data volumes within the Azure platform.

+* Share the same data volumes.

+* Reattach data volumes if the pod is rescheduled on a different node.

+Finally, you might need to collect and store sensitive data or application configuration information into pods.

+Traditional volumes are created as Kubernetes resources backed by Azure Storage. You can manually create data volumes to be assigned to pods directly, or have Kubernetes automatically create them. Data volumes can use: [Azure Disks][disks-types], [Azure Files][storage-files-planning], [Azure NetApp Files][azure-netapp-files-service-levels], or [Azure Blobs][storage-account-overview].

+Use *Azure Disks* to create a Kubernetes *DataDisk* resource. Disks types include:

+>For most production and development workloads, use Premium SSD.

+Use *Azure Files* to mount a Server Message Block (SMB) version 3.1.1 share or Network File System (NFS) version 4.1 share backed by an Azure storage accounts to pods. Files let you share data across multiple nodes and pods and can use:

+* Ultra Storage

+* Standard Storage

+Use *Azure Blob Storage* to create a blob storage container and mount it using the NFS v3.0 protocol or BlobFuse.

+* Block Blobs

+Kubernetes volumes represent more than just a traditional disk for storing and retrieving information. Kubernetes volumes can also be used as a way to inject data into a pod for use by the containers.

+You can use *secret* volumes to inject sensitive data into pods, such as passwords.

+1. Create a Secret using the Kubernetes API.

+1. Define your pod or deployment and request a specific Secret.

+ * The Secret is stored in *tmpfs*, not written to disk.

+You can use *configMap* to inject key-value pair properties into pods, such as application configuration information. Define application configuration information as a Kubernetes resource, easily updated and applied to new instances of pods as they're deployed.

+Like using a secret:

+1. Create a ConfigMap using the Kubernetes API.

+1. Request the ConfigMap when you define a pod or deployment.

+| `azureblob-nfs-premium` | Uses Azure Premium storage to create an Azure Blob storage container and connect using the NFS v3 protocol. The reclaim policy ensures that the underlying Azure Blob storage container is deleted when the persistent volume that used it is deleted. |

+| `azureblob-fuse-premium` | Uses Azure Premium storage to create an Azure Blob storage container and connect using BlobFuse. The reclaim policy ensures that the underlying Azure Blob storage container is deleted when the persistent volume that used it is deleted. |

+A PersistentVolumeClaim requests storage of a particular StorageClass, access mode, and size. The Kubernetes API server can dynamically provision the underlying Azure storage resource if no existing resource can fulfill the claim based on the defined StorageClass.

+* The persistent volume claim to request the desired storage.

+* The *volumeMount* for your applications to read and write data.

+- [Enable Container Storage Interface (CSI) drivers for Azure Disks, Azure Files, and Azure Blob storage on Azure Kubernetes Service][csi-storage-drivers]

+- [Use Azure Disks CSI driver in Azure Kubernetes Service][azure-disk-csi]

+- [Use Azure Files CSI driver in Azure Kubernetes Service][azure-files-csi]

+- [Use Azure Blob storage CSI driver (preview) in Azure Kubernetes Service][azure-blob-csi]

+- [Integrate Azure NetApp Files with Azure Kubernetes Service][azure-netapp-files]

+[azure-blob-csi]: azure-blob-csi.md

+Ingress allows for traffic external to the mesh to be routed to services within the mesh. With OSM, you can configure most ingress solutions to work with your mesh, but OSM works best with [Web Application Routing][web-app-routing], [NGINX ingress][osm-nginx], or [Contour ingress][osm-contour]. Open source projects integrating with OSM are not covered by the [AKS support policy][aks-support-policy].

+At this time, [Azure Gateway Ingress Controller (AGIC)][agic] only works for HTTP backends. If you configure OSM to use AGIC, AGIC will not be used for other backends such as HTTPS and mTLS.

+### Using the Azure Gateway Ingress Controller (AGIC) with the OSM add-on for HTTP ingress

+> [!IMPORTANT]

+> You can't configure [Azure Gateway Ingress Controller (AGIC)][agic] for HTTPS ingress.

+After installing the AGIC ingress controller, create a namespace for the application service, add it to the mesh using the OSM CLI, and deploy the application service to that namespace:

+```console

+# Create a namespace

+kubectl create ns httpbin

+# Add the namespace to the mesh

+osm namespace add httpbin

+# Deploy the application

+export RELEASE_BRANCH=release-v1.2

+kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm-docs/$RELEASE_BRANCH/manifests/samples/httpbin/httpbin.yaml -n httpbin

+```

+Verify that the pods are up and running, and have the envoy sidecar injected:

+```console

+kubectl get pods -n httpbin

+```

+Example output:

+```console

+NAME READY STATUS RESTARTS AGE

+httpbin-7c6464475-9wrr8 2/2 Running 0 6d20h

+```

+```console

+kubectl get svc -n httpbin

+```

+Example output:

+```console

+NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE

+httpbin ClusterIP 10.0.92.135 <none> 14001/TCP 6d20h

+```

+Next, deploy the following `Ingress` and `IngressBackend` configurations to allow external clients to access the `httpbin` service on port `14001`.

+```console

+kubectl apply -f <<EOF

+apiVersion: networking.k8s.io/v1

+kind: Ingress

+metadata:

+ name: httpbin

+ namespace: httpbin

+ annotations:

+ kubernetes.io/ingress.class: azure/application-gateway

+spec:

+ rules:

+ - http:

+ paths:

+ - path: /

+ pathType: Prefix

+ backend:

+ service:

+ name: httpbin

+ port:

+ number: 14001

+kind: IngressBackend

+apiVersion: policy.openservicemesh.io/v1alpha1

+metadata:

+ name: httpbin

+ namespace: httpbin

+spec:

+ backends:

+ - name: httpbin

+ port:

+ number: 14001 # targetPort of httpbin service

+ protocol: http

+ sources:

+ - kind: IPRange

+ name: 10.0.0.0/8

+EOF

+```

+Ensure that both the Ingress and IngressBackend objects have been successfully deployed:

+```console

+kubectl get ingress -n httpbin

+```

+Example output:

+```console

+NAME CLASS HOSTS ADDRESS PORTS AGE

+httpbin <none> * 20.85.173.179 80 6d20h

+```

+```console

+kubectl get ingressbackend -n httpbin

+```

+Example output:

+```console

+NAME STATUS

+httpbin committed

+```

+Use `kubectl` to display the external IP address of the ingress service.

+```console

+kubectl get ingress -n httpbin

+```

+Use `curl` to verify you can access the `httpbin` service using the external IP address of the ingress service.

+```console

+curl -sI http://<external-ip>/get

+```

+Confirm you receive a response with `status 200`.

+#### For non-RBAC key vault

+If your key vault is not enabled with `--enable-rbac-authorization`, you could use `az keyvault set-policy` to create an Azure KeyVault policy.

+#### For RBAC key vault

+If your key vault is enabled with `--enable-rbac-authorization`, you need to assign the "Key Vault Administrator" RBAC role which has decrypt, encrypt permission.

+```azurecli-interactive

+az role assignment create --role "Key Vault Crypto User" --assignee-object-id $IDENTITY_OBJECT_ID --assignee-principal-type "ServicePrincipal" --scope $KEYVAULT_RESOURCE_ID

+```

+#### For non-RBAC key vault

+If your key vault is not enabled with `--enable-rbac-authorization`, you could use `az keyvault set-policy` to create an Azure KeyVault policy.

+#### For RBAC key vault

+If your key vault is enabled with `--enable-rbac-authorization`, you need to assign a RBAC role which at least contains decrypt, encrypt permission.

+```azurecli-interactive

+az role assignment create --role "Key Vault Crypto User" --assignee-object-id $IDENTITY_OBJECT_ID --assignee-principal-type "ServicePrincipal" --scope $KEYVAULT_RESOURCE_ID

+```

+### Assign permission for creating private link

+ Title: What is Azure Analysis Services?

+Microsoft [Q&A](/answers/products/) is a technical community platform that provides a rich online experience in answering your technical questions. Join the conversation on [Q&A - Azure Analysis Services forum](/answers/topics/azure-analysis-services.html).

+1. Update the value of `AZURE_RESOURCE_GROUP` to your resource group name.

+1. Update the values of `WEB_APP_NAME` and `SQL_SERVER_NAME` to your web app name and sql server name.

+> [Learn about Azure and GitHub integration](/azure/developer/github/)

+> The access tokens provided to your app via EasyAuth do not have scopes for other APIs, such as Graph, even if your application has permissions to access those APIs. To use these APIs, you will need to use Azure Resource Manager to configure the token returned so it can be used to authenticate to other services. For more information, see [Tutorial: Access Microsoft Graph from a secured .NET app as the user](/azure/app-service/scenario-secure-app-access-microsoft-graph-as-user?tabs=azure-resource-explorer) .

+ For more information, see [Running Gunicorn](https://docs.gunicorn.org/en/stable/run.html) (docs.gunicorn.org). If you are using scale rules to scale your web app up and down, you can dynamically set the number of workers using the `NUM_CORES` environment variable in our startup command, for example: `--workers $((($NUM_CORES*2)+1))`. For more information on setting the recommended number of gunicorn workers, see [the Gunicorn FAQ](https://docs.gunicorn.org/en/stable/design.html#how-many-workers)

+- **Import App Service Certificate** - Follow the workflow at [Import an App Service certificate](configure-ssl-certificate.md#buy-and-import-app-service-certificate), then select this option here.

+If selected **HTTPS Only**, **Off** It means anyone can still access your app using HTTP. You can redirect all HTTP requests to the HTTPS port by selecting **On**.

+* [FAQ : App Service Certificates](./faq-configuration-and-management.yml)

+# Secure connections by adding and managing TLS/SSL certificates in Azure App Service

+You can add digital security certificates to [use in your application code](configure-ssl-certificate-in-code.md) or to [secure custom DNS names](configure-ssl-bindings.md) in [Azure App Service](overview.md), which provides a highly scalable, self-patching web hosting service. Currently called Transport Layer Security (TLS) certificates, also previously known as Secure Socket Layer (SSL) certificates, these private or public certificates help you secure internet connections by encrypting data sent between your browser, websites that you visit, and the website server.

+The following table lists the options for you to add certificates in App Service:

+> [!NOTE]

+> After you upload a certificate to an app, the certificate is stored in a deployment unit that's bound to the App Service plan's resource group, region, and operating system combination, internally called a *webspace*. That way, the certificate is accessible to other apps in the same resource group and region combination.

+ - Map the domain where you want the certificate to App Service. For information, see [Tutorial: Map an existing custom DNS name to Azure App Service](app-service-web-tutorial-custom-domain.md).

+

+ - For a root domain (like contoso.com), make sure your app doesn't have any [IP restrictions](app-service-ip-restrictions.md) configured. Both certificate creation and its periodic renewal for a root domain depends on your app being reachable from the internet.

+The [free App Service managed certificate](#create-a-free-managed-certificate) and the [App Service certificate](#buy-and-import-app-service-certificate) already satisfy the requirements of App Service. If you choose to upload or import a private certificate to App Service, your certificate must meet the following requirements:

+To secure a custom domain in a TLS binding, the certificate has more requirements:

+> **Elliptic Curve Cryptography (ECC) certificates** work with App Service but aren't covered by this article. For the exact steps to create ECC certificates, work with your certificate authority.

+The free App Service managed certificate is a turn-key solution for securing your custom DNS name in App Service. Without any action required from you, this TLS/SSL server certificate is fully managed by App Service and is automatically renewed continuously in six-month increments, 45 days before expiration, as long as the prerequisites that you set up stay the same. All the associated bindings are updated with the renewed certificate. You create and bind the certificate to a custom domain, and let App Service do the rest.

+> Before you create a free managed certificate, make sure you have [met the prerequisites](#prerequisites) for your app.

+>

+> Free certificates are issued by DigiCert. For some domains, you must explicitly allow DigiCert as a certificate issuer by creating a [CAA domain record](https://wikipedia.org/wiki/DNS_Certification_Authority_Authorization) with the value: `0 issue digicert.com`.

+>

+> Azure fully manages the certificates on your behalf, so any aspect of the managed certificate, including the root issuer, can change at anytime. These changes are outside your control. Make sure to avoid hard dependencies and "pinning" practice certificates to the managed certificate or any part of the certificate hierarchy. If you need the certificate pinning behavior, add a certificate to your custom domain using any other available method in this article.

+- Doesn't support wildcard certificates.

+- Doesn't support usage as a client certificate by using certificate thumbprint, which is planned for deprecation and removal.

+- Doesn't support private DNS.

+- Isn't exportable.

+- Isn't supported in an App Service Environment (ASE).

+### [Apex domain](#tab/apex)

+- Isn't supported on apps that are not publicly accessible.

+- Isn't supported with root domains that are integrated with Traffic Manager.

+- Must meet all the above for successful certificate issuances and renewals.

+### [Subdomain](#tab/subdomain)

+- Must have CNAME mapped _directly_ to `<app-name>.azurewebsites.net`. Mapping to an intermediate CNAME value blocks certificate issuance and renewal.

+- Must meet all the above for successful certificate issuance and renewals.

+1. In the [Azure portal](https://portal.azure.com), from the left menu, select **App Services** > **\<app-name>**.

+1. On your app's navigation menu, select **TLS/SSL settings**. On the pane that opens, select **Private Key Certificates (.pfx)** > **Create App Service Managed Certificate**.

+ 

+1. Select the custom domain for the free certificate, and then select **Create**. You can create only one certificate for each supported custom domain.

+ When the operation completes, the certificate appears in the **Private Key Certificates** list.

+ 

+1. To secure a custom domain with this certificate, you still have to create a certificate binding. Follow the steps in [Create binding](configure-ssl-bindings.md#create-binding).

+## Buy and import App Service certificate

+If you purchase an App Service certificate from Azure, Azure manages the following tasks:

+- Handles the purchase process from GoDaddy.

+- Manages [certificate renewal](#renew-app-service-certificate).

+- Synchronizes the certificate automatically with the imported copies in App Service apps.

+To purchase an App Service certificate, go to [Start certificate order](#start-certificate-purchase).

+> [!NOTE]

+> Currently, App Service certificates aren't supported in Azure National Clouds.

+If you already have a working App Service certificate, you can complete the following tasks:

+- [Manage the App Service certificate](#manage-app-service-certificates), such as renew, rekey, and export.

+### Start certificate purchase

+1. Go to the [App Service Certificate creation page](https://portal.azure.com/#create/Microsoft.SSL), and start your purchase for an App Service certificate.

+ > [!NOTE]

+ > In this article, all prices shown are for example purposes only.

+ >

+ > App Service Certificates purchased from Azure are issued by GoDaddy. For some domains, you must explicitly allow GoDaddy as a certificate issuer by creating a [CAA domain record](https://wikipedia.org/wiki/DNS_Certification_Authority_Authorization) with the value: `0 issue godaddy.com`

+ :::image type="content" source="./media/configure-ssl-certificate/purchase-app-service-cert.png" alt-text="Screenshot of 'Create App Service Certificate' pane with purchase options.":::

+1. To help you configure the certificate, use the following table. When you're done, select **Create**.

+ | Setting | Description |

+ |-|-|

+ | **Subscription** | The Azure subscription to associate with the certificate. |

+ | **Resource group** | The resource group that will contain the certificate. You can either create a new resource group or select the same resource group as your App Service app. |

+ | **SKU** | Determines the type of certificate to create, either a standard certificate or a [wildcard certificate](https://wikipedia.org/wiki/Wildcard_certificate). |

+ | **Naked Domain Host Name** | Specify the root domain. The issued certificate secures *both* the root domain and the `www` subdomain. In the issued certificate, the **Common Name** field specifies the root domain, and the **Subject Alternative Name** field specifies the `www` domain. To secure any subdomain only, specify the fully qualified domain name for the subdomain, for example, `mysubdomain.contoso.com`.|

+ | **Certificate name** | The friendly name for your App Service certificate. |

+ | **Enable auto renewal** | Select whether to automatically renew the certificate before expiration. Each renewal extends the certificate expiration by one year and the cost is charged to your subscription. |

+### Store certificate in Azure Key Vault

+[Key Vault](../key-vault/general/overview.md) is an Azure service that helps safeguard cryptographic keys and secrets used by cloud applications and services. For App Service certificates, the storage of choice is Key Vault. After you finish the certificate purchase process, you have to complete a few more steps before you start using this certificate.

+1. On the [App Service Certificates page](https://portal.azure.com/#blade/HubsExtension/Resources/resourceType/Microsoft.CertificateRegistration%2FcertificateOrders), select the certificate. On the certificate menu, select **Certificate Configuration** > **Step 1: Store**.

+ 

+1. On the **Key Vault Status** page, to create a new vault or choose an existing vault, select **Key Vault Repository**.

+1. If you create a new vault, set up the vault based on the following table, and make sure to use the same subscription and resource group as your App Service app. When you're done, select **Create**.

+ | Setting | Description |

+ |-|-|

+ | **Name** | A unique name that uses only alphanumeric characters and dashes. |

+ | **Resource group** | Recommended: The same resource group as your App Service certificate. |

+ | **Location** | The same location as your App Service app. |

+ | **Pricing tier** | For information, see [Azure Key Vault pricing details](https://azure.microsoft.com/pricing/details/key-vault/). |

+ | **Access policies** | Defines the applications and the allowed access to the vault resources. You can set up these policies later by following the steps at [Assign a Key Vault access policy](../key-vault/general/assign-access-policy-portal.md). Currently, App Service Certificate supports only Key Vault access policies, not the RBAC model. |

+ | **Virtual Network Access** | Restrict vault access to certain Azure virtual networks. You can set up this restriction later by following the steps at [Configure Azure Key Vault Firewalls and Virtual Networks](../key-vault/general/network-security.md) |

+1. After you select the vault, close the **Key Vault Repository** page. The **Step 1: Store** option should show a green check mark to indicate success. Keep the page open for the next step.

+### Confirm domain ownership

+1. From the same **Certificate Configuration** page in the previous section, select **Step 2: Verify**.

+ 

+1. Select **App Service Verification**. However, because you previously mapped the domain to your web app per the [Prerequisites](#prerequisites), the domain is already verified. To finish this step, just select **Verify**, and then select **Refresh** until the message **Certificate is Domain Verified** appears.

+The following domain verification methods are supported:

+| Method | Description |

+|--|-|

+| **App Service** | The most convenient option when the domain is already mapped to an App Service app in the same subscription because the App Service app has already verified the domain ownership. Review the last step in [Confirm domain ownership](#confirm-domain-ownership). |

+| **Domain** | Confirm an [App Service domain that you purchased from Azure](manage-custom-dns-buy-domain.md). Azure automatically adds the verification TXT record for you and completes the process. |

+| **Mail** | Confirm the domain by sending an email to the domain administrator. Instructions are provided when you select the option. |

+| **Manual** | Confirm the domain by using either a DNS TXT record or an HTML page, which applies only to **Standard** certificates per the following note. The steps are provided after you select the option. The HTML page option doesn't work for web apps with "HTTPS Only' enabled. |

+> For a **Standard** certificate, the certificate provider gives you a certificate for the requested top-level domain *and* the `www` subdomain, for example, `contoso.com` and `www.contoso.com`. However, starting December 1, 2021, [a restriction is introduced](https://azure.github.io/AppService/2021/11/22/ASC-1130-Change.html) on **App Service** and the **Manual** verification methods. To confirm domain ownership, both use HTML page verification. This method doesn't allow the certificate provider to include the `www` subdomain when issuing, rekeying, or renewing a certificate.

+> However, the **Domain** and **Mail** verification methods continue to include the `www` subdomain with the requested top-level domain in the certificate.

+1. In the [Azure portal](https://portal.azure.com), from the left menu, select **App Services** > **\<app-name>**.

+1. From your app's navigation menu, select **TLS/SSL settings** > **Private Key Certificates (.pfx)** > **Import App Service Certificate**.

+ 

+1. Select the certificate that you just purchased, and then select **OK**.

+ When the operation completes, the certificate appears in the **Private Key Certificates** list.

+ 

+1. To secure a custom domain with this certificate, you still have to create a certificate binding. Follow the steps in [Create binding](configure-ssl-bindings.md#create-binding).

+If you use Azure Key Vault to manage your certificates, you can import a PKCS12 certificate into App Service from Key Vault if you met the [requirements](#private-certificate-requirements).

+By default, the App Service resource provider doesn't have access to your key vault. To use a key vault for a certificate deployment, you have to [authorize read access for the resource provider to the key vault](../key-vault/general/assign-access-policy-cli.md).

+> Currently, a Key Vault certificate supports only the Key Vault access policy, not RBAC model.

+| Resource provider | Service principal AppId | Key vault secret permissions | Key vault certificate permissions |

+|--|--|--|--|

+| **Microsoft Azure App Service** or **Microsoft.Azure.WebSites** | - `abfa0a7c-a6b6-4736-8310-5855508787cd`, which is the same for all Azure subscriptions <br><br>- For Azure Government cloud environment, use `6a02c803-dafd-4136-b4c3-5a6f318b4714`. | Get | Get |

+| **Microsoft.Azure.CertificateRegistration** | | Get<br/>List<br/>Set<br/>Delete | Get<br/>List |

+1. In the [Azure portal](https://portal.azure.com), on the left menu, select **App Services** > **\<app-name>**.

+1. From your app's navigation menu, select **TLS/SSL settings** > **Private Key Certificates (.pfx)** > **Import Key Vault Certificate**.

+ 

+1. To help you select the certificate, use the following table:

+ | Setting | Description |

+ |-|-|

+ | **Subscription** | The subscription associated with the key vault. |

+ | **Key Vault** | The key vault that has the certificate you want to import. |

+ | **Certificate** | From this list, select a PKCS12 certificate that's in the vault. All PKCS12 certificates in the vault are listed with their thumbprints, but not all are supported in App Service. |

+ When the operation completes, the certificate appears in the **Private Key Certificates** list. If the import fails with an error, the certificate doesn't meet the [requirements for App Service](#private-certificate-requirements).

+ 

+ > [!NOTE]

+ > If you update your certificate in Key Vault with a new certificate, App Service automatically syncs your certificate within 24 hours.

+1. To secure a custom domain with this certificate, you still have to create a certificate binding. Follow the steps in [Create binding](configure-ssl-bindings.md#create-binding).

+After you get a certificate from your certificate provider, make the certificate ready for App Service by following the steps in this section.

+If your certificate authority gives you multiple certificates in the certificate chain, you have to merge the certificates following the same order.

+1. In a text editor, open each received certificate.

+1. To store the merged certificate, create a file named _mergedcertificate.crt_.

+1. Copy the content for each certificate into this file. Make sure to follow the certificate sequence specified by the certificate chain, starting with your certificate and ending with the root certificate, for example:

+ ```

+ --BEGIN CERTIFICATE--

+ <your entire Base64 encoded SSL certificate>

+ --END CERTIFICATE--

+ --BEGIN CERTIFICATE--

+ <The entire Base64 encoded intermediate certificate 1>

+ --END CERTIFICATE--

+ --BEGIN CERTIFICATE--

+ <The entire Base64 encoded intermediate certificate 2>

+ --END CERTIFICATE--

+ --BEGIN CERTIFICATE--

+ <The entire Base64 encoded root certificate>

+ --END CERTIFICATE--

+ ```

+### Export merged private certificate to PFX

+Now, export your merged TLS/SSL certificate with the private key that was used to generate your certificate request. If you generated your certificate request using OpenSSL, then you created a private key file.

+1. To export your certificate to a PFX file, run the following command, but replace the placeholders _&lt;private-key-file>_ and _&lt;merged-certificate-file>_ with the paths to your private key and your merged certificate file.

+ ```bash

+ openssl pkcs12 -export -out myserver.pfx -inkey <private-key-file> -in <merged-certificate-file>

+ ```

+1. When you're prompted, specify a password for the export operation. When you upload your TLS/SSL certificate to App Service later, you'll have to provide this password.

+1. If you used IIS or _Certreq.exe_ to generate your certificate request, install the certificate to your local computer, and then [export the certificate to a PFX file](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754329(v=ws.11)).

+1. In the [Azure portal](https://portal.azure.com), from the left menu, select **App Services** > **\<app-name>**.

+1. From your app's navigation menu, select **TLS/SSL settings** > **Private Key Certificates (.pfx)** > **Upload Certificate**.

+ 

+1. In **PFX Certificate File**, select your PFX file. In **Certificate password**, enter the password that you created when you exported the PFX file. When you're done, select **Upload**.

+ When the operation completes, the certificate appears in the **Private Key Certificates** list.

+ 

+1. To secure a custom domain with this certificate, you still have to create a certificate binding. Follow the steps in [Create binding](configure-ssl-bindings.md#create-binding).

+Public certificates are supported in the *.cer* format.

+1. In the [Azure portal](https://portal.azure.com), from the left menu, select **App Services** > **\<app-name>**.

+1. From your app's navigation menu, select **TLS/SSL settings** > **Public Certificates (.cer)** > **Upload Public Key Certificate**.

+1. For **Name**, enter the name for the certificate. In **CER Certificate file**, select your CER file. When you're done, select **Upload**.

+ 

+1. After the certificate is uploaded, copy the certificate thumbprint, and then review [Make the certificate accessible](configure-ssl-certificate-in-code.md#make-the-certificate-accessible).

+Before a certificate expires, make sure to add the renewed certificate to App Service, and update any [TLS/SSL bindings](configure-ssl-certificate.md) where the process depends on the certificate type. For example, a [certificate imported from Key Vault](#import-a-certificate-from-key-vault), including an [App Service certificate](#buy-and-import-app-service-certificate), automatically syncs to App Service every 24 hours and updates the TLS/SSL binding when you renew the certificate. For an [uploaded certificate](#upload-a-private-certificate), there's no automatic binding update. Based on your scenario, review the corresponding section:

+- [Renew an uploaded certificate](#renew-uploaded-certificate)

+- [Renew an App Service certificate](#renew-app-service-certificate)

+## Renew uploaded certificate

+When you replace an expiring certificate, the way you update the certificate binding with the new certificate might adversely affect user experience. For example, your inbound IP address might change when you delete a binding, even if that binding is IP-based. This result is especially impactful when you renew a certificate that's already in an IP-based binding. To avoid a change in your app's IP address, and to avoid downtime for your app due to HTTPS errors, follow these steps in the specified sequence:

+1. Bind the new certificate to the same custom domain without deleting the existing, expiring certificate. For this task, go to your App Service app's TLS/SSL settings pane, and select **Add Binding**.

+ This action replaces the binding, rather than remove the existing certificate binding.

+1. Delete the existing certificate.

+## Renew App Service certificate

+By default, App Service certificates have a one-year validity period. Before and nearer to the expiration date, you can automatically or manually renew App Service certificates in one-year increments. The renewal process effectively gives you a new App Service certificate with the expiration date extended to one year from the existing certificate's expiration date.

+> Starting September 23 2021, if you haven't verified the domain in the last 395 days, App Service certificates require domain verification during a renew or rekey process. The new certificate order remains in "pending issuance" mode during the renew or rekey process until you complete the domain verification.

+> Unlike an App Service managed certificate, domain re-verification for App Service certificates *isn't* automated. Failure to verify domain ownership results in failed renewals. For more information about how to verify your App Service certificate, review [Confirm domain ownership](#confirm-domain-ownership).

+>

+> The renewal process requires that the well-known [service principal for App Service has the required permissions on your key vault](deploy-resource-manager-template.md#deploy-web-app-certificate-from-key-vault). These permissions are set up for you when you import an App Service certificate through the Azure portal. Make sure that you don't remove these permisisons from your key vault.

+1. To change the automatic renewal setting for your App Service certificate at any time, on the [App Service Certificates page](https://portal.azure.com/#blade/HubsExtension/Resources/resourceType/Microsoft.CertificateRegistration%2FcertificateOrders), select the certificate.

+1. On the left menu, select **Auto Renew Settings**.

+1. Select **On** or **Off**, and select **Save**.

+ If you turn on automatic renewal, certificates can start automatically renewing 32 days before expiration.

+ 

+1. To manually renew the certificate instead, select **Manual Renew**. You can request to manually renew your certificate 60 days before expiration.

+1. After the renew operation completes, select **Sync**.

+ The sync operation automatically updates the hostname bindings for the certificate in App Service without causing any downtime to your apps.

+ > [!NOTE]

+ > If you don't select **Sync**, App Service automatically syncs your certificate within 24 hours.

+## Renew a certificate imported from Key Vault

+To renew a certificate that you imported into App Service from Key Vault, review [Renew your Azure Key Vault certificate](../key-vault/certificates/overview-renew-certificate.md).

+After the certificate renews inside your key vault, App Service automatically syncs the new certificate, and updates any applicable TLS/SSL binding within 24 hours. To sync manually, follow these steps:

+1. Under **Private Key Certificates**, select the imported certificate, and then select **Sync**.

+This section includes links to tasks that help you manage an [App Service certificate that you purchased](#buy-and-import-app-service-certificate):

+- [Rekey an App Service certificate](#rekey-app-service-certificate)

+- [Export an App Service certificate](#export-app-service-certificate)

+- [Delete an App Service certificate](#delete-app-service-certificate)

+- [Renew an App Service certificate](#renew-app-service-certificate)

+### Rekey App Service certificate

+If you think your certificate's private key is compromised, you can rekey your certificate. This action rolls the certificate with a new certificate issued from the certificate authority.

+1. On the [App Service Certificates page](https://portal.azure.com/#blade/HubsExtension/Resources/resourceType/Microsoft.CertificateRegistration%2FcertificateOrders), select the certificate. From the left menu, select **Rekey and Sync**.

+1. To start the process, select **Rekey**. This process can take 1-10 minutes to complete.

+ 

+1. You might also be required to [reconfirm domain ownership](#confirm-domain-ownership).

+1. After the rekey operation completes, select **Sync**.

+ The sync operation automatically updates the hostname bindings for the certificate in App Service without causing any downtime to your apps.

+ > [!NOTE]

+ > If you don't select **Sync**, App Service automatically syncs your certificate within 24 hours.

+### Export App Service certificate

+Because an App Service certificate is a [Key Vault secret](../key-vault/general/about-keys-secrets-certificates.md), you can export a copy as a PFX file, which you can use for other Azure services or outside of Azure.

+> [!IMPORTANT]

+> The exported certificate is an unmanaged artifact. App Service doesn't sync such artifacts when the App Service Certificate is [renewed](#renew-app-service-certificate). You must export and install the renewed certificate where necessary.

+#### [Azure portal](#tab/portal)

+1. On the [App Service Certificates page](https://portal.azure.com/#blade/HubsExtension/Resources/resourceType/Microsoft.CertificateRegistration%2FcertificateOrders), select the certificate.

+1. On the left menu, select **Export Certificate**.

+1. Select the certificate's current version.

+#### [Azure CLI](#tab/cli)

+To export the App Service Certificate as a PFX file, run the following commands in [Azure Cloud Shell](https://shell.azure.com). Or, you can locally run Cloud Shell locally if you [installed Azure CLI](/cli/azure/install-azure-cli). Replace the placeholders with the names that you used when you [bought the App Service certificate](#start-certificate-purchase).

+The downloaded PFX file is a raw PKCS12 file that contains both the public and private certificates and has an import password that's an empty string. You can locally install the file by leaving the password field empty. You can't [upload the file as-is into App Service](#upload-a-private-certificate) because the file isn't [password protected](#private-certificate-requirements).

+### Delete App Service certificate

+If you delete an App Service certificate, the delete operation is irreversible and final. The result is a revoked certificate, and any binding in App Service that uses this certificate becomes invalid.

+To prevent accidental deletion, Azure puts a lock on the App Service certificate. So, to delete the certificate, you have to first remove the delete lock on the certificate.

+1. On the [App Service Certificates page](https://portal.azure.com/#blade/HubsExtension/Resources/resourceType/Microsoft.CertificateRegistration%2FcertificateOrders), select the certificate.

+1. On the left menu, select **Locks**.

+1. On your certificate, find the lock with the lock type named **Delete**. To the right side, select **Delete**.

+ 

+1. Now, you can delete the App Service certificate. From the left menu, select **Overview** > **Delete**.

+1. When the confirmation box opens, enter the certificate name, and select **OK**.

+For security enhancement, it's recommended to bind TLS/SSL certificate for session encryption. To bind TLS/SSL certificate to the application gateway, a valid public certificate with following information is required. With [App Service Certificates](../configure-ssl-certificate.md#start-certificate-purchase), you can buy a TLS/SSL certificate and export it in .pfx format.

+* They are not affected by connection issues to the storage, since the read-only copy is cached on the worker.

+> [!NOTE]

+> If you are using Java (Java SE, Tomcat, or JBoss EAP), then by default the Java artifacts--.jar, .war, and .ear files--are copied locally to the worker. If your Java application depends on read-only access to other files as well, set `JAVA_COPY_ALL` to `true` for those files to also be copied. If Local Cache is enabled, it takes precendnce over this Java-specific enhancement.

+```jsonc

+- [App Service certificates](configure-ssl-certificate.md#buy-and-import-app-service-certificate) One-time charge at the time of purchase. If you have multiple subdomains to secure, you can reduce cost by purchasing one wildcard certificate instead of multiple standard certificates.

+Create a table of contents entry for the article in the How-to guides section where appropriate. -->

+When you set up a domain or TLS/SSL certificate for your web apps in Azure App Service, you might encounter the following common problems. This article also includes the possible causes and solutions for these problems.

+At any point in this article, you can get more help by contacting Azure experts on the [Microsoft Q & A and Stack Overflow forums](https://azure.microsoft.com/support/forums/). Alternatively, to file an Azure support incident, go to the [Azure Support site](https://azure.microsoft.com/support/options/), and select **Get Support**.

+This problem might happen if you have multiple IP-based TLS/SSL bindings for the same IP address across multiple apps. For example, app A has an IP-based TLS/SSL binding with an old certificate. App B has an IP-based TLS/SSL binding with a new certificate for the same IP address. When you update the app TLS binding with the new certificate, the update fails with this error because the same IP address is used for another app.

+To resolve this problem, try one of the following methods:

+This problem might happen if another app uses the certificate.

+1. Remove the TLS binding for that certificate from the apps.

+1. Try to delete the certificate.

+1. If you still can't delete the certificate, clear the internet browser cache, and reopen the Azure portal in a new browser window. Then try to delete the certificate.

+In the Azure portal, you can't purchase an [Azure App Service certificate](./configure-ssl-certificate.md#buy-and-import-app-service-certificate).

+This problem can happen for any of the following reasons:

+- The App Service plan is a Free or Shared pricing tier. These tiers don't support TLS.

+ **Solution**: Upgrade the App Service plan to Standard.

+ **Solution**: Add a valid credit card to your subscription.

+ **Solution**: Upgrade your subscription.

+- The subscription reached the limit on purchases that are allowed on a subscription.

+ **Solution**: App Service certificates have a limit of 10 certificate purchases for the Pay-As-You-Go and EA subscription types. For other subscription types, the limit is 3. To increase the limit, contact [Azure support](https://portal.azure.com/?#blade/Microsoft_Azure_Support/HelpAndSupportBlade).

+ **Solution**: If the certificate is marked as fraud and isn't resolved after 24 hours, follow these steps:

+ 1. Sign in to the [Azure portal](https://portal.azure.com).

+ 1. Go to **App Service Certificates**, and select the certificate.

+ 1. Select **Certificate Configuration** > **Step 2: Verify** > **Domain Verification**. This step sends an email notice to the Azure certificate provider to resolve the problem.

+"Error 404 - Web app not found."

+Your configured custom domain is missing a "CNAME record" or an "A record".

+- If you added an "A record", make sure that a TXT record is also added. For more information, see [Create the "A record"](./app-service-web-tutorial-custom-domain.md#3-create-the-dns-records).

+- If you don't have to use the root domain for your app, the recommendation is that you use a "CNAME record", rather than an "A record".

+- Don't use both a "CNAME record" and an "A record" for the same domain. This issue can cause a conflict and prevent domain resolution.

+The internet browser might still be caching the old IP address for your domain.

+Clear the browser. For Windows devices, you can run the command `ipconfig /flushdns`. To check that your domain points to the app's IP address, use [WhatsmyDNS.net](https://www.whatsmydns.net/).

+- Make sure that you have permissions to add a host name to an app by checking with the subscription administrator.

+This problem happens for one of the following reasons:

+- The time to live (TTL) period hasn't expired. To determine the TTL value, check your domain's DNS configuration, and wait for the period to expire.

+- Wait for 48 hours for this problem to resolve by itself.

+- If you can change the TTL setting in your DNS configuration, try changing the value to 5 minutes, which might solve this problem.

+- To verify that your domain points to the app's IP address, use [WhatsmyDNS.net](https://www.whatsmydns.net/). If the domain doesn't point to the IP address, configure the "A record" to the app's correct IP address.

+The subscription owner might have accidentally deleted the domain.

+If your domain was deleted fewer than seven days ago, the domain hasn't started the deletion process. In this case, you can buy the same domain again on the Azure portal under the same subscription. (Be sure to type the exact domain name in the search box.) You won't be charged again for this domain. If the domain was deleted more than seven days ago, contact [Azure support](https://portal.azure.com/?#blade/Microsoft_Azure_Support/HelpAndSupportBlade) for help with restoring the domain.

+Delete that certificate, and then buy a new certificate.

+If the current certificate that uses the wrong domain is in the "Issued" state, you'll also be billed for that certificate. App Service certificates aren't refundable, but you can contact [Azure support](https://portal.azure.com/?#blade/Microsoft_Azure_Support/HelpAndSupportBlade) for other possible options.

+#### Cause

+App Service automatically syncs your certificate within 48 hours. When you rotate or update a certificate, sometimes the application is still retrieving the old certificate and not the newly updated certificate. The reason is that the job to sync the certificate resource hasn't run yet. To resolve this problem, sync the certificate, which automatically updates the hostname bindings for the certificate in App Service without causing any downtime to your apps.

+You can force a sync for the certificate.

+1. Select **Rekey and Sync**, and then select **Sync**. The sync takes some time to finish.

+1. When the sync completes, the following notification appears: "Successfully updated all the resources with the latest certificate."

+1. Wait a few minutes for DNS propagation to run, and then select the **Refresh** button to trigger the verification.

+As an alternative, you can use the HTML webpage method to manually verify your domain. This method allows the certificate authority to confirm the domain ownership of the domain for which the certificate is issued.

+1. Create an HTML file that's named **{domain verification token}.html**. The file content should contain the value of domain verification token.

+> A certificate purchase has only 15 days to complete the domain verification operation. After 15 days, the certificate authority denies the certificate, and you're not charged for the certificate. In this situation, delete this certificate and try again.>

+This problem happens for one of the following reasons:

+ **Solution**: Add a valid credit card to your subscription.

+ **Solution**: [Assign the Owner role](../role-based-access-control/role-assignments-portal.md) to your account. Or, contact the subscription administrator to get permission to purchase a domain.

+ **Solution**: Upgrade your Azure subscription to another subscription type, such as a Pay-As-You-Go subscription.

+This problem happens for one of the following reasons:

+ **Solution**: Ask the subscription administrator to give you permission to add a host name.

+ **Solution**: Verify that your "CNAME record" or "A record" is correctly set up. To map a custom domain to an app, create either a "CNAME record" or an "A record". If you want to use a root domain, you must use an "A record" and "TXT record":

+ |Record type|Host|Point to|

+ |||--|

+ |A|@|IP address for an app|

+ |TXT|@|`<app-name>.azurewebsites.net`|

+ |CNAME|www|`<app-name>.azurewebsites.net`|

+When you purchase a domain from the Azure portal, the App Service app is automatically configured to use that custom domain. You donΓÇÖt have to take any further steps. For more information, watch Azure App Service Self Help: Add a Custom Domain Name on Channel9.

+**Can I use a domain purchased in the Azure portal to point to an Azure virtual machine instead?**

+Yes, you can point the domain to a virtual machine. For more information, see [Use Azure DNS to provide custom domain settings for an Azure service](../dns/dns-custom-domain.md).

+**I enabled auto-renew but still received a renewal notice for my domain via email. What should I do?**

+If you enabled auto-renew, you don't need to take any action. The renewal notice through email only informs you that the domain is close to expiration and if auto-renew isn't enabled, you have to manually renew.

+**Will I be charged for Azure DNS hosting my domain?**

+The initial cost of domain purchase applies to domain registration only. Along with the registration cost, Azure DNS incurs charges, based on your usage. For more information, see [Azure DNS pricing](https://azure.microsoft.com/pricing/details/dns/).

+You're not required to migrate to Azure DNS hosting. If you want to migrate to Azure DNS, the domain management experience in the Azure portal provides information about the steps necessary to move to Azure DNS. If you bought the domain through App Service, migration from GoDaddy hosting to Azure DNS is a relatively seamless procedure.

+Starting July 24, 2017, Azure hosts App Service domains purchased from the Azure portal on Azure DNS. If you prefer to use a different hosting provider, you must go to their website to obtain a domain hosting solution.

+When you purchase a domain through the Azure portal, you can choose to add privacy at no extra cost. This benefit is included with purchasing your domain through Azure App Service.

+When you purchase a domain, you're not charged for five days. During this time, you can decide whether to keep the domain. If you choose to not keep the domain within this duration, you're not charged. However, domains that end with `.uk` are the exception. If you purchase such a domain, you're immediately charged, and you can't get a refund.

+Yes, when you access the Custom Domains and TLS blade in the Azure portal, you see the domains that you purchased. You can configure your app to use any of those domains.

+Yes, you can move a domain to another subscription or resource group using the [Move-AzResource](/powershell/module/az.Resources/Move-azResource) PowerShell cmdlet.

+You can manage your domain even if you don't have an App Service web app. You can use the domain for Azure services such as Virtual Machines, Azure Storage, and so on. If you plan to use the domain for App Service web apps, you must include a web app that's not on a free App Service plan so that you can bind the domain to your web app.

+Yes, you can move your web app across subscriptions. Follow the guidance in [How to move resources in Azure](../azure-resource-manager/management/move-resource-group-and-subscription.md). Some limitations apply when you move a web app. For more information, see [Limitations for moving App Service resources](../azure-resource-manager/management/move-limitations/app-service-move-limitations.md).

+After you move a web app, the host name bindings of the domains within the custom domains setting should stay the same. No extra steps are required to configure the host name bindings.

+Application Gateway (Standard or WAF) SKU can support up to 32 instances (32 instance IP addresses + 1 private frontend IP configuration + 5 Azure reserved) ΓÇô so a minimum subnet size of /26 is recommended

+Application Gateway (Standard_v2 or WAF_v2 SKU) can support up to 125 instances (125 instance IP addresses + 1 private frontend IP configuration + 5 Azure reserved). A minimum subnet size of /24 is recommended.

+To determine the available capacity of a subnet that has existing Application Gateways provisioned, take the size of the subnet and subtract the five reserved IP addresses of the subnet reserved by the platform.  Next, take each gateway and subtract the the max-instance count.  For each gateway that has a private frontend IP configuration, subtract one additional IP address per gateway as well.

+For example, here's how to calculate the available addressing for a subnet with three gateways of varying sizes:

+- Gateway 1: Maximum of 10 instances; utilizes a private frontend IP configuration

+- Gateway 2: Maximum of 2 instances; no private frontend IP configuration

+- Gateway 3: Maximum of 15 instances; utilizes a private frontend IP configuration

+- Subnet Size: /24

+Subnet Size /24 = 255 IP addresses - 5 reserved from the platform = 250 available addresses.

+250 - Gateway 1 (10) - 1 private frontend IP configuration = 239

+239 - Gateway 2 (2) = 237

+237 - Gateway 3 (15) - 1 private frontend IP configuration = 223

+> IP addresses are allocated from the beginning of the defined subnet space for gateway instances. As instances are created and removed due to creation of gateways or scaling events, it can become difficult to understand what the next available address is in the subnet. To be able to determine the next address to use for a future gateway and have a contiguous addressing theme for frontend IPs, consider assigning frontend IP addresses from the upper half of the defined subset space. For example, if my subnet address space is 10.5.5.0/24, consider setting the private frontend IP configuration of your gateways starting with 10.5.5.254 and then following with 10.5.5.253, 10.5.5.252, 10.5.5.251, and so forth for future gateways.

+### Disable Automanage machines that need to be upgraded

+* PowerShell runbooks. PowerShell Workflow runbooks and Graphical runbooks aren't supported by watcher tasks.

+1. Follow the steps [here](/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm#enable-system-assigned-managed-identity-on-an-existing-vm) to enable the System-assigned managed identity on the VM.

+## Monitor performance of Hybrid Workers using VM insights

+Using [VM insights](../azure-monitor/vm/vminsights-overview.md), you can monitor the performance of Azure VMs and Arc-enabled Servers deployed as Hybrid Runbook workers. Among multiple elements that are considered during performances, the VM insights monitors the key operating system performance indicators related to processor, memory, network adapter, and disk utilization.

+- For Azure VMs, see [How to chart performance with VM insights](../azure-monitor/vm/vminsights-performance.md).

+- For Arc-enabled servers, see [Tutorial: Monitor a hybrid machine with VM insights](../azure-arc/servers/learn/tutorial-enable-vm-insights.md).

+- To learn about VM extensions for Arc-enabled servers, see [VM extension management with Azure Arc-enabled servers](../azure-arc/servers/manage-vm-extensions.md).

+ Title: Enable geo-replication (preview)

+description: Learn how to use Azure App Configuration geo replication to create, delete, and manage replicas of your configuration store.

+ms.assetid:

+ms.devlang: csharp

+#Customer intent: I want to be able to list, create, and delete the replicas of my configuration store.

+# Enable geo-replication (Preview)

+This article covers replication of Azure App Configuration stores. You'll learn about how to create and delete a replica in your configuration store.

+To learn more about the concept of geo-replication, see [Geo-replication in Azure App Configuration](./concept-soft-delete.md).

+## Prerequisites

+- An Azure subscription - [create one for free](https://azure.microsoft.com/free/dotnet)

+- We assume you already have an App Configuration store. If you want to create one, [create an App Configuration store](quickstart-aspnet-core-app.md).

+## Create and list a replica

+To create a replica of your configuration store in the portal, follow the steps below.

+<!-- ### [Portal](#tab/azure-portal) -->

+1. In your App Configuration store, under **Settings**, select **Geo-replication**.

+1. Under **Replica(s)**, select **Create**. Choose the location of your new replica in the dropdown, then assign the replica a name. This replica name must be unique.

+

+ :::image type="content" source="./media/how-to-geo-replication-create-flow.png" alt-text="Screenshot of the Geo Replication button being highlighted as well as the create button for a replica.":::

+

+1. Select **Create**.

+1. You should now see your new replica listed under Replica(s). Check that the status of the replica is "Succeeded", which indicates that it was created successfully.

+

+ :::image type="content" source="media/how-to-geo-replication-created-replica-successfully.png" alt-text="Screenshot of the list of replicas that have been created for the configuration store.":::

+<!-- ### [Azure CLI](#tab/azure-cli)

+1. In the CLI, run the following code to create a replica of your configuration store.

+ ```azurecli-interactive

+ az appconfig replica create --store-name MyConfigStoreName --name MyNewReplicaName --location MyNewReplicaLocation

+ ```

+1. Verify that the replica was created successfully by listing all replicas of your configuration store.

+ ```azurecli-interactive

+ az appconfig replica list --store-name MyConfigStoreName

+ ```

+ -->

+## Delete a replica

+To delete a replica in the portal, follow the steps below.

+<!-- ### [Portal](#tab/azure-portal) -->

+1. In your App Configuration store, under **Settings**, select **Geo-replication**.

+1. Under **Replica(s)**, select the **...** to the right of the replica you want to delete. Select **Delete** from the dropdown.

+ :::image type="content" source="./media/how-to-geo-replication-delete-flow.png" alt-text=" Screenshot showing the three dots on the right of the replica being selected, showing you the delete option.":::

+

+1. Verify the name of the replica to be deleted and select **OK** to confirm.

+1. Once the process is complete, check the list of replicas that the correct replica has been deleted.

+<!-- ### [Azure CLI](#tab/azure-cli)

+1. In the CLI, run the following code.

+ ```azurecli-interactive

+ az appconfig replica delete --store-name MyConfigStoreName --name MyNewReplicaName

+ ```

+1. Verify that the replica was deleted successfully by listing all replicas of your configuration store.

+ ```azurecli-interactive

+ az appconfig replica list --store-name MyConfigStoreName

+ ```

+ -->

+## Next steps

+> [!div class="nextstepaction"]

+> [Geo-replication concept](./concept-soft-delete.md)

+### [Customer-managed keytab mode](#tab/customer-managed-keytab-mode)

+ - `spec.services.primary.dnsName`

+ You provide a DNS name for the primary SQL endpoint.

+ - `spec.services.primary.port`

+ You provide a port number for the primary SQL endpoint.

+- **Optional**

+ - `spec.security.activeDirectory.connector.namespace`

+ Kubernetes namespace of the pre-existing Active Directory connector to join for AD authentication. When not provided, system will assume the same namespace as SQL.

+- **Required** (For AD authentication)

+ - `spec.security.activeDirectory.connector.name`

+ Name of the pre-existing Active Directory connector custom resource to join for AD authentication. When provided, system will assume that AD authentication is desired.

+ - `spec.security.activeDirectory.encryptionTypes`

+ List of Kerberos encryption types to allow for the automatically generated AD account provided in `spec.security.activeDirectory.accountName`. Accepted values are RC4, AES128 and AES256. It defaults to allow all encryption types when there is no value provided. You can disable RC4 by providing only AES128 and AES256 as encryption types.

+## August 9, 2022

+This release is published August 9, 2022.

+### Image tag

+`v1.10.0_2022-08-09`

+For complete release version information, see [Version log](version-log.md#august-9-2022).

+### Arc-enabled SQL Managed Instance

+- AES encryption can now be enabled for AD authentication.

+### `arcdata` Azure CLI extension

+- The Azure CLI help text for the Arc data controller, Arc-enabled SQL Managed Instance, and Active Directory connector command groups has been updated to reflect new naming conventions. Indirect mode arguments are now referred to as _Kubernetes API - targeted_ arguments, and direct mode arguments are now referred to as _Azure Resource Manager - targeted_ arguments.

+## August 9, 2022

+|Component|Value|

+|--|--|

+|Container images tag |`v1.10.0_2022-08-09`|

+|CRD names and version|`datacontrollers.arcdata.microsoft.com`: v1beta1, v1 through v6<br/>`exporttasks.tasks.arcdata.microsoft.com`: v1beta1, v1, v2<br/>`kafkas.arcdata.microsoft.com`: v1beta1<br/>`monitors.arcdata.microsoft.com`: v1beta1, v1, v2<br/>`sqlmanagedinstances.sql.arcdata.microsoft.com`: v1beta1, v1 through v6<br/>`postgresqls.arcdata.microsoft.com`: v1beta1, v1beta2<br/>`sqlmanagedinstancerestoretasks.tasks.sql.arcdata.microsoft.com`: v1beta1, v1<br/>`failovergroups.sql.arcdata.microsoft.com`: v1beta1, v1beta2, v1<br/>`activedirectoryconnectors.arcdata.microsoft.com`: v1beta1, v1beta2<br/>|

+|Azure Resource Manager (ARM) API version|2022-03-01-preview (No change)|

+|`arcdata` Azure CLI extension version|1.4.5 ([Download](https://arcdataazurecliextension.blob.core.windows.net/stage/arcdata-1.4.5-py2.py3-none-any.whl))|

+|Arc enabled Kubernetes helm chart extension version|1.2.20381002|

+|Arc Data extension for Azure Data Studio<br/>`arc`<br/>`azcli`|<br/>1.5.0 ([Download](https://azuredatastudioarcext.blob.core.windows.net/stage/arc-1.5.0.vsix))</br>1.5.0 ([Download](https://azuredatastudioarcext.blob.core.windows.net/stage/azcli-1.5.0.vsix))|

+|`arcdata` Azure CLI extension version|1.4.3 ([Download](https://arcdataazurecliextension.blob.core.windows.net/stage/arcdata-1.4.3-py2.py3-none-any.whl))|

+|`arcdata` Azure CLI extension version|1.4.2 ([Download](https://arcdataazurecliextension.blob.core.windows.net/stage/arcdata-1.4.2-py2.py3-none-any.whl))|

+The default TCP settings in some Linux versions can cause Redis server connections to fail for 13 minutes or more. The default settings can prevent the client application from detecting closed connections and restoring them automatically if the connection was not closed gracefully.

+The failure to reestablish a connection can happen occur in situations where the network connection is disrupted or the Redis server goes offline for unplanned maintenance.

+In rare cases, StackExchange.Redis fails to reconnect after a connection is dropped. In these cases, restarting the client or creating a new `ConnectionMultiplexer` fixes the issue. We recommend using a singleton `ConnectionMultiplexer` pattern while allowing apps to force a reconnection periodically. Take a look at the quickstart sample project that best matches the framework and platform your application uses. You can see an example of this code pattern in our [quickstarts](https://github.com/Azure-Samples/azure-cache-redis-samples).

+> For more information on setting these variables, see [Deploy models with Azure Machine Learning](/azure/machine-learning/how-to-deploy-managed-online-endpoints).

+For more information on entry script, see [Define scoring code.](/azure/machine-learning/how-to-deploy-managed-online-endpoints)

+For more information on inference configuration, see [Deploy models with Azure Machine Learning](/azure/machine-learning/how-to-deploy-managed-online-endpoints).

+> The code snippet assumes that `model` contains a registered model, and that `inference_config` contains the configuration for the inference environment. For more information, see [Deploy models with Azure Machine Learning](/azure/machine-learning/how-to-deploy-managed-online-endpoints).

+> [SymbolLayerOptions](/javascript/api/azure-maps-control/atlas.symbollayeroptions)

+> [Azure Maps Spatial IO package](/javascript/api/azure-maps-spatial-io/)

+> * For more information on resource properties, see [Property values](/azure/templates/microsoft.insights/components?tabs=bicep#property-values)

+Or you can set the cloud role name using the Java system property `applicationinsights.role.name`

+(which will also take precedence over cloud role name specified in the json configuration).

+Or you can set the cloud role instance using the Java system property `applicationinsights.role.instance`

+(which will also take precedence over cloud role instance specified in the json configuration).

+ * Run the command: `kubectl describe pod <omsagent-pod-name> --namespace=kube-system`. In the status returned, note the value under **Image** for omsagent in the *Containers* section of the output.

+ | parse RawData.value with

+ | parse RawData.value with

+- **If you use both Azure Monitor and Microsoft Sentinel**, create a separate workspace for each. Consider combining the two if it helps you reach a commitment tier.

+- **If you use both Microsoft Sentinel and Microsoft Defender for Cloud**, consider using the same workspace for both solutions to keep security data in one place.

+Once you've enabled the Application Insights Profiler, you can:

+- Start a new profiling session

+- Configure Profiler triggers

+- View recent profiling sessions

+Azure Application Insights needs to track requests for your application in order to provide profiles for your application on the Performance page in the Azure portal.

+For applications built on already-instrumented frameworks (like ASP.NET and ASP.NET Core)S, Application Insights can automatically track requests.

+But for other applications (like Azure Cloud Services worker roles and Service Fabric stateless APIs), you need to track requests with code that tells Application Insights where your requests begin and end. Requests telemetry is then sent to Application Insights, which you can view on the Performance page. Profiles are collected for those requests.

+To manually track requests:

+

+ Calling `StartOperation<RequestTelemetry>` within another `StartOperation<RequestTelemetry>` scope isn't supported. You can use `StartOperation<DependencyTelemetry>` in the nested scope instead. For example:

+## Next steps

+Troubleshoot the [Application Insights Profiler](./profiler-troubleshooting.md).

+- A functioning [ASP.NET Core application](/aspnet/core/getting-started)

+> [Generate load and view Profiler traces](./profiler-data.md)

+If you choose to use AD DS with Azure NetApp Files, follow the guidance in [Extend AD DS into Azure Architecture Guide](/azure/architecture/reference-architectures/identity/adds-extend-domain) and ensure that you meet the Azure NetApp Files [network](#network-requirements) and [DNS requirements](#ad-ds-requirements) for AD DS.

+"workloadSetting": "[variables('description'))]"

+- **Documentation.** Bicep's documentation is open to contributions, too. For more information, see the [Microsoft contributor guide overview](/contribute/).

+* [configurations - Advisor](/azure/templates/microsoft.advisor/configurations)

+* [profile - Change Analysis](/azure/templates/microsoft.changeanalysis/profile)

+ Deployment Scripts splits the arguments into an array of strings by invoking the [CommandLineToArgvW](/windows/win32/api/shellapi/nf-shellapi-commandlinetoargvw) system call. This step is necessary because the arguments are passed as a [command property](/rest/api/container-instances/containergroups/createorupdate#containerexec)

+| Microsoft.CertificateRegistration | [App Service Certificates](../../app-service/configure-ssl-certificate.md#import-certificate-into-app-service) |

+| Microsoft.MobileNetwork | [Azure Private 5G Core](../../private-5g-core/index.yml) |

+* predict

+## Microsoft.ContainerService

+* fleetMemberships

+* GenerateCostDetailsReport

+* cloudServiceSlots

+* applications

+* dataSensitivitySettings

+* huntsessions

+* recommendations

+- If a preview feature requires approval, the registration state is **Pending**. You must request approval from the Azure service offering the preview feature. Usually, you request access through a support ticket.

+Some services require other methods, such as email, to get approval for pending request. Check announcements about the preview feature for information about how to get access.

+* actionRules

+* generateDeploymentLicense

+## Microsoft.NotificationHubs

+* namespaces - By default, limited to 800 instances. That limit can be increased by contacting support.

+* namespaces/notificationHubs - By default, limited to 800 instances. That limit can be increased by contacting support.

+## Microsoft.Security

+* assignments

+> | predict | No | No |

+> | connectedEnvironments | Yes | Yes |

+> | connectedEnvironments / certificates | Yes | Yes |

+> | runtimeVersions | No | No |

+> | ciamDirectories | Yes | Yes |

+> | SqlServerInstances / Databases | Yes | Yes |

+> | accounts / sensors | No | No |

+## Microsoft.AzureScan

+> [!div class="mx-tableFixed"]

+> | Resource type | Supports tags | Tag in cost report |

+> | - | -- | -- |

+> | scanningAccounts | Yes | Yes |

+## Microsoft.AzureSphereGen2

+> [!div class="mx-tableFixed"]

+> | Resource type | Supports tags | Tag in cost report |

+> | - | -- | -- |

+> | catalogs | Yes | Yes |

+> | catalogs / certificates | No | No |

+> | catalogs / deviceRegistrations | Yes | Yes |

+> | catalogs / provisioningPackages | Yes | Yes |

+> | generateDeploymentLicense | No | No |

+> | galleryimages | Yes | Yes |

+> | marketplacegalleryimages | Yes | Yes |

+> | storagecontainers | Yes | Yes |

+> | billingAccounts / associatedTenants | No | No |

+> | billingAccounts / notificationContacts | No | No |

+> | calculateMigrationCost | No | No |

+> | canMigrate | No | No |

+> | migrate | No | No |

+> | VirtualMachines / AssessPatches | No | No |

+> | VirtualMachines / InstallPatches | No | No |

+> | fleetMemberships | No | No |

+> | fleets | Yes | Yes |

+> | fleets / members | No | No |

+> | GenerateCostDetailsReport | No | No |

+> | workspaces / proposals / virtualOutputReferences | No | No |

+> | factories / pipelines | No | No |

+> | assessForMigration | No | No |

+## Microsoft.DevCenter

+> [!div class="mx-tableFixed"]

+> | Resource type | Supports tags | Tag in cost report |

+> | - | -- | -- |

+> | devcenters | Yes | Yes |

+> | devcenters / attachednetworks | No | No |

+> | devcenters / catalogs | No | No |

+> | devcenters / devboxdefinitions | Yes | Yes |

+> | devcenters / environmentTypes | No | No |

+> | devcenters / galleries | No | No |

+> | devcenters / galleries / images | No | No |

+> | devcenters / galleries / images / versions | No | No |

+> | devcenters / images | No | No |

+> | networkconnections | Yes | Yes |

+> | projects | Yes | Yes |

+> | projects / attachednetworks | No | No |

+> | projects / devboxdefinitions | No | No |

+> | projects / environmentTypes | No | No |

+> | projects / pools | Yes | Yes |

+> | projects / pools / schedules | No | No |

+> | registeredSubscriptions | No | No |

+## Microsoft.DevHub

+> [!div class="mx-tableFixed"]

+> | Resource type | Supports tags | Tag in cost report |

+> | - | -- | -- |

+> | workflows | Yes | Yes |

+> | registeredSubscriptions | No | No |

+> | validateMedtechMappings | No | No |

+> | storageSpaces | Yes | Yes |

+> | virtualNetworks | Yes | Yes |

+> | configurationGroupValues | Yes | Yes |

+> | networkFunctionPublishers | No | No |

+> | networkFunctionPublishers / networkFunctionDefinitionGroups | No | No |

+> | networkFunctionPublishers / networkFunctionDefinitionGroups / publisherNetworkFunctionDefinitionVersions | No | No |

+> | networkfunctions | Yes | Yes |

+> | publishers | Yes | Yes |

+> | publishers / artifactStores | Yes | Yes |

+> | publishers / artifactStores / artifactManifests | Yes | Yes |

+> | publishers / configurationGroupSchemas | Yes | Yes |

+> | publishers / networkFunctionDefinitionGroups | Yes | Yes |

+> | publishers / networkFunctionDefinitionGroups / networkFunctionDefinitionVersions | Yes | Yes |

+> | publishers / networkFunctionDefinitionGroups / previewSubscriptions | Yes | Yes |

+> | publishers / networkServiceDesignGroups | Yes | Yes |

+> | publishers / networkServiceDesignGroups / networkServiceDesignVersions | Yes | Yes |

+> | siteNetworkServices | Yes | Yes |

+> | sites | Yes | Yes |

+> | workspaces / schedules | No | No |

+> | search | No | No |

+> | modernizeProjects | Yes | Yes |

+> | packetCoreControlPlaneVersions | No | No |

+> | simGroups | Yes | Yes |

+> | simGroups / sims | No | No |

+> | cloudServiceSlots | No | No |

+> | trafficmanagerprofiles / azureendpoints | No | No |

+> | trafficmanagerprofiles / externalendpoints | No | No |

+> | trafficmanagerprofiles / nestedendpoints | No | No |

+> | cloudServicesNetworks | Yes | Yes |

+> | defaultCniNetworks | Yes | Yes |

+> | disks | Yes | Yes |

+> | l2Networks | Yes | Yes |

+> | l3Networks | Yes | Yes |

+> | storageAppliances | Yes | Yes |

+> | trunkedNetworks | Yes | Yes |

+## Microsoft.Pki

+> [!div class="mx-tableFixed"]

+> | Resource type | Supports tags | Tag in cost report |

+> | - | -- | -- |

+> | Pki | Yes | Yes |

+> | Pkis | Yes | Yes |

+> | Pkis / certificateAuthorities | Yes | Yes |

+> | Pkis / enrollmentPolicies | Yes | Yes |

+> | VirtualMachines / HybridIdentityMetadata | No | No |

+> | applications | No | No |

+> | dataSensitivitySettings | No | No |

+> | vmScanners | No | No |

+> | azureDevOpsConnectors | Yes | Yes |

+> | azureDevOpsConnectors / orgs | No | No |

+> | azureDevOpsConnectors / orgs / projects | No | No |

+> | azureDevOpsConnectors / orgs / projects / repos | No | No |

+> | gitHubConnectors / owners | No | No |

+> | gitHubConnectors / owners / repos | No | No |

+> | huntsessions | No | No |

+> | recommendations | No | No |

+> | managedInstances / advancedThreatProtectionSettings | No | No |

+> | managedInstances / databases / advancedThreatProtectionSettings | No | No |

+> | servers / databases / sqlvulnerabilityassessments | No | No |

+> | servers / sqlvulnerabilityassessments | No | No |

+## Microsoft.StorageMover

+> [!div class="mx-tableFixed"]

+> | Resource type | Supports tags | Tag in cost report |

+> | - | -- | -- |

+> | storageMovers | Yes | Yes |

+> | storageMovers / agents | No | No |

+> | storageMovers / endpoints | No | No |

+> | storageMovers / projects | No | No |

+> | storageMovers / projects / jobDefinitions | No | No |

+> | storageMovers / projects / jobDefinitions / jobRuns | No | No |

+> | testBaseAccounts / externalTestTools | No | No |

+> | testBaseAccounts / externalTestTools / testCases | No | No |

+> | predict | No |

+> | connectedEnvironments | Yes |

+> | connectedEnvironments / certificates | Yes |

+> | runtimeVersions | No |

+> | ciamDirectories | Yes |

+> | SqlServerInstances / Databases | Yes |

+> | accounts / sensors | No |

+## Microsoft.AzureScan

+> [!div class="mx-tableFixed"]

+> | Resource type | Complete mode deletion |

+> | - | -- |

+> | scanningAccounts | Yes |

+## Microsoft.AzureSphereGen2

+> [!div class="mx-tableFixed"]

+> | Resource type | Complete mode deletion |

+> | - | -- |

+> | catalogs | Yes |

+> | catalogs / certificates | No |

+> | catalogs / deviceRegistrations | Yes |

+> | catalogs / provisioningPackages | Yes |

+> | generateDeploymentLicense | No |

+> | galleryimages | Yes |

+> | marketplacegalleryimages | Yes |

+> | storagecontainers | Yes |

+> | billingAccounts / associatedTenants | No |

+> | billingAccounts / notificationContacts | No |

+> | calculateMigrationCost | No |

+> | canMigrate | No |

+> | migrate | No |

+> | VirtualMachines / AssessPatches | No |

+> | VirtualMachines / InstallPatches | No |

+> | fleetMemberships | No |

+> | fleets | Yes |

+> | fleets / members | No |

+> | GenerateCostDetailsReport | No |

+> | workspaces / proposals / virtualOutputReferences | No |

+> | factories / pipelines | No |

+> | assessForMigration | No |

+## Microsoft.DevCenter

+> [!div class="mx-tableFixed"]

+> | Resource type | Complete mode deletion |

+> | - | -- |

+> | devcenters | Yes |

+> | devcenters / attachednetworks | No |

+> | devcenters / catalogs | No |

+> | devcenters / devboxdefinitions | Yes |

+> | devcenters / environmentTypes | No |

+> | devcenters / galleries | No |

+> | devcenters / galleries / images | No |

+> | devcenters / galleries / images / versions | No |

+> | devcenters / images | No |

+> | networkconnections | Yes |

+> | projects | Yes |

+> | projects / attachednetworks | No |

+> | projects / devboxdefinitions | No |

+> | projects / environmentTypes | No |

+> | projects / pools | Yes |

+> | projects / pools / schedules | No |

+> | registeredSubscriptions | No |

+## Microsoft.DevHub

+> [!div class="mx-tableFixed"]

+> | Resource type | Complete mode deletion |

+> | - | -- |

+> | workflows | Yes |

+> | registeredSubscriptions | No |

+> | validateMedtechMappings | No |

+> | storageSpaces | Yes |

+> | virtualNetworks | Yes |

+> | configurationGroupValues | Yes |

+> | networkFunctionPublishers | No |

+> | networkFunctionPublishers / networkFunctionDefinitionGroups | No |

+> | networkFunctionPublishers / networkFunctionDefinitionGroups / publisherNetworkFunctionDefinitionVersions | No |

+> | networkfunctions | Yes |

+> | publishers | Yes |

+> | publishers / artifactStores | Yes |

+> | publishers / artifactStores / artifactManifests | Yes |

+> | publishers / configurationGroupSchemas | Yes |

+> | publishers / networkFunctionDefinitionGroups | Yes |

+> | publishers / networkFunctionDefinitionGroups / networkFunctionDefinitionVersions | Yes |

+> | publishers / networkFunctionDefinitionGroups / previewSubscriptions | Yes |

+> | publishers / networkServiceDesignGroups | Yes |

+> | publishers / networkServiceDesignGroups / networkServiceDesignVersions | Yes |

+> | siteNetworkServices | Yes |

+> | sites | Yes |

+> | workspaces / schedules | No |

+> | search | No |

+> | modernizeProjects | Yes |

+> | packetCoreControlPlaneVersions | No |

+> | simGroups | Yes |

+> | simGroups / sims | No |

+> | cloudServiceSlots | No |

+> | trafficmanagerprofiles / azureendpoints | No |

+> | trafficmanagerprofiles / externalendpoints | No |

+> | trafficmanagerprofiles / nestedendpoints | No |

+> | cloudServicesNetworks | Yes |

+> | defaultCniNetworks | Yes |

+> | disks | Yes |

+> | l2Networks | Yes |

+> | l3Networks | Yes |

+> | storageAppliances | Yes |

+> | trunkedNetworks | Yes |

+## Microsoft.Pki

+> [!div class="mx-tableFixed"]

+> | Resource type | Complete mode deletion |

+> | - | -- |

+> | Pki | Yes |

+> | Pkis | Yes |

+> | Pkis / certificateAuthorities | Yes |

+> | Pkis / enrollmentPolicies | Yes |

+> | VirtualMachines / HybridIdentityMetadata | No |

+> | applications | No |

+> | dataSensitivitySettings | No |

+> | vmScanners | No |

+> | azureDevOpsConnectors | Yes |

+> | azureDevOpsConnectors / orgs | No |

+> | azureDevOpsConnectors / orgs / projects | No |

+> | azureDevOpsConnectors / orgs / projects / repos | No |

+> | gitHubConnectors / owners | No |

+> | gitHubConnectors / owners / repos | No |

+> | huntsessions | No |

+> | recommendations | No |

+> | managedInstances / advancedThreatProtectionSettings | No |

+> | managedInstances / databases / advancedThreatProtectionSettings | No |

+> | servers / databases / sqlvulnerabilityassessments | No |

+> | servers / sqlvulnerabilityassessments | No |

+## Microsoft.StorageMover

+> [!div class="mx-tableFixed"]

+> | Resource type | Complete mode deletion |

+> | - | -- |

+> | storageMovers | Yes |

+> | storageMovers / agents | No |

+> | storageMovers / endpoints | No |

+> | storageMovers / projects | No |

+> | storageMovers / projects / jobDefinitions | No |

+> | storageMovers / projects / jobDefinitions / jobRuns | No |

+> | testBaseAccounts / externalTestTools | No |

+> | testBaseAccounts / externalTestTools / testCases | No |

+ Deployment Scripts splits the arguments into an array of strings by invoking the [CommandLineToArgvW](/windows/win32/api/shellapi/nf-shellapi-commandlinetoargvw) system call. This step is necessary because the arguments are passed as a [command property](/rest/api/container-instances/containergroups/createorupdate#containerexec)

+- [Building an end-to-end IoT solution with SQL Edge](tutorial-deploy-azure-resources.md)

+> [!VIDEO https://docs.microsoft.com/shows/Data-Exposed/Azure-SQL-Edge-Demo-Renewable-Energy/player]

+You can use Azure storage services in workloads running in your private cloud. The Azure storage services include Storage Accounts, Table Storage, and Blob Storage. The connection of workloads to Azure storage services doesn't traverse the internet. This connectivity provides more security and enables you to use SLA-based Azure storage services in your private cloud workloads. You can also connect Azure disk pools or [Azure NetApp Files datastores](attach-azure-netapp-files-to-azure-vmware-solution-hosts.md) to expand the storage capacity.

+> [!VIDEO https://docs.microsoft.com/shows/IT-Ops-Talk/Configure-backups-at-scale-using-Azure-Policy/player]

+ > [!VIDEO https://docs.microsoft.com/shows/IT-Ops-Talk/Automatically-retry-failed-backup-jobs-using-Azure-Resource-Graph-and-Azure-Automation-Runbooks/player]

+ Note that Windows Server 2008 R2 is at end of support and we recommend you to upgrade it soon.

+Soft delete is available in all Azure Public and National regions.

+If you prefer to install and use the CLI locally, this tutorial requires Azure CLI version 2.0.30 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI](/cli/azure/install-azure-cli).

+ Title: Install .NET on Azure Cloud Services (classic) roles

+description: This article describes how to manually install the .NET Framework on your cloud service web and worker roles.

+>The Azure SDK 2.9 contains a restriction on deploying .NET Framework 4.6 on the Guest OS family 4 or earlier. A fix for the restriction is available in the [`azure-cloud-services-files` GitHub repo](https://github.com/MicrosoftDocs/azure-cloud-services-files/tree/master/Azure%20Targets%20SDK%202.9).

+- **Code snippets**: In Microsoft [technical documentation](/) and [training resources](/learn), select the **Try It** button that appears with Azure CLI and Azure PowerShell code snippets:

+- **Details**: Administrators may wish to disable access to Cloud Shell for their users. Cloud Shell utilizes access to the `ux.console.azure.com` domain, which can be denied, stopping any access to Cloud Shell's entrypoints including `portal.azure.com`, `shell.azure.com`, Visual Studio Code Azure Account extension, and `docs.microsoft.com`. In the US Government cloud, the entrypoint is `ux.console.azure.us`; there is no corresponding `shell.azure.us`.

+In our example, we'll utilize an [NCv3 series VM](../../virtual-machines/ncv3-series.md) that has one v100 GPU.

+sudo apt-key adv --fetch-keys https://developer.download.nvidia.com/compute/cuda/repos/ubuntu1804/x86_64/3bf863cc.pub

+An Azure Virtual Machine with a GPU can also be used to run Spatial Analysis. The example below will use a [NCv3 series VM](../../virtual-machines/ncv3-series.md) that has one v100 GPU.

+To locate the VM size, select "See all sizes" and then view the list for "N-Series" and select **NC6s_v3**, shown below.

+> The Speech-to-text REST API v2.0 is deprecated and will be retired by February 29, 2024. Please migrate your applications to the [Speech-to-text REST API v3.0](rest-speech-to-text.md).

+* Speech

+* Speech

+## Guidance

+After you trained your model, you will see some guidance and recommendation on how to improve the model. It's recommended to have a model covering all points in the guidance section.

+* Training set has enough data: When an entity type has fewer than 15 labeled instances in the training data, it can lead to lower accuracy due to the model not being adequately trained on these cases. In this case, consider adding more labeled data in the training set. You can check the *data distribution* tab for more guidance.

+* All entity types are present in test set: When the testing data lacks labeled instances for an entity type, the modelΓÇÖs test performance may become less comprehensive due to untested scenarios. You can check the *test set data distribution* tab for more guidance.

+* Entity types are balanced within training and test sets: When sampling bias causes an inaccurate representation of an entity typeΓÇÖs frequency, it can lead to lower accuracy due to the model expecting that entity type to occur too often or too little. You can check the *data distribution* tab for more guidance.

+* Entity types are evenly distributed between training and test sets: When the mix of entity types doesnΓÇÖt match between training and test sets, it can lead to lower testing accuracy due to the model being trained differently from how itΓÇÖs being tested. You can check the *data distribution* tab for more guidance.

+* Unclear distinction between entity types in training set: When the training data is similar for multiple entity types, it can lead to lower accuracy because the entity types may be frequently misclassified as each other. Review the following entity types and consider merging them if theyΓÇÖre similar. Otherwise, add more examples to better distinguish them from each other. You can check the *confusion matrix* tab for more guidance.

+* View the model [confusion matrix](how-to/view-model-evaluation.md). If you notice that a certain entity type is frequently not predicted correctly, consider adding more tagged instances for this class. If you notice that two entity types are frequently predicted as each other, this means the schema is ambiguous, and you should consider merging them both into one entity type for better performance.

+* [Review test set predictions](how-to/view-model-evaluation.md). If one of the entity types has a lot more tagged instances than the others, your model may be biased towards this type. Add more data to the other entity types or remove examples from the dominating type.

+* [Review your test set](how-to/view-model-evaluation.md) to see predicted and tagged entities side-by-side so you can get a better idea of your model performance, and decide if any changes in the schema or the tags are necessary.

+* If you're retraining the same model, your test set will be the same, but you might notice a slight change in predictions made by the model. This is because the trained model is not robust enough and this is a factor of how representative and distinct your data is and the quality of your tagged data.

+Training is the process where the model learns from your [labeled data](tag-data.md). After training is completed, you'll be able to view the [model's performance](view-model-evaluation.md) to determine if you need to improve your model.

+After training is completed, you'll be able to view [model performance](view-model-evaluation.md) to optionally improve your model if needed. Once you're satisfied with your model, you can deploy it, making it available to use for [extracting entities](call-api.md) from text.

+* [Deploy your model](deploy-model.md)

+4. **View the model's performance**: After training is completed, view the model's evaluation details, its performance and guidance on how to improve it.

+7. **Extract entities**: Use your custom models for entity extraction tasks.

+* [Model evaluation](how-to/view-model-evaluation.md)

+## Guidance

+After you trained your model, you will see some guidance and recommendation on how to improve the model. It's recommended to have a model covering all points in the guidance section.

+* Training set has enough data: When a class type has fewer than 15 labeled instances in the training data, it can lead to lower accuracy due to the model not being adequately trained on these cases.

+* All class types are present in test set: When the testing data lacks labeled instances for a class type, the modelΓÇÖs test performance may become less comprehensive due to untested scenarios.

+* Class types are balanced within training and test sets: When sampling bias causes an inaccurate representation of a class typeΓÇÖs frequency, it can lead to lower accuracy due to the model expecting that class type to occur too often or too little.

+* Class types are evenly distributed between training and test sets: When the mix of class types doesnΓÇÖt match between training and test sets, it can lead to lower testing accuracy due to the model being trained differently from how itΓÇÖs being tested.

+* Class types in training set are clearly distinct: When the training data is similar for multiple class types, it can lead to lower accuracy because the class types may be frequently misclassified as each other.

+* [Review your test set](how-to/view-model-evaluation.md) to see predicted and tagged classes side-by-side so you can get a better idea of your model performance, and decide if any changes in the schema or the tags are necessary.

+Training is the process where the model learns from your [labeled data](tag-data.md). After training is completed, you will be able to [view the model's performance](view-model-evaluation.md) to determine if you need to improve your model.

+After training is completed, you will be able to [view the model's performance](view-model-evaluation.md) to optionally improve your model if needed. Once you're satisfied with your model, you can deploy it, making it available to use for [classifying text](call-api.md).

+As you review your how your model performs, learn about the [evaluation metrics](../concepts/evaluation-metrics.md) that are used. Once you know whether your model performance needs to improve, you can begin improving the model.

+5. **Deploy the model**: Deploying a model makes it available for use via the [Analyze API](https://aka.ms/ct-runtime-swagger).

+6. **Classify text**: Use your custom model for custom text classification tasks.

+## Scenarios

+* Enhance search capabilities and search indexing - Customers can build knowledge graphs based on entities detected in documents to enhance document search as tags.

+* Automate business processes - For example, when reviewing insurance claims, recognized entities like name and location could be highlighted to facilitate the review. Or a support ticket could be generated with a customer's name and company automatically from an email.

+* Customer analysis ΓÇô Determine the most popular information conveyed by customers in reviews, emails, and calls to determine the most relevant topics that get brought up and determine trends over time.

+Currently the conversational PII preview API supports all Azure regions supported by the Language service.

+curl -i -X POST https://your-language-endpoint-here/language/analyze-conversations/jobs?api-version=2022-05-15-preview \

+curl -i -X POST https://your-language-endpoint-here/language/analyze-conversations/jobs?api-version=2022-05-15-preview \

+ Title: What is Azure OpenAI? (Preview)

+# What is Azure OpenAI? (Preview)

+ - `realTimeNotificationConnected` - when real time notification is connected.

+ - `realTimeNotificationDisconnected` -when real time notification is disconnected.

+ - Connect a Notification Hub resource with Communication Services resource to send push notifications and notify your application users about incoming chats and messages when the mobile app is not running in the foreground.

+

+ IOS and Android SDK can support the below event:

+ - `chatMessageReceived` - when a new message is sent to a chat thread by a participant.

+

+ Android SDK can support the below additional events:

+> Currently sending chat push notifications with Notification Hub is generally available in Android version 1.1.0 and in public preview for iOS version 1.3.0-beta.1.

+|Mobile push notifications with Notification Hub | The Chat SDK provides APIs allowing clients to be notified for incoming messages and other operations occurring in a chat thread by connecting an Azure Notification Hub to your Communication Services resource. In situations where your mobile app is not running in the foreground, patterns are available to [fire pop-up notifications](../notifications.md) ("toasts") to inform end-users, see [Chat concepts](concepts.md#push-notifications). | ❌ | ❌ | ❌ | ❌ | ✔️ | ✔️ |

+| Sendmail | Send Email messages </br> *Attachments are supported* | ✔️ | ✔️ | ✔️ | ✔️ |

+| Get Status | Receive Delivery Reports for messages sent | ✔️ | ✔️ | ✔️ | ✔️ |

+Communication Services APIs are documented alongside other [Azure REST APIs](/rest/api/azure/). This documentation will tell you how to structure your HTTP messages and offers guidance for using [Postman](../tutorials/postman-tutorial.md). REST interface documentation is also published in Swagger format on [GitHub](https://github.com/Azure/azure-rest-api-specs). You can find throttling limits for individual APIs on [service limits page](./service-limits.md).

+ Title: Enable push notifications in your chat app

+description: Learn how to enable push notification in IOS App by using Azure Communication Chat SDK

+# Enable Push Notifications in your chat app

+>[!IMPORTANT]

+>This Push Notification feature is currently in public preview. Preview APIs and SDKs are provided without a service-level agreement, and aren't recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

+This tutorial will guide you to enable Push Notification in your IOS App by using Azure Communication Chat SDK.

+Push notifications alert clients of incoming messages in a chat thread in situations where the mobile app isn't running in the foreground. Azure Communication Services supports two versions of push notifications.

+- `Basic Version` : The user will be able to see a badge number of 1 on the appΓÇÖs icon, receive a notification sound and see a pop-up alert banner.

+- `Advanced Version`: Except for the features supported in basic version, the Contoso will be able to customize the title & message preview section in alert banner.

+ <img src="./media/add-chat-push-notification/basic-version.png" width="340" height="270" alt="Screenshot of basic version of push notification.">

+ [Basic Version]

+ <img src="./media/add-chat-push-notification/advanced-version.png" width="340" height="270" alt="Screenshot of advanced version of push notification.">

+ [Advanced Version]

+## Download code

+Access the sample code for this tutorial on [GitHub](https://github.com/Azure-Samples/communication-services-ios-quickstarts/tree/main/add-chat-push-notifications).

+## Prerequisites

+1. Finish all the prerequisite steps in [Chat Quickstart](https://docs.microsoft.com/azure/communication-services/quickstarts/chat/get-started?pivots=programming-language-swift)

+2. ANH Setup

+Create an Azure Notification Hub within the same subscription as your Communication Services resource and link the Notification Hub to your Communication Services resource. See [Notification Hub provisioning](../concepts/notifications.md#notification-hub-provisioning).

+3. APNS Cert Configuration

+Here we recommend creating a .p12 APNS cert and set it in Notification Hub.

+ `If you are not a Microsoft internal client`, please follow step 1 to step 9.

+ `If you are a Microsoft internal client`, please submit a ticket [here](https://aka.ms/mapsupport) and provide the bundle ID of your app to get a .p12 cert. Once you get a valid certificate issued, please execute the step 9.

+* Step 1: Log in to the Apple Developer Portal. Navigate to `Certificates, IDs & Profiles > Identifiers > App IDs` and click the App ID associated with your app.

+ <img src="./media/add-chat-push-notification/cert-1.png" width="700" height="230" alt="Screenshot of APNS Cert Configuration step 1.">

+* Step 2: On the screen for your App ID, check ΓÇ»`Capabilities > Push Notifications`. Click Save and respond ΓÇ£ConfirmΓÇ¥ to the Modify App Capabilities dialog box that appears.

+ <img src="./media/add-chat-push-notification/cert-2.png" width="700" height="350" alt="Screenshot of APNS Cert Configuration step 2-1.">

+ <img src="./media/add-chat-push-notification/cert-3.png" width="700" height="210" alt="Screenshot of APNS Cert Configuration step 2-2.">

+* Step 3: In the same page, click `Capabilities > Push Notifications > Configure`. Click one of the following buttons:

+ * Development SSL Certificate > Create Certificate (for testing push notifications while developing an iOS app)

+ * Production SSL Certificate > Create Certificate (for sending push notifications in production)

+ <img src="./media/add-chat-push-notification/cert-4.png" width="700" height="320" alt="Screenshot of APNS Cert Configuration step 3.">

+* Step 4: Then you're navigated to the below page. Here, you'll upload a Certificate Signing Request (CSR). Follow the next step to create a CSR.

+ <img src="./media/add-chat-push-notification/cert-5.png" width="700" height="400" alt="Screenshot of APNS Cert Configuration step 4.">

+* Step 5: In a new browser tab, follow this [help page](https://help.apple.com/developer-account/#/devbfa00fef7) to create a CSR and save the file as ΓÇ£App name.cerΓÇ¥.

+ <img src="./media/add-chat-push-notification/cert-6.png" width="700" height="360" alt="Screenshot of APNS Cert Configuration step 5 - 1.">

+ <img src="./media/add-chat-push-notification/cert-7.png" width="700" height="500" alt="Screenshot of APNS Cert Configuration step 5 - 2.">

+* Step 6: Drag the .cer file to ΓÇ£Choose FileΓÇ¥ area. Then hit ΓÇ£continueΓÇ¥ on the right top corner.

+ <img src="./media/add-chat-push-notification/cert-8.png" width="880" height="400" alt="Screenshot of APNS Cert Configuration step 6.">

+* Step 7: Click ΓÇ£DownloadΓÇ¥ and save the file to local disk.

+ <img src="./media/add-chat-push-notification/cert-9.png" width="700" height="220" alt="Screenshot of APNS Cert Configuration step 7.">

+* Step 8: Open the .cer file you downloaded; it will open Keychain Access. Select your certificate, right-click, and export your certificate in .p12 format.

+ <img src="./media/add-chat-push-notification/cert-11.png" width="700" height="400" alt="Screenshot of APNS Cert Configuration step 8.">

+* Step 9: Go to your notification hub, click ΓÇ£Apple (APNS)ΓÇ¥ under Settings and select ΓÇ£CertificateΓÇ¥ under Authentication Mode. Also select the Application Mode based on your need. Then upload the .p12 file you just created.

+ <img src="./media/add-chat-push-notification/cert-12.png" width="700" height="360" alt="Screenshot of APNS Cert Configuration step 9.">

+4. XCode Configuration

+* In XCode, go to  `Signing & Capabilities`. Add a capability by selecting "+ Capability", and then select “Push Notifications”.

+* Add another capability by selecting “+ Capability”, and then select “Background Modes”. Also select “Remote Notifications” under Background Modes.

+<img src="./media/add-chat-push-notification/xcode-config.png" width="730" height="500" alt="Screenshot of Enable Push Notifications and Background modes in Xcode.">

+## Implementation

+### 1 - Basic Version

+If you want to implement a basic version of Push Notification, you need to register for remote notifications with APNS (Apple Push Notification Service). Refer to [sample code](https://github.com/Azure-Samples/communication-services-ios-quickstarts/blob/main/add-chat-push-notifications/SwiftPushTest/AppDelegate.swift) to see the related implementation in `AppDelegate.swift`.

+### 2 - Advanced Version

+If you want to implement an advanced version of Push Notification, you need to include the following items in your app. The reason is that we encrypt customer content (e.g. chat message content, sender display name, etc.) in push notification payload and it requires some workaround on your side.

+* Item 1: Data Storage for encryption keys

+First, you should create a persistent data storage in IOS device. This data storage should be able to share data between Main App and App Extensions (Refer to Item 2 for more information about App Extension ΓÇô Notification Service Extension).

+In our sample code, we'll choose ΓÇ£App GroupΓÇ¥ as the data storage. Below are the suggested steps to create and use ΓÇ£App GroupΓÇ¥:

+Follow the steps in [Add a capability](https://developer.apple.com/documentation/xcode/adding-capabilities-to-your-app?changes=latest_minor#Add-a-capability) to add the Apps Groups capability to your appΓÇÖs targets ΓÇô both Main App and Notification Service Extension (Refer to Item 2 on how to create a Notification Service Extension).

+Also follow the steps in this [Apple official doc](https://developer.apple.com/documentation/xcode/configuring-app-groups?changes=latest_minor) to configure App Group. Make sure your Main App and App Extension have the same container name.

+* Item 2: Notification Service Extension

+Second, you should implement a ΓÇ£Notification Service ExtensionΓÇ¥ bundled with main app. This is used for decrypting the push notification payload when receiving it.

+Go to this [Apple official doc](https://developer.apple.com/documentation/usernotifications/modifying_content_in_newly_delivered_notifications). Follow the step ΓÇ£Add a Service App Extension to your projectΓÇ¥ and ΓÇ£Implement Your ExtensionΓÇÖs Handler MethodsΓÇ¥.

+Notice that in the step ΓÇ£Implement Your ExtensionΓÇÖs Handler Methods,ΓÇ¥ Apple provides the sample code to decrypt data and we'll follow the overall structure. However, since we use chat SDK for decryption, we need to replace the part starting from `ΓÇ£// Try to decode the encrypted message data.ΓÇ¥` with our customized logic. Refer to the [sample code](https://github.com/Azure-Samples/communication-services-ios-quickstarts/blob/main/add-chat-push-notifications/SwiftPushTestNotificationExtension/NotificationService.swift) to see the related implementation in `NotificationService.swift`.

+* Item 3: Implementation of PushNotificationKeyHandler Protocol

+Third, `PushNotificationKeyHandler` is required for advanced version. As the SDK user, you could use the default `AppGroupPushNotificationKeyHandler` class provided by chat SDK to generate a key handler. If you donΓÇÖt use `App Group` as the key storage or would like to customize key handling methods, create your own class which conforms to PushNotificationKeyHandler protocol.

+For PushNotificationKeyHandler, it defines two methods: `onPersistKey(encryptionKey:expiryTime)` and `onRetrieveKeys() -> [String]`.

+The first method is used to persist the encryption key in the storage of userΓÇÖs IOS device. Chat SDK will set 45 minutes as the expiry time of the encryption key. If you want Push Notification to be effect for more than 45 minutes, you need to schedule to call `chatClient.startPushNotifications(deviceToken:)` on a comparatively frequent basis (eg. every 15 minutes) so a new encryption key could be registered before the old key expires.

+The second method is used to retrieve the valid keys previously stored. You have the flexibility to provide the customization based on the data storage (item 1) you choose.

+In protocol extension, chat SDK provides the implementation of `decryptPayload(notification:) -> PushNotificationEvent` method which you can take advantage of. Refer to the [sample code](https://github.com/Azure-Samples/communication-services-ios-quickstarts/blob/main/add-chat-push-notifications/SwiftPushTestNotificationExtension/NotificationService.swift) to see the related implementation in `NotificationService.swift`.

+## Testing

+1. Create a Chat Thread with User A and User B.

+2. Download the Sample App Repo and follow the above steps in the prerequisites and implementation section.

+3. Put User AΓÇÖs <ACESS_TOEKN> and <ACS_RESOURCE_ENDPOINT> into `AppSettings.plist`.

+4. Set ΓÇ£Enable BitcodeΓÇ¥ to ΓÇ£NoΓÇ¥ for two Pods targets ΓÇô AzureCommunicationChat and Trouter.

+5. Plug the IOS device into your mac, run the program and click ΓÇ£allowΓÇ¥ when asked to authorize push notification on device.

+6. As User B, send a chat message. You (User A) should be able to receive a push notification in your IOS device.

+ --context-path "./dockerfile" `

+| Feature | Quantity | Scope | Remarks |

+|--|--|--|--|

+| Environments | 5 | For a subscription per region | |

+| Container Apps | 20 | Environment | |

+| Revisions | 100 | Container app | |

+| Replicas | 30 | Revision | |

+| Cores | 2 | Replica | Maximum number of cores that can be requested by a revision replica. |

+| Cores | 20 | Environment | Calculated by the total cores an environment can accommodate. For instance, the sum of cores requested by each active replica of all revisions in an environment. |

+## Considerations

+* Pay-as-you-go and trial subscriptions are limited to 1 environment per region per subscription.

+* If an environment runs out of allowed cores:

+ * Provisioning times out with a failure

+ * The app silently refuses to scale out

+ --name <APPLICATION_NAME> \

+ --revision <REVISION_NAME> \

+ --name <APPLICATION_NAME> `

+ --revision <REVISION_NAME> `

+cqlsh <YOUR_ACCOUNT_NAME>.cassandra.cosmosdb.azure.com 10350 -u <YOUR_ACCOUNT_NAME> -p <YOUR_ACCOUNT_PASSWORD> --ssl --protocol-version=4

+| Cores: `--cpus` | | Make sure to allocate enough memory and CPU cores. At least two cores are recommended. |

+# Azure Cosmos DB Emulator - release notes and download information

+This article shows the Azure Cosmos DB Emulator released versions and it details the latest updates. The download center only has the latest version of the emulator available to download.

+> [!IMPORTANT]

+> Earlier versions of the Azure Cosmos DB Emulator aren't actively supported by the developer team.

+| | |

+| **Download** | [Microsoft Download Center](https://aka.ms/cosmosdb-emulator) |

+| **Get started** | [Develop locally with Azure Cosmos DB Emulator](local-emulator.md) |

+### `2.14.9` (July 7, 2022)

+- This release updates the Azure Cosmos DB Emulator background services to match the latest online functionality of the Azure Cosmos DB.

+### `2.14.8`

+- This release updates the Azure Cosmos DB Emulator background services to match the latest online functionality of the Azure Cosmos DB.

+### `2.14.7` (May 9, 2022)

+- This release updates the Azure Cosmos DB Emulator background services to match the latest online functionality of the Azure Cosmos DB. In addition to this update, there are a couple of issues addressed in this release:

+ - Update Data Explorer to the latest content and fix a broken link for the quick start sample documentation.

+ - Add option to enable the Mongo API version for the Linux Cosmos DB emulator by setting the environment variable: `AZURE_COSMOS_EMULATOR_ENABLE_MONGODB_ENDPOINT` in the Docker container. Valid settings are: `3.2`, `3.6`, `4.0` and `4.2`

+### `2.14.6` (March 7, 2022)

+- This release updates the Azure Cosmos DB Emulator background services to match the latest online functionality of the Azure Cosmos DB. In addition to this update, there are a couple of issues addressed in this release:

+ - Fix for an issue related to high CPU usage when the emulator is running.

+ - Add PowerShell option to set the Mongo API version: `-MongoApiVersion`. Valid settings are: `3.2`, `3.6` and `4.0`

+### `2.14.5` (January 18, 2022)

+- This release updates the Azure Cosmos DB Emulator background services to match the latest online functionality of the Azure Cosmos DB. One other important update with this release is to reduce the number of services executed in the background and start them as needed.

+### `2.14.4` (October 25, 2021)

+- This release updates the Azure Cosmos DB Emulator background services to match the latest online functionality of the Azure Cosmos DB.

+### `2.14.3` (September 8, 2021)

+- This release updates the Azure Cosmos DB Emulator background services to match the latest online functionality of the Azure Cosmos DB. It also addresses issues with performance data that's collected and resets the base image for the Linux Cosmos emulator Docker image.

+### `2.14.2` (August 12, 2021)

+- This release updates the local Data Explorer content to latest Microsoft Azure version and resets the base for the Linux Cosmos emulator Docker image.

+### `2.14.1` (June 18, 2021)

+- This release improves the start-up time for the emulator while reducing the footprint of its data on the disk. Activate this new optimization by using the `/EnablePreview` argument.

+### `2.14.0` (June 15, 2021)

+- This release updates the local Data Explorer content to latest Microsoft Azure version. It also fixes an issue when importing many items by using the JSON file upload feature.

+### `2.11.13` (April 21, 2021)

+- This release updates the local Data Explorer content to latest Microsoft Azure version and adds a new MongoDB endpoint configuration, `4.0`.

+### `2.11.11` (February 22, 2021)

+- This release updates the local Data Explorer content to latest Microsoft Azure version.

+### `2.11.10` (January 5, 2021)

+- This release updates the local Data Explorer content to latest Microsoft Azure version. It also adds a new public option, `/ExportPemCert`, which enables the emulator user to directly export the public emulator's certificate as a `.PEM` file.

+### `2.11.9` (December 3, 2020)

+- This release updates the Azure Cosmos DB Emulator background services to match the latest online functionality of the Azure Cosmos DB. It also addresses couple issues with the Azure Cosmos DB Emulator functionality:

+ - Fix for an issue where large document payload requests fail when using Direct mode and Java client applications.

+ - Fix for a connectivity issue with MongoDB endpoint version 3.6 when targeted by .NET based applications.

+### `2.11.8` (November 6, 2020)

+- This release includes an update for the Azure Cosmos DB Emulator Data Explorer and fixes an issue where **transport layer security (TLS) 1.3** clients try to open the Data Explorer.

+### `2.11.6` (October 6, 2020)

+- This release addresses a concurrency-related issue when creating more than one container at the same time. The issue can leave the emulator in a corrupted state and future API requests to the emulator's endpoint will fail with *service unavailable* errors. The work-around is to stop the emulator, reset of the emulator's local data and restart.

+### `2.11.5` (August 23, 2020)

+- This release adds two new Azure Cosmos DB Emulator startup options:

+ - `/EnablePreview` - Enables preview features for the Azure Cosmos DB Emulator. The preview features that are still under development and are available via CI and sample writing.

+ - `/EnableAadAuthentication` - Enables the emulator to accept custom Azure Active Directory tokens as an alternative to the Azure Cosmos primary keys. This feature is still under development; specific role assignments and other permission-related settings aren't currently supported.

+### `2.11.2` (July 7, 2020)

+- This release changes how the Azure Cosmos DB Emulator collects traces. Windows Performance Runtime (WPR) is now the default tools for capturing event trace log-based traces while deprecating logman based capturing. With the latest Windows security update, LOGMAN stopped working as expected when executed through the Azure Cosmos DB Emulator.

+### `2.11.1` (June 10, 2020)

+- This release fixes couple bugs related to Azure Cosmos DB Emulator Data Explorer:

+ - Data Explorer fails to connect to the Azure Cosmos DB Emulator endpoint when hosted in some Web browser versions. Emulator users might not be able to create a database or a container through the Web page.

+ - Resolved bug that prevented emulator users from creating an item from a JSON file using Data Explorer upload action.

+### `2.11.0`

+### `2.9.2`

+- This release fixes a bug while enabling support for MongoDb endpoint version 3.2. It also adds support for generating trace messages for troubleshooting purposes using [Windows Performance Recorder (WPR)](/windows-hardware/test/wpt/wpr-command-line-options) instead of [logman](/windows-server/administration/windows-commands/logman).

+### `2.9.1`

+### `2.9.0`

+### `2.7.2`

+- This release adds MongoDB version 3.6 server support to the Azure Cosmos DB Emulator. To start a MongoDB endpoint that target version 3.6 of the service, start the emulator from an Administrator command line with `/EnableMongoDBEndpoint=3.6` option.

+### `2.7.0`

+### `2.4.6`

+### `2.4.3`

+- MongoDB service is no longer started by default. By default, the emulator enables the SQL endpoint. The user must start the endpoint manually using the emulator's `/EnableMongoDbEndpoint` command-line option. Now, it's like all the other service endpoints, such as Gremlin, Cassandra, and Table.

+- Fixes a bug in the emulator when starting with ΓÇ£/AllowNetworkAccessΓÇ¥ where the Gremlin, Cassandra, and Table endpoints weren't correctly handling requests from external clients.

+### `2.4.0`

+## Next steps

+- [Install and use the Azure Cosmos DB Emulator for local development and testing](local-emulator.md)

+Here are some real-world change feed code examples that extend beyond the scope of the provided samples:

+ * If you know typical request rates for your current database workload, read about [estimating request units using Azure Cosmos DB capacity planner](estimate-ru-with-capacity-planner.md)

+>[!Note]

+> Make sure you have permission to execute the following command and access the schema *INFORMATION_SCHEMA* and the table *COLUMNS*.

+>

+>- `COPY INTO <location>`

+>[!Note]

+> Make sure you have permission to execute the following command and access the schema *INFORMATION_SCHEMA* and the table *COLUMNS*.

+>

+>- `SELECT CURRENT_REGION()`

+>- `COPY INTO <table>`

+>- `SHOW REGIONS`

+>- `CREATE OR REPLACE STAGE`

+>- `DROP STAGE`

+- Snowflake

+ - Pipeline Activity = $0.00003 (Prorated for 1 minute of execution time. $0.005/hour on Azure Integration Runtime)

+ - Monitor the pipeline run.

+ Title: Azure Stack Edge hardware additional terms | Microsoft Docs

+description: Describes additional terms for Azure Stack Edge hardware.

+# Azure Stack Edge hardware additional terms

+This article documents additional terms for Azure Stack Edge hardware.

+## Availability of the Azure Stack Edge device

+Microsoft isn't obligated to continue to offer the Azure Stack Edge device or any other hardware product in connection with the Service. The Azure Stack Edge device may not be offered in all regions or jurisdictions, and even where it is offered, it may be subject to availability. Microsoft reserves the right to refuse to offer the Azure Stack Edge device to anyone in its sole discretion and judgment.

+## Use of the Azure Stack Edge device

+As part of the Service, Microsoft allows Customer to use the Azure Stack Edge device for as long as Customer has an active subscription to the Service. If Customer no longer has an active subscription and fails to return the Azure Stack Edge device, Microsoft may deem the Azure Stack Edge device as lost as described in the ΓÇ£Title and risk of loss; shipment and return responsibilitiesΓÇ¥ section.

+## Title and risk of loss; shipment and return responsibilities

+### Title and risk of loss

+All right, title and interest in each Azure Stack Edge device is and shall remain the property of Microsoft, and except as described in these Additional Terms, no rights are granted to any Azure Stack Edge device (including under any patent, copyright, trade secret, trademark or other proprietary rights). Customer will compensate Microsoft for any loss, damage or destruction to or of any Azure Stack Edge device once it has been delivered by the carrier to CustomerΓÇÖs designated address until the Microsoft-designated carrier accepts the Azure Stack Edge device for return delivery, including while it is at any of CustomerΓÇÖs locations (other than expected wear and tear that don't compromise the structure or functionality) or such circumstances as described in the ΓÇ£Responsibilities if a government customer moves an Azure Stack Edge device between customerΓÇÖs locationsΓÇ¥ section. Customer is responsible for inspecting the Azure Stack Edge device upon receipt from the carrier and for promptly reporting any damages to Microsoft Support at [adbeops@microsoft.com](mailto:adbeops@microsoft.com).

+If Customer prefers to arrange CustomerΓÇÖs own pick-up and/or return of the Azure Stack Edge device pursuant to the ΓÇ£Shipment and return of Azure Stack Edge deviceΓÇ¥ section below, Customer is responsible for the entire risk of loss of, or any damage to the Azure Stack Edge device until it has been returned to and accepted by Microsoft.

+Microsoft may charge Customer for a lost device fee for the Azure Stack Edge device (or equivalent) as described on the pricing pages for the specific Azure Stack Edge device models under the **FAQ** section at https://azure.microsoft.com/pricing/details/azure-stack/edge/ for the following reasons: (i) the Azure Stack Edge device is lost or materially damaged while it is CustomerΓÇÖs responsibility as described above, (ii) Customer does not provide the Azure Stack Edge device to the Microsoft-designated carrier for return or return the Azure Stack Edge device pursuant to the ΓÇ£Shipment and return of Azure Stack Edge deviceΓÇ¥ section below within 30 days from the end of CustomerΓÇÖs use of the Service. Microsoft reserves the right to change the fee charged for lost or damaged devices, including charging different amounts for different device form factors.

+### Shipment and return of Azure Stack Edge device

+Customer will be responsible for a one-time metered shipping fee for the shipment of the Azure Stack Edge device from Microsoft to Customer and return shipping of the same, in addition to any metered amounts for carrier charges, any taxes, or applicable customs fees. When returning an Azure Stack Edge device to Microsoft, Customer will package and ship the same in accordance with MicrosoftΓÇÖs instructions, including using a carrier designated by Microsoft and the packaging materials provided by Microsoft. If Customer prefers to arrange CustomerΓÇÖs own pick-up and/or return of the same, then Customer is responsible for the costs of shipping the Azure Stack Edge device, including protections against any loss or damage of the Azure Stack Edge device (for example, insurance coverage) while in transit. Customer will package and ship the Azure Stack Edge device in accordance with MicrosoftΓÇÖs packaging instructions. Customer is also responsible to ensure that it removes all CustomerΓÇÖs data from the Azure Stack Edge device prior to returning it to Microsoft, including following any Microsoft-issued processes for wiping or clearing the Azure Stack Edge device.

+### Responsibilities if a government customer moves an Azure Stack Edge device between customerΓÇÖs locations

+Government Customer agrees to comply with and be responsible for all applicable import, export and general trade laws and regulations should Customer decide to transport the Azure Stack Edge device beyond the country border in which Customer receives the Azure Stack Edge device. For clarity, but not limited to, if a government Customer is in possession of an Azure Stack Edge device, only the government Customer may, at government CustomerΓÇÖs sole risk and expense, transport the Azure Stack Edge device to its different locations in accordance with this section and the requirements of the Additional Terms. Customer is responsible for obtaining at CustomerΓÇÖs own risk and expense any export license, import license and other official authorization for the exportation and importation of the Azure Stack Edge device and CustomerΓÇÖs data to any different Customer location. Customer shall also be responsible for customs clearance to any different Customer location, and will bear all duties, taxes, and other official charges payable upon importation as well as all costs and risks of carrying out customs formalities in a timely manner.

+

+If Customer transports the Azure Stack Edge device to a different location, Customer agrees to return the Azure Stack Edge device to the country location where Customer received it initially, prior to shipping the Azure Stack Edge device back to Microsoft. Customer acknowledges that there are inherent risks in shipping data on and in connection with the Azure Stack Edge device, and that Microsoft will have no liability to Customer for any damage, theft, or loss occurring to an Azure Stack Edge device or any data stored on one, including during transit. It's CustomerΓÇÖs responsibility to obtain the appropriate support agreement from Microsoft to meet CustomerΓÇÖs operating objectives for the Azure Stack Edge device; however, depending on the location to which Customer intends to move the Azure Stack Edge device, MicrosoftΓÇÖs ability to provide hardware servicing and support may be delayed, or may not be available.

+## Fees

+Microsoft will charge Customer specified fees in connection with CustomerΓÇÖs use of the Azure Stack Edge device as part of the Service, with [the current schedule of fees for each Azure Stack Edge model](https://azure.microsoft.com/pricing/details/azure-stack/edge/). Customer may use other Azure services in connection with CustomerΓÇÖs use of the Service, and Microsoft deems such services as separate services that may be subject to separate metered fees and costs. By way of example only, Azure Storage, Azure Compute, and Azure IoT Hub are separate Azure services, and if used (even in connection with its use of the Service), separate Azure metered services will apply.

+## Next steps

+- [Azure Stack Edge](https://azure.microsoft.com/products/azure-stack/edge/#overview).

+- [Azure Stack Edge pricing](https://azure.microsoft.com/pricing/details/azure-stack/edge/).

+| **1.** |Azure Stack Edge Pro + Azure SQL | Creating SQL database requires Administrator access. |Do the following steps instead of Steps 1-2 in [Tutorial: Store data at the edge with SQL Server databases](../iot-edge/tutorial-store-data-sql-server.md#create-the-sql-database). <ul><li>In the local UI of your device, enable compute interface. Select **Compute > Port # > Enable for compute > Apply.**</li><li>Download [sqlcmd utility](/sql/tools/sqlcmd-utility) on your client machine. </li><li>Connect to your compute interface IP address (the port that was enabled), adding a ",1401" to the end of the address.</li><li>Final command will look like this: sqlcmd -S {Interface IP},1401 -U SA -P "Strong!Passw0rd".</li>After this, steps 3-4 from the current documentation should be identical. </li></ul> |

+- [Prepare to deploy Azure Stack Edge Pro device with GPU](azure-stack-edge-gpu-deploy-prep.md)

+| **2.** |Azure Stack Edge Pro + Azure SQL | Creating SQL database requires Administrator access. |Do the following steps instead of Steps 1-2 in [Tutorial: Store data at the edge with SQL Server databases](../iot-edge/tutorial-store-data-sql-server.md#create-the-sql-database). <ul><li>In the local UI of your device, enable compute interface. Select **Compute > Port # > Enable for compute > Apply.**</li><li>Download [sqlcmd utility](/sql/tools/sqlcmd-utility) on your client machine.</li><li>Connect to your compute interface IP address (the port that was enabled), adding a ",1401" to the end of the address.</li><li>Final command will look like this: sqlcmd -S {Interface IP},1401 -U SA -P "Strong!Passw0rd".</li>After this, steps 3-4 from the current documentation should be identical. </li></ul> |

+There's a required workflow for preparing a custom VM image. For the image source, you need to use a fixed VHD from any size that Azure supports. For VM size options, see [Supported VM sizes](azure-stack-edge-gpu-virtual-machine-sizes.md#supported-vm-sizes).

+ You can use any Windows Gen1 or Gen2 VM with a fixed-size VHD in Azure Marketplace. For a of list Azure Marketplace images that could work, see [Commonly used Azure Marketplace images for Azure Stack Edge](azure-stack-edge-gpu-create-virtual-machine-marketplace-image.md#commonly-used-marketplace-images).

+If using Red Hat Enterprise Linux (RHEL) images, only the Red Hat Enterprise Linux Bring Your Own Subscription (RHEL BYOS) images, also known as the Red Hat gold images, are supported and can be used to create your VM image. The standard pay-as-you-go RHEL images on Azure Marketplace aren't supported on Azure Stack Edge.

+1. Sign in to [Red Hat Subscription Management](https://access.redhat.com/management). Navigate to the [Cloud Access Dashboard](https://access.redhat.com/management/cloud) from the top menu bar.

+ Title: Azure Data Box hardware additional terms

+description: Describes additional terms for Azure Data Box hardware.

+# Azure Data Box hardware additional terms

+This article documents additional terms for Azure Data Box hardware.

+## Availability of Data Box devices

+The Data Box Device may not be offered in all regions or jurisdictions, and even where it is offered, it may be subject to availability. Microsoft is not responsible for delays related to the Service outside of its direct control. Microsoft reserves the right to refuse to offer the Service and corresponding Data Box Device to anyone in its sole discretion and judgment.

+## Possession and return of the Data Box device

+As part of the Service, Microsoft allows Customer to retain the Data Box Device for limited periods of time which may vary based on the Data Box Device type. If Customer retains the Data Box Device beyond the specified time period, Microsoft may charge Customer additional daily fees as described at https://go.microsoft.com/fwlink/?linkid=2052173.

+## Shipment and title; fees

+### Title and risk of loss

+All right, title and interest in each Data Box Device is and shall remain the property of Microsoft, and except as described in the Additional Terms, no rights are granted to any Data Box Device (including under any patent, copyright, trade secret, trademark or other proprietary rights). Customer will compensate Microsoft for any loss, material damage or destruction to or of any Data Box Device while it is at any of CustomerΓÇÖs locations as described in Shipment and Title; Fees, Table 1. Customer is responsible for inspecting the Data Box Device upon receipt from the carrier and for promptly reporting any damage to Microsoft Support at databoxsupport@microsoft.com. Customer is responsible for the entire risk of loss of, or any damage to, the Data Box Device once it has been delivered by the carrier to CustomerΓÇÖs designated address until the Microsoft-designated carrier accepts the Data Box Device for delivery back to the Designated Azure Data Center.

+### Fees

+Microsoft may charge Customer specified fees in connection with its use of the Data Box Device as part of the Service, as described at https://go.microsoft.com/fwlink/?linkid=2052173. For clarity, Azure Storage and Azure IoT Hub are separate Azure Services, and if used (even in connection with its use of the Service), separate Azure metered fees will apply. Additional Azure services Customer uses after completing a transfer of data using the Azure Data Box Service are also subject to separate usage fees. For Data Box Devices, Microsoft may charge Customer a lost device fee, as provided in Table 1 below, if (i) the Data Box Device is lost or materially damaged while it is in CustomerΓÇÖs care; and/or (ii) Customer does not provide the Data Box Device to the Microsoft-designated carrier for return within the time period after the date it was delivered to Customer as provided in Table 1 below. Microsoft reserves the right to change the fees charged for Data Box Device types, including charging different amounts for different device form factors.

+Table 1:

+|Data Box device type | Lost or materially damaged time period and amounts|

+|||

+|Data Box | Period: After 90 days<br> Amount: $40,000.00 USD |

+|Data Box Disk | Period: After 90 days<br> Amount: $2,500.00 USD |

+|Data Box Heavy | Period: After 90 days<br> Amount: $250,000.00 USD |

+|Data Box Gateway | N/A |

+### Shipment and return of Data Box device

+Microsoft will designate a carrier for shipping and delivery of Data Box Devices that are transported or delivered between Customer and a Designated Azure Data Center or a Microsoft entity. Customer will be responsible for costs of shipping a Data Box Device from Microsoft or a Designated Azure Data Center to Customer and return shipping of the Data Box Device, including any metered amounts for carrier charges, any taxes, or applicable customs fees. When returning a Data Box Device to Microsoft, Customer will package and ship the Data Box Device in accordance with MicrosoftΓÇÖs instructions, including using a carrier designated by Microsoft and the packaging materials provided by Microsoft.

+### Transit risks

+

+Although data on a Data Box Device is encrypted, Customer acknowledges that there are inherent risks in shipping data on and in connection with the Data Box Device, and that Microsoft will have no liability to Customer for any damage, theft, or loss occurring to a Data Box Device or any data stored on one, including during transit.

+### Self-managed shipment

+Alternatively, Customer may elect to use CustomerΓÇÖs designated carrier or Customer itself to ship and return the Data Box Device by selecting this option in the Service portal. Once selected, (i) Microsoft will inform Customer about Data Box Device availability; (ii) Microsoft will prepare the Data Box Device for pick-up by CustomerΓÇÖs designated carrier or Customer itself; and (iii) Customer will coordinate with Microsoft and Designated Azure Data Center personnel for pick-up and return of the Data Box Device by CustomerΓÇÖs designated carrier or Customer directly. CustomerΓÇÖs election for self-managed shipment is subject to the following: (i) Customer abides by all other applicable terms and conditions related to the Service and Data Box Device, including the Product Terms and the Azure Data Box Hardware Terms; (ii) Customer is responsible for the entire risk of loss of, or any damage to, the Data Box Device (as described in the ΓÇ£Shipment and Title; FeesΓÇ¥ section, under subsection (a) ΓÇ£Title and Risk of LossΓÇ¥) from the time that Microsoft makes the Data Box Device available for pick-up by CustomerΓÇÖs designated carrier or Customer, to the time Microsoft has accepted the Data Box Device from CustomerΓÇÖs designated carrier or Customer at the Designated Azure Data Center; (iii) Customer is fully responsible for the costs of shipping a Data Box Device from Microsoft or a Designated Azure Data Center to Customer and return shipping of the same, including carrier charges, any taxes, or applicable customs fees; (iv) When returning a Data Box Device to Microsoft or a Designated Azure Data Center, Customer will package and ship the Data Box Device in accordance with MicrosoftΓÇÖs instructions and any packaging materials provided by Microsoft; (v) Customer will be charged applicable fees (as described in the ΓÇ£Shipment and Title; FeesΓÇ¥ section, under subsection (b) ΓÇ£FeesΓÇ¥) which commence from the time the Data Box Device is ready for pick-up at the agreed upon time and location, and will cease once the Data Box Device has been delivered to Microsoft or the Designated Azure Data Center; and (vi) Customer acknowledges that there are inherent risks in shipping data on and in connection with the Data Box Device, and that Microsoft will have no liability to Customer for any damage, theft, or loss occurring to a Data Box Device or any data stored on one, including during transit when shipped by CustomerΓÇÖs designated carrier.

+## Responsibilities if Customer moves a Data Box device between locations

+While Customer is in possession of a Data Box Device, Customer may, at its sole risk and expense, transport the Data Box Device to its domestic locations, and international locations as permitted by Microsoft in writing, for use to upload its data in accordance with this section and the requirements of the Additional Terms.

+If Customer wishes to move a Data Box Device to another country, then Customer must be the exporter of record from the country of export and importer of record into the country where the Data Box Device is being imported. Customer is responsible for obtaining, at its own risk and expense, any export license, import license and other official authorization for the exportation and importation of the Data Box Device and CustomerΓÇÖs data to any such different Customer location. Customer shall also be responsible for customs clearance at any such different Customer location, and will bear all duties, taxes, fines, penalties (if applicable) and all charges payable for exporting and importing the Data Box Device, as well as any and all costs and risks of carrying out customs formalities in a timely manner. Customer agrees to comply with and be responsible for all applicable import, export and general trade laws and regulations should Customer decide to transport the Data Box Device beyond the country border in which Customer receives the Data Box Device. Additionally, if Customer transports the Data Box Device to a different country, prior to shipping the Data Box Device back to the original point of origin, whether a specified Microsoft entity or a Designated Azure Data Center, Customer agrees to return the Data Box Device to the country location where Customer initially received the Data Box Device. If requested, Microsoft may provide MicrosoftΓÇÖs estimated value of the Data Box Device as supplied by Microsoft to Customer and share available product certifications for the Data Box Device.

+## Next steps

+- [Azure Data Box](data-box-overview.md)

+- [Azure Data Box pricing](https://azure.microsoft.com/pricing/details/databox/)

+^{<a name="footnote2"></a>2} To get [Microsoft Defender for Containers](../defender-for-cloud/defender-for-containers-introduction.md) protection for your environments, you will need to onboard [Azure Arc-enabled Kubernetes](../azure-arc/kubernetes/overview.md) and enable Defender for Containers as an Arc extension.

+^{<a name="footnote2"></a>2} To get [Microsoft Defender for Containers](../defender-for-cloud/defender-for-containers-introduction.md) protection for your environments, you will need to onboard [Azure Arc-enabled Kubernetes](../azure-arc/kubernetes/overview.md) and enable Defender for Containers as an Arc extension.

+^{<a name="footnote2"></a>2} To get [Microsoft Defender for Containers](../defender-for-cloud/defender-for-containers-introduction.md) protection for your environments, you will need to onboard [Azure Arc-enabled Kubernetes](../azure-arc/kubernetes/overview.md) and enable Defender for Containers as an Arc extension.

+^{<a name="footnote4"></a>4} Runtime protection can detect threats for these [Supported host operating systems](#supported-host-operating-systems).

+^{<a name="footnote2"></a>2} To get [Microsoft Defender for Containers](../defender-for-cloud/defender-for-containers-introduction.md) protection for your environments, you will need to onboard [Azure Arc-enabled Kubernetes](../azure-arc/kubernetes/overview.md) and enable Defender for Containers as an Arc extension.

+- Mariner 1.0

+- Mariner 2.0

+| [Removing security alerts for machines reporting to cross tenant Log Analytics workspaces](#removing-security-alerts-for-machines-reporting-to-cross-tenant-log-analytics-workspaces) | September 2022 |

+| [Legacy Assessments APIs deprecation](#legacy-assessments-apis-deprecation) | September 2022 |

+### Removing security alerts for machines reporting to cross-tenant Log Analytics workspaces

+**Estimated date for change:** September 2022

+Defender for Cloud lets you choose the workspace that your Log Analytics agents report to. When a machine belongs to one tenant (ΓÇ£Tenant AΓÇ¥) but its Log Analytics agent reports to a workspace in a different tenant (ΓÇ£Tenant BΓÇ¥), security alerts about the machine are reported to the first tenant (ΓÇ£Tenant AΓÇ¥).

+With this change, alerts on machines connected to Log Analytics workspace in a different tenant will no longer appear in Defender for Cloud.

+If you want to continue receiving the alerts in Defender for Cloud, connect the Log Analytics agent of the relevant machines to the workspace in the same tenant as the machine.

+### Legacy Assessments APIs deprecation

+The following APIs are set to be deprecated:

+- Security Tasks

+- Security Statuses

+- Security Summaries

+These three APIs exposed old formats of assessments and will be replaced by the [Assessments APIs](/rest/api/securitycenter/assessments) and [SubAssessments APIs](/rest/api/securitycenter/sub-assessments). All data that is exposed by these legacy APIs will also be available in the new APIs.

+ Title: Extra deployment steps and samples for Enterprise IoT deployment - Microsoft Defender for IoT

+description: Describes additional deployment and validation procedures to use when deploying an Enterprise IoT network sensor.

+# Extra steps and samples for Enterprise IoT deployment

+This article provides extra steps for deploying an Enterprise IoT sensor, including a sample SPAN port configuration procedure, and CLI steps to validate your deployment or delete a sensor.

+For more information, see [Tutorial: Get started with Enterprise IoT monitoring](tutorial-getting-started-eiot-sensor.md).

+## Configure a SPAN monitoring interface for a virtual appliance

+While a virtual switch doesn't have mirroring capabilities, you can use *Promiscuous mode* in a virtual switch environment as a workaround for configuring a SPAN port.

+*Promiscuous mode* is a mode of operation and a security, monitoring, and administration technique that is defined at the virtual switch or portgroup level. When Promiscuous mode is used, any of the virtual machineΓÇÖs network interfaces that are in the same portgroup can view all network traffic that goes through that virtual switch. By default, Promiscuous mode is turned off.

+This procedure describes an example of how to configure a SPAN port on your vSwitch with VMware ESXi. Enterprise IoT sensors also support VMs using Microsoft Hyper-V.

+**To configure a SPAN monitoring interface**:

+1. On your vSwitch, open the vSwitch properties and select **Add** > **Virtual Machine** > **Next**.

+1. Enter **SPAN Network** as your network label, and then select **VLAN ID** > **All** > **Next** > **Finish**.

+1. Select **SPAN Network** > **Edit** > **Security**, and verify that the **Promiscuous Mode** policy is set to **Accept** mode.

+1. Select **OK**, and then select **Close** to close the vSwitch properties.

+1. Open the **IoT Sensor VM** properties.

+1. For **Network Adapter 2**, select the **SPAN** network.

+1. Select **OK**.

+1. Connect to the sensor, and verify that mirroring works.

+If you've jumped to this procedure from the tutorial procedure for [Prepare a physical appliance or VM](tutorial-getting-started-eiot-sensor.md#prepare-a-physical-appliance-or-vm), continue with [step 2](tutorial-getting-started-eiot-sensor.md#sign-in) to continue preparing your appliance.

+## Validate your Enterprise IoT sensor setup

+If, after completing the Enterprise IoT sensor installation and setup, you don't see your sensor showing on the **Sites and sensors** page in the Azure portal, this procedure can help validate your installation directly on the sensor.

+Wait 1 minute after your sensor installation has completed before starting this procedure.

+**To validate the sensor setup from the sensor**:

+1. To process your system sanity, run:

+ ```bash

+ sudo docker ps

+ ```

+1. In the results that display, ensure that the following containers are up and listed as healthy.

+ - `compose_attributes-collector_1`

+ - `compose_cloud-communication_1`

+ - `compose_logstash_1`

+ - `compose_horizon_1`

+ - `compose_statistics-collector_1`

+ - `compose_properties_1`

+ For example:

+ :::image type="content" source="media/tutorial-get-started-eiot/validate-setup.png" alt-text="Screenshot of the validated containers listed." lightbox="media/tutorial-get-started-eiot/validate-setup.png":::

+1. Check your port validation to see which interface is defined to handle port mirroring. Run:

+ ```bash

+ sudo docker logs compose_horizon_1

+ ````

+ For example, the following response might be displayed: `Found env variable for monitor interfaces: ens192`

+1. Wait 5 minutes and then check your traffic D2C sanity. Run:

+ ```bash

+ sudo docker logs -f compose_attributes-collector_1

+ ```

+ Check the results to ensure that packets are being sent as expected.

+## Remove an Enterprise IoT network sensor (optional)

+Remove a sensor if it's no longer in use with Defender for IoT.

+**To remove a sensor**, run the following command on the sensor server or VM:

+```bash

+sudo apt purge -y microsoft-eiot-sensor

+```

+> [!IMPORTANT]

+> If you want to cancel your plan for Enterprise IoT networks only, do so from [Defender for Endpoint](/microsoft-365/security/defender-endpoint/enable-microsoft-defender-for-iot-integration).

+>

+> If you want to cancel your plan for both OT and Enterprise IoT networks together, you can use the [**Pricing**](how-to-manage-subscriptions.md) page in Defender for IoT in the Azure portal.

+>

+## Next steps

+For more information, see [Tutorial: Get started with Enterprise IoT monitoring](tutorial-getting-started-eiot-sensor.md) and [Manage sensors with Defender for IoT in the Azure portal](how-to-manage-sensors-on-the-cloud.md).

+<!--for example?-->

+ Title: View and manage alerts in the Microsoft Defender for IoT portal on Azure

+description: View and manage alerts detected by cloud-connected network sensors in the Microsoft Defender for IoT portal on Azure.

+This article describes how to manage your alerts from Microsoft Defender for IoT on the Azure portal.

+| **Last detection** | The last time the alert was detected. <br>- If an alert's status is **New**, and the same traffic is seen again, the **Last detection** time is updated for the same alert. <br>- If the alert's status is **Closed** and traffic is seen again, the **Last detection** time is *not* updated, and a new alert is triggered.|

+**To view additional information:**

+1. Select **Edit columns** from the Alerts page.

+1. In the Edit Columns dialog box, select **Add Column** and choose an item to add. The following items are available:

+ | Column | Description

+ |--|--|

+ | **Source device address** |The IP address of the source device. |

+ | **Destination device address** | The IP address of the destination device. |

+ | **Destination device** | The IP address, MAC, or destination device name.|

+ | **First detection** | Defines the first time the alert was detected in the network. |

+ | **ID** |The unique alert ID.|

+ | **Last activity** | Defines the last time the alert was changed, including manual updates for severity or status, or automated changes for device updates or device/alert de-duplication |

+ | **Protocol** | The protocol detected in the network traffic for this alert.|

+ | **Sensor** | The sensor that detected the alert.|

+ | **Zone** | The zone assigned to the sensor that detected the alert.|

+ | **Category**| The category associated with the alert, such as *operational issues*,*custom alerts*, or *illegal commands*. |

+ | **Type**| The internal name of the alert. |

+1. Copy the command to a safe location, and continue with installing the sensor. For more information, see [Tutorial: Get started with Enterprise IoT monitoring](tutorial-getting-started-eiot-sensor.md#install-the-sensor-software).

+|:::image type="icon" source="medi#install-the-sensor-software). |

+1. Onboard a new plan to the new subscription you want to use. For more information, see:

+1. Onboard your sensors again under the new subscription. For OT sensors, [upload a new activation](how-to-manage-individual-sensors.md#upload-new-activation-files) file for your sensors.

+1. Delete the sensor identities from the legacy subscription. For more information, see [Sensor management options from the Azure portal](how-to-manage-sensors-on-the-cloud.md#sensor-management-options-from-the-azure-portal).

+ Title: View alerts details on the sensor Alerts page - Microsoft Defender for IoT

+This article describes how to view alerts triggered by your Microsoft Defender for IoT OT network sensors.

+| **Last detection** | The last time the alert activity was detected. |

+## IT/OT mixed environments

+## Monitoring at the site level

+|L60 | 10 Mbps | 100 |Physical / Virtual|

+- [ICS/OT Security video series](https://www.youtube.com/playlist?list=PLmAptfqzxVEXz5txCCKYUdpQETAMpeOhu)

+| 22.2.4 | 07/2022 | 04/2023 |

+| 22.2.3 | 07/2022 | 04/2023 |

+| 22.1.7 | 07/2022 | 04/2023 |

+- [New alert columns with timestamp data](#new-alert-columns-with-timestamp-data)

+### New alert columns with timestamp data

+Starting with OT sensor version 22.2.4, Defender for IoT alerts in the Azure portal and the sensor console now show the following columns and data:

+- **Last detection**. Defines the last time the alert was detected in the network, and replaces the **Detection time** column.

+- **First detection**. Defines the first time the alert was detected in the network.

+- **Last activity**. Defines the last time the alert was changed, including manual updates for severity or status, or automated changes for device updates or device/alert de-duplication.

+The **First detection** and **Last activity** columns aren't displayed by default. Add them to your **Alerts** page as needed.

+> [!TIP]

+> If you're also a Microsoft Sentinel user, you'll be familiar with similar data from your Log Analytics queries. The new alert columns in Defender for IoT are mapped as follows:

+>

+> - The Defender for IoT **Last detection** time is similar to the Log Analytics **EndTime**

+> - The Defender for IoT **First detection** time is similar to the Log Analytics **StartTime**

+> - The Defender for IoT **Last activity** time is similar to the Log Analytics **TimeGenerated**

+For more information, see:

+- [View alerts on the Defender for IoT portal](how-to-manage-cloud-alerts.md)

+- [View alerts on your sensor](how-to-view-alerts.md)

+- [OT threat monitoring in enterprise SOCs](concept-sentinel-integration.md)

+- DDL traffic: alerting and monitoring are supported.

+In this tutorial, you learn about:

+> * Integrating with Microsoft Defender for Endpoint

+> * Prerequisites for Enterprise IoT network monitoring with Defender for IoT

+> * How to prepare a physical appliance or VM as a network sensor

+> * How to onboard an Enterprise IoT sensor and install software

+> * How to view detected Enterprise IoT devices in the Azure portal

+> * How to view devices, alerts, vulnerabilities, and recommendations in Defender for Endpoint

+Integrate with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/) to extend your security analytics capabilities, providing complete coverage across your Enterprise IoT devices. Defender for Endpoint analytics features include alerts, vulnerabilities, and recommendations for your enterprise devices.

+After you've onboarded a plan for Enterprise IoT and set up your Enterprise IoT network sensor, your device data integrates automatically with Microsoft Defender for Endpoint.

+- Discovered devices appear in both the Defender for IoT and Defender for Endpoint portals.

+- In Defender for Endpoint, view discovered IoT devices and related alerts, vulnerabilities, and recommendations.

+For more information, see [Onboard with Microsoft Defender for IoT in Defender for Endpoint](/microsoft-365/security/defender-endpoint/enable-microsoft-defender-for-iot-integration).

+Before starting this tutorial, make sure that you have the following prerequisites.

+### Azure subscription prerequisites

+- Make sure that you've added a Defender for IoT plan for Enterprise IoT networks to your Azure subscription from Microsoft Defender for Endpoint.

+For more information, see [Onboard with Microsoft Defender for IoT](/microsoft-365/security/defender-endpoint/enable-microsoft-defender-for-iot-integration).

+- Make sure that you can access the Azure portal as a **Security admin**, subscription **Contributor**, or subscription **Owner** user. For more information, see [Required permissions](getting-started.md#permissions).

+### Physical appliance or VM requirements

+You can use a physical appliance or a virtual machine as your network sensor. In either case, make sure that your machine has the following specifications:

+| Tier | Requirements |

+|--|--|

+| **Minimum** | To support up to 1 Gbps: <br><br>- 4 CPUs, each with 2.4 GHz or more<br>- 16-GB RAM of DDR4 or better<br>- 250 GB HDD |

+| **Recommended** | To support up to 15 Gbps: <br><br>- 8 CPUs, each with 2.4 GHz or more<br>- 32-GB RAM of DDR4 or better<br>- 500 GB HDD |

+Make sure that your physical appliance or VM also has:

+- [Ubuntu 18.04 Server](https://releases.ubuntu.com/18.04/) operating system. If you don't yet have Ubuntu installed, download the installation files to an external storage, such as a DVD or disk-on-key, and install it on your appliance or VM. For more information, see the Ubuntu [Image Burning Guide](https://help.ubuntu.com/community/BurningIsoHowto).

+- Network adapters, at least one for your switch monitoring (SPAN) port, and one for your management port to access the sensor's user interface

+## Prepare a physical appliance or VM

+This procedure describes how to prepare your physical appliance or VM to install the Enterprise IoT network sensor software.

+**To prepare your appliance**:

+1. Connect a network interface (NIC) from your physical appliance or VM to a switch as follows:

+ - **Physical appliance** - Connect a monitoring NIC to a SPAN port directly by a copper or fiber cable.

+ - **VM** - Connect a vNIC to a vSwitch, and configure your vSwitch security settings to accept *Promiscuous mode*. For more information, see, for example [Configure a SPAN monitoring interface for a virtual appliance](extra-deploy-enterprise-iot.md#configure-a-span-monitoring-interface-for-a-virtual-appliance).

+1. <a name="sign-in"></a>Sign in to your physical appliance or VM and run the following command to validate incoming traffic to the monitoring port:

+ ifconfig

+ The system displays a list of all monitored interfaces.

+ Identify the interfaces that you want to monitor, which are usually the interfaces with no IP address listed. Interfaces with incoming traffic will show an increasing number of RX packets.

+1. For each interface you want to monitor, run the following command to enable Promiscuous mode in the network adapter:

+ ```bash

+ ifconfig <monitoring port> up promisc

+ ```

+ Where `<monitoring port>` is an interface you want to monitor. Repeat this step for each interface you want to monitor.

+1. Ensure network connectivity by opening the following ports in your firewall:

+ | Protocol | Transport | In/Out | Port | Purpose |

+ |--|--|--|--|--|

+ | HTTPS | TCP | In/Out | 443 | Cloud connection |

+ | DNS | TCP/UDP | In/Out | 53 | Address resolution |

+1. Make sure that your physical appliance or VM can access the cloud using HTTP on port 443 to the following Microsoft domains:

+ > [!TIP]

+ > You can also download and add the [Azure public IP ranges](https://www.microsoft.com/download/details.aspx?id=56519) so your firewall will allow the Azure domains that are specified above, along with their region.

+ >

+ > The Azure public IP ranges are updated weekly. New ranges appearing in the file will not be used in Azure for at least one week. To use this option, download the new json file every week and perform the necessary changes at your site to correctly identify services running in Azure.

+## Register an Enterprise IoT sensor

+This procedure describes how to register your Enterprise IoT sensor with Defender for IoT and then install the sensor software on the physical appliance or VM that you're using as your network sensor.

+> [!NOTE]

+> This procedure describes how to install sensor software on a VM using ESXi. Enterprise IoT sensors are also supported using Hyper-V.

+>

+**Prerequisites**: Make sure that you have all [Prerequisites](#prerequisites) satisfied and have completed [Prepare a physical appliance or VM](#prepare-a-physical-appliance-or-vm).

+**To register your Enterprise IoT sensor**:

+1. In the Azure portal, go to **Defender for IoT** > **Getting started** > **Set up Enterprise IoT Security**.

+1. On the **Set up Enterprise IoT Security** page, enter the following details, and then select **Register**:

+ - In the **Sensor name** field, enter a meaningful name for your sensor.

+ - From the **Subscription** drop-down menu, select the subscription where you want to add your sensor.

+ A **Sensor registration successful** screen shows your next steps and the command you'll need to start the sensor installation.

+1. Copy the command to a safe location, where you'll be able to copy it to your physical appliance or VM in order to [install the sensor](#install-the-sensor-software).

+## Install the sensor software

+Run the command that you received and saved when you registered the Enterprise IoT sensor.

+The installation process checks to see if the required Docker version is already installed. If itΓÇÖs not, the sensor installation also installs the latest Docker version.

+<a name="install"></a>**To install the sensor**:

+1. On your physical appliance or VM, sign in to the sensor's CLI using a terminal, such as PUTTY, or MobaXterm.

+1. Run the command that you'd saved from the Azure portal. For example:

+ :::image type="content" source="media/tutorial-get-started-eiot/enter-command.png" alt-text="Screenshot of running the command to install the Enterprise IoT sensor monitoring software.":::

+ The command process checks to see if the required Docker version is already installed. If itΓÇÖs not, the sensor installation also installs the latest Docker version.

+ When the command process completes, the Ubuntu **Configure microsoft-eiot-sensor** wizard appears. In this wizard, use the up or down arrows to navigate, and the SPACE bar to select an option. Press ENTER to advance to the next screen.

+1. In the **Configure microsoft-eiot-sensor** wizard, in the **What is the name of the monitored interface?** screen, select one or more interfaces that you want to monitor with your sensor, and then select **OK**.

+ For example:

+ :::image type="content" source="media/tutorial-get-started-eiot/install-monitored-interface.png" alt-text="Screenshot of the Configuring microsoft-eiot-sensor screen.":::

+1. In the **Set up proxy server?** screen, select whether to set up a proxy server for your sensor. For example:

+ :::image type="content" source="media/tutorial-get-started-eiot/proxy.png" alt-text="Screenshot of the Set up a proxy server? screen.":::

+ If you're setting up a proxy server, select **Yes**, and then define the proxy server host, port, username, and password, selecting **Ok** after each option.

+ The installation takes a few minutes to complete.

+1. In the Azure portal, check that the **Sites and sensors** page now lists your new sensor.

+ :::image type="content" source="media/tutorial-get-started-eiot/view-sensor-listed.png" alt-text="Screenshot of your new Enterprise IoT sensor listed in the Sites and sensors page.":::

+In the **Sites and sensors** page, Enterprise IoT sensors are all automatically added to the same site, named **Enterprise network**. For more information, see [Manage sensors with Defender for IoT in the Azure portal](how-to-manage-sensors-on-the-cloud.md).

+> [!TIP]

+> If you don't see your Enterprise IoT data in Defender for IoT as expected, make sure that you're viewing the Azure portal with the correct subscriptions selected. For more information, see [Manage Azure portal settings](/azure/azure-portal/set-preferences).

+>

+> If you still don't view your data as expected, [validate your sensor setup](extra-deploy-enterprise-iot.md#validate-your-enterprise-iot-sensor-setup) from the CLI.

+View your devices and network information in the Defender for IoT **Device inventory** page on the Azure portal.

+For more information, see [Manage your IoT devices with the device inventory for organizations](how-to-manage-device-inventory-for-organizations.md).

+## Delete an Enterprise IoT network sensor (optional)

+Remove a sensor if it's no longer in use with Defender for IoT.

+1. From the **Sites and sensors** page on the Azure portal, locate your sensor in the grid.

+1. In the row for your sensor, select the **...** options menu on the right > **Delete sensor**.

+Alternately, remove your sensor manually from the CLI. For more information, see [Extra steps and samples for Enterprise IoT deployment](extra-deploy-enterprise-iot.md#remove-an-enterprise-iot-network-sensor-optional).

+> [!IMPORTANT]

+> If you want to cancel your plan for Enterprise IoT networks only, do so from [Defender for Endpoint](/microsoft-365/security/defender-endpoint/enable-microsoft-defender-for-iot-integration).

+>

+> If you want to cancel your plan for both OT and Enterprise IoT networks together, you can use the [**Pricing**](how-to-manage-subscriptions.md) page in Defender for IoT in the Azure portal.

+>

+For more information, see [Sensor management options from the Azure portal](how-to-manage-sensors-on-the-cloud.md#sensor-management-options-from-the-azure-portal).

+Continue viewing device data in both the Azure portal and Defender for Endpoint, depending on your organization's needs.

+In Defender for Endpoint, also view alerts data, recommendations and vulnerabilities related to your network traffic.

+For more information in Defender for Endpoint documentation, see:

+- [Onboard with Microsoft Defender for IoT in Defender for Endpoint](/microsoft-365/security/defender-endpoint/enable-microsoft-defender-for-iot-integration)

+- [Defender for Endpoint device inventory](/microsoft-365/security/defender-endpoint/machines-view-overview)

+- [Alerts in Defender for Endpoint](/microsoft-365/security/defender-endpoint/alerts-queue)

+- [Security recommendations in Defender for Endpoint](/microsoft-365/security/defender-vulnerability-management/tvm-security-recommendation)

+- [Defender for Endpoint: Vulnerabilities in my organization](/microsoft-365/security/defender-vulnerability-management/tvm-security-recommendation)

+> [!VIDEO https://docs.microsoft.com/Events/Build/2018/BRK3308/player]

+To view instructions for contributing to this documentation, visit the [Microsoft contributor guide](/contribute/).

+Learn how to use Azure Digital Twins Explorer's features in detail: [Use Azure Digital Twins Explorer](how-to-use-azure-digital-twins-explorer.md).

+You may optionally decide to use the `sourceTime` field on twin properties to record timestamps for when property updates are observed in the real world. Azure Digital Twins natively supports `sourceTime` in the metadata for each twin property. The `sourceTime` value must comply to ISO 8601 date and time format. For more information about this field and other fields on digital twins, see [Digital twin JSON format](concepts-twins-graph.md#digital-twin-json-format).

+To update the `sourceTime` field on a property that's part of a component, include the component at the start of the path. In the example above, this would mean changing the path value from `/$metadata/Temperature/sourceTime` to `myComponent/$metadata/Temperature/sourceTime`.

+>[!NOTE]

+> If you update both the `sourceTime` and value on a property, and then later update only the property's value, the `sourceTime` timestamp from the first update will remain.

+To enroll in these previews, send an email to exrpm@microsoft.com and include the following information:

+* Subscription ID

+* Service key of the target ExpressRoute circuit

+* Name and Resource Group/ARM resource ID of the target virtual network(s)

+Other non-Microsoft resources might help you understand and work with your Microsoft Azure FXT Edge Filer hybrid cache.

+* [FXT Cluster Creation Guide](https://azure.github.io/Avere/legacy/create_cluster/4_8/html/create_https://docsupdatetracker.net/index.html) - Cluster creation guide from previous products

+## edgeorderresources

+- microsoft.edgeorder/orders

+## networkresources

+- microsoft.network/networkgroupmemberships

+- microsoft.network/networkmanagerconnections

+- microsoft.network/networkmanagers/connectivityconfigurations

+- microsoft.network/networkmanagers/networkgroups

+- microsoft.network/networkmanagers/networkgroups/staticmembers

+- microsoft.network/securityadminconfigurations

+- microsoft.network/securityadminconfigurations/rulecollections

+- microsoft.network/securityadminconfigurations/rulecollections/rules

+- microsoft.recoveryservices/vaults/backupFabrics/protectionContainers/protectedItems (Backup Items)

+## resourcecontainerchanges

+- microsoft.resources/changes

+- microsoft.resources/subscriptions/resourceGroups (Resource groups)

+- microsoft.AAD/domainServices (Azure AD Domain Services)

+- microsoft.AgFoodPlatform/farmBeats (Azure FarmBeats)

+- microsoft.AnalysisServices/servers (Analysis Services)

+- microsoft.AnyBuild/clusters (AnyBuild clusters)

+- microsoft.ApiManagement/service (API Management services)

+- microsoft.AppConfiguration/configurationStores (App Configuration)

+- microsoft.AppPlatform/Spring (Azure Spring Cloud)

+- microsoft.Attestation/attestationProviders (Attestation providers)

+- microsoft.Authorization/resourceManagementPrivateLinks (Resource management private links)

+- microsoft.Automation/AutomationAccounts (Automation Accounts)

+- microsoft.Automation/automationAccounts/runbooks (Runbook)

+- microsoft.AutonomousSystems/workspaces (Bonsai)

+- microsoft.AVS/privateClouds (AVS Private clouds)

+- microsoft.AzureActiveDirectory/b2cDirectories (B2C Tenants)

+- microsoft.AzureActiveDirectory/guestUsages (Guest Usages)

+- microsoft.AzureArcData/dataControllers (Azure Arc data controllers)

+- microsoft.AzureArcData/postgresInstances (Azure Arc-enabled PostgreSQL Hyperscale server groups)

+- microsoft.AzureArcData/sqlManagedInstances (SQL managed instances - Azure Arc)

+- microsoft.AzureArcData/sqlServerInstances (SQL Server - Azure Arc)

+- microsoft.AzureData/sqlServerRegistrations (SQL Server registries)

+- microsoft.AzurePercept/accounts (Azure Percept accounts)

+- microsoft.AzureStackHCI/clusters (Azure Stack HCI)

+- microsoft.AzureStackHci/virtualMachines (Azure Stack HCI virtual machine - Azure Arc)

+- microsoft.BareMetal/crayServers (Cray Servers)

+- microsoft.BareMetal/monitoringServers (Monitoring Servers)

+- microsoft.BareMetalInfrastructure/bareMetalInstances (BareMetal Instances)

+- microsoft.Batch/batchAccounts (Batch accounts)

+- microsoft.Bing/accounts (Bing Resources)

+- microsoft.BotService/botServices (Bot Services)

+- microsoft.Cache/Redis (Azure Cache for Redis)

+- microsoft.Cache/RedisEnterprise (Redis Enterprise)

+- microsoft.Cdn/CdnWebApplicationFirewallPolicies (Content Delivery Network WAF policies)

+- microsoft.Cdn/Profiles/AfdEndpoints (Endpoints)

+- microsoft.CertificateRegistration/certificateOrders (App Service Certificates)

+- microsoft.ClassicCompute/VirtualMachines (Virtual machines (classic))

+- microsoft.ClassicNetwork/networkSecurityGroups (Network security groups (classic))

+- microsoft.ClassicNetwork/reservedIps (Reserved IP addresses (classic))

+- microsoft.ClassicNetwork/virtualNetworks (Virtual networks (classic))

+- microsoft.ClassicStorage/StorageAccounts (Storage accounts (classic))

+- microsoft.CloudTest/accounts (CloudTest Accounts)

+- microsoft.CloudTest/hostedpools (1ES Hosted Pools)

+- microsoft.CloudTest/images (CloudTest Images)

+- microsoft.CloudTest/pools (CloudTest Pools)

+- microsoft.ClusterStor/nodes (ClusterStors)

+- microsoft.CognitiveServices/accounts (Cognitive Services)

+- microsoft.Compute/availabilitySets (Availability sets)

+- microsoft.Compute/capacityReservationGroups (Capacity Reservation Groups)

+- microsoft.Compute/cloudServices (Cloud services (extended support))

+- microsoft.Compute/diskAccesses (Disk Accesses)

+- microsoft.Compute/diskEncryptionSets (Disk Encryption Sets)

+- microsoft.Compute/disks (Disks)

+- microsoft.Compute/galleries (Azure compute galleries)

+- microsoft.Compute/galleries/applications (VM application definitions)

+- microsoft.Compute/galleries/applications/versions (VM application versions)

+- microsoft.Compute/galleries/images (VM image definitions)

+- microsoft.Compute/galleries/images/versions (VM image versions)

+- microsoft.Compute/hostgroups (Host groups)

+- microsoft.Compute/hostgroups/hosts (Hosts)

+- microsoft.Compute/images (Images)

+- microsoft.Compute/ProximityPlacementGroups (Proximity placement groups)

+- microsoft.Compute/restorePointCollections (Restore Point Collections)

+- microsoft.Compute/snapshots (Snapshots)

+- microsoft.Compute/sshPublicKeys (SSH keys)

+- microsoft.Compute/VirtualMachines (Virtual machines)

+- microsoft.Compute/virtualMachineScaleSets (Virtual machine scale sets)

+- microsoft.ConfidentialLedger/ledgers (Confidential Ledgers)

+- microsoft.Confluent/organizations (Confluent organizations)

+- microsoft.ConnectedCache/cacheNodes (Connected Cache Resources)

+- microsoft.ConnectedCache/enterpriseCustomers (Connected Cache Resources)

+- microsoft.ConnectedVehicle/platformAccounts (Connected Vehicle Platforms)

+- microsoft.connectedVMwareVSphere/vCenters (VMware vCenters)

+- microsoft.ConnectedVMwarevSphere/VirtualMachines (VMware + AVS virtual machines)

+- microsoft.ContainerInstance/containerGroups (Container instances)

+- microsoft.ContainerRegistry/registries (Container registries)

+- microsoft.ContainerRegistry/registries/replications (Container registry replications)

+- microsoft.ContainerRegistry/registries/webhooks (Container registry webhooks)

+- microsoft.ContainerService/managedClusters (Kubernetes services)

+- microsoft.Dashboard/grafana (Grafana Workspaces)

+- microsoft.DataBox/jobs (Azure Data Box)

+- microsoft.DataBoxEdge/dataBoxEdgeDevices (Azure Stack Edge / Data Box Gateway)

+- microsoft.Databricks/workspaces (Azure Databricks Services)

+- microsoft.DataCatalog/catalogs (Data Catalog)

+- microsoft.DataCollaboration/workspaces (Project CI)

+- microsoft.Datadog/monitors (Datadog)

+- microsoft.DataFactory/dataFactories (Data factories)

+- microsoft.DataFactory/factories (Data factories (V2))

+- microsoft.DataLakeAnalytics/accounts (Data Lake Analytics)

+- microsoft.DataLakeStore/accounts (Data Lake Storage Gen1)

+- microsoft.DataMigration/services (Azure Database Migration Services)

+- microsoft.DataMigration/services/projects (Azure Database Migration Projects)

+- microsoft.DataProtection/BackupVaults (Backup vaults)

+- microsoft.DataProtection/resourceGuards (Resource Guards (Preview))

+- microsoft.DataReplication/replicationVaults (Site Recovery Vaults)

+- microsoft.DataShare/accounts (Data Shares)

+- microsoft.DBforMariaDB/servers (Azure Database for MariaDB servers)

+- microsoft.DBforMySQL/flexibleServers (Azure Database for MySQL flexible servers)

+- microsoft.DBforMySQL/servers (Azure Database for MySQL servers)

+- microsoft.DBforPostgreSQL/flexibleServers (Azure Database for PostgreSQL flexible servers)

+- microsoft.DBforPostgreSQL/serverGroups (Azure Database for PostgreSQL server groups)

+- microsoft.DBforPostgreSQL/serverGroupsv2 (Azure Database for PostgreSQL server groups)

+- microsoft.DBforPostgreSQL/servers (Azure Database for PostgreSQL servers)

+- microsoft.DBforPostgreSQL/serversv2 (Azure Database for PostgreSQL servers v2)

+- microsoft.DeploymentManager/Rollouts (Rollouts)

+- microsoft.DesktopVirtualization/ApplicationGroups (Application groups)

+- microsoft.DesktopVirtualization/HostPools (Host pools)

+- microsoft.DesktopVirtualization/ScalingPlans (Scaling plans)

+- microsoft.DesktopVirtualization/Workspaces (Workspaces)

+- microsoft.Devices/IotHubs (IoT Hub)

+- microsoft.Devices/ProvisioningServices (Device Provisioning Services)

+- microsoft.DeviceUpdate/Accounts (Device Update for IoT Hubs)

+- microsoft.DevTestLab/labs (DevTest Labs)

+- microsoft.DevTestLab/labs/virtualMachines (Virtual machines)

+- microsoft.DigitalTwins/digitalTwinsInstances (Azure Digital Twins)

+- microsoft.DocumentDB/cassandraClusters (Azure Managed Instance for Apache Cassandra)

+- microsoft.DocumentDb/databaseAccounts (Azure Cosmos DB accounts)

+- microsoft.DomainRegistration/domains (App Service Domains)

+- microsoft.EdgeOrder/addresses (Azure Edge Hardware Center Address)

+- microsoft.EdgeOrder/orderItems (Azure Edge Hardware Center)

+- microsoft.Elastic/monitors (Elasticsearch (Elastic Cloud))

+- microsoft.EventGrid/domains (Event Grid Domains)

+- microsoft.EventGrid/partnerNamespaces (Event Grid Partner Namespaces)

+- microsoft.EventGrid/partnerRegistrations (Event Grid Partner Registrations)

+- microsoft.EventGrid/partnerTopics (Event Grid Partner Topics)

+- microsoft.EventGrid/systemTopics (Event Grid System Topics)

+- microsoft.EventGrid/topics (Event Grid Topics)

+- microsoft.EventHub/clusters (Event Hubs Clusters)

+- microsoft.EventHub/namespaces (Event Hubs Namespaces)

+- microsoft.Experimentation/experimentWorkspaces (Experiment Workspaces)

+- microsoft.ExtendedLocation/CustomLocations (Custom locations)

+- microsoft.Fidalgo/devcenters (Fidalgo DevCenters)

+- microsoft.Fidalgo/projects (Fidalgo Projects)

+- microsoft.Fidalgo/projects/environments (Fidalgo Environments)

+- microsoft.FluidRelay/fluidRelayServers (Fluid Relay)

+- microsoft.Genomics/accounts (Genomics accounts)

+- microsoft.HanaOnAzure/hanaInstances (SAP HANA on Azure)

+- microsoft.HanaOnAzure/sapMonitors (Azure Monitors for SAP Solutions)

+- microsoft.HDInsight/clusterpools (HDInsight cluster pools)

+- microsoft.HDInsight/clusterpools/clusters (HDInsight gen2 clusters)

+- microsoft.HDInsight/clusterpools/clusters/sessionclusters (HDInsight session clusters)

+- microsoft.HDInsight/clusters (HDInsight clusters)

+- microsoft.HealthBot/healthBots (Azure Health Bot)

+- microsoft.HealthcareApis/services (Azure API for FHIR)

+- microsoft.HealthcareApis/workspaces (Healthcare APIs Workspaces)

+- microsoft.HealthcareApis/workspaces/dicomservices (DICOM services)

+- microsoft.HealthcareApis/workspaces/fhirservices (FHIR services)

+- microsoft.HealthcareApis/workspaces/iotconnectors (IoT connectors)

+- microsoft.HpcWorkbench/instances (HPC Workbenches (preview))

+- microsoft.HpcWorkbench/instances/chambers (Chambers (preview))

+- microsoft.HpcWorkbench/instances/chambers/accessProfiles (Chamber Profiles (preview))

+- microsoft.HpcWorkbench/instances/chambers/workloads (Chamber VMs (preview))

+- microsoft.HpcWorkbench/instances/consortiums (Consortiums (preview))

+- microsoft.HybridCompute/machines (Servers - Azure Arc)

+- microsoft.HybridCompute/privateLinkScopes (Azure Arc Private Link Scopes)

+- microsoft.HybridData/dataManagers (StorSimple Data Managers)

+- microsoft.HybridNetwork/devices (Azure Network Function Manager ΓÇô Devices)

+- microsoft.HybridNetwork/networkFunctions (Azure Network Function Manager ΓÇô Network Functions)

+- microsoft.ImportExport/jobs (Import/export jobs)

+- microsoft.Insights/privateLinkScopes (Azure Monitor Private Link Scopes)

+- microsoft.IoTCentral/IoTApps (IoT Central Applications)

+- microsoft.KeyVault/vaults (Key vaults)

+- microsoft.Kubernetes/connectedClusters (Kubernetes - Azure Arc)

+- microsoft.Kusto/clusters (Azure Data Explorer Clusters)

+- microsoft.Kusto/clusters/databases (Azure Data Explorer Databases)

+- microsoft.LabServices/labAccounts (Lab accounts)

+- microsoft.LabServices/labPlans (Lab plans)

+- microsoft.LabServices/labs (Labs)

+- microsoft.LoadTestService/LoadTests (Azure Load Testing)

+- microsoft.Logic/integrationAccounts (Integration accounts)

+- microsoft.Logic/integrationServiceEnvironments (Integration Service Environments)

+- microsoft.Logic/integrationServiceEnvironments/managedApis (Managed Connector)

+- microsoft.Logic/workflows (Logic apps)

+- microsoft.Logz/monitors (Logz main account)

+- microsoft.Logz/monitors/accounts (Logz sub account)

+- microsoft.Logz/monitors/metricsSource (Logz metrics data source)

+- microsoft.MachineLearning/commitmentPlans (Machine Learning Studio (classic) web service plans)

+- microsoft.MachineLearning/webServices (Machine Learning Studio (classic) web services)

+- microsoft.MachineLearning/workspaces (Machine Learning Studio (classic) workspaces)

+- microsoft.MachineLearningServices/workspaces (Machine learning)

+- microsoft.MachineLearningServices/workspaces/onlineEndpoints (Machine learning online endpoints)

+- microsoft.MachineLearningServices/workspaces/onlineEndpoints/deployments (Machine learning online deployments)

+- microsoft.Maintenance/maintenanceConfigurations (Maintenance Configurations)

+- microsoft.ManagedIdentity/userAssignedIdentities (Managed Identities)

+- microsoft.Maps/accounts (Azure Maps Accounts)

+- microsoft.Maps/accounts/creators (Azure Maps Creator Resources)

+- microsoft.Migrate/projects (Migration projects)

+- microsoft.MixedReality/objectAnchorsAccounts (Object Anchors Accounts)

+- microsoft.MixedReality/objectUnderstandingAccounts (Object Understanding Accounts)

+- microsoft.MixedReality/remoteRenderingAccounts (Remote Rendering Accounts)

+- microsoft.MixedReality/spatialAnchorsAccounts (Spatial Anchors Accounts)

+- microsoft.MobileNetwork/mobileNetworks (Mobile Networks)

+- microsoft.MobileNetwork/mobileNetworks/dataNetworks (Data Networks)

+- microsoft.MobileNetwork/mobileNetworks/services (Services)

+- microsoft.MobileNetwork/mobileNetworks/simPolicies (Sim Policies)

+- microsoft.MobileNetwork/mobileNetworks/sites (Mobile Network Sites)

+- microsoft.MobileNetwork/mobileNetworks/slices (Slices)

+- microsoft.MobileNetwork/packetCoreControlPlanes (Packet Core Control Planes)

+- microsoft.MobileNetwork/packetCoreControlPlanes/packetCoreDataPlanes (Packet Core Data Planes)

+- microsoft.MobileNetwork/packetCoreControlPlanes/packetCoreDataPlanes/attachedDataNetworks (Attached Data Networks)

+- microsoft.MobileNetwork/sims (Sims)

+- microsoft.NetApp/netAppAccounts (NetApp accounts)

+- microsoft.NetApp/netAppAccounts/capacityPools (Capacity pools)

+- microsoft.NetApp/netAppAccounts/capacityPools/Volumes (Volumes)

+- microsoft.NetApp/netAppAccounts/capacityPools/volumes/snapshots (Snapshots)

+- microsoft.NetApp/netAppAccounts/snapshotPolicies (Snapshot policies)

+- microsoft.Network/applicationGateways (Application gateways)

+- microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies (Application Gateway WAF policies)

+- microsoft.Network/applicationSecurityGroups (Application security groups)

+- microsoft.Network/azureFirewalls (Firewalls)

+- microsoft.Network/bastionHosts (Bastions)

+- microsoft.Network/connections (Connections)

+- microsoft.Network/customIpPrefixes (Custom IP Prefixes)

+- microsoft.Network/ddosProtectionPlans (DDoS protection plans)

+- microsoft.Network/dnsForwardingRulesets (Dns Forwarding Rulesets)

+- microsoft.Network/dnsResolvers (DNS Private Resolvers)

+- microsoft.Network/dnsZones (DNS zones)

+- microsoft.Network/expressRouteCircuits (ExpressRoute circuits)

+- microsoft.Network/expressRoutePorts (ExpressRoute Direct)

+- microsoft.Network/firewallPolicies (Firewall Policies)

+- microsoft.Network/frontdoors (Front Doors)

+- microsoft.Network/FrontDoorWebApplicationFirewallPolicies (Web Application Firewall policies (WAF))

+- microsoft.Network/ipGroups (IP Groups)

+- microsoft.Network/LoadBalancers (Load balancers)

+- microsoft.Network/localnetworkgateways (Local network gateways)

+- microsoft.Network/natGateways (NAT gateways)

+- microsoft.Network/NetworkExperimentProfiles (Internet Analyzer profiles)

+- microsoft.Network/networkinterfaces (Network interfaces)

+- microsoft.Network/NetworkSecurityGroups (Network security groups)

+- microsoft.Network/privateDnsZones (Private DNS zones)

+- microsoft.Network/privateEndpoints (Private endpoints)

+- microsoft.Network/privateLinkServices (Private link services)

+- microsoft.Network/PublicIpAddresses (Public IP addresses)

+- microsoft.Network/publicIpPrefixes (Public IP Prefixes)

+- microsoft.Network/routeFilters (Route filters)

+- microsoft.Network/routeTables (Route tables)

+- microsoft.Network/serviceEndpointPolicies (Service endpoint policies)

+- microsoft.Network/trafficmanagerprofiles (Traffic Manager profiles)

+- microsoft.Network/virtualNetworkGateways (Virtual network gateways)

+- microsoft.Network/virtualNetworks (Virtual networks)

+- microsoft.Network/virtualWans (Virtual WANs)

+- microsoft.NotificationHubs/namespaces (Notification Hub Namespaces)

+- microsoft.NotificationHubs/namespaces/notificationHubs (Notification Hubs)

+- microsoft.OpenEnergyPlatform/energyServices (Project Oak Forest)

+- microsoft.OpenLogisticsPlatform/workspaces (Open Supply Chain Platform)

+- microsoft.OperationalInsights/querypacks (Log Analytics query packs)

+- microsoft.OperationalInsights/workspaces (Log Analytics workspaces)

+- microsoft.OperationsManagement/solutions (Solutions)

+- microsoft.Orbital/contactProfiles (Contact Profiles)

+- microsoft.Orbital/EdgeSites (Edge Sites)

+- microsoft.Orbital/GroundStations (Ground Stations)

+- microsoft.Orbital/l2Connections (L2 Connections)

+- microsoft.Orbital/spacecrafts (Spacecrafts)

+- microsoft.Peering/peerings (Peerings)

+- microsoft.Peering/peeringServices (Peering Services)

+- microsoft.PlayFab/playerAccountPools (PlayFab player account pools)

+- microsoft.PlayFab/titles (PlayFab titles)

+- microsoft.Portal/dashboards (Shared dashboards)

+- microsoft.PowerBIDedicated/capacities (Power BI Embedded)

+- microsoft.Purview/Accounts (microsoft Purview accounts)

+- microsoft.Quantum/Workspaces (Quantum Workspaces)

+- microsoft.RecommendationsService/accounts (Intelligent Recommendations Accounts)

+- microsoft.RecommendationsService/accounts/modeling (Modeling)

+- microsoft.RecommendationsService/accounts/serviceEndpoints (Service Endpoints)

+- microsoft.RecoveryServices/vaults (Recovery Services vaults)

+- microsoft.RedHatOpenShift/OpenShiftClusters (Azure Red Hat OpenShift)

+- microsoft.Relay/namespaces (Relays)

+- microsoft.ResourceConnector/Appliances (Resource bridges)

+- microsoft.resourcegraph/queries (Resource Graph queries)

+- microsoft.Resources/deploymentScripts (Deployment Scripts)

+- microsoft.Resources/templateSpecs (Template specs)

+- microsoft.SaaS/applications (Software as a Service (classic))

+- microsoft.SaaS/resources (SaaS)

+- microsoft.Scom/managedInstances (Aquila Instances)

+- microsoft.scvmm/virtualMachines (SCVMM virtual machine - Azure Arc)

+- microsoft.ScVmm/vmmServers (SCVMM management servers)

+- microsoft.Search/searchServices (Search services)

+- microsoft.SecurityDetonation/chambers (Security Detonation Chambers)

+- microsoft.ServiceBus/namespaces (Service Bus Namespaces)

+- microsoft.ServiceFabric/clusters (Service Fabric clusters)

+- microsoft.ServiceFabric/managedclusters (Service Fabric managed clusters)

+- microsoft.ServicesHub/connectors (Services Hub Connectors)

+- microsoft.SignalRService/SignalR (SignalR)

+- microsoft.SignalRService/WebPubSub (Web PubSub Service)

+- microsoft.Solutions/applicationDefinitions (Service catalog managed application definitions)

+- microsoft.Solutions/applications (Managed applications)

+- microsoft.Sql/instancePools (Instance pools)

+- microsoft.Sql/managedInstances (SQL managed instances)

+- microsoft.Sql/managedInstances/databases (Managed databases)

+- microsoft.Sql/servers (SQL servers)

+- microsoft.Sql/servers/databases (SQL databases)

+- microsoft.Sql/servers/elasticpools (SQL elastic pools)

+- microsoft.Sql/servers/jobAgents (Elastic Job agents)

+- microsoft.Sql/virtualClusters (Virtual clusters)

+- microsoft.SqlVirtualMachine/SqlVirtualMachines (SQL virtual machines)

+- microsoft.Storage/StorageAccounts (Storage accounts)

+- microsoft.StorageCache/amlFilesystems (Lustre File Systems)

+- microsoft.StorageCache/caches (HPC caches)

+- microsoft.StoragePool/diskPools (Disk Pools)

+- microsoft.StorageSync/storageSyncServices (Storage Sync Services)

+- microsoft.StorageSyncDev/storageSyncServices (Storage Sync Services)

+- microsoft.StorageSyncInt/storageSyncServices (Storage Sync Services)

+- microsoft.StorSimple/Managers (StorSimple Device Managers)

+- microsoft.StreamAnalytics/clusters (Stream Analytics clusters)

+- microsoft.StreamAnalytics/StreamingJobs (Stream Analytics jobs)

+- microsoft.Synapse/privateLinkHubs (Azure Synapse Analytics (private link hubs))

+- microsoft.Synapse/workspaces (Azure Synapse Analytics)

+- microsoft.Synapse/workspaces/bigDataPools (Apache Spark pools)

+- microsoft.Synapse/workspaces/kustopools (Data Explorer pools (preview))

+- microsoft.Synapse/workspaces/sqlPools (Dedicated SQL pools)

+- microsoft.TestBase/testbaseAccounts (Test Base Accounts)

+- microsoft.TestBase/testBaseAccounts/packages (Test Base Packages)

+- microsoft.TimeSeriesInsights/environments (Time Series Insights environments)

+- microsoft.TimeSeriesInsights/environments/eventsources (Time Series Insights event sources)

+- microsoft.TimeSeriesInsights/environments/referenceDataSets (Time Series Insights reference data sets)

+- microsoft.VideoIndexer/accounts (Video Analyzer for Media)

+- microsoft.VirtualMachineImages/imageTemplates (Image Templates)

+- microsoft.VMwareCloudSimple/dedicatedCloudNodes (CloudSimple Nodes)

+- microsoft.VMwareCloudSimple/dedicatedCloudServices (CloudSimple Services)

+- microsoft.VMwareCloudSimple/virtualMachines (CloudSimple Virtual Machines)

+- microsoft.VSOnline/Plans (Visual Studio Online Plans)

+- microsoft.Web/connectionGateways (On-premises data gateways)

+- microsoft.Web/connections (API Connections)

+- microsoft.Web/containerApps (Container Apps)

+- microsoft.Web/customApis (Logic Apps Custom Connector)

+- microsoft.Web/HostingEnvironments (App Service Environments)

+- microsoft.Web/KubeEnvironments (App Service Kubernetes Environments)

+- microsoft.Web/serverFarms (App Service plans)

+- microsoft.Web/sites (App Services)

+- microsoft.Web/sites/slots (App Service (Slots))

+- microsoft.Web/StaticSites (Static Web Apps)

+- microsoft.WindowsESU/multipleActivationKeys (Windows Multiple Activation Keys)

+- microsoft.WindowsIoT/DeviceServices (Windows 10 IoT Core Services)

+- microsoft.Workloads/monitors (Azure Monitors for SAP Solutions (v2))

+- microsoft.Workloads/phpworkloads (Scalable WordPress on Linux)

+- microsoft.Workloads/sapVirtualInstances (SAP Virtual Instances)

+- microsoft.Workloads/sapVirtualInstances/applicationInstances (SAP app server instances)

+- microsoft.Workloads/sapVirtualInstances/centralInstances (SAP central server instances)

+- microsoft.Workloads/sapVirtualInstances/databaseInstances (SAP database server instances)

+ - Sample query: [List microsoft Defender recommendations](../samples/samples-by-category.md)

+ from pyspark.sql import SparkSession

+ spark = SparkSession.builder \

+ .appName('hdisample') \

+ .getOrCreate()

+* [Oracle Java Development kit](https://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html). This tutorial uses Java version 8.0.202.

+ [](media/fhir-resource-manager-template/deploy-azure-api-fhir.png#lightbox)

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+ Title: Display the MedTech service metrics - Azure Health Data Services

+# How to display and configure the MedTech service metrics

+In this article, you'll learn how to display and configure the [MedTech service](iot-connector-overview.md) metrics in the Azure portal. You'll also learn how to pin the MedTech service metrics tile to an Azure portal dashboard for later viewing.

+The MedTech service metrics can be used to help determine the health and performance of your MedTech service and can be useful with troubleshooting and seeing patterns and/or trends with your MedTech service.

+This table shows the available MedTech service metrics and the information that the metrics are capturing and displaying within the Azure portal:

+Metric category|Metric name|Metric description|

+|--|--|--|

+|Availability|IotConnector Health Status|The overall health of the MedTech service.|

+|Errors|Total Error Count|The total number of errors.|

+|Latency|Average Group Stage Latency|The average latency of the group stage. The [group stage](iot-data-flow.md#group) performs buffering, aggregating, and grouping on normalized messages.|

+|Latency|Average Normalize Stage Latency|The average latency of the normalized stage. The [normalized stage](iot-data-flow.md#normalize) performs normalization on raw incoming messages.|

+|Traffic|Number of Fhir resources saved|The total number of Fast Healthcare Interoperability Resources (FHIR&#174;) resources [updated or persisted](iot-data-flow.md#persist) by the MedTech service.|

+|Traffic|Number of Incoming Messages|The number of received raw [incoming messages](iot-data-flow.md#ingest) (for example, the device events) from the configured source event hub.|

+|Traffic|Number of Measurements|The number of normalized value readings received by the FHIR [transformation stage](iot-data-flow.md#transform) of the MedTech service.|

+|Traffic|Number of Message Groups|The number of groups that have messages aggregated in the designated time window.|

+|Traffic|Number of Normalized Messages|The number of normalized messages.|

+## Display and configure the MedTech service metrics

+1. Within your Azure Health Data Services workspace, select **MedTech service** under **Services**.

+ :::image type="content" source="media\iot-metrics-display\iot-workspace-displayed-with-connectors-button.png" alt-text="Screenshot of select the MedTech service within the workspace." lightbox="media\iot-metrics-display\iot-workspace-displayed-with-connectors-button.png":::

+2. Select the MedTech service that you would like to display metrics for. For this example, we'll select a MedTech service named **mt-azuredocsdemo**. You'll select your own MedTech service.

+3. Select **Metrics** within the MedTech service page.

+ :::image type="content" source="media\iot-metrics-display\iot-select-metrics.png" alt-text="Screenshot of select the Metrics option within your MedTech service." lightbox="media\iot-metrics-display\iot-select-metrics.png":::

+4. The MedTech service metrics page will open allowing you to use the drop-down menus to view and select the metrics that are available for the MedTech service.

+ :::image type="content" source="media\iot-metrics-display\iot-metrics-opening-page.png" alt-text="Screenshot the MedTech service metrics page with drop-down menus." lightbox="media\iot-metrics-display\iot-metrics-opening-page.png":::

+5. Select the metrics combinations that you want to display for your MedTech service. For this example, we'll be choosing the following selections:

+ * **Metric Namespace** = Standard metrics (**Default**)

+ * **Aggregation** = How you would like to display the metrics. For this example, we'll choose **Count**.

+6. You can now see your MedTech service metrics for **Number of Incoming Messages** displayed on the MedTech service metrics page.

+ :::image type="content" source="media\iot-metrics-display\iot-metrics-select-options.png" alt-text="Screenshot of select metrics to display." lightbox="media\iot-metrics-display\iot-metrics-select-options.png":::

+7. You can add more metrics by selecting **Add metric**.

+ :::image type="content" source="media\iot-metrics-display\iot-select-add-metric.png" alt-text="Screenshot of select Add metric to add more MedTech service metrics." lightbox="media\iot-metrics-display\iot-select-add-metric.png":::

+8. Then select the metrics that you would like to add to your MedTech service.

+ :::image type="content" source="media\iot-metrics-display\iot-metrics-select-more-metrics.png" alt-text="Screenshot of select more metrics to add to your MedTech service." lightbox="media\iot-metrics-display\iot-metrics-select-more-metrics.png":::

+ > [!TIP]

+ >

+ > To learn more about advanced metrics display and sharing options, see [Getting started with Azure Metrics Explorer](/azure-monitor/essentials/metrics-getting-started)

+ >

+ > If you leave the MedTech service metrics page, the metrics settings for your MedTech service are lost and will have to be recreated. If you would like to save your MedTech service metrics for future viewing, you can pin them to an Azure dashboard as a tile.

+1. To pin the MedTech service metrics tile to an Azure portal dashboard, select the **Pin to dashboard** option.

+ :::image type="content" source="media\iot-metrics-display\iot-metrics-select-add-pin-to-dashboard.png" alt-text="Screenshot of select the Pin to dashboard option." lightbox="media\iot-metrics-display\iot-metrics-select-add-pin-to-dashboard.png":::

+2. Select the dashboard you would like to display your MedTech service metrics to by using the drop-down menu. For this example, we'll use a private dashboard named **Azuredocsdemo_Dashboard**. Select **Pin** to add your MedTech service metrics tile to the dashboard.

+ :::image type="content" source="media\iot-metrics-display\iot-select-pin-to-dashboard.png" alt-text="Screenshot of select dashboard and Pin options to complete the dashboard pinning process." lightbox="media\iot-metrics-display\iot-select-pin-to-dashboard.png":::

+4. Once you've received a successful confirmation, select the **Dashboard** option.

+ :::image type="content" source="media\iot-metrics-display\iot-select-dashboard-with-metrics-tile.png" alt-text="Screenshot of select the Dashboard option." lightbox="media\iot-metrics-display\iot-select-dashboard-with-metrics-tile.png":::

+5. Use the drop-down menu to select the dashboard that you pinned your MedTech service metrics tile. For this example, the dashboard is named **Azuredocsdemo_Dashboard**.

+ :::image type="content" source="media\iot-metrics-display\iot-select-dashboard-with-metrics-pin.png" alt-text="Screenshot of selecting dashboard with pinned MedTech service metrics tile." lightbox="media\iot-metrics-display\iot-select-dashboard-with-metrics-pin.png":::

+6. The dashboard will display the MedTech service metrics tile that you created in the previous steps.

+ :::image type="content" source="media\iot-metrics-display\iot-metrics-display-dashboard-with-metrics-pin.png" alt-text="Screenshot of dashboard with pinned MedTech service metrics tile." lightbox="media\iot-metrics-display\iot-metrics-display-dashboard-with-metrics-pin.png":::

+To learn how to configure the diagnostic settings and export the MedTech service metrics to another location (for example: an Azure storage account), see

+> [!div class="nextstepaction"]

+> [How to configure diagnostic settings for exporting the MedTech service metrics](iot-metrics-diagnostics-export.md)

+To learn about the MedTech service frequently asked questions (FAQs), see

+> [!div class="nextstepaction"]

+> [Frequently asked questions about the MedTech service](iot-connector-faqs.md)

+## July 2022

+### FHIR service

+#### **Bug fixes**

+|Bug fixes |Related information |

+| :-- | : |

+| (Open Source) History bundles were sorted with the oldest version first. | We've recently identified an issue with the sorting order of history bundles on FHIR® server. History bundles were sorted with the oldest version first. Per [FHIR specification](https://hl7.org/fhir/http.html#history), the sorting of versions defaults to the oldest version last. This bug fix, addresses FHIR server behavior for sorting history bundle.<br /><br />We understand if you would like to keep the sorting per existing behavior (oldest version first). To support existing behavior, we recommend you append `_sort=_lastUpdated` to the HTTP `GET` command utilized for retrieving history. <br /><br />For example: `<Server URL>/_history?_sort=_lastUpdated` <br /><br />For more information, see [#2689](https://github.com/microsoft/fhir-server/pull/2689).

+#### **Known issues**

+| Known Issue | Description |

+| : | :- |

+| Using [token type fields](https://www.hl7.org/fhir/search.html#token) of more than 128 characters in length can result in undesired behavior on `create`, `search`, `update`, and `delete` operations. | Currently, no workaround available. |

+| Queries not providing consistent result count after appended with `_sort` operator. For more information, see [#2680](https://github.com/microsoft/fhir-server/pull/2680). | Currently, no workaround available.|

+For more information about the currently known issues with the FHIR service, see [Known issues: FHIR service](known-issues.md).

+### MedTech service

+#### **Improvements**

+|Azure Health Data Services |Related information |

+| :-- | : |

+|Improvements to documentations for Events and MedTech and availability zones. |Tested and enhanced usability and functionality. Added new documents to enable customers to better take advantage of the new improvements. See [Consume Events with Logic Apps](./../healthcare-apis/events/events-deploy-portal.md) and [Deploy Events Using the Azure portal](./../healthcare-apis/events/events-deploy-portal.md). |

+|One touch launch Azure MedTech deploy. |[Deploy the MedTech Service in the Azure portal](./../healthcare-apis/iot/deploy-iot-connector-in-azure.md)|

+### DICOM service

+#### **Features**

+|Enhancements | Related information |

+| : | :- |

+|DICOM Service availability expands to new regions. | The DICOM Service is now available in the following [regions](https://azure.microsoft.com/global-infrastructure/services/): Southeast Asia, Central India, Korea Central, and Switzerland North. |

+|Fast retrieval of individual DICOM frames | For DICOM images containing multiple frames, performance improvements have been made to enable fast retrieval of individual frames (60 KB frames as fast as 60 MS). These improved performance characteristics enable workflows such as [viewing digital pathology images](https://microsofthealth.visualstudio.com/DefaultCollection/Health/_git/marketing-azure-docs?version=GBmain&path=%2Fimaging%2Fdigital-pathology%2FDigital%20Pathology%20using%20Azure%20DICOM%20service.md&_a=preview), which require rapid retrieval of individual frames. |

+|Queries not providing consistent result count after appended with the `_sort operator. |Fixes the issue with the help of distinct operator to resolve inconsistency and record duplication in response. For more information, see [#2680](https://github.com/microsoft/fhir-server/pull/2680). |

+|Added handling for SqlTruncate errors |Added a check for SqlTruncate exceptions and tests. In particular, exceptions and tests will catch SqlTruncate exceptions for Decimal type based on the specified precision and scale. For more information, see [#2553](https://github.com/microsoft/fhir-server/pull/2553). |

+|API version is now required as part of the URI |All REST API requests to the DICOM service must now include the API version in the URI. For more information, see [API versioning for DICOM service](./../healthcare-apis/dicom/api-versioning-dicom-service.md). |

+|Events |The Events feature within Health Data Services is now generally available (GA). The Events feature allows customers to receive notifications and triggers when FHIR observations are created, updated, or deleted. For more information, see [Events message structure](./../healthcare-apis/events/events-message-structure.md) and [What are events?](./../healthcare-apis/events/events-overview.md). |

+|Customers can define their own query tags using the Extended Query Tags feature |With Extended Query Tags feature, customers now efficiently query non-DICOM metadata for capabilities like multi-tenancy and cohorts. It's available for all customers in Azure Health Data Services. |

+|Deploy and configure Azure Health Data Services using scripts |We've started the process of providing PowerShell, CLI scripts, and ARM templates to configure app registration and role assignments. Scripts for deploying Azure Health Data Services will be available after GA. |

+|Added Publisher to `CapabilityStatement.name` |You can now find the publisher in the capability statement at `CapabilityStatement.name`. [#2319](https://github.com/microsoft/fhir-server/pull/2319) |

+|Log `FhirOperation` linked to anonymous calls to Request metrics |We weren't logging operations that didnΓÇÖt require authentication. We extended the ability to get `FhirOperation` type in `RequestMetrics` for anonymous calls. [#2295](https://github.com/microsoft/fhir-server/pull/2295) |

+|FHIR service autoscale |The [FHIR service autoscale](./fhir/fhir-service-autoscale.md) is designed to provide optimized service scalability automatically to meet customer demands when they perform data transactions in consistent or various workloads at any time. It's available in all [regions](https://azure.microsoft.com/global-infrastructure/services/) where the FHIR service is supported. |

+|Resolved 500 error when the date was passed with a time zone. |This fix addresses a 500 error when a date with a time zone was passed into a datetime field [#2270](https://github.com/microsoft/fhir-server/pull/2270). |

+|Resolved issue when posting a bundle with incorrect Media Type returned a 500 error. |Previously when posting a search with a key that contains certain characters, a 500 error is returned. This fixes issue [#2264](https://github.com/microsoft/fhir-server/pull/2264) and addresses [#2148](https://github.com/microsoft/fhir-server/issues/2148). |

+|Content-Type header now includes transfer-syntax. |This enhancement enables the user to know which transfer syntax is used in case multiple accept headers are being supplied. |

+|Test Data Generator tool |We've updated Azure Health Data Services GitHub samples repo to include a [Test Data Generator tool](https://github.com/microsoft/healthcare-apis-samples/blob/main/docs/HowToRunPerformanceTest.md) using Synthea data. This tool is an improvement to the open source [public test projects](https://github.com/ShadowPic/PublicTestProjects), based on Apache JMeter that can be deployed to Azure AKS for performance tests. |

+|Regions | South Brazil and Central Canada. For more information about Azure regions and availability zones, see [Azure services that support availability zones](https://azure.microsoft.com/global-infrastructure/services/). |

+| Running a reindex job | [Re-index improvements](./././fhir/how-to-run-a-reindex.md)|

+| MedTech service normalized improvements with calculations to support and enhance health data standardization. | See [Use Device mappings](./../healthcare-apis/iot/how-to-use-device-mappings.md) and [Calculated Functions](./../healthcare-apis/iot/how-to-use-calculated-functions-mappings.md) |

+In this article, you learned about the features and enhancements made to Azure Health Data Services. For more information about the known issues with Azure Health Data Services, see

+| **Support** | Need to support and document your solution | Access to Microsoft support (GitHub, Microsoft Q&A, Microsoft technical documentation, Customer Support teams) |

+For full documentation of Device Provisioning Service APIs, see [Azure IoT Hub Device Provisioning Service REST API](/rest/api/iot-dps).

+Azure IoT Hub [customer data request features](../iot-hub/iot-hub-customer-data-requests.md).

+> In the [update manifest](/azure/iot-hub-device-update/update-manifest), each step should have different ΓÇ£installedCriteriaΓÇ¥ string if that string is being used to determine whether the step should be performed or not.

+> IsInstalled validation logic for each step: The Device Update agentΓÇÖs [step handler](https://github.com/Azure/iot-hub-device-update/blob/main/src/content_handlers/steps_handler/README.md) checks to see if particular update is already installed i.e., checks for IsInstalled() resulted in a result code ΓÇ£900ΓÇ¥ which means ΓÇÿtrueΓÇÖ. If an update is already installed, to avoid re-installing an update that is already on the device, the DU agent will skip future steps because we use it to determine whether to perform the step or not.

+> Reporting an update result: The result of a step handler execution must be written to ADUC_Result struct in a desired result file as specified in --result-file option [learn more](https://github.com/Azure/iot-hub-device-update/blob/main/src/content_handlers/steps_handler/README.md#steps-content-handler). Then based on results of the execution, for success return 0, for any fatal errors return -1 or 0xFF.

+This article demonstrates how to [file upload capabilities of IoT Hub](iot-hub-devguide-file-upload.md) upload a file to [Azure blob storage](../storage/index.yml), using an Azure IoT .NET device and service SDKs.

+These files are typically batch processed in the cloud, using tools such as [Azure Data Factory](../data-factory/introduction.md) or the [Hadoop](../hdinsight/index.yml) stack. When you need to upload files from a device, you can still use the security and reliability of IoT Hub. This article shows you how.

+At the end of this article, you run two .NET console apps:

+> IoT Hub supports many device platforms and languages (including C, Java, Python, and JavaScript) through Azure IoT device SDKs. Refer to the [Azure IoT Developer Center](https://azure.microsoft.com/develop/iot) to learn how to connect your device to Azure IoT Hub.

+ Download the .NET Core SDK for multiple platforms from [.NET](https://dotnet.microsoft.com/download).

+ Verify the current version of the .NET Core SDK on your development machine using the following command:

+* Download the Azure IoT C# samples from [Download sample](https://github.com/Azure-Samples/azure-iot-samples-csharp/archive/main.zip) and extract the ZIP archive.

+* Port 8883 should be open in your firewall. The sample in this article uses MQTT protocol, which communicates over port 8883. This port may be blocked in some corporate and educational network environments. For more information and ways to work around this issue, see [Connecting to IoT Hub (MQTT)](iot-hub-mqtt-support.md#connecting-to-iot-hub).

+In this article, you use a sample from the Azure IoT C# samples repository you downloaded earlier as the device app. You can open the files below using Visual Studio, Visual Studio Code, or a text editor of your choice.

+The sample is located at **azure-iot-samples-csharp/iot-hub/Samples/device/FileUploadSample** in the folder where you extracted the Azure IoT C# samples.

+A job wraps one of these actions and tracks the execution against a set of devices that is defined by a device twin query. For example, a back-end app can use a job to invoke a direct method on 10,000 devices that reboots the devices. You specify the set of devices with a device twin query and schedule the job to run at a future time. The job tracks progress as each of the devices receives and executes the reboot direct method.

+* Device twin and properties: [Get started with device twins](iot-hub-csharp-csharp-twin-getstarted.md) and [Understand and use device twins in IoT Hub](iot-hub-devguide-device-twins.md)

+This article shows you how to create two .NET (C#) console apps:

+* A device app, **SimulateDeviceMethods**, that implements a direct method called **LockDoor**, which can be called by the back-end app.

+* A back-end app, **ScheduleJob**, that creates two jobs. One job calls the **lockDoor** direct method and another job sends desired property updates to multiple devices.

+> [!NOTE]

+> See [Azure IoT SDKs](iot-hub-devguide-sdks.md) for more information about the SDK tools available to build both device and back-end apps.

+> To keep things simple, this article does not implement a retry policies. In production code, you should implement retry policies (such as connection retry), as suggested in [Transient fault handling](/azure/architecture/best-practices/transient-faults).

+In this article, you scheduled jobs to run a direct method and update the device twin's properties.

+To continue exploring IoT Hub and device management patterns, update an image in [Device Update for Azure IoT Hub tutorial using the Raspberry Pi 3 B+ Reference Image](../iot-hub-device-update/device-update-raspberry-pi.md).

+This article demonstrates how to [file upload capabilities of IoT Hub](iot-hub-devguide-file-upload.md) upload a file to [Azure blob storage](../storage/index.yml), using Java.

+These files are typically batch processed in the cloud, using tools such as [Azure Data Factory](../data-factory/introduction.md) or the [Hadoop](../hdinsight/index.yml) stack. When you need to upload files from a device, you can still use the security and reliability of IoT Hub. This article shows you how. View two samples from [azure-iot-sdk-java

+](https://github.com/Azure/azure-iot-sdk-java/tree/main/device/iot-device-samples/file-upload-sample/src/main/java/samples/com/microsoft/azure/sdk/iot) in GitHub.

+> IoT Hub supports many device platforms and languages (including C, .NET, and JavaScript) through Azure IoT device SDKs. Refer to the [Azure IoT Developer Center](https://azure.microsoft.com/develop/iot) to learn how to connect your device to Azure IoT Hub.

+* Port 8883 should be open in your firewall. The device sample in this article uses MQTT protocol, which communicates over port 8883. This port may be blocked in some corporate and educational network environments. For more information and ways to work around this issue, see [Connecting to IoT Hub (MQTT)](iot-hub-mqtt-support.md#connecting-to-iot-hub).

+In this article, you learned how to use the file upload feature of IoT Hub to simplify file uploads from devices. You can continue to explore this feature with the following articles:

+A job wraps one of these actions and tracks the execution against a set of devices. A device twin query defines the set of devices the job executes against. For example, a back-end app can use a job to invoke a direct method on 10,000 devices that reboots the devices. You specify the set of devices with a device twin query and schedule the job to run at a future time. The job tracks progress as each of the devices receives and executes the reboot direct method.

+* Device twin and properties: [Get started with device twins](iot-hub-java-java-twin-getstarted.md) and [Understand and use device twins in IoT Hub](iot-hub-devguide-device-twins.md)

+This article shows you how to create two Java apps:

+* A device app, **simulated-device**, that implements a direct method called **lockDoor**, which can be called by the back-end app.

+* A back-end app, **schedule-jobs**, that creates two jobs. One job calls the **lockDoor** direct method and another job sends desired property updates to multiple devices.

+> See [Azure IoT SDKs](iot-hub-devguide-sdks.md) for more information about the SDK tools available to build both device and back-end apps.

+> [!NOTE]

+> To keep things simple, this article does not implement a retry policy. In production code, you should implement retry policies (such as an exponential backoff), as suggested in the article, [Transient Fault Handling](/azure/architecture/best-practices/transient-faults).

+## Get the IoT Hub connection string

+In this article, you scheduled jobs to run a direct method and update the device twin's properties.

+To continue exploring IoT Hub and device management patterns, update an image in [Device Update for Azure IoT Hub tutorial using the Raspberry Pi 3 B+ Reference Image](../iot-hub-device-update/device-update-raspberry-pi.md).

+This article demonstrates how to [file upload capabilities of IoT Hub](iot-hub-devguide-file-upload.md) upload a file to [Azure blob storage](../storage/index.yml), using Node.js.

+These files are typically batch processed in the cloud, using tools such as [Azure Data Factory](../data-factory/introduction.md) or the [Hadoop](../hdinsight/index.yml) stack. When you need to upland files from a device, you can still use the security and reliability of IoT Hub. This article shows you how.

+> IoT Hub supports many device platforms and languages (including C, Java, Python, and JavaScript) through Azure IoT device SDKs. Refer to the [Azure IoT Developer Center](https://azure.microsoft.com/develop/iot) to learn how to connect your device to Azure IoT Hub.

+* Port 8883 should be open in your firewall. The device sample in this article uses MQTT protocol, which communicates over port 8883. This port may be blocked in some corporate and educational network environments. For more information and ways to work around this issue, see [Connecting to IoT Hub (MQTT)](iot-hub-mqtt-support.md#connecting-to-iot-hub).

+In this article, you learned how to use the file upload feature of IoT Hub to simplify file uploads from devices. You can continue to explore this feature with the following articles:

+Use Azure IoT Hub to schedule and track jobs that update millions of devices. Use jobs to:

+Conceptually, a job wraps one of these actions and tracks the progress of execution against a set of devices, which is defined by a device twin query. For example, a back-end app can use a job to invoke a reboot method on 10,000 devices, specified by a device twin query and scheduled at a future time. That application can then track progress as each of those devices receives and executes the reboot method.

+* Device twin and properties: [Get started with device twins](iot-hub-node-node-twin-getstarted.md) and [Understand and use device twins in IoT Hub](iot-hub-devguide-device-twins.md)

+This article shows you how to create two Node.js apps:

+* A Node.js simulated device app, **simDevice.js**, that implements a direct method called **lockDoor**, which can be called by the back-end app.

+* A Node.js console app, **scheduleJobService.js**, that creates two jobs. One job calls the **lockDoor** direct method and another job sends desired property updates to multiple devices.

+> [!NOTE]

+> See [Azure IoT SDKs](iot-hub-devguide-sdks.md) for more information about the SDK tools available to build both device and back-end apps.

+> To keep things simple, this article does not implement a retry policy. In production code, you should implement retry policies (such as an exponential backoff), as suggested in the article, [Transient Fault Handling](/azure/architecture/best-practices/transient-faults).

+## Get the IoT Hub connection string

+In this article, you scheduled jobs to run a direct method and update the device twin's properties.

+To continue exploring IoT Hub and device management patterns, update an image in [Device Update for Azure IoT Hub tutorial using the Raspberry Pi 3 B+ Reference Image](../iot-hub-device-update/device-update-raspberry-pi.md).

+This article demonstrates how to [file upload capabilities of IoT Hub](iot-hub-devguide-file-upload.md) upload a file to [Azure blob storage](../storage/index.yml), using Python.

+These files are typically batch processed in the cloud, using tools such as [Azure Data Factory](../data-factory/introduction.md) or the [Hadoop](../hdinsight/index.yml) stack. When you need to upland files from a device, you can still use the security and reliability of IoT Hub. This article shows you how.

+At the end of this article, you run the Python console app **FileUpload.py**, which uploads a file to storage using the Python Device SDK.

+* Port 8883 should be open in your firewall. The device sample in this article uses MQTT protocol, which communicates over port 8883. This port may be blocked in some corporate and educational network environments. For more information and ways to work around this issue, see [Connecting to IoT Hub (MQTT)](iot-hub-mqtt-support.md#connecting-to-iot-hub).

+In this article, you learned how to use the file upload feature of IoT Hub to simplify file uploads from devices. You can continue to explore this feature with the following articles:

+Use Azure IoT Hub to schedule and track jobs that update millions of devices. Use jobs to:

+Conceptually, a job wraps one of these actions and tracks the progress of execution against a set of devices, which is defined by a device twin query. For example, a back-end app can use a job to invoke a reboot method on 10,000 devices, specified by a device twin query and scheduled at a future time. That application can then track progress as each of those devices receives and executes the reboot method.

+* Device twin and properties: [Get started with device twins](iot-hub-python-twin-getstarted.md) and [Understand and use device twins in IoT Hub](iot-hub-devguide-device-twins.md)

+This article shows you how to create two Python apps:

+* A Python simulated device app, **simDevice.py**, that implements a direct method called **lockDoor**, which can be called by the back-end app.

+* A Python console app, **scheduleJobService.py**, that creates two jobs. One job calls the **lockDoor** direct method and another job sends desired property updates to multiple devices.

+> [!NOTE]

+> See [Azure IoT SDKs](iot-hub-devguide-sdks.md) for more information about the SDK tools available to build both device and back-end apps.

+> To keep things simple, this article does not implement a retry policy. In production code, you should implement retry policies (such as an exponential backoff), as suggested in the article, [Transient Fault Handling](/azure/architecture/best-practices/transient-faults).

+## Get the IoT Hub connection string

+In this article, you scheduled jobs to run a direct method and update the device twin's properties.

+To continue exploring IoT Hub and device management patterns, update an image in [Device Update for Azure IoT Hub tutorial using the Raspberry Pi 3 B+ Reference Image](../iot-hub-device-update/device-update-raspberry-pi.md).

+To preclude device impersonation, IoT Hub requires you to let it know what devices to expect. You do this by creating a device entry in the IoT Hub's device registry. This process is automated when using IoT Hub [Device Provisioning Service](../iot-dps/about-iot-dps.md).

+# As a developer, I want to connect to my single-tenant logic app workflows with virtual networks using private endpoints and virtual network integration.

+# Secure traffic between single-tenant Standard logic apps and Azure virtual networks using private endpoints

+To securely and privately communicate between your workflow in a Standard logic app and an Azure virtual network, you can set up *private endpoints* for inbound traffic and use virtual network integration for outbound traffic.

+This article shows how to set up access through private endpoints for inbound traffic and virtual network integration for outbound traffic.

+- [Regional virtual network integration?](../app-service/networking-features.md#regional-vnet-integration)

+## Set up outbound traffic using virtual network integration

+To secure outbound traffic from your logic app, you can integrate your logic app with a virtual network. First, create and test an example workflow. You can then set up virtual network integration.

+### Set up virtual network integration

+1. After Azure successfully provisions the virtual network integration, try to run the workflow again.

+> With virtual network integration, make sure that no firewall or network security policy blocks these connections.

+### Considerations for outbound traffic through virtual network integration

+Experiments and runs in Azure Machine Learning can be queried using MLflow. This removes the need of any Azure Machine Learning specific SDKs to manage anything that happens inside of a training job, allowing dependencies removal and creating a more seamless transition between local runs and cloud.

+MLflow allows you to:

+* Create, delete and search for experiments in a workspace.

+* If you're running in a compute not hosted in Azure ML, configure MLflow to point to the Azure ML tracking URL. You can follow the instruction at [Track runs from your local machine](how-to-use-mlflow-cli-runs.md).

+The MLflow SDK exposes several methods to retrieve runs, including options to control what is returned and how. Use the following table to learn about which of those methods are currently supported in MLflow when connected to Azure Machine Learning:

+| Filtering runs with comparators `OR` | | |

+> - ² `!=` for tags not supported.

+You can also look for a run with a specific combination in the hyperparameters using the parameter `filter_string`. Use `params` to access run's parameters and `metrics` to access metrics logged in the run. MLflow supports expressions joined by the AND keyword (the syntax does not support OR):

+* Monitor your job resources (preview)

+## Monitor your job resources (preview)

+Navigate to your job in the studio and select the Monitoring tab. This view provides insights on your job's resources on a 30 day rolling basis.

+>[!NOTE]

+>This view supports only compute that is managed by AzureML.

+>Jobs with a runtime of less than 5 minutes will not have enough data to populate this view.

+You can also check if the blobs are present in the workspace storage account.

+

+ ```azurecli

+ az storage blob exists --account-name foobar --container-name 210212154504-1517266419 --name WebUpload/210212154504-1517266419/GaussianNB.pkl --subscription <sub-name>`

+ ```

+

+- If the blob is present, you can use this command to obtain the logs from the storage initializer:

+ ```azurecli

+ az ml online-deployment get-logs --endpoint-name <endpoint-name> --name <deployment-name> ΓÇô-container storage-initializer`

+ ```

+Below is a list of reasons you might run into this error:

+* [Operation was cancelled by another operation which has a higher priority](#operation-cancelled-by-another-higher-priority-operation)

+* [Operation was cancelled due to a previous operation waiting for lock confirmation](#operation-cancelled-waiting-for-lock-confirmation)

+#### Operation cancelled by another higher priority operation

+Azure operations have a certain priority level and are executed from highest to lowest. This error happens when your operation happened to be overridden by another operation that has a higher priority.

+Retrying the operation might allow it to be performed without cancellation.

+#### Operation cancelled waiting for lock confirmation

+Azure operations have a brief waiting period after being submitted during which they retrieve a lock to ensure that we do not run into race conditions. This error happens when the operation you submitted is the same as another operation that is currently still waiting for confirmation that it has received the lock to proceed. It may indicate that you have submitted a very similar request too soon after the initial request.

+Retrying the operation after waiting a few seconds up to a minute may allow it to be performed without cancellation.

+- [Online endpoint YAML reference](reference-yaml-endpoint-online.md)

+For the CLI, you can use the [sweep job YAML schema](./reference-yaml-job-sweep.md), to define the search space in your YAML:

+* For a conservative policy that provides savings without terminating promising jobs, consider a Median Stopping Policy with `evaluation_interval` 1 and `delay_evaluation` 5. These are conservative settings that can provide approximately 25%-35% savings with no loss on primary metric (based on our evaluation data).

+* `timeout`: Maximum time in seconds the entire sweep job is allowed to run. Once this limit is reached the system will cancel the sweep job, including all its trials.

+sweep_job.set_limits(max_total_trials=20, max_concurrent_trials=4, timeout=1200)

+This code configures the hyperparameter tuning experiment to use a maximum of 20 total trial jobs, running four trial jobs at a time with a timeout of 1200 seconds for the entire sweep job.

+- **Parallel Coordinates Chart**: This visualization shows the correlation between primary metric performance and individual hyperparameter values. The chart is interactive via movement of axes (click and drag by the axis label), and by highlighting values across a single axis (click and drag vertically along a single axis to highlight a range of desired values). The parallel coordinates chart includes an axis on the rightmost portion of the chart that plots the best metric value corresponding to the hyperparameters set for that job instance. This axis is provided in order to project the chart gradient legend onto the data in a more readable fashion.

+> [Automated ML](../concept-automated-ml.md) workflows generated via the Azure Machine Learning studio currently only support TabularDatasets.

+>

+>[!NOTE]

+> For TabularDatasets generating from [SQL query results](/python/api/azureml-core/azureml.data.dataset_factory.tabulardatasetfactory#from-sql-query-query--validate-true--set-column-types-none--query-timeout-30-), T-SQL (e.g. 'WITH' sub query) or duplicate column name is not supported. Complex queries like T-SQL can cause performance issues. Duplicate column names in a dataset can cause ambiguity issues.

+* For more dataset training examples, see the [sample notebooks](https://github.com/Azure/MachineLearningNotebooks/tree/master/how-to-use-azureml/work-with-data/).

+ [](./media/workspaces/partner-center-home.png#lightbox)

+ [](./media/azure-benefit/enrolled-workspaces.png#lightbox)

+ "allowedCustomerOperations": <CSP purchases>["Read"] <All Others> ["Delete", "Update", "Read"],

+If you don't see the error code listed below or if the error code starts with **_AZCM_**, refer to [this guide for troubleshooting Azure Arc](../azure-arc/servers/troubleshoot-agent-onboard.md)

+ Title: Modernize ASP.NET web apps to Azure App Service code

+# Modernize ASP.NET web apps to Azure App Service code

+ Title: What is Azure Orbital Analytics?

+description: Azure Orbital Analytics are Azure capabilities that allow you to discover and distribute the most valuable insights from your spaceborne data.

+# What is Azure Orbital Analytics?

+Azure Orbital Analytics are Azure capabilities using spaceborne data and AI that allow you to discover and distribute the most valuable insights from your spaceborne data to take action in less time.

+## What it provides

+Azure Orbital Analytics provides the ability to downlink spaceborne data from Azure Orbital Ground Station (AOGS), first- or third-party archives, or customer-acquired data directly into Azure. This data is efficiently stored using Azure Data Platform components. From there, you can convert raw spaceborne sensor data into analysis-ready data using Azure Orbital Analytics processing pipelines.

+## Integrations

+Derive insights on data by applying AI models, integrating applications, and more. Partner AI models and Microsoft tools extract the highest precision results. Finally, deliver data to various endpoints such as Microsoft Teams, Power Platform, or other open-source locations. Azure Orbital Analytics enables scenarios including land classification, asset monitoring, object detection, and more.

+## Partnerships

+Azure Orbital Analytics is the pathway between satellite operators and Microsoft customers. Partnerships with Airbus, Blackshark, and Orbital Insight enable information extraction and publishing to EsriΓÇÖs ArcGIS workflows.

+Orbital Analytics for Azure Synapse applies artificial intelligence over satellite imagery at scale using Azure resources.

+## Next steps

+- [Geospatial reference architecture](./geospatial-reference-architecture.md)

+- [Spaceborne data analysis with Azure Synapse Analytics](/azure/architecture/industries/aerospace/geospatial-processing-analytics)

+Here is an example of a typical VNET setup with a subnet delegated to Azure Orbital Ground Station.

+When you create a contact, you can find these IPs by viewing the contact properties. Select JSON view in the portal or use the GET contact API call to view the contact properties. Make sure to use the current API version of 2022-03-01. The parameters of interest are below:

+> - The source and destination IPs are always taken from the subnet address range.

+| Contact Profile Link ipAddress | Blank | Routable IP from delegated subnet | Blank | Not applicable |

+| Contact Profile Link port | Unique port in 49152-65535 | Unique port in 49152-65535 | Unique port in 49152-65535 | Not applicable |

+| Contact Object sourceIP | Not applicable | Link will come from one of these IPs | Not applicable | Not applicable |

+| Contact Profile Link ipAddress | Blank | Routable IP from delegated subnet | Not applicable | Routable IP from delegated subnet |

+| Contact Profile Link port | Unique port in 49152-65535 | Unique port in 49152-65535 | Not applicable | Unique port in 49152-65535 |

+| Contact Object destinationIP | Connect to this IP | Not applicable | Not applicable | Not applicable |

+- [Schedule a contact](schedule-contact.md)

+description: Learn about migrating your Single Server databases to Azure Database for PostgreSQL Flexible Server by using the Azure CLI.

+- For a successful end-to-end migration, follow the post-migration steps in [Migrate from Azure Database for PostgreSQL Single Server to Flexible Server](./concepts-single-to-flexible.md).

+The following information lists the known limitations to the use of private endpoints:

+### Network security group

+| Limitation | Description |

+| | |

+| Effective routes and security rules unavailable for private endpoint network interface. | Effective routes and security rules won't be displayed for the private endpoint NIC in the Azure portal. |

+| NSG flow logs unsupported. | NSG flow logs unavailable for inbound traffic destined for a private endpoint. |

+| Intermittent drops with zone-redundant storage (ZRS) storage accounts. | Customers that use ZRS storage accounts might see periodic intermittent drops, even with *allow NSG* applied on a storage private-endpoint subnet. |

+| Intermittent drops with Azure Key Vault. | Customers that use Azure Key Vault might see periodic intermittent drops, even with *allow NSG* applied on a Key Vault private-endpoint subnet. |

+| The number of address prefixes per NSG is limited. | Having more than 500 address prefixes in an NSG in a single rule is unsupported. |

+| AllowVirtualNetworkAccess flag | Customers that set virtual network peering on their virtual network (virtual network A) with the *AllowVirtualNetworkAccess* flag set to *false* on the peering link to another virtual network (virtual network B) can't use the *VirtualNetwork* tag to deny traffic from virtual network B accessing private endpoint resources. The customers need to explicitly place a block for virtual network BΓÇÖs address prefix to deny traffic to the private endpoint. |

+| No more than 50 members in an Application Security Group. | Fifty is the number of IP Configurations that can be tied to each respective ASG thatΓÇÖs coupled to the NSG on the private endpoint subnet. Connection failures may occur with more than 50 members. |

+| Destination port ranges supported up to a factor of 250K. | Destination port ranges are supported as a multiplication SourceAddressPrefixes, DestinationAddressPrefixes, and DestinationPortRanges. </br></br> Example inbound rule: </br> 1 source * 1 destination * 4K portRanges = 4K Valid </br> 10 sources * 10 destinations * 10 portRanges = 1K Valid </br> 50 sources * 50 destinations * 50 portRanges = 125K Valid </br> 50 sources * 50 destinations * 100 portRanges = 250K Valid </br> 100 sources * 100 destinations * 100 portRanges = 1M Invalid, NSG has too many sources/destinations/ports. |

+| Source port filtering is interpreted as * | Source port filtering isn't actively used as valid scenario of traffic filtering for traffic destined to a private endpoint. |

+| Feature unavailable in select regions. | Currently unavailable in the following regions: </br> West India </br> UK North </br> UK South 2 </br> Australia Central 2 </br> South Africa West </br> Brazil Southeast |

+| Dual port NSG rules are unsupported. | If multiple port ranges are used with NSG rules, only the first port range is honored for allow rules and deny rules. Rules with multiple port ranges are defaulted to *deny all* instead of to denying specific ports. </br><br>For more information, see the UDR rule example in the next table. |

+| Priority | Source port | Destination port | Action | Effective action |

+### NSG additional considerations

+- Outbound traffic denied from a private endpoint isn't a valid scenario, as the service provider can't originate traffic.

+- The following services may require all destination ports to be open when leveraging a private endpoint and adding NSG security filters:

+ - Cosmos DB - For more information see, [Service port ranges](/azure/cosmos-db/sql/sql-sdk-connection-modes#service-port-ranges).

+### UDR

+| Limitation | Description |

+| | |

+| SNAT is recommended at all times. | Due to the variable nature of the private endpoint data-plane, it's recommended to SNAT traffic destined to a private endpoint to ensure return traffic is honored. |

+| Feature unavailable in select regions. | Currently unavailable in the following regions: </br> West India </br> UK North </br> UK South 2 </br> Australia Central 2 </br> South Africa West </br> Brazil Southeast |

+### Application security group

+| Limitation | Description |

+| | |

+| Feature unavailable in select regions. | Currently unavailable in the following regions: </br> West India </br> UK North </br> UK South 2 </br> Australia Central 2 </br> South Africa West </br> Brazil Southeast |

+1. On the left pane, select **Networking**.

+> Currently, if you cannot enable **Allow Azure services and resources to access this workspace** on your Azure Synapse workspaces, when set up scan on Microsoft Purview governance portal, you will hit serverless DB enumeration failure. In this case, to scan serverless DBs, you can use [Microsoft Purview REST API - Scans - Create Or Update](/rest/api/purview/scanningdataplane/scans/create-or-update/) to set up scan. Refer to [this example](#set-up-scan-using-api).

+### Set up scan using API

+Here is an example of creating scan for serverless DB using API. Replace the `{place_holder}` and `enum_option_1 | enum_option_2 (note)` value with your actual settings.

+```http

+PUT https://{purview_account_name}.purview.azure.com/scan/datasources/<data_source_name>/scans/{scan_name}?api-version=2022-02-01-preview

+```

+```json

+{

+ "properties":{

+ "resourceTypes":{

+ "AzureSynapseServerlessSql":{

+ "scanRulesetName":"AzureSynapseSQL",

+ "scanRulesetType":"System",

+ "resourceNameFilter":{

+ "resources":[ "{serverless_database_name_1}", "{serverless_database_name_2}", ...]

+ }

+ }

+ },

+ "credential":{

+ "referenceName":"{credential_name}",

+ "credentialType":"SqlAuth | ServicePrincipal | ManagedIdentity (if UAMI authentication)"

+ },

+ "collection":{

+ "referenceName":"{collection_name}",

+ "type":"CollectionReference"

+ },

+ "connectedVia":{

+ "referenceName":"{integration_runtime_name}",

+ "integrationRuntimeType":"SelfHosted (if self-hosted IR) | Managed (if VNet IR)"

+ }

+ },

+ "kind":"AzureSynapseWorkspaceCredential | AzureSynapseWorkspaceMsi (if system-assigned managed identity authentication)"

+}

+```

+To schedule the scan, additionally create a trigger for it after scan creation, refer to [Triggers - Create Trigger](/rest/api/purview/scanningdataplane/triggers/create-trigger).

+ - **Description**: This utility is based on and covers the entire set functionality described in the [Microsoft Purview REST API reference](/rest/api/purview/). [Download & Install from PowerShell Gallery](https://aka.ms/purview-api-ps). It helps you execute all the documented Microsoft Purview REST APIs through a breezy fast and easy to use PowerShell interface. Use and automate Microsoft Purview APIs for regular and long-term usage via command-line and scripted methods. This is an alternative for customers looking to do bulk tasks in automated manner, batch-mode, or scheduled cron jobs; as against the GUI method of using the Azure portal and Microsoft Purview governance portal. Detailed documentation, sample usage guide, self-help, and examples are available on [GitHub:Azure-Purview-API-PowerShell](https://github.com/Azure/Azure-Purview-API-PowerShell).

+ var hitType = hits[0].HitType;

+ auto hitType = hits[0].HitType;

+* **`SubPartId`:** Which *submesh* was hit in a [MeshComponent](../../concepts/meshes.md#meshcomponent). Can be used to index into `MeshComponent.UsedMaterials` and look up the [material](../../concepts/materials.md) at that point.

+* **`HitType`:** What was hit by the ray: `TriangleFrontFace`, `TriangleBackFace` or `Point`. By default, [ARR renders double sided](single-sided-rendering.md#prerequisites) so the triangles the user sees are not necessarily front facing. If you want to differentiate between `TriangleFrontFace` and `TriangleBackFace` in your code, make sure your models are authored with correct face directions first.

+## Spatial queries

+A *spatial query* allows for the runtime to check which [MeshComponent](../../concepts/meshes.md#meshcomponent) are intersected by a world-space axis-aligned bounding box (AABB). This check is very performant as the individual check is performed based on each mesh part's bounds in the scene, not on an individual triangle basis. As an optimization, a maximum number of hit mesh components can be provided.\

+While such a query can be run manually on the client side, for large scenes it will be much faster for the server to compute this.

+```cs

+async void QueryAABB(RenderingSession session)

+{

+ // Query all mesh components in a 2x2x2m cube.

+ SpatialQuery query = new SpatialQuery();

+ query.Bounds = new Microsoft.Azure.RemoteRendering.Bounds(new Double3(-1, -1, -1), new Double3(1, 1, 1));

+ query.MaxResults = 100;

+ SpatialQueryResult result = await session.Connection.SpatialQueryAsync(query);

+ foreach (MeshComponent meshComponent in result.Overlaps)

+ {

+ Entity owner = meshComponent.Owner;

+ // do something with the hit MeshComponent / Entity

+ }

+}

+```

+```cpp

+void QueryAABB(ApiHandle<RenderingSession> session)

+{

+ // Query all mesh components in a 2x2x2m cube.

+ SpatialQuery query;

+ query.Bounds.Min = {-1, -1, -1};

+ query.Bounds.Max = {1, 1, 1};

+ query.MaxResults = 100;

+ session->Connection()->SpatialQueryAsync(query, [](Status status, ApiHandle<SpatialQueryResult> result)

+ {

+ if (status == Status::OK)

+ {

+ std::vector<ApiHandle<MeshComponent>> overlaps;

+ result->GetOverlaps(overlaps);

+ for (ApiHandle<MeshComponent> meshComponent : overlaps)

+ {

+ ApiHandle<Entity> owner = meshComponent->GetOwner();

+ // do something with the hit MeshComponent / Entity

+ }

+ }

+ });

+}

+```

+* [Overriding hierarchical states](override-hierarchical-state.md)

+* [Single sided rendering](single-sided-rendering.md)

+Azure service: [App Service Certificates](../app-service/configure-ssl-certificate.md#buy-and-import-app-service-certificate)

+ [Download HotelReviews_Free.csv](https://github.com/Azure-Samples/azure-search-sample-data/blob/master/hotelreviews/HotelReviews_data.csv). This CSV contains 19 pieces of customer feedback about a single hotel (originates from Kaggle.com). The file is in a repo with other sample data. If you don't want the whole repo, copy the raw content and paste it into a spreadsheet app on your device.

+ [Upload the file to a blob container](../storage/blobs/storage-quickstart-blobs-portal.md) in Azure Storage.

+1. [Download HotelReviews_Free.csv](https://github.com/Azure-Samples/azure-search-sample-data/blob/master/hotelreviews/HotelReviews_data.csv). This CSV contains 19 pieces of customer feedback about a single hotel (originates from Kaggle.com). The file is in a repo with other sample data. If you don't want the whole repo, copy the raw content and paste it into a spreadsheet app on your device.

+| Maximum running time ⁶| 1-3 minutes |2 or 24 hours |2 or 24 hours |2 or 24 hours |2 or 24 hours |N/A |2 or 24 hours |2 or 24 hours |

+⁶ Indexer maximum run time for Basic tier or higher can be 2 or 24 hours, depending on system resources, product implementation and other factors.

+For additional resources for the Roslyn Analyzers task, review the [Roslyn-based analyzers](/dotnet/standard/analyzers/api-analyzer).

+If you have further questions about the Security Code Analysis extension and the tools offered, check out [our FAQ page](security-code-analysis-faq.yml).

+| **EventType** | Mandatory | Enumerated | Describes the operation reported by the record. <br><br>For File records, supported values include: <br><br>- `FileAccessed`<br>- `FileCreated`<br>- `FileModified`<br>- `FileDeleted`<br>- `FileRenamed`<br>- `FileCopied`<br>- `FileMoved`<br>- `FolderCreated`<br>- `FolderDeleted` |

+### Understand alert timestamps

+Defender for IoT alerts, in both the Azure portal and on the sensor console, track the time an alert was first detected, last detected, and last changed.

+The following table describes the Defender for IoT alert timestamp fields, with a mapping to the relevant fields from Log Analytics shown in Microsoft Sentinel.

+|Defender for IoT field |Description | Log Analytics field |

+||||

+|**First detection** |Defines the first time the alert was detected in the network. | `StartTime` |

+|**Last detection** | Defines the last time the alert was detected in the network, and replaces the **Detection time** column.| `EndTime` |

+|**Last activity** | Defines the last time the alert was changed, including manual updates for severity or status, or automated changes for device updates or device/alert de-duplication | `TimeGenerated` |

+In Defender for IoT on the Azure portal and the sensor console, the **Last detection** column is shown by default. Edit the columns on the **Alerts** page to show the **First detection** and **Last activity** columns as needed.

+For more information, see [View alerts on the Defender for IoT portal](../defender-for-iot/organizations/how-to-manage-cloud-alerts.md) and [View alerts on your sensor](../defender-for-iot/organizations/how-to-view-alerts.md).

+## Microsoft technical resources

+| **EventSchemaVersion** | Mandatory | String | The version of the schema. The version of the schema documented here is `0.2.4`. |

+|<a name="networkicmptype"></a> **NetworkIcmpType** | Optional | String | For an ICMP message, the ICMP message type number, as described in [RFC 2780](https://datatracker.ietf.org/doc/html/rfc2780) for IPv4 network connections, or in [RFC 4443](https://datatracker.ietf.org/doc/html/rfc4443) for IPv6 network connections. |

+| **NetworkIcmpCode** | Optional | Integer | For an ICMP message, the ICMP code number as described in [RFC 2780](https://datatracker.ietf.org/doc/html/rfc2780) for IPv4 network connections, or in [RFC 4443](https://datatracker.ietf.org/doc/html/rfc4443) for IPv6 network connections. |

+| **TcpFlagsAck** | Optional | Boolean | The TCP ACK Flag reported. The acknowledgment flag is used to acknowledge the successful receipt of a packet. As we can see from the diagram above, the receiver sends an ACK as well as a SYN in the second step of the three way handshake process to tell the sender that it received its initial packet. |

+| **TcpFlagsFin** | Optional | Boolean | The TCP FIN Flag reported. The finished flag means there is no more data from the sender. Therefore, it is used in the last packet sent from the sender. |

+| **TcpFlagsSyn** | Optional | Boolean | The TCP SYN Flag reported. The synchronization flag is used as a first step in establishing a three way handshake between two hosts. Only the first packet from both the sender and receiver should have this flag set. |

+| **TcpFlagsUrg** | Optional | Boolean | The TCP URG Flag reported. The urgent flag is used to notify the receiver to process the urgent packets before processing all other packets. The receiver will be notified when all known urgent data has been received. See [RFC 6093](https://tools.ietf.org/html/rfc6093) for more details. |

+| **TcpFlagsPsh** | Optional | Boolean | The TCP PSH Flag reported. The push flag is somewhat similar to the URG flag and tells the receiver to process these packets as they are received instead of buffering them. |

+| **TcpFlagsRst** | Optional | Boolean | The TCP RST Flag reported. The reset flag gets sent from the receiver to the sender when a packet is sent to a particular host that was not expecting it. |

+| **TcpFlagsEce** | Optional | Boolean | The TCP ECE Flag reported. This flag is responsible for indicating if the TCP peer is [ECN capable](https://en.wikipedia.org/wiki/Explicit_Congestion_Notification). See [RFC 3168](https://tools.ietf.org/html/rfc3168) for more details. |

+| **TcpFlagsCwr** | Optional | Boolean | The TCP CWR Flag reported. The congestion window reduced flag is used by the sending host to indicate it received a packet with the ECE flag set. See [RFC 3168](https://tools.ietf.org/html/rfc3168) for more details. |

+| **TcpFlagsNs** | Optional | Boolean | The TCP NS Flag reported. The nonce sum flag is still an experimental flag used to help protect against accidental malicious concealment of packets from the sender. See [RFC 3540](https://tools.ietf.org/html/rfc3540) for more details |

+| **ThreatIpAddr** | Optional | IP Address | An IP address for which a threat was identified. The field [ThreatField](#threatfield) contains the name of the field **ThreatIpAddr** represents. |

+| <a name="threatfield"></a>**ThreatField** | Optional | Enumerated | The field for which a threat was identified. The value is either `SrcIpAddr` or `DstIpAddr`. |

+| **ThreatConfidence** | Optional | Integer | The confidence level of the threat identified, normalized to a value between 0 and a 100.|

+| **ThreatOriginalConfidence** | Optional | String | The original confidence level of the threat identified, as reported by the reporting device.|

+| **ThreatIsActive** | Optional | Boolean | True ID the threat identified is considered an active threat. |

+| **ThreatFirstReportedTime** | Optional | datetime | The first time the IP address or domain were identified as a threat. |

+| **ThreatLastReportedTime** | Optional | datetime | The last time the IP address or domain were identified as a threat.|

+Theses are the changes in version 0.2.4 of the schema:

+- Added the `TcpFlags` fields.

+- Updated `NetworkIcpmType` and `NetworkIcmpCode` to reflect the number value for both.

+- Added additional inspection fields.

+- [Advanced Security Information Model (ASIM) content](normalization-content.md)

+ Title: Advanced Security Information Model (ASIM) known issues | Microsoft Docs

+description: This article outlines the Microsoft Sentinel Advanced Security Information Model (ASIM) known issues.

+# Advanced Security Information Model (ASIM) known issues (Public preview)

+The following are the Advanced Security Information Model (ASIM) known issues and limitations:

+## Time picker set to a custom range

+When using ASIM parsers in the log screen, the time picker will change automatically to "set in query", which will result in querying over all data in the relevant tables. The query results may not be the expected results and performance may be slow.

+To ensure correct and timely results, set the time range to your preferred range after it changes to "set in query".

+## Performance challenges

+ASIM based queries over a long time range, and which do not use filtering parameters, may be slow. Parsing is a resource-intensive operation, and when applied to a large, unfiltered, dataset, it is expected to be slow.

+If you encounter performance issues:

+- When using an interactive query, make sure to set the time picker to time range needed.

+- Use parser filters. Most importantly use the `starttime` and the `endtime` filter parameters.

+## The ingest_time() function is not supported

+The `ingest_time()` function reports the time at which a record was ingested into Microsoft Sentinel, which may be different from `TimeGenerated`. This information is commonly used in queries that take into account ingestion delays. The `ingest_time()` has to be used in the context of a specific table and does not work with ASIM functions, which unify many different tables.

+## Misleading informational message

+In some cases when using ASIM parser functions, usually when there are no results to the query, the following information message is displayed.

+While the message is alarming, it is informational only, and the system behaved as expected. ASIM functions combine data from many sources, regardless of whether they are available in your environment or not. The message suggests that some of the sources are not available in your environment.

+## <a name="next-steps"></a>Next steps

+This article discusses the Advanced Security Information Model (ASIM) help functions.

+For more information, see:

+- Watch the [Deep Dive Webinar on Microsoft Sentinel Normalizing Parsers and Normalized Content](https://www.youtube.com/watch?v=zaqblyjQW6k) or review the [slides](https://1drv.ms/b/s!AnEPjr8tHcNmjGtoRPQ2XYe3wQDz?e=R3dWeM)

+- [Advanced Security Information Model (ASIM) overview](normalization.md)

+- [Advanced Security Information Model (ASIM) schemas](normalization-about-schemas.md)

+- [Advanced Security Information Model (ASIM) parsers](normalization-about-parsers.md)

+- [Using the Advanced Security Information Model (ASIM)](normalization-about-parsers.md)

+- [Modifying Microsoft Sentinel content to use the Advanced Security Information Model (ASIM) parsers](normalization-modify-content.md)

+| Schema | Parser | Line to add

+| | - | - |

+| DNS | `Im_DnsCustom` | `_parser_name_ (starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype)` |

+| NetworkSession | `Im_NetworkSessionCustom` | `_parser_name_ (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult)` |

+| WebSession | `Im_WebSessionCustom`| `_parser_name_ (starttime, endtime, srcipaddr_has_any_prefix, url_has_any, httpuseragent_has_any, eventresultdetails_in, eventresult)` |

+For example, to exclude the Azure Firewall DNS parser, add the following record to the watchlist:

+| Schema | Parser | Line to add |

+| | -- | - |

+| **Authentication** | `ImAuthentication` | `_parser_name_ (starttime, endtime, targetusername_has)` |

+| **DNS** | `ImDns` | `_parser_name_ (starttime, endtime, srcipaddr, domain_has_any,`<br>` responsecodename, response_has_ipv4, response_has_any_prefix,`<br>` eventtype)` |

+| **File Event** | `imFileEvent` | `_parser_name_` |

+| **Network Session** | `imNetworkSession` | `_parser_name_ (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, dstportnumber, url_has_any,`<br>` httpuseragent_has_any, hostname_has_any, dvcaction, eventresult)` |

+| **Process Event** | - `imProcess`<br> - `imProcessCreate`<br> - `imProcessTerminate` | `_parser_name_` |

+| **Registry Event** | `imRegistry`<br><br> | `_parser_name_` |

+| **Web Session** | `imWebSession`<br><br> | `_parser_name_ parser (starttime, endtime, srcipaddr_has_any, url_has_any, httpuseragent_has_any, eventresultdetails_in, eventresult)` |

+| **Source** | **Notes** | **Parser**

+| | | - |

+| **Normalized DNS Logs** | Any event normalized at ingestion to the `ASimDnsActivityLogs` table. | `_Im_Dns_Native` |

+| **Azure Firewall** | | `_Im_Dns_AzureFirewallVxx` |

+| **Cisco Umbrella** | | `_Im_Dns_CiscoUmbrellaVxx` |

+| **Corelight Zeek** | | `_Im_Dns_CorelightZeekVxx` |

+| **GCP DNS** | | `_Im_Dns_GcpVxx` |

+| - **Infoblox NIOS**<br> - **BIND**<br> - **BlucCat** | The same parsers support multiple sources. | `_Im_Dns_InfobloxNIOSVxx` |

+| **Microsoft DNS Server** | Collected by the DNS connector and the Log Analytics Agent. | `_Im_Dns_MicrosoftOMSVxx` |

+| **Microsoft DNS Server** | Collected by NXlog. | `_Im_Dns_MicrosoftNXlogVxx` |

+| **Sysmon for Windows** (event 22) | Collected by the Log Analytics Agent<br> or the Azure Monitor Agent,<br>supporting both the<br> `Event` and `WindowsEvent` tables. | `_Im_Dns_MicrosoftSysmonVxx` |

+| **Vectra AI** | |`_Im_Dns_VectraIAVxx` |

+| **Zscaler ZIA** | | `_Im_Dns_ZscalerZIAVxx` |

+| **Source** | **Notes** | **Parser** |

+| **AppGate SDP** | IP connection logs collected using Syslog. | `_Im_NetworkSession_AppGateSDPVxx` |

+| **AWS VPC logs** | Collected using the AWS S3 connector. | `_Im_NetworkSession_AWSVPCVxx` |

+| **Azure Firewall logs** | |`_Im_NetworkSession_AzureFirewallVxx`|

+| **Azure Monitor VMConnection** | Collected as part of the Azure Monitor [VM Insights solution](../azure-monitor/vm/vminsights-overview.md). | `_Im_NetworkSession_VMConnectionVxx` |

+| **Azure Network Security Groups (NSG) logs** | Collected as part of the Azure Monitor [VM Insights solution](../azure-monitor/vm/vminsights-overview.md). | `_Im_NetworkSession_AzureNSGVxx` |

+| **Fortigate FortiOS** | IP connection logs collected using Syslog. | `_Im_NetworkSession_FortinetFortiGateVxx` |

+| **Microsoft 365 Defender for Endpoint** | | `_Im_NetworkSession_Microsoft365DefenderVxx`|

+| **Microsoft Defender for IoT - Endpoint** | | `_Im_NetworkSession_MD4IoTVxx` |

+| **Palo Alto PanOS traffic logs** | Collected using CEF. | `_Im_NetworkSession_PaloAltoCEFVxx` |

+| **Sysmon for Linux** (event 3) | Collected using the Log Analytics Agent<br> or the Azure Monitor Agent. |`_Im_NetworkSession_LinuxSysmonVxx` |

+| **Vectra AI** | | `_Im_NetworkSession_VectraIAVxx` |

+| **Windows Firewall logs** | Collected as Windows events using the Log Analytics Agent (Event table) or Azure Monitor Agent (WindowsEvent table). Supports Windows events 5150 to 5159. | `_Im_NetworkSession_MicrosoftWindowsEventFirewallVxx`|

+| **Zscaler ZIA firewall logs** | Collected using CEF. | `_Im_NetworkSessionZscalerZIAVxx` |

+| **Source** | **Notes** | **Parser** |

+|**Squid Proxy** | | `_Im_WebSession_SquidProxyVxx` |

+| **Vectra AI Streams** | | `_Im_WebSession_VectraAIVxx` |

+| **Zscaler ZIA** | Collected using CEF | `_Im_WebSessionZscalerZIAVxx` |

+* The user needs to have Microsoft.Authorization/roleAssignments/write permissions to the host group such as [User Access Administrator](/azure/role-based-access-control/built-in-roles#user-access-administrator) or [Owner](/azure/role-based-access-control/built-in-roles#owner) to do role assignments in a host group. For more information, see [Assign Azure roles using the Azure portal - Azure RBAC](/azure/role-based-access-control/role-assignments-portal?tabs=current#prerequisites).

+If you need to create a new client certificate, follow the steps in [set and retrieve a certificate from Azure Key Vault](/azure/key-vault/certificates/quick-create-portal). Note the certificate thumbprint as it will be required to deploy the template in the next step.

+3. The [sample ARM deployment template for Dedicated Host Group](https://github.com/Azure-Samples/service-fabric-cluster-templates/tree/master/SF-Managed-Standard-SKU-2-NT-ADH) used in the previous step also adds a role assignment to the host group with contributor access. For more information on Azure roles, see [Azure built-in roles - Azure RBAC](/azure/role-based-access-control/built-in-roles#all). This role assignment is defined in the resources section of template with Principal ID determined from the first step and a role definition ID.

+ * Client Certificate Thumbprint: Provide the thumbprint of the client certificate that you would like to use to access your cluster. If you don't have a certificate, follow [set and retrieve a certificate](/azure/key-vault/certificates/quick-create-portal) to create a self-signed certificate.

+ * ARM PowerShell cmdlets: [New-AzResourceGroupDeployment (Az.Resources)](/powershell/module/az.resources/new-azresourcegroupdeployment). Store the paths of your ARM template and parameter files in variables, then deploy the template.

+This guide builds upon the managed cluster quick start guide: [Deploy a Service Fabric managed cluster using Azure Resource Manager](/azure/service-fabric/quickstart-managed-cluster-template)

+* Ephemeral OS disks aren't supported for every SKU. VM sizes such as DSv1, DSv2, DSv3, Esv3, Fs, FsV2, GS, M, Mdsv2, Bs, Dav4, Eav4 supports Ephemeral OS disks. Ensure the SKU with which you want to deploy supports Ephemeral OS disk. For more information on individual SKU, see [supported VM SKU](/azure/virtual-machines/dv3-dsv3-series) and navigate to the desired SKU on left side pane.

+If you need to create a new client certificate, follow the steps in [set and retrieve a certificate from Azure Key Vault](/azure/key-vault/certificates/quick-create-portal). Note the certificate thumbprint as it will be required to deploy the template in the next step.

+ * Client Certificate Thumbprint: Provide the thumbprint of the client certificate that you would like to use to access your cluster. If you don't have a certificate, follow [set and retrieve a certificate](/azure/key-vault/certificates/quick-create-portal) to create a self-signed certificate.

+ * ARM PowerShell cmdlets: [New-AzResourceGroupDeployment (Az.Resources)](/powershell/module/az.resources/new-azresourcegroupdeployment). Store the paths of your ARM template and parameter files in variables, then deploy the template.

+{

+ "apiVersion": "[variables('sfApiVersion')]",

+ "type": "Microsoft.ServiceFabric/managedclusters/nodetypes",

+ "name": "[concat(parameters('clusterName'), '/', parameters('nodeType2Name'))]",

+ "location": "[resourcegroup().location]",

+ "dependsOn": [

+ "[concat('Microsoft.ServiceFabric/managedclusters/', parameters('clusterName'))]"

+ ],

+ "properties": {

+ "isPrimary": false,

+ "vmImagePublisher": "[parameters('vmImagePublisher')]",

+ "vmImageOffer": "[parameters('vmImageOffer')]",

+ "vmImageSku": "[parameters('vmImageSku')]",

+ "vmImageVersion": "[parameters('vmImageVersion')]",

+ "vmSize": "[parameters('nodeType2VmSize')]",

+ "vmInstanceCount": "[parameters('nodeType2VmInstanceCount')]",

+ "dataDiskSizeGB": "[parameters('nodeType2DataDiskSizeGB')]",

+ "dataDiskType": "[parameters('nodeType2managedDataDiskType')]"

+ }

+}

+6) Select `Manage node type scaling` to configure the scaling settings and choose between custom autoscale and manual scale options. Autoscale is a built-in feature that helps applications perform their best when demand changes. You can choose to scale your resource manually to a specific instance count, or via a custom Autoscale policy that scales based on metric(s) thresholds, or schedule instance count which scales during designated time windows. [Learn more about Azure Autoscale](/azure/azure-monitor/platform/autoscale-get-started?WT.mc_id=Portal-Microsoft_Azure_Monitoring) or [view the how-to video](https://www.microsoft.com/videoplayer/embed/RE4u7ts).

+This implies that it is not possible to recover the persisted state of that node. This generally happens if a hard disk has been wiped clean, or if a hard disk crashes. The node has to be down for this operation to be successful. This operation lets Service Fabric know that the replicas on that node no longer exist, and that Service Fabric should stop waiting for those replicas to come back up. Do not run this cmdlet if the state on the node has not been removed and the node can come back up with its state intact. Starting from Service Fabric 6.5, in order to use this API for seed nodes, please change the seed nodes to regular (non-seed) nodes and then invoke this API to remove the node state. If the cluster is running on Azure, after the seed node goes down, Service Fabric will try to change it to a non-seed node automatically. To make this happen, make sure the number of non-seed nodes in the primary node type is no less than the number of Down seed nodes. If necessary, add more nodes to the primary node type to achieve this. For standalone cluster, if the Down seed node is not expected to come back up with its state intact, please remove the node from the cluster. For more information, see [Add or remove nodes to a standalone Service Fabric cluster running on Windows Server](/azure/service-fabric/service-fabric-cluster-windows-server-add-remove-nodes).

+1. Learn about [VMware vSphere failback](failover-failback-overview.md#vmwarephysical-reprotectionfailback).

+3. Make sure you've completed the [requirements](avs-tutorial-reprotect.md#before-you-begin) for reprotection and failback, and that you've [enabled reprotection](avs-tutorial-reprotect.md#enable-reprotection) of Azure VMs, so that they're replicating from Azure to the Azure VMware Solution private cloud. VMs must be in a replicated state in order to fail back.

+5. Failover begins. Azure Site Recovery shuts down the Azure VMs.

+> For Windows VMs, Azure Site Recovery disables the VMware tools during failover. During failback of the Windows VM, the VMware tools are enabled again.

+- If you're new to Azure Automation, you can [sign up](https://azure.microsoft.com/services/automation/) and [download sample scripts](https://azure.microsoft.com/documentation/scripts/). For more information, see [Automation runbooks - known issues and limitations](/azure/automation/automation-runbook-types#powershell-runbooks).

+East US, East US 2, Central US, South Central US, North Central US, West US, West US 2, West US 3, West Europe, North Europe, UK South, Southeast Asia, Australia East, Canada Central, UAE North, Central India, Korea Central, East Asia, Japan East, South Africa North, Brazil South, France Central, Germany West Central, Switzerland North, China East 2 (Mooncake), and China North 2 (Mooncake). [Learn More](https://azure.microsoft.com/global-infrastructure/services/?products=spring-cloud)

+East US, East US 2, Central US, South Central US, North Central US, West US, West US 2, West US 3, West Europe, North Europe, UK South, Southeast Asia, Australia East, Canada Central, UAE North, Central India, Korea Central, East Asia, Japan East, South Africa North, Brazil South, France Central, Germany West Central, and Switzerland North.

+- Complete the previous quickstarts in this series:

+ - [Provision an Azure Spring Apps service instance](./quickstart-provision-service-instance.md).

+ - [Quickstart: Set up Spring Cloud Config Server for Azure Spring Apps](./quickstart-setup-config-server.md).

+ - [Build and deploy apps to Azure Spring Apps](./quickstart-deploy-apps.md).

+ - [Set up a Log Analytics workspace](./quickstart-setup-log-analytics.md).

+You'll see output similar to the following example:

+1. Then select **Run**, and you'll see logs. For more information, see [Get started with log queries in Azure Monitor](../azure-monitor/logs/get-started-queries.md).

+1. Select the link between **solar-system-weather** and **planet-weather-provider** to see more details such as the slowest calls by HTTP methods.

+- Complete the previous quickstarts in this series:

+ - [Provision an Azure Spring Apps service instance](./quickstart-provision-service-instance.md).

+ - [Quickstart: Set up Spring Cloud Config Server for Azure Spring Apps](./quickstart-setup-config-server.md).

+ - [Build and deploy apps to Azure Spring Apps](./quickstart-deploy-apps.md).

+ - [Set up a Log Analytics workspace](./quickstart-setup-log-analytics.md).

+You'll see logs like this:

+1. Then you'll see filtered logs. For more information, see [Get started with log queries in Azure Monitor](../azure-monitor/logs/get-started-queries.md).

+Navigate to the `Application insights` blade, and then navigate to the `Metrics` blade. You can see metrics contributed by Spring Boot apps, Spring modules, and dependencies.

+The following chart shows `gateway-requests` (Spring Cloud Gateway), `hikaricp_connections` (JDBC Connections), and `http_client_requests`.

+Spring Boot registers several core metrics, including JVM, CPU, Tomcat, and Logback. The Spring Boot auto-configuration enables the instrumentation of requests handled by Spring MVC. All three REST controllers (`OwnerResource`, `PetResource`, and `VisitResource`) have been instrumented by the `@Timed` Micrometer annotation at the class level.

+The `customers-service` application has the following custom metrics enabled:

+ - @Timed: `petclinic.owner`

+ - @Timed: `petclinic.pet`

+The `visits-service` application has the following custom metrics enabled:

+ - @Timed: `petclinic.visit`

+You can use the Availability Test feature in Application Insights and monitor the availability of applications:

+>

+> [Analyze logs and metrics with diagnostics settings](diagnostic-services.md)

+>

+ Title: "Quickstart: Set up Spring Cloud Config Server for Azure Spring Apps"

+# Quickstart: Set up Spring Cloud Config Server for Azure Spring Apps

+Config Server is a centralized configuration service for distributed systems. It uses a pluggable repository layer that currently supports local storage, Git, and Subversion. In this quickstart, you set up the Config Server to get data from a Git repository.

+## Config Server procedures

+## Config Server procedures

+| Secret permission | Certificate permission | Select principal |

+|-||--|

+| Get, List | Get, List | Azure Spring Cloud Domain-Management |

+- **Functions Core Tools runtime**¹ handles requests to the site's API.

+Optionally, if you use the `swa init` command, the Static Web Apps CLI looks at your application code and build a _swa-cli.config.json_ configuration file for the CLI. When you use the _swa-cli.config.json_ file, you can run `swa start` to launch your application locally.

+¹ The Azure Functions Core Tools are automatically installed by the CLI if they aren't already on your system.

+ npm install @azure/static-web-apps-cli

+1. Initialize the repository for the CLI.

+ ```console

+ swa init

+ ```

+ Answer the questions posed by the CLI to verify your configuration settings are correct.

+| Description | Command | Comments |

+|--|--|--|

+| Serve a specific folder | `swa start ./<OUTPUT_FOLDER_NAME>` | Replace `<OUTPUT_FOLDER_NAME>` with the name of your output folder. |

+| Use a running framework development server | `swa start http://localhost:3000` | This command works when you have an instance of your application running under port `3000`. Update the port number if your configuration is different. |

+| Start a Functions app in a folder | `swa start ./<OUTPUT_FOLDER_NAME> --api-location ./api` | Replace `<OUTPUT_FOLDER_NAME>` with the name of your output folder. This command expects your application's API to have files in the _api_ folder. Update this value if your configuration is different. |

+| Use a running Functions app | `swa start ./<OUTPUT_FOLDER_NAME> --api-location http://localhost:7071` | Replace `<OUTPUT_FOLDER_NAME>` with the name of your output folder. This command expects your Azure Functions application to be available through port `7071`. Update the port number if your configuration is different. |

+| **Claims** | A list of [user claims](user-information.md#client-principal-data), where each name is on a new line. |

+ swa start http://localhost:<DEV-SERVER-PORT-NUMBER> --appDevserverUrl http://localhost:7071

+ Replace `<DEV_SERVER_PORT_NUMBER>` with the development server's port number.

+- Verify that the destination account still exists.

+- Verify that the destination container is not in the process of being deleted, or has not just been deleted. Deleting a container may take up to 30 seconds.

+- Verify that the destination container is still participating in the object replication policy.

+- Check whether the source or destination blob has been moved to the Archive tier. Archived blobs cannot be replicated via object replication. For more information about the Archive tier, see [Hot, Cool, and Archive access tiers for blob data](access-tiers-overview.md).

+- Verify that destination container or blob is not protected by an immutability policy. Keep in mind that a container or blob can inherit an immutability policy from its parent. For more information about immutability policies, see [Overview of immutable storage for blob data](immutable-storage-overview.md).

+- Point-in-time restore is not supported for hierarchical namespaces or operations via Azure Data Lake Storage Gen2.

+| v1.25.0 | August 3, 2022 | August 3, 2023 |

+| v1.24.3 | June 21, 2022 | June 21, 2023 |

+| v1.24.2 | May 27, 2022 | May 27, 2023 |

+Storage Explorer requires the .NET 6 runtime to be installed on your system. The ASP.NET runtime is **not** required.

+> Older versions of Storage Explorer may require a different version of .NET or .NET Core. Refer to release notes or in app error messages to help determine the required version.

+### [Ubuntu 22.04](#tab/2204)

+1. Install the [.NET 6 runtime](/dotnet/core/install/linux-ubuntu)

+### [Ubuntu 20.04](#tab/2004)

+1. Install the [.NET 6 runtime](/dotnet/core/install/linux-ubuntu)

+### [Ubuntu 18.04](#tab/1804)

+1. Install the [.NET 6 runtime](/dotnet/core/install/linux-ubuntu)

+EmployeeEntity employee = await employeeTable.GetEntityAsync<EmployeeEntity>("Sales", "212");

+For the Stream Analytics job to access your Cosmos DB using managed identity, the service principal you created must have special permissions to your Azure Cosmos DB account. In this step, you can assign a role to your stream analytics job's system-assigned managed identity. Azure Cosmos DB has multiple built-in roles that you can assign to the managed identity. For this solution, you will use the following role:

+|Built-in role |

+||

+|Cosmos DB Built-in Data Contributor|

+ | Role | Cosmos DB Built-in Data Contributor |

+For the Stream Analytics job to access your Service Bus using managed identity, the service principal you created must have special permissions to your Azure Service Bus resource. In this step, you can assign a role to your stream analytics job's system-assigned managed identity. Azure provides the below Azure built-in roles for authorizing access to a Service Bus namespace. For Azure Stream Analytics you would need this role:

+ | Role | Azure Service Bus Data Sender |

+| | Power BI | No | Yes |

+Once a database has been created by a Spark job, you can create tables in it with Spark that use Parquet, Delta, or CSV as the storage format. Table names will be converted to lower case and need to be queried using the lower case name. These tables will immediately become available for querying by any of the Azure Synapse workspace Spark pools. They can also be used from any of the Spark jobs subject to permissions.

+Azure Synapse currently only shares managed and external Spark tables that store their data in Parquet, DELTA, or CSV format with the SQL engines. Tables backed by other formats are not automatically synced. You may be able to sync such tables explicitly yourself as an external table in your own SQL database if the SQL engine supports the table's underlying format.

+> Currently, only Parquet and CSV formats are fully supported in serverless SQL pool. Spark Delta tables are also available in the serverless SQL pool, but this feature is in **public preview**. External tables created in Spark are not available in dedicated SQL pool databases.

+- The SQL external table's file format is Parquet, Delta, or CSV.

+> Database level collation is `Latin1_General_100_CI_AS_SC_UTF8`.

+> A table that is not using Delta, Parquet or CSV as its storage format will not be synchronized.

+> * Please refer to [Lifecycle FAQ - Microsoft Azure](/lifecycle/faq/azure) for information about Azure lifecycle policies.

+SELECT SchemaName = SCHEMA_NAME(t.schema_id)

+ , [ReplicatedTable] = t.[name]

+ , [RebuildStatement] = 'SELECT TOP 1 * FROM ' + '[' + SCHEMA_NAME(t.schema_id) + '].[' + t.[name] +']'

+FROM sys.tables t

+JOIN sys.pdw_replicated_table_cache_state c

+ ON c.object_id = t.object_id

+JOIN sys.pdw_table_distribution_properties p

+ ON p.object_id = t.object_id

+WHERE c.[state] = 'NotReady'

+AND p.[distribution_policy_desc] = 'REPLICATE'

+> The REST APIs that are described in this article are for standalone dedicated SQL pools (formerly SQL DW) and are not applicable to a dedicated SQL pool that's created in an Azure Synapse Analytics workspace. For information about REST APIs to use specifically for an Azure Synapse Analytics workspace, see [Azure Synapse Analytics workspace REST API](/rest/api/synapse/).

+ Title: 'Power BI integration - Azure Time Series Insights Gen 2'

+* Learn more about [Power BI](/power-bi/).

+ Title: 'Overview: What is Azure Time Series Insights Gen2? - Azure Time Series Insights Gen2'

+ Title: 'Manage reference data in GA environments using C# - Azure Time Series Insights'

+Register-AzProviderPreviewFeature -Name InGuestAutoAssessmentVMPreview -ProviderNamespace Microsoft.Compute

+- View our [autoscale FAQ](autoscale-faq.yml) to answer commonly asked questions.

+- To get a list of available time zones for a VM, run the [Get-TimeZone PowerShell cmdlet](/powershell/module/microsoft.powershell.management/get-timezone) on the VM.

+- If you're experiencing agent or connectivity-related issues, see the [Azure Virtual Desktop Agent issues troubleshooting guide](troubleshoot-agent.md).

+Signing users out won't deallocate their VMs. To learn how to deallocate VMs, see [Start or stop VMs during off hours](../automation/automation-solution-vm-management.md) for personal host pools and [Autoscale](autoscale-scaling-plan.md) for pooled host pools.

+Yes. Users can shut down the VM by using the Start menu within their session, just like they would with a physical machine. However, shutting down the VM won't deallocate the VM. To learn how to deallocate VMs, see [Start or stop VMs during off hours](../automation/automation-solution-vm-management.md) for personal host pools and [Autoscale](autoscale-scaling-plan.md) for pooled host pools.

+You can group costs by host pool by using the cm-resource-parent tag. This tag won't impact billing but will let you review tagged costs in Microsoft Cost Management without having to use filters. The key for this tag is **cm-resource-parent** and its value is the resource ID of the Azure resource you want to group costs by. For example, you can group costs by host pool by entering the host pool resource ID as the value. To learn more about how to use this tag, see [Group related resources in the cost analysis (preview)](../cost-management-billing/costs/enable-preview-features-cost-management-labs.md#group-related-resources-in-the-cost-analysis-preview).

+- Zoom in/zoom out of chat windows isn't supported.

+2. Download PsExec from [PsExec v2.40](/sysinternals/downloads/psexec).

+2. Download PsExec from [PsExec v2.40](/sysinternals/downloads/psexec).

+| Canonical | 0001-com-ubuntu-server-focal | 20_04-lts-gen2 |

+| MicrosoftCBLMariner | CBL-Mariner | 1-gen2 |

+| MicrosoftCBLMariner | CBL-Mariner | CBL-Mariner-2-gen2 |

+| MicrosoftWindowsServer | WindowsServer | 2019-Datacenter-gensecond |

+| MicrosoftWindowsServer | WindowsServer | 2019-Datacenter-smalldisk-g2 |

+| MicrosoftWindowsServer | WindowsServer | 2022-datacenter-g2 |

+| MicrosoftWindowsServer | WindowsServer | 2022-datacenter-azure-edition-core |

+| MicrosoftWindowsServer | WindowsServer | 2022-datacenter-azure-edition-core-smalldisk |

+- 100 image version replicas, per subscription, per region however 50 replicas should be sufficient for most use cases

+You can change the behavior when you delete a VM. The following example updates the VM to delete the NIC, OS disk, and data disk when the VM is deleted.

+### [CLI](#tab/cli3)

+The following example sets the delete option to `detach` so you can reuse the disk.

+```azurecli-interactive

+az resource update --resource-group myResourceGroup --name myVM --resource-type virtualMachines --namespace Microsoft.Compute --set properties.storageProfile.osDisk.deleteOption=detach

+```

+### [REST](#tab/rest3)

+### [Portal](#tab/portal4)

+### [CLI](#tab/cli4)

+### [PowerShell](#tab/powershell4)

+### [REST](#tab/rest4)

+### [Portal](#tab/portal5)

+### [CLI](#tab/cli5)

+### [PowerShell](#tab/powershell5)

+### [REST](#tab/rest5)

+Here's an example:

+Here's the sample output:

+The VM Agent is required to manage, install and execute extensions. If the VM Agent isn't running or is failing to report a Ready status to the Azure platform, then the extensions won't work correctly.

+If you're running scripts on the VM using Custom Script Extension, you could sometimes run into an error where VM was created successfully but the script has failed. Under these conditions, the recommended way to recover from this error is to remove the extension and rerun the template again.

+You can also trigger a new GoalState to the VM, by executing a "VM Reapply". VM [Reapply](/rest/api/compute/virtualmachines/reapply) is an API introduced in 2020 to reapply a VM's state. We recommend doing this at a time when you can tolerate a short VM downtime. While Reapply itself doesn't cause a VM reboot, and the vast majority of times calling Reapply won't reboot the VM, there's a very small risk that some other pending update to the VM model gets applied when Reapply triggers a new goal state, and that other change could require a restart.

+It could happen that you're creating an Azure VM based on a specialized Disk coming from another Azure VM. In that case, it's possible that the old VM contained extensions, and so will have binaries, logs and status files left over. The new VM model won't be aware of the previous VM's extensions states, and it might report an incorrect status for these extensions. We strongly recommend you to remove the extensions from the old VM before creating the new one, and then reinstall these extensions once the new VM is created.

+The same can happen when you create a generalized image from an existing Azure VM. We invite you to remove extensions to avoid inconsistent state from the extensions.

+## Known issues

+### PowerShell isn't recognized as an internal or external command

+You notice the following error entries in the RunCommand extension's output:

+```Log sample

+RunCommandExtension failed with "'powershell' isn't recognized as an internal or external command,"

+```

+**Analysis**

+Extensions run under Local System account, so it's very possible that powershell.exe works fine when you RDP into the VM, but fails when run with RunCommand.

+**Solution**

+- Check that PowerShell is properly listed in the PATH environment variable:

+ - Open Control Panel

+ - System and Security

+ - System

+ - Advanced tab -> Environmental Variables

+- Under 'System variables' click edit and ensure that PowerShell is in the PATH environment variable (usually: "C:\Windows\System32\WindowsPowerShell\v1.0")

+- Reboot the VM or restart the WindowsAzureGuestAgent service then try the Run Command again.

+### Command isn't recognized as an internal or external command

+You see the following in the C:\WindowsAzure\Logs\Plugins\<ExtensionName>\<Version>\CommandExecution.log file:

+```Log sample

+Execution Error: '<command>' isn't recognized as an internal or external command, operable program or batch file.

+```

+**Analysis**

+Extensions run under Local System account, so it's very possible that powershell.exe works fine when you RDP into the VM, but fails when run with RunCommand.

+**Solution**

+- Open a Command Prompt in the VM and execute a command to reproduce the error. The VM Agent uses the Administrator cmd.exe and you may have some preconfigured command to execute every time cmd is started.

+- It's also likely that your PATH variable is misconfigured, but this will depend on the command that is having the problem.

+### VMAccessAgent is failing with Cannot update Remote Desktop Connection settings for Administrator account. Error: System.Runtime.InteropServices.COMException (0x800706D9): There are no more endpoints available from the endpoint mapper.

+You see the following in the extension's status:

+```Log sample

+Type Microsoft.Compute.VMAccessAgent

+Version 2.4.8

+Status Provisioning failed

+Status level Error

+Status message Cannot update Remote Desktop Connection settings for Administrator account. Error: System.Runtime.InteropServices.COMException (0x800706D9): There are no more endpoints available from the endpoint mapper. (Exception from HRESULT: 0x800706D9) at NetFwTypeLib.INetFwRules.GetEnumerator() at

+Microsoft.WindowsAzure.GuestAgent.Plugins.JsonExtensions.VMAccess.RemoteDesktopManager.EnableRemoteDesktopFirewallRules()

+at Microsoft.WindowsAzure.GuestAgent.Plugins.JsonExtensions.VMAccess.RemoteDesktopManager.EnableRemoteDesktop() at

+```

+**Analysis**

+This error can happen when the Windows Firewall service isn't running.

+**Solution**

+Check if the Windows Firewall service is enabled and running. If it's not, please enable and start it - then try again to run the VMAccessAgent.

+### The remote certificate is invalid according to the validation procedure.

+You see the following in the WaAppAgent.log

+```Log sample

+System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. > System.Security.

+Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

+```

+**Analysis**

+Your VM is probably missing the Baltimore CyberTrust Root certificate in "Trusted Root Certification Authorities".

+**Solution**

+Open the certificates console with certmgr.msc, and check if the certificate is there.

+If it's not, please install it from https://cacert.omniroot.com/bc2025.crt

+Another possible issue is that the certificate chain is broken by a third party SSL Inspection tool, like ZScaler. That kind of tool should be configured to bypass SSL inspection.

+For more information on creating the account, a container, and uploading your netlist as a blob to that container, see [Quickstart: Create, download, and list blobs with Azure CLI](../storage/blobs/storage-quickstart-blobs-cli.md).

+description: Learn how to set up a classic release pipeline and deploy to Linux virtual machines using the blue-green deployment strategy.

+**Applies to:** :heavy_check_mark: Linux VMs

+Azure Pipelines provides a fully featured set of CI/CD automation tools for deployments to virtual machines. This article will show you how to set up a classic release pipeline that uses the blue-green strategy to deploy to Linux virtual machines. Azure also supports other strategies like [rolling](./tutorial-devops-azure-pipelines-classic.md) and [canary](./tutorial-azure-devops-canary-strategy.md) deployments.

+## Blue-green deployments

+A blue-green deployment is a deployment strategy where you create two separate and identical environments but only one is live at any time. This strategy is used to increase availability and reduce downtime by switching between the blue/green environments. The blue environment is usually set to run the current version of the application while the green environment is set to host the updated version. When all updates are completed, traffic is directed to the green environment and blue environment is set to idle.

+Using the **Continuous-delivery** feature, you can use the blue-green deployment strategy to deploy to your virtual machines from Azure portal.

+1. Sign in to [Azure portal](https://portal.azure.com/) and navigate to a virtual machine.

+1. ISelect **Continuous delivery**, and then select **Configure**.

+ 

+1. In the configuration panel, select **Use existing** and select your organization/project or select **Create** and create new ones.

+1. Select your **Deployment group name** from the dropdown menu or create a new one.

+1. Select your **Build pipeline** from the dropdown menu.

+1. Select the **Deployment strategy** dropdown menu, and then select **Blue-Green**.

+ 

+1. Add a "blue" or "green" tag to VMs that are used for blue-green deployments. If a VM is for a standby role, tag it as "green". Otherwise, tag it as "blue".

+ 

+1. Select **OK** to configure the classic release pipeline to deploy to your virtual machine.

+ 

+1. Navigate to your release pipeline and then select **Edit** to view the pipeline configuration. In this example, the *dev* stage is composed of three jobs:

+ 1. Deploy Green: the app is deployed to a standby VM tagged "green".

+ 1. Wait for manual resumption: the pipeline pauses and waits for manual intervention.

+ 1. Swap Blue-Green: this job swaps the "blue" and "green" tags in the VMs. This ensures that VMs with older application versions are now tagged as "green". During the next pipeline run, applications will be deployed to these VMs.

+ 

+## Resources

+- [Deploy to Azure virtual machines with Azure DevOps](../../devops-project/azure-devops-project-vms.md)

+- [Deploy to an Azure virtual machine scale set](/azure/devops/pipelines/apps/cd/azure/deploy-azure-scaleset)

+## Related articles

+The install, update, and remove commands must be written with file naming in mind. The `configFileName` is assigned to the config file for the VM and `packageFileName` is the name assigned downloaded package on the VM. For more information regarding these additional VM settings, refer to [UserArtifactSettings](/rest/api/compute/gallery-application-versions/create-or-update?tabs=HTTP#userartifactsettings) in our API docs.

+* [Red Hat on Azure overview](./overview.md)

+* [Red Hat on Azure overview](./overview.md)

+- August 09, 2022: Release of scenario [HA for SAP ASCS/ERS with NFS simple mount](./high-availability-guide-suse-nfs-simple-mount.md) on SLES 15 for SAP Applications

+In general, Microsoft supports only high availability configurations and software packages that are described in the [SAP workload scenarios](/azure/virtual-machines/workloads/sap/get-started). You can read the same statement in SAP note [#1928533](https://launchpad.support.sap.com/#/notes/1928533). Microsoft will not provide support for other high availability third-party software frameworks that are not documented by Microsoft with SAP workload. In such cases, the third-party supplier of the high availability framework is the supporting party for the high availability configuration who needs to be engaged by you as a customer into the support process. Exceptions are going to be mentioned in this article.

+ Title: "Configuring Azure Policy with network groups in Azure Virtual Network Manager (Preview)"

+description: Learn about how to utilize Azure Policy to configure a high scale and dynamic network group used with Azure Virtual Network Manager.

+# Configuring Azure Policy with network groups in Azure Virtual Network Manager (Preview)

+In this article, you'll learn how [Azure Policy](../governance/policy/overview.md) is used in Azure Virtual Network Manager to define dynamic network group membership. Dynamic network groups allow you to create scalable and dynamically adapting virtual network environments in your organization.

+> [!IMPORTANT]

+> Azure Virtual Network Manager is currently in public preview.

+> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

+> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+## Azure Policy overview

+Azure Policy evaluates resources in Azure by comparing the properties of those resources to business rules. These business rules, described in JSON format, are known as [policy definitions](#policy-definition). Once your business rules have been formed, the policy definition is assigned to any scope of resources that Azure supports, such as management groups, subscriptions, resource groups, or individual resources. The assignment applies to all resources within the Resource Manager scope of that assignment. Learn more about scope usage with [Scope in Azure Policy](../governance/policy/concepts/scope.md).

+> [!NOTE]

+> Azure Policy is only used for the definition of dynamic network group membership.

+## Policy definition

+Creating and implementing a policy in Azure Policy begins with creating a policy definition resource. Every policy definition has conditions under which it's enforced, and a defined effect that takes place if the conditions are met.

+With network groups, your policy definition includes your conditional expression for matching virtual networks meeting your criteria, and specifies the destination network group where any matching resources are placed. The `addToNetworkGroup` effect is used to accomplish this. The following is a sample of a policy rule definition with the `addToNetworkGroup` effect.

+```json

+"policyRule": {

+ "if": {

+ "allOf": [

+ {

+ "field": "Name",

+ "contains": "-gen"

+ }

+ ]

+ },

+ "then": {

+ "effect": "addToNetworkGroup",

+ "details": {

+ "networkGroupId": "/subscriptions/12345678-abcd-123a-1234-1234abcd7890/resourceGroups/myResourceGroup2/providers/Microsoft.Network/networkManagers/myAVNM/networkGroups/myNG"

+ }

+ }

+}

+```

+Learn more about [policy definition structure](../governance/policy/concepts/definition-structure.md).

+## Policy assignments

+Similar to Virtual Network Manager configurations, policy definitions don't immediately take effect when you create them. To begin applying, you must create a Policy Assignment, which assigns a definition to evaluate at a given scope. Currently, all resource within the scope will be evaluated against the definition. This allows you to have a single reusable definition that you can assign at multiple places for more granular group membership control. Learn more information on the [Assignment Structure](../governance/policy/concepts/assignment-structure.md) for Azure Policy.

+

+Policy definitions and assignment can be created through with API/PS/CLI or [Azure Policy Portal]().

+## Required permissions

+To use Azure Policy with network groups, users need the following permissions:

+- `Microsoft.ApiManagement/service/apis/operations/policy/write` is needed at the scope you're assigning.

+- `Microsoft.Network/networkManagers/networkGroups/join/action` action is needed on the target network group referenced in the **Add to network group** section. This permission allows for the adding and removing of objects from the target network group.

+- When using set definitions to assign multiple policies at the same time, concurrent `networkGroup/join/action` permissions are needed on all definitions being assigned at the time of assignment.

+To set the needed permissions, uses can be assigned built-in roles with [role-based access control](../role-based-access-control/quickstart-assign-role-user-portal.md):

+- **Network Contributor** role to the target network group.

+- **API Management Service Contributor** role at the target scope level.

+For more granular role assignment, you can create [custom roles](../role-based-access-control/custom-roles-portal.md) using the `networkGroups/join/action` permission and `policy/write` permission.

+## Helpful tips

+### Type filtering

+When configuring your policy definitions, it's recommended to always include a **type** condition to scope it to virtual networks. This will allow Policy to filter out non virtual network operations and improve the efficiency of your policy resources.

+### Regional slicing

+Policy resources are global, which means that any change will take effect on all resources under the assignment scope, regardless of region. If regional slicing and gradual rollout is a concern for you, it's recommended to also include a `where location in []` condition. Then, you can incrementally expand the locations list to gradually roll out the effect.

+### Assignment scoping

+If you're following management group best practices using [Azure management groups](../governance/management-groups/overview.md), it's likely you already have your resources organized in a hierarchy structure. Using assignments, you can assign the same definition to multiple distinct scopes within your hierarchy, allowing you to have higher granularity control of which resources are eligible for your network group

+## Next steps

+- Create an [Azure Virtual Network Manager](create-virtual-network-manager-portal.md) instance.

+- Learn about [configuration deployments](concept-deployments.md) in Azure Virtual Network Manager.

+- Learn how to block network traffic with a [SecurityAdmin configuration](how-to-block-network-traffic-portal.md).

+$location = "West US"

+ Location = $location

+

+

+

+

+ ResourceGroupName = $rg.Name

+ Location = $location

+ Location = $location

+ Location = $location

+ Location = $location

+To complete the configuration of the virtual networks, add a /24 subnet to each one. Create a subnet configuration named **default** with [Add-AzVirtualNetworkSubnetConfig](/powershell/module/az.network/add-azvirtualnetworksubnetconfig).

+ AddressPrefix = '10.1.0.0/24'

+ AddressPrefix = '10.2.0.0/24'

+1. Create a network group to add virtual networks to.

+ Name = 'myNetworkGroup'

+ ResourceGroupName = $rg.Name

+ NetworkManagerName = $networkManager.Name

+ }

+ $networkgroup = New-AzNetworkManagerGroup @ng

+

+### Option 1: Static membership

+1. Add the static member to the network group with the following commands:

+ 1. Static members must have a network group scoped unique name. It's recommended to use a consistent hash of the virtual network ID. Below is an approach using the ARM Templates uniqueString() implementation.

+

+ ```azurepowershell-interactive

+ function Get-UniqueString ([string]$id, $length=13)

+ {

+ $hashArray = (new-object System.Security.Cryptography.SHA512Managed).ComputeHash($id.ToCharArray())

+ -join ($hashArray[1..$length] | ForEach-Object { [char]($_ % 26 + [byte][char]'a') })

+ }

+ ```

+

+ $smA = @{

+ Name = Get-UniqueString $virtualNetworkA.Id

+ ResourceGroupName = $rg.Name

+ NetworkGroupName = $networkGroup.Name

+ NetworkManagerName = $networkManager.Name

+ ResourceId = $virtualNetworkA.Id

+ }

+ $statimemberA = New-AzNetworkManagerStaticMember @sm

+

+ ```azurepowershell-interactive

+ $smB = @{

+ Name = Get-UniqueString $virtualNetworkB.Id

+ ResourceGroupName = $rg.Name

+ NetworkGroupName = $networkGroup.Name

+ NetworkManagerName = $networkManager.Name

+ ResourceId = $virtualNetworkB.Id

+ }

+ $statimemberB = New-AzNetworkManagerStaticMember @sm

+ ```

+

+ ```azurepowershell-interactive

+ $smC = @{

+ Name = Get-UniqueString $virtualNetworkC.Id

+ ResourceGroupName = $rg.Name

+ NetworkGroupName = $networkGroup.Name

+ NetworkManagerName = $networkManager.Name

+ ResourceId = $virtualNetworkC.Id

+ }

+ $statimemberC = New-AzNetworkManagerStaticMember @sm

+ ```

+

+### Option 2: Dynamic membership

+1. Define the conditional statement and store it in a variable.

+> [!NOTE]

+> It is recommended to scope all of your conditionals to only scan for type `Microsoft.Network/virtualNetwork` for efficiency.

+```azurepowershell-interactive

+$conditionalMembership = '{

+ "allof":[

+ {

+ "field": "type",

+ "equals": "Microsoft.Network/virtualNetwork"

+ }

+ {

+ "field": "name",

+ "contains": "VNet"

+ }

+ ]

+}'

+```

+

+1. Create the Azure Policy definition using the conditional statement defined in the last step using New-AzPolicyDefinition.

+> [!IMPORTANT]

+> Policy resources must have a scope unique name. It is recommended to use a consistent hash of the network group. Below is an approach using the ARM Templates uniqueString() implementation.

+

+```azurepowershell-interactive

+ function Get-UniqueString ([string]$id, $length=13)

+ {

+ $hashArray = (new-object System.Security.Cryptography.SHA512Managed).ComputeHash($id.ToCharArray())

+ -join ($hashArray[1..$length] | ForEach-Object { [char]($_ % 26 + [byte][char]'a') })

+ }

+```

+```azurepowershell-interactive

+$defn = @{

+ Name = Get-UniqueString $networkgroup.Id

+ Mode = 'Microsoft.Network.Data'

+ Policy = $conditionalMembership

+}

+

+$policyDefinition = New-AzPolicyDefinition $defn

+```

+

+1. Assign the policy definition at a scope within your network managers scope for it to begin taking effect.

+ $assgn = @{

+ Name = Get-UniqueString $networkgroup.Id

+ PolicyDefinition = $policyDefinition

+

+ $policyAssignment = New-AzPolicyAssignment $assgn

+

+

+

+ ResourceGroupName = $rg.Name

+ NetworkManagerName = $networkManager.Name

+ ```

+Commit the configuration to the target regions with Deploy-AzNetworkManagerCommit. This will trigger your configuration to begin taking effect.

+ Name = $networkManager.Name

+ ResourceGroupName = $rg.Name

+

+ Remove-AzNetworkManagerConnectivityConfiguration @connectivityconfig.Id

+

+ ```

+2. Remove the policy resources with Remove-AzPolicy*

+ ```azurepowershell-interactive

+

+ Remove-AzPolicyAssignment $policyAssignment.Id

+ Remove-AzPolicyAssignment $policyDefinition.Id

+

+3. Remove the network group with Remove-AzNetworkManagerGroup.

+ Remove-AzNetworkManagerGroup $networkGroup.Id

+4. Delete the network manager instance with Remove-AzNetworkManager.

+ Remove-AzNetworkManager $networkManager.Id

+5. If you no longer need the resource created, delete the resource group with [Remove-AzResourceGroup](/powershell/module/az.resources/remove-azresourcegroup).

+> Learn how to [Block network traffic with security admin rules](how-to-block-network-traffic-powershell.md)

+You can use an Azure network security group to filter network traffic between Azure resources in an Azure virtual network. A network security group contains [security rules](#security-rules) that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.

+|Protocol | TCP, UDP, ICMP, ESP, AH, or Any. The ESP and AH protocols are not currently available via the Azure Portal but can be used via ARM templates. |

+1. Repeat steps 1-5 to create a second virtual machine. In step 3, name the virtual machine *myVmPrivate*. In step 4, select the **Private** subnet and set *NIC network security group* to **None**.

+You can connect your on-premises computers and networks to a virtual network using any of the following options:

+* Ubuntu 22.04 x64