+Feature management is a software-development practice that decouples feature release from code deployment and enables quick changes to feature availability on demand. It uses a technique called *feature flags* (also known as *feature toggles* and *feature switches*) to dynamically administer a feature's lifecycle.

+1. From the service menu, under **Settings**, select **GitOps** > **Create**.

+To view all of the configurations for a cluster, navigate to the cluster and select **GitOps** from the service menu.

+To see other Kubernetes resources deployed on the cluster, return to the cluster overview page and select **Kubernetes resources** from the service menu.

+To delete a Flux configuration, navigate to the cluster where the configuration was created and select **GitOps** from the service menu. Select the configuration you want to delete. From the top of the page, select **Delete**, then select **Delete** again when prompted to confirm.

+Through Azure Arc resource bridge, you can accomplish the following tasks for each private cloud infrastructure from Azure:

+While Azure has redundancy features at every level of failure, if a service impacting event occurs, Azure Arc resource bridge currently does not support cross-region failover or other resiliency capabilities. In the event of the service becoming unavailable, the on-premises VMs continue to operate unaffected. Management from Azure is unavailable during that service outage.

+Arc resource bridge typically releases a new version on a monthly cadence, at the end of the month. Delays might occur that could push the release date further out. Regardless of when a new release comes out, if you are within n-3 supported versions, then your Arc resource bridge version is supported. To stay updated on releases, visit the [Arc resource bridge release notes](release-notes.md). To learn more about upgrade options, visit [Upgrade Arc resource bridge](upgrade.md).

+Arc resource bridge does not currently support private link.

+ Title: "What's new with Azure Arc resource bridge"

+description: "Learn about the latest releases of Azure Arc resource bridge."

+# What's new with Azure Arc resource bridge

+Azure Arc resource bridge is updated on an ongoing basis. To stay up to date with the most recent developments, this article provides you with information about recent releases.

+We generally recommend using the most recent versions of the agents. The [version support policy](overview.md#supported-versions) generally covers the most recent version and the three previous versions (n-3).

+## Version 1.2.0 (July 2024)

+- Appliance: 1.2.0

+- CLI extension: 1.2.0

+- SFS release: 0.1.32.10710

+- Kubernetes: 1.28.5

+- Mariner: 2.0.20240609

+### Arc-enabled SCVMM

+- `CreateConfig`: Improve prompt messages and reorder networking prompts for the custom IP range scenario

+- `CreateConfig`: Validate Gateway IP input against specified IP range for the custom IP range scenario

+- `CreateConfig`: Add validation to check infra configuration capability for HA VM deployment. If HA isn't supported, reprompt users to proceed with standalone VM deployment

+### Arc-enabled VMware vSphere

+- Improve prompt messages in createconfig for VMware

+- Validate proxy scheme and check for required `no_proxy` entries

+### Features

+- Reject double commas (`,,`) in `no_proxy` string

+- Add default folder to createconfig list

+- Add conditional Fairfax URLs for US Gov Virginia support

+- Add new error codes

+### Bug fixes

+- Fix for openSSH [CVE-2024-63870](https://github.com/advisories/GHSA-2x8c-95vh-gfv4)

+## Version 1.1.1 (April 2024)

+- Appliance: 1.1.1

+- CLI extension: 1.1.1

+- SFS release: 0.1.26.10327

+- Kubernetes: 1.27.3

+- Mariner: 2.0.20240301

+### Arc-enabled SCVMM

+- Add quotes for resource names

+### Azure Stack HCI

+- HCI auto rotation logic on upgrade

+### Features

+- Updated log collection with describe nodes

+- Error message enhancement for failure to reach Arc resource bridge VM

+- Improve troubleshoot command error handling with scoped access key

+- Longer timeout for individual pod pulls

+- Updated `execute` command to allow passing in a kubeconfig

+- Catch `<>` in no_proxy string

+- Add validation to see if connections from the client machine are proxied

+- Diagnostic checker enhancement - Add default gateway and dns servers check to telemetry mode

+- Log collection enhancement

+### Bug fixes

+- HCI MOC image client fix to set storage container on catalog

+## Version 1.1.0 (April 2024)

+- Appliance: 1.1.0

+- CLI extension: 1.1.0

+- SFS release: 0.1.25.10229

+- Kubernetes: 1.27.3

+- Mariner: 2.0.20240223

+### Arc-enabled SCVMM

+- Use same `vmnetwork` key for HG and Cloud (`vmnetworkid`)

+- SCVMM - Add fallback for VMM IP pool with support for IP range in appliance network, add `--vlanid` parameter to accept `vlanid`

+- Non-interactive mode for SCVMM `troubleshoot` and `logs` commands

+- `Createconfig` command uses styled text to warn about saving config files instead of standard logger

+- Improved handling and error reporting for timeouts while provisioning/deprovisioning images from the cloud fabric

+- Verify template and snapshot health after provisioning an image, and clean up files associated to the template on image deprovision failures

+- Missing VHD state handing in SCVMM

+- SCVMM `validate` and `createconfig` fixes

+### Arc-enabled VMware vSphere

+- SSD storage validations added to VMware vSphere in telemetry mode to check if the ESXi host backing the resource pool has any SSD-backed storage

+- Improve missing privilege error message, show some privileges in error message

+- Validate host ESXi version and provide a concrete error message for placement profile

+- Improve message for no datacenters found, display default folder

+- Surface VMware error when finder fails during validate

+- Verify template health and fix it during image provision

+### Features

+- `deploy` command - diagnostic checker enhancements that add retries with exponential backoff to proxy client calls

+- `deploy` command - diagnostic checker enhancement: adds storage performance checker in telemetry mode to evaluate the storage performance of the VM used to deploy the appliance

+- `deploy` command - Add Timeout for SSH connection: New error message: "Error: Timeout occurred due to management machine being unable to reach the appliance VM IP, 192.168.0.11. Ensure that the requirements are met: `https://aka.ms/arb-machine-reqs: dial tcp 192.168.0.11:22: connect: connection timed out`

+- `validate` command - The appliance deployment now fails if Proxy Connectivity and No Proxy checks report any errors

+### Bug fixes

+- SCVMM ValueError fix - fallback option for VMM IP Pools with support for Custom IP Range based Appliance Network

+## Version 1.0.18 (February 2024)

+- Appliance: 1.0.18

+- CLI extension: 1.0.3

+- SFS release: 0.1.24.10201

+- Kubernetes: 1.26.6

+- Mariner: 2.0.20240123

+### Fabric/Private cloud provider

+- SCVMM `createconfig` command improvements - retry until valid Port and FQDN provided

+- SCVMM and VMware - Validate control plane IP address; add reprompts

+- SCVMM and VMware - extend `deploy` command timeout from 30 to 120 minutes

+### Features

+- `deploy` command - diagnostic checker enhancement: proxy checks in telemetry mode

+### Product

+- Reduction in CPU requests

+- ETCD preflight check enhancements for upgrade

+### Bug fixes

+- Fix for clusters impacted by the `node-ip` being set as `kube-vip` IP issue

+- Fix for SCVMM cred rotation with the same credentials

+## Version 1.0.17 (December 2023)

+- Appliance: 1.0.17

+- CLI extension: 1.0.2

+- SFS release: 0.1.22.11107

+- Kubernetes: 1.26.6

+- Mariner: 2.0.20231106

+### Fabric/Private cloud provider

+- SCVMM `createconfig` command improvements

+- Azure Stack HCI - extend `deploy` command timeout from 30 to 120 minutes

+- All private clouds - enable provider credential parameters to be passed in each command

+- All private clouds - basic validations for select `createconfig` command inputs

+- VMware - basic reprompts for select `createconfig` command inputs

+### Features

+- `deploy` command - diagnostic checker enhancement - improve `context` error messages

+### Bug fixes

+- Fix for `context` error always being returned as `Deploying`

+### Known bugs

+- Arc resource bridge upgrade shows appliance version as upgraded, but status shows upgrade failed

+## Version 1.0.16 (November 2023)

+- Appliance: 1.0.16

+- CLI extension: 1.0.1

+- SFS release: 0.1.21.11013

+- Kubernetes: 1.25.7

+- Mariner: 2.0.20231004

+### Fabric/Private cloud provider

+- SCVMM image provisioning and upgrade fixes

+- VMware vSphere - use full inventory path for networks

+- VMware vSphere error improvement for denied permission

+- Azure Stack HCI - enable default storage container

+### Features

+- `deploy` command - diagnostic checker enhancement - add `azurearcfork8s.azurecr.io` URL

+### Bug fixes

+- vSphere credential issue

+- Don't set storage container for non-`arc-appliance` catalog image provision requests

+- Monitoring agent not installed issue

+## Version 1.0.15 (September 2023)

+- Appliance: 1.0.15

+- CLI extension: 1.0.0

+- SFS release: 0.1.20.10830

+- Kubernetes: 1.25.7

+- Mariner: 2.0.20230823

+### Fabric/Infrastructure

+- `az arcappliance` CLI commands now only support static IP deployments for VMware and SCVMM

+- For test purposes only, Arc resource bridge on Azure Stack HCI may be deployed with DHCP configuration

+- Support for using canonical region names

+- Removal of VMware vSphere 6.7 fabric support (vSphere 7 and 8 are both supported)

+### Features

+- (new) `get-upgrades` command- fetches the new upgrade edge available for a current appliance cluster

+- (new) `upgrade` command - upgrades the appliance to the next available version (not available for SCVMM)

+- (update) `deploy` command - In addition to `deploy`, this command now also calls `create` command. `Create` command is now optional.

+- (new) `get-credentials` command - now allows fetching of SSH keys and kubeconfig, which are needed to run the `logs` command from a different machine than the one used to deploy Arc resource bridge

+- Allowing usage of `config-file` parameter for `get-credentials` command

+(new) Troubleshoot command - help debug live-site issues by running allowed actions directly on the appliance using a JIT access key

+### Bug fix

+- IPClaim premature deletion issue vSphere static IP

+## Next steps

+- Learn more about [Arc resource bridge](overview.md).

+- Learn how to [upgrade Arc resource bridge](upgrade.md).

+This article describes how Arc resource bridge is upgraded, and the two ways upgrade can be performed: cloud-managed upgrade or manual upgrade. Currently, some private cloud providers differ in how they handle Arc resource bridge upgrades.

+For **Arc-enabled VMware vSphere**, manual upgrade and cloud-managed upgrade are available. Appliances on version 1.0.15 and higher are automatically opted-in to cloud-managed upgrade. Cloud-managed upgrade helps ensure the appliance VM is kept within n-3 supported versions but not the latest version. If you would like to be on the latest version, you need to manual upgrade. In order for either upgrade option to work, [the upgrade prerequisites](#prerequisites) must be met. Microsoft may attempt to perform a cloud-managed upgrade of your Arc resource bridge at any time if your appliance will soon be out of support. While Microsoft offers cloud-managed upgrade, youΓÇÖre still responsible for ensuring that your Arc resource bridge is within the supported n-3 versions. Disruptions could cause cloud-managed upgrade to fail and you may need to manual upgrade the Arc resource bridge. If your Arc resource bridge is close to being out of support, we recommend a manual upgrade to make sure you maintain a supported version, rather than waiting for cloud-managed upgrade.

+For **Azure Arc VM management (preview) on Azure Stack HCI**, appliance version 1.0.15 or higher is only available on Azure Stack HCI build 23H2. In HCI 23H2, the LCM tool manages upgrades across all HCI, Arc resource bridge, and extension components as a "validated recipe" package. Any preview version of Arc resource bridge must be removed before updating from 22H2 to 23H2. Attempting to upgrade Arc resource bridge independent of other HCI environment components may cause problems in your environment that could result in a disaster recovery scenario. For more information, visit the [Arc VM management FAQ page](/azure-stack/hci/manage/azure-arc-vms-faq).

+For **Arc-enabled System Center Virtual Machine Manager (SCVMM)**, the manual upgrade feature is available for appliance version 1.0.15 and higher. Appliances running a version lower than 1.0.15 need to perform the recovery option to get to version 1.0.15 or higher. Review the steps for [performing the recovery operation](/azure/azure-arc/system-center-virtual-machine-manager/disaster-recovery). This deploys a new resource bridge and reconnects pre-existing Azure resources.

+Before upgrading an Arc resource bridge, the following prerequisites must be met:

+- The appliance VM must be on a General Availability version (1.0.15 or higher). If not, the Arc resource bridge VM needs to be redeployed. If you're using Arc-enabled VMware/AVS, you can [perform disaster recovery](../vmware-vsphere/recover-from-resource-bridge-deletion.md). If you're using Arc-enabled SCVMM, follow this [disaster recovery guide](../system-center-virtual-machine-manager/disaster-recovery.md).

+- The [credentials in the appliance VM](maintenance.md#update-credentials-in-the-appliance-vm) must be up-to-date. To test that the credentials within the Arc resource bridge VM are valid, perform an operation on an Arc-enabled VM from Azure. You can also [update the credentials](/azure/azure-arc/resource-bridge/maintenance) to be certain.

+- For Arc-enabled VMware, upgrading the resource bridge requires 200 GB of free space on the datastore. A new template is also created.

+- When performing a manual upgrade, run the upgrade command from the management machine used to initially deploy the Arc resource bridge, which should still contain the [appliance configuration files](system-requirements.md#configuration-files). You can also run the upgrade command from a different machine that meets the [management machine requirements](system-requirements.md#management-machine-requirements) and also contains the appliance configuration files.

+Deploying a new resource bridge is a process consisting of several steps: downloading the appliance image (~3.5 GB) from the cloud, using the image to deploy a new appliance VM, verifying the new resource bridge is running, connecting it to Azure, deleting the old appliance VM, and reserving the old IP to be used for a future upgrade.

+Arc resource bridges on a supported [private cloud provider](#private-cloud-providers) with an appliance version 1.0.15 or higher are automatically opted into cloud-managed upgrade. With cloud-managed upgrade, Microsoft may attempt to upgrade your Arc resource bridge at any time if it is on an appliance version that will soon be out of support. The upgrade prerequisites must be met for cloud-managed upgrade to work. While Microsoft offers cloud-managed upgrade, youΓÇÖre still responsible for checking that your resource bridge is healthy, online, in a "Running" status, and within the supported n-3 versions. Disruptions could cause cloud-managed upgrades to fail. If your Arc resource bridge is close to being out of support, we recommend a manual upgrade to make sure you maintain a supported version, rather than waiting for cloud-managed upgrade.

+To check your resource bridge status and the appliance version, run the `az arcappliance show` command from your management machine or check the Azure resource of your Arc resource bridge. If your appliance VM isn't in a healthy, Running state, cloud-managed upgrade might fail.

+Arc resource bridge can be manually upgraded from the management machine. You must meet all upgrade prerequisites before attempting to upgrade. The management machine must have the kubeconfig and [appliance configuration files](system-requirements.md#configuration-files) stored locally, or you won't be able to run the upgrade.

+Before upgrading, you need the latest Azure CLI extension for `arcappliance`:

+To upgrade a resource bridge on Azure Stack HCI, transition to 23H2 and use the built-in upgrade management tool. For more information, see [About updates for Azure Stack HCI, version 23H2](/azure-stack/hci/update/about-updates-23h2).

+The Arc resource bridge version is tied to the versions of underlying components used in the appliance image, such as the Kubernetes version. When there's a change in the appliance image, the Arc resource bridge version gets incremented. This generally happens when a new `az arcappliance` CLI extension version is released. A new extension is typically released on a monthly cadence at the end of the month or early in the month. For detailed release info, see the [Arc resource bridge release notes](release-notes.md).

+Generally, the latest released version and the previous three versions (n-3) of Arc resource bridge are supported. An Arc resource bridge on an unsupported version must be upgraded or redeployed to be in a production support window.

+Arc resource bridge typically releases a new version on a monthly cadence, at the end of the month, although it's possible that delays could push the release date further out. Regardless of when a new release comes out, if you're within n-3 supported versions, then your Arc resource bridge version is supported. To stay updated on releases, visit the [Arc resource bridge release notes](release-notes.md).

+If a resource bridge isn't upgraded to one of the supported versions (n-3), it falls outside the support window and will be unsupported. It might not always be possible to upgrade an unsupported resource bridge to a newer version, as component services used by Arc resource bridge may no longer be compatible. In addition, the unsupported resource bridge might not be able to provide reliable monitoring and health metrics.

+If an Arc resource bridge can't be upgraded to a supported version, you must delete it and deploy a new resource bridge. Depending on which private cloud product you're using, there might be other steps required to reconnect the resource bridge to existing resources. For details, check the partner product's Arc resource bridge recovery documentation.

+using System;

+using Azure;

+using Azure.Maps.Search;

+using Azure.Maps.Search.Models;

+for (int i = 0; i < searchResult.Value.Features.Count; i++)

+{

+ Console.WriteLine("Coordinate:" + string.Join(",", searchResult.Value.Features[i].Geometry.Coordinates));

+}

+```

+## Batch geocode addresses

+This sample demonstrates how to perform batch search address.

+```csharp

+using System;

+using Azure;

+using Azure.Maps.Search;

+using System.Collections.Generic;

+using Azure.Maps.Search.Models;

+using Azure.Maps.Search.Models.Queries;

+// Use Azure Maps subscription key authentication

+var subscriptionKey = Environment.GetEnvironmentVariable("SUBSCRIPTION_KEY") ?? string.Empty;

+var credential = new AzureKeyCredential(subscriptionKey);

+var client = new MapsSearchClient(credential);

+List<GeocodingQuery> queries = new List<GeocodingQuery>

+{

+ new GeocodingQuery()

+ {

+ Query ="15171 NE 24th St, Redmond, WA 98052, United States"

+ },

+ new GeocodingQuery()

+ {

+ AddressLine = "400 Broad St"

+ },

+};

+Response<GeocodingBatchResponse> results = client.GetGeocodingBatch(queries);

+//Print coordinates

+for (var i = 0; i < results.Value.BatchItems.Count; i++)

+{

+ for (var j = 0; j < results.Value.BatchItems[i].Features.Count; j++)

+ {

+ Console.WriteLine("Coordinates: " + string.Join(",", results.Value.BatchItems[i].Features[j].Geometry.Coordinates));

+ }

+}

+```

+## Reverse geocode a coordinates

+You can translate coordinates into human-readable street addresses. This process is also called reverse geocoding.

+```csharp

+using System;

+using Azure;

+using Azure.Maps.Search;

+using Azure.Core.GeoJson;

+using Azure.Maps.Search.Models;

+// Use Azure Maps subscription key authentication

+var subscriptionKey = Environment.GetEnvironmentVariable("SUBSCRIPTION_KEY") ?? string.Empty;

+var credential = new AzureKeyCredential(subscriptionKey);

+var client = new MapsSearchClient(credential);

+GeoPosition coordinates = new GeoPosition(-122.138685, 47.6305637);

+Response<GeocodingResponse> result = client.GetReverseGeocoding(coordinates);

+//Print addresses

+for (int i = 0; i < result.Value.Features.Count; i++)

+{

+ Console.WriteLine(result.Value.Features[i].Properties.Address.FormattedAddress);

+}

+using System;

+using Azure;

+using Azure.Maps.Search;

+using System.Collections.Generic;

+using Azure.Maps.Search.Models.Queries;

+ Coordinates = new GeoPosition(-122.349309, 47.620498)

+ Coordinates = new GeoPosition(-122.138679, 47.630356),

+ ResultTypes = new List<ReverseGeocodingResultTypeEnum>(){ ReverseGeocodingResultTypeEnum.Address, ReverseGeocodingResultTypeEnum.Neighborhood }

+Response<GeocodingBatchResponse> result = client.GetReverseGeocodingBatch(items);

+//Print addresses

+for (var i = 0; i < result.Value.BatchItems.Count; i++)

+{

+ Console.WriteLine(result.Value.BatchItems[i].Features[0].Properties.Address.AddressLine);

+ Console.WriteLine(result.Value.BatchItems[i].Features[0].Properties.Address.Neighborhood);

+}

+## Get polygons for a given location

+This sample demonstrates how to search polygons.

+```csharp

+using System;

+using Azure;

+using Azure.Maps.Search;

+using Azure.Core.GeoJson;

+using Azure.Maps.Search.Models;

+using Azure.Maps.Search.Models.Options;

+// Use Azure Maps subscription key authentication

+var subscriptionKey = Environment.GetEnvironmentVariable("SUBSCRIPTION_KEY") ?? string.Empty;

+var credential = new AzureKeyCredential(subscriptionKey);

+var client = new MapsSearchClient(credential);

+GetPolygonOptions options = new GetPolygonOptions()

+{

+ Coordinates = new GeoPosition(-122.204141, 47.61256),

+ ResultType = BoundaryResultTypeEnum.Locality,

+ Resolution = ResolutionEnum.Small,

+};

+Response<Boundary> result = client.GetPolygon(options);

+var count = ((GeoJsonPolygon)((GeoJsonGeometryCollection)result.Value.Geometry).Geometries[0]).Coordinates.Count;

+for (var i = 0; i < count; i++)

+{

+ var coorCount = ((GeoJsonPolygon)((GeoJsonGeometryCollection)result.Value.Geometry).Geometries[0]).Coordinates[i].Count;

+ for (var j = 0; j < coorCount; j++)

+ {

+ Console.WriteLine(string.Join(",",((GeoJsonPolygon)((GeoJsonGeometryCollection)result.Value.Geometry).Geometries[0]).Coordinates[i][j]));

+ }

+}

+```

+## Using V1 SDKs for Search and Render

+For more information on using Search v1, see [Azure Maps Search client library for .NET](https://www.nuget.org/packages/Azure.Maps.Search/1.0.0-beta.5). For more information on using Render v1, see [Azure Maps Render client library for .NET](https://www.nuget.org/packages/Azure.Maps.Rendering/1.0.0-beta.3).

+> [!Warning]

+> You shouldnΓÇÖt use an existing custom log table used by MMA agents. Your MMA agents won't be able to write to the table once the first AMA agent writes to the table. You should create a new table for AMA to use to prevent MMA data loss.

+ },

+ {

+ "name": "Computer",

+ "type": "string"

+| `Computer` | string | If you add this column to the incoming stream in the DCR, it will be populated with the name of the computer with the log file. This column is not created automatically and can't be added using the portal. You must manually modify the DCR created by the portal or create the DCR using another method where you can explicitly define the incoming stream. |

+| `Computer` | string | If you add this column to the incoming stream in the DCR, it will be populated with the name of the computer with the log file. This column is not created automatically and can't be added using the portal. You must manually modify the DCR created by the portal or create the DCR using another method where you can explicitly define the incoming stream. |

+For example, you can use the following PowerShell script to create a custom table with `RawData`, `FilePath`, and `Computer`. You wouldn't need a transformation for this table because the schema matches the default schema of the incoming stream.

+ },

+ {

+ "name": "Computer",

+ "type": "String"

+ },

+ {

+ "name": "Computer",

+ "type": "string"

+ :::image type="content" source="media/manage-access/table-level-access-control.png" alt-text="Screenshot that shows the Log Analytics workspace table management screen with the table-level access control button highlighted." lightbox="media/manage-access/table-level-access-control.png":::

+| [Configure data collection](monitor-virtual-machine-data-collection.md) | Create data collection rules to instruct the Azure Monitor agent to collect telemetry from the guest operating system. |

+| [Analyze collected data](monitor-virtual-machine-analyze.md) | Analyze monitoring data collected by Azure Monitor from virtual machines and their guest operating systems and applications to identify trends and critical information. |

+[Deploy the Azure Monitor agent to your virtual machines](monitor-virtual-machine-agent.md)

+Containers|[Custom metrics collected by Container insights](/previous-versions/azure/azure-monitor/containers/container-insights-custom-metrics)|New article.|

+|[Azure Monitor Agent overview](./agents/agents-overview.md)|Added Azure Monitor Agent support for Arm64-based virtual machines for a number of distributions. <br><br>Azure Monitor Agent and legacy agents don't support machines and appliances that run heavily customized or stripped-down versions of operating system distributions. <br><br>Azure Monitor Agent versions 1.15.2 and higher now support Syslog RFC formats, including Cisco Meraki, Cisco ASA, Cisco FTD, Sophos XG, Juniper Networks, Corelight Zeek, CipherTrust, NXLog, McAfee, and Common Event Format (CEF).|

+ * The cool access setting on the destination volume is updated automatically to match the source volume whenever the setting is changed on the source volume or during authorizing or performing a reverse resync of the replication only if the destination volume is in a cool access-enabled capacity pool. Changes to the cool access setting on the destination volume don't affect the setting on the source volume.

+@<decorator>(<argument>)

+@<decorator>(<argument>)

+The decorators include:

+| batchSize |[module](./modules.md#batchsize), [resource](./resource-declaration.md#batchsize) | N/A | integer | Set up instances to deploy sequentially. |

+| description | [func](./user-defined-functions.md#description), [param](./parameters.md#description), [module](./modules.md#description), [output](./outputs.md#description), [resource](./resource-declaration.md#description), [type](./user-defined-data-types.md#description), [var](./variables.md#description) | all | string | Provide descriptions for the elements. Markdown-formatted text can be used for the description text. |

+| export | [func](./user-defined-functions.md#export), [type](./user-defined-data-types.md#export), [var](./variables.md#export) | all | none| Indicates that the element can be imported by another Bicep file. |

+| maxLength | [param](./parameters.md#length-constraints), [output](./outputs.md#length-constraints), [type](./user-defined-data-types.md#length-constraints) | array, string | int | The maximum length for string and array elements. The value is inclusive. |

+| maxValue | [param](./parameters.md#integer-constraints), [output](./outputs.md#integer-constraints), [type](./user-defined-data-types.md#integer-constraints) | int | int | The maximum value for the integer elements. This value is inclusive. |

+| metadata | [func](./user-defined-functions.md#metadata), [output](./outputs.md#metadata), [param](./parameters.md#metadata), [type](./user-defined-data-types.md#metadata) | all | object | Custom properties to apply to the elements. Can include a description property that is equivalent to the description decorator. |

+| minLength | [param](./parameters.md#length-constraints), [output](./outputs.md#length-constraints), [type](./user-defined-data-types.md#length-constraints) | array, string | int | The minimum length for string and array elements. The value is inclusive. |

+| minValue | [param](./parameters.md#integer-constraints), [output](./outputs.md#integer-constraints), [type](./user-defined-data-types.md#integer-constraints) | int | int | The minimum value for the integer elements. This value is inclusive. |

+| secure | [param](./parameters.md#secure-parameters), [type](./user-defined-data-types.md#secure-types) | string, object | none | Marks the parameter as secure. The value for a secure parameter isn't saved to the deployment history and isn't logged. For more information, see [Secure strings and objects](data-types.md#secure-strings-and-objects). |

+| Decorator | Apply to | Argument | Description |

+| [description](#description) | all |string | Provide descriptions for the user-defined data type. |

+| [discriminator](#discriminator) | object | string | Use this decorator to ensure the correct subclass is identified and managed. |

+| [export](#export) | all | none | Indicates that the user-defined data type is available for import by another Bicep file. |

+| [maxLength](#length-constraints) | array, string | int | The maximum length for string and array data types. The value is inclusive. |

+| [maxValue](#integer-constraints) | int | int | The maximum value for the integer data types. This value is inclusive. |

+| [metadata](#metadata) | all | object | Custom properties to apply to the data types. Can include a description property that is equivalent to the description decorator. |

+| [minLength](#length-constraints) | array, string | int | The minimum length for string and array data types. The value is inclusive. |

+| [minValue](#integer-constraints) | int | int | The minimum value for the integer data types. This value is inclusive. |

+| [sealed](#sealed) | object | none | Elevate [BCP089](./diagnostics/bcp089.md) from a warning to an error when a property name of a use-define data type is likely a typo. For more information, see [Elevate error level](#elevate-error-level).|

+| [secure](#secure-types) | string, object | none | Marks the types as secure. The value for a secure type isn't saved to the deployment history and isn't logged. For more information, see [Secure strings and objects](data-types.md#secure-strings-and-objects). |

+### Integer constraints

+You can set minimum and maximum values for integer type. You can set one or both constraints.

+```bicep

+@minValue(1)

+@maxValue(12)

+type month int

+```

+### Length constraints

+You can specify minimum and maximum lengths for string and array types. You can set one or both constraints. For strings, the length indicates the number of characters. For arrays, the length indicates the number of items in the array.

+The following example declares two type. One type is for a storage account name that must have 3-24 characters. The other type is an array that must have from 1-5 items.

+```bicep

+@minLength(3)

+@maxLength(24)

+type storageAccountName string

+@minLength(1)

+@maxLength(5)

+type appNames array

+```

+### Metadata

+If you have custom properties that you want to apply to a user-defined data type, add a metadata decorator. Within the metadata, define an object with the custom names and values. The object you define for the metadata can contain properties of any name and type.

+You might use this decorator to track information about the data type that doesn't make sense to add to the [description](#description).

+```bicep

+@description('Configuration values that are applied when the application starts.')

+@metadata({

+ source: 'database'

+ contact: 'Web team'

+})

+type settings object

+```

+When you provide a `@metadata()` decorator with a property that conflicts with another decorator, that decorator always takes precedence over anything in the `@metadata()` decorator. So, the conflicting property within the `@metadata()` value is redundant and will be replaced. For more information, see [No conflicting metadata](./linter-rule-no-conflicting-metadata.md).

+### Secure types

+You can mark string or object user-defined data type as secure. The value of a secure type isn't saved to the deployment history and isn't logged.

+```bicep

+@secure()

+type demoPassword string

+@secure()

+type demoSecretObject object

+```

+| [metadata](#metadata) | object | Custom properties to apply to the function. Can include a description property that is equivalent to the description decorator. |

+### Metadata

+If you have custom properties that you want to apply to a user-defined function, add a metadata decorator. Within the metadata, define an object with the custom names and values. The object you define for the metadata can contain properties of any name and type.

+You might use this decorator to track information about the function that doesn't make sense to add to the [description](#description).

+```bicep

+@description('Configuration values that are applied when the application starts.')

+@metadata({

+ source: 'database'

+ contact: 'Web team'

+})

+type settings object

+```

+When you provide a `@metadata()` decorator with a property that conflicts with another decorator, that decorator always takes precedence over anything in the `@metadata()` decorator. So, the conflicting property within the `@metadata()` value is redundant and will be replaced. For more information, see [No conflicting metadata](./linter-rule-no-conflicting-metadata.md).

+ Title: Authorize an application request by using Microsoft Entra ID

+description: Learn how to authorize an application request to Web PubSub resources by using Microsoft Entra ID.

+# Authorize an application request by using Microsoft Entra ID

+Azure Web PubSub supports Microsoft Entra ID for authorizing requests from [applications](../active-directory/develop/app-objects-and-service-principals.md).

+This article shows you how to configure your Web PubSub resource and code to authorize a request to a Web PubSub resource from an Azure application.

+1. In the [Azure portal](https://portal.azure.com/), search for and then select **Microsoft Entra ID**.

+1. On the left menu under **Manage**, select **App registrations**.

+1. Select **New registration**.

+1. For **Name**, enter a name to use for your application.

+1. Select **Register** to confirm the application registration.

+When your application is registered, go to the application overview to view the values for **Application (client) ID** and **Directory (tenant) ID**. You use these values in the following sections.

+For more information about registering an application, see the quickstart [Register an application by using the Microsoft identity platform](../active-directory/develop/quickstart-register-app.md).

+For more information about adding credentials, see [Add credentials](../active-directory/develop/quickstart-register-app.md#add-credentials).

+### Add a client secret

+The application requires a client secret for a client to prove its identity when it requests a token.

+To create a client secret:

+1. On the left menu under **Manage**, select **Certificates & secrets**.

+1. On the **Client secrets** tab, select **New client secret**.

+ :::image type="content" source="media/howto-authorize-from-application/new-client-secret.png" alt-text="Screenshot that shows creating a client secret.":::

+1. Enter a description for the client secret, and then choose an **Expires** time for the secret.

+1. Copy the value of the client secret, and then paste it to a secure location to save for later use.

+ > [!NOTE]

+ > The secret is visible only when you create the secret. You can't view the client secret in the portal later.

+### Add a certificate

+You can upload a certificate instead of creating a client secret.

+## Add a role assignment in the Azure portal

+This section demonstrates how to assign a Web PubSub Service Owner role to a service principal (application) for a Web PubSub resource.

+> You can assign a role to any scope, including management group, subscription, resource group, and single resource. For more information about scope, see [Understand scope for Azure role-based access control](../role-based-access-control/scope-overview.md).

+1. In the [Azure portal](https://portal.azure.com/), go to your Web PubSub resource.

+1. On the left menu, select **Access control (IAM)** to display access control settings for the resource.

+1. Select the **Role assignments** tab and view the role assignments at this scope.

+ The following figure shows an example of the **Access control (IAM)** pane for a Web PubSub resource:

+ :::image type="content" source="media/howto-authorize-from-application/access-control.png" alt-text="Screenshot that shows an example of the Access control (IAM) pane.":::

+1. Select **Add** > **Add role assignment**.

+1. Select the **Roles** tab, and then select **Web PubSub Service Owner**.

+1. Select **Next**.

+ :::image type="content" source="media/howto-authorize-from-application/add-role-assignment.png" alt-text="Screenshot that shows adding a role assignment.":::

+1. Select the **Members** tab. Under **Assign access to**, select **User, group, or service principal**.

+1. Choose **Select members**.

+1. Search for and select the application to assign the role to.

+1. Choose **Select** to confirm the selection.

+1. Select **Next**.

+ :::image type="content" source="media/howto-authorize-from-application/assign-role-to-service-principals.png" alt-text="Screenshot that shows assigning a role to service principals.":::

+1. Select **Review + assign** to confirm the change.

+> Azure role assignments might take up to 30 minutes to propagate.

+To learn more about how to assign and manage Azure role assignments, see these articles:

+- [Assign Azure roles by using the Azure portal](../role-based-access-control/role-assignments-portal.yml)

+- [Assign Azure roles by using REST API](../role-based-access-control/role-assignments-rest.md)

+- [Assign Azure roles by using Azure PowerShell](../role-based-access-control/role-assignments-powershell.md)

+- [Assign Azure roles by using the Azure CLI](../role-based-access-control/role-assignments-cli.md)

+- [Assign Azure roles by using an Azure Resource Manager template](../role-based-access-control/role-assignments-template.md)

+1. Open Postman.

+1. For **Method**, select **GET**.

+1. For **URI**, enter `https://login.microsoftonline.com/<TENANT ID>/oauth2/token`. Replace `<TENANT ID>` with the value for **Directory (tenant) ID** on the **Overview** pane of the application you created.

+1. Select the **Headers** tab, and then add the following keys and values:

+ 1. For **Key**, select **Content-Type**.

+ 1. For **Value**, enter `application/x-www-form-urlencoded`.

+ :::image type="content" source="media/howto-authorize-from-application/get-azure-ad-token-using-postman.png" alt-text="Screenshot that shows information on the Basic tab when you use Postman to get the token.":::

+1. Select the **Body** tab.

+1. Select the body type **x-www-form-urlencoded**.

+1. Under **Key**, add the following keys and values:

+ 1. Select **grant_type**, and then select the value **client_credentials**.

+ 1. Select **client_id**, and then paste the value of **Application (client) ID** from the **Overview** pane of the application you created.

+ 1. Select **client_secret**, and then paste the value of the client secret you saved.

+ 1. Select **resource**, and then enter `https://webpubsub.azure.com` for the value.

+ :::image type="content" source="media/howto-authorize-from-application/get-azure-ad-token-using-postman-body.png" alt-text="Screenshot that shows the Body tab parameters when you use Postman to get the token.":::

+ For an OAuth2/v2.0/token endpoint, pass the value for `scope` instead of the value for `resource`:

+ ```json

+ client_id: *your client ID*

+1. Select **Send** to send the request to get the token. The value for `access_token` is the access token.

+ :::image type="content" source="media/howto-authorize-from-application/get-azure-ad-token-using-postman-response.png" alt-text="Screenshot that shows the response token when you use Postman to get the token.":::

+## Code samples that use Microsoft Entra authorization

+Get samples that use Microsoft Entra authorization in our four officially supported programming languages:

+## Related content

+- [Use Microsoft Entra ID to authorize a request from a managed identity to Web PubSub resources](howto-authorize-from-managed-identity.md)

+ Title: Authorize a managed identity request

+description: Learn how to authorize a managed identity request to your Web PubSub resources by using Microsoft Entra ID.

+# Authorize a managed identity request by using Microsoft Entra ID

+This article shows you how to configure your Web PubSub resource and code to authorize the request to a Web PubSub resource from a managed identity.

+In this section, you set up a system-assigned managed identity on a virtual machine by using the Azure portal.

+1. In the [Azure portal](https://portal.azure.com/), search for and then select a virtual machine (VM).

+1. Under **Settings**, select **Identity**.

+1. On the **System assigned** tab, set **Status** to **On**.

+ :::image type="content" source="media/howto-authorize-from-managed-identity/identity-virtual-machine.png" alt-text="Screenshot that shows creating a system identity for a virtual machine.":::

+1. Select **Save** to confirm the change.

+### Create a user-assigned managed identity

+Learn how to [create a user-assigned managed identity](../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md#create-a-user-assigned-managed-identity).

+### Configure managed identities on other platforms

+- [Configure managed identities for Azure resources on a VM by using the Azure portal](../active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm.md)

+- [Configure managed identities for Azure resources on an Azure VM by using Azure PowerShell](../active-directory/managed-identities-azure-resources/qs-configure-powershell-windows-vm.md)

+- [Configure managed identities for Azure resources on an Azure VM by using the Azure CLI](../active-directory/managed-identities-azure-resources/qs-configure-cli-windows-vm.md)

+- [Configure managed identities for Azure resources on an Azure VM by using a template](../active-directory/managed-identities-azure-resources/qs-configure-template-windows-vm.md)

+- [Configure managed identities for Azure resources on a VM by using the Azure SDK](../active-directory/managed-identities-azure-resources/qs-configure-sdk-windows-vm.md)

+### Configure managed identities for Azure App Service and Azure Functions

+Learn how to [use managed identities for App Service and Functions](../app-service/overview-managed-identity.md).

+## Add a role assignment in the Azure portal

+This section demonstrates how to assign the Web PubSub Service Owner role to a system-assigned identity for a Web PubSub resource.

+> [!NOTE]

+> You can assign a role to any scope, including management group, subscription, resource group, and single resource. For more information about scope, see [Understand scope for Azure RBAC](../role-based-access-control/scope-overview.md).

+1. In the [Azure portal](https://portal.azure.com/), go to your Web PubSub resource.

+1. On the left menu, select **Access control (IAM)** to display access control settings for your Web PubSub instance.

+1. Select the **Role assignments** tab and view the role assignments at this scope.

+ The following screenshot shows an example of the Access control (IAM) pane for a Web PubSub resource:

+ :::image type="content" source="media/howto-authorize-from-managed-identity/access-control.png" alt-text="Screenshot that shows an example of the Access control (IAM) pane.":::

+1. Select **Add** > **Add role assignment**.

+1. Select the **Roles** tab, and then select **Web PubSub Service Owner**.

+1. Select **Next**.

+ :::image type="content" source="media/howto-authorize-from-managed-identity/add-role-assignment.png" alt-text="Screenshot that shows adding a role assignment.":::

+1. Select the **Members** tab. Under **Assign access to**, select **Managed identity**.

+1. Choose **Select Members**.

+1. On the **Select managed identities** pane, select **System-assigned managed identity** > **Virtual machine**.

+1. Search for and then select the virtual machine that you want to assign the role to.

+1. Choose **Select** to confirm the selection.

+1. Select **Next**.

+ :::image type="content" source="media/howto-authorize-from-managed-identity/assign-role-to-managed-identities.png" alt-text="Screenshot that shows assigning a role to managed identities.":::

+1. Select **Review + assign** to confirm the change.

+> Azure role assignments might take up to 30 minutes to propagate.

+To learn more about how to assign and manage Azure role assignments, see these articles:

+- [Assign Azure roles by using the Azure portal](../role-based-access-control/role-assignments-portal.yml)

+- [Assign Azure roles by using REST API](../role-based-access-control/role-assignments-rest.md)

+- [Assign Azure roles by using Azure PowerShell](../role-based-access-control/role-assignments-powershell.md)

+- [Assign Azure roles by using the Azure CLI](../role-based-access-control/role-assignments-cli.md)

+- [Assign Azure roles by using an Azure Resource Manager template](../role-based-access-control/role-assignments-template.md)

+## Sample codes that use Microsoft Entra authorization

+Get samples that use Microsoft Entra authorization in our four officially supported programming languages:

+## Related content

+ Title: Turn on client certificate authentication (preview)

+description: Learn how to turn on client certificate authentication for Azure Web PubSub (preview).

+# Turn on client certificate authentication (preview)

+You can restrict access to your instance of Azure Web PubSub by turning on different types of authentication for the resource. One authentication method is to request a client certificate and validate the certificate in event handlers. This mechanism is called *client certificate authentication* or *Transport Layer Security (TLS) mutual authentication*. This article shows you how to set up your Web PubSub instance to use client certificate authentication.

+> [!NOTE]

+> Enabling client certificate authentication in a browser scenario generally is not recommended. Different browsers have different behaviors when they process a client certificate request, and you have little control in a JavaScript application. If you want to enable client certificate authentication, we recommend that you use it in scenarios in which you have strong control over TLS settings. An example is in a native application.

+* An Azure Web PubSub instance at a minimum Standard tier.

+* A function created in Azure Functions to handle connect events.

+## Deploy Web PubSub

+In this example, you use a function called `func-client-cert` as an event handler to process `connect` events. Clients connect to a hub called `echo`. The next sections have Bicep and Azure Resource Manager templates that you can use to deploy an Azure Web PubSub service with client certificate authentication enabled and event handlers configured.

+The templates enable client certificate authentication via the property `tls.clientCertEnabled`.

+The templates configure an event handler for the `connect` event to validate the client thumbprint. Also note that `anonymousConnectPolicy` is set to `allow` so that clients no longer need to send access tokens.

+### Azure Resource Manager

+## Validate a client certificate in an event handler

+You can validate an incoming client certificate via its SHA-1 thumbprint in the `connect` event. The value is available in `clientCertificates`. For more information, see [CloudEvents HTTP extension for event handler](reference-cloud-events.md#connect).

+The following code sample has function code that you can use to implement validation logic.

+## Rotate the certificate

+If you want to rotate the certificate, you can update your event handler code to accept multiple thumbprints.

+## Handle a missing client certificate

+Azure Web PubSub doesn't abort a TLS handshake when a client doesn't provide a client certificate. It's up to the event handler to decide whether to accept or reject a connection without a client certificate.

+## Related content

+* [How to configure an event handler](howto-develop-eventhandler.md)

+* [Golang sample](https://github.com/Azure/azure-webpubsub/blob/main/samples/golang/clientWithCert/Readme.md)

+ Title: Add a custom domain

+description: Learn how to create and configure a custom domain for Azure Web PubSub.

+# Add a custom domain

+In addition to the default domain that is included in an instance of Azure Web PubSub, you can add a custom domain. A custom domain is a domain name that you own and manage. You can use a custom domain to access your Web PubSub resources. For example, you can use `contoso.example.com` instead of `contoso.webpubsub.azure.com` to access your resources.

+* An Azure Web PubSub resource at a minimum Premium tier.

+Before you can add a custom domain, add a matching custom certificate. A custom certificate is a resource of your instance of Web PubSub. It references a certificate in your key vault. For security and compliance, Web PubSub doesn't permanently store your certificate. Instead, it fetches the certificate from your key vault and keeps it in memory.

+## Access the key vault by using a managed identity

+Azure Web PubSub uses a managed identity to access your key vault. To authorize access, it must be granted permissions.

+### Create a managed identity

+1. In the Azure portal, go to your Web PubSub resource.

+1. On the left menu, select **Identity**.

+1. Select the type of identity to use: **System assigned** or **User assigned**. To use a user-assigned identity, you create one first.

+ To use a system-assigned identity:

+ 1. Select **On**.

+ 1. Select **Yes** to confirm.

+ 1. Select **Save**.

+ :::image type="content" alt-text="Screenshot that shows adding a system-assigned managed identity." source="media\howto-custom-domain\portal-identity.png" :::

+ To add a user-assigned identity:

+ 1. Select **Add user assigned managed identity**.

+ 1. Select an existing identity.

+ 1. Select **Add**.

+ :::image type="content" alt-text="Screenshot that shows adding a user-assigned managed identity." source="media\howto-custom-domain\portal-user-assigned-identity.png" :::

+### Give key vault access to the managed identity

+Depending on how you configure your Azure Key Vault permissions model, you might need to grant permissions at different locations in the Azure portal.

+#### [Key vault access policy](#tab/vault-access-policy)

+If you use a key vault built-in access policy as a key vault permissions model:

+1. In the Azure portal, go to your key vault.

+1. On the left menu, select **Access configuration**.

+1. On the **Create an access policy** pane, select the **Permissions** tab.

+1. For **Secret permissions**, select **Get**.

+1. For **Certificate permissions**, select **Get**.

+ :::image type="content" alt-text="Screenshot of permissions selection in a key vault." source="media\howto-custom-domain\portal-key-vault-permissions.png" :::

+1. Search for the Web PubSub resource name.

+ :::image type="content" alt-text="Screenshot of principal selection in a key vault." source="media\howto-custom-domain\portal-key-vault-principal.png" :::

+1. Select the **Application** tab, and then select **Next**.

+If you use Azure role-based access control (Azure RBAC) as a key vault permissions model:

+1. In the Azure portal, go to your key vault.

+1. On the left menu, select **Access control (IAM)**.

+1. Select **Add** > **Add role assignment**.

+ :::image type="content" alt-text="Screenshot that shows the key vault Access control pane." source="media\howto-custom-domain\portal-key-vault-iam.png" :::

+1. Select the **Role** tab, and then select **Key Vault Secrets User**. Select **Next**.

+ :::image type="content" alt-text="Screenshot that shows the Role tab when adding a role assignment to a key vault." source="media\howto-custom-domain\portal-key-vault-role.png" :::

+1. Select the **Members** tab, and then select **Managed identity**.

+1. Search for and then select the Web PubSub resource name or the name of the user-assigned identity.

+ :::image type="content" alt-text="Screenshot that shows the Members tab when adding a role assignment to a key vault." source="media\howto-custom-domain\portal-key-vault-members.png" :::

+### Create a custom certificate

+1. In the Azure portal, go to your Web PubSub resource.

+1. On the left menu, select **Custom domain**.

+1. On the **Custom certificate** pane, select **Add**.

+ :::image type="content" alt-text="Screenshot that shows managing a custom certificate." source="media\howto-custom-domain\portal-custom-certificate-management.png" :::

+1. Enter a name for the custom certificate.

+1. Choose **Select from your Key Vault** to choose a key vault certificate. After you select a key vault, values for **Key Vault Base URI** and **Key Vault Secret Name** are automatically added. You also have to option to edit these fields manually.

+1. (Optional) To pin the certificate to a specific version, enter a value for **Key Vault Secret Version**.

+ :::image type="content" alt-text="Screenshot that shows adding a custom certificate." source="media\howto-custom-domain\portal-custom-certificate-add.png" :::

+Web PubSub fetches the certificate and validates its contents. When certificate validation succeeds, **Provisioning State** for the certificate is **Succeeded**.

+To validate the ownership of your custom domain, create a CNAME record for the custom domain and point it to the default domain of your Web PubSub resource.

+For example, if your default domain is `contoso.webpubsub.azure.com` and your custom domain is `contoso.example.com`, create a CNAME record on `example.com` like in this example:

+`contoso.example.com. 0 IN CNAME contoso.webpubsub.azure.com`

+If you use Azure DNS Zone, to learn how to add a CNAME record, see [Manage DNS records](../dns/dns-operations-recordsets-portal.md).

+If you use other DNS providers, follow guidance in the provider's documentation to create a CNAME record.

+## Add a custom domain to Web PubSub

+A custom domain is another sub resource of your Web PubSub instance. It contains all configurations that are required for a custom domain.

+1. In the Azure portal, go to your Web PubSub resource.

+1. On the left menu, select **Custom domain**.

+1. On the **Custom domain** pane, select **Add**.

+ :::image type="content" alt-text="Screenshot that shows custom domain management." source="media\howto-custom-domain\portal-custom-domain-management.png" :::

+1. Enter a name for the custom domain. Use the sub resource name.

+1. Enter the domain name. Use the full domain name of your custom domain, for example, `contoso.com`.

+ :::image type="content" alt-text="Screenshot that shows adding a custom domain." source="media\howto-custom-domain\portal-custom-domain-add.png" :::

+## Verify your custom domain

+You can now access your Web PubSub endpoint by using the custom domain.

+To verify the domain, you can access the Health API. The following examples use cURL.

+```azurepowershell

+The Health API should return a `200` status code without any certificate errors.

+## Configure a private network key vault

+If you configure a [private endpoint](../private-link/private-endpoint-overview.md) to your key vault, Web PubSub can't access the key vault by using a public network. You must set up a [shared private endpoint](./howto-secure-shared-private-endpoints-key-vault.md) to give Web PubSub access to your key vault via a private network.

+After you create a shared private endpoint, you can create a custom certificate as usual. You *don't have to change the domain in the key vault URI*. For example, if your key vault base URI is `https://contoso.vault.azure.net`, continue to use this URI to configure a custom certificate.

+You don't have to explicitly allow Web PubSub IP addresses in your key vault firewall settings. For more information, see [Key vault private link diagnostics](/azure/key-vault/general/private-link-diagnostics).

+## Rotate the certificate

+If you don't specify a secret version when you create a custom certificate, Web PubSub periodically checks for the latest version in the key vault. When a new version is detected, it's automatically applied. The delay is typically less than an hour.

+Alternatively, you can pin a custom certificate to a specific secret version in your key vault. When you need to apply a new certificate, you can edit the secret version, and then update the custom certificate proactively.

+## Related content

+* [Turn on managed identity for Azure Web PubSub](howto-use-managed-identity.md)

+* [Get started with Azure Key Vault certificates](/azure/key-vault/certificates/certificate-scenarios)

+* [What is Azure DNS?](../dns/dns-overview.md)

+| KeyVault reference parameter | `{@Microsoft.KeyVault(SecretUri=<secretUri>)}` | The **SecretUri** should be the full data-plane URI of a secret in the vault, optionally including a version, e.g., `https://myvault.vault.azure.net/secrets/mysecret/` or `https://myvault.vault.azure.net/secrets/mysecret/ec96f02080254f109c51a1f14cdb1931`. When using KeyVault reference, you also need to configure the authentication between your Web PubSub service and your KeyVault service, check [here](howto-use-managed-identity.md#use-a-managed-identity-for-a-key-vault-reference) for detailed steps. | `@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/)` |

+ Title: Turn off local (access key) authentication

+description: Learn how to turn off local access key authentication and use only Microsoft Entra authorization for your Azure Web PubSub resource.

+# Turn off local (access key) authentication

+Azure Web PubSub resources can authenticate requests in two ways:

+- Microsoft Entra ID (recommended)

+- Access key

+Microsoft Entra ID provides superior security and ease of use over an access key. If you use Microsoft Entra ID, you don't need to store the tokens in your code and risk potential security vulnerabilities. We recommend that you use Microsoft Entra ID for your Web PubSub resources when possible.

+> Disabling local authentication might have the following results:

+> - The current set of access keys is permanently deleted.

+> - Tokens that are signed by using the current set of access keys become unavailable.

+> - A signature will *not* be attached in the upstream request header. Learn how to [validate an access token](./howto-use-managed-identity.md#validate-an-access-token).

+## Turn off local authentication

+You can turn off local authentication via access key by using:

+- The Azure portal

+- An Azure Resource Manager template

+- Azure Policy

+### Azure portal

+To turn off local authentication by using the Azure portal:

+1. In the [Azure portal](https://portal.azure.com), go to your Web PubSub resource.

+1. On the left menu under **Settings**, select **Keys**.

+1. For local authentication, select **Disabled**.

+1. Select **Save**.

+### Azure Resource Manager template

+You can turn off local authentication by setting the `disableLocalAuth` property to `true` as shown in the following Azure Resource Manager template:

+### Azure Policy

+You can assign the policy [Azure Web PubSub Service should have local authentication methods disabled](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb66ab71c-582d-4330-adfd-ac162e78691e) in Azure Policy to an Azure subscription or to a resource group. Assigning this policy turns off local authentication for all Web PubSub resources in the subscription or resource group.

+## Related content

+- [Microsoft Entra ID for Web PubSub](concept-azure-ad-authorization.md)

+- [Authenticate your Azure applications](./howto-authorize-from-application.md)

+- [Authenticate by using managed identities](./howto-authorize-from-managed-identity.md)

+ Title: Manage network access control to an endpoint

+description: Learn how to control network access to your Azure Web PubSub resource.

+# Manage network access control

+You can configure Azure Web PubSub to secure and control the level of access to your service endpoint based on the request type and subset of networks used. When network rules are configured, only applications that request data over the specified set of networks can access your Web PubSub resource.

+Azure Web PubSub has a public endpoint that is accessible through the internet. You can also create a [private endpoint for your Web PubSub resource](howto-secure-private-endpoints.md). A private endpoint assigns a private IP address from your virtual network to the Web PubSub resource. It also secures all traffic between your virtual network and the Web PubSub resource over a private link. The Web PubSub network access control provides access control for both a public endpoint and for private endpoints.

+Optionally, you can choose to allow or deny certain types of requests for a public endpoint and for each private endpoint.

+An application that accesses a Web PubSub resource when network access control rules are in effect still requires proper authorization for the request.

+The next sections describe your two options to control access to your Web PubSub resources:

+- Deny all requests that originate in a public endpoint.

+- Allow only client connections from a public network.

+## Deny all public traffic

+To completely deny all public traffic, first configure the public network rule to allow no request type. Then, configure rules that grant access to traffic from specific virtual networks. This configuration enables you to build a secure network boundary for your applications.

+## Allow only client connections from a public network

+In this scenario, you configure the public network rule to allow only client connections from a public network. You can then configure private network rules to allow other types of requests that originate from a specific virtual network. This configuration hides your app servers on a public network and establishes secure connections between your app servers and Azure Web PubSub.

+## Manage network access control in the Azure portal

+You can manage network access control for Azure Web PubSub by using the Azure portal.

+1. In the Azure portal, go to the Web PubSub service you want to secure.

+1. On the left menu under **Settings**, select **Network access control**.

+1. To edit the default action, select **Default action**.

+ > The default action is the action that you take when no access control list (ACL) rules match. For example, if the default action is **Deny**, request types that are not explicitly approved are denied.

+ :::image type="content" source="./media/howto-secure-network-access-control/portal-network-access-control.png" alt-text="Screenshot that shows the Network access control pane in the Azure portal.":::

+1. To edit a public network rule, under **Public network**, select the types of requests that you want to allow.

+ :::image type="content" source="./media/howto-secure-network-access-control/portal-public-network.png" alt-text="Screenshot that shows editing a public network access control list in the Azure portal.":::

+1. To edit private endpoint network rules, under **Private endpoint connections**, select the allowed types of requests in each row.

+ Title: Use a private endpoint for access control

+description: Learn how to use private endpoints for secure access to Azure Web PubSub from a virtual network.

+# Use private endpoints for access control

+You can use [private endpoints](../private-link/private-endpoint-overview.md) for your Azure Web PubSub resource to allow clients in a [virtual network](../virtual-network/virtual-networks-overview.md) (VNet) to securely access data over a [private link](../private-link/private-link-overview.md). The private endpoint uses an IP address from the VNet address space for your Web PubSub resource. Network traffic between the clients on the VNet and your Web PubSub resource traverses a private link on the Microsoft network, eliminating exposure on the public internet.

+Using private endpoints for your Web PubSub resource helps you:

+- Secure your Web PubSub resource by using network access control to block all connections on the public endpoint for Web PubSub.

+- Increase security for the VNet by enabling you to block exfiltration of data from the VNet.

+- Securely connect to Web PubSub from on-premises networks that connect to the VNet by using a [VPN](../vpn-gateway/vpn-gateway-about-vpngateways.md) or [Azure ExpressRoute](../expressroute/expressroute-locations.md) with private peering.

+## Use private endpoints in a virtual network

+A private endpoint is a special network interface for an Azure service in your VNet. When you create a private endpoint for your Web PubSub resource, it provides secure connectivity between clients on your VNet and your service. The private endpoint is assigned an IP address from the IP address range of your VNet. The connection between the private endpoint and Web PubSub uses a secure private link.

+Applications in the VNet can connect to Web PubSub resources seamlessly by using the private endpoint. The applications *use the same connection strings and authorization mechanisms that they would use otherwise.*

+Private endpoints can be used with all protocols that the Web PubSub resource supports, including REST API.

+When you create a private endpoint for a Web PubSub resource in your VNet, a consent request is sent for approval to the Web PubSub resource owner. If the user who requests the private endpoint is also an owner of the Web PubSub resource, this consent request is automatically approved.

+You can manage consent requests and private endpoints for your Web PubSub resource on the **Private endpoints** tab in the [Azure portal](https://portal.azure.com).

+> If you want to restrict access to your Web PubSub resource through the private endpoint only, [set up network access control](howto-secure-network-access-control.md) to deny or control access through the public endpoint.

+### Connect to a private endpoint

+Clients on a VNet that uses a private endpoint should use the same connection string for the Web PubSub resource that clients that connect via a public endpoint use. We rely on Domain Name System (DNS) resolution to automatically route the connections from the VNet to Web PubSub over a private link.

+> Use the same connection string to connect to Web PubSub by using private endpoints as you would use for a public endpoint. Don't connect to Web PubSub by using its `privatelink` subdomain URL.

+We create a [private DNS zone](../dns/private-dns-overview.md) attached to the VNet with the necessary updates for the private endpoints, by default. If you're using your own DNS server, you might need to make other changes to your DNS configuration. The next section describes the updates that are required for private endpoints.

+When you create a private endpoint, the DNS CNAME resource record for your Web PubSub resource is updated to an alias in a subdomain that has the prefix `privatelink`. By default, we also create a [private DNS zone](../dns/private-dns-overview.md) that corresponds to the `privatelink` subdomain, with the DNS A resource records for the private endpoints.

+When you resolve your Web PubSub resource domain name from outside the VNet with the private endpoint, it resolves to the public endpoint of the Web PubSub resource. When resolved from the VNet hosting the private endpoint, the domain name resolves to the private endpoint's IP address.

+For the preceding illustrated example, the DNS resource records for the Web PubSub resource `sample` when it's resolved from outside the VNet hosting the private endpoint:

+| `sample.webpubsub.azure.com` | CNAME | `sample.privatelink.webpubsub.azure.com` |

+| `sample.privatelink.webpubsub.azure.com` | A | \<Web PubSub public IP address\> |

+You can deny or control access for clients outside the VNet through the public endpoint by using network access control.

+The DNS resource records for the Web PubSub resource `sample` when it's resolved by a client in the VNet that hosts the private endpoint is similar to this example:

+| `sample.webpubsub.azure.com` | CNAME | `sample.privatelink.webpubsub.azure.com` |

+| `sample.privatelink.webpubsub.azure.com` | A | 10.1.1.5 |

+This approach gives access to Web PubSub *by using the same connection string* for clients on the VNet that hosts the private endpoint and to clients outside the VNet.

+If you use a custom DNS server on your network, clients must be able to resolve the fully qualified domain name (FQDN) for the Web PubSub resource endpoint to the private endpoint IP address. You should configure your DNS server to delegate your private link subdomain to the private DNS zone for the VNet or configure the A records for `sample.privatelink.webpubsub.azure.com` to use the private endpoint IP address.

+> If you use a custom or on-premises DNS server, you should configure your DNS server to resolve the Web PubSub resource name in the `privatelink` subdomain to the private endpoint IP address. You can do this by delegating the `privatelink` subdomain to the private DNS zone of the VNet or by configuring the DNS zone on your DNS server and then adding the DNS A records.

+We recommend that you use `privatelink.webpubsub.azure.com` for the DNS zone name for private endpoints in a Web PubSub resource.

+For more information about configuring your own DNS server to support private endpoints, see the following articles:

+The following sections describe how to create a private endpoint and a new instance of Web PubSub and how to create a private endpoint for an existing instance of Web PubSub.

+### Create a private endpoint in a new instance of Web PubSub

+1. In the Azure portal, create a new instance of Azure Web PubSub. On the **Networking** tab, for **Connectivity method**, select **Private endpoint**.

+ :::image type="content" source="./media/howto-secure-private-endpoints/portal-create-blade-networking-tab.png" alt-text="Screenshot that shows the Networking tab when you create a Web PubSub resource.":::

+1. Select **Add**. Select or enter the subscription, the resource group name, the Azure region, and a name for the new private endpoint. Choose a virtual network and subnet to use.

+### Create a private endpoint for an existing Web PubSub resource

+1. In the Azure portal, go to your Web PubSub resource.

+1. On the left menu under **Settings**, select **Private endpoint connections**.

+1. Select **Private endpoint**.

+1. Select or enter values for subscription, resource group, resource name, and region for the new private endpoint.

+1. Select the target Web PubSub resource.

+1. Select the target virtual network.

+## Known issues

+Keep in mind the following known issues about using private endpoints in Web PubSub.

+### Free tier constraints

+An Azure Web PubSub instance that's created by using the free tier can't integrate with a private endpoint.

+Clients in VNets that have existing private endpoints have constraints when they access other Web PubSub instances that have private endpoints. For example, a VNet N1 has a private endpoint for a Web PubSub instance W1. If the Web PubSub instance W2 has a private endpoint in a VNet N2, then clients in VNet N1 must also access Web PubSub instance W2 by using a private endpoint.

+If Web PubSub instance W2 doesn't have any private endpoints, then clients in VNet N1 can access the Web PubSub resource in that account without using a private endpoint. This constraint is a result of the DNS changes made when Web PubSub instance W2 creates a private endpoint.

+ Title: Rotate access keys

+description: Learn how and when to rotate Azure Web PubSub access keys by regenerating one key at a time.

+# Rotate access keys

+Each Azure Web PubSub instance has a pair of access keys that helps you authenticate clients when requests are made to the service. Both keys are associated with the instance endpoint URL.

+Each instance has a primary access key and a secondary access key. Rotate one access key at a time by regenerating a new key of that type, either primary or secondary. Update one access key while the other access key maintains existing authenticated connections.

+## When to rotate access keys

+For security and compliance requirements, we recommend that you routinely rotate your access keys.

+To regenerate an access key, complete the steps that are described in the following sections.

+### Enforced access key rotation

+In some scenarios, Azure Web PubSub might enforce a mandatory access key rotation. The service sends notifications via email and in the portal. If you receive this kind of notification or if you encounter service failure due to an access key issue, regenerate your access keys to rotate the keys.

+## Regenerate an access key

+1. In the [Azure portal](https://portal.azure.com/), sign in with your subscription credentials.

+1. Go to the Web PubSub instance that has keys you want to rotate.

+1. On the left menu, select **Keys**.

+1. Select **Regenerate Primary Key** or **Regenerate Secondary Key**. A new key and a corresponding connection string are created. You manage them in your Web PubSub instance.

+When the Azure Web PubSub service becomes generally available, you can also regenerate a key by using the Azure CLI.

+## Update configurations with the new connection string

+1. Copy the new connection string.

+1. Update all existing configurations to use the new connection string.

+1. Close the application, and then reopen it.

+ Title: Access a key vault in a private network via shared private endpoints

+description: Learn how to access a key vault in a private network through shared private endpoints.

+# Access a key vault in a private network through shared private endpoints

+Azure Web PubSub can access a key vault in a private network through shared private endpoint connections. This article shows you how to configure your Web PubSub resource to route outbound calls to a key vault through a shared private endpoint instead of through a public network.

+Private endpoints of secured resources created through Azure Web PubSub APIs are called *shared private link resources*. You "share" access to a resource, such as an instance of Azure Key Vault, that is integrated with [Azure Private Link](../private-link/private-link-overview.md). These private endpoints are created inside the Web PubSub execution environment and aren't directly visible to you.

+> * The resource ID of this Azure Web PubSub instance is `_/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/contoso/providers/Microsoft.SignalRService/webpubsub/contoso-webpubsub`.

+> * The resource ID of the Azure Key Vault instance is `/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/contoso/providers/Microsoft.KeyVault/vaults/contoso-kv`.

+> To use the steps in the following examples, replace these values with your own subscription ID, the name of your Web PubSub resource, and the name of your Azure Key Vault resource.

+* An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* The [Azure CLI](/cli/azure/install-azure-cli) 2.25.0 or later (if you use the Azure CLI).

+* An Azure Web PubSub instance in a minimum Standard pricing tier.

+### Create a shared private endpoint resource to the key vault

+1. In the Azure portal, go to your Azure Web PubSub resource.

+1. On the left menu, select **Networking**.

+1. For **Name**, enter a name to use for the shared private endpoint.

+1. To select your key vault resource, complete one of the following steps:

+ * Choose **Select from your resources** and select your resource from the lists.

+ * Select **Specify resource ID** and enter your key vault resource ID.

+1. For **Request message**, enter **Please approve**.

+The shared private endpoint resource provisioning state is **Succeeded**. The connection state is **Pending** and waiting for approval for the target resource.

+You can make the following API call with the [Azure CLI](/cli/azure/) to create a shared private link resource. Replace the value `uri` with the URI in your scenario.

+The contents of the *create-pe.json* file represent the request body to the API:

+The process of creating an outbound private endpoint is a long-running (asynchronous) operation. As in all asynchronous Azure operations, the PUT call returns an `Azure-AsyncOperation` header value that looks like the following example:

+You can poll this URI periodically to get the status of the operation. Wait for the status to change to "Succeeded" before you proceed to the next section.

+To poll for the status, manually query the `Azure-AsyncOperationHeader` value:

+### Approve the private endpoint connection for the key vault

+After the private endpoint connection is created, the connection request from Web PubSub must be approved in your Key Vault resource.

+1. In the Azure portal, go to your Key Vault resource.

+1. On the left menu, select **Networking**.

+1. Select the private endpoint that Web PubSub created.

+1. Select **Approve**, and then select **Yes** to confirm.

+ It might take a few minutes for the private endpoint connection status to change to **Approved**.

+1. List private endpoint connections:

+ Check for a pending private endpoint connection. Note the connection ID.

+ "id": "<ID>",

+1. Approve the private endpoint connection:

+ az network private-endpoint-connection approve --id <private-endpoint-connection-ID>

+### Query the status of the shared private link resource

+It takes a few minutes for the approval to be propagated to Azure Web PubSub Service. You can check the state using either Azure portal or Azure CLI. The shared private endpoint between Azure Web PubSub Service and Azure Key Vault is active when the container state is approved.

+1. In the Azure portal, go to your Azure Web PubSub resource.

+1. On the left menu, select **Networking**.

+This command returns JSON. The connection state is indicated in `status` under `properties`.

+When `properties.provisioningState` is `Succeeded` and `properties.status` (connection state) is `Approved`, the shared private link resource is functional, and Web PubSub can communicate over the private endpoint.

+Now you can configure features like a custom domain as you typically would. You don't have to use a special domain for your key vault. Web PubSub automatically handles Domain Name System (DNS) resolution.

+## Related content

+* [What is a private endpoint?](../private-link/private-endpoint-overview.md)

+ Title: Secure outbound traffic through shared private endpoints

+description: Learn how to secure Azure Web PubSub outbound traffic by using shared private endpoints.

+# Secure outbound traffic through shared private endpoints

+If you're using an [event handler](concept-service-internals.md#event-handler) in Azure Web PubSub, you might have outbound traffic to upstream endpoints to a static web app that you created by using the Web Apps feature of Azure App Service or to a function that you created by using Azure Functions. You can configure Web Apps and Functions to use endpoints that accept connections from a list of virtual networks and refuse outside connections that originate in a public network. You can create an outbound [private endpoint connection](../private-link/private-endpoint-overview.md) in your Web PubSub services to reach these endpoints.

+This article shows you how to configure your Web PubSub resource to send upstream calls to a function in Azure Functions through a shared private endpoint instead of through a public network.

+- The upstream endpoint must be deployed by using Azure App Service or Azure Functions.

+- The Web PubSub resource must be on the Standard tier or the Premium tier.

+- An Azure App Service or an Azure Functions resource must be created by choosing a specific tier to create the resource. For more information, see [Use private endpoints for Azure Web App](../app-service/networking/private-endpoint.md).

+Private endpoints of secured resources that are created by using Azure Web PubSub APIs are called *shared private link resources*. You're "sharing" access to a resource, such as an Azure Functions resource, that is integrated with [Azure Private Link](https://azure.microsoft.com/services/private-link/). These private endpoints are created inside the Web PubSub service execution environment and aren't directly visible to you.

+- An Azure Web PubSub instance.

+> - The resource ID of this Azure Web PubSub resource is `_/subscriptions//00000000-0000-0000-0000-000000000000/resourceGroups/contoso/providers/Microsoft.SignalRService/webPubSub/contoso-webpubsub`.

+> - The resource ID of the Azure Functions network resource is `_/subscriptions//00000000-0000-0000-0000-000000000000/resourceGroups/contoso/providers/Microsoft.Web/sites/contoso-func`.

+>

+> To use the steps in the following examples, replace these values with your own subscription ID, the name of your Web PubSub resource, and the name of your Azure Functions resource.

+## Create a shared private link resource to a function

+1. In the Azure portal, go to your Azure Web PubSub resource.

+1. On the left menu, select **Networking**.

+1. Select **Private access**.

+ :::image type="content" alt-text="Screenshot that shows managing shared private endpoints." source="media\howto-secure-shared-private-endpoints\portal-shared-private-endpoints-management.png" lightbox="media\howto-secure-shared-private-endpoints\portal-shared-private-endpoints-management.png" :::

+1. To set your target linked sources, either choose **Select from your resources** or enter your resource ID in **Specify resource ID**.

+ Optionally, you can enter text in **Request message** to send a request to the target resource owner.

+ :::image type="content" alt-text="Screenshot that shows adding a shared private endpoint." source="media\howto-secure-shared-private-endpoints\portal-shared-private-endpoints-add.png" :::

+The value for **Provisioning state** in the shared private endpoint resource is **Succeeded**. **Connection state** is **Pending** until the endpoint is approved at the target resource.

+Use the following API call with the [Azure CLI](/cli/azure/) to create a shared private link resource. Replace the values in the following example with the values from your scenario.

+The *create-pe.json* file contains the request body to the API. It's similar to the following example:

+The process of creating an outbound private endpoint is a long-running (asynchronous) operation. As in all asynchronous Azure operations, the PUT call returns an `Azure-AsyncOperation` header value that's similar to the following example:

+To poll this URI periodically to get the status of the operation, manually query the `Azure-AsyncOperationHeader` value. Here's an example:

+Wait until the status changes to "Succeeded" before you go to the next step.

+## Approve the private endpoint connection for the function

+When the shared private endpoint connection has a **Pending** status, the connection request must be approved at the target resource.

+> After the private endpoint connection is approved, the function is no longer accessible from a public network. You might need to create other private endpoints in your own virtual network to access the function endpoint.

+1. In the Azure portal, go to your Azure Functions app.

+1. On the left menu, select **Networking**.

+1. Under **Inbound Traffic**, select **Private endpoints**.

+1. Select **Approve**, and then select **Yes** to confirm.

+You can select **Refresh** to check the status. It might take a few minutes for the status **Connection state** to update to **Approved**.

+1. List private endpoint connections:

+ Check for a pending private endpoint connection. Note the connection ID.

+ "id": "<ID>",

+1. Approve the private endpoint connection:

+ az network private-endpoint-connection approve --id <private-endpoint-connection-ID>

+## Query the status of the shared private link resource

+It takes a few minutes for the approval to be reflected in Web PubSub. You can check the state by using either the Azure portal or the Azure CLI.

+This command returns JSON. The connection state is indicated in `status` under `properties`.

+When `properties.provisioningState` is `Succeeded` and `properties.status` (connection state) is `Approved`, the shared private link resource is functional, and Web PubSub can communicate over the private endpoint.

+At this point, the private endpoint between Azure Web PubSub and Azure Functions is established.

+## Verify that upstream calls are from a private IP address

+When the private endpoint is set up, you can verify that incoming calls are from a private IP address by checking the `X-Forwarded-For` header for upstream calls.

+## Related content

+- [What is a private endpoint?](../private-link/private-endpoint-overview.md)

+ Title: Use service tags for access control

+description: Learn how to use service tags to allow outbound traffic to your Azure Web PubSub resource.

+# Use service tags for access control

+You can use [service tags](../virtual-network/service-tags-overview.md) to identify Azure Web PubSub traffic. A service tag represents a group of IP address prefixes. Web PubSub manages a service tag called `AzureWebPubSub` for both inbound and outbound traffic.

+You can use a service tag to configure a network security group. Or, you can query the IP address prefixes by using the [Service Tag Discovery API](../virtual-network/service-tags-overview.md#service-tags-on-premises).

+Endpoints of Web PubSub resources are guaranteed to be within IP ranges of the service tag `AzureWebPubSub`.

+### Access Web PubSub resources from a virtual network

+You can allow outbound traffic from your network to Web PubSub by adding a new outbound network security rule.

+1. In the portal, go to the network security group.

+1. On the left menu, select **Outbound security rules**.

+1. Select **Add**.

+1. Select **Destination**, and then select **Service Tag**.

+1. Select **Destination service tag**, and then select **AzureWebPubSub**.

+1. For **Destination port ranges**, enter **443**.

+ :::image type="content" alt-text="Screenshot that shows how to create an outbound security rule." source="media/howto-service-tags/portal-add-outbound-security-rule.png" :::

+1. Update other fields as needed, and then select **Add**.

+Azure Web PubSub can generate network traffic to your resource by using service tags. The source of traffic is guaranteed to be within IP ranges that are defined by the `AzureWebPubSub` service tag.

+You can use service tags to control access to your Web PubSub resource if you:

+* Use [event listeners](howto-develop-event-listener.md).

+* Use a [Key Vault secret reference](howto-use-managed-identity.md#use-a-managed-identity-for-a-key-vault-reference) in URL template settings.

+* Use a [custom certificate](howto-custom-domain.md#add-a-custom-certificate).

+### Event handler endpoints in a virtual network

+You can configure a network security group to allow inbound traffic to a virtual network.

+1. In the Azure portal, go to the network security group.

+1. On the left menu, select **Inbound security rules**.

+1. Select **Add**.

+1. Select **Source**, and then select **Service Tag**.

+1. Select **Source service tag**, and then select **AzureWebPubSub**.

+1. For **Source port ranges**, enter **\***.

+1. Update other settings as needed.

+> [!NOTE]

+> Azure Web PubSub is a shared service. By allowing the `AzureWebPubSub` service tag or its associated IP address prefixes, you also allow traffic from other resources, even if they belong to other customers. Make sure that you implement appropriate authentication on your endpoints.

+### Event handler endpoints for Azure Functions

+For an Azure Functions app, you can use a [service tag-based rule](../app-service/app-service-ip-restrictions.md#set-a-service-tag-based-rule) to manage event handler endpoints securely.

+Alternatively, you can use [shared private endpoints](howto-secure-shared-private-endpoints.md) for increased security. Shared private endpoints are dedicated to your resources. No traffic from other resources can access your endpoints.

+### Azure Event Hubs and Azure Key Vault access

+For Azure Event Hubs and Azure Key Vault resources, we recommend that you use [shared private endpoints](howto-secure-shared-private-endpoints-key-vault.md) to help you maintain the highest level of security.

+## Related content

+* [Network security groups: service tags](../virtual-network/network-security-groups-overview.md#security-rules)

+ Title: Use a managed identity

+description: Learn how managed identities work in Azure Web PubSub and how to use a managed identity in a serverless scenario.

+# Use a managed identity

+This article shows you how to create and use a managed identity in Azure Web PubSub.

+> [!IMPORTANT]

+> Azure Web PubSub can support only one managed identity. You can add *either* a system-assigned identity or a user-assigned identity.

+To set up a managed identity in the Azure portal, create an Azure Web PubSub instance, and then turn on the feature.

+1. In the Azure portal, create a Web PubSub resource. Go to the resource in the portal.

+1. On the left menu, select **Identity**.

+1. Select the **System assigned** tab, and then set **Status** to **On**. Select **Save**.

+ :::image type="content" source="media/howto-use-managed-identity/system-identity-portal.png" alt-text="Screenshot that shows adding a system-assigned identity in the Azure portal.":::

+To create a Web PubSub resource by using a user-assigned identity, create the identity, and then add the identity's resource identifier to your service.

+1. Create a [user-assigned managed identity resource](../active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-portal.md#create-a-user-assigned-managed-identity).

+1. In the Azure portal, create a Web PubSub resource. Go to the resource in the portal.

+1. On the left menu, select **Identity**.

+1. Select the **User assigned** tab, and then select **Add**.

+1. Search for the identity that you created and select it. Select **Add**.

+ :::image type="content" source="media/howto-use-managed-identity/user-identity-portal.png" alt-text="Screenshot that shows adding a user-assigned identity in the Azure portal.":::

+Azure Web PubSub is a fully managed service, so you can't use a managed identity to manually get tokens. Instead, when Web PubSub sends events to an event handler, it uses the managed identity to get an access token. The service then sets the access token in the `Authorization` header of the HTTP request.

+### Set up managed identity authentication for an event handler

+1. Add a system-assigned identity or a user-assigned identity.

+1. Go to **Configure hub settings** and add or edit an upstream event handler.

+ :::image type="content" source="media/howto-use-managed-identity/msi-settings.png" alt-text="Screenshot that shows settings to use on the Configure hub settings pane.":::

+1. Under **Authentication**, select **Use Managed Identity**, and then select the **Specify the issued token audience** checkbox. The audience becomes the `aud` claim in the access token. The claim can be part of validation for your event handler.

+ For authentication, you can choose one of these options:

+ - Use an existing Microsoft Entra application. The application ID of the application you choose is used.

+ - Use the Application ID URI of the service principal.

+ > Using an empty resource actually acquires a token target for Microsoft Graph. Currently, Microsoft Graph enables token encryption, so it's not supported for an application to authenticate the token other than with Microsoft Graph. You should always create a service principal to represent your upstream target. Set the **Application ID** or **Application ID URI** value for the service principal you created.

+#### Authentication in an Azure Functions app

+You can easily set access validation for a Functions app without making code changes.

+1. In the Azure portal, go to the Functions app.

+1. On the left menu, select **Authentication**.

+1. Select **Add an identity provider**.

+1. On the **Basics** tab, for **Identity provider**, select **Microsoft**.

+1. For **Action to take when request is not authenticated**, select **Log in with Microsoft Entra ID**.

+1. The option to create a new registration is selected by default. You can change the name of the registration. For more information about how to enable a Microsoft Entra provider, see [Configure your Azure App Service or Azure Functions app to use a Microsoft Entra ID sign-in](../app-service/configure-authentication-provider-aad.md).

+1. Go to your Web PubSub resource and [add a system-assigned identity or a user-assigned identity](howto-use-managed-identity.md#add-a-system-assigned-identity).

+1. On the left menu for your Web PubSub resource, select **Settings**.

+1. Select **Edit** to edit your hub settings, and then select **Edit** to edit your event handler settings. Under **Authentication**, select **Use Managed Identity** and select the **Select from existing applications** checkbox. Select the application that you created.

+After you configure these settings, the Functions app rejects requests that don't have an access token in the header.

+### Validate an access token

+If you're not using the Web Apps feature of Azure App Service or Azure Functions, you also can validate the token.

+To validate an access token, your app should also validate the audience and the signing token. Signing tokens must be validated against the values in the OpenID discovery document. For an example, see the [tenant-independent version of the document](https://login.microsoftonline.com/common/.well-known/openid-configuration).

+Microsoft Entra middleware has built-in capabilities for validating access tokens. You can browse our [samples](../active-directory/develop/sample-v2-code.md) to find one that's written in the language you want to use.

+We provide libraries and code samples that show you how to handle token validation. Several open-source partner libraries also are available for JSON Web Token (JWT) validation. There's at least one option for almost every platform and language. For more information about Microsoft Entra authorization libraries and code samples, see [Microsoft identity platform authentication libraries](../active-directory/develop/reference-v2-libraries.md).

+If the event handler hosts in Azure Functions or Web Apps, an easy way is to [configure Microsoft Entra sign-in](../app-service/configure-authentication-provider-aad.md).

+## Use a managed identity for a key vault reference

+Web PubSub can access a key vault to get a secret by using a managed identity.

+1. Add a system-assigned identity or a user-assigned identity for Azure Web PubSub.

+1. In the key vault, grant secret read permissions for the managed identity by using access policies. For more information, see [Assign a key vault access policy in the Azure portal](/azure/key-vault/general/assign-access-policy-portal).

+Currently, this feature can be used in the following scenario:

+- Use syntax `{@Microsoft.KeyVault(SecretUri=<secret-identity>)}` to get secrets from a key vault in the event handler URL template setting.

+## Related content

+- [Tutorial: Create a serverless real-time chat app by using Azure Functions and Azure Web PubSub](quickstart-serverless.md)

+[Learn how to configure Role Based Access Control roles for your resource](./howto-authorize-from-application.md#add-a-role-assignment-in-the-azure-portal)

+AKS backup integrates with Backup center in Azure, providing a single view that can help you govern, monitor, operate, and analyze backups at scale. Your backups are also available in the Azure portal under **Settings** in the service menu for an AKS instance.

+Rather than regular expressions, you can instead create a separate rule for each origin you wish to allow using the **Request Header Wildcard** [match condition](./cdn-verizon-premium-rules-engine-reference-match-conditions.md). As with the regular expression method, the rules engine alone sets the CORS headers.

+| **Standard** | Single-tenant Azure Logic Apps and App Service Environment v3 (Windows plans only) | Managed connector (Azure-hosted), which appears in the connector gallery under **Runtime** > **Shared**, and built-in connector, which appears in the connector gallery under **Runtime** > **In App** and is [service provider based](../logic-apps/custom-connector-overview.md#service-provider-interface-implementation). <br><br>The Service Bus managed connector triggers follow the [*long polling trigger* pattern](#service-bus-managed-triggers), which means that the trigger periodically checks for messages in the queue or topic subscription. <br><br>Service Bus built-in connector non-session triggers follow the [*push trigger* pattern](introduction.md#triggers), while session triggers provide polling capabilities. The built-in version usually provides better performance, capabilities, pricing, and so on. <br><br>For more information, review the following documentation: <br><br>- [Service Bus managed connector reference](/connectors/servicebus/) <br>- [Service Bus built-in connector operations](/azure/logic-apps/connectors/built-in/reference/servicebus) <br>- [Built-in connectors in Azure Logic Apps](built-in.md) |

+For the Service Bus built-in connector, non-session triggers follow the [*push trigger* pattern](introduction.md#triggers), while session-based triggers provide polling capability. Currently, the configuration settings for the Service Bus built-in trigger are shared between the [Azure Functions host extension](../azure-functions/functions-bindings-service-bus.md#hostjson-settings), which is defined in your logic app's [**host.json** file](../logic-apps/edit-app-settings-host-settings.md), and the trigger settings defined in your logic app's workflow, which you can set up either through the designer or code view. This section covers both settings locations.

+By default, the Service Bus built-in connector is a stateless connector. To run this connector's operations in stateful mode, see [Enable stateful mode for stateless built-in connectors](enable-stateful-affinity-built-in-connectors.md). Also, Service Bus built-in non-session triggers follow the [*push trigger* pattern](introduction.md#triggers), while session-based triggers provide polling capabilty.

+The Config Server for Spring Java component uses a GitHub repository as the source for configuration settings. Configuration values are made available to your container app via a binding between the component and your container app. As values change in the configuration server, they automatically flow to your application, all without requiring you to recompile or redeploy your application.

+| **Pricing** | The Config Server for Spring billing falls under consumption-based pricing. Resources consumed by managed Java components are billed at the active/idle rates. You can delete components that are no longer in use to stop billing. |

+### [Azure CLI](#tab/azure-cli)

+ export RESOURCE_GROUP=my-services-resource-group

+ export ENVIRONMENT=my-environment

+ export JAVA_COMPONENT_NAME=configserver

+1. Sign in to Azure with the Azure CLI.

+### [Azure portal](#tab/azure-portal)

+Use the following steps to create each of the resources necessary to create a container app.

+1. Search for **Container Apps** in the Azure portal and select **Create**.

+1. Enter the following values to *Basics* tab.

+ | Property | Value |

+ |||

+ | **Subscription** | Select your Azure subscription. |

+ | **Resource group** | Select **Create new** link to create a new resource group named **my-resource-group**. |

+ | **Container app name** | Enter **my-config-client**. |

+ | **Deployment source** | Select **Container image**. |

+ | **Region** | Select the region nearest you. |

+ | **Container Apps environment** | Select the **Create new** link to create a new environment. |

+1. In the *Create Container Apps environment* window, enter the following values.

+ | Property | Value |

+ |||

+ | **Environment name** | Enter **my-environment**. |

+ | **Zone redundancy** | Select **Disabled**. |

+ Select the **Create** button, and then select the **Container** tab.

+1. In *Container* tab, enter the following values.

+ | Property | Value |

+ |||

+ | **Name** | Enter **my-config-client**. |

+ | **Image source** | Select **Docker Hub or other registries**. |

+ | **Image type** | Select **Public**. |

+ | **Registry login server** | Enter **mcr.microsoft.com**. |

+ | **Image and tag** | Enter **javacomponents/samples/sample-service-config-client:latest**. |

+ Select the **Ingress** tab.

+1. In *Ingress* tab, enter the following and leave the rest of the form with their default values.

+ | Property | Value |

+ |||

+ | **Ingress** | Select **Enabled**. |

+ | **Ingress traffic** | Select **Accept traffic from anywhere**. |

+ | **Ingress type** | Select **HTTP**. |

+ | **Target port** | Enter **8080**. |

+ Select **Review + create**.

+1. Once the validation checks pass, select **Create** to create your container app.

+This environment is used to host both the Config Server for Spring java component and your container app.

+## Create the Config Server for Spring Java component

+Now that you have a Container Apps environment, you can create your container app and bind it to a Config Server for Spring java component. When you bind your container app, configuration values automatically synchronize from the Config Server component to your application.

+### [Azure CLI](#tab/azure-cli)

+### [Azure portal](#tab/azure-portal)

+Now that you have an existing environment and config server client container app, you can create a Java component instance of Config Server for Spring.

+1. Go to your container app's environment in the portal.

+1. From the left menu, under *Services* category, select **Services**.

+1. Select **+ Configure** drop down, and select **Java component**.

+1. In the *Configure Java component* panel, enter the following values.

+ | Property | Value |

+ |||

+ | **Java component type** | Select **Config Server for Spring**. |

+ | **Java component name** | Enter **configserver**. |

+1. In the *Git repositories* section, select the **+ Add** button and enter the following values.

+ | Property | Value |

+ |||

+ | **Type** | Select **HTTP**. |

+ | **URI** | Enter **https://github.com/Azure-Samples/azure-spring-cloud-config-java-aca.git**. |

+ Leave the rest of the fields with the default values and select **Add**.

+1. Select **Next**.

+1. On the *Review* tab, select **Configure**.

+## Bind your container app to the Config Server for Spring Java component

+### [Azure CLI](#tab/azure-cli)

+2. Bind to the Config Server for Spring.

+### [Azure portal](#tab/azure-portal)

+1. Go to your container app environment in the portal.

+1. From the left menu, under *Services* category, select **Services**.

+1. From the list, select **configserver**.

+1. Under *bindings, select the *App name* drop-down and select **my-config-client**.

+1. Select the **Review** tab.

+1. Select the **Configure** button.

+1. Return to your container app in the portal and copy the URL of your app to a text editor so you can use it in a coming step.

+Once the container app and the Config Server component are bound together, configuration changes are automatically synchronized to the container app.

+When you visit the app's URL again, the value of `connectTimeout` is now `10000`. This value comes from the git repo set in the `$URI` variable originally set as the source of the configuration component. Specifically, this value is drawn from the `connectionTimeout` property in the repo's *application.yml* file.

+The bind request injects configuration setting into the application as environment variables. These values are now available to the application code to use when fetching configuration settings from the config server.

+In this case, the following environment variables are available to the application:

+```bash

+SPRING_CLOUD_CONFIG_URI=http://[JAVA_COMPONENT_INTERNAL_FQDN]:80

+SPRING_CLOUD_CONFIG_COMPONENT_URI=http://[JAVA_COMPONENT_INTERNAL_FQDN]:80

+SPRING_CONFIG_IMPORT=optional:configserver:$SPRING_CLOUD_CONFIG_URI

+```

+If you want to customize your own `SPRING_CONFIG_IMPORT`, you can refer to the environment variable `SPRING_CLOUD_CONFIG_COMPONENT_URI`, for example, you can override by command line arguments, like `Java -Dspring.config.import=optional:configserver:${SPRING_CLOUD_CONFIG_COMPONENT_URI}?fail-fast=true`.

+You can also remove a binding from your application.

+## Unbind your container app from the Config Server for Spring Java component

+### [Azure CLI](#tab/azure-cli)

+ To remove a binding from a container app, use the `--unbind` option.

+ ``` azurecli

+ az containerapp update \

+ --name $APP_NAME \

+ --unbind $JAVA_COMPONENT_NAME \

+ --resource-group $RESOURCE_GROUP

+ ```

+### [Azure portal](#tab/azure-portal)

+1. Go to your container app environment in the portal.

+1. From the left menu, under *Services* category, select **Services**.

+1. From the list, select **configserver**.

+1. Under *Bindings*, find the line for *my-config-client* select and select **Delete**.

+1. Select **Next**.

+1. Select the **Review** tab.

+1. Select the **Configure** button.

+When you visit the app's URL again, the value of `connectTimeout` changes to back to `0`.

+ Title: "Tutorial: Create a highly available Eureka server component cluster in Azure Container Apps"

+description: Learn to create a highly available Eureka service in Azure Container Apps.

+#customer intent: As a developer, I want to create an Eureka server cluster so that I can ensure there is no downtime of my service registries regardless of load and failures.

+# Tutorial: Create a highly available Eureka server component cluster in Azure Container Apps

+In this tutorial, you learn to create a Eureka service designed to remain operational in the face of failures and high demand. Building a highly available Eureka service ensures the service registry is always available to clients regardless of demand.

+Achieving high availability status for Eureka includes linking multiple Eureka server instances together forming a cluster. The cluster provides resources so that if one Eureka server fails, the other services remain available for requests.

+In this tutorial, you:

+> [!div class="checklist"]

+> * Create a Eureka server for Spring components.

+> * Bind two Eureka servers for Spring components together into a cluster.

+> * Bind applications to both Eureka servers for highly available service discovery.

+## Prerequisites

+To complete this project, you need the following items:

+| Requirement | Instructions |

+|--|--|

+| Azure account | An active subscription is required. If you don't have one, you [can create one for free](https://azure.microsoft.com/free/). |

+| Azure CLI | Install the [Azure CLI](/cli/azure/install-azure-cli).|

+## Considerations

+When running managed Java components in Azure Container Apps, be aware of the following details:

+## Setup

+Use the following steps to create your Eureka service cluster.

+1. Create variables that hold application configuration values.

+ ```bash

+ export LOCATION=eastus

+ export RESOURCE_GROUP=my-services-resource-group

+ export ENVIRONMENT=my-environment

+ export EUREKA_COMPONENT_FIRST=eureka01

+ export EUREKA_COMPONENT_SECOND=eureka02

+ export APP_NAME=sample-service-eureka-client

+ export IMAGE="mcr.microsoft.com/javacomponents/samples/sample-service-eureka-client:latest"

+ ```

+1. Sign in to Azure with the Azure CLI.

+ ```azurecli

+ az login

+ ```

+1. Create a resource group.

+ ```azurecli

+ az group create --name $RESOURCE_GROUP --location $LOCATION

+ ```

+1. Create your Container Apps environment.

+ ```azurecli

+ az containerapp env create \

+ --name $ENVIRONMENT \

+ --resource-group $RESOURCE_GROUP \

+ --location $LOCATION

+ ```

+## Create a cluster

+Next, create two Eureka server instances and link them together as a cluster.

+1. Create two Eureka Server for Spring components.

+ ```azurecli

+ az containerapp env java-component eureka-server-for-spring create \

+ --environment $ENVIRONMENT \

+ --resource-group $RESOURCE_GROUP \

+ --name $EUREKA_COMPONENT_FIRST

+ ```

+ ```azurecli

+ az containerapp env java-component eureka-server-for-spring create \

+ --environment $ENVIRONMENT \

+ --resource-group $RESOURCE_GROUP \

+ --name $EUREKA_COMPONENT_SECOND

+ ```

+## Bind components together

+For the Eureka servers to work in a high-availability configuration, they need to be linked together.

+1. Bind the first Eureka server to the second.

+ ```azurecli

+ az containerapp env java-component eureka-server-for-spring update \

+ --environment $ENVIRONMENT \

+ --resource-group $RESOURCE_GROUP \

+ --name $EUREKA_COMPONENT_FIRST \

+ --bind $EUREKA_COMPONENT_SECOND

+ ```

+1. Bind the second Eureka server to the first.

+ ```azurecli

+ az containerapp env java-component eureka-server-for-spring update \

+ --environment $ENVIRONMENT \

+ --resource-group $RESOURCE_GROUP \

+ --name $EUREKA_COMPONENT_SECOND \

+ --bind $EUREKA_COMPONENT_FIRST

+ ```

+## Deploy and bind the application

+With the server components linked together, you can create the container app and binding it to the two Eureka components.

+1. Create the container app.

+ ```azurecli

+ az containerapp create \

+ --name $APP_NAME \

+ --resource-group $RESOURCE_GROUP \

+ --environment $ENVIRONMENT \

+ --image $IMAGE \

+ --min-replicas 1 \

+ --max-replicas 1 \

+ --ingress external \

+ --target-port 8080

+ ```

+1. Bind the container app to the first Eureka server component.

+ ```azurecli

+ az containerapp update \

+ --name $APP_NAME \

+ --resource-group $RESOURCE_GROUP \

+ --bind $EUREKA_COMPONENT_FIRST

+ ```

+1. Bind the container app to the second Eureka server component.

+ ```azurecli

+ az containerapp update \

+ --name $APP_NAME \

+ --resource-group $RESOURCE_GROUP \

+ --bind $EUREKA_COMPONENT_SECOND

+ ```

+## View the dashboards

+> [!IMPORTANT]

+> To view the dashboard, you need to have at least the `Microsoft.App/managedEnvironments/write` role assigned to your account on the managed environment resource. You can either explicitly assign `Owner` or `Contributor` role on the resource or follow the steps to create a custom role definition and assign it to your account.

+1. Create the custom role definition.

+ ```azurecli

+ az role definition create --role-definition '{

+ "Name": "Java Component Dashboard Access",

+ "IsCustom": true,

+ "Description": "Can access managed Java Component dashboards in managed environments",

+ "Actions": [

+ "Microsoft.App/managedEnvironments/write"

+ ],

+ "AssignableScopes": ["/subscriptions/<SUBSCRIPTION_ID>"]

+ }'

+ ```

+ Make sure to replace placeholder in between the `<>` brackets in the `AssignableScopes` value with your subscription ID.

+1. Assign the custom role to your account on managed environment resource.

+ Get the resource ID of the managed environment.

+ ```azurecli

+ export ENVIRONMENT_ID=$(az containerapp env show \

+ --name $ENVIRONMENT --resource-group $RESOURCE_GROUP \

+ --query id -o tsv)

+ ```

+1. Assign the role to your account.

+ Before running this command, replace the placeholder in between the `<>` brackets with your user or service principal ID.

+ ```azurecli

+ az role assignment create \

+ --assignee <USER_OR_SERVICE_PRINCIPAL_ID> \

+ --role "Java Component Dashboard Access" \

+ --scope $ENVIRONMENT_ID

+ ```

+1. Get the URL of the Eureka Server for Spring dashboard.

+ ```azurecli

+ az containerapp env java-component eureka-server-for-spring show \

+ --environment $ENVIRONMENT \

+ --resource-group $RESOURCE_GROUP \

+ --name $EUREKA_COMPONENT_FIRST \

+ --query properties.ingress.fqdn -o tsv

+ ```

+ This command returns the URL you can use to access the Eureka Server for Spring dashboard. Through the dashboard, you can verify that the Eureka server setup consists of two replicas.

+ :::image type="content" source="media/java-components/eureka-highly-available.png" alt-text="Screenshot of a highly available Eureka Server for Spring dashboard.":::

+## Clean up resources

+The resources created in this tutorial have an effect on your Azure bill. If you aren't going to use these services long-term, run the following command to remove everything created in this tutorial.

+```azurecli

+az group delete \

+ --resource-group $RESOURCE_GROUP

+```

+## Next steps

+> [!div class="nextstepaction"]

+> [Configure Eureka Server for Spring settings](java-eureka-server-usage.md)

+| **Scaling** | The Eureka Server for Spring canΓÇÖt scale. The scaling properties `minReplicas` and `maxReplicas` are both set to `1`. To achieve high availability, you can refer to [Create a Highly Available Eureka Service in Azure Container Apps](java-eureka-server-highly-available.md).|

+### [Azure CLI](#tab/azure-cli)

+ export APP_NAME=my-eureka-client

+1. Sign in to Azure with the Azure CLI.

+### [Azure portal](#tab/azure-portal)

+Use the following steps to create each of the resources necessary to create a container app.

+1. Search for **Container Apps** in the Azure portal and select **Create**.

+1. Enter the following values to *Basics* tab.

+ | Property | Value |

+ |||

+ | **Subscription** | Select your Azure subscription. |

+ | **Resource group** | Select **Create new** link to create a new resource group named **my-resource-group**. |

+ | **Container app name** | Enter **my-eureka-client**. |

+ | **Deployment source** | Select **Container image**. |

+ | **Region** | Select the region nearest you. |

+ | **Container Apps environment** | Select the **Create new** link to create a new environment. |

+1. In the *Create Container Apps environment* window, enter the following values.

+ | Property | Value |

+ |||

+ | **Environment name** | Enter **my-environment**. |

+ | **Zone redundancy** | Select **Disabled**. |

+ Select the **Create** button, and then select the **Container** tab.

+1. In *Container* tab, enter the following values.

+ | Property | Value |

+ |||

+ | **Name** | Enter **my-config-client**. |

+ | **Image source** | Select **Docker Hub or other registries**. |

+ | **Image type** | Select **Public**. |

+ | **Registry login server** | Enter **mcr.microsoft.com**. |

+ | **Image and tag** | Enter **javacomponents/samples/sample-service-eureka-client:latest**. |

+ Select the **Ingress** tab.

+1. In *Ingress* tab, enter the following and leave the rest of the form with their default values.

+ | Property | Value |

+ |||

+ | **Ingress** | Select **Enabled**. |

+ | **Ingress traffic** | Select **Accept traffic from anywhere**. |

+ | **Ingress type** | Select **HTTP**. |

+ | **Target port** | Enter **8080**. |

+ Select **Review + create**.

+1. Once the validation checks pass, select **Create** to create your container app.

+### [Azure CLI](#tab/azure-cli)

+### [Azure portal](#tab/azure-portal)

+Now that you have an existing environment and eureka client container app, you can create a Java component instance of Eureka Server for Spring.

+Now that you have an existing environment and config server client container app, you can create a Java component instance of Config Server for Spring.

+1. Go to your container app's environment in the portal.

+1. From the left menu, under *Services* category, select **Services**.

+1. Select **+ Configure** drop down, and select **Java component**.

+1. In the *Configure Java component* panel, enter the following values.

+ | Property | Value |

+ |||

+ | **Java component type** | Select **Eureka Server for Spring**. |

+ | **Java component name** | Enter **eureka**. |

+1. In the *Bindings* section, select the *App name* drop-down and select **my-component-app**.

+1. Select **Next**.

+1. On the *Review* tab, select **Configure**.

+### [Azure CLI](#tab/azure-cli)

+Copy the URL of your app to a text editor so you can use it in a coming step.

+### [Azure portal](#tab/azure-portal)

+1. Go to your container app environment in the portal.

+1. From the left menu, under *Services* category, select **Services**.

+1. From the list, select **eureka**.

+1. Under *bindings, select the *App name* drop-down and select **my-eureka-client**.

+1. Select the **Review** tab.

+1. Select the **Configure** button.

+1. Return to your container app in the portal and copy the URL of your app to a text editor so you can use it in a coming step.

+Return to the container app in the portal and copy the URL of your app to a text editor so you can use it in a coming step.

+Navigate to the `/allRegistrationStatus` route to view all applications registered with the Eureka Server for Spring.

+The binding injects several configurations into the application as environment variables, primarily the `eureka.client.service-url.defaultZone` property. This property indicates the internal endpoint of the Eureka Server Java component.

+The binding also injects the following properties:

+```bash

+"eureka.client.register-with-eureka": "true"

+"eureka.client.fetch-registry": "true"

+"eureka.instance.prefer-ip-address": "true"

+```

+The `eureka.client.register-with-eureka` property is set to `true` to enforce registration with the Eureka server. This registration overwrites the local setting in `application.properties`, from the config server and so on. If you want to set it to `false`, you can overwrite it by setting an environment variable in your container app.

+The `eureka.instance.prefer-ip-address` is set to `true` due to the specific DNS resolution rule in the container app environment. Don't modify this value so you don't break the binding.

+## Unbind your container app from the Eureka Server for Spring Java component

+### [Azure CLI](#tab/azure-cli)

+To remove a binding from a container app, use the `--unbind` option.

+ ``` azurecli

+ az containerapp update \

+ --name $APP_NAME \

+ --unbind $JAVA_COMPONENT_NAME \

+ --resource-group $RESOURCE_GROUP

+ ```

+### [Azure portal](#tab/azure-portal)

+1. Go to your container app environment in the portal.

+1. From the left menu, under *Services* category, select **Services**.

+1. From the list, select **eureka**.

+1. Under *Bindings*, find the line for *my-eureka-client* select and select **Delete**.

+1. Select **Next**.

+1. Select the **Review** tab.

+1. Select the **Configure** button.

+ Get the resource ID of the managed environment:

+ :::image type="content" source="media/java-components/eureka-alone.png" alt-text="Screenshot of the Eureka Server for Spring dashboard." lightbox="media/java-components/eureka-alone.png":::

+Data sources for smart views are as follows:

+- Reservations ΓÇô Source data is from amortized usage and charges.

+- Resource groups ΓÇô Source data is from actual usage and charges.

+- Services ΓÇô Source data is from actual usage and charges.

+- Subscriptions ΓÇô Source data is from actual usage and charges.

+- Resources ΓÇô Source data is from actual usage and charges.

+In this example, 100 TB of reserved capacity appears as a quantity in Azure usage reports including your Azure invoice and the Services view in Cost analysis. It appears as 3,303 hours. It represents the total amount of the reservation (100 TB / days in a month) * 1024. So, for the example in July: (100 TB / 31 days) = 3.2258 TB * 1024 = 3,303.22 GB (per day).

+> [!IMPORTANT]

+> This connector will be deprecated on **December 31, 2024**. Please migrate to [Azure Database for MySQL connector](connector-azure-database-for-mysql.md) by that date. You can also refer to this [article](https://techcommunity.microsoft.com/t5/azure-database-for-mysql-blog/migrating-from-azure-database-for-mariadb-to-azure-database-for/ba-p/3838455) for the Azure Database for MariaDB migration guidance.

+> [!IMPORTANT]

+> This connector will be deprecated on **December 31, 2024**. You are recommended to migrate to [ODBC connector](connector-odbc.md) by installing a driver before that date.

+> [!IMPORTANT]

+> This connector will be deprecated on **December 31, 2024**. You are recommended to migrate to [ODBC connector](connector-odbc.md) by installing a driver before that date.

+> [!IMPORTANT]

+> This connector will be deprecated on **December 31, 2024**. You are recommended to migrate to [ODBC connector](connector-odbc.md) by installing a driver before that date.

+> [!IMPORTANT]

+> This connector will be deprecated on **December 31, 2024**. You are recommended to migrate to [ODBC connector](connector-odbc.md) by installing a driver before that date.

+> [!IMPORTANT]

+> This connector will be deprecated on **December 31, 2024**. You are recommended to migrate to [ODBC connector](connector-odbc.md) by installing a driver before that date.

+> [!IMPORTANT]

+> This connector will be deprecated on **December 31, 2024**. You are recommended to migrate to [ODBC connector](connector-odbc.md) by installing a driver before that date.

+- Interact with the client to determine if the traffic is potentially a spoofed packet (for example: SYN Auth or SYN Cookie or by dropping a packet for the source to retransmit it).

+Microsoft Intune Endpoint Privilege Management allows your organization's users to run as a standard user (without administrator rights) and complete tasks that require elevated privileges. Tasks that commonly require administrative privileges are application installs (like Microsoft 365 Applications), updating device drivers, and running certain Windows diagnostics.

+ 1. Select **Add assignments** the **Intune Administrator** role.

+* Increase the bandwidth of your ExpressRoute circuit, provided there's capacity available on the port.

+ > * When upgrading the bandwidth of an ExpressRoute circuit, the Azure portal provides a list of available bandwidth options based on the capacity of the port. If the desired bandwidth isn't available, you need to recreate the circuit to get the desired bandwidth.

+ > :::image type="content" source="./media/expressroute-howto-circuit-portal-resource-manager/circuit-bandwidth-upgrade.png" alt-text="Screenshot of the bandwidth upgrade available for an ExpressRoute circuit.":::

+1. On this page, you can review individual maintenance events by filtering on a target subscription and Azure Region. To further narrow the scope of health history events, you can select the health event type and define a past time range. To filter for planned ExpressRoute circuit maintenance, set the Health Event Type to **Planned Maintenance**.

+Defender EASM provides eight dashboards:

+- **Overview**: this dashboard is the default landing page when you access Defender EASM. It provides the key context that can help you familiarize yourself with your attack surface.

+- **Inventory changes**: this dashboard displays any changes to your asset counts, separately listing additions and removals from your inventory. This dashboard also displays assets that have been automatically removed from inventory because the system determined that the asset is no longer live or owned by your organization.

+- **Security posture**: this dashboard helps organizations understand the maturity and complexity of their security program based on the metadata derived from assets in your Approved inventory. It is composed of technical and nontechnical policies, processes and controls that mitigate risk of external threats. This dashboard provides insight on CVE exposure, domain administration and configuration, hosting and networking, open ports, and SSL certificate configuration.

+Selecting an individual chart segment opens a drilldown view of the data, listing any assets that comprise the segment count. At the top of this page, select **Download CSV report** to begin your export. This action creates a task manager notification where you can track the status of your export.

+## Inventory changes

+Your attack surface is constantly changing, which is why Defender EASM continuously analyzes and updates your inventory to ensure accuracy. Assets are frequently added and removed from inventory, so it's important to track these changes to understand your attack surface and identify key trends. The inventory changes dashboard provides an overview of these changes, displaying the "added" and "removed" counts for each asset type. You can filter the dashboard by two date ranges: either the last 7 or 30 days.

+The "Changes by date" section provides more granular context on how your attack surface has changed on a daily basis. This section categorizes removals as "removed by user" or "removed by system." User removals include all manual removals, including individual, bulk or cascading asset state changes, as well as removals triggered by user-configured asset policies. System removals occur automatically. The system removes assets that are no longer relevant to your attack surface because recent scans no longer observed their connection to your inventory. Assets are eligible for pruning if they haven't been observed in a scan for 30-60 days, depending on the asset type. Assets that are manually added to inventory are not eligible for removal. From the "Changes by date" section, you can click on any listed value to see a full list of the assets that were added or removed.

+

+The Security Posture dashboard helps organizations measure the maturity of their security program based on the status of assets in your Confirmed Inventory. It is composed of technical and non-technical policies, processes and controls that mitigate the risk of external threats. This dashboard provides insight on CVE exposure, domain administration and configuration, hosting and networking, open ports, and SSL certificate configuration.

+To see how to accomplish these steps in a single query with the `join` operator, go to [List virtual machines with their network interface and public IP](../samples/advanced.md#get-virtual-networks-and-subnets-of-network-interfaces) sample.

+> results. See the [Show API version for each resource type](./samples/advanced.md#show-api-version-for-each-resource-type)

+ Title: Supported Azure Resource Manager resource types

+description: Provide a list of the Azure Resource Manager resource types supported by Azure Resource Graph and Change History.

+# Azure Resource Graph table and resource type reference

+Azure Resource Graph supports the following **resource types** of

+[Azure Resource Manager](../../../azure-resource-manager/management/overview.md). Each **resource type** is

+part of a **table** in Resource Graph.

+## advisorresources

+For sample queries for this table, see [Resource Graph sample queries for advisorresources](../samples/samples-by-table.md#advisorresources).

+- microsoft.advisor/configurations

+- microsoft.advisor/recommendations

+ - Sample query: [Get cost savings summary from Azure Advisor](../samples/samples-by-category.md#get-cost-savings-summary-from-azure-advisor)

+ - Sample query: [List Arc-enabled servers not running latest released agent version](../samples/samples-by-category.md#list-arc-enabled-servers-not-running-latest-released-agent-version)

+- microsoft.advisor/recommendations/suppressions

+- microsoft.advisor/suppressions

+## alertsmanagementresources

+- microsoft.alertsmanagement/alerts

+## chaosresources

+- microsoft.chaos/experiments/statuses

+- microsoft.chaos/targets

+- microsoft.chaos/targets/capabilities

+## desktopvirtualizationresources

+- microsoft.desktopvirtualization/hostpools/sessionhosts

+## extendedlocationresources

+For sample queries for this table, see [Resource Graph sample queries for extendedlocationresources](../samples/samples-by-table.md#extendedlocationresources).

+- microsoft.extendedlocation/customlocations/enabledresourcetypes

+ - Sample query: [Get enabled resource types for Azure Arc-enabled custom locations](../samples/samples-by-category.md#get-enabled-resource-types-for-azure-arc-enabled-custom-locations)

+ - Sample query: [List Azure Arc-enabled custom locations with VMware or SCVMM enabled](../samples/samples-by-category.md#list-azure-arc-enabled-custom-locations-with-vmware-or-scvmm-enabled)

+## guestconfigurationresources

+For sample queries for this table, see [Resource Graph sample queries for guestconfigurationresources](../samples/samples-by-table.md#guestconfigurationresources).

+- microsoft.guestconfiguration/guestconfigurationassignments

+ - Sample query: [Count machines in scope of guest configuration policies](../samples/samples-by-category.md#count-machines-in-scope-of-guest-configuration-policies)

+ - Sample query: [Count of non-compliant guest configuration assignments](../samples/samples-by-category.md#count-of-non-compliant-guest-configuration-assignments)

+ - Sample query: [Find all reasons a machine is non-compliant for guest configuration assignments](../samples/samples-by-category.md#find-all-reasons-a-machine-is-non-compliant-for-guest-configuration-assignments)

+## healthresources

+For sample queries for this table, see [Resource Graph sample queries for healthresources](../samples/samples-by-table.md#healthresources).

+- microsoft.resourcehealth/availabilitystatuses

+ - Sample query: [Count of virtual machines by availability state and Subscription Id](../samples/samples-by-category.md#count-of-virtual-machines-by-availability-state-and-subscription-id)

+ - Sample query: [List of virtual machines and associated availability states by Resource Ids](../samples/samples-by-category.md#list-of-virtual-machines-and-associated-availability-states-by-resource-ids)

+ - Sample query: [List of virtual machines by availability state and power state with Resource Ids and resource Groups](../samples/samples-by-category.md#list-of-virtual-machines-by-availability-state-and-power-state-with-resource-ids-and-resource-groups)

+ - Sample query: [List of virtual machines that are not Available by Resource Ids](../samples/samples-by-category.md#list-of-virtual-machines-that-are-not-available-by-resource-ids)

+## iotsecurityresources

+For sample queries for this table, see [Resource Graph sample queries for iotsecurityresources](../samples/samples-by-table.md#iotsecurityresources).

+- microsoft.iotsecurity/locations/devicegroups/alerts

+ - Sample query: [Get all New alerts from the past 30 days](../samples/samples-by-category.md#get-all-new-alerts-from-the-past-30-days)

+- microsoft.iotsecurity/locations/devicegroups/devices

+ - Sample query: [Count how many IoT Devices there are in your network, by operation system](../samples/samples-by-category.md#count-how-many-iot-devices-there-are-in-your-network-by-operation-system)

+- microsoft.iotsecurity/locations/devicegroups/recommendations

+ - Sample query: [Get all High severity recommendations](../samples/samples-by-category.md#get-all-high-severity-recommendations)

+- microsoft.iotsecurity/locations/sites

+- microsoft.iotsecurity/locations/sites/sensors

+- microsoft.iotsecurity/onpremisesensors

+- microsoft.iotsecurity/sensors

+ - Sample query: [Count all sensors by type](../samples/samples-by-category.md#count-all-sensors-by-type)

+- microsoft.iotsecurity/sites

+ - Sample query: [List sites with a specific tag value](../samples/samples-by-category.md#list-sites-with-a-specific-tag-value)

+## kubernetesconfigurationresources

+For sample queries for this table, see [Resource Graph sample queries for kubernetesconfigurationresources](../samples/samples-by-table.md#kubernetesconfigurationresources).

+- microsoft.kubernetesconfiguration/extensions

+ - Sample query: [List all Azure Arc-enabled Kubernetes clusters with Azure Monitor extension](../samples/samples-by-category.md#list-all-azure-arc-enabled-kubernetes-clusters-with-azure-monitor-extension)

+ - Sample query: [List all Azure Arc-enabled Kubernetes clusters without Azure Monitor extension](../samples/samples-by-category.md#list-all-azure-arc-enabled-kubernetes-clusters-without-azure-monitor-extension)

+- microsoft.kubernetesconfiguration/fluxconfigurations

+- microsoft.kubernetesconfiguration/sourcecontrolconfigurations

+## maintenanceresources

+- microsoft.maintenance/applyupdates

+- microsoft.maintenance/configurationassignments

+- microsoft.maintenance/updates

+- microsoft.resources/subscriptions (Subscriptions)

+ - Sample query: [Count of subscriptions per management group](../samples/samples-by-category.md#count-of-subscriptions-per-management-group)

+ - Sample query: [Key vaults with subscription name](../samples/samples-by-category.md#key-vaults-with-subscription-name)

+ - Sample query: [List all management group ancestors for a specified subscription](../samples/samples-by-category.md#list-all-management-group-ancestors-for-a-specified-subscription)

+ - Sample query: [List all subscriptions under a specified management group](../samples/samples-by-category.md#list-all-subscriptions-under-a-specified-management-group)

+ - Sample query: [Remove columns from results](../samples/samples-by-category.md#remove-columns-from-results)

+ - Sample query: [Secure score per management group](../samples/samples-by-category.md#secure-score-per-management-group)

+## patchassessmentresources

+For sample queries for this table, see [Resource Graph sample queries for patchassessmentresources](../samples/samples-by-table.md#patchassessmentresources).

+- microsoft.compute/virtualmachines/patchassessmentresults

+- microsoft.compute/virtualmachines/patchassessmentresults/softwarepatches

+- microsoft.hybridcompute/machines/patchassessmentresults

+- microsoft.hybridcompute/machines/patchassessmentresults/softwarepatches

+## patchinstallationresources

+- microsoft.compute/virtualmachines/patchinstallationresults

+- microsoft.compute/virtualmachines/patchinstallationresults/softwarepatches

+- microsoft.hybridcompute/machines/patchinstallationresults

+- microsoft.hybridcompute/machines/patchinstallationresults/softwarepatches

+## policyresources

+For sample queries for this table, see [Resource Graph sample queries for policyresources](../samples/samples-by-table.md#policyresources).

+- microsoft.authorization/policyassignments

+- microsoft.authorization/policydefinitions

+- microsoft.authorization/policysetdefinitions

+- microsoft.policyinsights/policystates

+ - Sample query: [Compliance by policy assignment](../samples/samples-by-category.md#compliance-by-policy-assignment)

+ - Sample query: [Compliance by resource type](../samples/samples-by-category.md#compliance-by-resource-type)

+ - Sample query: [List all non-compliant resources](../samples/samples-by-category.md#list-all-non-compliant-resources)

+ - Sample query: [Summarize resource compliance by state](../samples/samples-by-category.md#summarize-resource-compliance-by-state)

+ - Sample query: [Summarize resource compliance by state per location](../samples/samples-by-category.md#summarize-resource-compliance-by-state-per-location)

+## recoveryservicesresources

+- microsoft.dataprotection/backupvaults/backupinstances

+- microsoft.dataprotection/backupvaults/backupjobs

+- microsoft.dataprotection/backupvaults/backuppolicies

+- microsoft.recoveryservices/vaults/alerts

+- Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems (Backup Items)

+- microsoft.recoveryservices/vaults/backupjobs

+- microsoft.recoveryservices/vaults/backuppolicies

+## resourcecontainers

+For sample queries for this table, see [Resource Graph sample queries for resourcecontainers](../samples/samples-by-table.md#resourcecontainers).

+- microsoft.management/managementgroups

+ - Sample query: [Count of subscriptions per management group](../samples/samples-by-category.md#count-of-subscriptions-per-management-group)

+ - Sample query: [List all management group ancestors for a specified management group](../samples/samples-by-category.md#list-all-management-group-ancestors-for-a-specified-management-group)

+- microsoft.resources/subscriptions (Subscriptions)

+ - Sample query: [Count of subscriptions per management group](../samples/samples-by-category.md#count-of-subscriptions-per-management-group)

+ - Sample query: [Key vaults with subscription name](../samples/samples-by-category.md#key-vaults-with-subscription-name)

+ - Sample query: [List all management group ancestors for a specified subscription](../samples/samples-by-category.md#list-all-management-group-ancestors-for-a-specified-subscription)

+ - Sample query: [List all subscriptions under a specified management group](../samples/samples-by-category.md#list-all-subscriptions-under-a-specified-management-group)

+ - Sample query: [Remove columns from results](../samples/samples-by-category.md#remove-columns-from-results)

+ - Sample query: [Secure score per management group](../samples/samples-by-category.md#secure-score-per-management-group)

+- Microsoft.Resources/subscriptions/resourceGroups (Resource groups)

+ - Sample query: [Combine results from two queries into a single result](../samples/samples-by-category.md)

+ - Sample query: [Find storage accounts with a specific case-insensitive tag on the resource group](../samples/samples-by-category.md#find-storage-accounts-with-a-specific-case-insensitive-tag-on-the-resource-group)

+ - Sample query: [Find storage accounts with a specific case-sensitive tag on the resource group](../samples/samples-by-category.md#find-storage-accounts-with-a-specific-case-sensitive-tag-on-the-resource-group)

+## resources

+For sample queries for this table, see [Resource Graph sample queries for resources](../samples/samples-by-table.md#resources).

+- 84codes.CloudAMQP/servers (CloudAMQP)

+- Citrix.Services/XenAppEssentials (Citrix Virtual Apps Essentials)

+- Citrix.Services/XenDesktopEssentials (Citrix Virtual Desktops Essentials)

+- conexlink.mycloudit/accounts

+- crypteron.datasecurity/apps

+- Dynatrace.Observability/monitors (Dynatrace)

+- GitHub.Enterprise/accounts (GitHub AE)

+- gridpro.evops/accounts

+- gridpro.evops/accounts/eventrules

+- gridpro.evops/accounts/requesttemplates

+- gridpro.evops/accounts/views

+- hive.streaming/services

+- incapsula.waf/accounts

+- LiveArena.Broadcast/services (LiveArena Broadcast)

+- Mailjet.Email/services (Mailjet Email Service)

+- micorosft.web/kubeenvironments

+- Microsoft.AAD/domainServices (Azure AD Domain Services)

+- microsoft.aadiam/azureadmetrics

+- microsoft.aadiam/privateLinkForAzureAD (Private Link for Azure AD)

+- microsoft.aadiam/tenants

+- Microsoft.AgFoodPlatform/farmBeats (Azure FarmBeats)

+- microsoft.aisupercomputer/accounts

+- microsoft.aisupercomputer/accounts/jobgroups

+- microsoft.aisupercomputer/accounts/jobgroups/jobs

+- microsoft.alertsmanagement/actionrules

+- microsoft.alertsmanagement/resourcehealthalertrules

+- microsoft.alertsmanagement/smartdetectoralertrules

+- Microsoft.AnalysisServices/servers (Analysis Services)

+- Microsoft.AnyBuild/clusters (AnyBuild clusters)

+- Microsoft.ApiManagement/service (API Management services)

+- microsoft.appassessment/migrateprojects

+- Microsoft.AppConfiguration/configurationStores (App Configuration)

+- Microsoft.AppPlatform/Spring (Azure Spring Cloud)

+- microsoft.archive/collections

+- Microsoft.Attestation/attestationProviders (Attestation providers)

+- microsoft.authorization/elevateaccessroleassignment

+- Microsoft.Authorization/resourceManagementPrivateLinks (Resource management private links)

+- microsoft.automanage/accounts

+- microsoft.automanage/configurationprofilepreferences

+- microsoft.automanage/configurationprofiles

+- Microsoft.Automation/AutomationAccounts (Automation Accounts)

+- microsoft.automation/automationaccounts/configurations

+- Microsoft.Automation/automationAccounts/runbooks (Runbook)

+- microsoft.autonomousdevelopmentplatform/accounts

+- Microsoft.AutonomousSystems/workspaces (Bonsai)

+- Microsoft.AVS/privateClouds (AVS Private clouds)

+- microsoft.azconfig/configurationstores

+- Microsoft.AzureActiveDirectory/b2cDirectories (B2C Tenants)

+- Microsoft.AzureActiveDirectory/guestUsages (Guest Usages)

+- Microsoft.AzureArcData/dataControllers (Azure Arc data controllers)

+- Microsoft.AzureArcData/postgresInstances (Azure Arc-enabled PostgreSQL Hyperscale server groups)

+- Microsoft.AzureArcData/sqlManagedInstances (SQL managed instances - Azure Arc)

+- Microsoft.AzureArcData/sqlServerInstances (SQL Server - Azure Arc)

+- microsoft.azurecis/autopilotenvironments

+- microsoft.azurecis/dstsserviceaccounts

+- microsoft.azurecis/dstsserviceclientidentities

+- microsoft.azuredata/datacontrollers

+- microsoft.azuredata/hybriddatamanagers

+- microsoft.azuredata/postgresinstances

+- microsoft.azuredata/sqlbigdataclusters

+- microsoft.azuredata/sqlinstances

+- microsoft.azuredata/sqlmanagedinstances

+- microsoft.azuredata/sqlserverinstances

+- Microsoft.AzureData/sqlServerRegistrations (SQL Server registries)

+- Microsoft.AzurePercept/accounts (Azure Percept accounts)

+- microsoft.azuresphere/catalogs

+- microsoft.azuresphere/catalogs/products

+- microsoft.azuresphere/catalogs/products/devicegroups

+- microsoft.azurestack/edgesubscriptions

+- microsoft.azurestack/linkedsubscriptions

+- Microsoft.Azurestack/registrations (Azure Stack Hubs)

+- Microsoft.AzureStackHCI/clusters (Azure Stack HCI)

+- microsoft.azurestackhci/galleryimages

+- microsoft.azurestackhci/networkinterfaces

+- microsoft.azurestackhci/virtualharddisks

+- Microsoft.AzureStackHci/virtualMachines (Azure Stack HCI virtual machine - Azure Arc)

+- microsoft.azurestackhci/virtualmachines/extensions

+- microsoft.azurestackhci/virtualnetworks

+- microsoft.backupsolutions/vmwareapplications

+- microsoft.baremetal/consoleconnections

+- Microsoft.BareMetal/crayServers (Cray Servers)

+- Microsoft.BareMetal/monitoringServers (Monitoring Servers)

+- Microsoft.BareMetalInfrastructure/bareMetalInstances (BareMetal Instances)

+- Microsoft.Batch/batchAccounts (Batch accounts)

+- microsoft.batchai/clusters

+- microsoft.batchai/fileservers

+- microsoft.batchai/jobs

+- microsoft.batchai/workspaces

+- Microsoft.Bing/accounts (Bing Resources)

+- microsoft.bingmaps/mapapis

+- microsoft.biztalkservices/biztalk

+- Microsoft.Blockchain/blockchainMembers (Azure Blockchain Service)

+- Microsoft.Blockchain/cordaMembers (Corda)

+- microsoft.blockchain/watchers

+- Microsoft.BotService/botServices (Bot Services)

+- Microsoft.Cache/Redis (Azure Cache for Redis)

+- Microsoft.Cache/RedisEnterprise (Redis Enterprise)

+- microsoft.cascade/sites

+- Microsoft.Cdn/CdnWebApplicationFirewallPolicies (Web application firewall policies (WAF))

+- microsoft.cdn/profiles (Front Doors Standard/Premium (Preview))

+- Microsoft.Cdn/Profiles/AfdEndpoints (Endpoints)

+- microsoft.cdn/profiles/endpoints (Endpoints)

+- Microsoft.CertificateRegistration/certificateOrders (App Service Certificates)

+- microsoft.chaos/chaosexperiments (Chaos Experiments (Classic))

+- microsoft.chaos/experiments (Chaos Experiments)

+- microsoft.classicCompute/domainNames (Cloud services (classic))

+- Microsoft.ClassicCompute/VirtualMachines (Virtual machines (classic))

+- Microsoft.ClassicNetwork/networkSecurityGroups (Network security groups (classic))

+- Microsoft.ClassicNetwork/reservedIps (Reserved IP addresses (classic))

+- Microsoft.ClassicNetwork/virtualNetworks (Virtual networks (classic))

+- Microsoft.ClassicStorage/StorageAccounts (Storage accounts (classic))

+- microsoft.cloudes/accounts

+- microsoft.cloudsearch/indexes

+- Microsoft.CloudTest/accounts (CloudTest Accounts)

+- Microsoft.CloudTest/hostedpools (1ES Hosted Pools)

+- Microsoft.CloudTest/images (CloudTest Images)

+- Microsoft.CloudTest/pools (CloudTest Pools)

+- Microsoft.ClusterStor/nodes (ClusterStors)

+- microsoft.codesigning/codesigningaccounts

+- microsoft.codespaces/plans

+- Microsoft.Cognition/syntheticsAccounts (Synthetics Accounts)

+- Microsoft.CognitiveServices/accounts (Cognitive Services)

+- Microsoft.Compute/availabilitySets (Availability sets)

+- Microsoft.Compute/capacityReservationGroups (Capacity Reservation Groups)

+- microsoft.compute/capacityreservationgroups/capacityreservations

+- microsoft.compute/capacityreservations

+- Microsoft.Compute/cloudServices (Cloud services (extended support))

+- Microsoft.Compute/diskAccesses (Disk Accesses)

+- Microsoft.Compute/diskEncryptionSets (Disk Encryption Sets)

+- Microsoft.Compute/disks (Disks)

+- Microsoft.Compute/galleries (Azure compute galleries)

+- Microsoft.Compute/galleries/applications (VM application definitions)

+- Microsoft.Compute/galleries/applications/versions (VM application versions)

+- Microsoft.Compute/galleries/images (VM image definitions)

+- Microsoft.Compute/galleries/images/versions (VM image versions)

+- Microsoft.Compute/hostgroups (Host groups)

+- Microsoft.Compute/hostgroups/hosts (Hosts)

+- Microsoft.Compute/images (Images)

+- Microsoft.Compute/ProximityPlacementGroups (Proximity placement groups)

+- Microsoft.Compute/restorePointCollections (Restore Point Collections)

+- microsoft.compute/sharedvmextensions

+- microsoft.compute/sharedvmextensions/versions

+- microsoft.compute/sharedvmimages

+- microsoft.compute/sharedvmimages/versions

+- Microsoft.Compute/snapshots (Snapshots)

+- Microsoft.Compute/sshPublicKeys (SSH keys)

+- microsoft.compute/swiftlets

+- Microsoft.Compute/VirtualMachines (Virtual machines)

+ - Sample query: [Count of virtual machines by power state](../samples/samples-by-category.md#count-of-virtual-machines-by-power-state)

+ - Sample query: [Count virtual machines by OS type](../samples/samples-by-category.md#count-virtual-machines-by-os-type)

+ - Sample query: [Count virtual machines by OS type with extend](../samples/samples-by-category.md#count-virtual-machines-by-os-type-with-extend)

+ - Sample query: [List all extensions installed on a virtual machine](../samples/samples-by-category.md#list-all-extensions-installed-on-a-virtual-machine)

+ - Sample query: [List machines that are not running and the last compliance status](../samples/samples-by-category.md#list-machines-that-are-not-running-and-the-last-compliance-status)

+ - Sample query: [List of virtual machines by availability state and power state with Resource Ids and resource Groups](../samples/samples-by-category.md#list-of-virtual-machines-by-availability-state-and-power-state-with-resource-ids-and-resource-groups)

+ - Sample query: [List virtual machines with their network interface and public IP](../samples/samples-by-category.md#list-virtual-machines-with-their-network-interface-and-public-ip)

+ - Sample query: [Show all virtual machines ordered by name in descending order](../samples/samples-by-category.md#show-all-virtual-machines-ordered-by-name-in-descending-order)

+ - Sample query: [Show first five virtual machines by name and their OS type](../samples/samples-by-category.md#show-first-five-virtual-machines-by-name-and-their-os-type)

+ - Sample query: [Summarize virtual machine by the power states extended property](../samples/samples-by-category.md#summarize-virtual-machine-by-the-power-states-extended-property)

+ - Sample query: [Virtual machines matched by regex](../samples/samples-by-category.md#virtual-machines-matched-by-regex)

+- microsoft.compute/virtualmachines/extensions

+ - Sample query: [List all extensions installed on a virtual machine](../samples/samples-by-category.md#list-all-extensions-installed-on-a-virtual-machine)

+- microsoft.compute/virtualmachines/runcommands

+- Microsoft.Compute/virtualMachineScaleSets (Virtual machine scale sets)

+ - Sample query: [Get virtual machine scale set capacity and size](../samples/samples-by-category.md#get-virtual-machine-scale-set-capacity-and-size)

+- microsoft.compute/virtualmachinescalesets/virtualmachines/networkinterfaces/ipconfigurations/publicipaddresses

+- Microsoft.ConfidentialLedger/ledgers (Confidential Ledgers)

+- Microsoft.Confluent/organizations (Confluent organizations)

+- Microsoft.ConnectedCache/cacheNodes (Connected Cache Resources)

+- Microsoft.ConnectedCache/enterpriseCustomers (Connected Cache Resources)

+- Microsoft.ConnectedVehicle/platformAccounts (Connected Vehicle Platforms)

+- microsoft.connectedvmwarevsphere/clusters

+- microsoft.connectedvmwarevsphere/datastores

+- microsoft.connectedvmwarevsphere/hosts

+- microsoft.connectedvmwarevsphere/resourcepools

+- Microsoft.connectedVMwareVSphere/vCenters (VMware vCenters)

+- Microsoft.ConnectedVMwarevSphere/VirtualMachines (VMware + AVS virtual machines)

+- microsoft.connectedvmwarevsphere/virtualmachines/extensions

+- microsoft.connectedvmwarevsphere/virtualmachinetemplates

+- microsoft.connectedvmwarevsphere/virtualnetworks

+- Microsoft.ContainerInstance/containerGroups (Container instances)

+- Microsoft.ContainerRegistry/registries (Container registries)

+- microsoft.containerregistry/registries/agentpools

+- microsoft.containerregistry/registries/buildtasks

+- Microsoft.ContainerRegistry/registries/replications (Container registry replications)

+- microsoft.containerregistry/registries/taskruns

+- microsoft.containerregistry/registries/tasks

+- Microsoft.ContainerRegistry/registries/webhooks (Container registry webhooks)

+- microsoft.containerservice/containerservices

+- Microsoft.ContainerService/managedClusters (Kubernetes services)

+ - Sample query: [List impacted resources when transferring an Azure subscription](../samples/samples-by-category.md#list-impacted-resources-when-transferring-an-azure-subscription)

+- microsoft.containerservice/openshiftmanagedclusters

+- microsoft.containerservice/snapshots

+- microsoft.contoso/clusters

+- microsoft.contoso/employees

+- microsoft.contoso/installations

+- microsoft.contoso/towers

+- microsoft.costmanagement/connectors

+- microsoft.customproviders/resourceproviders

+- microsoft.d365customerinsights/instances

+- Microsoft.Dashboard/grafana (Grafana Workspaces)

+- Microsoft.DataBox/jobs (Azure Data Box)

+- Microsoft.DataBoxEdge/dataBoxEdgeDevices (Azure Stack Edge / Data Box Gateway)

+- Microsoft.Databricks/workspaces (Azure Databricks Services)

+- Microsoft.DataCatalog/catalogs (Data Catalog)

+- microsoft.datacatalog/datacatalogs

+- Microsoft.DataCollaboration/workspaces (Project CI)

+- Microsoft.Datadog/monitors (Datadog)

+- Microsoft.DataFactory/dataFactories (Data factories)

+- Microsoft.DataFactory/factories (Data factories (V2))

+- Microsoft.DataLakeAnalytics/accounts (Data Lake Analytics)

+- Microsoft.DataLakeStore/accounts (Data Lake Storage Gen1)

+ - Sample query: [List impacted resources when transferring an Azure subscription](../samples/samples-by-category.md#list-impacted-resources-when-transferring-an-azure-subscription)

+- microsoft.datamigration/controllers

+- Microsoft.DataMigration/services (Azure Database Migration Services)

+- Microsoft.DataMigration/services/projects (Azure Database Migration Projects)

+- microsoft.datamigration/slots

+- microsoft.datamigration/sqlmigrationservices (Azure Database Migration Services)

+- Microsoft.DataProtection/BackupVaults (Backup vaults)

+- Microsoft.DataProtection/resourceGuards (Resource Guards (Preview))

+- microsoft.dataprotection/resourceoperationgatekeepers

+- microsoft.datareplication/replicationfabrics

+- Microsoft.DataReplication/replicationVaults (Site Recovery Vaults)

+- Microsoft.DataShare/accounts (Data Shares)

+- Microsoft.DBforMariaDB/servers (Azure Database for MariaDB servers)

+- Microsoft.DBforMySQL/flexibleServers (Azure Database for MySQL flexible servers)

+- Microsoft.DBforMySQL/servers (Azure Database for MySQL servers)

+- Microsoft.DBforPostgreSQL/flexibleServers (Azure Database for PostgreSQL flexible servers)

+- Microsoft.DBforPostgreSQL/serverGroups (Azure Database for PostgreSQL server groups)

+- Microsoft.DBforPostgreSQL/serverGroupsv2 (Azure Database for PostgreSQL server groups)

+- Microsoft.DBforPostgreSQL/servers (Azure Database for PostgreSQL servers)

+- Microsoft.DBforPostgreSQL/serversv2 (Azure Database for PostgreSQL servers v2)

+- microsoft.dbforpostgresql/singleservers

+- microsoft.delegatednetwork/controller

+- microsoft.delegatednetwork/delegatedsubnets

+- microsoft.delegatednetwork/orchestratorinstances

+- microsoft.delegatednetwork/orchestrators

+- microsoft.deploymentmanager/artifactsources

+- Microsoft.DeploymentManager/Rollouts (Rollouts)

+- microsoft.deploymentmanager/servicetopologies

+- microsoft.deploymentmanager/servicetopologies/services

+- microsoft.deploymentmanager/servicetopologies/services/serviceunits

+- microsoft.deploymentmanager/steps

+- Microsoft.DesktopVirtualization/ApplicationGroups (Application groups)

+- Microsoft.DesktopVirtualization/HostPools (Host pools)

+- Microsoft.DesktopVirtualization/ScalingPlans (Scaling plans)

+- Microsoft.DesktopVirtualization/Workspaces (Workspaces)

+- microsoft.devai/instances

+- microsoft.devai/instances/experiments

+- microsoft.devai/instances/sandboxes

+- microsoft.devai/instances/sandboxes/experiments

+- microsoft.devices/elasticpools

+- microsoft.devices/elasticpools/iothubtenants

+- Microsoft.Devices/IotHubs (IoT Hub)

+- Microsoft.Devices/ProvisioningServices (Device Provisioning Services)

+- Microsoft.DeviceUpdate/Accounts (Device Update for IoT Hubs)

+- microsoft.deviceupdate/accounts/instances

+- microsoft.devops/pipelines (DevOps Starter)

+- microsoft.devspaces/controllers

+- microsoft.devtestlab/labcenters

+- Microsoft.DevTestLab/labs (DevTest Labs)

+- microsoft.devtestlab/labs/servicerunners

+- Microsoft.DevTestLab/labs/virtualMachines (Virtual machines)

+- microsoft.devtestlab/schedules

+- Microsoft.DigitalTwins/digitalTwinsInstances (Azure Digital Twins)

+- Microsoft.DocumentDB/cassandraClusters (Azure Managed Instance for Apache Cassandra)

+- Microsoft.DocumentDb/databaseAccounts (Azure Cosmos DB accounts)

+ - Sample query: [List Azure Cosmos DB with specific write locations](../samples/samples-by-category.md#list-azure-cosmos-db-with-specific-write-locations)

+- Microsoft.DomainRegistration/domains (App Service Domains)

+- microsoft.dynamics365fraudprotection/instances

+- Microsoft.EdgeOrder/addresses (Azure Edge Hardware Center Address)

+- microsoft.edgeorder/ordercollections

+- Microsoft.EdgeOrder/orderItems (Azure Edge Hardware Center)

+- microsoft.edgeorder/orders

+- Microsoft.Elastic/monitors (Elasticsearch (Elastic Cloud))

+- microsoft.enterpriseknowledgegraph/services

+- Microsoft.EventGrid/domains (Event Grid Domains)

+- microsoft.eventgrid/partnerdestinations

+- Microsoft.EventGrid/partnerNamespaces (Event Grid Partner Namespaces)

+- Microsoft.EventGrid/partnerRegistrations (Event Grid Partner Registrations)

+- Microsoft.EventGrid/partnerTopics (Event Grid Partner Topics)

+- Microsoft.EventGrid/systemTopics (Event Grid System Topics)

+- Microsoft.EventGrid/topics (Event Grid Topics)

+- Microsoft.EventHub/clusters (Event Hubs Clusters)

+- Microsoft.EventHub/namespaces (Event Hubs Namespaces)

+- Microsoft.Experimentation/experimentWorkspaces (Experiment Workspaces)

+- Microsoft.ExtendedLocation/CustomLocations (Custom locations)

+ - Sample query: [List Azure Arc-enabled custom locations with VMware or SCVMM enabled](../samples/samples-by-category.md#list-azure-arc-enabled-custom-locations-with-vmware-or-scvmm-enabled)

+- microsoft.falcon/namespaces

+- Microsoft.Fidalgo/devcenters (Fidalgo DevCenters)

+- microsoft.fidalgo/machinedefinitions

+- microsoft.fidalgo/networksettings

+- Microsoft.Fidalgo/projects (Fidalgo Projects)

+- Microsoft.Fidalgo/projects/environments (Fidalgo Environments)

+- microsoft.fidalgo/projects/pools

+- Microsoft.FluidRelay/fluidRelayServers (Fluid Relay)

+- microsoft.footprintmonitoring/profiles

+- microsoft.gaming/titles

+- Microsoft.Genomics/accounts (Genomics accounts)

+- microsoft.guestconfiguration/automanagedaccounts

+- Microsoft.HanaOnAzure/hanaInstances (SAP HANA on Azure)

+- Microsoft.HanaOnAzure/sapMonitors (Azure Monitors for SAP Solutions)

+- microsoft.hardwaresecuritymodules/dedicatedhsms

+- Microsoft.HDInsight/clusterpools (HDInsight cluster pools)

+- Microsoft.HDInsight/clusterpools/clusters (HDInsight gen2 clusters)

+- Microsoft.HDInsight/clusterpools/clusters/sessionclusters (HDInsight session clusters)

+- Microsoft.HDInsight/clusters (HDInsight clusters)

+- Microsoft.HealthBot/healthBots (Azure Health Bot)

+- Microsoft.HealthcareApis/services (Azure API for FHIR)

+- microsoft.healthcareapis/services/privateendpointconnections

+- Microsoft.HealthcareApis/workspaces (Healthcare APIs Workspaces)

+- Microsoft.HealthcareApis/workspaces/dicomservices (DICOM services)

+- Microsoft.HealthcareApis/workspaces/fhirservices (FHIR services)

+- Microsoft.HealthcareApis/workspaces/iotconnectors (IoT connectors)

+- Microsoft.HpcWorkbench/instances (HPC Workbenches (preview))

+- Microsoft.HybridCompute/machines (Servers - Azure Arc)

+ - Sample query: [Get count and percentage of Arc-enabled servers by domain](../samples/samples-by-category.md#get-count-and-percentage-of-arc-enabled-servers-by-domain)

+ - Sample query: [List all extensions installed on an Azure Arc-enabled server](../samples/samples-by-category.md#list-all-extensions-installed-on-an-azure-arc-enabled-server)

+ - Sample query: [List Arc-enabled servers not running latest released agent version](../samples/samples-by-category.md#list-arc-enabled-servers-not-running-latest-released-agent-version)

+- microsoft.hybridcompute/machines/extensions

+ - Sample query: [List all extensions installed on an Azure Arc-enabled server](../samples/samples-by-category.md#list-all-extensions-installed-on-an-azure-arc-enabled-server)

+- Microsoft.HybridCompute/privateLinkScopes (Azure Arc Private Link Scopes)

+- microsoft.hybridcontainerservice/provisionedclusters

+- Microsoft.HybridData/dataManagers (StorSimple Data Managers)

+- Microsoft.HybridNetwork/devices (Azure Network Function Manager ΓÇô Devices)

+- Microsoft.HybridNetwork/networkFunctions (Azure Network Function Manager ΓÇô Network Functions)

+- microsoft.hybridnetwork/virtualnetworkfunctions

+- Microsoft.ImportExport/jobs (Import/export jobs)

+- microsoft.industrydatalifecycle/basemodels

+- microsoft.industrydatalifecycle/custodiancollaboratives

+- microsoft.industrydatalifecycle/dataconsumercollaboratives

+- microsoft.industrydatalifecycle/derivedmodels

+- microsoft.industrydatalifecycle/membercollaboratives

+- microsoft.industrydatalifecycle/modelmappings

+- microsoft.industrydatalifecycle/pipelinesets

+- microsoft.insights/actiongroups

+- microsoft.insights/activitylogalerts

+- microsoft.insights/alertrules

+- microsoft.insights/autoscalesettings

+- microsoft.insights/components (Application Insights)

+- microsoft.insights/datacollectionendpoints (Data collection endpoints)

+- microsoft.insights/datacollectionrules (Data collection rules)

+- microsoft.insights/guestdiagnosticsettings

+- microsoft.insights/metricalerts

+- microsoft.insights/notificationgroups

+- microsoft.insights/notificationrules

+- Microsoft.Insights/privateLinkScopes (Azure Monitor Private Link Scopes)

+- microsoft.insights/querypacks

+- microsoft.insights/scheduledqueryrules

+- microsoft.insights/webtests (Availability tests)

+- microsoft.insights/workbooks (Azure Workbooks)

+- microsoft.insights/workbooktemplates (Azure Workbook Templates)

+- Microsoft.IntelligentITDigitalTwin/digitalTwins (Minervas)

+- Microsoft.IntelligentITDigitalTwin/digitalTwins/assets (Assets)

+- Microsoft.IntelligentITDigitalTwin/digitalTwins/executionPlans (Deployments)

+- Microsoft.IntelligentITDigitalTwin/digitalTwins/testPlans (Suites)

+- Microsoft.IntelligentITDigitalTwin/digitalTwins/tests (Scripts)

+- Microsoft.IoTCentral/IoTApps (IoT Central Applications)

+- microsoft.iotspaces/graph

+- microsoft.keyvault/hsmpools

+- microsoft.keyvault/managedhsms

+- Microsoft.KeyVault/vaults (Key vaults)

+ - Sample query: [Count key vault resources](../samples/samples-by-category.md#count-key-vault-resources)

+ - Sample query: [Key vaults with subscription name](../samples/samples-by-category.md#key-vaults-with-subscription-name)

+ - Sample query: [List impacted resources when transferring an Azure subscription](../samples/samples-by-category.md#list-impacted-resources-when-transferring-an-azure-subscription)

+- Microsoft.Kubernetes/connectedClusters (Kubernetes - Azure Arc)

+ - Sample query: [List all Azure Arc-enabled Kubernetes clusters without Azure Monitor extension](../samples/samples-by-category.md#list-all-azure-arc-enabled-kubernetes-clusters-without-azure-monitor-extension)

+ - Sample query: [List all Azure Arc-enabled Kubernetes resources](../samples/samples-by-category.md#list-all-azure-arc-enabled-kubernetes-resources)

+- Microsoft.Kusto/clusters (Azure Data Explorer Clusters)

+- Microsoft.Kusto/clusters/databases (Azure Data Explorer Databases)

+- Microsoft.LabServices/labAccounts (Lab Services)

+- microsoft.labservices/labplans

+- microsoft.labservices/labs

+- Microsoft.LoadTestService/LoadTests (Azure Load Testing)

+- Microsoft.Logic/integrationAccounts (Integration accounts)

+- Microsoft.Logic/integrationServiceEnvironments (Integration Service Environments)

+- Microsoft.Logic/integrationServiceEnvironments/managedApis (Managed Connector)

+- Microsoft.Logic/workflows (Logic apps)

+- Microsoft.Logz/monitors (Logz main account)

+- Microsoft.Logz/monitors/accounts (Logz sub account)

+- Microsoft.MachineLearning/commitmentPlans (Machine Learning Studio (classic) web service plans)

+- Microsoft.MachineLearning/webServices (Machine Learning Studio (classic) web services)

+- Microsoft.MachineLearning/workspaces (Machine Learning Studio (classic) workspaces)

+- microsoft.machinelearningcompute/operationalizationclusters

+- microsoft.machinelearningexperimentation/accounts/workspaces

+- microsoft.machinelearningservices/aisysteminventories

+- microsoft.machinelearningservices/modelinventories

+- microsoft.machinelearningservices/modelinventory

+- microsoft.machinelearningservices/virtualclusters

+- Microsoft.MachineLearningServices/workspaces (Machine learning)

+- microsoft.machinelearningservices/workspaces/batchendpoints

+- microsoft.machinelearningservices/workspaces/batchendpoints/deployments

+- microsoft.machinelearningservices/workspaces/inferenceendpoints

+- microsoft.machinelearningservices/workspaces/inferenceendpoints/deployments

+- Microsoft.MachineLearningServices/workspaces/onlineEndpoints (Machine learning online endpoints)

+- Microsoft.MachineLearningServices/workspaces/onlineEndpoints/deployments (Machine learning online deployments)

+- Microsoft.Maintenance/maintenanceConfigurations (Maintenance Configurations)

+- microsoft.maintenance/maintenancepolicies

+- microsoft.managedidentity/groups

+- Microsoft.ManagedIdentity/userAssignedIdentities (Managed Identities)

+ - Sample query: [List impacted resources when transferring an Azure subscription](../samples/samples-by-category.md#list-impacted-resources-when-transferring-an-azure-subscription)

+- microsoft.managednetwork/managednetworkgroups

+- microsoft.managednetwork/managednetworkpeeringpolicies

+- microsoft.managednetwork/managednetworks

+- microsoft.managednetwork/managednetworks/managednetworkgroups

+- microsoft.managednetwork/managednetworks/managednetworkpeeringpolicies

+- Microsoft.Maps/accounts (Azure Maps Accounts)

+- Microsoft.Maps/accounts/creators (Azure Maps Creator Resources)

+- microsoft.maps/accounts/privateatlases

+- Microsoft.MarketplaceApps/classicDevServices (Classic Dev Services)

+- microsoft.media/mediaservices (Media Services)

+- microsoft.media/mediaservices/liveevents (Live events)

+- microsoft.media/mediaservices/streamingendpoints (Streaming Endpoints)

+- microsoft.media/mediaservices/transforms

+- microsoft.media/videoanalyzers (Video Analyzers)

+- microsoft.microservices4spring/appclusters

+- microsoft.migrate/assessmentprojects

+- microsoft.migrate/migrateprojects

+- microsoft.migrate/movecollections

+- Microsoft.Migrate/projects (Migration projects)

+- Microsoft.MixedReality/holographicsBroadcastAccounts (Holographics Broadcast Accounts)

+- Microsoft.MixedReality/objectAnchorsAccounts (Object Anchors Accounts)

+- Microsoft.MixedReality/objectUnderstandingAccounts (Object Understanding Accounts)

+- Microsoft.MixedReality/remoteRenderingAccounts (Remote Rendering Accounts)

+- Microsoft.MixedReality/spatialAnchorsAccounts (Spatial Anchors Accounts)

+- microsoft.mixedreality/surfacereconstructionaccounts

+- Microsoft.MobileNetwork/mobileNetworks (Mobile Networks)

+- microsoft.mobilenetwork/mobilenetworks/datanetworks

+- Microsoft.MobileNetwork/mobileNetworks/services (Services)

+- microsoft.mobilenetwork/mobilenetworks/simpolicies

+- Microsoft.MobileNetwork/mobileNetworks/sites (Mobile Network Sites)

+- microsoft.mobilenetwork/mobilenetworks/slices

+- microsoft.mobilenetwork/networks

+- microsoft.mobilenetwork/networks/sites

+- Microsoft.MobileNetwork/packetCoreControlPlanes (Arc for network functions ΓÇô Packet Cores)

+- microsoft.mobilenetwork/packetcorecontrolplanes/packetcoredataplanes

+- microsoft.mobilenetwork/packetcorecontrolplanes/packetcoredataplanes/attacheddatanetworks

+- Microsoft.MobileNetwork/sims (Sims)

+- microsoft.mobilenetwork/sims/simprofiles

+- microsoft.monitor/accounts

+- Microsoft.NetApp/netAppAccounts (NetApp accounts)

+- microsoft.netapp/netappaccounts/backuppolicies

+- Microsoft.NetApp/netAppAccounts/capacityPools (Capacity pools)

+- Microsoft.NetApp/netAppAccounts/capacityPools/Volumes (Volumes)

+- microsoft.netapp/netappaccounts/capacitypools/volumes/mounttargets

+- Microsoft.NetApp/netAppAccounts/capacityPools/volumes/snapshots (Snapshots)

+- microsoft.netapp/netappaccounts/capacitypools/volumes/subvolumes

+- Microsoft.NetApp/netAppAccounts/snapshotPolicies (Snapshot policies)

+- Microsoft.Network/applicationGateways (Application gateways)

+- Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies (Web application firewall policies (WAF))

+- Microsoft.Network/applicationSecurityGroups (Application security groups)

+- Microsoft.Network/azureFirewalls (Firewalls)

+- Microsoft.Network/bastionHosts (Bastions)

+- Microsoft.Network/connections (Connections)

+- Microsoft.Network/customIpPrefixes (Custom IP Prefixes)

+- microsoft.network/ddoscustompolicies

+- Microsoft.Network/ddosProtectionPlans (DDoS protection plans)

+- Microsoft.Network/dnsForwardingRulesets (Dns Forwarding Rulesets)

+- Microsoft.Network/dnsResolvers (DNS Private Resolvers)

+- Microsoft.Network/dnsZones (DNS zones)

+- microsoft.network/dscpconfigurations

+- Microsoft.Network/expressRouteCircuits (ExpressRoute circuits)

+- microsoft.network/expressroutecrossconnections

+- microsoft.network/expressroutegateways

+- Microsoft.Network/expressRoutePorts (ExpressRoute Direct)

+- Microsoft.Network/firewallPolicies (Firewall Policies)

+- microsoft.network/firewallpolicies/rulegroups

+- Microsoft.Network/frontdoors (Front Doors)

+- Microsoft.Network/FrontDoorWebApplicationFirewallPolicies (Web Application Firewall policies (WAF))

+- microsoft.network/ipallocations

+- Microsoft.Network/ipGroups (IP Groups)

+- Microsoft.Network/LoadBalancers (Load balancers)

+- Microsoft.Network/localnetworkgateways (Local network gateways)

+- microsoft.network/mastercustomipprefixes

+- Microsoft.Network/natGateways (NAT gateways)

+- Microsoft.Network/NetworkExperimentProfiles (Internet Analyzer profiles)

+- microsoft.network/networkintentpolicies

+- Microsoft.Network/networkinterfaces (Network interfaces)

+ - Sample query: [Get virtual networks and subnets of network interfaces](../samples/samples-by-category.md#get-virtual-networks-and-subnets-of-network-interfaces)

+ - Sample query: [List virtual machines with their network interface and public IP](../samples/samples-by-category.md#list-virtual-machines-with-their-network-interface-and-public-ip)

+- Microsoft.Network/networkManagers (Network Managers)

+- microsoft.network/networkprofiles

+- Microsoft.Network/NetworkSecurityGroups (Network security groups)

+ - Sample query: [Show unassociated network security groups](../samples/samples-by-category.md#show-unassociated-network-security-groups)

+- microsoft.network/networksecurityperimeters

+- microsoft.network/networkvirtualappliances

+- microsoft.network/networkwatchers (Network Watchers)

+- microsoft.network/networkwatchers/connectionmonitors

+- microsoft.network/networkwatchers/flowlogs (NSG Flow Logs)

+- microsoft.network/networkwatchers/lenses

+- microsoft.network/networkwatchers/pingmeshes

+- microsoft.network/p2svpngateways

+- Microsoft.Network/privateDnsZones (Private DNS zones)

+- microsoft.network/privatednszones/virtualnetworklinks

+- microsoft.network/privateendpointredirectmaps

+- Microsoft.Network/privateEndpoints (Private endpoints)

+- Microsoft.Network/privateLinkServices (Private link services)

+- Microsoft.Network/PublicIpAddresses (Public IP addresses)

+ - Sample query: [List virtual machines with their network interface and public IP](../samples/samples-by-category.md#list-virtual-machines-with-their-network-interface-and-public-ip)

+- Microsoft.Network/publicIpPrefixes (Public IP Prefixes)

+- Microsoft.Network/routeFilters (Route filters)

+- Microsoft.Network/routeTables (Route tables)

+- microsoft.network/sampleresources

+- microsoft.network/securitypartnerproviders

+- Microsoft.Network/serviceEndpointPolicies (Service endpoint policies)

+- Microsoft.Network/trafficmanagerprofiles (Traffic Manager profiles)

+- microsoft.network/virtualhubs

+- microsoft.network/virtualhubs/bgpconnections

+- microsoft.network/virtualhubs/ipconfigurations

+- Microsoft.Network/virtualNetworkGateways (Virtual network gateways)

+- Microsoft.Network/virtualNetworks (Virtual networks)

+- microsoft.network/virtualnetworktaps

+- microsoft.network/virtualrouters

+- Microsoft.Network/virtualWans (Virtual WANs)

+- microsoft.network/vpngateways

+- microsoft.network/vpnserverconfigurations

+- microsoft.network/vpnsites

+- microsoft.networkfunction/azuretrafficcollectors

+- Microsoft.NotificationHubs/namespaces (Notification Hub Namespaces)

+- Microsoft.NotificationHubs/namespaces/notificationHubs (Notification Hubs)

+- microsoft.nutanix/interfaces

+- microsoft.nutanix/nodes

+- microsoft.objectstore/osnamespaces

+- microsoft.offazure/hypervsites

+- microsoft.offazure/importsites

+- microsoft.offazure/mastersites

+- microsoft.offazure/serversites

+- microsoft.offazure/vmwaresites

+- Microsoft.OpenEnergyPlatform/energyServices (Azure OpenEnergy)

+- microsoft.openlogisticsplatform/applicationworkspaces

+- Microsoft.OpenLogisticsPlatform/workspaces (Open Supply Chain Platform)

+- microsoft.operationalinsights/clusters

+- Microsoft.OperationalInsights/querypacks (Log Analytics query packs)

+- Microsoft.OperationalInsights/workspaces (Log Analytics workspaces)

+- Microsoft.OperationsManagement/solutions (Solutions)

+- microsoft.operationsmanagement/views

+- Microsoft.Orbital/contactProfiles (Contact Profiles)

+- Microsoft.Orbital/EdgeSites (Edge Sites)

+- Microsoft.Orbital/GroundStations (Ground Stations)

+- Microsoft.Orbital/l2Connections (L2 Connections)

+- microsoft.orbital/orbitalendpoints

+- microsoft.orbital/orbitalgateways

+- microsoft.orbital/orbitalgateways/orbitall2connections

+- microsoft.orbital/orbitalgateways/orbitall3connections

+- Microsoft.Orbital/spacecrafts (Spacecrafts)

+- Microsoft.Peering/peerings (Peerings)

+- Microsoft.Peering/peeringServices (Peering Services)

+- Microsoft.PlayFab/playerAccountPools (Player account pools)

+- Microsoft.PlayFab/titles (PlayFab titles)

+- Microsoft.Portal/dashboards (Shared dashboards)

+- microsoft.portalsdk/rootresources

+- microsoft.powerbi/privatelinkservicesforpowerbi

+- microsoft.powerbi/tenants

+- microsoft.powerbi/workspacecollections

+- microsoft.powerbidedicated/autoscalevcores

+- Microsoft.PowerBIDedicated/capacities (Power BI Embedded)

+- microsoft.powerplatform/accounts

+- microsoft.powerplatform/enterprisepolicies

+- microsoft.projectbabylon/accounts

+- microsoft.providerhubdevtest/regionalstresstests

+- Microsoft.Purview/Accounts (Purview accounts)

+- Microsoft.Quantum/Workspaces (Quantum Workspaces)

+- Microsoft.RecommendationsService/accounts (Intelligent Recommendations Accounts)

+- Microsoft.RecommendationsService/accounts/modeling (Modeling)

+- Microsoft.RecommendationsService/accounts/serviceEndpoints (Service Endpoints)

+- Microsoft.RecoveryServices/vaults (Recovery Services vaults)

+- microsoft.recoveryservices/vaults/replicationfabrics/replicationprotectioncontainers/replicationprotecteditems

+- microsoft.recoveryservices/vaults/replicationfabrics/replicationrecoveryservicesproviders

+- Microsoft.RedHatOpenShift/OpenShiftClusters (Azure Red Hat OpenShift)

+- Microsoft.Relay/namespaces (Relays)

+- microsoft.remoteapp/collections

+- microsoft.resiliency/chaosexperiments

+- Microsoft.ResourceConnector/Appliances (Resource bridges)

+- Microsoft.resourcegraph/queries (Resource Graph queries)

+- Microsoft.Resources/deploymentScripts (Deployment Scripts)

+- Microsoft.Resources/templateSpecs (Template specs)

+- microsoft.resources/templatespecs/versions

+- Microsoft.SaaS/applications (Software as a Service (classic))

+- Microsoft.SaaS/resources (SaaS)

+- Microsoft.Scheduler/jobCollections (Scheduler Job Collections)

+- Microsoft.Scom/managedInstances (Aquila Instances)

+- microsoft.scvmm/availabilitysets

+- microsoft.scvmm/clouds

+- Microsoft.scvmm/virtualMachines (SCVMM virtual machine - Azure Arc)

+- microsoft.scvmm/virtualmachinetemplates

+- microsoft.scvmm/virtualnetworks

+- microsoft.scvmm/vmmservers

+- Microsoft.Search/searchServices (Search services)

+- microsoft.security/assignments

+- microsoft.security/automations

+- microsoft.security/customassessmentautomations

+- microsoft.security/customentitystoreassignments

+- microsoft.security/iotsecuritysolutions

+- microsoft.security/securityconnectors

+- microsoft.security/standards

+- Microsoft.SecurityDetonation/chambers (Security Detonation Chambers)

+- Microsoft.ServiceBus/namespaces (Service Bus Namespaces)

+- Microsoft.ServiceFabric/clusters (Service Fabric clusters)

+- microsoft.servicefabric/containergroupsets

+- Microsoft.ServiceFabric/managedclusters (Service Fabric managed clusters)

+- microsoft.servicefabricmesh/applications

+- microsoft.servicefabricmesh/gateways

+- microsoft.servicefabricmesh/networks

+- microsoft.servicefabricmesh/secrets

+- microsoft.servicefabricmesh/volumes

+- Microsoft.ServicesHub/connectors (Services Hub Connectors)

+- Microsoft.SignalRService/SignalR (SignalR)

+- Microsoft.SignalRService/WebPubSub (Web PubSub Service)

+- microsoft.singularity/accounts

+- microsoft.skytap/nodes

+- microsoft.solutions/appliancedefinitions

+- microsoft.solutions/appliances

+- Microsoft.Solutions/applicationDefinitions (Service catalog managed application definitions)

+- Microsoft.Solutions/applications (Managed applications)

+- microsoft.solutions/jitrequests

+- microsoft.spoolservice/spools

+- Microsoft.Sql/instancePools (Instance pools)

+- Microsoft.Sql/managedInstances (SQL managed instances)

+- Microsoft.Sql/managedInstances/databases (Managed databases)

+- Microsoft.Sql/servers (SQL servers)

+- Microsoft.Sql/servers/databases (SQL databases)

+ - Sample query: [List impacted resources when transferring an Azure subscription](../samples/samples-by-category.md#list-impacted-resources-when-transferring-an-azure-subscription)

+ - Sample query: [List SQL Databases and their elastic pools](../samples/samples-by-category.md#list-sql-databases-and-their-elastic-pools)

+- Microsoft.Sql/servers/elasticpools (SQL elastic pools)

+ - Sample query: [List SQL Databases and their elastic pools](../samples/samples-by-category.md#list-sql-databases-and-their-elastic-pools)

+- microsoft.sql/servers/jobaccounts

+- Microsoft.Sql/servers/jobAgents (Elastic Job agents)

+- Microsoft.Sql/virtualClusters (Virtual clusters)

+- microsoft.sqlvirtualmachine/sqlvirtualmachinegroups

+- Microsoft.SqlVirtualMachine/SqlVirtualMachines (SQL virtual machines)

+- microsoft.sqlvm/dwvm

+- microsoft.storage/datamovers

+- Microsoft.Storage/StorageAccounts (Storage accounts)

+ - Sample query: [Find storage accounts with a specific case-insensitive tag on the resource group](../samples/samples-by-category.md#find-storage-accounts-with-a-specific-case-insensitive-tag-on-the-resource-group)

+ - Sample query: [Find storage accounts with a specific case-sensitive tag on the resource group](../samples/samples-by-category.md#find-storage-accounts-with-a-specific-case-sensitive-tag-on-the-resource-group)

+ - Sample query: [List all storage accounts with specific tag value](../samples/samples-by-category.md#list-all-storage-accounts-with-specific-tag-value)

+ - Sample query: [List impacted resources when transferring an Azure subscription](../samples/samples-by-category.md#list-impacted-resources-when-transferring-an-azure-subscription)

+- Microsoft.StorageCache/amlFilesystems (Lustre File Systems)

+- Microsoft.StorageCache/caches (HPC caches)

+- Microsoft.StoragePool/diskPools (Disk Pools)

+- Microsoft.StorageSync/storageSyncServices (Storage Sync Services)

+- Microsoft.StorageSyncDev/storageSyncServices (Storage Sync Services)

+- Microsoft.StorageSyncInt/storageSyncServices (Storage Sync Services)

+- Microsoft.StorSimple/Managers (StorSimple Device Managers)

+- Microsoft.StreamAnalytics/clusters (Stream Analytics clusters)

+- Microsoft.StreamAnalytics/StreamingJobs (Stream Analytics jobs)

+- microsoft.swiftlet/virtualmachines

+- microsoft.swiftlet/virtualmachinesnapshots

+- Microsoft.Synapse/privateLinkHubs (Azure Synapse Analytics (private link hubs))

+- Microsoft.Synapse/workspaces (Azure Synapse Analytics)

+- Microsoft.Synapse/workspaces/bigDataPools (Apache Spark pools)

+- microsoft.synapse/workspaces/eventstreams

+- Microsoft.Synapse/workspaces/kustopools (Data Explorer pools (preview))

+- microsoft.synapse/workspaces/sqldatabases

+- Microsoft.Synapse/workspaces/sqlPools (Dedicated SQL pools)

+- microsoft.terraformoss/providerregistrations

+- Microsoft.TestBase/testBaseAccounts (Test Base Accounts)

+- microsoft.testbase/testbaseaccounts/packages

+- microsoft.testbase/testbases

+- Microsoft.TimeSeriesInsights/environments (Time Series Insights environments)

+- Microsoft.TimeSeriesInsights/environments/eventsources (Time Series Insights event sources)

+- Microsoft.TimeSeriesInsights/environments/referenceDataSets (Time Series Insights reference data sets)

+- microsoft.token/stores

+- microsoft.tokenvault/vaults

+- Microsoft.VideoIndexer/accounts (Video Analyzer for Media)

+- Microsoft.VirtualMachineImages/imageTemplates (Image Templates)

+- microsoft.visualstudio/account (Azure DevOps organizations)

+- microsoft.visualstudio/account/extension

+- microsoft.visualstudio/account/project (DevOps Starter)

+- microsoft.vmware/arczones

+- microsoft.vmware/resourcepools

+- microsoft.vmware/vcenters

+- microsoft.vmware/virtualmachines

+- microsoft.vmware/virtualmachinetemplates

+- microsoft.vmware/virtualnetworks

+- Microsoft.VMwareCloudSimple/dedicatedCloudNodes (CloudSimple Nodes)

+- Microsoft.VMwareCloudSimple/dedicatedCloudServices (CloudSimple Services)

+- Microsoft.VMwareCloudSimple/virtualMachines (CloudSimple Virtual Machines)

+- microsoft.vmwareonazure/privateclouds

+- microsoft.vmwarevirtustream/privateclouds

+- microsoft.vsonline/accounts

+- Microsoft.VSOnline/Plans (Visual Studio Online Plans)

+- microsoft.web/apimanagementaccounts

+- microsoft.web/apimanagementaccounts/apis

+- microsoft.web/certificates

+- Microsoft.Web/connectionGateways (On-premises data gateways)

+- Microsoft.Web/connections (API Connections)

+- Microsoft.Web/containerApps (Container Apps)

+- Microsoft.Web/customApis (Logic Apps Custom Connector)

+- Microsoft.Web/HostingEnvironments (App Service Environments)

+- Microsoft.Web/KubeEnvironments (App Service Kubernetes Environments)

+- Microsoft.Web/serverFarms (App Service plans)

+- Microsoft.Web/sites (App Services)

+- microsoft.web/sites/premieraddons

+- Microsoft.Web/sites/slots (App Service (Slots))

+- Microsoft.Web/StaticSites (Static Web Apps)

+- microsoft.web/workerapps

+- Microsoft.WindowsESU/multipleActivationKeys (Windows Multiple Activation Keys)

+- Microsoft.WindowsIoT/DeviceServices (Windows 10 IoT Core Services)

+- microsoft.workloadbuilder/migrationagents

+- microsoft.workloadbuilder/workloads

+- microsoft.workloads/monitors

+- Microsoft.Workloads/phpworkloads (Linux workloads (LAMP) (preview))

+- Microsoft.Workloads/sapVirtualInstances (SAP Virtual Instances)

+- Microsoft.Workloads/sapVirtualInstances/applicationInstances (SAP app server instances)

+- Microsoft.Workloads/sapVirtualInstances/centralInstances (SAP central server instances)

+- Microsoft.Workloads/sapVirtualInstances/databaseInstances (SAP database server instances)

+- myget.packagemanagement/services

+- NGINX.NGINXPLUS/nginxDeployments (NGINX Deployment)

+- Paraleap.CloudMonix/services (CloudMonix)

+- Pokitdok.Platform/services (PokitDok Platform)

+- private.arsenv1/resourcetype1

+- private.contoso/employees

+- private.flows/flows

+- Providers.Test/statefulIbizaEngines (My Resources)

+- RavenHq.Db/databases (RavenHQ)

+- Raygun.CrashReporting/apps (Raygun)

+- Sendgrid.Email/accounts (SendGrid Accounts)

+- sparkpost.basic/services

+- stackify.retrace/services

+- test.shoebox/testresources

+- test.shoebox/testresources2

+- TrendMicro.DeepSecurity/accounts (Deep Security SaaS)

+- u2uconsult.theidentityhub/services

+- Wandisco.Fusion/fusionGroups (LiveData Planes)

+- Wandisco.Fusion/fusionGroups/azureZones (Azure Zones)

+- Wandisco.Fusion/fusionGroups/azureZones/plugins (Plugins)

+- Wandisco.Fusion/fusionGroups/hiveReplicationRules (Hive Replication Rules)

+- Wandisco.Fusion/fusionGroups/managedOnPremZones (On-premises Zones)

+- wandisco.fusion/fusiongroups/onpremzones

+- Wandisco.Fusion/fusionGroups/replicationRules (Replication Rules)

+- Wandisco.Fusion/migrators (LiveData Migrators)

+- Wandisco.Fusion/migrators/exclusionTemplates (Exclusions)

+- Wandisco.Fusion/migrators/liveDataMigrations (Migrations)

+- Wandisco.Fusion/migrators/metadataMigrations (Metadata Migrations)

+- Wandisco.Fusion/migrators/metadataTargets (Metadata Targets)

+- Wandisco.Fusion/migrators/pathMappings (Path Mappings)

+- Wandisco.Fusion/migrators/targets (Targets)

+## securityresources

+For sample queries for this table, see [Resource Graph sample queries for securityresources](../samples/samples-by-table.md#securityresources).

+- microsoft.security/assessments

+ - Sample query: [Count healthy, unhealthy, and not applicable resources per recommendation](../samples/samples-by-category.md#count-healthy-unhealthy-and-not-applicable-resources-per-recommendation)

+ - Sample query: [List Azure Security Center recommendations](../samples/samples-by-category.md#list-azure-security-center-recommendations)

+ - Sample query: [List Container Registry vulnerability assessment results](../samples/samples-by-category.md#list-container-registry-vulnerability-assessment-results)

+ - Sample query: [List Qualys vulnerability assessment results](../samples/samples-by-category.md#list-qualys-vulnerability-assessment-results)

+- microsoft.security/assessments/subassessments

+ - Sample query: [List Container Registry vulnerability assessment results](../samples/samples-by-category.md#list-container-registry-vulnerability-assessment-results)

+ - Sample query: [List Qualys vulnerability assessment results](../samples/samples-by-category.md#list-qualys-vulnerability-assessment-results)

+- microsoft.security/insights/classification (Data Sensitivity Security Insights (Preview))

+ - Sample query: [Get sensitivity insight of a specific resource](../samples/samples-by-category.md)

+- microsoft.security/iotalerts

+ - Sample query: [Get all IoT alerts on hub, filtered by type](../samples/samples-by-category.md#get-all-iot-alerts-on-hub-filtered-by-type)

+ - Sample query: [Get specific IoT alert](../samples/samples-by-category.md#get-specific-iot-alert)

+- microsoft.security/locations/alerts (Security Alerts)

+- microsoft.security/pricings

+ - Sample query: [Show Azure Defender pricing tier per subscription](../samples/samples-by-category.md#show-azure-defender-pricing-tier-per-subscription)

+- microsoft.security/regulatorycompliancestandards

+ - Sample query: [Regulatory compliance state per compliance standard](../samples/samples-by-category.md#regulatory-compliance-state-per-compliance-standard)

+- microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols

+- microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments

+ - Sample query: [Regulatory compliance assessments state](../samples/samples-by-category.md#regulatory-compliance-assessments-state)

+- microsoft.security/securescores

+ - Sample query: [Secure score per management group](../samples/samples-by-category.md#secure-score-per-management-group)

+ - Sample query: [Secure score per subscription](../samples/samples-by-category.md#secure-score-per-subscription)

+- microsoft.security/securescores/securescorecontrols

+ - Sample query: [Controls secure score per subscription](../samples/samples-by-category.md#controls-secure-score-per-subscription)

+- microsoft.security/softwareinventories

+- microsoft.security/softwareinventory

+## servicehealthresources

+For sample queries for this table, see [Resource Graph sample queries for servicehealthresources](../samples/samples-by-table.md#servicehealthresources).

+- microsoft.resourcehealth/events

+ - Sample query: [Active Service Health event subscription impact](../samples/samples-by-category.md#active-service-health-event-subscription-impact)

+ - Sample query: [All active health advisory events](../samples/samples-by-category.md#all-active-health-advisory-events)

+ - Sample query: [All active planned maintenance events](../samples/samples-by-category.md#all-active-planned-maintenance-events)

+ - Sample query: [All active Service Health events](../samples/samples-by-category.md#all-active-service-health-events)

+ - Sample query: [All active service issue events](../samples/samples-by-category.md#all-active-service-issue-events)

+## workloadmonitorresources

+- microsoft.workloadmonitor/monitors

+## Next steps

+- Learn more about the [query language](../concepts/query-language.md).

+- Learn more about how to [explore resources](../concepts/explore-resources.md).

+- See samples of [Starter queries](../samples/starter.md).

+ Title: Advanced query samples

+description: Use Azure Resource Graph to run some advanced queries, including working with columns, listing tags used, and matching resources with regular expressions.

+# Advanced Resource Graph query samples

+The first step to understanding queries with Azure Resource Graph is a basic understanding of the

+[Query Language](../concepts/query-language.md). If you aren't already familiar with [Azure Data

+Explorer](/azure/data-explorer/data-explorer-overview), it's recommended to review the basics

+to understand how to compose requests for the resources you're looking for.

+We'll walk through the following advanced queries:

+- [Show API version for each resource type](#show-api-version-for-each-resource-type)

+- [Get virtual machine scale set capacity and size](#get-virtual-machine-scale-set-capacity-and-size)

+- [Remove columns from results](#remove-columns-from-results)

+- [List all tag names](#list-all-tag-names)

+- [Virtual machines matched by regex](#virtual-machines-matched-by-regex)

+- [List Azure Cosmos DB with specific write locations](#list-azure-cosmos-db-with-specific-write-locations)

+- [Key vaults with subscription name](#key-vaults-with-subscription-name)

+- [List SQL Databases and their elastic pools](#list-sql-databases-and-their-elastic-pools)

+- [List virtual machines with their network interface and public IP](#list-virtual-machines-with-their-network-interface-and-public-ip)

+- [List all extensions installed on a virtual machine](#list-all-extensions-installed-on-a-virtual-machine)

+- [Find storage accounts with a specific tag on the resource group](#find-storage-accounts-with-a-specific-tag-on-the-resource-group)

+- [Combine results from two queries into a single result](#combine-results-from-two-queries-into-a-single-result)

+- [Get virtual networks and subnets of network interfaces](#get-virtual-networks-and-subnets-of-network-interfaces)

+- [Summarize virtual machine by the power states extended property](#summarize-virtual-machine-by-the-power-states-extended-property)

+If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free)

+before you begin.

+## Language support

+Azure CLI (through an extension) and Azure PowerShell (through a module) support Azure Resource

+Graph. Before running any of the following queries, check that your environment is ready. See

+[Azure CLI](../first-query-azurecli.md#install-the-extension) and [Azure

+PowerShell](../first-query-powershell.md#install-the-module) for steps to install and

+validate your shell environment of choice.

+## Show API version for each resource type

+Resource Graph primarily uses the most recent non-preview version of a Resource Provider API to

+`GET` resource properties during an update. In some cases, the API version used has been overridden

+to provide more current or widely used properties in the results. The following query details the

+API version used for gathering properties on each resource type:

+```kusto

+Resources

+| distinct type, apiVersion

+| where isnotnull(apiVersion)

+| order by type asc

+```

+# [Azure CLI](#tab/azure-cli)

+```azurecli

+az graph query -q "Resources | distinct type, apiVersion | where isnotnull(apiVersion) | order by type asc"

+```

+# [Azure PowerShell](#tab/azure-powershell)

+```azurepowershell-interactive

+Search-AzGraph -Query "Resources | distinct type, apiVersion | where isnotnull(apiVersion) | order by type asc"

+```

+# [Portal](#tab/azure-portal)

+Try this query in Azure Resource Graph Explorer:

+- Azure portal: <a href="https://portal.azure.com/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20distinct%20type%2C%20apiVersion%0D%0A%7C%20where%20isnotnull%28apiVersion%29%0D%0A%7C%20order%20by%20type%20asc" target="_blank">portal.azure.com</a>

+- Azure Government portal: <a href="https://portal.azure.us/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20distinct%20type%2C%20apiVersion%0D%0A%7C%20where%20isnotnull%28apiVersion%29%0D%0A%7C%20order%20by%20type%20asc" target="_blank">portal.azure.us</a>

+- Microsoft Azure operated by 21Vianet portal: <a href="https://portal.azure.cn/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20distinct%20type%2C%20apiVersion%0D%0A%7C%20where%20isnotnull%28apiVersion%29%0D%0A%7C%20order%20by%20type%20asc" target="_blank">portal.azure.cn</a>

+## Get virtual machine scale set capacity and size

+This query looks for virtual machine scale set resources and gets various details including the

+virtual machine size and the capacity of the scale set. The query uses the `toint()` function to

+cast the capacity to a number so that it can be sorted. Finally, the columns are renamed into custom

+named properties.

+```kusto

+Resources

+| where type=~ 'microsoft.compute/virtualmachinescalesets'

+| where name contains 'contoso'

+| project subscriptionId, name, location, resourceGroup, Capacity = toint(sku.capacity), Tier = sku.name

+| order by Capacity desc

+```

+# [Azure CLI](#tab/azure-cli)

+```azurecli

+az graph query -q "Resources | where type=~ 'microsoft.compute/virtualmachinescalesets' | where name contains 'contoso' | project subscriptionId, name, location, resourceGroup, Capacity = toint(sku.capacity), Tier = sku.name | order by Capacity desc"

+```

+# [Azure PowerShell](#tab/azure-powershell)

+```azurepowershell-interactive

+Search-AzGraph -Query "Resources | where type=~ 'microsoft.compute/virtualmachinescalesets' | where name contains 'contoso' | project subscriptionId, name, location, resourceGroup, Capacity = toint(sku.capacity), Tier = sku.name | order by Capacity desc"

+```

+# [Portal](#tab/azure-portal)

+Try this query in Azure Resource Graph Explorer:

+- Azure portal: <a href="https://portal.azure.com/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20where%20type%3D~%20%27microsoft.compute%2Fvirtualmachinescalesets%27%0D%0A%7C%20where%20name%20contains%20%27contoso%27%0D%0A%7C%20project%20subscriptionId%2C%20name%2C%20location%2C%20resourceGroup%2C%20Capacity%20%3D%20toint%28sku.capacity%29%2C%20Tier%20%3D%20sku.name%0D%0A%7C%20order%20by%20Capacity%20desc" target="_blank">portal.azure.com</a>

+- Azure Government portal: <a href="https://portal.azure.us/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20where%20type%3D~%20%27microsoft.compute%2Fvirtualmachinescalesets%27%0D%0A%7C%20where%20name%20contains%20%27contoso%27%0D%0A%7C%20project%20subscriptionId%2C%20name%2C%20location%2C%20resourceGroup%2C%20Capacity%20%3D%20toint%28sku.capacity%29%2C%20Tier%20%3D%20sku.name%0D%0A%7C%20order%20by%20Capacity%20desc" target="_blank">portal.azure.us</a>

+- Azure operated by 21Vianet portal: <a href="https://portal.azure.cn/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20where%20type%3D~%20%27microsoft.compute%2Fvirtualmachinescalesets%27%0D%0A%7C%20where%20name%20contains%20%27contoso%27%0D%0A%7C%20project%20subscriptionId%2C%20name%2C%20location%2C%20resourceGroup%2C%20Capacity%20%3D%20toint%28sku.capacity%29%2C%20Tier%20%3D%20sku.name%0D%0A%7C%20order%20by%20Capacity%20desc" target="_blank">portal.azure.cn</a>

+## Remove columns from results

+The following query uses `summarize` to count resources by subscription, `join` to combine it with

+subscription details from _ResourceContainers_ table, then `project-away` to remove some of the

+columns.

+```kusto

+Resources

+| summarize resourceCount=count() by subscriptionId

+| join (ResourceContainers | where type=='microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId

+| project-away subscriptionId, subscriptionId1

+```

+# [Azure CLI](#tab/azure-cli)

+```azurecli

+az graph query -q "Resources | summarize resourceCount=count() by subscriptionId | join (ResourceContainers | where type=='microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId| project-away subscriptionId, subscriptionId1"

+```

+# [Azure PowerShell](#tab/azure-powershell)

+```azurepowershell-interactive

+Search-AzGraph -Query "Resources | summarize resourceCount=count() by subscriptionId | join (ResourceContainers | where type=='microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId| project-away subscriptionId, subscriptionId1"

+```

+# [Portal](#tab/azure-portal)

+Try this query in Azure Resource Graph Explorer:

+- Azure portal: <a href="https://portal.azure.com/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20summarize%20resourceCount%3Dcount%28%29%20by%20subscriptionId%0D%0A%7C%20join%20%28ResourceContainers%20%7C%20where%20type%3D%3D%27microsoft.resources%2Fsubscriptions%27%20%7C%20project%20SubName%3Dname%2C%20subscriptionId%29%20on%20subscriptionId%0D%0A%7C%20project-away%20subscriptionId%2C%20subscriptionId1" target="_blank">portal.azure.com</a>

+- Azure Government portal: <a href="https://portal.azure.us/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20summarize%20resourceCount%3Dcount%28%29%20by%20subscriptionId%0D%0A%7C%20join%20%28ResourceContainers%20%7C%20where%20type%3D%3D%27microsoft.resources%2Fsubscriptions%27%20%7C%20project%20SubName%3Dname%2C%20subscriptionId%29%20on%20subscriptionId%0D%0A%7C%20project-away%20subscriptionId%2C%20subscriptionId1" target="_blank">portal.azure.us</a>

+- Azure operated by 21Vianet portal: <a href="https://portal.azure.cn/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20summarize%20resourceCount%3Dcount%28%29%20by%20subscriptionId%0D%0A%7C%20join%20%28ResourceContainers%20%7C%20where%20type%3D%3D%27microsoft.resources%2Fsubscriptions%27%20%7C%20project%20SubName%3Dname%2C%20subscriptionId%29%20on%20subscriptionId%0D%0A%7C%20project-away%20subscriptionId%2C%20subscriptionId1" target="_blank">portal.azure.cn</a>

+## List all tag names

+This query starts with the tag and builds a JSON object listing all unique tag names and their

+corresponding types.

+```kusto

+Resources

+| project tags

+| summarize buildschema(tags)

+```

+# [Azure CLI](#tab/azure-cli)

+```azurecli

+az graph query -q "Resources | project tags | summarize buildschema(tags)"

+```

+# [Azure PowerShell](#tab/azure-powershell)

+```azurepowershell-interactive

+Search-AzGraph -Query "Resources | project tags | summarize buildschema(tags)"

+```

+# [Portal](#tab/azure-portal)

+Try this query in Azure Resource Graph Explorer:

+- Azure portal: <a href="https://portal.azure.com/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20project%20tags%0D%0A%7C%20summarize%20buildschema%28tags%29" target="_blank">portal.azure.com</a>

+- Azure Government portal: <a href="https://portal.azure.us/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20project%20tags%0D%0A%7C%20summarize%20buildschema%28tags%29" target="_blank">portal.azure.us</a>

+- Azure operated by 21Vianet portal: <a href="https://portal.azure.cn/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20project%20tags%0D%0A%7C%20summarize%20buildschema%28tags%29" target="_blank">portal.azure.cn</a>

+## Virtual machines matched by regex

+This query looks for virtual machines that match a [regular expression](/dotnet/standard/base-types/regular-expression-language-quick-reference)

+(known as _regex_). The **matches regex \@** allows us to define the regex to match, which is `^Contoso(.*)[0-9]+$`.

+That regex definition is explained as:

+- `^` - Match must start at the beginning of the string.

+- `Contoso` - The case-sensitive string.

+- `(.*)` - A subexpression match:

+ - `.` - Matches any single character (except a new line).

+ - `*` - Matches previous element zero or more times.

+- `[0-9]` - Character group match for numbers 0 through 9.

+- `+` - Matches previous element one or more times.

+- `$` - Match of the previous element must occur at the end of the string.

+After matching by name, the query projects the name and orders by name ascending.

+```kusto

+Resources

+| where type =~ 'microsoft.compute/virtualmachines' and name matches regex @'^Contoso(.*)[0-9]+$'

+| project name

+| order by name asc

+```

+# [Azure CLI](#tab/azure-cli)

+```azurecli

+az graph query -q "Resources | where type =~ 'microsoft.compute/virtualmachines' and name matches regex @'^Contoso(.*)[0-9]+\$' | project name | order by name asc"

+```

+# [Azure PowerShell](#tab/azure-powershell)

+```azurepowershell-interactive

+Search-AzGraph -Query "Resources | where type =~ 'microsoft.compute/virtualmachines' and name matches regex @'^Contoso(.*)[0-9]+$' | project name | order by name asc"

+```

+# [Portal](#tab/azure-portal)

+Try this query in Azure Resource Graph Explorer:

+- Azure portal: <a href="https://portal.azure.com/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20where%20type%20%3D~%20%27microsoft.compute%2Fvirtualmachines%27%20and%20name%20matches%20regex%20%40%27%5EContoso%28.%2A%29%5B0-9%5D%2B%24%27%0D%0A%7C%20project%20name%0D%0A%7C%20order%20by%20name%20asc" target="_blank">portal.azure.com</a>

+- Azure Government portal: <a href="https://portal.azure.us/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20where%20type%20%3D~%20%27microsoft.compute%2Fvirtualmachines%27%20and%20name%20matches%20regex%20%40%27%5EContoso%28.%2A%29%5B0-9%5D%2B%24%27%0D%0A%7C%20project%20name%0D%0A%7C%20order%20by%20name%20asc" target="_blank">portal.azure.us</a>

+- Azure operated by 21Vianet portal: <a href="https://portal.azure.cn/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20where%20type%20%3D~%20%27microsoft.compute%2Fvirtualmachines%27%20and%20name%20matches%20regex%20%40%27%5EContoso%28.%2A%29%5B0-9%5D%2B%24%27%0D%0A%7C%20project%20name%0D%0A%7C%20order%20by%20name%20asc" target="_blank">portal.azure.cn</a>

+## List Azure Cosmos DB with specific write locations

+The following query limits to Azure Cosmos DB resources, uses `mv-expand` to expand the property bag

+for **properties.writeLocations**, then project specific fields and limit the results further to

+**properties.writeLocations.locationName** values matching either 'East US' or 'West US'.

+```kusto

+Resources

+| where type =~ 'microsoft.documentdb/databaseaccounts'

+| project id, name, writeLocations = (properties.writeLocations)

+| mv-expand writeLocations

+| project id, name, writeLocation = tostring(writeLocations.locationName)

+| where writeLocation in ('East US', 'West US')

+| summarize by id, name

+```

+# [Azure CLI](#tab/azure-cli)

+```azurecli

+az graph query -q "Resources | where type =~ 'microsoft.documentdb/databaseaccounts' | project id, name, writeLocations = (properties.writeLocations) | mv-expand writeLocations | project id, name, writeLocation = tostring(writeLocations.locationName) | where writeLocation in ('East US', 'West US') | summarize by id, name"

+```

+# [Azure PowerShell](#tab/azure-powershell)

+```azurepowershell-interactive

+Search-AzGraph -Query "Resources | where type =~ 'microsoft.documentdb/databaseaccounts' | project id, name, writeLocations = (properties.writeLocations) | mv-expand writeLocations | project id, name, writeLocation = tostring(writeLocations.locationName) | where writeLocation in ('East US', 'West US') | summarize by id, name"

+```

+# [Portal](#tab/azure-portal)

+Try this query in Azure Resource Graph Explorer:

+- Azure portal: <a href="https://portal.azure.com/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20where%20type%20%3D~%20%27microsoft.documentdb%2Fdatabaseaccounts%27%0D%0A%7C%20project%20id%2C%20name%2C%20writeLocations%20%3D%20%28properties.writeLocations%29%0D%0A%7C%20mv-expand%20writeLocations%0D%0A%7C%20project%20id%2C%20name%2C%20writeLocation%20%3D%20tostring%28writeLocations.locationName%29%0D%0A%7C%20where%20writeLocation%20in%20%28%27East%20US%27%2C%20%27West%20US%27%29%0D%0A%7C%20summarize%20by%20id%2C%20name" target="_blank">portal.azure.com</a>

+- Azure Government portal: <a href="https://portal.azure.us/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20where%20type%20%3D~%20%27microsoft.documentdb%2Fdatabaseaccounts%27%0D%0A%7C%20project%20id%2C%20name%2C%20writeLocations%20%3D%20%28properties.writeLocations%29%0D%0A%7C%20mv-expand%20writeLocations%0D%0A%7C%20project%20id%2C%20name%2C%20writeLocation%20%3D%20tostring%28writeLocations.locationName%29%0D%0A%7C%20where%20writeLocation%20in%20%28%27East%20US%27%2C%20%27West%20US%27%29%0D%0A%7C%20summarize%20by%20id%2C%20name" target="_blank">portal.azure.us</a>

+- Azure operated by 21Vianet portal: <a href="https://portal.azure.cn/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20where%20type%20%3D~%20%27microsoft.documentdb%2Fdatabaseaccounts%27%0D%0A%7C%20project%20id%2C%20name%2C%20writeLocations%20%3D%20%28properties.writeLocations%29%0D%0A%7C%20mv-expand%20writeLocations%0D%0A%7C%20project%20id%2C%20name%2C%20writeLocation%20%3D%20tostring%28writeLocations.locationName%29%0D%0A%7C%20where%20writeLocation%20in%20%28%27East%20US%27%2C%20%27West%20US%27%29%0D%0A%7C%20summarize%20by%20id%2C%20name" target="_blank">portal.azure.cn</a>

+## Key vaults with subscription name

+The following query shows a complex use of `join` with **kind** as _leftouter_. The query limits the

+joined table to subscriptions resources and with `project` to include only the original field

+_subscriptionId_ and the _name_ field renamed to _SubName_. The field rename avoids `join` adding it

+as _name1_ since the field already exists in _resources_. The original table is filtered with

+`where` and the following `project` includes columns from both tables. The query result is all key

+vaults displaying type, the name of the key vault, and the name of the subscription it's in.

+```kusto

+Resources

+| join kind=leftouter (ResourceContainers | where type=='microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId

+| where type == 'microsoft.keyvault/vaults'

+| project type, name, SubName

+```

+# [Azure CLI](#tab/azure-cli)

+```azurecli

+az graph query -q "Resources | join kind=leftouter (ResourceContainers | where type=='microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId | where type == 'microsoft.keyvault/vaults' | project type, name, SubName"

+```

+# [Azure PowerShell](#tab/azure-powershell)

+```azurepowershell-interactive

+Search-AzGraph -Query "Resources | join kind=leftouter (ResourceContainers | where type=='microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId | where type == 'microsoft.keyvault/vaults' | project type, name, SubName"

+```

+# [Portal](#tab/azure-portal)

+Try this query in Azure Resource Graph Explorer:

+- Azure portal: <a href="https://portal.azure.com/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20join%20kind%3Dleftouter%20%28ResourceContainers%20%7C%20where%20type%3D%3D%27microsoft.resources%2Fsubscriptions%27%20%7C%20project%20SubName%3Dname%2C%20subscriptionId%29%20on%20subscriptionId%0D%0A%7C%20where%20type%20%3D%3D%20%27microsoft.keyvault%2Fvaults%27%0D%0A%7C%20project%20type%2C%20name%2C%20SubName" target="_blank">portal.azure.com</a>

+- Azure Government portal: <a href="https://portal.azure.us/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20join%20kind%3Dleftouter%20%28ResourceContainers%20%7C%20where%20type%3D%3D%27microsoft.resources%2Fsubscriptions%27%20%7C%20project%20SubName%3Dname%2C%20subscriptionId%29%20on%20subscriptionId%0D%0A%7C%20where%20type%20%3D%3D%20%27microsoft.keyvault%2Fvaults%27%0D%0A%7C%20project%20type%2C%20name%2C%20SubName" target="_blank">portal.azure.us</a>

+- Azure operated by 21Vianet portal: <a href="https://portal.azure.cn/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20join%20kind%3Dleftouter%20%28ResourceContainers%20%7C%20where%20type%3D%3D%27microsoft.resources%2Fsubscriptions%27%20%7C%20project%20SubName%3Dname%2C%20subscriptionId%29%20on%20subscriptionId%0D%0A%7C%20where%20type%20%3D%3D%20%27microsoft.keyvault%2Fvaults%27%0D%0A%7C%20project%20type%2C%20name%2C%20SubName" target="_blank">portal.azure.cn</a>

+## List SQL Databases and their elastic pools

+The following query uses **leftouter** `join` to bring together SQL Database resources and their

+related elastic pools, if they've any.

+```kusto

+Resources

+| where type =~ 'microsoft.sql/servers/databases'

+| project databaseId = id, databaseName = name, elasticPoolId = tolower(tostring(properties.elasticPoolId))

+| join kind=leftouter (

+ Resources

+ | where type =~ 'microsoft.sql/servers/elasticpools'

+ | project elasticPoolId = tolower(id), elasticPoolName = name, elasticPoolState = properties.state)

+on elasticPoolId

+| project-away elasticPoolId1

+```

+# [Azure CLI](#tab/azure-cli)

+```azurecli

+az graph query -q "Resources | where type =~ 'microsoft.sql/servers/databases' | project databaseId = id, databaseName = name, elasticPoolId = tolower(tostring(properties.elasticPoolId)) | join kind=leftouter ( Resources | where type =~ 'microsoft.sql/servers/elasticpools' | project elasticPoolId = tolower(id), elasticPoolName = name, elasticPoolState = properties.state) on elasticPoolId | project-away elasticPoolId1"

+```

+# [Azure PowerShell](#tab/azure-powershell)

+```azurepowershell-interactive

+Search-AzGraph -Query "Resources | where type =~ 'microsoft.sql/servers/databases' | project databaseId = id, databaseName = name, elasticPoolId = tolower(tostring(properties.elasticPoolId)) | join kind=leftouter ( Resources | where type =~ 'microsoft.sql/servers/elasticpools' | project elasticPoolId = tolower(id), elasticPoolName = name, elasticPoolState = properties.state) on elasticPoolId | project-away elasticPoolId1"

+```

+# [Portal](#tab/azure-portal)

+Try this query in Azure Resource Graph Explorer:

+- Azure portal: <a href="https://portal.azure.com/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20where%20type%20%3D~%20%27microsoft.sql%2Fservers%2Fdatabases%27%0D%0A%7C%20project%20databaseId%20%3D%20id%2C%20databaseName%20%3D%20name%2C%20elasticPoolId%20%3D%20tolower%28tostring%28properties.elasticPoolId%29%29%0D%0A%7C%20join%20kind%3Dleftouter%20%28%0D%0A%20%20%20%20Resources%0D%0A%20%20%20%20%7C%20where%20type%20%3D~%20%27microsoft.sql%2Fservers%2Felasticpools%27%0D%0A%20%20%20%20%7C%20project%20elasticPoolId%20%3D%20tolower%28id%29%2C%20elasticPoolName%20%3D%20name%2C%20elasticPoolState%20%3D%20properties.state%29%0D%0Aon%20elasticPoolId%0D%0A%7C%20project-away%20elasticPoolId1" target="_blank">portal.azure.com</a>

+- Azure Government portal: <a href="https://portal.azure.us/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20where%20type%20%3D~%20%27microsoft.sql%2Fservers%2Fdatabases%27%0D%0A%7C%20project%20databaseId%20%3D%20id%2C%20databaseName%20%3D%20name%2C%20elasticPoolId%20%3D%20tolower%28tostring%28properties.elasticPoolId%29%29%0D%0A%7C%20join%20kind%3Dleftouter%20%28%0D%0A%20%20%20%20Resources%0D%0A%20%20%20%20%7C%20where%20type%20%3D~%20%27microsoft.sql%2Fservers%2Felasticpools%27%0D%0A%20%20%20%20%7C%20project%20elasticPoolId%20%3D%20tolower%28id%29%2C%20elasticPoolName%20%3D%20name%2C%20elasticPoolState%20%3D%20properties.state%29%0D%0Aon%20elasticPoolId%0D%0A%7C%20project-away%20elasticPoolId1" target="_blank">portal.azure.us</a>

+- Azure operated by 21Vianet portal: <a href="https://portal.azure.cn/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20where%20type%20%3D~%20%27microsoft.sql%2Fservers%2Fdatabases%27%0D%0A%7C%20project%20databaseId%20%3D%20id%2C%20databaseName%20%3D%20name%2C%20elasticPoolId%20%3D%20tolower%28tostring%28properties.elasticPoolId%29%29%0D%0A%7C%20join%20kind%3Dleftouter%20%28%0D%0A%20%20%20%20Resources%0D%0A%20%20%20%20%7C%20where%20type%20%3D~%20%27microsoft.sql%2Fservers%2Felasticpools%27%0D%0A%20%20%20%20%7C%20project%20elasticPoolId%20%3D%20tolower%28id%29%2C%20elasticPoolName%20%3D%20name%2C%20elasticPoolState%20%3D%20properties.state%29%0D%0Aon%20elasticPoolId%0D%0A%7C%20project-away%20elasticPoolId1" target="_blank">portal.azure.cn</a>

+## List virtual machines with their network interface and public IP

+This query uses two **leftouter** `join` commands to bring together virtual machines created with

+the Resource Manager deployment model, their related network interfaces, and any public IP address

+related to those network interfaces.

+```kusto

+Resources

+| where type =~ 'microsoft.compute/virtualmachines'

+| extend nics=array_length(properties.networkProfile.networkInterfaces)

+| mv-expand nic=properties.networkProfile.networkInterfaces

+| where nics == 1 or nic.properties.primary =~ 'true' or isempty(nic)

+| project vmId = id, vmName = name, vmSize=tostring(properties.hardwareProfile.vmSize), nicId = tostring(nic.id)

+| join kind=leftouter (

+ Resources

+ | where type =~ 'microsoft.network/networkinterfaces'

+ | extend ipConfigsCount=array_length(properties.ipConfigurations)

+ | mv-expand ipconfig=properties.ipConfigurations

+ | where ipConfigsCount == 1 or ipconfig.properties.primary =~ 'true'

+ | project nicId = id, publicIpId = tostring(ipconfig.properties.publicIPAddress.id))

+on nicId

+| project-away nicId1

+| summarize by vmId, vmName, vmSize, nicId, publicIpId

+| join kind=leftouter (

+ Resources

+ | where type =~ 'microsoft.network/publicipaddresses'

+ | project publicIpId = id, publicIpAddress = properties.ipAddress)

+on publicIpId

+| project-away publicIpId1

+```

+# [Azure CLI](#tab/azure-cli)

+```azurecli

+az graph query -q "Resources | where type =~ 'microsoft.compute/virtualmachines' | extend nics=array_length(properties.networkProfile.networkInterfaces) | mv-expand nic=properties.networkProfile.networkInterfaces | where nics == 1 or nic.properties.primary =~ 'true' or isempty(nic) | project vmId = id, vmName = name, vmSize=tostring(properties.hardwareProfile.vmSize), nicId = tostring(nic.id) | join kind=leftouter ( Resources | where type =~ 'microsoft.network/networkinterfaces' | extend ipConfigsCount=array_length(properties.ipConfigurations) | mv-expand ipconfig=properties.ipConfigurations | where ipConfigsCount == 1 or ipconfig.properties.primary =~ 'true' | project nicId = id, publicIpId = tostring(ipconfig.properties.publicIPAddress.id)) on nicId | project-away nicId1 | summarize by vmId, vmName, vmSize, nicId, publicIpId | join kind=leftouter ( Resources | where type =~ 'microsoft.network/publicipaddresses' | project publicIpId = id, publicIpAddress = properties.ipAddress) on publicIpId | project-away publicIpId1"

+```

+# [Azure PowerShell](#tab/azure-powershell)

+```azurepowershell-interactive

+Search-AzGraph -Query "Resources | where type =~ 'microsoft.compute/virtualmachines' | extend nics=array_length(properties.networkProfile.networkInterfaces) | mv-expand nic=properties.networkProfile.networkInterfaces | where nics == 1 or nic.properties.primary =~ 'true' or isempty(nic) | project vmId = id, vmName = name, vmSize=tostring(properties.hardwareProfile.vmSize), nicId = tostring(nic.id) | join kind=leftouter ( Resources | where type =~ 'microsoft.network/networkinterfaces' | extend ipConfigsCount=array_length(properties.ipConfigurations) | mv-expand ipconfig=properties.ipConfigurations | where ipConfigsCount == 1 or ipconfig.properties.primary =~ 'true' | project nicId = id, publicIpId = tostring(ipconfig.properties.publicIPAddress.id)) on nicId | project-away nicId1 | summarize by vmId, vmName, vmSize, nicId, publicIpId | join kind=leftouter ( Resources | where type =~ 'microsoft.network/publicipaddresses' | project publicIpId = id, publicIpAddress = properties.ipAddress) on publicIpId | project-away publicIpId1"

+```

+# [Portal](#tab/azure-portal)

+Try this query in Azure Resource Graph Explorer:

+- Azure portal: <a href="https://portal.azure.com/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20where%20type%20%3D~%20%27microsoft.compute%2Fvirtualmachines%27%0D%0A%7C%20extend%20nics%3Darray_length%28properties.networkProfile.networkInterfaces%29%20%0D%0A%7C%20mv-expand%20nic%3Dproperties.networkProfile.networkInterfaces%20%0D%0A%7C%20where%20nics%20%3D%3D%201%20or%20nic.properties.primary%20%3D~%20%27true%27%20or%20isempty%28nic%29%20%0D%0A%7C%20project%20vmId%20%3D%20id%2C%20vmName%20%3D%20name%2C%20vmSize%3Dtostring%28properties.hardwareProfile.vmSize%29%2C%20nicId%20%3D%20tostring%28nic.id%29%20%0D%0A%7C%20join%20kind%3Dleftouter%20%28%0D%0A%20%20%20%20Resources%0D%0A%20%20%20%20%7C%20where%20type%20%3D~%20%27microsoft.network%2Fnetworkinterfaces%27%0D%0A%20%20%20%20%7C%20extend%20ipConfigsCount%3Darray_length%28properties.ipConfigurations%29%20%0D%0A%20%20%20%20%7C%20mv-expand%20ipconfig%3Dproperties.ipConfigurations%20%0D%0A%20%20%20%20%7C%20where%20ipConfigsCount%20%3D%3D%201%20or%20ipconfig.properties.primary%20%3D~%20%27true%27%0D%0A%20%20%20%20%7C%20project%20nicId%20%3D%20id%2C%20publicIpId%20%3D%20tostring%28ipconfig.properties.publicIPAddress.id%29%29%0D%0Aon%20nicId%0D%0A%7C%20project-away%20nicId1%0D%0A%7C%20summarize%20by%20vmId%2C%20vmName%2C%20vmSize%2C%20nicId%2C%20publicIpId%0D%0A%7C%20join%20kind%3Dleftouter%20%28%0D%0A%20%20%20%20Resources%0D%0A%20%20%20%20%7C%20where%20type%20%3D~%20%27microsoft.network%2Fpublicipaddresses%27%0D%0A%20%20%20%20%7C%20project%20publicIpId%20%3D%20id%2C%20publicIpAddress%20%3D%20properties.ipAddress%29%0D%0Aon%20publicIpId%0D%0A%7C%20project-away%20publicIpId1" target="_blank">portal.azure.com</a>

+- Azure Government portal: <a href="https://portal.azure.us/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20where%20type%20%3D~%20%27microsoft.compute%2Fvirtualmachines%27%0D%0A%7C%20extend%20nics%3Darray_length%28properties.networkProfile.networkInterfaces%29%20%0D%0A%7C%20mv-expand%20nic%3Dproperties.networkProfile.networkInterfaces%20%0D%0A%7C%20where%20nics%20%3D%3D%201%20or%20nic.properties.primary%20%3D~%20%27true%27%20or%20isempty%28nic%29%20%0D%0A%7C%20project%20vmId%20%3D%20id%2C%20vmName%20%3D%20name%2C%20vmSize%3Dtostring%28properties.hardwareProfile.vmSize%29%2C%20nicId%20%3D%20tostring%28nic.id%29%20%0D%0A%7C%20join%20kind%3Dleftouter%20%28%0D%0A%20%20%20%20Resources%0D%0A%20%20%20%20%7C%20where%20type%20%3D~%20%27microsoft.network%2Fnetworkinterfaces%27%0D%0A%20%20%20%20%7C%20extend%20ipConfigsCount%3Darray_length%28properties.ipConfigurations%29%20%0D%0A%20%20%20%20%7C%20mv-expand%20ipconfig%3Dproperties.ipConfigurations%20%0D%0A%20%20%20%20%7C%20where%20ipConfigsCount%20%3D%3D%201%20or%20ipconfig.properties.primary%20%3D~%20%27true%27%0D%0A%20%20%20%20%7C%20project%20nicId%20%3D%20id%2C%20publicIpId%20%3D%20tostring%28ipconfig.properties.publicIPAddress.id%29%29%0D%0Aon%20nicId%0D%0A%7C%20project-away%20nicId1%0D%0A%7C%20summarize%20by%20vmId%2C%20vmName%2C%20vmSize%2C%20nicId%2C%20publicIpId%0D%0A%7C%20join%20kind%3Dleftouter%20%28%0D%0A%20%20%20%20Resources%0D%0A%20%20%20%20%7C%20where%20type%20%3D~%20%27microsoft.network%2Fpublicipaddresses%27%0D%0A%20%20%20%20%7C%20project%20publicIpId%20%3D%20id%2C%20publicIpAddress%20%3D%20properties.ipAddress%29%0D%0Aon%20publicIpId%0D%0A%7C%20project-away%20publicIpId1" target="_blank">portal.azure.us</a>

+- Azure operated by 21Vianet portal: <a href="https://portal.azure.cn/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20where%20type%20%3D~%20%27microsoft.compute%2Fvirtualmachines%27%0D%0A%7C%20extend%20nics%3Darray_length%28properties.networkProfile.networkInterfaces%29%20%0D%0A%7C%20mv-expand%20nic%3Dproperties.networkProfile.networkInterfaces%20%0D%0A%7C%20where%20nics%20%3D%3D%201%20or%20nic.properties.primary%20%3D~%20%27true%27%20or%20isempty%28nic%29%20%0D%0A%7C%20project%20vmId%20%3D%20id%2C%20vmName%20%3D%20name%2C%20vmSize%3Dtostring%28properties.hardwareProfile.vmSize%29%2C%20nicId%20%3D%20tostring%28nic.id%29%20%0D%0A%7C%20join%20kind%3Dleftouter%20%28%0D%0A%20%20%20%20Resources%0D%0A%20%20%20%20%7C%20where%20type%20%3D~%20%27microsoft.network%2Fnetworkinterfaces%27%0D%0A%20%20%20%20%7C%20extend%20ipConfigsCount%3Darray_length%28properties.ipConfigurations%29%20%0D%0A%20%20%20%20%7C%20mv-expand%20ipconfig%3Dproperties.ipConfigurations%20%0D%0A%20%20%20%20%7C%20where%20ipConfigsCount%20%3D%3D%201%20or%20ipconfig.properties.primary%20%3D~%20%27true%27%0D%0A%20%20%20%20%7C%20project%20nicId%20%3D%20id%2C%20publicIpId%20%3D%20tostring%28ipconfig.properties.publicIPAddress.id%29%29%0D%0Aon%20nicId%0D%0A%7C%20project-away%20nicId1%0D%0A%7C%20summarize%20by%20vmId%2C%20vmName%2C%20vmSize%2C%20nicId%2C%20publicIpId%0D%0A%7C%20join%20kind%3Dleftouter%20%28%0D%0A%20%20%20%20Resources%0D%0A%20%20%20%20%7C%20where%20type%20%3D~%20%27microsoft.network%2Fpublicipaddresses%27%0D%0A%20%20%20%20%7C%20project%20publicIpId%20%3D%20id%2C%20publicIpAddress%20%3D%20properties.ipAddress%29%0D%0Aon%20publicIpId%0D%0A%7C%20project-away%20publicIpId1" target="_blank">portal.azure.cn</a>

+## List all extensions installed on a virtual machine

+First, this query uses `extend` on the virtual machines resource type to get the ID in uppercase

+(`toupper()`) the ID, get the operating system name and type, and get the virtual machine size.

+Getting the resource ID in upper case is a good way to prepare to join to another property. Then,

+the query uses `join` with **kind** as _leftouter_ to get virtual machine extensions by matching an

+upper cased `substring` of the extension ID. The portion of the ID before

+"/extensions/\<ExtensionName\>" is the same format as the virtual machines ID, so we use this

+property for the `join`. `summarize` is then used with `make_list` on the name of the virtual

+machine extension to combine the name of each extension where _id_, _OSName_, _OSType_, and _VMSize_

+are the same into a single array property. Lastly, we `order by` the lower cased _OSName_ with

+**asc**. By default, `order by` is descending.

+```kusto

+Resources

+| where type == 'microsoft.compute/virtualmachines'

+| extend

+ JoinID = toupper(id),

+ OSName = tostring(properties.osProfile.computerName),

+ OSType = tostring(properties.storageProfile.osDisk.osType),

+ VMSize = tostring(properties.hardwareProfile.vmSize)

+| join kind=leftouter(

+ Resources

+ | where type == 'microsoft.compute/virtualmachines/extensions'

+ | extend

+ VMId = toupper(substring(id, 0, indexof(id, '/extensions'))),

+ ExtensionName = name

+) on $left.JoinID == $right.VMId

+| summarize Extensions = make_list(ExtensionName) by id, OSName, OSType, VMSize

+| order by tolower(OSName) asc

+```

+# [Azure CLI](#tab/azure-cli)

+```azurecli

+az graph query -q "Resources | where type == 'microsoft.compute/virtualmachines' | extend JoinID = toupper(id), OSName = tostring(properties.osProfile.computerName), OSType = tostring(properties.storageProfile.osDisk.osType), VMSize = tostring(properties.hardwareProfile.vmSize) | join kind=leftouter( Resources | where type == 'microsoft.compute/virtualmachines/extensions' | extend VMId = toupper(substring(id, 0, indexof(id, '/extensions'))), ExtensionName = name ) on \$left.JoinID == \$right.VMId | summarize Extensions = make_list(ExtensionName) by id, OSName, OSType, VMSize | order by tolower(OSName) asc"

+```

+# [Azure PowerShell](#tab/azure-powershell)

+```azurepowershell-interactive

+Search-AzGraph -Query "Resources | where type == 'microsoft.compute/virtualmachines' | extend JoinID = toupper(id), OSName = tostring(properties.osProfile.computerName), OSType = tostring(properties.storageProfile.osDisk.osType), VMSize = tostring(properties.hardwareProfile.vmSize) | join kind=leftouter( Resources | where type == 'microsoft.compute/virtualmachines/extensions' | extend VMId = toupper(substring(id, 0, indexof(id, '/extensions'))), ExtensionName = name ) on `$left.JoinID == `$right.VMId | summarize Extensions = make_list(ExtensionName) by id, OSName, OSType, VMSize | order by tolower(OSName) asc"

+```

+# [Portal](#tab/azure-portal)

+Try this query in Azure Resource Graph Explorer:

+- Azure portal: <a href="https://portal.azure.com/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0A%7C%20where%20type%20%3D%3D%20'microsoft.compute%2Fvirtualmachines'%0A%7C%20extend%0A%20%20%20%20JoinID%20%3D%20toupper(id)%2C%0A%20%20%20%20OSName%20%3D%20tostring(properties.osProfile.computerName)%2C%0A%20%20%20%20OSType%20%3D%20tostring(properties.storageProfile.osDisk.osType)%2C%0A%20%20%20%20VMSize%20%3D%20tostring(properties.hardwareProfile.vmSize)%0A%7C%20join%20kind%3Dleftouter(%0A%20%20%20%20Resources%0A%20%20%20%20%7C%20where%20type%20%3D%3D%20'microsoft.compute%2Fvirtualmachines%2Fextensions'%0A%20%20%20%20%7C%20extend%20%0A%20%20%20%20%20%20%20%20VMId%20%3D%20toupper(substring(id%2C%200%2C%20indexof(id%2C%20'%2Fextensions')))%2C%0A%20%20%20%20%20%20%20%20ExtensionName%20%3D%20name%0A)%20on%20%24left.JoinID%20%3D%3D%20%24right.VMId%0A%7C%20summarize%20Extensions%20%3D%20make_list(ExtensionName)%20by%20id%2C%20OSName%2C%20OSType%2C%20VMSize%0A%7C%20order%20by%20tolower(OSName)%20asc" target="_blank">portal.azure.com</a>

+- Azure Government portal: <a href="https://portal.azure.us/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0A%7C%20where%20type%20%3D%3D%20'microsoft.compute%2Fvirtualmachines'%0A%7C%20extend%0A%20%20%20%20JoinID%20%3D%20toupper(id)%2C%0A%20%20%20%20OSName%20%3D%20tostring(properties.osProfile.computerName)%2C%0A%20%20%20%20OSType%20%3D%20tostring(properties.storageProfile.osDisk.osType)%2C%0A%20%20%20%20VMSize%20%3D%20tostring(properties.hardwareProfile.vmSize)%0A%7C%20join%20kind%3Dleftouter(%0A%20%20%20%20Resources%0A%20%20%20%20%7C%20where%20type%20%3D%3D%20'microsoft.compute%2Fvirtualmachines%2Fextensions'%0A%20%20%20%20%7C%20extend%20%0A%20%20%20%20%20%20%20%20VMId%20%3D%20toupper(substring(id%2C%200%2C%20indexof(id%2C%20'%2Fextensions')))%2C%0A%20%20%20%20%20%20%20%20ExtensionName%20%3D%20name%0A)%20on%20%24left.JoinID%20%3D%3D%20%24right.VMId%0A%7C%20summarize%20Extensions%20%3D%20make_list(ExtensionName)%20by%20id%2C%20OSName%2C%20OSType%2C%20VMSize%0A%7C%20order%20by%20tolower(OSName)%20asc" target="_blank">portal.azure.us</a>

+- Azure operated by 21Vianet portal: <a href="https://portal.azure.cn/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0A%7C%20where%20type%20%3D%3D%20'microsoft.compute%2Fvirtualmachines'%0A%7C%20extend%0A%20%20%20%20JoinID%20%3D%20toupper(id)%2C%0A%20%20%20%20OSName%20%3D%20tostring(properties.osProfile.computerName)%2C%0A%20%20%20%20OSType%20%3D%20tostring(properties.storageProfile.osDisk.osType)%2C%0A%20%20%20%20VMSize%20%3D%20tostring(properties.hardwareProfile.vmSize)%0A%7C%20join%20kind%3Dleftouter(%0A%20%20%20%20Resources%0A%20%20%20%20%7C%20where%20type%20%3D%3D%20'microsoft.compute%2Fvirtualmachines%2Fextensions'%0A%20%20%20%20%7C%20extend%20%0A%20%20%20%20%20%20%20%20VMId%20%3D%20toupper(substring(id%2C%200%2C%20indexof(id%2C%20'%2Fextensions')))%2C%0A%20%20%20%20%20%20%20%20ExtensionName%20%3D%20name%0A)%20on%20%24left.JoinID%20%3D%3D%20%24right.VMId%0A%7C%20summarize%20Extensions%20%3D%20make_list(ExtensionName)%20by%20id%2C%20OSName%2C%20OSType%2C%20VMSize%0A%7C%20order%20by%20tolower(OSName)%20asc" target="_blank">portal.azure.cn</a>

+## Find storage accounts with a specific tag on the resource group

+The following query uses an **inner** `join` to connect storage accounts with resource groups that

+have a specified case-sensitive tag name and tag value.

+```kusto

+Resources

+| where type =~ 'microsoft.storage/storageaccounts'

+| join kind=inner (

+ ResourceContainers

+ | where type =~ 'microsoft.resources/subscriptions/resourcegroups'

+ | where tags['Key1'] =~ 'Value1'

+ | project subscriptionId, resourceGroup)

+on subscriptionId, resourceGroup

+| project-away subscriptionId1, resourceGroup1

+```

+# [Azure CLI](#tab/azure-cli)

+```azurecli

+az graph query -q "Resources | where type =~ 'microsoft.storage/storageaccounts' | join kind=inner ( ResourceContainers | where type =~ 'microsoft.resources/subscriptions/resourcegroups' | where tags['Key1'] =~ 'Value1' | project subscriptionId, resourceGroup) on subscriptionId, resourceGroup | project-away subscriptionId1, resourceGroup1"

+```

+# [Azure PowerShell](#tab/azure-powershell)

+```azurepowershell-interactive

+Search-AzGraph -Query "Resources | where type =~ 'microsoft.storage/storageaccounts' | join kind=inner ( ResourceContainers | where type =~ 'microsoft.resources/subscriptions/resourcegroups' | where tags['Key1'] =~ 'Value1' | project subscriptionId, resourceGroup) on subscriptionId, resourceGroup | project-away subscriptionId1, resourceGroup1"

+```

+# [Portal](#tab/azure-portal)

+Try this query in Azure Resource Graph Explorer:

+- Azure portal: <a href="https://portal.azure.com/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20where%20type%20%3D~%20%27microsoft.storage%2Fstorageaccounts%27%0D%0A%7C%20join%20kind%3Dinner%20%28%0D%0A%20%20%20%20ResourceContainers%0D%0A%20%20%20%20%7C%20where%20type%20%3D~%20%27microsoft.resources%2Fsubscriptions%2Fresourcegroups%27%0D%0A%20%20%20%20%7C%20where%20tags%5B%27Key1%27%5D%20%3D~%20%27Value1%27%0D%0A%20%20%20%20%7C%20project%20subscriptionId%2C%20resourceGroup%29%0D%0Aon%20subscriptionId%2C%20resourceGroup%0D%0A%7C%20project-away%20subscriptionId1%2C%20resourceGroup1" target="_blank">portal.azure.com</a>

+- Azure Government portal: <a href="https://portal.azure.us/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20where%20type%20%3D~%20%27microsoft.storage%2Fstorageaccounts%27%0D%0A%7C%20join%20kind%3Dinner%20%28%0D%0A%20%20%20%20ResourceContainers%0D%0A%20%20%20%20%7C%20where%20type%20%3D~%20%27microsoft.resources%2Fsubscriptions%2Fresourcegroups%27%0D%0A%20%20%20%20%7C%20where%20tags%5B%27Key1%27%5D%20%3D~%20%27Value1%27%0D%0A%20%20%20%20%7C%20project%20subscriptionId%2C%20resourceGroup%29%0D%0Aon%20subscriptionId%2C%20resourceGroup%0D%0A%7C%20project-away%20subscriptionId1%2C%20resourceGroup1" target="_blank">portal.azure.us</a>

+- Azure operated by 21Vianet portal: <a href="https://portal.azure.cn/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20where%20type%20%3D~%20%27microsoft.storage%2Fstorageaccounts%27%0D%0A%7C%20join%20kind%3Dinner%20%28%0D%0A%20%20%20%20ResourceContainers%0D%0A%20%20%20%20%7C%20where%20type%20%3D~%20%27microsoft.resources%2Fsubscriptions%2Fresourcegroups%27%0D%0A%20%20%20%20%7C%20where%20tags%5B%27Key1%27%5D%20%3D~%20%27Value1%27%0D%0A%20%20%20%20%7C%20project%20subscriptionId%2C%20resourceGroup%29%0D%0Aon%20subscriptionId%2C%20resourceGroup%0D%0A%7C%20project-away%20subscriptionId1%2C%20resourceGroup1" target="_blank">portal.azure.cn</a>

+If it's necessary to look for a case insensitive tag name and tag value, use `mv-expand` with the

+**bagexpansion** parameter. This query uses more quota than the previous query, so use `mv-expand`

+only if necessary.

+```kusto

+Resources

+| where type =~ 'microsoft.storage/storageaccounts'

+| join kind=inner (

+ ResourceContainers

+ | where type =~ 'microsoft.resources/subscriptions/resourcegroups'

+ | mv-expand bagexpansion=array tags

+ | where isnotempty(tags)

+ | where tags[0] =~ 'key1' and tags[1] =~ 'value1'

+ | project subscriptionId, resourceGroup)

+on subscriptionId, resourceGroup

+| project-away subscriptionId1, resourceGroup1

+```

+# [Azure CLI](#tab/azure-cli)

+```azurecli

+az graph query -q "Resources | where type =~ 'microsoft.storage/storageaccounts' | join kind=inner ( ResourceContainers | where type =~ 'microsoft.resources/subscriptions/resourcegroups' | mv-expand bagexpansion=array tags | where isnotempty(tags) | where tags[0] =~ 'key1' and tags[1] =~ 'value1' | project subscriptionId, resourceGroup) on subscriptionId, resourceGroup | project-away subscriptionId1, resourceGroup1"

+```

+# [Azure PowerShell](#tab/azure-powershell)

+```azurepowershell-interactive

+Search-AzGraph -Query "Resources | where type =~ 'microsoft.storage/storageaccounts' | join kind=inner ( ResourceContainers | where type =~ 'microsoft.resources/subscriptions/resourcegroups' | mv-expand bagexpansion=array tags | where isnotempty(tags) | where tags[0] =~ 'key1' and tags[1] =~ 'value1' | project subscriptionId, resourceGroup) on subscriptionId, resourceGroup | project-away subscriptionId1, resourceGroup1"

+```

+# [Portal](#tab/azure-portal)

+Try this query in Azure Resource Graph Explorer:

+- Azure portal: <a href="https://portal.azure.com/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20where%20type%20%3D~%20%27microsoft.storage%2Fstorageaccounts%27%0D%0A%7C%20join%20kind%3Dinner%20%28%0D%0A%20%20%20%20ResourceContainers%0D%0A%20%20%20%20%7C%20where%20type%20%3D~%20%27microsoft.resources%2Fsubscriptions%2Fresourcegroups%27%0D%0A%20%20%20%20%7C%20mv-expand%20bagexpansion%3Darray%20tags%0D%0A%20%20%20%20%7C%20where%20isnotempty%28tags%29%0D%0A%20%20%20%20%7C%20where%20tags%5B0%5D%20%3D~%20%27key1%27%20and%20tags%5B1%5D%20%3D~%20%27value1%27%0D%0A%20%20%20%20%7C%20project%20subscriptionId%2C%20resourceGroup%29%0D%0Aon%20subscriptionId%2C%20resourceGroup%0D%0A%7C%20project-away%20subscriptionId1%2C%20resourceGroup1" target="_blank">portal.azure.com</a>

+- Azure Government portal: <a href="https://portal.azure.us/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20where%20type%20%3D~%20%27microsoft.storage%2Fstorageaccounts%27%0D%0A%7C%20join%20kind%3Dinner%20%28%0D%0A%20%20%20%20ResourceContainers%0D%0A%20%20%20%20%7C%20where%20type%20%3D~%20%27microsoft.resources%2Fsubscriptions%2Fresourcegroups%27%0D%0A%20%20%20%20%7C%20mv-expand%20bagexpansion%3Darray%20tags%0D%0A%20%20%20%20%7C%20where%20isnotempty%28tags%29%0D%0A%20%20%20%20%7C%20where%20tags%5B0%5D%20%3D~%20%27key1%27%20and%20tags%5B1%5D%20%3D~%20%27value1%27%0D%0A%20%20%20%20%7C%20project%20subscriptionId%2C%20resourceGroup%29%0D%0Aon%20subscriptionId%2C%20resourceGroup%0D%0A%7C%20project-away%20subscriptionId1%2C%20resourceGroup1" target="_blank">portal.azure.us</a>

+- Azure operated by 21Vianet portal: <a href="https://portal.azure.cn/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20where%20type%20%3D~%20%27microsoft.storage%2Fstorageaccounts%27%0D%0A%7C%20join%20kind%3Dinner%20%28%0D%0A%20%20%20%20ResourceContainers%0D%0A%20%20%20%20%7C%20where%20type%20%3D~%20%27microsoft.resources%2Fsubscriptions%2Fresourcegroups%27%0D%0A%20%20%20%20%7C%20mv-expand%20bagexpansion%3Darray%20tags%0D%0A%20%20%20%20%7C%20where%20isnotempty%28tags%29%0D%0A%20%20%20%20%7C%20where%20tags%5B0%5D%20%3D~%20%27key1%27%20and%20tags%5B1%5D%20%3D~%20%27value1%27%0D%0A%20%20%20%20%7C%20project%20subscriptionId%2C%20resourceGroup%29%0D%0Aon%20subscriptionId%2C%20resourceGroup%0D%0A%7C%20project-away%20subscriptionId1%2C%20resourceGroup1" target="_blank">portal.azure.cn</a>

+## Combine results from two queries into a single result

+The following query uses `union` to get results from the _ResourceContainers_ table and add them to

+results from the _Resources_ table.

+```kusto

+ResourceContainers

+| where type=='microsoft.resources/subscriptions/resourcegroups' | project name, type | limit 5

+| union (Resources | project name, type | limit 5)

+```

+# [Azure CLI](#tab/azure-cli)

+```azurecli

+az graph query -q "ResourceContainers | where type=='microsoft.resources/subscriptions/resourcegroups' | project name, type | limit 5 | union (Resources | project name, type | limit 5)"

+```

+# [Azure PowerShell](#tab/azure-powershell)

+```azurepowershell-interactive

+Search-AzGraph -Query "ResourceContainers | where type=='microsoft.resources/subscriptions/resourcegroups' | project name, type | limit 5 | union (Resources | project name, type | limit 5)"

+```

+# [Portal](#tab/azure-portal)

+Try this query in Azure Resource Graph Explorer:

+- Azure portal: <a href="https://portal.azure.com/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/ResourceContainers%0D%0A%7C%20where%20type%3D%3D%27microsoft.resources%2Fsubscriptions%2Fresourcegroups%27%20%7C%20project%20name%2C%20type%20%20%7C%20limit%205%0D%0A%7C%20union%20%20%28Resources%20%7C%20project%20name%2C%20type%20%7C%20limit%205%29" target="_blank">portal.azure.com</a>

+- Azure Government portal: <a href="https://portal.azure.us/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/ResourceContainers%0D%0A%7C%20where%20type%3D%3D%27microsoft.resources%2Fsubscriptions%2Fresourcegroups%27%20%7C%20project%20name%2C%20type%20%20%7C%20limit%205%0D%0A%7C%20union%20%20%28Resources%20%7C%20project%20name%2C%20type%20%7C%20limit%205%29" target="_blank">portal.azure.us</a>

+- Azure operated by 21Vianet portal: <a href="https://portal.azure.cn/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/ResourceContainers%0D%0A%7C%20where%20type%3D%3D%27microsoft.resources%2Fsubscriptions%2Fresourcegroups%27%20%7C%20project%20name%2C%20type%20%20%7C%20limit%205%0D%0A%7C%20union%20%20%28Resources%20%7C%20project%20name%2C%20type%20%7C%20limit%205%29" target="_blank">portal.azure.cn</a>

+## Get virtual networks and subnets of network interfaces

+Use a regular expression `parse` to get the virtual network and subnet names from the resource ID

+property. While `parse` enables getting data from a complex field, it's optimal to access properties

+directly if they exist instead of using `parse`.

+```kusto

+Resources

+| where type =~ 'microsoft.network/networkinterfaces'

+| project id, ipConfigurations = properties.ipConfigurations

+| mvexpand ipConfigurations

+| project id, subnetId = tostring(ipConfigurations.properties.subnet.id)

+| parse kind=regex subnetId with '/virtualNetworks/' virtualNetwork '/subnets/' subnet

+| project id, virtualNetwork, subnet

+```

+# [Azure CLI](#tab/azure-cli)

+```azurecli

+az graph query -q "Resources | where type =~ 'microsoft.network/networkinterfaces' | project id, ipConfigurations = properties.ipConfigurations | mvexpand ipConfigurations | project id, subnetId = tostring(ipConfigurations.properties.subnet.id) | parse kind=regex subnetId with '/virtualNetworks/' virtualNetwork '/subnets/' subnet | project id, virtualNetwork, subnet"

+```

+# [Azure PowerShell](#tab/azure-powershell)

+```azurepowershell-interactive

+Search-AzGraph -Query "Resources | where type =~ 'microsoft.network/networkinterfaces' | project id, ipConfigurations = properties.ipConfigurations | mvexpand ipConfigurations | project id, subnetId = tostring(ipConfigurations.properties.subnet.id) | parse kind=regex subnetId with '/virtualNetworks/' virtualNetwork '/subnets/' subnet | project id, virtualNetwork, subnet"

+```

+# [Portal](#tab/azure-portal)

+Try this query in Azure Resource Graph Explorer:

+- Azure portal: <a href="https://portal.azure.com/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0A%7C%20where%20type%20%3D~%20%27microsoft.network%2Fnetworkinterfaces%27%0A%7C%20project%20id%2C%20ipConfigurations%20%3D%20properties.ipConfigurations%0A%7C%20mvexpand%20ipConfigurations%0A%7C%20project%20id%2C%20subnetId%20%3D%20tostring%28ipConfigurations.properties.subnet.id%29%0A%7C%20parse%20kind%3Dregex%20subnetId%20with%20%27%2FvirtualNetworks%2F%27%20virtualNetwork%20%27%2Fsubnets%2F%27%20subnet%20%0A%7C%20project%20id%2C%20virtualNetwork%2C%20subnet" target="_blank">portal.azure.com</a>

+- Azure Government portal: <a href="https://portal.azure.us/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0A%7C%20where%20type%20%3D~%20%27microsoft.network%2Fnetworkinterfaces%27%0A%7C%20project%20id%2C%20ipConfigurations%20%3D%20properties.ipConfigurations%0A%7C%20mvexpand%20ipConfigurations%0A%7C%20project%20id%2C%20subnetId%20%3D%20tostring%28ipConfigurations.properties.subnet.id%29%0A%7C%20parse%20kind%3Dregex%20subnetId%20with%20%27%2FvirtualNetworks%2F%27%20virtualNetwork%20%27%2Fsubnets%2F%27%20subnet%20%0A%7C%20project%20id%2C%20virtualNetwork%2C%20subnet" target="_blank">portal.azure.us</a>

+- Azure operated by 21Vianet portal: <a href="https://portal.azure.cn/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0A%7C%20where%20type%20%3D~%20%27microsoft.network%2Fnetworkinterfaces%27%0A%7C%20project%20id%2C%20ipConfigurations%20%3D%20properties.ipConfigurations%0A%7C%20mvexpand%20ipConfigurations%0A%7C%20project%20id%2C%20subnetId%20%3D%20tostring%28ipConfigurations.properties.subnet.id%29%0A%7C%20parse%20kind%3Dregex%20subnetId%20with%20%27%2FvirtualNetworks%2F%27%20virtualNetwork%20%27%2Fsubnets%2F%27%20subnet%20%0A%7C%20project%20id%2C%20virtualNetwork%2C%20subnet" target="_blank">portal.azure.cn</a>

+## Summarize virtual machine by the power states extended property

+This query uses the [extended properties](../concepts/query-language.md#extended-properties) on

+virtual machines to summarize by power states.

+```kusto

+Resources

+| where type == 'microsoft.compute/virtualmachines'

+| summarize count() by tostring(properties.extended.instanceView.powerState.code)

+```

+# [Azure CLI](#tab/azure-cli)

+```azurecli

+az graph query -q "Resources | where type == 'microsoft.compute/virtualmachines' | summarize count() by tostring(properties.extended.instanceView.powerState.code)"

+```

+# [Azure PowerShell](#tab/azure-powershell)

+```azurepowershell-interactive

+Search-AzGraph -Query "Resources | where type == 'microsoft.compute/virtualmachines' | summarize count() by tostring(properties.extended.instanceView.powerState.code)"

+```

+# [Portal](#tab/azure-portal)

+Try this query in Azure Resource Graph Explorer:

+- Azure portal: <a href="https://portal.azure.com/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%20%7C%20where%20type%20%3D%3D%20%27microsoft.compute%2Fvirtualmachines%27%20%7C%20summarize%20count%28%29%20by%20tostring%28properties.extended.instanceView.powerState.code%29" target="_blank">portal.azure.com</a>

+- Azure Government portal: <a href="https://portal.azure.us/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%20%7C%20where%20type%20%3D%3D%20%27microsoft.compute%2Fvirtualmachines%27%20%7C%20summarize%20count%28%29%20by%20tostring%28properties.extended.instanceView.powerState.code%29" target="_blank">portal.azure.us</a>

+- Azure operated by 21Vianet portal: <a href="https://portal.azure.cn/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%20%7C%20where%20type%20%3D%3D%20%27microsoft.compute%2Fvirtualmachines%27%20%7C%20summarize%20count%28%29%20by%20tostring%28properties.extended.instanceView.powerState.code%29" target="_blank">portal.azure.cn</a>

+## Next steps

+- See samples of [Starter queries](starter.md).

+- Learn more about the [query language](../concepts/query-language.md).

+- Learn more about how to [explore resources](../concepts/explore-resources.md).

+ Title: Starter query samples

+description: Use Azure Resource Graph to run some starter queries, including counting resources, ordering resources, or by a specific tag.

+# Starter Resource Graph query samples

+The first step to understanding queries with Azure Resource Graph is a basic understanding of the

+[Query Language](../concepts/query-language.md). If you aren't already familiar with

+[Kusto Query Language (KQL)](/azure/kusto/query/index), it's recommended to review the

+[KQL tutorial](/azure/kusto/query/tutorial) to understand how to compose requests for the

+resources you're looking for.

+This article uses the following starter queries:

+- [Count Azure resources](#count-azure-resources)

+- [Count Key Vault resources](#count-key-vault-resources)

+- [List resources sorted by name](#list-resources-sorted-by-name)

+- [Show all virtual machines ordered by name in descending order](#show-all-virtual-machines-ordered-by-name-in-descending-order)

+- [Show first five virtual machines by name and their OS type](#show-first-five-virtual-machines-by-name-and-their-os-type)

+- [Count virtual machines by OS type](#count-virtual-machines-by-os-type)

+- [Show resources that contain storage](#show-resources-that-contain-storage)

+- [List all Azure virtual network subnets](#list-all-azure-virtual-network-subnets)

+- [List all public IP addresses](#list-all-public-ip-addresses)

+- [Count resources that have IP addresses configured by subscription](#count-resources-that-have-ip-addresses-configured-by-subscription)

+- [List resources with a specific tag value](#list-resources-with-a-specific-tag-value)

+- [List all storage accounts with specific tag value](#list-all-storage-accounts-with-specific-tag-value)

+- [List all tags and their values](#list-all-tags-and-their-values)

+- [Show unassociated network security groups](#show-unassociated-network-security-groups)

+- [List Azure Monitor alerts ordered by severity](#list-azure-monitor-alerts-ordered-by-severity)

+- [List Azure Monitor alerts ordered by severity and alert state](#list-azure-monitor-alerts-ordered-by-severity-and-alert-state)

+- [List Azure Monitor alerts ordered by severity, monitor service, and target resource type ](#list-azure-monitor-alerts-ordered-by-severity-monitor-service-and-target-resource-type)

+If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free)

+before you begin.

+## Language support

+Azure CLI (through an extension) and Azure PowerShell (through a module) support Azure Resource

+Graph. Before running any of the following queries, check that your environment is ready. See

+[Azure CLI](../first-query-azurecli.md#install-the-extension) and [Azure

+PowerShell](../first-query-powershell.md#install-the-module) for steps to install and

+validate your shell environment of choice.

+## Count Azure resources

+This query returns number of Azure resources that exist in the subscriptions that you have access

+to. It's also a good query to validate your shell of choice has the appropriate Azure Resource

+Graph components installed and in working order.

+```kusto

+Resources

+| summarize count()

+```

+# [Azure CLI](#tab/azure-cli)

+By default, Azure CLI queries all accessible subscriptions but you can specify the `--subscriptions` parameter to query specific subscriptions.

+```azurecli-interactive

+az graph query -q "Resources | summarize count()"

+```

+This example uses a variable for the subscription ID.

+```azurecli-interactive

+subid=$(az account show --query id --output tsv)

+az graph query -q "Resources | summarize count()" --subscriptions $subid

+```

+You can also query by the scopes for management group and tenant. Replace `<managementGroupId>` and `<tenantId>` with your values.

+```azurecli-interactive

+az graph query -q "Resources | summarize count()" --management-groups '<managementGroupId>'

+```

+```azurecli-interactive

+az graph query -q "Resources | summarize count()" --management-groups '<tenantId>'

+```

+You can also use a variable for the tenant ID.

+```azurecli-interactive

+tenantid=$(az account show --query tenantId --output tsv)

+az graph query -q "Resources | summarize count()" --management-groups $tenantid

+```

+# [Azure PowerShell](#tab/azure-powershell)

+By default, Azure PowerShell gets results for all subscriptions in your tenant.

+```azurepowershell-interactive

+Search-AzGraph -Query "Resources | summarize count()"

+```

+This example uses a variable to query a specific subscription ID.

+```azurepowershell-interactive

+$subid = (Get-AzContext).Subscription.Id

+Search-AzGraph -Query "authorizationresources | summarize count()" -Subscription $subid

+```

+You can query by the scopes for management group and tenant. Replace `<managementGroupId>`with your value. The `UseTenantScope` parameter doesn't require a value.

+```azurepowershell-interactive

+Search-AzGraph -Query "Resources | summarize count()" -ManagementGroup '<managementGroupId>'

+```

+```azurepowershell-interactive

+Search-AzGraph -Query "Resources | summarize count()" -UseTenantScope

+```

+# [Portal](#tab/azure-portal)

+Try this query in Azure Resource Graph Explorer:

+- Azure portal: <a href="https://portal.azure.com/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20summarize%20count%28%29" target="_blank">portal.azure.com</a>

+- Azure Government portal: <a href="https://portal.azure.us/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20summarize%20count%28%29" target="_blank">portal.azure.us</a>

+- Microsoft Azure operated by 21Vianet portal: <a href="https://portal.azure.cn/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20summarize%20count%28%29" target="_blank">portal.azure.cn</a>

+## Count Key Vault resources

+This query uses `count` instead of `summarize` to count the number of records returned. Only key

+vaults are included in the count.

+```kusto

+Resources

+| where type =~ 'microsoft.keyvault/vaults'

+| count

+```

+# [Azure CLI](#tab/azure-cli)

+```azurecli-interactive

+az graph query -q "Resources | where type =~ 'microsoft.keyvault/vaults' | count"

+```

+# [Azure PowerShell](#tab/azure-powershell)

+```azurepowershell-interactive

+Search-AzGraph -Query "Resources | where type =~ 'microsoft.keyvault/vaults' | count"

+```

+# [Portal](#tab/azure-portal)

+Try this query in Azure Resource Graph Explorer:

+- Azure portal: <a href="https://portal.azure.com/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20where%20type%20%3D~%20%27microsoft.keyvault%2Fvaults%27%0D%0A%7C%20count" target="_blank">portal.azure.com</a>

+- Azure Government portal: <a href="https://portal.azure.us/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20where%20type%20%3D~%20%27microsoft.keyvault%2Fvaults%27%0D%0A%7C%20count" target="_blank">portal.azure.us</a>

+- Azure operated by 21Vianet portal: <a href="https://portal.azure.cn/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20where%20type%20%3D~%20%27microsoft.keyvault%2Fvaults%27%0D%0A%7C%20count" target="_blank">portal.azure.cn</a>

+## List resources sorted by name

+This query returns any type of resource, but only the **name**, **type**, and **location**

+properties. It uses `order by` to sort the properties by the **name** property in ascending (`asc`)

+order.

+```kusto

+Resources

+| project name, type, location

+| order by name asc

+```

+# [Azure CLI](#tab/azure-cli)

+```azurecli-interactive

+az graph query -q "Resources | project name, type, location | order by name asc"

+```

+# [Azure PowerShell](#tab/azure-powershell)

+```azurepowershell-interactive

+Search-AzGraph -Query "Resources | project name, type, location | order by name asc"

+```

+# [Portal](#tab/azure-portal)

+Try this query in Azure Resource Graph Explorer:

+- Azure portal: <a href="https://portal.azure.com/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20project%20name%2C%20type%2C%20location%0D%0A%7C%20order%20by%20name%20asc" target="_blank">portal.azure.com</a>

+- Azure Government portal: <a href="https://portal.azure.us/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20project%20name%2C%20type%2C%20location%0D%0A%7C%20order%20by%20name%20asc" target="_blank">portal.azure.us</a>

+- Azure operated by 21Vianet portal: <a href="https://portal.azure.cn/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20project%20name%2C%20type%2C%20location%0D%0A%7C%20order%20by%20name%20asc" target="_blank">portal.azure.cn</a>

+## Show all virtual machines ordered by name in descending order

+To list only virtual machines (which are type `Microsoft.Compute/virtualMachines`), we can match

+the property **type** in the results. Similar to the previous query, `desc` changes the `order by`

+to be descending. The `=~` in the type match tells Resource Graph to be case insensitive.

+```kusto

+Resources

+| project name, location, type

+| where type =~ 'Microsoft.Compute/virtualMachines'

+| order by name desc

+```

+# [Azure CLI](#tab/azure-cli)

+```azurecli-interactive

+az graph query -q "Resources | project name, location, type| where type =~ 'Microsoft.Compute/virtualMachines' | order by name desc"

+```

+# [Azure PowerShell](#tab/azure-powershell)

+```azurepowershell-interactive

+Search-AzGraph -Query "Resources | project name, location, type| where type =~ 'Microsoft.Compute/virtualMachines' | order by name desc"

+```

+# [Portal](#tab/azure-portal)

+Try this query in Azure Resource Graph Explorer:

+- Azure portal: <a href="https://portal.azure.com/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20project%20name%2C%20location%2C%20type%0D%0A%7C%20where%20type%20%3D~%20%27Microsoft.Compute%2FvirtualMachines%27%0D%0A%7C%20order%20by%20name%20desc" target="_blank">portal.azure.com</a>

+- Azure Government portal: <a href="https://portal.azure.us/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20project%20name%2C%20location%2C%20type%0D%0A%7C%20where%20type%20%3D~%20%27Microsoft.Compute%2FvirtualMachines%27%0D%0A%7C%20order%20by%20name%20desc" target="_blank">portal.azure.us</a>

+- Azure operated by 21Vianet portal: <a href="https://portal.azure.cn/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20project%20name%2C%20location%2C%20type%0D%0A%7C%20where%20type%20%3D~%20%27Microsoft.Compute%2FvirtualMachines%27%0D%0A%7C%20order%20by%20name%20desc" target="_blank">portal.azure.cn</a>

+## Show first five virtual machines by name and their OS type

+This query uses `top` to only retrieve five matching records that are ordered by name. The type

+of the Azure resource is `Microsoft.Compute/virtualMachines`. `project` tells Azure Resource Graph

+which properties to include.

+```kusto

+Resources

+| where type =~ 'Microsoft.Compute/virtualMachines'

+| project name, properties.storageProfile.osDisk.osType

+| top 5 by name desc

+```

+# [Azure CLI](#tab/azure-cli)

+```azurecli-interactive

+az graph query -q "Resources | where type =~ 'Microsoft.Compute/virtualMachines' | project name, properties.storageProfile.osDisk.osType | top 5 by name desc"

+```

+# [Azure PowerShell](#tab/azure-powershell)

+```azurepowershell-interactive

+Search-AzGraph -Query "Resources | where type =~ 'Microsoft.Compute/virtualMachines' | project name, properties.storageProfile.osDisk.osType | top 5 by name desc"

+```

+# [Portal](#tab/azure-portal)

+Try this query in Azure Resource Graph Explorer:

+- Azure portal: <a href="https://portal.azure.com/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20where%20type%20%3D~%20%27Microsoft.Compute%2FvirtualMachines%27%0D%0A%7C%20project%20name%2C%20properties.storageProfile.osDisk.osType%0D%0A%7C%20top%205%20by%20name%20desc" target="_blank">portal.azure.com</a>

+- Azure Government portal: <a href="https://portal.azure.us/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20where%20type%20%3D~%20%27Microsoft.Compute%2FvirtualMachines%27%0D%0A%7C%20project%20name%2C%20properties.storageProfile.osDisk.osType%0D%0A%7C%20top%205%20by%20name%20desc" target="_blank">portal.azure.us</a>

+- Azure operated by 21Vianet portal: <a href="https://portal.azure.cn/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20where%20type%20%3D~%20%27Microsoft.Compute%2FvirtualMachines%27%0D%0A%7C%20project%20name%2C%20properties.storageProfile.osDisk.osType%0D%0A%7C%20top%205%20by%20name%20desc" target="_blank">portal.azure.cn</a>

+## Count virtual machines by OS type

+Building on the previous query, we're still limiting by Azure resources of type

+`Microsoft.Compute/virtualMachines`, but are no longer limiting the number of records returned.

+Instead, we used `summarize` and `count()` to define how to group and aggregate the values by

+property, which in this example is `properties.storageProfile.osDisk.osType`. For an example of how

+this string looks in the full object, see [explore resources - virtual machine

+discovery](../concepts/explore-resources.md#virtual-machine-discovery).

+```kusto

+Resources

+| where type =~ 'Microsoft.Compute/virtualMachines'

+| summarize count() by tostring(properties.storageProfile.osDisk.osType)

+```

+# [Azure CLI](#tab/azure-cli)

+```azurecli-interactive

+az graph query -q "Resources | where type =~ 'Microsoft.Compute/virtualMachines' | summarize count() by tostring(properties.storageProfile.osDisk.osType)"

+```

+# [Azure PowerShell](#tab/azure-powershell)

+```azurepowershell-interactive

+Search-AzGraph -Query "Resources | where type =~ 'Microsoft.Compute/virtualMachines' | summarize count() by tostring(properties.storageProfile.osDisk.osType)"

+```

+# [Portal](#tab/azure-portal)

+Try this query in Azure Resource Graph Explorer:

+- Azure portal: <a href="https://portal.azure.com/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20where%20type%20%3D~%20%27Microsoft.Compute%2FvirtualMachines%27%0D%0A%7C%20summarize%20count%28%29%20by%20tostring%28properties.storageProfile.osDisk.osType%29" target="_blank">portal.azure.com</a>

+- Azure Government portal: <a href="https://portal.azure.us/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20where%20type%20%3D~%20%27Microsoft.Compute%2FvirtualMachines%27%0D%0A%7C%20summarize%20count%28%29%20by%20tostring%28properties.storageProfile.osDisk.osType%29" target="_blank">portal.azure.us</a>

+- Azure operated by 21Vianet portal: <a href="https://portal.azure.cn/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20where%20type%20%3D~%20%27Microsoft.Compute%2FvirtualMachines%27%0D%0A%7C%20summarize%20count%28%29%20by%20tostring%28properties.storageProfile.osDisk.osType%29" target="_blank">portal.azure.cn</a>

+A different way to write the same query is to `extend` a property and give it a temporary name for

+use within the query, in this case **os**. **os** is then used by `summarize` and `count()` as in

+the previous example.

+```kusto

+Resources

+| where type =~ 'Microsoft.Compute/virtualMachines'

+| extend os = properties.storageProfile.osDisk.osType

+| summarize count() by tostring(os)

+```

+# [Azure CLI](#tab/azure-cli)

+```azurecli-interactive

+az graph query -q "Resources | where type =~ 'Microsoft.Compute/virtualMachines' | extend os = properties.storageProfile.osDisk.osType | summarize count() by tostring(os)"

+```

+# [Azure PowerShell](#tab/azure-powershell)

+```azurepowershell-interactive

+Search-AzGraph -Query "Resources | where type =~ 'Microsoft.Compute/virtualMachines' | extend os = properties.storageProfile.osDisk.osType | summarize count() by tostring(os)"

+```

+# [Portal](#tab/azure-portal)

+Try this query in Azure Resource Graph Explorer:

+- Azure portal: <a href="https://portal.azure.com/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20where%20type%20%3D~%20%27Microsoft.Compute%2FvirtualMachines%27%0D%0A%7C%20extend%20os%20%3D%20properties.storageProfile.osDisk.osType%0D%0A%7C%20summarize%20count%28%29%20by%20tostring%28os%29" target="_blank">portal.azure.com</a>

+- Azure Government portal: <a href="https://portal.azure.us/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20where%20type%20%3D~%20%27Microsoft.Compute%2FvirtualMachines%27%0D%0A%7C%20extend%20os%20%3D%20properties.storageProfile.osDisk.osType%0D%0A%7C%20summarize%20count%28%29%20by%20tostring%28os%29" target="_blank">portal.azure.us</a>

+- Azure operated by 21Vianet portal: <a href="https://portal.azure.cn/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20where%20type%20%3D~%20%27Microsoft.Compute%2FvirtualMachines%27%0D%0A%7C%20extend%20os%20%3D%20properties.storageProfile.osDisk.osType%0D%0A%7C%20summarize%20count%28%29%20by%20tostring%28os%29" target="_blank">portal.azure.cn</a>

+> [!NOTE]

+> Be aware that while `=~` allows case insensitive matching, use of properties (such as

+> **properties.storageProfile.osDisk.osType**) in the query require the case to be correct. If the

+> property is the incorrect case, a null or incorrect value is returned and the grouping or

+> summarization would be incorrect.

+## Show resources that contain storage

+Instead of explicitly defining the type to match, this example query finds any Azure resource

+that `contains` the word **storage**.

+```kusto

+Resources

+| where type contains 'storage' | distinct type

+```

+# [Azure CLI](#tab/azure-cli)

+```azurecli-interactive

+az graph query -q "Resources | where type contains 'storage' | distinct type"

+```

+# [Azure PowerShell](#tab/azure-powershell)

+```azurepowershell-interactive

+Search-AzGraph -Query "Resources | where type contains 'storage' | distinct type"

+```

+# [Portal](#tab/azure-portal)

+Try this query in Azure Resource Graph Explorer:

+- Azure portal: <a href="https://portal.azure.com/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20where%20type%20contains%20%27storage%27%20%7C%20distinct%20type" target="_blank">portal.azure.com</a>

+- Azure Government portal: <a href="https://portal.azure.us/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20where%20type%20contains%20%27storage%27%20%7C%20distinct%20type" target="_blank">portal.azure.us</a>

+- Azure operated by 21Vianet portal: <a href="https://portal.azure.cn/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20where%20type%20contains%20%27storage%27%20%7C%20distinct%20type" target="_blank">portal.azure.cn</a>

+## List all Azure virtual network subnets

+This query returns a list of Azure virtual networks (VNets) including subnet names and address prefixes. Thanks to [Saul Dolgin](https://github.com/sdolgin) for the contribution.

+```kusto

+Resources

+| where type == 'microsoft.network/virtualnetworks'

+| extend subnets = properties.subnets

+| mv-expand subnets

+| project name, subnets.name, subnets.properties.addressPrefix, location, resourceGroup, subscriptionId

+```

+# [Azure CLI](#tab/azure-cli)

+```azurecli-interactive

+az graph query -q "Resources | where type == 'microsoft.network/virtualnetworks' | extend subnets = properties.subnets | mv-expand subnets | project name, subnets.name, subnets.properties.addressPrefix, location, resourceGroup, subscriptionId"

+```

+# [Azure PowerShell](#tab/azure-powershell)

+```azurepowershell-interactive

+Search-AzGraph -Query "Resources | where type == 'microsoft.network/virtualnetworks' | extend subnets = properties.subnets | mv-expand subnets | project name, subnets.name, subnets.properties.addressPrefix, location, resourceGroup, subscriptionId

+```

+# [Portal](#tab/azure-portal)

+Try this query in Azure Resource Graph Explorer:

+- Azure portal: <a href="https://portal.azure.com/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0A%7C%20where%20type%20%3D%3D%20%27microsoft.network%2Fvirtualnetworks%27%0A%7C%20extend%20subnets%20%3D%20properties.subnets%0A%7C%20mv-expand%20subnets%0A%7C%20project%20name%2C%20subnets.name%2C%20subnets.properties.addressPrefix%2C%20location%2C%20resourceGroup%2C%20subscriptionId" target="_blank">portal.Azure.com</a>

+- Azure Government portal: <a href="https://portal.azure.us/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0A%7C%20where%20type%20%3D%3D%20%27microsoft.network%2Fvirtualnetworks%27%0A%7C%20extend%20subnets%20%3D%20properties.subnets%0A%7C%20mv-expand%20subnets%0A%7C%20project%20name%2C%20subnets.name%2C%20subnets.properties.addressPrefix%2C%20location%2C%20resourceGroup%2C%20subscriptionId" target="_blank">portal.Azure.us</a>

+- Azure operated by 21Vianet portal: <a href="https://portal.azure.cn/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0A%7C%20where%20type%20%3D%3D%20%27microsoft.network%2Fvirtualnetworks%27%0A%7C%20extend%20subnets%20%3D%20properties.subnets%0A%7C%20mv-expand%20subnets%0A%7C%20project%20name%2C%20subnets.name%2C%20subnets.properties.addressPrefix%2C%20location%2C%20resourceGroup%2C%20subscriptionId" target="_blank">portal.Azure.cn</a>

+## List all public IP addresses

+Similar to the previous query, find everything that is a type with the word **publicIPAddresses**.

+This query expands on that pattern to only include results where **properties.ipAddress**

+`isnotempty`, to only return the **properties.ipAddress**, and to `limit` the results by the top

+100. You may need to escape the quotes depending on your chosen shell.

+```kusto

+Resources

+| where type contains 'publicIPAddresses' and isnotempty(properties.ipAddress)

+| project properties.ipAddress

+| limit 100

+```

+# [Azure CLI](#tab/azure-cli)

+```azurecli-interactive

+az graph query -q "Resources | where type contains 'publicIPAddresses' and isnotempty(properties.ipAddress) | project properties.ipAddress | limit 100"

+```

+# [Azure PowerShell](#tab/azure-powershell)

+```azurepowershell-interactive

+Search-AzGraph -Query "Resources | where type contains 'publicIPAddresses' and isnotempty(properties.ipAddress) | project properties.ipAddress | limit 100"

+```

+# [Portal](#tab/azure-portal)

+Try this query in Azure Resource Graph Explorer:

+- Azure portal: <a href="https://portal.azure.com/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20where%20type%20contains%20%27publicIPAddresses%27%20and%20isnotempty%28properties.ipAddress%29%0D%0A%7C%20project%20properties.ipAddress%0D%0A%7C%20limit%20100" target="_blank">portal.azure.com</a>

+- Azure Government portal: <a href="https://portal.azure.us/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20where%20type%20contains%20%27publicIPAddresses%27%20and%20isnotempty%28properties.ipAddress%29%0D%0A%7C%20project%20properties.ipAddress%0D%0A%7C%20limit%20100" target="_blank">portal.azure.us</a>

+- Azure operated by 21Vianet portal: <a href="https://portal.azure.cn/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20where%20type%20contains%20%27publicIPAddresses%27%20and%20isnotempty%28properties.ipAddress%29%0D%0A%7C%20project%20properties.ipAddress%0D%0A%7C%20limit%20100" target="_blank">portal.azure.cn</a>

+## Count resources that have IP addresses configured by subscription

+Using the previous example query and adding `summarize` and `count()`, we can get a list by subscription of resources with configured IP addresses.

+```kusto

+Resources

+| where type contains 'publicIPAddresses' and isnotempty(properties.ipAddress)

+| summarize count () by subscriptionId

+```

+# [Azure CLI](#tab/azure-cli)

+```azurecli-interactive

+az graph query -q "Resources | where type contains 'publicIPAddresses' and isnotempty(properties.ipAddress) | summarize count () by subscriptionId"

+```

+# [Azure PowerShell](#tab/azure-powershell)

+```azurepowershell-interactive

+Search-AzGraph -Query "Resources | where type contains 'publicIPAddresses' and isnotempty(properties.ipAddress) | summarize count () by subscriptionId"

+```

+# [Portal](#tab/azure-portal)

+Try this query in Azure Resource Graph Explorer:

+- Azure portal: <a href="https://portal.azure.com/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20where%20type%20contains%20%27publicIPAddresses%27%20and%20isnotempty%28properties.ipAddress%29%0D%0A%7C%20summarize%20count%20%28%29%20by%20subscriptionId" target="_blank">portal.azure.com</a>

+- Azure Government portal: <a href="https://portal.azure.us/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20where%20type%20contains%20%27publicIPAddresses%27%20and%20isnotempty%28properties.ipAddress%29%0D%0A%7C%20summarize%20count%20%28%29%20by%20subscriptionId" target="_blank">portal.azure.us</a>

+- Azure operated by 21Vianet portal: <a href="https://portal.azure.cn/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20where%20type%20contains%20%27publicIPAddresses%27%20and%20isnotempty%28properties.ipAddress%29%0D%0A%7C%20summarize%20count%20%28%29%20by%20subscriptionId" target="_blank">portal.azure.cn</a>

+## List resources with a specific tag value

+We can limit the results by properties other than the Azure resource type, such as a tag. In this

+example, we're filtering for Azure resources with a tag name of **Environment** that have a value

+of **Internal**.

+```kusto

+Resources

+| where tags.environment=~'internal'

+| project name

+```

+# [Azure CLI](#tab/azure-cli)

+```azurecli-interactive

+az graph query -q "Resources | where tags.environment=~'internal' | project name"

+```

+# [Azure PowerShell](#tab/azure-powershell)

+```azurepowershell-interactive

+Search-AzGraph -Query "Resources | where tags.environment=~'internal' | project name"

+```

+# [Portal](#tab/azure-portal)

+Try this query in Azure Resource Graph Explorer:

+- Azure portal: <a href="https://portal.azure.com/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20where%20tags.environment%3D~%27internal%27%0D%0A%7C%20project%20name" target="_blank">portal.azure.com</a>

+- Azure Government portal: <a href="https://portal.azure.us/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20where%20tags.environment%3D~%27internal%27%0D%0A%7C%20project%20name" target="_blank">portal.azure.us</a>

+- Azure operated by 21Vianet portal: <a href="https://portal.azure.cn/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20where%20tags.environment%3D~%27internal%27%0D%0A%7C%20project%20name" target="_blank">portal.azure.cn</a>

+To also provide what tags the resource has and their values, add the property **tags** to the

+`project` keyword.

+```kusto

+Resources

+| where tags.environment=~'internal'

+| project name, tags

+```

+# [Azure CLI](#tab/azure-cli)

+```azurecli-interactive

+az graph query -q "Resources | where tags.environment=~'internal' | project name, tags"

+```

+# [Azure PowerShell](#tab/azure-powershell)

+```azurepowershell-interactive

+Search-AzGraph -Query "Resources | where tags.environment=~'internal' | project name, tags"

+```

+# [Portal](#tab/azure-portal)

+Try this query in Azure Resource Graph Explorer:

+- Azure portal: <a href="https://portal.azure.com/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20where%20tags.environment%3D~%27internal%27%0D%0A%7C%20project%20name%2C%20tags" target="_blank">portal.azure.com</a>

+- Azure Government portal: <a href="https://portal.azure.us/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20where%20tags.environment%3D~%27internal%27%0D%0A%7C%20project%20name%2C%20tags" target="_blank">portal.azure.us</a>

+- Azure operated by 21Vianet portal: <a href="https://portal.azure.cn/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20where%20tags.environment%3D~%27internal%27%0D%0A%7C%20project%20name%2C%20tags" target="_blank">portal.azure.cn</a>

+## List all storage accounts with specific tag value

+Combine the filter functionality of the previous example and filter Azure resource type by **type**

+property. This query also limits our search for specific types of Azure resources with a specific

+tag name and value.

+```kusto

+Resources

+| where type =~ 'Microsoft.Storage/storageAccounts'

+| where tags['tag with a space']=='Custom value'

+```

+# [Azure CLI](#tab/azure-cli)

+```azurecli-interactive

+az graph query -q "Resources | where type =~ 'Microsoft.Storage/storageAccounts' | where tags['tag with a space']=='Custom value'"

+```

+# [Azure PowerShell](#tab/azure-powershell)

+```azurepowershell-interactive

+Search-AzGraph -Query "Resources | where type =~ 'Microsoft.Storage/storageAccounts' | where tags['tag with a space']=='Custom value'"

+```

+# [Portal](#tab/azure-portal)

+Try this query in Azure Resource Graph Explorer:

+- Azure portal: <a href="https://portal.azure.com/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20where%20type%20%3D~%20%27Microsoft.Storage%2FstorageAccounts%27%0D%0A%7C%20where%20tags%5B%27tag%20with%20a%20space%27%5D%3D%3D%27Custom%20value%27" target="_blank">portal.azure.com</a>

+- Azure Government portal: <a href="https://portal.azure.us/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20where%20type%20%3D~%20%27Microsoft.Storage%2FstorageAccounts%27%0D%0A%7C%20where%20tags%5B%27tag%20with%20a%20space%27%5D%3D%3D%27Custom%20value%27" target="_blank">portal.azure.us</a>

+- Azure operated by 21Vianet portal: <a href="https://portal.azure.cn/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20where%20type%20%3D~%20%27Microsoft.Storage%2FstorageAccounts%27%0D%0A%7C%20where%20tags%5B%27tag%20with%20a%20space%27%5D%3D%3D%27Custom%20value%27" target="_blank">portal.azure.cn</a>

+> [!NOTE]

+> This example uses `==` for matching instead of the `=~` conditional. `==` is a case sensitive match.

+## List all tags and their values

+This query lists tags on management groups, subscriptions, and resources along with their values.

+The query first limits to resources where tags `isnotempty()`, limits the included fields by only

+including _tags_ in the `project`, and `mvexpand` and `extend` to get the paired data from the

+property bag. It then uses `union` to combine the results from _ResourceContainers_ to the same

+results from _Resources_, giving broad coverage to which tags are fetched. Last, it limits the

+results to `distinct` paired data and excludes system-hidden tags.

+```kusto

+ResourceContainers

+| where isnotempty(tags)

+| project tags

+| mvexpand tags

+| extend tagKey = tostring(bag_keys(tags)[0])

+| extend tagValue = tostring(tags[tagKey])

+| union (

+ resources

+ | where isnotempty(tags)

+ | project tags

+ | mvexpand tags

+ | extend tagKey = tostring(bag_keys(tags)[0])

+ | extend tagValue = tostring(tags[tagKey])

+)

+| distinct tagKey, tagValue

+| where tagKey !startswith "hidden-"

+```

+# [Azure CLI](#tab/azure-cli)

+```azurecli-interactive

+az graph query -q "ResourceContainers | where isnotempty(tags) | project tags | mvexpand tags | extend tagKey = tostring(bag_keys(tags)[0]) | extend tagValue = tostring(tags[tagKey]) | union (resources | where notempty(tags) | project tags | mvexpand tags | extend tagKey = tostring(bag_keys(tags)[0]) | extend tagValue = tostring(tags[tagKey]) ) | distinct tagKey, tagValue | where tagKey !startswith "hidden-""

+```

+# [Azure PowerShell](#tab/azure-powershell)

+```azurepowershell-interactive

+Search-AzGraph -Query "ResourceContainers | where isnotempty(tags) | project tags | mvexpand tags | extend tagKey = tostring(bag_keys(tags)[0]) | extend tagValue = tostring(tags[tagKey]) | union (resources | where notempty(tags) | project tags | mvexpand tags | extend tagKey = tostring(bag_keys(tags)[0]) | extend tagValue = tostring(tags[tagKey]) ) | distinct tagKey, tagValue | where tagKey !startswith "hidden-""

+```

+# [Portal](#tab/azure-portal)

+Try this query in Azure Resource Graph Explorer:

+- Azure portal: <a href="https://portal.azure.com/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/ResourceContainers%20%0A%7C%20where%20isnotempty%28tags%29%0A%7C%20project%20tags%0A%7C%20mvexpand%20tags%0A%7C%20extend%20tagKey%20%3D%20tostring%28bag_keys%28tags%29%5B0%5D%29%0A%7C%20extend%20tagValue%20%3D%20tostring%28tags%5BtagKey%5D%29%0A%7C%20union%20%28%0A%20%20%20%20resources%0A%20%20%20%20%7C%20where%20isnotempty%28tags%29%0A%20%20%20%20%7C%20project%20tags%0A%20%20%20%20%7C%20mvexpand%20tags%0A%20%20%20%20%7C%20extend%20tagKey%20%3D%20tostring%28bag_keys%28tags%29%5B0%5D%29%0A%20%20%20%20%7C%20extend%20tagValue%20%3D%20tostring%28tags%5BtagKey%5D%29%0A%29%0A%7C%20distinct%20tagKey%2C%20tagValue%0A%7C%20where%20tagKey%20%21startswith%20%22hidden-%22" target="_blank">portal.azure.com</a>

+- Azure Government portal: <a href="https://portal.azure.us/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/ResourceContainers%20%0A%7C%20where%20isnotempty%28tags%29%0A%7C%20project%20tags%0A%7C%20mvexpand%20tags%0A%7C%20extend%20tagKey%20%3D%20tostring%28bag_keys%28tags%29%5B0%5D%29%0A%7C%20extend%20tagValue%20%3D%20tostring%28tags%5BtagKey%5D%29%0A%7C%20union%20%28%0A%20%20%20%20resources%0A%20%20%20%20%7C%20where%20isnotempty%28tags%29%0A%20%20%20%20%7C%20project%20tags%0A%20%20%20%20%7C%20mvexpand%20tags%0A%20%20%20%20%7C%20extend%20tagKey%20%3D%20tostring%28bag_keys%28tags%29%5B0%5D%29%0A%20%20%20%20%7C%20extend%20tagValue%20%3D%20tostring%28tags%5BtagKey%5D%29%0A%29%0A%7C%20distinct%20tagKey%2C%20tagValue%0A%7C%20where%20tagKey%20%21startswith%20%22hidden-%22" target="_blank">portal.azure.us</a>

+- Azure operated by 21Vianet portal: <a href="https://portal.azure.cn/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/ResourceContainers%20%0A%7C%20where%20isnotempty%28tags%29%0A%7C%20project%20tags%0A%7C%20mvexpand%20tags%0A%7C%20extend%20tagKey%20%3D%20tostring%28bag_keys%28tags%29%5B0%5D%29%0A%7C%20extend%20tagValue%20%3D%20tostring%28tags%5BtagKey%5D%29%0A%7C%20union%20%28%0A%20%20%20%20resources%0A%20%20%20%20%7C%20where%20isnotempty%28tags%29%0A%20%20%20%20%7C%20project%20tags%0A%20%20%20%20%7C%20mvexpand%20tags%0A%20%20%20%20%7C%20extend%20tagKey%20%3D%20tostring%28bag_keys%28tags%29%5B0%5D%29%0A%20%20%20%20%7C%20extend%20tagValue%20%3D%20tostring%28tags%5BtagKey%5D%29%0A%29%0A%7C%20distinct%20tagKey%2C%20tagValue%0A%7C%20where%20tagKey%20%21startswith%20%22hidden-%22" target="_blank">portal.azure.cn</a>

+## Show unassociated network security groups

+This query returns Network Security Groups (NSGs) that aren't associated to a network interface or

+subnet.

+```kusto

+Resources

+| where type =~ "microsoft.network/networksecuritygroups" and isnull(properties.networkInterfaces) and isnull(properties.subnets)

+| project name, resourceGroup

+| sort by name asc

+```

+# [Azure CLI](#tab/azure-cli)

+```azurecli-interactive

+az graph query -q "Resources | where type =~ 'microsoft.network/networksecuritygroups' and isnull(properties.networkInterfaces) and isnull(properties.subnets) | project name, resourceGroup | sort by name asc"

+```

+# [Azure PowerShell](#tab/azure-powershell)

+```azurepowershell-interactive

+Search-AzGraph -Query "Resources | where type =~ 'microsoft.network/networksecuritygroups' and isnull(properties.networkInterfaces) and isnull(properties.subnets) | project name, resourceGroup | sort by name asc"

+```

+# [Portal](#tab/azure-portal)

+Try this query in Azure Resource Graph Explorer:

+- Azure portal: <a href="https://portal.azure.com/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20where%20type%20%3D~%20%22microsoft.network%2Fnetworksecuritygroups%22%20and%20isnull%28properties.networkInterfaces%29%20and%20isnull%28properties.subnets%29%0D%0A%7C%20project%20name%2C%20resourceGroup%0D%0A%7C%20sort%20by%20name%20asc" target="_blank">portal.azure.com</a>

+- Azure Government portal: <a href="https://portal.azure.us/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20where%20type%20%3D~%20%22microsoft.network%2Fnetworksecuritygroups%22%20and%20isnull%28properties.networkInterfaces%29%20and%20isnull%28properties.subnets%29%0D%0A%7C%20project%20name%2C%20resourceGroup%0D%0A%7C%20sort%20by%20name%20asc" target="_blank">portal.azure.us</a>

+- Azure operated by 21Vianet portal: <a href="https://portal.azure.cn/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade/query/Resources%0D%0A%7C%20where%20type%20%3D~%20%22microsoft.network%2Fnetworksecuritygroups%22%20and%20isnull%28properties.networkInterfaces%29%20and%20isnull%28properties.subnets%29%0D%0A%7C%20project%20name%2C%20resourceGroup%0D%0A%7C%20sort%20by%20name%20asc" target="_blank">portal.azure.cn</a>

+## List Azure Monitor alerts ordered by severity

+```kusto

+alertsmanagementresources

+| where type =~ 'microsoft.alertsmanagement/alerts'ΓÇ»

+| where todatetime(properties.essentials.startDateTime) >= ago(2h) and todatetime(properties.essentials.startDateTime) < now()

+| project Severity = tostring(properties.essentials.severity)

+| summarize AlertsCount = count() by Severity

+

+```

+## List Azure Monitor alerts ordered by severity and alert state

+```kusto

+alertsmanagementresources

+| where type =~ 'microsoft.alertsmanagement/alerts'ΓÇ»

+| where todatetime(properties.essentials.startDateTime) >= ago(2h) and todatetime(properties.essentials.startDateTime) < now()

+| project Severity = tostring(properties.essentials.severity),

+ AlertState= tostring(properties.essentials.alertState)

+| summarize AlertsCount = count() by Severity, AlertState

+```

+## List Azure Monitor alerts ordered by severity, monitor service, and target resource type

+```kusto

+alertsmanagementresources

+| where type =~ 'microsoft.alertsmanagement/alerts'ΓÇ»

+| where todatetime(properties.essentials.startDateTime) >= ago(2h) and todatetime(properties.essentials.startDateTime) < now()

+| project Severity = tostring(properties.essentials.severity),

+MonitorCondition = tostring(properties.essentials.monitorCondition),

+ObjectState = tostring(properties.essentials.alertState),

+MonitorService = tostring(properties.essentials.monitorService),

+AlertRuleId = tostring(properties.essentials.alertRule),

+SignalType = tostring(properties.essentials.signalType),

+TargetResource = tostring(properties.essentials.targetResourceName),

+TargetResourceType = tostring(properties.essentials.targetResourceName), idΓÇ»

+| summarize AlertsCount = count() by Severity, MonitorService , TargetResourceType

+```

+## Next steps

+- Learn more about the [query language](../concepts/query-language.md).

+- Learn more about how to [explore resources](../concepts/explore-resources.md).

+- See samples of [Advanced queries](advanced.md).

+In this quickstart, you create a shared query called _Count VMs by OS_. To try this query in SDK or in portal with Resource Graph Explorer, see [Samples - Count virtual machines by OS type](../resource-graph/samples/starter.md#count-virtual-machines-by-os-type).

+ :::image type="content" source="./media/control-egress-traffic-from-hdinsight-on-aks-clusters/create-firewall-page.png" alt-text="Screenshot showing create a firewall basic tab." lightbox="./media/control-egress-traffic-from-hdinsight-on-aks-clusters/create-firewall-page.png":::

+ :::image type="content" source="./media/control-egress-traffic-from-hdinsight-on-aks-clusters/set-up-firewall.png" alt-text="Screenshot showing how to set up firewall." lightbox="./media/control-egress-traffic-from-hdinsight-on-aks-clusters/set-up-firewall.png":::

+ :::image type="content" source="./media/control-egress-traffic-from-hdinsight-on-aks-clusters/create-route-table.png" alt-text="Screenshot showing how to create route table." lightbox="./media/control-egress-traffic-from-hdinsight-on-aks-clusters/create-route-table.png":::

+ :::image type="content" source="./media/control-egress-traffic-from-hdinsight-on-aks-clusters/associate-subnet.png" alt-text="Screenshot showing how to associate subnet." lightbox="./media/control-egress-traffic-from-hdinsight-on-aks-clusters/associate-subnet.png":::

+2. Connect using administrator (tenant administrator) credentials.

+1. Create a security group.

+ 1. Select **Administrator**, and then **Select**.

+1. On the **Connect to Microsoft Entra ID** page, enter the username and password of the administrator for Microsoft Entra ID. Use the username `fabrikamazureadmin@hdifabrikam.com` that you created when you configured your Active Directory tenant. Then select **Next**.

+The Administrator of the Microsoft Entra tenant should enable Microsoft Entra ID to use password hashes for ADFS backed users. Apply the `AllowCloudPasswordValidationPolicy` as shown in the article [Use Enterprise Security Package in HDInsight](../domain-joined/apache-domain-joined-architecture.md).

+

+

+To specify the Azure storage account in JSON view, you need to use the [REST API](/rest/api/healthcareapis/fhir-services/create-or-update) to update the FHIR service.

+

+

+

+To configure export settings and create a Data Lake Storage Gen2 account, refer to [Configure settings for export](./configure-export-data.md).

+3. Select scopes (permissions) that the confidential client application will ask for on behalf of a user. Select **Dicom.ReadWrite**, and then select **Add permissions**.

+ [  ](dicom/media/dicom-select-scope.png#lightbox)

+ systemAssignedManagedIdentitySettings:{

+ audience: "https://eventgrid.azure.net"

+ }

+ mode: Enabled

+ systemAssignedManagedIdentitySettings: {

+ audience: "https://eventgrid.azure.net"

+ }

+ mode: Enabled

+ Title: Use Azure Policy to secure Azure Load Testing

+description: Learn how to use Azure Policy to secure your Azure Load Testing resources

+

+# Secure your Azure Load Testing resources with Azure Policy

+[Azure Policy](../governance/policy/overview.md) is a governance tool that allows you to enforce organizational standards and to assess compliance at-scale. The policies allow you to perform audits, real-time enforcement, and remediation of your Azure environment. Audit results are available in your compliance dashboard. In the dashboard, you can review which resources and components are compliant and noncompliant, and take remediation actions. For more information, see the [Overview of the Azure Policy service](../governance/policy/overview.md).

+Use Azure policy to manage your load testing resources in scenarios like:

+- **Private tests**

+ - When you want to ensure that load tests in Azure Load Testing can be created only in private test traffic mode.

+ - When you want to ensure that the resources like virtual machines, Network Security Group (NSG), Azure load balancer and public IP created by the Azure Load Testing service get created only in a set of virtual networks in your subscription.

+- **Customer-managed keys**

+ - You want to use customer-managed keys(CMK) to manage the encryption at rest for your Azure Load Testing resource.

+## Types of policy effects and guidance

+When enforcing a policy, you can determine its [effect](../governance/policy/policy-glossary.md#effect) over the resulting evaluation. Each policy definition allows you to choose one of multiple [effects](../governance/policy/concepts/effect-basics.md). Therefore, policy enforcement may behave differently depending on the type of operation you are evaluating. In general, the effects for policies that integrate with Azure Load Testing include:

+- [**Audit**](../governance/policy/concepts/effects.md#audit): When the effect of a policy is set to `Audit`, the policy doesn't cause any breaking changes to your environment. The policy alerts you to Azure Load Testing resources that don't comply with the policy definitions within a specified scope. Components are marked as noncompliant in the policy compliance dashboard. The `Audit` value is default if no policy effect is selected.

+- [**Deny**](../governance/policy/concepts/effects.md#deny): When the effect of a policy is set to `Deny`, the policy blocks the creation of a new test run that doesn't comply with the policy definition. Existing noncompliant test runs and resources are not affected. The 'Audit' capabilities continue to operate.

+- [**Disabled**](../governance/policy/concepts/effects.md#disabled): When the effect of a policy is set to `Disabled`, the policy gets evaluated but enforcement doesn't take effect. This effect is useful to disable the policy for a specific condition as opposed to all conditions.

+## Built-in policy definitions

+Predetermined policies, referred to as 'built-ins', allow governance over your load testing resources so you don't have to write custom policies in JSON format to enforce commonly used rules associated with best security practices. Even though built-ins are predetermined, certain policies require you to define parameters. For example, by defining the effect of the policy, you can audit the load testing resource before enforcing a deny operation to prevent outages. See [built-in policies for Azure Load Testing](../governance/policy/samples/built-in-policies.md#azure-load-testing) to view the current built-in policies available for Azure Load Testing.

+## Enable and manage a load testing policy

+### Select a policy definition

+1. Log in to the Azure portal.

+1.Search **Policy** in the search bar and select **Policy**.

+ 

+1. In the **Policy** window, select **Definitions**.

+ 

+1. In the *Category* filter, unselect **Select All** and select **Azure Load Testing**.

+ 

+1. Now you should be able to see all the policies available for Azure Load Testing. Make sure you read and understand the [policy guidance](#types-of-policy-effects-and-guidance) and select a policy you want to assign to a scope.

+ 

+### Assign a policy to a scope

+1. Select a policy to apply. In this example, the **Load tests using Azure Load Testing should be run only against private endpoints from within a virtual network** policy is shown. Click the **Assign** button in the top-left corner.

+ 

+

+1. Select the subscription where you want the policy to be applied.

+ - You can choose to restrict the scope to only a single resource group within a subscription.

+

+ - If you want to apply the policy to the entire subscription and exclude some resource groups, you can also configure an exclusion list.

+

+ - Set the policy enforcement selector to **Enabled** if you want the effect of the policy (audit or deny) to occur or **Disabled** to turn the effect (audit or deny) off.

+ 

+1. To specify the policy effect, select the parameters tab at the top of the screen.

+

+ 1. Uncheck the *Only show parameters that need input or review* option.

+

+ 1. Select **Audit** or **Deny** or **Disabled** for the effect of the policy following the [policy guidance](#types-of-policy-effects-and-guidance).

+

+ 1. Select the **Review + create** button.

+ 

+## Feature limitations

+- The **Load tests using Azure Load Testing should be run only against private endpoints from within a virtual network** policy is only applicable for load tests that are triggered after the policy assignment. If the "audit" effect is selected, the Azure Load Testing resources with load test runs that are violating the policy will be shown as noncompliant. To remediate, delete the test runs that are violating the policy and reassign the policy.

+- Assigning a policy with a "deny" effect may take from 30 mins (on average) or up to one hour to start denying the creation of non-compliant resources. The delay refers to following scenarios:

+ - A new policy is assigned.

+ - An existing policy assignment is modified.

+ - A new Azure Load Testing resource is created in a scope with existing policies.

+- The policy evaluation of existing components in an Azure Load Testing resource may take up to one hour (one average) or up to two hours before compliance results are viewable in the portal.

+- If the compliance results show up as "Not Started" it may be due to the following reasons:

+ - The policy evaluation is not completed. Initial evaluation latency can take up to two hours.

+ - There are no Azure Load Testing resources in the scope of the policy assignment.

+## Next steps

+- Learn more about the [Azure Policy service](../governance/policy/overview.md)

+- See Key Vault samples: [Azure Load Testing built-in policy definitions](../governance/policy/samples/built-in-policies.md#azure-load-testing)

+Save the following example as *azuredeploy.json*:

+```azurecli-interactive

+az deployment group create \

+ --name aroDeployment \

+ --resource-group $RESOURCEGROUP \

+ --template-file azuredeploy.json \

+ --parameters location=$LOCATION \

+ --parameters domain=$DOMAIN \

+ --parameters pullSecret=$PULL_SECRET \

+ --parameters clusterName=$ARO_CLUSTER_NAME \

+ --parameters aadClientId=$SP_CLIENT_ID \

+ --parameters aadObjectId=$SP_OBJECT_ID \

+ --parameters aadClientSecret=$SP_CLIENT_SECRET \

+ --parameters rpObjectId=$ARO_RP_SP_OBJECT_ID

+```

+<li>Set up the OpenShift Ingress cluster operator and the default IngressController. Provide the ability to add additional customer-managed IngressControllers and set the default IngressController as private.

+<li>Install, configure, and maintain the OVN-Kubernetes network plugin and related components for default internal pod traffic.

+Access is currently limited. For now, we're working with customers that have an existing technical partnership with Microsoft and that have targeted specific use cases. In addition to applying for initial access, all requests for Azure Operator 5G Core Preview are required to go through a use-case review.

+**Related content**

+- [What is Azure Operator 5G Core?](overview-product.md)

+- [Deploy Azure Operator 5G Core](quickstart-deploy-5g-core.md)

+- [Deployment order for clusters, network functions, and observability.](concept-deployment-order.md)

+|On-premises connectivity to Oracle database cluster via vWAN attached SD-WAN|No|

+ Title: Use Confluent Connectors in Azure (preview)

+description: Learn how to use Confluent Connectors in Azure (preview) to connect an instance of Apache Kafka® & Apache Flink on Confluent Cloud to Azure Blob Storage.

+# customerIntent: As a developer I want use Confluent Connectors in Azure

+# Use Confluent Connectors in Azure (preview)

+Confluent Cloud offers a solution designed to help developers connect their Confluent clusters to popular data sources and sinks. This solution is available in Azure using the Confluent Connectors feature.

+> [!NOTE]

+> Currently, Apache Kafka® & Apache Flink® on Confluent Cloud™ - An Azure Native ISV Service only supports Confluent Connectors for Azure Blob Storage, including source and sink connectors.

+In this guide, you learn how to connect an instance of Apache Kafka & Apache Flink on Confluent Cloud to Azure Blob Storage.

+## Prerequisites

+* An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free)

+* An [Azure Blob Storage](/azure/storage/blobs/storage-quickstart-blobs-portal) resource.

+* A [Confluent organization](./create.md) created on Azure Native ISV Services

+* The Azure subscription Owner or subscription Contributor role is required. If necessary, contact your subscription administrator to assign you one of these roles.

+* A [configured environment, cluster, and topic](https://docs.confluent.io/cloud/current/get-started/https://docsupdatetracker.net/index.html) inside the confluent organization. If you don't have one already, go to Confluent to create these constructs.

+## Create a Confluent sink Connector for Azure Blob Storage (preview)

+Follow these steps to create a sink connector for Azure Blob Storage.

+1. Open your Confluent organization and select **Confluent** > **Confluent Connectors (Preview)** from the left menu.

+ :::image type="content" source="./media/confluent-connectors/create-new-connector.png" alt-text="Screenshot from the Azure portal showing the Confluent Connectors menu.":::

+2. Select **Create new connector**. A connector pane opens up on the right hand side. Select or enter the following information under **Create a new connector**.

+### Basics

+Set the basic settings below, then select **Next**.

+| Setting | Example value | Description |

+||||

+| **Connector Type** | *Sink* | A sink connector pulls data from Kafka topics and pushes it into an external database or system for storage or further processing. |

+| **Connector Class** | *Azure Blob Storage Sink* | Select the Azure service you want to connect. Azure Blob Storage is currently the only available option. |

+| **Connector name** | *blob-sink-connector* | Enter a name for your connector. |

+| **Environment** | *env1* | Select the environment where you would like to create this connector. |

+| **Cluster** | *cluster1* | Select the cluster where you would like to create this connector. |

+| **Topics** | *topic_1* | Select one or more topics from where the data needs to be pulled. If there are no topics in the cluster in the selected cluster, create one by selecting **new topic**, which will open the Confluent website. |

+| **Subscription** | *My subscription* | Select the Azure subscription for the Azure Blob Storage where the data needs to be pushed. |

+| **Storage Account** | *storageaccount1* | Select the storage account where the data needs to be pushed. If needed, select **Create new** to create a new [storage account](../../storage/common/storage-account-create.md#basics-tab). |

+| **Container** | *container1* | Select the container within the storage account where the data needs to be pushed. If needed, [create a new container](../../storage/blobs/storage-quickstart-blobs-portal.md#create-a-container). |

+### Authentication

+Configure the authentication of your Kafka cluster via API keys. **Create New** is selected by default, which means that API keys will be automatically generated and configured when the connector is created. Proceed to the next tab.

+### Configuration

+| Setting | Example value | Description |

+||||

+| **Input Data Format** | *JSON* | Select an input Kafka record data format type among the following options: AVRO, JSON, string, Protobuf. |

+| **Output Data Format** | *JSON* | Select an output data format among the following options: AVRO, JSON, string, Protobuf. |

+| **Time interval** | *Hourly* | Select the time interval in which you would like the data to be grouped. Choose between hourly and daily. |

+| **Flush size** | *1000* | Optionally enter a flush size. Default flush size is 1000. |

+| **Number of tasks** | *1* | Optionally enter the maximum number of tasks you would like your connector to support simultaneously. Default is 1. |

+Select **Review + create** to continue.

+### Review + Create

+Review the listed settings for your new connector to ensure that the details are good to go. Once done, select **Create** to begin the connector deployment.

+A notification is displayed on the top right, calling out the status of the deployment. Once it shows "created", refresh the **Confluent Connectors (Preview)** page. You can now see the new connector tile on this page.

+## Create a Confluent source Connector for Azure Blob Storage (preview)

+1. Open your Confluent organization and select **Confluent** > **Confluent Connectors (Preview)** from the left menu.

+ :::image type="content" source="./media/confluent-connectors/create-new-connector.png" alt-text="Screenshot from the Azure portal showing the Confluent Connectors menu.":::

+2. Select **Create new connector**. A connector pane opens up on the right hand side. Select or enter the following information under **Create a new connector**.

+### Basics

+Set the basic settings below, then select **Next**.

+| Setting | Example value | Description |

+||-|-|

+| **Connector Type** | *Source* | A source connector pulls data from an external database or system and pushes it into Kafka topics. |

+| **Connector Class** | *Azure Blob Storage* | Select the Azure service you want to connect. Azure Blob Storage is currently the only available option. |

+| **Connector name** | *blob-source-connector* | Enter a name for your connector. |

+| **Environment** | *env1* | Select the environment where you would like to create this connector. |

+| **Cluster** | *cluster1* | Select the cluster where you would like to create this connector. |

+| **Subscription** | *My subscription* | Select the Azure subscription for the Azure Blob Storage where the data needs to be pulled. |

+| **Storage Account** | *storageaccount1* | Select the storage account where the data needs to be pulled. If needed, select **Create new** to create a new [storage account](../../storage/common/storage-account-create.md#basics-tab). |

+| **Container** | *container1* | Select the container within the storage account where the data needs to be pushed. If needed, [create a new container](../../storage/blobs/storage-quickstart-blobs-portal.md#create-a-container). |

+### Authentication

+Configure the authentication of your Kafka cluster via API keys. **Create New** is selected by default, which means that API keys will be automatically generated and configured when the connector is created. Proceed to the next tab.

+### Configuration

+| Setting | Example value | Description |

+|--|--||

+| **Input Data Format** | *JSON* | Select an input Kafka record data format type among the following options: AVRO, JSON, string, Protobuf. |

+| **Output Data Format** | *JSON* | Select an output data format among the following options: AVRO, JSON, string, Protobuf. |

+| **Topic name and regex** | `my-topic:.*\.json+` | Configure the topic name and the regex pattern of your messages to ensure they are mapped. For example, `*my-topic:.*\.json+` moves all the files ending with .json into *my-topic*. |

+| **Number of tasks** | *1* | Optionally enter the maximum number of tasks you would like your connector to support simultaneously. Default is 1. |

+Select **Review + create** to continue.

+### Review + Create

+Review the listed settings for your new connector to ensure that the details are good to go. Once done, select **Create** to begin the connector deployment.

+A notification is displayed on the top right, calling out the status of the deployment. Once it shows *completed*, refresh the **Confluent Connectors** page. You can now see the new connector tile on this page.

+## Manage Azure Confluent Connectors (preview)

+1. Open your Confluent organization and select **Confluent** > **Confluent Connectors** from the left menu.

+1. Select your **Environment** and **Cluster** from the dropdown menu. The Azure portal now displays the list of Azure connectors in the respective environment and cluster. The following optional actions are available:

+ * Filter connectors by **Type** (**Source** or **Sink**) and **Status** (**Running**, **Failed**, **Provisioning, or **Paused**).

+ * Search for a connector by entering a name in the search bar on the right hand side.

+ :::image type="content" source="./media/confluent-connectors/display-connectors.png" alt-text="Screenshot of the Azure platform that shows a list of existing connectors in the Confluent Connectors (Preview) tab." lightbox="./media/confluent-connectors/display-connectors.png":::

+ To learn more about a connector, select the connector tile, which opens the Confluent UI. On this page, you can see the connector health, throughput and other stats, edit, and delete the connector.

+## Next steps

+- For help with troubleshooting, see [Troubleshooting Apache Kafka & Apache Flink on Confluent Cloud solutions](troubleshoot.md).

+- Get started with Apache Kafka & Apache Flink on Confluent Cloud - An Azure Native ISV Service on

+ > [!div class="nextstepaction"]

+ > [Azure portal](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Confluent%2Forganizations)

+ > [!div class="nextstepaction"]

+ > [Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/confluentinc.confluent-cloud-azure-prod?tab=Overview)

+ Title: Connect a Confluent organization to Azure compute services

+description: Learn how to connect an instance of Apache Kafka® & Apache Flink® on Confluent Cloud™ to Azure compute services using Service Connector.

+# Connect a Confluent organization to Azure compute services

+In this guide, learn how to connect an instance of Apache Kafka® & Apache Flink® on Confluent Cloud™ - An Azure Native ISV Service, to Azure compute services, using Service Connector.

+This guide shows step by step instructions to connect an app deployed to Azure App Service to a Confluent organization. You can apply a similar method to connect your Confluent organization to other [compute services supported by Service Connector](../../service-connector/overview.md#what-services-are-supported-by-service-connector).

+* An existing Confluent organization. If you don't have one yet, refer to [create a Confluent organization](./create.md)

+ | **Source** | *Azure Marketplace Confluent resource (preview)* | Select **Azure Marketplace Confluent resource (preview)**. |

+ Title: Confluent developer resources and tools

+description: Learn about resources and developer tools available with Apache Kafka & Apache Flink on Confluent Cloud - An Azure Native ISV Service

+# CustomerIntent: As a developer implementing Apache Kafka & Apache Flink on Confluent Cloud , I want to know about other resources and tools available so that create applications that use Astro and Airflow for data orchestration.

+# What are some resources and tools you can use with Apache Kafka & Apache Flink on Confluent CloudΓäó?

+In this article, you learn about resources and tools for use with Apache Kafka® & Apache Flink® on Confluent Cloud™

+## Confluent links

+For help with using Apache Kafka & Apache Flink on Confluent Cloud, see the following links to the [Confluent site](https://docs.confluent.io/home/overview.html).

+To learn about billing options, see:

+* [Azure Marketplace with Pay As You Go](https://docs.confluent.io/cloud/current/billing/ccloud-azure-payg.html)

+* [Azure Marketplace with Commitments](https://docs.confluent.io/cloud/current/billing/ccloud-azure-ubb.html)

+To learn about managing the solutions, see:

+* [Create a Cluster in Confluent Cloud](https://docs.confluent.io/cloud/current/clusters/create-cluster.html)

+* [Confluent Cloud Environments](https://docs.confluent.io/current/cloud/using/environments.html)

+* [Confluent Cloud Basics](https://docs.confluent.io/current/cloud/using/cloud-basics.html)

+For support and terms, see:

+* [Confluent support](https://support.confluent.io)

+* [Terms of Service](https://www.confluent.io/confluent-cloud-tos)

+To learn more, see Confluent blog articles about Azure services that integrate with Confluent Cloud:

+* [Use Azure Cosmos DB sink connector](https://www.confluent.io/blog/announcing-confluent-cloud-azure-cosmos-db-connector)

+* [Set up secure networking with Azure Private Link](https://www.confluent.io/blog/how-to-set-up-secure-networking-in-confluent-with-azure-private-link)

+* [Search using Azure Cache for Redis and Azure Spring Cloud](https://www.confluent.io/blog/real-time-search-and-analytics-with-confluent-cloud-azure-redis-spring-cloud)

+* [Consume data with Confluent and Azure Databricks](https://www.confluent.io/blog/consume-avro-data-from-kafka-topics-and-secured-schema-registry-with-databricks-confluent-cloud-on-azure)

+## Next steps

+- For more help with using Apache Airflow on Astro, see the Apache Airflow on Astro documentation.

+- Get started with Apache Airflow on Astro ΓÇô An Azure Native ISV Service on

+ > [!div class="nextstepaction"]

+ > [Azure portal](https://ms.portal.azure.com/?Azure_Marketplace_Astronomer_assettypeoptions=%7B%22Astronomer%22%3A%7B%22options%22%3A%22%22%7D%7D#browse/Astronomer.Astro%2Forganizations)

+ > [!div class="nextstepaction"]

+ > [Azure Marketplace](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/astronomer1591719760654.astronomer?tab=Overview)

+## Unable to create a service connection to Confluent Kafka using Service Connector

+1. Ensure that your Confluent organization is up and running.

+1. If you have opted for the Confluent marketplace resource, please ensure that your Azure Native Confluent organization is still active and not in an unsubscribed status.

+1. If you're using a schema-based data type like AVRO, please ensure you also opt for configuring the schema registry.

+## Unable to see the list of connectors using Confluent connectors

+If you're not able to see the list of connectors, please make sure you have the Subscription owner or contributor rights. If not, contact your Azure subscription administrator.

+## Creating a Confluent connector fails

+1. If you're not able to create a connector, please check if you have the right permissions and all the mandatory fields are inputted.

+1. Check that the Azure service you're trying to connect to is configured properly.

+1. If the issue still persists, contact [Confluent support](https://support.confluent.io).

+## Not able to see my Confluent connector in the list

+1. If you just created a new connector and are not able to see it in the list of connectors, select **Refresh**.

+2. If you still do not see your connector, contact [Confluent support](https://support.confluent.io).

+By default, the route that's learned over ExpressRoute is preferred over the ones learned over VPN or SDWAN. You can configure routing preference to influence Route Server route selection. For more information, see [Routing preference](hub-routing-preference.md).

+ > For **SLES 15 SP4**, verify the versions of the `crmsh` and `pacemaker` packages to ensure they meet the minimum version requirements:

+ >

+ > - `crmsh-4.4.0+20221028.3e41444-150400.3.9.1` or later

+ > - `pacemaker-2.1.2+20211124.ada5c3b36-150400.4.6.1` or later

+ > [!IMPORTANT]

+ >

+ > - **SLES 12 SP5:** If python-azure-core-1.23.1-**2.12.8** is installed, the Azure fence agent may fail to start in a Pacemaker cluster, displaying the error message ΓÇ£Azure Resource Manager Python SDK not found or not accessibleΓÇ¥ in /var/log/messages. Follow the instructions in [SUSE KBA 21532](https://www.suse.com/support/kb/doc/?id=000021532) for more details.

+ > - **SLES 15 SP4+:** After updating the OS, the Azure libraries for Python might use the Python 3.11 interpreter, causing the Azure fence agent to fail to start in a Pacemaker cluster. The error message ΓÇ£Azure Resource Manager Python SDK not found or not accessibleΓÇ¥ will appear in /var/log/messages. Follow the instructions in [SUSE KBA 21504](https://www.suse.com/support/kb/doc/?id=000021504) for more details.

+10. **[A]** Install fence-agents-azure-arm package.

+ For **SLES 12 SP5**, if you are using `fence-agents` version `4.9.0+git.1624456340.8d746be9-3.41.3` or later, and for **SLES 15 SP4 and newer**, you need to install the `fence-agents-azure-arm` package. This package will include all required dependencies.

+ # On SLES 12 SP5 with fence-agents version 4.9.0+git.1624456340.8d746be9-3.41.3 or higher. You might need to activate the public cloud extension first

+ sudo zypper install fence-agents-azure-arm

+

+ # On SLES 15 SP4 and later. You might need to activate the public cloud extension first. In this example, the SUSEConnect

+ SUSEConnect -p sle-module-public-cloud/15.4/x86_64

+ sudo zypper install fence-agents-azure-arm

+11. **[A]** Install the Azure Python SDK and Azure Identity Python module.

+ For **SLES 12 SP5**, if your `fence-agents` version is lower then `4.9.0+git.1624456340.8d746be9-3.41.3`, and for **SLES 15 SP3 and below**, you need to install below additional packages.

+ # You might need to activate the public cloud extension first

+ SUSEConnect -p sle-module-public-cloud/12/x86_64

+ sudo zypper install python-azure-mgmt-compute

+ sudo zypper install python-azure-identity

+

+ > - On SLES 12 SP5, install version 4.6.2 or later of the *python-azure-mgmt-compute* package.

+12. **[A]** Set up the hostname resolution.

+13. **[1]** Install the cluster.

+14. **[2]** Add the node to the cluster.

+15. **[A]** Change the hacluster password to the same password.

+16. **[A]** Adjust the corosync settings.

+# Adjust the command with your subscription ID and resource group of the VM

+sudo crm configure primitive rsc_st_azure stonith:fence_azure_arm \

+params msi=true subscriptionId="subscription ID" resourceGroup="resource group" \

+pcmk_monitor_retries=4 pcmk_action_limit=3 power_timeout=240 pcmk_reboot_timeout=900 pcmk_delay_max=15 pcmk_host_map="prod-cl1-0:prod-cl1-0-vm-name;prod-cl1-1:prod-cl1-1-vm-name" \

+op monitor interval=3600 timeout=120

+sudo crm configure property stonith-timeout=900

+ sudo crm configure primitive health-azure-events ocf:heartbeat:azure-events-az \

+ meta allow-unhealthy-nodes=true failure-timeout=120s \

+ op start start-delay=60s \

+

+ Title: Best practices for protecting secrets

+ai-usage: ai-assisted

+This article provides guidance on protecting your secrets and reducing the risk of unauthorized access. Follow this guidance to help ensure you do not store sensitive information such as credentials in code, GitHub repositories, logs, continuous integration/continuous deployment (CI/CD) pipelines, and so forth. The guidance in this article is compiled from recommendations of individual services, as well as from the [Microsoft Cloud Security Benchmark](/security/benchmark/azure/introduction) (MCSB).

+## General best practices

+In today's digital landscape, securing sensitive information such as application credentials and secrets is paramount. A breach can lead to severe consequences, including data loss, financial penalties, and damage to reputation. Implementing a comprehensive secret management strategy is essential to mitigating these risks.

+### Conduct an audit to identify secrets

+Before you can secure your secrets, you need to know where they are. Conducting a thorough audit of your systems and applications helps identify all the sensitive information that needs protection. This includes passwords, API keys, connection strings, and other credentials. Regular audits ensure that new secrets are accounted for and existing ones are properly managed.

+It's important to note that even dynamically created secrets, such as OAuth tokens, which may be temporary, still need to be safeguarded with the same rigor as long-term secrets.

+### Avoid hardcoding secrets

+Embedding secrets directly into your code or configuration files is a significant security risk. If your codebase is compromised, so are your secrets. Instead, use environment variables or configuration management tools that keep secrets out of your source code. This practice minimizes the risk of accidental exposure and simplifies the process of updating secrets.

+Additionally, integrating secret retrieval into your automated deployment pipeline and using secret injection patterns can prevent secrets from being accidentally exposed in logs or version control, further enhancing the security of your deployment process.

+See [Recommendations for protecting application secrets](/azure/well-architected/security/application-secrets)

+### Use secure key stores

+Leveraging secure key stores ensures that your secrets are stored in a secure, encrypted location. Services like [Azure Key Vault](/azure/key-vault) and [Azure Managed HSM](/azure/key-vault/managed-hsm) provide robust security features, including access control, logging, and automatic rotation. This approach centralizes the management of your secrets and reduces the risk of unauthorized access.

+For even greater security, particularly for highly sensitive or critical secrets, consider encrypting the secret with a key stores in a Hardware Security Model (HSM), which offer enhanced protection compared to software-based secret stores. For an overview of all the key management offering in Azure and guidance on which to choose, see [Key management in Azure](key-management.md) and [How to choose the right key management solution](key-management-choose.md).

+### Implement secret scanning tools

+Regularly scanning your codebase for embedded secrets can prevent accidental exposure. Tools like [Azure DevOps Credential Scanner](/azure/devops/repos/security/github-advanced-security-secret-scanning) and [GitHub secret scanning](https://docs.github.com/en/code-security/secret-security/about-secret-scanning) feature can automatically detect and alert you to any secrets found in your repositories. Integrating these tools into your CI/CD pipeline ensures continuous monitoring. It is crucial to treat any secret found by these scanning tools as compromised, which means it should be immediately revoked and replaced to maintain the integrity of your security posture.

+### Leverage managed identities

+[Managed identities](/azure/active-directory/managed-identities-azure-resources/overview) in Azure provide a secure way for applications to authenticate to Azure services without storing credentials in the code. By enabling managed identities for Azure resources, you can securely access Azure Key Vault and other services, reducing the need to handle secrets manually. This approach not only minimizes the creation of secrets but also reduces the surface area for potential breaches, as the responsibility for managing credentials is delegated to the platform.

+### Apply granular access control

+Follow the principle of least privilege by applying granular access control to your secrets. Use [Azure role-based access control](/azure/role-based-access-control/overview) (RBAC) to ensure that only authorized entities have access to specific secrets. Regularly review and update access permissions to prevent unauthorized access. It's also advisable to implement distinct roles such as user, administrator, and auditor to manage access to secrets, ensuring that only trusted identities have the appropriate level of permission.

+See the [Azure Key Vault RBAC guide](/azure/key-vault/general/rbac-guide).

+### Rotate secrets regularly

+Secrets are susceptible to leakage or exposure over time. Regularly rotating your secrets reduces the risk of unauthorized access. You can [rotate secrets in Azure Key Vault](/azure/key-vault/secrets//tutorial-rotation) for certain secrets; for those that cannot be automatically rotated, establish a manual rotation process and ensure they are purged when no longer in use.

+Automating the secret rotation process and building redundancy into your secret management can ensure that rotation does not disrupt service availability. Implementing retry logic and concurrent access patterns in your code can help minimize issues during the rotation window.

+### Monitor and log access

+Enable logging and monitoring for your secret management system to track access and usage. Use [Key Vault logging](/azure/key-vault/key-vault-logging) and/or services like [Azure Monitor](/azure/azure-monitor/overview) and [Azure Event Grid](/azure/event-grid/overview), to monitor all activities related to your secrets. This provides visibility into who accessed your secrets and helps detect any suspicious behavior or potential security incidents. Maintaining detailed audit trails is critical for inspecting and validating access to secrets, which can help prevent identity theft, avoid repudiation, and reduce unnecessary exposure.

+### Implement network isolation

+Reduce the exposure of your secrets by implementing network isolation. Configure [firewalls and network security groups](/azure/key-vault/general/network-security) to restrict access to your key vaults. Only allow trusted applications and services to access your secrets, minimizing the attack surface and preventing unauthorized access. Additionally, consider using multiple key vaults to create isolation boundaries for different components, ensuring that if one component is compromised, it cannot gain control of other secrets or the entire workload.

+### Encrypt secrets at rest and in transit

+Ensure that your secrets are encrypted both at rest and in transit. [Azure Key Vault](/azure/key-vault/general/overview) securely stores secrets using envelope encryption, where Data Encryption Keys (DEKs) are encrypted by Key Encryption Keys (KEKs), providing an additional layer of security. This approach enhances protection against unauthorized access. Additionally, use secure communication protocols like HTTPS to encrypt data in transit between your applications and the key vault, ensuring that your secrets are safeguarded during both storage and transmission.

+In Azure, encryption at rest is implemented across various services using AES 256 encryption, while data in transit is secured through TLS and MACsec to prevent unauthorized access during transmission. These encryption practices provide comprehensive protection for your data, whether itΓÇÖs being stored or transmitted between systems. For more details, see [Encryption at rest and in transit](encryption-atrest.md).

+### Safe distribution of secrets

+When distributing secrets, ensure they are shared securely within and outside the organization. Use tools designed for secure sharing and include secret recovery procedures in your disaster recovery plans. If a key is compromised or leaked, it should be regenerated immediately. To further enhance security, use distinct keys for each consumer rather than sharing keys, even if they have similar access patterns. This practice simplifies key management and revocation, ensuring that compromised keys can be revoked without affecting other consumers.

+## Service-specific best practices

+Individual services may have additional best practices and guidance for protecting secrets. Here are some examples:

+- API Management: [Use named values in Azure API Management policies with Key Vault Integration](/azure/api-management/api-management-howto-properties)

+- App Service: [Use Key Vault references for App Service and Azure Functions](/azure/app-service/app-service-key-vault-references)

+- Application Gateway: [Configure an Application Gateway with TLS termination using the Azure portal](/azure/application-gateway/create-ssl-portal#configuration-tab)

+- Automation: [Manage credentials in Azure Automation](/azure/automation/shared-resources/credentials?tabs=azure-powershell)

+- Azure App Configuration: [Tutorial: Use Key Vault references in an ASP.NET Core app](/azure/azure-app-configuration/use-key-vault-references-dotnet-core)

+- Azure Bot Service: [Azure Bot Service encryption for data at rest](/azure/bot-service/bot-service-encryption)

+- Azure Center for SAP solutions: [Azure Center for SAP Solutions - Deployment - Prepare network for deployment](/azure/sap/center-sap-solutions/prepare-network#allowlist-key-vault)

+- Azure Communications Gateway: [Create and store secrets](/azure/communications-gateway/prepare-to-deploy#4-create-and-store-secrets)

+- Azure Communications Service: [Create and manage access tokens](/azure/communication-services/quickstarts/identity/access-tokens)

+- Azure Database for PostgreSQL - Flexible Server: [Azure Database for PostgreSQL - Flexible Server Data Encryption with a Customer-managed Key](/azure/postgresql/flexible-server/concepts-data-encryption)

+- Azure Databricks: [Key Vault Integration in Databricks](/azure/databricks/security/secrets/secret-scopes)

+- Azure DevTest Labs: [Enable user-assigned managed identities on lab virtual machines in Azure DevTest Labs](/azure/devtest-labs/enable-managed-identities-lab-vms)

+- Azure Front Door: [Azure Front Door Secrets](/azure/frontdoor/create-front-door-portal)

+- Azure HDInsight on AKS: [Resource prerequisites - Create Azure Key Vault](/azure/hdinsight-aks/prerequisites-resources)

+- Azure Information Protection: [Details for Azure Information Protection Key Vault Support](/azure/information-protection/byok-price-restrictions#azure-key-vault-key-storage)

+- Azure Kubernetes Service (AKS): [CSI Secret Store](/azure/aks/csi-secrets-store-driver)

+- Azure Managed Applications: [Access Key Vault secret when deploying Azure Managed Applications](/azure/azure-resource-manager/managed-applications/key-vault-access)

+- Azure OpenAI: [Develop Azure AI services applications with Key Vault](/azure/ai-services/use-key-vault?tabs=azure-cli&pivots=programming-language-csharp)

+- Azure Purview: [Credentials for source authentication in Microsoft Purview](/azure/purview/manage-credentials)

+- Azure SignalR Service: [Key Vault secret reference in URL template settings](/azure/azure-signalr/concept-upstream#key-vault-secret-reference-in-url-template-settings)

+- Azure Service Bus: [Authenticate and authorize an application with Microsoft Entra ID to access Azure Service Bus entities](../../service-bus-messaging/authenticate-application.md)

+- Azure Stack Edge: [Manage Azure Stack Edge secrets using Azure Key Vault](/azure/databox-online/azure-stack-edge-gpu-activation-key-vault)

+- Azure Stack Hub: [Rotate secrets](/azure-stack/operator/azure-stack-rotate-secrets)

+- Azure Web PubSub: [Add a custom certificate](/azure/azure-web-pubsub/howto-custom-domain?tabs=vault-access-policy%2Cazure-powershell#add-a-custom-certificate)

+- Backup: [Configure a vault to encrypt using customer-managed keys](/azure/backup/encryption-at-rest-with-cmk?tabs=portal#configure-a-vault-to-encrypt-using-customer-managed-keys)

+- Cognitive

+- Data Factory: [Store credentials in Azure Key Vault](/azure/data-factory/store-credentials-in-key-vault)

+- ExpressRoute: [Configure MACsec encryption for ExpressRoute Direct.](/azure/expressroute/expressroute-howto-macsec)

+- Functions: [Use Key Vault references for App Service and Azure Functions](/azure/app-service/app-service-key-vault-references?toc=%2Fazure%2Fazure-functions%2Ftoc.json)

+- Key Vault: [About Azure Key Vault secrets](/azure/key-vault/secrets/about-secrets)

+- Logic Apps: [Logic Apps Standard App Settings](/azure/app-service/app-service-key-vault-references?tabs=azure-cli)

+- Machine Learning Service: [Use authentication credential secrets in Azure Machine Learning jobs](/azure/machine-learning/how-to-use-secrets-in-runs)

+- SQL IaaS: [Configure Azure Key Vault integration for SQL Server on Azure VMs (Resource Manager)](/azure/azure-sql/virtual-machines/windows/azure-key-vault-integration-configure)

+- Storage: [Manage storage account keys with Key Vault and the Azure CLI](/azure/key-vault/secrets/overview-storage-keys)

+3. Log in to the server where you have installed Azure Log Analytics agent.

+ b. zpa.conf uses the port **22033** by default. Ensure this port isn't being used by any other source on your server

+ c. If you would like to change the default port for **zpa.conf** make sure that it shouldn't get conflict with default AMA agent ports I.e.(For example CEF uses TCP port **25226** or **25224**)

+* **Standard tier** - Suited for developer/test environments or low throughput scenarios where the applications are **not sensitive** to throttling.

+* **Premium tier** - Suited for production environments with varied throughput requirements where predictable latency and throughput are required. Additionally, Service Bus premium namespaces can be [auto scaled](automate-update-messaging-units.md) and can be enabled to accommodate spikes in throughput.

+The Service Bus clients that interact with the service, such as [ServiceBusClient](/dotnet/api/azure.messaging.servicebus.servicebusclient), [ServiceBusSender](/dotnet/api/azure.messaging.servicebus.servicebussender), [ServiceBusReceiver](/dotnet/api/azure.messaging.servicebus.servicebusreceiver), and [ServiceBusProcessor](/dotnet/api/azure.messaging.servicebus.servicebusprocessor), should be registered for dependency injection as singletons (or instantiated once and shared). ServiceBusClient (factory) can be registered for dependency injection with the [ServiceBusClientBuilderExtensions](https://github.com/Azure/azure-sdk-for-net/blob/master/sdk/servicebus/Azure.Messaging.ServiceBus/src/Compatibility/ServiceBusClientBuilderExtensions.cs).

+- [PowerShell](/powershell/module/az.servicebus/new-azservicebustopic)

+* Temporary queues

+* Temporary topics

+* Shared durable subscriptions

+* Unshared durable subscriptions

+* Shared non-durable subscriptions

+* Unshared non-durable subscriptions

+ Title: Integrate Azure AI services with service connector

+description: In this document, learn how to integrate Azure AI Services into your application with Service Connector

+# Integrate Azure AI services with Service Connector

+This page shows supported authentication methods and clients, and shows sample code you can use to connect Azure AI Services to other cloud services using Service Connector. You might still be able to connect to Azure AI Services using other methods. This page also shows default environment variable names and values you get when you create the service connection.

+## Supported compute services

+Service Connector can be used to connect the following compute services to Azure AI

+- Azure App Service

+- Azure Functions

+- Azure Container Apps

+- Azure Spring Apps

+## Supported authentication types and client types

+The table below shows which combinations of authentication methods and clients are supported for connecting your compute service to Azure AI Services using Service Connector. A ΓÇ£YesΓÇ¥ indicates that the combination is supported, while a ΓÇ£NoΓÇ¥ indicates that it is not supported.

+| Client type | System-assigned managed identity | User-assigned managed identity | Secret/connection string | Service principal |

+|-|:--:|::|::|:--:|

+| .NET | Yes | Yes | Yes | Yes |

+| Java | Yes | Yes | Yes | Yes |

+| Node.js | Yes | Yes | Yes | Yes |

+| Python | Yes | Yes | Yes | Yes |

+| None | Yes | Yes | Yes | Yes |

+This table indicates that all combinations of client types and authentication methods in the table are supported. All client types can use any of the authentication methods to connect to Azure AI Services using Service Connector.

+## Default environment variable names or application properties and sample code

+Use the connection details below to connect compute services to Azure AI Services. For more information about naming conventions, check the [Service Connector internals](concept-service-connector-internals.md#configuration-naming-convention) article.

+### System-assigned managed identity

+| Default environment variable name | Description | Sample value |

+| | - | |

+| AZURE_AISERVICES_OPENAI_BASE | Azure OpenAI endpoint | `https://<your-Azure-AI-Services-endpoint>.openai.azure.com/` |

+| AZURE_AISERVICES_COGNITIVESERVICES_ENDPOINT | Azure Cognitive Services token provider service | `https://<your-Azure-AI-Services-endpoint>.cognitiveservices.azure.com/` |

+| AZURE_AISERVICES_SPEECH_ENDPOINT | Speech to Text (Standard) API endpoint | `https://<location>.stt.speech.microsoft.com` |

+#### Sample code

+Refer to the steps and code below to connect to Azure AI Services using a system-assigned managed identity.

+### User-assigned managed identity

+| Default environment variable name | Description | Sample value |

+| | -- | -- |

+| AZURE_AISERVICES_OPENAI_BASE | Azure OpenAI endpoint | `https://<your-Azure-AI-Services-endpoint>.openai.azure.com/` |

+| AZURE_AISERVICES_COGNITIVESERVICES_ENDPOINT | Azure Cognitive Services token provider service | `https://<your-Azure-AI-Services-endpoint>.cognitiveservices.azure.com/` |

+| AZURE_AISERVICES_SPEECH_ENDPOINT | Speech to Text (Standard) API endpoint | `https://<location>.stt.speech.microsoft.com` |

+| AZURE_AISERVICES_CLIENTID | Your client ID | `<client-ID>` |

+#### Sample code

+Refer to the steps and code below to connect to Azure AI Services using a user-assigned managed identity.

+### Connection string

+> [!div class="mx-tdBreakAll"]

+> | Default environment variable name | Description | Sample value |

+> | | | |

+> | AZURE_AISERVICES_OPENAI_BASE | Azure OpenAI endpoint | `https://<your-Azure-AI-Services-endpoint>.openai.azure.com/` |

+> | AZURE_AISERVICES_COGNITIVESERVICES_ENDPOINT | Azure Cognitive Services token provider service | `https://<your-Azure-AI-Services-endpoint>.cognitiveservices.azure.com/` |

+> | AZURE_AISERVICES_SPEECH_ENDPOINT | Speech to Text (Standard) API endpoint | `https://<location>.stt.speech.microsoft.com` |

+> | AZURE_AISERVICES_KEY | Azure AI Services API key | `<api-key>` |

+#### Sample Code

+Refer to the steps and code below to connect to Azure AI Services using a connection string.

+### Service principal

+| Default environment variable name | Description | Sample value |

+| -- | -- | - |

+| AZURE_AISERVICES_OPENAI_BASE | Azure OpenAI endpoint | `https://<your-Azure-AI-Services-endpoint>.openai.azure.com/` |

+| AZURE_AISERVICES_COGNITIVESERVICES_ENDPOINT | Azure Cognitive Services token provider service | `https://<your-Azure-AI-Services-endpoint>.cognitiveservices.azure.com/` |

+| AZURE_AISERVICES_SPEECH_ENDPOINT | Speech to Text (Standard) API endpoint | `https://<location>.stt.speech.microsoft.com` |

+| AZURE_AISERVICES_CLIENTID | Your client ID | `<client-ID>` |

+| AZURE_AISERVICES_CLIENTSECRET | Your client secret | `<client-secret>` |

+| AZURE_AISERVICES_TENANTID | Your tenant ID | `<tenant-ID>` |

+#### Sample code

+Refer to the steps and code below to connect to Azure AI Services using a service principaL.

+## Next steps

+Follow the tutorial listed below to learn more about Service Connector.

+> [!div class="nextstepaction"]

+> [Learn about Service Connector concepts](./concept-service-connector-internals.md)

+ Title: Integrate an Azure AI multi-service resource with service connector

+description: In this document, learn how to integrate an Azure AI multi-service resource into your application with Service Connector

+# Integrate an Azure AI multi-service resource with Service Connector

+This page shows supported authentication methods and clients, and shows sample code you can use to connect an Azure AI multi-service resource to other cloud services using Service Connector. You might still be able to connect to an Azure AI multi-service resource using other methods. This page also shows default environment variable names and values you get when you create the service connection.

+## Supported compute services

+Service Connector can be used to connect the following compute services to an Azure AI multi-service resource:

+- Azure App Service

+- Azure Functions

+- Azure Container Apps

+- Azure Spring Apps

+## Supported authentication types and client types

+The table below shows which combinations of authentication methods and clients are supported for connecting your compute service to an Azure AI multi-service resource using Service Connector. A ΓÇ£YesΓÇ¥ indicates that the combination is supported, while a ΓÇ£NoΓÇ¥ indicates that it is not supported.

+| Client type | System-assigned managed identity | User-assigned managed identity | Secret/connection string | Service principal |

+|-|:--:|::|::|:--:|

+| .NET | Yes | Yes | Yes | Yes |

+| Java | Yes | Yes | Yes | Yes |

+| Node.js | Yes | Yes | Yes | Yes |

+| Python | Yes | Yes | Yes | Yes |

+| None | Yes | Yes | Yes | Yes |

+This table indicates that all combinations of client types and authentication methods in the table are supported. All client types can use any of the authentication methods to connect to an Azure AI multi-service resource using Service Connector.

+## Default environment variable names or application properties and sample code

+Use the connection details below to connect compute services to an Azure AI multi-service resource. For more information about naming conventions, check the [Service Connector internals](concept-service-connector-internals.md#configuration-naming-convention) article.

+### System-assigned managed identity

+| Default environment variable name | Description | Sample value |

+| | - | |

+| AZURE_COGNITIVESERVICES_ENDPOINT | Azure Cognitive Services token provider service | `https://<cognitive-service-name>.cognitiveservices.azure.com/` |

+#### Sample code

+Refer to the steps and code below to connect to an Azure AI multi-service resource using a system-assigned managed identity.

+### User-assigned managed identity

+| Default environment variable name | Description | Sample value |

+| | -- | -- |

+| AZURE_COGNITIVESERVICES_ENDPOINT | Azure Cognitive Services token provider service | `https://<cognitive-service-name>.cognitiveservices.azure.com/` |

+| AZURE_COGNITIVESERVICES_CLIENTID | Your client ID | `<client-ID>` |

+#### Sample code

+Refer to the steps and code below to connect to an Azure AI multi-service resource using a user-assigned managed identity.

+### Connection string

+> [!div class="mx-tdBreakAll"]

+> | Default environment variable name | Description | Sample value |

+> | | | |

+> | AZURE_COGNITIVESERVICES_ENDPOINT | Azure Cognitive Services token provider service | `https://<cognitive-service-name>.cognitiveservices.azure.com/` |

+> | AZURE_COGNITIVESERVICES_KEY | API key of an Azure AI multi-service resource | `<api-key>` |

+#### Sample Code

+Refer to the steps and code below to connect to an Azure AI multi-service resource using a connection string.

+### Service principal

+| Default environment variable name | Description | Sample value |

+| -- | -- | - |

+| AZURE_COGNITIVESERVICES_ENDPOINT | Azure Cognitive Services token provider service | `https://<cognitive-service-name>.cognitiveservices.azure.com/` |

+| AZURE_COGNITIVESERVICES_CLIENTID | Your client ID | `<client-ID>` |

+| AZURE_COGNITIVESERVICES_CLIENTSECRET | Your client secret | `<client-secret>` |

+| AZURE_COGNITIVESERVICES_TENANTID | Your tenant ID | `<tenant-ID>` |

+#### Sample code

+Refer to the steps and code below to connect to an Azure AI multi-service resource using a service principaL.

+## Next steps

+Follow the tutorial listed below to learn more about Service Connector.

+> [!div class="nextstepaction"]

+> [Learn about Service Connector concepts](./concept-service-connector-internals.md)

+ Title: Integrate Azure OpenAI Service with service connector

+description: In this document, learn how to integrate Azure OpenAI Service into your application with Service Connector

+# Integrate Azure OpenAI Service with Service Connector

+This page shows supported authentication methods and clients, and shows sample code you can use to connect Azure OpenAI Service to other cloud services using Service Connector. You might still be able to connect to Azure OpenAI Service using other methods. This page also shows default environment variable names and values you get when you create the service connection.

+## Supported compute services

+Service Connector can be used to connect the following compute services to Azure OpenAI Service:

+- Azure App Service

+- Azure Functions

+- Azure Container Apps

+- Azure Spring Apps

+## Supported authentication types and client types

+The table below shows which combinations of authentication methods and clients are supported for connecting your compute service to Azure OpenAI Service using Service Connector. A ΓÇ£YesΓÇ¥ indicates that the combination is supported, while a ΓÇ£NoΓÇ¥ indicates that it is not supported.

+| Client type | System-assigned managed identity | User-assigned managed identity | Secret/connection string | Service principal |

+|-|:--:|::|::|:--:|

+| .NET | Yes | Yes | Yes | Yes |

+| Java | Yes | Yes | Yes | Yes |

+| Node.js | Yes | Yes | Yes | Yes |

+| Python | Yes | Yes | Yes | Yes |

+| None | Yes | Yes | Yes | Yes |

+This table indicates that all combinations of client types and authentication methods in the table are supported. All client types can use any of the authentication methods to connect to Azure OpenAI Service using Service Connector.

+## Default environment variable names or application properties and sample code

+Use the connection details below to connect compute services to Azure OpenAI Service. For more information about naming conventions, check the [Service Connector internals](concept-service-connector-internals.md#configuration-naming-convention) article.

+### System-assigned managed identity

+| Default environment variable name | Description | Sample value |

+| | - | |

+| AZURE_OPENAI_BASE | Azure OpenAI Service endpoint | `https://<Azure-OpenAI-name>.openai.azure.com/` |

+#### Sample code

+Refer to the steps and code below to connect to Azure OpenAI Service using a system-assigned managed identity.

+### User-assigned managed identity

+| Default environment variable name | Description | Sample value |

+| | -- | -- |

+| AZURE_OPENAI_BASE | Azure OpenAI Service Endpoint | `https://<Azure-OpenAI-name>.openai.azure.com/` |

+| AZURE_OPENAI_CLIENTID | Your client ID | `<client-ID>` |

+#### Sample code

+Refer to the steps and code below to connect to Azure OpenAI Service using a user-assigned managed identity.

+### Connection string

+> [!div class="mx-tdBreakAll"]

+> | Default environment variable name | Description | Sample value |

+> | | | |

+> | AZURE_OPENAI_BASE | Azure OpenAI Service Endpoint | `https://<Azure-OpenAI-name>.openai.azure.com/` |

+> | AZURE_OPENAI_KEY | Azure OpenAI Service API key | `<api-key>` |

+#### Sample Code

+Refer to the steps and code below to connect to Azure OpenAI Service using a connection string.

+### Service principal

+| Default environment variable name | Description | Sample value |

+| -- | -- | - |

+| AZURE_OPENAI_BASE | Azure OpenAI Service Endpoint | `https://<Azure-OpenAI-name>.openai.azure.com/` |

+| AZURE_OPENAI_CLIENTID | Your client ID | `<client-ID>` |

+| AZURE_OPENAI_CLIENTSECRET | Your client secret | `<client-secret>` |

+| AZURE_OPENAI_TENANTID | Your tenant ID | `<tenant-ID>` |

+#### Sample code

+Refer to the steps and code below to connect to Azure OpenAI Service using a service principaL.

+## Next steps

+Follow the tutorial listed below to learn more about Service Connector.

+> [!div class="nextstepaction"]

+> [Learn about Service Connector concepts](./concept-service-connector-internals.md)

+ Title: Configure private network access for backend storage in your virtual network

+# Configure private network access for backend storage in your virtual network

+* [Private Link and DNS integration at scale](/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale)

+> [!NOTE]

+> The Blob Capacity and Blob Count metric are emitted hourly. A background process computes these metrics and updates them multiple times a day.

+- See [Metrics and logs FAQ](storage-blob-faq.yml#metrics-and-logs) for frequently asked questions and answers.

+Our latest updates enhance the resiliency and performance of stateful containers. We now offer multi-zone storage pools and volume replication for local NVMe storage pools, ensuring availability during single node failures. Snapshot support is available across all storage options for backup and disaster recovery. Additionally, the Ephemeral Disk portfolio has been expanded to include temp SSD support, providing cost-efficient solutions for use cases leveraging directly attached local storage:

+- Enhance the resiliency of your persistent volumes hosted on local NVMe storage (L-series ephemeral disks) with replication support.

+- Improved persistent volume recovery after a restart of an Azure Kubernetes Service (AKS) cluster.

+- Customize the performance of your local NVMe storage with new performance tier options.

+Azure always stores multiple copies of your data to protect it in the face of both planned and unplanned events. These events include transient hardware failures, network or power outages, and natural disasters. Data redundancy ensures that your storage account meets the [Service-Level Agreement (SLA) for Microsoft Online Services](https://azure.microsoft.com/support/legal/sla/storage/).

+This article describes the process of changing replication settings for an existing storage account that hosts Azure file shares.

+|Azure Synapse serverless SQL pool|[Querying a view shows unexpected results](#querying-a-view-shows-unexpected-results)|Has workaround|

+### Querying a view shows unexpected results

+When you query the view for which the underlying schema has changed after the view was created, you may encounter unexpected results. This means that the view references columns or objects that were modified or no longer exist. To overcome this you need to manually adjust the view definition to align with the underlying schema changes.

+**Workaround**: Manually adjust the view definition.

+Trusted Signing provides a choice between two pricing tiers: Basic and Premium. Both tiers are tailored to offer the service at an optimal cost, suitable for any signing scenario. Additional details on Trusted Signing's [Pricing](https://azure.microsoft.com/pricing/details/trusted-signing/) page.

+ Title: Device Guard Signing Service migration to Trusted Signing

+description: Learn how to migrate from Device Guard Signing Service (DGSSv2) to Trusted Signing for code integrity policy

+# Device Guard Signing Service (DGSSv2) migration to Trusted Signing for code integrity policy

+Device Guard Signing Service is being deprecated at the beginning of December 2024. All existing DGSSv2 customers who plan to continue using the service must transition to Trusted Signing.

+The root that issues the code signing and CI policy signing certificates remains the same between DGSSv2 and Trusted Signing. Since Trusted Signing is an Azure service, you now need to have Azure Tenant ID and Subscription ID to access signing, and a new dedicated EKU for signing. Steps you need to take include:

+1. Get an Azure account

+2. Set up access to signing control (controlled through Azure portal and Azure identities)

+3. Choose a pricing tier (Trusted Signing is a paid service ΓÇô learn more about pricing [here](https://azure.microsoft.com/pricing/details/trusted-signing/))

+4. Follow the steps dependent on your migration scenarios

+This guide outlines the steps needed to migrate to Trusted Signing. **Read the entirety of this document and note these steps must be followed carefully; missing a step may cause damage to the OS image.**

+## Migration scenarios

+- Scenario 1: Signed CI Policy Migration & Deployment

+ - You have an existing CI policy signed with DGSSv2 and now wish to migrate it to Trusted Signing.

+- Scenario 2: Unsigned to Signed CI Policy Migration & Deployment

+ - You have an existing unsigned CI policy and now wish to migrate it to Trusted Signing with a signed CI policy.

+- Scenario 3: Unsigned to Unsigned CI Policy Migration & Deployment

+ - You have an existing unsigned CI policy and now wish to migrate it to Trusted Signing, maintaining it as an unsigned CI policy.

+- Scenario 4: No Existing CI Policy

+ - You currently don't have a CI policy deployed in your environment and want to migrate to Trusted Signing.

+## Prerequisites

+- We strongly encourage creating a restoration image(s) before proceeding with the migration steps.

+- If you had previously deployed a CI policy in your environment (scenarios #1 and #2 above), you must have access to the existing policy xml file.

+- We strongly encourage you to do the steps below on one machine before attempting to deploy to your broader environment.

+> [!IMPORTANT]

+> Migration isn't possible without creating a Trusted Signing account, Private Trust identity validation, and Private Trust CI policy signing certificate profile using these steps: [Quickstart: Set up Trusted Signing | Microsoft Learn](https://learn.microsoft.com/azure/trusted-signing/quickstart?tabs=registerrp-portal%2Caccount-portal%2Ccertificateprofile-portal%2Cdeleteresources-portal).

+## Scenario 1: Signed CI Policy Migration and Deployment

+The migration of the signed CI policy is applicable only to customers who have already implemented a DGSSv2 signed CI policy in their environment. To ensure a smooth transition and deployment, carefully follow the next two steps:

+### Step 1: Remove the deployed signed CI policy from a single machine

+> [!Note]

+> By following the actions of step 1, your machine isn't protected by CI until you have deployed a new one. The deployment of a new policy is covered by step 2

+1. Confirm with your system administrator to verify you have a DGSSv2 signed policy deployed, or use below manual way:

+ - Go to `C:\Windows\System32\CodeIntegrity`, if there's a `SiPolicy.p7b` file, which indicates you have a CI policy deployed.

+ - Open the file. If it shows a certificate, it means the CI policy is signed.

+ - If you see the error `ΓÇ£This file is invalid for use as the following: PKCS #7ΓÇ¥`, the CI policy is unsigned.

+2. Under the Rules section of the current CI Policy XML file, add the following rule:

+ ```

+ <Rule>

+ <Option>Enabled:Unsigned System Integrity Policy</Option>

+ </Rule>

+ ```

+3. Convert the policy xml to .bin file using this PowerShell: ConvertFrom-CIPolicy

+Sample:

+```

+ConvertFrom-CIPolicy -XmlFilePath <xmlCIPolicyFilePath> -BinaryFilePath <binaryCIPolicyFilePath>

+```

+4. Sign the generated policy .bin file with Trusted Signing using the following instructions: [Sign a CI policy | Microsoft Learn](https://learn.microsoft.com/azure/trusted-signing/how-to-sign-ci-policy).

+5. Deploy this signed policy .bin file. For more information, refer to [Deploy Windows Defender Application Control polices](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy).

+6. Reboot the machine and confirm the Code Integrity event 3099 shows that the policy is activated.

+ - Open Event Viewer (Select Start, type Event Viewer) &rarr; Applications and Services Logs &rarr; Microsoft &rarr; Windows &rarr; CodeIntegrity &rarr; Operational

+ - Filter by event ID 3099

+>[!NOTE]

+> If you don't see event 3099, DON'T proceed to step 7. Restart from No.1 and make sure your CI policy file is well formed and successfully signed.

+> - Well formed: Compare the xml with the [default CI policy xml](https://learn.microsoft.com/windows/security/application-security/application-control/windows-defender-application-control/design/example-wdac-base-policies) to verify the format.

+> - Successfully signed: To verify, use SignTool; refer to this [link](https://docs.microsoft.com/windows/win32/seccrypto/using-signtool-to-verify-a-file-signature).

+

+7. Run the command to delete this CI policy: `del SiPolicy.p7b` from both folders: C:\Windows\System32\CodeIntegrity and S:\EFI\Microsoft\Boot.

+ 1. If there's no S: drive, run the command: ΓÇ»

+ `mountvol.exe s: /s`.

+ 2. If your machine already has an S: drive, mount the EFI partition to a different letter, such as X.

+ 3. If there's no EFI partition in the machine, ignore the EFI deletion step (if there's no /s option for the command mountvol.exe).

+8. Reboot the machine once deletion is completed.

+9. Reboot the machine twice more, to ensure the CI policy is properly removed, before moving on or deploying this change to other machines.

+### Step 2: Deploy and test the new CI policy on the same machine

+1. Continue to the steps outlined in Scenario 2.

+## Scenario 2: Unsigned to Signed CI Policy Migration and Deployment

+### Step 1: Determine your new EKUs

+1. Since Trusted Signing is a new service it has different EKUs than DGSSv2. Therefore, you need to get the new EKUs added to your policy. You need to get your EKU from the Trusted Signing account to add to your CI policyΓÇÖs EKU section. The two ways to do so are:

+ 1. Using the steps in [Sign a CI policy | Microsoft Learn](https://learn.microsoft.com/azure/trusted-signing/how-to-sign-ci-policy) run the command Get-AzCodeSigningCustomerEkuto get the customer EKU.

+ 2. Within your Trusted Signing account, select ΓÇ£Certificate ProfilesΓÇ¥, then select your Private Trust certificate profile. You'll see information on the profile like the screenshot below. The ΓÇÿEnhanced key usageΓÇÖ listed is your customer EKU.

+

+ :::image type="content" source="media/trusted-signing-select-eku.png" alt-text="Screenshot that shows eku." lightbox="media/trusted-signing-select-eku.png":::

+2. Now that you have the customer EKU. You'll need to generate a function EKU. To do so pass the customer EKU into the code below. The output is your function EKU.

+```

+private string CalculateEkuValue(string CustomerEku)

+{

+     var ekuOid = CryptoConfig.EncodeOID(CustomerEku);

+     var ekuBit = BitConverter.ToString(ekuOid).Replace("-", "");

+     var ekuArray = ekuBit.ToCharArray();

+     ekuArray[1] = '1';

+     return new string(ekuArray);

+}

+```

+### Step 2: Deploy and test the new CI policy

+1. Now that you have your two EKUs, it is time to edit your CI policy. If you have an existing CI policy, you can proceed to the next section. To create a new one go to: [Policy creation for common WDAC usage scenarios - Windows Security | Microsoft Learn](https://learn.microsoft.com/windows/security/application-security/application-control/windows-defender-application-control/design/common-wdac-use-cases).

+2. Add the new EKU in the EKU section of your policy, using the two EKU values from Step 1.

+```

+<EKU ID="ID_EKU_ACS" FriendlyName="ACS EKU -Customer EKU" Value="function EKU"/>

+```

+3. Verify these signers are present/added in the CI policy:

+```

+<Signer ID="ID_SIGNER_ACS_CODE" Name="Your Account Name Code Signing Certificate">

+<CertRoot Value="28D3FAEF436A9D7644F01BEFFBF9E143AE6FB7A00B125F86CC9594A078980904B0597DF0F6BDD15E65E80F4D74E6D606" Type="TBS"/>

+<CertEKU ID="ID_EKU_ACS"/>

+</Signer>

+<Signer ID="ID_SIGNER_ACS_POLICY" Name="Your Account Name CI Policy Signing Certificate">

+<CertRoot Type="TBS" Value="FC9C3E96720126881A6CEA067B5EA11ED0ABFC77835F720EDCFF4660C9A59669"/>

+<CertEKU ID="ID_EKU_ACS"/>

+</Signer>

+```

+**Your Account Name Code Signing Certificate** is your Trusted Signing account name. Note that this field isn't verified in the CI policy, but we recommend you putting your Trusted signing account name in the field. To find your account name on the Azure portal navigate to [Azure portal](https://portal.azure.com/), search ΓÇ£Trusted SigningΓÇ¥ in the top search bar and select your account that comes up in the search results. The screenshot below shows the account name outlined in red.

+ :::image type="content" source="media/trusted-signing-account-overview.png" alt-text="Screenshot that shows account overview." lightbox="media/trusted-signing-account-overview.png":::

+4. Convert the .xml to .bin policy file using the following command: ConvertFrom-CIPolicy

+Sample:

+```

+ConvertFrom-CIPolicy -XmlFilePath <xmlCIPolicyFilePath> -BinaryFilePath <binaryCIPolicyFilePath>

+```

+5. If you would like to sign this policy, following these instructions [Sign a CI policy | Microsoft Learn](https://learn.microsoft.com/azure/trusted-signing/how-to-sign-ci-policy)to sign the policy using Trusted Signing.

+6. Deploy this signed policy .bin file; refer to this [link](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide) for instructions.

+7. Reboot the machine and confirm that Code Integrity event 3099 is showing, which means the new CI policy is activated.

+> [!NOTE]

+> If you don't see event 3099, DON'T proceed to step 8. Restart from No.1 and make sure your CI policy file is well formed and successfully signed.

+ 1. Well formed: Compare the xml with the default CI policy xml to verify the format.

+ 2. Successfully signed: To verify, use SignTool; refer to this [link](https://docs.microsoft.com/windows/win32/seccrypto/using-signtool-to-verify-a-file-signature).

+8. Reboot the machine again to ensure a successful boot.

+9. Reboot the machine twice more, to ensure the CI policy is properly enabled, before moving on or deploying this change to other machines.

+### Step 3: Perform testing to validate that the new policy does not break any expected scenarios

+1. Verify that any files signed with Trusted Signing still behave as expected.

+2. Sign a catalog file with Trusted Signing and make sure it can run on your test machine with the Trusted Signing (new) CI policy.

+ 1. To sign catalog files with Trusted Signing, refer to the steps in:

+ 1. [Quickstart: Set up Trusted Signing | Microsoft Learn](https://learn.microsoft.com/azure/trusted-signing/quickstart?tabs=registerrp-portal%2Caccount-portal%2Ccertificateprofile-portal%2Cdeleteresources-portal) to set up a Private Trust certificate profile.

+ 2. [Set up signing integrations to use Trusted Signing | Microsoft Learn](https://learn.microsoft.com/azure/trusted-signing/how-to-signing-integrations) to sign the files using Private Trust in the Trusted Signing service.

+

+ 2. To sign MSIX packages with Trusted Signing, refer to instructions on how to sign MSIX packages with [MSIX Packaging Tool](https://learn.microsoft.com/windows/msix/packaging-tool/tool-overview) or SignTool - directly through Trusted Signing.

+ 1. To sign with Trusted Signing in the MSIX Packaging Tool you need to join the MSIX Insiders program.

+3. After confirming the CI policy is activated on this machine and all scenarios work as expected, repeat steps on the rest of the desired machines in your environment.

+ ## Scenario 3: Unsigned to Unsigned CI Policy Migration and Deployment

+You need to add the Trusted Signing EKUs to your existing CI policy by following the steps in Scenario 2 to locate and update the EKUs.

+ ## Scenario 4: No existing CI policy

+If isolation is desired, deploy a new CI policy by following steps outlined in Scenario 2.

+## Related content

+- [Understand Windows Defender Application Control (WDAC) policy rules and file rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create).

+- [Deploy catalog files to support Windows Defender Application Control (Windows 10) - Windows security](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control#:~:text=%20Deploy%20catalog%20files%20to%20support%20Windows%20Defender,signing%20certificate%20to%20a%20Windows%20Defender...%20More%20).

+- [Example Windows Defender Application Control (WDAC) base policies (Windows 10) - Windows security | Microsoft Docs](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies)

+- [Use multiple Windows Defender Application Control Policies (Windows 10)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies#deploying-multiple-policies-locally)

+- **PowerShell for Authenticode**: To use PowerShell for Trusted Signing, see [Trusted Signing](https://www.powershellgallery.com/packages/TrustedSigning/) in PowerShell Gallery to install the PowerShell module.

+|`publishedDateTime` |Timestamp representing when the specific update was made available by the OS vendor. The machine's OS update service or package manager generates the information. If your OS package manager or update service doesn't provide the detail of when an update was provided by OS vendor, the value is null. Currently this value is not available in case of Linux updates.|

+ To use Azure Files when your session hosts joined to Microsoft Entra ID, you need to assign the [Reader and Data Access](../role-based-access-control/built-in-roles.md#reader-and-data-access) Azure role-based access control (RBAC) role to both the **Azure Virtual Desktop** and **Azure Virtual Desktop ARM Provider** service principals. To learn how to assign an Azure RBAC role to the Azure Virtual Desktop service principals, see [Assign RBAC roles to the Azure Virtual Desktop service principals](service-principal-assign-roles.md).

+>

+> - Redirecting the [bluetooth driver stack](/windows-hardware/drivers/bluetooth/bluetooth-driver-stack) isn't supported. If a peripheral is connected to the local device, such as a bluetooth keyboard, it's redirected to the remote session based on the [supported peripheral class](#supported-resources-and-peripherals).

+> In this article, SSH (port 22) is exposed to the internet for the VM that is assigned to the **asg-mgmt** application security group.

+### Virtual Network Address Space Limits

+> [!NOTE]

+> The maximum number of Virtual Network address spaces that you can connect to a single Virtual WAN hub is adjustable. Open an Azure support case to request a limit increase. The limits are applicable at the Virtual WAN hub level. If you have multiple Virtual WAN hubs that require a limit increase, request a limit increase for all Virtual WAN hubs in your Virtual WAN deployment.

+For customers using routing intent, the maximum number of address spaces across all Virtual Networks **directly connected** to a single Virtual WAN hub is 400. This limit is applied individually to each Virtual WAN hub in a Virtual WAN deployment. Virtual Network address spaces connected to **remote** (other Virtual WAN hubs in the same Virtual WAN) hubs are **not** counted towards this limit.

+If the number of directly connected Virtual Network address spaces connected to a hub exceeds the limit, enabling or updating routing intent on the Virtual Hub will fail. For hubs already configured with routing intent where Virtual Network address spaces exceeds the limit as a result of an operation such as a Virtual Network address space update, the newly connected address space may not be routable.

+Proactively request a limit increase if the total number of address spaces across all locally connected Virtual Networks exceeds 90% of the documented limit or if you have any planned network expansion or deployment operations that will increase the number of Virtual Network address spaces past the limit.

+

+The following table provides example Virtual Network address space calculations.

+|Virtual Hub| Virtual Network Count| Address spaces per Virtual Network | Total number of Virtual Network address spaces connected to Virtual Hub| Suggested Action|

+|--|--|--|--|--|

+| Hub #1| 200| 1 | 200| No action required, monitor address space count.|

+| Hub #2| 150 | 3 | 450| Request limit increase to use routing intent.|

+| Hub #3 |370 | 1| 370| Request limit increase.|

+You can use the following Powershell script to approximate the number of address spaces in Virtual Networks connected to a single Virtual WAN hub. Run this script for all Virtual WAN hubs in your Virtual WAN. An Azure Monitor metric to allow you to track and configure alerts on connected Virtual Network address spaces is on the roadmap.

+Make sure to modify the resource ID of the Virtual WAN Hub in the script to match your environment. If you have cross-tenant Virtual Network connections, make sure you have sufficient permissions to read the Virtual WAN Virtual Network connection object as well as the connected Virtual Network resource.

+```powershell-interactive

+$hubVNETconnections = Get-AzVirtualHubVnetConnection -ParentResourceId "/subscriptions/<subscription id>/resourceGroups/<resource group name>/providers/Microsoft.Network/virtualHubs/<virtual hub name>"

+$addressSpaceCount = 0

+

+foreach($connection in $hubVNETconnections) {

+ try{

+ $resourceURI = $connection.RemoteVirtualNetwork.Id

+ $RG = ($resourceURI -split "/")[4]

+ $name = ($resourceURI -split "/")[8]

+ $VNET = Get-AzVirtualNetwork -Name $name -ResourceGroupName $RG -ErrorAction "Stop"

+ $addressSpaceCount += $VNET.AddressSpace.AddressPrefixes.Count

+ }

+ catch{

+ Write-Host "An error ocurred while processing VNET connected to Virtual WAN hub with resource URI: " -NoNewline

+ Write-Host $resourceURI

+ Write-Host "Error Message: " -ForegroundColor Red

+ Write-Host $_.Exception.Message -ForegroundColor Red

+ }

+ finally{

+ }

+}

+Write-Host "Total Address Spaces in VNETs connected to this Virtual WAN Hub: " -ForegroundColor Green -NoNewline

+Write-Host $addressSpaceCount -ForegroundColor Green

+```