+In this sample tutorial, learn how to integrate [Microsoft Dynamics 365 Fraud Protection](/dynamics365/fraud-protection/ap-overview) (DFP) with Azure Active Directory (AD) B2C.

+* Microsoft.SCIM.WebHostSample: `https://localhost:5001`

+* IIS Express: `https://localhost:44359`

+> [!NOTE]

+> It's important to understand that Azure AD Application Proxy is intended as a VPN or reverse proxy replacement for roaming (or remote) users who need access to internal resources. It's not intended for internal users on the corporate network. Internal users who unnecessarily use Application Proxy can introduce unexpected and undesirable performance issues.

+For more information, see [New-MgUserAuthenticationTemporaryAccessPassMethod](/powershell/module/microsoft.graph.identity.signins/new-mguserauthenticationtemporaryaccesspassmethod) and [Get-MgUserAuthenticationTemporaryAccessPassMethod](/powershell/module/microsoft.graph.identity.signins/get-mguserauthenticationtemporaryaccesspassmethod?view=graph-powershell-beta&preserve-view=true).

+There are two locations where this policy may be configured, Conditional Access and Identity Protection. Configuration using a Conditional Access policy is the preferred method providing more context including enhanced diagnostic data, report-only mode integration, Graph API support, and the ability to utilize other Conditional Access attributes like sign-in frequency in the policy.

+1. Under **Session**.

+ 1. Select **Sign-in frequency**.

+ 1. Ensure **Every time** is selected.

+ 1. Select **Select**.

+After administrators confirm the settings using [report-only mode](howto-conditional-access-insights-reporting.md), they can move the **Enable policy** toggle from **Report-only** to **On**.

+- [Require reauthentication every time](../conditional-access/howto-conditional-access-session-lifetime.md#require-reauthentication-every-time)

+- [Remediate risks and unblock users](../identity-protection/howto-identity-protection-remediate-unblock.md)

+- [Conditional Access common policies](concept-conditional-access-policy-common.md)

+- [Sign-in risk-based Conditional Access](howto-conditional-access-policy-risk.md)

+- [Determine impact using Conditional Access report-only mode](howto-conditional-access-insights-reporting.md)

+- [Simulate sign in behavior using the Conditional Access What If tool](troubleshoot-conditional-access-what-if.md)

+- [What is Azure Active Directory Identity Protection?](../identity-protection/overview-identity-protection.md)

+There are two locations where this policy may be configured, Conditional Access and Identity Protection. Configuration using a Conditional Access policy is the preferred method providing more context including enhanced diagnostic data, report-only mode integration, Graph API support, and the ability to utilize other Conditional Access attributes like sign-in frequency in the policy.

+The Sign-in risk-based policy protects users from registering MFA in risky sessions. If users aren't registered for MFA, their risky sign-ins are blocked, and they see an AADSTS53004 error.

+1. Under **Session**.

+ 1. Select **Sign-in frequency**.

+ 1. Ensure **Every time** is selected.

+ 1. Select **Select**.

+After administrators confirm the settings using [report-only mode](howto-conditional-access-insights-reporting.md), they can move the **Enable policy** toggle from **Report-only** to **On**.

+- [Require reauthentication every time](../conditional-access/howto-conditional-access-session-lifetime.md#require-reauthentication-every-time)

+- [Remediate risks and unblock users](../identity-protection/howto-identity-protection-remediate-unblock.md)

+- [Conditional Access common policies](concept-conditional-access-policy-common.md)

+- [User risk-based Conditional Access](howto-conditional-access-policy-risk-user.md)

+- [Determine impact using Conditional Access report-only mode](howto-conditional-access-insights-reporting.md)

+- [Simulate sign in behavior using the Conditional Access What If tool](troubleshoot-conditional-access-what-if.md)

+- [What is Azure Active Directory Identity Protection?](../identity-protection/overview-identity-protection.md)

+On Azure AD joined, hybrid Azure AD joined, or Azure AD registered devices, unlocking the device or signing in interactively will satisfy the sign-in frequency policy. In the following two examples user sign-in frequency is set to 1 hour:

+### Require reauthentication every time

+Supported scenarios:

+The Azure AD default for browser session persistence allows users on personal devices to choose whether to persist the session by showing a ΓÇ£Stay signed in?ΓÇ¥ prompt after successful authentication. If browser persistence is configured in AD FS using the guidance in the article [AD FS single sign-on settings](/windows-server/identity/ad-fs/operations/ad-fs-single-sign-on-settings#enable-psso-for-office-365-users-to-access-sharepoint-online), we'll comply with that policy and persist the Azure AD session as well. You can also configure whether users in your tenant see the ΓÇ£Stay signed in?ΓÇ¥ prompt by changing the appropriate setting in the [company branding pane](../fundamentals/customize-branding.md).

+ 1. Choose **Periodic reauthentication** and enter a value of hours or days or select **Every time**.

+ > 

+ > [!NOTE]

+ > Persistent Browser Session configuration in Azure AD Conditional Access overrides the ΓÇ£Stay signed in?ΓÇ¥ setting in the company branding pane in the Azure portal for the same user if you have configured both policies.

+ 1. Select a value from dropdown.

+1. Save your policy.

+1. Under **Session controls** > **Sign-in frequency**, select **Every time**.

+Use the [What If tool](what-if-tool.md) to simulate a sign-in from the user to the target application and other conditions based on how you configured your policy. The authentication session management controls show up in the result of the tool.

+We factor for five minutes of clock skew, so that we donΓÇÖt prompt users more often than once every five minutes. If the user has done MFA in the last 5 minutes, and they hit another Conditional Access policy that requires reauthentication, we won't prompt the user. Over-promoting users for reauthentication can impact their productivity and increase the risk of users approving MFA requests they didnΓÇÖt initiate. Use ΓÇ£Sign-in frequency ΓÇô every timeΓÇ¥ only for specific business needs.

+- If you configure sign-in frequency for mobile devices: Authentication after each sign-in frequency interval could be slow, it can take 30 seconds on average. Also, it could happen across various apps at the same time.

+- On iOS devices: If an app configures certificates as the first authentication factor and the app has both Sign-in frequency and [Intune mobile application management policies](/mem/intune/apps/app-lifecycle) applied, end-users are blocked from signing in to the app when the policy triggers.

+> Microsoft recommends you do _not_ use the ROPC flow. In most scenarios, more secure alternatives are available and recommended. This flow requires a very high degree of trust in the application, and carries risks that are not present in other flows. You should only use this flow when other more secure flows aren't viable.

+> * The Microsoft identity platform only supports the ROPC grant within Azure AD tenants, not personal accounts. This means that you must use a tenant-specific endpoint (`https://login.microsoftonline.com/{TenantId_or_Name}`) or the `organizations` endpoint.

+> * Personal accounts that are invited to an Azure AD tenant can't use the ROPC flow.

+> * Accounts that don't have passwords can't sign in with ROPC, which means features like SMS sign-in, FIDO, and the Authenticator app won't work with that flow. If your app or users require these features, use a grant type other than ROPC.

+> * ROPC is not supported in [hybrid identity federation](../hybrid/whatis-fed.md) scenarios (for example, Azure AD and ADFS used to authenticate on-premises accounts). If users are full-page redirected to an on-premises identity provider, Azure AD is not able to test the username and password against that identity provider. [Pass-through authentication](../hybrid/how-to-connect-pta.md) is supported with ROPC, however.

+> * An exception to a hybrid identity federation scenario would be the following: Home Realm Discovery policy with **AllowCloudPasswordValidation** set to TRUE will enable ROPC flow to work for federated users when an on-premises password is synced to the cloud. For more information, see [Enable direct ROPC authentication of federated users for legacy applications](../manage-apps/home-realm-discovery-policy.md#enable-direct-ropc-authentication-of-federated-users-for-legacy-applications).

+The ROPC flow is a single request; it sends the client identification and user's credentials to the identity provider, and receives tokens in return. The client must request the user's email address (UPN) and password before doing so. Immediately after a successful request, the client should securely discard the user's credentials from memory. It must never save them.

+| `tenant` | Required | The directory tenant that you want to log the user into. The tenant can be in GUID or friendly name format. However, its parameter can't be set to `common` or `consumers`, but may be set to `organizations`. |

+| `client_secret`| Sometimes required | If your app is a public client, then the `client_secret` or `client_assertion` can't be included. If the app is a confidential client, then it must be included.|

+| `client_assertion` | Sometimes required | A different form of `client_secret`, generated using a certificate. For more information, see [certificate credentials](active-directory-certificate-credentials.md). |

+> As part of not recommending this flow for use, the official SDKs do not support this flow for confidential clients, those that use a secret or assertion. You may find that the SDK you wish to use does not allow you to add a secret while using ROPC.

+| `invalid_grant` | The authentication failed | The credentials were incorrect or the client doesn't have consent for the requested scopes. If the scopes aren't granted, a `consent_required` error will be returned. To resolve this error, the client should send the user to an interactive prompt using a webview or browser. |

+For an example implementation of the ROPC flow, see the [.NET Core console application](https://github.com/azure-samples/active-directory-dotnetcore-console-up-v2) code sample on GitHub.

+- How to create, delete, get, or update [federated identity credentials](/graph/api/resources/federatedidentitycredentials-overview) on an app registration using Microsoft Graph.

+ Title: Clean up stale guest accounts - Azure Active Directory | Microsoft Docs

+description: Clean up stale guest accounts using access reviews

+# Clean up stale guest accounts using access reviews

+As users collaborate with external partners, itΓÇÖs possible that many guest accounts get created in Azure Active Directory (Azure AD) tenants over time. When collaboration ends and the users no longer access your tenant, the guest accounts may become stale. Admins can use Access Reviews to automatically review inactive guest users and block them from signing in, and later, delete them from the directory.

+Learn more about [how to manage inactive user accounts in Azure AD](https://docs.microsoft.com/azure/active-directory/reports-monitoring/howto-manage-inactive-user-accounts).

+There are a few recommended patterns that are effective at cleaning up stale guest accounts:

+1. Create a multi-stage review whereby guests self-attest whether they still need access. A second-stage reviewer assesses results and makes a final decision. Guests with denied access are disabled and later deleted.

+2. Create a review to remove inactive external guests. Admins define inactive as period of days. They disable and later delete guests that donΓÇÖt sign in to the tenant within that time frame. By default, this doesn't affect recently created users. [Learn more about how to identify inactive accounts](https://docs.microsoft.com/azure/active-directory/reports-monitoring/howto-manage-inactive-user-accounts#how-to-detect-inactive-user-accounts).

+Use the following instructions to learn how to create Access Reviews that follow these patterns. Consider the configuration recommendations and then make the needed changes that suit your environment.

+## Create a multi-stage review for guests to self-attest continued access

+1. Create a [dynamic group](https://docs.microsoft.com/azure/active-directory/enterprise-users/groups-create-rule) for the guest users you want to review. For example,

+ `(user.userType -eq "Guest") and (user.mail -contains "@contoso.com") and (user.accountEnabled -eq true)`

+2. To [create an Access Review](https://docs.microsoft.com/azure/active-directory/governance/create-access-review)

+ for the dynamic group, navigate to **Azure Active Directory > Identity Governance > Access Reviews**.

+3. Select **New access review**.

+4. Configure Review type.

+ | Property | Value |

+ |:--|:-|

+ | Select what to review | **Teams + Groups**|

+ |Review scope | **Select Teams + groups** |

+ |Group| Select the dynamic group |

+ |Scope| **Guest users only**|

+ |(Optional) Review inactive guests | Check the box for **Inactive users (on tenant level) only**.<br> Enter the number of days that constitute inactivity.|

+ 

+5. Select **Next: Reviews**.

+6. Configure Reviews:

+ |Property | Value |

+ |:|:-|

+ | **First stage review** | |

+ | (Preview) Multi-stage review| Check the box|

+ |Select reviewers | **Users review their own access**|

+ | Stage duration (in days) | Enter the number of days |

+ |**Second stage review** | |

+ | Select reviewers | **Group owner(s)** or **Selected user(s) or group(s)**|

+ |Stage duration (in days) | Enter the number of days.<br>(Optional) Specify a fallback reviewer.|

+ | **Specify recurrence of review** | |

+ | Review recurrence | Select your preference from the drop-down|

+ |Start date| Select a date|

+ |End| Select your preference |

+ | **Specify reviewees to go to the next stage** | |

+ | Reviewees going to the next stage | Select reviewees. For example, select users who self-approved or responded **Don't know**.

+ 

+7. Select **Next: Settings**.

+8. Configure Settings:

+ | Property | Value |

+ |:--|:-|

+ | **Upon completion settings**| |

+ |Auto apply results to resource| Check the box|

+ |If reviewers don't respond | **Remove access** |

+ | Action to apply on denied guest users | **Block user from signing in for 30 days, then remove user from the tenant**|

+ | (Optional) At end of review, send notification to | Specify other users or groups to notify.|

+ | **Enable reviewer decision helpers** | |

+ | Additional content for reviewer email | Add a custom message for reviewers |

+ | All other fields| Leave the default values for the remaining options. |

+ 

+9. Select **Next: Review + Create**

+10. Enter an Access Review name. (Optional) provide description.

+11. Select **Create**.

+## Create a review to remove inactive external guests

+1. Create a [dynamic group](https://docs.microsoft.com/azure/active-directory/enterprise-users/groups-create-rule) for the guest users you want to review. For example,

+ `(user.userType -eq "Guest") and (user.mail -contains "@contoso.com") and (user.accountEnabled -eq true)`

+2. To [create an access review](https://docs.microsoft.com/azure/active-directory/governance/create-access-review) for the dynamic group, navigate to **Azure Active Directory > Identity Governance > Access Reviews**.

+3. Select **New access review**.

+4. Configure Review type:

+ |Property | Value |

+ |:|:|

+ | Select what to review | **Teams + Groups** |

+ | Review scope | **Select Teams + groups** |

+ | Group | Select the dynamic group |

+ | Scope | **Guest users only**

+ | Inactive users (on tenant level) only | Check the box |

+ | Days inactive | Enter the number of days that constitutes inactivity |

+ >[!NOTE]

+ >The inactivity time you configure will not affect recently created users. The Access Review will check if the user has been created in the timeframe you configure and ignore users who havenΓÇÖt existed for at least that amount of time. For example, if you set the inactivity time as 90 days and a guest user was created/invited less than 90 days ago, the guest user will not be in scope of the Access Review. This ensures that guests can sign in once before being removed.

+

+ 

+5. Select **Next: Reviews**.

+6. Configure Reviews:

+ | Property | Value |

+ |:-|:|

+ | **Specify reviewers** | |

+ | Select reviewers | Select **Group owner(s)** or a user or group.<br>(Optional) To enable the process to remain automated, select a reviewer who will take no action.|

+ | **Specify recurrence of review**| |

+ | Duration (in days) | Enter or select a value based on your preference|

+ | Review recurrence | Select your preference from the drop-down |

+ | Start date | Select a date |

+ | End | Choose an option |

+7. Select **Next: Settings**.

+ 

+8. Configure Settings:

+ | Property | Value |

+ | :-| :--|

+ | **Upon completion settings** | |

+ | Auto apply results to resource | Check the box |

+ | If reviews don't respond | **Remove access** |

+ | Action to apply on denied guest users | **Block user from signing in for 30 days, then remove user from the tenant** |

+ | **Enable reviewer decision helpers** | |

+ | No sign-in within 30 days | Check the box |

+ | All other fields | Check/uncheck the boxes based on your preference. |

+ 

+9. Select **Next: Review + Create**.

+10. Enter an Access Review name. (Optional) provide description.

+11. Select **Create**.

+Guest users who don't sign into the tenant for the number of days you

+configured are disabled for 30 days, then deleted. After deletion, you

+can restore guests for up to 30 days, after which a new invitation is

+needed.

+You'll need to have attributes populated on the users who will be in scope for being assigned access. The attributes you can use in the rules criteria of an access package assignment policy are those attributes listed in [supported properties](../enterprise-users/groups-dynamic-membership.md#supported-properties), along with [extension attributes and custom extension properties](../enterprise-users/groups-dynamic-membership.md#extension-properties-and-custom-extension-properties). These attributes can be brought into Azure AD from [Graph](/graph/api/resources/user), an HR system such as [SuccessFactors](../app-provisioning/sap-successfactors-integration-reference.md), [Azure AD Connect cloud sync](../cloud-sync/how-to-attribute-mapping.md) or [Azure AD Connect sync](../hybrid/how-to-connect-sync-feature-directory-extensions.md).

+ > The rule builder might not be able to display some rules constructed in the text box, and validating a rule currently requires the you to be in the Global administrator role. For more information, see [rule builder in the Azure portal](../enterprise-users/groups-create-rule.md#rule-builder-in-the-azure-portal).

+- [Create an Automation account using the Azure portal](/azure/automation/quickstarts/create-azure-automation-account-portal)

+# Configure and enable risk policies

+ - Use more Conditional Access attributes like sign-in frequency in the policy

+1. Under **Session**.

+ 1. Select **Sign-in frequency**.

+ 1. Ensure **Every time** is selected.

+ 1. Select **Select**.

+1. Under **Session**.

+ 1. Select **Sign-in frequency**.

+ 1. Ensure **Every time** is selected.

+ 1. Select **Select**.

+- [Require reauthentication every time](../conditional-access/howto-conditional-access-session-lifetime.md#require-reauthentication-every-time)

+- To prevent elevation of privilege, only a Privileged Authentication Administrator or a Global Administrator can change the credentials or reset MFA or modify sensitive attributes for members and owners of a role-assignable group.

+1. Select **Azure Active Directory** > **User settings** > **User feature** > **Manage user feature settings**.

+3. If you want to set up Tableau Cloud manually, in a different web browser window, sign in to your Tableau Cloud company site as an administrator.

+ b. In the **User Attributes & Claims** section, click on the edit icon, perform the following steps to add SAML token attribute as shown in the below table:

+ | Name | Source Attribute|

+ | | |

+ | DispalyName | user.displayname |

+ * Full name: **displayname**

+* [FedRAMP Security Assessment Framework](https://reciprocity.com/blog/conducting-a-fedramp-risk-assessment/)

+ "verifiedCredentialsData": [

+ "issuer": "did:ion:issuer",

+ "credentialState": {

+ "revocationStatus": "VALID"

+ },

+ "domainValidation": {

+ "url": "https://contoso.com/"

+ }

+ "id_token": "eyJraWQiOiJkaWQ6aW<SNIP>",

+ "vp_token": "...",

+ "state": "..."

+}

+ ]

+ },

+ "validityInterval": 2592000,

+ "vc": {

+ "type": [

+ "VerifiedCredentialExpert"

+ ]

+ payload["claims"]["given_name"] = "Megan";

+ payload["claims"]["family_name"] = "Bowen";

+az ad group show --group appdev --query id -o tsv

+az ad group show --group opssre --query id -o tsv

+> The `validate-jwt` policy supports HS256 and RS256 signing algorithms. For HS256 the key must be provided inline within the policy in the base64 encoded form. For RS256 the key may be provided either via an Open ID configuration endpoint, or by providing the ID of an uploaded certificate that contains the public key or modulus-exponent pair of the public key but in PFX format.

+ * [Create a container](/azure/storage/blobs/storage-quickstart-blobs-portal#create-a-container) in the storage account to hold the backup data.

+[azure-storage-ip-firewall]: ../storage/common/storage-network-security.md#grant-access-from-an-internet-ip-range

+> - The MySQL Flexible Server is created behind a private [Virtual Network](/azure/virtual-network/virtual-networks-overview) and can't be accessed directly. To access the database, use phpMyAdmin that's deployed with the WordPress site. It can be found at the URL : https://`<sitename>`.azurewebsites.net/phpmyadmin

+> [Configure PHP app](configure-language-php.md)

+The following table includes links to bash scripts for Azure App Configuration by using the [az appconfig](/cli/azure/appconfig) commands in the Azure CLI:

+Traditionally, shipping a new application feature requires a complete redeployment of the application itself. Testing a feature often requires multiple deployments of the application. Each deployment might change the feature or expose the feature to different customers for testing.

+Feature management is a modern software-development practice that decouples feature release from code deployment and enables quick changes to feature availability on demand. It uses a technique called *feature flags* (also known as *feature toggles* and *feature switches*) to dynamically administer a feature's lifecycle.

+* **Selective activation**: Use feature flags to segment your users and deliver a specific set of features to each group. You might have a feature that works only on a certain web browser. You can define a feature flag so that only users of that browser can see and use the feature. By using this approach, you can easily expand the supported browser list later without having to make any code changes.

+You can set the value of `featureFlag` statically:

+To use feature flags effectively, you need to externalize all the feature flags used in an application. You can use this approach to change feature flag states without modifying and redeploying the application itself.

+[The feature flags in an ASP.NET Core app](./use-feature-flags-dotnet-core.md) shows how the .NET Core App Configuration provider and Feature Management libraries are used together to implement feature flags for your ASP.NET web application. For more information on feature flags in Azure App Configuration, see the following articles:

+* [Manage feature flags](./manage-feature-flags.md)

+* [Use conditional feature flags](./howto-feature-filters-aspnet-core.md)

+* [Enable a feature for specified users/groups](./howto-targetingfilter-aspnet-core.md)

+* [Add feature flags to an ASP.NET Core app](./quickstart-feature-flag-aspnet-core.md)

+* [Add feature flags to a .NET Framework app](./quickstart-feature-flag-dotnet.md)

+* [Add feature flags to an Azure Functions app](./quickstart-feature-flag-azure-functions-csharp.md)

+* [Add feature flags to a Spring Boot app](./quickstart-feature-flag-spring-boot.md)

+* [Use feature flags in an ASP.NET Core](./use-feature-flags-dotnet-core.md)

+* [Use feature flags in a Spring Boot app](./use-feature-flags-spring-boot.md)

+Here's an example of key names structured into a hierarchy based on component

+The use of configuration data within application frameworks might dictate specific naming schemes for key-values. For example, Java's Spring Cloud framework defines `Environment` resources that supply settings to a Spring application. These resources are parameterized by variables that include *application name* and *profile*. Keys for Spring Cloud-related configuration data typically start with these two elements separated by a delimiter.

+Keys stored in App Configuration are case-sensitive, unicode-based strings. The keys *app1* and *App1* are distinct in an App Configuration store. Keep this in mind when you use configuration settings within an application because some frameworks handle configuration keys case-insensitively. We don't recommend using case to differentiate keys.

+You can use any unicode character in key names except for `%`. A key name can't be `.` or `..` either. There's a combined size limit of 10 KB on a key-value. This limit includes all characters in the key, its value, and all associated optional attributes. Within this limit, you can have many hierarchical levels for keys.

+Two general approaches to naming keys are used for configuration data: flat or hierarchical. These methods are similar from an application usage standpoint, but hierarchical naming offers many advantages:

+> If you're looking for change versions, App Configuration keeps all changes of a key-value that occurred in the past certain period of time automatically. For more information, see [point-in-time snapshot](./concept-point-time-snapshot.md).

+| `key` is omitted or `key=*` | Matches all keys. |

+| `key=abc` | Matches key name **abc** exactly. |

+| `key=abc*` | Matches key names that start with **abc**.|

+| `key=abc,xyz` | Matches key names **abc** or **xyz**. Limited to five CSVs. |

+| `label` is omitted or `label=*` | Matches any label, which includes `\0`. |

+| `label=%00` | Matches `\0` label. |

+| `label=1.0.0` | Matches label **1.0.0** exactly. |

+| `label=1.0.*` | Matches labels that start with **1.0.**. |

+| `label=%00,1.0.0` | Matches labels `\0` or **1.0.0**, limited to five CSVs. |

+### Use content type

+Each key-value in App Configuration has a content type attribute. You can optionally use this attribute to store information about the type of value in a key-value that helps your application to process it properly. You can use any format for the content type. App Configuration uses [Media Types]( https://www.iana.org/assignments/media-types/media-types.xhtml) (also known as MIME types) for built-in data types such as feature flags, Key Vault references, and JSON key-values.

+> [!div class="nextstepaction"]

+> [Point-in-time snapshot](./concept-point-time-snapshot.md)

+> [!div class="nextstepaction"]

+> [Feature management](./concept-feature-management.md)

+> [!div class="nextstepaction"]

+> [Event handling](./concept-app-configuration-event.md)

+This article shows how you can take advantage of the managed identity to access App Configuration. It builds on the web app introduced in the quickstarts. Before you continue, [Create an ASP.NET Core app with App Configuration](./quickstart-aspnet-core-app.md) first.

+This article shows how you can take advantage of the managed identity to access App Configuration. It builds on the web app introduced in the quickstarts. Before you continue, [Create a Java Spring app with Azure App Configuration](./quickstart-java-spring-app.md) first.

+> Managed identity can't be used to authenticate locally running applications. Your application must be deployed to an Azure service that supports Managed Identity. This article uses Azure App Service as an example. However, the same concept applies to any other Azure service that supports managed identity. For example, [Azure Kubernetes Service](../aks/use-azure-ad-pod-identity.md), [Azure Virtual Machine](../active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm.md), and [Azure Container Instances](../container-instances/container-instances-managed-identity.md). If your workload is hosted in one of those services, you can also leverage the service's managed identity support.

+* Azure subscription - [create one for free](https://azure.microsoft.com/free/)

+* A supported [Java Development Kit (JDK)](/java/azure/jdk) with version 11.

+* [Apache Maven](https://maven.apache.org/download.cgi) version 3.0 or above.

+1. Access your App Services resource in the [Azure portal](https://portal.azure.com). If you don't have an existing App Services resource to use, create one.

+1. When prompted, answer **Yes** to turn on the system-assigned managed identity.

+ :::image type="content" source="./media/add-managed-identity-app-service.png" alt-text="Screenshot of how to add a managed identity in App Service.":::

+1. In the [Azure portal](https://portal.azure.com), select **All resources** and select the App Configuration store that you created in the [quickstart](../azure-app-configuration/quickstart-azure-functions-csharp.md).

+ :::image type="content" source="../../includes/role-based-access-control/media/add-role-assignment-menu.png" alt-text="Screenshot that shows the Access control (IAM) page with Add role assignment menu open.":::

+ If you don't have permission to assign roles, then the **Add role assignment** option will be disabled. For more information, see [Azure built-in roles](../role-based-access-control/built-in-roles.md).

+1. On the **Role** tab, select the **App Configuration Data Reader** role and then select **Next**.

+ :::image type="content" source="../../includes/role-based-access-control/media/select-role-assignment-generic.png" alt-text="Screenshot that shows the Add role assignment page with Role tab selected.":::

+1. On the **Members** tab, select **Managed identity** and then select **Select members**.

+ :::image type="content" source="../../includes/role-based-access-control/media/add-members.png" alt-text="Screenshot that shows the Add role assignment page with Members tab selected.":::

+1. Select your Azure subscription, for Managed identity select **App Service**, then select your App Service name.

+ :::image type="content" source="../../includes/role-based-access-control/media/select-managed-identity-members.png" alt-text="Screenshot that shows the select managed identities page.":::

+1. Add a reference to the `Azure.Identity` package:

+1. Open the *appsettings.json* file and add the following script. Replace *\<service_endpoint>*, including the brackets, with the URL to your App Configuration store.

+1. Open the *Program.cs* file and add a reference to the `Azure.Identity` and `Microsoft.Azure.Services.AppAuthentication` namespaces:

+1. If you wish to access only values stored directly in App Configuration, update the `CreateWebHostBuilder` method by replacing the `config.AddAzureAppConfiguration()` method (this method is found in the `Microsoft.Azure.AppConfiguration.AspNetCore` package).

+ > `CreateHostBuilder` replaces `CreateWebHostBuilder` in .NET Core 3.0. Select the correct syntax based on your environment.

+ > If you want to use a **user-assigned managed identity**, be sure to specify the `clientId` when creating the [ManagedIdentityCredential](/dotnet/api/azure.identity.managedidentitycredential).

+ >As explained in the [Managed Identities for Azure resources FAQs](../active-directory/managed-identities-azure-resources/known-issues.md), there is a default way to resolve which managed identity is used. In this case, the Azure Identity library enforces you to specify the desired identity to avoid possible runtime issues in the future. For instance, if a new user-assigned managed identity is added or if the system-assigned managed identity is enabled. So, you will need to specify the `clientId` even if only one user-assigned managed identity is defined, and there is no system-assigned managed identity.

+> If you want to use **user-assigned managed identity** the property `spring.cloud.azure.appconfiguration.stores[0].managed-identity.client-id`, ensure that you specify the `clientId` when creating the [ManagedIdentityCredential](/java/api/com.azure.identity.managedidentitycredential).

+You must deploy your app to an Azure service when you use managed identities. Managed identities can't be used for authentication of locally running apps. To deploy the .NET Core app that you created in the [Create an ASP.NET Core app with App Configuration](./quickstart-aspnet-core-app.md) quickstart and modified to use managed identities, follow the guidance in [Publish your web app](../app-service/quickstart-dotnetcore.md?pivots=development-environment-vs&tabs=netcore31#publish-your-web-app).

+Using managed identities requires you to deploy your app to an Azure service. Managed identities can't be used for authentication of locally running apps. To deploy the Spring app that you created in the [Create a Java Spring app with Azure App Configuration](./quickstart-java-spring-app.md) quickstart and modified to use managed identities, follow the guidance in [Publish your web app](../app-service/quickstart-java.md?tabs=javase&pivots=platform-linux).

+> To translate the `*.servicebus.windows.net` wildcard into specific endpoints, use the command `\GET https://guestnotificationservice.azure.com/urls/allowlist?api-version=2020-01-01&location=<location>`. Within this command, the region must be specified for the `<location>` placeholder.

+Azure Fluid Relay is Generally Available now. For a complete list of available regions, see [Azure Fluid Relay regions and availability](https://azure.microsoft.com/global-infrastructure/services/?products=fluid-relay). For our pricing list, see [Azure Fluid Relay pricing](https://azure.microsoft.com/pricing/details/fluid-relay).

+See the **Usage** tab for a breakdown of ingestion by solution and table. This can help you quickly identify the tables that contribute to the bulk of your data volume. It also shows trending of data collection over time to determine if data collection steadily increases over time or suddenly increased in response to a particular configuration change.

+**Billable data volume by computer for the last full day**

+find where TimeGenerated between(startofday(ago(1d))..startofday(now())) project _BilledSize, _IsBillable, Computer, Type

+**Count of billable events by computer for the last full day**

+find where TimeGenerated between(startofday(ago(1d))..startofday(now())) project _IsBillable, Computer, Type

+**Billable data volume by resource ID for the last full day**

+find where TimeGenerated between(startofday(ago(1d))..startofday(now())) project _ResourceId, _BilledSize, _IsBillable

+**Billable data volume by resource group for the last full day**

+find where TimeGenerated between(startofday(ago(1d))..startofday(now())) project _ResourceId, _BilledSize, _IsBillable

+**Billable data volume by subscription for the last full day**

+find where TimeGenerated between(startofday(ago(1d))..startofday(now())) project _BilledSize, _IsBillable, _SubscriptionId

+> [!TIP]

+> For workspaces with large data volumes, doing queries such as shown in this section -- which query large volumes of raw data -- might need to be restricted to a single day. To track trends over time, consider settting up a [Power BI report](./log-powerbi.md) and using [incremental refresh](./log-powerbi.md#collect-data-with-power-bi-dataflows) to collect data volumes per resource once a day.

+> Queries against Application Insights table except `SystemEvents` will work for both a workspace-based and classic Application Insights resource, since [backwards compatibility](../app/convert-classic-resource.md#understanding-log-queries) allows you to continue to use [legacy table names](../app/apm-tables.md). For a workspace-based resource, open **Logs** from the **Log Analytics workspace** menu. For a classic resource, open **Logs** from the **Application Insights** menu.

+**Dependency operations generate the most data volume in the last 30 days (workspace-based or classic)**

+**Daily data volume by type for this Application Insights resource the last 7 days (classic only)**

+| where timestamp >= startofday(ago(7d)) and timestamp < startofday(now())

+| summarize sum(BillingTelemetrySizeInBytes) by BillingTelemetryType, bin(timestamp, 1d)

+**Daily data volume by type for all Application Insights resources in a workspace for the 7 days**

+union AppAvailabilityResults,

+ AppBrowserTimings,

+ AppDependencies,

+ AppExceptions,

+ AppEvents,

+ AppMetrics,

+ AppPageViews,

+ AppPerformanceCounters,

+ AppRequests,

+ AppSystemEvents,

+ AppTraces

+To look at the data volume trends for only a single Application Insights resource, add the following line before the `summarize` in the above query:

+> [!TIP]

+> For workspaces with large data volumes, doing queries such as this one above which query large volumes of raw data might need to be restricted to a single day. To track trends over time, consider settting up a [Power BI report](./log-powerbi.md) and using [incremental refresh](./log-powerbi.md#collect-data-with-power-bi-dataflows) to collect data volumes per resource once a day.

+> [!WARNING]

+> Use [find](/azure/data-explorer/kusto/query/findoperator?pivots=azuremonitor) queries sparingly because scans across data types are [resource intensive](./query-optimization.md#query-details-pane) to execute. If you don't need results per subscription, resource group, or resource name, use the [Usage](/azure/azure-monitor/reference/tables/usage) table as in the queries above.

+### Azure Machine Learning

+* [High-performance storage for AI Model Training tasks using Azure ML studio with Azure NetApp Files](https://techcommunity.microsoft.com/t5/azure-architecture-blog/high-performance-storage-for-ai-model-training-tasks-using-azure/ba-p/3609189#_Toc112321755)

+* [How to use Azure Machine Learning with Azure NetApp Files](https://github.com/csiebler/azureml-with-azure-netapp-files)

+* UK South

+> - [Microsoft.LoadTestService](#microsoftloadtestservice)

+> Moving or renaming any Application Insights resource changes the resource ID. When the ID changes for a workspace-based resource, data sent for the prior ID is accessible only by querying the underlying Log Analytics workspace. The data will not be accessible from within the renamed or moved Application Insights resource.

+## Microsoft.LoadTestService

+> [!div class="mx-tableFixed"]

+> | Resource type | Resource group | Subscription | Region move |

+> | - | -- | - | -- |

+> | loadtests | No | No | No |

+The recording should contain as little noise as possible, with a goal of -80 dB.

+Cognitive Services for big data can use resources from any [supported region](https://azure.microsoft.com/global-infrastructure/services/?products=cognitive-services), as well as [containerized Cognitive Services](../cognitive-services-container-support.md). Containers support low or no connectivity deployments with ultra-low latency responses. Containerized Cognitive Services can be run locally, directly on the worker nodes of your Spark cluster, or on an external orchestrator like Kubernetes.

+After you set up your Spark cluster and environment, you can run a short sample. This sample assumes Azure Databricks and the `mmlspark.cognitive` package. For an example using `synapseml.cognitive`, see [Add search to AI-enriched data from Apache Spark using SynapseML](/azure/search/search-synapseml-cognitive-services).

+Use this quickstart to create a Cognitive Services resource. After you create a Cognitive Service resource in the Azure portal, you'll get an endpoint and a key for authenticating your applications.

+1. Configure other settings for your resource as needed, read and accept the conditions (as applicable), and then select **Review + create**.

+1. Select the following links to create a Speech resource:

+ - [Speech Services](https://portal.azure.com/#create/Microsoft.CognitiveServicesSpeechServices)

+1. Select **Review + create**.

+1. If you want to delete only the Cognitive Service resource, select the resource group to see all the resources within it. On the next page, select the resource that you want to delete, select the ellipsis menu for that row, and select **Delete**.

+# Exploration

+Personalizer determines whether to explore or use the model's most probable action on each rank call. This is different than the behavior in some A/B frameworks that lock a treatment on specific user IDs.

+> For more information about measuring the current data usage of your Azure Cosmos DB account, see [Explore Azure Monitor Cosmos DB insights](cosmosdb-insights-overview.md#view-utilization-and-performance-metrics-for-azure-cosmos-db). Continuous 7-day tier does not incur charges for backup of the data.

+* Currently Azure Synapse Link isn't fully compatible with continuous backup mode. For more information about backup with analytical store, see [analytical store backup](analytical-store-introduction.md#backup).

+The following cmdlet assumes a single region write account, *Pitracct*, in the in *West US* region in the *MyRG* resource group. The account has continuous backup policy enabled. Continuous backup is configured at the ``Continuous7days`` tier:

+The following cmdlet is an example of continuous backup policy with the ``Continuous7days`` tier:

+ name : "Groceries",

+ description : "Pick up strawberries",

+ isComplete : false

+Check out the [Manage departments in the Azure portal](https://www.youtube.com/watch?v=NUlRrJFF1_U) video.

+>[!VIDEO https://www.youtube.com/embed/vs3wIeRDK4Q]

+Check out the [Manage purchase order number in the Azure portal](https://www.youtube.com/watch?v=26aanfQfjaY) video.

+>[!VIDEO https://www.youtube.com/embed/26aanfQfjaY]

+| servicePrincipalCredentialType | The credential type to use for service principal authentication. Allowed values are **ServicePrincipalKey** and **ServicePrincipalCert**. | Yes |

+| servicePrincipalCredential | The service principal credential. <br/> When you use **ServicePrincipalKey** as the credential type, specify the application's key. Mark this field as **SecureString** to store it securely, or [reference a secret stored in Azure Key Vault](store-credentials-in-key-vault.md). <br/> When you use **ServicePrincipalCert** as the credential, reference a certificate in Azure Key Vault, and ensure the certificate content type is **PKCS #12**.| Yes |

+| exportSettings | Advanced settings used to retrieve data from Snowflake. You can configure the ones supported by the COPY into command that the service will pass through when you invoke the statement. | Yes |

+ "type": "SnowflakeSource",

+ "sqlReaderQuery": "SELECT * FROM MyTable",

+ "exportSettings": {

+ "type": "SnowflakeExportCopyCommand"

+ }

+| importSettings | Advanced settings used to write data into Snowflake. You can configure the ones supported by the COPY into command that the service will pass through when you invoke the statement. | Yes |

+ "ON_ERROR": "SKIP_FILE"

+ "DATE_FORMAT": "YYYY-MM-DD"

+ "type": "SnowflakeSink",

+ "importSettings": {

+ "type": "SnowflakeImportCopyCommand"

+ }

+### Dataflow data-first experimental view

+To see the data-first experimental view, you will need to follow these steps to enable it. By default, users will see the **Classic** style.

+> [!NOTE]

+> To enable the data-first view, you will need to enable the preview experience in your settings and you will need an active Data flow debug session.

+In your data flow editor, you can find several canvas tools on the right side like the **Search** tool, **Zoom** tool, and **Multi-select** tool.

+You will see a new icon under the **Multi-select** tool. This is how you can toggle between the **Classic** and the **Data-first** views.

+#### Adding activities to the canvas

+##### Adding Activities

+##### Adjusting activity size

+Your containerized activities can be viewed in two sizes. In the expanded size, you will be able to see all the activities in the container.

+To save space on your canvas, you can also collapse the containerized view using the **Minimize** arrows found in the top right corner of the activity.

+This will shrink the activity size and hide the nested activities.

+If you have multiple container activities, you can save time by collapsing or expanding all activities at once by right clicking on the canvas. This will bring up the option to hide all nested activities.

+Click **Hide nested activities** to collapse all containerized activities. To expand all the activities, click **Show nested activities**, found in the same list of canvas options.

+| Azure Block blobs | <li>UNC path to shares: `//<DeviceIPAddress>/<storageaccountname_BlockBlob>/<ContainerName>/files/a.txt`</li><li>Azure Storage URL: `https://<storageaccountname>.blob.core.windows.net/<ContainerName>/files/a.txt`</li> |

+| Azure Page blobs | <li>UNC path to shares: `//<DeviceIPAddress>/<storageaccountname_PageBlob>/<ContainerName>/files/a.txt`</li><li>Azure Storage URL: `https://<storageaccountname>.blob.core.windows.net/<ContainerName>/files/a.txt`</li> |

+| Azure Files |<li>UNC path to shares: `//<DeviceIPAddress>/<storageaccountname_AzFile>/<ShareName>/files/a.txt`</li><li>Azure Storage URL: `https://<storageaccountname>.file.core.windows.net/<ShareName>/files/a.txt`</li> |

+| Azure Block blobs (Archive) | <li>UNC path to shares: `//<DeviceIPAddress>/<storageaccountname_BlockBlobArchive>/<ContainerName>/files/a.txt`</li><li>Azure Storage URL: `https://<storageaccountname>.blob.core.windows.net/<ContainerName>/files/a.txt`</li> |

+| Azure Block blobs | <li>UNC path to shares: `\\<DeviceIPAddress>\<storageaccountname_BlockBlob>\<ContainerName>\files\a.txt`</li><li>Azure Storage URL: `https://<storageaccountname>.blob.core.windows.net/<ContainerName>/files/a.txt`</li> |

+| Azure Page blobs | <li>UNC path to shares: `\\<DeviceIPAddress>\<storageaccountname_PageBlob>\<ContainerName>\files\a.txt`</li><li>Azure Storage URL: `https://<storageaccountname>.blob.core.windows.net/<ContainerName>/files/a.txt`</li> |

+| Azure Files |<li>UNC path to shares: `\\<DeviceIPAddress>\<storageaccountname_AzFile>\<ShareName>\files\a.txt`</li><li>Azure Storage URL: `https://<storageaccountname>.file.core.windows.net/<ShareName>/files/a.txt`</li> |

+| Azure Block blobs (Archive) | <li>UNC path to shares: `\\<DeviceIPAddress>\<storageaccountname_BlockBlobArchive>\<ContainerName>\files\a.txt`</li><li>Azure Storage URL: `https://<storageaccountname>.blob.core.windows.net/<ContainerName>/files/a.txt`</li> |

+ - Azure Block blob - `\\10.126.76.138\utsac1_BlockBlob`

+ - Azure Page blob - `\\10.126.76.138\utsac1_PageBlob`

+ - Azure Files - `\\10.126.76.138\utsac1_AzFile`

+ - Azure Blob blob (Archive) - `\\10.126.76.138\utsac0_BlockBlobArchive`

+sudo mount -t nfs -o vers=2.1 10.126.76.138:/utsac1_BlockBlob /home/databoxubuntuhost/databox

+# Tutorial: View and configure DDoS diagnostic logging

+- **DDoSMitigationReports**: Attack mitigation reports use the Netflow protocol data, which is aggregated to provide detailed information about the attack on your resource. Anytime a public IP resource is under attack, the report generation will start as soon as the mitigation starts. There will be an incremental report generated every 5 mins and a post-mitigation report for the whole mitigation period. This is to ensure that in an event the DDoS attack continues for a longer duration of time, you'll be able to view the most current snapshot of mitigation report every 5 minutes and a complete summary once the attack mitigation is over.

+ :::image type="content" source="./media/ddos-attack-telemetry/ddos-diagnostic-settings.png" alt-text="Screenshot of DDoS diagnostic settings." lightbox="./media/ddos-attack-telemetry/ddos-diagnostic-settings.png":::

+

+5. In Query explorer, type in the following Kusto Query and change the time range to Custom and change the time range to last three months. Then hit Run.

+| **Hit count** | The count of packets observed |

+| Delete devices | | | Γ£ô |

+1. On your physical appliance or VM, sign in to the sensor's CLI using a terminal, such as PuTTY, or MobaXterm.

+# Renew an expired subscription, purchase a new one, or transfer your Azure resources

+If you no longer need a Visual Studio subscription or credit but you want to continue using your Azure resources, convert your Azure subscription to pay-as-you-go pricing by [removing your spending limit](../../cost-management-billing/manage/spending-limit.md#remove-the-spending-limit-in-azure-portal).

+|Direction |The traffic direction for which the signature is applied.<br>- **Inbound**: Signature is applied only on traffic arriving from the Internet and destined to your [configured private IP address range](firewall-preview.md#idps-private-ip-ranges-preview).<br>- **Outbound**: Signature is applied only on traffic sent from your [configured private IP address range](firewall-preview.md#idps-private-ip-ranges-preview) to the Internet.<br>- **Bidirectional**: Signature is always applied on any traffic direction.|

+ Title: Enable Private Link on an HDInsight Kafka Rest Proxy cluster

+description: Learn how to Enable Private Link on an HDInsight Kafka Rest Proxy cluster.

+# Enable Private Link on an HDInsight Kafka Rest Proxy cluster

+Follow these extra steps to enable private link for Kafka Rest Proxy HDI clusters.

+## Prerequisites

+As a prerequisite, complete the steps mentioned in [Enable Private Link on an HDInsight cluster document](./hdinsight-private-link.md), then perform the below steps.

+## Create private endpoints

+1. Click 'Create private endpoint' and use the following configurations to set up another Ambari private endpoint:

+

+ | Config | Value |

+ | | -- |

+ | Name | hdi-privlink-cluster-1 |

+ | Resource type | Microsoft.Network/privatelinkServices |

+ | Resource | kafkamanagementnode-* (This value should match the HDI deployment ID of your cluster, for example kafkamanagementnode 4eafe3a2a67e4cd88762c22a55fe4654) |

+ | Virtual network | hdi-privlink-client-vnet |

+ | Subnet | default |

+## Configure DNS to connect over private endpoints

+

+1. Add another record set to the Private DNS for Ambari.

+

+ | Config | Value |

+ | | -- |

+ | Name | YourPrivatelinkClusterName-1 |

+ | Type | A - Alias record to 1Pv4 address |

+ | TTL | 1 |

+ | TTL unit | Hours |

+ | IP Address | Private IP of private endpoint for Ambari access |

+

+## Next steps

+* [Enterprise Security Package for Azure HDInsight](enterprise-security-package.md)

+* [Enterprise security general information and guidelines in Azure HDInsight](./domain-joined/general-guidelines.md)

+Private Link can be used in cross-network scenarios where virtual network peering isn't available or enabled.

+When `privateLink` is set as *enabled*, internal [standard load balancers](../load-balancer/load-balancer-overview.md) (SLBs) are created, and an Azure Private Link service is provisioned for each SLB. The Private Link service is what allows you to access the HDInsight cluster from private endpoints.

+Successfully creating a Private Link cluster takes many steps, so we've outlined them here. Follow each of the steps below to ensure everything is set up correctly.

+To start, deploy the following resources if you haven't created them already. You need to have at least one resource group, two virtual networks, and a network security group to attach to the subnet where the HDInsight cluster will be deployed as shown below.

+2. Use the following configurations in the NAT Gateway. (We aren't including all configs here, so you can use the default values.)

+3. Once the NAT Gateway is finished deploying, you're ready to go to the next step.

+Your HDInsight cluster still needs access to its outbound dependencies. If these outbound dependencies aren't allowed, cluster creation might fail.

+At this point, all prerequisites should be taken care of and you're ready to deploy the Private Link cluster. The following diagram shows an example of the networking configuration that's required before you create the cluster. In this example, all outbound traffic is forced to Azure Firewall through a user-defined route. The required outbound dependencies should be allowed on the firewall before cluster creation. For Enterprise Security Package clusters, virtual network peering can provide the network connectivity to Azure Active Directory Domain Services.

+Azure automatically creates a Private link service for the Ambari and SSH load balancers during the Private Link cluster deployment. After the cluster is deployed, you have to create two Private endpoints on the client VNET(s), one for Ambari and one for SSH access. Then, link them to the Private link services that were created as part of the cluster deployment.

+3. Click 'Create private endpoint' and use the following configurations to set up the Ambari private endpoint:

+ | Resource | gateway-* (This value should match the HDI deployment ID of your cluster, for example gateway-4eafe3a2a67e4cd88762c22a55fe4654) |

+ | Resource | headnode-* (This value should match the HDI deployment ID of your cluster, for example headnode-4eafe3a2a67e4cd88762c22a55fe4654) |

+> [!IMPORTANT]

+> If you're using KafkaRestProxy HDInsight cluster, then follow this extra steps to [Enable Private Endpoints](./enable-private-link-on-kafka-rest-proxy-hdi-cluster.md#create-private-endpoints).

+>

+

+

+1. Create an Azure Private DNS zone. (We aren't including all configs here, all other configs are left at default values)

+

+> [!IMPORTANT]

+> If you are using KafkaRestProxy HDInsight cluster, then follow this extra steps to [Configure DNS to connect over private endpoint](./enable-private-link-on-kafka-rest-proxy-hdi-cluster.md#configure-dns-to-connect-over-private-endpoints).

+>

+## <a name="CheckConnectivity"></a>Step 7: Check cluster connectivity

+The last step is to test connectivity to the cluster. Since this cluster is isolated or private, we can't access the cluster using any public IP or FQDN. Instead we have a couple of options:

+* Set up VPN access to the client VNET from your on-premises network

+For this example, we'll deploy a VM in the client VNET using the following configuration to test the connectivity.

+3. If you're able to connect, the configuration is correct for SSH access.

+| _sort | Partial | Partial | sort=_lastUpdated is supported on Azure API for FHIR and the FHIR service. For Azure API for FHIR and OSS Cosmos DB databases created after April 20, 2021, sort is supported on first name, last name, birthdate, and clinical date. |

+When you do a search in FHIR, you are searching the database for resources that match certain search criteria. The FHIR API specifies a rich set of search parameters for fine-tuning search criteria. Each resource in FHIR carries information as a set of elements, and search parameters work to query the information in these elements. In a FHIR search API call, if a positive match is found between the request's search parameters and the corresponding element values stored in a resource instance, then the FHIR server returns a bundle containing the resource instance(s) whose elements satisfied the search criteria.

+As mentioned above, the results from a FHIR search will be available in paginated form at a link provided in the `searchset` bundle. By default, the FHIR service will display 10 search results per page, but this can be increased (or decreased) by setting the `_count` parameter. If there are more matches than fit on one page, the bundle will include a `next` link. Repeatedly fetching from the `next` link will yield the subsequent pages of results. Note that the `_count` parameter value cannot exceed 1000.

+For scenarios in which the search requires a logical AND condition that strictly checks for paired element values, refer to the **composite search** examples below.

+To search for resources that contain elements grouped together as logically connected pairs, FHIR defines composite search, which joins single parameter values together with the `$` operator ΓÇô forming a connected pair of parameters. In a composite search, a positive match occurs when the intersection of element values satisfies all conditions set in the paired search parameters. For example, if you want to find all `DiagnosticReport` resources that contain a potassium value less than `9.2`:

+## IoT Edge support

+Starting with version 1.4, IoT Edge supports sending a data payload contained in a JSON file. The payload file is read and sent to DPS when the device is (re)registered which typically happens when you run `iotedge config apply` for the first time. You can also force it to be re-read and registered by using the CLI's reprovision command `iotedge system reprovision`.

+Below is an example snippet from `/etc/aziot/config.toml` where the `payload` property is set to the path of a local JSON file.

+```toml

+ [provisioning]

+ source = "dps"

+ global_endpoint = "https://global.azure-devices-provisioning.net"

+ id_scope = "0ab1234C5D6"

+ # Uncomment to send a custom payload during DPS registration

+ payload = { uri = "file:///home/aziot/payload.json" }

+

+```

+The payload file (in this case `/home/aziot/payload/json`) can contain any valid JSON such as:

+```json

+{

+ "modelId": "dtmi:com:example:edgedevice;1"

+}

+```

+* To learn how to provision devices using a custom allocation policy, see [How to use custom allocation policies](./how-to-use-custom-allocation-policies.md)

+1. Go to the IoT Edge VM deployment template in GitHub: [Azure/iotedge-vm-deploy](https://github.com/Azure/iotedge-vm-deploy/tree/1.4).

+01. Verify your IoT Edge device uses the correct version of the IoT Edge agent when it starts. Find the **Default Edge Agent** section and set the image value for IoT Edge to version 1.4. For example:

+ image: "mcr.microsoft.com/azureiotedge-agent:1.4"

+ edgeAgent running Up 17 seconds mcr.microsoft.com/azureiotedge-agent:1.4

+ edgeHub running Up 6 seconds mcr.microsoft.com/azureiotedge-hub:1.4

+01. Verify your IoT Edge device uses the correct version of the IoT Edge agent when it starts. Find the **Default Edge Agent** section and set the image value for IoT Edge to version 1.4. For example:

+ image: "mcr.microsoft.com/azureiotedge-agent:1.4"

+ "image": "mcr.microsoft.com/azureiotedge-agent:1.4",

+ "image": "mcr.microsoft.com/azureiotedge-hub:1.4",

+image: "{Parent FQDN or IP}:443/azureiotedge-agent:1.4"

+>The following table reflects the supported scenarios for IoT Edge version 1.4. To see content about Windows containers, switch to the [IoT Edge 1.1](?view=iotedge-2018-06&preserve-view=true) version of this article.

+IoT Edge version 1.4 doesn't support Windows containers. Windows containers are not supported beyond version 1.1. To learn more about IoT Edge with Windows containers, see the [IoT Edge 1.1](?view=iotedge-2018-06&preserve-view=true) version of this article.

+1. Invoke the following commands on the EFLOW VM to grant *iotedge* permissions to the certificate files since `Copy-EflowVMFile` copies files with root only access permissions.

+This article lists the steps to deploy an Ubuntu 20.04 LTS virtual machine with the Azure IoT Edge runtime installed and configured using a pre-supplied device connection string. The deployment is accomplished using a [cloud-init](../virtual-machines/linux/using-cloud-init.md) based [Azure Resource Manager template](../azure-resource-manager/templates/overview.md) maintained in the [iotedge-vm-deploy](https://github.com/Azure/iotedge-vm-deploy/tree/1.4) project repository.

+On first boot, the virtual machine [installs the latest version of the Azure IoT Edge runtime via cloud-init](https://github.com/Azure/iotedge-vm-deploy/blob/1.4/cloud-init.txt). It also sets a supplied connection string before the runtime starts, allowing you to easily configure and connect the IoT Edge device without the need to start an SSH or remote desktop session.

+ [](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fazure%2Fiotedge-vm-deploy%2F1.4%2FedgeDeploy.json)

+ --template-uri "https://raw.githubusercontent.com/Azure/iotedge-vm-deploy/1.4/edgeDeploy.json" \

+ --template-uri "https://raw.githubusercontent.com/Azure/iotedge-vm-deploy/1.4/edgeDeploy.json" \

+ If you have enrolled the device using a custom **Registration Id**, you must specify that registration ID as well when provisioning:

+ If you have enrolled the device using a custom **Registration Id**, you must specify that registration ID as well when provisioning:

+ # Uncomment to send a custom payload during DPS registration

+ # payload = { uri = "PATH_TO_JSON_FILE" }

+Optionally, find the auto reprovisioning mode section of the file. Use the `auto_reprovisioning_mode` parameter to configure your device's reprovisioning behavior. **Dynamic** - Reprovision when the device detects that it may have been moved from one IoT Hub to another. This is the default. **AlwaysOnStartup** - Reprovision when the device is rebooted or a crash causes the daemon(s) to restart. **OnErrorOnly** - Never trigger device reprovisioning automatically. Each mode has an implicit device reprovisioning fallback if the device is unable to connect to IoT Hub during identity provisioning due to connectivity errors. For more information, see [IoT Hub device reprovisioning concepts](../iot-dps/concepts-device-reprovision.md).

+<!-- iotedge-1.4 -->

+Optionally, uncomment the `payload` parameter to specify the path to a local JSON file. The contents of the file will be [sent to DPS as additional data](../iot-dps/how-to-send-additional-data.md#iot-edge-support) when the device registers. This is useful for [custom allocation](../iot-dps/how-to-use-custom-allocation-policies.md). For example, if you want to allocate your devices based on an IoT Plug and Play model ID without human intervention.

+<!-- iotedge-2020-11 -->

+Save and close the file.

+Apply the configuration changes that you made to IoT Edge.

+```bash

+sudo iotedge config apply

+```

+ # Uncomment to send a custom payload during DPS registration

+ # payload = { uri = "PATH_TO_JSON_FILE" }

+<!-- iotedge-1.4 -->

+1. Optionally, uncomment the `payload` parameter to specify the path to a local JSON file. The contents of the file will be [sent to DPS as additional data](../iot-dps/how-to-send-additional-data.md#iot-edge-support) when the device registers. This is useful for [custom allocation](../iot-dps/how-to-use-custom-allocation-policies.md). For example, if you want to allocate your devices based on an IoT Plug and Play model ID without human intervention.

+<!-- iotedge-2020-11 -->

+ # Uncomment to send a custom payload during DPS registration

+ # payload = { uri = "PATH_TO_JSON_FILE" }

+<!-- iotedge-1.4 -->

+1. Optionally, uncomment the `payload` parameter to specify the path to a local JSON file. The contents of the file will be [sent to DPS as additional data](../iot-dps/how-to-send-additional-data.md#iot-edge-support) when the device registers. This is useful for [custom allocation](../iot-dps/how-to-use-custom-allocation-policies.md). For example, if you want to allocate your devices based on an IoT Plug and Play model ID without human intervention.

+<!-- iotedge-2020-11 -->

+>Currently, there is no support for IoT Edge version 1.4 running on Windows devices.

+* The preview for the experimental MQTT broker in Edge Hub 1.2 has ended and is not included in Edge Hub 1.4. We are continuing to refine our plans for an MQTT broker based on feedback received. In the meantime, if you need a standards-compliant MQTT broker on IoT Edge, consider deploying an open-source broker like Mosquitto as an IoT Edge module.

+Currently, there is no support for IoT Edge version 1.4 running on Windows devices.

+* A **module identity** is a piece of information (including security credentials) stored in IoT Hub that is associated to each module instance.

+* A **module twin** is a JSON document stored in IoT Hub that contains state information for a module instance, including metadata, configurations, and conditions.

+ * Configure how updates to modules are applied

+### Configure how updates to modules are applied

+When a deployment is updated, Edge Agent receives the new configuration as a twin update. If the new configuration has new or updated module images, by default, Edge Agent sequentially processes each module:

+1. The updated image is downloaded

+1. The running module is stopped

+1. A new module instance is started

+1. The next module update is processed

+In some cases, for example when dependencies exist between modules, it may be desirable to first download all updated module images before restarting any running modules. This module update behavior can be configured by setting an IoT Edge Agent environment variable `ModuleUpdateMode` to string value `WaitForAllPulls`. For more information, see [IoT Edge Environment Variables](https://github.com/Azure/iotedge/blob/main/doc/EnvironmentVariables.md).

+```JSON

+"modulesContent": {

+ "$edgeAgent": {

+ "properties.desired": {

+ ...

+ "systemModules": {

+ "edgeAgent": {

+ "env": {

+ "ModuleUpdateMode": {

+ "value": "WaitForAllPulls"

+ }

+ ...

+```

+### Container management

+ * Configure image garbage collection

+### Configure image garbage collection

+Image garbage collection is a feature in IoT Edge v1.4 and later to automatically clean up Docker images that are no longer used by IoT Edge modules. It only deletes Docker images that were pulled by the IoT Edge runtime as part of a deployment. Deleting unused Docker images helps conserve disk space.

+The feature is implemented in IoT Edge's host component, the `aziot-edged` service and enabled by default. Cleanup is done every day at midnight (device local time) and removes unused Docker images that were last used seven days ago. The parameters to control cleanup behavior are set in the `config.toml` and explained later in this section. If parameters aren't specified in the configuration file, the default values are applied.

+For example, the following is the `config.toml` image garbage collection section using default values:

+

+```toml

+[image_garbage_collection]

+enabled = true

+cleanup_recurrence = "1d"

+image_age_cleanup_threshold = "7d"

+cleanup_time = "00:00"

+```

+The following table describes image garbage collection parameters. All parameters are **optional** and can be set individually to change the default settings.

+| Parameter | Description | Required | Default value |

+|--|-|-||

+| `enabled` | Enables the image garbage collection. You may choose to disable the feature by changing this setting to `false`. | Optional | true |

+| `cleanup_recurrence` | Controls the recurrence frequency of the cleanup task. Must be specified as a multiple of days and can't be less than one day. <br><br> For example: 1d, 2d, 6d, etc. | Optional | 1d |

+| `image_age_cleanup_threshold` | Defines the minimum age threshold of unused images before considering for cleanup and must be specified in days. You can specify as *0d* to clean up the images as soon as they're removed from the deployment. <br><br> Images are considered unused *after* they've been removed from the deployment. | Optional | 7d |

+| `cleanup_time` | Time of day, *in device local time*, when the cleanup task runs. Must be in 24-hour HH:MM format. | Optional | 00:00 |

+Use the following CLI command to create your IoT Edge device based on the prebuilt [iotedge-vm-deploy](https://github.com/Azure/iotedge-vm-deploy/tree/1.4) template.

+ --template-uri "https://raw.githubusercontent.com/Azure/iotedge-vm-deploy/1.4/edgeDeploy.json" \

+ --template-uri "https://raw.githubusercontent.com/Azure/iotedge-vm-deploy/1.4/edgeDeploy.json" `

+Update the **Image** field for both the edgeHub and edgeAgent modules to use the version tag 1.4. For example:

+* `mcr.microsoft.com/azureiotedge-hub:1.4`

+* `mcr.microsoft.com/azureiotedge-agent:1.4`

+| **1.4** | 1.4.0 | 1.4.0 | 1.4.0 |

+* Your IoT Edge device requires Azure IoT Edge runtime 1.2 or later for EST support. Azure IoT Edge runtime 1.3 or later required for EST certificate renewal.

+The IoT Edge extension defaults to the latest stable version of the IoT Edge runtime when it creates your deployment assets. Currently, the latest stable version is 1.4. If you're developing modules for devices running the 1.1 long-term support version or the earlier 1.0 version, update the IoT Edge runtime version in Visual Studio Code to match.

+ --template-uri "https://raw.githubusercontent.com/Azure/iotedge-vm-deploy/1.4/edgeDeploy.json" \

+ IoT Edge version 1.4 is preinstalled with this ARM template, saving the need to manually install the assets on the virtual machines. If you are installing IoT Edge on your own devices, see [Install Azure IoT Edge for Linux](how-to-provision-single-device-linux-symmetric.md) or [Update IoT Edge](how-to-update-iot-edge.md#special-case-update-from-10-or-11-to-latest-release).

+* **IoT Edge 1.4 (LTS)** is the latest long-term support (LTS) version of IoT Edge and contains content for new features and capabilities that are in the latest stable release. The documentation for this version covers all features and capabilities from all previous versions through 1.3. This version of the documentation also contains content for the IoT Edge for Linux on Windows (EFLOW) continuous release version.

+| [1.4](https://github.com/Azure/azure-iotedge/releases/tag/1.4.0) | Stable | August 2022 | Automatic image clean-up of unused Docker images <br> Ability to pass a [custom JSON payload to DPS on provisioning](../iot-dps/how-to-send-additional-data.md#iot-edge-support) <br> Ability to require all modules in a deployment be downloaded before restart <br> Use of the TCG TPM2 Software Stack which enables TPM hierarchy authorization values, specifying the TPM index at which to persist the DPS authentication key, and accommodating more [TPM configurations](http://github.com/Azure/iotedge/blob/897aed8c5573e8cad4b602e5a1298bdc64cd28b4/edgelet/contrib/config/linux/template.toml#L262-L288)

+| IoT Edge release | Available in EFLOW branch | Release date | Highlights |

+||--|--||

+| 1.4 | Continuous release (CR) <br> Long-term support (LTS) | TBA | |

+| 1.3 | Continuous release (CR) | TBA | |

+| 1.2 | [Continuous release (CR)](https://github.com/Azure/iotedge-eflow/releases/tag/1.2.7.07022) | January 2022 | **Public Preview** |

+| 1.1 | [Long-term support (LTS)](https://github.com/Azure/iotedge-eflow/releases/tag/1.1.2106.0) | June 2021 | [Long-term support plan and supported systems updates](support.md) |

+You must associate an Azure storage account and blob container with your IoT hub to use file upload features. All file uploads from devices registered with your IoT hub will go to this container. To configure a storage account and blob container on your IoT hub, see [Configure file uploads with Azure portal](iot-hub-configure-file-upload.md), [Configure file uploads with Azure CLI](iot-hub-configure-file-upload-cli.md), or [Configure file uploads with PowerShell](iot-hub-configure-file-upload-powershell.md). You can also use the IoT Hub management APIs to configure file uploads programmatically.

+ 1. Configure alert condition (Note: to avoid noisy alerts, we recommend configuring alerts with the Aggregation type set to Average, looking back on a 5 minute window of data, and with a threshold of 95%)

+Before you can build business-to-business (B2B) and enterprise integration workflows using Azure Logic Apps, you need to create an *integration account* resource. This account is a scalable cloud-based container in Azure that simplifies how you store and manage B2B artifacts that you define and use in your workflows for B2B scenarios, for example:

+* [Trading partners](logic-apps-enterprise-integration-partners.md)

+* [Agreements](logic-apps-enterprise-integration-agreements.md)

+* [Maps](logic-apps-enterprise-integration-maps.md)

+* [Schemas](logic-apps-enterprise-integration-schemas.md)

+* [Certificates](logic-apps-enterprise-integration-certificates.md)

+You also need an integration account to electronically exchange B2B messages with other organizations. When other organizations use protocols and message formats different from your organization, you have to convert these formats so your organization's system can process those messages. With Azure Logic Apps, you can build workflows that support the following industry-standard protocols:

+* [AS2](logic-apps-enterprise-integration-as2.md)

+* [EDIFACT](logic-apps-enterprise-integration-edifact.md)

+* [RosettaNet](logic-apps-enterprise-integration-rosettanet.md)

+* [X12](logic-apps-enterprise-integration-x12.md)

+* Link your integration account to a logic app resource.

+* Unlink your integration account from a logic app resource.

+> [!NOTE]

+>

+> If you use an [integration service environment (ISE)](connect-virtual-network-vnet-isolated-environment-overview.md),

+> and you need to create an integration account to use with that ISE, review

+> [Create integration accounts in an ISE](add-artifacts-integration-service-environment-ise.md#create-integration-account-environment).

+If you're new to creating B2B enterprise integration workflows in Azure Logic Apps, review the following documentation:

+* [What is Azure Logic Apps](logic-apps-overview.md)

+* [B2B enterprise integration workflows with Azure Logic Apps and Enterprise Integration Pack](logic-apps-enterprise-integration-overview.md)

+* An Azure account and subscription. If you don't have an Azure subscription, [sign up for a free Azure account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). Make sure that you use the same Azure subscription for both your integration account and logic app resource.

+* Whether you're working on a Consumption or Standard logic app workflow, your logic app resource must already exist before you can link your integration account.

+ * For Consumption logic app resources, this link is required before you can use the artifacts from your integration account with your workflow. Although you can create your artifacts without this link, the link is required when you're ready to use these artifacts.

+ * For Standard logic app resources, this link is optional, based on your scenario:

+ * If you have an integration account with the artifacts that you need or want to use, you can link the integration account to each Standard logic app resource where you want to use the artifacts.

+ * Some Azure-hosted integration account connectors, such as **AS2**, **EDIFACT**, and **X12**, let you create a connection to your integration account. If you're just using these connectors, you don't need the link.

+ * The built-in connectors named **Liquid** and **Flat File** let you select maps and schemas that you previously uploaded to your logic app resource or to a linked integration account.

+ If you don't have or need an integration account, you can use the upload option. Otherwise, you can use the linking option, which also means you don't have to upload maps and schemas to each logic app resource. Either way, you can use these artifacts across all child workflows within the *same logic app resource*.

+* Basic knowledge about how to create logic app workflows. For more information, review the following documentation:

+ * [Quickstart: Create your first Consumption logic app workflow](quickstart-create-first-logic-app-workflow.md)

+ * [Create a Standard logic app workflow with single-tenant Azure Logic Apps](create-single-tenant-workflows-azure-portal.md)

+Integration accounts are available in different tiers that [vary in pricing](https://azure.microsoft.com/pricing/details/logic-apps/). Based on the tier you choose, creating an integration account might incur costs. For more information, review [Azure Logic Apps pricing and billing models](logic-apps-pricing.md#integration-accounts) and [Azure Logic Apps pricing](https://azure.microsoft.com/pricing/details/logic-apps/).

+Based on your requirements and scenarios, determine the appropriate integration account tier to create. The following table describes the available tiers:

+| **Basic** | For scenarios where you want only message handling or to act as a small business partner that has a trading partner relationship with a larger business entity. <br><br>Supported by the Azure Logic Apps SLA. |

+| **Standard** | For scenarios where you have more complex B2B relationships and increased numbers of entities that you must manage. <br><br>Supported by the Azure Logic Apps SLA. |

+| **Free** | For exploratory scenarios, not production scenarios. This tier has limits on region availability, throughput, and usage. For example, the Free tier is available only for public regions in Azure, for example, West US or Southeast Asia, but not for [Azure China 21Vianet](/azure/chin). <br><br>**Note**: Not supported by the Azure Logic Apps SLA. |

+> [!IMPORTANT]

+>

+> For you to successfully link and use your integration account with your logic app,

+> make sure that both resources exist in the *same* Azure subscription and Azure region.

+1. In the [Azure portal](https://portal.azure.com), sign in with your Azure account credentials.

+1. In the Azure portal search box, enter **integration accounts**, and select **Integration accounts**.

+ | **Resource group** | Yes | <*Azure-resource-group-name*> | The name for the [Azure resource group](../azure-resource-manager/management/overview.md) to use for organizing related resources. For this example, create a new resource group named **FabrikamIntegration-RG**. |

+ | **Integration account name** | Yes | <*integration-account-name*> | Your integration account's name, which can contain only letters, numbers, hyphens (`-`), underscores (`_`), parentheses (`(`, `)`), and periods (`.`). This example uses **Fabrikam-Integration**. |

+ | **Region** | Yes | <*Azure-region*> | The Azure region where to store your integration account metadata. Either select the same location as your logic app resource, or create your logic apps in the same location as your integration account. For this example, use **West US**. <br><br>**Note**: To create an integration account inside an [integration service environment (ISE)](connect-virtual-network-vnet-isolated-environment-overview.md), select **Associate with integration service environment** and select your ISE as the location. For more information, see [Create integration accounts in an ISE](add-artifacts-integration-service-environment-ise.md#create-integration-account-environment). |

+ | **Pricing Tier** | Yes | <*pricing-level*> | The pricing tier for the integration account, which you can change later. For this example, select **Free**. For more information, review the following documentation: <br><br>- [Logic Apps pricing model](logic-apps-pricing.md#integration-accounts) <br>- [Logic Apps limits and configuration](logic-apps-limits-and-config.md#integration-account-limits) <br>- [Logic Apps pricing](https://azure.microsoft.com/pricing/details/logic-apps/) |

+1. When you're done, select **Review + create**.

+ * [Azure Logic Apps pricing model](logic-apps-pricing.md#integration-accounts)

+ * [Azure Logic Apps limits and configuration](logic-apps-limits-and-config.md#integration-account-limits)

+ * [Azure Logic Apps pricing](https://azure.microsoft.com/pricing/details/logic-apps/)

+## Link to logic app

+For you to successfully link your integration account to your logic app resource, make sure that both resources use the *same* Azure subscription and Azure region.

+### [Consumption](#tab/consumption)

+This section describes how to complete this task using the Azure portal. If you use Visual Studio and your logic app is in an [Azure Resource Group project](../azure-resource-manager/templates/create-visual-studio-deployment-project.md), you can [link your logic app to an integration account by using Visual Studio](manage-logic-apps-with-visual-studio.md#link-integration-account).

+1. In the [Azure portal](https://portal.azure.com), open your logic app resource.

+1. On your logic app's navigation menu, under **Settings**, select **Workflow settings**. Under **Integration account**, open the **Select an Integration account** list, and select the integration account you want.

+Now your logic app workflow can use the artifacts in your integration account plus the B2B connectors, such as XML validation and flat file encoding or decoding.

+### [Standard](#tab/standard)

+#### Find your integration account's callback URL

+Before you can link your integration account to a Standard logic app resource, you need to have your integration account's **callback URL**.

+1. In the [Azure portal](https://portal.azure.com), sign in with your Azure account credentials.

+1. In the Azure portal search box, find and select your integration account. To browse existing accounts, enter **integration accounts**, and then select **Integration accounts**.

+1. From the **Integration accounts** list, select your integration account.

+1. On your selected integration account's navigation menu, under **Settings**, select **Callback URL**.

+1. Find the **Generated Callback URL** property value, copy the value, and save the URL to use later for linking.

+#### Link your integration account to your Standard logic app resource

+1. In the [Azure portal](https://portal.azure.com), open your Standard logic app resource.

+1. On your logic app's navigation menu, under **Settings**, select **Configuration**.

+1. On the **Configuration** pane, check whether the app setting named **WORKFLOW_INTEGRATION_ACCOUNT_CALLBACK_URL** exists.

+1. If the app setting doesn't exist, under the **Configuration** pane toolbar, select **New application setting**.

+1. Provide the following values for the app setting:

+ | Property | Value |

+ |-|-|

+ | **Name** | **WORKFLOW_INTEGRATION_ACCOUNT_CALLBACK_URL** |

+ | **Value** | <*integration-account-callback-URL*> |

+ |||

+1. When you're done, select **OK**. When you return to the **Configuration** pane, make sure to save your changes. On the **Configuration** pane toolbar, select **Save**.

+* [Azure Logic Apps pricing](https://azure.microsoft.com/pricing/details/logic-apps/)

+* [Azure Logic Apps pricing model](logic-apps-pricing.md#integration-accounts)

+### [Consumption](#tab/consumption)

+ },

+ }

+### [Standard](#tab/standard)

+1. In the [Azure portal](https://portal.azure.com), open your Standard logic app resource.

+1. On your logic app's navigation menu, under **Settings**, select **Configuration**.

+1. On the **Configuration** pane, find the app setting named **WORKFLOW_INTEGRATION_ACCOUNT_CALLBACK_URL**.

+1. In the **Delete** column, select **Delete** (trash can icon).

+1. On the **Configuration** pane toolbar, select **Save**.

+1. After you finish, make sure that you update all scripts with the new resource IDs for your moved resources.

+description: Transform JSON and XML by using Liquid templates as maps in workflows using Azure Logic Apps.

+# Transform JSON and XML using Liquid templates as maps in workflows using Azure Logic Apps

+When you want to perform basic JSON transformations in your logic app workflows, you can use built-in data operations, such as the **Compose** action or **Parse JSON** action. However, some scenarios might require advanced and complex transformations that include elements such as iterations, control flows, and variables. For transformations between JSON to JSON, JSON to text, XML to JSON, or XML to text, you can create a template that describes the required mapping or transformation using the Liquid open-source template language. You can select this template when you add a **Liquid** built-in action to your workflow. You can use **Liquid** actions in multi-tenant Consumption logic app workflows and single-tenant Standard logic app workflows.

+Although no **Liquid** triggers are available, you can use any trigger or action to get or feed the source JSON or XML content into your workflow for transformation. For example, you can use a built-in connector trigger, a managed or Azure-hosted connector trigger available for Azure Logic Apps, or even another app.

+This article shows how to complete the following tasks:

+* Upload the template to your integration account for Consumption logic app workflows or to your Standard logic app resource for use in any child workflow.

+* Add a Liquid action to your workflow.

+For more information, review the following documentation:

+* [Perform data operations in Azure Logic Apps](logic-apps-perform-data-operations.md)

+* [Liquid open-source template language](https://shopify.github.io/liquid/)

+* [Consumption versus Standard logic apps](logic-apps-overview.md#resource-type-and-host-environment-differences)

+* [Integration account built-in connectors](../connectors/built-in.md#integration-account-built-in)

+* [Built-in connectors overview for Azure Logic Apps](../connectors/built-in.md)

+* [Managed or Azure-hosted connectors overview for Azure Logic Apps](../connectors/managed.md) and [Managed or Azure-hosted connectors in Azure Logic Apps](/connectors/connector-reference/connector-reference-logicapps-connectors)

+* An Azure account and subscription. If you don't have a subscription, [sign up for a free Azure account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* Your logic app resource and workflow. Liquid operations don't have any triggers available, so your workflow has to minimally include a trigger. For more information, review the following documentation:

+ * [Quickstart: Create your first Consumption logic app workflow with multi-tenant Azure Logic Apps](quickstart-create-first-logic-app-workflow.md)

+ * [Create a Standard logic app workflow with single-tenant Azure Logic Apps](create-single-tenant-workflows-azure-portal.md)

+* Based on whether you're working on a Consumption or Standard logic app workflow, you'll need an [integration account resource](logic-apps-enterprise-integration-create-integration-account.md). Usually, you need this resource when you want to define and store artifacts for use in enterprise integration and B2B workflows.

+ > [!IMPORTANT]

+ >

+ > To work together, both your integration account and logic app resource must exist in the same Azure subscription and Azure region.

+ * If you're working on a Consumption logic app workflow, your integration account requires a [link to your logic app resource](logic-apps-enterprise-integration-create-integration-account.md?tabs=consumption#link-account).

+ * If you're working on a Standard logic app workflow, you can link your integration account to your logic app resource, upload maps directly to your logic app resource, or both, based on the following scenarios:

+ * If you already have an integration account with the artifacts that you need or want to use, you can link the integration account to multiple Standard logic app resources where you want to use the artifacts. That way, you don't have to upload maps to each individual logic app. For more information, review [Link your logic app resource to your integration account](logic-apps-enterprise-integration-create-integration-account.md?tabs=standard#link-account).

+ * Some Azure-hosted integration account connectors, such as **AS2**, **EDIFACT**, and **X12**, let you create a connection to your integration account. If you're just using these connectors, you don't need the link.

+ * The built-in connectors named **Liquid** and **Flat File** let you select maps and schemas that you previously uploaded to your logic app resource or to a linked integration account, but not both. You can then use these artifacts across all child workflows within the *same logic app resource*.

+ So, if you don't have or need an integration account, you can use the upload option. Otherwise, you can use the linking option. Either way, you can use these artifacts across all child workflows within the same logic app resource.

+ >

+ > The Liquid action named **Transform JSON to JSON** follows the [DotLiquid implementation for Liquid](https://github.com/dotliquid/dotliquid),

+<a name="create-template"></a>

+## Step 1 - Create the template

+Before you can perform a Liquid transformation in your logic app workflow, you must first create a Liquid template that defines the mapping that you want.

+ The JSON to JSON transformation example in this article uses the following sample Liquid template:

+ ```

+ { %- assign deviceList = content.devices | Split: ', ' -% }

+1. Save the template using the Liquid template (**.liquid**) file extension. This example uses **SimpleJsonToJsonTemplate.liquid**.

+<a name="upload-template"></a>

+## Step 2 - Upload Liquid template

+After you create your Liquid template, you now have to upload the template based on the following scenario:

+* If you're working on a Consumption logic app workflow, [upload your template to your integration account](#upload-template-integration-account).

+* If you're working on a Standard logic app workflow, you can [upload your template to your integration account](#upload-template-integration-account), or [upload your template to your logic app resource](#upload-template-standard-logic-app).

+<a name="upload-template-integration-account"></a>

+### Upload template to integration account

+1. In the [Azure portal](https://portal.azure.com), sign in with your Azure account credentials.

+1. In the Azure portal search box, enter **integration accounts**, and select **Integration accounts**.

+ 

+ 

+1. On the integration account's navigation menu, under **Settings**, select **Maps**.

+ 

+1. On the **Maps** pane, select **Add**. Provide the following information about your map:

+ | **Map type** | **Liquid** | The type for your map. For JSON to JSON transformation, you must select **Liquid**. |

+ 

+<a name="upload-template-standard-logic-app"></a>

+### Upload template to Standard logic app

+1. In the [Azure portal](https://portal.azure.com), find and open your logic app resource. Make sure that you're at the resource level, not the workflow level.

+1. On your logic app resource's navigation menu, under **Artifacts**, select **Maps**.

+1. On the **Maps** pane toolbar, select **Add**.

+1. On the **Add Map** pane, provide the following information about your template:

+ | Property | Value | Description |

+ |-|-|-|

+ | **Name** | `JsonToJsonTemplate` | The name for your map, which is "JsonToJsonTemplate" in this example |

+ | **Map type** | **Liquid** | The type for your map. For JSON to JSON transformation, you must select **Liquid**. |

+ | **Map** | `SimpleJsonToJsonTemplate.liquid` | An existing Liquid template or map file to use for transformation, which is "SimpleJsonToJsonTemplate.liquid" in this example. To find this file, you can use the file picker. For map size limits, see [Limits and configuration](../logic-apps/logic-apps-limits-and-config.md#artifact-capacity-limits). |

+ |||

+1. When you're done, select **OK**.

+ After your map file finishes uploading, the map appears in the **Maps** list. On your integration account's **Overview** page, under **Artifacts**, your uploaded map also appears.

+## Step 3 - Add the Liquid transformation action

+The following steps show how to add a Liquid transformation action for Consumption and Standard logic app workflows.

+### [Consumption](#tab/consumption)

+1. In the [Azure portal](https://portal.azure.com), open your logic app workflow in the designer, if not already open.

+1. If your workflow doesn't have a trigger or any other actions that your workflow needs, add those operations first. Liquid operations don't have any triggers available.

+ This example continues with the Request trigger named **When a HTTP request is received**.

+1. On the workflow designer, under the step where you want to add the Liquid action, select **New step**.

+1. Under the **Choose an operation** search box, select **All**. In the search box, enter **liquid**.

+1. From the actions list, select the Liquid action that you want to use.

+ This example continues using the action named **Transform JSON to JSON**.

+ 

+1. In the action's **Content** property, provide the JSON output from the trigger or a previous action that you want to transform by following these steps.

+ 1. Click inside the **Content** box so that the dynamic content list appears.

+ 1. From the dynamic content list, select the JSON data that you want to transform.

+

+ For this example, from the dynamic content list, under **When a HTTP request is received**, select the **Body** token, which represents the body content output from the trigger.

+ 

+1. For the **Map** property, open the **Map** list, and select your Liquid template.

+ This example continues with the template named **JsonToJsonTemplate**.

+ 

+ > [!NOTE]

+ >

+ > If the maps list is empty, most likely your logic app resource isn't linked to your integration account.

+ > Make sure to [link your logic app resource to the integration account that has the Liquid template or map](logic-apps-enterprise-integration-create-integration-account.md?tabs=consumption#link-account).

+ When you're done, the action looks similar to the following example:

+ 

+### [Standard](#tab/standard)

+1. In the [Azure portal](https://portal.azure.com), open your logic app workflow in the designer, if not already open.

+1. If your workflow doesn't have a trigger or any other actions that your workflow needs, add those operations first. Liquid operations don't have any triggers available.

+ This example continues with the Request trigger named **When a HTTP request is received**.

+1. On the designer, under the step where you want to add the Liquid action, select the plus sign (**+**), and then select **Add an action**.

+1. On the **Add an action** pane that appears, under the search box, select **Built-in**.

+1. In the search box, enter **liquid**. From the actions list, select the Liquid action that you want to use.

+ This example continues using the action named **Transform JSON to JSON**.

+ 

+1. In the action's **Content** property, provide the JSON output from the trigger or a previous action that you want to transform by following these steps.

+ 1. Click inside the **Content** box so that the dynamic content list appears.

+ 1. From the dynamic content list, select the JSON data that you want to transform.

+ For this example, in the dynamic content list, under **When a HTTP request is received**, select the **Body** token, which represents the body content output from the trigger.

+ 

+1. From the **Source** list, select either **LogicApp** or **IntegrationAccount** as your Liquid template source.

+ This example continues by selecting **IntegrationAccount**.

+ 

+1. From the **Name** list, select your Liquid template.

+ This example continues with the template named **JsonToJsonTemplate**.

+ 

+ > [!NOTE]

+ >

+ > If the maps list is empty, most likely your logic app resource isn't linked to your integration account.

+ > Make sure to [link your logic app resource to the integration account that has the Liquid template or map](logic-apps-enterprise-integration-create-integration-account.md?tabs=standard#link-account).

+ When you're done, the action looks similar to the following example:

+ 

+## Test your workflow

+1. By using [Postman](https://www.getpostman.com/postman) or a similar tool and the `POST` method, send a call to the Request trigger's URL and include the JSON input to transform, for example:

+ ```json

+ {

+ "devices": "Surface, Mobile, Desktop computer, Monitors",

+ "firstName": "Dean",

+ "lastName": "Ledet",

+ "phone": "(111)0001111"

+ }

+ ```

+1. After your workflow finishes running, go to the workflow's run history, and examine the **Transform JSON to JSON** action's inputs and outputs, for example:

+ 

+## Other Liquid transformations

+You can use Liquid to perform other transformations, for example:

+The following Liquid template shows an example transformation for JSON to text:

+The following example shows the sample inputs and outputs:

+

+The following Liquid template shows an example transformation for XML to JSON:

+```json

+The following example shows the sample inputs and outputs:

+

+The following Liquid template shows an example transformation for XML to text:

+```json

+The following example shows the sample inputs and outputs:

+

+<a name="template-considerations"></a>

+## Liquid template considerations

+* Liquid templates follow the [file size limits for maps](logic-apps-limits-and-config.md#artifact-capacity-limits) in Azure Logic Apps.

+* The **Transform JSON to JSON** action follows the [DotLiquid implementation for Liquid](https://github.com/dotliquid/dotliquid). This implementation is a port to the .NET Framework from the [Shopify implementation for Liquid](https://shopify.github.io/liquid/) and differs in [specific cases](https://github.com/dotliquid/dotliquid/issues).

+ The following list describes the known differences:

+ * The **Transform JSON to JSON** action natively outputs a string, which can include JSON, XML, HTML, and so on. The Liquid action only indicates that the expected text output from the Liquid template's is a JSON string. The action instructs your logic app to parse input as a JSON object and applies a wrapper so that Liquid can interpret the JSON structure. After the transformation, the action instructs your logic app to parse the text output from Liquid back to JSON.

+ DotLiquid doesn't natively understand JSON, so make sure that you escape the backslash character (`\`) and any other reserved JSON characters.

+ * If your template uses [Liquid filters](https://shopify.github.io/liquid/basics/introduction/#filters), make sure that you follow the [DotLiquid and C# naming conventions](https://github.com/dotliquid/dotliquid/wiki/DotLiquid-for-Designers#filter-and-output-casing), which use *sentence casing*. For all Liquid transforms, make sure that filter names in your template also use sentence casing. Otherwise, the filters won't work.

+ For example, when you use the `replace` filter, use `Replace`, not `replace`. The same rule applies if you try out examples at [DotLiquid online](http://dotliquidmarkup.org/TryOnline). For more information, see [Shopify Liquid filters](https://shopify.dev/docs/themes/liquid/reference/filters) and [DotLiquid Liquid filters](https://github.com/dotliquid/dotliquid/wiki/DotLiquid-for-Developers#create-your-own-filters). The Shopify specification includes examples for each filter, so for comparison, you can try these examples at [DotLiquid - Try online](http://dotliquidmarkup.org/TryOnline).

+ * The `json` filter from the Shopify extension filters is currently [not implemented in DotLiquid](https://github.com/dotliquid/dotliquid/issues/384). Typically, you can use this filter to prepare text output for JSON string parsing, but instead, you need to use the `Replace` filter instead.

+ * The standard `Replace` filter in the [DotLiquid implementation](https://github.com/dotliquid/dotliquid/blob/b6a7d992bf47e7d7dcec36fb402f2e0d70819388/src/DotLiquid/StandardFilters.cs#L425) uses [regular expression (RegEx) matching](/dotnet/standard/base-types/regular-expression-language-quick-reference), while the [Shopify implementation](https://shopify.github.io/liquid/filters/replace/) uses [simple string matching](https://github.com/Shopify/liquid/issues/202). Both implementations appear to work the same way until you use a RegEx-reserved character or an escape character in the match parameter.

+ For example, to escape the RegEx-reserved backslash (`\`) escape character, use `| Replace: '\\', '\\'`, and not `| Replace: '\', '\\'`. These examples show how the `Replace` filter behaves differently when you try to escape the backslash character. While this version works successfully:

+ `{ "SampleText": "{{ 'The quick brown fox "jumped" over the sleeping dog\\' | Replace: '\\', '\\' | Replace: '"', '\"'}}"}`

+ With this result:

+ `{ "SampleText": "The quick brown fox \"jumped\" over the sleeping dog\\\\"}`

+ This version fails:

+ `{ "SampleText": "{{ 'The quick brown fox "jumped" over the sleeping dog\\' | Replace: '\', '\\' | Replace: '"', '\"'}}"}`

+ With this error:

+ `{ "SampleText": "Liquid error: parsing "\" - Illegal \ at end of pattern."}`

+ For more information, see [Replace standard filter uses RegEx pattern matching...](https://github.com/dotliquid/dotliquid/issues/385).

+ * The `Sort` filter in the [DotLiquid implementation](https://github.com/dotliquid/dotliquid/blob/b6a7d992bf47e7d7dcec36fb402f2e0d70819388/src/DotLiquid/StandardFilters.cs#L326) sorts items in an array or collection by property but with these differences:

+ * Follows [Shopify's sort_natural behavior](https://shopify.github.io/liquid/filters/sort_natural/), not [Shopify's sort behavior](https://shopify.github.io/liquid/filters/sort/).

+ * Sorts only in string-alphanumeric order. For more information, see [Numeric sort](https://github.com/Shopify/liquid/issues/980).

+ * Uses *case-insensitive* order, not case-sensitive order. For more information, see [Sort filter doesn't follow casing behavior from Shopify's specification]( https://github.com/dotliquid/dotliquid/issues/393).

+1. In the [Azure portal](https://portal.azure.com), sign in with your Azure account credentials.

+1. In the Azure portal search box, enter **integration accounts**, and select **Integration accounts**.

+1. Find and select your integration account.

+1. On the integration account's navigation menu, under **Settings**, select **Maps**.

+1. On the **Maps** pane, select **Add**.

+description: Learn about how Azure Machine Learning uses MLflow to log metrics and artifacts from machine learning models, and to deploy your machine learning models to an endpoint.

+> [!div class="op_single_selector" title1="Select the version of the Azure Machine Learning developer platform that you're using:"]

+[MLflow](https://www.mlflow.org) is an open-source framework that's designed to manage the complete machine learning lifecycle. Its ability to train and serve models on different platforms allows you to use a consistent set of tools regardless of where your experiments are running: locally on your computer, on a remote compute target, on a virtual machine, or on an Azure Machine Learning compute instance.

+> Azure Machine Learning workspaces are MLflow-compatible, which means you can use Azure Machine Learning workspaces in the same way that you use an MLflow tracking server. Such compatibility has the following advantages:

+> * You can use Azure Machine Learning workspaces as your tracking server for any experiment you're running with MLflow, whether it runs on Azure Machine Learning or not. You only need to configure MLflow to point to the workspace where the tracking should happen.

+> * You can run any training routine that uses MLflow in Azure Machine Learning without changes. MLflow also supports model management and model deployment capabilities.

+MLflow can manage the complete machine learning lifecycle by using four core capabilities:

+* [Tracking](https://mlflow.org/docs/latest/quickstart.html#using-the-tracking-api) is a component of MLflow that logs and tracks your training job metrics, parameters, and model artifacts. It doesn't matter where your experiment's environment is--locally on your computer, on a remote compute target, on a virtual machine, or on an Azure Machine Learning compute instance.

+* [Model Registry](https://mlflow.org/docs/latest/model-registry.html) is a component of MLflow that manages a model's versions in a centralized repository.

+* [Model deployment](https://mlflow.org/docs/latest/models.html#deploy-a-python-function-model-on-microsoft-azure-ml) is a capability of MLflow that deploys models registered through the MLflow format to compute targets. Because of how MLflow models are stored, there's no need to provide scoring scripts for models in such a format.

+* [Project](https://mlflow.org/docs/latest/projects.html) is a format for packaging data science code in a reusable and reproducible way, based primarily on conventions. It's supported in preview on Azure Machine Learning.

+Azure Machine Learning uses MLflow Tracking for metric logging and artifact storage for your experiments, whether you created the experiments via the Azure Machine Learning Python SDK, the Azure Machine Learning CLI, or Azure Machine Learning studio. We recommend using MLflow for tracking experiments. To get started, see [Log metrics, parameters, and files with MLflow](how-to-log-view-metrics.md).

+> Unlike the Azure Machine Learning SDK v1, there's no logging functionality in the SDK v2 (preview). We recommend that you use MLflow for logging.

+With MLflow Tracking, you can connect Azure Machine Learning as the back end of your MLflow experiments. The workspace provides a centralized, secure, and scalable location to store training metrics and models. Capabilities include:

+* [Track machine learning experiments and models running locally or in the cloud](how-to-use-mlflow-cli-runs.md) with MLflow in Azure Machine Learning.

+* [Track Azure Databricks machine learning experiments](how-to-use-mlflow-azure-databricks.md) with MLflow in Azure Machine Learning.

+* [Track Azure Synapse Analytics machine learning experiments](how-to-use-mlflow-azure-synapse.md) with MLflow in Azure Machine Learning.

+> - MLflow in R support is limited to tracking an experiment's metrics, parameters, and models on Azure Machine Learning jobs. RStudio or Jupyter Notebooks with R kernels are not supported. Model registries are not supported if you're using the MLflow R SDK. As an alternative, use the Azure Machine Learning CLI or Azure Machine Learning studio for model registration and management. View an [R example about using the MLflow tracking client with Azure Machine Learning](https://github.com/Azure/azureml-examples/tree/main/cli/jobs/single-step/r).

+> - MLflow in Java support is limited to tracking an experiment's metrics and parameters on Azure Machine Learning jobs. Artifacts and models can't be tracked via the MLflow Java SDK. View a [Java example about using the MLflow tracking client with Azure Machine Learning](https://github.com/Azure/azureml-examples/tree/main/cli/jobs/single-step/java/iris).

+To learn how to use MLflow to query experiments and runs in Azure Machine Learning, see [Manage experiments and runs with MLflow](how-to-track-experiments-mlflow.md).

+## Model registries with MLflow

+Azure Machine Learning supports MLflow for model management. This support represents a convenient way to support the entire model lifecycle for users who are familiar with the MLflow client.

+To learn more about how to manage models by using the MLflow API in Azure Machine Learning, view [Manage model registries in Azure Machine Learning with MLflow](how-to-manage-models-mlflow.md).

+## Model deployments of MLflow models

+You can [deploy MLflow models to Azure Machine Learning](how-to-deploy-mlflow-models.md) so that you can apply the model management capabilities and no-code deployment offering in Azure Machine Learning. Azure Machine Learning supports deploying models to both real-time and batch endpoints. You can use the `azureml-mlflow` MLflow plug-in, the Azure Machine Learning CLI v2, and the user interface in Azure Machine Learning studio.

+## Training MLflow projects (preview)

+You can submit training jobs to Azure Machine Learning by using [MLflow projects](https://www.mlflow.org/docs/latest/projects.html) (preview). You can submit jobs locally with Azure Machine Learning tracking or migrate your jobs to the cloud via [Azure Machine Learning compute](./how-to-create-attach-compute-cluster.md).

+Learn more at [Train machine learning models with MLflow projects and Azure Machine Learning (preview)](how-to-train-mlflow-projects.md).

+## MLflow SDK, Azure Machine Learning v2, and Azure Machine Learning studio capabilities

+The following table shows which operations are supported by each of the tools available in the machine learning lifecycle.

+| Feature | MLflow SDK | Azure Machine Learning v2 (CLI/SDK) | Azure Machine Learning studio |

+| Track and log metrics, parameters, and models | **&check;** | | |

+| Retrieve metrics, parameters, and models | **&check;**¹ | ² | **&check;** |

+| Submit training jobs by using machine learning pipelines | | **&check;** | |

+> - ³ View [Manage model registries in Azure Machine Learning with MLflow](how-to-manage-models-mlflow.md) for details.

+> - ⁴ View [Deploy MLflow models to Azure Machine Learning](how-to-deploy-mlflow-models.md) for details. Deployment of MLflow models to batch inference by using the MLflow SDK is not possible at the moment.

+If you're getting started with MLflow in Azure Machine Learning, we recommend that you explore the [notebook examples about how to use MLflow](https://github.com/Azure/azureml-examples/blob/main/notebooks/using-mlflow/readme.md):

+* [Training and tracking an XGBoost classifier with MLflow](https://github.com/Azure/azureml-examples/blob/main/notebooks/using-mlflow/train-with-mlflow/xgboost_classification_mlflow.ipynb): Demonstrates how to track experiments by using MLflow, log models, and combine multiple flavors into pipelines.

+* [Training and tracking an XGBoost classifier with MLflow using service principal authentication](https://github.com/Azure/azureml-examples/blob/main/notebooks/using-mlflow/train-with-mlflow/xgboost_service_principal.ipynb): Demonstrates how to track experiments by using MLflow from compute that's running outside Azure Machine Learning. It shows how to authenticate against Azure Machine Learning services by using a service principal.

+* [Hyper-parameter optimization using Hyperopt and nested runs in MLflow](https://github.com/Azure/azureml-examples/blob/main/notebooks/using-mlflow/train-with-mlflow/xgboost_nested_runs.ipynb): Demonstrates how to use child runs in MLflow to do hyper-parameter optimization for models by using the popular library Hyperopt. It shows how to transfer metrics, parameters, and artifacts from child runs to parent runs.

+* [Logging models with MLflow](https://github.com/Azure/azureml-examples/blob/main/notebooks/using-mlflow/logging-models/logging_model_with_mlflow.ipynb): Demonstrates how to use the concept of models instead of artifacts with MLflow, including how to construct custom models.

+* [Manage runs and experiments with MLflow](https://github.com/Azure/azureml-examples/blob/main/notebooks/using-mlflow/run-history/run_history.ipynb): Demonstrates how to query experiments, runs, metrics, parameters, and artifacts from Azure Machine Learning by using MLflow.

+* [Manage model registries with MLflow](https://github.com/Azure/azureml-examples/blob/main/notebooks/using-mlflow/model-management/model_management.ipynb): Demonstrates how to manage models in registries by using MLflow.

+* [Deploying models with MLflow](https://github.com/Azure/azureml-examples/blob/main/notebooks/using-mlflow/no-code-deployment/deploying_with_mlflow.ipynb): Demonstrates how to deploy no-code models in MLflow format to a deployment target in Azure Machine Learning.

+* [Training models in Azure Databricks and deploying them on Azure Machine Learning](https://github.com/Azure/azureml-examples/blob/main/notebooks/using-mlflow/no-code-deployment/track_with_databricks_deploy_aml.ipynb): Demonstrates how to train models in Azure Databricks and deploy them in Azure Machine Learning. It also includes how to handle cases where you also want to track the experiments with the MLflow instance in Azure Databricks.

+* [Migrating models with a scoring script to MLflow](https://github.com/Azure/azureml-examples/blob/main/notebooks/using-mlflow/migrating-scoring-to-mlflow/scoring_to_mlmodel.ipynb): Demonstrates how to migrate models with scoring scripts to no-code deployment with MLflow.

+* [Using MLflow REST with Azure Machine Learning](https://github.com/Azure/azureml-examples/blob/main/notebooks/using-mlflow/using-rest-api/using_mlflow_rest_api.ipynb): Demonstrates how to work with the MLflow REST API when you're connected to Azure Machine Learning.

+Once you have a model you like, you register it with the workspace. You then use the registered model and scoring scripts to deploy to an [online endpoint](concept-endpoints.md) as a REST-based HTTP endpoint.

+| Workspace management task | Portal | Studio | Python SDK | Azure CLI | VS Code |

+|-|-|-|-|-|-|

+| Create a workspace | **&check;** | **&check;** | **&check;** | **&check;** | **&check;** |

+| Manage workspace access | **&check;** | | | **&check;** | |

+| Create and manage compute resources | **&check;** | **&check;** | **&check;** | **&check;** | **&check;** |

+| Create a compute instance | | **&check;** | **&check;** | **&check;** | **&check;** |

+## Create a workspace

+* Use [Azure Machine Learning studio](quickstart-create-resources.md) to quickly create a workspace with default settings.

+* Use the [Azure portal](how-to-manage-workspace.md?tabs=azure-portal#create-a-workspace) for a point-and-click interface with more options.

+* Use the [Azure Machine Learning SDK for Python](how-to-manage-workspace.md?tabs=python#create-a-workspace) to create a workspace on the fly from Python scripts or Jupyter notebooks.

+## Sub resources

+## Associated resources

+When you deploy an Azure Machine Learning workspace, various other services are [required as dependent associated resources](./concept-workspace.md#associated-resources). When you use the CLI to create the workspace, the CLI can either create new associated resources on your behalf or you could attach existing resources.

+The following Terraform configurations can be used to create an Azure Machine Learning workspace. When you create an Azure Machine Learning workspace, various other services are required as dependencies. The template also specifies these [associated resources to the workspace](./concept-workspace.md#associated-resources). Depending on your needs, you can choose to use the template that creates resources with either public or private network connectivity.

+In this article, you create, view, and delete [**Azure Machine Learning workspaces**](concept-workspace.md) for [Azure Machine Learning](overview-what-is-azure-machine-learning.md), using the Azure portal or the [SDK for Python](/python/api/overview/azure/ml/).

+You can create a workspace [directly in Azure Machine Learning studio](./quickstart-create-resources.md#create-the-workspace), with limited options available. Or use one of the methods below for more control of options.

+* **AMLOnlineEndpointTrafficLog** (preview): You could choose to enable traffic logs if you want to check the information of your request. Below are some cases:

+* **AMLOnlineEndpointEventLog** (preview): Contains event information regarding the containerΓÇÖs life cycle. Currently, we provide information on the following types of events:

+**AMLOnlineEndpointTrafficLog** (preview)

+**AMLOnlineEndpointEventLog** (preview)

+* If you have configured Azure Container Registry for your workspace behind the virtual network, you must use a compute cluster to build Docker images. If you use a compute cluster configured for no public IP address, you must provide some method for the cluster to access the public internet. Internet access is required when accessing images stored on the Microsoft Container Registry, packages installed on Pypi, Conda, etc. For more information, see [Enable Azure Container Registry](how-to-secure-workspace-vnet.md#enable-azure-container-registry-acr).

+ > * If you use a compute cluster configured for no public IP address, you must provide some way for the cluster to access the public internet. Internet access is required when accessing images stored on the Microsoft Container Registry, packages installed on Pypi, Conda, etc. You need to configure User Defined Routing (UDR) to reach to a public IP to access the internet. For example, you can use the public IP of your firewall, or you can use [Virtual Network NAT](../virtual-network/nat-gateway/nat-overview.md) with a public IP. For more information, see [How to securely train in a VNet](how-to-secure-training-vnet.md).

+If you already have a workspace, skip this section and continue to [Create a compute instance](#create-compute-instance).

+If you don't yet have a workspace, create one now:

+1. Sign in to [Azure Machine Learning studio](https://ml.azure.com)

+1. Select **Create workspace**

+1. Provide the following information to configure your new workspace:

+ Field|Description

+ |

+ Workspace name |Enter a unique name that identifies your workspace. Names must be unique across the resource group. Use a name that's easy to recall and to differentiate from workspaces created by others. The workspace name is case-insensitive.

+ Subscription |Select the Azure subscription that you want to use.

+ Resource group | Use an existing resource group in your subscription or enter a name to create a new resource group. A resource group holds related resources for an Azure solution. You need *contributor* or *owner* role to use an existing resource group. For more information about access, see [Manage access to an Azure Machine Learning workspace](how-to-assign-roles.md).

+ Region | Select the Azure region closest to your users and the data resources to create your workspace.

+1. Select **Create** to create the workspace

+## Create compute instance

+1. If you didn't just create a workspace in the previous section, sign in to [Azure Machine Learning studio](https://ml.azure.com) now, and select your workspace.

+## Create compute clusters

+## Quick tour of the studio

+## Clean up resources

+1. Select "Terminal", to open the terminal session on the compute instance.

+* The data asset for training

+description: Learn about how Azure Machine Learning uses MLflow to log metrics and artifacts from machine learning models, and to deploy your machine learning models as a web service.

+> [!div class="op_single_selector" title1="Select the version of the Azure Machine Learning developer platform that you're using:"]

+[MLflow](https://www.mlflow.org) is an open-source library for managing the life cycle of your machine learning experiments. MLflow's tracking URI and logging API are collectively known as [MLflow Tracking](https://mlflow.org/docs/latest/quickstart.html#using-the-tracking-api). This component of MLflow logs and tracks your training run metrics and model artifacts, no matter where your experiment's environment is--on your computer, on a remote compute target, on a virtual machine, or in an Azure Databricks cluster.

+Together, MLflow Tracking and Azure Machine learning allow you to track an experiment's run metrics and store model artifacts in your Azure Machine Learning workspace.

+The following table summarizes the clients that can use Azure Machine Learning and their respective capabilities.

+MLflow Tracking offers metric logging and artifact storage functionalities that are otherwise available only through the [Azure Machine Learning Python SDK](/python/api/overview/azure/ml/intro).

+| Capability | MLflow Tracking and deployment | Azure Machine Learning Python SDK | Azure Machine Learning CLI | Azure Machine Learning studio|

+| Manage a workspace | | Γ£ô | Γ£ô | Γ£ô |

+| Monitor model performance ||Γ£ô| | |

+With MLflow Tracking, you can connect Azure Machine Learning as the back end of your MLflow experiments. You can then do the following tasks:

+You can use MLflow Tracking to submit training jobs with [MLflow Projects](https://www.mlflow.org/docs/latest/projects.html) and Azure Machine Learning back-end support (preview). You can submit jobs locally with Azure Machine Learning tracking or migrate your runs to the cloud via [Azure Machine Learning compute](../how-to-create-attach-compute-cluster.md).

+Learn more at [Train machine learning models with MLflow projects and Azure Machine Learning (preview)](../how-to-train-mlflow-projects.md).

+You can [deploy your MLflow model as an Azure web service](../how-to-deploy-mlflow-models.md) so that you can apply the model management and data drift detection capabilities in Azure Machine Learning to your production models.

+* [Track machine learning models with MLflow and Azure Machine Learning](how-to-use-mlflow.md)

+* [Train machine learning models with MLflow projects and Azure Machine Learning (preview)](../how-to-train-mlflow-projects.md)

+* [Track Azure Databricks runs with MLflow](../how-to-use-mlflow-azure-databricks.md)

+* [Deploy models with MLflow](how-to-deploy-mlflow-models.md)

+When you deploy an Azure Machine Learning workspace, various other services are [required as dependent associated resources](../concept-workspace.md#associated-resources). When you use the CLI to create the workspace, the CLI can either create new associated resources on your behalf or you could attach existing resources.

+* Don't remove or modify the cluster Prometheus service.

+* Don't remove or modify the cluster Alertmanager service or Default receiver. It *is* supported to create additional receivers to notify external systems.

+- An entire subnet with no existing IPs allocated or in use that can be dedicated to Orbital GSaaS in your virtual network in your resource group.

+An Azure account is used to establish a billing relationship. An Azure account is a user identity, one or more Azure subscriptions, and an associated set of Azure resources. The person who creates the account is the Account Administrator for all subscriptions created in that account. That person is also the default Service Administrator for the subscription.

+### Symptom - ARM template role assignment returns BadRequest status

+When you try to deploy an ARM template that assigns a role to a service principal you get the error:

+`Tenant ID, application ID, principal ID, and scope are not allowed to be updated. (code: RoleAssignmentUpdateNotPermitted)`

+**Cause**

+The role assignment `name` is not unique, and it is viewed as an update.

+**Solution**

+Provide an idempotent unique value for the role assignment `name`

+```

+{

+ "type": "Microsoft.Authorization/roleAssignments",

+ "apiVersion": "2018-09-01-preview",

+ "name": "[guid(concat(resourceGroup().id, variables('resourceName'))]",

+ "properties": {

+ "roleDefinitionId": "[variables('roleDefinitionId')]",

+ "principalId": "[variables('principalId')]"

+ }

+}

+```

+Use the [Azure.Search.Documents (version 11) client library](/dotnet/api/overview/azure/search.documents-readme) to create a .NET Core console application in C# that creates, loads, and queries a search index.

+When setting up your project, you'll download the [Azure.Search.Documents NuGet package](https://www.nuget.org/packages/Azure.Search.Documents/).

+Calls to the service require a URL endpoint and an access key on every request. As a first step, find the API key and URL to add to your project. You'll specify both values when creating the client in a later step.

+2. In **Settings** > **Keys**, get an admin key for full rights on the service, required if you're creating or deleting objects. There are two interchangeable primary and secondary keys. You can use either one.

+1. Select **Browse**.

+1. Select **Install** on the right to add the assembly to your project and solution.

+1. Copy the following code into **Hotel.cs** to define the structure of a hotel document. Attributes on the field determine how it's used in an application. For example, the `IsFilterable` attribute must be assigned to every field that supports a filter expression.

+1. Create two more classes: **Hotel.Methods.cs** and **Address.Methods.cs** for ToString() overrides. These classes are used to render search results in the console output. The contents of these classes aren't provided in this article, but you can copy the code from [files in GitHub](https://github.com/Azure-Samples/azure-search-dotnet-samples/tree/master/quickstart/v11/AzureSearchQuickstart-v11).

+This section adds two pieces of functionality: query logic, and results. For queries, use the [Search](/dotnet/api/azure.search.documents.searchclient.search) method. This method takes search text (the query string) and other [options](/dotnet/api/azure.search.documents.searchoptions).

+1. In the second query, search on a term, add a filter that selects documents where Rating is greater than 4, and then sort by Rating in descending order. Filter is a boolean expression that is evaluated over [IsFilterable](/dotnet/api/azure.search.documents.indexes.models.searchfield.isfilterable) fields in an index. Filter queries either include or exclude values. As such, there's no relevance score associated with a filter query.

+Full text search and filters are performed using the [SearchClient.Search](/dotnet/api/azure.search.documents.searchclient.search) method. A search query can be passed in the `searchText` string, while a filter expression can be passed in the [Filter](/dotnet/api/azure.search.documents.searchoptions.filter) property of the [SearchOptions](/dotnet/api/azure.search.documents.searchoptions) class. To filter without searching, just pass `"*"` for the `searchText` parameter of the [Search](/dotnet/api/azure.search.documents.searchclient.search) method. To search without filtering, leave the `Filter` property unset, or don't pass in a `SearchOptions` instance at all.

+If you're using a free service, remember that you're limited to three indexes, indexers, and data sources. You can delete individual items in the portal to stay under the limit.

+* Visual Studio Code with the Python extension (or equivalent tool), with Python 3.7 or later

+* [azure-search-documents package](https://pypi.org/project/azure-search-documents/) from the Azure SDK for Python

+In this task, start Jupyter Notebook and verify that you can connect to Azure Cognitive Search. You'll do this step by requesting a list of indexes from your service.

+1. In the second cell, input the request elements that will be constants on every request. Provide your search service name, admin API key, and query API key, copied in a previous step. This cell also sets up the clients you'll use for specific operations: [SearchIndexClient](/python/api/azure-search-documents/azure.search.documents.indexes.searchindexclient) to create an index, and [SearchClient](/python/api/azure-search-documents/azure.search.documents.searchclient) to query an index.

+ service_name = "YOUR-SEARCH-SERVICE-NAME"

+Each field has a name, type, and attributes that determine how the field is used (for example, whether it's full-text searchable, filterable, or retrievable in search results). Within an index, one of the fields of type `Edm.String` must be designated as the *key* for document identity.

+1. In this example, look up a specific document based on its key. You would typically want to return a document when a user select on a document in a search result.

+1. In this example, we'll use the autocomplete function. Autocomplete is typically used in a search box to provide potential matches as the user types into the search box.

+If you're using a free service, remember that you're limited to three indexes, indexers, and data sources. You can delete individual items in the portal to stay under the limit.

+This tutorial uses [Azure.Search.Documents](/dotnet/api/overview/azure/search) to create and run multiple indexers. In this tutorial, you'll set up two Azure data sources so that you can configure an indexer that pulls from both to populate a single search index. The two data sets must have a value in common to support the merge. In this sample, that field is an ID. As long as there's a field in common to support the mapping, an indexer can merge data from disparate resources: structured data from Azure SQL, unstructured data from Blob storage, or any combination of [supported data sources](search-indexer-overview.md#supported-data-sources) on Azure.

+For an earlier version of the .NET SDK, see [Microsoft.Azure.Search (version 10) code sample](https://github.com/Azure-Samples/azure-search-dotnet-samples/tree/master/multiple-data-sources/v10) on GitHub.

+> [!NOTE]

+1. Select **Items** under **hotels**, and then select **Upload Item** on the command bar. Navigate to and then select the file **cosmosdb/HotelsDataSubset_CosmosDb.json** in the project folder.

+1. Copy a connection string from the **Keys** page into Notepad. You'll need this value for **appsettings.json** in a later step. If you didn't use the suggested database name "hotel-rooms-db", copy the database name as well.

+1. Sign in to the [Azure portal](https://portal.azure.com), navigate to your Azure storage account, select **Blobs**, and then select **+ Container**.

+1. After the container is created, open it and select **Upload** on the command bar. Navigate to the folder containing the sample files. Select all of them and then select **Upload**.

+1. Copy the storage account name and a connection string from the **Access Keys** page into Notepad. You'll need both values for **appsettings.json** in a later step.

+The third component is Azure Cognitive Search, which you can [create in the portal](search-create-service-portal.md) or [find an existing search service](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Search%2FsearchServices) in your Azure resources.

+To authenticate to your search service, you'll need the service URL and an access key.

+1. In the **Browse** tab, find and then install **Azure.Search.Documents** (version 11.0 or later).

+Azure Cognitive Search indexers can use field mappings to rename and even reformat data fields during the indexing process, so that source data can be directed to the correct index field. For example, in Cosmos DB, the hotel identifier is called **`HotelId`**. But in the JSON blob files for the hotel rooms, the hotel identifier is named **`Id`**. The program handles this discrepancy by mapping the **`Id`** field from the blobs to the **`HotelId`** key field in the indexer.

+The data model is defined by the Hotel class, which also contains references to the Address and Room classes. The FieldBuilder drills down through multiple class definitions to generate a complex data structure for the index. Metadata tags are used to define the attributes of each field, such as whether it's searchable or sortable.

+The following snippets from the Hotel.cs file show single fields, followed by a reference to another data model class, Room[], which in turn is defined in **Room.cs** file (not shown).

+// Map the Id field in the Room documents to the HotelId key field in the index

+Select on the hotel-rooms-sample index in the list. You'll see a Search Explorer interface for the index. Enter a query for a term like "Luxury". You should see at least one document in the results, and this document should show a list of room objects in its rooms array.

+- Run the following command to check if any port is blocked on the firewall. Ports used are 443 (HTTPS), 5671 and 5672 (AMQP) and 9354 (Net Messaging/SBMP). Depending on the library you use, other ports are also used. Here is the sample command that check whether the 5671 port is blocked. C

+2. Navigate to the sample folder `azure-service-bus\samples\DotNet\Azure.Messaging.ServiceBus\BasicSendReceiveTutorialWithFilters`.

+5. Navigate to the `BasicSendReceiveTutorialWithFilters\bin\Debug\netcoreapp3.1` folder.

+ dotnet --roll-forward Major BasicSendReceiveTutorialWithFilters.dll -ConnectionString "myConnectionString" -TopicName "myTopicName"

+CentOS | 6.5, 6.6, 6.7, 6.8, 6.9, 6.10 </br> 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, [7.8](https://support.microsoft.com/help/4564347/), [7.9 pre-GA version](https://support.microsoft.com/help/4578241/), 7.9 GA version is supported from 9.37 hot fix patch** </br> 8.0, 8.1, [8.2](https://support.microsoft.com/help/4570609), [8.3](https://support.microsoft.com/help/4597409/), 8.4, 8.5, 8.6

+14.04 LTS | [9.50](https://support.microsoft.com/en-us/topic/update-rollup-63-for-azure-site-recovery-kb5017421-992e63af-aa94-4ea6-8d1b-2dd89a9cc70b) | No new 14.04 LTS kernels supported in this release. |

+14.04 LTS | [9.49](https://support.microsoft.com/en-us/topic/update-rollup-62-for-azure-site-recovery-e7aff36f-b6ad-4705-901c-f662c00c402b) | No new 14.04 LTS kernels supported in this release. |

+16.04 LTS | [9.50](https://support.microsoft.com/en-us/topic/update-rollup-63-for-azure-site-recovery-kb5017421-992e63af-aa94-4ea6-8d1b-2dd89a9cc70b) | No new 16.04 LTS kernels supported in this release. |

+16.04 LTS | [9.49](https://support.microsoft.com/en-us/topic/update-rollup-62-for-azure-site-recovery-e7aff36f-b6ad-4705-901c-f662c00c402b) | No new 16.04 LTS kernels supported in this release. |

+18.04 LTS |[9.50](https://support.microsoft.com/en-us/topic/update-rollup-63-for-azure-site-recovery-kb5017421-992e63af-aa94-4ea6-8d1b-2dd89a9cc70b) | No new 18.04 LTS kernels supported in this release. |

+18.04 LTS |[9.49](https://support.microsoft.com/en-us/topic/update-rollup-62-for-azure-site-recovery-e7aff36f-b6ad-4705-901c-f662c00c402b) | 4.15.0-1139-azure </br> 4.15.0-1142-azure </br> 4.15.0-1145-azure </br> 4.15.0-1146-azure </br> 4.15.0-180-generic </br> 4.15.0-184-generic </br> 4.15.0-187-generic </br> 4.15.0-188-generic </br> 4.15.0-189-generic </br> 5.4.0-1080-azure </br> 5.4.0-1083-azure </br> 5.4.0-1085-azure </br> 5.4.0-1086-azure </br> 5.4.0-113-generic </br> 5.4.0-117-generic </br> 5.4.0-120-generic </br> 5.4.0-121-generic </br> 5.4.0-122-generic |

+18.04 LTS |[9.48](https://support.microsoft.com/topic/update-rollup-61-for-azure-site-recovery-kb5012960-a1cc029b-03ad-446f-9365-a00b41025d39) | 4.15.0-1134-azure </br> 4.15.0-1136-azure </br> 4.15.0-1137-azure </br> 4.15.0-1138-azure </br> 4.15.0-173-generic </br> 4.15.0-175-generic </br> 4.15.0-176-generic </br> 4.15.0-177-generic </br> 5.4.0-105-generic </br> 5.4.0-1073-azure </br> 5.4.0-1074-azure </br> 5.4.0-1077-azure </br> 5.4.0-1078-azure </br> 5.4.0-107-generic </br> 5.4.0-109-generic </br> 5.4.0-110-generic |

+20.04 LTS |[9.50](https://support.microsoft.com/en-us/topic/update-rollup-63-for-azure-site-recovery-kb5017421-992e63af-aa94-4ea6-8d1b-2dd89a9cc70b) | 5.4.0-1080-azure </br> 5.4.0-1083-azure </br> 5.4.0-1085-azure </br> 5.4.0-1086-azure </br> 5.4.0-113-generic </br> 5.4.0-117-generic </br> 5.4.0-120-generic </br> 5.4.0-121-generic </br> 5.4.0-122-generic |

+20.04 LTS |[9.49](https://support.microsoft.com/en-us/topic/update-rollup-62-for-azure-site-recovery-e7aff36f-b6ad-4705-901c-f662c00c402b) | No new 20.04 LTS kernels supported in this release. |

+20.04 LTS |[9.48](https://support.microsoft.com/topic/update-rollup-61-for-azure-site-recovery-kb5012960-a1cc029b-03ad-446f-9365-a00b41025d39) | 5.4.0-1074-azure </br> 5.4.0-107-generic </br> 5.4.0-1077-azure </br> 5.4.0-1078-azure </br> 5.4.0-109-generic </br> 5.4.0-110-generic </br> 5.11.0-1007-azure </br> 5.11.0-1012-azure </br> 5.11.0-1013-azure </br> 5.11.0-1015-azure </br> 5.11.0-1017-azure </br> 5.11.0-1019-azure </br> 5.11.0-1020-azure </br> 5.11.0-1021-azure </br> 5.11.0-1022-azure </br> 5.11.0-1023-azure </br> 5.11.0-1025-azure </br> 5.11.0-1027-azure </br> 5.11.0-1028-azure </br> 5.11.0-22-generic </br> 5.11.0-25-generic </br> 5.11.0-27-generic </br> 5.11.0-34-generic </br> 5.11.0-36-generic </br> 5.11.0-37-generic </br> 5.11.0-38-generic </br> 5.11.0-40-generic </br> 5.11.0-41-generic </br> 5.11.0-43-generic </br> 5.11.0-44-generic </br> 5.11.0-46-generic </br> 5.4.0-1077-azure </br> 5.4.0-1078-azure </br> 5.8.0-1033-azure </br> 5.8.0-1036-azure </br> 5.8.0-1039-azure </br> 5.8.0-1040-azure </br> 5.8.0-1041-azure </br> 5.8.0-1042-azure </br> 5.8.0-1043-azure </br> 5.8.0-23-generic </br> 5.8.0-25-generic </br> 5.8.0-28-generic </br> 5.8.0-29-generic </br> 5.8.0-31-generic </br> 5.8.0-33-generic </br> 5.8.0-34-generic </br> 5.8.0-36-generic </br> 5.8.0-38-generic </br> 5.8.0-40-generic </br> 5.8.0-41-generic </br> 5.8.0-43-generic </br> 5.8.0-44-generic </br> 5.8.0-45-generic </br> 5.8.0-48-generic </br> 5.8.0-49-generic </br> 5.8.0-50-generic </br> 5.8.0-53-generic </br> 5.8.0-55-generic </br> 5.8.0-59-generic </br> 5.8.0-63-generic |

+Debian 7 | [9.50](https://support.microsoft.com/en-us/topic/update-rollup-63-for-azure-site-recovery-kb5017421-992e63af-aa94-4ea6-8d1b-2dd89a9cc70b) | No new Debian 7 kernels supported in this release. |

+Debian 7 | [9.49](https://support.microsoft.com/en-us/topic/update-rollup-62-for-azure-site-recovery-e7aff36f-b6ad-4705-901c-f662c00c402b) | No new Debian 7 kernels supported in this release. |

+Debian 8 | [9.50](https://support.microsoft.com/en-us/topic/update-rollup-63-for-azure-site-recovery-kb5017421-992e63af-aa94-4ea6-8d1b-2dd89a9cc70b) | No new Debian 8 kernels supported in this release. |

+Debian 8 | [9.49](https://support.microsoft.com/en-us/topic/update-rollup-62-for-azure-site-recovery-e7aff36f-b6ad-4705-901c-f662c00c402b) | No new Debian 8 kernels supported in this release. |

+Debian 9.1 | [9.50](https://support.microsoft.com/en-us/topic/update-rollup-63-for-azure-site-recovery-kb5017421-992e63af-aa94-4ea6-8d1b-2dd89a9cc70b) | No new Debian 9.1 kernels supported in this release. |

+Debian 10 | [9.50](https://support.microsoft.com/en-us/topic/update-rollup-63-for-azure-site-recovery-kb5017421-992e63af-aa94-4ea6-8d1b-2dd89a9cc70b) | No new Debian 10 kernels supported in this release.

+SUSE Linux Enterprise Server 12 (SP1, SP2, SP3, SP4, SP5) | [9.50](https://support.microsoft.com/en-us/topic/update-rollup-63-for-azure-site-recovery-kb5017421-992e63af-aa94-4ea6-8d1b-2dd89a9cc70b) | All [stock SUSE 12 SP1,SP2,SP3,SP4,SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> No new SLES 12 Azure kernels supported in this release. |

+SUSE Linux Enterprise Server 12 (SP1, SP2, SP3, SP4, SP5) | [9.49](https://support.microsoft.com/en-us/topic/update-rollup-62-for-azure-site-recovery-e7aff36f-b6ad-4705-901c-f662c00c402b) | All [stock SUSE 12 SP1,SP2,SP3,SP4,SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br>4.12.14-16.100-azure:5 </br> 4.12.14-16.103-azure:5 |

+SUSE Linux Enterprise Server 12 (SP1, SP2, SP3, SP4, SP5) | [9.48](https://support.microsoft.com/topic/update-rollup-61-for-azure-site-recovery-kb5012960-a1cc029b-03ad-446f-9365-a00b41025d39) | 4.12.14-16.94-azure:5 </br> 4.12.14-16.97-azure:5 </br> 4.12.14-122.110-default:5 </br> 4.12.14-122.113-default:5 </br> 4.12.14-122.116-default:5 </br> 4.12.14-122.121-default:5 |

+SUSE Linux Enterprise Server 15 (SP1, SP2, SP3) | [9.50](https://support.microsoft.com/en-us/topic/update-rollup-63-for-azure-site-recovery-kb5017421-992e63af-aa94-4ea6-8d1b-2dd89a9cc70b) | By default, all [stock SUSE 15, SP1, SP2, SP3 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> No new SLES 15 Azure kernels supported in this release. |

+SUSE Linux Enterprise Server 15, SP1, SP2, SP3 | [9.49](https://support.microsoft.com/en-us/topic/update-rollup-62-for-azure-site-recovery-e7aff36f-b6ad-4705-901c-f662c00c402b) | By default, all [stock SUSE 15, SP1, SP2, SP3 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br>5.3.18-150300.38.69-azure:3 </br>

+SUSE Linux Enterprise Server 15, SP1, SP2, SP3 | [9.48](https://support.microsoft.com/topic/update-rollup-61-for-azure-site-recovery-kb5012960-a1cc029b-03ad-446f-9365-a00b41025d39) | By default, all [stock SUSE 15, SP1, SP2, SP3 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported.</br></br> 5.3.18-150300.38.37-azure:3 </br> 5.3.18-150300.38.40-azure:3 </br> 5.3.18-150300.38.47-azure:3 </br> 5.3.18-150300.38.50-azure:3 </br> 5.3.18-150300.38.53-azure:3 </br> 5.3.18-150300.38.56-azure:3 </br> 5.3.18-150300.38.59-azure:3 </br> 5.3.18-150300.38.62-azure:3 </br> 5.3.18-36-azure:3 </br> 5.3.18-38.11-azure:3 </br> 5.3.18-38.14-azure:3 </br> 5.3.18-38.17-azure:3 </br> 5.3.18-38.22-azure:3 </br> 5.3.18-38.25-azure:3 </br> 5.3.18-38.28-azure:3 </br> 5.3.18-38.31-azure:3 </br> 5.3.18-38.34-azure:3 </br> 5.3.18-38.3-azure:3 </br> 5.3.18-38.8-azure:3 |

+| **Configuration server machine** | A single on-premises machine. We recommend that you run it as a VMware VM that can be deployed from a downloaded OVF template.<br/><br/> The machine runs all on-premises Site Recovery components, which include the configuration server, process server, and master target server. | **Configuration server**: Coordinates communications between on-premises and Azure, and manages data replication.<br/><br/> **Process server**: Installed by default on the configuration server. It receives replication data; optimizes it with caching, compression, and encryption; and sends it to Azure Storage. The process server also installs Azure Site Recovery Mobility Service on VMs you want to replicate, and performs automatic discovery of on-premises machines. As your deployment grows, you can add additional, separate process servers to handle larger volumes of replication traffic.<br/><br/> **Master target server**: Installed by default on the configuration server. It handles replication data during failback from Azure. For large deployments, you can add an additional, separate master target server for failback. |

+Linux: CentOS | 5.2 to 5.11</b><br/> 6.1 to 6.10</b><br/> </br> 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, [7.7](https://support.microsoft.com/help/4528026/update-rollup-41-for-azure-site-recovery), [7.8](https://support.microsoft.com/help/4564347/), [7.9](https://support.microsoft.com/help/4578241/) </br> [8.0](https://support.microsoft.com/help/4531426/update-rollup-42-for-azure-site-recovery), 8.1, [8.2](https://support.microsoft.com/help/4570609), [8.3](https://support.microsoft.com/help/4597409/), 8.4, 8.5, 8.6 <br/><br/> Few older kernels on servers running CentOS 5.2-5.11 & 6.1-6.10 do not have [Linux Integration Services (LIS) components](https://www.microsoft.com/download/details.aspx?id=55106) pre-installed. If in-built LIS components are missing, ensure to install the [components](https://www.microsoft.com/download/details.aspx?id=55106) before enabling replication for the machines to boot in Azure.

+14.04 LTS | [9.46](https://support.microsoft.com/topic/update-rollup-59-for-azure-site-recovery-kb5008707-66a65377-862b-4a4c-9882-fd74bdc7a81e), [9.47](https://support.microsoft.com/topic/883a93a7-57df-4b26-a1c4-847efb34a9e8), [9.48](https://support.microsoft.com/topic/update-rollup-61-for-azure-site-recovery-kb5012960-a1cc029b-03ad-446f-9365-a00b41025d39), [9.49](https://support.microsoft.com/en-us/topic/update-rollup-62-for-azure-site-recovery-e7aff36f-b6ad-4705-901c-f662c00c402b), [9.50](https://support.microsoft.com/en-us/topic/update-rollup-63-for-azure-site-recovery-kb5017421-992e63af-aa94-4ea6-8d1b-2dd89a9cc70b) | 3.13.0-24-generic to 3.13.0-170-generic,<br/>3.16.0-25-generic to 3.16.0-77-generic,<br/>3.19.0-18-generic to 3.19.0-80-generic,<br/>4.2.0-18-generic to 4.2.0-42-generic,<br/>4.4.0-21-generic to 4.4.0-148-generic,<br/>4.15.0-1023-azure to 4.15.0-1045-azure |

+16.04 LTS |[9.46](https://support.microsoft.com/topic/update-rollup-59-for-azure-site-recovery-kb5008707-66a65377-862b-4a4c-9882-fd74bdc7a81e), [9.47](https://support.microsoft.com/topic/883a93a7-57df-4b26-a1c4-847efb34a9e8), [9.48](https://support.microsoft.com/topic/update-rollup-61-for-azure-site-recovery-kb5012960-a1cc029b-03ad-446f-9365-a00b41025d39), [9.49](https://support.microsoft.com/en-us/topic/update-rollup-62-for-azure-site-recovery-e7aff36f-b6ad-4705-901c-f662c00c402b), [9.50](https://support.microsoft.com/en-us/topic/update-rollup-63-for-azure-site-recovery-kb5017421-992e63af-aa94-4ea6-8d1b-2dd89a9cc70b) | 4.4.0-21-generic to 4.4.0-210-generic,<br/>4.8.0-34-generic to 4.8.0-58-generic,<br/>4.10.0-14-generic to 4.10.0-42-generic,<br/>4.11.0-13-generic, 4.11.0-14-generic,<br/>4.13.0-16-generic to 4.13.0-45-generic,<br/>4.15.0-13-generic to 4.15.0-142-generic<br/>4.11.0-1009-azure to 4.11.0-1016-azure,<br/>4.13.0-1005-azure to 4.13.0-1018-azure <br/>4.15.0-1012-azure to 4.15.0-1113-azure </br> 4.15.0-101-generic to 4.15.0-107-generic |

+18.04 |[9.50](https://support.microsoft.com/en-us/topic/update-rollup-63-for-azure-site-recovery-kb5017421-992e63af-aa94-4ea6-8d1b-2dd89a9cc70b) | 4.15.0-1146-azure </br> 4.15.0-189-generic </br> 5.4.0-1086-azure </br> 5.4.0-122-generic </br>

+20.04 LTS|[9.50](https://support.microsoft.com/en-us/topic/update-rollup-63-for-azure-site-recovery-kb5017421-992e63af-aa94-4ea6-8d1b-2dd89a9cc70b) | 5.4.0-1080-azure </br> 5.4.0-1083-azure </br> 5.4.0-1085-azure </br> 5.4.0-1086-azure </br> 5.4.0-113-generic </br> 5.4.0-117-generic </br> 5.4.0-120-generic </br> 5.4.0-121-generic </br> 5.4.0-122-generic |

+20.04 LTS |[9.49](https://support.microsoft.com/en-us/topic/update-rollup-62-for-azure-site-recovery-e7aff36f-b6ad-4705-901c-f662c00c402b) | No new 20.04 LTS kernels supported in this release |

+Debian 7 | [9.46](https://support.microsoft.com/topic/update-rollup-59-for-azure-site-recovery-kb5008707-66a65377-862b-4a4c-9882-fd74bdc7a81e), [9.47](https://support.microsoft.com/topic/883a93a7-57df-4b26-a1c4-847efb34a9e8), [9.48](https://support.microsoft.com/topic/update-rollup-61-for-azure-site-recovery-kb5012960-a1cc029b-03ad-446f-9365-a00b41025d39), [9.49](https://support.microsoft.com/en-us/topic/update-rollup-62-for-azure-site-recovery-e7aff36f-b6ad-4705-901c-f662c00c402b), [9.50](https://support.microsoft.com/en-us/topic/update-rollup-63-for-azure-site-recovery-kb5017421-992e63af-aa94-4ea6-8d1b-2dd89a9cc70b) | 3.2.0-4-amd64 to 3.2.0-6-amd64, 3.16.0-0.bpo.4-amd64 |

+Debian 8 |[9.46](https://support.microsoft.com/topic/update-rollup-59-for-azure-site-recovery-kb5008707-66a65377-862b-4a4c-9882-fd74bdc7a81e), [9.47](https://support.microsoft.com/topic/883a93a7-57df-4b26-a1c4-847efb34a9e8), [9.48](https://support.microsoft.com/topic/update-rollup-61-for-azure-site-recovery-kb5012960-a1cc029b-03ad-446f-9365-a00b41025d39), [9.49](https://support.microsoft.com/en-us/topic/update-rollup-62-for-azure-site-recovery-e7aff36f-b6ad-4705-901c-f662c00c402b), [9.50](https://support.microsoft.com/en-us/topic/update-rollup-63-for-azure-site-recovery-kb5017421-992e63af-aa94-4ea6-8d1b-2dd89a9cc70b) | 3.16.0-4-amd64 to 3.16.0-11-amd64, 4.9.0-0.bpo.4-amd64 to 4.9.0-0.bpo.12-amd64 |

+Debian 9.1 | [9.50](https://support.microsoft.com/en-us/topic/update-rollup-63-for-azure-site-recovery-kb5017421-992e63af-aa94-4ea6-8d1b-2dd89a9cc70b) | No new Debian 9.1 kernels supported in this release|

+Debian 10 | [9.50](https://support.microsoft.com/en-us/topic/update-rollup-63-for-azure-site-recovery-kb5017421-992e63af-aa94-4ea6-8d1b-2dd89a9cc70b) | No new Debian 10 kernels supported in this release|

+Debian 10 | [9.48](https://support.microsoft.com/en-us/topic/update-rollup-61-for-azure-site-recovery-kb5012960-a1cc029b-03ad-446f-9365-a00b41025d39) | 4.19.0-19-cloud-amd64, 4.19.0-20-cloud-amd64 </br> 4.19.0-19-amd64, 4.19.0-20-amd64 </br> 5.8.0-0.bpo.2-amd64, 5.8.0-0.bpo.2-cloud-amd64, 5.9.0-0.bpo.2-amd64, 5.9.0-0.bpo.2-cloud-amd64, 5.9.0-0.bpo.5-amd64, 5.9.0-0.bpo.5-cloud-amd64, 5.10.0-0.bpo.7-amd64, 5.10.0-0.bpo.7-cloud-amd64, 5.10.0-0.bpo.9-amd64, 5.10.0-0.bpo.9-cloud-amd64, 5.10.0-0.bpo.11-amd64, 5.10.0-0.bpo.11-cloud-amd64, 5.10.0-0.bpo.12-amd64, 5.10.0-0.bpo.12-cloud-amd64 |

+SUSE Linux Enterprise Server 12 (SP1,SP2,SP3,SP4, SP5) | [9.50](https://support.microsoft.com/en-us/topic/update-rollup-63-for-azure-site-recovery-kb5017421-992e63af-aa94-4ea6-8d1b-2dd89a9cc70b) | All [stock SUSE 12 SP1,SP2,SP3,SP4,SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br> 4.12.14-16.103-azure:5 |

+SUSE Linux Enterprise Server 12 (SP1, SP2, SP3, SP4, SP5) | [9.48](https://support.microsoft.com/en-us/topic/update-rollup-61-for-azure-site-recovery-kb5012960-a1cc029b-03ad-446f-9365-a00b41025d39) | All [stock SUSE 12 SP1,SP2,SP3,SP4,SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br> 4.12.14-16.85-azure:5 </br> 4.12.14-16.88-azure:5 </br> 4.12.14-16.94-azure:5 </br> 4.12.14-16.97-azure:5 |

+SUSE Linux Enterprise Server 15, SP1, SP2, SP3 | [9.50](https://support.microsoft.com/en-us/topic/update-rollup-63-for-azure-site-recovery-kb5017421-992e63af-aa94-4ea6-8d1b-2dd89a9cc70b) | By default, all [stock SUSE 15, SP1, SP2, SP3 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported.</br> 5.3.18-150300.38.69-azure:3 |

+SUSE Linux Enterprise Server 15, SP1, SP2, SP3 | [9.48](https://support.microsoft.com/en-us/topic/update-rollup-61-for-azure-site-recovery-kb5012960-a1cc029b-03ad-446f-9365-a00b41025d39) | By default, all [stock SUSE 15, SP1, SP2, SP3 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported.</br> 5.3.18-150300.38.37-azure:3 </br> 5.3.18-150300.38.40-azure:3 </br> 5.3.18-150300.38.47-azure:3 </br> 5.3.18-150300.38.50-azure:3 </br> 5.3.18-150300.38.53-azure:3 </br> 5.3.18-150300.38.56-azure:3 </br> 5.3.18-150300.38.59-azure:3 </br> 5.3.18-150300.38.62-azure:3 </br> 5.3.18-36-azure:3 </br> 5.3.18-38.11-azure:3 </br> 5.3.18-38.14-azure:3 </br> 5.3.18-38.17-azure:3 </br> 5.3.18-38.22-azure:3 </br> 5.3.18-38.25-azure:3 </br> 5.3.18-38.28-azure:3 </br> 5.3.18-38.31-azure:3 </br> 5.3.18-38.34-azure:3 </br> 5.3.18-38.3-azure:3 </br> 5.3.18-38.8-azure:3 </br> |

+An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free).

+1. Create an Azure Database for MySQL flexible server using the [az mysql flexible-server create](/cli/azure/mysql/flexible-server#az-mysql-flexible-server-create) command. Replace the placeholders `<database-name>`, `<resource-group-name>`, `<MySQL-flexible-server-name>`, `<admin-username>`, and `<admin-password>` with a name for your new database, the name of your resource group, a name for your new server, and an admin username and password.

+ ```azurecli-interactive

+ az mysql flexible-server create \

+ --resource-group <resource-group-name> \

+ --name <MySQL-flexible-server-name> \

+ --database-name <database-name> \

+ --admin-user <admin-username> \

+ --admin-password <admin-password>

+ > [!NOTE]

+ > Standard_B1ms SKU is used by default. Refer to [Azure Database for MySQL pricing](https://azure.microsoft.com/pricing/details/mysql/flexible-server/) for pricing details.

+ > [!TIP]

+ > Password should be at least eight characters long and contain at least one English uppercase letter, one English lowercase letter, one number, and one non-alphanumeric character (!, $, #, %, and so on.).

+1. A CLI prompt asks if you want to enable access to your IP. Enter `Y` to confirm.

+## Connect your application to the MySQL database

+Use [Service Connector](../service-connector/overview.md) to connect the app hosted in Azure Spring Apps to your MySQL database.

+> [!NOTE]

+> The service binding feature in Azure Spring Apps is being deprecated in favor of Service Connector.

+### [Azure CLI](#tab/azure-cli)

+1. If you're using Service Connector for the first time, start by running the command [az provider register](/cli/azure/provider#az-provider-register) to register the Service Connector resource provider.

+ ```azurecli-interactive

+ az provider register --namespace Microsoft.ServiceLinker

+ ```

+1. Run the `az spring connection create` command to create a service connection between Azure Spring Apps and the Azure MySQL database. Replace the placeholders below with your own information.

+ | Setting | Description |

+ ||-|

+ | `--resource-group` | The name of the resource group that contains the app hosted by Azure Spring Apps. |

+ | `--service` | The name of the Azure Spring Apps resource. |

+ | `--app` | The name of the application hosted by Azure Spring Apps that connects to the target service. |

+ | `--target-resource-group` | The name of the resource group with the storage account. |

+ | `--server` | The MySQL server you want to connect to |

+ | `--database` | The name of the database you created earlier. |

+ | `--secret name` | The MySQL server username. |

+ | `--secret` | The MySQL server password. |

+ ```azurecli-interactive

+ az spring connection create mysql-flexible \

+ --resource-group <Azure-Spring-Apps-resource-group-name> \

+ --service <Azure-Spring-Apps-resource-name> \

+ --app <app-name> \

+ --target-resource-group <mySQL-server-resource-group> \

+ --server <server-name> \

+ --database <database-name> \

+ --secret name=<username> secret=<secret>

+ ```

+ > [!TIP]

+ > If the `az spring` command isn't recognized by the system, check that you have installed the Azure Spring Apps extension by running `az extension add --name spring`.

+### [Portal](#tab/azure-portal)

+1. In the Azure portal, type the name of your Azure Spring Apps instance in the search box at the top of the screen and select your instance.

+1. Under **Settings**, select **Apps** and select the application from the list.

+1. Select **Service Connector** from the left table of contents and select **Create**.

+ :::image type="content" source="./media\quickstart-integrate-azure-database-mysql\create-service-connection.png" alt-text="Screenshot of the Azure portal, in the Azure Spring Apps instance, create a connection with Service Connector.":::

+1. Select or enter the following settings in the table.

+ | Setting | Example | Description |

+ ||--|-|

+ | **Service type** | *DB for MySQL flexible server* | Select DB for MySQL flexible server as your target service |

+ | **Subscription** | *my-subscription* | The subscription that contains your target service. The default value is the subscription that contains the app deployed to Azure Spring Apps. |

+ | **Connection name** | *mysql_rk29a* | The connection name that identifies the connection between your app and target service. Use the connection name provided by Service Connector or enter your own connection name. |

+ | **MySQL flexible server** | *MySQL80* | Select the MySQL flexible server you want to connect to. |

+ | **MySQL database** | *petclinic* | Select the database you created earlier. |

+ | **Client type** | *.NET* | Select the application stack that works with the target service you selected. |

+ :::image type="content" source="./media\quickstart-integrate-azure-database-mysql\basics-tab.png" alt-text="Screenshot of the Azure portal, filling out the basics tab in Service Connector.":::

+1. Select **Next: Authentication** to select the authentication type. Then select **Connection string > Database credentials** and enter your database username and password.

+1. Select **Next: Networking** to select the network configuration and select **Configure firewall rules to enable access to target service**. Enter your username and password so that your app can reach the database.

+1. Select **Next: Review + Create** to review the provided information. Wait a few seconds for Service Connector to validate the information and select **Create** to create the service connection.

+## Check connection to MySQL database

+### [Azure CLI](#tab/azure-cli)

+Run the `az spring connection validate` command to show the status of the connection between Azure Spring Apps and the Azure MySQL database. Replace the placeholders below with your own information.

+```azurecli-interactive

+az spring connection validate

+ --resource-group <Azure-Spring-Apps-resource-group-name> \

+ --service <Azure-Spring-Apps-resource-name> \

+ --app <app-name> \

+ --connection <connection-name>

+The following output is displayed:

+```Output

+Name Result

+- --

+The target existence is validated success

+The target service firewall is validated success

+The configured values (except username/password) is validated success

+> [!TIP]

+> To get more details about the connection between your services, remove `--output table` from the above command.

+### [Portal](#tab/azure-portal)

+Azure Spring Apps connections are displayed under **Settings > Service Connector**. Select **Validate** to check your connection status, and select **Learn more** to review the connection validation details.

+If you plan to continue working with subsequent quickstarts and tutorials, you might want to leave these resources in place. When no longer needed, delete the resource group by using the [az group delete](/cli/azure/group#az-group-delete) command, which deletes the resources in the resource group. Replace `<resource-group>` with the name of your resource group.

+az group delete --name <resource-group>

+Before adding an API, create and deploy a frontend application to Azure Static Web Apps. Use an existing app that you've already deployed or create one by following the [Building your first static site with Azure Static Web Apps](getting-started.md) quickstart.

+1. Select **Azure Static Web Apps: Create HTTP Function...**. If you're prompted to install the Azure Functions extension, install it and rerun this command.

+ }());

+To run your frontend app and API together locally, Azure Static Web Apps provides a CLI that emulates the cloud environment. The CLI uses the Azure Functions Core Tools to run the API.

+```bash

+npm install -g @azure/static-web-apps-cli

+```

+There's no need to build the app.

+1. When the CLI processes start, access your app at [http://localhost:4280/](http://localhost:4280/). Notice how the page calls the API and displays its output, `Hello from the API`.

+1. When prompted for a commit message, enter **feat: add API** and commit all changes to your local git repository.

+Microsoft Azure Blob Storage allows you to store large amounts of unstructured object data. You can use blob storage to gather or expose media, content, or application data to users. Because all blob data is stored within containers, you must create a storage container before you can begin to upload data. To learn more about blob storage, read the [Introduction to Azure Blob storage](storage-blobs-introduction.md).

+In this how-to article, you learned how to manage containers in Blob Storage. To learn more about working with blob storage by using Azure CLI, select an option below.

+- **Hybrid identities**

+ [Hybrid user identities](../../active-directory/hybrid/whatis-hybrid-identity.md) are on-premises AD identities that are synced to the cloud.

+This section summarizes the supported Azure file shares authentication scenarios for Azure AD DS, on-premises AD DS, and Azure AD Kerberos for hybrid identities (preview). We recommend selecting the domain service that you adopted for your client environment for integration with Azure Files. If you have AD DS already setup on-premises or in Azure where your devices are domain joined to your AD, you should choose to leverage AD DS for Azure file shares authentication. Similarly, if you've already adopted Azure AD DS, you should use that for authenticating to Azure file shares.

+- **On-premises AD DS authentication:** On-premises AD DS-joined or Azure AD DS-joined Windows machines can access Azure file shares with on-premises Active Directory credentials that are synched to Azure AD over SMB. Your client must have line of sight to your AD DS.

+- **Azure AD DS authentication:** Azure AD DS-joined Windows machines can access Azure file shares with Azure AD credentials over SMB.

+- **Azure AD Kerberos for hybrid identities (preview):** Using Azure AD for authenticating [hybrid user identities](../../active-directory/hybrid/whatis-hybrid-identity.md) allows Azure AD users to access Azure file shares using Kerberos authentication. This means your end users can access Azure file shares over the internet without requiring a line-of-sight to domain controllers from hybrid Azure AD-joined and Azure AD-joined VMs.

+- Azure AD DS and on-premises AD DS authentication don't support authentication against computer accounts. You can consider using a service logon account instead.

+- Identity-based authentication isn't supported with Network File System (NFS) shares.

+### Azure AD Kerberos for hybrid identities (preview)

+Enabling and configuring Azure AD for authenticating [hybrid user identities](../../active-directory/hybrid/whatis-hybrid-identity.md) allows Azure AD users to access Azure file shares using Kerberos authentication. This configuration uses Azure AD to issue the necessary Kerberos tickets to access the file share with the industry-standard SMB protocol. This means your end users can access Azure file shares over the internet without requiring a line-of-sight to domain controllers from hybrid Azure AD-joined and Azure AD-joined VMs. However, configuring access control lists (ACLs) and permissions might require line-of-sight to the domain controller.

+For more information on this preview feature, see [Enable Azure Active Directory Kerberos authentication for hybrid identities on Azure Files](storage-files-identity-auth-azure-active-directory-enable.md).

+[Azure Files](storage-files-introduction.md) supports identity-based authentication over Server Message Block (SMB) using three different methods: on-premises Active Directory Domain Services (AD DS), Azure Active Directory Domain Services (Azure AD DS), and Azure Active Directory (Azure AD) Kerberos for hybrid identities (preview). We strongly recommend that you review the [How it works section](./storage-files-active-directory-overview.md#how-it-works) to select the right AD source for authentication. The setup is different depending on the domain service you choose. This article focuses on enabling and configuring Azure AD DS for authentication with Azure file shares.

+[Azure Files](storage-files-introduction.md) supports identity-based authentication over Server Message Block (SMB) using three different methods: on-premises Active Directory Domain Services (AD DS), Azure Active Directory Domain Services (Azure AD DS), and Azure Active Directory (Azure AD) Kerberos for hybrid identities (preview). We strongly recommend that you review the [How it works section](./storage-files-active-directory-overview.md#how-it-works) to select the right AD source for authentication. The setup is different depending on the domain service you choose. This article focuses on enabling and configuring Azure AD DS for authentication with Azure file shares.

+ Title: Use Azure Active Directory to authorize access to Azure files over SMB for hybrid identities using Kerberos authentication (preview)

+description: Learn how to enable identity-based Kerberos authentication for hybrid user identities over Server Message Block (SMB) for Azure Files through Azure Active Directory. Your users can then access Azure file shares by using their Azure AD credentials (preview).

+# Enable Azure Active Directory Kerberos authentication for hybrid identities on Azure Files (preview)

+> [!IMPORTANT]

+> Azure Files authentication with Azure Active Directory Kerberos is currently in public preview.

+> This preview version is provided without a service level agreement, and isn't recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

+> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+For more information on all supported options and considerations, see [Overview of Azure Files identity-based authentication options for SMB access](storage-files-active-directory-overview.md). For more information about Azure Active Directory (AD) Kerberos, see [Deep dive: How Azure AD Kerberos works](https://techcommunity.microsoft.com/t5/itops-talk-blog/deep-dive-how-azure-ad-kerberos-works/ba-p/3070889).

+[Azure Files](storage-files-introduction.md) supports identity-based authentication over Server Message Block (SMB) using the Kerberos authentication protocol through the following three methods:

+- On-premises Active Directory Domain Services (AD DS)

+- Azure Active Directory Domain Services (Azure AD DS)

+- Azure Active Directory Kerberos (Azure AD) for hybrid user identities only

+This article focuses on the last method: enabling and configuring Azure AD for authenticating [hybrid user identities](../../active-directory/hybrid/whatis-hybrid-identity.md), which are on-premises AD identities that are synced to the cloud. This allows Azure AD users to access Azure file shares using Kerberos authentication. This configuration uses Azure AD to issue the necessary Kerberos tickets to access the file share with the industry-standard SMB protocol. This means your end users can access Azure file shares over the internet without requiring a line-of-sight to domain controllers from hybrid Azure AD-joined and Azure AD-joined VMs. However, configuring access control lists (ACLs) and permissions might require line-of-sight to the domain controller.

+> [!NOTE]

+> Your Azure Storage account can't authenticate with both Azure AD and a second method like AD DS or Azure AD DS. You can only use one authentication method. If you've already chosen another authentication method for your storage account, you must disable it before enabling Azure AD Kerberos.

+## Applies to

+| File share type | SMB | NFS |

+|-|:-:|:-:|

+| Standard file shares (GPv2), LRS/ZRS |  |  |

+| Standard file shares (GPv2), GRS/GZRS |  |  |

+| Premium file shares (FileStorage), LRS/ZRS |  |  |

+## Prerequisites

+Before you enable Azure AD over SMB for Azure file shares, make sure you've completed the following prerequisites.

+The Azure AD Kerberos functionality for hybrid identities is only available on the following operating systems:

+ - Windows 11 Enterprise single or multi-session.

+ - Windows 10 Enterprise single or multi-session, versions 2004 or later with the latest cumulative updates installed, especially the [KB5007253 - 2021-11 Cumulative Update Preview for Windows 10](https://support.microsoft.com/topic/november-22-2021-kb5007253-os-builds-19041-1387-19042-1387-19043-1387-and-19044-1387-preview-d1847be9-46c1-49fc-bf56-1d469fc1b3af).

+ - Windows Server, version 2022 with the latest cumulative updates installed, especially the [KB5007254 - 2021-11 Cumulative Update Preview for Microsoft server operating system version 21H2](https://support.microsoft.com/topic/november-22-2021-kb5007254-os-build-20348-380-preview-9a960291-d62e-486a-adcc-6babe5ae6fc1).

+To learn how to create and configure a Windows VM and log in by using Azure AD-based authentication, see [Log in to a Windows virtual machine in Azure by using Azure AD](../../active-directory/devices/howto-vm-sign-in-azure-ad-windows.md).

+This feature doesn't currently support user accounts that you create and manage solely in Azure AD. User accounts must be [hybrid user identities](../../active-directory/hybrid/whatis-hybrid-identity.md), which means you'll also need AD DS and Azure AD Connect. You must create these accounts in Active Directory and sync them to Azure AD. To assign Azure Role-Based Access Control (RBAC) permissions for the Azure file share to a user group, you must create the group in Active Directory and sync it to Azure AD.

+You must disable multi-factor authentication (MFA) on the Azure AD app representing the storage account.

+Azure AD Kerberos authentication only supports using AES-256 encryption.

+## Regional availability

+Azure Files authentication with Azure AD Kerberos public preview is available in Azure public cloud in [all Azure regions](https://azure.microsoft.com/global-infrastructure/locations/).

+## Enable Azure AD Kerberos authentication for hybrid user accounts (preview)

+To enable Azure AD Kerberos authentication on Azure Files for hybrid user accounts (preview), use the Azure portal.

+1. Sign in to the Azure portal and select the storage account you want to enable Azure AD Kerberos authentication for.

+1. Under **Data storage**, select **File shares**.

+1. Next to **Active Directory**, select the configuration status (for example, **Not configured**).

+

+ :::image type="content" source="media/storage-files-identity-auth-azure-active-directory-enable/configure-active-directory.png" alt-text="Screenshot of the Azure portal showing file share settings for a storage account. Active Directory configuration settings are selected." lightbox="media/storage-files-identity-auth-azure-active-directory-enable/configure-active-directory.png" border="true":::

+1. Under **Azure AD Kerberos (preview)**, select **Set up**.

+1. Select the **Azure AD Kerberos** checkbox.

+ :::image type="content" source="media/storage-files-identity-auth-azure-active-directory-enable/setup-azure-ad-kerberos.png" alt-text="Screenshot of the Azure portal showing Active Directory configuration settings for a storage account. Azure AD Kerberos is selected." lightbox="media/storage-files-identity-auth-azure-active-directory-enable/setup-azure-ad-kerberos.png" border="true":::

+1. Optional: If you want to configure directory and file-level permissions through Windows File Explorer, then you also need to specify the domain name and domain GUID for your on-premises AD. You can get this information from your domain admin or by running the following PowerShell cmdlets from an on-premises AD-joined client:

+ ```PowerShell

+ $domainInformation = Get-ADDomain

+ $domainGuid = $domainInformation.ObjectGUID.ToString()

+ $domainName = $domainInformation.DnsRoot

+ ```

+ If you'd prefer to configure directory and file-level permissions using icacls, you can skip this step. However, if you want to use icacls, the client will need line-of-sight to the on-premises AD.

+1. Select **Save**.

+## Grant admin consent to the new service principal

+After enabling Azure AD Kerberos authentication, you'll need to explicitly grant admin consent to the new Azure AD application registered in your Azure AD tenant to complete your configuration. You can configure the API permissions from the [Azure portal](https://portal.azure.com) by following these steps:

+1. Open **Azure Active Directory**.

+2. Select **App registrations** on the left pane.

+3. Select **All Applications**.

+ :::image type="content" source="media/storage-files-identity-auth-azure-active-directory-enable/azure-portal-azuread-app-registrations.png" alt-text="Screenshot of the Azure portal. Azure Active Directory is open. App registrations is selected in the left pane. All applications is highlighted in the right pane." lightbox="media/storage-files-identity-auth-azure-active-directory-enable/azure-portal-azuread-app-registrations.png":::

+4. Select the application with the name matching **[Storage Account] $storageAccountName.file.core.windows.net**.

+5. Select **API permissions** in the left pane.

+6. Select **Add permissions** at the bottom of the page.

+7. Select **Grant admin consent for "DirectoryName"**.

+## Disable multi-factor authentication on the storage account

+Azure AD Kerberos doesn't support using MFA to access Azure file shares configured with Azure AD Kerberos. You must exclude the Azure AD app representing your storage account from your MFA conditional access policies if they apply to all apps. The storage account app should have the same name as the storage account in the conditional access exclusion list.

+ > [!IMPORTANT]

+ > If you don't exclude MFA policies from the storage account app, you won't be able to access the file share. Trying to map the file share using *net use* will result in an error message that says "System error 1327: Account restrictions are preventing this user from signing in. For example: blank passwords aren't allowed, sign-in times are limited, or a policy restriction has been enforced."

+## Assign share-level permissions

+When you enable identity-based access, you can set for each share which users and groups have access to that particular share. Once a user is allowed into a share, NTFS permissions on individual files and folders take over. This allows for fine-grained control over permissions, similar to an SMB share on a Windows server.

+To set share-level permissions, follow the instructions in [Assign share-level permissions to an identity](storage-files-identity-ad-ds-assign-permissions.md).

+## Configure directory and file-level permissions

+Once your share-level permissions are in place, there are two options for configuring directory and file-level permissions with Azure AD Kerberos authentication:

+- **Windows Explorer experience:** If you choose this option, then the client must be domain-joined to the on-premises AD.

+- **icacls utility:** If you choose this option, then the client needs line-of-sight to the on-premises AD.

+To configure directory and file level permissions through Windows File explorer, you also need to specify domain name and domain GUID for your on-premises AD. You can get this information from your domain admin or from an on-premises AD-joined client. If you prefer to configure using icacls, this step is not required.

+To configure directory and file-level permissions, follow the instructions in [Configure directory and file-level permissions over SMB](storage-files-identity-ad-ds-configure-permissions.md).

+## Disable Azure AD authentication on your storage account

+If you want to use another authentication method, you can disable Azure AD authentication on your storage account by using the Azure portal.

+> [!NOTE]

+> Disabling this feature means that there will be no Active Directory configuration for file shares in your storage account until you enable one of the other Active Directory sources to reinstate your Active Directory configuration.

+1. Sign in to the Azure portal and select the storage account you want to enable Azure AD Kerberos authentication for.

+1. Under **Data storage**, select **File shares**.

+1. Next to **Active Directory**, select the configuration status (for example, **Not configured**).

+1. Under **Azure AD Kerberos (preview)**, select **Set up**.

+1. Uncheck the **Azure AD Kerberos** checkbox.

+1. Select **Save**.

+## Next steps

+For more information, see these resources:

+- [Overview of Azure Files identity-based authentication support for SMB access](storage-files-active-directory-overview.md)

+- [Enable AD DS authentication to Azure file shares](storage-files-identity-ad-ds-enable.md)

+- [Create a profile container with Azure Files and Azure Active Directory (preview)](../../virtual-desktop/create-profile-container-azure-ad.md)

+- [FAQ](storage-files-faq.md)

+To access an Azure file share, the user of the file share must be authenticated and authorized to access the share. This is done based on the identity of the user accessing the file share. Azure Files integrates with four main identity providers:

+- **Azure Active Directory (Azure AD) Kerberos for hybrid identities (preview)**: Azure AD Kerberos allows you to use Azure AD to authenticate [hybrid user identities](../../active-directory/hybrid/whatis-hybrid-identity.md), which are on-premises AD identities that are synced to the cloud. This configuration uses Azure AD to issue Kerberos tickets to access the file share with the SMB protocol. This means your end users can access Azure file shares over the internet without requiring a line-of-sight to domain controllers from hybrid Azure AD-joined and Azure AD-joined VMs.

+description: Troubleshoot problems with SMB Azure file shares in Windows. See common issues related to Azure Files when you connect from Windows clients, and see possible resolutions.

+Network traffic is denied if virtual network (VNET) and firewall rules are configured on the storage account, unless the client IP address or virtual network is allow-listed.

+Second, try [mounting Azure file share with storage account key](./storage-how-to-use-files-windows.md). If you failed to mount, download [`AzFileDiagnostics`](https://github.com/Azure-Samples/azure-files-samples/tree/master/AzFileDiagnostics/Windows) to help you validate the client running environment, detect the incompatible client configuration which would cause access failure for Azure Files, give prescriptive guidance on self-fix and collect the diagnostics traces.

+2. CheckADObject: Confirm that there is an object in the Active Directory that represents the storage account and has the correct SPN (service principal name). If the SPN isn't correctly set up, please run the Set-AD cmdlet returned in the debug cmdlet to configure the SPN.

+## Potential errors when enabling Azure AD Kerberos authentication for hybrid users

+You might encounter the following errors when trying to enable Azure AD Kerberos authentication for hybrid user accounts, which is currently in public preview.

+### Error - Grant admin consent disabled

+In some cases, Azure AD admin may disable the ability to grant admin consent to Azure AD applications. Below is the screenshot of what this may look like in the Azure portal.

+ :::image type="content" source="media/storage-troubleshoot-windows-file-connection-problems/grant-admin-consent-disabled.png" alt-text="Screenshot of the Azure portal configured permissions blade displaying a warning that some actions may be disabled due to your permissions." lightbox="media/storage-troubleshoot-windows-file-connection-problems/grant-admin-consent-disabled.png":::

+If this is the case, ask your Azure AD admin to grant admin consent to the new Azure AD application. To find and view your administrators, select **roles and administrators**, then select **Cloud application administrator**.

+### Error - "The request to AAD Graph failed with code BadRequest"

+#### Cause 1: an application management policy is preventing credentials from being created

+When enabling Azure AD Kerberos authentication, you might encounter this error if the following conditions are met:

+1. You're using the beta/preview feature of [application management policies](/graph/api/resources/applicationauthenticationmethodpolicy?view=graph-rest-beta).

+2. You (or your administrator) have set a [tenant-wide policy](/graph/api/resources/tenantappmanagementpolicy?view=graph-rest-beta) that:

+ - Has no start date, or has a start date before 2019-01-01

+ - Sets a restriction on service principal passwords, which either disallows custom passwords or sets a maximum password lifetime of less than 365.5 days

+There is currently no workaround for this error during the public preview.

+#### Cause 2: an application already exists for the storage account

+You might also encounter this error if you have previously enabled Azure AD Kerberos authentication through manual limited preview steps. To delete the existing application, the customer or their IT admin can run the following script. Running this script will remove the old manually created application and allow the new experience to auto-create and manage the newly created application.

+> [!IMPORTANT]

+> This script must be run in PowerShell 5 because the AzureAD module doesn't work in PowerShell 7. This PowerShell snippet uses Azure AD Graph.

+```powershell

+$storageAccount = "exampleStorageAccountName"

+$tenantId = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

+Import-Module AzureAD

+Connect-AzureAD -TenantId $tenantId

+$application = Get-AzureADApplication -Filter "DisplayName eq '${storageAccount}'"

+if ($null -ne $application) {

+ Remove-AzureADApplication -ObjectId $application.ObjectId

+}

+```

+## Need help?

+For a walkthrough of configuring a Power BI output and dashboard, see the [Tutorial: Analyze fraudulent call data with Stream Analytics and visualize results in Power BI dashboard](stream-analytics-real-time-fraud-detection.md) tutorial.

+- [Tutorial: Analyze fraudulent call data with Stream Analytics and visualize results in Power BI dashboard](stream-analytics-real-time-fraud-detection.md)

+ Title: Create a profile container with Azure Files and Azure Active Directory (preview)

+This feature is currently supported in the Azure Public, Azure Government, and Azure China clouds.

+## Configure your Azure storage account and file share

+To store your FSLogix profiles on an Azure file share:

+1. [Create an Azure Storage account](../storage/files/storage-how-to-create-file-share.md#create-a-storage-account) if you don't already have one.

+ > [!NOTE]

+ > Your Azure Storage account can't authenticate with both Azure AD and a second method like Active Directory Domain Services (AD DS) or Azure AD DS. You can only use one authentication method.

+2. [Create an Azure Files share](../storage/files/storage-how-to-create-file-share.md#create-a-file-share) under your storage account to store your FSLogix profiles if you haven't already.

+3. [Enable Azure Active Directory Kerberos authentication on Azure Files](../storage/files/storage-files-identity-auth-azure-active-directory-enable.md) to enable access from Azure AD-joined VMs.

+ - When configuring the directory and file-level permissions, review the recommended list of permissions for FSLogix profiles at [Configure the storage permissions for profile containers](/fslogix/fslogix-storage-config-ht).

+ - Without proper directory-level permissions in place, a user can delete the user profile or access the personal information of a different user. It's important to make sure users have proper permissions to prevent accidental deletion from happening.

+1. Enable the Azure AD Kerberos functionality using one of the following methods.

+ - Configure this Intune [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) and apply it to the session host: [Kerberos/CloudKerberosTicketRetrievalEnabled](/windows/client-management/mdm/policy-csp-kerberos#kerberos-cloudkerberosticketretrievalenabled)

+ - Configure this Group policy on the session host: `Administrative Templates\System\Kerberos\Allow retrieving the Azure AD Kerberos Ticket Granting Ticket during logon`

+ - Create the following registry value on the session host: `reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters /v CloudKerberosTicketRetrievalEnabled /t REG_DWORD /d 1`

+Finally, verify the profile created in Azure Files after the user has successfully signed in:

+## Configuration Web App pipeline

+Create the Configuration Web App pipeline by choosing _New Pipeline_ from the Pipelines section, select 'Azure Repos Git' as the source for your code. Configure your Pipeline to use an existing Azure Pipelines YAML File. Specify the pipeline with the following settings:

+| Setting | Value |

+| - | -- |

+| Branch | main |

+| Path | `deploy/pipelines/21-deploy-web-app.yaml` |

+| Name | Configuration Web App |

+Save the Pipeline, to see the Save option select the chevron next to the Run button. Navigate to the Pipelines section and select the pipeline. Rename the pipeline to 'Configuration Web App' by choosing 'Rename/Move' from the three-dot menu on the right.

+Select the _Control plane deployment_ pipeline, provide the configuration names for the deployer and the SAP library and choose "Run" to deploy the control plane. Make sure to check ""Deploy the configuration web application" if you would like to set up the configuration web app.

+### Configure the Azure DevOps Services self-hosted agent manually

+> [!NOTE]

+>This is only needed if the Azure DevOps Services agent is not automatically configured. Please check that the agent pool is empty before proceeding.

+Wait for the deployment to finish. Once the deployment is complete, navigate to the Extensions tab and follow the instructions to finalize the configuration and update the reply-url values for the app registration.

+As a result of running the SAP workload zone deployment pipeline, part of the web app URL needed will be stored in a variable named "WEBAPP_URL_BASE" in your environment-specific variable group. Copy this value, and use it in the following command:

+> | `iscsi_subnet_nsg_name` | The name of the `iscsi` Network Security Group name | Optional | |

+## Utility VM Parameters

+> [!div class="mx-tdCol2BreakAll "]

+> | Variable | Description | Type | Notes |

+> | -- | - | | - |

+> | `utility_vm_count` | Defines the number of Utility virtual machines to deploy. | Optional | Use the utility virtual machine to host SAPGui |

+> | `utility_vm_size` | Defines the SKU for the Utility virtual machines. | Optional | Default: Standard_D4ds_v4 |

+> | `utility_vm_useDHCP` | Defines if Azure subnet provided IPs should be used. | Optional | |

+> | `utility_vm_image` | Defines the virtual machine image to use. | Optional | Default: Windows Server 2019 |

+> | `utility_vm_nic_ips` | Defines the IP addresses for the virtual machines. | Optional | |

+- For the 'SAP software acquisition' and the 'Configuration and SAP installation' pipelines a configured self hosted agent.

+### SAP and Virtual machine Credentials management

+The automation framework will use the workload zone key vault for storing both the automation user credentials and the SAP system credentials. The virtual machine credentials are named as follows:

+| Credential | Name | Example |

+| | - | - |

+| Private key | [IDENTIFIER]-sshkey | DEV-WEEU-SAP01-sid-sshkey |

+| Public key | [IDENTIFIER]-sshkey-pub | DEV-WEEU-SAP01-sid-sshkey-pub |

+| Username | [IDENTIFIER]-username | DEV-WEEU-SAP01-sid-username |

+| Password | [IDENTIFIER]-password | DEV-WEEU-SAP01-sid-password |

+| sidadm Password | [IDENTIFIER]-[SID]-sap-password | DEV-WEEU-SAP01-X00-sap-password |

+* Shared storage for the SAP Systems either Azure Files or Azure NetApp Files.

+1. Deploy the workload zone. This step deploys the [workload zone components](#workload-zone-structure), such as the virtual network and key vaults.

+1. Deploy the system. This step includes the [infrastructure for the SAP system](#sap-system-setup) deployment and the SAP configuration [configuration and SAP installation](automation-run-ansible.md).

+* Azure DevOps

+* Azure Cloud Shell

+The automation framework uses a default naming convention. If you'd like to use a custom naming convention, plan and define your custom names before deployment. For more information, see [how to configure the naming convention](automation-naming-module.md).

+- Azure Files for NFS

+ - For database files

+ Title: 'Connect cross-tenant virtual networks to a hub: PowerShell'

+description: This article helps you connect cross-tenant virtual networks to a virtual hub by using PowerShell.

+# Connect cross-tenant virtual networks to a Virtual WAN hub

+This article helps you use Azure Virtual WAN to connect a virtual network to a virtual hub in a different tenant. This architecture is useful if you have client workloads that must be connected to be the same network but are on different tenants. For example, as shown in the following diagram, you can connect a non-Contoso virtual network (the remote tenant) to a Contoso virtual hub (the parent tenant).

+* Connect a cross-tenant virtual network to a virtual hub.

+The steps for this configuration use a combination of the Azure portal and PowerShell. However, the feature itself is available in PowerShell and the Azure CLI only.

+> You can manage cross-tenant virtual network connections only through PowerShell or the Azure CLI. You *cannot* manage cross-tenant virtual network connections in the Azure portal.

+## Before you begin

+* A virtual WAN and virtual hub in your parent subscription

+* A virtual network configured in a subscription in a different (remote) tenant

+Make sure that the virtual network address space in the remote tenant does not overlap with any other address space within any other virtual networks already connected to the parent virtual hub.

+1. In the subscription of the virtual network in the remote tenant, add the Contributor role assignment to the administrator (the user who administers the virtual hub). Contributor permissions will enable the administrator to modify and access the virtual networks in the remote tenant.

+ You can use either PowerShell or the Azure portal to assign this role. See the following articles for steps:

+ * [Assign Azure roles using Azure PowerShell](../role-based-access-control/role-assignments-powershell.md)

+ * [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md)

+1. Run the following command to add the remote tenant subscription and the parent tenant subscription to the current session of PowerShell. If you're signed in to the parent, you need to run the command for only the remote tenant.

+1. Verify that the role assignment is successful. Sign in to Azure PowerShell by using the parent credentials and run the following command:

+ If the permissions have successfully propagated to the parent and have been added to the session, the subscriptions owned by the parent and the remote tenant will both appear in the output of the command.

+## <a name="connect"></a>Connect a virtual network to a hub

+In the following steps, you'll use commands to switch between the context of the two subscriptions as you link the virtual network to the virtual hub. Replace the example values to reflect your own environment.

+1. Make sure you're in the context of your remote account:

+1. Create a local variable to store the metadata of the virtual network that you want to connect to the hub:

+1. Switch back to the parent account:

+1. Connect the virtual network to the hub:

+You can view the new connection in either PowerShell or the Azure portal:

+* In the PowerShell console, the metadata from the newly formed connection will appear if the connection was successfully formed.

+* In the Azure portal, go to the virtual hub and select **Connectivity** > **Virtual Network Connections**. You can then view the pointer to the connection. To see the actual resource, you'll need the proper permissions.

+## Scenario: Add static routes to a virtual network hub connection

+In the following steps, you'll use commands to add a static route to the virtual hub's default route table and a virtual network connection to point to a next-hop IP address (that is, an NVA appliance). Replace the example values to reflect your own environment.

+>[!NOTE]

+>- Before you run the commands, make sure you have access and are authorized to the remote subscription.

+>- The destination prefix can be one CIDR or multiple ones. For a single CIDR, use this format: `@("10.19.2.0/24")`. For multiple CIDRs, use this format: `@("10.19.2.0/24", "10.40.0.0/16")`.

+1. Make sure you're in the context of your parent account:

+ ```azurepowershell-interactive

+ Select-AzSubscription -SubscriptionId "[parent ID]"

+ ```

+2. Add a route in the virtual hub's default route table without a specific IP address.

+ 1. Get the connection details:

+ ```azurepowershell-interactive

+ $hubVnetConnection = Get-AzVirtualHubVnetConnection -Name "[HubconnectionName]" -ParentResourceName "[Hub Name]" -ResourceGroupName "[resource group name]"

+ ```

+ 1. Add a static route to the virtual hub's route table. (The next hop is a virtual network connection.)

+ ```azurepowershell-interactive

+ $Route2 = New-AzVHubRoute -Name "[Route Name]" -Destination ΓÇ£[@("Destination prefix")]ΓÇ¥ -DestinationType "CIDR" -NextHop $hubVnetConnection.Id -NextHopType "ResourceId"

+ ```

+ 1. Update the hub's current default route table:

+

+ ```azurepowershell-interactive

+ Update-AzVHubRouteTable -ResourceGroupName "[resource group name]"-VirtualHubName [ΓÇ£Hub NameΓÇ¥] -Name "defaultRouteTable" -Route @($Route2)

+ ```

+

+ 1. Update the route in the virtual network connection to specify the next hop as an IP address.

+ > [!NOTE]

+ > The route name should be the same as the one you used when you added a static route earlier. Otherwise, you'll create two routes in the routing table: one without an IP address and one with an IP address.

+ ```azurepowershell-interactive

+ $newroute = New-AzStaticRoute -Name "[Route Name]" -AddressPrefix "[@("Destination prefix")]" -NextHopIpAddress "[Destination NVA IP address]"

+ $newroutingconfig = New-AzRoutingConfiguration -AssociatedRouteTable $hubVnetConnection.RoutingConfiguration.AssociatedRouteTable.id -Id $hubVnetConnection.RoutingConfiguration.PropagatedRouteTables.Ids[0].id -Label @("default") -StaticRoute @($newroute)

+ Update-AzVirtualHubVnetConnection -ResourceGroupName $rgname -VirtualHubName "[Hub Name]" -Name "[Virtual hub connection name]" -RoutingConfiguration $newroutingconfig

+ ```

+

+ This update command will remove the previous manual configuration route in your routing table.

+

+ 1. Verify that the static route is established to a next-hop IP address.

+ ```azurepowershell-interactive

+ Get-AzVirtualHubVnetConnection -ResourceGroupName "[Resource group]" -VirtualHubName "[virtual hub name]" -Name "[Virtual hub connection name]"

+ ```

+## <a name="troubleshoot"></a>Troubleshoot

+* Verify that the metadata in `$remote` (from the [preceding section](#connect)) matches the information from the Azure portal.

+* Verify permissions by using the IAM settings of the remote tenant resource group, or by using Azure PowerShell commands (`Get-AzSubscription`).

+* Make sure quotes are included around the names of resource groups or any other environment-specific variables (for example, `"VirtualHub1"` or `"VirtualNetwork1"`).

+## Next steps

+- For more information about Virtual WAN, see the [FAQ](virtual-wan-faq.md).

+| Allied Telesis |AR Series VPN Routers |AR-Series 5.4.7+ | [Configuration guide](https://www.alliedtelesis.com/configure/site-to-site-vpn-between-azure-and-ar-series-router) |[Configuration guide](https://www.alliedtelesis.com/configure/site-to-site-vpn-between-azure-and-ar-series-router)|

+| Rule severity | Value contributed to anomaly score |