+ Title: Manage an App Service plan

+1. To start creating an App Service plan, go to [Create App Service Plan](https://ms.portal.azure.com/#create/Microsoft.AppServicePlanCreate) on the Azure portal.

+ :::image type="content" source="./media/azure-web-sites-web-hosting-plans-in-depth-overview/create-appserviceplan.png" alt-text="Create an App Service plan in the Azure portal.":::

+3. In the **App Service Plan details** section, name the App Service plan, and then select the **Operating System** and **Region**. The region specifies where your App Service plan is created.

+5. In the **Zone redundancy** section, select whether the App Service plan zone redundancy should be enabled or disabled.

+6. Select **Review + create** to create the App Service plan.

+> When you create an new App Service plan in an existing resource group, certain conditions with existing apps can trigger these errors:

+> This can happen due to incompatibilities with pricing tiers, regions, operating systems, availability zones, existing function apps, or existing web apps. If one of these errors occurs, create your App Service plan in a **new** resource group.

+You can move an app to another App Service plan, as long as the source plan and the target plan are in the _same resource group and geographical region and of the same OS type_. Any change in type, such as Windows to Linux or any type that's different from the originating type, isn't supported.

+> Azure deploys each new App Service plan into a deployment unit, internally called a *webspace*. Each region can have many webspaces, but your app can only move between plans that are created in the same webspace. An App Service Environment can have multiple webspaces, but your app can only move between plans that are created in the same webspace.

+> You canΓÇÖt specify the webspace you want when creating a plan, but itΓÇÖs possible to ensure that a plan is created in the same webspace as an existing plan. In brief, all plans created with the same resource group, region combination, and operating system are deployed into the same webspace. For example, if you created a plan in resource group A and region B, then any plan you subsequently create in resource group A and region B is deployed into the same webspace. Note that plans canΓÇÖt move webspaces after theyΓÇÖre created, so you canΓÇÖt move a plan into ΓÇ£the same webspaceΓÇ¥ as another plan by moving it to another resource group.

+ > If you're moving an app from a higher-tiered plan to a lower-tiered plan, such as from **D1** to **F1**, the app might lose certain capabilities in the target plan. For example, if your app uses TLS/SSL certificates, you might see this error message:

+The region in which your app runs is the region of the App Service plan it's in. However, you can't change an App Service plan's region. If you want to run your app in a different region, one alternative is app cloning. Cloning makes a copy of your app in a new or existing App Service plan in any region.

+> Cloning has some limitations. You can read about them in [Azure App Service App cloning](app-service-web-app-cloning.md#current-restrictions).

+To avoid unexpected charges, when you delete the last app in an App Service plan, App Service also deletes the plan by default. If you choose to keep the plan instead, you should change the plan to the **Free** tier so you're not charged.

+## Next step

+| **Create your first .NET app** | Use one of the following tools:<br><br>- [Visual Studio](./quickstart-dotnetcore.md?tabs=net60&pivots=development-environment-vs)<br>- [Visual Studio Code](./quickstart-dotnetcore.md?tabs=net60&pivots=development-environment-vscode)<br>- [Command line](./quickstart-dotnetcore.md?tabs=net60&pivots=development-environment-cli)<br>- [Azure PowerShell](./quickstart-dotnetcore.md?tabs=net60&pivots=development-environment-ps)<br>- [Azure portal](./quickstart-dotnetcore.md?tabs=net60&pivots=development-environment-azure-portal) |

+| **Add domains & certificates** |- [Map a custom domain](./app-service-web-tutorial-custom-domain.md?tabs=root%2Cazurecli)<br>- [Add an SSL certificate](./configure-ssl-certificate.md)|

+| **Create your first Python app** | Use one of the following tools:<br><br>- [Flask - CLI](./quickstart-python.md?tabs=flask%2Cwindows%2Cazure-cli%2Cvscode-deploy%2Cdeploy-instructions-azportal%2Cterminal-bash%2Cdeploy-instructions-zip-azcli)<br>- [Flask - Visual Studio Code](./quickstart-python.md?tabs=flask%2Cwindows%2Cvscode-aztools%2Cvscode-deploy%2Cdeploy-instructions-azportal%2Cterminal-bash%2Cdeploy-instructions-zip-azcli)<br>- [Django - CLI](./quickstart-python.md?tabs=django%2Cwindows%2Cazure-cli%2Cvscode-deploy%2Cdeploy-instructions-azportal%2Cterminal-bash%2Cdeploy-instructions-zip-azcli)<br>- [Django - Visual Studio Code](./quickstart-python.md?tabs=django%2Cwindows%2Cvscode-aztools%2Cvscode-deploy%2Cdeploy-instructions-azportal%2Cterminal-bash%2Cdeploy-instructions-zip-azcli)<br>- [Django - Azure portal](./quickstart-python.md?tabs=django%2Cwindows%2Cazure-portal%2Cvscode-deploy%2Cdeploy-instructions-azportal%2Cterminal-bash%2Cdeploy-instructions-zip-azcli) |

+| **Deploy your app** | - [Configure Python](configure-language-python.md)<br>- [GitHub Actions](./deploy-github-actions.md) |

+| **Add domains & certificates** |- [Map a custom domain](./app-service-web-tutorial-custom-domain.md?tabs=root%2Cazurecli)<br>- [Add an SSL certificate](./configure-ssl-certificate.md)|

+| **Connect to a database** | - [PostgreSQL - CLI](./tutorial-python-postgresql-app.md?tabs=flask%2Cwindows&pivots=azure-developer-cli)<br>- [PostgreSQL - Azure portal](./tutorial-python-postgresql-app.md?tabs=flask%2Cwindows&pivots=azure-portal)|

+| **Review best practices** | - [Scale your app](./manage-scale-up.md)<br>- [Deployment](./deploy-best-practices.md)<br>- [Security](/security/benchmark/azure/baselines/app-service-security-baseline?toc=/azure/app-service/toc.json)<br>- [Virtual networks](./configure-vnet-integration-enable.md)|

+| **Create your first Node.js app** | Use one of the following tools:<br><br>- [Visual Studio Code](./quickstart-nodejs.md?tabs=linux&pivots=development-environment-vscode)<br>- [CLI](./quickstart-nodejs.md?tabs=linux&pivots=development-environment-cli)<br>- [Azure portal](./quickstart-nodejs.md?tabs=linux&pivots=development-environment-azure-portal) |

+| **Deploy your app** | - [Configure Node.js](./configure-language-nodejs.md?pivots=platform-linux)<br>- [GitHub Actions](./deploy-github-actions.md) |

+| **Add domains & certificates** |- [Map a custom domain](./app-service-web-tutorial-custom-domain.md?tabs=root%2Cazurecli)<br>- [Add an SSL certificate](./configure-ssl-certificate.md)|

+| **Review best practices** | - [Scale your app](./manage-scale-up.md)<br>- [Deployment](./deploy-best-practices.md)<br>- [Security](/security/benchmark/azure/baselines/app-service-security-baseline?toc=/azure/app-service/toc.json)<br>- [Virtual networks](./configure-vnet-integration-enable.md)|

+| **Create your first Java app** | Use one of the following tools:<br><br>- [Maven deploy with an embedded web server](./quickstart-java.md?pivots=java-javase)<br>- [Maven deploy to a Tomcat server](./quickstart-java.md?pivots=java-tomcat)<br>- [Maven deploy to a JBoss server](./quickstart-java.md?pivots=java-jboss) |

+| **Deploy your app** | - [With Maven](configure-language-java-deploy-run.md?pivots=platform-linux#maven)<br>- [With Gradle](configure-language-java-deploy-run.md?pivots=platform-linux#gradle)<br>- [With popular IDEs (Visual Studio Code, IntelliJ, and Eclipse)](configure-language-java-deploy-run.md?pivots=platform-linux#ides)<br>- [Deploy WAR or JAR packages directly](./deploy-zip.md?tabs=cli#deploy-warjarear-packages)<br>- [With GitHub Actions](./deploy-github-actions.md) |

+| **Add domains & certificates** |- [Map a custom domain](./app-service-web-tutorial-custom-domain.md?tabs=root%2Cazurecli)<br>- [Add an SSL certificate](./configure-ssl-certificate.md)|

+| **Connect to a database** |- [Java Spring with Azure Cosmos DB](./tutorial-java-spring-cosmosdb.md)|

+| **Review best practices** | - [Scale your app](./manage-scale-up.md)<br>- [Deployment](./deploy-best-practices.md)<br>- [Security](/security/benchmark/azure/baselines/app-service-security-baseline?toc=/azure/app-service/toc.json)<br>- [Virtual networks](./configure-vnet-integration-enable.md)|

+| **Create your first PHP app** | Use one of the following tools:<br><br>- [Linux - CLI](./quickstart-php.md?tabs=cli&pivots=platform-linux)<br>- [Linux - Azure portal](./quickstart-php.md?tabs=portal&pivots=platform-linux) |

+| **Add domains & certificates** |- [Map a custom domain](./app-service-web-tutorial-custom-domain.md?tabs=root%2Cazurecli)<br>- [Add an SSL certificate](./configure-ssl-certificate.md)|

+## Next step

+ Title: Back up an app in App Service

+In [Azure App Service](overview.md), you can easily restore app backups. You can also make on-demand custom backups or configure scheduled custom backups. You can restore a backup by overwriting an existing app or by restoring to a new app or slot. This article shows you how to restore a backup and make custom backups.

+Back up and restore is supported in the **Basic**, **Standard**, **Premium**, and **Isolated** tiers. For the **Basic** tier, only the production slot can be backed up and restored. For more information about scaling your App Service plan to use a higher tier, see [Scale up an app in Azure](manage-scale-up.md).

+> - Automatic backups can be restored to a target app within the App Service Environment itself, not in another App Service Environment.

+> - Custom backups can be restored to a target app in another App Service Environment, such as from App Service Environment v2 to App Service Environment v3.

+> - Backups can be restored to a target app of the same OS platform as the source app.

+There are two types of backups in App Service. Automatic backups are created for your app regularly as long as it's in a supported pricing tier. Custom backups require initial configuration and can be made on-demand or on a schedule. The following table shows the differences between the two types.

+| Linked database | Not backed up. | The following linked databases can be backed up: [SQL Database](/azure/azure-sql/database/), [Azure Database for MySQL](/azure/mysql/), [Azure Database for PostgreSQL](/azure/postgresql/), [MySQL in-app](https://azure.github.io/AppService/2016/08/18/Announcing-MySQL-in-app-for-Web-Apps-(Windows).html). |

+| Backups over a virtual network | Not supported. | Supported. |

+> App Service stops the target app or target slot while restoring a backup. To minimize downtime for a production app, restore the backup to a [deployment slot](deploy-staging-slots.md) first, then [swap](deploy-staging-slots.md#swap-two-slots) into production.

+1. To restore the automatic backup by overwriting the app's content and configuration:

+1. On your app management page in the [Azure portal](https://portal.azure.com), in the left menu, select **Backups**.

+1. In **Storage account**, select an existing storage account (in the same subscription) or select **Create new**. Do the same thing in **Container**.

+ > In-app MySQL databases are always backed up without any configuration. If you make settings for in-app MySQL databases manually, such as adding connection strings, the backups might not work correctly.

+1. On the **Configure custom backups** page, select **Set schedule**.

+1. Configure the backup schedule as desired and then select **Configure**.

+Custom backups can include linked databases (except when the backup is configured over Azure Virtual Network). To make sure your backup includes a linked database, do the following:

+For troubleshooting information, see [Why is my linked database not backed up?](#why-is-my-linked-database-not-backed-up).

+- The app is [integrated with a virtual network](overview-vnet-integration.md), or the app is in a v3 [App Service Environment](environment/overview.md).

+- The storage account [allows access from the virtual network](../storage/common/storage-network-security.md#grant-access-from-a-virtual-network) that the app is integrated with, or that the v3 App Service Environment is created with.

+Once the configuration is saved, any manual backup, scheduled backup, or restore is made through the virtual network. If you make changes to the app, the virtual network, or the storage account that prevent the app from accessing the storage account through the virtual network, the backup or restore operations fail.

+Partial backups are supported for custom backups (but not for automatic backups). Sometimes you don't want to back up everything on your app. Here are a few examples:

+* Your app has over 10 GB of content. (That's the max amount you can back up at a time.)

+Identify the folders that you want to exclude from your backups. For example, say you want to filter out the highlighted folder and files.

+Create a file called `_backup.filter` and put the preceding list in the file, but remove the root `%HOME%`. List one directory or file per line. The content of the file should be:

+Upload the `_backup.filter` file to the `D:\home\site\wwwroot\` directory of your site by using [FTP](deploy-ftp.md) or any other method. If you want, you can create the file directly by using Kudu `DebugConsole` and insert the content there.

+Run backups the same way you would normally do it: [custom on-demand](#create-a-custom-backup) or [custom scheduled](#configure-custom-scheduled-backups). Any files and folders that are specified in `_backup.filter` are excluded from the future backups.

+After you make one or more backups for your app, the backups are visible on the **Containers** page of your storage account and your app. In the storage account, each backup consists of a`.zip` file that contains the backup data and an `.xml` file that contains a manifest of the `.zip` file contents. You can unzip and browse through these files if you want to access your backups without actually performing an app restore.

+The database backup for the app is stored in the root of the .zip file. For SQL Database, this is a BACPAC file (no file extension) and can be imported. To create a database in Azure SQL Database that's based on the BACPAC export, see [Import a BACPAC file to create a database in Azure SQL Database](/azure/azure-sql/database/database-import).

+| Storage access failed. | Delete the backup schedule and reconfigure it. Or reconfigure the backup storage. |

+| Error occurred while connecting to the database {0} on server {1}: Authentication to host '{1}' for user '\<username>' using method 'mysql_native_password' failed with message: Unknown database '\<db-name>' | Update the database connection string. |

+| A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server). | Ensure that the connection string is valid. Allow the app's [outbound IPs](overview-inbound-outbound-ips.md) in the database server settings. |

+| Cannot open server "\<name>" requested by the login. The login failed. | Ensure that the connection string is valid. |

+You can automate backup management with scripts by using [Azure CLI](/cli/azure/install-azure-cli) or [Azure PowerShell](/powershell/azure/).

+- [Azure CLI samples](samples-cli.md).

+- [Azure PowerShell samples](samples-powershell.md).

+- [How do I stop an automatic backup?](#how-do-i-stop-an-automatic-backup)

+Automatic backups are available for Azure Functions in [dedicated (App Service)](../azure-functions/dedicated-plan.md) **Basic**, **Standard**, and **Premium** tiers. Automatic backups aren't supported for function apps in the [**Consumption**](../azure-functions/consumption-plan.md) or [**Elastic Premium**](../azure-functions/functions-premium-plan.md) pricing tiers.

+|Content| Restored?|

+| **Windows apps**: All app content under the `%HOME%` directory.<br/>**Linux apps**: All app content under the `/home` directory.<br/>**Custom containers (Windows and Linux)**: Content in [persistent storage](configure-custom-container.md?pivots=container-linux#use-persistent-shared-storage).| Yes |

+| Content from any [custom-mounted Azure storage](configure-connect-to-azure-storage.md?pivots=container-windows), such as from an Azure Files share | No |

+The following table shows which app configurations are restored when you choose to restore app configurations:

+|[Alerts and metrics](../azure-monitor/alerts/alerts-classic-portal.md)| No |

+|Backup| No |

+When [backing up over Azure Virtual Network](#back-up-and-restore-over-azure-virtual-network), you can't [back up the linked database](#back-up-and-restore-a-linked-database).

+* Backup of [TLS-enabled Azure Database for MySQL](/azure/mysql/concepts-ssl-connection-security) isn't supported. If a backup is configured, you get backup failures.

+* Backup of [TLS-enabled Azure Database for PostgreSQL](/azure/postgresql/concepts-ssl-connection-security) isn't supported. If a backup is configured, you get backup failures.

+1. On the **Backups** page for your target app, select **Restore** in the top menu.

+1. In **Name**, select **Browse** and select the downloaded ZIP file.

+1. Configure the rest of the sections as described in [Restore a backup](#restore-a-backup).

+The steps are the same as in [How do I restore to an app in a different subscription?](#how-do-i-restore-to-an-app-in-a-different-subscription).

+Automatic backups are stored in the same datacenter as the App Service. They shouldn't be relied upon as your disaster recovery plan.

+#### How do I stop an automatic backup?

+## Next step

+> In addition to the logging instructions in this article, you can also use the Azure Monitor integrated logging capability. You'll find more on this capability in the [Send logs to Azure Monitor](#send-logs-to-azure-monitor) section.

+|Type|Platform|Log storage location|Description|

+| Detailed Error Messages| Windows | App Service file system | Copies of the *.htm* error pages that would have been sent to the client browser. For security reasons, detailed error pages shouldn't be sent to clients in production, but App Service can save the error page each time an application error occurs that has HTTP code 400 or higher. The page may contain information that can help determine why the server returns the error code. |

+| Failed request tracing | Windows | App Service file system | Detailed tracing information on failed requests, including a trace of the IIS components used to process the request and the time taken in each component. This information is useful if you want to improve site performance or isolate a specific HTTP error. One folder is generated for each failed request. The folder contains the XML log file and the XSL stylesheet to view the log file with. |

+> In addition, you can use other Azure services, such as [Azure Monitor](../azure-monitor/app/azure-web-apps.md), to improve the logging and monitoring capabilities of your app.

+> Currently only .NET application logs can be written to the blob storage. Java, PHP, Node.js, and Python application logs can only be stored on the App Service file system (without code modifications to write logs to external storage).

+> 1. Enable logging to the storage account blob again. Save your setting.

+Under **Detailed Error Logging** or **Failed Request Tracing**, select **On**, and then select **Save**.

+Both types of logs are stored in the App Service file system. Up to 50 errors (files or folders) are retained. When the number of HTML files exceeds 50, the oldest error files are automatically deleted.

+ By default, ASP.NET Core uses the [Microsoft.Extensions.Logging.AzureAppServices](https://www.nuget.org/packages/Microsoft.Extensions.Logging.AzureAppServices) logging provider. For more information, see [ASP.NET Core logging in Azure](/aspnet/core/fundamentals/logging/). For information about WebJobs SDK logging, see [Get started with the Azure WebJobs SDK](./webjobs-sdk-get-started.md#enable-console-logging).

+> Some types of logging buffer write to the log file, which can result in events appearing in the incorrect order in the stream. For example, an application log entry that occurs when a user visits a page may be displayed in the stream before the corresponding HTTP log entry for the page request.

+To filter specific log types, such as HTTP, use the **--provider** parameter. For example:

+### In the local terminal

+To stream logs in the local console, [install Azure CLI](/cli/azure/install-azure-cli) and [sign in to your account](/cli/azure/authenticate-azure-cli). After you're signed in, follow the [instructions for Cloud Shell](#in-cloud-shell).

+For logs stored in the App Service file system, the easiest way to access the files is to download the ZIP file in the browser at:

+For Linux/custom containers, the ZIP file contains console output logs for both the Docker host and the Docker container. For a scaled-out app, the ZIP file contains one set of logs for each instance. In the App Service file system, these log files are the contents of the */home/LogFiles* directory. Deployment logs are stored in */site/deployments/*.

+| **Failed Request Traces** | */LogFiles/W3SVC#########/* | Contains XML files and an XSL file. You can view the formatted XML files in the browser. |

+| **Detailed Error Logs** | */LogFiles/DetailedErrors/* | Contains HTM error files. You can view the HTM files in the browser.<br/>Another way to view the failed request traces is to navigate to your app page in the portal. From the left menu, select **Diagnose and solve problems**, search for **Failed Request Tracing Logs**, and then click the icon to browse and view the trace you want. |

+| **Web Server Logs** | */LogFiles/http/RawLogs/* | Contains text files formatted using the [W3C extended log file format](/windows/desktop/Http/w3c-logging). You can read these files by using a text editor or a utility like [Log Parser](https://www.iis.net/downloads/community/2010/04/log-parser-22).<br/>App Service doesn't support the `s-computername`, `s-ip`, or `cs-version` fields. |

+| **Deployment logs** | */LogFiles/Git/* and */deployments/* | Contains logs generated by the internal deployment processes, as well as logs for Git deployments. |

+With [Azure Monitor integration](https://aka.ms/appsvcblog-azmon), you can [create Diagnostic Settings](https://azure.github.io/AppService/2019/11/01/App-Service-Integration-with-Azure-Monitor.html#create-a-diagnostic-setting) to send logs to storage accounts, event hubs and Log Analytics. When you add a diagnostic setting, App Service adds app settings to your app, which triggers an app restart.

+* [How to Monitor Azure App Service](monitor-app-service.md)

+You can use the [PowerShell script](https://github.com/azureautomation/Migrate-automation-account-assets-from-one-region-to-another) or [PowerShell workflow](https://github.com/azureautomation/Migrate-automation-account-assets-from-one-region-to-another-PwshWorkflow/tree/main) runbook or import from the Runbook gallery and execute it to enable migration of assets from one Automation account to another.

+* To find out what runbooks are supported, see [Azure Automation runbook types](automation-runbook-types.md).

+1. Navigate to your App Configuration store, and select **Import/export** from the **Operations** menu.

+1. The **Import** radio button is selected by default. Under **Source type**, select **Configuration file**.

+ | File type | Select the file type for import: YAML, Properties, or JSON. | *Json* |

+1. Click the **Browse** button, and select the file to import.

+ | File content profile | Select a content profile: Default or KVSet. The *Default* file content profile refers to the conventional configuration file schema widely adopted by existing programming frameworks or systems, supports JSON, Yaml, or Properties file formats. The *KVSet* file content profile refers to a file schema that contains all properties of an App Configuration key-value, including key, value, label, content type, and tags. | *Default* |

+ | Import mode | The import mode is used to determine whether to ignore identical key-values. With the *Ignore match* option, any key-values in the store that are the same as those in the configuration file are ignored. With the *All* option, all key-values in the configuration file are updated. | *Ignore match* |

+ | Exclude feature flag | If checked, feature flags will not be imported. | *Unchecked* |

+ | Strict | If the box is checked, any key-values in the store with the specified prefix and label that are not included in the configuration file are deleted when the File content profile is set to Default. When the File content profile is set to KVSet, any key-values in the store that are not included in the configuration file are deleted. If the box is unchecked, no key-values in the store will be deleted. | *Unchecked* |

+ | Separator | The separator is the delimiter used for flattening JSON or YAML files into key-value. It will be ignored for property files and feature flags. Supported values include no-separator, period (.), comma (,), semicolon (\;), hyphen (-), underscore (_), double underscore (__), slash (/), and colon (\:). | *:* |

+ | Depth | Optional. The depth for flattening JSON or YAML files into key-value pairs. By default, files are flattened to the deepest level if a separator is selected. This setting is not applicable for property files or feature flags. | |

+ | Add prefix | Optional. If specified, a prefix will be added to the key names of all imported key-values. | *TestApp:* |

+ | Add label | Optional. If specified, the provided label will be assigned to all imported key-values. | *prod* |

+ | Add content type | Optional. If specified, the provided content type will be added to all imported key-values. | *JSON (application/json)* |

+ | Add tags | Optional. If specified, the provided tags will be added to all imported key-values. | *{tag: tag1}* |

+You have successfully imported key-values from a JSON file. The key names were flattened using the `:` separator and prefixed with `TestApp:`. All imported key-values are labeled as `prod`, with a content type of `application/json`, and tagged with `tag: tag1`.

+You imported key-values from a JSON file, and assigned them the label "prod" and the prefix "TestApp:". The separator ";" is used and all key-values that you imported have content type set as "JSON".

+1. Navigate to your App Configuration store, and select **Import/export** from the **Operations** menu.

+1. The **Import** radio button is selected by default. Under **Source type**, select **App Configuration**.

+1. Select an App Configuration store to import data from, and fill out the form with the following parameters:

+ | Selection mode | Select whether to import from regular key-values, which is the default option, or from a snapshot. | *Default* |

+ | Key filter | Used to filter key-values based on the key name for import. If no keys are specified, all keys are eligible. | Starts with *test* |

+ | At a specific time |Optional. Fill out this field to import key-values from a specific point in time in the selected configuration store. If left empty, it defaults to the current point in time of the key-values.| *07/28/2022 12:00:00 AM* |

+ | From label | Select one or more labels to import key-values associated with those labels. If no label is selected, all labels are eligible. | *prod* |

+ | Exclude feature flag | If checked, feature flags will not be imported. | *Unchecked* |

+ | Add prefix | Optional. If specified, a prefix will be added to the key names of all imported key-values. | *TestApp:* |

+ | Override labels | Optional. By default, the original labels of the source key-values are preserved. To override them, check the box and enter a new label for imported key-values. | *new* |

+ | Override content types | Optional. By default, the original content types of the source key-values are preserved. To override them, check the box and enter a new content type for imported key-values. Note that the content type of feature flags cannot be overridden. | *JSON (application/json)* |

+You imported key-values from an App Configuration store as of January 28, 2021, at 12 AM, with key names starting with `test` and the label `prod`. The key names were prefixed with `TestApp:`. All imported key-values were assigned the label `new` and the content type `application/json`.

+1. Navigate to your App Configuration store, and select **Import/export** from the **Operations** menu.

+1. The **Import** radio button is selected by default. Under **Source type**, select **App Services**.

+1. Select an App Configuration store to import data from, and fill out the form with the following parameters:

+ | Update settings to reference | If checked, the app settings in App Service will be updated to App Configuration references for the imported key-values. This allows you to manage your app settings in App Configuration going forward. Your App Service will automatically pull the current value from App Configuration. To learn more, see [Use App Configuration references for App Service and Azure Functions](/azure/app-service/app-service-configuration-references). | *Checked* |

+ | Add prefix | Optional. If specified, a prefix will be added to the key names of all imported key-values. | *TestApp:* |

+ | Add label | Optional. If specified, the provided label will be assigned to all imported key-values. | *prod* |

+ | Add content type | Optional. If specified, the provided content type will be added to all imported key-values. | *JSON (application/json)* |

+You imported all application settings from an App Service as key-values, and assigned them the label `prod` and the prefix `TestApp:`. All key-values that you imported have content type set as `application/json`.

+Follow these steps to export configuration data from an App Configuration store to a JSON, YAML, or Properties file.

+1. Navigate to your App Configuration store, and select **Import/export**.

+1. Select the **Export** radio button and under **Target type**, select **Configuration file**.

+ | Parameter | Description | Example |

+ | File type | Select the file type for export: YAML, Properties, or JSON. | *JSON* |

+ | File content profile | Select a content profile: Default or KVSet. The *Default* file content profile refers to the conventional configuration file schema widely adopted by existing programming frameworks or systems, supports JSON, Yaml, or Properties file formats. The *KVSet* file content profile refers to a file schema that contains all properties of an App Configuration key-value, including key, value, label, content type, and tags. | *Default* |

+ | Selection mode | Select whether to export from regular key-values, which is the default option, or from a snapshot. | *Default* |

+ | Key filter | Used to filter key-values based on the key name for export. If no keys are specified, all keys are eligible. | Starts with *TestApp:* |

+ | At a specific time | Optional. Fill out this field to export key-values from a specific point in time in the selected configuration store. If left empty, it defaults to the current point in time of the key-values. | *07/28/2022 12:00:00 AM* |

+ | From label | Select the label to export key-values associated with those labels. If no label is selected, all labels are eligible. Note that you can only select one label when exporting with the `Default` file content profile. To export key-values with more than one label, use the `KVSet` file content profile. | *prod* |

+ | Remove prefix | Optional. If specified, the prefix will be removed from the key names of all exported key-values that contain it. | *TestApp:* |

+ | Separator | The separator is the delimiter used for segmenting key names and reconstructing hierarchical configurations for JSON or YAML files from key-values. It will be ignored for property files and feature flags. Supported values include no separator, period (.), comma (,), semicolon (\;), hyphen (-), underscore (_), double underscore (__), slash (/), and colon (\:). | *:* |

+You exported key-values from an App Configuration store as of July 28, 2021, at 12 AM, with key names starting with `TestApp:` and the label `prod`, to a JSON file. The prefix `TestApp:` was trimmed from key names, and the separator `:` was used to segment the key names and reconstruct the hierarchical JSON format.

+1. Navigate to your App Configuration store that contains the data you want to export, and select **Import/export** from the **Operations** menu.

+1. Select the **Export** radio button and under **Target type**, select **App Configuration**.

+1. Fill out the form with the following parameters:

+ | Selection mode | Select whether to export from regular key-values, which is the default option, or from a snapshot. | *Default* |

+ | Key filter | Used to filter key-values based on the key name for export. If no keys are specified, all keys are eligible. | Starts with *TestApp:* |

+ | At a specific time | Optional. Fill out this field to export key-values from a specific point in time in the selected configuration store. If left empty, it defaults to the current point in time of the key-values. | *07/28/2022 12:00:00 AM* |

+ | From label | Select one or more labels to export key-values associated with those labels. If no label is selected, all labels are eligible. | *prod* |

+ | Exclude feature flag | If checked, feature flags will not be exported. | *Unchecked* |

+1. Select destination store, fill out the form with the following parameters:

+ | Parameter | Description | Example |

+ |-|-|--|

+ | Subscription | Your current subscription is selected by default. | *my-subscription* |

+ | Resource group | Select a resource group that contains the App Configuration store where you want to export the configuration. Your current resource group is selected by default. | *my-resource-group* |

+ | Resource | Select the App Configuration store where you want to export the configuration. | *my-other-app-config-store* |

+ | Parameter | Description | Example |

+ | Remove prefix | Optional. If specified, the prefix will be removed from the key names of all exported key-values that contain it. | *TestApp:* |

+ | Override labels | Optional. By default, the original labels of the source key-values are preserved. To override them, check the box and enter a new label for exported key-values. | *new* |

+ | Override content types | Optional. By default, the original content types of the source key-values are preserved. To override them, check the box and enter a new content type for exported key-values. Note that the content type of feature flags cannot be overridden. | *JSON (application/json)* |

+You exported key-values from an App Configuration store as of July 28, 2022, at 12 AM, with key names starting with `TestApp:` and the label `prod`, to another App Configuration store. All exported key-values were trimmed the key prefix `TestApp:`, and assigned the label `new` and the content type `application/json`.

+> Exporting feature flags to App Service is not supported.

+1. Navigate to your App Configuration store, and select **Import/export** from the **Operations** menu.

+1. Select the **Export** radio button and under **Target type**, select **App Services**.

+1. The **Export as reference** option is checked by default. When the box is checked, the application settings in App Service will be added as App Configuration references for the exported key-values. This allows you to manage your settings in App Configuration, with your App Service automatically pulling the current values from App Configuration. To learn more, see [Use App Configuration references for App Service and Azure Functions](/azure/app-service/app-service-configuration-references). If the box is unchecked, the key and value will be directly exported to App Service. Remember to export your data again whenever you make changes in App Configuration to ensure your application picks up the updates.

+1. Fill out the form with the following parameters:

+ | Parameter | Description | Example |

+ |-|-|--|

+ | Selection mode | Select whether to export from regular key-values, which is the default option, or from a snapshot. | *Default* |

+ | Key filter | Used to filter key-values based on the key name for export. If no keys are specified, all keys are eligible. | Starts with *TestApp:* |

+ | At a specific time | Optional. Fill out this field to export key-values from a specific point in time in the selected configuration store. If left empty, it defaults to the current point in time of the key-values. | *07/28/2022 12:00:00 AM* |

+ | From label | Select one label to export key-values associated with this label. | *prod* |

+1. Select a destination store and fill out the form with the following parameters:

+ | Resource group | Select a resource group that contains the App Service where you want to export the configuration. | *my-resource-group* |

+ | Resource | Select the App Service where you want to export the configuration. | *my-app-service* |

+ | Remove prefix | Optional. If specified, the prefix will be removed from the key names of all exported key-values that contain it. | *TestApp:* |

+You exported key-values from an App Configuration store as of July 28, 2022, at 12 AM, with key names starting with `TestApp:` and the label `prod`, to the application settings of an App Service resource. The prefix `TestApp:` was trimmed from exported key names.

+- **Public access is disabled for your store or you are accessing from a private endpoint that is not in the storeΓÇÖs private endpoint configurations**. If your App Configuration store has private endpoints enabled, you can only access it from within the configured virtual network by default. Ensure that the machine running the Azure portal or CLI is joined to the same virtual network as the private endpoint. If you have just enabled public network access to your App Configuration store, wait at least 5 minutes before retrying to allow the cache to refresh.

+5. Run `deactivate` to shut down the virtual environment.

+You can review the complete template project [here](https://github.com/Azure-Samples/functions-quickstart-dotnet-azd).

+You can review the complete template project [here](https://github.com/Azure-Samples/azure-functions-java-flex-consumption-azd).

+You can review the complete template project [here](https://github.com/Azure-Samples/functions-quickstart-javascript-azd).

+You can review the complete template project [here](https://github.com/Azure-Samples/functions-quickstart-typescript-azd).

+You can review the complete template project [here](https://github.com/Azure-Samples/functions-quickstart-powershell-azd).

+You can review the complete template project [here](https://github.com/Azure-Samples/functions-quickstart-python-http-azd).

+ ::: zone pivot="programming-language-csharp,programming-language-javascript,programming-language-typescript,programming-language-java,programming-language-python"

+

+

+ ::: zone-end

+ ::: zone pivot="programming-language-powershell"

+ ### [PowerShell](#tab/powershell)

+ ```powershell

+ $APP_NAME = azd env get-value AZURE_FUNCTION_NAME

+ func azure functionapp list-functions $APP_NAME --show-keys

+ ```

+ ### [Cmd](#tab/cmd2)

+ ```cmd

+ for /f "tokens=*" %i in ('azd env get-value AZURE_FUNCTION_NAME') do set APP_NAME=%i

+ func azure functionapp list-functions %APP_NAME% --show-keys

+ ```

+ ::: zone-end

+2. As before, use your HTTP test tool to validate these URLs in your function app running in Azure.

+ - When defining custom functions in the KQL query for log search alerts, it is important to be cautious with function code that includes relative time clauses (e.g., now()). Custom functions with relative time clauses that are not defined within the log search alert KQL query itself can introduce inconsistencies in query results, potentially impacting the accuracy and reliability of alert evaluations. Therefore:

+ - To ensure accurate and timely alerting, always define relative time clauses directly within the log search alert KQL query.

+ - If time ranges are needed inside the function, they should be passed as parameters and used in the function.

+ Title: Build an AI-powered group chat with Azure SignalR and OpenAI Completion API

+description: A tutorial explaining how Azure SignalR and OpenAI Completion API are used together to build an AI-powered group chat

+uid: tutorials/ai-powered-group-chat

+# Build an AI-powered group chat with Azure SignalR and OpenAI Completion API

+The integration of AI into applications is rapidly becoming a must-have for developers looking to help their users be more creative, productive, and achieve their health goals. AI-powered features, such as intelligent chatbots, personalized recommendations, and contextual responses, add significant value to modern apps. The AI-powered apps that came out since ChatGPT captured our imagination are primarily between one user and one AI assistant. As developers get more comfortable with the capabilities of AI, they're exploring AI-powered apps in a team's context. They ask "what value can AI add to a team of collaborators?"

+This tutorial guides you through building a real-time group chat application. Among a group of human collaborators in a chat, there's an AI assistant, which has access to the chat history and can be invited to help out by any collaborator when they start the message with `@gpt`. The finished app looks like this.

+We use OpenAI for generating intelligent, context-aware responses and SignalR for delivering the response to users in a group. You can find the complete code [in this repo](https://github.com/aspnet/AzureSignalR-samples/tree/main/samples/AIStreaming).

+## Dependencies

+You can use either Azure OpenAI or OpenAI for this project. Make sure to update the `endpoint` and `key` in `appsetting.json`. `OpenAIExtensions` reads the configuration when the app starts and they're required to authenticate and use either service.

+# [OpenAI](#tab/open-ai)

+To build this application, you need the following:

+* ASP.NET Core: To create the web application and host the SignalR hub

+* [SignalR](https://www.nuget.org/packages/Microsoft.AspNetCore.SignalR.Client): For real-time communication between clients and the server

+* [Azure SignalR](./signalr-overview.md): For managing SignalR connections at scale

+* [OpenAI Client](https://www.nuget.org/packages/OpenAI/2.0.0-beta.10): To interact with OpenAI's API for generating AI responses

+# [Azure OpenAI](#tab/azure-open-ai)

+To build this application, you need the following:

+* ASP.NET Core: To create the web application and host the SignalR hub

+* [SignalR](https://www.nuget.org/packages/Microsoft.AspNetCore.SignalR.Client): For real-time communication between clients and the server

+* [Azure SignalR](./signalr-overview.md): For managing SignalR connections at scale

+* [Azure OpenAI](https://www.nuget.org/packages/Azure.AI.OpenAI/2.0.0-beta.3): Azure.AI.OpenAI

+## Implementation

+In this section, we walk through the key parts of the code that integrate SignalR with OpenAI to create an AI-enhanced group chat experience.

+### Data flow

+### SignalR Hub integration

+The `GroupChatHub` class manages user connections, message broadcasting, and AI interactions. When a user sends a message starting with `@gpt`, the hub forwards it to OpenAI, which generates a response. The AI's response is streamed back to the group in real-time.

+```csharp

+var chatClient = _openAI.GetChatClient(_options.Model);

+await foreach (var completion in chatClient.CompleteChatStreamingAsync(messagesInludeHistory))

+{

+ // ...

+ // Buffering and sending the AI's response in chunks

+ await Clients.Group(groupName).SendAsync("newMessageWithId", "ChatGPT", id, totalCompletion.ToString());

+ // ...

+}

+```

+### Maintain context with history

+Every request to [OpenAI's Chat Completions API](https://platform.openai.com/docs/guides/chat-completions) is stateless - OpenAI doesn't store past interactions. In a chat application, what a user or an assistant has said is important for generating a response that's contextually relevant. We can achieve this by including chat history in every request to the Completions API.

+The `GroupHistoryStore` class manages chat history for each group. It stores messages posted by both the users and AI assistants, ensuring that the conversation context is preserved across interactions. This context is crucial for generating coherent AI responses.

+```csharp

+// Store message generated by AI-assistant in memory

+public void UpdateGroupHistoryForAssistant(string groupName, string message)

+{

+ var chatMessages = _store.GetOrAdd(groupName, _ => InitiateChatMessages());

+ chatMessages.Add(new AssistantChatMessage(message));

+}

+```

+```csharp

+// Store message generated by users in memory

+_history.GetOrAddGroupHistory(groupName, userName, message);

+```

+### Stream AI responses

+The `CompleteChatStreamingAsync()` method streams responses from OpenAI incrementally, which allows the application to send partial responses to the client as they're generated.

+The code uses a `StringBuilder` to accumulate the AI's response. It checks the length of the buffered content and sends it to the clients when it exceeds a certain threshold (for example, 20 characters). This approach ensures that users see the AIΓÇÖs response as it forms, mimicking a human-like typing effect.

+```csharp

+totalCompletion.Append(content);

+if (totalCompletion.Length - lastSentTokenLength > 20)

+{

+ await Clients.Group(groupName).SendAsync("newMessageWithId", "ChatGPT", id, totalCompletion.ToString());

+ lastSentTokenLength = totalCompletion.Length;

+}

+```

+## Explore further

+This project opens up exciting possibilities for further enhancement:

+- **Advanced AI features**: Use other OpenAI capabilities like sentiment analysis, translation, or summarization.

+- **Incorporating multiple AI agents**: You can introduce multiple AI agents with distinct roles or expertise areas within the same chat. For example, one agent might focus on text generation and the other provides image or audio generation. This interaction can create a richer and more dynamic user experience where different AI agents interact seamlessly with users and each other.

+- **Share chat history between server instances**: Implement a database layer to persist chat history across sessions, allowing conversations to resume even after a disconnect. Beyond SQL or NO SQL based solutions, you can also explore using a caching service like Redis. It can significantly improve performance by storing frequently accessed data, such as chat history or AI responses, in memory. This reduces latency and offloads database operations, leading to faster response times, particularly in high-traffic scenarios.

+The Multi-AZ capability for Azure VMware Solution Stretched Clusters is also tagged in the following table. Customer quota for Azure VMware Solution is assigned by Azure region, and you aren't able to specify the Availability Zone during private cloud provisioning. An auto selection algorithm is used to balance deployments across the Azure region. If you have a particular Availability Zone you want to deploy to, open a [Service Request](https://rc.portal.azure.com/#create/Microsoft.Support) with Microsoft requesting a "special placement policy" for your subscription, Azure region, Availability Zone, and SKU type. This policy remains in place until you request it be removed or changed.

+| Australia East | AZ02 | AV36, AV64| No |7|

+| Australia Southeast | AZ01 | AV36 | No | N/A |

+| Canada Central | AZ02 | AV36, **AV36P,** AV64| No |7|

+| Central US | AZ03 | AV36P, AV64| No |7|

+| East US | AZ01 | **AV36P**, AV64| Yes |7|

+| North Europe | AZ02 | AV36, AV64 | No |7|

+| Southeast Asia | AZ02 | **AV36** | No | N/A |

+| Sweden Central | AZ01 | AV36, (AV64 Planned H2 2024)| No | N/A (7 Planned H2 2024)|

+| West Europe | AZ03 | AV36P, AV64 | Yes |7|

+| [VMSA-2024-0006](https://www.vmware.com/security/advisories/VMSA-2024-0006.html) ESXi Use-after-free and Out-of-bounds write vulnerability | March 2024 | Microsoft has confirmed the applicability of the vulnerabilities and is rolling out the provided VMware updates. | Ongoing 2024 - Resolved in [vCenter Server 8.0 U2b & ESXi 8.0 U2b](architecture-private-clouds.md#vmware-software-versions) |

+| AV36P SKU new private cloud deploys with vSphere 7, not vSphere 8. | September 2024 | The AV36P SKU is waiting for a Hotfix to be deployed, which will resolve this issue. | N/A |

+PostgreSQL Flexible Server backup data can be recovered in user specified storage containers that can be used to re-build the PostgreSQL flexible server. You can restore this data as a new PostgreSQL - flexible server with the database native tools.

+- **RecoveryServicesVault**: `azurefilesvault`

+- **Policy:** `schedule1`

+- **Resource group**: `azurefiles`

+- **Storage Account**: `testvault2`

+- **File Share**: `testshare`

+ In our example, it's `StorageContainer;Storage;AzureFiles;testvault2`

+You can verify if the registration was successful from the value of the `registrationstatus` parameter in the response body. In our case, it shows the status as registered for `testvault2`, so the registration operation was successful.

+| Area | JavaScript | .NET | Python | Java SE | iOS | Android | Other |

+|||--|-|-||-|--|

+| Azure Resource Manager | [npm](https://www.npmjs.com/package/@azure/arm-communication) | [NuGet](https://www.nuget.org/packages/Azure.ResourceManager.Communication) | [PyPi](https://pypi.org/project/azure-mgmt-communication/) | [Maven](https://search.maven.org/search?q=a:azure-resourcemanager-communication) | - | - | [Go via GitHub](https://github.com/Azure/azure-sdk-for-go/releases/tag/v46.3.0) |

+| Advanced Messaging | [npm](https://www.npmjs.com/package/@azure-rest/communication-messages) | [NuGet](https://www.nuget.org/packages/Azure.Communication.Messages) | [PyPi](https://pypi.org/project/azure-communication-messages/) | [Maven](https://search.maven.org/search?q=a:azure-communication-messages) | - | - | - |

+| Calling | [npm](https://www.npmjs.com/package/@azure/communication-calling) | [NuGet](https://www.nuget.org/packages/Azure.Communication.Calling.WindowsClient) | - | - | [GitHub](https://github.com/Azure/azure-sdk-for-ios/releases) ([docs](/objectivec/communication-services/calling/)) | [Maven](https://search.maven.org/artifact/com.azure.android/azure-communication-calling/) | - |

+| Call Automation | [npm](https://www.npmjs.com/package/@azure/communication-call-automation) | [NuGet](https://www.nuget.org/packages/Azure.Communication.CallAutomation) | [PyPi](https://pypi.org/project/azure-communication-callautomation/) | [Maven](https://search.maven.org/search?q=a:azure-communication-callautomation) | - | - | - |

+| Chat | [npm](https://www.npmjs.com/package/@azure/communication-chat) | [NuGet](https://www.nuget.org/packages/Azure.Communication.Chat) | [PyPi](https://pypi.org/project/azure-communication-chat/) | [Maven](https://search.maven.org/search?q=a:azure-communication-chat) | [GitHub](https://github.com/Azure/azure-sdk-for-ios/releases) | [Maven](https://search.maven.org/search?q=a:azure-communication-chat) | - |

+| Common | [npm](https://www.npmjs.com/package/@azure/communication-common) | [NuGet](https://www.nuget.org/packages/Azure.Communication.Common/) | N/A | [Maven](https://search.maven.org/search?q=a:azure-communication-common) | [GitHub](https://github.com/Azure/azure-sdk-for-ios/releases) | [Maven](https://search.maven.org/artifact/com.azure.android/azure-communication-common) | - |

+| Email | [npm](https://www.npmjs.com/package/@azure/communication-email) | [NuGet](https://www.nuget.org/packages/Azure.Communication.Email) | [PyPi](https://pypi.org/project/azure-communication-email/) | [Maven](https://search.maven.org/artifact/com.azure/azure-communication-email) | - | - | - |

+| Identity | [npm](https://www.npmjs.com/package/@azure/communication-identity) | [NuGet](https://www.nuget.org/packages/Azure.Communication.Identity) | [PyPi](https://pypi.org/project/azure-communication-identity/) | [Maven](https://search.maven.org/search?q=a:azure-communication-identity) | - | - | - |

+| Job Router | [npm](https://www.npmjs.com/package/@azure-rest/communication-job-router) | [NuGet](https://www.nuget.org/packages/Azure.Communication.JobRouter) | [PyPi](https://pypi.org/project/azure-communication-jobrouter/) | [Maven](https://search.maven.org/search?q=a:azure-communication-jobrouter) | - | - | - |

+| Phone numbers | [npm](https://www.npmjs.com/package/@azure/communication-phone-numbers) | [NuGet](https://www.nuget.org/packages/Azure.Communication.PhoneNumbers) | [PyPi](https://pypi.org/project/azure-communication-phonenumbers/) | [Maven](https://search.maven.org/search?q=a:azure-communication-phonenumbers) | - | - | - |

+| Rooms | [npm](https://www.npmjs.com/package/@azure/communication-rooms) | [NuGet](https://www.nuget.org/packages/Azure.Communication.Rooms) | [PyPi](https://pypi.org/project/azure-communication-rooms/) | [Maven](https://search.maven.org/search?q=a:azure-communication-rooms) | - | - | - |

+| Signaling | [npm](https://www.npmjs.com/package/@azure/communication-signaling) | - | | - | - | - | - |

+| SMS | [npm](https://www.npmjs.com/package/@azure/communication-sms) | [NuGet](https://www.nuget.org/packages/Azure.Communication.Sms) | [PyPi](https://pypi.org/project/azure-communication-sms/) | [Maven](https://search.maven.org/artifact/com.azure/azure-communication-sms) | - | - | - |

+| UI Library | [npm](https://www.npmjs.com/package/@azure/communication-react) | - | - | - | [GitHub](https://github.com/Azure/communication-ui-library-ios) | [GitHub](https://github.com/Azure/communication-ui-library-android) | [GitHub](https://github.com/Azure/communication-ui-library), [Storybook](https://azure.github.io/communication-ui-library/?path=/story/overview--page) |

+# Configure the Admin for Spring component in Azure Container Apps

+Extract the download and change into the *containerapps-albumapi-java-main* folder.

+If Docker isn't available, you can utilize the AD token provided for authentication. Authenticate with your [individual Microsoft Entra identity](container-registry-authentication.md?tabs=azure-cli#individual-login-with-azure-ad) using an AD token. Always use "000..." for the `USER_NAME` as the token is parsed through the `PASSWORD` variable.

+> [!WARNING]

+> You will not be able to create new subscriptions or transfer existing subscriptions from an enrollment account if the UPN is deleted from Entra ID.

+| servicePrincipalId | The Application (client) ID of the application registered in Microsoft Entra ID. | Yes |

+| servicePrincipalCredentialType | Specify the credential type to use for service principal authentication. Allowed values are `ServicePrincipalKey` and `ServicePrincipalCert`. | No |

+| ***For ServicePrincipalKey*** | | |

+| servicePrincipalKey | The application's key. Mark this field as a **SecureString** to store it securely, or [reference a secret stored in Azure Key Vault](store-credentials-in-key-vault.md). Refer to this [section](#grant-permission-for-using-service-principal-key) for more details including the permission settings. | No |

+| ***For ServicePrincipalCert*** | | |

+| servicePrincipalEmbeddedCert | Specify the base64 encoded certificate of your application registered in Microsoft Entra ID, and ensure the certificate content type is **PKCS #12**. Mark this field as a **SecureString** to store it securely, or [reference a secret stored in Azure Key Vault](store-credentials-in-key-vault.md). Refer to this [article](/sharepoint/dev/solution-guidance/security-apponly-azuread) for permission settings.| No |

+| servicePrincipalEmbeddedCertPassword | Specify the password of your certificate if your certificate is secured with a password. Mark this field as a **SecureString** to store it securely, or [reference a secret stored in Azure Key Vault](store-credentials-in-key-vault.md). | No |

+| | | |

+**Example 1: Using service principal key authentication**

+ "servicePrincipalCredentialType": "ServicePrincipalKey",

+ },

+ "connectVia": {

+ "referenceName": "<name of Integration Runtime>",

+ "type": "IntegrationRuntimeReference"

+**Example 2: Using service principal certificate authentication**

+```json

+{

+ "name": "SharePointOnlineList",

+ "properties": {

+ "type": "SharePointOnlineList",

+ "typeProperties": {

+ "siteUrl": "<site URL>",

+ "servicePrincipalId": "<service principal id>",

+ "servicePrincipalCredentialType": "ServicePrincipalCert",

+ "servicePrincipalEmbeddedCert": {

+ "type": "SecureString",

+ "value": "<base64 encoded string of (.pfx) certificate data>"

+ },

+ "servicePrincipalEmbeddedCertPassword": {

+ "type": "SecureString",

+ "value": "<password of your certificate>"

+ },

+ "tenantId": "<tenant ID>"

+ },

+ "connectVia": {

+ "referenceName": "<name of Integration Runtime>",

+ "type": "IntegrationRuntimeReference"

+ }

+ }

+}

+```

+### Grant permission for using service principal key

+The SharePoint List Online connector uses service principal authentication to connect to SharePoint. Follow these steps to set it up:

+1. Register an application with the Microsoft identity platform. To learn how, see [Quickstart: Register an application with the Microsoft identity platform](../active-directory/develop/quickstart-register-app.md). Make note of these values, which you use to define the linked service:

+ - Application ID

+ - Application key

+ - Tenant ID

+2. Grant SharePoint Online site permission to your registered application by following the steps below. To do this, you need a site admin role.

+ 1. Open your SharePoint Online site link. For example, the URL in the format `https://<your-site-url>/_layouts/15/appinv.aspx` where the placeholder `<your-site-url>` is your site.

+ 2. Search the application ID you registered, fill the empty fields, and click "Create".

+ - App Domain: `contoso.com`

+ - Redirect URL: `https://www.contoso.com`

+ - Permission Request XML:

+ ```xml

+ <AppPermissionRequests AllowAppOnlyPolicy="true">

+ <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="Read"/>

+ </AppPermissionRequests>

+ ```

+ :::image type="content" source="media/connector-sharepoint-online-list/sharepoint-online-grant-permission-admin.png" alt-text="Grant SharePoint Online site permission to your registered application when you have site admin role.":::

+

+ > [!NOTE]

+ > In the context of configuring the SharePoint connector, the "App Domain" and "Redirect URL" refer to the SharePoint app that you have registered in Microsoft Entra ID to allow access to your SharePoint data. The "App Domain" is the domain where your SharePoint site is hosted. For example, if your SharePoint site is located at "https://contoso.sharepoint.com", then the "App Domain" would be "contoso.sharepoint.com". The "Redirect URL" is the URL that the SharePoint app will redirect to after the user has authenticated and granted permissions to the app. This URL should be a page on your SharePoint site that the app has permission to access. For example, you could use the URL of a page that displays a list of files in a library, or a page that displays the contents of a document.

+ 3. Click "Trust It" for this app.

+1. Follow the [Grant permission for using service principal key](#grant-permission-for-using-service-principal-key) section to create Microsoft Entra application and grant permission to SharePoint Online.

+> Transporting data from on-premises NFS clients into Data Box using NFSv4 is supported. However, to copy data from Data Box to Azure, Data Box supports only REST-based transport. Azure file share with NFSv4.1 does not support REST for data access/transfers.

+ Title: Vulnerability management for Microsoft Defender for IoT in the Azure portal

+description: Learn about vulnerability management for Microsoft Defender for IoT in the Azure portal.

+# Vulnerability management in the Azure portal

+With vulnerability management, Microsoft Defender for IoT in the Azure portal provides extended coverage for Operational Technology (OT) networks, which identify security vulnerabilities in OT network devices.

+The OT security administrator views vulnerability data, such as Common Vulnerabilities and Exposures (CVE) details and a CVSS score, in the device inventory, workbooks and security recommendations for each device. The administrator can then proactively manage network exposure based on the vulnerability details and recommended remediation actions.

+Defender for IoT provides vulnerability coverage for [supported OT vendors](resources-manage-proprietary-protocols.md) where Defender for IoT can detect firmware models and firmware versions. Vulnerability data is based on the repository of standards-based vulnerability data documented in the US government National Vulnerability Database (NVD) and is displayed with its CVE details and description.

+## Vulnerability management capabilities

+The key vulnerability management capabilities are:

+| Capability | Description |

+| | |

+| [Device inventory](how-to-manage-device-inventory-for-organizations.md#view-full-device-details)| The Device inventory displays the current vulnerabilities detected on each device. |

+| [Workbooks](workbooks.md#view-workbooks) | Data about the vulnerabilities detected on OT devices is available using the **Vulnerabilities** workbook. Workbooks are pages created by Microsoft and provided out-of-the-box, which contain graphs and charts to display your data and help you analyze the data more effectively. |

+| [Security Recommendations](recommendations.md#supported-security-recommendations) | OT devices listed in the Device inventory contain suggested security recommendations for any critically severe vulnerability detected for top OT vendors. The vulnerability recommendation is named **Secure your vulnerable `vendor` devices**.<br><br>The recommendations are based on the device vendor or Cybersecurity & Infrastructure Agency (CISA) and list the remediation steps needed to improve the security of the network. |

+ [  ](./media/dns-operations-recordsets-portal/recordsets.png)

+ [  ](./media/dns-operations-recordsets-portal/record-page.png)

+ [  ](./media/dns-operations-recordsets-portal/delete-record-set.png)

+* For more information about Azure DNS alias records, see [Azure DNS alias records overview](dns-alias.md).

+

+

+

+> Event Grid supports more RBAC roles for purposes beyond sending events. For more information, see [Event Grid built-in roles](security-authorization.md#built-in-roles).

+> Event Grid supports more RBAC roles for purposes beyond sending events. For more information, see [Event Grid built-in roles](security-authorization.md#built-in-roles).

+ :::image type="content" source="./media/rate-limit/existing-circuit.png" alt-text="Screenshot of the configuration page for an ExpressRoute Direct circuit showing the Enable Rate Limiting setting set to Yes.":::

+To disable rate limiting for an existing ExpressRoute Direct circuit, complete the following steps:

+ :::image type="content" source="./media/rate-limit/disable-rate-limiting.png" alt-text="Screenshot of the configuration page for an ExpressRoute Direct circuit showing the Enable Rate Limiting setting set to No.":::

+ An ExpressRoute circuit has two connection links between Microsoft edge routers and customer edge (CE) routers. For example, if your circuit bandwidth is set to 1 Gbps and you distribute your traffic evenly across both links, you can reach up to 2*1 (that is, 2) Gbps. However, this is not a recommended practice and we suggest using the extra bandwidth for high availability only. If you exceed the configured bandwidth over private or Microsoft peering on either of the links by more than 20%, then rate limiting lowers the throughput to the configured bandwidth.

+ In the Azure portal, on the ΓÇÿCircuitsΓÇÖ pane of your ExpressRoute Direct port, you will see all the circuits configured over the ExpressRoute Direct port along with the rate limiting status. See the following screenshot as an example:

+ Increasing the circuit bandwidth does not affect the traffic flow through the circuit. The bandwidth increase is seamless and the circuit bandwidth upgrade will be reflected in a few minutes. It is important to note the bandwidth increase is irreversible.

+* Enhanced security features, such as [Private Link integration](private-link.md), advanced WAF enhancements with DRS 2.1, anomaly scoring based detection and bot management, and many more to come.

+ Management Group is created, users don't have access to it. To start using management groups, the service allows the creation of the initial management groups at the root level. For more information, see [Root management group for each directory](./overview.md#root-management-group-for-each-directory).

+ Management Group is created, users don't have access to it. To start using management groups, the service allows the creation of the initial management groups at the root level. For more information, see [Root management group for each directory](./overview.md#root-management-group-for-each-directory).

+ Management Group is created, users don't have access to it. To start using management groups, the service allows the creation of the initial management groups at the root level. For more information, see [Root management group for each directory](./overview.md#root-management-group-for-each-directory).

+ Management Group is created, users don't have access to it. To start using management groups, the service allows the creation of the initial management groups at the root level. For more information, see [Root management group for each directory](./overview.md#root-management-group-for-each-directory).

+ Management Group is created, users don't have access to it. To start using management groups, the service allows the creation of the initial management groups at the root level. For more information, see [Root management group for each directory](./overview.md#root-management-group-for-each-directory).

+ Management Group is created, users don't have access to it. To start using management groups, the service allows the creation of the initial management groups at the root level. For more information, see [Root management group for each directory](./overview.md#root-management-group-for-each-directory).

+ Management Group is created, users don't have access to it. To start using management groups, the service allows the creation of the initial management groups at the root level. For more information, see [Root management group for each directory](./overview.md#root-management-group-for-each-directory).

+ Management Group is created, users don't have access to it. To start using management groups, the service allows the creation of the initial management groups at the root level. For more information, see [Root management group for each directory](./overview.md#root-management-group-for-each-directory).

+* For more information about the HDInsight tools for Visual Studio, see [Use Data Lake Tools for Visual Studio to connect to Azure HDInsight and run Apache Hive queries](apache-hadoop-visual-studio-tools-get-started.md)

+# Export de-identified data

+> Results when using the FHIR&reg; service's deidentified (de-ID) export vary based on the nature of the data being exported, and what de-ID functions are in use. Microsoft is unable to evaluate deidentified export outputs or determine the acceptability for your use cases and compliance needs. The FHIR service's deidentified export is not guaranteed to meet any specific legal, regulatory, or compliance requirements.

+ The FHIR service can deidentify data when you run an `$export` operation. For deidentified export, the FHIR service uses the anonymization engine from the [FHIR tools for anonymization](https://github.com/microsoft/FHIR-Tools-for-Anonymization) (OSS) project on GitHub. There's a [sample config file](https://github.com/microsoft/Tools-for-Health-Data-Anonymization/blob/master/docs/FHIR-anonymization.md#sample-configuration-file) to help you get started redacting/transforming FHIR data fields that contain personally identifying information.

+The anonymization engine comes with a sample configuration file to help you get started with [HIPAA Safe Harbor Method](https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/https://docsupdatetracker.net/index.html#safeharborguidance) de-ID requirements. The configuration file is a JSON file with four properties: `fhirVersion`, `processingErrors`, `fhirPathRules`, `parameters`.

+We recommend that you host the export configuration files on Azure Container Registry(ACR).

+4. Register the ACR servers in the FHIR service. You can use the portal to open "Artifacts" in the "Transform and transfer data" section to add the ACR server.

+Following is an example of an anonymized `$export' query.

+The Azure portal provides a web interface with guided workflows, making it an efficient tool for deploying the FHIR&reg; service, and ensuring accurate configuration within Azure Health Data Services.

+By using the bulk `$export` operation in the FHIR&reg; service, you can export data as described in the [HL7 FHIR Bulk Data Access specification](https://www.hl7.org/fhir/uv/bulkdata/).

+After you set up the FHIR service to connect with a Data Lake Storage Gen2 account, you can call the `$export` endpoint, and the FHIR service will export data into an Azure Blob Storage container inside the storage account. The following example request exports all resources into a container, which is specified by name (`{{containerName}}`). Note: You must create the container in the Data Lake Storage Gen2 account before hand if you want to specify the `{{containerName}}` in the request.

+Data is exported in multiple files. Each file contains resources of only one type. The number of resources in an individual file is. The maximum number of resources is based on system performance. It's currently set to 5,000, but can change.

+The result is that you might get multiple files for a resource type. The file names follow the format `<resourceName>-<number>-<number>.ndjson`. The order of the files isn't guaranteed to correspond to any ordering of the resources in the database.

+- After an `$export` operation is complete and all data has been written inside a folder, the FHIR service doesn't export anything to that folder again. Subsequent exports to the same container will be inside a newly created folder.

+| `_outputFormat` | Yes | Currently supports three values to align to the FHIR specification: `application/fhir+ndjson`, `application/ndjson`, or just `ndjson`. All export jobs return `.ndjson` files and the passed value has no effect on code behavior. |

+| `_type` | Yes | Allows you to specify which types of resources to be included. For example, `_type=Patient` would return only patient resources.|

+| `_container` | No | Specifies the name of the container in the configured storage account where the data should be exported. If a container is specified, the data is exported into a folder in that container. If the container isn't specified, the data is exported to a new container with an autogenerated name. |

+| `_till` | No | Allows you to export resources that have been modified up to the specified time. This parameter is applicable only with System-Level export. In this case, if historical versions haven't been disabled or purged, export guarantees a true snapshot view. |

+|`includeAssociatedData` | No | Allows you to export history and soft deleted resources. This filter doesn't work with '_typeFilter' query parameter. Include value as '_history' to export history/non-latest versioned resources. Include value as '_deleted' to export soft deleted resources. |

+In this article, you've learned about exporting FHIR resources by using the `$export` operation. For information about how to set up and use other options for export, see:

+This section covers some of the frequently asked questions about the Azure Health Data Services FHIR&reg; service.

+Azure API for FHIR was our initial generally available product and is being retired as of September 30, 2026. The following table describes differences between Azure API for FHIR and Azure Health Data Services, FHIR service.

+|**Convert-data**|Supports enabling "Allow trusted services" in Account container registry| There's a known issue: Enabling private link with Azure Container Registry may result in access issues when attempting to use the container registry from the FHIR service.|

+To provision a FHIR instance with storage capacity beyond 4TB, create a support request with Issue type 'Service and Subscription limit (quotas)'.

+FHIR service is available in all regions that Azure Health Data Services is available. You can see supported regions on the [Products by Region](https://azure.microsoft.com/global-infrastructure/services/?products=azure-api-for-fhir) page.

+To see what will be releasing to the managed service, you can review the [releases page](https://github.com/microsoft/fhir-server/releases) of the open-source FHIR Server. We've worked to tag items with Azure Health Data Services if they'll release to the managed service and are available two weeks after they are on the open-source release page in. We have also included instructions on how to [test the build](https://github.com/microsoft/fhir-server/blob/master/docs/Testing-Releases.md), if you'd like to test in your own environment. We're evaluating how to best share additional managed service updates.

+SMART (Substitutable Medical Applications and Reusable Technology) on FHIR is a set of open specifications to integrate partner applications with FHIR Servers and other Health IT systems, such as Electronic Health Records and Health Information Exchanges. By creating a SMART on FHIR application, you can ensure that your application can be accessed and used by many different systems. For more information about SMART, see [SMART Health IT](https://smarthealthit.org/).

+### Are extensions supported on the FHIR service?

+Yes. We allow you to load any valid FHIR JSON data into the server. If you want to store the structure definition that defines [extensions](https://www.hl7.org/fhir/extensibility.html), you can save this as a structure definition resource. To search on extensions, you'll need to [define your own search parameters](how-to-do-custom-search.md).

+The current limit on _count is 1000. If you set _count to more than 1000, you'll receive a warning in the bundle that only 1,000 records will be shown.

+We support the [$patient-everything operation](patient-everything.md) which gets you all data related to a single patient.

+No, the FHIR service doesn't currently support terminology operations.

+To perform a health check on a FHIR service, enter `{{fhirurl}}/health/check` in the GET request. You should be able to see status of FHIR service. A HTTP Status code response with 200 and OverallStatus as **Healthy** means your health check is successful.

+If there are errors, you may receive an error response with HTTP status code 404 (Not Found) or status code 500 (Internal Server Error), and detailed information in the response body.

+Here's a summary of the supported RESTful capabilities. For more information on the implementation of these capabilities, see [FHIR REST API capabilities](rest-api-capabilities.md).

+| update with optimistic locking | Yes | Yes | |

+| update (conditional) | Yes | Yes | |

+| history | Yes | Yes | |

+| batch | Yes | Yes | |

+| transaction | No | Yes | |

+| intermediaries | No | No | |

+How the FHIR&reg; service in Azure Health Data Services validates an access token depends on implementation and configuration. In this article, we walk through the validation steps, which can be helpful when troubleshooting access issues.

+The first step in the token validation is to verify that the token was issued by the correct identity provider, and that it hasn't been modified. The FHIR server is configured to use a specific identity provider known as the authority `Authority`. The FHIR server retrieves information about the identity provider from the `/.well-known/openid-configuration` endpoint. When you use Microsoft Entra ID, the full URL would be:

+Microsoft Entra ID returns a document like the following to the FHIR server.

+The important properties for the FHIR server are:

+* `jwks_uri`, which tells the server where to fetch the encryption keys needed to validate the token signature, and

+* `issuer`, which tells the server what will be in the issuer claim (`iss`) of tokens issued by this server. The FHIR server can use this to validate that it's receiving an authentic token.

+Once the server verifies the authenticity of the token, the FHIR server will proceed to validate that the client has the required claims to access the token.

+When you use the FHIR service, the server validates:

+We recommend configuring the FHIR service to use Azure RBAC to manage data plane role assignments. You can also configure local RBAC if your FHIR service uses an external or secondary Microsoft Entra tenant.

+When using the OSS Microsoft FHIR server for Azure, the server validates:

+1. The token has a role in the `roles` claim that is allowed access to the FHIR server.

+For details on how to [define roles on the FHIR server](https://github.com/microsoft/fhir-server/blob/master/docs/Roles.md).

+In this article, you'll learn how to deploy FHIR&reg; service within the Azure Health Data Services using Bicep.

+> You can also verify that the FHIR service is up and running by opening a browser and navigating to `https://<yourfhirservice>.azurehealthcareapis.com/metadata`. If the capability statement is automatically displayed or downloaded, your deployment was successful. Make sure to replace **\<yourfhirservice\>** with the **\<service-name\>** you used in the deployment step of this quickstart.

+Access to diagnostic logs is essential for any healthcare service. Compliance with regulatory requirements like Health Insurance Portability and Accountability Act (HIPAA) is a must. In this article, you learn how to choose settings for diagnostic logs in the FHIR&reg; service within Azure Health Data Services. You'll also review some sample queries for these logs.

+|`OperationDuration` | Int| The time it took to complete this request in seconds. Note: This column value is always 0 due to a known issue|

+You can use these basic Log Analytics queries to explore your log data.

+In this article, you learned how to enable logs for the FHIR service. Having access to logs is essential for monitoring a service and providing compliance reports.

+To learn about setting custom headers on diagnostic logs, visit

+ persistentVolumeClaimRef: <your PVC name>

+As of February 2024, the Azure Certified Device program is retired. Therefore, Microsoft is no longer accepting submissions of DTDL models to the [Azure IoT plug and play models](https://github.com/Azure/iot-plugandplay-models) repository.

+- Validate any changes in a deployment slot before you apply those changes to the production slot.

+ To learn more about getting the user's location in UWP apps, see [Get the user's location](/windows/uwp/maps-and-location/get-location).

+> [!NOTE]

+> Enabling CMK on *existing* ARO clusters is only possible for worker nodes, not master nodes. You can achieve this using machine-API through machineset CRs. See [Enabling customer-managed encryption keys for a machine set](https://docs.openshift.com/container-platform/4.12/machine_management/creating_machinesets/creating-machineset-azure.html#machineset-enabling-customer-managed-encryption-azure_creating-machineset-azure) and [Modifying a compute machine set](https://docs.openshift.com/container-platform/4.12/machine_management/modifying-machineset.html) for more information.

+>

+There are multiple tools available from Oracle: ZDM, Data Guard, Data pump, GoldenGate, and more. For more information, see [Migrate Oracle workloads to Azure](/azure/cloud-adoption-framework/scenarios/oracle-iaas/oracle-migration-planning?wt.mc_id=knwlserapi_inproduct_azportal#migrate-oracle-workloads-to-azure). Contact your Oracle representative for commercials.

+Event Grid supports both manual and automatic geo disaster recovery (GeoDR) on the server side. You can still implement client-side disaster recovery logic if you want a greater control on the failover process. For details about automatic GeoDR, see [Server-side geo disaster recovery in Azure Event Grid](../event-grid/geo-disaster-recovery.md). For details on how to implement client-side disaster recovery, see [Client-side failover implementation in Azure Event Grid](../event-grid/custom-disaster-recovery-client-side.md).

+Control plane access is not inherited to your data plane provided that the container authentication method is set to **Microsoft Entra User Account** and not **Access Key**. This separation prevents roles with wildcards (`*`) from having unrestricted access to your data. For example, if a user has a [Reader](built-in-roles.md#reader) role on a subscription, then they can view the storage account, but by default they can't view the underlying data.

+PS C:\> Remove-AzRoleAssignment -ObjectId 33333333-3333-3333-3333-333333333333 -RoleDefinitionName "Storage Blob Data Contributor" -Scope /subscriptions/11111111-1111-1111-1111-111111111111

+description: This article explains what Microsoft Sentinel automation rules are, and how to use them to implement your Security Orchestration, Automation and Response (SOAR) operations. Automation rules increase your SOC's effectiveness and save you time and resources.

+This article explains what Microsoft Sentinel automation rules are, and how to use them to implement your Security Orchestration, Automation and Response (SOAR) operations. Automation rules increase your SOC's effectiveness and save you time and resources.

+Automation rules are triggered **when an incident is created or updated** or **when an alert is created**. Recall that incidents include alerts, and that both alerts and incidents can be created by analytics rules, as explained in [Threat detection in Microsoft Sentinel](threat-detection.md).

+With automation rules centrally handling the response to both incidents and alerts, how should you choose which to automate, and in which circumstances?

+The main reason to use **alert-triggered automation** is for responding to alerts generated by analytics rules that *do not create incidents* (that is, where incident creation is *disabled* in the **Incident settings** tab of the [analytics rule wizard](detect-threats-custom.md#configure-the-incident-creation-settings)).

+This reason is especially relevant when your Microsoft Sentinel workspace is onboarded to the unified security operations platform. In this scenario, all incident creation happens in Microsoft Defender XDR, and therefore the incident creation rules in Microsoft Sentinel *must be disabled*.

+Even without being onboarded to the unified portal, you might anyway decide to use alert-triggered automation if you want to use other external logic to decide if and when to create incidents from alerts, and how alerts are grouped together. For example:

+- A playbook, triggered by an alert that doesnΓÇÖt have an associated incident, can enrich the alert with information from other sources, and based on some external logic decide whether to create an incident or not.

+- A playbook, triggered by an alert, can, instead of creating an incident, look for an appropriate existing incident to add the alert to. Learn more about [incident expansion](relate-alerts-to-incidents.md).

+- A playbook, triggered by an alert, can notify SOC personnel of the alert so the team can decide whether or not to create an incident.

+- A playbook, triggered by an alert, can send the alert to an external ticketing system for incident creation and management, and that system creates a new ticket for each alert.

+Complex sets of conditions can be defined to govern when actions (see below) should run. These conditions include the event that triggers the rule (incident created or updated, or alert created), the states or values of the incident's properties and [entity properties](#supported-entity-properties) (for incident trigger only), and also the analytics rule or rules that generated the incident or alert.

+One of these properties is **Updated by**. This property lets you track the type of source that made the change in the incident. You can create a condition evaluating whether the incident was updated by one of the following values, depending on whether you onboarded your workspace to the unified security operations platform:

+#### Supported entity properties

+For the list of entity properties supported as conditions for automation rules, see [Microsoft Sentinel automation rules reference](automation-rule-reference.md).

+Actions can be defined to run when the conditions (see above) are met. You can define many actions in a rule, and you can choose the order in which they run (see below). The following actions can be defined using automation rules, without the need for the [advanced functionality of a playbook](automate-responses-with-playbooks.md):

+- There is no validation mechanism that prevents multiple rules from having the same order number, even within the same trigger type.

+If you used playbooks to create tickets in external systems when incidents are created, you can use an update-trigger automation rule to call a playbook that updates those tickets.

+- For help with implementing playbooks, see [Tutorial: Use playbooks to automate threat responses in Microsoft Sentinel](tutorial-respond-threats-playbook.md).

+ Title: Microsoft Sentinel automation rules reference | Microsoft Docs

+description: This article displays the supported properties and entities in Microsoft Sentinel automation rules.

+# Microsoft Sentinel automation rules reference

+This article contains reference information about the configuration of automation rules and the supported conditions and properties.

+To learn more about automation rules, see [Automate threat response in Microsoft Sentinel with automation rules](automate-incident-handling-with-automation-rules.md).

+For instructions on creating, managing, and using automation rules, see [Create and use Microsoft Sentinel automation rules to manage response](create-manage-use-automation-rules.md).

+## Supported entity properties

+The following entities and entity properties can be used as conditions for automation rules:

+### [Property descriptions](#tab/descriptions)

+This table shows the entity properties supported in the automation rules API. These are the entity properties whose values you can set as conditions for triggering an automation rule.

+For the full list of supported properties, which includes incident properties, see [Automation rule property condition supported properties](/rest/api/securityinsights/automation-rules/get) in the [Automation rules API documentation](/rest/api/securityinsights/automation-rules).

+| Name (in API) | Type | Description |

+|-|--|-|

+| AccountAadTenantId | string | The account Microsoft Entra ID tenant ID |

+| AccountAadUserId | string | The account Microsoft Entra ID user ID |

+| AccountName | string | The account name |

+| AccountNTDomain | string | The account NetBIOS domain name |

+| AccountPUID | string | The account Microsoft Entra ID Passport User ID |

+| AccountSid | string | The account security identifier |

+| AccountObjectGuid | string | The account object unique identifier |

+| AccountUPNSuffix | string | The account user principal name suffix |

+| AzureResourceResourceId | string | The Azure resource ID |

+| AzureResourceSubscriptionId | string | The Azure resource subscription ID |

+| CloudApplicationAppId | string | The cloud application identifier |

+| CloudApplicationAppName | string | The cloud application name |

+| DNSDomainName | string | The dns record domain name |

+| FileDirectory | string | The file directory full path |

+| FileName | string | The file name without path |

+| FileHashValue | string | The file hash value |

+| HostAzureID | string | The host Azure resource ID |

+| HostName | string | The host name without domain |

+| HostNetBiosName | string | The host NetBIOS name |

+| HostNTDomain | string | The host NT domain |

+| HostOSVersion | string | The host operating system |

+| IoTDeviceId | string | The IoT device ID |

+| IoTDeviceName | string | The IoT device name |

+| IoTDeviceType | string | The IoT device type |

+| IoTDeviceVendor | string | The IoT device vendor |

+| IoTDeviceModel | string | The IoT device model |

+| IoTDeviceOperatingSystem | string | The IoT device operating system |

+| IPAddress | string | The IP address |

+| MailboxDisplayName | string | The mailbox display name |

+| MailboxPrimaryAddress | string | The mailbox primary address |

+| MailboxUPN | string | The mailbox user principal name |

+| MailMessageDeliveryAction | string | The mail message delivery action |

+| MailMessageDeliveryLocation | string | The mail message delivery location |

+| MailMessageRecipient | string | The mail message recipient |

+| MailMessageSenderIP | string | The mail message sender IP address |

+| MailMessageSubject | string | The mail message subject |

+| MailMessageP1Sender | string | The mail message P1 sender (delegated sender) |

+| MailMessageP2Sender | string | The mail message P2 sender (original sender) |

+| MalwareCategory | string | The malware category |

+| MalwareName | string | The malware name |

+| ProcessCommandLine | string | The process execution command line |

+| ProcessId | string | The process ID |

+| RegistryKey | string | The registry key path |

+| RegistryValueData | string | The registry key value in string formatted representation |

+| Url | string | The url |

+### [Mapping to entities](#tab/mapping)

+This table shows how the supported entity properties in the [Automation rules API](/rest/api/securityinsights/automation-rules) are displayed in the condition drop-down in the automation rules creation wizard. It also shows how those properties map to [entities and their identifiers](entities-reference.md) as defined in Microsoft Sentinel security alerts.

+| Name in API | Name in UI drop-down | Entity: Identifier in V3 alert schema |

+| | | - |

+| AccountAadTenantId | Account tenant ID | Account: AadTenantId |

+| AccountAadUserId | Account AAD user ID | Account: AadUserId |

+| AccountName | Account name | Account: Name |

+| AccountNTDomain | Account NT domain | Account: NTDomain |

+| AccountPUID | Account PUID | Account: PUID |

+| AccountSid | Account SID | Account: Sid |

+| AccountObjectGuid | Account object ID | Account: ObjectGuid |

+| AccountUPNSuffix | Account UPN suffix | Account: UPNSuffix |

+| AzureResourceResourceId | Azure resource ID | AzureResource: ResourceId |

+| AzureResourceSubscriptionId | Azure resource subscription ID | AzureResource: SubscriptionId |

+| CloudApplicationAppId | Cloud application ID | CloudApplication: AppId |

+| CloudApplicationAppName | Cloud application name | CloudApplication: Name |

+| DNSDomainName | DNS domain name | DNS: DomainName |

+| FileDirectory | File directory | File: Directory |

+| FileName | File name | File: Name |

+| FileHashValue | File hash | FileHash: Value |

+| HostAzureID | Host Azure ID | Host: AzureID |

+| HostName | Host name | Host: HostName |

+| HostNetBiosName | Host NetBIOS name | Host: NetBiosName |

+| HostNTDomain | Host NT domain | Host: NTDomain |

+| HostOSVersion | Host operating system | Host: OSVersion |

+| IoTDeviceId | IoT device ID | IoTDevice: DeviceId |

+| IoTDeviceName | IoT device name | IoTDevice: DeviceName |

+| IoTDeviceType | IoT device type | IoTDevice: DeviceType |

+| IoTDeviceVendor | IoT device vendor | IoTDevice: Manufacturer |

+| IoTDeviceModel | IoT device model | IoTDevice: Model |

+| IoTDeviceOperatingSystem | IoT device operating system | IoTDevice: OperatingSystem |

+| IPAddress | IP address | IP: Address |

+| MailboxDisplayName | Mailbox display name | Mailbox: DisplayName |

+| MailboxPrimaryAddress | Mailbox primary address | Mailbox: MailboxPrimaryAddress |

+| MailboxUPN | Mailbox UPN | Mailbox: Upn |

+| MailMessageDeliveryAction | Mail message delivery action | MailMessage: DeliveryAction |

+| MailMessageDeliveryLocation | Mail message delivery location | MailMessage: DeliveryLocation |

+| MailMessageRecipient | Mail message recipient | MailMessage: Recipient |

+| MailMessageSenderIP | Mail message sender IP | MailMessage: SenderIP |

+| MailMessageSubject | Mail message subject | MailMessage: Subject |

+| MailMessageP1Sender | Mail message P1 sender | MailMessage: P1Sender |

+| MailMessageP2Sender | Mail message P2 sender | MailMessage: P2Sender |

+| MalwareCategory | Malware category | Malware: Category |

+| MalwareName | Malware name | Malware: Name |

+| ProcessCommandLine | Process command line | Process: CommandLine |

+| ProcessId | Process ID | Process: ProcessId |

+| RegistryKey | Registry key | RegistryKey: Key |

+| RegistryValueData | Registry value | RegistryValue: Value |

+| Url | Url | Url: Url |

+ | - **Title**<br>- **Description**<br>- All listed **entity properties**<br>&nbsp;&nbsp;(see [supported entity properties](automation-rule-reference.md)) | - Equals/Does not equal<br>- Contains/Does not contain<br>- Starts with/Does not start with<br>- Ends with/Does not end with |

+ | - **Title**<br>- **Description**<br>- All listed **entity properties**<br>&nbsp;&nbsp;(see [supported entity properties](automation-rule-reference.md)) | - Equals/Does not equal<br>- Contains/Does not contain<br>- Starts with/Does not start with<br>- Ends with/Does not end with |

+- **Target** - The system on which **TargetApp*** is running.

+- Five9

+You can specify options for listing containers by using the [ListContainersOptions](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/storage/azblob#ListContainersOptions) struct. This struct includes fields for managing the number of results, filtering by prefix, and including container information using [ListContainersInclude](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/service#ListContainersInclude).

+You can release a lease using one of the following methods on a JavaScript [BlobLeaseClient](/javascript/api/@azure/storage-blob/blobleaseclient) instance:

+- [Managing Concurrency in Blob storage](concurrency-manage.md)

+Our latest updates enhance the resiliency and performance of stateful containers. We now offer multi-zone storage pools and volume replication for local NVMe storage pools, ensuring availability during single node failures. Snapshot support is available across all storage options for backup and disaster recovery. Additionally, the Ephemeral Disk portfolio now includes temp SSD support, providing cost-efficient solutions for use cases leveraging directly attached local storage:

+For more information on these features, email the Azure Container Storage team at containerstoragepm@microsoft.com.

+The recommended way to mount an Azure file share on Linux is using SMB 3.1.1. By default, Azure Files requires encryption in transit, which is supported by SMB 3.0+. Azure Files also supports SMB 2.1, which doesn't support encryption in transit, but you can't mount Azure file shares with SMB 2.1 from another Azure region or on-premises for security reasons. Unless your application specifically requires SMB 2.1, use SMB 3.1.1. SMB 2.1 support was added to Linux kernel version 3.7, so if you're using a version of the Linux kernel after 3.7, it should support SMB 2.1.

+> All mounting scripts in this article will mount SMB file shares using the default 0755 Linux file and folder permissions. This means read, write, and execute for the file/directory owner, read and execute for users in the owner group, and read and execute for other users. Depending on your organization's security policies, you might want to set alternate `uid`/`gid` or `dir_mode` and `file_mode` permissions in the mount options. For more information on how to set permissions, see [UNIX numeric notation](https://en.wikipedia.org/wiki/File_system_permissions#Numeric_notation).

+Next, update the `autofs` configuration files.

+## Supported data sources

+Azure Synapse Spark supports over 25 data sources to connect to using managed private endpoints. Users need to specify the resource identifier, which can be found in the **Properties** settings page of their data source in the Azure portal.

+| Service| Resource ID Format|

+|:--|:--|

+| Cognitive Services | /subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.CognitiveServices/accounts/{resource-name}|

+| Azure Databricks | /subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.Databricks/workspaces/{workspace-name}|

+| Azure Database for MariaDB | /subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.DBforMariaDB/servers/{server-name}|

+| Azure Database for MySQL | /subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.DBforMySQL/servers/{server-name}|

+| Azure Database for PostgreSQL | /subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.DBforPostgreSQL/servers/{server-name}|

+| Azure Cosmos DB for MongoDB | /subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.DocumentDB/databaseAccounts/{account-name}|

+| Azure Cosmos DB for NoSQL | /subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.DocumentDB/databaseAccounts/{account-name}

+| Azure Monitor Private Link Scopes | /subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.Insights/privateLinkScopes/{scope-name}|

+| Azure Key Vault | /subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.KeyVault/vaults/{vault-name}|

+| Azure Data Explorer (Kusto) | /subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.Kusto/clusters/{cluster-name}|

+| Azure Machine Learning | /subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.MachineLearningServices/workspaces/{workspace-name}|

+| Microsoft Purview | /subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.Purview/accounts/{account-name}|

+| Azure Search | /subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.Search/searchServices/{service-name}|

+| Azure SQL Database | /subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.Sql/servers/{server-name}|

+| Azure SQL Database (Azure SQL Managed Instance) | /subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.Sql/managedInstances/{instance-name}|

+| Azure Blob Storage | /subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.Storage/storageAccounts/{storage-account-name}|

+| Azure Data Lake Storage Gen2 | /subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.Storage/storageAccounts/{storage-account-name}|

+| Azure File Storage | /subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.Storage/storageAccounts/{storage-account-name}|

+| Azure Queue Storage | /subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.Storage/storageAccounts/{storage-account-name}|

+| Azure Table Storage | /subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.Storage/storageAccounts/{storage-account-name}|

+| Azure Synapse Analytics | /subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.Synapse/workspaces/{workspace-name}|

+| Azure Synapse Analytics (Artifacts) | /subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.Synapse/workspaces/{workspace-name}|

+| Azure Functions | /subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.Web/sites/{function-app-name}|

+| Azure Event Hubs | /subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/Microsoft.EventHub/namespaces/{namespace-name}

+| Azure IoT Hub | /subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.Devices/IotHubs/{iothub-name}

+| Azure IoT Hub | /subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.Devices/IotHubs/{iothub-name}

+| Azure App Services | /subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.Web/sites/{app-service-name}

+To learn more, advance to the [Create Managed private endpoints to your data sources](./how-to-create-managed-private-endpoints.md) article.

+> * End of Support was announced for Azure Synapse Runtime for Apache Spark 3.2 July 8, 2023.

+> * Effective July 8, 2024, Azure Synapse discontinued official support for Spark 3.2 Runtimes. The Synapse Spark Team is moving forward with the 3.2 __job disablement__ process September 12, 2024, beginning with partial pools and jobs disablement. We will continue with further full disablement on October 31st, 2024.

+* In accordance with the Synapse runtime for Apache Spark lifecycle policy, Azure Synapse runtime for Apache Spark 3.2 will be retired as of July 8, 2024. Existing workflows will continue to run but security updates and bug fixes will no longer be available. Metadata will temporarily remain in the Synapse workspace.

+* **We strongly recommend that you upgrade your Apache Spark 3.2 workloads to [Azure Synapse Runtime for Apache Spark 3.4 (GA)](./apache-spark-34-runtime.md) before July 8, 2024.**

+- A local share. For more information, see [Create Azure Stack HCI VM image using images in a local share](/azure-stack/hci/manage/virtual-machine-image-local-share).

+- Understand how connectivity for the Azure Virtual Desktop service works at [Azure Virtual Desktop network connectivity](network-connectivity.md).

+ :::image type="content" source="../media/management-ui-redirect-uri-inline.png" alt-text="Screenshot of the Configure Web page on the Authentication tab for an app registration.":::

+5. In the left panel, select **API permissions** to confirm that permissions were added. If you're providing admin consent for all users, select the **Grant admin consent for `tenantname`** button and follow the dialog prompts.

+ :::image type="content" source="../media/management-ui-permissions-inline.png" alt-text="Screenshot of the API permissions page for an app registration that highlights the option to grant admin consent for Contoso." lightbox="../media/management-ui-permissions-expanded.png":::

+- If the value is set to **No**, you must sign in using an account with the required permissions to provide consent for all users in the tenant. No other users will face a consent prompt. For more information, see [Grant tenant-wide admin consent to an application](/entra/identity/enterprise-apps/grant-admin-consent).

+3. If you providing consent for all users, you can now select the checkbox to **Consent on behalf of your organization**. Select **Accept** to provide consent. This will now take you to the management tool.

+- A user administrator account within the Microsoft Entra tenant with permissions to manage your Azure Virtual Desktop (classic) resources.

+> - You can no longer be able to create new Azure Virtual Desktop (classic) tenants. Azure Virtual Desktop (classic) will retire on **September 30, 2026**. You should transition to [Azure Virtual Desktop](../index.yml) before that date. For more information, see [Azure Virtual Desktop (classic) retirement](classic-retirement.md).

+* A account within the Microsoft Entra tenant with the required permissions to provide admin consent for for an application in the tenant. For more information, see [Grant tenant-wide admin consent to an application](/entra/identity/enterprise-apps/grant-admin-consent).

+ * This also applies to Cloud Solution Provider (CSP) organizations that are creating an Azure Virtual Desktop tenant for their customers. If you're in a CSP organization, you must be able to sign in with an appropriate account in the customer's Microsoft Entra instance.

+2. Sign in to the Azure Virtual Desktop consent page with the appropriate account.

+6. Sign in to the Azure Virtual Desktop consent page, as you did in step 2.

+Assigning a Microsoft Entra user the `TenantCreator` application role allows that user to create an Azure Virtual Desktop tenant associated with the Microsoft Entra instance.

+5. Search for a user account that will create your Azure Virtual Desktop tenant.

+ - If you're using a Microsoft Identity Provider like contosoadmin@live.com or contosoadmin@outlook.com, you might not be able to sign in to Azure Virtual Desktop.

+- The user has the relevant permissions on their subscription and at the tenant level, but they can't sign in to Azure.

+Azure Virtual Network Manager can be deployed and managed through the [Azure portal](./create-virtual-network-manager-portal.md), [Azure CLI](./create-virtual-network-manager-cli.md), [Azure PowerShell](./create-virtual-network-manager-powershell.md), or [Terraform](./create-virtual-network-manager-terraform.md).

+|Load balancer frontend | Browse to an unused public IP address and select **Associate**. Pick the load balancer with the relevant front-end IP configuration to replace the IP. The old IP can be deleted using the same method as a virtual machine. | Use [Set-AzLoadBalancerFrontendIpConfig](/powershell/module/az.network/set-azloadbalancerfrontendipconfig) to associate a new front-end IP config with a public load balancer. Use [Remove-AzPublicIpAddress](/powershell/module/az.network/remove-azpublicipaddress) to delete a public IP. You can also use [Remove-AzLoadBalancerFrontendIpConfig](/powershell/module/az.network/remove-azloadbalancerfrontendipconfig) to remove a frontend IP config if there are more than one. | Use [az network lb frontend-ip update](/cli/azure/network/lb/frontend-ip#az-network-lb-frontend-ip-update) to associate a new frontend IP config with a public load balancer. Use [Remove-AzPublicIpAddress](/powershell/module/az.network/remove-azpublicipaddress) to delete a public IP. You can also use [az network lb frontend-ip delete](/cli/azure/network/lb/frontend-ip#az-network-lb-frontend-ip-delete) to remove a frontend IP config if there are more than one. |

+ "Id": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb",

+ "ResourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGrou

+ "bbbbbbbb-1111-2222-3333-cccccccccccc"

+ "Id": "bbbbbbbb-1111-2222-3333-cccccccccccc",

+ "ResourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGrou

+ "cccccccc-2222-3333-4444-dddddddddddd"

+ "Id": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb",

+ "ResourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGrou

+ "bbbbbbbb-1111-2222-3333-cccccccccccc"

+ "Id": "bbbbbbbb-1111-2222-3333-cccccccccccc",

+ "ResourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGrou

+ "cccccccc-2222-3333-4444-dddddddddddd"

+1. On the **Overview** page of **vm-web**, note the **Public IP address** for your VM. The address shown in the following example is 203.0.113.103. Your address is different:

+> You can manage cross-tenant virtual network connections only through PowerShell or the Azure CLI installed on your local machine. Because Azure Portal does not support cross-tenant operations, you **can't** manage cross-tenant virtual network connections through Azure portal or Azure portal CloudShell (both PowerShell and CLI).