-1. Sign in to the [Azure portal](https://portal.azure.com) as the **global administrator** of your Azure AD B2C tenant.

-During this deployment, you'll configure your Azure AD B2C tenant where logs are generated. You'll also configure Microsoft Entra tenant where the Log Analytics workspace will be hosted. The Azure AD B2C accounts used (such as your admin account) should be assigned the [Global Administrator](../active-directory/roles/permissions-reference.md#global-administrator) role on the Azure AD B2C tenant. The Microsoft Entra account you'll use to run the deployment must be assigned the [Owner](../role-based-access-control/built-in-roles.md#owner) role in the Microsoft Entra subscription. It's also important to make sure you're signed in to the correct directory as you complete each step as described.

-Also, if you choose to provide higher levels of assurance by using Multi-factor Authentication (MFA) for Voice and SMS, you'll be charged a worldwide flat fee for each MFA attempt that month, whether the sign in is successful or unsuccessful.

-1. Select an **Azure AD B2C Tenant** from the dropdown. Only tenants for which you're a global administrator and that aren't already linked to a subscription are shown. The **Azure AD B2C Resource name** field is populated with the domain name of the Azure AD B2C tenant you select.

-1. In the Azure AD B2C directory itself, [invite a guest user](user-overview.md#guest-user) from the destination Microsoft Entra tenant (the one that the destination Azure subscription is linked to) and ensure this user has the **Global administrator** role in Azure AD B2C.

-[Customize the user interface in an Azure AD B2C user flow](customize-ui-with-html.md)

-1. Sign in to the [Azure portal](https://portal.azure.com/) as at least Privileged Role Administrator.

-1. Log in to the site as a global administrator for the Azure AD B2C directory that you want to restore the deleted app for. This global administrator must have an email address similar to the following: `username@{yourTenant}.onmicrosoft.com`.

-1. Issue an HTTP POST against the URL `https://graph.microsoft.com/v1.0/directory/deleteditems/{id}/restore`. Replace the `{id}` portion of the URL with the `id` from the previous step.]

-You should now be able to [see the restored app](#verifying-that-the-extensions-app-is-present) in the Azure portal.

-1. Sign in to the [Azure portal](https://portal.azure.com/) as the global administrator of your Azure AD B2C tenant.

-1. Sign in to the [Azure portal](https://portal.azure.com/) as the global administrator of your Azure AD B2C tenant.

- 1. Sign in to the [Azure portal](https://portal.azure.com) as the global administrator of your Azure AD B2C tenant.

-## Next steps

-Anyone who creates an Azure Active Directory B2C (Azure AD B2C) becomes the *Global Administrator* of the tenant. It's a security risk if a non-admin user is allowed to create a tenant.

-As a *Global Administrator* in an Azure AD B2C tenant, you can restrict non-admin users from creating tenants. To do so, use the following steps:

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Under **Default user role permissions**, review your **Restrict non-admin users from creating tenants** setting. If the setting is set to **No**, then contact your administrator to assign the tenant creator role to you. The setting is greyed out if you're not an administrator in the tenant.

-## Next steps

-1. Sign in to the [Azure portal](https://portal.azure.com) as an existing Global Administrator. If you use your Microsoft Entra account, make sure you're using the directory that contains your Azure AD B2C tenant:

-description: Learn how to add an administrator account to your Azure Active Directory B2C tenant. Learn how to invite a guest account as an administrator into your Azure AD B2C tenant.

-1. Sign in to the [Azure portal](https://portal.azure.com/) as at least Privileged Role Administrator permissions.

-1. Sign in to the [Azure portal](https://portal.azure.com/) as at least Privileged Role Administrator permissions.

-1. Sign in to the [Azure portal](https://portal.azure.com/) as at least Privileged Role Administrator permissions.

-1. Sign in to the [Azure portal](https://portal.azure.com/) as Privileged Role Administrator.

-To delete an existing user, you must have a *Global administrator* role assignment. Global admins can delete any user, including other admins. *User administrators* can delete any non-admin user.

->If you're unable to create Azure AD B2C tenant, [review your user settings page](tenant-management-check-tenant-creation-permission.md) to ensure that tenant creation isn't switched off. If tenant creation is switched on, ask your *Global Administrator* to assign you a **Tenant Creator** role.

-Azure AD B2C allows you to activate Go-Local add-on on an existing tenant as long as your tenant stores data in a country/region that has local data residence option. To opt-in to Go-Local add-on, use the following steps:

-1. Sign in to the [Azure portal](https://portal.azure.com/) with a global administrator or subscription administrator role. Use the same work or school account or the same Microsoft account that you used to sign up for Azure.

-1. Sign in to the [Azure portal](https://portal.azure.com/) with a global administrator or subscription administrator role. Use the same work or school account or the same Microsoft account that you used to sign up for Azure.

-1. Sign in to the [Azure portal](https://portal.azure.com/) with a global administrator or subscription administrator role. Use the same work or school account or the same Microsoft account that you used to sign up for Azure.

-Next, learn more about getting started with Azure AD B2C [user flows and custom policies](user-flow-overview.md).

-1. Sign in to the [Azure portal](https://portal.azure.com/) as the global administrator of your Azure AD B2C tenant.

-1. Sign in to the [Azure portal](https://portal.azure.com/) as the global administrator of your Azure AD B2C tenant.

-

-> [Connect to Azure Database for PostgreSQL with Java](/azure/postgresql/connect-java)

-description: Learn how to get a data-driven Linux Quarkus app working in Azure App Service, with connection to a PostgreSQL running in Azure.

-zone_pivot_groups: app-service-portal-azd

-# Tutorial: Build a Quarkus web app with Azure App Service on Linux and PostgreSQL

-This tutorial shows how to build, configure, and deploy a secure [Quarkus](https://quarkus.io) application in Azure App Service that's connected to a PostgreSQL database (using [Azure Database for PostgreSQL](/azure/postgresql/)). Azure App Service is a highly scalable, self-patching, web-hosting service that can easily deploy apps on Windows or Linux. When you're finished, you'll have a Quarkus app running on [Azure App Service on Linux](overview.md).

-**To complete this tutorial, you'll need:**

-* An Azure account with an active subscription. If you don't have an Azure account, you [can create one for free](https://azure.microsoft.com/free/java/).

-* Knowledge of Java with [Quarkus](https://quarkus.io) development.

-* An Azure account with an active subscription. If you don't have an Azure account, you [can create one for free](https://azure.microsoft.com/free/java).

-* [Azure Developer CLI](/azure/developer/azure-developer-cli/install-azd) installed. You can follow the steps with the [Azure Cloud Shell](https://shell.azure.com) because it already has Azure Developer CLI installed.

-* Knowledge of Java with Tomcat development.

-## Skip to the end

-You can quickly deploy the sample app in this tutorial and see it running in Azure. Just run the following commands in the [Azure Cloud Shell](https://shell.azure.com), and follow the prompt:

-```bash

-mkdir msdocs-quarkus-postgresql-sample-app

-cd msdocs-quarkus-postgresql-sample-app

-azd init --template msdocs-quarkus-postgresql-sample-app

-azd up

-```

-## 1. Run the sample

-First, you set up a sample data-driven app as a starting point. For your convenience, the sample repository, [Hibernate ORM with Panache and RESTEasy](https://github.com/Azure-Samples/msdocs-quarkus-postgresql-sample-app), includes a [dev container](https://docs.github.com/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-configuration/introduction-to-dev-containers) configuration. The dev container has everything you need to develop an application, including the database, cache, and all environment variables needed by the sample application. The dev container can run in a [GitHub codespace](https://docs.github.com/en/codespaces/overview), which means you can run the sample on any computer with a web browser.

- :::column span="2":::

- **Step 1:** In a new browser window:

- 1. Sign in to your GitHub account.

- 1. Navigate to [https://github.com/Azure-Samples/msdocs-quarkus-postgresql-sample-app/fork](https://github.com/Azure-Samples/msdocs-quarkus-postgresql-sample-app/fork).

- 1. Unselect **Copy the main branch only**. You want all the branches.

- 1. Select **Create fork**.

- :::column-end:::

- :::column:::

- :::image type="content" source="./media/tutorial-java-quarkus-postgresql-app/azure-portal-run-sample-application-1.png" alt-text="A screenshot showing how to create a fork of the sample GitHub repository." lightbox="./media/tutorial-java-quarkus-postgresql-app/azure-portal-run-sample-application-1.png":::

- :::column-end:::

- :::column span="2":::

- **Step 2:** In the GitHub fork:

- 1. Select **main** > **starter-no-infra** for the starter branch. This branch contains just the sample project and no Azure-related files or configuration.

- 1. Select **Code** > **Create codespace on main**.

- The codespace takes a few minutes to set up.

- :::column-end:::

- :::column:::

- :::image type="content" source="./media/tutorial-java-quarkus-postgresql-app/azure-portal-run-sample-application-2.png" alt-text="A screenshot showing how create a codespace in GitHub." lightbox="./media/tutorial-java-quarkus-postgresql-app/azure-portal-run-sample-application-2.png":::

- :::column-end:::

- :::column span="2":::

- **Step 3:** In the codespace terminal:

- 1. Run `mvn quarkus:dev`.

- 1. When you see the notification `Your application running on port 8080 is available.`, select **Open in Browser**. If you see a notification with port 5005, skip it.

- You should see the sample application in a new browser tab.

- To stop the Quarkus development server, type `Ctrl`+`C`.

- :::column-end:::

- :::column:::

- :::image type="content" source="./media/tutorial-java-quarkus-postgresql-app/azure-portal-run-sample-application-3.png" alt-text="A screenshot showing how to run the sample application inside the GitHub codespace." lightbox="./media/tutorial-java-quarkus-postgresql-app/azure-portal-run-sample-application-3.png":::

- :::column-end:::

-For more information on how the Quarkus sample application is created, see Quarkus documentation [Simplified Hibernate ORM with Panache](https://quarkus.io/guides/hibernate-orm-panache) and [Configure data sources in Quarkus](https://quarkus.io/guides/datasource).

-Having issues? Check the [Troubleshooting section](#troubleshooting).

-## 2. Create App Service and PostgreSQL

-First, you create the Azure resources. The steps used in this tutorial create a set of secure-by-default resources that include App Service and Azure Database for PostgreSQL. For the creation process, you'll specify:

-* The **Name** for the web app. It's the name used as part of the DNS name for your webapp in the form of `https://<app-name>.azurewebsites.net`.

-* The **Region** to run the app physically in the world.

-* The **Runtime stack** for the app. It's where you select the version of Java to use for your app.

-* The **Hosting plan** for the app. It's the pricing tier that includes the set of features and scaling capacity for your app.

-* The **Resource Group** for the app. A resource group lets you group (in a logical container) all the Azure resources needed for the application.

-Sign in to the [Azure portal](https://portal.azure.com/) and follow these steps to create your Azure App Service resources.

- :::column span="2":::

- **Step 1:** In the Azure portal:

- 1. Enter "web app database" in the search bar at the top of the Azure portal.

- 1. Select the item labeled **Web App + Database** under the **Marketplace** heading.

- You can also navigate to the [creation wizard](https://portal.azure.com/?feature.customportal=false#create/Microsoft.AppServiceWebAppDatabaseV3) directly.

- :::column-end:::

- :::column:::

- :::image type="content" source="./media/tutorial-java-quarkus-postgresql-app/azure-portal-create-app-postgres-1.png" alt-text="A screenshot showing how to use the search box in the top tool bar to find the Web App + Database creation wizard." lightbox="./media/tutorial-java-quarkus-postgresql-app/azure-portal-create-app-postgres-1.png":::

- :::column-end:::

- :::column span="2":::

- **Step 2:** In the **Create Web App + Database** page, fill out the form as follows.

- 1. *Resource Group*: Select **Create new** and use a name of **msdocs-quarkus-postgres-tutorial**.

- 1. *Region*: Any Azure region near you.

- 1. *Name*: **msdocs-quarkus-postgres-XYZ** where *XYZ* is any three random characters. This name must be unique across Azure.

- 1. *Runtime stack*: **Java 17**.

- 1. *Java web server stack*: **Java SE (Embedded Web Server)**.

- 1. *Database*: **PostgreSQL - Flexible Server**. The server name and database name are set by default to appropriate values.

- 1. *Hosting plan*: **Basic**. When you're ready, you can [scale up](manage-scale-up.md) to a production pricing tier later.

- 1. Select **Review + create**.

- 1. After validation completes, select **Create**.

- :::column-end:::

- :::column:::

- :::image type="content" source="./media/tutorial-java-quarkus-postgresql-app/azure-portal-create-app-postgres-2.png" alt-text="A screenshot showing how to configure a new app and database in the Web App + Database wizard." lightbox="./media/tutorial-java-quarkus-postgresql-app/azure-portal-create-app-postgres-2.png":::

- :::column-end:::

- :::column span="2":::

- **Step 3:** The deployment takes a few minutes to complete. Once deployment completes, select the **Go to resource** button. You're taken directly to the App Service app, but the following resources are created:

- - **Resource group**: The container for all the created resources.

- - **App Service plan**: Defines the compute resources for App Service. A Linux plan in the *Basic* tier is created.

- - **App Service**: Represents your app and runs in the App Service plan.

- - **Virtual network**: Integrated with the App Service app and isolates back-end network traffic.

- - **Azure Database for PostgreSQL flexible server**: Accessible only from within the virtual network. A database and a user are created for you on the server.

- - **Private DNS zone**: Enables DNS resolution of the PostgreSQL server in the virtual network.

- :::column-end:::

- :::column:::

- :::image type="content" source="./media/tutorial-java-quarkus-postgresql-app/azure-portal-create-app-postgres-3.png" alt-text="A screenshot showing the deployment process completed." lightbox="./media/tutorial-java-quarkus-postgresql-app/azure-portal-create-app-postgres-3.png":::

- :::column-end:::

-Having issues? Check the [Troubleshooting section](#troubleshooting).

-## 3. Verify connection settings

-The creation wizard generated the connectivity variables for you already as [app settings](configure-common.md#configure-app-settings). In this step, you learn where to find the app settings, and how you can create your own.

-App settings are one way to keep connection secrets out of your code repository. When you're ready to move your secrets to a more secure location, you can use [Key Vault references](app-service-key-vault-references.md) instead.

- :::column span="2":::

- **Step 1:** In the App Service page, in the left menu, select **Environment variables**.

- :::column-end:::

- :::column:::

- :::image type="content" source="./media/tutorial-java-quarkus-postgresql-app/azure-portal-get-connection-string-1.png" alt-text="A screenshot showing how to open the configuration page in App Service." lightbox="./media/tutorial-java-quarkus-postgresql-app/azure-portal-get-connection-string-1.png":::

- :::column-end:::

- :::column span="2":::

- **Step 2:** In the **App settings** tab of the **Environment variables** page, verify that `AZURE_POSTGRESQL_CONNECTIONSTRING` is present. It's injected at runtime as an environment variable.

- :::column-end:::

- :::column:::

- :::image type="content" source="./media/tutorial-java-quarkus-postgresql-app/azure-portal-get-connection-string-2.png" alt-text="A screenshot showing how to see the autogenerated connection string." lightbox="./media/tutorial-java-quarkus-postgresql-app/azure-portal-get-connection-string-2.png":::

- :::column-end:::

- :::column span="2":::

- **Step 4:** Select **Add application setting**. Name the setting `PORT` and set its value to `8080`, which is the default port of the Quarkus application. Select **Apply**.

- :::column-end:::

- :::column:::

- :::image type="content" source="./media/tutorial-java-quarkus-postgresql-app/azure-portal-app-service-app-setting.png" alt-text="A screenshot showing how to set the PORT app setting in the Azure portal." lightbox="./media/tutorial-java-quarkus-postgresql-app/azure-portal-app-service-app-setting.png":::

- :::column-end:::

- :::column span="2":::

- **Step 5:** Select **Apply**, then select **Confirm**.

- :::column-end:::

- :::column:::

- :::image type="content" source="./media/tutorial-java-quarkus-postgresql-app/azure-portal-app-service-app-setting-save.png" alt-text="A screenshot showing how to save the PORT app setting in the Azure portal." lightbox="./media/tutorial-java-quarkus-postgresql-app/azure-portal-app-service-app-setting-save.png":::

- :::column-end:::

-Having issues? Check the [Troubleshooting section](#troubleshooting).

-## 4. Deploy sample code

-In this step, you'll configure GitHub deployment using GitHub Actions. It's just one of many ways to deploy to App Service, but also a great way to have continuous integration in your deployment process. By default, every `git push` to your GitHub repository will kick off the build and deploy action.

-Note the following:

- :::column span="2":::

- **Step 1:** Back in the App Service page, in the left menu, select **Deployment Center**.

- :::column-end:::

- :::column:::

- :::image type="content" source="./media/tutorial-java-quarkus-postgresql-app/azure-portal-deploy-sample-code-1.png" alt-text="A screenshot showing how to open the deployment center in App Service." lightbox="./media/tutorial-java-quarkus-postgresql-app/azure-portal-deploy-sample-code-1.png":::

- :::column-end:::

- :::column span="2":::

- **Step 2:** In the Deployment Center page:

- 1. In **Source**, select **GitHub**. By default, **GitHub Actions** is selected as the build provider.

- 1. Sign in to your GitHub account and follow the prompt to authorize Azure.

- 1. In **Organization**, select your account.

- 1. In **Repository**, select **msdocs-quarkus-postgresql-sample-app**.

- 1. In **Branch**, select **starter-no-infra**.

- 1. In **Authentication type**, select **User-assigned identity (Preview)**.

- 1. In the top menu, select **Save**. App Service commits a workflow file into the chosen GitHub repository, in the `.github/workflows` directory.

- :::column-end:::

- :::column:::

- :::image type="content" source="./media/tutorial-java-quarkus-postgresql-app/azure-portal-deploy-sample-code-2.png" alt-text="A screenshot showing how to configure CI/CD using GitHub Actions." lightbox="./media/tutorial-java-quarkus-postgresql-app/azure-portal-deploy-sample-code-2.png":::

- :::column-end:::

- :::column span="2":::

- **Step 3:** Back in the GitHub codespace of your sample fork, run `git pull origin starter-no-infra`.

- This pulls the newly committed workflow file into your codespace.

- :::column-end:::

- :::column:::

- :::image type="content" source="./media/tutorial-java-quarkus-postgresql-app/azure-portal-deploy-sample-code-3.png" alt-text="A screenshot showing git pull inside a GitHub codespace." lightbox="./media/tutorial-java-quarkus-postgresql-app/azure-portal-deploy-sample-code-3.png":::

- :::column-end:::

- :::column span="2":::

- **Step 4:**

- 1. Open *src/main/resources/application.properties* in the explorer. Quarkus uses this file to load Java properties.

- 1. Find the commented code (lines 10-11) and uncomment it.

- This code sets the production variable `%prod.quarkus.datasource.jdbc.url` to the app setting that the creation wizard for you. The `quarkus.package.type` is set to build an Uber-Jar, which you need to run in App Service.

- :::column-end:::

- :::column:::

- :::image type="content" source="./media/tutorial-java-quarkus-postgresql-app/azure-portal-deploy-sample-code-4.png" alt-text="A screenshot showing a GitHub codespace and the application.properties file opened." lightbox="./media/tutorial-java-quarkus-postgresql-app/azure-portal-deploy-sample-code-4.png":::

- :::column-end:::

- :::column span="2":::

- **Step 5:**

- 1. Open *.github/workflows/main_msdocs-quarkus-postgres-XYZ.yml* in the explorer. This file was created by the App Service create wizard.

- 1. Under the `Build with Maven` step, change the Maven command to `mvn clean install -DskipTests`.

- `-DskipTests` skips the tests in your Quarkus project, to avoid the GitHub workflow failing prematurely.

- :::column-end:::

- :::column:::

- :::image type="content" source="./media/tutorial-java-quarkus-postgresql-app/azure-portal-deploy-sample-code-5.png" alt-text="A screenshot showing a GitHub codespace and a GitHub workflow YAML opened." lightbox="./media/tutorial-java-quarkus-postgresql-app/azure-portal-deploy-sample-code-5.png":::

- :::column-end:::

- :::column span="2":::

- **Step 6:**

- 1. Select the **Source Control** extension.

- 1. In the textbox, type a commit message like `Configure DB and deployment workflow`.

- 1. Select **Commit**, then confirm with **Yes**.

- 1. Select **Sync changes 1**, then confirm with **OK**.

- :::column-end:::

- :::column:::

- :::image type="content" source="./media/tutorial-java-quarkus-postgresql-app/azure-portal-deploy-sample-code-6.png" alt-text="A screenshot showing the changes being committed and pushed to GitHub." lightbox="./media/tutorial-java-quarkus-postgresql-app/azure-portal-deploy-sample-code-6.png":::

- :::column-end:::

- :::column span="2":::

- **Step 7:** Back in the Deployment Center page in the Azure portal:

- 1. Select **Logs**. A new deployment run is already started from your committed changes.

- 1. In the log item for the deployment run, select the **Build/Deploy Logs** entry with the latest timestamp.

- :::column-end:::

- :::column:::

- :::image type="content" source="./media/tutorial-java-quarkus-postgresql-app/azure-portal-deploy-sample-code-7.png" alt-text="A screenshot showing how to open deployment logs in the deployment center." lightbox="./media/tutorial-java-quarkus-postgresql-app/azure-portal-deploy-sample-code-7.png":::

- :::column-end:::

- :::column span="2":::

- **Step 8:** You're taken to your GitHub repository and see that the GitHub action is running. The workflow file defines two separate stages, build and deploy. Wait for the GitHub run to show a status of **Complete**. It takes about 5 minutes.

- :::column-end:::

- :::column:::

- :::image type="content" source="./media/tutorial-java-quarkus-postgresql-app/azure-portal-deploy-sample-code-8.png" alt-text="A screenshot showing a GitHub run in progress." lightbox="./media/tutorial-java-quarkus-postgresql-app/azure-portal-deploy-sample-code-8.png":::

- :::column-end:::

-Having issues? Check the [Troubleshooting section](#troubleshooting).

-## 5. Browse to the app

- :::column span="2":::

- **Step 1:** In the App Service page:

- 1. From the left menu, select **Overview**.

- 1. Select the URL of your app. You can also navigate directly to `https://<app-name>.azurewebsites.net`.

- :::column-end:::

- :::column:::

- :::image type="content" source="./media/tutorial-java-quarkus-postgresql-app/azure-portal-browse-app-1.png" alt-text="A screenshot showing how to launch an App Service from the Azure portal." lightbox="./media/tutorial-java-quarkus-postgresql-app/azure-portal-browse-app-1.png":::

- :::column-end:::

- :::column span="2":::

- **Step 2:** Add a few fruits to the list.

- Congratulations, you're running a web app in Azure App Service, with secure connectivity to Azure Database for PostgreSQL.

- :::column-end:::

- :::column:::

- :::image type="content" source="./media/tutorial-java-quarkus-postgresql-app/azure-portal-browse-app-2.png" alt-text="A screenshot of the Quarkus web app with PostgreSQL running in Azure showing a list of fruits." lightbox="./media/tutorial-java-quarkus-postgresql-app/azure-portal-browse-app-2.png":::

- :::column-end:::

-## 6. Stream diagnostic logs

-Azure App Service captures all messages output to the console to help you diagnose issues with your application. The sample application includes standard JBoss logging statements to demonstrate this capability as shown below.

- :::column span="2":::

- **Step 1:** In the App Service page:

- 1. From the left menu, select **App Service logs**.

- 1. Under **Application logging**, select **File System**.

- 1. In the top menu, select **Save**.

- :::column-end:::

- :::column:::

- :::image type="content" source="./media/tutorial-java-quarkus-postgresql-app/azure-portal-stream-diagnostic-logs-1.png" alt-text="A screenshot showing how to enable native logs in App Service in the Azure portal." lightbox="./media/tutorial-java-quarkus-postgresql-app/azure-portal-stream-diagnostic-logs-1.png":::

- :::column-end:::

- :::column span="2":::

- **Step 2:** From the left menu, select **Log stream**. You see the logs for your app, including platform logs and logs from inside the container.

- :::column-end:::

- :::column:::

- :::image type="content" source="./media/tutorial-java-quarkus-postgresql-app/azure-portal-stream-diagnostic-logs-2.png" alt-text="A screenshot showing how to view the log stream in the Azure portal." lightbox="./media/tutorial-java-quarkus-postgresql-app/azure-portal-stream-diagnostic-logs-2.png":::

- :::column-end:::

-Learn more about logging in Java apps in the series on [Enable Azure Monitor OpenTelemetry for .NET, Node.js, Python and Java applications](../azure-monitor/app/opentelemetry-enable.md?tabs=java).

-## 7. Clean up resources

-When you're finished, you can delete all of the resources from your Azure subscription by deleting the resource group.

- :::column span="2":::

- **Step 1:** In the search bar at the top of the Azure portal:

- 1. Enter the resource group name.

- 1. Select the resource group.

- :::column-end:::

- :::column:::

- :::image type="content" source="./media/tutorial-java-quarkus-postgresql-app/azure-portal-clean-up-resources-1.png" alt-text="A screenshot showing how to search for and navigate to a resource group in the Azure portal." lightbox="./media/tutorial-java-quarkus-postgresql-app/azure-portal-clean-up-resources-1.png":::

- :::column-end:::

- :::column span="2":::

- **Step 2:** In the resource group page, select **Delete resource group**.

- :::column-end:::

- :::column:::

- :::image type="content" source="./media/tutorial-java-quarkus-postgresql-app/azure-portal-clean-up-resources-2.png" alt-text="A screenshot showing the location of the Delete Resource Group button in the Azure portal." lightbox="./media/tutorial-java-quarkus-postgresql-app/azure-portal-clean-up-resources-2.png":::

- :::column-end:::

- :::column span="2":::

- **Step 3:**

- 1. Confirm your deletion by typing the resource group name.

- 1. Select **Delete**.

- 1. Confirm with **Delete** again.

- :::column-end:::

- :::column:::

- :::image type="content" source="./media/tutorial-java-quarkus-postgresql-app/azure-portal-clean-up-resources-3.png" alt-text="A screenshot of the confirmation dialog for deleting a resource group in the Azure portal." lightbox="./media/tutorial-java-quarkus-postgresql-app/azure-portal-clean-up-resources-3.png"::::

- :::column-end:::

-## 2. Create Azure resources and deploy a sample app

-In this step, you create the Azure resources and deploy a sample app to App Service on Linux. The steps used in this tutorial create a set of secure-by-default resources that include App Service and Azure Database for PostgreSQL.

-The dev container already has the [Azure Developer CLI](/azure/developer/azure-developer-cli/install-azd) (AZD).

-1. From the repository root, run `azd init`.

- ```bash

- azd init --template javase-app-service-postgresql-infra

- ```

-1. When prompted, give the following answers:

-

- |Question |Answer |

- |||

- |Continue initializing an app in '\<your-directory>'? | **Y** |

- |What would you like to do with these files? | **Keep my existing files unchanged** |

- |Enter a new environment name | Type a unique name. The AZD template uses this name as part of the DNS name of your web app in Azure (`<app-name>.azurewebsites.net`). Alphanumeric characters and hyphens are allowed. |

-1. Sign into Azure by running the `azd auth login` command and following the prompt:

- ```bash

- azd auth login

- ```

-1. Create the necessary Azure resources and deploy the app code with the `azd up` command. Follow the prompt to select the desired subscription and location for the Azure resources.

- ```bash

- azd up

- ```

- The `azd up` command takes about 15 minutes to complete (the Redis cache take the most time). It also compiles and deploys your application code, but you'll modify your code later to work with App Service. While it's running, the command provides messages about the provisioning and deployment process, including a link to the deployment in Azure. When it finishes, the command also displays a link to the deploy application.

- This AZD template contains files (*azure.yaml* and the *infra* directory) that generate a secure-by-default architecture with the following Azure resources:

- - **Resource group**: The container for all the created resources.

- - **App Service plan**: Defines the compute resources for App Service. A Linux plan in the *B1* tier is created.

- - **App Service**: Represents your app and runs in the App Service plan.

- - **Virtual network**: Integrated with the App Service app and isolates back-end network traffic.

- - **Azure Database for PostgreSQL flexible server**: Accessible only from behind its private endpoint. A database is created for you on the server.

- - **Azure Cache for Redis**: Accessible only from within the virtual network.

- - **Private DNS zones**: Enable DNS resolution of the database server and the Redis cache in the virtual network.

- - **Log Analytics workspace**: Acts as the target container for your app to ship its logs, where you can also query the logs.

- - **Key vault**: Used to keep your database password the same when you redeploy with AZD.

-Having issues? Check the [Troubleshooting section](#troubleshooting).

-## 3. Verify connection strings

-The AZD template you use generated the connectivity variables for you already as [app settings](configure-common.md#configure-app-settings) and outputs the them to the terminal for your convenience. App settings are one way to keep connection secrets out of your code repository.

-1. In the AZD output, find the app setting `AZURE_POSTGRESQL_CONNECTIONSTRING`. To keep secrets safe, only the setting names are displayed. They look like this in the AZD output:

- <pre>

- App Service app has the following connection strings:

-

- - AZURE_POSTGRESQL_CONNECTIONSTRING

- - AZURE_REDIS_CONNECTIONSTRING

- </pre>

- `AZURE_POSTGRESQL_CONNECTIONSTRING` contains the connection string to the PostgreSQL database in Azure. You need to use it in your code later.

-1. For your convenience, the AZD template shows you the direct link to the app's app settings page. Find the link and open it in a new browser tab. Later, you will add an app setting using AZD instead of in the portal.

-Having issues? Check the [Troubleshooting section](#troubleshooting).

-## 4. Modify sample code and redeploy

-1. Back in the GitHub codespace of your sample fork, open *infra/resources.bicep*.

-1. Find the `appSettings` resource and comment the property `PORT: '8080'`. When you're done, your `appSettings` resource should look like the following code:

- ```Bicep

- resource appSettings 'config' = {

- name: 'appsettings'

- properties: {

- PORT: '8080'

- }

- }

- ```

-1. From the explorer, open *src/main/resources/application.properties*.

-1. Find the commented code (lines 10-11) and uncomment it.

- ```

- %prod.quarkus.datasource.jdbc.url=${AZURE_POSTGRESQL_CONNECTIONSTRING}

- quarkus.package.type=uber-jar

- ```

-

- This code sets the production variable `%prod.quarkus.datasource.jdbc.url` to the app setting that the creation wizard for you. The `quarkus.package.type` is set to build an Uber-Jar, which you need to run in App Service.

-1. Back in the codespace terminal, run `azd up`.

-

- ```bash

- azd up

- ```

- > [!TIP]

- > `azd up` actually does `azd package`, `azd provision`, and `azd deploy`. `azd provision` lets you update the Azure changes you made in *infra/resources.bicep*. `azd deploy` uploads the built Jar file.

- >

- > To find out how the Jar file is packaged, you can run `azd package --debug` by itself.

-Having issues? Check the [Troubleshooting section](#troubleshooting).

-## 5. Browse to the app

-1. In the AZD output, find the URL of your app and navigate to it in the browser. The URL looks like this in the AZD output:

- <pre>

- Deploying services (azd deploy)

-

- (Γ£ô) Done: Deploying service web

- - Endpoint: https://&lt;app-name>.azurewebsites.net/

- </pre>

-2. Add a few fruits to the list.

- :::image type="content" source="./media/tutorial-java-quarkus-postgresql-app/azure-portal-browse-app-2.png" alt-text="A screenshot of the Quarkus web app with PostgreSQL running in Azure showing fruits." lightbox="./media/tutorial-java-quarkus-postgresql-app/azure-portal-browse-app-2.png":::

- Congratulations, you're running a web app in Azure App Service, with secure connectivity to Azure Database for PostgreSQL.

-Having issues? Check the [Troubleshooting section](#troubleshooting).

-## 6. Stream diagnostic logs

-Azure App Service can capture console logs to help you diagnose issues with your application. For convenience, the AZD template already [enabled logging to the local file system](troubleshoot-diagnostic-logs.md#enable-application-logging-linuxcontainer) and is [shipping the logs to a Log Analytics workspace](troubleshoot-diagnostic-logs.md#send-logs-to-azure-monitor).

-The sample application includes standard JBoss logging statements to demonstrate this capability as shown below.

-In the AZD output, find the link to stream App Service logs and navigate to it in the browser. The link looks like this in the AZD output:

-<pre>

-Stream App Service logs at: https://portal.azure.com/#@/resource/subscriptions/&lt;subscription-guid>/resourceGroups/&lt;group-name>/providers/Microsoft.Web/sites/&lt;app-name>/logStream

-</pre>

-Learn more about logging in Java apps in the series on [Enable Azure Monitor OpenTelemetry for .NET, Node.js, Python and Java applications](../azure-monitor/app/opentelemetry-enable.md?tabs=java).

-Having issues? Check the [Troubleshooting section](#troubleshooting).

-## 7. Clean up resources

-To delete all Azure resources in the current deployment environment, run `azd down` and follow the prompts.

-```bash

-azd down

-```

-## Troubleshooting

-#### I see the error log "ERROR [org.acm.hib.orm.pan.ent.FruitEntityResource] (vert.x-eventloop-thread-0) Failed to handle request: jakarta.ws.rs.NotFoundException: HTTP 404 Not Found".

-This is a Vert.x error (see [Quarkus Reactive Architecture](https://quarkus.io/guides/quarkus-reactive-architecture)), indicating that the client requested an unknown path. This error happens on every app startup because App Service verifies that the app starts by sending a `GET` request to `/robots933456.txt`.

-#### The app failed to start and shows the following error in log: "Model classes are defined for the default persistence unit \<default> but configured datasource \<default> not found: the default EntityManagerFactory will not be created."

-This Quarkus error is most likely because the app can't connect to the Azure database. Make sure that the app setting `AZURE_POSTGRESQL_CONNECTIONSTRING` hasn't been changed, and that *application.properties* is using the app setting properly.

-## Frequently asked questions

-#### How much does this setup cost?

-Pricing for the created resources is as follows:

-#### How do I connect to the PostgreSQL server that's secured behind the virtual network with other tools?

-#### How does local app development work with GitHub Actions?

-Using the autogenerated workflow file from App Service as an example, each `git push` kicks off a new build and deployment run. From a local clone of the GitHub repository, you make the desired updates and push to GitHub. For example:

-```terminal

-git add .

-git commit -m "<some-message>"

-git push origin main

-```

-#### What if I want to run tests with PostgreSQL during the GitHub workflow?

-The default Quarkus sample application includes tests with database connectivity. To avoid connection errors, you added the `-skipTests` property. If you want, you can run the tests against a PostgreSQL service container. For example, in the automatically generated workflow file in your GitHub fork (*.github/workflows/main_cephalin-quarkus.yml*), make the following changes:

-1. Add YAML code for the PostgreSQL container to the `build` job, as shown in the following snippet.

- ```yml

- ...

- jobs:

- build:

- runs-on: ubuntu-latest

-

- # BEGIN CODE ADDITION

- container: ubuntu

-

- # Hostname for the PostgreSQL container

- postgresdb:

- image: postgres

- env:

- POSTGRES_PASSWORD: postgres

- POSTGRES_USER: postgres

- POSTGRES_DB: postgres

- # Set health checks to wait until postgres has started

- options: >-

- --health-cmd pg_isready

- --health-interval 10s

- --health-timeout 5s

- --health-retries 5

-

- # END CODE ADDITION

-

- steps:

- - uses: actions/checkout@v4

- ...

- ```

-

- `container: ubuntu` tells GitHub to run the `build` job in a container. This way, the connection string in your dev environment `jdbc:postgresql://postgresdb:5432/postgres` can work as-is in when the workflow runs. For more information about PostgreSQL connectivity in GitHub Actions, see [Creating PostgreSQL service containers](https://docs.github.com/en/actions/using-containerized-services/creating-postgresql-service-containers).

-1. In the `Build with Maven` step, remove `-DskipTests`. For example:

- ```yml

- - name: Build with Maven

- run: mvn clean install

- ```

-## Next steps

-Learn more about running Java apps on App Service in the developer guide.

-> [!div class="nextstepaction"]

-> [Configure a Java app in Azure App Service](configure-language-java-deploy-run.md?pivots=platform-linux)

-Learn how to secure your app with a custom domain and certificate.

-> [!div class="nextstepaction"]

-> [Secure with custom domain and certificate](tutorial-secure-domain-certificate.md)

-## 5. Deploy sample code

-## 6. Browse to the app

-## 7. Stream diagnostic logs

-## 8. Clean up resources

-## 5. Browse to the app

-## 6. Stream diagnostic logs

-## 7. Clean up resources

-> [!NOTE]

-> Durable entities are currently not supported in PowerShell.

-> [!NOTE]

-> Durable entities are currently not supported in Java.

-* If you have questions, submit an issue to the team [here](https://github.com/Azure/azure-functions-eventgrid-extension/issues)

-## Next steps

-> [!div class="nextstepaction"]

-> [Using the Azure Function return value](./functions-bindings-return-value.md)

-description: Learn to manage return values for Azure Functions

-# ms.devlang: csharp, fsharp, java, javascript, powershell, python

-zone_pivot_groups: programming-languages-set-functions-lang-workers

-# Using the Azure Function return value

-This article explains how return values work inside a function. In languages that have a return value, you can bind a function [output binding](./functions-triggers-bindings.md#binding-direction) to the return value.

-Set the `name` property in *function.json* to `$return`. If there are multiple output bindings, use the return value for only one of them.

-How return values are used depends on the C# mode you're using in your function app:

-# [Isolated worker model](#tab/isolated-process)

-See [Output bindings in the .NET worker guide](./dotnet-isolated-process-guide.md#output-bindings) for details and examples.

-# [In-process model](#tab/in-process)

-In a C# class library, apply the output binding attribute to the method return value. In C# and C# script, alternative ways to send data to an output binding are `out` parameters and [collector objects](functions-reference-csharp.md#writing-multiple-output-values).

-Here's C# code that uses the return value for an output binding, followed by an async example:

-```cs

-[FunctionName("QueueTrigger")]

-[return: Blob("output-container/{id}")]

-public static string Run([QueueTrigger("inputqueue")]WorkItem input, ILogger log)

-{

- string json = string.Format("{{ \"id\": \"{0}\" }}", input.Id);

- log.LogInformation($"C# script processed queue message. Item={json}");

- return json;

-}

-```

-```cs

-[FunctionName("QueueTrigger")]

-[return: Blob("output-container/{id}")]

-public static Task<string> Run([QueueTrigger("inputqueue")]WorkItem input, ILogger log)

-{

- string json = string.Format("{{ \"id\": \"{0}\" }}", input.Id);

- log.LogInformation($"C# script processed queue message. Item={json}");

- return Task.FromResult(json);

-}

-```

-Here's the output binding in the *function.json* file:

-```json

-{

- "name": "$return",

- "type": "blob",

- "direction": "out",

- "path": "output-container/{id}"

-}

-```

-Here's the JavaScript code:

-```javascript

-module.exports = function (context, input) {

- var json = JSON.stringify(input);

- context.log('Node.js script processed queue message', json);

- return json;

-}

-```

-Here's the output binding in the *function.json* file:

-```json

-{

- "name": "Response",

- "type": "blob",

- "direction": "out",

- "path": "output-container/{blobname}"

-}

-```

-Here's the PowerShell code that uses the return value for an http output binding:

-```powershell

-Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{

- StatusCode = [HttpStatusCode]::OK

- Body = $blobname

- })

-```

-Here's the output binding in the *function.json* file:

-```json

-{

- "name": "$return",

- "type": "blob",

- "direction": "out",

- "path": "output-container/{id}"

-}

-```

-Here's the Python code:

-```python

-def main(input: azure.functions.InputStream) -> str:

- return json.dumps({

- 'name': input.name,

- 'length': input.length,

- 'content': input.read().decode('utf-8')

- })

-```

-Apply the output binding annotation to the function method. If there are multiple output bindings, use the return value for only one of them.

-Here's Java code that uses the return value for an output binding:

-```java

-@FunctionName("QueueTrigger")

-@StorageAccount("AzureWebJobsStorage")

-@BlobOutput(name = "output", path = "output-container/{id}")

-public static String run(

- @QueueTrigger(name = "input", queueName = "inputqueue") WorkItem input,

- final ExecutionContext context

-) {

- String json = String.format("{ \"id\": \"%s\" }", input.id);

- context.getLogger().info("Java processed queue message. Item=" + json);

- return json;

-}

-```

-## Next steps

-> [!div class="nextstepaction"]

-> [Handle Azure Functions binding errors](./functions-bindings-errors.md)

-Each binding has its own supported types; for instance, a blob trigger attribute can be applied to a string parameter, a POCO parameter, a `CloudBlockBlob` parameter, or any of several other supported types. The [binding reference article for blob bindings](functions-bindings-storage-blob-trigger.md#usage) lists all supported parameter types. For more information, see [Triggers and bindings](functions-triggers-bindings.md) and the [binding reference docs for each binding type](functions-triggers-bindings.md#next-steps).

-You can use a method return value for an output binding, by applying the attribute to the method return value. For examples, see [Triggers and bindings](./functions-bindings-return-value.md).

-Each binding has its own supported types; for instance, a blob trigger can be used with a string parameter, a POCO parameter, a `CloudBlockBlob` parameter, or any of several other supported types. The [binding reference article for blob bindings](functions-bindings-storage-blob-trigger.md#usage) lists all supported parameter types for blob triggers. For more information, see [Triggers and bindings](functions-triggers-bindings.md) and the [binding reference docs for each binding type](functions-triggers-bindings.md#next-steps).

-Triggers cause a function to run. A trigger defines how a function is invoked and a function must have exactly one trigger. Triggers have associated data, which is often provided as the payload of the function.

-Binding to a function is a way of declaratively connecting another resource to the function; bindings may be connected as *input bindings*, *output bindings*, or both. Data from bindings is provided to the function as parameters.

-You can mix and match different bindings to suit your needs. Bindings are optional and a function might have one or multiple input and/or output bindings.

-|A scheduled job reads Blob Storage contents and creates a new Azure Cosmos DB document. | Timer | Blob Storage | Azure Cosmos DB |

-|The Event Grid is used to read an image from Blob Storage and a document from Azure Cosmos DB to send an email. | Event Grid | Blob Storage and Azure Cosmos DB | SendGrid |

-| A webhook that uses Microsoft Graph to update an Excel sheet. | HTTP | *None* | Microsoft Graph |

-These examples aren't meant to be exhaustive, but are provided to illustrate how you can use triggers and bindings together.

-### Trigger and binding definitions

-Triggers and bindings are defined differently depending on the development language.

-| Language | Triggers and bindings are configured by... |

-|-|--|

-| C# class library | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;decorating methods and parameters with C# attributes |

-| Java | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;decorating methods and parameters with Java annotations |

-| JavaScript/PowerShell/Python/TypeScript | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;updating [function.json](./functions-reference.md) ([schema](http://json.schemastore.org/function)) |

-For languages that rely on function.json, the portal provides a UI for adding bindings in the **Integration** tab. You can also edit the file directly in the portal in the **Code + test** tab of your function. Visual Studio Code lets you easily [add a binding to a function.json file](functions-develop-vs-code.md?tabs=nodejs#add-a-function-to-your-project) by following a convenient set of prompts.

-In .NET and Java, the parameter type defines the data type for input data. For instance, use `string` to bind to the text of a queue trigger, a byte array to read as binary, and a custom type to de-serialize to an object. Since .NET class library functions and Java functions don't rely on *function.json* for binding definitions, they can't be created and edited in the portal. C# portal editing is based on C# script, which uses *function.json* instead of attributes.

-To learn more about how to add bindings to existing functions, see [Connect functions to Azure services using bindings](add-bindings-existing-function.md).

-For languages that are dynamically typed such as JavaScript, use the `dataType` property in the *function.json* file. For example, to read the content of an HTTP request in binary format, set `dataType` to `binary`:

- "dataType": "binary",

- "type": "httpTrigger",

- "name": "req",

- "direction": "in"

-Other options for `dataType` are `stream` and `string`.

-## Binding direction

-All triggers and bindings have a `direction` property in the [function.json](./functions-reference.md) file:

-When you use [attributes in a class library](functions-dotnet-class-library.md) to configure triggers and bindings, the direction is provided in an attribute constructor or inferred from the parameter type.

-Use the following table to find examples of specific binding types that show you how to work with bindings in your functions. First, choose the language tab that corresponds to your project.

-## Resources

-## Next steps

-> [!div class="nextstepaction"]

-> [Register Azure Functions binding extensions](./functions-bindings-register.md)

-description: Tutorial on how to migrate a web app from Bing Maps to Microsoft Azure Maps.

-# Tutorial: Migrate a web app from Bing Maps

-Web apps that use Bing Maps often use the Bing Maps V8 JavaScript SDK. The Azure Maps Web SDK is the suitable Azure-based SDK to migrate to. The Azure Maps Web SDK lets you customize interactive maps with your own content and imagery for display in your web or mobile applications. This control makes use of WebGL, allowing you to render large data sets with high performance. Develop with this SDK using JavaScript or TypeScript. This tutorial demonstrates how to:

-There is no need to set accelerated networking for the network interface cards (NICs) in the dedicated subnet of Azure NetApp Files. [Accelerated networking](../virtual-network/virtual-machine-network-throughput.md) is a capability that only applies to Azure virtual machines. Azure NetApp Files NICs are optimized by design.

-## How do I convert throughput-based service levels of Azure NetApp Files to IOPS?

-You can convert MB/s to IOPS by using the following formula:

-Service mode is an important concept in Azure SignalR Service. SignalR Service currently supports three service modes: *Default*, *Serverless*, and *Classic*. Your SignalR Service resource will behave differently in each mode. In this article, you'll learn how to choose the right service mode based on your scenario.

-You'll be asked to specify a service mode when you create a new SignalR resource in the Azure portal.

-As the name implies, *Default* mode is the default service mode for SignalR Service. In Default mode, your application works as a typical [ASP.NET Core SignalR](/aspnet/core/signalr/introduction) or ASP.NET SignalR (deprecated) application. You have a web server application that hosts a hub, called a *hub server*, and clients have full duplex communication with the hub server. The difference between ASP.NET Core SignalR and Azure SignalR Service is instead of connecting client and hub server directly, client and server both connect to SignalR Service and use the service as a proxy. The following diagram shows the typical application structure in Default mode.

-In Default mode, there are WebSocket connections between hub server and SignalR Service called *server connections*. These connections are used to transfer messages between a server and client. When a new client is connected, SignalR Service will route the client to one hub server (assume you've more than one server) through existing server connections. The client connection will stick to the same hub server during its lifetime. This property is referred to as *connection stickiness*. When the client sends messages, they always go to the same hub server. With stickiness behavior, you can safely maintain some states for individual connections on your hub server. For example, if you want to stream something between server and client, you don't need to consider the case where data packets go to different servers.

-The default routing model also means when a hub server goes offline, the connections routed to that server will be dropped. You should expect connections to drop when your hub server is offline for maintenance, and handle reconnection to minimize the effects on your application.

-Unlike Default mode, Serverless mode doesn't require a hub server to be running, which is why this mode is named "serverless." SignalR Service is responsible for maintaining client connections. There's no guarantee of connection stickiness and HTTP requests may be less efficient than WebSockets connections.

-Because there's no server connection, if you try to use a server SDK to establish a server connection you'll get an error. SignalR Service will reject server connection attempts in Serverless mode.

-It's also possible for your server application to receive messages and connection events from clients. SignalR Service will deliver messages and connection events to pre-configured endpoints (called *upstream endpoints*) using web hooks. Upstream endpoints can only be configured in Serverless mode. For more information, see [Upstream endpoints](concept-upstream.md).

-Classic is a mixed mode of Default and Serverless modes. In Classic mode, connection type is decided by whether there's a hub server connected when the client connection is established. If there's a hub server, the client connection will be routed to a hub server. If a hub server isn't available, the client connection will be made in a limited serverless mode where client-to-server messages can't be delivered to a hub server. Classic mode serverless connections don't support some features such as upstream endpoints.

-If all your hub servers are offline for any reason, connections will be made in Serverless mode. It's your responsibility to ensure that at least one hub server is always available.

-Messages sent into the service are inbound messages and messages sent out of the service are outbound messages. Only outbound messages from Azure SignalR Service are counted for billing. Ping messages between clients and servers are ignored.

-* If you have three clients and one application server, when one client sends a 4-KB message for the server broadcast to all clients, the billed message count is eight:

-The service and the application server keep syncing connection status and making adjustments to server connections to get better performance and service stability. So you may see changes in the number of server connections in your running service.

-While the service is being deployed, let's switch to prepare the code. Clone the [sample app from GitHub](https://github.com/aspnet/AzureSignalR-samples.git), set the SignalR Service connection string, and run the application locally.

-To deploy Zerto on Azure VMware Solution, follow these [instructions](https://help.zerto.com/bundle/Install.AVS.HTML/page/Prerequisites_Zerto_AVS.htm).

-| **Possible causes** | HANA LSN Log chain break can be triggered for various reasons, including:<ul><li>Azure Storage call failure to commit backup.</li><li>The Tenant DB is offline.</li><li>Extension upgrade terminates an in-progress Backup job.</li><li>Unable to connect to Azure Storage during backup.</li><li>SAP HANA has rolled back a transaction in the backup process.</li><li>A backup is complete, but catalog isn't yet updated with success in HANA system.</li><li>Backup failed from Azure Backup perspective, but success from the perspective of HANA ΓÇö the log backup/catalog destination might have been updated from Backint-to-file system, or the Backint executable might have been changed.</li></ul> |

-| **Recommended action** | To resolve this issue, Azure Backup triggers an auto-heal Full backup. While this auto-heal backup is in progress, all log backups are triggered by HANA fail with **OperationCancelledBecauseConflictingAutohealOperationRunningUserError**. Once the auto-heal Full backup is complete, logs and all other backups start working as expected.<br>If you don't see an auto-heal full backup triggered or any successful backup (Full/Differential/ Incremental) in 24 hours, contact Microsoft support.</br> |

-|Recommended action | Ensure that your restore scenario isn't in the following list of possible incompatible restores:<br> **Case 1:** SYSTEMDB can't be renamed during restore.<br>**Case 2:** Source ΓÇö SDC and target ΓÇö MDC: The source database can't be restored as SYSTEMDB or tenant DB on the target. <br> **Case 3:** Source ΓÇö MDC and target ΓÇö SDC: The source database (SYSTEMDB or tenant DB) can't be restored to the target.<br>To learn more, see the note **1642148** in the [SAP support launchpad](https://launchpad.support.sap.com). |

-**Possible causes** | Backup user (AZUREWLBACKUPHANAUSER) created by the preregistration script doesn't have one or more of the following roles assigned:<ul><li>For MDC, DATABASE ADMIN and BACKUP ADMIN (for HANA 2.0 SPS05 and later) create new databases during restore.</li><li>For SDC, BACKUP ADMIN creates new databases during restore.</li><li>CATALOG READ to read the backup catalog.</li><li>SAP_INTERNAL_HANA_SUPPORT to access a few private tables. Only required for SDC and MDC versions prior to HANA 2.0 SPS04 Rev 46. It's not required for HANA 2.0 SPS04 Rev 46 and later. This is because we're getting the required information from public tables now with the fix from HANA team.</li></ul>

-**Possible causes** | The Database/Backup user created by the preregistration script doesn't set expiry for the password. However, if it was altered, you may see this error.

-**Possible causes** | The SAP HANA preregistration script to set up the environment hasn't been run.

-**Possible causes** | When you've reached the maximum permissible limit for an operation in a span of 24 hours, this error appears. This error usually appears when there are at-scale operations such as modify policy or auto-protection. Unlike the case of CloudDosAbsoluteLimitReached, there isn't much you can do to resolve this state. In fact, Azure Backup service will retry the operations internally for all the items in question.<br><br> For example, if you have a large number of datasources protected with a policy and you try to modify that policy, it'll trigger the configure protection jobs for each of the protected items and sometimes may hit the maximum limit permissible for such operations per day.

-In multiple container databases for HANA, the standard configuration is SYSTEMDB + 1 or more Tenant DBs. Restore of an entire SAP HANA instance restores both SYSTEMDB and Tenant DBs. One restores SYSTEMDB first and then proceeds for Tenant DB. System DB essentially means to override the system information on the selected target. This restore also overrides the BackInt related information in the target instance. So after the system DB is restored to a target instance, run the preregistration script again. Only then the subsequent tenant DB restores will succeed.

- - Run the preregistration script

- - Run the preregistration script

- - The original VM and the new VM have the same SID. The preregistration script runs successfully.

- - The original VM and the new VM have different SIDs. The preregistration script fails. Contact support to get help in this scenario.

-Create a Recovery Services vault with the [az backup vault create](/cli/azure/backup/vault#az-backup-vault-create) command. Use the resource group and location as that of the VM you want to protect. Learn how to create a VM using Azure CLI with [this VM quickstart](/azure/virtual-machines/linux/quick-create-cli).

-9. After granting permission, **Rediscover DBs** in the portal: Vault **->** Backup Infrastructure **->** Workload in Azure VM:

-az backup protection update-for-vm --resource-group {resourcegroup} --vault-name {vaultname} -c {vmname} -i {vmname} --backup-management-type AzureIaasVM --exclude-all-data-disks

-# Pull images from a connected registry on IoT Edge device

-# Quickstart: Create a connected registry using the Azure CLI

-# Quickstart: Create a connected registry using the Azure portal

-# Quickstart: Deploy a connected registry to an IoT Edge device

->The price change might result in a a price decrease, not only an increase, as explained in this example.

-description: Learn how an Azure Databricks prepurchase discount applies to your usage. You can use Databricks prepurchased units at any time during the purchase term.

-# How Azure Databricks prepurchase discount is applied

-Databricks prepurchase applies to all Databricks workloads and tiers. You can think of the prepurchase as a pool of prepaid Databricks commit units. Usage is deducted from the pool, regardless of the workload or tier. Usage is deducted in the following ratios:

-| Workload | DBU application ratio - Standard tier | DBU application ratio - Premium tier |

-| | | |

-| All-purpose compute | 0.4 | 0.55 |

-| Jobs compute | 0.15 | 0.30 |

-| Jobs light compute | 0.07 | 0.22 |

-| SQL compute | N/A | 0.22 |

-| SQL Pro compute | N/A | 0.55 |

-| Serverless SQL | N/A | 0.70 |

-| Serverless real-time inference | N/A | 0.082 |

-| Model training | N/A | 0.65 |

-| Delta Live Tables | NA | 0.30 (core), 0.38 (pro), 0.54 (advanced) |

-| All Purpose Photon | NA | 0.55 |

-For example, when All-purpose compute ΓÇô Standard Tier capacity gets consumed, the prepurchased Databricks commit units get deducted by 0.4 units. When Jobs light compute ΓÇô Standard Tier capacity gets used, the prepurchased Databricks commit unit gets deducted by 0.07 units.

-> Enabling Photon increases the DBU count.

-## Next steps

-| servicePrincipalKey | Specify the Microsoft Entra application's key. Mark this field as a **SecureString** to store it securely in Data Factory, or [reference a secret stored in Azure Key Vault](store-credentials-in-key-vault.md). | Yes |

-**Example**

-* **Software requirements:** For hosts that connect to the Data Box, describes supported operating systems, file transfer protocols, storage accounts, storage types, and browsers for the local web UI.

-* **Networking requirements:** For the Data Box, describes requirements for network connections and ports for best operation of the Data Box.

-> Connection to Data Box shares is not supported via REST for export orders.

-> Transporting data from on-premises NFS clients into Data Box using NFSv4 is supported. However, to copy data from Data Box to Azure, Data Box supports only REST-based transport. Azure file share with NFSv4.1 does not support REST for data access/transfers.

-The following table lists the ports that need to be opened in your firewall to allow for SMB or NFS traffic. In this table, *In* (*inbound*) refers to the direction from which incoming client requests access to your device. *Out* (or *outbound*) refers to the direction in which your Data Box device sends data externally, beyond the deployment. For example, data might be outbound to the Internet.

- "changeCategory": "System",

- "propertyChangeType": "Update",

-### For EOL versions (Spark 2.4 clusters):

- /usr/hdp/current/kafka-broker/bin/kafka-topics.sh --create --replication-factor 3 --partitions 8 --topic test --zookeeper $KAFKAZKHOSTS

- This command connects to Zookeeper using the host information stored in `$KAFKAZKHOSTS`. It then creates an Apache Kafka topic named **test**.

- /usr/hdp/current/kafka-broker/bin/kafka-topics.sh --list --zookeeper $KAFKAZKHOSTS

- /usr/hdp/current/kafka-broker/bin/kafka-topics.sh --delete --topic topicname --zookeeper $KAFKAZKHOSTS

-| [Yocto (Kirkstone)](https://www.yoctoproject.org/)<br>For Yocto issues, open a [GitHub issue](https://github.com/Azure/meta-iotedge/issues) |  |  |  | [April 2026](https://wiki.yoctoproject.org/wiki/Releases) |

-| [Debian 11 ](https://www.debian.org/releases/bullseye/) |  | |  | [June 2026](https://wiki.debian.org/LTS) |

-| [Ubuntu Core ²](https://snapcraft.io/azure-iot-edge) |  | |  | [April 2027](https://ubuntu.com/about/release-cycle) |

-| [Yocto (Kirkstone)](https://www.yoctoproject.org/)<br>For Yocto issues, open a [GitHub issue](https://github.com/Azure/meta-iotedge/issues) |  |  |  | [April 2026](https://wiki.yoctoproject.org/wiki/Releases) |

-² Ubuntu Core is fully supported but the automated testing of Snaps currently happens on Ubuntu 22.04 Server LTS.

- 

- 

- systemAssignedManagedIdentitySettings:{

- }

- systemAssignedManagedIdentitySettings: {

- }

-|France Central |&check; | |

-3. Investigate and remediate the original breach (engage the [Microsoft Detection and Response Team (DART)](https://www.microsoft.com/security/blog/2019/03/25/dart-the-microsoft-cybersecurity-team-we-hope-you-never-meet/) to help)

-In this article, you learned how to improve your backup and restore plan to protect against ransomware. For best practices on deploying ransomware protection, see Rapidly protect against ransomware and extortion.

-Microsoft Security team blog posts:

-#Customer intent: As a security analyst, I want to quickly add relevant threat intelligence from my investigation for myself and others so I don't lose important information.

-For example, you discover an IP address performing port scans across your network, or functioning as a command and control node, sending and/or receiving transmissions from large numbers of nodes in your network.

-Microsoft Sentinel allows you to flag these types of entities right from within your incident investigation, and add it to your threat intelligence. You are able to view the added indicators both in **Logs** and **Threat Intelligence**, and use them across your Microsoft Sentinel workspace.

-The new [incident details page](investigate-incidents.md) gives you another way to add entities to threat intelligence, in addition to the investigation graph. Both ways are shown below.

-1. From the Microsoft Sentinel navigation menu, select **Incidents**.

-1. Select an incident to investigate. In the incident details panel, select **View full details** to open the incident details page.

- :::image type="content" source="media/add-entity-to-threat-intelligence/incident-details-overview.png" alt-text="Screenshot of incident details page." lightbox="media/add-entity-to-threat-intelligence/incident-details-overview.png":::

-1. Find the entity from the **Entities** widget that you want to add as a threat indicator. (You can filter the list or enter a search string to help you locate it.)

- Only the following types of entities can be added as threat indicators:

- :::image type="content" source="media/add-entity-to-threat-intelligence/entity-actions-from-overview.png" alt-text="Screenshot of adding an entity to threat intelligence.":::

-The [investigation graph](investigate-cases.md) is a visual, intuitive tool that presents connections and patterns and enables your analysts to ask the right questions and follow leads. You can use it to add entities to your threat intelligence indicator lists, making them available across your workspace.

-1. From the Microsoft Sentinel navigation menu, select **Incidents**.

-1. Select an incident to investigate. In the incident details panel, select the **Actions** button and choose **Investigate** from the pop-up menu. This will open the investigation graph.

- :::image type="content" source="media/add-entity-to-threat-intelligence/select-incident-to-investigate.png" alt-text="Screenshot of selecting incident from queue to investigate.":::

-1. Select the entity from the graph that you want to add as a threat indicator. A side panel will open on the right. Select **Add to TI**.

- Only the following types of entities can be added as threat indicators:

- :::image type="content" source="media/add-entity-to-threat-intelligence/add-entity-to-ti.png" alt-text="Screenshot of adding entity to threat intelligence.":::

-Whichever of the two interfaces you choose, you will end up here:

-1. The **New indicator** side panel will open. The following fields will be populated automatically:

- - **Type**

- - The type of indicator represented by the entity you're adding.

- Drop-down with possible values: *ipv4-addr*, *ipv6-addr*, *URL*, *file*, *domain-name*

- - Required; automatically populated based on the **entity type**.

- - Required; automatically populated by the **entity value**.

- - **Tags**

- - Optional; automatically populated by the **incident ID**. You can add others.

- - Name of the indicator&mdash;this is what will be displayed in your list of indicators.

- - Optional; automatically populated by the **incident name.**

- - Optional; automatically populated by the user logged into Microsoft Sentinel.

- - **Threat type**

- - Optional; free text.

- - Optional; free text.

- - Revoked status of the indicator. Mark checkbox to revoke the indicator, clear checkbox to make it active.

- - Optional; boolean.

- - Score reflecting confidence in the correctness of the data, by percent.

- - Optional; integer, 1-100

- - **Kill chain**

- - Phases in the [*Lockheed Martin Cyber Kill Chain*](https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html#OVERVIEW) to which the indicator corresponds.

- - Optional; free text

- - Required; date/time

- - Optional; date/time

- :::image type="content" source="media/add-entity-to-threat-intelligence/new-indicator-panel.png" alt-text="Screenshot of entering information in new threat indicator panel.":::

-1. When all the fields are filled in to your satisfaction, select **Apply**. You'll see a confirmation message in the upper-right-hand corner that your indicator was created.

-1. The entity will be added as a threat indicator in your workspace. You can find it [in the list of indicators in the **Threat intelligence** page](work-with-threat-indicators.md#find-and-view-your-indicators-in-the-threat-intelligence-page), and also [in the *ThreatIntelligenceIndicators* table in **Logs**](work-with-threat-indicators.md#find-and-view-your-indicators-in-logs).

-In this article, you learned how to add entities to your threat indicator lists. For more information, see:

-You can, however, run the following command, which will download and run the `TimeGenerated.py` script. This script configures the Log Analytics agent to populate the *TimeGenerated* field with the event's original time on its source system, instead of the time it was received by the agent.

-wget -O TimeGenerated.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/TimeGenerated.py && python TimeGenerated.py {ws_id}

-> [!IMPORTANT]

-> The GCP Pub/Sub connectors are currently in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-1. Select the **GCP Pub/Sub Audit Logs (Preview)** connector.

-1. Select the **Google Security Command Center (Preview)** connector.

-description: Learn about how to connect Microsoft Sentinel to industry-standard threat intelligence feeds to import threat indicators.

-#customer intent: As a SOC admin, I want to connect Microsoft Sentinel to a STIX/TAXII feed to ingest threat intelligence, so I can generate alerts incidents.

-The most widely adopted industry standard for the transmission of threat intelligence is a [combination of the STIX data format and the TAXII protocol](https://oasis-open.github.io/cti-documentation/). If your organization receives threat indicators from solutions that support the current STIX/TAXII version (2.0 or 2.1), you can use the **Threat Intelligence - TAXII data connector** to bring your threat indicators into Microsoft Sentinel. This connector enables a built-in TAXII client in Microsoft Sentinel to import threat intelligence from TAXII 2.x servers.

-To import STIX formatted threat indicators to Microsoft Sentinel from a TAXII server, you must get the TAXII server API Root and Collection ID, and then enable the Threat Intelligence - TAXII data connector in Microsoft Sentinel.

-Learn more about [Threat Intelligence](understand-threat-intelligence.md) in Microsoft Sentinel, and specifically about the [TAXII threat intelligence feeds](threat-intelligence-integration.md#taxii-threat-intelligence-feeds) that can be integrated with Microsoft Sentinel.

-**See also**: [Connect your threat intelligence platform (TIP) to Microsoft Sentinel](connect-threat-intelligence-tip.md)

-## Prerequisites

-## Get the TAXII server API Root and Collection ID

-TAXII 2.x servers advertise API Roots, which are URLs that host Collections of threat intelligence. You can usually find the API Root and the Collection ID in the documentation pages of the threat intelligence provider hosting the TAXII server.

-> In some cases, the provider will only advertise a URL called a Discovery Endpoint. You can use the [cURL](https://en.wikipedia.org/wiki/CURL) utility to browse the discovery endpoint and request the API Root.

-1. For Microsoft Sentinel in the [Azure portal](https://portal.azure.com), under **Content management**, select **Content hub**. <br>For Microsoft Sentinel in the [Defender portal](https://security.microsoft.com/), select **Microsoft Sentinel** > **Content management** > **Content hub**.

-## Enable the Threat intelligence - TAXII data connector

-1. To configure the TAXII data connector, select the **Data connectors** menu.

-1. Find and select the **Threat Intelligence - TAXII** data connector > **Open connector page** button.

- :::image type="content" source="media/connect-threat-intelligence-taxii/taxii-data-connector-config.png" alt-text="Screenshot displaying the data connectors page with the TAXII data connector listed." lightbox="media/connect-threat-intelligence-taxii/taxii-data-connector-config.png":::

-1. Enter a **friendly name** for this TAXII server Collection, the **API Root URL**, the **Collection ID**, a **Username** (if required), and a **Password** (if required), and choose the group of indicators and the polling frequency you want. Select the **Add** button.

- :::image type="content" source="media/connect-threat-intelligence-taxii/threat-intel-configure-taxii-servers.png" alt-text="Configure TAXII servers":::

-You should receive confirmation that a connection to the TAXII server was established successfully, and you may repeat the last step above as many times as you want, to connect to multiple Collections from one or more TAXII servers.

-Within a few minutes, threat indicators should begin flowing into this Microsoft Sentinel workspace. You can find the new indicators in the **Threat intelligence** blade, accessible from the Microsoft Sentinel navigation menu.

-## IP allow listing for the Microsoft Sentinel TAXII client

-When relevant, the following IP addresses are those to include in your allowlist:

-In this document, you learned how to connect Microsoft Sentinel to threat intelligence feeds using the TAXII protocol. To learn more about Microsoft Sentinel, see the following articles.

-```

-#Customer intent: As a security analyst, I want to bulk import indicators from common file types to my threat intelligence (TI), so I can more effectively share TI during an investigation.

-In this how-to guide, you'll add indicators from a CSV or JSON file into Microsoft Sentinel threat intelligence. A lot of threat intelligence sharing still happens across emails and other informal channels during an ongoing investigation. The ability to import indicators directly into Microsoft Sentinel threat intelligence allows you to quickly socialize emerging threats for your team and make them available to power other analytics such as producing security alerts, incidents, and automated responses.

-> This feature is currently in PREVIEW. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-Add multiple indicators to your threat intelligence with a specially crafted CSV or JSON file. Download the file templates to get familiar with the fields and how they map to the data you have. Review the required fields for each template type to validate your data before importing.

-1. For Microsoft Sentinel in the [Azure portal](https://portal.azure.com), under **Threat management**, select **Threat intelligence**.<br> For Microsoft Sentinel in the [Defender portal](https://security.microsoft.com/), select **Microsoft Sentinel** > **Threat management** > **Threat intelligence**.

- :::image type="content" source="media/indicators-bulk-file-import/import-using-file-menu-fixed.png" alt-text="Screenshot of the menu options to import indicators using a file menu." lightbox="media/indicators-bulk-file-import/import-using-file-menu-fixed.png":::

- :::image type="content" source="media/indicators-bulk-file-import/import-using-file-menu-defender-portal.png" alt-text="Screenshot of the menu options to import indicators using a file menu from the Defender portal." lightbox="media/indicators-bulk-file-import/import-using-file-menu-defender-portal.png":::

-1. Choose CSV or JSON from the **File Format** drop down menu.

- :::image type="content" source="media/indicators-bulk-file-import/format-select-and-download.png" alt-text="Screenshot of the menu flyout to upload a CSV or JSON file, choose a template to download, and specify a source.":::

-1. Select the **Download template** link once you've chosen a bulk upload template.

-1. Consider grouping your indicators by source since each file upload requires one.

-The templates provide all the fields you need to create a single valid indicator, including required fields and validation parameters. Replicate that structure to populate additional indicators in one file. For more information on the templates, see [Understand the import templates](indicators-bulk-file-import.md#understand-the-import-templates).

-1. Drag your indicators file to the **Upload a file** section or browse for the file using the link.

-1. Choose how you want Microsoft Sentinel to handle invalid indicator entries by selecting one of the radio buttons at the bottom of the **Import using a file** pane.

- :::image type="content" source="media/indicators-bulk-file-import/upload-file-pane.png" alt-text="Screenshot of the menu flyout to upload a CSV or JSON file, choose a template to download, and specify a source highlighting the Import button.":::

-1. Select the **Import** button.

- :::image type="content" source="media/indicators-bulk-file-import/manage-file-imports.png" alt-text="Screenshot of the menu option to manage file imports.":::

-1. Review the status of imported files and the number of invalid indicator entries. The valid indicator count is updated once the file is processed. Wait for the import to complete to get the updated count of valid indicators.

- :::image type="content" source="media/indicators-bulk-file-import/manage-file-imports-pane.png" alt-text="Screenshot of the manage file imports pane with example ingestion data. The columns show sorted by imported number with various sources.":::

-1. View and sort imports by selecting **Source**, indicator file **Name**, the number **Imported**, the **Total** number of indicators in each file, or the **Created** date.

-1. Select the preview of the error file or download the error file containing the errors about invalid indicators.

-Microsoft Sentinel maintains the status of the file import for 30 days. The actual file and the associated error file are maintained in the system for 24 hours. After 24 hours the file and the error file are deleted, but any ingested indicators continue to show in Threat Intelligence.

-Review each template to ensure your indicators are imported successfully. Be sure to reference the instructions in the template file and the following supplemental guidance.

-### CSV template structure

-1. Choose between the **File indicators** or **All other indicator types** option from the **Indicator type** drop down menu when you select **CSV**.

- The CSV template needs multiple columns to accommodate the file indicator type because file indicators can have multiple hash types like MD5, SHA256, and more. All other indicator types like IP addresses only require the observable type and the observable value.

-1. Only the `validFrom`, `observableType` and `observableValue` fields are required.

-1. Keep in mind the max file size for a CSV file import is 50MB.

-Here's an example domain-name indicator using the CSV template.

-1. There is only one JSON template for all indicator types. The JSON template is based on STIX 2.1 format.

-1. The `pattern` element supports indicator types of: file, ipv4-addr, ipv6-addr, domain-name, url, user-account, email-addr, and windows-registry-key types.

-1. Close the last indicator in the array using the `}` without a comma.

-1. Keep in mind the max file size for a JSON file import is 250MB.

-Here's an example ipv4-addr indicator using the JSON template.

-This article has shown you how to manually bolster your threat intelligence by importing indicators gathered in flat files. Check out these links to learn how indicators power other analytics in Microsoft Sentinel.

-For more information on using and customizing the **Threat Intelligence** workbook, see [Work with threat indicators in Microsoft Sentinel](work-with-threat-indicators.md#workbooks-provide-insights-about-your-threat-intelligence).

-description: This article explains how to detect threats with Microsoft generated threat intelligence in Microsoft Sentinel.

-#Customer intent: As a SOC analyst, I want to match my security data with Microsoft threat intelligence so I can generate high fidelity alerts and incidents.

-Take advantage of threat intelligence produced by Microsoft to generate high fidelity alerts and incidents with the **Microsoft Defender Threat Intelligence Analytics** rule. This built-in rule in Microsoft Sentinel matches indicators with Common Event Format (CEF) logs, Windows DNS events with domain and IPv4 threat indicators, syslog data, and more.

-> Matching analytics is currently in PREVIEW. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-In order to produce high fidelity alerts and incidents, one or more of the supported data connectors must be installed, but a premium MDTI license is not required. Install the appropriate solutions from the content hub to connect these data sources.

- - Common Event Format (CEF)

- - DNS (Preview)

- :::image type="content" source="media/use-matching-analytics-to-detect-threats/data-sources.png" alt-text="A screenshot showing the Microsoft Defender Threat Intelligence Analytics rule data source connections.":::

- For example, depending on your data source you might use the following solutions and data connectors.

- |[Common Event Format solution for Sentinel](https://azuremarketplace.microsoft.com/marketplace/apps/azuresentinel.azure-sentinel-solution-commoneventformat?tab=Overview) | [Common Event Format (CEF) connector for Microsoft Sentinel](data-connectors/common-event-format-cef.md)|

-1. Click the **Analytics** menu from the **Configuration** section.

-1. Select the **Rule templates** menu tab.

-1. In the search window type *threat intelligence*.

-1. Click **Create rule**. The rule details are read only, and the default status of the rule is enabled.

-1. Click **Review** > **Create**.

-Microsoft Defender Threat Intelligence (MDTI) Analytics matches your logs with domain, IP and URL indicators in the following way:

-1. In the Microsoft Sentinel workspace where you've enabled the **Microsoft Defender Threat Intelligence Analytics** rule, select **Incidents** and search for **Microsoft Defender Threat Intelligence Analytics**.

- Any incidents found are shown in the grid.

- For example:

-1. Observe the severity assigned to the alerts and the incident. Depending on how the indicator is matched, an appropriate severity is assigned to an alert from `Informational` to `High`. For example, if the indicator is matched with firewall logs that have allowed the traffic, a high severity alert is generated. If the same indicator was matched with firewall logs that blocked the traffic, the alert generated would be low or medium.

-1. Observe the indicator details. When a match is found, the indicator is published to the Log Analytics **ThreatIntelligenceIndicators** table, and displayed in the **Threat Intelligence** page. For any indicators published from this rule, the source is defined as **Microsoft Defender Threat Intelligence Analytics**.

-For example, in the **ThreatIntelligenceIndicators** table:

-In the **Threat Intelligence** page:

-Along with high fidelity alerts and incidents, some MDTI indicators include a link to a reference article in the MDTI community portal.

-For more information, see the [MDTI portal](https://ti.defender.microsoft.com) and [What is Microsoft Defender Threat Intelligence?](/defender/threat-intelligence/what-is-microsoft-defender-threat-intelligence-defender-ti)

-#customer intent: As a security analyst, I want to use threat intelligence so I can power my threat detections.

-Integrate threat intelligence (TI) into Microsoft Sentinel through the following activities:

-### Find and view your indicators in the Threat intelligence page

-This procedure describes how to view and manage your indicators in the **Threat intelligence** page, accessible from the main Microsoft Sentinel menu. Use the **Threat intelligence** page to sort, filter, and search your imported threat indicators without writing a Log Analytics query.

-**To view your threat intelligence indicators in the Threat intelligence page**:

-1. For Microsoft Sentinel in the [Azure portal](https://portal.azure.com), under **Threat management**, select **Threat intelligence**.<br> For Microsoft Sentinel in the [Defender portal](https://security.microsoft.com/), select **Microsoft Sentinel** > **Threat management** > **Threat intelligence**.

-1. From the grid, select the indicator for which you want to view more details. The indicator's details appear on the right, showing information such as confidence levels, tags, threat types, and more.

-1. Microsoft Sentinel only displays the most current version of indicators in this view. For more information on how indicators are updated, see [Understand threat intelligence](understand-threat-intelligence.md#view-and-manage-your-threat-indicators).

-1. IP and domain name indicators are enriched with extra GeoLocation and WhoIs data, providing more context for investigations where the selected indicator is found.

-For example:

-> [!IMPORTANT]

-> GeoLocation and WhoIs enrichment is currently in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-This procedure describes how to view your imported threat indicators in the Microsoft Sentinel **Logs** area, together with other Microsoft Sentinel event data, regardless of the source feed or the connector used.

-Imported threat indicators are listed in the **Microsoft Sentinel > ThreatIntelligenceIndicator** table, which is the basis for threat intelligence queries run elsewhere in Microsoft Sentinel, such as in **Analytics** or **Workbooks**.

-**To view your threat intelligence indicators in Logs**:

-1. For Microsoft Sentinel in the [Azure portal](https://portal.azure.com), under **General**, select **Logs**.<br> For Microsoft Sentinel in the [Defender portal](https://security.microsoft.com/), select **Investigation & response** > **Hunting** > **Advanced hunting**.

-1. The **ThreatIntelligenceIndicator** table is located under the **Microsoft Sentinel** group.

-1. Select the **Preview data** icon (the eye) next to the table name and select the **See in query editor** button to run a query that will show records from this table.

- Your results should look similar to the sample threat indicator shown in this screenshot:

- :::image type="content" source="media/work-with-threat-indicators/ti-table-results.png" alt-text="Screenshot shows sample ThreatIntelligenceIndicator table results with the details expanded." lightbox="media/work-with-threat-indicators/ti-table-results.png":::

-The **Threat intelligence** page also allows you to create threat indicators directly within the Microsoft Sentinel interface, and perform two of the most common threat intelligence administrative tasks: indicator tagging and creating new indicators related to security investigations.

-1. For Microsoft Sentinel in the [Azure portal](https://portal.azure.com), under **Threat management**, select **Threat intelligence**.<br> For Microsoft Sentinel in the [Defender portal](https://security.microsoft.com/), select **Microsoft Sentinel** > **Threat management** > **Threat intelligence**.

-1. Select the **Add new** button from the menu bar at the top of the page.

- :::image type="content" source="media/work-with-threat-indicators/threat-intel-add-new-indicator.png" alt-text="Add a new threat indicator" lightbox="media/work-with-threat-indicators/threat-intel-add-new-indicator.png":::

-1. Choose the indicator type, then complete the form on the **New indicator** panel. The required fields are marked with a red asterisk (*).

-1. Select **Apply**. The indicator is added to the indicators list, and is also sent to the *ThreatIntelligenceIndicator* table in **Logs**.

-Tagging threat indicators is an easy way to group them together to make them easier to find. Typically, you might apply tags to an indicator related to a particular incident, or representing threats from a particular known actor or well-known attack campaign. Once you search for the indicators you want to work with, tag them individually, or multi-select indicators and tag them all at once with one or more tags. Since tagging is free-form, a recommended practice is to create standard naming conventions for threat indicator tags.

-Microsoft Sentinel also allows you to edit indicators, whether they've been created directly in Microsoft Sentinel, or come from partner sources, like TIP and TAXII servers. For indicators created in Microsoft Sentinel, all fields are editable. For indicators coming from partner sources, only specific fields are editable, including tags, *Expiration date*, *Confidence*, and *Revoked*. Either way, keep in mind only the latest version of the indicator is displayed in the **Threat Intelligence** page view. For more information on how indicators are updated, see [Understand threat intelligence](understand-threat-intelligence.md#view-and-manage-your-threat-indicators).

-## Workbooks provide insights about your threat intelligence

- 1. From the [Azure portal](https://portal.azure.com/), navigate to the **Microsoft Sentinel** service.

- 1. Choose the **workspace** to which youΓÇÖve imported threat indicators using either threat intelligence data connector.

- 1. Select **Workbooks** from the **Threat management** section of the Microsoft Sentinel menu.

- 1. Find the workbook titled **Threat Intelligence** and verify you have data in the **ThreatIntelligenceIndicator** table as shown below.

- :::image type="content" source="media/work-with-threat-indicators/threat-intel-verify-data.png" alt-text="Verify data":::

- 1. Select the **Save** button and choose an Azure location to store the workbook. This step is required if you are going to modify the workbook in any way and save your changes.

- 1. Now select the **View saved workbook** button to open the workbook for viewing and editing.

- 1. You should now see the default charts provided by the template. To modify a chart, select the **Edit** button at the top of the page to enter editing mode for the workbook.

-1. In the **Visualization** drop-down, select **Bar chart**.

-1. Select the **Done editing** button. YouΓÇÖve created a new chart for your workbook.

- :::image type="content" source="media/work-with-threat-indicators/threat-intel-bar-chart.png" alt-text="Bar chart":::

-Workbooks provide powerful interactive dashboards that give you insights into all aspects of Microsoft Sentinel. There is a whole lot you can do with workbooks, and while the provided templates are a great starting point, you will likely want to dive in and customize these templates, or create new dashboards combining many different data sources so to visualize your data in unique ways. Since Microsoft Sentinel workbooks are based on Azure Monitor workbooks, there is already extensive documentation available, and many more templates. A great place to start is this article on how to [Create interactive reports with Azure Monitor workbooks](../azure-monitor/visualize/workbooks-overview.md).

-There is also a rich community of [Azure Monitor workbooks on GitHub](https://github.com/microsoft/Application-Insights-Workbooks) to download more templates and contribute your own templates.

-In this article, you learned all the ways to work with threat intelligence indicators throughout Microsoft Sentinel. For more about threat intelligence in Microsoft Sentinel, see the following articles:

-This error usually occurs when attempting to create a service connection while the AKS (Azure Kubernetes Service) cluster is in an updating state. The service connection update conflicts with the ongoing update.

-Ensure your cluster is in a "Succeeded" state before retrying the creation. It resolves most errors related to conflicts.

-To resolve errors related to resource provider registration, follow this [tutorial](../azure-resource-manager/troubleshooting/error-register-resource-provider.md).

-1. If you're using Service Connector for the first time, start by running the command [az provider register](/cli/azure/provider#az-provider-register) to register the Service Connector resource provider.

- > You can check if the resource provider has already been registered by running the command `az provider show -n "Microsoft.ServiceLinker" --query registrationState`. If the output is `Registered`, then Service Connector has already been registered.

-> [Tutorial: Connect to Azure Storage using workload identity](./tutorial-python-aks-storage-workload-identity.md)

-> [!Note]

->

-To get started, install the [Azure.Storage.Files.DataLake](https://www.nuget.org/packages/Azure.Storage.Files.DataLake/) NuGet package.

-1. Open a command window (For example: Windows PowerShell).

-2. From your project directory, install the Azure.Storage.Files.DataLake preview package by using the `dotnet add package` command.

- ```console

- dotnet add package Azure.Storage.Files.DataLake -v 12.6.0 -s https://pkgs.dev.azure.com/azure-sdk/public/_packaging/azure-sdk-for-net/nuget/v3/index.json

- ```

- Then, add these using statements to the top of your code file.

- ```csharp

- using Azure;

- using Azure.Core;

- using Azure.Storage;

- using Azure.Storage.Files.DataLake;

- using Azure.Storage.Files.DataLake.Models;

- using System.Collections.Generic;

- using System.Threading.Tasks;

- ```

-To use the snippets in this article, you'll need to create a [DataLakeServiceClient](/dotnet/api/azure.storage.files.datalake.datalakeserviceclient) instance that represents the storage account.

-<a name='connect-by-using-azure-active-directory-ad'></a>

-### Connect by using Microsoft Entra ID

-You can use the [Azure identity client library for .NET](/dotnet/api/overview/azure/identity-readme) to authenticate your application with Microsoft Entra ID.

-After you install the package, add this using statement to the top of your code file.

-```csharp

-using Azure.Identity;

-```

-First, you'll have to assign one of the following [Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md) roles to your security principal:

-|Role|ACL setting capability|

-|--|--|

-|[Storage Blob Data Owner](../../role-based-access-control/built-in-roles.md#storage-blob-data-owner)|All directories and files in the account.|

-|[Storage Blob Data Contributor](../../role-based-access-control/built-in-roles.md#storage-blob-data-contributor)|Only directories and files owned by the security principal.|

-### Connect by using an account key

-To update an ACL recursively, create a new ACL object with the ACL entry that you want to update, and then use that object in update ACL operation. Do not get the existing ACL, just provide ACL entries to be updated.

-To remove ACL entries recursively, create a new ACL object for ACL entry to be removed, and then use that object in remove ACL operation. Do not get the existing ACL, just provide the ACL entries to be removed.

- - A provisioned Microsoft Entra ID [security principal](../../role-based-access-control/overview.md#security-principal) that has been assigned the [Storage Blob Data Owner](../../role-based-access-control/built-in-roles.md#storage-blob-data-owner) role, scoped to the target container, storage account, parent resource group, or subscription..

- - Owning user of the target container or directory to which you plan to apply ACL settings. To set ACLs recursively, this includes all child items in the target container or directory.

- - Storage account key.

-## Set up your project

-To get started, open [this page](https://search.maven.org/artifact/com.azure/azure-storage-file-datalake) and find the latest version of the Java library. Then, open the *pom.xml* file in your text editor. Add a dependency element that references that version.

-If you plan to authenticate your client application by using Microsoft Entra ID, then add a dependency to the Azure Secret Client Library. See [Adding the Secret Client Library package to your project](https://github.com/Azure/azure-sdk-for-java/tree/master/sdk/identity/azure-identity#adding-the-package-to-your-project).

-Next, add these imports statements to your code file.

-To use the snippets in this article, you'll need to create a **DataLakeServiceClient** instance that represents the storage account.

-<a name='connect-by-using-azure-active-directory-azure-ad'></a>

-### Connect by using Microsoft Entra ID

-|Role|ACL setting capability|

-|--|--|

-|[Storage Blob Data Owner](../../role-based-access-control/built-in-roles.md#storage-blob-data-owner)|All directories and files in the account.|

-|[Storage Blob Data Contributor](../../role-based-access-control/built-in-roles.md#storage-blob-data-contributor)|Only directories and files owned by the security principal.|

-To learn more about using **DefaultAzureCredential** to authorize access to data, see [Azure Identity client library for Java](/java/api/overview/azure/identity-readme).

-### Connect by using an account key

- - A provisioned Microsoft Entra ID [security principal](../../role-based-access-control/overview.md#security-principal) that has been assigned the [Storage Blob Data Owner](../../role-based-access-control/built-in-roles.md#storage-blob-data-owner) role, scoped to the target container, storage account, parent resource group, or subscription..

- - Storage account key..

-Install Data Lake client library for JavaScript by opening a terminal window, and then typing the following command.

-```javascript

-Import the `storage-file-datalake` package by placing this statement at the top of your code file.

-To use the snippets in this article, you'll need to create a **DataLakeServiceClient** instance that represents the storage account.

-### Connect by using Microsoft Entra ID

-You can use the [Azure identity client library for JS](https://www.npmjs.com/package/@azure/identity) to authenticate your application with Microsoft Entra ID.

-|Role|ACL setting capability|

-|--|--|

-|[Storage Blob Data Owner](../../role-based-access-control/built-in-roles.md#storage-blob-data-owner)|All directories and files in the account.|

-|[Storage Blob Data Contributor](../../role-based-access-control/built-in-roles.md#storage-blob-data-contributor)|Only directories and files owned by the security principal.|

-To learn more about using **DefaultAzureCredential** to authorize access to data, see [Overview: Authenticate JavaScript apps to Azure using the Azure SDK](/azure/developer/javascript/sdk/authentication/overview).

-### Connect by using an account key

-Install the Azure Data Lake Storage client library for Python by using [pip](https://pypi.org/project/pip/).

-```

-pip install azure-storage-file-datalake

-Add these import statements to the top of your code file.

-from azure.storage.filedatalake import DataLakeServiceClient

-To use the snippets in this article, you'll need to create a **DataLakeServiceClient** instance that represents the storage account.

-<a name='connect-by-using-azure-active-directory-ad'></a>

-### Connect by using Microsoft Entra ID

-You can use the [Azure identity client library for Python](https://pypi.org/project/azure-identity/) to authenticate your application with Microsoft Entra ID.

-First, you'll have to assign one of the following [Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md) roles to your security principal:

-|Role|ACL setting capability|

-|--|--|

-|[Storage Blob Data Owner](../../role-based-access-control/built-in-roles.md#storage-blob-data-owner)|All directories and files in the account.|

-|[Storage Blob Data Contributor](../../role-based-access-control/built-in-roles.md#storage-blob-data-contributor)|Only directories and files owned by the security principal.|

-### Connect by using an account key

-This example removes an ACL entry from the ACL of the directory named `my-parent-directory`. This method accepts a boolean parameter named `is_default_scope` that specifies whether to remove the entry from the default ACL. if that parameter is `True`, the updated ACL entry is preceded with the string `default:`.

-`azcopy cp "https://[srcaccount].blob.core.windows.net/[containername]?[SAS]" "https://[dstaccount].blob.core.windows.net/[containername]?[SAS]" --include-after='2020-08-19T15:04:00Z''"`

-`azcopy cp "https://[srcaccount].blob.core.windows.net/[containername]?[SAS]" "https://[dstaccount].blob.core.windows.net/[containername]?[SAS]" --include-before='2020-08-19T15:04:00Z'"`

-The following table summarizes the steps you'll need to take if you choose to migrate your applications to client-side encryption v2:

-If your application is using client-side encryption with an earlier version of the .NET or Python client library, you must first upgrade your code to a version that supports client-side encryption v2. Next, you must decrypt and re-encrypt your data with client-side encryption v2. If necessary, you can use a version of the client library that supports client-side encryption v2 side-by-side with an earlier version of the client library while you are migrating your code.

-During encryption, the client library generates a random IV of 16 bytes along with a random CEK of 32 bytes and performs envelope encryption of the queue message text using this information. The wrapped CEK and some additional encryption metadata are then added to the encrypted queue message. This modified message (shown below) is stored on the service.

-During decryption, the wrapped key is extracted from the queue message and unwrapped. The IV is also extracted from the queue message and used along with the unwrapped key to decrypt the queue message data. Encryption metadata is small (under 500 bytes), so while it does count toward the 64KB limit for a queue message, the impact should be manageable. The encrypted message is Base64-encoded, as shown in the above snippet, which will also expand the size of the message being sent.

-Due to the short-lived nature of messages in the queue, decrypting and reencrypting queue messages after updating to client-side encryption v2 should not be necessary. Any less secure messages will be rotated in the course of normal queue consumption.

-description: Example Azure role assignment conditions for Queue Storage.

-The condition can be added to a role assignment using either the Azure portal or Azure PowerShell. The portal has two tools for building ABAC conditions - the visual editor and the code editor. You can switch between the two editors in the Azure portal to see your conditions in different views. Switch between the **Visual editor** tab and the **Code editor** tabs below to view the examples for your preferred portal editor.

-The following image shows the condition after the settings have been entered into the Azure portal. Note that you must group expressions to ensure correct evaluation.

-The following image shows the condition after the settings have been entered into the Azure portal. Note that you must group expressions to ensure correct evaluation.

-The following image shows the condition after the settings have been entered into the Azure portal. Note that you must group expressions to ensure correct evaluation.

- - `drivestoredirect:s:C\:;E\:;`: Redirect the specified drive letters for one or more drives, such as this example.

-|Tiers and performance| Standard (Transaction optimized)<br>Premium<br>Up to max 100K IOPS per share with 10 GBps per share at about 3-ms latency|Standard<br>Premium<br>Ultra<br>Up to max 460K IOPS per volume with 4.5 GBps per volume at about 1 ms latency. For IOPS and performance details, see [Azure NetApp Files performance considerations](../azure-netapp-files/azure-netapp-files-performance-considerations.md) and [the FAQ](../azure-netapp-files/faq-performance.md#how-do-i-convert-throughput-based-service-levels-of-azure-netapp-files-to-iops).|Standard HDD: up to 500 IOPS per-disk limits<br>Standard SSD: up to 4k IOPS per-disk limits<br>Premium SSD: up to 20k IOPS per-disk limits<br>We recommend Premium disks for Storage Spaces Direct|

-# Configure a cross-tenant connection in Azure Virtual Network Manager Preview - portal