-| OutputClaim | outputClaim | boolean | A string that is equivalent to the substring of length that begins at startIndex in this instance, or Empty if startIndex is equal to the length of this instance and length is zero. |

-# How to use additional context in Microsoft Authenticator app notifications (Preview) - Authentication Methods Policy

-This topic covers how to improve the security of user sign-in by adding the application name and geographic location of the sign-in to Microsoft Authenticator push and passwordless notifications. The schema for the API to enable application name and geographic location is currently being updated. **While the API is updated over the next two weeks, you should only use the Azure AD portal to enable application name and geographic location.**

-Your organization will need to enable Microsoft Authenticator push notifications for some users or groups by using the Azure AD portal. The new Authentication Methods Policy API will soon be ready as another configuration option.

->[!NOTE]

->Additional context can be targeted to only a single group, which can be dynamic or nested. On-premises synchronized security groups and cloud-only security groups are supported for the Authentication Method Policy.

-When a user receives a passwordless phone sign-in or MFA push notification in the Authenticator app, they'll see the name of the application that requests the approval and the location based on the IP address where the sign-in originated from.

-## Enable additional context

-To enable application name or geographic location, complete the following steps:

-1. On the **Configure** tab, for **Show application name in push and passwordless notifications (Preview)**, change **Status** to **Enabled**, choose who to include or exclude from the policy, and click **Save**.

- Then do the same for **Show geographic location in push and passwordless notifications (Preview)**.

-Additional context is not supported for Network Policy Server (NPS) or Active Directory Federation Services (AD FS).

-# How to use number matching in multifactor authentication (MFA) notifications (Preview) - Authentication Methods Policy

-This topic covers how to enable number matching in Microsoft Authenticator push notifications to improve user sign-in security. The schema for the API to enable number match is currently being updated. **While the API is updated over the next two weeks, you should only use the Azure AD portal to enable number match.**

->Number matching is a key security upgrade to traditional second factor notifications in Microsoft Authenticator that will be enabled by default for all tenants a few months after general availability (GA).<br>

-Your organization will need to enable Authenticator (traditional second factor) push notifications for some users or groups only by using the Azure AD portal. The new Authentication Methods Policy API will soon be ready as another configuration option. If your organization is using ADFS adapter or NPS extensions, please upgrade to the latest versions for a consistent experience.

-## Number matching

-<!check below with Mayur. The bit about the policy came from the number match FAQ at the end.>

-Number matching can be targeted to only a single group, which can be dynamic or nested. On-premises synchronized security groups and cloud-only security groups are supported for the Authentication Method Policy.

-Number matching is not supported for Apple Watch notifications. Apple Watch users need to use their phone to approve notifications when number matching is enabled.

-## Enable number matching

-To enable number matching, complete the following steps:

-1. On the **Basics** tab, click **Yes** and **All users** to enable the policy for everyone, and change **Authentication mode** to **Push**.

- Only users who are enabled for Microsoft Authenticator here can be included in the policy to require number matching for sign-in, or excluded from it. Users who aren't enabled for Microsoft Authenticator can't see a number match.

-[Authentication methods in Azure Active Directory](concept-authentication-authenticator-app.md)

- clientId = "YOUR_CLIENT_ID"

- clientId = "YOUR_CLIENT_ID",

- clientSecret = "YOUR_CLIENT_SECRET"

-# Azure Active Directory security operations guide for Applications

-* **[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)** - Sigma is an evolving open standard for writing rules and templates that automated management tools can use to parse log files. Where there are Sigma templates for our recommended search criteria, we've added a link to the Sigma repo. The Sigma templates aren't written, tested, and managed by Microsoft. Rather, the repo and templates are created and collected by the worldwide IT security community.

-| Added credentials to existing applications| High| Azure AD Audit logs| Service-Core Directory, Category-ApplicationManagement <br>Activity: Update Application-Certificates and secrets management<br>-and-<br>Activity: Update Service principal/Update Application| Alert when credentials are: added outside of normal business hours or workflows, of types not used in your environment, or added to a non-SAML flow supporting service principal.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/NewAppOrServicePrincipalCredential.yaml)<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-| App assigned to Azure RBAC role, or Azure AD Role| High to Medium| Azure AD Audit logs| Type: service principal<br>Activity: ΓÇ£Add member to roleΓÇ¥ or ΓÇ£Add eligible member to roleΓÇ¥<br>-or-<br>ΓÇ£Add scoped member to role.ΓÇ¥| For highly privileged roles such as Global Administrator, risk is high. For lower privileged roles risk is medium. Alert anytime an application is assigned to an Azure role or Azure AD role outside of normal change management or configuration procedures.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ServicePrincipalAssignedPrivilegedRole.yaml)<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-| App granted highly privileged permissions, such as permissions with ΓÇ£*.AllΓÇ¥ (Directory.ReadWrite.All) or wide ranging permissions (Mail.*)| High |Azure AD Audit logs| ΓÇ£Add app role assignment to service principalΓÇ¥, <br>- where-<br> Target(s) identifies an API with sensitive data (such as Microsoft Graph) <br>-and-<br>AppRole.Value identifies a highly privileged application permission (app role).| Apps granted broad permissions such as ΓÇ£*.AllΓÇ¥ (Directory.ReadWrite.All) or wide ranging permissions (Mail.*)<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ServicePrincipalAssignedAppRoleWithSensitiveAccess.yaml)<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-| Administrator granting either application permissions (app roles) or highly privileged delegated permissions |High| Microsoft 365 portal| ΓÇ£Add app role assignment to service principalΓÇ¥, <br>-where-<br>Target(s) identifies an API with sensitive data (such as Microsoft Graph)<br>ΓÇ£Add delegated permission grantΓÇ¥, <br>-where-<br>Target(s) identifies an API with sensitive data (such as Microsoft Graph) <br>-and-<br>DelegatedPermissionGrant.Scope includes high-privilege permissions.| Alert when a global administrator, application administrator, or cloud application administrator consents to an application. Especially look for consent outside of normal activity and change procedures.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ServicePrincipalAssignedAppRoleWithSensitiveAccess.yaml)<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/AzureADRoleManagementPermissionGrant.yaml)<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/MailPermissionsAddedToApplication.yaml)<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-| Application is granted permissions for Microsoft Graph, Exchange, SharePoint, or Azure AD. |High| Azure AD Audit logs| ΓÇ£Add delegated permission grantΓÇ¥ <br>-or-<br>ΓÇ£Add app role assignment to service principalΓÇ¥, <br>-where-<br>Target(s) identifies an API with sensitive data (such as Microsoft Graph, Exchange Online, and so on)| Alert as in the preceding row.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ServicePrincipalAssignedAppRoleWithSensitiveAccess.yaml)<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-| Application permissions (app roles) for other APIs are granted |Medium| Azure AD Audit logs| ΓÇ£Add app role assignment to service principalΓÇ¥, <br>-where-<br>Target(s) identifies any other API.| Alert as in the preceding row.<br>[Link to Sigma repo](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-| Highly privileged delegated permissions are granted on behalf of all users |High| Azure AD Audit logs| ΓÇ£Add delegated permission grantΓÇ¥, where Target(s) identifies an API with sensitive data (such as Microsoft Graph), <br> DelegatedPermissionGrant.Scope includes high-privilege permissions, <br>-and-<br>DelegatedPermissionGrant.ConsentType is ΓÇ£AllPrincipalsΓÇ¥.| Alert as in the preceding row.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ServicePrincipalAssignedAppRoleWithSensitiveAccess.yaml)<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/AzureADRoleManagementPermissionGrant.yaml)<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/SuspiciousOAuthApp_OfflineAccess.yaml)<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-| How and when your Key Vaults are accessed and by whom| Medium| [Azure Key Vault logs](../../key-vault/general/logging.md?tabs=Vault)| Resource type: Key Vaults| Look for: any access to Key Vault outside regular processes and hours, any changes to Key Vault ACL.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDiagnostics/AzureKeyVaultAccessManipulation.yaml)<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-| End-user consent to application| Low| Azure AD Audit logs| Activity: Consent to application / ConsentContext.IsAdminConsent = false| Look for: high profile or highly privileged accounts, app requests high-risk permissions, apps with suspicious names, for example generic, misspelled, etc.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AuditLogs/ConsentToApplicationDiscovery.yaml)<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-| End-user consent stopped due to risk-based consent| Medium| Azure AD Audit logs| Core Directory / ApplicationManagement / Consent to application<br> Failure status reason = Microsoft.online.Security.userConsent<br>BlockedForRiskyAppsExceptions| Monitor and analyze any time consent is stopped due to risk. Look for: high profile or highly privileged accounts, app requests high-risk permissions, or apps with suspicious names, for example generic, misspelled, etc.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/End-userconsentstoppedduetorisk-basedconsent.yaml)<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-| Applications that are using the ROPC authentication flow|Medium | Azure AD Sign-ins log|Status=Success<br><br>Authentication Protocol-ROPC| High level of trust is being placed in this application as the credentials can be cached or stored. Move if possible to a more secure authentication flow. This should only be used in automated testing of applications, if at all. For more information, see [Microsoft identity platform and OAuth 2.0 Resource Owner Password Credentials](../develop/v2-oauth-ropc.md)<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|

-|Applications using the Device code flow |Low to medium|Azure AD Sign-ins log|Status=Success<br><br>Authentication Protocol-Device Code|Device code flows are used for input constrained devices, which may not be in all environments. If successful device code flows appear, without a need for them, investigate for validity. For more information, see [Microsoft identity platform and the OAuth 2.0 device authorization grant flow](../develop/v2-oauth2-device-code.md)<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|

-| Redirect URI configuration changes| High| Azure AD logs| Service-Core Directory, Category-ApplicationManagement<br>Activity: Update Application<br>Success ΓÇô Property Name AppAddress| Look for URIs not using HTTPS*, URIs with wildcards at the end or the domain of the URL, URIs that are NOT unique to the application, URIs that point to a domain you don't control.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ApplicationRedirectURLUpdate.yaml)<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-| Changes to AppID URI| High| Azure AD logs| Service-Core Directory, Category-ApplicationManagement<br>Activity: Update<br>Application<br>Activity: Update Service principal| Look for any AppID URI modifications, such as adding, modifying, or removing the URI.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ApplicationIDURIChanged.yaml)<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-| Changes to application ownership| Medium| Azure AD logs| Service-Core Directory, Category-ApplicationManagement<br>Activity: Add owner to application| Look for any instance of a user being added as an application owner outside of normal change management activities.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ChangestoApplicationOwnership.yaml)<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-| Changes to log-out URL| Low| Azure AD logs| Service-Core Directory, Category-ApplicationManagement<br>Activity: Update Application<br>-and-<br>Activity: Update service principle| Look for any modifications to a sign-out URL. Blank entries or entries to non-existent locations would stop a user from terminating a session.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ChangestoApplicationLogoutURL.yaml) |

-* **[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)** - Sigma is an evolving open standard for writing rules and templates that automated management tools can use to parse log files. Where Sigma templates exist for our recommended search criteria, we've added a link to the Sigma repo. The Sigma templates aren't written, tested, and managed by Microsoft. Rather, the repo and templates are created and collected by the worldwide IT security community.

-* **[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)** - Sigma is an evolving open standard for writing rules and templates that automated management tools can use to parse log files. Where Sigma templates exist for our recommended search criteria, we've added a link to the Sigma repo. The Sigma templates aren't written, tested, and managed by Microsoft. Rather, the repo and templates are created and collected by the worldwide IT security community.

-| Device registration or join completed without MFA| Medium| Sign-in logs| Activity: successful authentication to Device Registration Service. <br>And<br>No MFA required| Alert when: Any device registered or joined without MFA<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SuspiciousSignintoPrivilegedAccount.yaml)<br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-| Changes to the Device Registration MFA toggle in Azure AD| High| Audit log| Activity: Set device registration policies| Look for: The toggle being set to off. There isn't audit log entry. Schedule periodic checks.<br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-| Sign-ins by non-compliant devices| High| Sign-in logs| DeviceDetail.isCompliant == false| If requiring sign-in from compliant devices, alert when: any sign in by non-compliant devices, or any access without MFA or a trusted location.<p>If working toward requiring devices, monitor for suspicious sign-ins.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SuccessfulSigninFromNon-CompliantDevice.yaml)<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-| Sign-ins by unknown devices| Low| Sign-in logs| DeviceDetail is empty, single factor authentication, or from a non-trusted location| Look for: any access from out of compliance devices, any access without MFA or trusted location<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AnomolousSingleFactorSignin.yaml)<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-| Key retrieval| Medium| Audit logs| OperationName == "Read BitLocker key"| Look for: key retrieval, other anomalous behavior by users retrieving keys.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AuditLogs/BitLockerKeyRetrieval.yaml)<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-| Users added to global or device admin roles| High| Audit logs| Activity type = Add member to role.| Look for: new users added to these Azure AD roles, subsequent anomalous behavior by machines or users.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/4ad195f4fe6fdbc66fb8469120381e8277ebed81/Detections/AuditLogs/UserAddedtoAdminRole.yaml)<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-* **[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)** - Sigma is an evolving open standard for writing rules and templates that automated management tools can use to parse log files. Where Sigma templates exist for our recommended search criteria, we've added a link to the Sigma repo. The Sigma templates aren't written, tested, and managed by Microsoft. Rather, the repo and templates are created and collected by the worldwide IT security community.

-| New Conditional Access Policy created by non-approved actors|Medium | Azure AD Audit logs|Activity: Add conditional access policy<br><br>Category: Policy<br><br>Initiated by (actor): User Principal Name | Monitor and alert on Conditional Access changes. Is Initiated by (actor): approved to make changes to Conditional Access?<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ConditionalAccessPolicyModifiedbyNewUser.yaml)<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|

-|Conditional Access Policy removed by non-approved actors|Medium|Azure AD Audit logs|Activity: Delete conditional access policy<br><br>Category: Policy<br><br>Initiated by (actor): User Principal Name|Monitor and alert on Conditional Access changes. Is Initiated by (actor): approved to make changes to Conditional Access?<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ConditionalAccessPolicyModifiedbyNewUser.yaml)<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-|Conditional Access Policy updated by non-approved actors|Medium|Azure AD Audit logs|Activity: Update conditional access policy<br><br>Category: Policy<br><br>Initiated by (actor): User Principal Name|Monitor and alert on Conditional Access changes. Is Initiated by (actor): approved to make changes to Conditional Access?<br><br>Review Modified Properties and compare ΓÇ£oldΓÇ¥ vs ΓÇ£newΓÇ¥ value<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ConditionalAccessPolicyModifiedbyNewUser.yaml)<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-|Removal of a user from a group used to scope critical Conditional Access policies|Medium|Azure AD Audit logs|Activity: Remove member from group<br><br>Category: GroupManagement<br><br>Target: User Principal Name|Montior and Alert for groups used to scope critical Conditional Access Policies.<br><br>"Target" is the user that has been removed.<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|

-|Addition of a user to a group used to scope critical Conditional Access policies|Low|Azure AD Audit logs|Activity: Add member to group<br><br>Category: GroupManagement<br><br>Target: User Principal Name|Montior and Alert for groups used to scope critical Conditional Access Policies.<br><br>"Target" is the user that has been added.<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|

-* **[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)** - Sigma is an evolving open standard for writing rules and templates that automated management tools can use to parse log files. Where Sigma templates exist for our recommended search criteria, we have added a link to the Sigma repo. The Sigma templates are not written, tested, and managed by Microsoft. Rather, the repo and templates are created and collected by the worldwide IT security community.

-* **[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)** - Sigma is an evolving open standard for writing rules and templates that automated management tools can use to parse log files. Where Sigma templates exist for our recommended search criteria, we have added a link to the Sigma repo. The Sigma templates are not written, tested, and managed by Microsoft. Rather, the repo and templates are created and collected by the worldwide IT security community.

-| Sign-in failure, bad password threshold | High | Azure AD Sign-ins log | Status = Failure<br>-and-<br>error code = 50126 | Define a baseline threshold and then monitor and adjust to suit your organizational behaviors and limit false alerts from being generated.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PrivilegedAccountsSigninFailureSpikes.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-| Failure because of Conditional Access requirement |High | Azure AD Sign-ins log | Status = Failure<br>-and-<br>error code = 53003<br>-and-<br>Failure reason = Blocked by Conditional Access | This event can be an indication an attacker is trying to get into the account.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/UserAccounts-CABlockedSigninSpikes.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-| Interrupt | High, medium | Azure AD Sign-ins | Status = Interrupted<br>-and-<br>error code = 50074<br>-and-<br>Failure reason = Strong auth required<br>Status = Interrupted<br>-and-<br>Error code = 500121<br>Failure reason = Authentication failed during strong authentication request | This event can be an indication an attacker has the password for the account but can't pass the multi-factor authentication challenge.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AADPrivilegedAccountsFailedMFA.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-| Account lockout | High | Azure AD Sign-ins log | Status = Failure<br>-and-<br>error code = 50053 | Define a baseline threshold, and then monitor and adjust to suit your organizational behaviors and limit false alerts from being generated.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PrivilegedAccountsLockedOut.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-| Account disabled or blocked for sign-ins | Low | Azure AD Sign-ins log | Status = Failure<br>-and-<br>Target = User UPN<br>-and-<br>error code = 50057 | This event could indicate someone is trying to gain access to an account after they've left the organization. Although the account is blocked, it's still important to log and alert on this activity.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UserAccounts-BlockedAccounts.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-| MFA fraud alert or block | High | Azure AD Sign-ins log/Azure Log Analytics | Sign-ins>Authentication details Result details = MFA denied, fraud code entered | Privileged user has indicated they haven't instigated the multi-factor authentication prompt, which could indicate an attacker has the password for the account.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/MFARejectedbyUser.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-| MFA fraud alert or block | High | Azure AD Audit log log/Azure Log Analytics | Activity type = Fraud reported - User is blocked for MFA or fraud reported - No action taken (based on tenant-level settings for fraud report) | Privileged user has indicated they haven't instigated the multi-factor authentication prompt, which could indicate an attacker has the password for the account.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/MFARejectedbyUser.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-| Privileged account sign-ins outside of expected controls | | Azure AD Sign-ins log | Status = Failure<br>UserPricipalName = \<Admin account\><br>Location = \<unapproved location\><br>IP address = \<unapproved IP\><br>Device info = \<unapproved Browser, Operating System\> | Monitor and alert on any entries that you've defined as unapproved.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SuspiciousSignintoPrivilegedAccount.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-| Outside of normal sign-in times | High | Azure AD Sign-ins log | Status = Success<br>-and-<br>Location =<br>-and-<br>Time = Outside of working hours | Monitor and alert if sign-ins occur outside of expected times. It's important to find the normal working pattern for each privileged account and to alert if there are unplanned changes outside of normal working times. Sign-ins outside of normal working hours could indicate compromise or possible insider threats.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AnomolousSignInsBasedonTime.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-| Password change | High | Azure AD Audit logs | Activity actor = Admin/self-service<br>-and-<br>Target = User<br>-and-<br>Status = Success or failure | Alert on any admin account password changes, especially for global admins, user admins, subscription admins, and emergency access accounts. Write a query targeted at all privileged accounts.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PrivilegedAccountPasswordChanges.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-| Change in legacy authentication protocol | High | Azure AD Sign-ins log | Client App = Other client, IMAP, POP3, MAPI, SMTP, and so on<br>-and-<br>Username = UPN<br>-and-<br>Application = Exchange (example) | Many attacks use legacy authentication, so if there's a change in auth protocol for the user, it could be an indication of an attack.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/17ead56ae30b1a8e46bb0f95a458bdeb2d30ba9b/Hunting%20Queries/SigninLogs/LegacyAuthAttempt.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-| New device or location | High | Azure AD Sign-ins log | Device info = Device ID<br>-and-<br>Browser<br>-and-<br>OS<br>-and-<br>Compliant/Managed<br>-and-<br>Target = User<br>-and-<br>Location | Most admin activity should be from [privileged access devices](/security/compass/privileged-access-devices), from a limited number of locations. For this reason, alert on new devices or locations.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SuspiciousSignintoPrivilegedAccount.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-| Audit alert setting is changed | High | Azure AD Audit logs | Service = PIM<br>-and-<br>Category = Role management<br>-and-<br>Activity = Disable PIM alert<br>-and-<br>Status = Success | Changes to a core alert should be alerted if unexpected.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/DetectPIMAlertDisablingActivity.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-| Administrators authenticating to other Azure AD tenants| Medium| Azure AD Sign-ins log| Status = success<br><br>Resource tenantID != Home Tenant ID| When scoped to Privileged Users, this monitor detects when an administrator has successfully authenticated to another Azure AD tenant with an identity in your organization's tenant. <br><br>Alert if Resource TenantID isn't equal to Home Tenant ID<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/AdministratorsAuthenticatingtoAnotherAzureADTenant.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-|Admin User state changed from Guest to Member|Medium|Azure AD Audit logs|Activity: Update user<br><br>Category: UserManagement<br><br>UserType changed from Guest to Member|Monitor and alert on change of user type from Guest to Member.<br><br> Was this change expected?<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/UserStatechangedfromGuesttoMember.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-|Guest users invited to tenant by non-approved inviters|Medium|Azure AD Audit logs|Activity: Invite external user<br><br>Category: UserManagement<br><br>Initiated by (actor): User Principal Name|Monitor and alert on non-approved actors inviting external users.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/GuestUsersInvitedtoTenantbyNewInviters.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-| Privileged account creation| Medium| Azure AD Audit logs| Service = Core Directory<br>-and-<br>Category = User management<br>-and-<br>Activity type = Add user<br>-correlate with-<br>Category type = Role management<br>-and-<br>Activity type = Add member to role<br>-and-<br>Modified properties = Role.DisplayName| Monitor creation of any privileged accounts. Look for correlation that's of a short time span between creation and deletion of accounts.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/UserAssignedPrivilegedRole.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-| Changes to authentication methods| High| Azure AD Audit logs| Service = Authentication Method<br>-and-<br>Activity type = User registered security information<br>-and-<br>Category = User management| This change could be an indication of an attacker adding an auth method to the account so they can have continued access.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AuthenticationMethodsChangedforPrivilegedAccount.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-| Alert on changes to privileged account permissions| High| Azure AD Audit logs| Category = Role management<br>-and-<br>Activity type = Add eligible member (permanent)<br>-or-<br>Activity type = Add eligible member (eligible)<br>-and-<br>Status = Success or failure<br>-and-<br>Modified properties = Role.DisplayName| This alert is especially for accounts being assigned roles that aren't known or are outside of their normal responsibilities.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/PrivilegedAccountPermissionsChanged.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-| Unused privileged accounts| Medium| Azure AD Access Reviews| | Perform a monthly review for inactive privileged user accounts.<br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-| Addition of a Temporary Access Pass to a privileged account| High| Azure AD Audit logs| Activity: Admin registered security info<br><br>Status Reason: Admin registered temporary access pass method for user<br><br>Category: UserManagement<br><br>Initiated by (actor): User Principal Name<br><br>Target: User Principal Name|Monitor and alert on a Temporary Access Pass being created for a privileged user.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/tree/master/Detections/AuditLogs/AdditionofaTemporaryAccessPasstoaPrivilegedAccount.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-| Added to eligible privileged role| High| Azure AD Audit Logs| Service = PIM<br>-and-<br>Category = Role managementΓÇï<br>-and-<br>Activity type = Add member to role completed (eligible)<br>-and-<br>Status = Success or failureΓÇï<br>-and-<br>Modified properties = Role.DisplayName| Any account eligible for a role is now being given privileged access. If the assignment is unexpected or into a role that isn't the responsibility of the account holder, investigate.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/UserAssignedPrivilegedRole.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-| Roles assigned out of PIM| High| Azure AD Audit Logs| Service = PIM<br>-and-<br>Category = Role managementΓÇï<br>-and-<br>Activity type = Add member to role (permanent)<br>-and-<br>Status = Success or failure<br>-and-<br>Modified properties = Role.DisplayName| These roles should be closely monitored and alerted. Users shouldn't be assigned roles outside of PIM where possible.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/PrivlegedRoleAssignedOutsidePIM.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-| Approvals and deny elevation| Low| Azure AD Audit Logs| Service = Access Review<br>-and-<br>Category = UserManagement<br>-and-<br>Activity type = Request approved or denied<br>-and-<br>Initiated actor = UPN| Monitor all elevations because it could give a clear indication of the timeline for an attack.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/PIMElevationRequestRejected.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-| Changes to PIM settings| High| Azure AD Audit Logs| Service = PIM<br>-and-<br>Category = Role management<br>-and-<br>Activity type = Update role setting in PIM<br>-and-<br>Status reason = MFA on activation disabled (example)| One of these actions could reduce the security of the PIM elevation and make it easier for attackers to acquire a privileged account.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/4ad195f4fe6fdbc66fb8469120381e8277ebed81/Detections/AuditLogs/ChangestoPIMSettings.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-| Elevation not occurring on SAW/PAW| High| Azure AD Sign In logs| Device ID <br>-and-<br>Browser<br>-and-<br>OS<br>-and-<br>Compliant/Managed<br>Correlate with:<br>Service = PIM<br>-and-<br>Category = Role management<br>-and-<br>Activity type = Add member to role completed (PIM activation)<br>-and-<br>Status = Success or failure<br>-and-<br>Modified properties = Role.DisplayName| If this change is configured, any attempt to elevate on a non-PAW/SAW device should be investigated immediately because it could indicate an attacker is trying to use the account.<br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-* **[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)** - Sigma is an evolving open standard for writing rules and templates that automated management tools can use to parse log files. Where Sigma templates exist for our recommended search criteria, we've added a link to the Sigma repo. The Sigma templates aren't written, tested, and managed by Microsoft. Rather, the repo and templates are created and collected by the worldwide IT security community.

-| Alert on Add changes to privileged account permissions| High| Azure AD Audit logs| Category = Role Management<br>-and-<br>Activity Type ΓÇô Add eligible member (permanent) <br>-and-<br>Activity Type ΓÇô Add eligible member (eligible) <br>-and-<br>Status = Success/failure<br>-and-<br>Modified properties = Role.DisplayName| Monitor and always alert for any changes to privileged role administrator and global administrator. This can be an indication an attacker is trying to gain privilege to modify role assignment settings. If you donΓÇÖt have a defined threshold, alert on 4 in 60 minutes for users and 2 in 60 minutes for privileged accounts.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/UserAddedtoAdminRole.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-| Alert on bulk deletion changes to privileged account permissions| High| Azure AD Audit logs| Category = Role Management<br>-and-<br>Activity Type ΓÇô Remove eligible member (permanent) <br>-and-<br>Activity Type ΓÇô Remove eligible member (eligible) <br>-and-<br>Status = Success/failure<br>-and-<br>Modified properties = Role.DisplayName| Investigate immediately if not a planned change. This setting could enable an attacker access to Azure subscriptions in your environment.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/BulkChangestoPrivilegedAccountPermissions.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-| Changes to PIM settings| High| Azure AD Audit Log| Service = PIM<br>-and-<br>Category = Role Management<br>-and-<br>Activity Type = Update role setting in PIM<br>-and-<br>Status Reason = MFA on activation disabled (example)| Monitor and always alert for any changes to Privileged Role Administrator and Global Administrator. This can be an indication an attacker has access to modify role assignment settings. One of these actions could reduce the security of the PIM elevation and make it easier for attackers to acquire a privileged account.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ChangestoPIMSettings.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-| Approvals and deny elevation| High| Azure AD Audit Log| Service = Access Review<br>-and-<br>Category = UserManagement<br>-and-<br>Activity Type = Request Approved/Denied<br>-and-<br>Initiated actor = UPN| All elevations should be monitored. Log all elevations to give a clear indication of timeline for an attack.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/PIMElevationRequestRejected.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-| Alert setting changes to disabled.| High| Azure AD Audit logs| Service =PIM<br>-and-<br>Category = Role Management<br>-and-<br>Activity Type = Disable PIM Alert<br>-and-<br>Status = Success /Failure| Always alert. Helps detect bad actor removing alerts associated with Azure AD Multi-Factor Authentication requirements to activate privileged access. Helps detect suspicious or unsafe activity.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/DetectPIMAlertDisablingActivity.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-* **[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)** - Sigma is an evolving open standard for writing rules and templates that automated management tools can use to parse log files. Where Sigma templates exist for our recommended search criteria, we've added a link to the Sigma repo. The Sigma templates aren't written, tested, and managed by Microsoft. Rather, the repo and templates are created and collected by the worldwide IT security community.

-| Accounts assigned to a privileged role.| High | Azure AD Audit logs | Activity: Add user<br>Status = success<br>-and-<br>Activity: Delete user<br>Status = success<br>-and-<br>Activity: Add member to role<br>Status = success | If the account is assigned to an Azure AD role, Azure role, or privileged group membership, alert and prioritize the investigation.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/UserAssignedPrivilegedRole.yaml) |

-| Users authenticating to other Azure AD tenants.| Low| Azure AD Sign-ins log| Status = success<br>Resource tenantID != Home Tenant ID| Detects when a user has successfully authenticated to another Azure AD tenant with an identity in your organization's tenant.<br>Alert if Resource TenantID isn't equal to Home Tenant ID <br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AuditLogs/UsersAuthenticatingtoOtherAzureADTenants.yaml) |

-|User state changed from Guest to Member|Medium|Azure AD Audit logs|Activity: Update user<br>Category: UserManagement<br>UserType changed from Guest to Member|Monitor and alert on change of user type from Guest to Member. Was this expected?<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/UserStatechangedfromGuesttoMember.yaml)

-|Guest users invited to tenant by non-approved inviters|Medium|Azure AD Audit logs|Activity: Invite external user<br>Category: UserManagement<br>Initiated by (actor): User Principal Name|Monitor and alert on non-approved actors inviting external users.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/GuestUsersInvitedtoTenantbyNewInviters.yaml)

-| Failed sign-in attempts.| Medium - if Isolated Incident<br>High - if many accounts are experiencing the same pattern or a VIP.| Azure AD Sign-ins log| Status = failed<br>-and-<br>Sign-in error code 50126 - <br>Error validating credentials due to invalid username or password.| Define a baseline threshold, and then monitor and adjust to suite your organizational behaviors and limit false alerts from being generated.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SpikeInFailedSignInAttempts.yaml) |

-| Smart lock-out events.| Medium - if Isolated Incident<br>High - if many accounts are experiencing the same pattern or a VIP.| Azure AD Sign-ins log| Status = failed<br>-and-<br>Sign-in error code = 50053 ΓÇô IdsLocked| Define a baseline threshold, and then monitor and adjust to suite your organizational behaviors and limit false alerts from being generated.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SmartLockouts.yaml) |

-| Interrupts| Medium - if Isolated Incident<br>High - if many accounts are experiencing the same pattern or a VIP.| Azure AD Sign-ins log| 500121, Authentication failed during strong authentication request. <br>-or-<br>50097, Device authentication is required or 50074, Strong Authentication is required. <br>-or-<br>50155, DeviceAuthenticationFailed<br>-or-<br>50158, ExternalSecurityChallenge - External security challenge wasn't satisfied<br>-or-<br>53003 and Failure reason = blocked by CA| Monitor and alert on interrupts.<br>Define a baseline threshold, and then monitor and adjust to suite your organizational behaviors and limit false alerts from being generated.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AADPrivilegedAccountsFailedMFA.yaml) |

-| Multi-factor authentication (MFA) fraud alerts.| High| Azure AD Sign-ins log| Status = failed<br>-and-<br>Details = MFA Denied<br>| Monitor and alert on any entry.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/MFARejectedbyUser.yaml) |

-| Failed authentications from countries you don't operate out of.| Medium| Azure AD Sign-ins log| Location = \<unapproved location\>| Monitor and alert on any entries. <br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AuthenticationAttemptfromNewCountry.yaml) |

-| Failed authentications for legacy protocols or protocols that aren't used.| Medium| Azure AD Sign-ins log| Status = failure<br>-and-<br>Client app = Other Clients, POP, IMAP, MAPI, SMTP, ActiveSync| Monitor and alert on any entries.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/9bd30c2d4f6a2de17956cd11536a83adcbfc1757/Hunting%20Queries/SigninLogs/LegacyAuthAttempt.yaml) |

-| Failures blocked by CA.| Medium| Azure AD Sign-ins log| Error code = 53003 <br>-and-<br>Failure reason = blocked by CA| Monitor and alert on any entries.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/UserAccounts-CABlockedSigninSpikes.yaml) |

-| Account disabled/blocked for sign-ins| Low| Azure AD Sign-ins log| Status = Failure<br>-and-<br>error code = 50057, The user account is disabled.| This could indicate someone is trying to gain access to an account once they have left an organization. Although the account is blocked, it is important to log and alert on this activity.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UserAccounts-BlockedAccounts.yaml) |

-| Authentications of privileged accounts outside of expected controls.| High| Azure AD Sign-ins log| Status = success<br>-and-<br>UserPricipalName = \<Admin account\><br>-and-<br>Location = \<unapproved location\><br>-and-<br>IP Address = \<unapproved IP\><br>Device Info= \<unapproved Browser, Operating System\><br>| Monitor and alert on successful authentication for privileged accounts outside of expected controls. Three common controls are listed. <br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AuthenticationsofPrivilegedAccountsOutsideofExpectedControls.yaml)<br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-| When only single-factor authentication is required.| Low| Azure AD Sign-ins log| Status = success<br>Authentication requirement = Single-factor authentication| Monitor periodically and ensure expected behavior.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UserAccounts-NewSingleFactorAuth.yaml)<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-| Successful authentications from countries your organization doesn't operate out of.| Medium| Azure AD Sign-ins log| Status = success<br>Location = \<unapproved country\>| Monitor and alert on any entries not equal to the city names you provide.<br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-| Successful authentication, session blocked by CA.| Medium| Azure AD Sign-ins log| Status = success<br>-and-<br>error code = 53003 ΓÇô Failure reason, blocked by CA| Monitor and investigate when authentication is successful, but session is blocked by CA.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/UserAccounts-CABlockedSigninSpikes.yaml)<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-| Successful authentication after you have disabled legacy authentication.| Medium| Azure AD Sign-ins log| status = success <br>-and-<br>Client app = Other Clients, POP, IMAP, MAPI, SMTP, ActiveSync| If your organization has disabled legacy authentication, monitor and alert when successful legacy authentication has taken place.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/9bd30c2d4f6a2de17956cd11536a83adcbfc1757/Hunting%20Queries/SigninLogs/LegacyAuthAttempt.yaml)<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-| Authentications to MBI and HBI application using single-factor authentication.| Low| Azure AD Sign-ins log| status = success<br>-and-<br>Application ID = \<HBI app\> <br>-and-<br>Authentication requirement = single-factor authentication.| Review and validate this configuration is intentional.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UserAccounts-NewSingleFactorAuth.yaml)<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-| Authentications at days and times of the week or year that countries do not conduct normal business operations.| Low| Azure AD Sign-ins log| Capture interactive authentication occurring outside of normal operating days\time. <br>Status = success<br>Location = \<location\><br>Date\Time = \<not normal working hours\>| Monitor and alert on authentications days and times of the week or year that countries do not conduct normal business operations.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UserAccounts-UnusualLogonTimes.yaml)<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-| Measurable increase of successful sign ins.| Low| Azure AD Sign-ins log| Capture increases in successful authentication across the board. That is, success totals for today are >10% on the same day, the previous week.| If you don't have a set threshold, monitor and alert if successful authentications increase by 10% or greater.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UserAccountsMeasurableincreaseofsuccessfulsignins.yaml)<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-[externalIdentitiesPolicy resource type](/graph/api/resources/externalidentitiespolicy?view=graph-rest-beta)

-Identity Protection risk detections (alerts) are now also available in Microsoft 365 Defender to provide a unified investigation experience for security professionals. For more information, see: [Investigate alerts in Microsoft 365 Defender](/microsoft-365/security/defender/investigate-alerts?view=o365-worldwide#alert-sources)

-We're delighted to announce a new security protection that prevents bypassing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD. When enabled for a federated domain in your Azure AD tenant, it ensures that a compromised federated account can't bypass Azure AD Multi-Factor Authentication by imitating that a multi factor authentication has already been performed by the identity provider. The protection can be enabled via new security setting, [federatedIdpMfaBehavior](/graph/api/resources/internaldomainfederation?view=graph-rest-beta#federatedidpmfabehavior-values).

-We're delighted to announce a new security protection that prevents bypassing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD. When enabled for a federated domain in your Azure AD tenant, it ensures that a compromised federated account can't bypass Azure AD Multi-Factor Authentication by imitating that a multi factor authentication has already been performed by the identity provider. The protection can be enabled via new security setting, [federatedIdpMfaBehavior](/graph/api/resources/internaldomainfederation?view=graph-rest-1.0#federatedidpmfabehavior-values).

-1. Import other modules that your script may require. For example, if you are using Identity Protection, then you may wish to import the **Microsoft.Graph.Identity.SignIns** module.

-Once your runbook is published, your can create a schedule in Azure Automation, and link your runbook to that schedule to run automatically. Scheduling runbooks from Azure Automation is suitable for runbooks that do not need to interact with other Azure or Office 365 services.

-1. Add the parameter **Runbook name** and type the name of the runbook to be started.

-1. You can then add more operations to the Logic App, such as the [**Parse JSON** action](../../logic-apps/logic-apps-perform-data-operations.md#parse-json-action), that use the **Content** returned when the runbook completes.

-* The Active Directory schema version and forest functional level must be Windows Server 2003 or later. The domain controllers can run any version as long as the schema version and forest-level requirements are met.

- - The servers where AD FS or Web Application Proxy are installed must be Windows Server 2012 R2 or later. Windows remote management must be enabled on these servers for remote installation.

-Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. You can learn more about O365 wizards [here](/microsoft-365/admin/misc/azure-ad-setup-guides?view=o365-worldwide)

-After you configure Salesforce, you can enforce Session Control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session Control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).

-> - Azure CNI Overlay does not currently support _v5 VM SKUs.

-> [!NOTE]

-> AKS provides the option to enable and disable the CSI drivers (preview) on new and existing clusters. CSI drivers are enabled by default on new clusters. You should verify that there are no existing Persistent Volumes created by Azure Disks and Azure Files CSI drivers and that there is not any existing VolumeSnapshot, VolumeSnapshotClass or VolumeSnapshotContent resources before running this command on existing cluster. This preview version is provided without a service level agreement, and you can occasionally expect breaking changes while in preview. The preview version isn't recommended for production workloads. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-* An Azure subscription. If you don't have an Azure subscription, you can create a [free account](https://azure.microsoft.com/free).

-* You also need the Azure CLI installed and configured. Run az --version to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].

-### Install the `aks-preview` Azure CLI

-You also need the *aks-preview* Azure CLI extension version 0.5.78 or later. Install the *aks-preview* Azure CLI extension by using the [az extension add][az-extension-add] command. Or install any available updates by using the [az extension update][az-extension-update] command.

-```azurecli-interactive

-# Install the aks-preview extension

-az extension add --name aks-preview

-# Update the extension to make sure you have the latest version installed

-az extension update --name aks-preview

-```

-`--enable-disk-driver` allows you enable the [Azure Disks CSI driver][azure-disk-csi]. `--enable-file-driver` allows you to enable the [Azure Files CSI driver][azure-files-csi]. `--enable-snapshot-controller` allows you to enable the [snapshot controller][snapshot-controller].

-recommendations: false

-description: Deploy a Java application with Azure Database for PostgreSQL server to Open Liberty/WebSphere Liberty on an Azure Kubernetes Service(AKS) cluster

-keywords: java, jakartaee, javaee, microprofile, open-liberty, websphere-liberty, aks, kubernetes

-# Deploy a Java application with Azure Database for PostgreSQL server to Open Liberty or WebSphere Liberty on an Azure Kubernetes Service (AKS) cluster

-This article demonstrates how to:

-* Run your Java, Java EE, Jakarta EE, or MicroProfile application on the Open Liberty or WebSphere Liberty runtime with a PostgreSQL DB connection.

-* Build the application Docker image using Open Liberty or WebSphere Liberty container images.

-* Deploy the containerized application to an AKS cluster using the Open Liberty Operator.

-The Open Liberty Operator simplifies the deployment and management of applications running on Kubernetes clusters. With Open Liberty Operator, you can also perform more advanced operations, such as gathering traces and dumps.

-For more information on Open Liberty, see [the Open Liberty project page](https://openliberty.io/). For more information on IBM WebSphere Liberty, see [the WebSphere Liberty product page](https://www.ibm.com/cloud/websphere-liberty).

-* This article requires at least version 2.31.0 of Azure CLI. If using Azure Cloud Shell, the latest version is already installed.

-* If running the commands in this guide locally (instead of Azure Cloud Shell):

- * Prepare a local machine with Unix-like operating system installed (for example, Ubuntu, macOS, Windows Subsystem for Linux).

- * Install a Java SE implementation (for example, [AdoptOpenJDK OpenJDK 8 LTS/OpenJ9](https://adoptopenjdk.net/?variant=openjdk8&jvmVariant=openj9)).

- * Install [Maven](https://maven.apache.org/download.cgi) 3.5.0 or higher.

- * Install [Docker](https://docs.docker.com/get-docker/) for your OS.

- * Create a user-assigned managed identity and assign `Owner` role or `Contributor` and `User Access Administrator` roles to that identity by following the steps in [Manage user-assigned managed identities](../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md). Assign `Directory readers` role to the identity in Azure AD by following [Assign Azure AD roles to users](../active-directory/roles/manage-roles-portal.md). Return to this document after creating the identity and assigning it the necessary roles.

-## Create a Jakarta EE runtime using the portal

-The steps in this section guide you to create a Jakarta EE runtime on AKS. After completing these steps, you will have an Azure Container Registry and an Azure Kubernetes Service cluster for the sample application.

-1. Visit the [Azure portal](https://portal.azure.com/). In the search box at the top of the page, type **IBM WebSphere Liberty and Open Liberty on Azure Kubernetes Service**. When the suggestions start appearing, select the one and only match that appears in the **Marketplace** section.

-1. Select **Create** to start.

-1. In the **Basics** tab, create a new resource group called *java-liberty-project-rg*.

-1. Select *East US* as **Region**.

-1. Select the user-assigned managed identity you created above.

-1. Leave all other values at the defaults and start creating the cluster by selecting **Review + create**.

-1. When the validation completes, select **Create**. This may take up to ten minutes.

-1. After the deployment is complete, select the resource group into which you deployed the resources.

- 1. In the list of resources in the resource group, select the resource with **Type** of **Container registry**.

- 1. Save aside the values for **Registry name**, **Login server**, **Username**, and **password**. You may use the copy icon at the right of each field to copy the value of that field to the system clipboard.

-1. Navigate again to the resource group into which you deployed the resources.

-1. In the **Settings** section, select **Deployments**.

-1. Select the bottom most deployment. The **Deployment name** will match the publisher ID of the offer. It will contain the string **ibm**.

-1. In the left pane, select **Outputs**.

-1. Using the same copy technique as with the preceding values, save aside the values for the following outputs:

- - **clusterName**

- - **appDeploymentTemplateYamlEncoded**

- - **cmdToConnectToCluster**

- These values will be used later in this article. Note that several other useful commands are listed in the outputs.

-## Create an Azure Database for PostgreSQL server

-The steps in this section guide you through creating an Azure Database for PostgreSQL server using the Azure CLI for use with your app.

-1. Create a resource group

- An Azure resource group is a logical group in which Azure resources are deployed and managed.

- Create a resource group called *java-liberty-project-postgresql* using the [az group create](/cli/azure/group#az-group-create) command in the *eastus* location.

- ```bash

- RESOURCE_GROUP_NAME=java-liberty-project-postgresql

- az group create --name $RESOURCE_GROUP_NAME --location eastus

- ```

-1. Create the PostgreSQL server

- Use the [az postgres server create](/cli/azure/postgres/server#az-postgres-server-create) command to create the DB server. The following example creates a DB server named *youruniquedbname*. Make sure *youruniqueacrname* is unique within Azure.

-

- > [!TIP]

- > To help ensure a globally unique name, prepend a disambiguation string such as your initials and the MMDD of today's date.

- ```bash

- export DB_NAME=youruniquedbname

- export DB_ADMIN_USERNAME=myadmin

- export DB_ADMIN_PASSWORD=<server_admin_password>

- az postgres server create --resource-group $RESOURCE_GROUP_NAME --name $DB_NAME --location eastus --admin-user $DB_ADMIN_USERNAME --admin-password $DB_ADMIN_PASSWORD --sku-name GP_Gen5_2

- ```

-1. Allow Azure Services, such as our Open Liberty and WebSphere Liberty application, to access the Azure PostgreSQL server.

- ```bash

- az postgres server firewall-rule create --resource-group $RESOURCE_GROUP_NAME \

- --server-name $DB_NAME \

- --name "AllowAllWindowsAzureIps" \

- --start-ip-address "0.0.0.0" \

- --end-ip-address "0.0.0.0"

- ```

-1. Allow your local IP address to access the Azure PostgreSQL server. This is necessary to allow the `liberty:devc` to access the database.

- ```bash

- az postgres server firewall-rule create --resource-group $RESOURCE_GROUP_NAME \

- --server-name $DB_NAME \

- --name "AllowMyIp" \

- --start-ip-address YOUR_IP_ADDRESS \

- --end-ip-address YOUR_IP_ADDRESS

- ```

-If you don't want to use the CLI, you may use the Azure portal by following the steps in [Quickstart: Create an Azure Database for PostgreSQL server by using the Azure portal](../postgresql/quickstart-create-server-database-portal.md). You must also grant access to Azure services by following the steps in [Firewall rules in Azure Database for PostgreSQL - Single Server](../postgresql/concepts-firewall-rules.md#connecting-from-azure). Return to this document after creating and configuring the database server.

-## Configure and deploy the sample application

-Follow the steps in this section to deploy the sample application on the Jakarta EE runtime. These steps use Maven and the `liberty-maven-plugin`. To learn more about the `liberty-maven-plugin` see [Building a web application with Maven](https://openliberty.io/guides/maven-intro.html).

-### Check out the application

-Clone the sample code for this guide. The sample is on [GitHub](https://github.com/Azure-Samples/open-liberty-on-aks).

-There are three samples in the repository. We will use *javaee-app-db-using-actions/postgres*. Here is the file structure of the application.

-```

-javaee-app-db-using-actions/postgres

-Γö£ΓöÇ src/main/

-Γöé Γö£ΓöÇ aks/

-Γöé Γöé Γö£ΓöÇ db-secret.yaml

-Γöé Γöé Γö£ΓöÇ openlibertyapplication.yaml

-Γöé Γö£ΓöÇ docker/

-Γöé Γöé Γö£ΓöÇ Dockerfile

-Γöé Γöé Γö£ΓöÇ Dockerfile-local

-Γöé Γöé Γö£ΓöÇ Dockerfile-wlp

-Γöé Γöé Γö£ΓöÇ Dockerfile-wlp-local

-Γöé Γö£ΓöÇ liberty/config/

-Γöé Γöé Γö£ΓöÇ server.xml

-Γöé Γö£ΓöÇ java/

-Γöé Γö£ΓöÇ resources/

-Γöé Γö£ΓöÇ webapp/

-Γö£ΓöÇ pom.xml

-```

-The directories *java*, *resources*, and *webapp* contain the source code of the sample application. The code declares and uses a data source named `jdbc/JavaEECafeDB`.

-In the *aks* directory, we placed two deployment files. *db-secret.xml* is used to create [Kubernetes Secrets](https://kubernetes.io/docs/concepts/configuration/secret/) with DB connection credentials. The file *openlibertyapplication.yaml* is used to deploy the application image.

-In the *docker* directory, we placed four Dockerfiles. *Dockerfile-local* is used for local debugging, and *Dockerfile* is used to build the image for an AKS deployment. These two files work with Open Liberty. *Dockerfile-wlp-local* and *Dockerfile-wlp* are also used for local debugging and to build the image for an AKS deployment respectively, but instead work with WebSphere Liberty.

-In directory *liberty/config*, the *server.xml* is used to configure the DB connection for the Open Liberty and WebSphere Liberty cluster.

-### Acquire necessary variables from AKS deployment

-After the offer is successfully deployed, an AKS cluster will be generated automatically. The AKS cluster is configured to connect to the ACR. Before we get started with the application, we need to extract the namespace configured for the AKS.

-1. Run the following command to print the current deployment file, using the `appDeploymentTemplateYamlEncoded` you saved above. The output contains all the variables we need.

- ```bash

- echo <appDeploymentTemplateYamlEncoded> | base64 -d

- ```

-1. Save the `metadata.namespace` from this yaml output aside for later use in this article.

-### Build the project

-Now that you have gathered the necessary properties, you can build the application. The POM file for the project reads many properties from the environment.

-```bash

-cd <path-to-your-repo>/javaee-app-db-using-actions/postgres

-# The following variables will be used for deployment file generation

-export LOGIN_SERVER=<Azure_Container_Registery_Login_Server_URL>

-export REGISTRY_NAME=<Azure_Container_Registery_Name>

-export USER_NAME=<Azure_Container_Registery_Username>

-export PASSWORD=<Azure_Container_Registery_Password>

-export DB_SERVER_NAME=${DB_NAME}.postgres.database.azure.com

-export DB_PORT_NUMBER=5432

-export DB_TYPE=postgres

-export DB_USER=${DB_ADMIN_USERNAME}@${DB_NAME}

-export DB_PASSWORD=${DB_ADMIN_PASSWORD}

-export NAMESPACE=<metadata.namespace>

-mvn clean install

-```

-### Test your project locally

-Use the `liberty:devc` command to run and test the project locally before dealing with any Azure complexity. For more information on `liberty:devc`, see the [Liberty Plugin documentation](https://github.com/OpenLiberty/ci.maven/blob/main/docs/dev.md#devc-container-mode).

-In the sample application, we've prepared *Dockerfile-local* and *Dockerfile-wlp-local* for use with `liberty:devc`.

-1. Start your local docker environment if you haven't done so already. The instructions for doing this vary depending on the host operating system.

-1. Start the application in `liberty:devc` mode

- ```bash

- cd <path-to-your-repo>/javaee-app-db-using-actions/postgres

- # If you are running with Open Liberty

- mvn liberty:devc -Ddb.server.name=${DB_SERVER_NAME} -Ddb.port.number=${DB_PORT_NUMBER} -Ddb.name=${DB_TYPE} -Ddb.user=${DB_USER} -Ddb.password=${DB_PASSWORD} -Ddockerfile=target/Dockerfile-local

- # If you are running with WebSphere Liberty

- mvn liberty:devc -Ddb.server.name=${DB_SERVER_NAME} -Ddb.port.number=${DB_PORT_NUMBER} -Ddb.name=${DB_TYPE} -Ddb.user=${DB_USER} -Ddb.password=${DB_PASSWORD} -Ddockerfile=target/Dockerfile-wlp-local

- ```

-1. Verify the application works as expected. You should see a message similar to `[INFO] [AUDIT] CWWKZ0003I: The application javaee-cafe updated in 1.930 seconds.` in the command output if successful. Go to `http://localhost:9080/` in your browser and verify the application is accessible and all functions are working.

-1. Press `Ctrl+C` to stop `liberty:devc` mode.

-### Build image for AKS deployment

-After successfully running the app in the Liberty Docker container, you can run the `docker build` command to build the image.

-```bash

-cd <path-to-your-repo>/javaee-app-db-using-actions/postgres

-# Fetch maven artifactId as image name, maven build version as image version

-IMAGE_NAME=$(mvn -q -Dexec.executable=echo -Dexec.args='${project.artifactId}' --non-recursive exec:exec)

-IMAGE_VERSION=$(mvn -q -Dexec.executable=echo -Dexec.args='${project.version}' --non-recursive exec:exec)

-cd <path-to-your-repo>/javaee-app-db-using-actions/postgres/target

-# If you are running with Open Liberty

-docker build -t ${IMAGE_NAME}:${IMAGE_VERSION} --pull --file=Dockerfile .

-# If you are running with WebSphere Liberty

-docker build -t ${IMAGE_NAME}:${IMAGE_VERSION} --pull --file=Dockerfile-wlp .

-```

-### Upload image to ACR

-Now, we upload the built image to the ACR created in the offer.

-```bash

-docker tag ${IMAGE_NAME}:${IMAGE_VERSION} ${LOGIN_SERVER}/${IMAGE_NAME}:${IMAGE_VERSION}

-docker login -u ${USER_NAME} -p ${PASSWORD} ${LOGIN_SERVER}

-docker push ${LOGIN_SERVER}/${IMAGE_NAME}:${IMAGE_VERSION}

-```

-### Deploy and test the application

-The steps in this section deploy and test the application.

-1. Connect to the AKS cluster

- Paste the value of **cmdToConnectToCluster** into a bash shell.

-1. Apply the DB secret

- ```bash

- kubectl apply -f <path-to-your-repo>/javaee-app-db-using-actions/postgres/target/db-secret.yaml

- ```

- You will see the output `secret/db-secret-postgres created`.

-1. Apply the deployment file

- ```bash

- kubectl apply -f <path-to-your-repo>/javaee-app-db-using-actions/postgres/target/openlibertyapplication.yaml

- ```

-1. Wait for the pods to be restarted

- Wait until all pods are restarted successfully using the following command.

- ```bash

- kubectl get pods -n $NAMESPACE --watch

- ```

- You should see output similar to the following to indicate that all the pods are running.

- ```bash

- NAME READY STATUS RESTARTS AGE

- javaee-cafe-cluster-67cdc95bc-2j2gr 1/1 Running 0 29s

- javaee-cafe-cluster-67cdc95bc-fgtt8 1/1 Running 0 29s

- javaee-cafe-cluster-67cdc95bc-h47qm 1/1 Running 0 29s

- ```

-1. Verify the results

- 1. Get endpoint of the deployed service

- ```bash

- kubectl get service -n $NAMESPACE

- ```

- 1. Go to `EXTERNAL-IP:9080` to test the application.

-## Clean up resources

-To avoid Azure charges, you should clean up unnecessary resources. When the cluster is no longer needed, use the [az group delete](/cli/azure/group#az-group-delete) command to remove the resource group, container service, container registry, and all related resources.

-```azurecli-interactive

-az group delete --name <RESOURCE_GROUP_NAME> --yes --no-wait

-```

-## Next steps

-* [Azure Kubernetes Service](https://azure.microsoft.com/free/services/kubernetes-service/)

-* [Azure Database for PostgreSQL](https://azure.microsoft.com/services/postgresql/)

-* [Open Liberty](https://openliberty.io/)

-* [Open Liberty Operator](https://github.com/OpenLiberty/open-liberty-operator)

-* [Open Liberty Server Configuration](https://openliberty.io/docs/ref/config/)

-description: Deploy a Java application with Open Liberty or WebSphere Liberty on an Azure Kubernetes Service (AKS) cluster.

-This article demonstrates how to:

-* Build the application Docker image using Open Liberty container images.

-* Deploy the containerized application to an AKS cluster using the Open Liberty Operator.

-The Open Liberty Operator simplifies the deployment and management of applications running on Kubernetes clusters. With Open Liberty Operator, you can also perform more advanced operations, such as gathering traces and dumps.

-For more details on Open Liberty, see [the Open Liberty project page](https://openliberty.io/). For more details on IBM WebSphere Liberty, see [the WebSphere Liberty product page](https://www.ibm.com/cloud/websphere-liberty).

-* This article requires the latest version of Azure CLI. If using Azure Cloud Shell, the latest version is already installed.

- * Install a Java SE implementation (for example, [AdoptOpenJDK OpenJDK 8 LTS/OpenJ9](https://adoptopenjdk.net/?variant=openjdk8&jvmVariant=openj9)).

-* Please make sure you have been assigned either `Owner` role or `Contributor` and `User Access Administrator` roles of the subscription. You can verify it by following steps in [List role assignments for a user or group](../role-based-access-control/role-assignments-list-portal.md#list-role-assignments-for-a-user-or-group)

-## Create a resource group

-An Azure resource group is a logical group in which Azure resources are deployed and managed.

-Create a resource group called *java-liberty-project* using the [az group create](/cli/azure/group#az-group-create) command in the *eastus* location. This resource group will be used later for creating the Azure Container Registry (ACR) instance and the AKS cluster.

-```azurecli-interactive

-RESOURCE_GROUP_NAME=java-liberty-project

-az group create --name $RESOURCE_GROUP_NAME --location eastus

-```

-## Create an ACR instance

-Use the [az acr create](/cli/azure/acr#az-acr-create) command to create the ACR instance. The following example creates an ACR instance named *youruniqueacrname*. Make sure *youruniqueacrname* is unique within Azure.

-```azurecli-interactive

-export REGISTRY_NAME=youruniqueacrname

-az acr create --resource-group $RESOURCE_GROUP_NAME --name $REGISTRY_NAME --sku Basic --admin-enabled

-```

-After a short time, you should see a JSON output that contains:

-```output

- "provisioningState": "Succeeded",

- "publicNetworkAccess": "Enabled",

- "resourceGroup": "java-liberty-project",

-```

-### Connect to the ACR instance

-You will need to sign in to the ACR instance before you can push an image to it. Run the following commands to verify the connection:

-```azurecli-interactive

-export LOGIN_SERVER=$(az acr show -n $REGISTRY_NAME --query 'loginServer' -o tsv)

-export USER_NAME=$(az acr credential show -n $REGISTRY_NAME --query 'username' -o tsv)

-export PASSWORD=$(az acr credential show -n $REGISTRY_NAME --query 'passwords[0].value' -o tsv)

-docker login $LOGIN_SERVER -u $USER_NAME -p $PASSWORD

-```

-You should see `Login Succeeded` at the end of command output if you have logged into the ACR instance successfully.

-## Create an AKS cluster

-Use the [az aks create](/cli/azure/aks#az-aks-create) command to create an AKS cluster. The following example creates a cluster named *myAKSCluster* with one node. This will take several minutes to complete.

-```azurecli-interactive

-CLUSTER_NAME=myAKSCluster

-az aks create --resource-group $RESOURCE_GROUP_NAME --name $CLUSTER_NAME --node-count 1 --generate-ssh-keys --enable-managed-identity

-```

-After a few minutes, the command completes and returns JSON-formatted information about the cluster, including the following:

-```output

- "nodeResourceGroup": "MC_java-liberty-project_myAKSCluster_eastus",

- "privateFqdn": null,

- "provisioningState": "Succeeded",

- "resourceGroup": "java-liberty-project",

-```

-### Connect to the AKS cluster

-To manage a Kubernetes cluster, you use [kubectl](https://kubernetes.io/docs/reference/kubectl/overview/), the Kubernetes command-line client. If you use Azure Cloud Shell, `kubectl` is already installed. To install `kubectl` locally, use the [az aks install-cli](/cli/azure/aks#az-aks-install-cli) command:

-```azurecli-interactive

-az aks install-cli

-```

-To configure `kubectl` to connect to your Kubernetes cluster, use the [az aks get-credentials](/cli/azure/aks#az-aks-get-credentials) command. This command downloads credentials and configures the Kubernetes CLI to use them.

-```azurecli-interactive

-az aks get-credentials --resource-group $RESOURCE_GROUP_NAME --name $CLUSTER_NAME --overwrite-existing

-```

-> [!NOTE]

-> The above command uses the default location for the [Kubernetes configuration file](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/), which is `~/.kube/config`. You can specify a different location for your Kubernetes configuration file using *--file*.

-To verify the connection to your cluster, use the [kubectl get]( https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#get) command to return a list of the cluster nodes.

-```azurecli-interactive

-kubectl get nodes

-```

-The following example output shows the single node created in the previous steps. Make sure that the status of the node is *Ready*:

-```output

-NAME STATUS ROLES AGE VERSION

-aks-nodepool1-xxxxxxxx-yyyyyyyyyy Ready agent 76s v1.18.10

-```

-The steps in this section guide you through creating an Azure SQL Database single database for use with your app. If your application doesn't require a database, you can skip this section.

-1. Create a single database in Azure SQL Database by following the steps in: [Quickstart: Create an Azure SQL Database single database](/azure/azure-sql/database/single-database-create-quickstart). Return to this document after creating and configuring the database server.

- > [!NOTE]

- >

- > * At the **Basics** step, write down **Database name**, ***Server name**.database.windows.net*, **Server admin login** and **Password**.

- > * At the **Networking** step, set **Connectivity method** to **Public endpoint**, **Allow Azure services and resources to access this server** to **Yes**, and **Add current client IP address** to **Yes**.

- >

- > 

-2. Once your database is created, open **your SQL server** > **Firewalls and virtual networks**. Set **Minimal TLS Version** to **> 1.0** and select **Save**.

- 

-3. Open **your SQL database** > **Connection strings** > Select **JDBC**. Write down the **Port number** following sql server address. For example, **1433** is the port number in the example below.

- 

-## Install Open Liberty Operator

-After creating and connecting to the cluster, install the [Open Liberty Operator](https://github.com/OpenLiberty/open-liberty-operator/tree/main/deploy/releases/0.8.0#option-2-install-using-kustomize) by running the following commands.

-```azurecli-interactive

-# Install Open Liberty Operator

-OPERATOR_VERSION=0.8.2

-mkdir -p overlays/watch-all-namespaces

-wget https://raw.githubusercontent.com/OpenLiberty/open-liberty-operator/main/deploy/releases/${OPERATOR_VERSION}/kustomize/overlays/watch-all-namespaces/olo-all-namespaces.yaml -q -P ./overlays/watch-all-namespaces

-wget https://raw.githubusercontent.com/OpenLiberty/open-liberty-operator/main/deploy/releases/${OPERATOR_VERSION}/kustomize/overlays/watch-all-namespaces/cluster-roles.yaml -q -P ./overlays/watch-all-namespaces

-wget https://raw.githubusercontent.com/OpenLiberty/open-liberty-operator/main/deploy/releases/${OPERATOR_VERSION}/kustomize/overlays/watch-all-namespaces/kustomization.yaml -q -P ./overlays/watch-all-namespaces

-mkdir base

-wget https://raw.githubusercontent.com/OpenLiberty/open-liberty-operator/main/deploy/releases/${OPERATOR_VERSION}/kustomize/base/kustomization.yaml -q -P ./base

-wget https://raw.githubusercontent.com/OpenLiberty/open-liberty-operator/main/deploy/releases/${OPERATOR_VERSION}/kustomize/base/open-liberty-crd.yaml -q -P ./base

-wget https://raw.githubusercontent.com/OpenLiberty/open-liberty-operator/main/deploy/releases/${OPERATOR_VERSION}/kustomize/base/open-liberty-operator.yaml -q -P ./base

-kubectl apply -k overlays/watch-all-namespaces

-```

-## Configure and build the application image

-To deploy and run your Liberty application on the AKS cluster, containerize your application as a Docker image using [Open Liberty container images](https://github.com/OpenLiberty/ci.docker) or [WebSphere Liberty container images](https://github.com/WASdev/ci.docker).

-# [with DB connection](#tab/with-sql)

-Follow the steps in this section to deploy the sample application on the Jakarta EE runtime. These steps use Maven and the `liberty-maven-plugin`. To learn more about the `liberty-maven-plugin`, see [Building a web application with Maven](https://openliberty.io/guides/maven-intro.html).

-Clone the sample code for this guide. The sample is on [GitHub](https://github.com/Azure-Samples/open-liberty-on-aks).

-There are three samples in the repository. We will use *javaee-app-db-using-actions/mssql*. Here is the file structure of the application.

-javaee-app-db-using-actions/mssql

-In the *docker* directory, we place four Dockerfiles. *Dockerfile-local* is used for local debugging, and *Dockerfile* is used to build the image for an AKS deployment. These two files work with Open Liberty. *Dockerfile-wlp-local* and *Dockerfile-wlp* are also used for local debugging and to build the image for an AKS deployment respectively, but instead work with WebSphere Liberty.

-In the *liberty/config* directory, the *server.xml* is used to configure the DB connection for the Open Liberty and WebSphere Liberty cluster.

-### Build project

-Now that you have gathered the necessary properties, you can build the application. The POM file for the project reads many properties from the environment.

-cd <path-to-your-repo>/javaee-app-db-using-actions/mssql

-export LOGIN_SERVER=${LOGIN_SERVER}

-export REGISTRY_NAME=${REGISTRY_NAME}

-export USER_NAME=${USER_NAME}

-export PASSWORD=${PASSWORD}

-export NAMESPACE=default

-Use the `liberty:devc` command to run and test the project locally before dealing with any Azure complexity. For more information on `liberty:devc`, see the [Liberty Plugin documentation](https://github.com/OpenLiberty/ci.maven/blob/main/docs/dev.md#devc-container-mode).

- ```bash

- cd <path-to-your-repo>/javaee-app-db-using-actions/mssql

- # If you are running with Open Liberty

- mvn liberty:devc -Ddb.server.name=${DB_SERVER_NAME} -Ddb.port.number=${DB_PORT_NUMBER} -Ddb.name=${DB_NAME} -Ddb.user=${DB_USER} -Ddb.password=${DB_PASSWORD} -Ddockerfile=target/Dockerfile-local

- # If you are running with WebSphere Liberty

- mvn liberty:devc -Ddb.server.name=${DB_SERVER_NAME} -Ddb.port.number=${DB_PORT_NUMBER} -Ddb.name=${DB_NAME} -Ddb.user=${DB_USER} -Ddb.password=${DB_PASSWORD} -Ddockerfile=target/Dockerfile-wlp-local

- ```

-1. Verify the application works as expected. You should see a message similar to `[INFO] [AUDIT] CWWKZ0003I: The application javaee-cafe updated in 1.930 seconds.` in the command output if successful. Go to `http://localhost:9080/` in your browser to verify the application is accessible and all functions are working.

-cd <path-to-your-repo>/javaee-app-db-using-actions/mssql

-IMAGE_NAME=$(mvn -q -Dexec.executable=echo -Dexec.args='${project.artifactId}' --non-recursive exec:exec)

-IMAGE_VERSION=$(mvn -q -Dexec.executable=echo -Dexec.args='${project.version}' --non-recursive exec:exec)

-cd <path-to-your-repo>/javaee-app-db-using-actions/mssql/target

-Now, we upload the built image to the ACR created in the previous steps.

-# [without DB connection](#tab/without-sql)

-1. Clone the sample code for this guide. The sample is on [GitHub](https://github.com/Azure-Samples/open-liberty-on-aks).

-1. Change directory to `javaee-app-simple-cluster` of your local clone.

-1. Run `mvn clean package` to package the application.

-1. Run `mvn liberty:dev` to test the application. You should see `The defaultServer server is ready to run a smarter planet.` in the command output if successful. Use `CTRL-C` to stop the application.

-1. Retrieve values for properties `artifactId` and `version` defined in the `pom.xml`.

- ```azurecli-interactive

- artifactId=$(mvn -q -Dexec.executable=echo -Dexec.args='${project.artifactId}' --non-recursive exec:exec)

- version=$(mvn -q -Dexec.executable=echo -Dexec.args='${project.version}' --non-recursive exec:exec)

- ```

-1. Run `cd target` to change directory to the build of the sample.

-1. Run one of the following commands to build the application image and push it to the ACR instance.

- * Build with Open Liberty base image if you prefer to use Open Liberty as a lightweight open source JavaΓäó runtime:

- ```azurecli-interactive

- # Build and tag application image. This will cause the ACR instance to pull the necessary Open Liberty base images.

- az acr build -t ${artifactId}:${version} -r $REGISTRY_NAME .

- ```

- * Build with WebSphere Liberty base image if you prefer to use a commercial version of Open Liberty:

- ```azurecli-interactive

- # Build and tag application image. This will cause the ACR instance to pull the necessary WebSphere Liberty base images.

- az acr build -t ${artifactId}:${version} -r $REGISTRY_NAME --file=Dockerfile-wlp .

- ```

-## Deploy application on the AKS cluster

-The steps in this section deploy the application.

-# [with DB connection](#tab/with-sql)

-Follow steps below to deploy the Liberty application on the AKS cluster.

-1. Attach the ACR instance to the AKS cluster so that the AKS cluster is authenticated to pull image from the ACR instance.

- ```azurecli-interactive

- az aks update -n $CLUSTER_NAME -g $RESOURCE_GROUP_NAME --attach-acr $REGISTRY_NAME

- ```

-1. Retrieve the value for `artifactId` defined in `pom.xml`.

- cd <path-to-your-repo>/javaee-app-db-using-actions/mssql

- artifactId=$(mvn -q -Dexec.executable=echo -Dexec.args='${project.artifactId}' --non-recursive exec:exec)

-1. Apply the DB secret and deployment file by running the following command:

- ```bash

- cd <path-to-your-repo>/javaee-app-db-using-actions/mssql/target

-

- # Apply DB secret

- kubectl apply -f <path-to-your-repo>/javaee-app-db-using-actions/mssql/target/db-secret.yaml

- # Apply deployment file

- kubectl apply -f <path-to-your-repo>/javaee-app-db-using-actions/mssql/target/openlibertyapplication.yaml

- # Check if OpenLibertyApplication instance is created

- kubectl get openlibertyapplication ${artifactId}-cluster

- NAME IMAGE EXPOSED RECONCILED AGE

- javaee-cafe-cluster youruniqueacrname.azurecr.io/javaee-cafe:1.0.25 True 59s

- # Check if deployment created by Operator is ready

- kubectl get deployment ${artifactId}-cluster --watch

- NAME READY UP-TO-DATE AVAILABLE AGE

- javaee-cafe-cluster 0/3 3 0 20s

-1. Wait until you see `3/3` under the `READY` column and `3` under the `AVAILABLE` column, then use `CTRL-C` to stop the `kubectl` watch process.

-# [without DB connection](#tab/without-sql)

-Follow steps below to deploy the Liberty application on the AKS cluster.

-1. Attach the ACR instance to the AKS cluster so that the AKS cluster is authenticated to pull image from the ACR instance.

- ```azurecli-interactive

- az aks update -n $CLUSTER_NAME -g $RESOURCE_GROUP_NAME --attach-acr $REGISTRY_NAME

-1. Verify the current working directory is `javaee-app-simple-cluster/target` of your local clone.

-1. Run the following commands to deploy your Liberty application with 3 replicas to the AKS cluster. Command output is also shown inline.

- ```azurecli-interactive

- # Create OpenLibertyApplication "javaee-cafe-cluster"

- kubectl apply -f openlibertyapplication.yaml

- openlibertyapplication.openliberty.io/javaee-cafe-cluster created

- # Check if OpenLibertyApplication instance is created

- kubectl get openlibertyapplication ${artifactId}-cluster

- NAME IMAGE EXPOSED RECONCILED AGE

- javaee-cafe-cluster youruniqueacrname.azurecr.io/javaee-cafe:1.0.25 True 59s

- # Check if deployment created by Operator is ready

- kubectl get deployment ${artifactId}-cluster --watch

- NAME READY UP-TO-DATE AVAILABLE AGE

- javaee-cafe-cluster 0/3 3 0 20s

-1. Wait until you see `3/3` under the `READY` column and `3` under the `AVAILABLE` column, use `CTRL-C` to stop the `kubectl` watch process.

-### Test the application

-When the application runs, a Kubernetes load balancer service exposes the application front end to the internet. This process can take a while to complete.

-To monitor progress, use the [kubectl get service](https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#get) command with the `--watch` argument.

-```azurecli-interactive

-kubectl get service ${artifactId}-cluster --watch

-NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE

-javaee-cafe-cluster LoadBalancer 10.0.251.169 52.152.189.57 80:31732/TCP 68s

-```

-Once the *EXTERNAL-IP* address changes from *pending* to an actual public IP address, use `CTRL-C` to stop the `kubectl` watch process.

-Open a web browser to the external IP address of your service (`52.152.189.57` for the above example) to see the application home page. You should see the pod name of your application replicas displayed at the top-left of the page. Wait for a few minutes and refresh the page to see a different pod name displayed due to load balancing provided by the AKS cluster.

->[!NOTE]

-> - Currently the application is not using HTTPS. It is recommended to [ENABLE TLS with your own certificates](ingress-own-tls.md).

-## Clean up the resources

-You can learn more from references used in this guide:

-* [Liberty Maven Plugin](https://github.com/OpenLiberty/ci.maven#liberty-maven-plugin)

-* [Open Liberty Container Images](https://github.com/OpenLiberty/ci.docker)

-* [WebSphere Liberty Container Images](https://github.com/WASdev/ci.docker)

-It's common to use pipelines to build and deploy images on Azure Kubernetes Service (AKS) clusters. While great for image creation, this process often doesn't account for the stale images left behind and can lead to image bloat on cluster nodes. These images can present security issues as they may contain vulnerabilities. By cleaning these unreferenced images, you can remove an area of risk in your clusters. When done manually, this process can be time intensive, which ImageCleaner can mitigate via automatic image identification and removal.

-* Azure CLI, PowerShell, and SDK currently do not support management operations of WebSocket APIs.

-* Currently, the set header policy doesn't support changing certain well-known headers, including `Host` headers, in onHandshake requests.

-1. In the **Type** drop-down list, select the type of rule.

-The different types of rules are described in the following sections.

-1. On the **Edit Access Restriction** pane, make your changes, and then select **Update rule**. Edits are effective immediately, including changes in priority ordering.

-To delete a rule, on the **Access Restrictions** page, select the ellipsis (**...**) next to the rule you want to delete, and then select **Remove**.

-When you add your first access restriction rule, the service adds an explicit *Deny all* rule with a priority of 2147483647. In practice, the explicit *Deny all* rule is the final rule to be executed, and it blocks access to any IP address that's not explicitly allowed by an *Allow* rule.

-For a scenario where you want to explicitly block a single IP address or a block of IP addresses, but allow access to everything else, add an explicit *Allow All* rule.

-In addition to being able to control access to your app, you can restrict access to the SCM site that's used by your app. The SCM site is both the web deploy endpoint and the Kudu console. You can assign access restrictions to the SCM site from the app separately or use the same set of restrictions for both the app and the SCM site. When you select the **Same restrictions as \<app name>** check box, everything is blanked out. If you clear the check box, your SCM site settings are reapplied.

- > [!NOTE]

- > Working with service tags, http headers or multi-source rules in Azure CLI requires at least version 2.23.0. You can verify the version of the installed module with: ```az version```

- > [!NOTE]

- > Working with service tags, http headers or multi-source rules in Azure PowerShell requires at least version 5.7.0. You can verify the version of the installed module with: ```Get-InstalledModule -Name Az```

-There are a number of addresses that are used for outbound calls. The outbound addresses used by your app for making outbound calls are listed in the properties for your app. These addresses are shared by all the apps running on the same worker VM family in the App Service deployment. If you want to see all the addresses that your app might use in a scale unit, there's property called `possibleOutboundAddresses` that will list them.

-App Service has a number of endpoints that are used to manage the service. Those addresses are published in a separate document and are also in the `AppServiceManagement` IP service tag. The `AppServiceManagement` tag is used only in App Service Environments where you need to allow such traffic. The App Service inbound addresses are tracked in the `AppService` IP service tag. There's no IP service tag that contains the outbound addresses used by App Service.

-Access restrictions let you filter *inbound* requests. The filtering action takes place on the front-end roles that are upstream from the worker roles where your apps are running. Because the front-end roles are upstream from the workers, you can think of access restrictions as network-level protection for your apps.

-This feature allows you to build a list of allow and deny rules that are evaluated in priority order. It's similar to the network security group (NSG) feature in Azure networking. You can use this feature in an ASE or in the multi-tenant service. When you use it with an ILB ASE, you can restrict access from private address blocks.

-#### IP-based access restriction rules

-The IP-based access restrictions feature helps when you want to restrict the IP addresses that can be used to reach your app. Both IPv4 and IPv6 are supported. Some use cases for this feature:

-* Restrict access to your app from a set of well-defined addresses.

-* Restrict access to traffic coming through an external load-balancing service or other network appliances with known egress IP addresses.

-To learn how to enable this feature, see [Configuring access restrictions][iprestrictions].

-> [!NOTE]

-> IP-based access restriction rules only handle virtual network address ranges when your app is in an App Service Environment. If your app is in the multi-tenant service, you need to use [service endpoints](../virtual-network/virtual-network-service-endpoints-overview.md) to restrict traffic to select subnets in your virtual network.

-#### Access restriction rules based on service endpoints

-Service endpoints allow you to lock down *inbound* access to your app so that the source address must come from a set of subnets that you select. This feature works together with IP access restrictions. Service endpoints aren't compatible with remote debugging. If you want to use remote debugging with your app, your client can't be in a subnet that has service endpoints enabled. The process for setting service endpoints is similar to the process for setting IP access restrictions. You can build an allow/deny list of access rules that includes public addresses and subnets in your virtual networks.

-> [!NOTE]

-> Access restriction rules based on service endpoints are not supported on apps that use IP-based SSL ([App-assigned address](#app-assigned-address)).

-Some use cases for this feature:

-* Set up an application gateway with your app to lock down inbound traffic to your app.

-* Restrict access to your app to resources in your virtual network. These resources can include VMs, ASEs, or even other apps that use virtual network integration.

-

-To learn more about configuring service endpoints with your app, see [Azure App Service access restrictions][serviceendpoints].

-#### Access restriction rules based on service tags

-[Azure service tags][servicetags] are well defined sets of IP addresses for Azure services. Service tags group the IP ranges used in various Azure services and is often also further scoped to specific regions. This allows you to filter *inbound* traffic from specific Azure services.

-For a full list of tags and more information, visit the service tag link above.

-To learn how to enable this feature, see [Configuring access restrictions][iprestrictions].

-#### Http header filtering for access restriction rules

-For each access restriction rule, you can add additional http header filtering. This allows you to further inspect the incoming request and filter based on specific http header values. Each header can have up to eight values per rule. The following list of http headers is currently supported:

-* X-Forwarded-For

-* X-Forwarded-Host

-* X-Azure-FDID

-* X-FD-HealthProbe

-Some use cases for http header filtering are:

-* Restrict access to traffic from proxy servers forwarding the host name

-* Restrict access to a specific Azure Front Door instance with a service tag rule and X-Azure-FDID header restriction

-Note that App Service Hybrid Connections is unaware of what you're doing on top of it. So you can use it to access a database, a web service, or an arbitrary TCP socket on a mainframe. The feature essentially tunnels TCP packets.

-This feature solves the problem of accessing resources in other virtual networks. It can even be used to connect through a virtual network to either other virtual networks or on-premises. It doesn't work with ExpressRoute-connected virtual networks, but it does work with site-to-site VPN-connected networks. It's usually inappropriate to use this feature from an app in an App Service Environment (ASE) because the ASE is already in your virtual network. Use cases for this feature:

-With an ASE, you don't need to use virtual network integration because the ASE is already in your virtual network. If you want to access resources like SQL or Azure Storage over service endpoints, enable service endpoints on the ASE subnet. If you want to access resources in the virtual network or private endpoints in the virtual network, you don't need to do any additional configuration. If you want to access resources across ExpressRoute, you're already in the virtual network and don't need to configure anything on the ASE or the apps in it.

-* When you use service endpoints, you only need to secure traffic to your API app to the integration subnet. Service endpoints helps to secure the API app, but you could still have data exfiltration from your front-end app to other apps in the app service.

-[iprestrictions]: ./app-service-ip-restrictions.md

-| **Max number of pages (Analysis)** | 2 | No limit |

-> [Resiliency and Disaster Recovery](./concept-disaster-recovery.md)

- If the certificate is missing, please contact support.

-8. Under **Region**, select an Azure location where the resource metadata will be stored. Currently, supported regions are **East US** and **West Europe**.

- | **Storage Account** | Drop-down and select your storage account. | Choose a storage account in the same region and subscription as the cache. A **Premium Storage** account is recommended because it has higher throughput. Also, using the soft delete feature on the storage account could lead to increased storage costs. For more information, see [Pricing and billing](../storage/blobs/soft-delete-blob-overview.md). |

- | **First Storage Account** | Drop-down and select your storage account. | Choose a storage account in the same region and subscription as the cache. A **Premium Storage** account is recommended because it has higher throughput. Also, using the soft delete feature on the storage account could lead to increased storage costs. For more information, see [Pricing and billing](../storage/blobs/soft-delete-blob-overview.md). |

-Soft delete isn't recommended. RDB and AOF persistence can write to your blobs as frequently as every hour, every few minutes, or every second. Also, enabling soft delete on a storage account means Azure Cache for Redis can't minimize storage costs by deleting the old backup data. Soft delete can quickly become expensive with the typical data sizes of a cache and write operations every second. For more information on soft delete costs, see [Pricing and billing](../storage/blobs/soft-delete-blob-overview.md).

-You can connect to Azure Fluid Relay by providing the tenant ID and key that is uniquely generated for you when creating the Azure resource. You can build your own token provider implementation or you can use the two token provider implementations that the Fluid Framework provides: [InsecureTokenProvider](https://fluidframework.com/docs/apis/test-client-utils/insecuretokenprovider) and [AzureFunctionTokenProvider](https://fluidframework.com/docs/apis/azure-client/azurefunctiontokenprovider).

-> Beginning on December 3, 2022, function apps running on versions 2.x and 3.x of the Azure Functions runtime can no longer be supported. Before that time, please test, verify, and migrate your function apps to version 4.x of the Functions runtime. For more information, see [Migrating from 3.x to 4.x](#migrating-from-3x-to-4x).

-Azure Functions runtime is built around various components, including operating systems, the Azure Functions host, and language-specific workers. To maintain full support coverages for function apps, Azure Functions uses a phased reduction in support as programming language versions reach their end-of-life dates. For most language versions, the retirement date coincides with the community end-of-life date.

-Starting on the end-of-life date for a language version, you can no longer create new function apps targeting that language version.

-After the language end-of-life date, function apps that use retired language versions won't be eligible for new features, security patches, and performance optimizations. However, these function apps will continue to run on the platform.

->If you're running functions apps using an unsupported language version, you'll be required to upgrade before receiving support for the function apps.

-|.NET 5|8 May 2022|TBA|

-|Node 6|30 April 2019|28 February 2022|

-|Node 8|31 December 2019|28 February 2022|

-|Node 10|30 April 2021|30 September 2022|

-|Node 12|30 Apr 2022|TBA|

-|[Amalgama Technologies Inc](http://amalgamatetech.com/)|

-## Can I deploy Azure Monitor Agent?

-Deploy Azure Monitor Agent on all new virtual machines to collect data for [supported services and features](#supported-services-and-features).

-If you have virtual machines already deployed with legacy agents, we recommend you [check whether Azure Monitor Agent supports your monitoring needs](#compare-to-legacy-agents) and [migrate to Azure Monitor Agent](./azure-monitor-agent-migration.md) as soon as possible.

- | Global | The action groups service decides where to store the action group. The action group is persisted in at least two regions to ensure regional resiliency. Processing of actions may be done in any [geographic region](/global-infrastructure/geographies/#overview).<br></br>Voice, SMS and email actions performed as the result of [service health alerts](/azure/service-health/alerts-activity-log-service-notifications-portal) are resilient to Azure live-site-incidents. |

- | Regional | The action group is stored within the selected region. The action group is [zone-redundant](/azure/availability-zones/az-region#highly-available-services). Processing of actions is performed within the region.</br></br>Use this option if you want to ensure that the processing of your action group is performed within a specific [geographic boundary](/global-infrastructure/geographies/#overview). |

-> There are restrictions when you use dimensions in an alert rule with multiple conditions. For more information, see [Restrictions when using dimensions in a metric alert rule with multiple conditions](alerts-troubleshoot-metric.md#restrictions-when-using-dimensions-in-a-metric-alert-rule-with-multiple-conditions).

-Azure Monitor now supports a [new metric alert type](./alerts-overview.md) which has significant benefits over the older [classic metric alerts](./alerts-classic.overview.md). Metrics are available for [large list of Azure services](../essentials/metrics-supported.md). The newer alerts support a (growing) subset of the resource types. This article lists that subset.

-You can also use newer metric alerts on popular log data stored in a Log Analytics workspace extracted as metrics. For more information, view [Metric Alerts for Logs](./alerts-metric-logs.md).

-## Portal, PowerShell, CLI, REST support

-Currently, you can create newer metric alerts only in the Azure portal, [REST API](/rest/api/monitor/metricalerts/), or [Resource Manager Templates](./alerts-metric-create-templates.md). Support for configuring newer alerts using PowerShell and Azure CLI versions 2.0 and higher is coming soon.

-## Metrics and Dimensions Supported

-Newer metric alerts support alerting for metrics that use dimensions. You can use dimensions to filter your metric to the right level. All supported metrics along with applicable dimensions can be explored and visualized from [Azure Monitor - Metrics Explorer](../essentials/metrics-charts.md).

-|Resource type |Dimensions Supported |Multi-resource alerts| Metrics Available|

-|Microsoft.ApiManagement/service | Yes | No | [API Management](../essentials/metrics-supported.md#microsoftapimanagementservice) |

-|Microsoft.App/containerApps | Yes | No | Container Apps |

-|Microsoft.AppConfiguration/configurationStores |Yes | No | [App Configuration](../essentials/metrics-supported.md#microsoftappconfigurationconfigurationstores) |

-|Microsoft.Automation/automationAccounts | Yes| No | [Automation Accounts](../essentials/metrics-supported.md#microsoftautomationautomationaccounts) |

-|Microsoft.Batch/batchAccounts | Yes | No | [Batch Accounts](../essentials/metrics-supported.md#microsoftbatchbatchaccounts) |

-|Microsoft.Bing/accounts | Yes | No | [Bing Accounts](../essentials/metrics-supported.md#microsoftbingaccounts) |

-|Microsoft.BotService/botServices | Yes | No | [Bot Services](../essentials/metrics-supported.md#microsoftbotservicebotservices) |

-|microsoft.Cdn/profiles | Yes | No | [CDN Profiles](../essentials/metrics-supported.md#microsoftcdnprofiles) |

-|Microsoft.ClassicCompute/domainNames/slots/roles | No | No | [Classic Cloud Services](../essentials/metrics-supported.md#microsoftclassiccomputedomainnamesslotsroles) |

-|Microsoft.ClassicCompute/virtualMachines | No | No | [Classic Virtual Machines](../essentials/metrics-supported.md#microsoftclassiccomputevirtualmachines) |

-|Microsoft.ClassicStorage/storageAccounts | Yes | No | [Storage Accounts (classic)](../essentials/metrics-supported.md#microsoftclassicstoragestorageaccounts) |

-|Microsoft.ClassicStorage/storageAccounts/blobServices | Yes | No | [Storage Accounts (classic) - Blobs](../essentials/metrics-supported.md#microsoftclassicstoragestorageaccountsblobservices) |

-|Microsoft.ClassicStorage/storageAccounts/fileServices | Yes | No | [Storage Accounts (classic) - Files](../essentials/metrics-supported.md#microsoftclassicstoragestorageaccountsfileservices) |

-|Microsoft.ClassicStorage/storageAccounts/queueServices | Yes | No | [Storage Accounts (classic) - Queues](../essentials/metrics-supported.md#microsoftclassicstoragestorageaccountsqueueservices) |

-|Microsoft.ClassicStorage/storageAccounts/tableServices | Yes | No | [Storage Accounts (classic) - Tables](../essentials/metrics-supported.md#microsoftclassicstoragestorageaccountstableservices) |

-|Microsoft.CognitiveServices/accounts | Yes | No | [Cognitive Services](../essentials/metrics-supported.md#microsoftcognitiveservicesaccounts) |

-|Microsoft.Compute/cloudServices | Yes | No | [Cloud Services](../essentials/metrics-supported.md#microsoftcomputecloudservices) |

-|Microsoft.Compute/cloudServices/roles | Yes | No | [Cloud Service Roles](../essentials/metrics-supported.md#microsoftcomputecloudservicesroles) |

-|Microsoft.Compute/virtualMachines | Yes | Yes<sup>1</sup> | [Virtual Machines](../essentials/metrics-supported.md#microsoftcomputevirtualmachines) |

-|Microsoft.Compute/virtualMachineScaleSets | Yes | No |[Virtual Machine Scale Sets](../essentials/metrics-supported.md#microsoftcomputevirtualmachinescalesets) |

-|Microsoft.ContainerInstance/containerGroups | Yes| No | [Container Groups](../essentials/metrics-supported.md#microsoftcontainerinstancecontainergroups) |

-|Microsoft.ContainerRegistry/registries | No | No | [Container Registries](../essentials/metrics-supported.md#microsoftcontainerregistryregistries) |

-|Microsoft.ContainerService/managedClusters | Yes | No | [Managed Clusters](../essentials/metrics-supported.md#microsoftcontainerservicemanagedclusters) |

-|Microsoft.DataBoxEdge/dataBoxEdgeDevices | Yes | Yes | [Data Box](../essentials/metrics-supported.md#microsoftdataboxedgedataboxedgedevices) |

-|Microsoft.DataFactory/datafactories| Yes| No | [Data Factories V1](../essentials/metrics-supported.md#microsoftdatafactorydatafactories) |

-|Microsoft.DataFactory/factories |Yes | No | [Data Factories V2](../essentials/metrics-supported.md#microsoftdatafactoryfactories) |

-|Microsoft.DataProtection/backupVaults | Yes | Yes | Backup Vaults |

-|Microsoft.DataShare/accounts | Yes | No | [Data Shares](../essentials/metrics-supported.md#microsoftdatashareaccounts) |

-|Microsoft.DBforMariaDB/servers | No | No | [DB for MariaDB](../essentials/metrics-supported.md#microsoftdbformariadbservers) |

-|Microsoft.DBforMySQL/servers | No | No |[DB for MySQL](../essentials/metrics-supported.md#microsoftdbformysqlservers)|

-|Microsoft.DBforPostgreSQL/flexibleServers | Yes | Yes | [DB for PostgreSQL (flexible servers)](../essentials/metrics-supported.md#microsoftdbforpostgresqlflexibleservers)|

-|Microsoft.DBforPostgreSQL/serverGroupsv2 | Yes | No | DB for PostgreSQL (hyperscale) |

-|Microsoft.DBforPostgreSQL/servers | No | No | [DB for PostgreSQL](../essentials/metrics-supported.md#microsoftdbforpostgresqlservers)|

-|Microsoft.DBforPostgreSQL/serversv2 | No | No | [DB for PostgreSQL V2](../essentials/metrics-supported.md#microsoftdbforpostgresqlserversv2)|

-|Microsoft.Devices/IotHubs | Yes | No |[IoT Hub](../essentials/metrics-supported.md#microsoftdevicesiothubs) |

-|Microsoft.Devices/provisioningServices| Yes | No | [Device Provisioning Services](../essentials/metrics-supported.md#microsoftdevicesprovisioningservices) |

-|Microsoft.DigitalTwins/digitalTwinsInstances | Yes | No | [Digital Twins](../essentials/metrics-supported.md#microsoftdigitaltwinsdigitaltwinsinstances) |

-|Microsoft.DocumentDB/databaseAccounts | Yes | No | [Cosmos DB](../essentials/metrics-supported.md#microsoftdocumentdbdatabaseaccounts) |

-|Microsoft.EventGrid/domains | Yes | No | [Event Grid Domains](../essentials/metrics-supported.md#microsofteventgriddomains) |

-|Microsoft.EventGrid/systemTopics | Yes | No | [Event Grid System Topics](../essentials/metrics-supported.md#microsofteventgridsystemtopics) |

-|Microsoft.EventGrid/topics |Yes | No | [Event Grid Topics](../essentials/metrics-supported.md#microsofteventgridtopics) |

-|Microsoft.EventHub/clusters |Yes| No | [Event Hubs Clusters](../essentials/metrics-supported.md#microsofteventhubclusters) |

-|Microsoft.EventHub/namespaces |Yes| No | [Event Hubs](../essentials/metrics-supported.md#microsofteventhubnamespaces) |

-|Microsoft.HDInsight/clusters | Yes | No | [HDInsight Clusters](../essentials/metrics-supported.md#microsofthdinsightclusters) |

-|Microsoft.KeyVault/vaults | Yes |Yes |[Vaults](../essentials/metrics-supported.md#microsoftkeyvaultvaults)|

-|Microsoft.Kusto/Clusters | Yes |No |[Data Explorer Clusters](../essentials/metrics-supported.md#microsoftkustoclusters)|

-|Microsoft.Logic/integrationServiceEnvironments | Yes | No |[Integration Service Environments](../essentials/metrics-supported.md#microsoftlogicintegrationserviceenvironments) |

-|Microsoft.Logic/workflows | No | No |[Logic Apps](../essentials/metrics-supported.md#microsoftlogicworkflows) |

-|Microsoft.MachineLearningServices/workspaces | Yes | No | [Machine Learning](../essentials/metrics-supported.md#microsoftmachinelearningservicesworkspaces) |

-|Microsoft.MachineLearningServices/workspaces/onlineEndpoints | Yes | No | Machine Learning - Endpoints |

-|Microsoft.MachineLearningServices/workspaces/onlineEndpoints/deployments | Yes | No | Machine Learning - Endpoint Deployments |

-|Microsoft.Maps/accounts | Yes | No | [Maps Accounts](../essentials/metrics-supported.md#microsoftmapsaccounts) |

-|Microsoft.Medi#microsoftmediamediaservices) |

-|Microsoft.Medi#microsoftmediamediaservicesstreamingendpoints) |

-|Microsoft.NetApp/netAppAccounts/capacityPools | Yes | Yes | [Azure NetApp Capacity Pools](../essentials/metrics-supported.md#microsoftnetappnetappaccountscapacitypools) |

-|Microsoft.NetApp/netAppAccounts/capacityPools/volumes | Yes | Yes | [Azure NetApp Volumes](../essentials/metrics-supported.md#microsoftnetappnetappaccountscapacitypoolsvolumes) |

-|Microsoft.Network/applicationGateways | Yes | No | [Application Gateways](../essentials/metrics-supported.md#microsoftnetworkapplicationgateways) |

-|Microsoft.Network/azurefirewalls | Yes | No | [Firewalls](../essentials/metrics-supported.md#microsoftnetworkazurefirewalls) |

-|Microsoft.Network/dnsZones | No | No | [DNS Zones](../essentials/metrics-supported.md#microsoftnetworkdnszones) |

-|Microsoft.Network/expressRouteCircuits | Yes | No |[ExpressRoute Circuits](../essentials/metrics-supported.md#microsoftnetworkexpressroutecircuits) |

-|Microsoft.Network/expressRouteGateways | Yes | No |[ExpressRoute Gateways](../essentials/metrics-supported.md#microsoftnetworkexpressroutegateways) |

-|Microsoft.Network/expressRoutePorts | Yes | No |[ExpressRoute Direct](../essentials/metrics-supported.md#microsoftnetworkexpressrouteports) |

-|Microsoft.Network/loadBalancers (only for Standard SKUs)| Yes| No | [Load Balancers](../essentials/metrics-supported.md#microsoftnetworkloadbalancers) |

-|Microsoft.Network/natGateways| No | No | [NAT Gateways](../essentials/metrics-supported.md#microsoftnetworknatgateways) |

-|Microsoft.Network/privateEndpoints| No | No | [Private Endpoints](../essentials/metrics-supported.md#microsoftnetworkprivateendpoints) |

-|Microsoft.Network/privateLinkServices| No | No | [Private Link Services](../essentials/metrics-supported.md#microsoftnetworkprivatelinkservices) |

-|Microsoft.Network/publicipaddresses | No | No | [Public IP Addresses](../essentials/metrics-supported.md#microsoftnetworkpublicipaddresses)|

-|Microsoft.Network/trafficManagerProfiles | Yes | No | [Traffic Manager Profiles](../essentials/metrics-supported.md#microsoftnetworktrafficmanagerprofiles) |

-|Microsoft.Peering/peerings | Yes | No | [Peerings](../essentials/metrics-supported.md#microsoftpeeringpeerings) |

-|Microsoft.Peering/peeringServices | Yes | No | [Peering Services](../essentials/metrics-supported.md#microsoftpeeringpeeringservices) |

-|Microsoft.PowerBIDedicated/capacities | No | No | [Capacities](../essentials/metrics-supported.md#microsoftpowerbidedicatedcapacities) |

-|Microsoft.Purview/accounts | Yes | No | [Purview Accounts](../essentials/metrics-supported.md#microsoftpurviewaccounts) |

-|Microsoft.ServiceBus/namespaces | Yes | No | [Service Bus](../essentials/metrics-supported.md#microsoftservicebusnamespaces) |

-|Microsoft.SignalRService/WebPubSub | Yes | No | [Web PubSub Service](../essentials/metrics-supported.md#microsoftsignalrservicewebpubsub) |

-|Microsoft.Sql/managedInstances | No | No | [SQL Managed Instances](../essentials/metrics-supported.md#microsoftsqlmanagedinstances) |

-|Microsoft.Sql/servers/databases | No | Yes | [SQL Databases](../essentials/metrics-supported.md#microsoftsqlserversdatabases) |

-|Microsoft.Sql/servers/elasticPools | No | Yes | [SQL Elastic Pools](../essentials/metrics-supported.md#microsoftsqlserverselasticpools) |

-|Microsoft.Storage/storageAccounts |Yes | No | [Storage Accounts](../essentials/metrics-supported.md#microsoftstoragestorageaccounts)|

-|Microsoft.Storage/storageAccounts/blobServices | Yes| No | [Storage Accounts - Blobs](../essentials/metrics-supported.md#microsoftstoragestorageaccountsblobservices) |

-|Microsoft.Storage/storageAccounts/fileServices | Yes| No | [Storage Accounts - Files](../essentials/metrics-supported.md#microsoftstoragestorageaccountsfileservices) |

-|Microsoft.Storage/storageAccounts/queueServices | Yes| No | [Storage Accounts - Queues](../essentials/metrics-supported.md#microsoftstoragestorageaccountsqueueservices) |

-|Microsoft.Storage/storageAccounts/tableServices | Yes| No | [Storage Accounts - Tables](../essentials/metrics-supported.md#microsoftstoragestorageaccountstableservices) |

-|Microsoft.StorageCache/caches | Yes | No | [HPC Caches](../essentials/metrics-supported.md#microsoftstoragecachecaches) |

-|Microsoft.StorageSync/storageSyncServices | Yes | No | [Storage Sync Services](../essentials/metrics-supported.md#microsoftstoragesyncstoragesyncservices) |

-|Microsoft.StreamAnalytics/streamingjobs | Yes | No | [Stream Analytics](../essentials/metrics-supported.md#microsoftstreamanalyticsstreamingjobs) |

-|Microsoft.Synapse/workspaces | Yes | No | [Synapse Analytics](../essentials/metrics-supported.md#microsoftsynapseworkspaces) |

-|Microsoft.Synapse/workspaces/bigDataPools | Yes | No | [Synapse Analytics Apache Spark Pools](../essentials/metrics-supported.md#microsoftsynapseworkspacesbigdatapools) |

-|Microsoft.Synapse/workspaces/sqlPools | Yes | No | [Synapse Analytics SQL Pools](../essentials/metrics-supported.md#microsoftsynapseworkspacessqlpools) |

-|Microsoft.VMWareCloudSimple/virtualMachines | Yes | No | [CloudSimple Virtual Machines](../essentials/metrics-supported.md#microsoftvmwarecloudsimplevirtualmachines) |

-|Microsoft.Web/containerApps | Yes | No | Container Apps |

-|Microsoft.Web/hostingEnvironments/multiRolePools | Yes | No | [App Service Environment Multi-Role Pools](../essentials/metrics-supported.md#microsoftwebhostingenvironmentsmultirolepools)|

-|Microsoft.Web/hostingEnvironments/workerPools | Yes | No | [App Service Environment Worker Pools](../essentials/metrics-supported.md#microsoftwebhostingenvironmentsworkerpools)|

-|Microsoft.Web/serverfarms | Yes | No | [App Service Plans](../essentials/metrics-supported.md#microsoftwebserverfarms)|

-|Microsoft.Web/sites | Yes | No | [App Services and Functions](../essentials/metrics-supported.md#microsoftwebsites)|

-|Microsoft.Web/sites/slots | Yes | No | [App Service slots](../essentials/metrics-supported.md#microsoftwebsitesslots)|

-<sup>1</sup> Not supported for virtual machine network metrics (Network In Total, Network Out Total, Inbound Flows, Outbound Flows, Inbound Flows Maximum Creation Rate, Outbound Flows Maximum Creation Rate) and custom metrics.

-> You can also use the [common alert schema](./alerts-common-schema.md), which provides the advantage of having a single extensible and unified alert payload across all the alert services in Azure Monitor, for your webhook integrations. [Learn about the common alert schema definitions.](./alerts-common-schema-definitions.md)ΓÇï

-* Learn more about the new [Alerts experience](./alerts-overview.md).

-# Frequently asked questions about Azure Monitor metric alerts

-## Metric alert should have fired but didn't

-If you believe a metric alert should have fired but it didnΓÇÖt fire and isn't found in the Azure portal, try the following steps:

-1. **Configuration** - Review the metric alert rule configuration to make sure itΓÇÖs properly configured:

- - Check that the **Aggregation type** and **Aggregation granularity (period)** are configured as expected. **Aggregation type** determines how metric values are aggregated (learn more [here](../essentials/metrics-aggregation-explained.md#aggregation-types)), and **Aggregation granularity (period)** controls how far back the evaluation aggregates the metric values each time the alert rule runs.

- - Check that the **Threshold value** or **Sensitivity** are configured as expected.

- - For an alert rule that uses Dynamic Thresholds, check if advanced settings are configured, as **Number of violations** may filter alerts and **Ignore data before** can impact how the thresholds are calculated.

- > [!NOTE]

- > Dynamic Thresholds require at least 3 days and 30 metric samples before becoming active.

-2. **Fired but no notification** - Review the [fired alerts list](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/alertsV2) to see if you can locate the fired alert. If you can see the alert in the list, but have an issue with some of its actions or notifications, see more information [here](./alerts-troubleshoot.md#action-or-notification-on-my-alert-did-not-work-as-expected).

-3. **Already active** - Check if thereΓÇÖs already a fired alert on the metric time series you expected to get an alert for. Metric alerts are stateful, meaning that once an alert is fired on a specific metric time series, additional alerts on that time series will not be fired until the issue is no longer observed. This design choice reduces noise. The alert is resolved automatically when the alert condition is not met for three consecutive evaluations.

-4. **Dimensions used** - If you've selected some [dimension values for a metric](./alerts-metric-overview.md#using-dimensions), the alert rule monitors each individual metric time series (as defined by the combination of dimension values) for a threshold breach. To also monitor the aggregate metric time series (without any dimensions selected), configure an additional alert rule on the metric without selecting dimensions.

-5. **Aggregation and time granularity** - If you're visualizing the metric using [metrics charts](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/metrics), ensure that:

- * The selected **Aggregation** in the metric chart is the same as **Aggregation type** in your alert rule

- * The selected **Time granularity** is the same as the **Aggregation granularity (period)** in your alert rule (and not set to 'Automatic')

-1. Review the [fired alerts list](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/alertsV2) to locate the fired alert, and click to view its details. Review the information provided under **Why did this alert fire?** to see the metric chart, **Metric Value**, and **Threshold value** at the time when the alert was triggered.

- > [!NOTE]

- > If you're using a Dynamic Thresholds condition type and think that the thresholds used were not correct, please provide feedback using the frown icon. This feedback will impact the machine learning algorithmic research and help improve future detections.

-2. If you've selected multiple dimension values for a metric, the alert will be triggered when **any** of the metric time series (as defined by the combination of dimension values) breaches the threshold. For more information about using dimensions in metric alerts, see [here](./alerts-metric-overview.md#using-dimensions).

-3. Review the alert rule configuration to make sure itΓÇÖs properly configured:

- - Check that the **Aggregation type**, **Aggregation granularity (period)**, and **Threshold value** or **Sensitivity** are configured as expected

- - For an alert rule that uses Dynamic Thresholds, check if advanced settings are configured, as **Number of violations** may filter alerts and **Ignore data before** can impact how the thresholds are calculated

- > Dynamic Thresholds require at least 3 days and 30 metric samples before becoming active.

-4. If you're visualizing the metric using [Metrics chart](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/metrics), ensure that:

- - The selected **Aggregation** in the metric chart is the same as **Aggregation type** in your alert rule

- - The selected **Time granularity** is the same as the **Aggregation granularity (period)** in your alert rule (and not set to 'Automatic')

-5. If the alert fired while there are already fired alerts that monitor the same criteria (that arenΓÇÖt resolved), check if the alert rule has been configured not to automatically resolve alerts. Such configuration causes the alert rule to become stateless, meaning that the alert rule does not auto-resolve fired alerts, and does not require a fired alert to be resolved before firing again on the same time-series.

- You can check if the alert rule is configured not to auto-resolve in one of the following ways:

- - By editing the alert rule in the Azure portal, and reviewing if the 'Automatically resolve alerts' checkbox is unchecked (available under the 'Alert rule details' section).

- - By reviewing the script used to deploy the alert rule, or by retrieving the alert rule definition, and checking if the *autoMitigate* property is set to **false**.

-## Can't find the metric to alert on - virtual machines guest metrics

-To alert on guest operating system metrics of virtual machines (for example: memory, disk space), ensure you've installed the required agent to collect this data to Azure Monitor Metrics:

-For more information about collecting data from the guest operating system of a virtual machine, see [here](../vm/monitor-vm-azure.md#guest-operating-system).

-> [!NOTE]

-> If you configured guest metrics to be sent to a Log Analytics workspace, the metrics appear under the Log Analytics workspace resource and will start showing data **only** after creating an alert rule that monitors them. To do so, follow the steps to [configure a metric alert for logs](./alerts-metric-logs.md#configuring-metric-alert-for-logs).

-> [!NOTE]

-> Monitoring a guest metric for multiple virtual machines with a single alert rule isn't supported by metric alerts currently. You can achieve this with a [log alert rule](./alerts-unified-log.md). To do so, make sure the guest metrics are collected to a Log Analytics workspace, and create a log alert rule on the workspace.

-## CanΓÇÖt find the metric to alert on

-If youΓÇÖre looking to alert on a specific metric but canΓÇÖt see it when creating an alert rule, check the following:

-## CanΓÇÖt find the metric dimension to alert on

-If you're looking to alert on [specific dimension values of a metric](./alerts-metric-overview.md#using-dimensions), but cannot find these values, note the following:

-1. It might take a few minutes for the dimension values to appear under the **Dimension values** list

-2. The displayed dimension values are based on metric data collected in the last day

-3. If the dimension value isnΓÇÖt yet emitted or isn't shown, you can use the 'Add custom value' option to add a custom dimension value

-4. If youΓÇÖd like to alert on all possible values of a dimension (including future values), choose the 'Select all current and future values' option

-5. Custom metrics dimensions of Application Insights resources are turned off by default. To turn on the collection of dimensions for these custom metrics, see [here](../app/pre-aggregated-metrics-log-metrics.md#custom-metrics-dimensions-and-pre-aggregation).

-## Metric alert rules still defined on a deleted resource

-When deleting an Azure resource, associated metric alert rules aren't deleted automatically. To delete alert rules associated with a resource that has been deleted:

-1. Open the resource group in which the deleted resource was defined

-1. In the list displaying the resources, check the **Show hidden types** checkbox

-1. Filter the list by Type == **microsoft.insights/metricalerts**

-1. Select the relevant alert rules and select **Delete**

-Metric alerts are stateful by default, and therefore additional alerts are not fired if thereΓÇÖs already a fired alert on a given time series. If you wish to make a specific metric alert rule stateless, and get alerted on every evaluation<sup>1</sup> in which the alert condition is met, follow one of these options:

-<sup>1</sup> For stateless metric alert rules, an alert will trigger once every 10 minutes at a minimum, even if the frequency of evaluation is equal or less than 5 minutes and the condition is still being met.

-> [!NOTE]

-> Making a metric alert rule stateless prevents fired alerts from becoming resolved, so even after the condition isnΓÇÖt met anymore, the fired alerts will remain in a fired state until the 30 days retention period.

-When creating a metric alert rule, the metric name is validated against the [Metric Definitions API](/rest/api/monitor/metricdefinitions/list) to make sure it exists. In some cases, you'd like to create an alert rule on a custom metric even before itΓÇÖs emitted. For example, when creating (using a Resource Manager template) an Application Insights resource that will emit a custom metric, along with an alert rule that monitors that metric.

-To avoid having the deployment fail when trying to validate the custom metricΓÇÖs definitions, you can use the *skipMetricValidation* parameter in the criteria section of the alert rule, which will cause the metric validation to be skipped. See the example below for how to use this parameter in a Resource Manager template. For more information, see the [complete Resource Manager template samples for creating metric alert rules](./alerts-metric-create-templates.md).

-> [!NOTE]

-> Using the *skipMetricValidation* parameter might also be required when defining an alert rule on an existing custom metric that hasn't been emitted in several days.

-These are the currently support regions for regional processing of metric alert rules:

-To enable regional data processing in one of these regions, select the specified region in the **Details** section of the [create a new alert rule wizard](./alerts-create-new-alert-rule.md).

-

-> We are continually adding more regions for regional data processing.

-## Export the Azure Resource Manager template of a metric alert rule via the Azure portal

-Exporting the Resource Manager template of a metric alert rule helps you understand its JSON syntax and properties, and can be used to automate future deployments.

-2. Click **Properties**.

-3. Under **Automation**, select **Export template**.

-If you've reached the quota limit, the following steps may help resolve the issue:

-1. Try deleting or disabling metric alert rules that arenΓÇÖt used anymore.

-2. Switch to using metric alert rules that monitor multiple resources. With this capability, a single alert rule can monitor multiple resources using only one alert rule counted against the quota. For more information about this capability and the supported resource types, see [here](./alerts-metric-overview.md#monitoring-at-scale-using-metric-alerts-in-azure-monitor).

-3. If you need the quota limit to be increased, open a support request, and provide the following information:

- - Subscription Id(s) for which the quota limit needs to be increased

- - Resource type for the quota increase: **Metric alerts** or **Metric alerts (Classic)**

- - Requested quota limit

-## Check total number of metric alert rules

-To check the current usage of metric alert rules, follow the steps below.

-1. Open the **Alerts** screen, and click **Manage alert rules**

-2. Filter to the relevant subscription, by using the **Subscription** dropdown control

-3. Make sure NOT to filter to a specific resource group, resource type, or resource

-4. In the **Signal type** dropdown control, select **Metrics**

-5. Verify that the **Status** dropdown control is set to **Enabled**

-6. The total number of metric alert rules are displayed above the alert rules list

-## Managing alert rules using Resource Manager templates, REST API, Azure PowerShell, or the Azure CLI

-If you're running into issues creating, updating, retrieving, or deleting metric alerts using Resource Manager templates, REST API, PowerShell, or the Azure CLI, the following steps may help resolve the issue.

-Review the [REST API guide](/rest/api/monitor/metricalerts/) to verify you're passing the all the parameters correctly

-Make sure that you're using the right CLI commands for metric alerts:

- - For a platform metric: Make sure that you're using the **Metric** name from [the Azure Monitor supported metrics page](../essentials/metrics-supported.md), and not the **Metric Display Name**

- - For a custom metric: Make sure that the metric is already being emitted (you cannot create an alert rule on a custom metric that doesn't yet exist), and that you're providing the custom metric's namespace (see a Resource Manager template example [here](./alerts-metric-create-templates.md#template-for-a-static-threshold-metric-alert-that-monitors-a-custom-metric))

- - You can only select one value per dimension within each criterion

- - You cannot use "\*" as a dimension value

- - When metrics that are configured in different criterions support the same dimension, then a configured dimension value must be explicitly set in the same way for all of those metrics (see a Resource Manager template example [here](./alerts-metric-create-templates.md#template-for-a-static-threshold-metric-alert-that-monitors-multiple-criteria))

-To create a metric alert rule, youΓÇÖll need to have the following permissions:

-Therefore, to create a metric alert rule, all involved subscriptions must be registered to this resource provider:

-> [!NOTE]

-> If the alert rule name contains characters that aren't alphabetic or numeric (for example: spaces, punctuation marks or symbols), these characters may be URL-encoded when retrieved by certain clients.

-## Restrictions when using dimensions in a metric alert rule with multiple conditions

-Metric alerts support alerting on multi-dimensional metrics as well as support defining multiple conditions (up to 5 conditions per alert rule).

-Consider the following constraints when using dimensions in an alert rule that contains multiple conditions:

- - Consider a metric alert rule that is defined on a storage account and monitors two conditions:

- - I'd like to update the first condition, and only monitor transactions where the **ApiName** dimension equals *"GetBlob"*

- - Because both the **Transactions** and **SuccessE2ELatency** metrics support an **ApiName** dimension, I'll need to update both conditions, and have both of them specify the **ApiName** dimension with a *"GetBlob"* value.

-## Setting the alert rule's Period and Frequency

-We recommend choosing an *Aggregation granularity (Period)* that is larger than the *Frequency of evaluation*, to reduce the likelihood of missing the first evaluation of added time series in the following cases:

-If the behavior of a metric changed recently, the changes won't necessarily become reflected in the Dynamic Threshold borders (upper and lower bounds) immediately, as those are calculated based on metric data from the last 10 days. When viewing the Dynamic Threshold borders for a given metric, make sure to look at the metric trend in the last week, and not only for recent hours or days.

-To identify weekly seasonality, the Dynamic Thresholds model requires at least three weeks of historical data. Once enough historical data is available, any weekly seasonality that exists in the metric data will be identified and the model would be adjusted accordingly.

-When a metric exhibits large fluctuation, Dynamic Thresholds will build a wider model around the metric values, which can result in the lower border being below zero. Specifically, this can happen in the following cases:

-1. The sensitivity is set to low

-2. The median values are close to zero

-3. The metric exhibits an irregular behavior with high variance (there are spikes or dips in the data)

-When the lower bound has a negative value, this means that it's plausible for the metric to reach a zero value given the metric's irregular behavior. You may consider choosing a higher sensitivity or a larger *Aggregation granularity (Period)* to make the model less sensitive, or using the *Ignore data before* option to exclude a recent irregularity from the historical data used to build the model.

-1. Threshold sensitivity - Set the sensitivity to *Low* in order to be more tolerant for deviations.

-2. Number of violations (under *Advanced settings*) - Configure the alert rule to trigger only if a number of deviations occur within a certain period of time. This will make the rule less susceptible to transient deviations.

-Sometimes, an alert rule won't trigger even when a high sensitivity is configured. This usually happens when the metric's distribution is highly irregular.

-* Move to monitoring a complementary metric that's suitable for your scenario (if applicable). For example, check for changes in success rate, rather than failure rate.

-* Try selecting a different aggregation granularity (period).

-* Check if there was a drastic change in the metric behavior in the last 10 days (an outage). An abrupt change can impact the upper and lower thresholds calculated for the metric and make them broader. Wait for a few days until the outage is no longer taken into the thresholds calculation, or use the *Ignore data before* option (under *Advanced settings*).

-* If your data has weekly seasonality, but not enough history is available for the metric, the calculated thresholds can result in having broad upper and lower bounds. For example, the calculation can treat weekdays and weekends in the same way, and build wide borders that don't always fit the data. This should resolve itself once enough metric history is available, at which point the correct seasonality will be detected and the calculated thresholds will update accordingly.

-## When configuring an alert rule's condition, why is Dynamic threshold disabled?

-While dynamic thresholds are supported for the vast majority of metrics, there are some metrics that can't use dynamic thresholds.

-The table below lists the metrics that aren't supported by dynamic thresholds.

-| Resource Type | Metric Name |

-Insert a few lines of code in your application to find out what users are doing with it, or to help diagnose issues. You can send telemetry from device and desktop apps, web clients, and web servers. Use the [Application Insights](./app-insights-overview.md) core telemetry API to send custom events and metrics and your own versions of standard telemetry. This API is the same API that the standard Application Insights data collectors use.

-If you'd like to follow along with the guidance in this article, certain pre-requisites are needed.

-* Visual Studio Workloads: ASP.NET and web development, Data storage and processing, and Azure development

-* Deploy the [completed sample application (`2 - Completed Application`)](./tutorial-asp-net-core.md) or an existing ASP.NET Core application with the [Application Insights for ASP.NET Core](https://nuget.org/packages/Microsoft.ApplicationInsights.AspNetCore) NuGet package installed and [configured to gather server-side telemetry](asp-net-core.md#enable-application-insights-server-side-telemetry-visual-studio).

-The Application Insights .NET and .NET Core SDKs have two different methods of collecting custom metrics, `TrackMetric()`, and `GetMetric()`. The key difference between these two methods is local aggregation. `TrackMetric()` lacks pre-aggregation while `GetMetric()` has pre-aggregation. The recommended approach is to use aggregation, therefore, `TrackMetric()` is no longer the preferred method of collecting custom metrics. This article will walk you through using the GetMetric() method, and some of the rationale behind how it works.

-`TrackMetric()` sends raw telemetry denoting a metric. It's inefficient to send a single telemetry item for each value. `TrackMetric()` is also inefficient in terms of performance since every `TrackMetric(item)` goes through the full SDK pipeline of telemetry initializers and processors. Unlike `TrackMetric()`, `GetMetric()` handles local pre-aggregation for you and then only submits an aggregated summary metric at a fixed interval of one minute. So if you need to closely monitor some custom metric at the second or even millisecond level you can do so while only incurring the storage and network traffic cost of only monitoring every minute. This behavior also greatly reduces the risk of throttling occurring since the total number of telemetry items that need to be sent for an aggregated metric are greatly reduced.

-In Application Insights, custom metrics collected via `TrackMetric()` and `GetMetric()` aren't subject to [sampling](./sampling.md). Sampling important metrics can lead to scenarios where alerting you may have built around those metrics could become unreliable. By never sampling your custom metrics, you can generally be confident that when your alert thresholds are breached, an alert will fire. But since custom metrics aren't sampled, there are some potential concerns.

-Trend tracking in a metric every second, or at an even more granular interval can result in:

-Throttling is a concern as it can lead to missed alerts. The condition to trigger an alert could occur locally and then be dropped at the ingestion endpoint due to too much data being sent. We don't recommend using `TrackMetric()` for .NET and .NET Core unless you've implemented your own local aggregation logic. If you're trying to track every instance an event occurs over a given time period, you may find that [`TrackEvent()`](./api-custom-events-metrics.md#trackevent) is a better fit. Though keep in mind that unlike custom metrics, custom events are subject to sampling. You can still use `TrackMetric()` even without writing your own local pre-aggregation, but if you do so be aware of the pitfalls.

-In summary `GetMetric()` is the recommended approach since it does pre-aggregation, it accumulates values from all the Track() calls and sends a summary/aggregate once every minute. `GetMetric()` can significantly reduce the cost and performance overhead by sending fewer data points, while still collecting all relevant information.

-Application Insights can chart metrics that aren't attached to particular events. For example, you could monitor a queue length at regular intervals. With metrics, the individual measurements are of less interest than the variations and trends, and so statistical charts are useful.

-To send metrics to Application Insights, you can use the `TrackMetric(..)` API. We'll cover the recommended way to send a metric:

-* **Aggregation**. When you work with metrics, every single measurement is rarely of interest. Instead, a summary of what happened during a particular time period is important. Such a summary is called _aggregation_.

- For example, the aggregate metric sum for that time period is `1` and the count of the metric values is `2`. When you use the aggregation approach, you invoke `TrackMetric` only once per time period and send the aggregate values. We recommend this approach because it can significantly reduce the cost and performance overhead by sending fewer data points to Application Insights, while still collecting all relevant information.

-3. Immediately following the previous code, insert the following to add a custom metric.

-4. Right-click the **AzureCafe** project in Solution Explorer and select **Publish** from the context menu.

- 

-5. Select **Publish** to promote the new code to the Azure App Service.

- 

-6. Once the publish has succeeded, a new browser window opens to the Azure Cafe web application.

- 

-7. Perform various activities in the web application to generate some telemetry.

- 1. Select **Details** next to a Cafe to view its menu and reviews.

- 

- 2. On the Cafe screen, select the **Reviews** tab to view and add reviews. Select the **Add review** button to add a review.

- 

- 3. On the Create a review dialog, enter a name, rating, comments, and upload a photo for the review. Once completed, select **Add review**.

- 

- 4. Repeat adding reviews as desired to generate more telemetry.

-1. Go to the **Application Insights** resource in the [Azure portal](https://portal.azure.com).

- :::image type="content" source="media/tutorial-asp-net-custom-metrics/application-insights-resource-group.png" alt-text="First screenshot of a resource group with the Application Insights resource highlighted." lightbox="media/tutorial-asp-net-custom-metrics/application-insights-resource-group.png":::

-2. From the left menu of the Application Insights resource, select **Logs** from beneath the **Monitoring** section. In the **Tables** pane, double-click on the **customMetrics** table, located under the **Application Insights** tree. Modify the query to retrieve metrics for the **ReviewPerformed** custom named metric as follows, then select **Run** to filter the results.

-3. Observe the results display the rating value present in the Review.

-As referenced before, `GetMetric(..)` is the preferred method for sending metrics. In order to make use of this method, we'll be performing some changes to the existing code.

-> GetMetric does not support tracking the last value (i.e. "gauge") or tracking histograms/distributions.

-2. Locate the `CreateReview` method and the code added in the previous [TrackMetric example](#trackmetric-example).

-3. Replace the previously added code in _Step 3_ with the following one.

- 

-5. Select **Publish** to promote the new code to the Azure App Service.

- 

-6. Once the publish has succeeded, a new browser window opens to the Azure Cafe web application.

- 

-7. Perform various activities in the web application to generate some telemetry.

- 1. Select **Details** next to a Cafe to view its menu and reviews.

- 

- 2. On the Cafe screen, select the **Reviews** tab to view and add reviews. Select the **Add review** button to add a review.

- 

- 3. On the Create a review dialog, enter a name, rating, comments, and upload a photo for the review. Once completed, select **Add review**.

- 

- 4. Repeat adding reviews as desired to generate more telemetry.

-1. Go to the **Application Insights** resource in the [Azure portal](https://portal.azure.com).

- 

-2. From the left menu of the Application Insights resource, select **Logs** from beneath the **Monitoring** section. In the **Tables** pane, double-click on the **customMetrics** table, located under the **Application Insights** tree. Modify the query to retrieve metrics for the **ReviewPerformed** custom named metric as follows, then select **Run** to filter the results.

-3. Observe the results display the rating value present in the Review and the aggregated values.

-By default multi-dimensional metrics within the Metric explorer experience aren't turned on in Application Insights resources.

-To enable multi-dimensional metrics for an Application Insights resource, Select **Usage and estimated costs** > **Custom Metrics** > **Send custom metrics to Azure Metric Store (With dimensions)** > **OK**.

-Once you have made that change and send new multi-dimensional telemetry, you'll be able to **Apply splitting**.

-> Only newly sent metrics after the feature was turned on in the portal will have dimensions stored.

-3. Replace the previously added code in _Step 3_ with the following one.

-4. Still in the `CreateReview` method, change to code to match the following one.

-5. Right-click the **AzureCafe** project in Solution Explorer and select **Publish** from the context menu.

- 

-6. Select **Publish** to promote the new code to the Azure App Service.

- 

-7. Once the publish has succeeded, a new browser window opens to the Azure Cafe web application.

- 

-8. Perform various activities in the web application to generate some telemetry.

- 1. Select **Details** next to a Cafe to view its menu and reviews.

- 

- 2. On the Cafe screen, select the **Reviews** tab to view and add reviews. Select the **Add review** button to add a review.

- 

- 3. On the Create a review dialog, enter a name, rating, comments, and upload a photo for the review. Once completed, select **Add review**.

- 

- 4. Repeat adding reviews as desired to generate more telemetry.

-1. Go to the **Application Insights** resource in the [Azure portal](https://portal.azure.com).

- 

-2. From the left menu of the Application Insights resource, select **Logs** from beneath the **Monitoring** section. In the **Tables** pane, double-click on the **customMetrics** table, located under the **Application Insights** tree. Modify the query to retrieve metrics for the **ReviewPerformed** custom named metric as follows, then select **Run** to filter the results.

-3. Observe the results display the rating value present in the Review and the aggregated values.

-4. In order to better observe the **IncludesPhoto** dimension, we can extract it into a separate variable (column) by using the following query.

-5. Since we reused the same custom metric name has before, results with and without the custom dimension will be displayed. In order to avoid that, we'll update the query to match the following one.

-1. Go to the **Application Insights** resource in the [Azure portal](https://portal.azure.com).

- 

-2. From the left menu of the Application Insights resource, select **Metrics** from beneath the **Monitoring** section.

-3. For **Metric Namespace**, select **azure.applicationinsights**.

- 

-4. For **Metric**, select **ReviewPerformed**.

- 

-5. However, you'll notice that you aren't able to split the metric by your new custom dimension, or view your custom dimension with the metrics view. Select **Apply Splitting**.

- 

-6. For the custom dimension **Values** to use, select **IncludesPhoto**.

- 

-* Ensure that youΓÇÖre using the proper mount instructions for the volume. See [Mount a volume for Windows or Linux VMs](azure-netapp-files-mount-unmount-volumes-for-virtual-machines.md).

- * If you want to enable Active Directory LDAP users and extended groups (up to 1024 groups) to access the volume, select the **LDAP** option. Follow instructions in [Configure ADDS LDAP with extended groups for NFS volume access](configure-ldap-extended-groups.md) to complete the required configurations.

-4. Click **Review + Create** to review the volume details. Then click **Create** to create the volume.

-* [Enable Active Directory Domain Services (ADDS) LDAP authentication for NFS volumes](configure-ldap-over-tls.md)

-* [Configure ADDS LDAP with extended groups for NFS volume access](configure-ldap-extended-groups.md)

-A dashboard in the Azure portal is a focused and organized view of your cloud resources. This quickstart focuses on the process of deploying an Azure Resource Manager template (ARM template) to create a dashboard. The dashboard shows the performance of a virtual machine (VM), as well as some static information and links.

-## Create a virtual machine

-The dashboard you create in the next part of this quickstart requires an existing VM. Create a VM by following these steps.

-1. In the Azure portal, select **Cloud Shell** from the global controls at the top of the page.

- :::image type="content" source="media/quick-create-template/cloud-shell.png" alt-text="Screenshot showing the Cloud Shell option in the Azure portal.":::

-1. In the **Cloud Shell** window, select **PowerShell**.

- :::image type="content" source="media/quick-create-template/powershell.png" alt-text="Screenshot showing the PowerShell option in Cloud Shell.":::

-1. Copy the following command and enter it at the command prompt to create a resource group.

- ```powershell

- New-AzResourceGroup -Name SimpleWinVmResourceGroup -Location EastUS

- ```

-1. Next, copy the following command and enter it at the command prompt to create a VM in your new resource group.

- ```powershell

- New-AzVm `

- -ResourceGroupName "SimpleWinVmResourceGroup" `

- -Name "myVM1" `

- -Location "East US"

- ```

-1. Enter a username and password for the VM. This is a new user name and password; it's not, for example, the account you use to sign in to Azure. For more information, see [username requirements](../virtual-machines/windows/faq.yml#what-are-the-username-requirements-when-creating-a-vm-) and [password requirements](../virtual-machines/windows/faq.yml#what-are-the-password-requirements-when-creating-a-vm-).

-| Ukrainian | `uk-UA` | | | | Γ£ö | |

-| Vietnamese | `vi-VN` | | | | Γ£ö | |

-* portal - the portal column lists supported languages for the [web portal](https://aka.ms/vi-portal-link)

-* widgets - the [widgets](video-indexer-embed-widgets.md) column lists supported languages for translating the index file

-| **Language** | **Code** | **Portal** | **Widgets** |

-| Ukrainian | `uk-UA` | |Γ£ö |

-| Vietnamese | `vi-VN` | | Γ£ö |

-[Overview](video-indexer-overview.md)

-|`sort` | Strings separated by comma | Allows you to control the sorting of an insight.<br/>Each sort consist of 3 values: widget name, property and order, connected with '_' `sort=name_property_order`<br/>Available options:<br/>widgets: keywords, audioEffects, labels, sentiments, emotions, keyframes, scenes, namedEntities and spokenLanguage.<br/>property: startTime, endTime, seenDuration, name and id.<br/>order: asc and desc.<br/>Example: `https://www.videoindexer.ai/embed/insights/<accountId>/<videoId>/?sort=labels_id_asc,keywords_name_desc` renders the labels sorted by id in ascending order and keywords sorted by name in descending order.|

-[Disable Internet access or enable a default route](disable-internet-access.md)

-## UserErrorSSLDisabled

-SSL needs to be enabled for connections to the server.

-When you add a UDR, define the route for each related Batch IP address prefix, and set **Next hop type** to **Internet**.

-> Batch service IP addresses can change over time. To prevent outages due to an IP address change, create a process to refresh Batch service IP addresses automatically and keep them up to date in your route table.

-## Isolation security

-For the purposes of isolation, if your scenario requires isolating jobs from each other, do so by having them in separate pools. A pool is the security isolation boundary in Batch, and by default, two pools are not visible or able to communicate with each other. Avoid using separate Batch accounts as a means of isolation.

-When provisioning [Batch pools in a virtual network](batch-virtual-network.md), ensure that you are closely following the guidelines regarding the use of the `BatchNodeManagement` service tag, ports, protocols and direction of the rule. Use of the service tag is highly recommended, rather than using the underlying Batch service IP addresses. This is because the IP addresses can change over time. Using Batch service IP addresses directly can cause instability, interruptions, or outages for your Batch pools.

-For User Defined Routes (UDRs), ensure that you have a process in place to update Batch service IP addresses periodically in your route table, since these addresses change over time. To learn how to obtain the list of Batch service IP addresses, see [Service tags on-premises](../virtual-network/service-tags-overview.md). The Batch service IP addresses will be associated with the `BatchNodeManagement` service tag (or the regional variant that matches your Batch account region).

-You can use the following method to upload the SAP components to your Azure account using scripts. Then, you can [run the software installation wizard](#install-software) to install the SAP software.

-### Download supporting software

-After setting up your Azure Storage account, you need an Ubuntu VM to run scripts that download the software components.

-1. Download the following shell script for the deployer VM packages.

- ```azurecli

- wget "https://raw.githubusercontent.com/Azure/Azure-Center-for-SAP-solutions-preview/main/DownloadDeployerVMPackages.sh" -O "DownloadDeployerVMPackages.sh"

-1. Update the shell script's file permissions.

- ```azurecli

- chmod +x DownloadDeployerVMPackages.sh

-1. Run the shell script.

- ```azurecli

- ./DownloadDeployerVMPackages.sh

-1. When asked if you have a storage account, enter `Y`.

-1. When asked for the base path to the software storage account, enter the container path. To find the container path:

- 1. Find the storage account that you created in the Azure portal.

- 1. Find the container named `sapbits`.

- 1. On the container's sidebar menu, select **Properties** under **Settings**.

- 1. Copy down the **URL** value. The format is `https://<your-storage-account>.blob.core.windows.net/sapbits`.

-1. In the Azure CLI, when asked for the access key, enter your storage account's key. To find the storage account's key:

- 1. Find the storage account in the Azure portal.

-1. Once the script completes successfully, in the Azure portal, find the container named `sapbits` in the storage account that you created.

-1. Make sure the deployer VM packages are now visible in `sapbits`.

- 1. On the **Overview** page for `sapbits`, look for a folder named **deployervmpackages**.

-### Download SAP media

-You can download the SAP installation media required to install the SAP software, using a script as described in this section.

-1. Sign in to the Ubuntu VM that you created in the [previous section](#download-supporting-software).

-1. Install Ansible 2.9.27 on the ubuntu VM

- ```bash

- sudo pip3 install ansible==2.9.27

- ```

-

-1. Clone the SAP automation repository from GitHub.

- ```azurecli

- git clone https://github.com/Azure/sap-automation.git

- ```

-1. Run the Ansible script **playbook_bom_download** with your own information.

- - For `<username>`, use your SAP username.

- - For `<password>`, use your SAP password.

- - For `<bom_base_name>`, use the SAP Version you want to install i.e. **_S41909SPS03_v0011ms_** or **_S42020SPS03_v0003ms_** or **_S4HANA_2021_ISS_v0001ms_**

- - For `<storageAccountAccessKey>`, use your storage account's access key. You found this value in the [previous section](#download-supporting-software).

- - For `<containerBasePath>`, use the path to your `sapbits` container. You found this value in the [previous section](#download-supporting-software).

- 1. For **SAP FQDN**, provide a fully qualified domain name (FQDN) for your SAP system. For example, `sap.contoso.com`.

- 1. For High Availability (HA) systems only, enter the client identifier for the Fencing Agent service principal for **Fencing client ID**.

- 1. For **SSH private key**, provide the SSH private key that you created or selected as part of your infrastructure deployment.

-> * For this quickstart it is recommended that you use a Translator text single-service subscription.

-> * With the single-service subscription you'll include one authorization header (**Ocp-Apim-Subscription-key**) with the REST API request. The value for Ocp-Apim-Subscription-key is your Azure secret key for your Translator Text subscription.

-> * If you choose to use the multi-service Cognitive Services subscription, it requires two authentication headers (**Ocp-Api-Subscription-Key** and **Ocp-Apim-Subscription-Region**). The value for Ocp-Apim-Subscription-Region is the region associated with your subscription.

-> * For more information on how to use the Ocp-Apim-Subscription-Region header, _see_ [Use the Text Translator APIs](translator-text-apis.md).

-|Header|Value| Condition |

-|**Ocp-Apim-Subscription-Key** |Your Translator service key from the Azure portal.|<ul><li>***Required***</li></ul> |

-|**Content-Type**|The content type of the payload. The accepted value is **application/json** or **charset=UTF-8**.|<ul><li>***Required***</li></ul>|

-|**Content-Length**|The **length of the request** body.|<ul><li>***Optional***</li></ul> |

-|**X-ClientTraceId**|A client-generated GUID to uniquely identify the request. You can omit this header if you include the trace ID in the query string using a query parameter named ClientTraceId.|<ul><li>***Optional***</li></ul>

-|||

- // Add your location, also known as region. The default is global.

- // This is required if using a Cognitive Services resource.

- {

- "detectedLanguage": {

- "language": "en",

- "score": 1.0

- },

- "translations": [

- {

- "text": "J'aimerais vraiment conduire votre voiture autour du pâté de maisons plusieurs fois!",

- "to": "fr"

- },

- {

- "text": "Ngingathanda ngempela ukushayela imoto yakho endaweni evimbelayo izikhathi ezimbalwa!",

- "to": "zu"

- }

- ]

- }

- "detectedLanguage": {

- "language": "en",

- "score": 1.0

- },

-# Add your location, also known as region. The default is global.

-# This is required if using a Cognitive Services resource.

-location = "YOUR_RESOURCE_LOCATION"

- {

- "detectedLanguage": {

- "language": "en",

- "score": 1.0

- },

- "translations": [

- {

- "text": "J'aimerais vraiment conduire votre voiture autour du pâté de maisons plusieurs fois!",

- "to": "fr"

- },

- {

- "text": "Ngingathanda ngempela ukushayela imoto yakho endaweni evimbelayo izikhathi ezimbalwa!",

- "to": "zu"

- }

- ]

- }

-|**Ocp-Apim-Subscription-Region**|The region where your resource was created. |<ul><li>***Required*** when using a multi-service Cognitive Services Resource.</li><li> ***Optional*** when using a single-service Translator Resource.</li></ul>|

-|||

- // Add your location, also known as region. The default is global.

- // This is required if using a Cognitive Services resource and can be found in the Azure portal on the Keys and Endpoint page.

- // Add your location, also known as region. The default is global.

- // This is required if using a Cognitive Services resource.

- location := "<YOUR-RESOURCE-LOCATION>";

- // Add your location, also known as region. The default is global.

- // This is required if using a Cognitive Services resource.

-// Add your location, also known as region. The default is global.

-// This is required if using a Cognitive Services resource.

-# Add your location, also known as region. The default is global.

-# This is required if using a Cognitive Services resource.

- // Add your location, also known as region. The default is global.

- // This is required if using a Cognitive Services resource.

- // Add your location, also known as region. The default is global.

- // This is required if using a Cognitive Services resource.

- location := "<YOUR-RESOURCE-LOCATION>";

- // Add your location, also known as region. The default is global.

- // This is required if using a Cognitive Services resource.

-var key = "<YOUR-TRANSLATOR-KEY>";

-var endpoint = "https://api.cognitive.microsofttranslator.com";

-var location = "<YOUR-RESOURCE-LOCATION>";

-# Add your location, also known as region. The default is global.

-# This is required if using a Cognitive Services resource.

- // Add your location, also known as region. The default is global.

- // This is required if using a Cognitive Services resource.

- // Add your location, also known as region. The default is global.

- // This is required if using a Cognitive Services resource.

- location := "<YOUR-RESOURCE-LOCATION>";

- // Add your location, also known as region. The default is global.

- // This is required if using a Cognitive Services resource.

-var key = "<YOUR-TRANSLATOR-KEY>";

-var endpoint = "https://api.cognitive.microsofttranslator.com";

-var location = "<YOUR-RESOURCE-LOCATION>";

-# Add your location, also known as region. The default is global.

-# This is required if using a Cognitive Services resource.

- // Add your location, also known as region. The default is global.

- // This is required if using a Cognitive Services resource.

- // Add your location, also known as region. The default is global.

- // This is required if using a Cognitive Services resource.

- location := "<YOUR-RESOURCE-LOCATION>";

- // Add your location, also known as region. The default is global.

- // This is required if using a Cognitive Services resource.

-var key = "<YOUR-TRANSLATOR-KEY>";

-var endpoint = "https://api.cognitive.microsofttranslator.com";

-var location = "<YOUR-RESOURCE-LOCATION>";

-# Add your location, also known as region. The default is global.

-# This is required if using a Cognitive Services resource.

- // Add your location, also known as region. The default is global.

- // This is required if using a Cognitive Services resource.

- // Add your location, also known as region. The default is global.

- // This is required if using a Cognitive Services resource.

- location := "<YOUR-RESOURCE-LOCATION>";

- // Add your location, also known as region. The default is global.

- // This is required if using a Cognitive Services resource.

-var key = "<YOUR-TRANSLATOR-KEY>";

-var endpoint = "https://api.cognitive.microsofttranslator.com";

-var location = "<YOUR-RESOURCE-LOCATION>";

-# Add your location, also known as region. The default is global.

-# This is required if using a Cognitive Services resource.

- // Add your location, also known as region. The default is global.

- // This is required if using a Cognitive Services resource.

- // Add your location, also known as region. The default is global.

- // This is required if using a Cognitive Services resource.

- location := "<YOUR-RESOURCE-LOCATION>";

- // Add your location, also known as region. The default is global.

- // This is required if using a Cognitive Services resource.

-var key = "<YOUR-TRANSLATOR-KEY>";

-var endpoint = "https://api.cognitive.microsofttranslator.com";

-var location = "<YOUR-RESOURCE-LOCATION>";

-# Add your location, also known as region. The default is global.

-# This is required if using a Cognitive Services resource.

- // Add your location, also known as region. The default is global.

- // This is required if using a Cognitive Services resource.

- // Add your location, also known as region. The default is global.

- // This is required if using a Cognitive Services resource.

- location := "<YOUR-RESOURCE-LOCATION>";

- // Add your location, also known as region. The default is global.

- // This is required if using a Cognitive Services resource.

-var key = "<YOUR-TRANSLATOR-KEY>";

-var endpoint = "https://api.cognitive.microsofttranslator.com";

-var location = "<YOUR-RESOURCE-LOCATION>";

-# Add your location, also known as region. The default is global.

-# This is required if using a Cognitive Services resource.

- // Add your location, also known as region. The default is global.

- // This is required if using a Cognitive Services resource.

- // Add your location, also known as region. The default is global.

- // This is required if using a Cognitive Services resource.

- location := "<YOUR-RESOURCE-LOCATION>";

- // Add your location, also known as region. The default is global.

- // This is required if using a Cognitive Services resource.

-var key = "<YOUR-TRANSLATOR-KEY>";

-var endpoint = "https://api.cognitive.microsofttranslator.com";

-var location = "<YOUR-RESOURCE-LOCATION>";

-# Add your location, also known as region. The default is global.

-# This is required if using a Cognitive Services resource.

- // Add your location, also known as region. The default is global.

- // This is required if using a Cognitive Services resource.

- // Add your location, also known as region. The default is global.

- // This is required if using a Cognitive Services resource.

- location := "<YOUR-RESOURCE-LOCATION>";

- // Add your location, also known as region. The default is global.

- // This is required if using a Cognitive Services resource.

-var key = "<YOUR-TRANSLATOR-KEY>";

-var endpoint = "https://api.cognitive.microsofttranslator.com";

-var location = "<YOUR-RESOURCE-LOCATION>";

-# Add your location, also known as region. The default is global.

-# This is required if using a Cognitive Services resource.

-# Understand Identifier types

-zone_pivot_groups: acs-js-csharp

-When the application is registered, you'll see an identifier in the overview. This identifier, *Application (client) ID*, is used in the next steps.

-1. In the URL *https://login.microsoftonline.com/{Tenant_ID}/adminconsent?client_id={Application_ID}*, the Administrator replaces {Tenant_ID} with the Fabrikam tenant ID, and replaces {Application_ID} with the Contoso Application ID.

-> This tutorial focuses on the solution deployment outlined below. If you're interested in building and running the solution on your own, [follow the README instructions within the repo](https://github.com/azure-samples/container-apps-store-api-microservice/build-and-run.md).

-description: Push and pull supply chain artifacts using Azure Registry (Preview)

-* **ORAS CLI** - The ORAS CLI enables push, discover, pull of artifacts to an ORAS Artifacts enabled registry.

-Download and install a preview ORAS release for your operating system. See [ORAS Install instructions][oras-install-docs] for how to extract and install the file for your operating system, referencing an Alpha.1 preview build from the [ORAS GitHub repo][oras-preview-install]

-Configure environment variables to easily copy/paste commands into your shell. The commands can be run in the [Azure Cloud Shell](https://shell.azure.com/)

-In the command output, note the `zoneRedundancy` property for the registry. When enabled, the registry is zone redundant, and ORAS Artifact enabled:

-### Push a signature to the registry, as a reference to the container image

-The ORAS command pushes the signature to a repository, referencing another artifact through the `subject` parameter. The `--artifact-type` provides for differentiating artifacts, similar to file extensions that enable different file types. One or more files can be pushed by specifying `file:mediaType`

-oras push $REGISTRY/$REPO \

- --artifact-type 'signature/example' \

- --subject $IMAGE \

- ./signature.json:application/json

-For more information on oras push, see [ORAS documentation][oras-push-docs].

-## Push a multi-file artifact as a reference

-Create some documentation around an artifact

-Push the multi-file artifact as a reference

-oras push $REGISTRY/$REPO \

- --artifact-type 'readme/example' \

- --subject $IMAGE \

-Using `oras discover`, view the graph of artifacts now stored in the registry

-The output shows the beginning of a graph of artifacts, where the signature and docs are viewed as children of the container image

-### Push a sample SBoM to the registry

-oras push $REGISTRY/$REPO \

- --artifact-type 'sbom/example' \

- --subject $IMAGE \

- ./sbom.json:application/json

- $IMAGE | jq -r ".references[0].digest")

-echo '{"artifact": "'$REGISTRY/${REPO}@$SBOM_DIGEST'", "signature": "pat hancock"}' > sbom-signature.json

-### Push the SBoM signature

-oras push $REGISTRY/$REPO \

- --subject $REGISTRY/$REPO@$SBOM_DIGEST \

- $IMAGE | jq -r ".references[0].digest")

-oras pull -a -o ./download $REGISTRY/$REPO@$DOC_DIGEST

- --repository $ACR_NAME \

-* Learn more about [the ORAS CLI](https://oras.land)

-[oras-preview-install]: https://github.com/oras-project/oras/releases/tag/v0.2.1-alpha.1

-[oras-push-docs]: https://oras.land/cli/1_pushing/

-You can use the Azure Cloud Shell or a local installation of the Azure CLI to run the command examples in this article. If you'd like to use it locally, version 2.0.74 or later is required. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][azure-cli](/cli/azure/install-azure-cli).

-* ```/data/sales/20??/**/``` Gets all files in the 20th century

-* ```/data/sales/2004/*/12/[XY]1?.csv``` Gets all csv files in 2004 in December starting with X or Y prefixed by a two-digit number

->When creating linked service for Azure Synapse **serverless** SQL pool from UI, choose "enter manually" instead of browsing from subscription.

-| <*ticks-number*> | Integer | The number of ticks since the specified timestamp |

-| @pipeline()?TriggeredByPipelineName | Name of the pipeline that triggers the pipeline run. Applicable when the pipeline run is triggered by an ExecutePipeline activity. Evaluate to _Null_ when used in other circumstances. Note the question mark after @pipeline() |

-| @pipeline()?TriggeredByPipelineRunId | Run ID of the pipeline that triggers the pipeline run. Applicable when the pipeline run is triggered by an ExecutePipeline activity. Evaluate to _Null_ when used in other circumstances. Note the question mark after @pipeline() |

-### Error code: 2128

-### Error code: 2108

-#### More details

-To use **Fiddler** to create an HTTP session of the monitored web application:

-1. Download, install, and open [Fiddler](https://www.telerik.com/download/fiddler).

-1. If your web application uses HTTPS, go to **Tools** > **Fiddler Options** > **HTTPS**.

- 1. In the HTTPS tab, select both **Capture HTTPS CONNECTs** and **Decrypt HTTPS traffic**.

- :::image type="content" source="media/data-factory-troubleshoot-guide/fiddler-options.png" alt-text="Fiddler options":::

-1. If your application uses TLS/SSL certificates, add the Fiddler certificate to your device.

- Go to: **Tools** > **Fiddler Options** > **HTTPS** > **Actions** > **Export Root Certificate to Desktop**.

-1. Turn off capturing by going to **File** > **Capture Traffic**. Or press **F12**.

-1. Clear your browser's cache so that all cached items are removed and must be downloaded again.

-1. Create a request:

-1. Select the **Composer** tab.

- 1. Set the HTTP method and URL.

-

- 1. If needed, add headers and a request body.

- 1. Select **Execute**.

-1. Turn on traffic capturing again, and complete the problematic transaction on your page.

-1. Go to: **File** > **Save** > **All Sessions**.

-For more information, see [Getting started with Fiddler](https://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/ConfigureFiddler).

-Here is where you'll configure the target output schema from the parsing that will be written into a single column. The easiest way to set a schema for your output from parsing is to click the 'Detect Type' button on the top right of the expression builder. ADF will attempt to autodetect the schema from the string field which you are parsing and set it for you in the output expression.

-In this example, we have defined parsing of the incoming field "jsonString" which is plain text, but formatted as a JSON structure. We're going to store the parsed results as JSON in a new column called "json" with this schema:

-##### Adding Activities

-description: This topic describes how to use the SAP data partitioning template for SAP change data capture (Preview) in Azure Data Factory.

-# Auto-generate a pipeline from the SAP data partitioning template

-This topic introduces and describes auto-generation of a pipeline with the SAP data partitioning template for SAP change data capture (Preview) in Azure Data Factory.

-## Steps to use the SAP data partitioning template

-To auto-generate ADF pipeline from SAP data partitioning template, complete the following steps.

-1. Create a new pipeline from template.

- :::image type="content" source="media/sap-change-data-capture-solution/sap-cdc-pipeline-from-template.png" alt-text="Screenshot of the Azure Data Factory resources tab with the Pipeline from template menu highlighted.":::

-1. Select the **Partition SAP data to extract and load into Azure Data Lake Store Gen2 in parallel** template.

- :::image type="content" source="media/sap-change-data-capture-solution/sap-cdc-template-selection.png" alt-text="Screenshot of the template gallery with the SAP data partitioning template highlighted.":::

-

-1. Create SAP CDC and ADLS Gen2 linked services, if you havenΓÇÖt done so already, and use them as inputs to SAP data partitioning template.

- For the **Connect via integration runtime** property of SAP ODP linked service, select your SHIR. For the **Connect via integration runtime** property of ADLS Gen2 linked service, select _AutoResolveIntegrationRuntime_.

- :::image type="content" source="media/sap-change-data-capture-solution/sap-cdc-template-configuration.png" alt-text="Screenshot of the SAP data partitioning template configuration page with the Inputs section highlighted.":::

-1. Select **Use this template** button to auto-generate SAP data partitioning pipeline that can run multiple ADF copy activities to extract multiple partitions in parallel.

- ADF copy activities run on SHIR to concurrently extract raw data (full) from your SAP system and load it into ADLS Gen2 as CSV files. The files can be found in _sapcdc_ container under _deltachange/&lt;your pipeline name&gt;/&lt;your pipeline run timestamp&gt;_ folder path. The **Extraction mode** property of ADF copy activity is set to _Full_.

- To ensure high throughput, locate your SAP system, SHIR, ADLS Gen2, and Azure IR in the same region.

-1. Assign your SAP data extraction context and data source object names, as well as an array of partitions, each is defined as an array of row selection conditions, as run-time parameter values for SAP data partitioning pipeline.

- For the **selectionRangeList** parameter, enter your array of partition(s), each is defined as an array of row selection condition(s). For example, hereΓÇÖs an array of three partitions, where the first partition includes only rows where the value in _CUSTOMERID_ column is between _1_ and _1000000_ (the first million customers), the second partition includes only rows where the value in _CUSTOMERID_ column is between _1000001_ and _2000000_ (the second million customers), and the third partition includes the rest of customers:

- _[[{"fieldName":"CUSTOMERID","sign":"I","option":"BT","low":"1","high":"1000000"}],[{"fieldName":"CUSTOMERID","sign":"I","option":"BT","low":"1000001","high":"2000000"}],[{"fieldName":"CUSTOMERID","sign":"E","option":"BT","low":"1","high":"2000000"}]]_

- These three partitions will be extracted using three ADF copy activities running in parallel.

-1. Select the **Save all** button and you can now run SAP data partitioning pipeline.

-[Auto-generate a pipeline from the SAP data replication template](sap-change-data-capture-data-replication-template.md).

-description: This topic describes how to use the SAP data replication template for SAP change data capture (Preview) in Azure Data Factory.

-# Auto-generate a pipeline from the SAP data replication template

-This topic describes how to use the SAP data replication template for SAP change data capture (Preview) in Azure Data Factory.

-## Steps to auto-generate a pipeline from the SAP data replication template

-1. Create a new pipeline from template.

-1. Select the **Replicate SAP data to Azure Synapse Analytics and persist raw data in Azure Data Lake Store Gen2** template.

- :::image type="content" source="media/sap-change-data-capture-solution/sap-cdc-data-replication-template.png" alt-text="Screenshot of the template gallery with the SAP data replication template highlighted.":::

-1. Create SAP CDC, ADLS Gen2, and Azure Synapse Analytics linked services, if you havenΓÇÖt done so already, and use them as inputs to SAP data replication template.

- For the **Connect via integration runtime** property of the SAP ODP linked service, select your SHIR. For the **Connect via integration runtime** property of ADLS Gen2/Azure Synapse Analytics linked services, select _AutoResolveIntegrationRuntime_.

-1. Select the **Use this template** button to auto-generate an SAP data replication pipeline that contains Azure Data Factory copy and dataflow activities.

- The data factory copy activity runs on the SHIR to extract raw data (full + deltas) from SAP systems and load it into ADLS Gen2 where itΓÇÖs persisted as CSV files, archiving/preserving historical changes. The files can be found in the _sapcdc_ container under the _deltachange/&lt;your pipeline name\&gt;/&lt;your pipeline run timestamp&gt;_ folder path. The **Extraction mode** property of the copy activity is set to _Delta_. The **Subscriber process** property of copy activity is parameterized.

- The data factory data flow activity runs on the Azure IR to transform the raw data and merge all changes into Azure Synapse Analytics, replicating SAP data.

- To ensure high throughput, locate your SAP system, SHIR, ADLS Gen2, Azure IR, and Azure Synapse Analytics in the same region.

-1. Assign your SAP data extraction context, data source object, key column, and subscriber process names, as well as Synapse SQL schema and table names as run-time parameter values for SAP data replication pipeline.

- For the **keyColumns** parameter, enter your key column name(s) as an array of string(s), such as _[“CUSTOMERID”]/[“keyColumn1”, “keyColumn2”, “keyColumn3”, … up to 10 key column names]_. The key column(s) in raw SAP data will be used by ADF data flow activity to identify changed (created/updated/deleted) rows.

- For the **subscriberProcess** parameter, enter a unique name for the Subscriber process property of ADF copy activity. For example, you can name it _&lt;your pipeline name&gt;\_&lt;your copy activity name&gt;_. You can rename it to start a new ODQ subscription in SAP systems.

-1. Select the **Save all** button and you can now run SAP data replication pipeline.

-1. If you want to replicate SAP data to ADLS Gen2 in Delta format, complete the same steps as above, except using the **Replicate SAP data to Azure Data Lake Store Gen2 in Delta format and persist raw data in CSV format** template.

- ADF copy activity runs on SHIR to extract raw data (full + deltas) from SAP systems and load it into ADLS Gen2 where itΓÇÖs persisted as CSV files, archiving/preserving historical changes. The files can be found in the _sapcdc_ container under the _deltachange/&lt;your pipeline name&gt;/&lt;your pipeline run timestamp&gt;_ folder path. The **Extraction mode** property of ADF copy activity is set to _Delta_. The **Subscriber process** property of ADF copy activity is parameterized.

- ADF data flow activity runs on Azure IR to transform the raw data and merge all changes into ADLS Gen2 as Delta Lake/Lakehouse table, replicating SAP data. The table can be found in the _saptimetravel_ container under the _<your SAP table/object name>_ folder containing the _\_delta\_log_ subfolder and Parquet files. It can be queried using Synapse serverless SQL pool, see [Query Delta Lake files using serverless SQL pool in Azure Synapse Analytics](../synapse-analytics/sql/query-delta-lake-format.md), while time travel can be done using Synapse serverless Apache Spark pool, see [Quickstart: Create a serverless Apache Spark pool in Azure Synapse Analytics using web tools](../synapse-analytics/quickstart-apache-spark-notebook.md) and [Read older versions of data using Time Travel](../synapse-analytics/spark/apache-spark-delta-lake-overview.md?pivots=programming-language-python#read-older-versions-of-data-using-time-travel).

- To ensure high throughput, locate your SAP system, SHIR, ADLS Gen2, Azure IR, and Delta Lake/Lakehouse in the same region.

-[Managing your SAP change data capture solution](sap-change-data-capture-management.md).

-description: This topic describes how to debug issues with Copy activity for SAP change data capture (Preview) using self-hosted integration runtime (SHIR) logs in Azure Data Factory.

-# Debug ADF copy activity issues by sending SHIR logs

-If you want us to debug your ADF copy activity issues, send SHIR logs to us. To do so, complete the following steps.

-On SHIR machine, open the Microsoft Integration Runtime Configuration Manager app, select the Diagnostics tab, select the Send logs button, and select the Send Logs button again on dialog window that pops up.

-## Contacting support

-When SHIR logs have been uploaded/sent to us and you are contacting support, provide the Report ID and Timestamp values displayed on the dialog window.

-

-[Auto-generate ADF pipeline from SAP data partitioning template](sap-change-data-capture-data-partitioning-template.md)

-description: This topic introduces and describes the architecture for SAP change data capture (Preview) in Azure Data Factory.

-# SAP change data capture (CDC) solution in Azure Data Factory (Preview)

-This topic introduces and describes the architecture for SAP change data capture (Preview) in Azure Data Factory.

-## Introduction

-Azure Data Factory (ADF) is a data integration (ETL/ELT) Platform as a Service (PaaS) and for SAP data integration, ADF currently offers six connectors:

-These connectors can only extract data in batches, where each batch treats old and new data equally w/o identifying data changes (ΓÇ£batch modeΓÇ¥). This extraction mode isnΓÇÖt optimal when dealing w/ large data sets, such as tables w/ millions/billions records, that change often. To keep your copy of SAP data fresh/up-to-date, frequently extracting it in full is expensive/inefficient. ThereΓÇÖs a manual and limited workaround to extract mostly new/updated records, but this process requires a column w/ timestamp/monotonously increasing values and continuously tracking the highest value since last extraction (ΓÇ£watermarkingΓÇ¥). Unfortunately, some tables have no column that can be used for watermarking and this process canΓÇÖt handle deleted records.

-Consequently, our customers have been asking for a new connector that can extract only data changes (inserts/updates/deletes = ΓÇ£deltasΓÇ¥), leveraging the CDC feature that exists in most SAP systems (in ΓÇ£CDC modeΓÇ¥). After gathering their requirements, weΓÇÖve decided to build a new SAP ODP connector leveraging SAP Operational Data Provisioning (ODP) framework. This new connector can connect to all SAP systems that support ODP, such as R/3, ECC, S/4HANA, BW, and BW/4HANA, directly at the application layer or indirectly via SAP Landscape Transformation (SLT) replication server as a proxy. It can fully/incrementally extract SAP data that includes not only physical tables, but also logical objects created on top of those tables, such as Advanced Business Application Programming (ABAP) Core Data Services (CDS) views, w/o watermarking. Combined w/ existing ADF features, such as copy + data flow activities, pipeline templates, and tumbling window triggers, we can offer low-latency SAP CDC/replication solution w/ self-managed pipeline experience.

-This document provides a high-level architecture of our SAP CDC solution in ADF, the prerequisites and step-by-step guidelines to preview it, and its current limitations.

-## Architecture

-The high-level architecture of our SAP CDC solution in ADF is divided into two sides, left-hand-side (LHS) and right-hand-side (RHS). LHS includes SAP ODP connector that invokes ODP API over standard Remote Function Call (RFC) modules to extract raw SAP data (full + deltas). RHS includes ADF copy activity that loads the raw SAP data into any destination, such as Azure Blob Storage/Azure Data Lake Store (ADLS) Gen2, in CSV/Parquet format, essentially archiving/preserving all historical changes. RHS can also include ADF data flow activity that transforms the raw SAP data, merges all changes, and loads the result into any destination, such as Azure SQL Database/Azure Synapse Analytics, essentially replicating SAP data. ADF data flow activity can also load the result into ADLS Gen2 in Delta format, enabling time-travel to produce snapshots of SAP data at any given periods in the past. LHS and RHS can be combined as SAP CDC/replication template to auto-generate ADF pipeline that can be frequently run using ADF tumbling window trigger to replicate SAP data into Azure w/ low latency and w/o watermarking.

-ADF copy activity w/ SAP ODP connector runs on a self-hosted integration runtime (SHIR) that you install on your on-premises/virtual machine, so it has a line of sight to your SAP source systems/SLT replication server, while ADF data flow activity runs on a serverless Databricks/Spark cluster, Azure IR. SAP ODP connector via ODP can extract various data source (ΓÇ£providerΓÇ¥) types, such as:

-These providers run on SAP systems to produce full/incremental data in Operational Delta Queue (ODQ) that is consumed by ADF copy activity w/ SAP ODB connector in ADF pipeline (ΓÇ£subscriberΓÇ¥).

-Since ODP completely decouples providers from subscribers, any SAP docs that offer provider configurations are applicable for ADF as a subscriber. For more info on ODP, see [Introduction to operational data provisioning](https://wiki.scn.sap.com/wiki/display/BI/Introduction+to+Operational+Data+Provisioning).

-[Prerequisites and configuration of the SAP CDC solution](sap-change-data-capture-prerequisites-configuration.md)

-description: This article describes how to manage SAP change data capture (Preview) in Azure Data Factory.

-# Management of SAP change data capture (CDC) (Preview) in Azure Data Factory

-This article describes how to manage SAP change data capture (Preview) in Azure Data Factory.

-## Run SAP a data replication pipeline on a recurring schedule

-To run an SAP data replication pipeline on a recurring schedule with a specified frequency, complete the following steps:

-1. Create a tumbling window trigger that runs SAP data replication pipeline frequently with the **Max concurrency** property set to _1_, see [Create a trigger that runs a pipeline on a tumbling window](how-to-create-tumbling-window-trigger.md?tabs=data-factory).

-1. After the tumbling window trigger is created, add a self-dependency on it, such that subsequent pipeline runs always waits until previous pipeline runs are successfully completed, see [Create a tumbling window trigger dependency](tumbling-window-trigger-dependency.md).

-To recover a failed SAP data replication pipeline run, complete the following steps:

-1. If any SAP data replication pipeline run fails, the subsequent run scheduled by tumbling window trigger will be suspended, waiting on dependency.

- :::image type="content" source="media/sap-change-data-capture-solution/sap-cdc-trigger-status.png" alt-text="Screenshot of the trigger status window with an SAP tumbling window trigger in the failed state.":::

-1. In that case, you can fix the issues causing pipeline run failure, switch the **Extraction mode** property of the copy activity to _Recovery_, and manually run SAP data replication pipeline in this mode.

-1. If the recovery run is successfully completed, switch back the **Extraction mode** property of the copy activity to _Delta_, and select the **Rerun** button next to the failed run of tumbling window trigger.

-To monitor data extractions on SAP systems, complete the following steps:

-1. Using SAP Logon Tool on your SAP source system, run ODQMON transaction code.

-1. Enter the value for the **Subscriber name** property of your SAP ODP linked service in the **Subscriber** input field and select _All_ in the **Request Selection** dropdown menu to show all data extractions using that linked service.

- :::image type="content" source="media/sap-change-data-capture-solution/sap-cdc-monitor-delta-queues.png" alt-text="Screenshot of the SAP ODQMON tool with all data extractions for a particular subscriber.":::

-1. You can now see all registered subscriber processes in ODQ representing data extractions from ADF copy activities that use your SAP ODP linked service. On each ODQ subscription, you can drill down to see individual full/delta extractions. On each extraction, you can drill down to see individual data packages that were consumed.

-1. When ADF copy activities that extract SAP data are no longer needed, their ODQ subscriptions should be deleted, so SAP systems can stop tracking their subscription states and remove the unconsumed data packages from ODQ. To do so, select the unneeded ODQ subscriptions and delete them.

- :::image type="content" source="media/sap-change-data-capture-solution/sap-cdc-delete-queue-subscriptions.png" alt-text="Screenshot of the SAP ODQMON tool with the delete button highlighted for a particular queue subscription.":::

-## Troubleshooting delta change

-The Azure Data Factory ODP connector reads delta changes from the ODP framework, which itself provides them in tables called Operational Delta Queues (ODQs).

-In situations where the data movement works technically (that is, copy activities complete without errors), but doesn't appear to deliver the data correctly (for example, no data at all, or maybe just a subset of the expected data), you should first investigate if the number of records provided on the SAP side match the number of rows transferred by ADF. If so, the issue isn't related to ADF, but probably comes from incorrect or missing configuration on SAP side.

-### Troubleshooting in SAP using ODQMON

-To analyze what data the SAP system has provided for your scenario, start transaction ODQMON in your SAP backend system. If you're using the SLT scenario, with a standalone SLT server, start the transaction there.

-To find the Operational Delta Queue(s) corresponding to your copy activities or copy activity runs, use the filter options (blurred out below). In the field ΓÇ£QueueΓÇ¥ you can use wildcards to narrow down the search, for example, by table name *EKKO*, etc.

-Selecting the check box ΓÇ£Calculate Data VolumeΓÇ¥ provides details about the number of rows and data volume (in bytes) contained in the ODQs.

-Double clicking on the queue will bring you to the subscriptions of this ODQ. Since there can be multiple subscribers to the same ODQ, check for the subscriber name (which you entered in the ADF linked service) and pick the subscription whose timestamp best fits your copy activity run. (Note that for delta subscriptions, the first run of the copy activity will be recorded on SAP side for the subscription).

-Drilling down into the subscription, you find a list of ΓÇ£requestsΓÇ¥, corresponding to copy activity runs in ADF. In the screenshot below, you see the result of four copy activity runs.

-Based on the timestamp in the first row, find the line corresponding to the copy activity run you want to analyze. If the number of rows shown in this screen equals the number of rows read by the copy activity, you've verified that ADF has read and transferred the data as provided by the SAP system.

-In this case, we recommend consulting with the team responsible for your SAP system.

-The following are the current limitations of SAP CDC solution in ADF:

-description: This article introduces and describes preparation of the linked service and source dataset for SAP change data capture (Preview) in Azure Data Factory.

-# Prepare the SAP ODP linked service and source dataset for the SAP CDC solution in Azure Data Factory (Preview)

-This article introduces and describes preparation of the linked service and source dataset for SAP change data capture (Preview) in Azure Data Factory.

-## Prepare the SAP ODP linked service

-To prepare SAP ODP linked service, complete the following steps:

-1. On ADF Studio, go to the **Linked services** section of **Manage** hub and select the **New** button to create a new linked service.

- :::image type="content" source="media/sap-change-data-capture-solution/sap-cdc-new-linked-service.png" alt-text="Screenshot of the manage hub in Azure Data Factory with the New Linked Service button highlighted.":::

-1. Search for _SAP_ and select _SAP CDC (Preview)_.

- :::image type="content" source="media/sap-change-data-capture-solution/sap-cdc-linked-service-selection.png" alt-text="Screenshot of the linked service source selection with SAP CDC (Preview) selected.":::

-1. Set SAP ODP linked service properties, many of them are similar to SAP Table linked service properties, see [Linked service properties](connector-sap-table.md?tabs=data-factory#linked-service-properties).

- 1. For the **Connect via integration runtime** property, select your SHIR.

- 1. For the **Server name** property, enter the mapped server name for your SAP system.

- 1. For the **Subscriber name** property, enter a unique name to register and identify this ADF connection as a subscriber that consumes data packages produced in ODQ by your SAP system. For example, you can name it <_your ADF name_>_<_your linked service name_>.

- When using extraction mode "Delta", the combination of Subscriber name (maintained in the linked service) and Subscriber process has to be unique for every copy activity reading from the same ODP source object to ensure that the ODP framework can distinguish these copy activities and provide the correct chances.

-1. Test the connection and create your new SAP ODP linked service.

-## Prepare the SAP ODP source dataset

-To prepare an ADF copy activity with an SAP ODP data source, complete the following steps:

-1. On ADF Studio, go to the **Pipeline** section of the **Author** hub, select the **…** button to drop down the **Pipeline Actions** menu, and select the **New pipeline** item.

-1. Drag & drop the **Copy data** activity onto the canvas of new pipeline, go to the **Source** tab of ADF copy activity, and select the **New** button to create a new source dataset.

- :::image type="content" source="media/sap-change-data-capture-solution/sap-cdc-copy-source-configuration.png" alt-text="Screenshot of the Copy data activity's Source configuration.":::

-1. Search for _SAP_ and select _SAP CDC (Preview)_.

- :::image type="content" source="media/sap-change-data-capture-solution/sap-cdc-source-dataset-selection.png" alt-text="Screenshot of the SAP CDC (Preview) dataset type on the New dataset dialog.":::

-1. Select your new SAP ODP linked service for the new source dataset and set the rest of its properties.

- 1. For the **Connect via integration runtime** property, select your SHIR.

- 1. For the **Context** property, select the context of data extraction via ODP, such as:

- - _ABAP_CDS_ for extracting ABAP CDS views from S/4HANA

- - _BW_ for extracting InfoProviders or InfoObjects from SAP BW or BW/4HANA

- - _SAPI_ for extracting SAP extractors from SAP ECC

- - _SLT~_<_your queue alias_> for extracting SAP application tables from SAP source systems via SLT replication server as a proxy

- If you want to extract SAP application tables, but donΓÇÖt want to use SLT replication server as a proxy, you can create SAP extractors via RSO2 transaction code/CDS views on top of those tables and extract them directly from your SAP source systems in _SAPI/ABAP_CDS_ context, respectively.

- 1. For the **Object name** property, select the name of data source object to extract under the selected data extraction context. If you connect to your SAP source system via SLT replication server as a proxy, the **Preview data** feature isn't supported for now.

- 1. Check the **Edit** check boxes, if loading the dropdown menu selections takes too long and you want to type them yourself.

-

- :::image type="content" source="media/sap-change-data-capture-solution/sap-cdc-source-dataset-configuration.png" alt-text="Screenshot of the SAP CDC (Preview) dataset configuration page.":::

-1. Select the **OK** button to create your new SAP ODP source dataset.

-1. For the **Extraction** mode property of ADF copy activity, select one of the following modes:

- - _Full_ for always extracting the current snapshot of selected data source object w/o registering ADF copy activity as its ΓÇ£deltaΓÇ¥ subscriber that consumes data changes produced in ODQ by your SAP system

- - _Delta_ for initially extracting the current snapshot of selected data source object, registering ADF copy activity as its ΓÇ£deltaΓÇ¥ subscriber, and subsequently extracting new data changes produced in ODQ by your SAP system since the last extraction

- - _Recovery_ for repeating the last extraction that was part of a failed pipeline run

-1. For the **Subscriber process** property of ADF copy activity, enter a unique name to register and identify this ADF copy activity as a ΓÇ£deltaΓÇ¥ subscriber of the selected data source object, so your SAP system can manage its subscription state to keep track of data changes produced in ODQ and consumed in consecutive extractions, eliminating the need for watermarking them yourself. For example, you can name it <_your pipeline name_>_<_your copy activity name_>.

- :::image type="content" source="media/sap-change-data-capture-solution/sap-cdc-copy-source-configuration.png" alt-text="Screenshot of the SAP CDC (Preview) source configuration in a Copy activity.":::

-1. If you want to extract only data from some columns/rows, you can use the column projection/row selection features:

- 1. For the **Projection** property of ADF copy activity, select the **Refresh** button to load the dropdown menu selections w/ column names of the selected data source object.

- If you have many columns and you want to include only a few in your data extraction, select the check boxes for those columns. If you have many columns and you want to exclude only a few in your data extraction, select the **Select all** check box first and then unselect the check boxes for those columns. If no column is selected, all will be extracted by default.

- Check the **Edit** check box, if loading the dropdown menu selections takes too long and you want to add/type them yourself.

- :::image type="content" source="media/sap-change-data-capture-solution/sap-cdc-copy-source-projection-configuration.png" alt-text="Screenshot of the SAP CDC (Preview) source configuration with the Projection, Selection, and Additional columns sections highlighted.":::

- 1. For the **Selection** property of ADF copy activity, select the **New** button to add a new row selection condition containing **Field name/Sign/Option/Low/High** arguments.

- 1. For the **Field name** argument, select the **Refresh** button to load the dropdown menu selections w/ column names of the selected data source object. if loading the dropdown menu selections takes too long, you can type it yourself.

- 1. For the **Sign** argument, select _Inclusive/Exclusive_ to respectively include/exclude only rows that meet the selection condition in your data extraction.

- 1. For the **Option** argument, select _EQ/CP/BT_ to respectively apply the following row selection conditions:

- - ΓÇ£True if the value in **Field name** column is equal to the value of **Low** argumentΓÇ¥

- - ΓÇ¥True if the value in **Field name** column contains a pattern specified in the value of **Low** argumentΓÇ¥

- - ΓÇ¥True if the value in **Field name** column is between the values of **Low** and **High** argumentsΓÇ¥

- Please consult SAP docs/support notes to ensure that your row selection conditions can be applied to the selected data source object. For example, here are some row selection conditions and their respective arguments:

- |**Row selection condition** |**Field name** |**Sign** |**Option** |**Low** |**High** |

- |Include only rows where the value in _COUNTRY_ column is _CHINA_ |_COUNTRY_ |_Inclusive_ |_EQ_ |_CHINA_ | |

- |Exclude only rows where the value in _COUNTRY_ column is _CHINA_ |_COUNTRY_ |_Exclusive_ |_EQ_ |_CHINA_ | |

- |Include only rows where the value in _FIRSTNAME_ column contains _JO*_ pattern |_FIRSTNAME_ |_Inclusive_ |_CP_ |_JO*_ | |

- |Include only rows where the value in _CUSTOMERID_ column is between _1_ and _999999_ |_CUSTOMERID_ |_Inclusive_ |_BT_ |_1_ |_999999_ |

-

- :::image type="content" source="media/sap-change-data-capture-solution/sap-cdc-copy-selection-additional-columns.png" alt-text="Screenshot of the SAP CDC (Preview) source configuration for a Copy activity with the Selection and Additional columns sections highlighted.":::

-

- Row selections are especially useful to divide large data sets into multiple partitions, where each partition can be extracted using a single copy activity, so you can perform full extractions using multiple copy activities running in parallel. These copy activities will in turn invoke parallel processes on your SAP system to produce data packages in ODQ that can also be consumed by parallel processes in each copy activity, thus increasing throughput significantly.

-

-1. Go to the **Sink** tab of ADF copy activity and select an existing sink dataset or create a new one for any data store, such as Azure Blob Storage/ADLS Gen2.

- To increase throughput, you can enable ADF copy activity to concurrently extract data packages produced in ODQ by your SAP system and enforce all extraction processes to immediately write them into the sink in parallel. For example, if you use ADLS Gen2 as sink, leave the **File name** field in **File path** property of sink dataset empty, so all extracted data packages will be written as separate files.

-1. Go to the **Settings** tab of ADF copy activity and increase throughput by setting the **Degree of copy parallelism** property to concurrently extract data packages produced in ODQ by your SAP system.

- If you use Azure Blob Storage/ADLS Gen2 as sink, the maximum number of effective parallel extractions is four/five per SHIR machine, but you can install SHIR as a cluster of up to four machines, see [High availability and scalability](create-self-hosted-integration-runtime.md?tabs=data-factory#high-availability-and-scalability).

-1. Adjust the maximum size of data packages produced in ODQ to fine-tune parallel extractions. The default size is 50 MB, so 3 GB of SAP table/object will be extracted into 60 files of raw SAP data in ADLS Gen2. Lowering it to 15 MB could increase throughput, but will produce more (200) files. To do so, select the **Code** button of ADF pipeline to edit the **maxPackageSize** property of ADF copy activity.

-1. If you set the **Extraction mode** property of ADF copy activity to _Delta_, your initial/subsequent extractions will respectively consume full data/new data changes produced in ODQ by your SAP system since the last extraction.

- For each extraction, you can skip the actual data production/consumption/transfer and simply initialize/advance your ΓÇ£deltaΓÇ¥ subscription state. This is especially useful when you want to perform full and delta extractions using separate copy activities w/ different partitions. To do so, select the **Code** button of ADF pipeline to add the **deltaExtensionNoData** property of ADF copy activity and set it to _true_. Remove that property when you want to resume extracting data.

- :::image type="content" source="media/sap-change-data-capture-solution/sap-cdc-copy-code-2.png" alt-text="Screenshot of the code configuration for a pipeline with the deltaExtensionNoData property highlighted.":::

-1. Select the **Save all** and **Debug** buttons to run your new pipeline containing ADF copy activity w/ SAP ODP source dataset.

-To illustrate the results of full and delta extractions from consecutively running your new pipeline, letΓÇÖs use the following simple/small custom table in SAP ECC as an example of data source object to extract.

-HereΓÇÖs the raw SAP data from initial/full extraction as CSV file in ADLS Gen2. It contains system columns/fields (ODQ_CHANGEMODE/ODQ_ENTITYCNTR/_SEQUENCENUMBER) that can be used by ADF data flow activity to merge data changes when replicating SAP data. The ODQ_CHANGEMODE column marks the type of change for each row/record: (C)reated, (U)pdated, or (D)eleted. The initial run of your pipeline w/ _Delta_ extraction mode always induces a full load that marks all rows as (C)reated.

-After creating, updating, and deleting three rows of the custom table in SAP ECC, hereΓÇÖs the raw SAP data from subsequent/delta extraction as CSV file in ADLS Gen2.

-[Debug ADF copy activity issues by sending SHIR logs](sap-change-data-capture-debug-shir-logs.md)

-description: This topic introduces and describes the prerequisites and configuration of SAP change data capture (Preview) in Azure Data Factory.

-# SAP change data capture (CDC) solution prerequisites and configuration in Azure Data Factory (Preview)

-This topic introduces and describes the prerequisites and configuration of SAP change data capture (Preview) in Azure Data Factory.

-To preview our new SAP CDC solution in ADF you can/should:

-## Configure SAP systems for ODP framework

-To configure your SAP systems for ODP, follow these guidelines:

-ODP comes by default in software releases of most SAP systems (ECC, S/4HANA, BW, and BW/4HANA), except in very early ones. To ensure that your SAP systems come w/ ODP, please refer to the following SAP docs/support notes ΓÇô Even though they mostly mention SAP BW/DS as subscribers/consumers for data extractions via ODP, they also apply to ADF as a subscriber/consumer:

-### SAP user configurations

-Data extractions via ODP require a properly configured user on SAP systems, which needs to be authorized for ODP API invocations over RFC modules. This user configuration is exactly the same as that required for data extractions via ODP from SAP source systems into BW or BW/4HANA:

-### SAP data source configurations

-ODP offers various data extraction ΓÇ£contextsΓÇ¥ or ΓÇ£source object typesΓÇ¥. While most data source objects are ready to extract, some need additional configurations. In SAPI context, the objects to extract are called DataSources/extractors. In order to extract DataSources, complete the following steps:

- - [1560241 - To release DataSources for ODP API](https://launchpad.support.sap.com/#/notes/1560241) ΓÇô This should be combined w/ running the following programs:

- - RODPS_OS_EXPOSE to release DataSources for external use.

- - BS_ANLY_DS_RELEASE_ODP to release BW extractors for ODP API.

- - [2232584 - To release SAP extractors for ODP API](https://launchpad.support.sap.com/#/notes/2232584) ΓÇô This contains a list of all SAP-delivered DataSources (7400+) that have been released.

-### SLT configurations

-SLT is a database trigger-enabled CDC solution that can replicate SAP application tables and simple views in near real time from SAP source systems to various targets, including ODQ, such that it can be used as a proxy in data extractions via ODP. It can be installed on SAP source systems as Data Migration Server (DMIS) add-on or on a standalone replication server. In order to use SLT replication server as a proxy, complete the following steps:

- - In the Specify Source System section, specify the RFC destination representing your SAP source system.

- - In the Specify Target System section:

- - Select the RFC Connection radio button.

- - Select Operational Data Provisioning (ODP) in the Scenario for RFC Communication dropdown menu.

- - For the Queue Alias property, enter your queue alias that can be used to select the context of your data extractions via ODP in ADF as SLT~<_your queue alias_>.

-For more info on SLT configurations, see [Replicating Data to SAP Business Warehouse](https://help.sap.com/docs/SAP_LANDSCAPE_TRANSFORMATION_REPLICATION_SERVER/969cf5258b964a5ba56380da648ac84e/737e69568fb4c359e10000000a441470.html).

-### Known issues

-Here are SAP support notes to resolve known issues on SAP systems:

-### Validation

-To validate your SAP system configurations for ODP, you can run RODPS_REPL_TEST program to test the extraction of your SAPI extractors, CDS views, BW objects, etc., see [Replication test with RODPS_REPL_TEST](https://wiki.scn.sap.com/wiki/display/BI/Replication+test+with+RODPS_REPL_TEST).

-[Prepare the SHIR with the SAP ODP connector](sap-change-data-capture-shir-preparation.md).

-description: This article introduces and describes preparation of the self-hosted integration runtime (SHIR) for SAP change data capture (Preview) in Azure Data Factory.

-# Self-hosted integration runtime (SHIR) preparation for the SAP change data capture (CDC) solution in Azure Data Factory (Preview)

-This article introduces and describes preparation of the self-hosted integration runtime (SHIR) for SAP change data capture (Preview) in Azure Data Factory.

-To prepare SHIR w/ SAP ODP connector, complete the following steps:

-## Create and configure SHIR

-On ADF Studio, create and configure SHIR, see [Create and configure a self-hosted integration runtime](create-self-hosted-integration-runtime.md?tabs=data-factory). You can download our latest private SHIR version w/ improved performance and detailed error messages from [SHIR installation download](https://www.microsoft.com/download/details.aspx?id=39717) and install it on your on-premises/virtual machine.

-The more CPU cores you have on your SHIR machine, the higher your data extraction throughput. For example, our internal test achieved +12 MB/s throughput from running parallel extractions on SHIR machine w/ 16 CPU cores.

-## Download and install the latest 64-bit SAP .NET Connector (SAP NCo 3.0)

-Download the latest [64-bit SAP .NET Connector (SAP NCo 3.0)](https://support.sap.com/en/product/connectors/msnet.html) and install it on your SHIR machine. During installation, select the **Install Assemblies to GAC** option in the **Optional setup steps** window.

-

-## Add required network security rule on your SAP systems

-Add a network security rule on your SAP systems, so SHIR machine can connect to them. If your SAP system is on Azure virtual machine (VM), add the rule by setting the **Source IP addresses/CIDR ranges** property to your SHIR machine IP address and the **Destination port ranges** property to 3200,3300. For example:

-

-## Run PowerShell cmdlet allowing your SHIR to connect to your SAP systems

-On your SHIR machine, run the following PowerShell cmdlet to ensure that it can connect to your SAP systems: Test-NetConnection _&lt;SAP system IP address&gt;_ -port 3300

-## Edit hosts file on SHIR machine to add SAP IP addresses to server names

-On your SHIR machine, edit _C:\Windows\System32\drivers\etc\hosts_ to add mappings of SAP system IP addresses to server names. For example:

-[Prepare the SAP ODP linked service and source dataset](sap-change-data-capture-prepare-linked-service-source-dataset.md).

-# Azure Stack Edge hardware additional terms

-## Availability of the Azure Stack Edge device

-Microsoft isn't obligated to continue to offer the Azure Stack Edge device or any other hardware product in connection with the Service. The Azure Stack Edge device may not be offered in all regions or jurisdictions, and even where it is offered, it may be subject to availability. Microsoft reserves the right to refuse to offer the Azure Stack Edge device to anyone in its sole discretion and judgment.

-## Use of the Azure Stack Edge device

-As part of the Service, Microsoft allows Customer to use the Azure Stack Edge device for as long as Customer has an active subscription to the Service. If Customer no longer has an active subscription and fails to return the Azure Stack Edge device, Microsoft may deem the Azure Stack Edge device as lost as described in the ΓÇ£Title and risk of loss; shipment and return responsibilitiesΓÇ¥ section.

-## Title and risk of loss; shipment and return responsibilities

-### Title and risk of loss

-All right, title and interest in each Azure Stack Edge device is and shall remain the property of Microsoft, and except as described in these Additional Terms, no rights are granted to any Azure Stack Edge device (including under any patent, copyright, trade secret, trademark or other proprietary rights). Customer will compensate Microsoft for any loss, damage or destruction to or of any Azure Stack Edge device once it has been delivered by the carrier to CustomerΓÇÖs designated address until the Microsoft-designated carrier accepts the Azure Stack Edge device for return delivery, including while it is at any of CustomerΓÇÖs locations (other than expected wear and tear that don't compromise the structure or functionality) or such circumstances as described in the ΓÇ£Responsibilities if a government customer moves an Azure Stack Edge device between customerΓÇÖs locationsΓÇ¥ section. Customer is responsible for inspecting the Azure Stack Edge device upon receipt from the carrier and for promptly reporting any damages to Microsoft Support at [adbeops@microsoft.com](mailto:adbeops@microsoft.com).

-If Customer prefers to arrange CustomerΓÇÖs own pick-up and/or return of the Azure Stack Edge device pursuant to the ΓÇ£Shipment and return of Azure Stack Edge deviceΓÇ¥ section below, Customer is responsible for the entire risk of loss of, or any damage to the Azure Stack Edge device until it has been returned to and accepted by Microsoft.

-Microsoft may charge Customer for a lost device fee for the Azure Stack Edge device (or equivalent) as described on the pricing pages for the specific Azure Stack Edge device models under the **FAQ** section at https://azure.microsoft.com/pricing/details/azure-stack/edge/ for the following reasons: (i) the Azure Stack Edge device is lost or materially damaged while it is CustomerΓÇÖs responsibility as described above, (ii) Customer does not provide the Azure Stack Edge device to the Microsoft-designated carrier for return or return the Azure Stack Edge device pursuant to the ΓÇ£Shipment and return of Azure Stack Edge deviceΓÇ¥ section below within 30 days from the end of CustomerΓÇÖs use of the Service. Microsoft reserves the right to change the fee charged for lost or damaged devices, including charging different amounts for different device form factors.

-### Shipment and return of Azure Stack Edge device

-Customer will be responsible for a one-time metered shipping fee for the shipment of the Azure Stack Edge device from Microsoft to Customer and return shipping of the same, in addition to any metered amounts for carrier charges, any taxes, or applicable customs fees. When returning an Azure Stack Edge device to Microsoft, Customer will package and ship the same in accordance with MicrosoftΓÇÖs instructions, including using a carrier designated by Microsoft and the packaging materials provided by Microsoft. If Customer prefers to arrange CustomerΓÇÖs own pick-up and/or return of the same, then Customer is responsible for the costs of shipping the Azure Stack Edge device, including protections against any loss or damage of the Azure Stack Edge device (for example, insurance coverage) while in transit. Customer will package and ship the Azure Stack Edge device in accordance with MicrosoftΓÇÖs packaging instructions. Customer is also responsible to ensure that it removes all CustomerΓÇÖs data from the Azure Stack Edge device prior to returning it to Microsoft, including following any Microsoft-issued processes for wiping or clearing the Azure Stack Edge device.

-### Responsibilities if a government customer moves an Azure Stack Edge device between customerΓÇÖs locations

-Government Customer agrees to comply with and be responsible for all applicable import, export and general trade laws and regulations should Customer decide to transport the Azure Stack Edge device beyond the country border in which Customer receives the Azure Stack Edge device. For clarity, but not limited to, if a government Customer is in possession of an Azure Stack Edge device, only the government Customer may, at government CustomerΓÇÖs sole risk and expense, transport the Azure Stack Edge device to its different locations in accordance with this section and the requirements of the Additional Terms. Customer is responsible for obtaining at CustomerΓÇÖs own risk and expense any export license, import license and other official authorization for the exportation and importation of the Azure Stack Edge device and CustomerΓÇÖs data to any different Customer location. Customer shall also be responsible for customs clearance to any different Customer location, and will bear all duties, taxes, and other official charges payable upon importation as well as all costs and risks of carrying out customs formalities in a timely manner.

-If Customer transports the Azure Stack Edge device to a different location, Customer agrees to return the Azure Stack Edge device to the country location where Customer received it initially, prior to shipping the Azure Stack Edge device back to Microsoft. Customer acknowledges that there are inherent risks in shipping data on and in connection with the Azure Stack Edge device, and that Microsoft will have no liability to Customer for any damage, theft, or loss occurring to an Azure Stack Edge device or any data stored on one, including during transit. It's CustomerΓÇÖs responsibility to obtain the appropriate support agreement from Microsoft to meet CustomerΓÇÖs operating objectives for the Azure Stack Edge device; however, depending on the location to which Customer intends to move the Azure Stack Edge device, MicrosoftΓÇÖs ability to provide hardware servicing and support may be delayed, or may not be available.

-Microsoft will charge Customer specified fees in connection with CustomerΓÇÖs use of the Azure Stack Edge device as part of the Service, with [the current schedule of fees for each Azure Stack Edge model](https://azure.microsoft.com/pricing/details/azure-stack/edge/). Customer may use other Azure services in connection with CustomerΓÇÖs use of the Service, and Microsoft deems such services as separate services that may be subject to separate metered fees and costs. By way of example only, Azure Storage, Azure Compute, and Azure IoT Hub are separate Azure services, and if used (even in connection with its use of the Service), separate Azure metered services will apply.

-# Integrate Azure Purview with Microsoft Defender for Cloud

-**Episode description**: In this episode of Defender for Cloud in the field, David Trigano joins Yuri Diogenes to share the new integration of Microsoft Defender for Cloud with Azure Purview, which was released at Ignite 2021.

-David explains the use case scenarios for this integration and how the data classification is done by Azure Purview can help prioritize recommendations and alerts in Defender for Cloud. David also demonstrates the overall experience of data enrichment based on the information that flows from Azure Purview to Defender for Cloud.

-Learn more about the [integration with Azure Purview](information-protection.md).

-| **PCI Slot 1 (Low profile)**| Quad Port Ethernet NIC| 811546-B21 - HPE 1 GbE 4p BASE-T I350 Adapter SI |

-| **PCI Slot 1 (Low profile)** | DP F/O NIC|727054-B21 - HPE 10 GbE 2p FLR-SFP+ X710 Adapter|

-|**PCI Slot 2 (High profile)**| Quad Port Ethernet NIC|811546-B21 - HPE 1 GbE 4p BASE-T I350 Adapter SI|

-| **PCI Slot 2 (High profile)**|DP F/O NIC| 727054-B21 - HPE 10 GbE 2p FLR-SFP+ X710 Adapter|

-| **PCI Slot 2 (High profile)**|Quad Port F/O NIC| 869585-B21 - HPE 10 GbE 4p SFP+ X710 Adapter SI|

-| **SFPs for Fiber Optic NICs**|MultiMode, Short Range|455883-B21 - HPE BLc 10G SFP+ SR Transceiver|

-**To install iLO software**:

-1. In the dialog box, choose the relevant ISO file.

-# Connect Microsoft Defender for IoT sensors without direct internet access by using a proxy (legacy)

-This article describes how to connect Microsoft Defender for IoT sensors to Defender for IoT via a proxy, with no direct internet access. This article is only relevant if you are using a legacy connection method via your own IoT Hub.

-Starting with sensor software versions 22.1.x, updated connection methods are supported that don't require customers to have their own IoT Hub. For more information, see [Sensor connection methods](architecture-connections.md) and [Connect your sensors to Microsoft Defender for IoT](connect-sensors.md).

-We recommend that you use the procedures in this article only if you are using a legacy sensor version lower than 22.1.x.

-For this scenario we'll be installing, and configuring the latest version of [Squid](http://www.squid-cache.org/) on an Ubuntu 18 server.

-> Microsoft Defender for IoT does not offer support for Squid or any other proxy service.

-You can migrate an instance of Azure Database for MySQL ΓÇô Single Server to Azure Database for MySQL ΓÇô Flexible Server by using Azure Database Migration Service (DMS), a fully managed service designed to enable seamless migrations from multiple database sources to Azure data platforms. In this tutorial, weΓÇÖll perform an offline migration of a sample database from an Azure Database for MySQL single server to a MySQL flexible server (both running version 5.7) using a DMS migration activity.

-> DMS supports migrating from lower version MySQL servers (v5.6 and above) to higher versions. In addition, DMS supports cross-region, cross-resource group, and cross-subscription migrations, so you can select a different region, resource group, and subscription for the target server than that specified for your source server.

-In this tutorial, you will learn how to:

-* When migrating non-table objects, DMS does not support renaming databases.

-* When migrating the schema, DMS does not support creating a database on the target server.

-* Currently, DMS does not support migrating the DEFINER clause for objects. All object types with definers on the source are dropped and after the migration the default definer for tables will be set to the login used to run the migration.

-* Currently, DMS only supports migrating a schema as part of data movement. If nothing is selected for data movement, the schema migration will not occur. Note that selecting a table for schema migration also selects it for data movement.

-DMS supports cross-region, cross-resource group, and cross-subscription migrations, so you are free to select appropriate region, resource group and subscription for your target flexible server. Before you create your target flexible server, consider the following configuration guidance to help ensure faster data loads using DMS.

-* Select the compute size and compute tier for the target flexible server based on the source single serverΓÇÖs pricing tier and VCores as in the following table:

-* For network connectivity, on the Networking tab, if the source single server has private endpoints or private links configured, select Private Access; otherwise, select Public Access.

-* Next to configure the newly created target flexible server, proceed as follows:

- Keep in mind that some privileges may be necessary depending on the contents of the views. Please refer to the MySQL docs specific to your version for ΓÇ£CREATE VIEW STATEMENTΓÇ¥ for details

- * max_allowed_packet ΓÇô set to 1073741824 (i.e., 1GB) to prevent any connection issues due to large rows.

-01. In the Azure portal, select + **Create a resource**, search for the term ΓÇ£Azure Database Migration ServiceΓÇ¥, and then select **Azure Database Migration Service** from the drop-down list.

-02. On the **Azure Database Migration Service** screen, select **Create**.

-03. On the **Select migration scenario and Database Migration Service** page, under **Migration scenario**, select **Azure Database for MySQL-Single Server** as the source server type, and then select **Azure Database for MySQL** as target server type, and then select **Select**.

-04. On the **Create Migration Service** page, on the **Basics** tab, under **Project details**, select the appropriate subscription, and then select an existing resource group or create a new one.

-05. Under **Instance details**, specify a name for the service, select a region, and then verify that **Azure** is selected as the service mode.

-06. To the right of **Pricing tier**, select **Configure tier**.

-07. On the Configure page, select the pricing tier and number of vCores for your DMS instance, and then select Apply.

-08. On the **Create Migration Service** page, select **Next : Networking >>**.

-09. On the **Networking** tab, select an existing VNet from the list or provide the name of new VNet to create, and then select **Review + Create**.

- > * Ensure that your VNet Network Security Group (NSG) rules don't block the outbound port 443 of ServiceTag for ServiceBus, Storage, and Azure Monitor. For more details about VNet NSG traffic filtering, see [Filter network traffic with network security groups](./../virtual-network/virtual-network-vnet-plan-design-arm.md).

-

-2. In the search results, select the DMS instance that you just created, and then select + **New Migration Project**.

-Selecting this check box prevents Write/Delete operations on the source server during migration, which ensures the data integrity of the target database as the source is migrated. When you make your source server read only as part of the migration process, all the databases on the source server, regardless of whether they are selected for migration, will be read-only.

-6. Select **Next : Select databases>>** to navigate to the Select tables tab.

- If you select a table in the source database that doesnΓÇÖt exist on the target database, the box under **Migrate schema** is selected by default. For tables that do exist in the target database, a note indicates that the selected table already contains data and will be truncated. In addition, if the schema of a table on the target server does not match the schema on the source, the table will be dropped before the migration continues.

- DMS validates your inputs, and if the validation passes, you will be able to start the migration.

-* If you scaled-up the target flexible server for faster migration, scale it back by selecting the compute size and compute tier for the target flexible server based on the source single serverΓÇÖs pricing tier and VCores as in the table below.

-You can migrate an instance of Azure Database for MySQL ΓÇô Single Server to Azure Database for MySQL ΓÇô Flexible Server by using Azure Database Migration Service (DMS), a fully managed service designed to enable seamless migrations from multiple database sources to Azure data platforms. In this tutorial, weΓÇÖll perform an online migration of a sample database from an Azure Database for MySQL single server to a MySQL flexible server (both running version 5.7) using a DMS migration activity.

-> DMS online migration is now in Preview. DMS supports migration for MySQL versions - 5.7 and 8.0, and also supports migration from lower version MySQL servers (v5.7 and above) to higher versions. In addition, DMS supports cross-region, cross-resource group, and cross-subscription migrations, so you can select a different region, resource group, and subscription for the target server than that specified for your source server.

-In this tutorial, you will learn how to:

- * Use the MySQL command line tool of your choice to determine whether log_bin is enabled on the source server. The Binlog is not always turned on by default, so verify that it is enabled before starting the migration. To determine whether log_bin is enabled on the source server, run the command: SHOW VARIABLES LIKE 'log_binΓÇÖ

- * Ensure that the user has ΓÇ£REPLICATION CLIENTΓÇ¥ and ΓÇ£REPLICATION SLAVEΓÇ¥ permission on source server for reading and applying the bin log.

- * If you're targeting a replicate changes migration, configure the binlog_expire_logs_seconds parameter on the source server to ensure that binlog files are not purged before the replica commits the changes. We recommend at least two days to start. After a successful cutover, the value can be reset.

- * If migrating views, user must have the ΓÇ£SHOW VIEWΓÇ¥ privilege.

- * If migrating triggers, user must have the ΓÇ£TRIGGERΓÇ¥ privilege.

- * If migrating events, the user must have the ΓÇ£EVENTΓÇ¥ privilege for the database from which the event is to be shown.

-* When migrating non-table objects, DMS does not support renaming databases.

-* When migrating the schema, DMS does not support creating a database on the target server.

-* Currently, DMS does not support migrating the DEFINER clause for objects. All object types with definers on the source are dropped and after the migration the default definer for tables will be set to the login used to run the migration.

-* Currently, DMS only supports migrating a schema as part of data movement. If nothing is selected for data movement, the schema migration will not occur. Note that selecting a table for schema migration also selects it for data movement.

-* Online migration only replicates DML changes; replicating DDL changes is not supported. Do not make any schema changes to the source while replication is in progress.

-DMS supports cross-region, cross-resource group, and cross-subscription migrations, so you are free to select appropriate region, resource group and subscription for your target flexible server. Before you create your target flexible server, consider the following configuration guidance to help ensure faster data loads using DMS.

-* Select the compute size and compute tier for the target flexible server based on the source single serverΓÇÖs pricing tier and VCores as in the following table:

-\* For the migration, select General Purpose 16 VCores compute for the target flexible server for faster migrations. Scale back to the desired compute size for the target server after migration is complete by following the compute size recommendation in the Performing post-migration activities section later in this article.

-With these best practices in mind, create your target flexible server and then configure it.

-* Next to configure the newly created target flexible server, proceed as follows:

- Keep in mind that some privileges may be necessary depending on the contents of the views. Please refer to the MySQL docs specific to your version for ΓÇ£CREATE VIEW STATEMENTΓÇ¥ for details

- * Create a target database with the same name as that on source server, though it need not be populated with tables/views, etc.

- * max_allowed_packet ΓÇô set to 1073741824 (i.e., 1GB) to prevent any connection issues due to large rows.

-01. In the Azure portal, select + **Create a resource**, search for the term ΓÇ£Azure Database Migration ServiceΓÇ¥, and then select **Azure Database Migration Service** from the drop-down list.

-02. On the **Azure Database Migration Service** screen, select **Create**.

-03. On the **Select migration scenario and Database Migration Service** page, under **Migration scenario**, select **Azure Database for MySQL-Single Server** as the source server type, and then select **Azure Database for MySQL** as target server type, and then select **Select**.

-04. On the **Create Migration Service** page, on the **Basics** tab, under **Project details**, select the appropriate subscription, and then select an existing resource group or create a new one.

-05. Under **Instance details**, specify a name for the service, select a region, and then verify that **Azure** is selected as the service mode.

-06. To the right of **Pricing tier**, select **Configure tier**.

-07. On the Configure page, select the pricing tier and number of vCores for your DMS instance, and then select Apply.

-08. On the **Create Migration Service** page, select **Next : Networking >>**.

-09. On the **Networking** tab, select an existing VNet from the list or provide the name of new VNet to create, and then select **Review + Create**.

- > Your vNet must be configured with access to both the source single server and the target flexible server, so be sure to:

- > * Ensure that your VNet Network Security Group (NSG) rules don't block the outbound port 443 of ServiceTag for ServiceBus, Storage, and Azure Monitor. For more details about VNet NSG traffic filtering, see [Filter network traffic with network security groups](./../virtual-network/virtual-network-vnet-plan-design-arm.md).

-

- > If you want to add tags to the service, first select Next : Tags to advance to the Tags tab first. Adding tags to the service is optional.

-2. In the search results, select the DMS instance that you just created, and then select + **New Migration Project**.

-3. On the **New migration project** page, specify a name for the project, in the Source server type selection box, select **Azure Database For MySQL ΓÇô Single Server**, in the Target server type selection box, select **Azure Database For MySQL**, in the **Migration activity type** selection box, select **Online migration**, and then select **Create and run activity**.

- > Selecting Create project only as the migration activity type will only create the migration project; you can then run the migration project at a later time.

-3. Select **Next : Select databases>>**, and then, on the Select databases tab, under [Preview] Select server objects, select the server objects that you want to migrate.

- If you select a database on the source server that doesnΓÇÖt exist on the target database, you will see a warning message ΓÇÿNot available at TargetΓÇÖ and you wonΓÇÖt be able to select the database for migration.

-5. Select **Next : Select databases>>** to navigate to the Select tables tab.

- DMS validates your inputs, and if the validation passes, you will be able to start the migration.

- > You only need to navigate to the Configure migration settings tab if you are trying to troubleshoot failing migrations.

-1. Once the **Initial Load** activity is completed, navigate to the **Initial Load** tab to view the completion status and the number of tables completed.

-2. Once the **Initial Load** activity is completed, you are navigated to the **Replicate Data Changes** tab automatically. You can monitor the migration progress as the screen is auto-refreshed every 30 seconds. Select **Refresh** to update the display and view the seconds behind source as and when needed.

-3. Monitor the **Seconds behind source** and as soon as it nears 0, proceed to start cutover by clicking on the **Start Cutover** menu tab at the top of the migration activity screen. Follow the steps in the cutover window before you are ready to perform a cutover. Once all steps are completed, click on **Confirm** and next click on **Apply**.

-When the migration is complete, be sure to complete the following post-migration activities.

-* Update the connection string to point to the new target flexible server.

-* If you scaled-up the target flexible server for faster migration, scale it back by selecting the compute size and compute tier for the target flexible server based on the source single serverΓÇÖs pricing tier and VCores as in the table below.

-* Clean up Data Migration Service resources:

- 2. Select your migration service instance from the search results and select **Delete service**.

- 3. On the confirmation dialog box, in the **TYPE THE DATABASE MIGRATION SERVICE NAME** textbox, specify the name of the service, and then select **Delete**.

-When performing a migration, be sure to keep the following best practices in mind.

-* For information about Azure Database Migration Service, see the article [What is Azure Database Migration Service?](./dms-overview.md).

-* For information about known issues and limitations when performing migrations using DMS, see the article [Common issues - Azure Database Migration Service](./known-issues-troubleshooting-dms.md).

-* For troubleshooting source database connectivity issues while using DMS, see the article [Issues connecting source databases](./known-issues-troubleshooting-dms-source-connectivity.md).

-`request.timeout.ms` | 60000 | > 20000| Event Hubs will internally default to a minimum of 20,000 ms. *While requests with lower timeout values are accepted, client behavior isn't guaranteed.*. <p>Make sure that your **request.timeout.ms** is at least the recommended value of 60000 and your **session.timeout.ms** is at least the recommended value of 30000. Having these settings too low could cause consumer timeouts, which then cause rebalances (which then cause more timeouts, which cause more rebalancing, and so on).</p>

- if (!uri || !saName || !saKey) {

- throw "Missing required parameter";

- }

- var encoded = encodeURIComponent(uri);

- var now = new Date();

- var week = 60*60*24*7;

- var ttl = Math.round(now.getTime() / 1000) + week;

- var signature = encoded + '\n' + ttl;

- var signatureUTF8 = utf8.encode(signature);

- var hash = crypto.createHmac('sha256', saKey).update(signatureUTF8).digest('base64');

- return 'SharedAccessSignature sr=' + encoded + '&sig=' +

- encodeURIComponent(hash) + '&se=' + ttl + '&skn=' + saName;

-| **[KINX](https://www.kinx.net/service/cloudhub/ms-expressroute/?lang=en)** |Supported |Supported | Seoul |

-| **[SIFY](http://telecom.sify.com/azure-expressroute.html)** |Supported |Supported | Chennai, Mumbai2 |

-description: Learn about Check Point CloudGuard Connect to secure Azure virtual hubs

-# Secure virtual hubs using Check Point Cloudguard Connect

-Check Point CloudGuard Connect is a Trusted Security Partner in Azure Firewall Manager. It protects globally distributed branch office to Internet (B2I) or virtual network to Internet (V2I) connections with advanced threat prevention.

-With a simple configuration in Azure Firewall Manager, you can route branch hub and virtual network connections to the Internet through the CloudGuard Connect security as a service (SECaaS). Traffic is protected in transit from your hub to the Check Point cloud service in IPsec VPN tunnels.

->[!NOTE]

-> This offering provides limited features compared to the [Check Point NVA integration with Virtual WAN](../virtual-wan/about-nva-hub.md#partners). We strongly recommend using this NVA integration to secure your network traffic.

-Watch the following video to see how to deploy Check Point CloudGuard Connect as a trusted Azure security partner.

-An IP Group can have a single IP address, multiple IP addresses, or one or more IP address ranges.

-Rule collection groups have a maximum size of 2 MB. If you need more than 2 MB, you can split the rules into multiple rule collection groups. A Firewall Policy can contain 50 rule collection groups.

- > To learn more about advanced metrics display and sharing options, see [Getting started with Azure Metrics Explorer](/azure/azure/azure/azure-monitor/essentials/metrics-getting-started)