+|  provides authentication, authorization, profile and role management, and delegated B2B SaaS application administration. It also enables role-based access control (RBAC) for end-users of Azure AD B2C.|

+ Title: Configure the Grit IAM B2B2C solution with Azure Active Directory B2C

+description: Learn how to integrate Azure AD B2C authentication with the Grit IAM B2B2C solution

+# Tutorial: Configure the Grit IAM B2B2C solution with Azure Active Directory B2C

+In this tutorial, you learn how to integrate Azure Active Directory B2C (Azure AD B2C) authentication with a [Grit IAM B2B2C](https://www.gritiam.com/b2b2c) solution. You can use the solution to provide secure, reliable, self-serviceable, and user-friendly identity and access management to your customers. Shared profile data such as first name, last name, home address, and email used in web and mobile applications are stored in a centralized manner with consideration to compliance and regulatory needs.

+Use Grit's B2BB2C solution for:

+- Authentication, authorization, profile and role management, and delegated B2B SaaS application administration.

+- Role-based access control for Azure AD B2C applications.

+## Prerequisites

+To get started, ensure the following prerequisites are met:

+- A Grit IAM account. You can go to [Grit IAM B2B2C solution](https://www.gritiam.com/b2b2c) to get a demo.

+- An Azure AD subscription. If you don't have one, you can create a [free Azure account](https://azure.microsoft.com/free/).

+- An Azure AD B2C tenant linked to the Azure subscription. You can learn more at [Tutorial: Create an Azure Active Directory B2C tenant](tutorial-create-tenant.md).

+- Configure your application in the Azure portal.

+## Scenario description

+Contoso does business with end customers and large enterprises, like Fabrikam_big1 and Fabrikam_big2. There're small enterprise customers like Fabrikam_small1 and Fabrikam_small2 and direct business is done with end customers like Smith1 and Smith2.

+*Contoso* has web and mobile applications and develops new applications. The applications rely on user shared profile data such as, first name, last name, address, and email. They want to centralize the profile data, so applications aren't collecting and storing the data. They want to store the profile information in accordance with certain compliance and regulations.

+

+This integration is composed of the following components:

+- **Azure AD B2C Identity Experience Framework (IEF)**: An engine that executes user journeys, which can include validating credentials, performing MFA, checking user access. It's aided by the Azure AD database and the API layer, which's configured using XML.

+- **Grit API layer**: This layer exposes user profile data and metadata about organizations and applications. The data is stored in Azure AD and Cosmos DB.

+- **Grit Onboarding portal**: Used by admins to onboard applications and organizations.

+- **Grit Admin portal**: Used by the *Contoso* admin and by admins of *fabrikam_big1*, and *fabirkam_small1*. Delegated admins can manage users and their access. Super admins of the organizations manage all users.

+- **Grit Visual IEF editor**: A low code/no code editor that customizes the user journey and is provided by Grit. It produces the XML used by IEF. *Contoso* developers use it to customize user journeys.

+- **Applications**: Developed by *Contoso* or third parties. Applications use Open ID or SAML to connect to the customer identity and access management (CIAM) system. The tokens they receive contain user-profile information, but can make API calls, with the token as the auth mechanism, to do user-profile data create, read, update and delete (CRUD) operations.

+> [!NOTE]

+> Components developed by Grit, except the visual IEF editor, will be deployed in the Contoso Azure environment.

+## Configure Grit B2B2C with Azure AD B2C

+Use the guidance provided in the following sections to get started with configuration.

+### Step 1 - Setup infrastructure

+To get started with setup:

+- Contact [Grit support](mailto:info@gritsoftwaresystems.com) to obtain access.

+- For evaluation, the Grit support team will deploy the infrastructure in the Grit Azure subscription and they'll give you admin rights.

+- After you purchase the solution, Grit engineers will install the production version in your Azure subscription.

+- The infrastructure integrates with your virtual network (VNet) setup, supports APIM (third-party API management) and the firewall.

+- Grit implementation engineers can provide custom recommendations based on your infrastructure.

+### Step 2 - Create admins in the Admin Portal

+Use the Grit Admin portal to assign administrators access to the portal where they can perform the following tasks -

+- Add other admins such as super, organization, application admin in the hierarchy depending on their permission level.

+- View/accept/reject all the user's requests for the application registration.

+- Search users.

+To learn how to assign admin roles, check the [tutorial.](https://app.archbee.com/doc/j1VX2J3B3xJ-zMqnmlDA5/9IW3PgI2yn1cCpPGm1vVN)

+### Step 3 - Onboard organizations

+Use the Onboarding portal for one or more of your customers and their identity provider (IdP) that supports OpenID Connect (OIDC) and SAML. Onboard customers without an IdP, for local account authentication. For B2C applications, enable social authentications.

+In the Grit Onboarding portal, create a super admin for the tenant. The Onboarding portal defines the claims per application and per organization. Thereafter, the portal creates an endpoint URL for the sign-in and sign-up user flow.

+To learn how to onboard an organization, check this [tutorial](https://app.archbee.com/doc/G_YZFq_VwvgMlmX-_efmX/8m90WVb2M6Yi0gCe7yor2).

+### Step 4 - Integrate applications using OIDC or SAML

+After you onboard the customer, the Grit Onboarding portal provides URLs to onboard the applications.

+Learn [how your customers can sign up, sign in, and manage their profiles](add-sign-up-and-sign-in-policy.md?pivots=b2c-custom-policy).

+## Test the scenarios

+Check the authentication [scenarios](#scenario-description) in your applications. Use the Grit Admin portal to change roles and user properties. Provide delegated access to Admin portal by inviting users.

+## Next steps

+- [Azure AD B2C custom policy overview](custom-policy-overview.md)

+- [Tutorial: Create user flows and custom policies in Azure Active Directory B2C](custom-policy-get-started.md?tabs=applications)

+- [SAAS Platform - Organization Application Onboarding Portal](https://app.archbee.com/doc/G_YZFq_VwvgMlmX-_efmX/8m90WVb2M6Yi0gCe7yor2)

+- [SAAS Platform - Admin Portal](https://app.archbee.com/doc/j1VX2J3B3xJ-zMqnmlDA5/9IW3PgI2yn1cCpPGm1vVN)

+Before combined registration, users registered authentication methods for Azure AD Multi-Factor Authentication and self-service password reset (SSPR) separately. People were confused that similar methods were used for multifactor authentication and SSPR but they had to register for both features. Now, with combined registration, users can register once and get the benefits of both multifactor authentication and SSPR. We recommend this video on [How to enable and configure SSPR in Azure AD](https://www.youtube.com/watch?v=rA8TvhNcCvQ)

+Combined registration supports the authentication methods and actions in the following table.

+> App passwords are available only to users who have been enforced for Azure AD Multi-Factor Authentication. App passwords are not available to users who are enabled for Azure AD Multi-Factor Authentication by a Conditional Access policy.

+Users can set one of the following options as the default multifactor authentication method.

+For both modes, users who have previously registered a method that can be used for Azure AD Multi-Factor Authentication need to perform multifactor authentication before they can access their security info. Users must confirm their information before continuing to use their previously registered methods.

+Combined registration adheres to both multifactor authentication and SSPR policies, if both are enabled for your tenant. These policies control whether a user is interrupted for registration during sign-in and which methods are available for registration. If only an SSPR policy is enabled, then users will be able to skip the registration interruption and complete it at a later time.

+- *Multifactor Authentication registration enforced through Identity Protection:* Users are asked to register during sign-in. They register multifactor authentication methods and SSPR methods (if the user is enabled for SSPR).

+- *Multifactor Authentication registration enforced through per-user multifactor authentication:* Users are asked to register during sign-in. They register multifactor authentication methods and SSPR methods (if the user is enabled for SSPR).

+- *Multifactor Authentication registration enforced through Conditional Access or other policies:* Users are asked to register when they use a resource that requires multifactor authentication. They register multifactor authentication methods and SSPR methods (if the user is enabled for SSPR).

+When registration is enforced, users are shown the minimum number of methods needed to be compliant with both multifactor authentication and SSPR policies, from most to least secure. Users going through combined registration where both MFA and SSPR registration is enforced and the SSPR policy requires two methods will first be required to register an MFA method as the first method and can select another MFA or SSPR specific method as the second registered method (e.g. email, security questions etc.)

+If you have both multifactor authentication and SSPR enabled, we recommend that you enforce multifactor authentication registration.

+A user has not set up all required security info and goes to the Azure portal. After the user enters the user name and password, the user is prompted to set up security info. The user then follows the steps shown in the wizard to set up the required security info. If your settings allow it, the user can choose to set up methods other than those shown by default. After users complete the wizard, they review the methods they set up and their default method for multifactor authentication. To complete the setup process, the user confirms the info and continues to the Azure portal.

+### Set up other methods after partial registration

+If a user has partially satisfied MFA or SSPR registration due to existing authentication method registrations performed by the user or admin, users will only be asked to register additional information allowed by the Authentication methods policy. If more than one other authentication method is available for the user to choose and register, an option on the registration experience titled **I want to set up another method** will be shown and allow the user to set up their desired authentication method.

+A user who has previously set up at least one method that can be used for multifactor authentication navigates to [https://aka.ms/mysecurityinfo](https://aka.ms/mysecurityinfo). The user changes the current default method to a different default method. When finished, the user sees the new default method on the Security info page.

+description: Block legacy authentication using Azure AD Conditional Access.

+> Effective October 1, 2022, we will begin to permanently disable Basic Authentication for Exchange Online in all Microsoft 365 tenants regardless of usage, except for SMTP Authentication. For more information, see the article [Deprecation of Basic authentication in Exchange Online](/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online)

+The easiest way to block legacy authentication across your entire organization is by configuring a Conditional Access policy that applies specifically to legacy authentication clients and blocks access. When assigning users and applications to the policy, make sure to exclude users and service accounts that still need to sign in using legacy authentication. When choosing the cloud apps in which to apply this policy, select All cloud apps, targeted apps such as Office 365 (recommended) or at a minimum, Office 365 Exchange Online. Organizations can use the policy available in [Conditional Access templates](concept-conditional-access-policy-common.md) or the common policy [Conditional Access: Block legacy authentication](howto-conditional-access-policy-block-legacy.md) as a reference.

+To choose which app consent policy governs user consent for applications, you can use the [Microsoft Graph PowerShell](/powershell/microsoftgraph/get-started?view=graph-powershell-1.0&preserve-view=true) module. The cmdlets used here are included in the [Microsoft.Graph.Identity.SignIns](https://www.powershellgallery.com/packages/Microsoft.Graph.Identity.SignIns) module.

+#### Connect to Microsoft Graph PowerShell

+Connect to Microsoft Graph PowerShell using the least-privilege permission needed. For reading the current user consent settings, use *Policy.Read.All*. For reading and changing the user consent settings, use *Policy.ReadWrite.Authorization*.

+```powershell

+Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"

+```

+Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{

+Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{

+Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{

+With [Microsoft Graph PowerShell](/powershell/microsoftgraph/get-started?view=graph-powershell-1.0&preserve-view=true), you can view and manage app consent policies.

+An app consent policy consists of one or more "include" condition sets and zero or more "exclude" condition sets. For an event to be considered in an app consent policy, it must match *at least* one "include" condition set, and must not match *any* "exclude" condition set.

+1. Connect to [Microsoft Graph PowerShell](/powershell/microsoftgraph/get-started?view=graph-powershell-1.0&preserve-view=true).

+ Connect-MgGraph -Scopes "Policy.ReadWrite.PermissionGrant"

+ Get-MgPolicyPermissionGrantPolicy | ft Id, DisplayName, Description

+1. View the "include" condition sets of a policy:

+ Get-MgPolicyPermissionGrantPolicyInclude -PermissionGrantPolicyId "microsoft-application-admin" | fl

+1. View the "exclude" condition sets:

+ Get-MgPolicyPermissionGrantPolicyExclude -PermissionGrantPolicyId "microsoft-application-admin" | fl

+ New-MgPolicyPermissionGrantPolicy `

+1. Add "include" condition sets.

+ New-MgPolicyPermissionGrantPolicyInclude `

+ -PermissionGrantPolicyId "my-custom-policy" `

+ -ClientApplicationsFromVerifiedPublisherOnly

+1. Optionally, add "exclude" condition sets.

+ $azureApi = Get-MgServicePrincipal -Filter "servicePrincipalNames/any(n:n eq 'https://management.azure.com/')"

+ New-MgPolicyPermissionGrantPolicyExclude `

+ -PermissionGrantPolicyId "my-custom-policy" `

+ Remove-MgPolicyPermissionGrantPolicy -PermissionGrantPolicyId "my-custom-policy"

+| ClientApplicationsFromVerifiedPublisherOnly | Set this switch to only match on client applications with a [verified publishers](../develop/publisher-verification-overview.md). Disable this switch (`-ClientApplicationsFromVerifiedPublisherOnly:$false`) to match on any client app, even if it does not have a verified publisher. Default is `$false`. |

+- For Microsoft Graph, the *RoleManagement.ReadWrite.Directory* permission is required to be able to manage the membership of role-assignable groups. The *Group.ReadWrite.All* permission won't work.

+> | microsoft.directory/deletedItems.devices/delete | Permanently delete devices, which can no longer be restored |

+> | microsoft.directory/deletedItems.devices/restore | Restore soft deleted devices to original state |

+> | microsoft.directory/contacts/create | Create contacts |

+> | microsoft.directory/domains/federation/update | Update federation property of domains |

+> | microsoft.directory/tenantManagement/tenants/create | Create new tenants in Azure Active Directory |

+> | microsoft.directory/lifecycleWorkflows/workflows/allProperties/allTasks | Manage all aspects of lifecycle workflows and tasks in Azure AD |

+> | microsoft.permissionsManagement/allEntities/allProperties/allTasks | Manage all aspects of Entra Permissions Management |

+> | microsoft.directory/lifecycleWorkflows/workflows/allProperties/read | Read all properties of lifecycle workflows and tasks in Azure AD |

+> | microsoft.permissionsManagement/allEntities/allProperties/read | Read all aspects of Entra Permissions Management |

+> | microsoft.directory/deletedItems.devices/delete | Permanently delete devices, which can no longer be restored |

+> | microsoft.directory/deletedItems.devices/restore | Restore soft deleted devices to original state |

+> | microsoft.directory/lifecycleWorkflows/workflows/allProperties/allTasks | Manage all aspects of lifecycle workflows and tasks in Azure AD |

+> | microsoft.directory/domains/federation/update | Update federation property of domains |

+> | microsoft.directory/deletedItems.devices/delete | Permanently delete devices, which can no longer be restored |

+> | microsoft.directory/deletedItems.devices/restore | Restore soft deleted devices to original state |

+ Title: Use Planned Maintenance for your Azure Kubernetes Service (AKS) cluster weekly releases (preview)

+description: Learn how to use Planned Maintenance in Azure Kubernetes Service (AKS) for cluster weekly releases

+# Use Planned Maintenance to schedule maintenance windows for your Azure Kubernetes Service (AKS) cluster exclusively for weekly releases (preview)

+ Planned Maintenance allows you to schedule weekly maintenance windows that will ensure the weekly releases [releases] are controlled. Maintenance Windows are configured using the Azure CLI, allowing you to select from a set of pre-available configurations.

+## Before you begin

+This article assumes that you have an existing AKS cluster. If you need an AKS cluster, see the AKS quickstart [using the Azure CLI][aks-quickstart-cli], [using Azure PowerShell][aks-quickstart-powershell], or [using the Azure portal][aks-quickstart-portal].

+### Limitations

+When using Planned Maintenance, the following restrictions apply:

+- AKS reserves the right to break these windows for unplanned/reactive maintenance operations that are urgent or critical.

+- Currently, performing maintenance operations are considered *best-effort only* and are not guaranteed to occur within a specified window.

+- Updates cannot be blocked for more than seven days.

+## Available pre-created public maintenance configurations for you to pick

+There are 2 general kinds of pre-created public maintenance configurations:

+- For Weekday (Monday, Tuesday, Wednesday, Thursday), from 10 pm to 6 am next morning.

+- For Weekend (Friday, Saturday, Sunday), from 10 pm to 6 am next morning.

+For a list of pre-created public maintenance configurations on the weekday schedule, see below. For weekend schedules, replace `weekday` with `weekend`.

+|Configuration name| Time zone|

+|--|--|

+|aks-mrp-cfg-weekday_utc12|UTC+12|

+|...|...|

+|aks-mrp-cfg-weekday_utc1|UTC+1|

+|aks-mrp-cfg-weekday_utc|UTC+0|

+|aks-mrp-cfg-weekday_utc-1|UTC-1|

+|...|...|

+|aks-mrp-cfg-weekday_utc-12|UTC-12|

+## Assign a public maintenance configuration to an AKS Cluster

+Find the public maintenance configuration ID by name:

+```azurecli-interactive

+az maintenance public-configuration show --resource-name "aks-mrp-cfg-weekday_utc8"

+```

+This call may prompt you to install the `maintenance` extension. Once done, you can proceed:

+The output should look like the below example. Be sure to take note of the `id` field -

+```json

+{

+"duration": "08:00",

+"expirationDateTime": null,

+"extensionProperties": {

+"maintenanceSubScope": "AKS"

+},

+"id": "/subscriptions/0159df5c-b605-45a9-9876-36e17d5286e0/providers/Microsoft.Maintenance/publicMaintenanceConfigurations/aks-mrp-cfg-weekday_utc8",

+"installPatches": null,

+"location": "westus2",

+"maintenanceScope": "Resource",

+"name": "aks-mrp-cfg-weekday_utc8",

+"namespace": "Microsoft.Maintenance",

+"recurEvery": "Week Monday,Tuesday,Wednesday,Thursday",

+"startDateTime": "2022-08-01 22:00",

+"systemData": null,

+"tags": {},

+"timeZone": "China Standard Time",

+"type": "Microsoft.Maintenance/publicMaintenanceConfigurations",

+"visibility": "Public"

+}

+```

+Next, assign the public maintenance configuration to your AKS cluster using the ID:

+```azurecli-interactive

+az maintenance assignment create --maintenance-configuration-id "/subscriptions/0159df5c-b605-45a9-9876-36e17d5286e0/providers/Microsoft.Maintenance/publicMaintenanceConfigurations/aks-mrp-cfg-weekday_utc8" --name assignmentName --provider-name "Microsoft.ContainerService" --resource-group myResourceGroup --resource-name myAKSCluster --resource-type "managedClusters"

+```

+## List all maintenance windows in an existing cluster

+```azurecli-interactive

+az maintenance assignment list --provider-name "Microsoft.ContainerService" --resource-group myResourceGroup --resource-name myAKSCluster --resource-type "managedClusters"

+```

+## Delete a public maintenance configuration of an AKS cluster

+```azurecli-interactive

+az maintenance assignment delete --name assignmentName --provider-name "Microsoft.ContainerService" --resource-group myResourceGroup --resource-name myAKSCluster --resource-type "managedClusters"

+```

+<!-- LINKS - Internal -->

+[aks-quickstart-cli]: ./learn/quick-kubernetes-deploy-cli.md

+[aks-quickstart-portal]: ./learn/quick-kubernetes-deploy-portal.md

+[aks-quickstart-powershell]: ./learn/quick-kubernetes-deploy-powershell.md

+[aks-support-policies]: support-policies.md

+[aks-faq]: faq.md

+[az-extension-add]: /cli/azure/extension#az_extension_add

+[az-extension-update]: /cli/azure/extension#az_extension_update

+[az-feature-list]: /cli/azure/feature#az_feature_list

+[az-feature-register]: /cli/azure/feature#az_feature_register

+[az-aks-install-cli]: /cli/azure/aks#az_aks_install_cli

+[az-provider-register]: /cli/azure/provider#az_provider_register

+[aks-upgrade]: upgrade-cluster.md

+[releases]:release-tracker.md

+ Title: Troubleshoot Dapr extension installation errors

+description: Troubleshoot errors you may encounter while installing the Dapr extension for AKS or Arc for Kubernetes

+# Troubleshoot Dapr extension installation errors

+This article details some common error messages you may encounter while installing the Dapr extension for Azure Kubernetes Service (AKS) or Arc for Kubernetes.

+## Installation failure without an error message

+If the extension fails to create or update without an error message, you can inspect where the creation of the extension failed by running the `az k8s-extension list` command. For example, if a wrong key is used in the configuration-settings, such as `global.ha=false` instead of `global.ha.enabled=false`:

+```azure-cli-interactive

+az k8s-extension list --cluster-type managedClusters --cluster-name myCluster --resource-group myResourceGroup

+```

+The below JSON is returned, and the error message is captured in the `message` property.

+```json

+"statuses": [

+ {

+ "code": "InstallationFailed",

+ "displayStatus": null,

+ "level": null,

+ "message": "Error: {failed to install chart from path [] for release [dapr-1]: err [template: dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_poddisruptionbudget.yaml:1:17: executing \"dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_poddisruptionbudget.yaml\" at <.Values.global.ha.enabled>: can't evaluate field enabled in type interface {}]} occurred while doing the operation : {Installing the extension} on the config",

+ "time": null

+ }

+],

+```

+Another example:

+```azurecli

+az k8s-extension list --cluster-type managedClusters --cluster-name myCluster --resource-group myResourceGroup

+```

+```json

+"statuses": [

+ {

+ "code": "InstallationFailed",

+ "displayStatus": null,

+ "level": null,

+ "message": "The extension operation failed with the following error: unable to add the configuration with configId {extension:microsoft-dapr} due to error: {error while adding the CRD configuration: error {failed to get the immutable configMap from the elevated namespace with err: configmaps 'extension-immutable-values' not found }}. (Code: ExtensionOperationFailed)",

+ "time": null

+ }

+ ]

+```

+For these cases, possible remediation actions are to:

+- [Restart your AKS or Arc for Kubernetes cluster](./start-stop-cluster.md).

+- Make sure you've [registered the `KubernetesConfiguration` service provider](./dapr.md#register-the-kubernetesconfiguration-service-provider).

+- Force delete and [reinstall the Dapr extension](./dapr.md).

+See below for examples of error messages you may encounter during Dapr extension install or update.

+## Error: Dapr version doesn't exist

+You're installing the Dapr extension and [targeting a specific version](./dapr.md#targeting-a-specific-dapr-version), but run into an error message saying the Dapr version doesn't exist.

+```

+(ExtensionOperationFailed) The extension operation failed with the following error: Failed to resolve the extension version from the given values.

+Code: ExtensionOperationFailed

+Message: The extension operation failed with the following error: Failed to resolve the extension version from the given values.

+```

+Try installing again, making sure to use a [supported version of Dapr](./dapr.md#dapr-versions).

+## Error: Dapr version exists, but not in the mentioned region

+Some versions of Dapr aren't available in all regions. If you receive an error message like the following, try installing in an [available region](./dapr.md#cloudsregions) where your Dapr version is supported.

+```

+(ExtensionTypeRegistrationGetFailed) Extension type microsoft.dapr is not registered in region <regionname>.

+Code: ExtensionTypeRegistrationGetFailed

+Message: Extension type microsoft.dapr is not registered in region <regionname>

+```

+## Error: `dapr-system` already exists

+You're installing the Dapr extension for AKS or Arc for Kubernetes, but receive an error message indicating that Dapr already exists. This error message may look like:

+```

+(ExtensionOperationFailed) The extension operation failed with the following error: Error: {failed to install chart from path [] for release [dapr-ext]: err [rendered manifests contain a resource that already exists. Unable to continue with install: ServiceAccount "dapr-operator" in namespace "dapr-system" exists and cannot be imported into the current release: invalid ownership metadata; annotation validation error: key "meta.helm.sh/release-name" must equal "dapr-ext": current value is "dapr"]} occurred while doing the operation : {Installing the extension} on the config

+```

+You need to uninstall Dapr OSS before installing the Dapr extension. For more information, read [Migrate from Dapr OSS](./dapr-migration.md).

+## Next steps

+If you're still running into issues, explore the [AKS troubleshooting guide](./troubleshooting.md) and the [Dapr OSS troubleshooting guide](https://docs.dapr.io/operations/troubleshooting/common_issues/).

+If the extension fails to create or update, try suggestions and solutions in the [Dapr extension troubleshooting guide](./dapr-troubleshooting.md).

+> [!NOTE]

+> ImageCleaner is a feature based on [Eraser](https://github.com/Azure/eraser).

+> On an AKS cluster, the feature name and property name is `ImageCleaner` while the relevant ImageCleaner pods' names contain `Eraser`.

+After the feature is enabled, the `eraser-controller-manager-xxx` pod and `collector-aks-xxx` pod will be deployed.

+A job named `eraser-aks-xxx`will be triggerred which causes ImageCleaner to remove the desired images from all nodes.

+|**Version identifier** | *v1* | Scheme-specific indicator of the version. For **Path**, the suffix for the API URL path. <br/><br/> If **Header** or **Query string** is selected, enter an additional value: the name of the header or query string parameter.<br/><br/> A usage example is displayed. |

+ Title: Quickstart - Create API Management instance - PowerShell

+description: Use this quickstart to create a new Azure API Management instance by using Azure PowerShell cmdlets.

+In this quickstart, you create a new API Management instance by using Azure PowerShell cmdlets.

+Azure API Management helps organizations publish APIs to external, partner, and internal developers to unlock the potential of their data and services. API Management provides the core competencies to ensure a successful API program through developer engagement, business insights, analytics, security, and protection. API Management lets you create and manage modern API gateways for existing backend services hosted anywhere.

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- Azure Cloud Shell or Azure PowerShell

+ [!INCLUDE [cloud-shell-try-it-no-header](../../includes/cloud-shell-try-it-no-header.md)]

+ If you choose to install and use the PowerShell locally, this quickstart requires the Azure PowerShell module version 1.0 or later. Run `Get-Module -ListAvailable Az` to find the version. If you need to upgrade, see [Install Azure PowerShell module](/powershell/azure/install-Az-ps). If you're running PowerShell locally, you also need to run `Connect-AzAccount` to create a connection with Azure.

+## Create an API Management instance

+By default, the command creates the instance in the Developer tier, an economical option to evaluate Azure API Management. This tier isn't for production use. For more information about the API Management tiers, see [Feature-based comparison of the Azure API Management tiers](api-management-features.md).

+CreatedTimeUtc : 9/9/2022 9:07:43 PM

+EnableClientCertificate :

+Zone :

+DisableGateway : False

+MinimalControlPlaneApiVersion :

+PublicIpAddressId :

+PlatformVersion : stv2

+PublicNetworkAccess : Enabled

+PrivateEndpointConnections :

+NAT gateway supports both public IP addresses and public IP prefixes. A NAT gateway can support up to 16 IP addresses across individual IP addresses and prefixes. Each IP address allocates 64,512 ports (SNAT ports) allowing up to 1M available ports. Learn more in the [Scaling section](../../virtual-network/nat-gateway/nat-gateway-resource.md#scalability) of NAT gateway.

+After you choose to investigate the issue further by clicking on a topic, you can view more details about the topic often supplemented with graphs and markdowns. Diagnostic report can be a powerful tool for pinpointing the problem with your app. The following is the Web App Down from Availability and Performance:

+## Migrate to App Service on Linux

+There's a couple approaches when migrating your WordPress app to App Service on Linux. You could use a WP plugin or migrate manually using FTP and a MySQL client. Additional documentation, including [Migrating to App Service](https://github.com/Azure/wordpress-linux-appservice/blob/main/WordPress/wordpress_migration_linux_appservices.md), can be found at [WordPress - App Service on Linux](https://github.com/Azure/wordpress-linux-appservice/tree/main/WordPress).

+This tutorial walks you through the process of building, configuring, deploying, and scaling Java web apps on Azure.

+* [Azure CLI](/cli/azure/overview), installed on your own computer.

+ ```

+> [!IMPORTANT]

+> Be sure you have the H2 JDBC driver installed. You can add it using the following Maven command: `./mvnw quarkus:add-extension -Dextensions="jdbc-h2"`.

+[Quarkus](https://quarkus.io),

+ Title: 'Tutorial: Access data with managed identity in Java'

+description: Secure Azure Database for PostgreSQL connectivity with managed identity from a sample Java Tomcat app, and apply it to other Azure services.

+ms.devlang: java

+# Tutorial: Connect to a PostgreSQL Database from Java Tomcat App Service without secrets using a managed identity

+[Azure App Service](overview.md) provides a highly scalable, self-patching web hosting service in Azure. It also provides a [managed identity](overview-managed-identity.md) for your app, which is a turn-key solution for securing access to [Azure Database for PostgreSQL](/azure/postgresql/) and other Azure services. Managed identities in App Service make your app more secure by eliminating secrets from your app, such as credentials in the environment variables. In this tutorial, you will learn how to:

+> [!div class="checklist"]

+> * Create a PostgreSQL database.

+> * Deploy the sample app to Azure App Service on Tomcat using WAR packaging.

+> * Configure a Spring Boot web application to use Azure AD authentication with PostgreSQL Database.

+> * Connect to PostgreSQL Database with Managed Identity using Service Connector.

+## Prerequisites

+* [Git](https://git-scm.com/)

+* [Java JDK](/azure/developer/java/fundamentals/java-support-on-azure)

+* [Maven](https://maven.apache.org)

+* [Azure CLI](/cli/azure/overview). This quickstart requires that you are running the latest [edge build of Azure CLI](https://github.com/Azure/azure-cli/blob/dev/doc/try_new_features_before_release.md). [Download and install the edge builds](https://github.com/Azure/azure-cli#edge-builds) for your platform.

+## Clone the sample app and prepare the repo

+Run the following commands in your terminal to clone the sample repo and set up the sample app environment.

+```bash

+git clone https://github.com/Azure-Samples/Passwordless-Connections-for-Java-Apps

+cd Passwordless-Connections-for-Java-Apps/Tomcat/checklist/

+```

+## Create an Azure Postgres DB

+Follow these steps to create an Azure Database for Postgres Single Server in your subscription. The Spring Boot app will connect to this database and store its data when running, persisting the application state no matter where you run the application.

+1. Sign into the Azure CLI, and optionally set your subscription if you have more than one connected to your login credentials.

+ ```azurecli-interactive

+ az login

+ az account set --subscription <subscription-ID>

+ ```

+1. Create an Azure Resource Group, noting the resource group name.

+ ```azurecli-interactive

+ RESOURCE_GROUP=<resource-group-name>

+ LOCATION=eastus

+ az group create --name $RESOURCE_GROUP --location $LOCATION

+ ```

+1. Create an Azure Postgres Database server. The server is created with an administrator account, but it won't be used as we'll use the Azure Active Directory (Azure AD) admin account to perform administrative tasks.

+ ```azurecli-interactive

+ POSTGRESQL_ADMIN_USER=azureuser

+ # PostgreSQL admin access rights won't be used as Azure AD authentication is leveraged to administer the database.

+ POSTGRESQL_ADMIN_PASSWORD=<admin-password>

+ POSTGRESQL_HOST=<postgresql-host-name>

+ # Create a PostgreSQL server.

+ az postgres server create \

+ --resource-group $RESOURCE_GROUP \

+ --name $POSTGRESQL_HOST \

+ --location $LOCATION \

+ --admin-user $POSTGRESQL_ADMIN_USER \

+ --admin-password $POSTGRESQL_ADMIN_PASSWORD \

+ --public-network-access 0.0.0.0 \

+ --sku-name B_Gen5_1

+ ```

+1. Create a database for the application.

+ ```azurecli-interactive

+ DATABASE_NAME=checklist

+ az postgres db create \

+ --resource-group $RESOURCE_GROUP \

+ --server-name $POSTGRESQL_HOST \

+ --name $DATABASE_NAME

+ ```

+## Deploy the application to App Service

+Follow these steps to build a WAR file and deploy to Azure App Service on Tomcat using a WAR packaging.

+The changes you made in *application.properties* also apply to the managed identity, so the only thing to do is to remove the existing application settings in App Service.

+1. The sample app contains a *pom-war.xml* file that can generate the WAR file. Run the following command to build the app.

+ ```bash

+ mvn clean package -f pom-war.xml

+ ```

+1. Create an Azure App Service resource on Linux using Tomcat 9.0.

+ ```azurecli-interactive

+ # Create an App Service plan

+ az appservice plan create \

+ --resource-group $RESOURCE_GROUP \

+ --name $APPSERVICE_PLAN \

+ --location $LOCATION \

+ --sku B1 \

+ --is-linux

+ # Create an App Service resource.

+ az webapp create \

+ --resource-group $RESOURCE_GROUP \

+ --name $APPSERVICE_NAME \

+ --plan $APPSERVICE_PLAN \

+ --runtime "TOMCAT:9.0-jre8"

+ ```

+1. Deploy the WAR package to App Service.

+ ```azurecli-interactive

+ az webapp deploy \

+ --resource-group $RESOURCE_GROUP \

+ --name $APPSERVICE_NAME \

+ --src-path target/app.war \

+ --type war

+ ```

+## Connect Postgres Database with identity connectivity

+Next, connect your app to an Postgres Database Single Server with a system-assigned managed identity using Service Connector. To do this, run the [az webapp connection create](/cli/azure/webapp/connection/create#az-webapp-connection-create-postgres) command.

+```azurecli-interactive

+az webapp connection create postgres \

+ --resource-group $RESOURCE_GROUP \

+ --name $APPSERVICE_NAME \

+ --target-resource-group $RESOURCE_GROUP \

+ --server $POSTGRESQL_HOST \

+ --database $DATABASE_NAME \

+ --system-assigned-identity

+```

+This command creates a connection between your web app and your PostgreSQL server, and manages authentication through a system-assigned managed identity.

+## View sample web app

+Run the following command to open the deployed web app in your browser.

+```azurecli-interactive

+az webapp browse \

+ --resource-group $RESOURCE_GROUP \

+ --name MyWebapp \

+ --name $APPSERVICE_NAME

+```

+## Next steps

+Learn more about running Java apps on App Service on Linux in the developer guide.

+> [!div class="nextstepaction"]

+> [Java in App Service Linux dev guide](configure-language-java.md?pivots=platform-linux)

+ MRSIGNER is the hash of the enclave authorΓÇÖs public key which is associated with the private key used to sign the enclave binary. By validating MRSIGNER via an attestation policy, customers can verify if trusted binaries are running inside an enclave. When the policy claim does not match the enclave authorΓÇÖs MRSIGNER, it implies that the enclave binary is not signed by a trusted source and the attestation fails.

+6. a. For Direct Mode - Onboard the Cluster to Azure Arc, then deploys the Controller via the [unified experience](create-data-controller-direct-cli.md?tabs=linux#deployunified-experience)

+## AzureFunctionsWebHost__hostId

+|AzureFunctionsWebHost__hostId|`myuniquefunctionappname123456789`|

+ + [C# (isolated process)](create-first-function-vs-code-csharp.md?tabs=isolated-process)

+- Azure Functions proxies is a legacy feature for versions 1.x through 3.x of the Azure Functions runtime. Support for Functions proxies is being returned in version 4.x so that you can successfully upgrade your function apps to the latest runtime version. As soon as possible, you should instead switch to integrating your function apps with Azure API Management. API Management lets you take advantage of a more complete set of features for defining, securing, managing, and monetizing your Functions-based APIs. For more information, see [API Management integration](functions-proxies.md#api-management-integration). For information about the pending return of proxies in version 4.x, [Monitor the App Service announcements page](https://github.com/Azure/app-service-announcements/issues).

+You can explicitly set a specific host ID for your function app in the application settings by using the `AzureFunctionsWebHost__hostId` setting. For more information, see [AzureFunctionsWebHost__hostId](functions-app-settings.md#azurefunctionswebhost__hostid).

+ Start-Sleep $sleepSeconds

+> - Telemetry isn't sent instantly; items are batched and sent by the ApplicationInsights SDK. Console apps exit after calling `Track()` methods.

+> - Telemetry may not be sent unless `Flush()` and `Sleep`/`Delay` is done before the app exits as shown in [full example](#full-example) later in this article. `Sleep` is not required if you're using `InMemoryChannel`.

+> - **ApplicationInsights.config** is not supported by .NET Core applications.

+ - [Red Hat OpenShift](https://docs.openshift.com/container-platform/latest/welcome/https://docsupdatetracker.net/index.html) version 4.x

+> [!NOTE]

+> To access an Azure NetApp Files volume from an on-premises network via a VNet gateway (ExpressRoute or VPN) and firewall, configure the route table assigned to the VNet gateway to include the `/32` IPv4 address of the Azure NetApp Files volume listed and point to the firewall as the next hop. Using an aggregate address space that includes the Azure NetApp Files volume IP address will not forward the Azure NetApp Files traffic to the firewall.

+* [Manage Azure NetApp Files volume replication with the CLI](/cli/azure/netappfiles/volume/replication)

+### Quickstart examples

+The following example is extracted from a quickstart template, [SQL Server VM with performance optimized storage settings

+](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.attestation/attestation-provider-create/main.bicep):

+```bicep

+@description('Array containing DNS Servers')

+param dnsServers array = []

+...

+resource vnet 'Microsoft.Network/virtualNetworks@2021-02-01' = {

+ name: vnetName

+ location: location

+ properties: {

+ addressSpace: {

+ addressPrefixes: vnetAddressSpace

+ }

+ dhcpOptions: empty(dnsServers) ? null : {

+ dnsServers: dnsServers

+ }

+ ...

+ }

+}

+```

+In the [conditional expression](./operators-logical.md#conditional-expression--), the empty function is used to check whether the **dnsServers** array is an empty array.

+Takes an array of arrays, and returns an array of subarray elements, in the original order. Subarrays are only flattened once, not recursively.

+| arrayToFlattern |Yes |array |The array of subarrays to flatten.|

+### Quickstart examples

+The following example is extracted from a quickstart template, [Deploy API Management in external VNet with public IP

+](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.apimanagement/api-management-create-with-external-vnet-publicip):

+```bicep

+@description('Numbers for availability zones, for example, 1,2,3.')

+param availabilityZones array = [

+ '1'

+ '2'

+]

+resource exampleApim 'Microsoft.ApiManagement/service@2021-08-01' = {

+ name: apiManagementName

+ location: location

+ sku: {

+ name: sku

+ capacity: skuCount

+ }

+ zones: ((length(availabilityZones) == 0) ? null : availabilityZones)

+ ...

+}

+```

+In the [conditional expression](./operators-logical.md#conditional-expression--), the `length` function check the length of the **availabilityZones** array.

+More examples can be found in these quickstart Bicep files:

+- [Backup Resource Manager VMs using Recovery Services vault

+](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.recoveryservices/recovery-services-backup-vms/)

+- [Deploy API Management into Availability Zones](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.apimanagement/api-management-simple-zones)

+- [Create a Firewall and FirewallPolicy with Rules and Ipgroups](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.network/azurefirewall-create-with-firewallpolicy-apprule-netrule-ipgroups)

+- [Create a sandbox setup of Azure Firewall with Zones](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.network/azurefirewall-with-zones-sandbox)

+### Quickstart examples

+The following example is extracted from a quickstart template, [Two VMs in VNET - Internal Load Balancer and LB rules

+](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.compute/2-vms-internal-load-balancer):

+```bicep

+...

+var numberOfInstances = 2

+resource networkInterface 'Microsoft.Network/networkInterfaces@2021-05-01' = [for i in range(0, numberOfInstances): {

+ name: '${networkInterfaceName}${i}'

+ location: location

+ properties: {

+ ...

+ }

+}]

+resource vm 'Microsoft.Compute/virtualMachines@2021-11-01' = [for i in range(0, numberOfInstances): {

+ name: '${vmNamePrefix}${i}'

+ location: location

+ properties: {

+ ...

+ }

+}]

+```

+The Bicep file creates two networkInterface and two virtualMachine resources.

+More examples can be found in these quickstart Bicep files:

+- [Multi VM Template with Managed Disk](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.compute/vm-copy-managed-disks)

+- [Create a VM with multiple empty StandardSSD_LRS Data Disks](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.compute/vm-with-standardssd-disk)

+- [Create a Firewall and FirewallPolicy with Rules and Ipgroups](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.network/azurefirewall-create-with-firewallpolicy-apprule-netrule-ipgroups)

+- [Create an Azure Firewall with IpGroups](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.network/azurefirewall-create-with-ipgroups-and-linux-jumpbox)

+- [Create a sandbox setup of Azure Firewall with Zones](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.network/azurefirewall-with-zones-sandbox)

+- [Create an Azure Firewall with multiple IP public addresses](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.network/fw-docs-qs)

+- [Create a standard load-balancer](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.network/load-balancer-standard-create)

+- [Azure Traffic Manager VM example](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.network/traffic-manager-vm)

+- [Create A Security Automation for specific Alerts](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.security/securitycenter-create-automation-for-alertnamecontains)

+- [SQL Server VM with performance optimized storage settings](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.sqlvirtualmachine/sql-vm-new-storage)

+- [Create a storage account with multiple Blob containers](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.storage/storage-multi-blob-container)

+- [Create a storage account with multiple file shares](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.storage/storage-multi-file-share)

+In this example, the `ProjectGuid`, `RootNamespace` and `AssemblyName` properties contain placeholder values. When you create a project file, a unique GUID is created, and the name values match your project's name.

+resource storageAccount 'Microsoft.Storage/storageAccounts@2022-05-01' = {

+ "apiVersion": "2022-05-01",

+## Azure Container Apps limits

+For Azure Container Apps limits, see [Quotas in Azure Container Apps](../../container-apps/quotas.md).

+# Internet connectivity design considerations

+## Move a Backup vault across Azure subscriptions/resource groups

+**Recommendation**: Ensure that you've selected one of the supported regions to move Backup vaults. See [Supported regions](#supported-regions

+#### UserErrorCrossTenantMSIMoveNotSupported

+**Cause**: This error occurs if the subscription with which resource is associated has moved to a different Tenant, but the Managed Identity is still associated with the old Tenant.

+**Recommendation**: Remove the Managed Identity from the existing Tenant; move the resource and add it again to the new one.

+> [!IMPORTANT]

+> Identities must be configured as user-assigned managed identities. The system-assigned managed identity is available for retrieving [customer-managed keys from Azure KeyVault](batch-customer-managed-key.md), but these are not supported in batch pools.

+1. In the Search box, enter "Confidential Ledger", select said application, and then choose **Create**.

+ - **Name**: Provide a unique name.

+ - **Subscription**: Choose the desired subscription.

+1. You must add an Azure AD-based or Certificate-based user. Search the right-hand pane for your email address. Select your row, and then choose **Select** at the bottom of the pane. Your user profile may already be in the Azure AD-based user section, in which case you cannot add yourself again.

+ Each managed identity that accesses a *different* messaging entity should have a separate connection to that entity. If you use different Service Bus actions to send and receive messages, and those actions require different permissions, make sure to use different connections.

+- [**Generous quotas**](quotas.md) which are overridable to increase limits on a per-account basis.

+ Title: 'Tutorial: Access data with managed identity in Java using Service Connector'

+description: Secure Azure Database for PostgreSQL connectivity with managed identity from a sample Java Quarkus app, and deploy it to Azure Container Apps.

+ms.devlang: java

+# Tutorial: Connect to PostgreSQL Database from a Java Quarkus Container App without secrets using a managed identity

+[Azure Container Apps](overview.md) provides a [managed identity](managed-identity.md) for your app, which is a turn-key solution for securing access to [Azure Database for PostgreSQL](/azure/postgresql/) and other Azure services. Managed identities in Container Apps make your app more secure by eliminating secrets from your app, such as credentials in the environment variables.

+This tutorial walks you through the process of building, configuring, deploying, and scaling Java container apps on Azure. At the end of this tutorial, you'll have a [Quarkus](https://quarkus.io) application storing data in a [PostgreSQL](../postgresql/index.yml) database with a managed identity running on [Container Apps](overview.md).

+What you will learn:

+> [!div class="checklist"]

+> * Configure a Quarkus app to authenticate using Azure Active Directory (Azure AD) with a PostgreSQL Database.

+> * Create an Azure container registry and push a Java app image to it.

+> * Create a Container App in Azure.

+> * Create a PostgreSQL database in Azure.

+> * Connect to a PostgreSQL Database with managed identity using Service Connector.

+## 1. Prerequisites

+* [Azure CLI](/cli/azure/overview). This quickstart requires that you are running the latest [edge build of Azure CLI](https://github.com/Azure/azure-cli/blob/dev/doc/try_new_features_before_release.md). [Download and install the edge builds](https://github.com/Azure/azure-cli#edge-builds) for your platform.

+* [Git](https://git-scm.com/)

+* [Java JDK](/azure/developer/java/fundamentals/java-support-on-azure)

+* [Maven](https://maven.apache.org)

+* [Docker](https://docs.docker.com/get-docker/)

+* [GraalVM](https://www.graalvm.org/downloads/)

+## 2. Create a container registry

+Create a resource group with the [az group create](/cli/azure/group#az-group-create) command. An Azure resource group is a logical container into which Azure resources are deployed and managed.

+The following example creates a resource group named `myResourceGroup` in the East US Azure region.

+```azurecli

+az group create --name myResourceGroup --location eastus

+```

+Create an Azure container registry instance using the [az acr create](/cli/azure/acr#az-acr-create) command. The registry name must be unique within Azure, and contain 5-50 alphanumeric characters. In the following example, `myContainerRegistry007` is used. Update this to a unique value.

+```azurecli

+az acr create \

+ --resource-group myResourceGroup \

+ --name myContainerRegistry007 \

+ --sku Basic

+```

+## 3. Clone the sample app and prepare the container image

+This tutorial uses a sample Fruits list app with a web UI that calls a Quarkus REST API backed by [Azure Database for PostgreSQL](../postgresql/index.yml). The code for the app is available [on GitHub](https://github.com/quarkusio/quarkus-quickstarts/tree/main/hibernate-orm-panache-quickstart). To learn more about writing Java apps using Quarkus and PostgreSQL, see the [Quarkus Hibernate ORM with Panache Guide](https://quarkus.io/guides/hibernate-orm-panache) and the [Quarkus Datasource Guide](https://quarkus.io/guides/datasource).

+Run the following commands in your terminal to clone the sample repo and set up the sample app environment.

+```bash

+git clone https://github.com/quarkusio/quarkus-quickstarts

+cd quarkus-quickstarts/hibernate-orm-panache-quickstart

+```

+### Modify your project

+1. Add the required dependencies to your project's BOM file.

+ ```xml

+ <dependency>

+ <groupId>com.azure</groupId>

+ <artifactId>azure-identity-providers-jdbc-postgresql</artifactId>

+ <version>1.0.0-beta.1</version>

+ </dependency>

+ ```

+1. Configure the Quarkus app properties.

+ The Quarkus configuration is located in the *src/main/resources/application.properties* file. Open this file in your editor, and observe several default properties. The properties prefixed with `%prod` are only used when the application is built and deployed, for example when deployed to Azure App Service. When the application runs locally, `%prod` properties are ignored. Similarly, `%dev` properties are used in Quarkus' Live Coding / Dev mode, and `%test` properties are used during continuous testing.

+ Delete the existing content in *application.properties* and replace with the following to configure the database for dev, test, and production modes:

+ ```properties

+ quarkus.package.type=uber-jar

+ quarkus.hibernate-orm.database.generation=drop-and-create

+ quarkus.datasource.db-kind=postgresql

+ quarkus.datasource.jdbc.max-size=8

+ quarkus.datasource.jdbc.min-size=2

+ quarkus.hibernate-orm.log.sql=true

+ quarkus.hibernate-orm.sql-load-script=import.sql

+ quarkus.datasource.jdbc.acquisition-timeout = 10

+ %dev.quarkus.datasource.username=${AZURE_CLIENT_NAME}@${DBHOST}

+ %dev.quarkus.datasource.jdbc.url=jdbc:postgresql://${DBHOST}.postgres.database.azure.com:5432/${DBNAME}?\

+ authenticationPluginClassName=com.azure.identity.providers.postgresql.AzureIdentityPostgresqlAuthenticationPlugin\

+ &sslmode=require\

+ &azure.clientId=${AZURE_CLIENT_ID}\

+ &azure.clientSecret=${AZURE_CLIENT_SECRET}\

+ &azure.tenantId=${AZURE_TENANT_ID}

+ %prod.quarkus.datasource.username=${AZURE_MI_NAME}@${DBHOST}

+ %prod.quarkus.datasource.jdbc.url=jdbc:postgresql://${DBHOST}.postgres.database.azure.com:5432/${DBNAME}?\

+ authenticationPluginClassName=com.azure.identity.providers.postgresql.AzureIdentityPostgresqlAuthenticationPlugin\

+ &sslmode=require

+ %dev.quarkus.class-loading.parent-first-artifacts=com.azure:azure-core::jar,\

+ com.azure:azure-core-http-netty::jar,\

+ io.projectreactor.netty:reactor-netty-core::jar,\

+ io.projectreactor.netty:reactor-netty-http::jar,\

+ io.netty:netty-resolver-dns::jar,\

+ io.netty:netty-codec::jar,\

+ io.netty:netty-codec-http::jar,\

+ io.netty:netty-codec-http2::jar,\

+ io.netty:netty-handler::jar,\

+ io.netty:netty-resolver::jar,\

+ io.netty:netty-common::jar,\

+ io.netty:netty-transport::jar,\

+ io.netty:netty-buffer::jar,\

+ com.azure:azure-identity::jar,\

+ com.azure:azure-identity-providers-core::jar,\

+ com.azure:azure-identity-providers-jdbc-postgresql::jar,\

+ com.fasterxml.jackson.core:jackson-core::jar,\

+ com.fasterxml.jackson.core:jackson-annotations::jar,\

+ com.fasterxml.jackson.core:jackson-databind::jar,\

+ com.fasterxml.jackson.dataformat:jackson-dataformat-xml::jar,\

+ com.fasterxml.jackson.datatype:jackson-datatype-jsr310::jar,\

+ org.reactivestreams:reactive-streams::jar,\

+ io.projectreactor:reactor-core::jar,\

+ com.microsoft.azure:msal4j::jar,\

+ com.microsoft.azure:msal4j-persistence-extension::jar,\

+ org.codehaus.woodstox:stax2-api::jar,\

+ com.fasterxml.woodstox:woodstox-core::jar,\

+ com.nimbusds:oauth2-oidc-sdk::jar,\

+ com.nimbusds:content-type::jar,\

+ com.nimbusds:nimbus-jose-jwt::jar,\

+ net.minidev:json-smart::jar,\

+ net.minidev:accessors-smart::jar,\

+ io.netty:netty-transport-native-unix-common::jar

+ ```

+### Build and push a Docker image to the container registry

+1. Build the container image.

+ Run the following command to build the Quarkus app image. You must tag it with the fully qualified name of your registry login server. The login server name is in the format *\<registry-name\>.azurecr.io* (must be all lowercase), for example, *myContainerRegistry007.azurecr.io*. Replace the name with your own registry name.

+ ```bash

+ mvnw quarkus:add-extension -Dextensions="container-image-jib"

+ mvnw clean package -Pnative -Dquarkus.native.container-build=true -Dquarkus.container-image.build=true -Dquarkus.container-image.registry=myContainerRegistry007 -Dquarkus.container-image.name=quarkus-postgres-passwordless-app -Dquarkus.container-image.tag=v1

+ ```

+1. Log in to the registry.

+ Before pushing container images, you must log in to the registry. To do so, use the [az acr login][az-acr-login] command. Specify only the registry resource name when signing in with the Azure CLI. Don't use the fully qualified login server name.

+ ```azurecli

+ az acr login --name <registry-name>

+ ```

+ The command returns a `Login Succeeded` message once completed.

+1. Push the image to the registry.

+ Use [docker push][docker-push] to push the image to the registry instance. Replace `myContainerRegistry007` with the login server name of your registry instance. This example creates the `quarkus-postgres-passwordless-app` repository, containing the `quarkus-postgres-passwordless-app:v1` image.

+ ```bash

+ docker push myContainerRegistry007/quarkus-postgres-passwordless-app:v1

+ ```

+## 4. Create a Container App on Azure

+1. Create a Container Apps instance by running the following command. Make sure you replace the value of the environment variables with the actual name and location you want to use.

+ ```azurecli

+ RESOURCE_GROUP="myResourceGroup"

+ LOCATION="eastus"

+ CONTAINERAPPS_ENVIRONMENT="my-environment"

+ az containerapp env create \

+ --resource-group $RESOURCE_GROUP \

+ --name $CONTAINERAPPS_ENVIRONMENT \

+ --location $LOCATION

+ ```

+1. Create a container app with your app image by running the following command. Replace the placeholders with your values. To find the container registry admin account details, see [Authenticate with an Azure container registry](../container-registry/container-registry-authentication.md)

+ ```azurecli

+ CONTAINER_IMAGE_NAME=quarkus-postgres-passwordless-app:v1

+ REGISTRY_SERVER=myContainerRegistry007

+ REGISTRY_USERNAME=<REGISTRY_USERNAME>

+ REGISTRY_PASSWORD=<REGISTRY_PASSWORD>

+ az containerapp create \

+ --resource-group $RESOURCE_GROUP \

+ --name my-container-app \

+ --image $CONTAINER_IMAGE_NAME \

+ --environment $CONTAINERAPPS_ENVIRONMENT \

+ --registry-server $REGISTRY_SERVER \

+ --registry-username $REGISTRY_USERNAME \

+ --registry-password $REGISTRY_PASSWORD

+ ```

+## 5. Create and connect a PostgreSQL database with identity connectivity

+Next, create a PostgreSQL Database Single Server and configure your container app to connect to a PostgreSQL Database with a system-assigned managed identity. The Quarkus app will connect to this database and store its data when running, persisting the application state no matter where you run the application.

+1. Create the database service.

+ ```azurecli

+ DB_SERVER_NAME='msdocs-quarkus-postgres-webapp-db'

+ ADMIN_USERNAME='demoadmin'

+ ADMIN_PASSWORD='<admin-password>'

+ az postgres server create \

+ --resource-group $RESOURCE_GROUP \

+ --name $DB_SERVER_NAME \

+ --location $LOCATION \

+ --admin-user $DB_USERNAME \

+ --admin-password $DB_PASSWORD \

+ --sku-name GP_Gen5_2

+ ```

+ The following parameters are used in the above Azure CLI command:

+ * *resource-group* &rarr; Use the same resource group name in which you created the web app, for example `msdocs-quarkus-postgres-webapp-rg`.

+ * *name* &rarr; The PostgreSQL database server name. This name must be **unique across all Azure** (the server endpoint becomes `https://<name>.postgres.database.azure.com`). Allowed characters are `A`-`Z`, `0`-`9`, and `-`. A good pattern is to use a combination of your company name and server identifier. (`msdocs-quarkus-postgres-webapp-db`)

+ * *location* &rarr; Use the same location used for the web app.

+ * *admin-user* &rarr; Username for the administrator account. It can't be `azure_superuser`, `admin`, `administrator`, `root`, `guest`, or `public`. For example, `demoadmin` is okay.

+ * *admin-password* &rarr; Password of the administrator user. It must contain 8 to 128 characters from three of the following categories: English uppercase letters, English lowercase letters, numbers, and non-alphanumeric characters.

+ > [!IMPORTANT]

+ > When creating usernames or passwords **do not** use the `$` character. Later in this tutorial, you will create environment variables with these values where the `$` character has special meaning within the Linux container used to run Java apps.

+ * *public-access* &rarr; `None` which sets the server in public access mode with no firewall rules. Rules will be created in a later step.

+ * *sku-name* &rarr; The name of the pricing tier and compute configuration, for example `GP_Gen5_2`. For more information, see [Azure Database for PostgreSQL pricing](https://azure.microsoft.com/pricing/details/postgresql/server/).

+1. Create a database named `fruits` within the PostgreSQL service with this command:

+ ```azurecli

+ az postgres db create \

+ --resource-group $RESOURCE_GROUP \

+ --server-name $DB_SERVER_NAME \

+ --name fruits

+ ```

+1. Connect the database to the container app with a system-assigned managed identity, using the connection command.

+ ```azurecli

+ az containerapp connection create postgres \

+ --resource-group $RESOURCE_GROUP \

+ --name my-container-app \

+ --target-resource-group $RESOURCE_GROUP \

+ --server $DB_SERVER_NAME \

+ --database fruits \

+ --managed-identity

+ ```

+## 6. Review your changes

+You can find the application URL(FQDN) by using the following command:

+```azurecli

+az containerapp list --resource-group $RESOURCE_GROUP

+```

+When the new webpage shows your list of fruits, your app is connecting to the database using the managed identity. You should now be able to edit fruit list as before.

+## Next steps

+Learn more about running Java apps on Azure in the developer guide.

+> [!div class="nextstepaction"]

+> [Azure for Java Developers](/java/azure/)

+| Maximum length of SQL query| 512 KB |

+| Maximum explicitly included paths per container| 1500 ¹ |

+| Maximum explicitly excluded paths per container| 1500 ¹ |

+ Title: Configure customer-managed keys for your Azure Cosmos DB account

+description: Learn how to configure customer-managed keys for your Azure Cosmos DB account with Azure Key Vault

+ms.devlang: azurecli

+# Configure customer-managed keys for your Azure Cosmos account with Azure Key Vault

+Data stored in your Azure Cosmos account is automatically and seamlessly encrypted with keys managed by Microsoft (**service-managed keys**). Optionally, you can choose to add a second layer of encryption with keys you manage (**customer-managed keys** or CMK).

+You must store customer-managed keys in [Azure Key Vault](../key-vault/general/overview.md) and provide a key for each Azure Cosmos account that is enabled with customer-managed keys. This key is used to encrypt all the data stored in that account.

+> [!NOTE]

+> Currently, customer-managed keys are available only for new Azure Cosmos accounts. You should configure them during account creation.

+## <a id="register-resource-provider"></a> Register the Azure Cosmos DB resource provider for your Azure subscription

+1. Sign in to the [Azure portal](https://portal.azure.com/), go to your Azure subscription, and select **Resource providers** under the **Settings** tab:

+ :::image type="content" source="./media/how-to-setup-cmk/portal-rp.png" alt-text="Resource providers entry from the left menu":::

+1. Search for the **Microsoft.DocumentDB** resource provider. Verify if the resource provider is already marked as registered. If not, choose the resource provider and select **Register**:

+ :::image type="content" source="./media/how-to-setup-cmk/portal-rp-register.png" alt-text="Registering the Microsoft.DocumentDB resource provider":::

+## Configure your Azure Key Vault instance

+> [!IMPORTANT]

+> Your Azure Key Vault instance must be accessible through public network access or allow trusted Microsoft services to bypass its firewall. An instance that is exclusively accessible through [private endpoints](../key-vault/general/private-link-service.md) cannot be used to host your customer-managed keys.

+Using customer-managed keys with Azure Cosmos DB requires you to set two properties on the Azure Key Vault instance that you plan to use to host your encryption keys: **Soft Delete** and **Purge Protection**.

+If you create a new Azure Key Vault instance, enable these properties during creation:

+If you're using an existing Azure Key Vault instance, you can verify that these properties are enabled by looking at the **Properties** section on the Azure portal. If any of these properties isn't enabled, see the "Enabling soft-delete" and "Enabling Purge Protection" sections in one of the following articles:

+- [How to use soft-delete with PowerShell](../key-vault/general/key-vault-recovery.md)

+- [How to use soft-delete with Azure CLI](../key-vault/general/key-vault-recovery.md)

+## <a id="add-access-policy"></a> Add an access policy to your Azure Key Vault instance

+1. From the Azure portal, go to the Azure Key Vault instance that you plan to use to host your encryption keys. Select **Access Policies** from the left menu:

+ :::image type="content" source="./media/how-to-setup-cmk/portal-akv-ap.png" alt-text="Access policies from the left menu":::

+1. Select **+ Add Access Policy**.

+1. Under the **Key permissions** drop-down menu, select **Get**, **Unwrap Key**, and **Wrap Key** permissions:

+ :::image type="content" source="./media/how-to-setup-cmk/portal-akv-add-ap-perm2.png" alt-text="Selecting the right permissions":::

+1. Under **Select principal**, select **None selected**.

+1. Search for **Azure Cosmos DB** principal and select it (to make it easier to find, you can also search by application ID: `a232010e-820c-4083-83bb-3ace5fc29d0b` for any Azure region except Azure Government regions where the application ID is `57506a73-e302-42a9-b869-6f12d9ec29e9`). If the **Azure Cosmos DB** principal isn't in the list, you might need to re-register the **Microsoft.DocumentDB** resource provider as described in the [Register the resource provider](#register-resource-provider) section of this article.

+ > [!NOTE]

+ > This registers the Azure Cosmos DB first-party-identity in your Azure Key Vault access policy. To replace this first-party identity by your Azure Cosmos DB account managed identity, see [Using a managed identity in the Azure Key Vault access policy](#using-managed-identity).

+1. Choose **Select** at the bottom.

+ :::image type="content" source="./media/how-to-setup-cmk/portal-akv-add-ap.png" alt-text="Select the Azure Cosmos DB principal":::

+1. Select **Add** to add the new access policy.

+1. Select **Save** on the Key Vault instance to save all changes.

+## Generate a key in Azure Key Vault

+1. From the Azure portal, go the Azure Key Vault instance that you plan to use to host your encryption keys. Then, select **Keys** from the left menu:

+ :::image type="content" source="./media/how-to-setup-cmk/portal-akv-keys.png" alt-text="Keys entry from the left menu":::

+1. Select **Generate/Import**, provide a name for the new key, and select an RSA key size. A minimum of 3072 is recommended for best security. Then select **Create**:

+ :::image type="content" source="./media/how-to-setup-cmk/portal-akv-gen.png" alt-text="Create a new key":::

+1. After the key is created, select the newly created key and then its current version.

+1. Copy the key's **Key Identifier**, except the part after the last forward slash:

+ :::image type="content" source="./media/how-to-setup-cmk/portal-akv-keyid.png" alt-text="Copying the key's key identifier":::

+## Create a new Azure Cosmos account

+### Using the Azure portal

+When you create a new Azure Cosmos DB account from the Azure portal, choose **Customer-managed key** in the **Encryption** step. In the **Key URI** field, paste the URI/key identifier of the Azure Key Vault key that you copied from the previous step:

+### <a id="using-powershell"></a> Using Azure PowerShell

+When you create a new Azure Cosmos DB account with PowerShell:

+- Pass the URI of the Azure Key Vault key copied earlier under the **keyVaultKeyUri** property in **PropertyObject**.

+- Use **2019-12-12** or later as the API version.

+> [!IMPORTANT]

+> You must set the `locations` property explicitly for the account to be successfully created with customer-managed keys.

+```powershell

+$resourceGroupName = "myResourceGroup"

+$accountLocation = "West US 2"

+$accountName = "mycosmosaccount"

+$failoverLocations = @(

+ @{ "locationName"="West US 2"; "failoverPriority"=0 }

+)

+$CosmosDBProperties = @{

+ "databaseAccountOfferType"="Standard";

+ "locations"=$failoverLocations;

+ "keyVaultKeyUri" = "https://<my-vault>.vault.azure.net/keys/<my-key>";

+}

+New-AzResource -ResourceType "Microsoft.DocumentDb/databaseAccounts" `

+ -ApiVersion "2019-12-12" -ResourceGroupName $resourceGroupName `

+ -Location $accountLocation -Name $accountName -PropertyObject $CosmosDBProperties

+```

+After the account has been created, you can verify that customer-managed keys have been enabled by fetching the URI of the Azure Key Vault key:

+```powershell

+Get-AzResource -ResourceGroupName $resourceGroupName -Name $accountName `

+ -ResourceType "Microsoft.DocumentDb/databaseAccounts" `

+ | Select-Object -ExpandProperty Properties `

+ | Select-Object -ExpandProperty keyVaultKeyUri

+```

+### Using an Azure Resource Manager template

+When you create a new Azure Cosmos account through an Azure Resource Manager template:

+- Pass the URI of the Azure Key Vault key that you copied earlier under the **keyVaultKeyUri** property in the **properties** object.

+- Use **2019-12-12** or later as the API version.

+> [!IMPORTANT]

+> You must set the `locations` property explicitly for the account to be successfully created with customer-managed keys.

+```json

+{

+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ "accountName": {

+ "type": "string"

+ },

+ "location": {

+ "type": "string"

+ },

+ "keyVaultKeyUri": {

+ "type": "string"

+ }

+ },

+ "resources":

+ [

+ {

+ "type": "Microsoft.DocumentDB/databaseAccounts",

+ "name": "[parameters('accountName')]",

+ "apiVersion": "2019-12-12",

+ "kind": "GlobalDocumentDB",

+ "location": "[parameters('location')]",

+ "properties": {

+ "locations": [

+ {

+ "locationName": "[parameters('location')]",

+ "failoverPriority": 0,

+ "isZoneRedundant": false

+ }

+ ],

+ "databaseAccountOfferType": "Standard",

+ "keyVaultKeyUri": "[parameters('keyVaultKeyUri')]"

+ }

+ }

+ ]

+}

+```

+Deploy the template with the following PowerShell script:

+```powershell

+$resourceGroupName = "myResourceGroup"

+$accountName = "mycosmosaccount"

+$accountLocation = "West US 2"

+$keyVaultKeyUri = "https://<my-vault>.vault.azure.net/keys/<my-key>"

+New-AzResourceGroupDeployment `

+ -ResourceGroupName $resourceGroupName `

+ -TemplateFile "deploy.json" `

+ -accountName $accountName `

+ -location $accountLocation `

+ -keyVaultKeyUri $keyVaultKeyUri

+```

+### <a id="using-azure-cli"></a> Using the Azure CLI

+When you create a new Azure Cosmos account through the Azure CLI, pass the URI of the Azure Key Vault key that you copied earlier under the `--key-uri` parameter.

+```azurecli-interactive

+resourceGroupName='myResourceGroup'

+accountName='mycosmosaccount'

+keyVaultKeyUri = 'https://<my-vault>.vault.azure.net/keys/<my-key>'

+az cosmosdb create \

+ -n $accountName \

+ -g $resourceGroupName \

+ --locations regionName='West US 2' failoverPriority=0 isZoneRedundant=False \

+ --key-uri $keyVaultKeyUri

+```

+After the account has been created, you can verify that customer-managed keys have been enabled by fetching the URI of the Azure Key Vault key:

+```azurecli-interactive

+az cosmosdb show \

+ -n $accountName \

+ -g $resourceGroupName \

+ --query keyVaultKeyUri

+```

+## <a id="using-managed-identity"></a> Using a managed identity in the Azure Key Vault access policy

+This access policy ensures that your encryption keys can be accessed by your Azure Cosmos DB account. The access policy is implemented by granting access to a specific Azure Active Directory (AD) identity. Two types of identities are supported:

+- Azure Cosmos DB's first-party identity can be used to grant access to the Azure Cosmos DB service.

+- Your Azure Cosmos DB account's [managed identity](how-to-setup-managed-identity.md) can be used to grant access to your account specifically.

+### To use a system-assigned managed identity

+Because a system-assigned managed identity can only be retrieved after the creation of your account, you still need to initially create your account using the first-party identity, as described [above](#add-access-policy). Then:

+1. If the system-assigned managed identity wasn't configured during account creation, [enable a system-assigned managed identity](./how-to-setup-managed-identity.md#add-a-system-assigned-identity) on your account and copy the `principalId` that got assigned.

+1. Add a new access policy to your Azure Key Vault account as described [above](#add-access-policy), but using the `principalId` you copied at the previous step instead of Azure Cosmos DB's first-party identity.

+1. Update your Azure Cosmos DB account to specify that you want to use the system-assigned managed identity when accessing your encryption keys in Azure Key Vault. You have two options:

+ - Specify the property in your account's Azure Resource Manager template:

+ ```json

+ {

+ "type": " Microsoft.DocumentDB/databaseAccounts",

+ "properties": {

+ "defaultIdentity": "SystemAssignedIdentity",

+ // ...

+ },

+ // ...

+ }

+ ```

+ - Update your account with the Azure CLI:

+ ```azurecli

+ resourceGroupName='myResourceGroup'

+ accountName='mycosmosaccount'

+

+ az cosmosdb update --resource-group $resourceGroupName --name $accountName --default-identity "SystemAssignedIdentity"

+ ```

+

+1. Optionally, you can then remove the Azure Cosmos DB first-party identity from your Azure Key Vault access policy.

+### To use a user-assigned managed identity

+1. When creating the new access policy in your Azure Key Vault account as described [above](#add-access-policy), use the `Object ID` of the managed identity you wish to use instead of Azure Cosmos DB's first-party identity.

+1. When creating your Azure Cosmos DB account, you must enable the user-assigned managed identity and specify that you want to use this identity when accessing your encryption keys in Azure Key Vault. Options include:

+ - Using an Azure Resource Manager template:

+

+ ```json

+ {

+ "type": "Microsoft.DocumentDB/databaseAccounts",

+ "identity": {

+ "type": "UserAssigned",

+ "userAssignedIdentities": {

+ "<identity-resource-id>": {}

+ }

+ },

+ // ...

+ "properties": {

+ "defaultIdentity": "UserAssignedIdentity=<identity-resource-id>"

+ "keyVaultKeyUri": "<key-vault-key-uri>"

+ // ...

+ }

+ }

+ ```

+ - Using the Azure CLI:

+ ```azurecli

+ resourceGroupName='myResourceGroup'

+ accountName='mycosmosaccount'

+ keyVaultKeyUri = 'https://<my-vault>.vault.azure.net/keys/<my-key>'

+

+ az cosmosdb create \

+ -n $accountName \

+ -g $resourceGroupName \

+ --key-uri $keyVaultKeyUri

+ --assign-identity <identity-resource-id>

+ --default-identity "UserAssignedIdentity=<identity-resource-id>"

+ ```

+

+## Use CMK with continuous backup

+You can create a continuous backup account by using the Azure CLI or an Azure Resource Manager template.

+Currently, only user-assigned managed identity is supported for creating continuous backup accounts.

+### To create a continuous backup account by using the Azure CLI

+```azurecli

+resourceGroupName='myResourceGroup'

+accountName='mycosmosaccount'

+keyVaultKeyUri = 'https://<my-vault>.vault.azure.net/keys/<my-key>'

+az cosmosdb create \

+ -n $accountName \

+ -g $resourceGroupName \

+ --key-uri $keyVaultKeyUri \

+ --locations regionName=<Location> \

+ --assign-identity <identity-resource-id> \

+ --default-identity "UserAssignedIdentity=<identity-resource-id>" \

+ --backup-policy-type Continuous

+```

+### To create a continuous backup account by using an Azure Resource Manager template

+When you create a new Azure Cosmos account through an Azure Resource Manager template:

+- Pass the URI of the Azure Key Vault key that you copied earlier under the **keyVaultKeyUri** property in the **properties** object.

+- Use **2021-11-15** or later as the API version.

+> [!IMPORTANT]

+> You must set the `locations` property explicitly for the account to be successfully created with customer-managed keys as shown in the preceding example.

+```json

+ {

+ "type": "Microsoft.DocumentDB/databaseAccounts",

+ "identity": {

+ "type": "UserAssigned",

+ "userAssignedIdentities": {

+ "<identity-resource-id>": {}

+ }

+ },

+ // ...

+ "properties": {

+ "backupPolicy": { "type": "Continuous" },

+ "defaultIdentity": "UserAssignedIdentity=<identity-resource-id>"

+ "keyVaultKeyUri": "<key-vault-key-uri>"

+ // ...

+ }

+}

+```

+## Customer-managed keys and double encryption

+The data you store in your Azure Cosmos DB account when using customer-managed keys ends up being encrypted twice:

+- Once through the default encryption performed with Microsoft-managed keys.

+- Once through the extra encryption performed with customer-managed keys.

+Double encryption only applies to the main Azure Cosmos DB transactional storage. Some features involve internal replication of your data to a second tier of storage where double encryption isn't provided, even with customer-managed keys. These features include:

+- [Azure Synapse Link](./synapse-link.md)

+- [Continuous backups with point-in-time restore](./continuous-backup-restore-introduction.md)

+

+## Key rotation

+Rotating the customer-managed key used by your Azure Cosmos account can be done in two ways.

+- Create a new version of the key currently used from Azure Key Vault:

+ :::image type="content" source="./media/how-to-setup-cmk/portal-akv-rot.png" alt-text="Screenshot of the New Version option in the Versions page of the Azure portal.":::

+- Swap the key currently used with a different one by updating the key URI on your account. From the Azure portal, go to your Azure Cosmos account and select **Data Encryption** from the left menu:

+ :::image type="content" source="./media/how-to-setup-cmk/portal-data-encryption.png" alt-text="Screenshot of the Data Encryption menu option in the Azure portal.":::

+ Then, replace the **Key URI** with the new key you want to use and select **Save**:

+ :::image type="content" source="./media/how-to-setup-cmk/portal-key-swap.png" alt-text="Screenshot of the Save option in the Key page of the Azure portal.":::

+ Here's how to do achieve the same result in PowerShell:

+ ```powershell

+ $resourceGroupName = "myResourceGroup"

+ $accountName = "mycosmosaccount"

+ $newKeyUri = "https://<my-vault>.vault.azure.net/keys/<my-new-key>"

+

+ $account = Get-AzResource -ResourceGroupName $resourceGroupName -Name $accountName `

+ -ResourceType "Microsoft.DocumentDb/databaseAccounts"

+

+ $account.Properties.keyVaultKeyUri = $newKeyUri

+

+ $account | Set-AzResource -Force

+ ```

+The previous key or key version can be disabled after the [Azure Key Vault audit logs](../key-vault/general/logging.md) don't show activity from Azure Cosmos DB on that key or key version anymore. No more activity should take place on the previous key or key version after 24 hours of key rotation.

+

+## Error handling

+If there are any errors with customer-managed keys in Azure Cosmos DB, Azure Cosmos DB returns the error details along with an HTTP substatus code in the response. You can use the HTTP substatus code to debug the root cause of the issue. See the [HTTP Status Codes for Azure Cosmos DB](/rest/api/cosmos-db/http-status-codes-for-cosmosdb) article to get the list of supported HTTP substatus codes.

+## Frequently asked questions

+### Are there more charges to enable customer-managed keys?

+No, there's no charge to enable this feature.

+### How do customer-managed keys influence capacity planning?

+[Request Units](./request-units.md) consumed by your database operations see an increase to reflect the extra processing required to perform encryption and decryption of your data when using customer-managed keys. The extra RU consumption may lead to slightly higher utilization of your provisioned capacity. Use the table below for guidance:

+| Operation type | Request Unit increase |

+|||

+| Point-reads (fetching items by their ID) | + 5% per operation |

+| Any write operation | + 6% per operation <br/> Approximately + 0.06 RU per indexed property |

+| Queries, reading change feed, or conflict feed | + 15% per operation |

+### What data gets encrypted with the customer-managed keys?

+All the data stored in your Azure Cosmos account is encrypted with the customer-managed keys, except for the following metadata:

+- The names of your Azure Cosmos DB [accounts, databases, and containers](./account-databases-containers-items.md#elements-in-an-azure-cosmos-db-account)

+- The names of your [stored procedures](./stored-procedures-triggers-udfs.md)

+- The property paths declared in your [indexing policies](./index-policy.md)

+- The values of your containers' [partition keys](./partitioning-overview.md)

+### Are customer-managed keys supported for existing Azure Cosmos accounts?

+This feature is currently available only for new accounts.

+### Is it possible to use customer-managed keys with the Azure Cosmos DB [analytical store](analytical-store-introduction.md)?

+Yes, Azure Synapse Link only supports configuring customer-managed keys using your Azure Cosmos DB account's managed identity. You must [use your Azure Cosmos DB account's managed identity](#using-managed-identity) in your Azure Key Vault access policy before [enabling Azure Synapse Link](configure-synapse-link.md#enable-synapse-link) on your account. For a how-to guide on how to enable managed identity and use it in an access policy, see [access Azure Key Vault from Azure Cosmos DB using a managed identity](access-key-vault-managed-identity.md).

+### Is there a plan to support finer granularity than account-level keys?

+Not currently, but container-level keys are being considered.

+### How can I tell if customer-managed keys are enabled on my Azure Cosmos account?

+From the Azure portal, go to your Azure Cosmos account and watch for the **Data Encryption** entry in the left menu; if this entry exists, customer-managed keys are enabled on your account:

+You can also programmatically fetch the details of your Azure Cosmos account and look for the presence of the `keyVaultKeyUri` property. See above for ways to do that [in PowerShell](#using-powershell) and [using the Azure CLI](#using-azure-cli).

+### How do customer-managed keys affect periodic backups?

+Azure Cosmos DB takes [regular and automatic backups](./online-backup-and-restore.md) of the data stored in your account. This operation backs up the encrypted data.

+The following conditions are necessary to successfully restore a periodic backup:

+- The encryption key that you used at the time of the backup is required and must be available in Azure Key Vault. This condition requires that no revocation was made and the version of the key that was used at the time of the backup is still enabled.

+- If you [used a system-assigned managed identity in the access policy](#to-use-a-system-assigned-managed-identity), temporarily [grant access to the Azure Cosmos DB first-party identity](#add-access-policy) before restoring your data. This requirement exists because a system-assigned managed identity is specific to an account and can't be reused in the target account. Once the data is fully restored to the target account, you can set your desired identity configuration and remove the first-party identity from the Key Vault access policy.

+### How do customer-managed keys affect continuous backups?

+Azure Cosmos DB gives you the option to configure [continuous backups](./continuous-backup-restore-introduction.md) on your account. With continuous backups, you can restore your data to any point in time within the past 30 days. To use continuous backups on an account where customer-managed keys are enabled, you must [use a user-assigned managed identity](#to-use-a-user-assigned-managed-identity) in the Key Vault access policy. Azure Cosmos DB first-party identities or system-assigned managed identities aren't currently supported on accounts using continuous backups.

+The following conditions are necessary to successfully perform a point-in-time restore:

+- The encryption key that you used at the time of the backup is required and must be available in Azure Key Vault. This requirement means that no revocation was made and the version of the key that was used at the time of the backup is still enabled.

+- You must ensure that the user-assigned managed identity originally used on the source account is still declared in the Key Vault access policy.

+> [!IMPORTANT]

+> If you revoke the encryption key before deleting your account, your account's backup may miss the data written up to 1 hour before the revocation was made.

+### How do I revoke an encryption key?

+Key revocation is done by disabling the latest version of the key:

+Alternatively, to revoke all keys from an Azure Key Vault instance, you can delete the access policy granted to the Azure Cosmos DB principal:

+### What operations are available after a customer-managed key is revoked?

+The only operation possible when the encryption key has been revoked is account deletion.

+## Next steps

+- Learn more about [data encryption in Azure Cosmos DB](./database-encryption-at-rest.md).

+- Get an overview of [secure access to data in Cosmos DB](secure-access-to-data.md).

+Azure Monitor for Azure Cosmos DB provides a metrics view to monitor your account and create dashboards. The Azure Cosmos DB metrics are collected by default, this feature doesn't require you to enable or configure anything explicitly. The server-side latency metric direct and server-side latency gateway metrics are used to view the server-side latency of an operation in two different connection modes. Use server-side latency gateway metric if your request operation is in gateway connectivity mode. Use server-side latency direct metric if your request operation is in direct connectivity mode. Azure Cosmos DB provides SLA of less than 10 ms for point read/write operations with direct connectivity. For point read and point write operations, the SLAs are calculated as detailed in the [SLA document](https://azure.microsoft.com/support/legal/sl) article.

+* A GET or a SET operation with partition key and ID

+You can look up the diagnostic log to see the size of the data returned. If you see a sustained high latency for query operations, you should look up the diagnostic log for higher [throughput or RU/s](cosmosdb-monitor-logs-basic-queries.md) used. Server side latency shows the amount of time spent on the backend infrastructure before the data was returned to the client. It's important to look at this metric to rule out any backend latency issues.

+1. Next select the **Server Side Latency Gateway** metric from the list of available metrics, if your operation is in gateway connectivity mode. Select the **Server Side Latency Direct** metric, if your operation is in direct connectivity mode. To learn in detail about all the available metrics in this list, see the [Metrics by category](monitor-cosmos-db-reference.md) article. In this example, let's select **Server Side Latency Gateway** and **Avg** as the aggregation value. In addition to these details, you can also select the **Time range** and **Time granularity** of the metrics. At max, you can view metrics for the past 30 days. After you apply the filter, a chart is displayed based on your filter. You can see the server-side latency in gateway connectivity mode per 5 minutes for the selected period.

+You can also filter metrics and get the charts displayed by a specific **CollectionName**, **DatabaseName**, **OperationType**, **Region**, and **PublicAPIType**.

+To filter the metrics, select **Add filter** and choose the required property such as **PublicAPIType** and select the value **Sql**. Select **Apply splitting** for **OperationType**. The graph then displays the server-side latency for different operations in gateway connection mode during the selected period. The operations executed via Stored procedure aren't logged so they aren't available under the OperationType metric.

+> [!NOTE]

+> Requests coming into Azure Cosmos DB donΓÇÖt always target a container. For example, you could create a database inside a globally distributed account and the request will still be recorded for the server-side latency metric. The request is recorded because it does take time to create a database resource, but it does not target a container. If you see that the value of the `CollectionName` metric is `<empty>`, this means that the target is not a container, but another resource in Azure Cosmos DB.

+>

+> As a workaround, you can proactively filter your metrics to a specific container (CollectionName) to exclude requests that aren't specific to the container that's the subject of your query.

+|[Mapping data flow](concepts-data-flow-overview.md) (source/-)|&#9312;, &#9313;|

+- Set up a self-hosted integration runtime. The most recent version can be found in [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=39717). For more information, see [Create and configure a self-hosted integration runtime](create-self-hosted-integration-runtime.md).

+To prepare an SAP CDC dataset, follow [Prepare the SAP CDC source dataset](sap-change-data-capture-prepare-linked-service-source-dataset.md#set-up-the-source-dataset).

+1. For the tabs **Projection**, **Optimize** and **Inspect**, please follow [mapping data flow](concepts-data-flow-overview.md).

+1. If **Run mode** is set to **Full on every run**, the tab **Optimize** offers additional selection and partitioning options. Each partition condition (the screenshot below shows an example with two conditions) will trigger a separate extraction process in the connected SAP system. Up to three of these extraction process are executed in parallel.

+ :::image type="content" source="media/sap-change-data-capture-solution/sap-change-data-capture-mapping-data-flow-optimize-partition.png" alt-text="Screenshot of the partitioning options in optimize of mapping data flow source.":::

+1. Select **Load file**, and then select the generated Resource Manager template. This is the **ARMTemplateForFactory.json** file located in the .zip file exported in step 1.

+| [SAP CDC (Preview)](connector-sap-change-data-capture.md) | | Γ£ô/- | | Can connect to all SAP releases supporting SAP Operational Data Provisioning (ODP). This includes most SAP ECC and SAP BW releases, as well as SAP S/4HANA, SAP BW/4HANA and SAP Landscape Transformation Replication Server (SLT). For details, follow [Overview and architecture of the SAP CDC capabilities (preview)](sap-change-data-capture-introduction-architecture.md) |

+ :::image type="content" source="media/sap-change-data-capture-solution/sap-cdc-new-dataset.png" alt-text="Screenshot that shows creating a new pipeline in the Data Factory Studio Author hub.":::

+### Set up the SAP Landscape Transformation Replication Server

+xxx.xxx.xxx.xxx sapecc01

+yyy.yyy.yyy.yyy sapbw01

+zzz.zzz.zzz.zzz sapnw01

+ 1. Using your preferred method, create a zip of the published files that are located in the *digital-twins-samples-main\AdtSampleApp\SampleFunctionsApp\bin\Release\netcoreapp3.1\publish* directory. Name the zipped folder *publish.zip*.

+1. Use the following command to create a system-managed identity for the function. The output will display details of the identity that's been created. Take note of the **principalId** field in the output to use in the next step.

+ az functionapp identity assign --resource-group <your-resource-group> --name <your-function-app-name>

+Now, to see the results of the data simulation that you've set up, open a new local console window and navigate to *digital-twins-samples-main\DeviceSimulator\DeviceSimulator*.

+## High availability with Azure Availability Zones

+Event Hubs dedicated clusters offer [availability zones](../availability-zones/az-overview.md#availability-zones) support where you can run event streaming workloads in physically separate locations within each Azure region that are tolerant to local failures.

+> [!IMPORTANT]

+> Event Hubs dedicated clusters require at least 8 Capacity Units(CUs) to enable availability zones. Clusters with self-serve scaling does not support availability zones yet. Availability zone support is only available in [Azure regions with availability zones](https://learn.microsoft.com/azure/availability-zones/az-overview#azure-regions-with-availability-zones).

+You can purchase 1, 2, 4, 8 and 16 processing units for each namespace. As the premium tier is a capacity-based offering, the achievable throughput isn't set by a throttle as it is in the standard tier, but depends on the work you ask Event Hubs to do, similar to the dedicated tier. The effective ingest and stream throughput per PU will depend on various factors, including:

+* Number of producers and consumers

+* Payload size

+* Partition count

+* Egress request rate

+* Usage of Event Hubs Capture, Schema Registry, and other advanced features

+For more information, see [comparison between Event Hubs SKUs](event-hubs-quotas.md).

+## High availability with Azure Availability Zones

+Event Hubs premium offers [availability zones](../availability-zones/az-overview.md#availability-zones) support with no extra cost. Using availability zones, you can run event streaming workloads in physically separate locations within each Azure region that are tolerant to local failures.

+> [!IMPORTANT]

+> Availability zone support is only available in [Azure regions with availability zones](https://learn.microsoft.com/azure/availability-zones/az-overview#azure-regions-with-availability-zones).

+## Premium vs. dedicated tiers

+In comparison to the dedicated offering, the premium tier provides the following benefits:

+- Isolation inside a large multi-tenant environment that can shift resources quickly

+- Scale far more elastically and quicker

+- PUs can be dynamically adjusted

+Therefore, the premium tier is often a more cost effective option for event streaming workloads up to 160 MB/sec (per namespace), especially with changing loads throughout the day or week, when compared to the dedicated tier.

+> [!NOTE]

+> For the extra robustness gained by **availability-zone** support, the minimal deployment scale for the dedicated tier is **8 capacity units (CU)**, but you'll have availability zone support in the premium tier from the first PU in all availability zone regions.

+This quickstart shows how to stream into Event Hubs without changing your protocol clients or running your own clusters. You learn how to use your producers and consumers to talk to Event Hubs with just a configuration change in your applications.

+* An Azure subscription. If you don't have one, create a [free account](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio) before you begin.

+* To run this quickstart using managed identity, you need to run it on an Azure virtual machine.

+When you create an Event Hubs namespace, the Kafka endpoint for the namespace is automatically enabled. You can stream events from your applications that use the Kafka protocol into event hubs. Follow step-by-step instructions in the [Create an event hub using Azure portal](event-hubs-create.md) to create an Event Hubs namespace. If you're using a dedicated cluster, see [Create a namespace and event hub in a dedicated cluster](event-hubs-dedicated-cluster-create-portal.md#create-a-namespace-and-event-hub-within-a-cluster).

+### [Passwordless (Recommended)](#tab/passwordless)

+1. Managed identities for Azure resources provide Azure services with an automatically managed identity in Azure Active Directory. You can use this identity to authenticate to any service that supports Azure AD authentication, without having credentials in your code.

+ Azure Event Hubs supports using Azure Active Directory (Azure AD) to authorize requests to Event Hubs resources. With Azure AD, you can use Azure role-based access control (Azure RBAC) to grant permissions to a security principal, which may be a user, or an application service principal.

+ To use Managed Identity, you can create or configure a virtual machine using a system-assigned managed identity. For more information about configuring managed identity on a VM, see [Configure managed identities for Azure resources on a VM using the Azure portal](../active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm.md#system-assigned-managed-identity).

+1. In the virtual machine that you configure managed identity, clone the [Azure Event Hubs for Kafka repository](https://github.com/Azure/azure-event-hubs-for-kafka).

+1. Navigate to *azure-event-hubs-for-kafka/quickstart/java/producer*.

+1. Update the configuration details for the producer in *src/main/resources/producer.config* as follows:

+ After you configure the virtual machine with managed identity, you need to add managed identity to Event Hubs namespace. For that you need to follow these steps.

+ * In the Azure portal, navigate to your Event Hubs namespace. Go to **Access Control (IAM)** in the left navigation.

+ * Select **Add** and select `Add role assignment`.

+ * In the **Role** tab, select **Azure Event Hubs Data Owner**, then select **Next**=.

+ * In the **Members** tab, select the **Managed Identity** radio button for the type to assign access to.

+ * Select the **Select members** link. In the **Managed Identity** dropdown, select **Virtual Machine**, then select your virtual machine's managed identity.

+ * Select **Review + Assign**.

+1. After you configure managed identity, you can update *src/main/resources/producer.config* as shown below.

+ ```xml

+ bootstrap.servers=NAMESPACENAME.servicebus.windows.net:9093

+ security.protocol=SASL_SSL

+ sasl.mechanism=OAUTHBEARER

+ sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required;

+ sasl.login.callback.handler.class=CustomAuthenticateCallbackHandler;

+ ```

+ You can find the source code for the sample handler class CustomAuthenticateCallbackHandler on GitHub [here](https://github.com/Azure/azure-event-hubs-for-kafka/tree/master/tutorials/oauth/java/appsecret/producer/src/main/java).

+1. Run the producer code and stream events into Event Hubs:

+ ```shell

+ mvn clean package

+ mvn exec:java -Dexec.mainClass="TestProducer"

+ ```

+1. Navigate to *azure-event-hubs-for-kafka/quickstart/java/consumer*.

+1. Update the configuration details for the consumer in *src/main/resources/consumer.config* as follows:

+1. Make sure you configure managed identity as mentioned in step 3 and use the following consumer configuration.

+ ```xml

+ bootstrap.servers=NAMESPACENAME.servicebus.windows.net:9093

+ security.protocol=SASL_SSL

+ sasl.mechanism=OAUTHBEARER

+ sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required;

+ sasl.login.callback.handler.class=CustomAuthenticateCallbackHandler;

+ ```

+ You can find the source code for the sample handler class CustomAuthenticateCallbackHandler on GitHub [here](https://github.com/Azure/azure-event-hubs-for-kafka/tree/master/tutorials/oauth/java/appsecret/consumer/src/main/java).

+ You can find all the OAuth samples for Event Hubs for Kafka [here](https://github.com/Azure/azure-event-hubs-for-kafka/tree/master/tutorials/oauth).

+1. Run the consumer code and process events from event hub using your Kafka clients:

+ ```java

+ mvn clean package

+ mvn exec:java -Dexec.mainClass="TestConsumer"

+ ```

+ If your Event Hubs Kafka cluster has events, you now start receiving them from the consumer.

+### [Connection string](#tab/connection-string)

+1. Navigate to *azure-event-hubs-for-kafka/quickstart/java/producer*.

+1. Update the configuration details for the producer in *src/main/resources/producer.config* as follows:

+ ```xml

+ bootstrap.servers=NAMESPACENAME.servicebus.windows.net:9093

+ security.protocol=SASL_SSL

+ sasl.mechanism=PLAIN

+ sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="$ConnectionString" password="{YOUR.EVENTHUBS.CONNECTION.STRING}";

+ ```

+ > [!IMPORTANT]

+ > Replace `{YOUR.EVENTHUBS.CONNECTION.STRING}` with the connection string for your Event Hubs namespace. For instructions on getting the connection string, see [Get an Event Hubs connection string](event-hubs-get-connection-string.md). Here's an example configuration: `sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="$ConnectionString" password="Endpoint=sb://mynamespace.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=XXXXXXXXXXXXXXXX";`

+1. Run the producer code and stream events into Event Hubs:

+ ```shell

+ mvn clean package

+ mvn exec:java -Dexec.mainClass="TestProducer"

+ ```

+1. Navigate to *azure-event-hubs-for-kafka/quickstart/java/consumer*.

+1. Update the configuration details for the consumer in *src/main/resources/consumer.config* as follows:

+ ```xml

+ bootstrap.servers=NAMESPACENAME.servicebus.windows.net:9093

+ security.protocol=SASL_SSL

+ sasl.mechanism=PLAIN

+ sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="$ConnectionString" password="{YOUR.EVENTHUBS.CONNECTION.STRING}";

+ ```

+ > [!IMPORTANT]

+ > Replace `{YOUR.EVENTHUBS.CONNECTION.STRING}` with the connection string for your Event Hubs namespace. For instructions on getting the connection string, see [Get an Event Hubs connection string](event-hubs-get-connection-string.md). Here's an example configuration: `sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="$ConnectionString" password="Endpoint=sb://mynamespace.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=XXXXXXXXXXXXXXXX";`

+1. Run the consumer code and process events from event hub using your Kafka clients:

+ ```java

+ mvn clean package

+ mvn exec:java -Dexec.mainClass="TestConsumer"

+ ```

+If your Event Hubs Kafka cluster has events, you will now start receiving them from the consumer.

+When a policy definition is assigned to a scope, Azure Policy determines which resources in that scope should be considered for compliance evaluation. A resource will only be assessed for compliance if it is considered **applicable** to the given policy assignment.

+- Review what a management group is with [Organize your resources with Azure management groups](../../management-groups/overview.md).

+Also you can see the clusters in each workload type, including Spark, HBase, Hive, and Kafka.

+HDInsight service has two main components: a Resource provider and open-source software (OSS) componentscomponents that are deployed on a cluster.

+With export, data is exported in multiple files each containing resources of only one type. No individual file will exceed 100,000 resource records. The result is that you may get multiple files for a resource type, which will be enumerated (for example, `Patient-1.ndjson`, `Patient-2.ndjson`).

+ Title: IotCentralJsonPathContentTemplate mappings in MedTech service device mappings - Azure Health Data Services

+description: This article describes how IotCentralJsonPathContent mappings with MedTech service device mappings templates.

+> Check out the [IoMT Connector Data Mapper](https://github.com/microsoft/iomt-fhir/tree/master/tools/data-mapper) tool for editing, testing, and troubleshooting the MedTech service device and FHIR destination mappings. Export mappings for uploading to MedTech service in the Azure portal or use with the [open-source version](https://github.com/microsoft/iomt-fhir) of the MedTech service.

+This article describes how to use IoTCentralJsonPathContentTemplate mappings with the MedTech service device mappings.

+In this article, you learned how to use IotCentralJsonPathContentTemplate with your MedTech service device mappings. To learn how to use FHIR destination mappings, see

+FHIR&#174; is a registered trademark of Health Level Seven International, registered in the U.S. Trademark Office and is used with their permission.

+- Audit logs track activity in your application.

+- Use audit logs to track activity in your IoT Central application.

+> [!TIP]

+> Create and delete operations on API tokens are recorded in the [audit log](howto-use-audit-logs.md).

+> [!NOTE]

+> IoT Central applications have an internal [audit log](howto-use-audit-logs.md) to track activity within the application.

+> [!NOTE]

+> Operations on users and roles are recorded in the IoT Central [audit log](howto-use-audit-logs.md).

+Every user must have a user account before they can sign in and access an application. IoT Central supports Microsoft user accounts, Azure Active Directory accounts, Azure Active Directory groups, and Azure Active Directory service principals. To learn more, see [Microsoft account help](https://support.microsoft.com/products/microsoft-account?category=manage-account) and [Quickstart: Add new users to Azure Active Directory](../../active-directory/fundamentals/add-users-azure-active-directory.md).

+1. To add a user on the **Users** page, choose **+ Assign user**. To add a service principal on the **Users** page, choose **+ Assign service principal**. To add an Azure Active Directory group on the **Users** page, choose **+ Assign group**. Start typing the name of the Active Directory group or service principal to auto-populate the form.

+ > Service principals and Active Directory groups must belong to the same Azure Active Directory tenant as the Azure subscription associated with the IoT Central application.

+The following limitations apply to Azure Active Directory groups and service principals:

+- Total number of Azure Active Directory groups for each IoT Central application can't be more than 20.

+- Total number of unique Azure Active Directory groups from the same Azure Active Directory tenant can't be more than 200 across all IoT Central applications.

+- Service principals that are part of an Azure Active Directory group aren't automatically granted access to the application. The service principals must be added explicitly.

+**Audit log permissions**

+| Name | Dependencies |

+| - | -- |

+| View | None |

+| Full Control | View |

+> [!CAUTION]

+> Any user granted permission to view the audit log can see all log entries even if they don't have permission to view or modify the entities listed in the log. Therefore, any user who can view the log can view the identity of and changes made to any modified entity.

+ Title: Use Azure IoT Central audit logs | Microsoft Docs

+description: Learn how to use audit logs in IoT Central to track changes made in an IoT Central application

+# Administrator

+# Use audit logs to track activity in your IoT Central application

+This article describes how to use audit logs to track who made what changes at what time in your IoT Central applications. You can:

+- Sort the audit log.

+- Filter the audit log.

+- Customize the audit log.

+- Manage access to the audit log.

+The audit log records information about who made a change, information about the modified entity, the action that made change, and when the change was made. The log tracks changes made through the UI, programatically with the REST API, and through the CLI.

+The log records changes to the following IoT Central entities:

+- [Users](howto-manage-users-roles.md#add-users)

+- [Roles](howto-manage-users-roles.md#manage-roles)

+- [API tokens](howto-authorize-rest-api.md#token-types)

+- [Application template export](howto-create-iot-central-application.md#create-and-use-a-custom-application-template)

+- [File upload configuration](howto-configure-file-uploads.md#configure-device-file-uploads)

+- [Application customization](howto-customize-ui.md)

+- [Device enrollment groups](concepts-device-authentication.md)

+- [Device templates](howto-set-up-template.md)

+- [Device lifecycle events](howto-export-to-blob-storage.md#device-lifecycle-changes-format)

+The log records changes made by the following types of user:

+- IoT Central user - the log shows the user's email.

+- API token - the log shows the token name.

+- Azure Active Directory user - the log shows the user email or ID.

+- Service principal - the log shows the service principal name.

+The log stores data for 30 days, after which it's no longer available.

+The following screenshot shows the audit log view with the location of the sorting and filtering controls highlighted:

+## Customize the log

+Select **Column options** to customize the audit log view. You can add and remove columns, reorder the columns, and change the column widths:

+## Sort the log

+You can sort the log into ascending or descending timestamp order. To sort, select **Timestamp**:

+## Filter the log

+To focus on a specific time, filter the log by time range. Select **Edit time range** and specify the range you're interested in:

+To focus on specific entries, filter by entity type or action. Select **Filter** and use the multi-select drop-downs to specify your filter conditions:

+## Manage access

+The built-in **App Administrator** role has access to the audit logs by default. The administrator can grant access to other roles. An administrator can assign either **Full control** or **View** audit log permissions to other roles. To learn more, see [Manage users and roles in your IoT Central application](howto-manage-users-roles.md).

+> [!IMPORTANT]

+> Any user granted permission to view the audit log can see all log entries even if they don't have permission to view or modify the entities listed in the log. Therefore, any user who can view the log can view the identity of and changes made to any modified entity.

+## Next steps

+Now that you've learned how to manage users and roles in your IoT Central application, the suggested next step is to learn how to [Manage IoT Central organizations](howto-create-organizations.md).

+- Use audit logs to track activity in your IoT Central application.

+## Integrate with Azure Pipelines

+Continuous integration and continuous delivery (CI/CD) refers to the process of developing and delivering software in short, frequent cycles using automation pipelines. You can use Azure Pipelines to automate the build, test, and deployment of IoT Central application configurations.

+To learn more, see [Integrate IoT Central into your Azure CI/CD pipeline](howto-integrate-with-devops.md).

+- Use a secure virtual network.

+- Audit logs track activity in the application.

+## Audit logs

+Audit logs let administrators track activity within your IoT Central application. Administrators can see who made what changes at what times. To learn more, see [Use audit logs to track activity in your IoT Central application](howto-use-audit-logs.md).

+

+> The items you see in the left pane depend on your user role. Learn more about [managing users and roles](howto-manage-users-roles.md).

+<!-- TODO: Needs a new screenshot and entry. -->

+ :::image type="content" source="media/overview-iot-central-tour/navigation-bar.png" alt-text="left pane":::

+ **Devices** lets you manage all your devices.

+ **Device groups** lets you view and create collections of devices specified by a query. Device groups are used through the application to perform bulk operations.

+ **Device templates** lets you create and manage the characteristics of devices that connect to your application.

+ **Data explorer** exposes rich capabilities to analyze historical trends and correlate various telemetries from your devices.

+ **Dashboards** displays all application and personal dashboards.

+ **Jobs** lets you manage your devices at scale by running bulk operations.

+ **Rules** lets you create and edit rules to monitor your devices. Rules are evaluated based on device data and trigger customizable actions.

+ **Data export** lets you configure a continuous export to external services such as storage and queues.

+ **Audit logs** lets you view changes made to entities in your application.

+ **Permissions** lets you manage an organization's users, devices and data.

+ **Application** lets you manage your application's settings, billing, users, and roles.

+ **Customization** lets you customize your application appearance.

+ **IoT Central Home** lets you jump back to the IoT Central app manager.

+ :::column-end:::

+IoT Central applications are fully hosted by Microsoft, which reduces the administration overhead of managing your applications. Administrators manage access to your application with [user roles and permissions](howto-administer.md) and track activity by using [audit logs](howto-use-audit-logs.md).

+ Title: Quickstart - Set up Device Provisioning Service in portal

+In this quickstart, you will learn how to set up the IoT Hub Device Provisioning Service in the Azure portal. The IoT Hub Device Provisioning Service enables zero-touch, just-in-time device provisioning to any IoT hub. The Device Provisioning Service enables customers to provision millions of IoT devices in a secure and scalable manner, without requiring human intervention. Azure IoT Hub Device Provisioning Service supports IoT devices with TPM, symmetric key, and X.509 certificate authentications. For more information, please refer to [IoT Hub Device Provisioning Service overview](about-iot-dps.md).

+After importing the certificate, you can view the certificate using the Azure PowerShell [Get-AzKeyVaultCertificate](/powershell/module/az.keyvault/get-azkeyvaultcertificate) cmdlet

+- Review the [Key Vault security overview](../general/security-features.md)

+This document will cover the different configurations for an Azure Key Vault firewall in detail. To follow the step-by-step instructions on how to configure these settings, see [Configure Azure Key Vault networking settings](how-to-azure-key-vault-network-security.md).

+This section will cover the different ways that an Azure Key Vault firewall can be configured.

+By default, when you create a new key vault, the Azure Key Vault firewall is disabled. All applications and Azure services can access the key vault and send requests to the key vault. Note, this configuration does not mean that any user will be able to perform operations on your key vault. The key vault still restricts access to secrets, keys, and certificates stored in key vault by requiring Azure Active Directory authentication and access policy permissions. To understand key vault authentication in more detail see [Authentication in Azure Key Vault](authentication.md). For more information, see [Access Azure Key Vault behind a firewall](access-behind-firewall.md).

+When you enable the Key Vault Firewall, you will be given an option to 'Allow Trusted Microsoft Services to bypass this firewall.' The trusted services list does not cover every single Azure service. For example, Azure DevOps is not on the trusted services list. **This does not imply that services that do not appear on the trusted services list not trusted or insecure.** The trusted services list encompasses services where Microsoft controls all of the code that runs on the service. Since users can write custom code in Azure services such as Azure DevOps, Microsoft does not provide the option to create a blanket approval for the service. Furthermore, just because a service appears on the trusted service list, doesn't mean it is allowed for all scenarios.

+To determine if a service you are trying to use is on the trusted service list, please see the following document [Virtual network service endpoints for Azure Key Vault](overview-vnet-service-endpoints.md#trusted-services).

+If you would like to authorize a particular service to access key vault through the Key Vault Firewall, you can add its IP Address to the key vault firewall allowlist. This configuration is best for services that use static IP addresses or well-known ranges. There is a limit of 1000 CIDR ranges for this case.

+1. Log in to the Azure portal.

+1. Select the resource (specific instance of the service).

+1. Click on the 'Properties' blade under 'Settings'.

+1. Copy this value or range and enter it into the key vault firewall allowlist.

+> When using the Access Policy permission model, if a user has `Contributor` permissions to a key vault management plane, the user can grant themselves access to the data plane by setting a Key Vault access policy. You should tightly control who has `Contributor` role access to your key vaults with the Access Policy permission model to ensure that only authorized persons can access and manage your key vaults, keys, secrets, and certificates. It is recommended to use the new **Role Based Access Control (RBAC) permission model** to avoid this issue. With the RBAC permission model, permission management is limited to 'Owner' and 'User Access Administrator' roles, which allows separation of duties between roles for security operations and general administrative operations.

+oid=$(az ad signed-in-user show --query id -o tsv)

+The [Azure CLI quickstart](quick-create-cli.md) or [Azure PowerShell quickstart](quick-create-powershell.md) demonstrate how to store a single-line secret. You can also use Key Vault to store a multi-line secret, such as a JSON file or RSA private key.

+## Set the secret using Azure CLI

+You can then view the stored secret using the Azure CLI [az keyvault secret show](/cli/azure/keyvault/secret#az-keyvault-secret-show) command.

+```azurecli-interactive

+az keyvault secret show --name "MultilineSecret" --vault-name "<your-unique-keyvault-name>" --query "value"

+```

+The secret will be returned with newlines embedded:

+```bash

+"This is\nmy multi-line\nsecret"

+```

+## Set the secret using Azure Powershell

+You can then view the stored secret using the Azure CLI [az keyvault secret show](/cli/azure/keyvault/secret#az-keyvault-secret-show) command or the Azure PowerShell [Get-AzKeyVaultSecret](/powershell/module/az.keyvault/get-azkeyvaultsecret) cmdlet.

+ Title: Export workflows from ISE to Standard

+description: Export logic app workflows from an integration service environment (ISE) to a Standard logic app using Visual Studio Code.

+ms.suite: integration

+#Customer intent: As a developer, I want to export one or more ISE workflows to a Standard workflow.

+# Export ISE workflows to a Standard logic app (Preview)

+> [!NOTE]

+>

+> This capability is in preview and is subject to the

+> [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+Standard logic app workflows, which run in single-tenant Azure Logic Apps, offer many new and improved capabilities. For example, you get compute isolation, virtual network integration, and private endpoints along with App Services Environment hosting, local development and debugging using Visual Studio Code, low latency with stateless workflows, and more.

+If you want the benefits from Standard workflows, but your workflows run in an integration service environment (ISE), you can now replace your ISE with single-tenant Azure Logic Apps. This switch makes sense for most scenarios that require some ISE capabilities such as isolation and network integration, and can help lower operation costs.

+You can now export logic app workflows from an ISE to a Standard logic app. Using Visual Studio Code and the latest Azure Logic Apps (Standard) extension, you export your logic apps as stateful workflows to a Standard logic app project. You can then locally update, test, and debug your workflows to get them ready for redeployment. When you're ready, you can deploy either directly from Visual Studio Code or through your own DevOps process.

+> [!NOTE]

+>

+> The export capability doesn't migrate your workflows. Instead, this tool replicates artifacts,

+> such as workflow definitions, connections, integration account artifacts, and others. Your source

+> logic app resources, workflows, trigger history, run history, and other data stay intact.

+>

+> You control the export process and your migration journey. You can test and validate your

+> exported workflows to your satisfaction with the destination environment. You choose when

+> to disable or delete your source logic apps.

+This article provides information about the export process and shows how to export your logic app workflows from an ISE to a local Standard logic app project in Visual Studio Code.

+## Known issues and limitations

+- To run the export tool, you must be on the same network as your ISE. So, if your ISE is internal, you have to run the export tool from a Visual Studio Code instance that can access your ISE through the internal network. Otherwise, you can't download the exported package or files.

+- The following logic apps and scenarios are currently ineligible for export:

+ - Consumption workflows in multi-tenant Azure Logic Apps

+ - Logic apps that use custom connectors

+ - Logic apps that use the Azure API Management connector

+ - Logic apps that use the Azure Functions connector

+- The export tool doesn't export any infrastructure information, such as virtual network dependencies or integration account settings.

+- The export tool can export logic app workflows with triggers that have concurrency settings. However, single-tenant Azure Logic Apps ignores these settings.

+- For now, connectors with the **ISE** label deploy as their *managed* versions, which appear in the designer under the **Azure** tab. The export tool will have the capability to export **ISE** connectors as built-in, service provider connectors when the latter gain parity with their ISE versions. The export tool automatically makes the conversion when an **ISE** connector is available to export as a built-in, service provider connector.

+- Currently, connection credentials aren't cloned from source logic app workflows. Before your logic app workflows can run, you'll have to reauthenticate these connections after export.

+## Exportable operation types

+| Operation | JSON type |

+|--|--|

+| Trigger | **Built-in**: `Http`, `HttpWebhook`, `Recurrence`, `manual` (Request) <br><br>**Managed**: `ApiConnection` `ApiConnectionNotification`, `ApiConnectionWebhook` |

+| Action | **Built-in**: `AppendToArrayVariable`, `AppendToStringVariable`, `Compose`, `DecrementVariable`, `Foreach`, `Http`, `HttpWebhook`, `If`, `IncrementVariable`, `InitializeVariable`, `JavaScriptCode`, `Join`, `ParseJson`, `Response`, `Scope`, `Select`, `SetVariable`, `Switch`, `Table`, `Terminate`, `Until`, `Wait` <br><br>- **Managed**: `ApiConnection`, `ApiConnectionWebhook` |

+## Prerequisites

+- An existing ISE with the logic app workflows that you want to export.

+- To include and deploy managed connections in your workflows, you'll need an existing Azure resource group for deploying these connections. This option is recommended only for non-production environments.

+- Review and meet the requirements for [how to set up Visual Studio Code with the Azure Logic Apps (Standard) extension](create-single-tenant-workflows-visual-studio-code.md#prerequisites).

+## Group logic apps for export

+With the Azure Logic Apps (Standard) extension, you can combine multiple ISE-hosted logic app workflows into a single Standard logic app project. In single-tenant Azure Logic Apps, one Standard logic app resource can have multiple workflows. With this approach, you can pre-validate your workflows so that you don't miss any dependencies when you select logic apps for export.

+Consider the following recommendations when you select logic apps for export:

+- Group logic apps where workflows share the same resources, such as integration account artifacts, maps, and schemas, or use resources through a chain of processes.

+- For the organization and number of workflows per logic app, review [Best practices and recommendations](create-single-tenant-workflows-azure-portal.md#best-practices-and-recommendations).

+## Export ISE workflows to a local project

+### Select logic apps for export

+1. In Visual Studio Code, sign in to Azure, if you haven't already.

+1. In the left navigation bar, select **Azure** to open the **Azure** window (Shift + Alt + A), and expand the **Logic Apps (Standard)** extension view.

+ 

+1. On the extension toolbar, select **Export Logic App...**.

+ 

+1. After the **Export** tab opens, select your Azure subscription and ISE instance, and then select **Next**.

+ 

+1. Select the logic apps to export. Each selected logic app appears on the **Selected logic apps** list to the side. When you're done, select **Next**.

+ 

+ > [!TIP]

+ >

+ > You can also search for logic apps and filter on resource group.

+ The export tool starts to validate whether your selected logic apps are eligible for export.

+### Review export validation results

+1. After export validation completes, review the results by expanding the entry for each logic app.

+ - Logic apps that have errors are ineligible for export. You must remove these logic apps from the export list until you fix them at the source. To remove a logic app from the list, select **Back**.

+ For example, **SourceLogicApp2** has an error and can't be exported until fixed:

+ 

+ - Logic apps that pass validation with or without warnings are still eligible for export. To continue, select **Export** if all apps validate successfully, or select **Export with warnings** if apps have warnings.

+ For example, **SourceLogicApp3** has a warning, but you can still continue to export:

+ 

+ The following table provides more information about each validation icon and status:

+ | Validation icon | Validation status |

+ |--|-|

+ |  | Item passed validation, so export can continue without problems to resolve. |

+ |  | Item failed validation, so export can't continue. <br><br>The validation entry for the failed item automatically appears expanded and provides information about the validation failure. |

+ |  | Item passed validation with a warning, but export can continue with required post-export resolution. <br><br>The validation entry for the item with a warning automatically appears expanded and provides information about the warning and required post-export remediation. |

+1. After the **Finish export** section appears, for **Export location**, browse and select a local folder for your new Standard logic app project.

+ 

+1. If your workflow has *managed* connections that you want to deploy, which is only recommended for non-production environments, select **Deploy managed connections**, which shows existing resource groups in your Azure subscription. Select the resource group where you want to deploy the managed connections.

+ 

+1. Under **After export steps**, review any required post-export steps, for example:

+ 

+1. Based on your scenario, select **Export and finish** or **Export with warnings and finish**.

+ The export tool downloads your project to your selected folder location, expands the project in Visual Studio Code, and deploys any managed connections, if you selected that option.

+ 

+1. After this process completes, Visual Studio Code opens a new workspace. You can now safely close the export window.

+1. From your Standard logic app project, open and review the README.md file for the required post-export steps.

+ 

+## Post-export steps

+### Remediation steps

+Some exported logic app workflows require post-export remediation steps to run on the Standard platform.

+1. From your Standard logic app project, open the README.md file, and review the remediation steps for your exported workflows. The export tool generates the README.md file, which contains all the required post-export steps.

+1. Before you make any changes to your source logic app workflow, make sure to test your new Standard logic app resource and workflows.

+### Integration account actions and settings

+If you export actions that depend on an integration account, you have to manually set up your Standard logic app with a reference link to the integration account that contains the required artifacts. For more information, review [Link integration account to a Standard logic app](logic-apps-enterprise-integration-create-integration-account.md#link-account).

+## Project folder structure

+After the export process finishes, your Standard logic app project contains new folders and files alongside most others in a [typical Standard logic app project](create-single-tenant-workflows-visual-studio-code.md).

+The following table describes these new folders and files added by the export process:

+| Folder | File | Description |

+|--||-|

+| .development\\deployment | LogicAppStandardConnections.parameters.json | Azure Resource Manager template parameters file for deploying managed connectors |

+| | LogicAppStandardConnections.template.json | Azure Resource Manager template definition for deploying managed connectors |

+| | LogicAppStandardInfrastructure.parameters.json | Azure Resource Manager template parameters file for deploying Standard logic app resource |

+| | LogicAppStandardInfrastructure.template.json | Azure Resource Manager template definition for deploying Standard logic app resource |

+| .logs\\export | exportReport.json | Export report summary raw file, which includes all the steps required for post-export remediation |

+| | exportValidation.json | Validation report raw file, which includes the validation results for each exported logic app. |

+| | README.md | Markdown file with export results summary, including the created logic apps and all the required next steps. |

+## Next steps

+- [Run, test, and debug locally](create-single-tenant-workflows-visual-studio-code.md#run-test-and-debug-locally)

+Named Entity Recognition (NER)| CLI v2:`text_ner` <br> SDK v2 (preview): `text_ner()`| There are multiple possible tags for tokens in sequences. The task is to predict the tags for all the tokens for each sequence. <br> <br> For example, extracting domain-specific entities from unstructured text, such as contracts or financial documents.

+## Thresholding

+Thresholding is the multi-label feature that allows users to pick the threshold above which the predicted probabilities will lead to a positive label. Lower values allow for more labels, which is better when users care more about recall, but this option could lead to more false positives. Higher values allow fewer labels and hence better for users who care about precision, but this option could lead to more false negatives.

+* If more than 10% of the samples in your dataset contain more than 128 tokens, it's considered long range.

+ * In order to use the long range text feature, you should use a NC6 or higher/better SKUs for GPU such as: [NCv3](../virtual-machines/ncv3-series.md) series or [ND](../virtual-machines/nd-series.md) series.

+In AutoML NLP only hold-out validation is supported and it requires a validation dataset.

+> [!IMPORTANT]

+> SDK v2 is currently in public preview.

+> The preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

+> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+In this article, you will learn how to deploy Triton and a model to a managed online endpoint. Information is provided on using the CLI (command line), Python SDK v2, and Azure Machine Learning studio.

+# [Azure CLI](#tab/azure-cli)

+* A working Python 3.8 (or higher) environment.

+* You must have additional Python packages installed for scoring and may install them with the code below. They include:

+ * Numpy - An array and numerical computing library

+ * [Triton Inference Server Client](https://github.com/triton-inference-server/client) - Facilitates requests to the Triton Inference Server

+ * Pillow - A library for image operations

+ * Gevent - A networking library used when connecting to the Triton Server

+```azurecli

+pip install numpy

+pip install tritonclient[http]

+pip install pillow

+pip install gevent

+```

+# [Python](#tab/python)

+* A working Python 3.8 (or higher) environment.

+* You must have additional Python packages installed for scoring and may install them with the code below. They include:

+ * Numpy - An array and numerical computing library

+ * [Triton Inference Server Client](https://github.com/triton-inference-server/client) - Facilitates requests to the Triton Inference Server

+ * Pillow - A library for image operations

+ * Gevent - A networking library used when connecting to the Triton Server

+ ```azurecli

+ pip install numpy

+ pip install tritonclient[http]

+ pip install pillow

+ pip install gevent

+ ```

+* Access to NCv3-series VMs for your Azure subscription.

+ > [!IMPORTANT]

+ > You may need to request a quota increase for your subscription before you can use this series of VMs. For more information, see [NCv3-series](../virtual-machines/ncv3-series.md).

+The information in this article is based on the [Deploy a model to online endpoints using Triton](https://github.com/Azure/azureml-examples/blob/main/sdk/endpoints/online/triton/single-model/online-endpoints-triton.ipynb) notebook contained in the [azureml-examples](https://github.com/azure/azureml-examples) repository. To run the commands locally without having to copy/paste files, clone the repo and then change directories to the `sdk/endpoints/online/triton/single-model/online-endpoints-triton.ipynb` directory in the repo:

+```azurecli

+git clone https://github.com/Azure/azureml-examples --depth 1

+cd azureml-examples

+cd sdk/endpoints/online/triton/single-model/online-endpoints-triton.ipynb

+```

+# [Studio](#tab/azure-studio)

+* An Azure subscription. If you don't have an Azure subscription, create a free account before you begin. Try the [free or paid version of Azure Machine Learning](https://azure.microsoft.com/free/).

+* An Azure Machine Learning workspace. If you don't have one, use the steps in [Manage Azure Machine Learning workspaces in the portal or with the Python SDK](how-to-manage-workspace.md) to create one.

+

+## Define the deployment configuration

+# [Azure CLI](#tab/azure-cli)

+This section shows how you can deploy to a managed online endpoint using the Azure CLI with the Machine Learning extension (v2).

+1. Create a YAML configuration file for the deployment. The following example configures a deployment named __blue__ to the endpoint defined in the previous step. The one used in the following commands is located at `/cli/endpoints/online/triton/single-model/create-managed-deployment.yml` in the azureml-examples repo you cloned earlier:

+# [Python](#tab/python)

+This section shows how you can define a Triton deployment to deploy to a managed online endpoint using the Azure Machine Learning Python SDK (v2).

+> [!IMPORTANT]

+> For Triton no-code-deployment, **[testing via local endpoints](how-to-deploy-managed-online-endpoints.md#deploy-and-debug-locally-by-using-local-endpoints)** is currently not supported.

+1. To connect to a workspace, we need identifier parameters - a subscription, resource group and workspace name.

+ ```python

+ subscription_id = "<SUBSCRIPTION_ID>"

+ resource_group = "<RESOURCE_GROUP>"

+ workspace_name = "<AML_WORKSPACE_NAME>"

+ ```

+1. Use the following command to set the name of the endpoint that will be created. In this example, a random name is created for the endpoint:

+ ```python

+ import random

+ endpoint_name = f"endpoint-{random.randint(0, 10000)}"

+1. We use these details above in the `MLClient` from `azure.ai.ml` to get a handle to the required Azure Machine Learning workspace. Check the [configuration notebook](https://github.com/Azure/azureml-examples/tree/main/sdk/jobs/configuration.ipynb) for more details on how to configure credentials and connect to a workspace.

+ ```python

+ from azure.ai.ml import MLClient

+ from azure.identity import DefaultAzureCredential

+ ml_client = MLClient(

+ DefaultAzureCredential(),

+ subscription_id,

+ resource_group,

+ workspace_name,

+ )

+ ```

+1. Create a `ManagedOnlineEndpoint` object to configure the endpoint. The following example configures the name and authentication mode of the endpoint.

+ ```python

+ from azure.ai.ml.entities import ManagedOnlineEndpoint

+ endpoint = ManagedOnlineEndpoint(name=endpoint_name, auth_mode="key")

+ ```

+1. Create a `ManagedOnlineDeployment` object to configure the deployment. The following example configures a deployment named __blue__ to the endpoint defined in the previous step and defines a local model inline.

+ ```python

+ from azure.ai.ml.entities import ManagedOnlineDeployment, Model

+

+ model_name = "densenet-onnx-model"

+ model_version = 1

+

+ deployment = ManagedOnlineDeployment(

+ name="blue",

+ endpoint_name=endpoint_name,

+ model=Model(

+ name=model_name,

+ version=model_version,

+ path="./models",

+ type="triton_model"

+ ),

+ instance_type="Standard_NC6s_v3",

+ instance_count=1,

+ )

+ ```

+# [Studio](#tab/azure-studio)

+This section shows how you can define a Triton deployment on a managed online endpoint using [Azure Machine Learning studio](https://ml.azure.com).

+## Deploy to Azure

+# [Azure CLI](#tab/azure-cli)

+1. To create a new endpoint using the YAML configuration, use the following command:

+ :::code language="azurecli" source="~/azureml-examples-main/cli/deploy-triton-managed-online-endpoint.sh" ID="create_endpoint":::

+1. To create the deployment using the YAML configuration, use the following command:

+ :::code language="azurecli" source="~/azureml-examples-main/cli/deploy-triton-managed-online-endpoint.sh" ID="create_deployment":::

+# [Python](#tab/python)

+1. To create a new endpoint using the `ManagedOnlineEndpoint` object, use the following command:

+ ```python

+ endpoint = ml_client.online_endpoints.begin_create_or_update(endpoint)

+ ```

+1. To create the deployment using the `ManagedOnlineDeployment` object, use the following command:

+ ```python

+ ml_client.online_deployments.begin_create_or_update(deployment)

+ ```

+1. Once the deployment completes, its traffic value will be set to `0%`. Update the traffic to 100%.

+ ```python

+ endpoint.traffic = {"blue": 100}

+ ml_client.online_endpoints.begin_create_or_update(endpoint)

+ ```

+# [Studio](#tab/azure-studio)

+1. Complete the wizard to deploy to the endpoint.

+ :::image type="content" source="media/how-to-deploy-with-triton/review-screen-triton.png" lightbox="media/how-to-deploy-with-triton/review-screen-triton.png" alt-text="Screenshot showing NCD review screen":::

+1. Once the deployment completes, its traffic value will be set to `0%`. Update the traffic to 100% from the Endpoint page by clicking `Update Traffic` on the second menu row.

+## Test the endpoint

+# [Azure CLI](#tab/azure-cli)

+Once your deployment completes, use the following command to make a scoring request to the deployed endpoint.

+> [!TIP]

+> The file `/cli/endpoints/online/triton/single-model/triton_densenet_scoring.py` in the azureml-examples repo is used for scoring. The image passed to the endpoint needs pre-processing to meet the size, type, and format requirements, and post-processing to show the predicted label. The `triton_densenet_scoring.py` uses the `tritonclient.http` library to communicate with the Triton inference server.

+1. To get the endpoint scoring uri, use the following command:

+ :::code language="azurecli" source="~/azureml-examples-main/cli/deploy-triton-managed-online-endpoint.sh" ID="get_scoring_uri":::

+1. To get an authentication key, use the following command:

+ :::code language="azurecli" source="~/azureml-examples-main/cli/deploy-triton-managed-online-endpoint.sh" ID="get_token":::

+1. To score data with the endpoint, use the following command. It submits the image of a peacock (https://aka.ms/peacock-pic) to the endpoint:

+ :::code language="azurecli" source="~/azureml-examples-main/cli/deploy-triton-managed-online-endpoint.sh" ID="check_scoring_of_model":::

+ The response from the script is similar to the following text:

+ ```

+ Is server ready - True

+ Is model ready - True

+ /azureml-examples/cli/endpoints/online/triton/single-model/densenet_labels.txt

+ 84 : PEACOCK

+ ```

+# [Python](#tab/python)

+1. To get the endpoint scoring uri, use the following command:

+ ```python

+ endpoint = ml_client.online_endpoints.get(endpoint_name)

+ scoring_uri = endpoint.scoring_uri

+ ```

+1. To get an authentication key, use the following command:

+ keys = ml_client.online_endpoints.list_keys(endpoint_name)

+ auth_key = keys.primary_key

+1. The following scoring code uses the [Triton Inference Server Client](https://github.com/triton-inference-server/client) to submit the image of a peacock to the endpoint. This script is available in the companion notebook to this example - [Deploy a model to online endpoints using Triton](https://github.com/Azure/azureml-examples/blob/main/sdk/endpoints/online/triton/single-model/online-endpoints-triton.ipynb).

+ ```python

+ # Test the blue deployment with some sample data

+ import requests

+ import gevent.ssl

+ import numpy as np

+ import tritonclient.http as tritonhttpclient

+ from pathlib import Path

+ import prepost

+ img_uri = "http://aka.ms/peacock-pic"

+ # We remove the scheme from the url

+ url = scoring_uri[8:]

+ # Initialize client handler

+ triton_client = tritonhttpclient.InferenceServerClient(

+ url=url,

+ ssl=True,

+ ssl_context_factory=gevent.ssl._create_default_https_context,

+ )

+ # Create headers

+ headers = {}

+ headers["Authorization"] = f"Bearer {auth_key}"

+ # Check status of triton server

+ health_ctx = triton_client.is_server_ready(headers=headers)

+ print("Is server ready - {}".format(health_ctx))

+ # Check status of model

+ model_name = "model_1"

+ status_ctx = triton_client.is_model_ready(model_name, "1", headers)

+ print("Is model ready - {}".format(status_ctx))

+ if Path(img_uri).exists():

+ img_content = open(img_uri, "rb").read()

+ else:

+ agent = f"Python Requests/{requests.__version__} (https://github.com/Azure/azureml-examples)"

+ img_content = requests.get(img_uri, headers={"User-Agent": agent}).content

+ img_data = prepost.preprocess(img_content)

+ # Populate inputs and outputs

+ input = tritonhttpclient.InferInput("data_0", img_data.shape, "FP32")

+ input.set_data_from_numpy(img_data)

+ inputs = [input]

+ output = tritonhttpclient.InferRequestedOutput("fc6_1")

+ outputs = [output]

+ result = triton_client.infer(model_name, inputs, outputs=outputs, headers=headers)

+ max_label = np.argmax(result.as_numpy("fc6_1"))

+ label_name = prepost.postprocess(max_label)

+ print(label_name)

+ ```

+1. The response from the script is similar to the following text:

+ ```

+ Is server ready - True

+ Is model ready - True

+ /azureml-examples/sdk/endpoints/online/triton/single-model/densenet_labels.txt

+ 84 : PEACOCK

+ ```

+# [Studio](#tab/azure-studio)

+Azure Machine Learning Studio provides the ability to test endpoints with JSON. However, serialized JSON is not currently included for this example.

+To test an endpoint using Azure Machine Learning Studio, click `Test` from the Endpoint page.

+

+### Delete the endpoint and model

+# [Azure CLI](#tab/azure-cli)

+1. Once you're done with the endpoint, use the following command to delete it:

+ :::code language="azurecli" source="~/azureml-examples-main/cli/deploy-triton-managed-online-endpoint.sh" ID="delete_endpoint":::

+1. Use the following command to archive your model:

+ ```azurecli

+ az ml model archive --name $MODEL_NAME --version $MODEL_VERSION

+ ```

+# [Python](#tab/python)

+1. Delete the endpoint. Deleting the endpoint also deletes any child deployments, however it will not archive associated Environments or Models.

+ ```python

+ ml_client.online_endpoints.begin_delete(name=endpoint_name)

+ ```

+1. Archive the model with the following code.

+ ```python

+ ml_client.models.archive(name=model_name, version=model_version)

+ ```

+# [Studio](#tab/azure-studio)

+1. From the endpoint's page, click `Delete` in the second row below the endpoint's name.

+1. From the model's page, click `Delete` in the first row below the model's name.

+* The full SKU names listed in the table can be used for Azure CLI or Azure Resource Manager templates (ARM templates) requests to create and update deployments.

+* For more information on configuration details such as CPU and RAM, see [Azure Machine Learning Pricing](https://azure.microsoft.com/pricing/details/machine-learning/) and [VM sizes](../virtual-machines/sizes.md).

+| V.Small | Standard_DS1_v2 <br/> Standard_DS2_v2 | Standard_F2s_v2 | Standard_E2s_v3 | Standard_NC4as_T4_v3 |

+| Small | Standard_DS3_v2 | Standard_F4s_v2 | Standard_E4s_v3 | Standard_NC6s_v2 <br/> Standard_NC6s_v3 <br/> Standard_NC8as_T4_v3 |

+| Medium | Standard_DS4_v2 | Standard_F8s_v2 | Standard_E8s_v3 | Standard_NC12s_v2 <br/> Standard_NC12s_v3 <br/> Standard_NC16as_T4_v3 |

+| Large | Standard_DS5_v2 | Standard_F16s_v2 | Standard_E16s_v3 | Standard_NC24s_v2 <br/> Standard_NC24s_v3 <br/> Standard_NC64as_T4_v3 |

+| X-Large| - | Standard_F32s_v2 <br/> Standard_F48s_v2 <br/> Standard_F64s_v2 <br/> Standard_F72s_v2 | Standard_E32s_v3 <br/> Standard_E48s_v3 <br/> Standard_E64s_v3 | - |

+- The project geography is only used to store the discovered metadata.

+- When you create a project, you select a geography. The project and related resources are created in one of the regions in the geography. The region is allocated by the Azure Migrate service. Azure Migrate does not move or store customer data outside of the region allocated.

+- [Assess Hyper-V VMs](tutorial-assess-hyper-v.md) for migration.

+ Title: Azure Database for MySQL - flexible server - major version upgrade

+description: Learn how to upgrade major version for an Azure Database for MySQL - Flexible server.

+# Major version upgrade in Azure Database for MySQL flexible server preview

+>[!Note]

+> This article contains references to the term slave, a term that Microsoft no longer uses. When the term is removed from the software, we will remove it from this article.

+This article describes how you can upgrade your MySQL major version in-place in Azure Database for MySQL Flexible server.

+This feature will enable customers to perform in-place upgrades of their MySQL 5.7 servers to MySQL 8.0 with a click of button without any data movement or the need of any application connection string changes.

+>[!Important]

+> - Major version upgrade for Azure database for MySQL Flexible Server is available in public preview.

+> - Major version upgrade is currently not available for Burstable SKU 5.7 servers.

+> - Duration of downtime will vary based on the size of your database instance and the number of tables on the database.

+> - Upgrading major MySQL version is irreversible. Your deployment might fail if validation identifies the server is configured with any features that are [removed](https://dev.mysql.com/doc/refman/8.0/en/mysql-nutshell.html#mysql-nutshell-removals) or [deprecated](https://dev.mysql.com/doc/refman/8.0/en/mysql-nutshell.html#mysql-nutshell-deprecations). You can make necessary configuration changes on the server and try upgrade again

+## Prerequisites

+- Read Replicas with MySQL version 5.7 should be upgraded before Primary Server for replication to be compatible between different MySQL versions, read more on [Replication Compatibility between MySQL versions](https://dev.mysql.com/doc/mysql-replication-excerpt/8.0/en/replication-compatibility.html).

+- Before you upgrade your production servers, we strongly recommend you to test your application compatibility and verify your database compatibility with features [removed](https://dev.mysql.com/doc/refman/8.0/en/mysql-nutshell.html#mysql-nutshell-removals)/[deprecated](https://dev.mysql.com/doc/refman/8.0/en/mysql-nutshell.html#mysql-nutshell-deprecations) in the new MySQL version.

+- Trigger [on-demand backup](./how-to-trigger-on-demand-backup.md) before you perform major version upgrade on your production server, which can be used to [rollback to version 5.7](./how-to-restore-server-portal.md) from the full on-demand backup taken.

+## Perform Planned Major version upgrade from MySQL 5.7 to MySQL 8.0 using Azure portal

+1. In the [Azure portal](https://portal.azure.com/), select your existing Azure Database for MySQL 5.7 server.

+ >[!Important]

+ > We recommend performing upgrade first on restored copy of the server rather than upgrading production directly. See [how to perform point-in-time restore](./how-to-restore-server-portal.md).

+2. From the overview page, click the Upgrade button in the toolbar

+ >[!Important]

+ > Before upgrading visit link for list of [features removed](https://dev.mysql.com/doc/refman/8.0/en/mysql-nutshell.html#mysql-nutshell-removals) in MySQL 8.0.

+ > Verify deprecated [sql_mode](/https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_sql_mode) values and remove/deselect them from your current Flexible Server 5.7 using Server Parameters Blade on your Azure Portal to avoid deployment failure.

+ > [sql_mode](/https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_sql_mode) with values NO_AUTO_CREATE_USER, NO_FIELD_OPTIONS, NO_KEY_OPTIONS and NO_TABLE_OPTIONS are no longer supported in MySQL 8.0.

+ :::image type="content" source="./media/how-to-upgrade/1-how-to-upgrade.png" alt-text="Screenshot showing Azure Database for MySQL Upgrade.":::

+3. In the Upgrade sidebar, verify Major Upgrade version to upgrade i.e 8.0.

+ :::image type="content" source="./media/how-to-upgrade/2-how-to-upgrade.png" alt-text="Screenshot showing Upgrade.":::

+4. For Primary Server, click on confirmation checkbox, to confirm that all your replica servers are upgraded before primary server. Once confirmed that all your replicas are upgraded, Upgrade button will be enabled. For your read-replicas and standalone servers, Upgrade button will be enabled by default.

+ :::image type="content" source="./media/how-to-upgrade/3-how-to-upgrade.png" alt-text="Screenshot showing confirmation.":::

+5. Once Upgrade button is enabled, you can click on Upgrade button to proceed with deployment.

+ :::image type="content" source="./media/how-to-upgrade/4-how-to-upgrade.png" alt-text="Screenshot showing upgrade.":::

+## Perform Planned Major version upgrade from MySQL 5.7 to MySQL 8.0 using Azure CLI

+Follow these steps to perform major version upgrade for your Azure Database of MySQL 5.7 server using Azure CLI.

+1. Install [Azure CLI](/cli/azure/install-azure-cli) for Windows or use [Azure CLI](../../cloud-shell/overview.md) in Azure Cloud Shell to run the upgrade commands.

+ This upgrade requires version 2.40.0 or later of the Azure CLI. If you are using Azure Cloud Shell, the latest version is already installed. Run az version to find the version and dependent libraries that are installed. To upgrade to the latest version, run az upgrade.

+2. After you sign in, run the [az mysql server upgrade](/cli/azure/mysql/server#az-mysql-server-upgrade) command.

+ ```azurecli

+ az mysql server upgrade --name testsvr --resource-group testgroup --subscription MySubscription --version 8.0

+ ```

+3. Under confirmation prompt, type ΓÇ£yΓÇ¥ for confirming or ΓÇ£nΓÇ¥ to stop the upgrade process and enter.

+## Perform major version upgrade from MySQL 5.7 to MySQL 8.0 on read replica using Azure portal

+1. In the Azure portal, select your existing Azure Database for MySQL 5.7 read replica server.

+2. From the Overview page, click the Upgrade button in the toolbar.

+>[!Important]

+> Before upgrading visit link for list of [features removed](https://dev.mysql.com/doc/refman/8.0/en/mysql-nutshell.html#mysql-nutshell-removals) in MySQL 8.0.

+>Verify deprecated [sql_mode](/https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_sql_mode) values and remove/deselect them from your current Flexible Server 5.7 using Server Parameters Blade on your Azure Portal to avoid deployment failure.

+3. In the Upgrade section, select Upgrade button to upgrade Azure database for MySQL 5.7 read replica server to 8.0 server.

+4. A notification will confirm that upgrade is successful.

+5. From the Overview page, confirm that your Azure database for MySQL read replica server version is 8.0.

+6. Now go to your primary server and perform major version upgrade on it.

+## Perform minimal downtime major version upgrade from MySQL 5.7 to MySQL 8.0 using read replicas

+1. In the Azure portal, select your existing Azure Database for MySQL 5.7.

+2. Create a [read replica](./how-to-read-replicas-portal.md) from your primary server.

+3. Upgrade your [read replica to version](#perform-planned-major-version-upgrade-from-mysql-57-to-mysql-80-using-azure-cli) 8.0.

+4. Once you confirm that the replica server is running on version 8.0, stop your application from connecting to your primary server.

+5. Check replication status, and make sure replica is all caught up with primary, so all the data is in sync and ensure there are no new operations performed in primary.

+Confirm with the show slave status command on the replica server to view the replication status.

+ ```azurecli

+ SHOW SLAVE STATUS\G

+ ```

+ If the state of Slave_IO_Running and Slave_SQL_Running are "yes" and the value of Seconds_Behind_Master is "0", replication is working well. Seconds_Behind_Master indicates how late the replica is. If the value isn't "0", it means that the replica is processing updates. Once you confirm Seconds_Behind_Master is "0" it's safe to stop replication.

+6. Promote your read replica to primary by stopping replication.

+7. Set Server Parameter read_only to 0 i.e., OFF to start writing on promoted primary.

+ Point your application to the new primary (former replica) which is running server 8.0. Each server has a unique connection string. Update your application to point to the (former) replica instead of the source.

+>[!Note]

+> This scenario will have downtime during steps 4, 5 and 6 only.

+## Frequently asked questions

+- Will this cause downtime of the server and if so, how long?

+ To have minimal downtime during upgrades, follow the steps mentioned under - [Perform minimal downtime major version upgrade from MySQL 5.7 to MySQL 8.0 using read replicas](#perform-minimal-downtime-major-version-upgrade-from-mysql-57-to-mysql-80-using-read-replicas).

+ The server will be unavailable during the upgrade process, so we recommend you perform this operation during your planned maintenance window. The estimated downtime depends on the database size, storage size provisioned (IOPs provisioned), and the number of tables on the database. The upgrade time is directly proportional to the number of tables on the server. To estimate the downtime for your server environment, we recommend to first perform upgrade on restored copy of the server.

+- When will this upgrade feature be GA?

+

+ The GA of this feature will be planned by December 2022. However, the feature is production ready and fully supported by Azure so you should run it with confidence in your environment. As a recommended best practice, we strongly suggest you run and test it first on a restored copy of the server so you can estimate the downtime during upgrade and perform application compatibility test before you run it on production.

+

+- What happens to my backups after upgrade?

+

+ All backups (automated/on-demand) taken before major version upgrade, when used for restoration will always restore to a server with older version (5.7).

+ All the backups (automated/on-demand) taken after major version upgrade will restore to server with upgraded version (8.0). It's highly recommended to take on-demand backup before you perform the major version upgrade for an easy rollback.

+ ## Next steps

+ - Learn more on [how to configure scheduled maintenance](./how-to-maintenance-portal.md) for your Azure Database for MySQL flexible server.

+ - Learn about what's new in [MySQL version 8.0](https://dev.mysql.com/doc/refman/8.0/en/mysql-nutshell.html).

+- **Major version upgrade in Azure Database for MySQL - Flexible Server (Preview)**

+ You can now upgrade your MySQL major version, in-place in Azure Database for MySQL Flexible server from MySQL 5.7 servers to MySQL 8.0 with a click of button without any data movement or the need of any application connection string changes.[Learn more](./how-to-upgrade.md)

+You'll use the [Azure Database for MySQL Deployment task](/azure/devops/pipelines/tasks/deploy/azure-mysql-deployment). The Azure Database for MySQL Deployment task only works with Azure Database for MySQL Single Server.

+This article demonstrates creating a sample application that uses Java and [JDBC](https://en.wikipedia.org/wiki/Java_Database_Connectivity) to store and retrieve information in [Azure Database for MySQL](./index.yml).

+In this article, we'll include two authentication methods: Azure Active Directory (Azure AD) authentication and MySQL authentication. The **Passwordless** tab shows the Azure AD authentication and the **Password** tab shows the MySQL authentication.

+Azure AD authentication is a mechanism for connecting to Azure Database for MySQL using identities defined in Azure AD. With Azure AD authentication, you can manage database user identities and other Microsoft services in a central location, which simplifies permission management.

+MySQL authentication uses accounts stored in MySQL. If you choose to use passwords as credentials for the accounts, these credentials will be stored in the `user` table. Because these passwords are stored in MySQL, you'll need to manage the rotation of the passwords by yourself.

+- MySQL command line client. You can connect to your server using the [mysql.exe](https://dev.mysql.com/downloads/) command-line tool with Azure Cloud Shell. Alternatively, you can use the `mysql` command line in your local environment.

+First, set up some environment variables. In [Azure Cloud Shell](https://shell.azure.com/), run the following commands:

+### [Passwordless (Recommended)](#tab/passwordless)

+export AZ_RESOURCE_GROUP=database-workshop

+export AZ_DATABASE_NAME=<YOUR_DATABASE_NAME>

+export AZ_LOCATION=<YOUR_AZURE_REGION>

+export AZ_MYSQL_AD_NON_ADMIN_USERNAME=demo-non-admin

+export AZ_LOCAL_IP_ADDRESS=<YOUR_LOCAL_IP_ADDRESS>

+export CURRENT_USERNAME=$(az ad signed-in-user show --query userPrincipalName -o tsv)

+export CURRENT_USER_OBJECTID=$(az ad signed-in-user show --query id -o tsv)

+```

+Replace the placeholders with the following values, which are used throughout this article:

+- `<YOUR_DATABASE_NAME>`: The name of your MySQL server. It should be unique across Azure.

+- `<YOUR_AZURE_REGION>`: The Azure region you'll use. You can use `eastus` by default, but we recommend that you configure a region closer to where you live. You can see the full list of available regions by entering `az account list-locations`.

+- `<YOUR_LOCAL_IP_ADDRESS>`: The IP address of your local computer, from which you'll run your Spring Boot application. One convenient way to find it is to open [whatismyip.akamai.com](http://whatismyip.akamai.com/).

+### [Password](#tab/password)

+```bash

+export AZ_RESOURCE_GROUP=database-workshop

+export AZ_DATABASE_NAME=<YOUR_DATABASE_NAME>

+export AZ_LOCATION=<YOUR_AZURE_REGION>

+export AZ_MYSQL_ADMIN_USERNAME=demo

+export AZ_MYSQL_ADMIN_PASSWORD=<YOUR_MYSQL_ADMIN_PASSWORD>

+export AZ_MYSQL_NON_ADMIN_USERNAME=demo-non-admin

+export AZ_MYSQL_NON_ADMIN_PASSWORD=<YOUR_MYSQL_NON_ADMIN_PASSWORD>

+export AZ_LOCAL_IP_ADDRESS=<YOUR_LOCAL_IP_ADDRESS>

+- `<YOUR_MYSQL_ADMIN_PASSWORD>` and `<YOUR_MYSQL_NON_ADMIN_PASSWORD>`: The password of your MySQL database server. That password should have a minimum of eight characters. The characters should be from three of the following categories: English uppercase letters, English lowercase letters, numbers (0-9), and non-alphanumeric characters (!, $, #, %, and so on).

+- `<YOUR_LOCAL_IP_ADDRESS>`: The IP address of your local computer, from which you'll run your Java application. One convenient way to find it is to open [whatismyip.akamai.com](http://whatismyip.akamai.com/).

+Next, create a resource group by using the following command:

+ --output tsv

+### Create a MySQL server and set up admin user

+The first thing you'll create is a managed MySQL server.

+> You can read more detailed information about creating MySQL servers in [Quickstart: Create an Azure Database for MySQL server by using the Azure portal](./quickstart-create-mysql-server-database-using-azure-portal.md).

+#### [Passwordless connection (Recommended)](#tab/passwordless)

+If you're using Azure CLI, run the following command to make sure it has sufficient permission:

+```bash

+az login --scope https://graph.microsoft.com/.default

+```

+Then, run the following command to create the server:

+```azurecli

+az mysql server create \

+ --resource-group $AZ_RESOURCE_GROUP \

+ --name $AZ_DATABASE_NAME \

+ --location $AZ_LOCATION \

+ --sku-name B_Gen5_1 \

+ --storage-size 5120 \

+ --output tsv

+```

+Next, run the following command to set the Azure AD admin user:

+```azurecli

+az mysql server ad-admin create \

+ --resource-group $AZ_RESOURCE_GROUP \

+ --server-name $AZ_DATABASE_NAME \

+ --display-name $CURRENT_USERNAME \

+ --object-id $CURRENT_USER_OBJECTID

+```

+> [!IMPORTANT]

+> When setting the administrator, a new user is added to the Azure Database for MySQL server with full administrator permissions. You can only create one Azure AD admin per MySQL server. Selection of another user will overwrite the existing Azure AD admin configured for the server.

+This command creates a small MySQL server and sets the Active Directory admin to the signed-in user.

+#### [Password](#tab/password)

+ --admin-user $AZ_MYSQL_ADMIN_USERNAME \

+ --admin-password $AZ_MYSQL_ADMIN_PASSWORD \

+ --output tsv

+Azure Databases for MySQL instances are secured by default. These instances have a firewall that doesn't allow any incoming connection. To be able to use your database, you need to add a firewall rule that will allow the local IP address to access the database server.

+Because you configured your local IP address at the beginning of this article, you can open the server's firewall by running the following command:

+ --output tsv

+```

+If you're connecting to your MySQL server from Windows Subsystem for Linux (WSL) on a Windows computer, you'll need to add the WSL host ID to your firewall.

+Obtain the IP address of your host machine by running the following command in WSL:

+```bash

+cat /etc/resolv.conf

+```

+Copy the IP address following the term `nameserver`, then use the following command to set an environment variable for the WSL IP Address:

+```bash

+AZ_WSL_IP_ADDRESS=<the-copied-IP-address>

+```

+Then, use the following command to open the server's firewall to your WSL-based app:

+```azurecli

+az mysql server firewall-rule create \

+ --resource-group $AZ_RESOURCE_GROUP \

+ --name $AZ_DATABASE_NAME-database-allow-local-ip-wsl \

+ --server $AZ_DATABASE_NAME \

+ --start-ip-address $AZ_WSL_IP_ADDRESS \

+ --end-ip-address $AZ_WSL_IP_ADDRESS \

+ --output tsv

+The MySQL server that you created earlier is empty. Use the following command to create a new database called `demo`:

+ --output tsv

+```

+### Create a MySQL non-admin user and grant permission

+Next, create a non-admin user and grant all permissions on the `demo` database to it.

+> [!NOTE]

+> You can read more detailed information about creating MySQL users in [Create users in Azure Database for MySQL](/azure/mysql/single-server/how-to-create-users).

+#### [Passwordless connection (Recommended)](#tab/passwordless)

+Create a SQL script called *create_ad_user.sql* for creating a non-admin user. Add the following contents and save it locally:

+```bash

+export AZ_MYSQL_AD_NON_ADMIN_USERID=$CURRENT_USER_OBJECTID

+cat << EOF > create_ad_user.sql

+SET aad_auth_validate_oids_in_tenant = OFF;

+CREATE AADUSER '$AZ_MYSQL_AD_NON_ADMIN_USERNAME' IDENTIFIED BY '$AZ_MYSQL_AD_NON_ADMIN_USERID';

+GRANT ALL PRIVILEGES ON demo.* TO '$AZ_MYSQL_AD_NON_ADMIN_USERNAME'@'%';

+FLUSH privileges;

+EOF

+```

+Then, use the following command to run the SQL script to create the Azure AD non-admin user:

+```bash

+mysql -h $AZ_DATABASE_NAME.mysql.database.azure.com --user $CURRENT_USERNAME@$AZ_DATABASE_NAME --enable-cleartext-plugin --password=`az account get-access-token --resource-type oss-rdbms --output tsv --query accessToken` < create_ad_user.sql

+```

+Now use the following command to remove the temporary SQL script file:

+```bash

+rm create_ad_user.sql

+#### [Password](#tab/password)

+Create a SQL script called *create_user.sql* for creating a non-admin user. Add the following contents and save it locally:

+```bash

+cat << EOF > create_user.sql

+CREATE USER '$AZ_MYSQL_NON_ADMIN_USERNAME'@'%' IDENTIFIED BY '$AZ_MYSQL_NON_ADMIN_PASSWORD';

+GRANT ALL PRIVILEGES ON demo.* TO '$AZ_MYSQL_NON_ADMIN_USERNAME'@'%';

+FLUSH PRIVILEGES;

+EOF

+```

+Then, use the following command to run the SQL script to create the Azure AD non-admin user:

+```bash

+mysql -h $AZ_DATABASE_NAME.mysql.database.azure.com --user $AZ_MYSQL_ADMIN_USERNAME@$AZ_DATABASE_NAME --enable-cleartext-plugin --password=$AZ_MYSQL_ADMIN_PASSWORD < create_user.sql

+```

+Now use the following command to remove the temporary SQL script file:

+```bash

+rm create_user.sql

+```

+Using your favorite IDE, create a new Java project using Java 8 or above. Create a *pom.xml* file in its root directory and add the following contents:

+#### [Passwordless connection (Recommended)](#tab/passwordless)

+```xml

+<?xml version="1.0" encoding="UTF-8"?>

+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">

+ <modelVersion>4.0.0</modelVersion>

+ <groupId>com.example</groupId>

+ <artifactId>demo</artifactId>

+ <version>0.0.1-SNAPSHOT</version>

+ <name>demo</name>

+ <properties>

+ <java.version>1.8</java.version>

+ <maven.compiler.source>1.8</maven.compiler.source>

+ <maven.compiler.target>1.8</maven.compiler.target>

+ </properties>

+ <dependencies>

+ <dependency>

+ <groupId>mysql</groupId>

+ <artifactId>mysql-connector-java</artifactId>

+ <version>8.0.30</version>

+ </dependency>

+ <dependency>

+ <groupId>com.azure</groupId>

+ <artifactId>azure-identity-providers-jdbc-mysql</artifactId>

+ <version>1.0.0-beta.1</version>

+ </dependency>

+ </dependencies>

+</project>

+```

+#### [Password](#tab/password)

+ <version>8.0.30</version>

+This file is an [Apache Maven](https://maven.apache.org/) file that configures your project to use Java 8 and a recent MySQL driver for Java.

+Run the following script in the project root directory to create a *src/main/resources/application.properties* file and add configuration details:

+#### [Passwordless connection (Recommended)](#tab/passwordless)

+```bash

+mkdir -p src/main/resources && touch src/main/resources/application.properties

+cat << EOF > src/main/resources/application.properties

+url=jdbc:mysql://${AZ_DATABASE_NAME}.mysql.database.azure.com:3306/demo?sslMode=REQUIRED&serverTimezone=UTC&defaultAuthenticationPlugin=com.azure.identity.providers.mysql.AzureIdentityMysqlAuthenticationPlugin&authenticationPlugins=com.azure.identity.providers.mysql.AzureIdentityMysqlAuthenticationPlugin

+user=${AZ_MYSQL_AD_NON_ADMIN_USERNAME}@${AZ_DATABASE_NAME}

+EOF

+#### [Password](#tab/password)

+```bash

+mkdir -p src/main/resources && touch src/main/resources/application.properties

+cat << EOF > src/main/resources/application.properties

+url=jdbc:mysql://${AZ_DATABASE_NAME}.mysql.database.azure.com:3306/demo?useSSL=true&sslMode=REQUIRED&serverTimezone=UTC

+user=${AZ_MYSQL_NON_ADMIN_USERNAME}@${AZ_DATABASE_NAME}

+password=${AZ_MYSQL_NON_ADMIN_PASSWORD}

+EOF

+```

+> The configuration property `url` has `?serverTimezone=UTC` appended to tell the JDBC driver to use the UTC date format (or Coordinated Universal Time) when connecting to the database. Otherwise, your Java server would not use the same date format as the database, which would result in an error.

+Next, you'll use a *src/main/resources/schema.sql* file to create a database schema. Create that file, then add the following contents:

+```bash

+touch src/main/resources/schema.sql

+cat << EOF > src/main/resources/schema.sql

+EOF

+Create a *src/main/java/DemoApplication.java* file and add the following contents:

+ /* Prepare to store and retrieve data from the MySQL server.

+ Todo todo = new Todo(1L, "configuration", "congratulations, you have set up JDBC correctly!", true);

+ */

+This Java code will use the *application.properties* and the *schema.sql* files that you created earlier. After connecting to the MySQL server, you can create a schema to store your data.

+In this file, you can see that we commented methods to insert, read, update and delete data. You'll implement those methods in the rest of this article, and you'll be able to uncomment them one after each other.

+> The `AbandonedConnectionCleanupThread.uncheckedShutdown();` line at the end is a MySQL driver command to destroy an internal thread when shutting down the application. You can safely ignore this line.

+- Using Maven, you can run the application with the following command: `mvn exec:java -Dexec.mainClass="com.example.demo.DemoApplication"`.

+The application should connect to the Azure Database for MySQL, create a database schema, and then close the connection. You should see output similar to the following example in the console logs:

+```output

+[INFO ] Loading application properties

+[INFO ] Connecting to the database

+[INFO ] Database connection test: demo

+[INFO ] Create database schema

+[INFO ] Closing database connection

+```output

+[INFO ] Loading application properties

+[INFO ] Connecting to the database

+[INFO ] Database connection test: demo

+[INFO ] Create database schema

+[INFO ] Insert data

+Next, read the data previously inserted to validate that your code works correctly.

+```output

+[INFO ] Loading application properties

+[INFO ] Connecting to the database

+[INFO ] Database connection test: demo

+[INFO ] Create database schema

+[INFO ] Insert data

+[INFO ] Read data

+[INFO ] Data read from the database: Todo{id=1, description='configuration', details='congratulations, you have set up JDBC correctly!', done=true}

+[INFO ] Closing database connection

+Next, update the data you previously inserted.

+```output

+[INFO ] Loading application properties

+[INFO ] Connecting to the database

+[INFO ] Database connection test: demo

+[INFO ] Create database schema

+[INFO ] Insert data

+[INFO ] Read data

+[INFO ] Data read from the database: Todo{id=1, description='configuration', details='congratulations, you have set up JDBC correctly!', done=true}

+[INFO ] Update data

+[INFO ] Read data

+[INFO ] Data read from the database: Todo{id=1, description='configuration', details='congratulations, you have updated data!', done=true}

+[INFO ] Closing database connection

+Finally, delete the data you previously inserted.

+```output

+[INFO ] Loading application properties

+[INFO ] Connecting to the database

+[INFO ] Database connection test: demo

+[INFO ] Create database schema

+[INFO ] Insert data

+[INFO ] Read data

+[INFO ] Data read from the database: Todo{id=1, description='configuration', details='congratulations, you have set up JDBC correctly!', done=true}

+[INFO ] Update data

+[INFO ] Read data

+[INFO ] Data read from the database: Todo{id=1, description='configuration', details='congratulations, you have updated data!', done=true}

+[INFO ] Delete data

+[INFO ] Read data

+[INFO ] There is no data in the database!

+[INFO ] Closing database connection

+One such open source tool is Suricata, an IDS engine that uses rulesets to monitor network traffic and triggers alerts whenever suspicious events occur. Suricata offers a multi-threaded engine, meaning it can perform network traffic analysis with increased speed and efficiency. For more details about Suricata and its capabilities, visit their website at https://suricata.io/.

+ self.Endpoint = 'https' + part[11:].lower()

+> |[pg_repack](https://reorg.github.io/pg_repack/) | 1.4.7 | lets you remove bloat from tables and indexes|

+> |[pg_repack](https://reorg.github.io/pg_repack/) | 1.4.7 | lets you remove bloat from tables and indexes|

+> |[pg_repack](https://reorg.github.io/pg_repack/) | 1.4.7 | lets you remove bloat from tables and indexes|

+> |[pg_repack](https://reorg.github.io/pg_repack/) | 1.4.7 | lets you remove bloat from tables and indexes|

+This article demonstrates how to create a sample application that uses Java and [JDBC](https://en.wikipedia.org/wiki/Java_Database_Connectivity) to store and retrieve information in [Azure Database for PostgreSQL](./index.yml).

+In this article, we'll include two authentication methods: Azure Active Directory (Azure AD) authentication and PostgreSQL authentication. The **Passwordless** tab shows the Azure AD authentication and the **Password** tab shows the PostgreSQL authentication.

+Azure AD authentication is a mechanism for connecting to Azure Database for PostgreSQL using identities defined in Azure AD. With Azure AD authentication, you can manage database user identities and other Microsoft services in a central location, which simplifies permission management.

+PostgreSQL authentication uses accounts stored in PostgreSQL. If you choose to use passwords as credentials for the accounts, these credentials will be stored in the `user` table. Because these passwords are stored in PostgreSQL, you'll need to manage the rotation of the passwords by yourself.

+- [Azure Cloud Shell](../../cloud-shell/quickstart.md) or [Azure CLI](/cli/azure/install-azure-cli) 2.37.0 or above required. We recommend Azure Cloud Shell so you'll be logged in automatically and have access to all the tools you'll need.

+First, set up some environment variables. In [Azure Cloud Shell](https://shell.azure.com/), run the following commands:

+### [Passwordless (Recommended)](#tab/passwordless)

+```bash

+export AZ_RESOURCE_GROUP=database-workshop

+export AZ_DATABASE_NAME=<YOUR_DATABASE_NAME>

+export AZ_LOCATION=<YOUR_AZURE_REGION>

+export AZ_POSTGRESQL_AD_NON_ADMIN_USERNAME=<YOUR_POSTGRESQL_AD_NON_ADMIN_USERNAME>

+export AZ_LOCAL_IP_ADDRESS=<YOUR_LOCAL_IP_ADDRESS>

+export CURRENT_USERNAME=$(az ad signed-in-user show --query userPrincipalName -o tsv)

+export CURRENT_USER_OBJECTID=$(az ad signed-in-user show --query id -o tsv)

+```

+Replace the placeholders with the following values, which are used throughout this article:

+- `<YOUR_DATABASE_NAME>`: The name of your PostgreSQL server, which should be unique across Azure.

+- `<YOUR_AZURE_REGION>`: The Azure region you'll use. You can use `eastus` by default, but we recommend that you configure a region closer to where you live. You can see the full list of available regions by entering `az account list-locations`.

+- `<YOUR_POSTGRESQL_AD_NON_ADMIN_USERNAME>`: The username of your PostgreSQL database server. Make ensure the username is a valid user in your Azure AD tenant.

+- `<YOUR_LOCAL_IP_ADDRESS>`: The IP address of your local computer, from which you'll run your Spring Boot application. One convenient way to find it is to open [whatismyip.akamai.com](http://whatismyip.akamai.com/).

+> [!IMPORTANT]

+> When setting <YOUR_POSTGRESQL_AD_NON_ADMIN_USERNAME>, the username must already exist in your Azure AD tenant or you will be unable to create an Azure AD user in your database.

+### [Password](#tab/password)

+export AZ_RESOURCE_GROUP=database-workshop

+export AZ_DATABASE_NAME=<YOUR_DATABASE_NAME>

+export AZ_LOCATION=<YOUR_AZURE_REGION>

+export AZ_POSTGRESQL_ADMIN_USERNAME=demo

+export AZ_POSTGRESQL_ADMIN_PASSWORD=<YOUR_POSTGRESQL_ADMIN_PASSWORD>

+export AZ_POSTGRESQL_NON_ADMIN_USERNAME=demo_non_admin

+export AZ_POSTGRESQL_NON_ADMIN_PASSWORD=<YOUR_POSTGRESQL_NON_ADMIN_PASSWORD>

+export AZ_LOCAL_IP_ADDRESS=<YOUR_LOCAL_IP_ADDRESS>

+- `<YOUR_POSTGRESQL_ADMIN_PASSWORD>` and `<YOUR_POSTGRESQL_NON_ADMIN_PASSWORD>`: The password of your PostgreSQL database server. That password should have a minimum of eight characters. The characters should be from three of the following categories: English uppercase letters, English lowercase letters, numbers (0-9), and non-alphanumeric characters (!, $, #, %, and so on).

+- `<YOUR_LOCAL_IP_ADDRESS>`: The IP address of your local computer, from which you'll run your Java application. One convenient way to find it is to open [whatismyip.akamai.com](http://whatismyip.akamai.com/).

+ --output tsv

+### Create a PostgreSQL server and set up admin user

+The first thing you'll create is a managed PostgreSQL server with an admin user.

+#### [Passwordless (Recommended)](#tab/passwordless)

+If you're using Azure CLI, run the following command to make sure it has sufficient permission:

+```bash

+az login --scope https://graph.microsoft.com/.default

+```

+Then run following command to create the server:

+```azurecli

+az postgres server create \

+ --resource-group $AZ_RESOURCE_GROUP \

+ --name $AZ_DATABASE_NAME \

+ --location $AZ_LOCATION \

+ --sku-name B_Gen5_1 \

+ --storage-size 5120 \

+ --output tsv

+```

+Now run the following command to set the Azure AD admin user:

+```azurecli

+az postgres server ad-admin create \

+ --resource-group $AZ_RESOURCE_GROUP \

+ --server-name $AZ_DATABASE_NAME \

+ --display-name $CURRENT_USERNAME \

+ --object-id $CURRENT_USER_OBJECTID

+```

+> [!IMPORTANT]

+> When setting the administrator, a new user is added to the Azure Database for PostgreSQL server with full administrator permissions. Only one Azure AD admin can be created per PostgreSQL server and selection of another one will overwrite the existing Azure AD admin configured for the server.

+This command creates a small PostgreSQL server and sets the Active Directory admin to the signed-in user.

+#### [Password](#tab/password)

+ --admin-user $AZ_POSTGRESQL_ADMIN_USERNAME \

+ --admin-password $AZ_POSTGRESQL_ADMIN_PASSWORD \

+ --output tsv

+ --output tsv

+```

+If you're connecting to your PostgreSQL server from Windows Subsystem for Linux (WSL) on a Windows computer, you'll need to add the WSL host ID to your firewall.

+Obtain the IP address of your host machine by running the following command in WSL:

+```bash

+cat /etc/resolv.conf

+```

+Copy the IP address following the term `nameserver`, then use the following command to set an environment variable for the WSL IP Address:

+```bash

+AZ_WSL_IP_ADDRESS=<the-copied-IP-address>

+```

+Then, use the following command to open the server's firewall to your WSL-based app:

+```azurecli

+az postgres server firewall-rule create \

+ --resource-group $AZ_RESOURCE_GROUP \

+ --name $AZ_DATABASE_NAME-database-allow-local-ip \

+ --server $AZ_DATABASE_NAME \

+ --start-ip-address $AZ_WSL_IP_ADDRESS \

+ --end-ip-address $AZ_WSL_IP_ADDRESS \

+ --output tsv

+The PostgreSQL server that you created earlier is empty. Use the following command to create a new database called `demo`:

+ --output tsv

+### Create a PostgreSQL non-admin user and grant permission

+Next, create a non-admin user and grant all permissions on the `demo` database to it.

+> [!NOTE]

+> You can read more detailed information about creating PostgreSQL users in [Create users in Azure Database for PostgreSQL](/azure/PostgreSQL/single-server/how-to-create-users).

+#### [Passwordless (Recommended)](#tab/passwordless)

+Create a SQL script called *create_ad_user.sql* for creating a non-admin user. Add the following contents and save it locally:

+```bash

+cat << EOF > create_ad_user.sql

+SET aad_validate_oids_in_tenant = off;

+CREATE ROLE "$AZ_POSTGRESQL_AD_NON_ADMIN_USERNAME" WITH LOGIN IN ROLE azure_ad_user;

+GRANT ALL PRIVILEGES ON DATABASE demo TO "$AZ_POSTGRESQL_AD_NON_ADMIN_USERNAME";

+EOF

+```

+Then, use the following command to run the SQL script to create the Azure AD non-admin user:

+```bash

+psql "host=$AZ_DATABASE_NAME.postgres.database.azure.com user=$CURRENT_USERNAME@$AZ_DATABASE_NAME dbname=demo port=5432 password=`az account get-access-token --resource-type oss-rdbms --output tsv --query accessToken` sslmode=require" < create_ad_user.sql

+```

+Now use the following command to remove the temporary SQL script file:

+```bash

+rm create_ad_user.sql

+```

+#### [Password](#tab/password)

+Create a SQL script called *create_user.sql* for creating a non-admin user. Add the following contents and save it locally:

+```bash

+cat << EOF > create_user.sql

+CREATE ROLE "$AZ_POSTGRESQL_NON_ADMIN_USERNAME" WITH LOGIN PASSWORD '$AZ_POSTGRESQL_NON_ADMIN_PASSWORD';

+GRANT ALL PRIVILEGES ON DATABASE demo TO "$AZ_POSTGRESQL_NON_ADMIN_USERNAME";

+EOF

+```

+Then, use the following command to run the SQL script to create the Azure AD non-admin user:

+```bash

+psql "host=$AZ_DATABASE_NAME.postgres.database.azure.com user=$AZ_POSTGRESQL_ADMIN_USERNAME@$AZ_DATABASE_NAME dbname=demo port=5432 password=$AZ_POSTGRESQL_ADMIN_PASSWORD sslmode=require" < create_user.sql

+```

+Now use the following command to remove the temporary SQL script file:

+```bash

+rm create_user.sql

+```

+Using your favorite IDE, create a new Java project using Java 8 or above, and add a *pom.xml* file in its root directory with the following contents:

+#### [Passwordless (Recommended)](#tab/passwordless)

+ <dependency>

+ <groupId>org.postgresql</groupId>

+ <artifactId>postgresql</artifactId>

+ <version>42.3.6</version>

+ </dependency>

+ <dependency>

+ <groupId>com.azure</groupId>

+ <artifactId>azure-identity-providers-jdbc-postgresql</artifactId>

+ <version>1.0.0-beta.1</version>

+ </dependency>

+#### [Password](#tab/password)

+```xml

+<?xml version="1.0" encoding="UTF-8"?>

+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">

+ <modelVersion>4.0.0</modelVersion>

+ <groupId>com.example</groupId>

+ <artifactId>demo</artifactId>

+ <version>0.0.1-SNAPSHOT</version>

+ <name>demo</name>

+ <properties>

+ <java.version>1.8</java.version>

+ <maven.compiler.source>1.8</maven.compiler.source>

+ <maven.compiler.target>1.8</maven.compiler.target>

+ </properties>

+ <dependencies>

+ <dependency>

+ <groupId>org.postgresql</groupId>

+ <artifactId>postgresql</artifactId>

+ <version>42.3.6</version>

+ </dependency>

+ </dependencies>

+</project>

+```

+This file is an [Apache Maven](https://maven.apache.org/) file that configures your project to use Java 8 and a recent PostgreSQL driver for Java.

+Create a *src/main/resources/application.properties* file, then add the following contents:

+#### [Passwordless (Recommended)](#tab/passwordless)

+```bash

+cat << EOF > src/main/resources/application.properties

+url=jdbc:postgresql://${AZ_DATABASE_NAME}.postgres.database.azure.com:5432/demo?sslmode=require&authenticationPluginClassName=com.azure.identity.providers.postgresql.AzureIdentityPostgresqlAuthenticationPlugin

+user=${AZ_POSTGRESQL_AD_NON_ADMIN_USERNAME}@${AZ_DATABASE_NAME}

+EOF

+#### [Password](#tab/password)

+```bash

+cat << EOF > src/main/resources/application.properties

+url=jdbc:postgresql://${AZ_DATABASE_NAME}.postgres.database.azure.com:5432/demo?sslmode=require

+user=${AZ_POSTGRESQL_NON_ADMIN_USERNAME}@${AZ_DATABASE_NAME}

+password=${AZ_POSTGRESQL_NON_ADMIN_PASSWORD}

+EOF

+```

+> The configuration property `url` has `?sslmode=require` appended to tell the JDBC driver to use TLS ([Transport Layer Security](https://en.wikipedia.org/wiki/Transport_Layer_Security)) when connecting to the database. Using TLS is mandatory with Azure Database for PostgreSQL, and it's a good security practice.

+You'll use a *src/main/resources/schema.sql* file to create a database schema. Create that file, then add the following contents:

+```bash

+cat << EOF > src/main/resources/schema.sql

+EOF

+Create a *src/main/java/DemoApplication.java* file, then add the following contents:

+ /* Prepare for data processing in the PostgreSQL server.

+ Todo todo = new Todo(1L, "configuration", "congratulations, you have set up JDBC correctly!", true);

+ */

+This Java code will use the *application.properties* and the *schema.sql* files that you created earlier in order to connect to the PostgreSQL server and create a schema that will store your data.

+In this file, you can see that we commented methods to insert, read, update and delete data. You'll code those methods in the rest of this article, and you'll be able to uncomment them one after another.

+> The database credentials are stored in the `user` and `password` properties of the *application.properties* file. Those credentials are used when executing `DriverManager.getConnection(properties.getProperty("url"), properties);`, as the properties file is passed as an argument.

+- Using Maven, you can run the application by using the following command: `mvn exec:java -Dexec.mainClass="com.example.demo.DemoApplication"`.

+```output

+```output

+To validate that your code works correctly, read the data that you previously inserted.

+```output

+Next, update the data you previously inserted.

+```output

+Finally, delete the data you previously inserted.

+```output

+- A Salesforce connected app, which will be used to access your Salesforce information.

+ - If you need to create a connected app, you can follow the [Salesforce documentation](https://help.salesforce.com/s/articleView?id=sf.connected_app_create_basics.htm&type=5).

+ - You will need to [enable OAuth for you Salesforce application](https://help.salesforce.com/s/articleView?id=sf.connected_app_create_api_integration.htm&type=5).

+ * Provide the username of the user that the [connected app](#prerequisites) is imitating in the User name input field.

+ * Otherwise, **concatenate the password and security token as the value of the secret**. The security token is an automatically generated key that must be added to the end of the password when logging in to Salesforce from an untrusted network. Learn more about how to [get or reset a security token](https://help.salesforce.com/apex/HTViewHelpDoc?id=user_security_token.htm).

+You recently added or updated a role assignment, but the changes are not being detected. You might see the message `Status: 401 (Unauthorized)`.

+**Cause 1**

+**Solution 1**

+**Cause 2**

+You added managed identities to a group and assigned a role to that group. The back-end services for managed identities maintain a cache per resource URI for around 24 hours.

+**Solution 2**

+It can take several hours for changes to a managed identity's group or role membership to take effect. For more information, see [Limitation of using managed identities for authorization](../active-directory/managed-identities-azure-resources/managed-identity-best-practice-recommendations.md#limitation-of-using-managed-identities-for-authorization).

+In this quickstart, you will create your first search index using the **Import data** wizard and a built-in sample data source consisting of fictitious hotel data. The wizard guides you through the creation of a search index (hotels-sample-index) so that you can write interesting queries within minutes.

+Although you won't use the options in this quickstart, the wizard includes a page for AI enrichment so that you can extract text and structure from image files and unstructured text. For a similar walkthrough that includes AI enrichment, see [Quickstart: Create a skillset](cognitive-search-quickstart-blob.md).

+## Create an index and load data

+1. **Playbook** - Select **Open Playbook** to advance to the Playbook templates (Preview) menu.

+ :::image type="content" source="media/sentinel-solutions-deploy/manage-solution-playbook.png" alt-text="Screenshot of solution content for Log4j Vulnerability Detection with a Playbook selected and the Open Playbook button available.":::

+ After the populated search finds the template, select it and the **Create Playbook** button is available to start playbook creation. Alternately, you can select the Active playbooks menu tab where the playbook name is filtered. Selecting the playbook name link will take you to the Automation blade to view or edit the playbook in use.

+ :::image type="content" source="media/sentinel-solutions-deploy/manage-solution-playbook-active.png" alt-text="Screenshot of solution content for Log4j Vulnerability Detection with a Playbook selected and the Create Playbook button available. The Active Playbooks menu tab is highlighted.":::

+Supported authentication and clients for App Service, Container Apps, and Azure Spring Apps:

+| Client type | System-assigned managed identity | User-assigned managed identity | Secret / connection string | Service principal |

+||--|--|--|-|

+| .NET (MySqlConnector) | | |  | |

+| Go (go-sql-driver for mysql) | | |  | |

+| Java (JDBC) |  | |  | |

+| Java - Spring Boot (JDBC) |  | |  | |

+| Node.js (mysql) | | |  | |

+| Python (mysql-connector-python) | | |  | |

+| Python-Django | | |  | |

+| PHP (mysqli) | | |  | |

+| Ruby (mysql2) | | |  | |

+| None | | |  | |

+### Java (JDBC) system-assigned managed identity

+| Default environment variable name | Description | Example value |

+|--|||

+| AZURE_MYSQL_CONNECTIONSTRING | JDBC MySQL connection string | `jdbc:mysql://<MySQL-DB-name>.mysql.database.azure.com:3306/<MySQL-DB-name>?sslmode=required&user=<MySQL-DB-username>` |

+### Java - Spring Boot (JDBC) system-assigned managed identity

+| Application properties | Description | Example value |

+|--|-|--|

+| spring.datatsource.url | Spring Boot JDBC database URL | `jdbc:mysql://<MySQL-DB-name>.mysql.database.azure.com:3306/<MySQL-DB-name>?sslmode=required` |

+| spring.datatsource.username | Database username | `Connection-Name` |

+| spring.datatsource.password | Database password | `MySQL-DB-password` |

+Supported authentication and clients for App Service, Container Apps, and Azure Spring Apps:

+| Client type | System-assigned managed identity | User-assigned managed identity | Secret / connection string | Service principal |

+||--|--|--|-|

+| .NET (ADO.NET) | | |  | |

+| Go (pg) | | |  | |

+| Java (JDBC) |  | |  | |

+| Java - Spring Boot (JDBC) |  | |  | |

+| Node.js (pg) | | |  | |

+| Python (psycopg2) | | |  | |

+| Python-Django | | |  | |

+| PHP (native) | | |  | |

+| Ruby (ruby-pg) | | |  | |

+| None | | |  | |

+| Default environment variable name | Description | Example value |

+|--|--|-|

+### Java (JDBC) system-assigned managed identity

+| Default environment variable name | Description | Example value |

+|--|--|--|

+| AZURE_POSTGRESQL_CONNECTIONSTRING | JDBC PostgreSQL connection string | `jdbc:postgresql://<PostgreSQL-server-name>.postgres.database.azure.com:5432/<database-name>?sslmode=require&user=<connection-name>` |

+### Java - Spring Boot (JDBC) system-assigned managed identity

+| Application properties | Description | Example value |

+|--|-||

+| spring.datatsource.url | Database URL | `jdbc:postgresql://<PostgreSQL-server-name>.postgres.database.azure.com:5432/<database-name>?sslmode=require` |

+| spring.datatsource.username | Database username | `Connection-Name` |

+| spring.datatsource.password | Database password | `<password>` |

+Supported authentication and clients for App Service, Container Apps, and Azure Spring Apps:

+| Client type | System-assigned managed identity | User-assigned managed identity | Secret/connection string | Service principal |

+|--|::|::|::|:--:|

+| .NET | | |  | |

+| Go | | |  | |

+| Java |  | |  | |

+| Java - Spring Boot |  | |  | |

+| PHP | | |  | |

+| Node.js | | |  | |

+| Python | | |  | |

+| Python - Django | | |  | |

+| Ruby | | |  | |

+| None | | |  | |

+### Azure Container Apps and Azure App Service

+#### Java Database Connectivity (JDBC) system-assigned managed identity

+> [!div class="mx-tdBreakAll"]

+> | Default environment variable name | Description | Sample value |

+> |--|--|--|

+> | AZURE_SQL_CONNECTIONSTRING | Azure SQL Database connection string | `jdbc:sqlserver://<sql-server>.database.windows.net:1433;databaseName=<sql-database>;authentication=ActiveDirectoryMSI;` |

+> | spring.datasource.password | Azure SQL Database datasource password | `<sql-password>` |

+#### Java Spring Boot (spring-boot-starter-jdbc) system-assigned managed identity

+> [!div class="mx-tdBreakAll"]

+> | Default environment variable name | Description | Sample value |

+> |--|-|--|

+> | spring.datasource.url | Azure SQL Database datasource URL | `jdbc:sqlserver://<sql-server>.database.windows.net:1433;databaseName=<sql-db>;authentication=ActiveDirectoryMSI;` |

+> | Default environment variable name | Description | Sample value |

+> |--|--||

+> | AZURE_SQL_DATABASE | Azure SQL Database database | `<sql-database>` |

+> | AZURE_SQL_USERNAME | Azure SQL Database username | `<sql-username>` |

+> | AZURE_SQL_PASSWORD | Azure SQL Database password | `<sql-password>` |

+> | AZURE_SQL_DATABASE | Azure SQL Database database | `<sql-database>` |

+> | AZURE_SQL_UID | Azure SQL Database unique identifier (UID) | `<sql-username>` |

+> | AZURE_SQL_PASSWORD | Azure SQL Database password | `<sql-password>` |

+> | AZURE_SQL_DATABASE | Azure SQL Database database | `<sql-database>` |

+> | AZURE_SQL_USER | Azure SQL Database user | `<sql-username>` |

+> | AZURE_SQL_PASSWORD | Azure SQL Database password | `<sql-password>` |

+> | AZURE_SQL_NAME | Azure SQL Database name | `<sql-database>` |

+> | AZURE_SQL_USER | Azure SQL Database user | `<sql-username>` |

+> | AZURE_SQL_PASSWORD | Azure SQL Database password | `<sql-password>` |

+> | AZURE_SQL_DATABASE | Azure SQL Database database | `<sql-database>` |

+> | AZURE_SQL_USERNAME | Azure SQL Database username | `<sql-username>` |

+> | AZURE_SQL_PASSWORD | Azure SQL Database password | `<sql-password>` |

+> | Default environment variable name | Description | Sample value |

+> |--|-|-|

+> | spring.datasource.username | Azure SQL Database datasource username | `<sql-username>` |

+> | spring.datasource.password | Azure SQL Database datasource password | `<sql-password>` |

+#### Java Spring Boot (spring-boot-starter-jdbc) system-assigned managed identity

+> [!div class="mx-tdBreakAll"]

+> | Default environment variable name | Description | Sample value |

+> |--|-|--|

+> | spring.datasource.url | Azure SQL Database datasource URL | `jdbc:sqlserver://<sql-server>.database.windows.net:1433;databaseName=<sql-db>;authentication=ActiveDirectoryMSI;` |

+> * Upgrading the DurabilityLevel for a nodetype with multipleAvailabilityZones, is not supported. Please create a new nodetype with the higher durability instead.

+> * SF supports just 3 AvailabilityZones. Any higher number is not supported right now.

+## Connect to Azure SQL Database with a managed identity

+You can connect your application deployed to Azure Spring Apps to an Azure SQL Database with a managed identity by following manual steps or using [Service Connector](../service-connector/overview.md).

+### [Manual configuration](#tab/manual)

+### Grant permission to the managed identity

+The value of the `<MIName>` placeholder follows the rule `<service-instance-name>/apps/<app-name>`; for example: `myspringcloud/apps/sqldemo`. You can also query the MIName with Azure CLI:

+az ad sp show --id <identity-object-ID> --query displayName

+### Configure your Java app to use a managed identity

+Open the *src/main/resources/application.properties* file, then add `Authentication=ActiveDirectoryMSI;` at the end of the `spring.datasource.url` line, as shown in the following example. Be sure to use the correct value for the $AZ_DATABASE_NAME variable.

+#### [Service Connector](#tab/service-connector)

+Configure your app deployed to Azure Spring to connect to an SQL Database with a system-assigned managed identity using the `az spring connection create` command, as shown in the following example.

+> [!NOTE]

+> This command requires you to run the latest [edge build of Azure CLI](https://github.com/Azure/azure-cli/blob/dev/doc/try_new_features_before_release.md). [Download and install the edge builds](https://github.com/Azure/azure-cli#edge-builds) for your platform.

+```azurecli-interactive

+az spring connection create sql \

+ --resource-group $SPRING_APP_RESOURCE_GROUP \

+ --service $Spring_APP_SERVICE_NAME \

+ --app $APP_NAME --deployment $DEPLOYMENT_NAME \

+ --target-resource-group $SQL_RESOURCE_GROUP \

+ --server $SQL_SERVER_NAME \

+ --database $DATABASE_NAME \

+ --system-assigned-identity

+```

+Rebuild the app and deploy it to the Azure Spring Apps provisioned in the second bullet point under Prerequisites. Now you have a Spring Boot application, authenticated by a managed identity, that uses JPA to store and retrieve data from an Azure SQL Database in Azure Spring Apps.

+* An application deployed to Azure Spring Apps. For more information, see [Quickstart: Deploy your first application to Azure Spring Apps](./quickstart.md).

+* An Azure Database for PostgreSQL Flexible Server instance.

+* [Azure CLI](/cli/azure/install-azure-cli).

+ ```xml

+ <dependency>

+ <groupId>org.springframework.boot</groupId>

+ <artifactId>spring-boot-starter-data-jpa</artifactId>

+ </dependency>

+ <dependency>

+ <groupId>com.azure.spring</groupId>

+ <artifactId>spring-cloud-azure-starter-jdbc-mysql</artifactId>

+ </dependency>

+ ```

+ ```properties

+ spring.datasource.url=jdbc:mysql://some-server.mysql.database.azure.com:3306/testdb?useSSL=true&requireSSL=false&useLegacyDatetimeCode=false&serverTimezone=UTC

+ spring.datasource.username=admin@some-server

+ spring.datasource.password=abc******

+ spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.MySQL5InnoDBDialect

+ ```

+#### [Passwordless connection using a managed identity](#tab/Passwordless)

+Configure your Spring app to connect to a MySQL Database Flexible Server with a system-assigned managed identity by using the `az spring connection create` command, as shown in the following example.

+> [!NOTE]

+> This command requires you to run the latest [edge build of Azure CLI](https://github.com/Azure/azure-cli/blob/dev/doc/try_new_features_before_release.md). [Download and install the edge builds](https://github.com/Azure/azure-cli#edge-builds) for your platform.

+```azurecli

+az spring connection create mysql-flexible \

+ --resource-group $AZURE_SPRING_APPS_RESOURCE_GROUP \

+ --service $AZURE_SPRING_APPS_SERVICE_INSTANCE_NAME \

+ --app $APP_NAME \

+ --deployment $DEPLOYMENT_NAME \

+ --target-resource-group $MYSQL_RESOURCE_GROUP \

+ --server $MYSQL_SERVER_NAME \

+ --database $DATABASE_NAME \

+ --system-assigned-identity

+```

+ Title: How to bind an Azure Database for PostgreSQL to your application in Azure Spring Apps

+description: Learn how to bind an Azure Database for PostgreSQL instance to your application in Azure Spring Apps.

+# Bind an Azure Database for PostgreSQL to your application in Azure Spring Apps

+> [!NOTE]

+> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams.

+**This article applies to:** ✔️ Java ❌ C#

+**This article applies to:** ✔️ Basic/Standard tier ✔️ Enterprise tier

+With Azure Spring Apps, you can bind select Azure services to your applications automatically, instead of having to configure your Spring Boot application manually. This article shows you how to bind your application to your Azure Database for PostgreSQL instance.

+## Prerequisites

+* An application deployed to Azure Spring Apps. For more information, see [Quickstart: Deploy your first application to Azure Spring Apps](./quickstart.md).

+* An Azure Database for PostgreSQL Flexible Server instance.

+* [Azure CLI](/cli/azure/install-azure-cli).

+## Prepare your Java project

+1. In your project's *pom.xml* file, add the following dependency:

+ ```xml

+ <dependency>

+ <groupId>org.springframework.boot</groupId>

+ <artifactId>spring-boot-starter-data-jpa</artifactId>

+ </dependency>

+ <dependency>

+ <groupId>com.azure.spring</groupId>

+ <artifactId>spring-cloud-azure-starter-jdbc-postgresql</artifactId>

+ </dependency>

+ ```

+1. In the *application.properties* file, remove any `spring.datasource.*` properties.

+1. Update the current app by running `az spring app deploy`, or create a new deployment for this change by running `az spring app deployment create`.

+## Bind your app to the Azure Database for PostgreSQL instance

+### [Using admin credentials](#tab/Secrets)

+1. Note the admin username and password of your Azure Database for PostgreSQL account.

+1. Connect to the server, create a database named **testdb** from a PostgreSQL client, and then create a new non-admin account.

+1. Run the following command to connect to the database with admin username and password.

+ ```azurecli

+ az spring connection create postgres \

+ --resource-group $AZURE_SPRING_APPS_RESOURCE_GROUP \

+ --service $AZURE_SPRING_APPS_SERVICE_INSTANCE_NAME \

+ --app $APP_NAME \

+ --deployment $DEPLOYMENT_NAME \

+ --target-resource-group $POSTGRES_RESOURCE_GROUP \

+ --server $POSTGRES_SERVER_NAME \

+ --database testdb \

+ --secret name=$USERNAME secret=$PASSWORD

+ ```

+### [Using a passwordless connection with a managed identity](#tab/Passwordless)

+Configure Azure Spring Apps to connect to the PostgreSQL Database Single Server with a system-assigned managed identity using the `az spring connection create` command.

+> [!NOTE]

+> This command requires you to run the latest [edge build of Azure CLI](https://github.com/Azure/azure-cli/blob/dev/doc/try_new_features_before_release.md). [Download and install the edge builds](https://github.com/Azure/azure-cli#edge-builds) for your platform.

+```azurecli

+az spring connection create postgres \

+ --resource-group $SPRING_APP_RESOURCE_GROUP \

+ --service $Spring_APP_SERVICE_NAME \

+ --app $APP_NAME --deployment $DEPLOYMENT_NAME \

+ --target-resource-group $POSTGRES_RESOURCE_GROUP \

+ --server $POSTGRES_SERVER_NAME \

+ --database $DATABASE_NAME \

+ --system-assigned-identity

+```

+## Next steps

+In this article, you learned how to bind an application in Azure Spring Apps to an Azure Database for MySQL instance. To learn more about binding services to an application, see [Bind an Azure Cosmos DB database to an application in Azure Spring Apps](./how-to-bind-cosmos.md).

+To enable stable URL environments, make the following changes to your [configuration .yml file](build-configuration.md?tabs=github-actions).

+- Set the `production_branch` input to your production branch name on the `static-web-apps-deploy` job in GitHub action or on the AzureStaticWebApp task. This action ensures changes to your production branch are deployed to the production environment, while changes to other branches are deployed to a preview environment.

+## Next steps

+ Title: 'Quickstart: Build your first static web app'

+# Quickstart: Build your first static web app

+- [Azure DevOps](https://azure.microsoft.com/services/devops) organization

+> If you don't see any repositories:

+> - You may need to authorize Azure Static Web Apps in GitHub. Browse to your GitHub repository and go to **Settings > Applications > Authorized OAuth Apps**, select **Azure Static Web Apps**, and then select **Grant**.

+> - You may need to authorize Azure Static Web Apps in your Azure DevOps organization. You must be an owner of the organization to grant the permissions. Request third-party application access via via OAuth. For more information, see [Authorize access to REST APIs with OAuth 2.0](https://learn.microsoft.com/azure/devops/integrate/get-started/authentication/oauth?view=azure-devops#2-authorize-your-app).

+1. Select the banner that says, _Click here to check the status of your GitHub Actions runs_, which takes you to the GitHub Actions and runs against your repository. Once you verify the deployment job is complete, then you can navigate to your website via the generated URL.

+2. Once GitHub Actions workflow is complete, select on the _URL_ link to open the website in new tab.

+Once the workflow is complete, select the _URL_ link to open the website in new tab.

+2. Select **Delete**.

+3. Select **Yes** to confirm the delete action. This action may take a few moments to complete.

+ Title: Monitor Azure Static Web Apps

+Once you create the Application Insights instance, it creates an associated application setting in the Azure Static Web Apps instance used to link the services together.

+> If you want to track how the different features of your web app are used end-to-end client side, you can insert trace calls in your JavaScript code. For more information, see [Application Insights for webpages](/azure-monitor/app/javascript?tabs=snippet).

+The following table highlights a few locations in the portal you can use to inspect aspects of your application's API endpoints.

+> For more information on Application Insights usage, see the [App insights overview](../azure-monitor/app/app-insights-overview.md).

+In some cases, you may want to limit logging while still capturing details on errors and warnings. You can do so by making the following changes to your _host.json_ file of the Azure Functions app.

+> [Set up authentication and authorization](authentication-authorization.md)

+If your account has an event subscription, read operations on the secondary endpoint will result in an error. To resolve this issue, remove event subscriptions. Using the dfs endpoint (abfss://URI) for non-hierarchical namespace enabled accounts will not generate events, but the blob endpoint (wasb:// URI) will generate events.

+BlobServiceClient blobServiceClient = new BlobServiceClient(connectionString);

+- [Give Feedback](https://github.com/Azure/azure-sdk-for-net/issues)

+ Title: Implement a retry policy .NET

+description: Learn about retry policies and how to implement them for Blob Storage. This article helps you set up a retry policy for Blob Storage requests using the .NET v12 SDK.

+# Implement a retry policy for .NET

+Any application that runs in the cloud or communicates with remote services and resources must be able to handle transient faults. It's common for these applications to experience faults due to a momentary loss of network connectivity, a request timeout when a service or resource is busy, or other factors. Developers should build applications to handle transient faults transparently to improve stability and resiliency.

+This article shows you how to use .NET client libraries to set up a retry policy for an application that connects to Azure Blob Storage. Retry policies define how the application handles failed requests, and should always be tuned to match the business requirements of the application and the nature of the failure.

+> [!NOTE]

+> The examples in this article assume that you're working with an existing app or that you've created a sample console app using the guidance in the [Get started with Azure Blob Storage and .NET](storage-blob-dotnet-get-started.md) article.

+## Configure retry options

+Retry policies for Blob Storage are configured programmatically, offering control over how retry options are applied to various service requests and scenarios. For example, a web app issuing requests based on user interaction might implement a policy with fewer retries and shorter delays to increase responsiveness and notify the user when an error occurs. Alternatively, an app or component running batch requests in the background might increase the number of retries and use an exponential backoff strategy to allow the request time to complete successfully.

+In this example for blob storage, we'll configure the retry options in the `Retry` property of the [BlobClientOptions](/dotnet/api/azure.storage.blobs.blobclientoptions) class. Then, we'll create a client object for the blob service using the retry options.

+In the code above, each service request issued from the `BlobServiceClient` object will use the retry options as defined in the `BlobClientOptions` object. You can configure various retry strategies for service clients based on the needs of your app.

+## Use geo-redundancy to improve app resiliency

+If your app requires high availability and greater resiliency against failures, you can leverage Azure Storage geo-redundancy options as part of your retry policy. Storage accounts configured for geo-redundant replication are synchronously replicated in the primary region, and asynchronously replicated to a secondary region that is hundreds of miles away.

+Azure Storage offers two options for geo-redundant replication: [Geo-redundant storage (GRS)](../common/storage-redundancy.md#geo-redundant-storage) and [Geo-zone-redundant storage (GZRS)](../common/storage-redundancy.md#geo-zone-redundant-storage). In addition to enabling geo-redundancy for your storage account, you also need to configure read access to the data in the secondary region. To learn how to change replication options for your storage account, see [Change how a storage account is replicated](../common/redundancy-migration.md).

+In this example, we set the `GeoRedundantSecondaryUri` property in `BlobClientOptions`. When this property is set and a read request failure occurs in the primary region, the app will seamlessly switch to perform retries against the secondary region endpoint.

+Apps that make use of geo-redundancy need to keep in mind some specific design considerations. To learn more, see [Use geo-redundancy to design highly available applications](../common/geo-redundant-design.md).

+## Next steps

+Now that you understand how to implement a retry policy using the .NET client library, see the following articles for more detailed architectural guidance:

+- For architectural guidance and general best practices for retry policies, see [Transient fault handling](/azure/architecture/best-practices/transient-faults).

+- For guidance on implementing a retry pattern for transient failures, see [Retry pattern](/azure/architecture/patterns/retry).

+ Title: StorSimple 8000 Series Update 5.2 release notes

+description: Describes new features, issues, and workarounds for StorSimple 8000 Series Update 5.2.

+ms.assetid:

+# StorSimple 8000 Series Update 5.2 release notes

+## Overview

+The following release notes describe new features and identify critical open issues for StorSimple 8000 Series Update 5.2. They also contain a list of the StorSimple software updates included in this release.

+The release notes are continuously updated. As critical issues are discovered, they're added to the update. Before you deploy StorSimple 8000 Series, carefully review the information contained in these release notes.

+Update 5.2 corresponds to software version 6.3.9600.17886.

+> [!IMPORTANT]

+>

+> * Update 5.2 is a mandatory security update. It must be installed immediately to ensure the operation of the device. Microsoft implements a phased rollout, so your new release might not detect all available updates. To ensure a complete update to 5.2, wait a few days and then scan for updates again.

+> * If you're not notified about Update 5.2 via a banner in the Azure portal UI, contact Microsoft Support.

+## What's new in Update 5.2

+* **Automatic remediation for failed backups caused by a device controller left active for long periods.** When a device controller is continuously active for a long period (more than a year), scheduled and manually triggered backups may fail. No alert or other notification is raised in the Azure portal. The only way to recover is to initiate a controller failover. Update 5.2 detects this condition and remediates it by initiating a controller failover. An alert informs the customer.

+* **Reliability issue fixed in backup code path** without which a backup could be corrupted in a rare scenario.

+* **Issue with Local Only volume conversion fixed.** In earlier releases, Local Only volume conversion might get stuck if the system restarts at a specific window of the conversion.

+* **SHA 256 hashing algorithm is supported for the remote management certificate.** Remote management certificates are used while connecting to the PowerShell interface of the appliance, or during a Support session using remote PowerShell over Single Sockets Layer (SSL). Earlier releases use an SHA 128 hashing algorithm, which is considered weak. Update 5.2 uses SHA 256, which is considered more secure.

+## Install Update 5.2

+Use the following steps to install Update 5.2:

+1. [Connect to Windows PowerShell on the StorSimple 8000 series device](storsimple-8000-deployment-walkthrough-u2.md#use-putty-to-connect-to-the-device-serial-console), or connect directly to the appliance via serial cable.

+1. Use [Start-HcsUpdate](/powershell/module/hcs/start-hcsupdate.md?view=winserver2012r2-ps&preserve-view=true) to update the device. For detailed steps, see [Install regular updates via Windows PowerShell](storsimple-update-device.md#to-install-regular-updates-via-windows-powershell-for-storsimple). This update is non-disruptive.

+1. If ```Start-HcsUpdate``` doesn't work because of firewall issues, contact Microsoft Support.

+## Verify the updates

+To verify Update 5.2, check for these software versions after installation:

+* FriendlySoftwareVersion: StorSimple 8000 Series Update 5.2

+* HcsSoftwareVersion: 6.3.9600.17886

+* CisAgentVersion: 1.0.9777.0

+* MdsAgentVersion: 35.2.2.0

+* Lsisas2Version: 2.0.78.00

+## Next steps

+Install StorSimple 8000 Series Update 5.2. Steps to install Update 5.2 are largely the same as for installation of Update 5.1. For more information, see detailed steps in [Installing via the hotfix method](storsimple-8000-install-update-51.md).

+> Due to global replication or caching latency, there may be a delay when permissions are revoked or granted. Changes should be reflected within 10 minutes. Even though test connection can pass initially, jobs may fail when they are started before the permissions fully propagate.

+| May 2022 | **Azure Synapse Data Explorer connector for Power Automate, Logic Apps, and Power Apps** | The Azure Data Explorer connector for Power Automate enables you to orchestrate and schedule flows, send notifications, and alerts, as part of a scheduled or triggered task. To learn more, read [Azure Data Explorer connector for Microsoft Power Automate](/azure/data-explorer/flow) and [Usage examples for Azure Data Explorer connector to Power Automate](/azure/data-explorer/flow-usage). |

+| March 2022 | **Enforce minimal TLS version** | You can now raise or lower the minimum TLS version for dedicated SQL pools in Synapse workspaces. To learn more, see [Azure SQL connectivity settings](/azure/azure-sql/database/connectivity-settings#minimal-tls-version). The [workspace managed SQL API](/rest/api/synapse/sqlserver/workspace-managed-sql-server-dedicated-sql-minimal-tls-settings/update) can be used to modify the minimum TLS settings.|

+> In-session passwordless authentication is currently in public preview.

+Azure Virtual Desktop supports in-session passwordless authentication (preview) using [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-overview) or security devices like FIDO keys when using the [Windows Desktop client](user-documentation/connect-windows-7-10.md). Passwordless authentication is enabled automatically when the session host and local PC are using the following operating systems:

+ - Windows 11 Enterprise single or multi-session with the [2022-09 Cumulative Updates for Windows 11 Preview (KB5017383)](https://support.microsoft.com/kb/KB5017383) or later installed.

+ - Windows 10 Enterprise single or multi-session, versions 20H2 or later with the [2022-09 Cumulative Updates for Windows 10 Preview (KB5017380)](https://support.microsoft.com/kb/KB5017380) or later installed.

+ - Windows Server 2022 with the [2022-09 Cumulative Update for Microsoft server operating system preview (KB5017381)](https://support.microsoft.com/kb/KB5017381) or later installed.

+To disable passwordless authentication on your host pool, you must [customize an RDP property](customize-rdp-properties.md). You can find the **WebAuthn redirection** property under the **Device redirection** tab in the Azure portal or set the **redirectwebauthn** property to **0** using PowerShell.

+> Single sign-on using Azure AD authentication is currently in public preview.

+Single sign-on is available on session hosts using the following operating systems:

+ - Windows 11 Enterprise single or multi-session with the [2022-09 Cumulative Updates for Windows 11 Preview (KB5017383)](https://support.microsoft.com/kb/KB5017383) or later installed.

+ - Windows 10 Enterprise single or multi-session, versions 20H2 or later with the [2022-09 Cumulative Updates for Windows 10 Preview (KB5017380)](https://support.microsoft.com/kb/KB5017380) or later installed.

+ - Windows Server 2022 with the [2022-09 Cumulative Update for Microsoft server operating system preview (KB5017381)](https://support.microsoft.com/kb/KB5017381) or later installed.

+You can use the [Windows Desktop client](user-documentation/connect-windows-7-10.md) on local PCs running Windows 10 or later. There's no requirement for the local PC to be joined to a domain or Azure AD. You can also have a single sign-on experience when using the [web client](user-documentation/connect-web.md).

+To enable SSO on your host pool, you must [customize an RDP property](customize-rdp-properties.md). You can find the **Azure AD Authentication** property under the **Connection information** tab in the Azure portal or set the **enablerdsaadauth** property to **1** using PowerShell.

+- If you're accessing Azure Virtual Desktop from our web client, see [Connect with the web client](./user-documentation/connect-web.md).

+ Title: Azure Virtual Desktop user connection quality - Azure

+description: Connection quality for Azure Virtual Desktop users.

+>[!IMPORTANT]

+>The Connection Graphics Data Logs are currently in preview. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+If you're already using [Azure Log Analytics](diagnostics-log-analytics.md), you can monitor network and graphics data for Azure Virtual Desktop connections. The connection network and graphics data Log Analytics collects can help you discover areas that impact your end-user's graphical experience. The service collects data for reports regularly throughout the session. Azure Virtual Desktop connection network data reports have the following advantages over RemoteFX network performance counters:

+To start collecting this data, youΓÇÖll need to make sure you have diagnostics and the **Network Data Logs** and **Connection Graphics Data Logs Preview** tables enabled in your Azure Virtual Desktop host pools.

+>[!NOTE]

+>Normal storage charges for Log Analytics will apply. Learn more at [Azure Monitor Logs pricing details](../azure-monitor/logs/cost-logs.md).

+4. Select **allLogs** or select the names of the diagnostics tables you want to collect data for, including **Network Data Logs** and **Connection Graphics Data Logs Preview**. The *allLogs* parameter will automatically add new tables to your data table in the future.

+8. Make sure the network data is going to your selected destination by returning to the host pool's resource page, selecting **Logs**, then running one of the queries in [Sample queries for Azure Log Analytics](#sample-queries-for-azure-log-analytics-network-data). In order for your query to get results, your host pool must have active users who have been connecting to sessions. Keep in mind that it can take up to 15 minutes for network data to appear in the Azure portal.

+

+ To check network data, return to the host pool's resource page, select **Logs**, then run one of the queries in [Sample queries for Azure Log Analytics](connection-latency.md#sample-queries-for-azure-log-analytics-network-data). In order for your query to get results, your host pool must have active users who've connected to sessions before. Keep in mind that it can take up to 15 minutes for network data to appear in the Azure portal.

+- The **estimated round trip time (milliseconds)** is the average estimated round trip time during each connection time interval. Round trip time is how long a network request takes to go from the end-user's device to the session host through the network, then return from the session host to the end-user device.

+- The **Correlation ID** is the ActivityId of a specific Azure Virtual Desktop connection that's assigned to every diagnostic within that connection.

+- The **time generated** is a timestamp in Coordinated Universal Time (UTC) time that marks when an event the data counter is tracking happened on the virtual machine (VM). All averages are measured by the time window that ends at the marked timestamp.

+- The **Resource ID** is a unique ID assigned to the Azure Virtual Desktop host pool associated with the data the diagnostics service collects for this table.

+- The **source system**, **Subscription ID**, **Tenant ID**, and **type** (table name).

+#### Frequency

+The service generates these network data points every two minutes during an active session.

+### Connection graphics data (preview)

+You should consult the Graphics data table (preview) when users report slow or choppy experiences in their Azure Virtual Desktop sessions. The Graphics data table will give you useful information whenever graphical indicators, end-to-end delay, and dropped frames percentage fall below the "healthy" threshold for Azure Virtual Desktop. This table will help your admins track and understand factors across the server, client, and network that could be contributing to the user's slow or choppy experience. However, while the Graphics data table is a useful tool for troubleshooting poor user experience, since it's not regularly populated throughout a session, it isn't a reliable environment baseline.

+The Graphics table only captures performance data from the Azure Virtual Desktop graphics stream. This table doesn't capture performance degradation or "slowness" caused by application-specific factors or the virtual machine (CPU or storage constraints). You should use this table with other VM performance metrics to determine if the delay is caused by the remote desktop service (graphics and network) or something inherent in the VM or app itself.

+The graphics data you collect for your data tables includes the following information:

+- The **Last evaluated connection time interval** is the two minutes leading up to the time graphics indicators fell below the quality threshold.

+- The **end-to-end delay (milliseconds)** is the delay in the time between when a frame is captured on the server until the time frame is rendered on the client, measured as the sum of the encoding delay on the server, network delay, the decoding delay on the client, and the rendering time on the client. The delay reflected is the highest (worst) delay recorded in the last evaluated connection time interval.

+- The **compressed frame size (bytes)** is he compressed size of the frame with the highest end-to-end delay in the last evaluated connection time interval.

+- The **encoding delay on the server (milliseconds)** is the time it takes to encode the frame with the highest end-to-end delay in the last evaluated connection time interval on the server.

+- The **decoding delay on the client (milliseconds)** is the time it takes to decode the frame with the highest end-to-end delay in the last evaluated connection time interval on the client.

+- The **rendering delay on the client (milliseconds)** is the time it takes to render the frame with the highest end-to-end delay in the last evaluated connection time interval on the client.

+- The **percentage of frames skipped** is the total percentage of frames dropped by these three sources:

+

+ - The client (slow client decoding).

+ - The network (insufficient network bandwidth).

+ - The server (the server is busy).

+ The recorded values (one each for client, server, and network) are from the second with the highest dropped frames in the last evaluated connection time interval.

+- The **estimated available bandwidth (kilobytes per second)** is the average estimated available network bandwidth during the second with the highest end-to-end delay in the time interval.

+- The **estimated round trip time (milliseconds)**, which is the average estimated round trip time during the second with the highest end-to-end delay in the time interval. Round trip time is how long a network request takes to go from the end-user's device to the session host through the network, then return from the session host to the end-user device.

+- The **Correlation ID**, which is the ActivityId of a specific Azure Virtual Desktop connection that's assigned to every diagnostic within that connection.

+- The **Resource ID** is a unique ID assigned to the Azure Virtual Desktop host pool associated with the data the diagnostics service collects for this table.

+#### Frequency

+In contrast to other diagnostics tables that report data at regular intervals throughout a session, the frequency of data collection for the graphics data varies depending on the graphical health of a connection. The table won't record data for "Good" scenarios, but will recording if any of the following metrics are recorded as "Poor" or "Okay," and the resulting data will be sent to your storage account. Data only records once every two minutes, maximum. The metrics involved in data collection are listed in the following table:

+| Metric | Bad | Okay | Good |

+|--|--|||

+| Percentage of dropped frames with low frame rate (less than 15 fps) | Greater than 15% | 10%ΓÇô15% | less than 10% |

+| Percentage of dropped frames with high frame rage (greater than 15 fps) | Greater than 50% | 20%ΓÇô50% | Less than 20% |

+| End-to-end delay per frame | Greater than 300 ms | 150 msΓÇô300 ms | Less than 150 ms |

+>[!NOTE]

+>For end-to-end delay per frame, if any frame in a single second is delayed by over 300 ms, the service registers it as "Bad". If all frames in a single second take between 150 ms and 300 ms, the service marks it as "Okay."

+## Sample queries for Azure Log Analytics: network data

+|Redundancy|Locally redundant/zone-redundant/geo-redundant/geo-zone-redundant|Locally redundant/geo-redundant [with cross-region replication](/azure/azure-netapp-files/cross-region-replication-introduction)|Locally redundant/zone-redundant/geo-redundant|

+|Tiers and performance| Standard (Transaction optimized)<br>Premium<br>Up to max 100K IOPS per share with 10 GBps per share at about 3 ms latency|Standard<br>Premium<br>Ultra<br>Up to 4.5GBps per volume at about 1 ms latency. For IOPS and performance details, see [Azure NetApp Files performance considerations](/azure/azure-netapp-files/azure-netapp-files-performance-considerations) and [the FAQ](/azure/azure-netapp-files/faq-performance#how-do-i-convert-throughput-based-service-levels-of-azure-netapp-files-to-iops).|Standard HDD: up to 500 IOPS per-disk limits<br>Standard SSD: up to 4k IOPS per-disk limits<br>Premium SSD: up to 20k IOPS per-disk limits<br>We recommend Premium disks for Storage Spaces Direct|

+## Azure NetApp Files tiers

+Azure NetApp Files volumes are organized in capacity pools. Volume performance is defined by the service level of the hosting capacity pool. Three performance levels are offered, ultra, premium and standard. For more information, see [Storage hierarchy of Azure NetApp Files](/azure/azure-netapp-files/azure-netapp-files-understand-storage-hierarchy).

+## My connection data isn't going to Azure Log Analytics

+If your **Connection Network Data Logs** aren't going to Azure Log Analytics every two minutes, you'll need to check the following things:

+- Make sure you've [configured the diagnostic settings correctly](diagnostics-log-analytics.md).

+- Make sure you've configured the VM and [monitoring agents](azure-monitor.md) correctly.

+- Make sure you're actively using the session. Sessions that aren't actively used won't send data to Azure Log Analytics as frequently.

+[Nested Virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization): Supported <br>

+[Nested Virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization): Supported <br>

+ "msiEndpoint": <Required when msiClientId is provided. MSI endpoint e.g. for most Azure VMs: "http://169.254.169.254/metadata/identity">,

+ "msiClientId": <Required when VM has any user assigned identities. MSI identity e.g.: "c7373ae5-91c2-4165-8ab6-7381d6e75619".>

+> The 'authenticationSettings' property is **required** for VMs with any **user assigned identities**. Even if you want to use a system assigned identity this is still required otherwise the VM extension will not know which identity to use. Without this section, a VM with user assigned identities will result in the Key Vault extension failing and being unable to download certificates.

+ "msiEndpoint": <Required when msiClientId is provided. MSI endpoint e.g. for most Azure VMs: "http://169.254.169.254/metadata/identity">,

+ "msiClientId": <Required when VM has any user assigned identities. MSI identity e.g.: "c7373ae5-91c2-4165-8ab6-7381d6e75619".>

+> The 'authenticationSettings' property is **required** for VMs with any **user assigned identities**. Even if you want to use a system-assigned identity, this is still required; otherwise the VM extension will not know which identity to use. Without this section, a VM with user-assigned identities will result in the Key Vault extension failing and being unable to download certificates.

+ qemu-img convert -f raw -o subformat=fixed,force_size -O vpc MyLinuxVM.raw MyLinuxVM.vhd

+ Or, with qemu versions before 2.6, remove the `force_size` option.

+ qemu-img convert -f raw -o subformat=fixed -O vpc MyLinuxVM.raw MyLinuxVM.vhd

+- It's possible to switch from pay-as-you-go images to BYOS using the [Azure Hybrid Benefit](../../linux/azure-hybrid-benefit-linux.md). To convert from RHEL BYOS to pay-as-you-go, follow the steps in [Azure Hybrid Benefit for bring-your-own-subscription Linux virtual machines](../../linux/azure-hybrid-benefit-byos-linux.md#get-started)

+Review this section to familiarize yourself with considerations for designing virtual networks with NAT gateway.

+Connecting from your Azure virtual network to Azure PaaS services can be done directly over the Azure backbone and bypass the internet. When you bypass the internet to connect to other Azure PaaS services, you free up SNAT ports and reduce the risk of SNAT port exhaustion. [Private Link](../../private-link/private-link-overview.md) should be used when possible to connect to Azure PaaS services in order to free up SNAT port inventory.

+Private Link uses the private IP addresses of your virtual machines or other compute resources from your Azure network to directly connect privately and securely to Azure PaaS services over the Azure backbone. See a list of all [Azure service listed here](../../private-link/availability.md) that are supported by Private Link.

+### Coexistence of outbound and inbound connectivity

+### Monitor outbound network traffic with NSG flow logs

+A network security group allows you to filter inbound and outbound traffic to and from a virtual machine. To monitor outbound traffic flowing from NAT, you can enable NSG flow logs.

+To learn more about NSG flow logs, see [NSG Flow Log Overview](../../network-watcher/network-watcher-nsg-flow-logging-overview.md).

+For guides on how to enable NSG flow logs, see [Enabling NSG Flow Logs](../../network-watcher/network-watcher-nsg-flow-logging-overview.md#enabling-nsg-flow-logs).

+## Performance

+Each NAT gateway can provide up to 50 Gbps of throughput. This data throughput includes data processed both outbound and inbound through a NAT gateway resource. You can split your deployments into multiple subnets and assign each subnet or group of subnets a NAT gateway to scale out.

+NAT gateway can support up to 50,000 concurrent connections per public IP address to the same destination endpoint over the internet for TCP and UDP. NAT gateway can process 1M packets per second and scale up to 5M packets per second.

+Review the following section for details and the [troubleshooting article](./troubleshoot-nat.md) for specific problem resolution guidance.

+## Scalability

+Scaling NAT gateway is primarily a function of managing the shared, available SNAT port inventory. NAT needs sufficient SNAT port inventory for expected peak outbound flows for all subnets that are attached to a NAT gateway. You can use public IP addresses, public IP prefixes, or both to create SNAT port inventory.

+A single NAT gateway can scale up to 16 IP addresses. Each NAT gateway public IP address provides 64,512 SNAT ports to make outbound connections. NAT gateway can scale up to over 1 million SNAT ports. TCP and UDP are separate SNAT port inventories and are unrelated to NAT gateway.

+> [!NOTE]

+> If you assign a public IP prefix, the entire public IP prefix is used. You can't assign a public IP prefix and then break out individual IP addresses to assign to other resources. If you want to assign individual IP addresses from a public IP prefix to multiple resources, you need to create individual public IP addresses and assign them as needed instead of using the public IP prefix itself.

+When you scale your workload, assume that each flow requires a new SNAT port, and then scale the total number of available IP addresses for outbound traffic. Carefully consider the scale you're designing for, and then allocate IP addresses quantities accordingly.

+SNAT maps private addresses in your subnet to one or more public IP addresses attached to NAT gateway, rewriting the source address and source port in the process. SNAT ports sent to different destinations will most likely be reused when possible. As SNAT port exhaustion approaches, flows may not succeed.

+For a SNAT example, see [SNAT fundamentals](#source-network-address-translation).

+A NAT gateway will translate flow 4 to a source port that may already be in use for other destinations as well (see flow 1 from table above). See [Scale NAT gateway](#scalability) for more discussion on correctly sizing your IP address provisioning.

+6. In the **Threshold value** box, enter a percentage value that the Total SNAT connection count must drop below before an alert is fired. When deciding what threshold value to use, keep in mind how much you've scaled out your NAT gateway outbound connectivity with public IP addresses. For more information, see [Scale NAT gateway](./nat-gateway-resource.md#scalability).

+1. On the **Monitoring** tab, set **Boot diagnostics** to **Disable**. Accept the other defaults and then select **Review + create**.