+

+**Potential benefits**: Ensure uninterrupted access to ADMA

+

+

+**Potential benefits**: Ensure uninterrupted access to ADMA

+

+

+**Potential benefits**: Ensure uninterrupted access to ADMA

+

+

+**Potential benefits**: Ensure uninterrupted access to ADMA

+

+

+**Potential benefits**: Improve service stability and leverage new platform features

+

+

+**Potential benefits**: Ensure service availability

+

+

+**Potential benefits**: Ensure business continuity

+

+

+**Potential benefits**: Improve service stability

+

+

+**Potential benefits**: Ensure service availability

+

+

+**Potential benefits**: Increased resilience against regional failures

+

+

+**Potential benefits**: Increase scalability and optimize cost.

+

+

+**Potential benefits**: Keep your app healthy

+

+

+**Potential benefits**: Keep your app healthy

+

+

+**Potential benefits**: Ensure business continuity

+

+

+**Potential benefits**: Ensure business continuity

+

+

+**Potential benefits**: Keep your app healthy

+

+

+**Potential benefits**: Optimize user experience and availability

+

+

+**Potential benefits**: Keep your app healthy and highly available

+

+

+**Potential benefits**: Keep your app healthy

+

+

+**Potential benefits**: Keep your app healthy while updating

+

+

+**Potential benefits**: Higher availability for the apps by avoiding throttling.

+

+

+**Potential benefits**: Keep your app healthy while updating

+

+**Potential benefits**: NA

+

+

+

+**Potential benefits**: Improve your application reliability

+

+

+**Potential benefits**: Ensure successful issuance of App Service Certificate.

+

+

+**Potential benefits**: Ensure business continuity through application gateway resilience

+

+

+**Potential benefits**: Ensure site integrity and avoid broken cookies or redirect urls through a resilient Application Gateway configuration.

+

+

+**Potential benefits**: Improve time-to-detect and time-to-mitigate issues in your network and provide insights on your network path via ExpressRoute

+

+

+**Potential benefits**: Improve resiliency in case of ExpressRoute peering location failure

+

+

+**Potential benefits**: Improve resiliency by allowing failover

+

+

+**Potential benefits**: Improve resiliency by avoiding traffic black holes

+

+

+**Potential benefits**: Improve resiliency by allowing failover to another region

+

+

+**Potential benefits**: Additional available features and higher stability and availability

+

+

+**Potential benefits**: Ensure business continuity through connection resilience

+

+

+**Potential benefits**: Ensure service availability by reducing unnecessary health probe traffic

+

+

+**Potential benefits**: Ensure service availability by having Front Door manage and rotate your certificates

+

+

+**Potential benefits**: Prevent outbound connection failures with NAT gateway

+

+

+**Potential benefits**: Resiliency of Application Gateways is considerably increased when using Availability Zones.

+

+

+**Potential benefits**: Avoid disruptions in management of Application Gateway resource

+

+

+**Potential benefits**: Ensure application integrity by preserving original host name

+

+

+**Potential benefits**: Maximum Resiliency in ExpressRoute is designed to ensure there isnΓÇÖt a single point of failure within the Microsoft network path. This is achieved by offering dual (2) circuits across two different locations for site diversity in ExpressRoute. The goal of Maximum Resiliency is to enhance availability and ensure the highest level of resilience for critical workloads.

+

+

+**Potential benefits**: Provides zonal resiliency and redundancy for ExpressRoute

+

+

+**Potential benefits**: Increase performance and resiliency.

+

+The version of Application Gateway for Containers was provisioned with a preview version and isn't supported for production. Ensure you provision a new gateway using the latest API version.

+

+**Potential benefits**: Ensure supportability and resiliency for production workloads

+

+

+**Potential benefits**: capability to handle more data

+

+

+**Potential benefits**: capability to handle more data

+

+

+**Potential benefits**: Able to index additional data

+

+

+**Potential benefits**: Arc-enabled K8s latest agent version

+

+

+**Potential benefits**: Continued support and new functionality

+

+

+**Potential benefits**: Improved stability, security, and new functionality

+

+

+**Potential benefits**: Get security patches, bug fixes and Microsoft support

+

+

+**Potential benefits**: Improved stability and new functionality

+

+

+**Potential benefits**: Avoid availability incidents when your cache has high memory fragmentation

+

+

+**Potential benefits**: Geo-Replication enables disaster recovery for cached data.

+

+

+**Potential benefits**: Avoid DNS failures in your Container Apps Environment.

+

+

+**Potential benefits**: Your service wont fail because of expired certificate.

+

+

+**Potential benefits**: Avoid downtime due to an expired certificate.

+

+

+**Potential benefits**: Better availability for your container app.

+

+

+**Potential benefits**: Scale your containers seamlessly with increase in storage or request rates without running into any limits

+

+

+**Potential benefits**: Optimize your RU usage and avoid rate limiting

+

+

+**Potential benefits**: Update your configurations to continue using customer-managed keys and access your data

+

+

+**Potential benefits**: Improve query result consistency and reliability

+

+

+**Potential benefits**: If action isnΓÇÖt taken, all create, read, update, and delete operations may begin to fail with NumberFormatException

+

+

+**Potential benefits**: If action isnΓÇÖt taken, all create, read, update, and delete operations may begin to fail with NumberFormatException

+

+

+**Potential benefits**: Take advantage of the latest features in version 3.6+ of Azure Cosmos DB's API for MongoDB

+

+

+**Potential benefits**: Improved reliability, query/storage efficiency, performance, and new feature capabilities

+

+**Potential benefits**: Prevent throttling and improve your query reliability and performance

+

+

+

+**Potential benefits**: Improve the availability of your production workloads

+

+

+**Potential benefits**: Improved reliability, performance, and new feature capabilities

+

+

+**Potential benefits**: Improved reliability, performance, and new feature capabilities

+

+

+**Potential benefits**: Azure's Service-Managed Failover feature enhances system availability by automating failover processes, reducing downtime, and improving resilience.

+

+

+**Potential benefits**: Activate HA to avoid database downtime in case of an unexpected node failure

+

+

+**Potential benefits**: Improved high availability and reduced risk of data loss

+

+

+**Potential benefits**: Ensure applications have another region in case of disaster recovery

+

+

+**Potential benefits**: Optimize control plane operation and avoid operation failure due to rate limiting

+

+

+**Potential benefits**: Improve reliability, availability, performance, and new feature capabilities

+

+

+**Potential benefits**: Improve reliability, availability, performance, and new feature capabilities

+

+

+**Potential benefits**: By implementing this approach, the standby server will be shielded from the adverse effects of high replication lag caused by the absence of a primary key on any table. This approach can contribute to reduced failover times, ultimately supporting the goal of maintaining business continuity.

+

+

+**Potential benefits**: By implementing this approach, the replica server will achieve a state of close synchronization with the primary server.

+

+

+**Potential benefits**: Improve PostgreSQL availability by removing inactive logical replication slots

+

+

+**Potential benefits**: Improve PostgreSQL availability by removing inactive logical replication slots

+

+

+**Potential benefits**: Ensures recovery from regional failure or disaster.

+

+

+**Potential benefits**: Configure maintenance window enables avoiding maintenance during system peak.

+

+

+**Potential benefits**: Ensure business continuity with latest supported version for your Edge devices

+

+

+**Potential benefits**: Ensure business continuity with supported SDK for your devices

+

+

+**Potential benefits**: Improve connectivity of your devices

+

+

+**Potential benefits**: Ensure business continuity with supported SDK

+

+

+**Potential benefits**: The IoT Hub can receive messages again.

+

+

+**Potential benefits**: Enabling Autoscaler for system node pool ensures system pods are scheduled and cluster can function.

+

+

+**Potential benefits**: Having 2 nodes ensures resiliency against node failures.

+

+

+**Potential benefits**: Ensures cluster reliability by preventing resource scarcity for core system pods

+

+

+**Potential benefits**: Best practice for consistent performance

+

+

+**Potential benefits**: Optimize DNS Connectivity with Azure Netapp Files

+

+**Potential benefits**: Prevent volume creation failures by ensuring subnet/read permissions

+

+

+

+**Potential benefits**: Improve resiliency of SAP Application on ANF

+

+

+**Potential benefits**: Manage disaster recovery easily with Azure NetApp Files replication features

+

+

+**Potential benefits**: Prevent application disruptions by enabling Continuous Availability for SMB volumes

+

+

+**Potential benefits**: Helps recovery of backup data in cases of accidental deletion

+

+

+**Potential benefits**: As one of the restore options, Cross Region Restore (CRR) allows you to restore Azure VMs in a secondary region, which is an Azure paired region.

+

+

+**Potential benefits**: Higher stability and availability

+

+

+**Potential benefits**: Enabling disaster recovery creates a continuously synchronized readable secondary database for a primary database.

+

+

+**Potential benefits**: Enabling zone redundancy ensures Azure SQL Database is resilient to zonal hardware and software failures and the recovery is transparent to applications.

+

+

+**Potential benefits**: The latest version of AKS enabled by Azure Arc with new functionality and improved stability.

+

+

+**Potential benefits**: The latest version of AKS enabled by Azure Arc with new functionality and improved stability.

+

+**Potential benefits**: Ensure the ability to manage your data by migrating your classic storage account(s)

+

+

+

+**Potential benefits**: Continuity of your service

+

+

+**Potential benefits**: Our new API versions contain the latest and greatest features and capabilities.

+

+

+**Potential benefits**: If you upgrade to a paid SKU you can use the resource again today.

+

+

+**Potential benefits**: The Premium tier provides the highest amount of performance, scale and resiliency options

+

+

+**Potential benefits**: Improved resilience and pull performance, simplified registry management and reduced data transfer costs

+

+**Potential benefits**: Ensure service availability.

+

+

+

+**Potential benefits**: Ensure service availability.

+

+

+**Potential benefits**: undefined

+

+

+**Potential benefits**: LatestΓÇÖ version can be automatically rotated.

+

+

+**Potential benefits**: Ensure service availability.

+

+

+**Potential benefits**: Improves high availability and reduced risk of data loss

+

+

+**Potential benefits**: To get the latest changes and bug fixes on the Self-Hosted Integration runtime

+

+

+**Potential benefits**: Improved reliability

+

+

+**Potential benefits**: Ensure cluster health and stability

+

+

+**Potential benefits**: This change is to improve cluster security posture

+

+

+**Potential benefits**: Avoid Kafka broker issues

+

+

+**Potential benefits**: Security posture improvement for HDInsight

+

+

+**Potential benefits**: Get the latest fixes and features

+

+A cluster not using the latest image doesn't have the latest upgrades. Your cluster isn't using the latest image. We recommend you use the latest versions of HDInsight images for the best of open source updates, Azure updates, and security fixes. HDInsight releases happen every 30 to 60 days.

+

+**Potential benefits**: Get the latest fixes and features

+

+**Potential benefits**: Improved availability

+

+

+**Potential benefits**: Improved Reliability in Scaling and Network connectivity

+

+

+

+**Potential benefits**: Avoid any disruption to service due to customer exceeding quota limits.

+

+

+**Potential benefits**: Service Bus premium tier offers better resiliency with CPU and memory resource isolation as well as Geo-disaster recovery

+

+

+**Potential benefits**: Enabling autoscale prevents users from capacity constraints

+

+

+**Potential benefits**: SQL aware backups with no-infra for backup, centralized management, AG integration and point-in-time restore

+

+

+**Potential benefits**: Avoid scale issues when account reaches capacity limit

+

+

+**Potential benefits**: Protect data from accidental or malicious deletion

+

+

+**Potential benefits**: Ensure your business-critical applications stay protected

+

+

+**Potential benefits**: Stay informed about issues and advisories across 4 areas (Service issues, Planned maintenance, Security advisories and Health advisories)

+

+

+**Potential benefits**: Ensure business continuity through data resilience

+

+

+**Potential benefits**: Ensure business continuity in case of any Azure region outage

+

+

+**Potential benefits**: Ensures better security, stability and resiliency than hard coded IP Addresses

+

+

+**Potential benefits**: Improved availability with single VM SLA available only when all disks are premium

+

+

+**Potential benefits**: Leverage higher resiliency and other benefits of Managed Disks

+

+

+**Potential benefits**: Minimize any potential disruptions to your VM workloads

+

+

+**Potential benefits**: Minimize any potential disruptions to your VM workloads

+

+

+**Potential benefits**: Minimize any potential disruptions to your VM workloads

+

+

+**Potential benefits**: Minimize any potential disruptions to your Virtual Machine Scale Set workloads

+

+

+**Potential benefits**: Minimize any potential disruptions to your Virtual Machine Scale Set workloads

+

+

+**Potential benefits**: Minimize any potential disruptions to your Virtual Machine Scale Set workloads

+

+

+**Potential benefits**: Ensure successful deployment and session host functionality when using Windows Virtual Desktop service

+

+

+**Potential benefits**: Reduce write failures due to region outages

+

+

+**Potential benefits**: Usage of zonal VMs protect your apps from zonal outage in any other zones.

+

+

+**Potential benefits**: Increase resiliency by exposing application health to Azure

+

+

+**Potential benefits**: Protection of your Virtual Machines

+

+

+**Potential benefits**: Increase resiliency by automating repair of failed instances

+

+

+**Potential benefits**: Ensures high availability while maintaining cost-efficiency

+

+

+**Potential benefits**: By designing your applications to use ZRS Disks, your data is replicated across 3 Availability Zones, making your disk resilient to a zonal outage

+

+

+**Potential benefits**: Improved Database availability and resource use

+

+**Potential benefits**: Seamless connection brokering operations

+

+

+

+**Potential benefits**: High availability and on-demand large scale for Hyperspace web servers in Epic DB

+

+

+**Potential benefits**: Reliability of HA setup in SAP workloads

+

+

+**Potential benefits**: Reliability of HA setup in SAP workloads

+

+

+**Potential benefits**: Reliability of HA setup in SAP workloads

+

+

+**Potential benefits**: Reliability of HA setup in SAP workloads

+

+

+**Potential benefits**: Reliability of HA setup in SAP workloads

+

+

+**Potential benefits**: Reliability of HA setup in SAP workloads

+

+

+**Potential benefits**: Reliability of HA setup in SAP workloads

+

+

+**Potential benefits**: Reliability of HA setup in SAP workloads

+

+

+**Potential benefits**: Reliability of HA setup in SAP workloads

+

+

+**Potential benefits**: Reliability of HA setup in SAP workloads

+

+

+**Potential benefits**: Reliability of HA setup in SAP workloads

+

+

+**Potential benefits**: Reliability of HA setup in SAP workloads

+

+

+**Potential benefits**: Reliability of HA setup in SAP workloads

+

+

+**Potential benefits**: Reliability of HA setup in SAP workloads

+

+

+**Potential benefits**: Reliability of HA setup in SAP workloads

+

+

+**Potential benefits**: Reliability of HA setup in SAP workloads

+

+

+**Potential benefits**: Reliability of HA setup in SAP workloads

+

+

+**Potential benefits**: Reliability of HA setup in SAP workloads

+

+

+**Potential benefits**: Reliability of HA setup in SAP workloads

+

+

+**Potential benefits**: Reliability of HA setup in SAP workloads

+

+

+**Potential benefits**: Reliability of HA setup in SAP workloads

+

+

+**Potential benefits**: Reliability of HA setup in SAP workloads

+

+

+**Potential benefits**: Reliability of HA setup in SAP workloads

+

+

+**Potential benefits**: Reliability of HA setup in SAP workloads

+

+

+**Potential benefits**: Reliability of HA setup in SAP workloads

+

+

+**Potential benefits**: Reliability of HA setup in SAP workloads

+

+

+**Potential benefits**: Reliability of HA setup in SAP workloads

+

+

+**Potential benefits**: Reliability of HA setup in SAP workloads

+

+

+**Potential benefits**: Reliability of HA setup in SAP workloads

+

+

+**Potential benefits**: Reliability of HA setup in SAP workloads

+

+

+**Potential benefits**: Reliability of HA setup in SAP workloads

+

+

+**Potential benefits**: Reliability of HA setup in SAP workloads

+

+

+**Potential benefits**: Reliability of HA setup in SAP workloads

+

+

+**Potential benefits**: Reliability of HA setup in SAP workloads

+

+

+**Potential benefits**: Reliability of HA setup in SAP workloads

+

+

+**Potential benefits**: Reliability of HA setup in SAP workloads

+

+

+**Potential benefits**: Reliability of HA setup in SAP workloads

+

+

+**Potential benefits**: Reliability of HA setup in SAP workloads

+

+

+**Potential benefits**: Reliability of HA setup in SAP workloads

+

+

+**Potential benefits**: Reliability of HA setup in SAP workloads

+

+

+**Potential benefits**: Reliability of HA setup in SAP workloads

+

+

+**Potential benefits**: Reliability of HA setup in SAP workloads

+

+

+**Potential benefits**: Reliability of HA setup in SAP workloads

+

+

+**Potential benefits**: Reliability of HA setup in SAP workloads

+

+

+**Potential benefits**: Reliability of HA setup in SAP workloads

+

+

+**Potential benefits**: Reliability of HA setup in SAP workloads

+

+Workspace gateways are currently available in the following regions:

+* A workspace gateway needs to be in the same region as the API Management instance's primary Azure region and in the same subscription.

+1. Create a new JSON file for your configuration at the root of your project (deployed to C:\home\site\wwwroot in your web / function app). Fill in your desired configuration according to the [file-based configuration reference](#configuration-file-reference). If modifying an existing Azure Resource Manager configuration, make sure to translate the properties captured in the `authsettings` collection into your configuration file.

+ You can also change the `DEPLOYMENT_BRANCH` app setting in the Azure portal, by selecting **Environment variables** under **Settings** and adding a new App setting with a name of `DEPLOYMENT_BRANCH` and value of `main`.

+You can also run a package from an external URL, such as Azure Blob Storage. You can use the [Azure Storage Explorer](../vs-azure-tools-storage-manage-with-storage-explorer.md) to upload package files to your Blob storage account. You should use a private storage container with a [Shared Access Signature (SAS)](../vs-azure-tools-storage-manage-with-storage-explorer.md#generate-a-sas-in-storage-explorer) or [use a managed identity](#access-a-package-in-azure-blob-storage-using-a-managed-identity) to enable the App Service runtime to access the package securely.

+> [!NOTE]

+> Currently, an existing App Service resource that runs a local package cannot be migrated to run from a remote package. You will have to create a new App Service resource configured to run from an external URL.

+description: Learn how App Service plans work in Azure App Service, how they're billed, and how to scale them for your needs.

+The _pricing tier_ of an App Service plan determines what App Service features you get and how much you pay for the plan. The pricing tiers available to your App Service plan depend on the operating system selected at creation time. These are the categories of pricing tiers:

+- **Shared compute**: **Free** and **Shared**, the two base tiers, run an app on the same Azure VM as other App Service apps, including apps of other customers. These tiers allocate CPU quotas to each app that runs on the shared resources, and the resources cannot scale out. These tiers are intended to be used only for development and testing purposes.

+- **Dedicated compute**: The **Basic**, **Standard**, **Premium**, **PremiumV2**, and **PremiumV3** tiers run apps on dedicated Azure VMs. Only apps in the same App Service plan share the same compute resources. The higher the tier, the more VM instances that are available to you for scale-out.

+- **Isolated**: The **Isolated** and **IsolatedV2** tiers run dedicated Azure VMs on dedicated Azure virtual networks. They provide network isolation on top of compute isolation to your apps. They provide the maximum scale-out capabilities.

+Each tier also provides a specific subset of App Service features. These features include custom domains and TLS/SSL certificates, autoscaling, deployment slots, backups, Traffic Manager integration, and more. The higher the tier, the more features that are available. To find out which features are supported in each pricing tier, see [App Service plan details](https://azure.microsoft.com/pricing/details/app-service/windows/#pricing).

+## PremiumV3 pricing tier

+Multiple VM sizes are available for this tier, including 4-to-1 and 8-to-1 memory-to-core ratios:

+When you create an app in App Service, it's part of an App Service plan. When the app runs, it runs on all the VM instances configured in the App Service plan. If multiple apps are in the same App Service plan, they all share the same VM instances. If you have multiple deployment slots for an app, all deployment slots also run on the same VM instances. If you enable diagnostic logs, perform backups, or run [WebJobs](webjobs-create.md), they also use CPU cycles and memory on these VM instances.

+Except for the **Free** tier, an App Service plan carries a charge on the compute resources it uses.

+- App Service Domains - You pay when you purchase one in Azure and when you renew it each year.

+- App Service Certificates - You pay when you purchase one in Azure and when you renew it each year.

+- IP-based TLS connections - There's an hourly charge for each IP-based TLS connection, but some **Standard** tiers or above give you one IP-based TLS connection for free. SNI-based TLS connections are free.

+Your App Service plan can be scaled up and down at any time. It's as simple as changing the pricing tier of the plan. You can choose a lower pricing tier at first and scale up later when you need more App Service features.

+The same works in reverse. When you feel you no longer need the capabilities or features of a higher tier, you can scale down to a lower tier, which saves you money.

+If your app is in the same App Service plan with other apps, you may want to improve the app's performance by isolating the compute resources. You can do this by moving the app into a separate App Service plan. For more information, see [Move an app to another App Service plan](app-service-plan-manage.md#move).

+- The app is resource-intensive. The number may actually be lower depending on how resource intensive the hosted applications are. However, for general guidance, refer to the table below:

+ | App Service Plan SKU | Maximum Apps |

+ | I4v2, I5v2, I6v2 | Maximum density bound by vCPU usage |

+ | P3mv3, P4mv3, P5mv3 | Maximum density bound by vCPU usage |

+- The app needs resources in a different geographical region.

+ This way you can allocate a new set of resources for your app and gain greater control of your apps.

+> [!NOTE]

+> An active slot is also classified as an active app because it too is competing for resources on the same App Service Plan.

+## Next step

+ > * The [Private-only deployment](application-gateway-private-deployment.md) (with only private IP) for the Application Gateway v2 SKU is currently in Public Preview.

+ > * Application Gateway frontend now supports dual-stack IP addresses in Public Preview. You can create up to four frontend IP addresses: Two IPv4 addresses (public and private) and two IPv6 addresses (public and private).

+- A Standard or Premium tier Azure App Configuration instance.

+- An Azure Key Vault with soft-delete and purge-protection features enabled.

+1. [Create an App Configuration store](./quickstart-azure-app-configuration-create.md) in the Standard or Premium tier if you don't have one.

+Enabling private endpoints requires a [Standard or Premium tier](https://azure.microsoft.com/pricing/details/app-configuration/) App Configuration store. To learn about private link pricing details, see [Azure Private Link pricing](https://azure.microsoft.com/pricing/details/private-link).

+App Configuration has three tiers, Free, Standard and Premium. Check the following details for snapshot quotas in each tier.

+* **Premium tier**: This tier has a snapshot storage quota of 4 GB. One can create as many snapshots as possible as long as the total storage size of all active and archived snapshots is less than 4 GB.

+Azure App Configuration's Soft delete feature allows recovery of your data such as key-values, feature flags, and revision history of a deleted store. It's automatically enabled for all stores in the Standard and Premium tiers. In this article, learn more about the soft delete feature and its functionality.

+ | **Pricing tier** | *Standard* or *Premium* | Select the Standard or Premium pricing tier. For more information, see the [App Configuration pricing page](https://azure.microsoft.com/pricing/details/app-configuration). |

+- Collect log data for analysis with [Logs in Azure Monitor](../../azure-monitor/logs/data-platform-logs.md) by enabling the Azure Monitor agent VM extension. Log data analysis makes it useful for doing complex analysis across log data from different kinds of sources.

+- With [VM insights](../../azure-monitor/vm/vminsights-overview.md), it analyzes the performance of your Windows and Linux VMs, and monitors their processes and dependencies on other resources and external processes. This is achieved through enabling both the Azure Monitor agent and Dependency agent VM extensions.

+### Azure Monitor agent VM extension

+Before you install the extension we suggest you review the [deployment options for the Azure Monitor agent](concept-log-analytics-extension-deployment.md) to understand the different methods available and which meets your requirements.

+|Operating system |Azure Monitor agent |Dependency VM Insights |Qualys |Custom Script |Key Vault |Hybrid Runbook |Antimalware Extension |Windows Admin Center |

+|--|--|--|-|--|-||-||

+|Windows Server 2022 |X |X |X |X | |X | |X |

+|Windows Server 2019 |X |X |X |X |X | | |X |

+|Windows Server 2016 |X |X |X |X |X |X |Built-in |X |

+|Windows Server 2012 R2 |X |X |X |X | |X |X | |

+|Windows Server 2012 |X |X |X |X |X |X |X | |

+|Windows Server 2008 R2 SP1 |X |X |X |X | |X |X | |

+|Windows Server 2008 R2 | | |X |X | |X |X | |

+|Windows Server 2008 SP2 | | |X |X | |X | | |

+|Windows 11 client OS |X | |X | | | | | |

+|Windows 10 1803 (RS4) and higher |X | |X |X | | | | |

+|Windows 10 Enterprise (including multi-session) and Pro (Server scenarios only) |X |X |X |X | |X | | |

+|Windows 8 Enterprise and Pro (Server scenarios only) | |X |X | | |X | | |

+|Windows 7 SP1 (Server scenarios only) | |X |X | | |X | | |

+|Azure Stack HCI (Server scenarios only) | | |X | | |X | | |

+|Operating system |Azure Monitor agent |Dependency VM Insights |Qualys |Custom Script |Key Vault |Hybrid Runbook |Antimalware Extension |Connected Machine agent |

+|--|--|--|-|--|-||-||

+|Amazon Linux 2 | | |X | | |X |X |

+|CentOS Linux 8 |X |X |X |X | |X |X |

+|CentOS Linux 7 |X |X |X |X | |X |X |

+|CentOS Linux 6 | | |X |X | |X | |

+|Debian 10 |X | |X |X | |X | |

+|Debian 9 |X |X |X |X | | | |

+|Debian 8 | |X |X | | |X | |

+|Debian 7 | | |X | | |X | |

+|OpenSUSE 13.1+ | | |X |X | | | |

+|Oracle Linux 8 |X | |X |X | |X |X |

+|Oracle Linux 7 |X | |X |X | |X |X |

+|Oracle Linux 6 | | |X |X | |X |X |

+|Red Hat Enterprise Linux Server 8 |X | |X |X | |X |X |

+|Red Hat Enterprise Linux Server 7 |X |X |X |X | |X |X |

+|Red Hat Enterprise Linux Server 6 | |X |X | | |X | |

+|SUSE Linux Enterprise Server 15.2 |X | |X |X |X | |X |

+|SUSE Linux Enterprise Server 15.1 |X | |X |X |X |X |X |

+|SUSE Linux Enterprise Server 15 SP1 |X |X |X |X |X |X |X |

+|SUSE Linux Enterprise Server 15 |X |X |X |X |X |X |X |

+|SUSE Linux Enterprise Server 15 SP5 |X |X |X |X | |X |X |

+|Ubuntu 20.04 LTS |X |X |X |X | |X |X |

+|Ubuntu 18.04 LTS |X |X |X |X |X |X |X |

+|Ubuntu 16.04 LTS |X |X |X | | |X |X |

+|Ubuntu 14.04 LTS | | |X | | |X | |

+- A resource pool or a cluster with a minimum capacity of 8 GB of RAM and 4 vCPUs.

+- A datastore with a minimum of 200 GB of free disk space or 400 GB for High Availability deployment, available through the resource pool or cluster.

+- 8 GB of memory

+ Title: "AZFD0013: The configured runtime does not match the worker runtime metadata found in the deployed function app artifacts."

+description: "Learn how to troubleshoot the event 'AZFD0013: The configured runtime does not match the worker runtime metadata found in the deployed function app artifacts' in Azure Functions."

+# AZFD0013: The configured runtime does not match the worker runtime metadata found in the deployed function app artifacts

+This event occurs when a function app has a `FUNCTIONS_WORKER_RUNTIME` setting specifying a language stack, but a payload for a different stack is deployed to it.

+| | Value |

+|-|-|

+| **Event ID** |AZFD0013|

+| **Severity** |Warning or Error|

+## Event description

+The `FUNCTIONS_WORKER_RUNTIME` application setting indicates the language or language stack on which the function app runs, such as `python`. For more information on valid values, see the [`FUNCTIONS_WORKER_RUNTIME`][fwr] reference. The deployed application must correspond with the provided value. If there is a mismatch, it means that either the value of `FUNCTIONS_WORKER_RUNTIME` is incorrect, or that an unexpected payload was deployed to the application.

+This event may appear for apps that were previously using inconsistent and undefined behavior to continue running while in a mismatch state. Follow the instructions in this article to resolve the event for these applications. Doing so allows these apps to take advantage of performance enhancements and ensure that they can continue to operate as expected.

+.NET apps undergoing a [migration from the in-process model to the isolated worker][isolated-migration] may encounter this event temporarily during that process. When `FUNCTIONS_WORKER_RUNTIME` is updated to "dotnet-isolated", but the application is still using an in-process model payload, this event may appear until the migration is completed. See the migration guidance for instructions on using deployment slots to prevent this event from appearing in your production environment.

+## How to resolve the event

+The event message indicates the current value of `FUNCTIONS_WORKER_RUNTIME` and the detected runtime metadata from the app payload. The values must be aligned, either by deploying an application of the appropriate type or by updating the value of `FUNCTIONS_WORKER_RUNTIME` to match.

+For most applications, the correct resolution is to update the value of [`FUNCTIONS_WORKER_RUNTIME`][fwr]. To do so, on your function app in Azure, set the `FUNCTIONS_WORKER_RUNTIME` [application setting][app-settings] to the [expected value][fwr] for your application payload. When running locally in the Azure Functions Core Tools, you should also add `FUNCTIONS_WORKER_RUNTIME` to the [local.settings.json file](../../functions-develop-local.md#local-settings-file).

+For apps following a migration guide, see that guide for relevant instructions. [Migrating .NET applications to the isolated worker model][isolated-migration] involves first setting `FUNCTIONS_WORKER_RUNTIME` to "dotnet-isolated" before deploying the updated application payload, and this event may appear temporarily between those steps.

+## When to suppress the event

+This event shouldn't be suppressed.

+[app-settings]: ../../functions-how-to-use-azure-function-app-settings.md#settings

+[fwr]: ../../functions-app-settings.md#functions_worker_runtime

+[isolated-migration]:../../migrate-dotnet-to-isolated-model.md

+1. Navigate to *src/main/java/org/example/functions/HttpTriggerJava.java* to see the code generated. Beside line 17, you should see a green **Run** button. Select it and then select **Run 'Functions-azur...'**. You should see your function app running locally with a few logs.

+1. You can try the function by accessing the displayed endpoint from browser, such as `http://localhost:7071/api/HttpTriggerJava?name=Azure`.

+1. Select line 20 of the file *src/main/java/org/example/functions/HttpTriggerJava.java* to add a breakpoint. Access the endpoint `http://localhost:7071/api/HttpTriggerJava?name=Azure` again and you should find that the breakpoint is hit. You can then try more debug features like **Step**, **Watch**, and **Evaluation**. Stop the debug session by selecting **Stop**.

+These host version migration guides also help you migrate to the isolated worker model as you work through them.

+Before you migrate an app to the isolated worker model, you should thoroughly review the contents of this guide. You should also familiarize yourself with the features of the [isolated worker model][isolated-guide] and the [differences between the two models](./dotnet-isolated-in-process-differences.md).

+1. Migrate your local project to the isolated worker model by following the steps in [Migrate your local project](#migrate-your-local-project).

+The section outlines the various changes that you need to make to your local project to move it to the isolated worker model. Some of the steps change based on your target version of .NET. Use the tabs to select the instructions that match your desired version. These steps assume a local C# project, and if your app is instead using C# script (`.csx` files), you should [convert to the project model](./functions-reference-csharp.md#convert-a-c-script-app-to-a-c-project) before continuing.

+First, convert the project file and update your dependencies. As you do, you will see build errors for the project. In subsequent steps, you'll make the corresponding changes to remove these errors.

+The rest of this section walks you through each of these steps.

+The `Function` attribute in the isolated worker model replaces the `FunctionName` attribute. The new attribute has the same signature, and the only difference is in the name. You can therefore just perform a string replacement across your project.

+In the in-process model, you could include an optional `ILogger` parameter to your function, or you could use dependency injection to get an `ILogger<T>`. If your app already used dependency injection, the same mechanisms work in the isolated worker model.

+However, for any Functions that relied on the `ILogger` method parameter, you need to make a change. It is recommended that you use dependency injection to obtain an `ILogger<T>`. Use the following steps to migrate the function's logging mechanism:

+ Replace both instances of `MyFunction` in the preceding code snippet with the name of your function class.

+ - **Input bindings typically need "Input" added to their name.** For example, if you used the `CosmosDB` input binding attribute in the in-process model, the attribute would now be `CosmosDBInput`.

+ - **Output bindings typically need "Output" added to their name.** For example, if you used the `Queue` output binding attribute in the in-process model, this attribute would now be `QueueOutput`.

+The value you have for `AzureWebJobsStorage`` might be different. You do not need to change its value as part of the migration.

+Updating your function app to the isolated model involves two changes that should be completed together, because if you only complete one, the app is in an error state. Both of these changes also cause the app process to restart. For these reasons, you should perform the update using a [staging slot](./functions-deployment-slots.md). Staging slots help minimize downtime for your app and allow you to test and verify your migrated code with your updated configuration in Azure. You can then deploy your fully migrated app to the production slot through a swap operation.

+> [!IMPORTANT]

+> [When an app's deployed payload doesn't match the configured runtime, it will be in an error state](./errors-diagnostics/diagnostic-events/azfd0013.md). During the migration process, you will put the app into this state, ideally only temporarily. Deployment slots help mitigate the impact of this, because the error state will be resolved in your staging (non-production) environment before the changes are applied as single update to your production environment. Slots also defend against any mistakes and allow you to detect any other issues before reaching production.

+>

+> During the process, you might still see errors in logs coming from your staging (non-production) slot. This is expected, though these should go away as you proceed through the steps. Before you perform the slot swap operation, you should confirm that these errors stop being raised and that your application is working as expected.

+Use the following steps to use deployment slots to update your function app to the isolated worker model:

+1. [Create a deployment slot](./functions-deployment-slots.md#add-a-slot) if you haven't already. You might also want to familiarize yourself with the slot swap process and ensure that you can make updates to the existing application with minimal disruption.

+1. Change the configuration of the staging (non-production) slot to use the isolated worker model by setting the `FUNCTIONS_WORKER_RUNTIME` application setting to `dotnet-isolated`. `FUNCTIONS_WORKER_RUNTIME` should **not** be marked as a "slot setting".

+ If you are also targeting a different version of .NET as part of your update, you should also change the stack configuration. To do so, see the [instructions to update the stack configuration for the isolated worker model](./update-language-versions.md?pivots=programming-language-csharp#update-the-stack-configuration). You will use the same instructions for any future .NET version updates you make.

+ If you have any automated infrastructure provisioning such as a CI/CD pipeline, make sure that the automations are also updated to keep `FUNCTIONS_WORKER_RUNTIME` set to `dotnet-isolated` and to target the correct .NET version.

+1. Publish your migrated project to the staging (non-production) slot of your function app.

+

+ If you use Visual Studio to publish an isolated worker model project to an existing app or slot that uses the in-process model, it can also complete the previous step for you at the same time. If you did not complete the previous step, Visual Studio prompts you to update the function app during deployment. Visual Studio presents this as a single operation, but these are still two separate operations. You might still see errors in your logs from the staging (non-production) slot during the interim state.

+1. Confirm that your application is working as expected within the staging (non-production) slot.

+1. Perform a [slot swap operation](./functions-deployment-slots.md#swap-slots). This applies the changes you made in your staging (non-production) slot to the production slot. A slot swap happens as a single update, which avoids introducing the interim error state in your production environment.

+1. Confirm that your application is working as expected within the production slot.

+Once you complete these steps, the migration is complete, and your app runs on the isolated model. Congratulations! Repeat the steps from this guide as necessary for [any other apps needing migration](#identify-function-apps-to-migrate).

+<a name='cognitive-services-azure-openai'></a>

+### [Azure AI

+- Configure encryption at rest of content in Azure OpenAI [using customer-managed keys in Azure Key Vault](/azure/ai-services/openai/encrypt-data-at-rest#use-customer-managed-keys-with-azure-key-vault).

+|China|China North 3 (Preview), China East 3 (Preview)|

+Restore-AzKeyVaultKey -VaultName '<target_key_vault_name>' -InputFile $keyDestination

+Azure Backup supports both Recovery Services vault and Backup vault, and enables you to back up and restore different datasources. You need to create the appropriate vault based on the datasource type that you want to protect. Learn more about [the supported vaults](/azure/backup/backup-azure-backup-faq#what-are-the-various-vaults-supported-for-backup-and-restore-).

+For the network quality of the audio sending end, check UFD events with the values of `networkSendQuality`.

+For the network quality of the receiving end, check UFD events with the values of `networkReceiveQuality`.

+In addition, you can use the [Media Stats API](../../../../concepts/voice-video-calling/media-quality-sdk.md) to monitor and track real-time network performance from the Web client.

+There are two metrics related to the audio delay: `rttInMs` and `jitterBufferDelayInMs`.

+The [rttInMs](../../../../concepts/voice-video-calling/media-quality-sdk.md?pivots=platform-web#audio-send-metrics) has a direct impact on the audio delay, as the metric indicates the round trip time of packets. High latency can result in perceptible delays in audio.

+We recommend a round-trip time of 200 ms or less.

+If the round-trip time is larger than 500 ms, users may experience significant delays that can lead to frustration and hinder effective communication. In such cases, the conversation flow can be disrupted, making it difficult to have a smooth and natural interaction.

+In [jitterBufferDelayInMs](../../../../concepts/voice-video-calling/media-quality-sdk.md?pivots=platform-web#audio-receive-metrics) shows how long the audio samples stay in the jitter buffer.

+This value can be affected by various factors, such as late arrival of packets, out-of-order, packet loss, etc.

+Normally, it's less than 200 ms. Users may notice audio delays in the call if this value is high.

+### No session available or might be locked by another receiver

+Occasionally, a session-based trigger might fail with the following error:

+``` json

+{

+ "status": 400,

+ "error": {

+ "message": "Communication with the Service Bus namespace 'xxxx' and 'yyyy' entity failed. The requested session 'zzzz' cannot be accepted. It may be locked by another receiver."

+ }

+}

+```

+Due to reasons such as an infrastructure update, connector deployment, and so on, the possibility exists for requests to not get routed to the same role instance. If this event happens, requests fail for one of the following reasons:

+- The receiver that performs the operations in the session isn't available in the role instance that serves the request.

+ - The new role instance tries to obtain the session, which either timed out in the old role instance or wasn't closed.

+|[Microsoft Enterprise Agreement](https://azure.microsoft.com/pricing/enterprise-agreement/) and [Enterprise Dev/Test](https://azure.microsoft.com/offers/ms-azr-0148p/) | Subscription owner |

+- When doing a subscription or account ownership transfers between two organizational IDs within the same tenant Azure RBAC policies and role assignments are preserved.

+- Policies and administrator roles don't transfer across different directories. The destination enrollment account owner is assigned as the Subscription Owner role on the subscription.

+You can use subscriptions to give teams in your organization access to development environments and projects. For example:

+When you create different subscriptions for each application environment, you help secure each environment. As an account owner, you can create multiple subscriptions and assign different Subscription Owners for each subscription.

+The person who manages subscriptions and developoment projects.

+**Subscription**<br>

+Represents an Azure EA subscription and is a container of Azure services.

+**Subscription owner**<br>

+- **Subscriptions** are the smallest unit in the Azure portal for Cost Management. They're containers for Azure services.

+- Manage subscription role assignments.

+## September 2023

+### Pipelines

+Added support for metadata driven pipelines for dynamic full and incremental processing in Azure SQL [Learn more](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/metadata-driven-pipelines-for-dynamic-full-and-incremental/ba-p/3925362)

+## August 2024

+## Data movement

+- Azure Table Storage connector now supports two more authentication types: system-assigned managed identity authentication and user-assigned managed identity authentication. [Learn more](connector-azure-table-storage.md)

+- Azure Files connector now supports two more authentication types: system-assigned managed identity authenticatino and user-assigned managed identity authentication. [Learn more](connector-azure-file-storage.md)

+> To create or scale an AZ-enabled self-serve cluster, you must [submit a support request](event-hubs-dedicated-cluster-create-portal.md#submit-a-support-request) requesting three CUs or greater. A three CU (or greater) self-serve cluster created via Portal is NOT AZ-enabled.

+- microsoft.compute/virtualmachinescalesets/virtualmachines

+- microsoft.compute/virtualmachinescalesets/virtualmachines/networkinterfaces

+ git checkout 20240904

+## Overview

+## Upgrade approach

+ > Within the same subscription, we advise using the same **Resource Group** and **Managed identity** values for all alert rules.

+For quota alerts, make sure the **Scope** is your Subscription and the **Signal type** is the customer query log. Add a sample query for quota usages. Follow the remaining steps as described in the [Create or edit an alert rule](../azure-monitor/alerts/alerts-create-new-alert-rule.md?tabs=log).

+- [Azure resource providers and types](/azure/azure-resource-manager/management/resource-providers-and-types)

+- September 03, 2024: Included Mv3 High Memory and Very High Memory in HANA storage configuration in [SAP HANA Azure virtual machine Premium SSD storage configurations](./hana-vm-premium-ssd-v1.md), [SAP HANA Azure virtual machine Premium SSD v2 storage configurations](./hana-vm-premium-ssd-v2.md), and [SAP HANA Azure virtual machine Ultra Disk storage configurations](./hana-vm-ultra-disk.md)

+| M416(d)s_6_v3 | 5,696 GiB | 4,000 MBps | 4 x P40 | 1,000 MBps | no bursting | 30,000 | no bursting |

+| M416(d)s_8_v2 | 7,600 | 2,000 MBps | 4 x P40 | 1,000 MBps | no bursting | 30,000 | no bursting |

+| M416(d)s_8_v3 | 7,600 | 4,000 MBps | 4 x P40 | 1,000 MBps | no bursting | 30,000 | no bursting |

+| M624(d)s_12_v3, M832s_12_v3 | 11,400 GiB | 4,000 MBps | 4 x P50 | 1,000 MBps | no bursting | 30,000 | no bursting |

+| M832ixs¹ | 14,902 GiB | larger than 2,000 Mbps | 4 x P60² | 2,000 MBps | no bursting | 64,000 | no bursting |

+| M832s_16_v3 | 15,200 GiB | 8,000 Mbps | 4 x P60² | 2,000 MBps | no bursting | 64,000 | no bursting |

+| M832ixs_v2¹ | 23,088 GiB | larger than 2,000 Mbps | 4 x P60² | 2,000 MBps | no bursting | 64,000 | no bursting |

+| M896ixds_32_v3¹ | 30,400 GiB | 8,000 Mbps | 4 x P60² | 2,000 MBps | no bursting | 64,000 | no bursting |

+| M1792ixds_32_v3¹ | 30,400 GiB | 8,000 Mbps | 6 x P60² | 2,000 MBps | no bursting | 64,000 | no bursting |

+| M208ms_v2 | 5,700 GiB | 1,000 MBps | 3 x P15 | 375 MBps | 510 MBps | 3,300 | 10,500 |

+| M416(d)s_6_v3 | 5,696 GiB | 2,000 MBps | 3 x P15 | 375 MBps | 510 MBps | 3,300 | 10,500 |

+| M416(d)s_8_v3 | 7,600 GiB | 4,000 MBps | 3 x P15 | 375 MBps | 510 MBps | 3,300 | 10,500 |

+| M624s_12_v3, M832s_12_v3 | 11,400 GiB | 4,000 MBps | 3 x P15 | 375 MBps | 510 MBps | 3,300 | 10,500 |

+| M832s_16_v3 | 15,200 GiB | 8,000 Mbps | 4 x P20 | 600 MBps | 680 MBps | 9,200 | 14,000 |

+| M896ixds_32_v3¹ | 30,400 GiB | 8,000 Mbps | 4 x P20 | 600 MBps | 680 MBps | 9,200 | 14,000 |

+| M1792ixds_32_v3¹ | 30,400 GiB | 8,000 Mbps | 4 x P20 | 600 MBps | 680 MBps | 9,200 | 14,000 |

+| M416(d)s_6_v3 | 5,696 GiB | 2,000 MBps | 1 x P30 | 1 x P10 | 1 x P6 |

+| M416(d)s_8_v3 | 7,600 GiB | 4,000 MBps | 1 x P30 | 1 x P10 | 1 x P6 |

+| M624s_12_v3, M832s_12_v3 | 11,400 GiB | 4,000 MBps | 1 x P30 | 1 x P10 | 1 x P6 |

+| M832ixs¹ | 14,902 GiB | larger than 2,000 Mbps | 1 x P30 | 1 x P10 | 1 x P6 |

+| M832s_16_v3 | 15,200 GiB | 8,000 Mbps | 1 x P30 | 1 x P10 | 1 x P6 |

+| M832ixs_v2¹ | 23,088 GiB | larger than 2,000 Mbps |1 x P30 | 1 x P10 | 1 x P6 |

+| M896ixds_32_v3¹ | 30,400 GiB | 8,000 Mbps |1 x P30 | 1 x P10 | 1 x P6 |

+| M1792ixds_32_v3¹ | 30,400 GiB | 8,000 Mbps |1 x P30 | 1 x P10 | 1 x P6 |

+| M416(d)s_6_v3 | 5,696 GiB | 4,000 MBps | 130,000 | 6,848 GB | 1,200 MBps| 30,000 |

+| M416(d)s_8_v3 | 7,600 GiB | 4,000 MBps | 130,000 | 9,120 GB | 1,250 MBps| 30,000 |

+| M624s_12_v3, M832s_12_v3 | 11,400 GiB | 4,000 MBps | 130,000 | 13,680 GB | 1,300 MBps| 40,000 |

+| M832s_16_v3 | 15,200 GiB | 8,000 Mbps | 130,000 | 19,200 GB | 4,000 MBps² | 60,000 |

+| M896ixds_32_v3¹ | 30,400 GiB | 8,000 Mbps | 130,000/260,000³ | 36,0000 GB | 2,000 MBps² | 80,000 |

+| M1792ixds_32_v3¹ | 30,400 GiB | 8,000 Mbps | 130,000/260,000³ | 36,0000 GB | 2,000 MBps² | 80,000 |

+³ Larger number with using NVMe interface usage

+| M416(d)s_6_v3 | 5,696 GiB | 4,000 MBps | 130,000 | 512 GB | 400 MBps | 5,000 | 1,024 GB |

+| M416s_8_v2 | 7,600 GiB | 2,000 MBps | 80,000 | 512 GB | 400 MBps | 5,000 | 1,024 GB |

+| M416(d)s_8_v3 | 7,600 GiB | 4,000 MBps | 130,000 | 512 GB | 400 MBps | 5,000 | 1,024 GB |

+| M624s_12_v3, M832s_12_v3 | 11,400 GiB | 4,000 MBps | 130,000 | 512 GB | 600 MBps | 6,000 | 1,024 GB |

+| M832s_16_v3 | 15,200 GiB | 8,000 Mbps | 130,000 | 512 GB | 600 MBps | 10,000 | 1,024 GB |

+| M896ixds_32_v3¹ | 30,400 GiB | 8,000 Mbps | 130,000/260,000³ | 600 MBps | 10,000 | 1,024 GB |

+| M1792ixds_32_v3¹ | 30,400 GiB | 8,000 Mbps | 130,000/260,000³ | 600 MBps | 10,000 | 1,024 GB |

+³ Larger number with using NVMe interface usage

+| M416(d)s_6_v3 | 5,696 GiB | 4,000 MBps | 7,200 GB | 1,000 MBps | 14,400 | 512 GB | 400 MBps | 4,000 |

+| M416(d)s_8_v3 | 7,600 GiB | 4,000 MBps | 1,250 MBps | 20,000 | 512 GB | 400 MBps | 4,000 |

+| M624s_12_v3, M832s_12_v3 | 11,400 GiB | 4,000 MBps | 1,500 MBps | 28,800 | 512 GB | 400 MBps | 4,000 |

+| M832s_16_v3 | 15,200 GiB | 8,000 Mbps | 4,000 MBps² | 60,000 | 512 GB | 600 MBps | 10,000 |

+| M896ixds_32_v3¹ | 30,400 GiB | 8,000 Mbps | 2,000 MBps² | 60,000 | 512 GB | 600 MBps | 10,000 |

+| M1792ixds_32_v3¹ | 30,400 GiB | 8,000 Mbps | 2,000 MBps² | 60,000 | 512 GB | 600 MBps | 10,000 |

+ You might also be prompted to enter credentials to a non-Microsoft service so that Microsoft Sentinel can authenticate to your systems. For example, with playbooks, you might want to take response actions as prescribed in your system.

+### Install with dependencies

+Some solutions have dependencies to install, including many [domain solutions](sentinel-solutions-catalog.md#domain-solutions) and solutions that use the unified AMA connectors for [CEF, Syslog](cef-syslog-ama-overview.md), or [custom logs](connect-custom-logs-ama.md).

+In such cases, select **Install with dependencies** to ensure that the required data connectors are also installed. From there, select one or more of the dependencies to install them along with the original solution. The original solution you chose to install is always selected by default.

+If one or more of the dependency solutions is already installed, but has updates, use the **Install/Update** button to both install and update all selected solutions in bulk. For example:

+After you install a solution, each content type within the solution might require more steps to configure. For more information, see [Enable content items in a solution](#enable-content-items-in-a-solution).

+- [Install domain solutions with dependencies](#install-domain-solutions-with-dependencies)

+### Install domain solutions with dependencies

+Some Microsoft Sentinel content hub solutions, including many [domain solutions](sentinel-solutions-catalog.md#domain-solutions) and solutions that use the unified AMA connectors for [CEF, Syslog](cef-syslog-ama-overview.md), or [custom logs](connect-custom-logs-ama.md), don't necessarily include a data connector of their own. Instead, they rely on data connectors from other solutions to provide visibility in a specific area across data connectors. The data connectors they use are prerequisites for the domain solution to work properly.

+When installing a domain solution, you can now select **Install with dependencies** to ensure that the data connectors required by the domain solution are also installed:

+For more information, see [Install with dependencies](sentinel-solutions-deploy.md#install-with-dependencies) and [Domain solutions](sentinel-solutions-catalog.md#domain-solutions).

+### What conditions must be met to create a recovery plan for multi-VM consistency?

+Creating a recovery plan for multi-VM consistency virtual machine works only if the following conditions are met:

+- Virtual machine must be in the same subscription and region.

+- Virtual machine must communicate over the network using host names.

+> [!NOTE]

+>

+>Regions that don't support Azure availability zones also don't support Azure Site Recovery zone-to-zone replication. For Azure Site Recovery zone-to-zone replication to work, the region must support availability zones.

+> [!NOTE]

+> The cache limits are specific to Azure-to-Azure and Zone-to-Zone DR scenarios.

+>

+> When you enable replication via the virtual machine workflow for cross subscription, the portal only lists the cache storage account from the source subscription, but doesn't list any storage account created in the target subscription. To set up this scenario, use [PowerShell](azure-to-azure-powershell.md).

+> [!NOTE]

+> Azure Site Recovery doesn't support PAC files as a proxy.

+> [!IMPORTANT]

+> This section describes an older alerting solution (referred to as classic alerts). We recommend you to switch to using Azure Monitor based alerts as it offers multiple benefits. For more information on how to switch, see [Switch Azure Monitor Based alerts](../backup/move-to-azure-monitor-alerts.md).

+#### If the *enable replication* job fails for a cluster, can we restart it after fixing the issue without reselecting clusters again?

+Yes, you can restart the job without reselecting clusters, just like other A2A scenarios. However, since the *enable replication* process runs for each node, you need to restart the failed job for all nodes through the Site Recovery Jobs interface.

+1. Assign the `Owner` role to the Azure Spring Cloud Resource Provider. For more information, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.yml).

+ :::image type="content" source="./media/how-to-deploy-in-azure-virtual-network/assign-owner-resource-provider.png" alt-text="Screenshot of the Azure portal Access Control page with Add role assignment pane and Select box with Azure Spring Cloud Resource Provider highlighted." lightbox="./media/how-to-deploy-in-azure-virtual-network/assign-owner-resource-provider.png":::

+* Permissions must be assigned before instance creation. Be sure to grant Azure Spring Cloud Resource Provider the `Owner` permission (or `User Access Administrator` and `Network Contributor` permissions) on your route tables.

+## 2024 August 30

+Major refresh release notes for:

+- Service version: August 30, 2024

+- Agent version: 3.1.636

+### What's new

+- Stricter password restrictions.

+- Security improvements and bug fixes.

+

+ Title: Manage concurrency in Blob Storage

+# Manage concurrency in Blob Storage

+- While most messages arrive in near real-time, there is no service level agreement around the time it takes for a message to arrive. In some instances, it might take few minutes for the message to arrive. As messages can arrive after some delay, use the etag fields to understand if your information about objects is still up-to-date. To learn how to use the etag field, see [Manage concurrency in Blob Storage](./concurrency-manage.md?toc=/azure/storage/blobs/toc.json#manage-concurrency-in-blob-storage).

+# [Intune](#tab/intune)

+Configure this Intune [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) and apply it to the client(s): [Kerberos/CloudKerberosTicketRetrievalEnabled](/windows/client-management/mdm/policy-csp-kerberos#cloudkerberosticketretrievalenabled), set to 1

+# [Group Policy](#tab/gpo)

+Configure this group policy on the client(s) to "Enabled": `Administrative Templates\System\Kerberos\Allow retrieving the Azure AD Kerberos Ticket Granting Ticket during logon`

+# [Registry Key](#tab/regkey)

+Set the following registry value on the client(s) by running this command from an elevated command prompt:

+```console

+reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters /v CloudKerberosTicketRetrievalEnabled /t REG_DWORD /d 1

+```

+# [Intune](#tab/intune)

+Configure this Intune [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) and apply it to the client(s): [Kerberos/HostToRealm](/windows/client-management/mdm/policy-csp-admx-kerberos#hosttorealm)

+# [Group Policy](#tab/gpo)

+Configure this group policy on the client(s): `Administrative Template\System\Kerberos\Define host name-to-Kerberos realm mappings`

+- Set the policy to `Enabled`

+- Then, click on the `Show...` button to define the list of host name-to-realm mappings. For each storage account configured for AD DS, add an entry where:

+ - `Value` is the AD DS-enabled storage account's host name, i.e. `<your storage account name>.file.core.windows.net`

+ - `Value name` is the AD DS realm name

+# [Registry Key](#tab/regkey)

+Run the following `ksetup` Windows command on the client(s):

+```console

+ksetup /addhosttorealmmap <hostname> <REALMNAME>

+```

+For example, if your realm is `CONTOSO.LOCAL`, run `ksetup /addhosttorealmmap <your storage account name>.file.core.windows.net CONTOSO.LOCAL`

+# [Intune](#tab/intune)

+Configure this Intune [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) and apply it to the client(s): [Kerberos/CloudKerberosTicketRetrievalEnabled](/windows/client-management/mdm/policy-csp-kerberos#kerberos-cloudkerberosticketretrievalenabled), set to 0

+# [Group Policy](#tab/gpo)

+Configure this group policy on the client(s) to "Disabled": `Administrative Templates\System\Kerberos\Allow retrieving the Azure AD Kerberos Ticket Granting Ticket during logon`

+# [Registry Key](#tab/regkey)

+Set the following registry value on the client(s) by running this command from an elevated command prompt:

+```console

+reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters /v CloudKerberosTicketRetrievalEnabled /t REG_DWORD /d 0

+```

+# [Intune](#tab/intune)

+Configure this Intune [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) and apply it to the client(s): [Kerberos/HostToRealm](/windows/client-management/mdm/policy-csp-admx-kerberos#hosttorealm)

+# [Group Policy](#tab/gpo)

+Configure this group policy on the client(s): `Administrative Template\System\Kerberos\Define host name-to-Kerberos realm mappings`

+# [Registry Key](#tab/regkey)

+Run the following `ksetup` Windows command on the client(s):

+```console

+ksetup /delhosttorealmmap <hostname> <realmname>

+```

+For example, if your realm is `CONTOSO.LOCAL`, run `ksetup /delhosttorealmmap <your storage account name>.file.core.windows.net CONTOSO.LOCAL`

+You can view the list of current host name to Kerberos realm mappings by inspecting the registry key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\HostToRealm`.

+ if ($eventType -ne ΓÇ£Microsoft.Maintenance.PreMaintenanceEventΓÇ¥ -and $eventType ΓÇône ΓÇ£Microsoft.Maintenance.PostMaintenanceEventΓÇ¥ ) {

+| Scanners&#8309; | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Scanners&#8309; | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+| Scanners&#8309; | _{:::image type="icon" source="media/yes.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} | _{:::image type="icon" source="media/no.svg" border="false":::} |

+1. High-level redirection of TWAIN scanners isn't supported. You can only redirect USB scanners using opaque low-level redirection. For more information, see [Peripheral and resource redirection over the Remote Desktop Protocol](redirection-remote-desktop-protocol.md).

+A rollout might take several weeks before the agent is available in all environments. Some agent versions might not reach nonvalidation environments, so you may see multiple versions of the agent deployed across your environments.

+| Validation | 1.0.9103.2900 |

+## Version 1.0.9103.3800

+*Published: June 2024*

+## Version 1.0.9103.3700

+## Version 1.0.9103.2900 (validation)

+*Published: June 2024*

+- General improvements and bug fixes.

+- Other general bug fixes and agent upgrades.

+ b. If you don't need a zone redundant public IP address, use the [following upgrade options](#upgrade-disassociated-public-ips-using-portal-powershell-or-azure-cli).

+ | Resource using Basic SKU public IP addresses | Decision path |

+ | Virtual Machine | Use scripts or manually detach and upgrade public IPs. For standalone virtual machines, you can use the [upgrade script](public-ip-upgrade-vm.md) or for virtual machines in an availability set use [this script](public-ip-upgrade-availability-set.md). |

+ | Virtual Machine Scale Sets | [Replace basic SKU instance public IP addresses](/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-networking#public-ipv4-per-virtual-machine) with new standard SKU |

+ | VPN Gateway (using Basic IPs) |At this time, it's not necessary to upgrade. When an upgrade is necessary, we'll update this decision path with migration information and send out a service health alert. |

+ | ExpressRoute Gateway (using Basic IPs) | New ExpressRoute Gateway is required. Follow the [ExpressRoute Gateway migration guidance](../../expressroute/gateway-migration.md) for upgrading from Basic to Standard SKU. |

+> If you have a virtual machine scale set (uniform model) with public IP configurations per instance, note these are not Public IP resources and as such cannot be upgraded; a new public IP address is required. You can use the SKU property to specify that Standard IP configurations are required for each VMSS instance as shown [here](/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-networking#public-ipv4-per-virtual-machine).

+| Aspect | Standard SKU public IP | Basic SKU public IP |

+## Upgrade disassociated public IPs using Portal, PowerShell, or Azure CLI

+- [Upgrade a disassociated public IP address - Azure portal](public-ip-upgrade-portal.md)

+- [Upgrade a disassociated public IP address - Azure PowerShell](public-ip-upgrade-powershell.md)

+- [Upgrade a disassociated public IP address - Azure CLI](public-ip-upgrade-cli.md)

+ Title: 'Upgrade public IP addresses attached to virtual machines in an Availability Set from Basic to Standard'

+description: This article shows you how to upgrade all public IP address attached to a VM in an Availability Set to a standard public IP address

+# Upgrade all public IP addresses attached to VMs in an Availability Set from Basic to Standard

+>[!Important]

+>On September 30, 2025, Basic SKU public IPs will be retired. For more information, see the [official announcement](https://azure.microsoft.com/updates/upgrade-to-standard-sku-public-ip-addresses-in-azure-by-30-september-2025-basic-sku-will-be-retired/). If you are currently using Basic SKU public IPs, make sure to upgrade to Standard SKU public IPs prior to the retirement date. This article will help guide you through the upgrade process.

+For more information about the retirement of Basic SKU Public IPs and the benefits of Standard SKU Public IPs, see [here](public-ip-basic-upgrade-guidance.md)

+## Upgrade overview

+This script upgrades any Public IP Addresses attached to the Virtual Machines (VMs) in an Availability Set from Basic to Standard SKU. In order to perform the upgrade, the Public IP Address allocation method is set to static before being disassociated from each VM. Once disassociated, the Public IP SKU is upgraded to Standard, then the IP is reassociated with original VM until all IPs are upgraded.

+Because the Public IP allocation is set to 'Static' before detaching from the VMs, the IP addresses don't change during the upgrade process, even in the event of a script failure. The module double-checks that the Public IP allocation method is 'Static' before detaching the Public IP from the VM.

+The module logs all upgrade activity to a file named `AvSetPublicIPUpgrade.log`, created in the same location where the module was executed (by default).

+## Constraints/ Unsupported Scenarios

+* **VMs with network interfaces associated to a Load Balancer**: Because the Load Balancer and Public IP SKUs associated with a VM must match, it isn't possible to upgrade the instance-level Public IP addresses associated with a VM when the VM's network interfaces are also associated with a Load Balancer, either through Backend Pool or NAT Pool membership. Use the scripts [Upgrade a Basic Load Balancer to Standard SKU](../../load-balancer/upgrade-basic-standard-with-powershell.md) to upgrade both the Load Balancer and Public IPs as the same time.

+* **VMs without a Network Security Group**: VMs with IPs to be upgraded must have a Network Security Group (NSG) associated with either the subnet of each IP configuration with a Public IP, or with the NIC directly. This is because Standard SKU Public IPs are "secure by default," meaning that any traffic to the Public IP must be explicitly allowed at an NSG to reach the VM. Basic SKU Public IPs allow any traffic by default. Upgrading Public IP SKUs without an NSG would result in inbound internet traffic to the Public IP previously allowed with the Basic SKU. See: [Public IP SKUs](public-ip-addresses.md#sku)

+## Download the script

+Download the migration script from the [PowerShell Gallery](https://www.powershellgallery.com/packages/AzureAvSetBasicPublicIPUpgrade).

+```powershell

+Install-Module -Name AzureAvSetBasicPublicIPUpgrade -Scope CurrentUser -Repository PSGallery -Force

+```

+## Use the module

+1. Use `Select-AzSubscription` to select the Azure subscription where your Availability Set exists

+ ```powershell

+ Select-AzSubscription -Subscription <SubscriptionId>

+ ```

+2. Locate the Availability Set with the attached Basic Public IPs that you wish to upgrade. Record its name and resource group name.

+3. Examine the module parameters:

+ - *AvailabilitySetName [string] Required* - This parameter is the name of your Availability Set.

+ - *ResourceGroupName [string] Required* - This parameter is the resource group for your Availability Set with the Basic Public IPs attached that you want to upgrade.

+4. Run the upgrade, using the following examples or `Get-Help Start-AzAvSetPublicIPUpgrade` for guidance.

+### Example uses of the script

+Upgrade VMs in a single Availability Set, passing the Availability Set name and resource group name as parameters.

+```powershell

+Start-AzAvSetPublicIPUpgrade -availabilitySetName 'myAvSet' -resourceGroupName 'myRG'

+```

+Evaluate VMs in a single Availability Set, without making any changes

+```powershell

+Start-AzAvSetPublicIPUpgrade -availabilitySetName 'myAvSet' -resourceGroupName 'myRG' -WhatIf

+```

+Attempt upgrade of VMs in every Availability Set the user has access to. VMs without Public IPs, which are already upgraded, or which do not have NSGs are skipped.

+```powershell

+Get-AzAvailabilitySet -resourceGroupName 'myRG' | Start-AzAvSetPublicIPUpgrade -skipVMMissingNSG

+```

+Recover from a failed migration, passing the name and resource group of the Availability Set to recover, along with the recovery log file.

+```powershell

+Start-AzAvSetPublicIPUpgrade -RecoverFromFile ./AvSetPublicIPUpgrade_Recovery_2020-01-01-00-00.csv -AvailabilitySetName myAvSet -ResourceGroup rg-myrg

+```

+

+### Recovering from a failed migration

+If a migration fails due to a transient issue, such as a network outage or client system issue, the migration can be retried to configure the VM and Public IPs in the goal state. At execution, the script outputs a recovery log file, which is used to ensure the VM is properly reconfigured. Review the log file `AvSetPublicIPUpgrade.log` created in the location where the script was executed.

+To recover from a failed upgrade, pass the recovery log file path to the script with the `-recoverFromFile` parameter and identify the Availability Set to recover with the `-AvailabilitySetName` parameter, as shown in this example.

+```powershell

+Start-VMPublicIPUpgrade -RecoverFromFile ./AvSetPublicIPUpgrade_Recovery_2020-01-01-00-00.csv -AvailabilitySetName myAvSet -ResourceGroupName rg-myrg

+```

+## Common questions

+### How long will the migration take and how long will my VM be inaccessible at its Public IP?

+The time it takes to upgrade a VM's Public IPs depends on the number of Public IPs and Network Interfaces associated with the VM. In testing, a VM with a single NIC and Public IP takes between 1 and 2 minutes to upgrade. Each NIC on the VM adds about another minute, and each Public IP adds a few seconds each.

+### Can I roll back to a Basic SKU Public IP?

+It isn't possible to downgrade a Public IP address from Standard to Basic.

+### Can I test a migration before executing?

+There is no way to evaluate upgrading a Public IP without completing the action. However, this script includes a `-WhatIf` parameter, which checks that your Availability Set VMs will support the upgrade and walks through the steps without taking action.

+### Does the script support Zonal Basic SKU Public IPs?

+Yes, the process of upgrading a Zonal Basic SKU Public IP to a Zonal Standard SKU Public IP is identical and works in the script.

+## Next steps

+* [Upgrading a Basic public IP address to Standard SKU - Guidance](public-ip-basic-upgrade-guidance.md)

+* [Upgrading a Basic public IP address to Standard SKU - Portal](public-ip-upgrade-portal.md)

+## BGP learned route in HUB

+Check BGP learned route in HUB.

+```azurepowershell-interactive

+Get-AzRouteServerPeerLearnedRoute -ResourceGroupName "[resource group name]" -RouteServerName "[hub name]" -PeerName "[peer name]"

+```

+> [!NOTE]

+> Getting the effective routes applied on Virtual WAN routing intent next hop resources is only supported for the next hop resource specified in private routing policy. If you are using both private and internet routing policies, check the effective routes on the next hop resource specified in the private routing policy for the effective routes Virtual WAN programs on the internet routing policy next hop resource. If you are only using internet routing policies, check the effective routes on the defaultRouteTable to view the routes programmed on the internet routing policy next hop resource.

+

+The steps in this article assume that you've deployed a virtual WAN with one or more hubs and at least two virtual networks connected to Virtual WAN.

+## Routing Considerations with Private Link in Virtual WAN

+Private Endpoint connectivity in Azure is stateful. When a connection to a private endpoint gets established through Virtual WAN, traffic is routed through one or more traffic hops through different Virtual WAN components (for example Virtual Hub router, ExpressRoute Gateway, VPN Gateway, Azure Firewall, or NVA). The exact hops traffic takes is based on your Virtual WAN routing configurations. Behind the scenes, Azure's software-defined networking layer sends all packets related to a single 5-tuple flow to one of the backend instances servicing different Virtual WAN components. Asymmetrically routed traffic (for example, traffic corresponding to a single 5-tuple flow routed to different backend instances) is not supported and is dropped by the Azure platform.

+During maintenance events on Virtual WAN infrastructure, backend instances are rebooted one at a time, which can lead to intermittent connectivity issues to Private Endpoint as the instance servicing the flow is temporarily unavailable. The similar problem can occur when Azure Firewall or Virtual hub router scales out. The same traffic flow can be load-balanced to a new backend instance that is different than the instance currently servicing the flow.

+To mitigate the impact of maintenance and scale-out events on Private Link or Private Endpoint traffic consider the following best practices:

+* Configure the TCP time-out value of your on-premises application to fall between 15-30 seconds. A smaller TCP time-out value will allow application traffic to recover more quickly from maintenance and scale-out events. Alternatively, test different application time-out values to determine a suitable time-out based on your requirements.

+* Pre-scale Virtual WAN components to handle traffic bursts to prevent autoscale events from occurring. For the Virtual Hub router, you can set the minimum routing infrastructure units on your hub router to prevent scaling during traffic bursts.

+Lastly, if you are using on-premises connectivity between Azure and on-premises using VPN or ExpressRoute, ensure your on-premises device is configured to use the same VPN tunnel or same Microsoft Enterprise Edge router as the next-hop for each 5-tuple corresponding to private endpoint traffic.

+

+Clicking on the private endpoint we've created, you should see its private IP address and its Fully Qualified Domain Name (FQDN). The private endpoint should have an IP address in the range of the VNet (10.1.3.0/24):

+### What is the maximum number of spoke Virtual Network addresses supported for hubs configured with Routing Intent?

+The maximum number of address spaces across all Virtual Networks directly connected to a single Virtual WAN hub is 400. This limit is applied individually to each Virtual WAN hub in a Virtual WAN deployment. Virtual Network address spaces connected to remote (other Virtual WAN hubs in the same Virtual WAN) hubs are not counted towards this limit.

+This limit is adjustable. For more information on the limit, the procedure to request a limit increase and sample scripts to determine the number of address spaces across Virtual Networks connected to a Virtual WAN hub, see [routing intent virtual network address space limits](how-to-routing-policies.md#virtual-network-address-space-limits).

+### Are there limits on the number of routes I can advertise?

+Yes, there are limits. ExpressRoute supports up to 4,000 prefixes for private peering and 200 prefixes for Microsoft peering. With ExpressRoute Premium, you can increase the limit to 10,000 routes for private peering. The maximum number of routes advertised from Azure private peering via an ExpressRoute Gateway over an ExpressRoute circuit is 1,000, which is the same for both standard and premium ExpressRoute circuits. For more details, you can review [the ExpressRoute circuits Route Limits on the Azure subscription limits and quotas page](../azure-resource-manager/management/azure-subscription-service-limits.md#route-advertisement-limits) Please note that IPv6 route advertisements are currently not supported with Virtual WAN.

+### Are there restrictions on IP ranges I can advertise over the BGP session?

+Yes, there are restrictions. Private prefixes (RFC1918) are not accepted for the Microsoft peering BGP session. However, any prefix size up to a /32 prefix is accepted on both the Microsoft and private peering.

+### What happens if the BGP route limit gets exceeded?

+If the BGP route limit is exceeded, BGP sessions will disconnect. The sessions will be restored once the prefix count is reduced below the limit. For more information, see [the ExpressRoute circuits Route limits on the Azure subscription limits and quotas page](../azure-resource-manager/management/azure-subscription-service-limits.md#route-advertisement-limits).

+### Can I monitor the number of routes advertised or received over an ExpressRoute circuit?

+Yes, you can. For the best practices and configuration for metric-based alert monitoring, [refer to the Azure monitoring best practices](../virtual-wan/monitoring-best-practices.md#expressroute-gateway).

+### What is the recommendation to reduce the number of IP prefixes?

+We recommend aggregating the prefixes before advertising them over ExpressRoute or VPN gateway. Additionally, you can use

+[Route-Maps](../virtual-wan/route-maps-about.md) to summarize routes advertised from/to Virtual WAN.

+ Title: 'Troubleshoot point-to-site connections: macOS X clients'

+description: Learn how to troubleshoot point-to-site connectivity issues from macOS X using the native VPN client.

+# Troubleshoot Point-to-Site VPN connections from macOS X VPN clients

+This article helps you troubleshoot point-to-site connectivity issues from macOS X clients that use the native macOS X VPN client and IKEv2. VPN client configuration in macOS X is very basic for IKEv2 connections and doesn't allow for much customization. There are only four settings that need to be checked:

+## <a name="certificate"></a> Certificate-based authentication

+1. Check the VPN client settings. Go to **Settings** and locate **VPN**.

+1. From the list, click the **i** next to the VPN entry that you want to investigate. This opens the settings configuration for the VPN connection.

+1. Verify that the **Server Address** is the complete FQDN and includes the cloudapp.net.

+1. The **Remote ID** should be the same as the Server Address (Gateway FQDN).

+1. The **Local ID** should be the same as the **Subject** of the client certificate.

+1. For **Authentication**, verify that "Certificate" is selected.

+1. Click the **Select** button and verify that the correct certificate is selected.

+1. Click **OK** to save any changes.

+If you're still having issues, see the [IKEv2 packet capture](#packet) section.

+## <a name="ikev2"></a>Username and password authentication

+1. Check the VPN client settings. Go to **Settings** and locate **VPN**.

+1. From the list, click the **i** next to the VPN entry that you want to investigate. This opens the settings configuration for the VPN connection.

+1. Verify that the **Server Address** is the complete FQDN and includes the cloudapp.net.

+1. The **Remote ID** should be the same as the Server Address (Gateway FQDN).

+1. The **Local ID** can be blank.

+1. For **Authentication**, verify that "Username" is selected.

+1. Verify that the correct credentials are entered.

+1. Click **OK** to save any changes.

+If you're still having issues, see the [IKEv2 packet capture](#packet) section.

+## <a name="packet"></a>Packet capture - IKEv2

+Download [Wireshark](https://www.wireshark.org/#download) and perform a packet capture.

+1. Filter on *isakmp* and look at the **IKE_SA** packets. You should be able to look at the SA proposal details under the **Payload: Security Association**.

+1. Verify that the client and the server have a common set.

+1. If there's no server response on the network traces, verify you enabled IKEv2 protocol on the Azure VPN gateway. You can check by going to the Azure portal, selecting the VPN gateway, and then selecting **Point-to-site configuration**.

+For more help, see [Microsoft Support](https://portal.azure.com/?#blade/Microsoft_Azure_Support/HelpAndSupportBlade).

+## VPN client error: The connection was prevented because of a policy configured on your RAS/VPN server. (Error 812)

+## VPN client error: The remote connection was not made because the attempted VPN tunnels failed. (Error 800)

+## <a name="entra-expired"></a>VPN client error: Your authentication with Microsoft Entra has expired

+If you're using Microsoft Entra ID authentication, you might encounter the following error:

+**Your authentication with Microsoft Entra has expired so you need to re-authenticate to acquire a new token. Please try connecting again. Authentication policies and timeout are configured by your administrator in Entra tenant.**

+### Cause

+The point-to-site connection is disconnected because the current refresh token has expired or becomes invalid. New access tokens canΓÇÖt be fetched for authenticating the user.

+When an Azure VPN Client tries to establish connection with an Azure VPN gateway using Microsoft Entra ID authentication, an access token is required to authenticate the user. This token gets renewed approximately every hour. A valid access token can only be issued when the user has a valid refresh token. If the user doesnΓÇÖt have a valid refresh token, the connection gets disconnected.

+The refresh token can show as expired/invalid due to several reasons. You can check User Entra sign-in logs for debugging. See [Microsoft Entra sign-in logs](/entra/identity/monitoring-health/concept-sign-ins).

+* **Refresh token has expired**

+ * The default lifetime for the refresh tokens is 90 days. After 90 days, users need to reconnect to get a new refresh token.

+ * Entra tenant admins can add conditional access policies for sign-in frequency that trigger periodic reauthentication every 'X' hrs. (Refresh token will expire in 'X' hrs). By using custom conditional access policies, users are forced use an interactive sign-in every 'X' hrs. For more information, see [Refresh tokens in the Microsoft identity platform](/entra/identity-platform/refresh-tokens) and [Configure adaptive session lifetime policies](/entra/identity/conditional-access/howto-conditional-access-session-lifetime).

+* **Refresh token is invalid**

+ * The user has been removed from tenant.

+ * The user's credentials have changed.

+ * Sessions have been revoked by the Entra tenant Admin.

+ * The device has become noncompliant (if itΓÇÖs a managed device).

+ * Other Entra policies configured by Entra Admins that require users to periodically use interactive sign-in.

+### Solution

+In these scenarios, users need to reconnect. This triggers an interactive sign-in process in Microsoft Entra that issues a new refresh token and access token.

+## VPN client error: Dialing VPN connection \<VPN Connection Name\>, Status = VPN Platform did not trigger connection