
Azure

The document provides an overview of Azure Resource Manager, detailing its role in managing Azure resources through a consistent management layer. It outlines key concepts such as resource groups, resource providers, and the benefits of using declarative templates for resource management. Additionally, it includes information on Azure subscription limits, resource limits, and guidelines for managing resources effectively.

Uploaded by

ali AbuLeith

Contents

Manage Azure resources documentation


Overview
What is Resource Manager?
Concepts
Subscription and service limits
Resource name rules
Resource Manager and classic deployment
Resource providers by service
Control plane and data plane
Extension resource types
Resource instance limit
Security
Security baseline
Security controls by Azure Policy
How to
Move resources
Overview
Move across resource groups/subscriptions
Move across regions
Supported resources
Services
Resource groups/subscriptions
App Service
Azure DevOps
Azure Automation
Classic deployment
Networking
Recovery Services
Virtual Machines
Regions
Azure API Management
Azure App Service
Azure Automation
Azure Backup (Recovery Services vault)
Azure Batch
Azure Cognitive Search
Azure Container Registry
Azure Cosmos DB
Azure Database for MariaDB Server
Azure Database for MySQL Server
Azure Database for PostgreSQL Server
Azure Event Hubs
Azure Functions
Azure IoT Hub
Azure Resource Manager
Azure Storage
Azure SQL DB & MI
Azure VMs
Logic apps
Maintenance Control configuration
Azure Cache for Redis
Networking
Virtual network
Network Interface (NIC)
Network security group (NSG)
Public IP addresses
Power BI
Site Recovery (Recovery Services vaults)
SQL Server on Azure VM
Tags
Decision guide
Use tags
Azure Policy definitions - compliance
Supported resource types
Azure Resource Graph queries
Private link access
Create - portal
Create - REST
Manage - REST
Manage resource groups
Azure portal
Azure CLI
Azure PowerShell
Manage resources
Azure portal
Azure CLI
Azure PowerShell
Resource providers and types
Preview features
Delete resource groups and resources
Lock resources
Authenticate across tenants
Throttling requests
Track asynchronous operations
Control plane metrics in Azure Monitor
Reference
REST
Azure PowerShell
Azure CLI
.NET
Java
JavaScript
Python
Azure Policy built-ins
Resources
Build your skills with Microsoft Learn
Azure Roadmap
Pricing calculator
Service updates
Stack Overflow
Manage personal data
Videos
What is Azure Resource Manager?
2/23/2022 • 6 minutes to read

Azure Resource Manager is the deployment and management service for Azure. It provides a management layer
that enables you to create, update, and delete resources in your Azure account. You use management features,
like access control, locks, and tags, to secure and organize your resources after deployment.
To learn about Azure Resource Manager templates (ARM templates), see the ARM template overview. To learn
about Bicep, see Bicep overview.

Consistent management layer


When a user sends a request from any of the Azure tools, APIs, or SDKs, Resource Manager receives the request.
It authenticates and authorizes the request. Resource Manager sends the request to the Azure service, which
takes the requested action. Because all requests are handled through the same API, you see consistent results
and capabilities in all the different tools.
The following image shows the role Azure Resource Manager plays in handling Azure requests.

All capabilities that are available in the portal are also available through PowerShell, Azure CLI, REST APIs, and
client SDKs. Functionality initially released through APIs will be represented in the portal within 180 days of
initial release.

Terminology
If you're new to Azure Resource Manager, there are some terms you might not be familiar with.
resource - A manageable item that is available through Azure. Virtual machines, storage accounts, web
apps, databases, and virtual networks are examples of resources. Resource groups, subscriptions,
management groups, and tags are also examples of resources.
resource group - A container that holds related resources for an Azure solution. The resource group
includes those resources that you want to manage as a group. You decide which resources belong in a
resource group based on what makes the most sense for your organization. See Resource groups.
resource provider - A service that supplies Azure resources. For example, a common resource provider is
Microsoft.Compute, which supplies the virtual machine resource. Microsoft.Storage is another common
resource provider. See Resource providers and types.
declarative syntax - Syntax that lets you state "Here's what I intend to create" without having to write the
sequence of programming commands to create it. ARM templates and Bicep files are examples of declarative
syntax. In those files, you define the properties for the infrastructure to deploy to Azure.
ARM template - A JavaScript Object Notation (JSON) file that defines one or more resources to deploy to a
resource group, subscription, management group, or tenant. The template can be used to deploy the
resources consistently and repeatedly. See Template deployment overview.
Bicep file - A file for declaratively deploying Azure resources. Bicep is a language that's been designed to
provide the best authoring experience for infrastructure as code solutions in Azure. See Bicep overview.

The benefits of using Resource Manager


With Resource Manager, you can:
Manage your infrastructure through declarative templates rather than scripts.
Deploy, manage, and monitor all the resources for your solution as a group, rather than handling these
resources individually.
Redeploy your solution throughout the development lifecycle and have confidence your resources are
deployed in a consistent state.
Define the dependencies between resources so they're deployed in the correct order.
Apply access control to all services because Azure role-based access control (Azure RBAC) is natively
integrated into the management platform.
Apply tags to resources to logically organize all the resources in your subscription.
Clarify your organization's billing by viewing costs for a group of resources sharing the same tag.

Understand scope
Azure provides four levels of scope: management groups, subscriptions, resource groups, and resources. The
following image shows an example of these layers.

You apply management settings at any of these levels of scope. The level you select determines how widely the
setting is applied. Lower levels inherit settings from higher levels. For example, when you apply a policy to the
subscription, the policy is applied to all resource groups and resources in your subscription. When you apply a
policy on the resource group, that policy is applied to the resource group and all its resources. However, another
resource group doesn't have that policy assignment.
For information about managing identities and access, see Azure Active Directory.
You can deploy templates to tenants, management groups, subscriptions, or resource groups.
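As an added illustration of the scope inheritance described above (not code from the documentation), the following Python resolves which policy assignments apply to a resource from its ARM resource ID. The management group tree, subscription IDs and assignment names are constructed for the example; the management group placement has to come from a separate map because it is not part of the resource ID.

```python
"""Resolve the assignments a resource inherits along the scope chain
management group > subscription > resource group > resource.
Added example; the tree, subscription IDs and assignment names are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Assignment:
    name: str
    scope: str  # ARM scope ID the assignment was made at


MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"

# Constructed management group tree: child -> parent (the root has no parent).
MG_PARENT = {
    MG_PREFIX + "platform": MG_PREFIX + "root",
    MG_PREFIX + "sandbox": MG_PREFIX + "root",
}

# Constructed placement of subscriptions under management groups.
SUB_MG = {
    "/subscriptions/11111111-1111-1111-1111-111111111111": MG_PREFIX + "platform",
    "/subscriptions/22222222-2222-2222-2222-222222222222": MG_PREFIX + "sandbox",
}


def scope_chain(resource_id):
    """Return the scopes whose settings the resource inherits, nearest first."""
    parts = resource_id.strip("/").split("/")
    if len(parts) < 2 or parts[0].lower() != "subscriptions":
        raise ValueError("expected a subscription-scoped resource ID")
    subscription = "/subscriptions/" + parts[1]
    chain = []
    # Resource and resource group levels are prefixes of the ID path.
    if len(parts) >= 4 and parts[2].lower() == "resourcegroups":
        resource_group = subscription + "/resourceGroups/" + parts[3]
        if len(parts) > 4:
            chain.append(resource_id)
        chain.append(resource_group)
    chain.append(subscription)
    # Management group levels are not in the ID; walk the placement map.
    mg = SUB_MG.get(subscription)
    while mg is not None:
        chain.append(mg)
        mg = MG_PARENT.get(mg)
    return chain


def effective_assignments(resource_id, assignments):
    """Assignments made at the resource's own scope or at any ancestor scope
    apply to it; assignments on sibling scopes do not. Names are returned
    sorted. ARM scope IDs are compared case-insensitively."""
    ancestors = {scope.lower() for scope in scope_chain(resource_id)}
    return sorted(a.name for a in assignments if a.scope.lower() in ancestors)


# Constructed sample assignments at three different scopes.
SUB_PLATFORM = "/subscriptions/11111111-1111-1111-1111-111111111111"
SAMPLE_ASSIGNMENTS = [
    Assignment("deny-public-ip", MG_PREFIX + "root"),
    Assignment("require-tag", SUB_PLATFORM),
    Assignment("rg-lock", SUB_PLATFORM + "/resourceGroups/prod"),
]

if __name__ == "__main__":
    storage = SUB_PLATFORM + "/resourceGroups/prod/providers/Microsoft.Storage/storageAccounts/st1"
    print(effective_assignments(storage, SAMPLE_ASSIGNMENTS))
```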

Resource groups
There are some important factors to consider when defining your resource group:
All the resources in your resource group should share the same lifecycle. You deploy, update, and delete
them together. If one resource, such as a server, needs to exist on a different deployment cycle it should
be in another resource group.
Each resource can exist in only one resource group.
You can add or remove a resource to a resource group at any time.
You can move a resource from one resource group to another group. For more information, see Move
resources to new resource group or subscription.
The resources in a resource group can be located in different regions than the resource group.
When you create a resource group, you need to provide a location for that resource group.
You may be wondering, "Why does a resource group need a location? And, if the resources can have
different locations than the resource group, why does the resource group location matter at all?"
The resource group stores metadata about the resources. When you specify a location for the resource
group, you're specifying where that metadata is stored. For compliance reasons, you may need to ensure
that your data is stored in a particular region.
If a resource group's region is temporarily unavailable, you can't update resources in the resource group
because the metadata is unavailable. The resources in other regions will still function as expected, but you
can't update them. This condition doesn't apply to global resources like Azure Content Delivery Network,
Azure DNS, Azure Traffic Manager, and Azure Front Door.
For more information about building reliable applications, see Designing reliable Azure applications.
A resource group can be used to scope access control for administrative actions. To manage a resource
group, you can assign Azure Policies, Azure roles, or resource locks.
You can apply tags to a resource group. The resources in the resource group don't inherit those tags.
A resource can connect to resources in other resource groups. This scenario is common when the two
resources are related but don't share the same lifecycle. For example, you can have a web app that
connects to a database in a different resource group.
When you delete a resource group, all resources in the resource group are also deleted. For information
about how Azure Resource Manager orchestrates those deletions, see Azure Resource Manager resource
group and resource deletion.
You can deploy up to 800 instances of a resource type in each resource group. Some resource types are
exempt from the 800 instance limit. For more information, see resource group limits.
Some resources can exist outside of a resource group. These resources are deployed to the subscription,
management group, or tenant. Only specific resource types are supported at these scopes.
To create a resource group, you can use the portal, PowerShell, Azure CLI, or an ARM template.

Resiliency of Azure Resource Manager


The Azure Resource Manager service is designed for resiliency and continuous availability. Resource Manager
and control plane operations (requests sent to management.azure.com) in the REST API are:
Distributed across regions. Some services are regional.
Distributed across Availability Zones (and regions) in locations that have multiple Availability Zones.
Not dependent on a single logical data center.
Never taken down for maintenance activities.
This resiliency applies to services that receive requests through Resource Manager. For example, Key Vault
benefits from this resiliency.

Next steps
To learn about limits that are applied across Azure services, see Azure subscription and service limits,
quotas, and constraints.
To learn about moving resources, see Move resources to new resource group or subscription.
To learn about tagging resources, see Use tags to organize your Azure resources.
To learn about locking resources, see Lock resources to prevent unexpected changes.
Azure subscription and service limits, quotas, and constraints
2/23/2022 • 125 minutes to read

This document lists some of the most common Microsoft Azure limits, which are also sometimes called quotas.
To learn more about Azure pricing, see Azure pricing overview. There, you can estimate your costs by using the
pricing calculator. You also can go to the pricing details page for a particular service, for example, Windows VMs.
For tips to help manage your costs, see Prevent unexpected costs with Azure billing and cost management.

Managing limits
NOTE
Some services have adjustable limits.
When a service doesn't have adjustable limits, the following tables use the header Limit. In those cases, the default and
the maximum limits are the same.
When the limit can be adjusted, the tables include Default limit and Maximum limit headers. The limit can be raised
above the default limit but not above the maximum limit.
If you want to raise the limit or quota above the default limit, open an online customer support request at no charge.
The terms soft limit and hard limit often are used informally to describe the current, adjustable limit (soft limit) and the
maximum limit (hard limit). If a limit isn't adjustable, there won't be a soft limit, only a hard limit.

Free Trial subscriptions aren't eligible for limit or quota increases. If you have a Free Trial subscription, you can
upgrade to a Pay-As-You-Go subscription. For more information, see Upgrade your Azure Free Trial subscription
to a Pay-As-You-Go subscription and the Free Trial subscription FAQ.
Some limits are managed at a regional level.
Let's use vCPU quotas as an example. To request a quota increase with support for vCPUs, you must decide how
many vCPUs you want to use in which regions. You then request an increase in vCPU quotas for the amounts
and regions that you want. If you need to use 30 vCPUs in West Europe to run your application there, you
specifically request 30 vCPUs in West Europe. Your vCPU quota isn't increased in any other region--only West
Europe has the 30-vCPU quota.
As a result, decide what your quotas must be for your workload in any one region. Then request that amount in
each region into which you want to deploy. For help in how to determine your current quotas for specific
regions, see Resolve errors for resource quotas.

General limits
For limits on resource names, see Naming rules and restrictions for Azure resources.
For information about Resource Manager API read and write limits, see Throttling Resource Manager requests.
Management group limits
The following limits apply to management groups.
Resource | Limit
Management groups per Azure AD tenant | 10,000
Subscriptions per management group | Unlimited
Levels of management group hierarchy | Root level plus 6 levels [1]
Direct parent management group per management group | One
Management group level deployments per location | 800 [2]
Locations of management group level deployments | 10

[1] The 6 levels don't include the subscription level.
[2] If you reach the limit of 800 deployments, delete deployments from the history that are no longer needed. To
delete management group level deployments, use Remove-AzManagementGroupDeployment or az deployment
mg delete.
Subscription limits
The following limits apply when you use Azure Resource Manager and Azure resource groups.

Resource | Limit
Subscriptions associated with an Azure Active Directory tenant | Unlimited
Coadministrators per subscription | Unlimited
Resource groups per subscription | 980
Azure Resource Manager API request size | 4,194,304 bytes
Tags per subscription [1] | 50
Unique tag calculations per subscription [1] | 80,000
Subscription-level deployments per location | 800 [2]
Locations of subscription-level deployments | 10

[1] You can apply up to 50 tags directly to a subscription. However, the subscription can contain an unlimited
number of tags that are applied to resource groups and resources within the subscription. The number of tags
per resource or resource group is limited to 50. Resource Manager returns a list of unique tag name and values
in the subscription only when the number of tags is 80,000 or less. You still can find a resource by tag when the
number exceeds 80,000.
[2] Deployments are automatically deleted from the history as you near the limit. For more information, see
Automatic deletions from deployment history.
Resource group limits
Resource | Limit
Resources per resource group | Resources aren't limited by resource group. Instead, they're limited by resource type in a resource group. See next row.
Resources per resource group, per resource type | 800. Some resource types can exceed the 800 limit. See Resources not limited to 800 instances per resource group.
Deployments per resource group in the deployment history | 800 [1]
Resources per deployment | 800
Management locks per unique scope | 20
Number of tags per resource or resource group | 50
Tag key length | 512
Tag value length | 256

[1] Deployments are automatically deleted from the history as you near the limit. Deleting an entry from the
deployment history doesn't affect the deployed resources. For more information, see Automatic deletions from
deployment history.
Template limits

Value | Limit
Parameters | 256
Variables | 256
Resources (including copy count) | 800
Outputs | 64
Template expression | 24,576 chars
Resources in exported templates | 200
Template size | 4 MB
Parameter file size | 4 MB

You can exceed some template limits by using a nested template. For more information, see Use linked
templates when you deploy Azure resources. To reduce the number of parameters, variables, or outputs, you can
combine several values into an object. For more information, see Objects as parameters.
You may get an error with a template or parameter file of less than 4 MB, if the total size of the request is too
large. For more information about how to simplify your template to avoid a large request, see Resolve errors for
job size exceeded.
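The following Python is an added pre-deployment check (not Microsoft code) that tests an ARM template document against the template limits and the per-resource tag limits listed in the tables above; the sample template is constructed, and copy counts given as expressions are reported as unresolved because they can only be evaluated with the parameter file.

```python
"""Check an ARM template against the Resource Manager template and tag limits
listed on this page. Added example; the sample template is constructed."""
import json

# Limit values copied from the template and resource group tables on this page.
LIMITS = {
    "parameters": 256,
    "variables": 256,
    "resources": 800,          # including copy count
    "outputs": 64,
    "template_bytes": 4 * 1024 * 1024,
    "tags_per_resource": 50,
    "tag_key_len": 512,
    "tag_value_len": 256,
}


def iter_resources(resources):
    """Yield every resource, including child resources nested under a parent."""
    for res in resources or []:
        yield res
        yield from iter_resources(res.get("resources"))


def copy_count(resource):
    """Return (instances, note). A literal integer copy count is resolved;
    an expression such as [parameters('n')] counts as 1 and yields a note."""
    copy = resource.get("copy")
    if not copy:
        return 1, None
    count = copy.get("count")
    if isinstance(count, int) and not isinstance(count, bool):
        return count, None
    return 1, f"unresolved copy count {count!r} on {resource.get('name')}"


def check_template(template_text):
    """Return the list of limit violations for a template document; an empty
    list means the template is within every limit checked here."""
    problems = []
    size = len(template_text.encode("utf-8"))
    if size > LIMITS["template_bytes"]:
        problems.append(f"template size {size} bytes exceeds 4 MB")
    template = json.loads(template_text)
    for section in ("parameters", "variables", "outputs"):
        count = len(template.get(section) or {})
        if count > LIMITS[section]:
            problems.append(f"{count} {section} exceed the limit of {LIMITS[section]}")
    total = 0
    for res in iter_resources(template.get("resources")):
        name = res.get("name")
        instances, note = copy_count(res)
        if note:
            problems.append(note)
        total += instances
        tags = res.get("tags") or {}
        if len(tags) > LIMITS["tags_per_resource"]:
            problems.append(f"{name} has {len(tags)} tags; the limit is 50")
        for key, value in tags.items():
            if len(key) > LIMITS["tag_key_len"]:
                problems.append(f"tag key on {name} exceeds 512 characters")
            if isinstance(value, str) and len(value) > LIMITS["tag_value_len"]:
                problems.append(f"tag value for {key!r} on {name} exceeds 256 characters")
    if total > LIMITS["resources"]:
        problems.append(f"{total} resources including copy count exceed the limit of 800")
    return problems


# Constructed sample: a storage account loop whose copy count pushes the
# deployment past the 800-resource limit, plus a tag value that is too long.
SAMPLE_TEMPLATE = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {"location": {"type": "string"}},
    "resources": [{
        "type": "Microsoft.Storage/storageAccounts",
        "apiVersion": "2021-04-01",
        "name": "[concat('st', copyIndex())]",
        "location": "[parameters('location')]",
        "sku": {"name": "Standard_LRS"},
        "kind": "StorageV2",
        "copy": {"name": "storagecopy", "count": 801},
        "tags": {"owner": "x" * 300},
    }],
})

if __name__ == "__main__":
    for problem in check_template(SAMPLE_TEMPLATE):
        print(problem)
```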

Active Directory limits


Here are the usage constraints and other service limits for the Azure AD service.

Category | Limit
Tenants | A single user can belong to a maximum of 500 Azure AD tenants as a member or a guest. A single user can create a maximum of 200 directories.
Domains | You can add no more than 5,000 managed domain names. If you set up all of your domains for federation with on-premises Active Directory, you can add no more than 2,500 domain names in each tenant.
Resources | By default, a maximum of 50,000 Azure AD resources can be created in a single tenant by users of the Azure Active Directory Free edition. If you have at least one verified domain, the default Azure AD service quota for your organization is extended to 300,000 Azure AD resources. The Azure AD service quota for organizations created by self-service sign-up remains 50,000 Azure AD resources, even after you perform an internal admin takeover and the organization is converted to a managed tenant with at least one verified domain. This service limit is unrelated to the pricing tier limit of 500,000 resources on the Azure AD pricing page. To go beyond the default quota, you must contact Microsoft Support. A non-admin user can create no more than 250 Azure AD resources. Both active resources and deleted resources that are available to restore count toward this quota. Only deleted Azure AD resources that were deleted fewer than 30 days ago are available to restore. Deleted Azure AD resources that are no longer available to restore count toward this quota at a value of one-quarter for 30 days. If you have developers who are likely to repeatedly exceed this quota in the course of their regular duties, you can create and assign a custom role with permission to create a limitless number of app registrations.
Schema extensions | String-type extensions can have a maximum of 256 characters. Binary-type extensions are limited to 256 bytes. Only 100 extension values, across all types and all applications, can be written to any single Azure AD resource. Only User, Group, TenantDetail, Device, Application, and ServicePrincipal entities can be extended with string-type or binary-type single-valued attributes.
Applications | A maximum of 100 users and service principals can be owners of a single application. A user, group, or service principal can have a maximum of 1,500 app role assignments. The limitation is on the service principal, user, or group across all app roles and not on the number of assignments on a single app role. An app configured for password-based single sign-on can have a maximum of 48 groups assigned with credentials configured. A user can have credentials configured for a maximum of 48 apps using password-based single sign-on. This limit only applies for credentials configured when the user is directly assigned the app, not when the user is a member of a group which is assigned. See additional limits in Validation differences by supported account types.
Application manifest | A maximum of 1,200 entries can be added to the application manifest. See additional limits in Validation differences by supported account types.
Groups | A non-admin user can create a maximum of 250 groups in an Azure AD organization. Any Azure AD admin who can manage groups in the organization can also create an unlimited number of groups (up to the Azure AD object limit). If you assign a role to a user to remove the limit for that user, assign a less privileged, built-in role such as User Administrator or Groups Administrator. An Azure AD organization can have a maximum of 5,000 dynamic groups. A maximum of 400 role-assignable groups can be created in a single Azure AD organization (tenant). A maximum of 100 users can be owners of a single group. Any number of Azure AD resources can be members of a single group. A user can be a member of any number of groups. When security groups are being used in combination with SharePoint Online, a user can be a part of 2,049 security groups in total. This includes both direct and indirect group memberships. When this limit is exceeded, authentication and search results become unpredictable. By default, the number of members in a group that you can synchronize from your on-premises Active Directory to Azure Active Directory by using Azure AD Connect is limited to 50,000 members. If you need to sync a group membership that's over this limit, you must onboard the Azure AD Connect Sync V2 endpoint API. Nested groups in Azure AD are not supported within all scenarios. When you select a list of groups, you can assign a group expiration policy to a maximum of 500 Microsoft 365 groups. There is no limit when the policy is applied to all Microsoft 365 groups. At this time, the following scenarios are supported with nested groups: one group can be added as a member of another group, and you can achieve group nesting; group membership claims (when an app is configured to receive group membership claims in the token, nested groups in which the signed-in user is a member are included); conditional access (when a conditional access policy has a group scope); restricting access to self-serve password reset; restricting which users can do Azure AD Join and device registration. The following scenarios are not supported with nested groups: app role assignment, for both access and provisioning (assigning groups to an app is supported, but any groups nested within the directly assigned group won't have access); group-based licensing (assigning a license automatically to all members of a group); Microsoft 365 Groups.
Application Proxy | A maximum of 500 transactions* per second per Application Proxy application. A maximum of 750 transactions per second for the Azure AD organization. *A transaction is defined as a single HTTP request and response for a unique resource. When clients are throttled, they'll receive a 429 response (too many requests).
Access Panel | There's no limit to the number of applications per user that can be displayed in the Access Panel, regardless of the number of assigned licenses.
Reports | A maximum of 1,000 rows can be viewed or downloaded in any report. Any additional data is truncated.
Administrative units | An Azure AD resource can be a member of no more than 30 administrative units.
Azure AD roles and permissions | A maximum of 30 Azure AD custom roles can be created in an Azure AD organization. A maximum of 100 Azure AD custom role assignments for a single principal at tenant scope. A maximum of 100 Azure AD built-in role assignments for a single principal at non-tenant scope (such as an administrative unit or Azure AD object). There is no limit to Azure AD built-in role assignments at tenant scope. A group can't be added as a group owner. A user's ability to read other users' tenant information can be restricted only by the Azure AD organization-wide switch to disable all non-admin users' access to all tenant information (not recommended). For more information, see To restrict the default permissions for member users. It might take up to 15 minutes or you might have to sign out and sign back in before admin role membership additions and revocations take effect.

API Management limits


Resource | Limit
Maximum number of scale units | 12 per region [1]
Cache size | 5 GiB per unit [2]
Concurrent back-end connections [3] per HTTP authority | 2,048 per unit [4]
Maximum cached response size | 2 MiB
Maximum policy document size | 256 KiB [5]
Maximum custom gateway domains per service instance [6] | 20
Maximum number of CA certificates per service instance [7] | 10
Maximum number of service instances per subscription [8] | 20
Maximum number of subscriptions per service instance [8] | 500
Maximum number of client certificates per service instance [8] | 50
Maximum number of APIs per service instance [8] | 50
Maximum number of API management operations per service instance [8] | 1,000
Maximum total request duration [8] | 30 seconds
Maximum request payload size [8] | 1 GiB
Maximum buffered payload size [8] | 2 MiB
Maximum request URL size [9] | 16,384 bytes
Maximum length of URL path segment [10] | 260 characters
Maximum size of API schema used by validation policy [10] | 4 MB
Maximum size of request or response body in validate-content policy [10] | 100 KB
Maximum number of self-hosted gateways [11] | 25

[1] Scaling limits depend on the pricing tier. For details on the pricing tiers and their scaling limits, see API
Management pricing.
[2] Per unit cache size depends on the pricing tier. To see the pricing tiers and their scaling limits, see API
Management pricing.
[3] Connections are pooled and reused unless explicitly closed by the back end.
[4] This limit is per unit of the Basic, Standard, and Premium tiers. The Developer tier is limited to 1,024. This limit
doesn't apply to the Consumption tier.
[5] This limit applies to the Basic, Standard, and Premium tiers. In the Consumption tier, policy document size is
limited to 16 KiB.
[6] Multiple custom domains are supported in the Developer and Premium tiers only.
[7] CA certificates are not supported in the Consumption tier.
[8] This limit applies to the Consumption tier only. There are no limits in these categories for other tiers.
[9] Applies to the Consumption tier only. Includes an up to 2048-bytes long query string.
[10] To increase this limit, contact support.
[11] Self-hosted gateways are supported in the Developer and Premium tiers only. The limit applies to the number
of self-hosted gateway resources. To raise this limit contact support. Note that the number of nodes (or replicas)
associated with a self-hosted gateway resource is unlimited in the Premium tier and capped at a single node in
the Developer tier.
App Service limits
In the following table, X means the feature is available in that tier and a dash means it isn't.

Resource | Free | Shared | Basic | Standard | Premium (v1-v3) | Isolated
Web, mobile, or API apps per Azure App Service plan [1] | 10 | 100 | Unlimited [2] | Unlimited [2] | Unlimited [2] | Unlimited [2]
App Service plan | 10 per region | 10 per resource group | 100 per resource group | 100 per resource group | 100 per resource group | 100 per resource group
Compute instance type | Shared | Shared | Dedicated [3] | Dedicated [3] | Dedicated [3] | Dedicated [3]
Scale out (maximum instances) | 1 shared | 1 shared | 3 dedicated [3] | 10 dedicated [3] | 20 dedicated for v1; 30 dedicated for v2 and v3 [3] | 100 dedicated [4]
Storage [5] | 1 GB [5] | 1 GB [5] | 10 GB [5] | 50 GB [5] | 250 GB [5] | 1 TB [12] (the available storage quota is 999 GB)
CPU time (5 minutes) [6] | 3 minutes | 3 minutes | Unlimited, pay at standard rates | Unlimited, pay at standard rates | Unlimited, pay at standard rates | Unlimited, pay at standard rates
CPU time (day) [6] | 60 minutes | 240 minutes | Unlimited, pay at standard rates | Unlimited, pay at standard rates | Unlimited, pay at standard rates | Unlimited, pay at standard rates
Memory (1 hour) | 1,024 MB per App Service plan | 1,024 MB per app | N/A | N/A | N/A | N/A
Bandwidth | 165 MB | Unlimited, data transfer rates apply | Unlimited, data transfer rates apply | Unlimited, data transfer rates apply | Unlimited, data transfer rates apply | Unlimited, data transfer rates apply
Application architecture | 32-bit | 32-bit | 32-bit/64-bit | 32-bit/64-bit | 32-bit/64-bit | 32-bit/64-bit
Web sockets per instance [7] | 5 | 35 | 350 | Unlimited | Unlimited | Unlimited
Outbound IP connections per instance | 600 | 600 | Depends on instance size [8] | Depends on instance size [8] | Depends on instance size [8] | 16,000
Concurrent debugger connections per application | 1 | 1 | 1 | 5 | 5 | 5
App Service Certificates per subscription | Not supported | Not supported | 10 | 10 | 10 | 10
Custom domains per app | 0 (azurewebsites.net subdomain only) | 500 | 500 | 500 | 500 | 500
Custom domain SSL support | Not supported, wildcard certificate for *.azurewebsites.net available by default | Not supported, wildcard certificate for *.azurewebsites.net available by default | Unlimited SNI SSL connections | Unlimited SNI SSL and 1 IP SSL connections included | Unlimited SNI SSL and 1 IP SSL connections included | Unlimited SNI SSL and 1 IP SSL connections included
Hybrid connections | - | - | 5 per plan | 25 per plan | 220 per app | 220 per app
Virtual Network Integration | - | - | - | X | X | X
Private Endpoints | - | - | - | - | 100 per app | -
Integrated load balancer | - | X | X | X | X | X [9]
Access restrictions | 512 rules per app | 512 rules per app | 512 rules per app | 512 rules per app | 512 rules per app | 512 rules per app
Always On | - | - | X | X | X | X
Scheduled backups | - | - | - | Scheduled backups every 2 hours, a maximum of 12 backups per day (manual + scheduled) | Scheduled backups every hour, a maximum of 50 backups per day (manual + scheduled) | Scheduled backups every hour, a maximum of 50 backups per day (manual + scheduled)
Autoscale | - | - | - | X | X | X
WebJobs [10] | X | X | X | X | X | X
Endpoint monitoring | - | - | X | X | X | X
Staging slots per app | - | - | - | 5 | 20 | 20
Testing in Production | - | - | - | X | X | X
Diagnostic Logs | X | X | X | X | X | X
Kudu | X | X | X | X | X | X
Authentication and Authorization | X | X | X | X | X | X
App Service Managed Certificates [11] | - | - | X | X | X | X
SLA | - | - | 99.95% | 99.95% | 99.95% | 99.95%

[1] Apps and storage quotas are per App Service plan unless noted otherwise.
[2] The actual number of apps that you can host on these machines depends on the activity of the apps, the size of
the machine instances, and the corresponding resource utilization.
[3] Dedicated instances can be of different sizes. For more information, see App Service pricing.
[4] More are allowed upon request.
[5] The storage limit is the total content size across all apps in the same App Service plan. The total content size of
all apps across all App Service plans in a single resource group and region cannot exceed 500 GB. The file
system quota for App Service hosted apps is determined by the aggregate of App Service plans created in a
region and resource group.
[6] These resources are constrained by physical resources on the dedicated instances (the instance size and the
number of instances).
[7] If you scale an app in the Basic tier to two instances, you have 350 concurrent connections for each of the two
instances. For Standard tier and above, there are no theoretical limits to web sockets, but other factors can limit
the number of web sockets. For example, maximum concurrent requests allowed (defined by
maxConcurrentRequestsPerCpu) are: 7,500 per small VM, 15,000 per medium VM (7,500 x 2 cores), and 75,000
per large VM (18,750 x 4 cores).
[8] The maximum IP connections are per instance and depend on the instance size: 1,920 per B1/S1/P1V3
instance, 3,968 per B2/S2/P2V3 instance, 8,064 per B3/S3/P3V3 instance.
[9] App Service Isolated SKUs can be internally load balanced (ILB) with Azure Load Balancer, so there's no public
connectivity from the internet. As a result, some features of an ILB Isolated App Service must be used from
machines that have direct access to the ILB network endpoint.
[10] Run custom executables and/or scripts on demand, on a schedule, or continuously as a background task
within your App Service instance. Always On is required for continuous WebJobs execution. There's no
predefined limit on the number of WebJobs that can run in an App Service instance. There are practical limits
that depend on what the application code is trying to do.
[11] Only issuing standard certificates (wildcard certificates aren't available). Limited to only one free certificate
per custom domain.
[12] Total storage usage across all apps deployed in a single App Service Environment (regardless of how they're
allocated across different resource groups).

Automation limits
Process automation

Resource | Limit | Notes
Maximum number of new jobs that can be submitted every 30 seconds per Azure Automation account (nonscheduled jobs) | 100 | When this limit is reached, the subsequent requests to create a job fail. The client receives an error response.
Maximum number of concurrent running jobs at the same instance of time per Automation account (nonscheduled jobs) | 200 | When this limit is reached, the subsequent requests to create a job fail. The client receives an error response.
Maximum storage size of job metadata for a 30-day rolling period | 10 GB (approximately 4 million jobs) | When this limit is reached, the subsequent requests to create a job fail.
Maximum job stream limit | 1 MiB | A single stream cannot be larger than 1 MiB.
Maximum number of modules that can be imported every 30 seconds per Automation account | 5 |
Maximum size of a module | 100 MB |
Maximum size of a node configuration file | 1 MB | Applies to state configuration
Job run time, Free tier | 500 minutes per subscription per calendar month |
Maximum amount of disk space allowed per sandbox¹ | 1 GB | Applies to Azure sandboxes only.
Maximum amount of memory given to a sandbox¹ | 400 MB | Applies to Azure sandboxes only.
Maximum number of network sockets allowed per sandbox¹ | 1,000 | Applies to Azure sandboxes only.
Maximum runtime allowed per runbook¹ | 3 hours | Applies to Azure sandboxes only.
Maximum number of Automation accounts in a subscription | No limit |
Maximum number of system hybrid runbook workers per Automation Account | 4,000 |
Maximum number of user hybrid runbook workers per Automation Account | 4,000 |
Maximum number of concurrent jobs that can be run on a single Hybrid Runbook Worker | 50 |
Maximum runbook job parameter size | 512 kilobytes |
Maximum runbook parameters | 50 | If you reach the 50-parameter limit, you can pass a JSON or XML string to a parameter and parse it with the runbook.
Maximum webhook payload size | 512 kilobytes |
Maximum days that job data is retained | 30 days |
Maximum PowerShell workflow state size | 5 MB | Applies to PowerShell workflow runbooks when checkpointing workflow.
Maximum number of tags supported by an Automation account | 15 |

¹ A sandbox is a shared environment that can be used by multiple jobs. Jobs that use the same sandbox are bound by the resource limitations of the sandbox.


Change Tracking and Inventory
The following table shows the tracked item limits per machine for change tracking.

Resource | Limit | Notes
File | 500 |
File size | 5 MB |
Registry | 250 |
Windows software | 250 | Doesn't include software updates.
Linux packages | 1,250 |
Services | 250 |
Daemon | 250 |

Update Management
The following table shows the limits for Update Management.

Resource | Limit | Notes
Number of machines per update deployment | 1000 |
Number of dynamic groups per update deployment | 500 |

Azure App Configuration

Resource | Limit | Comment
Configuration stores for Free tier | 1 store per subscription |
Configuration stores for Standard tier | Unlimited stores per subscription |
Configuration store requests for Free tier | 1,000 requests per day | Once the quota is exhausted, HTTP status code 429 will be returned for all requests until the end of the day
Configuration store requests for Standard tier | 30,000 per hour | Once the quota is exhausted, requests may return HTTP status code 429 indicating Too Many Requests - until the end of the hour
Storage for Free tier | 10 MB |
Storage for Standard tier | 1 GB |
Keys and Values | 10 KB | For a single key-value item, including all metadata

Azure Cache for Redis limits

Resource | Limit
Cache size | 1.2 TB
Databases | 64
Maximum connected clients | 40,000
Azure Cache for Redis replicas, for high availability | 3
Shards in a premium cache with clustering | 10

Azure Cache for Redis limits and sizes are different for each pricing tier. To see the pricing tiers and their associated sizes, see Azure Cache for Redis pricing.
For more information on Azure Cache for Redis configuration limits, see Default Redis server configuration.
Because configuration and management of Azure Cache for Redis instances is done by Microsoft, not all Redis commands are supported in Azure Cache for Redis. For more information, see Redis commands not supported in Azure Cache for Redis.

Azure Cloud Services limits

Resource | Limit
Web or worker roles per deployment¹ | 25
Instance input endpoints per deployment | 25
Input endpoints per deployment | 25
Internal endpoints per deployment | 25
Hosted service certificates per deployment | 199

¹ Each Azure Cloud Service with web or worker roles can have two deployments, one for production and one for staging. This limit refers to the number of distinct roles, that is, configuration. This limit doesn't refer to the number of instances per role, that is, scaling.

Azure Cognitive Search limits

Pricing tiers determine the capacity and limits of your search service. Tiers include:
Free multi-tenant service, shared with other Azure subscribers, is intended for evaluation and small development projects.
Basic provides dedicated computing resources for production workloads at a smaller scale, with up to three replicas for highly available query workloads.
Standard, which includes S1, S2, S3, and S3 High Density, is for larger production workloads. Multiple levels exist within the Standard tier so that you can choose a resource configuration that best matches your workload profile.

Limits per subscription
You can create multiple services, limited only by the number of services allowed at each tier. For example, you could create up to 16 services at the Basic tier and another 16 services at the S1 tier within the same subscription. For more information about tiers, see Choose an SKU or tier for Azure Cognitive Search.
Maximum service limits can be raised upon request. If you need more services within the same subscription, contact Azure Support.

Resource | Free¹ | Basic | S1 | S2 | S3 | S3 HD | L1 | L2
Maximum services | 1 | 16 | 16 | 8 | 6 | 6 | 6 | 6
Maximum scale in search units (SU)² | N/A | 3 SU | 36 SU | 36 SU | 36 SU | 36 SU | 36 SU | 36 SU

¹ Free is based on infrastructure that's shared with other customers. Because the hardware isn't dedicated, scale-up isn't supported on the free tier.
² Search units are billing units, allocated as either a replica or a partition. You need both resources for storage, indexing, and query operations. To learn more about SU computations, see Scale resource levels for query and index workloads.

Limits per search service
A search service is constrained by disk space or by a hard limit on the maximum number of indexes or indexers, whichever comes first. The following table documents storage limits. For maximum object limits, see Limits by resource.

Resource | Free | Basic¹ | S1 | S2 | S3 | S3 HD | L1 | L2
Service level agreement (SLA)² | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Storage per partition | 50 MB | 2 GB | 25 GB | 100 GB | 200 GB | 200 GB | 1 TB | 2 TB
Partitions per service | N/A | 1 | 12 | 12 | 12 | 3 | 12 | 12
Partition size | N/A | 2 GB | 25 GB | 100 GB | 200 GB | 200 GB | 1 TB | 2 TB
Replicas | N/A | 3 | 12 | 12 | 12 | 12 | 12 | 12

¹ Basic has one fixed partition. Additional search units can be used to add replicas for larger query volumes.
² Service level agreements are in effect for billable services on dedicated resources. Free services and preview features have no SLA. For billable services, SLAs take effect when you provision sufficient redundancy for your service. Two or more replicas are required for query (read) SLAs. Three or more replicas are required for query and indexing (read-write) SLAs. The number of partitions isn't an SLA consideration.
To learn more about limits on a more granular level, such as document size, queries per second, keys, requests, and responses, see Service limits in Azure Cognitive Search.
Azure Cognitive Services limits
The following limits are for the number of Cognitive Services resources per Azure subscription. There is a limit of only one allowed 'Free' account, per Cognitive Service type, per subscription. Each of the Cognitive Services may have other limitations; for more information, see Azure Cognitive Services.

Type | Limit | Example
A mixture of Cognitive Services resources | Maximum of 200 total Cognitive Services resources per region. | 100 Computer Vision resources in West US, 50 Speech Service resources in West US, and 50 Text Analytics resources in West US.
A single type of Cognitive Services resources | Maximum of 100 resources per region | 100 Computer Vision resources in West US 2, and 100 Computer Vision resources in East US.

Azure Cosmos DB limits

For Azure Cosmos DB limits, see Limits in Azure Cosmos DB.

Azure Data Explorer limits

The following table describes the maximum limits for Azure Data Explorer clusters.

Resource | Limit
Clusters per region per subscription | 20
Instances per cluster | 1000
Number of databases in a cluster | 10,000
Number of follower clusters (data share consumers) per leader cluster (data share producer) | 100

The following table describes the limits on management operations performed on Azure Data Explorer clusters.

Scope | Operation | Limit
Cluster | read (for example, get a cluster) | 500 per 5 minutes
Cluster | write (for example, create a database) | 1000 per hour

Azure Database for MySQL

For Azure Database for MySQL limits, see Limitations in Azure Database for MySQL.

Azure Database for PostgreSQL

For Azure Database for PostgreSQL limits, see Limitations in Azure Database for PostgreSQL.

Azure Functions limits

Resource | Consumption plan | Premium plan | Dedicated plan | ASE | Kubernetes
Default timeout duration (min) | 5 | 30 | 30¹ | 30 | 30
Max timeout duration (min) | 10 | unbounded⁷ | unbounded² | unbounded | unbounded
Max outbound connections (per instance) | 600 active (1200 total) | unbounded | unbounded | unbounded | unbounded
Max request size (MB)³ | 100 | 100 | 100 | 100 | Depends on cluster
Max query string length³ | 4096 | 4096 | 4096 | 4096 | Depends on cluster
Max request URL length³ | 8192 | 8192 | 8192 | 8192 | Depends on cluster
ACU per instance | 100 | 210-840 | 100-840 | 210-250⁸ | AKS pricing
Max memory (GB per instance) | 1.5 | 3.5-14 | 1.75-14 | 3.5 - 14 | Any node is supported
Max instance count | 200 | 100⁹ | varies by SKU¹⁰ | 100¹⁰ | Depends on cluster
Function apps per plan | 100 | 100 | unbounded⁴ | unbounded | unbounded
App Service plans | 100 per region | 100 per resource group | 100 per resource group | - | -
Storage⁵ | 5 TB | 250 GB | 50-1000 GB | 1 TB | n/a
Custom domains per app | 500⁶ | 500 | 500 | 500 | n/a
Custom domain SSL support | unbounded SNI SSL connection included | unbounded SNI SSL and 1 IP SSL connections included | unbounded SNI SSL and 1 IP SSL connections included | unbounded SNI SSL and 1 IP SSL connections included | n/a

¹ By default, the timeout for the Functions 1.x runtime in an App Service plan is unbounded.
² Requires the App Service plan be set to Always On. Pay at standard rates.
³ These limits are set in the host.
⁴ The actual number of function apps that you can host depends on the activity of the apps, the size of the machine instances, and the corresponding resource utilization.
⁵ The storage limit is the total content size in temporary storage across all apps in the same App Service plan. Consumption plan uses Azure Files for temporary storage.
⁶ When your function app is hosted in a Consumption plan, only the CNAME option is supported. For function apps in a Premium plan or an App Service plan, you can map a custom domain using either a CNAME or an A record.
⁷ Guaranteed for up to 60 minutes.
⁸ Workers are roles that host customer apps. Workers are available in three fixed sizes: One vCPU/3.5 GB RAM; Two vCPU/7 GB RAM; Four vCPU/14 GB RAM.
⁹ When running on Linux in a Premium plan, you're currently limited to 20 instances.
¹⁰ See App Service limits for details.

For more information, see Functions Hosting plans comparison.

Azure Healthcare APIs

Healthcare APIs service limits
Azure Healthcare APIs is a set of managed API services based on open standards and frameworks. The service enables workflows to improve healthcare, and offers scalable and secure healthcare solutions. It's currently in public preview. Azure Healthcare APIs includes the Fast Healthcare Interoperability Resources (FHIR) service, the Digital Imaging and Communications in Medicine (DICOM) service, and the IoT connector.
The FHIR service is an implementation of the FHIR specification within the Azure Healthcare APIs. It enables you to combine in a single workspace one or more FHIR service instances with optional DICOM service instances and IoT connectors. The Azure API for FHIR is General Availability (GA), and available as a stand-alone service offering.

Quota name | Default limit | Maximum limit | Notes
Workspace | 10 | Contact support | Limit per subscription
FHIR | 10 | Contact support | Limit per workspace
DICOM | 10 | Contact support | Limit per workspace
IoT connector | 10 | N/A | Limit per workspace, can't be increased

Azure API for FHIR service limits

Azure API for FHIR is a managed, standards-based, compliant API for clinical health data that enables solutions for actionable analytics and machine learning.

Quota name | Default limit | Maximum limit | Notes
Request Units (RUs) | 10,000 RUs | Contact support. Maximum available is 1,000,000. | You need a minimum of 400 RUs or 40 RUs/GB, whichever is larger.
Concurrent connections | 15 concurrent connections on two instances (for a total of 30 concurrent requests) | Contact support |
Azure API for FHIR Service Instances per Subscription | 10 | Contact support |

Azure Kubernetes Service limits

Resource | Limit
Maximum clusters per subscription | 5000
Maximum nodes per cluster with Virtual Machine Availability Sets and Basic Load Balancer SKU | 100
Maximum nodes per cluster with Virtual Machine Scale Sets and Standard Load Balancer SKU | 1000 (across all node pools)
Maximum node pools per cluster | 100
Maximum pods per node: Basic networking with Kubenet | Maximum: 250; Azure CLI default: 110; Azure Resource Manager template default: 110; Azure portal deployment default: 30
Maximum pods per node: Advanced networking with Azure Container Networking Interface | Maximum: 250; Default: 30
Open Service Mesh (OSM) AKS addon | Kubernetes Cluster Version: 1.19+; OSM controllers per cluster: 1; Pods per OSM controller: 500; Kubernetes service accounts managed by OSM: 50

Kubernetes control plane tier | Limit
Paid tier | Automatically scales out based on the load
Free tier | Limited resources with inflight requests limit of 50 mutating and 100 read-only calls

Azure Machine Learning limits

The latest values for Azure Machine Learning Compute quotas can be found in the Azure Machine Learning quota page.

Azure Maps limits

The following table shows the usage limit for the Azure Maps S0 pricing tier. Usage limit depends on the pricing tier.

Resource | S0 pricing tier limit
Maximum request rate per subscription | 50 requests per second

The following table shows the cumulative data size limit for Azure Maps accounts in an Azure subscription. The Azure Maps Data service is available only at the S1 pricing tier.

Resource | Limit
Maximum storage per Azure subscription | 1 GB
Maximum size per file upload | 100 MB

For more information on the Azure Maps pricing tiers, see Azure Maps pricing.

Azure Monitor limits

Alerts

Resource | Default limit | Maximum limit
Metric alerts (classic) | 100 active alert rules per subscription. | Call support
Metric alerts | 5,000 active alert rules per subscription in Azure public, Azure China 21Vianet and Azure Government clouds. If you are hitting this limit, explore if you can use same type multi-resource alerts. 5,000 metric time-series per alert rule. | Call support.
Activity log alerts | 100 active alert rules per subscription (cannot be increased). | Same as default
Log alerts | 1000 active alert rules per subscription. 1000 active alert rules per resource. | Call support
Alert processing rules | 1000 active rules per subscription. | Call support
Alert rules and alert processing rules description length | Log search alerts: 4096 characters. All other: 2048 characters | Same as default

Alerts API
Azure Monitor Alerts have several throttling limits to protect against users making an excessive number of calls. Such behavior can potentially overload the system backend resources and jeopardize service responsiveness. The following limits are designed to protect customers from interruptions and ensure a consistent service level. The user throttling and limits are designed to impact only extreme usage scenarios and should not be relevant for typical usage.

Resource | Default limit | Maximum limit
Alerts - Get Summary | 50 calls per minute per subscription | Same as default
Alerts - Get All (not "Get By Id") | 100 calls per minute per subscription | Same as default
All other alerts calls | 1000 calls per minute per subscription | Same as default

Action groups
You may have an unlimited number of action groups in a subscription.

Resource | Default limit | Maximum limit
Azure app push | 10 Azure app actions per action group. | Same as Default
Email | 1,000 email actions in an action group. No more than 100 emails in an hour. Also see the rate limiting information. | Same as Default
Email ARM role | 10 Email ARM role actions per action group. | Same as Default
Event Hub | 10 Event Hub actions per action group. | Same as Default
ITSM | 10 ITSM actions in an action group. | Same as Default
Logic app | 10 logic app actions in an action group. | Same as Default
Runbook | 10 runbook actions in an action group. | Same as Default
Secure Webhook | 10 secure webhook actions in an action group. Maximum number of webhook calls is 1500 per minute per subscription. Other limits are available at action-specific information. | Same as Default
SMS | 10 SMS actions in an action group. No more than 1 SMS message every 5 minutes. Also see the rate limiting information. | Same as Default
Voice | 10 voice actions in an action group. No more than 1 voice call every 5 minutes. Also see the rate limiting information. | Same as Default
Webhook | 10 webhook actions in an action group. Maximum number of webhook calls is 1500 per minute per subscription. Other limits are available at action-specific information. | Same as Default

Autoscale

Resource | Default limit | Maximum limit
Autoscale settings | 100 per region per subscription. | Same as default
Autoscale profiles | 20 profiles per autoscale setting. | Same as default

Log queries and language

General query limits

Limit | Description
Query language | Azure Monitor uses the same Kusto query language as Azure Data Explorer. See Azure Monitor log query language differences for KQL language elements not supported in Azure Monitor.
Azure regions | Log queries can experience excessive overhead when data spans Log Analytics workspaces in multiple Azure regions. See Query limits for details.
Cross resource queries | Maximum number of Application Insights resources and Log Analytics workspaces in a single query is limited to 100. Cross-resource query is not supported in View Designer. Cross-resource query in log alerts is supported in the new scheduledQueryRules API. See Cross-resource query limits for details.

User query throttling

Azure Monitor has several throttling limits to protect against users sending an excessive number of queries. Such behavior can potentially overload the system backend resources and jeopardize service responsiveness. The following limits are designed to protect customers from interruptions and ensure a consistent service level. The user throttling and limits are designed to impact only extreme usage scenarios and should not be relevant for typical usage.

Measure | Limit per user | Description
Concurrent queries | 5 | A user can run up to 5 concurrent queries; any additional query will be added to a queue. When one of the running queries finishes, the first query in the queue is pulled from the queue and starts running. Note: Alerts queries are not part of this limit.
Time in concurrency queue | 3 minutes | If a query sits in the queue for more than 3 minutes without being started, it will be terminated with an HTTP error response with code 429.
Total queries in concurrency queue | 200 | Once the number of queries in the queue reaches 200, the next query will be rejected with an HTTP error code 429. This number is in addition to the five queries that can be running simultaneously.
Query rate | 200 queries per 30 seconds | Overall rate of queries that can be submitted by a single user to all workspaces. This limit applies to programmatic queries or queries initiated by visualization parts such as Azure dashboards and the Log Analytics workspace summary page.

Optimize your queries as described in Optimize log queries in Azure Monitor.
Dashboards and workbooks can contain multiple queries in a single view that generate a burst of queries every time they load or refresh. Consider breaking them up into multiple views that load on demand.
In Power BI, consider extracting only aggregated results rather than raw logs.
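A script that fans queries out across many workspaces can trip the per-user limits above and start collecting 429s; the limiter below is an added example (not from the original page or from Microsoft) that gates queries client-side at 5 concurrent and 200 per 30 seconds and backs off when the service answers 429. The send callable, the Retry-After handling and the simulated clock are assumptions so that it runs offline.

```python
import threading
import time
from collections import deque

# Per-user limits quoted in the table above.
MAX_CONCURRENT = 5          # concurrent queries
MAX_PER_WINDOW = 200        # queries per 30-second window
WINDOW_SECONDS = 30.0


class QueryLimiter:
    """Client-side guard that stays under the documented per-user query limits.

    Constructed example, not Microsoft code. Calls are gated before they leave
    the client, so the service-side queue (200 deep, 3-minute timeout) and its
    HTTP 429 responses are rarely reached; when a 429 does arrive, the call
    waits instead of retrying immediately.
    """

    def __init__(self, max_concurrent=MAX_CONCURRENT, max_per_window=MAX_PER_WINDOW,
                 window_seconds=WINDOW_SECONDS, clock=time.monotonic, sleep=time.sleep):
        self._sem = threading.BoundedSemaphore(max_concurrent)
        self._lock = threading.Lock()
        self._sent = deque()      # send timestamps still inside the sliding window
        self._max_per_window = max_per_window
        self._window = window_seconds
        self._clock = clock       # injectable so the behaviour can be simulated offline
        self._sleep = sleep
        self.throttled = 0        # number of 429 responses seen

    def _take_window_slot(self):
        """Block until fewer than max_per_window queries were sent in the last window."""
        while True:
            with self._lock:
                now = self._clock()
                while self._sent and now - self._sent[0] >= self._window:
                    self._sent.popleft()
                if len(self._sent) < self._max_per_window:
                    self._sent.append(now)
                    return
                wait = self._window - (now - self._sent[0])
            self._sleep(max(wait, 0.0))

    def run(self, send, max_attempts=3):
        """Run one query via send() -> (status, headers, body), backing off on 429.

        Retry-After is assumed (it is not documented on this page) to be a number
        of seconds when present; otherwise an exponential delay (1 s, 2 s, 4 s) is used.
        """
        with self._sem:                        # at most MAX_CONCURRENT in flight
            status, headers, body = None, {}, None
            for attempt in range(max_attempts):
                self._take_window_slot()       # at most MAX_PER_WINDOW per window
                status, headers, body = send()
                if status != 429:
                    return status, body
                self.throttled += 1
                self._sleep(float(headers.get("Retry-After", 2 ** attempt)))
            return status, body


class SimulatedClock:
    """Fake clock: sleeping advances time instantly, so the limiter runs offline."""

    def __init__(self):
        self.now = 0.0

    def time(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


def simulate_burst(n_queries):
    """Fire n_queries back to back; return (simulated seconds elapsed, successes)."""
    clock = SimulatedClock()
    limiter = QueryLimiter(clock=clock.time, sleep=clock.sleep)
    ok = 0
    for _ in range(n_queries):
        status, _body = limiter.run(lambda: (200, {}, "rows"))   # constructed response
        ok += status == 200
    return clock.now, ok


def simulate_throttled_call(retry_after="7"):
    """One query the service throttles once (429 + Retry-After), then accepts."""
    clock = SimulatedClock()
    limiter = QueryLimiter(clock=clock.time, sleep=clock.sleep)
    responses = iter([(429, {"Retry-After": retry_after}, "throttled"),   # constructed
                      (200, {}, "rows")])
    status, body = limiter.run(lambda: next(responses))
    return status, body, clock.now, limiter.throttled


if __name__ == "__main__":
    print(simulate_burst(200))         # (0.0, 200): a burst of 200 fits one window
    print(simulate_burst(201))         # (30.0, 201): query 201 waits out the window
    print(simulate_throttled_call())   # (200, 'rows', 7.0, 1)
```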
Log Analytics workspaces
Data collection volume and retention

Tier | Limit per day | Data retention | Comment
Current Per GB pricing tier (introduced April 2018) | No limit | 30 - 730 days | Data retention beyond 31 days is available for additional charges. Learn more about Azure Monitor pricing.
Legacy Free tiers (introduced April 2016) | 500 MB | 7 days | When your workspace reaches the 500 MB per day limit, data ingestion stops and resumes at the start of the next day. A day is based on UTC. Note that data collected by Microsoft Defender for Cloud is not included in this 500 MB per day limit and will continue to be collected above this limit.
Legacy Standalone Per GB tier (introduced April 2016) | No limit | 30 to 730 days | Data retention beyond 31 days is available for additional charges. Learn more about Azure Monitor pricing.
Legacy Per Node (OMS) (introduced April 2016) | No limit | 30 to 730 days | Data retention beyond 31 days is available for additional charges. Learn more about Azure Monitor pricing.
Legacy Standard tier | No limit | 30 days | Retention can't be adjusted
Legacy Premium tier | No limit | 365 days | Retention can't be adjusted

Number of workspaces per subscription.

Pricing tier | Workspace limit | Comments
Free tier | 10 | This limit can't be increased.
All other tiers | No limit | You're limited by the number of resources within a resource group and the number of resource groups per subscription.

Azure portal

Category | Limit | Comments
Maximum records returned by a log query | 30,000 | Reduce results using query scope, time range, and filters in the query.

Data Collector API

Category | Limit | Comments
Maximum size for a single post | 30 MB | Split larger volumes into multiple posts.
Maximum size for field values | 32 KB | Fields longer than 32 KB are truncated.

Query API

Category | Limit | Comments
Maximum records returned in a single query | 500,000 |
Maximum size of data returned | ~104 MB (~100 MiB) |
Maximum query running time | 10 minutes | See Timeouts for details.
Maximum request rate | 200 requests per 30 seconds per Azure AD user or client IP address | See Log queries and language.

Azure Monitor Logs connector

Category | Limit | Comments
Max size of data | ~16.7 MB (~16 MiB) | The connector infrastructure dictates that this limit is set lower than the query API limit
Max number of records | 500,000 |
Max connector timeout | 110 seconds |
Max query timeout | 100 seconds |
Charts | | Visualization in the Logs page and the connector use different charting libraries, and some functionality isn't available in the connector currently

General workspace limits

Category | Limit | Comments
Maximum columns in a table | 500 |
Maximum characters for column name | 45 |

Data ingestion volume rate

Azure Monitor is a high-scale data service that serves thousands of customers sending terabytes of data each month at a growing pace. The volume rate limit is intended to isolate Azure Monitor customers from sudden ingestion spikes in a multitenant environment. A default ingestion volume rate threshold of 500 MB (compressed) is defined in workspaces; this translates to approximately 6 GB/min uncompressed, though the actual size can vary between data types depending on the log length and its compression ratio. The volume rate limit applies to data ingested from Azure resources via Diagnostic settings. When the volume rate limit is reached, a retry mechanism attempts to ingest the data 4 times in a period of 30 minutes and drops it if the operation fails. It doesn't apply to data ingested from agents or the Data Collector API.
When data sent to your workspace is at a volume rate higher than 80% of the threshold configured in your workspace, an event is sent to the Operation table in your workspace every 6 hours while the threshold continues to be exceeded. When the ingested volume rate is higher than the threshold, some data is dropped and an event is sent to the Operation table in your workspace every 6 hours while the threshold continues to be exceeded. If your ingestion volume rate continues to exceed the threshold or you are expecting to reach it sometime soon, you can request an increase by opening a support request.
See Monitor health of Log Analytics workspace in Azure Monitor to create alert rules to be proactively notified when you reach any ingestion limits.

NOTE
Depending on how long you've been using Log Analytics, you might have access to legacy pricing tiers. Learn more about Log Analytics legacy pricing tiers.

Application Insights
There are some limits on the number of metrics and events per application, that is, per instrumentation key. Limits depend on the pricing plan that you choose.

Resource | Default limit | Note
Total data per day | 100 GB | You can reduce data by setting a cap. If you need more data, you can increase the limit in the portal, up to 1,000 GB. For capacities greater than 1,000 GB, send email to [email protected].
Throttling | 32,000 events/second | The limit is measured over a minute.
Data retention Logs | 30 - 730 days | This resource is for Logs.
Data retention Metrics | 90 days | This resource is for Metrics Explorer.
Availability multi-step test detailed results retention | 90 days | This resource provides detailed results of each step.
Maximum telemetry item size | 64 kB |
Maximum telemetry items per batch | 64 K |
Property and metric name length | 150 | See type schemas.
Property value string length | 8,192 | See type schemas.
Trace and exception message length | 32,768 | See type schemas.
Availability tests count per app | 100 |
Profiler data retention | 5 days |
Profiler data sent per day | 10 GB |

For more information, see About pricing and quotas in Application Insights.

Azure Data Factory limits

Azure Data Factory is a multitenant service that has the following default limits in place to make sure customer subscriptions are protected from each other's workloads. To raise the limits up to the maximum for your subscription, contact support.

Version 2

Resource | Default limit | Maximum limit
Total number of entities, such as pipelines, data sets, triggers, linked services, Private Endpoints, and integration runtimes, within a data factory | 5,000 | Contact support.
Total CPU cores for Azure-SSIS Integration Runtimes under one subscription | 256 | Contact support.
Concurrent pipeline runs per data factory that's shared among all pipelines in the factory | 10,000 | 10,000
Concurrent External activity runs per subscription per Azure Integration Runtime region (External activities are managed on integration runtime but execute on linked services, including Databricks, stored procedure, Web, and others. This limit does not apply to Self-hosted IR.) | 3,000 | 3,000
Concurrent Pipeline activity runs per subscription per Azure Integration Runtime region (Pipeline activities execute on integration runtime, including Lookup, GetMetadata, and Delete. This limit does not apply to Self-hosted IR.) | 1,000 | 1,000
Concurrent authoring operations per subscription per Azure Integration Runtime region (Including test connection, browse folder list and table list, preview data. This limit does not apply to Self-hosted IR.) | 200 | 200
Concurrent Data Integration Units¹ consumption per subscription per Azure Integration Runtime region | Region group 1²: 6,000; Region group 2²: 3,000; Region group 3²: 1,500; Managed virtual network²: 2,400 | Region group 1²: 6,000; Region group 2²: 3,000; Region group 3²: 1,500; Managed virtual network: Contact support.
Maximum activities per pipeline, which includes inner activities for containers | 40 | 40
Maximum number of linked integration runtimes that can be created against a single self-hosted integration runtime | 100 | Contact support.
Maximum parameters per pipeline | 50 | 50
ForEach items | 100,000 | 100,000
ForEach parallelism | 20 | 50
Maximum queued runs per pipeline | 100 | 100
Characters per expression | 8,192 | 8,192
Minimum tumbling window trigger interval | 5 min | 15 min
Maximum timeout for pipeline activity runs | 7 days | 7 days
Bytes per object for pipeline objects³ | 200 KB | 200 KB
Bytes per object for dataset and linked service objects³ | 100 KB | 2,000 KB
Bytes per payload for each activity run⁴ | 896 KB | 896 KB
Data Integration Units¹ per copy activity run | 256 | 256
Write API calls (This limit is imposed by Azure Resource Manager, not Azure Data Factory.) | 1,200/h | 1,200/h
Read API calls (This limit is imposed by Azure Resource Manager, not Azure Data Factory.) | 12,500/h | 12,500/h
Monitoring queries per minute | 1,000 | 1,000
Maximum time of data flow debug session | 8 hrs | 8 hrs
Concurrent number of data flows per integration runtime | 50 | Contact support.
Concurrent number of data flows per integration runtime in managed vNet | 20 | Contact support.
Concurrent number of data flow debug sessions per user per factory | 3 | 3
Data Flow Azure IR TTL limit | 4 hrs | 4 hrs
Meta Data Entity Size limit in a factory | 2 GB | Contact support.

¹ The data integration unit (DIU) is used in a cloud-to-cloud copy operation; learn more from Data integration units (version 2). For information on billing, see Azure Data Factory pricing.
² Azure Integration Runtime is globally available to ensure data compliance, efficiency, and reduced network egress costs.

Region group | Regions
Region group 1 | Central US, East US, East US 2, North Europe, West Europe, West US, West US 2
Region group 2 | Australia East, Australia Southeast, Brazil South, Central India, Japan East, North Central US, South Central US, Southeast Asia, West Central US
Region group 3 | Other regions

If managed virtual network is enabled, the data integration unit (DIU) limit in all region groups is 2,400.
³ Pipeline, data set, and linked service objects represent a logical grouping of your workload. Limits for these objects don't relate to the amount of data you can move and process with Azure Data Factory. Data Factory is designed to scale to handle petabytes of data.
⁴ The payload for each activity run includes the activity configuration, the associated dataset(s) and linked service(s) configurations if any, and a small portion of system properties generated per activity type. The limit for this payload size doesn't relate to the amount of data you can move and process with Azure Data Factory. Learn about the symptoms and recommendation if you hit this limit.
Version 1

Resource | Default limit | Maximum limit
Pipelines within a data factory | 2,500 | Contact support.
Data sets within a data factory | 5,000 | Contact support.
Concurrent slices per data set | 10 | 10
Bytes per object for pipeline objects¹ | 200 KB | 200 KB
Bytes per object for data set and linked service objects¹ | 100 KB | 2,000 KB
Azure HDInsight on-demand cluster cores within a subscription² | 60 | Contact support.
Cloud data movement units per copy activity run³ | 32 | 32
Retry count for pipeline activity runs | 1,000 | MaxInt (32 bit)

¹ Pipeline, data set, and linked service objects represent a logical grouping of your workload. Limits for these objects don't relate to the amount of data you can move and process with Azure Data Factory. Data Factory is designed to scale to handle petabytes of data.
² On-demand HDInsight cores are allocated out of the subscription that contains the data factory. As a result, the previous limit is the Data Factory-enforced core limit for on-demand HDInsight cores. It's different from the core limit that's associated with your Azure subscription.
³ The cloud data movement unit (DMU) for version 1 is used in a cloud-to-cloud copy operation; learn more from Cloud data movement units (version 1). For information on billing, see Azure Data Factory pricing.

Resource | Default lower limit | Minimum limit
Scheduling interval | 15 minutes | 15 minutes
Interval between retry attempts | 1 second | 1 second
Retry timeout value | 1 second | 1 second

Web service call limits

Azure Resource Manager has limits for API calls. You can make API calls at a rate within the Azure Resource Manager API limits.

Azure NetApp Files


Azure NetApp Files has a regional limit for capacity. The standard capacity limit for each subscription is 25 TiB,
per region, across all service levels. To increase the capacity, use the Service and subscription limits (quotas)
support request.
To learn more about the limits for Azure NetApp Files, see Resource limits for Azure NetApp Files.

Azure Policy limits


There's a maximum count for each object type for Azure Policy. For definitions, an entry of Scope means the management group or subscription. For assignments and exemptions, an entry of Scope means the management group, subscription, resource group, or individual resource.

Where | What | Maximum count
Scope | Policy definitions | 500
Scope | Initiative definitions | 200
Tenant | Initiative definitions | 2,500
Scope | Policy or initiative assignments | 200
Scope | Exemptions | 1000
Policy definition | Parameters | 20
Initiative definition | Policies | 1000
Initiative definition | Parameters | 300
Policy or initiative assignments | Exclusions (notScopes) | 400
Policy rule | Nested conditionals | 512
Remediation task | Resources | 50,000
Policy definition, initiative, or assignment request body | Bytes | 1,048,576

Policy rules have additional limits on the number of conditions and their complexity. See Policy rule limits for more details.

Azure Quantum limits


Provider Limits & Quota

The Azure Quantum Service supports both first- and third-party service providers. Third-party providers own their limits and quotas. Users can view offers and limits in the Azure portal when configuring third-party providers.
You can find the published quota limits for Microsoft's first-party Optimization Solutions provider below.

Learn & Develop SKU

Resource | Limit
CPU-based concurrent jobs | up to 5¹ concurrent jobs
FPGA-based concurrent jobs | up to 2¹ concurrent jobs
CPU-based solver hours | 20 hours per month
FPGA-based solver hours | 1 hour per month

While on the Learn & Develop SKU, you cannot request an increase on your quota limits. Instead you should switch to the Performance at Scale SKU.

Performance at Scale SKU

Resource | Default limit | Maximum limit
CPU-based concurrent jobs | up to 100¹ concurrent jobs | same as default limit
FPGA-based concurrent jobs | up to 10¹ concurrent jobs | same as default limit
Solver hours | 1,000 hours per month | up to 50,000 hours per month

Reach out to Azure Support to request a limit increase.
For more information, please review the Azure Quantum pricing page. Review the relevant provider pricing pages in the Azure portal for details on third-party offerings.
¹ Describes the number of jobs that can be queued at the same time.

Azure RBAC limits


The following limits apply to Azure role-based access control (Azure RBAC).

Resource | Limit
Azure role assignments per Azure subscription | 2,000 (The role assignments limit for a subscription is currently being increased. For more information, see Troubleshoot Azure RBAC.)
Azure role assignments per management group | 500
Size of description for Azure role assignments | 2 KB
Size of condition for Azure role assignments | 8 KB
Azure custom roles per tenant | 5,000
Azure custom roles per tenant (for Azure Germany and Azure China 21Vianet) | 2,000

Azure SignalR Service limits


Resource | Default limit | Maximum limit
Azure SignalR Service units per instance for Free tier | 1 | 1
Azure SignalR Service units per instance for Standard tier | 100 | 100
Azure SignalR Service units per subscription per region for Free tier | 5 | 5
Total Azure SignalR Service unit counts per subscription per region | 150 | Unlimited
Concurrent connections per unit for Free tier | 20 | 20
Concurrent connections per unit for Standard tier | 1,000 | 1,000
Included messages per unit per day for Free tier | 20,000 | 20,000
Additional messages per unit per day for Free tier | 0 | 0
Included messages per unit per day for Standard tier | 1,000,000 | 1,000,000
Additional messages per unit per day for Standard tier | Unlimited | Unlimited

To request an update to your subscription's default limits, open a support ticket.
For more information about how connections and messages are counted, see Messages and connections in
Azure SignalR Service.
If your requirements exceed the limits, switch from Free tier to Standard tier and add units. For more
information, see How to scale an Azure SignalR Service instance?.
If your requirements exceed the limits of a single instance, add instances. For more information, see How to
scale SignalR Service with multiple instances?.

Azure Virtual Desktop Service limits


The following table describes the maximum limits for Azure Virtual Desktop.

Azure Virtual Desktop object | Parent container object | Service limit
Workspace | Azure Active Directory Tenant | 1300
HostPool | Workspace | 400
Application group | HostPool | 500¹
RemoteApp | Application group | 500
Role Assignment | Any Azure Virtual Desktop Object | 200
Session Host | HostPool | 10,000

¹ If you require over 500 Application groups, raise a support ticket via the Azure portal.
All other Azure resources used in Azure Virtual Desktop, such as Virtual Machines, Storage, Networking, etc., are subject to their own resource limitations documented in the relevant sections of this article.
To get started with Azure Virtual Desktop, use the getting started guide. For deeper architectural content for Azure Virtual Desktop, use the Azure Virtual Desktop section of the Cloud Adoption Framework. For pricing information for Azure Virtual Desktop, add "Azure Virtual Desktop" within the Compute section of the Azure Pricing Calculator.

Azure VMware Solution limits


The following table describes the maximum limits for Azure VMware Solution.

Resource | Limit
Clusters per private cloud | 12
Minimum number of hosts per cluster | 3
Maximum number of hosts per cluster | 16
Hosts per private cloud | 96
vCenter per private cloud | 1
HCX site pairings | 25 (any edition)
Azure VMware Solution ExpressRoute max linked private clouds | 4 (The virtual network gateway used determines the actual maximum of linked private clouds. For more details, see About ExpressRoute virtual network gateways.)
Azure VMware Solution ExpressRoute port speed | 10 Gbps (The virtual network gateway used determines the actual bandwidth. For more details, see About ExpressRoute virtual network gateways.)
Public IPs exposed via vWAN | 100
vSAN capacity limits | 75% of total usable (keep 25% available for SLA)

For other VMware-specific limits, use the VMware configuration maximum tool.

Backup limits
For a summary of Azure Backup support settings and limitations, see Azure Backup Support Matrices.

Batch limits
Resource | Default limit | Maximum limit
Azure Batch accounts per region per subscription | 1-3 | 50
Dedicated cores per Batch account | 90-900 | Contact support
Low-priority cores per Batch account | 10-100 | Contact support
Active jobs and job schedules per Batch account (completed jobs have no limit) | 100-300 | 1,000¹
Pools per Batch account | 20-100 | 500¹

¹ To request an increase beyond this limit, contact Azure Support.

NOTE
Default limits vary depending on the type of subscription you use to create a Batch account. Cores quotas shown are for
Batch accounts in Batch service mode. View the quotas in your Batch account.

IMPORTANT
To help us better manage capacity during the global health pandemic, the default core quotas for new Batch accounts in
some regions and for some types of subscription have been reduced from the above range of values, in some cases to
zero cores. When you create a new Batch account, check your core quota and request a core quota increase, if required.
Alternatively, consider reusing Batch accounts that already have sufficient quota.

Classic deployment model limits


If you use the classic deployment model instead of the Azure Resource Manager deployment model, the following limits apply.

Resource | Default limit | Maximum limit
vCPUs per subscription¹ | 20 | 10,000
Coadministrators per subscription | 200 | 200
Storage accounts per subscription² | 100 | 100
Cloud services per subscription | 20 | 200
Local networks per subscription | 10 | 500
DNS servers per subscription | 9 | 100
Reserved IPs per subscription | 20 | 100
Affinity groups per subscription | 256 | 256
Subscription name length (characters) | 64 | 64

¹ Extra small instances count as one vCPU toward the vCPU limit despite using a partial CPU core.
² The storage account limit includes both Standard and Premium storage accounts.

Container Instances limits


Resource | Limit
Standard sku container groups per region per subscription | 100¹
Dedicated sku container groups per region per subscription | 0¹
Number of containers per container group | 60
Number of volumes per container group | 20
Standard sku cores (CPUs) per region per subscription | 10¹,²
Standard sku cores (CPUs) for K80 GPU per region per subscription | 18¹,²
Standard sku cores (CPUs) for P100 or V100 GPU per region per subscription | 0¹,²
Ports per IP | 5
Container instance log size - running instance | 4 MB
Container instance log size - stopped instance | 16 KB or 1,000 lines
Container group creates per hour | 300¹
Container group creates per 5 minutes | 100¹
Container group deletes per hour | 300¹
Container group deletes per 5 minutes | 100¹

¹ To request a limit increase, create an Azure Support request. Free subscriptions, including Azure Free Account and Azure for Students, aren't eligible for limit or quota increases. If you have a free subscription, you can upgrade to a Pay-As-You-Go subscription.
² Default limit for Pay-As-You-Go subscription. Limit may differ for other category types.

Container Registry limits


The following table details the features and limits of the Basic, Standard, and Premium service tiers.

Resource | Basic | Standard | Premium
Included storage¹ (GiB) | 10 | 100 | 500
Storage limit (TiB) | 20 | 20 | 20
Maximum image layer size (GiB) | 200 | 200 | 200
Maximum manifest size (MiB) | 4 | 4 | 4
ReadOps per minute²,³ | 1,000 | 3,000 | 10,000
WriteOps per minute²,⁴ | 100 | 500 | 2,000
Download bandwidth² (Mbps) | 30 | 60 | 100
Upload bandwidth² (Mbps) | 10 | 20 | 50
Webhooks | 2 | 10 | 500
Geo-replication | N/A | N/A | Supported
Availability zones | N/A | N/A | Preview
Content trust | N/A | N/A | Supported
Private link with private endpoints | N/A | N/A | Supported
• Private endpoints | N/A | N/A | 200
Public IP network rules | N/A | N/A | 100
Service endpoint VNet access | N/A | N/A | Preview
• Virtual network rules | N/A | N/A | 100
Customer-managed keys | N/A | N/A | Supported
Repository-scoped permissions | N/A | N/A | Preview
• Tokens | N/A | N/A | 20,000
• Scope maps | N/A | N/A | 20,000
• Repositories per scope map | N/A | N/A | 500

¹ Storage included in the daily rate for each tier. Additional storage may be used, up to the registry storage limit, at an additional daily rate per GiB. For rate information, see Azure Container Registry pricing. If you need storage beyond the registry storage limit, please contact Azure Support.
² ReadOps, WriteOps, and Bandwidth are minimum estimates. Azure Container Registry strives to improve performance as usage requires.
³ A docker pull translates to multiple read operations based on the number of layers in the image, plus the manifest retrieval.
⁴ A docker push translates to multiple write operations, based on the number of layers that must be pushed. A docker push includes ReadOps to retrieve a manifest for an existing image.
Content Delivery Network limits

Resource | Limit
Azure Content Delivery Network profiles | 25
Content Delivery Network endpoints per profile | 25
Custom domains per endpoint | 25
Maximum origin group per profile | 10
Maximum origin per origin group | 10
Maximum number of rules per CDN endpoint | 25
Maximum number of match conditions per rule | 10
Maximum number of actions per rule | 5

A Content Delivery Network subscription can contain one or more Content Delivery Network profiles. A Content
Delivery Network profile can contain one or more Content Delivery Network endpoints. You might want to use
multiple profiles to organize your Content Delivery Network endpoints by internet domain, web application, or
some other criteria.

Data Lake Analytics limits


Azure Data Lake Analytics makes the complex task of managing distributed infrastructure and complex code
easy. It dynamically provisions resources, and you can use it to do analytics on exabytes of data. When the job
completes, it winds down resources automatically. You pay only for the processing power that was used. As you
increase or decrease the size of data stored or the amount of compute used, you don't have to rewrite code. To
raise the default limits for your subscription, contact support.

Resource | Limit | Comments
Maximum number of concurrent jobs | 20 | -
Maximum number of analytics units (AUs) per account | 250 | Use any combination of up to a maximum of 250 AUs across 20 jobs. To increase this limit, contact Microsoft Support.
Maximum script size for job submission | 3 MB | -
Maximum number of Data Lake Analytics accounts per region per subscription | 5 | To increase this limit, contact Microsoft Support.


Data Lake Storage limits


Azure Data Lake Storage Gen2 is not a dedicated service or storage account type. It is the latest release of capabilities that are dedicated to big data analytics. These capabilities are available in a general-purpose v2 or BlockBlobStorage storage account, and you can obtain them by enabling the Hierarchical namespace feature of the account. For scale targets, see these articles.
Scale targets for Blob storage.
Scale targets for standard storage accounts.
Azure Data Lake Storage Gen1 is a dedicated service. It's an enterprise-wide hyper-scale repository for big data analytic workloads. You can use Data Lake Storage Gen1 to capture data of any size, type, and ingestion speed in one single place for operational and exploratory analytics. There's no limit to the amount of data you can store in a Data Lake Storage Gen1 account.

Resource | Limit | Comments
Maximum number of Data Lake Storage Gen1 accounts, per subscription, per region | 10 | To request an increase for this limit, contact support.
Maximum number of access ACLs, per file or folder | 32 | This is a hard limit. Use groups to manage access with fewer entries.
Maximum number of default ACLs, per file or folder | 32 | This is a hard limit. Use groups to manage access with fewer entries.

Data Share limits


Azure Data Share enables organizations to simply and securely share data with their customers and partners.

Resource | Limit
Maximum number of Data Share resources per Azure subscription | 100
Maximum number of sent shares per Data Share resource | 200
Maximum number of received shares per Data Share resource | 100
Maximum number of invitations per sent share | 200
Maximum number of share subscriptions per sent share | 200
Maximum number of datasets per share | 200
Maximum number of snapshot schedules per share | 1

Database Migration Service Limits


Azure Database Migration Service is a fully managed service designed to enable seamless migrations from
multiple database sources to Azure data platforms with minimal downtime.

Resource | Limit | Comments
Maximum number of services per subscription, per region | 10 | To request an increase for this limit, contact support.

Device Update for IoT Hub limits


NOTE
When a given resource or operation doesn't have adjustable limits, the default and the maximum limits are the same.
When the limit can be adjusted, the table includes different values for Default limit and Maximum limit headers. The limit
can be raised above the default limit but not above the maximum limit. If you want to raise the limit or quota above the
default limit, open an online customer support request.

This table provides the limits for the Device Update for IoT Hub resource in Azure Resource Manager:

Resource | Default limit | Maximum limit | Adjustable?
Accounts per subscription | 2 | 25 | Yes
Instances per account | 2 | 25 | Yes
Length of account name | Minimum: 3, Maximum: 24 | Minimum: 3, Maximum: 24 | No
Length of instance name | Minimum: 3, Maximum: 36 | Minimum: 3, Maximum: 36 | No

This table provides the various limits associated with the operations within Device Update for IoT Hub:

Operation | Default limit | Maximum limit | Adjustable?
Number of devices per instance | 10,000 | 10,000 | No
Number of update providers per instance | 25 | 25 | No
Number of update names per provider per instance | 25 | 25 | No
Number of update versions per update provider and name per instance | 100 | 100 | No
Total number of updates per instance | 100 | 100 | No
Maximum single update file size | 2 GB | 2 GB | No
Maximum combined size of all files in a single import action | 2 GB | 2 GB | No
Number of device groups per instance | 75 | 75 | No

Digital Twins limits


NOTE
Some areas of this service have adjustable limits, and others do not. This is represented in the tables below with the
Adjustable? column. When the limit can be adjusted, the Adjustable? value is Yes.

Functional limits
The following table lists the functional limits of Azure Digital Twins.

TIP
For modeling recommendations to operate within these functional limits, see Modeling best practices.

Area | Capability | Default limit | Adjustable?
Azure resource | Number of Azure Digital Twins instances in a region, per subscription | 10 | Yes
Digital twins | Number of twins in an Azure Digital Twins instance | 500,000 | Yes
Digital twins | Number of incoming relationships to a single twin | 5,000 | No
Digital twins | Number of outgoing relationships from a single twin | 5,000 | No
Digital twins | Maximum size (of JSON body in a PUT or PATCH request) of a single twin | 32 KB | No
Digital twins | Maximum request payload size | 32 KB | No
Digital twins | Maximum size of a string property value (UTF-8) | 4 KB | No
Digital twins | Maximum size of a property name | 1 KB | No
Routing | Number of endpoints for a single Azure Digital Twins instance | 6 | No
Routing | Number of routes for a single Azure Digital Twins instance | 6 | Yes
Models | Number of models within a single Azure Digital Twins instance | 10,000 | Yes
Models | Number of models that can be uploaded in a single API call | 250 | No
Models | Maximum size (of JSON body in a PUT or PATCH request) of a single model | 1 MB | No
Models | Number of items returned in a single page | 100 | No
Query | Number of items returned in a single page | 100 | Yes
Query | Number of AND / OR expressions in a query | 50 | Yes
Query | Number of array items in an IN / NOT IN clause | 50 | Yes
Query | Number of characters in a query | 8,000 | Yes
Query | Number of JOINS in a query | 5 | Yes

Rate limits
The following table reflects the rate limits of different APIs.

API | Capability | Default limit | Adjustable?
Models API | Number of requests per second | 100 | Yes
Digital Twins API | Number of read requests per second | 1,000 | Yes
Digital Twins API | Number of patch requests per second | 1,000 | Yes
Digital Twins API | Number of create/delete operations per second across all twins and relationships | 50 | Yes
Digital Twins API | Number of create/update/delete operations per second on a single twin or its relationships | 10 | No
Query API | Number of requests per second | 500 | Yes
Query API | Query Units per second | 4,000 | Yes
Event Routes API | Number of requests per second | 100 | Yes

Other limits
Limits on data types and fields within DTDL documents for Azure Digital Twins models can be found within its
spec documentation in GitHub: Digital Twins Definition Language (DTDL) - version 2.
Query latency details are described in Query language. Limitations of particular query language features can be
found in the query reference documentation.

Event Grid limits


The following limits apply to Azure Event Grid topics (system, custom, and partner topics).

NOTE
These limits are per region.

Resource | Limit
Custom topics per Azure subscription | 100
Event subscriptions per topic | 500
Publish rate for a custom or a partner topic (ingress) | 5,000 events/sec or 5 MB/sec (whichever is met first)
Event size | 1 MB
Number of incoming events per batch | 5,000
Private endpoint connections per topic | 64
IP Firewall rules per topic | 16

The following limits apply to Azure Event Grid domains.

Resource | Limit
Topics per event domain | 100,000
Event subscriptions per topic within a domain | 500
Domain scope event subscriptions | 50
Publish rate for an event domain (ingress) | 5,000 events/sec or 5 MB/sec (whichever is met first)
Event Domains per Azure Subscription | 100
Private endpoint connections per domain | 64
IP Firewall rules per domain | 16

Event Hubs limits


The following tables provide quotas and limits specific to Azure Event Hubs. For information about Event Hubs
pricing, see Event Hubs pricing.
Common limits for all tiers
The following limits are common across all tiers.

Limit | Notes | Value
Size of an event hub name | - | 256 characters
Size of a consumer group name | Kafka protocol doesn't require the creation of a consumer group. | Kafka: 256 characters; AMQP: 50 characters
Number of non-epoch receivers per consumer group | - | 5
Number of authorization rules per namespace | Subsequent requests for authorization rule creation are rejected. | 12
Number of calls to the GetRuntimeInformation method | - | 50 per second
Number of virtual networks (VNet) | - | 128
Number of IP Config rules | - | 128
Maximum length of a schema group name | - | 50
Maximum length of a schema name | - | 100
Size in bytes per schema | - | 1 MB
Number of properties per schema group | - | 1024
Size in bytes per schema group property key | - | 256
Size in bytes per schema group property value | - | 1024

Basic vs. standard vs. premium vs. dedicated tiers


The following table shows limits that may be different for basic, standard, premium, and dedicated tiers.

NOTE
In the table, CU is capacity unit, PU is processing unit, and TU is throughput unit.
You can configure TUs for a basic or standard tier namespace or PUs for a premium tier namespace.
When you create a dedicated cluster, 1 CU is assigned to the cluster. To have more CUs for the cluster, submit a ticket.

Limit | Basic | Standard | Premium | Dedicated
Maximum size of Event Hubs publication | 256 KB | 1 MB | 1 MB | 1 MB
Number of consumer groups per event hub | 1 | 20 | 100 | 1000 (no limit per CU)
Number of brokered connections per namespace | 100 | 5,000 | 10000 per PU (for example, if the namespace is assigned 3 PUs, the limit is 30000) | 100,000 per CU
Maximum retention period of event data | 1 day | 7 days | 90 days | 90 days
Maximum TUs or PUs or CUs | 40 TUs | 40 TUs | 16 PUs | 20 CUs
Number of partitions per event hub | 32 | 32 | 100 per event hub, but there is a limit of 200 per PU at the namespace level (for example, if a namespace is assigned 2 PUs, the limit for the total number of partitions in all event hubs in the namespace is 2 * 200 = 400) | 1024 per event hub; 2000 per CU
Number of namespaces per subscription | 1000 | 1000 | 1000 | 1000 (50 per CU)
Number of event hubs per namespace | 10 | 10 | 100 per PU | 1000
Capture | N/A | Pay per hour | Included | Included
Size of the schema registry (namespace) in megabytes | N/A | 25 | 100 | 1024
Number of schema groups in a schema registry or namespace | N/A | 1 (excluding the default group) | 100 (1 MB per schema) | 1000 (1 MB per schema)
Number of schema versions across all schema groups | N/A | 25 | 1000 | 10000
Throughput per unit | Ingress: 1 MB/s or 1000 events per second; Egress: 2 MB/s or 4096 events per second | Ingress: 1 MB/s or 1000 events per second; Egress: 2 MB/s or 4096 events per second | No limits per PU * | No limits per CU *

* Depends on various factors such as resource allocation, number of partitions, storage, and so on.

NOTE
You can publish events individually or batched. The publication limit (according to SKU) applies regardless of whether it is
a single event or a batch. Publishing events larger than the maximum threshold will be rejected.

IoT Central limits


IoT Central limits the number of applications you can deploy in a subscription to 10. If you need to increase this
limit, contact Microsoft support.

IoT Hub limits


The following table lists the limits associated with the different service tiers S1, S2, S3, and F1. For information
about the cost of each unit in each tier, see Azure IoT Hub pricing.

Resource | S1 Standard | S2 Standard | S3 Standard | F1 Free
--- | --- | --- | --- | ---
Messages/day | 400,000 | 6,000,000 | 300,000,000 | 8,000
Maximum units | 200 | 200 | 10 | 1

NOTE
If you anticipate using more than 200 units with an S1 or S2 tier hub or 10 units with an S3 tier hub, contact Microsoft
Support.

The following table lists the limits that apply to IoT Hub resources.

Resource | Limit
--- | ---
Maximum paid IoT hubs per Azure subscription | 50
Maximum free IoT hubs per Azure subscription | 1
Maximum number of characters in a device ID | 128
Maximum number of device identities returned in a single call | 1,000
IoT Hub message maximum retention for device-to-cloud messages | 7 days
Maximum size of device-to-cloud message | 256 KB
Maximum size of device-to-cloud batch | AMQP and HTTP: 256 KB for the entire batch; MQTT: 256 KB for each message
Maximum messages in device-to-cloud batch | 500
Maximum size of cloud-to-device message | 64 KB
Maximum TTL for cloud-to-device messages | 2 days
Maximum delivery count for cloud-to-device messages | 100
Maximum cloud-to-device queue depth per device | 50
Maximum delivery count for feedback messages in response to a cloud-to-device message | 100
Maximum TTL for feedback messages in response to a cloud-to-device message | 2 days
Maximum size of device twin | 8 KB for tags section, and 32 KB for desired and reported properties sections each
Maximum length of device twin string key | 1 KB
Maximum length of device twin string value | 4 KB
Maximum depth of object in device twin | 10
Maximum size of direct method payload | 128 KB
Job history maximum retention | 30 days
Maximum concurrent jobs | 10 (for S3), 5 (for S2), 1 (for S1)
Maximum additional endpoints (beyond built-in endpoints) | 10 (for S1, S2, and S3)
Maximum message routing rules | 100 (for S1, S2, and S3)
Maximum number of concurrently connected device streams | 50 (for S1, S2, S3, and F1 only)
Maximum device stream data transfer | 300 MB per day (for S1, S2, S3, and F1 only)

NOTE
If you need more than 50 paid IoT hubs in an Azure subscription, contact Microsoft Support.

NOTE
Currently, the total number of devices plus modules that can be registered to a single IoT hub is capped at 1,000,000. If
you want to increase this limit, contact Microsoft Support.

IoT Hub throttles requests when the following quotas are exceeded.

Throttle | Per-hub value
--- | ---
Identity registry operations (create, retrieve, list, update, and delete), individual or bulk import/export | 83.33/sec/unit (5,000/min/unit) (for S3). 1.67/sec/unit (100/min/unit) (for S1 and S2).
Device connections | 6,000/sec/unit (for S3), 120/sec/unit (for S2), 12/sec/unit (for S1). Minimum of 100/sec.
Device-to-cloud sends | 6,000/sec/unit (for S3), 120/sec/unit (for S2), 12/sec/unit (for S1). Minimum of 100/sec.
Cloud-to-device sends | 83.33/sec/unit (5,000/min/unit) (for S3), 1.67/sec/unit (100/min/unit) (for S1 and S2).
Cloud-to-device receives | 833.33/sec/unit (50,000/min/unit) (for S3), 16.67/sec/unit (1,000/min/unit) (for S1 and S2).
File upload operations | 83.33 file upload initiations/sec/unit (5,000/min/unit) (for S3), 1.67 file upload initiations/sec/unit (100/min/unit) (for S1 and S2). 10,000 SAS URIs can be out for an Azure Storage account at one time. 10 SAS URIs/device can be out at one time.
Direct methods | 24 MB/sec/unit (for S3), 480 KB/sec/unit (for S2), 160 KB/sec/unit (for S1). Based on 8-KB throttling meter size.
Device twin reads | 500/sec/unit (for S3), Maximum of 100/sec or 10/sec/unit (for S2), 100/sec (for S1)
Device twin updates | 250/sec/unit (for S3), Maximum of 50/sec or 5/sec/unit (for S2), 50/sec (for S1)
Jobs operations (create, update, list, and delete) | 83.33/sec/unit (5,000/min/unit) (for S3), 1.67/sec/unit (100/min/unit) (for S2), 1.67/sec/unit (100/min/unit) (for S1).
Jobs per-device operation throughput | 50/sec/unit (for S3), maximum of 10/sec or 1/sec/unit (for S2), 10/sec (for S1).
Device stream initiation rate | 5 new streams/sec (for S1, S2, S3, and F1 only).

IoT Hub Device Provisioning Service limits


NOTE
Some areas of this service have adjustable limits. This is represented in the tables below with the Adjustable? column.
When the limit can be adjusted, the Adjustable? value is Yes.
The actual value to which a limit can be adjusted may vary based on each customer’s deployment. Multiple instances of
DPS may be required for very large deployments.
If your business requires raising an adjustable limit or quota above the default limit, you can request additional resources
by opening a support ticket.

The following table lists the limits that apply to Azure IoT Hub Device Provisioning Service resources.

Resource | Limit | Adjustable?
--- | --- | ---
Maximum device provisioning services per Azure subscription | 10 | Yes
Maximum number of registrations | 1,000,000 | Yes
Maximum number of individual enrollments | 1,000,000 | Yes
Maximum number of enrollment groups (X.509 certificate) | 100 | Yes
Maximum number of enrollment groups (symmetric key) | 100 | No
Maximum number of CAs | 25 | No
Maximum number of linked IoT hubs | 50 | No
Maximum size of message | 96 KB | No

TIP
If the hard limit on symmetric key enrollment groups is a blocking issue, it is recommended to use individual enrollments
as a workaround.

The Device Provisioning Service has the following rate limits.

Rate | Per-unit value | Adjustable?
--- | --- | ---
Operations | 200/min/service | Yes
Device registrations | 200/min/service | Yes
Device polling operation | 5/10 sec/device | No

Key Vault limits


Azure Key Vault service supports two resource types: Vaults and Managed HSMs. The following two sections
describe the service limits for each of them respectively.
Resource type: vault
This section describes service limits for resource type vaults for Public cloud.

NOTE
For Azure US Government cloud and Azure China, the limits are half from what is documented below.

Key transactions (maximum transactions allowed in 10 seconds, per vault per region (1)):

Key type | HSM key: Create key | HSM key: All other transactions | Software key: Create key | Software key: All other transactions
--- | --- | --- | --- | ---
RSA 2,048-bit | 10 | 2,000 | 20 | 4,000
RSA 3,072-bit | 10 | 500 | 20 | 1,000
RSA 4,096-bit | 10 | 250 | 20 | 500
ECC P-256 | 10 | 2,000 | 20 | 4,000
ECC P-384 | 10 | 2,000 | 20 | 4,000
ECC P-521 | 10 | 2,000 | 20 | 4,000
ECC SECP256K1 | 10 | 2,000 | 20 | 4,000

NOTE
In the previous table, we see that for RSA 2,048-bit software keys, 4,000 GET transactions per 10 seconds are allowed. For
RSA 2,048-bit HSM-keys, 2,000 GET transactions per 10 seconds are allowed.
The throttling thresholds are weighted, and enforcement is on their sum. For example, as shown in the previous table,
when you perform GET operations on RSA HSM-keys, it's eight times more expensive to use 4,096-bit keys compared to
2,048-bit keys. That's because 2,000/250 = 8.
In a given 10-second interval, an Azure Key Vault client can do only one of the following operations before it encounters a
429 throttling HTTP status code:

- 4,000 RSA 2,048-bit software-key GET transactions
- 2,000 RSA 2,048-bit HSM-key GET transactions
- 250 RSA 4,096-bit HSM-key GET transactions
- 248 RSA 4,096-bit HSM-key GET transactions and 16 RSA 2,048-bit HSM-key GET transactions
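As an added illustration of the weighted-sum rule described in this note (example code written for this page, not part of the Azure documentation or any Azure SDK), the following Python models a 10-second window in which every transaction consumes 1/cap of the vault's budget, where cap is the per-key-type value from the table above; the key-type labels used as dictionary keys are this example's own shorthand. It reproduces the four combinations listed above, shows that the 4,096-bit/2,048-bit cost ratio is 8, and computes how many cheaper transactions still fit once the expensive ones have been sent, which is the arithmetic a client needs for planning back-off before it ever sees a 429.

```python
from fractions import Fraction
from typing import Dict, Iterable, Tuple

# Caps from the "Key transactions" table: maximum transactions per vault per
# region in one 10-second window, keyed by (key type, key class, operation class).
# Key class is "hsm" or "software"; operation class is "create" or "other".
# Key-type labels such as "RSA-2048" are this example's own shorthand.
_HSM_OTHER: Dict[str, int] = {
    "RSA-2048": 2000, "RSA-3072": 500, "RSA-4096": 250,
    "EC-P256": 2000, "EC-P384": 2000, "EC-P521": 2000, "EC-SECP256K1": 2000,
}
CAPS: Dict[Tuple[str, str, str], int] = {}
for _key_type, _cap in _HSM_OTHER.items():
    CAPS[(_key_type, "hsm", "other")] = _cap
    CAPS[(_key_type, "software", "other")] = _cap * 2  # software column is double the HSM column
    CAPS[(_key_type, "hsm", "create")] = 10
    CAPS[(_key_type, "software", "create")] = 20

# Footnote 1 of the table: the subscription-wide limit is five times the per-vault limit.
SUBSCRIPTION_MULTIPLIER = 5

# One workload entry: (key type, key class, operation class, transaction count).
Workload = Tuple[str, str, str, int]


def window_load(ops: Iterable[Workload]) -> Fraction:
    """Weighted load of one 10-second window as a fraction of the vault budget.

    Each transaction costs 1/cap of the window and enforcement is on the sum,
    so a load above 1 means the vault returns HTTP 429 before the window ends.
    Fractions keep the arithmetic exact (248/250 + 16/2000 is exactly 1).
    """
    return sum((Fraction(count, CAPS[(kt, kc, oc)]) for kt, kc, oc, count in ops),
               Fraction(0))


def fits_in_window(ops: Iterable[Workload], scope: str = "vault") -> bool:
    """True if the workload stays within the 10-second budget for the given scope."""
    budget = Fraction(SUBSCRIPTION_MULTIPLIER if scope == "subscription" else 1)
    return window_load(ops) <= budget


def relative_cost(key_type_a: str, key_type_b: str,
                  key_class: str = "hsm", op_class: str = "other") -> Fraction:
    """How many times more of the window one transaction on key_type_a uses than one on key_type_b."""
    return Fraction(CAPS[(key_type_b, key_class, op_class)],
                    CAPS[(key_type_a, key_class, op_class)])


def max_additional(ops: Iterable[Workload], key_type: str,
                   key_class: str = "hsm", op_class: str = "other") -> int:
    """Largest number of extra transactions of one kind that still fit in the window."""
    remaining = Fraction(1) - window_load(list(ops))
    if remaining < 0:
        return 0
    return int(remaining * CAPS[(key_type, key_class, op_class)])


if __name__ == "__main__":
    mixed = [("RSA-4096", "hsm", "other", 248), ("RSA-2048", "hsm", "other", 16)]
    print("load of mixed batch:", window_load(mixed))                         # 1
    print("4096-bit vs 2048-bit HSM GET cost:", relative_cost("RSA-4096", "RSA-2048"))  # 8
    print("2048-bit GETs that fit after 248 4096-bit GETs:",
          max_additional(mixed[:1], "RSA-2048"))                             # 16
```

The same functions answer the subscription-level question from footnote 1 by passing scope="subscription", which scales the budget by five; a client that batches work per window against this budget avoids the retry storms that 429 responses tend to produce.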

Secrets, managed storage account keys, and vault transactions:

Transactions type | Maximum transactions allowed in 10 seconds, per vault per region (1)
--- | ---
All transactions | 4,000

For information on how to handle throttling when these limits are exceeded, see Azure Key Vault throttling
guidance.
(1) A subscription-wide limit for all transaction types is five times the per-key-vault limit. For example, HSM-other
transactions per subscription are limited to 10,000 transactions in 10 seconds per subscription.
Backup keys, secrets, certificates
When you back up a key vault object, such as a secret, key, or certificate, the backup operation downloads the
object as an encrypted blob. This blob cannot be decrypted outside of Azure. To get usable data from this blob,
you must restore the blob into a key vault within the same Azure subscription and Azure geography.

Transactions type | Maximum key vault object versions allowed
--- | ---
Back up individual key, secret, certificate | 500

NOTE
Attempting to back up a key, secret, or certificate object with more versions than the above limit results in an error. It is not
possible to delete previous versions of a key, secret, or certificate.

Limits on count of keys, secrets and certificates:


Key Vault does not restrict the number of keys, secrets or certificates that can be stored in a vault. The
transaction limits on the vault should be taken into account to ensure that operations are not throttled.
Key Vault does not restrict the number of versions on a secret, key or certificate, but storing a large number of
versions (500+) can impact the performance of backup operations. See Azure Key Vault Backup.
Azure Private Link integration

NOTE
The number of key vaults with private endpoints enabled per subscription is an adjustable limit. The limit shown below is
the default limit. If you would like to request a limit increase for your service, please create a support request and it will be
assessed on a case by case basis.

Resource | Limit
--- | ---
Private endpoints per key vault or managed HSM | 64
Key vaults with private endpoints per subscription | 400

Resource type: Managed HSM
This section describes service limits for resource type managed HSM.
Object limits

Item | Limits
--- | ---
Number of HSM instances per subscription per region | 5
Number of keys per HSM instance | 5000
Number of versions per key | 100
Number of custom role definitions per HSM instance | 50
Number of role assignments at HSM scope | 50
Number of role assignments at each individual key scope | 10

Transaction limits for administrative operations (number of operations per second per HSM instance)

Operation | Number of operations per second
--- | ---
All RBAC operations (includes all CRUD operations for role definitions and role assignments) | 5
Full HSM Backup/Restore (only one concurrent backup or restore operation per HSM instance supported) | 1

Transaction limits for cryptographic operations (number of operations per second per HSM instance)
Each Managed HSM instance constitutes three load balanced HSM partitions. The throughput limits are a
function of underlying hardware capacity allocated for each partition. The tables below show maximum
throughput with at least one partition available. Actual throughput may be up to 3x higher if all three
partitions are available.
Throughput limits noted assume that one single key is being used to achieve maximum throughput. For
example, if a single RSA-2048 key is used the maximum throughput will be 1100 sign operations. If you use
1100 different keys with one transaction per second each, they will not be able to achieve the same
throughput.
RSA key operations (number of operations per second per HSM instance)

Operation | 2048-bit | 3072-bit | 4096-bit
--- | --- | --- | ---
Create Key | 1 | 1 | 1
Delete Key (soft-delete) | 10 | 10 | 10
Purge Key | 10 | 10 | 10
Backup Key | 10 | 10 | 10
Restore Key | 10 | 10 | 10
Get Key Information | 1100 | 1100 | 1100
Encrypt | 10000 | 10000 | 6000
Decrypt | 1100 | 360 | 160
Wrap | 10000 | 10000 | 6000
Unwrap | 1100 | 360 | 160
Sign | 1100 | 360 | 160
Verify | 10000 | 10000 | 6000

EC key operations (number of operations per second per HSM instance)

This table describes the number of operations per second for each curve type.

Operation | P-256 | P-256K | P-384 | P-521
--- | --- | --- | --- | ---
Create Key | 1 | 1 | 1 | 1
Delete Key (soft-delete) | 10 | 10 | 10 | 10
Purge Key | 10 | 10 | 10 | 10
Backup Key | 10 | 10 | 10 | 10
Restore Key | 10 | 10 | 10 | 10
Get Key Information | 1100 | 1100 | 1100 | 1100
Sign | 260 | 260 | 165 | 56
Verify | 130 | 130 | 82 | 28

AES key operations (number of operations per second per HSM instance)

Encrypt and Decrypt operations assume a 4 KB packet size.
Throughput limits for Encrypt/Decrypt apply to AES-CBC and AES-GCM algorithms.
Throughput limits for Wrap/Unwrap apply to the AES-KW algorithm.

Operation | 128-bit | 192-bit | 256-bit
--- | --- | --- | ---
Create Key | 1 | 1 | 1
Delete Key (soft-delete) | 10 | 10 | 10
Purge Key | 10 | 10 | 10
Backup Key | 10 | 10 | 10
Restore Key | 10 | 10 | 10
Get Key Information | 1100 | 1100 | 1100
Encrypt | 8000 | 8000 | 8000
Decrypt | 8000 | 8000 | 8000
Wrap | 9000 | 9000 | 9000
Unwrap | 9000 | 9000 | 9000

Managed identity limits


Each managed identity counts towards the object quota limit in an Azure AD tenant as described in Azure
AD service limits and restrictions.
The rate at which managed identities can be created has the following limits:
1. Per Azure AD tenant per Azure region: 400 create operations per 20 seconds.
2. Per Azure subscription per Azure region: 80 create operations per 20 seconds.
The rate at which a user-assigned managed identity can be assigned to an Azure resource has the following limits:
1. Per Azure AD tenant per Azure region: 400 assignment operations per 20 seconds.
2. Per Azure subscription per Azure region: 300 assignment operations per 20 seconds.

Media Services limits


NOTE
For resources that aren't fixed, open a support ticket to ask for an increase in the quotas. Don't create additional Azure
Media Services accounts in an attempt to obtain higher limits.

Account limits

Resource | Default limit
--- | ---
Media Services accounts in a single subscription | 100 (fixed)

Asset limits

Resource | Default limit
--- | ---
Assets per Media Services account | 1,000,000

Storage (media) limits

Resource | Default limit
--- | ---
File size | In some scenarios, there is a limit on the maximum file size supported for processing in Media Services. (1)
Storage accounts | 100 (2) (fixed)

(1) The maximum size supported for a single blob is currently up to 5 TB in Azure Blob Storage. Additional limits
apply in Media Services based on the VM sizes that are used by the service. The size limit applies to the files that
you upload and also the files that get generated as a result of Media Services processing (encoding or
analyzing). If your source file is larger than 260 GB, your Job will likely fail.
(2) The storage accounts must be from the same Azure subscription.
Jobs (encoding & analyzing) limits

Resource | Default limit
--- | ---
Jobs per Media Services account | 500,000 (3) (fixed)
Job inputs per Job | 50 (fixed)
Job outputs per Job | 20 (fixed)
Transforms per Media Services account | 100 (fixed)
Transform outputs in a Transform | 20 (fixed)
Files per job input | 10 (fixed)

(3) This number includes queued, finished, active, and canceled Jobs. It does not include deleted Jobs.
Any Job record in your account older than 90 days will be automatically deleted, even if the total number of
records is below the maximum quota.
Live streaming limits

Resource | Default limit
--- | ---
Live Events (4) per Media Services account | 5
Live Outputs per Live Event | 3 (5)
Max Live Output duration | Size of the DVR window

(4) For detailed information about Live Event limitations, see Live Event types comparison and limitations.
(5) Live Outputs start on creation and stop when deleted.

Packaging & delivery limits

Resource | Default limit
--- | ---
Streaming Endpoints (stopped or running) per Media Services account | 2
Dynamic Manifest Filters | 100
Streaming Policies | 100 (6)
Unique Streaming Locators associated with an Asset at one time | 100 (7) (fixed)

(6) When using a custom Streaming Policy, you should design a limited set of such policies for your Media Service
account, and re-use them for your StreamingLocators whenever the same encryption options and protocols are
needed. You should not be creating a new Streaming Policy for each Streaming Locator.
(7) Streaming Locators are not designed for managing per-user access control. To give different access rights to
individual users, use Digital Rights Management (DRM) solutions.
Protection limits

Resource | Default limit
--- | ---
Options per Content Key Policy | 30
Licenses per month for each of the DRM types on Media Services key delivery service per account | 1,000,000

Support ticket
For resources that are not fixed, you may ask for the quotas to be raised, by opening a support ticket. Include
detailed information in the request on the desired quota changes, use-case scenarios, and regions required.
Do not create additional Azure Media Services accounts in an attempt to obtain higher limits.
Media Services v2 (legacy)
For limits specific to Media Services v2 (legacy), see Media Services v2 (legacy)
Mobile Services limits
Tier | Free | Basic | Standard
--- | --- | --- | ---
API calls | 500,000 | 1.5 million per unit | 15 million per unit
Active devices | 500 | Unlimited | Unlimited
Scale | N/A | Up to 6 units | Unlimited units
Push notifications | Azure Notification Hubs Free tier included, up to 1 million pushes | Notification Hubs Basic tier included, up to 10 million pushes | Notification Hubs Standard tier included, up to 10 million pushes
Real-time messaging/Web Sockets | Limited | 350 per mobile service | Unlimited
Offline synchronizations | Limited | Included | Included
Scheduled jobs | Limited | Included | Included
Azure SQL Database (required); standard rates apply for additional capacity | 20 MB included | 20 MB included | 20 MB included
CPU capacity | 60 minutes per day | Unlimited | Unlimited
Outbound data transfer | 165 MB per day (daily rollover) | Included | Included

For more information on limits and pricing, see Azure Mobile Services pricing.

Multi-Factor Authentication limits


Resource | Default limit | Maximum limit
--- | --- | ---
Maximum number of trusted IP addresses or ranges per subscription | 0 | 50
Remember my devices, number of days | 14 | 60
Maximum number of app passwords | 0 | No limit
Allow X attempts during MFA call | 1 | 99
Two-way text message timeout seconds | 60 | 600
Default one-time bypass seconds | 300 | 1,800
Lock user account after X consecutive MFA denials | Not set | 99
Reset account lockout counter after X minutes | Not set | 9,999
Unlock account after X minutes | Not set | 9,999

Networking limits
Networking limits - Azure Resource Manager
The following limits apply only for networking resources managed through Azure Resource Manager per
region per subscription. Learn how to view your current resource usage against your subscription limits.

NOTE
We recently increased all default limits to their maximum limits. If there's no maximum limit column, the resource doesn't
have adjustable limits. If you had these limits increased by support in the past and don't see updated limits in the
following tables, open an online customer support request at no charge.

Resource | Limit
--- | ---
Virtual networks | 1,000
Subnets per virtual network | 3,000
Virtual network peerings per virtual network | 500
Virtual network gateways (VPN gateways) per virtual network | 1
Virtual network gateways (ExpressRoute gateways) per virtual network | 1
DNS servers per virtual network | 20
Private IP addresses per virtual network | 65,536
Private IP addresses per network interface | 256
Private IP addresses per virtual machine | 256
Public IP addresses per network interface | 256
Public IP addresses per virtual machine | 256
Concurrent TCP or UDP flows per NIC of a virtual machine or role instance | 500,000
Network interface cards | 65,536
Network Security Groups | 5,000
NSG rules per NSG | 1,000
IP addresses and ranges specified for source or destination in a security group | 4,000
Application security groups | 3,000
Application security groups per IP configuration, per NIC | 20
IP configurations per application security group | 4,000
Application security groups that can be specified within all security rules of a network security group | 100
User-defined route tables | 200
User-defined routes per route table | 400
Point-to-site root certificates per Azure VPN Gateway | 20
Point-to-site revoked client certificates per Azure VPN Gateway | 300
Virtual network TAPs | 100
Network interface TAP configurations per virtual network TAP | 100

Public IP address limits

Resource | Default limit | Maximum limit
--- | --- | ---
Public IP addresses (1,2) | 10 for Basic. | Contact support.
Static Public IP addresses (1) | 10 for Basic. | Contact support.
Standard Public IP addresses (1) | 10 | Contact support.
Public IP addresses per Resource Group | 800 | Contact support.
Public IP Prefixes | limited by number of Standard Public IPs in a subscription | Contact support.
Public IP prefix length | /28 | Contact support.

(1) Default limits for Public IP addresses vary by offer category type, such as Free Trial, Pay-As-You-Go, CSP. For
example, the default for Enterprise Agreement subscriptions is 1000.
(2) The Public IP addresses limit refers to the total amount of Public IP addresses, including Basic and Standard.

Load balancer limits


The following limits apply only for networking resources managed through Azure Resource Manager per region
per subscription. Learn how to view your current resource usage against your subscription limits.
Standard Load Balancer

Resource | Limit
--- | ---
Load balancers | 1,000
Rules (Load Balancer + Inbound NAT) per resource | 1,500
Rules per NIC (across all IPs on a NIC) | 300
Frontend IP configurations | 600
Backend pool size | 1,000 IP configurations, single virtual network
Backend resources per Load Balancer (1) | 1,200
High-availability ports rule | 1 per internal frontend
Outbound rules per Load Balancer | 600
Load Balancers per VM | 2 (1 Public and 1 internal)

(1) The limit is up to 1,200 resources, in any combination of standalone virtual machine resources, availability set
resources, and virtual machine scale-set placement groups.
Basic Load Balancer

Resource | Limit
--- | ---
Load balancers | 1,000
Rules per resource | 250
Rules per NIC (across all IPs on a NIC) | 300
Frontend IP configurations (2) | 200
Backend pool size | 300 IP configurations, single availability set
Availability sets per Load Balancer | 1
Load Balancers per VM | 2 (1 Public and 1 internal)

(2) The limit for a single discrete resource in a backend pool (standalone virtual machine, availability set, or virtual
machine scale-set placement group) is to have up to 250 Frontend IP configurations across a single Basic Public
Load Balancer and Basic Internal Load Balancer.
The following limits apply only for networking resources managed through the classic deployment model per
subscription. Learn how to view your current resource usage against your subscription limits.
Resource | Default limit | Maximum limit
--- | --- | ---
Virtual networks | 100 | 100
Local network sites | 20 | 50
DNS servers per virtual network | 20 | 20
Private IP addresses per virtual network | 4,096 | 4,096
Concurrent TCP or UDP flows per NIC of a virtual machine or role instance | 500,000, up to 1,000,000 for two or more NICs. | 500,000, up to 1,000,000 for two or more NICs.
Network Security Groups (NSGs) | 200 | 200
NSG rules per NSG | 200 | 1,000
User-defined route tables | 200 | 200
User-defined routes per route table | 400 | 400
Public IP addresses (dynamic) | 500 | 500
Reserved public IP addresses | 500 | 500
Public IP per deployment | 5 | Contact support
Private IP (internal load balancing) per deployment | 1 | 1
Endpoint access control lists (ACLs) | 50 | 50

ExpressRoute limits
Resource | Limit
--- | ---
ExpressRoute circuits per subscription | 50
ExpressRoute circuits per region per subscription, with Azure Resource Manager | 10
Maximum number of IPv4 routes advertised to Azure private peering with ExpressRoute Standard | 4,000
Maximum number of IPv4 routes advertised to Azure private peering with ExpressRoute Premium add-on | 10,000
Maximum number of IPv6 routes advertised to Azure private peering with ExpressRoute Standard | 100
Maximum number of IPv6 routes advertised to Azure private peering with ExpressRoute Premium add-on | 100
Maximum number of IPv4 routes advertised from Azure private peering from the VNet address space for an ExpressRoute connection | 1,000
Maximum number of IPv6 routes advertised from Azure private peering from the VNet address space for an ExpressRoute connection | 1,000
Maximum number of IPv4 routes advertised to Microsoft peering with ExpressRoute Standard | 200
Maximum number of IPv4 routes advertised to Microsoft peering with ExpressRoute Premium add-on | 200
Maximum number of IPv6 routes advertised to Microsoft peering with ExpressRoute Standard | 200
Maximum number of IPv6 routes advertised to Microsoft peering with ExpressRoute Premium add-on | 200
Maximum number of ExpressRoute circuits linked to the same virtual network in the same peering location | 4
Maximum number of ExpressRoute circuits linked to the same virtual network in different peering locations | 16 (For more information, see Gateway SKU.)
Number of virtual network links allowed per ExpressRoute circuit | See the Number of virtual networks per ExpressRoute circuit table.

Number of virtual networks per ExpressRoute circuit

Circuit size | Number of virtual network links for Standard | Number of virtual network links with Premium add-on
--- | --- | ---
50 Mbps | 10 | 20
100 Mbps | 10 | 25
200 Mbps | 10 | 25
500 Mbps | 10 | 40
1 Gbps | 10 | 50
2 Gbps | 10 | 60
5 Gbps | 10 | 75
10 Gbps | 10 | 100
40 Gbps* | 10 | 100
100 Gbps* | 10 | 100

* 100 Gbps ExpressRoute Direct only

NOTE
Global Reach connections count against the limit of virtual network connections per ExpressRoute Circuit. For example, a
10 Gbps Premium Circuit would allow for 5 Global Reach connections and 95 connections to the ExpressRoute Gateways
or 95 Global Reach connections and 5 connections to the ExpressRoute Gateways or any other combination up to the
limit of 100 connections for the circuit.

Virtual Network Gateway limits


Resource | Limit
--- | ---
VNet Address Prefixes | 600 per VPN gateway
Aggregate BGP routes | 4,000 per VPN gateway
Local Network Gateway address prefixes | 1000 per local network gateway
S2S connections | Depends on the gateway SKU
P2S connections | Depends on the gateway SKU
P2S route limit - IKEv2 | 256 for non-Windows / 25 for Windows
P2S route limit - OpenVPN | 1000
Max. flows | 100K for VpnGw1/AZ / 512K for VpnGw2-4/AZ

NAT Gateway limits


Resource | Limit
--- | ---
Public IP addresses | 16 per NAT gateway

Virtual WAN limits


Resource | Limit
--- | ---
VPN (branch) connections per hub | 1,000
Aggregate throughput per Virtual WAN Site-to-site VPN gateway | 20 Gbps
Throughput per Virtual WAN VPN connection (2 tunnels) | 2 Gbps with 1 Gbps/IPsec tunnel
Point-to-Site users per hub | 100,000
Aggregate throughput per Virtual WAN User VPN (Point-to-site) gateway | 200 Gbps
Aggregate throughput per Virtual WAN ExpressRoute gateway | 20 Gbps
ExpressRoute Circuit connections per hub | 8
VNet connections per hub | 500 minus total number of hubs in Virtual WAN
Aggregate throughput per Virtual WAN Hub Router | 50 Gbps for VNet to VNet transit
VM workload across all VNets connected to a single Virtual WAN hub | 2000 (If you want to raise the limit or quota above the default limit, open an online customer support request.)

Application Gateway limits


The following table applies to v1, v2, Standard, and WAF SKUs unless otherwise stated.

Resource | Limit | Note
--- | --- | ---
Azure Application Gateway | 1,000 per subscription |
Front-end IP configurations | 2 | 1 public and 1 private
Front-end ports | 100 (1) |
Back-end address pools | 100 (1) |
Back-end servers per pool | 1,200 |
HTTP listeners | 200 (1) | Limited to 100 active listeners that are routing traffic. Active listeners = total number of listeners - listeners not active. If a default configuration inside a routing rule is set to route traffic (for example, it has a listener, a backend pool, and HTTP settings) then that also counts as a listener. See Frequently asked questions about Application Gateway for additional details.
HTTP load-balancing rules | 400 (1) |
Back-end HTTP settings | 100 (1) |
Instances per gateway | V1 SKU - 32; V2 SKU - 125 |
SSL certificates | 100 (1) | 1 per HTTP listener
Maximum SSL certificate size | V1 SKU - 10 KB; V2 SKU - 16 KB |
Authentication certificates | 100 |
Trusted root certificates | 100 |
Request timeout minimum | 1 second |
Request timeout maximum to private backend | 24 hours |
Request timeout maximum to external backend | 4 minutes |
Number of sites | 100 (1) | 1 per HTTP listener
URL maps per listener | 1 |
Maximum path-based rules per URL map | 100 |
Redirect configurations | 100 (1) |
Number of rewrite rule sets | 400 |
Number of Header or URL configurations per rewrite rule set | 40 |
Number of conditions per rewrite rule set | 40 |
Concurrent WebSocket connections | Medium gateways 20k (2); Large gateways 50k (2) |
Maximum URL length | 32 KB |
Maximum header size | 32 KB |
Maximum header field size for HTTP/2 | 8 KB |
Maximum header size for HTTP/2 | 16 KB |
Maximum file upload size (Standard SKU) | V2 - 4 GB; V1 - 2 GB |
Maximum file upload size (WAF SKU) | V1 Medium - 100 MB; V1 Large - 500 MB; V2 - 750 MB; V2 (with CRS 3.2 or newer) - 4 GB (3) |
WAF body size limit (without files) | V1 or V2 (with CRS 3.1 and older) - 128 KB; V2 (with CRS 3.2 or newer) - 2 MB (3) |
Maximum WAF custom rules | 100 |
Maximum WAF exclusions per Application Gateway | 40 |

(1) In case of WAF-enabled SKUs, you must limit the number of resources to 40.
(2) Limit is per Application Gateway instance, not per Application Gateway resource.
(3) Must define the value via WAF Policy for Application Gateway.
Network Watcher limits
Resource | Limit | Note
--- | --- | ---
Azure Network Watcher | 1 per region | Network Watcher is created to enable access to the service. Only one instance of Network Watcher is required per subscription per region.
Packet capture sessions | 10,000 per region | Number of sessions only, not saved captures.

Private Link limits


The following limits apply to Azure private link:

Resource | Limit
--- | ---
Number of private endpoints per virtual network | 1000
Number of private endpoints per subscription | 64000
Number of private link services per subscription | 800
Number of IP Configurations on a private link service | 8 (This number is for the NAT IP addresses used per PLS)
Number of private endpoints on the same private link service | 1000
Number of subscriptions allowed in visibility setting on private link service | 100
Number of subscriptions allowed in auto-approval setting on private link service | 100
Number of private endpoints per key vault | 64
Number of key vaults with private endpoints per subscription | 400
Number of private DNS zone groups that can be linked to a private endpoint | 1
Number of DNS zones in each group | 5

Traffic Manager limits

| Resource | Limit |
| --- | --- |
| Profiles per subscription | 200 |
| Endpoints per profile | 200 |

Azure Bastion limits

| Workload type* | Limit** |
| --- | --- |
| Light | 100 |
| Medium | 50 |
| Heavy | 5 |

*These workload types are defined here: Remote Desktop workloads

**These limits are based on RDP performance tests for Azure Bastion. The numbers may vary due to other ongoing RDP sessions or other ongoing SSH sessions.
Azure DNS limits

Public DNS zones

| Resource | Limit |
| --- | --- |
| Public DNS Zones per subscription | 250 ¹ |
| Record sets per public DNS zone | 10,000 ¹ |
| Records per record set in public DNS zone | 20 |
| Number of Alias records for a single Azure resource | 20 |

¹ If you need to increase these limits, contact Azure Support.

Private DNS zones

| Resource | Limit |
| --- | --- |
| Private DNS zones per subscription | 1000 |
| Record sets per private DNS zone | 25000 |
| Records per record set for private DNS zones | 20 |
| Virtual Network Links per private DNS zone | 1000 |
| Virtual Networks Links per private DNS zones with auto-registration enabled | 100 |
| Number of private DNS zones a virtual network can get linked to with auto-registration enabled | 1 |
| Number of private DNS zones a virtual network can get linked | 1000 |
| Number of DNS queries a virtual machine can send to Azure DNS resolver, per second | 1000 ¹ |
| Maximum number of DNS queries queued (pending response) per virtual machine | 200 ¹ |

¹ These limits are applied to every individual virtual machine and not at the virtual network level. DNS queries exceeding these limits are dropped.
Azure Firewall limits

| Resource | Limit |
| --- | --- |
| Data throughput | 30 Gbps |
| Rule limits | 10,000 unique source/destinations in network and application rules |
| Total size of rules within a single Rule Collection Group | 2 Mb |
| Number of Rule Collection Groups in a Firewall Policy | 50 |
| Maximum DNAT rules | 298 (for firewalls configured with a single Public IP address). The DNAT limitation is due to the underlying platform. The maximum number of DNAT rules is 298. However, any additional public IP addresses reduce the number of the available DNAT rules. For example, two public IP addresses allow for 297 DNAT rules. If a rule's protocol is configured for both TCP and UDP, it counts as two rules. |
| Minimum AzureFirewallSubnet size | /26 |
| Port range in network and application rules | 1 - 65535 |
| Public IP addresses | 250 maximum. All public IP addresses can be used in DNAT rules and they all contribute to available SNAT ports. |
| IP addresses in IP Groups | Maximum of 100 IP Groups per firewall. Maximum 5000 individual IP addresses or IP prefixes per each IP Group. |
| Route table | By default, AzureFirewallSubnet has a 0.0.0.0/0 route with the NextHopType value set to Internet. Azure Firewall must have direct Internet connectivity. If your AzureFirewallSubnet learns a default route to your on-premises network via BGP, you must override that with a 0.0.0.0/0 UDR with the NextHopType value set as Internet to maintain direct Internet connectivity. By default, Azure Firewall doesn't support forced tunneling to an on-premises network. However, if your configuration requires forced tunneling to an on-premises network, Microsoft will support it on a case by case basis. Contact Support so that we can review your case. If accepted, we'll allow your subscription and ensure the required firewall Internet connectivity is maintained. |
| FQDNs in network rules | For good performance, do not exceed more than 1000 FQDNs across all network rules per firewall. |
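The DNAT row above gives two counting rules that are easy to get wrong when planning a firewall: every public IP beyond the first removes one of the 298 slots, and a rule for both TCP and UDP consumes two. The following capacity check is an added example, not code from the Azure documentation; the `DnatRule` shape and the rule set built by `sample_rules()` are constructed for illustration and are not an exported firewall policy.

```python
"""Capacity check for Azure Firewall DNAT rules.

Added example, not code from the Azure documentation. It applies the two
counting rules stated in the limits table:
  * a firewall with one public IP may hold 298 DNAT rules, and every
    additional public IP removes one slot (two public IPs -> 297);
  * a rule configured for both TCP and UDP counts as two rules.
The rule set built in sample_rules() is constructed data, not an exported
firewall policy.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

BASE_DNAT_LIMIT = 298   # DNAT rules allowed with a single public IP address


@dataclass
class DnatRule:
    name: str
    protocols: List[str]   # constructed shape, e.g. ["TCP"] or ["TCP", "UDP"]


def dnat_capacity(public_ip_count: int) -> int:
    """Slots available: 298 for one public IP, one fewer for each extra IP."""
    if public_ip_count < 1:
        raise ValueError("a firewall needs at least one public IP address")
    return BASE_DNAT_LIMIT - (public_ip_count - 1)


def rule_weight(rule: DnatRule) -> int:
    """A rule for both TCP and UDP consumes two slots; a single protocol, one.

    Only TCP and UDP are counted here; any other protocol string is rejected
    so that a typo in the plan cannot be silently under-counted.
    """
    protos = {p.upper() for p in rule.protocols}
    if not protos:
        raise ValueError(f"{rule.name}: no protocol configured")
    unknown = protos - {"TCP", "UDP"}
    if unknown:
        raise ValueError(f"{rule.name}: unsupported protocol(s) {sorted(unknown)}")
    return 2 if protos == {"TCP", "UDP"} else 1


def dnat_slots_used(rules: Iterable[DnatRule]) -> int:
    """Total slots consumed by a rule set under the TCP+UDP double-count rule."""
    return sum(rule_weight(r) for r in rules)


def check_dnat_plan(rules: Iterable[DnatRule], public_ip_count: int) -> Dict[str, object]:
    """Compare planned consumption with the limit for the given public IP count."""
    used = dnat_slots_used(rules)
    capacity = dnat_capacity(public_ip_count)
    return {
        "used": used,
        "capacity": capacity,
        "remaining": capacity - used,
        "fits": used <= capacity,
    }


def sample_rules() -> List[DnatRule]:
    """Constructed plan: 150 TCP-only rules and 70 TCP+UDP rules (290 slots)."""
    tcp_only = [DnatRule(f"tcp-{i}", ["TCP"]) for i in range(150)]
    both = [DnatRule(f"both-{i}", ["TCP", "UDP"]) for i in range(70)]
    return tcp_only + both


if __name__ == "__main__":
    # The same 290-slot plan fits behind one public IP (298 slots) but not
    # behind ten (289 slots): extra front-end IPs eat into DNAT capacity.
    for ips in (1, 10):
        print(ips, "public IP(s):", check_dnat_plan(sample_rules(), ips))
```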

Azure Front Door Service limits

| Resource | Limit |
| --- | --- |
| Azure Front Door resources per subscription | 100 |
| Front-end hosts, which includes custom domains per resource | 500 |
| Routing rules per resource | 500 |
| Back-end pools per resource | 50 |
| Back ends per back-end pool | 100 |
| Path patterns to match for a routing rule | 25 |
| URLs in a single cache purge call | 100 |
| Custom web application firewall rules per policy | 100 |
| Web application firewall policy per subscription | 100 |
| Web application firewall match conditions per custom rule | 10 |
| Web application firewall IP address ranges per custom rule | 600 |
| Web application firewall string match values per match condition | 10 |
| Web application firewall string match value length | 256 |
| Web application firewall POST body parameter name length | 256 |
| Web application firewall HTTP header name length | 256 |
| Web application firewall cookie name length | 256 |
| Web application firewall exclusion limit | 100 |
| Web application firewall HTTP request body size inspected | 128 KB |
| Web application firewall custom response body length | 2 KB |

Azure Front Door Standard/Premium (Preview) Service Limits

*** Maximum 500 total Standard and Premium profiles per subscription.

| Resource | Standard SKU limit | Premium SKU limit |
| --- | --- | --- |
| Maximum endpoint per profile | 10 | 25 |
| Maximum custom domain per profile | 100 | 200 |
| Maximum origin group per profile | 100 | 200 |
| Maximum secrets per profile | 100 | 200 |
| Maximum security policy per profile | 100 | 200 |
| Maximum rule set per profile | 100 | 200 |
| Maximum rules per rule set | 100 | 100 |
| Maximum origin per origin group | 50 | 50 |
| Maximum routes per endpoint | 100 | 200 |
| URLs in a single cache purge call | 100 | 100 |
| Custom web application firewall rules per policy | 100 | 100 |
| Web application firewall match conditions per custom rule | 10 | 10 |
| Web application firewall IP address ranges per custom rule | 600 | 600 |
| Web application firewall string match values per match condition | 10 | 10 |
| Web application firewall string match value length | 256 | 256 |
| Web application firewall POST body parameter name length | 256 | 256 |
| Web application firewall HTTP header name length | 256 | 256 |
| Web application firewall cookie name length | 256 | 256 |
| Web application firewall HTTP request body size inspected | 128 KB | 128 KB |
| Web application firewall custom response body length | 2 KB | 2 KB |

Timeout values

Client to Front Door

Front Door has an idle TCP connection timeout of 61 seconds.

Front Door to application back-end

- If the response is a chunked response, a 200 is returned if or when the first chunk is received.
- After the HTTP request is forwarded to the back end, Front Door waits for 30 seconds for the first packet from the back end. Then it returns a 503 error to the client. This value is configurable via the field sendRecvTimeoutSeconds in the API.
- If a request is cached and it takes more than 30 seconds for the first packet from Front Door or from the backend, then a 504 error is returned to the client.
- After the first packet is received from the back end, Front Door waits for 30 seconds in an idle timeout. Then it returns a 503 error to the client. This timeout value is not configurable.
- Front Door to the back-end TCP session timeout is 90 seconds.

Upload and download data limit

| | With chunked transfer encoding (CTE) | Without HTTP chunking |
| --- | --- | --- |
| Download | There's no limit on the download size. | There's no limit on the download size. |
| Upload | There's no limit as long as each CTE upload is less than 2 GB. | The size can't be larger than 2 GB. |

Other limits

- Maximum URL size - 8,192 bytes - Specifies the maximum length of the raw URL (scheme + hostname + port + path + query string of the URL).
- Maximum Query String size - 4,096 bytes - Specifies the maximum length of the query string, in bytes.
- Maximum HTTP response header size from health probe URL - 4,096 bytes - Specifies the maximum length of all the response headers of health probes.
- Maximum rules engine action header value character: 640 characters.
- Maximum rules engine condition header value character: 256 characters.
- Maximum ETag header size: 128 bytes

For more information about limits that apply to Rules Engine configurations, see Rules Engine terminology.

Notification Hubs limits

| Tier | Free | Basic | Standard |
| --- | --- | --- | --- |
| Included pushes | 1 million | 10 million | 10 million |
| Active devices | 500 | 200,000 | 10 million |
| Tag quota per installation or registration | 60 | 60 | 60 |

For more information on limits and pricing, see Notification Hubs pricing.

Azure Purview limits


The latest values for Azure Purview quotas can be found in the Azure Purview quota page.

Service Bus limits

The following table lists quota information specific to Azure Service Bus messaging. For information about pricing and other quotas for Service Bus, see Service Bus pricing.

| Quota name | Scope | Value | Notes |
| --- | --- | --- | --- |
| Maximum number of namespaces per Azure subscription | Namespace | 1000 (default and maximum) | Subsequent requests for additional namespaces are rejected. |
| Queue or topic size | Entity | 1, 2, 3, 4 GB or 5 GB. In the Premium SKU, and the Standard SKU with partitioning enabled, the maximum queue or topic size is 80 GB. Total size limit for a premium namespace is 1 TB per messaging unit. Total size of all entities in a namespace can't exceed this limit. | Defined upon creation/updation of the queue or topic. Subsequent incoming messages are rejected, and an exception is received by the calling code. |
| Number of concurrent connections on a namespace | Namespace | Net Messaging: 1,000. AMQP: 5,000. | Subsequent requests for additional connections are rejected, and an exception is received by the calling code. REST operations don't count toward concurrent TCP connections. |
| Number of concurrent receive requests on a queue, topic, or subscription entity | Entity | 5,000 | Subsequent receive requests are rejected, and an exception is received by the calling code. This quota applies to the combined number of concurrent receive operations across all subscriptions on a topic. |
| Number of topics or queues per namespace | Namespace | 10,000 for the Basic or Standard tier. The total number of topics and queues in a namespace must be less than or equal to 10,000. For the Premium tier, 1,000 per messaging unit (MU). | Subsequent requests for creation of a new topic or queue on the namespace are rejected. As a result, if configured through the Azure portal, an error message is generated. If called from the management API, an exception is received by the calling code. |
| Number of partitioned topics or queues per namespace | Namespace | Basic and Standard tiers: 100. Partitioned entities aren't supported in the Premium tier. Each partitioned queue or topic counts toward the quota of 1,000 entities per namespace. | Subsequent requests for creation of a new partitioned topic or queue in the namespace are rejected. As a result, if configured through the Azure portal, an error message is generated. If called from the management API, the exception QuotaExceededException is received by the calling code. If you want to have more partitioned entities in a basic or a standard tier namespace, create additional namespaces. |
| Maximum size of any messaging entity path: queue or topic | Entity | - | 260 characters. |
| Maximum size of any messaging entity name: namespace, subscription, or subscription rule | Entity | - | 50 characters. |
| Maximum size of a message ID | Entity | - | 128 |
| Maximum size of a message session ID | Entity | - | 128 |
| Message size for a queue, topic, or subscription entity | Entity | Incoming messages that exceed these quotas are rejected, and an exception is received by the calling code. | 256 KB for Standard tier; 100 MB for Premium tier. The message size includes the size of properties (system and user) and the size of payload. The size of system properties varies depending on your scenario. |
| Message property size for a queue, topic, or subscription entity | Entity | The exception SerializationException is generated. | Maximum message property size for each property is 32 KB. Cumulative size of all properties can't exceed 64 KB. This limit applies to the entire header of the brokered message, which has both user properties and system properties, such as sequence number, label, and message ID. Maximum number of header properties in property bag: byte/int.MaxValue. |
| Number of subscriptions per topic | Entity | Subsequent requests for creating additional subscriptions for the topic are rejected. As a result, if configured through the portal, an error message is shown. If called from the management API, an exception is received by the calling code. | 2,000 per-topic for the Standard tier and Premium tier. |
| Number of SQL filters per topic | Entity | Subsequent requests for creation of additional filters on the topic are rejected, and an exception is received by the calling code. | 2,000 |
| Number of correlation filters per topic | Entity | Subsequent requests for creation of additional filters on the topic are rejected, and an exception is received by the calling code. | 100,000 |
| Size of SQL filters or actions | Namespace | Subsequent requests for creation of additional filters are rejected, and an exception is received by the calling code. | Maximum length of filter condition string: 1,024 (1 K). Maximum length of rule action string: 1,024 (1 K). Maximum number of expressions per rule action: 32. |
| Number of shared access authorization rules per namespace, queue, or topic | Entity, namespace | Subsequent requests for creation of additional rules are rejected, and an exception is received by the calling code. | Maximum number of rules per entity type: 12. Rules that are configured on a Service Bus namespace apply to all types: queues, topics. |
| Number of messages per transaction | Transaction | Additional incoming messages are rejected, and an exception stating "Can't send more than 100 messages in a single transaction" is received by the calling code. | 100. For both Send() and SendAsync() operations. |
| Number of virtual network and IP filter rules | Namespace | 128 | |

Site Recovery limits

The following limits apply to Azure Site Recovery.

| Limit identifier | Limit |
| --- | --- |
| Number of vaults per subscription | 500 |
| Number of servers per Recovery Services vault | 250 |
| Number of protection groups per Recovery Services vault | No limit |
| Number of recovery plans per Recovery Services vault | No limit |
| Number of servers per protection group | No limit |
| Number of servers per recovery plan | 100 |

SQL Database limits


For SQL Database limits, see SQL Database resource limits for single databases, SQL Database resource limits
for elastic pools and pooled databases, and SQL Database resource limits for SQL Managed Instance.
The maximum number of private endpoints per Azure SQL Database logical server is 250.

Azure Synapse Analytics limits

Azure Synapse Analytics has the following default limits to ensure customers' subscriptions are protected from each other's workloads. To raise the limits to the maximum for your subscription, contact support.

Synapse Workspace Limits

| Resource | Default limit | Maximum limit |
| --- | --- | --- |
| Synapse workspaces in an Azure subscription | 20 | 20 |

Synapse Pipeline Limits

| Resource | Default limit | Maximum limit |
| --- | --- | --- |
| Synapse pipelines in a Synapse workspace | 800 | 800 |
| Total number of entities, such as pipelines, data sets, triggers, linked services, Private Endpoints, and integration runtimes, within a workspace | 5,000 | Contact support. |
| Total CPU cores for Azure-SSIS Integration Runtimes under one workspace | 256 | Contact support. |
| Concurrent pipeline runs per workspace that's shared among all pipelines in the workspace | 10,000 | 10,000 |
| Concurrent External activity runs per workspace per Azure Integration Runtime region. External activities are managed on integration runtime but execute on linked services, including Databricks, stored procedure, HDInsight, Web, and others. This limit does not apply to Self-hosted IR. | 3,000 | 3,000 |
| Concurrent Pipeline activity runs per workspace per Azure Integration Runtime region. Pipeline activities execute on integration runtime, including Lookup, GetMetadata, and Delete. This limit does not apply to Self-hosted IR. | 1,000 | 1,000 |
| Concurrent authoring operations per workspace per Azure Integration Runtime region. Including test connection, browse folder list and table list, preview data. This limit does not apply to Self-hosted IR. | 200 | 200 |
| Concurrent Data Integration Units ¹ consumption per workspace per Azure Integration Runtime region | Region group 1 ²: 6,000; Region group 2 ²: 3,000; Region group 3 ²: 1,500; Managed virtual network ²: 2,400 | Region group 1 ²: 6,000; Region group 2 ²: 3,000; Region group 3 ²: 1,500; Managed virtual network: Contact support. |
| Maximum activities per pipeline, which includes inner activities for containers | 40 | 40 |
| Maximum number of linked integration runtimes that can be created against a single self-hosted integration runtime | 100 | Contact support. |
| Maximum parameters per pipeline | 50 | 50 |
| ForEach items | 100,000 | 100,000 |
| ForEach parallelism | 20 | 50 |
| Maximum queued runs per pipeline | 100 | 100 |
| Characters per expression | 8,192 | 8,192 |
| Minimum tumbling window trigger interval | 5 min | 15 min |
| Maximum timeout for pipeline activity runs | 7 days | 7 days |
| Bytes per object for pipeline objects ³ | 200 KB | 200 KB |
| Bytes per object for dataset and linked service objects ³ | 100 KB | 2,000 KB |
| Bytes per payload for each activity run ⁴ | 896 KB | 896 KB |
| Data Integration Units ¹ per copy activity run | 256 | 256 |
| Write API calls. This limit is imposed by Azure Resource Manager, not Azure Synapse Analytics. | 1,200/h | 1,200/h |
| Read API calls. This limit is imposed by Azure Resource Manager, not Azure Synapse Analytics. | 12,500/h | 12,500/h |
| Monitoring queries per minute | 1,000 | 1,000 |
| Maximum time of data flow debug session | 8 hrs | 8 hrs |
| Concurrent number of data flows per integration runtime | 50 | Contact support. |
| Concurrent number of data flows per integration runtime in managed vNet | 20 | Contact support. |
| Concurrent number of data flow debug sessions per user per workspace | 3 | 3 |
| Data Flow Azure IR TTL limit | 4 hrs | 4 hrs |
| Meta Data Entity Size limit in a workspace | 2 GB | Contact support. |

¹ The data integration unit (DIU) is used in a cloud-to-cloud copy operation; learn more from Data integration units (version 2). For information on billing, see Azure Synapse Analytics Pricing.

² Azure Integration Runtime is globally available to ensure data compliance, efficiency, and reduced network egress costs.

| Region group | Regions |
| --- | --- |
| Region group 1 | Central US, East US, East US 2, North Europe, West Europe, West US, West US 2 |
| Region group 2 | Australia East, Australia Southeast, Brazil South, Central India, Japan East, North Central US, South Central US, Southeast Asia, West Central US |
| Region group 3 | Other regions |

If managed virtual network is enabled, the data integration unit (DIU) in all region groups is 2,400.

³ Pipeline, data set, and linked service objects represent a logical grouping of your workload. Limits for these objects don't relate to the amount of data you can move and process with Azure Synapse Analytics. Synapse Analytics is designed to scale to handle petabytes of data.

⁴ The payload for each activity run includes the activity configuration, the associated dataset(s) and linked service(s) configurations if any, and a small portion of system properties generated per activity type. The limit for this payload size doesn't relate to the amount of data you can move and process with Azure Synapse Analytics. Learn about the symptoms and recommendation if you hit this limit.
Dedicated SQL pool limits
For details of capacity limits for dedicated SQL pools in Azure Synapse Analytics, see dedicated SQL pool
resource limits.
Web service call limits
Azure Resource Manager has limits for API calls. You can make API calls at a rate within the Azure Resource
Manager API limits.

Azure Files and Azure File Sync


To learn more about the limits for Azure Files and File Sync, see Azure Files scalability and performance targets.

Storage limits

The following table describes default limits for Azure general-purpose v2 (GPv2), general-purpose v1 (GPv1), and Blob storage accounts. The ingress limit refers to all data that is sent to a storage account. The egress limit refers to all data that is received from a storage account.

Microsoft recommends that you use a GPv2 storage account for most scenarios. You can easily upgrade a GPv1 or a Blob storage account to a GPv2 account with no downtime and without the need to copy data. For more information, see Upgrade to a GPv2 storage account.

NOTE
You can request higher capacity and ingress limits. To request an increase, contact Azure Support.

| Resource | Limit |
| --- | --- |
| Number of storage accounts per region per subscription, including standard, and premium storage accounts. | 250 |
| Default maximum storage account capacity | 5 PiB ¹ |
| Maximum number of blob containers, blobs, file shares, tables, queues, entities, or messages per storage account. | No limit |
| Default maximum request rate per storage account | 20,000 requests per second ¹ |
| Default maximum ingress per general-purpose v2 and Blob storage account in the following regions (LRS/GRS): Australia East, Central US, East Asia, East US 2, Japan East, Korea Central, North Europe, South Central US, Southeast Asia, UK South, West Europe, West US | 60 Gbps ¹ |
| Default maximum ingress per general-purpose v2 and Blob storage account in the following regions (ZRS): Australia East, Central US, East US, East US 2, Japan East, North Europe, South Central US, Southeast Asia, UK South, West Europe, West US 2 | 60 Gbps ¹ |
| Default maximum ingress per general-purpose v2 and Blob storage account in regions that aren't listed in the previous row. | 25 Gbps ¹ |
| Default maximum ingress for general-purpose v1 storage accounts (all regions) | 10 Gbps ¹ |
| Default maximum egress for general-purpose v2 and Blob storage accounts in the following regions (LRS/GRS): Australia East, Central US, East Asia, East US 2, Japan East, Korea Central, North Europe, South Central US, Southeast Asia, UK South, West Europe, West US | 120 Gbps ¹ |
| Default maximum egress for general-purpose v2 and Blob storage accounts in the following regions (ZRS): Australia East, Central US, East US, East US 2, Japan East, North Europe, South Central US, Southeast Asia, UK South, West Europe, West US 2 | 120 Gbps ¹ |
| Default maximum egress for general-purpose v2 and Blob storage accounts in regions that aren't listed in the previous row. | 50 Gbps ¹ |
| Maximum egress for general-purpose v1 storage accounts (US regions) | 20 Gbps if RA-GRS/GRS is enabled, 30 Gbps for LRS/ZRS ² |
| Maximum egress for general-purpose v1 storage accounts (non-US regions) | 10 Gbps if RA-GRS/GRS is enabled, 15 Gbps for LRS/ZRS ² |
| Maximum number of IP address rules per storage account | 200 |
| Maximum number of virtual network rules per storage account | 200 |
| Maximum number of resource instance rules per storage account | 200 |
| Maximum number of private endpoints per storage account | 200 |

¹ Azure Storage standard accounts support higher capacity limits and higher limits for ingress and egress by request. To request an increase in account limits, contact Azure Support.

² If your storage account has read-access enabled with geo-redundant storage (RA-GRS) or geo-zone-redundant storage (RA-GZRS), then the egress targets for the secondary location are identical to the egress targets of the primary location. For more information, see Azure Storage replication.

For more information on limits for standard storage accounts, see Scalability targets for standard storage accounts.
Storage resource provider limits

The following limits apply only when you perform management operations by using Azure Resource Manager with Azure Storage.

| Resource | Limit |
| --- | --- |
| Storage account management operations (read) | 800 per 5 minutes |
| Storage account management operations (write) | 10 per second / 1200 per hour |
| Storage account management operations (list) | 100 per 5 minutes |

Azure Blob storage limits

| Resource | Target |
| --- | --- |
| Maximum size of single blob container | Same as maximum storage account capacity |
| Maximum number of blocks in a block blob or append blob | 50,000 blocks |
| Maximum size of a block in a block blob | 4000 MiB |
| Maximum size of a block blob | 50,000 X 4000 MiB (approximately 190.7 TiB) |
| Maximum size of a block in an append blob | 4 MiB |
| Maximum size of an append blob | 50,000 x 4 MiB (approximately 195 GiB) |
| Maximum size of a page blob | 8 TiB ² |
| Maximum number of stored access policies per blob container | 5 |
| Target request rate for a single blob | Up to 500 requests per second |
| Target throughput for a single page blob | Up to 60 MiB per second ² |
| Target throughput for a single block blob | Up to storage account ingress/egress limits ¹ |

¹ Throughput for a single blob depends on several factors, including, but not limited to: concurrency, request size, performance tier, speed of source for uploads, and destination for downloads. To take advantage of the performance enhancements of high-throughput block blobs, upload larger blobs or blocks. Specifically, call the Put Blob or Put Block operation with a blob or block size that is greater than 4 MiB for standard storage accounts. For premium block blob or for Data Lake Storage Gen2 storage accounts, use a block or blob size that is greater than 256 KiB.

² Page blobs are not yet supported in accounts that have the Hierarchical namespace setting on them.

The following table describes the maximum block and blob sizes permitted by service version.

| Service version | Maximum block size (via Put Block) | Maximum blob size (via Put Block List) | Maximum blob size via single write operation (via Put Blob) |
| --- | --- | --- | --- |
| Version 2019-12-12 and later | 4000 MiB | Approximately 190.7 TiB (4000 MiB X 50,000 blocks) | 5000 MiB (preview) |
| Version 2016-05-31 through version 2019-07-07 | 100 MiB | Approximately 4.75 TiB (100 MiB X 50,000 blocks) | 256 MiB |
| Versions prior to 2016-05-31 | 4 MiB | Approximately 195 GiB (4 MiB X 50,000 blocks) | 64 MiB |

Azure Queue storage limits

| Resource | Target |
| --- | --- |
| Maximum size of a single queue | 500 TiB |
| Maximum size of a message in a queue | 64 KiB |
| Maximum number of stored access policies per queue | 5 |
| Maximum request rate per storage account | 20,000 messages per second, which assumes a 1-KiB message size |
| Target throughput for a single queue (1-KiB messages) | Up to 2,000 messages per second |

Azure Table storage limits

The following table describes capacity, scalability, and performance targets for Table storage.

| Resource | Target |
| --- | --- |
| Number of tables in an Azure storage account | Limited only by the capacity of the storage account |
| Number of partitions in a table | Limited only by the capacity of the storage account |
| Number of entities in a partition | Limited only by the capacity of the storage account |
| Maximum size of a single table | 500 TiB |
| Maximum size of a single entity, including all property values | 1 MiB |
| Maximum number of properties in a table entity | 255 (including the three system properties, PartitionKey, RowKey, and Timestamp) |
| Maximum total size of an individual property in an entity | Varies by property type. For more information, see Property Types in Understanding the Table Service Data Model. |
| Size of the PartitionKey | A string up to 1 KiB in size |
| Size of the RowKey | A string up to 1 KiB in size |
| Size of an entity group transaction | A transaction can include at most 100 entities and the payload must be less than 4 MiB in size. An entity group transaction can include an update to an entity only once. |
| Maximum number of stored access policies per table | 5 |
| Maximum request rate per storage account | 20,000 transactions per second, which assumes a 1-KiB entity size |
| Target throughput for a single table partition (1 KiB-entities) | Up to 2,000 entities per second |

Virtual machine disk limits


You can attach a number of data disks to an Azure virtual machine (VM). Based on the scalability and
performance targets for a VM's data disks, you can determine the number and type of disk that you need to
meet your performance and capacity requirements.

IMPORTANT
For optimal performance, limit the number of highly utilized disks attached to the virtual machine to avoid possible
throttling. If all attached disks aren't highly utilized at the same time, the virtual machine can support a larger number of
disks.

For Azure managed disks:

The following table illustrates the default and maximum limits of the number of resources per region per subscription. The limits remain the same irrespective of disks encrypted with either platform-managed keys or customer-managed keys. There is no limit for the number of Managed Disks, snapshots and images per resource group.

| Resource | Limit |
| --- | --- |
| Standard managed disks | 50,000 |
| Standard SSD managed disks | 50,000 |
| Premium managed disks | 50,000 |
| Standard_LRS snapshots ¹ | 75,000 |
| Standard_ZRS snapshots ¹ | 75,000 |
| Managed image | 50,000 |

¹ The total number of full disk snapshots an individual disk may have is 200. An individual disk may also have 200 incremental snapshots, which are counted separately from full disk snapshots.
For standard storage accounts: A Standard storage account has a maximum total request rate of 20,000
IOPS. The total IOPS across all of your virtual machine disks in a Standard storage account should not exceed
this limit.
You can roughly calculate the number of highly utilized disks supported by a single standard storage account
based on the request rate limit. For example, for a Basic tier VM, the maximum number of highly utilized disks is
about 66, which is 20,000/300 IOPS per disk. The maximum number of highly utilized disks for a Standard tier
VM is about 40, which is 20,000/500 IOPS per disk.
For premium storage accounts: A premium storage account has a maximum total throughput rate of 50
Gbps. The total throughput across all of your VM disks should not exceed this limit.
For more information, see Virtual machine sizes.
Disk encryption sets
There's a limitation of 1000 disk encryption sets per region, per subscription. For more information, see the
encryption documentation for Linux or Windows virtual machines. If you need to increase the quota, contact
Azure support.
Managed virtual machine disks

Standard HDD managed disks

| Standard disk type | S4 | S6 | S10 | S15 | S20 | S30 | S40 | S50 | S60 | S70 | S80 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Disk size in GiB | 32 | 64 | 128 | 256 | 512 | 1,024 | 2,048 | 4,096 | 8,192 | 16,384 | 32,767 |
| IOPS per disk | Up to 500 | Up to 500 | Up to 500 | Up to 500 | Up to 500 | Up to 500 | Up to 500 | Up to 500 | Up to 1,300 | Up to 2,000 | Up to 2,000 |
| Throughput per disk | Up to 60 MB/sec | Up to 60 MB/sec | Up to 60 MB/sec | Up to 60 MB/sec | Up to 60 MB/sec | Up to 60 MB/sec | Up to 60 MB/sec | Up to 60 MB/sec | Up to 300 MB/sec | Up to 500 MB/sec | Up to 500 MB/sec |

Standard SSD managed disks

| Standard SSD sizes | E1 | E2 | E3 | E4 | E6 | E10 | E15 | E20 | E30 | E40 | E50 | E60 | E70 | E80 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Disk size in GiB | 4 | 8 | 16 | 32 | 64 | 128 | 256 | 512 | 1,024 | 2,048 | 4,096 | 8,192 | 16,384 | 32,767 |
| IOPS per disk | Up to 500 | Up to 500 | Up to 500 | Up to 500 | Up to 500 | Up to 500 | Up to 500 | Up to 500 | Up to 500 | Up to 500 | Up to 500 | Up to 2,000 | Up to 4,000 | Up to 6,000 |
| Throughput per disk | Up to 60 MB/sec | Up to 60 MB/sec | Up to 60 MB/sec | Up to 60 MB/sec | Up to 60 MB/sec | Up to 60 MB/sec | Up to 60 MB/sec | Up to 60 MB/sec | Up to 60 MB/sec | Up to 60 MB/sec | Up to 60 MB/sec | Up to 400 MB/sec | Up to 600 MB/sec | Up to 750 MB/sec |
| Max burst IOPS per disk | 600 | 600 | 600 | 600 | 600 | 600 | 600 | 600 | 1000 | | | | | |
| Max burst throughput per disk | 150 MB/sec | 150 MB/sec | 150 MB/sec | 150 MB/sec | 150 MB/sec | 150 MB/sec | 150 MB/sec | 150 MB/sec | 250 MB/sec | | | | | |
| Max burst duration | 30 min | 30 min | 30 min | 30 min | 30 min | 30 min | 30 min | 30 min | 30 min | | | | | |

Premium SSD managed disks: Per-disk limits

| Premium SSD sizes | P1 | P2 | P3 | P4 | P6 | P10 | P15 | P20 | P30 | P40 | P50 | P60 | P70 | P80 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Disk size in GiB | 4 | 8 | 16 | 32 | 64 | 128 | 256 | 512 | 1,024 | 2,048 | 4,096 | 8,192 | 16,384 | 32,767 |
| Provisioned IOPS per disk | 120 | 120 | 120 | 120 | 240 | 500 | 1,100 | 2,300 | 5,000 | 7,500 | 7,500 | 16,000 | 18,000 | 20,000 |
| Provisioned Throughput per disk | 25 MB/sec | 25 MB/sec | 25 MB/sec | 25 MB/sec | 50 MB/sec | 100 MB/sec | 125 MB/sec | 150 MB/sec | 200 MB/sec | 250 MB/sec | 250 MB/sec | 500 MB/sec | 750 MB/sec | 900 MB/sec |
| Max burst IOPS per disk | 3,500 | 3,500 | 3,500 | 3,500 | 3,500 | 3,500 | 3,500 | 3,500 | 30,000* | 30,000* | 30,000* | 30,000* | 30,000* | 30,000* |
| Max burst throughput per disk | 170 MB/sec | 170 MB/sec | 170 MB/sec | 170 MB/sec | 170 MB/sec | 170 MB/sec | 170 MB/sec | 170 MB/sec | 1,000 MB/sec* | 1,000 MB/sec* | 1,000 MB/sec* | 1,000 MB/sec* | 1,000 MB/sec* | 1,000 MB/sec* |
| Max burst duration | 30 min | 30 min | 30 min | 30 min | 30 min | 30 min | 30 min | 30 min | Unlimited* | Unlimited* | Unlimited* | Unlimited* | Unlimited* | Unlimited* |
| Eligible for reservation | No | No | No | No | No | No | No | No | Yes, up to one year | Yes, up to one year | Yes, up to one year | Yes, up to one year | Yes, up to one year | Yes, up to one year |

*Applies only to disks with on-demand bursting enabled.
Premium SSD managed disks: Per-VM limits

| Resource | Limit |
|---|---|
| Maximum IOPS per VM | 80,000 IOPS with GS5 VM |
| Maximum throughput per VM | 2,000 MB/s with GS5 VM |

Unmanaged virtual machine disks

Standard unmanaged virtual machine disks: Per-disk limits

| VM tier | Basic tier VM | Standard tier VM |
|---|---|---|
| Disk size | 4,095 GB | 4,095 GB |
| Maximum 8-KB IOPS per persistent disk | 300 | 500 |
| Maximum number of disks that perform the maximum IOPS | 66 | 40 |

Premium unmanaged virtual machine disks: Per-account limits

| Resource | Limit |
|---|---|
| Total disk capacity per account | 35 TB |
| Total snapshot capacity per account | 10 TB |
| Maximum bandwidth per account (ingress + egress)¹ | <=50 Gbps |

¹ Ingress refers to all data from requests that are sent to a storage account. Egress refers to all data from responses that are received from a storage account.
Premium unmanaged virtual machine disks: Per-disk limits

| Premium storage disk type | P10 | P20 | P30 | P40 | P50 |
|---|---|---|---|---|---|
| Disk size | 128 GiB | 512 GiB | 1,024 GiB (1 TB) | 2,048 GiB (2 TB) | 4,095 GiB (4 TB) |
| Maximum IOPS per disk | 500 | 2,300 | 5,000 | 7,500 | 7,500 |
| Maximum throughput per disk | 100 MB/sec | 150 MB/sec | 200 MB/sec | 250 MB/sec | 250 MB/sec |
| Maximum number of disks per storage account | 280 | 70 | 35 | 17 | 8 |
Premium unmanaged virtual machine disks: Per-VM limits

| Resource | Limit |
|---|---|
| Maximum IOPS per VM | 80,000 IOPS with GS5 VM |
| Maximum throughput per VM | 2,000 MB/sec with GS5 VM |

StorSimple System limits

| Limit identifier | Limit | Comments |
|---|---|---|
| Maximum number of storage account credentials | 64 | |
| Maximum number of volume containers | 64 | |
| Maximum number of volumes | 255 | |
| Maximum number of schedules per bandwidth template | 168 | A schedule for every hour, every day of the week. |
| Maximum size of a tiered volume on physical devices | 64 TB for StorSimple 8100 and StorSimple 8600 | StorSimple 8100 and StorSimple 8600 are physical devices. |
| Maximum size of a tiered volume on virtual devices in Azure | 30 TB for StorSimple 8010; 64 TB for StorSimple 8020 | StorSimple 8010 and StorSimple 8020 are virtual devices in Azure that use Standard storage and Premium storage, respectively. |
| Maximum size of a locally pinned volume on physical devices | 9 TB for StorSimple 8100; 24 TB for StorSimple 8600 | StorSimple 8100 and StorSimple 8600 are physical devices. |
| Maximum number of iSCSI connections | 512 | |
| Maximum number of iSCSI connections from initiators | 512 | |
| Maximum number of access control records per device | 64 | |
| Maximum number of volumes per backup policy | 24 | |
| Maximum number of backups retained per backup policy | 64 | |
| Maximum number of schedules per backup policy | 10 | |
| Maximum number of snapshots of any type that can be retained per volume | 256 | This amount includes local snapshots and cloud snapshots. |
| Maximum number of snapshots that can be present in any device | 10,000 | |
| Maximum number of volumes that can be processed in parallel for backup, restore, or clone | 16 | If there are more than 16 volumes, they're processed sequentially as processing slots become available. New backups of a cloned or a restored tiered volume can't occur until the operation is finished. For a local volume, backups are allowed after the volume is online. |
| Restore and clone recover time for tiered volumes | <2 minutes | The volume is made available within 2 minutes of a restore or clone operation, regardless of the volume size. The volume performance might initially be slower than normal as most of the data and metadata still resides in the cloud. Performance might increase as data flows from the cloud to the StorSimple device. The total time to download metadata depends on the allocated volume size. Metadata is automatically brought into the device in the background at the rate of 5 minutes per TB of allocated volume data. This rate might be affected by Internet bandwidth to the cloud. The restore or clone operation is complete when all the metadata is on the device. Backup operations can't be performed until the restore or clone operation is fully complete. |
| Restore recover time for locally pinned volumes | <2 minutes | The volume is made available within 2 minutes of the restore operation, regardless of the volume size. The volume performance might initially be slower than normal as most of the data and metadata still resides in the cloud. Performance might increase as data flows from the cloud to the StorSimple device. The total time to download metadata depends on the allocated volume size. Metadata is automatically brought into the device in the background at the rate of 5 minutes per TB of allocated volume data. This rate might be affected by Internet bandwidth to the cloud. Unlike tiered volumes, if there are locally pinned volumes, the volume data is also downloaded locally on the device. The restore operation is complete when all the volume data has been brought to the device. The restore operations might be long and the total time to complete the restore will depend on the size of the provisioned local volume, your Internet bandwidth, and the existing data on the device. Backup operations on the locally pinned volume are allowed while the restore operation is in progress. |
| Thin-restore availability | Last failover | |
| Maximum client read/write throughput, when served from the SSD tier* | 920/720 MB/sec with a single 10-gigabit Ethernet network interface | Up to two times with MPIO and two network interfaces. |
| Maximum client read/write throughput, when served from the HDD tier* | 120/250 MB/sec | |
| Maximum client read/write throughput, when served from the cloud tier* | 11/41 MB/sec | Read throughput depends on clients generating and maintaining sufficient I/O queue depth. |

*Maximum throughput per I/O type was measured with 100 percent read and 100 percent write scenarios. Actual throughput might be lower and depends on I/O mix and network conditions.
Stream Analytics limits

| Limit identifier | Limit | Comments |
|---|---|---|
| Maximum number of streaming units per subscription per region | 500 | To request an increase in streaming units for your subscription beyond 500, contact Microsoft Support. |
| Maximum number of inputs per job | 60 | There's a hard limit of 60 inputs per Azure Stream Analytics job. |
| Maximum number of outputs per job | 60 | There's a hard limit of 60 outputs per Stream Analytics job. |
| Maximum number of functions per job | 60 | There's a hard limit of 60 functions per Stream Analytics job. |
| Maximum number of streaming units per job | 192 | There's a hard limit of 192 streaming units per Stream Analytics job. |
| Maximum number of jobs per region | 1,500 | Each subscription can have up to 1,500 jobs per geographical region. |
| Reference data blob MB | 5 GB | Up to 5 GB when using 6 SUs or more. |
| Maximum number of characters in a query | 512000 | There's a hard limit of 512k characters in an Azure Stream Analytics job query. |

Virtual Machines limits

Virtual Machines limits

| Resource | Limit |
|---|---|
| Virtual machines per cloud service¹ | 50 |
| Input endpoints per cloud service² | 150 |

¹ Virtual machines created by using the classic deployment model instead of Azure Resource Manager are automatically stored in a cloud service. You can add more virtual machines to that cloud service for load balancing and availability.
² Input endpoints allow communications to a virtual machine from outside the virtual machine's cloud service. Virtual machines in the same cloud service or virtual network can automatically communicate with each other.
Virtual Machines limits - Azure Resource Manager
The following limits apply when you use Azure Resource Manager and Azure resource groups.

| Resource | Limit |
|---|---|
| VMs per subscription | 25,000¹ per region. |
| VM total cores per subscription | 20¹ per region. Contact support to increase limit. |
| Azure Spot VM total cores per subscription | 20¹ per region. Contact support to increase limit. |
| VM per series, such as Dv2 and F, cores per subscription | 20¹ per region. Contact support to increase limit. |
| Availability sets per subscription | 2,500 per region. |
| Virtual machines per availability set | 200 |
| Proximity placement groups per resource group | 800 |
| Certificates per availability set | 199² |
| Certificates per subscription | Unlimited³ |

¹ Default limits vary by offer category type, such as Free Trial and Pay-As-You-Go, and by series, such as Dv2, F, and G. For example, the default for Enterprise Agreement subscriptions is 350. For security, subscriptions default to 20 cores to prevent large core deployments. If you need more cores, submit a support ticket.
² Properties such as SSH public keys are also pushed as certificates and count towards this limit. To bypass this limit, use the Azure Key Vault extension for Windows or the Azure Key Vault extension for Linux to install certificates.
³ With Azure Resource Manager, certificates are stored in the Azure Key Vault. The number of certificates is unlimited for a subscription. There's a 1-MB limit of certificates per deployment, which consists of either a single VM or an availability set.

NOTE
Virtual machine cores have a regional total limit. They also have a limit for regional per-size series, such as Dv2 and F.
These limits are separately enforced. For example, consider a subscription with a US East total VM core limit of 30, an A
series core limit of 30, and a D series core limit of 30. This subscription can deploy 30 A1 VMs, or 30 D1 VMs, or a
combination of the two not to exceed a total of 30 cores. An example of a combination is 10 A1 VMs and 20 D1 VMs.
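The note's arithmetic, as an added Python example that is not part of the original article: a pre-deployment check that applies the regional total-core limit and each per-series core limit separately, with A1 and D1 modelled as 1-core sizes (an assumption implied by the note) and the limits taken from the note's own figures.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class VmRequest:
    """A group of identical VMs a deployment plans to create."""
    series: str        # per-size series the quota is tracked for, e.g. "A" or "D"
    cores_per_vm: int
    count: int


def check_core_quota(requests, total_limit, series_limits, region="US East"):
    """Return the quota violations a planned deployment would cause (empty list = it fits).

    The regional total limit and each per-series limit are enforced separately,
    as the note above describes: all cores together must stay within total_limit,
    and each series' cores must also stay within series_limits[series].
    """
    cores_by_series = defaultdict(int)
    for req in requests:
        cores_by_series[req.series] += req.cores_per_vm * req.count

    violations = []
    total = sum(cores_by_series.values())
    if total > total_limit:
        violations.append(
            f"{region}: {total} cores requested exceeds the regional total limit of {total_limit}")
    for series, cores in sorted(cores_by_series.items()):
        limit = series_limits.get(series)
        if limit is None:
            violations.append(f"{region}: no {series}-series core quota is known")
        elif cores > limit:
            violations.append(
                f"{region}: {cores} {series}-series cores exceeds the series limit of {limit}")
    return violations


# Constructed quota matching the note: total 30, A series 30, D series 30.
# A1 and D1 are modelled as 1-core sizes, as the note's arithmetic implies (assumption).
NOTE_TOTAL_LIMIT = 30
NOTE_SERIES_LIMITS = {"A": 30, "D": 30}


def note_examples():
    """The combinations the note discusses, checked against its limits."""
    fits = check_core_quota(
        [VmRequest("A", 1, 10), VmRequest("D", 1, 20)], NOTE_TOTAL_LIMIT, NOTE_SERIES_LIMITS)
    # 30 A1 VMs stay within both the A-series and the total limit; adding one D1 VM
    # keeps every series within its own limit but pushes the regional total to 31.
    over_total = check_core_quota(
        [VmRequest("A", 1, 30), VmRequest("D", 1, 1)], NOTE_TOTAL_LIMIT, NOTE_SERIES_LIMITS)
    return fits, over_total


if __name__ == "__main__":
    for result in note_examples():
        print(result or "deployment fits the regional quota")
```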

Shared Image Gallery limits

There are limits, per subscription, for deploying resources using Shared Image Galleries:
100 shared image galleries, per subscription, per region
1,000 image definitions, per subscription, per region
10,000 image versions, per subscription, per region

Virtual machine scale sets limits

| Resource | Limit |
|---|---|
| Maximum number of VMs in a scale set | 1,000 |
| Maximum number of VMs based on a custom VM image in a scale set | 600 |
| Maximum number of scale sets in a region | 2,500 |


See also
Understand Azure limits and increases
Virtual machine and cloud service sizes for Azure
Sizes for Azure Cloud Services
Naming rules and restrictions for Azure resources
Naming rules and restrictions for Azure resources
2/23/2022 • 25 minutes to read • Edit Online

This article summarizes naming rules and restrictions for Azure resources. For recommendations about how to
name resources, see Recommended naming and tagging conventions.
This article lists resources by resource provider namespace. For a list of how resource providers match Azure
services, see Resource providers for Azure services.
Resource names are case-insensitive unless noted in the valid characters column.

NOTE
When retrieving resource names using various APIs, returned values may display different case values than what is listed
in the valid characters table.

In the following tables, the term alphanumeric refers to:
a through z (lowercase letters)
A through Z (uppercase letters)
0 through 9 (numbers)

NOTE
All resources with a public endpoint can't include reserved words or trademarks in the name. For a list of the blocked
words, see Resolve reserved resource name errors.

Microsoft.AnalysisServices

| Entity | Scope | Length | Valid Characters |
|---|---|---|---|
| servers | resource group | 3-63 | Lowercase letters and numbers. Start with lowercase letter. |

Microsoft.ApiManagement

| Entity | Scope | Length | Valid Characters |
|---|---|---|---|
| service | global | 1-50 | Alphanumerics and hyphens. Start with letter and end with alphanumeric. |
| service / apis | service | 1-80 | Alphanumerics and hyphens. Start with letter and end with alphanumeric. |
| service / apis / issues | api | 1-80 | Alphanumerics and hyphens. Start with letter and end with alphanumeric. |
| service / apis / issues / attachments | issue | 1-80 | Alphanumerics and hyphens. Start with letter and end with alphanumeric. |
| service / apis / issues / comments | issue | 1-80 | Alphanumerics and hyphens. Start with letter and end with alphanumeric. |
| service / apis / operations | api | 1-80 | Alphanumerics and hyphens. Start with letter and end with alphanumeric. |
| service / apis / operations / tags | operation | 1-80 | Alphanumerics and hyphens. Start with letter and end with alphanumeric. |
| service / apis / releases | api | 1-80 | Alphanumerics, underscores, and hyphens. Start and end with alphanumeric or underscore. |
| service / apis / schemas | api | 1-80 | Alphanumerics and hyphens. Start with letter and end with alphanumeric. |
| service / apis / tagDescriptions | api | 1-80 | Alphanumerics and hyphens. Start with letter and end with alphanumeric. |
| service / apis / tags | api | 1-80 | Alphanumerics and hyphens. Start with letter and end with alphanumeric. |
| service / api-version-sets | service | 1-80 | Alphanumerics and hyphens. Start with letter and end with alphanumeric. |
| service / authorizationServers | service | 1-80 | Alphanumerics and hyphens. Start with letter and end with alphanumeric. |
| service / backends | service | 1-80 | Alphanumerics and hyphens. Start with letter and end with alphanumeric. |
| service / certificates | service | 1-80 | Alphanumerics and hyphens. Start with letter and end with alphanumeric. |
| service / diagnostics | service | 1-80 | Alphanumerics and hyphens. Start with letter and end with alphanumeric. |
| service / groups | service | 1-80 | Alphanumerics and hyphens. Start with letter and end with alphanumeric. |
| service / groups / users | group | 1-80 | Alphanumerics and hyphens. Start with letter and end with alphanumeric. |
| service / identityProviders | service | 1-80 | Alphanumerics and hyphens. Start with letter and end with alphanumeric. |
| service / loggers | service | 1-80 | Alphanumerics and hyphens. Start with letter and end with alphanumeric. |
| service / notifications | service | 1-80 | Alphanumerics and hyphens. Start with letter and end with alphanumeric. |
| service / notifications / recipientEmails | notification | 1-80 | Alphanumerics and hyphens. Start with letter and end with alphanumeric. |
| service / openidConnectProviders | service | 1-80 | Alphanumerics and hyphens. Start with letter and end with alphanumeric. |
| service / policies | service | 1-80 | Alphanumerics and hyphens. Start with letter and end with alphanumeric. |
| service / products | service | 1-80 | Alphanumerics and hyphens. Start with letter and end with alphanumeric. |
| service / products / apis | product | 1-80 | Alphanumerics and hyphens. Start with letter and end with alphanumeric. |
| service / products / groups | product | 1-80 | Alphanumerics and hyphens. Start with letter and end with alphanumeric. |
| service / products / tags | product | 1-80 | Alphanumerics and hyphens. Start with letter and end with alphanumeric. |
| service / properties | service | 1-80 | Alphanumerics and hyphens. Start with letter and end with alphanumeric. |
| service / subscriptions | service | 1-80 | Alphanumerics and hyphens. Start with letter and end with alphanumeric. |
| service / tags | service | 1-80 | Alphanumerics and hyphens. Start with letter and end with alphanumeric. |
| service / templates | service | 1-80 | Alphanumerics and hyphens. Start with letter and end with alphanumeric. |
| service / users | service | 1-80 | Alphanumerics and hyphens. Start with letter and end with alphanumeric. |

Microsoft.AppConfiguration

| Entity | Scope | Length | Valid Characters |
|---|---|---|---|
| configurationStores | resource group | 5-50 | Alphanumerics, underscores, and hyphens. |

Microsoft.Authorization

| Entity | Scope | Length | Valid Characters |
|---|---|---|---|
| locks | scope of assignment | 1-90 | Alphanumerics, periods, underscores, hyphens, and parenthesis. Can't end in period. |
| policyAssignments | scope of assignment | 1-128 display name; 1-64 resource name; 1-24 resource name at management group scope | Display name can contain any characters. Resource name can't use: <>*%&:\?.+/ or control characters. Can't end with period or space. |
| policyDefinitions | scope of definition | 1-128 display name; 1-64 resource name | Display name can contain any characters. Resource name can't use: <>*%&:\?.+/ or control characters. Can't end with period or space. |
| policySetDefinitions | scope of definition | 1-128 display name; 1-64 resource name; 1-24 resource name at management group scope | Display name can contain any characters. Resource name can't use: <>*%&:\?.+/ or control characters. Can't end with period or space. |
| roleAssignments | tenant | 36 | Must be a globally unique identifier (GUID). |
| roleDefinitions | tenant | 36 | Must be a globally unique identifier (GUID). |

Microsoft.Automation

| Entity | Scope | Length | Valid Characters |
|---|---|---|---|
| automationAccounts | resource group & region (See note below) | 6-50 | Alphanumerics and hyphens. Start with letter and end with alphanumeric. |
| automationAccounts / certificates | automation account | 1-128 | Can't use: <>*%&:\?.+/ or control characters. Can't end with space. |
| automationAccounts / connections | automation account | 1-128 | Can't use: <>*%&:\?.+/ or control characters. Can't end with space. |
| automationAccounts / credentials | automation account | 1-128 | Can't use: <>*%&:\?.+/ or control characters. Can't end with space. |
| automationAccounts / runbooks | automation account | 1-63 | Alphanumerics, underscores, and hyphens. Start with letter. |
| automationAccounts / schedules | automation account | 1-128 | Can't use: <>*%&:\?.+/ or control characters. Can't end with space. |
| automationAccounts / variables | automation account | 1-128 | Can't use: <>*%&:\?.+/ or control characters. Can't end with space. |
| automationAccounts / watchers | automation account | 1-63 | Alphanumerics, underscores, and hyphens. Start with letter. |
| automationAccounts / webhooks | automation account | 1-128 | Can't use: <>*%&:\?.+/ or control characters. Can't end with space. |

NOTE
Automation account names are unique per region and resource group. Names for deleted Automation accounts might
not be immediately available.

Microsoft.Batch

| Entity | Scope | Length | Valid Characters |
|---|---|---|---|
| batchAccounts | Region | 3-24 | Lowercase letters and numbers. |
| batchAccounts / applications | batch account | 1-64 | Alphanumerics, underscores, and hyphens. |
| batchAccounts / certificates | batch account | 5-45 | Alphanumerics, underscores, and hyphens. |
| batchAccounts / pools | batch account | 1-64 | Alphanumerics, underscores, and hyphens. |

Microsoft.Blockchain

| Entity | Scope | Length | Valid Characters |
|---|---|---|---|
| blockchainMembers | global | 2-20 | Lowercase letters and numbers. Start with lowercase letter. |

Microsoft.BotService

| Entity | Scope | Length | Valid Characters |
|---|---|---|---|
| botServices | global | 2-64 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. |
| botServices / channels | bot service | 2-64 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. |
| botServices / Connections | bot service | 2-64 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. |
| enterpriseChannels | resource group | 2-64 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. |

Microsoft.Cache

| Entity | Scope | Length | Valid Characters |
|---|---|---|---|
| Redis | global | 1-63 | Alphanumerics and hyphens. Start and end with alphanumeric. Consecutive hyphens not allowed. |
| Redis / firewallRules | Redis | 1-256 | Alphanumerics |

Microsoft.Cdn

| Entity | Scope | Length | Valid Characters |
|---|---|---|---|
| profiles | resource group | 1-260 | Alphanumerics and hyphens. Start and end with alphanumeric. |
| profiles / endpoints | global | 1-50 | Alphanumerics and hyphens. Start and end with alphanumeric. |

Microsoft.CertificateRegistration

| Entity | Scope | Length | Valid Characters |
|---|---|---|---|
| certificateOrders | resource group | 3-30 | Alphanumerics. |

Microsoft.CognitiveServices

| Entity | Scope | Length | Valid Characters |
|---|---|---|---|
| accounts | resource group | 2-64 | Alphanumerics and hyphens. Start and end with alphanumeric. |

Microsoft.Compute

| Entity | Scope | Length | Valid Characters |
|---|---|---|---|
| availabilitySets | resource group | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore. |
| cloudservices | resource group | 1-15 (See note below.) | Can't use spaces, control characters, or these characters: ~ ! @ # $ % ^ & * ( ) = + _ [ ] { } \ \| ; : . ' " , < > / ? Can't start with underscore. Can't end with period or hyphen. |
| diskEncryptionSets | resource group | 1-80 | Alphanumerics, underscores, and hyphens. |
| disks | resource group | 1-80 | Alphanumerics, underscores, and hyphens. |
| galleries | resource group | 1-80 | Alphanumerics and periods. Start and end with alphanumeric. |
| galleries / applications | gallery | 1-80 | Alphanumerics, hyphens, and periods. Start and end with alphanumeric. |
| galleries / applications/versions | application | 32-bit integer | Numbers and periods. |
| galleries / images | gallery | 1-80 | Alphanumerics, underscores, hyphens, and periods. Start and end with alphanumeric. |
| galleries / images / versions | image | 32-bit integer | Numbers and periods. |
| images | resource group | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore. |
| snapshots | resource group | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore. |
| virtualMachines | resource group | 1-15 (Windows); 1-64 (Linux) (See note below.) | Can't use spaces, control characters, or these characters: ~ ! @ # $ % ^ & * ( ) = + _ [ ] { } \ \| ; : . ' " , < > / ? Windows VMs can't include period or end with hyphen. Linux VMs can't end with period or hyphen. |
| virtualMachineScaleSets | resource group | 1-15 (Windows); 1-64 (Linux) (See note below.) | Can't use spaces, control characters, or these characters: ~ ! @ # $ % ^ & * ( ) = + _ [ ] { } \ \| ; : . ' " , < > / ? Can't start with underscore. Can't end with period or hyphen. |

NOTE
Azure virtual machines have two distinct names: resource name and host name. When you create a virtual machine in the
portal, the same value is used for both names. The restrictions in the preceding table are for the host name. The actual
resource name can have up to 64 characters.
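A validator for a handful of the rules listed above, as an added Python example that is not part of the original article: it encodes the length and character rules for Microsoft.AnalysisServices/servers, Microsoft.Batch/batchAccounts, Microsoft.Cache/Redis, Microsoft.Compute/diskEncryptionSets, the Microsoft.Compute VM host-name rules, and the GUID rule for Microsoft.Authorization/roleAssignments, and compares names case-insensitively as the article states. The sample names are constructed for the demonstration.

```python
import re
import uuid

# Rules copied from the naming tables above: (min length, max length, pattern, description).
# Only a few entities are encoded here; the tables list many more.
NAME_RULES = {
    "Microsoft.AnalysisServices/servers": (
        3, 63, re.compile(r"[a-z][a-z0-9]*"),
        "lowercase letters and numbers, starting with a lowercase letter"),
    "Microsoft.Batch/batchAccounts": (
        3, 24, re.compile(r"[a-z0-9]+"),
        "lowercase letters and numbers"),
    "Microsoft.Cache/Redis": (
        1, 63, re.compile(r"[A-Za-z0-9](?:-?[A-Za-z0-9])*"),
        "alphanumerics and hyphens, starting and ending with an alphanumeric, "
        "no consecutive hyphens"),
    "Microsoft.Compute/diskEncryptionSets": (
        1, 80, re.compile(r"[A-Za-z0-9_-]+"),
        "alphanumerics, underscores, and hyphens"),
}

# Characters the Microsoft.Compute table forbids in VM host names,
# in addition to spaces and control characters.
VM_FORBIDDEN = set("~!@#$%^&*()=+_[]{}\\|;:.'\",<>/?")


def validate_name(entity, name):
    """Return the rule violations for `name` under `entity`'s rules (an empty list means valid)."""
    lo, hi, pattern, description = NAME_RULES[entity]
    errors = []
    if not lo <= len(name) <= hi:
        errors.append(f"length must be {lo}-{hi} characters, got {len(name)}")
    if not pattern.fullmatch(name):
        errors.append(f"allowed characters: {description}")
    return errors


def validate_vm_host_name(name, os_type):
    """Check a Microsoft.Compute/virtualMachines host name against the Windows or Linux rules."""
    if os_type not in ("windows", "linux"):
        raise ValueError("os_type must be 'windows' or 'linux'")
    hi = 15 if os_type == "windows" else 64
    errors = []
    if not 1 <= len(name) <= hi:
        errors.append(f"{os_type} host name must be 1-{hi} characters, got {len(name)}")
    if any(ch.isspace() or ord(ch) < 32 or ord(ch) == 127 for ch in name):
        errors.append("spaces and control characters are not allowed")
    forbidden = sorted({ch for ch in name if ch in VM_FORBIDDEN})
    if forbidden:
        # The period is in this set, so "can't include period" is covered for both OS types.
        errors.append("forbidden characters: " + " ".join(forbidden))
    if name.endswith("-"):
        errors.append("host name can't end with a hyphen")
    return errors


def validate_role_assignment_name(name):
    """Microsoft.Authorization/roleAssignments names must be a 36-character GUID."""
    if len(name) != 36:
        return ["must be exactly 36 characters"]
    try:
        uuid.UUID(name)
    except ValueError:
        return ["must be a globally unique identifier (GUID)"]
    return []


def names_collide(existing, proposed):
    """Resource names are case-insensitive unless the valid-characters column says otherwise,
    so a uniqueness check has to compare case-folded names."""
    return existing.casefold() == proposed.casefold()


if __name__ == "__main__":
    # Constructed sample names; none refer to real resources.
    print(validate_name("Microsoft.Cache/Redis", "cache--prod"))
    print(validate_vm_host_name("web-server-prod-01", "windows"))
    print(validate_role_assignment_name("not-a-guid"))
    print(names_collide("MyDisk", "mydisk"))
```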

Microsoft.Communication

| Entity | Scope | Length | Valid Characters |
|---|---|---|---|
| communicationServices | global | 1-63 | Alphanumerics and hyphens. Can't use underscores. |

Microsoft.Consumption

| Entity | Scope | Length | Valid Characters |
|---|---|---|---|
| budgets | subscription or resource group | 1-63 | Alphanumerics, hyphens, and underscores. |

Microsoft.ContainerInstance

| Entity | Scope | Length | Valid Characters |
|---|---|---|---|
| containerGroups | resource group | 1-63 | Lowercase letters, numbers, and hyphens. Can't start or end with hyphen. Consecutive hyphens aren't allowed. |

Microsoft.ContainerRegistry

| Entity | Scope | Length | Valid Characters |
|---|---|---|---|
| registries | global | 5-50 | Alphanumerics. |
| registries / buildTasks | registry | 5-50 | Alphanumerics. |
| registries / buildTasks/steps | build task | 5-50 | Alphanumerics. |
| registries / replications | registry | 5-50 | Alphanumerics. |
| registries / scopeMaps | registry | 5-50 | Alphanumerics, hyphens, and underscores. |
| registries / tasks | registry | 5-50 | Alphanumerics, hyphens, and underscores. |
| registries / tokens | registry | 5-50 | Alphanumerics, hyphens, and underscores. |
| registries / webhooks | registry | 5-50 | Alphanumerics. |

Microsoft.ContainerService

| Entity | Scope | Length | Valid Characters |
|---|---|---|---|
| managedClusters | resource group | 1-63 | Alphanumerics, underscores, and hyphens. Start and end with alphanumeric. |
| openShiftManagedClusters | resource group | 1-30 | Alphanumerics. |

Microsoft.CustomerInsights

| Entity | Scope | Length | Valid Characters |
|---|---|---|---|
| hubs | resource group | 1-64 | Alphanumerics. Start with letter. |
| hubs / authorizationPolicies | hub | 1-50 | Alphanumerics, underscores, and periods. Start and end with alphanumeric. |
| hubs / connectors | hub | 1-128 | Alphanumerics and underscores. Start with letter. |
| hubs / connectors/mappings | connector | 1-128 | Alphanumerics and underscores. Start with letter. |
| hubs / interactions | hub | 1-128 | Alphanumerics and underscores. Start with letter. |
| hubs / kpi | hub | 1-512 | Alphanumerics and underscores. Start with letter. |
| hubs / links | hub | 1-512 | Alphanumerics and underscores. Start with letter. |
| hubs / predictions | hub | 1-512 | Alphanumerics and underscores. Start with letter. |
| hubs / profiles | hub | 1-128 | Alphanumerics and underscores. Start with letter. |
| hubs / relationshipLinks | hub | 1-512 | Alphanumerics and underscores. Start with letter. |
| hubs / relationships | hub | 1-512 | Alphanumerics and underscores. Start with letter. |
| hubs / roleAssignments | hub | 1-128 | Alphanumerics and underscores. Start with letter. |
| hubs / views | hub | 1-512 | Alphanumerics and underscores. Start with letter. |

Microsoft.CustomProviders

| Entity | Scope | Length | Valid Characters |
|---|---|---|---|
| associations | resource group | 1-180 | Can't use: %&\\?/ or control characters. Can't end with period or space. |
| resourceProviders | resource group | 3-64 | Can't use: %&\\?/ or control characters. Can't end with period or space. |

Microsoft.DataBox

| Entity | Scope | Length | Valid Characters |
|---|---|---|---|
| jobs | resource group | 3-24 | Alphanumerics, hyphens, underscores and periods. |

Microsoft.Databricks

| Entity | Scope | Length | Valid Characters |
|---|---|---|---|
| workspaces | resource group | 3-64 | Alphanumerics, underscores, and hyphens |

Microsoft.DataFactory

| Entity | Scope | Length | Valid Characters |
|---|---|---|---|
| factories | global | 3-63 | Alphanumerics and hyphens. Start and end with alphanumeric. |
| factories / dataflows | factory | 1-260 | Can't use: <>*#.%&:\\+?/ or control characters. Start with alphanumeric. |
| factories / datasets | factory | 1-260 | Can't use: <>*#.%&:\\+?/ or control characters. Start with alphanumeric. |
| factories / integrationRuntimes | factory | 3-63 | Alphanumerics and hyphens. Start and end with alphanumeric. |
| factories / linkedservices | factory | 1-260 | Can't use: <>*#.%&:\\+?/ or control characters. Start with alphanumeric. |
| factories / pipelines | factory | 1-260 | Can't use: <>*#.%&:\\+?/ or control characters. Start with alphanumeric. |
| factories / triggers | factory | 1-260 | Can't use: <>*#.%&:\\+?/ or control characters. Start with alphanumeric. |
| factories / triggers / rerunTriggers | trigger | 1-260 | Can't use: <>*#.%&:\\+?/ or control characters. Start with alphanumeric. |

Microsoft.DataLakeAnalytics

| Entity | Scope | Length | Valid Characters |
|---|---|---|---|
| accounts | global | 3-24 | Lowercase letters and numbers. |
| accounts / computePolicies | account | 3-60 | Alphanumerics, hyphens, and underscores. |
| accounts / dataLakeStoreAccounts | account | 3-24 | Lowercase letters and numbers. |
| accounts / firewallRules | account | 3-50 | Alphanumerics, hyphens, and underscores. |
| accounts / storageAccounts | account | 3-60 | Alphanumerics, hyphens, and underscores. |

Microsoft.DataLakeStore

| Entity | Scope | Length | Valid Characters |
|---|---|---|---|
| accounts | global | 3-24 | Lowercase letters and numbers. |
| accounts / firewallRules | account | 3-50 | Alphanumerics, hyphens, and underscores. |
| accounts / virtualNetworkRules | account | 3-50 | Alphanumerics, hyphens, and underscores. |

Microsoft.DataMigration

| Entity | Scope | Length | Valid Characters |
|---|---|---|---|
| services | resource group | 2-62 | Alphanumerics, hyphens, periods, and underscores. Start with alphanumeric. |
| services / projects | service | 2-57 | Alphanumerics, hyphens, periods, and underscores. Start with alphanumeric. |

Microsoft.DBforMariaDB

| Entity | Scope | Length | Valid Characters |
|---|---|---|---|
| servers | global | 3-63 | Lowercase letters, hyphens and numbers. Can't start or end with hyphen. |
| servers / databases | servers | 1-63 | Alphanumerics and hyphens. |
| servers / firewallRules | servers | 1-128 | Alphanumerics, hyphens, and underscores. |
| servers / virtualNetworkRules | servers | 1-128 | Alphanumerics and hyphens. |

Microsoft.DBforMySQL

| Entity | Scope | Length | Valid Characters |
|---|---|---|---|
| servers | global | 3-63 | Lowercase letters, hyphens and numbers. Can't start or end with hyphen. |
| servers / databases | servers | 1-63 | Alphanumerics and hyphens. |
| servers / firewallRules | servers | 1-128 | Alphanumerics, hyphens, and underscores. |
| servers / virtualNetworkRules | servers | 1-128 | Alphanumerics and hyphens. |

Microsoft.DBforPostgreSQL

| Entity | Scope | Length | Valid Characters |
|---|---|---|---|
| servers | global | 3-63 | Lowercase letters, hyphens and numbers. Can't start or end with hyphen. |
| servers / databases | servers | 1-63 | Alphanumerics and hyphens. |
| servers / firewallRules | servers | 1-128 | Alphanumerics, hyphens, and underscores. |
| servers / virtualNetworkRules | servers | 1-128 | Alphanumerics and hyphens. |

Microsoft.Devices

| Entity | Scope | Length | Valid Characters |
|---|---|---|---|
| IotHubs | global | 3-50 | Alphanumerics and hyphens. Can't end with hyphen. |
| IotHubs / certificates | IoT hub | 1-64 | Alphanumerics, hyphens, periods, and underscores. |
| IotHubs / eventHubEndpoints / ConsumerGroups | eventHubEndpoints | 1-50 | Alphanumerics, hyphens, periods, and underscores. |
| provisioningServices | resource group | 3-64 | Alphanumerics and hyphens. End with alphanumeric. |
| provisioningServices / certificates | provisioningServices | 1-64 | Alphanumerics, hyphens, periods, and underscores. |

Microsoft.DevTestLab

| Entity | Scope | Length | Valid Characters |
|---|---|---|---|
| labs | resource group | 1-50 | Alphanumerics, underscores, and hyphens. |
| labs / customimages | lab | 1-80 | Alphanumerics, underscores, hyphens, and parentheses. |
| labs / formulas | lab | 1-80 | Alphanumerics, underscores, hyphens, and parentheses. |
| labs / virtualmachines | lab | 1-15 (Windows); 1-64 (Linux) | Alphanumerics and hyphens. Start and end with alphanumeric. Can't be all numbers. |

Microsoft.DocumentDB

| Entity | Scope | Length | Valid Characters |
|---|---|---|---|
| databaseAccounts | global | 3-44 | Lowercase letters, numbers, and hyphens. Start with lowercase letter or number. |

Microsoft.EventGrid

| Entity | Scope | Length | Valid Characters |
|---|---|---|---|
| domains | resource group | 3-50 | Alphanumerics and hyphens. |
| domains / topics | domain | 3-50 | Alphanumerics and hyphens. |
| eventSubscriptions | resource group | 3-64 | Alphanumerics and hyphens. |
| topics | resource group | 3-50 | Alphanumerics and hyphens. |

Microsoft.EventHub

| Entity | Scope | Length | Valid Characters |
|---|---|---|---|
| clusters | resource group | 6-50 | Alphanumerics and hyphens. Start with letter. End with letter or number. |
| namespaces | global | 6-50 | Alphanumerics and hyphens. Start with letter. End with letter or number. |
| namespaces / AuthorizationRules | namespace | 1-50 | Alphanumerics, periods, hyphens and underscores. Start and end with letter or number. |
| namespaces / disasterRecoveryConfigs | global | 6-50 | Alphanumerics and hyphens. Start with letter. End with alphanumeric. |
| namespaces / eventhubs | namespace | 1-256 | Alphanumerics, periods, hyphens and underscores. Start and end with letter or number. |
| namespaces / eventhubs / authorizationRules | event hub | 1-50 | Alphanumerics, periods, hyphens and underscores. Start and end with letter or number. |
| namespaces / eventhubs / consumergroups | event hub | 1-50 | Alphanumerics, periods, hyphens and underscores. Start and end with letter or number. |

Microsoft.HDInsight
Entity | Scope | Length | Valid characters
clusters | global | 3-59 | Alphanumerics and hyphens. Start and end with letter or number.

Microsoft.ImportExport
Entity | Scope | Length | Valid characters
jobs | resource group | 2-64 | Alphanumerics and hyphens. Start with letter.

Microsoft.Insights
Entity | Scope | Length | Valid characters
actionGroups | resource group | 1-260 | Can't use: :<>+/&%\? or control characters. Can't end with space or period.
components | resource group | 1-260 | Can't use: %&\?/ or control characters. Can't end with space or period.
scheduledQueryRules | resource group | 1-260 | Can't use: *<>%{}&:\\?/# or control characters. Can't end with space or period.
metricAlerts | resource group | 1-260 | Can't use: *#&+:<>?@%{}\/ or control characters. Can't end with space or period.
activityLogAlerts | resource group | 1-260 | Can't use: <>*%{}&:\\?+/# or control characters. Can't end with space or period.

Microsoft.IoTCentral
Entity | Scope | Length | Valid characters
IoTApps | global | 2-63 | Lowercase letters, numbers, and hyphens. Start with lowercase letter or number.

Microsoft.KeyVault
Entity | Scope | Length | Valid characters
vaults | global | 3-24 | Alphanumerics and hyphens. Start with letter. End with letter or digit. Can't contain consecutive hyphens.
vaults / secrets | vault | 1-127 | Alphanumerics and hyphens.

Microsoft.Kusto
Entity | Scope | Length | Valid characters
clusters | global | 4-22 | Lowercase letters and numbers. Start with letter.
clusters / databases | cluster | 1-260 | Alphanumerics, hyphens, spaces, and periods.
clusters / databases / dataConnections | database | 1-40 | Alphanumerics, hyphens, spaces, and periods.
clusters / databases / eventhubconnections | database | 1-40 | Alphanumerics, hyphens, spaces, and periods.

Microsoft.Logic
Entity | Scope | Length | Valid characters
integrationAccounts | resource group | 1-80 | Alphanumerics, hyphens, underscores, periods, and parentheses.
integrationAccounts / assemblies | integration account | 1-80 | Alphanumerics, hyphens, underscores, periods, and parentheses.
integrationAccounts / batchConfigurations | integration account | 1-20 | Alphanumerics.
integrationAccounts / certificates | integration account | 1-80 | Alphanumerics, hyphens, underscores, periods, and parentheses.
integrationAccounts / maps | integration account | 1-80 | Alphanumerics, hyphens, underscores, periods, and parentheses.
integrationAccounts / partners | integration account | 1-80 | Alphanumerics, hyphens, underscores, periods, and parentheses.
integrationAccounts / rosettanetprocessconfigurations | integration account | 1-80 | Alphanumerics, hyphens, underscores, periods, and parentheses.
integrationAccounts / schemas | integration account | 1-80 | Alphanumerics, hyphens, underscores, periods, and parentheses.
integrationAccounts / sessions | integration account | 1-80 | Alphanumerics, hyphens, underscores, periods, and parentheses.
integrationServiceEnvironments | resource group | 1-80 | Alphanumerics, hyphens, periods, and underscores.
integrationServiceEnvironments / managedApis | integration service environment | 1-80 | Alphanumerics, hyphens, periods, and underscores.
workflows | resource group | 1-43 | Alphanumerics, hyphens, underscores, periods, and parentheses.

Microsoft.MachineLearning
Entity | Scope | Length | Valid characters
commitmentPlans | resource group | 1-260 | Can't use: <>*%&:?+/\\ or control characters. Can't end with a space.
webServices | resource group | 1-260 | Can't use: <>*%&:?+/\\ or control characters. Can't end with a space.
workspaces | resource group | 1-260 | Can't use: <>*%&:?+/\\ or control characters. Can't end with a space.

Microsoft.MachineLearningServices
Entity | Scope | Length | Valid characters
workspaces | resource group | 3-33 | Alphanumerics and hyphens.
workspaces / computes | workspace | 2-16 | Alphanumerics and hyphens.

Microsoft.ManagedIdentity
Entity | Scope | Length | Valid characters
userAssignedIdentities | resource group | 3-128 | Alphanumerics, hyphens, and underscores. Start with letter or number.

Microsoft.Maps
Entity | Scope | Length | Valid characters
accounts | resource group | 1-98 (for resource group name and account name) | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric.

Microsoft.Media
Entity | Scope | Length | Valid characters
mediaservices | resource group | 3-24 | Lowercase letters and numbers.
mediaservices / liveEvents | Media service | 1-32 | Alphanumerics and hyphens. Start with alphanumeric.
mediaservices / liveEvents / liveOutputs | Live event | 1-256 | Alphanumerics and hyphens. Start with alphanumeric.
mediaservices / streamingEndpoints | Media service | 1-24 | Alphanumerics and hyphens. Start with alphanumeric.

Microsoft.Network
Entity | Scope | Length | Valid characters
applicationGateways | resource group | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
applicationSecurityGroups | resource group | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
azureFirewalls | resource group | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
bastionHosts | resource group | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
connections | resource group | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
dnsZones | resource group | 1-63 characters; 2 to 34 labels. Each label is a set of characters separated by a period. For example, contoso.com has 2 labels. | Each label can contain alphanumerics, underscores, and hyphens. Each label is separated by a period.
expressRouteCircuits | resource group | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
firewallPolicies | resource group | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
firewallPolicies / ruleGroups | firewall policy | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
frontDoors | global | 5-64 | Alphanumerics and hyphens. Start and end with alphanumeric.
frontdoorWebApplicationFirewallPolicies | resource group | 1-128 | Alphanumerics. Start with letter.
loadBalancers | resource group | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
loadBalancers / inboundNatRules | load balancer | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
localNetworkGateways | resource group | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
networkInterfaces | resource group | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
networkSecurityGroups | resource group | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
networkSecurityGroups / securityRules | network security group | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
networkWatchers | resource group | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
privateDnsZones | resource group | 1-63 characters; 2 to 34 labels. Each label is a set of characters separated by a period. For example, contoso.com has 2 labels. | Each label can contain alphanumerics, underscores, and hyphens. Each label is separated by a period.
privateDnsZones / virtualNetworkLinks | private DNS zone | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
publicIPAddresses | resource group | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
publicIPPrefixes | resource group | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
routeFilters | resource group | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
routeFilters / routeFilterRules | route filter | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
routeTables | resource group | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
routeTables / routes | route table | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
serviceEndpointPolicies | resource group | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
trafficmanagerprofiles | global | 1-63 | Alphanumerics, hyphens, and periods. Start and end with alphanumeric.
virtualNetworkGateways | resource group | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
virtualNetworks | resource group | 2-64 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
virtualnetworks / subnets | virtual network | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
virtualNetworks / virtualNetworkPeerings | virtual network | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
virtualWans | resource group | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
vpnGateways | resource group | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
vpnGateways / vpnConnections | VPN gateway | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
vpnSites | resource group | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.

Microsoft.NotificationHubs
Entity | Scope | Length | Valid characters
namespaces | global | 6-50 | Alphanumerics and hyphens. Start with letter. End with alphanumeric.
namespaces / AuthorizationRules | namespace | 1-256 | Alphanumerics, periods, hyphens, and underscores. Start with alphanumeric.
namespaces / notificationHubs | namespace | 1-260 | Alphanumerics, periods, hyphens, and underscores. Start with alphanumeric.
namespaces / notificationHubs / AuthorizationRules | notification hub | 1-256 | Alphanumerics, periods, hyphens, and underscores. Start with alphanumeric.
Microsoft.OperationalInsights
Entity | Scope | Length | Valid characters
clusters | resource group | 4-63 | Alphanumerics and hyphens. Start and end with alphanumeric.
workspaces | global | 4-63 | Alphanumerics and hyphens. Start and end with alphanumeric.

Microsoft.OperationsManagement
Entity | Scope | Length | Valid characters
solutions | workspace | N/A | For solutions authored by Microsoft, the name must be in the pattern SolutionType(WorkspaceName). For solutions authored by third parties, the name must be in the pattern SolutionType[WorkspaceName]. For example, a valid name is AntiMalware(contoso-IT). The solution type is case-sensitive.

Microsoft.Portal
Entity | Scope | Length | Valid characters
dashboards | resource group | 3-160 | Alphanumerics and hyphens. To use restricted characters, add a tag named hidden-title with the dashboard name you want to use. The portal displays that name when showing the dashboard.

Microsoft.PowerBI
Entity | Scope | Length | Valid characters
workspaceCollections | region | 3-63 | Alphanumerics and hyphens. Can't start with hyphen. Can't use consecutive hyphens.

Microsoft.PowerBIDedicated
Entity | Scope | Length | Valid characters
capacities | region | 3-63 | Lowercase letters or numbers. Start with lowercase letter.

Microsoft.RecoveryServices
Entity | Scope | Length | Valid characters
vaults | resource group | 2-50 | Alphanumerics and hyphens. Start with letter.
vaults / backupPolicies | vault | 3-150 | Alphanumerics and hyphens. Start with letter. Can't end with hyphen.

Microsoft.Relay
Entity | Scope | Length | Valid characters
namespaces | global | 6-50 | Alphanumerics and hyphens. Start with a letter. End with a letter or number.
namespaces / AuthorizationRules | namespace | 1-50 | Alphanumerics, periods, hyphens, and underscores. Start and end with alphanumeric.
namespaces / HybridConnections | namespace | 1-260 | Alphanumerics, periods, hyphens, underscores, and slashes. Start and end with alphanumeric.
namespaces / HybridConnections / authorizationRules | hybrid connection | 1-50 | Alphanumerics, periods, hyphens, and underscores. Start and end with alphanumeric.
namespaces / WcfRelays | namespace | 1-260 | Alphanumerics, periods, hyphens, underscores, and slashes. Start and end with alphanumeric.
namespaces / WcfRelays / authorizationRules | Wcf relay | 1-50 | Alphanumerics, periods, hyphens, and underscores. Start and end with alphanumeric.

Microsoft.Resources
Entity | Scope | Length | Valid characters
deployments | resource group | 1-64 | Alphanumerics, underscores, parentheses, hyphens, and periods.
resourcegroups | subscription | 1-90 | Alphanumerics, underscores, parentheses, hyphens, periods, and unicode characters that match the regex documentation. Can't end with period.
tagNames | resource | 1-512 | Can't use: <>%&\?/ or control characters.
tagNames / tagValues | tag name | 1-256 | All characters.
templateSpecs | resource group | 1-90 | Alphanumerics, underscores, parentheses, hyphens, and periods.

Microsoft.Security
Entity | Scope | Length | Valid characters
advancedThreatProtectionSettings | resource group | see value | Must be current.
alertsSuppressionRules | subscription | 1-260 | Alphanumerics, underscores, and hyphens.
assessmentMetadata | assessment type | 1-260 | Alphanumerics, underscores, and hyphens.
assessments | assessment type | 1-260 | Alphanumerics, underscores, and hyphens.
automations | resource group | 1-260 | Alphanumerics, underscores, and hyphens.
autoProvisioningSettings | subscription | 1-260 | Alphanumerics, underscores, and hyphens.
connectors | subscription | 1-260 | Alphanumerics, underscores, and hyphens.
deviceSecurityGroups | resource group | 1-260 | Alphanumerics, underscores, and hyphens.
informationProtectionPolicies | resource group | see values | Use one of: custom, effective.
iotSecuritySolutions | resource group | 1-260 | Alphanumerics, underscores, and hyphens.
locations / applicationWhitelistings | subscription | 1-260 | Alphanumerics, underscores, and hyphens.
locations / jitNetworkAccessPolicies | resource group | 1-260 | Alphanumerics, underscores, and hyphens.
ingestionSettings | subscription | 1-260 | Alphanumerics, underscores, and hyphens.
pricings | subscription | 1-260 | Alphanumerics, underscores, and hyphens.
securityContacts | subscription | 1-260 | Alphanumerics, underscores, and hyphens.
settings | subscription | see values | Use one of: MCAS, Sentinel, WDATP, WDATP_EXCLUDE_LINUX_PUBLIC_PREVIEW.
serverVulnerabilityAssessments | resource type | see value | Must be Default.
sqlVulnerabilityAssessments / baselineRules | Vulnerability assessment | 1-260 | Alphanumerics, underscores, and hyphens.

Microsoft.ServiceBus
Entity | Scope | Length | Valid characters
namespaces | global | 6-50 | Alphanumerics and hyphens. Start with a letter. End with a letter or number. For more information, see Create namespace.
namespaces / AuthorizationRules | namespace | 1-50 | Alphanumerics, periods, hyphens, and underscores. Start and end with alphanumeric.
namespaces / disasterRecoveryConfigs | global | 6-50 | Alphanumerics and hyphens. Start with letter. End with alphanumeric.
namespaces / migrationConfigurations | namespace | N/A | Should always be $default.
namespaces / queues | namespace | 1-260 | Alphanumerics, periods, hyphens, underscores, and slashes. Start and end with alphanumeric.
namespaces / queues / authorizationRules | queue | 1-50 | Alphanumerics, periods, hyphens, and underscores. Start and end with alphanumeric.
namespaces / topics | namespace | 1-260 | Alphanumerics, periods, hyphens, underscores, and slashes. Start and end with alphanumeric.
namespaces / topics / authorizationRules | topic | 1-50 | Alphanumerics, periods, hyphens, and underscores. Start and end with alphanumeric.
namespaces / topics / subscriptions | topic | 1-50 | Alphanumerics, periods, hyphens, and underscores. Start and end with alphanumeric.
namespaces / topics / subscriptions / rules | subscription | 1-50 | Alphanumerics, periods, hyphens, and underscores. Start and end with alphanumeric.

Microsoft.ServiceFabric
Entity | Scope | Length | Valid characters
clusters | region | 4-23 | Lowercase letters, numbers, and hyphens. Start with lowercase letter. End with lowercase letter or number.

Microsoft.SignalRService
Entity | Scope | Length | Valid characters
signalR | global | 3-63 | Alphanumerics and hyphens. Start with letter. End with letter or number.

Microsoft.Sql
Entity | Scope | Length | Valid characters
managedInstances | global | 1-63 | Lowercase letters, numbers, and hyphens. Can't start or end with hyphen. Can't have any special characters, such as @.
servers | global | 1-63 | Lowercase letters, numbers, and hyphens. Can't start or end with hyphen.
servers / administrators | server | N/A | Must be ActiveDirectory.
servers / databases | server | 1-128 | Can't use: <>*%&:\/? or control characters. Can't end with period or space.
servers / databases / syncGroups | database | 1-150 | Alphanumerics, hyphens, and underscores.
servers / elasticPools | server | 1-128 | Can't use: <>*%&:\/? or control characters. Can't end with period or space.
servers / failoverGroups | global | 1-63 | Lowercase letters, numbers, and hyphens. Can't start or end with hyphen.
servers / firewallRules | server | 1-128 | Can't use: <>*%&:;\/? or control characters. Can't end with period.
servers / keys | server | N/A | Must be in format: VaultName_KeyName_KeyVersion.

Microsoft.Storage
Entity | Scope | Length | Valid characters
storageAccounts | global | 3-24 | Lowercase letters and numbers.
storageAccounts / blobServices | storage account | N/A | Must be default.
storageAccounts / blobServices / containers | storage account | 3-63 | Lowercase letters, numbers, and hyphens. Start with lowercase letter or number. Can't use consecutive hyphens.
storageAccounts / fileServices | storage account | N/A | Must be default.
storageAccounts / fileServices / shares | storage account | 3-63 | Lowercase letters, numbers, and hyphens. Can't start or end with hyphen. Can't use consecutive hyphens.
storageAccounts / managementPolicies | storage account | N/A | Must be default.
blob | container | 1-1024 | Any URL characters, case sensitive.
queue | storage account | 3-63 | Lowercase letters, numbers, and hyphens. Can't start or end with hyphen. Can't use consecutive hyphens.
table | storage account | 3-63 | Alphanumerics. Start with letter.

Microsoft.StorageSync
Entity | Scope | Length | Valid characters
storageSyncServices | resource group | 1-260 | Alphanumerics, spaces, periods, hyphens, and underscores. Can't end with period or space.
storageSyncServices / syncGroups | storage sync service | 1-260 | Alphanumerics, spaces, periods, hyphens, and underscores. Can't end with period or space.

Microsoft.StorSimple
Entity | Scope | Length | Valid characters
managers | resource group | 2-50 | Alphanumerics and hyphens. Start with letter. End with alphanumeric.

Microsoft.StreamAnalytics
Entity | Scope | Length | Valid characters
streamingjobs | resource group | 3-63 | Alphanumerics, hyphens, and underscores.
streamingjobs / functions | streaming job | 3-63 | Alphanumerics, hyphens, and underscores.
streamingjobs / inputs | streaming job | 3-63 | Alphanumerics, hyphens, and underscores.
streamingjobs / outputs | streaming job | 3-63 | Alphanumerics, hyphens, and underscores.
streamingjobs / transformations | streaming job | 3-63 | Alphanumerics, hyphens, and underscores.

Microsoft.TimeSeriesInsights
Entity | Scope | Length | Valid characters
environments | resource group | 1-90 | Can't use: '<>%&:\?/# or control characters.
environments / accessPolicies | environment | 1-90 | Can't use: '<>%&:\?/# or control characters.
environments / eventSources | environment | 1-90 | Can't use: '<>%&:\?/# or control characters.
environments / referenceDataSets | environment | 3-63 | Alphanumerics.

Microsoft.Web
Entity | Scope | Length | Valid characters
certificates | resource group | 1-260 | Can't use: / . Can't end with space or period.
serverfarms | resource group | 1-40 | Alphanumerics and hyphens.
sites | global or per domain (see note below) | 2-60 | Alphanumerics and hyphens. Can't start or end with hyphen.
sites / slots | site | 2-59 | Alphanumerics and hyphens.

NOTE
A web site must have a globally unique URL. When you create a web site that uses a hosting plan, the URL is
http://<app-name>.azurewebsites.net . The app name must be globally unique. When you create a web site that uses
an App Service Environment, the app name must be unique within the domain for the App Service Environment. For both
cases, the URL of the site is globally unique.
Azure Functions has the same naming rules and restrictions as Microsoft.Web/sites. However, prior to version 4.x of Azure
Functions Core Tools, the function name was truncated to 32 characters when generating the host ID. For version 4.x, this
limit no longer applies. For earlier versions, limit the function name to 32 characters to avoid naming collisions.
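The rules above are easy to mis-transcribe into a template by hand, and a bad name is only rejected once the deployment is submitted. The following Python is an added example for this page, not Microsoft code: it encodes a handful of rows from the tables above (storage accounts and blob containers, key vaults, SQL servers, web sites, resource groups, action groups) as a length range, a pattern, and extra checks, then validates a {resource type: name} mapping such as you might collect from template parameters in a CI step. The regular expressions are this example's reading of the table text, not an official grammar; in particular `\w` stands in for the "unicode characters that match the regex documentation" wording in the resource group row, and reserved words (see Next steps) are not checked.

```python
"""Validate Azure resource names against a subset of the rules tabulated above.

Added example for this page; not Microsoft code. The patterns below are this
example's encoding of the table text and are an assumption wherever the table
is informal (e.g. the Unicode characters allowed in resource group names).
"""
import re
import unicodedata


def _has_control_chars(name: str) -> bool:
    """True if any character is a Unicode control character (category Cc)."""
    return any(unicodedata.category(ch) == "Cc" for ch in name)


def _denied(chars: str):
    """Build an extra check that flags any character from a table's 'Can't use' set."""
    denied = set(chars)
    return (f"can't contain any of {chars!r}", lambda n: any(c in denied for c in n))


# resource type -> (min_len, max_len, full-match pattern or None, [(description, violated(name))])
RULES = {
    "Microsoft.Storage/storageAccounts": (3, 24, re.compile(r"^[a-z0-9]+$"), []),
    "Microsoft.Storage/storageAccounts/blobServices/containers": (
        3, 63, re.compile(r"^[a-z0-9][a-z0-9-]*$"),
        [("can't use consecutive hyphens", lambda n: "--" in n)]),
    "Microsoft.KeyVault/vaults": (
        3, 24, re.compile(r"^[A-Za-z][A-Za-z0-9-]*[A-Za-z0-9]$"),
        [("can't contain consecutive hyphens", lambda n: "--" in n)]),
    "Microsoft.Sql/servers": (1, 63, re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$"), []),
    "Microsoft.Web/sites": (2, 60, re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]*[A-Za-z0-9]$"), []),
    # Assumption: Python's Unicode-aware \w approximates the table's
    # "unicode characters that match the regex documentation".
    "Microsoft.Resources/resourcegroups": (
        1, 90, re.compile(r"^[\w.()\-]+$"),
        [("can't end with period", lambda n: n.endswith("."))]),
    "Microsoft.Insights/actionGroups": (
        1, 260, None,
        [_denied(":<>+/&%\\?"),
         ("can't contain control characters", _has_control_chars),
         ("can't end with space or period", lambda n: n.endswith((" ", ".")))]),
}


def validate(resource_type: str, name: str) -> list:
    """Return the list of rule violations for name; an empty list means it is valid."""
    if resource_type not in RULES:
        raise KeyError(f"no rule encoded for {resource_type}")
    lo, hi, pattern, extra = RULES[resource_type]
    problems = []
    if not lo <= len(name) <= hi:
        problems.append(f"length must be {lo}-{hi}, got {len(name)}")
    if pattern is not None and not pattern.fullmatch(name):
        problems.append("contains characters, or a leading/trailing character, the table disallows")
    for description, violated in extra:
        if violated(name):
            problems.append(description)
    return problems


def check_names(names: dict) -> dict:
    """Validate a {resource_type: name} mapping; returns only the failing entries."""
    failures = {}
    for resource_type, name in names.items():
        problems = validate(resource_type, name)
        if problems:
            failures[resource_type] = problems
    return failures


if __name__ == "__main__":
    # Constructed sample input, not taken from any real subscription.
    sample = {
        "Microsoft.Storage/storageAccounts": "Prod-Logs",   # uppercase and hyphen
        "Microsoft.KeyVault/vaults": "kv--prod",             # consecutive hyphens
        "Microsoft.Sql/servers": "sql-prod-",                # trailing hyphen
        "Microsoft.Web/sites": "myapp",                      # valid
        "Microsoft.Resources/resourcegroups": "rg-prod.",    # trailing period
        "Microsoft.Insights/actionGroups": "oncall+pager",   # '+' is in the denied set
    }
    for resource_type, problems in check_names(sample).items():
        print(f"{resource_type}: {sample[resource_type]!r}: {'; '.join(problems)}")
```

Each entry in RULES is independent, so adding another row from the tables is a one-line change; the length check and the pattern are deliberately separate so that a name can report both problems at once rather than the first one hit.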

Next steps
For recommendations about how to name resources, see Ready: Recommended naming and tagging
conventions.
All resources with a public endpoint can't include reserved words or trademarks in the name. For a list of
the blocked words, see Resolve reserved resource name errors.
Azure Resource Manager vs. classic deployment: Understand deployment models and the state of your resources
2/23/2022 • 10 minutes to read

NOTE
The information provided in this article is only used when you migrate from the classic deployment to the Azure Resource
Manager deployment.

In this article, you learn about Azure Resource Manager and classic deployment models. The Resource Manager
and classic deployment models represent two different ways of deploying and managing your Azure solutions.
You work with them through two different API sets, and the deployed resources can contain important
differences. The two models aren't compatible with each other. This article describes those differences.
To simplify the deployment and management of resources, Microsoft recommends that you use Resource
Manager for all new resources. If possible, Microsoft recommends that you redeploy existing resources through
Resource Manager. If you've used Cloud Services, you can migrate your solution to Cloud Services (extended
support).
If you're new to Resource Manager, you may want to first review the terminology defined in the Azure Resource
Manager overview.

History of the deployment models


Azure originally provided only the classic deployment model. In this model, each resource existed
independently; there was no way to group related resources together. Instead, you had to manually track which
resources made up your solution or application, and remember to manage them in a coordinated approach. To
deploy a solution, you had to either create each resource individually through the portal or create a script that
deployed all the resources in the correct order. To delete a solution, you had to delete each resource individually.
You couldn't easily apply and update access control policies for related resources. Finally, you couldn't apply tags
to resources to label them with terms that help you monitor your resources and manage billing.
In 2014, Azure introduced Resource Manager, which added the concept of a resource group. A resource group is
a container for resources that share a common lifecycle. The Resource Manager deployment model provides
several benefits:
You can deploy, manage, and monitor all the services for your solution as a group, rather than handling these
services individually.
You can repeatedly deploy your solution throughout its lifecycle and have confidence your resources are
deployed in a consistent state.
You can apply access control to all resources in your resource group, and those policies are automatically
applied when new resources are added to the resource group.
You can apply tags to resources to logically organize all the resources in your subscription.
You can use JavaScript Object Notation (JSON) to define the infrastructure for your solution. The JSON file is
known as a Resource Manager template.
You can define the dependencies between resources so they're deployed in the correct order.
When Resource Manager was added, all resources were retroactively added to default resource groups. If you
create a resource through classic deployment now, the resource is automatically created within a default
resource group for that service, even though you didn't specify that resource group at deployment. However,
just existing within a resource group doesn't mean that the resource has been converted to the Resource
Manager model.

Understand support for the models


There are three scenarios to be aware of:
1. Cloud Services (classic) doesn't support the Resource Manager deployment model. Cloud Services (extended
support) supports the Resource Manager deployment model.
2. Virtual machines, storage accounts, and virtual networks support both Resource Manager and classic
deployment models.
3. All other Azure services support Resource Manager.
For virtual machines, storage accounts, and virtual networks, if the resource was created through classic
deployment, you must continue to operate on it through classic operations. If the virtual machine, storage
account, or virtual network was created through Resource Manager deployment, you must continue using
Resource Manager operations. This distinction can get confusing when your subscription contains a mix of
resources created through Resource Manager and classic deployment. This combination of resources can create
unexpected results because the resources don't support the same operations.
In some cases, a Resource Manager command can retrieve information about a resource created through classic
deployment, or can perform an administrative task such as moving a classic resource to another resource group.
But, these cases shouldn't give the impression that the type supports Resource Manager operations. For
example, suppose you have a resource group that contains a virtual machine that was created with classic
deployment. If you run the following Resource Manager PowerShell command:

Get-AzResource -ResourceGroupName ExampleGroup -ResourceType Microsoft.ClassicCompute/virtualMachines

It returns the virtual machine:

Name : ExampleClassicVM
ResourceId : /subscriptions/{guid}/resourceGroups/ExampleGroup/providers/Microsoft.ClassicCompute/virtualMachines/ExampleClassicVM
ResourceName : ExampleClassicVM
ResourceType : Microsoft.ClassicCompute/virtualMachines
ResourceGroupName : ExampleGroup
Location : westus
SubscriptionId : {guid}

However, the Resource Manager cmdlet Get-AzVM only returns virtual machines deployed through Resource
Manager. The following command doesn't return the virtual machine created through classic deployment.

Get-AzVM -ResourceGroupName ExampleGroup

Only resources created through Resource Manager support tags. You can't apply tags to classic resources.
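Because a subscription can hold both kinds of resource, and only Resource Manager resources accept tags, an inventory pass that separates the two models is a practical first step before relying on tag-based governance (ownership, data classification, cost center). The Python below is an added example for this page, not Microsoft tooling: it parses resource IDs in the format shown in the Get-AzResource output above, classifies each resource as classic (a Microsoft.Classic* provider namespace) or Resource Manager, flags resource groups that mix the two, and lists the classic resources a tag-based check would silently skip. The inventory records are constructed inline in the shape of Get-AzResource output; the subscription GUID and names are made up, and in practice you would feed it the exported list.

```python
"""Find classic (ASM) resources in an exported inventory and flag resource
groups that mix the two deployment models.

Added example for this page; not Microsoft tooling. The input shape is an
assumption: a list of records with a ResourceId property, as Get-AzResource
returns. Only the resource ID is used; its format is the one the article shows.
"""
import re
from collections import defaultdict

# /subscriptions/{sub}/resourceGroups/{rg}/providers/{namespace}/{type...}/{name}
_ID = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/(?P<ns>[^/]+)/(?P<rest>.+)$",
    re.IGNORECASE,
)


def parse_resource_id(resource_id: str) -> dict:
    """Split a resource ID into subscription, resource group, provider namespace, type and name."""
    m = _ID.match(resource_id)
    if not m:
        raise ValueError(f"not a resource ID: {resource_id}")
    parts = m.group("rest").split("/")
    # The remainder alternates type/name segments; the name is the last segment.
    return {
        "sub": m.group("sub"),
        "rg": m.group("rg"),
        "ns": m.group("ns"),
        "type": f"{m.group('ns')}/" + "/".join(parts[0::2]),
        "name": parts[-1],
    }


def is_classic(resource_id: str) -> bool:
    """Classic (ASM) resources live under the Microsoft.Classic* provider namespaces."""
    return parse_resource_id(resource_id)["ns"].lower().startswith("microsoft.classic")


def summarize(inventory: list) -> dict:
    """Per resource group: counts of classic and Resource Manager resources and a mixed flag."""
    groups = defaultdict(lambda: {"classic": 0, "arm": 0, "mixed": False})
    for rec in inventory:
        info = parse_resource_id(rec["ResourceId"])
        key = info["rg"].lower()  # resource group names are compared case-insensitively
        groups[key]["classic" if is_classic(rec["ResourceId"]) else "arm"] += 1
    for stats in groups.values():
        stats["mixed"] = stats["classic"] > 0 and stats["arm"] > 0
    return dict(groups)


def untaggable(inventory: list) -> list:
    """IDs of classic resources. Tags can't be applied to them, so any tag-based
    compliance check never sees them and reports nothing."""
    return [rec["ResourceId"] for rec in inventory if is_classic(rec["ResourceId"])]


# Constructed sample inventory in the shape of Get-AzResource output (made-up GUID and names).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
SAMPLE = [
    {"Name": "ExampleClassicVM",
     "ResourceId": SUB + "ExampleGroup/providers/Microsoft.ClassicCompute/virtualMachines/ExampleClassicVM"},
    {"Name": "examplevm01",
     "ResourceId": SUB + "examplegroup/providers/Microsoft.Compute/virtualMachines/examplevm01"},
    {"Name": "legacystore",
     "ResourceId": SUB + "LegacyGroup/providers/Microsoft.ClassicStorage/storageAccounts/legacystore"},
    {"Name": "vnet-hub",
     "ResourceId": SUB + "Network-RG/providers/Microsoft.Network/virtualNetworks/vnet-hub"},
]

if __name__ == "__main__":
    for rg, stats in summarize(SAMPLE).items():
        flag = "  <-- mixed deployment models" if stats["mixed"] else ""
        print(f"{rg}: classic={stats['classic']} arm={stats['arm']}{flag}")
    print("classic resources that tag-based policy can't cover:")
    for rid in untaggable(SAMPLE):
        print("  " + rid)
```

Resource group names are lower-cased before grouping because the same group can appear with different casing in different records, as ExampleGroup and examplegroup do in the sample; without that step the mixed group would be missed.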

Changes for compute, network, and storage


The following diagram displays compute, network, and storage resources deployed through Resource Manager.
(Diagram legend: SRP = Storage Resource Provider, CRP = Compute Resource Provider, NRP = Network Resource Provider.)
Note the following relationships between the resources:
All the resources exist within a resource group.
The virtual machine depends on a specific storage account defined in the Storage resource provider to store
its disks in blob storage (required).
The virtual machine references a specific network interface card defined in the Network resource provider
(required) and an availability set defined in the Compute resource provider (optional).
The network interface card references the virtual machine's assigned IP address (required), the subnet of the
virtual network for the virtual machine (required), and to a Network Security Group (optional).
The subnet within a virtual network references a Network Security Group (optional).
The load balancer instance references the backend pool of IP addresses that include the network interface
card of a virtual machine (optional) and references a load balancer public or private IP address (optional).
Here are the components and their relationships for classic deployment:
The classic solution for hosting a virtual machine includes:
Cloud Services (classic) acts as a container for hosting virtual machines (compute). Virtual machines are
automatically provided with a network interface card and an IP address assigned by Azure. Additionally, the
cloud service contains an external load balancer instance, a public IP address, and default endpoints to allow
remote desktop and remote PowerShell traffic for Windows-based virtual machines and Secure Shell (SSH)
traffic for Linux-based virtual machines.
A required storage account that stores the virtual hard disks for a virtual machine, including the operating
system, temporary, and additional data disks (storage).
An optional virtual network that acts as an additional container, in which you can create a subnetted structure
and choose the subnet on which the virtual machine is located (network).
The following table describes changes in how Compute, Network, and Storage resource providers interact:
Item: Cloud Service for Virtual Machines
Classic: Cloud Service was a container for holding the virtual machines that required Availability from the platform and Load Balancing.
Resource Manager: Cloud Service is no longer an object required for creating a Virtual Machine using the new model.

Item: Virtual Networks
Classic: A virtual network is optional for the virtual machine. If included, the virtual network can't be deployed with Resource Manager.
Resource Manager: The virtual machine requires a virtual network that has been deployed with Resource Manager.

Item: Storage Accounts
Classic: The virtual machine requires a storage account that stores the virtual hard disks for the operating system, temporary, and additional data disks.
Resource Manager: The virtual machine requires a storage account to store its disks in blob storage.

Item: Availability Sets
Classic: Availability to the platform was indicated by configuring the same "AvailabilitySetName" on the Virtual Machines. The maximum count of fault domains was 2.
Resource Manager: Availability Set is a resource exposed by the Microsoft.Compute provider. Virtual Machines that require high availability must be included in the Availability Set. The maximum count of fault domains is now 3.

Item: Affinity Groups
Classic: Affinity Groups were required for creating Virtual Networks. However, with the introduction of Regional Virtual Networks, that wasn't required anymore.
Resource Manager: To simplify, the Affinity Groups concept doesn't exist in the APIs exposed through Azure Resource Manager.

Item: Load Balancing
Classic: Creation of a Cloud Service provides an implicit load balancer for the Virtual Machines deployed.
Resource Manager: The Load Balancer is a resource exposed by the Microsoft.Network provider. The primary network interface of the Virtual Machines that need to be load balanced should reference the load balancer. Load Balancers can be internal or external. A load balancer instance references the backend pool of IP addresses that include the NIC of a virtual machine (optional) and references a load balancer public or private IP address (optional).

Item: Virtual IP Address
Classic: Cloud Services get a default VIP (Virtual IP Address) when a VM is added to a cloud service. The Virtual IP Address is the address associated with the implicit load balancer.
Resource Manager: Public IP address is a resource exposed by the Microsoft.Network provider. A Public IP address can be static (reserved) or dynamic. Dynamic public IPs can be assigned to a Load Balancer. Public IPs can be secured using Security Groups.

Item: Reserved IP Address
Classic: You can reserve an IP Address in Azure and associate it with a Cloud Service to ensure that the IP Address is sticky.
Resource Manager: A Public IP Address can be created in static mode and it offers the same capability as a reserved IP address.

Item: Public IP Address (PIP) per VM
Classic: Public IP Addresses can also be associated with a VM directly.
Resource Manager: Public IP address is a resource exposed by the Microsoft.Network provider. A Public IP Address can be static (reserved) or dynamic.

Item: Endpoints
Classic: Input Endpoints needed to be configured on a Virtual Machine to open up connectivity on certain ports. One of the common ways of connecting to virtual machines was setting up input endpoints.
Resource Manager: Inbound NAT Rules can be configured on Load Balancers to achieve the same capability of enabling endpoints on specific ports for connecting to the VMs.

Item: DNS Name
Classic: A cloud service would get an implicit globally unique DNS Name. For example: mycoffeeshop.cloudapp.net.
Resource Manager: DNS Names are optional parameters that can be specified on a Public IP Address resource. The FQDN is in the following format: <domainlabel>.<region>.cloudapp.azure.com.

Item: Network Interfaces
Classic: Primary and Secondary Network Interfaces and their properties were defined as the network configuration of a Virtual machine.
Resource Manager: Network Interface is a resource exposed by the Microsoft.Network provider. The lifecycle of the Network Interface isn't tied to a Virtual Machine. It references the virtual machine's assigned IP address (required), the subnet of the virtual network for the virtual machine (required), and a Network Security Group (optional).

To learn about connecting virtual networks from different deployment models, see Connect virtual networks
from different deployment models in the portal.

Migrate from classic to Resource Manager


If you're ready to migrate your resources from classic deployment to Resource Manager deployment, see:
1. Technical deep dive on platform-supported migration from classic to Azure Resource Manager
2. Platform supported migration of IaaS resources from Classic to Azure Resource Manager
3. Migrate IaaS resources from classic to Azure Resource Manager by using Azure PowerShell
4. Migrate IaaS resources from classic to Azure Resource Manager by using Azure CLI

Frequently asked questions


Can I create a virtual machine using Resource Manager to deploy in a virtual network created
using classic deployment?
This configuration isn't supported. You can't use Resource Manager to deploy a virtual machine into a virtual
network that was created using classic deployment.
Can I create a virtual machine using Resource Manager from a user image that was created using
the classic deployment model?
This configuration isn't supported. However, you can copy the virtual hard disk files from a storage account that
was created using the classic deployment model, and add them to a new account created through Resource
Manager.
What is the impact on the quota for my subscription?
The quotas for the virtual machines, virtual networks, and storage accounts created through the Azure Resource
Manager are separate from other quotas. Each subscription gets quotas to create the resources using the new
APIs. You can read more about the additional quotas here.
Can I continue to use my automated scripts for provisioning virtual machines, virtual networks,
and storage accounts through the Resource Manager APIs?
All the automation and scripts that you've built continue to work for the existing virtual machines and virtual
networks created under Azure Service Management mode. However, the scripts have to be updated to use
the new schema for creating the same resources through the Resource Manager mode.
Where can I find examples of Azure Resource Manager templates?
A comprehensive set of starter templates can be found on Azure Resource Manager Quickstart Templates.
Next steps
To see the commands for deploying a template, see Deploy an application with Azure Resource Manager
template.
Resource providers for Azure services
2/23/2022 • 4 minutes to read

This article shows how resource provider namespaces map to Azure services. If you don't know the resource
provider, see Find resource provider.

Match resource provider to service


The resource providers that are marked with "- registered" are registered by default for your subscription. For
more information, see Registration.

RESO URC E P RO VIDER N A M ESPA C E A Z URE SERVIC E

Microsoft.AAD Azure Active Directory Domain Services

Microsoft.Addons core

Microsoft.ADHybridHealthService - registered Azure Active Directory

Microsoft.Advisor Azure Advisor

Microsoft.AlertsManagement Azure Monitor

Microsoft.AnalysisServices Azure Analysis Services

Microsoft.ApiManagement API Management

Microsoft.AppConfiguration Azure App Configuration

Microsoft.AppPlatform Azure Spring Cloud

Microsoft.Attestation Azure Attestation Service

Microsoft.Authorization - registered Azure Resource Manager

Microsoft.Automation Automation

Microsoft.AutonomousSystems Autonomous Systems

Microsoft.AVS Azure VMware Solution

Microsoft.AzureActiveDirectory Azure Active Directory B2C

Microsoft.AzureArcData Azure Arc-enabled data services

Microsoft.AzureData SQL Server registry

Microsoft.AzureStack core

Microsoft.AzureStackHCI Azure Stack HCI

Microsoft.Batch Batch

Microsoft.Billing - registered Cost Management and Billing

Microsoft.BingMaps Bing Maps

Microsoft.Blockchain Azure Blockchain Service

Microsoft.BlockchainTokens Azure Blockchain Tokens

Microsoft.Blueprint Azure Blueprints

Microsoft.BotService Azure Bot Service

Microsoft.Cache Azure Cache for Redis

Microsoft.Capacity core

Microsoft.Cdn Content Delivery Network

Microsoft.CertificateRegistration App Service Certificates

Microsoft.ChangeAnalysis Azure Monitor

Microsoft.ClassicCompute Classic deployment model virtual machine

Microsoft.ClassicInfrastructureMigrate Classic deployment model migration

Microsoft.ClassicNetwork Classic deployment model virtual network

Microsoft.ClassicStorage Classic deployment model storage

Microsoft.ClassicSubscription - registered Classic deployment model

Microsoft.CognitiveServices Cognitive Services

Microsoft.Commerce - registered core

Microsoft.Compute Virtual Machines, Virtual Machine Scale Sets

Microsoft.Consumption - registered Cost Management

Microsoft.ContainerInstance Container Instances

Microsoft.ContainerRegistry Container Registry

Microsoft.ContainerService Azure Kubernetes Service (AKS)

Microsoft.CostManagement - registered Cost Management

Microsoft.CostManagementExports Cost Management

Microsoft.CustomerLockbox Customer Lockbox for Microsoft Azure

Microsoft.CustomProviders Azure Custom Providers

Microsoft.DataBox Azure Data Box

Microsoft.DataBoxEdge Azure Stack Edge

Microsoft.Databricks Azure Databricks

Microsoft.DataCatalog Data Catalog

Microsoft.DataFactory Data Factory

Microsoft.DataLakeAnalytics Data Lake Analytics

Microsoft.DataLakeStore Azure Data Lake Storage Gen2

Microsoft.DataMigration Azure Database Migration Service

Microsoft.DataProtection Data Protection

Microsoft.DataShare Azure Data Share

Microsoft.DBforMariaDB Azure Database for MariaDB

Microsoft.DBforMySQL Azure Database for MySQL

Microsoft.DBforPostgreSQL Azure Database for PostgreSQL

Microsoft.DesktopVirtualization Windows Virtual Desktop

Microsoft.Devices Azure IoT Hub, Azure IoT Hub Device Provisioning Service

Microsoft.DeviceUpdate Device Update for IoT Hub

Microsoft.DevOps Azure DevOps

Microsoft.DevSpaces Azure Dev Spaces

Microsoft.DevTestLab Azure Lab Services

Microsoft.DigitalTwins Azure Digital Twins

Microsoft.DocumentDB Azure Cosmos DB

Microsoft.DomainRegistration App Service

Microsoft.DynamicsLcs Lifecycle Services

Microsoft.EnterpriseKnowledgeGraph Enterprise Knowledge Graph

Microsoft.EventGrid Event Grid

Microsoft.EventHub Event Hubs

Microsoft.Features - registered Azure Resource Manager

Microsoft.GuestConfiguration Azure Policy

Microsoft.HanaOnAzure SAP HANA on Azure Large Instances

Microsoft.HardwareSecurityModules Azure Dedicated HSM

Microsoft.HDInsight HDInsight

Microsoft.HealthcareApis (Azure API for FHIR) Azure API for FHIR

Microsoft.HealthcareApis (Healthcare APIs) Healthcare APIs

Microsoft.HybridCompute Azure Arc-enabled servers

Microsoft.HybridData StorSimple

Microsoft.HybridNetwork Network Function Manager

Microsoft.ImportExport Azure Import/Export

Microsoft.Insights Azure Monitor

Microsoft.IoTCentral Azure IoT Central

Microsoft.IoTSpaces Azure Digital Twins

Microsoft.Intune Azure Monitor

Microsoft.KeyVault Key Vault

Microsoft.Kubernetes Azure Arc-enabled Kubernetes

Microsoft.KubernetesConfiguration Azure Arc-enabled Kubernetes

Microsoft.Kusto Azure Data Explorer

Microsoft.LabServices Azure Lab Services

Microsoft.Logic Logic Apps

Microsoft.MachineLearning Machine Learning Studio

Microsoft.MachineLearningServices Azure Machine Learning

Microsoft.Maintenance Azure Maintenance

Microsoft.ManagedIdentity Managed identities for Azure resources

Microsoft.ManagedNetwork Virtual networks managed by PaaS services

Microsoft.ManagedServices Azure Lighthouse

Microsoft.Management Management Groups

Microsoft.Maps Azure Maps

Microsoft.Marketplace core

Microsoft.MarketplaceApps core

Microsoft.MarketplaceOrdering - registered core

Microsoft.Media Media Services

Microsoft.Microservices4Spring Azure Spring Cloud

Microsoft.Migrate Azure Migrate

Microsoft.MixedReality Azure Spatial Anchors

Microsoft.NetApp Azure NetApp Files

Microsoft.Network Application Gateway, Azure Bastion, Azure DDoS Protection, Azure DNS, Azure ExpressRoute, Azure Firewall, Azure Front Door Service, Azure Private Link, Load Balancer, Network Watcher, Traffic Manager, Virtual Network, Virtual Network NAT, Virtual WAN, VPN Gateway

Microsoft.Notebooks Azure Notebooks

Microsoft.NotificationHubs Notification Hubs

Microsoft.ObjectStore Object Store

Microsoft.OffAzure Azure Migrate

Microsoft.OperationalInsights Azure Monitor

Microsoft.OperationsManagement Azure Monitor

Microsoft.Peering Azure Peering Service

Microsoft.PolicyInsights Azure Policy

Microsoft.Portal - registered Azure portal

Microsoft.PowerBI Power BI

Microsoft.PowerBIDedicated Power BI Embedded

Microsoft.PowerPlatform Power Platform

Microsoft.ProjectBabylon Azure Data Catalog

Microsoft.Quantum Azure Quantum

Microsoft.RecoveryServices Azure Site Recovery

Microsoft.RedHatOpenShift Azure Red Hat OpenShift

Microsoft.Relay Azure Relay

Microsoft.ResourceGraph - registered Azure Resource Graph

Microsoft.ResourceHealth Azure Service Health

Microsoft.Resources - registered Azure Resource Manager

Microsoft.SaaS core

Microsoft.Scheduler Scheduler

Microsoft.Search Azure Cognitive Search

Microsoft.Security Security Center

Microsoft.SecurityInsights Microsoft Sentinel

Microsoft.SerialConsole - registered Azure Serial Console for Windows

Microsoft.ServiceBus Service Bus

Microsoft.ServiceFabric Service Fabric

Microsoft.Services core

Microsoft.SignalRService Azure SignalR Service

Microsoft.SoftwarePlan License

Microsoft.Solutions Azure Managed Applications

Microsoft.Sql Azure SQL Database, Azure SQL Managed Instance, Azure Synapse Analytics

Microsoft.SqlVirtualMachine SQL Server on Azure Virtual Machines

Microsoft.Storage Storage

Microsoft.StorageCache Azure HPC Cache

Microsoft.StorageSync Storage

Microsoft.StorSimple StorSimple

Microsoft.StreamAnalytics Azure Stream Analytics

Microsoft.Subscription core

microsoft.support - registered core

Microsoft.Synapse Azure Synapse Analytics

Microsoft.TimeSeriesInsights Azure Time Series Insights

Microsoft.Token Token

Microsoft.VirtualMachineImages Azure Image Builder

microsoft.visualstudio Azure DevOps

Microsoft.VMware Azure VMware Solution

Microsoft.VMwareCloudSimple Azure VMware Solution by CloudSimple

Microsoft.VSOnline Azure DevOps

Microsoft.Web App Service, Azure Functions

Microsoft.WindowsDefenderATP Microsoft Defender Advanced Threat Protection

Microsoft.WindowsESU Extended Security Updates

Microsoft.WindowsIoT Windows 10 IoT Core Services

Microsoft.WorkloadMonitor Azure Monitor

Registration
The resource providers above that are marked with "- registered" are registered by default for your
subscription. To use the other resource providers, you must register them. However, many resource providers
are registered for you when you take certain actions. For example, if you create a resource through the portal,
the portal automatically registers any unregistered resource providers that are needed. When you deploy resources
through an Azure Resource Manager template, any required resource providers are also registered.

IMPORTANT
Only register a resource provider when you're ready to use it. The registration step enables you to maintain least
privileges within your subscription. A malicious user can't use resource providers that aren't registered.

Find resource provider


If you have existing infrastructure in Azure, but aren't sure which resource provider is used, you can use either
Azure CLI or PowerShell to find the resource provider. Specify the name of the resource group that contains the
resources to find.
The following example uses Azure CLI:

az resource list -g examplegroup

The results include the resource type. The resource provider namespace is the first part of the resource type. The
following example shows the Microsoft.KeyVault resource provider.

[
{
...
"type": "Microsoft.KeyVault/vaults"
}
]

The following example uses PowerShell:

Get-AzResource -ResourceGroupName examplegroup

The results include the resource type. The resource provider namespace is the first part of the resource type. The
following example shows the Microsoft.KeyVault resource provider.
Name : examplekey
ResourceGroupName : examplegroup
ResourceType : Microsoft.KeyVault/vaults
...
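The Registration note above says to register a provider only when you are ready to use it, and the two listings show that the namespace is the first segment of each resource's type. The following script, an added example and not part of the Azure documentation or any Microsoft tool, turns those two points into a least-privilege check: it reads the JSON that `az resource list -g <group> -o json` and `az provider list -o json` print, and reports registered providers that no resource in the group uses (candidates for unregistering) as well as resources whose provider is not registered. The JSON samples inside it are constructed and trimmed to the fields the script reads; the set of default-registered providers is the one marked "- registered" in the table above.

```python
"""Audit Azure resource provider registrations against the resources that use them.

Added example (not from the Azure docs page). It post-processes the JSON that
`az resource list -g <group> -o json` and `az provider list -o json` print, so it runs
offline on the constructed samples below; swap in real output by loading those files.
"""
import json

# Providers the page lists as registered by default for every subscription (lower-cased for comparison).
DEFAULT_REGISTERED = {
    "microsoft.adhybridhealthservice", "microsoft.authorization", "microsoft.billing",
    "microsoft.classicsubscription", "microsoft.commerce", "microsoft.consumption",
    "microsoft.costmanagement", "microsoft.features", "microsoft.marketplaceordering",
    "microsoft.portal", "microsoft.resourcegraph", "microsoft.resources",
    "microsoft.serialconsole", "microsoft.support",
}

# Constructed sample of `az resource list -g examplegroup -o json`, trimmed to the fields used.
SAMPLE_RESOURCES = json.loads("""[
  {"name": "examplekey",   "resourceGroup": "examplegroup", "type": "Microsoft.KeyVault/vaults"},
  {"name": "examplestore", "resourceGroup": "examplegroup", "type": "Microsoft.Storage/storageAccounts"},
  {"name": "CustomScript", "resourceGroup": "examplegroup", "type": "Microsoft.Compute/virtualMachines/extensions"},
  {"name": "examplesite",  "resourceGroup": "examplegroup", "type": "Microsoft.Web/sites"}
]""")

# Constructed sample of `az provider list -o json`, trimmed to the fields used.
SAMPLE_PROVIDERS = json.loads("""[
  {"namespace": "Microsoft.KeyVault",         "registrationState": "Registered"},
  {"namespace": "Microsoft.Storage",          "registrationState": "Registered"},
  {"namespace": "Microsoft.Compute",          "registrationState": "Registered"},
  {"namespace": "Microsoft.Resources",        "registrationState": "Registered"},
  {"namespace": "Microsoft.ContainerService", "registrationState": "Registered"},
  {"namespace": "Microsoft.Web",              "registrationState": "NotRegistered"},
  {"namespace": "Microsoft.Blockchain",       "registrationState": "NotRegistered"}
]""")


def namespace_of(resource_type: str) -> str:
    """The provider namespace is the first segment of a resource type such as Microsoft.KeyVault/vaults."""
    return resource_type.split("/", 1)[0]


def namespaces_in_use(resources):
    """Map lower-cased namespace -> canonical spelling for every resource type seen."""
    return {namespace_of(r["type"]).lower(): namespace_of(r["type"]) for r in resources}


def registered_namespaces(providers):
    """Map lower-cased namespace -> canonical spelling for providers in the Registered state."""
    return {p["namespace"].lower(): p["namespace"]
            for p in providers if p.get("registrationState") == "Registered"}


def audit(resources, providers):
    """Return the two findings a least-privilege review of provider registration cares about.

    unused_registered:   registered, not a platform default, and no resource in the listing uses it.
    unregistered_in_use: a resource exists whose provider is not (or no longer) registered.
    """
    used = namespaces_in_use(resources)
    registered = registered_namespaces(providers)
    unused = sorted(name for key, name in registered.items()
                    if key not in used and key not in DEFAULT_REGISTERED)
    missing = sorted(name for key, name in used.items() if key not in registered)
    return {"unused_registered": unused, "unregistered_in_use": missing}


if __name__ == "__main__":
    for finding, names in audit(SAMPLE_RESOURCES, SAMPLE_PROVIDERS).items():
        print(f"{finding}: {', '.join(names) or '(none)'}")
```

Run it against a whole subscription by feeding `az resource list -o json` (no `-g`) instead of a single group; a provider that is registered but unused across every group is the one the IMPORTANT note above is about. Namespaces are compared case-insensitively because Azure reports some of them in lower case (for example `microsoft.support`).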

Next steps
For more information about resource providers, including how to register a resource provider, see Azure
resource providers and types.
Azure control plane and data plane
2/23/2022 • 2 minutes to read

Azure operations can be divided into two categories - control plane and data plane. This article describes the
differences between those two types of operations.
You use the control plane to manage resources in your subscription. You use the data plane to use capabilities
exposed by your instance of a resource type.
For example:
You create a virtual machine through the control plane. After the virtual machine is created, you interact
with it through data plane operations, such as Remote Desktop Protocol (RDP).
You create a storage account through the control plane. You use the data plane to read and write data in
the storage account.
You create a Cosmos database through the control plane. To query data in the Cosmos database, you use
the data plane.

Control plane
All requests for control plane operations are sent to the Azure Resource Manager URL. That URL varies by the
Azure environment.
For Azure global, the URL is https://management.azure.com .
For Azure Government, the URL is https://management.usgovcloudapi.net/ .
For Azure Germany, the URL is https://management.microsoftazure.de/ .
For Microsoft Azure China 21Vianet, the URL is https://management.chinacloudapi.cn .
To discover which operations use the Azure Resource Manager URL, see the Azure REST API. For example, the
create or update operation for MySql is a control plane operation because the request URL is:

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DBforMySQL/servers/{serverName}/databases/{databaseName}?api-version=2017-12-01

Azure Resource Manager handles all control plane requests. It automatically applies the Azure features you've
implemented to manage your resources, such as:
Azure role-based access control (Azure RBAC)
Azure Policy
Management Locks
Activity Logs
After authenticating the request, Azure Resource Manager sends it to the resource provider, which completes the
operation.
The control plane includes two scenarios for handling requests - "green field" and "brown field". Green field
refers to new resources. Brown field refers to existing resources. As you deploy resources, Azure Resource
Manager understands when to create new resources and when to update existing resources. You don't have to
worry that identical resources will be created.
Data plane
Requests for data plane operations are sent to an endpoint that's specific to your instance. For example, the
Detect Language operation in Cognitive Services is a data plane operation because the request URL is:

POST {Endpoint}/text/analytics/v2.0/languages

Data plane operations aren't limited to REST API. They may require other credentials such as logging in to a
virtual machine or database server.
Features that enforce management and governance might not apply to data plane operations. You need to
consider the different ways users interact with your solutions. For example, a lock that prevents users from
deleting a database doesn't prevent users from deleting data through queries.
You can use some policies to govern data plane operations. For more information, see Resource Provider modes
(preview) in Azure Policy.

Next steps
For an overview of Azure Resource Manager, see What is Azure Resource Manager?
To learn more about the effect of policy definitions on new resources and existing resources, see Evaluate
the impact of a new Azure Policy definition.
Resource types that extend capabilities of other
resources
2/23/2022 • 2 minutes to read

An extension resource is a resource that adds to another resource's capabilities. For example, resource lock is an
extension resource. You apply a resource lock to another resource to prevent it from being deleted or modified.
It doesn't make sense to create a resource lock by itself. An extension resource is always applied to another
resource.
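The control plane section earlier states that every control plane request goes to one of four Resource Manager URLs, and the paragraph above says an extension resource such as a lock is always applied to another resource. Both facts are visible in a request URL: the host tells you the plane, and an extension resource shows up as a second providers segment appended to its target's resource ID. The script below, an added example that is not code from the Azure documentation, classifies captured request URLs (constructed here, in the shape a proxy or gateway log would hold) as control plane or data plane and, for control plane requests, extracts subscription, resource group, provider namespace, full resource type and the resource an extension resource is applied to. The host list is taken from the page; the ID grammar follows the PUT URL the page shows for Microsoft.DBforMySQL; the lock example uses Microsoft.Authorization/locks from the list below.

```python
"""Classify captured request URLs as Azure control-plane or data-plane operations and
break control-plane URLs down into scope, provider namespace and resource type.

Added example (not code from the Azure docs page). ARM_HOSTS is the set of Resource
Manager URLs the page gives; the ID grammar follows the request URL the page shows for
Microsoft.DBforMySQL. The sample requests are constructed.
"""
from urllib.parse import urlsplit

# Azure Resource Manager hosts from the page: a request to any of these is a control plane operation.
ARM_HOSTS = {
    "management.azure.com",           # Azure global
    "management.usgovcloudapi.net",   # Azure Government
    "management.microsoftazure.de",   # Azure Germany
    "management.chinacloudapi.cn",    # Microsoft Azure China 21Vianet
}

# Constructed sample of (method, URL) pairs as a proxy or gateway might log them.
SAMPLE_REQUESTS = [
    ("PUT", "https://management.azure.com/subscriptions/11111111-1111-1111-1111-111111111111"
            "/resourceGroups/examplegroup/providers/Microsoft.DBforMySQL/servers/srv1"
            "/databases/db1?api-version=2017-12-01"),
    ("PUT", "https://management.azure.com/subscriptions/11111111-1111-1111-1111-111111111111"
            "/resourceGroups/examplegroup/providers/Microsoft.Storage/storageAccounts/examplestore"
            "/providers/Microsoft.Authorization/locks/no-delete?api-version=2020-05-01"),
    ("GET", "https://management.azure.com/subscriptions/11111111-1111-1111-1111-111111111111"
            "/resourceGroups/examplegroup?api-version=2021-04-01"),
    ("POST", "https://examplecog.cognitiveservices.azure.com/text/analytics/v2.0/languages"),
    ("GET", "https://examplestore.blob.core.windows.net/container/blob.txt"),
]


def parse_resource_id(path: str) -> dict:
    """Split an ARM URL path into its scope and provider segments.

    Returns the subscription, the resource group (None at subscription scope) and a list of
    (namespace, type, name) tuples. A nested type such as servers/databases is joined with "/".
    A second tuple means the request targets an extension resource applied to the first one.
    """
    parts = [p for p in path.split("/") if p]
    result = {"subscription": None, "resourceGroup": None, "providers": []}
    i = 0
    while i < len(parts):
        key = parts[i].lower()
        if key == "subscriptions" and i + 1 < len(parts):
            result["subscription"] = parts[i + 1]
            i += 2
        elif key == "resourcegroups" and i + 1 < len(parts):
            result["resourceGroup"] = parts[i + 1]
            i += 2
        elif key == "providers" and i + 1 < len(parts):
            namespace = parts[i + 1]
            i += 2
            # Type/name pairs follow until the next "providers" keyword starts an extension resource.
            type_segments, name = [], None
            while i < len(parts) and parts[i].lower() != "providers":
                type_segments.append(parts[i])
                name = parts[i + 1] if i + 1 < len(parts) else None  # None for a collection GET
                i += 2
            result["providers"].append((namespace, "/".join(type_segments), name))
        else:
            i += 1
    return result


def full_type(segment) -> str:
    """Namespace and type joined, e.g. Microsoft.DBforMySQL/servers/databases."""
    return "/".join(part for part in segment[:2] if part)


def classify(method: str, url: str) -> dict:
    """Label one request as control plane or data plane and summarize what it touches."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in ARM_HOSTS:
        # Data plane: the endpoint is specific to the instance, so only the host is reported.
        return {"plane": "data", "method": method, "host": host}
    parsed = parse_resource_id(parts.path)
    chain = parsed["providers"]
    return {
        "plane": "control",
        "method": method,
        "subscription": parsed["subscription"],
        "resourceGroup": parsed["resourceGroup"],
        "resourceType": full_type(chain[-1]) if chain else None,
        "name": chain[-1][2] if chain else None,
        # Extension resource: the innermost segment is applied to the resource before it.
        "extensionOf": full_type(chain[0]) if len(chain) > 1 else None,
    }


if __name__ == "__main__":
    for method, url in SAMPLE_REQUESTS:
        print(classify(method, url))
```

The split matters for governance review: the page notes that locks, policy and RBAC are applied by Resource Manager on the control plane, so a request whose host is not in ARM_HOSTS is one those controls may not cover, and the `extensionOf` field tells you which resource a lock or role assignment was attached to.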

Microsoft.Advisor
Microsoft.Advisor/configurations
Microsoft.Advisor/recommendations
Microsoft.Advisor/suppressions

Microsoft.AlertsManagement
Microsoft.AlertsManagement/alerts

Microsoft.Authorization
Microsoft.Authorization/batchResourceCheckAccess
Microsoft.Authorization/denyAssignments
Microsoft.Authorization/eligibleChildResources
Microsoft.Authorization/locks
Microsoft.Authorization/policyAssignments
Microsoft.Authorization/policyDefinitions
Microsoft.Authorization/policyExemptions
Microsoft.Authorization/policySetDefinitions
Microsoft.Authorization/privateLinkAssociations
Microsoft.Authorization/roleAssignmentApprovals
Microsoft.Authorization/roleAssignments
Microsoft.Authorization/roleAssignmentScheduleInstances
Microsoft.Authorization/roleAssignmentScheduleRequests
Microsoft.Authorization/roleAssignmentSchedules
Microsoft.Authorization/roleDefinitions
Microsoft.Authorization/roleEligibilityScheduleInstances
Microsoft.Authorization/roleEligibilityScheduleRequests
Microsoft.Authorization/roleEligibilitySchedules
Microsoft.Authorization/roleManagementPolicies
Microsoft.Authorization/roleManagementPolicyAssignments

Microsoft.Automanage
Microsoft.Automanage/configurationProfileAssignmentIntents
Microsoft.Automanage/configurationProfileAssignments

Microsoft.Billing
Microsoft.Billing/billingPeriods
Microsoft.Billing/billingPermissions
Microsoft.Billing/billingRoleAssignments
Microsoft.Billing/billingRoleDefinitions
Microsoft.Billing/createBillingRoleAssignment

Microsoft.Blueprint
Microsoft.Blueprint/blueprintAssignments
Microsoft.Blueprint/blueprints

Microsoft.Capacity
Microsoft.Capacity/listSkus

Microsoft.ChangeAnalysis
Microsoft.ChangeAnalysis/changes
Microsoft.ChangeAnalysis/changeSnapshots
Microsoft.ChangeAnalysis/computeChanges

Microsoft.Consumption
Microsoft.Consumption/AggregatedCost
Microsoft.Consumption/Balances
Microsoft.Consumption/Budgets
Microsoft.Consumption/Charges
Microsoft.Consumption/CostTags
Microsoft.Consumption/credits
Microsoft.Consumption/events
Microsoft.Consumption/Forecasts
Microsoft.Consumption/lots
Microsoft.Consumption/Marketplaces
Microsoft.Consumption/Pricesheets
Microsoft.Consumption/products
Microsoft.Consumption/ReservationDetails
Microsoft.Consumption/ReservationRecommendationDetails
Microsoft.Consumption/ReservationRecommendations
Microsoft.Consumption/ReservationSummaries
Microsoft.Consumption/ReservationTransactions

Microsoft.ContainerInstance
Microsoft.ContainerInstance/serviceAssociationLinks

Microsoft.CostManagement
Microsoft.CostManagement/Alerts
Microsoft.CostManagement/Budgets
Microsoft.CostManagement/CheckNameAvailability
Microsoft.CostManagement/Dimensions
Microsoft.CostManagement/Exports
Microsoft.CostManagement/ExternalSubscriptions
Microsoft.CostManagement/Forecast
Microsoft.CostManagement/GenerateDetailedCostReport
Microsoft.CostManagement/Insights
Microsoft.CostManagement/OperationResults
Microsoft.CostManagement/OperationStatus
Microsoft.CostManagement/Query
Microsoft.CostManagement/Reportconfigs
Microsoft.CostManagement/Reports
Microsoft.CostManagement/ScheduledActions
Microsoft.CostManagement/Views

Microsoft.CustomProviders
Microsoft.CustomProviders/associations

Microsoft.DataMigration
Microsoft.DataMigration/DatabaseMigrations

Microsoft.Diagnostics
Microsoft.Diagnostics/InsightDiagnostics
Microsoft.Diagnostics/solutions

Microsoft.EventGrid
Microsoft.EventGrid/eventSubscriptions
Microsoft.EventGrid/extensionTopics

Microsoft.GuestConfiguration
Microsoft.GuestConfiguration/configurationProfileAssignments
Microsoft.GuestConfiguration/guestConfigurationAssignments
Microsoft.GuestConfiguration/software

Microsoft.HybridConnectivity
Microsoft.HybridConnectivity/endpoints

microsoft.insights
microsoft.insights/baseline
microsoft.insights/dataCollectionRuleAssociations
microsoft.insights/diagnosticSettings
microsoft.insights/diagnosticSettingsCategories
microsoft.insights/eventtypes
microsoft.insights/extendedDiagnosticSettings
microsoft.insights/guestDiagnosticSettingsAssociation
microsoft.insights/logDefinitions
microsoft.insights/logs
microsoft.insights/metricbaselines
microsoft.insights/metricDefinitions
microsoft.insights/metricNamespaces
microsoft.insights/metrics
microsoft.insights/myWorkbooks
microsoft.insights/topology
microsoft.insights/transactions

Microsoft.IoTSecurity
Microsoft.IoTSecurity/sensors
Microsoft.IoTSecurity/sites

Microsoft.KubernetesConfiguration
Microsoft.KubernetesConfiguration/extensions
Microsoft.KubernetesConfiguration/fluxConfigurations
Microsoft.KubernetesConfiguration/sourceControlConfigurations

Microsoft.Maintenance
Microsoft.Maintenance/applyUpdates
Microsoft.Maintenance/configurationAssignments
Microsoft.Maintenance/updates

Microsoft.ManagedIdentity
Microsoft.ManagedIdentity/Identities

Microsoft.ManagedServices
Microsoft.ManagedServices/registrationAssignments
Microsoft.ManagedServices/registrationDefinitions

Microsoft.OperationalInsights
Microsoft.OperationalInsights/storageInsightConfigs

Microsoft.OperationsManagement
Microsoft.OperationsManagement/managementassociations

Microsoft.PolicyInsights
Microsoft.PolicyInsights/attestations
Microsoft.PolicyInsights/eventGridFilters
Microsoft.PolicyInsights/policyEvents
Microsoft.PolicyInsights/policyStates
Microsoft.PolicyInsights/policyTrackedResources
Microsoft.PolicyInsights/remediations

Microsoft.Quota
Microsoft.Quota/operationsStatus
Microsoft.Quota/quotaRequests
Microsoft.Quota/quotas
Microsoft.Quota/usages

Microsoft.RecoveryServices
Microsoft.RecoveryServices/backupProtectedItems
Microsoft.RecoveryServices/replicationEligibilityResults

Microsoft.ResourceHealth
Microsoft.ResourceHealth/childResources
Microsoft.ResourceHealth/events
Microsoft.ResourceHealth/impactedResources

Microsoft.Resources
Microsoft.Resources/links
Microsoft.Resources/tags

Microsoft.Security
Microsoft.Security/adaptiveNetworkHardenings
Microsoft.Security/advancedThreatProtectionSettings
Microsoft.Security/antiMalwareSettings
Microsoft.Security/assessmentMetadata
Microsoft.Security/assessments
Microsoft.Security/Compliances
Microsoft.Security/dataCollectionAgents
Microsoft.Security/deviceSecurityGroups
Microsoft.Security/InformationProtectionPolicies
Microsoft.Security/insights
Microsoft.Security/jitPolicies
Microsoft.Security/serverVulnerabilityAssessments
Microsoft.Security/sqlVulnerabilityAssessments

Microsoft.SecurityInsights
Microsoft.SecurityInsights/aggregations
Microsoft.SecurityInsights/alertRules
Microsoft.SecurityInsights/alertRuleTemplates
Microsoft.SecurityInsights/automationRules
Microsoft.SecurityInsights/bookmarks
Microsoft.SecurityInsights/cases
Microsoft.SecurityInsights/dataConnectors
Microsoft.SecurityInsights/dataConnectorsCheckRequirements
Microsoft.SecurityInsights/enrichment
Microsoft.SecurityInsights/entities
Microsoft.SecurityInsights/entityQueryTemplates
Microsoft.SecurityInsights/incidents
Microsoft.SecurityInsights/listrepositories
Microsoft.SecurityInsights/metadata
Microsoft.SecurityInsights/onboardingStates
Microsoft.SecurityInsights/settings
Microsoft.SecurityInsights/sourceControls
Microsoft.SecurityInsights/threatIntelligence
Microsoft.SecurityInsights/watchlists

Microsoft.SerialConsole
Microsoft.SerialConsole/serialPorts

Microsoft.ServiceLinker
Microsoft.ServiceLinker/linkers

Microsoft.SoftwarePlan
Microsoft.SoftwarePlan/hybridUseBenefits

Microsoft.Subscription
Microsoft.Subscription/policies

microsoft.support
microsoft.support/supporttickets

Microsoft.WorkloadMonitor
Microsoft.WorkloadMonitor/monitors

Next steps
To get the resource ID for an extension resource in an Azure Resource Manager template, use the
extensionResourceId.
For an example of creating an extension resource in a template, see Event Grid Event Subscriptions.
Resources not limited to 800 instances per resource
group
2/23/2022 • 2 minutes to read

By default, you can deploy up to 800 instances of a resource type in each resource group. However, some
resource types are exempt from the 800 instance limit. This article lists the Azure resource types that can have
more than 800 instances in a resource group. All other resource types are limited to 800 instances.
For some resource types, you need to contact support to have the 800 instance limit removed. Those resource
types are noted in this article.
Some resources have a limit on the number of instances per region. This limit is different from the 800 instances
per resource group. To check your instances per region, use the Azure portal. Select your subscription and
Usage + quotas in the left pane. For more information, see Check resource usage against limits.

Microsoft.AlertsManagement
resourceHealthAlertRules
smartDetectorAlertRules

Microsoft.Automation
automationAccounts

Microsoft.AzureStack
linkedSubscriptions
registrations
registrations/customerSubscriptions
registrations/products

Microsoft.BotService
botServices - By default, limited to 800 instances. That limit can be increased by contacting support.

Microsoft.Compute
disks
galleries
galleries/images
galleries/images/versions
images
snapshots
virtualMachineScaleSets - By default, limited to 800 instances. That limit can be increased by contacting
support.
virtualMachines
virtualMachines/extensions - Supports an unlimited number of VM extension instances.

Microsoft.ContainerInstance
containerGroups

Microsoft.ContainerRegistry
registries/buildTasks
registries/buildTasks/listSourceRepositoryProperties
registries/buildTasks/steps
registries/buildTasks/steps/listBuildArguments
registries/eventGridFilters
registries/replications
registries/tasks
registries/webhooks

Microsoft.D365CustomerInsights
instances

Microsoft.DBforMariaDB
servers

Microsoft.DBforMySQL
flexibleServers
servers

Microsoft.DBforPostgreSQL
flexibleServers
serverGroups
serverGroupsv2
servers
serversv2

Microsoft.DevTestLab
schedules

Microsoft.EnterpriseKnowledgeGraph
services

Microsoft.EventHub
clusters
namespaces

Microsoft.Experimentation
experimentWorkspaces

Microsoft.GuestConfiguration
autoManagedVmConfigurationProfiles
configurationProfileAssignments
guestConfigurationAssignments
software
softwareUpdateProfile
softwareUpdates

Microsoft.HybridCompute
machines - Supports up to 5,000 instances.
machines/extensions - Supports an unlimited number of VM extension instances.

microsoft.insights
metricalerts
scheduledqueryrules

Microsoft.Logic
integrationAccounts
workflows

Microsoft.Media
mediaservices/liveEvents

Microsoft.NetApp
netAppAccounts
netAppAccounts/capacityPools
netAppAccounts/capacityPools/volumes
netAppAccounts/capacityPools/volumes/mountTargets
netAppAccounts/capacityPools/volumes/snapshots
netAppAccounts/capacityPools/volumes/subvolumes
netAppAccounts/snapshotPolicies
netAppAccounts/volumeGroups

Microsoft.Network
applicationGatewayWebApplicationFirewallPolicies
applicationSecurityGroups
bastionHosts
ddosProtectionPlans
dnszones
dnszones/A
dnszones/AAAA
dnszones/CAA
dnszones/CNAME
dnszones/MX
dnszones/NS
dnszones/PTR
dnszones/SOA
dnszones/SRV
dnszones/TXT
dnszones/all
dnszones/recordsets
networkIntentPolicies
networkInterfaces
privateDnsZones
privateDnsZones/A
privateDnsZones/AAAA
privateDnsZones/CNAME
privateDnsZones/MX
privateDnsZones/PTR
privateDnsZones/SOA
privateDnsZones/SRV
privateDnsZones/TXT
privateDnsZones/all
privateDnsZones/virtualNetworkLinks
privateEndpoints
privateLinkServices
publicIPAddresses
serviceEndpointPolicies
trafficmanagerprofiles
virtualNetworkTaps

Microsoft.PortalSdk
rootResources

Microsoft.PowerBI
workspaceCollections - By default, limited to 800 instances. That limit can be increased by contacting support.

Microsoft.PowerBIDedicated
autoScaleVCores - By default, limited to 800 instances. That limit can be increased by contacting support.
capacities - By default, limited to 800 instances. That limit can be increased by contacting support.

Microsoft.Relay
namespaces

Microsoft.Scheduler
jobcollections

Microsoft.ServiceBus
namespaces

Microsoft.Singularity
accounts
accounts/accountQuotaPolicies
accounts/groupPolicies
accounts/jobs
accounts/models
accounts/storageContainers

Microsoft.Sql
servers/databases

Microsoft.Storage
storageAccounts

Microsoft.StreamAnalytics
streamingjobs - By default, limited to 800 instances. That limit can be increased by contacting support.

Next steps
For a complete list of quotas and limits, see Azure subscription and service limits, quotas, and constraints.
Azure Policy Regulatory Compliance controls for Azure Resource Manager
2/23/2022 • 101 minutes to read

Regulatory Compliance in Azure Policy provides Microsoft created and managed initiative definitions, known as
built-ins, for the compliance domains and security controls related to different compliance standards. This
page lists the compliance domains and security controls for Azure Resource Manager. You can assign the
built-ins for a security control individually to help make your Azure resources compliant with the specific
standard.
The title of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the
Policy Version column to view the source on the Azure Policy GitHub repo.

IMPORTANT
Each control below is associated with one or more Azure Policy definitions. These policies may help you assess compliance
with the control; however, there often is not a one-to-one or complete match between a control and one or more policies.
As such, Compliant in Azure Policy refers only to the policies themselves; this doesn't ensure you're fully compliant with
all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure
Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status.
The associations between controls and Azure Policy Regulatory Compliance definitions for these compliance standards
may change over time.

Australian Government ISM PROTECTED


To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see
Azure Policy Regulatory Compliance - Australian Government ISM PROTECTED. For more information about this
compliance standard, see Australian Government ISM PROTECTED.

DOMAIN | CONTROL ID | CONTROL TITLE | POLICY (AZURE PORTAL) | POLICY VERSION (GITHUB)
Guidelines for System Hardening - Operating system hardening | 380 | Operating system configuration - 380 | Deprecated accounts should be removed from your subscription | 3.0.0
Guidelines for System Hardening - Operating system hardening | 380 | Operating system configuration - 380 | Deprecated accounts with owner permissions should be removed from your subscription | 3.0.0
Guidelines for Personnel Security - Access to systems and their resources | 414 | User identification - 414 | MFA should be enabled accounts with write permissions on your subscription | 3.0.0
Guidelines for Personnel Security - Access to systems and their resources | 414 | User identification - 414 | MFA should be enabled on accounts with owner permissions on your subscription | 3.0.0
Guidelines for Personnel Security - Access to systems and their resources | 414 | User identification - 414 | MFA should be enabled on accounts with read permissions on your subscription | 3.0.0
Guidelines for Personnel Security - Access to systems and their resources | 430 | Suspension of access to systems - 430 | Deprecated accounts should be removed from your subscription | 3.0.0
Guidelines for Personnel Security - Access to systems and their resources | 430 | Suspension of access to systems - 430 | Deprecated accounts with owner permissions should be removed from your subscription | 3.0.0
Guidelines for Personnel Security - Access to systems and their resources | 441 | Temporary access to systems - 441 | Deprecated accounts should be removed from your subscription | 3.0.0
Guidelines for Personnel Security - Access to systems and their resources | 441 | Temporary access to systems - 441 | Deprecated accounts with owner permissions should be removed from your subscription | 3.0.0
Guidelines for Personnel Security - Access to systems and their resources | 441 | Temporary access to systems - 441 | External accounts with owner permissions should be removed from your subscription | 3.0.0
Guidelines for Personnel Security - Access to systems and their resources | 441 | Temporary access to systems - 441 | External accounts with write permissions should be removed from your subscription | 3.0.0
Guidelines for Media - Media usage | 947 | Using media for data transfers - 947 | MFA should be enabled on accounts with read permissions on your subscription | 3.0.0
Guidelines for System Hardening - Authentication hardening | 1173 | Multi-factor authentication - 1173 | MFA should be enabled accounts with write permissions on your subscription | 3.0.0
Guidelines for System Hardening - Authentication hardening | 1173 | Multi-factor authentication - 1173 | MFA should be enabled on accounts with owner permissions on your subscription | 3.0.0
Guidelines for System Hardening - Authentication hardening | 1384 | Multi-factor authentication - 1384 | MFA should be enabled accounts with write permissions on your subscription | 3.0.0
Guidelines for System Hardening - Authentication hardening | 1384 | Multi-factor authentication - 1384 | MFA should be enabled on accounts with owner permissions on your subscription | 3.0.0
Guidelines for System Hardening - Authentication hardening | 1384 | Multi-factor authentication - 1384 | MFA should be enabled on accounts with read permissions on your subscription | 3.0.0
Guidelines for Personnel Security - Access to systems and their resources | 1503 | Standard access to systems - 1503 | A maximum of 3 owners should be designated for your subscription | 3.0.0
Guidelines for Personnel Security - Access to systems and their resources | 1503 | Standard access to systems - 1503 | There should be more than one owner assigned to your subscription | 3.0.0
Guidelines for Personnel Security - Access to systems and their resources | 1508 | Privileged access to systems - 1508 | A maximum of 3 owners should be designated for your subscription | 3.0.0
Guidelines for Personnel Security - Access to systems and their resources | 1508 | Privileged access to systems - 1508 | There should be more than one owner assigned to your subscription | 3.0.0
Guidelines for System Management - Data backup and restoration | 1511 | Performing backups - 1511 | Audit virtual machines without disaster recovery configured | 1.0.0

Azure Security Benchmark
The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on
Azure. To see how this service completely maps to the Azure Security Benchmark, see the Azure Security
Benchmark mapping files.
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see
Azure Policy Regulatory Compliance - Azure Security Benchmark.

DOMAIN | CONTROL ID | CONTROL TITLE | POLICY (AZURE PORTAL) | POLICY VERSION (GITHUB)
Network Security | NS-10 | Ensure Domain Name System (DNS) security | Azure Defender for DNS should be enabled | 1.0.0
Identity Management | IM-3 | Manage application identities securely and automatically | Service principals should be used to protect your subscriptions instead of management certificates | 1.0.0
Identity Management | IM-6 | Use strong authentication controls | MFA should be enabled accounts with write permissions on your subscription | 3.0.0
Identity Management | IM-6 | Use strong authentication controls | MFA should be enabled on accounts with owner permissions on your subscription | 3.0.0
Identity Management | IM-6 | Use strong authentication controls | MFA should be enabled on accounts with read permissions on your subscription | 3.0.0
Privileged Access | PA-1 | Separate and limit highly privileged/administrative users | A maximum of 3 owners should be designated for your subscription | 3.0.0
Privileged Access | PA-1 | Separate and limit highly privileged/administrative users | Deprecated accounts with owner permissions should be removed from your subscription | 3.0.0
Privileged Access | PA-1 | Separate and limit highly privileged/administrative users | External accounts with owner permissions should be removed from your subscription | 3.0.0
Privileged Access | PA-1 | Separate and limit highly privileged/administrative users | There should be more than one owner assigned to your subscription | 3.0.0
Privileged Access | PA-4 | Review and reconcile user access regularly | Deprecated accounts should be removed from your subscription | 3.0.0
Privileged Access | PA-4 | Review and reconcile user access regularly | Deprecated accounts with owner permissions should be removed from your subscription | 3.0.0
Privileged Access | PA-4 | Review and reconcile user access regularly | External accounts with owner permissions should be removed from your subscription | 3.0.0
Privileged Access | PA-4 | Review and reconcile user access regularly | External accounts with read permissions should be removed from your subscription | 3.0.0
Privileged Access | PA-4 | Review and reconcile user access regularly | External accounts with write permissions should be removed from your subscription | 3.0.0
Data Protection | DP-2 | Monitor anomalies and threats targeting sensitive data | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2
Data Protection | DP-2 | Monitor anomalies and threats targeting sensitive data | Azure Defender for open-source relational databases should be enabled | 1.0.0
Data Protection | DP-2 | Monitor anomalies and threats targeting sensitive data | Azure Defender for SQL servers on machines should be enabled | 1.0.2
Data Protection | DP-2 | Monitor anomalies and threats targeting sensitive data | Azure Defender for Storage should be enabled | 1.0.3
Data Protection | DP-8 | Ensure security of key and certificate repository | Azure Defender for Key Vault should be enabled | 1.0.3
Logging and Threat Detection | LT-1 | Enable threat detection capabilities | Azure Defender for App Service should be enabled | 1.0.3
Logging and Threat Detection | LT-1 | Enable threat detection capabilities | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2
Logging and Threat Detection | LT-1 | Enable threat detection capabilities | Azure Defender for DNS should be enabled | 1.0.0
Logging and Threat Detection | LT-1 | Enable threat detection capabilities | Azure Defender for Key Vault should be enabled | 1.0.3
Logging and Threat Detection | LT-1 | Enable threat detection capabilities | Azure Defender for open-source relational databases should be enabled | 1.0.0
Logging and Threat Detection | LT-1 | Enable threat detection capabilities | Azure Defender for Resource Manager should be enabled | 1.0.0
Logging and Threat Detection | LT-1 | Enable threat detection capabilities | Azure Defender for servers should be enabled | 1.0.3
Logging and Threat Detection | LT-1 | Enable threat detection capabilities | Azure Defender for SQL servers on machines should be enabled | 1.0.2
Logging and Threat Detection | LT-1 | Enable threat detection capabilities | Azure Defender for Storage should be enabled | 1.0.3
Logging and Threat Detection | LT-1 | Enable threat detection capabilities | Microsoft Defender for Containers should be enabled | 1.0.0
Logging and Threat Detection | LT-2 | Enable threat detection for identity and access management | Azure Defender for App Service should be enabled | 1.0.3
Logging and Threat Detection | LT-2 | Enable threat detection for identity and access management | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2
Logging and Threat Detection | LT-2 | Enable threat detection for identity and access management | Azure Defender for DNS should be enabled | 1.0.0
Logging and Threat Detection | LT-2 | Enable threat detection for identity and access management | Azure Defender for Key Vault should be enabled | 1.0.3
Logging and Threat Detection | LT-2 | Enable threat detection for identity and access management | Azure Defender for open-source relational databases should be enabled | 1.0.0
Logging and Threat Detection | LT-2 | Enable threat detection for identity and access management | Azure Defender for Resource Manager should be enabled | 1.0.0
Logging and Threat Detection | LT-2 | Enable threat detection for identity and access management | Azure Defender for servers should be enabled | 1.0.3
Logging and Threat Detection | LT-2 | Enable threat detection for identity and access management | Azure Defender for SQL servers on machines should be enabled | 1.0.2
Logging and Threat Detection | LT-2 | Enable threat detection for identity and access management | Azure Defender for Storage should be enabled | 1.0.3
Logging and Threat Detection | LT-2 | Enable threat detection for identity and access management | Microsoft Defender for Containers should be enabled | 1.0.0
Logging and Threat Detection | LT-5 | Centralize security log management and analysis | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1
Incident Response | IR-2 | Preparation - setup incident notification | Email notification for high severity alerts should be enabled | 1.0.1
Incident Response | IR-2 | Preparation - setup incident notification | Email notification to subscription owner for high severity alerts should be enabled | 2.0.0
Incident Response | IR-2 | Preparation - setup incident notification | Subscriptions should have a contact email address for security issues | 1.0.1
Incident Response | IR-3 | Detection and analysis - create incidents based on high-quality alerts | Azure Defender for App Service should be enabled | 1.0.3
Incident Response | IR-3 | Detection and analysis - create incidents based on high-quality alerts | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2
Incident Response | IR-3 | Detection and analysis - create incidents based on high-quality alerts | Azure Defender for DNS should be enabled | 1.0.0
Incident Response | IR-3 | Detection and analysis - create incidents based on high-quality alerts | Azure Defender for Key Vault should be enabled | 1.0.3
Incident Response | IR-3 | Detection and analysis - create incidents based on high-quality alerts | Azure Defender for open-source relational databases should be enabled | 1.0.0
Incident Response | IR-3 | Detection and analysis - create incidents based on high-quality alerts | Azure Defender for Resource Manager should be enabled | 1.0.0
Incident Response | IR-3 | Detection and analysis - create incidents based on high-quality alerts | Azure Defender for servers should be enabled | 1.0.3
Incident Response | IR-3 | Detection and analysis - create incidents based on high-quality alerts | Azure Defender for SQL servers on machines should be enabled | 1.0.2
Incident Response | IR-3 | Detection and analysis - create incidents based on high-quality alerts | Azure Defender for Storage should be enabled | 1.0.3
Incident Response | IR-3 | Detection and analysis - create incidents based on high-quality alerts | Microsoft Defender for Containers should be enabled | 1.0.0
Incident Response | IR-5 | Detection and analysis - prioritize incidents | Azure Defender for App Service should be enabled | 1.0.3
Incident Response | IR-5 | Detection and analysis - prioritize incidents | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2
Incident Response | IR-5 | Detection and analysis - prioritize incidents | Azure Defender for DNS should be enabled | 1.0.0
Incident Response | IR-5 | Detection and analysis - prioritize incidents | Azure Defender for Key Vault should be enabled | 1.0.3
Incident Response | IR-5 | Detection and analysis - prioritize incidents | Azure Defender for open-source relational databases should be enabled | 1.0.0
Incident Response | IR-5 | Detection and analysis - prioritize incidents | Azure Defender for Resource Manager should be enabled | 1.0.0
Incident Response | IR-5 | Detection and analysis - prioritize incidents | Azure Defender for servers should be enabled | 1.0.3
Incident Response | IR-5 | Detection and analysis - prioritize incidents | Azure Defender for SQL servers on machines should be enabled | 1.0.2
Incident Response | IR-5 | Detection and analysis - prioritize incidents | Azure Defender for Storage should be enabled | 1.0.3
Incident Response | IR-5 | Detection and analysis - prioritize incidents | Microsoft Defender for Containers should be enabled | 1.0.0
Endpoint Security | ES-1 | Use Endpoint Detection and Response (EDR) | Azure Defender for servers should be enabled | 1.0.3

Azure Security Benchmark v1


The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on
Azure. To see how this service completely maps to the Azure Security Benchmark, see the Azure Security
Benchmark mapping files.
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see
Azure Policy Regulatory Compliance - Azure Security Benchmark.
DOMAIN | CONTROL ID | CONTROL TITLE | POLICY (AZURE PORTAL) | POLICY VERSION (GITHUB)
Incident Response | 10.4 | Provide security incident contact details and configure alert notifications for security incidents | Subscriptions should have a contact email address for security issues | 1.0.1
Logging and Monitoring | 2.2 | Configure central security log management | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1
Logging and Monitoring | 2.2 | Configure central security log management | Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' | 1.0.0
Logging and Monitoring | 2.2 | Configure central security log management | Azure Monitor should collect activity logs from all regions | 2.0.0
Logging and Monitoring | 2.4 | Collect security logs from operating systems | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1
Identity and Access Control | 3.1 | Maintain an inventory of administrative accounts | A maximum of 3 owners should be designated for your subscription | 3.0.0
Identity and Access Control | 3.1 | Maintain an inventory of administrative accounts | Deprecated accounts with owner permissions should be removed from your subscription | 3.0.0
Identity and Access Control | 3.1 | Maintain an inventory of administrative accounts | External accounts with owner permissions should be removed from your subscription | 3.0.0
Identity and Access Control | 3.1 | Maintain an inventory of administrative accounts | There should be more than one owner assigned to your subscription | 3.0.0
Identity and Access Control | 3.10 | Regularly review and reconcile user access | Deprecated accounts should be removed from your subscription | 3.0.0
Identity and Access Control | 3.10 | Regularly review and reconcile user access | Deprecated accounts with owner permissions should be removed from your subscription | 3.0.0
Identity and Access Control | 3.10 | Regularly review and reconcile user access | External accounts with owner permissions should be removed from your subscription | 3.0.0
Identity and Access Control | 3.10 | Regularly review and reconcile user access | External accounts with read permissions should be removed from your subscription | 3.0.0
Identity and Access Control | 3.10 | Regularly review and reconcile user access | External accounts with write permissions should be removed from your subscription | 3.0.0
Identity and Access Control | 3.3 | Use dedicated administrative accounts | A maximum of 3 owners should be designated for your subscription | 3.0.0
Identity and Access Control | 3.3 | Use dedicated administrative accounts | There should be more than one owner assigned to your subscription | 3.0.0
Identity and Access Control | 3.5 | Use multi-factor authentication for all Azure Active Directory based access | MFA should be enabled accounts with write permissions on your subscription | 3.0.0
Identity and Access Control | 3.5 | Use multi-factor authentication for all Azure Active Directory based access | MFA should be enabled on accounts with owner permissions on your subscription | 3.0.0
Identity and Access Control | 3.5 | Use multi-factor authentication for all Azure Active Directory based access | MFA should be enabled on accounts with read permissions on your subscription | 3.0.0
Data Protection | 4.9 | Log and alert on changes to critical Azure resources | Azure Monitor should collect activity logs from all regions | 2.0.0

Canada Federal PBMM
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see
Azure Policy Regulatory Compliance - Canada Federal PBMM. For more information about this compliance
standard, see Canada Federal PBMM.

DOMAIN | CONTROL ID | CONTROL TITLE | POLICY (AZURE PORTAL) | POLICY VERSION (GITHUB)
Access Control | AC-2 | Account Management | Deprecated accounts should be removed from your subscription | 3.0.0
Access Control | AC-2 | Account Management | Deprecated accounts with owner permissions should be removed from your subscription | 3.0.0
Access Control | AC-2 | Account Management | External accounts with owner permissions should be removed from your subscription | 3.0.0
Access Control | AC-2 | Account Management | External accounts with read permissions should be removed from your subscription | 3.0.0
Access Control | AC-2 | Account Management | External accounts with write permissions should be removed from your subscription | 3.0.0
Access Control | AC-5 | Separation of Duties | A maximum of 3 owners should be designated for your subscription | 3.0.0
Access Control | AC-5 | Separation of Duties | There should be more than one owner assigned to your subscription | 3.0.0
Access Control | AC-6 | Least Privilege | A maximum of 3 owners should be designated for your subscription | 3.0.0
Access Control | AC-6 | Least Privilege | There should be more than one owner assigned to your subscription | 3.0.0
Contingency Planning | CP-7 | Alternative Processing Site | Audit virtual machines without disaster recovery configured | 1.0.0
Identification and Authentication | IA-2(1) | Identification and Authentication (Organizational Users) | Network Access to Privileged Accounts | MFA should be enabled accounts with write permissions on your subscription | 3.0.0
Identification and Authentication | IA-2(1) | Identification and Authentication (Organizational Users) | Network Access to Privileged Accounts | MFA should be enabled on accounts with owner permissions on your subscription | 3.0.0

CIS Microsoft Azure Foundations Benchmark 1.1.0


To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see
Azure Policy Regulatory Compliance - CIS Microsoft Azure Foundations Benchmark 1.1.0. For more information
about this compliance standard, see CIS Microsoft Azure Foundations Benchmark.

DOMAIN | CONTROL ID | CONTROL TITLE | POLICY (AZURE PORTAL) | POLICY VERSION (GITHUB)
Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.1 | Ensure that multi-factor authentication is enabled for all privileged users | MFA should be enabled accounts with write permissions on your subscription | 3.0.0
Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.1 | Ensure that multi-factor authentication is enabled for all privileged users | MFA should be enabled on accounts with owner permissions on your subscription | 3.0.0
Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.2 | Ensure that multi-factor authentication is enabled for all non-privileged users | MFA should be enabled on accounts with read permissions on your subscription | 3.0.0
Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.3 | Ensure that there are no guest users | External accounts with owner permissions should be removed from your subscription | 3.0.0
Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.3 | Ensure that there are no guest users | External accounts with read permissions should be removed from your subscription | 3.0.0
Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.3 | Ensure that there are no guest users | External accounts with write permissions should be removed from your subscription | 3.0.0
Security Center | CIS Microsoft Azure Foundations Benchmark recommendation 2.1 | Ensure that standard pricing tier is selected | Azure Defender for App Service should be enabled | 1.0.3
Security Center | CIS Microsoft Azure Foundations Benchmark recommendation 2.1 | Ensure that standard pricing tier is selected | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2
Security Center | CIS Microsoft Azure Foundations Benchmark recommendation 2.1 | Ensure that standard pricing tier is selected | Azure Defender for Key Vault should be enabled | 1.0.3
Security Center | CIS Microsoft Azure Foundations Benchmark recommendation 2.1 | Ensure that standard pricing tier is selected | Azure Defender for servers should be enabled | 1.0.3
Security Center | CIS Microsoft Azure Foundations Benchmark recommendation 2.1 | Ensure that standard pricing tier is selected | Azure Defender for SQL servers on machines should be enabled | 1.0.2
Security Center | CIS Microsoft Azure Foundations Benchmark recommendation 2.1 | Ensure that standard pricing tier is selected | Azure Defender for Storage should be enabled | 1.0.3
Security Center | CIS Microsoft Azure Foundations Benchmark recommendation 2.1 | Ensure that standard pricing tier is selected | Microsoft Defender for Containers should be enabled | 1.0.0
Security Center | CIS Microsoft Azure Foundations Benchmark recommendation 2.16 | Ensure that 'Security contact emails' is set | Subscriptions should have a contact email address for security issues | 1.0.1
Security Center | CIS Microsoft Azure Foundations Benchmark recommendation 2.18 | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Email notification for high severity alerts should be enabled | 1.0.1
Security Center | CIS Microsoft Azure Foundations Benchmark recommendation 2.19 | Ensure that 'Send email also to subscription owners' is set to 'On' | Email notification to subscription owner for high severity alerts should be enabled | 2.0.0
Security Center | CIS Microsoft Azure Foundations Benchmark recommendation 2.2 | Ensure that 'Automatic provisioning of monitoring agent' is set to 'On' | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1
Logging and Monitoring | CIS Microsoft Azure Foundations Benchmark recommendation 5.1.1 | Ensure that a Log Profile exists | Azure subscriptions should have a log profile for Activity Log | 1.0.0
Logging and Monitoring | CIS Microsoft Azure Foundations Benchmark recommendation 5.1.2 | Ensure that Activity Log Retention is set 365 days or greater | Activity log should be retained for at least one year | 1.0.0
Logging and Monitoring | CIS Microsoft Azure Foundations Benchmark recommendation 5.1.3 | Ensure audit profile captures all the activities | Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' | 1.0.0
Logging and Monitoring | CIS Microsoft Azure Foundations Benchmark recommendation 5.1.4 | Ensure the log profile captures activity logs for all regions including global | Azure Monitor should collect activity logs from all regions | 2.0.0
Logging and Monitoring | CIS Microsoft Azure Foundations Benchmark recommendation 5.2.1 | Ensure that Activity Log Alert exists for Create Policy Assignment | An activity log alert should exist for specific Policy operations | 3.0.0
Logging and Monitoring | CIS Microsoft Azure Foundations Benchmark recommendation 5.2.2 | Ensure that Activity Log Alert exists for Create or Update Network Security Group | An activity log alert should exist for specific Administrative operations | 1.0.0
Logging and Monitoring | CIS Microsoft Azure Foundations Benchmark recommendation 5.2.3 | Ensure that Activity Log Alert exists for Delete Network Security Group | An activity log alert should exist for specific Administrative operations | 1.0.0
Logging and Monitoring | CIS Microsoft Azure Foundations Benchmark recommendation 5.2.4 | Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule | An activity log alert should exist for specific Administrative operations | 1.0.0
Logging and Monitoring | CIS Microsoft Azure Foundations Benchmark recommendation 5.2.5 | Ensure that activity log alert exists for the Delete Network Security Group Rule | An activity log alert should exist for specific Administrative operations | 1.0.0
Logging and Monitoring | CIS Microsoft Azure Foundations Benchmark recommendation 5.2.6 | Ensure that Activity Log Alert exists for Create or Update Security Solution | An activity log alert should exist for specific Security operations | 1.0.0
Logging and Monitoring | CIS Microsoft Azure Foundations Benchmark recommendation 5.2.7 | Ensure that Activity Log Alert exists for Delete Security Solution | An activity log alert should exist for specific Security operations | 1.0.0
Logging and Monitoring | CIS Microsoft Azure Foundations Benchmark recommendation 5.2.8 | Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule | An activity log alert should exist for specific Administrative operations | 1.0.0
Logging and Monitoring | CIS Microsoft Azure Foundations Benchmark recommendation 5.2.8 | Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule | An activity log alert should exist for specific Administrative operations | 1.0.0
Logging and Monitoring | CIS Microsoft Azure Foundations Benchmark recommendation 5.2.9 | Ensure that Activity Log Alert exists for Update Security Policy | An activity log alert should exist for specific Security operations | 1.0.0

CIS Microsoft Azure Foundations Benchmark 1.3.0


To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see
Azure Policy Regulatory Compliance - CIS Microsoft Azure Foundations Benchmark 1.3.0. For more information
about this compliance standard, see CIS Microsoft Azure Foundations Benchmark.
DOMAIN | CONTROL ID | CONTROL TITLE | POLICY (AZURE PORTAL) | POLICY VERSION (GITHUB)
Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.1 | Ensure that multi-factor authentication is enabled for all privileged users | MFA should be enabled accounts with write permissions on your subscription | 3.0.0
Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.1 | Ensure that multi-factor authentication is enabled for all privileged users | MFA should be enabled on accounts with owner permissions on your subscription | 3.0.0
Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.2 | Ensure that multi-factor authentication is enabled for all non-privileged users | MFA should be enabled on accounts with read permissions on your subscription | 3.0.0
Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.3 | Ensure guest users are reviewed on a monthly basis | External accounts with owner permissions should be removed from your subscription | 3.0.0
Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.3 | Ensure guest users are reviewed on a monthly basis | External accounts with read permissions should be removed from your subscription | 3.0.0
Identity and Access Management | CIS Microsoft Azure Foundations Benchmark recommendation 1.3 | Ensure guest users are reviewed on a monthly basis | External accounts with write permissions should be removed from your subscription | 3.0.0
Security Center | CIS Microsoft Azure Foundations Benchmark recommendation 2.1 | Ensure that Azure Defender is set to On for Servers | Azure Defender for servers should be enabled | 1.0.3
Security Center | CIS Microsoft Azure Foundations Benchmark recommendation 2.11 | Ensure that 'Automatic provisioning of monitoring agent' is set to 'On' | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1

Security Center CIS Microsoft Azure Ensure 'Additional Subscriptions should 1.0.1
Foundations email addresses' is have a contact email
Benchmark configured with a address for security
recommendation security contact email issues
2.13
P O L IC Y P O L IC Y VERSIO N
DO M A IN C O N T RO L ID C O N T RO L T IT L E

Security Center CIS Microsoft Azure Ensure that 'Notify Email notification for 1.0.1
Foundations about alerts with the high severity alerts
Benchmark following severity' is should be enabled
recommendation set to 'High'
2.14

Security Center CIS Microsoft Azure Ensure that Azure Azure Defender for 1.0.3
Foundations Defender is set to On App Service should
Benchmark for App Service be enabled
recommendation 2.2

Security Center CIS Microsoft Azure Ensure that Azure Azure Defender for 1.0.2
Foundations Defender is set to On Azure SQL Database
Benchmark for Azure SQL servers should be
recommendation 2.3 database servers enabled

Security Center CIS Microsoft Azure Ensure that Azure Azure Defender for 1.0.2
Foundations Defender is set to On SQL servers on
Benchmark for SQL servers on machines should be
recommendation 2.4 machines enabled

Security Center CIS Microsoft Azure Ensure that Azure Azure Defender for 1.0.3
Foundations Defender is set to On Storage should be
Benchmark for Storage enabled
recommendation 2.5

Security Center CIS Microsoft Azure Ensure that Azure Microsoft Defender 1.0.0
Foundations Defender is set to On for Containers should
Benchmark for Kubernetes be enabled
recommendation 2.6

Security Center CIS Microsoft Azure Ensure that Azure Microsoft Defender 1.0.0
Foundations Defender is set to On for Containers should
Benchmark for Container be enabled
recommendation 2.7 Registries

Security Center CIS Microsoft Azure Ensure that Azure Azure Defender for 1.0.3
Foundations Defender is set to On Key Vault should be
Benchmark for Key Vault enabled
recommendation 2.8

Logging and CIS Microsoft Azure Ensure that Activity An activity log alert 3.0.0
Monitoring Foundations Log Alert exists for should exist for
Benchmark Create Policy specific Policy
recommendation Assignment operations
5.2.1

Logging and CIS Microsoft Azure Ensure that Activity An activity log alert 3.0.0
Monitoring Foundations Log Alert exists for should exist for
Benchmark Delete Policy specific Policy
recommendation Assignment operations
5.2.2
P O L IC Y P O L IC Y VERSIO N
DO M A IN C O N T RO L ID C O N T RO L T IT L E

Logging and CIS Microsoft Azure Ensure that Activity An activity log alert 1.0.0
Monitoring Foundations Log Alert exists for should exist for
Benchmark Create or Update specific
recommendation Network Security Administrative
5.2.3 Group operations

Logging and CIS Microsoft Azure Ensure that Activity An activity log alert 1.0.0
Monitoring Foundations Log Alert exists for should exist for
Benchmark Delete Network specific
recommendation Security Group Administrative
5.2.4 operations

Logging and CIS Microsoft Azure Ensure that Activity An activity log alert 1.0.0
Monitoring Foundations Log Alert exists for should exist for
Benchmark Create or Update specific
recommendation Network Security Administrative
5.2.5 Group Rule operations

Logging and CIS Microsoft Azure Ensure that activity An activity log alert 1.0.0
Monitoring Foundations log alert exists for should exist for
Benchmark the Delete Network specific
recommendation Security Group Rule Administrative
5.2.6 operations

Logging and CIS Microsoft Azure Ensure that Activity An activity log alert 1.0.0
Monitoring Foundations Log Alert exists for should exist for
Benchmark Create or Update specific Security
recommendation Security Solution operations
5.2.7

Logging and CIS Microsoft Azure Ensure that Activity An activity log alert 1.0.0
Monitoring Foundations Log Alert exists for should exist for
Benchmark Delete Security specific Security
recommendation Solution operations
5.2.8

Logging and CIS Microsoft Azure Ensure that Activity An activity log alert 1.0.0
Monitoring Foundations Log Alert exists for should exist for
Benchmark Create or Update or specific
recommendation Delete SQL Server Administrative
5.2.9 Firewall Rule operations

Logging and CIS Microsoft Azure Ensure that Activity An activity log alert 1.0.0
Monitoring Foundations Log Alert exists for should exist for
Benchmark Create or Update or specific
recommendation Delete SQL Server Administrative
5.2.9 Firewall Rule operations

CMMC Level 3
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see
Azure Policy Regulatory Compliance - CMMC Level 3. For more information about this compliance standard, see
Cybersecurity Maturity Model Certification (CMMC).
P O L IC Y P O L IC Y VERSIO N
DO M A IN C O N T RO L ID C O N T RO L T IT L E ( A ZURE PO RTA L) ( GIT HUB)

Access Control AC.1.001 Limit information Deprecated accounts 3.0.0


system access to should be removed
authorized users, from your
processes acting on subscription
behalf of authorized
users, and devices
(including other
information systems).

Access Control AC.1.001 Limit information Deprecated accounts 3.0.0


system access to with owner
authorized users, permissions should
processes acting on be removed from
behalf of authorized your subscription
users, and devices
(including other
information systems).

Access Control AC.1.001 Limit information External accounts 3.0.0


system access to with owner
authorized users, permissions should
processes acting on be removed from
behalf of authorized your subscription
users, and devices
(including other
information systems).

Access Control AC.1.001 Limit information External accounts 3.0.0


system access to with read
authorized users, permissions should
processes acting on be removed from
behalf of authorized your subscription
users, and devices
(including other
information systems).

Access Control AC.1.001 Limit information External accounts 3.0.0


system access to with write
authorized users, permissions should
processes acting on be removed from
behalf of authorized your subscription
users, and devices
(including other
information systems).

Access Control AC.2.007 Employ the principle External accounts 3.0.0


of least privilege, with read
including for specific permissions should
security functions be removed from
and privileged your subscription
accounts.

Access Control AC.2.007 Employ the principle External accounts 3.0.0


of least privilege, with write
including for specific permissions should
security functions be removed from
and privileged your subscription
accounts.
P O L IC Y P O L IC Y VERSIO N
DO M A IN C O N T RO L ID C O N T RO L T IT L E

Access Control AC.3.017 Separate the duties A maximum of 3 3.0.0


of individuals to owners should be
reduce the risk of designated for your
malevolent activity subscription
without collusion.

Access Control AC.3.017 Separate the duties There should be 3.0.0


of individuals to more than one
reduce the risk of owner assigned to
malevolent activity your subscription
without collusion.

Access Control AC.3.018 Prevent non- An activity log alert 1.0.0


privileged users from should exist for
executing privileged specific
functions and Administrative
capture the execution operations
of such functions in
audit logs.

Access Control AC.3.018 Prevent non- An activity log alert 1.0.0


privileged users from should exist for
executing privileged specific
functions and Administrative
capture the execution operations
of such functions in
audit logs.

Access Control AC.3.018 Prevent non- An activity log alert 1.0.0


privileged users from should exist for
executing privileged specific
functions and Administrative
capture the execution operations
of such functions in
audit logs.

Access Control AC.3.018 Prevent non- An activity log alert 1.0.0


privileged users from should exist for
executing privileged specific
functions and Administrative
capture the execution operations
of such functions in
audit logs.

Access Control AC.3.018 Prevent non- An activity log alert 1.0.0


privileged users from should exist for
executing privileged specific
functions and Administrative
capture the execution operations
of such functions in
audit logs.
P O L IC Y P O L IC Y VERSIO N
DO M A IN C O N T RO L ID C O N T RO L T IT L E

Access Control AC.3.021 Authorize remote An activity log alert 1.0.0


execution of should exist for
privileged commands specific
and remote access to Administrative
security-relevant operations
information.

Access Control AC.3.021 Authorize remote An activity log alert 1.0.0


execution of should exist for
privileged commands specific
and remote access to Administrative
security-relevant operations
information.

Access Control AC.3.021 Authorize remote An activity log alert 1.0.0


execution of should exist for
privileged commands specific
and remote access to Administrative
security-relevant operations
information.

Access Control AC.3.021 Authorize remote An activity log alert 1.0.0


execution of should exist for
privileged commands specific
and remote access to Administrative
security-relevant operations
information.

Access Control AC.3.021 Authorize remote An activity log alert 1.0.0


execution of should exist for
privileged commands specific
and remote access to Administrative
security-relevant operations
information.

Access Control AC.3.021 Authorize remote An activity log alert 1.0.0


execution of should exist for
privileged commands specific Security
and remote access to operations
security-relevant
information.

Audit and AU.2.041 Ensure that the An activity log alert 1.0.0
Accountability actions of individual should exist for
system users can be specific
uniquely traced to Administrative
those users so they operations
can be held
accountable for their
actions.
P O L IC Y P O L IC Y VERSIO N
DO M A IN C O N T RO L ID C O N T RO L T IT L E

Audit and AU.2.041 Ensure that the An activity log alert 1.0.0
Accountability actions of individual should exist for
system users can be specific
uniquely traced to Administrative
those users so they operations
can be held
accountable for their
actions.

Audit and AU.2.041 Ensure that the An activity log alert 1.0.0
Accountability actions of individual should exist for
system users can be specific
uniquely traced to Administrative
those users so they operations
can be held
accountable for their
actions.

Audit and AU.2.041 Ensure that the An activity log alert 1.0.0
Accountability actions of individual should exist for
system users can be specific
uniquely traced to Administrative
those users so they operations
can be held
accountable for their
actions.

Audit and AU.2.041 Ensure that the An activity log alert 1.0.0
Accountability actions of individual should exist for
system users can be specific
uniquely traced to Administrative
those users so they operations
can be held
accountable for their
actions.

Audit and AU.2.041 Ensure that the An activity log alert 3.0.0
Accountability actions of individual should exist for
system users can be specific Policy
uniquely traced to operations
those users so they
can be held
accountable for their
actions.

Audit and AU.2.041 Ensure that the An activity log alert 1.0.0
Accountability actions of individual should exist for
system users can be specific Security
uniquely traced to operations
those users so they
can be held
accountable for their
actions.
P O L IC Y P O L IC Y VERSIO N
DO M A IN C O N T RO L ID C O N T RO L T IT L E

Audit and AU.2.041 Ensure that the Azure Monitor log 1.0.0
Accountability actions of individual profile should collect
system users can be logs for categories
uniquely traced to 'write,' 'delete,' and
those users so they 'action'
can be held
accountable for their
actions.

Audit and AU.2.041 Ensure that the Azure Monitor 2.0.0


Accountability actions of individual should collect activity
system users can be logs from all regions
uniquely traced to
those users so they
can be held
accountable for their
actions.

Audit and AU.2.041 Ensure that the Azure subscriptions 1.0.0


Accountability actions of individual should have a log
system users can be profile for Activity
uniquely traced to Log
those users so they
can be held
accountable for their
actions.

Audit and AU.2.042 Create and retain Activity log should be 1.0.0
Accountability system audit logs retained for at least
and records to the one year
extent needed to
enable the
monitoring, analysis,
investigation, and
reporting of unlawful
or unauthorized
system activity.

Audit and AU.2.042 Create and retain An activity log alert 1.0.0
Accountability system audit logs should exist for
and records to the specific
extent needed to Administrative
enable the operations
monitoring, analysis,
investigation, and
reporting of unlawful
or unauthorized
system activity.
P O L IC Y P O L IC Y VERSIO N
DO M A IN C O N T RO L ID C O N T RO L T IT L E

Audit and AU.2.042 Create and retain An activity log alert 1.0.0
Accountability system audit logs should exist for
and records to the specific
extent needed to Administrative
enable the operations
monitoring, analysis,
investigation, and
reporting of unlawful
or unauthorized
system activity.

Audit and AU.2.042 Create and retain An activity log alert 1.0.0
Accountability system audit logs should exist for
and records to the specific
extent needed to Administrative
enable the operations
monitoring, analysis,
investigation, and
reporting of unlawful
or unauthorized
system activity.

Audit and AU.2.042 Create and retain An activity log alert 1.0.0
Accountability system audit logs should exist for
and records to the specific
extent needed to Administrative
enable the operations
monitoring, analysis,
investigation, and
reporting of unlawful
or unauthorized
system activity.

Audit and AU.2.042 Create and retain An activity log alert 1.0.0
Accountability system audit logs should exist for
and records to the specific
extent needed to Administrative
enable the operations
monitoring, analysis,
investigation, and
reporting of unlawful
or unauthorized
system activity.

Audit and AU.2.042 Create and retain An activity log alert 3.0.0
Accountability system audit logs should exist for
and records to the specific Policy
extent needed to operations
enable the
monitoring, analysis,
investigation, and
reporting of unlawful
or unauthorized
system activity.
P O L IC Y P O L IC Y VERSIO N
DO M A IN C O N T RO L ID C O N T RO L T IT L E

Audit and AU.2.042 Create and retain An activity log alert 1.0.0
Accountability system audit logs should exist for
and records to the specific Security
extent needed to operations
enable the
monitoring, analysis,
investigation, and
reporting of unlawful
or unauthorized
system activity.

Audit and AU.2.042 Create and retain Azure Monitor 2.0.0


Accountability system audit logs should collect activity
and records to the logs from all regions
extent needed to
enable the
monitoring, analysis,
investigation, and
reporting of unlawful
or unauthorized
system activity.

Audit and AU.2.042 Create and retain Azure subscriptions 1.0.0


Accountability system audit logs should have a log
and records to the profile for Activity
extent needed to Log
enable the
monitoring, analysis,
investigation, and
reporting of unlawful
or unauthorized
system activity.

Audit and AU.3.049 Protect audit An activity log alert 3.0.0


Accountability information and should exist for
audit logging tools specific Policy
from unauthorized operations
access, modification,
and deletion.

Security Assessment CA.2.158 Periodically assess An activity log alert 1.0.0


the security controls should exist for
in organizational specific Security
systems to determine operations
if the controls are
effective in their
application.

Security Assessment CA.3.161 Monitor security An activity log alert 1.0.0


controls on an should exist for
ongoing basis to specific Security
ensure the continued operations
effectiveness of the
controls.
P O L IC Y P O L IC Y VERSIO N
DO M A IN C O N T RO L ID C O N T RO L T IT L E

Configuration CM.2.061 Establish and An activity log alert 3.0.0


Management maintain baseline should exist for
configurations and specific Policy
inventories of operations
organizational
systems (including
hardware, software,
firmware, and
documentation)
throughout the
respective system
development life
cycles.

Configuration CM.2.065 Track, review, An activity log alert 1.0.0


Management approve or should exist for
disapprove, and log specific
changes to Administrative
organizational operations
systems.

Configuration CM.2.065 Track, review, An activity log alert 1.0.0


Management approve or should exist for
disapprove, and log specific
changes to Administrative
organizational operations
systems.

Configuration CM.2.065 Track, review, An activity log alert 1.0.0


Management approve or should exist for
disapprove, and log specific
changes to Administrative
organizational operations
systems.

Configuration CM.2.065 Track, review, An activity log alert 1.0.0


Management approve or should exist for
disapprove, and log specific
changes to Administrative
organizational operations
systems.

Configuration CM.2.065 Track, review, An activity log alert 1.0.0


Management approve or should exist for
disapprove, and log specific
changes to Administrative
organizational operations
systems.

Configuration CM.2.065 Track, review, An activity log alert 3.0.0


Management approve or should exist for
disapprove, and log specific Policy
changes to operations
organizational
systems.
P O L IC Y P O L IC Y VERSIO N
DO M A IN C O N T RO L ID C O N T RO L T IT L E

Configuration CM.2.065 Track, review, An activity log alert 1.0.0


Management approve or should exist for
disapprove, and log specific Security
changes to operations
organizational
systems.

Configuration CM.2.065 Track, review, Azure Monitor 2.0.0


Management approve or should collect activity
disapprove, and log logs from all regions
changes to
organizational
systems.

Configuration CM.2.065 Track, review, Azure subscriptions 1.0.0


Management approve or should have a log
disapprove, and log profile for Activity
changes to Log
organizational
systems.

Identification and IA.1.077 Authenticate (or MFA should be 3.0.0


Authentication verify) the identities enabled accounts
of those users, with write
processes, or devices, permissions on your
as a prerequisite to subscription
allowing access to
organizational
information systems.

Identification and IA.1.077 Authenticate (or MFA should be 3.0.0


Authentication verify) the identities enabled on accounts
of those users, with owner
processes, or devices, permissions on your
as a prerequisite to subscription
allowing access to
organizational
information systems.

Identification and IA.1.077 Authenticate (or MFA should be 3.0.0


Authentication verify) the identities enabled on accounts
of those users, with read
processes, or devices, permissions on your
as a prerequisite to subscription
allowing access to
organizational
information systems.

Identification and IA.3.083 Use multifactor MFA should be 3.0.0


Authentication authentication for enabled accounts
local and network with write
access to privileged permissions on your
accounts and for subscription
network access to
non-privileged
accounts.
P O L IC Y P O L IC Y VERSIO N
DO M A IN C O N T RO L ID C O N T RO L T IT L E

Identification and IA.3.083 Use multifactor MFA should be 3.0.0


Authentication authentication for enabled on accounts
local and network with owner
access to privileged permissions on your
accounts and for subscription
network access to
non-privileged
accounts.

Identification and IA.3.083 Use multifactor MFA should be 3.0.0


Authentication authentication for enabled on accounts
local and network with read
access to privileged permissions on your
accounts and for subscription
network access to
non-privileged
accounts.

Identification and IA.3.084 Employ replay- MFA should be 3.0.0


Authentication resistant enabled accounts
authentication with write
mechanisms for permissions on your
network access to subscription
privileged and
nonprivileged
accounts.

Identification and IA.3.084 Employ replay- MFA should be 3.0.0


Authentication resistant enabled on accounts
authentication with owner
mechanisms for permissions on your
network access to subscription
privileged and
nonprivileged
accounts.

Identification and IA.3.084 Employ replay- MFA should be 3.0.0


Authentication resistant enabled on accounts
authentication with read
mechanisms for permissions on your
network access to subscription
privileged and
nonprivileged
accounts.

Incident Response IR.2.092 Establish an Email notification for 1.0.1


operational incident- high severity alerts
handling capability should be enabled
for organizational
systems that includes
preparation,
detection, analysis,
containment,
recovery, and user
response activities.
P O L IC Y P O L IC Y VERSIO N
DO M A IN C O N T RO L ID C O N T RO L T IT L E

Incident Response IR.2.092 Establish an Email notification to 2.0.0


operational incident- subscription owner
handling capability for high severity
for organizational alerts should be
systems that includes enabled
preparation,
detection, analysis,
containment,
recovery, and user
response activities.

Incident Response IR.2.092 Establish an Subscriptions should 1.0.1


operational incident- have a contact email
handling capability address for security
for organizational issues
systems that includes
preparation,
detection, analysis,
containment,
recovery, and user
response activities.

Incident Response IR.2.093 Detect and report An activity log alert 1.0.0
events. should exist for
specific Security
operations

Incident Response IR.2.093 Detect and report Azure Defender for 1.0.3
events. App Service should
be enabled

Incident Response IR.2.093 Detect and report Azure Defender for 1.0.2
events. Azure SQL Database
servers should be
enabled

Incident Response IR.2.093 Detect and report Azure Defender for 1.0.3
events. Key Vault should be
enabled

Incident Response IR.2.093 Detect and report Azure Defender for 1.0.3
events. servers should be
enabled

Incident Response IR.2.093 Detect and report Azure Defender for 1.0.2
events. SQL servers on
machines should be
enabled

Incident Response IR.2.093 Detect and report Azure Defender for 1.0.3
events. Storage should be
enabled

Incident Response IR.2.093 Detect and report Email notification for 1.0.1
events. high severity alerts
should be enabled
P O L IC Y P O L IC Y VERSIO N
DO M A IN C O N T RO L ID C O N T RO L T IT L E

Incident Response IR.2.093 Detect and report Microsoft Defender 1.0.0


events. for Containers should
be enabled

Recovery RE.2.137 Regularly perform Audit virtual 1.0.0


and test data back- machines without
ups. disaster recovery
configured

Recovery RE.3.139 Regularly perform Audit virtual 1.0.0


complete, machines without
comprehensive and disaster recovery
resilient data backups configured
as organizationally-
defined.

Risk Assessment RM.2.141 Periodically assess Azure Defender for 1.0.3


the risk to App Service should
organizational be enabled
operations (including
mission, functions,
image, or reputation),
organizational assets,
and individuals,
resulting from the
operation of
organizational
systems and the
associated
processing, storage,
or transmission of
CUI.

Risk Assessment RM.2.141 Periodically assess Azure Defender for 1.0.2


the risk to Azure SQL Database
organizational servers should be
operations (including enabled
mission, functions,
image, or reputation),
organizational assets,
and individuals,
resulting from the
operation of
organizational
systems and the
associated
processing, storage,
or transmission of
CUI.
P O L IC Y P O L IC Y VERSIO N
DO M A IN C O N T RO L ID C O N T RO L T IT L E

Risk Assessment RM.2.141 Periodically assess Azure Defender for 1.0.3


the risk to Key Vault should be
organizational enabled
operations (including
mission, functions,
image, or reputation),
organizational assets,
and individuals,
resulting from the
operation of
organizational
systems and the
associated
processing, storage,
or transmission of
CUI.

Risk Assessment RM.2.141 Periodically assess Azure Defender for 1.0.3


the risk to servers should be
organizational enabled
operations (including
mission, functions,
image, or reputation),
organizational assets,
and individuals,
resulting from the
operation of
organizational
systems and the
associated
processing, storage,
or transmission of
CUI.

Risk Assessment RM.2.141 Periodically assess Azure Defender for 1.0.2


the risk to SQL servers on
organizational machines should be
operations (including enabled
mission, functions,
image, or reputation),
organizational assets,
and individuals,
resulting from the
operation of
organizational
systems and the
associated
processing, storage,
or transmission of
CUI.
P O L IC Y P O L IC Y VERSIO N
DO M A IN C O N T RO L ID C O N T RO L T IT L E

Risk Assessment RM.2.141 Periodically assess Azure Defender for 1.0.3


the risk to Storage should be
organizational enabled
operations (including
mission, functions,
image, or reputation),
organizational assets,
and individuals,
resulting from the
operation of
organizational
systems and the
associated
processing, storage,
or transmission of
CUI.

Risk Assessment RM.2.141 Periodically assess Microsoft Defender 1.0.0


the risk to for Containers should
organizational be enabled
operations (including
mission, functions,
image, or reputation),
organizational assets,
and individuals,
resulting from the
operation of
organizational
systems and the
associated
processing, storage,
or transmission of
CUI.

Risk Assessment RM.2.142 Scan for Azure Defender for 1.0.3


vulnerabilities in App Service should
organizational be enabled
systems and
applications
periodically and when
new vulnerabilities
affecting those
systems and
applications are
identified.

Risk Assessment RM.2.142 Scan for Azure Defender for 1.0.2


vulnerabilities in Azure SQL Database
organizational servers should be
systems and enabled
applications
periodically and when
new vulnerabilities
affecting those
systems and
applications are
identified.
P O L IC Y P O L IC Y VERSIO N
DO M A IN C O N T RO L ID C O N T RO L T IT L E

Risk Assessment RM.2.142 Scan for Azure Defender for 1.0.3


vulnerabilities in Key Vault should be
organizational enabled
systems and
applications
periodically and when
new vulnerabilities
affecting those
systems and
applications are
identified.

Risk Assessment RM.2.142 Scan for Azure Defender for 1.0.3


vulnerabilities in servers should be
organizational enabled
systems and
applications
periodically and when
new vulnerabilities
affecting those
systems and
applications are
identified.

Risk Assessment RM.2.142 Scan for Azure Defender for 1.0.2


vulnerabilities in SQL servers on
organizational machines should be
systems and enabled
applications
periodically and when
new vulnerabilities
affecting those
systems and
applications are
identified.

Risk Assessment RM.2.142 Scan for Azure Defender for 1.0.3


vulnerabilities in Storage should be
organizational enabled
systems and
applications
periodically and when
new vulnerabilities
affecting those
systems and
applications are
identified.

Risk Assessment RM.2.142 Scan for Microsoft Defender 1.0.0


vulnerabilities in for Containers should
organizational be enabled
systems and
applications
periodically and when
new vulnerabilities
affecting those
systems and
applications are
identified.
P O L IC Y P O L IC Y VERSIO N
DO M A IN C O N T RO L ID C O N T RO L T IT L E

Risk Assessment RM.2.143 Remediate Azure Defender for 1.0.3


vulnerabilities in App Service should
accordance with risk be enabled
assessments.

Risk Assessment RM.2.143 Remediate Azure Defender for 1.0.2


vulnerabilities in Azure SQL Database
accordance with risk servers should be
assessments. enabled

Risk Assessment RM.2.143 Remediate Azure Defender for 1.0.3


vulnerabilities in Key Vault should be
accordance with risk enabled
assessments.

Risk Assessment RM.2.143 Remediate Azure Defender for 1.0.3


vulnerabilities in servers should be
accordance with risk enabled
assessments.

Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub)
Risk Assessment | RM.2.143 | Remediate vulnerabilities in accordance with risk assessments. | Azure Defender for SQL servers on machines should be enabled | 1.0.2
Risk Assessment | RM.2.143 | Remediate vulnerabilities in accordance with risk assessments. | Azure Defender for Storage should be enabled | 1.0.3
Risk Assessment | RM.2.143 | Remediate vulnerabilities in accordance with risk assessments. | Microsoft Defender for Containers should be enabled | 1.0.0
Risk Management | RM.3.144 | Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources and risk measurement criteria. | Azure Defender for App Service should be enabled | 1.0.3
Risk Management | RM.3.144 | Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources and risk measurement criteria. | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2
Risk Management | RM.3.144 | Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources and risk measurement criteria. | Azure Defender for Key Vault should be enabled | 1.0.3
Risk Management | RM.3.144 | Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources and risk measurement criteria. | Azure Defender for servers should be enabled | 1.0.3
Risk Management | RM.3.144 | Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources and risk measurement criteria. | Azure Defender for SQL servers on machines should be enabled | 1.0.2
Risk Management | RM.3.144 | Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources and risk measurement criteria. | Azure Defender for Storage should be enabled | 1.0.3
Risk Management | RM.3.144 | Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources and risk measurement criteria. | Microsoft Defender for Containers should be enabled | 1.0.0
System and Communications Protection | SC.3.181 | Separate user functionality from system management functionality. | A maximum of 3 owners should be designated for your subscription | 3.0.0
System and Communications Protection | SC.3.181 | Separate user functionality from system management functionality. | Deprecated accounts with owner permissions should be removed from your subscription | 3.0.0
System and Communications Protection | SC.3.181 | Separate user functionality from system management functionality. | External accounts with owner permissions should be removed from your subscription | 3.0.0
System and Communications Protection | SC.3.181 | Separate user functionality from system management functionality. | There should be more than one owner assigned to your subscription | 3.0.0
System and Communications Protection | SC.3.187 | Establish and manage cryptographic keys for cryptography employed in organizational systems. | Azure Defender for Key Vault should be enabled | 1.0.3
System and Communications Protection | SC.3.190 | Protect the authenticity of communications sessions. | MFA should be enabled accounts with write permissions on your subscription | 3.0.0
System and Communications Protection | SC.3.190 | Protect the authenticity of communications sessions. | MFA should be enabled on accounts with owner permissions on your subscription | 3.0.0
System and Communications Protection | SC.3.190 | Protect the authenticity of communications sessions. | MFA should be enabled on accounts with read permissions on your subscription | 3.0.0
System and Information Integrity | SI.1.213 | Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. | Azure Defender for App Service should be enabled | 1.0.3
System and Information Integrity | SI.1.213 | Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2
System and Information Integrity | SI.1.213 | Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. | Azure Defender for Key Vault should be enabled | 1.0.3
System and Information Integrity | SI.1.213 | Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. | Azure Defender for servers should be enabled | 1.0.3
System and Information Integrity | SI.1.213 | Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. | Azure Defender for SQL servers on machines should be enabled | 1.0.2
System and Information Integrity | SI.1.213 | Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. | Azure Defender for Storage should be enabled | 1.0.3
System and Information Integrity | SI.1.213 | Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. | Microsoft Defender for Containers should be enabled | 1.0.0
System and Information Integrity | SI.2.216 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | An activity log alert should exist for specific Administrative operations | 1.0.0
System and Information Integrity | SI.2.216 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | An activity log alert should exist for specific Administrative operations | 1.0.0
System and Information Integrity | SI.2.216 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | An activity log alert should exist for specific Administrative operations | 1.0.0
System and Information Integrity | SI.2.216 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | An activity log alert should exist for specific Administrative operations | 1.0.0
System and Information Integrity | SI.2.216 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | An activity log alert should exist for specific Administrative operations | 1.0.0
System and Information Integrity | SI.2.216 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | An activity log alert should exist for specific Policy operations | 3.0.0
System and Information Integrity | SI.2.216 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | An activity log alert should exist for specific Security operations | 1.0.0
System and Information Integrity | SI.2.216 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | Azure Defender for App Service should be enabled | 1.0.3
System and Information Integrity | SI.2.216 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2
System and Information Integrity | SI.2.216 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | Azure Defender for Key Vault should be enabled | 1.0.3
System and Information Integrity | SI.2.216 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | Azure Defender for servers should be enabled | 1.0.3
System and Information Integrity | SI.2.216 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | Azure Defender for SQL servers on machines should be enabled | 1.0.2
System and Information Integrity | SI.2.216 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | Azure Defender for Storage should be enabled | 1.0.3
System and Information Integrity | SI.2.216 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | Azure Monitor should collect activity logs from all regions | 2.0.0
System and Information Integrity | SI.2.216 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | Azure subscriptions should have a log profile for Activity Log | 1.0.0
System and Information Integrity | SI.2.216 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | Email notification to subscription owner for high severity alerts should be enabled | 2.0.0
System and Information Integrity | SI.2.216 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | Microsoft Defender for Containers should be enabled | 1.0.0
System and Information Integrity | SI.2.216 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | Subscriptions should have a contact email address for security issues | 1.0.1
System and Information Integrity | SI.2.217 | Identify unauthorized use of organizational systems. | Activity log should be retained for at least one year | 1.0.0
System and Information Integrity | SI.2.217 | Identify unauthorized use of organizational systems. | An activity log alert should exist for specific Administrative operations | 1.0.0
System and Information Integrity | SI.2.217 | Identify unauthorized use of organizational systems. | An activity log alert should exist for specific Administrative operations | 1.0.0
System and Information Integrity | SI.2.217 | Identify unauthorized use of organizational systems. | An activity log alert should exist for specific Administrative operations | 1.0.0
System and Information Integrity | SI.2.217 | Identify unauthorized use of organizational systems. | An activity log alert should exist for specific Administrative operations | 1.0.0
System and Information Integrity | SI.2.217 | Identify unauthorized use of organizational systems. | An activity log alert should exist for specific Administrative operations | 1.0.0
System and Information Integrity | SI.2.217 | Identify unauthorized use of organizational systems. | An activity log alert should exist for specific Policy operations | 3.0.0
System and Information Integrity | SI.2.217 | Identify unauthorized use of organizational systems. | An activity log alert should exist for specific Security operations | 1.0.0
System and Information Integrity | SI.2.217 | Identify unauthorized use of organizational systems. | Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' | 1.0.0
System and Information Integrity | SI.2.217 | Identify unauthorized use of organizational systems. | Azure Monitor should collect activity logs from all regions | 2.0.0
System and Information Integrity | SI.2.217 | Identify unauthorized use of organizational systems. | Azure subscriptions should have a log profile for Activity Log | 1.0.0
System and Information Integrity | SI.2.217 | Identify unauthorized use of organizational systems. | Email notification to subscription owner for high severity alerts should be enabled | 2.0.0

FedRAMP High
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see
Azure Policy Regulatory Compliance - FedRAMP High. For more information about this compliance standard,
see FedRAMP High.

Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub)
Access Control | AC-2 | Account Management | A maximum of 3 owners should be designated for your subscription | 3.0.0
Access Control | AC-2 | Account Management | Deprecated accounts should be removed from your subscription | 3.0.0
Access Control | AC-2 | Account Management | Deprecated accounts with owner permissions should be removed from your subscription | 3.0.0
Access Control | AC-2 | Account Management | External accounts with owner permissions should be removed from your subscription | 3.0.0
Access Control | AC-2 | Account Management | External accounts with read permissions should be removed from your subscription | 3.0.0
Access Control | AC-2 | Account Management | External accounts with write permissions should be removed from your subscription | 3.0.0
Access Control | AC-2 (7) | Role-based Schemes | Service principals should be used to protect your subscriptions instead of management certificates | 1.0.0
Access Control | AC-2 (12) | Account Monitoring / Atypical Usage | Azure Defender for App Service should be enabled | 1.0.3
Access Control | AC-2 (12) | Account Monitoring / Atypical Usage | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2
Access Control | AC-2 (12) | Account Monitoring / Atypical Usage | Azure Defender for DNS should be enabled | 1.0.0
Access Control | AC-2 (12) | Account Monitoring / Atypical Usage | Azure Defender for Key Vault should be enabled | 1.0.3
Access Control | AC-2 (12) | Account Monitoring / Atypical Usage | Azure Defender for Resource Manager should be enabled | 1.0.0
Access Control | AC-2 (12) | Account Monitoring / Atypical Usage | Azure Defender for servers should be enabled | 1.0.3
Access Control | AC-2 (12) | Account Monitoring / Atypical Usage | Azure Defender for SQL servers on machines should be enabled | 1.0.2
Access Control | AC-2 (12) | Account Monitoring / Atypical Usage | Azure Defender for Storage should be enabled | 1.0.3
Access Control | AC-2 (12) | Account Monitoring / Atypical Usage | Microsoft Defender for Containers should be enabled | 1.0.0
Access Control | AC-3 | Access Enforcement | MFA should be enabled accounts with write permissions on your subscription | 3.0.0
Access Control | AC-3 | Access Enforcement | MFA should be enabled on accounts with owner permissions on your subscription | 3.0.0
Access Control | AC-3 | Access Enforcement | MFA should be enabled on accounts with read permissions on your subscription | 3.0.0
Access Control | AC-5 | Separation of Duties | There should be more than one owner assigned to your subscription | 3.0.0
Access Control | AC-6 | Least Privilege | A maximum of 3 owners should be designated for your subscription | 3.0.0
Access Control | AC-6 (7) | Review of User Privileges | A maximum of 3 owners should be designated for your subscription | 3.0.0
Audit and Accountability | AU-6 | Audit Review, Analysis, and Reporting | Azure Defender for App Service should be enabled | 1.0.3
Audit and Accountability | AU-6 | Audit Review, Analysis, and Reporting | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2
Audit and Accountability | AU-6 | Audit Review, Analysis, and Reporting | Azure Defender for DNS should be enabled | 1.0.0
Audit and Accountability | AU-6 | Audit Review, Analysis, and Reporting | Azure Defender for Key Vault should be enabled | 1.0.3
Audit and Accountability | AU-6 | Audit Review, Analysis, and Reporting | Azure Defender for Resource Manager should be enabled | 1.0.0
Audit and Accountability | AU-6 | Audit Review, Analysis, and Reporting | Azure Defender for servers should be enabled | 1.0.3
Audit and Accountability | AU-6 | Audit Review, Analysis, and Reporting | Azure Defender for SQL servers on machines should be enabled | 1.0.2
Audit and Accountability | AU-6 | Audit Review, Analysis, and Reporting | Azure Defender for Storage should be enabled | 1.0.3
Audit and Accountability | AU-6 | Audit Review, Analysis, and Reporting | Microsoft Defender for Containers should be enabled | 1.0.0
Audit and Accountability | AU-6 (4) | Central Review and Analysis | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1
Audit and Accountability | AU-6 (4) | Central Review and Analysis | Azure Defender for App Service should be enabled | 1.0.3
Audit and Accountability | AU-6 (4) | Central Review and Analysis | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2
Audit and Accountability | AU-6 (4) | Central Review and Analysis | Azure Defender for DNS should be enabled | 1.0.0
Audit and Accountability | AU-6 (4) | Central Review and Analysis | Azure Defender for Key Vault should be enabled | 1.0.3
Audit and Accountability | AU-6 (4) | Central Review and Analysis | Azure Defender for Resource Manager should be enabled | 1.0.0
Audit and Accountability | AU-6 (4) | Central Review and Analysis | Azure Defender for servers should be enabled | 1.0.3
Audit and Accountability | AU-6 (4) | Central Review and Analysis | Azure Defender for SQL servers on machines should be enabled | 1.0.2
Audit and Accountability | AU-6 (4) | Central Review and Analysis | Azure Defender for Storage should be enabled | 1.0.3
Audit and Accountability | AU-6 (4) | Central Review and Analysis | Microsoft Defender for Containers should be enabled | 1.0.0
Audit and Accountability | AU-6 (5) | Integration / Scanning and Monitoring Capabilities | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1
Audit and Accountability | AU-6 (5) | Integration / Scanning and Monitoring Capabilities | Azure Defender for App Service should be enabled | 1.0.3
Audit and Accountability | AU-6 (5) | Integration / Scanning and Monitoring Capabilities | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2
Audit and Accountability | AU-6 (5) | Integration / Scanning and Monitoring Capabilities | Azure Defender for DNS should be enabled | 1.0.0
Audit and Accountability | AU-6 (5) | Integration / Scanning and Monitoring Capabilities | Azure Defender for Key Vault should be enabled | 1.0.3
Audit and Accountability | AU-6 (5) | Integration / Scanning and Monitoring Capabilities | Azure Defender for Resource Manager should be enabled | 1.0.0
Audit and Accountability | AU-6 (5) | Integration / Scanning and Monitoring Capabilities | Azure Defender for servers should be enabled | 1.0.3
Audit and Accountability | AU-6 (5) | Integration / Scanning and Monitoring Capabilities | Azure Defender for SQL servers on machines should be enabled | 1.0.2
Audit and Accountability | AU-6 (5) | Integration / Scanning and Monitoring Capabilities | Azure Defender for Storage should be enabled | 1.0.3
Audit and Accountability | AU-6 (5) | Integration / Scanning and Monitoring Capabilities | Microsoft Defender for Containers should be enabled | 1.0.0
Audit and Accountability | AU-12 | Audit Generation | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1
Audit and Accountability | AU-12 | Audit Generation | Azure Defender for App Service should be enabled | 1.0.3
Audit and Accountability | AU-12 | Audit Generation | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2
Audit and Accountability | AU-12 | Audit Generation | Azure Defender for DNS should be enabled | 1.0.0
Audit and Accountability | AU-12 | Audit Generation | Azure Defender for Key Vault should be enabled | 1.0.3
Audit and Accountability | AU-12 | Audit Generation | Azure Defender for Resource Manager should be enabled | 1.0.0
Audit and Accountability | AU-12 | Audit Generation | Azure Defender for servers should be enabled | 1.0.3
Audit and Accountability | AU-12 | Audit Generation | Azure Defender for SQL servers on machines should be enabled | 1.0.2
Audit and Accountability | AU-12 | Audit Generation | Azure Defender for Storage should be enabled | 1.0.3
Audit and Accountability | AU-12 | Audit Generation | Microsoft Defender for Containers should be enabled | 1.0.0
Audit and Accountability | AU-12 (1) | System-wide / Time-correlated Audit Trail | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1
Audit and Accountability | AU-12 (1) | System-wide / Time-correlated Audit Trail | Azure Defender for App Service should be enabled | 1.0.3
Audit and Accountability | AU-12 (1) | System-wide / Time-correlated Audit Trail | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2
Audit and Accountability | AU-12 (1) | System-wide / Time-correlated Audit Trail | Azure Defender for DNS should be enabled | 1.0.0
Audit and Accountability | AU-12 (1) | System-wide / Time-correlated Audit Trail | Azure Defender for Key Vault should be enabled | 1.0.3
Audit and Accountability | AU-12 (1) | System-wide / Time-correlated Audit Trail | Azure Defender for Resource Manager should be enabled | 1.0.0
Audit and Accountability | AU-12 (1) | System-wide / Time-correlated Audit Trail | Azure Defender for servers should be enabled | 1.0.3
Audit and Accountability | AU-12 (1) | System-wide / Time-correlated Audit Trail | Azure Defender for SQL servers on machines should be enabled | 1.0.2
Audit and Accountability | AU-12 (1) | System-wide / Time-correlated Audit Trail | Azure Defender for Storage should be enabled | 1.0.3
Audit and Accountability | AU-12 (1) | System-wide / Time-correlated Audit Trail | Microsoft Defender for Containers should be enabled | 1.0.0
Configuration Management | CM-7 | Least Functionality | Azure Defender for servers should be enabled | 1.0.3
Contingency Planning | CP-7 | Alternate Processing Site | Audit virtual machines without disaster recovery configured | 1.0.0
Identification and Authentication | IA-2 | Identification and Authentication (organizational Users) | MFA should be enabled accounts with write permissions on your subscription | 3.0.0
Identification and Authentication | IA-2 | Identification and Authentication (organizational Users) | MFA should be enabled on accounts with owner permissions on your subscription | 3.0.0
Identification and Authentication | IA-2 | Identification and Authentication (organizational Users) | MFA should be enabled on accounts with read permissions on your subscription | 3.0.0
Identification and Authentication | IA-2 | Identification and Authentication (organizational Users) | Service principals should be used to protect your subscriptions instead of management certificates | 1.0.0
Identification and Authentication | IA-2 (1) | Network Access to Privileged Accounts | MFA should be enabled accounts with write permissions on your subscription | 3.0.0
Identification and Authentication | IA-2 (1) | Network Access to Privileged Accounts | MFA should be enabled on accounts with owner permissions on your subscription | 3.0.0
Identification and Authentication | IA-2 (2) | Network Access to Non-privileged Accounts | MFA should be enabled on accounts with read permissions on your subscription | 3.0.0
Identification and Authentication | IA-4 | Identifier Management | Service principals should be used to protect your subscriptions instead of management certificates | 1.0.0
Incident Response | IR-4 | Incident Handling | Azure Defender for App Service should be enabled | 1.0.3
Incident Response | IR-4 | Incident Handling | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2
Incident Response | IR-4 | Incident Handling | Azure Defender for DNS should be enabled | 1.0.0
Incident Response | IR-4 | Incident Handling | Azure Defender for Key Vault should be enabled | 1.0.3
Incident Response | IR-4 | Incident Handling | Azure Defender for Resource Manager should be enabled | 1.0.0
Incident Response | IR-4 | Incident Handling | Azure Defender for servers should be enabled | 1.0.3
Incident Response | IR-4 | Incident Handling | Azure Defender for SQL servers on machines should be enabled | 1.0.2
Incident Response | IR-4 | Incident Handling | Azure Defender for Storage should be enabled | 1.0.3
Incident Response | IR-4 | Incident Handling | Email notification for high severity alerts should be enabled | 1.0.1
Incident Response | IR-4 | Incident Handling | Email notification to subscription owner for high severity alerts should be enabled | 2.0.0
Incident Response | IR-4 | Incident Handling | Microsoft Defender for Containers should be enabled | 1.0.0
Incident Response | IR-4 | Incident Handling | Subscriptions should have a contact email address for security issues | 1.0.1
Incident Response | IR-5 | Incident Monitoring | Azure Defender for App Service should be enabled | 1.0.3
Incident Response | IR-5 | Incident Monitoring | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2
Incident Response | IR-5 | Incident Monitoring | Azure Defender for DNS should be enabled | 1.0.0
Incident Response | IR-5 | Incident Monitoring | Azure Defender for Key Vault should be enabled | 1.0.3
Incident Response | IR-5 | Incident Monitoring | Azure Defender for Resource Manager should be enabled | 1.0.0
Incident Response | IR-5 | Incident Monitoring | Azure Defender for servers should be enabled | 1.0.3
Incident Response | IR-5 | Incident Monitoring | Azure Defender for SQL servers on machines should be enabled | 1.0.2
Incident Response | IR-5 | Incident Monitoring | Azure Defender for Storage should be enabled | 1.0.3
Incident Response | IR-5 | Incident Monitoring | Email notification for high severity alerts should be enabled | 1.0.1
Incident Response | IR-5 | Incident Monitoring | Email notification to subscription owner for high severity alerts should be enabled | 2.0.0
Incident Response | IR-5 | Incident Monitoring | Microsoft Defender for Containers should be enabled | 1.0.0
Incident Response | IR-5 | Incident Monitoring | Subscriptions should have a contact email address for security issues | 1.0.1
Risk Assessment | RA-5 | Vulnerability Scanning | Azure Defender for App Service should be enabled | 1.0.3
Risk Assessment | RA-5 | Vulnerability Scanning | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2
Risk Assessment | RA-5 | Vulnerability Scanning | Azure Defender for DNS should be enabled | 1.0.0
Risk Assessment | RA-5 | Vulnerability Scanning | Azure Defender for Key Vault should be enabled | 1.0.3
Risk Assessment | RA-5 | Vulnerability Scanning | Azure Defender for Resource Manager should be enabled | 1.0.0
Risk Assessment | RA-5 | Vulnerability Scanning | Azure Defender for servers should be enabled | 1.0.3
Risk Assessment | RA-5 | Vulnerability Scanning | Azure Defender for SQL servers on machines should be enabled | 1.0.2
Risk Assessment | RA-5 | Vulnerability Scanning | Azure Defender for Storage should be enabled | 1.0.3
Risk Assessment | RA-5 | Vulnerability Scanning | Microsoft Defender for Containers should be enabled | 1.0.0
System and Communications Protection | SC-3 | Security Function Isolation | Azure Defender for servers should be enabled | 1.0.3
System and Information Integrity | SI-2 | Flaw Remediation | Azure Defender for App Service should be enabled | 1.0.3
System and Information Integrity | SI-2 | Flaw Remediation | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2
System and Information Integrity | SI-2 | Flaw Remediation | Azure Defender for DNS should be enabled | 1.0.0
System and Information Integrity | SI-2 | Flaw Remediation | Azure Defender for Key Vault should be enabled | 1.0.3
System and Information Integrity | SI-2 | Flaw Remediation | Azure Defender for Resource Manager should be enabled | 1.0.0
System and Information Integrity | SI-2 | Flaw Remediation | Azure Defender for servers should be enabled | 1.0.3
System and Information Integrity | SI-2 | Flaw Remediation | Azure Defender for SQL servers on machines should be enabled | 1.0.2
System and Information Integrity | SI-2 | Flaw Remediation | Azure Defender for Storage should be enabled | 1.0.3
System and Information Integrity | SI-2 | Flaw Remediation | Microsoft Defender for Containers should be enabled | 1.0.0
System and Information Integrity | SI-3 | Malicious Code Protection | Azure Defender for servers should be enabled | 1.0.3
System and Information Integrity | SI-3 (1) | Central Management | Azure Defender for servers should be enabled | 1.0.3
System and Information Integrity | SI-4 | Information System Monitoring | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1
System and Information Integrity | SI-4 | Information System Monitoring | Azure Defender for App Service should be enabled | 1.0.3
System and Information Integrity | SI-4 | Information System Monitoring | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2
System and Information Integrity | SI-4 | Information System Monitoring | Azure Defender for DNS should be enabled | 1.0.0
System and Information Integrity | SI-4 | Information System Monitoring | Azure Defender for Key Vault should be enabled | 1.0.3
System and Information Integrity | SI-4 | Information System Monitoring | Azure Defender for Resource Manager should be enabled | 1.0.0
System and Information Integrity | SI-4 | Information System Monitoring | Azure Defender for servers should be enabled | 1.0.3
System and Information Integrity | SI-4 | Information System Monitoring | Azure Defender for SQL servers on machines should be enabled | 1.0.2
System and Information Integrity | SI-4 | Information System Monitoring | Azure Defender for Storage should be enabled | 1.0.3
System and Information Integrity | SI-4 | Information System Monitoring | Microsoft Defender for Containers should be enabled | 1.0.0
System and Information Integrity | SI-16 | Memory Protection | Azure Defender for servers should be enabled | 1.0.3

FedRAMP Moderate
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see
Azure Policy Regulatory Compliance - FedRAMP Moderate. For more information about this compliance
standard, see FedRAMP Moderate.

Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub)
Access Control | AC-2 | Account Management | A maximum of 3 owners should be designated for your subscription | 3.0.0
Access Control | AC-2 | Account Management | Deprecated accounts should be removed from your subscription | 3.0.0
Access Control | AC-2 | Account Management | Deprecated accounts with owner permissions should be removed from your subscription | 3.0.0
Access Control | AC-2 | Account Management | External accounts with owner permissions should be removed from your subscription | 3.0.0
Access Control | AC-2 | Account Management | External accounts with read permissions should be removed from your subscription | 3.0.0
Access Control | AC-2 | Account Management | External accounts with write permissions should be removed from your subscription | 3.0.0
Access Control | AC-2 (7) | Role-based Schemes | Service principals should be used to protect your subscriptions instead of management certificates | 1.0.0
Access Control | AC-2 (12) | Account Monitoring / Atypical Usage | Azure Defender for App Service should be enabled | 1.0.3
Access Control | AC-2 (12) | Account Monitoring / Atypical Usage | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2
Access Control | AC-2 (12) | Account Monitoring / Atypical Usage | Azure Defender for DNS should be enabled | 1.0.0
Access Control | AC-2 (12) | Account Monitoring / Atypical Usage | Azure Defender for Key Vault should be enabled | 1.0.3
Access Control | AC-2 (12) | Account Monitoring / Atypical Usage | Azure Defender for Resource Manager should be enabled | 1.0.0
Access Control | AC-2 (12) | Account Monitoring / Atypical Usage | Azure Defender for servers should be enabled | 1.0.3
Access Control | AC-2 (12) | Account Monitoring / Atypical Usage | Azure Defender for SQL servers on machines should be enabled | 1.0.2
Access Control | AC-2 (12) | Account Monitoring / Atypical Usage | Azure Defender for Storage should be enabled | 1.0.3
Access Control | AC-2 (12) | Account Monitoring / Atypical Usage | Microsoft Defender for Containers should be enabled | 1.0.0
Access Control | AC-3 | Access Enforcement | MFA should be enabled accounts with write permissions on your subscription | 3.0.0
Access Control | AC-3 | Access Enforcement | MFA should be enabled on accounts with owner permissions on your subscription | 3.0.0
Access Control | AC-3 | Access Enforcement | MFA should be enabled on accounts with read permissions on your subscription | 3.0.0
Access Control | AC-5 | Separation of Duties | There should be more than one owner assigned to your subscription | 3.0.0
Access Control | AC-6 | Least Privilege | A maximum of 3 owners should be designated for your subscription | 3.0.0
Audit and Accountability | AU-6 | Audit Review, Analysis, and Reporting | Azure Defender for App Service should be enabled | 1.0.3
Audit and Accountability | AU-6 | Audit Review, Analysis, and Reporting | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2
Audit and Accountability | AU-6 | Audit Review, Analysis, and Reporting | Azure Defender for DNS should be enabled | 1.0.0
Audit and Accountability | AU-6 | Audit Review, Analysis, and Reporting | Azure Defender for Key Vault should be enabled | 1.0.3
Audit and Accountability | AU-6 | Audit Review, Analysis, and Reporting | Azure Defender for Resource Manager should be enabled | 1.0.0
Audit and Accountability | AU-6 | Audit Review, Analysis, and Reporting | Azure Defender for servers should be enabled | 1.0.3
Audit and Accountability | AU-6 | Audit Review, Analysis, and Reporting | Azure Defender for SQL servers on machines should be enabled | 1.0.2
Audit and Accountability | AU-6 | Audit Review, Analysis, and Reporting | Azure Defender for Storage should be enabled | 1.0.3
Audit and Accountability | AU-6 | Audit Review, Analysis, and Reporting | Microsoft Defender for Containers should be enabled | 1.0.0
Audit and Accountability | AU-12 | Audit Generation | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1
Audit and Accountability | AU-12 | Audit Generation | Azure Defender for App Service should be enabled | 1.0.3
Audit and Accountability | AU-12 | Audit Generation | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2
Audit and Accountability | AU-12 | Audit Generation | Azure Defender for DNS should be enabled | 1.0.0
Audit and Accountability | AU-12 | Audit Generation | Azure Defender for Key Vault should be enabled | 1.0.3

Audit and AU-12 Audit Generation Azure Defender for 1.0.0


Accountability Resource Manager
should be enabled

Audit and AU-12 Audit Generation Azure Defender for 1.0.3


Accountability servers should be
enabled

Audit and AU-12 Audit Generation Azure Defender for 1.0.2


Accountability SQL servers on
machines should be
enabled
P O L IC Y P O L IC Y VERSIO N
DO M A IN C O N T RO L ID C O N T RO L T IT L E

Audit and AU-12 Audit Generation Azure Defender for 1.0.3


Accountability Storage should be
enabled

Audit and AU-12 Audit Generation Microsoft Defender 1.0.0


Accountability for Containers should
be enabled

Configuration CM-7 Least Functionality Azure Defender for 1.0.3


Management servers should be
enabled

Contingency CP-7 Alternate Processing Audit virtual 1.0.0


Planning Site machines without
disaster recovery
configured

Identification and IA-2 Identification and MFA should be 3.0.0


Authentication Authentication enabled accounts
(organizational Users) with write
permissions on your
subscription

Identification and IA-2 Identification and MFA should be 3.0.0


Authentication Authentication enabled on accounts
(organizational Users) with owner
permissions on your
subscription

Identification and IA-2 Identification and MFA should be 3.0.0


Authentication Authentication enabled on accounts
(organizational Users) with read
permissions on your
subscription

Identification and IA-2 Identification and Service principals 1.0.0


Authentication Authentication should be used to
(organizational Users) protect your
subscriptions instead
of management
certificates

Identification and IA-2 (1) Network Access to MFA should be 3.0.0


Authentication Privileged Accounts enabled accounts
with write
permissions on your
subscription

Identification and IA-2 (1) Network Access to MFA should be 3.0.0


Authentication Privileged Accounts enabled on accounts
with owner
permissions on your
subscription
P O L IC Y P O L IC Y VERSIO N
DO M A IN C O N T RO L ID C O N T RO L T IT L E

Identification and IA-2 (2) Network Access to MFA should be 3.0.0


Authentication Non-privileged enabled on accounts
Accounts with read
permissions on your
subscription

Identification and IA-4 Identifier Service principals 1.0.0


Authentication Management should be used to
protect your
subscriptions instead
of management
certificates

Incident Response IR-4 Incident Handling Azure Defender for 1.0.3


App Service should
be enabled

Incident Response IR-4 Incident Handling Azure Defender for 1.0.2


Azure SQL Database
servers should be
enabled

Incident Response IR-4 Incident Handling Azure Defender for 1.0.0


DNS should be
enabled

Incident Response IR-4 Incident Handling Azure Defender for 1.0.3


Key Vault should be
enabled

Incident Response IR-4 Incident Handling Azure Defender for 1.0.0


Resource Manager
should be enabled

Incident Response IR-4 Incident Handling Azure Defender for 1.0.3


servers should be
enabled

Incident Response IR-4 Incident Handling Azure Defender for 1.0.2


SQL servers on
machines should be
enabled

Incident Response IR-4 Incident Handling Azure Defender for 1.0.3


Storage should be
enabled

Incident Response IR-4 Incident Handling Email notification for 1.0.1


high severity alerts
should be enabled

Incident Response IR-4 Incident Handling Email notification to 2.0.0


subscription owner
for high severity
alerts should be
enabled
P O L IC Y P O L IC Y VERSIO N
DO M A IN C O N T RO L ID C O N T RO L T IT L E

Incident Response IR-4 Incident Handling Microsoft Defender 1.0.0


for Containers should
be enabled

Incident Response IR-4 Incident Handling Subscriptions should 1.0.1


have a contact email
address for security
issues

Incident Response IR-5 Incident Monitoring Azure Defender for 1.0.3


App Service should
be enabled

Incident Response IR-5 Incident Monitoring Azure Defender for 1.0.2


Azure SQL Database
servers should be
enabled

Incident Response IR-5 Incident Monitoring Azure Defender for 1.0.0


DNS should be
enabled

Incident Response IR-5 Incident Monitoring Azure Defender for 1.0.3


Key Vault should be
enabled

Incident Response IR-5 Incident Monitoring Azure Defender for 1.0.0


Resource Manager
should be enabled

Incident Response IR-5 Incident Monitoring Azure Defender for 1.0.3


servers should be
enabled

Incident Response IR-5 Incident Monitoring Azure Defender for 1.0.2


SQL servers on
machines should be
enabled

Incident Response IR-5 Incident Monitoring Azure Defender for 1.0.3


Storage should be
enabled

Incident Response IR-5 Incident Monitoring Email notification for 1.0.1


high severity alerts
should be enabled
P O L IC Y P O L IC Y VERSIO N
DO M A IN C O N T RO L ID C O N T RO L T IT L E

Incident Response IR-5 Incident Monitoring Email notification to 2.0.0


subscription owner
for high severity
alerts should be
enabled

Incident Response IR-5 Incident Monitoring Microsoft Defender 1.0.0


for Containers should
be enabled

Incident Response IR-5 Incident Monitoring Subscriptions should 1.0.1


have a contact email
address for security
issues

Risk Assessment RA-5 Vulnerability Azure Defender for 1.0.3


Scanning App Service should
be enabled

Risk Assessment RA-5 Vulnerability Azure Defender for 1.0.2


Scanning Azure SQL Database
servers should be
enabled

Risk Assessment RA-5 Vulnerability Azure Defender for 1.0.0


Scanning DNS should be
enabled

Risk Assessment RA-5 Vulnerability Azure Defender for 1.0.3


Scanning Key Vault should be
enabled

Risk Assessment RA-5 Vulnerability Azure Defender for 1.0.0


Scanning Resource Manager
should be enabled

Risk Assessment RA-5 Vulnerability Azure Defender for 1.0.3


Scanning servers should be
enabled

Risk Assessment RA-5 Vulnerability Azure Defender for 1.0.2


Scanning SQL servers on
machines should be
enabled

Risk Assessment RA-5 Vulnerability Azure Defender for 1.0.3


Scanning Storage should be
enabled

Risk Assessment RA-5 Vulnerability Microsoft Defender 1.0.0


Scanning for Containers should
be enabled
P O L IC Y P O L IC Y VERSIO N
DO M A IN C O N T RO L ID C O N T RO L T IT L E

System and SI-2 Flaw Remediation Azure Defender for 1.0.3


Information Integrity App Service should
be enabled

System and SI-2 Flaw Remediation Azure Defender for 1.0.2


Information Integrity Azure SQL Database
servers should be
enabled

System and SI-2 Flaw Remediation Azure Defender for 1.0.0


Information Integrity DNS should be
enabled

System and SI-2 Flaw Remediation Azure Defender for 1.0.3


Information Integrity Key Vault should be
enabled

System and SI-2 Flaw Remediation Azure Defender for 1.0.0


Information Integrity Resource Manager
should be enabled

System and SI-2 Flaw Remediation Azure Defender for 1.0.3


Information Integrity servers should be
enabled

System and SI-2 Flaw Remediation Azure Defender for 1.0.2


Information Integrity SQL servers on
machines should be
enabled

System and SI-2 Flaw Remediation Azure Defender for 1.0.3


Information Integrity Storage should be
enabled

System and SI-2 Flaw Remediation Microsoft Defender 1.0.0


Information Integrity for Containers should
be enabled

System and SI-3 Malicious Code Azure Defender for 1.0.3


Information Integrity Protection servers should be
enabled

System and SI-3 (1) Central Management Azure Defender for 1.0.3
Information Integrity servers should be
enabled

System and SI-4 Information System Auto provisioning of 1.0.1


Information Integrity Monitoring the Log Analytics
agent should be
enabled on your
subscription

System and SI-4 Information System Azure Defender for 1.0.3


Information Integrity Monitoring App Service should
be enabled
P O L IC Y P O L IC Y VERSIO N
DO M A IN C O N T RO L ID C O N T RO L T IT L E

System and SI-4 Information System Azure Defender for 1.0.2


Information Integrity Monitoring Azure SQL Database
servers should be
enabled

System and SI-4 Information System Azure Defender for 1.0.0


Information Integrity Monitoring DNS should be
enabled

System and SI-4 Information System Azure Defender for 1.0.3


Information Integrity Monitoring Key Vault should be
enabled

System and SI-4 Information System Azure Defender for 1.0.0


Information Integrity Monitoring Resource Manager
should be enabled

System and SI-4 Information System Azure Defender for 1.0.3


Information Integrity Monitoring servers should be
enabled

System and SI-4 Information System Azure Defender for 1.0.2


Information Integrity Monitoring SQL servers on
machines should be
enabled

System and SI-4 Information System Azure Defender for 1.0.3


Information Integrity Monitoring Storage should be
enabled

System and SI-4 Information System Microsoft Defender 1.0.0


Information Integrity Monitoring for Containers should
be enabled

System and SI-16 Memory Protection Azure Defender for 1.0.3


Information Integrity servers should be
enabled

HIPAA HITRUST 9.2


To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see
Azure Policy Regulatory Compliance - HIPAA HITRUST 9.2. For more information about this compliance
standard, see HIPAA HITRUST 9.2.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Privilege Management | 1144.01c1System.4 - 01.c | The organization explicitly authorizes access to specific security relevant functions (deployed in hardware, software, and firmware) and security-relevant information. | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| Privilege Management | 1145.01c2System.1 - 01.c | Role-based access control is implemented and capable of mapping each user to one or more roles, and each role to one or more system functions. | There should be more than one owner assigned to your subscription | 3.0.0 |
| Privilege Management | 1146.01c2System.23 - 01.c | The organization promotes the development and use of programs that avoid the need to run with elevated privileges and system routines to avoid the need to grant privileges to users. | External accounts with owner permissions should be removed from your subscription | 3.0.0 |
| Privilege Management | 1147.01c2System.456 - 01.c | Elevated privileges are assigned to a different user ID from those used for normal business use, all users access privileged services in a single role, and such privileged access is minimized. | Deprecated accounts with owner permissions should be removed from your subscription | 3.0.0 |
| Privilege Management | 1151.01c3System.1 - 01.c | The organization limits authorization to privileged accounts on information systems to a pre-defined subset of users. | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| Privilege Management | 1152.01c3System.2 - 01.c | The organization audits the execution of privileged functions on information systems and ensures information systems prevent non-privileged users from executing privileged functions. | There should be more than one owner assigned to your subscription | 3.0.0 |
| Privilege Management | 1154.01c3System.4 - 01.c | Contractors are provided with minimal system and physical access only after the organization assesses the contractor's ability to comply with its security requirements and the contractor agrees to comply. | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| User Authentication for External Connections | 1116.01j1Organizational.145 - 01.j | Strong authentication methods such as multi-factor, Radius or Kerberos (for privileged access) and CHAP (for encryption of credentials for dialup methods) are implemented for all external connections to the organizations network. | MFA should be enabled on accounts with owner permissions on your subscription | 3.0.0 |
| User Authentication for External Connections | 1117.01j1Organizational.23 - 01.j | Remote access by vendors and business partners (e.g., for remote maintenance) is disabled/deactivated when not in use. | MFA should be enabled accounts with write permissions on your subscription | 3.0.0 |
| User Authentication for External Connections | 1118.01j2Organizational.124 - 01.j | Organizations implement encryption (e.g. VPN solutions or private lines) and logs remote access to the organization's network by employees, contractors or third party (e.g., vendors). | MFA should be enabled on accounts with read permissions on your subscription | 3.0.0 |
| User Authentication for External Connections | 1121.01j3Organizational.2 - 01.j | Remote administration sessions are authorized, encrypted, and employ increased security measures. | MFA should be enabled on accounts with owner permissions on your subscription | 3.0.0 |
| User Authentication for External Connections | 1173.01j1Organizational.6 - 01.j | If encryption is not used for dial-up connections, the CIO or his/her designated representative provides specific written authorization. | MFA should be enabled accounts with write permissions on your subscription | 3.0.0 |
| User Authentication for External Connections | 1174.01j1Organizational.7 - 01.j | The organization protects wireless access to systems containing sensitive information by authenticating both users and devices. | MFA should be enabled on accounts with read permissions on your subscription | 3.0.0 |
| User Authentication for External Connections | 1176.01j2Organizational.5 - 01.j | The organization requires a callback capability with re-authentication to verify dial-up connections from authorized locations. | MFA should be enabled on accounts with owner permissions on your subscription | 3.0.0 |
| User Authentication for External Connections | 1177.01j2Organizational.6 - 01.j | User IDs assigned to vendors are reviewed in accordance with the organization's access review policy, at a minimum annually. | MFA should be enabled accounts with write permissions on your subscription | 3.0.0 |
| User Authentication for External Connections | 1178.01j2Organizational.7 - 01.j | Node authentication, including cryptographic techniques (e.g., machine certificates), serves as an alternative means of authenticating groups of remote users where they are connected to a secure, shared computer facility. | MFA should be enabled on accounts with read permissions on your subscription | 3.0.0 |
| User Identification and Authentication | 11109.01q1Organizational.57 - 01.q | The organization ensures that redundant user IDs are not issued to other users and that all users are uniquely identified and authenticated for both local and remote access to information systems. | MFA should be enabled on accounts with owner permissions on your subscription | 3.0.0 |
| User Identification and Authentication | 11110.01q1Organizational.6 - 01.q | Non-organizational users (all information system users other than organizational users, such as patients, customers, contractors, or foreign nationals), or processes acting on behalf of non-organizational users, determined to need access to information residing on the organization's information systems, are uniquely identified and authenticated. | MFA should be enabled accounts with write permissions on your subscription | 3.0.0 |
| User Identification and Authentication | 11111.01q2System.4 - 01.q | When PKI-based authentication is used, the information system validates certificates by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information; enforces access to the corresponding private key; maps the identity to the corresponding account of the individual or group; and implements a local cache of revocation data to support path discovery and validation in case of an inability to access revocation information via the network. | MFA should be enabled on accounts with read permissions on your subscription | 3.0.0 |
| User Identification and Authentication | 11112.01q2Organizational.67 - 01.q | The information system employs replay-resistant authentication mechanisms such as nonce, one-time passwords, or time stamps to secure network access for privileged accounts; and, for hardware token-based authentication, employs mechanisms that satisfy minimum token requirements discussed in NIST SP 800-63-2, Electronic Authentication Guideline. | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| User Identification and Authentication | 11208.01q1Organizational.8 - 01.q | The organization requires that electronic signatures, unique to one individual, cannot be reused by, or reassigned to, anyone else. | There should be more than one owner assigned to your subscription | 3.0.0 |
| Monitoring System Use | 1120.09ab3System.9 - 09.ab | Unauthorized remote connections to the information systems are monitored and reviewed at least quarterly, and appropriate action is taken if an unauthorized connection is discovered. | Azure Monitor should collect activity logs from all regions | 2.0.0 |
| Monitoring System Use | 1212.09ab1System.1 - 09.ab | All applicable legal requirements related to monitoring authorized access and unauthorized access attempts are met. | Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' | 1.0.0 |
| Monitoring System Use | 1213.09ab2System.128 - 09.ab | Automated systems deployed throughout the organization's environment are used to monitor key events and anomalous activity, and analyze system logs, the results of which are reviewed regularly. | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1 |
| Monitoring System Use | 1214.09ab2System.3456 - 09.ab | Monitoring includes privileged operations, authorized access or unauthorized access attempts, including attempts to access deactivated accounts, and system alerts or failures. | Azure Monitor should collect activity logs from all regions | 2.0.0 |
| Monitoring System Use | 1219.09ab3System.10 - 09.ab | The information system is able to automatically process audit records for events of interest based on selectable criteria. | Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' | 1.0.0 |
| Monitoring System Use | 1220.09ab3System.56 - 09.ab | Monitoring includes inbound and outbound communications and file integrity monitoring. | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1 |
| Administrator and Operator Logs | 1270.09ad1System.12 - 09.ad | The organization ensures proper logging is enabled in order to audit administrator activities; and reviews system administrator and operator logs on a regular basis. | An activity log alert should exist for specific Administrative operations | 1.0.0 |
| Administrator and Operator Logs | 1271.09ad1System.1 - 09.ad | An intrusion detection system managed outside of the control of system and network administrators is used to monitor system and network administration activities for compliance. | An activity log alert should exist for specific Administrative operations | 1.0.0 |
| Business Continuity and Risk Assessment | 1634.12b1Organizational.1 - 12.b | The organization identifies the critical business processes requiring business continuity. | Audit virtual machines without disaster recovery configured | 1.0.0 |
| Business Continuity and Risk Assessment | 1638.12b2Organizational.345 - 12.b | Business continuity risk assessments (i) are carried out annually with full involvement from owners of business resources and processes; (ii) consider all business processes and is not limited to the information assets, but includes the results specific to information security; and (iii) identifies, quantifies, and prioritizes risks against key business objectives and criteria relevant to the organization, including critical resources, impacts of disruptions, allowable outage times, and recovery priorities. | Audit virtual machines without disaster recovery configured | 1.0.0 |

IRS 1075 September 2016


To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see
Azure Policy Regulatory Compliance - IRS 1075 September 2016. For more information about this compliance
standard, see IRS 1075 September 2016.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | 9.3.1.2 | Account Management (AC-2) | Deprecated accounts should be removed from your subscription | 3.0.0 |
| Access Control | 9.3.1.2 | Account Management (AC-2) | Deprecated accounts with owner permissions should be removed from your subscription | 3.0.0 |
| Access Control | 9.3.1.2 | Account Management (AC-2) | External accounts with owner permissions should be removed from your subscription | 3.0.0 |
| Access Control | 9.3.1.2 | Account Management (AC-2) | External accounts with read permissions should be removed from your subscription | 3.0.0 |
| Access Control | 9.3.1.2 | Account Management (AC-2) | External accounts with write permissions should be removed from your subscription | 3.0.0 |
| Access Control | 9.3.1.5 | Separation of Duties (AC-5) | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| Access Control | 9.3.1.5 | Separation of Duties (AC-5) | There should be more than one owner assigned to your subscription | 3.0.0 |
| Access Control | 9.3.1.6 | Least Privilege (AC-6) | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| Access Control | 9.3.1.6 | Least Privilege (AC-6) | There should be more than one owner assigned to your subscription | 3.0.0 |
| Contingency Planning | 9.3.6.6 | Alternate Processing Site (CP-7) | Audit virtual machines without disaster recovery configured | 1.0.0 |
| Identification and Authentication | 9.3.7.2 | Identification and Authentication (Organizational Users) (IA-2) | MFA should be enabled accounts with write permissions on your subscription | 3.0.0 |
| Identification and Authentication | 9.3.7.2 | Identification and Authentication (Organizational Users) (IA-2) | MFA should be enabled on accounts with owner permissions on your subscription | 3.0.0 |
| Identification and Authentication | 9.3.7.2 | Identification and Authentication (Organizational Users) (IA-2) | MFA should be enabled on accounts with read permissions on your subscription | 3.0.0 |

ISO 27001:2013

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see
Azure Policy Regulatory Compliance - ISO 27001:2013. For more information about this compliance standard,
see ISO 27001:2013.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Organization of information security | 6.1.2 | Segregation of Duties | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| Organization of information security | 6.1.2 | Segregation of Duties | There should be more than one owner assigned to your subscription | 3.0.0 |
| Access control | 9.2.3 | Management of privileged access rights | External accounts with owner permissions should be removed from your subscription | 3.0.0 |
| Access control | 9.2.3 | Management of privileged access rights | External accounts with write permissions should be removed from your subscription | 3.0.0 |
| Access control | 9.2.3 | Management of privileged access rights | MFA should be enabled accounts with write permissions on your subscription | 3.0.0 |
| Access control | 9.2.3 | Management of privileged access rights | MFA should be enabled on accounts with owner permissions on your subscription | 3.0.0 |
| Access control | 9.2.4 | Management of secret authentication information of users | MFA should be enabled accounts with write permissions on your subscription | 3.0.0 |
| Access control | 9.2.4 | Management of secret authentication information of users | MFA should be enabled on accounts with owner permissions on your subscription | 3.0.0 |
| Access control | 9.2.4 | Management of secret authentication information of users | MFA should be enabled on accounts with read permissions on your subscription | 3.0.0 |
| Access control | 9.2.5 | Review of user access rights | Deprecated accounts should be removed from your subscription | 3.0.0 |
| Access control | 9.2.5 | Review of user access rights | Deprecated accounts with owner permissions should be removed from your subscription | 3.0.0 |
| Access control | 9.2.5 | Review of user access rights | External accounts with owner permissions should be removed from your subscription | 3.0.0 |
| Access control | 9.2.5 | Review of user access rights | External accounts with write permissions should be removed from your subscription | 3.0.0 |
| Access control | 9.2.6 | Removal or adjustment of access rights | Deprecated accounts should be removed from your subscription | 3.0.0 |
| Access control | 9.2.6 | Removal or adjustment of access rights | Deprecated accounts with owner permissions should be removed from your subscription | 3.0.0 |
| Access control | 9.4.2 | Secure log-on procedures | MFA should be enabled accounts with write permissions on your subscription | 3.0.0 |
| Access control | 9.4.2 | Secure log-on procedures | MFA should be enabled on accounts with owner permissions on your subscription | 3.0.0 |
| Access control | 9.4.2 | Secure log-on procedures | MFA should be enabled on accounts with read permissions on your subscription | 3.0.0 |

New Zealand ISM Restricted


To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see
Azure Policy Regulatory Compliance - New Zealand ISM Restricted. For more information about this compliance
standard, see New Zealand ISM Restricted.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Information security monitoring | ISM-7 | 6.4.5 Availability requirements | Audit virtual machines without disaster recovery configured | 1.0.0 |
| Software security | SS-3 | 14.1.9 Maintaining hardened SOEs | Azure Defender for App Service should be enabled | 1.0.3 |
| Software security | SS-3 | 14.1.9 Maintaining hardened SOEs | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Software security | SS-3 | 14.1.9 Maintaining hardened SOEs | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Software security | SS-3 | 14.1.9 Maintaining hardened SOEs | Azure Defender for servers should be enabled | 1.0.3 |
| Software security | SS-3 | 14.1.9 Maintaining hardened SOEs | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Software security | SS-3 | 14.1.9 Maintaining hardened SOEs | Azure Defender for Storage should be enabled | 1.0.3 |
| Software security | SS-3 | 14.1.9 Maintaining hardened SOEs | Microsoft Defender for Containers should be enabled | 1.0.0 |
| Access Control and Passwords | AC-3 | 16.1.35 Methods for system user identification and authentication | MFA should be enabled on accounts with read permissions on your subscription | 3.0.0 |
| Access Control and Passwords | AC-5 | 16.1.46 Suspension of access | Deprecated accounts should be removed from your subscription | 3.0.0 |
| Access Control and Passwords | AC-5 | 16.1.46 Suspension of access | Deprecated accounts with owner permissions should be removed from your subscription | 3.0.0 |
| Access Control and Passwords | AC-9 | 16.3.5 Use of Privileged Accounts | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| Access Control and Passwords | AC-11 | 16.4.30 Privileged Access Management | External accounts with owner permissions should be removed from your subscription | 3.0.0 |
| Access Control and Passwords | AC-11 | 16.4.30 Privileged Access Management | External accounts with write permissions should be removed from your subscription | 3.0.0 |
| Access Control and Passwords | AC-11 | 16.4.30 Privileged Access Management | MFA should be enabled accounts with write permissions on your subscription | 3.0.0 |
| Access Control and Passwords | AC-11 | 16.4.30 Privileged Access Management | MFA should be enabled on accounts with owner permissions on your subscription | 3.0.0 |
| Access Control and Passwords | AC-11 | 16.4.30 Privileged Access Management | There should be more than one owner assigned to your subscription | 3.0.0 |

NIST SP 800-53 Rev. 5


To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see
Azure Policy Regulatory Compliance - NIST SP 800-53 Rev. 5. For more information about this compliance
standard, see NIST SP 800-53 Rev. 5.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | AC-2 | Account Management | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| Access Control | AC-2 | Account Management | Deprecated accounts should be removed from your subscription | 3.0.0 |
| Access Control | AC-2 | Account Management | Deprecated accounts with owner permissions should be removed from your subscription | 3.0.0 |
| Access Control | AC-2 | Account Management | External accounts with owner permissions should be removed from your subscription | 3.0.0 |
| Access Control | AC-2 | Account Management | External accounts with read permissions should be removed from your subscription | 3.0.0 |
| Access Control | AC-2 | Account Management | External accounts with write permissions should be removed from your subscription | 3.0.0 |
| Access Control | AC-2 (7) | Privileged User Accounts | Service principals should be used to protect your subscriptions instead of management certificates | 1.0.0 |
| Access Control | AC-2 (12) | Account Monitoring for Atypical Usage | Azure Defender for App Service should be enabled | 1.0.3 |
| Access Control | AC-2 (12) | Account Monitoring for Atypical Usage | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2 |
| Access Control | AC-2 (12) | Account Monitoring for Atypical Usage | Azure Defender for DNS should be enabled | 1.0.0 |
| Access Control | AC-2 (12) | Account Monitoring for Atypical Usage | Azure Defender for Key Vault should be enabled | 1.0.3 |
| Access Control | AC-2 (12) | Account Monitoring for Atypical Usage | Azure Defender for Resource Manager should be enabled | 1.0.0 |
| Access Control | AC-2 (12) | Account Monitoring for Atypical Usage | Azure Defender for servers should be enabled | 1.0.3 |
| Access Control | AC-2 (12) | Account Monitoring for Atypical Usage | Azure Defender for SQL servers on machines should be enabled | 1.0.2 |
| Access Control | AC-2 (12) | Account Monitoring for Atypical Usage | Azure Defender for Storage should be enabled | 1.0.3 |
| Access Control | AC-2 (12) | Account Monitoring for Atypical Usage | Microsoft Defender for Containers should be enabled | 1.0.0 |
| Access Control | AC-3 | Access Enforcement | MFA should be enabled accounts with write permissions on your subscription | 3.0.0 |
| Access Control | AC-3 | Access Enforcement | MFA should be enabled on accounts with owner permissions on your subscription | 3.0.0 |
| Access Control | AC-3 | Access Enforcement | MFA should be enabled on accounts with read permissions on your subscription | 3.0.0 |
| Access Control | AC-5 | Separation of Duties | There should be more than one owner assigned to your subscription | 3.0.0 |
| Access Control | AC-6 | Least Privilege | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| Access Control | AC-6 (7) | Review of User Privileges | A maximum of 3 owners should be designated for your subscription | 3.0.0 |
| Audit and Accountability | AU-6 | Audit Record Review, Analysis, and Reporting | Azure Defender for App Service should be enabled | 1.0.3 |
Audit and AU-6 Audit Record Review, Azure Defender for 1.0.2
Accountability Analysis, and Azure SQL Database
Reporting servers should be
enabled

Audit and AU-6 Audit Record Review, Azure Defender for 1.0.0
Accountability Analysis, and DNS should be
Reporting enabled

Audit and AU-6 Audit Record Review, Azure Defender for 1.0.3
Accountability Analysis, and Key Vault should be
Reporting enabled

Audit and AU-6 Audit Record Review, Azure Defender for 1.0.0
Accountability Analysis, and Resource Manager
Reporting should be enabled

Audit and AU-6 Audit Record Review, Azure Defender for 1.0.3
Accountability Analysis, and servers should be
Reporting enabled

Audit and AU-6 Audit Record Review, Azure Defender for 1.0.2
Accountability Analysis, and SQL servers on
Reporting machines should be
enabled
P O L IC Y P O L IC Y VERSIO N
DO M A IN C O N T RO L ID C O N T RO L T IT L E

Audit and AU-6 Audit Record Review, Azure Defender for 1.0.3
Accountability Analysis, and Storage should be
Reporting enabled

Audit and AU-6 Audit Record Review, Microsoft Defender 1.0.0


Accountability Analysis, and for Containers should
Reporting be enabled

Audit and AU-6 (4) Central Review and Auto provisioning of 1.0.1
Accountability Analysis the Log Analytics
agent should be
enabled on your
subscription

Audit and AU-6 (4) Central Review and Azure Defender for 1.0.3
Accountability Analysis App Service should
be enabled

Audit and AU-6 (4) Central Review and Azure Defender for 1.0.2
Accountability Analysis Azure SQL Database
servers should be
enabled

Audit and AU-6 (4) Central Review and Azure Defender for 1.0.0
Accountability Analysis DNS should be
enabled

Audit and AU-6 (4) Central Review and Azure Defender for 1.0.3
Accountability Analysis Key Vault should be
enabled

Audit and AU-6 (4) Central Review and Azure Defender for 1.0.0
Accountability Analysis Resource Manager
should be enabled

Audit and AU-6 (4) Central Review and Azure Defender for 1.0.3
Accountability Analysis servers should be
enabled

Audit and AU-6 (4) Central Review and Azure Defender for 1.0.2
Accountability Analysis SQL servers on
machines should be
enabled

Audit and AU-6 (4) Central Review and Azure Defender for 1.0.3
Accountability Analysis Storage should be
enabled
P O L IC Y P O L IC Y VERSIO N
DO M A IN C O N T RO L ID C O N T RO L T IT L E

Audit and AU-6 (4) Central Review and Microsoft Defender 1.0.0
Accountability Analysis for Containers should
be enabled

Audit and AU-6 (5) Integrated Analysis Auto provisioning of 1.0.1


Accountability of Audit Records the Log Analytics
agent should be
enabled on your
subscription

Audit and AU-6 (5) Integrated Analysis Azure Defender for 1.0.3
Accountability of Audit Records App Service should
be enabled

Audit and AU-6 (5) Integrated Analysis Azure Defender for 1.0.2
Accountability of Audit Records Azure SQL Database
servers should be
enabled

Audit and AU-6 (5) Integrated Analysis Azure Defender for 1.0.0
Accountability of Audit Records DNS should be
enabled

Audit and AU-6 (5) Integrated Analysis Azure Defender for 1.0.3
Accountability of Audit Records Key Vault should be
enabled

Audit and AU-6 (5) Integrated Analysis Azure Defender for 1.0.0
Accountability of Audit Records Resource Manager
should be enabled

Audit and AU-6 (5) Integrated Analysis Azure Defender for 1.0.3
Accountability of Audit Records servers should be
enabled

Audit and AU-6 (5) Integrated Analysis Azure Defender for 1.0.2
Accountability of Audit Records SQL servers on
machines should be
enabled

Audit and AU-6 (5) Integrated Analysis Azure Defender for 1.0.3
Accountability of Audit Records Storage should be
enabled

Audit and AU-6 (5) Integrated Analysis Microsoft Defender 1.0.0


Accountability of Audit Records for Containers should
be enabled

Audit and AU-12 Audit Record Auto provisioning of 1.0.1


Accountability Generation the Log Analytics
agent should be
enabled on your
subscription
P O L IC Y P O L IC Y VERSIO N
DO M A IN C O N T RO L ID C O N T RO L T IT L E

Audit and AU-12 Audit Record Azure Defender for 1.0.3


Accountability Generation App Service should
be enabled

Audit and AU-12 Audit Record Azure Defender for 1.0.2


Accountability Generation Azure SQL Database
servers should be
enabled

Audit and AU-12 Audit Record Azure Defender for 1.0.0


Accountability Generation DNS should be
enabled

Audit and AU-12 Audit Record Azure Defender for 1.0.3


Accountability Generation Key Vault should be
enabled

Audit and AU-12 Audit Record Azure Defender for 1.0.0


Accountability Generation Resource Manager
should be enabled

Audit and AU-12 Audit Record Azure Defender for 1.0.3


Accountability Generation servers should be
enabled

Audit and AU-12 Audit Record Azure Defender for 1.0.2


Accountability Generation SQL servers on
machines should be
enabled

Audit and AU-12 Audit Record Azure Defender for 1.0.3


Accountability Generation Storage should be
enabled

Audit and AU-12 Audit Record Microsoft Defender 1.0.0


Accountability Generation for Containers should
be enabled

Audit and AU-12 (1) System-wide and Auto provisioning of 1.0.1


Accountability Time-correlated the Log Analytics
Audit Trail agent should be
enabled on your
subscription

Audit and AU-12 (1) System-wide and Azure Defender for 1.0.3
Accountability Time-correlated App Service should
Audit Trail be enabled

Audit and AU-12 (1) System-wide and Azure Defender for 1.0.2
Accountability Time-correlated Azure SQL Database
Audit Trail servers should be
enabled
P O L IC Y P O L IC Y VERSIO N
DO M A IN C O N T RO L ID C O N T RO L T IT L E

Audit and AU-12 (1) System-wide and Azure Defender for 1.0.0
Accountability Time-correlated DNS should be
Audit Trail enabled

Audit and AU-12 (1) System-wide and Azure Defender for 1.0.3
Accountability Time-correlated Key Vault should be
Audit Trail enabled

Audit and AU-12 (1) System-wide and Azure Defender for 1.0.0
Accountability Time-correlated Resource Manager
Audit Trail should be enabled

Audit and AU-12 (1) System-wide and Azure Defender for 1.0.3
Accountability Time-correlated servers should be
Audit Trail enabled

Audit and AU-12 (1) System-wide and Azure Defender for 1.0.2
Accountability Time-correlated SQL servers on
Audit Trail machines should be
enabled

Audit and AU-12 (1) System-wide and Azure Defender for 1.0.3
Accountability Time-correlated Storage should be
Audit Trail enabled

Audit and AU-12 (1) System-wide and Microsoft Defender 1.0.0


Accountability Time-correlated for Containers should
Audit Trail be enabled

Configuration CM-7 Least Functionality Azure Defender for 1.0.3


Management servers should be
enabled

Contingency CP-7 Alternate Processing Audit virtual 1.0.0


Planning Site machines without
disaster recovery
configured

Identification and IA-2 Identification and MFA should be 3.0.0


Authentication Authentication enabled accounts
(organizational Users) with write
permissions on your
subscription

Identification and IA-2 Identification and MFA should be 3.0.0


Authentication Authentication enabled on accounts
(organizational Users) with owner
permissions on your
subscription

Identification and IA-2 Identification and MFA should be 3.0.0


Authentication Authentication enabled on accounts
(organizational Users) with read
permissions on your
subscription
P O L IC Y P O L IC Y VERSIO N
DO M A IN C O N T RO L ID C O N T RO L T IT L E

Identification and IA-2 Identification and Service principals 1.0.0


Authentication Authentication should be used to
(organizational Users) protect your
subscriptions instead
of management
certificates

Identification and IA-2 (1) Multi-factor MFA should be 3.0.0


Authentication Authentication to enabled accounts
Privileged Accounts with write
permissions on your
subscription

Identification and IA-2 (1) Multi-factor MFA should be 3.0.0


Authentication Authentication to enabled on accounts
Privileged Accounts with owner
permissions on your
subscription

Identification and IA-2 (2) Multi-factor MFA should be 3.0.0


Authentication Authentication to enabled on accounts
Non-privileged with read
Accounts permissions on your
subscription

Identification and IA-4 Identifier Service principals 1.0.0


Authentication Management should be used to
protect your
subscriptions instead
of management
certificates

Identification and IA-5 (1) Password-based Azure Defender for 1.0.3


Authentication Authentication App Service should
be enabled

Identification and IA-5 (1) Password-based Azure Defender for 1.0.2


Authentication Authentication Azure SQL Database
servers should be
enabled

Identification and IA-5 (1) Password-based Azure Defender for 1.0.0


Authentication Authentication DNS should be
enabled

Identification and IA-5 (1) Password-based Azure Defender for 1.0.3


Authentication Authentication Key Vault should be
enabled

Identification and IA-5 (1) Password-based Azure Defender for 1.0.0


Authentication Authentication Resource Manager
should be enabled

Identification and IA-5 (1) Password-based Azure Defender for 1.0.3


Authentication Authentication servers should be
enabled
P O L IC Y P O L IC Y VERSIO N
DO M A IN C O N T RO L ID C O N T RO L T IT L E

Identification and IA-5 (1) Password-based Azure Defender for 1.0.2


Authentication Authentication SQL servers on
machines should be
enabled

Identification and IA-5 (1) Password-based Azure Defender for 1.0.3


Authentication Authentication Storage should be
enabled

Identification and IA-5 (1) Password-based Email notification for 1.0.1


Authentication Authentication high severity alerts
should be enabled

Identification and IA-5 (1) Password-based Email notification to 2.0.0


Authentication Authentication subscription owner
for high severity
alerts should be
enabled

Identification and IA-5 (1) Password-based Microsoft Defender 1.0.0


Authentication Authentication for Containers should
be enabled

Identification and IA-5 (1) Password-based Subscriptions should 1.0.1


Authentication Authentication have a contact email
address for security
issues

Incident Response IR-5 Incident Monitoring Azure Defender for 1.0.3


App Service should
be enabled

Incident Response IR-5 Incident Monitoring Azure Defender for 1.0.2


Azure SQL Database
servers should be
enabled

Incident Response IR-5 Incident Monitoring Azure Defender for 1.0.0


DNS should be
enabled

Incident Response IR-5 Incident Monitoring Azure Defender for 1.0.3


Key Vault should be
enabled

Incident Response IR-5 Incident Monitoring Azure Defender for 1.0.0


Resource Manager
should be enabled

Incident Response IR-5 Incident Monitoring Azure Defender for 1.0.3


servers should be
enabled
P O L IC Y P O L IC Y VERSIO N
DO M A IN C O N T RO L ID C O N T RO L T IT L E

Incident Response IR-5 Incident Monitoring Azure Defender for 1.0.2


SQL servers on
machines should be
enabled

Incident Response IR-5 Incident Monitoring Azure Defender for 1.0.3


Storage should be
enabled

Incident Response IR-5 Incident Monitoring Email notification for 1.0.1


high severity alerts
should be enabled

Incident Response IR-5 Incident Monitoring Email notification to 2.0.0


subscription owner
for high severity
alerts should be
enabled

Incident Response IR-5 Incident Monitoring Microsoft Defender 1.0.0


for Containers should
be enabled

Incident Response IR-5 Incident Monitoring Subscriptions should 1.0.1


have a contact email
address for security
issues

Incident Response IR-6 (2) Vulnerabilities Related Email notification for 1.0.1
to Incidents high severity alerts
should be enabled

Incident Response IR-6 (2) Vulnerabilities Related Email notification to 2.0.0


to Incidents subscription owner
for high severity
alerts should be
enabled

Incident Response IR-6 (2) Vulnerabilities Related Subscriptions should 1.0.1


to Incidents have a contact email
address for security
issues

Risk Assessment RA-5 Vulnerability Azure Defender for 1.0.3


Monitoring and App Service should
Scanning be enabled

Risk Assessment RA-5 Vulnerability Azure Defender for 1.0.2


Monitoring and Azure SQL Database
Scanning servers should be
enabled

Risk Assessment RA-5 Vulnerability Azure Defender for 1.0.0


Monitoring and DNS should be
Scanning enabled
P O L IC Y P O L IC Y VERSIO N
DO M A IN C O N T RO L ID C O N T RO L T IT L E

Risk Assessment RA-5 Vulnerability Azure Defender for 1.0.3


Monitoring and Key Vault should be
Scanning enabled

Risk Assessment RA-5 Vulnerability Azure Defender for 1.0.0


Monitoring and Resource Manager
Scanning should be enabled

Risk Assessment RA-5 Vulnerability Azure Defender for 1.0.3


Monitoring and servers should be
Scanning enabled

Risk Assessment RA-5 Vulnerability Azure Defender for 1.0.2


Monitoring and SQL servers on
Scanning machines should be
enabled

Risk Assessment RA-5 Vulnerability Azure Defender for 1.0.3


Monitoring and Storage should be
Scanning enabled

Risk Assessment RA-5 Vulnerability Microsoft Defender 1.0.0


Monitoring and for Containers should
Scanning be enabled

System and SC-3 Security Function Azure Defender for 1.0.3


Communications Isolation servers should be
Protection enabled

System and SI-2 Flaw Remediation Azure Defender for 1.0.3


Information Integrity App Service should
be enabled

System and SI-2 Flaw Remediation Azure Defender for 1.0.2


Information Integrity Azure SQL Database
servers should be
enabled

System and SI-2 Flaw Remediation Azure Defender for 1.0.0


Information Integrity DNS should be
enabled

System and SI-2 Flaw Remediation Azure Defender for 1.0.3


Information Integrity Key Vault should be
enabled

System and SI-2 Flaw Remediation Azure Defender for 1.0.0


Information Integrity Resource Manager
should be enabled

System and SI-2 Flaw Remediation Azure Defender for 1.0.3


Information Integrity servers should be
enabled
P O L IC Y P O L IC Y VERSIO N
DO M A IN C O N T RO L ID C O N T RO L T IT L E

System and SI-2 Flaw Remediation Azure Defender for 1.0.2


Information Integrity SQL servers on
machines should be
enabled

System and SI-2 Flaw Remediation Azure Defender for 1.0.3


Information Integrity Storage should be
enabled

System and SI-2 Flaw Remediation Microsoft Defender 1.0.0


Information Integrity for Containers should
be enabled

System and SI-3 Malicious Code Azure Defender for 1.0.3


Information Integrity Protection servers should be
enabled

System and SI-4 System Monitoring Auto provisioning of 1.0.1


Information Integrity the Log Analytics
agent should be
enabled on your
subscription

System and SI-4 System Monitoring Azure Defender for 1.0.3


Information Integrity App Service should
be enabled

System and SI-4 System Monitoring Azure Defender for 1.0.2


Information Integrity Azure SQL Database
servers should be
enabled

System and SI-4 System Monitoring Azure Defender for 1.0.0


Information Integrity DNS should be
enabled

System and SI-4 System Monitoring Azure Defender for 1.0.3


Information Integrity Key Vault should be
enabled

System and SI-4 System Monitoring Azure Defender for 1.0.0


Information Integrity Resource Manager
should be enabled

System and SI-4 System Monitoring Azure Defender for 1.0.3


Information Integrity servers should be
enabled

System and SI-4 System Monitoring Azure Defender for 1.0.2


Information Integrity SQL servers on
machines should be
enabled
P O L IC Y P O L IC Y VERSIO N
DO M A IN C O N T RO L ID C O N T RO L T IT L E

System and SI-4 System Monitoring Azure Defender for 1.0.3


Information Integrity Storage should be
enabled

System and SI-4 System Monitoring Microsoft Defender 1.0.0


Information Integrity for Containers should
be enabled

System and SI-4 (12) Automated Email notification for 1.0.1


Information Integrity Organization- high severity alerts
generated Alerts should be enabled

System and SI-4 (12) Automated Email notification to 2.0.0


Information Integrity Organization- subscription owner
generated Alerts for high severity
alerts should be
enabled

System and SI-4 (12) Automated Subscriptions should 1.0.1


Information Integrity Organization- have a contact email
generated Alerts address for security
issues

System and SI-16 Memory Protection Azure Defender for 1.0.3


Information Integrity servers should be
enabled

RMIT Malaysia
To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see
Azure Policy Regulatory Compliance - RMIT Malaysia. For more information about this compliance standard, see
RMIT Malaysia.

Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub)
--- | --- | --- | --- | ---
Cryptography | RMiT 10.19 | Cryptography - 10.19 | Azure Defender for Key Vault should be enabled | 1.0.3
Cryptography | RMiT 10.19 | Cryptography - 10.19 | Service principals should be used to protect your subscriptions instead of management certificates | 1.0.0
Network Resilience | RMiT 10.38 | Network Resilience - 10.38 | Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with custom workspace. | 1.0.0
Network Resilience | RMiT 10.38 | Network Resilience - 10.38 | Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with default workspace. | 1.0.0
Cloud Services | RMiT 10.51 | Cloud Services - 10.51 | Audit virtual machines without disaster recovery configured | 1.0.0
Access Control | RMiT 10.54 | Access Control - 10.54 | Deprecated accounts should be removed from your subscription | 3.0.0
Access Control | RMiT 10.54 | Access Control - 10.54 | Deprecated accounts with owner permissions should be removed from your subscription | 3.0.0
Access Control | RMiT 10.54 | Access Control - 10.54 | External accounts with owner permissions should be removed from your subscription | 3.0.0
Access Control | RMiT 10.54 | Access Control - 10.54 | External accounts with read permissions should be removed from your subscription | 3.0.0
Access Control | RMiT 10.54 | Access Control - 10.54 | External accounts with write permissions should be removed from your subscription | 3.0.0
Access Control | RMiT 10.54 | Access Control - 10.54 | MFA should be enabled accounts with write permissions on your subscription | 3.0.0
Access Control | RMiT 10.54 | Access Control - 10.54 | MFA should be enabled on accounts with owner permissions on your subscription | 3.0.0
Access Control | RMiT 10.54 | Access Control - 10.54 | MFA should be enabled on accounts with read permissions on your subscription | 3.0.0
Access Control | RMiT 10.58 | Access Control - 10.58 | MFA should be enabled accounts with write permissions on your subscription | 3.0.0
Access Control | RMiT 10.58 | Access Control - 10.58 | MFA should be enabled on accounts with owner permissions on your subscription | 3.0.0
Access Control | RMiT 10.58 | Access Control - 10.58 | MFA should be enabled on accounts with read permissions on your subscription | 3.0.0
Access Control | RMiT 10.61 | Access Control - 10.61 | Deprecated accounts should be removed from your subscription | 3.0.0
Access Control | RMiT 10.61 | Access Control - 10.61 | Deprecated accounts with owner permissions should be removed from your subscription | 3.0.0
Access Control | RMiT 10.61 | Access Control - 10.61 | MFA should be enabled on accounts with owner permissions on your subscription | 3.0.0
Access Control | RMiT 10.61 | Access Control - 10.61 | MFA should be enabled on accounts with read permissions on your subscription | 3.0.0
Security of Digital Services | RMiT 10.66 | Security of Digital Services - 10.66 | Activity log should be retained for at least one year | 1.0.0
Security of Digital Services | RMiT 10.66 | Security of Digital Services - 10.66 | Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' | 1.0.0
Security of Digital Services | RMiT 10.66 | Security of Digital Services - 10.66 | Azure Monitor should collect activity logs from all regions | 2.0.0
Security of Digital Services | RMiT 10.66 | Security of Digital Services - 10.66 | Azure Monitor solution 'Security and Audit' must be deployed | 1.0.0
Security of Digital Services | RMiT 10.66 | Security of Digital Services - 10.66 | Azure subscriptions should have a log profile for Activity Log | 1.0.0
Security Operations Centre (SOC) | RMiT 11.17 | Security Operations Centre (SOC) - 11.17 | Email notification to subscription owner for high severity alerts should be enabled | 2.0.0
Security Operations Centre (SOC) | RMiT 11.17 | Security Operations Centre (SOC) - 11.17 | Email notification to subscription owner for high severity alerts should be enabled | 2.0.0
Security Operations Centre (SOC) | RMiT 11.18 | Security Operations Centre (SOC) - 11.18 | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1
Security Operations Centre (SOC) | RMiT 11.18 | Security Operations Centre (SOC) - 11.18 | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1
Security Operations Centre (SOC) | RMiT 11.18 | Security Operations Centre (SOC) - 11.18 | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2
Security Operations Centre (SOC) | RMiT 11.18 | Security Operations Centre (SOC) - 11.18 | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2
Security Operations Centre (SOC) | RMiT 11.18 | Security Operations Centre (SOC) - 11.18 | Email notification for high severity alerts should be enabled | 1.0.1
Security Operations Centre (SOC) | RMiT 11.18 | Security Operations Centre (SOC) - 11.18 | Email notification for high severity alerts should be enabled | 1.0.1
Security Operations Centre (SOC) | RMiT 11.18 | Security Operations Centre (SOC) - 11.18 | Subscriptions should have a contact email address for security issues | 1.0.1
Security Operations Centre (SOC) | RMiT 11.18 | Security Operations Centre (SOC) - 11.18 | Subscriptions should have a contact email address for security issues | 1.0.1
Cybersecurity Operations | RMiT 11.5 | Cybersecurity Operations - 11.5 | Azure Defender for App Service should be enabled | 1.0.3
Cybersecurity Operations | RMiT 11.5 | Cybersecurity Operations - 11.5 | Azure Defender for servers should be enabled | 1.0.3
Cybersecurity Operations | RMiT 11.5 | Cybersecurity Operations - 11.5 | Azure Defender for SQL servers on machines should be enabled | 1.0.2
Cybersecurity Operations | RMiT 11.5 | Cybersecurity Operations - 11.5 | Azure Defender for Storage should be enabled | 1.0.3
Cybersecurity Operations | RMiT 11.5 | Cybersecurity Operations - 11.5 | Microsoft Defender for Containers should be enabled | 1.0.0
Control Measures on Cybersecurity | RMiT Appendix 5.7 | Control Measures on Cybersecurity - Appendix 5.7 | Auto provisioning of the Log Analytics agent should be enabled on your subscription | 1.0.1
Control Measures on Cybersecurity | RMiT Appendix 5.7 | Control Measures on Cybersecurity - Appendix 5.7 | Azure Defender for Azure SQL Database servers should be enabled | 1.0.2
Control Measures on Cybersecurity | RMiT Appendix 5.7 | Control Measures on Cybersecurity - Appendix 5.7 | Azure Defender for servers should be enabled | 1.0.3
Control Measures on Cybersecurity | RMiT Appendix 5.7 | Control Measures on Cybersecurity - Appendix 5.7 | Azure Defender for SQL servers on machines should be enabled | 1.0.2
Control Measures on Cybersecurity | RMiT Appendix 5.7 | Control Measures on Cybersecurity - Appendix 5.7 | Email notification for high severity alerts should be enabled | 1.0.1
Control Measures on Cybersecurity | RMiT Appendix 5.7 | Control Measures on Cybersecurity - Appendix 5.7 | Microsoft Defender for Containers should be enabled | 1.0.0
Control Measures on Cybersecurity | RMiT Appendix 5.7 | Control Measures on Cybersecurity - Appendix 5.7 | Subscriptions should have a contact email address for security issues | 1.0.1

UK OFFICIAL and UK NHS


To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see
Azure Policy Regulatory Compliance - UK OFFICIAL and UK NHS. For more information about this compliance
standard, see UK OFFICIAL.

Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub)
--- | --- | --- | --- | ---
Identity and authentication | 10 | Identity and authentication | Deprecated accounts should be removed from your subscription | 3.0.0
Identity and authentication | 10 | Identity and authentication | Deprecated accounts with owner permissions should be removed from your subscription | 3.0.0
Identity and authentication | 10 | Identity and authentication | External accounts with owner permissions should be removed from your subscription | 3.0.0
Identity and authentication | 10 | Identity and authentication | External accounts with read permissions should be removed from your subscription | 3.0.0
Identity and authentication | 10 | Identity and authentication | External accounts with write permissions should be removed from your subscription | 3.0.0
Identity and authentication | 10 | Identity and authentication | MFA should be enabled accounts with write permissions on your subscription | 3.0.0
Identity and authentication | 10 | Identity and authentication | MFA should be enabled on accounts with owner permissions on your subscription | 3.0.0
Identity and authentication | 10 | Identity and authentication | MFA should be enabled on accounts with read permissions on your subscription | 3.0.0
Operational security | 5.3 | Protective Monitoring | Audit virtual machines without disaster recovery configured | 1.0.0
Secure user management | 9.1 | Authentication of users to management interfaces and support channels | External accounts with owner permissions should be removed from your subscription | 3.0.0
Secure user management | 9.1 | Authentication of users to management interfaces and support channels | External accounts with read permissions should be removed from your subscription | 3.0.0
Secure user management | 9.1 | Authentication of users to management interfaces and support channels | External accounts with write permissions should be removed from your subscription | 3.0.0
Secure user management | 9.1 | Authentication of users to management interfaces and support channels | MFA should be enabled accounts with write permissions on your subscription | 3.0.0
Secure user management | 9.1 | Authentication of users to management interfaces and support channels | MFA should be enabled on accounts with owner permissions on your subscription | 3.0.0
Secure user management | 9.1 | Authentication of users to management interfaces and support channels | MFA should be enabled on accounts with read permissions on your subscription | 3.0.0

Next steps
Learn more about Azure Policy Regulatory Compliance.
See the built-ins on the Azure Policy GitHub repo.
Move Azure resources across resource groups, subscriptions, or regions
2/23/2022 • 2 minutes to read

Azure resources can be moved to a new resource group or subscription, or across regions.

Move resources across resource groups or subscriptions


You can move Azure resources to either another Azure subscription or another resource group under the same
subscription. You can use the Azure portal, Azure PowerShell, Azure CLI, or the REST API to move resources. To
learn more, see Move resources to a new resource group or subscription.

Upgrade a subscription
If you actually want to upgrade your Azure subscription (such as switching from free to pay-as-you-go), you
need to convert your subscription rather than move its resources.
- To upgrade a free trial, see Upgrade your Free Trial or Microsoft Imagine Azure subscription to Pay-As-You-Go.
- To change a pay-as-you-go account, see Change your Azure Pay-As-You-Go subscription to a different offer.
- If you can't convert the subscription, create an Azure support request. Select Subscription Management for
the issue type.

Move resources across regions


Azure geographies, regions, and availability zones form the foundation of the Azure global infrastructure. Azure
geographies typically contain two or more Azure regions. A region is an area within a geography, containing
Availability Zones, and multiple data centers.

After deploying resources in a specific Azure region, there are many reasons that you might want to move
resources to a different region:
- Align to a region launch: Move your resources to a newly introduced Azure region that wasn't previously
available.
- Align for services/features: Move resources to take advantage of services or features that are available in
a specific region.
- Respond to business developments: Move resources to a region in response to business changes, such
as mergers or acquisitions.
- Align for proximity: Move resources to a region local to your business.
- Meet data requirements: Move resources to align with data residency requirements, or data classification
needs. Learn more.
- Respond to deployment requirements: Move resources that were deployed in error, or move in response
to capacity needs.
- Respond to decommissioning: Move resources because of decommissioned regions.

Move resources with Resource Mover
You can move resources to a different region with Azure Resource Mover. Resource Mover provides:
- A single hub for moving resources across regions.
- Reduced move time and complexity. Everything you need is in a single location.
- A simple and consistent experience for moving different types of Azure resources.
- An easy way to identify dependencies across resources you want to move. This identification helps you to
move related resources together, so that everything works as expected in the target region, after the move.
- Automatic cleanup of resources in the source region, if you want to delete them after the move.
- Testing. You can try out a move, and then discard it if you don't want to do a full move.

You can move resources to another region using a couple of different methods:
- Start moving resources from a resource group: With this method, you kick off the region move from
within a resource group. After selecting the resources you want to move, the process continues in the
Resource Mover hub, to check resource dependencies, and orchestrate the move process. Learn more.
- Start moving resources directly from the Resource Mover hub: With this method, you kick off the
region move process directly in the hub. Learn more.

Next steps
To check if a resource type supports being moved, see Move operation support for resources.
To learn more about the region move process, see About the move process.
Move resources to a new resource group or
subscription
2/23/2022 • 13 minutes to read

This article shows you how to move Azure resources to either another Azure subscription or another resource
group under the same subscription. You can use the Azure portal, Azure PowerShell, Azure CLI, or the REST API
to move resources.
Both the source group and the target group are locked during the move operation. Write and delete operations
are blocked on the resource groups until the move completes. This lock means you can't add, update, or delete
resources in the resource groups. It doesn't mean the resources are frozen. For example, if you move an Azure
SQL logical server, its databases and other dependent resources to a new resource group or subscription,
applications that use the databases experience no downtime. They can still read and write to the databases. The
lock can last for a maximum of four hours, but most moves complete in much less time.
If your move requires setting up new dependent resources, you'll experience an interruption in those services
until they've been reconfigured.
Moving a resource only moves it to a new resource group or subscription. It doesn't change the location of the
resource.

Changed resource ID
When you move a resource, you change its resource ID. The standard format for a resource ID is
/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}.
When you move a resource to a new resource group or subscription, you change one or more values in that
path.
If you use the resource ID anywhere, you'll need to change that value. For example, if you have a custom
dashboard in the portal that references a resource ID, you'll need to update that value. Look for any scripts or
templates that need to be updated for the new resource ID.

Checklist before moving resources


There are some important steps to do before moving a resource. By verifying these conditions, you can avoid
errors.
1. The resources you want to move must support the move operation. For a list of which resources support
move, see Move operation support for resources.
2. Some services have specific limitations or requirements when moving resources. If you're moving any of
the following services, check that guidance before moving.
If you're using Azure Stack Hub, you can't move resources between groups.
App Services move guidance
Azure DevOps Services move guidance
Classic deployment model move guidance - Classic Compute, Classic Storage, Classic Virtual
Networks, and Cloud Services
Networking move guidance
Recovery Services move guidance
Virtual Machines move guidance
To move an Azure subscription to a new management group, see Move subscriptions.
3. If you move a resource that has an Azure role assigned directly to the resource (or a child resource), the
role assignment isn't moved and becomes orphaned. After the move, you must re-create the role
assignment. Eventually, the orphaned role assignment is automatically removed, but we recommend
removing the role assignment before the move.
For information about how to manage role assignments, see List Azure role assignments and Assign
Azure roles.
4. The source and destination subscriptions must be active. If you have trouble enabling an account that has
been disabled, create an Azure support request. Select Subscription Management for the issue type.
5. The source and destination subscriptions must exist within the same Azure Active Directory tenant. To
check that both subscriptions have the same tenant ID, use Azure PowerShell or Azure CLI.
For Azure PowerShell, use:

(Get-AzSubscription -SubscriptionName <your-source-subscription>).TenantId
(Get-AzSubscription -SubscriptionName <your-destination-subscription>).TenantId

For Azure CLI, use:

az account show --subscription <your-source-subscription> --query tenantId
az account show --subscription <your-destination-subscription> --query tenantId

If the tenant IDs for the source and destination subscriptions aren't the same, use the following methods
to reconcile the tenant IDs:
Transfer ownership of an Azure subscription to another account
How to associate or add an Azure subscription to Azure Active Directory
6. The destination subscription must be registered for the resource provider of the resource being moved. If
not, you receive an error stating that the subscription is not registered for a resource type. You
might see this error when moving a resource to a new subscription, but that subscription has never been
used with that resource type.
For PowerShell, use the following commands to get the registration status:

Set-AzContext -Subscription <destination-subscription-name-or-id>
Get-AzResourceProvider -ListAvailable | Select-Object ProviderNamespace, RegistrationState

To register a resource provider, use:

Register-AzResourceProvider -ProviderNamespace Microsoft.Batch

For Azure CLI, use the following commands to get the registration status:

az account set -s <destination-subscription-name-or-id>
az provider list --query "[].{Provider:namespace, Status:registrationState}" --out table

To register a resource provider, use:

az provider register --namespace Microsoft.Batch

7. The account moving the resources must have at least the following permissions:
Microsoft.Resources/subscriptions/resourceGroups/moveResources/action on the source
resource group.
Microsoft.Resources/subscriptions/resourceGroups/write on the destination resource group.
8. Before moving the resources, check the subscription quotas for the subscription you're moving the
resources to. If moving the resources means the subscription will exceed its limits, you need to review
whether you can request an increase in the quota. For a list of limits and how to request an increase, see
Azure subscription and service limits, quotas, and constraints.
9. For a move across subscriptions, the resource and its dependent resources must be located
in the same resource group and they must be moved together. For example, a VM with managed
disks would require the VM and the managed disks to be moved together, along with other dependent
resources.
If you're moving a resource to a new subscription, check to see whether the resource has any dependent
resources, and whether they're located in the same resource group. If the resources aren't in the same
resource group, check to see whether the resources can be combined into the same resource group. If so,
bring all these resources into the same resource group by using a move operation across resource
groups.
For more information, see Scenario for move across subscriptions.
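Several items in the checklist above, and the resource ID format described under "Changed resource ID", can be checked mechanically before you send a move request. The following Python is an added example, not Microsoft's code and not part of any Azure SDK: it parses resource IDs of the standard form, computes the ID a resource will carry after the move, and runs the checks that can be made from IDs plus data you fetch beforehand (a single source resource group, no child resources moved on their own, same tenant for a cross-subscription move, provider registered in the destination subscription, at most 800 resources per request). The subscription IDs, tenant names and registered-provider list are constructed placeholders; in practice you would fill them from Get-AzSubscription and az provider list.

```python
import re
from typing import Dict, Iterable, List, NamedTuple, Optional


class ParsedId(NamedTuple):
    subscription: str
    resource_group: str
    namespace: str       # e.g. Microsoft.Compute
    resource_type: str   # e.g. virtualMachines
    name: str
    is_child: bool       # nested under a parent, e.g. namespaces/{ns}/queues/{q}


# Standard form: /subscriptions/{sub}/resourceGroups/{rg}/providers/{ns}/{type}/{name}[/{childType}/{childName}]
_ID_RE = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/(?P<ns>[^/]+)/(?P<rest>.+)$", re.IGNORECASE)
_RG_RE = re.compile(r"^/subscriptions/([^/]+)/resourceGroups/([^/]+)$", re.IGNORECASE)


def parse_resource_id(resource_id: str) -> ParsedId:
    """Split a resource ID into its segments; raise ValueError if malformed."""
    m = _ID_RE.match(resource_id.strip())
    if not m:
        raise ValueError(f"not a resource ID: {resource_id!r}")
    segments = m.group("rest").split("/")
    if len(segments) < 2 or len(segments) % 2 or not all(segments):
        raise ValueError(f"malformed type/name segments: {resource_id!r}")
    return ParsedId(m.group("sub"), m.group("rg"), m.group("ns"),
                    segments[0], segments[1], len(segments) > 2)


def moved_resource_id(resource_id: str, dest_rg: str,
                      dest_subscription: Optional[str] = None) -> str:
    """ID the resource will have after the move: only the subscription and
    resourceGroups segments change; the providers/{type}/{name} tail is kept."""
    parsed = parse_resource_id(resource_id)
    tail = resource_id[resource_id.lower().index("/providers/"):]
    return f"/subscriptions/{dest_subscription or parsed.subscription}/resourceGroups/{dest_rg}{tail}"


def precheck_move(resource_ids: Iterable[str], target_rg_id: str,
                  tenants: Dict[str, str],
                  registered_namespaces: Dict[str, Iterable[str]],
                  max_per_request: int = 800) -> List[str]:
    """Return the problems found (empty list = checks passed).
    tenants: subscription ID -> tenant ID; registered_namespaces: subscription
    ID -> provider namespaces registered there (hypothetical pre-fetched data)."""
    problems: List[str] = []
    ids = list(resource_ids)
    if len(ids) > max_per_request:
        problems.append(f"{len(ids)} resources exceed the {max_per_request}-per-request limit; split the move")
    target = _RG_RE.match(target_rg_id)
    if not target:
        return problems + [f"target is not a resource group ID: {target_rg_id!r}"]
    dest_sub = target.group(1)
    parsed: List[ParsedId] = []
    for rid in ids:
        try:
            parsed.append(parse_resource_id(rid))
        except ValueError as exc:
            problems.append(str(exc))
    # A move request is issued against a single source resource group.
    if len({(p.subscription.lower(), p.resource_group.lower()) for p in parsed}) > 1:
        problems.append("resources span several source resource groups; consolidate them with a "
                        "resource-group move first")
    for p in parsed:
        if p.is_child:
            problems.append(f"{p.name}: child resources move with their parent, not on their own")
    # Cross-subscription move: both subscriptions must be in the same tenant.
    dest_tenant = tenants.get(dest_sub)
    for sub in sorted({p.subscription for p in parsed if p.subscription.lower() != dest_sub.lower()}):
        if dest_tenant is None or tenants.get(sub) != dest_tenant:
            problems.append(f"subscription {sub} and destination {dest_sub} are not in the same tenant")
    # The destination subscription must be registered for every provider involved.
    registered = {ns.lower() for ns in registered_namespaces.get(dest_sub, ())}
    for ns in sorted({p.namespace for p in parsed}, key=str.lower):
        if ns.lower() not in registered:
            problems.append(f"destination subscription is not registered for {ns}")
    return problems


# Constructed sample data: placeholder subscription IDs and tenant names, not real ones.
SRC_SUB = "11111111-1111-1111-1111-111111111111"
DST_SUB = "22222222-2222-2222-2222-222222222222"
TENANTS = {SRC_SUB: "tenant-a", DST_SUB: "tenant-a"}
REGISTERED = {DST_SUB: ["Microsoft.Compute", "Microsoft.Network"]}
VM_ID = f"/subscriptions/{SRC_SUB}/resourceGroups/OldRG/providers/Microsoft.Compute/virtualMachines/vm1"
DISK_ID = f"/subscriptions/{SRC_SUB}/resourceGroups/OldRG/providers/Microsoft.Compute/disks/vm1-os"
STORAGE_ID = f"/subscriptions/{SRC_SUB}/resourceGroups/OtherRG/providers/Microsoft.Storage/storageAccounts/diag1"
TARGET_RG = f"/subscriptions/{DST_SUB}/resourceGroups/NewRG"

if __name__ == "__main__":
    for problem in precheck_move([VM_ID, DISK_ID, STORAGE_ID], TARGET_RG, TENANTS, REGISTERED):
        print("-", problem)
    print("after move:", moved_resource_id(VM_ID, "NewRG", DST_SUB))
```

Run as a script, the sample flags the storage account sitting in OtherRG (step 9 of the checklist) and the unregistered Microsoft.Storage provider (step 6), then prints the ID the VM will have in NewRG, which is the value your dashboards and scripts must be updated to. These checks complement, not replace, the validateMoveResources call, which also evaluates policy and provider-specific rules.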

Scenario for move across subscriptions


Moving resources from one subscription to another is a three-step process:

For illustration purposes, we have only one dependent resource.


Step 1: If dependent resources are distributed across different resource groups, first move them into one
resource group.
Step 2: Move the resource and dependent resources together from the source subscription to the target
subscription.
Step 3: Optionally, redistribute the dependent resources to different resource groups within the target
subscription.

Use the portal


To move resources, select the resource group that contains those resources.
Select the resources you want to move. To move all of the resources, select the checkbox at the top of list. Or,
select resources individually.
Select the Move button.

This button gives you three options:


Move to a new resource group.
Move to a new subscription.
Move to a new region. To change regions, see Move resources across regions (from resource group).
Select whether you're moving the resources to a new resource group or a new subscription.
The source resource group is automatically set. Specify the destination resource group. If you're moving to a
new subscription, also specify the subscription. Select Next .
The portal validates that the resources can be moved. Wait for validation to complete.

When validation completes successfully, select Next .


Acknowledge that you need to update tools and scripts for these resources. To start moving the resources, select
Move .
When the move has completed, you're notified of the result.

Use Azure PowerShell


Validate
To test your move scenario without actually moving the resources, use the Invoke-AzResourceAction command.
Use this command only when you need to predetermine the results. To run this operation, you need the:
Resource ID of the source resource group
Resource ID of the target resource group
Resource ID of each resource to move

Invoke-AzResourceAction -Action validateMoveResources `
  -ResourceId "/subscriptions/{subscription-id}/resourceGroups/{source-rg}" `
  -Parameters @{ resources = @("/subscriptions/{subscription-id}/resourceGroups/{source-rg}/providers/{resource-provider}/{resource-type}/{resource-name}", "/subscriptions/{subscription-id}/resourceGroups/{source-rg}/providers/{resource-provider}/{resource-type}/{resource-name}", "/subscriptions/{subscription-id}/resourceGroups/{source-rg}/providers/{resource-provider}/{resource-type}/{resource-name}"); targetResourceGroup = '/subscriptions/{subscription-id}/resourceGroups/{destination-rg}' }

If validation passes, you see no output.
If validation fails, you see an error message describing why the resources can't be moved.
Move
To move existing resources to another resource group or subscription, use the Move-AzResource command. The
following example shows how to move several resources to a new resource group.

$webapp = Get-AzResource -ResourceGroupName OldRG -ResourceName ExampleSite
$plan = Get-AzResource -ResourceGroupName OldRG -ResourceName ExamplePlan
Move-AzResource -DestinationResourceGroupName NewRG -ResourceId $webapp.ResourceId, $plan.ResourceId

To move to a new subscription, include a value for the DestinationSubscriptionId parameter.

Use Azure CLI


Validate
To test your move scenario without actually moving the resources, use the az resource invoke-action command.
Use this command only when you need to predetermine the results. To run this operation, you need the:
Resource ID of the source resource group
Resource ID of the target resource group
Resource ID of each resource to move
In the request body, use \" to escape double quotes.

az resource invoke-action --action validateMoveResources \
  --ids "/subscriptions/{subscription-id}/resourceGroups/{source-rg}" \
  --request-body "{ \"resources\": [\"/subscriptions/{subscription-id}/resourceGroups/{source-rg}/providers/{resource-provider}/{resource-type}/{resource-name}\", \"/subscriptions/{subscription-id}/resourceGroups/{source-rg}/providers/{resource-provider}/{resource-type}/{resource-name}\", \"/subscriptions/{subscription-id}/resourceGroups/{source-rg}/providers/{resource-provider}/{resource-type}/{resource-name}\"], \"targetResourceGroup\": \"/subscriptions/{subscription-id}/resourceGroups/{destination-rg}\" }"

If validation passes, you see:

{} Finished ..

If validation fails, you see an error message describing why the resources can't be moved.
Move
To move existing resources to another resource group or subscription, use the az resource move command.
Provide the resource IDs of the resources to move. The following example shows how to move several resources
to a new resource group. In the --ids parameter, provide a space-separated list of the resource IDs to move.

webapp=$(az resource show -g OldRG -n ExampleSite --resource-type "Microsoft.Web/sites" --query id --output tsv)
plan=$(az resource show -g OldRG -n ExamplePlan --resource-type "Microsoft.Web/serverfarms" --query id --output tsv)
az resource move --destination-group newgroup --ids $webapp $plan

To move to a new subscription, provide the --destination-subscription-id parameter.

Use REST API


Validate
The validate move operation lets you test your move scenario without actually moving the resources. Use this
operation to check if the move will succeed. Validation is automatically called when you send a move request.
Use this operation only when you need to predetermine the results. To run this operation, you need the:
Name of the source resource group
Resource ID of the target resource group
Resource ID of each resource to move
The access token for your account
Send the following request:

POST https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<source-group>/validateMoveResources?api-version=2019-05-10
Authorization: Bearer <access-token>
Content-type: application/json

With a request body:

{
"resources": ["<resource-id-1>", "<resource-id-2>"],
"targetResourceGroup": "/subscriptions/<subscription-id>/resourceGroups/<target-group>"
}

If the request is formatted correctly, the operation returns:

Response Code: 202

cache-control: no-cache
pragma: no-cache
expires: -1
location: https://management.azure.com/subscriptions/<subscription-id>/operationresults/<operation-id>?api-version=2018-02-01
retry-after: 15
...

The 202 status code indicates the validation request was accepted, but it hasn't yet determined if the move
operation will succeed. The location value contains a URL that you use to check the status of the long-running
operation.
To check the status, send the following request:

GET <location-url>
Authorization: Bearer <access-token>

While the operation is still running, you continue to receive the 202 status code. Wait the number of seconds
indicated in the retry-after value before trying again. If the move operation validates successfully, you receive
the 204 status code. If the move validation fails, you receive an error message, such as:

{"error":{"code":"ResourceMoveProviderValidationFailed","message":"<message>"...}}
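The validate exchange above, written as a small client, as an added example that is not Microsoft's code or part of any Azure SDK: it sends the POST, honours the 202 / location / retry-after contract of the long-running operation, treats 204 as "valid", and extracts error.code and error.message from the body on failure. The HTTP layer is an injected callable, so the scripted transport below replays a constructed exchange offline; the subscription ID and the 409 status used for the failure case are assumptions (the page shows only the error body). A real transport would wrap urllib or requests and present a bearer token obtained from Azure AD.

```python
import json
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

ARM = "https://management.azure.com"
API_VERSION = "2019-05-10"  # api-version the page uses for validateMoveResources


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)  # lower-case header names
    body: bytes = b""


# Transport signature: (method, url, headers, body) -> Response
HttpCall = Callable[[str, str, Dict[str, str], Optional[bytes]], Response]


@dataclass
class MoveValidation:
    ok: bool
    polls: int                      # GETs on the location URL that were needed
    error_code: Optional[str] = None
    message: Optional[str] = None


def validate_move(http: HttpCall, token: str, subscription_id: str, source_rg: str,
                  resource_ids: List[str], target_rg_id: str,
                  sleep: Callable[[float], None] = time.sleep,
                  max_polls: int = 60) -> MoveValidation:
    """POST validateMoveResources, then follow the 202 / location / retry-after
    pattern until a 204 (move is valid) or an error body comes back."""
    url = (f"{ARM}/subscriptions/{subscription_id}/resourceGroups/{source_rg}"
           f"/validateMoveResources?api-version={API_VERSION}")
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    body = json.dumps({"resources": resource_ids, "targetResourceGroup": target_rg_id}).encode()
    resp = http("POST", url, headers, body)
    if resp.status != 202:
        return _from_error(resp, polls=0)
    location = resp.headers.get("location")
    if not location:
        return MoveValidation(False, 0, "MissingLocation", "202 without a location header")
    polls = 0
    while polls < max_polls:
        # Wait the retry-after of the most recent 202 (15 seconds on the page) before polling.
        sleep(float(resp.headers.get("retry-after", "15")))
        resp = http("GET", location, {"Authorization": f"Bearer {token}"}, None)
        polls += 1
        if resp.status == 202:
            continue
        if resp.status == 204:
            return MoveValidation(True, polls)
        return _from_error(resp, polls)
    return MoveValidation(False, polls, "PollLimitReached", "validation still running")


def _from_error(resp: Response, polls: int) -> MoveValidation:
    """Pull error.code / error.message out of an ARM error body, if there is one."""
    try:
        err = json.loads(resp.body.decode() or "{}").get("error", {})
    except (json.JSONDecodeError, UnicodeDecodeError):
        err = {}
    return MoveValidation(False, polls, err.get("code", f"HTTP {resp.status}"), err.get("message"))


def scripted_http(responses: List[Response]) -> HttpCall:
    """Offline transport that replays the given responses in order. It records
    method and URL only; the bearer token is deliberately never logged."""
    queue, log = list(responses), []

    def call(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> Response:
        log.append(f"{method} {url}")
        if not queue:
            raise RuntimeError("no scripted response left for " + log[-1])
        return queue.pop(0)

    call.log = log  # type: ignore[attr-defined]
    return call


# Constructed sample exchange with a placeholder subscription ID.
SUB = "00000000-0000-0000-0000-000000000000"
SITE = f"/subscriptions/{SUB}/resourceGroups/source-rg/providers/Microsoft.Web/sites/site1"
TARGET = f"/subscriptions/{SUB}/resourceGroups/target-rg"
LOCATION = f"{ARM}/subscriptions/{SUB}/operationresults/op-1?api-version=2018-02-01"
ACCEPTED = Response(202, {"location": LOCATION, "retry-after": "15"})


def demo_success() -> MoveValidation:
    http = scripted_http([ACCEPTED, ACCEPTED, Response(204)])
    return validate_move(http, "<token>", SUB, "source-rg", [SITE], TARGET, sleep=lambda _: None)


def demo_failure() -> MoveValidation:
    # The 409 status is an assumption; the page only shows the error body.
    err = {"error": {"code": "ResourceMoveProviderValidationFailed", "message": "<message>"}}
    http = scripted_http([ACCEPTED, Response(409, {}, json.dumps(err).encode())])
    return validate_move(http, "<token>", SUB, "source-rg", [SITE], TARGET, sleep=lambda _: None)


if __name__ == "__main__":
    print(demo_success())
    print(demo_failure())
```

Two details matter in practice: the poll loop re-reads retry-after from each 202 rather than hard-coding an interval, and the transport never writes the Authorization header to its log, since an access token in a log file is a credential leak.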

Move
To move existing resources to another resource group or subscription, use the Move resources operation.

POST https://management.azure.com/subscriptions/{source-subscription-id}/resourcegroups/{source-resource-group-name}/moveResources?api-version={api-version}

In the request body, you specify the target resource group and the resources to move.

{
"resources": ["<resource-id-1>", "<resource-id-2>"],
"targetResourceGroup": "/subscriptions/<subscription-id>/resourceGroups/<target-group>"
}
Frequently asked questions
Question: My resource move operation, which usually takes a few minutes, has been running for
almost an hour. Is there something wrong?
Moving a resource is a complex operation that has different phases. It can involve more than just the resource
provider of the resource you're trying to move. Because of the dependencies between resource providers, Azure
Resource Manager allows 4 hours for the operation to complete. This time period gives resource providers a
chance to recover from transient issues. If your move request is within the four-hour period, the operation keeps
trying to complete and may still succeed. The source and destination resource groups are locked during this
time to avoid consistency issues.
Question: Why is my resource group locked for four hours during resource move?
A move request is allowed a maximum of four hours to complete. To prevent modifications on the resources
being moved, both the source and destination resource groups are locked during the resource move.
There are two phases in a move request. In the first phase, the resource is moved. In the second phase,
notifications are sent to other resource providers that are dependent on the resource being moved. A resource
group can be locked for the entire four hours when a resource provider fails either phase. During the allowed
time, Resource Manager retries the failed step.
If a resource can't be moved within four hours, Resource Manager unlocks both resource groups. Resources that
were successfully moved are in the destination resource group. Resources that failed to move are left in the
source resource group.
Question: What are the implications of the source and destination resource groups being locked
during the resource move?
The lock prevents you from deleting either resource group, creating a new resource in either resource group, or
deleting any of the resources involved in the move.
The following image shows an error message from the Azure portal when a user tries to delete a resource
group that is part of an ongoing move.

Question: What does the error code "MissingMoveDependentResources" mean?


When moving a resource, its dependent resources must either exist in the destination resource group or
subscription, or be included in the move request. You get the MissingMoveDependentResources error code
when a dependent resource doesn't meet this requirement. The error message has details about the dependent
resource that needs to be included in the move request.
For example, moving a virtual machine could require moving seven resource types with three different resource
providers. Those resource providers and types are:
Microsoft.Compute
    virtualMachines
    disks
Microsoft.Network
    networkInterfaces
    publicIPAddresses
    networkSecurityGroups
    virtualNetworks
Microsoft.Storage
    storageAccounts
Another common example involves moving a virtual network. You may have to move several other resources
associated with that virtual network. The move request could require moving public IP addresses, route tables,
virtual network gateways, network security groups, and others.
Question: What does the error code "RequestDisallowedByPolicy" mean?
Resource Manager validates your move request before attempting the move. This validation includes checking
policies defined on the resources involved in the move. For example, if you're attempting to move a key vault
but your organization has a policy to deny the creation of a key vault in the target resource group, validation
fails and the move is blocked. The returned error code is RequestDisallowedByPolicy .
For more information about policies, see What is Azure Policy?.
Question: Why can't I move some resources in Azure?
Currently, not all resources in Azure support move. For a list of resources that support move, see Move
operation support for resources.
Question: How many resources can I move in a single operation?
When possible, break large moves into separate move operations. Resource Manager immediately returns an
error when there are more than 800 resources in a single operation. However, moving less than 800 resources
may also fail by timing out.
Question: What is the meaning of the error that a resource isn't in succeeded state?
When you get an error message that indicates a resource can't be moved because it isn't in a succeeded state, it
may actually be a dependent resource that is blocking the move. Typically, the error code is
MoveCannotProceedWithResourcesNotInSucceededState .
If the source or target resource group contains a virtual network, the states of all dependent resources for the
virtual network are checked during the move. The check includes those resources directly and indirectly
dependent on the virtual network. If any of those resources are in a failed state, the move is blocked. For
example, if a virtual machine that uses the virtual network has failed, the move is blocked. The move is blocked
even when the virtual machine isn't one of the resources being moved and isn't in one of the resource groups
for the move.
When you receive this error, you have two options. Either move your resources to a resource group that doesn't
have a virtual network, or contact support.

Next steps
For a list of which resources support move, see Move operation support for resources.
Move resources across regions (from resource
group)
2/23/2022 • 8 minutes to read

In this article, learn how to move resources in a specific resource group to a different Azure region. In the
resource group, you select the resources you want to move. Then, you move them using Azure Resource Mover.

Prerequisites
You need Owner access on the subscription in which resources you want to move are located.
The first time you add a resource for a specific source and destination mapping in an Azure
subscription, Resource Mover creates a system-assigned managed identity (formerly known as
Managed Service Identity (MSI)) that's trusted by the subscription.
To create the identity, and to assign it the required role (Contributor or User Access administrator in
the source subscription), the account you use to add resources needs Owner permissions on the
subscription. Learn more about Azure roles.
The subscription needs enough quota to create the source resources in the target region. If it doesn't, request
additional limits. Learn more.
Verify pricing and charges associated with the target region to which you're moving VMs. Use the pricing
calculator to help you.
Check that the resources you want to move are supported by Resource Mover:
Azure VMs and associated disks
NICs
Availability sets
Azure virtual networks
Public IP addresses
Network security groups (NSGs)
Internal and public load balancers
Azure SQL databases and elastic pools

Check VM requirements
1. Check that the VMs you want to move are supported.
Verify supported Windows VMs.
Verify supported Linux VMs and kernel versions.
Check supported compute, storage, and networking settings.
2. Make sure VMs have the latest trusted root certificates and an updated certificate revocation list (CRL).
On Azure VMs running Windows, install the latest Windows updates.
On VMs running Linux, follow the Linux distributor guidance to ensure the machine has the latest
certificates and CRL.
3. Allow outbound connectivity from VMs:
If you're using a URL-based firewall proxy to control outbound connectivity, allow access to these
URLs
If you're using network security group (NSG) rules to control outbound connectivity, create these
service tag rules.

Select resources to move


Select resources you want to move. You move resources to a target region in the source region subscription. If
you want to change the subscription, you can do that after the resources are moved.

NOTE
Don't select associated disks or the operation will fail. Associated disks are automatically included in a VM move.

1. In the Azure portal, open the relevant resource group.


2. In the resource group page, select the resources that you want to move.
3. Select Move > Move to another region .

4. In Source + destination , select the target region to which you want to move the resources. Then select
Next .

5. In Resources to move , select Next .


6. In Select resources , select the resources you want to move. You can only add resources supported for move.
Then select Done .
7. In Move resources , select Next .
8. In Review + Add , check the source and target details.
9. Confirm that you understand that metadata about the resources being moved will be stored in a resource
group created for this purpose, and that you allow Resource Mover to create a system-managed identity
to access the subscription resources.
10. Select Proceed to begin adding the resources.
11. The add resource operation starts. When the operation completes, the notifications show that resources
were added, and deployment succeeded.
12. In the notifications, select Adding resources for move .
13. After selecting the notification, the resources you selected are added to a move collection in the Azure
Resource Mover hub. Resource Mover helps you to check dependencies, and then start moving resources
to the target region.

Resolve dependencies
Resources you're moving appear in the Across regions page, in a Prepare pending state. Start validation as
follows:
1. If resources show a Validate dependencies message in the Issues column, select the Validate
dependencies button. The validation process begins.

2. If dependencies are found, select Add dependencies .


3. In Add dependencies , select the dependent resources > Add dependencies . Monitor progress in the
notifications.

4. Add additional dependencies if needed, and validate dependencies as needed. Select Refresh to ensure
resources show an up-to-date state.
5. On the Across regions page, verify that resources are now in a Prepare pending state, with no issues.
Move the source resource group
Before you can prepare and move resources, the source resource group must be present in the target region.
Prepare to move the source resource group
Prepare as follows:
1. In Across regions , select the source resource group > Prepare .
2. In Prepare resources , select Prepare .

During the Prepare process, Resource Mover generates Azure Resource Manager (ARM) templates using
the resource group settings. Resources inside the resource group aren't affected.

NOTE
After preparing the resource group, it's in the Initiate move pending state. Refresh to show the latest state.

Move the source resource group


Initiate the move as follows:
1. In Across regions , select the resource group > Initiate Move
2. In Move Resources , select Initiate move . The resource group moves into an Initiate move in progress
state.
3. After initiating the move, the target resource group is created, based on the generated ARM template. The
source resource group moves into a Commit move pending state.

To commit and finish the move process:


1. In Across regions , select the resource group > Commit move
2. In Move Resources , select Commit .

NOTE
After committing the move, the source resource group is in a Delete source pending state.

Modify target settings


If you don't want to move a source resource, you can do one of the following:
Create a resource in the target region with the same name and settings as the resource in the source region.
Create a new equivalent resource in the target region. Except for the settings you specify, the target resource
is created with the same settings as the source.
Use an existing resource in the target region.
Modify a setting as follows:
1. To modify a setting, select the entry in the Destination configuration column for the resource.
2. In the Destination configuration page, specify the target settings you want to use. Changes are only made
for the resource you're editing. You need to update any dependent resources separately.
The exact settings you modify depend on the resource type. Learn more about editing target settings.

Prepare resources to move


Now that the source resource group is moved, you can prepare to move the other resources.
1. In Across regions , select the resources you want to prepare.

2. Select Prepare .
NOTE
During the prepare process, the Azure Site Recovery Mobility agent is installed on VMs, for replication.
VM data is replicated periodically to the target region. This doesn't affect the source VM.
Resource Move generates ARM templates for the other source resources.
After preparing resources, they're in an Initiate move pending state.

Initiate the move


With resources prepared, you can now initiate the move.
1. In Across regions , select resources with state Initiate move pending. Then select Initiate move .
2. In Move resources , select Initiate move .
3. Track move progress in the notifications bar.

NOTE
For VMs, replica VMs are created in the target region. The source VM is shut down, and some downtime occurs
(usually minutes).
Resource Mover recreates other resources using the ARM templates that were prepared. There's usually no downtime.
For load balancers, NAT rules aren't copied. Create them in the target region after you commit the move.
For public IP addresses, the DNS name label isn't copied. Recreate the label after you commit the move.
After preparing resources, they're in a Commit move pending state.
Discard or commit?
After the initial move, you can decide whether you want to commit the move, or to discard it.
Discard : You might discard a move if you're testing, and you don't want to actually move the source
resource. Discarding the move returns the resource to a state of Initiate move pending.
Commit : Commit completes the move to the target region. After committing, a source resource will be in a
state of Delete source pending, and you can decide if you want to delete it.

Discard the move


You can discard the move as follows:
1. In Across regions , select resources with state Commit move pending, and select Discard move .
2. In Discard move , select Discard .
3. Track move progress in the notifications bar.
4. When the notifications show that the move was successful, select Refresh .

NOTE
For VMs, after discarding resources, they're in an Initiate move pending state.

Commit the move


If you want to complete the move process, commit the move.
1. In Across regions , select resources with state Commit move pending, and select Commit move .
2. In Commit resources , select Commit .
3. Track the commit progress in the notifications bar.
NOTE
After committing the move, VMs stop replicating. The source VM isn't impacted by the commit.
Commit doesn't impact source networking resources.
After committing the move, resources are in a Delete source pending state.

Configure settings after the move


1. Since DNS name labels aren't copied over for public IP addresses, after the move is done, navigate to the
target resources and update the label.
2. For internal load balancers, since NAT rules aren't copied over, navigate to the resources created in the target
region, and update the NAT rules.
3. The Mobility service isn't uninstalled automatically from VMs. Uninstall it manually, or leave it if you plan to
move the server again.

Delete source resources after commit


After the move, you can optionally delete resources in the source region.
1. In Across Regions , select the name of each source resource that you want to delete.
2. In the properties page for each resource, select Delete .

Delete additional resources created for move


After the move, you can manually delete the move collection, and Site Recovery resources that were created.
The move collection is hidden by default. To see it you need to turn on hidden resources.
The cache storage account has a lock that must be removed before the account can be deleted.
Delete as follows:
1. Locate the resources in resource group RegionMoveRG-<sourceregion>-<target-region> , in the source
region.
2. Check that all the VMs and other source resources in the move collection have been moved or deleted. This
ensures that there are no pending resources using them.
3. Delete the resources:
The move collection name is movecollection-<sourceregion>-<target-region> .
The cache storage account name is resmovecache<guid>
The vault name is ResourceMove-<sourceregion>-<target-region>-GUID .

Next steps
Learn about the move process.
Move operation support for resources
2/23/2022 • 28 minutes to read

This article lists whether an Azure resource type supports the move operation. It also provides information
about special conditions to consider when moving a resource.

IMPORTANT
In most cases, a child resource can't be moved independently from its parent resource. Child resources have a resource
type in the format of <resource-provider-namespace>/<parent-resource>/<child-resource> . For example,
Microsoft.ServiceBus/namespaces/queues is a child resource of Microsoft.ServiceBus/namespaces . When you
move the parent resource, the child resource is automatically moved with it. If you don't see a child resource in this article,
you can assume it is moved with the parent resource. If the parent resource doesn't support move, the child resource
can't be moved.
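An added example (not code from the page) that applies the parent/child rule above to ARM resource IDs before a move is attempted: it parses the resource type out of an ID, looks it up in a constructed subset of the tables that follow, and climbs to the parent type when a child type is not listed. The function names, the sample IDs and the subset of table rows are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example, not code from the page: pre-check a list of resource IDs against
# the move-support tables, applying the parent/child rule from the note above.
# The table in move_support_row is a constructed subset of the rows on this page.
set -eu

# Columns: resource group | subscription | region move, keyed by lowercase type.
move_support_row() {
  case "$1" in
    microsoft.compute/virtualmachines)                echo "Yes|Yes|Yes" ;;
    microsoft.compute/virtualmachines/extensions)     echo "Yes|Yes|No" ;;
    microsoft.compute/diskencryptionsets)             echo "No|No|No" ;;
    microsoft.network/networkinterfaces)              echo "Yes|Yes|Yes" ;;
    microsoft.network/privateendpoints)               echo "No|No|No" ;;
    microsoft.keyvault/vaults)                        echo "Yes|Yes|No" ;;
    microsoft.authorization/roleassignments)          echo "No|No|No" ;;
    microsoft.appconfiguration/configurationstores)   echo "Yes|Yes|No" ;;
    microsoft.appconfiguration/configurationstores/eventgridfilters) echo "No|No|No" ;;
    microsoft.containerregistry/registries)           echo "Yes|Yes|No" ;;
    *) return 1 ;;   # not in this subset
  esac
}

# Lowercase resource type of an ARM resource ID: the namespace after the last
# "providers" segment followed by every second segment (type/name pairs). Using
# the last "providers" means an extension resource like a lock on a VM resolves
# to microsoft.authorization/locks rather than to the VM's type.
resource_type_from_id() {
  printf '%s\n' "$1" | awk -F/ '{
    p = 0
    for (i = 1; i <= NF; i++) if (tolower($i) == "providers") p = i
    if (p == 0 || p + 1 > NF) exit 1
    t = tolower($(p + 1))
    for (i = p + 2; i <= NF; i += 2) t = t "/" tolower($i)
    print t
  }'
}

# Prints "<type looked up><TAB>RG|Subscription|Region". A child type that is not
# listed inherits its parent's row (the rule in the note); a type with no
# listed ancestor prints "unknown" instead of being assumed movable.
move_support() {
  local t row
  t=$(resource_type_from_id "$1") || { echo "not a resource ID: $1" >&2; return 2; }
  while :; do
    if row=$(move_support_row "$t"); then
      printf '%s\t%s\n' "$t" "$row"
      return 0
    fi
    case "$t" in
      */*/*) t=${t%/*} ;;                         # climb to the parent type
      *)     printf '%s\tunknown\n' "$t"; return 0 ;;
    esac
  done
}

# Yes, No or unknown for one scope: rg, subscription or region.
can_move() {
  local row
  row=$(move_support "$1" | cut -f2)
  case "$2" in
    rg)           printf '%s\n' "$row" | cut -d'|' -f1 ;;
    subscription) printf '%s\n' "$row" | cut -d'|' -f2 ;;
    region)       printf '%s\n' "$row" | cut -d'|' -f3 ;;
    *) echo "scope must be rg, subscription or region" >&2; return 2 ;;
  esac
}

# Reads resource IDs from stdin, one per line (for example the output of
# `az resource list --resource-group <rg> --query "[].id" -o tsv`), and prints
# id<TAB>type<TAB>row so a move can be planned before anything is touched.
move_plan() {
  local id
  while IFS= read -r id; do
    if [ -n "$id" ]; then
      printf '%s\t%s\n' "$id" "$(move_support "$id")"
    fi
  done
  return 0
}
```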

Jump to a resource provider namespace:

Microsoft.AAD
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| domainservices | No | No | No |

microsoft.aadiam
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| diagnosticsettings | No | No | No |
| diagnosticsettingscategories | No | No | No |
| privatelinkforazuread | Yes | Yes | No |
| tenants | Yes | Yes | No |

Microsoft.Addons
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| supportproviders | No | No | No |

Microsoft.ADHybridHealthService
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| aadsupportcases | No | No | No |
| addsservices | No | No | No |
| agents | No | No | No |
| anonymousapiusers | No | No | No |
| configuration | No | No | No |
| logs | No | No | No |
| reports | No | No | No |
| servicehealthmetrics | No | No | No |
| services | No | No | No |

Microsoft.Advisor
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| configurations | No | No | No |
| generaterecommendations | No | No | No |
| metadata | No | No | No |
| recommendations | No | No | No |
| suppressions | No | No | No |

Microsoft.AlertsManagement
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| actionrules | Yes | Yes | No |
| alerts | No | No | No |
| alertslist | No | No | No |
| alertsmetadata | No | No | No |
| alertssummary | No | No | No |
| alertssummarylist | No | No | No |
| smartdetectoralertrules | Yes | Yes | No |
| smartgroups | No | No | No |

Microsoft.AnalysisServices
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| servers | Yes | Yes | No |

Microsoft.ApiManagement
IMPORTANT
An API Management service that is set to the Consumption SKU can't be moved.

| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| reportfeedback | No | No | No |
| service | Yes | Yes | Yes (using template). Move API Management across regions. |

Microsoft.AppConfiguration
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| configurationstores | Yes | Yes | No |
| configurationstores / eventgridfilters | No | No | No |

Microsoft.AppPlatform
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| spring | Yes | Yes | No |

Microsoft.AppService
IMPORTANT
See App Service move guidance.

| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| apiapps | No | No | Yes (using template). Move an App Service app to another region. |
| appidentities | No | No | No |
| gateways | No | No | No |

Microsoft.Attestation
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| attestationproviders | Yes | Yes | No |

Microsoft.Authorization
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| classicadministrators | No | No | No |
| dataaliases | No | No | No |
| denyassignments | No | No | No |
| elevateaccess | No | No | No |
| findorphanroleassignments | No | No | No |
| locks | No | No | No |
| permissions | No | No | No |
| policyassignments | No | No | No |
| policydefinitions | No | No | No |
| policysetdefinitions | No | No | No |
| privatelinkassociations | No | No | No |
| resourcemanagementprivatelinks | No | No | No |
| roleassignments | No | No | No |
| roleassignmentsusagemetrics | No | No | No |
| roledefinitions | No | No | No |

Microsoft.Automation
IMPORTANT
Runbooks must exist in the same resource group as the Automation Account.
For information, see Move your Azure Automation account to another subscription.

| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| automationaccounts | Yes | Yes | Yes (using template). Using geo-replication. |
| automationaccounts / configurations | Yes | Yes | No |
| automationaccounts / runbooks | Yes | Yes | No |

Microsoft.AVS
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| privateclouds | Yes | Yes | No |

Microsoft.AzureActiveDirectory
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| b2cdirectories | Yes | Yes | No |
| b2ctenants | No | No | No |

Microsoft.AzureData
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| datacontrollers | No | No | No |
| hybriddatamanagers | No | No | No |
| postgresinstances | No | No | No |
| sqlinstances | No | No | No |
| sqlmanagedinstances | No | No | No |
| sqlserverinstances | No | No | No |
| sqlserverregistrations | Yes | Yes | No |

Microsoft.AzureStack
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| cloudmanifestfiles | No | No | No |
| registrations | Yes | Yes | No |

Microsoft.AzureStackHCI
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| clusters | No | No | No |

Microsoft.Batch
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| batchaccounts | Yes | Yes | Batch accounts can't be moved directly from one region to another, but you can export a template, modify it, and deploy the template to the new region. Learn about moving a Batch account across regions. |

Microsoft.Billing
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| billingaccounts | No | No | No |
| billingperiods | No | No | No |
| billingpermissions | No | No | No |
| billingproperty | No | No | No |
| billingroleassignments | No | No | No |
| billingroledefinitions | No | No | No |
| departments | No | No | No |
| enrollmentaccounts | No | No | No |
| invoices | No | No | No |
| transfers | No | No | No |

Microsoft.BingMaps
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| mapapis | No | No | No |

Microsoft.BizTalkServices
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| biztalk | No | No | No |

Microsoft.Blockchain
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| blockchainmembers | No | No | No. The blockchain network can't have nodes in different regions. |
| cordamembers | No | No | No |
| watchers | No | No | No |

Microsoft.BlockchainTokens
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| tokenservices | No | No | No |

Microsoft.Blueprint
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| blueprintassignments | No | No | No |
| blueprints | No | No | No |

Microsoft.BotService
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| botservices | Yes | Yes | No |

Microsoft.Cache
IMPORTANT
If the Azure Cache for Redis instance is configured with a virtual network, the instance can't be moved to a different subscription. See Networking move limitations.

| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| redis | Yes | Yes | No |
| redisenterprise | No | No | No |

Microsoft.Capacity
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| appliedreservations | No | No | No |
| calculateexchange | No | No | No |
| calculateprice | No | No | No |
| calculatepurchaseprice | No | No | No |
| catalogs | No | No | No |
| commercialreservationorders | No | No | No |
| exchange | No | No | No |
| reservationorders | No | No | No |
| reservations | No | No | No |
| resources | No | No | No |
| validatereservationorder | No | No | No |

Microsoft.Cdn
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| cdnwebapplicationfirewallmanagedrulesets | No | No | No |
| cdnwebapplicationfirewallpolicies | Yes | Yes | No |
| edgenodes | No | No | No |
| profiles | Yes | Yes | No |
| profiles / endpoints | Yes | Yes | No |

Microsoft.CertificateRegistration
IMPORTANT
See App Service move guidance.

| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| certificateorders | Yes | Yes | No |

Microsoft.ClassicCompute
IMPORTANT
See Classic deployment move guidance. Classic deployment resources can be moved across subscriptions with an operation specific to that scenario.

| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| capabilities | No | No | No |
| domainnames | Yes | No | No |
| quotas | No | No | No |
| resourcetypes | No | No | No |
| validatesubscriptionmoveavailability | No | No | No |
| virtualmachines | Yes | Yes | No |

Microsoft.ClassicInfrastructureMigrate
IMPORTANT
See Classic deployment move guidance. Classic deployment resources can be moved across subscriptions with an operation specific to that scenario.

| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| classicinfrastructureresources | No | No | No |

Microsoft.ClassicNetwork
IMPORTANT
See Classic deployment move guidance. Classic deployment resources can be moved across subscriptions with an operation specific to that scenario.

| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| capabilities | No | No | No |
| expressroutecrossconnections | No | No | No |
| expressroutecrossconnections / peerings | No | No | No |
| gatewaysupporteddevices | No | No | No |
| networksecuritygroups | No | No | No |
| quotas | No | No | No |
| reservedips | No | No | No |
| virtualnetworks | No | No | No |

Microsoft.ClassicStorage
IMPORTANT
See Classic deployment move guidance. Classic deployment resources can be moved across subscriptions with an operation specific to that scenario.

| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| disks | No | No | No |
| images | No | No | No |
| osimages | No | No | No |
| osplatformimages | No | No | No |
| publicimages | No | No | No |
| quotas | No | No | No |
| storageaccounts | Yes | No | Yes |
| vmimages | No | No | No |

Microsoft.ClassicSubscription
IMPORTANT
See Classic deployment move guidance. Classic deployment resources can be moved across subscriptions with an operation specific to that scenario.

| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| operations | No | No | No |

Microsoft.CognitiveServices
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| accounts | Yes | Yes | No |
| Cognitive Search | Yes | Yes | Supported with manual steps. Learn about moving your Azure Cognitive Search service to another region. |

Microsoft.Commerce
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| ratecard | No | No | No |
| usageaggregates | No | No | No |

Microsoft.Compute
IMPORTANT
See Virtual Machines move guidance.

| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| availabilitysets | Yes | Yes | Yes. Use Azure Resource Mover to move availability sets. |
| diskaccesses | No | No | No |
| diskencryptionsets | No | No | No |
| disks | Yes | Yes | Yes. Use Azure Resource Mover to move Azure VMs and related disks. |
| galleries | No | No | No |
| galleries / images | No | No | No |
| galleries / images / versions | No | No | No |
| hostgroups | No | No | No |
| hostgroups / hosts | No | No | No |
| images | Yes | Yes | No |
| proximityplacementgroups | Yes | Yes | No |
| restorepointcollections | No | No | No |
| restorepointcollections / restorepoints | No | No | No |
| sharedvmextensions | No | No | No |
| sharedvmimages | No | No | No |
| sharedvmimages / versions | No | No | No |
| snapshots | Yes | Yes | No |
| sshpublickeys | No | No | No |
| virtualmachines | Yes | Yes | Yes. Use Azure Resource Mover to move Azure VMs. |
| virtualmachines / extensions | Yes | Yes | No |
| virtualmachinescalesets | Yes | Yes | No |

Microsoft.Confluent
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| organizations | No | No | No |

Microsoft.Consumption
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| aggregatedcost | No | No | No |
| balances | No | No | No |
| budgets | No | No | No |
| charges | No | No | No |
| costtags | No | No | No |
| credits | No | No | No |
| events | No | No | No |
| forecasts | No | No | No |
| lots | No | No | No |
| marketplaces | No | No | No |
| pricesheets | No | No | No |
| products | No | No | No |
| reservationdetails | No | No | No |
| reservationrecommendationdetails | No | No | No |
| reservationrecommendations | No | No | No |
| reservationsummaries | No | No | No |
| reservationtransactions | No | No | No |
| tags | No | No | No |
| tenants | No | No | No |
| terms | No | No | No |
| usagedetails | No | No | No |

Microsoft.ContainerInstance
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| containergroups | No | No | No |
| serviceassociationlinks | No | No | No |

Microsoft.ContainerRegistry
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| registries | Yes | Yes | No |
| registries / agentpools | Yes | Yes | No |
| registries / buildtasks | Yes | Yes | No |
| registries / replications | Yes | Yes | No |
| registries / tasks | Yes | Yes | No |
| registries / webhooks | Yes | Yes | No |

Microsoft.ContainerService
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| containerservices | No | No | No |
| managedclusters | No | No | No |
| openshiftmanagedclusters | No | No | No |

Microsoft.ContentModerator
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| applications | No | No | No |

Microsoft.CortanaAnalytics
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| accounts | No | No | No |

Microsoft.CostManagement
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| alerts | No | No | No |
| billingaccounts | No | No | No |
| budgets | No | No | No |
| cloudconnectors | No | No | No |
| connectors | Yes | Yes | No |
| departments | No | No | No |
| dimensions | No | No | No |
| enrollmentaccounts | No | No | No |
| exports | No | No | No |
| externalbillingaccounts | No | No | No |
| forecast | No | No | No |
| query | No | No | No |
| register | No | No | No |
| reportconfigs | No | No | No |
| reports | No | No | No |
| settings | No | No | No |
| showbackrules | No | No | No |
| views | No | No | No |

Microsoft.CustomerInsights
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| hubs | No | No | No |

Microsoft.CustomerLockbox
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| requests | No | No | No |

Microsoft.CustomProviders
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| associations | No | No | No |
| resourceproviders | Yes | Yes | No |

Microsoft.DataBox
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| jobs | No | No | No |

Microsoft.DataBoxEdge
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| availableskus | No | No | No |
| databoxedgedevices | No | No | No |

Microsoft.Databricks
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| workspaces | No | No | No |

Microsoft.DataCatalog
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| catalogs | Yes | Yes | No |
| datacatalogs | No | No | No |

Microsoft.DataConnect
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| connectionmanagers | No | No | No |

Microsoft.DataExchange
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| packages | No | No | No |
| plans | No | No | No |

Microsoft.DataFactory
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| datafactories | Yes | Yes | No |
| factories | Yes | Yes | No |

Microsoft.DataLake
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| datalakeaccounts | No | No | No |

Microsoft.DataLakeAnalytics
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| accounts | Yes | Yes | No |

Microsoft.DataLakeStore
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| accounts | Yes | Yes | No |

Microsoft.DataMigration
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| services | No | No | No |
| services / projects | No | No | No |
| slots | No | No | No |

Microsoft.DataProtection
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| backupvaults | Yes | Yes | No |

Microsoft.DataShare
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| accounts | Yes | Yes | No |

Microsoft.DBforMariaDB
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| servers | Yes | Yes | You can use a cross-region read replica to move an existing server. Learn more. If the service is provisioned with geo-redundant backup storage, you can use geo-restore to restore in other regions. Learn more. |

Microsoft.DBforMySQL
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| flexibleServers | Yes | Yes | No |
| servers | Yes | Yes | You can use a cross-region read replica to move an existing server. Learn more. |

Microsoft.DBforPostgreSQL
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| flexibleServers | Yes | Yes | No |
| servergroups | No | No | No |
| servers | Yes | Yes | You can use a cross-region read replica to move an existing server. Learn more. |
| serversv2 | Yes | Yes | No |

Microsoft.DeploymentManager
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| artifactsources | Yes | Yes | No |
| rollouts | Yes | Yes | No |
| servicetopologies | Yes | Yes | No |
| servicetopologies / services | Yes | Yes | No |
| servicetopologies / services / serviceunits | Yes | Yes | No |
| steps | Yes | Yes | No |

Microsoft.DesktopVirtualization
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| applicationgroups | Yes | Yes | No |
| hostpools | Yes | Yes | No |
| workspaces | Yes | Yes | No |

Microsoft.Devices
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| elasticpools | No | No | No. Resource isn't exposed. |
| elasticpools / iothubtenants | No | No | No. Resource isn't exposed. |
| iothubs | Yes | Yes | Yes. Learn more. |
| provisioningservices | Yes | Yes | No |

Microsoft.DevOps
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| pipelines | Yes | Yes | No |
| controllers | pending | pending | No |

Microsoft.DevSpaces
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| controllers | Yes | Yes | No |
| AKS cluster | pending | pending | No. Learn more about moving to another region. |

Microsoft.DevTestLab
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| labcenters | No | No | No |
| labs | Yes | No | No |
| labs / environments | Yes | Yes | No |
| labs / servicerunners | Yes | Yes | No |
| labs / virtualmachines | Yes | No | No |
| schedules | Yes | Yes | No |

Microsoft.DigitalTwins
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| digitaltwinsinstances | No | No | Yes, by recreating resources in the new region. Learn more. |

Microsoft.DocumentDB
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| databaseaccountnames | No | No | No |
| databaseaccounts | Yes | Yes | No |

Microsoft.DomainRegistration
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| domains | Yes | Yes | No |
| generatessorequest | No | No | No |
| topleveldomains | No | No | No |
| validatedomainregistrationinformation | No | No | No |

Microsoft.EnterpriseKnowledgeGraph
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| services | Yes | Yes | No |

Microsoft.EventGrid
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| domains | Yes | Yes | No |
| eventsubscriptions | No - can't be moved independently but automatically moved with subscribed resource. | No - can't be moved independently but automatically moved with subscribed resource. | No |
| extensiontopics | No | No | No |
| partnernamespaces | Yes | Yes | No |
| partnerregistrations | No | No | No |
| partnertopics | Yes | Yes | No |
| systemtopics | Yes | Yes | No |
| topics | Yes | Yes | No |
| topictypes | No | No | No |

Microsoft.EventHub
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| clusters | Yes | Yes | No |
| namespaces | Yes | Yes | Yes (with template). Move an Event Hub namespace to another region. |
| sku | No | No | No |

Microsoft.Experimentation
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| experimentworkspaces | No | No | No |

Microsoft.ExtendedLocation
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| customLocations | No | No | No |

Microsoft.Falcon
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| namespaces | Yes | Yes | No |

Microsoft.Features
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| featureproviders | No | No | No |
| features | No | No | No |
| providers | No | No | No |
| subscriptionfeatureregistrations | No | No | No |

Microsoft.Genomics
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| accounts | No | No | No |

Microsoft.GuestConfiguration
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| automanagedaccounts | No | No | No |
| automanagedvmconfigurationprofiles | No | No | No |
| guestconfigurationassignments | No | No | No |
| software | No | No | No |
| softwareupdateprofile | No | No | No |
| softwareupdates | No | No | No |

Microsoft.HanaOnAzure
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| hanainstances | No | No | No |
| sapmonitors | No | No | No |

Microsoft.HardwareSecurityModules
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| dedicatedhsms | No | No | No |

Microsoft.HDInsight
IMPORTANT
You can move HDInsight clusters to a new subscription or resource group. However, you can't move across subscriptions the networking resources linked to the HDInsight cluster (such as the virtual network, NIC, or load balancer). In addition, you can't move a NIC that is attached to a virtual machine for the cluster to a new resource group.
When moving an HDInsight cluster to a new subscription, first move other resources (like the storage account). Then, move the HDInsight cluster by itself.

| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| clusters | Yes | Yes | No |

Microsoft.HealthcareApis
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| services | Yes | Yes | No |

Microsoft.HybridCompute
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| machines | Yes | Yes | No |
| machines / extensions | Yes | Yes | No |

Microsoft.HybridData
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| datamanagers | Yes | Yes | No |

Microsoft.HybridNetwork
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| devices | No | No | No |
| vnfs | No | No | No |

Microsoft.Hydra
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| components | No | No | No |
| networkscopes | No | No | No |

Microsoft.ImportExport
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| jobs | Yes | Yes | No |

Microsoft.Insights
IMPORTANT
Make sure that moving to a new subscription doesn't exceed subscription quotas.

| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| accounts | Yes | Yes | No. Learn more. |
| actiongroups | Yes | Yes | No |
| activitylogalerts | No | No | No |
| alertrules | Yes | Yes | No |
| autoscalesettings | Yes | Yes | No |
| baseline | No | No | No |
| components | Yes | Yes | No |
| datacollectionrules | No | No | No |
| diagnosticsettings | No | No | No |
| diagnosticsettingscategories | No | No | No |
| eventcategories | No | No | No |
| eventtypes | No | No | No |
| extendeddiagnosticsettings | No | No | No |
| guestdiagnosticsettings | No | No | No |
| listmigrationdate | No | No | No |
| logdefinitions | No | No | No |
| logprofiles | No | No | No |
| logs | No | No | No |
| metricalerts | No | No | No |
| metricbaselines | No | No | No |
| metricbatch | No | No | No |
| metricdefinitions | No | No | No |
| metricnamespaces | No | No | No |
| metrics | No | No | No |
| migratealertrules | No | No | No |
| migratetonewpricingmodel | No | No | No |
| myworkbooks | No | No | No |
| notificationgroups | No | No | No |
| privatelinkscopes | No | No | No |
| rollbacktolegacypricingmodel | No | No | No |
| scheduledqueryrules | Yes | Yes | No |
| topology | No | No | No |
| transactions | No | No | No |
| vminsightsonboardingstatuses | No | No | No |
| webtests | Yes | Yes | No |
| webtests / gettestresultfile | No | No | No |
| workbooks | Yes | Yes | No |
| workbooktemplates | Yes | Yes | No |

Microsoft.IoTCentral
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| apptemplates | No | No | No |
| iotapps | Yes | Yes | No |

Microsoft.IoTHub
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| iothub | Yes | Yes | Yes (clone hub). Clone an IoT hub to another region. |

Microsoft.IoTSpaces
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| graph | Yes | Yes | No |

Microsoft.KeyVault
IMPORTANT
Key Vaults used for disk encryption can't be moved to a resource group in the same subscription or across subscriptions.

| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| deletedvaults | No | No | No |
| hsmpools | No | No | No |
| managedhsms | No | No | No |
| vaults | Yes | Yes | No |

Microsoft.Kubernetes
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| connectedclusters | No | No | No |
| registeredsubscriptions | No | No | No |

Microsoft.KubernetesConfiguration
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| sourcecontrolconfigurations | No | No | No |

Microsoft.Kusto
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| clusters | Yes | Yes | No |

Microsoft.LabServices
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| labaccounts | No | No | No |
| users | No | No | No |

Microsoft.LocationBasedServices
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| accounts | No | No | No |

Microsoft.LocationServices
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| accounts | No | No | No, it's a global service. |

Microsoft.Logic
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| hostingenvironments | No | No | No |
| integrationaccounts | Yes | Yes | No |
| integrationserviceenvironments | Yes | No | No |
| integrationserviceenvironments / managedapis | Yes | No | No |
| isolatedenvironments | No | No | No |
| workflows | Yes | Yes | No |

Microsoft.MachineLearning
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| commitmentplans | No | No | No |
| webservices | Yes | No | No |
| workspaces | Yes | Yes | No |

Microsoft.MachineLearningCompute
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| operationalizationclusters | No | No | No |

Microsoft.MachineLearningExperimentation
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| accounts | No | No | No |
| teamaccounts | No | No | No |

Microsoft.MachineLearningModelManagement
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| accounts | No | No | No |

Microsoft.MachineLearningServices
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| workspaces | No | No | No |

Microsoft.Maintenance
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| configurationassignments | No | No | Yes. Learn more. |
| maintenanceconfigurations | Yes | Yes | Yes. Learn more. |
| updates | No | No | No |

Microsoft.ManagedIdentity
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| identities | No | No | No |
| userassignedidentities | No | No | No |

Microsoft.ManagedNetwork
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| managednetworks | No | No | No |
| managednetworks / managednetworkgroups | No | No | No |
| managednetworks / managednetworkpeeringpolicies | No | No | No |
| notification | No | No | No |

Microsoft.ManagedServices
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| marketplaceregistrationdefinitions | No | No | No |
| registrationassignments | No | No | No |
| registrationdefinitions | No | No | No |

Microsoft.Management
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| getentities | No | No | No |
| managementgroups | No | No | No |
| managementgroups / settings | No | No | No |
| resources | No | No | No |
| starttenantbackfill | No | No | No |
| tenantbackfillstatus | No | No | No |

Microsoft.Maps
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| accounts | Yes | Yes | No, Azure Maps is a geospatial service. |
| accounts / privateatlases | Yes | Yes | No |

Microsoft.Marketplace
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| offers | No | No | No |
| offertypes | No | No | No |
| privategalleryitems | No | No | No |
| privatestoreclient | No | No | No |
| privatestores | No | No | No |
| products | No | No | No |
| publishers | No | No | No |
| register | No | No | No |

Microsoft.MarketplaceApps
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| classicdevservices | No | No | No |

Microsoft.MarketplaceOrdering
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| agreements | No | No | No |
| offertypes | No | No | No |

Microsoft.Media
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| mediaservices | Yes | Yes | No |
| mediaservices / liveevents | Yes | Yes | No |
| mediaservices / streamingendpoints | Yes | Yes | No |

Microsoft.Microservices4Spring
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| appclusters | No | No | No |

Microsoft.Migrate
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| assessmentprojects | No | No | No |
| migrateprojects | No | No | No |
| movecollections | No | No | No |
| projects | No | No | No |

Microsoft.MixedReality
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| holographicsbroadcastaccounts | No | No | No |
| objectunderstandingaccounts | No | No | No |
| remoterenderingaccounts | Yes | Yes | No |
| spatialanchorsaccounts | Yes | Yes | No |

Microsoft.NetApp
| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| netappaccounts | No | No | No |
| netappaccounts / capacitypools | No | No | No |
| netappaccounts / capacitypools / volumes | No | No | No |
| netappaccounts / capacitypools / volumes / mounttargets | No | No | No |
| netappaccounts / capacitypools / volumes / snapshots | No | No | No |

Microsoft.Network
IMPORTANT
See Networking move guidance.

| Resource type | Resource group | Subscription | Region move |
| --- | --- | --- | --- |
| applicationgateways | No | No | No |
| applicationgatewaywebapplicationfirewallpolicies | No | No | No |
| applicationsecuritygroups | Yes | Yes | No |
| azurefirewalls | No | No | No |
| bastionhosts | No | No | No |
| bgpservicecommunities | No | No | No |
| connections | Yes | Yes | No |
| ddoscustompolicies | Yes | Yes | No |
| ddosprotectionplans | No | No | No |
| dnszones | Yes | Yes | No |
| expressroutecircuits | No | No | No |
| expressroutegateways | No | No | No |
| expressrouteserviceproviders | No | No | No |
| firewallpolicies | No | No | No |
| frontdoors | No | No | No |
| ipallocations | Yes | Yes | No |
| ipgroups | Yes | Yes | No |
| loadbalancers | Yes - Basic SKU; Yes - Standard SKU | Yes - Basic SKU; No - Standard SKU | Yes. Use Azure Resource Mover to move internal and external load balancers. |
| localnetworkgateways | Yes | Yes | No |
| natgateways | No | No | No |
| networkexperimentprofiles | No | No | No |
| networkintentpolicies | Yes | Yes | No |
| networkinterfaces | Yes | Yes | Yes. Use Azure Resource Mover to move NICs. |
| networkprofiles | No | No | No |
| networksecuritygroups | Yes | Yes | Yes. Use Azure Resource Mover to move network security groups (NSGs). |
| networkwatchers | No | No | No |
| networkwatchers / connectionmonitors | Yes | No | No |
| networkwatchers / flowlogs | Yes | No | No |
| networkwatchers / pingmeshes | Yes | No | No |
| p2svpngateways | No | No | No |
| privatednszones | Yes | Yes | No |
| privatednszones / virtualnetworklinks | Yes | Yes | No |
| privatednszonesinternal | No | No | No |
| privateendpointredirectmaps | No | No | No |
| privateendpoints | No | No | No |
| privatelinkservices | No | No | No |
| publicipaddresses | Yes - Basic SKU; Yes - Standard SKU | Yes - Basic SKU; No - Standard SKU | Yes. Use Azure Resource Mover to move public IP address configurations (IP addresses are not retained). |
| publicipprefixes | Yes | Yes | No |
| routefilters | No | No | No |
| routetables | Yes | Yes | No |
| securitypartnerproviders | Yes | Yes | No |
| serviceendpointpolicies | Yes | Yes | No |
| trafficmanagergeographichierarchies | No | No | No |
| trafficmanagerprofiles | Yes | Yes | No |
| trafficmanagerprofiles / heatmaps | No | No | No |
| trafficmanagerusermetricskeys | No | No | No |
| virtualhubs | No | No | No |
| virtualnetworkgateways | Yes | Yes | No |
| virtualnetworks | Yes | Yes | No |
| virtualnetworktaps | No | No | No |
| virtualrouters | Yes | Yes | No |
| virtualwans | No | No | |
| vpngateways (Virtual WAN) | No | No | No |
| vpnserverconfigurations | No | No | No |
| vpnsites (Virtual WAN) | No | No | No |

Microsoft.NotificationHubs
RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
namespaces  Yes  Yes  No
namespaces / notificationhubs  Yes  Yes  No

Microsoft.ObjectStore
RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
osnamespaces  Yes  Yes  No

Microsoft.OffAzure
RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
hypervsites  No  No  No
importsites  No  No  No
serversites  No  No  No
vmwaresites  No  No  No

Microsoft.OperationalInsights
IMPORTANT
Make sure that moving to a new subscription doesn't exceed subscription quotas.
Workspaces that have a linked automation account can't be moved. Before you begin a move operation, be sure to unlink any automation accounts.

RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
clusters  No  No  No
deletedworkspaces  No  No  No
linktargets  No  No  No
storageinsightconfigs  No  No  No
workspaces  Yes  Yes  No

Microsoft.OperationsManagement
RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
managementassociations  No  No  No
managementconfigurations  Yes  Yes  No
solutions  Yes  Yes  No
views  Yes  Yes  No

Microsoft.Peering
RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
legacypeerings  No  No  No
peerasns  No  No  No
peeringlocations  No  No  No
peerings  No  No  No
peeringservicecountries  No  No  No
peeringservicelocations  No  No  No
peeringserviceproviders  No  No  No
peeringservices  No  No  No

Microsoft.PolicyInsights
RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
policyevents  No  No  No
policystates  No  No  No
policytrackedresources  No  No  No
remediations  No  No  No

Microsoft.Portal
RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
consoles  No  No  No
dashboards  Yes  Yes  No
usersettings  No  No  No

Microsoft.PowerBI
RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
workspacecollections  Yes  Yes  No

Microsoft.PowerBIDedicated
RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
capacities  Yes  Yes  No

Microsoft.ProjectBabylon
RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
accounts  No  No  No

Microsoft.Purview
RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
accounts  Yes  Yes  No

Microsoft.ProviderHub
RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
availableaccounts  No  No  No
providerregistrations  No  No  No
rollouts  No  No  No

Microsoft.Quantum
RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
workspaces  No  No  No

Microsoft.RecoveryServices
IMPORTANT
See Recovery Services move guidance.
See Continue backups in Recovery Services vault after moving resources across regions.

RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
replicationeligibilityresults  No  No  No
vaults  Yes  Yes  No. Moving Recovery Services vaults for Azure Backup across Azure regions isn't supported. In Recovery Services vaults for Azure Site Recovery, you can disable and recreate the vault in the target region.

Microsoft.RedHatOpenShift
RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
openshiftclusters  No  No  No

Microsoft.Relay
RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
namespaces  Yes  Yes  No

Microsoft.ResourceGraph
RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
queries  Yes  Yes  No
resourcechangedetails  No  No  No
resourcechanges  No  No  No
resources  No  No  No
resourceshistory  No  No  No
subscriptionsstatus  No  No  No

Microsoft.ResourceHealth
RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
childresources  No  No  No
emergingissues  No  No  No
events  No  No  No
metadata  No  No  No
notifications  No  No  No

Microsoft.Resources
RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
deployments  No  No  No
deploymentscripts  No  No  Yes. Move Microsoft.Resources resources to new region.
deploymentscripts / logs  No  No  No
links  No  No  No
providers  No  No  No
resourcegroups  No  No  No
resources  No  No  No
subscriptions  No  No  No
tags  No  No  No
templatespecs  No  No  Yes. Move Microsoft.Resources resources to new region.
templatespecs / versions  No  No  No
tenants  No  No  No

Microsoft.SaaS
RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
applications  Yes  No  No
resources  Yes  Yes  No
saasresources  No  No  No

Microsoft.Search
IMPORTANT
You can't move several Search resources in different regions in one operation. Instead, move them in separate operations.

RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
resourcehealthmetadata  No  No  No
searchservices  Yes  Yes  No

Microsoft.Security
RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
adaptivenetworkhardenings  No  No  No
advancedthreatprotectionsettings  No  No  No
alerts  No  No  No
allowedconnections  No  No  No
applicationwhitelistings  No  No  No
assessmentmetadata  No  No  No
assessments  No  No  No
autodismissalertsrules  No  No  No
automations  Yes  Yes  No
autoprovisioningsettings  No  No  No
complianceresults  No  No  No
compliances  No  No  No
datacollectionagents  No  No  No
devicesecuritygroups  No  No  No
discoveredsecuritysolutions  No  No  No
externalsecuritysolutions  No  No  No
informationprotectionpolicies  No  No  No
iotsecuritysolutions  Yes  Yes  No
iotsecuritysolutions / analyticsmodels  No  No  No
iotsecuritysolutions / analyticsmodels / aggregatedalerts  No  No  No
iotsecuritysolutions / analyticsmodels / aggregatedrecommendations  No  No  No
jitnetworkaccesspolicies  No  No  No
policies  No  No  No
pricings  No  No  No
regulatorycompliancestandards  No  No  No
regulatorycompliancestandards / regulatorycompliancecontrols  No  No  No
regulatorycompliancestandards / regulatorycompliancecontrols / regulatorycomplianceassessments  No  No  No
securitycontacts  No  No  No
securitysolutions  No  No  No
securitysolutionsreferencedata  No  No  No
securitystatuses  No  No  No
securitystatusessummaries  No  No  No
servervulnerabilityassessments  No  No  No
settings  No  No  No
subassessments  No  No  No
tasks  No  No  No
topologies  No  No  No
workspacesettings  No  No  No

Microsoft.SecurityInsights
RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
aggregations  No  No  No
alertrules  No  No  No
alertruletemplates  No  No  No
automationrules  No  No  No
bookmarks  No  No  No
cases  No  No  No
dataconnectors  No  No  No
entities  No  No  No
entityqueries  No  No  No
incidents  No  No  No
officeconsents  No  No  No
settings  No  No  No
threatintelligence  No  No  No

Microsoft.SerialConsole
RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
consoleservices  No  No  No

Microsoft.ServerManagement
RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
gateways  No  No  No
nodes  No  No  No

Microsoft.ServiceBus
RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
namespaces  Yes  Yes  No
premiummessagingregions  No  No  No
sku  No  No  No

Microsoft.ServiceFabric
RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
applications  No  No  No
clusters  Yes  Yes  No
containergroups  No  No  No
containergroupsets  No  No  No
edgeclusters  No  No  No
managedclusters  No  No  No
networks  No  No  No
secretstores  No  No  No
volumes  No  No  No

Microsoft.ServiceFabricMesh
RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
applications  Yes  Yes  No
containergroups  No  No  No
gateways  Yes  Yes  No
networks  Yes  Yes  No
secrets  Yes  Yes  No
volumes  Yes  Yes  No

Microsoft.Services
RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
rollouts  No  No  No

Microsoft.SignalRService
RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
signalr  Yes  Yes  No

Microsoft.SoftwarePlan
RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
hybridusebenefits  No  No  No

Microsoft.Solutions
RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
applicationdefinitions  No  No  No
applications  No  No  No
jitrequests  No  No  No

Microsoft.Sql
IMPORTANT
A database and server must be in the same resource group. When you move a SQL server, all its databases are also moved. This behavior applies to Azure SQL Database and Azure Synapse Analytics databases.

RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
instancepools  No  No  No
locations  Yes  Yes  No
managedinstances  No  No  Yes. Learn more about moving managed instances across regions.
managedinstances / databases  No  No  Yes
servers  Yes  Yes  Yes
servers / databases  Yes  Yes  Yes. Learn more about moving databases across regions. Learn more about using Azure Resource Mover to move Azure SQL databases.
servers / databases / backuplongtermretentionpolicies  Yes  Yes  No
servers / elasticpools  Yes  Yes  Yes. Learn more about moving elastic pools across regions. Learn more about using Azure Resource Mover to move Azure SQL elastic pools.
servers / jobaccounts  Yes  Yes  No
servers / jobagents  Yes  Yes  No
virtualclusters  No  No  No

Microsoft.SqlVirtualMachine
RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
sqlvirtualmachinegroups  Yes  Yes  No
sqlvirtualmachines  Yes  Yes  No

Microsoft.Storage
RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
storageaccounts  Yes  Yes  Yes. Move an Azure Storage account to another region.

Microsoft.StorageCache
RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
caches  No  No  No

Microsoft.StorageSync
RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
storagesyncservices  Yes  Yes  No

Microsoft.StorageSyncDev
RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
storagesyncservices  No  No  No

Microsoft.StorageSyncInt
RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
storagesyncservices  No  No  No

Microsoft.StorSimple
RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
managers  No  No  No

Microsoft.StreamAnalytics
IMPORTANT
Stream Analytics jobs can't be moved when in running state.

RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
clusters  No  No  No
streamingjobs  Yes  Yes  No

Microsoft.StreamAnalyticsExplorer
RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
environments  No  No  No
instances  No  No  No

Microsoft.Subscription
RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
subscriptions  No  No  No

Microsoft.Support
RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
services  No  No  No
supporttickets  No  No  No

Microsoft.Synapse
RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
workspaces  No  No  No
workspaces / bigdatapools  No  No  No
workspaces / sqlpools  No  No  No

Microsoft.TimeSeriesInsights
RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
environments  Yes  Yes  No
environments / eventsources  Yes  Yes  No
environments / referencedatasets  Yes  Yes  No

Microsoft.Token
RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
stores  Yes  Yes  No

Microsoft.VirtualMachineImages
RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
imagetemplates  No  No  No

Microsoft.VisualStudio
IMPORTANT
To change the subscription for Azure DevOps, see change the Azure subscription used for billing.

RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
account  No  No  No
account / extension  No  No  No
account / project  No  No  No

Microsoft.VMware
RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
arczones  No  No  No
resourcepools  No  No  No
vcenters  No  No  No
virtualmachines  No  No  No
virtualmachinetemplates  No  No  No
virtualnetworks  No  No  No

Microsoft.VMwareCloudSimple
RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
dedicatedcloudnodes  No  No  No
dedicatedcloudservices  No  No  No
virtualmachines  No  No  No

Microsoft.VnfManager
RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
devices  No  No  No
vnfs  No  No  No

Microsoft.VSOnline
RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
accounts  No  No  No
plans  No  No  No
registeredsubscriptions  No  No  No

Microsoft.Web
IMPORTANT
See App Service move guidance.

RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
availablestacks  No  No  No
billingmeters  No  No  No
certificates  No  Yes  No
certificates (managed)  No  No  No
connectiongateways  Yes  Yes  No
connections  Yes  Yes  No
customapis  Yes  Yes  No
deletedsites  No  No  No
deploymentlocations  No  No  No
georegions  No  No  No
hostingenvironments  No  No  No
kubeenvironments  Yes  Yes  No
publishingusers  No  No  No
recommendations  No  No  No
resourcehealthmetadata  No  No  No
runtimes  No  No  No
serverfarms  Yes  Yes  No
serverfarms / eventgridfilters  No  No  No
sites  Yes  Yes  No
sites / premieraddons  Yes  Yes  No
sites / slots  Yes  Yes  No
sourcecontrols  No  No  No
staticsites  No  No  No

Microsoft.WindowsESU
RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
multipleactivationkeys  No  No  No

Microsoft.WindowsIoT
RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
deviceservices  No  No  No

Microsoft.WorkloadBuilder
RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
workloads  No  No  No

Microsoft.WorkloadMonitor
RESOURCE TYPE  RESOURCE GROUP  SUBSCRIPTION  REGION MOVE
components  No  No  No
componentssummary  No  No  No
monitorinstances  No  No  No
monitorinstancessummary  No  No  No
monitors  No  No  No

Third-party services
Third-party services currently don't support the move operation.

Next steps
For commands to move resources, see Move resources to new resource group or subscription.
Learn more about the Resource Mover service.
To get the same data as a file of comma-separated values, download move-support-resources.csv for
resource group and subscription move support. If you want those properties and region move support,
download move-support-resources-with-regions.csv.
Move guidance for App Service resources
2/23/2022 • 2 minutes to read

This article describes the steps to move App Service resources. There are specific requirements for moving App
Service resources to a new subscription.

Move across subscriptions

When moving a Web App across subscriptions, the following guidance applies:
Moving a resource to a new resource group or subscription is a metadata change that shouldn't affect anything about how the resource functions. For example, the inbound IP address for an app service doesn't change when moving the app service.
The destination resource group must not have any existing App Service resources. App Service resources include:
  Web Apps
  App Service plans
  Uploaded or imported TLS/SSL certificates
  App Service Environments
All App Service resources in the resource group must be moved together.
App Service Environments can't be moved to a new resource group or subscription. However, you can move a web app and app service plan to a new subscription without moving the App Service Environment. After the move, the web app is no longer hosted in the App Service Environment.
You can move a certificate bound to a web app without deleting the TLS bindings, as long as the certificate is moved with all other resources in the resource group. However, you can't move a free App Service managed certificate. For that scenario, see Move with free managed certificates.
App Service resources can only be moved from the resource group in which they were originally created. If an App Service resource is no longer in its original resource group, move it back to its original resource group. Then, move the resource across subscriptions. For help with finding the original resource group, see the next section.
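The rules above are easy to get wrong by hand when a resource group holds more than a handful of resources, so they are worth checking before the move is requested. The following pre-flight checker is an added example, not Microsoft's or the App Service team's code. It takes resource records in the shape `az resource list` returns (only `id`, `type` and, for certificates, `properties` are read). Two things are assumptions: the App Service provider namespaces are taken from the "Move support" list in this article, and a `Microsoft.Web/certificates` record is treated as a free managed certificate when it carries a `canonicalName` property. The sample records and the subscription id at the bottom are constructed placeholders. The "original resource group" rule can't be checked from a listing; that still needs the portal diagnostics described in the next section.

```python
"""Pre-flight check for moving App Service resources to another resource
group or subscription, applying the rules listed in this article.
Added example, not Microsoft's code. Input records mirror `az resource list`
output (keys `id`, `type`, optional `properties`)."""
from dataclasses import dataclass, field
from typing import Dict, List

# Provider namespaces this article lists under "Move support" (assumption:
# every resource under them counts as an App Service resource).
APP_SERVICE_PROVIDERS = (
    "microsoft.web/",
    "microsoft.appservice/",
    "microsoft.certificateregistration/",
    "microsoft.domainregistration/",
)


@dataclass
class MoveCheck:
    ok: bool
    problems: List[str] = field(default_factory=list)


def is_app_service_resource(resource: Dict) -> bool:
    return resource["type"].lower().startswith(APP_SERVICE_PROVIDERS)


def is_managed_certificate(resource: Dict) -> bool:
    # Assumption: a free App Service managed certificate is a
    # Microsoft.Web/certificates record with a `canonicalName` property;
    # uploaded or imported certificates don't carry one.
    props = resource.get("properties") or {}
    return (resource["type"].lower() == "microsoft.web/certificates"
            and bool(props.get("canonicalName")))


def check_app_service_move(source_rg: List[Dict], selected_ids: List[str],
                           destination_rg: List[Dict]) -> MoveCheck:
    """Rules applied, in order:
      1. the destination group must hold no App Service resources;
      2. free managed certificates can't be moved (delete, move, re-create);
      3. App Service Environments can't be moved, but may be left behind;
      4. every other App Service resource in the source group must be selected.
    Returns MoveCheck(ok=True) only when no rule is violated."""
    problems: List[str] = []
    selected = {i.lower() for i in selected_ids}

    dest_app = [r["id"] for r in destination_rg if is_app_service_resource(r)]
    if dest_app:
        problems.append("destination group already contains App Service resources: "
                        + ", ".join(dest_app))

    for r in source_rg:
        if not is_app_service_resource(r):
            continue  # non-App Service resources are not constrained by these rules
        rid, rtype = r["id"], r["type"].lower()
        if is_managed_certificate(r):
            problems.append("managed certificate must be deleted before the move "
                            f"and re-created afterwards: {rid}")
        elif rtype == "microsoft.web/hostingenvironments":
            if rid.lower() in selected:
                problems.append(f"App Service Environment can't be moved: {rid}")
        elif rid.lower() not in selected:
            problems.append(f"App Service resource not included in the move: {rid}")

    return MoveCheck(ok=not problems, problems=problems)


# Constructed sample data; the subscription id is a placeholder.
SUB_PLACEHOLDER = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_SOURCE = [
    {"id": f"{SUB_PLACEHOLDER}/resourceGroups/rg-src/providers/Microsoft.Web/sites/contoso-web",
     "type": "Microsoft.Web/sites"},
    {"id": f"{SUB_PLACEHOLDER}/resourceGroups/rg-src/providers/Microsoft.Web/serverfarms/contoso-plan",
     "type": "Microsoft.Web/serverfarms"},
    {"id": f"{SUB_PLACEHOLDER}/resourceGroups/rg-src/providers/Microsoft.Storage/storageAccounts/contosologs",
     "type": "Microsoft.Storage/storageAccounts"},
]
SAMPLE_MANAGED_CERT = {
    "id": f"{SUB_PLACEHOLDER}/resourceGroups/rg-src/providers/Microsoft.Web/certificates/contoso-managed",
    "type": "Microsoft.Web/certificates",
    "properties": {"canonicalName": "www.contoso.example"},
}
SAMPLE_DEST_BUSY = [
    {"id": f"{SUB_PLACEHOLDER}/resourceGroups/rg-dst/providers/Microsoft.Web/serverfarms/other-plan",
     "type": "Microsoft.Web/serverfarms"},
]

if __name__ == "__main__":
    ids = [r["id"] for r in SAMPLE_SOURCE]
    print(check_app_service_move(SAMPLE_SOURCE, ids, []))
    print(check_app_service_move(SAMPLE_SOURCE + [SAMPLE_MANAGED_CERT], ids, SAMPLE_DEST_BUSY))
```

To use it against real groups, feed it the JSON from `az resource list --resource-group <source>` and `az resource list --resource-group <destination>` and the ids you intend to pass to the move; run the move only when `ok` is true.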

Find original resource group

If you don't remember the original resource group, you can find it through diagnostics. For your web app, select Diagnose and solve problems. Then, select Configuration and Management.
Select Migration Options.
Select the option for recommended steps to move the web app.
You see the recommended actions to take before moving the resources. The information includes the original resource group for the web app.

Move hidden resource types in portal

When using the portal to move your App Service resources, you may see an error indicating that you haven't moved all of the resources. If you see this error, check if there are resource types that the portal didn't display. Select Show hidden types. Then, select all of the resources to move.

Move with free managed certificates

You can't move a free App Service managed certificate. Instead, delete the managed certificate and recreate it after moving the web app. To get instructions for deleting the certificate, use the Migration Operations tool.
If your free App Service managed certificate gets created in an unexpected resource group, try moving the app service plan back to its original resource group. Then, recreate the free managed certificate. This issue will be fixed.

Move support
To determine which App Service resources can be moved, see move support status for:
Microsoft.AppService
Microsoft.CertificateRegistration
Microsoft.DomainRegistration
Microsoft.Web

Next steps
For commands to move resources, see Move resources to new resource group or subscription.
Move your Azure Automation account to another subscription
2/23/2022 • 4 minutes to read

Azure Automation allows you to move some resources to a new resource group or subscription. You can move
resources through the Azure portal, PowerShell, the Azure CLI, or the REST API. To learn more about the process,
see Move resources to a new resource group or subscription.
The Automation account is one of the resources that you can move. In this article, you'll learn to move
Automation accounts to another resource or subscription. The high-level steps for moving your Automation
account are:
1. Disable your features.
2. Unlink your workspace.
3. Move the Automation account.
4. Delete and re-create the Run As accounts.
5. Re-enable your features.

Remove features
To unlink your workspace from your Automation account, you must remove the feature resources in your
workspace:
Change Tracking and Inventory
Update Management
Start/Stop VMs during off-hours
1. In the Azure portal, locate your resource group.
2. Find each feature, and select Delete on the Delete Resources page.
If you prefer, you can delete the resources by using the Remove-AzResource cmdlet:

# Replace the placeholders with your workspace and resource group names.
$workspaceName = '<myWorkspaceName>'
$resourceGroupName = '<myResourceGroup>'
Remove-AzResource -ResourceType 'Microsoft.OperationsManagement/solutions' -ResourceName "ChangeTracking($workspaceName)" -ResourceGroupName $resourceGroupName
Remove-AzResource -ResourceType 'Microsoft.OperationsManagement/solutions' -ResourceName "Updates($workspaceName)" -ResourceGroupName $resourceGroupName
Remove-AzResource -ResourceType 'Microsoft.OperationsManagement/solutions' -ResourceName "Start-Stop-VM($workspaceName)" -ResourceGroupName $resourceGroupName

Remove alert rules for Start/Stop VMs during off-hours

For Start/Stop VMs during off-hours, you also need to remove the alert rules created by the feature.
1. In the Azure portal, go to your resource group and select Monitoring > Alerts > Manage alert rules.
2. On the Rules page, you should see a list of the alerts configured in that resource group. The feature creates these rules:
  AutoStop_VM_Child
  ScheduledStartStop_Parent
  SequencedStartStop_Parent
3. Select the rules one at a time, and select Delete to remove them.

NOTE
If you don't see any alert rules on the Rules page, change the Status field to Disabled to show disabled alerts.

4. When you remove the alert rules, you must remove the action group created for Start/Stop VMs during off-hours notifications. In the Azure portal, select Monitor > Alerts > Manage action groups.
5. Select StartStop_VM_Notification.
6. On the action group page, select Delete.
If you prefer, you can delete your action group by using the Remove-AzActionGroup cmdlet:

Remove-AzActionGroup -ResourceGroupName '<myResourceGroup>' -Name StartStop_VM_Notification

Unlink your workspace

Now you can unlink your workspace:
1. In the Azure portal, select Automation account > Related Resources > Linked workspace.
2. Select Unlink workspace to unlink the workspace from your Automation account.

Move your Automation account

You can now move your Automation account and its runbooks.
1. In the Azure portal, browse to the resource group of your Automation account. Select Move > Move to another subscription.
2. Select the resources in your resource group that you want to move. Ensure that you include your Automation account, runbooks, and Log Analytics workspace resources.

Re-create Run As accounts

Run As accounts create a service principal in Azure Active Directory to authenticate with Azure resources. When you change subscriptions, the Automation account no longer uses the existing Run As account. To re-create the Run As accounts:
1. Go to your Automation account in the new subscription, and select Run as accounts under Account Settings. You'll see that the Run As accounts show as incomplete now.
2. Delete the Run As accounts, one at a time, by selecting Delete on the Properties page.

NOTE
If you don't have permissions to create or view the Run As accounts, you see the following message:
You do not have permissions to create an Azure Run As account (service principal) and grant the Contributor role to the service principal.
For more information, see Permissions required to configure Run As accounts.

3. After you've deleted the Run As accounts, select Create under Azure Run As account.
4. On the Add Azure Run As account page, select Create to create the Run As account and service principal.
5. Repeat the steps above with the Azure Classic Run As account.

Enable features
After you re-create the Run As accounts, you must re-enable the features that you removed before the move:
1. To turn on Change Tracking and Inventory, select Change Tracking and Inventory in your Automation account. Choose the Log Analytics workspace that you moved over, and select Enable.
2. Repeat step 1 for Update Management.
3. Machines that are enabled with your features are visible when you've connected the existing Log Analytics workspace. To turn on the Start/Stop VMs during off-hours feature, you must re-enable it. Under Related Resources, select Start/Stop VMs > Learn more about and enable the solution > Create to start the deployment.
4. On the Add Solution page, choose your Log Analytics workspace and Automation account.
5. Configure the feature as described in Start/Stop VMs during off-hours overview.

Verify the move

When the move is complete, verify that the capabilities listed below are enabled.
CAPABILITY  TESTS  TROUBLESHOOTING
Runbooks: a runbook can successfully run and connect to Azure resources. Troubleshooting: Troubleshoot runbooks.
Source control: you can run a manual sync on your source control repository. Troubleshooting: Source control integration.
Change tracking and inventory: verify that you see current inventory data from your machines. Troubleshooting: Troubleshoot change tracking.
Update management: verify that you see your machines and that they're healthy. Run a test software update deployment. Troubleshooting: Troubleshoot update management.
Shared resources: verify that you see all your shared resources, such as credentials and variables.

Next steps
To learn about moving resources in Azure, see Move resources in Azure.
Move guidance for Classic deployment model resources
2/23/2022 • 2 minutes to read

The steps to move resources deployed through the classic model differ based on whether you're moving the
resources within a subscription or to a new subscription.

Move in the same subscription

When moving resources from one resource group to another resource group within the same subscription, the
following restrictions apply:
Virtual networks (classic) can't be moved.
Virtual machines (classic) must be moved with the cloud service.
Cloud service can only be moved when the move includes all its virtual machines.
Only one cloud service can be moved at a time.
Only one storage account (classic) can be moved at a time.
Storage account (classic) can't be moved in the same operation with a virtual machine or a cloud service.
To move classic resources to a new resource group within the same subscription, use the standard move
operations through the portal, Azure PowerShell, Azure CLI, or REST API. You use the same operations as you
use for moving Resource Manager resources.

Move across subscriptions

When moving resources to a new subscription, the following restrictions apply:
All classic resources in the subscription must be moved in the same operation.
The target subscription must not have any other classic resources.
The move can only be requested through a separate REST API for classic moves. The standard Resource
Manager move commands don't work when moving classic resources to a new subscription.
To move classic resources to a new subscription, use the REST operations that are specific to classic resources. To use REST, do the following steps:
1. Check if the source subscription can participate in a cross-subscription move. Use the following operation:

POST https://management.azure.com/subscriptions/{sourceSubscriptionId}/providers/Microsoft.ClassicCompute/validateSubscriptionMoveAvailability?api-version=2016-04-01

In the request body, include:

{
  "role": "source"
}

The response for the validation operation is in the following format:

{
  "status": "{status}",
  "reasons": [
    "reason1",
    "reason2"
  ]
}

2. Check if the destination subscription can participate in a cross-subscription move. Use the following operation:

POST https://management.azure.com/subscriptions/{destinationSubscriptionId}/providers/Microsoft.ClassicCompute/validateSubscriptionMoveAvailability?api-version=2016-04-01

In the request body, include:

{
  "role": "target"
}

The response is in the same format as the source subscription validation.

3. If both subscriptions pass validation, move all classic resources from one subscription to another subscription with the following operation:

POST https://management.azure.com/subscriptions/{subscription-id}/providers/Microsoft.ClassicCompute/moveSubscriptionResources?api-version=2016-04-01

In the request body, include:

{
  "target": "/subscriptions/{target-subscription-id}"
}

The operation may run for several minutes.
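The three calls above form one procedure: validate the source, validate the target, and only then request the move, because the move is irreversible for the whole set of classic resources and must never be sent for a pair of subscriptions that failed validation. The script below walks that sequence end to end. It is an added example, not Microsoft's code. HTTP goes through an injectable `post(url, body) -> (status, json)` callable: `make_arm_post` does real requests with a bearer token the caller obtained elsewhere, and `make_fake_post` returns constructed responses so the flow can be exercised offline. Two assumptions are marked in the code: the page shows only the shape of the validation response, so a `status` other than `Succeeded` is treated as blocking; and the long-running move is assumed to be acknowledged with HTTP 200 or 202. The subscription ids at the bottom and the reason text in the fake are placeholders.

```python
"""Cross-subscription move of classic resources using the three REST calls
described in the steps above. Added example, not Microsoft's code."""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

ARM = "https://management.azure.com"
API_VERSION = "2016-04-01"  # the api-version used in the steps above

# post(url, body) -> (http_status, parsed_json)
PostFn = Callable[[str, Dict], Tuple[int, Dict]]


def validation_url(subscription_id: str) -> str:
    return (f"{ARM}/subscriptions/{subscription_id}/providers/Microsoft.ClassicCompute/"
            f"validateSubscriptionMoveAvailability?api-version={API_VERSION}")


def move_url(source_subscription_id: str) -> str:
    return (f"{ARM}/subscriptions/{source_subscription_id}/providers/Microsoft.ClassicCompute/"
            f"moveSubscriptionResources?api-version={API_VERSION}")


def validate_subscription(post: PostFn, subscription_id: str, role: str) -> List[str]:
    """Return the blocking reasons for one subscription; an empty list means it
    can take part. `role` is "source" or "target", the two values the steps use."""
    if role not in ("source", "target"):
        raise ValueError("role must be 'source' or 'target'")
    status, body = post(validation_url(subscription_id), {"role": role})
    if status != 200:
        return [f"HTTP {status} from validateSubscriptionMoveAvailability"]
    # Assumption: the page shows only the response shape
    # {"status": ..., "reasons": [...]}; any status other than "Succeeded"
    # is treated here as blocking and its reasons are surfaced.
    if str(body.get("status", "")).lower() != "succeeded":
        return list(body.get("reasons") or [f"validation status {body.get('status')!r}"])
    return []


def move_classic_resources(post: PostFn, source_sub: str, target_sub: str) -> Dict:
    """Run the whole procedure, stopping at the first failed validation so the
    move is never requested for subscriptions that can't participate."""
    for sub, role in ((source_sub, "source"), (target_sub, "target")):
        reasons = validate_subscription(post, sub, role)
        if reasons:
            return {"moved": False, "failed_role": role, "reasons": reasons}
    status, body = post(move_url(source_sub), {"target": f"/subscriptions/{target_sub}"})
    # The move "may run for several minutes". Assumption: ARM acknowledges the
    # request with 200 or 202; completion has to be checked separately.
    return {"moved": status in (200, 202), "failed_role": None, "reasons": [], "response": body}


def make_arm_post(bearer_token: str) -> PostFn:
    """Real HTTP POST against ARM using the standard library. The token is an
    Azure AD access token obtained elsewhere (for example with
    `az account get-access-token`); it is only placed in the header, never logged."""
    def post(url: str, body: Dict) -> Tuple[int, Dict]:
        req = urllib.request.Request(
            url, data=json.dumps(body).encode(), method="POST",
            headers={"Authorization": f"Bearer {bearer_token}",
                     "Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req) as resp:
                raw = resp.read()
                return resp.status, (json.loads(raw) if raw else {})
        except urllib.error.HTTPError as err:
            raw = err.read()
            try:
                return err.code, (json.loads(raw) if raw else {})
            except ValueError:
                return err.code, {"raw": raw.decode(errors="replace")}
    return post


def make_fake_post(blocked_subscription: Optional[str] = None) -> PostFn:
    """Constructed stand-in for make_arm_post so the flow runs offline; every
    call is recorded on post.calls. The reason text is made up."""
    calls: List[Tuple[str, Dict]] = []

    def post(url: str, body: Dict) -> Tuple[int, Dict]:
        calls.append((url, body))
        if "validateSubscriptionMoveAvailability" in url:
            if blocked_subscription and blocked_subscription in url:
                return 200, {"status": "Failed",
                             "reasons": ["subscription has classic resources pending deletion"]}
            return 200, {"status": "Succeeded", "reasons": []}
        return 202, {"operation": "accepted"}

    post.calls = calls  # type: ignore[attr-defined]
    return post


if __name__ == "__main__":
    SRC = "11111111-1111-1111-1111-111111111111"  # placeholder source subscription id
    DST = "22222222-2222-2222-2222-222222222222"  # placeholder target subscription id
    print(move_classic_resources(make_fake_post(), SRC, DST))
    print(move_classic_resources(make_fake_post(blocked_subscription=DST), SRC, DST))
```

Against a real tenant, replace `make_fake_post()` with `make_arm_post(token)`; the caller's token needs rights on both subscriptions, and a non-empty `reasons` list from either validation is the signal to stop and fix the subscription rather than retry the move.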

Next steps
If you have trouble moving classic resources, contact Support.
For commands to move resources, see Move resources to new resource group or subscription.
Move guidance for networking resources
2/23/2022 • 2 minutes to read

This article describes how to move virtual networks and other networking resources for specific scenarios.
During the move, your networking resources will operate without interruption.

Dependent resources

NOTE
VPN Gateways associated with Public IP Standard SKU addresses currently can't be moved between resource groups or subscriptions.

When moving a resource, you must also move its dependent resources (for example, public IP addresses, virtual network gateways, and all associated connection resources). Local network gateways can be in a different resource group.
To move a virtual machine with a network interface card to a new subscription, you must move all dependent resources. Move the virtual network for the network interface card, all other network interface cards for the virtual network, and the VPN gateways.
For more information, see Scenario for move across subscriptions.

Peered virtual network

To move a peered virtual network, you must first disable the virtual network peering. Once disabled, you can
move the virtual network. After the move, reenable the virtual network peering.

Subnet links
You can't move a virtual network to a different subscription if the virtual network contains a subnet with
resource navigation links. For example, if an Azure Cache for Redis resource is deployed into a subnet, that
subnet has a resource navigation link.

Next steps
For commands to move resources, see Move resources to new resource group or subscription.
Move a Recovery Services vault across Azure Subscriptions and Resource Groups
2/23/2022 • 15 minutes to read

This article explains how to move a Recovery Services vault configured for Azure Backup across Azure
subscriptions, or to another resource group in the same subscription. You can use the Azure portal or
PowerShell to move a Recovery Services vault.

Supported regions
All public regions and sovereign regions are supported, except France South, France Central, Germany
Northeast and Germany Central.

Prerequisites for moving Recovery Services vault

During a vault move across resource groups, both the source and target resource groups are locked, preventing write and delete operations. For more information, see this article.
Only the subscription admin has permissions to move a vault.
For moving vaults across subscriptions, the target subscription must reside in the same tenant as the source subscription and its state must be enabled. To move a vault to a different Azure AD, see Transfer subscription to a different directory and Recovery Service vault FAQs.
You must have permission to perform write operations on the target resource group.
Moving the vault only changes the resource group. The Recovery Services vault stays in the same location, which can't be changed.
You can move only one Recovery Services vault, per region, at a time.
If a VM doesn't move with the Recovery Services vault across subscriptions, or to a new resource group, the current VM recovery points remain intact in the vault until they expire.
Whether the VM is moved with the vault or not, you can always restore the VM from the retained backup history in the vault.
Azure Disk Encryption requires that the key vault and VMs reside in the same Azure region and subscription.
To move a virtual machine with managed disks, see this article.
The options for moving resources deployed through the Classic model differ depending on whether you're moving the resources within a subscription, or to a new subscription. For more information, see this article.
Backup policies defined for the vault are retained after the vault moves across subscriptions or to a new resource group.
You can only move a vault that contains any of the following types of backup items. Any backup items of types not listed below must be stopped and their data permanently deleted before moving the vault.
  Azure Virtual Machines
  Microsoft Azure Recovery Services (MARS) Agent
  Microsoft Azure Backup Server (MABS)
  Data Protection Manager (DPM)
If you move a vault containing VM backup data across subscriptions, you must move your VMs to the same subscription, and use the same target VM resource group name (as it was in the old subscription) to continue backups.
NOTE
Moving Recovery Services vaults for Azure Backup across Azure regions isn't supported.

If you've configured any VMs (Azure IaaS, Hyper-V, VMware) or physical machines for disaster recovery using Azure Site Recovery, the move operation will be blocked. If you want to move vaults for Azure Site Recovery, review this article to learn about moving vaults manually.

Use Azure portal to move Recovery Services vault to a different resource group

To move a Recovery Services vault and its associated resources to a different resource group:
1. Sign in to the Azure portal.
2. Open the list of Recovery Services vaults and select the vault you want to move. When the vault dashboard opens, it appears as shown in the following image.
If you don't see the Essentials information for your vault, select the drop-down icon. You should now see the Essentials information for your vault.
3. In the vault overview menu, select change next to the Resource group, to open the Move resources pane.
4. In the Move resources pane, for the selected vault it's recommended to move the optional related resources by selecting the checkbox as shown in the following image.
5. To add the target resource group, in the Resource group drop-down list, select an existing resource group or select the create a new group option.
6. After adding the resource group, confirm the I understand that tools and scripts associated with moved resources will not work until I update them to use new resource IDs option and then select OK to complete moving the vault.

Use Azure portal to move Recovery Services vault to a different


subscription
You can move a Recovery Services vault and its associated resources to a different subscription
1. Sign in to the Azure portal.
2. Open the list of Recovery Services vaults and select the vault you want to move. When the vault
dashboard opens, it appears as shown the following image.
If you don't see the Essentials information for your vault, select the drop-down icon. You should now see
the Essentials information for your vault.

3. In the vault overview menu, select change next to Subscription , to open the Move resources pane.

4. Select the resources to be moved, here we recommend you to use the Select All option to select all the
listed optional resources.
5. Select the target subscription from the Subscription drop-down list, where you want the vault to be
moved.
6. To add the target resource group, in the Resource group drop-down list, select an existing resource
group or select the create a new group option.

7. Select the I understand that tools and scripts associated with moved resources will not work
until I update them to use new resource IDs option to confirm, and then select OK.

NOTE
Cross-subscription backup (the RS vault and the protected VMs are in different subscriptions) isn't a supported scenario. Also,
the storage redundancy option can't be changed from locally redundant storage (LRS) to geo-redundant storage (GRS), or
vice versa, during the vault move operation.

Use Azure portal to back up resources in Recovery Services vault after moving across regions
Azure Resource Mover supports the movement of multiple resources across regions. While moving your
resources from one region to another, you can ensure that your resources stay protected. As Azure Backup
supports protection of several workloads, you may need to take some steps to continue having the same level
of protection in the new region.
To understand the detailed steps to achieve this, refer to the sections below.

NOTE
Azure Backup currently doesn’t support the movement of backup data from one Recovery Services vault to another. To
protect your resource in the new region, the resource needs to be registered and backed up to a new/existing vault in
the new region. When moving your resources from one region to another, backup data in your existing Recovery
Services vaults in the older region can be retained/deleted based on your requirement. If you choose to retain data in
the old vaults, you will incur backup charges accordingly.
After the resource move, to ensure continued security for backed-up resources in a vault that was configured with
Multi-User Authorization (MUA), the destination vault should be configured with MUA using a Resource Guard in the
destination region. This is because the Resource Guard and the vault must be located in the same region; therefore,
the Resource Guard for the source vault can't be used to enable MUA on the destination vault.
Back up Azure Virtual Machine after moving across regions
When an Azure Virtual Machine (VM) that’s been protected by a Recovery Services vault is moved from one
region to another, it can no longer be backed up to the older vault. The backups in the old vault will start failing
with the errors BCMV2VMNotFound or ResourceNotFound. For information on how to protect your VMs in
the new region, see the following sections.
Prepare to move Azure VMs
Before you move a VM, ensure the following prerequisites are met:
1. See the prerequisites associated with VM move and ensure that the VM is eligible for move.
2. Select the VM on the Backup Items tab of the existing vault's dashboard and select Stop protection, followed
by retain/delete data as per your requirement. When backup for a VM is stopped with retain data, the
recovery points remain forever and don't adhere to any policy. This ensures you always have your backup
data ready for restore.

NOTE
Retaining data in the older vault will incur backup charges. If you no longer wish to retain data to avoid billing, you
need to delete the retained backup data using the Delete data option.

3. Ensure that the VMs are turned on, and that all VM disks that need to be available in the destination region
are attached and initialized in the VMs.
4. Ensure that VMs have the latest trusted root certificates, and an updated certificate revocation list (CRL). To
do so:
On Windows VMs, install the latest Windows updates.
On Linux VMs, refer to distributor guidance to ensure that machines have the latest certificates and
CRL.
5. Allow outbound connectivity from VMs:
If you're using a URL-based firewall proxy to control outbound connectivity, allow access to these
URLs.
If you're using network security group (NSG) rules to control outbound connectivity, create these
service tag rules.
Move Azure VMs
Move your VM to the new region using Azure Resource Mover.
Protect Azure VMs using Azure Backup
Start protecting your VM in a new or existing Recovery Services vault in the new region. When you need to
restore from your older backups, you can still do it from your old Recovery Services vault if you had chosen to
retain the backup data.
The above steps should help ensure that your resources are being backed up in the new region as well.
Back up Azure File Share after moving across regions
Azure Backup offers a snapshot management solution for Azure Files today. This means you don't move the
file share data into the Recovery Services vault. Also, because the snapshots don't move with your Storage
Account, all your backups (snapshots) effectively remain in the existing region only, protected by the
existing vault. However, if you move your Storage Accounts along with the file shares across regions, or create
new file shares in the new region, see the following sections to ensure that they're protected by Azure
Backup.
Prepare to move Azure File Share
Before you move the Storage Account, ensure the following prerequisites are met:
1. See the prerequisites to move Storage Account.
2. Export and modify a Resource Move template. For more information, see Prepare Storage Account for region
move.
Move Azure File Share
To move your Storage Accounts along with the Azure File Shares in them from one region to another, see Move
an Azure Storage account to another region.

NOTE
When Azure File Share is copied across regions, its associated snapshots don’t move along with it. In order to move the
snapshots data to the new region, you need to move the individual files and directories of the snapshots to the Storage
Account in the new region using AzCopy.

Protect Azure File share using Azure Backup
Start protecting the Azure File Share copied into the new Storage Account in a new or existing Recovery Services
vault in the new region.
Once the Azure File Share is copied to the new region, you can choose to stop protection and retain/delete the
snapshots (and the corresponding recovery points) of the original Azure File Share as per your requirement.
This can be done by selecting your file share on the Backup Items tab of the original vault’s dashboard. When
the backup data for Azure File Share is stopped with retain data, the recovery points remain forever and don’t
adhere to any policy.
This ensures that you will always have your snapshots ready for restore from the older vault.
Back up SQL Server/SAP HANA in Azure VM after moving across regions
When you move a VM running SQL or SAP HANA servers to another region, the SQL and SAP HANA databases
in those VMs can no longer be backed up in the vault of the earlier region. To protect the SQL and SAP HANA
servers running in Azure VM in the new region, see the following sections.
Prepare to move SQL Server/SAP HANA in Azure VM
Before you move SQL Server/SAP HANA running in a VM to a new region, ensure the following prerequisites
are met:
1. See the prerequisites associated with VM move and ensure that the VM is eligible for move.
2. Select the VM on the Backup Items tab of the existing vault's dashboard and select the databases for which
backup needs to be stopped. Select Stop protection, followed by retain/delete data as per your requirement.
When backup is stopped with retain data, the recovery points remain forever and don't adhere to
any policy. This ensures that you always have your backup data ready for restore.

NOTE
Retaining data in the older vault will incur backup charges. If you no longer wish to retain data to avoid billing, you
need to delete the retained backup data using the Delete data option.

3. Ensure that the VMs to be moved are turned on, and that all VM disks that need to be available in the destination
region are attached and initialized in the VMs.
4. Ensure that VMs have the latest trusted root certificates, and an updated certificate revocation list (CRL). To
do so:
On Windows VMs, install the latest Windows updates.
On Linux VMs, refer to the distributor guidance and ensure that machines have the latest certificates
and CRL.
5. Allow outbound connectivity from VMs:
If you're using a URL-based firewall proxy to control outbound connectivity, allow access to these
URLs.
If you're using network security group (NSG) rules to control outbound connectivity, create these
service tag rules.
Move SQL Server/SAP HANA in Azure VM
Move your VM to the new region using Azure Resource Mover.
Protect SQL Server/SAP HANA in Azure VM using Azure Backup
Start protecting the VM in a new/existing Recovery Services vault in the new region. When you need to restore
from your older backups, you can still do it from your old Recovery Services vault.
The above steps should help ensure that your resources are being backed up in the new region as well.

Use PowerShell to move Recovery Services vault
To move a Recovery Services vault to another resource group, use the Move-AzureRmResource cmdlet.
Move-AzureRmResource requires the resource name and type of resource; both are carried in the resource ID
returned by the Get-AzureRmRecoveryServicesVault cmdlet.

$destinationRG = "<destinationResourceGroupName>"
$vault = Get-AzureRmRecoveryServicesVault -Name "<vaultname>" -ResourceGroupName "<vaultRGname>"
Move-AzureRmResource -DestinationResourceGroupName $destinationRG -ResourceId $vault.ID

To move the resources to a different subscription, include the -DestinationSubscriptionId parameter.

Move-AzureRmResource -DestinationSubscriptionId "<destinationSubscriptionID>" -DestinationResourceGroupName $destinationRG -ResourceId $vault.ID

After executing the above cmdlets, you'll be asked to confirm that you want to move the specified resources.
Type Y to confirm. After a successful validation, the resource moves.

Use CLI to move Recovery Services vault
To move a Recovery Services vault to another resource group, use the following command:

az resource move --destination-group <destinationResourceGroupName> --ids <VaultResourceID>

To move to a new subscription, provide the --destination-subscription-id parameter.

Post migration
1. Set/verify the access controls for the resource groups.
2. The Backup reporting and monitoring feature needs to be configured again for the vault after the move
completes. The previous configuration will be lost during the move operation.

Move an Azure virtual machine to a different recovery service vault
If you want to move an Azure virtual machine that has backup enabled, then you have two choices. They depend
on your business requirements:
Don’t need to preserve previous backed-up data
Must preserve previous backed-up data
Don’t need to preserve previous backed-up data
To protect workloads in a new vault, the current protection and data must be deleted in the old vault and
backup configured again.

WARNING
The following operation is destructive and can't be undone. All backup data and backup items associated with the
protected server will be permanently deleted. Proceed with caution.

Stop and delete current protection on the old vault:
1. Disable soft delete in the vault properties. Follow these steps to disable soft delete.
2. Stop protection and delete backups from the current vault. In the Vault dashboard menu, select Backup
Items. Items listed here that need to be moved to the new vault must be removed along with their
backup data. See how to delete protected items in the cloud and delete protected items on premises.
3. If you're planning to move AFS (Azure file shares), SQL servers or SAP HANA servers, then you'll also
need to unregister them. In the vault dashboard menu, select Backup Infrastructure. See how to
unregister the SQL server, unregister a storage account associated with Azure file shares, and unregister
an SAP HANA instance.
4. Once they're removed from the old vault, continue to configure the backups for your workload in the new
vault.
Must preserve previous backed-up data
If you need to keep the current protected data in the old vault and continue the protection in a new vault, there
are limited options for some of the workloads:
For MARS, you can stop protection with retain data and register the agent in the new vault.
Azure Backup service will continue to retain all the existing recovery points of the old vault.
You'll need to pay to keep the recovery points in the old vault.
You'll be able to restore the backed-up data only for unexpired recovery points in the old vault.
A new initial replica of the data will need to be created on the new vault.
For an Azure VM, you can stop protection with retain data for the VM in the old vault, move the VM to
another resource group, and then protect the VM in the new vault. See guidance and limitations for
moving a VM to another resource group.
A VM can be protected in only one vault at a time. However, the VM in the new resource group can be
protected on the new vault as it's considered a different VM.
Azure Backup service will retain the recovery points that have been backed up on the old vault.
You'll need to pay to keep the recovery points in the old vault (see Azure Backup pricing for details).
You'll be able to restore the VM, if needed, from the old vault.
The first backup on the new vault of the VM in the new resource will be an initial replica.

Next steps
You can move many different types of resources between resource groups and subscriptions.
For more information, see Move resources to new resource group or subscription.
Move guidance for virtual machines
2/23/2022 • 4 minutes to read

This article describes the scenarios that aren't currently supported and the steps to move virtual machines with
backup.

Scenarios not supported
The following scenarios aren't yet supported:
Virtual Machine Scale Sets with Standard SKU Load Balancer or Standard SKU Public IP can't be moved.
Virtual machines in an existing virtual network can be moved to a new subscription only when the virtual
network and all of its dependent resources are also moved.
Virtual machines created from Marketplace resources with plans attached can't be moved across
subscriptions. For a potential workaround, see Virtual machines with Marketplace plans.
Low-priority virtual machines and low-priority virtual machine scale sets can't be moved across resource
groups or subscriptions.
Virtual machines in an availability set can't be moved individually.

Azure disk encryption
You can't move a virtual machine that is integrated with a key vault to implement Azure Disk Encryption for
Linux VMs or Azure Disk Encryption for Windows VMs. To move the VM, you must disable encryption.
Azure CLI

az vm encryption disable --resource-group demoRG --name myVm1 --volume-type all

Virtual machines with Marketplace plans
Virtual machines created from Marketplace resources with plans attached can't be moved across subscriptions.
To work around this limitation, you can de-provision the virtual machine in the current subscription, and deploy
it again in the new subscription. The following steps help you recreate the virtual machine in the new
subscription. However, they might not work for all scenarios. If the plan is no longer available in the Marketplace,
these steps won't work.
1. Get information about the plan.
Azure CLI

az vm show --resource-group demoRG --name myVm1 --query plan

2. Check that the offering still exists in the Marketplace.
Azure CLI

az vm image list-skus --publisher Fabrikam --offer LinuxServer --location centralus

3. Either clone the OS disk to the destination subscription, or move the original disk after deleting the
virtual machine from source subscription.
4. In the destination subscription, accept the Marketplace terms for your plan. You can accept the terms by
running the following command:
Azure CLI

az vm image terms accept --publisher {publisher} --offer {product/offer} --plan {name/SKU}

Or, you can create a new instance of a virtual machine with the plan through the portal. You can delete
the virtual machine after accepting the terms in the new subscription.
5. In the destination subscription, recreate the virtual machine from the cloned OS disk using PowerShell,
CLI, or an Azure Resource Manager template. Include the marketplace plan that's attached to the disk. The
information about the plan should match the plan you purchased in the new subscription. For more
information, see Create the VM.
For more information, see Move a Marketplace Azure Virtual Machine to another subscription.

Virtual machines with Azure Backup
To move virtual machines configured with Azure Backup, you must delete the restore points collections
(snapshots) from the vault. Restore points already copied to the vault can be retained and moved.
If soft delete is enabled for your virtual machine, you can't move the virtual machine while those restore points
are kept. Either disable soft delete or wait 14 days after deleting the restore points.
Portal
1. Temporarily stop the backup and keep backup data.
2. To move virtual machines configured with Azure Backup, do the following steps:
a. Find the location of your virtual machine.
b. Find a resource group with the following naming pattern: AzureBackupRG_<VM location>_1. For
example, the name is in the format of AzureBackupRG_westus2_1.
c. In the Azure portal, check Show hidden types.
d. Find the resource with type Microsoft.Compute/restorePointCollections that has the naming
pattern AzureBackup_<VM name>_###########.
e. Delete this resource. This operation deletes only the instant recovery points, not the backed-up data in
the vault.
f. After the delete operation is complete, you can move your virtual machine.
3. Move the VM to the target resource group.
4. Reconfigure the backup.
Script
1. Find the location of your virtual machine.
2. Find a resource group with the naming pattern AzureBackupRG_<VM location>_1. For example, the name
might be AzureBackupRG_westus2_1.
3. If you're moving only one virtual machine, get the restore point collection for that virtual machine.

Azure CLI

RESTOREPOINTCOL=$(az resource list -g AzureBackupRG_<VM location>_1 --resource-type Microsoft.Compute/restorePointCollections --query "[?starts_with(name, 'AzureBackup_<VM name>')].id" --output tsv)

Delete this resource. This operation deletes only the instant recovery points, not the backed-up data in
the vault.

Azure CLI

az resource delete --ids $RESTOREPOINTCOL

4. If you're moving all the virtual machines with backups in this location, get the restore point collections
for those virtual machines.

Azure CLI

RESTOREPOINTCOL=$(az resource list -g AzureBackupRG_<VM location>_1 --resource-type Microsoft.Compute/restorePointCollections --query "[].id" --output tsv)

Delete each resource. This operation deletes only the instant recovery points, not the backed-up data in
the vault.
Azure CLI

az resource delete --ids $RESTOREPOINTCOL
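As an added example (not the page's own script), the selection logic behind the az resource list queries above, run in Python over constructed az resource list output. It shows why the page's starts_with(name, 'AzureBackup_<VM name>') prefix filter would also select the collection of a VM whose name merely begins with the same characters, and what a stricter match that follows the AzureBackup_<VM name>_########### pattern returns instead. The subscription GUID, VM names and resource entries are constructed.

```python
import json
import re
from typing import List, Optional

# Constructed placeholder subscription (not a real one).
SUB = "11111111-1111-1111-1111-111111111111"


def backup_resource_group(vm_location: str) -> str:
    """Resource group that holds the instant recovery points for VMs in a location (page's pattern)."""
    return f"AzureBackupRG_{vm_location}_1"


def _entry(rg: str, name: str, rtype: str = "Microsoft.Compute/restorePointCollections") -> dict:
    """Build one entry in the shape az resource list returns (constructed, fields trimmed)."""
    return {
        "id": f"/subscriptions/{SUB}/resourceGroups/{rg}/providers/{rtype}/{name}",
        "name": name,
        "type": rtype,
        "location": "westus2",
        "resourceGroup": rg,
    }


# Constructed sample output of `az resource list -g AzureBackupRG_westus2_1`: collections for
# three VMs, one of which (myVm10) shares the name prefix of myVm1, plus one unrelated
# resource type to exercise the type filter.
RG = backup_resource_group("westus2")
SAMPLE_AZ_RESOURCE_LIST = json.dumps([
    _entry(RG, "AzureBackup_myVm1_12345678901"),
    _entry(RG, "AzureBackup_myVm10_12345678902"),
    _entry(RG, "AzureBackup_dbVm_12345678903"),
    _entry(RG, "unrelated-snapshot", "Microsoft.Compute/snapshots"),
])


def load_sample() -> List[dict]:
    """Parse the constructed az output the way a script would parse real az JSON output."""
    return json.loads(SAMPLE_AZ_RESOURCE_LIST)


def naive_prefix_ids(resources: List[dict], vm_name: str) -> List[str]:
    """The page's JMESPath filter, starts_with(name, 'AzureBackup_<VM name>'), applied in Python."""
    return [r["id"] for r in resources
            if r["type"] == "Microsoft.Compute/restorePointCollections"
            and r["name"].startswith(f"AzureBackup_{vm_name}")]


def restore_point_collection_ids(resources: List[dict], vm_name: Optional[str] = None) -> List[str]:
    """IDs of the restore point collections to delete before the move.

    With vm_name=None every collection in the group is selected (the "all VMs" step). With a VM
    name, only collections named exactly AzureBackup_<vm_name>_<digits> match, so myVm1 never
    selects myVm10's collection. Only restorePointCollections are ever returned: deleting them
    removes instant recovery points, not the backed-up data in the vault.
    """
    if vm_name is None:
        pattern = re.compile(r"AzureBackup_.+_\d+", re.IGNORECASE)
    else:
        pattern = re.compile(rf"AzureBackup_{re.escape(vm_name)}_\d+", re.IGNORECASE)
    return [r["id"] for r in resources
            if r["type"].lower() == "microsoft.compute/restorepointcollections"
            and pattern.fullmatch(r["name"])]


def az_delete_command(ids: List[str]) -> str:
    """The az resource delete line the page runs, with the selected IDs filled in."""
    return "az resource delete --ids " + " ".join(ids)


if __name__ == "__main__":
    res = load_sample()
    print("naive prefix match for myVm1:", naive_prefix_ids(res, "myVm1"))
    print("exact match for myVm1:", restore_point_collection_ids(res, "myVm1"))
    print(az_delete_command(restore_point_collection_ids(res)))
```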

Next steps
For commands to move resources, see Move resources to new resource group or subscription.
For information about moving Recovery Service vaults for backup, see Recovery Services limitations.
How to move Azure API Management across regions
2/23/2022 • 2 minutes to read

This article describes how to move an API Management instance to a different Azure region. You might move
your instance to another region for many reasons. For example:
Locate your instance closer to your API consumers
Deploy features available in specific regions only
Meet internal policy and governance requirements
To move API Management instances from one Azure region to another, use the service's backup and restore
operations. You can use a different API Management instance name or the existing name.

NOTE
API Management also supports multi-region deployment, which distributes a single Azure API management service
across multiple Azure regions. Multi-region deployment helps reduce request latency perceived by geographically
distributed API consumers and improves service availability if one region goes offline.

Availability
IMPORTANT
This feature is available in the Premium, Standard, Basic, and Developer tiers of API Management.

Considerations
Choose the same API Management pricing tier in the source and target regions.
Backup and restore won't work when migrating between different cloud types. For that scenario, export the
resource as a template. Then, adapt the exported template for the target Azure region and re-create the
resource.

Prerequisites
Review requirements and limitations of the API Management backup and restore operations.
See What is not backed up. Record settings and data that you will need to recreate manually after moving the
instance.
Create a storage account in the source region. You will use this account to back up the source instance.

Prepare and move
Option 1: Use a different API Management instance name
1. In the target region, create a new API Management instance with the same pricing tier as the source API
Management instance. Use a different name for the new instance.
2. Back up the existing API Management instance to the storage account.
3. Restore the source instance's backup to the new API Management instance.
4. If you have a custom domain pointing to the source region API Management instance, update the custom
domain CNAME to point to the new API Management instance.
Option 2: Use the same API Management instance name

WARNING
This option deletes the original API Management instance and results in downtime during the migration. Ensure that you
have a valid backup before deleting the source instance.

1. Back up the existing API Management instance to the storage account.
2. Delete the API Management instance in the source region.
3. Create a new API Management instance in the target region with the same name as the one in the source
region.
4. Restore the source instance's backup to the new API Management instance in the target region.

Verify
1. Ensure that the restore operation completes successfully before accessing your API Management instance in
the target region.
2. Configure settings that aren't automatically moved during the restore operation, for example: virtual network
configuration, managed identities, developer portal content, and custom domain and custom CA certificates.
3. Access your API Management endpoints in the target region. For example, test your APIs, or access the
developer portal.

Clean up source resources
If you moved the API Management instance using Option 1, after you successfully restore and configure the
target instance, you may delete the source instance.

Next steps
For more information about the backup and restore feature, see how to implement disaster recovery.
For information on migrating Azure resources, see Azure cross-region migration guidance.
Optimize and save on your cloud spending.
Move an App Service resource to another region
2/23/2022 • 2 minutes to read

This article describes how to move App Service resources to a different Azure region. You might move your
resources to another region for a number of reasons. For example, to take advantage of a new Azure region, to
deploy features or services available in specific regions only, to meet internal policy and governance
requirements, or in response to capacity planning requirements.
App Service resources are region-specific and can't be moved across regions. You must create a copy of your
existing App Service resources in the target region, then move your content over to the new app. If your source
app uses a custom domain, you can migrate it to the new app in the target region when you're finished.
To make copying your app easier, you can clone an individual App Service app into an App Service plan in
another region, but cloning has limitations, most notably that it doesn't support Linux apps.

Prerequisites
Make sure that the App Service app is in the Azure region from which you want to move.
Make sure that the target region supports App Service and any related service, whose resources you want to
move.

Prepare
Identify all the App Service resources that you're currently using. For example:
App Service apps
App Service plans
Deployment slots
Custom domains purchased in Azure
TLS/SSL certificates
Azure Virtual Network integration
Hybrid connections
Managed identities
Backup settings
Certain resources, such as imported certificates or hybrid connections, contain integration with other Azure
services. For information on how to move those resources across regions, see the documentation for the
respective services.

Move
1. Create a backup of the source app.
2. Create an app in a new App Service plan, in the target region.
3. Restore the backup in the target app.
4. If you use a custom domain, bind it preemptively to the target app with awverify. and enable the domain in
the target app.
5. Configure everything else in your target app to be the same as the source app and verify your configuration.
6. When you're ready for the custom domain to point to the target app, remap the domain name.
Clean up source resources
Delete the source app and App Service plan. An App Service plan in the non-free tier carries a charge, even if no
app is running in it.

Next steps
Azure App Service App Cloning Using PowerShell
Management of Azure Automation data
2/23/2022 • 5 minutes to read

This article contains several topics explaining how data is protected and secured in an Azure Automation
environment.

TLS 1.2 for Azure Automation
To ensure the security of data in transit to Azure Automation, we strongly encourage you to configure the use of
Transport Layer Security (TLS) 1.2. The following is a list of methods or clients that communicate over HTTPS
to the Automation service:
Webhook calls
Hybrid Runbook Workers, which include machines managed by Update Management and Change
Tracking and Inventory.
DSC nodes
Older versions of TLS/Secure Sockets Layer (SSL) have been found to be vulnerable and, while they still currently
work to allow backwards compatibility, they are not recommended. We do not recommend explicitly setting
your agent to only use TLS 1.2 unless it's necessary, as it can break platform-level security features that allow you
to automatically detect and take advantage of newer, more secure protocols as they become available, such as
TLS 1.3.
For information about TLS 1.2 support with the Log Analytics agent for Windows and Linux, which is a
dependency for the Hybrid Runbook Worker role, see Log Analytics agent overview - TLS 1.2.
Platform-specific guidance

Platform/Language | Support | More information
Linux | Linux distributions tend to rely on OpenSSL for TLS 1.2 support. | Check the OpenSSL Changelog to confirm your version of OpenSSL is supported.
Windows 8.0 - 10 | Supported, and enabled by default. | To confirm that you are still using the default settings.
Windows Server 2012 - 2016 | Supported, and enabled by default. | To confirm that you are still using the default settings.
Windows 7 SP1 and Windows Server 2008 R2 SP1 | Supported, but not enabled by default. | See the Transport Layer Security (TLS) registry settings page for details on how to enable.

Data retention
When you delete a resource in Azure Automation, it's retained for many days for auditing purposes before
permanent removal. You can't see or use the resource during this time. This policy also applies to resources that
belong to a deleted Automation account. The retention policy applies to all users and currently can't be
customized. However, if you need to keep data for a longer period, you can forward Azure Automation job data
to Azure Monitor logs.
The following table summarizes the retention policy for different resources.

Data | Policy
Accounts | An account is permanently removed 30 days after a user deletes it.
Assets | An asset is permanently removed 30 days after a user deletes it, or 30 days after a user deletes an account that holds the asset. Assets include variables, schedules, credentials, certificates, Python 2 packages, and connections.
DSC Nodes | A DSC node is permanently removed 30 days after being unregistered from an Automation account using Azure portal or the Unregister-AzAutomationDscNode cmdlet in Windows PowerShell. A node is also permanently removed 30 days after a user deletes the account that holds the node.
Jobs | A job is deleted and permanently removed 30 days after modification, for example, after the job completes, is stopped, or is suspended.
Modules | A module is permanently removed 30 days after a user deletes it, or 30 days after a user deletes the account that holds the module.
Node Configurations/MOF Files | An old node configuration is permanently removed 30 days after a new node configuration is generated.
Node Reports | A node report is permanently removed 90 days after a new report is generated for that node.
Runbooks | A runbook is permanently removed 30 days after a user deletes the resource, or 30 days after a user deletes the account that holds the resource (1).

(1) The runbook can be recovered within the 30-day window by filing an Azure support incident with Microsoft
Azure Support. Go to the Azure support site and select Submit a support request.

Data backup
When you delete an Automation account in Azure, all objects in the account are deleted. The objects include
runbooks, modules, configurations, settings, jobs, and assets. They can't be recovered after the account is
deleted. You can use the following information to back up the contents of your Automation account before
deleting it.
Runbooks
You can export your runbooks to script files using either the Azure portal or the
Get-AzureAutomationRunbookDefinition cmdlet in Windows PowerShell. You can import these script files into
another Automation account, as discussed in Manage runbooks in Azure Automation.
Integration modules
You can't export integration modules from Azure Automation; they have to be made available outside of the
Automation account.
Assets
You can't export Azure Automation assets: certificates, connections, credentials, schedules, and variables. Instead,
you can use the Azure portal and Azure cmdlets to note the details of these assets. Then use these details to
create any assets that are used by runbooks that you import into another Automation account.
You can't retrieve the values for encrypted variables or the password fields of credentials using cmdlets. If you
don't know these values, you can retrieve them in a runbook. For retrieving variable values, see Variable assets
in Azure Automation. To find out more about retrieving credential values, see Credential assets in Azure
Automation.
DSC configurations
You can export your DSC configurations to script files using either the Azure portal or the
Export-AzAutomationDscConfiguration cmdlet in Windows PowerShell. You can import and use these configurations in
another Automation account.

Geo-replication in Azure Automation
Geo-replication is standard in Azure Automation accounts. You choose a primary region when setting up your
account. The internal Automation geo-replication service assigns a secondary region to the account
automatically. The service then continuously backs up account data from the primary region to the secondary
region. The full list of primary and secondary regions can be found at Cross-region replication in Azure:
Business continuity and disaster recovery.
The backup created by the Automation geo-replication service is a complete copy of Automation assets,
configurations, and the like. This backup can be used if the primary region goes down and loses data. In the
unlikely event that data for a primary region is lost, Microsoft attempts to recover it.

NOTE
Azure Automation stores customer data in the region selected by the customer. For the purpose of BCDR, for all regions
except Brazil South and Southeast Asia, Azure Automation data is stored in a different region (Azure paired region). Only
for the Brazil South (Sao Paulo State) region of Brazil geography and Southeast Asia region (Singapore) of the Asia Pacific
geography, we store Azure Automation data in the same region to accommodate data-residency requirements for these
regions.

The Automation geo-replication service isn't accessible directly to external customers if there is a regional
failure. If you want to maintain Automation configuration and runbooks during regional failures:
1. Select a secondary region to pair with the geographical region of your primary Automation account.
2. Create an Automation account in the secondary region.
3. In the primary account, export your runbooks as script files.
4. Import the runbooks to your Automation account in the secondary region.
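The export/import steps above, as an added PowerShell example that is not part of the original article: it copies every published runbook and DSC configuration from the primary account into a secondary account that already exists, then lists the assets that have to be re-created by hand. The account names, the temporary folder and the RunbookType-to-Type mapping are this example's own assumptions.

```powershell
# Added example (not from the original article): copy published runbooks and DSC
# configurations from a primary Automation account to a pre-created secondary account.
# Requires the Az.Automation module and an authenticated session (Connect-AzAccount).
# All names below are placeholders; replace them with your own values.
$primary   = @{ ResourceGroupName = 'rg-primary';   AutomationAccountName = 'aa-primary-eastus' }
$secondary = @{ ResourceGroupName = 'rg-secondary'; AutomationAccountName = 'aa-secondary-westus' }
$exportDir = Join-Path ([System.IO.Path]::GetTempPath()) 'automation-export'
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null

# Maps the RunbookType reported by Get-AzAutomationRunbook to the -Type value accepted by
# Import-AzAutomationRunbook. Assumption: plain PowerShell runbooks are reported as 'Script';
# any value not in the table is passed through unchanged.
$typeMap = @{
    'Script'                  = 'PowerShell'
    'PowerShell'              = 'PowerShell'
    'PowerShellWorkflow'      = 'PowerShellWorkflow'
    'Graph'                   = 'GraphicalPowerShell'
    'GraphPowerShell'         = 'GraphicalPowerShell'
    'GraphPowerShellWorkflow' = 'GraphicalPowerShellWorkflow'
    'Python2'                 = 'Python2'
    'Python3'                 = 'Python3'
}

# 1. Export every published runbook from the primary account to script files.
$runbooks = Get-AzAutomationRunbook @primary | Where-Object { $_.State -eq 'Published' }
foreach ($rb in $runbooks) {
    Export-AzAutomationRunbook @primary -Name $rb.Name -Slot Published -OutputFolder $exportDir -Force | Out-Null
}

# 2. Import the script files into the secondary account and publish them there.
foreach ($rb in $runbooks) {
    $file = Get-ChildItem -Path $exportDir -Filter "$($rb.Name).*" | Select-Object -First 1
    if (-not $file) { Write-Warning "No exported file found for runbook $($rb.Name)"; continue }
    $rawType = [string]$rb.RunbookType
    $type = if ($typeMap.ContainsKey($rawType)) { $typeMap[$rawType] } else { $rawType }
    Import-AzAutomationRunbook @secondary -Name $rb.Name -Path $file.FullName -Type $type -Published -Force | Out-Null
    Write-Host "Imported runbook $($rb.Name) as $type"
}

# 3. DSC configurations are exported and imported the same way (file name = configuration name).
foreach ($cfg in Get-AzAutomationDscConfiguration @primary) {
    Export-AzAutomationDscConfiguration @primary -Name $cfg.Name -Slot Published -OutputFolder $exportDir -Force | Out-Null
    Import-AzAutomationDscConfiguration @secondary -SourcePath (Join-Path $exportDir "$($cfg.Name).ps1") -Published -Force | Out-Null
    Write-Host "Imported DSC configuration $($cfg.Name)"
}

# 4. Assets are not exported. List them so they can be re-created in the secondary account;
#    encrypted variable values and credential passwords cannot be read back with cmdlets.
Get-AzAutomationVariable   @primary | Select-Object Name, Encrypted
Get-AzAutomationCredential @primary | Select-Object Name, UserName
Get-AzAutomationSchedule   @primary | Select-Object Name, Frequency, IsEnabled
```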

Next steps
To learn more about secure assets in Azure Automation, see Encryption of secure assets in Azure
Automation.
To find out more about geo-replication, see Creating and using active geo-replication.
Back up resources in Recovery Services vault after
moving across regions
2/23/2022 • 6 minutes to read

Azure Resource Mover supports the movement of multiple resources across regions. While moving your
resources from one region to another, you can ensure that your resources stay protected. As Azure Backup
supports protection of several workloads, you may need to take some steps to continue having the same level
of protection in the new region.
To understand the detailed steps to achieve this, refer to the sections below.

NOTE
Azure Backup currently doesn’t support the movement of backup data from one Recovery Services vault to another. To
protect your resource in the new region, the resource needs to be registered and backed up to a new/existing vault in the
new region. When moving your resources from one region to another, backup data in your existing Recovery Services
vaults in the older region can be retained/deleted based on your requirement. If you choose to retain data in the old
vaults, you will incur backup charges accordingly.

Back up Azure Virtual Machine after moving across regions


When an Azure Virtual Machine (VM) that’s been protected by a Recovery Services vault is moved from one
region to another, it can no longer be backed up to the older vault. The backups in the old vault will start failing
with the errors BCMV2VMNotFound or ResourceNotFound. For information on how to protect your VMs in
the new region, see the following sections.
Prepare to move Azure VMs
Before you move a VM, ensure the following prerequisites are met:
1. See the prerequisites associated with VM move and ensure that the VM is eligible for move.
2. Select the VM on the Backup Items tab of existing vault’s dashboard and select Stop protection followed
by retain/delete data as per your requirement. When the backup data for a VM is stopped with retain data,
the recovery points remain forever and don’t adhere to any policy. This ensures you always have your
backup data ready for restore.

NOTE
Retaining data in the older vault will incur backup charges. If you no longer wish to retain data to avoid billing, you
need to delete the retained backup data using the Delete data option.

3. Ensure that the VMs are turned on. All VMs’ disks that need to be available in the destination region are
attached and initialized in the VMs.
4. Ensure that VMs have the latest trusted root certificates, and an updated certificate revocation list (CRL). To
do so:
On Windows VMs, install the latest Windows updates.
On Linux VMs, refer to distributor guidance to ensure that machines have the latest certificates and
CRL.
5. Allow outbound connectivity from VMs:
If you're using a URL-based firewall proxy to control outbound connectivity, allow access to these
URLs.
If you're using network security group (NSG) rules to control outbound connectivity, create these
service tag rules.
Move Azure VMs
Move your VM to the new region using Azure Resource Mover.
Protect Azure VMs using Azure Backup
Start protecting your VM in a new or existing Recovery Services vault in the new region. When you need to
restore from your older backups, you can still do it from your old Recovery Services vault if you had chosen to
retain the backup data.
The above steps should help ensure that your resources are being backed up in the new region as well.

Back up Azure File Share after moving across regions


Azure Backup offers a snapshot management solution for your Azure Files today. This means you don’t move
the file share data into the Recovery Services vaults. Also, because the snapshots don’t move with your Storage
Account, you’ll effectively have all your backups (snapshots) in the existing region only, protected by the
existing vault. However, if you move your Storage Accounts along with the file shares across regions or create
new file shares in the new region, see the following sections to ensure that they are protected by Azure
Backup.
Prepare to move Azure File Share
Before you move the Storage Account, ensure the following prerequisites are met:
1. See the prerequisites to move Storage Account.
2. Export and modify a Resource Move template. For more information, see Prepare Storage Account for region
move.
Move Azure File Share
To move your Storage Accounts along with the Azure File Shares in them from one region to another, see Move
an Azure Storage account to another region.

NOTE
When Azure File Share is copied across regions, its associated snapshots don’t move along with it. In order to move the
snapshots data to the new region, you need to move the individual files and directories of the snapshots to the Storage
Account in the new region using AzCopy.

Protect Azure File share using Azure Backup


Start protecting the Azure File Share copied into the new Storage Account in a new or existing Recovery Services
vault in the new region.
Once the Azure File Share is copied to the new region, you can choose to stop protection and retain/delete the
snapshots (and the corresponding recovery points) of the original Azure File Share as per your requirement.
This can be done by selecting your file share on the Backup Items tab of the original vault’s dashboard. When
the backup data for Azure File Share is stopped with retain data, the recovery points remain forever and don’t
adhere to any policy.
This ensures that you will always have your snapshots ready for restore from the older vault.

Back up SQL Server/SAP HANA in Azure VM after moving across regions


When you move a VM running SQL or SAP HANA servers to another region, the SQL and SAP HANA databases
in those VMs can no longer be backed up in the vault of the earlier region. To protect the SQL and SAP HANA
servers running in Azure VM in the new region, see the following sections.
Prepare to move SQL Server/SAP HANA in Azure VM
Before you move SQL Server/SAP HANA running in a VM to a new region, ensure the following prerequisites
are met:
1. See the prerequisites associated with VM move and ensure that the VM is eligible for move.
2. Select the VM on the Backup Items tab of the existing vault’s dashboard and select the databases for which
backup needs to be stopped. Select Stop protection followed by retain/delete data as per your requirement.
When the backup data is stopped with retain data, the recovery points remain forever and don’t adhere to
any policy. This ensures that you always have your backup data ready for restore.

NOTE
Retaining data in the older vault will incur backup charges. If you no longer wish to retain data to avoid billing, you
need to delete the retained backup data using the Delete data option.

3. Ensure that the VMs to be moved are turned on. All VMs disks that need to be available in the destination
region are attached and initialized in the VMs.
4. Ensure that VMs have the latest trusted root certificates, and an updated certificate revocation list (CRL). To
do so:
On Windows VMs, install the latest Windows updates.
On Linux VMs, refer to the distributor guidance and ensure that machines have the latest certificates
and CRL.
5. Allow outbound connectivity from VMs:
If you're using a URL-based firewall proxy to control outbound connectivity, allow access to these
URLs.
If you're using network security group (NSG) rules to control outbound connectivity, create these
service tag rules.
Move SQL Server/SAP HANA in Azure VM
Move your VM to the new region using Azure Resource Mover.
Protect SQL Server/SAP HANA in Azure VM using Azure Backup
Start protecting the VM in a new/existing Recovery Services vault in the new region. When you need to restore
from your older backups, you can still do it from your old Recovery Services vault.
The above steps should help ensure that your resources are being backed up in the new region as well.
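The stop-protection and re-protect steps of the Azure VM section and the SQL Server/SAP HANA section above, as an added PowerShell example that is not part of the original article. It covers the Azure VM workload; for SQL Server or SAP HANA in a VM the same cmdlets are used with the AzureWorkload backup management type and the MSSQL or SAPHanaDatabase workload type. Vault, resource group and VM names are placeholders.

```powershell
# Added example (not from the original article): stop protection in the old vault while
# retaining recovery points, then, after the VM has been moved with Azure Resource Mover,
# enable protection in a vault in the new region. Requires Az.RecoveryServices and an
# authenticated session. All names are placeholders.
$vmName   = 'vm-app01'
$oldVault = Get-AzRecoveryServicesVault -ResourceGroupName 'rg-eastus' -Name 'rsv-eastus'
$newVault = Get-AzRecoveryServicesVault -ResourceGroupName 'rg-westus' -Name 'rsv-westus'
$movedVmResourceGroup = 'rg-westus'   # resource group of the VM after the move

# --- Before the move: stop protection but keep the data in the old vault ---
$container = Get-AzRecoveryServicesBackupContainer -ContainerType AzureVM -FriendlyName $vmName -VaultId $oldVault.ID
if (-not $container) { throw "VM $vmName is not registered in vault $($oldVault.Name)." }
$item = Get-AzRecoveryServicesBackupItem -Container $container -WorkloadType AzureVM -VaultId $oldVault.ID

# Without -RemoveRecoveryPoints the recovery points are retained (and still billed) and no
# longer expire under the policy; add -RemoveRecoveryPoints to delete them instead.
Disable-AzRecoveryServicesBackupProtection -Item $item -VaultId $oldVault.ID -Force

# --- After the move: protect the VM in the new region's vault ---
$policy = Get-AzRecoveryServicesBackupProtectionPolicy -Name 'DefaultPolicy' -VaultId $newVault.ID
Enable-AzRecoveryServicesBackupProtection -Policy $policy -Name $vmName `
    -ResourceGroupName $movedVmResourceGroup -VaultId $newVault.ID

# Run the first backup in the new vault and fail loudly if it does not complete.
$newContainer = Get-AzRecoveryServicesBackupContainer -ContainerType AzureVM -FriendlyName $vmName -VaultId $newVault.ID
$newItem = Get-AzRecoveryServicesBackupItem -Container $newContainer -WorkloadType AzureVM -VaultId $newVault.ID
$job = Backup-AzRecoveryServicesBackupItem -Item $newItem -VaultId $newVault.ID
$job = Wait-AzRecoveryServicesBackupJob -Job $job -VaultId $newVault.ID -Timeout 7200
if ($job.Status -ne 'Completed') { throw "First backup in $($newVault.Name) ended with status $($job.Status)." }

# Failed jobs in the old vault with BCMV2VMNotFound or ResourceNotFound are expected after the
# move; anything else listed here deserves a look.
Get-AzRecoveryServicesBackupJob -Status Failed -VaultId $oldVault.ID -From (Get-Date).AddDays(-1).ToUniversalTime() |
    Select-Object WorkloadName, Operation, Status, ErrorDetails
```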
Move an Azure Batch account to another region
2/23/2022 • 4 minutes to read

There are scenarios where you might want to move an existing Azure Batch account from one region to another.
For example, you might want to move for disaster recovery planning. This article explains how to move a Batch
account between regions using the Azure portal.
Moving Batch accounts directly from one region to another isn't possible. You can use an Azure Resource
Manager template (ARM template) to export the existing configuration of your Batch account instead. Then,
stage the resource in another region. First, export the Batch account to a template. Next, modify the parameters
to match the destination region. Deploy the modified template to the new region. Last, recreate jobs and other
features in the account.
For more information on Resource Manager and templates, see Quickstart: Create and deploy Azure Resource
Manager templates by using the Azure portal.

Prerequisites
Make sure that the services and features that your Batch account uses are supported in the new target
region.
It's recommended to move the storage account associated with your Batch account to the new target region.
Follow the steps in Move an Azure Storage account to another region. If you prefer, you can leave the storage
account in the original region. Typically, performance is better when your storage account is in the same
region as your Batch account. This article assumes you've already migrated your storage account.

Prepare the template


To get started, you'll need to export and then modify an ARM template.
Export a template
Export an ARM template that contains settings and information for your Batch account.
1. Sign in to the Azure portal.
2. Select All resources and then select your Batch account.
3. Select Automation > Export template.
4. Choose Download in the Export template pane.
5. Locate the .zip file that you downloaded from the portal. Unzip that file into a folder of your choice.
This zip file contains the .json files that make up the template. The file also includes scripts to deploy the
template.
Modify the template
Load and modify the template so you can create a new Batch account in the target region.
1. In the Azure portal, select Create a resource.
2. In Search the Marketplace, type template deployment, and then press ENTER.
3. Select Template deployment (deploy using custom templates).
4. Select Create.
5. Select Build your own template in the editor.
6. Select Load file, and then select the template.json file that you downloaded in the last section.
7. In the uploaded template.json file, name the target Batch account by entering a new defaultValue for
the Batch account name. This example sets the defaultValue of the Batch account name to
mytargetaccount and replaces the string in defaultValue with the resource ID for
mytargetstorageaccount.

    {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
        "batchAccounts_mysourceaccount_name": {
          "defaultValue": "mytargetaccount",
          "type": "String"
        }
      },

8. Next, update the defaultValue of the storage account with your migrated storage account's resource ID.
To get this value, navigate to the storage account in the Azure portal, select JSON View near the top of
the screen, and then copy the value shown under Resource ID. This example uses the resource ID for a
storage account named mytargetstorageaccount in the resource group mytargetresourcegroup.

        "storageAccounts_mysourcestorageaccount_externalid": {
          "defaultValue": "/subscriptions/{subscriptionID}/resourceGroups/mytargetresourcegroup/providers/Microsoft.Storage/storageAccounts/mytargetstorageaccount",
          "type": "String"
        }
      },

9. Finally, edit the location property to use your target region. This example sets the target region to
centralus.

    {
      "resources": [
        {
          "type": "Microsoft.Batch/batchAccounts",
          "apiVersion": "2021-01-01",
          "name": "[parameters('batchAccounts_mysourceaccount_name')]",
          "location": "centralus",

To obtain region location codes, see Azure Locations. The code for a region is the region name with no spaces.
For example, Central US = centralus.

Move the account


Deploy the template to create a new Batch account in the target region.
1. Now that you've made your modifications, select Save below the template.json file.
2. Enter or select the property values:
Subscription: Select an Azure subscription.
Resource group: Select the resource group that you created when moving the associated storage
account.
Region: Select the Azure region where you want to move the account.
3. Select Review and create, then select Create.
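The template edits of the "Modify the template" section and the deployment of the "Move the account" section, done with PowerShell instead of the portal, as an added example that is not part of the original article. The parameter names are the ones in the exported template shown above; the file path, account names, resource group and deployment name are placeholders.

```powershell
# Added example (not from the original article): rewrite the exported Batch account template
# for the target region and deploy it. Requires Az.Accounts, Az.Resources and Az.Storage and
# an authenticated session. Paths and names are placeholders.
$templatePath  = 'C:\exports\batch\template.json'
$targetAccount = 'mytargetaccount'
$targetRegion  = 'centralus'          # location code: region display name without spaces
$targetRg      = 'mytargetresourcegroup'
$targetStorage = 'mytargetstorageaccount'

# Confirm the region code exists before touching the template.
$location = Get-AzLocation | Where-Object { $_.Location -eq $targetRegion }
if (-not $location) { throw "Unknown region code '$targetRegion'; see Get-AzLocation for valid values." }

# Resolve the migrated storage account's resource ID instead of typing it by hand.
$storage = Get-AzStorageAccount -ResourceGroupName $targetRg -Name $targetStorage
if ($storage.Location -ne $targetRegion) {
    Write-Warning "Storage account is in $($storage.Location), not $targetRegion; cross-region storage access is slower."
}

# Load the template, update the two parameter defaults the article describes, and set location.
$template = Get-Content -Path $templatePath -Raw | ConvertFrom-Json
$template.parameters.batchAccounts_mysourceaccount_name.defaultValue = $targetAccount
$template.parameters.storageAccounts_mysourcestorageaccount_externalid.defaultValue = $storage.Id

$batchResources = @($template.resources | Where-Object { $_.type -eq 'Microsoft.Batch/batchAccounts' })
if ($batchResources.Count -ne 1) {
    throw "Expected exactly one Microsoft.Batch/batchAccounts resource, found $($batchResources.Count)."
}
$batchResources[0].location = $targetRegion

# Write the modified copy next to the original so the exported template stays untouched.
$modifiedPath = [System.IO.Path]::ChangeExtension($templatePath, '.target.json')
$template | ConvertTo-Json -Depth 100 | Set-Content -Path $modifiedPath -Encoding UTF8

# Validate against the target resource group; an empty result means no validation errors.
$problems = Test-AzResourceGroupDeployment -ResourceGroupName $targetRg -TemplateFile $modifiedPath
if ($problems) { $problems | ForEach-Object { Write-Error $_.Message }; throw 'Template validation failed.' }

# Deploy. The account's region comes from the template's location property; the resource
# group only has to exist (it was created when the storage account was moved).
New-AzResourceGroupDeployment -ResourceGroupName $targetRg -Name 'batch-region-move' `
    -TemplateFile $modifiedPath -Verbose
```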
Configure the new Batch account
Some features won't export to a template, so you'll have to recreate them in the new Batch account. These
features include:
Jobs
Job schedules
Certificates
Application packages
Be sure to configure features in the new account as needed. You can look at how you've configured these
features in your source Batch account for reference.

Discard or clean up
Confirm that your new Batch account is successfully working in the new region. Also make sure to restore the
necessary features. Then, you can delete the source Batch account.
1. In the Azure portal, expand the menu on the left side to open the menu of services, and choose Batch
accounts.
2. Locate the Batch account to delete, and right-click the More button (...) on the right side of the listing. Be
sure that you're selecting the original source Batch account, not the new one you created.
3. Select Delete, then confirm.

Next steps
Learn more about moving resources to a new resource group or subscription.
Learn how to move Azure VMs to another region.
Move your Azure Cognitive Search service to
another Azure region
2/23/2022 • 2 minutes to read

Occasionally, customers ask about moving a search service to another region. Currently, there is no built-in
mechanism or tooling to help with that task, but this article can help you understand the manual steps for
recreating indexes and other objects on a new search service in a different region.

NOTE
In the Azure portal, all services have an Export template command. In the case of Azure Cognitive Search, this
command produces a basic definition of a service (name, location, tier, replica, and partition count), but does not
recognize the content of your service, nor does it carry over keys, roles, or logs. Although the command exists, we don't
recommend using it for moving a search service.

Prerequisites
Ensure that the services and features that your account uses are supported in the target region.
For preview features, ensure that your subscription is approved for the target region.

Prepare and move


1. Identify dependencies and related services to understand the full impact of relocating a service, in case
you need to move more than just Azure Cognitive Search.
Azure Storage is used for logging, creating a knowledge store, and is a commonly used external data
source for AI enrichment and indexing. Cognitive Services is a dependency in AI enrichment. Both
Cognitive Services and your search service are required to be in the same region if you are using AI
enrichment.
2. Create an inventory of all objects on the service so that you know what to move: indexes, synonym maps,
indexers, data sources, skillsets. If you enabled logging, create and archive any reports you might need
for a historical record.
3. Check pricing and availability in the new region to ensure availability of Azure Cognitive Search plus any
related services in the new region. The majority of features are available in all regions, but some preview
features have restricted availability.
4. Create a service in the new region and republish from source code any existing indexes, synonym maps,
indexers, data sources, and skillsets. Remember that service names must be unique so you cannot reuse
the existing name. Check each skillset to see if connections to Cognitive Services are still valid in terms of
the same-region requirement. Also, if knowledge stores are created, check the connection strings for
Azure Storage if you are using a different service.
5. Reload indexes and knowledge stores, if applicable. You'll either use application code to push JSON data
into an index, or rerun indexers to pull documents in from external sources.
6. Enable logging, and if you are using them, re-create security roles.
7. Update client applications and test suites to use the new service name and API keys, and test all
applications.
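Steps 4 and 5 above, as an added PowerShell example that is not part of the original article: it reads each object definition from the source service with the Azure Cognitive Search REST API and creates it on the new service in dependency order. Service names, admin keys, the data-source connection strings, the Cognitive Services key and the API version are this example's own placeholders and assumptions.

```powershell
# Added example (not from the original article): copy object definitions from a source Azure
# Cognitive Search service to a new one with the REST API. Requires outbound HTTPS access.
# Service names, keys and connection strings are placeholders; read keys from a secure store
# rather than leaving them in a script.
$apiVersion = '2020-06-30'
$source = @{ Name = 'search-old-eastus'; AdminKey = '<source admin api-key>' }
$target = @{ Name = 'search-new-westus'; AdminKey = '<target admin api-key>' }

# GET never returns secrets, so data-source connection strings and a skillset's Cognitive
# Services key must be supplied for the target service (resources in the target region).
$dataSourceConnections = @{ 'ds-blob-docs' = '<target storage connection string>' }
$cognitiveServicesKey  = '<cognitive services key in the target region>'

function Invoke-SearchApi {
    param([hashtable]$Service, [string]$Method, [string]$Path, $Body = $null)
    $uri = "https://$($Service.Name).search.windows.net/$Path" + "?api-version=$apiVersion"
    $params = @{ Method = $Method; Uri = $uri; Headers = @{ 'api-key' = $Service.AdminKey }; ContentType = 'application/json' }
    if ($null -ne $Body) { $params.Body = ($Body | ConvertTo-Json -Depth 100) }
    return Invoke-RestMethod @params
}

function Copy-SearchObjects {
    # Lists every object of one kind on the source and PUTs it to the target under the same name.
    param([string]$Kind, [scriptblock]$Fixup = { param($o) $o })
    foreach ($obj in (Invoke-SearchApi -Service $source -Method GET -Path $Kind).value) {
        # Strip OData metadata such as @odata.etag; it belongs to the source service.
        foreach ($p in @($obj.PSObject.Properties | Where-Object { $_.Name -like '@odata.*' })) {
            $obj.PSObject.Properties.Remove($p.Name)
        }
        $obj = & $Fixup $obj
        Invoke-SearchApi -Service $target -Method PUT -Path "$Kind/$($obj.name)" -Body $obj | Out-Null
        Write-Host "Copied $Kind/$($obj.name)"
    }
}

# Order matters: indexes reference synonym maps; indexers reference data sources, skillsets and indexes.
Copy-SearchObjects -Kind 'datasources' -Fixup {
    param($ds)
    if (-not $dataSourceConnections.ContainsKey($ds.name)) { throw "No connection string supplied for data source $($ds.name)." }
    $ds | Add-Member -NotePropertyName credentials -NotePropertyValue @{ connectionString = $dataSourceConnections[$ds.name] } -Force
    $ds
}
Copy-SearchObjects -Kind 'synonymmaps'
Copy-SearchObjects -Kind 'indexes'
Copy-SearchObjects -Kind 'skillsets' -Fixup {
    param($ss)
    if ($ss.cognitiveServices -and $ss.cognitiveServices.'@odata.type' -like '*CognitiveServicesByKey') {
        $ss.cognitiveServices | Add-Member -NotePropertyName key -NotePropertyValue $cognitiveServicesKey -Force
    }
    $ss
}
Copy-SearchObjects -Kind 'indexers'   # indexers are re-created empty; run them afterwards to reload the indexes
```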

Discard or clean up
Delete the old service once the new service is fully tested and operational. Deleting the service automatically
deletes all content associated with the service.

Next steps
The following links can help you locate more information when completing the steps outlined above.
Azure Cognitive Search pricing and regions
Choose a tier
Create a search service
Load search documents
Enable logging
Move an Azure Cosmos DB account to another
region
2/23/2022 • 2 minutes to read

APPLIES TO: SQL API, Cassandra API, Gremlin API, Table API, Azure Cosmos DB API for MongoDB
This article describes how to either:
Move a region where data is replicated in Azure Cosmos DB.
Migrate account (Azure Resource Manager) metadata and data from one region to another.

Move data from one region to another


Azure Cosmos DB supports data replication natively, so moving data from one region to another is simple. You
can accomplish it by using the Azure portal, Azure PowerShell, or the Azure CLI. It involves the following steps:
1. Add a new region to the account.
To add a new region to an Azure Cosmos DB account, see Add/remove regions to an Azure Cosmos DB
account.
2. Perform a manual failover to the new region.
When the region that's being removed is currently the write region for the account, you'll need to start a
failover to the new region added in the previous step. This is a zero-downtime operation. If you're moving
a read region in a multiple-region account, you can skip this step.
To start a failover, see Perform manual failover on an Azure Cosmos account.
3. Remove the original region.
To remove a region from an Azure Cosmos DB account, see Add/remove regions from your Azure
Cosmos DB account.

NOTE
If you perform a failover operation or add/remove a new region while an asynchronous throughput scaling operation is in
progress, the throughput scale-up operation will be paused. It will resume automatically when the failover or add/remove
region operation is complete.
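The three steps above (add the region, fail over to it if the region being removed is the write region, remove the original region), as an added PowerShell example that is not part of the original article. It assumes an account with a single write region; resource group, account and region names are placeholders.

```powershell
# Added example (not from the original article): add a region, move the write region to it
# with a manual failover, and remove the original region. Requires Az.CosmosDB and an
# authenticated session. Assumes a single write region (no multi-region writes).
$rg        = 'rg-cosmos'
$account   = 'cosmos-app01'
$oldRegion = 'East US'
$newRegion = 'West US 2'

function Get-RegionsByPriority {
    # Returns the account's region names ordered by failover priority (0 = write region).
    param([string]$ResourceGroupName, [string]$Name)
    $acct = Get-AzCosmosDBAccount -ResourceGroupName $ResourceGroupName -Name $Name
    return @($acct.Locations | Sort-Object FailoverPriority | ForEach-Object { $_.LocationName })
}

$regions = Get-RegionsByPriority -ResourceGroupName $rg -Name $account
if ($regions -notcontains $oldRegion) { throw "$account is not replicated to $oldRegion." }

# 1. Add the new region. The order of -Location sets failover priorities, so the existing
#    order is kept and the new region is appended at the lowest priority.
if ($regions -notcontains $newRegion) {
    Update-AzCosmosDBAccountRegion -ResourceGroupName $rg -Name $account -Location ($regions + $newRegion) | Out-Null
    $regions = Get-RegionsByPriority -ResourceGroupName $rg -Name $account
}

# 2. If the region being removed is the write region, fail over to the new region first.
#    The first entry of -FailoverPolicy becomes the write region; the old region stays as a
#    read region until step 3. Skipped automatically when only a read region is being moved.
if ($regions[0] -eq $oldRegion) {
    $others = @($regions | Where-Object { $_ -ne $newRegion })
    Update-AzCosmosDBAccountFailoverPriority -ResourceGroupName $rg -Name $account `
        -FailoverPolicy (@($newRegion) + $others) | Out-Null
    $regions = Get-RegionsByPriority -ResourceGroupName $rg -Name $account
}
if ($regions[0] -eq $oldRegion) { throw "Failover to $newRegion did not take effect; not removing $oldRegion." }

# 3. Remove the original region now that it is no longer the write region.
Update-AzCosmosDBAccountRegion -ResourceGroupName $rg -Name $account `
    -Location @($regions | Where-Object { $_ -ne $oldRegion }) | Out-Null

Get-RegionsByPriority -ResourceGroupName $rg -Name $account   # new region should be first
```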

Migrate Azure Cosmos DB account metadata


Azure Cosmos DB does not natively support migrating account metadata from one region to another. To migrate
both the account metadata and customer data from one region to another, you must create a new account in the
desired region and then copy the data manually.
A near-zero-downtime migration for the SQL API requires the use of the change feed or a tool that uses it. If
you're migrating the MongoDB API, the Cassandra API, or another API, or to learn more about options for
migrating data between accounts, see Options to migrate your on-premises or cloud data to Azure Cosmos DB.
The following steps demonstrate how to migrate an Azure Cosmos DB account for the SQL API and its data from
one region to another:
1. Create a new Azure Cosmos DB account in the desired region.
To create a new account via the Azure portal, PowerShell, or the Azure CLI, see Create an Azure Cosmos
DB account.
2. Create a new database and container.
To create a new database and container, see Create an Azure Cosmos container.
3. Migrate data by using the Azure Cosmos DB Live Data Migrator tool.
To migrate data with near zero downtime, see Azure Cosmos DB Live Data Migrator tool.
4. Update the application connection string.
With the Live Data Migrator tool still running, update the connection information in the new deployment
of your application. You can retrieve the endpoints and keys for your application from the Azure portal.
5. Redirect requests to the new application.
After the new application is connected to Azure Cosmos DB, you can redirect client requests to your new
deployment.
6. Delete any resources that you no longer need.
With requests now fully redirected to the new instance, you can delete the old Azure Cosmos DB account
and the Live Data Migrator tool.

Next steps
For more information and examples on how to manage the Azure Cosmos account as well as databases and
containers, read the following articles:
Manage an Azure Cosmos account
Change feed in Azure Cosmos DB
Move an Azure Database for MariaDB server to
another region by using the Azure portal
2/23/2022 • 2 minutes to read

There are various scenarios for moving an existing Azure Database for MariaDB server from one region to
another. For example, you might want to move a production server to another region as part of your disaster
recovery planning.
You can use an Azure Database for MariaDB cross-region read replica to complete the move to another region.
To do so, first create a read replica in the target region. Next, stop replication to the read replica server to make it
a standalone server that accepts both read and write traffic.

NOTE
This article focuses on moving your server to a different region. If you want to move your server to a different resource
group or subscription, refer to the move article.

Prerequisites
The read replica feature is only available for Azure Database for MariaDB servers in the General Purpose
or Memory Optimized pricing tiers. Ensure the source server is in one of these pricing tiers.
Make sure that your Azure Database for MariaDB source server is in the Azure region that you want to
move from.

Prepare to move
To create a cross-region read replica server in the target region using the Azure portal, use the following steps:
1. Sign into the Azure portal.
2. Select the existing Azure Database for MariaDB server that you want to use as the source server. This action
opens the Overview page.
3. Select Replication from the menu, under SETTINGS.
4. Select Add Replica.
5. Enter a name for the replica server.
6. Select the location for the replica server. The default location is the same as the source server's. Verify that
you've selected the target location where you want the replica to be deployed.
7. Select OK to confirm creation of the replica. During replica creation, data is copied from the source server to
the replica. Create time may last several minutes or more, in proportion to the size of the source server.

NOTE
When you create a replica, it doesn't inherit the VNet service endpoints of the source server. These rules must be set up
independently for the replica.

Move
IMPORTANT
The standalone server can't be made into a replica again. Before you stop replication on a read replica, ensure the replica
has all the data that you require.

Stopping replication to the replica server causes it to become a standalone server. To stop replication to the
replica from the Azure portal, use the following steps:
1. Once the replica has been created, locate and select your Azure Database for MariaDB source server.
2. Select Replication from the menu, under SETTINGS.
3. Select the replica server.
4. Select Stop replication.
5. Confirm you want to stop replication by clicking OK.

Clean up source server


You may want to delete the source Azure Database for MariaDB server. To do so, use the following steps:
1. Once the replica has been created, locate and select your Azure Database for MariaDB source server.
2. In the Overview window, select Delete.
3. Type in the name of the source server to confirm you want to delete.
4. Select Delete.

Next steps
In this tutorial, you moved an Azure Database for MariaDB server from one region to another by using the
Azure portal and then cleaned up the unneeded source resources.
Learn more about read replicas
Learn more about managing read replicas in the Azure portal
Learn more about business continuity options
Move an Azure Database for MySQL server to
another region by using the Azure portal
2/23/2022 • 2 minutes to read

APPLIES TO: Azure Database for MySQL - Single Server


There are various scenarios for moving an existing Azure Database for MySQL server from one region to
another. For example, you might want to move a production server to another region as part of your disaster
recovery planning.
You can use an Azure Database for MySQL cross-region read replica to complete the move to another region. To
do so, first create a read replica in the target region. Next, stop replication to the read replica server to make it a
standalone server that accepts both read and write traffic.

NOTE
This article focuses on moving your server to a different region. If you want to move your server to a different resource
group or subscription, refer to the move article.

Prerequisites
The read replica feature is only available for Azure Database for MySQL servers in the General Purpose or
Memory Optimized pricing tiers. Ensure the source server is in one of these pricing tiers.
Make sure that your Azure Database for MySQL source server is in the Azure region that you want to
move from.

Prepare to move
To create a cross-region read replica server in the target region using the Azure portal, use the following steps:
1. Sign into the Azure portal.
2. Select the existing Azure Database for MySQL server that you want to use as the source server. This action
opens the Overview page.
3. Select Replication from the menu, under SETTINGS.
4. Select Add Replica.
5. Enter a name for the replica server.
6. Select the location for the replica server. The default location is the same as the source server's. Verify that
you've selected the target location where you want the replica to be deployed.
7. Select OK to confirm creation of the replica. During replica creation, data is copied from the source server to
the replica. Create time may last several minutes or more, in proportion to the size of the source server.

NOTE
When you create a replica, it doesn't inherit the VNet service endpoints of the source server. These rules must be set up
independently for the replica.

Move
IMPORTANT
The standalone server can't be made into a replica again. Before you stop replication on a read replica, ensure the replica
has all the data that you require.

Stopping replication to the replica server causes it to become a standalone server. To stop replication to the
replica from the Azure portal, use the following steps:
1. Once the replica has been created, locate and select your Azure Database for MySQL source server.
2. Select Replication from the menu, under SETTINGS.
3. Select the replica server.
4. Select Stop replication.
5. Confirm you want to stop replication by clicking OK.

Clean up source server


You may want to delete the source Azure Database for MySQL server. To do so, use the following steps:
1. Once the replica has been created, locate and select your Azure Database for MySQL source server.
2. In the Overview window, select Delete.
3. Type in the name of the source server to confirm you want to delete.
4. Select Delete.

Next steps
In this tutorial, you moved an Azure Database for MySQL server from one region to another by using the Azure
portal and then cleaned up the unneeded source resources.
Learn more about read replicas
Learn more about managing read replicas in the Azure portal
Learn more about business continuity options
Move an Azure Database for PostgreSQL - Single Server to another region by
using the Azure portal
2/23/2022 • 3 minutes to read

There are various scenarios for moving an existing Azure Database for PostgreSQL server from one region to
another. For example, you might want to move a production server to another region as part of your disaster
recovery planning.
You can use an Azure Database for PostgreSQL cross-region read replica to complete the move to another
region. To do so, first create a read replica in the target region. Next, stop replication to the read replica server to
make it a standalone server that accepts both read and write traffic.

NOTE
This article focuses on moving your server to a different region. If you want to move your server to a different resource
group or subscription, refer to the move article.

Prerequisites
The cross-region read replica feature is only available for Azure Database for PostgreSQL - Single Server
in the General Purpose or Memory Optimized pricing tiers. Ensure the source server is in one of these
pricing tiers.
Make sure that your Azure Database for PostgreSQL source server is in the Azure region that you want to
move from.

Prepare to move
To prepare the source server for replication using the Azure portal, use the following steps:
1. Sign into the Azure portal.
2. Select the existing Azure Database for PostgreSQL server that you want to use as the source server. This
action opens the Overview page.
3. From the server's menu, select Replication. If Azure replication support is set to at least Replica, you can
create read replicas.
4. If Azure replication support is not set to at least Replica, set it. Select Save.
5. Restart the server to apply the change by selecting Yes.
6. You will receive two Azure portal notifications once the operation is complete. There is one notification for
updating the server parameter. There is another notification for the server restart that follows immediately.
7. Refresh the Azure portal page to update the Replication toolbar. You can now create read replicas for this
server.
To create a cross-region read replica server in the target region using the Azure portal, use the following steps:
1. Select the existing Azure Database for PostgreSQL server that you want to use as the source server.
2. Select Replication from the menu, under SETTINGS.
3. Select Add Replica.
4. Enter a name for the replica server.
5. Select the location for the replica server. The default location is the same as the primary server's. Verify that
you've selected the target location where you want the replica to be deployed.
6. Select OK to confirm creation of the replica. During replica creation, data is copied from the source server to
the replica. Create time may last several minutes or more, in proportion to the size of the source server.

NOTE
When you create a replica, it doesn't inherit the firewall rules and VNet service endpoints of the primary server. These
rules must be set up independently for the replica.

Move
IMPORTANT
The standalone server can't be made into a replica again. Before you stop replication on a read replica, ensure the replica
has all the data that you require.

To stop replication to the replica from the Azure portal, use the following steps:
1. Once the replica has been created, locate and select your Azure Database for PostgreSQL source server.
2. Select Replication from the menu, under SETTINGS.
3. Select the replica server.
4. Select Stop replication.
5. Confirm you want to stop replication by clicking OK.
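The prepare, create-replica and stop-replication steps of this article, done with PowerShell instead of the portal, as an added example that is not part of the original article; the MariaDB and MySQL articles above follow the same shape with New-AzMariaDbReplica/Update-AzMariaDbServer and New-AzMySqlReplica/Update-AzMySqlServer and without the replication_support step. Server, resource group and region names are placeholders, and the replica-lag metric name used for the pre-promotion check is an assumption.

```powershell
# Added example (not from the original article): prepare the source server, create a
# cross-region read replica, and promote it by stopping replication. Requires Az.PostgreSql
# and Az.Monitor and an authenticated session. Names and regions are placeholders.
$rg           = 'rg-db'
$sourceName   = 'pg-source-eastus'
$replicaName  = 'pg-replica-westus'
$targetRegion = 'westus'

# 1. Prepare: replicas need General Purpose or Memory Optimized, and azure.replication_support
#    must be at least REPLICA (a static parameter, so a restart is required when it changes).
$source = Get-AzPostgreSqlServer -ResourceGroupName $rg -Name $sourceName
if ($source.SkuTier -notin @('GeneralPurpose', 'MemoryOptimized')) {
    throw "Read replicas require General Purpose or Memory Optimized; source tier is $($source.SkuTier)."
}
$support = Get-AzPostgreSqlConfiguration -ResourceGroupName $rg -ServerName $sourceName -Name 'azure.replication_support'
if ($support.Value -notin @('REPLICA', 'LOGICAL')) {
    Update-AzPostgreSqlConfiguration -ResourceGroupName $rg -ServerName $sourceName `
        -Name 'azure.replication_support' -Value 'REPLICA' | Out-Null
    Restart-AzPostgreSqlServer -ResourceGroupName $rg -Name $sourceName
}

# 2. Create the replica in the target region (the data copy can take minutes or longer).
$replica = $source | New-AzPostgreSqlReplica -Name $replicaName -ResourceGroupName $rg -Location $targetRegion

# Firewall rules and VNet service endpoints are not inherited; copy the firewall rules so the
# promoted server is reachable from the same clients. VNet rules need the target region's VNet.
foreach ($rule in Get-AzPostgreSqlFirewallRule -ResourceGroupName $rg -ServerName $sourceName) {
    New-AzPostgreSqlFirewallRule -ResourceGroupName $rg -ServerName $replicaName -Name $rule.Name `
        -StartIPAddress $rule.StartIPAddress -EndIPAddress $rule.EndIPAddress | Out-Null
}

# 3. Stopping replication is irreversible, so confirm the replica has caught up first.
#    Assumption: 'pg_replica_log_delay_in_seconds' is the Single Server replica-lag metric.
$lag = Get-AzMetric -ResourceId $replica.Id -MetricName 'pg_replica_log_delay_in_seconds' `
    -AggregationType Maximum -StartTime (Get-Date).AddMinutes(-10) -EndTime (Get-Date) -TimeGrain 00:01:00
$maxLag = ($lag.Data | Measure-Object -Property Maximum -Maximum).Maximum
if ($null -eq $maxLag) { throw 'No replica lag data yet; wait for the replica to report metrics.' }
if ($maxLag -gt 0)     { throw "Replica lag is $maxLag seconds; wait for it to reach 0 before promoting." }

# 4. Stop replication: the replica becomes a standalone server that accepts reads and writes.
Update-AzPostgreSqlServer -ResourceGroupName $rg -Name $replicaName -ReplicationRole None | Out-Null
(Get-AzPostgreSqlServer -ResourceGroupName $rg -Name $replicaName).ReplicationRole   # expect 'None'
```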

Clean up source server


You may want to delete the source Azure Database for PostgreSQL server. To do so, use the following steps:
1. Once the replica has been created, locate and select your Azure Database for PostgreSQL source server.
2. In the Overview window, select Delete .
3. Type in the name of the source server to confirm you want to delete.
4. Select Delete .

Next steps
In this tutorial, you moved an Azure Database for PostgreSQL server from one region to another by using the
Azure portal and then cleaned up the unneeded source resources.
Learn more about read replicas
Learn more about managing read replicas in the Azure portal
Learn more about business continuity options
Move an Azure Event Hubs namespace to another
region
2/23/2022 • 4 minutes to read

This article shows you how to export an Azure Resource Manager template for an existing Event Hubs
namespace and then use the template to create a namespace with same configuration settings in another
region. However, this process doesn't move events that aren't processed yet. You need to process the events
from the original namespace before deleting it.
If you have other resources in the Azure resource group that contains the Event Hubs namespace, you may want
to export the template at the resource group level so that all related resources can be moved to the new region
in one step. The steps in this article show you how to export a namespace to the template. The steps for
exporting a resource group to the template are similar.

Prerequisites
Ensure that the services and features that your account uses are supported in the target region.
If you have the Capture feature enabled for event hubs in the namespace, move the Azure Storage, Azure Data
Lake Store Gen 2, or Azure Data Lake Store Gen 1 accounts before moving the Event Hubs namespace. You
can also move the resource group that contains both Storage and Event Hubs namespaces to the other
region by following steps similar to the ones described in this article.
If the Event Hubs namespace is in an Event Hubs cluster , move the dedicated cluster to the target region
before you go through steps in this article. You can also use the quickstart template on GitHub to create an
Event Hubs cluster. In the template, remove the namespace portion of the JSON to create only the cluster.

Prepare
To get started, export a Resource Manager template. This template contains settings that describe your Event
Hubs namespace.
1. Sign in to the Azure portal.
2. Select All resources and then select your Event Hubs namespace.
3. On the Event Hubs Namespace page, select Export template under Automation in the left menu.
4. Choose Download in the Export template page.
5. Locate the .zip file that you downloaded from the portal, and unzip that file to a folder of your choice.
This zip file contains the .json files that include the template and scripts to deploy the template.

Move
Deploy the template to create an Event Hubs namespace in the target region.
1. In the Azure portal, select Create a resource .
2. In Search the Marketplace , type template deployment , and select Template deployment (deploy
using custom templates) .
3. Select Build your own template in the editor .
4. Select Load file , and then follow the instructions to load the template.json file that you downloaded in the
last section.
5. Update the value of the location property to point to the new region. To obtain location codes, see Azure
locations. The code for a region is the region name with no spaces, for example, West US is equal to westus .
6. Select Save to save the template.
7. On the Custom deployment page, follow these steps:
a. Select an Azure subscription .
b. Select an existing resource group or create one. If the source namespace was in an Event Hubs
cluster, select the resource group that contains cluster in the target region.
c. Select the target location or region. If you selected an existing resource group, this setting is read-
only.
d. In the SETTINGS section, do the following steps:
a. Enter the new namespace name .
b. If your source namespace was in an Event Hubs cluster , enter the names of the resource group
and Event Hubs cluster as part of the external ID :

/subscriptions/<AZURE SUBSCRIPTION ID>/resourceGroups/<CLUSTER'S RESOURCE GROUP>/providers/Microsoft.EventHub/clusters/<CLUSTER NAME>

c. If an event hub in your namespace uses a Storage account for capturing events, specify the
resource group name and the storage account for the
StorageAccounts_<original storage account name>_external field:

/subscriptions/0000000000-0000-0000-0000-0000000000000/resourceGroups/<STORAGE'S RESOURCE GROUP>/providers/Microsoft.Storage/storageAccounts/<STORAGE ACCOUNT NAME>

e. Select Review + create at the bottom of the page.
f. On the Review + create page, review settings, and then select Create .

Discard or clean up
After the deployment, if you want to start over, you can delete the target Event Hubs namespace , and repeat
the steps described in the Prepare and Move sections of this article.
To commit the changes and complete the move of an Event Hubs namespace, delete the Event Hubs
namespace in the original region. Make sure that you processed all the events in the namespace before
deleting the namespace.
To delete an Event Hubs namespace (source or target) by using the Azure portal:
1. In the search window at the top of Azure portal, type Event Hubs , and select Event Hubs from search
results. You see the Event Hubs namespaces in a list.
2. Select the target namespace to delete, and select Delete from the toolbar.

3. On the Delete Namespace page, confirm the deletion by typing the namespace name , and then select
Delete .

Next steps
In this tutorial, you moved an Azure Event Hubs namespace from one region to another and cleaned up the
source resources. To learn more about moving resources between regions and disaster recovery in Azure, refer
to:
Move resources to a new resource group or subscription
Move Azure VMs to another region
Move your function app between regions in Azure
Functions
2/23/2022 • 3 minutes to read

This article describes how to move Azure Functions resources to a different Azure region. You might move your
resources to another region for one of the following reasons:
Take advantage of a new Azure region
Deploy features or services that are available only in specific regions
Meet internal policy and governance requirements
Respond to capacity planning requirements
Azure Functions resources are region-specific and can't be moved across regions. You must create a copy of
your existing function app resources in the target region, then redeploy your functions code over to the new
app.
If minimal downtime is a requirement, consider running your function app in both regions to implement a
disaster recovery architecture:
Azure Functions geo-disaster recovery
Disaster recovery and geo-distribution in Azure Durable Functions

Prerequisites
Make sure that the target region supports Azure Functions and any related service whose resources you
want to move
Have access to the original source code for the functions you're migrating

Prepare
Identify all the function app resources used on the source region, which may include the following:
Function app
Hosting plan
Deployment slots
Custom domains purchased in Azure
TLS/SSL certificates and settings
Configured networking options
Managed identities
Configured application settings - users with enough access can copy all the source application settings by
using the Advanced Edit feature in the portal
Scaling configurations
Your functions may connect to other resources by using triggers or bindings. For information on how to move
those resources across regions, see the documentation for the respective services.
You should be able to also export a template from existing resources.

Move
Deploy the function app to the target region and review the configured resources.
Redeploy function app
If you have access to the deployment and automation resources that created the function app in the source
region, re-run the same deployment steps in the target region to create and redeploy your app.
If you only have access to the source code but not the deployment and automation resources you can deploy
and configure the function app on the target region using any of the available deployment technologies or using
one of the continuous deployment methods.
Review configured resources
Review and configure the resources identified in the Prepare step above in the target region if they weren't
configured during the deploy.
Move considerations
If your deployment resources and automation don't create a function app, create an app of the same type
in a new hosting plan in the target region
Function app names are globally unique in Azure, so the app in the target region can't have the same name
as the one in the source region
References and application settings that connect your function app to dependencies need to be reviewed and,
when needed, updated. For example, when you move a database that your functions call, you must also
update the application settings or configuration to connect to the database in the target region. Some
application settings such as the Application Insights instrumentation key or the Azure storage account used
by the function app may already be configured in the target region and do not need to be updated
Remember to verify your configuration and test your functions in the target region
If you had a custom domain configured, remap the domain name
For Functions running on Dedicated plans also review the App Service Migration Plan in case the plan is
shared with web apps
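The application-settings review in the list above is the step most easily done by hand and most easily done wrong. The following is an added example (not code from the Azure documentation or the Azure Functions project) that takes the JSON the portal's Advanced Edit view shows, a list of {"name", "value", "slotSetting"} objects, swaps known source-region resource names for their target-region counterparts, flags any remaining setting that still points at some Azure dependency nobody renamed, and flags settings that embed a credential so they are handled as secrets rather than pasted into source control. The resource names, the rename map and every setting value are constructed for the example.

```python
"""Review exported function app settings before redeploying in the target region.

Added example; not from the Azure documentation or the Azure Functions project.
The input format mirrors the portal's Advanced Edit view: a JSON list of
{"name", "value", "slotSetting"} objects. Resource names, the rename map and
the setting values are constructed for the example.
"""
import json
import re

# Constructed export of a source app's settings (values are made up; no real keys).
SOURCE_SETTINGS_JSON = json.dumps([
    {"name": "FUNCTIONS_WORKER_RUNTIME", "value": "python", "slotSetting": False},
    {"name": "AzureWebJobsStorage",
     "value": "DefaultEndpointsProtocol=https;AccountName=contosofuncwestus;"
              "AccountKey=<redacted>;EndpointSuffix=core.windows.net",
     "slotSetting": False},
    {"name": "SqlConnection",
     "value": "Server=tcp:contoso-sql-westus.database.windows.net,1433;Database=orders;",
     "slotSetting": False},
    {"name": "APPINSIGHTS_INSTRUMENTATIONKEY",
     "value": "00000000-0000-0000-0000-000000000000", "slotSetting": False},
    {"name": "ServiceBusConnection",
     "value": "Endpoint=sb://contoso-sb-westus.servicebus.windows.net/;"
              "SharedAccessKeyName=func;SharedAccessKey=<redacted>",
     "slotSetting": True},
])

# Hypothetical map from source-region resource names to the ones created in the target region.
RESOURCE_RENAMES = {
    "contosofuncwestus": "contosofunceastus",
    "contoso-sql-westus": "contoso-sql-eastus",
}

# Settings the text above says may legitimately stay as they are (shared Application Insights).
KEEP_AS_IS = {"APPINSIGHTS_INSTRUMENTATIONKEY", "APPLICATIONINSIGHTS_CONNECTION_STRING"}

# A value that points at some other Azure resource and therefore deserves a look.
DEPENDENCY_HINT = re.compile(r"AccountName=|Endpoint=sb://|Server=|\.windows\.net|\.azure\.(net|com)", re.I)
# A value that embeds a credential and must never be pasted into source control.
SECRET_MARKER = re.compile(r"(AccountKey|SharedAccessKey|Password|Pwd)=", re.I)


def review_settings(settings_json, renames, keep=KEEP_AS_IS):
    """Return (updated_settings, report).

    updated_settings keeps the Advanced Edit shape so it can be pasted into the target app.
    report lists which settings were rewritten, which still reference a dependency nobody
    renamed (manual review), and which carry a secret (handle them as such).
    """
    settings = json.loads(settings_json)
    report = {"updated": [], "needs_review": [], "contains_secret": []}
    for s in settings:
        original = s["value"]
        new_value = original
        for old, new in renames.items():
            new_value = new_value.replace(old, new)
        if new_value != original:
            report["updated"].append(s["name"])
        elif s["name"] not in keep and DEPENDENCY_HINT.search(original):
            report["needs_review"].append(s["name"])
        if SECRET_MARKER.search(original):
            report["contains_secret"].append(s["name"])
        s["value"] = new_value
    return settings, report


if __name__ == "__main__":
    updated, report = review_settings(SOURCE_SETTINGS_JSON, RESOURCE_RENAMES)
    print(json.dumps(report, indent=2))
```

On the constructed input the storage and SQL settings are rewritten, the Service Bus connection is reported for manual review because its namespace is not in the rename map, and the two settings carrying keys are reported as secrets. The Application Insights key is left alone, matching the note above that it can stay shared across regions.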

Clean up source resources


After the move is complete, delete the function app and hosting plan from the source region. You pay for
function apps in Premium or Dedicated plans, even when the app itself isn't running.

Next steps
Review the Azure Architecture Center for examples of Azure Functions running in multiple regions as part of
more advanced solution architectures
How to clone an Azure IoT hub to another region
2/23/2022 • 24 minutes to read

This article explores ways to clone an IoT Hub and provides some questions you need to answer before you
start. Here are several reasons you might want to clone an IoT hub:
You are moving your company from one region to another, such as from Europe to North America (or
vice versa), and you want your resources and data to be geographically close to your new location, so you
need to move your hub.
You are setting up a hub for a development versus production environment.
You want to do a custom implementation of multi-hub high availability. For more information, see the
How to achieve cross region HA section of IoT Hub high availability and disaster recovery.
You want to increase the number of partitions configured for your hub. This is set when you first create
your hub, and can't be changed. You can use the information in this article to clone your hub and when
the clone is created, increase the number of partitions.
To clone a hub, you need a subscription with administrative access to the original hub. You can put the new hub
in a new resource group and region, in the same subscription as the original hub, or even in a new subscription.
You just can't use the same name because the hub name has to be globally unique.

NOTE
At this time, there's no feature available for cloning an IoT hub automatically. It's primarily a manual process, and thus is
fairly error-prone. The complexity of cloning a hub is directly proportional to the complexity of the hub. For example,
cloning an IoT hub with no message routing is fairly simple. If you add message routing as just one complexity, cloning
the hub becomes at least an order of magnitude more complicated. If you also move the resources used for routing
endpoints, it's another order of magnitude more complicated.

Things to consider
There are several things to consider before cloning an IoT hub.
Make sure that all of the features available in the original location are also available in the new location.
Some services are in preview, and not all features are available everywhere.
Do not remove the original resources before creating and verifying the cloned version. Once you remove
a hub, it's gone forever, and there is no way to recover it to check the settings or data to make sure the
hub is replicated correctly.
Many resources require globally unique names, so you must use different names for the cloned versions.
You also should use a different name for the resource group to which the cloned hub belongs.
Data for the original IoT hub is not migrated. This includes telemetry messages, cloud-to-device (C2D)
commands, and job-related information such as schedules and history. Metrics and logging results are
also not migrated.
For data or messages routed to Azure Storage, you can leave the data in the original storage account,
transfer that data to a new storage account in the new region, or leave the old data in place and create a
new storage account in the new location for the new data. For more information on moving data in Blob
storage, see Get started with AzCopy.
Data for Event Hubs and for Service Bus Topics and Queues can't be migrated. This is point-in-time data
and is not stored after the messages are processed.
You need to schedule downtime for the migration. Cloning the devices to the new hub takes time. If you
are using the Import/Export method, benchmark testing has revealed that it could take around two hours
to move 500,000 devices, and four hours to move a million devices.
You can copy the devices to the new hub without shutting down or changing the devices.
If the devices were originally provisioned using DPS, re-provisioning them updates the connection
information stored in each device.
Otherwise, you have to use the Import/Export method to move the devices, and then the devices
have to be modified to use the new hub. For example, you can set up your device to consume the
IoT Hub host name from the twin desired properties. The device will take that IoT Hub host name,
disconnect the device from the old hub, and reconnect it to the new one.
You need to update any certificates you are using so you can use them with the new resources. Also, you
probably have the hub defined in a DNS table somewhere — you will need to update that DNS
information.

Methodology
This is the general method we recommend for moving an IoT hub from one region to another. For message
routing, this assumes the resources are not being moved to the new region. For more information, see the
section on Message Routing.
1. Export the hub and its settings to a Resource Manager template.
2. Make the necessary changes to the template, such as updating all occurrences of the name and the
location for the cloned hub. For any resources in the template used for message routing endpoints,
update the key in the template for that resource.
3. Import the template into a new resource group in the new location. This creates the clone.
4. Debug as needed.
5. Add anything that wasn't exported to the template.
For example, consumer groups are not exported to the template. You need to add the consumer groups
to the template manually or use the Azure portal after the hub is created. There is an example of adding
one consumer group to a template in the article Use an Azure Resource Manager template to configure
IoT Hub message routing.
6. Copy the devices from the original hub to the clone. This is covered in the section Managing the devices
registered to the IoT hub.

How to handle message routing


If your hub uses custom routing, exporting the template for the hub includes the routing configuration, but it
does not include the resources themselves. You must choose whether to move the routing resources to the new
location or to leave them in place and continue to use them "as is".
For example, say you have a hub in West US that is routing messages to a storage account (also in West US),
and you want to move the hub to East US. You can move the hub and have it still route messages to the storage
account in West US, or you can move the hub and also move the storage account. There may be a small
performance hit from routing messages to endpoint resources in a different region.
You can move a hub that uses message routing pretty easily if you do not also move the resources used for the
routing endpoints.
If the hub uses message routing, you have two choices.
1. Move the resources used for the routing endpoints to the new location.
You must create the new resources yourself either manually in the Azure portal or through the use
of Resource Manager templates.
You must rename all of the resources when you create them in the new location, as they have
globally unique names.
You must update the resource names and the resource keys in the new hub's template, before
creating the new hub. The resources should be present when the new hub is created.
2. Don't move the resources used for the routing endpoints. Use them "in place".
In the step where you edit the template, you will need to retrieve the keys for each routing
resource and put them in the template before you create the new hub.
The hub still references the original routing resources and routes messages to them as configured.
You will have a small performance hit because the hub and the routing endpoint resources are not
in the same location.

Prepare to migrate the hub to another region


This section provides specific instructions for migrating the hub.
Find the original hub and export it to a resource template.
1. Sign into the Azure portal.
2. Go to Resource Groups and select the resource group that contains the hub you want to move. You can
also go to Resources and find the hub that way. Select the hub.
3. Select Expor t template from the list of properties and settings for the hub.

4. Select Download to download the template. Save the file somewhere you can find it again.
View the template
1. Go to the Downloads folder (or to whichever folder you used when you exported the template) and find
the zip file. Extract the zip file and find the file called template.json . Select and copy it. Go to a different
folder and paste the template file (Ctrl+V). Now you can edit it.
The following example is for a generic hub with no routing configuration. It is an S1 tier hub (with 1 unit)
called ContosoHub in region westus . Here is the exported template.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "IotHubs_ContosoHub_connectionString": {
      "type": "SecureString"
    },
    "IotHubs_ContosoHub_containerName": {
      "type": "SecureString"
    },
    "IotHubs_ContosoHub_name": {
      "defaultValue": "ContosoHub",
      "type": "String"
    }
  },
  "variables": {},
  "resources": [
    {
      "type": "Microsoft.Devices/IotHubs",
      "apiVersion": "2021-07-01",
      "name": "[parameters('IotHubs_ContosoHub_name')]",
      "location": "westus",
      "sku": {
        "name": "S1",
        "tier": "Standard",
        "capacity": 1
      },
      "identity": {
        "type": "None"
      },
      "properties": {
        "ipFilterRules": [],
        "eventHubEndpoints": {
          "events": {
            "retentionTimeInDays": 1,
            "partitionCount": 4
          }
        },
        "routing": {
          "endpoints": {
            "serviceBusQueues": [],
            "serviceBusTopics": [],
            "eventHubs": [],
            "storageContainers": []
          },
          "routes": [],
          "fallbackRoute": {
            "name": "$fallback",
            "source": "DeviceMessages",
            "condition": "true",
            "endpointNames": [
              "events"
            ],
            "isEnabled": true
          }
        },
        "storageEndpoints": {
          "$default": {
            "sasTtlAsIso8601": "PT1H",
            "connectionString": "[parameters('IotHubs_ContosoHub_connectionString')]",
            "containerName": "[parameters('IotHubs_ContosoHub_containerName')]"
          }
        },
        "messagingEndpoints": {
          "fileNotifications": {
            "lockDurationAsIso8601": "PT1M",
            "ttlAsIso8601": "PT1H",
            "maxDeliveryCount": 10
          }
        },
        "enableFileUploadNotifications": false,
        "cloudToDevice": {
          "maxDeliveryCount": 10,
          "defaultTtlAsIso8601": "PT1H",
          "feedback": {
            "lockDurationAsIso8601": "PT1M",
            "ttlAsIso8601": "PT1H",
            "maxDeliveryCount": 10
          }
        },
        "features": "None",
        "disableLocalAuth": false,
        "allowedFqdnList": []
      }
    }
  ]
}

Edit the template


You have to make some changes before you can use the template to create the new hub in the new region. Use
VS Code or a text editor to edit the template.
Edit the hub name and location
1. Remove the container name parameter section at the top. ContosoHub does not have an associated
container.
"parameters": {
...
"IotHubs_ContosoHub_containerName": {
"type": "SecureString"
},
...
},

2. Remove the storageEndpoints property.

"properties": {
...
"storageEndpoints": {
"$default": {
"sasTtlAsIso8601": "PT1H",
"connectionString": "[parameters('IotHubs_ContosoHub_connectionString')]",
"containerName": "[parameters('IotHubs_ContosoHub_containerName')]"
}
},
...

3. Under resources , change the location from westus to eastus.


Old version:

"location": "westus",

New version:

"location": "eastus",

Update the keys for the routing resources that are not being moved
When you export the Resource Manager template for a hub that has routing configured, you will see that the
keys for those resources are not provided in the exported template -- their placement is denoted by asterisks.
You must fill them in by going to those resources in the portal and retrieving the keys before you import the
new hub's template and create the hub.
1. Retrieve the keys required for any of the routing resources and put them in the template. You can retrieve
the key(s) from the resource in the Azure portal.
For example, if you are routing messages to a storage container, find the storage account in the portal.
Under the Settings section, select Access keys , then copy one of the keys. Here's what the key looks like
when you first export the template:

"connectionString": "DefaultEndpointsProtocol=https;
AccountName=fabrikamstorage1234;AccountKey=****",
"containerName": "fabrikamresults",

2. After you retrieve the account key for the storage account, put it in the template in the clause
AccountKey=**** in the place of the asterisks.

3. For service bus queues, get the Shared Access Key matching the SharedAccessKeyName. Here is the key
and the SharedAccessKeyName in the json:
"connectionString": "Endpoint=sb://fabrikamsbnamespace1234.servicebus.windows.net:5671/;
SharedAccessKeyName=iothubroutes_FabrikamResources;
SharedAccessKey=****;
EntityPath=fabrikamsbqueue1234",

4. The same applies for the Service Bus Topics and Event Hub connections.
Create the new routing resources in the new location
This section only applies if you are moving the resources used by the hub for the routing endpoints.
If you want to move the routing resources, you must manually set up the resources in the new location. You can
create the routing resources using the Azure portal, or by exporting the Resource Manager template for each of
the resources used by the message routing, editing them, and importing them. After the resources are set up,
you can import the hub's template (which includes the routing configuration).
1. Create each resource used by the routing. You can do this manually using the Azure portal, or create the
resources using Resource Manager templates. If you want to use templates, these are the steps to follow:
a. For each resource used by the routing, export it to a Resource Manager template.
b. Update the name and location of the resource.
c. Update any cross-references between the resources. For example, if you create a template for a
new storage account, you need to update the storage account name in that template and any other
template that references it. In most cases, the routing section in the template for the hub is the
only other template that references the resource.
d. Import each of the templates, which deploys each resource.
Once the resources used by the routing are set up and running, you can continue.
2. In the template for the IoT hub, change the name of each of the routing resources to its new name, and
update the location if needed.
Now you have a template that will create a new hub that looks almost exactly like the old hub, depending on
how you decided to handle the routing.
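The template edits described in this section (and the location change in step 5 of the Event Hubs article above) are mechanical enough to script, which also keeps the redacted keys out of the edited file. The following is an added example, not code from the Azure documentation or any Microsoft sample. It works on an in-memory stand-in for the exported ContosoHub template (trimmed, with one storage routing endpoint added whose key the export has redacted), changes every resource location, removes the storageEndpoints block, and lists each connection string that still holds the exporter's "****" placeholder so the real key can be supplied as a deployment parameter rather than written into the template. It goes one step further than the manual steps by also dropping any template parameter that nothing references once the block is gone.

```python
"""Post-process an exported Resource Manager template for deployment in a new region.

Added example; it is not part of the Azure documentation and not Microsoft code.
It mirrors the manual edits described above: change every resource location,
drop the unused storageEndpoints block together with the parameters it alone
referenced, and list every connection string the export redacted with '****'
so the keys can be supplied at deployment time rather than committed to a file.
"""
import copy
import json
import re

# Constructed stand-in for an exported template.json: the ContosoHub export above,
# trimmed, plus one routing endpoint whose key the export has redacted.
EXPORTED_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "IotHubs_ContosoHub_connectionString": {"type": "SecureString"},
        "IotHubs_ContosoHub_containerName": {"type": "SecureString"},
        "IotHubs_ContosoHub_name": {"defaultValue": "ContosoHub", "type": "String"},
    },
    "variables": {},
    "resources": [{
        "type": "Microsoft.Devices/IotHubs",
        "apiVersion": "2021-07-01",
        "name": "[parameters('IotHubs_ContosoHub_name')]",
        "location": "westus",
        "sku": {"name": "S1", "tier": "Standard", "capacity": 1},
        "properties": {
            "routing": {"endpoints": {"storageContainers": [{
                "name": "fabrikamresults",
                "connectionString": "DefaultEndpointsProtocol=https;"
                                    "AccountName=fabrikamstorage1234;AccountKey=****",
                "containerName": "fabrikamresults",
            }]}},
            "storageEndpoints": {"$default": {
                "sasTtlAsIso8601": "PT1H",
                "connectionString": "[parameters('IotHubs_ContosoHub_connectionString')]",
                "containerName": "[parameters('IotHubs_ContosoHub_containerName')]",
            }},
        },
    }],
}

PARAM_REF = re.compile(r"parameters\('([^']+)'\)")              # ARM parameter reference
REDACTED_KEY = re.compile(r"(AccountKey|SharedAccessKey)=\*+")  # exporter's placeholder


def relocate(template, new_location):
    """Return a copy of the template with every resource's location set to new_location."""
    t = copy.deepcopy(template)
    for res in t["resources"]:
        if "location" in res:
            res["location"] = new_location
    return t


def drop_default_storage_endpoint(template):
    """Remove storageEndpoints from each IoT hub, then drop parameters nothing references any more."""
    t = copy.deepcopy(template)
    removed_refs = set()
    for res in t["resources"]:
        if res["type"] == "Microsoft.Devices/IotHubs":
            block = res["properties"].pop("storageEndpoints", None)
            if block is not None:
                removed_refs.update(PARAM_REF.findall(json.dumps(block)))
    still_used = set(PARAM_REF.findall(json.dumps([t["resources"], t["variables"]])))
    for name in removed_refs - still_used:
        t["parameters"].pop(name, None)
    return t


def redacted_connection_strings(template):
    """JSON paths of strings still holding a '****' key: each must be filled in before deployment."""
    found = []

    def walk(node, path):
        if isinstance(node, dict):
            for k, v in node.items():
                walk(v, path + [k])
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, path + [str(i)])
        elif isinstance(node, str) and REDACTED_KEY.search(node):
            found.append("/".join(path))

    walk(template, [])
    return found


def prepare_for_region(template, new_location):
    """Apply the edits in order and report what still needs a key; the input is left untouched."""
    t = relocate(drop_default_storage_endpoint(template), new_location)
    return t, redacted_connection_strings(t)


if __name__ == "__main__":
    new_template, pending = prepare_for_region(EXPORTED_TEMPLATE, "eastus")
    print(json.dumps(new_template, indent=2))
    for path in pending:
        print("key still needed at:", path)
```

Run it against a real template.json by replacing EXPORTED_TEMPLATE with json.load of the file. The paths it reports are the places the text above tells you to fill in from the portal; treating each as a SecureString parameter, instead of editing the key into the file, keeps the account and shared access keys out of whatever store the template ends up in.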

Move -- create the new hub in the new region by loading the
template
Create the new hub in the new location using the template. If you have routing resources that are going to
move, the resources should be set up in the new location and the references in the template updated to match. If
you are not moving the routing resources, they should be in the template with the updated keys.
1. Sign into the Azure portal.
2. Select Create a resource .
3. In the search box, type "template deployment" and select Enter.
4. Select template deployment (deploy using custom templates) . This takes you to a screen for the
Template deployment. Select Create . You see this screen:
5. Select Build your own template in the editor , which enables you to upload your template from a file.
6. Select Load file .

7. Browse for the new template you edited and select it, then select Open . It loads your template in the edit
window. Select Save .
8. Fill in the following fields on the custom deployment page.
Subscription : Select the subscription to use.
Resource group : Create a new resource group in a new location. If you already have one set up, you can
select it instead of creating a new one.
Region : If you selected an existing resource group, the region is filled in for you to match the location of
the resource group. If you created a new resource group, this will be its location.
Connection string : Fill in the connection string for your hub.
Hub name : Give the new hub in the new region a name.
9. Select the Review + create button.
10. Select the Create button. The portal validates your template and deploys your cloned hub. If you have
routing configuration data, it will be included in the new hub, but will point at the resources in the prior
location.
Managing the devices registered to the IoT hub
Now that you have your clone up and running, you need to copy all of the devices from the original hub to the
clone.
There are multiple ways to accomplish this. You either originally used Device Provisioning Service (DPS) to
provision the devices, or you didn't. If you did, this is not difficult. If you did not, this can be very complicated.
If you did not use DPS to provision your devices, you can skip the next section and start with Using
Import/Export to move the devices to the new hub.

Using DPS to re-provision the devices in the new hub


To use DPS to move the devices to the new location, see How to re-provision devices. When you're finished, you
can view the devices in the Azure portal and verify they are in the new location.
Go to the new hub using the Azure portal. Select your hub, then select IoT Devices . You see the devices that
were re-provisioned to the cloned hub. You can also view the properties for the cloned hub.
If you have implemented routing, test and make sure your messages are routed to the resources correctly.
Committing the changes after using DPS
This change has been committed by the DPS service.
Rolling back the changes after using DPS.
If you want to roll back the changes, re-provision the devices from the new hub to the old one.
You are now finished migrating your hub and its devices. You can skip to Clean-up.

Using Import-Export to move the devices to the new hub


The application targets .NET Core, so you can run it on either Windows or Linux. You can download the sample,
retrieve your connection strings, set the flags for which bits you want to run, and run it. You can do this without
ever opening the code.
Downloading the sample
1. Use the IoT C# samples from this page: Azure IoT Samples for C#. Download the zip file and unzip it on
your computer.
2. The pertinent code is in ./iot-hub/Samples/service/ImportExportDevicesSample. You don't need to view
or edit the code in order to run the application.
3. To run the application, specify three connection strings and five options. You pass this data in as
command-line arguments or use environment variables, or use a combination of the two. We're going to
pass the options in as command line arguments, and the connection strings as environment variables.
The reason for this is because the connection strings are long and ungainly, and unlikely to change, but
you might want to change the options and run the application more than once. To change the value of an
environment variable, you have to close the command window and Visual Studio or VS Code, whichever
you are using.
Options
Here are the five options you specify when you run the application. We'll put these on the command line in a
minute.
addDevices (argument 1) -- set this to true if you want to add virtual devices that are generated for you.
These are added to the source hub. Also, set numToAdd (argument 2) to specify how many devices you
want to add. The maximum number of devices you can register to a hub is one million. The purpose of
this option is for testing -- you can generate a specific number of devices, and then copy them to another
hub.
copyDevices (argument 3) -- set this to true to copy the devices from one hub to another.
deleteSourceDevices (argument 4) -- set this to true to delete all of the devices registered to the source
hub. We recommend waiting until you are certain all of the devices have been transferred before you
run this. Once you delete the devices, you can't get them back.
deleteDestDevices (argument 5) -- set this to true to delete all of the devices registered to the
destination hub (the clone). You might want to do this if you want to copy the devices more than once.
The basic command will be dotnet run -- this tells .NET to build the local csproj file and then run it. You add your
command-line arguments to the end before you run it.
Your command-line will look like these examples:
// Format: dotnet run add-devices num-to-add copy-devices delete-source-devices delete-destination-devices

// Add 1000 devices, don't copy them to the other hub, or delete them.
// The first argument is true, numToAdd is 1000, and the other arguments are false.
dotnet run true 1000 false false false

// Copy the devices you just added to the other hub; don't delete anything.
// The first argument is false, numToAdd is 0, copy-devices is true, and the delete arguments are both false.
dotnet run false 0 true false false

Using environment variables for the connection strings


1. To run the sample, you need the connection strings to the old and new IoT hubs, and to a storage account
you can use for temporary work files. We will store the values for these in environment variables.
2. To get the connection string values, sign in to the Azure portal.
3. Put the connection strings somewhere you can retrieve them, such as NotePad. If you copy the following,
you can paste the connection strings in directly where they go. Don't add spaces around the equal sign, or
it changes the variable name. Also, you do not need double-quotes around the connection strings. If you
put quotes around the storage account connection string, it won't work.
For Windows, this is how you set the environment variables:

SET IOTHUB_CONN_STRING=<put connection string to original IoT Hub here>
SET DEST_IOTHUB_CONN_STRING=<put connection string to destination or clone IoT Hub here>
SET STORAGE_ACCT_CONN_STRING=<put connection string to the storage account here>

For Linux, this is how you define the environment variables:

export IOTHUB_CONN_STRING="<put connection string to original IoT Hub here>"
export DEST_IOTHUB_CONN_STRING="<put connection string to destination or clone IoT Hub here>"
export STORAGE_ACCT_CONN_STRING="<put connection string to the storage account here>"

4. For the IoT hub connection strings, go to each hub in the portal. You can search in Resources for the hub.
If you know the Resource Group, you can go to Resource groups , select your resource group, and then
select the hub from the list of assets in that resource group.
5. Select Shared access policies from the Settings for the hub, then select iothubowner and copy one of
the connection strings. Do the same for the destination hub. Add them to the appropriate SET commands.
6. For the storage account connection string, find the storage account in Resources or under its Resource
group and open it.
7. Under the Settings section, select Access keys and copy one of the connection strings. Put the
connection string in your text file for the appropriate SET command.
Now you have the environment variables in a file with the SET commands, and you know what your
command-line arguments are. Let's run the sample.
Running the sample application and using command-line arguments
1. Open a command prompt window. Select Windows and type in command prompt to get the command
prompt window.
2. Copy the commands that set the environment variables, one at a time, and paste them into the command
prompt window and select Enter. When you're finished, type SET in the command prompt window to see
your environment variables and their values. Once you've copied these into the command prompt
window, you don't have to copy them again, unless you open a new command prompt window.
3. In the command prompt window, change directories until you are in ./ImportExportDevicesSample
(where the ImportExportDevicesSample.csproj file exists). Then type the following, and include your
command-line arguments.

// Format: dotnet run add-devices num-to-add copy-devices delete-source-devices delete-destination-devices
dotnet run arg1 arg2 arg3 arg4 arg5

The dotnet command builds and runs the application. Because you are passing in the options when you
run the application, you can change the values of them each time you run the application. For example,
you may want to run it once and create new devices, then run it again and copy those devices to a new
hub, and so on. You can also perform all the steps in the same run, although we recommend not deleting
any devices until you are certain you are finished with the cloning. Here is an example that creates 1000
devices and then copies them to the other hub.

// Format: dotnet run add-devices num-to-add copy-devices delete-source-devices delete-destination-devices

// Add 1000 devices, don't copy them to the other hub or delete them.
dotnet run true 1000 false false false

// Do not add any devices. Copy the ones you just created to the other hub; don't delete anything.
dotnet run false 0 true false false

After you verify that the devices were copied successfully, you can remove the devices from the source
hub like this:

// Format: dotnet run add-devices num-to-add copy-devices delete-source-devices delete-destination-devices

// Delete the devices from the source hub.
dotnet run false 0 false true false

Running the sample application using Visual Studio
1. If you want to run the application in Visual Studio, change your current directory to the folder where the
IoTHubServiceSamples.sln file resides. Then run this command in the command prompt window to open
the solution in Visual Studio. You must do this in the same command window where you set the
environment variables, so those variables are known.

IoTHubServiceSamples.sln

2. Right-click on the project ImportExportDevicesSample and select Set as startup project.
3. Set the variables at the top of Program.cs in the ImportExportDevicesSample folder for the five options.
// Add randomly created devices to the source hub.
private static bool addDevices = true;
//If you ask to add devices, this will be the number added.
private static int numToAdd = 0;
// Copy the devices from the source hub to the destination hub.
private static bool copyDevices = false;
// Delete all of the devices from the source hub. (It uses the IoTHubConnectionString).
private static bool deleteSourceDevices = false;
// Delete all of the devices from the destination hub. (Uses the DestIotHubConnectionString).
private static bool deleteDestDevices = false;

4. Select F5 to run the application. After it finishes running, you can view the results.
View the results
You can view the devices in the Azure portal and verify they are in the new location.
1. Go to the new hub using the Azure portal. Select your hub, then select IoT Devices . You see the devices
you just copied from the old hub to the cloned hub. You can also view the properties for the cloned hub.
2. Check for import/export errors by going to the Azure storage account in the Azure portal and looking in
the devicefiles container for the ImportErrors.log . If this file is empty (the size is 0), there were no
errors. If you try to import the same device more than once, it rejects the device the second time and
adds an error message to the log file.
Committing the changes
At this point, you have copied your hub to the new location and migrated the devices to the new clone. Now you
need to make changes so the devices work with the cloned hub.
To commit the changes, here are the steps you need to perform:
Update each device so that its IoT Hub host name points to the new hub. You should do this using the
same method you used when you first provisioned the device.
Change any applications you have that refer to the old hub to point to the new hub.
After you're finished, the new hub should be up and running. The old hub should have no active devices
and be in a disconnected state.
Rolling back the changes
If you decide to roll back the changes, here are the steps to perform:
Update each device so that its IoT Hub host name points to the old hub. You should do this using the
same method you used when you first provisioned the device.
Change any applications you have that refer to the new hub to point to the old hub. For example, if you
are using Azure Analytics, you may need to reconfigure your Azure Stream Analytics input.
Delete the new hub.
If you have routing resources, the configuration on the old hub should still point to the correct routing
configuration, and should work with those resources after the hub is restarted.
Checking the results
To check the results, change your IoT solution to point to your hub in the new location and run it. In other words,
perform the same actions with the new hub that you performed with the previous hub and make sure they work
correctly.
If you have implemented routing, test and make sure your messages are routed to the resources correctly.
Clean-up
Don't clean up until you are really certain the new hub is up and running and the devices are working correctly.
Also be sure to test the routing if you are using that feature. When you're ready, clean up the old resources by
performing these steps:
If you haven't already, delete the old hub. This removes all of the active devices from the hub.
If you have routing resources that you moved to the new location, you can delete the old routing
resources.

Next steps
You have cloned an IoT hub into a new hub in a new region, complete with the devices. For more information
about performing bulk operations against the identity registry in an IoT Hub, see Import and export IoT Hub
device identities in bulk.
For more information about IoT Hub and development for the hub, please see the following articles.
IoT Hub developer's guide
IoT Hub routing tutorial
IoT Hub device management overview
If you want to deploy the sample application, please see .NET Core application deployment.
Move Microsoft.Resources resources to new region
2/23/2022 • 2 minutes to read

You may need to move an existing resource to a new region. This article shows how to move two resource types
- templateSpecs and deploymentScripts - that are in the Microsoft.Resources namespace.

Move template specs to new region
If you have a template spec in one region and want to move it to new region, you can export the template spec
and redeploy it.
1. Use the command to export an existing template spec. For the parameter values, provide the values that
match the template spec you want to export.
For Azure PowerShell, use:

Export-AzTemplateSpec `
-ResourceGroupName demoRG `
-Name demoTemplateSpec `
-Version 1.0 `
-OutputFolder c:\export

For Azure CLI, use:

az template-specs export \
--resource-group demoRG \
--name demoTemplateSpec \
--version 1.0 \
--output-folder c:\export

2. Use the exported template spec to create a new template spec. The following examples show westus for
the new region but you can provide the region you want.
For Azure PowerShell, use:

New-AzTemplateSpec `
-Name movedTemplateSpec `
-Version 1.0 `
-ResourceGroupName newRG `
-Location westus `
-TemplateJsonFile c:\export\1.0.json

For Azure CLI, use:

az template-specs create \
--name movedTemplateSpec \
--version "1.0" \
--resource-group newRG \
--location "westus" \
--template-file "c:\export\demoTemplateSpec.json"

Move deployment scripts to new region
1. Select the resource group that contains the deployment script you want to move to a new region.
2. Export the template. When exporting, select the deployment script and any other required resources.
3. In the exported template, delete the following properties:
tenantId
principalId
clientId
4. The exported template has a hardcoded value for the region of the deployment script.

"location": "westus2",

Change the template to allow a parameter for setting the location. For more information, see Set resource
location in ARM template

"location": "[parameters('location')]",

5. Deploy the exported template and specify a new region for the deployment script.

Next steps
To learn about moving resources to a new resource group or subscription, see Move resources to a new
resource group or subscription.
To learn about moving resources to a new region, see Move resources across regions.
Move an Azure Storage account to another region
2/23/2022 • 5 minutes to read

To move a storage account, create a copy of your storage account in another region. Then, move your data to
that account by using AzCopy, or another tool of your choice.
In this article, you'll learn how to:
Export a template.
Modify the template by adding the target region and storage account name.
Deploy the template to create the new storage account.
Configure the new storage account.
Move data to the new storage account.
Delete the resources in the source region.

Prerequisites
Ensure that the services and features that your account uses are supported in the target region.
For preview features, ensure that your subscription is allowlisted for the target region.

Prepare
To get started, export, and then modify a Resource Manager template.
Export a template
This template contains settings that describe your storage account.
Portal
PowerShell

To export a template by using Azure portal:
1. Sign in to the Azure portal.
2. Select All resources and then select your storage account.
3. Select Automation > Export template.
4. Choose Download in the Export template blade.
5. Locate the .zip file that you downloaded from the portal, and unzip that file to a folder of your choice.
This zip file contains the .json files that comprise the template and scripts to deploy the template.
Modify the template
Modify the template by changing the storage account name and region.
Portal
PowerShell

To deploy the template by using Azure portal:
1. In the Azure portal, select Create a resource .
2. In Search the Marketplace , type template deployment , and then press ENTER .
3. Select Template deployment .

4. Select Create .
5. Select Build your own template in the editor .
6. Select Load file , and then follow the instructions to load the template.json file that you downloaded in
the last section.
7. In the template.json file, name the target storage account by setting the default value of the storage
account name. This example sets the default value of the storage account name to mytargetaccount .

"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
    "storageAccounts_mysourceaccount_name": {
        "defaultValue": "mytargetaccount",
        "type": "String"
    }
},

8. Edit the location property in the template.json file to the target region. This example sets the target
region to centralus .

"resources": [{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2019-04-01",
"name": "[parameters('storageAccounts_mysourceaccount_name')]",
"location": "centralus"
}]

To obtain region location codes, see Azure Locations. The code for a region is the region name with no
spaces, Central US = centralus .
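One way to script the template edits described above, covering both the deployment script case (remove tenantId, principalId and clientId, then parameterize the hard-coded location) and the storage account case (new default for the account-name parameter plus the target region). This is an added Python example, not code from the Azure documentation; the template, resource names and zero/placeholder GUIDs in it are constructed.

```python
"""Prepare an exported ARM template for redeployment in another region (added example)."""
import copy

# Identity values tied to the source deployment; the article says to delete them
# before redeploying so the new deployment is not bound to the old principal.
IDENTITY_PROPERTIES = frozenset({"tenantId", "principalId", "clientId"})

# Constructed stand-in for a portal export; the values are placeholders.
SAMPLE_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "storageAccounts_mysourceaccount_name": {"defaultValue": "mysourceaccount", "type": "String"}
    },
    "resources": [
        {
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2019-04-01",
            "name": "[parameters('storageAccounts_mysourceaccount_name')]",
            "location": "westus2",
        },
        {
            "type": "Microsoft.Resources/deploymentScripts",
            "apiVersion": "2020-10-01",
            "name": "demoScript",
            "location": "westus2",
            "kind": "AzurePowerShell",
            "identity": {
                "type": "UserAssigned",
                "userAssignedIdentities": {
                    # placeholder resource ID (all-zero subscription), not a real identity
                    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/demoRG/"
                    "providers/Microsoft.ManagedIdentity/userAssignedIdentities/demoIdentity": {
                        "principalId": "11111111-1111-1111-1111-111111111111",
                        "clientId": "22222222-2222-2222-2222-222222222222",
                    }
                },
            },
            "properties": {
                "azPowerShellVersion": "7.0",
                "retentionInterval": "P1D",
                "tenantId": "33333333-3333-3333-3333-333333333333",
            },
        },
    ],
}


def strip_identity_values(node):
    """Recursively delete tenantId/principalId/clientId keys in place."""
    if isinstance(node, dict):
        for key in list(node):
            if key in IDENTITY_PROPERTIES:
                del node[key]
            else:
                strip_identity_values(node[key])
    elif isinstance(node, list):
        for item in node:
            strip_identity_values(item)
    return node


def has_identity_values(node):
    """True if any tenantId/principalId/clientId key survives anywhere in the tree."""
    if isinstance(node, dict):
        return any(k in IDENTITY_PROPERTIES or has_identity_values(v) for k, v in node.items())
    if isinstance(node, list):
        return any(has_identity_values(item) for item in node)
    return False


def parameterize_location(template, target_region):
    """Point every hard-coded resource location at a 'location' parameter whose
    default is target_region. Locations that are already ARM expressions (they
    start with '[') are left alone. Returns the number of resources changed."""
    template.setdefault("parameters", {})["location"] = {"type": "string", "defaultValue": target_region}
    changed = 0
    for resource in template.get("resources", []):
        location = resource.get("location")
        if isinstance(location, str) and not location.startswith("["):
            resource["location"] = "[parameters('location')]"
            changed += 1
    return changed


def set_parameter_default(template, name, value):
    """Give an already-declared parameter a new defaultValue (e.g. the target account name)."""
    params = template.get("parameters", {})
    if name not in params:
        raise KeyError(f"parameter {name!r} is not declared in the template")
    params[name]["defaultValue"] = value


def prepare_for_region(template, target_region, parameter_defaults=None):
    """Return a copy of the template ready for the target region; the input is untouched."""
    prepared = copy.deepcopy(template)
    strip_identity_values(prepared)
    parameterize_location(prepared, target_region)
    for name, value in (parameter_defaults or {}).items():
        set_parameter_default(prepared, name, value)
    return prepared


if __name__ == "__main__":
    import json
    moved = prepare_for_region(SAMPLE_TEMPLATE, "centralus",
                               {"storageAccounts_mysourceaccount_name": "mytargetaccount"})
    print(json.dumps(moved, indent=2))
```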

Move
Deploy the template to create a new storage account in the target region.
Portal
PowerShell

1. Save the template.json file.
2. Enter or select the property values:
Subscription : Select an Azure subscription.
Resource group : Select Create new and give the resource group a name.
Location : Select an Azure location.
3. Click the I agree to the terms and conditions stated above checkbox, and then click the Select
Purchase button.
Configure the new storage account
Some features won't export to a template, so you'll have to add them to the new storage account.
The following table lists these features along with guidance for adding them to your new storage account.

FEATURE                          GUIDANCE
Lifecycle management policies    Manage the Azure Blob storage lifecycle
Static websites                  Host a static website in Azure Storage
Event subscriptions              Reacting to Blob storage events
Alerts                           Create, view, and manage activity log alerts by using Azure Monitor
Content Delivery Network (CDN)   Use Azure CDN to access blobs with custom domains over HTTPS

NOTE
If you set up a CDN for the source storage account, just change the origin of your existing CDN to the primary blob
service endpoint (or the primary static website endpoint) of your new account.

Move data to the new storage account
AzCopy is the preferred tool to move your data over. It's optimized for performance. One reason it's faster is
that data is copied directly between storage servers, so AzCopy doesn't use the network bandwidth of your
computer. Use AzCopy at the command line or as part of a custom script. See Get started with AzCopy.
You can also use Azure Data Factory to move your data over. It provides an intuitive user interface. To use Azure
Data Factory, see any of these links:
Copy data to or from Azure Blob storage by using Azure Data Factory
Copy data to or from Azure Data Lake Storage Gen2 using Azure Data Factory
Copy data from or to Azure Files by using Azure Data Factory
Copy data to and from Azure Table storage by using Azure Data Factory

Discard or clean up
After the deployment, if you want to start over, you can delete the target storage account, and repeat the steps
described in the Prepare and Move sections of this article.
To commit the changes and complete the move of a storage account, delete the source storage account.
Portal
PowerShell

To remove a storage account by using the Azure portal:
1. In the Azure portal, expand the menu on the left side to open the menu of services, and choose Storage
accounts to display the list of your storage accounts.
2. Locate the source storage account you want to delete, and right-click the More button (...) on the right
side of the listing.
3. Select Delete , and confirm.

Next steps
In this tutorial, you moved an Azure storage account from one region to another and cleaned up the source
resources. To learn more about moving resources between regions and disaster recovery in Azure, refer to:
Move resources to a new resource group or subscription
Move Azure VMs to another region
Move resources to new region - Azure SQL
Database & Azure SQL Managed Instance
2/23/2022 • 10 minutes to read

APPLIES TO: Azure SQL Database, Azure SQL Managed Instance
This article teaches you a generic workflow for how to move your database or managed instance to a new
region.

Overview
There are various scenarios in which you'd want to move your existing database or managed instance from one
region to another. For example, you're expanding your business to a new region and want to optimize it for the
new customer base. Or you need to move the operations to a different region for compliance reasons. Or Azure
released a new region that provides a better proximity and improves the customer experience.
This article provides a general workflow for moving resources to a different region. The workflow consists of the
following steps:
1. Verify the prerequisites for the move.
2. Prepare to move the resources in scope.
3. Monitor the preparation process.
4. Test the move process.
5. Initiate the actual move.
6. Remove the resources from the source region.

NOTE
This article applies to migrations within the Azure public cloud or within the same sovereign cloud.

NOTE
To move Azure SQL databases and elastic pools to a different Azure region, you can also use Azure Resource Mover (in
preview). Refer to this tutorial for detailed steps.

NOTE
This article uses the Azure Az PowerShell module, which is the recommended PowerShell module for interacting with
Azure. To get started with the Az PowerShell module, see Install Azure PowerShell. To learn how to migrate to the Az
PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.

Move a database
Verify prerequisites
1. Create a target server for each source server.
2. Configure the firewall with the right exceptions by using PowerShell.
3. Configure the servers with the correct logins. If you're not the subscription administrator or SQL server
administrator, work with the administrator to assign the permissions that you need. For more
information, see How to manage Azure SQL Database security after disaster recovery.
4. If your databases are encrypted with transparent data encryption (TDE) and bring your own encryption
key (BYOK or Customer-Managed Key) in Azure Key Vault, ensure that the correct encryption material is
provisioned in the target regions.
The simplest way to do this is to add the encryption key from the existing key vault (the one being used
as the TDE Protector on the source server) to the target server, and then set that key as the TDE Protector on
the target server.

NOTE
A server or managed instance in one region can now be connected to a key vault in any other region.

As a best practice to ensure the target server has access to older encryption keys (required for
restoring database backups), run the Get-AzSqlServerKeyVaultKey cmdlet on the source server or the
Get-AzSqlInstanceKeyVaultKey cmdlet on the source managed instance to return the list of available keys
and add those keys to the target server.
For more information and best practices on configuring customer-managed TDE on the target server,
see Azure SQL transparent data encryption with customer-managed keys in Azure Key Vault.
To move the key vault to the new region, see Move an Azure key vault across regions.
5. If database-level audit is enabled, disable it and enable server-level auditing instead. After failover,
database-level auditing will require the cross-region traffic, which isn't desired or possible after the move.
6. For server-level audits, ensure that:
The storage container, Log Analytics, or event hub with the existing audit logs is moved to the target
region.
Auditing is configured on the target server. For more information, see Get started with SQL Database
auditing.
7. If your instance has a long-term retention policy (LTR), the existing LTR backups will remain associated
with the current server. Because the target server is different, you'll be able to access the older LTR
backups in the source region by using the source server, even if the server is deleted.

NOTE
This will be insufficient for moving between the sovereign cloud and a public region. Such a migration will require
moving the LTR backups to the target server, which is not currently supported.

Prepare resources
1. Create a failover group between the server of the source and the server of the target.
2. Add the databases you want to move to the failover group.
Replication of all added databases will be initiated automatically. For more information, see Best practices
for using failover groups with single databases.
Monitor the preparation process
You can periodically call Get-AzSqlDatabaseFailoverGroup to monitor replication of your databases from the
source to the target. The output object of Get-AzSqlDatabaseFailoverGroup includes a property for the
ReplicationState :
ReplicationState = 2 (CATCH_UP) indicates the database is synchronized and can be safely failed over.
ReplicationState = 0 (SEEDING) indicates that the database is not yet seeded, and an attempt to fail over
will fail.
Test synchronization
After ReplicationState is 2, connect to each database or subset of databases using the secondary endpoint
<fog-name>.secondary.database.windows.net and perform any query against the databases to ensure connectivity,
proper security configuration, and data replication.
Initiate the move
1. Connect to the target server using the secondary endpoint <fog-name>.secondary.database.windows.net .
2. Use Switch-AzSqlDatabaseFailoverGroup to switch the secondary managed instance to be the primary with
full synchronization. This operation will succeed or it will roll back.
3. Verify that the command has completed successfully by using
nslookup <fog-name>.secondary.database.windows.net to ascertain that the DNS CNAME entry points to the
target region IP address. If the switch command fails, the CNAME won't be updated.
Remove the source databases
Once the move completes, remove the resources in the source region to avoid unnecessary charges.
1. Delete the failover group using Remove-AzSqlDatabaseFailoverGroup.
2. Delete each source database using Remove-AzSqlDatabase for each of the databases on the source server.
This will automatically terminate geo-replication links.
3. Delete the source server using Remove-AzSqlServer.
4. Remove the key vault, audit storage containers, event hub, Azure Active Directory (Azure AD) instance, and
other dependent resources to stop being billed for them.

Move elastic pools
Verify prerequisites
1. Create a target server for each source server.
2. Configure the firewall with the right exceptions using PowerShell.
3. Configure the servers with the correct logins. If you're not the subscription administrator or server
administrator, work with the administrator to assign the permissions that you need. For more
information, see How to manage Azure SQL Database security after disaster recovery.
4. If your databases are encrypted with transparent data encryption and use your own encryption key in
Azure Key Vault, ensure that the correct encryption material is provisioned in the target region.
5. Create a target elastic pool for each source elastic pool, making sure the pool is created in the same
service tier, with the same name and the same size.
6. If a database-level audit is enabled, disable it and enable server-level auditing instead. After failover,
database-level auditing will require cross-region traffic, which is not desired, or possible after the move.
7. For server-level audits, ensure that:
The storage container, Log Analytics, or event hub with the existing audit logs is moved to the target
region.
Audit configuration is configured at the target server. For more information, see SQL Database
auditing.
8. If your instance has a long-term retention policy (LTR), the existing LTR backups will remain associated
with the current server. Because the target server is different, you'll be able to access the older LTR
backups in the source region using the source server, even if the server is deleted.

NOTE
This will be insufficient for moving between the sovereign cloud and a public region. Such a migration will require
moving the LTR backups to the target server, which is not currently supported.

Prepare to move
1. Create a separate failover group between each elastic pool on the source server and its counterpart
elastic pool on the target server.
2. Add all the databases in the pool to the failover group.
Replication of the added databases will be initiated automatically. For more information, see Best
practices for failover groups with elastic pools.

NOTE
While it is possible to create a failover group that includes multiple elastic pools, we strongly recommend that you
create a separate failover group for each pool. If you have a large number of databases across multiple elastic
pools that you need to move, you can run the preparation steps in parallel and then initiate the move step in
parallel. This process will scale better and will take less time compared to having multiple elastic pools in the same
failover group.

Monitor the preparation process
You can periodically call Get-AzSqlDatabaseFailoverGroup to monitor replication of your databases from the
source to the target. The output object of Get-AzSqlDatabaseFailoverGroup includes a property for the
ReplicationState :
ReplicationState = 2 (CATCH_UP) indicates the database is synchronized and can be safely failed over.
ReplicationState = 0 (SEEDING) indicates that the database is not yet seeded, and an attempt to fail over
will fail.
Test synchronization
Once ReplicationState is 2, connect to each database or subset of databases using the secondary endpoint
<fog-name>.secondary.database.windows.net and perform any query against the databases to ensure connectivity,
proper security configuration, and data replication.
Initiate the move
1. Connect to the target server using the secondary endpoint <fog-name>.secondary.database.windows.net .
2. Use Switch-AzSqlDatabaseFailoverGroup to switch the secondary managed instance to be the primary with
full synchronization. This operation will either succeed, or it will roll back.
3. Verify that the command has completed successfully by using
nslookup <fog-name>.secondary.database.windows.net to ascertain that the DNS CNAME entry points to the
target region IP address. If the switch command fails, the CNAME won't be updated.
Remove the source elastic pools
Once the move completes, remove the resources in the source region to avoid unnecessary charges.
1. Delete the failover group using Remove-AzSqlDatabaseFailoverGroup.
2. Delete each source elastic pool on the source server using Remove-AzSqlElasticPool.
3. Delete the source server using Remove-AzSqlServer.
4. Remove the key vault, audit storage containers, event hub, Azure AD instance, and other dependent
resources to stop being billed for them.

Move a managed instance
Verify prerequisites
1. For each source managed instance, create a target instance of SQL Managed Instance of the same size in the
target region.
2. Configure the network for a managed instance. For more information, see network configuration.
3. Configure the target master database with the correct logins. If you're not the subscription or SQL Managed
Instance administrator, work with the administrator to assign the permissions that you need.
4. If your databases are encrypted with transparent data encryption and use your own encryption key in Azure
Key Vault, ensure that the Azure Key Vault with identical encryption keys exists in both source and target
regions. For more information, see Transparent data encryption with customer-managed keys in Azure Key
Vault.
5. If audit is enabled for the managed instance, ensure that:
The storage container or event hub with the existing logs is moved to the target region.
Audit is configured on the target instance. For more information, see Auditing with SQL Managed
Instance.
6. If your instance has a long-term retention policy (LTR), the existing LTR backups will remain associated with
the current instance. Because the target instance is different, you'll be able to access the older LTR backups in
the source region using the source instance, even if the instance is deleted.

NOTE
This will be insufficient for moving between the sovereign cloud and a public region. Such a migration will require moving
the LTR backups to the target instance, which is not currently supported.

Prepare resources
Create a failover group between each source managed instance and the corresponding target instance of SQL
Managed Instance.
Replication of all databases on each instance will be initiated automatically. For more information, see Auto-
failover groups.
Monitor the preparation process
You can periodically call Get-AzSqlDatabaseFailoverGroup to monitor replication of your databases from the
source to the target. The output object of Get-AzSqlDatabaseFailoverGroup includes a property for the
ReplicationState :
ReplicationState = 2 (CATCH_UP) indicates the database is synchronized and can be safely failed over.
ReplicationState = 0 (SEEDING) indicates that the database isn't yet seeded, and an attempt to fail over will
fail.
Test synchronization
Once ReplicationState is 2, connect to each database, or subset of databases, using the secondary endpoint
<fog-name>.secondary.database.windows.net and perform any query against the databases to ensure connectivity,
proper security configuration, and data replication.
Initiate the move
1. Connect to the target managed instance by using the secondary endpoint
<fog-name>.secondary.database.windows.net .
2. Use Switch-AzSqlDatabaseFailoverGroup to switch the secondary managed instance to be the primary with
full synchronization. This operation will succeed, or it will roll back.
3. Verify that the command has completed successfully by using
nslookup <fog-name>.secondary.database.windows.net to ascertain that the DNS CNAME entry points to the
target region IP address. If the switch command fails, the CNAME won't be updated.
Remove the source managed instances
Once the move finishes, remove the resources in the source region to avoid unnecessary charges.
1. Delete the failover group using Remove-AzSqlDatabaseFailoverGroup. This will drop the failover group
configuration and terminate geo-replication links between the two instances.
2. Delete the source managed instance using Remove-AzSqlInstance.
3. Remove any additional resources in the resource group, such as the virtual cluster, virtual network, and
security group.
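The database, elastic pool and managed instance procedures above share the same two checks: every failover group must report ReplicationState 2 (CATCH_UP) before Switch-AzSqlDatabaseFailoverGroup is run, and afterwards the address the secondary endpoint resolves to must sit in the target region. This added Python example (not Microsoft's code) models that gate; the failover group names, gateway ranges and resolved addresses in it are constructed placeholders, with the real ranges coming from the published Azure SQL gateway IP list for the target region.

```python
"""Cut-over gate for a failover-group-based region move (added example)."""
import ipaddress
from dataclasses import dataclass

# ReplicationState values reported by Get-AzSqlDatabaseFailoverGroup, as the text describes.
SEEDING = 0
CATCH_UP = 2
STATE_NAMES = {SEEDING: "SEEDING", CATCH_UP: "CATCH_UP"}


@dataclass(frozen=True)
class FailoverGroup:
    name: str               # the <fog-name> part of the endpoint
    target_server: str      # server that becomes primary after the switch
    replication_state: int  # ReplicationState from the cmdlet output


def secondary_endpoint(group):
    """Endpoint used to test synchronization and to verify the CNAME after the switch."""
    return f"{group.name}.secondary.database.windows.net"


def switch_gate(groups):
    """Return (ok, blockers). ok is True only when every group is CATCH_UP, so one
    pool still seeding blocks the whole move instead of failing part-way through."""
    blockers = []
    for group in groups:
        if group.replication_state != CATCH_UP:
            state = STATE_NAMES.get(group.replication_state, str(group.replication_state))
            blockers.append(f"{group.name}: ReplicationState={state}; Switch would fail")
    return (not blockers, blockers)


def resolved_in_target_region(resolved_ip, target_gateway_ranges):
    """True when the address nslookup returned for the secondary endpoint lies in a
    target-region gateway subnet. A failed switch leaves the CNAME unchanged, so the
    address would still belong to the source region."""
    ip = ipaddress.ip_address(resolved_ip)
    return any(ip in ipaddress.ip_network(r) for r in target_gateway_ranges)


# Constructed sample: two pools being moved, one still seeding.
SAMPLE_GROUPS = [
    FailoverGroup("fog-pool1", "sql-target-eastus", CATCH_UP),
    FailoverGroup("fog-pool2", "sql-target-eastus", SEEDING),
]
# Constructed placeholder ranges and addresses (TEST-NET blocks), not real Azure gateways.
TARGET_GATEWAY_RANGES = ["203.0.113.0/24"]
SOURCE_RESOLVED_IP = "198.51.100.7"
TARGET_RESOLVED_IP = "203.0.113.42"

if __name__ == "__main__":
    ok, blockers = switch_gate(SAMPLE_GROUPS)
    print("ready to switch" if ok else "blocked:\n  " + "\n  ".join(blockers))
    print(secondary_endpoint(SAMPLE_GROUPS[0]), "resolves into target region:",
          resolved_in_target_region(TARGET_RESOLVED_IP, TARGET_GATEWAY_RANGES))
```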

Next steps
Manage your database after it has been migrated.
Tutorial: Move Azure VMs across regions
2/23/2022 • 8 minutes to read

In this article, learn how to move Azure VMs, and related network/storage resources, to a different Azure region,
using Azure Resource Mover.
In this tutorial, you learn how to:
Check prerequisites and requirements.
Select the resources you want to move.
Resolve resource dependencies.
Prepare and move the source resource group.
Prepare and move the other resources.
Decide whether you want to discard or commit the move.
Optionally remove resources in the source region after the move.

NOTE
Tutorials show the quickest path for trying out a scenario, and use default options.

If you don't have an Azure subscription, create a free account before you begin. Then sign in to the Azure portal.

Prerequisites
REQUIREMENT                  DESCRIPTION
Resource Mover support       Review supported regions and other common questions.
Subscription permissions     Check you have Owner access on the subscription containing the resources that you
                             want to move.
                             Why do I need Owner access? The first time you add a resource for a specific source
                             and destination pair in an Azure subscription, Resource Mover creates a
                             system-assigned managed identity (formerly known as Managed Service Identity (MSI))
                             that's trusted by the subscription. To create the identity, and to assign it the
                             required role (Contributor or User Access administrator in the source subscription),
                             the account you use to add resources needs Owner permissions on the subscription.
                             Learn more about Azure roles.
VM support                   Check that the VMs you want to move are supported.
                             - Verify supported Windows VMs.
                             - Verify supported Linux VMs and kernel versions.
                             - Check supported compute, storage, and networking settings.
Destination subscription     The subscription in the destination region needs enough quota to create the
                             resources you're moving in the target region. If it doesn't have quota, request
                             additional limits.
Destination region charges   Verify pricing and charges associated with the target region to which you're moving
                             VMs. Use the pricing calculator to help you.

Prepare VMs
1. After checking that VMs meet requirements, make sure that VMs you want to move are turned on. All VMs
disks that you want to be available in the destination region must be attached and initialized in the VM.
2. Make sure VMs have the latest trusted root certificates, and an updated certificate revocation list (CRL). To do
this:
On Windows VMs, install the latest Windows updates.
On Linux VMs, follow distributor guidance so that machines have the latest certificates and CRL.
3. Allow outbound connectivity from VMs:
If you're using a URL-based firewall proxy to control outbound connectivity, allow access to these
URLs
If you're using network security group (NSG) rules to control outbound connectivity, create these
service tag rules.

Select resources
Select resources you want to move.
All supported resource types in resource groups within the selected source region are displayed.
Resources that have already been added for moving across regions aren't shown.
You move resources to a target region in the same subscription as the source region. If you want to change
the subscription, you can do that after the resources are moved.
1. In the Azure portal, search for resource mover. Then, under Services, select Azure Resource Mover.
2. In Overview, click Get started.
3. In Move resources > Source + destination, select the source subscription and region.
4. In Destination, select the region to which you want to move the VMs. Then click Next.
5. In Resources to move, click Select resources.
6. In Select resources, select the VM. You can only add resources supported for move. Then click Done.
7. In Resources to move, click Next.
8. In Review, check the source and destination settings.
9. Click Proceed, to begin adding the resources.
10. After the add process finishes successfully, click Adding resources for move in the notification icon.
11. After clicking the notification, review the resources on the Across regions page.
NOTE
Added resources are in a Prepare pending state.
The resource group for the VMs is added automatically.
If you want to remove a resource from a move collection, the method for doing that depends on where you are in
the move process. Learn more.

Resolve dependencies
1. If resources show a Validate dependencies message in the Issues column, click the Validate
dependencies button. The validation process begins.
2. If dependencies are found, click Add dependencies .
3. In Add dependencies , leave the default Show all dependencies option.
Show all dependencies iterates through all of the direct and indirect dependencies for a resource. For
example, for a VM it shows the NIC, virtual network, network security groups (NSGs) etc.
Show first level dependencies only shows only direct dependencies. For example, for a VM it shows
the NIC, but not the virtual network.
4. Select the dependent resources you want to add > Add dependencies . Monitor progress in the
notifications.

5. Validate dependencies again.

Move the source resource group


Before you can prepare and move VMs, the VM resource group must be present in the target region.
Prepare to move the source resource group
During the Prepare process, Resource Mover generates Azure Resource Manager (ARM) templates using the
resource group settings. Resources inside the resource group aren't affected.
Prepare as follows:
1. In Across regions , select the source resource group > Prepare .
2. In Prepare resources , click Prepare .

NOTE
After preparing the resource group, it's in the Initiate move pending state.

Move the source resource group


Initiate the move as follows:
1. In Across regions , select the resource group > Initiate Move
2. In Move Resources, click Initiate move. The resource group moves into an Initiate move in progress
state.
3. After initiating the move, the target resource group is created, based on the generated ARM template. The
source resource group moves into a Commit move pending state.

To commit and finish the move process:


1. In Across regions , select the resource group > Commit move .
2. In Move Resources, click Commit.

NOTE
After committing the move, the source resource group is in a Delete source pending state.

Prepare resources to move


Now that the source resource group is moved, you can prepare to move other resources that are in the Prepare
pending state.
1. In Across regions , verify that resources are now in a Prepare pending state, with no issues. If they're not,
validate again and resolve any outstanding issues.
2. If you want to edit target settings before beginning the move, select the link in the Destination
configuration column for the resource, and edit the settings. If you edit the target VM settings, the
target VM size shouldn't be smaller than the source VM size.
3. Select the resources you want to prepare.

4. Select Prepare .

NOTE
During the prepare process, the Azure Site Recovery Mobility agent is installed on VMs, to replicate them.
VM data is replicated periodically to the target region. This doesn't affect the source VM.
Resource Mover generates ARM templates for the other source resources.
After preparing resources, they're in an Initiate move pending state.

Initiate the move


With resources prepared, you can now initiate the move.
1. In Across regions , select resources with state Initiate move pending. Then click Initiate move .
2. In Move resources , click Initiate move .
3. Track move progress in the notifications bar.

NOTE
For VMs, replica VMs are created in the target region. The source VM is shut down, and some downtime occurs
(usually minutes).
Resource Mover recreates other resources using the ARM templates that were prepared. There's usually no downtime.
After moving resources, they're in a Commit move pending state.
Discard or commit?
After the initial move, you can decide whether you want to commit the move, or to discard it.
Discard : You might discard a move if you're testing, and you don't want to actually move the source
resource. Discarding the move returns the resource to a state of Initiate move pending.
Commit : Commit completes the move to the target region. After committing, a source resource will be in a
state of Delete source pending, and you can decide if you want to delete it.

Discard the move


You can discard the move as follows:
1. In Across regions , select resources with state Commit move pending, and click Discard move .
2. In Discard move , click Discard .
3. Track move progress in the notifications bar.

NOTE
After discarding resources, VMs are in an Initiate move pending state.

Commit the move


If you want to complete the move process, commit the move.
1. In Across regions , select resources with state Commit move pending, and click Commit move .
2. In Commit resources , click Commit .
3. Track the commit progress in the notifications bar.
NOTE
After committing the move, VMs stop replicating. The source VM isn't impacted by the commit.
Commit doesn't impact source networking resources.
After committing the move, resources are in a Delete source pending state.

Configure settings after the move


The Mobility service isn't uninstalled automatically from VMs. Uninstall it manually, or leave it if you plan to
move the server again.
Modify Azure role-based access control (Azure RBAC) rules after the move.

Delete source resources after commit


After the move, you can optionally delete resources in the source region.

NOTE
A few resources, for example key vaults and SQL Server servers, can't be deleted from the portal, and must be deleted
from the resource property page.

1. In Across Regions , click the name of the source resource that you want to delete.
2. Select Delete source .

Delete additional resources created for move


After the move, you can manually delete the move collection, and Site Recovery resources that were created.
The move collection is hidden by default. To see it you need to turn on hidden resources.
The cache storage account has a lock that must be removed before the account can be deleted.
Delete as follows:
1. Locate the resources in resource group RegionMoveRG-<sourceregion>-<target-region>.
2. Check that all the VM and other source resources in the source region have been moved or deleted. This
ensures that there are no pending resources using them.
3. Delete the resources:
The move collection name is movecollection-<sourceregion>-<target-region>.
The cache storage account name is resmovecache<guid>.
The vault name is ResourceMove-<sourceregion>-<target-region>-GUID.

Next steps
In this tutorial, you:
Moved Azure VMs to another Azure region.
Moved resources associated with VMs to another region.
Now, try moving Azure SQL databases and elastic pools to another region.
Move Azure SQL resources
Move logic app resources to other Azure resource
groups, regions, or subscriptions
2/23/2022 • 6 minutes to read

To migrate your logic app or related resources to another Azure resource group, region, or subscription, you
have various ways to complete these tasks, such as the Azure portal, Azure PowerShell, Azure CLI, and REST API.
Before you move resources, review these considerations:
You can move only specific logic app resource types between Azure resource groups or subscriptions.
Check the limits on the number of logic app resources that you can have in your Azure subscription and
in each Azure region. These limits affect whether you can move specific resource types when the region
stays the same across subscriptions or resource groups. For example, you can have only one Free tier
integration account for each Azure region in each Azure subscription.
When you move resources, Azure creates new resource IDs. So, make sure that you use the new IDs
instead and update any scripts or tools that are associated with the moved resources.
After you migrate logic apps between subscriptions, resource groups, or regions, you must recreate or
reauthorize any connections that require Open Authentication (OAuth).
You can move an integration service environment (ISE) only to another resource group that exists in the
same Azure region or Azure subscription. You can't move an ISE to a resource group that exists in a
different Azure region or Azure subscription. Also, after such a move, you must update all references to
the ISE in your logic app workflows, integration accounts, connections, and so on.

Prerequisites
The same Azure subscription that was used to create the logic app or integration account that you want
to move
Resource owner permissions to move and set up the resources that you want. Learn more about Azure
role-based access control (Azure RBAC).

Move resources between subscriptions


To move a resource, such as a logic app or integration account, to another Azure subscription, you can use the
Azure portal, Azure PowerShell, Azure CLI, or REST API. These steps cover the Azure portal, which you can use
when the resource's region stays the same. For other steps and general preparation, see Move resources to a
new resource group or subscription.
1. In the Azure portal, find and select the logic app resource that you want to move.
2. On the resource's Overview page, next to Subscription, select the change link.
3. On the Move resources page, select the logic app resource and any related resources that you want to
move.
4. From the Subscription list, select the destination subscription.
5. From the Resource group list, select the destination resource group. Or, to create a different resource
group, select Create a new group .
6. To confirm your understanding that any scripts or tools that are associated with the moved resources
won't work until you update them with the new resource IDs, select the confirmation box, and then select
OK .

Move resources between resource groups


To move a resource, such as a logic app, integration account, or integration service environment (ISE), to another
Azure resource group, you can use the Azure portal, Azure PowerShell, Azure CLI, or REST API. These steps cover
the Azure portal, which you can use when the resource's region stays the same. For other steps and general
preparation, see Move resources to a new resource group or subscription.
Before actually moving resources between groups, you can test whether you can successfully move your
resource to another group. For more information, see Validate your move.
1. In the Azure portal, find and select the logic app resource that you want to move.
2. On the resource's Overview page, next to Resource group, select the change link.
3. On the Move resources page, select the logic app resource and any related resources that you want to
move.
4. From the Resource group list, select the destination resource group. Or, to create a different resource
group, select Create a new group .
5. To confirm your understanding that any scripts or tools that are associated with the moved resources
won't work until you update them with the new resource IDs, select the confirmation box, and then select
OK .

Move resources between regions


When you want to move a logic app to a different region, your options depend on the way that you created your
logic app. Based on the option that you choose, you must recreate or reauthorize the connections in your logic
app.
In the Azure portal, recreate the logic app in the new region and reconfigure the workflow settings. To
save time, you can copy the underlying workflow definition and connections from the source app to the
destination app. To view the "code" behind a logic app, on the Logic App Designer toolbar, select Code
view .
By using Visual Studio and the Azure Logic Apps Tools for Visual Studio, you can open and download
your logic app from the Azure portal as an Azure Resource Manager template. This template is mostly
ready for deployment and includes the resource definitions for your logic app, including the workflow
itself, and connections. The template also declares parameters for the values to use at deployment. That
way, you can more easily change where and how you deploy the logic app, based on your needs. To
specify the location and other necessary information for deployment, you can use a separate parameters
file.
If you created and deployed your logic app by using continuous integration (CI) and continuous delivery
(CD) tools, such as Azure Pipelines in Azure DevOps, you can deploy your app to another region by using
those tools.
For more information about deployment templates for logic apps, see these topics:
Overview: Automate deployment for Azure Logic Apps by using Azure Resource Manager templates
Find, open, and download your logic app from the Azure portal into Visual Studio
Create Azure Resource Manager templates for Azure Logic Apps
Deploy Azure Resource Manager templates for Azure Logic Apps
Related resources
Some Azure resources, such as on-premises data gateway resources in Azure, can exist in a region that differs
from the logic apps that use those resources. However, other Azure resources, such as linked integration
accounts, must exist in the same region as your logic apps. Based on your scenario, make sure that your logic
apps can access the resources that your apps expect to exist in the same region.
For example, to link a logic app to an integration account, both resources must exist in the same region. In
scenarios such as disaster recovery, you usually want integration accounts that have the same configuration and
artifacts. In other scenarios, you might need integration accounts with different configurations and artifacts.
Custom connectors in Azure Logic Apps are visible to the connectors' authors and users who have the same
Azure subscription and the same Azure Active Directory tenant. These connectors are available in the same
region where logic apps are deployed. For more information, see Share custom connectors in your organization.
The template that you get from Visual Studio includes only the resource definitions for your logic app and its
connections. So, if your logic app uses other resources, for example, an integration account and B2B artifacts,
such as partners, agreements, and schemas, you must export that integration account's template by using the
Azure portal. This template includes the resource definitions for both the integration account and artifacts.
However, the template isn't fully parameterized. So, you must manually parameterize the values that you want to
use for deployment.
Export templates for integration accounts
1. In the Azure portal, find and open your integration account.
2. On your integration account's menu, under Settings, select Export template.
3. On the toolbar, select Download , and save the template.
4. Open and edit the template to parameterize the necessary values for deployment.
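Step 4 above is the manual part of the export: the downloaded template hard-codes the source region in every resource's location, and a template that still names the old region redeploys into it. The following is an added example, not code from the article or from Azure Logic Apps, that does that parameterization for the location value: it replaces each literal location with a parameter reference, declares the parameter, and builds a separate parameters file for the destination region, which is the pattern the Visual Studio export uses. The template, its resource names (contoso-ia, partner1) and the regions are constructed for the example; resource types and API versions are assumed to match what the portal exports. Locations already written as expressions are left alone.

```python
import copy
import json

# Constructed sample standing in for the file the portal's "Export template" downloads:
# an integration account and one B2B partner artifact, both pinned to the source region.
# The third resource already uses an expression, to show that those are left untouched.
SAMPLE_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {},
    "resources": [
        {
            "type": "Microsoft.Logic/integrationAccounts",
            "apiVersion": "2019-05-01",           # assumed API version
            "name": "contoso-ia",                  # constructed name
            "location": "eastus",
            "sku": {"name": "Free"},
            "properties": {},
        },
        {
            "type": "Microsoft.Logic/integrationAccounts/partners",
            "apiVersion": "2019-05-01",
            "name": "contoso-ia/partner1",
            "location": "eastus",
            "properties": {"partnerType": "B2B"},
        },
        {
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2021-09-01",            # assumed API version
            "name": "contosoartifacts",
            "location": "[resourceGroup().location]",
            "sku": {"name": "Standard_LRS"},
            "kind": "StorageV2",
        },
    ],
}


def parameterize_location(template, parameter_name="location"):
    """Return (new_template, replaced_literals).

    Every resource whose location is a literal string gets the expression
    [parameters('<parameter_name>')] instead; strings that already start with
    '[' are ARM expressions and are not touched. The input is not modified.
    """
    out = copy.deepcopy(template)
    expr = "[parameters('%s')]" % parameter_name
    replaced = set()
    for res in out.get("resources", []):
        loc = res.get("location")
        if isinstance(loc, str) and not loc.startswith("["):
            replaced.add(loc)
            res["location"] = expr
    params = out.setdefault("parameters", {})
    if parameter_name not in params:
        param = {"type": "string",
                 "metadata": {"description": "Region to deploy the logic app resources into."}}
        # When the export used exactly one region, keep it as the default so the
        # template still deploys unchanged if no parameters file is supplied.
        if len(replaced) == 1:
            param["defaultValue"] = next(iter(replaced))
        params[parameter_name] = param
    return out, replaced


def make_parameters_file(location, parameter_name="location"):
    """Build the separate parameters file that selects the destination region."""
    return {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {parameter_name: {"value": location}},
    }


if __name__ == "__main__":
    new_template, replaced = parameterize_location(SAMPLE_TEMPLATE)
    print("replaced literal locations:", sorted(replaced))
    print(json.dumps(new_template, indent=2))
    print(json.dumps(make_parameters_file("westus2"), indent=2))
```

Deploy the rewritten template with the parameters file for the new region; the default value keeps the template usable for the source region, which is what you want while the two regions run side by side.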

Next steps
Move Azure resources to new resource groups or subscriptions
Move a Maintenance Control configuration to
another region
2/23/2022 • 2 minutes to read

Applies to: ✔️ Linux VMs ✔️ Windows VMs ✔️ Flexible scale sets ✔️ Uniform scale sets
Follow this article to move a Maintenance Control configuration to a different Azure region. You might want to
move a configuration for a number of reasons. For example, to take advantage of a new region, to deploy
features or services available in a specific region, to meet internal policy and governance requirements, or in
response to capacity planning.
Maintenance control, with customized maintenance configurations, allows you to control how platform updates
are applied to VMs, and to Azure Dedicated Hosts. There are a couple of scenarios for moving maintenance
control across regions:
To move your maintenance control configuration, but not the resources associated with the configuration,
follow the instructions in this article.
To move the resources associated with a maintenance configuration, but not the configuration itself, follow
these instructions.
To move both the maintenance configuration and the resources associated with it, first follow the instructions
in this article. Then, follow these instructions.

Prerequisites
Before you begin moving a maintenance control configuration:
Maintenance configurations are associated with Azure VMs or Azure Dedicated Hosts. Make sure that
VM/host resources exist in the new region before you begin.
Identify:
Existing maintenance control configurations.
The resource groups in which existing configurations currently reside.
The resource groups to which the configurations will be added after moving to the new region.
The resources associated with the maintenance configuration you want to move.
Check that the resources in the new region are the same as those associated with the current
maintenance configurations. The configurations can have the same names in the new region as they
did in the old, but this isn't required.

Prepare and move


1. Retrieve all of the maintenance configurations in each subscription. Run the CLI az maintenance
configuration list command to do this, replacing $subId with your subscription ID.

   az maintenance configuration list --subscription $subId --query "[*].{Name:name, Location:location, ResGroup:resourceGroup}" --output table

2. Review the returned table list of configuration records within the subscription. Here's an example. Your list
will contain values for your specific environment.

   Name                                    Location    ResGroup
   --------------------------------------  ----------  ----------------------------
   Skip Maintenance                        eastus2     configuration-resource-group
   IgniteDemoConfig                        eastus2     configuration-resource-group
   defaultMaintenanceConfiguration-eastus  eastus      test-configuration

3. Save your list for reference. As you move the configurations, it helps you to verify that everything's been
moved.
4. As a reference, map each configuration/resource group to the new resource group in the new region.
5. Create new maintenance configurations in the new region using PowerShell, or CLI.
6. Associate the configurations with the resources in the new region, using PowerShell, or CLI.

Verify the move


After moving the configurations, compare configurations and resources in the new region with the table list you
prepared.
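The comparison above is easy to get wrong by eye once a subscription has more than a handful of configurations. The following is an added example, not code from the article, that does the check from the JSON form of the same listing (the command above run with --output json instead of --output table, in both the source and the destination subscription): it applies the source-to-destination resource group mapping from step 4 and reports every source configuration that has no counterpart in the new region. The two listings and the resource group mapping are constructed sample data; the destination region westus2 is an assumption.

```python
import json

# Constructed sample of `az maintenance configuration list --output json` for the
# source subscription, trimmed to the fields this check uses. The names mirror the
# table in the article.
SOURCE_CONFIGS = json.loads("""[
  {"name": "Skip Maintenance", "location": "eastus2", "resourceGroup": "configuration-resource-group"},
  {"name": "IgniteDemoConfig", "location": "eastus2", "resourceGroup": "configuration-resource-group"},
  {"name": "defaultMaintenanceConfiguration-eastus", "location": "eastus", "resourceGroup": "test-configuration"}
]""")

# Constructed listing of the destination after a partially completed move:
# IgniteDemoConfig has not been recreated yet.
TARGET_CONFIGS = json.loads("""[
  {"name": "Skip Maintenance", "location": "westus2", "resourceGroup": "configuration-rg-westus2"},
  {"name": "defaultMaintenanceConfiguration-eastus", "location": "westus2", "resourceGroup": "test-configuration-westus2"}
]""")

# Step 4 of the article: each source resource group mapped to its group in the new region
# (constructed names).
RG_MAP = {
    "configuration-resource-group": "configuration-rg-westus2",
    "test-configuration": "test-configuration-westus2",
}


def find_unmoved(source, target, rg_map, target_location):
    """Return the source configurations that have no matching copy in the target region.

    A configuration counts as moved when a target entry has the same name, sits in
    the mapped resource group and is in target_location. Each returned record is the
    source record plus a 'reason' field explaining why it was flagged.
    """
    present = {(c["name"], c["resourceGroup"], c["location"]) for c in target}
    missing = []
    for cfg in source:
        dest_rg = rg_map.get(cfg["resourceGroup"])
        if dest_rg is None:
            missing.append({**cfg, "reason": "no destination resource group mapped"})
        elif (cfg["name"], dest_rg, target_location) not in present:
            missing.append({**cfg, "reason": "not found in %s/%s" % (dest_rg, target_location)})
    return missing


def find_unexpected(target, rg_map, target_location):
    """Return target entries outside the mapped groups or outside the target region.

    Such entries are usually a configuration created in the wrong region or group;
    they are worth a look before the source configurations are deleted.
    """
    allowed_groups = set(rg_map.values())
    return [c for c in target
            if c["resourceGroup"] not in allowed_groups or c["location"] != target_location]


if __name__ == "__main__":
    for rec in find_unmoved(SOURCE_CONFIGS, TARGET_CONFIGS, RG_MAP, "westus2"):
        print("NOT MOVED: %s (%s) - %s" % (rec["name"], rec["resourceGroup"], rec["reason"]))
    for rec in find_unexpected(TARGET_CONFIGS, RG_MAP, "westus2"):
        print("UNEXPECTED IN TARGET:", rec["name"])
```

Run the check before the clean-up step: an empty result from find_unmoved is the condition for deleting the source configurations.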

Clean up source resources


After the move, consider deleting the moved maintenance configurations in the source region, using PowerShell or
CLI.

Next steps
Follow these instructions if you need to move resources associated with maintenance configurations.
Move Azure Cache for Redis instances to different
regions
2/23/2022 • 11 minutes to read

In this article, you learn how to move Azure Cache for Redis instances to a different Azure region. You might
move your resources to another region for a number of reasons:
To take advantage of a new Azure region.
To deploy features or services available in specific regions only.
To meet internal policy and governance requirements.
To respond to capacity planning requirements.
If you're looking to migrate to Azure Cache for Redis from on-premises, cloud-based VMs, or another hosting
service, we recommend you see Migrate to Azure Cache for Redis.
The tier of Azure Cache for Redis you use determines the option that's best for you.

Cache tier: Options

Premium: Geo-replication, create a new cache, dual-write to two caches, export and import data via RDB file, or
migrate programmatically

Basic or Standard: Create a new cache, dual-write to two caches, or migrate programmatically

Enterprise or Enterprise Flash: Create a new cache or export and import data with an RDB file, or migrate
programmatically

Geo-replication (Premium)
Prerequisites
To configure geo-replication between two caches, the following prerequisites must be met:
Both caches are Premium tier caches.
Both caches are in the same Azure subscription.
The secondary linked cache is either the same cache size or a larger cache size than the primary linked cache.
Both caches already exist and are running.
Prepare
To move your cache instance to another region, you need to create a second premium cache instance in the
desired region. Once both caches are running, you can set up geo-replication between the two cache instances.

NOTE
Data transfer between Azure regions is charged at standard bandwidth rates.

Some features aren't supported with geo-replication:
Zone Redundancy isn't supported with geo-replication.
Persistence isn't supported with geo-replication.
Conditions for geo-replication support:
Clustering is supported if both caches have clustering enabled and have the same number of shards.
Caches in different VNets are supported with caveats. See Can I use geo-replication with my caches in a
VNet? for more information.
After geo-replication is configured, the following restrictions apply to your linked cache pair:
The secondary linked cache is read-only. You can read from it, but you can't write any data to it.
If you choose to read from the Geo-Secondary instance, whenever a full data sync is happening
between the Geo-Primary and the Geo-Secondary, such as when either Geo-Primary or Geo-Secondary
is updated and on some reboot scenarios as well, the Geo-Secondary instance throws errors on any
Redis operation against it until the full data sync between Geo-Primary and Geo-Secondary is complete.
Applications reading from Geo-Secondary should be built to fall back to the Geo-Primary whenever
the Geo-Secondary is throwing such errors.
Any data that was in the secondary linked cache before the link was added is removed. If the geo-replication
is later removed however, the replicated data remains in the secondary linked cache.
You can't scale either cache while the caches are linked.
You can't change the number of shards if the cache has clustering enabled.
You can't enable persistence on either cache.
You can Export from either cache.
You can't Import into the secondary linked cache.
You can't delete either linked cache, or the resource group that contains them, until you unlink the caches. For
more information, see Why did the operation fail when I tried to delete my linked cache?
If the caches are in different regions, network egress costs apply to the data moved across regions. For more
information, see How much does it cost to replicate my data across Azure regions?
Automatic failover doesn't occur between the primary and secondary linked cache. For more information
and information on how to failover a client application, see How does failing over to the secondary linked
cache work?
Move
1. To link two caches together for geo-replication, first click Geo-replication from the Resource menu of the
cache that you intend to be the primary linked cache. Next, click Add cache replication link from
Geo-replication on the left.
2. Select the name of your intended secondary cache from the Compatible caches list. If your secondary
cache isn't displayed in the list, verify that the Geo-replication prerequisites for the secondary cache are
met. To filter the caches by region, select the region in the map to display only those caches in the
Compatible caches list.

You can also start the linking process or view details about the secondary cache by using the context
menu.

3. Select Link to link the two caches together and begin the replication process.
Verify
1. You can view the progress of the replication process using Geo-replication on the left.

You can also view the linking status on the left, using Overview, for both the primary and secondary
caches.
Once the replication process is complete, the Link status changes to Succeeded .

The primary linked cache remains available for use during the linking process. The secondary linked
cache isn't available until the linking process completes.
Clean up source resources
Once your new cache in the targeted region is populated with all necessary data, remove the link between the
two caches and delete the original instance.
1. To remove the link between two caches and stop geo-replication, click Unlink caches from the
Geo-replication on the left.
When the unlinking process completes, the secondary cache is available for both reads and writes.

NOTE
When the geo-replication link is removed, the replicated data from the primary linked cache remains in the secondary
cache.

2. Delete the original instance.

Create a new cache (All tiers)


Prerequisites
Azure subscription - create one for free
Prepare
If you don't need to maintain your data during the move, the easiest way to move regions is to create a new
cache instance in the targeted region and connect your application to it. For example, if you use Redis as a
look-aside cache of database records, you can easily rebuild the cache from scratch.
Move
1. To create a cache, sign in to the Azure portal and select Create a resource .
2. On the New page, select Databases and then select Azure Cache for Redis .

3. On the New Redis Cache page, configure the settings for your new cache.

Setting / Choose a value / Description

Subscription
  Choose a value: Drop down and select your subscription.
  Description: The subscription under which to create this new Azure Cache for Redis instance.

Resource group
  Choose a value: Drop down and select a resource group, or select Create new and enter a new resource group name.
  Description: Name for the resource group in which to create your cache and other resources. By putting all your
  app resources in one resource group, you can easily manage or delete them together.

DNS name
  Choose a value: Enter a unique name.
  Description: The cache name must be a string between 1 and 63 characters that contain only numbers, letters, or
  hyphens. The name must start and end with a number or letter, and can't contain consecutive hyphens. Your cache
  instance's host name will be <DNS name>.redis.cache.windows.net.

Location
  Choose a value: Drop down and select a location.
  Description: Select a region near other services that will use your cache.

Cache type
  Choose a value: Drop down and select a tier.
  Description: The tier determines the size, performance, and features that are available for the cache. For more
  information, see Azure Cache for Redis Overview.

4. Select the Networking tab or select the Networking button at the bottom of the page.
5. In the Networking tab, select your connectivity method.
6. Select the Next: Advanced tab or select the Next: Advanced button on the bottom of the page.
7. In the Advanced tab for a basic or standard cache instance, select the enable toggle if you want to enable
a non-TLS port. You can also select which Redis version you would like to use, either 4 or 6.

8. In the Advanced tab for a premium cache instance, configure the settings for non-TLS port, clustering, and
data persistence. You can also select which Redis version you would like to use, either 4 or 6.
9. Select the Next: Tags tab or select the Next: Tags button at the bottom of the page.
10. Optionally, in the Tags tab, enter the name and value if you wish to categorize the resource.
11. Select Review + create . You're taken to the Review + create tab where Azure validates your
configuration.
12. After the green Validation passed message appears, select Create .
It takes a while for the cache to create. You can monitor progress on the Azure Cache for Redis Overview page.
When Status shows as Running , the cache is ready to use.
Finally, update your application to use the new instances.
Clean up source resources
Once your new cache in the targeted region is running, delete the original instance.

Export and import data with an RDB file (Premium, Enterprise, Enterprise Flash)
Open-source Redis defines a standard mechanism for taking a snapshot of a cache's in-memory dataset and
saving it to a file. This file, called RDB, can be read by another Redis cache. Azure Cache for Redis Premium and
Enterprise support importing data into a cache instance with RDB files. You can use an RDB file to transfer data
from an existing cache to Azure Cache for Redis.

IMPORTANT
RDB file format can change between Redis versions and might not maintain backward-compatibility. The Redis version of
the cache you're exporting from should be the same or lower than the version of your new cache instance.

Prerequisites
Both caches are Premium tier or Enterprise tier caches.
The second cache is either the same cache size or a larger cache size than the original cache.
The Redis version of the cache you're exporting from should be the same or lower than the version of your
new cache instance.
Prepare
To move your cache instance to another region, you'll need to create a second premium cache instance or a
second enterprise cache instance in the desired region.
Move
1. See here for more information on how to import and export data in Azure Cache for Redis.
2. Update your application to use the new cache instance.
Verify
You can monitor the progress of the import operation by following the notifications from the Azure portal, or by
viewing the events in the audit log.
Clean up source resources
Once your new cache in the targeted region is running, delete the original instance.

Dual-write to two caches (Basic, Standard, and Premium)


Rather than moving data directly between caches, you can use your application to write data to both an existing
cache and a new one you're setting up. The application initially reads data from the existing cache. When
the new cache has the necessary data, you switch the application to that cache and retire the old one. Let's say,
for example, you use Redis as a session store and the application sessions are valid for seven days. After writing
to the two caches for a week, you'll be certain the new cache contains all non-expired session information. You
can safely rely on it from that point onward without concern over data loss.
Prerequisites
The second cache is either the same cache size or a larger cache size than the original cache.
Prepare
To move your cache instance to another region, you'll need to create a second cache instance in the desired
region.
Move
General steps to implement this option are:
1. Modify application code to write to both the new and the original instances.
2. Continue reading data from the original instance until the new instance is sufficiently populated with
data.
3. Update the application code to read from and write to the new instance only.
Clean up source resources
Once your new cache in the targeted region is running, delete the original instance.

Migrate programmatically (All tiers)


You can create a custom migration process by programmatically reading data from an existing cache and
writing it into Azure Cache for Redis. This open-source tool can be used to copy data from one Azure Cache
for Redis instance to another instance in a different Azure region. A compiled version is available as
well. You may also find the source code to be a useful guide for writing your own migration tool.

NOTE
This tool isn't officially supported by Microsoft.

Prerequisites
The second cache is either the same cache size or a larger cache size than the original cache.
Prepare
Create a VM in the region where the existing cache is located. If your dataset is large, choose a relatively
powerful VM to reduce copying time.
To move your cache instance to another region, you'll need to create a second cache instance in the desired
region.
Move
After creating a VM in the region where the existing cache is located and creating a new cache in the desired
region, the general steps to implement this option are:
1. Flush data from the new cache to ensure that it's empty. This step is required because the copy tool itself
doesn't overwrite any existing key in the target cache.

IMPORTANT
Make sure to NOT flush from the source cache.

2. Use an application such as the open-source tool above to automate the copying of data from the source
cache to the target. Remember that the copy process could take a while to complete depending on the
size of your dataset.
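The two patterns above share the same failure modes: a write to the new cache that fails must not fail the request while the old cache is still the source of truth, the cutover in the dual-write pattern is only safe once a full TTL window has elapsed, and a copy tool that refuses to overwrite existing keys silently leaves stale data in place unless the target was flushed first. The following is an added example, not the open-source tool or any Azure code, that shows both the dual-write session store described earlier and a TTL-preserving key copy with that no-overwrite rule. The FakeCache class is a constructed in-memory stand-in for a Redis client so that the example runs offline; with a real client you would use the same set/get/ttl/scan calls.

```python
from typing import Callable, Dict, Optional, Tuple


class FakeCache:
    """In-memory stand-in for a Redis client, constructed for this example. It models only
    what the two patterns need: byte values, a per-key TTL, and lazy expiry on access
    against an injected clock, the way Redis expires keys when they are touched."""

    def __init__(self, clock: Callable[[], float]):
        self._clock = clock
        self._data: Dict[str, Tuple[bytes, Optional[float]]] = {}

    def _live(self, key: str):
        item = self._data.get(key)
        if item is not None and item[1] is not None and item[1] <= self._clock():
            del self._data[key]                      # expired: drop it on access
            return None
        return item

    def set(self, key: str, value: bytes, ex: Optional[float] = None):
        self._data[key] = (value, None if ex is None else self._clock() + ex)

    def get(self, key: str) -> Optional[bytes]:
        item = self._live(key)
        return None if item is None else item[0]

    def ttl(self, key: str) -> Optional[float]:
        """Remaining lifetime in seconds; None when the key is missing or has no expiry."""
        item = self._live(key)
        return None if item is None or item[1] is None else item[1] - self._clock()

    def keys(self):
        return [k for k in list(self._data) if self._live(k) is not None]

    def flushall(self):
        self._data.clear()


class DualWriteSessionStore:
    """Writes every session to both caches and reads only from the old one until cutover.
    A failed write to the new cache must not fail the request: the old cache is still the
    source of truth, so the failure is counted and cutover is refused while the count > 0."""

    def __init__(self, old: FakeCache, new: FakeCache, session_ttl: float, clock):
        self.old, self.new, self.ttl, self.clock = old, new, session_ttl, clock
        self.started_at = clock()
        self.new_write_failures = 0

    def put(self, session_id: str, blob: bytes):
        self.old.set(session_id, blob, ex=self.ttl)
        try:
            self.new.set(session_id, blob, ex=self.ttl)
        except Exception:                            # e.g. a timeout to the new region
            self.new_write_failures += 1

    def get(self, session_id: str) -> Optional[bytes]:
        return self.old.get(session_id)

    def cutover_ready(self) -> bool:
        # After one full TTL window, every key still alive in the old cache was written
        # after dual-writing began, so it was also written to the new cache.
        elapsed = self.clock() - self.started_at
        return elapsed >= self.ttl and self.new_write_failures == 0


def copy_keys(src: FakeCache, dst: FakeCache) -> Tuple[int, int]:
    """Copy live keys with their remaining TTL, never overwriting a key already in dst:
    the rule the copy tool follows, and the reason the target must be flushed first.
    Returns (copied, skipped)."""
    copied = skipped = 0
    for key in src.keys():
        if dst.get(key) is not None:
            skipped += 1
            continue
        dst.set(key, src.get(key), ex=src.ttl(key))
        copied += 1
    return copied, skipped


def dual_write_scenario():
    """Seven-day sessions. Returns (cutover_ready, old and new hold the same live keys),
    measured after three days and again once a full TTL window has elapsed."""
    now = [1_000_000.0]
    clock = lambda: now[0]
    ttl = 7 * 86400
    old, new = FakeCache(clock), FakeCache(clock)
    old.set("sess:old", b"pre-migration", ex=ttl)     # exists only in the old cache
    store = DualWriteSessionStore(old, new, ttl, clock)
    store.put("sess:a", b"alice")
    now[0] += 3 * 86400
    store.put("sess:b", b"bob")
    early = (store.cutover_ready(), sorted(old.keys()) == sorted(new.keys()))
    now[0] += 4 * 86400                                # sess:old and sess:a have expired
    late = (store.cutover_ready(), sorted(old.keys()) == sorted(new.keys()))
    return early, late


def copy_scenario():
    """A stale key left in the target blocks the copy of that key until the target is flushed."""
    clock = lambda: 0.0
    src, dst = FakeCache(clock), FakeCache(clock)
    src.set("k1", b"v1", ex=100)
    src.set("k2", b"v2")
    dst.set("k1", b"stale")                            # leftover data in the target cache
    first = copy_keys(src, dst)                        # k2 copied, k1 skipped
    dst.flushall()
    second = copy_keys(src, dst)                       # both copied, TTL of k1 preserved
    return first, second, dst.ttl("k1"), dst.get("k1")
```

The cutover check deliberately refuses while any write to the new cache has failed: a failed write means a live session exists only in the old cache, and switching reads would lose it. With a real client, replace the failure counter with a retry or a re-copy of the affected keys before you cut over.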
Clean up source resources
Once your new cache in the targeted region is running, delete the original instance.

Next steps
Learn more about Azure Cache for Redis features.
Geo-replication FAQ
Azure Cache for Redis service tiers
High availability for Azure Cache for Redis
Tutorial: Move Azure VMs across regions
2/23/2022 • 8 minutes to read • Edit Online

In this article, learn how to move Azure VMs, and related network/storage resources, to a different Azure region,
using Azure Resource Mover.
In this tutorial, you learn how to:
Check prerequisites and requirements.
Select the resources you want to move.
Resolve resource dependencies.
Prepare and move the source resource group.
Prepare and move the other resources.
Decide whether you want to discard or commit the move.
Optionally remove resources in the source region after the move.

NOTE
Tutorials show the quickest path for trying out a scenario, and use default options.

If you don't have an Azure subscription, create a free account before you begin. Then sign in to the Azure portal.

Prerequisites
Resource Mover support: Review supported regions and other common questions.
Subscription permissions: Check that you have Owner access on the subscription containing the resources that
you want to move.
Why do I need Owner access? The first time you add a resource for a specific source and destination pair in an
Azure subscription, Resource Mover creates a system-assigned managed identity (formerly known as Managed
Service Identity, or MSI) that's trusted by the subscription. To create the identity, and to assign it the required
role (Contributor or User Access Administrator in the source subscription), the account you use to add resources
needs Owner permissions on the subscription. Learn more about Azure roles. Because that identity holds a
subscription-wide role after the move is set up, treat the move collection that owns it as a privileged resource.
VM support: Check that the VMs you want to move are supported.
- Verify supported Windows VMs.
- Verify supported Linux VMs and kernel versions.
- Check supported compute, storage, and networking settings.
Destination subscription: The subscription in the destination region needs enough quota to create the resources
you're moving in the target region. If it doesn't have quota, request additional limits.
Destination region charges: Verify pricing and charges associated with the target region to which you're moving
VMs. Use the pricing calculator to help you.

Prepare VMs
1. After checking that VMs meet requirements, make sure that the VMs you want to move are turned on. All VM
disks that you want to be available in the destination region must be attached and initialized in the VM.
2. Make sure VMs have the latest trusted root certificates and an updated certificate revocation list (CRL), so
that the Mobility agent installed during Prepare can validate the TLS certificates of the service endpoints it
replicates to. To do this:
On Windows VMs, install the latest Windows updates.
On Linux VMs, follow distributor guidance so that machines have the latest certificates and CRL.
3. Allow outbound connectivity from VMs:
If you're using a URL-based firewall proxy to control outbound connectivity, allow access to these
URLs
If you're using network security group (NSG) rules to control outbound connectivity, create these
service tag rules.

Select resources
Select resources you want to move.
All supported resource types in resource groups within the selected source region are displayed.
Resources that have already been added for moving across regions aren't shown.
You move resources to a target region in the same subscription as the source region. If you want to change
the subscription, you can do that after the resources are moved.
1. In the Azure portal, search for resource mover. Then, under Services , select Azure Resource Mover .

2. In Overview , click Get started .


3. In Move resources > Source + destination , select the source subscription and region.
4. In Destination , select the region to which you want to move the VMs. Then click Next .

5. In Resources to move , click Select resources .


6. In Select resources , select the VM. You can only add resources supported for move. Then click Done .
7. In Resources to move , click Next .
8. In Review , check the source and destination settings.

9. Click Proceed , to begin adding the resources.


10. After the add process finishes successfully, click Adding resources for move in the notification icon.
11. After clicking the notification, review the resources on the Across regions page.
NOTE
Added resources are in a Prepare pending state.
The resource group for the VMs is added automatically.
If you want to remove a resource from a move collection, the method for doing that depends on where you are in
the move process. Learn more.

Resolve dependencies
1. If resources show a Validate dependencies message in the Issues column, click the Validate
dependencies button. The validation process begins.
2. If dependencies are found, click Add dependencies .
3. In Add dependencies , leave the default Show all dependencies option.
Show all dependencies iterates through all of the direct and indirect dependencies for a resource. For
example, for a VM it shows the NIC, virtual network, network security groups (NSGs) etc.
Show first level dependencies only shows only direct dependencies. For example, for a VM it shows
the NIC, but not the virtual network.
4. Select the dependent resources you want to add > Add dependencies . Monitor progress in the
notifications.

5. Validate dependencies again.

Move the source resource group


Before you can prepare and move VMs, the VM resource group must be present in the target region.
Prepare to move the source resource group
During the Prepare process, Resource Mover generates Azure Resource Manager (ARM) templates using the
resource group settings. Resources inside the resource group aren't affected.
Prepare as follows:
1. In Across regions , select the source resource group > Prepare .
2. In Prepare resources , click Prepare .

NOTE
After preparing the resource group, it's in the Initiate move pending state.

Move the source resource group


Initiate the move as follows:
1. In Across regions , select the resource group > Initiate Move
2. In Move Resources , click Initiate move . The resource group moves into an Initiate move in progress
state.
3. After initiating the move, the target resource group is created, based on the generated ARM template. The
source resource group moves into a Commit move pending state.

To commit and finish the move process:


1. In Across regions , select the resource group > Commit move .
2. In Move Resources , click Commit .

NOTE
After committing the move, the source resource group is in a Delete source pending state.

Prepare resources to move


Now that the source resource group is moved, you can prepare to move other resources that are in the Prepare
pending state.
1. In Across regions , verify that resources are now in a Prepare pending state, with no issues. If they're not,
validate again and resolve any outstanding issues.
2. If you want to edit target settings before beginning the move, select the link in the Destination
configuration column for the resource, and edit the settings. If you edit the target VM settings, the
target VM size shouldn't be smaller than the source VM size.
Now that the source resource group is moved, you can prepare to move the other resources.
3. Select the resources you want to prepare.

4. Select Prepare .

NOTE
During the prepare process, the Azure Site Recovery Mobility agent is installed on VMs, to replicate them.
VM data is replicated periodically to the target region. This doesn't affect the source VM.
Resource Mover generates ARM templates for the other source resources.
After preparing resources, they're in an Initiate move pending state.

Initiate the move


With resources prepared, you can now initiate the move.
1. In Across regions , select resources with state Initiate move pending. Then click Initiate move .
2. In Move resources , click Initiate move .
3. Track move progress in the notifications bar.

NOTE
For VMs, replica VMs are created in the target region. The source VM is shut down, and some downtime occurs
(usually minutes).
Resource Mover recreates other resources using the ARM templates that were prepared. There's usually no downtime.
After moving resources, they're in a Commit move pending state.
Discard or commit?
After the initial move, you can decide whether you want to commit the move, or to discard it.
Discard : You might discard a move if you're testing, and you don't want to actually move the source
resource. Discarding the move returns the resource to a state of Initiate move pending.
Commit : Commit completes the move to the target region. After committing, a source resource will be in a
state of Delete source pending, and you can decide if you want to delete it.

Discard the move


You can discard the move as follows:
1. In Across regions , select resources with state Commit move pending, and click Discard move .
2. In Discard move , click Discard .
3. Track move progress in the notifications bar.

NOTE
After discarding resources, VMs are in an Initiate move pending state.

Commit the move


If you want to complete the move process, commit the move.
1. In Across regions , select resources with state Commit move pending, and click Commit move .
2. In Commit resources , click Commit .
3. Track the commit progress in the notifications bar.
NOTE
After committing the move, VMs stop replicating. The source VM isn't impacted by the commit.
Commit doesn't impact source networking resources.
After committing the move, resources are in a Delete source pending state.

Configure settings after the move


The Mobility service isn't uninstalled automatically from VMs. Uninstall it manually, or leave it if you plan to
move the server again.
Azure role-based access control (Azure RBAC) assignments are bound to the scope they were created on. The moved
resources are created in the target resource group with new resource IDs, so assignments scoped to the source
resource group or to individual source resources don't follow them. Review the assignments on the source scopes
and recreate only the ones you still need on the target scopes.
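Reviewing those assignments is easier from an inventory than from the portal. The following is an added example, not Resource Mover's own code, that takes role assignments in the shape returned by az role assignment list --scope <source-rg-id> --include-inherited -o json and sorts them into three buckets: assignments to recreate on the rewritten target scope, privileged assignments (Owner, User Access Administrator) to re-grant by hand rather than by script, and assignments that are unaffected because they are inherited from above the resource group or sit on a resource that wasn't moved. The sample assignments, subscription ID, resource group names and principal IDs are all constructed for the example.

```python
from typing import Dict, Iterable, List

PRIVILEGED_ROLES = {"Owner", "User Access Administrator"}


def _last_segment(scope: str) -> str:
    return scope.rstrip("/").rsplit("/", 1)[-1]


def plan_rbac_for_move(assignments: Iterable[Dict], source_rg: str, target_rg: str,
                       moved_names: Iterable[str]) -> Dict[str, List[Dict]]:
    """Classify role assignments seen at the source resource group.

    recreate  : scoped to the source RG, or to a moved resource inside it; scope rewritten
                to the equivalent target scope
    review    : same, but the role is privileged; re-grant deliberately, not by script
    unchanged : inherited from above the RG, or on a resource that was not moved
    Azure scopes are case-insensitive, so comparisons are done on lower-cased strings."""
    plan: Dict[str, List[Dict]] = {"recreate": [], "review": [], "unchanged": []}
    src = source_rg.rstrip("/")
    moved = set(moved_names)
    for a in assignments:
        scope = a["scope"].rstrip("/")
        if scope.lower() == src.lower():
            new_scope = target_rg.rstrip("/")
        elif (scope.lower().startswith(src.lower() + "/providers/")
              and _last_segment(scope) in moved):
            new_scope = target_rg.rstrip("/") + scope[len(src):]
        else:
            plan["unchanged"].append(a)
            continue
        bucket = "review" if a["roleDefinitionName"] in PRIVILEGED_ROLES else "recreate"
        plan[bucket].append(dict(a, scope=new_scope))
    return plan


def to_az_command(a: Dict) -> str:
    """Render one planned assignment as the Azure CLI call that would create it.
    Passing the principal type avoids the directory lookup that can fail for new principals."""
    return ("az role assignment create "
            f"--assignee-object-id {a['principalId']} "
            f"--assignee-principal-type {a['principalType']} "
            f"--role \"{a['roleDefinitionName']}\" "
            f"--scope {a['scope']}")


# Constructed sample inventory (hypothetical subscription, resource groups and principals).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SOURCE_RG = SUB + "/resourceGroups/rg-app-eastus"
TARGET_RG = SUB + "/resourceGroups/rg-app-westus2"
MOVED = {"vm-web-01", "vm-web-01-nic"}          # names of resources that were moved

SAMPLE_ASSIGNMENTS = [
    {"principalId": "11111111-1111-1111-1111-111111111111", "principalType": "Group",
     "roleDefinitionName": "Contributor", "scope": SOURCE_RG},
    {"principalId": "22222222-2222-2222-2222-222222222222", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Virtual Machine Contributor",
     "scope": SOURCE_RG + "/providers/Microsoft.Compute/virtualMachines/vm-web-01"},
    {"principalId": "33333333-3333-3333-3333-333333333333", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": SUB},          # inherited: nothing to do
    {"principalId": "44444444-4444-4444-4444-444444444444", "principalType": "User",
     "roleDefinitionName": "Owner",
     "scope": SOURCE_RG + "/providers/Microsoft.Network/networkInterfaces/vm-web-01-nic"},
    {"principalId": "55555555-5555-5555-5555-555555555555", "principalType": "User",
     "roleDefinitionName": "Reader",
     "scope": SOURCE_RG + "/providers/Microsoft.Storage/storageAccounts/stlogs"},  # not moved
]

if __name__ == "__main__":
    plan = plan_rbac_for_move(SAMPLE_ASSIGNMENTS, SOURCE_RG, TARGET_RG, MOVED)
    for a in plan["recreate"]:
        print(to_az_command(a))
    for a in plan["review"]:
        print("# REVIEW before granting:", to_az_command(a))
```

The commands are only rendered, not executed, so the output can be checked in by a second person before it runs. The review bucket is the least-privilege checkpoint: a resource-scoped Owner on the source side is exactly the kind of grant that should not be copied forward just because it existed.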

Delete source resources after commit


After the move, you can optionally delete resources in the source region.

NOTE
A few resources, for example key vaults and SQL Server servers, can't be deleted from the portal, and must be deleted
from the resource property page.

1. In Across Regions , click the name of the source resource that you want to delete.
2. Select Delete source .

Delete additional resources created for move


After the move, you can manually delete the move collection, and the Site Recovery resources that were created.
The move collection is hidden by default. To see it you need to turn on hidden resources.
The cache storage account has a resource lock that must be removed before the account can be deleted.
Deleting the move collection also deletes its system-assigned managed identity. Role assignments granted to that
identity aren't removed with it, so review the subscription's role assignments afterwards and remove any that now
point at a deleted principal.
Delete as follows:
1. Locate the resources in resource group RegionMoveRG-<sourceregion>-<target-region> .
2. Check that all the VM and other source resources in the source region have been moved or deleted. This
ensures that there are no pending resources using them.
3. Delete the resources:
The move collection name is movecollection-<sourceregion>-<target-region> .
The cache storage account name is resmovecache<guid>
The vault name is ResourceMove-<sourceregion>-<target-region>-GUID .

Next steps
In this tutorial, you:
Moved Azure VMs to another Azure region.
Moved resources associated with VMs to another region.
Now, try moving Azure SQL databases and elastic pools to another region.
Move Azure SQL resources
Tutorial: Move Azure VMs across regions
2/23/2022 • 8 minutes to read • Edit Online

In this article, learn how to move Azure VMs, and related network/storage resources, to a different Azure region,
using Azure Resource Mover. .
In this tutorial, you learn how to:
Check prerequisites and requirements.
Select the resources you want to move.
Resolve resource dependencies.
Prepare and move the source resource group.
Prepare and move the other resources.
Decide whether you want to discard or commit the move.
Optionally remove resources in the source region after the move.

NOTE
Tutorials show the quickest path for trying out a scenario, and use default options.

If you don't have an Azure subscription, create a free account before you begin. Then sign in to the Azure portal.

Prerequisites
REQ UIREM EN T DESC RIP T IO N

Resource Mover suppor t Review supported regions and other common questions.

Subscription permissions Check you have Owner access on the subscription


containing the resources that you want to move

Why do I need Owner access? The first time you add a


resource for a specific source and destination pair in an
Azure subscription, Resource Mover creates a system-
assigned managed identity (formerly known as Managed
Service Identify (MSI)) that's trusted by the subscription. To
create the identity, and to assign it the required role
(Contributor or User Access administrator in the source
subscription), the account you use to add resources needs
Owner permissions on the subscription. Learn more about
Azure roles.

VM suppor t Check that the VMs you want to move are supported.

- Verify supported Windows VMs.

- Verify supported Linux VMs and kernel versions.

- Check supported compute, storage, and networking


settings.
REQ UIREM EN T DESC RIP T IO N

Destination subscription The subscription in the destination region needs enough


quota to create the resources you're moving in the target
region. If it doesn't have quota, request additional limits.

Destination region charges Verify pricing and charges associated with the target region
to which you're moving VMs. Use the pricing calculator to
help you.

Prepare VMs
1. After checking that VMs meet requirements, make sure that VMs you want to move are turned on. All VMs
disks that you want to be available in the destination region must be attached and initialized in the VM.
2. Make sure VMs have the latest trusted root certificates, and an updated certificate revocation list (CRL). To do
this:
On Windows VMs, install the latest Windows updates.
On Linux VMs, follow distributor guidance so that machines have the latest certificates and CRL.
3. Allow outbound connectivity from VMs:
If you're using a URL-based firewall proxy to control outbound connectivity, allow access to these
URLs
If you're using network security group (NSG) rules to control outbound connectivity, create these
service tag rules.

Select resources
Select resources you want to move.
All supported resource types in resource groups within the selected source region are displayed.
Resources that have already been added for moving across regions aren't shown.
You move resources to a target region in the same subscription as the source region. If you want to change
the subscription, you can do that after the resources are moved.
1. In the Azure portal, search for resource mover. Then, under Ser vices , select Azure Resource Mover .

2. In Over view , click Get star ted .


3. In Move resources > Source + destination , select the source subscription and region.
4. In Destination , select the region to which you want to move the VMs. Then click Next .

5. In Resources to move , click Select resources .


6. In Select resources , select the VM. You can only add resources supported for move. Then click Done .
7. In Resources to move , click Next .
8. In Review , check the source and destination settings.

9. Click Proceed , to begin adding the resources.


10. After the add process finishes successfully, click Adding resources for move in the notification icon.
11. After clicking the notification, review the resources on the Across regions page.
NOTE
Added resources are in a Prepare pending state.
The resource group for the VMs is added automatically.
If you want to remove an resource from a move collection, the method for doing that depends on where you are in
the move process. Learn more.

Resolve dependencies
1. If resources show a Validate dependencies message in the Issues column, click the Validate
dependencies button. The validation process begins.
2. If dependencies are found, click Add dependencies .
3. In Add dependencies , leave the default Show all dependencies option.
Show all dependencies iterates through all of the direct and indirect dependencies for a resource. For
example, for a VM it shows the NIC, virtual network, network security groups (NSGs) etc.
Show first level dependencies only shows only direct dependencies. For example, for a VM it shows
the NIC, but not the virtual network.
4. Select the dependent resources you want to add > Add dependencies . Monitor progress in the
notifications.

5. Validate dependencies again.

Move the source resource group


Before you can prepare and move VMs, the VM resource group must be present in the target region.
Prepare to move the source resource group
During the Prepare process, Resource Mover generates Azure Resource Manager (ARM) templates using the
resource group settings. Resources inside the resource group aren't affected.
Prepare as follows:
1. In Across regions , select the source resource group > Prepare .
2. In Prepare resources , click Prepare .

NOTE
After preparing the resource group, it's in the Initiate move pending state.

Move the source resource group


Initiate the move as follows:
1. In Across regions , select the resource group > Initiate Move
2. ln Move Resources , click Initiate move . The resource group moves into an Initiate move in progress
state.
3. After initiating the move, the target resource group is created, based on the generated ARM template. The
source resource group moves into a Commit move pending state.

To commit and finish the move process:


1. In Across regions , select the resource group > Commit move .
2. ln Move Resources , click Commit .

NOTE
After committing the move, the source resource group is in a Delete source pending state.

Prepare resources to move


Now that the source resource group is moved, you can prepare to move other resources that are in the Prepare
pending state.
1. In Across regions , verify that resources are now in a Prepare pending state, with no issues. If they're not,
validate again and resolve any outstanding issues.
2. If you want to edit target settings before beginning the move, select the link in the Destination
configuration column for the resource, and edit the settings. If you edit the target VM settings, the
target VM size shouldn't be smaller than the source VM size.
Now that the source resource group is moved, you can prepare to move the other resources.
3. Select the resources you want to prepare.

4. Select Prepare .

NOTE
During the prepare process, the Azure Site Recovery Mobility agent is installed on VMs, to replicate them.
VM data is replicated periodically to the target region. This doesn't affect the source VM.
Resource Move generates ARM templates for the other source resources.
After preparing resources, they're in an Initiate move pending state.

Initiate the move


With resources prepared, you can now initiate the move.
1. In Across regions , select resources with state Initiate move pending. Then click Initiate move .
2. In Move resources , click Initiate move .
3. Track move progress in the notifications bar.

NOTE
For VMs, replica VMs are created in the target region. The source VM is shut down, and some downtime occurs
(usually minutes).
Resource Mover recreates other resources using the ARM templates that were prepared. There's usually no downtime.
After moving resources, they're in an Commit move pending state.
Discard or commit?
After the initial move, you can decide whether you want to commit the move, or to discard it.
Discard : You might discard a move if you're testing, and you don't want to actually move the source
resource. Discarding the move returns the resource to a state of Initiate move pending.
Commit : Commit completes the move to the target region. After committing, a source resource will be in a
state of Delete source pending, and you can decide if you want to delete it.

Discard the move


You can discard the move as follows:
1. In Across regions , select resources with state Commit move pending, and click Discard move .
2. In Discard move , click Discard .
3. Track move progress in the notifications bar.

NOTE
After discarding resources, VMs are in an Initiate move pending state.

Commit the move


If you want to complete the move process, commit the move.
1. In Across regions , select resources with state Commit move pending, and click Commit move .
2. In Commit resources , click Commit .
3. Track the commit progress in the notifications bar.
NOTE
After committing the move, VMs stop replicating. The source VM isn't impacted by the commit.
Commit doesn't impact source networking resources.
After committing the move, resources are in a Delete source pending state.

Configure settings after the move


The Mobility service isn't uninstalled automatically from VMs. Uninstall it manually, or leave it if you plan to
move the server again.
Modify Azure role-based access control (Azure RBAC) rules after the move.

Delete source resources after commit


After the move, you can optionally delete resources in the source region.

NOTE
A few resources, for example key vaults and SQL Server servers, can't be deleted from the portal, and must be deleted
from the resource property page.

1. In Across Regions , click the name of the source resource that you want to delete.
2. Select Delete source .

Delete additional resources created for move


After the move, you can manually delete the move collection, and Site Recovery resources that were created.
The move collection is hidden by default. To see it you need to turn on hidden resources.
The cache storage has a lock that must be deleted, before it can be deleted.
Delete as follows:
1. Locate the resources in resource group RegionMoveRG-<sourceregion>-<target-region> .
2. Check that all the VM and other source resources in the source region have been moved or deleted. This
ensures that there are no pending resources using them.
3. Delete the resources:
The move collection name is movecollection-<sourceregion>-<target-region> .
The cache storage account name is resmovecache<guid>
The vault name is ResourceMove-<sourceregion>-<target-region>-GUID .

Next steps
In this tutorial, you:
Moved Azure VMs to another Azure region.
Moved resources associated with VMs to another region.
Now, trying moving Azure SQL databases and elastic pools to another region.
Move Azure SQL resources
Tutorial: Move Azure VMs across regions
2/23/2022 • 8 minutes to read • Edit Online

In this article, learn how to move Azure VMs, and related network/storage resources, to a different Azure region,
using Azure Resource Mover. .
In this tutorial, you learn how to:
Check prerequisites and requirements.
Select the resources you want to move.
Resolve resource dependencies.
Prepare and move the source resource group.
Prepare and move the other resources.
Decide whether you want to discard or commit the move.
Optionally remove resources in the source region after the move.

NOTE
Tutorials show the quickest path for trying out a scenario, and use default options.

If you don't have an Azure subscription, create a free account before you begin. Then sign in to the Azure portal.

Prerequisites
REQ UIREM EN T DESC RIP T IO N

Resource Mover suppor t Review supported regions and other common questions.

Subscription permissions Check you have Owner access on the subscription


containing the resources that you want to move

Why do I need Owner access? The first time you add a


resource for a specific source and destination pair in an
Azure subscription, Resource Mover creates a system-
assigned managed identity (formerly known as Managed
Service Identify (MSI)) that's trusted by the subscription. To
create the identity, and to assign it the required role
(Contributor or User Access administrator in the source
subscription), the account you use to add resources needs
Owner permissions on the subscription. Learn more about
Azure roles.

VM suppor t Check that the VMs you want to move are supported.

- Verify supported Windows VMs.

- Verify supported Linux VMs and kernel versions.

- Check supported compute, storage, and networking


settings.
REQ UIREM EN T DESC RIP T IO N

Destination subscription The subscription in the destination region needs enough


quota to create the resources you're moving in the target
region. If it doesn't have quota, request additional limits.

Destination region charges Verify pricing and charges associated with the target region
to which you're moving VMs. Use the pricing calculator to
help you.

Prepare VMs
1. After checking that VMs meet requirements, make sure that VMs you want to move are turned on. All VMs
disks that you want to be available in the destination region must be attached and initialized in the VM.
2. Make sure VMs have the latest trusted root certificates, and an updated certificate revocation list (CRL). To do
this:
On Windows VMs, install the latest Windows updates.
On Linux VMs, follow distributor guidance so that machines have the latest certificates and CRL.
3. Allow outbound connectivity from VMs:
If you're using a URL-based firewall proxy to control outbound connectivity, allow access to these
URLs
If you're using network security group (NSG) rules to control outbound connectivity, create these
service tag rules.

Select resources
Select resources you want to move.
All supported resource types in resource groups within the selected source region are displayed.
Resources that have already been added for moving across regions aren't shown.
You move resources to a target region in the same subscription as the source region. If you want to change
the subscription, you can do that after the resources are moved.
1. In the Azure portal, search for resource mover. Then, under Ser vices , select Azure Resource Mover .

2. In Over view , click Get star ted .


3. In Move resources > Source + destination , select the source subscription and region.
4. In Destination , select the region to which you want to move the VMs. Then click Next .

5. In Resources to move , click Select resources .


6. In Select resources , select the VM. You can only add resources supported for move. Then click Done .
7. In Resources to move , click Next .
8. In Review , check the source and destination settings.

9. Click Proceed , to begin adding the resources.


10. After the add process finishes successfully, click Adding resources for move in the notification icon.
11. After clicking the notification, review the resources on the Across regions page.
NOTE
Added resources are in a Prepare pending state.
The resource group for the VMs is added automatically.
If you want to remove an resource from a move collection, the method for doing that depends on where you are in
the move process. Learn more.

Resolve dependencies
1. If resources show a Validate dependencies message in the Issues column, click the Validate
dependencies button. The validation process begins.
2. If dependencies are found, click Add dependencies .
3. In Add dependencies , leave the default Show all dependencies option.
Show all dependencies iterates through all of the direct and indirect dependencies for a resource. For
example, for a VM it shows the NIC, virtual network, network security groups (NSGs) etc.
Show first level dependencies only shows only direct dependencies. For example, for a VM it shows
the NIC, but not the virtual network.
4. Select the dependent resources you want to add > Add dependencies . Monitor progress in the
notifications.

5. Validate dependencies again.

Move the source resource group


Before you can prepare and move VMs, the VM resource group must be present in the target region.
Prepare to move the source resource group
During the Prepare process, Resource Mover generates Azure Resource Manager (ARM) templates using the
resource group settings. Resources inside the resource group aren't affected.
Prepare as follows:
1. In Across regions , select the source resource group > Prepare .
2. In Prepare resources , click Prepare .

NOTE
After preparing the resource group, it's in the Initiate move pending state.

Move the source resource group


Initiate the move as follows:
1. In Across regions , select the resource group > Initiate Move
2. ln Move Resources , click Initiate move . The resource group moves into an Initiate move in progress
state.
3. After initiating the move, the target resource group is created, based on the generated ARM template. The
source resource group moves into a Commit move pending state.

To commit and finish the move process:


1. In Across regions , select the resource group > Commit move .
2. ln Move Resources , click Commit .

NOTE
After committing the move, the source resource group is in a Delete source pending state.

Prepare resources to move


Now that the source resource group is moved, you can prepare to move other resources that are in the Prepare
pending state.
1. In Across regions , verify that resources are now in a Prepare pending state, with no issues. If they're not,
validate again and resolve any outstanding issues.
2. If you want to edit target settings before beginning the move, select the link in the Destination
configuration column for the resource, and edit the settings. If you edit the target VM settings, the
target VM size shouldn't be smaller than the source VM size.
Now that the source resource group is moved, you can prepare to move the other resources.
3. Select the resources you want to prepare.

4. Select Prepare .

NOTE
During the prepare process, the Azure Site Recovery Mobility agent is installed on VMs, to replicate them.
VM data is replicated periodically to the target region. This doesn't affect the source VM.
Resource Move generates ARM templates for the other source resources.
After preparing resources, they're in an Initiate move pending state.

Initiate the move


With resources prepared, you can now initiate the move.
1. In Across regions , select resources with state Initiate move pending. Then click Initiate move .
2. In Move resources , click Initiate move .
3. Track move progress in the notifications bar.

NOTE
For VMs, replica VMs are created in the target region. The source VM is shut down, and some downtime occurs
(usually minutes).
Resource Mover recreates other resources using the ARM templates that were prepared. There's usually no downtime.
After moving resources, they're in a Commit move pending state.
Discard or commit?
After the initial move, you can decide whether you want to commit the move, or to discard it.
Discard : You might discard a move if you're testing, and you don't want to actually move the source
resource. Discarding the move returns the resource to a state of Initiate move pending.
Commit : Commit completes the move to the target region. After committing, a source resource will be in a
state of Delete source pending, and you can decide if you want to delete it.

Discard the move


You can discard the move as follows:
1. In Across regions , select resources with state Commit move pending, and click Discard move .
2. In Discard move , click Discard .
3. Track move progress in the notifications bar.

NOTE
After discarding resources, VMs are in an Initiate move pending state.

Commit the move


If you want to complete the move process, commit the move.
1. In Across regions , select resources with state Commit move pending, and click Commit move .
2. In Commit resources , click Commit .
3. Track the commit progress in the notifications bar.
NOTE
After committing the move, VMs stop replicating. The source VM isn't impacted by the commit.
Commit doesn't impact source networking resources.
After committing the move, resources are in a Delete source pending state.

Configure settings after the move


The Mobility service isn't uninstalled automatically from VMs. Uninstall it manually, or leave it if you plan to
move the server again.
Modify Azure role-based access control (Azure RBAC) rules after the move.
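A moved resource gets a new resource ID in the target region, so role assignments scoped directly to the source resource don't follow it. As an added example (not part of the original tutorial), the following PowerShell lists the assignments made directly on the source resource and recreates them on the target resource; the two resource IDs are placeholders you supply, and inherited assignments are skipped because they still apply to the target through its resource group and subscription.

```powershell
# Added example, not Microsoft's code. Assumes the Az.Resources module and an
# active Az session with rights to read and write role assignments.
# $SourceResourceId and $TargetResourceId are placeholders: the resource ID of
# the source VM and of the VM that Resource Mover created in the target region.
function Copy-DirectRoleAssignment {
    param(
        [Parameter(Mandatory)] [string] $SourceResourceId,
        [Parameter(Mandatory)] [string] $TargetResourceId,
        [switch] $ReportOnly   # list what would be recreated, change nothing
    )

    # Get-AzRoleAssignment -Scope also returns assignments inherited from the
    # resource group, subscription and management group. Those still apply to
    # the target if it lives under the same parents, so keep only assignments
    # whose scope is exactly the source resource.
    $direct = Get-AzRoleAssignment -Scope $SourceResourceId |
        Where-Object { $_.Scope -eq $SourceResourceId }

    # Assignments already present on the target (for example after a partial run).
    $existing = Get-AzRoleAssignment -Scope $TargetResourceId |
        Where-Object { $_.Scope -eq $TargetResourceId }

    foreach ($ra in $direct) {
        $already = $existing | Where-Object {
            $_.ObjectId -eq $ra.ObjectId -and
            $_.RoleDefinitionId -eq $ra.RoleDefinitionId
        }
        $label = "$($ra.RoleDefinitionName) for $($ra.DisplayName) ($($ra.ObjectType))"
        if ($already) {
            Write-Output "Present : $label"
            continue
        }
        Write-Output "Missing : $label"
        if (-not $ReportOnly) {
            # Recreate on the target with the same principal and role definition.
            # Note: any ABAC condition attached to the source assignment is not
            # copied by this call and must be re-added by hand.
            New-AzRoleAssignment -ObjectId $ra.ObjectId `
                -RoleDefinitionId $ra.RoleDefinitionId `
                -Scope $TargetResourceId | Out-Null
        }
    }
}

# Review first with -ReportOnly, then run again without it to apply.
Copy-DirectRoleAssignment `
    -SourceResourceId '/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Compute/virtualMachines/<vm>' `
    -TargetResourceId '/subscriptions/<sub>/resourceGroups/<target-rg>/providers/Microsoft.Compute/virtualMachines/<vm>' `
    -ReportOnly
```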

Delete source resources after commit


After the move, you can optionally delete resources in the source region.

NOTE
A few resources, for example key vaults and SQL Server servers, can't be deleted from the portal, and must be deleted
from the resource property page.

1. In Across Regions , click the name of the source resource that you want to delete.
2. Select Delete source .

Delete additional resources created for move


After the move, you can manually delete the move collection, and Site Recovery resources that were created.
The move collection is hidden by default. To see it you need to turn on hidden resources.
The cache storage account has a lock that must be removed before the account can be deleted.
Delete as follows:
1. Locate the resources in resource group RegionMoveRG-<sourceregion>-<target-region> .
2. Check that all the VM and other source resources in the source region have been moved or deleted. This
ensures that there are no pending resources using them.
3. Delete the resources:
The move collection name is movecollection-<sourceregion>-<target-region> .
The cache storage account name is resmovecache<guid> .
The vault name is ResourceMove-<sourceregion>-<target-region>-GUID .

Next steps
In this tutorial, you:
Moved Azure VMs to another Azure region.
Moved resources associated with VMs to another region.
Now, try moving Azure SQL databases and elastic pools to another region.
Move Azure SQL resources
Tutorial: Move Azure VMs across regions
2/23/2022 • 8 minutes to read

In this article, learn how to move Azure VMs, and related network/storage resources, to a different Azure region,
using Azure Resource Mover.
In this tutorial, you learn how to:
Check prerequisites and requirements.
Select the resources you want to move.
Resolve resource dependencies.
Prepare and move the source resource group.
Prepare and move the other resources.
Decide whether you want to discard or commit the move.
Optionally remove resources in the source region after the move.

NOTE
Tutorials show the quickest path for trying out a scenario, and use default options.

If you don't have an Azure subscription, create a free account before you begin. Then sign in to the Azure portal.

Prerequisites
Requirement: Description

Resource Mover support: Review supported regions and other common questions.

Subscription permissions: Check that you have Owner access on the subscription containing the resources that
you want to move.
Why do I need Owner access? The first time you add a resource for a specific source and destination pair in an
Azure subscription, Resource Mover creates a system-assigned managed identity (formerly known as Managed
Service Identity (MSI)) that's trusted by the subscription. To create the identity, and to assign it the required
role (Contributor or User Access Administrator in the source subscription), the account you use to add resources
needs Owner permissions on the subscription. Learn more about Azure roles.

VM support: Check that the VMs you want to move are supported.
- Verify supported Windows VMs.
- Verify supported Linux VMs and kernel versions.
- Check supported compute, storage, and networking settings.

Destination subscription: The subscription in the destination region needs enough quota to create the resources
you're moving in the target region. If it doesn't have quota, request additional limits.

Destination region charges: Verify pricing and charges associated with the target region to which you're moving
VMs. Use the pricing calculator to help you.

Prepare VMs
1. After checking that VMs meet requirements, make sure that VMs you want to move are turned on. All VMs
disks that you want to be available in the destination region must be attached and initialized in the VM.
2. Make sure VMs have the latest trusted root certificates, and an updated certificate revocation list (CRL). To do
this:
On Windows VMs, install the latest Windows updates.
On Linux VMs, follow distributor guidance so that machines have the latest certificates and CRL.
3. Allow outbound connectivity from VMs:
If you're using a URL-based firewall proxy to control outbound connectivity, allow access to these
URLs
If you're using network security group (NSG) rules to control outbound connectivity, create these
service tag rules.

Select resources
Select resources you want to move.
All supported resource types in resource groups within the selected source region are displayed.
Resources that have already been added for moving across regions aren't shown.
You move resources to a target region in the same subscription as the source region. If you want to change
the subscription, you can do that after the resources are moved.
1. In the Azure portal, search for resource mover. Then, under Services , select Azure Resource Mover .

2. In Overview , click Get started .


3. In Move resources > Source + destination , select the source subscription and region.
4. In Destination , select the region to which you want to move the VMs. Then click Next .

5. In Resources to move , click Select resources .


6. In Select resources , select the VM. You can only add resources supported for move. Then click Done .
7. In Resources to move , click Next .
8. In Review , check the source and destination settings.

9. Click Proceed , to begin adding the resources.


10. After the add process finishes successfully, click Adding resources for move in the notification icon.
11. After clicking the notification, review the resources on the Across regions page.
NOTE
Added resources are in a Prepare pending state.
The resource group for the VMs is added automatically.
If you want to remove a resource from a move collection, the method for doing that depends on where you are in
the move process. Learn more.

Resolve dependencies
1. If resources show a Validate dependencies message in the Issues column, click the Validate
dependencies button. The validation process begins.
2. If dependencies are found, click Add dependencies .
3. In Add dependencies , leave the default Show all dependencies option.
Show all dependencies iterates through all of the direct and indirect dependencies for a resource. For
example, for a VM it shows the NIC, virtual network, network security groups (NSGs) etc.
Show first level dependencies only shows only direct dependencies. For example, for a VM it shows
the NIC, but not the virtual network.
4. Select the dependent resources you want to add > Add dependencies . Monitor progress in the
notifications.

5. Validate dependencies again.

Move the source resource group


Before you can prepare and move VMs, the VM resource group must be present in the target region.
Prepare to move the source resource group
Move a Recovery Services vault and Azure Site
Recovery configuration to another Azure region
2/23/2022 • 2 minutes to read

There are various scenarios in which you might want to move your existing Azure resources from one region to
another. Examples are for manageability, governance reasons, or because of company mergers and acquisitions.
One of the related resources you might want to move when you move your Azure VMs is the disaster recovery
configuration.
There's no first-class way to move an existing disaster recovery configuration from one region to another. This is
because you configured your target region based on your source VM region. When you decide to change the
source region, the previously existing configurations of the target region can't be reused and must be reset. This
article defines the step-by-step process to reconfigure the disaster recovery setup and move it to a different
region.
In this document, you will:
Verify prerequisites for the move.
Identify the resources that were used by Azure Site Recovery.
Disable replication.
Delete the resources.
Set up Site Recovery based on the new source region for the VMs.

IMPORTANT
Currently, there's no first-class way to move a Recovery Services vault and the disaster recovery configuration as is to a
different region. This article guides you through the process of disabling replication and setting it up in the new region.

Prerequisites
Make sure that you remove and delete the disaster recovery configuration before you try to move the
Azure VMs to a different region.

NOTE
If your new target region for the Azure VM is the same as the disaster recovery target region, you can use your
existing replication configuration and move it. Follow the steps in Move Azure IaaS VMs to another Azure region.

Ensure that you're making an informed decision and that stakeholders are informed. Your VM won't be
protected against disasters until the move of the VM is complete.

Identify the resources that were used by Azure Site Recovery


We recommend that you do this step before you proceed to the next one. It's easier to identify the relevant
resources while the VMs are being replicated.
For each Azure VM that's being replicated, go to Protected Items > Replicated Items > Properties and
identify the following resources:
Target resource group
Cache storage account
Target storage account (in case of an unmanaged disk-based Azure VM)
Target network

Disable the existing disaster recovery configuration


1. Go to the Recovery Services vault.
2. In Protected Items > Replicated Items , right-click the machine and select Disable replication .
3. Repeat this step for all the VMs that you want to move.

NOTE
The mobility service won't be uninstalled from the protected servers. You must uninstall it manually. If you plan to protect
the server again, you can skip uninstalling the mobility service.

Delete the resources


1. Go to the Recovery Services vault.
2. Select Delete .
3. Delete all the other resources you previously identified.

Move Azure VMs to the new target region


Follow the steps in these articles based on your requirement to move Azure VMs to the target region:
Move Azure VMs to another region
Move Azure VMs into Availability Zones

Set up Site Recovery based on the new source region for the VMs
Configure disaster recovery for the Azure VMs that were moved to the new region by following the steps in Set
up disaster recovery for Azure VMs.
Move a SQL Server VM to another region within
Azure with Azure Site Recovery
2/23/2022 • 8 minutes to read

APPLIES TO: SQL Server on Azure VM


This article teaches you how to use Azure Site Recovery to migrate your SQL Server virtual machine (VM) from
one region to another within Azure.
Moving a SQL Server VM to a different region requires doing the following:
1. Preparing: Confirm that both your source SQL Server VM and target region are adequately prepared for the
move.
2. Configuring: Moving your SQL Server VM requires that it is a replicated object within the Azure Site
Recovery vault. You need to add your SQL Server VM to the Azure Site Recovery vault.
3. Testing: Migrating the SQL Server VM requires failing it over from the source region to the replicated target
region. To ensure that the move process will succeed, you need to first test that your SQL Server VM can
successfully fail over to the target region. This will help expose any issues and avoid them when performing
the actual move.
4. Moving: Once your test failover passed, and you know that you are safe to migrate your SQL Server VM, you
can perform the move of the VM to the target region.
5. Cleaning up: To avoid billing charges, remove the SQL Server VM from the vault, and any unnecessary
resources that are left over in the resource group.

Verify prerequisites
Confirm that moving from your source region to your target region is supported.
Review the scenario architecture and components as well as the support limitations and requirements.
Verify account permissions. If you created your free Azure account, you're the administrator of your
subscription. If you're not the subscription administrator, work with the administrator to assign the
permissions that you need. To enable replication for a VM and copy data using Azure Site Recovery, you must
have:
Permissions to create a VM. The Virtual Machine Contributor built-in role has these permissions,
which include:
Permissions to create a VM in the selected resource group.
Permissions to create a VM in the selected virtual network.
Permissions to write to the selected storage account.
Permissions to manage Azure Site Recovery operations. The Site Recovery Contributor role has
all the permissions that are required to manage Site Recovery operations in a Recovery
Services vault.

Prepare to move
Prepare both the source SQL Server VM and the target region for the move.
Prepare the source SQL Server VM
Ensure that all the latest root certificates are on the SQL Server VM that you want to move. If the latest root
certificates are not there, security constraints will prevent data copy to the target region.
For Windows VMs, install all of the latest Windows updates on the VM, so that all the trusted root certificates
are on the machine. In a disconnected environment, follow the standard Windows Update and certificate
update process for your organization.
For Linux VMs, follow the guidance provided by your Linux distributor to get the latest trusted root
certificates and certificate revocation list on the VM.
Make sure you're not using an authentication proxy to control network connectivity for the VMs that you
want to move.
If the VM that you're trying to move doesn't have access to the internet, or it's using a firewall proxy to
control outbound access, check the requirements.
Identify the source networking layout and all the resources that you're currently using. This includes but isn't
limited to load balancers, network security groups (NSGs), and public IPs.
Prepare the target region
Verify that your Azure subscription allows you to create VMs in the target region that's used for disaster
recovery. Contact support to enable the required quota.
Make sure that your subscription has enough resources to support VMs with sizes that match your source
VMs. If you're using Site Recovery to copy data to the target, Site Recovery chooses the same size, or the
closest possible size, for the target VM.
Make sure that you create a target resource for every component that's identified in the source networking
layout. This step is important to ensure that your VMs have all the functionality and features in the target
region that you had in the source region.
Azure Site Recovery automatically discovers and creates a virtual network when you enable
replication for the source VM. You can also pre-create a network and assign it to the VM in the user
flow for enabling replication. You need to manually create any other resources in the target region.
To create the most commonly used network resources that are relevant for you based on the source VM
configuration, see the following documentation:
Network security groups
Load balancer
Public IP address
For any additional networking components, see the networking documentation.
Manually create a non-production network in the target region if you want to test the configuration before
you perform the final move to the target region. We recommend this step because it ensures minimal
interference with the production network.

Configure Azure Site Recovery vault


The following steps show you how to use Azure Site Recovery to copy data to the target region. Create the
Recovery Services vault in any region other than the source region.
1. Sign in to the Azure portal.
2. Choose to Create a resource from the upper-left hand corner of the navigation pane.
3. Select IT & Management tools and then select Backup and Site Recovery .
4. On the Basics tab, under Project details , either create a new resource group in the target region, or
select an existing resource group in the target region.
5. Under Instance Details , specify a name for your vault, and then select your target Region from the
drop-down.
6. Select Review + Create to create your Recovery Services vault.
7. Select All services from the upper-left hand corner of the navigation pane and in the search box type
recovery services .
8. (Optionally) Select the star next to Recovery Services vaults to add it to your quick navigation bar.
9. Select Recovery services vaults and then select the Recovery Services vault you created.
10. On the Overview pane, select Replicate .

11. Select Source and then select Azure as the source. Select the appropriate values for the other drop-
down fields, such as the location for your source VMs. Only resource groups located in the Source
location region will be visible in the Source resource group field.
12. Select Virtual machines and then choose the virtual machines you want to migrate. Select OK to save
your VM selection.
13. Select Settings , and then choose your Target location from the drop-down. This should be the
resource group you prepared earlier.
14. Once you have customized replication, select Create target resources to create the resources in the
new location.
15. Once resource creation is complete, select Enable replication to start replication of your SQL Server
VM from the source to the target region.
16. You can check the status of replication by navigating to your recovery vault, selecting Replicated items
and viewing the Status of your SQL Server VM. A status of Protected indicates that replication has
completed.
Test move process
The following steps show you how to use Azure Site Recovery to test the move process.
1. Navigate to your Recovery Services vault in the Azure portal and select Replicated items .
2. Select the SQL Server VM you would like to move, verify that the Replication Health shows as Healthy
and then select Test Failover .

3. On the Test Failover page, select the Latest app-consistent recovery point to use for the failover, as
that is the only type of snapshot that can guarantee SQL Server data consistency.
4. Select the virtual network under Azure virtual network and then select OK to test failover.
IMPORTANT
We recommend that you use a separate Azure VM network for the failover test. Don't use the production network
that was set up when you enabled replication and that you want to move your VMs into eventually.

5. To monitor progress, navigate to your vault, select Site Recovery jobs under Monitoring , and then
select the Test failover job that's in progress.

6. Once the test completes, navigate to Virtual machines in the portal and review the newly created
virtual machine. Make sure the SQL Server VM is running, is sized appropriately, and is connected to the
appropriate network.
7. Delete the VM that was created as part of the test, as the Failover option will be grayed out until the
failover test resources are cleaned up. Navigate back to the vault, select Replicated items , select the SQL
Server VM, and then select Cleanup test failover . Record and save any observations associated with
the test in the Notes section and select the checkbox next to Testing is complete. Delete test failover
virtual machines . Select OK to clean up resources after the test.

Move the SQL Server VM


The following steps show you how to move the SQL Server VM from your source region to your target region.
1. Navigate to the Recovery Services vault, select Replicated items , select the VM, and then select
Failover .
2. Select the latest app-consistent recovery point under Recovery Point .
3. Select the check box next to Shut down the machine before beginning failover . Site Recovery will
attempt to shut down the source VM before triggering the failover. Failover will continue even if shut
down fails.
4. Select OK to start the failover.
5. You can monitor the failover process from the same Site Recovery jobs page you viewed when
monitoring the failover test in the previous section.
6. After the job completes, check that the SQL Server VM appears in the target region as expected.
7. Navigate back to the vault, select Replicated Items , select the SQL Server VM, and select Commit to
finish the move process to the target region. Wait until the commit job finishes.
8. Register your SQL Server VM with the SQL IaaS Agent extension to enable SQL virtual machine
manageability in the Azure portal and features associated with the extension. For more information, see
Register SQL Server VM with the SQL IaaS Agent extension.

WARNING
SQL Server data consistency is only guaranteed with app-consistent snapshots. The latest processed snapshot can't be
used for SQL Server failover as a crash recovery snapshot can't guarantee SQL Server data consistency.

Clean up source resources


To avoid billing charges, remove the SQL Server VM from the vault, and delete any unnecessary associated
resources.
1. Navigate back to the Site Recovery vault, select Replicated items , and select the SQL Server VM.
2. Select Disable Replication . Select a reason for disabling protection, and then select OK to disable
replication.

IMPORTANT
It is important to perform this step to avoid being charged for Azure Site Recovery replication.

3. If you have no plans to reuse any of the resources in the source region, delete all relevant network
resources, and corresponding storage accounts.
Next steps
For more information, see the following articles:
Overview of SQL Server on a Windows VM
SQL Server on a Windows VM FAQ
SQL Server on a Windows VM pricing guidance
What's new for SQL Server on Azure VMs
Use tags to organize your Azure resources and
management hierarchy
2/23/2022 • 16 minutes to read

You apply tags to your Azure resources, resource groups, and subscriptions to logically organize them into a
taxonomy. Each tag consists of a name and a value pair. For example, you can apply the name Environment and
the value Production to all the resources in production.
For recommendations on how to implement a tagging strategy, see Resource naming and tagging decision
guide.

IMPORTANT
Tag names are case-insensitive for operations. A tag with a tag name, regardless of casing, is updated or retrieved.
However, the resource provider might keep the casing you provide for the tag name. You'll see that casing in cost reports.
Tag values are case-sensitive.

NOTE
This article provides steps about how to delete personal data from the device or service and can be used to support your
obligations under the GDPR. For general information about GDPR, see the GDPR section of the Microsoft Trust Center
and the GDPR section of the Service Trust portal.

Required access
There are two ways to get the required access to tag resources.
You can have write access to the Microsoft.Resources/tags resource type. This access lets you tag any
resource, even if you don't have access to the resource itself. The Tag Contributor role grants this access.
Currently, the tag contributor role can't apply tags to resources or resource groups through the portal. It
can apply tags to subscriptions through the portal. It supports all tag operations through PowerShell and
REST API.
You can have write access to the resource itself. The Contributor role grants the required access to apply
tags to any entity. To apply tags to only one resource type, use the contributor role for that resource. For
example, to apply tags to virtual machines, use the Virtual Machine Contributor.

PowerShell
Apply tags
Azure PowerShell offers two commands for applying tags: New-AzTag and Update-AzTag. You must have the
Az.Resources module 1.12.0 or later. You can check your version with Get-InstalledModule -Name Az.Resources .
You can install that module or install Azure PowerShell 3.6.1 or later.
The New-AzTag replaces all tags on the resource, resource group, or subscription. When calling the command,
pass in the resource ID of the entity you wish to tag.
The following example applies a set of tags to a storage account:
$tags = @{"Dept"="Finance"; "Status"="Normal"}
$resource = Get-AzResource -Name demoStorage -ResourceGroup demoGroup
New-AzTag -ResourceId $resource.id -Tag $tags

When the command completes, notice that the resource has two tags.

Properties :
Name Value
====== =======
Dept Finance
Status Normal

If you run the command again but this time with different tags, notice that the earlier tags are removed.

$tags = @{"Team"="Compliance"; "Environment"="Production"}
New-AzTag -ResourceId $resource.id -Tag $tags

Properties :
Name Value
=========== ==========
Environment Production
Team Compliance

To add tags to a resource that already has tags, use Update-AzTag. Set the -Operation parameter to Merge.

$tags = @{"Dept"="Finance"; "Status"="Normal"}
Update-AzTag -ResourceId $resource.id -Tag $tags -Operation Merge

Notice that the two new tags were added to the two existing tags.

Properties :
Name Value
=========== ==========
Status Normal
Dept Finance
Team Compliance
Environment Production

Each tag name can have only one value. If you provide a new value for a tag, the old value is replaced even if
you use the merge operation. The following example changes the Status tag from Normal to Green.

$tags = @{"Status"="Green"}
Update-AzTag -ResourceId $resource.id -Tag $tags -Operation Merge

Properties :
Name Value
=========== ==========
Status Green
Dept Finance
Team Compliance
Environment Production

When you set the -Operation parameter to Replace, the existing tags are replaced by the new set of tags.

$tags = @{"Project"="ECommerce"; "CostCenter"="00123"; "Team"="Web"}
Update-AzTag -ResourceId $resource.id -Tag $tags -Operation Replace

Only the new tags remain on the resource.

Properties :
Name Value
========== =========
CostCenter 00123
Team Web
Project ECommerce

The same commands also work with resource groups or subscriptions. You pass in the identifier for the resource
group or subscription you want to tag.
To add a new set of tags to a resource group, use:

$tags = @{"Dept"="Finance"; "Status"="Normal"}
$resourceGroup = Get-AzResourceGroup -Name demoGroup
New-AzTag -ResourceId $resourceGroup.ResourceId -Tag $tags

To update the tags for a resource group, use:

$tags = @{"CostCenter"="00123"; "Environment"="Production"}
$resourceGroup = Get-AzResourceGroup -Name demoGroup
Update-AzTag -ResourceId $resourceGroup.ResourceId -Tag $tags -Operation Merge

To add a new set of tags to a subscription, use:

$tags = @{"CostCenter"="00123"; "Environment"="Dev"}
$subscription = (Get-AzSubscription -SubscriptionName "Example Subscription").Id
New-AzTag -ResourceId "/subscriptions/$subscription" -Tag $tags

To update the tags for a subscription, use:

$tags = @{"Team"="Web Apps"}
$subscription = (Get-AzSubscription -SubscriptionName "Example Subscription").Id
Update-AzTag -ResourceId "/subscriptions/$subscription" -Tag $tags -Operation Merge

You may have more than one resource with the same name in a resource group. In that case, you can set each
resource with the following commands:

$resource = Get-AzResource -ResourceName sqlDatabase1 -ResourceGroupName examplegroup
$resource | ForEach-Object { Update-AzTag -Tag @{ "Dept"="IT"; "Environment"="Test" } -ResourceId $_.ResourceId -Operation Merge }

List tags
To get the tags for a resource, resource group, or subscription, use the Get-AzTag command and pass in the
resource ID for the entity.
To see the tags for a resource, use:
$resource = Get-AzResource -Name demoStorage -ResourceGroup demoGroup
Get-AzTag -ResourceId $resource.id

To see the tags for a resource group, use:

$resourceGroup = Get-AzResourceGroup -Name demoGroup
Get-AzTag -ResourceId $resourceGroup.ResourceId

To see the tags for a subscription, use:

$subscription = (Get-AzSubscription -SubscriptionName "Example Subscription").Id
Get-AzTag -ResourceId "/subscriptions/$subscription"

List by tag
To get resources that have a specific tag name and value, use:

(Get-AzResource -Tag @{ "CostCenter"="00123"}).Name

To get resources that have a specific tag name with any tag value, use:

(Get-AzResource -TagName "Dept").Name

To get resource groups that have a specific tag name and value, use:

(Get-AzResourceGroup -Tag @{ "CostCenter"="00123" }).ResourceGroupName

Remove tags
To remove specific tags, use Update-AzTag and set -Operation to Delete. Pass in the tags you want to delete.

$removeTags = @{"Project"="ECommerce"; "Team"="Web"}
Update-AzTag -ResourceId $resource.id -Tag $removeTags -Operation Delete

The specified tags are removed.

Properties :
Name Value
========== =====
CostCenter 00123

To remove all tags, use the Remove-AzTag command.

$subscription = (Get-AzSubscription -SubscriptionName "Example Subscription").Id
Remove-AzTag -ResourceId "/subscriptions/$subscription"

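The Merge, Replace and Delete behaviour shown in the walkthrough above (and repeated by the Azure CLI commands in the next section) is easy to get wrong in automation, especially the rule that tag names are case-insensitive while values are case-sensitive. The following is an added example, not code from the Azure documentation or the Az module: it models the three operations as pure functions over a tag dictionary and replays the storage-account sequence from this section. The Delete matching rule (a name must match, and the value must match when one is given) is an assumption; the article only shows name/value pairs being passed.

```python
"""Tag Merge / Replace / Delete semantics, as an added example.

Not code from the Azure documentation or the Az module. It models what
New-AzTag, Update-AzTag (and az tag create / az tag update) do to a tag set,
using the rules the article states: tag names are case-insensitive, values are
case-sensitive, each name holds one value, and Merge overwrites an existing
name's value. The Delete matching rule below is this example's assumption.
"""
from typing import Dict, Optional


def _find_key(tags: Dict[str, str], name: str) -> Optional[str]:
    """Return the stored spelling of `name`, matching case-insensitively, or None."""
    wanted = name.lower()
    for existing in tags:
        if existing.lower() == wanted:
            return existing
    return None


def apply_tag_operation(current: Dict[str, str], operation: str,
                        tags: Dict[str, str]) -> Dict[str, str]:
    """Return the tag set that results from applying `operation` to `current`.

    `operation` is "Merge", "Replace" or "Delete", case-insensitive like the
    -Operation / --operation parameter. `current` is never modified in place.
    """
    op = operation.lower()
    if op == "replace":
        # Replace (and New-AzTag / az tag create) discards every existing tag.
        return dict(tags)

    result = dict(current)
    if op == "merge":
        for name, value in tags.items():
            existing = _find_key(result, name)
            if existing is None:
                result[name] = value
            else:
                # Same name in any casing: the value is overwritten and the
                # original spelling of the name is kept (it shows up in cost reports).
                result[existing] = value
        return result

    if op == "delete":
        for name, value in tags.items():
            existing = _find_key(result, name)
            # Assumption: remove when the name matches and the value matches
            # (an empty value means "match the name only").
            if existing is not None and (value == "" or result[existing] == value):
                del result[existing]
        return result

    raise ValueError(f"unknown operation {operation!r}; expected Merge, Replace or Delete")


def run_article_sequence() -> Dict[str, str]:
    """Replay the storage-account walkthrough above and return the final tag set."""
    tags: Dict[str, str] = {}
    tags = apply_tag_operation(tags, "Replace", {"Dept": "Finance", "Status": "Normal"})
    tags = apply_tag_operation(tags, "Replace", {"Team": "Compliance", "Environment": "Production"})
    tags = apply_tag_operation(tags, "Merge", {"Dept": "Finance", "Status": "Normal"})
    tags = apply_tag_operation(tags, "Merge", {"Status": "Green"})
    tags = apply_tag_operation(tags, "Replace", {"Project": "ECommerce", "CostCenter": "00123", "Team": "Web"})
    tags = apply_tag_operation(tags, "Delete", {"Project": "ECommerce", "Team": "Web"})
    return tags


if __name__ == "__main__":
    print(run_article_sequence())                                            # {'CostCenter': '00123'}
    print(apply_tag_operation({"Dept": "Finance"}, "Merge", {"DEPT": "IT"}))  # {'Dept': 'IT'}
```

The second call in the `__main__` block is the case that bites pipelines: merging `DEPT=IT` onto a resource that already carries `Dept=Finance` does not add a second tag, it silently changes the value of the existing one.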
Azure CLI
Apply tags
Azure CLI offers two commands for applying tags: az tag create and az tag update. You must have Azure CLI
2.10.0 or later. You can check your version with az version. To update or install, see Install the Azure CLI.
The az tag create command replaces all tags on the resource, resource group, or subscription. When calling the
command, pass in the resource ID of the entity you wish to tag.
The following example applies a set of tags to a storage account:

resource=$(az resource show -g demoGroup -n demoStorage --resource-type Microsoft.Storage/storageAccounts --query "id" --output tsv)
az tag create --resource-id $resource --tags Dept=Finance Status=Normal

When the command completes, notice that the resource has two tags.

"properties": {
"tags": {
"Dept": "Finance",
"Status": "Normal"
}
},

If you run the command again but this time with different tags, notice that the earlier tags are removed.

az tag create --resource-id $resource --tags Team=Compliance Environment=Production

"properties": {
"tags": {
"Environment": "Production",
"Team": "Compliance"
}
},

To add tags to a resource that already has tags, use az tag update. Set the --operation parameter to Merge.

az tag update --resource-id $resource --operation Merge --tags Dept=Finance Status=Normal

Notice that the two new tags were added to the two existing tags.

"properties": {
"tags": {
"Dept": "Finance",
"Environment": "Production",
"Status": "Normal",
"Team": "Compliance"
}
},

Each tag name can have only one value. If you provide a new value for a tag, the old value is replaced even if
you use the merge operation. The following example changes the Status tag from Normal to Green.

az tag update --resource-id $resource --operation Merge --tags Status=Green


"properties": {
"tags": {
"Dept": "Finance",
"Environment": "Production",
"Status": "Green",
"Team": "Compliance"
}
},

When you set the --operation parameter to Replace, the existing tags are replaced by the new set of tags.

az tag update --resource-id $resource --operation Replace --tags Project=ECommerce CostCenter=00123 Team=Web

Only the new tags remain on the resource.

"properties": {
"tags": {
"CostCenter": "00123",
"Project": "ECommerce",
"Team": "Web"
}
},

The same commands also work with resource groups or subscriptions. You pass in the identifier for the resource
group or subscription you want to tag.
To add a new set of tags to a resource group, use:

group=$(az group show -n demoGroup --query id --output tsv)
az tag create --resource-id $group --tags Dept=Finance Status=Normal

To update the tags for a resource group, use:

az tag update --resource-id $group --operation Merge --tags CostCenter=00123 Environment=Production

To add a new set of tags to a subscription, use:

sub=$(az account show --subscription "Demo Subscription" --query id --output tsv)
az tag create --resource-id /subscriptions/$sub --tags CostCenter=00123 Environment=Dev

To update the tags for a subscription, use:

az tag update --resource-id /subscriptions/$sub --operation Merge --tags Team="Web Apps"

List tags
To get the tags for a resource, resource group, or subscription, use the az tag list command and pass in the
resource ID for the entity.
To see the tags for a resource, use:
resource=$(az resource show -g demoGroup -n demoStorage --resource-type Microsoft.Storage/storageAccounts --query "id" --output tsv)
az tag list --resource-id $resource

To see the tags for a resource group, use:

group=$(az group show -n demoGroup --query id --output tsv)
az tag list --resource-id $group

To see the tags for a subscription, use:

sub=$(az account show --subscription "Demo Subscription" --query id --output tsv)
az tag list --resource-id /subscriptions/$sub

List by tag
To get resources that have a specific tag name and value, use:

az resource list --tag CostCenter=00123 --query [].name

To get resources that have a specific tag name with any tag value, use:

az resource list --tag Team --query [].name

To get resource groups that have a specific tag name and value, use:

az group list --tag Dept=Finance

Remove tags
To remove specific tags, use az tag update and set --operation to Delete. Pass in the tags you want to delete.

az tag update --resource-id $resource --operation Delete --tags Project=ECommerce Team=Web

The specified tags are removed.

"properties": {
"tags": {
"CostCenter": "00123"
}
},

To remove all tags, use the az tag delete command.

az tag delete --resource-id $resource

Handling spaces
If your tag names or values include spaces, enclose them in double quotes.

az tag update --resource-id $group --operation Merge --tags "Cost Center"=Finance-1222 Location="West US"

ARM templates
You can tag resources, resource groups, and subscriptions during deployment with an Azure Resource Manager
template (ARM template).

NOTE
The tags you apply through an ARM template or Bicep file overwrite any existing tags.

Apply values
The following example deploys a storage account with three tags. Two of the tags ( Dept and Environment ) are
set to literal values. One tag ( LastDeployed ) is set to a parameter that defaults to the current date.

JSON

{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"utcShort": {
"type": "string",
"defaultValue": "[utcNow('d')]"
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]"
}
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2021-04-01",
"name": "[concat('storage', uniqueString(resourceGroup().id))]",
"location": "[parameters('location')]",
"sku": {
"name": "Standard_LRS"
},
"kind": "Storage",
"tags": {
"Dept": "Finance",
"Environment": "Production",
"LastDeployed": "[parameters('utcShort')]"
},
"properties": {}
}
]
}

Apply an object
You can define an object parameter that stores several tags, and apply that object to the tag element. This
approach provides more flexibility than the previous example because the object can have different properties.
Each property in the object becomes a separate tag for the resource. The following example has a parameter
named tagValues that is applied to the tag element.

JSON
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]"
},
"tagValues": {
"type": "object",
"defaultValue": {
"Dept": "Finance",
"Environment": "Production"
}
}
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2021-04-01",
"name": "[concat('storage', uniqueString(resourceGroup().id))]",
"location": "[parameters('location')]",
"sku": {
"name": "Standard_LRS"
},
"kind": "Storage",
"tags": "[parameters('tagValues')]",
"properties": {}
}
]
}

Apply a JSON string
To store many values in a single tag, apply a JSON string that represents the values. The entire JSON string is
stored as one tag that can't exceed 256 characters. The following example has a single tag named CostCenter
that contains several values from a JSON string:

JSON
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]"
}
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2021-04-01",
"name": "[concat('storage', uniqueString(resourceGroup().id))]",
"location": "[parameters('location')]",
"sku": {
"name": "Standard_LRS"
},
"kind": "Storage",
"tags": {
"CostCenter": "{\"Dept\":\"Finance\",\"Environment\":\"Production\"}"
},
"properties": {}
}
]
}

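Hand-escaping a JSON object inside a template string, as in the CostCenter tag above, is error-prone, and the 256-character value limit the article states is easy to hit once several values are packed into one tag. The following added example (not code from the Azure documentation) builds such a value from a dictionary, refuses to produce one that would exceed the limit, and parses it back; the check lets a deployment pipeline fail early instead of at the resource provider.

```python
"""Packing several values into one tag as a JSON string, as an added example.

Not code from the Azure documentation. It implements the workaround the section
above describes (one tag name carrying a JSON object) together with the
256-character value limit the article states.
"""
import json
from typing import Dict

MAX_TAG_VALUE_LEN = 256  # tag value limit from the article's Limitations section


def pack_tag_value(values: Dict[str, str]) -> str:
    """Serialize `values` as compact JSON suitable for a single tag value.

    Keys are sorted and whitespace removed so the string is deterministic and
    as short as possible; a result over the value limit raises ValueError.
    """
    packed = json.dumps(values, separators=(",", ":"), sort_keys=True)
    if len(packed) > MAX_TAG_VALUE_LEN:
        raise ValueError(
            f"packed tag value is {len(packed)} characters; the limit is {MAX_TAG_VALUE_LEN}"
        )
    return packed


def fits_in_tag(values: Dict[str, str]) -> bool:
    """True when `values` can be stored in one tag without exceeding the limit."""
    try:
        pack_tag_value(values)
    except ValueError:
        return False
    return True


def unpack_tag_value(tag_value: str) -> Dict[str, str]:
    """Parse a tag value written by pack_tag_value back into a dict.

    Anything that is not a JSON object (a bare string, a list) is rejected so a
    tag that was never packed is not misread as structured data.
    """
    parsed = json.loads(tag_value)
    if not isinstance(parsed, dict):
        raise ValueError("tag value is not a JSON object")
    return {str(k): str(v) for k, v in parsed.items()}


if __name__ == "__main__":
    # The article's CostCenter tag, built from a dict instead of a hand-escaped string.
    cost_center = pack_tag_value({"Dept": "Finance", "Environment": "Production"})
    print(cost_center)  # {"Dept":"Finance","Environment":"Production"}
    print(unpack_tag_value(cost_center))
```

When the packed value is placed in an ARM template the quotes still have to be escaped, because the template itself is JSON; the resource stores the unescaped string that `pack_tag_value` returns.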
Apply tags from resource group
To apply tags from a resource group to a resource, use the resourceGroup() function. When getting the tag
value, use the tags[tag-name] syntax instead of the tags.tag-name syntax, because some characters aren't
parsed correctly in the dot notation.
JSON

{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]"
}
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2021-04-01",
"name": "[concat('storage', uniqueString(resourceGroup().id))]",
"location": "[parameters('location')]",
"sku": {
"name": "Standard_LRS"
},
"kind": "Storage",
"tags": {
"Dept": "[resourceGroup().tags['Dept']]",
"Environment": "[resourceGroup().tags['Environment']]"
},
"properties": {}
}
]
}

Apply tags to resource groups or subscriptions
You can add tags to a resource group or subscription by deploying the Microsoft.Resources/tags resource type.
The tags are applied to the target resource group or subscription for the deployment. Each time you deploy the
template, you replace any tags that were previously applied.

JSON

{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"tagName": {
"type": "string",
"defaultValue": "TeamName"
},
"tagValue": {
"type": "string",
"defaultValue": "AppTeam1"
}
},
"resources": [
{
"type": "Microsoft.Resources/tags",
"name": "default",
"apiVersion": "2021-04-01",
"properties": {
"tags": {
"[parameters('tagName')]": "[parameters('tagValue')]"
}
}
}
]
}

To apply the tags to a resource group, use either PowerShell or Azure CLI. Deploy to the resource group that you
want to tag.

New-AzResourceGroupDeployment -ResourceGroupName exampleGroup -TemplateUri https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/azure-resource-manager/tags.json

az deployment group create --resource-group exampleGroup --template-uri https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/azure-resource-manager/tags.json

To apply the tags to a subscription, use either PowerShell or Azure CLI. Deploy to the subscription that you want
to tag.

New-AzSubscriptionDeployment -name tagresourcegroup -Location westus2 -TemplateUri https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/azure-resource-manager/tags.json

az deployment sub create --name tagresourcegroup --location westus2 --template-uri https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/azure-resource-manager/tags.json

For more information about subscription deployments, see Create resource groups and resources at the
subscription level.
The following template adds the tags from an object to either a resource group or subscription.
JSON

{
"$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"tags": {
"type": "object",
"defaultValue": {
"TeamName": "AppTeam1",
"Dept": "Finance",
"Environment": "Production"
}
}
},
"resources": [
{
"type": "Microsoft.Resources/tags",
"apiVersion": "2021-04-01",
"name": "default",
"properties": {
"tags": "[parameters('tags')]"
}
}
]
}

Portal
If a user doesn't have the required access for applying tags, you can assign the Tag Contributor role to the
user. For more information, see Tutorial: Grant a user access to Azure resources using RBAC and the Azure
portal.
1. To view the tags for a resource or a resource group, look for existing tags in the overview. If you have not
previously applied tags, the list is empty.
2. To add a tag, select Click here to add tags.
3. Provide a name and value.
4. Continue adding tags as needed. When done, select Save.
5. The tags are now displayed in the overview.
6. To add or delete a tag, select change.
7. To delete a tag, select the trash icon. Then, select Save.
To bulk assign tags to multiple resources:
1. From any list of resources, select the checkbox for the resources you want to assign the tag to. Then, select
Assign tags.
2. Add names and values. When done, select Save.
To view all resources with a tag:
1. On the Azure portal menu, search for tags. Select it from the available options.
2. Select the tag for viewing resources.
3. All resources with that tag are displayed.

REST API
To work with tags through the Azure REST API, use:
Tags - Create Or Update At Scope (PUT operation)
Tags - Update At Scope (PATCH operation)
Tags - Get At Scope (GET operation)
Tags - Delete At Scope (DELETE operation)

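The four operations listed above all target the same child resource of whatever scope you tag: `{scope}/providers/Microsoft.Resources/tags/default`, where the scope is a subscription, resource group or resource ID. The following added example (not code from the Azure documentation or an Azure SDK) builds the method, URL and body for each call so the shapes can be checked offline; the PATCH body carries the Merge/Replace/Delete operation described in the PowerShell and CLI sections. The api-version reused here is the one the article's Microsoft.Resources/tags templates use; the management endpoint is the public Azure one, and nothing is sent over the network.

```python
"""Building the Tags REST calls listed above, as an added example.

Not code from the Azure documentation or an Azure SDK. It produces (method, URL,
body) for Tags - Create Or Update At Scope (PUT), Update At Scope (PATCH),
Get At Scope (GET) and Delete At Scope (DELETE). The api-version is the one the
article's ARM templates use for Microsoft.Resources/tags.
"""
import json
from typing import Dict, Optional, Tuple

ARM_ENDPOINT = "https://management.azure.com"  # public Azure Resource Manager endpoint
API_VERSION = "2021-04-01"
VALID_OPERATIONS = ("Merge", "Replace", "Delete")


def tags_url(scope: str) -> str:
    """URL of the tags resource for `scope`, e.g. /subscriptions/<id>/resourceGroups/<rg>.

    Tags live under a subscription, a resource group or a resource, so the scope
    must be a resource ID rooted at /subscriptions/.
    """
    if not scope.startswith("/subscriptions/"):
        raise ValueError("scope must be a resource ID beginning with /subscriptions/")
    return (f"{ARM_ENDPOINT}{scope.rstrip('/')}"
            f"/providers/Microsoft.Resources/tags/default?api-version={API_VERSION}")


def build_tag_request(scope: str, action: str, tags: Optional[Dict[str, str]] = None,
                      operation: str = "Merge") -> Tuple[str, str, Optional[str]]:
    """Return (HTTP method, URL, JSON body or None) for one of get/set/update/delete.

    set    -> PUT    replaces every tag at the scope (like New-AzTag / az tag create)
    update -> PATCH  applies `operation` (Merge, Replace or Delete) to `tags`
    get    -> GET    reads the tags at the scope
    delete -> DELETE removes all tags at the scope (like Remove-AzTag / az tag delete)
    """
    url = tags_url(scope)
    if action == "get":
        return "GET", url, None
    if action == "delete":
        return "DELETE", url, None
    if tags is None:
        raise ValueError(f"{action} requires a tags dictionary")
    if action == "set":
        return "PUT", url, json.dumps({"properties": {"tags": tags}})
    if action == "update":
        if operation not in VALID_OPERATIONS:
            raise ValueError(f"operation must be one of {VALID_OPERATIONS}")
        body = {"operation": operation, "properties": {"tags": tags}}
        return "PATCH", url, json.dumps(body)
    raise ValueError(f"unknown action {action!r}; expected get, set, update or delete")


if __name__ == "__main__":
    # Constructed sample scope: a resource group in a placeholder subscription.
    rg_scope = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/demoGroup"
    for step in (build_tag_request(rg_scope, "update", {"Dept": "Finance"}, "Merge"),
                 build_tag_request(rg_scope, "get"),
                 build_tag_request(rg_scope, "delete")):
        print(*step)
```

Because a PUT silently discards every tag not in its body, a read-modify-write built from GET followed by PUT races with any other writer; a PATCH with `Merge` or `Delete` touches only the tags named in the request.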
SDKs
For samples of applying tags with SDKs, see:
.NET
Java
JavaScript
Python

Inherit tags
Tags applied to the resource group or subscription aren't inherited by the resources. To apply tags from a
subscription or resource group to the resources, see Azure Policies - tags.

Tags and billing
You can use tags to group your billing data. For example, if you're running multiple VMs for different
organizations, use the tags to group usage by cost center. You can also use tags to categorize costs by runtime
environment, such as the billing usage for VMs running in the production environment.
You can retrieve information about tags by downloading the usage file, a comma-separated values (CSV) file
available from the Azure portal. For more information, see Download or view your Azure billing invoice and
daily usage data. For services that support tags with billing, the tags appear in the Tags column.
For REST API operations, see Azure Billing REST API Reference.

Limitations
The following limitations apply to tags:
Not all resource types support tags. To determine if you can apply a tag to a resource type, see Tag
support for Azure resources.
Each resource, resource group, and subscription can have a maximum of 50 tag name/value pairs. If you
need to apply more tags than the maximum allowed number, use a JSON string for the tag value. The
JSON string can contain many values that are applied to a single tag name. A resource group or
subscription can contain many resources that each have 50 tag name/value pairs.
The tag name is limited to 512 characters, and the tag value is limited to 256 characters. For storage
accounts, the tag name is limited to 128 characters, and the tag value is limited to 256 characters.
Tags can't be applied to classic resources such as Cloud Services.
Azure IP Groups and Azure Firewall Policies don't support PATCH operations, which means they don't
support updating tags through the portal. Instead, use the update commands for those resources. For
example, you can update tags for an IP group with the az network ip-group update command.
Tag names can't contain these characters: < , > , % , & , \ , ? , /

NOTE
Azure DNS zones and Traffic Manager don't support the use of spaces in the tag or a tag that starts with
a number.
Azure DNS tag names do not support special and unicode characters. The value can contain all characters.
Azure Front Door doesn't support the use of # or : in the tag name.
The following Azure resources only support 15 tags:
Azure Automation
Azure CDN
Azure DNS (Zone and A records)
Azure Private DNS (Zone, A records, and virtual network link)
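The limits above are enforced by the resource providers at deployment time, which is late if the tags come from a policy or a pipeline variable. The following added example (not code from the Azure documentation) checks a proposed tag set against the documented limits before anything is deployed: the 50-pair maximum, the 512-character name limit (128 for storage accounts), the 256-character value limit, the forbidden name characters, and the earlier rule that tag names are case-insensitive, so two names differing only in case would collapse into one tag. The service-specific exceptions in the note (DNS, Traffic Manager, Front Door, the 15-tag services) are not modelled.

```python
"""Pre-deployment lint of a tag set against the limits listed above, as an added example.

Not code from the Azure documentation. The constants encode the article's limits;
the case-collision check reflects the earlier statement that tag names are
case-insensitive. Service-specific exceptions from the note are not modelled.
"""
from typing import Dict, List

MAX_TAGS = 50
MAX_NAME_LEN = 512
MAX_NAME_LEN_STORAGE = 128          # storage accounts have a shorter name limit
MAX_VALUE_LEN = 256
FORBIDDEN_NAME_CHARS = frozenset("<>%&\\?/")
STORAGE_ACCOUNT_TYPE = "microsoft.storage/storageaccounts"


def lint_tags(tags: Dict[str, str], resource_type: str = "") -> List[str]:
    """Return a list of problems; an empty list means the set is within the documented limits.

    `resource_type` is compared case-insensitively and only matters for the
    storage-account name limit.
    """
    problems: List[str] = []
    if len(tags) > MAX_TAGS:
        problems.append(f"{len(tags)} tags exceed the maximum of {MAX_TAGS} name/value pairs")

    name_limit = MAX_NAME_LEN_STORAGE if resource_type.lower() == STORAGE_ACCOUNT_TYPE else MAX_NAME_LEN
    seen: Dict[str, str] = {}  # lower-cased name -> first spelling encountered
    for name, value in tags.items():
        if len(name) > name_limit:
            problems.append(f"tag name {name[:20]!r}... is {len(name)} characters; limit is {name_limit}")
        bad = sorted(FORBIDDEN_NAME_CHARS.intersection(name))
        if bad:
            problems.append(f"tag name {name!r} contains forbidden character(s): {' '.join(bad)}")
        if len(value) > MAX_VALUE_LEN:
            problems.append(f"value of tag {name!r} is {len(value)} characters; limit is {MAX_VALUE_LEN}")
        folded = name.lower()
        if folded in seen:
            problems.append(f"tag names {seen[folded]!r} and {name!r} differ only by case and refer to the same tag")
        else:
            seen[folded] = name
    return problems


if __name__ == "__main__":
    # Constructed sample: one clean set and one with several violations.
    print(lint_tags({"Dept": "Finance", "Status": "Normal"}))   # []
    for problem in lint_tags({"Cost/Center": "00123", "Dept": "Finance", "dept": "IT", "Notes": "x" * 300}):
        print("-", problem)
```

Running the lint in the same pipeline stage that resolves the tag values catches a bad tag before the deployment is submitted, and the case-collision check is the one that a plain schema validator cannot express.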

Next steps
Not all resource types support tags. To determine if you can apply a tag to a resource type, see Tag support
for Azure resources.
For recommendations on how to implement a tagging strategy, see Resource naming and tagging decision
guide.
Assign policy definitions for tag compliance
2/23/2022 • 4 minutes to read

You use Azure Policy to enforce tagging rules and conventions. By creating a policy, you avoid the scenario of
resources being deployed to your subscription that don't have the expected tags for your organization. Instead
of manually applying tags or searching for resources that aren't compliant, you create a policy that automatically
applies the needed tags during deployment. Tags can also now be applied to existing resources with the new
Modify effect and a remediation task. The following section shows example policy definitions for tags.

Policy definitions
NAME (Azure portal) | DESCRIPTION | EFFECT(S) | VERSION (GitHub)
Add a tag to resource groups | Adds the specified tag and value when any resource group missing this tag is created or updated. Existing resource groups can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. | modify | 1.0.0
Add a tag to resources | Adds the specified tag and value when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. Does not modify tags on resource groups. | modify | 1.0.0
Add a tag to subscriptions | Adds the specified tag and value to subscriptions via a remediation task. If the tag exists with a different value it will not be changed. See https://aka.ms/azurepolicyremediation for more information on policy remediation. | modify | 1.0.0
Add or replace a tag on resource groups | Adds or replaces the specified tag and value when any resource group is created or updated. Existing resource groups can be remediated by triggering a remediation task. | modify | 1.0.0
Add or replace a tag on resources | Adds or replaces the specified tag and value when any resource is created or updated. Existing resources can be remediated by triggering a remediation task. Does not modify tags on resource groups. | modify | 1.0.0
Add or replace a tag on subscriptions | Adds or replaces the specified tag and value on subscriptions via a remediation task. Existing resource groups can be remediated by triggering a remediation task. See https://aka.ms/azurepolicyremediation for more information on policy remediation. | modify | 1.0.0
Append a tag and its value from the resource group | Appends the specified tag with its value from the resource group when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc). | append | 1.0.0
Append a tag and its value to resource groups | Appends the specified tag and value when any resource group which is missing this tag is created or updated. Does not modify the tags of resource groups created before this policy was applied until those resource groups are changed. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc). | append | 1.0.0
Append a tag and its value to resources | Appends the specified tag and value when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. Does not apply to resource groups. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc). | append | 1.0.1
Inherit a tag from the resource group | Adds or replaces the specified tag and value from the parent resource group when any resource is created or updated. Existing resources can be remediated by triggering a remediation task. | modify | 1.0.0
Inherit a tag from the resource group if missing | Adds the specified tag with its value from the parent resource group when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. | modify | 1.0.0
Inherit a tag from the subscription | Adds or replaces the specified tag and value from the containing subscription when any resource is created or updated. Existing resources can be remediated by triggering a remediation task. | modify | 1.0.0
Inherit a tag from the subscription if missing | Adds the specified tag with its value from the containing subscription when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. | modify | 1.0.0
Require a tag and its value on resource groups | Enforces a required tag and its value on resource groups. | deny | 1.0.0
Require a tag and its value on resources | Enforces a required tag and its value. Does not apply to resource groups. | deny | 1.0.1
Require a tag on resource groups | Enforces existence of a tag on resource groups. | deny | 1.0.0
Require a tag on resources | Enforces existence of a tag. Does not apply to resource groups. | deny | 1.0.1

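The table mixes three effects, and the interaction between them is what decides whether a deployment succeeds: Azure Policy evaluates append and modify effects before deny, so a "Require a tag" deny assignment combined with an "Inherit a tag from the resource group" modify assignment lets a request through that the deny alone would have rejected. The following added example (not code from the Azure documentation or Azure Policy) simulates four of the table's policy kinds against constructed resource and resource-group tags in that evaluation order; the `TagPolicy` type and `evaluate()` function are this example's own, not an Azure API.

```python
"""Simulation of the tag policy effects in the table above, as an added example.

Not code from the Azure documentation or Azure Policy. It models deny when a tag
is missing, append-if-missing, add-or-replace and inherit-from-resource-group,
and applies them in the order Azure Policy uses: append and modify effects alter
the request before deny is evaluated. All tag data below is constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class TagPolicy:
    name: str                         # display name, as in the table's NAME column
    effect: str                       # "deny", "append" or "modify", as in EFFECT(S)
    tag_name: str
    tag_value: Optional[str] = None   # literal value; None means inherit from the resource group
    only_if_missing: bool = True      # False models the "Add or replace" variants
    require_value: bool = False       # deny variants that also check the value


def _find_key(tags: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup of a tag name; returns the stored spelling or None."""
    for existing in tags:
        if existing.lower() == name.lower():
            return existing
    return None


def evaluate(resource_tags: Dict[str, str], rg_tags: Dict[str, str],
             policies: List[TagPolicy]) -> Tuple[str, Dict[str, str], List[str]]:
    """Return (decision, tags after append/modify, log of what each policy did)."""
    tags = dict(resource_tags)
    log: List[str] = []

    # Pass 1: append and modify effects, which change the request.
    for p in policies:
        if p.effect not in ("append", "modify"):
            continue
        value = p.tag_value
        if value is None:
            source = _find_key(rg_tags, p.tag_name)
            if source is None:
                log.append(f"{p.name}: resource group has no {p.tag_name!r} tag, nothing to inherit")
                continue
            value = rg_tags[source]
        existing = _find_key(tags, p.tag_name)
        if existing is not None and p.only_if_missing:
            log.append(f"{p.name}: {existing!r} already set, left unchanged")
            continue
        tags[existing or p.tag_name] = value
        log.append(f"{p.name}: set {p.tag_name!r}={value!r}")

    # Pass 2: deny effects, evaluated against the modified request.
    for p in policies:
        if p.effect != "deny":
            continue
        existing = _find_key(tags, p.tag_name)
        if existing is None:
            log.append(f"{p.name}: denied, tag {p.tag_name!r} missing")
            return "deny", tags, log
        if p.require_value and tags[existing] != p.tag_value:
            log.append(f"{p.name}: denied, {p.tag_name!r} is {tags[existing]!r}, required {p.tag_value!r}")
            return "deny", tags, log

    return "allow", tags, log


# Policies named after rows of the table above.
REQUIRE_DEPT = TagPolicy("Require a tag on resources", "deny", "Dept")
INHERIT_DEPT_IF_MISSING = TagPolicy("Inherit a tag from the resource group if missing", "modify", "Dept")
REPLACE_ENV = TagPolicy("Add or replace a tag on resources", "modify", "Environment", "Production",
                        only_if_missing=False)

# Constructed sample data: the resource group carries the department, the request does not.
SAMPLE_RG_TAGS = {"Dept": "Finance"}
SAMPLE_REQUEST_TAGS = {"Status": "Normal", "Environment": "Dev"}


def demo() -> Tuple[str, str]:
    """Same request, without and with the inherit policy: modify runs before deny."""
    without, _, _ = evaluate(SAMPLE_REQUEST_TAGS, SAMPLE_RG_TAGS, [REQUIRE_DEPT])
    with_inherit, _, _ = evaluate(SAMPLE_REQUEST_TAGS, SAMPLE_RG_TAGS,
                                  [REQUIRE_DEPT, INHERIT_DEPT_IF_MISSING])
    return without, with_inherit


if __name__ == "__main__":
    print(demo())  # ('deny', 'allow')
```

The "if missing" variants never overwrite an existing value, even one that differs only in case from the resource group's, which is the behaviour the table describes with "If the tag exists with a different value it will not be changed".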
Next steps
To learn about tagging resources, see Use tags to organize your Azure resources.
Not all resource types support tags. To determine if you can apply a tag to a resource type, see Tag support
for Azure resources.
Tag support for Azure resources
2/23/2022 • 49 minutes to read

This article describes whether a resource type supports tags. The column labeled Supports tags indicates
whether the resource type has a property for the tag. The column labeled Tag in cost report indicates whether
that resource type passes the tag to the cost report. You can view costs by tags in the Cost Management cost
analysis and the Azure billing invoice and daily usage data.
To get the same data as a file of comma-separated values, download tag-support.csv.
Jump to a resource provider namespace:

Microsoft.AAD
RESOURCE TYPE | SUPPORTS TAGS | TAG IN COST REPORT
DomainServices | Yes | Yes
DomainServices / oucontainer | No | No

Microsoft.Addons
RESOURCE TYPE | SUPPORTS TAGS | TAG IN COST REPORT
supportProviders | No | No

Microsoft.ADHybridHealthService
RESOURCE TYPE | SUPPORTS TAGS | TAG IN COST REPORT
aadsupportcases | No | No
addsservices | No | No
agents | No | No
anonymousapiusers | No | No
configuration | No | No
logs | No | No
reports | No | No
servicehealthmetrics | No | No
services | No | No

Microsoft.Advisor
RESOURCE TYPE | SUPPORTS TAGS | TAG IN COST REPORT
advisorScore | No | No
configurations | No | No
generateRecommendations | No | No
metadata | No | No
recommendations | No | No
suppressions | No | No

NOTE
All Microsoft.Advisor resources are free and therefore not included in the cost report.

Microsoft.AgFoodPlatform
RESOURCE TYPE | SUPPORTS TAGS | TAG IN COST REPORT
farmBeats | Yes | Yes
farmBeats / eventGridFilters | No | No
farmBeats / extensions | No | No
farmBeatsExtensionDefinitions | No | No

Microsoft.AlertsManagement
RESOURCE TYPE | SUPPORTS TAGS | TAG IN COST REPORT
actionRules | Yes | Yes
alerts | No | No
alertsList | No | No
alertsMetaData | No | No
alertsSummary | No | No
alertsSummaryList | No | No
migrateFromSmartDetection | No | No
prometheusRuleGroups | Yes | Yes
resourceHealthAlertRules | Yes | Yes
smartDetectorAlertRules | Yes | Yes
smartGroups | No | No

Microsoft.AnalysisServices
RESOURCE TYPE | SUPPORTS TAGS | TAG IN COST REPORT
servers | Yes | Yes

Microsoft.AnyBuild
RESOURCE TYPE | SUPPORTS TAGS | TAG IN COST REPORT
clusters | No | No

Microsoft.ApiManagement
RESOURCE TYPE | SUPPORTS TAGS | TAG IN COST REPORT
deletedServices | No | No
getDomainOwnershipIdentifier | No | No
reportFeedback | No | No
service | Yes | Yes
service / eventGridFilters | No | No
validateServiceName | No | No

NOTE
Azure API Management only supports creating a maximum of 15 tag name/value pairs for each service.

Microsoft.AppAssessment
RESOURCE TYPE | SUPPORTS TAGS | TAG IN COST REPORT
migrateProjects | No | No
migrateProjects / assessments | No | No
migrateProjects / assessments / assessedApplications | No | No
migrateProjects / assessments / assessedApplications / machines | No | No
migrateProjects / assessments / assessedMachines | No | No
migrateProjects / assessments / assessedMachines / applications | No | No
migrateProjects / assessments / machinesToAssess | No | No
migrateProjects / sites | No | No
migrateProjects / sites / applianceConfigurations | No | No
migrateProjects / sites / machines | No | No

Microsoft.AppConfiguration
RESOURCE TYPE | SUPPORTS TAGS | TAG IN COST REPORT
configurationStores | Yes | No
configurationStores / eventGridFilters | No | No
configurationStores / keyValues | No | No
deletedConfigurationStores | No | No

Microsoft.AppPlatform
RESOURCE TYPE | SUPPORTS TAGS | TAG IN COST REPORT
Spring | Yes | Yes
Spring / apps | No | No
Spring / apps / deployments | No | No

Microsoft.Attestation
RESOURCE TYPE | SUPPORTS TAGS | TAG IN COST REPORT
attestationProviders | Yes | Yes
defaultProviders | No | No

Microsoft.Authorization
RESOURCE TYPE | SUPPORTS TAGS | TAG IN COST REPORT
accessReviewScheduleDefinitions | No | No
accessReviewScheduleSettings | No | No
batchResourceCheckAccess | No | No
classicAdministrators | No | No
dataAliases | No | No
dataPolicyManifests | No | No
denyAssignments | No | No
diagnosticSettings | No | No
diagnosticSettingsCategories | No | No
elevateAccess | No | No
eligibleChildResources | No | No
findOrphanRoleAssignments | No | No
locks | No | No
permissions | No | No
policyAssignments | No | No
policyDefinitions | No | No
policyExemptions | No | No
policySetDefinitions | No | No
privateLinkAssociations | No | No
providerOperations | No | No
resourceManagementPrivateLinks | Yes | Yes
roleAssignmentApprovals | No | No
roleAssignments | No | No
roleAssignmentScheduleInstances | No | No
roleAssignmentScheduleRequests | No | No
roleAssignmentSchedules | No | No
roleAssignmentsUsageMetrics | No | No
roleDefinitions | No | No
roleEligibilityScheduleInstances | No | No
roleEligibilityScheduleRequests | No | No
roleEligibilitySchedules | No | No
roleManagementPolicies | No | No
roleManagementPolicyAssignments | No | No

Microsoft.Automanage
RESOURCE TYPE | SUPPORTS TAGS | TAG IN COST REPORT
accounts | Yes | Yes
bestPractices | No | No
bestPractices / versions | No | No
configurationProfileAssignmentIntents | No | No
configurationProfileAssignments | No | No
configurationProfilePreferences | Yes | Yes
configurationProfiles | Yes | Yes
configurationProfiles / versions | Yes | Yes

Microsoft.Automation
RESOURCE TYPE | SUPPORTS TAGS | TAG IN COST REPORT
automationAccounts | Yes | Yes
automationAccounts / configurations | Yes | Yes
automationAccounts / hybridRunbookWorkerGroups | No | No
automationAccounts / hybridRunbookWorkerGroups / hybridRunbookWorkers | No | No
automationAccounts / jobs | No | No
automationAccounts / privateEndpointConnectionProxies | No | No
automationAccounts / privateEndpointConnections | No | No
automationAccounts / privateLinkResources | No | No
automationAccounts / runbooks | Yes | Yes
automationAccounts / softwareUpdateConfigurations | No | No
automationAccounts / webhooks | No | No

NOTE
Azure Automation only supports creating a maximum of 15 tag name/value pairs for each Automation resource.

Microsoft.AVS
RESO URC E T Y P E SUP P O RT S TA GS TA G IN C O ST REP O RT

privateClouds Yes Yes

privateClouds / addons No No

privateClouds / authorizations No No

privateClouds / cloudLinks No No

privateClouds / clusters No No

privateClouds / clusters / datastores No No

privateClouds / clusters / placementPolicies No No

privateClouds / clusters / virtualMachines No No

privateClouds / globalReachConnections No No

privateClouds / hcxEnterpriseSites No No

privateClouds / scriptExecutions No No

privateClouds / scriptPackages No No

privateClouds / scriptPackages / scriptCmdlets No No

privateClouds / workloadNetworks No No

privateClouds / workloadNetworks / dhcpConfigurations No No

privateClouds / workloadNetworks / dnsServices No No

privateClouds / workloadNetworks / dnsZones No No

privateClouds / workloadNetworks / gateways No No

privateClouds / workloadNetworks / portMirroringProfiles No No

privateClouds / workloadNetworks / publicIPs No No

privateClouds / workloadNetworks / segments No No

privateClouds / workloadNetworks / virtualMachines No No

privateClouds / workloadNetworks / vmGroups No No

Microsoft.Azure.Geneva
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

environments No No

environments / accounts No No

environments / accounts / namespaces No No

environments / accounts / namespaces / configurations No No

Microsoft.AzureActiveDirectory
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

b2cDirectories Yes No

b2ctenants No No

guestUsages Yes Yes

Microsoft.AzureArcData
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

DataControllers No No

PostgresInstances No No

SqlManagedInstances No No

SqlServerInstances No No

Microsoft.AzureCIS
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

autopilotEnvironments No No

dstsServiceAccounts No No

dstsServiceClientIdentities No No

Microsoft.AzureData
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

sqlServerRegistrations Yes Yes

sqlServerRegistrations / sqlServers No No

Microsoft.AzurePercept
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

accounts No No

accounts / devices No No

accounts / devices / sensors No No

accounts / solutioninstances No No

accounts / solutions No No

accounts / targets No No

Microsoft.AzureSphere
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

catalogs No No

catalogs / certificates No No

catalogs / deployments No No

catalogs / devices No No

catalogs / images No No

catalogs / products No No

catalogs / products / devicegroups No No

Microsoft.AzureStack
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

cloudManifestFiles No No

linkedSubscriptions Yes Yes

registrations Yes Yes

registrations / customerSubscriptions No No

registrations / products No No

Microsoft.AzureStackHCI
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

clusters No No

clusters / arcSettings No No

clusters / arcSettings / extensions No No

galleryimages No No

networkinterfaces No No

virtualharddisks No No

virtualmachines No No

virtualmachines / extensions No No

virtualmachines / hybrididentitymetadata No No

virtualnetworks No No

Microsoft.BackupSolutions
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

VMwareApplications Yes Yes

Microsoft.BareMetalInfrastructure
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

bareMetalInstances Yes Yes

Microsoft.Batch
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

batchAccounts Yes Yes

batchAccounts / certificates No No

batchAccounts / pools No No

Microsoft.Billing
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

billingAccounts No No

billingAccounts / agreements No No

billingAccounts / appliedReservationOrders No No

billingAccounts / billingPermissions No No

billingAccounts / billingProfiles No No

billingAccounts / billingProfiles / billingPermissions No No

billingAccounts / billingProfiles / billingRoleAssignments No No

billingAccounts / billingProfiles / billingRoleDefinitions No No

billingAccounts / billingProfiles / billingSubscriptions No No

billingAccounts / billingProfiles / createBillingRoleAssignment No No

billingAccounts / billingProfiles / customers No No

billingAccounts / billingProfiles / instructions No No

billingAccounts / billingProfiles / invoices No No

billingAccounts / billingProfiles / invoices / pricesheet No No

billingAccounts / billingProfiles / invoices / transactions No No

billingAccounts / billingProfiles / invoiceSections No No

billingAccounts / billingProfiles / invoiceSections / billingPermissions No No

billingAccounts / billingProfiles / invoiceSections / billingRoleAssignments No No

billingAccounts / billingProfiles / invoiceSections / billingRoleDefinitions No No

billingAccounts / billingProfiles / invoiceSections / billingSubscriptions No No

billingAccounts / billingProfiles / invoiceSections / createBillingRoleAssignment No No

billingAccounts / billingProfiles / invoiceSections / initiateTransfer No No

billingAccounts / billingProfiles / invoiceSections / products No No

billingAccounts / billingProfiles / invoiceSections / products / transfer No No

billingAccounts / billingProfiles / invoiceSections / products / updateAutoRenew No No

billingAccounts / billingProfiles / invoiceSections / transactions No No

billingAccounts / billingProfiles / invoiceSections / transfers No No

billingAccounts / billingProfiles / invoiceSections / validateDeleteInvoiceSectionEligibility No No

billingAccounts / BillingProfiles / patchOperations No No

billingAccounts / billingProfiles / paymentMethodLinks No No

billingAccounts / billingProfiles / paymentMethods No No

billingAccounts / billingProfiles / policies No No

billingAccounts / billingProfiles / pricesheet No No

billingAccounts / billingProfiles / pricesheetDownloadOperations No No

billingAccounts / billingProfiles / products No No

billingAccounts / billingProfiles / reservations No No

billingAccounts / billingProfiles / transactions No No

billingAccounts / billingProfiles / validateDeleteBillingProfileEligibility No No

billingAccounts / billingProfiles / validateDetachPaymentMethodEligibility No No

billingAccounts / billingRoleAssignments No No

billingAccounts / billingRoleDefinitions No No

billingAccounts / billingSubscriptionAliases No No

billingAccounts / billingSubscriptions No No

billingAccounts / billingSubscriptions / elevateRole No No

billingAccounts / billingSubscriptions / invoices No No

billingAccounts / createBillingRoleAssignment No No

billingAccounts / createInvoiceSectionOperations No No

billingAccounts / customers No No

billingAccounts / customers / billingPermissions No No

billingAccounts / customers / billingSubscriptions No No

billingAccounts / customers / initiateTransfer No No

billingAccounts / customers / policies No No

billingAccounts / customers / products No No

billingAccounts / customers / transactions No No

billingAccounts / customers / transfers No No

billingAccounts / customers / transferSupportedAccounts No No

billingAccounts / departments No No

billingAccounts / departments / billingPermissions No No

billingAccounts / departments / billingRoleAssignments No No

billingAccounts / departments / billingRoleDefinitions No No

billingAccounts / departments / billingSubscriptions No No

billingAccounts / departments / enrollmentAccounts No No

billingAccounts / enrollmentAccounts No No

billingAccounts / enrollmentAccounts / billingPermissions No No

billingAccounts / enrollmentAccounts / billingRoleAssignments No No

billingAccounts / enrollmentAccounts / billingRoleDefinitions No No

billingAccounts / enrollmentAccounts / billingSubscriptions No No

billingAccounts / invoices No No

billingAccounts / invoices / transactions No No

billingAccounts / invoices / transactionSummary No No

billingAccounts / invoiceSections No No

billingAccounts / invoiceSections / billingSubscriptionMoveOperations No No

billingAccounts / invoiceSections / billingSubscriptions No No

billingAccounts / invoiceSections / billingSubscriptions / transfer No No

billingAccounts / invoiceSections / elevate No No

billingAccounts / invoiceSections / initiateTransfer No No

billingAccounts / invoiceSections / patchOperations No No

billingAccounts / invoiceSections / productMoveOperations No No

billingAccounts / invoiceSections / products No No

billingAccounts / invoiceSections / products / transfer No No

billingAccounts / invoiceSections / products / updateAutoRenew No No

billingAccounts / invoiceSections / transactions No No

billingAccounts / invoiceSections / transfers No No

billingAccounts / lineOfCredit No No

billingAccounts / patchOperations No No

billingAccounts / payableOverage No No

billingAccounts / paymentMethods No No

billingAccounts / payNow No No

billingAccounts / permissionRequests No No

billingAccounts / policies No No

billingAccounts / products No No

billingAccounts / promotionalCredits No No

billingAccounts / reservations No No

billingAccounts / savingsPlanOrders No No

billingAccounts / savingsPlanOrders / savingsPlans No No

billingAccounts / savingsPlans No No

billingAccounts / transactions No No

billingPeriods No No

billingPermissions No No

billingProperty No No

billingRoleAssignments No No

billingRoleDefinitions No No

createBillingRoleAssignment No No

departments No No

enrollmentAccounts No No

invoices No No

paymentMethods No No

permissionRequests No No

promotionalCredits No No

promotions No No

transfers No No

transfers / acceptTransfer No No

transfers / declineTransfer No No

transfers / operationStatus No No

transfers / validateTransfer No No

validateAddress No No

Microsoft.BillingBenefits
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

savingsPlanOrderAliases No No

savingsPlanOrders No No

savingsPlanOrders / savingsPlans No No

savingsPlans No No

validate No No

Microsoft.Blockchain
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

blockchainMembers Yes Yes

Microsoft.BlockchainTokens
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

TokenServices Yes Yes

TokenServices / BlockchainNetworks No No

TokenServices / Groups No No

TokenServices / Groups / Accounts No No

TokenServices / TokenTemplates No No

Microsoft.Blueprint
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

blueprintAssignments No No

blueprintAssignments / assignmentOperations No No

blueprintAssignments / operations No No

blueprints No No

blueprints / artifacts No No

blueprints / versions No No

blueprints / versions / artifacts No No

Microsoft.BotService
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

botServices Yes Yes

botServices / channels No No

botServices / connections No No

botServices / privateEndpointConnectionProxies No No

botServices / privateEndpointConnections No No

botServices / privateLinkResources No No

hostSettings No No

languages No No

templates No No

Microsoft.Cache
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

Redis Yes Yes

Redis / EventGridFilters No No

Redis / privateEndpointConnectionProxies No No

Redis / privateEndpointConnectionProxies / validate No No

Redis / privateEndpointConnections No No

Redis / privateLinkResources No No

redisEnterprise Yes Yes

redisEnterprise / databases No No

RedisEnterprise / privateEndpointConnectionProxies No No

RedisEnterprise / privateEndpointConnectionProxies / validate No No

RedisEnterprise / privateEndpointConnections No No

RedisEnterprise / privateLinkResources No No

Microsoft.Capacity
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

appliedReservations No No

autoQuotaIncrease No No

calculateExchange No No

calculatePrice No No

calculatePurchasePrice No No

catalogs No No

commercialReservationOrders No No

exchange No No

ownReservations No No

placePurchaseOrder No No

reservationOrders No No

reservationOrders / calculateRefund No No

reservationOrders / merge No No

reservationOrders / reservations No No

reservationOrders / reservations / revisions No No

reservationOrders / return No No

reservationOrders / split No No

reservationOrders / swap No No

reservations No No

resourceProviders No No

resources No No

validateReservationOrder No No

Microsoft.Cascade
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

sites No No

Microsoft.Cdn
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

CdnWebApplicationFirewallManagedRuleSets No No

CdnWebApplicationFirewallPolicies Yes Yes

edgenodes No No

profiles Yes Yes

profiles / afdendpoints Yes Yes

profiles / afdendpoints / routes No No

profiles / customdomains No No

profiles / endpoints Yes Yes

profiles / endpoints / customdomains No No

profiles / endpoints / origingroups No No

profiles / endpoints / origins No No

profiles / origingroups No No

profiles / origingroups / origins No No

profiles / rulesets No No

profiles / rulesets / rules No No

profiles / secrets No No

profiles / securitypolicies No No

validateProbe No No

Microsoft.CertificateRegistration
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

certificateOrders Yes Yes

certificateOrders / certificates No No

validateCertificateRegistrationInformation No No

Microsoft.ChangeAnalysis
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

changes No No

changeSnapshots No No

computeChanges No No

profile No No

resourceChanges No No

Microsoft.Chaos
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

artifactSetDefinitions No No

artifactSetSnapshots No No

chaosExperiments Yes Yes

chaosProviderConfigurations No No

chaosTargets No No

experiments Yes Yes

targets No No

Microsoft.ClassicCompute
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

capabilities No No

domainNames No No

domainNames / capabilities No No

domainNames / internalLoadBalancers No No

domainNames / serviceCertificates No No

domainNames / slots No No

domainNames / slots / roles No No

domainNames / slots / roles / metricDefinitions No No

domainNames / slots / roles / metrics No No

moveSubscriptionResources No No

operatingSystemFamilies No No

operatingSystems No No

quotas No No

resourceTypes No No

validateSubscriptionMoveAvailability No No

virtualMachines No No

virtualMachines / diagnosticSettings No No

virtualMachines / metricDefinitions No No

virtualMachines / metrics No No

Microsoft.ClassicInfrastructureMigrate
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

classicInfrastructureResources No No

Microsoft.ClassicNetwork
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

capabilities No No

expressRouteCrossConnections No No

expressRouteCrossConnections / peerings No No

gatewaySupportedDevices No No

networkSecurityGroups No No

quotas No No

reservedIps No No

virtualNetworks No No

virtualNetworks / remoteVirtualNetworkPeeringProxies No No

virtualNetworks / virtualNetworkPeerings No No

Microsoft.ClassicStorage
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

capabilities No No

disks No No

images No No

osImages No No

osPlatformImages No No

publicImages No No

quotas No No

storageAccounts No No

storageAccounts / blobServices No No

storageAccounts / fileServices No No

storageAccounts / metricDefinitions No No

storageAccounts / metrics No No

storageAccounts / queueServices No No

storageAccounts / services No No

storageAccounts / services / diagnosticSettings No No

storageAccounts / services / metricDefinitions No No

storageAccounts / services / metrics No No

storageAccounts / tableServices No No

storageAccounts / vmImages No No

vmImages No No

Microsoft.ClusterStor
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

nodes Yes Yes

Microsoft.CodeSigning
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

codeSigningAccounts No No

codeSigningAccounts / certificateProfiles No No

Microsoft.Codespaces
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

plans Yes No

registeredSubscriptions No No

Microsoft.CognitiveServices
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

accounts Yes Yes

accounts / networkSecurityPerimeterAssociationProxies No No

accounts / privateEndpointConnectionProxies No No

accounts / privateEndpointConnections No No

accounts / privateLinkResources No No

deletedAccounts No No

Microsoft.Commerce
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

RateCard No No

UsageAggregates No No

Microsoft.Compute
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

availabilitySets Yes Yes

capacityReservationGroups Yes Yes

capacityReservationGroups / capacityReservations Yes Yes

cloudServices Yes Yes

cloudServices / networkInterfaces No No

cloudServices / publicIPAddresses No No

cloudServices / roleInstances No No

cloudServices / roleInstances / networkInterfaces No No

cloudServices / roles No No

diskAccesses Yes Yes

diskEncryptionSets Yes Yes

disks Yes Yes

galleries Yes Yes

galleries / applications Yes No

galleries / applications / versions Yes No

galleries / images Yes No

galleries / images / versions Yes No

hostGroups Yes Yes

hostGroups / hosts Yes Yes

images Yes Yes

proximityPlacementGroups Yes Yes

restorePointCollections Yes Yes

restorePointCollections / restorePoints No No

restorePointCollections / restorePoints / diskRestorePoints No No

sharedVMExtensions Yes Yes

sharedVMExtensions / versions No No

sharedVMImages Yes Yes

sharedVMImages / versions No No

snapshots Yes Yes

sshPublicKeys Yes Yes

virtualMachines Yes Yes

virtualMachines / extensions Yes Yes

virtualMachines / metricDefinitions No No

virtualMachines / runCommands Yes Yes

virtualMachineScaleSets Yes Yes

virtualMachineScaleSets / extensions No No

virtualMachineScaleSets / networkInterfaces No No

virtualMachineScaleSets / publicIPAddresses Yes No

virtualMachineScaleSets / virtualMachines No No

virtualMachineScaleSets / virtualMachines / extensions No No

virtualMachineScaleSets / virtualMachines / networkInterfaces No No

NOTE
You can't add a tag to a virtual machine that has been marked as generalized. You mark a virtual machine as generalized
with Set-AzVm -Generalized or az vm generalize.
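
The note under Microsoft.Automation (at most 15 tag name/value pairs per Automation resource) and the note just above (a generalized VM can't be tagged), together with the many child types in this table that don't support tags at all, are what a bulk-tagging job or a deny-effect "require tag" policy trips over in practice. The following is an added example, not code from the Azure docs or from Microsoft: a Python pre-check that decides, per resource, whether a desired tag set can be written, and reports which types must be excluded from tag enforcement. Assumptions not stated on this page: `TAG_SUPPORT` is a hand-copied subset of the table; `ARM_MAX_TAGS = 50` is the general Resource Manager per-resource limit; `Resource.generalized` must be populated by the caller (for example from the `OSState/generalized` status in the VM instance view); the rows in `sample_inventory()` are constructed to look like Azure Resource Graph output and are not real resources.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Hand-copied subset of the page's table, keyed by lower-cased resource type:
# value is (supports tags, tag appears in cost report).
TAG_SUPPORT: dict[str, tuple[bool, bool]] = {
    "microsoft.automation/automationaccounts": (True, True),
    "microsoft.automation/automationaccounts/runbooks": (True, True),
    "microsoft.automation/automationaccounts/jobs": (False, False),
    "microsoft.compute/virtualmachines": (True, True),
    "microsoft.compute/galleries/images": (True, False),
    "microsoft.authorization/roleassignments": (False, False),
    "microsoft.containerregistry/registries": (True, True),
}

AUTOMATION_MAX_TAGS = 15  # from the Microsoft.Automation note on this page
ARM_MAX_TAGS = 50         # general Resource Manager limit; assumption, not stated in this section


@dataclass
class Resource:
    id: str
    type: str
    tags: dict[str, str] = field(default_factory=dict)
    generalized: bool = False  # caller sets this, e.g. from the VM instance view (assumption)


@dataclass
class Finding:
    resource_id: str
    level: str  # "error" | "warn" | "info"
    message: str


def merge_tags(existing: dict[str, str], desired: dict[str, str]) -> dict[str, str]:
    """ARM tag names are case-insensitive: a desired key replaces an existing key
    that differs only in case instead of adding a second pair toward the limit."""
    merged = dict(existing)
    for name, value in desired.items():
        for old in [k for k in merged if k.lower() == name.lower()]:
            del merged[old]
        merged[name] = value
    return merged


def plan_tags(res: Resource, desired: dict[str, str]) -> tuple[dict[str, str] | None, list[Finding]]:
    """Return the tag set to write (None if nothing should be written) and findings."""
    findings: list[Finding] = []
    rtype = res.type.lower()
    support = TAG_SUPPORT.get(rtype)
    if support is None:
        findings.append(Finding(res.id, "warn", f"{res.type}: not in the table subset; tag support unknown"))
        return None, findings
    supports_tags, in_cost_report = support
    if not supports_tags:
        # A deny-effect "require tag" policy that covers this type blocks its deployment.
        findings.append(Finding(res.id, "info", f"{res.type}: does not support tags; exclude from tag-enforcement policy"))
        return None, findings
    if rtype == "microsoft.compute/virtualmachines" and res.generalized:
        findings.append(Finding(res.id, "error", "generalized VM can't be tagged; tag the image built from it instead"))
        return None, findings
    merged = merge_tags(res.tags, desired)
    limit = AUTOMATION_MAX_TAGS if rtype.startswith("microsoft.automation/") else ARM_MAX_TAGS
    if len(merged) > limit:
        findings.append(Finding(res.id, "error", f"{len(merged)} tag pairs exceed the limit of {limit} for {res.type}"))
        return None, findings
    if not in_cost_report:
        findings.append(Finding(res.id, "warn", f"{res.type}: tags are stored but will not show in cost reports"))
    return merged, findings


def audit(inventory: list[Resource], desired: dict[str, str]) -> dict[str, list[Finding]]:
    """Run plan_tags over an inventory and group the findings by level."""
    grouped: dict[str, list[Finding]] = {"error": [], "warn": [], "info": []}
    for res in inventory:
        _, findings = plan_tags(res, desired)
        for f in findings:
            grouped[f.level].append(f)
    return grouped


def sample_inventory() -> list[Resource]:
    """Constructed sample shaped like Azure Resource Graph 'resources' rows (not real data)."""
    prefix = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/"
    return [
        Resource(prefix + "Microsoft.Automation/automationAccounts/aa1",
                 "Microsoft.Automation/automationAccounts", {f"k{i}": "v" for i in range(14)}),
        Resource(prefix + "Microsoft.Compute/virtualMachines/vm-golden",
                 "Microsoft.Compute/virtualMachines", {"Owner": "platform"}, generalized=True),
        Resource(prefix + "Microsoft.Compute/galleries/g1/images/img1",
                 "Microsoft.Compute/galleries/images"),
        Resource(prefix + "Microsoft.Authorization/roleAssignments/1111",
                 "Microsoft.Authorization/roleAssignments"),
        Resource(prefix + "Microsoft.ContainerRegistry/registries/acr1",
                 "Microsoft.ContainerRegistry/registries", {"owner": "old-team"}),
    ]


if __name__ == "__main__":
    for level, items in audit(sample_inventory(), {"Owner": "sec-eng", "CostCenter": "1234"}).items():
        for f in items:
            print(f"{level:5} {f.resource_id.rsplit('/', 1)[-1]}: {f.message}")
```

Run it directly to print the grouped findings for the constructed inventory. The `info` group is the list of types to exclude (for example with a `type` `notIn` condition) from a deny-effect tag policy; the `warn` group for a "Yes / No" type is the reminder that a tag on it will never reach the cost report, so cost attribution for that resource has to come from its parent or resource group.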

Microsoft.Communication
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

CommunicationServices No No

CommunicationServices / eventGridFilters No No

EmailServices No No

EmailServices / Domains No No

registeredSubscriptions No No

Microsoft.ConfidentialLedger
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

Ledgers No No

Microsoft.ConnectedCache
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

CacheNodes No No

enterpriseCustomers No No

Microsoft.ConnectedVehicle
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

platformAccounts No No

registeredSubscriptions No No

Microsoft.ConnectedVMwarevSphere
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

Clusters No No

Datastores No No

Hosts No No

ResourcePools No No

VCenters No No

VCenters / InventoryItems No No

VirtualMachines No No

VirtualMachines / Extensions Yes Yes

VirtualMachines / GuestAgents No No

VirtualMachines / HybridIdentityMetadata No No

VirtualMachineTemplates No No

VirtualNetworks No No

Microsoft.Consumption
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

AggregatedCost No No

Balances No No

Budgets No No

Charges No No

CostTags No No

credits No No

events No No

Forecasts No No

lots No No

Marketplaces No No

Pricesheets No No

products No No

ReservationDetails No No

ReservationRecommendationDetails No No

ReservationRecommendations No No

ReservationSummaries No No

ReservationTransactions No No

Tags No No

tenants No No

Terms No No

UsageDetails No No

Microsoft.ContainerInstance
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

containerGroups Yes Yes

serviceAssociationLinks No No

Microsoft.ContainerRegistry
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

registries Yes Yes

registries / agentPools Yes Yes

registries / builds No No

registries / builds / cancel No No

registries / builds / getLogLink No No

registries / buildTasks Yes Yes

registries / buildTasks / steps No No

registries / connectedRegistries No No

registries / connectedRegistries / deactivate No No

registries / eventGridFilters No No

registries / exportPipelines No No

registries / generateCredentials No No

registries / getBuildSourceUploadUrl No No

registries / GetCredentials No No

registries / importImage No No

registries / importPipelines No No

registries / pipelineRuns No No

registries / privateEndpointConnectionProxies No No

registries / privateEndpointConnectionProxies / validate No No

registries / privateEndpointConnections No No

registries / privateLinkResources No No

registries / queueBuild No No

registries / regenerateCredential No No

registries / regenerateCredentials No No

registries / replications Yes Yes

registries / runs No No

registries / runs / cancel No No

registries / scheduleRun No No

registries / scopeMaps No No

registries / taskRuns No No

registries / tasks Yes Yes

registries / tokens No No

registries / updatePolicies No No

registries / webhooks Yes Yes

registries / webhooks / getCallbackConfig No No

registries / webhooks / ping No No

Microsoft.ContainerService
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

containerServices Yes Yes

managedClusters Yes Yes

ManagedClusters / eventGridFilters No No

openShiftManagedClusters Yes Yes

snapshots Yes Yes

Microsoft.CostManagement
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

Alerts No No

BenefitUtilizationSummaries No No

BillingAccounts No No

Budgets No No

calculatePrice No No

CloudConnectors No No

Connectors Yes Yes

costAllocationRules No No

Departments No No

Dimensions No No

EnrollmentAccounts No No

Exports No No

ExternalBillingAccounts No No

ExternalBillingAccounts / Alerts No No

ExternalBillingAccounts / Dimensions No No

ExternalBillingAccounts / Forecast No No

ExternalBillingAccounts / Query No No

ExternalSubscriptions No No

ExternalSubscriptions / Alerts No No

ExternalSubscriptions / Dimensions No No

ExternalSubscriptions / Forecast No No

ExternalSubscriptions / Query No No

fetchPrices No No

Forecast No No

GenerateDetailedCostReport No No

GenerateReservationDetailsReport No No

Insights No No

Query No No

register No No

Reportconfigs No No

Reports No No

ScheduledActions No No

Settings No No

showbackRules No No

Views No No

Microsoft.CustomerLockbox
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

DisableLockbox No No

EnableLockbox No No

requests No No

TenantOptedIn No No

Microsoft.CustomProviders
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

associations No No

resourceProviders Yes Yes

Microsoft.D365CustomerInsights
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

instances Yes Yes

Microsoft.Dashboard
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

grafana No No

Microsoft.DataBox
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

jobs Yes Yes

Microsoft.DataBoxEdge
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

DataBoxEdgeDevices Yes Yes

Microsoft.Databricks
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

workspaces Yes Yes

workspaces / dbWorkspaces No No

workspaces / virtualNetworkPeerings No No

Microsoft.DataCatalog
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

catalogs Yes Yes

Microsoft.DataFactory
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

dataFactories Yes Yes

dataFactories / diagnosticSettings No No

dataFactories / metricDefinitions No No

dataFactorySchema No No

factories Yes Yes

factories / integrationRuntimes No No

NOTE
If you have Azure-SSIS integration runtimes in your data factory, their running cost will be tagged with data factory tags.
Running Azure-SSIS integration runtimes must be stopped and restarted for new data factory tags to be applied to their
running cost.

Microsoft.DataLakeAnalytics
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

accounts Yes Yes

accounts / dataLakeStoreAccounts No No

accounts / storageAccounts No No

accounts / storageAccounts / containers No No

accounts / transferAnalyticsUnits No No

Microsoft.DataLakeStore
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

accounts Yes Yes

accounts / eventGridFilters No No

accounts / firewallRules No No

Microsoft.DataMigration
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

DatabaseMigrations No No

services Yes Yes

services / projects Yes Yes

SqlMigrationServices Yes Yes

Microsoft.DataProtection
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

BackupVaults Yes Yes

ResourceGuards Yes Yes

Microsoft.DataShare
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

accounts Yes Yes

accounts / shares No No

accounts / shares / datasets No No

accounts / shares / invitations No No

accounts / shares / providersharesubscriptions No No

accounts / shares / synchronizationSettings No No

accounts / sharesubscriptions No No

accounts / sharesubscriptions / consumerSourceDataSets No No

accounts / sharesubscriptions / datasetmappings No No

accounts / sharesubscriptions / triggers No No

Microsoft.DBforMariaDB
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

servers Yes Yes

servers / advisors No No

servers / keys No No

servers / privateEndpointConnectionProxies No No

servers / privateEndpointConnections No No

servers / privateLinkResources No No

servers / queryTexts No No

servers / recoverableServers No No

servers / resetQueryPerformanceInsightData No No

servers / start No No

servers / stop No No

servers / topQueryStatistics No No

servers / virtualNetworkRules No No

servers / waitStatistics No No

Microsoft.DBforMySQL
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

flexibleServers Yes Yes

getPrivateDnsZoneSuffix No No

servers Yes Yes

servers / advisors No No

servers / keys No No

servers / privateEndpointConnectionProxies No No

servers / privateEndpointConnections No No

servers / privateLinkResources No No

servers / queryTexts No No

servers / recoverableServers No No

servers / resetQueryPerformanceInsightData No No

servers / start No No

servers / stop No No

servers / topQueryStatistics No No

servers / upgrade No No

servers / virtualNetworkRules No No

servers / waitStatistics No No

Microsoft.DBforPostgreSQL
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

flexibleServers Yes Yes

getPrivateDnsZoneSuffix No No

serverGroups Yes Yes

serverGroupsv2 Yes Yes

servers Yes Yes

servers / advisors No No

servers / keys No No

servers / privateEndpointConnectionProxies No No

servers / privateEndpointConnections No No

servers / privateLinkResources No No

servers / queryTexts No No

servers / recoverableServers No No

servers / resetQueryPerformanceInsightData No No

servers / topQueryStatistics No No

servers / virtualNetworkRules No No

servers / waitStatistics No No

serversv2 Yes Yes

Microsoft.DelegatedNetwork
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

controller Yes Yes

delegatedSubnets Yes Yes

orchestrators Yes Yes

Microsoft.DeploymentManager
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

artifactSources Yes Yes

rollouts Yes Yes

serviceTopologies Yes Yes

serviceTopologies / services Yes Yes

serviceTopologies / services / serviceUnits Yes Yes

steps Yes Yes

Microsoft.DesktopVirtualization
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

applicationgroups Yes Yes

applicationgroups / applications No No

applicationgroups / desktops No No

applicationgroups / startmenuitems No No

hostpools Yes Yes

hostpools / msixpackages No No

hostpools / sessionhosts No No

hostpools / sessionhosts / usersessions No No

hostpools / usersessions No No

scalingplans Yes Yes

workspaces Yes Yes

Microsoft.DevAI
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

instances No No

instances / experiments No No

instances / sandboxes No No

instances / sandboxes / experiments No No

Microsoft.Devices
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

ElasticPools Yes Yes

ElasticPools / IotHubTenants Yes Yes

ElasticPools / IotHubTenants / securitySettings No No

IotHubs Yes Yes

IotHubs / eventGridFilters No No

IotHubs / failover No No

IotHubs / securitySettings No No

ProvisioningServices Yes Yes

usages No No

Microsoft.DeviceUpdate
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

accounts No No

accounts / instances No No

accounts / privateEndpointConnectionProxies No No

accounts / privateEndpointConnections No No

accounts / privateLinkResources No No

registeredSubscriptions No No

Microsoft.DevOps
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

pipelines Yes Yes

Microsoft.DevSpaces
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

controllers Yes Yes

Microsoft.DevTestLab
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

labcenters Yes Yes

labs Yes Yes

labs / environments Yes Yes

labs / serviceRunners Yes Yes

labs / virtualMachines Yes Yes

schedules Yes Yes

Microsoft.Diagnostics
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

AzureKB No No

InsightDiagnostics No No

solutions No No

Microsoft.DigitalTwins
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

digitalTwinsInstances Yes Yes

digitalTwinsInstances / endpoints No No

digitalTwinsInstances / timeSeriesDatabaseConnections No No

Microsoft.DocumentDB
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

cassandraClusters Yes Yes

databaseAccountNames No No

databaseAccounts Yes Yes

restorableDatabaseAccounts No No

Microsoft.DomainRegistration
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

domains Yes Yes

domains / domainOwnershipIdentifiers No No

generateSsoRequest No No

topLevelDomains No No

validateDomainRegistrationInformation No No

Microsoft.DynamicsLcs
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

lcsprojects No No

lcsprojects / clouddeployments No No

lcsprojects / connectors No No

Microsoft.EdgeOrder
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT

addresses Yes Yes

orderItems Yes Yes

orders No No

productFamiliesMetadata No No

Microsoft.EnterpriseKnowledgeGraph

Resource type | Supports tags | Tag in cost report
--- | --- | ---
services | Yes | Yes

Microsoft.EventGrid

Resource type | Supports tags | Tag in cost report
--- | --- | ---
domains | Yes | Yes
domains / topics | No | No
eventSubscriptions | No | No
extensionTopics | No | No
partnerDestinations | Yes | Yes
partnerNamespaces | Yes | Yes
partnerNamespaces / channels | No | No
partnerNamespaces / eventChannels | No | No
partnerRegistrations | Yes | Yes
partnerTopics | Yes | Yes
partnerTopics / eventSubscriptions | No | No
systemTopics | Yes | Yes
systemTopics / eventSubscriptions | No | No
topics | Yes | Yes
topicTypes | No | No

Microsoft.EventHub

Resource type | Supports tags | Tag in cost report
--- | --- | ---
clusters | Yes | Yes
namespaces | Yes | Yes
namespaces / authorizationrules | No | No
namespaces / disasterrecoveryconfigs | No | No
namespaces / eventhubs | No | No
namespaces / eventhubs / authorizationrules | No | No
namespaces / eventhubs / consumergroups | No | No
namespaces / networkrulesets | No | No
namespaces / privateEndpointConnections | No | No

Microsoft.Experimentation

Resource type | Supports tags | Tag in cost report
--- | --- | ---
experimentWorkspaces | Yes | Yes

Microsoft.Falcon

Resource type | Supports tags | Tag in cost report
--- | --- | ---
namespaces | Yes | Yes

Microsoft.Features

Resource type | Supports tags | Tag in cost report
--- | --- | ---
featureConfigurations | No | No
featureProviderNamespaces | No | No
featureProviders | No | No
features | No | No
providers | No | No
subscriptionFeatureRegistrations | No | No

Microsoft.Fidalgo

Resource type | Supports tags | Tag in cost report
--- | --- | ---
devcenters | No | No
devcenters / catalogs | No | No
devcenters / catalogs / items | No | No
devcenters / environmentTypes | No | No
devcenters / mappings | No | No
machinedefinitions | No | No
networksettings | No | No
networksettings / healthchecks | No | No
projects | No | No
projects / catalogItems | No | No
projects / environments | No | No
projects / environments / deployments | No | No
projects / environmentTypes | No | No
projects / pools | No | No

Microsoft.FluidRelay

Resource type | Supports tags | Tag in cost report
--- | --- | ---
fluidRelayServers | No | No
fluidRelayServers / fluidRelayContainers | No | No

Microsoft.Gallery

Resource type | Supports tags | Tag in cost report
--- | --- | ---
enroll | No | No
galleryitems | No | No
generateartifactaccessuri | No | No
myareas | No | No
myareas / areas | No | No
myareas / areas / areas | No | No
myareas / areas / areas / galleryitems | No | No
myareas / areas / galleryitems | No | No
myareas / galleryitems | No | No
register | No | No
resources | No | No
retrieveresourcesbyid | No | No

Microsoft.Genomics

Resource type | Supports tags | Tag in cost report
--- | --- | ---
accounts | Yes | Yes

Microsoft.Graph

Resource type | Supports tags | Tag in cost report
--- | --- | ---
AzureAdApplication | No | No

Microsoft.GuestConfiguration

Resource type | Supports tags | Tag in cost report
--- | --- | ---
autoManagedAccounts | Yes | Yes
autoManagedVmConfigurationProfiles | Yes | Yes
configurationProfileAssignments | No | No
guestConfigurationAssignments | No | No
software | No | No
softwareUpdateProfile | No | No
softwareUpdates | No | No

Microsoft.HanaOnAzure

Resource type | Supports tags | Tag in cost report
--- | --- | ---
hanaInstances | Yes | Yes
sapMonitors | Yes | Yes

Microsoft.HardwareSecurityModules

Resource type | Supports tags | Tag in cost report
--- | --- | ---
dedicatedHSMs | Yes | Yes

Microsoft.HDInsight

Resource type | Supports tags | Tag in cost report
--- | --- | ---
clusterPools | Yes | Yes
clusterPools / clusters | Yes | Yes
clusterPools / clusters / instanceViews | No | No
clusterPools / clusters / serviceConfigs | No | No
clusterPools / clusters / sessionClusters | Yes | Yes
clusterPools / clusters / sessionClusters / instanceViews | No | No
clusterPools / clusters / sessionClusters / serviceConfigs | No | No
clusters | Yes | Yes
clusters / applications | No | No

Microsoft.HealthBot

Resource type | Supports tags | Tag in cost report
--- | --- | ---
healthBots | No | No

Microsoft.HealthcareApis

Resource type | Supports tags | Tag in cost report
--- | --- | ---
services | Yes | Yes
services / iomtconnectors | No | No
services / iomtconnectors / connections | No | No
services / iomtconnectors / mappings | No | No
services / privateEndpointConnectionProxies | No | No
services / privateEndpointConnections | No | No
services / privateLinkResources | No | No
workspaces | Yes | Yes
workspaces / dicomservices | Yes | Yes
workspaces / eventGridFilters | No | No
workspaces / fhirservices | Yes | Yes
workspaces / iotconnectors | Yes | Yes
workspaces / iotconnectors / destinations | No | No
workspaces / iotconnectors / fhirdestinations | No | No
workspaces / privateEndpointConnectionProxies | No | No
workspaces / privateEndpointConnections | No | No
workspaces / privateLinkResources | No | No

Microsoft.HpcWorkbench

Resource type | Supports tags | Tag in cost report
--- | --- | ---
instances | No | No
instances / chambers | No | No
instances / chambers / accessProfiles | No | No
instances / chambers / workloads | No | No
instances / consortiums | No | No

Microsoft.HybridCompute

Resource type | Supports tags | Tag in cost report
--- | --- | ---
machines | Yes | Yes
machines / assessPatches | No | No
machines / extensions | Yes | Yes
machines / installPatches | No | No
machines / privateLinkScopes | No | No
privateLinkScopes | Yes | Yes
privateLinkScopes / privateEndpointConnectionProxies | No | No
privateLinkScopes / privateEndpointConnections | No | No

Microsoft.HybridConnectivity

Resource type | Supports tags | Tag in cost report
--- | --- | ---
endpoints | No | No

Microsoft.HybridContainerService

Resource type | Supports tags | Tag in cost report
--- | --- | ---
provisionedClusters | No | No
provisionedClusters / agentPools | No | No
provisionedClusters / hybridIdentityMetadata | No | No

Microsoft.HybridData

Resource type | Supports tags | Tag in cost report
--- | --- | ---
dataManagers | Yes | Yes

Microsoft.HybridNetwork

Resource type | Supports tags | Tag in cost report
--- | --- | ---
devices | No | No
networkFunctions | No | No
networkFunctionVendors | No | No
registeredSubscriptions | No | No
vendors | No | No
vendors / vendorSkus | No | No
vendors / vendorSkus / previewSubscriptions | No | No

Microsoft.Hydra

Resource type | Supports tags | Tag in cost report
--- | --- | ---
components | Yes | Yes
networkScopes | Yes | Yes

Microsoft.ImportExport

Resource type | Supports tags | Tag in cost report
--- | --- | ---
jobs | Yes | Yes

Microsoft.Insights

Resource type | Supports tags | Tag in cost report
--- | --- | ---
actionGroups | Yes | Yes
activityLogAlerts | Yes | Yes
alertrules | Yes | Yes
autoscalesettings | Yes | Yes
components | Yes | Yes
components / analyticsItems | No | No
components / favorites | No | No
components / linkedStorageAccounts | No | No
components / myAnalyticsItems | No | No
components / pricingPlans | No | No
components / ProactiveDetectionConfigs | No | No
dataCollectionEndpoints | No | No
dataCollectionRuleAssociations | No | No
dataCollectionRules | Yes | Yes
diagnosticSettings | No | No
guestDiagnosticSettings | Yes | Yes
guestDiagnosticSettingsAssociation | Yes | Yes
logprofiles | Yes | Yes
metricAlerts | Yes | Yes
myWorkbooks | No | No
privateLinkScopes | Yes | Yes
privateLinkScopes / privateEndpointConnections | No | No
privateLinkScopes / scopedResources | No | No
queryPacks | Yes | Yes
queryPacks / queries | No | No
scheduledQueryRules | Yes | Yes
webtests | Yes | Yes
workbooks | Yes | Yes
workbooktemplates | Yes | Yes

Microsoft.Intune

Resource type | Supports tags | Tag in cost report
--- | --- | ---
diagnosticSettings | No | No
diagnosticSettingsCategories | No | No

Microsoft.IoTCentral

Resource type | Supports tags | Tag in cost report
--- | --- | ---
appTemplates | No | No
IoTApps | Yes | Yes

Microsoft.IoTFirmwareDefense

Resource type | Supports tags | Tag in cost report
--- | --- | ---
firmwareGroups | No | No
firmwareGroups / firmwares | No | No

Microsoft.IoTSecurity

Resource type | Supports tags | Tag in cost report
--- | --- | ---
alertTypes | No | No
defenderSettings | No | No
onPremiseSensors | No | No
recommendationTypes | No | No
sensors | No | No
sites | No | No

Microsoft.IoTSpaces

Resource type | Supports tags | Tag in cost report
--- | --- | ---
Graph | Yes | Yes

Microsoft.KeyVault

Resource type | Supports tags | Tag in cost report
--- | --- | ---
deletedManagedHSMs | No | No
deletedVaults | No | No
hsmPools | Yes | Yes
managedHSMs | Yes | Yes
vaults | Yes | Yes
vaults / accessPolicies | No | No
vaults / eventGridFilters | No | No
vaults / keys | No | No
vaults / keys / versions | No | No
vaults / secrets | No | No

Microsoft.Kubernetes

Resource type | Supports tags | Tag in cost report
--- | --- | ---
connectedClusters | No | No
registeredSubscriptions | No | No

Microsoft.KubernetesConfiguration

Resource type | Supports tags | Tag in cost report
--- | --- | ---
extensions | No | No
fluxConfigurations | No | No
namespaces | No | No
sourceControlConfigurations | No | No

Microsoft.Kusto

Resource type | Supports tags | Tag in cost report
--- | --- | ---
clusters | Yes | Yes
clusters / attacheddatabaseconfigurations | No | No
clusters / databases | No | No
clusters / databases / dataconnections | No | No
clusters / databases / eventhubconnections | No | No
clusters / databases / principalassignments | No | No
clusters / databases / scripts | No | No
clusters / dataconnections | No | No
clusters / principalassignments | No | No
clusters / sharedidentities | No | No

Microsoft.LabServices

Resource type | Supports tags | Tag in cost report
--- | --- | ---
labaccounts | Yes | No
labplans | Yes | Yes
labs | Yes | Yes
users | No | No

Microsoft.LocationServices

Resource type | Supports tags | Tag in cost report
--- | --- | ---
accounts | Yes | Yes

Microsoft.Logic

Resource type | Supports tags | Tag in cost report
--- | --- | ---
hostingEnvironments | Yes | Yes
integrationAccounts | Yes | Yes
integrationServiceEnvironments | Yes | Yes
integrationServiceEnvironments / managedApis | No | No
isolatedEnvironments | Yes | Yes
workflows | Yes | Yes

Microsoft.MachineLearning

Resource type | Supports tags | Tag in cost report
--- | --- | ---
commitmentPlans | Yes | Yes
webServices | Yes | Yes
Workspaces | Yes | Yes

Microsoft.MachineLearningServices

Resource type | Supports tags | Tag in cost report
--- | --- | ---
aisysteminventories | Yes | Yes
virtualclusters | Yes | Yes
workspaces | Yes | Yes
workspaces / batchEndpoints | Yes | Yes
workspaces / batchEndpoints / deployments | Yes | Yes
workspaces / batchEndpoints / deployments / jobs | No | No
workspaces / batchEndpoints / jobs | No | No
workspaces / codes | No | No
workspaces / codes / versions | No | No
workspaces / components | No | No
workspaces / components / versions | No | No
workspaces / computes | No | No
workspaces / data | No | No
workspaces / datasets | No | No
workspaces / datastores | No | No
workspaces / environments | No | No
workspaces / eventGridFilters | No | No
workspaces / jobs | No | No
workspaces / labelingJobs | No | No
workspaces / linkedServices | No | No
workspaces / models | No | No
workspaces / models / versions | No | No
workspaces / onlineEndpoints | Yes | Yes
workspaces / onlineEndpoints / deployments | Yes | Yes
workspaces / services | No | No

NOTE
Workspace tags don't propagate to compute clusters and compute instances.

Microsoft.Maintenance

Resource type | Supports tags | Tag in cost report
--- | --- | ---
applyUpdates | No | No
configurationAssignments | No | No
maintenanceConfigurations | Yes | Yes
publicMaintenanceConfigurations | No | No
updates | No | No

Microsoft.ManagedIdentity

Resource type | Supports tags | Tag in cost report
--- | --- | ---
Identities | No | No
userAssignedIdentities | Yes | Yes

Microsoft.ManagedServices

Resource type | Supports tags | Tag in cost report
--- | --- | ---
marketplaceRegistrationDefinitions | No | No
registrationAssignments | No | No
registrationDefinitions | No | No

Microsoft.Management

Resource type | Supports tags | Tag in cost report
--- | --- | ---
getEntities | No | No
managementGroups | No | No
managementGroups / settings | No | No
resources | No | No
startTenantBackfill | No | No
tenantBackfillStatus | No | No

Microsoft.Maps

Resource type | Supports tags | Tag in cost report
--- | --- | ---
accounts | Yes | Yes
accounts / creators | Yes | Yes
accounts / eventGridFilters | No | No
accounts / privateAtlases | Yes | Yes

Microsoft.Marketplace

Resource type | Supports tags | Tag in cost report
--- | --- | ---
macc | No | No
offers | No | No
offerTypes | No | No
offerTypes / publishers | No | No
offerTypes / publishers / offers | No | No
offerTypes / publishers / offers / plans | No | No
offerTypes / publishers / offers / plans / agreements | No | No
offerTypes / publishers / offers / plans / configs | No | No
offerTypes / publishers / offers / plans / configs / importImage | No | No
privategalleryitems | No | No
privateStoreClient | No | No
privateStores | No | No
privateStores / AdminRequestApprovals | No | No
privateStores / billingAccounts | No | No
privateStores / bulkCollectionsAction | No | No
privateStores / collections | No | No
privateStores / collections / offers | No | No
privateStores / collections / transferOffers | No | No
privateStores / collectionsToSubscriptionsMapping | No | No
privateStores / fetchAllSubscriptionsInTenant | No | No
privateStores / offers | No | No
privateStores / offers / acknowledgeNotification | No | No
privateStores / queryApprovedPlans | No | No
privateStores / queryNotificationsState | No | No
privateStores / queryOffers | No | No
privateStores / RequestApprovals | No | No
privateStores / requestApprovals / query | No | No
privateStores / requestApprovals / withdrawPlan | No | No
products | No | No
publishers | No | No
publishers / offers | No | No
publishers / offers / amendments | No | No
register | No | No

Microsoft.MarketplaceApps

Resource type | Supports tags | Tag in cost report
--- | --- | ---
classicDevServices | Yes | Yes
updateCommunicationPreference | No | No

Microsoft.MarketplaceNotifications

Resource type | Supports tags | Tag in cost report
--- | --- | ---
reviewsnotifications | No | No

Microsoft.MarketplaceOrdering

Resource type | Supports tags | Tag in cost report
--- | --- | ---
agreements | No | No
offertypes | No | No

Microsoft.Media

Resource type | Supports tags | Tag in cost report
--- | --- | ---
mediaservices | Yes | Yes
mediaservices / accountFilters | No | No
mediaservices / assets | No | No
mediaservices / assets / assetFilters | No | No
mediaservices / contentKeyPolicies | No | No
mediaservices / eventGridFilters | No | No
mediaservices / graphInstances | No | No
mediaservices / graphTopologies | No | No
mediaservices / liveEventOperations | No | No
mediaservices / liveEvents | Yes | Yes
mediaservices / liveEvents / liveOutputs | No | No
mediaservices / liveOutputOperations | No | No
mediaservices / mediaGraphs | No | No
mediaservices / privateEndpointConnectionOperations | No | No
mediaservices / privateEndpointConnectionProxies | No | No
mediaservices / privateEndpointConnections | No | No
mediaservices / streamingEndpointOperations | No | No
mediaservices / streamingEndpoints | Yes | Yes
mediaservices / streamingLocators | No | No
mediaservices / streamingPolicies | No | No
mediaservices / transforms | No | No
mediaservices / transforms / jobs | No | No
videoAnalyzers | Yes | Yes
videoAnalyzers / accessPolicies | No | No
videoAnalyzers / edgeModules | No | No
videoAnalyzers / livePipelines | No | No
videoAnalyzers / pipelineJobs | No | No
videoAnalyzers / pipelineTopologies | No | No
videoAnalyzers / videos | No | No

Microsoft.Migrate

Resource type | Supports tags | Tag in cost report
--- | --- | ---
assessmentProjects | Yes | Yes
migrateprojects | Yes | Yes
moveCollections | Yes | Yes
projects | Yes | Yes

Microsoft.MixedReality

Resource type | Supports tags | Tag in cost report
--- | --- | ---
holographicsBroadcastAccounts | Yes | Yes
objectAnchorsAccounts | Yes | Yes
objectUnderstandingAccounts | Yes | Yes
remoteRenderingAccounts | Yes | Yes
spatialAnchorsAccounts | Yes | Yes

Microsoft.MobileNetwork

Resource type | Supports tags | Tag in cost report
--- | --- | ---
mobileNetworks | No | No
mobileNetworks / dataNetworks | No | No
mobileNetworks / services | No | No
mobileNetworks / simPolicies | No | No
mobileNetworks / sites | No | No
mobileNetworks / slices | No | No
networks | No | No
networks / sites | No | No
packetCoreControlPlanes | No | No
packetCoreControlPlanes / packetCoreDataPlanes | No | No
packetCoreControlPlanes / packetCoreDataPlanes / attachedDataNetworks | No | No
packetCores | No | No
sims | No | No
sims / simProfiles | No | No

Microsoft.Monitor

Resource type | Supports tags | Tag in cost report
--- | --- | ---
accounts | Yes | Yes

Microsoft.NetApp

Resource type | Supports tags | Tag in cost report
--- | --- | ---
netAppAccounts | Yes | No
netAppAccounts / accountBackups | No | No
netAppAccounts / capacityPools | Yes | Yes
netAppAccounts / capacityPools / volumes | Yes | No
netAppAccounts / capacityPools / volumes / snapshots | No | No
netAppAccounts / capacityPools / volumes / subvolumes | No | No
netAppAccounts / snapshotPolicies | Yes | Yes
netAppAccounts / volumeGroups | No | No

Microsoft.NetworkFunction

Resource type | Supports tags | Tag in cost report
--- | --- | ---
azureTrafficCollectors | Yes | Yes

Microsoft.Network

Resource type | Supports tags | Tag in cost report
--- | --- | ---
applicationGateways | Yes | Yes
applicationGatewayWebApplicationFirewallPolicies | Yes | Yes
applicationSecurityGroups | Yes | Yes
azureFirewallFqdnTags | No | No
azureFirewalls | Yes | No
bastionHosts | Yes | No
bgpServiceCommunities | No | No
connections | Yes | Yes
customIpPrefixes | Yes | Yes
ddosCustomPolicies | Yes | Yes
ddosProtectionPlans | Yes | Yes
dnsOperationStatuses | No | No
dnszones | Yes, see note below | Yes
dnszones / A | No | No
dnszones / AAAA | No | No
dnszones / all | No | No
dnszones / CAA | No | No
dnszones / CNAME | No | No
dnszones / MX | No | No
dnszones / NS | No | No
dnszones / PTR | No | No
dnszones / recordsets | No | No
dnszones / SOA | No | No
dnszones / SRV | No | No
dnszones / TXT | No | No
dscpConfigurations | Yes | Yes
expressRouteCircuits | Yes | Yes
expressRouteCrossConnections | Yes | Yes
expressRouteGateways | Yes | Yes
expressRoutePorts | Yes | Yes
expressRouteServiceProviders | No | No
firewallPolicies | Yes, see note below | Yes
frontdoors | Yes, but limited (see note below) | Yes
frontdoorWebApplicationFirewallManagedRuleSets | Yes, but limited (see note below) | No
frontdoorWebApplicationFirewallPolicies | Yes, but limited (see note below) | Yes
getDnsResourceReference | No | No
internalNotify | No | No
ipAllocations | Yes | Yes
ipGroups | Yes, see note below | Yes
loadBalancers | Yes | Yes
localNetworkGateways | Yes | Yes
natGateways | Yes | Yes
networkIntentPolicies | Yes | Yes
networkInterfaces | Yes | Yes
networkManagers | Yes | Yes
networkProfiles | Yes | Yes
networkSecurityGroups | Yes | Yes
networkVirtualAppliances | Yes | Yes
networkWatchers | Yes | Yes
networkWatchers / connectionMonitors | Yes | No
networkWatchers / flowLogs | Yes | No
networkWatchers / lenses | Yes | No
networkWatchers / pingMeshes | Yes | No
p2sVpnGateways | Yes | Yes
privateDnsOperationStatuses | No | No
privateDnsZones | Yes | Yes
privateDnsZones / A | No | No
privateDnsZones / AAAA | No | No
privateDnsZones / all | No | No
privateDnsZones / CNAME | No | No
privateDnsZones / MX | No | No
privateDnsZones / PTR | No | No
privateDnsZones / SOA | No | No
privateDnsZones / SRV | No | No
privateDnsZones / TXT | No | No
privateDnsZones / virtualNetworkLinks | Yes | Yes
privateEndpoints | Yes | Yes
privateLinkServices | Yes | Yes
publicIPAddresses | Yes | Yes
publicIPPrefixes | Yes | Yes
routeFilters | Yes | Yes
routeTables | Yes | Yes
securityPartnerProviders | Yes | Yes
serviceEndpointPolicies | Yes | Yes
trafficManagerGeographicHierarchies | No | No
trafficmanagerprofiles | Yes, see note below | Yes
trafficmanagerprofiles / heatMaps | No | No
trafficManagerUserMetricsKeys | No | No
virtualHubs | Yes | Yes
virtualNetworkGateways | Yes | Yes
virtualNetworks | Yes | Yes
virtualNetworks / subnets | No | No
virtualNetworkTaps | Yes | Yes
virtualWans | Yes | No
vpnGateways | Yes | Yes
vpnServerConfigurations | Yes | Yes
vpnSites | Yes | Yes
webApplicationFirewallPolicies | Yes | Yes

NOTE
For Azure Front Door Service, you can apply tags when creating the resource, but updating or adding tags is not currently supported. Front Door doesn't support the use of # or : in the tag name.
Azure DNS zones and Traffic Manager don't support the use of spaces in the tag or a tag that starts with a number. Azure DNS tag names do not support special and Unicode characters. The value can contain all characters.
Azure IP Groups and Azure Firewall Policies don't support PATCH operations, which means they don't support updating tags through the portal. Instead, use the update commands for those resources. For example, you can update tags for an IP group with the az network ip-group update command.

Microsoft.Notebooks

Resource type | Supports tags | Tag in cost report
--- | --- | ---
NotebookProxies | No | No

Microsoft.NotificationHubs

Resource type | Supports tags | Tag in cost report
--- | --- | ---
namespaces | Yes | No
namespaces / notificationHubs | Yes | No

Microsoft.ObjectStore

Resource type | Supports tags | Tag in cost report
--- | --- | ---
osNamespaces | No | No

Microsoft.OffAzure

Resource type | Supports tags | Tag in cost report
--- | --- | ---
HyperVSites | Yes | Yes
ImportSites | Yes | Yes
MasterSites | Yes | Yes
ServerSites | Yes | Yes
VMwareSites | Yes | Yes

Microsoft.OpenEnergyPlatform

Resource type | Supports tags | Tag in cost report
--- | --- | ---
energyServices | No | No

Microsoft.OperationalInsights

Resource type | Supports tags | Tag in cost report
--- | --- | ---
clusters | Yes | Yes
deletedWorkspaces | No | No
linkTargets | No | No
querypacks | Yes | Yes
storageInsightConfigs | No | No
workspaces | Yes | Yes
workspaces / dataExports | No | No
workspaces / dataSources | No | No
workspaces / linkedServices | No | No
workspaces / linkedStorageAccounts | No | No
workspaces / metadata | No | No
workspaces / query | No | No
workspaces / scopedPrivateLinkProxies | No | No
workspaces / storageInsightConfigs | No | No
workspaces / tables | No | No

Microsoft.OperationsManagement

Resource type | Supports tags | Tag in cost report
--- | --- | ---
managementassociations | No | No
managementconfigurations | Yes | Yes
solutions | Yes | Yes
views | Yes | Yes

Microsoft.Peering

Resource type | Supports tags | Tag in cost report
--- | --- | ---
cdnPeeringPrefixes | No | No
legacyPeerings | No | No
lookingGlass | No | No
peerAsns | No | No
peerings | Yes | Yes
peeringServiceCountries | No | No
peeringServiceProviders | No | No
peeringServices | Yes | Yes

Microsoft.PlayFab

Resource type | Supports tags | Tag in cost report
--- | --- | ---
PlayerAccountPools | No | No
Titles | No | No

Microsoft.PolicyInsights

Resource type | Supports tags | Tag in cost report
--- | --- | ---
attestations | No | No
eventGridFilters | No | No
policyEvents | No | No
policyMetadata | No | No
policyStates | No | No
policyTrackedResources | No | No
remediations | No | No

Microsoft.Portal

Resource type | Supports tags | Tag in cost report
--- | --- | ---
consoles | No | No
dashboards | Yes | Yes
tenantconfigurations | No | No
userSettings | No | No

Microsoft.PowerBI

Resource type | Supports tags | Tag in cost report
--- | --- | ---
privateLinkServicesForPowerBI | Yes | Yes
tenants | Yes | Yes
tenants / workspaces | No | No
workspaceCollections | Yes | Yes

Microsoft.PowerBIDedicated

Resource type | Supports tags | Tag in cost report
--- | --- | ---
autoScaleVCores | Yes | Yes
capacities | Yes | Yes
servers | Yes | Yes

Microsoft.PowerPlatform

Resource type | Supports tags | Tag in cost report
--- | --- | ---
accounts | Yes | Yes
enterprisePolicies | Yes | Yes

Microsoft.ProjectBabylon

Resource type | Supports tags | Tag in cost report
--- | --- | ---
accounts | Yes | Yes
deletedAccounts | No | No

Microsoft.ProviderHub

Resource type | Supports tags | Tag in cost report
--- | --- | ---
providerRegistrations | No | No
providerRegistrations / customRollouts | No | No
providerRegistrations / defaultRollouts | No | No
providerRegistrations / resourceActions | No | No
providerRegistrations / resourceTypeRegistrations | No | No

Microsoft.Purview

Resource type | Supports tags | Tag in cost report
--- | --- | ---
accounts | Yes | Yes
accounts / kafkaConfigurations | No | No
deletedAccounts | No | No
getDefaultAccount | No | No
removeDefaultAccount | No | No
setDefaultAccount | No | No

Microsoft.Quantum

Resource type | Supports tags | Tag in cost report
--- | --- | ---
Workspaces | No | No

Microsoft.Quota

Resource type | Supports tags | Tag in cost report
--- | --- | ---
quotaRequests | No | No
quotas | No | No
usages | No | No

Microsoft.RecommendationsService

Resource type | Supports tags | Tag in cost report
--- | --- | ---
accounts | No | No
accounts / modeling | No | No
accounts / serviceEndpoints | No | No

Microsoft.RecoveryServices

Resource type | Supports tags | Tag in cost report
--- | --- | ---
backupProtectedItems | No | No
vaults | Yes | Yes

Microsoft.RedHatOpenShift

Resource type | Supports tags | Tag in cost report
--- | --- | ---
OpenShiftClusters | Yes | Yes

Microsoft.Relay

Resource type | Supports tags | Tag in cost report
--- | --- | ---
namespaces | Yes | Yes
namespaces / authorizationrules | No | No
namespaces / hybridconnections | No | No
namespaces / hybridconnections / authorizationrules | No | No
namespaces / privateEndpointConnections | No | No
namespaces / wcfrelays | No | No
namespaces / wcfrelays / authorizationrules | No | No

Microsoft.ResourceConnector

Resource type | Supports tags | Tag in cost report
--- | --- | ---
appliances | Yes | Yes

Microsoft.ResourceGraph

Resource type | Supports tags | Tag in cost report
--- | --- | ---
queries | Yes | Yes
resourceChangeDetails | No | No
resourceChanges | No | No
resources | No | No
resourcesHistory | No | No
subscriptionsStatus | No | No

Microsoft.ResourceHealth

Resource type | Supports tags | Tag in cost report
--- | --- | ---
availabilityStatuses | No | No
childAvailabilityStatuses | No | No
childResources | No | No
emergingissues | No | No
events | No | No
impactedResources | No | No
metadata | No | No

Microsoft.Resources

Resource type | Supports tags | Tag in cost report
--- | --- | ---
deployments | Yes | No
deployments / operations | No | No
deploymentScripts | Yes | Yes
deploymentScripts / logs | No | No
deploymentStacks | No | No
deploymentStacks / snapshots | No | No
links | No | No
providers | No | No
resourceGroups | Yes | No
subscriptions | Yes | No
templateSpecs | Yes | Yes
templateSpecs / versions | Yes | Yes
tenants | No | No

Microsoft.SaaS

Resource type | Supports tags | Tag in cost report
--- | --- | ---
applications | Yes | Yes
resources | Yes | Yes
saasresources | No | No

Microsoft.Scheduler

Resource type | Supports tags | Tag in cost report
--- | --- | ---
jobcollections | Yes | Yes

Microsoft.Scom

Resource type | Supports tags | Tag in cost report
--- | --- | ---
managedInstances | No | No

Microsoft.ScVmm

Resource type | Supports tags | Tag in cost report
--- | --- | ---
AvailabilitySets | No | No
clouds | No | No
VirtualMachines | No | No
VirtualMachineTemplates | No | No
VirtualNetworks | No | No
vmmservers | No | No
VMMServers / InventoryItems | No | No

Microsoft.Search

Resource type | Supports tags | Tag in cost report
--- | --- | ---
resourceHealthMetadata | No | No
searchServices | Yes | Yes

Microsoft.Security

Resource type | Supports tags | Tag in cost report
--- | --- | ---
adaptiveNetworkHardenings | No | No
advancedThreatProtectionSettings | No | No
alerts | No | No
alertsSuppressionRules | No | No
allowedConnections | No | No
antiMalwareSettings | No | No
applicationWhitelistings | No | No
assessmentMetadata | No | No
assessments | No | No
assessments / governanceAssignments | No | No
assignments | Yes | Yes
attackPaths | No | No
autoDismissAlertsRules | No | No
automations | Yes | Yes
AutoProvisioningSettings | No | No
Compliances | No | No
connectedContainerRegistries | No | No
connectors | No | No
customAssessmentAutomations | Yes | Yes
customEntityStoreAssignments | Yes | Yes
dataCollectionAgents | No | No
dataScanners | Yes | Yes
deviceSecurityGroups | No | No
discoveredSecuritySolutions | No | No
externalSecuritySolutions | No | No
governanceRules | No | No
InformationProtectionPolicies | No | No
ingestionSettings | No | No
insights | No | No
iotSecuritySolutions | Yes | Yes
iotSecuritySolutions / analyticsModels | No | No
iotSecuritySolutions / analyticsModels / aggregatedAlerts | No | No
iotSecuritySolutions / analyticsModels / aggregatedRecommendations | No | No
iotSecuritySolutions / iotAlerts | No | No
iotSecuritySolutions / iotAlertTypes | No | No
iotSecuritySolutions / iotRecommendations | No | No
iotSecuritySolutions / iotRecommendationTypes | No | No
jitNetworkAccessPolicies | No | No
jitPolicies | No | No
MdeOnboardings | No | No
policies | No | No
pricings | No | No
regulatoryComplianceStandards | No | No
regulatoryComplianceStandards / regulatoryComplianceControls | No | No
regulatoryComplianceStandards / regulatoryComplianceControls / regulatoryComplianceAssessments | No | No
secureScoreControlDefinitions | No | No
secureScoreControls | No | No
secureScores | No | No
secureScores / secureScoreControls | No | No
securityConnectors | Yes | Yes
securityContacts | No | No
securitySolutions | No | No
securitySolutionsReferenceData | No | No
securityStatuses | No | No
securityStatusesSummaries | No | No
serverVulnerabilityAssessments | No | No
settings | No | No
sqlVulnerabilityAssessments | No | No
standards | Yes | Yes
subAssessments | No | No
tasks | No | No
topologies | No | No
workspaceSettings | No | No

Microsoft.SecurityGraph

Resource type | Supports tags | Tag in cost report
--- | --- | ---
diagnosticSettings | No | No
diagnosticSettingsCategories | No | No

Microsoft.SecurityInsights

Resource type | Supports tags | Tag in cost report
--- | --- | ---
aggregations | No | No
alertRules | No | No
alertRuleTemplates | No | No
automationRules | No | No
bookmarks | No | No
cases | No | No
dataConnectors | No | No
dataConnectorsCheckRequirements | No | No
enrichment | No | No
entities | No | No
entityQueries | No | No
entityQueryTemplates | No | No
incidents | No | No
metadata | No | No
MitreCoverageRecords | No | No
officeConsents | No | No
onboardingStates | No | No
settings | No | No
sourceControls | No | No
threatIntelligence | No | No
watchlists | No | No

Microsoft.SerialConsole

Resource type | Supports tags | Tag in cost report
--- | --- | ---
consoleServices | No | No
serialPorts | No | No

Microsoft.ServiceBus

Resource type | Supports tags | Tag in cost report
--- | --- | ---
namespaces | Yes | Yes
namespaces / authorizationrules | No | No
namespaces / disasterrecoveryconfigs | No | No
namespaces / eventgridfilters | No | No
namespaces / networkrulesets | No | No
namespaces / privateEndpointConnections | No | No
namespaces / queues | No | No
namespaces / queues / authorizationrules | No | No
namespaces / topics | No | No
namespaces / topics / authorizationrules | No | No
namespaces / topics / subscriptions | No | No
namespaces / topics / subscriptions / rules | No | No
premiumMessagingRegions | No | No

Microsoft.ServiceFabric

Resource type | Supports tags | Tag in cost report
--- | --- | ---
applications | Yes | Yes
clusters | Yes | Yes
clusters / applications | No | No
containerGroups | Yes | Yes
containerGroupSets | Yes | Yes
edgeclusters | Yes | Yes
edgeclusters / applications | No | No
managedclusters | Yes | Yes
managedclusters / applications | No | No
managedclusters / applications / services | No | No
managedclusters / applicationTypes | No | No
managedclusters / applicationTypes / versions | No | No
managedclusters / nodetypes | No | No
networks | Yes | Yes
secretstores | Yes | Yes
secretstores / certificates | No | No
secretstores / secrets | No | No
volumes | Yes | Yes

Microsoft.ServiceFabricMesh

Resource type | Supports tags | Tag in cost report
--- | --- | ---
applications | Yes | Yes
containerGroups | Yes | Yes
gateways | Yes | Yes
networks | Yes | Yes
secrets | Yes | Yes
volumes | Yes | Yes

Microsoft.ServiceLinker

Resource type | Supports tags | Tag in cost report
--- | --- | ---
dryruns | No | No
linkers | No | No

Microsoft.Services

Resource type | Supports tags | Tag in cost report
--- | --- | ---
providerRegistrations | No | No
providerRegistrations / resourceTypeRegistrations | No | No
rollouts | Yes | Yes

Microsoft.SignalRService
RESO URC E T Y P E SUP P O RT S TA GS TA G IN C O ST REP O RT

SignalR Yes Yes

SignalR / eventGridFilters No No

WebPubSub Yes Yes

Microsoft.Singularity
RESO URC E T Y P E SUP P O RT S TA GS TA G IN C O ST REP O RT

accounts Yes Yes

accounts / accountQuotaPolicies No No
RESO URC E T Y P E SUP P O RT S TA GS TA G IN C O ST REP O RT

accounts / groupPolicies No No

accounts / jobs No No

accounts / models No No

accounts / storageContainers No No

images No No

quotas No No

Microsoft.SoftwarePlan
RESO URC E T Y P E SUP P O RT S TA GS TA G IN C O ST REP O RT

hybridUseBenefits No No

Microsoft.Solutions
RESO URC E T Y P E SUP P O RT S TA GS TA G IN C O ST REP O RT

applicationDefinitions Yes Yes

applications Yes Yes

jitRequests Yes Yes

Microsoft.SQL
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT
instancePools    Yes    Yes
longtermRetentionManagedInstance / longtermRetentionDatabase / longtermRetentionBackup    No    No
longtermRetentionServer / longtermRetentionDatabase / longtermRetentionBackup    No    No
managedInstances    Yes    Yes
managedInstances / administrators    No    No
managedInstances / databases    No    No
managedInstances / databases / backupLongTermRetentionPolicies    No    No
managedInstances / databases / backupShortTermRetentionPolicies    No    No
managedInstances / databases / schemas / tables / columns / sensitivityLabels    No    No
managedInstances / databases / vulnerabilityAssessments    No    No
managedInstances / databases / vulnerabilityAssessments / rules / baselines    No    No
managedInstances / encryptionProtector    No    No
managedInstances / keys    No    No
managedInstances / restorableDroppedDatabases / backupShortTermRetentionPolicies    No    No
managedInstances / sqlAgent    No    No
managedInstances / vulnerabilityAssessments    No    No
servers    Yes    Yes
servers / administrators    No    No
servers / advisors    No    No
servers / auditingSettings    No    No
servers / communicationLinks    No    No
servers / databases    Yes (see note below)    Yes
servers / databases / advisors    No    No
servers / databases / auditingSettings    No    No
servers / databases / backupLongTermRetentionPolicies    No    No
servers / databases / backupShortTermRetentionPolicies    No    No
servers / databases / dataMaskingPolicies    No    No
servers / databases / extensions    No    No
servers / databases / securityAlertPolicies    No    No
servers / databases / syncGroups    No    No
servers / databases / syncGroups / syncMembers    No    No
servers / databases / transparentDataEncryption    No    No
servers / databases / workloadGroups    No    No
servers / elasticpools    Yes    Yes
servers / encryptionProtector    No    No
servers / failoverGroups    No    No
servers / firewallRules    No    No
servers / jobAgents    Yes    Yes
servers / jobAgents / jobs    No    No
servers / jobAgents / jobs / steps    No    No
servers / jobAgents / jobs / executions    No    No
servers / keys    No    No
servers / restorableDroppedDatabases    No    No
servers / serviceobjectives    No    No
servers / tdeCertificates    No    No
servers / virtualNetworkRules    No    No
virtualClusters    No    No

NOTE
The Master database doesn't support tags, but other databases, including Azure Synapse Analytics databases, support tags. Azure Synapse Analytics databases must be in Active (not Paused) state.

Microsoft.SqlVirtualMachine
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT
SqlVirtualMachineGroups    Yes    Yes
SqlVirtualMachineGroups / AvailabilityGroupListeners    No    No
SqlVirtualMachines    Yes    Yes

Microsoft.Storage
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT
dataMovers    Yes    Yes
dataMovers / agents    No    No
dataMovers / endpoints    No    No
dataMovers / projects    No    No
dataMovers / projects / jobDefinitions    No    No
dataMovers / projects / jobDefinitions / jobRuns    No    No
deletedAccounts    No    No
storageAccounts    Yes    Yes
storageAccounts / blobServices    No    No
storageAccounts / encryptionScopes    No    No
storageAccounts / fileServices    No    No
storageAccounts / queueServices    No    No
storageAccounts / services    No    No
storageAccounts / services / metricDefinitions    No    No
storageAccounts / tableServices    No    No
usages    No    No

Microsoft.StorageCache
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT
amlFilesystems    Yes    Yes
caches    Yes    Yes
caches / storageTargets    No    No
usageModels    No    No

Microsoft.StorageReplication
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT
replicationGroups    No    No

Microsoft.StorageSync
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT
storageSyncServices    Yes    Yes
storageSyncServices / registeredServers    No    No
storageSyncServices / syncGroups    No    No
storageSyncServices / syncGroups / cloudEndpoints    No    No
storageSyncServices / syncGroups / serverEndpoints    No    No
storageSyncServices / workflows    No    No

Microsoft.StorSimple
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT
managers    Yes    Yes

Microsoft.StreamAnalytics
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT
clusters    Yes    Yes
clusters / privateEndpoints    No    No
streamingjobs    Yes (see note below)    Yes

NOTE
You can't add a tag when streamingjobs is running. Stop the resource to add a tag.

Microsoft.Subscription
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT
acceptChangeTenant    No    No
acceptOwnership    No    No
acceptOwnershipStatus    No    No
aliases    No    No
cancel    No    No
changeTenantRequest    No    No
changeTenantStatus    No    No
CreateSubscription    No    No
enable    No    No
policies    No    No
rename    No    No
SubscriptionDefinitions    No    No
SubscriptionOperations    No    No
subscriptions    No    No

Microsoft.Synapse
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT
kustoOperations    No    No
privateLinkHubs    Yes    Yes
workspaces    Yes    Yes
workspaces / bigDataPools    Yes    Yes
workspaces / kustoPools    Yes    Yes
workspaces / kustoPools / attacheddatabaseconfigurations    No    No
workspaces / kustoPools / databases    No    No
workspaces / kustoPools / databases / dataconnections    No    No
workspaces / operationStatuses    No    No
workspaces / sqlDatabases    Yes    Yes
workspaces / sqlPools    Yes    Yes

Microsoft.TestBase
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT
testBaseAccounts    No    No
testBaseAccounts / customerEvents    No    No
testBaseAccounts / emailEvents    No    No
testBaseAccounts / flightingRings    No    No
testBaseAccounts / packages    No    No
testBaseAccounts / packages / favoriteProcesses    No    No
testBaseAccounts / packages / osUpdates    No    No
testBaseAccounts / testSummaries    No    No
testBaseAccounts / testTypes    No    No
testBaseAccounts / usages    No    No

Microsoft.TimeSeriesInsights
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT
environments    Yes    No
environments / accessPolicies    No    No
environments / eventsources    Yes    No
environments / privateEndpointConnectionProxies    No    No
environments / privateEndpointConnections    No    No
environments / privateLinkResources    No    No
environments / referenceDataSets    Yes    No

Microsoft.VideoIndexer
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT
accounts    No    No

Microsoft.VirtualMachineImages
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT
imageTemplates    Yes    Yes
imageTemplates / runOutputs    No    No

Microsoft.VMware
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT
arczones    No    No
resourcepools    No    No
vcenters    No    No
VCenters / InventoryItems    No    No
virtualmachines    No    No
virtualmachinetemplates    No    No
virtualnetworks    No    No

Microsoft.VMwareCloudSimple
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT
dedicatedCloudNodes    Yes    Yes
dedicatedCloudServices    Yes    Yes
virtualMachines    Yes    Yes

Microsoft.VSOnline
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT
accounts    Yes    No
plans    Yes    No
registeredSubscriptions    No    No

Microsoft.WindowsDefenderATP
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT
diagnosticSettings    No    No
diagnosticSettingsCategories    No    No

Microsoft.Web
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT
apiManagementAccounts    No    No
apiManagementAccounts / apiAcls    No    No
apiManagementAccounts / apis    No    No
apiManagementAccounts / apis / apiAcls    No    No
apiManagementAccounts / apis / connectionAcls    No    No
apiManagementAccounts / apis / connections    No    No
apiManagementAccounts / apis / connections / connectionAcls    No    No
apiManagementAccounts / apis / localizedDefinitions    No    No
apiManagementAccounts / connectionAcls    No    No
apiManagementAccounts / connections    No    No
billingMeters    No    No
certificates    Yes    Yes
connectionGateways    Yes    Yes
connections    Yes    Yes
customApis    Yes    Yes
deletedSites    No    No
functionAppStacks    No    No
generateGithubAccessTokenForAppserviceCLI    No    No
hostingEnvironments    Yes    Yes
hostingEnvironments / eventGridFilters    No    No
hostingEnvironments / multiRolePools    No    No
hostingEnvironments / workerPools    No    No
kubeEnvironments    Yes    Yes
publishingUsers    No    No
recommendations    No    No
resourceHealthMetadata    No    No
runtimes    No    No
serverFarms    Yes    Yes
serverFarms / eventGridFilters    No    No
serverFarms / firstPartyApps    No    No
serverFarms / firstPartyApps / keyVaultSettings    No    No
sites    Yes    Yes
sites / config    No    No
sites / eventGridFilters    No    No
sites / hostNameBindings    No    No
sites / networkConfig    No    No
sites / premieraddons    Yes    Yes
sites / slots    Yes    Yes
sites / slots / eventGridFilters    No    No
sites / slots / hostNameBindings    No    No
sites / slots / networkConfig    No    No
sourceControls    No    No
staticSites    Yes    Yes
validate    No    No
verifyHostingEnvironmentVnet    No    No
webAppStacks    No    No

Microsoft.WindowsESU
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT
multipleActivationKeys    Yes    Yes

Microsoft.WindowsIoT
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT
DeviceServices    Yes    Yes

Microsoft.WorkloadBuilder
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT
migrationAgents    No    No
workloads    No    No
workloads / instances    No    No
workloads / versions    No    No
workloads / versions / artifacts    No    No

Microsoft.WorkloadMonitor
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT
monitors    No    No

Microsoft.Workloads
RESOURCE TYPE    SUPPORTS TAGS    TAG IN COST REPORT
monitors    No    No
monitors / providerInstances    No    No
phpWorkloads    No    No
phpWorkloads / wordpressInstances    No    No
sapVirtualInstances    No    No
sapVirtualInstances / applicationInstances    No    No
sapVirtualInstances / centralInstances    No    No
sapVirtualInstances / databaseInstances    No    No

Next steps
To learn how to apply tags to resources, see Use tags to organize your Azure resources.
Azure Resource Graph sample queries for Azure
Resource Manager
2/23/2022 • 4 minutes to read

This page is a collection of Azure Resource Graph sample queries for Azure Resource Manager. For a complete
list of Azure Resource Graph samples, see Resource Graph samples by Category and Resource Graph samples
by Table.

Sample queries for tags


Find storage accounts with a specific case-insensitive tag on the resource group
Similar to the 'Find storage accounts with a specific case-sensitive tag on the resource group' query, but when
it's necessary to look for a case-insensitive tag name and tag value, use mv-expand with the bagexpansion
parameter. This query uses more quota than the original query, so use mv-expand only if necessary.

Resources
| where type =~ 'microsoft.storage/storageaccounts'
| join kind=inner (
    ResourceContainers
    | where type =~ 'microsoft.resources/subscriptions/resourcegroups'
    | mv-expand bagexpansion=array tags
    | where isnotempty(tags)
    | where tags[0] =~ 'key1' and tags[1] =~ 'value1'
    | project subscriptionId, resourceGroup)
    on subscriptionId, resourceGroup
| project-away subscriptionId1, resourceGroup1

Azure CLI

az graph query -q "Resources | where type =~ 'microsoft.storage/storageaccounts' | join kind=inner ( ResourceContainers | where type =~ 'microsoft.resources/subscriptions/resourcegroups' | mv-expand bagexpansion=array tags | where isnotempty(tags) | where tags[0] =~ 'key1' and tags[1] =~ 'value1' | project subscriptionId, resourceGroup) on subscriptionId, resourceGroup | project-away subscriptionId1, resourceGroup1"

Find storage accounts with a specific case-sensitive tag on the resource group
The following query uses an inner join to connect storage accounts with resource groups that have a
specified case-sensitive tag name and tag value.

Resources
| where type =~ 'microsoft.storage/storageaccounts'
| join kind=inner (
    ResourceContainers
    | where type =~ 'microsoft.resources/subscriptions/resourcegroups'
    | where tags['Key1'] =~ 'Value1'
    | project subscriptionId, resourceGroup)
    on subscriptionId, resourceGroup
| project-away subscriptionId1, resourceGroup1

Azure CLI

az graph query -q "Resources | where type =~ 'microsoft.storage/storageaccounts' | join kind=inner ( ResourceContainers | where type =~ 'microsoft.resources/subscriptions/resourcegroups' | where tags['Key1'] =~ 'Value1' | project subscriptionId, resourceGroup) on subscriptionId, resourceGroup | project-away subscriptionId1, resourceGroup1"

List all tag names


This query starts with the tag and builds a JSON object listing all unique tag names and their corresponding
types.

Resources
| project tags
| summarize buildschema(tags)

Azure CLI

az graph query -q "Resources | project tags | summarize buildschema(tags)"

List all tags and their values


This query lists tags on management groups, subscriptions, and resources along with their values. The query
first limits to resources where tags isnotempty(), limits the included fields by only including tags in the
project, and uses mvexpand and extend to get the paired data from the property bag. It then uses union to
combine the results from ResourceContainers with the same results from Resources, giving broad coverage to
which tags are fetched. Last, it limits the results to distinct paired data and excludes system-hidden tags.

ResourceContainers
| where isnotempty(tags)
| project tags
| mvexpand tags
| extend tagKey = tostring(bag_keys(tags)[0])
| extend tagValue = tostring(tags[tagKey])
| union (
    resources
    | where isnotempty(tags)
    | project tags
    | mvexpand tags
    | extend tagKey = tostring(bag_keys(tags)[0])
    | extend tagValue = tostring(tags[tagKey])
)
| distinct tagKey, tagValue
| where tagKey !startswith "hidden-"

Azure CLI

az graph query -q "ResourceContainers | where isnotempty(tags) | project tags | mvexpand tags | extend tagKey = tostring(bag_keys(tags)[0]) | extend tagValue = tostring(tags[tagKey]) | union ( resources | where isnotempty(tags) | project tags | mvexpand tags | extend tagKey = tostring(bag_keys(tags)[0]) | extend tagValue = tostring(tags[tagKey]) ) | distinct tagKey, tagValue | where tagKey !startswith 'hidden-'"

List resources with a specific tag value


We can limit the results by properties other than the Azure resource type, such as a tag. In this example, we're
filtering for Azure resources with a tag name of Environment that have a value of Internal. To also return
the tags the resource has and their values, add the tags property to the project keyword.

Resources
| where tags.environment=~'internal'
| project name, tags

Azure CLI

az graph query -q "Resources | where tags.environment=~'internal' | project name, tags"
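The sample queries above hard-code the tag name and value. The following is an added example, not code from the article: it builds the same tag queries from caller-supplied tag names and values, emitting them as KQL string literals with backslash escapes (so a quote inside a value cannot close the literal and turn the rest of the value into query text) and quoting the finished query exactly once for a POSIX shell. The function names are this example's own, not Azure CLI or Resource Graph APIs.

```python
"""Build Resource Graph tag queries from caller-supplied tag names and values.

Added example, not from the article. It assembles the resource-group tag
join shown above (case-sensitive property-bag lookup or mv-expand with
bagexpansion=array) and the matching 'az graph query' invocation, escaping
the tag name and value as KQL string literals and quoting the query once
for the shell. Function names are this example's own.
"""
import shlex


def kql_literal(value: str) -> str:
    """Return value as a single-quoted KQL string literal."""
    if "\n" in value or "\r" in value:
        raise ValueError("tag names and values must be single-line")
    # KQL string literals use backslash escapes: escape the backslash first,
    # then the quote character that delimits the literal.
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")
    return f"'{escaped}'"


def storage_accounts_by_rg_tag(tag_name: str, tag_value: str,
                               case_sensitive: bool = False) -> str:
    """Storage accounts whose resource group carries tag_name = tag_value.

    case_sensitive=True uses the direct property-bag lookup from the
    article's case-sensitive query; False uses mv-expand with
    bagexpansion=array, which compares name and value case-insensitively
    but costs more quota, as the article notes.
    """
    if case_sensitive:
        tag_filter = f"| where tags[{kql_literal(tag_name)}] =~ {kql_literal(tag_value)}"
    else:
        tag_filter = ("| mv-expand bagexpansion=array tags "
                      "| where isnotempty(tags) "
                      f"| where tags[0] =~ {kql_literal(tag_name)} "
                      f"and tags[1] =~ {kql_literal(tag_value)}")
    return ("Resources "
            "| where type =~ 'microsoft.storage/storageaccounts' "
            "| join kind=inner ( ResourceContainers "
            "| where type =~ 'microsoft.resources/subscriptions/resourcegroups' "
            f"{tag_filter} "
            "| project subscriptionId, resourceGroup) on subscriptionId, resourceGroup "
            "| project-away subscriptionId1, resourceGroup1")


def resources_by_tag(tag_name: str, tag_value: str) -> str:
    """The 'specific tag value' query, with the tag name passed as a bag key."""
    return (f"Resources | where tags[{kql_literal(tag_name)}] =~ {kql_literal(tag_value)} "
            "| project name, tags")


def az_cli_command(query: str) -> str:
    """Wrap the query for 'az graph query -q'; shlex.quote handles nested quotes."""
    return "az graph query -q " + shlex.quote(query)


if __name__ == "__main__":
    # Constructed inputs: a tag value containing a quote, which a plain
    # f-string into the query text would let break out of the literal.
    print(az_cli_command(storage_accounts_by_rg_tag("Environment", "Int'l")))
    print(az_cli_command(resources_by_tag("Environment", "Internal")))
```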

Next steps
Learn more about the query language.
Learn more about how to explore resources.
See samples of Starter language queries.
See samples of Advanced language queries.
Use portal to create private link for managing Azure
resources
2/23/2022 • 3 minutes to read

This article explains how you can use Azure Private Link to restrict access for managing resources in your
subscriptions. It shows using the Azure portal for setting up management of resources through private access.
Private links enable you to access Azure services over a private endpoint in your virtual network. When you
combine private links with Azure Resource Manager's operations, you block users who aren't at the specific
endpoint from managing resources. If a malicious user gets credentials to an account in your subscription, that
user can't manage the resources without being at the specific endpoint.
Private link provides the following security benefits:
Private Access - users can manage resources from a private network via a private endpoint.
Data exfiltration - users are denied access to resources not included in the scope.

NOTE
Azure Kubernetes Service (AKS) currently doesn't support the ARM private endpoint implementation.

Understand architecture
For this release, you can only apply private link management access at the level of the root management group.
This limitation means private link access is applied across your tenant.
There are two resource types you'll use when implementing management through a private link.
Resource management private link (Microsoft.Authorization/resourceManagementPrivateLinks)
Private link association (Microsoft.Authorization/privateLinkAssociations)
The following image shows how to construct a solution that restricts access for managing resources.

The private link association extends the root management group. The private link association and the private
endpoints reference the resource management private link.

Workflow
To set up a private link for resources, use the following steps. The steps are described in greater detail later in
this article.
1. Create the resource management private link.
2. Create a private link association. The private link association extends the root management group. It also
references the resource ID for the resource management private link.
3. Add a private endpoint that references the resource management private link.
After completing those steps, you can manage Azure resources that are within the hierarchy of the scope. You
use a private endpoint that is connected to the subnet.
You can monitor access to the private link. For more information, see Logging and monitoring.

Required permissions
To set up the private link for resource management, you need the following access:
Owner on the subscription. This access is needed to create the resource management private link resource.
Owner or Contributor at the root management group. This access is needed to create the private link
association resource.
The Global Administrator for the Azure Active Directory doesn't automatically have permission to assign
roles at the root management group. To enable creating resource management private links, the Global
Administrator must have permission to read root management group and elevate access to have User Access
Administrator permission on all subscriptions and management groups in the tenant. After getting the User
Access Administrator permission, the Global Administrator must grant Owner or Contributor permission at
the root management group to the user creating the private link association.

Create resource management private link


When you create a resource management private link, the private link association is automatically created for
you.
1. In the portal, search for Resource management private links and select it from the available options.

2. If your subscription doesn't already have resource management private links, you'll see a blank page.
Select Create resource management private link.
3. Provide values for the new resource management private link. The root management group for the
directory you selected is used for the new resource. Select Review + create.
4. After validation passes, select Create.

Create private endpoint


Now, create a private endpoint that references the resource management private link.
1. Navigate to the Private Link Center. Select Create private endpoint.

2. In the Basics tab, provide values for your private endpoint.

3. In the Resource tab, select Connect to an Azure resource in my directory. For resource type, select
Microsoft.Authorization/resourceManagementPrivateLinks. For target subresource, select
ResourceManagement.
4. In the Configuration tab, select your virtual network. We recommend integrating with a private DNS
zone. Select Review + create.
5. After validation passes, select Create.

Verify private DNS zone


To make sure your environment is properly configured, check the local IP address for the DNS zone.
1. In the resource group where you deployed the private endpoint, select the private DNS zone resource
named privatelink.azure.com.
2. Verify that the record set named management has a valid local IP address.
Next steps
To learn more about private links, see Azure Private Link.
Use REST API to create private link for managing
Azure resources
2/23/2022 • 3 minutes to read

This article explains how you can use Azure Private Link to restrict access for managing resources in your
subscriptions.
Private links enable you to access Azure services over a private endpoint in your virtual network. When you
combine private links with Azure Resource Manager's operations, you block users who aren't at the specific
endpoint from managing resources. If a malicious user gets credentials to an account in your subscription, that
user can't manage the resources without being at the specific endpoint.
Private link provides the following security benefits:
Private Access - users can manage resources from a private network via a private endpoint.
Data exfiltration - users are denied access to resources not included in the scope.

NOTE
Azure Kubernetes Service (AKS) currently doesn't support the ARM private endpoint implementation.

Understand architecture
For this release, you can only apply private link management access at the level of the root management group.
This limitation means private link access is applied across your tenant.
There are two resource types you'll use when implementing management through a private link.
Resource management private link (Microsoft.Authorization/resourceManagementPrivateLinks)
Private link association (Microsoft.Authorization/privateLinkAssociations)
The following image shows how to construct a solution that restricts access for managing resources.

The private link association extends the root management group. The private link association and the private
endpoints reference the resource management private link.

Workflow
To set up a private link for resources, use the following steps. The steps are described in greater detail later in
this article.
1. Create the resource management private link.
2. Create a private link association. The private link association extends the root management group. It also
references the resource ID for the resource management private link.
3. Add a private endpoint that references the resource management private link.
After completing those steps, you can manage Azure resources that are within the hierarchy of the scope. You
use a private endpoint that is connected to the subnet.
You can monitor access to the private link. For more information, see Logging and monitoring.

Required permissions
To set up the private link for resource management, you need the following access:
Owner on the subscription. This access is needed to create the resource management private link resource.
Owner or Contributor at the root management group. This access is needed to create the private link
association resource.
The Global Administrator for the Azure Active Directory doesn't automatically have permission to assign
roles at the root management group. To enable creating resource management private links, the Global
Administrator must have permission to read root management group and elevate access to have User Access
Administrator permission on all subscriptions and management groups in the tenant. After getting the User
Access Administrator permission, the Global Administrator must grant Owner or Contributor permission at
the root management group to the user creating the private link association.

Create resource management private link


To create a resource management private link, send the following request:

PUT https://management.azure.com/subscriptions/{subscriptionID}/resourceGroups/{resourceGroupName}/providers/Microsoft.Authorization/resourceManagementPrivateLinks/{rmplName}?api-version=2020-05-01

In the request body, include the location you want for the resource:

{
  "location": "{region}"
}

The operation returns:

{
  "id": "/subscriptions/{subID}/resourceGroups/{rgName}/providers/Microsoft.Authorization/resourceManagementPrivateLinks/{name}",
  "location": "{region}",
  "name": "{rmplName}",
  "properties": {
    "privateEndpointConnections": []
  },
  "resourceGroup": "{rgName}",
  "type": "Microsoft.Authorization/resourceManagementPrivateLinks"
}

Note the ID that is returned for the new resource management private link. You'll use it for creating the private
link association.

Create private link association


To create the private link association, use:

PUT https://management.azure.com/providers/Microsoft.Management/managementGroups/{managementGroupId}/providers/Microsoft.Authorization/privateLinkAssociations/{GUID}?api-version=2020-05-01

In the request body, include:

{
  "properties": {
    "privateLink": "/subscriptions/{subscription-id}/resourceGroups/{rg-name}/providers/Microsoft.Authorization/resourceManagementPrivateLinks/{rmplName}",
    "publicNetworkAccess": "enabled"
  }
}

The operation returns:

{
  "id": {plaResourceId},
  "name": {plaName},
  "properties": {
    "privateLink": {rmplResourceId},
    "publicNetworkAccess": "Enabled",
    "tenantId": "{tenantId}",
    "scope": "/providers/Microsoft.Management/managementGroups/{managementGroupId}"
  },
  "type": "Microsoft.Authorization/privateLinkAssociations"
}

Add private endpoint


This article assumes you already have a virtual network. In the subnet that will be used for the private endpoint,
you must turn off private endpoint network policies. If you haven't turned off private endpoint network policies,
see Disable network policies for private endpoints.
To create a private endpoint, use the following operation:

PUT https://management.azure.com/subscriptions/{subscriptionID}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/privateEndpoints/{privateEndpointName}?api-version=2020-11-01

In the request body, set the privateLinkServiceId to the ID from your resource management private link. The
groupIds must contain ResourceManagement. The location of the private endpoint must be the same as the
location of the subnet.

{
  "location": "westus2",
  "properties": {
    "privateLinkServiceConnections": [
      {
        "name": "{connection-name}",
        "properties": {
          "privateLinkServiceId": "/subscriptions/{subID}/resourceGroups/{rgName}/providers/Microsoft.Authorization/resourceManagementPrivateLinks/{name}",
          "groupIds": [
            "ResourceManagement"
          ]
        }
      }
    ],
    "subnet": {
      "id": "/subscriptions/{subID}/resourceGroups/{rgName}/providers/Microsoft.Network/virtualNetworks/{vnet-name}/subnets/{subnet-name}"
    }
  }
}

The next step varies depending on whether you're using automatic or manual approval. For more information
about approval, see Access to a private link resource using approval workflow.
The response includes the approval state.

"privateLinkServiceConnectionState": {
  "actionsRequired": "None",
  "description": "",
  "status": "Approved"
},

If your request is automatically approved, you can continue to the next section. If your request requires manual
approval, wait for the network admin to approve your private endpoint connection.
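The three requests above depend on each other: the association and the endpoint both carry the ID of the resource management private link, and the endpoint must target the ResourceManagement group. The following is an added example, not code from the article, that composes all three as (method, URL, body) triples with constructed placeholder values, threads the IDs from one step into the next, and refuses an endpoint body that does not target ResourceManagement. The helper names are this example's own; the routes and api-versions are the ones quoted above. Sending is optional and requires a bearer token.

```python
"""Compose the resource management private link workflow as REST requests.

Added example, not from the article. Builds the PUT requests for the
resource management private link, the private link association and the
private endpoint, using the routes and api-versions quoted in the article.
Helper names are this example's own. Nothing is sent unless send() is
called with a valid bearer token.
"""
import json
import uuid
from urllib import request

ARM = "https://management.azure.com"
AUTHZ = "Microsoft.Authorization"
RMPL_SEGMENT = f"/providers/{AUTHZ}/resourceManagementPrivateLinks/"


def rmpl_request(sub_id, rg, name, region):
    """Step 1: create the resource management private link in a resource group."""
    url = (f"{ARM}/subscriptions/{sub_id}/resourceGroups/{rg}/providers/"
           f"{AUTHZ}/resourceManagementPrivateLinks/{name}?api-version=2020-05-01")
    return "PUT", url, {"location": region}


def rmpl_id(sub_id, rg, name):
    """Resource ID of the private link; in practice read it from step 1's response."""
    return f"/subscriptions/{sub_id}/resourceGroups/{rg}{RMPL_SEGMENT}{name}"


def pla_request(mg_id, rmpl_resource_id, public_network_access="enabled", pla_id=None):
    """Step 2: associate the private link with the (root) management group.

    The article's sample keeps publicNetworkAccess "enabled"; the value is
    parameterised here so a deployment can choose explicitly.
    """
    pla_id = pla_id or str(uuid.uuid4())  # the route expects a GUID
    url = (f"{ARM}/providers/Microsoft.Management/managementGroups/{mg_id}/providers/"
           f"{AUTHZ}/privateLinkAssociations/{pla_id}?api-version=2020-05-01")
    body = {"properties": {"privateLink": rmpl_resource_id,
                           "publicNetworkAccess": public_network_access}}
    return "PUT", url, body


def validate_private_endpoint_body(body):
    """Reject an endpoint that would not front resource management."""
    conns = body["properties"]["privateLinkServiceConnections"]
    if not conns:
        raise ValueError("at least one privateLinkServiceConnection is required")
    for conn in conns:
        props = conn["properties"]
        if props.get("groupIds") != ["ResourceManagement"]:
            raise ValueError("groupIds must be exactly ['ResourceManagement']")
        if RMPL_SEGMENT not in props.get("privateLinkServiceId", ""):
            raise ValueError("privateLinkServiceId must be a resource management private link")
    return True


def private_endpoint_request(sub_id, rg, pe_name, region, rmpl_resource_id,
                             vnet, subnet, connection_name):
    """Step 3: the private endpoint; region must match the subnet's region."""
    url = (f"{ARM}/subscriptions/{sub_id}/resourceGroups/{rg}/providers/"
           f"Microsoft.Network/privateEndpoints/{pe_name}?api-version=2020-11-01")
    body = {
        "location": region,
        "properties": {
            "privateLinkServiceConnections": [{
                "name": connection_name,
                "properties": {"privateLinkServiceId": rmpl_resource_id,
                               "groupIds": ["ResourceManagement"]},
            }],
            "subnet": {"id": f"/subscriptions/{sub_id}/resourceGroups/{rg}/providers/"
                             f"Microsoft.Network/virtualNetworks/{vnet}/subnets/{subnet}"},
        },
    }
    validate_private_endpoint_body(body)
    return "PUT", url, body


def send(method, url, body, token):
    """Issue one request against ARM with a bearer token; returns the JSON reply."""
    req = request.Request(url, data=json.dumps(body).encode(), method=method,
                          headers={"Authorization": f"Bearer {token}",
                                   "Content-Type": "application/json"})
    with request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed placeholder values; the plan is printed, not sent.
    sub, rg, mg = "00000000-0000-0000-0000-000000000000", "rg-arm-private", "tenant-root-mg"
    plan = [rmpl_request(sub, rg, "rmpl-corp", "westus2")]
    link_id = rmpl_id(sub, rg, "rmpl-corp")
    plan.append(pla_request(mg, link_id))
    plan.append(private_endpoint_request(sub, rg, "pe-arm", "westus2", link_id,
                                         "vnet-hub", "snet-private-endpoints", "arm-connection"))
    for method, url, body in plan:
        print(method, url)
        print(json.dumps(body, indent=2))
```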

Next steps
To learn more about private links, see Azure Private Link.
Manage resource management private links with
REST API
2/23/2022 • 2 minutes to read

This article explains how to work with existing resource management private links. It shows REST API
operations for getting and deleting existing resources.
If you need to create a resource management private link, see Use portal to create private link for managing
Azure resources or Use REST API to create private link for managing Azure resources.

Resource management private links


To get a specific resource management private link, send the following request:

GET https://management.azure.com/subscriptions/{subscriptionID}/resourceGroups/{resourceGroupName}/providers/Microsoft.Authorization/resourceManagementPrivateLinks/{rmplName}?api-version=2020-05-01

The operation returns:

{
  "properties": {
    "privateEndpointConnections": []
  },
  "id": {rmplResourceId},
  "name": {rmplName},
  "type": "Microsoft.Authorization/resourceManagementPrivateLinks",
  "location": {region}
}

To get all resource management private links in a subscription, use:

GET https://management.azure.com/subscriptions/{subscriptionID}/providers/Microsoft.Authorization/resourceManagementPrivateLinks?api-version=2020-05-01

The operation returns:


[
  {
    "properties": {
      "privateEndpointConnections": []
    },
    "id": {rmplResourceId},
    "name": {rmplName},
    "type": "Microsoft.Authorization/resourceManagementPrivateLinks",
    "location": {region}
  },
  {
    "properties": {
      "privateEndpointConnections": []
    },
    "id": {rmplResourceId},
    "name": {rmplName},
    "type": "Microsoft.Authorization/resourceManagementPrivateLinks",
    "location": {region}
  }
]

To delete a specific resource management private link, use:

DELETE https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Authorization/resourceManagementPrivateLinks/{rmplName}?api-version=2020-05-01

The operation returns: Status 200 OK.

Private link association


To get a specific private link association for a management group, use:

GET https://management.azure.com/providers/Microsoft.Management/managementGroups/{managementGroupID}/providers/Microsoft.Authorization/privateLinkAssociations?api-version=2020-05-01

The operation returns:

{
  "value": [
    {
      "properties": {
        "privateLink": {rmplResourceID},
        "tenantId": {tenantId},
        "scope": "/providers/Microsoft.Management/managementGroups/{managementGroupId}"
      },
      "id": {plaResourceId},
      "type": "Microsoft.Authorization/privateLinkAssociations",
      "name": {plaName}
    }
  ]
}

To delete a private link association, use:


DELETE https://management.azure.com/providers/Microsoft.Management/managementGroups/{managementGroupID}/providers/Microsoft.Authorization/privateLinkAssociations/{plaID}?api-version=2020-05-01

The operation returns: Status 200 OK.

Private endpoints
To get all private endpoints in a subscription, use:

GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Network/privateEndpoints?api-version=2020-04-01

The operation returns:


{
"value": [
{
"name": {privateEndpointName},
"id": {privateEndpointResourceId},
"etag": {etag},
"type": "Microsoft.Network/privateEndpoints",
"location": {region},
"properties": {
"provisioningState": "Updating",
"resourceGuid": {GUID},
"privateLinkServiceConnections": [
{
"name": {connectionName},
"id": {connectionResourceId},
"etag": {etag},
"properties": {
"provisioningState": "Succeeded",
"privateLinkServiceId": {rmplResourceId},
"groupIds": [
"ResourceManagement"
],
"privateLinkServiceConnectionState": {
"status": "Approved",
"description": "",
"actionsRequired": "None"
}
},
"type": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections"
}
],
"manualPrivateLinkServiceConnections": [],
"subnet": {
"id": {subnetResourceId}
},
"networkInterfaces": [
{
"id": {networkInterfaceResourceId}
}
],
"customDnsConfigs": [
{
"fqdn": "management.azure.com",
"ipAddresses": [
"10.0.0.4"
]
}
]
}
}
]
}
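As an added example (not code from the Azure documentation), the following Python check reads a privateEndpoints listing shaped like the response above and reports whether each endpoint is actually usable for the resource management private link: the connection must target the ResourceManagement group and be Approved, and the endpoint must publish a private address for management.azure.com. All IDs, names and addresses in the sample are constructed placeholders.

```python
import copy
import ipaddress
import json

# Constructed sample shaped like the GET privateEndpoints response shown above;
# every ID and name is a placeholder, not a real Azure resource.
SAMPLE_LISTING = json.loads("""
{
  "value": [
    {
      "name": "pe-arm-example",
      "id": "/subscriptions/<subscriptionId>/resourceGroups/rg-example/providers/Microsoft.Network/privateEndpoints/pe-arm-example",
      "type": "Microsoft.Network/privateEndpoints",
      "location": "westus",
      "properties": {
        "provisioningState": "Succeeded",
        "privateLinkServiceConnections": [
          {
            "name": "conn-example",
            "properties": {
              "provisioningState": "Succeeded",
              "privateLinkServiceId": "<rmplResourceId placeholder>",
              "groupIds": ["ResourceManagement"],
              "privateLinkServiceConnectionState": {
                "status": "Approved",
                "description": "",
                "actionsRequired": "None"
              }
            }
          }
        ],
        "manualPrivateLinkServiceConnections": [],
        "customDnsConfigs": [
          {"fqdn": "management.azure.com", "ipAddresses": ["10.0.0.4"]}
        ]
      }
    }
  ]
}
""")

ARM_FQDN = "management.azure.com"


def check_rm_private_endpoint(endpoint: dict) -> list:
    """Return findings for one private endpoint; an empty list means it is usable for ARM private link."""
    findings = []
    props = endpoint.get("properties", {})
    if props.get("provisioningState") != "Succeeded":
        findings.append("provisioningState is %r, not Succeeded" % props.get("provisioningState"))

    # Only connections to the ResourceManagement group carry Resource Manager traffic.
    rm_conns = [c for c in props.get("privateLinkServiceConnections", [])
                if "ResourceManagement" in c.get("properties", {}).get("groupIds", [])]
    if not rm_conns:
        findings.append("no connection targets the ResourceManagement group")
    for conn in rm_conns:
        state = conn["properties"].get("privateLinkServiceConnectionState", {})
        if state.get("status") != "Approved":
            findings.append("connection %s is %r, not Approved" % (conn.get("name"), state.get("status")))
        if state.get("actionsRequired") not in (None, "", "None"):
            findings.append("connection %s has actions required: %s" % (conn.get("name"), state["actionsRequired"]))

    # Without a private address for management.azure.com, clients keep using the public endpoint.
    dns = {d.get("fqdn"): d.get("ipAddresses", []) for d in props.get("customDnsConfigs", [])}
    ips = dns.get(ARM_FQDN, [])
    if not ips:
        findings.append("no customDnsConfigs entry for %s" % ARM_FQDN)
    elif not all(ipaddress.ip_address(ip).is_private for ip in ips):
        findings.append("%s resolves to a non-private address: %s" % (ARM_FQDN, ips))
    return findings


def audit_listing(listing: dict) -> dict:
    """Map each endpoint name in a GET privateEndpoints response to its findings."""
    return {ep["name"]: check_rm_private_endpoint(ep) for ep in listing.get("value", [])}


# Second constructed case: the same endpoint while its connection still awaits approval.
SAMPLE_PENDING = copy.deepcopy(SAMPLE_LISTING)
SAMPLE_PENDING["value"][0]["properties"]["privateLinkServiceConnections"][0]["properties"][
    "privateLinkServiceConnectionState"]["status"] = "Pending"

if __name__ == "__main__":
    for sample in (SAMPLE_LISTING, SAMPLE_PENDING):
        for name, findings in audit_listing(sample).items():
            print(name, "OK" if not findings else findings)
```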

Next steps
To learn more about private links, see Azure Private Link.
To create a resource management private link, see Use portal to create private link for managing Azure
resources or Use REST API to create private link for managing Azure resources.
Manage Azure Resource Manager resource groups
by using the Azure portal
2/23/2022 • 3 minutes to read

Learn how to use the Azure portal with Azure Resource Manager to manage your Azure resource groups. For
managing Azure resources, see Manage Azure resources by using the Azure portal.
Other articles about managing resource groups:
Manage Azure resource groups by using Azure CLI
Manage Azure resource groups by using Azure PowerShell

NOTE
This article provides steps about how to delete personal data from the device or service and can be used to support your
obligations under the GDPR. For general information about GDPR, see the GDPR section of the Microsoft Trust Center
and the GDPR section of the Service Trust portal.

What is a resource group

A resource group is a container that holds related resources for an Azure solution. The resource group can
include all the resources for the solution, or only those resources that you want to manage as a group. You
decide how you want to allocate resources to resource groups based on what makes the most sense for your
organization. Generally, add resources that share the same lifecycle to the same resource group so you can
easily deploy, update, and delete them as a group.
The resource group stores metadata about the resources. Therefore, when you specify a location for the
resource group, you are specifying where that metadata is stored. For compliance reasons, you may need to
ensure that your data is stored in a particular region.

Create resource groups

1. Sign in to the Azure portal.
2. Select Resource groups.
3. Select Add.
4. Enter the following values:
   Subscription: Select your Azure subscription.
   Resource group: Enter a new resource group name.
   Region: Select an Azure location, such as Central US.
5. Select Review + Create.
6. Select Create. It takes a few seconds to create a resource group.
7. Select Refresh from the top menu to refresh the resource group list, and then select the newly created
resource group to open it. Or select Notification (the bell icon) from the top, and then select Go to
resource group to open the newly created resource group.
List resource groups

1. Sign in to the Azure portal.
2. To list the resource groups, select Resource groups.
3. To customize the information displayed for the resource groups, select Edit columns. The following
screenshot shows the additional columns you could add to the display:

Open resource groups

1. Sign in to the Azure portal.
2. Select Resource groups.
3. Select the resource group you want to open.

Delete resource groups

1. Open the resource group you want to delete. See Open resource groups.
2. Select Delete resource group.
For more information about how Azure Resource Manager orders the deletion of resources, see Azure Resource
Manager resource group deletion.

Deploy resources to a resource group


After you have created a Resource Manager template, you can use the Azure portal to deploy your Azure
resources. For creating a template, see Quickstart: Create and deploy Azure Resource Manager templates by
using the Azure portal. For deploying a template using the portal, see Deploy resources with Resource Manager
templates and Azure portal.

Move to another resource group or subscription


You can move the resources in the group to another resource group. For more information, see Move resources
to new resource group or subscription.

Lock resource groups

Locking prevents other users in your organization from accidentally deleting or modifying critical resources,
such as an Azure subscription, resource group, or resource.
1. Open the resource group you want to lock. See Open resource groups.
2. In the left pane, select Locks.
3. To add a lock to the resource group, select Add.
4. Enter Lock name, Lock type, and Notes. The lock types include Read-only and Delete.

For more information, see Lock resources to prevent unexpected changes.

Tag resource groups


You can apply tags to resource groups and resources to logically organize your assets. For information, see
Using tags to organize your Azure resources.
Export resource groups to templates
For information about exporting templates, see Single and multi-resource export to template - Portal.

Manage access to resource groups


Azure role-based access control (Azure RBAC) is the way that you manage access to resources in Azure. For
more information, see Assign Azure roles using the Azure portal.

Next steps
To learn Azure Resource Manager, see Azure Resource Manager overview.
To learn the Resource Manager template syntax, see Understand the structure and syntax of Azure Resource
Manager templates.
To learn how to develop templates, see the step-by-step tutorials.
To view the Azure Resource Manager template schemas, see template reference.
Manage Azure Resource Manager resource groups
by using Azure CLI
2/23/2022 • 2 minutes to read

Learn how to use Azure CLI with Azure Resource Manager to manage your Azure resource groups. For
managing Azure resources, see Manage Azure resources by using Azure CLI.
Other articles about managing resource groups:
Manage Azure resource groups by using the Azure portal
Manage Azure resource groups by using Azure PowerShell

What is a resource group


A resource group is a container that holds related resources for an Azure solution. The resource group can
include all the resources for the solution, or only those resources that you want to manage as a group. You
decide how you want to add resources to resource groups based on what makes the most sense for your
organization. Generally, add resources that share the same lifecycle to the same resource group so you can
easily deploy, update, and delete them as a group.
The resource group stores metadata about the resources. When you specify a location for the resource group,
you're specifying where that metadata is stored. For compliance reasons, you may need to ensure that your data
is stored in a particular region.

Create resource groups

To create a resource group, use az group create.

az group create --name demoResourceGroup --location westus

List resource groups


To list the resource groups in your subscription, use az group list.

az group list

To get one resource group, use az group show.

az group show --name exampleGroup

Delete resource groups


To delete a resource group, use az group delete.

az group delete --name exampleGroup

For more information about how Azure Resource Manager orders the deletion of resources, see Azure Resource
Manager resource group deletion.

Deploy resources
You can deploy Azure resources by using Azure CLI, or by deploying an Azure Resource Manager (ARM)
template or Bicep file.
The following example creates a storage account. The name you provide for the storage account must be unique
across Azure.

az storage account create --resource-group exampleGroup --name examplestore --location westus --sku Standard_LRS --kind StorageV2

To deploy an ARM template or Bicep file, use az deployment group create.

az deployment group create --resource-group exampleGroup --template-file storage.bicep

For more information about deploying an ARM template, see Deploy resources with Resource Manager
templates and Azure CLI.
For more information about deploying a Bicep file, see Deploy resources with Bicep and Azure CLI.

Lock resource groups


Locking prevents other users in your organization from accidentally deleting or modifying critical resources.
To prevent a resource group and its resources from being deleted, use az lock create.

az lock create --name LockGroup --lock-type CanNotDelete --resource-group exampleGroup

To get the locks for a resource group, use az lock list.

az lock list --resource-group exampleGroup

To delete a lock, use az lock delete.

az lock delete --name exampleLock --resource-group exampleGroup

For more information, see Lock resources with Azure Resource Manager.

Tag resource groups


You can apply tags to resource groups and resources to logically organize your assets. For information, see
Using tags to organize your Azure resources.

Export resource groups to templates


To assist with creating ARM templates, you can export a template from existing resources. For more information,
see Use Azure CLI to export a template.

Manage access to resource groups


To manage access to a resource group, use Azure role-based access control (Azure RBAC). For more information,
see Add or remove Azure role assignments using Azure CLI.

Next steps
To learn Azure Resource Manager, see Azure Resource Manager overview.
To learn the Resource Manager template syntax, see Understand the structure and syntax of Azure Resource
Manager templates.
Manage Azure Resource Manager resource groups
by using Azure PowerShell
2/23/2022 • 2 minutes to read

Learn how to use Azure PowerShell with Azure Resource Manager to manage your Azure resource groups. For
managing Azure resources, see Manage Azure resources by using Azure PowerShell.
Other articles about managing resource groups:
Manage Azure resource groups by using the Azure portal
Manage Azure resource groups by using Azure CLI

What is a resource group


A resource group is a container that holds related resources for an Azure solution. The resource group can
include all the resources for the solution, or only those resources that you want to manage as a group. You
decide how you want to add resources to resource groups based on what makes the most sense for your
organization. Generally, add resources that share the same lifecycle to the same resource group so you can
easily deploy, update, and delete them as a group.
The resource group stores metadata about the resources. When you specify a location for the resource group,
you're specifying where that metadata is stored. For compliance reasons, you may need to ensure that your data
is stored in a particular region.

Create resource groups


To create a resource group, use New-AzResourceGroup.

New-AzResourceGroup -Name exampleGroup -Location westus

List resource groups


To list the resource groups in your subscription, use Get-AzResourceGroup.

Get-AzResourceGroup

To get one resource group, provide the name of the resource group.

Get-AzResourceGroup -Name exampleGroup

Delete resource groups


To delete a resource group, use Remove-AzResourceGroup.

Remove-AzResourceGroup -Name exampleGroup

For more information about how Azure Resource Manager orders the deletion of resources, see Azure Resource
Manager resource group deletion.

Deploy resources
You can deploy Azure resources by using Azure PowerShell, or by deploying an Azure Resource Manager (ARM)
template or Bicep file.
The following example creates a storage account. The name you provide for the storage account must be unique
across Azure.

New-AzStorageAccount -ResourceGroupName exampleGroup -Name examplestore -Location westus -SkuName "Standard_LRS"

To deploy an ARM template or Bicep file, use New-AzResourceGroupDeployment.

New-AzResourceGroupDeployment -ResourceGroupName exampleGroup -TemplateFile storage.bicep

For more information about deploying an ARM template, see Deploy resources with ARM templates and Azure
PowerShell.
For more information about deploying a Bicep file, see Deploy resources with Bicep and Azure PowerShell.

Lock resource groups


Locking prevents other users in your organization from accidentally deleting or modifying critical resources.
To prevent a resource group and its resources from being deleted, use New-AzResourceLock.

New-AzResourceLock -LockName LockGroup -LockLevel CanNotDelete -ResourceGroupName exampleGroup

To get the locks for a resource group, use Get-AzResourceLock.

Get-AzResourceLock -ResourceGroupName exampleGroup

For more information, see Lock resources with Azure Resource Manager.

Tag resource groups


You can apply tags to resource groups and resources to logically organize your assets. For information, see
Using tags to organize your Azure resources.

Export resource groups to templates


To assist with creating ARM templates, you can export a template from existing resources. For more information,
see Use Azure PowerShell to export a template.

Manage access to resource groups


Azure role-based access control (Azure RBAC) is the way that you manage access to resources in Azure. For
more information, see Add or remove Azure role assignments using Azure PowerShell.

Next steps
To learn Azure Resource Manager, see Azure Resource Manager overview.
To learn the Resource Manager template syntax, see Understand the structure and syntax of Azure Resource
Manager templates.
Manage Azure resources by using the Azure portal
2/23/2022 • 3 minutes to read

Learn how to use the Azure portal with Azure Resource Manager to manage your Azure resources. For
managing resource groups, see Manage Azure resource groups by using the Azure portal.
Other articles about managing resources:
Manage Azure resources by using Azure CLI
Manage Azure resources by using Azure PowerShell

NOTE
This article provides steps about how to delete personal data from the device or service and can be used to support your
obligations under the GDPR. For general information about GDPR, see the GDPR section of the Microsoft Trust Center
and the GDPR section of the Service Trust portal.

Deploy resources to a resource group


After you have created a Resource Manager template, you can use the Azure portal to deploy your Azure
resources. For creating a template, see Quickstart: Create and deploy Azure Resource Manager templates by
using the Azure portal. For deploying a template using the portal, see Deploy resources with Resource Manager
templates and Azure portal.

Open resources
Azure resources are organized by Azure services and by resource groups. The following procedures show how
to open a storage account called mystorage0207. The storage account resides in a resource group called
mystorage0207rg.
To open a resource by the service type:
1. Sign in to the Azure portal.
2. In the left pane, select the Azure service. In this case, Storage accounts. If you don't see the service
listed, select All services, and then select the service type.

3. Select the resource you want to open.


A storage account looks like:

To open a resource by resource group:


1. Sign in to the Azure portal.
2. In the left pane, select Resource groups, then select a resource group to list the resources within it.
3. Select the resource you want to open.

Manage resources
When viewing a resource in the portal, you see the options for managing that particular resource.

The screenshot shows the management options for an Azure virtual machine. You can perform operations such
as starting, restarting, and stopping a virtual machine.

Delete resources
1. Open the resource in the portal. For the steps, see Open resources.
2. Select Delete . The following screenshot shows the management options for a virtual machine.
3. Type the name of the resource to confirm the deletion, and then select Delete .
For more information about how Azure Resource Manager orders the deletion of resources, see Azure Resource
Manager resource group deletion.

Move resources
1. Open the resource in the portal. For the steps, see Open resources.
2. Select Move . The following screenshot shows the management options for a storage account.

3. Select Move to another resource group or Move to another subscription depending on your
needs.
For more information, see Move resources to new resource group or subscription.

Lock resources
Locking prevents other users in your organization from accidentally deleting or modifying critical resources,
such as an Azure subscription, resource group, or resource.
1. Open the resource in the portal. For the steps, see Open resources.
2. Select Locks . The following screenshot shows the management options for a storage account.

3. Select Add , and then specify the lock properties.


For more information, see Lock resources with Azure Resource Manager.

Tag resources
Tagging helps you organize your resource groups and resources logically.
1. Open the resource in the portal. For the steps, see Open resources.
2. Select Tags . The following screenshot shows the management options for a storage account.
3. Specify the tag properties, and then select Save .
For information, see Using tags to organize your Azure resources.

Monitor resources
When you open a resource, the portal presents default graphs and tables for monitoring that resource type. The
following screenshot shows the graphs for a virtual machine:

You can select the pin icon on the upper right corner of the graphs to pin the graph to the dashboard. To learn
about working with dashboards, see Creating and sharing dashboards in the Azure portal.

Manage access to resources


Azure role-based access control (Azure RBAC) is the way that you manage access to resources in Azure. For
more information, see Assign Azure roles using the Azure portal.

Next steps
To learn Azure Resource Manager, see Azure Resource Manager overview.
To learn the Resource Manager template syntax, see Understand the structure and syntax of Azure Resource
Manager templates.
To learn how to develop templates, see the step-by-step tutorials.
To view the Azure Resource Manager template schemas, see template reference.
Manage Azure resources by using Azure CLI
2/23/2022 • 3 minutes to read

Learn how to use Azure CLI with Azure Resource Manager to manage your Azure resources. For managing
resource groups, see Manage Azure resource groups by using Azure CLI.
Other articles about managing resources:
Manage Azure resources by using the Azure portal
Manage Azure resources by using Azure PowerShell

Deploy resources to an existing resource group


You can deploy Azure resources directly by using Azure CLI, or deploy a Resource Manager template to create
Azure resources.
Deploy a resource
The following script creates a storage account.

echo "Enter the Resource Group name:" &&
read resourceGroupName &&
echo "Enter the location (i.e. centralus):" &&
read location &&
echo "Enter the storage account name:" &&
read storageAccountName &&
az storage account create --resource-group $resourceGroupName --name $storageAccountName --location $location --sku Standard_LRS --kind StorageV2 &&
az storage account show --resource-group $resourceGroupName --name $storageAccountName

Deploy a template
The following script deploys a Quickstart template to create a storage account. For more information, see
Quickstart: Create ARM templates with Visual Studio Code.

echo "Enter the Resource Group name:" &&
read resourceGroupName &&
echo "Enter the location (i.e. centralus):" &&
read location &&
az deployment group create --resource-group $resourceGroupName --template-uri "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.storage/storage-account-create/azuredeploy.json"

For more information, see Deploy resources with Resource Manager templates and Azure CLI.

Deploy a resource group and resources


You can create a resource group and deploy resources to the group. For more information, see Create resource
group and deploy resources.

Deploy resources to multiple subscriptions or resource groups


Typically, you deploy all the resources in your template to a single resource group. However, there are scenarios
where you want to deploy a set of resources together but place them in different resource groups or
subscriptions. For more information, see Deploy Azure resources to multiple subscriptions or resource groups.

Delete resources
The following script shows how to delete a storage account.

echo "Enter the Resource Group name:" &&
read resourceGroupName &&
echo "Enter the storage account name:" &&
read storageAccountName &&
az storage account delete --resource-group $resourceGroupName --name $storageAccountName

For more information about how Azure Resource Manager orders the deletion of resources, see Azure Resource
Manager resource group deletion.

Move resources
The following script shows how to move a storage account from one resource group to another resource
group.

echo "Enter the source Resource Group name:" &&
read srcResourceGroupName &&
echo "Enter the destination Resource Group name:" &&
read destResourceGroupName &&
echo "Enter the storage account name:" &&
read storageAccountName &&
storageAccount=$(az resource show --resource-group $srcResourceGroupName --name $storageAccountName --resource-type Microsoft.Storage/storageAccounts --query id --output tsv) &&
az resource move --destination-group $destResourceGroupName --ids $storageAccount

For more information, see Move resources to new resource group or subscription.

Lock resources
Locking prevents other users in your organization from accidentally deleting or modifying critical resources,
such as an Azure subscription, resource group, or resource.
The following script locks a storage account so the account can't be deleted.

echo "Enter the Resource Group name:" &&
read resourceGroupName &&
echo "Enter the storage account name:" &&
read storageAccountName &&
az lock create --name LockSite --lock-type CanNotDelete --resource-group $resourceGroupName --resource-name $storageAccountName --resource-type Microsoft.Storage/storageAccounts

The following script gets all locks for a storage account:

echo "Enter the Resource Group name:" &&
read resourceGroupName &&
echo "Enter the storage account name:" &&
read storageAccountName &&
az lock list --resource-group $resourceGroupName --resource-name $storageAccountName --resource-type Microsoft.Storage/storageAccounts --parent ""

The following script deletes a lock of a storage account:

echo "Enter the Resource Group name:" &&
read resourceGroupName &&
echo "Enter the storage account name:" &&
read storageAccountName &&
lockId=$(az lock show --name LockSite --resource-group $resourceGroupName --resource-type Microsoft.Storage/storageAccounts --resource-name $storageAccountName --output tsv --query id) &&
az lock delete --ids $lockId

For more information, see Lock resources with Azure Resource Manager.
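The lock commands above act on one resource at a time; what a defender usually wants is to know which resources have no delete-blocking lock at all. The following Python audit is an added example (not part of the Azure documentation) that takes JSON shaped like the output of `az resource list` and `az lock list`, accounts for locks inherited from the resource group scope, and lists the resources with neither a CanNotDelete nor a ReadOnly lock in effect. The subscription ID, group names and resource names are constructed placeholders.

```python
import json

# A lock's own ID ends with this segment followed by the lock name; what precedes it is the scope it protects.
LOCK_SEGMENT = "/providers/microsoft.authorization/locks/"

# Constructed sample shaped like `az resource list --output json` (only the fields this audit uses).
RESOURCES = json.loads("""[
  {"id": "/subscriptions/<sub>/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/prodstore",
   "type": "Microsoft.Storage/storageAccounts"},
  {"id": "/subscriptions/<sub>/resourceGroups/rg-prod/providers/Microsoft.KeyVault/vaults/prodvault",
   "type": "Microsoft.KeyVault/vaults"},
  {"id": "/subscriptions/<sub>/resourceGroups/rg-dev/providers/Microsoft.Storage/storageAccounts/devstore",
   "type": "Microsoft.Storage/storageAccounts"},
  {"id": "/subscriptions/<sub>/resourceGroups/rg-dev/providers/Microsoft.Storage/storageAccounts/devstore2",
   "type": "Microsoft.Storage/storageAccounts"}
]""")

# Constructed sample shaped like `az lock list --output json`: one group-scoped lock (as created by
# `az lock create --resource-group`) and one resource-scoped lock (as created with --resource-name).
LOCKS = json.loads("""[
  {"name": "LockGroup", "level": "CanNotDelete",
   "id": "/subscriptions/<sub>/resourceGroups/rg-prod/providers/Microsoft.Authorization/locks/LockGroup"},
  {"name": "LockSite", "level": "CanNotDelete",
   "id": "/subscriptions/<sub>/resourceGroups/rg-dev/providers/Microsoft.Storage/storageAccounts/devstore/providers/Microsoft.Authorization/locks/LockSite"}
]""")


def lock_scope(lock_id: str) -> str:
    """Drop the lock's own '/providers/Microsoft.Authorization/locks/{name}' tail to get the protected scope."""
    idx = lock_id.lower().find(LOCK_SEGMENT)
    return lock_id[:idx] if idx >= 0 else lock_id


def is_in_scope(resource_id: str, scope: str) -> bool:
    """Locks inherit downward: a lock on a resource group or subscription covers every resource beneath it.
    Resource IDs are compared case-insensitively, as Azure does."""
    rid, sc = resource_id.lower(), scope.lower()
    return rid == sc or rid.startswith(sc + "/")


def unprotected_resources(resources, locks, resource_types=None):
    """IDs of resources (optionally filtered by type) that no CanNotDelete or ReadOnly lock protects.
    ReadOnly counts because it also blocks deletion, not only updates."""
    delete_blocking = [lock_scope(lk["id"]) for lk in locks if lk.get("level") in ("CanNotDelete", "ReadOnly")]
    result = []
    for res in resources:
        if resource_types and res.get("type") not in resource_types:
            continue
        if not any(is_in_scope(res["id"], scope) for scope in delete_blocking):
            result.append(res["id"])
    return result


if __name__ == "__main__":
    for rid in unprotected_resources(RESOURCES, LOCKS):
        print("no delete-blocking lock:", rid)
```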

Tag resources
Tagging helps you organize your resource groups and resources logically. For information, see Using tags to
organize your Azure resources.

Manage access to resources


Azure role-based access control (Azure RBAC) is the way that you manage access to resources in Azure. For
more information, see Add or remove Azure role assignments using Azure CLI.

Next steps
To learn Azure Resource Manager, see Azure Resource Manager overview.
To learn the Resource Manager template syntax, see Understand the structure and syntax of Azure Resource
Manager templates.
To learn how to develop templates, see the step-by-step tutorials.
To view the Azure Resource Manager template schemas, see template reference.
Manage Azure resources by using Azure PowerShell
2/23/2022 • 3 minutes to read

Learn how to use Azure PowerShell with Azure Resource Manager to manage your Azure resources. For
managing resource groups, see Manage Azure resource groups by using Azure PowerShell.
Other articles about managing resources:
Manage Azure resources by using the Azure portal
Manage Azure resources by using Azure CLI

Deploy resources to an existing resource group


You can deploy Azure resources directly by using Azure PowerShell, or deploy a Resource Manager template to
create Azure resources.
Deploy a resource
The following script creates a storage account.

$resourceGroupName = Read-Host -Prompt "Enter the Resource Group name"
$location = Read-Host -Prompt "Enter the location (i.e. centralus)"
$storageAccountName = Read-Host -Prompt "Enter the storage account name"

# Create the storage account.
$storageAccount = New-AzStorageAccount -ResourceGroupName $resourceGroupName `
  -Name $storageAccountName `
  -Location $location `
  -SkuName "Standard_LRS"

# Retrieve the context.
$ctx = $storageAccount.Context

Deploy a template
The following script deploys a Quickstart template to create a storage account. For more information, see
Quickstart: Create Azure Resource Manager templates by using Visual Studio Code.

$resourceGroupName = Read-Host -Prompt "Enter the Resource Group name"
$location = Read-Host -Prompt "Enter the location (i.e. centralus)"
$templateUri = "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.storage/storage-account-create/azuredeploy.json"
New-AzResourceGroupDeployment -ResourceGroupName $resourceGroupName -TemplateUri $templateUri -Location $location

For more information, see Deploy resources with Resource Manager templates and Azure PowerShell.

Deploy a resource group and resources


You can create a resource group and deploy resources to the group. For more information, see Create resource
group and deploy resources.

Deploy resources to multiple subscriptions or resource groups


Typically, you deploy all the resources in your template to a single resource group. However, there are scenarios
where you want to deploy a set of resources together but place them in different resource groups or
subscriptions. For more information, see Deploy Azure resources to multiple subscriptions or resource groups.

Delete resources
The following script shows how to delete a storage account.

$resourceGroupName = Read-Host -Prompt "Enter the Resource Group name"
$storageAccountName = Read-Host -Prompt "Enter the storage account name"

Remove-AzStorageAccount -ResourceGroupName $resourceGroupName -AccountName $storageAccountName

For more information about how Azure Resource Manager orders the deletion of resources, see Azure Resource
Manager resource group deletion.

Move resources
The following script shows how to move a storage account from one resource group to another resource
group.

$srcResourceGroupName = Read-Host -Prompt "Enter the source Resource Group name"
$destResourceGroupName = Read-Host -Prompt "Enter the destination Resource Group name"
$storageAccountName = Read-Host -Prompt "Enter the storage account name"

$storageAccount = Get-AzResource -ResourceGroupName $srcResourceGroupName -ResourceName $storageAccountName

Move-AzResource -DestinationResourceGroupName $destResourceGroupName -ResourceId $storageAccount.ResourceId

For more information, see Move resources to new resource group or subscription.

Lock resources
Locking prevents other users in your organization from accidentally deleting or modifying critical resources,
such as an Azure subscription, resource group, or resource.
The following script locks a storage account so the account can't be deleted.

$resourceGroupName = Read-Host -Prompt "Enter the Resource Group name"
$storageAccountName = Read-Host -Prompt "Enter the storage account name"

New-AzResourceLock -LockName LockStorage -LockLevel CanNotDelete -ResourceGroupName $resourceGroupName -ResourceName $storageAccountName -ResourceType Microsoft.Storage/storageAccounts

The following script gets all locks for a storage account:

$resourceGroupName = Read-Host -Prompt "Enter the Resource Group name"
$storageAccountName = Read-Host -Prompt "Enter the storage account name"

Get-AzResourceLock -ResourceGroupName $resourceGroupName -ResourceName $storageAccountName -ResourceType Microsoft.Storage/storageAccounts

The following script deletes a lock of a storage account:

$resourceGroupName = Read-Host -Prompt "Enter the Resource Group name"
$storageAccountName = Read-Host -Prompt "Enter the storage account name"

$lockId = (Get-AzResourceLock -ResourceGroupName $resourceGroupName -ResourceName $storageAccountName -ResourceType Microsoft.Storage/storageAccounts).LockId
Remove-AzResourceLock -LockId $lockId

For more information, see Lock resources with Azure Resource Manager.

Tag resources
Tagging helps you organize your resource groups and resources logically. For information, see Using tags to
organize your Azure resources.

Manage access to resources


Azure role-based access control (Azure RBAC) is the way that you manage access to resources in Azure. For
more information, see Add or remove Azure role assignments using Azure PowerShell.

Next steps
To learn Azure Resource Manager, see Azure Resource Manager overview.
To learn the Resource Manager template syntax, see Understand the structure and syntax of Azure Resource
Manager templates.
To learn how to develop templates, see the step-by-step tutorials.
To view the Azure Resource Manager template schemas, see template reference.
Azure resource providers and types
2/23/2022 • 7 minutes to read

When deploying resources, you frequently need to retrieve information about the resource providers and types.
For example, if you want to store keys and secrets, you work with the Microsoft.KeyVault resource provider. This
resource provider offers a resource type called vaults for creating the key vault.
The name of a resource type is in the format: {resource-provider}/{resource-type} . The resource type for a
key vault is Microsoft.KeyVault/vaults .
In this article, you learn how to:
View all resource providers in Azure
Check registration status of a resource provider
Register a resource provider
View resource types for a resource provider
View valid locations for a resource type
View valid API versions for a resource type
You can do these steps through the Azure portal, Azure PowerShell, or Azure CLI.
For a list that maps resource providers to Azure services, see Resource providers for Azure services.

Register resource provider


Before using a resource provider, your Azure subscription must be registered for the resource provider.
Registration configures your subscription to work with the resource provider.

IMPORTANT
Only register a resource provider when you're ready to use it. The registration step enables you to maintain least
privileges within your subscription. A malicious user can't use resource providers that aren't registered.

Some resource providers are registered by default. For a list of resource providers registered by default, see
Resource providers for Azure services.
Other resource providers are registered automatically when you take certain actions. When you create a
resource through the portal, the resource provider is typically registered for you. When you deploy an Azure
Resource Manager template or Bicep file, resource providers defined in the template are registered
automatically. However, if a resource in the template creates supporting resources that aren't in the template,
such as monitoring or security resources, you need to manually register those resource providers.
For other scenarios, you may need to manually register a resource provider.

IMPORTANT
Your application code shouldn't block the creation of resources for a resource provider that is in the registering
state. When you register the resource provider, the operation is done individually for each supported region. To create
resources in a region, the registration only needs to be completed in that region. By not blocking a resource provider in
the registering state, your application can continue much sooner than waiting for all regions to complete.
You must have permission to do the /register/action operation for the resource provider. The permission is
included in the Contributor and Owner roles.
You can't unregister a resource provider when you still have resource types from that resource provider in your
subscription.
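To put the registration rules above into practice, the following Python helper is an added example (not code from the Azure documentation). It derives the provider namespaces a deployment needs from its {resource-provider}/{resource-type} names, compares them with a ProviderNamespace to RegistrationState listing of the kind Get-AzResourceProvider returns, treats providers in the registering state as ready to proceed rather than blocking, and flags registered providers that nothing in the subscription uses as candidates for unregistering under the least-privilege guidance. The resource types and registration states in the sample are constructed.

```python
def provider_of(resource_type: str) -> str:
    """'Microsoft.KeyVault/vaults' -> 'Microsoft.KeyVault' (the namespace before the first slash)."""
    return resource_type.split("/", 1)[0]


def plan_registration(template_types, registration, existing_types):
    """Compare the providers a deployment needs with the subscription's registration state.

    registration maps ProviderNamespace -> RegistrationState (Registered, Registering, NotRegistered, ...)
    as listed by Get-AzResourceProvider. Namespaces compare case-insensitively.
    """
    needed = {provider_of(t) for t in template_types}
    state = {ns.lower(): st for ns, st in registration.items()}
    to_register, registering = [], []
    for ns in sorted(needed):
        st = state.get(ns.lower(), "NotRegistered")
        if st == "Registering":
            registering.append(ns)   # proceed: registration completes per region, don't wait for all
        elif st != "Registered":
            to_register.append(ns)
    # A registered provider that neither this deployment nor an existing resource uses is attack surface
    # with no benefit; it is an unregister candidate. Unregistering is refused while resource types of
    # that provider still exist, which is why the existing resources are an input here.
    in_use = {provider_of(t).lower() for t in existing_types} | {ns.lower() for ns in needed}
    unused = sorted(ns for ns, st in registration.items()
                    if st == "Registered" and ns.lower() not in in_use)
    return {"register": to_register, "registering": registering, "unused_registered": unused}


# Constructed sample: the resource types a template declares, including a monitoring resource.
TEMPLATE_RESOURCE_TYPES = [
    "Microsoft.Storage/storageAccounts",
    "Microsoft.KeyVault/vaults",
    "Microsoft.Insights/diagnosticSettings",
]

# Constructed sample shaped like the ProviderNamespace / RegistrationState listing.
REGISTRATION = {
    "Microsoft.ClassicCompute": "Registered",
    "Microsoft.Storage": "Registered",
    "Microsoft.KeyVault": "Registering",
    "Microsoft.Insights": "NotRegistered",
}

# Constructed sample: resource types already deployed in the subscription.
EXISTING_RESOURCE_TYPES = ["Microsoft.Storage/storageAccounts"]

if __name__ == "__main__":
    plan = plan_registration(TEMPLATE_RESOURCE_TYPES, REGISTRATION, EXISTING_RESOURCE_TYPES)
    for key, namespaces in plan.items():
        print(key + ":", ", ".join(namespaces) or "(none)")
```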

Azure portal
Register resource provider
To see all resource providers, and the registration status for your subscription:
1. Sign in to the Azure portal.
2. On the Azure portal menu, search for Subscriptions. Select it from the available options.

3. Select the subscription you want to view.

4. On the left menu, under Settings, select Resource providers.

5. Find the resource provider you want to register, and select Register. To maintain least privileges in your
subscription, only register those resource providers that you're ready to use.
IMPORTANT
As noted earlier, don't block the creation of resources for a resource provider that is in the registering state. By
not blocking a resource provider in the registering state, your application can continue much sooner than waiting for all
regions to complete.

View resource provider


To see information for a particular resource provider:
1. Sign in to the Azure portal.
2. On the Azure portal menu, select All services.
3. In the All services box, enter resource explorer, and then select Resource Explorer.
4. Expand Providers by selecting the right arrow.

5. Expand a resource provider and resource type that you want to view.

6. Resource Manager is supported in all regions, but the resources you deploy might not be supported in all
regions. Also, there may be limitations on your subscription that prevent you from using some regions
that support the resource. The resource explorer displays valid locations for the resource type.
7. The API version corresponds to a version of REST API operations that are released by the resource
provider. As a resource provider enables new features, it releases a new version of the REST API. The
resource explorer displays valid API versions for the resource type.

Azure PowerShell
To see all resource providers in Azure, and the registration status for your subscription, use:

Get-AzResourceProvider -ListAvailable | Select-Object ProviderNamespace, RegistrationState

The command returns:


ProviderNamespace RegistrationState
-------------------------------- ------------------
Microsoft.ClassicCompute Registered
Microsoft.ClassicNetwork Registered
Microsoft.ClassicStorage Registered
Microsoft.CognitiveServices Registered
...

To see all registered resource providers for your subscription, use:

Get-AzResourceProvider -ListAvailable | Where-Object RegistrationState -eq "Registered" | Select-Object ProviderNamespace, RegistrationState | Sort-Object ProviderNamespace

To maintain least privileges in your subscription, only register those resource providers that you're ready to use.
To register a resource provider, use:

Register-AzResourceProvider -ProviderNamespace Microsoft.Batch

The command returns:

ProviderNamespace : Microsoft.Batch
RegistrationState : Registering
ResourceTypes : {batchAccounts, operations, locations, locations/quotas}
Locations : {West Europe, East US, East US 2, West US...}

IMPORTANT
As noted earlier, don't block the creation of resources for a resource provider that is in the registering state. By
not blocking a resource provider in the registering state, your application can continue much sooner than waiting for all
regions to complete.

To see information for a particular resource provider, use:

Get-AzResourceProvider -ProviderNamespace Microsoft.Batch

The command returns:

ProviderNamespace : Microsoft.Batch
RegistrationState : Registered
ResourceTypes : {batchAccounts}
Locations : {West Europe, East US, East US 2, West US...}

...

To see the resource types for a resource provider, use:

(Get-AzResourceProvider -ProviderNamespace Microsoft.Batch).ResourceTypes.ResourceTypeName

The command returns:


batchAccounts
operations
locations
locations/quotas

The API version corresponds to a version of REST API operations that are released by the resource provider. As a
resource provider enables new features, it releases a new version of the REST API.
To get the available API versions for a resource type, use:

((Get-AzResourceProvider -ProviderNamespace Microsoft.Batch).ResourceTypes | Where-Object ResourceTypeName -eq batchAccounts).ApiVersions

The command returns:

2017-05-01
2017-01-01
2015-12-01
2015-09-01
2015-07-01

Resource Manager is supported in all regions, but the resources you deploy might not be supported in all
regions. Also, there may be limitations on your subscription that prevent you from using some regions that
support the resource.
To get the supported locations for a resource type, use:

((Get-AzResourceProvider -ProviderNamespace Microsoft.Batch).ResourceTypes | Where-Object ResourceTypeName -eq batchAccounts).Locations

The command returns:

West Europe
East US
East US 2
West US
...

Azure CLI
To see all resource providers in Azure, and the registration status for your subscription, use:

az provider list --query "[].{Provider:namespace, Status:registrationState}" --out table

The command returns:

Provider Status
-------------------------------- ----------------
Microsoft.ClassicCompute Registered
Microsoft.ClassicNetwork Registered
Microsoft.ClassicStorage Registered
Microsoft.CognitiveServices Registered
...
To see all registered resource providers for your subscription, use:

az provider list --query "sort_by([?registrationState=='Registered'].{Provider:namespace, Status:registrationState}, &Provider)" --out table

To maintain least privileges in your subscription, only register those resource providers that you're ready to use.
To register a resource provider, use:

az provider register --namespace Microsoft.Batch

The command returns a message that registration is on-going.


To see information for a particular resource provider, use:

az provider show --namespace Microsoft.Batch

The command returns:

{
  "id": "/subscriptions/####-####/providers/Microsoft.Batch",
  "namespace": "Microsoft.Batch",
  "registrationState": "Registering",
  "resourceTypes": [
    ...
  ]
}

IMPORTANT
As noted earlier, don't block the creation of resources for a resource provider that is in the registering state. By
not blocking a resource provider in the registering state, your application can continue much sooner than waiting for all
regions to complete.

To see the resource types for a resource provider, use:

az provider show --namespace Microsoft.Batch --query "resourceTypes[*].resourceType" --out table

The command returns:

Result
---------------
batchAccounts
operations
locations
locations/quotas

The API version corresponds to a version of REST API operations that are released by the resource provider. As a
resource provider enables new features, it releases a new version of the REST API.
To get the available API versions for a resource type, use:

az provider show --namespace Microsoft.Batch --query "resourceTypes[?resourceType=='batchAccounts'].apiVersions | [0]" --out table

The command returns:

Result
---------------
2017-05-01
2017-01-01
2015-12-01
2015-09-01
2015-07-01

Resource Manager is supported in all regions, but the resources you deploy might not be supported in all
regions. Also, there may be limitations on your subscription that prevent you from using some regions that
support the resource.
To get the supported locations for a resource type, use:

az provider show --namespace Microsoft.Batch --query "resourceTypes[?resourceType=='batchAccounts'].locations | [0]" --out table

The command returns:

Result
---------------
West Europe
East US
East US 2
West US
...
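
The PowerShell and CLI queries above pull the registration state, API versions and locations out of the provider document one at a time. The following Python is an added example, not part of the original article or of the Azure CLI, that performs the same checks as a single preflight step before a deployment is submitted. It parses a constructed JSON document shaped like the `az provider show` output shown above (the subscription ID, API versions and locations in it are placeholder values, not real provider data), and it treats a provider in the Registering state as usable, because registration completes per region and the article says not to block on it.

```python
import json
from typing import Dict, List, Optional

# Constructed sample modelled on the shape of `az provider show --namespace Microsoft.Batch`
# output. The subscription ID is a placeholder; API versions and locations are illustrative.
SAMPLE_PROVIDER_JSON = """
{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Batch",
  "namespace": "Microsoft.Batch",
  "registrationState": "Registering",
  "resourceTypes": [
    {
      "resourceType": "batchAccounts",
      "apiVersions": ["2017-05-01", "2017-01-01", "2015-12-01"],
      "locations": ["West Europe", "East US", "East US 2", "West US"]
    },
    {
      "resourceType": "operations",
      "apiVersions": ["2017-05-01"],
      "locations": []
    }
  ]
}
"""


def load_provider(text: str) -> Dict:
    """Parse the JSON document returned by `az provider show`."""
    return json.loads(text)


def normalize_location(location: str) -> str:
    """Azure accepts display names ("West Europe") and canonical names ("westeurope");
    compare both in canonical form."""
    return location.replace(" ", "").lower()


def find_resource_type(provider: Dict, type_name: str) -> Optional[Dict]:
    """Resource type names are case-insensitive in Resource Manager."""
    for rt in provider["resourceTypes"]:
        if rt["resourceType"].lower() == type_name.lower():
            return rt
    return None


def preflight(provider: Dict, type_name: str, api_version: str, location: str) -> List[str]:
    """Return the problems that would make a deployment of this type fail.

    An empty list means the deployment can be submitted. "Registering" is deliberately
    not a problem: registration completes region by region, so there is no need to wait.
    """
    problems = []
    namespace = provider["namespace"]
    state = provider["registrationState"]
    if state not in ("Registered", "Registering"):
        problems.append(f"{namespace} is {state}; run `az provider register --namespace {namespace}`")

    rt = find_resource_type(provider, type_name)
    if rt is None:
        problems.append(f"{namespace} does not expose a resource type named {type_name}")
        return problems

    if api_version not in rt["apiVersions"]:
        problems.append(
            f"apiVersion {api_version} is not valid for {namespace}/{rt['resourceType']}; "
            f"valid versions: {', '.join(rt['apiVersions'])}"
        )

    # An empty locations list means the type is not region-bound, so any location is accepted.
    valid_locations = {normalize_location(loc) for loc in rt["locations"]}
    if valid_locations and normalize_location(location) not in valid_locations:
        problems.append(
            f"location {location} is not supported for {namespace}/{rt['resourceType']}; "
            f"supported: {', '.join(rt['locations'])}"
        )
    return problems


if __name__ == "__main__":
    provider = load_provider(SAMPLE_PROVIDER_JSON)
    for issue in preflight(provider, "batchAccounts", "2016-01-01", "North Europe"):
        print("preflight:", issue)
```

In practice the JSON would come from `az provider show --namespace <ns>` rather than the embedded constant; the check then fails fast on a wrong apiVersion or unsupported region instead of surfacing the error from the deployment itself.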

Next steps
To learn about creating Resource Manager templates, see Authoring Azure Resource Manager templates.
To view the resource provider template schemas, see Template reference.
For a list that maps resource providers to Azure services, see Resource providers for Azure services.
To view the operations for a resource provider, see Azure REST API.
Set up preview features in Azure subscription
2/23/2022 • 5 minutes to read

This article shows you how to manage preview features in your Azure subscription. Preview features let you opt
in to new functionality before it's released. Some preview features are available to anyone who wants to opt in.
Other preview features require approval from the product team.
Azure Feature Exposure Control (AFEC) is available through the Microsoft.Features namespace. Preview features
have the following format for the resource ID:
Microsoft.Features/providers/{resourceProviderNamespace}/features/{featureName}

List preview features


You can list all the preview features and their registration states for an Azure subscription.
Portal
Azure CLI
PowerShell

The portal only shows a preview feature when the service that owns the feature has explicitly opted in to the
preview features management experience.
1. Sign in to the Azure portal.
2. In the search box, enter subscriptions and select Subscriptions.

3. Select the link for your subscription's name.

4. From the left menu, under Settings, select Preview features.

5. You see a list of available preview features and your current registration status.
6. From Preview features you can filter the list by name, State, or Type:
Filter by name: Must contain text from a preview feature's name, not the Display name.
State: Select the drop-down menu and choose a state. The portal doesn't filter by Unregistered.
Type: Select the drop-down menu and choose a type.

Register preview feature


Register a preview feature in your Azure subscription to expose more functionality for a resource provider. Some
preview features require approval.
After a preview feature is registered in your subscription, you'll see one of two states: Registered or Pending.
For a preview feature that doesn't require approval, the state is Registered.
If a preview feature requires approval, the registration state is Pending.
To request approval, submit an Azure support request.
After the registration is approved, the preview feature's state changes to Registered.

Portal
Azure CLI
PowerShell

1. Sign in to the Azure portal.


2. In the search box, enter subscriptions and select Subscriptions.
3. Select the link for your subscription's name.
4. From the left menu, under Settings, select Preview features.
5. Select the link for the preview feature you want to register.
6. Select Register.
7. Select OK.
The Preview features screen refreshes and the preview feature's State is displayed.

Unregister preview feature


When you've finished using a preview feature, unregister it from your Azure subscription. You may notice two
different statuses after unregistering the feature. If you unregister through the portal, the status is set to Not
registered. If you unregister through Azure CLI, PowerShell, or REST API, the status is set to Unregistered. The
status is different because the portal deletes the feature registration, but the commands unregister the feature.
In both cases, the feature is no longer available in your subscription. In both cases, you can opt in to the feature
again by re-registering it.
Portal
Azure CLI
PowerShell

You can unregister preview features from Preview features. The State changes to Not registered.
1. Sign in to the Azure portal.
2. In the search box, enter subscriptions and select Subscriptions.
3. Select the link for your subscription's name.
4. From the left menu, under Settings, select Preview features.
5. Select the link for the preview feature you want to unregister.
6. Select Unregister.
7. Select OK.

Next steps
To use REST API calls and list, register, or unregister preview features, see the Features documentation.
For more information about how to register a resource provider, see Azure resource providers and types.
For a list that maps resource providers to Azure services, see Resource providers for Azure services.
Azure Resource Manager resource group and
resource deletion
2/23/2022 • 2 minutes to read

This article shows how to delete resource groups and resources. It describes how Azure Resource Manager
orders the deletion of resources when you delete a resource group.

How order of deletion is determined


When you delete a resource group, Resource Manager determines the order to delete resources. It uses the
following order:
1. All the child (nested) resources are deleted.
2. Resources that manage other resources are deleted next. A resource can have the managedBy property set
to indicate that a different resource manages it. When this property is set, the resource that manages the
other resource is deleted before the other resources.
3. The remaining resources are deleted after the previous two categories.
After the order is determined, Resource Manager issues a DELETE operation for each resource. It waits for any
dependencies to finish before proceeding.
For synchronous operations, the expected successful response codes are:
200
204
404
For asynchronous operations, the expected successful response is 202. Resource Manager tracks the location
header or the azure-async operation header to determine the status of the asynchronous delete operation.
Deletion errors
When a delete operation returns an error, Resource Manager retries the DELETE call. Retries happen for the 5xx,
429 and 408 status codes. By default, the time period for retry is 15 minutes.

After deletion
Resource Manager issues a GET call on each resource that it tried to delete. The response of this GET call is
expected to be 404. When Resource Manager gets a 404, it considers the deletion to have completed
successfully. Resource Manager removes the resource from its cache.
However, if the GET call on the resource returns a 200 or 201, Resource Manager recreates the resource.
If the GET operation returns an error, Resource Manager retries the GET for the following error codes:
Less than 100
408
429
Greater than 500
For other error codes, Resource Manager fails the deletion of the resource.
IMPORTANT
Resource Group deletion is irreversible.
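
The ordering rules and the status-code handling above are easy to misread, so here is an added Python example (not code from the article or from Resource Manager itself) that implements them: it sorts a constructed set of resources into the three deletion categories and classifies DELETE and follow-up GET responses exactly as the text lists them. The resource IDs, the subscription ID and the managedBy relationship are made-up sample data.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Resource:
    """Minimal view of an ARM resource: its full ID and its optional managedBy property."""
    resource_id: str
    managed_by: Optional[str] = None


def is_child_of(child_id: str, parent_id: str) -> bool:
    """Nested resources extend the parent's ID, e.g. .../virtualNetworks/v/subnets/s."""
    return child_id.lower().startswith(parent_id.lower() + "/")


def deletion_order(resources: List[Resource]) -> List[Resource]:
    """Order resources the way Resource Manager deletes a resource group:
    1. nested (child) resources, 2. resources that manage other resources
    (i.e. are named in another resource's managedBy), 3. everything else.
    Within each category the input order is kept."""
    ids = [r.resource_id for r in resources]
    managers = {r.managed_by.lower() for r in resources if r.managed_by}

    children, managing, rest = [], [], []
    for r in resources:
        if any(is_child_of(r.resource_id, other) for other in ids if other != r.resource_id):
            children.append(r)
        elif r.resource_id.lower() in managers:
            managing.append(r)
        else:
            rest.append(r)
    return children + managing + rest


def classify_delete_response(status: int) -> str:
    """Outcome of the DELETE call Resource Manager issues for each resource."""
    if status in (200, 204, 404):
        return "deleted"          # synchronous success codes listed in the article
    if status == 202:
        return "accepted"         # asynchronous: poll the Location / Azure-AsyncOperation header
    if status >= 500 or status in (429, 408):
        return "retry"            # retried, by default for up to 15 minutes
    return "failed"


def classify_verify_response(status: int) -> str:
    """Outcome of the GET Resource Manager issues after the delete."""
    if status == 404:
        return "deleted"          # the resource is gone and is removed from the cache
    if status in (200, 201):
        return "still-exists"     # Resource Manager recreates the resource in its view
    if status < 100 or status in (408, 429) or status > 500:
        return "retry"            # exactly the codes the article lists
    return "failed"


# Constructed sample resource group contents (subscription ID is a placeholder).
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg"
VNET = RG + "/providers/Microsoft.Network/virtualNetworks/vnet"
SUBNET = VNET + "/subnets/default"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm"
DISK = RG + "/providers/Microsoft.Compute/disks/vm_OsDisk"

SAMPLE_RESOURCES = [
    Resource(VNET),
    Resource(SUBNET),
    Resource(DISK, managed_by=VM),   # the VM manages its OS disk
    Resource(VM),
]

if __name__ == "__main__":
    for r in deletion_order(SAMPLE_RESOURCES):
        print(r.resource_id.rsplit("/providers/", 1)[-1])
```

The sample deletes the subnet first (a child of the virtual network), then the VM (because the disk's managedBy names it), and only then the virtual network and the disk.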

Delete resource group


Use one of the following methods to delete the resource group.
PowerShell
Azure CLI
Portal

Remove-AzResourceGroup -Name ExampleResourceGroup

Delete resource
Use one of the following methods to delete a resource.

PowerShell
Azure CLI
Portal

Remove-AzResource `
-ResourceGroupName ExampleResourceGroup `
-ResourceName ExampleVM `
-ResourceType Microsoft.Compute/virtualMachines

Required access and deletion failures


To delete a resource group, you need access to the delete action for the
Microsoft.Resources/subscriptions/resourceGroups resource. You also need delete for all resources in the
resource group.
For a list of operations, see Azure resource provider operations. For a list of built-in roles, see Azure built-in
roles.
If you have the required access, but the delete request fails, it may be because there's a lock on the resources or
resource group. Even if you didn't manually lock a resource group, it may have been automatically locked by a
related service. Or, the deletion can fail if the resources are connected to resources in other resource groups that
aren't being deleted. For example, you can't delete a virtual network with subnets that are still in use by a virtual
machine.

Next steps
To understand Resource Manager concepts, see Azure Resource Manager overview.
For deletion commands, see PowerShell, Azure CLI, and REST API.
Lock resources to prevent unexpected changes
2/23/2022 • 11 minutes to read

As an administrator, you can lock a subscription, resource group, or resource to prevent other users in your
organization from accidentally deleting or modifying critical resources. The lock overrides any permissions the
user might have.
You can set the lock level to CanNotDelete or ReadOnly. In the portal, the locks are called Delete and Read-only
respectively.
CanNotDelete means authorized users can still read and modify a resource, but they can't delete the
resource.
ReadOnly means authorized users can read a resource, but they can't delete or update the resource.
Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.
Unlike role-based access control, you use management locks to apply a restriction across all users and roles. To
learn about setting permissions for users and roles, see Azure role-based access control (Azure RBAC).

Lock inheritance
When you apply a lock at a parent scope, all resources within that scope inherit the same lock. Even resources
you add later inherit the lock from the parent. The most restrictive lock in the inheritance takes precedence.

Understand scope of locks


NOTE
It's important to understand that locks don't apply to all types of operations. Azure operations can be divided into two
categories: control plane and data plane. Locks only apply to control plane operations.

Control plane operations are operations sent to https://management.azure.com . Data plane operations are
operations sent to your instance of a service, such as https://myaccount.blob.core.windows.net/ . For more
information, see Azure control plane and data plane. To discover which operations use the control plane URL,
see the Azure REST API.
This distinction means locks prevent changes to a resource, but they don't restrict how resources perform their
own functions. For example, a ReadOnly lock on a SQL Database logical server prevents you from deleting or
modifying the server. It doesn't prevent you from creating, updating, or deleting data in the databases on that
server. Data transactions are permitted because those operations aren't sent to https://management.azure.com .
More examples of the differences between control and data plane operations are described in the next section.

Considerations before applying locks


Applying locks can lead to unexpected results because some operations that don't seem to modify the resource
actually require actions that are blocked by the lock. Locks will prevent any operations that require a POST
request to the Azure Resource Manager API. Some common examples of the operations that are blocked by
locks are:
A read-only lock on a storage account prevents users from listing the account keys. The Azure Storage
List Keys operation is handled through a POST request to protect access to the account keys, which
provide complete access to data in the storage account. When a read-only lock is configured for a storage
account, users who don't have the account keys must use Azure AD credentials to access blob or queue
data. A read-only lock also prevents the assignment of Azure RBAC roles that are scoped to the storage
account or to a data container (blob container or queue).
A cannot-delete lock on a storage account doesn't prevent data within that account from being deleted
or modified. This type of lock only protects the storage account itself from being deleted. If a request uses
data plane operations, the lock on the storage account doesn't protect blob, queue, table, or file data
within that storage account. However, if the request uses control plane operations, the lock protects those
resources.
For example, if a request uses File Shares - Delete, which is a control plane operation, the deletion is
denied. If the request uses Delete Share, which is a data plane operation, the deletion succeeds. We
recommend that you use the control plane operations.
A read-only lock on a storage account doesn't prevent data within that account from being deleted or
modified. This type of lock only protects the storage account itself from being deleted or modified, and
doesn't protect blob, queue, table, or file data within that storage account.
A read-only lock on an App Service resource prevents Visual Studio Server Explorer from displaying
files for the resource because that interaction requires write access.
A read-only lock on a resource group that contains an App Service plan prevents you from scaling up
or out the plan.
A read-only lock on a resource group that contains a virtual machine prevents all users from starting
or restarting the virtual machine. These operations require a POST request.
A read-only lock on a resource group that contains an automation account prevents all runbooks
from starting. These operations require a POST request.
A cannot-delete lock on a resource group prevents Azure Resource Manager from automatically
deleting deployments in the history. If you reach 800 deployments in the history, your deployments will
fail.
A cannot-delete lock on the resource group created by Azure Backup Service causes backups to fail.
The service supports a maximum of 18 restore points. When locked, the backup service can't clean up
restore points. For more information, see Frequently asked questions-Back up Azure VMs.
A cannot-delete lock on a resource group prevents Azure Machine Learning from autoscaling Azure
Machine Learning compute clusters to remove unused nodes.
A read-only lock on a Log Analytics workspace prevents User and Entity Behavior Analytics
(UEBA) from being enabled.
A read-only lock on a subscription prevents Azure Advisor from working correctly. Advisor is unable
to store the results of its queries.
A read-only lock on an Application Gateway prevents you from getting the backend health of the
application gateway. That operation uses POST, which is blocked by the read-only lock.
A read-only lock on an AKS cluster prevents all users from accessing any cluster resources from the
Kubernetes Resources section of AKS cluster left-side blade on the Azure portal. These operations
require a POST request for authentication.
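
The examples above all follow from three rules: a lock applies only to requests sent to the control plane host, the most restrictive lock in the scope hierarchy wins, and ReadOnly rejects every verb except reads (which is why POST actions such as listing storage keys or starting a VM are blocked). The Python below is an added illustration, not code from the article or from Resource Manager, that encodes those rules and evaluates a few constructed requests against a constructed set of locks. The subscription ID, resource names and role-assignment GUID are placeholders.

```python
from typing import List, Optional, Tuple
from urllib.parse import urlparse

CONTROL_PLANE_HOST = "management.azure.com"

# Higher rank means more restrictive; the most restrictive inherited lock takes precedence.
LOCK_RANK = {"CanNotDelete": 1, "ReadOnly": 2}

# A lock is a (scope, level) pair; scope is a subscription, resource group or resource ID.
Lock = Tuple[str, str]


def effective_lock(resource_id: str, locks: List[Lock]) -> Optional[str]:
    """Most restrictive lock set on the resource itself or on any parent scope."""
    rid = resource_id.lower()
    best = None
    for scope, level in locks:
        s = scope.lower()
        if rid == s or rid.startswith(s + "/"):
            if best is None or LOCK_RANK[level] > LOCK_RANK[best]:
                best = level
    return best


def is_blocked_by_lock(method: str, url: str, locks: List[Lock]) -> bool:
    """Decide whether a management lock blocks this request.

    Only control plane requests (to management.azure.com) are subject to locks.
    CanNotDelete blocks DELETE only. ReadOnly blocks everything except reads, so
    POST actions such as listKeys or a VM start are rejected under it.
    """
    parsed = urlparse(url)
    if (parsed.hostname or "").lower() != CONTROL_PLANE_HOST:
        return False                      # data plane: the lock never applies
    level = effective_lock(parsed.path.rstrip("/"), locks)
    if level is None:
        return False
    verb = method.upper()
    if level == "CanNotDelete":
        return verb == "DELETE"
    return verb not in ("GET", "HEAD")    # ReadOnly


# Constructed sample: a cannot-delete lock on a resource group and a read-only lock on one
# storage account inside it. Subscription ID and role-assignment GUID are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/example-rg"
STORAGE = RG + "/providers/Microsoft.Storage/storageAccounts/examplestorage"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/example-vm"
SAMPLE_LOCKS: List[Lock] = [(RG, "CanNotDelete"), (STORAGE, "ReadOnly")]

ARM = "https://" + CONTROL_PLANE_HOST
ROLE_ASSIGNMENT = STORAGE + "/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000001"

SAMPLE_REQUESTS = [
    ("DELETE", ARM + VM),                   # blocked: CanNotDelete inherited from the resource group
    ("PATCH",  ARM + VM),                   # allowed: CanNotDelete still permits modification
    ("POST",   ARM + STORAGE + "/listKeys"),  # blocked: ReadOnly rejects the POST used to list keys
    ("GET",    ARM + STORAGE),              # allowed: reads pass a ReadOnly lock
    ("PUT",    ARM + ROLE_ASSIGNMENT),      # blocked: RBAC assignment scoped to a read-only account
    ("DELETE", "https://examplestorage.blob.core.windows.net/container/blob.txt"),  # allowed: data plane
]


def evaluate(requests: List[Tuple[str, str]], locks: List[Lock]) -> List[bool]:
    """True for each request that the locks would block."""
    return [is_blocked_by_lock(m, u, locks) for m, u in requests]


if __name__ == "__main__":
    for (method, url), blocked in zip(SAMPLE_REQUESTS, evaluate(SAMPLE_REQUESTS, SAMPLE_LOCKS)):
        print("BLOCKED" if blocked else "allowed", method, url)
```

The last sample request shows the point the article makes about storage: the blob delete goes to the account's own endpoint, so neither lock is consulted, even though the same account is read-only on the control plane.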

Who can create or delete locks


To create or delete management locks, you must have access to Microsoft.Authorization/* or
Microsoft.Authorization/locks/* actions. Of the built-in roles, only Owner and User Access Administrator
are granted those actions.

Managed Applications and locks


Some Azure services, such as Azure Databricks, use managed applications to implement the service. In that case,
the service creates two resource groups. One resource group contains an overview of the service and isn't
locked. The other resource group contains the infrastructure for the service and is locked.
If you try to delete the infrastructure resource group, you get an error stating that the resource group is locked.
If you try to delete the lock for the infrastructure resource group, you get an error stating that the lock can't be
deleted because it's owned by a system application.
Instead, delete the service, which also deletes the infrastructure resource group.
For managed applications, select the service you deployed.

Notice the service includes a link for a Managed Resource Group. That resource group holds the
infrastructure and is locked. It can't be directly deleted.

To delete everything for the service, including the locked infrastructure resource group, select Delete for the
service.
Configure locks
Portal
1. In the Settings blade for the resource, resource group, or subscription that you wish to lock, select Locks.

2. To add a lock, select Add. If you want to create a lock at a parent level, select the parent. The currently
selected resource inherits the lock from the parent. For example, you could lock the resource group to
apply a lock to all its resources.

3. Give the lock a name and lock level. Optionally, you can add notes that describe the lock.

4. To delete the lock, select the Delete button.

Template
When using an Azure Resource Manager template (ARM template) or Bicep file to deploy a lock, you need to be
aware of the scope of the lock and the scope of the deployment. To apply a lock at the deployment scope, such
as locking a resource group or subscription, don't set the scope property. When locking a resource within the
deployment scope, set the scope property.
The following template applies a lock to the resource group it's deployed to. Notice there isn't a scope property
on the lock resource because the scope of the lock matches the scope of deployment. This template is deployed
at the resource group level.
JSON
Bicep

{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
},
"resources": [
{
"type": "Microsoft.Authorization/locks",
"apiVersion": "2016-09-01",
"name": "rgLock",
"properties": {
"level": "CanNotDelete",
"notes": "Resource group should not be deleted."
}
}
]
}

To create a resource group and lock it, deploy the following template at the subscription level.

JSON
Bicep
{
"$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"rgName": {
"type": "string"
},
"rgLocation": {
"type": "string"
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.Resources/resourceGroups",
"apiVersion": "2021-04-01",
"name": "[parameters('rgName')]",
"location": "[parameters('rgLocation')]",
"properties": {}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2021-04-01",
"name": "lockDeployment",
"resourceGroup": "[parameters('rgName')]",
"dependsOn": [
"[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]"
],
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.Authorization/locks",
"apiVersion": "2016-09-01",
"name": "rgLock",
"properties": {
"level": "CanNotDelete",
"notes": "Resource group and its resources should not be deleted."
}
}
],
"outputs": {}
}
}
}
],
"outputs": {}
}

When applying a lock to a resource within the resource group, add the scope property. Set scope to the name
of the resource to lock.
The following example shows a template that creates an app service plan, a website, and a lock on the website.
The scope of the lock is set to the website.

JSON
Bicep
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"hostingPlanName": {
"type": "string"
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]"
}
},
"variables": {
"siteName": "[concat('ExampleSite', uniqueString(resourceGroup().id))]"
},
"resources": [
{
"type": "Microsoft.Web/serverfarms",
"apiVersion": "2020-12-01",
"name": "[parameters('hostingPlanName')]",
"location": "[parameters('location')]",
"sku": {
"tier": "Free",
"name": "f1",
"capacity": 0
},
"properties": {
"targetWorkerCount": 1
}
},
{
"type": "Microsoft.Web/sites",
"apiVersion": "2020-12-01",
"name": "[variables('siteName')]",
"location": "[parameters('location')]",
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', parameters('hostingPlanName'))]"
],
"properties": {
"serverFarmId": "[parameters('hostingPlanName')]"
}
},
{
"type": "Microsoft.Authorization/locks",
"apiVersion": "2016-09-01",
"name": "siteLock",
"scope": "[concat('Microsoft.Web/sites/', variables('siteName'))]",
"dependsOn": [
"[resourceId('Microsoft.Web/sites', variables('siteName'))]"
],
"properties": {
"level": "CanNotDelete",
"notes": "Site should not be deleted."
}
}
]
}

Azure PowerShell
You lock deployed resources with Azure PowerShell by using the New-AzResourceLock command.
To lock a resource, provide the name of the resource, its resource type, and its resource group name.

New-AzResourceLock -LockLevel CanNotDelete -LockName LockSite -ResourceName examplesite -ResourceType Microsoft.Web/sites -ResourceGroupName exampleresourcegroup

To lock a resource group, provide the name of the resource group.

New-AzResourceLock -LockName LockGroup -LockLevel CanNotDelete -ResourceGroupName exampleresourcegroup

To get information about a lock, use Get-AzResourceLock. To get all the locks in your subscription, use:

Get-AzResourceLock

To get all locks for a resource, use:

Get-AzResourceLock -ResourceName examplesite -ResourceType Microsoft.Web/sites -ResourceGroupName exampleresourcegroup

To get all locks for a resource group, use:

Get-AzResourceLock -ResourceGroupName exampleresourcegroup

To delete a lock for a resource, use:

$lockId = (Get-AzResourceLock -ResourceGroupName exampleresourcegroup -ResourceName examplesite -ResourceType Microsoft.Web/sites).LockId
Remove-AzResourceLock -LockId $lockId

To delete a lock for a resource group, use:

$lockId = (Get-AzResourceLock -ResourceGroupName exampleresourcegroup).LockId
Remove-AzResourceLock -LockId $lockId

Azure CLI
You lock deployed resources with Azure CLI by using the az lock create command.
To lock a resource, provide the name of the resource, its resource type, and its resource group name.

az lock create --name LockSite --lock-type CanNotDelete --resource-group exampleresourcegroup --resource-name examplesite --resource-type Microsoft.Web/sites

To lock a resource group, provide the name of the resource group.

az lock create --name LockGroup --lock-type CanNotDelete --resource-group exampleresourcegroup

To get information about a lock, use az lock list. To get all the locks in your subscription, use:

az lock list

To get all locks for a resource, use:


az lock list --resource-group exampleresourcegroup --resource-name examplesite --namespace Microsoft.Web --resource-type sites --parent ""

To get all locks for a resource group, use:

az lock list --resource-group exampleresourcegroup

To delete a lock for a resource, use:

lockid=$(az lock show --name LockSite --resource-group exampleresourcegroup --resource-type Microsoft.Web/sites --resource-name examplesite --output tsv --query id)
az lock delete --ids $lockid

To delete a lock for a resource group, use:

lockid=$(az lock show --name LockGroup --resource-group exampleresourcegroup --output tsv --query id)
az lock delete --ids $lockid

REST API
You can lock deployed resources with the REST API for management locks. The REST API enables you to create
and delete locks, and retrieve information about existing locks.
To create a lock, run:

PUT https://management.azure.com/{scope}/providers/Microsoft.Authorization/locks/{lock-name}?api-version={api-version}

The scope could be a subscription, resource group, or resource. The lock-name is whatever you want to call the
lock. For api-version, use 2016-09-01 .
In the request, include a JSON object that specifies the properties for the lock.

{
"properties": {
"level": "CanNotDelete",
"notes": "Optional text notes."
}
}

Next steps
To learn about logically organizing your resources, see Using tags to organize your resources.
You can apply restrictions and conventions across your subscription with customized policies. For more
information, see What is Azure Policy?.
For guidance on how enterprises can use Resource Manager to effectively manage subscriptions, see Azure
enterprise scaffold - prescriptive subscription governance.
Authenticate requests across tenants
2/23/2022 • 2 minutes to read

When creating a multi-tenant application, you may need to handle authentication requests for resources that are
in different tenants. A common scenario is when a virtual machine in one tenant must join a virtual network in
another tenant. Azure Resource Manager provides a header value for storing auxiliary tokens to authenticate the
requests to different tenants.

Header values for authentication


The request has the following authentication header values:

Header name                    Description        Example value
Authorization                  Primary token      Bearer <primary-token>
x-ms-authorization-auxiliary   Auxiliary tokens   Bearer <auxiliary-token1>, EncryptedBearer <auxiliary-token2>, Bearer <auxiliary-token3>

The auxiliary header can hold up to three auxiliary tokens.


In the code of your multi-tenant app, get the authentication token for other tenants and store them in the
auxiliary headers. All the tokens must be from the same user or application. The user or application must have
been invited as a guest to the other tenants.

Processing the request


When your app sends a request to Resource Manager, the request is run under the identity from the primary
token. The primary token must be valid and unexpired. This token must be from a tenant that can manage the
subscription.
When the request references a resource from a different tenant, Resource Manager checks the auxiliary tokens to
determine if the request can be processed. All auxiliary tokens in the header must be valid and unexpired. If any
token is expired, Resource Manager returns a 401 response code. The response includes the client ID and tenant
ID from the token that isn't valid. If the auxiliary header contains a valid token for the tenant, the cross-tenant
request is processed.

Next steps
To learn about authentication requests, see Authentication flows and application scenarios.
For more information about tokens, see Azure Active Directory access tokens.
Throttling Resource Manager requests
2/23/2022 • 6 minutes to read

This article describes how Azure Resource Manager throttles requests. It shows you how to track the number of
requests that remain before reaching the limit, and how to respond when you've reached the limit.
Throttling happens at two levels. Azure Resource Manager throttles requests for the subscription and tenant. If
the request is under the throttling limits for the subscription and tenant, Resource Manager routes the request
to the resource provider. The resource provider applies throttling limits that are tailored to its operations. The
following image shows how throttling is applied as a request goes from the user to Azure Resource Manager
and the resource provider.

Subscription and tenant limits


Every subscription-level and tenant-level operation is subject to throttling limits. Subscription requests are ones
that involve passing your subscription ID, such as retrieving the resource groups in your subscription. Tenant
requests don't include your subscription ID, such as retrieving valid Azure locations.
The default throttling limits per hour are shown in the following table.

SCOPE          OPERATIONS   LIMIT
Subscription   reads        12000
Subscription   deletes      15000
Subscription   writes       1200
Tenant         reads        12000
Tenant         writes       1200

These limits are scoped to the security principal (user or application) making the requests and the subscription
ID or tenant ID. If your requests come from more than one security principal, your limit across the subscription
or tenant is greater than 12,000 and 1,200 per hour.
These limits apply to each Azure Resource Manager instance. There are multiple instances in every Azure region,
and Azure Resource Manager is deployed to all Azure regions. So, in practice, the limits are higher than these
limits. The requests from a user are usually handled by different instances of Azure Resource Manager.
The remaining requests are returned in the response header values.

Resource provider limits


Resource providers apply their own throttling limits. Because Resource Manager throttles by principal ID and by
instance of Resource Manager, the resource provider might receive more requests than the default limits in the
previous section.
This section discusses the throttling limits of some widely used resource providers.
Storage throttling
The following limits apply only when you perform management operations by using Azure Resource Manager
with Azure Storage.

RESOURCE                                          LIMIT
Storage account management operations (read)      800 per 5 minutes
Storage account management operations (write)     10 per second / 1200 per hour
Storage account management operations (list)      100 per 5 minutes

Network throttling
The Microsoft.Network resource provider applies the following throttle limits:

OPERATION              LIMIT
write / delete (PUT)   1000 per 5 minutes
read (GET)             10000 per 5 minutes

NOTE
Azure DNS and Azure Private DNS have a throttle limit of 500 read (GET) operations per 5 minutes.

Compute throttling
For information about throttling limits for compute operations, see Troubleshooting API throttling errors -
Compute.
For checking virtual machine instances within a virtual machine scale set, use the Virtual Machine Scale Sets
operations. For example, use the Virtual Machine Scale Set VMs - List with parameters to check the power state
of virtual machine instances. This API reduces the number of requests.
Azure Resource Graph throttling
Azure Resource Graph limits the number of requests to its operations. The steps in this article to determine the
remaining requests and how to respond when the limit is reached also apply to Resource Graph. However,
Resource Graph sets its own limit and reset rate. For more information, see Resource Graph throttling headers.
Other resource providers
For information about throttling in other resource providers, see:
Azure Key Vault throttling guidance
AKS troubleshooting

Error code
When you reach the limit, you receive the HTTP status code 429 Too many requests. The response includes a
Retry-After value, which specifies the number of seconds your application should wait (or sleep) before
sending the next request. If you send a request before the retry value has elapsed, your request isn't processed
and a new retry value is returned.
After waiting for the specified time, you can also close and reopen your connection to Azure. By resetting the
connection, you may connect to a different instance of Azure Resource Manager.
If you're using an Azure SDK, the SDK may have an auto retry configuration. For more information, see Retry
guidance for Azure services.
Some resource providers return 429 to report a temporary problem. The problem could be an overload
condition that isn't directly caused by your request. Or, it could represent a temporary error about the state of
the target resource or a dependent resource. For example, the network resource provider returns 429 with the
RetryableErrorDueToAnotherOperation error code when the target resource is locked by another operation.
To determine if the error comes from throttling or a temporary condition, view the error details in the response.

Remaining requests
You can determine the number of remaining requests by examining response headers. Read requests return a
value in the header for the number of remaining read requests. Write requests include a value for the number of
remaining write requests. The following table describes the response headers you can examine for those values:

RESPONSE HEADER / DESCRIPTION

x-ms-ratelimit-remaining-subscription-deletes
    Subscription scoped deletes remaining. This value is returned on delete operations.

x-ms-ratelimit-remaining-subscription-reads
    Subscription scoped reads remaining. This value is returned on read operations.

x-ms-ratelimit-remaining-subscription-writes
    Subscription scoped writes remaining. This value is returned on write operations.

x-ms-ratelimit-remaining-tenant-reads
    Tenant scoped reads remaining.

x-ms-ratelimit-remaining-tenant-writes
    Tenant scoped writes remaining.

x-ms-ratelimit-remaining-subscription-resource-requests
    Subscription scoped resource type requests remaining. This header value is only returned if a service has
    overridden the default limit. Resource Manager adds this value instead of the subscription reads or writes.

x-ms-ratelimit-remaining-subscription-resource-entities-read
    Subscription scoped resource type collection requests remaining. This header value is only returned if a
    service has overridden the default limit. This value provides the number of remaining collection requests
    (list resources).

x-ms-ratelimit-remaining-tenant-resource-requests
    Tenant scoped resource type requests remaining. This header is only added for requests at tenant level, and
    only if a service has overridden the default limit. Resource Manager adds this value instead of the tenant
    reads or writes.

x-ms-ratelimit-remaining-tenant-resource-entities-read
    Tenant scoped resource type collection requests remaining. This header is only added for requests at tenant
    level, and only if a service has overridden the default limit.

The resource provider can also return response headers with information about remaining requests. For
information about response headers returned by the Compute resource provider, see Call rate informational
response headers.
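A throttling-aware request loop, added here as an example and not code from the Azure documentation: it reads the x-ms-ratelimit-remaining-* headers listed above, waits the latest Retry-After after each 429, and separates a true throttle from the network provider's RetryableErrorDueToAnotherOperation case by looking at the error details. The HTTP transport and the response bodies are constructed so it runs offline, and "placeholder-code" is not a real Azure error code.

```python
import json
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# The remaining-request headers Resource Manager may return (see the table above).
RATELIMIT_HEADERS = (
    "x-ms-ratelimit-remaining-subscription-reads",
    "x-ms-ratelimit-remaining-subscription-writes",
    "x-ms-ratelimit-remaining-subscription-deletes",
    "x-ms-ratelimit-remaining-tenant-reads",
    "x-ms-ratelimit-remaining-tenant-writes",
    "x-ms-ratelimit-remaining-subscription-resource-requests",
    "x-ms-ratelimit-remaining-subscription-resource-entities-read",
    "x-ms-ratelimit-remaining-tenant-resource-requests",
    "x-ms-ratelimit-remaining-tenant-resource-entities-read",
)


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""

    def header(self, name: str) -> Optional[str]:
        """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def remaining_requests(response: Response) -> Dict[str, int]:
    """Collect every x-ms-ratelimit-remaining-* header present, as integers."""
    found: Dict[str, int] = {}
    for name in RATELIMIT_HEADERS:
        value = response.header(name)
        if value is not None:
            found[name] = int(value)
    return found


def classify_429(response: Response) -> str:
    """Tell throttling apart from a provider's transient-error 429 via the error code in the body."""
    try:
        code = json.loads(response.body)["error"]["code"]
    except (ValueError, KeyError, TypeError):
        return "throttled"
    return "transient" if code == "RetryableErrorDueToAnotherOperation" else "throttled"


def send_with_retry(send: Callable[[], Response], max_attempts: int = 5,
                    sleep: Callable[[int], None] = time.sleep) -> Response:
    """Send a request, sleeping Retry-After seconds after every 429 before resending."""
    last: Optional[Response] = None
    for _ in range(max_attempts):
        resp = send()
        if resp.status != 429:
            return resp
        last = resp
        # Retrying early just yields a fresh Retry-After, so always wait the latest value
        # (assumption: 1 second when the header is missing).
        sleep(int(resp.header("Retry-After") or "1"))
    raise RuntimeError("still throttled after %d attempts: %s" % (max_attempts, last.body if last else ""))


def scripted_transport(script: List[Response]) -> Callable[[], Response]:
    """Constructed stand-in for an HTTP client: hands back the scripted replies in order."""
    replies = iter(script)
    return lambda: next(replies)


def demo() -> dict:
    """Run the retry loop against constructed responses and report what happened."""
    waits: List[int] = []
    script = [
        Response(429, {"Retry-After": "5"},
                 '{"error":{"code":"placeholder-code","message":"constructed throttle reply"}}'),
        Response(429, {"Retry-After": "2"},
                 '{"error":{"code":"RetryableErrorDueToAnotherOperation","message":"constructed"}}'),
        Response(200, {"x-ms-ratelimit-remaining-subscription-reads": "11998",
                       "Content-Type": "application/json"}, "[]"),
    ]
    final = send_with_retry(scripted_transport(script), sleep=waits.append)
    return {
        "status": final.status,
        "waits": waits,
        "remaining": remaining_requests(final),
        "kinds": [classify_429(r) for r in script if r.status == 429],
    }


if __name__ == "__main__":
    print(demo())
```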

Retrieving the header values


Retrieving these header values in your code or script is no different than retrieving any header value.
For example, in C#, you retrieve the header value from an HttpWebResponse object named response with
the following code:

response.Headers.GetValues("x-ms-ratelimit-remaining-subscription-reads").GetValue(0)

In PowerShell, you retrieve the header value from an Invoke-WebRequest operation.

$r = Invoke-WebRequest -Uri https://management.azure.com/subscriptions/{guid}/resourcegroups?api-version=2016-09-01 -Method GET -Headers $authHeaders
$r.Headers["x-ms-ratelimit-remaining-subscription-reads"]

For a complete PowerShell example, see Check Resource Manager Limits for a Subscription.
If you want to see the remaining requests for debugging, you can provide the -Debug parameter on your
PowerShell cmdlet.

Get-AzResourceGroup -Debug

Which returns many values, including the following response value:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Pragma : no-cache
x-ms-ratelimit-remaining-subscription-reads: 11999

To get write limits, use a write operation:

New-AzResourceGroup -Name myresourcegroup -Location westus -Debug


Which returns many values, including the following values:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
Created

Headers:
Pragma : no-cache
x-ms-ratelimit-remaining-subscription-writes: 1199

In Azure CLI , you retrieve the header value by using the more verbose option.

az group list --verbose --debug

Which returns many values, including the following values:

msrest.http_logger : Response status: 200
msrest.http_logger : Response headers:
msrest.http_logger : 'Cache-Control': 'no-cache'
msrest.http_logger : 'Pragma': 'no-cache'
msrest.http_logger : 'Content-Type': 'application/json; charset=utf-8'
msrest.http_logger : 'Content-Encoding': 'gzip'
msrest.http_logger : 'Expires': '-1'
msrest.http_logger : 'Vary': 'Accept-Encoding'
msrest.http_logger : 'x-ms-ratelimit-remaining-subscription-reads': '11998'

To get write limits, use a write operation:

az group create -n myresourcegroup --location westus --verbose --debug

Which returns many values, including the following values:

msrest.http_logger : Response status: 201
msrest.http_logger : Response headers:
msrest.http_logger : 'Cache-Control': 'no-cache'
msrest.http_logger : 'Pragma': 'no-cache'
msrest.http_logger : 'Content-Length': '163'
msrest.http_logger : 'Content-Type': 'application/json; charset=utf-8'
msrest.http_logger : 'Expires': '-1'
msrest.http_logger : 'x-ms-ratelimit-remaining-subscription-writes': '1199'

Next steps
For a complete PowerShell example, see Check Resource Manager Limits for a Subscription.
For more information about limits and quotas, see Azure subscription and service limits, quotas, and
constraints.
To learn about handling asynchronous REST requests, see Track asynchronous Azure operations.
Track asynchronous Azure operations
2/23/2022 • 4 minutes to read

Some Azure REST operations run asynchronously because the operation can't be completed quickly. This article
describes how to track the status of asynchronous operations through values returned in the response.

Status codes for asynchronous operations


An asynchronous operation initially returns an HTTP status code of either:
201 (Created)
202 (Accepted)
However, that status code doesn't necessarily mean the operation is asynchronous. An asynchronous operation
also returns a value for provisioningState that indicates the operation hasn't finished. The value can vary by
operation but won't include Succeeded , Failed , or Canceled . Those three values indicate the operation has
finished. If no value is returned for provisioningState , the operation has finished and succeeded.
When the operation successfully completes, it returns either:
200 (OK)
204 (No Content)
Refer to the REST API documentation to see the responses for the operation you're executing.
After getting the 201 or 202 response code, you're ready to monitor the status of the operation.

URL to monitor status


There are two different ways to monitor the status of the asynchronous operation. You determine the correct
approach by examining the header values that are returned from your original request. First, look for:
Azure-AsyncOperation - URL for checking the ongoing status of the operation. If your operation returns this
value, use it to track the status of the operation.
Retry-After - The number of seconds to wait before checking the status of the asynchronous operation.

If Azure-AsyncOperation isn't one of the header values, then look for:
Location - URL for determining when an operation has completed. Use this value only when Azure-
AsyncOperation isn't returned.
Retry-After - The number of seconds to wait before checking the status of the asynchronous operation.

Azure-AsyncOperation request and response


If you have a URL from the Azure-AsyncOperation header value, send a GET request to that URL. Use the value
from Retry-After to schedule how often to check the status. You'll get a response object that indicates the
status of the operation. A different response is returned when checking the status of the operation with the
Location URL. For more information about the response from a location URL, see Create storage account (202
with Location and Retry-After).
The response properties can vary but always include the status of the asynchronous operation.

{
  "status": "{status-value}"
}

The following example shows other values that might be returned from the operation:

{
  "id": "{resource path from GET operation}",
  "name": "{operation-id}",
  "status" : "Succeeded | Failed | Canceled | {resource provider values}",
  "startTime": "2017-01-06T20:56:36.002812+00:00",
  "endTime": "2017-01-06T20:56:56.002812+00:00",
  "percentComplete": {double between 0 and 100 },
  "properties": {
    /* Specific resource provider values for successful operations */
  },
  "error" : {
    "code": "{error code}",
    "message": "{error description}"
  }
}

The error object is returned when the status is Failed or Canceled. All other values are optional. The response
you receive may look different than the example.

provisioningState values
Operations that create, update, or delete (PUT, PATCH, DELETE) a resource typically return a provisioningState
value. When an operation has completed, one of following three values is returned:
Succeeded
Failed
Canceled
All other values indicate the operation is still running. The resource provider can return a customized value that
indicates its state. For example, you may receive Accepted when the request is received and running.

Example requests and responses


Start virtual machine (202 with Azure-AsyncOperation)
This example shows how to determine the status of the start operation for virtual machines. The initial request is in
the following format:

POST https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.Compute/virtualMachines/{vm-name}/start?api-version=2019-12-01

It returns status code 202. Among the header values, you see:

Azure-AsyncOperation : https://management.azure.com/subscriptions/{subscription-id}/providers/Microsoft.Compute/locations/{region}/operations/{operation-id}?api-version=2019-12-01

To check the status of the asynchronous operation, send another request to that URL.

GET https://management.azure.com/subscriptions/{subscription-id}/providers/Microsoft.Compute/locations/{region}/operations/{operation-id}?api-version=2019-12-01

The response body contains the status of the operation:

{
  "startTime": "2017-01-06T18:58:24.7596323+00:00",
  "status": "InProgress",
  "name": "9a062a88-e463-4697-bef2-fe039df73a02"
}

Deploy resources (201 with Azure-AsyncOperation)

This example shows how to determine the status of a deployments operation for deploying resources to Azure.
The initial request is in the following format:

PUT https://management.azure.com/subscriptions/{subscription-id}/resourcegroups/{resource-group}/providers/microsoft.resources/deployments/{deployment-name}?api-version=2020-06-01

It returns status code 201. The body of the response includes:

"provisioningState":"Accepted",

Among the header values, you see:

Azure-AsyncOperation: https://management.azure.com/subscriptions/{subscription-id}/resourcegroups/{resource-group}/providers/Microsoft.Resources/deployments/{deployment-name}/operationStatuses/{operation-id}?api-version=2020-06-01

To check the status of the asynchronous operation, send another request to that URL.

GET https://management.azure.com/subscriptions/{subscription-id}/resourcegroups/{resource-group}/providers/Microsoft.Resources/deployments/{deployment-name}/operationStatuses/{operation-id}?api-version=2020-06-01

The response body contains the status of the operation:

{
  "status": "Running"
}

When the deployment is finished, the response contains:

{
  "status": "Succeeded"
}

Create storage account (202 with Location and Retry-After)

This example shows how to determine the status of the create operation for storage accounts. The initial request
is in the following format:

PUT https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.Storage/storageAccounts/{storage-name}?api-version=2019-06-01

And the request body contains properties for the storage account:

{
  "location": "South Central US",
  "properties": {},
  "sku": {
    "name": "Standard_LRS"
  },
  "kind": "Storage"
}

It returns status code 202. Among the header values, you see the following two values:

Location: https://management.azure.com/subscriptions/{subscription-id}/providers/Microsoft.Storage/operations/{operation-id}?monitor=true&api-version=2019-06-01
Retry-After: 17

After waiting for the number of seconds specified in Retry-After, check the status of the asynchronous operation by
sending another request to that URL.

GET https://management.azure.com/subscriptions/{subscription-id}/providers/Microsoft.Storage/operations/{operation-id}?monitor=true&api-version=2019-06-01

If the request is still running, you receive a status code 202. If the request has completed, you receive a status
code 200. The body of the response contains the properties of the storage account that was created.
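A polling routine that applies the rules from this article, added as an example and not part of the Azure documentation: it prefers Azure-AsyncOperation over Location, waits the most recent Retry-After between polls, and stops on Succeeded, Failed or Canceled (for a Location URL, on the first reply that is not 202). The URLs and operation ids are placeholders, the default wait used when Retry-After is absent is an assumption, and the HTTP transport is a scripted stand-in so the two scenarios below (VM start, storage account create) run offline.

```python
import json
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

TERMINAL_STATES = {"Succeeded", "Failed", "Canceled"}
DEFAULT_WAIT_SECONDS = 5  # assumption: only used when no Retry-After header is present


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""

    def header(self, name: str) -> Optional[str]:
        """Case-insensitive header lookup."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None

    def json(self) -> dict:
        return json.loads(self.body) if self.body else {}


def provisioning_state(body: dict) -> Optional[str]:
    """provisioningState appears at the top level or under 'properties', depending on the resource."""
    return body.get("provisioningState") or body.get("properties", {}).get("provisioningState")


def monitor_target(initial: Response) -> Tuple[Optional[str], Optional[str]]:
    """Prefer Azure-AsyncOperation; fall back to Location only when that header is absent."""
    for name in ("Azure-AsyncOperation", "Location"):
        url = initial.header(name)
        if url:
            return name, url
    return None, None


def needs_polling(initial: Response) -> bool:
    """201/202 alone is not conclusive: keep polling only if a monitor URL exists and
    provisioningState (when present) is not one of the three terminal values."""
    if initial.status not in (201, 202):
        return False
    if provisioning_state(initial.json()) in TERMINAL_STATES:
        return False
    return monitor_target(initial)[0] is not None


def track(initial: Response, get: Callable[[str], Response], sleep: Callable[[int], None]) -> dict:
    """Poll until the operation finishes; returns the final state and how many polls it took."""
    if not needs_polling(initial):
        return {"status": provisioning_state(initial.json()) or "Succeeded", "polls": 0}
    mode, url = monitor_target(initial)
    latest, polls = initial, 0
    while True:
        # Always honour the most recent Retry-After; it can change from poll to poll.
        sleep(int(latest.header("Retry-After") or DEFAULT_WAIT_SECONDS))
        latest = get(url)
        polls += 1
        if mode == "Azure-AsyncOperation":
            body = latest.json()  # {"status": ...} plus optional error/percentComplete
            if body.get("status") in TERMINAL_STATES:
                return {"status": body["status"], "polls": polls, "error": body.get("error")}
        elif latest.status != 202:  # Location URL: 202 = still running, 200 = done (body is the resource)
            return {"status": "Succeeded" if latest.status == 200 else "HTTP %d" % latest.status,
                    "polls": polls, "http": latest.status}


def scripted_get(replies: Dict[str, List[Response]]) -> Callable[[str], Response]:
    """Constructed transport: each URL yields its scripted replies in order."""
    return lambda url: replies[url].pop(0)


def demo_vm_start() -> dict:
    """VM start: 202 with Azure-AsyncOperation, then InProgress, then Succeeded."""
    op = ("https://management.azure.com/subscriptions/{subscription-id}/providers/Microsoft.Compute"
          "/locations/{region}/operations/{operation-id}?api-version=2019-12-01")
    initial = Response(202, {"Azure-AsyncOperation": op, "Retry-After": "3"})
    replies = {op: [Response(200, {"Retry-After": "10"}, '{"status": "InProgress", "name": "{operation-id}"}'),
                    Response(200, {}, '{"status": "Succeeded", "name": "{operation-id}"}')]}
    waits: List[int] = []
    result = track(initial, scripted_get(replies), waits.append)
    result["waits"] = waits
    return result


def demo_storage_create() -> dict:
    """Storage account: 202 with Location and Retry-After 17, then 202 again, then 200."""
    loc = ("https://management.azure.com/subscriptions/{subscription-id}/providers/Microsoft.Storage"
           "/operations/{operation-id}?monitor=true&api-version=2019-06-01")
    initial = Response(202, {"Location": loc, "Retry-After": "17"})
    replies = {loc: [Response(202, {"Location": loc, "Retry-After": "17"}),
                     Response(200, {}, '{"name": "{storage-name}", "properties": {"provisioningState": "Succeeded"}}')]}
    waits: List[int] = []
    result = track(initial, scripted_get(replies), waits.append)
    result["waits"] = waits
    return result


if __name__ == "__main__":
    print(demo_vm_start())
    print(demo_storage_create())
```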

Next steps
For documentation about each REST operation, see REST API documentation.
For information about deploying templates through the Resource Manager REST API, see Deploy resources
with Resource Manager templates and Resource Manager REST API.
Azure Resource Manager metrics in Azure Monitor
2/23/2022 • 4 minutes to read

When you create and manage resources in Azure, your requests are orchestrated through Azure's control plane,
Azure Resource Manager. This article describes how to monitor the volume and latency of control plane requests
made to Azure.
With these metrics, you can observe traffic and latency for control plane requests throughout your
subscriptions. For example, you can now figure out when your requests have been throttled or failed by filtering
for specific status codes. We've dug into this below in examining throttled requests and examining server errors.
The metrics are available for up to three months (93 days) and only track synchronous requests. For a scenario
like a VM creation, the metrics do not represent the performance or reliability of the long running asynchronous
operation.

Accessing Azure Resource Manager metrics


You can access control plane metrics via the Azure Monitor REST APIs, SDKs, and the Azure portal (by selecting
the "Azure Resource Manager" metric). For an overview on Azure Monitor, see Azure Monitor Metrics.
There is no opt-in or sign-up process to access control plane metrics.
For guidance on how to retrieve a bearer token and make requests to Azure, see Azure REST API reference.

Metric definition
The definition for Azure Resource Manager metrics in Azure Monitor is only accessible through the 2017-12-01-preview
API version. To retrieve the definition, you can run the following snippet, with your subscription ID
replacing "00000000-0000-0000-0000-000000000000":

curl --location --request GET 'https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/microsoft.insights/metricDefinitions?api-version=2017-12-01-preview&metricnamespace=microsoft.resources/subscriptions' \
--header 'Authorization: bearer {{bearerToken}}'

This will return the definition for the metrics schema. Notably, this schema includes the dimensions you can
filter on with the Monitor API:

DIMENSION NAME / DESCRIPTION

ResourceUri
    The full Resource ID for a particular resource.

RequestRegion
    The Azure Resource Manager region where your control plane requests land, like "EastUS2". This region is
    not the resource's location.

StatusCode
    Response type from Azure Resource Manager for your control plane request. Possible values are (but not
    limited to):
    - 0
    - 200
    - 201
    - 400
    - 404
    - 429
    - 500
    - 502

StatusCodeClass
    The class for the status code returned from Azure Resource Manager. Possible values are:
    - 2xx
    - 4xx
    - 5xx

Namespace
    The namespace for the Resource Provider, in all caps, like "MICROSOFT.COMPUTE"

ResourceType
    Any resource type in Azure that you have created or sent a request to, in all caps, like "VIRTUALMACHINES"

Method
    The HTTP method used in the request made to Azure Resource Manager. Possible values are:
    - GET
    - HEAD
    - PUT
    - POST
    - PATCH
    - DELETE

Examples
Now, let's look at some scenarios that can help you explore Azure Resource Manager metrics.
Query traffic and latency control plane metrics via Azure portal
First, navigate to the Azure Monitor blade within the portal.
After selecting Explore Metrics, select a single subscription and then select the Azure Resource Manager
metric.
Then, after selecting Apply, you can visualize your Traffic or Latency control plane metrics with custom filtering
and splitting.
Query traffic and latency control plane metrics via REST API
After you are authenticated with Azure, you can make a request to retrieve control plane metrics for your
subscription. In the script shared below, please replace "00000000-0000-0000-0000-000000000000" with your
subscription ID.
The request below will retrieve the average request latency (in seconds) and the total request count for the 2 day
timespan, broken down by 1 day intervals:

curl --location --request GET "https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/microsoft.insights/metrics?api-version=2021-05-01&interval=P1D&metricnames=Latency&metricnamespace=microsoft.resources/subscriptions&region=global&aggregation=average,count&timespan=2021-11-01T00:00:00Z/2021-11-03T00:00:00Z" \
--header "Authorization: bearer {{bearerToken}}"

In the case of Azure Resource Manager metrics, you can retrieve the traffic count by using the Latency metric
and including the 'count' aggregation. You'll see the JSON response for the request below:

{
  "cost": 5758,
  "timespan": "2021-11-01T00:00:00Z/2021-11-03T00:00:00Z",
  "interval": "P1D",
  "value": [
    {
      "id": "subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Insights/metrics/Latency",
      "type": "Microsoft.Insights/metrics",
      "name": {
        "value": "Latency",
        "localizedValue": "Latency"
      },
      "displayDescription": "Latency data for all requests to Azure Resource Manager",
      "unit": "Seconds",
      "timeseries": [
        {
          "metadatavalues": [],
          "data": [
            {
              "timeStamp": "2021-11-01T00:00:00Z",
              "count": 1406.0,
              "average": 0.19345163584637273
            },
            {
              "timeStamp": "2021-11-02T00:00:00Z",
              "count": 1517.0,
              "average": 0.28294792353328935
            }
          ]
        }
      ],
      "errorCode": "Success"
    }
  ],
  "namespace": "microsoft.resources/subscriptions",
  "resourceregion": "global"
}

If you want to retrieve only the traffic count, then you can utilize the Traffic metric with the 'count' aggregation:

curl --location --request GET 'https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/microsoft.insights/metrics?api-version=2021-05-01&interval=P1D&metricnames=Traffic&metricnamespace=microsoft.resources/subscriptions&region=global&aggregation=count&timespan=2021-11-01T00:00:00Z/2021-11-03T00:00:00Z' \
--header 'Authorization: bearer {{bearerToken}}'

The response for the request is:


{
  "cost": 2879,
  "timespan": "2021-11-01T00:00:00Z/2021-11-03T00:00:00Z",
  "interval": "P1D",
  "value": [
    {
      "id": "subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Insights/metrics/Traffic",
      "type": "Microsoft.Insights/metrics",
      "name": {
        "value": "Traffic",
        "localizedValue": "Traffic"
      },
      "displayDescription": "Traffic data for all requests to Azure Resource Manager",
      "unit": "Count",
      "timeseries": [
        {
          "metadatavalues": [],
          "data": [
            {
              "timeStamp": "2021-11-01T00:00:00Z",
              "count": 1406.0
            },
            {
              "timeStamp": "2021-11-02T00:00:00Z",
              "count": 1517.0
            }
          ]
        }
      ],
      "errorCode": "Success"
    }
  ],
  "namespace": "microsoft.resources/subscriptions",
  "resourceregion": "global"
}

For the metrics supporting dimensions, you need to specify the dimension value to see the corresponding
metrics values. For example, if you want to focus on the Latency for successful requests to ARM, you need to
filter the StatusCodeClass dimension with 2XX .
If you want to look at the number of requests made in your subscription for Networking resources, like Virtual
Networks and Load Balancers, you would need to filter the Namespace dimension for
MICROSOFT.NETWORK .
Examining Throttled Requests
To view only your throttled requests, you need to filter for 429 status code responses only. For REST API calls,
filtering is accomplished via the $filter property and the StatusCode dimension by appending:
$filter=StatusCode eq '429' as seen at the end of the request in the following snippet:

curl --location --request GET 'https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/microsoft.insights/metrics?api-version=2021-05-01&interval=P1D&metricnames=Latency&metricnamespace=microsoft.resources/subscriptions&region=global&aggregation=count,average&timespan=2021-11-01T00:00:00Z/2021-11-03T00:00:00Z&$filter=StatusCode%20eq%20%27429%27' \
--header 'Authorization: bearer {{bearerToken}}'

You can also filter directly in portal:


Examining Server Errors
Similar to looking at throttled requests, you can view all requests that returned a server error response code by
filtering for 5xx responses only. For REST API calls, filtering is accomplished via the $filter property and the
StatusCodeClass dimension by appending $filter=StatusCodeClass eq '5xx', as seen at the end of the request in
the following snippet:

curl --location --request GET 'https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/microsoft.insights/metrics?api-version=2021-05-01&interval=P1D&metricnames=Latency&metricnamespace=microsoft.resources/subscriptions&region=global&aggregation=count,average&timespan=2021-11-01T00:00:00Z/2021-11-03T00:00:00Z&$filter=StatusCodeClass%20eq%20%275xx%27' \
--header 'Authorization: bearer {{bearerToken}}'

You can also accomplish generic server errors filtering within portal by setting the filter property to
'StatusCodeClass' and the value to '5xx', similar to what was done in the throttling example above.
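An added example, not from the Azure documentation, that builds the metrics request URL used in the curl snippets above (including the $filter for throttled requests and for 5xx responses) and summarises a metrics reply: because the API returns a separate average per interval, the overall latency has to be weighted by each interval's count. The embedded reply is the Latency sample from this article, so the function runs offline; {{bearerToken}} is not needed here and the subscription ID remains the placeholder.

```python
import json
from typing import Optional
from urllib.parse import quote, urlencode

ARM_NAMESPACE = "microsoft.resources/subscriptions"
API_VERSION = "2021-05-01"


def metrics_url(subscription_id: str, metric: str, aggregation: str, timespan: str,
                interval: str = "P1D", filter_expr: Optional[str] = None) -> str:
    """Assemble the microsoft.insights/metrics request; filter_expr is the raw $filter text."""
    params = {
        "api-version": API_VERSION,
        "interval": interval,
        "metricnames": metric,
        "metricnamespace": ARM_NAMESPACE,
        "region": "global",
        "aggregation": aggregation,
        "timespan": timespan,
    }
    if filter_expr:
        params["$filter"] = filter_expr  # "StatusCode eq '429'" becomes StatusCode%20eq%20%27429%27
    base = "https://management.azure.com/subscriptions/%s/providers/microsoft.insights/metrics?" % subscription_id
    # quote (not quote_plus) encodes spaces as %20 and quotes as %27, matching the article's curl lines;
    # the safe set keeps ',' '/' ':' and '$' literal, as they appear there.
    return base + urlencode(params, safe=",/:$", quote_via=quote)


def throttled_requests_url(subscription_id: str, timespan: str) -> str:
    """Latency metric restricted to 429 responses; the 'count' aggregation doubles as request count."""
    return metrics_url(subscription_id, "Latency", "count,average", timespan,
                       filter_expr="StatusCode eq '429'")


def server_errors_url(subscription_id: str, timespan: str) -> str:
    """Latency metric restricted to the 5xx status code class."""
    return metrics_url(subscription_id, "Latency", "count,average", timespan,
                       filter_expr="StatusCodeClass eq '5xx'")


def summarize_latency(response: dict) -> dict:
    """Total request count and count-weighted mean latency over every interval in the reply."""
    total = 0.0
    weighted = 0.0
    per_interval = {}
    for series in response["value"][0]["timeseries"]:
        for point in series["data"]:
            n = float(point.get("count", 0.0))
            total += n
            weighted += n * float(point.get("average", 0.0))
            per_interval[point["timeStamp"]] = n
    return {"total": total, "average": weighted / total if total else None,
            "per_interval": per_interval}


# Latency reply taken from this article (two daily intervals), embedded so the example runs offline.
SAMPLE_RESPONSE = json.loads("""{
  "cost": 5758,
  "timespan": "2021-11-01T00:00:00Z/2021-11-03T00:00:00Z",
  "interval": "P1D",
  "value": [{
    "id": "subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Insights/metrics/Latency",
    "type": "Microsoft.Insights/metrics",
    "name": {"value": "Latency", "localizedValue": "Latency"},
    "unit": "Seconds",
    "timeseries": [{
      "metadatavalues": [],
      "data": [
        {"timeStamp": "2021-11-01T00:00:00Z", "count": 1406.0, "average": 0.19345163584637273},
        {"timeStamp": "2021-11-02T00:00:00Z", "count": 1517.0, "average": 0.28294792353328935}
      ]
    }],
    "errorCode": "Success"
  }],
  "namespace": "microsoft.resources/subscriptions",
  "resourceregion": "global"
}""")


if __name__ == "__main__":
    print(throttled_requests_url("00000000-0000-0000-0000-000000000000",
                                 "2021-11-01T00:00:00Z/2021-11-03T00:00:00Z"))
    print(summarize_latency(SAMPLE_RESPONSE))
```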

Next steps
Azure Monitor Overview
Azure Policy built-in definitions for Azure Resource
Manager
2/23/2022 • 14 minutes to read

This page is an index of Azure Policy built-in policy definitions for Azure Resource Manager. For additional Azure
Policy built-ins for other services, see Azure Policy built-in definitions.
The name of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the
Version column to view the source on the Azure Policy GitHub repo.

Azure Resource Manager


NAME VERSIO N
( A ZURE PO RTA L) DESC RIP T IO N EF F EC T ( S) ( GIT HUB)

A maximum of 3 owners It is recommended to AuditIfNotExists, Disabled 3.0.0


should be designated for designate up to 3
your subscription subscription owners in
order to reduce the
potential for breach by a
compromised owner.

Activity log should be This policy audits the AuditIfNotExists, Disabled 1.0.0
retained for at least one activity log if the retention
year is not set for 365 days or
forever (retention days set
to 0).

Add a tag to resource Adds the specified tag and modify 1.0.0
groups value when any resource
group missing this tag is
created or updated. Existing
resource groups can be
remediated by triggering a
remediation task. If the tag
exists with a different value
it will not be changed.

Add a tag to subscriptions Adds the specified tag and modify 1.0.0
value to subscriptions via a
remediation task. If the tag
exists with a different value
it will not be changed. See
https://aka.ms/azurepolicyre
mediation for more
information on policy
remediation.
NAME VERSIO N
DESC RIP T IO N EF F EC T ( S)

Add or replace a tag on Adds or replaces the modify 1.0.0


resource groups specified tag and value
when any resource group is
created or updated. Existing
resource groups can be
remediated by triggering a
remediation task.

| Name | Description | Effect(s) | Version |
|---|---|---|---|
| Add or replace a tag on subscriptions | Adds or replaces the specified tag and value on subscriptions via a remediation task. Existing resource groups can be remediated by triggering a remediation task. See https://aka.ms/azurepolicyremediation for more information on policy remediation. | modify | 1.0.0 |
| Allowed locations for resource groups | This policy enables you to restrict the locations your organization can create resource groups in. Use to enforce your geo-compliance requirements. | deny | 1.0.0 |
| An activity log alert should exist for specific Administrative operations | This policy audits specific Administrative operations with no activity log alerts configured. | AuditIfNotExists, Disabled | 1.0.0 |
| An activity log alert should exist for specific Policy operations | This policy audits specific Policy operations with no activity log alerts configured. | AuditIfNotExists, Disabled | 3.0.0 |
| An activity log alert should exist for specific Security operations | This policy audits specific Security operations with no activity log alerts configured. | AuditIfNotExists, Disabled | 1.0.0 |
| Append a tag and its value to resource groups | Appends the specified tag and value when any resource group which is missing this tag is created or updated. Does not modify the tags of resource groups created before this policy was applied until those resource groups are changed. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc). | append | 1.0.0 |
| Audit virtual machines without disaster recovery configured | Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit https://aka.ms/asr-doc. | auditIfNotExists | 1.0.0 |
| Auto provisioning of the Log Analytics agent should be enabled on your subscription | To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created. | AuditIfNotExists, Disabled | 1.0.1 |
| Azure Defender for App Service should be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for DNS should be enabled | Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns. Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for Key Vault should be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for open-source relational databases should be enabled | Azure Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more about the capabilities of Azure Defender for open-source relational databases at https://aka.ms/AzDforOpenSourceDBsDocu. Important: Enabling this plan will result in charges for protecting your open-source relational databases. Learn about the pricing on Security Center's pricing page: https://aka.ms/pricing-security-center. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager. Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for SQL servers on machines should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for Storage should be enabled | Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' | This policy ensures that a log profile collects logs for categories 'write,' 'delete,' and 'action'. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Monitor should collect activity logs from all regions | This policy audits the Azure Monitor log profile which does not export activities from all Azure supported regions including global. | AuditIfNotExists, Disabled | 2.0.0 |
| Azure Monitor solution 'Security and Audit' must be deployed | This policy ensures that Security and Audit is deployed. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure subscriptions should have a log profile for Activity Log | This policy ensures if a log profile is enabled for exporting activity logs. It audits if there is no log profile created to export the logs either to a storage account or to an event hub. | AuditIfNotExists, Disabled | 1.0.0 |
| Configure Azure Activity logs to stream to specified Log Analytics workspace | Deploys the diagnostic settings for Azure Activity to stream subscriptions audit logs to a Log Analytics workspace to monitor subscription-level events. | DeployIfNotExists, Disabled | 1.0.0 |
| Configure Azure Defender for App Service to be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | DeployIfNotExists, Disabled | 1.0.1 |
| Configure Azure Defender for Azure SQL database to be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | DeployIfNotExists, Disabled | 1.0.0 |
| Configure Azure Defender for DNS to be enabled | Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns. Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center. | DeployIfNotExists, Disabled | 1.0.1 |
| Configure Azure Defender for Key Vaults to be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | DeployIfNotExists, Disabled | 1.0.1 |
| Configure Azure Defender for open-source relational databases to be enabled | Azure Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more about the capabilities of Azure Defender for open-source relational databases at https://aka.ms/AzDforOpenSourceDBsDocu. Important: Enabling this plan will result in charges for protecting your open-source relational databases. Learn about the pricing on Security Center's pricing page: https://aka.ms/pricing-security-center. | DeployIfNotExists, Disabled | 1.0.0 |
| Configure Azure Defender for Resource Manager to be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager. Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center. | DeployIfNotExists, Disabled | 1.0.1 |
| Configure Azure Defender for servers to be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | DeployIfNotExists, Disabled | 1.0.0 |
| Configure Azure Defender for SQL servers on machines to be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | DeployIfNotExists, Disabled | 1.0.0 |
| Configure Azure Defender for Storage to be enabled | Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | DeployIfNotExists, Disabled | 1.0.0 |
| Configure disaster recovery on virtual machines by enabling replication via Azure Site Recovery | Virtual machines without disaster recovery configurations are vulnerable to outages and other disruptions. If the virtual machine does not already have disaster recovery configured, this would initiate the same by enabling replication using preset configurations to facilitate business continuity. You can optionally include/exclude virtual machines containing a specified tag to control the scope of assignment. To learn more about disaster recovery, visit https://aka.ms/asr-doc. | DeployIfNotExists, Disabled | 2.0.0 |
| Configure Log Analytics workspace and automation account to centralize logs and monitoring | Deploy resource group containing Log Analytics workspace and linked automation account to centralize logs and monitoring. The automation account is a prerequisite for solutions like Updates and Change Tracking. | DeployIfNotExists, AuditIfNotExists, Disabled | 2.0.0 |
| Configure Microsoft Defender for Containers to be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | DeployIfNotExists, Disabled | 1.0.0 |
| Deploy - Configure suppression rules for Azure Security Center alerts | Suppress Azure Security Center alerts to reduce alerts fatigue by deploying suppression rules on your management group or subscription. | deployIfNotExists | 1.0.0 |
| Deploy export to Event Hub for Azure Security Center data | Enable export to Event Hub of Azure Security Center data. This policy deploys an export to Event Hub configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | deployIfNotExists | 4.0.0 |
| Deploy export to Log Analytics workspace for Azure Security Center data | Enable export to Log Analytics workspace of Azure Security Center data. This policy deploys an export to Log Analytics workspace configuration with your conditions and target workspace on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | deployIfNotExists | 4.0.0 |
| Deploy Workflow Automation for Azure Security Center alerts | Enable automation of Azure Security Center alerts. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | deployIfNotExists | 4.0.0 |
| Deploy Workflow Automation for Azure Security Center recommendations | Enable automation of Azure Security Center recommendations. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | deployIfNotExists | 4.0.0 |
| Deploy Workflow Automation for Azure Security Center regulatory compliance | Enable automation of Azure Security Center regulatory compliance. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | deployIfNotExists | 4.0.0 |
| Deprecated accounts should be removed from your subscription | Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 3.0.0 |
| Deprecated accounts with owner permissions should be removed from your subscription | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 3.0.0 |
| Email notification for high severity alerts should be enabled | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 1.0.1 |
| Email notification to subscription owner for high severity alerts should be enabled | To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 2.0.0 |
| Enable Azure Security Center on your subscription | Identifies existing subscriptions that are not monitored by Azure Security Center (ASC). Subscriptions not monitored by ASC will be registered to the free pricing tier. Subscriptions already monitored by ASC (free or standard) will be considered compliant. To register newly created subscriptions, open the compliance tab, select the relevant non-compliant assignment and create a remediation task. Repeat this step when you have one or more new subscriptions you want to monitor with Security Center. | deployIfNotExists | 1.0.0 |
| Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with custom workspace. | Allow Security Center to auto provision the Log Analytics agent on your subscriptions to monitor and collect security data using a custom workspace. | DeployIfNotExists, Disabled | 1.0.0 |
| Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with default workspace. | Allow Security Center to auto provision the Log Analytics agent on your subscriptions to monitor and collect security data using ASC default workspace. | DeployIfNotExists, Disabled | 1.0.0 |
| External accounts with owner permissions should be removed from your subscription | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 3.0.0 |
| External accounts with read permissions should be removed from your subscription | External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 3.0.0 |
| External accounts with write permissions should be removed from your subscription | External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 3.0.0 |
| MFA should be enabled accounts with write permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 3.0.0 |
| MFA should be enabled on accounts with owner permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 3.0.0 |
| MFA should be enabled on accounts with read permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 3.0.0 |
| Microsoft Defender for Containers should be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | AuditIfNotExists, Disabled | 1.0.0 |
| Require a tag and its value on resource groups | Enforces a required tag and its value on resource groups. | deny | 1.0.0 |
| Require a tag on resource groups | Enforces existence of a tag on resource groups. | deny | 1.0.0 |
| Service principals should be used to protect your subscriptions instead of management certificates | Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. To manage subscriptions more securely, use of service principals with Resource Manager is recommended to limit the impact of a certificate compromise. | AuditIfNotExists, Disabled | 1.0.0 |
| Subscriptions should have a contact email address for security issues | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. | AuditIfNotExists, Disabled | 1.0.1 |
| There should be more than one owner assigned to your subscription | It is recommended to designate more than one subscription owner in order to have administrator access redundancy. | AuditIfNotExists, Disabled | 3.0.0 |

Next steps
See the built-ins on the Azure Policy GitHub repo.
Review the Azure Policy definition structure.
Review Understanding policy effects.
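The effects in the table decide differently about the same request: deny rejects it, append admits it with fields added, modify can also remediate existing resources, and the audit-style effects only record a finding. The following Python is an added example written for this page, not the Azure Policy engine and not the published built-in definitions: it evaluates approximations of three of the resource-group rules above ("Allowed locations for resource groups", "Require a tag on resource groups", "Append a tag and its value to resource groups") against constructed resource-group requests. The rule bodies, the parameter names listOfAllowedLocations, tagName and tagValue, and the {tagName} placeholder standing in for the built-ins' concat() expression are assumptions.

```python
"""Added example, not Azure's engine: a tiny evaluator for the if/then shape
of an Azure Policy rule (allOf/not, field equals/in/notIn/exists, effects
deny and append) run over constructed resource-group requests.  Rules and
parameter names approximate the built-ins and are assumptions."""
import copy
import re

RG_TYPE = "Microsoft.Resources/subscriptions/resourceGroups"
IS_RG = {"field": "type", "equals": RG_TYPE}
# The real built-ins build the tag field with concat(); {tagName} stands in for that here.
TAG_MISSING = {"field": "tags[{tagName}]", "exists": "false"}

ALLOWED_LOCATIONS_RULE = {
    "if": {"allOf": [IS_RG, {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"}]},
    "then": {"effect": "deny"},
}
REQUIRE_TAG_RULE = {"if": {"allOf": [IS_RG, TAG_MISSING]}, "then": {"effect": "deny"}}
APPEND_TAG_RULE = {
    "if": {"allOf": [IS_RG, TAG_MISSING]},
    "then": {"effect": "append",
             "details": [{"field": "tags[{tagName}]", "value": "[parameters('tagValue')]"}]},
}

PARAM_REF = re.compile(r"^\[parameters\('(\w+)'\)\]$")
PLACEHOLDER = re.compile(r"\{(\w+)\}")
TAG_FIELD = re.compile(r"^tags\[(.+)\]$")


def resolve(value, params):
    """A whole-string [parameters('x')] reference returns the raw parameter
    (possibly a list); {x} placeholders inside a field name are substituted."""
    if not isinstance(value, str):
        return value
    m = PARAM_REF.match(value)
    if m:
        return params[m.group(1)]
    return PLACEHOLDER.sub(lambda p: str(params[p.group(1)]), value)


def get_field(resource, field):
    m = TAG_FIELD.match(field)
    return resource.get("tags", {}).get(m.group(1)) if m else resource.get(field)


def set_field(resource, field, value):
    m = TAG_FIELD.match(field)
    if m:
        resource.setdefault("tags", {})[m.group(1)] = value
    else:
        resource[field] = value


def _norm(v):
    """Azure Policy string comparisons are case-insensitive."""
    return v.lower() if isinstance(v, str) else v


def matches(cond, resource, params):
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    if "not" in cond:
        return not matches(cond["not"], resource, params)
    actual = _norm(get_field(resource, resolve(cond["field"], params)))
    if "equals" in cond:
        return actual == _norm(resolve(cond["equals"], params))
    if "in" in cond:
        return actual in [_norm(v) for v in resolve(cond["in"], params)]
    if "notIn" in cond:
        return actual not in [_norm(v) for v in resolve(cond["notIn"], params)]
    if "exists" in cond:
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(rule, resource, params):
    """Return the effect the rule would apply, or None when it does not match."""
    return rule["then"]["effect"].lower() if matches(rule["if"], resource, params) else None


def apply_rule(rule, resource, params):
    """Return (allowed, resource_after_policy): deny blocks the request, append
    admits a patched copy, audit-style effects admit the request unchanged."""
    effect = evaluate(rule, resource, params)
    if effect == "deny":
        return False, resource
    if effect == "append":
        patched = copy.deepcopy(resource)
        for detail in rule["then"]["details"]:
            set_field(patched, resolve(detail["field"], params), resolve(detail["value"], params))
        return True, patched
    return True, resource


if __name__ == "__main__":
    # Constructed requests: one compliant group, one untagged and outside the allowed regions.
    params = {"listOfAllowedLocations": ["westeurope", "northeurope"], "tagName": "CostCenter", "tagValue": "unassigned"}
    for rg in ({"type": RG_TYPE, "name": "rg-ok", "location": "westeurope", "tags": {"CostCenter": "1234"}},
               {"type": RG_TYPE, "name": "rg-bad", "location": "brazilsouth"}):
        for rule in (ALLOWED_LOCATIONS_RULE, REQUIRE_TAG_RULE, APPEND_TAG_RULE):
            print(rg["name"], rule["then"]["effect"], apply_rule(rule, rg, params))
```

The untagged group in the wrong region is rejected by both deny rules, while the append rule admits the same request with the tag filled in. Note that append only acts on the request it sees, which is why the "Append a tag" row says pre-existing resource groups are untouched until they change; the modify rows exist precisely so that a remediation task can fix what is already deployed.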
Manage personal data associated with Azure Resource Manager
2/23/2022 • 2 minutes to read

To avoid exposing sensitive information, delete any personal information you may have provided in
deployments, resource groups, or tags. Azure Resource Manager provides operations that let you manage
personal data you may have provided in deployments, resource groups, or tags.

NOTE
This article provides steps about how to delete personal data from the device or service and can be used to support your
obligations under the GDPR. For general information about GDPR, see the GDPR section of the Microsoft Trust Center
and the GDPR section of the Service Trust portal.

Delete personal data in deployment history

For deployments, Resource Manager retains parameter values and status messages in the deployment history.
These values persist until you delete the deployment from the history. To see if you have provided personal data
in these values, list the deployments. If you find personal data, delete the deployments from the history. Values
passed through secureString or secureObject parameters are not stored in the history, so declare secrets and
personal identifiers that way in templates you deploy in future.
To list deployments in the history, use:
- REST API: List By Resource Group
- PowerShell: Get-AzResourceGroupDeployment
- Azure CLI: az deployment group list
To delete deployments from the history, use:
- REST API: Delete
- PowerShell: Remove-AzResourceGroupDeployment
- Azure CLI: az deployment group delete

Delete personal data in resource group names

The name of the resource group persists until you delete the resource group. To see if you have provided
personal data in the names, list the resource groups. If you find personal data, move the resources to a new
resource group, and delete the resource group with personal data in the name.
To list resource groups, use:
- REST API: List
- PowerShell: Get-AzResourceGroup
- Azure CLI: az group list
To delete resource groups, use:
- REST API: Delete
- PowerShell: Remove-AzResourceGroup
- Azure CLI: az group delete
Delete personal data in tags
Tag names and values persist until you delete or modify the tag. To see if you have provided personal data in
the tags, list the tags. If you find personal data, delete the tags.
To list tags, use:
- REST API: List
- PowerShell: Get-AzTag
- Azure CLI: az tag list
To delete tags, use:
- REST API: Delete
- PowerShell: Remove-AzTag
- Azure CLI: az tag delete
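One script covering all three steps above (deployment history, resource group names, tags), added here as an example and not the article's own tooling: it scans JSON shaped like the output of `az deployment group list`, `az group list` and `az tag list` for e-mail addresses and phone numbers, and prints the matching delete commands instead of running them. The sample records are constructed, the CLI output shape is an assumption to verify against your az version, and the two regular expressions are starting points rather than a complete personal-data classifier.

```python
"""Added example, not code from the article: an offline scanner for the three
places the article names (deployment history, resource group names, tags) that
reports personal data and prints the matching delete commands.  The sample
JSON is constructed to mirror the shape of az CLI output (an assumption)."""
import json
import re
import shlex

# Deliberately simple patterns; extend for the identifiers your templates carry.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\+?\d[\d -]{8,}\d"),
}


def find_pii(text):
    """Return (kind, match) pairs for every pattern hit in text."""
    return [(kind, m.group(0)) for kind, pat in PII_PATTERNS.items() for m in pat.finditer(text or "")]


def scan_deployments(deployments):
    """The history keeps parameter values and status messages, so both are checked."""
    findings = []
    for dep in deployments:
        props = dep.get("properties", {})
        blobs = [json.dumps(props.get("parameters", {})), (props.get("error") or {}).get("message", "")]
        for blob in blobs:
            for kind, value in find_pii(blob):
                findings.append({"scope": "deployment", "resourceGroup": dep["resourceGroup"],
                                 "name": dep["name"], "kind": kind, "value": value})
    return findings


def scan_resource_groups(groups):
    """Only the group name persists as metadata, so only the name is checked."""
    return [{"scope": "resourceGroup", "name": g["name"], "kind": kind, "value": value}
            for g in groups for kind, value in find_pii(g["name"])]


def scan_tags(tags):
    """Tag names and every value recorded for them, as `az tag list` reports subscription-wide."""
    findings = []
    for tag in tags:
        for kind, value in find_pii(tag["tagName"]):
            findings.append({"scope": "tag", "name": tag["tagName"], "kind": kind, "value": value})
        for val in tag.get("values", []):
            for kind, value in find_pii(val["tagValue"]):
                findings.append({"scope": "tag", "name": tag["tagName"], "tagValue": val["tagValue"],
                                 "kind": kind, "value": value})
    return findings


def remediation_commands(findings):
    """Map findings onto the delete operations the article names.  Commands are
    returned for review, not executed: deleting a history entry is irreversible,
    and a resource group must be emptied (move its resources) before deletion."""
    cmds = set()
    for f in findings:
        if f["scope"] == "deployment":
            cmds.add(f"az deployment group delete -g {shlex.quote(f['resourceGroup'])} -n {shlex.quote(f['name'])}")
        elif f["scope"] == "tag" and "tagValue" in f:
            cmds.add(f"az tag remove-value --name {shlex.quote(f['name'])} --value {shlex.quote(f['tagValue'])}")
        elif f["scope"] == "tag":
            cmds.add(f"az tag delete --name {shlex.quote(f['name'])}")
        else:
            cmds.add(f"# move resources out of {f['name']} first, then: az group delete -n {shlex.quote(f['name'])}")
    return sorted(cmds)


# Constructed sample data in the shape of the az CLI JSON output.
SAMPLE_DEPLOYMENTS = [
    {"name": "vm-rollout-42", "resourceGroup": "rg-app", "properties": {
        "provisioningState": "Succeeded",
        "parameters": {"adminContact": {"type": "String", "value": "jane.doe@example.com"},
                       "vmSize": {"type": "String", "value": "Standard_B2s"}}}},
    {"name": "network-01", "resourceGroup": "rg-app", "properties": {
        "provisioningState": "Succeeded",
        "parameters": {"addressPrefix": {"type": "String", "value": "10.0.0.0/16"}}}},
]
SAMPLE_GROUPS = [{"name": "rg-app", "location": "westeurope"}]
SAMPLE_TAGS = [
    {"tagName": "owner", "values": [{"tagValue": "jane.doe@example.com"}, {"tagValue": "platform-team"}]},
    {"tagName": "env", "values": [{"tagValue": "prod"}]},
]

if __name__ == "__main__":
    found = scan_deployments(SAMPLE_DEPLOYMENTS) + scan_resource_groups(SAMPLE_GROUPS) + scan_tags(SAMPLE_TAGS)
    for f in found:
        print(f"{f['scope']:<14}{f['name']:<16}{f['kind']}: {f['value']}")
    print("\n".join(remediation_commands(found)))
```

To run it against a real subscription, replace the samples with `json.load` of the three commands' `-o json` output and review the printed commands before running any of them: the deployment history is also your record of what was deployed and with which parameter values, so delete entries selectively rather than clearing the history.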

Next steps
For an overview of Azure Resource Manager, see What is Azure Resource Manager?
