Azure Documentation


Contents

Manage Azure resources documentation


Overview
What is Resource Manager?
Concepts
Subscription and service limits
Resource name rules
Resource Manager and classic deployment
Azure common security attributes
Resource providers by service
Resource instance limit
How to
Move - resource groups/subscriptions
Move resources
Supported resources
Troubleshoot move
Services
App Service
Azure DevOps
Classic deployment
Networking
Recovery Services
Virtual Machines
Move - regions
Move across regions
Supported services
Services
Azure VMs
Azure Storage
Azure SQL
Virtual network
Network security group (NSG)
Public IP addresses
Tags
Tag resources
Tag support
Manage
Manage resource groups
Use the Azure portal
Use the Azure CLI
Use Azure PowerShell
Manage resources
Use the Azure portal
Use the Azure CLI
Use Azure PowerShell
Delete resource groups and resources
Lock resources
Create EA subscriptions
Grant access to create EA subscriptions
Authenticate across tenants
View activity logs
Resource providers and types
Throttling requests
Track asynchronous operations
Reference
REST
Azure PowerShell
Azure CLI
.NET
Java
Python
Resources
Azure Roadmap
Pricing calculator
Service updates
Stack Overflow
Manage personal data
Videos
Azure Resource Manager overview
12/23/2019 • 5 minutes to read

Azure Resource Manager is the deployment and management service for Azure. It provides a management layer
that enables you to create, update, and delete resources in your Azure subscription. You use management
features, like access control, locks, and tags, to secure and organize your resources after deployment.
To learn about Azure Resource Manager templates, see Template deployment overview.

Consistent management layer


When a user sends a request from any of the Azure tools, APIs, or SDKs, Resource Manager receives the request.
It authenticates and authorizes the request. Resource Manager sends the request to the Azure service, which
takes the requested action. Because all requests are handled through the same API, you see consistent results
and capabilities in all the different tools.
The following image shows the role Azure Resource Manager plays in handling Azure requests.

All capabilities that are available in the portal are also available through PowerShell, Azure CLI, REST APIs, and
client SDKs. Functionality initially released through APIs will be represented in the portal within 180 days of
initial release.

Terminology
If you're new to Azure Resource Manager, there are some terms you might not be familiar with.
resource - A manageable item that is available through Azure. Virtual machines, storage accounts, web apps, databases, and virtual networks are examples of resources.
resource group - A container that holds related resources for an Azure solution. The resource group includes those resources that you want to manage as a group. You decide which resources belong in a resource group based on what makes the most sense for your organization. See Resource groups.
resource provider - A service that supplies Azure resources. For example, a common resource provider is Microsoft.Compute, which supplies the virtual machine resource. Microsoft.Storage is another common resource provider. See Resource providers and types.
Resource Manager template - A JavaScript Object Notation (JSON) file that defines one or more resources to deploy to a resource group or subscription. The template can be used to deploy the resources consistently and repeatedly. See Template deployment overview.
declarative syntax - Syntax that lets you state "Here is what I intend to create" without having to write the sequence of programming commands to create it. The Resource Manager template is an example of declarative syntax. In the file, you define the properties for the infrastructure to deploy to Azure. See Template deployment overview.

The benefits of using Resource Manager


With Resource Manager, you can:
Manage your infrastructure through declarative templates rather than scripts.
Deploy, manage, and monitor all the resources for your solution as a group, rather than handling these resources individually.
Redeploy your solution throughout the development lifecycle and have confidence your resources are deployed in a consistent state.
Define the dependencies between resources so they're deployed in the correct order.
Apply access control to all services in your resource group because Role-Based Access Control (RBAC) is natively integrated into the management platform.
Apply tags to resources to logically organize all the resources in your subscription.
Clarify your organization's billing by viewing costs for a group of resources sharing the same tag.

Understand scope
Azure provides four levels of scope: management groups, subscriptions, resource groups, and resources. The
following image shows an example of these layers.

You apply management settings at any of these levels of scope. The level you select determines how widely the
setting is applied. Lower levels inherit settings from higher levels. For example, when you apply a policy to the
subscription, the policy is applied to all resource groups and resources in your subscription. When you apply a
policy on the resource group, that policy is applied to the resource group and all its resources. However, another
resource group doesn't have that policy assignment.
You can deploy templates to management groups, subscriptions, or resource groups.
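
The inheritance rule above, as an added example that is not part of the original documentation: it resolves which scope-level assignments reach a given resource. Scope IDs follow the standard ARM resource ID layout; the subscription ID, resource names, assignment names and the management group mapping are constructed for illustration.

```python
# Added example: resolve which scope-level assignments reach a resource.
# All IDs and assignment names below are constructed sample data.

MG_PREFIX = "/providers/microsoft.management/managementgroups/"


def _segments(scope_id):
    """Split an ARM ID into lower-cased path segments (ARM IDs are case-insensitive)."""
    return [part.lower() for part in scope_id.split("/") if part]


def is_within(resource_id, scope_id):
    """True if scope_id is the resource itself or an ancestor, compared segment by segment.

    A plain string-prefix test is wrong here: resource group "app" would
    appear to contain everything in resource group "app-prod".
    """
    res, scope = _segments(resource_id), _segments(scope_id)
    return 0 < len(scope) <= len(res) and res[:len(scope)] == scope


def effective_assignments(resource_id, assignments, mg_ancestors):
    """Return the names of the assignments inherited by resource_id.

    assignments:  iterable of (name, scope_id) pairs.
    mg_ancestors: {subscription_id: [management group names above it]}; this
                  mapping is an input because a resource ID does not encode it.
    """
    segs = _segments(resource_id)
    sub = segs[1] if len(segs) > 1 and segs[0] == "subscriptions" else None
    lookup = {key.lower(): names for key, names in mg_ancestors.items()}
    mg_scopes = {MG_PREFIX + name.lower() for name in lookup.get(sub, [])}
    inherited = []
    for name, scope in assignments:
        scope_norm = "/" + "/".join(_segments(scope))
        if scope_norm in mg_scopes or is_within(resource_id, scope):
            inherited.append(name)
    return inherited


# Constructed sample data (not from the page).
SUB = "00000000-0000-0000-0000-000000000001"
VM = f"/subscriptions/{SUB}/resourceGroups/app/providers/Microsoft.Compute/virtualMachines/web1"
DISK = f"/subscriptions/{SUB}/resourceGroups/app-prod/providers/Microsoft.Compute/disks/data1"
ASSIGNMENTS = [
    ("require-tags", "/providers/Microsoft.Management/managementGroups/corp"),
    ("allowed-locations", f"/subscriptions/{SUB}"),
    ("deny-public-ip", f"/subscriptions/{SUB}/resourceGroups/app"),
    ("audit-disks", f"/subscriptions/{SUB}/resourceGroups/app-prod"),
    ("other-subscription", "/subscriptions/00000000-0000-0000-0000-000000000002"),
]
MG_ANCESTORS = {SUB: ["corp"]}

if __name__ == "__main__":
    for rid in (VM, DISK):
        print(rid.rsplit("/", 1)[-1], effective_assignments(rid, ASSIGNMENTS, MG_ANCESTORS))
```

The disk in resource group app-prod does not inherit the assignment made on resource group app, even though its ID starts with the same characters.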

Resource groups
There are some important factors to consider when defining your resource group:
All the resources in your group should share the same lifecycle. You deploy, update, and delete them together. If one resource, such as a database server, needs to exist on a different deployment cycle it should be in another resource group.
Each resource can only exist in one resource group.
You can add or remove a resource to a resource group at any time.
You can move a resource from one resource group to another group. For more information, see Move resources to new resource group or subscription.
A resource group can contain resources that are located in different regions.
A resource group can be used to scope access control for administrative actions.
A resource can interact with resources in other resource groups. This interaction is common when the two resources are related but don't share the same lifecycle (for example, web apps connecting to a database).
When creating a resource group, you need to provide a location for that resource group. You may be wondering,
"Why does a resource group need a location? And, if the resources can have different locations than the resource
group, why does the resource group location matter at all?" The resource group stores metadata about the
resources. When you specify a location for the resource group, you're specifying where that metadata is stored.
For compliance reasons, you may need to ensure that your data is stored in a particular region.
If the resource group's region is temporarily unavailable, you can't update resources in the resource group
because the metadata is unavailable. The resources in other regions will still function as expected, but you can't
update them. For more information about building reliable applications, see Designing reliable Azure
applications.

Resiliency of Azure Resource Manager


The Azure Resource Manager service is designed for resiliency and continuous availability. Resource Manager
and control plane operations (requests sent to management.azure.com) in the REST API are:
Distributed across regions. Some services are regional.
Distributed across Availability Zones (as well as regions) in locations that have multiple Availability Zones.
Not dependent on a single logical data center.
Never taken down for maintenance activities.
This resiliency applies to services that receive requests through Resource Manager. For example, Key Vault
benefits from this resiliency.

Next steps
For all the operations offered by resource providers, see the Azure REST APIs.
To learn about moving resources, see Move resources to new resource group or subscription.
To learn about tagging resources, see Use tags to organize your Azure resources.
To learn about locking resources, see Lock resources to prevent unexpected changes.
For information about creating templates for deployments, see Template deployment overview.
Azure subscription and service limits, quotas, and constraints
1/20/2020 • 87 minutes to read

This document lists some of the most common Microsoft Azure limits, which are also sometimes called quotas.
This document doesn't currently cover all Azure services. Over time, the list will be expanded and updated to cover
more services.
To learn more about Azure pricing, see Azure pricing overview. There, you can estimate your costs by using the
pricing calculator. You also can go to the pricing details page for a particular service, for example, Windows VMs.
For tips to help manage your costs, see Prevent unexpected costs with Azure billing and cost management.

NOTE
If you want to raise the limit or quota above the default limit, open an online customer support request at no charge. The
limits can't be raised above the maximum limit value shown in the following tables. If there's no maximum limit column, the
resource doesn't have adjustable limits.
Free Trial subscriptions aren't eligible for limit or quota increases. If you have a Free Trial subscription, you can upgrade to a
Pay-As-You-Go subscription. For more information, see Upgrade your Azure Free Trial subscription to a Pay-As-You-Go
subscription and the Free Trial subscription FAQ.

Limits and Azure Resource Manager


It's now possible to combine multiple Azure resources into a single Azure resource group. When you use resource
groups, limits that once were global become managed at a regional level with Azure Resource Manager. For more
information about Azure resource groups, see Azure Resource Manager overview.
In the following list of limits, a new table reflects any differences in limits when you use Azure Resource Manager.
For example, there's a Subscription limits table and a Subscription limits - Azure Resource Manager table.
When a limit applies to both scenarios, it's only shown in the first table. Unless otherwise indicated, limits are
global across all regions.

NOTE
Quotas for resources in Azure resource groups are per-region accessible by your subscription, not per-subscription as the
service management quotas are. Let's use vCPU quotas as an example. To request a quota increase with support for vCPUs,
you must decide how many vCPUs you want to use in which regions. You then make a specific request for Azure resource
group vCPU quotas for the amounts and regions that you want. If you need to use 30 vCPUs in West Europe to run your
application there, you specifically request 30 vCPUs in West Europe. Your vCPU quota isn't increased in any other region--
only West Europe has the 30-vCPU quota.
As a result, decide what your Azure resource group quotas must be for your workload in any one region. Then request that
amount in each region into which you want to deploy. For help in how to determine your current quotas for specific regions,
see Troubleshoot deployment issues.

Service-specific limits
Active Directory
API Management
App Service
Application Gateway
Automation
Azure Cache for Redis
Azure Cloud Services
Azure Cognitive Search
Azure Cognitive Services
Azure Cosmos DB
Azure Data Explorer
Azure Database for MySQL
Azure Database for PostgreSQL
Azure DNS
Azure Firewall
Azure Functions
Azure Kubernetes Service
Azure Machine Learning
Azure Maps
Azure Monitor
Azure Policy
Azure SignalR Service
Backup
Batch
BizTalk Services
Container Instances
Container Registry
Content Delivery Network
Data Factory
Data Lake Analytics
Data Lake Store
Database Migration Service
Event Grid
Event Hubs
Front Door Service
Identity Manager
IoT Central
IoT Hub
IoT Hub Device Provisioning Service
Key Vault
Media Services
Mobile Services
Multi-Factor Authentication
Networking
Application Gateway
Azure Bastion
Azure DNS
Azure Front Door Service
Azure Firewall
ExpressRoute
Load Balancer
Network Watcher
Public IP address
Private Link
Traffic Manager
Virtual Network
Virtual WAN
Notification Hubs
Resource group
Role-based access control
Scheduler
Service Bus
Site Recovery
SQL Database
SQL Data Warehouse
Storage
StorSimple System
Stream Analytics
Subscription
Virtual Machines
Virtual machine scale sets
Subscription limits
Subscription limits - Azure Service Management (classic deployment model)

RESOURCE                                DEFAULT LIMIT   MAXIMUM LIMIT
vCPUs per subscription¹                 20              10,000
Coadministrators per subscription       200             200
Storage accounts per subscription²      100             100
Cloud services per subscription         20              200
Local networks per subscription         10              500
DNS servers per subscription            9               100
Reserved IPs per subscription           20              100
Affinity groups per subscription        256             256
Subscription name length (characters)   64              64

¹ Extra small instances count as one vCPU toward the vCPU limit despite using a partial CPU core.
² The storage account limit includes both Standard and Premium storage accounts.
Subscription limits - Azure Resource Manager
The following limits apply when you use Azure Resource Manager and Azure resource groups. Limits that haven't
changed with Azure Resource Manager aren't listed. See the previous table for those limits.
For information about Resource Manager API read and write limits, see Throttling Resource Manager requests.

RESOURCE                                                   DEFAULT LIMIT         MAXIMUM LIMIT
VMs per subscription                                       25,000¹ per region.   25,000 per region.
VM total cores per subscription                            20¹ per region.       Contact support.
Azure Spot VM total cores per subscription                 20¹ per region.       Contact support.
VM per series, such as Dv2 and F, cores per subscription   20¹ per region.       Contact support.
Coadministrators per subscription                          Unlimited.            Unlimited.
Storage accounts per region per subscription               250                   250
Resource groups per subscription                           980                   980
Availability sets per subscription                         2,000 per region.     2,000 per region.
Azure Resource Manager API request size                    4,194,304 bytes.      4,194,304 bytes.
Tags per subscription²                                     Unlimited.            Unlimited.
Unique tag calculations per subscription²                  10,000                10,000
Cloud services per subscription                            N/A³                  N/A³
Affinity groups per subscription                           N/A³                  N/A³
Subscription-level deployments per location                800⁴                  800

¹ Default limits vary by offer category type, such as Free Trial and Pay-As-You-Go, and by series, such as Dv2, F,
and G. For example, the default for Enterprise Agreement subscriptions is 350.
² You can apply an unlimited number of tags per subscription. The number of tags per resource or resource group
is limited to 50. Resource Manager returns a list of unique tag name and values in the subscription only when the
number of tags is 10,000 or less. You still can find a resource by tag when the number exceeds 10,000.
³ These features are no longer required with Azure resource groups and Resource Manager.
⁴ If you reach the limit of 800 deployments, delete deployments from the history that are no longer needed. To
delete subscription level deployments, use Remove-AzDeployment or az deployment delete.
NOTE
Virtual machine cores have a regional total limit. They also have a limit for regional per-size series, such as Dv2 and F. These
limits are separately enforced. For example, consider a subscription with a US East total VM core limit of 30, an A series core
limit of 30, and a D series core limit of 30. This subscription can deploy 30 A1 VMs, or 30 D1 VMs, or a combination of the
two not to exceed a total of 30 cores. An example of a combination is 10 A1 VMs and 20 D1 VMs.

Resource group limits


RESOURCE                                                   DEFAULT LIMIT   MAXIMUM LIMIT
Resources per resource group, per resource type            800             Some resource types can exceed the 800 limit. See Resources not limited to 800 instances per resource group.
Deployments per resource group in the deployment history   800¹            800
Resources per deployment                                   800             800
Management locks per unique scope                          20              20
Number of tags per resource or resource group              50              50
Tag key length                                             512             512
Tag value length                                           256             256

¹ If you reach the limit of 800 deployments per resource group, delete deployments from the history that are no
longer needed. Deleting an entry from the deployment history doesn't affect the deployed resources. For more
information, see Resolve error when deployment count exceeds 800.
Template limits

VALUE DEFAULT LIMIT MAXIMUM LIMIT

Parameters 256 256

Variables 256 256

Resources (including copy count) 800 800

Outputs 64 64

Template expression 24,576 chars 24,576 chars

Resources in exported templates 200 200

Template size 4 MB 4 MB

Parameter file size 64 KB 64 KB

You can exceed some template limits by using a nested template. For more information, see Use linked templates
when you deploy Azure resources. To reduce the number of parameters, variables, or outputs, you can combine
several values into an object. For more information, see Objects as parameters.
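
A pre-deployment check against the template limits in the table above, as an added example that is not part of the original documentation or any Azure tooling. It assumes the usual ARM template layout (top-level parameters, variables, resources and outputs, with copy loops declared as "copy": {"count": N}); the sample template is constructed, and raw file size is used as an approximation of template size.

```python
import json

# Limits copied from the "Template limits" table on this page.
MAX_PARAMETERS = 256
MAX_VARIABLES = 256
MAX_RESOURCES = 800            # including copy count
MAX_OUTPUTS = 64
MAX_EXPRESSION_CHARS = 24_576
MAX_TEMPLATE_BYTES = 4 * 1024 * 1024
MAX_PARAMETER_FILE_BYTES = 64 * 1024


def count_resources(resources):
    """Return (total, unresolved): resources counted with literal copy counts, and
    the number of copy counts that are expressions and cannot be evaluated here."""
    total = unresolved = 0
    for res in resources or []:
        count = (res.get("copy") or {}).get("count")
        if isinstance(count, int) and not isinstance(count, bool):
            total += count
        else:
            total += 1
            unresolved += count is not None
        child_total, child_unresolved = count_resources(res.get("resources"))
        total += child_total
        unresolved += child_unresolved
    return total, unresolved


def iter_strings(node):
    """Yield every string value in a parsed JSON document."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from iter_strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from iter_strings(value)


def is_expression(value):
    """Template expressions are strings wrapped in [ ]; a leading [[ is an escaped literal."""
    return value.startswith("[") and value.endswith("]") and not value.startswith("[[")


def check_template(template_text, parameter_text=None):
    """Return a list of findings; an empty list means no documented limit is exceeded."""
    findings = []
    size = len(template_text.encode("utf-8"))
    if size > MAX_TEMPLATE_BYTES:
        findings.append(f"template size: {size} bytes > {MAX_TEMPLATE_BYTES}")
    template = json.loads(template_text)
    for section, limit in (("parameters", MAX_PARAMETERS),
                           ("variables", MAX_VARIABLES),
                           ("outputs", MAX_OUTPUTS)):
        used = len(template.get(section) or {})
        if used > limit:
            findings.append(f"{section}: {used} > {limit}")
    total, unresolved = count_resources(template.get("resources"))
    if total > MAX_RESOURCES:
        findings.append(f"resources: {total} > {MAX_RESOURCES}")
    if unresolved:
        findings.append(f"resources: {unresolved} copy count(s) are expressions, check by hand")
    longest = max((len(s) for s in iter_strings(template) if is_expression(s)), default=0)
    if longest > MAX_EXPRESSION_CHARS:
        findings.append(f"expression: {longest} chars > {MAX_EXPRESSION_CHARS}")
    if parameter_text is not None:
        psize = len(parameter_text.encode("utf-8"))
        if psize > MAX_PARAMETER_FILE_BYTES:
            findings.append(f"parameter file size: {psize} bytes > {MAX_PARAMETER_FILE_BYTES}")
    return findings


def build_sample(n_parameters, copy_count, expression="[resourceGroup().location]"):
    """Constructed sample template (not from the page): one storage account in a copy loop."""
    return json.dumps({
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {f"p{i}": {"type": "string"} for i in range(n_parameters)},
        "variables": {"location": expression},
        "resources": [{
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2019-06-01",
            "name": "[concat('st', copyIndex())]",
            "location": "[variables('location')]",
            "sku": {"name": "Standard_LRS"},
            "kind": "StorageV2",
            "copy": {"name": "storagecopy", "count": copy_count},
        }],
        "outputs": {},
    })


if __name__ == "__main__":
    print(check_template(build_sample(257, 801)))
```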
Virtual Machines limits
Virtual Machines limits

RESOURCE                              DEFAULT LIMIT   MAXIMUM LIMIT
Virtual machines per cloud service¹   50              50
Input endpoints per cloud service²    150             150

¹ Virtual machines created by using the classic deployment model instead of Azure Resource Manager are
automatically stored in a cloud service. You can add more virtual machines to that cloud service for load balancing
and availability.
² Input endpoints allow communications to a virtual machine from outside the virtual machine's cloud service.
Virtual machines in the same cloud service or virtual network can automatically communicate with each other. For
more information, see How to set up endpoints to a virtual machine.
Virtual Machines limits - Azure Resource Manager
The following limits apply when you use Azure Resource Manager and Azure resource groups.

RESOURCE                                DEFAULT LIMIT
Virtual machines per availability set   200
Certificates per subscription           Unlimited¹

¹ With Azure Resource Manager, certificates are stored in the Azure Key Vault. The number of certificates is
unlimited for a subscription. There's a 1-MB limit of certificates per deployment, which consists of either a single
VM or an availability set.
Shared Image Gallery limits
There are limits, per subscription, for deploying resources using Shared Image Galleries:
100 shared image galleries, per subscription, per region
1,000 image definitions, per subscription, per region
10,000 image versions, per subscription, per region
Virtual machine scale sets limits
RESOURCE                                                          DEFAULT LIMIT   MAXIMUM LIMIT
Maximum number of VMs in a scale set                              1,000           1,000
Maximum number of VMs based on a custom VM image in a scale set   600             600
Maximum number of scale sets in a region                          2,000           2,000

Container Instances limits


RESOURCE                                                     DEFAULT LIMIT
Standard sku container groups per region per subscription    100¹
Dedicated sku container groups per region per subscription   0¹
Number of containers per container group                     60
Number of volumes per container group                        20
Ports per IP                                                 5
Container instance log size - running instance               4 MB
Container instance log size - stopped instance               16 KB or 1,000 lines
Container creates per hour                                   300¹
Container creates per 5 minutes                              100¹
Container deletes per hour                                   300¹
Container deletes per 5 minutes                              100¹

¹ To request a limit increase, create an Azure Support request.

Container Registry limits


The following table details the features and limits of the Basic, Standard, and Premium service tiers.

RESOURCE                        BASIC     STANDARD   PREMIUM
Storage¹                        10 GiB    100 GiB    500 GiB
Maximum image layer size        200 GiB   200 GiB    200 GiB
ReadOps per minute²,³           1,000     3,000      10,000
WriteOps per minute²,⁴          100       500        2,000
Download bandwidth MBps²        30        60         100
Upload bandwidth MBps²          10        20         50
Webhooks                        2         10         500
Geo-replication                 N/A       N/A        Supported
Content trust                   N/A       N/A        Supported
Virtual network access          N/A       N/A        Preview
Repository-scoped permissions   N/A       N/A        Preview
• Tokens                        N/A       N/A        20,000
• Scope maps                    N/A       N/A        20,000
• Repositories per scope map    N/A       N/A        500

¹ The specified storage limits are the amount of included storage for each tier. You're charged an additional daily
rate per GiB for image storage above these limits. For rate information, see Azure Container Registry pricing.
² ReadOps, WriteOps, and Bandwidth are minimum estimates. Azure Container Registry strives to improve
performance as usage requires.
³ A docker pull translates to multiple read operations based on the number of layers in the image, plus the manifest
retrieval.
⁴ A docker push translates to multiple write operations, based on the number of layers that must be pushed. A
docker push includes ReadOps to retrieve a manifest for an existing image.
Azure Kubernetes Service limits
RESOURCE                                                                                       DEFAULT LIMIT
Maximum clusters per subscription                                                              100
Maximum nodes per cluster with Virtual Machine Availability Sets and Basic Load Balancer SKU   100
Maximum nodes per cluster with Virtual Machine Scale Sets and Standard Load Balancer SKU       800 (100 nodes per node pool)
Maximum pods per node: Basic networking with Kubenet                                           110
Maximum pods per node: Advanced networking with Azure Container Networking Interface           Azure CLI deployment: 30¹
                                                                                               Azure Resource Manager template: 30¹
                                                                                               Portal deployment: 30

¹ When you deploy an Azure Kubernetes Service (AKS) cluster with the Azure CLI or a Resource Manager
template, this value is configurable up to 250 pods per node. You can't configure maximum pods per node after
you've already deployed an AKS cluster, or if you deploy a cluster by using the Azure portal.
Azure Machine Learning limits
The latest values for Azure Machine Learning Compute quotas can be found in the Azure Machine Learning quota
page.
Networking limits
Networking limits - Azure Resource Manager
The following limits apply only for networking resources managed through Azure Resource Manager per region per
subscription. Learn how to view your current resource usage against your subscription limits.
NOTE
We recently increased all default limits to their maximum limits. If there's no maximum limit column, the resource doesn't
have adjustable limits. If you had these limits increased by support in the past and don't see updated limits in the following
tables, open an online customer support request at no charge.

RESOURCE                                                                                                   DEFAULT/MAXIMUM LIMIT
Virtual networks                                                                                           1,000
Subnets per virtual network                                                                                3,000
Virtual network peerings per virtual network                                                               500
Virtual network gateways (VPN gateways) per virtual network                                                1
Virtual network gateways (ExpressRoute gateways) per virtual network                                       1
DNS servers per virtual network                                                                            20
Private IP addresses per virtual network                                                                   65,536
Private IP addresses per network interface                                                                 256
Private IP addresses per virtual machine                                                                   256
Public IP addresses per network interface                                                                  256
Public IP addresses per virtual machine                                                                    256
Concurrent TCP or UDP flows per NIC of a virtual machine or role instance                                  500,000
Network interface cards                                                                                    65,536
Network Security Groups                                                                                    5,000
NSG rules per NSG                                                                                          1,000
IP addresses and ranges specified for source or destination in a security group                            4,000
Application security groups                                                                                3,000
Application security groups per IP configuration, per NIC                                                  20
IP configurations per application security group                                                           4,000
Application security groups that can be specified within all security rules of a network security group   100
User-defined route tables                                                                                  200
User-defined routes per route table                                                                        400
Point-to-site root certificates per Azure VPN Gateway                                                      20
Virtual network TAPs                                                                                       100
Network interface TAP configurations per virtual network TAP                                               100

Public IP address limits

RESOURCE DEFAULT LIMIT MAXIMUM LIMIT

Public IP addresses - dynamic 1,000 for Basic. Contact support.

Public IP addresses - static 1,000 for Basic. Contact support.

Public IP addresses - static 1,000 for Standard. Contact support.

Public IP prefix length /28 Contact support.

Load balancer limits


The following limits apply only for networking resources managed through Azure Resource Manager per region
per subscription. Learn how to view your current resource usage against your subscription limits.
Standard Load Balancer

RESOURCE DEFAULT/MAXIMUM LIMIT

Load balancers 1,000

Rules per resource 1,500

Rules per NIC (across all IPs on a NIC) 300

Frontend IP configurations 600

Backend pool size 1,000 IP configurations, single virtual network

High-availability ports 1 per internal frontend

Outbound rules per Load Balancer 20

Basic Load Balancer

RESOURCE DEFAULT/MAXIMUM LIMIT

Load balancers 1,000

Rules per resource 250



Rules per NIC (across all IPs on a NIC) 300

Frontend IP configurations 200

Backend pool size 300 IP configurations, single availability set

Availability sets per Load Balancer 150

The following limits apply only for networking resources managed through the classic deployment model per subscription. Learn how
to view your current resource usage against your subscription limits.

RESOURCE                                                                    DEFAULT LIMIT                                    MAXIMUM LIMIT
Virtual networks                                                            100                                              100
Local network sites                                                         20                                               50
DNS servers per virtual network                                             20                                               20
Private IP addresses per virtual network                                    4,096                                            4,096
Concurrent TCP or UDP flows per NIC of a virtual machine or role instance   500,000, up to 1,000,000 for two or more NICs.   500,000, up to 1,000,000 for two or more NICs.
Network Security Groups (NSGs)                                              200                                              200
NSG rules per NSG                                                           1,000                                            1,000
User-defined route tables                                                   200                                              200
User-defined routes per route table                                         400                                              400
Public IP addresses (dynamic)                                               500                                              500
Reserved public IP addresses                                                500                                              500
Public VIP per deployment                                                   5                                                Contact support
Private VIP (internal load balancing) per deployment                        1                                                1
Endpoint access control lists (ACLs)                                        50                                               50

ExpressRoute limits

RESOURCE                                                                                                                    DEFAULT/MAXIMUM LIMIT
ExpressRoute circuits per subscription                                                                                      10
ExpressRoute circuits per region per subscription, with Azure Resource Manager                                              10
Maximum number of routes advertised to Azure private peering with ExpressRoute Standard                                     4,000
Maximum number of routes advertised to Azure private peering with ExpressRoute Premium add-on                               10,000
Maximum number of routes advertised from Azure private peering from the VNet address space for an ExpressRoute connection   200
Maximum number of routes advertised to Microsoft peering with ExpressRoute Standard                                         200
Maximum number of routes advertised to Microsoft peering with ExpressRoute Premium add-on                                   200
Maximum number of ExpressRoute circuits linked to the same virtual network in the same peering location                     4
Maximum number of ExpressRoute circuits linked to the same virtual network in different peering locations                   4
Number of virtual network links allowed per ExpressRoute circuit                                                            See the Number of virtual networks per ExpressRoute circuit table.

Number of virtual networks per ExpressRoute circuit

CIRCUIT SIZE   NUMBER OF VIRTUAL NETWORK LINKS FOR STANDARD   NUMBER OF VIRTUAL NETWORK LINKS WITH PREMIUM ADD-ON
50 Mbps        10                                             20
100 Mbps       10                                             25
200 Mbps       10                                             25
500 Mbps       10                                             40
1 Gbps         10                                             50
2 Gbps         10                                             60
5 Gbps         10                                             75
10 Gbps        10                                             100
40 Gbps*       10                                             100
100 Gbps*      10                                             100

*100 Gbps ExpressRoute Direct Only


NOTE
Global Reach connections count against the limit of virtual network connections per ExpressRoute Circuit. For example, a 10
Gbps Premium Circuit would allow for 5 Global Reach connections and 95 connections to the ExpressRoute Gateways or 95
Global Reach connections and 5 connections to the ExpressRoute Gateways or any other combination up to the limit of 100
connections for the circuit.

Virtual WAN limits

RESOURCE                                                    LIMIT
Virtual WAN hubs per region                                 1
Virtual WAN hubs per virtual wan                            Azure regions
VPN (branch) connections per hub                            1,000
VNet connections per hub                                    500
Point-to-Site users per hub                                 10,000
Aggregate throughput per Virtual WAN VPN gateway            20 Gbps
Throughput per Virtual WAN VPN connection (2 tunnels)       2 Gbps with 1 Gbps/IPsec tunnel
Aggregate throughput per Virtual WAN ExpressRoute gateway   20 Gbps

Application Gateway limits


The following table applies to v1, v2, Standard, and WAF SKUs unless otherwise stated.

RESOURCE                               DEFAULT/MAXIMUM LIMIT            NOTE
Azure Application Gateway              1,000 per subscription
Front-end IP configurations            2                                1 public and 1 private
Front-end ports                        100¹
Back-end address pools                 100¹
Back-end servers per pool              1,200
HTTP listeners                         100¹
HTTP load-balancing rules              100¹
Back-end HTTP settings                 100¹
Instances per gateway                  32
SSL certificates                       100¹                             1 per HTTP listeners
Maximum SSL certificate size           V1 SKU - 10 KB
                                       V2 SKU - 16 KB
Authentication certificates            100
Trusted root certificates              100
Request timeout minimum                1 second
Request timeout maximum                24 hours
Number of sites                        100¹                             1 per HTTP listeners
URL maps per listener                  1
Maximum path-based rules per URL map   100
Redirect configurations                100¹
Concurrent WebSocket connections       Medium gateways 20k
                                       Large gateways 50k
Maximum URL length                     32KB
Maximum header size for HTTP/2         4KB
Maximum file upload size, Standard     2 GB
Maximum file upload size WAF           v1 Medium WAF gateways, 100 MB
                                       v1 Large WAF gateways, 500 MB
                                       v2 WAF, 750 MB
WAF body size limit, without files     128 KB
Maximum WAF custom rules               100
Maximum WAF exclusions                 100

¹ In case of WAF-enabled SKUs, we recommend that you limit the number of resources to 40 for optimal
performance.
Network Watcher limits

RESOURCE                  DEFAULT LIMIT       MAXIMUM LIMIT   NOTE
Azure Network Watcher     1 per region        1 per region    Network Watcher is created to enable access to the service. Only one instance of Network Watcher is required per subscription per region.
Packet capture sessions   10,000 per region   10,000          Number of sessions only, not saved captures.

Private Link limits


The following limits apply to Azure private link:

RESOURCE LIMIT

Number of private endpoints per virtual network 1000

Number of private endpoints per subscription 64000

Number of private link service per subscription 800

Number of IP Configurations on a private link service 8 (This number is for the NAT IP addresses used per PLS)

Number of private endpoints on the same private link service 1000

Traffic Manager limits

RESOURCE DEFAULT/MAXIMUM LIMIT

Profiles per subscription 200

Endpoints per profile 200

Azure Bastion limits

RESOURCE DEFAULT LIMIT

Concurrent RDP connections 25*

Concurrent SSH connections More than 50**

*May vary due to other on-going RDP sessions or other on-going SSH sessions.
**May vary if there are existing RDP connections or usage from other on-going SSH sessions.
Azure DNS limits
Public DNS zones

RESOURCE                                                                                         DEFAULT LIMIT
Public DNS Zones per subscription                                                                250¹
Record sets per public DNS zone                                                                  10,000¹
Records per record set in public DNS zone                                                        20
Number of Alias records for a single Azure resource                                              20
Private DNS zones per subscription                                                               1000
Record sets per private DNS zone                                                                 25000
Records per record set for private DNS zones                                                     20
Virtual Network Links per private DNS zone                                                       1000
Virtual Networks Links per private DNS zones with auto-registration enabled                      100
Number of private DNS zones a virtual network can get linked to with auto-registration enabled   1
Number of private DNS zones a virtual network can get linked                                     1000

¹ If you need to increase these limits, contact Azure Support.

Azure Firewall limits

RESOURCE DEFAULT LIMIT

Data throughput 30 Gbps1

Rules 10,000. All rule types combined.

DNAT rules per public IP address 299

Minimum AzureFirewallSubnet size /26

Port range in network and application rules 0-64,000. Work is in progress to relax this limitation.

Public IP addresses 100 maximum (Currently, SNAT ports are added only for the first five public IP addresses.)

Route table By default, AzureFirewallSubnet has a 0.0.0.0/0 route with the NextHopType value set to Internet. Azure Firewall must have direct Internet connectivity. If your AzureFirewallSubnet learns a default route to your on-premises network via BGP, you must override that with a 0.0.0.0/0 UDR with the NextHopType value set as Internet to maintain direct Internet connectivity. By default, Azure Firewall doesn't support forced tunneling to an on-premises network. However, if your configuration requires forced tunneling to an on-premises network, Microsoft will support it on a case by case basis. Contact Support so that we can review your case. If accepted, we'll allow your subscription and ensure the required firewall Internet connectivity is maintained.

1If you need to increase these limits, contact Azure Support.
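
The route table requirement above can be checked mechanically. The following is an added example, not Microsoft's code: it applies Azure's route selection order (longest prefix match, then user-defined routes over BGP routes over system routes, which is stated here from general Azure routing behaviour rather than from this page) to a constructed set of routes for AzureFirewallSubnet. The dictionary fields are an assumed shape modelled on Azure route properties, and the probe address is a documentation address.

```python
import ipaddress

# Tie-break between routes with the same prefix length: user-defined routes
# win over BGP-learned routes, which win over system default routes.
SOURCE_PRIORITY = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}

# Constructed sample routes (assumed field names, not exported from Azure).
SYSTEM_DEFAULT = {"source": "Default", "addressPrefix": "0.0.0.0/0",
                  "nextHopType": "Internet"}
BGP_DEFAULT = {"source": "VirtualNetworkGateway", "addressPrefix": "0.0.0.0/0",
               "nextHopType": "VirtualNetworkGateway"}
UDR_INTERNET = {"source": "User", "addressPrefix": "0.0.0.0/0",
                "nextHopType": "Internet"}
UDR_NVA = {"source": "User", "addressPrefix": "0.0.0.0/0",
           "nextHopType": "VirtualAppliance"}


def effective_route(routes, destination):
    """Return the route that wins for `destination`: longest prefix first,
    then source priority. Returns None if no route matches."""
    dest = ipaddress.ip_address(destination)
    matches = [r for r in routes
               if dest in ipaddress.ip_network(r["addressPrefix"])]
    if not matches:
        return None
    return min(matches, key=lambda r: (
        -ipaddress.ip_network(r["addressPrefix"]).prefixlen,
        SOURCE_PRIORITY[r["source"]],
    ))


def check_firewall_subnet(routes, probe="203.0.113.10"):
    """Report whether Internet-bound traffic from AzureFirewallSubnet still
    leaves through the Internet next hop. `probe` stands in for any public
    destination."""
    winner = effective_route(routes, probe)
    if winner is None:
        return False, "no route covers Internet destinations"
    if winner["nextHopType"] == "Internet":
        return True, (f"{winner['source']} route {winner['addressPrefix']} "
                      "-> Internet")
    return False, (f"{winner['source']} route {winner['addressPrefix']} sends "
                   f"traffic to {winner['nextHopType']}; add a 0.0.0.0/0 UDR "
                   "with next hop Internet")


if __name__ == "__main__":
    scenarios = {
        "system default only": [SYSTEM_DEFAULT],
        "default route learned via BGP": [SYSTEM_DEFAULT, BGP_DEFAULT],
        "BGP default overridden by UDR": [SYSTEM_DEFAULT, BGP_DEFAULT,
                                          UDR_INTERNET],
        "UDR points at a virtual appliance": [SYSTEM_DEFAULT, UDR_NVA],
    }
    for name, routes in scenarios.items():
        ok, reason = check_firewall_subnet(routes)
        print(f"{'OK  ' if ok else 'FAIL'} {name}: {reason}")
```
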

Azure Front Door Service limits


RESOURCE DEFAULT/MAXIMUM LIMIT

Azure Front Door Service resources per subscription 100

Front-end hosts, which includes custom domains per resource 100

Routing rules per resource 100

Back-end pools per resource 50

Back ends per back-end pool 100

Path patterns to match for a routing rule 25

Custom web application firewall rules per policy 10

Web application firewall policy per subscription 100

Web application firewall match conditions per custom rule 10

Web application firewall IP address ranges per match condition 600

Web application firewall string match values per match condition 10

Web application firewall string match value length 256

Web application firewall POST body parameter name length 256

Web application firewall HTTP header name length 256

Web application firewall cookie name length 256

Web application firewall HTTP request body size inspected 128 KB

Web application firewall custom response body length 2 KB

Timeout values
Client to Front Door
Front Door has an idle TCP connection timeout of 61 seconds.
Front Door to application back-end
If the response is a chunked response, a 200 is returned if or when the first chunk is received.
After the HTTP request is forwarded to the back end, Front Door waits for 30 seconds for the first packet from
the back end. Then it returns a 503 error to the client.
After the first packet is received from the back end, Front Door waits for 30 seconds in an idle timeout. Then it
returns a 503 error to the client.
Front Door to the back-end TCP session timeout is 30 minutes.
Upload and download data limit
| WITH CHUNKED TRANSFER ENCODING (CTE) | WITHOUT HTTP CHUNKING

Download | There's no limit on the download size. | There's no limit on the download size.

Upload | There's no limit as long as each CTE upload is less than 2 GB. | The size can't be larger than 2 GB.

Other limits
Maximum URL size - 8,192 bytes - Specifies maximum length of the raw URL (scheme + hostname + port +
path + query string of the URL)
Maximum Query String size - 4,096 bytes - Specifies the maximum length of the query string, in bytes.
Storage limits
The following table describes default limits for Azure general-purpose v1, v2, and Blob storage accounts. The
ingress limit refers to all data from requests that are sent to a storage account. The egress limit refers to all data
from responses that are received from a storage account.

RESOURCE DEFAULT LIMIT

Number of storage accounts per region per subscription, including both standard and premium accounts 250

Maximum storage account capacity 2 PiB for US and Europe, and 500 TiB for all other regions (including the UK)¹

Maximum number of blob containers, blobs, file shares, tables, queues, entities, or messages per storage account No limit

Maximum request rate¹ per storage account 20,000 requests per second

Maximum ingress¹ per storage account (US, Europe regions) 25 Gbps

Maximum ingress¹ per storage account (regions other than US and Europe) 5 Gbps if RA-GRS/GRS is enabled, 10 Gbps for LRS/ZRS²

Maximum egress for general-purpose v2 and Blob storage accounts (all regions) 50 Gbps

Maximum egress for general-purpose v1 storage accounts (US regions) 20 Gbps if RA-GRS/GRS is enabled, 30 Gbps for LRS/ZRS²

Maximum egress for general-purpose v1 storage accounts (non-US regions) 10 Gbps if RA-GRS/GRS is enabled, 15 Gbps for LRS/ZRS²

Maximum number of virtual network rules per storage account 200

Maximum number of IP address rules per storage account 200

¹ Azure Storage standard accounts support higher capacity limits and higher limits for ingress by request. To
request an increase in account limits for ingress, contact Azure Support. For more information, see Announcing
larger, higher scale storage accounts.
² If your storage account has read-access enabled with geo-redundant storage (RA-GRS) or geo-zone-redundant
storage (RA-GZRS), then the egress targets for the secondary location are identical to those of the primary
location. Azure Storage replication options include:
Locally redundant storage (LRS)
Zone-redundant storage (ZRS)
Geo-redundant storage (GRS)
Read-access geo-redundant storage (RA-GRS)
Geo-zone-redundant storage (GZRS)
Read-access geo-zone-redundant storage (RA-GZRS)

NOTE
Microsoft recommends that you use a general-purpose v2 storage account for most scenarios. You can easily upgrade a
general-purpose v1 or an Azure Blob storage account to a general-purpose v2 account with no downtime and without the
need to copy data. For more information, see Upgrade to a general-purpose v2 storage account.

If the needs of your application exceed the scalability targets of a single storage account, you can build your
application to use multiple storage accounts. You can then partition your data objects across those storage
accounts. For information on volume pricing, see Azure Storage pricing.
All storage accounts run on a flat network topology and support the scalability and performance targets outlined
in this article, regardless of when they were created. For more information on the Azure Storage flat network
architecture and on scalability, see Microsoft Azure Storage: A Highly Available Cloud Storage Service with Strong
Consistency.
For more information on limits for standard storage accounts, see Scalability targets for standard storage
accounts.
Storage resource provider limits
The following limits apply only when you perform management operations by using Azure Resource Manager
with Azure Storage.

RESOURCE DEFAULT LIMIT

Storage account management operations (read) 800 per 5 minutes

Storage account management operations (write) 200 per hour

Storage account management operations (list) 100 per 5 minutes

Azure Blob storage limits

RESOURCE TARGET

Maximum size of single blob container Same as maximum storage account capacity

Maximum number of blocks in a block blob or append blob 50,000 blocks

Maximum size of a block in a block blob 100 MiB

Maximum size of a block blob 50,000 X 100 MiB (approximately 4.75 TiB)

Maximum size of a block in an append blob 4 MiB


Maximum size of an append blob 50,000 x 4 MiB (approximately 195 GiB)

Maximum size of a page blob 8 TiB

Maximum number of stored access policies per blob container 5

Target request rate for a single blob Up to 500 requests per second

Target throughput for a single page blob Up to 60 MiB per second

Target throughput for a single block blob Up to storage account ingress/egress limits1

1 Throughput for a single blob depends on several factors, including, but not limited to: concurrency, request size,
performance tier, speed of source for uploads, and destination for downloads. To take advantage of the
performance enhancements of high-throughput block blobs, upload larger blobs or blocks. Specifically, call the Put
Blob or Put Block operation with a blob or block size that is greater than 4 MiB for standard storage accounts. For
premium block blob or for Data Lake Storage Gen2 storage accounts, use a block or blob size that is greater than
256 KiB.
Azure Files limits
For more information on Azure Files limits, see Azure Files scalability and performance targets.

RESOURCE | STANDARD FILE SHARES | PREMIUM FILE SHARES

Minimum size of a file share | No minimum; pay as you go | 100 GiB; provisioned

Maximum size of a file share | 100 TiB*, 5 TiB | 100 TiB

Maximum size of a file in a file share | 1 TiB | 1 TiB

Maximum number of files in a file share | No limit | No limit

Maximum IOPS per share | 10,000 IOPS*, 1,000 IOPS | 100,000 IOPS

Maximum number of stored access policies per file share | 5 | 5

Target throughput for a single file share | Up to 300 MiB/sec*, up to 60 MiB/sec | See premium file share ingress and egress values

Maximum egress for a single file share | See standard file share target throughput | Up to 6,204 MiB/s

Maximum ingress for a single file share | See standard file share target throughput | Up to 4,136 MiB/s

Maximum open handles per file | 2,000 open handles | 2,000 open handles

Maximum number of share snapshots | 200 share snapshots | 200 share snapshots

Maximum object (directories and files) name length | 2,048 characters | 2,048 characters

Maximum pathname component (in the path \A\B\C\D, each letter is a component) | 255 characters | 255 characters

* Not available in all regions, see Regional availability for a list of available regions.
Azure File Sync limits

RESOURCE | TARGET | HARD LIMIT

Storage Sync Services per region | 20 Storage Sync Services | Yes

Sync groups per Storage Sync Service | 100 sync groups | Yes

Registered servers per Storage Sync Service | 99 servers | Yes

Cloud endpoints per sync group | 1 cloud endpoint | Yes

Server endpoints per sync group | 50 server endpoints | No

Server endpoints per server | 30 server endpoints | Yes

File system objects (directories and files) per sync group | 100 million objects | No

Maximum number of file system objects (directories and files) in a directory | 5 million objects | Yes

Maximum object (directories and files) security descriptor size | 64 KiB | Yes

File size | 100 GiB | No

Minimum file size for a file to be tiered | V9: Based on file system cluster size (double file system cluster size). For example, if the file system cluster size is 4kb, the minimum file size will be 8kb. V8 and older: 64 KiB | Yes

NOTE
An Azure File Sync endpoint can scale up to the size of an Azure file share. If the Azure file share size limit is reached, sync will
not be able to operate.

Azure Queue storage limits

RESOURCE TARGET

Maximum size of a single queue 500 TiB

Maximum size of a message in a queue 64 KiB


Maximum number of stored access policies per queue 5

Maximum request rate per storage account 20,000 messages per second, which assumes a 1-KiB message size

Target throughput for a single queue (1-KiB messages) Up to 2,000 messages per second

Azure Table storage limits

RESOURCE TARGET

Maximum size of a single table 500 TiB

Maximum size of a table entity 1 MiB

Maximum number of properties in a table entity 255, which includes three system properties: PartitionKey, RowKey, and Timestamp

Maximum total size of property values in an entity 1 MiB

Maximum total size of an individual property in an entity Varies by property type. For more information, see Property Types in Understanding the Table Service Data Model.

Maximum number of stored access policies per table 5

Maximum request rate per storage account 20,000 transactions per second, which assumes a 1-KiB entity size

Target throughput for a single table partition (1 KiB-entities) Up to 2,000 entities per second

Virtual machine disk limits


You can attach a number of data disks to an Azure virtual machine. Based on the scalability and performance
targets for a VM's data disks, you can determine the number and type of disk that you need to meet your
performance and capacity requirements.

IMPORTANT
For optimal performance, limit the number of highly utilized disks attached to the virtual machine to avoid possible
throttling. If all attached disks aren't highly utilized at the same time, the virtual machine can support a larger number of
disks.

For Azure managed disks:


The following table illustrates the default and maximum limits of the number of resources per region per
subscription. There is no limit for the number of Managed Disks, snapshots and images per resource group.

RESOURCE DEFAULT LIMIT MAXIMUM LIMIT

Standard managed disks 50,000 50,000

Standard SSD managed disks 50,000 50,000


Premium managed disks 50,000 50,000

Standard_LRS snapshots 50,000 50,000

Standard_ZRS snapshots 50,000 50,000

Managed image 50,000 50,000

For Standard storage accounts: A Standard storage account has a maximum total request rate of 20,000
IOPS. The total IOPS across all of your virtual machine disks in a Standard storage account should not
exceed this limit.
You can roughly calculate the number of highly utilized disks supported by a single Standard storage
account based on the request rate limit. For example, for a Basic tier VM, the maximum number of highly
utilized disks is about 66, which is 20,000/300 IOPS per disk. The maximum number of highly utilized disks
for a Standard tier VM is about 40, which is 20,000/500 IOPS per disk.
For Premium storage accounts: A Premium storage account has a maximum total throughput rate of 50
Gbps. The total throughput across all of your VM disks should not exceed this limit.
For more information, see Virtual machine sizes.
Managed virtual machine disks
Standard HDD managed disks

STANDARD DISK TYPE | S4 | S6 | S10 | S15 | S20 | S30 | S40 | S50 | S60 | S70 | S80

Disk size in GiB | 32 | 64 | 128 | 256 | 512 | 1,024 | 2,048 | 4,096 | 8,192 | 16,384 | 32,767

IOPS per disk | Up to 500 | Up to 500 | Up to 500 | Up to 500 | Up to 500 | Up to 500 | Up to 500 | Up to 500 | Up to 1,300 | Up to 2,000 | Up to 2,000

Throughput per disk | Up to 60 MiB/sec | Up to 60 MiB/sec | Up to 60 MiB/sec | Up to 60 MiB/sec | Up to 60 MiB/sec | Up to 60 MiB/sec | Up to 60 MiB/sec | Up to 60 MiB/sec | Up to 300 MiB/sec | Up to 500 MiB/sec | Up to 500 MiB/sec

Standard SSD managed disks

STANDARD SSD SIZES | E1* | E2* | E3* | E4 | E6 | E10 | E15 | E20 | E30 | E40 | E50 | E60 | E70 | E80

Disk size in GiB | 4 | 8 | 16 | 32 | 64 | 128 | 256 | 512 | 1,024 | 2,048 | 4,096 | 8,192 | 16,384 | 32,767

IOPS per disk | Up to 120 | Up to 120 | Up to 120 | Up to 120 | Up to 240 | Up to 500 | Up to 500 | Up to 500 | Up to 500 | Up to 500 | Up to 500 | Up to 2,000 | Up to 4,000 | Up to 6,000

Throughput per disk | Up to 25 MiB/sec | Up to 25 MiB/sec | Up to 25 MiB/sec | Up to 25 MiB/sec | Up to 50 MiB/sec | Up to 60 MiB/sec | Up to 60 MiB/sec | Up to 60 MiB/sec | Up to 60 MiB/sec | Up to 60 MiB/sec | Up to 60 MiB/sec | Up to 400 MiB/sec | Up to 600 MiB/sec | Up to 750 MiB/sec

*Denotes a disk size that is currently in preview, for regional availability information see New disk sizes: Managed
and unmanaged.
Premium SSD managed disks: Per-disk limits

PREMIUM SSD SIZES | P1* | P2* | P3* | P4 | P6 | P10 | P15 | P20 | P30 | P40 | P50 | P60 | P70 | P80

Disk size in GiB | 4 | 8 | 16 | 32 | 64 | 128 | 256 | 512 | 1,024 | 2,048 | 4,096 | 8,192 | 16,384 | 32,767

IOPS per disk | 120 | 120 | 120 | 120 | 240 | 500 | 1,100 | 2,300 | 5,000 | 7,500 | 7,500 | 16,000 | 18,000 | 20,000

Throughput per disk | 25 MiB/sec | 25 MiB/sec | 25 MiB/sec | 25 MiB/sec | 50 MiB/sec | 100 MiB/sec | 125 MiB/sec | 150 MiB/sec | 200 MiB/sec | 250 MiB/sec | 250 MiB/sec | 500 MiB/sec | 750 MiB/sec | 900 MiB/sec

Max burst IOPS per disk** | 3,500 | 3,500 | 3,500 | 3,500 | 3,500 | 3,500 | 3,500 | 3,500 | | | | | |

Max burst throughput per disk** | 170 MiB/sec | 170 MiB/sec | 170 MiB/sec | 170 MiB/sec | 170 MiB/sec | 170 MiB/sec | 170 MiB/sec | 170 MiB/sec | | | | | |

Max burst duration** | 30 min | 30 min | 30 min | 30 min | 30 min | 30 min | 30 min | 30 min | | | | | |

*Denotes a disk size that is currently in preview, for regional availability information see New disk sizes: Managed
and unmanaged.
**Denotes a feature that is currently in preview, see Disk bursting for more information.
Premium SSD managed disks: Per-VM limits

RESOURCE DEFAULT LIMIT

Maximum IOPS Per VM 80,000 IOPS with GS5 VM

Maximum throughput per VM 2,000 MB/s with GS5 VM

Unmanaged virtual machine disks


Standard unmanaged virtual machine disks: Per-disk limits

VM TIER | BASIC TIER VM | STANDARD TIER VM

Disk size | 4,095 GB | 4,095 GB

Maximum 8-KB IOPS per persistent disk | 300 | 500

Maximum number of disks that perform the maximum IOPS | 66 | 40

Premium unmanaged virtual machine disks: Per-account limits

RESOURCE DEFAULT LIMIT

Total disk capacity per account 35 TB

Total snapshot capacity per account 10 TB

Maximum bandwidth per account (ingress + egress)1 <=50 Gbps

¹ Ingress refers to all data from requests that are sent to a storage account. Egress refers to all data from
responses that are received from a storage account.
Premium unmanaged virtual machine disks: Per-disk limits

PREMIUM STORAGE DISK TYPE | P10 | P20 | P30 | P40 | P50

Disk size | 128 GiB | 512 GiB | 1,024 GiB (1 TB) | 2,048 GiB (2 TB) | 4,095 GiB (4 TB)

Maximum IOPS per disk | 500 | 2,300 | 5,000 | 7,500 | 7,500

Maximum throughput per disk | 100 MB/sec | 150 MB/sec | 200 MB/sec | 250 MB/sec | 250 MB/sec

Maximum number of disks per storage account | 280 | 70 | 35 | 17 | 8

Premium unmanaged virtual machine disks: Per-VM limits

RESOURCE DEFAULT LIMIT

Maximum IOPS per VM 80,000 IOPS with GS5 VM

Maximum throughput per VM 2,000 MB/sec with GS5 VM

Azure Cloud Services limits


RESOURCE | DEFAULT LIMIT | MAXIMUM LIMIT

Web or worker roles per deployment¹ | 25 | 25

Instance input endpoints per deployment | 25 | 25

Input endpoints per deployment | 25 | 25

Internal endpoints per deployment | 25 | 25

Hosted service certificates per deployment | 199 | 199

1Each Azure Cloud Service with web or worker roles can have two deployments, one for production and one for
staging. This limit refers to the number of distinct roles, that is, configuration. This limit doesn't refer to the number
of instances per role, that is, scaling.
Azure Cognitive Services limits
The following limits are for the number of Cognitive Services resources per Azure subscription. Each of the
Cognitive Services may have additional limitations, for more information see Azure Cognitive Services.
TYPE | LIMIT | EXAMPLE

A mixture of Cognitive Services resources | Maximum of 200 total Cognitive Services resources. | 100 Computer Vision resources in West US 2, 50 Speech Service resources in West US, and 50 Text Analytics resources in East US.

A single type of Cognitive Services resources. | Maximum of 100 resources per region, with a maximum of 200 total Cognitive Services resources. | 100 Computer Vision resources in West US 2, and 100 Computer Vision resources in East US.

App Service limits


The following App Service limits include limits for Web Apps, Mobile Apps, and API Apps.

RESOURCE | FREE | SHARED | BASIC | STANDARD | PREMIUM (V2) | ISOLATED

Web, mobile, or API apps per Azure App Service plan¹ | 10 | 100 | Unlimited² | Unlimited² | Unlimited² | Unlimited²

App Service plan | 10 per region | 10 per resource group | 100 per resource group | 100 per resource group | 100 per resource group | 100 per resource group

Compute instance type | Shared | Shared | Dedicated³ | Dedicated³ | Dedicated³ | Dedicated³

Scale out (maximum instances) | 1 shared | 1 shared | 3 dedicated³ | 10 dedicated³ | 30 dedicated³ | 100 dedicated⁴

Storage⁵ | 1 GB⁵ | 1 GB⁵ | 10 GB⁵ | 50 GB⁵ | 250 GB⁵ | 1 TB⁵

CPU time (5 minutes)⁶ | 3 minutes | 3 minutes | Unlimited, pay at standard rates | Unlimited, pay at standard rates | Unlimited, pay at standard rates | Unlimited, pay at standard rates

CPU time (day)⁶ | 60 minutes | 240 minutes | Unlimited, pay at standard rates | Unlimited, pay at standard rates | Unlimited, pay at standard rates | Unlimited, pay at standard rates

Memory (1 hour) | 1,024 MB per App Service plan | 1,024 MB per app | N/A | N/A | N/A | N/A

Bandwidth | 165 MB | Unlimited, data transfer rates apply | Unlimited, data transfer rates apply | Unlimited, data transfer rates apply | Unlimited, data transfer rates apply | Unlimited, data transfer rates apply

Application architecture | 32-bit | 32-bit | 32-bit/64-bit | 32-bit/64-bit | 32-bit/64-bit | 32-bit/64-bit

Web sockets per instance⁷ | 5 | 35 | 350 | Unlimited | Unlimited | Unlimited

IP connections | 600 | 600 | Depends on instance size⁸ | Depends on instance size⁸ | Depends on instance size⁸ | 64,000

Concurrent debugger connections per application | 1 | 1 | 1 | 5 | 5 | 5

App Service Certificates per subscription⁹ | Not supported | Not supported | 10 | 10 | 10 | 10

Custom domains per app | 0 (azurewebsites.net subdomain only) | 500 | 500 | 500 | 500 | 500

Custom domain SSL support | Not supported, wildcard certificate for *.azurewebsites.net available by default | Not supported, wildcard certificate for *.azurewebsites.net available by default | Unlimited SNI SSL connections | Unlimited SNI SSL and 1 IP SSL connections included | Unlimited SNI SSL and 1 IP SSL connections included | Unlimited SNI SSL and 1 IP SSL connections included

Hybrid connections per plan | | | 5 | 25 | 200 | 200

Integrated load balancer | | X | X | X | X | X¹⁰

Always On | | | X | X | X | X

Scheduled backups | | | | Scheduled backups every 2 hours, a maximum of 12 backups per day (manual + scheduled) | Scheduled backups every hour, a maximum of 50 backups per day (manual + scheduled) | Scheduled backups every hour, a maximum of 50 backups per day (manual + scheduled)

Autoscale | | | | X | X | X

WebJobs¹¹ | X | X | X | X | X | X

Azure Scheduler support | | X | X | X | X | X

Endpoint monitoring | | | X | X | X | X

Staging slots | | | | 5 | 20 | 20

SLA | | | 99.95% | 99.95% | 99.95% | 99.95%

¹ Apps and storage quotas are per App Service plan unless noted otherwise.
² The actual number of apps that you can host on these machines depends on the activity of the apps, the size of
the machine instances, and the corresponding resource utilization.
³ Dedicated instances can be of different sizes. For more information, see App Service pricing.
⁴ More are allowed upon request.
⁵ The storage limit is the total content size across all apps in the same App service plan. The total content size of all
apps across all App service plans in a single resource group and region cannot exceed 500GB.
⁶ These resources are constrained by physical resources on the dedicated instances (the instance size and the
number of instances).
⁷ If you scale an app in the Basic tier to two instances, you have 350 concurrent connections for each of the two
instances. For Standard tier and above, there are no theoretical limits to web sockets, but other factors can limit the
number of web sockets. For example, maximum concurrent requests allowed (defined by
maxConcurrentRequestsPerCpu) are: 7,500 per small VM, 15,000 per medium VM (7,500 x 2 cores), and 75,000 per
large VM (18,750 x 4 cores).
⁸ The maximum IP connections are per instance and depend on the instance size: 1,920 per B1/S1/P1V2 instance,
3,968 per B2/S2/P2V2 instance, 8,064 per B3/S3/P3V2 instance.
⁹ The App Service Certificate quota limit per subscription can be increased via a support request to a maximum
limit of 200.
¹⁰ App Service Isolated SKUs can be internally load balanced (ILB) with Azure Load Balancer, so there's no public
connectivity from the internet. As a result, some features of an ILB Isolated App Service must be used from
machines that have direct access to the ILB network endpoint.
¹¹ Run custom executables and/or scripts on demand, on a schedule, or continuously as a background task within
your App Service instance. Always On is required for continuous WebJobs execution. Azure Scheduler Free or
Standard is required for scheduled WebJobs. There's no predefined limit on the number of WebJobs that can run
in an App Service instance. There are practical limits that depend on what the application code is trying to do.
Functions limits
RESOURCE | CONSUMPTION PLAN | PREMIUM PLAN | APP SERVICE PLAN¹

Scale out | Event driven | Event driven | Manual/autoscale

Max instances | 200 | 100 | 10-20

Default timeout duration (min) | 5 | 30 | 30²

Max timeout duration (min) | 10 | 60 | unbounded³

Max outbound connections (per instance) | 600 active (1200 total) | unbounded | unbounded

Max request size (MB)⁴ | 100 | 100 | 100

Max query string length⁴ | 4096 | 4096 | 4096

Max request URL length⁴ | 8192 | 8192 | 8192

ACU per instance | 100 | 210-840 | 100-840

Max memory (GB per instance) | 1.5 | 3.5-14 | 1.75-14

Function apps per plan | 100 | 100 | unbounded⁵

App Service plans | 100 per region | 100 per resource group | 100 per resource group

Storage⁶ | 1 GB | 250 GB | 50-1000 GB

Custom domains per app | 500⁷ | 500 | 500

Custom domain SSL support | unbounded SNI SSL connection included | unbounded SNI SSL and 1 IP SSL connections included | unbounded SNI SSL and 1 IP SSL connections included

¹ For specific limits for the various App Service plan options, see the App Service plan limits.
² By default, the timeout for the Functions 1.x runtime in an App Service plan is unbounded.
³ Requires the App Service plan be set to Always On. Pay at standard rates.
⁴ These limits are set in the host.
⁵ The actual number of function apps that you can host depends on the activity of the apps, the size of the machine
instances, and the corresponding resource utilization.
⁶ The storage limit is the total content size in temporary storage across all apps in the same App Service plan.
Consumption plan uses Azure Files for temporary storage.
⁷ When your function app is hosted in a Consumption plan, only the CNAME option is supported. For function
apps in a Premium plan or an App Service plan, you can map a custom domain using either a CNAME or an A
record.
Scheduler limits
The following table describes each of the major quotas, limits, defaults, and throttles in Azure Scheduler.

RESOURCE LIMIT DESCRIPTION

Job size The maximum job size is 16,000. If a PUT or a PATCH operation results in a job size larger than this limit, a 400 Bad Request status code is returned.

Job collections The maximum number of job collections per Azure subscription is 200,000.

Jobs per collection By default, the maximum number of jobs is five jobs in a free job collection and 50 jobs in a standard job collection. You can change the maximum number of jobs on a job collection. All jobs in a job collection are limited to the value set on the job collection. If you attempt to create more jobs than the maximum jobs quota, the request fails with a 409 Conflict status code.

Time to start time The maximum "time to start time" is 18 months.

Recurrence span The maximum recurrence span is 18 months.

Frequency By default, the maximum frequency quota is one hour in a free job collection and one minute in a standard job collection. You can make the maximum frequency on a job collection lower than the maximum. All jobs in the job collection are limited to the value set on the job collection. If you attempt to create a job with a higher frequency than the maximum frequency on the job collection, the request fails with a 409 Conflict status code.

Body size The maximum body size for a request is 8,192 chars.

Request URL size The maximum size for a request URL is 2,048 chars.

Header count The maximum header count is 50 headers.

Aggregate header size The maximum aggregate header size is 4,096 chars.

Timeout The request timeout is static, that is, not configurable, and is 60 seconds for HTTP actions. For longer running operations, follow the HTTP asynchronous protocols. For example, return a 202 immediately but continue working in the background.

Job history The maximum response body stored in job history is 2,048 bytes.

Job history retention Job history is kept for up to two months or up to the last 1,000 executions.

Completed and faulted job retention Completed and faulted jobs are kept for 60 days.

Batch limits
RESOURCE | DEFAULT LIMIT | MAXIMUM LIMIT

Azure Batch accounts per region per subscription | 1-3 | 50

Dedicated cores per Batch account | 90-900 | Contact support

Low-priority cores per Batch account | 10-100 | Contact support

Active jobs and job schedules per Batch account (completed jobs have no limit) | 100-300 | 1,000¹

Pools per Batch account | 20-100 | 500¹

NOTE
Default limits vary depending on the type of subscription you use to create a Batch account. Cores quotas shown are for
Batch accounts in Batch service mode. View the quotas in your Batch account.

¹ To request an increase beyond this limit, contact Azure Support.

BizTalk Services limits


The following table shows the limits for Azure BizTalk Services.

RESOURCE | FREE (PREVIEW) | DEVELOPER | BASIC | STANDARD | PREMIUM

Scale out | N/A | N/A | Yes, in increments of 1 Basic unit | Yes, in increments of 1 Standard unit | Yes, in increments of 1 Premium unit

Scale limit | N/A | N/A | Up to 8 units | Up to 8 units | Up to 8 units

EAI bridges per unit | N/A | 25 | 25 | 125 | 500

EDI agreements per unit | N/A | 10 | 50 | 250 | 1,000

Hybrid connections per unit | 5 | 5 | 10 | 50 | 100

Hybrid connection data transfer (GBs) per unit | 5 | 5 | 50 | 250 | 500

Number of connections that use BizTalk Adapter Service per unit | N/A | 1 | 2 | 5 | 25

Archiving | N/A | Available | N/A | N/A | Available

High availability | N/A | N/A | Available | Available | Available

Azure Cosmos DB limits


For Azure Cosmos DB limits, see Limits in Azure Cosmos DB.
Azure Data Explorer limits
The following table describes the maximum limits for Azure Data Explorer clusters.

RESOURCE LIMIT

Clusters per region per subscription 20

Instances per cluster 1000

Number of databases in a cluster 10,000

Number of attached database configurations in a cluster 70

The following table describes the limits on management operations performed on Azure Data Explorer clusters.
SCOPE | OPERATION | LIMIT

Cluster | read (for example, get a cluster) | 500 per 5 minutes

Cluster | write (for example, create a database) | 1000 per hour

Azure Database for MySQL


For Azure Database for MySQL limits, see Limitations in Azure Database for MySQL.
Azure Database for PostgreSQL
For Azure Database for PostgreSQL limits, see Limitations in Azure Database for PostgreSQL.
Azure Cognitive Search limits
Pricing tiers determine the capacity and limits of your search service. Tiers include:
Free multi-tenant service, shared with other Azure subscribers, is intended for evaluation and small
development projects.
Basic provides dedicated computing resources for production workloads at a smaller scale, with up to three
replicas for highly available query workloads.
Standard, which includes S1, S2, S3, and S3 High Density, is for larger production workloads. Multiple levels
exist within the Standard tier so that you can choose a resource configuration that best matches your workload
profile.
Limits per subscription
You can create multiple services within a subscription. Each one can be provisioned at a specific tier. You're limited
only by the number of services allowed at each tier. For example, you could create up to 12 services at the Basic
tier and another 12 services at the S1 tier within the same subscription. For more information about tiers, see
Choose an SKU or tier for Azure Cognitive Search.
Maximum service limits can be raised upon request. If you need more services within the same subscription,
contact Azure Support.

RESOURCE | FREE¹ | BASIC | S1 | S2 | S3 | S3 HD | L1 | L2

Maximum services | 1 | 16 | 16 | 8 | 6 | 6 | 6 | 6

Maximum scale in search units (SU)² | N/A | 3 SU | 36 SU | 36 SU | 36 SU | 36 SU | 36 SU | 36 SU

¹ Free is based on shared, not dedicated, resources. Scale-up is not supported on shared resources.
² Search units are billing units, allocated as either a replica or a partition. You need both resources for storage,
indexing, and query operations. To learn more about SU computations, see Scale resource levels for query and
index workloads.
Limits per search service
Storage is constrained by disk space or by a hard limit on the maximum number of indexes, document, or other
high-level resources, whichever comes first. The following table documents storage limits. For maximum limits on
indexes, documents, and other objects, see Limits by resource.
RESOURCE | FREE | BASIC¹ | S1 | S2 | S3 | S3 HD² | L1 | L2

Service level agreement (SLA)³ | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes

Storage per partition | 50 MB | 2 GB | 25 GB | 100 GB | 200 GB | 200 GB | 1 TB | 2 TB

Partitions per service | N/A | 1 | 12 | 12 | 12 | 3 | 12 | 12

Partition size | N/A | 2 GB | 25 GB | 100 GB | 200 GB | 200 GB | 1 TB | 2 TB

Replicas | N/A | 3 | 12 | 12 | 12 | 12 | 12 | 12

1 Basic has one fixed partition. At this tier, additional search units are used for allocating more replicas for
increased query workloads.
2 S3 HD has a hard limit of three partitions, which is lower than the partition limit for S3. The lower partition limit
is imposed because the index count for S3 HD is substantially higher. Given that service limits exist for both
computing resources (storage and processing) and content (indexes and documents), the content limit is reached
first.
3 Service level agreements are offered for billable services on dedicated resources. Free services and preview
features have no SLA. For billable services, SLAs take effect when you provision sufficient redundancy for your
service. Two or more replicas are required for query (read) SLAs. Three or more replicas are required for query
and indexing (read-write) SLAs. The number of partitions isn't an SLA consideration.
To learn more about limits on a more granular level, such as document size, queries per second, keys, requests, and
responses, see Service limits in Azure Cognitive Search.
Media Services limits

NOTE
For resources that aren't fixed, open a support ticket to ask for an increase in the quotas. Don't create additional Azure
Media Services accounts in an attempt to obtain higher limits.

RESOURCE | DEFAULT LIMIT
Azure Media Services accounts in a single subscription | 25 (fixed)
Media reserved units per Media Services account | 25 (S1); 10 (S2, S3)¹
Jobs per Media Services account | 50,000²
Chained tasks per job | 30 (fixed)
Assets per Media Services account | 1,000,000
Assets per task | 50
Assets per job | 100
Unique locators associated with an asset at one time | 5⁴
Live channels per Media Services account | 5
Programs in stopped state per channel | 50
Programs in running state per channel | 3
Streaming endpoints that are stopped or running per Media Services account | 2
Streaming units per streaming endpoint | 10
Storage accounts | 1,000⁵ (fixed)
Policies | 1,000,000⁶
File size | In some scenarios, there's a limit on the maximum file size supported for processing in Media Services.⁷

1 If you change the type, for example, from S2 to S1, the maximum reserved unit limits are reset.
2 This number includes queued, finished, active, and canceled jobs. It doesn't include deleted jobs. You can delete
old jobs by using IJob.Delete or the DELETE HTTP request.
As of April 1, 2017, any job record in your account older than 90 days is automatically deleted, along with its
associated task records. Automatic deletion occurs even if the total number of records is below the maximum
quota. To archive the job and task information, use the code described in Manage assets with the Media Services
.NET SDK.
3 When you make a request to list job entities, a maximum of 1,000 jobs is returned per request. To keep track of all
submitted jobs, use the top or skip queries as described in OData system query options.
4 Locators aren't designed for managing per-user access control. To give different access rights to individual users,
use digital rights management (DRM) solutions. For more information, see Protect your content with Azure Media
Services.
5 The storage accounts must be from the same Azure subscription.
6 There's a limit of 1,000,000 policies for different Media Services policies. An example is for the Locator policy or
ContentKeyAuthorizationPolicy.

NOTE
If you always use the same days and access permissions, use the same policy ID. For information and an example, see
Manage assets with the Media Services .NET SDK.

7 The maximum size supported for a single blob is currently up to 5 TB in Azure Blob Storage. Additional limits
apply in Media Services based on the VM sizes that are used by the service. The size limit applies to the files that
you upload and also the files that get generated as a result of Media Services processing (encoding or analyzing). If
your source file is larger than 260-GB, your Job will likely fail.
The following table shows the limits on the media reserved units S1, S2, and S3. If your source file is larger than
the limits defined in the table, your encoding job fails. If you encode 4K resolution sources of long duration, you're
required to use S3 media reserved units to achieve the performance needed. If you have 4K content that's larger
than the 260-GB limit on the S3 media reserved units, open a support ticket.

MEDIA RESERVED UNIT TYPE | MAXIMUM INPUT SIZE (GB)
S1 | 26
S2 | 60
S3 | 260

Content Delivery Network limits


RESOURCE | DEFAULT LIMIT
Azure Content Delivery Network profiles | 25
Content Delivery Network endpoints per profile | 25
Custom domains per endpoint | 25

A Content Delivery Network subscription can contain one or more Content Delivery Network profiles. A Content
Delivery Network profile can contain one or more Content Delivery Network endpoints. You might want to use
multiple profiles to organize your Content Delivery Network endpoints by internet domain, web application, or
some other criteria.
Mobile Services limits
TIER | FREE | BASIC | STANDARD
API calls | 500,000 | 1.5 million per unit | 15 million per unit
Active devices | 500 | Unlimited | Unlimited
Scale | N/A | Up to 6 units | Unlimited units
Push notifications | Azure Notification Hubs Free tier included, up to 1 million pushes | Notification Hubs Basic tier included, up to 10 million pushes | Notification Hubs Standard tier included, up to 10 million pushes
Real-time messaging/Web Sockets | Limited | 350 per mobile service | Unlimited
Offline synchronizations | Limited | Included | Included
Scheduled jobs | Limited | Included | Included
Azure SQL Database (required). Standard rates apply for additional capacity | 20 MB included | 20 MB included | 20 MB included
CPU capacity | 60 minutes per day | Unlimited | Unlimited
Outbound data transfer | 165 MB per day (daily rollover) | Included | Included

For more information on limits and pricing, see Azure Mobile Services pricing.
Azure Monitor limits
Alerts

RESOURCE | DEFAULT LIMIT | MAXIMUM LIMIT
Metric alerts (classic) | 100 active alert rules per subscription. | Call support.
Metric alerts | 1000 active alert rules per subscription in Azure public, Azure China 21Vianet and Azure Government clouds. | Call support.
Activity log alerts | 100 active alert rules per subscription. | Same as default.
Log alerts | 512 | Call support.
Action groups | 2,000 action groups per subscription. | Call support.
Autoscale settings | 100 per region per subscription. | Same as default.

Action groups

RESOURCE | DEFAULT LIMIT | MAXIMUM LIMIT
Azure app push | 10 Azure app actions per action group. | Call support.
Email | 1,000 email actions in an action group. No more than 100 emails in an hour. Also see the rate limiting information. | Call support.
ITSM | 10 ITSM actions in an action group. | Call support.
Logic app | 10 logic app actions in an action group. | Call support.
Runbook | 10 runbook actions in an action group. | Call support.
SMS | 10 SMS actions in an action group. No more than 1 SMS message every 5 minutes. Also see the rate limiting information. | Call support.
Voice | 10 voice actions in an action group. No more than 1 voice call every 5 minutes. Also see the rate limiting information. | Call support.
Webhook | 10 webhook actions in an action group. Maximum number of webhook calls is 1500 per minute per subscription. Other limits are available at action-specific information. | Call support.

Log queries and language

LIMIT | DESCRIPTION
Query language | Azure Monitor uses the same Kusto query language as Azure Data Explorer. See Azure Monitor log query language differences for KQL language elements not supported in Azure Monitor.
Azure regions | Log queries can experience excessive overhead when data spans Log Analytics workspaces in multiple Azure regions. See Query limits for details.
Cross resource queries | Maximum number of Application Insights resources and Log Analytics workspaces in a single query limited to 100. Cross-resource query is not supported in View Designer. Cross-resource query in log alerts is supported in the new scheduledQueryRules API. See Cross-resource query limits for details.
Query throttling | A user is limited to 200 queries per 30 seconds on any number of workspaces. This limit applies to programmatic queries or to queries initiated by visualization parts such as Azure dashboards and the Log Analytics workspace summary page.

Log Analytics workspaces


Data collection volume and retention

TIER | LIMIT PER DAY | DATA RETENTION | COMMENT
Current Per GB pricing tier (introduced April 2018) | No limit | 30 - 730 days | Data retention beyond 31 days is available for additional charges. Learn more about Azure Monitor pricing.
Legacy Free tiers (introduced April 2016) | 500 MB | 7 days | When your workspace reaches the 500 MB per day limit, data ingestion stops and resumes at the start of the next day. A day is based on UTC. Note that data collected by Azure Security Center is not included in this 500 MB per day limit and will continue to be collected above this limit.
Legacy Standalone Per GB tier (introduced April 2016) | No limit | 30 to 730 days | Data retention beyond 31 days is available for additional charges. Learn more about Azure Monitor pricing.
Legacy Per Node (OMS) (introduced April 2016) | No limit | 30 to 730 days | Data retention beyond 31 days is available for additional charges. Learn more about Azure Monitor pricing.
Legacy Standard tier | No limit | 30 days | Retention can't be adjusted
Legacy Premium tier | No limit | 365 days | Retention can't be adjusted

Number of workspaces per subscription.

PRICING TIER | WORKSPACE LIMIT | COMMENTS
Free tier | 10 | This limit can't be increased.
All other tiers | No limit | You're limited by the number of resources within a resource group and the number of resource groups per subscription.

Azure portal

CATEGORY | LIMITS | COMMENTS
Maximum records returned by a log query | 10,000 | Reduce results using query scope, time range, and filters in the query.

Data Collector API

CATEGORY | LIMITS | COMMENTS
Maximum size for a single post | 30 MB | Split larger volumes into multiple posts.
Maximum size for field values | 32 KB | Fields longer than 32 KB are truncated.
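
The two Data Collector API limits above matter for log pipelines because an oversized field is truncated rather than rejected. The following pre-flight check is an added example, not part of the original documentation: it splits a record set into posts under the 30 MB limit and reports string fields over 32 KB. It assumes the post body is a JSON array, that MB and KB are binary units, and that sizes are measured in UTF-8 bytes; the function names and sample records are constructed for illustration.

```python
import json

# Limits from the Data Collector API table. Binary units and UTF-8 byte
# counting are assumptions of this example; the page states only "30 MB"
# and "32 KB".
MAX_POST_BYTES = 30 * 1024 * 1024
MAX_FIELD_BYTES = 32 * 1024


def _encode(record):
    """Serialize one record compactly so the size estimate is exact."""
    return json.dumps(record, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def oversized_fields(record, limit=MAX_FIELD_BYTES):
    """Return sorted names of string fields whose UTF-8 size exceeds the limit."""
    return sorted(
        name for name, value in record.items()
        if isinstance(value, str) and len(value.encode("utf-8")) > limit
    )


def split_into_posts(records, max_bytes=MAX_POST_BYTES):
    """Pack records, in order, into JSON array bodies of at most max_bytes each."""
    posts, current, size = [], [], 2  # 2 bytes for the enclosing "[" and "]"
    for index, record in enumerate(records):
        blob = _encode(record)
        if len(blob) + 2 > max_bytes:
            # A single record that cannot fit in any post must be handled upstream.
            raise ValueError(f"record {index} alone exceeds the post limit")
        extra = len(blob) + (1 if current else 0)  # separating comma
        if size + extra > max_bytes:
            posts.append(b"[" + b",".join(current) + b"]")
            current, size, extra = [], 2, len(blob)
        current.append(blob)
        size += extra
    if current:
        posts.append(b"[" + b",".join(current) + b"]")
    return posts


def preflight(records, max_bytes=MAX_POST_BYTES, field_limit=MAX_FIELD_BYTES):
    """Return (posts, warnings); warnings lists (record index, field names) at risk of truncation."""
    warnings = []
    for index, record in enumerate(records):
        names = oversized_fields(record, field_limit)
        if names:
            warnings.append((index, names))
    return split_into_posts(records, max_bytes), warnings


# Constructed sample records; the second carries a 40,000-character command line.
SAMPLE_RECORDS = [
    {"Computer": "host-01", "EventID": 4688, "CommandLine": "whoami"},
    {"Computer": "host-02", "EventID": 4688, "CommandLine": "A" * 40000},
    {"Computer": "host-03", "EventID": 4624, "Account": "svc-backup"},
]

if __name__ == "__main__":
    posts, warnings = preflight(SAMPLE_RECORDS)
    print(f"{len(posts)} post(s), sizes: {[len(p) for p in posts]}")
    for index, names in warnings:
        print(f"record {index}: fields over the field limit: {', '.join(names)}")
```

Records flagged in the warnings are better split or stored by reference before sending, since a truncated field can drop the part of the value an investigation needs.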

Search API
CATEGORY | LIMITS | COMMENTS
Maximum records returned in a single query | 500,000 |
Maximum size of data returned | 64,000,000 bytes (~61 MiB) |
Maximum query running time | 10 minutes | See Timeouts for details.
Maximum request rate | 200 requests per 30 seconds per AAD user or client IP address | See Rate limits for details.

General workspace limits

CATEGORY | LIMITS | COMMENTS
Maximum columns in a table | 500 |
Maximum characters for column name | 500 |
Data export | Not currently available | Use Azure Function or Logic App to aggregate and export data.

Data ingestion volume rate


Azure Monitor is a high scale data service that serves thousands of customers sending terabytes of data each
month at a growing pace. The default ingestion volume rate limit for data sent from Azure resources using
diagnostic settings is approximately 6 GB/min per workspace. This is an approximate value since the actual size
can vary between data types depending on the log length and its compression ratio. This limit does not apply to
data that is sent from agents or Data Collector API.
If you send data at a higher rate to a single workspace, some data is dropped, and an event is sent to the Operation
table in your workspace every 6 hours while the threshold continues to be exceeded. If your ingestion volume
continues to exceed the rate limit or you are expecting to reach it sometime soon, you can request an increase to
your workspace by opening a support request.
To be notified of such an event in your workspace, create a log alert rule using the following query, with alert logic
based on the number of results greater than zero.

Operation
| where OperationCategory == "Ingestion"
| where Detail startswith "The rate of data crossed the threshold"

NOTE
Depending on how long you've been using Log Analytics, you might have access to legacy pricing tiers. Learn more about
Log Analytics legacy pricing tiers.

Application Insights
There are some limits on the number of metrics and events per application, that is, per instrumentation key. Limits
depend on the pricing plan that you choose.
RESOURCE | DEFAULT LIMIT | NOTE
Total data per day | 100 GB | You can reduce data by setting a cap. If you need more data, you can increase the limit in the portal, up to 1,000 GB. For capacities greater than 1,000 GB, send email to [email protected].
Throttling | 32,000 events/second | The limit is measured over a minute.
Data retention | 90 days | This resource is for Search, Analytics, and Metrics Explorer.
Availability multi-step test detailed results retention | 90 days | This resource provides detailed results of each step.
Maximum event size | 64,000,000 bytes |
Property and metric name length | 150 | See type schemas.
Property value string length | 8,192 | See type schemas.
Trace and exception message length | 32,768 | See type schemas.
Availability tests count per app | 100 |
Profiler data retention | 5 days |
Profiler data sent per day | 10 GB |

For more information, see About pricing and quotas in Application Insights.
Notification Hubs limits
TIER | FREE | BASIC | STANDARD
Included pushes | 1 million | 10 million | 10 million
Active devices | 500 | 200,000 | 10 million
Tag quota per installation or registration | 60 | 60 | 60

For more information on limits and pricing, see Notification Hubs pricing.
Event Hubs limits
The following tables provide quotas and limits specific to Azure Event Hubs. For information about Event Hubs
pricing, see Event Hubs pricing.
The following limits are common across basic, standard, and dedicated tiers.
LIMIT | SCOPE | NOTES | VALUE
Number of Event Hubs namespaces per subscription | Subscription | - | 100
Number of event hubs per namespace | Namespace | Subsequent requests for creation of a new event hub are rejected. | 10
Number of partitions per event hub | Entity | - | 32
Maximum size of an event hub name | Entity | - | 50 characters
Number of non-epoch receivers per consumer group | Entity | - | 5
Maximum throughput units | Namespace | Exceeding the throughput unit limit causes your data to be throttled and generates a server busy exception. To request a larger number of throughput units for a Standard tier, file a support request. Additional throughput units are available in blocks of 20 on a committed purchase basis. | 20
Number of authorization rules per namespace | Namespace | Subsequent requests for authorization rule creation are rejected. | 12
Number of calls to the GetRuntimeInformation method | Entity | - | 50 per second
Number of virtual network (VNet) and IP Config rules | Entity | - | 128

Event Hubs Basic and Standard - quotas and limits


LIMIT | SCOPE | NOTES | BASIC | STANDARD
Maximum size of Event Hubs event | Entity | | 256 KB | 1 MB
Number of consumer groups per event hub | Entity | | 1 | 20
Number of AMQP connections per namespace | Namespace | Subsequent requests for additional connections are rejected, and an exception is received by the calling code. | 100 | 5,000
Maximum retention period of event data | Entity | | 1 day | 1-7 days
Apache Kafka enabled namespace | Namespace | Event Hubs namespace streams applications using Kafka protocol | No | Yes
Capture | Entity | When enabled, micro-batches on the same stream | No | Yes

Event Hubs Dedicated - quotas and limits


The Event Hubs Dedicated offering is billed at a fixed monthly price, with a minimum of 4 hours of usage. The
Dedicated tier offers all the features of the Standard plan, but with enterprise scale capacity and limits for
customers with demanding workloads.

FEATURE | LIMITS
Bandwidth | 20 CUs
Namespaces | 50 per CU
Event Hubs | 1000 per namespace
Ingress events | Included
Message Size | 1 MB
Partitions | 2000 per CU
Consumer groups | No limit per CU, 1000 per event hub
Brokered connections | 100 K included
Message Retention | 90 days, 10 TB included per CU
Capture | Included

Service Bus limits


The following table lists quota information specific to Azure Service Bus messaging. For information about pricing
and other quotas for Service Bus, see Service Bus pricing.
QUOTA NAME | SCOPE | NOTES | VALUE
Maximum number of Basic or Standard namespaces per Azure subscription | Namespace | Subsequent requests for additional Basic or Standard namespaces are rejected by the Azure portal. | 100
Maximum number of Premium namespaces per Azure subscription | Namespace | Subsequent requests for additional Premium namespaces are rejected by the portal. | 100
Queue or topic size | Entity | Defined upon creation of the queue or topic. Subsequent incoming messages are rejected, and an exception is received by the calling code. | 1, 2, 3, 4 GB or 5 GB. In the Premium SKU, and the Standard SKU with partitioning enabled, the maximum queue or topic size is 80 GB.
Number of concurrent connections on a namespace | Namespace | Subsequent requests for additional connections are rejected, and an exception is received by the calling code. REST operations don't count toward concurrent TCP connections. | NetMessaging: 1,000. AMQP: 5,000.
Number of concurrent receive requests on a queue, topic, or subscription entity | Entity | Subsequent receive requests are rejected, and an exception is received by the calling code. This quota applies to the combined number of concurrent receive operations across all subscriptions on a topic. | 5,000
Number of topics or queues per namespace | Namespace | Subsequent requests for creation of a new topic or queue on the namespace are rejected. As a result, if configured through the Azure portal, an error message is generated. If called from the management API, an exception is received by the calling code. | 10,000 for the Basic or Standard tier. The total number of topics and queues in a namespace must be less than or equal to 10,000. For the Premium tier, 1,000 per messaging unit (MU). Maximum limit is 4,000.
Number of partitioned topics or queues per namespace | Namespace | Subsequent requests for creation of a new partitioned topic or queue on the namespace are rejected. As a result, if configured through the Azure portal, an error message is generated. If called from the management API, the exception QuotaExceededException is received by the calling code. | Basic and Standard tiers: 100. Partitioned entities aren't supported in the Premium tier. Each partitioned queue or topic counts toward the quota of 1,000 entities per namespace.
Maximum size of any messaging entity path: queue or topic | Entity | - | 260 characters.
Maximum size of any messaging entity name: namespace, subscription, or subscription rule | Entity | - | 50 characters.
Maximum size of a message ID | Entity | - | 128
Maximum size of a message session ID | Entity | - | 128
Message size for a queue, topic, or subscription entity | Entity | Incoming messages that exceed these quotas are rejected, and an exception is received by the calling code. | Maximum message size: 256 KB for Standard tier, 1 MB for Premium tier. Due to system overhead, this limit is less than these values. Maximum header size: 64 KB. Maximum number of header properties in property bag: byte/int.MaxValue. Maximum size of property in property bag: No explicit limit. Limited by maximum header size.
Message property size for a queue, topic, or subscription entity | Entity | The exception SerializationException is generated. | Maximum message property size for each property is 32,000. Cumulative size of all properties can't exceed 64,000. This limit applies to the entire header of the BrokeredMessage, which has both user properties and system properties, such as SequenceNumber, Label, and MessageId.
Number of subscriptions per topic | Entity | Subsequent requests for creating additional subscriptions for the topic are rejected. As a result, if configured through the portal, an error message is shown. If called from the management API, an exception is received by the calling code. | 2,000 per-topic for the Standard tier.
Number of SQL filters per topic | Entity | Subsequent requests for creation of additional filters on the topic are rejected, and an exception is received by the calling code. | 2,000
Number of correlation filters per topic | Entity | Subsequent requests for creation of additional filters on the topic are rejected, and an exception is received by the calling code. | 100,000
Size of SQL filters or actions | Namespace | Subsequent requests for creation of additional filters are rejected, and an exception is received by the calling code. | Maximum length of filter condition string: 1,024 (1 K). Maximum length of rule action string: 1,024 (1 K). Maximum number of expressions per rule action: 32.
Number of SharedAccessAuthorizationRule rules per namespace, queue, or topic | Entity, namespace | Subsequent requests for creation of additional rules are rejected, and an exception is received by the calling code. | Maximum number of rules: 12. Rules that are configured on a Service Bus namespace apply to all queues and topics in that namespace.
Number of messages per transaction | Transaction | Additional incoming messages are rejected, and an exception stating "Cannot send more than 100 messages in a single transaction" is received by the calling code. | 100. For both Send() and SendAsync() operations.
Number of virtual network and IP filter rules | Namespace | | 128

IoT Central limits


IoT Central limits the number of applications you can deploy in a subscription to 10. If you need to increase this
limit, contact Microsoft support.
IoT Hub limits
The following table lists the limits associated with the different service tiers S1, S2, S3, and F1. For information
about the cost of each unit in each tier, see Azure IoT Hub pricing.

RESOURCE | S1 STANDARD | S2 STANDARD | S3 STANDARD | F1 FREE
Messages/day | 400,000 | 6,000,000 | 300,000,000 | 8,000
Maximum units | 200 | 200 | 10 | 1


NOTE
If you anticipate using more than 200 units with an S1 or S2 tier hub or 10 units with an S3 tier hub, contact Microsoft
Support.

The following table lists the limits that apply to IoT Hub resources.

RESOURCE | LIMIT
Maximum paid IoT hubs per Azure subscription | 100
Maximum free IoT hubs per Azure subscription | 1
Maximum number of characters in a device ID | 128
Maximum number of device identities returned in a single call | 1,000
IoT Hub message maximum retention for device-to-cloud messages | 7 days
Maximum size of device-to-cloud message | 256 KB
Maximum size of device-to-cloud batch | AMQP and HTTP: 256 KB for the entire batch. MQTT: 256 KB for each message
Maximum messages in device-to-cloud batch | 500
Maximum size of cloud-to-device message | 64 KB
Maximum TTL for cloud-to-device messages | 2 days
Maximum delivery count for cloud-to-device messages | 100
Maximum cloud-to-device queue depth per device | 50
Maximum delivery count for feedback messages in response to a cloud-to-device message | 100
Maximum TTL for feedback messages in response to a cloud-to-device message | 2 days
Maximum size of device twin | 8 KB for tags section, and 32 KB for desired and reported properties sections each
Maximum length of device twin string key | 1 KB
Maximum length of device twin string value | 4 KB
Maximum depth of object in device twin | 10
Maximum size of direct method payload | 128 KB
Job history maximum retention | 30 days
Maximum concurrent jobs | 10 (for S3), 5 (for S2), 1 (for S1)
Maximum additional endpoints | 10 (for S1, S2, and S3)
Maximum message routing rules | 100 (for S1, S2, and S3)
Maximum number of concurrently connected device streams | 50 (for S1, S2, S3, and F1 only)
Maximum device stream data transfer | 300 MB per day (for S1, S2, S3, and F1 only)

NOTE
If you need more than 100 paid IoT hubs in an Azure subscription, contact Microsoft Support.

NOTE
Currently, the total number of devices plus modules that can be registered to a single IoT hub is capped at 1,000,000. If you
want to increase this limit, contact Microsoft Support.

IoT Hub throttles requests when the following quotas are exceeded.

THROTTLE | PER-HUB VALUE
Identity registry operations (create, retrieve, list, update, and delete), individual or bulk import/export | 83.33/sec/unit (5,000/min/unit) (for S3). 1.67/sec/unit (100/min/unit) (for S1 and S2).
Device connections | 6,000/sec/unit (for S3), 120/sec/unit (for S2), 12/sec/unit (for S1). Minimum of 100/sec.
Device-to-cloud sends | 6,000/sec/unit (for S3), 120/sec/unit (for S2), 12/sec/unit (for S1). Minimum of 100/sec.
Cloud-to-device sends | 83.33/sec/unit (5,000/min/unit) (for S3), 1.67/sec/unit (100/min/unit) (for S1 and S2).
Cloud-to-device receives | 833.33/sec/unit (50,000/min/unit) (for S3), 16.67/sec/unit (1,000/min/unit) (for S1 and S2).
File upload operations | 83.33 file upload initiations/sec/unit (5,000/min/unit) (for S3), 1.67 file upload initiations/sec/unit (100/min/unit) (for S1 and S2). 10,000 SAS URIs can be out for an Azure Storage account at one time. 10 SAS URIs/device can be out at one time.
Direct methods | 24 MB/sec/unit (for S3), 480 KB/sec/unit (for S2), 160 KB/sec/unit (for S1). Based on 8-KB throttling meter size.
Device twin reads | 500/sec/unit (for S3), Maximum of 100/sec or 10/sec/unit (for S2), 100/sec (for S1)
Device twin updates | 250/sec/unit (for S3), Maximum of 50/sec or 5/sec/unit (for S2), 50/sec (for S1)
Jobs operations (create, update, list, and delete) | 83.33/sec/unit (5,000/min/unit) (for S3), 1.67/sec/unit (100/min/unit) (for S2), 1.67/sec/unit (100/min/unit) (for S1).
Jobs per-device operation throughput | 50/sec/unit (for S3), maximum of 10/sec or 1/sec/unit (for S2), 10/sec (for S1).
Device stream initiation rate | 5 new streams/sec (for S1, S2, S3, and F1 only).

IoT Hub Device Provisioning Service limits


The following table lists the limits that apply to Azure IoT Hub Device Provisioning Service resources.

RESOURCE | LIMIT
Maximum device provisioning services per Azure subscription | 10
Maximum number of enrollments | 1,000,000
Maximum number of registrations | 1,000,000
Maximum number of enrollment groups | 100
Maximum number of CAs | 25
Maximum number of linked IoT hubs | 50
Maximum size of message | 96 KB

NOTE
To increase the number of enrollments and registrations on your provisioning service, contact Microsoft Support.

The Device Provisioning Service throttles requests when the following quotas are exceeded.

THROTTLE | PER-UNIT VALUE
Operations | 200/min/service
Device registrations | 200/min/service
Device polling operation | 5/10 sec/device


Data Factory limits
Azure Data Factory is a multitenant service that has the following default limits in place to make sure customer
subscriptions are protected from each other's workloads. To raise the limits up to the maximum for your
subscription, contact support.
Version 2
RESOURCE | DEFAULT LIMIT | MAXIMUM LIMIT
Data factories in an Azure subscription | 50 | Contact support.
Total number of entities, such as pipelines, data sets, triggers, linked services, and integration runtimes, within a data factory | 5,000 | Contact support.
Total CPU cores for Azure-SSIS Integration Runtimes under one subscription | 256 | Contact support.
Concurrent pipeline runs per data factory that's shared among all pipelines in the factory | 10,000 | Contact support.
Concurrent External activity runs per subscription per Azure Integration Runtime region. External activities are managed on integration runtime but execute on linked services, including Databricks, stored procedure, HDInsights, Web, and others. | 3000 | Contact support.
Concurrent Pipeline activity runs per subscription per Azure Integration Runtime region. Pipeline activities execute on integration runtime, including Lookup, GetMetadata, and Delete. | 1000 | Contact support.
Concurrent authoring operations per subscription per Azure Integration Runtime region. Including test connection, browse folder list and table list, preview data. | 200 | Contact support.
Concurrent Data Integration Units¹ consumption per subscription per Azure Integration Runtime region | Region group 1²: 6000. Region group 2²: 3000. Region group 3²: 1500 | Contact support.
Maximum activities per pipeline, which includes inner activities for containers | 40 | 40
Maximum number of linked integration runtimes that can be created against a single self-hosted integration runtime | 100 | Contact support.
Maximum parameters per pipeline | 50 | 50
ForEach items | 100,000 | 100,000
ForEach parallelism | 20 | 50
Maximum queued runs per pipeline | 100 | 100
Characters per expression | 8,192 | 8,192
Minimum tumbling window trigger interval | 15 min | 15 min
Maximum timeout for pipeline activity runs | 7 days | 7 days
Bytes per object for pipeline objects³ | 200 KB | 200 KB
Bytes per object for dataset and linked service objects³ | 100 KB | 2,000 KB
Data Integration Units¹ per copy activity run | 256 | Contact support.
Write API calls | 1,200/h. This limit is imposed by Azure Resource Manager, not Azure Data Factory. | Contact support.
Read API calls | 12,500/h. This limit is imposed by Azure Resource Manager, not Azure Data Factory. | Contact support.
Monitoring queries per minute | 1,000 | Contact support.
Entity CRUD operations per minute | 50 | Contact support.
Maximum time of data flow debug session | 8 hrs | 8 hrs
Concurrent number of data flows per factory | 50 | Contact support.
Concurrent number of data flow debug sessions per user per factory | 3 | 3
Data Flow Azure IR TTL limit | 4 hrs | Contact support.

1 The data integration unit (DIU) is used in a cloud-to-cloud copy operation. Learn more from Data integration
units (version 2). For information on billing, see Azure Data Factory pricing.
2 Azure Integration Runtime is globally available to ensure data compliance, efficiency, and reduced network
egress costs.

REGION GROUP | REGIONS
Region group 1 | Central US, East US, East US2, North Europe, West Europe, West US, West US 2
Region group 2 | Australia East, Australia Southeast, Brazil South, Central India, Japan East, Northcentral US, Southcentral US, Southeast Asia, West Central US
Region group 3 | Canada Central, East Asia, France Central, Korea Central, UK South

3 Pipeline, data set, and linked service objects represent a logical grouping of your workload. Limits for these
objects don't relate to the amount of data you can move and process with Azure Data Factory. Data Factory is
designed to scale to handle petabytes of data.
Version 1
RESOURCE | DEFAULT LIMIT | MAXIMUM LIMIT
Pipelines within a data factory | 2,500 | Contact support.
Data sets within a data factory | 5,000 | Contact support.
Concurrent slices per data set | 10 | 10
Bytes per object for pipeline objects¹ | 200 KB | 200 KB
Bytes per object for data set and linked service objects¹ | 100 KB | 2,000 KB
Azure HDInsight on-demand cluster cores within a subscription² | 60 | Contact support.
Cloud data movement units per copy activity run³ | 32 | Contact support.
Retry count for pipeline activity runs | 1,000 | MaxInt (32 bit)

1 Pipeline, data set, and linked service objects represent a logical grouping of your workload. Limits for these
objects don't relate to the amount of data you can move and process with Azure Data Factory. Data Factory is
designed to scale to handle petabytes of data.
2 On-demand HDInsight cores are allocated out of the subscription that contains the data factory. As a result, the
previous limit is the Data Factory-enforced core limit for on-demand HDInsight cores. It's different from the core
limit that's associated with your Azure subscription.
3 The cloud data movement unit (DMU) for version 1 is used in a cloud-to-cloud copy operation. Learn more from
Cloud data movement units (version 1). For information on billing, see Azure Data Factory pricing.

RESOURCE | DEFAULT LOWER LIMIT | MINIMUM LIMIT
Scheduling interval | 15 minutes | 15 minutes
Interval between retry attempts | 1 second | 1 second
Retry timeout value | 1 second | 1 second

Web service call limits


Azure Resource Manager has limits for API calls. You can make API calls at a rate within the Azure Resource
Manager API limits.
Data Lake Analytics limits
Azure Data Lake Analytics makes the complex task of managing distributed infrastructure and complex code easy.
It dynamically provisions resources, and you can use it to do analytics on exabytes of data. When the job
completes, it winds down resources automatically. You pay only for the processing power that was used. As you
increase or decrease the size of data stored or the amount of compute used, you don’t have to rewrite code. To
raise the default limits for your subscription, contact support.

| RESOURCE | DEFAULT LIMIT | COMMENTS |
| --- | --- | --- |
| Maximum number of concurrent jobs | 20 | |
| Maximum number of analytics units (AUs) per account | 250 | Use any combination of up to a maximum of 250 AUs across 20 jobs. To increase this limit, contact Microsoft Support. |
| Maximum script size for job submission | 3 MB | |
| Maximum number of Data Lake Analytics accounts per region per subscription | 5 | To increase this limit, contact Microsoft Support. |

Data Lake Store limits


Azure Data Lake Storage Gen1 is an enterprise-wide hyper-scale repository for big data analytic workloads. You
can use Data Lake Storage Gen1 to capture data of any size, type, and ingestion speed in one single place for
operational and exploratory analytics. There's no limit to the amount of data you can store in a Data Lake Storage
Gen1 account.

| RESOURCE | DEFAULT LIMIT | COMMENTS |
| --- | --- | --- |
| Maximum number of Data Lake Storage Gen1 accounts, per subscription, per region | 10 | To request an increase for this limit, contact support. |
| Maximum number of access ACLs, per file or folder | 32 | This is a hard limit. Use groups to manage access with fewer entries. |
| Maximum number of default ACLs, per file or folder | 32 | This is a hard limit. Use groups to manage access with fewer entries. |

Database Migration Service Limits


Azure Database Migration Service is a fully managed service designed to enable seamless migrations from
multiple database sources to Azure data platforms with minimal downtime.

| RESOURCE | DEFAULT LIMIT | COMMENTS |
| --- | --- | --- |
| Maximum number of services per subscription, per region | 2 | To request an increase for this limit, contact support. |

Stream Analytics limits

| LIMIT IDENTIFIER | LIMIT | COMMENTS |
| --- | --- | --- |
| Maximum number of streaming units per subscription per region | 500 | To request an increase in streaming units for your subscription beyond 500, contact Microsoft Support. |
| Maximum number of inputs per job | 60 | There's a hard limit of 60 inputs per Azure Stream Analytics job. |
| Maximum number of outputs per job | 60 | There's a hard limit of 60 outputs per Stream Analytics job. |
| Maximum number of functions per job | 60 | There's a hard limit of 60 functions per Stream Analytics job. |
| Maximum number of streaming units per job | 192 | There's a hard limit of 192 streaming units per Stream Analytics job. |
| Maximum number of jobs per region | 1,500 | Each subscription can have up to 1,500 jobs per geographical region. |
| Reference data blob MB | 300 | Reference data blobs can't be larger than 300 MB each. |

Active Directory limits


Here are the usage constraints and other service limits for the Azure Active Directory (Azure AD) service.

| CATEGORY | LIMITS |
| --- | --- |
| Directories | A single user can belong to a maximum of 500 Azure AD directories as a member or a guest. A single user can create a maximum of 20 directories. |
| Domains | You can add no more than 900 managed domain names. If you set up all of your domains for federation with on-premises Active Directory, you can add no more than 450 domain names in each directory. |
| Resources | A maximum of 50,000 Azure AD resources can be created in a single directory by users of the Free edition of Azure Active Directory by default. If you have at least one verified domain, the default directory service quota in Azure AD is extended to 300,000 Azure AD resources. A non-admin user can create no more than 250 Azure AD resources. Both active resources and deleted resources that are available to restore count toward this quota. Only deleted Azure AD resources that were deleted fewer than 30 days ago are available to restore. Deleted Azure AD resources that are no longer available to restore count toward this quota at a value of one-quarter for 30 days. If you have developers who are likely to repeatedly exceed this quota in the course of their regular duties, you can create and assign a custom role with permission to create a limitless number of app registrations. |
| Schema extensions | String-type extensions can have a maximum of 256 characters. Binary-type extensions are limited to 256 bytes. Only 100 extension values, across all types and all applications, can be written to any single Azure AD resource. Only User, Group, TenantDetail, Device, Application, and ServicePrincipal entities can be extended with string-type or binary-type single-valued attributes. Schema extensions are available only in the Graph API version 1.21 preview. The application must be granted write access to register an extension. |
| Applications | A maximum of 100 users can be owners of a single application. |
| Application Manifest | A maximum of 1200 entries can be added in the Application Manifest. |
| Groups | A maximum of 100 users can be owners of a single group. Any number of Azure AD resources can be members of a single group. A user can be a member of any number of groups. The number of members in a group that you can synchronize from your on-premises Active Directory to Azure Active Directory by using Azure AD Connect is limited to 50,000 members. |
| Application Proxy | A maximum of 500 transactions per second per App Proxy application. A maximum of 750 transactions per second for the tenant. A transaction is defined as a single HTTP request and response for a unique resource. When throttled, clients will receive a 429 response (too many requests). |
| Access Panel | There's no limit to the number of applications that can be seen in the Access Panel per user. This applies to users assigned licenses for Azure AD Premium or the Enterprise Mobility Suite. A maximum of 10 app tiles can be seen in the Access Panel for each user. This limit applies to users who are assigned licenses for Azure AD Free license plan. Examples of app tiles include Box, Salesforce, or Dropbox. This limit doesn't apply to administrator accounts. |
| Reports | A maximum of 1,000 rows can be viewed or downloaded in any report. Any additional data is truncated. |
| Administrative units | An Azure AD resource can be a member of no more than 30 administrative units. |
| Admin roles and permissions | A group cannot be added as an owner. A group cannot be assigned to a role. Users' ability to read other users' directory information cannot be restricted outside of the tenant-wide switch to disable all non-admin users' access to all directory information (not recommended). More information on default permissions here. It may take up to 15 minutes or signing out/signing in before admin role membership additions and revocations take effect. |

Event Grid limits


The following limits apply to Azure Event Grid system topics and custom topics, not event domains.

| RESOURCE | LIMIT |
| --- | --- |
| Custom topics per Azure subscription | 100 |
| Event subscriptions per topic | 500 |
| Publish rate for a custom topic (ingress) | 5,000 events per second per topic |
| Publish requests | 250 per second |
| Event size | Support for 64 KB in General Availability (GA). Support for 1 MB is currently in preview. |

The following limits apply to event domains only.

| RESOURCE | LIMIT |
| --- | --- |
| Topics per event domain | 100,000 |
| Event subscriptions per topic within a domain | 500 |
| Domain scope event subscriptions | 50 |
| Publish rate for an event domain (ingress) | 5,000 events per second |
| Publish requests | 250 per second |
| Event Domains per Azure Subscription | 100 |

Azure Maps limits


The following table shows the usage limit for the Azure Maps S0 pricing tier. Usage limit depends on the pricing
tier.

| RESOURCE | S0 PRICING TIER LIMIT |
| --- | --- |
| Maximum request rate per subscription | 50 requests per second |

The following table shows the data size limit for Azure Maps. The Azure Maps data service is available only at the
S1 pricing tier.

| RESOURCE | LIMIT |
| --- | --- |
| Maximum size of data | 50 MB |

For more information on the Azure Maps pricing tiers, see Azure Maps pricing.
Azure Policy limits
There's a maximum count for each object type for Azure Policy. An entry of Scope means either the subscription or
the management group.

| WHERE | WHAT | MAXIMUM COUNT |
| --- | --- | --- |
| Scope | Policy definitions | 500 |
| Scope | Initiative definitions | 100 |
| Tenant | Initiative definitions | 1,000 |
| Scope | Policy or initiative assignments | 100 |
| Policy definition | Parameters | 20 |
| Initiative definition | Policies | 100 |
| Initiative definition | Parameters | 100 |
| Policy or initiative assignments | Exclusions (notScopes) | 400 |
| Policy rule | Nested conditionals | 512 |

StorSimple System limits


| LIMIT IDENTIFIER | LIMIT | COMMENTS |
| --- | --- | --- |
| Maximum number of storage account credentials | 64 | |
| Maximum number of volume containers | 64 | |
| Maximum number of volumes | 255 | |
| Maximum number of schedules per bandwidth template | 168 | A schedule for every hour, every day of the week. |
| Maximum size of a tiered volume on physical devices | 64 TB for StorSimple 8100 and StorSimple 8600 | StorSimple 8100 and StorSimple 8600 are physical devices. |
| Maximum size of a tiered volume on virtual devices in Azure | 30 TB for StorSimple 8010; 64 TB for StorSimple 8020 | StorSimple 8010 and StorSimple 8020 are virtual devices in Azure that use Standard storage and Premium storage, respectively. |
| Maximum size of a locally pinned volume on physical devices | 9 TB for StorSimple 8100; 24 TB for StorSimple 8600 | StorSimple 8100 and StorSimple 8600 are physical devices. |
| Maximum number of iSCSI connections | 512 | |
| Maximum number of iSCSI connections from initiators | 512 | |
| Maximum number of access control records per device | 64 | |
| Maximum number of volumes per backup policy | 24 | |
| Maximum number of backups retained per backup policy | 64 | |
| Maximum number of schedules per backup policy | 10 | |
| Maximum number of snapshots of any type that can be retained per volume | 256 | This amount includes local snapshots and cloud snapshots. |
| Maximum number of snapshots that can be present in any device | 10,000 | |
| Maximum number of volumes that can be processed in parallel for backup, restore, or clone | 16 | If there are more than 16 volumes, they're processed sequentially as processing slots become available. New backups of a cloned or a restored tiered volume can't occur until the operation is finished. For a local volume, backups are allowed after the volume is online. |
| Restore and clone recover time for tiered volumes | <2 minutes | The volume is made available within 2 minutes of a restore or clone operation, regardless of the volume size. The volume performance might initially be slower than normal as most of the data and metadata still resides in the cloud. Performance might increase as data flows from the cloud to the StorSimple device. The total time to download metadata depends on the allocated volume size. Metadata is automatically brought into the device in the background at the rate of 5 minutes per TB of allocated volume data. This rate might be affected by Internet bandwidth to the cloud. The restore or clone operation is complete when all the metadata is on the device. Backup operations can't be performed until the restore or clone operation is fully complete. |
| Restore recover time for locally pinned volumes | <2 minutes | The volume is made available within 2 minutes of the restore operation, regardless of the volume size. The volume performance might initially be slower than normal as most of the data and metadata still resides in the cloud. Performance might increase as data flows from the cloud to the StorSimple device. The total time to download metadata depends on the allocated volume size. Metadata is automatically brought into the device in the background at the rate of 5 minutes per TB of allocated volume data. This rate might be affected by Internet bandwidth to the cloud. Unlike tiered volumes, if there are locally pinned volumes, the volume data is also downloaded locally on the device. The restore operation is complete when all the volume data has been brought to the device. The restore operations might be long and the total time to complete the restore will depend on the size of the provisioned local volume, your Internet bandwidth, and the existing data on the device. Backup operations on the locally pinned volume are allowed while the restore operation is in progress. |
| Thin-restore availability | Last failover | |
| Maximum client read/write throughput, when served from the SSD tier* | 920/720 MB/sec with a single 10-gigabit Ethernet network interface | Up to two times with MPIO and two network interfaces. |
| Maximum client read/write throughput, when served from the HDD tier* | 120/250 MB/sec | |
| Maximum client read/write throughput, when served from the cloud tier* | 11/41 MB/sec | Read throughput depends on clients generating and maintaining sufficient I/O queue depth. |

*Maximum throughput per I/O type was measured with 100 percent read and 100 percent write scenarios. Actual
throughput might be lower and depends on I/O mix and network conditions.
Backup limits
For a summary of Azure Backup support settings and limitations, see Azure Backup Support Matrices.
Azure SignalR Service limits
| RESOURCE | DEFAULT LIMIT | MAXIMUM LIMIT |
| --- | --- | --- |
| Azure SignalR Service units per instance for Free tier | 1 | 1 |
| Azure SignalR Service units per instance for Standard tier | 100 | 100 |
| Azure SignalR Service units per subscription per region for Free tier | 5 | 5 |
| Total Azure SignalR Service unit counts per subscription per region | 150 | Unlimited |
| Connections per unit per day for Free tier | 20 | 20 |
| Connections per unit per day for Standard tier | 1,000 | 1,000 |
| Included messages per unit per day for Free tier | 20,000 | 20,000 |
| Included messages per unit per day for Standard tier | 1,000,000 | 1,000,000 |

To request an update to your subscription's default limits, open a support ticket.


Site Recovery limits
The following limits apply to Azure Site Recovery.

| LIMIT IDENTIFIER | DEFAULT LIMIT |
| --- | --- |
| Number of vaults per subscription | 500 |
| Number of servers per Azure vault | 250 |
| Number of protection groups per Azure vault | No limit |
| Number of recovery plans per Azure vault | No limit |
| Number of servers per protection group | No limit |
| Number of servers per recovery plan | 50 |

API Management limits


| RESOURCE | LIMIT |
| --- | --- |
| Maximum number of scale units | 10 per region¹ |
| Cache size | 5 GiB per unit² |
| Concurrent back-end connections³ per HTTP authority | 2,048 per unit⁴ |
| Maximum cached response size | 2 MiB |
| Maximum policy document size | 256 KiB⁵ |
| Maximum custom gateway domains per service instance⁶ | 20 |
| Maximum number of CA certificates per service instance | 10 |
| Maximum number of service instances per subscription⁷ | 20 |
| Maximum number of subscriptions per service instance⁷ | 500 |
| Maximum number of client certificates per service instance⁷ | 50 |
| Maximum number of APIs per service instance⁷ | 50 |
| Maximum number of API operations per service instance⁷ | 1,000 |
| Maximum total request duration⁷ | 30 seconds |
| Maximum buffered payload size⁷ | 2 MiB |
| Maximum request URL size⁸ | 4096 bytes |

¹ Scaling limits depend on the pricing tier. To see the pricing tiers and their scaling limits, see API Management
pricing.
² Per unit cache size depends on the pricing tier. To see the pricing tiers and their scaling limits, see API
Management pricing.
³ Connections are pooled and reused unless explicitly closed by the back end.
⁴ This limit is per unit of the Basic, Standard, and Premium tiers. The Developer tier is limited to 1,024. This limit
doesn't apply to the Consumption tier.
⁵ This limit applies to the Basic, Standard, and Premium tiers. In the Consumption tier, policy document size is
limited to 4 KiB.
⁶ This resource is available in the Premium tier only.
⁷ This resource applies to the Consumption tier only.
⁸ Applies to the Consumption tier only. Includes a query string of up to 2048 bytes.

Azure Cache for Redis limits


| RESOURCE | LIMIT |
| --- | --- |
| Cache size | 1.2 TB |
| Databases | 64 |
| Maximum connected clients | 40,000 |
| Azure Cache for Redis replicas, for high availability | 1 |
| Shards in a premium cache with clustering | 10 |


Azure Cache for Redis limits and sizes are different for each pricing tier. To see the pricing tiers and their associated
sizes, see Azure Cache for Redis pricing.
For more information on Azure Cache for Redis configuration limits, see Default Redis server configuration.
Because configuration and management of Azure Cache for Redis instances is done by Microsoft, not all Redis
commands are supported in Azure Cache for Redis. For more information, see Redis commands not supported in
Azure Cache for Redis.
Key Vault limits
Key transactions (maximum transactions allowed in 10 seconds, per vault per region¹):

| KEY TYPE | HSM KEY: CREATE KEY | HSM KEY: ALL OTHER TRANSACTIONS | SOFTWARE KEY: CREATE KEY | SOFTWARE KEY: ALL OTHER TRANSACTIONS |
| --- | --- | --- | --- | --- |
| RSA 2,048-bit | 5 | 1,000 | 10 | 2,000 |
| RSA 3,072-bit | 5 | 250 | 10 | 500 |
| RSA 4,096-bit | 5 | 125 | 10 | 250 |
| ECC P-256 | 5 | 1,000 | 10 | 2,000 |
| ECC P-384 | 5 | 1,000 | 10 | 2,000 |
| ECC P-521 | 5 | 1,000 | 10 | 2,000 |
| ECC SECP256K1 | 5 | 1,000 | 10 | 2,000 |

NOTE
In the previous table, we see that for RSA 2,048-bit software keys, 2,000 GET transactions per 10 seconds are allowed. For
RSA 2,048-bit HSM-keys, 1,000 GET transactions per 10 seconds are allowed.
The throttling thresholds are weighted, and enforcement is on their sum. For example, as shown in the previous table, when
you perform GET operations on RSA HSM-keys, it's eight times more expensive to use 4,096-bit keys compared to 2,048-bit
keys. That's because 1,000/125 = 8.
In a given 10-second interval, an Azure Key Vault client can do only one of the following operations before it encounters a
429 throttling HTTP status code:

2,000 RSA 2,048-bit software-key GET transactions
1,000 RSA 2,048-bit HSM-key GET transactions
125 RSA 4,096-bit HSM-key GET transactions
124 RSA 4,096-bit HSM-key GET transactions and 8 RSA 2,048-bit HSM-key GET transactions
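
The weighted-sum rule in the note above, worked as an added Python example (not part of the Azure documentation). It assumes each call consumes 1/limit of one shared 10-second budget, which is the model the note's own arithmetic implies; the function names are chosen here, and only the "all other transactions" columns are modelled.

```python
from fractions import Fraction

# "All other transactions" limits per 10-second window, per vault per region,
# copied from the key transactions table: key type -> (HSM key, software key).
OTHER_TX_LIMITS = {
    "RSA 2,048-bit": (1000, 2000),
    "RSA 3,072-bit": (250, 500),
    "RSA 4,096-bit": (125, 250),
    "ECC P-256": (1000, 2000),
    "ECC P-384": (1000, 2000),
    "ECC P-521": (1000, 2000),
    "ECC SECP256K1": (1000, 2000),
}


def cost(key_type, protection):
    """Share of one 10-second window consumed by a single GET-class call."""
    if protection not in ("hsm", "software"):
        raise ValueError("protection must be 'hsm' or 'software'")
    hsm_limit, software_limit = OTHER_TX_LIMITS[key_type]
    return Fraction(1, hsm_limit if protection == "hsm" else software_limit)


def window_load(ops):
    """ops: iterable of (key_type, protection, count). Returns the weighted sum."""
    return sum((cost(k, p) * n for k, p, n in ops), Fraction(0))


def expect_429(ops):
    """True when the mix exceeds the budget, so a 429 should be expected."""
    return window_load(ops) > 1


def headroom(ops, key_type, protection):
    """How many more calls of the given kind still fit in the same window."""
    free = 1 - window_load(ops)
    return int(free / cost(key_type, protection)) if free > 0 else 0


def plan_windows(ops):
    """Split a backlog into consecutive 10-second windows that each stay in budget."""
    windows, current, load = [], [], Fraction(0)
    for key_type, protection, count in ops:
        unit = cost(key_type, protection)
        while count > 0:
            fit = int((1 - load) / unit)
            if fit == 0:  # window is full: close it and start the next one
                windows.append(current)
                current, load = [], Fraction(0)
                continue
            take = min(fit, count)
            current.append((key_type, protection, take))
            load += unit * take
            count -= take
    if current:
        windows.append(current)
    return windows


if __name__ == "__main__":
    # Constructed workload: 300 unwrap-style calls against a 4,096-bit HSM key.
    backlog = [("RSA 4,096-bit", "hsm", 300)]
    for i, window in enumerate(plan_windows(backlog)):
        print(f"window {i} (t+{i * 10}s): {window} load={window_load(window)}")
```

Exact fractions are used so that a mix landing precisely on the limit, such as the 124 + 8 case, is not misclassified by floating-point rounding.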

Secrets, managed storage account keys, and vault transactions:

| TRANSACTIONS TYPE | MAXIMUM TRANSACTIONS ALLOWED IN 10 SECONDS, PER VAULT PER REGION¹ |
| --- | --- |
| All transactions | 2,000 |

For information on how to handle throttling when these limits are exceeded, see Azure Key Vault throttling
guidance.
¹ A subscription-wide limit for all transaction types is five times per key vault limit. For example, HSM-other
transactions per subscription are limited to 5,000 transactions in 10 seconds per subscription.
Multi-Factor Authentication limits
| RESOURCE | DEFAULT LIMIT | MAXIMUM LIMIT |
| --- | --- | --- |
| Maximum number of trusted IP addresses or ranges per subscription | 0 | 50 |
| Remember my devices, number of days | 14 | 60 |
| Maximum number of app passwords | 0 | No limit |
| Allow X attempts during MFA call | 1 | 99 |
| Two-way text message timeout seconds | 60 | 600 |
| Default one-time bypass seconds | 300 | 1,800 |
| Lock user account after X consecutive MFA denials | Not set | 99 |
| Reset account lockout counter after X minutes | Not set | 9,999 |
| Unlock account after X minutes | Not set | 9,999 |

Automation limits
Process automation

| RESOURCE | MAXIMUM LIMIT | NOTES |
| --- | --- | --- |
| Maximum number of new jobs that can be submitted every 30 seconds per Azure Automation account (nonscheduled jobs) | 100 | When this limit is reached, the subsequent requests to create a job fail. The client receives an error response. |
| Maximum number of concurrent running jobs at the same instance of time per Automation account (nonscheduled jobs) | 200 | When this limit is reached, the subsequent requests to create a job fail. The client receives an error response. |
| Maximum storage size of job metadata for a 30-day rolling period | 10 GB (approximately 4 million jobs) | When this limit is reached, the subsequent requests to create a job fail. |
| Maximum job stream limit | 1 MB | A single stream cannot be larger than 1 MB. |
| Maximum number of modules that can be imported every 30 seconds per Automation account | 5 | |
| Maximum size of a module | 100 MB | |
| Job run time, Free tier | 500 minutes per subscription per calendar month | |
| Maximum amount of disk space allowed per sandbox¹ | 1 GB | Applies to Azure sandboxes only. |
| Maximum amount of memory given to a sandbox¹ | 400 MB | Applies to Azure sandboxes only. |
| Maximum number of network sockets allowed per sandbox¹ | 1,000 | Applies to Azure sandboxes only. |
| Maximum runtime allowed per runbook¹ | 3 hours | Applies to Azure sandboxes only. |
| Maximum number of Automation accounts in a subscription | No limit | |
| Maximum number of Hybrid Worker Groups per Automation Account | 4,000 | |
| Maximum number of concurrent jobs that can be run on a single Hybrid Runbook Worker | 50 | |
| Maximum runbook job parameter size | 512 kilobits | |
| Maximum runbook parameters | 50 | If you reach the 50-parameter limit, you can pass a JSON or XML string to a parameter and parse it with the runbook. |
| Maximum webhook payload size | 512 kilobits | |
| Maximum days that job data is retained | 30 days | |
| Maximum PowerShell workflow state size | 5 MB | Applies to PowerShell workflow runbooks when checkpointing workflow. |

¹ A sandbox is a shared environment that can be used by multiple jobs. Jobs that use the same sandbox are bound
by the resource limitations of the sandbox.
Change Tracking and Inventory
The following table shows the tracked item limits per machine for change tracking.

| RESOURCE | LIMIT | NOTES |
| --- | --- | --- |
| File | 500 | |
| Registry | 250 | |
| Windows software | 250 | Doesn't include software updates. |
| Linux packages | 1,250 | |
| Services | 250 | |
| Daemon | 250 | |

Update Management
The following table shows the limits for Update Management.

| RESOURCE | LIMIT | NOTES |
| --- | --- | --- |
| Number of machines per update deployment | 1000 | |

Identity Manager limits


| CATEGORY | LIMIT |
| --- | --- |
| User-assigned managed identities | When you create user-assigned managed identities, only alphanumeric characters (0-9, a-z, and A-Z) and the hyphen (-) are supported. For the assignment to a virtual machine or virtual machine scale set to work properly, the name is limited to 24 characters. If you use the managed identity virtual machine extension, the supported limit is 32 user-assigned managed identities. Without the managed identity virtual machine extension, the supported limit is 512 user-assigned identities. |

Role-based access control limits

| RESOURCE | LIMIT |
| --- | --- |
| Role assignments for Azure resources per Azure subscription | 2,000 |
| Role assignments for Azure resources per management group | 500 |
| Custom roles for Azure resources per tenant | 5,000 |
| Custom roles for Azure resources per tenant (specialized clouds, such as Azure Government, Azure Germany, and Azure China 21Vianet) | 2,000 |

SQL Database limits


For SQL Database limits, see SQL Database resource limits for single databases, SQL Database resource limits for
elastic pools and pooled databases, and SQL Database resource limits for managed instances.
SQL Data Warehouse limits
For SQL Data Warehouse limits, see SQL Data Warehouse resource limits.

See also
Understand Azure limits and increases
Virtual machine and cloud service sizes for Azure
Sizes for Azure Cloud Services
Naming rules and restrictions for Azure resources
1/16/2020 • 19 minutes to read

This article summarizes naming rules and restrictions for Azure resources. For recommendations about how to
name resources, see Ready: Recommended naming and tagging conventions.
Resource names are case-insensitive unless specifically noted in the valid characters column.
In the following tables, the term alphanumeric refers to:
a through z (lowercase letters)
A through Z (uppercase letters)
0 through 9 (numbers)

Microsoft.AnalysisServices
| ENTITY | SCOPE | LENGTH | VALID CHARACTERS |
| --- | --- | --- | --- |
| servers | resource group | 3-63 | Lowercase letters and numbers. Start with lowercase letter. |

Microsoft.ApiManagement
| ENTITY | SCOPE | LENGTH | VALID CHARACTERS |
| --- | --- | --- | --- |
| service | global | 1-50 | Alphanumerics. Start with letter. |
| service / apis | service | 1-256 | Can't use: *#&+:<>? |
| service / apis / issues | api | 1-256 | Can't use: *#&+:<>? |
| service / apis / issues / attachments | issue | 1-256 | Can't use: *#&+:<>? |
| service / apis / issues / comments | issue | 1-256 | Can't use: *#&+:<>? |
| service / apis / operations | api | 1-256 | Can't use: *#&+:<>? |
| service / apis / operations / tags | operation | 1-256 | Can't use: *#&+:<>? |
| service / apis / releases | api | 1-80 | Alphanumerics, underscores, and hyphens. Start and end with alphanumeric or underscore. |
| service / apis / schemas | api | 1-256 | Can't use: *#&+:<>? |
| service / apis / tagDescriptions | api | 1-256 | Can't use: *#&+:<>? |
| service / apis / tags | api | 1-256 | Can't use: *#&+:<>? |
| service / api-version-sets | service | 1-256 | Can't use: *#&+:<>? |
| service / authorizationServers | service | 1-256 | Can't use: *#&+:<>? |
| service / backends | service | 1-256 | Can't use: *#&+:<>? |
| service / certificates | service | 1-256 | Can't use: *#&+:<>? |
| service / diagnostics | service | 1-256 | Can't use: *#&+:<>? |
| service / groups | service | 1-256 | Can't use: *#&+:<>? |
| service / groups / users | group | 1-256 | Can't use: *#&+:<>? |
| service / identityProviders | service | 1-256 | Can't use: *#&+:<>? |
| service / loggers | service | 1-256 | Can't use: *#&+:<>? |
| service / notifications | service | 1-256 | Can't use: *#&+:<>? |
| service / notifications / recipientEmails | notification | 1-256 | Can't use: *#&+:<>? |
| service / openidConnectProviders | service | 1-256 | Can't use: *#&+:<>? |
| service / policies | service | 1-256 | Can't use: *#&+:<>? |
| service / products | service | 1-256 | Can't use: *#&+:<>? |
| service / products / apis | product | 1-256 | Can't use: *#&+:<>? |
| service / products / groups | product | 1-256 | Can't use: *#&+:<>? |
| service / products / tags | product | 1-256 | Can't use: *#&+:<>? |
| service / properties | service | 1-256 | Can't use: *#&+:<>? |
| service / subscriptions | service | 1-256 | Can't use: *#&+:<>? |
| service / tags | service | 1-256 | Can't use: *#&+:<>? |
| service / templates | service | 1-256 | Can't use: *#&+:<>? |
| service / users | service | 1-256 | Can't use: *#&+:<>? |

Microsoft.AppConfiguration
| ENTITY | SCOPE | LENGTH | VALID CHARACTERS |
| --- | --- | --- | --- |
| configurationStores | resource group | 5-50 | Alphanumerics, underscores, and hyphens. |

Microsoft.Authorization
| ENTITY | SCOPE | LENGTH | VALID CHARACTERS |
| --- | --- | --- | --- |
| locks | scope of assignment | 1-90 | Alphanumerics, periods, underscores, hyphens, and parentheses. Can't end in period. |
| policyassignments | scope of assignment | 1-128 display name; 1-260 resource name | Display name can contain any characters. Resource name can't include % and can't end with period or space. |
| policydefinitions | scope of definition | 1-128 display name; 1-260 resource name | Display name can contain any characters. Resource name can't include % and can't end with period or space. |
| policySetDefinitions | scope of definition | 1-128 display name; 1-260 resource name | Display name can contain any characters. Resource name can't include % and can't end with period or space. |

Microsoft.Automation
| ENTITY | SCOPE | LENGTH | VALID CHARACTERS |
| --- | --- | --- | --- |
| automationAccounts | resource group | 6-50 | Alphanumerics and hyphens. Start with letter, and end with alphanumeric. |
| automationAccounts / certificates | automation account | 1-128 | Can't use: <>*%&:\?.+/ Can't end with space. |
| automationAccounts / connections | automation account | 1-128 | Can't use: <>*%&:\?.+/ Can't end with space. |
| automationAccounts / credentials | automation account | 1-128 | Can't use: <>*%&:\?.+/ Can't end with space. |
| automationAccounts / runbooks | automation account | 1-63 | Alphanumerics, underscores, and hyphens. Start with letter. |
| automationAccounts / schedules | automation account | 1-128 | Can't use: <>*%&:\?.+/ Can't end with space. |
| automationAccounts / variables | automation account | 1-128 | Can't use: <>*%&:\?.+/ Can't end with space. |
| automationAccounts / watchers | automation account | 1-63 | Alphanumerics, underscores, and hyphens. Start with letter. |
| automationAccounts / webhooks | automation account | 1-128 | Can't use: <>*%&:\?.+/ Can't end with space. |

Microsoft.Batch
| ENTITY | SCOPE | LENGTH | VALID CHARACTERS |
| --- | --- | --- | --- |
| batchAccounts | Region | 3-24 | Lowercase letters and numbers. |
| batchAccounts / applications | batch account | 1-64 | Alphanumerics, underscores, and hyphens. |
| batchAccounts / certificates | batch account | 5-45 | Alphanumerics, underscores, and hyphens. |
| batchAccounts / pools | batch account | 1-64 | Alphanumerics, underscores, and hyphens. |

Microsoft.Blockchain
| ENTITY | SCOPE | LENGTH | VALID CHARACTERS |
| --- | --- | --- | --- |
| blockchainMembers | global | 2-20 | Lowercase letters and numbers. Start with lowercase letter. |

Microsoft.BotService
| ENTITY | SCOPE | LENGTH | VALID CHARACTERS |
| --- | --- | --- | --- |
| botServices | global | 2-64 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. |
| botServices / channels | bot service | 2-64 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. |
| botServices / Connections | bot service | 2-64 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. |
| enterpriseChannels | resource group | 2-64 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. |

Microsoft.Cache
| ENTITY | SCOPE | LENGTH | VALID CHARACTERS |
| --- | --- | --- | --- |
| Redis | global | 1-63 | Alphanumerics and hyphens. Start and end with alphanumeric. Consecutive hyphens not allowed. |
| Redis / firewallRules | Redis | 1-256 | Alphanumerics |

Microsoft.Cdn
| ENTITY | SCOPE | LENGTH | VALID CHARACTERS |
| --- | --- | --- | --- |
| profiles | resource group | 1-260 | Alphanumerics and hyphens. Start and end with alphanumeric. |
| profiles / endpoints | global | 1-50 | Alphanumerics and hyphens. Start and end with alphanumeric. |

Microsoft.CertificateRegistration
| ENTITY | SCOPE | LENGTH | VALID CHARACTERS |
| --- | --- | --- | --- |
| certificateOrders | resource group | 3-30 | Alphanumerics. |

Microsoft.CognitiveServices
| ENTITY | SCOPE | LENGTH | VALID CHARACTERS |
| --- | --- | --- | --- |
| accounts | resource group | 2-64 | Alphanumerics and hyphens. Start and end with alphanumeric. |

Microsoft.Compute
| ENTITY | SCOPE | LENGTH | VALID CHARACTERS |
| --- | --- | --- | --- |
| availabilitySets | resource group | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore. |
| diskEncryptionSets | resource group | 1-80 | Alphanumerics and underscores. |
| disks | resource group | 1-80 | Alphanumerics and underscores. |
| galleries | resource group | 1-80 | Alphanumerics and periods. Start and end with alphanumeric. |
| galleries / applications | gallery | 1-80 | Alphanumerics, hyphens, and periods. Start and end with alphanumeric. |
| galleries / applications/versions | application | 32-bit integer | Numbers and periods. |
| galleries / images | gallery | 1-80 | Alphanumerics, hyphens, and periods. Start and end with alphanumeric. |
| galleries / images / versions | image | 32-bit integer | Numbers and periods. |
| images | resource group | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore. |
| snapshots | resource group | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore. |
| virtualMachines | resource group | 1-15 (Windows), 1-64 (Linux). See note below. | Can't use: \/""[]:\|<>+=;,?*@& Can't start with underscore. Can't end with period or hyphen. |
| virtualMachineScaleSets | resource group | 1-15 (Windows), 1-64 (Linux). See note below. | Can't use: \/""[]:\|<>+=;,?*@& Can't start with underscore. Can't end with period or hyphen. |

NOTE
Azure virtual machines have two distinct names: resource name and host name. When you create a virtual machine in the
portal, the same value is used for both names. The restrictions in the preceding table are for the host name. The actual
resource name can have up to 64 characters.

Microsoft.ContainerInstance
| ENTITY | SCOPE | LENGTH | VALID CHARACTERS |
| --- | --- | --- | --- |
| containerGroups | resource group | 1-63 | Lowercase letters, numbers, and hyphens. Can't start or end with hyphen. Consecutive hyphens aren't allowed. |

Microsoft.ContainerRegistry
ENTITY | SCOPE | LENGTH | VALID CHARACTERS
registries | global | 5-50 | Alphanumerics.
registries / buildTasks | registry | 5-50 | Alphanumerics.
registries / buildTasks/steps | build task | 5-50 | Alphanumerics.
registries / replications | registry | 5-50 | Alphanumerics.
registries / scopeMaps | registry | 5-50 | Alphanumerics, hyphens, and underscores.
registries / tasks | registry | 5-50 | Alphanumerics, hyphens, and underscores.
registries / tokens | registry | 5-50 | Alphanumerics, hyphens, and underscores.
registries / webhooks | registry | 5-50 | Alphanumerics.

Microsoft.ContainerService
ENTITY | SCOPE | LENGTH | VALID CHARACTERS
managedClusters | resource group | 1-63 | Alphanumerics, underscores, and hyphens. Start and end with alphanumeric.
openShiftManagedClusters | resource group | 1-30 | Alphanumerics.

Microsoft.CustomerInsights
ENTITY | SCOPE | LENGTH | VALID CHARACTERS
hubs | resource group | 1-64 | Alphanumerics. Start with letter.
hubs / authorizationPolicies | hub | 1-50 | Alphanumerics, underscores, and periods. Start and end with alphanumeric.
hubs / connectors | hub | 1-128 | Alphanumerics and underscores. Start with letter.
hubs / connectors/mappings | connector | 1-128 | Alphanumerics and underscores. Start with letter.
hubs / interactions | hub | 1-128 | Alphanumerics and underscores. Start with letter.
hubs / kpi | hub | 1-512 | Alphanumerics and underscores. Start with letter.
hubs / links | hub | 1-512 | Alphanumerics and underscores. Start with letter.
hubs / predictions | hub | 1-512 | Alphanumerics and underscores. Start with letter.
hubs / profiles | hub | 1-128 | Alphanumerics and underscores. Start with letter.
hubs / relationshipLinks | hub | 1-512 | Alphanumerics and underscores. Start with letter.
hubs / relationships | hub | 1-512 | Alphanumerics and underscores. Start with letter.
hubs / roleAssignments | hub | 1-128 | Alphanumerics and underscores. Start with letter.
hubs / views | hub | 1-512 | Alphanumerics and underscores. Start with letter.

Microsoft.CustomProviders
ENTITY | SCOPE | LENGTH | VALID CHARACTERS
associations | resource group | 1-180 | Can't use: %&\\?/ Can't end with period or space.
resourceProviders | resource group | 3-64 | Can't use: %&\\?/ Can't end with period or space.

Microsoft.DataBox
ENTITY | SCOPE | LENGTH | VALID CHARACTERS
jobs | resource group | 3-24 | Alphanumerics, hyphens, underscores and periods.

Microsoft.Databricks
ENTITY | SCOPE | LENGTH | VALID CHARACTERS
workspaces | resource group | 3-30 | Alphanumerics, underscores, and hyphens

Microsoft.DataFactory
ENTITY | SCOPE | LENGTH | VALID CHARACTERS
factories | global | 3-63 | Alphanumerics and hyphens. Start and end with alphanumeric.
factories / dataflows | factory | 1-260 | Can't use: <>*#.%&:\\+?/ Start with alphanumeric.
factories / datasets | factory | 1-260 | Can't use: <>*#.%&:\\+?/ Start with alphanumeric.
factories / integrationRuntimes | factory | 3-63 | Alphanumerics and hyphens. Start and end with alphanumeric.
factories / linkedservices | factory | 1-260 | Can't use: <>*#.%&:\\+?/ Start with alphanumeric.
factories / pipelines | factory | 1-260 | Can't use: <>*#.%&:\\+?/ Start with alphanumeric.
factories / triggers | factory | 1-260 | Can't use: <>*#.%&:\\+?/ Start with alphanumeric.
factories / triggers / rerunTriggers | trigger | 1-260 | Can't use: <>*#.%&:\\+?/ Start with alphanumeric.


Microsoft.DataLakeAnalytics
ENTITY | SCOPE | LENGTH | VALID CHARACTERS
accounts | global | 3-24 | Lowercase letters and numbers.
accounts / computePolicies | account | 3-60 | Alphanumerics, hyphens, and underscores.
accounts / dataLakeStoreAccounts | account | 3-24 | Lowercase letters and numbers.
accounts / firewallRules | account | 3-50 | Alphanumerics, hyphens, and underscores.
accounts / storageAccounts | account | 3-60 | Alphanumerics, hyphens, and underscores.

Microsoft.DataLakeStore
ENTITY | SCOPE | LENGTH | VALID CHARACTERS
accounts | global | 3-24 | Lowercase letters and numbers.
accounts / firewallRules | account | 3-50 | Alphanumerics, hyphens, and underscores.
accounts / virtualNetworkRules | account | 3-50 | Alphanumerics, hyphens, and underscores.

Microsoft.DataMigration
ENTITY | SCOPE | LENGTH | VALID CHARACTERS
services | resource group | 2-62 | Alphanumerics, hyphens, periods, and underscores. Start with alphanumeric.
services / projects | service | 2-57 | Alphanumerics, hyphens, periods, and underscores. Start with alphanumeric.

Microsoft.DBforMariaDB
ENTITY | SCOPE | LENGTH | VALID CHARACTERS
servers | global | 3-63 | Lowercase letters, hyphens and numbers. Can't start or end with hyphen.
servers / databases | servers | 1-63 | Alphanumerics and hyphens.
servers / firewallRules | servers | 1-128 | Alphanumerics, hyphens, and underscores.
servers / virtualNetworkRules | servers | 1-128 | Alphanumerics and hyphens.

Microsoft.DBforMySQL
ENTITY | SCOPE | LENGTH | VALID CHARACTERS
servers | global | 3-63 | Lowercase letters, hyphens and numbers. Can't start or end with hyphen.
servers / databases | servers | 1-63 | Alphanumerics and hyphens.
servers / firewallRules | servers | 1-128 | Alphanumerics, hyphens, and underscores.
servers / virtualNetworkRules | servers | 1-128 | Alphanumerics and hyphens.

Microsoft.DBforPostgreSQL
ENTITY | SCOPE | LENGTH | VALID CHARACTERS
servers | global | 3-63 | Lowercase letters, hyphens and numbers. Can't start or end with hyphen.
servers / databases | servers | 1-63 | Alphanumerics and hyphens.
servers / firewallRules | servers | 1-128 | Alphanumerics, hyphens, and underscores.
servers / virtualNetworkRules | servers | 1-128 | Alphanumerics and hyphens.

Microsoft.Devices
ENTITY | SCOPE | LENGTH | VALID CHARACTERS
IotHubs | global | 3-50 | Alphanumerics and hyphens. Can't end with hyphen.
IotHubs / certificates | IoT hub | 1-64 | Alphanumerics, hyphens, periods, and underscores.
IotHubs / eventHubEndpoints / ConsumerGroups | eventHubEndpoints | 1-50 | Alphanumerics, hyphens, periods, and underscores.
provisioningServices | resource group | 3-64 | Alphanumerics and hyphens. End with alphanumeric.
provisioningServices / certificates | provisioningServices | 1-64 | Alphanumerics, hyphens, periods, and underscores.

Microsoft.DevTestLab
ENTITY | SCOPE | LENGTH | VALID CHARACTERS
labs | resource group | 1-50 | Alphanumerics, underscores, and hyphens.
labs / customimages | lab | 1-80 | Alphanumerics, underscores, hyphens, and parentheses.
labs / formulas | lab | 1-80 | Alphanumerics, underscores, hyphens, and parentheses.
labs / virtualmachines | lab | 1-15 (Windows), 1-64 (Linux) | Alphanumerics and hyphens. Start and end with alphanumeric. Can't be all numbers.

Microsoft.DocumentDB
ENTITY | SCOPE | LENGTH | VALID CHARACTERS
databaseAccounts | global | 3-31 | Lowercase letters, numbers, and hyphens. Start with lowercase letter or number.

Microsoft.EventGrid
ENTITY | SCOPE | LENGTH | VALID CHARACTERS
domains | resource group | 3-50 | Alphanumerics and hyphens.
domains / topics | domain | 3-50 | Alphanumerics and hyphens.
eventSubscriptions | resource group | 3-64 | Alphanumerics and hyphens.
topics | resource group | 3-50 | Alphanumerics and hyphens.

Microsoft.EventHub
ENTITY | SCOPE | LENGTH | VALID CHARACTERS
clusters | resource group | 6-50 | Alphanumerics and hyphens. Start with letter. End with letter or number.
namespaces | global | 6-50 | Alphanumerics and hyphens. Start with letter. End with letter or number.
namespaces / AuthorizationRules | namespace | 1-50 | Alphanumerics, periods, hyphens and underscores. Start and end with letter or number.
namespaces / disasterRecoveryConfigs | namespace | 1-50 | Alphanumerics, periods, hyphens and underscores. Start and end with letter or number.
namespaces / eventhubs | namespace | 1-50 | Alphanumerics, periods, hyphens and underscores. Start and end with letter or number.
namespaces / eventhubs / authorizationRules | event hub | 1-50 | Alphanumerics, periods, hyphens and underscores. Start and end with letter or number.
namespaces / eventhubs / consumergroups | event hub | 1-50 | Alphanumerics, periods, hyphens and underscores. Start and end with letter or number.

Microsoft.HDInsight
ENTITY | SCOPE | LENGTH | VALID CHARACTERS
clusters | global | 3-59 | Alphanumerics and hyphens. Start and end with letter or number.

Microsoft.ImportExport
ENTITY | SCOPE | LENGTH | VALID CHARACTERS
jobs | resource group | 2-64 | Alphanumerics and hyphens. Start with letter.

Microsoft.IoTCentral
ENTITY | SCOPE | LENGTH | VALID CHARACTERS
IoTApps | global | 2-63 | Lowercase letters, numbers and hyphens. Start with lowercase letter or number.

Microsoft.KeyVault
ENTITY | SCOPE | LENGTH | VALID CHARACTERS
vaults | global | 3-24 | Alphanumerics and hyphens. Start with letter. End with letter or digit. Can't contain consecutive hyphens.
vaults / secrets | Vault | 1-127 | Alphanumerics and hyphens.

Microsoft.Kusto
ENTITY | SCOPE | LENGTH | VALID CHARACTERS
clusters | global | 4-22 | Lowercase letters and numbers. Start with letter.
/clusters / databases | cluster | 1-260 | Alphanumerics, hyphens, spaces, and periods.
/clusters / databases / dataConnections | database | 1-40 | Alphanumerics, hyphens, spaces, and periods.
/clusters / databases / eventhubconnections | database | 1-40 | Alphanumerics, hyphens, spaces, and periods.

Microsoft.Logic
ENTITY | SCOPE | LENGTH | VALID CHARACTERS
integrationAccounts | resource group | 1-80 | Alphanumerics, hyphens, underscores, periods, and parentheses.
integrationAccounts / assemblies | integration account | 1-80 | Alphanumerics, hyphens, underscores, periods, and parentheses.
integrationAccounts / batchConfigurations | integration account | 1-20 | Alphanumerics.
integrationAccounts / certificates | integration account | 1-80 | Alphanumerics, hyphens, underscores, periods, and parentheses.
integrationAccounts / maps | integration account | 1-80 | Alphanumerics, hyphens, underscores, periods, and parentheses.
integrationAccounts / partners | integration account | 1-80 | Alphanumerics, hyphens, underscores, periods, and parentheses.
integrationAccounts / rosettanetprocessconfigurations | integration account | 1-80 | Alphanumerics, hyphens, underscores, periods, and parentheses.
integrationAccounts / schemas | integration account | 1-80 | Alphanumerics, hyphens, underscores, periods, and parentheses.
integrationAccounts / sessions | integration account | 1-80 | Alphanumerics, hyphens, underscores, periods, and parentheses.
integrationServiceEnvironments | resource group | 1-80 | Alphanumerics, hyphens, periods, and underscores.
integrationServiceEnvironments / managedApis | integration service environment | 1-80 | Alphanumerics, hyphens, periods, and underscores.
workflows | resource group | 1-80 | Alphanumerics, hyphens, underscores, periods, and parentheses.

Microsoft.MachineLearning
ENTITY | SCOPE | LENGTH | VALID CHARACTERS
commitmentPlans | resource group | 1-260 | Can't use: <>*%&:?+/\\ Can't end with a space.
webServices | resource group | 1-260 | Can't use: <>*%&:?+/\\ Can't end with a space.
workspaces | resource group | 1-260 | Can't use: <>*%&:?+/\\ Can't end with a space.

Microsoft.MachineLearningServices
ENTITY | SCOPE | LENGTH | VALID CHARACTERS
workspaces | resource group | 3-33 | Alphanumerics and hyphens.
workspaces / computes | workspace | 2-16 | Alphanumerics and hyphens.

Microsoft.ManagedIdentity
ENTITY | SCOPE | LENGTH | VALID CHARACTERS
userAssignedIdentities | resource group | 3-128 | Alphanumerics, hyphens, and underscores. Start with letter or number.

Microsoft.Maps
ENTITY | SCOPE | LENGTH | VALID CHARACTERS
accounts | resource group | 1-98 (for resource group name and account name) | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric.

Microsoft.Media
ENTITY | SCOPE | LENGTH | VALID CHARACTERS
mediaservices | resource group | 3-24 | Lowercase letters and numbers.
mediaservices / liveEvents | Media service | 1-32 | Alphanumerics and hyphens. Start with alphanumeric.
mediaservices / liveEvents / liveOutputs | Live event | 1-256 | Alphanumerics and hyphens. Start with alphanumeric.
mediaservices / streamingEndpoints | Media service | 1-24 | Alphanumerics and hyphens. Start with alphanumeric.

Microsoft.Network
ENTITY | SCOPE | LENGTH | VALID CHARACTERS
applicationGateways | resource group | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
applicationSecurityGroups | resource group | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
azureFirewalls | resource group | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
bastionHosts | resource group | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
connections | resource group | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
dnsZones | resource group | 1-63 characters. 2 to 34 labels. Each label is a set of characters separated by a period. For example, contoso.com has 2 labels. | Each label can contain alphanumerics, underscores, and hyphens. Each label is separated by a period.
expressRouteCircuits | resource group | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
firewallPolicies | resource group | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
firewallPolicies / ruleGroups | firewall policy | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
frontDoors | global | 5-64 | Alphanumerics and hyphens. Start and end with alphanumeric.
loadBalancers | resource group | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
loadBalancers / inboundNatRules | load balancer | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
localNetworkGateways | resource group | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
networkInterfaces | resource group | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
networkSecurityGroups | resource group | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
networkSecurityGroups / securityRules | network security group | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
networkWatchers | resource group | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
privateDnsZones | resource group | 1-63 characters. 2 to 34 labels. Each label is a set of characters separated by a period. For example, contoso.com has 2 labels. | Each label can contain alphanumerics, underscores, and hyphens. Each label is separated by a period.
privateDnsZones / virtualNetworkLinks | private DNS zone | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
publicIPAddresses | resource group | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
publicIPPrefixes | resource group | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
routeFilters | resource group | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
routeFilters / routeFilterRules | route filter | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
routeTables | resource group | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
routeTables / routes | route table | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
serviceEndpointPolicies | resource group | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
trafficmanagerprofiles | global | 1-63 | Alphanumerics, hyphens, and periods. Start and end with alphanumeric.
virtualNetworkGateways | resource group | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
virtualNetworks | resource group | 2-64 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
virtualnetworks / subnets | virtual network | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
virtualNetworks / virtualNetworkPeerings | virtual network | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
virtualWans | resource group | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
vpnGateways | resource group | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
vpnGateways / vpnConnections | VPN gateway | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.
vpnSites | resource group | 1-80 | Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore.

Microsoft.NotificationHubs
ENTITY | SCOPE | LENGTH | VALID CHARACTERS
namespaces | global | 6-50 | Alphanumerics and hyphens. Start and end with alphanumeric.
namespaces / AuthorizationRules | namespace | 1-256 | Alphanumerics, periods, hyphens, and underscores. Start with alphanumeric.
namespaces / notificationHubs | namespace | 1-260 | Alphanumerics, periods, hyphens, and underscores. Start with alphanumeric.
namespaces / notificationHubs / AuthorizationRules | notification hub | 1-256 | Alphanumerics, periods, hyphens, and underscores. Start with alphanumeric.

Microsoft.OperationalInsights
ENTITY | SCOPE | LENGTH | VALID CHARACTERS
clusters | resource group | 4-63 | Alphanumerics and hyphens. Start and end with alphanumeric.
workspaces | resource group | 4-63 | Alphanumerics and hyphens. Start and end with alphanumeric.

Microsoft.PowerBI
ENTITY | SCOPE | LENGTH | VALID CHARACTERS
workspaceCollections | region | 3-63 | Alphanumerics and hyphens. Can't start with hyphen. Can't use consecutive hyphens.

Microsoft.PowerBIDedicated
ENTITY | SCOPE | LENGTH | VALID CHARACTERS
capacities | region | 3-63 | Lowercase letters or numbers. Start with lowercase letter.

Microsoft.RecoveryServices
ENTITY | SCOPE | LENGTH | VALID CHARACTERS
vaults | resource group | 2-50 | Alphanumerics and hyphens. Start with letter.
vaults / backupPolicies | vault | 3-150 | Alphanumerics and hyphens. Start with letter. Can't end with hyphen.

Microsoft.Relay
ENTITY | SCOPE | LENGTH | VALID CHARACTERS
namespaces | global | 6-50 | Alphanumerics and hyphens. Start with a letter. End with a letter or number.
namespaces / AuthorizationRules | namespace | 1-50 | Alphanumerics, periods, hyphens and underscores. Start and end with alphanumeric.
namespaces / HybridConnections | namespace | 1-260 | Alphanumerics, periods, hyphens, underscores, and slashes. Start and end with alphanumeric.
namespaces / HybridConnections/authorizationRules | hybrid connection | 1-50 | Alphanumerics, periods, hyphens and underscores. Start and end with alphanumeric.
namespaces / WcfRelays | namespace | 1-260 | Alphanumerics, periods, hyphens, underscores, and slashes. Start and end with alphanumeric.
namespaces / WcfRelays / authorizationRules | Wcf relay | 1-50 | Alphanumerics, periods, hyphens and underscores. Start and end with alphanumeric.

Microsoft.Resources
ENTITY | SCOPE | LENGTH | VALID CHARACTERS
deployments | resource group | 1-64 | Alphanumerics, underscores, parentheses, hyphens, and periods.
resourcegroups | subscription | 1-90 | Alphanumerics, underscores, parentheses, hyphens, periods, and unicode characters that match the regex documentation. Can't end with period.
tagNames | resource | 1-512 | Can't use: <>%&\?/
tagNames / tagValues | tag name | 1-256 | All characters.

Microsoft.ServiceBus
ENTITY | SCOPE | LENGTH | VALID CHARACTERS
namespaces | global | 6-50 | Alphanumerics and hyphens. Start with a letter. End with a letter or number. For more information, see Create namespace.
namespaces / AuthorizationRules | namespace | 1-50 | Alphanumerics, periods, hyphens, and underscores. Start and end with alphanumeric.
namespaces / disasterRecoveryConfigs | global | 6-50 | Alphanumerics and hyphens. Start with letter. End with alphanumeric.
namespaces / migrationConfigurations | namespace |  | Should always be $default.
namespaces / queues | namespace | 1-260 | Alphanumerics, periods, hyphens, underscores, and slashes. Start and end with alphanumeric.
namespaces / queues / authorizationRules | queue | 1-50 | Alphanumerics, periods, hyphens, and underscores. Start and end with alphanumeric.
namespaces / topics | namespace | 1-260 | Alphanumerics, periods, hyphens, underscores, and slashes. Start and end with alphanumeric.
namespaces / topics / authorizationRules | topic | 1-50 | Alphanumerics, periods, hyphens, and underscores. Start and end with alphanumeric.
namespaces / topics / subscriptions | topic | 1-50 | Alphanumerics, periods, hyphens, and underscores. Start and end with alphanumeric.
namespaces / topics / subscriptions / rules | subscription | 1-50 | Alphanumerics, periods, hyphens, and underscores. Start and end with alphanumeric.

Microsoft.ServiceFabric
ENTITY | SCOPE | LENGTH | VALID CHARACTERS
clusters | region | 4-23 | Lowercase letters, numbers, and hyphens. Start with lowercase letter. End with lowercase letter or number.

Microsoft.SignalRService
ENTITY | SCOPE | LENGTH | VALID CHARACTERS
signalR | global | 3-63 | Alphanumerics and hyphens. Start with letter. End with letter or number.

Microsoft.Sql
ENTITY | SCOPE | LENGTH | VALID CHARACTERS
managedInstances | global | 1-63 | Lowercase letters, numbers, and hyphens. Can't start or end with hyphen.
servers | global | 1-63 | Lowercase letters, numbers, and hyphens. Can't start or end with hyphen.
servers / databases | server | 1-128 | Can't use: <>*%&:\/? Can't end with period or space.
servers / databases / syncGroups | database | 1-150 | Alphanumerics, hyphens, and underscores.
servers / elasticPools | server | 1-128 | Can't use: <>*%&:\/? Can't end with period or space.
servers / failoverGroups | global | 1-63 | Lowercase letters, numbers, and hyphens. Can't start or end with hyphen.
servers / firewallRules | server | 1-128 | Can't use: <>*%&:;\/? Can't end with period.

Microsoft.Storage
ENTITY | SCOPE | LENGTH | VALID CHARACTERS
storageAccounts | global | 3-24 | Lowercase letters and numbers.
storageAccounts / blobServices | storage account |  | Must be default.
storageAccounts / blobServices / containers | storage account | 3-63 | Lowercase letters, numbers, and hyphens. Start with lowercase letter or number. Can't use consecutive hyphens.
storageAccounts / fileServices | storage account |  | Must be default.
storageAccounts / fileServices / shares | storage account | 3-63 | Lowercase letters, numbers, and hyphens. Can't start or end with hyphen. Can't use consecutive hyphens.
storageAccounts / managementPolicies | storage account |  | Must be default.
blob | container | 1-1024 | Any URL characters, case sensitive
queue | storage account | 3-63 | Lowercase letters, numbers, and hyphens. Can't start or end with hyphen. Can't use consecutive hyphens.
table | storage account | 3-63 | Alphanumerics. Start with letter.

Microsoft.StorageSync
ENTITY | SCOPE | LENGTH | VALID CHARACTERS
storageSyncServices | resource group | 1-260 | Alphanumerics, spaces, periods, hyphens, and underscores. Can't end with period or space.
storageSyncServices / syncGroups | storage sync service | 1-260 | Alphanumerics, spaces, periods, hyphens, and underscores. Can't end with period or space.

Microsoft.StorSimple
ENTITY | SCOPE | LENGTH | VALID CHARACTERS
managers | resource group | 2-50 | Alphanumerics and hyphens. Start with letter. End with alphanumeric.

Microsoft.StreamAnalytics
ENTITY | SCOPE | LENGTH | VALID CHARACTERS
streamingjobs | resource group | 3-63 | Alphanumerics, hyphens, and underscores.
streamingjobs / functions | streaming job | 3-63 | Alphanumerics, hyphens, and underscores.
streamingjobs / inputs | streaming job | 3-63 | Alphanumerics, hyphens, and underscores.
streamingjobs / outputs | streaming job | 3-63 | Alphanumerics, hyphens, and underscores.
streamingjobs / transformations | streaming job | 3-63 | Alphanumerics, hyphens, and underscores.

Microsoft.TimeSeriesInsights
ENTITY | SCOPE | LENGTH | VALID CHARACTERS
environments | resource group | 1-90 | Can't use: '<>%&:\?/#
environments / accessPolicies | environment | 1-90 | Can't use: '<>%&:\?/#
environments / eventSources | environment | 1-90 | Can't use: '<>%&:\?/#
environments / referenceDataSets | environment | 3-63 | Alphanumerics

Microsoft.Web
ENTITY | SCOPE | LENGTH | VALID CHARACTERS
serverfarms | resource group | 1-40 | Alphanumerics and hyphens.
sites | global | 2-60 | Contains alphanumerics and hyphens. Can't start or end with hyphen.
sites / slots | site | 2-59 | Alphanumerics and hyphens.
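
The naming rules can be checked before a deployment is submitted, so that a rejected name fails in review rather than at the API. The following PowerShell is an added example, not part of the original documentation: the function name Test-AzResourceName and the layout of $NameRules are hypothetical, the sample names are constructed, and only five rows of the tables are transcribed (Key Vault vaults, storage accounts, blob containers, SQL servers, and the Windows host-name limit for virtual machines).

```powershell
# Added example: a few rows of the naming tables encoded as checks.
# Must    = message -> regex the name has to match.
# MustNot = message -> regex the name may not match.
$NameRules = @{
    'Microsoft.KeyVault/vaults' = @{
        Min = 3; Max = 24
        Must = [ordered]@{
            'only alphanumerics and hyphens' = '^[A-Za-z0-9-]+$'
            'start with letter'              = '^[A-Za-z]'
            'end with letter or digit'       = '[A-Za-z0-9]$'
        }
        MustNot = [ordered]@{ 'consecutive hyphens' = '--' }
    }
    'Microsoft.Storage/storageAccounts' = @{
        Min = 3; Max = 24
        Must    = [ordered]@{ 'only lowercase letters and numbers' = '^[a-z0-9]+$' }
        MustNot = [ordered]@{}
    }
    'Microsoft.Storage/storageAccounts/blobServices/containers' = @{
        Min = 3; Max = 63
        Must = [ordered]@{
            'only lowercase letters, numbers, and hyphens' = '^[a-z0-9-]+$'
            'start with lowercase letter or number'        = '^[a-z0-9]'
        }
        MustNot = [ordered]@{ 'consecutive hyphens' = '--' }
    }
    'Microsoft.Sql/servers' = @{
        Min = 1; Max = 63
        Must    = [ordered]@{ 'only lowercase letters, numbers, and hyphens' = '^[a-z0-9-]+$' }
        MustNot = [ordered]@{ 'starts or ends with hyphen' = '^-|-$' }
    }
    # Windows host-name limit (1-15). Per the note under the Compute table,
    # the resource name itself can have up to 64 characters.
    'Microsoft.Compute/virtualMachines' = @{
        Min = 1; Max = 15
        Must    = [ordered]@{}
        MustNot = [ordered]@{
            'uses one of \/"[]:|<>+=;,?*@&' = '[\\/"\[\]:|<>+=;,?*@&]'
            'starts with underscore'        = '^_'
            'ends with period or hyphen'    = '[.-]$'
        }
    }
}

function Test-AzResourceName {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string] $ResourceType,
        [Parameter(Mandatory)][AllowEmptyString()][string] $Name
    )
    $rule = $NameRules[$ResourceType]
    if (-not $rule) { throw "No rule transcribed for '$ResourceType'." }

    $problems = [System.Collections.Generic.List[string]]::new()
    if ($Name.Length -lt $rule.Min -or $Name.Length -gt $rule.Max) {
        $problems.Add("length $($Name.Length) is outside $($rule.Min)-$($rule.Max)")
    }
    # -cmatch / -cnotmatch are case-sensitive. The default -match ignores case
    # and would accept uppercase letters where the table says "lowercase".
    foreach ($entry in $rule.Must.GetEnumerator()) {
        if ($Name -cnotmatch $entry.Value) { $problems.Add("violates: $($entry.Key)") }
    }
    foreach ($entry in $rule.MustNot.GetEnumerator()) {
        if ($Name -cmatch $entry.Value) { $problems.Add($entry.Key) }
    }

    [pscustomobject]@{
        ResourceType = $ResourceType
        Name         = $Name
        Valid        = ($problems.Count -eq 0)
        Problems     = $problems -join '; '
    }
}

# Constructed sample names, one passing and several failing.
$samples = @(
    @{ ResourceType = 'Microsoft.KeyVault/vaults';         Name = 'kv-prod-secrets' }
    @{ ResourceType = 'Microsoft.KeyVault/vaults';         Name = 'kv--prod' }
    @{ ResourceType = 'Microsoft.KeyVault/vaults';         Name = '1vault' }
    @{ ResourceType = 'Microsoft.Storage/storageAccounts'; Name = 'ProdLogs01' }
    @{ ResourceType = 'Microsoft.Storage/storageAccounts/blobServices/containers'; Name = '-audit' }
    @{ ResourceType = 'Microsoft.Sql/servers';             Name = 'sql-prod-' }
    @{ ResourceType = 'Microsoft.Compute/virtualMachines'; Name = 'web_server_frontend01' }
)
$samples | ForEach-Object { Test-AzResourceName @_ } | Format-Table -AutoSize -Wrap
```

These checks only cover the character and length rules in the tables. Whether a global-scope name is already taken can only be answered by the service.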

Next steps
For recommendations about how to name resources, see Ready: Recommended naming and tagging conventions.
Azure Resource Manager vs. classic deployment: Understand deployment models and the state of your resources
1/17/2020 • 10 minutes to read

NOTE
The information provided in this article is only used when you migrate from the classic deployment to the Azure Resource
Manager deployment.

In this article, you learn about Azure Resource Manager and classic deployment models. The Resource Manager
and classic deployment models represent two different ways of deploying and managing your Azure solutions. You
work with them through two different API sets, and the deployed resources can contain important differences. The
two models aren't compatible with each other. This article describes those differences.
To simplify the deployment and management of resources, Microsoft recommends that you use Resource Manager
for all new resources. If possible, Microsoft recommends that you redeploy existing resources through Resource
Manager.
If you're new to Resource Manager, you may want to first review the terminology defined in the Azure Resource
Manager overview.

History of the deployment models


Azure originally provided only the classic deployment model. In this model, each resource existed independently;
there was no way to group related resources together. Instead, you had to manually track which resources made up
your solution or application, and remember to manage them in a coordinated approach. To deploy a solution, you
had to either create each resource individually through the portal or create a script that deployed all the resources
in the correct order. To delete a solution, you had to delete each resource individually. You couldn't easily apply and
update access control policies for related resources. Finally, you couldn't apply tags to resources to label them with
terms that help you monitor your resources and manage billing.
In 2014, Azure introduced Resource Manager, which added the concept of a resource group. A resource group is a
container for resources that share a common lifecycle. The Resource Manager deployment model provides several
benefits:
- You can deploy, manage, and monitor all the services for your solution as a group, rather than handling these services individually.
- You can repeatedly deploy your solution throughout its lifecycle and have confidence your resources are deployed in a consistent state.
- You can apply access control to all resources in your resource group, and those policies are automatically applied when new resources are added to the resource group.
- You can apply tags to resources to logically organize all the resources in your subscription.
- You can use JavaScript Object Notation (JSON) to define the infrastructure for your solution. The JSON file is known as a Resource Manager template.
- You can define the dependencies between resources so they're deployed in the correct order.
When Resource Manager was added, all resources were retroactively added to default resource groups. If you
create a resource through classic deployment now, the resource is automatically created within a default resource
group for that service, even though you didn't specify that resource group at deployment. However, just existing
within a resource group doesn't mean that the resource has been converted to the Resource Manager model.

Understand support for the models


There are three scenarios to be aware of:
1. Cloud Services doesn't support the Resource Manager deployment model.
2. Virtual machines, storage accounts, and virtual networks support both Resource Manager and classic
deployment models.
3. All other Azure services support Resource Manager.
For virtual machines, storage accounts, and virtual networks, if the resource was created through classic
deployment, you must continue to operate on it through classic operations. If the virtual machine, storage account,
or virtual network was created through Resource Manager deployment, you must continue using Resource
Manager operations. This distinction can get confusing when your subscription contains a mix of resources created
through Resource Manager and classic deployment. This combination of resources can create unexpected results
because the resources don't support the same operations.
In some cases, a Resource Manager command can retrieve information about a resource created through classic
deployment, or can perform an administrative task such as moving a classic resource to another resource group.
But, these cases shouldn't give the impression that the type supports Resource Manager operations. For example,
suppose you have a resource group that contains a virtual machine that was created with classic deployment. If you
run the following Resource Manager PowerShell command:

Get-AzResource -ResourceGroupName ExampleGroup -ResourceType Microsoft.ClassicCompute/virtualMachines

It returns the virtual machine:

Name              : ExampleClassicVM
ResourceId        : /subscriptions/{guid}/resourceGroups/ExampleGroup/providers/Microsoft.ClassicCompute/virtualMachines/ExampleClassicVM
ResourceName      : ExampleClassicVM
ResourceType      : Microsoft.ClassicCompute/virtualMachines
ResourceGroupName : ExampleGroup
Location          : westus
SubscriptionId    : {guid}

However, the Resource Manager cmdlet Get-AzVM only returns virtual machines deployed through Resource
Manager. The following command doesn't return the virtual machine created through classic deployment.

Get-AzVM -ResourceGroupName ExampleGroup

Only resources created through Resource Manager support tags. You can't apply tags to classic resources.
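
Because model-specific cmdlets such as Get-AzVM silently omit classic resources, an inventory is more reliable when it is built from Get-AzResource output and classified by resource type. The following PowerShell is an added example, not part of the original article: the function names are hypothetical, the sample objects are constructed to mirror the fields shown in the output above, and it assumes that classic resource types live under provider namespaces beginning with Microsoft.Classic, as Microsoft.ClassicCompute/virtualMachines does.

```powershell
# Added example: classify resources by deployment model and flag resource
# groups that mix classic and Resource Manager resources.

function Get-DeploymentModel {
    param([Parameter(Mandatory)][string] $ResourceType)
    # 'Microsoft.ClassicCompute/virtualMachines' -> 'Microsoft.ClassicCompute'
    $namespace = ($ResourceType -split '/', 2)[0]
    # Assumption: classic types sit under 'Microsoft.Classic*' namespaces.
    if ($namespace -like 'Microsoft.Classic*') { 'Classic' } else { 'ResourceManager' }
}

function Get-DeploymentModelReport {
    [CmdletBinding()]
    param(
        # Any object with Name, ResourceGroupName and ResourceType properties,
        # which is what Get-AzResource emits.
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject] $Resource
    )
    begin   { $all = [System.Collections.Generic.List[psobject]]::new() }
    process { $all.Add($Resource) }
    end {
        foreach ($group in ($all | Group-Object -Property ResourceGroupName)) {
            $classic = @($group.Group | Where-Object {
                (Get-DeploymentModel -ResourceType $_.ResourceType) -eq 'Classic'
            })
            [pscustomobject]@{
                ResourceGroupName    = $group.Name
                ClassicCount         = $classic.Count
                ResourceManagerCount = $group.Count - $classic.Count
                # Mixed groups are where classic-only and Resource Manager-only
                # operations are most easily confused.
                Mixed                = ($classic.Count -gt 0 -and $classic.Count -lt $group.Count)
                ClassicResources     = ($classic | ForEach-Object Name) -join ', '
            }
        }
    }
}

# Constructed sample input so the example runs without an Azure session.
$sample = @(
    [pscustomobject]@{ Name = 'ExampleClassicVM'; ResourceGroupName = 'ExampleGroup'
                       ResourceType = 'Microsoft.ClassicCompute/virtualMachines' }
    [pscustomobject]@{ Name = 'ExampleRmVM';      ResourceGroupName = 'ExampleGroup'
                       ResourceType = 'Microsoft.Compute/virtualMachines' }
    [pscustomobject]@{ Name = 'examplevnet';      ResourceGroupName = 'ExampleGroup'
                       ResourceType = 'Microsoft.Network/virtualNetworks' }
    [pscustomobject]@{ Name = 'legacystore';      ResourceGroupName = 'LegacyGroup'
                       ResourceType = 'Microsoft.ClassicStorage/storageAccounts' }
    [pscustomobject]@{ Name = 'modernstore';      ResourceGroupName = 'ModernGroup'
                       ResourceType = 'Microsoft.Storage/storageAccounts' }
)

$sample | Get-DeploymentModelReport | Format-Table -AutoSize

# Against a live subscription (requires the Az module and a signed-in context):
#   Get-AzResource | Get-DeploymentModelReport
```

Groups reported as Mixed, or with a non-zero ClassicCount, contain resources that can't be tagged and that must be operated on through classic operations.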

Changes for compute, network, and storage


The following diagram displays compute, network, and storage resources deployed through Resource Manager.
Note the following relationships between the resources:
- All the resources exist within a resource group.
- The virtual machine depends on a specific storage account defined in the Storage resource provider to store its disks in blob storage (required).
- The virtual machine references a specific network interface card defined in the Network resource provider (required) and an availability set defined in the Compute resource provider (optional).
- The network interface card references the virtual machine's assigned IP address (required), the subnet of the virtual network for the virtual machine (required), and a Network Security Group (optional).
- The subnet within a virtual network references a Network Security Group (optional).
- The load balancer instance references the backend pool of IP addresses that include the network interface card of a virtual machine (optional) and references a load balancer public or private IP address (optional).
Here are the components and their relationships for classic deployment:
The classic solution for hosting a virtual machine includes:
A required cloud service that acts as a container for hosting virtual machines (compute). Virtual machines are
automatically provided with a network interface card and an IP address assigned by Azure. Additionally, the
cloud service contains an external load balancer instance, a public IP address, and default endpoints to allow
remote desktop and remote PowerShell traffic for Windows-based virtual machines and Secure Shell (SSH)
traffic for Linux-based virtual machines.
A required storage account that stores the virtual hard disks for a virtual machine, including the operating
system, temporary, and additional data disks (storage).
An optional virtual network that acts as an additional container, in which you can create a subnetted structure
and choose the subnet on which the virtual machine is located (network).
The following table describes changes in how Compute, Network, and Storage resource providers interact:

Cloud Service for Virtual Machines
  Classic: Cloud Service was a container for holding the virtual machines that required Availability from the
  platform and Load Balancing.
  Resource Manager: Cloud Service is no longer an object required for creating a Virtual Machine using the new
  model.

Virtual Networks
  Classic: A virtual network is optional for the virtual machine. If included, the virtual network can't be
  deployed with Resource Manager.
  Resource Manager: Virtual machine requires a virtual network that has been deployed with Resource Manager.

Storage Accounts
  Classic: The virtual machine requires a storage account that stores the virtual hard disks for the operating
  system, temporary, and additional data disks.
  Resource Manager: The virtual machine requires a storage account to store its disks in blob storage.

Availability Sets
  Classic: Availability to the platform was indicated by configuring the same “AvailabilitySetName” on the
  Virtual Machines. The maximum count of fault domains was 2.
  Resource Manager: Availability Set is a resource exposed by Microsoft.Compute Provider. Virtual Machines that
  require high availability must be included in the Availability Set. The maximum count of fault domains is now 3.

Affinity Groups
  Classic: Affinity Groups were required for creating Virtual Networks. However, with the introduction of
  Regional Virtual Networks, that wasn't required anymore.
  Resource Manager: To simplify, the Affinity Groups concept doesn’t exist in the APIs exposed through Azure
  Resource Manager.

Load Balancing
  Classic: Creation of a Cloud Service provides an implicit load balancer for the Virtual Machines deployed.
  Resource Manager: The Load Balancer is a resource exposed by the Microsoft.Network provider. The primary
  network interface of the Virtual Machines that needs to be load balanced should be referencing the load
  balancer. Load Balancers can be internal or external. A load balancer instance references the backend pool of
  IP addresses that include the NIC of a virtual machine (optional) and references a load balancer public or
  private IP address (optional).

Virtual IP Address
  Classic: Cloud Services gets a default VIP (Virtual IP Address) when a VM is added to a cloud service. The
  Virtual IP Address is the address associated with the implicit load balancer.
  Resource Manager: Public IP address is a resource exposed by the Microsoft.Network provider. Public IP address
  can be static (reserved) or dynamic. Dynamic public IPs can be assigned to a Load Balancer. Public IPs can be
  secured using Security Groups.

Reserved IP Address
  Classic: You can reserve an IP Address in Azure and associate it with a Cloud Service to ensure that the IP
  Address is sticky.
  Resource Manager: Public IP Address can be created in static mode and it offers the same capability as a
  reserved IP address.

Public IP Address (PIP) per VM
  Classic: Public IP Addresses can also be associated to a VM directly.
  Resource Manager: Public IP address is a resource exposed by the Microsoft.Network provider. Public IP Address
  can be static (reserved) or dynamic.

Endpoints
  Classic: Input Endpoints needed to be configured on a Virtual Machine to open up connectivity for certain
  ports. One of the common modes of connecting to virtual machines was done by setting up input endpoints.
  Resource Manager: Inbound NAT Rules can be configured on Load Balancers to achieve the same capability of
  enabling endpoints on specific ports for connecting to the VMs.

DNS Name
  Classic: A cloud service would get an implicit globally unique DNS Name. For example:
  mycoffeeshop.cloudapp.net.
  Resource Manager: DNS Names are optional parameters that can be specified on a Public IP Address resource. The
  FQDN is in the following format - <domainlabel>.<region>.cloudapp.azure.com.

Network Interfaces
  Classic: Primary and Secondary Network Interface and its properties were defined as network configuration of a
  Virtual machine.
  Resource Manager: Network Interface is a resource exposed by Microsoft.Network Provider. The lifecycle of the
  Network Interface isn't tied to a Virtual Machine. It references the virtual machine's assigned IP address
  (required), the subnet of the virtual network for the virtual machine (required), and a Network Security
  Group (optional).

To learn about connecting virtual networks from different deployment models, see Connect virtual networks from
different deployment models in the portal.

Migrate from classic to Resource Manager


If you're ready to migrate your resources from classic deployment to Resource Manager deployment, see:
1. Technical deep dive on platform-supported migration from classic to Azure Resource Manager
2. Platform supported migration of IaaS resources from Classic to Azure Resource Manager
3. Migrate IaaS resources from classic to Azure Resource Manager by using Azure PowerShell
4. Migrate IaaS resources from classic to Azure Resource Manager by using Azure CLI

Frequently asked questions


Can I create a virtual machine using Resource Manager to deploy in a virtual network created using
classic deployment?
This configuration isn't supported. You can't use Resource Manager to deploy a virtual machine into a virtual
network that was created using classic deployment.
Can I create a virtual machine using Resource Manager from a user image that was created using the
classic deployment model?
This configuration isn't supported. However, you can copy the virtual hard disk files from a storage account that
was created using the classic deployment model, and add them to a new account created through Resource
Manager.
What is the impact on the quota for my subscription?
The quotas for the virtual machines, virtual networks, and storage accounts created through the Azure Resource
Manager are separate from other quotas. Each subscription gets quotas to create the resources using the new APIs.
You can read more about the additional quotas here.
Can I continue to use my automated scripts for provisioning virtual machines, virtual networks, and
storage accounts through the Resource Manager APIs?
All the automation and scripts that you've built continue to work for the existing virtual machines and virtual
networks created under the Azure Service Management mode. However, the scripts have to be updated to use the new
schema for creating the same resources through the Resource Manager mode.
Where can I find examples of Azure Resource Manager templates?
A comprehensive set of starter templates can be found on Azure Resource Manager Quickstart Templates.

Next steps
To see the commands for deploying a template, see Deploy an application with Azure Resource Manager
template.
Security controls for Azure Resource Manager
12/23/2019 • 2 minutes to read

This article documents the security controls built into Azure Resource Manager.
A security control is a quality or feature of an Azure service that contributes to the service's ability to prevent,
detect, and respond to security vulnerabilities.
For each control, we use "Yes" or "No" to indicate whether it is currently in place for the service, and "N/A" for a
control that is not applicable to the service. We might also provide a note or links to more information about an
attribute.

Data protection
SECURITY CONTROL | YES/NO | NOTES
Server-side encryption at rest: Microsoft-managed keys | Yes |
Encryption in transit (such as ExpressRoute encryption, in VNet encryption, and VNet-VNet encryption) | Yes | HTTPS/TLS.
Server-side encryption at rest: customer-managed keys (BYOK) | N/A | Azure Resource Manager stores no customer content, only control data.
Column level encryption (Azure Data Services) | Yes |
API calls encrypted | Yes |

Network
SECURITY CONTROL | YES/NO | NOTES
Service endpoint support | No |
VNet injection support | Yes |
Network isolation and firewalling support | No |
Forced tunneling support | No |

Monitoring & logging


SECURITY CONTROL | YES/NO | NOTES
Azure monitoring support (Log analytics, App insights, etc.) | No |
Control and management plane logging and audit | Yes | Activity logs expose all write operations (PUT, POST, DELETE) performed on your resources; see View activity logs to audit actions on resources.
Data plane logging and audit | N/A |

Identity
SECURITY CONTROL | YES/NO | NOTES
Authentication | Yes | Azure Active Directory based.
Authorization | Yes |

Configuration management
SECURITY CONTROL | YES/NO | NOTES
Configuration management support (versioning of configuration, etc.) | Yes |

Next steps
Learn more about the built-in security controls across Azure services.
Resource providers for Azure services
1/2/2020 • 2 minutes to read

This article shows how resource provider namespaces map to Azure services.

Match resource provider to service


RESOURCE PROVIDER NAMESPACE AZURE SERVICE

Microsoft.AAD Azure Active Directory Domain Services

Microsoft.Addons core

Microsoft.ADHybridHealthService Azure Active Directory

Microsoft.Advisor Azure Advisor

Microsoft.AlertsManagement Azure Monitor

Microsoft.AnalysisServices Azure Analysis Services

Microsoft.ApiManagement API Management

Microsoft.AppConfiguration core

Microsoft.Attestation Azure Attestation Service

Microsoft.Authorization Azure Resource Manager

Microsoft.Automation Automation

Microsoft.AzureActiveDirectory Azure Active Directory B2C

Microsoft.AzureStack core

Microsoft.Batch Batch

Microsoft.Billing Billing

Microsoft.BingMaps Bing Maps

Microsoft.Blockchain Azure Blockchain Service

Microsoft.Blueprint Azure Blueprints

Microsoft.BotService Azure Bot Service

Microsoft.Cache Azure Cache for Redis


Microsoft.Capacity core

Microsoft.Cdn Content Delivery Network

Microsoft.CertificateRegistration App Service Certificates

Microsoft.ChangeAnalysis Azure Monitor

Microsoft.ClassicCompute Classic deployment model virtual machine

Microsoft.ClassicInfrastructureMigrate Classic deployment model migration

Microsoft.ClassicNetwork Classic deployment model virtual network

Microsoft.ClassicStorage Classic deployment model storage

Microsoft.ClassicSubscription Classic deployment model

Microsoft.CognitiveServices Cognitive Services

Microsoft.Commerce core

Microsoft.Compute Virtual Machines, Virtual Machine Scale Sets

Microsoft.Consumption Cost Management

Microsoft.ContainerInstance Container Instances

Microsoft.ContainerRegistry Container Registry

Microsoft.ContainerService Azure Kubernetes Service (AKS)

Microsoft.CostManagement Cost Management

Microsoft.CostManagementExports Cost Management

Microsoft.CustomerLockbox Customer Lockbox for Microsoft Azure

Microsoft.CustomProviders Azure Custom Providers

Microsoft.DataBox Azure Data Box

Microsoft.DataBoxEdge Azure Data Box Edge

Microsoft.Databricks Azure Databricks

Microsoft.DataCatalog Data Catalog

Microsoft.DataFactory Data Factory


Microsoft.DataLakeAnalytics Data Lake Analytics

Microsoft.DataLakeStore Azure Data Lake Store

Microsoft.DataMigration Azure Database Migration Service

Microsoft.DataShare Azure Data Share

Microsoft.DBforMariaDB Azure Database for MariaDB

Microsoft.DBforMySQL Azure Database for MySQL

Microsoft.DBforPostgreSQL Azure Database for PostgreSQL

Microsoft.DesktopVirtualization Windows Virtual Desktop

Microsoft.DeploymentManager Azure Deployment Manager

Microsoft.Devices IoT Hub, IoT Hub Device Provisioning Service

Microsoft.DevOps Azure DevOps

Microsoft.DevSpaces Azure Dev Spaces

Microsoft.DevTestLab Azure Lab Services

Microsoft.DocumentDB Azure Cosmos DB

Microsoft.DomainRegistration App Service

Microsoft.EnterpriseKnowledgeGraph Enterprise Knowledge Graph

Microsoft.EventGrid Event Grid

Microsoft.EventHub Event Hubs

Microsoft.Features Azure Resource Manager

Microsoft.Genomics Microsoft Genomics

Microsoft.GuestConfiguration Azure Policy

Microsoft.HanaOnAzure SAP HANA on Azure

Microsoft.HardwareSecurityModules Azure Dedicated HSM

Microsoft.HDInsight HDInsight

Microsoft.HealthcareApis Azure API for FHIR


Microsoft.HybridCompute Azure Arc

Microsoft.HybridData StorSimple

Microsoft.ImportExport Azure Import/Export

microsoft.insights Azure Monitor

Microsoft.IoTCentral IoT Central

Microsoft.IoTSpaces Azure Digital Twins

Microsoft.KeyVault Key Vault

Microsoft.Kusto Azure Data Explorer

Microsoft.LabServices Azure Lab Services

Microsoft.Logic Logic Apps

Microsoft.MachineLearning Machine Learning Studio

Microsoft.MachineLearningServices Machine Learning Service

Microsoft.ManagedIdentity Managed identities for Azure resources

Microsoft.ManagedServices Azure Lighthouse

Microsoft.Management Management Groups

Microsoft.Maps Azure Maps

Microsoft.Marketplace core

Microsoft.MarketplaceApps core

Microsoft.MarketplaceOrdering core

Microsoft.Media Media Services

Microsoft.Migrate Azure Migrate

Microsoft.MixedReality Azure Spatial Anchors

Microsoft.NetApp Azure NetApp Files


Microsoft.Network Virtual Network, Load Balancer, Application Gateway, Azure DNS, ExpressRoute, VPN Gateway,
Traffic Manager, Network Watcher, Azure Firewall, Azure Front Door Service, Azure Bastion

Microsoft.NotificationHubs Notification Hubs

Microsoft.OffAzure Azure Migrate

Microsoft.OperationalInsights Azure Monitor

Microsoft.OperationsManagement Azure Monitor

Microsoft.Peering Microsoft Azure Peering Service

Microsoft.PolicyInsights Azure Policy

Microsoft.Portal Azure portal

Microsoft.PowerBI Power BI

Microsoft.PowerBIDedicated Power BI Embedded

Microsoft.RecoveryServices Site Recovery

Microsoft.Relay Azure Relay

Microsoft.ResourceGraph Azure Resource Graph

Microsoft.ResourceHealth core

Microsoft.Resources Azure Resource Manager

Microsoft.SaaS core

Microsoft.Scheduler Scheduler

Microsoft.Search Azure Search

Microsoft.Security Security Center

Microsoft.SecurityInsights Azure Sentinel

Microsoft.SerialConsole Azure Serial Console


Microsoft.ServiceBus Service Bus

Microsoft.ServiceFabric Service Fabric

Microsoft.ServiceFabricMesh Service Fabric Mesh

Microsoft.SignalRService Azure SignalR Service

Microsoft.SiteRecovery Site Recovery

Microsoft.Solutions Azure Managed Applications

Microsoft.Sql Azure SQL Database, SQL Data Warehouse

Microsoft.SqlVirtualMachine SQL Server on Azure Virtual Machines

Microsoft.Storage Storage

Microsoft.StorageCache Azure HPC Cache

Microsoft.StorageSync Storage

Microsoft.StorSimple StorSimple

Microsoft.StreamAnalytics Stream Analytics

Microsoft.Subscription core

microsoft.support core

Microsoft.TimeSeriesInsights Time Series Insights

Microsoft.VirtualMachineImages Azure Image Builder

microsoft.visualstudio Azure DevOps

Microsoft.VMwareCloudSimple Azure VMware Solution by CloudSimple

Microsoft.Web App Service, Functions

Microsoft.WindowsIoT Windows 10 IoT Core Services

Microsoft.WorkloadMonitor Azure Monitor

Next steps
For more information about resource providers, see Azure resource providers and types.
Resources not limited to 800 instances per resource group
1/3/2020 • 2 minutes to read

By default, you can deploy up to 800 instances of a resource type in each resource group. However, some resource
types are exempt from the 800 instance limit. This article lists the Azure resource types that can have more than
800 instances in a resource group. All other resource types are limited to 800 instances.
For some resource types, you need to contact support to have the 800 instance limit removed. Those resource
types are noted in this article.

Microsoft.Automation
automationAccounts

Microsoft.AzureStack
registrations
registrations/customerSubscriptions
registrations/products

Microsoft.BotService
botServices - By default, limited to 800 instances. That limit can be increased by contacting support.

Microsoft.Compute
disks
images
snapshots
virtualMachines

Microsoft.ContainerInstance
containerGroups

Microsoft.ContainerRegistry
registries/buildTasks
registries/buildTasks/listSourceRepositoryProperties
registries/buildTasks/steps
registries/buildTasks/steps/listBuildArguments
registries/eventGridFilters
registries/replications
registries/tasks
registries/webhooks

Microsoft.DBforMariaDB
servers

Microsoft.DBforMySQL
servers

Microsoft.DBforPostgreSQL
serverGroups
servers
serversv2

Microsoft.EnterpriseKnowledgeGraph
services

Microsoft.EventHub
clusters
namespaces

Microsoft.Experimentation
experimentWorkspaces

Microsoft.GuestConfiguration
configurationProfileAssignments
guestConfigurationAssignments
software
softwareUpdateProfile
softwareUpdates

Microsoft.Logic
integrationAccounts
workflows

Microsoft.NetApp
netAppAccounts
netAppAccounts/capacityPools
netAppAccounts/capacityPools/volumes
netAppAccounts/capacityPools/volumes/mountTargets
netAppAccounts/capacityPools/volumes/snapshots

Microsoft.Network
applicationGatewayWebApplicationFirewallPolicies
applicationSecurityGroups
bastionHosts
ddosProtectionPlans
dnszones
dnszones/A
dnszones/AAAA
dnszones/CAA
dnszones/CNAME
dnszones/MX
dnszones/NS
dnszones/PTR
dnszones/SOA
dnszones/SRV
dnszones/TXT
dnszones/all
dnszones/recordsets
networkIntentPolicies
networkInterfaces
privateDnsZones
privateDnsZones/A
privateDnsZones/AAAA
privateDnsZones/CNAME
privateDnsZones/MX
privateDnsZones/PTR
privateDnsZones/SOA
privateDnsZones/SRV
privateDnsZones/TXT
privateDnsZones/all
privateDnsZones/virtualNetworkLinks
privateEndpoints
privateLinkServices
publicIPAddresses - By default, limited to 800 instances. That limit can be increased by contacting support.
serviceEndpointPolicies
trafficmanagerprofiles
virtualNetworkTaps

Microsoft.PortalSdk
rootResources

Microsoft.PowerBI
workspaceCollections - By default, limited to 800 instances. That limit can be increased by contacting support.

Microsoft.Relay
namespaces

Microsoft.Scheduler
jobcollections

Microsoft.ServiceBus
namespaces

Microsoft.ServiceFabricMesh
applications
containerGroups
gateways
networks
secrets
volumes

Microsoft.Storage
storageAccounts

Microsoft.Web
apiManagementAccounts/apis
sites

Next steps
For a complete list of quotas and limits, see Azure subscription and service limits, quotas, and constraints.
Move resources to a new resource group or subscription
1/10/2020 • 9 minutes to read

This article shows you how to move Azure resources to either another Azure subscription or another resource
group under the same subscription. You can use the Azure portal, Azure PowerShell, Azure CLI, or the REST API
to move resources.
Both the source group and the target group are locked during the move operation. Write and delete operations
are blocked on the resource groups until the move completes. This lock means you can't add, update, or delete
resources in the resource groups. It doesn't mean the resources are frozen. For example, if you move a SQL
Server and its database to a new resource group, an application that uses the database experiences no downtime.
It can still read and write to the database. The lock can last for a maximum of four hours, but most moves
complete in much less time.
Moving a resource only moves it to a new resource group or subscription. It doesn't change the location of the
resource.

Checklist before moving resources


There are some important steps to do before moving a resource. By verifying these conditions, you can avoid
errors.
1. The resources you want to move must support the move operation. For a list of which resources support
move, see Move operation support for resources.
2. Some services have specific limitations or requirements when moving resources. If you're moving any of
the following services, check that guidance before moving.
   - App Services move guidance
   - Azure DevOps Services move guidance
   - Classic deployment model move guidance - Classic Compute, Classic Storage, Classic Virtual
     Networks, and Cloud Services
   - Networking move guidance
   - Recovery Services move guidance
   - Virtual Machines move guidance
3. The source and destination subscriptions must be active. If you have trouble enabling an account that has
been disabled, create an Azure support request. Select Subscription Management for the issue type.
4. The source and destination subscriptions must exist within the same Azure Active Directory tenant. To
check that both subscriptions have the same tenant ID, use Azure PowerShell or Azure CLI.
For Azure PowerShell, use:

(Get-AzSubscription -SubscriptionName <your-source-subscription>).TenantId
(Get-AzSubscription -SubscriptionName <your-destination-subscription>).TenantId

For Azure CLI, use:

az account show --subscription <your-source-subscription> --query tenantId
az account show --subscription <your-destination-subscription> --query tenantId

If the tenant IDs for the source and destination subscriptions aren't the same, use the following methods to
reconcile the tenant IDs:
   - Transfer ownership of an Azure subscription to another account
   - How to associate or add an Azure subscription to Azure Active Directory
5. The destination subscription must be registered for the resource provider of the resource being moved. If
not, you receive an error stating that the subscription is not registered for a resource type. You might
see this error when moving a resource to a new subscription, but that subscription has never been used
with that resource type.
For PowerShell, use the following commands to get the registration status:

Set-AzContext -Subscription <destination-subscription-name-or-id>
Get-AzResourceProvider -ListAvailable | Select-Object ProviderNamespace, RegistrationState

To register a resource provider, use:

Register-AzResourceProvider -ProviderNamespace Microsoft.Batch

For Azure CLI, use the following commands to get the registration status:

az account set -s <destination-subscription-name-or-id>
az provider list --query "[].{Provider:namespace, Status:registrationState}" --out table

To register a resource provider, use:

az provider register --namespace Microsoft.Batch

6. The account moving the resources must have at least the following permissions:
   - Microsoft.Resources/subscriptions/resourceGroups/moveResources/action on the source resource group.
   - Microsoft.Resources/subscriptions/resourceGroups/write on the destination resource group.
7. Before moving the resources, check the subscription quotas for the subscription you're moving the
resources to. If moving the resources means the subscription will exceed its limits, you need to review
whether you can request an increase in the quota. For a list of limits and how to request an increase, see
Azure subscription and service limits, quotas, and constraints.
8. For a move across subscriptions, the resource and its dependent resources must be located in the
same resource group and they must be moved together. For example, a VM with managed disks
would require the VM and the managed disks to be moved together, along with other dependent
resources.
If you're moving a resource to a new subscription, check to see whether the resource has any dependent
resources, and whether they're located in the same resource group. If the resources aren't in the same
resource group, check to see whether the resources can be consolidated into the same resource group. If
so, bring all these resources into the same resource group by using a move operation across resource
groups.
For more information, see Scenario for move across subscriptions.
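
The tenant, provider-registration and same-resource-group checks from steps 4, 5 and 8 of the checklist, as an added Python example that is not part of the original article. It parses the resource IDs to move and compares them with the JSON printed by the az provider list query from step 5 (run with --out json). The function names, sample IDs and tenant values are constructed, and treating a provider that is absent from the list as NotRegistered is an assumption.

```python
import json


def parse_resource_id(resource_id):
    """Split an ARM resource ID into subscription, group, namespace, type and name."""
    parts = resource_id.strip("/").split("/")
    keys = [p.lower() for p in parts[0:5:2]]
    if len(parts) < 8 or len(parts) % 2 or keys != ["subscriptions", "resourcegroups", "providers"]:
        raise ValueError("not a resource-group-scoped resource ID: " + resource_id)
    tail = parts[6:]  # alternating type/name segments, e.g. dnszones/contoso.com/A/www
    return {
        "subscription": parts[1].lower(),
        "group": parts[3].lower(),
        "namespace": parts[5],
        "type": "/".join([parts[5]] + tail[0::2]),
        "name": "/".join(tail[1::2]),
    }


def preflight(resource_ids, source_tenant, dest_tenant, dest_subscription, dest_providers):
    """Return (checklist_step, message) findings; an empty list means all three checks pass."""
    findings = []
    parsed = [parse_resource_id(rid) for rid in resource_ids]

    # Step 4: both subscriptions must be in the same Azure Active Directory tenant.
    if source_tenant.strip().lower() != dest_tenant.strip().lower():
        findings.append((4, "source and destination subscriptions are in different tenants"))

    # Step 5: every provider namespace being moved must be registered in the destination.
    # Namespaces are compared case-insensitively (microsoft.insights vs Microsoft.Web).
    state = {p["Provider"].lower(): p["Status"] for p in dest_providers}
    for namespace in sorted({p["namespace"].lower() for p in parsed}):
        status = state.get(namespace, "NotRegistered")  # assumption: absent means not registered
        if status != "Registered":
            findings.append((5, f"{namespace} is {status} in the destination subscription"))

    # Step 8: a cross-subscription move needs everything in one source resource group.
    cross_subscription = any(p["subscription"] != dest_subscription.lower() for p in parsed)
    groups = sorted({p["group"] for p in parsed})
    if cross_subscription and len(groups) > 1:
        findings.append((8, "consolidate into one resource group first: " + ", ".join(groups)))
    return findings


# Constructed sample input. PROVIDERS_JSON has the shape of the step 5 query output.
SRC_SUB = "11111111-1111-1111-1111-111111111111"
DST_SUB = "22222222-2222-2222-2222-222222222222"
PROVIDERS_JSON = """[
  {"Provider": "Microsoft.Web", "Status": "Registered"},
  {"Provider": "microsoft.insights", "Status": "NotRegistered"}
]"""
RESOURCES = [
    f"/subscriptions/{SRC_SUB}/resourceGroups/OldRG/providers/Microsoft.Web/sites/ExampleSite",
    f"/subscriptions/{SRC_SUB}/resourceGroups/PlansRG/providers/Microsoft.Web/serverfarms/ExamplePlan",
    f"/subscriptions/{SRC_SUB}/resourceGroups/OldRG/providers/Microsoft.Insights/components/ExampleInsights",
]


def demo():
    """Run the checks on the constructed sample: different tenants, one unregistered provider."""
    return preflight(RESOURCES, "tenant-a", "tenant-b", DST_SUB, json.loads(PROVIDERS_JSON))


if __name__ == "__main__":
    for step, message in demo():
        print(f"checklist step {step}: {message}")
```
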

Scenario for move across subscriptions


Moving resources from one subscription to another is a three-step process:

For illustration purposes, we have only one dependent resource.


Step 1: If dependent resources are distributed across different resource groups, first move them into one
resource group.
Step 2: Move the resource and dependent resources together from the source subscription to the target
subscription.
Step 3: Optionally, redistribute the dependent resources to different resource groups within the target
subscription.

Validate move
The validate move operation lets you test your move scenario without actually moving the resources. Use this
operation to check if the move will succeed. Validation is automatically called when you send a move request. Use
this operation only when you need to predetermine the results. To run this operation, you need the:
- name of the source resource group
- resource ID of the target resource group
- resource ID of each resource to move
- the access token for your account
Send the following request:

POST https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<source-group>/validateMoveResources?api-version=2019-05-10
Authorization: Bearer <access-token>
Content-type: application/json

With a request body:


{
"resources": ["<resource-id-1>", "<resource-id-2>"],
"targetResourceGroup": "/subscriptions/<subscription-id>/resourceGroups/<target-group>"
}

If the request is formatted correctly, the operation returns:

Response Code: 202
cache-control: no-cache
pragma: no-cache
expires: -1
location: https://management.azure.com/subscriptions/<subscription-id>/operationresults/<operation-id>?api-version=2018-02-01
retry-after: 15
...

The 202 status code indicates the validation request was accepted, but it hasn't yet determined if the move
operation will succeed. The location value contains a URL that you use to check the status of the long-running
operation.
To check the status, send the following request:

GET <location-url>
Authorization: Bearer <access-token>

While the operation is still running, you continue to receive the 202 status code. Wait the number of seconds
indicated in the retry-after value before trying again. If the move operation validates successfully, you receive
the 204 status code. If the move validation fails, you receive an error message, such as:

{"error":{"code":"ResourceMoveProviderValidationFailed","message":"<message>"...}}
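
The validation flow described above (POST, follow the location URL, wait for retry-after, stop at 204 or an error body), as an added Python example that is not code from the original article. The transport is injectable so the constructed replies in the block stand in for Azure; the host check on the location URL, the max_polls limit and the 409 status of the sample failure are assumptions of this example.

```python
import json
import time
import urllib.error
import urllib.request
from urllib.parse import urlsplit

ARM_HOST = "management.azure.com"
API_VERSION = "2019-05-10"  # api-version used in the validate request above


def http_send(method, url, token, body=None):
    """Live transport: returns (status, lower-cased headers, body text)."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", "Bearer " + token)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read().decode()
    except urllib.error.HTTPError as err:  # error responses still carry the JSON error body
        return err.code, {k.lower(): v for k, v in err.headers.items()}, err.read().decode()


def checked_location(url):
    """Only poll URLs on the ARM host, so the bearer token is never sent elsewhere."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != ARM_HOST:
        raise ValueError("refusing to send the access token to " + repr(url))
    return url


def retry_after(headers, default=15):
    try:
        return max(0, int(headers.get("retry-after", default)))
    except ValueError:  # Retry-After may also be an HTTP date; fall back to the default
        return default


def parse_error(status, text):
    try:
        err = json.loads(text)["error"]
        return {"code": err["code"], "message": err.get("message")}
    except (ValueError, KeyError, TypeError, AttributeError):
        return {"code": "HTTP %d" % status, "message": text}


def validate_move(subscription_id, source_group, target_group_id, resource_ids,
                  token, send=http_send, sleep=time.sleep, max_polls=40):
    """Run validateMoveResources and poll until it finishes. Returns a result dict."""
    url = (f"https://{ARM_HOST}/subscriptions/{subscription_id}/resourceGroups/"
           f"{source_group}/validateMoveResources?api-version={API_VERSION}")
    body = {"resources": list(resource_ids), "targetResourceGroup": target_group_id}
    status, headers, text = send("POST", url, token, body)
    location, polls = None, 0
    while status == 202:  # accepted, outcome not known yet
        location = headers.get("location", location)
        if location is None:
            raise RuntimeError("202 response without a location header")
        checked_location(location)
        if polls >= max_polls:
            raise TimeoutError("validation still running after %d polls" % polls)
        sleep(retry_after(headers))
        status, headers, text = send("GET", location, token)
        polls += 1
    if status == 204:  # validation succeeded
        return {"ok": True, "code": None, "message": None, "polls": polls}
    return {"ok": False, "polls": polls, **parse_error(status, text)}


# --- Constructed replies standing in for Azure, so the example runs offline ---
LOCATION = f"https://{ARM_HOST}/subscriptions/SUB/operationresults/OP?api-version=2018-02-01"
PENDING = (202, {"location": LOCATION, "retry-after": "15"}, "")
FAILURE = '{"error":{"code":"ResourceMoveProviderValidationFailed","message":"constructed"}}'


def fake_arm(replies):
    """Return a send() that replays canned replies, plus the list of calls it saw."""
    queue, calls = list(replies), []

    def send(method, url, token, body=None):
        calls.append((method, url))
        return queue.pop(0)
    return send, calls


def demo():
    ids = ["/subscriptions/SUB/resourceGroups/OldRG/providers/Microsoft.Web/sites/ExampleSite"]
    target, waits = "/subscriptions/SUB/resourceGroups/NewRG", []
    send, calls = fake_arm([PENDING, PENDING, (204, {}, "")])
    passed = validate_move("SUB", "OldRG", target, ids, "TOKEN", send, waits.append)
    send, _ = fake_arm([PENDING, (409, {}, FAILURE)])
    failed = validate_move("SUB", "OldRG", target, ids, "TOKEN", send, waits.append)
    return passed, failed, calls, waits


if __name__ == "__main__":
    print(demo()[:2])
```
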

Use the portal


To move resources, select the resource group with those resources, and then select the Move button.

Select whether you're moving the resources to a new resource group or a new subscription.
Select the resources to move and the destination resource group. Acknowledge that you need to update scripts
for these resources and select OK. If you selected the edit subscription icon in the previous step, you must also
select the destination subscription.
In Notifications, you see that the move operation is running.

When it has completed, you're notified of the result.

If you get an error, see Troubleshoot moving Azure resources to new resource group or subscription.

Use Azure PowerShell
To move existing resources to another resource group or subscription, use the Move-AzResource command. The
following example shows how to move several resources to a new resource group.

$webapp = Get-AzResource -ResourceGroupName OldRG -ResourceName ExampleSite
$plan = Get-AzResource -ResourceGroupName OldRG -ResourceName ExamplePlan
Move-AzResource -DestinationResourceGroupName NewRG -ResourceId $webapp.ResourceId, $plan.ResourceId

To move to a new subscription, include a value for the DestinationSubscriptionId parameter.


If you get an error, see Troubleshoot moving Azure resources to new resource group or subscription.

Use Azure CLI


To move existing resources to another resource group or subscription, use the az resource move command.
Provide the resource IDs of the resources to move. The following example shows how to move several resources
to a new resource group. In the --ids parameter, provide a space-separated list of the resource IDs to move.

webapp=$(az resource show -g OldRG -n ExampleSite --resource-type "Microsoft.Web/sites" --query id --output tsv)
plan=$(az resource show -g OldRG -n ExamplePlan --resource-type "Microsoft.Web/serverfarms" --query id --output tsv)
az resource move --destination-group newgroup --ids $webapp $plan

To move to a new subscription, provide the --destination-subscription-id parameter.


If you get an error, see Troubleshoot moving Azure resources to new resource group or subscription.

Use REST API


To move existing resources to another resource group or subscription, use the Move resources operation.

POST https://management.azure.com/subscriptions/{source-subscription-id}/resourcegroups/{source-resource-group-name}/moveResources?api-version={api-version}

In the request body, you specify the target resource group and the resources to move.

{
"resources": ["<resource-id-1>", "<resource-id-2>"],
"targetResourceGroup": "/subscriptions/<subscription-id>/resourceGroups/<target-group>"
}

If you get an error, see Troubleshoot moving Azure resources to new resource group or subscription.

Frequently asked questions


Question: My resource move operation, which usually takes a few minutes, has been running for
almost an hour. Is there something wrong?
Moving a resource is a complex operation that has different phases. It can involve more than just the resource
provider of the resource you're trying to move. Because of the dependencies between resource providers, Azure
Resource Manager allows 4 hours for the operation to complete. This time period gives resource providers a
chance to recover from transient issues. If your move request is within the 4-hour period, the operation keeps
trying to complete and may still succeed. The source and destination resource groups are locked during this time
to avoid consistency issues.
Question: Why is my resource group locked for 4 hours during resource move?
The 4-hour window is the maximum time allowed for resource move. To prevent modifications on the resources
being moved, both the source and destination resource groups are locked for the duration of the resource move.
There are two phases in a move request. In the first phase, the resource is moved. In the second phase,
notifications are sent to other resource providers that are dependent on the resource being moved. A resource
group can be locked for the entire 4-hour window when a resource provider fails either phase. During the
allowed time, Resource Manager retries the failed step.
If a resource can't be moved within the 4-hour window, Resource Manager unlocks both resource groups.
Resources that were successfully moved are in the destination resource group. Resources that failed to move are
left in the source resource group.
Question: What are the implications of the source and destination resource groups being locked
during the resource move?
The lock prevents you from deleting either resource group, creating a new resource in either resource group, or
deleting any of the resources involved in the move.
The following image shows an error message from the Azure portal when a user tries to delete a resource group
that is part of an ongoing move.

Question: What does the error code "MissingMoveDependentResources" mean?


When moving a resource, its dependent resources must either exist in the destination resource group or
subscription, or be included in the move request. You get the MissingMoveDependentResources error code when
a dependent resource doesn't meet this requirement. The error message has details about the dependent
resource that needs to be included in the move request.
For example, moving a virtual machine could require moving seven resource types with three different resource
providers. Those resource providers and types are:
Microsoft.Compute
  virtualMachines
  disks
Microsoft.Network
  networkInterfaces
  publicIPAddresses
  networkSecurityGroups
  virtualNetworks
Microsoft.Storage
  storageAccounts
Another common example involves moving a virtual network. You may have to move several other resources
associated with that virtual network. The move request could require moving public IP addresses, route tables,
virtual network gateways, network security groups, and others.
Question: Why can’t I move some resources in Azure?
Currently, not all resources in Azure support move. For a list of resources that support move, see Move operation
support for resources.

Next steps
For a list of which resources support move, see Move operation support for resources.
Move operation support for resources
1/17/2020 • 15 minutes to read

This article lists whether an Azure resource type supports the move operation. It also provides information about
special conditions to consider when moving a resource.

Microsoft.AAD
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

domainservices No No

microsoft.aadiam
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

tenants No No

Microsoft.Advisor
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

configurations No No

recommendations No No

suppressions No No

Microsoft.AlertsManagement
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

actionrules Yes Yes

alerts No No

alertssummary No No

smartdetectoralertrules Yes Yes

Microsoft.AnalysisServices
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

servers Yes Yes

Microsoft.ApiManagement
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

service Yes Yes

Microsoft.AppConfiguration
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

configurationstores Yes Yes

Microsoft.AppPlatform
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

spring Yes Yes

Microsoft.AppService
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

apiapps No No

appidentities No No

gateways No No

IMPORTANT
See App Service move guidance.

Microsoft.Authorization
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

checkaccess No No

denyassignments No No

findorphanroleassignments No No

locks No No

permissions No No

policyassignments No No

policydefinitions No No

policysetdefinitions No No

roleassignments No No

roleassignmentsusagemetrics No No

roledefinitions No No

Microsoft.Automation
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

automationaccounts Yes Yes

automationaccounts / configurations Yes Yes

automationaccounts / runbooks Yes Yes

IMPORTANT
Runbooks must exist in the same resource group as the Automation Account.

Microsoft.AzureActiveDirectory
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

b2cdirectories Yes Yes

Microsoft.AzureData
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

hybriddatamanagers No No

postgresinstances No No

sqlbigdataclusters No No

sqlinstances No No

sqlserverregistrations Yes Yes


Microsoft.AzureStack
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

registrations Yes Yes

Microsoft.Batch
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

batchaccounts Yes Yes

Microsoft.BatchAI
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

clusters No No

fileservers No No

jobs No No

workspaces No No

Microsoft.Billing
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

billingperiods No No

billingpermissions No No

billingroleassignments No No

billingroledefinitions No No

createbillingroleassignment No No

Microsoft.BingMaps
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

mapapis No No

Microsoft.BizTalkServices
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

biztalk No No
Microsoft.Blockchain
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

blockchainmembers No No

watchers No No

Microsoft.Blueprint
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

blueprintassignments No No

blueprints No No

Microsoft.BotService
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

botservices Yes Yes

Microsoft.Cache
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

redis Yes Yes

IMPORTANT
If the Azure Cache for Redis instance is configured with a virtual network, the instance can't be moved to a different
subscription. See Networking move limitations.

Microsoft.Cdn
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

cdnwebapplicationfirewallpolicies Yes Yes

profiles Yes Yes

profiles / endpoints Yes Yes

Microsoft.CertificateRegistration
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

certificateorders Yes Yes


IMPORTANT
See App Service move guidance.

Microsoft.ClassicCompute
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

domainnames Yes No

virtualmachines Yes No

IMPORTANT
See Classic deployment move guidance. Classic deployment resources can be moved across subscriptions with an operation
specific to that scenario.

Microsoft.ClassicNetwork
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

networksecuritygroups No No

reservedips No No

virtualnetworks No No

IMPORTANT
See Classic deployment move guidance. Classic deployment resources can be moved across subscriptions with an operation
specific to that scenario.

Microsoft.ClassicStorage
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

storageaccounts Yes No

IMPORTANT
See Classic deployment move guidance. Classic deployment resources can be moved across subscriptions with an operation
specific to that scenario.

Microsoft.CognitiveServices
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

accounts Yes Yes


Microsoft.Compute
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

availabilitysets Yes Yes

diskencryptionsets No No

disks Yes Yes

galleries No No

galleries / images No No

galleries / images / versions No No

hostgroups No No

hostgroups / hosts No No

images Yes Yes

proximityplacementgroups No No

restorepointcollections No No

sharedvmimages No No

sharedvmimages / versions No No

snapshots Yes Yes

virtualmachines Yes Yes

virtualmachines / extensions Yes Yes

virtualmachinescalesets Yes Yes

IMPORTANT
See Virtual Machines move guidance.

Microsoft.Consumption
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

aggregatedcost No No

balances No No

budgets No No

charges No No

costtags No No

credits No No

events No No

forecasts No No

lots No No

marketplaces No No

operationresults No No

operationstatus No No

pricesheets No No

products No No

reservationdetails No No

reservationrecommendations No No

reservationsummaries No No

reservationtransactions No No

tags No No

tenants No No

terms No No

usagedetails No No

Microsoft.Container
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

containergroups No No

Microsoft.ContainerInstance
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

containergroups No No

serviceassociationlinks No No

Microsoft.ContainerRegistry
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

registries Yes Yes

registries / buildtasks Yes Yes

registries / replications Yes Yes

registries / taskruns Yes Yes

registries / tasks Yes Yes

registries / webhooks Yes Yes

Microsoft.ContainerService
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

containerservices No No

managedclusters No No

openshiftmanagedclusters No No

Microsoft.ContentModerator
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

applications No No

Microsoft.CortanaAnalytics
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

accounts No No

Microsoft.CostManagement
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

alerts No No

budgets No No

connectors Yes Yes

dimensions No No

exports No No

externalsubscriptions No No

forecast No No

query No No

reportconfigs No No

reports No No

showbackrules No No

views No No

Microsoft.CustomerInsights
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

hubs No No

Microsoft.CustomProviders
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

associations No No

resourceproviders Yes Yes

Microsoft.DataBox
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

jobs No No

Microsoft.DataBoxEdge
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

databoxedgedevices No No

Microsoft.Databricks
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

workspaces No No

Microsoft.DataCatalog
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

catalogs Yes Yes

datacatalogs No No

Microsoft.DataConnect
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

connectionmanagers No No

Microsoft.DataExchange
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

packages No No

plans No No

Microsoft.DataFactory
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

datafactories Yes Yes

factories Yes Yes

Microsoft.DataLake
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

datalakeaccounts No No

Microsoft.DataLakeAnalytics
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

accounts Yes Yes

Microsoft.DataLakeStore
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

accounts Yes Yes

Microsoft.DataMigration
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

services No No

services / projects No No

slots No No

Microsoft.DataProtection
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

backupvaults No No

Microsoft.DataShare
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

accounts Yes Yes

Microsoft.DBforMariaDB
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

servers Yes Yes

Microsoft.DBforMySQL
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

servers Yes Yes

Microsoft.DBforPostgreSQL
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

servergroups No No

servers Yes Yes

serversv2 Yes Yes

Microsoft.DeploymentManager
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

artifactsources Yes Yes

rollouts Yes Yes

servicetopologies Yes Yes

servicetopologies / services Yes Yes

servicetopologies / services / serviceunits Yes Yes

steps Yes Yes

Microsoft.Devices
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

elasticpools No No

elasticpools / iothubtenants No No

iothubs Yes Yes

provisioningservices Yes Yes

Microsoft.DevOps
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

pipelines Yes Yes

Microsoft.DevSpaces
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

controllers Yes Yes

Microsoft.DevTestLab
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

labcenters No No

labs Yes No

labs / environments Yes Yes



labs / servicerunners Yes Yes

labs / virtualmachines Yes No

schedules Yes Yes

Microsoft.DocumentDB
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

databaseaccounts Yes Yes

Microsoft.DomainRegistration
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

domains Yes Yes

Microsoft.EnterpriseKnowledgeGraph
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

services Yes Yes

Microsoft.EventGrid
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

domains Yes Yes

eventSubscriptions No - can't be moved independently but automatically moved with subscribed resource. No - can't be moved independently but automatically moved with subscribed resource.

eventsubscriptions No - can't be moved independently but automatically moved with subscribed resource. No - can't be moved independently but automatically moved with subscribed resource.

extensiontopics No No

topics Yes Yes

Microsoft.EventHub
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

clusters Yes Yes



namespaces Yes Yes

Microsoft.Genomics
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

accounts No No

Microsoft.GuestConfiguration
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

guestconfigurationassignments No No

software No No

softwareupdateprofile No No

softwareupdates No No

Microsoft.HanaOnAzure
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

hanainstances No No

sapmonitors Yes Yes

Microsoft.HDInsight
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

clusters Yes Yes

IMPORTANT
You can move HDInsight clusters to a new subscription or resource group. However, you can't move across subscriptions the
networking resources linked to the HDInsight cluster (such as the virtual network, NIC, or load balancer). In addition, you
can't move to a new resource group a NIC that is attached to a virtual machine for the cluster.
When moving an HDInsight cluster to a new subscription, first move other resources (like the storage account). Then, move
the HDInsight cluster by itself.

Microsoft.HealthcareApis
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

services Yes Yes

Microsoft.HybridCompute
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

machines Yes Yes

machines / extensions No No

Microsoft.HybridData
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

datamanagers Yes Yes

Microsoft.ImportExport
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

jobs Yes Yes

microsoft.insights
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

actiongroups Yes Yes

activitylogalerts No No

alertrules Yes Yes

automatedexportsettings No No

autoscalesettings Yes Yes

baseline No No

calculatebaseline No No

components Yes Yes

diagnosticsettings No No

diagnosticsettingscategories No No

eventtypes No No

extendeddiagnosticsettings No No

logdefinitions No No

logs No No

metricalerts No No

metricbaselines No No

metricdefinitions No No

metricnamespaces No No

metrics No No

myworkbooks No No

scheduledqueryrules Yes Yes

topology No No

transactions No No

vminsightsonboardingstatuses No No

webtests Yes Yes

workbooks Yes Yes

workbooktemplates Yes Yes

IMPORTANT
Make sure moving to a new subscription doesn't exceed subscription quotas.

Microsoft.IoTCentral
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

iotapps Yes Yes

Microsoft.IoTSpaces
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

checknameavailability Yes Yes



graph Yes Yes

Microsoft.KeyVault
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

vaults Yes Yes

IMPORTANT
Key Vaults used for disk encryption can't be moved to a resource group in the same subscription or across subscriptions.

Microsoft.Kubernetes
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

connectedclusters No No

Microsoft.Kusto
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

clusters Yes Yes

Microsoft.LabServices
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

labaccounts No No

Microsoft.LocationBasedServices
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

accounts No No

Microsoft.LocationServices
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

accounts No No

Microsoft.Logic
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

hostingenvironments No No

integrationaccounts Yes Yes

integrationserviceenvironments Yes No

integrationserviceenvironments / managedapis Yes No

isolatedenvironments No No

workflows Yes Yes

Microsoft.MachineLearning
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

commitmentplans Yes Yes

webservices Yes No

workspaces Yes Yes

Microsoft.MachineLearningCompute
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

operationalizationclusters No No

Microsoft.MachineLearningExperimentation
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

accounts No No

accounts / workspaces No No

accounts / workspaces / projects No No

teamaccounts No No

teamaccounts / workspaces No No

teamaccounts / workspaces / projects No No

Microsoft.MachineLearningModelManagement
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

accounts No No

Microsoft.MachineLearningOperationalization
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

hostingaccounts No No

Microsoft.MachineLearningServices
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

workspaces No No

Microsoft.ManagedIdentity
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

identities No No

userassignedidentities No No

Microsoft.ManagedServices
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

registrationassignments No No

registrationdefinitions No No

Microsoft.Maps
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

accounts Yes Yes

Microsoft.MarketplaceApps
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

classicdevservices No No

Microsoft.Media
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

mediaservices Yes Yes

mediaservices / liveevents Yes Yes

mediaservices / streamingendpoints Yes Yes

Microsoft.Microservices4Spring
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

appclusters No No

Microsoft.Migrate
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

assessmentprojects Yes Yes

migrateprojects Yes Yes

projects No No

Microsoft.NetApp
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

netappaccounts No No

netappaccounts / backuppolicies No No

netappaccounts / capacitypools No No

netappaccounts / capacitypools / volumes No No

netappaccounts / capacitypools / volumes / mounttargets No No

netappaccounts / capacitypools / volumes / snapshots No No

Microsoft.Network
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

applicationgateways No No

applicationgatewaywebapplicationfirewallpolicies No No

applicationsecuritygroups Yes Yes

azurefirewalls Yes Yes

bastionhosts No No

connections Yes Yes

ddoscustompolicies Yes Yes

ddosprotectionplans No No

dnszones Yes Yes

expressroutecircuits No No

expressroutegateways No No

frontdoors No No

frontdoorwebapplicationfirewallpolicies No No

loadbalancers Yes - Basic SKU; No - Standard SKU Yes - Basic SKU; No - Standard SKU

localnetworkgateways Yes Yes

networkexperimentprofiles Yes Yes

networkintentpolicies Yes Yes

networkinterfaces Yes Yes

networkprofiles No No

networksecuritygroups Yes Yes

networkwatchers Yes Yes

networkwatchers / connectionmonitors Yes Yes

networkwatchers / flowlogs Yes Yes

networkwatchers / lenses Yes Yes

networkwatchers / pingmeshes Yes Yes



p2svpngateways No No

privatednszones Yes Yes

privatednszones / virtualnetworklinks Yes Yes

privateendpointredirectmaps No No

privateendpoints No No

privatelinkservices No No

publicipaddresses Yes - Basic SKU; No - Standard SKU Yes - Basic SKU; No - Standard SKU

publicipprefixes Yes Yes

routefilters No No

routetables Yes Yes

serviceendpointpolicies Yes Yes

trafficmanagerprofiles Yes Yes

virtualhubs No No

virtualnetworkgateways Yes Yes

virtualnetworks Yes Yes

virtualnetworktaps No No

virtualrouters Yes Yes

virtualwans No No

vpngateways (Virtual WAN) No No

vpnserverconfigurations No No

vpnsites (Virtual WAN) No No

webapplicationfirewallpolicies Yes Yes

IMPORTANT
See Networking move guidance.
Microsoft.NotificationHubs
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

namespaces Yes Yes

namespaces / notificationhubs Yes Yes

Microsoft.ObjectStore
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

osnamespaces Yes Yes

Microsoft.OperationalInsights
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

storageinsightconfigs No No

workspaces Yes Yes

IMPORTANT
Make sure moving to a new subscription doesn't exceed subscription quotas.

Microsoft.OperationsManagement
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

managementassociations No No

managementconfigurations Yes Yes

solutions Yes Yes

views Yes Yes

Microsoft.Peering
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

peerings Yes Yes

peeringservices No No

Microsoft.PolicyInsights
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

policyevents No No

policystates No No

policytrackedresources No No

remediations No No

Microsoft.Portal
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

dashboards Yes Yes

Microsoft.PortalSdk
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

rootresources No No

Microsoft.PowerBI
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

workspacecollections Yes Yes

Microsoft.PowerBIDedicated
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

capacities Yes Yes

Microsoft.ProjectBabylon
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

accounts No No

Microsoft.ProjectOxford
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

accounts No No

Microsoft.ProviderHub
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

rollouts No No

Microsoft.RecoveryServices
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

backupprotecteditems No No

replicationeligibilityresults No No

vaults Yes Yes

IMPORTANT
See Recovery Services move guidance.

Microsoft.Relay
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

namespaces Yes Yes

Microsoft.ResourceGraph
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

queries Yes Yes

Microsoft.ResourceHealth
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

availabilitystatuses No No

childavailabilitystatuses No No

childresources No No

events No No

notifications No No

Microsoft.Resources
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

deploymentscripts No No

links No No

tags No No

Microsoft.SaaS
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

applications Yes No

Microsoft.Scheduler
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

jobcollections Yes Yes

Microsoft.Search
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

searchservices Yes Yes

IMPORTANT
You can't move several Search resources in different regions in one operation. Instead, move them in separate operations.

Microsoft.Security
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

adaptivenetworkhardenings No No

advancedthreatprotectionsettings No No

assessmentmetadata No No

assessments No No

automations Yes Yes

complianceresults No No

compliances No No

datacollectionagents No No

datacollectionresults No No

devicesecuritygroups No No

informationprotectionpolicies No No

iotsecuritysolutions Yes Yes

servervulnerabilityassessments No No

Microsoft.SecurityInsights
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

aggregations No No

alertrules No No

alertruletemplates No No

bookmarks No No

cases No No

dataconnectors No No

entities No No

entityqueries No No

officeconsents No No

settings No No

Microsoft.ServerManagement
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

gateways No No

nodes No No

Microsoft.ServiceBus
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

namespaces Yes Yes


Microsoft.ServiceFabric
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

applications No No

clusters Yes Yes

clusters / applications No No

containergroups No No

containergroupsets No No

edgeclusters No No

networks No No

secretstores No No

volumes No No

Microsoft.ServiceFabricMesh
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

applications Yes Yes

gateways Yes Yes

networks Yes Yes

secrets Yes Yes

volumes Yes Yes

Microsoft.Services
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

rollouts No No

Microsoft.SignalRService
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

signalr Yes Yes

Microsoft.SoftwarePlan
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

hybridusebenefits No No

Microsoft.Solutions
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

applicationdefinitions No No

applications No No

jitrequests No No

Microsoft.Sql
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

instancepools No No

managedinstances No No

managedinstances / databases No No

servers Yes Yes

servers / databases Yes Yes

servers / elasticpools Yes Yes

virtualclusters Yes Yes

IMPORTANT
A database and server must be in the same resource group. When you move a SQL server, all its databases are also moved.
This behavior applies to Azure SQL Database and Azure SQL Data Warehouse databases.

Microsoft.SqlVirtualMachine
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

sqlvirtualmachinegroups Yes Yes

sqlvirtualmachines Yes Yes

Microsoft.SqlVM
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

dwvm No No

Microsoft.Storage
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

storageaccounts Yes Yes

Microsoft.StorageSync
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

storagesyncservices Yes Yes

Microsoft.StorageSyncDev
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

storagesyncservices No No

Microsoft.StorageSyncInt
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

storagesyncservices No No

Microsoft.StorSimple
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

managers No No

Microsoft.StreamAnalytics
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

streamingjobs Yes Yes

IMPORTANT
Stream Analytics jobs can't be moved when in running state.

Microsoft.StreamAnalyticsExplorer
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

environments No No

environments / eventsources No No

instances No No

instances / environments No No

instances / environments / eventsources No No

Microsoft.Subscription
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

createsubscription No No

microsoft.support
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

createsupportticket No No

supporttickets No No

Microsoft.TerraformOSS
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

providerregistrations No No

resources No No

Microsoft.TimeSeriesInsights
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

environments Yes Yes

environments / eventsources Yes Yes

environments / referencedatasets Yes Yes

Microsoft.Token
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

stores Yes Yes


Microsoft.VMwareCloudSimple
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

dedicatedcloudnodes No No

dedicatedcloudservices No No

virtualmachines No No

Microsoft.VSOnline
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

accounts Yes Yes

plans Yes Yes

Microsoft.Web
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

certificates No Yes

connectiongateways Yes Yes

connections Yes Yes

customapis Yes Yes

hostingenvironments No No

serverfarms Yes Yes

sites Yes Yes

sites / premieraddons Yes Yes

sites / slots Yes Yes

staticsites No No

IMPORTANT
See App Service move guidance.

Microsoft.WindowsIoT
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

deviceservices No No

Microsoft.WorkloadMonitor
RESOURCE TYPE RESOURCE GROUP SUBSCRIPTION

components No No

monitorinstances No No

monitors No No

notificationsettings No No

Third-party services
Third-party services currently don't support the move operation.

Next steps
For commands to move resources, see Move resources to new resource group or subscription.
To get the same data as a file of comma-separated values, download move-support-resources.csv.
Troubleshoot moving Azure resources to new
resource group or subscription
1/10/2020 • 2 minutes to read

This article provides suggestions to help resolve problems when moving resources.

Upgrade a subscription
If you actually want to upgrade your Azure subscription (such as switching from free to pay-as-you-go), you need
to convert your subscription.
To upgrade a free trial, see Upgrade your Free Trial or Microsoft Imagine Azure subscription to Pay-As-You-Go.
To change a pay-as-you-go account, see Change your Azure Pay-As-You-Go subscription to a different offer.
If you can't convert the subscription, create an Azure support request. Select Subscription Management for the
issue type.

Service limitations
Some services require additional considerations when moving resources. If you're moving the following services,
make sure you check the guidance and limitations.
App Services
Azure DevOps Services
Classic deployment model
Networking
Recovery Services
Virtual Machines

Large requests
When possible, break large moves into separate move operations. Resource Manager immediately returns an error
when there are more than 800 resources in a single operation. However, moving fewer than 800 resources may also
fail by timing out.
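A pre-flight check for a move request, as an added example that is not part of the original documentation. It applies two rules stated on this page: the MissingMoveDependentResources requirement (each dependent resource is either in the request or already in the destination) and the 800-resource limit per operation. The dependency map, the resource IDs and the function names are constructed for illustration, and following dependencies transitively is a conservative assumption.

```python
from collections import deque

MAX_RESOURCES_PER_MOVE = 800  # more than this in one operation is rejected immediately


def norm_id(resource_id):
    """Azure resource IDs are case-insensitive, so compare them lowercased."""
    return resource_id.strip().rstrip("/").lower()


def missing_dependents(move_ids, destination_ids, depends_on):
    """Return sorted (missing_id, required_by) pairs.

    A dependency is missing when it is neither part of the move request nor
    already present in the destination. depends_on maps a resource ID to the
    IDs it depends on and is supplied by the caller (assumption of this example).
    """
    moving = {norm_id(r) for r in move_ids}
    present = {norm_id(r) for r in destination_ids}
    graph = {norm_id(k): [norm_id(v) for v in deps] for k, deps in depends_on.items()}
    missing = {}
    seen = set(moving)
    queue = deque(sorted(moving))
    while queue:
        current = queue.popleft()
        for dep in graph.get(current, ()):
            if dep in present or dep in seen:
                continue
            seen.add(dep)
            missing[dep] = current
            queue.append(dep)  # a missing dependency's own dependencies count too
    return sorted(missing.items())


def preflight(move_ids, destination_ids, depends_on):
    """Summarise what has to change before the request is submitted."""
    moving = {norm_id(r) for r in move_ids}
    missing = missing_dependents(move_ids, destination_ids, depends_on)
    total = len(moving) + len(missing)
    return {
        "missing": missing,
        "request_size": len(moving),
        "size_with_dependents": total,
        "over_limit": total > MAX_RESOURCES_PER_MOVE,
    }


def _rid(group, provider, rtype, name):
    # Constructed resource ID with a placeholder subscription GUID.
    return ("/subscriptions/00000000-0000-0000-0000-000000000000"
            f"/resourceGroups/{group}/providers/{provider}/{rtype}/{name}")


# Constructed sample: a VM and its disk are requested, the NIC and NSG are not.
VM = _rid("rg-src", "Microsoft.Compute", "virtualMachines", "vm1")
DISK = _rid("rg-src", "Microsoft.Compute", "disks", "vm1-os")
NIC = _rid("rg-src", "Microsoft.Network", "networkInterfaces", "nic1")
NSG = _rid("rg-src", "Microsoft.Network", "networkSecurityGroups", "nsg1")
VNET = _rid("rg-dst", "Microsoft.Network", "virtualNetworks", "vnet1")
# The upper-cased reference checks that ID comparison ignores case.
DEPENDS_ON = {VM: [DISK, NIC], NIC: [NSG, VNET.upper()]}

if __name__ == "__main__":
    report = preflight([VM, DISK], [VNET], DEPENDS_ON)
    for resource, required_by in report["missing"]:
        print(f"add to request: {resource}\n  required by: {required_by}")
    print("over limit:", report["over_limit"])
```
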

Resource not in succeeded state


When you get an error message that indicates a resource can't be moved because it isn't in a succeeded state, it
may actually be a dependent resource that is blocking the move. Typically, the error code is
MoveCannotProceedWithResourcesNotInSucceededState.
If the source or target resource group contains a virtual network, the states of all dependent resources for the
virtual network are checked during the move. The check includes those resources directly and indirectly dependent
on the virtual network. If any of those resources are in a failed state, the move is blocked. For example, if a virtual
machine that uses the virtual network has failed, the move is blocked. The move is blocked even when the virtual
machine isn't one of the resources being moved and isn't in one of the resource groups for the move.
When you receive this error, you have two options. Either move your resources to a resource group that doesn't
have a virtual network, or contact support.
Next steps
For commands to move resources, see Move resources to new resource group or subscription.
Move guidance for App Service resources
12/23/2019 • 2 minutes to read

This article describes the steps to move App Service resources. There are specific requirements for moving App
Service resources to a new subscription.

Move across subscriptions


When moving a Web App across subscriptions, the following guidance applies:
The destination resource group must not have any existing App Service resources. App Service resources
include:
  Web Apps
  App Service plans
  Uploaded or imported SSL certificates
  App Service Environments
All App Service resources in the resource group must be moved together. Note that App Service Environments
can't be moved to a new resource group or to a new subscription.
You can move a certificate bound to a web app without deleting the SSL bindings, as long as the certificate is
moved with all other resources in the resource group.
App Service resources can only be moved from the resource group in which they were originally created. If an
App Service resource is no longer in its original resource group, move it back to its original resource group.
Then, move the resource across subscriptions.
If you don't remember the original resource group, you can find it through diagnostics. For your web app, select
Diagnose and solve problems. Then, select Configuration and Management.

Select Migration Options.


Select the option for recommended steps to move the web app.

You see the recommended actions to take before moving the resources. The information includes the original
resource group for the web app.

Move support
To determine which App Service resources can be moved, see move support status for:
Microsoft.AppService
Microsoft.CertificateRegistration
Microsoft.DomainRegistration
Microsoft.Web

Next steps
For commands to move resources, see Move resources to new resource group or subscription.
Move guidance for Classic deployment model
resources
12/23/2019 • 2 minutes to read

The steps to move resources deployed through the classic model differ based on whether you're moving the
resources within a subscription or to a new subscription.

Move in the same subscription


When moving resources from one resource group to another resource group within the same subscription, the
following restrictions apply:
Virtual networks (classic) can't be moved.
Virtual machines (classic) must be moved with the cloud service.
Cloud service can only be moved when the move includes all its virtual machines.
Only one cloud service can be moved at a time.
Only one storage account (classic) can be moved at a time.
Storage account (classic) can't be moved in the same operation with a virtual machine or a cloud service.
To move classic resources to a new resource group within the same subscription, use the standard move
operations through the portal, Azure PowerShell, Azure CLI, or REST API. You use the same operations as you
use for moving Resource Manager resources.

Move across subscriptions


When moving resources to a new subscription, the following restrictions apply:
All classic resources in the subscription must be moved in the same operation.
The target subscription must not have any other classic resources.
The move can only be requested through a separate REST API for classic moves. The standard Resource
Manager move commands don't work when moving classic resources to a new subscription.
To move classic resources to a new subscription, use the REST operations that are specific to classic resources. To
use REST, do the following steps:
1. Check if the source subscription can participate in a cross-subscription move. Use the following operation:

POST https://management.azure.com/subscriptions/{sourceSubscriptionId}/providers/Microsoft.ClassicCompute/validateSubscriptionMoveAvailability?api-version=2016-04-01

In the request body, include:

{
"role": "source"
}

The response for the validation operation is in the following format:


{
"status": "{status}",
"reasons": [
"reason1",
"reason2"
]
}

2. Check if the destination subscription can participate in a cross-subscription move. Use the following
operation:

POST https://management.azure.com/subscriptions/{destinationSubscriptionId}/providers/Microsoft.ClassicCompute/validateSubscriptionMoveAvailability?api-version=2016-04-01

In the request body, include:

{
"role": "target"
}

The response is in the same format as the source subscription validation.


3. If both subscriptions pass validation, move all classic resources from one subscription to another
subscription with the following operation:

POST https://management.azure.com/subscriptions/{subscription-id}/providers/Microsoft.ClassicCompute/moveSubscriptionResources?api-version=2016-04-01

In the request body, include:

{
"target": "/subscriptions/{target-subscription-id}"
}

The operation may run for several minutes.
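
The three REST calls above can be chained so that the move is only sent when both validations pass. The following Python sketch is an added example, not code from the original documentation. It assumes bearer-token authentication, assumes the move request is posted to the source subscription, and takes the "passed" status value from the caller because the page shows it only as {status}.

```python
import json
import re
import urllib.request

ARM = "https://management.azure.com"
API_VERSION = "2016-04-01"
PROVIDER = "providers/Microsoft.ClassicCompute"
GUID = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def operation_url(subscription_id, operation):
    """Build the operation URL; refuse IDs that are not GUIDs so a stray
    value cannot change the request path."""
    if not GUID.fullmatch(subscription_id):
        raise ValueError("not a subscription GUID: %r" % (subscription_id,))
    return "%s/subscriptions/%s/%s/%s?api-version=%s" % (
        ARM, subscription_id, PROVIDER, operation, API_VERSION)


def plan_requests(source_id, target_id):
    """Return the POSTs of steps 1-3 in order as (step, url, body)."""
    validate = "validateSubscriptionMoveAvailability"
    return [
        ("validate-source", operation_url(source_id, validate), {"role": "source"}),
        ("validate-target", operation_url(target_id, validate), {"role": "target"}),
        # Assumption: the move is posted to the source subscription; the page
        # writes {subscription-id} here and names the target only in the body.
        ("move", operation_url(source_id, "moveSubscriptionResources"),
         {"target": "/subscriptions/" + target_id}),
    ]


def bearer_transport(token):
    """POST JSON to Resource Manager with a bearer token the caller obtained
    (assumed authentication scheme for this sketch)."""
    def post(url, body):
        request = urllib.request.Request(
            url, data=json.dumps(body).encode("utf-8"), method="POST",
            headers={"Authorization": "Bearer " + token,
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(request) as response:
            raw = response.read()
        return json.loads(raw) if raw else {}
    return post


def move_classic_resources(source_id, target_id, post, passed_status):
    """Validate both subscriptions, then move only if both passed.

    post(url, body) -> dict is the transport. passed_status is the "status"
    value that means the subscription can take part in the move; the page
    shows it only as {status}, so the caller supplies it.
    """
    if source_id.lower() == target_id.lower():
        raise ValueError("source and target are the same subscription")
    validate_source, validate_target, move = plan_requests(source_id, target_id)
    blockers = {}
    # Run both validations so every reason is reported in one pass.
    for step, url, body in (validate_source, validate_target):
        reply = post(url, body)
        if reply.get("status") != passed_status:
            blockers[step] = list(reply.get("reasons") or ["no reason returned"])
    if blockers:
        return {"moved": False, "blockers": blockers}
    post(move[1], move[2])
    return {"moved": True, "blockers": {}}


if __name__ == "__main__":
    # Constructed subscription IDs and a constructed reply; nothing is sent.
    SRC = "11111111-1111-1111-1111-111111111111"
    DST = "22222222-2222-2222-2222-222222222222"

    def dry_run(url, body):
        print("POST", url, json.dumps(body))
        return {"status": "PASSED-PLACEHOLDER", "reasons": []}

    print(move_classic_resources(SRC, DST, dry_run, "PASSED-PLACEHOLDER"))
```

For a real run, pass bearer_transport(token) as the post argument in place of the dry-run transport.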

Next steps
If you have trouble moving classic resources, contact Support.
For commands to move resources, see Move resources to new resource group or subscription.
Move guidance for networking resources
12/23/2019 • 2 minutes to read

This article describes how to move virtual networks and other networking resources for specific scenarios.

Dependent resources
When moving a virtual network, you must also move its dependent resources. For VPN Gateways, you must
move IP addresses, virtual network gateways, and all associated connection resources. Local network gateways
can be in a different resource group.
To move a virtual machine with a network interface card to a new subscription, you must move all dependent
resources. Move the virtual network for the network interface card, all other network interface cards for the virtual
network, and the VPN gateways.
For more information, see Scenario for move across subscriptions.

Peered virtual network


To move a peered virtual network, you must first disable the virtual network peering. Once disabled, you can
move the virtual network. After the move, reenable the virtual network peering.

Subnet links
You can't move a virtual network to a different subscription if the virtual network contains a subnet with resource
navigation links. For example, if an Azure Cache for Redis resource is deployed into a subnet, that subnet has a
resource navigation link.
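
The peering, subnet-link and network-interface rules above can be checked before a move is requested. The following Python sketch is an added example, not part of the original documentation. It assumes the virtual network and network interfaces are supplied as JSON shaped like the output of az network vnet show and az network nic list (fields virtualNetworkPeerings, subnets[].resourceNavigationLinks, ipConfigurations[].subnet.id); the sample data is constructed, and VPN gateway dependencies are not covered.

```python
# Constructed sample data; the subscription ID and names are placeholders.
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-net"
NET = RG + "/providers/Microsoft.Network"

SAMPLE_VNET = {
    "id": NET + "/virtualNetworks/vnet-app",
    "name": "vnet-app",
    "virtualNetworkPeerings": [{"name": "to-hub", "peeringState": "Connected"}],
    "subnets": [
        {"name": "web", "resourceNavigationLinks": None},
        {"name": "cache", "resourceNavigationLinks": [{"name": "redis-link"}]},
    ],
}

SAMPLE_NICS = [
    {"name": "nic-web-1", "id": NET + "/networkInterfaces/nic-web-1",
     "ipConfigurations": [
         {"subnet": {"id": NET + "/virtualNetworks/vnet-app/subnets/web"}}]},
    # Same virtual network, but the ID arrives in a different letter case.
    {"name": "nic-web-2", "id": NET + "/networkInterfaces/nic-web-2",
     "ipConfigurations": [
         {"subnet": {"id": (NET + "/virtualNetworks/vnet-app/subnets/web").upper()}}]},
    # A different virtual network whose name merely starts with "vnet-app".
    {"name": "nic-other", "id": NET + "/networkInterfaces/nic-other",
     "ipConfigurations": [
         {"subnet": {"id": NET + "/virtualNetworks/vnet-app2/subnets/default"}}]},
]


def norm(resource_id):
    """Resource IDs compare case-insensitively; normalise before matching."""
    return (resource_id or "").rstrip("/").lower()


def nic_in_vnet(nic, vnet_id):
    """True when any IP configuration of the NIC sits in a subnet of vnet_id."""
    prefix = norm(vnet_id) + "/subnets/"
    for config in nic.get("ipConfigurations") or []:
        subnet = config.get("subnet") or {}
        if norm(subnet.get("id")).startswith(prefix):
            return True
    return False


def vnet_move_blockers(vnet, nics, move_ids, cross_subscription):
    """List what must be resolved before the virtual network can be moved.

    move_ids is the set of resource IDs included in the planned move.
    Returns (kind, name) tuples in a stable order.
    """
    moving = {norm(resource_id) for resource_id in move_ids}
    findings = []
    # Peering has to be disabled before any move of the virtual network.
    for peering in vnet.get("virtualNetworkPeerings") or []:
        findings.append(("disable-peering", peering["name"]))
    if cross_subscription:
        # A subnet with resource navigation links blocks a subscription move.
        for subnet in vnet.get("subnets") or []:
            if subnet.get("resourceNavigationLinks"):
                findings.append(("subnet-navigation-link", subnet["name"]))
        # Every NIC attached to the virtual network has to move with it.
        for nic in nics:
            if nic_in_vnet(nic, vnet["id"]) and norm(nic["id"]) not in moving:
                findings.append(("nic-not-in-move", nic["name"]))
    return findings


if __name__ == "__main__":
    planned = [SAMPLE_VNET["id"], SAMPLE_NICS[0]["id"]]
    for kind, name in vnet_move_blockers(SAMPLE_VNET, SAMPLE_NICS, planned, True):
        print(kind, name)
```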

Next steps
For commands to move resources, see Move resources to new resource group or subscription.
Move a Recovery Services vault across Azure Subscriptions and Resource Groups
11/18/2019 • 5 minutes to read

This article explains how to move a Recovery Services vault configured for Azure Backup across Azure
subscriptions, or to another resource group in the same subscription. You can use the Azure portal or PowerShell
to move a Recovery Services vault.

Supported regions
Resource move for Recovery Services vault is supported in Australia East, Australia South East, Canada Central,
Canada East, South East Asia, East Asia, Central US, North Central US, East US, East US2, South central US, West
Central US, West Central US2, West US, Central India, South India, Japan East, Japan West, Korea Central, Korea
South, North Europe, West Europe, South Africa North, South Africa West, UK South, and UK West.

Prerequisites for moving Recovery Services vault


During a vault move across resource groups, both the source and target resource groups are locked, preventing
write and delete operations. For more information, see this article.
Only admin subscription has the permissions to move a vault.
For moving vault across subscriptions, the target subscription must reside in the same tenant as the source
subscription and its state should be enabled.
You must have permission to perform write operations on the target resource group.
Moving the vault only changes the resource group. The Recovery Services vault remains in the same
location, which can't be changed.
You can move only one Recovery Services vault, per region, at a time.
If a VM doesn’t move with the Recovery Services vault across subscriptions, or to a new resource group, the
current VM recovery points will remain intact in the vault until they expire.
Whether the VM is moved with the vault or not, you can always restore the VM from the retained backup
history in the vault.
Azure Disk Encryption requires that the key vault and VMs reside in the same Azure region and
subscription.
To move a virtual machine with managed disks, see this article.
The options for moving resources deployed through the Classic model differ depending on whether you are
moving the resources within a subscription, or to a new subscription. For more information, see this article.
Backup policies defined for the vault are retained after the vault moves across subscriptions or to a new
resource group.
Moving a vault with Azure Files, Azure File Sync, or SQL in IaaS VMs across subscriptions and resource
groups is not supported.
If you move a vault containing VM backup data, across subscriptions, you must move your VMs to the same
subscription, and use the same target VM resource group name (as it was in old subscription) to continue
backups.
NOTE
Recovery Services vaults configured for use with Azure Site Recovery can't be moved yet. If you have configured any VMs
(Azure IaaS, Hyper-V, VMware) or physical machines for disaster recovery using Azure Site Recovery, the move
operation will be blocked. The resource move feature for the Site Recovery service is not yet available.

Use Azure portal to move Recovery Services vault to different resource group
To move a Recovery Services vault and its associated resources to a different resource group:
1. Sign in to the Azure portal.
2. Open the list of Recovery Services vaults and select the vault you want to move. When the vault
dashboard opens, it appears as shown in the following image.

If you do not see the Essentials information for your vault, click the drop-down icon. You should now see
the Essentials information for your vault.

3. In the vault overview menu, click change next to the Resource group, to open the Move resources blade.
4. In the Move resources blade, for the selected vault it is recommended to move the optional related
resources by selecting the checkbox as shown in the following image.

5. To add the target resource group, in the Resource group drop-down list select an existing resource group
or click create a new group option.

6. After adding the resource group, confirm I understand that tools and scripts associated with moved
resources will not work until I update them to use new resource IDs option and then click OK to
complete moving the vault.

Use Azure portal to move Recovery Services vault to a different subscription
You can move a Recovery Services vault and its associated resources to a different subscription.
1. Sign in to the Azure portal.
2. Open the list of Recovery Services vaults and select the vault you want to move. When the vault dashboard
opens, it appears as shown in the following image.
If you do not see the Essentials information for your vault, click the drop-down icon. You should now see
the Essentials information for your vault.

3. In the vault overview menu, click change next to Subscription, to open the Move resources blade.

4. Select the resources to be moved. We recommend using the Select All option to select all the
listed optional resources.
5. Select the target subscription from the Subscription drop-down list, where you want the vault to be
moved.
6. To add the target resource group, in the Resource group drop-down list select an existing resource group
or click create a new group option.

7. Click I understand that tools and scripts associated with moved resources will not work until I
update them to use new resource IDs option to confirm, and then click OK.

NOTE
Cross subscription backup (RS vault and protected VMs are in different subscriptions) is not a supported scenario. Also,
storage redundancy option from local redundant storage (LRS) to global redundant storage (GRS) and vice versa cannot be
modified during the vault move operation.

Use PowerShell to move Recovery Services vault


To move a Recovery Services vault to another resource group, use the Move-AzureRMResource cmdlet.
Move-AzureRMResource requires the resource name and type of resource. You can get both from the
Get-AzureRmRecoveryServicesVault cmdlet.

$destinationRG = "<destinationResourceGroupName>"
$vault = Get-AzureRmRecoveryServicesVault -Name <vaultname> -ResourceGroupName <vaultRGname>
Move-AzureRmResource -DestinationResourceGroupName $destinationRG -ResourceId $vault.ID

To move the resources to different subscription, include the -DestinationSubscriptionId parameter.

Move-AzureRmResource -DestinationSubscriptionId "<destinationSubscriptionID>" -DestinationResourceGroupName $destinationRG -ResourceId $vault.ID

After executing the above cmdlets, you will be asked to confirm that you want to move the specified resources.
Type Y to confirm. After a successful validation, the resource moves.

Use CLI to move Recovery Services vault


To move a Recovery Services vault to another resource group, use the following command:
az resource move --destination-group <destinationResourceGroupName> --ids <VaultResourceID>

To move to a new subscription, provide the --destination-subscription-id parameter.

Post migration
1. Set/verify the access controls for the resource groups.
2. The Backup reporting and monitoring feature needs to be configured again for the vault after the move
completes. The previous configuration is lost during the move operation.

Next steps
You can move many different types of resources between resource groups and subscriptions.
For more information, see Move resources to new resource group or subscription.
Move guidance for virtual machines
12/23/2019 • 2 minutes to read

This article describes the scenarios that aren't currently supported and the steps to move virtual machines with
backup.

Scenarios not supported


The following scenarios aren't yet supported:
Managed Disks in Availability Zones can't be moved to a different subscription.
Virtual Machine Scale Sets with Standard SKU Load Balancer or Standard SKU Public IP can't be moved.
Virtual machines created from Marketplace resources with plans attached can't be moved across resource
groups or subscriptions. De-provision the virtual machine in the current subscription, and deploy again in the
new subscription.
Virtual machines in an existing virtual network can't be moved to a new subscription when you aren't moving
all resources in the virtual network.
Low priority virtual machines and low priority virtual machine scale sets can't be moved across resource
groups or subscriptions.
Virtual machines in an availability set can't be moved individually.

Virtual machines with Azure Backup


To move virtual machines configured with Azure Backup, use the following workaround:
Find the location of your Virtual Machine.
Find a resource group with the following naming pattern: AzureBackupRG_<location of your VM>_1 for example,
AzureBackupRG_westus2_1
If in Azure portal, then check "Show hidden types"
If in PowerShell, use the Get-AzResource -ResourceGroupName AzureBackupRG_<location of your VM>_1 cmdlet
If in CLI, use the az resource list -g AzureBackupRG_<location of your VM>_1
Find the resource with type Microsoft.Compute/restorePointCollections that has the naming pattern
AzureBackup_<name of your VM that you're trying to move>_###########
Delete this resource. This operation deletes only the instant recovery points, not the backed-up data in the
vault.
After delete is complete, you can move the vault and virtual machine to the target subscription. After the move,
you can continue backups with no loss in data.
For information about moving Recovery Service vaults for backup, see Recovery Services limitations.
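
The lookup in the workaround above is easy to get wrong when VM names share a prefix. The following Python sketch is an added example, not part of the original documentation. It filters a resource listing shaped like the output of az resource list down to the restore point collections of one VM and returns the delete commands for review instead of running them. It assumes each # in the naming pattern stands for a digit; the sample listing is constructed.

```python
import re
import shlex

RPC_TYPE = "Microsoft.Compute/restorePointCollections"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder


def backup_resource_group(location):
    """Resource group name from the page's pattern AzureBackupRG_<location>_1."""
    return "AzureBackupRG_%s_1" % location


def restore_point_collections(resources, vm_name, location):
    """Return the IDs of the instant-recovery-point collections for one VM.

    resources is a list of dicts with the name, type, resourceGroup and id
    fields that `az resource list` emits.
    """
    group = backup_resource_group(location).lower()
    # Assumption: each # in AzureBackup_<vm>_########### stands for a digit.
    # fullmatch keeps VM "web" from also matching the collection of "web_2".
    name = re.compile("AzureBackup_" + re.escape(vm_name) + r"_\d+", re.IGNORECASE)
    matches = []
    for resource in resources:
        if (resource.get("type") or "").lower() != RPC_TYPE.lower():
            continue
        if (resource.get("resourceGroup") or "").lower() != group:
            continue
        if name.fullmatch(resource.get("name") or ""):
            matches.append(resource["id"])
    return sorted(matches)


def delete_commands(resource_ids):
    """Render one `az resource delete` command per ID, quoted for a shell."""
    return ["az resource delete --ids " + shlex.quote(i) for i in resource_ids]


def sample_resource(group, rtype, name):
    """Build one constructed listing entry."""
    return {
        "name": name, "type": rtype, "resourceGroup": group,
        "id": "%s/resourceGroups/%s/providers/%s/%s" % (SUB, group, rtype, name),
    }


# Constructed listing: only the first and third entries belong to VM "web"
# in westus2.
SAMPLE = [
    sample_resource("AzureBackupRG_westus2_1", RPC_TYPE, "AzureBackup_web_12345678901"),
    sample_resource("AzureBackupRG_westus2_1", RPC_TYPE, "AzureBackup_web_2_12345678902"),
    sample_resource("AzureBackupRG_westus2_1", RPC_TYPE.lower(), "AzureBackup_WEB_12345678903"),
    sample_resource("AzureBackupRG_westus2_1", "Microsoft.Compute/disks", "AzureBackup_web_12345678904"),
    sample_resource("AzureBackupRG_eastus_1", RPC_TYPE, "AzureBackup_web_12345678905"),
]

if __name__ == "__main__":
    for command in delete_commands(restore_point_collections(SAMPLE, "web", "westus2")):
        print(command)
```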

Next steps
For commands to move resources, see Move resources to new resource group or subscription.
Moving Azure resources across regions
12/23/2019 • 2 minutes to read

This article provides information about moving Azure resources across Azure regions.
Azure geographies, regions, and Availability Zones form the foundation of the Azure global infrastructure. Azure
geographies typically contain two or more Azure regions. A region is an area within a geography, containing
Availability Zones, and multiple data centers.
After deploying resources in a specific Azure region, there are a number of reasons that you might want to move
resources to a different region.
Align to a region launch: Move your resources to a newly introduced Azure region that wasn't previously
available.
Align for services/features: Move resources to take advantage of services or features that are available in a
specific region.
Respond to business developments: Move resources to a region in response to business changes, such as
mergers or acquisitions.
Align for proximity: Move resources to a region local to your business.
Meet data requirements: Move resources in order to align with data residency requirements, or data
classification needs. Learn more.
Respond to deployment requirements: Move resources that were deployed in error, or move in response to
capacity needs.
Respond to decommissioning: Move resources due to decommissioning of regions.

Move process
The actual move process depends on the resources you're moving. However, there are some common key steps:
Verify prerequisites: Prerequisites include making sure that the resources you need are available in the target
region, checking that you have enough quota, and verifying that your subscription can access the target region.
Analyze dependencies: Your resources might have dependencies on other resources. Before moving, figure
out dependencies so that moved resources continue to function as expected after the move.
Prepare for move: These are the steps you take in your primary region before the move. For example, you
might need to export an Azure Resource Manager template, or start replicating resources from source to target.
Move the resources: How you move resources depends on what they are. You might need to deploy a
template in the target region, or fail resources over to the target.
Discard target resources: After moving resources, you might want to take a look at the resources now in the
target region, and decide if there's anything you don't need.
Commit the move: After verifying resources in the target region, some resources might require a final commit
action. For example, in a target region that's now the primary region, you might need to set up disaster recovery
to a new secondary region.
Clean up the source: Finally, after everything's up and running in the new region, you can clean up and
decommission resources you created for the move, and resources in your primary region.

Next steps
For a list of which resources support moving across regions, see Move operation support for resources.
Support for moving Azure resources across regions
12/23/2019 • 8 minutes to read

This article confirms whether an Azure resource type is supported for moving to another Azure region.

Microsoft.AAD
RESOURCE TYPE REGION MOVE

domainservices No

domainservices / replicasets No

microsoft.aadiam
RESOURCE TYPE REGION MOVE

tenants No

Microsoft.AlertsManagement
RESOURCE TYPE REGION MOVE

actionrules No

Microsoft.AnalysisServices
RESOURCE TYPE REGION MOVE

servers No

Microsoft.ApiManagement
RESOURCE TYPE REGION MOVE

service No

Microsoft.AppConfiguration
RESOURCE TYPE REGION MOVE

configurationstores No
Microsoft.AppService
RESOURCE TYPE REGION MOVE

apiapps No

appidentities No

gateways No

Microsoft.Authorization
RESOURCE TYPE REGION MOVE

policyassignments No

Microsoft.Automation
RESOURCE TYPE REGION MOVE

automationaccounts No

automationaccounts / configurations No

automationaccounts / runbooks No

Microsoft.AzureActiveDirectory
RESOURCE TYPE REGION MOVE

b2cdirectories No

Microsoft.AzureData
RESOURCE TYPE REGION MOVE

sqlserverregistrations No

Microsoft.AzureStack
RESOURCE TYPE REGION MOVE

registrations No

Microsoft.Batch
RESOURCE TYPE REGION MOVE

batchaccounts No

Microsoft.BatchAI
RESOURCE TYPE REGION MOVE

clusters No

fileservers No

jobs No

workspaces No

Microsoft.BingMaps
RESOURCE TYPE REGION MOVE

mapapis No

Microsoft.BizTalkServices
RESOURCE TYPE REGION MOVE

biztalk No

Microsoft.Blockchain
RESOURCE TYPE REGION MOVE

blockchainmembers No

watchers No

Microsoft.Blueprint
RESOURCE TYPE REGION MOVE

blueprintassignments No

Microsoft.BotService
RESOURCE TYPE REGION MOVE

botservices No

Microsoft.Cache
RESOURCE TYPE REGION MOVE

redis No

Microsoft.Cdn
RESOURCE TYPE REGION MOVE

cdnwebapplicationfirewallpolicies No

profiles No

profiles / endpoints No

Microsoft.CertificateRegistration
RESOURCE TYPE REGION MOVE

certificateorders No

Microsoft.ClassicCompute
RESOURCE TYPE REGION MOVE

domainnames No

virtualmachines No

Microsoft.ClassicNetwork
RESOURCE TYPE REGION MOVE

networksecuritygroups No

reservedips No

virtualnetworks No

Microsoft.ClassicStorage
RESOURCE TYPE REGION MOVE

storageaccounts Yes

Microsoft.CognitiveServices
RESOURCE TYPE REGION MOVE

accounts No

Microsoft.Compute
RESOURCE TYPE REGION MOVE

availabilitysets No

diskencryptionsets No

disks No

galleries No

galleries / images No

galleries / images / versions No

hostgroups No

hostgroups / hosts No

images No

proximityplacementgroups No

restorepointcollections No

sharedvmimages No

sharedvmimages / versions No

snapshots No

virtualmachines Yes

virtualmachines / extensions No

virtualmachinescalesets No

Microsoft.Container
RESOURCE TYPE REGION MOVE

containergroups No

Microsoft.ContainerInstance
RESOURCE TYPE REGION MOVE

containergroups No

Microsoft.ContainerRegistry
RESOURCE TYPE REGION MOVE

registries No

registries / buildtasks No

registries / replications No

registries / tasks No

registries / webhooks No

Microsoft.ContainerService
RESOURCE TYPE REGION MOVE

containerservices No

managedclusters No

openshiftmanagedclusters No

Microsoft.ContentModerator
RESOURCE TYPE REGION MOVE

applications No

Microsoft.CortanaAnalytics
RESOURCE TYPE REGION MOVE

accounts No

Microsoft.CostManagement
RESOURCE TYPE REGION MOVE

connectors No

Microsoft.CustomerInsights
RESOURCE TYPE REGION MOVE

hubs No

Microsoft.CustomProviders
RESOURCE TYPE REGION MOVE

resourceproviders No

Microsoft.DataBox
RESOURCE TYPE REGION MOVE

jobs No

Microsoft.DataBoxEdge
RESOURCE TYPE REGION MOVE

databoxedgedevices No

Microsoft.Databricks
RESOURCE TYPE REGION MOVE

workspaces No

Microsoft.DataCatalog
RESOURCE TYPE REGION MOVE

catalogs No

datacatalogs No

Microsoft.DataConnect
RESOURCE TYPE REGION MOVE

connectionmanagers No

Microsoft.DataExchange
RESOURCE TYPE REGION MOVE

packages No

plans No

Microsoft.DataFactory
RESOURCE TYPE REGION MOVE

datafactories No

factories No

Microsoft.DataLake
RESOURCE TYPE REGION MOVE

datalakeaccounts No

Microsoft.DataLakeAnalytics
RESOURCE TYPE REGION MOVE

accounts No

Microsoft.DataLakeStore
RESOURCE TYPE REGION MOVE

accounts No

Microsoft.DataMigration
RESOURCE TYPE REGION MOVE

services No

services / projects No

slots No

Microsoft.DataShare
RESOURCE TYPE REGION MOVE

accounts No

Microsoft.DBforMariaDB
RESOURCE TYPE REGION MOVE

servers No

Microsoft.DBforMySQL
RESOURCE TYPE REGION MOVE

servers No

Microsoft.DBforPostgreSQL
RESOURCE TYPE REGION MOVE

servergroups No

servers No

serversv2 No

Microsoft.DeploymentManager
RESOURCE TYPE REGION MOVE

artifactsources No

rollouts No

servicetopologies No

servicetopologies / services No

servicetopologies / services / serviceunits No

steps No

Microsoft.Devices
RESOURCE TYPE REGION MOVE

elasticpools No

elasticpools / iothubtenants No

iothubs Yes

provisioningservices No

Microsoft.DevSpaces
RESOURCE TYPE REGION MOVE

controllers No

Microsoft.DevTestLab
RESOURCE TYPE REGION MOVE

labcenters No

labs No

labs / environments No

labs / servicerunners No

labs / virtualmachines No

schedules No

Microsoft.DocumentDB
RESOURCE TYPE REGION MOVE

databaseaccounts No

Microsoft.DomainRegistration
RESOURCE TYPE REGION MOVE

domains No

Microsoft.EnterpriseKnowledgeGraph
RESOURCE TYPE REGION MOVE

services No

Microsoft.EventGrid
RESOURCE TYPE REGION MOVE

domains No

topics No

Microsoft.EventHub
RESOURCE TYPE REGION MOVE

clusters No

namespaces No

Microsoft.Genomics
RESOURCE TYPE REGION MOVE

accounts No

Microsoft.HanaOnAzure
RESOURCE TYPE REGION MOVE

hanainstances No

sapmonitors No

Microsoft.HDInsight
RESOURCE TYPE REGION MOVE

clusters No

Microsoft.HealthcareApis
RESOURCE TYPE REGION MOVE

services No

Microsoft.HybridCompute
RESOURCE TYPE REGION MOVE

machines No

Microsoft.HybridData
RESOURCE TYPE REGION MOVE

datamanagers No

Microsoft.ImportExport
RESOURCE TYPE REGION MOVE

jobs No

microsoft.insights
RESOURCE TYPE REGION MOVE

accounts No

actiongroups No

activitylogalerts No

alertrules No

autoscalesettings No

components No

guestdiagnosticsettings No

metricalerts No

notificationgroups No

notificationrules No

scheduledqueryrules No

webtests No

workbooks No

Microsoft.IoTCentral
RESOURCE TYPE REGION MOVE

iotapps No

Microsoft.IoTSpaces
RESOURCE TYPE REGION MOVE

checknameavailability No

graph No

Microsoft.KeyVault
RESOURCE TYPE REGION MOVE

hsmpools No

vaults No

Microsoft.Kusto
RESOURCE TYPE REGION MOVE

clusters No

Microsoft.LabServices
RESOURCE TYPE REGION MOVE

labaccounts No

Microsoft.LocationBasedServices
RESOURCE TYPE REGION MOVE

accounts No

Microsoft.LocationServices
RESOURCE TYPE REGION MOVE

accounts No

Microsoft.Logic
RESOURCE TYPE REGION MOVE

hostingenvironments No

integrationaccounts No

integrationserviceenvironments No

isolatedenvironments No

workflows No

Microsoft.MachineLearning
RESOURCE TYPE REGION MOVE

commitmentplans No

webservices No

workspaces No

Microsoft.MachineLearningCompute
RESOURCE TYPE REGION MOVE

operationalizationclusters No

Microsoft.MachineLearningExperimentation
RESOURCE TYPE REGION MOVE

accounts No

accounts / workspaces No

accounts / workspaces / projects No

teamaccounts No

teamaccounts / workspaces No

teamaccounts / workspaces / projects No

Microsoft.MachineLearningModelManagement
RESOURCE TYPE REGION MOVE

accounts No

Microsoft.MachineLearningOperationalization
RESOURCE TYPE REGION MOVE

hostingaccounts No

Microsoft.MachineLearningServices
RESOURCE TYPE REGION MOVE

workspaces No
Microsoft.ManagedIdentity
RESOURCE TYPE REGION MOVE

userassignedidentities No

Microsoft.Maps
RESOURCE TYPE REGION MOVE

accounts No

Microsoft.MarketplaceApps
RESOURCE TYPE REGION MOVE

classicdevservices No

Microsoft.Media
RESOURCE TYPE REGION MOVE

mediaservices No

mediaservices / liveevents No

mediaservices / streamingendpoints No

Microsoft.Microservices4Spring
RESOURCE TYPE REGION MOVE

appclusters No

Microsoft.Migrate
RESOURCE TYPE REGION MOVE

assessmentprojects No

migrateprojects No

projects No

Microsoft.NetApp
RESOURCE TYPE REGION MOVE

netappaccounts No

netappaccounts / capacitypools No

netappaccounts / capacitypools / volumes No

netappaccounts / capacitypools / volumes / mounttargets No

netappaccounts / capacitypools / volumes / snapshots No

Microsoft.Network
RESOURCE TYPE REGION MOVE

applicationgateways No

applicationgatewaywebapplicationfirewallpolicies No

applicationsecuritygroups No

azurefirewalls No

bastionhosts No

connections No

ddoscustompolicies No

ddosprotectionplans No

dnszones No

expressroutecircuits No

expressroutecrossconnections No

expressroutegateways No

expressrouteports No

frontdoors No

frontdoorwebapplicationfirewallpolicies No

loadbalancers Yes - Basic SKU Yes - Basic SKU


No - Standard SKU -Yes Standard SKU

localnetworkgateways No

natgateways No

networkintentpolicies No

networkinterfaces Yes

networkprofiles No

networksecuritygroups Yes

networkwatchers No

networkwatchers / connectionmonitors No

networkwatchers / lenses No

networkwatchers / pingmeshes No

p2svpngateways No

privatednszones No

privatednszones / virtualnetworklinks No

privateendpoints No

privatelinkservices No

publicipaddresses Yes - Basic SKU Yes - Basic SKU


No - Standard SKU No - Standard SKU

publicipprefixes No

routefilters No

routetables No

serviceendpointpolicies No

trafficmanagerprofiles No

virtualhubs No

virtualnetworkgateways No

virtualnetworks No

virtualnetworktaps No

virtualwans No

vpngateways (Virtual WAN) No

vpnsites (Virtual WAN) No

webapplicationfirewallpolicies No

Microsoft.NotificationHubs
RESOURCE TYPE REGION MOVE

namespaces No

namespaces / notificationhubs No

Microsoft.OperationalInsights
RESOURCE TYPE REGION MOVE

workspaces No

Microsoft.OperationsManagement
RESOURCE TYPE REGION MOVE

managementconfigurations No

views No

Microsoft.Peering
RESOURCE TYPE REGION MOVE

peerings No

Microsoft.Portal
RESOURCE TYPE REGION MOVE

dashboards No

Microsoft.PortalSdk
RESOURCE TYPE REGION MOVE

rootresources No

Microsoft.PowerBI
RESOURCE TYPE REGION MOVE

workspacecollections No

Microsoft.PowerBIDedicated
RESOURCE TYPE REGION MOVE

capacities No

Microsoft.ProjectOxford
RESOURCE TYPE REGION MOVE

accounts No

Microsoft.RecoveryServices
RESOURCE TYPE REGION MOVE

vaults Yes (for Backup vaults I think?)

Microsoft.Relay
RESOURCE TYPE REGION MOVE

namespaces No

Microsoft.ResourceGraph
RESOURCE TYPE REGION MOVE

queries No

Microsoft.SaaS
RESOURCE TYPE REGION MOVE

applications No

Microsoft.Scheduler
RESOURCE TYPE REGION MOVE

flows No

jobcollections No

Microsoft.Search
RESOURCE TYPE REGION MOVE

searchservices No

Microsoft.Security
RESOURCE TYPE REGION MOVE

iotsecuritysolutions No

playbookconfigurations No

Microsoft.ServerManagement
RESOURCE TYPE REGION MOVE

gateways No

nodes No

Microsoft.ServiceBus
RESOURCE TYPE REGION MOVE

namespaces No

Microsoft.ServiceFabric
RESOURCE TYPE REGION MOVE

applications No

clusters No

clusters / applications No

containergroups No

containergroupsets No

edgeclusters No

networks No

secretstores No

volumes No

Microsoft.ServiceFabricMesh
RESOURCE TYPE REGION MOVE

applications No

containergroups No

gateways No

networks No

secrets No

volumes No

Microsoft.SignalRService
RESOURCE TYPE REGION MOVE

signalr No

Microsoft.Solutions
RESOURCE TYPE REGION MOVE

appliancedefinitions No

appliances No

applicationdefinitions No

applications No

jitrequests No

Microsoft.Sql
RESOURCE TYPE REGION MOVE

instancepools No

managedinstances Yes

managedinstances / databases Yes

servers Yes

servers / databases Yes

servers / elasticpools Yes

virtualclusters Yes

Microsoft.SqlVirtualMachine
RESOURCE TYPE REGION MOVE

sqlvirtualmachinegroups No

sqlvirtualmachines No

Microsoft.SqlVM
RESOURCE TYPE REGION MOVE

dwvm No

Microsoft.Storage
RESOURCE TYPE REGION MOVE

storageaccounts Yes??

Microsoft.StorageCache
RESOURCE TYPE REGION MOVE

caches No

Microsoft.StorageSync
RESOURCE TYPE REGION MOVE

storagesyncservices No

Microsoft.StorageSyncDev
RESOURCE TYPE REGION MOVE

storagesyncservices No

Microsoft.StorageSyncInt
RESOURCE TYPE REGION MOVE

storagesyncservices No

Microsoft.StorSimple
RESOURCE TYPE REGION MOVE

managers No

Microsoft.StreamAnalytics
RESOURCE TYPE REGION MOVE

streamingjobs No

Microsoft.StreamAnalyticsExplorer
RESOURCE TYPE REGION MOVE

environments No

environments / eventsources No

instances No

instances / environments No

instances / environments / eventsources No

Microsoft.TerraformOSS
RESOURCE TYPE REGION MOVE

providerregistrations No

resources No

Microsoft.TimeSeriesInsights
RESOURCE TYPE REGION MOVE

environments No

environments / eventsources No

environments / referencedatasets No

Microsoft.Token
RESOURCE TYPE REGION MOVE

stores No

Microsoft.VirtualMachineImages
RESOURCE TYPE REGION MOVE

imagetemplates No

microsoft.visualstudio
RESOURCE TYPE REGION MOVE

account No

account / extension No

account / project No

Microsoft.VMwareCloudSimple
RESOURCE TYPE REGION MOVE

dedicatedcloudnodes No

dedicatedcloudservices No

virtualmachines No

Microsoft.Web
RESOURCE TYPE REGION MOVE

certificates No

connectiongateways No

connections No

customapis No

hostingenvironments No

serverfarms No

sites No

sites / premieraddons No

sites / slots No

Microsoft.WindowsIoT
RESOURCE TYPE REGION MOVE

deviceservices No

Microsoft.WindowsVirtualDesktop
RESOURCE TYPE REGION MOVE

applicationgroups No

hostpools No

workspaces No

Third-party services
Third-party services currently don't support the move operation.
Move Azure VMs to another region
11/12/2019 • 6 minutes to read

There are various scenarios in which you'd want to move your existing Azure IaaS virtual machines (VMs) from
one region to another. For example, you want to improve reliability and availability of your existing VMs, to
improve manageability, or to move for governance reasons. For more information, see the Azure VM move
overview.
You can use the Azure Site Recovery service to manage and orchestrate disaster recovery of on-premises machines
and Azure VMs for business continuity and disaster recovery (BCDR). You can also use Site Recovery to manage
the move of Azure VMs to a secondary region.
In this tutorial, you will:
Verify prerequisites for the move
Prepare the source VMs and the target region
Copy the data and enable replication
Test the configuration and perform the move
Delete the resources in the source region

NOTE
This tutorial shows you how to move Azure VMs from one region to another as is. If you need to improve availability by
moving VMs in an availability set to zone pinned VMs in a different region, see the Move Azure VMs into Availability Zones
tutorial.

Prerequisites
Make sure that the Azure VMs are in the Azure region from which you want to move.
Verify that your choice of source region - target region combination is supported, and make an informed
decision about the target region.
Make sure that you understand the scenario architecture and components.
Review the support limitations and requirements.
Verify account permissions. If you created your free Azure account, you're the administrator of your
subscription. If you're not the subscription administrator, work with the administrator to assign the
permissions that you need. To enable replication for a VM and essentially copy data by using Azure Site
Recovery, you must have:
Permissions to create a VM in Azure resources. The Virtual Machine Contributor built-in role has
these permissions, which include:
Permission to create a VM in the selected resource group
Permission to create a VM in the selected virtual network
Permission to write to the selected storage account
Permissions to manage Azure Site Recovery operations. The Site Recovery Contributor role has all
the permissions that are required to manage Site Recovery operations in a Recovery Services vault.
Make sure that all the latest root certificates are on the Azure VMs that you want to move. If the latest root
certificates aren't on the VM, security constraints will prevent the data copy to the target region.
For Windows VMs, install all the latest Windows updates on the VM, so that all the trusted root certificates
are on the machine. In a disconnected environment, follow the standard Windows Update and certificate
update processes for your organization.
For Linux VMs, follow the guidance provided by your Linux distributor to get the latest trusted root
certificates and certificate revocation list on the VM.
Make sure that you're not using an authentication proxy to control network connectivity for VMs that you
want to move.
If the VM that you're trying to move doesn't have access to the internet, or it's using a firewall proxy to
control outbound access, check the requirements.
Identify the source networking layout and all the resources that you're currently using. This includes but isn't
limited to load balancers, network security groups (NSGs), and public IPs.
Verify that your Azure subscription allows you to create VMs in the target region that's used for disaster
recovery. Contact support to enable the required quota.
Make sure that your subscription has enough resources to support VMs with sizes that match your source
VMs. If you're using Site Recovery to copy data to the target, Site Recovery chooses the same size or the
closest possible size for the target VM.
Make sure that you create a target resource for every component that's identified in the source networking
layout. This step is important to ensure that your VMs have all the functionality and features in the target
region that you had in the source region.

NOTE
Azure Site Recovery automatically discovers and creates a virtual network when you enable replication for the source
VM. You can also pre-create a network and assign it to the VM in the user flow for enable replication. As mentioned
later, you need to manually create any other resources in the target region.

To create the most commonly used network resources that are relevant for you based on the source VM
configuration, see the following documentation:
Network security groups
Load balancers
Public IP
For any other networking components, see the networking documentation.

Prepare
The following steps show how to prepare the virtual machine for the move using Azure Site Recovery as a
solution.
Create the vault in any region, except the source region
1. Sign in to the Azure portal > Recovery Services.
2. Select Create a resource > Management Tools > Backup and Site Recovery.
3. In Name, specify the friendly name ContosoVMVault. If you have more than one subscription, select the
appropriate one.
4. Create the resource group ContosoRG.
5. Specify an Azure region. To check supported regions, see geographic availability in Azure Site Recovery pricing
details.
6. In Recovery Services vaults, select Overview > ContosoVMVault > +Replicate.
7. In Source, select Azure.
8. In Source location, select the source Azure region where your VMs are currently running.
9. Select the Resource Manager deployment model. Then select the Source subscription and Source resource
group.
10. Select OK to save the settings.
Enable replication for Azure VMs and start copying the data
Site Recovery retrieves a list of the VMs that are associated with the subscription and resource group.
1. In the next step, select the VM that you want to move, then select OK.
2. In Settings, select Disaster recovery.
3. In Configure disaster recovery > Target region, select the target region to which you'll replicate.
4. For this tutorial, accept the other default settings.
5. Select Enable replication. This step starts a job to enable replication for the VM.

Move
The following steps show how to perform the move to the target region.
1. Go to the vault. In Settings > Replicated items, select the VM, and then select Failover.
2. In Failover, select Latest.
3. Select Shut down machine before beginning failover. Site Recovery attempts to shut down the source VM
before triggering the failover. Failover continues even if shutdown fails. You can follow the failover progress on
the Jobs page.
4. After the job is finished, check that the VM appears in the target Azure region as expected.

Discard
If you checked the moved VM and need to change the point of failover or want to go back to a previous
point, in Replicated items, right-select the VM > Change recovery point. This step gives you the option
to specify a different recovery point and fail over to that one.

Commit
Once you have checked the moved VM and are ready to commit the change, in the Replicated items, right-select
the VM > Commit. This step finishes the move process to the target region. Wait until the commit job finishes.

Clean up
The following steps will guide you through how to clean up the source region as well as related resources that were
used for the move.
For all resources that were used for the move:
Go to the VM. Select Disable Replication. This step stops the process from copying the data for the VM.

IMPORTANT
It's important to perform this step to avoid being charged for Azure Site Recovery replication.

If you have no plans to reuse any of the source resources, complete these additional steps:
1. Delete all the relevant network resources in the source region that you identified in prerequisites.
2. Delete the corresponding storage account in the source region.

Next steps
In this tutorial, you moved an Azure VM to a different Azure region. Now you can configure disaster recovery for
the VM that you moved.
Set up disaster recovery after migration
Move an Azure Storage account to another region
11/8/2019 • 6 minutes to read

To move a storage account, create a copy of your storage account in another region. Then, move your data to that
account by using AzCopy, or another tool of your choice.
In this article, you'll learn how to:
Export a template.
Modify the template by adding the target region and storage account name.
Deploy the template to create the new storage account.
Configure the new storage account.
Move data to the new storage account.
Delete the resources in the source region.

Prerequisites
Ensure that the services and features that your account uses are supported in the target region.
For preview features, ensure that your subscription is whitelisted for the target region.

Prepare
To get started, export, and then modify a Resource Manager template.
Export a template
This template contains settings that describe your storage account.
To export a template by using Azure portal:
1. Sign in to the Azure portal.
2. Select All resources and then select your storage account.
3. Select Settings > Export template.
4. Choose Download in the Export template blade.
5. Locate the .zip file that you downloaded from the portal, and unzip that file to a folder of your choice.
This zip file contains the .json files that comprise the template and scripts to deploy the template.
Modify the template
Modify the template by changing the storage account name and region.
To deploy the template by using Azure portal:
1. In the Azure portal, select Create a resource.
2. In Search the Marketplace, type template deployment, and then press ENTER.
3. Select Template deployment.

4. Select Create.
5. Select Build your own template in the editor.
6. Select Load file, and then follow the instructions to load the template.json file that you downloaded in the
last section.
7. In the template.json file, name the target storage account by setting the default value of the storage
account name. This example sets the default value of the storage account name to mytargetaccount.

"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
    "storageAccounts_mysourceaccount_name": {
        "defaultValue": "mytargetaccount",
        "type": "String"
    }
},

8. Edit the location property in the template.json file to the target region. This example sets the target region
to centralus.

"resources": [{
    "type": "Microsoft.Storage/storageAccounts",
    "apiVersion": "2019-04-01",
    "name": "[parameters('storageAccounts_mysourceaccount_name')]",
    "location": "centralus"
}]

To obtain region location codes, see Azure Locations. The code for a region is the region name with no
spaces; for example, Central US = centralus.

Move
Deploy the template to create a new storage account in the target region.
1. Save the template.json file.
2. Enter or select the property values:
Subscription: Select an Azure subscription.
Resource group: Select Create new and give the resource group a name.
Location: Select an Azure location.
3. Click the I agree to the terms and conditions stated above checkbox, and then click the Select Purchase
button.
Configure the new storage account
Some features won't export to a template, so you'll have to add them to the new storage account.
The following table lists these features along with guidance for adding them to your new storage account.

FEATURE                          GUIDANCE
Lifecycle management policies    Manage the Azure Blob storage lifecycle
Static websites                  Host a static website in Azure Storage
Event subscriptions              Reacting to Blob storage events
Alerts                           Create, view, and manage activity log alerts by using Azure Monitor
Content Delivery Network (CDN)   Use Azure CDN to access blobs with custom domains over HTTPS

NOTE
If you set up a CDN for the source storage account, just change the origin of your existing CDN to the primary blob service
endpoint (or the primary static website endpoint) of your new account.

Move data to the new storage account


Here are some ways to move your data over.
✔ Azure Storage Explorer
It's easy to use and suitable for small data sets. You can copy containers and file shares, and then paste them into
the target account.
See Azure Storage Explorer.
✔ AzCopy
This is the preferred approach. It's optimized for performance. One reason it's faster is that data is copied directly
between storage servers, so AzCopy doesn't use the network bandwidth of your computer. Use AzCopy at the
command line or as part of a custom script.
See Get started with AzCopy.
✔ Azure Data Factory
Use this tool only if you need functionality that isn't supported in the current release of AzCopy. For example, in the
current release of AzCopy, you can't copy blobs between accounts that have a hierarchical namespace. Also,
AzCopy doesn't preserve file access control lists or file timestamps (for example, create and modified time stamps).
See these links:
Copy data to or from Azure Blob storage by using Azure Data Factory
Copy data to or from Azure Data Lake Storage Gen2 using Azure Data Factory
Copy data from or to Azure File Storage by using Azure Data Factory
Copy data to and from Azure Table storage by using Azure Data Factory

Discard or clean up
After the deployment, if you want to start over, you can delete the target storage account, and repeat the steps
described in the Prepare and Move sections of this article.
To commit the changes and complete the move of a storage account, delete the source storage account.
To remove a storage account by using the Azure portal:
1. In the Azure portal, expand the menu on the left side to open the menu of services, and choose Storage
accounts to display the list of your storage accounts.
2. Locate the target storage account to delete, and right-click the More button (...) on the right side of the
listing.
3. Select Delete, and confirm.

Next steps
In this tutorial, you moved an Azure storage account from one region to another and cleaned up the source
resources. To learn more about moving resources between regions and disaster recovery in Azure, refer to:
Move resources to a new resource group or subscription
Move Azure VMs to another region
How to move Azure SQL resources to another region
11/7/2019 • 9 minutes to read

This article teaches you a generic workflow for how to move your Azure SQL Database single database, elastic
pool, and managed instance to a new region.

Overview
There are various scenarios in which you'd want to move your existing Azure SQL resources from one region to
another. For example, you expand your business to a new region and want to optimize it for the new customer
base. Or you need to move the operations to a different region for compliance reasons. Or Azure released a brand-
new region that provides a better proximity and improves the customer experience.
This article provides a general workflow for moving resources to a different region. The workflow consists of the
following steps:
Verify the prerequisites for the move
Prepare to move the resources in scope
Monitor the preparation process
Test the move process
Initiate the actual move
Remove the resources from the source region

NOTE
This article applies to migrations within the Azure public cloud, or within the same sovereign cloud.

NOTE
This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will
continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM
compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure
PowerShell.

Move single database


Verify prerequisites
1. Create a target logical server for each source server.
2. Configure the firewall with the right exceptions using PowerShell.
3. Configure the logical servers with the correct logins. If you're not the subscription administrator or SQL server
administrator, work with the administrator to assign the permissions that you need. For more information, see
How to manage Azure SQL database security after disaster recovery.
4. If your databases are encrypted with TDE and use your own encryption key in Azure key vault, ensure that the
correct encryption material is provisioned in the target regions. For more information, see Azure SQL
Transparent Data Encryption with customer-managed keys in Azure Key Vault
5. If database-level audit is enabled, disable it and enable server-level auditing instead. After failover,
database-level auditing will require cross-region traffic, which is not desired or possible after the move.
6. For server-level audits, ensure that:
The storage container, Log Analytics, or event hub with the existing audit logs is moved to the target
region.
Auditing is configured on the target server. For more information, see Get started with SQL database
auditing.
7. If your instance has a long-term retention policy (LTR), the existing LTR backups will remain associated with the
current server. Because the target server is different, you will be able to access the older LTR backups in the
source region using the source server, even if the server is deleted.

NOTE
This will be insufficient for moving between the sovereign cloud and a public region. Such a migration will require moving the
LTR backups to the target server, which is not currently supported.

Prepare resources
1. Create a failover group between the logical server of the source and the logical server of the target.
2. Add the databases you want to move to the failover group.
Replication of all added databases will be initiated automatically. For more information, see Best practices
for using failover groups with single databases.
Monitor the preparation process
You can periodically call Get-AzSqlDatabaseFailoverGroup to monitor replication of your databases from the
source to the target. The output object of Get-AzSqlDatabaseFailoverGroup includes a property for the
ReplicationState:
ReplicationState = 2 (CATCH_UP) indicates the database is synchronized and can be safely failed over.
ReplicationState = 0 (SEEDING) indicates that the database is not yet seeded, and an attempt to fail over will
fail.
Test synchronization
Once ReplicationState is 2, connect to each database, or subset of databases, using the secondary endpoint
<fog-name>.secondary.database.windows.net and perform any query against the databases to ensure connectivity,
proper security configuration, and data replication.
Initiate the move
1. Connect to the target server using the secondary endpoint <fog-name>.secondary.database.windows.net .
2. Use Switch-AzSqlDatabaseFailoverGroup to switch the secondary managed instance to be the primary with full
synchronization. This operation will either succeed, or it will roll back.
3. Verify that the command has completed successfully by using
nslookup <fog-name>.secondary.database.windows.net to ascertain that the DNS CNAME entry points to the
target region IP address. If the switch command fails, the CNAME will not get updated.
Remove the source databases
Once the move completes, remove the resources in the source region to avoid unnecessary charges.
1. Delete the failover group using Remove-AzSqlDatabaseFailoverGroup.
2. Delete each source database using Remove-AzSqlDatabase for each of the databases on the source server. This
will automatically terminate geo-replication links.
3. Delete the source server using Remove-AzSqlServer.
4. Remove the key vault, audit storage containers, event hub, AAD instance, and other dependent resources to
stop being billed for them.
Move elastic pools
Verify prerequisites
1. Create a target logical server for each source server.
2. Configure the firewall with the right exceptions using PowerShell.
3. Configure the logical servers with the correct logins. If you're not the subscription administrator or SQL server
administrator, work with the administrator to assign the permissions that you need. For more information, see
How to manage Azure SQL database security after disaster recovery.
4. If your databases are encrypted with TDE and use your own encryption key in Azure key vault, ensure that the
correct encryption material is provisioned in the target region.
5. Create a target elastic pool for each source elastic pool, making sure the pool is created in the same service tier,
with the same name and the same size.
6. If a database-level audit is enabled, disable it and enable server-level auditing instead. After failover,
database-level auditing will require cross-region traffic, which is not desired or possible after the move.
7. For server-level audits, ensure that:
The storage container, Log Analytics, or event hub with the existing audit logs is moved to the target
region.
Audit configuration is configured at the target server. For more information, see SQL database auditing.
8. If your instance has a long-term retention policy (LTR), the existing LTR backups will remain associated with the
current server. Because the target server is different, you will be able to access the older LTR backups in the
source region using the source server, even if the server is deleted.

NOTE
This will be insufficient for moving between the sovereign cloud and a public region. Such a migration will require moving the
LTR backups to the target server, which is not currently supported.

Prepare to move
1. Create a separate failover group between each elastic pool on the source logical server and its counterpart
elastic pool on the target server.
2. Add all the databases in the pool to the failover group.
Replication of the added databases will be initiated automatically. For more information, see best
practices for failover groups with elastic pools.

NOTE
While it is possible to create a failover group that includes multiple elastic pools, we strongly recommend that you create a
separate failover group for each pool. If you have a large number of databases across multiple elastic pools that you need to
move, you can run the preparation steps in parallel and then initiate the move step in parallel. This process will scale better
and will take less time compared to having multiple elastic pools in the same failover group.

Monitor the preparation process


You can periodically call Get-AzSqlDatabaseFailoverGroup to monitor replication of your databases from the
source to the target. The output object of Get-AzSqlDatabaseFailoverGroup includes a property for the
ReplicationState:
ReplicationState = 2 (CATCH_UP) indicates the database is synchronized and can be safely failed over.
ReplicationState = 0 (SEEDING) indicates that the database is not yet seeded, and an attempt to fail over will
fail.
Test synchronization
Once ReplicationState is 2, connect to each database, or subset of databases, using the secondary endpoint
<fog-name>.secondary.database.windows.net and perform any query against the databases to ensure connectivity,
proper security configuration, and data replication.
Initiate the move
1. Connect to the target server using the secondary endpoint <fog-name>.secondary.database.windows.net .
2. Use Switch-AzSqlDatabaseFailoverGroup to switch the secondary managed instance to be the primary with full
synchronization. This operation will either succeed, or it will roll back.
3. Verify that the command has completed successfully by using
nslookup <fog-name>.secondary.database.windows.net to ascertain that the DNS CNAME entry points to the
target region IP address. If the switch command fails, the CNAME will not get updated.
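The monitoring and move steps for single databases and elastic pools can be gated in a script so that the switch never runs against a group that is still seeding. The following PowerShell is an added example, not part of the original article or a Microsoft script. The function names, the ContosoRG, source-sql, target-sql and fog-demo values, and the use of the ReplicationRole and DatabaseNames output properties (which this page does not mention) are assumptions.

```powershell
# Added example. Resource names are placeholders; sample objects at the end are constructed.
# ReplicationState is accepted as 'CATCH_UP' or as 2, the value this page gives for it.

function Test-FailoverGroupReady {
    # Returns $true only when the group is caught up and contains every database in scope.
    param(
        [Parameter(Mandatory)] $FailoverGroup,
        [string[]] $ExpectedDatabases = @()
    )
    $state = [string]$FailoverGroup.ReplicationState
    if ($state -notin @('CATCH_UP', '2')) {
        Write-Verbose "$($FailoverGroup.FailoverGroupName): state '$state', not safe to fail over"
        return $false
    }
    # A database that was never added to the group would be left behind in the source region.
    $missing = @($ExpectedDatabases | Where-Object { $_ -notin $FailoverGroup.DatabaseNames })
    if ($missing.Count -gt 0) {
        throw "Not in failover group $($FailoverGroup.FailoverGroupName): $($missing -join ', ')"
    }
    return $true
}

function Invoke-SqlRegionMove {
    # Polls the source server until the group is ready, then switches on the target server.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string] $SourceResourceGroupName,
        [Parameter(Mandatory)][string] $SourceServer,
        [Parameter(Mandatory)][string] $TargetResourceGroupName,
        [Parameter(Mandatory)][string] $TargetServer,
        [Parameter(Mandatory)][string] $FailoverGroupName,
        [string[]] $ExpectedDatabases = @(),
        [int] $TimeoutMinutes = 60,
        [int] $PollSeconds = 30
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $fog = Get-AzSqlDatabaseFailoverGroup -ResourceGroupName $SourceResourceGroupName `
            -ServerName $SourceServer -FailoverGroupName $FailoverGroupName
        $ready = Test-FailoverGroupReady -FailoverGroup $fog -ExpectedDatabases $ExpectedDatabases
        if (-not $ready) { Start-Sleep -Seconds $PollSeconds }
    } until ($ready -or (Get-Date) -gt $deadline)
    if (-not $ready) { throw "Failover group $FailoverGroupName did not reach CATCH_UP in time." }

    if ($PSCmdlet.ShouldProcess($FailoverGroupName, "Switch primary to $TargetServer")) {
        # The switch is issued against the current secondary (the target server).
        Switch-AzSqlDatabaseFailoverGroup -ResourceGroupName $TargetResourceGroupName `
            -ServerName $TargetServer -FailoverGroupName $FailoverGroupName | Out-Null
        $after = Get-AzSqlDatabaseFailoverGroup -ResourceGroupName $TargetResourceGroupName `
            -ServerName $TargetServer -FailoverGroupName $FailoverGroupName
        if ($after.ReplicationRole -ne 'Primary') {
            throw "Switch did not complete: $TargetServer reports role '$($after.ReplicationRole)'."
        }
    }
}

# Constructed objects shaped like the cmdlet output, so the gate can be exercised without Azure.
$samples = @(
    [pscustomobject]@{ FailoverGroupName = 'fog-demo'; ReplicationState = 'SEEDING';  DatabaseNames = @('orders', 'billing') }
    [pscustomobject]@{ FailoverGroupName = 'fog-demo'; ReplicationState = 'CATCH_UP'; DatabaseNames = @('orders', 'billing') }
)
foreach ($sample in $samples) {
    $ok = Test-FailoverGroupReady -FailoverGroup $sample -ExpectedDatabases 'orders', 'billing'
    '{0}: ready = {1}' -f $sample.ReplicationState, $ok
}

# Live use (requires the Az.Sql module and a signed-in session); -WhatIf skips the switch itself:
# Invoke-SqlRegionMove -SourceResourceGroupName ContosoRG -SourceServer source-sql `
#     -TargetResourceGroupName ContosoRG -TargetServer target-sql -FailoverGroupName fog-demo -WhatIf
```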
Remove the source elastic pools
Once the move completes, remove the resources in the source region to avoid unnecessary charges.
1. Delete the failover group using Remove-AzSqlDatabaseFailoverGroup.
2. Delete each source elastic pool on the source server using Remove-AzSqlElasticPool.
3. Delete the source server using Remove-AzSqlServer.
4. Remove the key vault, audit storage containers, event hub, AAD instance, and other dependent resources to
stop being billed for them.

Move managed instance


Verify prerequisites
1. For each source managed instance, create a target managed instance of the same size in the target region.
2. Configure the network for a managed instance. For more information, see network configuration.
3. Configure the target master database with the correct logins. If you're not the subscription administrator or SQL
server administrator, work with the administrator to assign the permissions that you need.
4. If your databases are encrypted with TDE and use your own encryption key in Azure key vault, ensure that the
AKV with identical encryption keys exists in both source and target regions. For more information, see TDE with
customer-managed keys in Azure Key Vault.
5. If audit is enabled for the instance, ensure that:
The storage container or event hub with the existing logs is moved to the target region.
Audit is configured on the target instance. For more information, see auditing with managed instance.
6. If your instance has a long-term retention policy (LTR), the existing LTR backups will remain associated with the
current server. Because the target server is different, you will be able to access the older LTR backups in the
source region using the source server, even if the server is deleted.

NOTE
This will be insufficient for moving between the sovereign cloud and a public region. Such a migration will require moving the
LTR backups to the target server, which is not currently supported.

Prepare resources
Create a failover group between each source instance and the corresponding target instance.
Replication of all databases on each instance will be initiated automatically. See Auto-failover groups for more
information.
Monitor the preparation process
You can periodically call Get-AzSqlDatabaseFailoverGroup to monitor replication of your databases from the
source to the target. The output object of Get-AzSqlDatabaseFailoverGroup includes a property for the
ReplicationState:
ReplicationState = 2 (CATCH_UP) indicates the database is synchronized and can be safely failed over.
ReplicationState = 0 (SEEDING) indicates that the database is not yet seeded, and an attempt to fail over will
fail.
Test synchronization
Once ReplicationState is 2, connect to each database, or subset of databases, using the secondary endpoint
<fog-name>.secondary.database.windows.net and perform any query against the databases to ensure connectivity,
proper security configuration, and data replication.
Initiate the move
1. Connect to the target server using the secondary endpoint <fog-name>.secondary.database.windows.net .
2. Use Switch-AzSqlDatabaseFailoverGroup to switch the secondary managed instance to be the primary with full
synchronization. This operation will either succeed, or it will roll back.
3. Verify that the command has completed successfully by using
nslookup <fog-name>.secondary.database.windows.net to ascertain that the DNS CNAME entry points to the
target region IP address. If the switch command fails, the CNAME will not get updated.
Remove the source managed instances
Once the move completes, remove the resources in the source region to avoid unnecessary charges.
1. Delete the failover group using Remove-AzSqlDatabaseFailoverGroup. This will drop the failover group
configuration and terminate geo-replication links between the two instances.
2. Delete the source managed instance using Remove-AzSqlInstance.
3. Remove any additional resources in the resource group, such as the virtual cluster, virtual network, and security
group.

Next steps
Manage your Azure SQL Database once it's been migrated.
Move Azure network security group (NSG) to another
region using the Azure portal
1/3/2020 • 4 minutes to read

There are various scenarios in which you'd want to move your existing NSGs from one region to another. For
example, you may want to create an NSG with the same configuration and security rules for testing. You may also
want to move an NSG to another region as part of disaster recovery planning.
Azure security groups can't be moved from one region to another. You can, however, use an Azure Resource
Manager template to export the existing configuration and security rules of an NSG. You can then stage the
resource in another region by exporting the NSG to a template, modifying the parameters to match the destination
region, and then deploying the template to the new region. For more information on Resource Manager and
templates, see Quickstart: Create and deploy Azure Resource Manager templates by using the Azure portal.

Prerequisites
Make sure that the Azure network security group is in the Azure region from which you want to move.
Azure network security groups can't be moved between regions. You'll have to associate the new NSG to
resources in the target region.
To export an NSG configuration and deploy a template to create an NSG in another region, you'll need the
Network Contributor role or higher.
Identify the source networking layout and all the resources that you're currently using. This layout includes
but isn't limited to load balancers, public IPs, and virtual networks.
Verify that your Azure subscription allows you to create NSGs in the target region that's used. Contact
support to enable the required quota.
Make sure that your subscription has enough resources to support the addition of NSGs for this process.
See Azure subscription and service limits, quotas, and constraints.

Prepare and move


The following steps show how to prepare the network security group for the configuration and security rule move
using a Resource Manager template, and move the NSG configuration and security rules to the target region using
the portal.
Export the template and deploy from the portal
1. Log in to the Azure portal > Resource Groups.
2. Locate the Resource Group that contains the source NSG and click on it.
3. Select Settings > Export template.
4. Choose Deploy in the Export template blade.
5. Click TEMPLATE > Edit parameters to open the parameters.json file in the online editor.
6. To edit the parameter of the NSG name, change the value property under parameters:
{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "networkSecurityGroups_myVM1_nsg_name": {
            "value": "<target-nsg-name>"
        }
    }
}

7. Change the source NSG value in the editor to a name of your choice for the target NSG. Ensure you enclose
the name in quotes.
8. Click Save in the editor.
9. Click TEMPLATE > Edit template to open the template.json file in the online editor.
10. To edit the target region where the NSG configuration and security rules will be moved, change the location
property under resources in the online editor:

"resources": [
    {
        "type": "Microsoft.Network/networkSecurityGroups",
        "apiVersion": "2019-06-01",
        "name": "[parameters('networkSecurityGroups_myVM1_nsg_name')]",
        "location": "<target-region>",
        "properties": {
            "provisioningState": "Succeeded",
            "resourceGuid": "2c846acf-58c8-416d-be97-ccd00a4ccd78"
        }
    }
]

11. To obtain region location codes, see Azure Locations. The code for a region is the region name with no
spaces, Central US = centralus.
12. You can also change other parameters in the template. These changes are optional, depending on your
requirements:
Security rules - You can edit which rules are deployed into the target NSG by adding or removing
rules to the securityRules section in the template.json file:

"resources": [
    {
        "type": "Microsoft.Network/networkSecurityGroups",
        "apiVersion": "2019-06-01",
        "name": "[parameters('networkSecurityGroups_myVM1_nsg_name')]",
        "location": "<target-region>",
        "properties": {
            "provisioningState": "Succeeded",
            "resourceGuid": "2c846acf-58c8-416d-be97-ccd00a4ccd78",
            "securityRules": [
                {
                    "name": "RDP",
                    "etag": "W/\"c630c458-6b52-4202-8fd7-172b7ab49cf5\"",
                    "properties": {
                        "provisioningState": "Succeeded",
                        "protocol": "TCP",
                        "sourcePortRange": "*",
                        "destinationPortRange": "3389",
                        "sourceAddressPrefix": "*",
                        "destinationAddressPrefix": "*",
                        "access": "Allow",
                        "priority": 300,
                        "direction": "Inbound",
                        "sourcePortRanges": [],
                        "destinationPortRanges": [],
                        "sourceAddressPrefixes": [],
                        "destinationAddressPrefixes": []
                    }
                }
            ]
        }
    }
]

To complete the addition or the removal of the rules in the target NSG, you must also edit the custom
rule types at the end of the template.json file in the format of the example below:

{
    "type": "Microsoft.Network/networkSecurityGroups/securityRules",
    "apiVersion": "2019-06-01",
    "name": "[concat(parameters('networkSecurityGroups_myVM1_nsg_name'), '/Port_80')]",
    "dependsOn": [
        "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroups_myVM1_nsg_name'))]"
    ],
    "properties": {
        "provisioningState": "Succeeded",
        "protocol": "*",
        "sourcePortRange": "*",
        "destinationPortRange": "80",
        "sourceAddressPrefix": "*",
        "destinationAddressPrefix": "*",
        "access": "Allow",
        "priority": 310,
        "direction": "Inbound",
        "sourcePortRanges": [],
        "destinationPortRanges": [],
        "sourceAddressPrefixes": [],
        "destinationAddressPrefixes": []
    }
}

13. Click Save in the online editor.


14. Click BASICS > Subscription to choose the subscription where the target NSG will be deployed.
15. Click BASICS > Resource group to choose the resource group where the target NSG will be deployed. You
can click Create new to create a new resource group for the target NSG. Ensure the name isn't the same as
the source resource group of the existing NSG.
16. Verify BASICS > Location is set to the target location where you wish for the NSG to be deployed.
17. Verify under SETTINGS that the name matches the name that you entered in the parameters editor above.
18. Check the box under TERMS AND CONDITIONS.
19. Click the Purchase button to deploy the target network security group.
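
The exported template carries every security rule into the target region as is, including broad ones such as the RDP rule shown above, which allows any source. The following PowerShell is an added example, not part of the original article or Microsoft's tooling: it sets the target location in a template and lists inbound Allow rules that are open to any source on sensitive ports, so they can be reviewed before deployment. The function names, the Mgmt_Range rule, the sensitive-port list (22 and 3389) and the template.target.json file name are assumptions; the template is constructed from the excerpts above.

```powershell
# Added example. The template is constructed from the excerpts on this page; nothing is read from Azure.
$templateJson = @'
{
  "resources": [
    { "type": "Microsoft.Network/networkSecurityGroups",
      "apiVersion": "2019-06-01",
      "name": "[parameters('networkSecurityGroups_myVM1_nsg_name')]",
      "location": "eastus",
      "properties": { "securityRules": [
        { "name": "RDP", "properties": {
            "protocol": "TCP", "destinationPortRange": "3389", "sourceAddressPrefix": "*",
            "access": "Allow", "priority": 300, "direction": "Inbound",
            "destinationPortRanges": [], "sourceAddressPrefixes": [] } } ] } },
    { "type": "Microsoft.Network/networkSecurityGroups/securityRules",
      "apiVersion": "2019-06-01",
      "name": "[concat(parameters('networkSecurityGroups_myVM1_nsg_name'), '/RDP')]",
      "properties": {
        "protocol": "TCP", "destinationPortRange": "3389", "sourceAddressPrefix": "*",
        "access": "Allow", "priority": 300, "direction": "Inbound",
        "destinationPortRanges": [], "sourceAddressPrefixes": [] } },
    { "type": "Microsoft.Network/networkSecurityGroups/securityRules",
      "apiVersion": "2019-06-01",
      "name": "[concat(parameters('networkSecurityGroups_myVM1_nsg_name'), '/Port_80')]",
      "properties": {
        "protocol": "*", "destinationPortRange": "80", "sourceAddressPrefix": "*",
        "access": "Allow", "priority": 310, "direction": "Inbound",
        "destinationPortRanges": [], "sourceAddressPrefixes": [] } },
    { "type": "Microsoft.Network/networkSecurityGroups/securityRules",
      "apiVersion": "2019-06-01",
      "name": "[concat(parameters('networkSecurityGroups_myVM1_nsg_name'), '/Mgmt_Range')]",
      "properties": {
        "protocol": "TCP", "sourceAddressPrefix": "Internet",
        "access": "Allow", "priority": 320, "direction": "Inbound",
        "destinationPortRanges": ["20-25", "8080"], "sourceAddressPrefixes": [] } }
  ]
}
'@

function Test-PortSpecCovers {
    # True when a port spec ('*', '3389' or '3000-4000') includes any of the given ports.
    param([string] $Spec, [int[]] $Ports)
    if ($Spec -eq '*') { return $true }
    $low, $high = $Spec -split '-', 2
    if (-not $high) { $high = $low }
    foreach ($port in $Ports) {
        if ($port -ge [int]$low -and $port -le [int]$high) { return $true }
    }
    return $false
}

function Get-NsgTemplateRule {
    # Emits each rule once, whether it is inline in the NSG or a child securityRules resource.
    param([Parameter(Mandatory)] $Template)
    $rules = foreach ($res in $Template.resources) {
        if ($res.type -eq 'Microsoft.Network/networkSecurityGroups') {
            foreach ($rule in @($res.properties.securityRules)) {
                if ($rule) { [pscustomobject]@{ Name = $rule.name; Properties = $rule.properties } }
            }
        }
        elseif ($res.type -eq 'Microsoft.Network/networkSecurityGroups/securityRules') {
            # Child names look like "[concat(parameters('...'), '/Port_80')]"; keep the last segment.
            $name = if ($res.name -match "'/([^']+)'\)\]") { $Matches[1] } else { $res.name }
            [pscustomobject]@{ Name = $name; Properties = $res.properties }
        }
    }
    $rules | Group-Object Name | ForEach-Object { $_.Group[0] }
}

function Find-OpenInboundRule {
    # Lists inbound Allow rules whose source is unrestricted and whose ports include a sensitive one.
    param([Parameter(Mandatory)] $Template, [int[]] $SensitivePorts = @(22, 3389))
    $anySource = @('*', 'Internet', '0.0.0.0/0')
    foreach ($rule in Get-NsgTemplateRule -Template $Template) {
        $p = $rule.Properties
        if ($p.direction -ne 'Inbound' -or $p.access -ne 'Allow') { continue }
        $sources = @($p.sourceAddressPrefix) + @($p.sourceAddressPrefixes) | Where-Object { $_ }
        $ports   = @($p.destinationPortRange) + @($p.destinationPortRanges) | Where-Object { $_ }
        $open    = @($sources | Where-Object { $_ -in $anySource })
        $exposed = @($ports | Where-Object { Test-PortSpecCovers -Spec $_ -Ports $SensitivePorts })
        if ($open.Count -gt 0 -and $exposed.Count -gt 0) {
            [pscustomobject]@{ Rule = $rule.Name; Source = $open -join ','; Ports = $exposed -join ',' }
        }
    }
}

function Set-NsgTemplateLocation {
    # Points every NSG resource in the template at the target region.
    param([Parameter(Mandatory)] $Template, [Parameter(Mandatory)][string] $Location)
    foreach ($res in $Template.resources) {
        if ($res.type -eq 'Microsoft.Network/networkSecurityGroups') { $res.location = $Location }
    }
}

$template = $templateJson | ConvertFrom-Json
Set-NsgTemplateLocation -Template $template -Location 'centralus'
$findings = @(Find-OpenInboundRule -Template $template)
$findings | Format-Table -AutoSize
if ($findings.Count -eq 0) {
    $template | ConvertTo-Json -Depth 20 | Set-Content -Path .\template.target.json
} else {
    Write-Warning "$($findings.Count) inbound rule(s) allow any source on a sensitive port; review before deploying."
}
```

To review a real export, replace the here-string with Get-Content -Raw on the template.json file from the Export template step.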

Discard
If you wish to discard the target NSG, delete the resource group that contains the target NSG. To do so, select the
resource group from your dashboard in the portal and select Delete at the top of the overview page.

Clean up
To commit the changes and complete the move of the NSG, delete the source NSG or resource group. To do so,
select the network security group or resource group from your dashboard in the portal and select Delete at the top
of each page.

Next steps
In this tutorial, you moved an Azure network security group from one region to another and cleaned up the source
resources. To learn more about moving resources between regions and disaster recovery in Azure, refer to:
Move resources to a new resource group or subscription
Move Azure VMs to another region
Move Azure network security group (NSG) to another region using the Azure portal
1/3/2020 • 4 minutes to read

There are various scenarios in which you'd want to move your existing NSGs from one region to another. For
example, you may want to create an NSG with the same configuration and security rules for testing. You may also
want to move an NSG to another region as part of disaster recovery planning.
Azure security groups can't be moved from one region to another. You can, however, use an Azure Resource
Manager template to export the existing configuration and security rules of an NSG. You can then stage the
resource in another region by exporting the NSG to a template, modifying the parameters to match the destination
region, and then deploying the template to the new region. For more information on Resource Manager and
templates, see Quickstart: Create and deploy Azure Resource Manager templates by using the Azure portal.

Prerequisites
Make sure that the Azure network security group is in the Azure region from which you want to move.
Azure network security groups can't be moved between regions. You'll have to associate the new NSG to
resources in the target region.
To export an NSG configuration and deploy a template to create an NSG in another region, you'll need the
Network Contributor role or higher.
Identify the source networking layout and all the resources that you're currently using. This layout includes
but isn't limited to load balancers, public IPs, and virtual networks.
Verify that your Azure subscription allows you to create NSGs in the target region that's used. Contact
support to enable the required quota.
Make sure that your subscription has enough resources to support the addition of NSGs for this process.
See Azure subscription and service limits, quotas, and constraints.

Prepare and move


The following steps show how to prepare the network security group for the configuration and security rule move
using a Resource Manager template, and move the NSG configuration and security rules to the target region using
the portal.
Export the template and deploy from the portal
1. Log in to the Azure portal > Resource Groups.
2. Locate the Resource Group that contains the source NSG and click on it.
3. Select Settings > Export template.
4. Choose Deploy in the Export template blade.
5. Click TEMPLATE > Edit parameters to open the parameters.json file in the online editor.
6. To edit the parameter of the NSG name, change the value property under parameters:
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "networkSecurityGroups_myVM1_nsg_name": {
      "value": "<target-nsg-name>"
    }
  }
}

7. Change the source NSG value in the editor to a name of your choice for the target NSG. Ensure you enclose
the name in quotes.
8. Click Save in the editor.
9. Click TEMPLATE > Edit template to open the template.json file in the online editor.
10. To edit the target region where the NSG configuration and security rules will be moved, change the
location property under resources in the online editor:

"resources": [
  {
    "type": "Microsoft.Network/networkSecurityGroups",
    "apiVersion": "2019-06-01",
    "name": "[parameters('networkSecurityGroups_myVM1_nsg_name')]",
    "location": "<target-region>",
    "properties": {
      "provisioningState": "Succeeded",
      "resourceGuid": "2c846acf-58c8-416d-be97-ccd00a4ccd78"
    }
  }
]

11. To obtain region location codes, see Azure Locations. The code for a region is the region name with no
spaces; for example, Central US = centralus.
12. You can also change other parameters in the template. These changes are optional, depending on your
requirements:
Security rules - You can edit which rules are deployed into the target NSG by adding or removing
rules to the securityRules section in the template.json file:

"resources": [
  {
    "type": "Microsoft.Network/networkSecurityGroups",
    "apiVersion": "2019-06-01",
    "name": "[parameters('networkSecurityGroups_myVM1_nsg_name')]",
    "location": "<target-region>",
    "properties": {
      "provisioningState": "Succeeded",
      "resourceGuid": "2c846acf-58c8-416d-be97-ccd00a4ccd78",
      "securityRules": [
        {
          "name": "RDP",
          "etag": "W/\"c630c458-6b52-4202-8fd7-172b7ab49cf5\"",
          "properties": {
            "provisioningState": "Succeeded",
            "protocol": "TCP",
            "sourcePortRange": "*",
            "destinationPortRange": "3389",
            "sourceAddressPrefix": "*",
            "destinationAddressPrefix": "*",
            "access": "Allow",
            "priority": 300,
            "direction": "Inbound",
            "sourcePortRanges": [],
            "destinationPortRanges": [],
            "sourceAddressPrefixes": [],
            "destinationAddressPrefixes": []
          }
        }
      ]
    }
  }
]

To complete the addition or the removal of the rules in the target NSG, you must also edit the custom
rule types at the end of the template.json file in the format of the example below:

{
  "type": "Microsoft.Network/networkSecurityGroups/securityRules",
  "apiVersion": "2019-06-01",
  "name": "[concat(parameters('networkSecurityGroups_myVM1_nsg_name'), '/Port_80')]",
  "dependsOn": [
    "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroups_myVM1_nsg_name'))]"
  ],
  "properties": {
    "provisioningState": "Succeeded",
    "protocol": "*",
    "sourcePortRange": "*",
    "destinationPortRange": "80",
    "sourceAddressPrefix": "*",
    "destinationAddressPrefix": "*",
    "access": "Allow",
    "priority": 310,
    "direction": "Inbound",
    "sourcePortRanges": [],
    "destinationPortRanges": [],
    "sourceAddressPrefixes": [],
    "destinationAddressPrefixes": []
  }
}

13. Click Save in the online editor.


14. Click BASICS > Subscription to choose the subscription where the target NSG will be deployed.
15. Click BASICS > Resource group to choose the resource group where the target NSG will be deployed.
You can click Create new to create a new resource group for the target NSG. Ensure the name isn't the
same as the source resource group of the existing NSG.
16. Verify BASICS > Location is set to the target location where you wish for the NSG to be deployed.
17. Verify under SETTINGS that the name matches the name that you entered in the parameters editor above.
18. Check the box under TERMS AND CONDITIONS.
19. Click the Purchase button to deploy the target network security group.
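
Before you click Purchase, it is worth checking the edited template.json, because the export copies every rule of the source NSG, including inbound rules that allow any source. The following Python script is an added example, not part of the original article: it sets the target region, lists inbound Allow rules that open a management port to any source, and reports rules that appear in only one of the two places step 12 says must be edited together. The sample template is constructed from the fragments above, and the flagged ports (22 and 3389) and the helper names are assumptions of this example.

```python
import copy
import re

NSG_TYPE = "Microsoft.Network/networkSecurityGroups"
RULE_TYPE = NSG_TYPE + "/securityRules"
ANY_SOURCE = {"*", "0.0.0.0/0", "internet"}  # sources this example treats as "anywhere"
MGMT_PORTS = (22, 3389)                       # assumption: ports worth flagging
PARAM = "networkSecurityGroups_myVM1_nsg_name"


def rule_props(port, protocol, priority):
    """Build rule properties shaped like the exported rules in this article."""
    return {"protocol": protocol, "sourcePortRange": "*", "destinationPortRange": port,
            "sourceAddressPrefix": "*", "destinationAddressPrefix": "*",
            "access": "Allow", "priority": priority, "direction": "Inbound",
            "sourcePortRanges": [], "destinationPortRanges": [],
            "sourceAddressPrefixes": [], "destinationAddressPrefixes": []}


# Constructed sample: RDP appears only inline, Port_80 only as a child resource.
SAMPLE = {"resources": [
    {"type": NSG_TYPE, "apiVersion": "2019-06-01",
     "name": "[parameters('%s')]" % PARAM, "location": "<target-region>",
     "properties": {"securityRules": [
         {"name": "RDP", "properties": rule_props("3389", "TCP", 300)}]}},
    {"type": RULE_TYPE, "apiVersion": "2019-06-01",
     "name": "[concat(parameters('%s'), '/Port_80')]" % PARAM,
     "dependsOn": ["[resourceId('%s', parameters('%s'))]" % (NSG_TYPE, PARAM)],
     "properties": rule_props("80", "*", 310)},
]}


def inline_rules(template):
    """Rules listed in the securityRules section of each NSG resource."""
    rules = {}
    for res in template.get("resources", []):
        if res.get("type") == NSG_TYPE:
            for rule in res.get("properties", {}).get("securityRules", []):
                rules[rule["name"]] = rule.get("properties", {})
    return rules


def child_rules(template):
    """Rules declared as separate securityRules resources at the end of the file."""
    rules = {}
    for res in template.get("resources", []):
        if res.get("type") == RULE_TYPE:
            # The rule name is the last path segment of the concat() expression.
            match = re.search(r"/([^/']+)'\s*\)\s*\]\s*$", res.get("name", ""))
            rules[match.group(1) if match else res.get("name", "")] = res.get("properties", {})
    return rules


def covers(spec, port):
    """True if a port spec ('*', '80' or '3000-4000') includes the port."""
    spec = str(spec).strip()
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    try:
        return int(low) <= port <= int(high or low)
    except ValueError:
        return False


def exposed_ports(props, ports=MGMT_PORTS):
    """Management ports that an inbound Allow rule opens to any source."""
    if str(props.get("access", "")).lower() != "allow":
        return []
    if str(props.get("direction", "")).lower() != "inbound":
        return []
    sources = [props.get("sourceAddressPrefix")] + list(props.get("sourceAddressPrefixes") or [])
    if not any(str(s).lower() in ANY_SOURCE for s in sources if s):
        return []
    specs = [props.get("destinationPortRange")] + list(props.get("destinationPortRanges") or [])
    return [p for p in ports if any(covers(s, p) for s in specs if s)]


def review(template):
    """Summarise what to check before deploying the staged NSG."""
    inline, child = inline_rules(template), child_rules(template)
    merged = {**child, **inline}
    exposed = {name: exposed_ports(p) for name, p in merged.items()}
    return {"exposed": {n: p for n, p in sorted(exposed.items()) if p},
            "inline_only": sorted(set(inline) - set(child)),
            "child_only": sorted(set(child) - set(inline))}


def retarget(template, region):
    """Return a copy of the template with every NSG set to the target region."""
    staged = copy.deepcopy(template)
    for res in staged.get("resources", []):
        if res.get("type") == NSG_TYPE:
            res["location"] = region
    return staged


if __name__ == "__main__":
    print(review(SAMPLE))
    print(retarget(SAMPLE, "centralus")["resources"][0]["location"])
```
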

Discard
If you wish to discard the target NSG, delete the resource group that contains the target NSG. To do so, select the
resource group from your dashboard in the portal and select Delete at the top of the overview page.

Clean up
To commit the changes and complete the move of the NSG, delete the source NSG or resource group. To do so,
select the network security group or resource group from your dashboard in the portal and select Delete at the
top of each page.

Next steps
In this tutorial, you moved an Azure network security group from one region to another and cleaned up the source
resources. To learn more about moving resources between regions and disaster recovery in Azure, refer to:
Move resources to a new resource group or subscription
Move Azure VMs to another region
Move Azure Public IP to another region using the Azure portal
1/3/2020 • 4 minutes to read

There are various scenarios in which you'd want to move your existing Azure Public IPs from one region to
another. For example, you may want to create a public IP with the same configuration and sku for testing. You may
also want to move a public IP to another region as part of disaster recovery planning.
Azure Public IPs are region specific and can't be moved from one region to another. You can, however, use an Azure
Resource Manager template to export the existing configuration of a public IP. You can then stage the resource in
another region by exporting the public IP to a template, modifying the parameters to match the destination region,
and then deploying the template to the new region. For more information on Resource Manager and templates, see
Quickstart: Create and deploy Azure Resource Manager templates by using the Azure portal.

Prerequisites
Make sure that the Azure Public IP is in the Azure region from which you want to move.
Azure Public IPs can't be moved between regions. You'll have to associate the new public IP to resources in
the target region.
To export a public IP configuration and deploy a template to create a public IP in another region, you'll need
the Network Contributor role or higher.
Identify the source networking layout and all the resources that you're currently using. This layout includes
but isn't limited to load balancers, network security groups (NSGs), and virtual networks.
Verify that your Azure subscription allows you to create public IPs in the target region that's used. Contact
support to enable the required quota.
Make sure that your subscription has enough resources to support the addition of public IPs for this
process. See Azure subscription and service limits, quotas, and constraints.

Prepare and move


The following steps show how to prepare the public IP for the configuration move using a Resource Manager
template, and move the public IP configuration to the target region using the Azure portal.
Export the template and deploy from the portal
1. Log in to the Azure portal > Resource Groups.
2. Locate the Resource Group that contains the source public IP and click on it.
3. Select Settings > Export template.
4. Choose Deploy in the Export template blade.
5. Click TEMPLATE > Edit parameters to open the parameters.json file in the online editor.
6. To edit the parameter of the public IP name, change the property under parameters > value from the
source public IP name to the name of your target public IP. Ensure the name is in quotes:
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "publicIPAddresses_myPubIP_name": {
      "value": "<target-publicip-name>"
    }
  }
}

7. Click Save in the editor.


8. Click TEMPLATE > Edit template to open the template.json file in the online editor.
9. To edit the target region where the public IP will be moved, change the location property under resources:

"resources": [
  {
    "type": "Microsoft.Network/publicIPAddresses",
    "apiVersion": "2019-06-01",
    "name": "[parameters('publicIPAddresses_myPubIP_name')]",
    "location": "<target-region>",
    "sku": {
      "name": "Basic",
      "tier": "Regional"
    },
    "properties": {
      "provisioningState": "Succeeded",
      "resourceGuid": "7549a8f1-80c2-481a-a073-018f5b0b69be",
      "ipAddress": "52.177.6.204",
      "publicIPAddressVersion": "IPv4",
      "publicIPAllocationMethod": "Dynamic",
      "idleTimeoutInMinutes": 4,
      "ipTags": []
    }
  }
]

10. To obtain region location codes, see Azure Locations. The code for a region is the region name with no
spaces; for example, Central US = centralus.
11. You can also change other parameters in the template. These changes are optional, depending on your
requirements:
Sku - You can change the sku of the public IP in the configuration from standard to basic or basic to
standard by altering the sku > name property in the template.json file:

"resources": [
  {
    "type": "Microsoft.Network/publicIPAddresses",
    "apiVersion": "2019-06-01",
    "name": "[parameters('publicIPAddresses_myPubIP_name')]",
    "location": "<target-region>",
    "sku": {
      "name": "Basic",
      "tier": "Regional"
    }
  }
]

For more information on the differences between basic and standard sku public IPs, see Create,
change, or delete a public IP address.
Public IP allocation method and Idle timeout - You can change both of these options in the
template by altering the publicIPAllocationMethod property from Dynamic to Static or Static to
Dynamic. The idle timeout can be changed by altering the idleTimeoutInMinutes property to your
desired amount. The default is 4:

"resources": [
  {
    "type": "Microsoft.Network/publicIPAddresses",
    "apiVersion": "2019-06-01",
    "name": "[parameters('publicIPAddresses_myPubIP_name')]",
    "location": "<target-region>",
    "sku": {
      "name": "Basic",
      "tier": "Regional"
    },
    "properties": {
      "provisioningState": "Succeeded",
      "resourceGuid": "7549a8f1-80c2-481a-a073-018f5b0b69be",
      "ipAddress": "52.177.6.204",
      "publicIPAddressVersion": "IPv4",
      "publicIPAllocationMethod": "Dynamic",
      "idleTimeoutInMinutes": 4,
      "ipTags": []
    }
  }
]

For more information on the allocation methods and the idle timeout values, see Create, change, or
delete a public IP address.
12. Click Save in the online editor.
13. Click BASICS > Subscription to choose the subscription where the target public IP will be deployed.
14. Click BASICS > Resource group to choose the resource group where the target public IP will be deployed.
You can click Create new to create a new resource group for the target public IP. Ensure the name isn't the
same as the source resource group of the existing source public IP.
15. Verify BASICS > Location is set to the target location where you wish for the public IP to be deployed.
16. Verify under SETTINGS that the name matches the name that you entered in the parameters editor above.
17. Check the box under TERMS AND CONDITIONS.
18. Click the Purchase button to deploy the target public IP.

Discard
If you wish to discard the target public IP, delete the resource group that contains the target public IP. To do so,
select the resource group from your dashboard in the portal and select Delete at the top of the overview page.

Clean up
To commit the changes and complete the move of the public IP, delete the source public IP or resource group. To
do so, select the public IP or resource group from your dashboard in the portal and select Delete at the top of each
page.

Next steps
In this tutorial, you moved an Azure Public IP from one region to another and cleaned up the source resources. To
learn more about moving resources between regions and disaster recovery in Azure, refer to:
Move resources to a new resource group or subscription
Move Azure VMs to another region
Use tags to organize your Azure resources
1/5/2020 • 11 minutes to read

You apply tags to your Azure resources to logically organize them into a taxonomy. Each tag consists of a name
and a value pair. For example, you can apply the name "Environment" and the value "Production" to all the
resources in production.
After you apply tags, you can retrieve all the resources in your subscription with that tag name and value. Tags
enable you to retrieve related resources from different resource groups. This approach is helpful when you need to
organize resources for billing or management.
Your taxonomy should consider a self-service metadata tagging strategy in addition to an autotagging strategy to
reduce the burden on users and increase accuracy.

NOTE
This article provides steps for how to delete personal data from the device or service and can be used to support your
obligations under the GDPR. If you’re looking for general info about GDPR, see the GDPR section of the Service Trust portal.

Limitations
The following limitations apply to tags:
Not all resource types support tags. To determine if you can apply a tag to a resource type, see Tag support
for Azure resources.
Each resource or resource group can have a maximum of 50 tag name/value pairs. If you need to apply
more tags than the maximum allowed number, use a JSON string for the tag value. The JSON string can
contain many values that are applied to a single tag name. A resource group can contain many resources
that each have 50 tag name/value pairs.
The tag name is limited to 512 characters, and the tag value is limited to 256 characters. For storage
accounts, the tag name is limited to 128 characters, and the tag value is limited to 256 characters.
Generalized VMs don't support tags.
Tags applied to the resource group are not inherited by the resources in that resource group.
Tags can't be applied to classic resources such as Cloud Services.
Tag names can't contain these characters: < , > , % , & , \ , ? , /

NOTE
Currently, Azure DNS zones and Traffic Manager services also don't allow the use of spaces in the tag.

Required access
To apply tags to resources, the user must have write access to that resource type. To apply tags to all resource
types, use the Contributor role. To apply tags to only one resource type, use the contributor role for that resource.
For example, to apply tags to virtual machines, use the Virtual Machine Contributor.
Policies
You can use Azure Policy to enforce tagging rules and conventions. By creating a policy, you avoid the scenario of
resources being deployed to your subscription that don't comply with the expected tags for your organization.
Instead of manually applying tags or searching for resources that aren't compliant, you can create a policy that
automatically applies the needed tags during deployment. Tags can also now be applied to existing resources with
the new Modify effect and a remediation task. The following section shows example policies for tags.
Tags
Apply tag and its default value - Appends a specified tag name and value, if that tag is not provided. You specify the tag name and value to apply.
Billing Tags Policy Initiative - Requires specified tag values for cost center and product name. Uses built-in policies to apply and enforce required tags. You specify the required values for the tags.
Enforce tag and its value - Requires a specified tag name and value. You specify the tag name and value to enforce.
Enforce tag and its value on resource groups - Requires a tag and value on a resource group. You specify the required tag name and value.

PowerShell
To see the existing tags for a resource group, use:

(Get-AzResourceGroup -Name examplegroup).Tags

That script returns the following format:

Name Value
---- -----
Dept IT
Environment Test

To see the existing tags for a resource that has a specified name and resource group, use:

(Get-AzResource -ResourceName examplevnet -ResourceGroupName examplegroup).Tags

Or, if you have the resource ID for a resource, you can pass that resource ID to get the tags.

(Get-AzResource -ResourceId /subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.Storage/storageAccounts/<storage-name>).Tags

To get resource groups that have a specific tag name and value, use:

(Get-AzResourceGroup -Tag @{ "Dept"="Finance" }).ResourceGroupName

To get resources that have a specific tag name and value, use:
(Get-AzResource -Tag @{ "Dept"="Finance"}).Name

To get resources that have a specific tag name, use:

(Get-AzResource -TagName "Dept").Name

Every time you apply tags to a resource or a resource group, you overwrite the existing tags on that resource or
resource group. Therefore, you must use a different approach based on whether the resource or resource group
has existing tags.
To add tags to a resource group without existing tags, use:

Set-AzResourceGroup -Name examplegroup -Tag @{ "Dept"="IT"; "Environment"="Test" }

To add tags to a resource group that has existing tags, retrieve the existing tags, add the new tag, and reapply the
tags:

$tags = (Get-AzResourceGroup -Name examplegroup).Tags
$tags.Add("Status", "Approved")
Set-AzResourceGroup -Tag $tags -Name examplegroup

To add tags to a resource without existing tags, use:

$resource = Get-AzResource -ResourceName examplevnet -ResourceGroupName examplegroup
Set-AzResource -Tag @{ "Dept"="IT"; "Environment"="Test" } -ResourceId $resource.ResourceId -Force

You may have more than one resource with the same name in a resource group. In that case, you can set each
resource with the following commands:

$resource = Get-AzResource -ResourceName sqlDatabase1 -ResourceGroupName examplegroup
$resource | ForEach-Object {
    Set-AzResource -Tag @{ "Dept"="IT"; "Environment"="Test" } -ResourceId $_.ResourceId -Force
}

To add tags to a resource that has existing tags, use:

$resource = Get-AzResource -ResourceName examplevnet -ResourceGroupName examplegroup
$resource.Tags.Add("Status", "Approved")
Set-AzResource -Tag $resource.Tags -ResourceId $resource.ResourceId -Force

To apply all tags from a resource group to its resources, and not keep existing tags on the resources, use the
following script:

$group = Get-AzResourceGroup -Name examplegroup
Get-AzResource -ResourceGroupName $group.ResourceGroupName | ForEach-Object {
    Set-AzResource -ResourceId $_.ResourceId -Tag $group.Tags -Force
}

To apply all tags from a resource group to its resources, and keep existing tags on resources that aren't duplicates,
use the following script:

$group = Get-AzResourceGroup -Name examplegroup
if ($null -ne $group.Tags) {
    $resources = Get-AzResource -ResourceGroupName $group.ResourceGroupName
    foreach ($r in $resources)
    {
        $resourcetags = (Get-AzResource -ResourceId $r.ResourceId).Tags
        if ($resourcetags)
        {
            # Add only the group tags the resource doesn't already have.
            foreach ($key in $group.Tags.Keys)
            {
                if (-not($resourcetags.ContainsKey($key)))
                {
                    $resourcetags.Add($key, $group.Tags[$key])
                }
            }
            Set-AzResource -Tag $resourcetags -ResourceId $r.ResourceId -Force
        }
        else
        {
            # The resource has no tags, so apply the group tags as they are.
            Set-AzResource -Tag $group.Tags -ResourceId $r.ResourceId -Force
        }
    }
}

To remove all tags, pass an empty hash table:

Set-AzResourceGroup -Tag @{} -Name examplegroup

Azure CLI
To see the existing tags for a resource group, use:

az group show -n examplegroup --query tags

That script returns the following format:

{
"Dept" : "IT",
"Environment" : "Test"
}

Or, to see the existing tags for a resource that has a specified name, type, and resource group, use:

az resource show -n examplevnet -g examplegroup --resource-type "Microsoft.Network/virtualNetworks" --query tags

When looping through a collection of resources, you might want to show the resource by resource ID. A complete
example is shown later in this article. To see the existing tags for a resource that has a specified resource ID, use:

az resource show --id <resource-id> --query tags

To get resource groups that have a specific tag, use az group list :

az group list --tag Dept=IT


To get all the resources that have a particular tag and value, use az resource list :

az resource list --tag Dept=Finance

When adding tags to a resource group or resource, you can either overwrite the existing tags or append new tags
to existing tags.
To overwrite the existing tags on a resource group, use:

az group update -n examplegroup --tags 'Environment=Test' 'Dept=IT'

To append a tag to the existing tags on a resource group, use:

az group update -n examplegroup --set tags.'Status'='Approved'

To overwrite the tags on a resource, use:

az resource tag --tags 'Dept=IT' 'Environment=Test' -g examplegroup -n examplevnet --resource-type "Microsoft.Network/virtualNetworks"

To append a tag to the existing tags on a resource, use:

az resource update --set tags.'Status'='Approved' -g examplegroup -n examplevnet --resource-type "Microsoft.Network/virtualNetworks"

To apply all tags from a resource group to its resources, and not keep existing tags on the resources, use the
following script:

jsontags=$(az group show --name examplegroup --query tags -o json)
tags=$(echo $jsontags | tr -d '"{},' | sed 's/: /=/g')
resourceids=$(az resource list -g examplegroup --query [].id --output tsv)
for id in $resourceids
do
  az resource tag --tags $tags --id $id
done

To apply all tags from a resource group to its resources, and keep existing tags on resources, use the following
script:

jsontags=$(az group show --name examplegroup --query tags -o json)
tags=$(echo $jsontags | tr -d '"{},' | sed 's/: /=/g')
resourceids=$(az resource list -g examplegroup --query [].id --output tsv)
for id in $resourceids
do
  resourcejsontags=$(az resource show --id $id --query tags -o json)
  resourcetags=$(echo $resourcejsontags | tr -d '"{},' | sed 's/: /=/g')
  az resource tag --tags $tags$resourcetags --id $id
done

If your tag names or values include spaces, you must take a couple of extra steps. The following example applies all
tags from a resource group to its resources when the tags may contain spaces.

jsontags=$(az group show --name examplegroup --query tags -o json)
tags=$(echo $jsontags | tr -d '{}"' | sed 's/: /=/g' | sed "s/\"/'/g" | sed 's/, /,/g' | sed 's/ *$//g' | sed 's/^ *//g')
# Set IFS to a comma only for this read, so that tags split on commas while
# the for loop below still splits the resource IDs on whitespace.
IFS=',' read -r -a tagarr <<< "$tags"
resourceids=$(az resource list -g examplegroup --query '[].id' --output tsv)
for id in $resourceids
do
  az resource tag --tags "${tagarr[@]}" --id "$id"
done

Templates
To tag a resource during deployment, add the tags element to the resource you're deploying. Provide the tag
name and value.
Apply a literal value to the tag name
The following example shows a storage account with two tags ( Dept and Environment ) that are set to literal
values:

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]"
    }
  },
  "resources": [
    {
      "apiVersion": "2019-04-01",
      "type": "Microsoft.Storage/storageAccounts",
      "name": "[concat('storage', uniqueString(resourceGroup().id))]",
      "location": "[parameters('location')]",
      "tags": {
        "Dept": "Finance",
        "Environment": "Production"
      },
      "sku": {
        "name": "Standard_LRS"
      },
      "kind": "Storage",
      "properties": {}
    }
  ]
}

To set a tag to a datetime value, use the utcNow function.


Apply an object to the tag element
You can define an object parameter that stores several tags, and apply that object to the tag element. Each property
in the object becomes a separate tag for the resource. The following example has a parameter named tagValues
that is applied to the tag element.

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]"
    },
    "tagValues": {
      "type": "object",
      "defaultValue": {
        "Dept": "Finance",
        "Environment": "Production"
      }
    }
  },
  "resources": [
    {
      "apiVersion": "2019-04-01",
      "type": "Microsoft.Storage/storageAccounts",
      "name": "[concat('storage', uniqueString(resourceGroup().id))]",
      "location": "[parameters('location')]",
      "tags": "[parameters('tagValues')]",
      "sku": {
        "name": "Standard_LRS"
      },
      "kind": "Storage",
      "properties": {}
    }
  ]
}

Apply a JSON string to the tag name


To store many values in a single tag, apply a JSON string that represents the values. The entire JSON string is
stored as one tag that can't exceed 256 characters. The following example has a single tag named CostCenter that
contains several values from a JSON string:

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]"
    }
  },
  "resources": [
    {
      "apiVersion": "2019-04-01",
      "type": "Microsoft.Storage/storageAccounts",
      "name": "[concat('storage', uniqueString(resourceGroup().id))]",
      "location": "[parameters('location')]",
      "tags": {
        "CostCenter": "{\"Dept\":\"Finance\",\"Environment\":\"Production\"}"
      },
      "sku": {
        "name": "Standard_LRS"
      },
      "kind": "Storage",
      "properties": {}
    }
  ]
}
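
The limits listed under Limitations and the JSON-string technique above can be checked before a deployment is submitted. The following Python script is an added example, not part of the original article: it validates a tag set against the limits this article states and folds selected tags into one JSON-string tag, refusing to do so when the string would exceed 256 characters. The function names and the allow_spaces switch (for services that don't allow spaces, per the note under Limitations) are assumptions of this example.

```python
import json

FORBIDDEN = set("<>%&\\?/")   # characters tag names can't contain
MAX_TAGS = 50                 # tag name/value pairs per resource or resource group
MAX_NAME = 512                # tag name length
MAX_NAME_STORAGE = 128        # tag name length for storage accounts
MAX_VALUE = 256               # tag value length
STORAGE_TYPE = "Microsoft.Storage/storageAccounts"


def tag_problems(tags, resource_type=None, allow_spaces=True):
    """Return a list of human-readable violations of the limits in this article."""
    problems = []
    is_storage = (resource_type or "").lower() == STORAGE_TYPE.lower()
    name_limit = MAX_NAME_STORAGE if is_storage else MAX_NAME
    if len(tags) > MAX_TAGS:
        problems.append("%d tags exceed the maximum of %d" % (len(tags), MAX_TAGS))
    for name, value in tags.items():
        value = str(value)
        bad = sorted(set(name) & FORBIDDEN)
        if bad:
            problems.append("tag name %r contains %s" % (name, " ".join(bad)))
        if len(name) > name_limit:
            problems.append("tag name %r is longer than %d" % (name[:20], name_limit))
        if len(value) > MAX_VALUE:
            problems.append("value of %r is longer than %d" % (name[:20], MAX_VALUE))
        if not allow_spaces and (" " in name or " " in value):
            problems.append("tag %r contains a space" % name[:20])
    return problems


def pack_tags(tags, packed_name, keep=()):
    """Fold every tag not named in keep into one JSON-string tag called packed_name."""
    if packed_name in keep:
        raise ValueError("packed tag name collides with a kept tag")
    kept = {k: v for k, v in tags.items() if k in keep}
    rest = {k: v for k, v in tags.items() if k not in keep}
    if rest:
        blob = json.dumps(rest, separators=(",", ":"), sort_keys=True)
        if len(blob) > MAX_VALUE:
            raise ValueError("JSON string is %d characters; the limit is %d"
                             % (len(blob), MAX_VALUE))
        kept[packed_name] = blob
    return kept


if __name__ == "__main__":
    sample = {"Dept": "Finance", "Environment": "Production"}  # values from this article
    print(tag_problems(sample, STORAGE_TYPE))
    print(pack_tags(sample, "CostCenter"))
```
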
Apply tags from resource group
To apply tags from a resource group to a resource, use the resourceGroup function. When getting the tag value,
use the tags.[tag-name] syntax instead of the tags.tag-name syntax, because some characters aren't parsed
correctly in the dot notation.

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]"
    }
  },
  "resources": [
    {
      "apiVersion": "2019-04-01",
      "type": "Microsoft.Storage/storageAccounts",
      "name": "[concat('storage', uniqueString(resourceGroup().id))]",
      "location": "[parameters('location')]",
      "tags": {
        "Dept": "[resourceGroup().tags['Dept']]",
        "Environment": "[resourceGroup().tags['Environment']]"
      },
      "sku": {
        "name": "Standard_LRS"
      },
      "kind": "Storage",
      "properties": {}
    }
  ]
}

Portal
1. To view the tags for a resource or a resource group, look for existing tags in the overview. If you have not
previously applied tags, the list is empty.

2. To add a tag, select Click here to add tags.


3. Provide a name and value. Select + to add the tag.

4. Continue adding tags as needed. When done, select Save.


5. The tags are now displayed in the overview.

6. To add or delete a tag, select change.


7. To delete a tag, select the trash icon. Then, select Save.

To bulk assign tags to multiple resources:


1. From any list of resources, select the checkbox for the resources you want to assign the tag.
2. Select Assign tags

3. After each name and value, select +. When done, select Assign.
To view all resources with a tag:
1. On the Azure portal menu, select All services. Select General, then Tags.

2. Select the tag for viewing resources.


3. All resources with that tag are displayed.

REST API
The Azure portal and PowerShell both use the Resource Manager REST API behind the scenes. If you need to
integrate tagging into another environment, you can get tags by using GET on the resource ID and update the set
of tags by using a PATCH call.

Tags and billing


You can use tags to group your billing data. For example, if you're running multiple VMs for different
organizations, use the tags to group usage by cost center. You can also use tags to categorize costs by runtime
environment, such as the billing usage for VMs running in the production environment.
You can retrieve information about tags through the Azure Resource Usage and RateCard APIs or the usage
comma-separated values (CSV) file. You download the usage file from the Azure Account Center or Azure portal.
For more information, see Download or view your Azure billing invoice and daily usage data. When downloading
the usage file from the Azure Account Center, select Version 2. For services that support tags with billing, the tags
appear in the Tags column.
For REST API operations, see Azure Billing REST API Reference.
Next steps
Not all resource types support tags. To determine if you can apply a tag to a resource type, see Tag support for
Azure resources.
For an introduction to using the portal, see Using the Azure portal to manage your Azure resources.
Tag support for Azure resources
1/14/2020 • 28 minutes to read

This article describes whether a resource type supports tags. The column labeled Supports tags indicates whether
the resource type has a property for the tag. The column labeled Tag in cost report indicates whether that
resource type passes the tag to the cost report. You can view costs by tags in the Cost Management cost analysis
and the Azure billing invoice and daily usage data.
To get the same data as a file of comma-separated values, download tag-support.csv.

Microsoft.AAD
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

DomainServices Yes Yes

DomainServices / oucontainer No No

Microsoft.Addons
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

supportProviders No No

Microsoft.ADHybridHealthService
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

aadsupportcases No No

addsservices No No

agents No No

anonymousapiusers No No

configuration No No

logs No No

reports No No

servicehealthmetrics No No

services No No
Microsoft.Advisor
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

configurations No No

generateRecommendations No No

metadata No No

recommendations No No

suppressions No No

Microsoft.AlertsManagement
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

actionRules Yes Yes

alerts No No

alertsList No No

alertsMetaData No No

alertsSummary No No

alertsSummaryList No No

feedback No No

smartDetectorAlertRules Yes Yes

smartDetectorRuntimeEnvironments No No

smartGroups No No

Microsoft.AnalysisServices
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

servers Yes Yes

Microsoft.ApiManagement
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

reportFeedback No No

service Yes Yes

validateServiceName No No

Microsoft.AppConfiguration
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

configurationStores Yes Yes

configurationStores / eventGridFilters No No

Microsoft.AppPlatform
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

Spring Yes Yes

Microsoft.Attestation
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

attestationProviders No No

Microsoft.Authorization
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

classicAdministrators No No

dataAliases No No

denyAssignments No No

elevateAccess No No

findOrphanRoleAssignments No No

locks No No

permissions No No

policyAssignments No No

policyDefinitions No No

policySetDefinitions No No

providerOperations No No

roleAssignments No No

roleDefinitions No No

Microsoft.Automation
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

automationAccounts Yes Yes

automationAccounts / configurations Yes Yes

automationAccounts / jobs No No

automationAccounts / runbooks Yes Yes

automationAccounts / softwareUpdateConfigurations No No

automationAccounts / webhooks No No

Microsoft.Azconfig
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

configurationStores Yes Yes

configurationStores / eventGridFilters No No

Microsoft.Azure.Geneva
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

environments No No

environments / accounts No No

environments / accounts / namespaces No No

environments / accounts / namespaces / configurations No No

Microsoft.AzureActiveDirectory
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

b2cDirectories Yes No

b2ctenants No No

Microsoft.AzureData
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

hybridDataManagers Yes Yes

postgresInstances Yes Yes

sqlBigDataClusters Yes Yes

sqlInstances Yes Yes

sqlServerRegistrations Yes Yes

sqlServerRegistrations / sqlServers No No

Microsoft.AzureStack
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

registrations Yes Yes

registrations / customerSubscriptions No No

registrations / products No No

verificationKeys No No

Microsoft.Batch
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

batchAccounts Yes Yes

Microsoft.Billing
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

billingAccounts No No

billingAccounts / agreements No No

billingAccounts / billingPermissions No No

billingAccounts / billingProfiles No No

billingAccounts / billingProfiles / billingPermissions No No

billingAccounts / billingProfiles / billingRoleAssignments No No

billingAccounts / billingProfiles / billingRoleDefinitions No No

billingAccounts / billingProfiles / billingSubscriptions No No

billingAccounts / billingProfiles / createBillingRoleAssignment No No

billingAccounts / billingProfiles / customers No No

billingAccounts / billingProfiles / invoices No No

billingAccounts / billingProfiles / invoices / pricesheet No No

billingAccounts / billingProfiles / invoiceSections No No

billingAccounts / billingProfiles / invoiceSections / billingPermissions No No

billingAccounts / billingProfiles / invoiceSections / billingRoleAssignments No No

billingAccounts / billingProfiles / invoiceSections / billingRoleDefinitions No No

billingAccounts / billingProfiles / invoiceSections / billingSubscriptions No No

billingAccounts / billingProfiles / invoiceSections / createBillingRoleAssignment No No

billingAccounts / billingProfiles / invoiceSections / initiateTransfer No No

billingAccounts / billingProfiles / invoiceSections / products No No

billingAccounts / billingProfiles / invoiceSections / products / transfer No No

billingAccounts / billingProfiles / invoiceSections / products / updateAutoRenew No No

billingAccounts / billingProfiles / invoiceSections / transactions No No

billingAccounts / billingProfiles / invoiceSections / transfers No No

billingAccounts / BillingProfiles / patchOperations No No

billingAccounts / billingProfiles / paymentMethods No No

billingAccounts / billingProfiles / policies No No

billingAccounts / billingProfiles / pricesheet No No

billingAccounts / billingProfiles / pricesheetDownloadOperations No No

billingAccounts / billingProfiles / products No No

billingAccounts / billingProfiles / transactions No No

billingAccounts / billingRoleAssignments No No

billingAccounts / billingRoleDefinitions No No

billingAccounts / billingSubscriptions No No

billingAccounts / billingSubscriptions / invoices No No

billingAccounts / createBillingRoleAssignment No No

billingAccounts / createInvoiceSectionOperations No No

billingAccounts / customers No No

billingAccounts / customers / billingPermissions No No

billingAccounts / customers / billingSubscriptions No No

billingAccounts / customers / initiateTransfer No No

billingAccounts / customers / policies No No

billingAccounts / customers / products No No

billingAccounts / customers / transactions No No

billingAccounts / customers / transfers No No

billingAccounts / departments No No

billingAccounts / enrollmentAccounts No No

billingAccounts / invoices No No

billingAccounts / invoiceSections No No

billingAccounts / invoiceSections / billingSubscriptionMoveOperations No No

billingAccounts / invoiceSections / billingSubscriptions No No

billingAccounts / invoiceSections / billingSubscriptions / transfer No No

billingAccounts / invoiceSections / elevate No No

billingAccounts / invoiceSections / initiateTransfer No No

billingAccounts / invoiceSections / patchOperations No No

billingAccounts / invoiceSections / productMoveOperations No No

billingAccounts / invoiceSections / products No No

billingAccounts / invoiceSections / products / transfer No No

billingAccounts / invoiceSections / products / updateAutoRenew No No

billingAccounts / invoiceSections / transactions No No

billingAccounts / invoiceSections / transfers No No

billingAccounts / lineOfCredit No No

billingAccounts / patchOperations No No

billingAccounts / paymentMethods No No

billingAccounts / products No No

billingAccounts / transactions No No

billingPeriods No No

billingPermissions No No

billingProperty No No

billingRoleAssignments No No

billingRoleDefinitions No No

createBillingRoleAssignment No No

departments No No

enrollmentAccounts No No

invoices No No

transfers No No

transfers / acceptTransfer No No

transfers / declineTransfer No No

transfers / operationStatus No No

transfers / validateTransfer No No

validateAddress No No

Microsoft.BingMaps
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

mapApis Yes Yes

updateCommunicationPreference No No
Microsoft.Blockchain
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

blockchainMembers Yes Yes

cordaMembers Yes Yes

watchers Yes Yes

Microsoft.Blueprint
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

blueprintAssignments No No

blueprintAssignments / assignmentOperations No No

blueprintAssignments / operations No No

blueprints No No

blueprints / artifacts No No

blueprints / versions No No

blueprints / versions / artifacts No No

Microsoft.BotService
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

botServices Yes Yes

botServices / channels No No

botServices / connections No No

languages No No

templates No No

Microsoft.Cache
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

Redis Yes Yes

RedisConfigDefinition No No
Microsoft.Capacity
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

appliedReservations No No

calculateExchange No No

calculatePrice No No

calculatePurchasePrice No No

catalogs No No

commercialReservationOrders No No

exchange No No

placePurchaseOrder No No

reservationOrders No No

reservationOrders / calculateRefund No No

reservationOrders / merge No No

reservationOrders / reservations No No

reservationOrders / reservations / revisions No No

reservationOrders / return No No

reservationOrders / split No No

reservationOrders / swap No No

reservations No No

resources No No

validateReservationOrder No No

Microsoft.Cdn
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

CdnWebApplicationFirewallManagedRuleSets No No

CdnWebApplicationFirewallPolicies Yes Yes



edgenodes No No

profiles Yes Yes

profiles / endpoints Yes Yes

profiles / endpoints / customdomains No No

profiles / endpoints / origins No No

validateProbe No No

Microsoft.CertificateRegistration
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

certificateOrders Yes Yes

certificateOrders / certificates No No

validateCertificateRegistrationInformation No No

Microsoft.ClassicCompute
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

capabilities No No

domainNames No No

domainNames / capabilities No No

domainNames / internalLoadBalancers No No

domainNames / serviceCertificates No No

domainNames / slots No No

domainNames / slots / roles No No

domainNames / slots / roles / metricDefinitions No No

domainNames / slots / roles / metrics No No

moveSubscriptionResources No No

operatingSystemFamilies No No

operatingSystems No No

quotas No No

resourceTypes No No

validateSubscriptionMoveAvailability No No

virtualMachines No No

virtualMachines / diagnosticSettings No No

virtualMachines / metricDefinitions No No

virtualMachines / metrics No No

Microsoft.ClassicInfrastructureMigrate
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

classicInfrastructureResources No No

Microsoft.ClassicNetwork
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

capabilities No No

expressRouteCrossConnections No No

expressRouteCrossConnections / peerings No No

gatewaySupportedDevices No No

networkSecurityGroups No No

quotas No No

reservedIps No No

virtualNetworks No No

virtualNetworks / remoteVirtualNetworkPeeringProxies No No

virtualNetworks / virtualNetworkPeerings No No
Microsoft.ClassicStorage
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

capabilities No No

disks No No

images No No

osImages No No

osPlatformImages No No

publicImages No No

quotas No No

storageAccounts No No

storageAccounts / blobServices No No

storageAccounts / fileServices No No

storageAccounts / metricDefinitions No No

storageAccounts / metrics No No

storageAccounts / queueServices No No

storageAccounts / services No No

storageAccounts / services / diagnosticSettings No No

storageAccounts / services / metricDefinitions No No

storageAccounts / services / metrics No No

storageAccounts / tableServices No No

storageAccounts / vmImages No No

vmImages No No

Microsoft.CognitiveServices
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

accounts Yes Yes


Microsoft.Commerce
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

RateCard No No

UsageAggregates No No

Microsoft.Compute
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

availabilitySets Yes Yes

diskEncryptionSets Yes Yes

disks Yes Yes

galleries Yes Yes

galleries / applications No No

galleries / applications / versions No No

galleries / images No No

galleries / images / versions No No

hostGroups Yes Yes

hostGroups / hosts Yes Yes

images Yes Yes

proximityPlacementGroups Yes Yes

restorePointCollections Yes Yes

restorePointCollections / restorePoints No No

sharedVMImages Yes Yes

sharedVMImages / versions No No

snapshots Yes Yes

virtualMachines Yes Yes

virtualMachines / extensions Yes Yes

virtualMachines / metricDefinitions No No

virtualMachineScaleSets Yes Yes

virtualMachineScaleSets / extensions No No

virtualMachineScaleSets / networkInterfaces No No

virtualMachineScaleSets / publicIPAddresses No No

virtualMachineScaleSets / virtualMachines No No

virtualMachineScaleSets / virtualMachines / networkInterfaces No No

Microsoft.Consumption
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

AggregatedCost No No

Balances No No

Budgets No No

Charges No No

CostTags No No

credits No No

events No No

Forecasts No No

lots No No

Marketplaces No No

Pricesheets No No

products No No

ReservationDetails No No

ReservationRecommendations No No

ReservationSummaries No No

ReservationTransactions No No

Tags No No

tenants No No

Terms No No

UsageDetails No No

Microsoft.ContainerInstance
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

containerGroups Yes Yes

serviceAssociationLinks No No

Microsoft.ContainerRegistry
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

registries Yes Yes

registries / builds No No

registries / builds / cancel No No

registries / builds / getLogLink No No

registries / buildTasks Yes Yes

registries / buildTasks / steps No No

registries / eventGridFilters No No

registries / generateCredentials No No

registries / getBuildSourceUploadUrl No No

registries / GetCredentials No No

registries / importImage No No

registries / queueBuild No No

registries / regenerateCredential No No

registries / regenerateCredentials No No

registries / replications Yes Yes

registries / runs No No

registries / runs / cancel No No

registries / scheduleRun No No

registries / scopeMaps No No

registries / taskRuns Yes Yes

registries / tasks Yes Yes

registries / tokens No No

registries / updatePolicies No No

registries / webhooks Yes Yes

registries / webhooks / getCallbackConfig No No

registries / webhooks / ping No No

Microsoft.ContainerService
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

containerServices Yes Yes

managedClusters Yes Yes

openShiftManagedClusters Yes Yes

Microsoft.CortanaAnalytics
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

accounts Yes Yes

Microsoft.CostManagement
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

Alerts No No

BillingAccounts No No

Budgets No No

CloudConnectors No No

Connectors Yes Yes

Departments No No

Dimensions No No

EnrollmentAccounts No No

Exports No No

ExternalBillingAccounts No No

ExternalBillingAccounts / Alerts No No

ExternalBillingAccounts / Dimensions No No

ExternalBillingAccounts / Forecast No No

ExternalBillingAccounts / Query No No

ExternalSubscriptions No No

ExternalSubscriptions / Alerts No No

ExternalSubscriptions / Dimensions No No

ExternalSubscriptions / Forecast No No

ExternalSubscriptions / Query No No

Forecast No No

Query No No

register No No

Reportconfigs No No

Reports No No

Settings No No

showbackRules No No

Views No No
Microsoft.CustomerLockbox
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

requests No No

Microsoft.CustomProviders
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

associations No No

resourceProviders Yes Yes

Microsoft.DataBox
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

jobs Yes Yes

Microsoft.DataBoxEdge
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

DataBoxEdgeDevices Yes Yes

Microsoft.Databricks
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

workspaces Yes No

workspaces / virtualNetworkPeerings No No

Microsoft.DataCatalog
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

catalogs Yes Yes

datacatalogs Yes Yes

datacatalogs / datasources No No

datacatalogs / datasources / scans No No

datacatalogs / datasources / scans / datasets No No

datacatalogs / datasources / scans / triggers No No

Microsoft.DataFactory
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

dataFactories Yes No

dataFactories / diagnosticSettings No No

dataFactories / metricDefinitions No No

dataFactorySchema No No

factories Yes No

factories / integrationRuntimes No No

Microsoft.DataLakeAnalytics
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

accounts Yes Yes

accounts / dataLakeStoreAccounts No No

accounts / storageAccounts No No

accounts / storageAccounts / containers No No

accounts / transferAnalyticsUnits No No

Microsoft.DataLakeStore
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

accounts Yes Yes

accounts / eventGridFilters No No

accounts / firewallRules No No

Microsoft.DataMigration
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

services No No

services / projects No No

Microsoft.DataShare
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

accounts Yes Yes

accounts / shares No No

accounts / shares / datasets No No

accounts / shares / invitations No No

accounts / shares / providersharesubscriptions No No

accounts / shares / synchronizationSettings No No

accounts / sharesubscriptions No No

accounts / sharesubscriptions / consumerSourceDataSets No No

accounts / sharesubscriptions / datasetmappings No No

accounts / sharesubscriptions / triggers No No

Microsoft.DBforMariaDB
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

servers Yes Yes

servers / advisors No No

servers / privateEndpointConnectionProxies No No

servers / privateEndpointConnections No No

servers / privateLinkResources No No

servers / queryTexts No No

servers / recoverableServers No No

servers / topQueryStatistics No No

servers / virtualNetworkRules No No

servers / waitStatistics No No

Microsoft.DBforMySQL
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

servers Yes Yes

servers / advisors No No

servers / privateEndpointConnectionProxies No No

servers / privateEndpointConnections No No

servers / privateLinkResources No No

servers / queryTexts No No

servers / recoverableServers No No

servers / topQueryStatistics No No

servers / virtualNetworkRules No No

servers / waitStatistics No No

Microsoft.DBforPostgreSQL
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

serverGroups Yes Yes

servers Yes Yes

servers / advisors No No

servers / keys No No

servers / privateEndpointConnectionProxies No No

servers / privateEndpointConnections No No

servers / privateLinkResources No No

servers / queryTexts No No

servers / recoverableServers No No

servers / topQueryStatistics No No

servers / virtualNetworkRules No No

servers / waitStatistics No No

serversv2 Yes Yes

Microsoft.DeploymentManager
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

artifactSources Yes Yes

rollouts Yes Yes

serviceTopologies Yes Yes

serviceTopologies / services Yes Yes

serviceTopologies / services / serviceUnits Yes Yes

steps Yes Yes

Microsoft.DesktopVirtualization
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

applicationgroups Yes Yes

applicationgroups / applications No No

applicationgroups / desktops No No

applicationgroups / startmenuitems No No

hostpools Yes Yes

hostpools / sessionhosts No No

hostpools / sessionhosts / usersessions No No

hostpools / usersessions No No

workspaces Yes Yes

Microsoft.Devices
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

ElasticPools Yes Yes

ElasticPools / IotHubTenants Yes Yes

IotHubs Yes Yes

IotHubs / eventGridFilters No No

ProvisioningServices Yes Yes

usages No No

Microsoft.DevOps
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

pipelines Yes Yes

Microsoft.DevSpaces
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

controllers Yes Yes

Microsoft.DevTestLab
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

labcenters Yes Yes

labs Yes Yes

labs / environments Yes Yes

labs / serviceRunners Yes Yes

labs / virtualMachines Yes Yes

schedules Yes Yes

Microsoft.DocumentDB
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

databaseAccountNames No No

databaseAccounts Yes Yes

Microsoft.DomainRegistration
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

domains Yes Yes

domains / domainOwnershipIdentifiers No No

generateSsoRequest No No

topLevelDomains No No

validateDomainRegistrationInformation No No

Microsoft.DynamicsLcs
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

lcsprojects No No

lcsprojects / clouddeployments No No

lcsprojects / connectors No No

Microsoft.EnterpriseKnowledgeGraph
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

services Yes Yes

Microsoft.EventGrid
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

domains Yes Yes

domains / topics No No

eventSubscriptions No No

extensionTopics No No

topics Yes Yes



topicTypes No No

Microsoft.EventHub
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

clusters Yes Yes

namespaces Yes Yes

namespaces / authorizationrules No No

namespaces / disasterrecoveryconfigs No No

namespaces / eventhubs No No

namespaces / eventhubs / authorizationrules No No

namespaces / eventhubs / consumergroups No No

namespaces / networkrulesets No No

Microsoft.Features
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

features No No

providers No No

Microsoft.Gallery
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

enroll No No

galleryitems No No

generateartifactaccessuri No No

myareas No No

myareas / areas No No

myareas / areas / areas No No

myareas / areas / areas / galleryitems No No



myareas / areas / galleryitems No No

myareas / galleryitems No No

register No No

resources No No

retrieveresourcesbyid No No

Microsoft.Genomics
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

accounts Yes Yes

Microsoft.GuestConfiguration
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

configurationProfileAssignments No No

guestConfigurationAssignments No No

software No No

softwareUpdateProfile No No

softwareUpdates No No

Microsoft.HanaOnAzure
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

hanaInstances Yes Yes

sapMonitors Yes Yes

Microsoft.HardwareSecurityModules
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

dedicatedHSMs Yes Yes

Microsoft.HDInsight
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

clusters Yes Yes

clusters / applications No No

Microsoft.HealthcareApis
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

services Yes Yes

Microsoft.HybridCompute
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

machines Yes Yes

machines / extensions Yes Yes

Microsoft.HybridData
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

dataManagers Yes Yes

Microsoft.Hydra
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

components Yes Yes

networkScopes Yes Yes

Microsoft.ImportExport
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

jobs Yes Yes

Microsoft.Intune
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

diagnosticSettings No No

diagnosticSettingsCategories No No

Microsoft.IoTCentral
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

appTemplates No No

IoTApps Yes Yes

Microsoft.IoTSpaces
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

Graph Yes Yes

Microsoft.KeyVault
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

deletedVaults No No

hsmPools Yes Yes

vaults Yes Yes

vaults / accessPolicies No No

vaults / eventGridFilters No No

vaults / secrets No No

Microsoft.Kusto
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

clusters Yes Yes

clusters / attacheddatabaseconfigurations No No

clusters / databases No No

clusters / databases / dataconnections No No

clusters / databases / eventhubconnections No No

clusters / sharedidentities No No

Microsoft.LabServices
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

labaccounts Yes Yes

users No No

Microsoft.Logic
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

hostingEnvironments Yes Yes

integrationAccounts Yes Yes

integrationServiceEnvironments Yes Yes

integrationServiceEnvironments / managedApis Yes Yes

isolatedEnvironments Yes Yes

workflows Yes Yes

Microsoft.MachineLearning
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

commitmentPlans Yes Yes

webServices Yes Yes

Workspaces Yes Yes

Microsoft.MachineLearningServices
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

workspaces Yes Yes

workspaces / computes No No

workspaces / eventGridFilters No No

Microsoft.ManagedIdentity
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

Identities No No

userAssignedIdentities Yes Yes


Microsoft.ManagedServices
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

marketplaceRegistrationDefinitions No No

registrationAssignments No No

registrationDefinitions No No

Microsoft.Management
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

getEntities No No

managementGroups No No

resources No No

startTenantBackfill No No

tenantBackfillStatus No No

Microsoft.Maps
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

accounts Yes Yes

accounts / eventGridFilters No No

Microsoft.Marketplace
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

offers No No

offerTypes No No

offerTypes / publishers No No

offerTypes / publishers / offers No No

offerTypes / publishers / offers / plans No No

offerTypes / publishers / offers / plans / agreements No No

offerTypes / publishers / offers / plans / configs No No

offerTypes / publishers / offers / plans / configs / importImage No No

privategalleryitems No No

products No No

publishers No No

publishers / offers No No

publishers / offers / amendments No No

Microsoft.MarketplaceApps
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

classicDevServices Yes Yes

updateCommunicationPreference No No

Microsoft.MarketplaceOrdering
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

agreements No No

offertypes No No

Microsoft.Media
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

mediaservices Yes Yes

mediaservices / accountFilters No No

mediaservices / assets No No

mediaservices / assets / assetFilters No No

mediaservices / contentKeyPolicies No No

mediaservices / eventGridFilters No No

mediaservices / liveEventOperations No No

mediaservices / liveEvents Yes Yes



mediaservices / liveEvents / liveOutputs No No

mediaservices / liveOutputOperations No No

mediaservices / mediaGraphs No No

mediaservices / streamingEndpointOperations No No

mediaservices / streamingEndpoints Yes Yes

mediaservices / streamingLocators No No

mediaservices / streamingPolicies No No

mediaservices / transforms No No

mediaservices / transforms / jobs No No

Microsoft.Microservices4Spring
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

appClusters Yes Yes

Microsoft.Migrate
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

assessmentProjects Yes Yes

migrateprojects Yes Yes

projects Yes Yes

Microsoft.MixedReality
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

holographicsBroadcastAccounts Yes Yes

objectUnderstandingAccounts Yes Yes

remoteRenderingAccounts Yes Yes

spatialAnchorsAccounts Yes Yes

surfaceReconstructionAccounts Yes Yes


Microsoft.NetApp
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

netAppAccounts Yes No

netAppAccounts / capacityPools Yes No

netAppAccounts / capacityPools / volumes Yes No

netAppAccounts / capacityPools / volumes / mountTargets Yes No

netAppAccounts / capacityPools / volumes / snapshots Yes No

Microsoft.Network
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

applicationGateways Yes Yes

applicationGatewayWebApplicationFirewallPolicies Yes Yes

applicationSecurityGroups Yes Yes

azureFirewallFqdnTags No No

azureFirewalls Yes No

bastionHosts Yes Yes

bgpServiceCommunities No No

connections Yes Yes

ddosCustomPolicies Yes Yes

ddosProtectionPlans Yes Yes

dnsOperationStatuses No No

dnszones Yes Yes

dnszones / A No No

dnszones / AAAA No No

dnszones / all No No

dnszones / CAA No No

dnszones / CNAME No No

dnszones / MX No No

dnszones / NS No No

dnszones / PTR No No

dnszones / recordsets No No

dnszones / SOA No No

dnszones / SRV No No

dnszones / TXT No No

expressRouteCircuits Yes Yes

expressRouteCrossConnections Yes Yes

expressRouteGateways Yes Yes

expressRoutePorts Yes Yes

expressRouteServiceProviders No No

firewallPolicies Yes Yes

frontdoors Yes, but limited (see note below) Yes

frontdoorWebApplicationFirewallManagedRuleSets Yes, but limited (see note below) No

frontdoorWebApplicationFirewallPolicies Yes, but limited (see note below) Yes

getDnsResourceReference No No

internalNotify No No

loadBalancers Yes No

localNetworkGateways Yes Yes

natGateways Yes Yes

networkIntentPolicies Yes Yes

networkInterfaces Yes Yes



networkProfiles Yes Yes

networkSecurityGroups Yes Yes

networkWatchers Yes No

networkWatchers / connectionMonitors Yes No

networkWatchers / lenses Yes No

networkWatchers / pingMeshes Yes No

p2sVpnGateways Yes Yes

privateDnsOperationStatuses No No

privateDnsZones Yes Yes

privateDnsZones / A No No

privateDnsZones / AAAA No No

privateDnsZones / all No No

privateDnsZones / CNAME No No

privateDnsZones / MX No No

privateDnsZones / PTR No No

privateDnsZones / SOA No No

privateDnsZones / SRV No No

privateDnsZones / TXT No No

privateDnsZones / virtualNetworkLinks Yes Yes

privateEndpoints Yes Yes

privateLinkServices Yes Yes

publicIPAddresses Yes Yes

publicIPPrefixes Yes Yes

routeFilters Yes Yes

routeTables Yes Yes



serviceEndpointPolicies Yes Yes

trafficManagerGeographicHierarchies No No

trafficmanagerprofiles Yes Yes

trafficmanagerprofiles/heatMaps No No

trafficManagerUserMetricsKeys No No

virtualHubs Yes Yes

virtualNetworkGateways Yes Yes

virtualNetworks Yes Yes

virtualNetworkTaps Yes Yes

virtualWans Yes Yes

vpnGateways Yes No

vpnSites Yes Yes

webApplicationFirewallPolicies Yes Yes

NOTE
For Azure Front Door Service, you can apply tags when creating the resource, but updating or adding tags is not currently
supported.

Microsoft.NotificationHubs
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

namespaces Yes No

namespaces / notificationHubs Yes No

Microsoft.ObjectStore
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

osNamespaces Yes Yes

Microsoft.OffAzure
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

HyperVSites Yes Yes

ImportSites Yes Yes

ServerSites Yes Yes

VMwareSites Yes Yes

Microsoft.OperationalInsights
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

clusters Yes Yes

devices No No

linkTargets No No

storageInsightConfigs No No

workspaces Yes Yes

workspaces / dataSources No No

workspaces / linkedServices No No

workspaces / query No No

Microsoft.OperationsManagement
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

managementassociations No No

managementconfigurations Yes Yes

solutions Yes Yes

views Yes Yes

Microsoft.Peering
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

legacyPeerings No No

peerAsns No No

peerings Yes Yes

peeringServiceProviders No No

peeringServices Yes Yes

Microsoft.PolicyInsights
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

policyEvents No No

policyMetadata No No

policyStates No No

policyTrackedResources No No

remediations No No

Microsoft.Portal
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

consoles No No

dashboards Yes Yes

userSettings No No

Microsoft.PowerBI
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

workspaceCollections Yes Yes

Microsoft.PowerBIDedicated
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

capacities Yes Yes

Microsoft.RecoveryServices
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

backupProtectedItems No No

vaults Yes Yes

Microsoft.Relay
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

namespaces Yes Yes

namespaces / authorizationrules No No

namespaces / hybridconnections No No

namespaces / hybridconnections / authorizationrules No No

namespaces / wcfrelays No No

namespaces / wcfrelays / authorizationrules No No

Microsoft.RemoteApp
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

accounts No No

collections Yes Yes

collections / applications No No

collections / securityprincipals No No

templateImages No No

Microsoft.ResourceGraph
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

queries Yes Yes

resourceChangeDetails No No

resourceChanges No No

resources No No

resourcesHistory No No

subscriptionsStatus No No

Microsoft.ResourceHealth
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

availabilityStatuses No No

childAvailabilityStatuses No No

childResources No No

events No No

impactedResources No No

metadata No No

notifications No No

Microsoft.Resources
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

deployments Yes No

deployments / operations No No

deploymentScripts Yes Yes

deploymentScripts / logs No No

links No No

notifyResourceJobs No No

providers No No

resourceGroups Yes No

subscriptions No No

tenants No No

Microsoft.SaaS
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

applications Yes Yes

saasresources No No

Microsoft.Scheduler
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

jobcollections Yes Yes

Microsoft.Search
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

resourceHealthMetadata No No

searchServices Yes Yes

Microsoft.Security
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

adaptiveNetworkHardenings No No

advancedThreatProtectionSettings No No

alerts No No

allowedConnections No No

applicationWhitelistings No No

assessmentMetadata No No

assessments No No

autoDismissAlertsRules No No

automations Yes Yes

AutoProvisioningSettings No No

Compliances No No

dataCollectionAgents No No

deviceSecurityGroups No No

discoveredSecuritySolutions No No

externalSecuritySolutions No No

InformationProtectionPolicies No No

iotSecuritySolutions Yes Yes

iotSecuritySolutions / analyticsModels No No

iotSecuritySolutions / analyticsModels / aggregatedAlerts No No

iotSecuritySolutions / analyticsModels / aggregatedRecommendations No No

jitNetworkAccessPolicies No No

networkData No No

policies No No

pricings No No

regulatoryComplianceStandards No No

regulatoryComplianceStandards / regulatoryComplianceControls No No

regulatoryComplianceStandards / regulatoryComplianceControls / regulatoryComplianceAssessments No No

securityContacts No No

securitySolutions No No

securitySolutionsReferenceData No No

securityStatuses No No

securityStatusesSummaries No No

serverVulnerabilityAssessments No No

settings No No

subAssessments No No

tasks No No

topologies No No

workspaceSettings No No

Microsoft.SecurityGraph
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

diagnosticSettings No No

diagnosticSettingsCategories No No

Microsoft.SecurityInsights
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

aggregations No No

alertRules No No

alertRuleTemplates No No

bookmarks No No

cases No No

dataConnectors No No

entities No No

entityQueries No No

officeConsents No No

settings No No

Microsoft.ServiceBus
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

namespaces Yes No

namespaces / authorizationrules No No

namespaces / disasterrecoveryconfigs No No

namespaces / eventgridfilters No No

namespaces / networkrulesets No No

namespaces / queues No No

namespaces / queues / authorizationrules No No

namespaces / topics No No

namespaces / topics / authorizationrules No No

namespaces / topics / subscriptions No No

namespaces / topics / subscriptions / rules No No

premiumMessagingRegions No No

Microsoft.ServiceFabric
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

applications Yes Yes

clusters Yes Yes

clusters / applications No No

containerGroups Yes Yes

containerGroupSets Yes Yes

edgeclusters Yes Yes

edgeclusters / applications No No

networks Yes Yes

secretstores Yes Yes

secretstores / certificates No No

secretstores / secrets No No

volumes Yes Yes

Microsoft.ServiceFabricMesh
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

applications Yes Yes

containerGroups Yes Yes

gateways Yes Yes

networks Yes Yes

secrets Yes Yes

volumes Yes Yes

Microsoft.Services
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

providerRegistrations No No

providerRegistrations / resourceTypeRegistrations No No

rollouts Yes Yes

Microsoft.SignalRService
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

SignalR Yes Yes

SignalR / eventGridFilters No No

Microsoft.SiteRecovery
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

SiteRecoveryVault Yes Yes

Microsoft.SoftwarePlan
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

hybridUseBenefits No No

Microsoft.Solutions
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

applicationDefinitions Yes Yes

applications Yes Yes

jitRequests Yes Yes

Microsoft.SQL
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

managedInstances Yes Yes

managedInstances / databases No No

managedInstances / databases / backupShortTermRetentionPolicies No No

managedInstances / databases / schemas / tables / columns / sensitivityLabels No No

managedInstances / databases / vulnerabilityAssessments No No

managedInstances / databases / vulnerabilityAssessments / rules / baselines No No

managedInstances / encryptionProtector No No

managedInstances / keys No No

managedInstances / restorableDroppedDatabases / backupShortTermRetentionPolicies No No

managedInstances / vulnerabilityAssessments No No

servers Yes Yes

servers / administrators No No

servers / communicationLinks No No

servers / databases Yes (see note below) Yes

servers / encryptionProtector No No

servers / firewallRules No No

servers / keys No No

servers / restorableDroppedDatabases No No

servers / serviceobjectives No No

servers / tdeCertificates No No

virtualClusters No No

NOTE
The Master database doesn't support tags, but other databases, including Azure SQL Data Warehouse databases, support
tags. Azure SQL Data Warehouse databases must be in Active (not Paused) state.

Microsoft.SqlVirtualMachine
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

SqlVirtualMachineGroups Yes Yes

SqlVirtualMachineGroups / AvailabilityGroupListeners No No

SqlVirtualMachines Yes Yes

Microsoft.Storage
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

storageAccounts Yes Yes

storageAccounts / blobServices No No

storageAccounts / fileServices No No

storageAccounts / queueServices No No

storageAccounts / services No No

storageAccounts / services / metricDefinitions No No

storageAccounts / tableServices No No

usages No No

Microsoft.StorageCache
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

caches Yes Yes

caches / storageTargets No No

usageModels No No

Microsoft.StorageReplication
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

replicationGroups No No

Microsoft.StorageSync
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

storageSyncServices Yes Yes

storageSyncServices / registeredServers No No

storageSyncServices / syncGroups No No

storageSyncServices / syncGroups / cloudEndpoints No No

storageSyncServices / syncGroups / serverEndpoints No No

storageSyncServices / workflows No No

Microsoft.StorageSyncDev
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

storageSyncServices Yes Yes

storageSyncServices / registeredServers No No

storageSyncServices / syncGroups No No

storageSyncServices / syncGroups / cloudEndpoints No No

storageSyncServices / syncGroups / serverEndpoints No No

storageSyncServices / workflows No No

Microsoft.StorageSyncInt
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

storageSyncServices Yes Yes

storageSyncServices / registeredServers No No

storageSyncServices / syncGroups No No

storageSyncServices / syncGroups / cloudEndpoints No No

storageSyncServices / syncGroups / serverEndpoints No No

storageSyncServices / workflows No No

Microsoft.StorSimple
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

managers Yes Yes

Microsoft.StreamAnalytics
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

streamingjobs Yes (see note below) Yes

NOTE
You can't add a tag when streamingjobs is running. Stop the resource to add a tag.

Microsoft.Subscription
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

cancel No No

CreateSubscription No No

enable No No

rename No No

SubscriptionDefinitions No No

SubscriptionOperations No No

Microsoft.TimeSeriesInsights
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

environments Yes No

environments / accessPolicies No No

environments / eventsources Yes No

environments / referenceDataSets Yes No

Microsoft.VMwareCloudSimple
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

dedicatedCloudNodes Yes Yes

dedicatedCloudServices Yes Yes

virtualMachines Yes Yes

Microsoft.Web
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

apiManagementAccounts No No

apiManagementAccounts / apiAcls No No

apiManagementAccounts / apis No No

apiManagementAccounts / apis / apiAcls No No

apiManagementAccounts / apis / connectionAcls No No

apiManagementAccounts / apis / connections No No

apiManagementAccounts / apis / connections / connectionAcls No No

apiManagementAccounts / apis / localizedDefinitions No No

apiManagementAccounts / connectionAcls No No

apiManagementAccounts / connections No No

billingMeters No No

certificates Yes Yes

connectionGateways Yes Yes

connections Yes Yes

customApis Yes Yes

deletedSites No No

functions No No

hostingEnvironments Yes Yes

hostingEnvironments / multiRolePools No No

hostingEnvironments / workerPools No No

publishingUsers No No

recommendations No No

resourceHealthMetadata No No

runtimes No No

serverFarms Yes Yes

serverFarms / eventGridFilters No No

sites Yes Yes

sites / config No No

sites / eventGridFilters No No

sites / hostNameBindings No No

sites / networkConfig No No

sites / premieraddons Yes Yes

sites / slots Yes Yes

sites / slots / eventGridFilters No No

sites / slots / hostNameBindings No No



sites / slots / networkConfig No No

sourceControls No No

validate No No

verifyHostingEnvironmentVnet No No

Microsoft.WindowsDefenderATP
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

diagnosticSettings No No

diagnosticSettingsCategories No No

Microsoft.WindowsIoT
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

DeviceServices Yes Yes

Microsoft.WorkloadMonitor
RESOURCE TYPE SUPPORTS TAGS TAG IN COST REPORT

components No No

componentsSummary No No

monitorInstances No No

monitorInstancesSummary No No

monitors No No

notificationSettings No No

Next steps
To learn how to apply tags to resources, see Use tags to organize your Azure resources.

Manage Azure Resource Manager resource groups by using the Azure portal
12/23/2019 • 3 minutes to read

Learn how to use the Azure portal with Azure Resource Manager to manage your Azure resource groups. For
managing Azure resources, see Manage Azure resources by using the Azure portal.
Other articles about managing resource groups:
Manage Azure resource groups by using Azure CLI
Manage Azure resource groups by using Azure PowerShell

NOTE
This article provides steps for how to delete personal data from the device or service and can be used to support your
obligations under the GDPR. If you’re looking for general info about GDPR, see the GDPR section of the Service Trust portal.

What is a resource group


A resource group is a container that holds related resources for an Azure solution. The resource group can include
all the resources for the solution, or only those resources that you want to manage as a group. You decide how you
want to allocate resources to resource groups based on what makes the most sense for your organization.
Generally, add resources that share the same lifecycle to the same resource group so you can easily deploy, update,
and delete them as a group.
The resource group stores metadata about the resources. Therefore, when you specify a location for the resource
group, you are specifying where that metadata is stored. For compliance reasons, you may need to ensure that
your data is stored in a particular region.

Create resource groups


1. Sign in to the Azure portal.
2. Select Resource groups.
3. Select Add.
4. Enter the following values:
   Subscription: Select your Azure subscription.
   Resource group: Enter a new resource group name.
   Region: Select an Azure location, such as Central US.
5. Select Review + Create.
6. Select Create. It takes a few seconds to create a resource group.
7. Select Refresh from the top menu to refresh the resource group list, and then select the newly created
   resource group to open it. Or select Notification (the bell icon) from the top, and then select Go to
   resource group to open the newly created resource group.

List resource groups
1. Sign in to the Azure portal.
2. To list the resource groups, select Resource groups.
3. To customize the information displayed for the resource groups, select Edit columns. The following
   screenshot shows the additional columns you could add to the display:

Open resource groups


1. Sign in to the Azure portal.
2. Select Resource groups.
3. Select the resource group you want to open.

Delete resource groups


1. Open the resource group you want to delete. See Open resource groups.
2. Select Delete resource group.
For more information about how Azure Resource Manager orders the deletion of resources, see Azure Resource
Manager resource group deletion.

Deploy resources to a resource group


After you have created a Resource Manager template, you can use the Azure portal to deploy your Azure
resources. For creating a template, see Quickstart: Create and deploy Azure Resource Manager templates by using
the Azure portal. For deploying a template using the portal, see Deploy resources with Resource Manager
templates and Azure portal.

Move to another resource group or subscription


You can move the resources in the group to another resource group. For more information, see Move resources to
new resource group or subscription.

Lock resource groups


Locking prevents other users in your organization from accidentally deleting or modifying critical resources, such
as an Azure subscription, resource group, or resource.
1. Open the resource group you want to lock. See Open resource groups.
2. In the left pane, select Locks.
3. To add a lock to the resource group, select Add.
4. Enter Lock name, Lock type, and Notes. The lock types include Read-only and Delete.

For more information, see Lock resources to prevent unexpected changes.

Tag resource groups


You can apply tags to resource groups and resources to logically organize your assets. For information, see Using
tags to organize your Azure resources.

Export resource groups to templates
For information about exporting templates, see Single and multi-resource export to template - Portal.

Manage access to resource groups


Role-based access control (RBAC) is the way that you manage access to resources in Azure. For more information,
see Manage access using RBAC and the Azure portal.

Next steps
To learn Azure Resource Manager, see Azure Resource Manager overview.
To learn the Resource Manager template syntax, see Understand the structure and syntax of Azure Resource
Manager templates.
To learn how to develop templates, see the step-by-step tutorials.
To view the Azure Resource Manager template schemas, see template reference.

Manage Azure Resource Manager resource groups by using Azure CLI
12/23/2019 • 4 minutes to read

Learn how to use Azure CLI with Azure Resource Manager to manage your Azure resource groups. For managing
Azure resources, see Manage Azure resources by using Azure CLI.
Other articles about managing resource groups:
Manage Azure resource groups by using the Azure portal
Manage Azure resource groups by using Azure PowerShell

What is a resource group


A resource group is a container that holds related resources for an Azure solution. The resource group can include
all the resources for the solution, or only those resources that you want to manage as a group. You decide how you
want to allocate resources to resource groups based on what makes the most sense for your organization.
Generally, add resources that share the same lifecycle to the same resource group so you can easily deploy, update,
and delete them as a group.
The resource group stores metadata about the resources. Therefore, when you specify a location for the resource
group, you are specifying where that metadata is stored. For compliance reasons, you may need to ensure that
your data is stored in a particular region.

Create resource groups


The following CLI script creates a resource group, and then shows the resource group.

echo "Enter the Resource Group name:" &&
read -r resourceGroupName &&
echo "Enter the location (i.e. centralus):" &&
read -r location &&
az group create --name "$resourceGroupName" --location "$location"

List resource groups


The following CLI script lists the resource groups under your subscription.

az group list

To get one resource group:

echo "Enter the Resource Group name:" &&
read -r resourceGroupName &&
az group show --name "$resourceGroupName"

Delete resource groups
The following CLI script deletes a resource group:

echo "Enter the Resource Group name:" &&
read -r resourceGroupName &&
az group delete --name "$resourceGroupName"

For more information about how Azure Resource Manager orders the deletion of resources, see Azure Resource
Manager resource group deletion.

Deploy resources to an existing resource group


See Deploy resources to an existing resource group.

Deploy a resource group and resources


You can create a resource group and deploy resources to the group by using a Resource Manager template. For
more information, see Create resource group and deploy resources.

Redeploy when deployment fails


This feature is also known as Rollback on error. For more information, see Redeploy when deployment fails.

Move to another resource group or subscription


You can move the resources in the group to another resource group. For more information, see Move resources.

Lock resource groups


Locking prevents other users in your organization from accidentally deleting or modifying critical resources, such
as an Azure subscription, resource group, or resource.
The following script locks a resource group so the resource group can't be deleted.

echo "Enter the Resource Group name:" &&
read -r resourceGroupName &&
az lock create --name LockGroup --lock-type CanNotDelete --resource-group "$resourceGroupName"

The following script gets all locks for a resource group:

echo "Enter the Resource Group name:" &&
read -r resourceGroupName &&
az lock list --resource-group "$resourceGroupName"

The following script deletes a lock:

echo "Enter the Resource Group name:" &&
read -r resourceGroupName &&
echo "Enter the lock name:" &&
read -r lockName &&
az lock delete --name "$lockName" --resource-group "$resourceGroupName"

For more information, see Lock resources with Azure Resource Manager.
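
The lock commands above report one group at a time; the following added example (not part of the original article) audits saved JSON from az group list and az lock list to find resource groups with no delete-blocking lock at group or subscription scope. The subscription ID, group names and lock names other than LockGroup are constructed placeholders, and the lock-ID layout is assumed to follow the standard Microsoft.Authorization/locks resource ID form.

```python
import json

# Constructed sample data shaped like the JSON printed by `az group list`
# and `az lock list`. The subscription ID and names are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
GROUPS = json.loads(json.dumps([
    {"name": "prod-rg", "id": SUB + "/resourceGroups/prod-rg"},
    {"name": "data-rg", "id": SUB + "/resourceGroups/data-rg"},
    {"name": "dev-rg", "id": SUB + "/resourceGroups/dev-rg"},
]))
LOCKS = json.loads(json.dumps([
    {   # group-scoped lock, as created by the `az lock create` script above
        "name": "LockGroup",
        "level": "CanNotDelete",
        "id": SUB + "/resourceGroups/prod-rg/providers/"
              "Microsoft.Authorization/locks/LockGroup",
    },
    {   # resource-scoped lock on a single (constructed) storage account
        "name": "AcctLock",
        "level": "ReadOnly",
        "id": SUB + "/resourceGroups/data-rg/providers/Microsoft.Storage/"
              "storageAccounts/constructedacct/providers/"
              "Microsoft.Authorization/locks/AcctLock",
    },
]))

LOCK_MARKER = "/providers/microsoft.authorization/locks/"
BLOCKS_DELETE = {"cannotdelete", "readonly"}  # both levels prevent deletion


def lock_scope(lock_id):
    """Return (kind, scope) for a lock ID; kind is subscription, group or resource."""
    lowered = lock_id.lower()  # Azure resource IDs are case-insensitive
    if LOCK_MARKER not in lowered:
        raise ValueError("not a lock resource ID: " + lock_id)
    scope = lowered.rsplit(LOCK_MARKER, 1)[0]
    parts = [p for p in scope.split("/") if p]
    if len(parts) == 2 and parts[0] == "subscriptions":
        return "subscription", scope
    if len(parts) == 4 and parts[2] == "resourcegroups":
        return "group", scope
    return "resource", scope


def audit_group_locks(groups, locks):
    """Map each group name to the (name, level, kind) locks that cover the group."""
    report = {g["name"]: [] for g in groups}
    by_scope = {g["id"].lower(): g["name"] for g in groups}
    for lock in locks:
        if lock["level"].lower() not in BLOCKS_DELETE:
            continue
        kind, scope = lock_scope(lock["id"])
        entry = (lock["name"], lock["level"], kind)
        if kind == "subscription":
            # A subscription lock is inherited by every group beneath it.
            for group_id, name in by_scope.items():
                if group_id.startswith(scope + "/"):
                    report[name].append(entry)
        elif kind == "group" and scope in by_scope:
            report[by_scope[scope]].append(entry)
        # Resource-scoped locks are not counted: they cover one resource,
        # and this audit looks for a lock on the group itself.
    return report


def unprotected_groups(groups, locks):
    """Return the sorted names of groups with no covering lock."""
    report = audit_group_locks(groups, locks)
    return sorted(name for name, found in report.items() if not found)


if __name__ == "__main__":
    for name in unprotected_groups(GROUPS, LOCKS):
        print("no group or subscription lock:", name)
```
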

Tag resource groups
You can apply tags to resource groups and resources to logically organize your assets. For information, see Using
tags to organize your Azure resources.

Export resource groups to templates


After setting up your resource group successfully, you may want to view the Resource Manager template for the
resource group. Exporting the template offers two benefits:
Automate future deployments of the solution because the template contains the complete infrastructure.
Learn template syntax by looking at the JavaScript Object Notation (JSON) that represents your solution.

echo "Enter the Resource Group name:" &&
read -r resourceGroupName &&
az group export --name "$resourceGroupName"

The script displays the template on the console. Copy the JSON, and save as a file.
The export template feature doesn't support exporting Azure Data Factory resources. To learn about how you can
export Data Factory resources, see Copy or clone a data factory in Azure Data Factory.
To export resources created through classic deployment model, you must migrate them to the Resource Manager
deployment model.
For more information, see Single and multi-resource export to template in Azure portal.

Manage access to resource groups


Role-based access control (RBAC) is the way that you manage access to resources in Azure. For more information,
see Manage access using RBAC and Azure CLI.

Next steps
To learn Azure Resource Manager, see Azure Resource Manager overview.
To learn the Resource Manager template syntax, see Understand the structure and syntax of Azure Resource
Manager templates.
To learn how to develop templates, see the step-by-step tutorials.
To view the Azure Resource Manager template schemas, see template reference.

Manage Azure Resource Manager resource groups by using Azure PowerShell
12/23/2019 • 5 minutes to read

Learn how to use Azure PowerShell with Azure Resource Manager to manage your Azure resource groups. For
managing Azure resources, see Manage Azure resources by using Azure PowerShell.
Other articles about managing resource groups:
Manage Azure resource groups by using the Azure portal
Manage Azure resource groups by using Azure CLI

What is a resource group


A resource group is a container that holds related resources for an Azure solution. The resource group can include
all the resources for the solution, or only those resources that you want to manage as a group. You decide how you
want to allocate resources to resource groups based on what makes the most sense for your organization.
Generally, add resources that share the same lifecycle to the same resource group so you can easily deploy, update,
and delete them as a group.
The resource group stores metadata about the resources. Therefore, when you specify a location for the resource
group, you're specifying where that metadata is stored. For compliance reasons, you may need to ensure that your
data is stored in a particular region.

Create resource groups


The following PowerShell script creates a resource group, and then shows the resource group.

$resourceGroupName = Read-Host -Prompt "Enter the Resource Group name"
$location = Read-Host -Prompt "Enter the location (i.e. centralus)"

New-AzResourceGroup -Name $resourceGroupName -Location $location

Get-AzResourceGroup -Name $resourceGroupName

List resource groups


The following PowerShell script lists the resource groups under your subscription.

Get-AzResourceGroup

To get one resource group:

$resourceGroupName = Read-Host -Prompt "Enter the Resource Group name"

Get-AzResourceGroup -Name $resourceGroupName


Delete resource groups
The following PowerShell script deletes a resource group:

$resourceGroupName = Read-Host -Prompt "Enter the Resource Group name"

Remove-AzResourceGroup -Name $resourceGroupName

For more information about how Azure Resource Manager orders the deletion of resources, see Azure Resource
Manager resource group deletion.

Deploy resources to an existing resource group


See Deploy resources to an existing resource group.
To validate a resource group deployment, see Test-AzResourceGroupDeployment.

Deploy a resource group and resources


You can create a resource group and deploy resources to the group by using a Resource Manager template. For
more information, see Create resource group and deploy resources.

Redeploy when deployment fails


This feature is also known as Rollback on error. For more information, see Redeploy when deployment fails.

Move to another resource group or subscription


You can move the resources in the group to another resource group. For more information, see Move resources to
new resource group or subscription.

Lock resource groups


Locking prevents other users in your organization from accidentally deleting or modifying critical resources, such
as an Azure subscription, resource group, or resource.
The following script locks a resource group so the resource group can't be deleted.

$resourceGroupName = Read-Host -Prompt "Enter the Resource Group name"

New-AzResourceLock -LockName LockGroup -LockLevel CanNotDelete -ResourceGroupName $resourceGroupName

The following script gets all locks for a resource group:

$resourceGroupName = Read-Host -Prompt "Enter the Resource Group name"

Get-AzResourceLock -ResourceGroupName $resourceGroupName

For more information, see Lock resources with Azure Resource Manager.

Tag resource groups


You can apply tags to resource groups and resources to logically organize your assets. For information, see Using
tags to organize your Azure resources.

Export resource groups to templates
After setting up your resource group, you can view a Resource Manager template for the resource group.
Exporting the template offers two benefits:
Automate future deployments of the solution because the template contains the complete infrastructure.
Learn template syntax by looking at the JavaScript Object Notation (JSON) that represents your solution.
To export all resources in a resource group, use the Export-AzResourceGroup cmdlet and provide the resource
group name.

$resourceGroupName = Read-Host -Prompt "Enter the Resource Group name"

Export-AzResourceGroup -ResourceGroupName $resourceGroupName

It saves the template as a local file.


Instead of exporting all resources in the resource group, you can select which resources to export.
To export one resource, pass that resource ID.

$resource = Get-AzResource `
  -ResourceGroupName <resource-group-name> `
  -ResourceName <resource-name> `
  -ResourceType <resource-type>

Export-AzResourceGroup `
  -ResourceGroupName <resource-group-name> `
  -Resource $resource.ResourceId

To export more than one resource, pass the resource IDs in an array.

Export-AzResourceGroup `
  -ResourceGroupName <resource-group-name> `
  -Resource @($resource1.ResourceId, $resource2.ResourceId)

When exporting the template, you can specify whether parameters are used in the template. By default, parameters
for resource names are included but they don't have a default value. You must pass that parameter value during
deployment.

"parameters": {
  "serverfarms_demoHostPlan_name": {
    "defaultValue": null,
    "type": "String"
  },
  "sites_webSite3bwt23ktvdo36_name": {
    "defaultValue": null,
    "type": "String"
  }
}

In the resource, the parameter is used for the name.


"resources": [
  {
    "type": "Microsoft.Web/serverfarms",
    "apiVersion": "2016-09-01",
    "name": "[parameters('serverfarms_demoHostPlan_name')]",
    ...
  }
]

If you use the -IncludeParameterDefaultValue parameter when exporting the template, the template parameter
includes a default value that is set to the current value. You can either use that default value or overwrite the default
value by passing in a different value.

"parameters": {
  "serverfarms_demoHostPlan_name": {
    "defaultValue": "demoHostPlan",
    "type": "String"
  },
  "sites_webSite3bwt23ktvdo36_name": {
    "defaultValue": "webSite3bwt23ktvdo36",
    "type": "String"
  }
}

If you use the -SkipResourceNameParameterization parameter when exporting the template, parameters for resource
names aren't included in the template. Instead, the resource name is set directly on the resource to its current value.
You can't customize the name during deployment.

"resources": [
  {
    "type": "Microsoft.Web/serverfarms",
    "apiVersion": "2016-09-01",
    "name": "demoHostPlan",
    ...
  }
]

The export template feature doesn't support exporting Azure Data Factory resources. To learn about how you can
export Data Factory resources, see Copy or clone a data factory in Azure Data Factory.
To export resources created through classic deployment model, you must migrate them to the Resource Manager
deployment model.
For more information, see Single and multi-resource export to template in Azure portal.
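
The three export modes described above produce templates that behave differently at deployment time. The following added example (not part of the original article) reads an exported template and reports which resource-name parameters must be supplied, which carry the current value as a default, and which names are hard-coded. The three sample templates are constructed from the fragments shown above; the Microsoft.Web/sites entry and its apiVersion are assumptions added to complete the sample.

```python
import copy
import json
import re

# Constructed sample: default export (name parameters with null defaults).
DEFAULT_EXPORT = json.loads("""
{
  "parameters": {
    "serverfarms_demoHostPlan_name": {"defaultValue": null, "type": "String"},
    "sites_webSite3bwt23ktvdo36_name": {"defaultValue": null, "type": "String"}
  },
  "resources": [
    {"type": "Microsoft.Web/serverfarms", "apiVersion": "2016-09-01",
     "name": "[parameters('serverfarms_demoHostPlan_name')]"},
    {"type": "Microsoft.Web/sites", "apiVersion": "2016-08-01",
     "name": "[parameters('sites_webSite3bwt23ktvdo36_name')]"}
  ]
}
""")

# Constructed sample: export with -IncludeParameterDefaultValue.
WITH_DEFAULTS = copy.deepcopy(DEFAULT_EXPORT)
WITH_DEFAULTS["parameters"]["serverfarms_demoHostPlan_name"]["defaultValue"] = "demoHostPlan"
WITH_DEFAULTS["parameters"]["sites_webSite3bwt23ktvdo36_name"]["defaultValue"] = "webSite3bwt23ktvdo36"

# Constructed sample: export with -SkipResourceNameParameterization.
SKIP_PARAMS = {
    "parameters": {},
    "resources": [
        {"type": "Microsoft.Web/serverfarms", "apiVersion": "2016-09-01",
         "name": "demoHostPlan"},
    ],
}

PARAM_REF = re.compile(r"parameters\('([^']+)'\)")


def is_expression(value):
    """True for a template expression such as [parameters('x')]; [[ is an escaped literal."""
    return value.startswith("[") and value.endswith("]") and not value.startswith("[[")


def walk_resources(resources):
    """Yield every resource, including nested child resources."""
    for res in resources:
        yield res
        yield from walk_resources(res.get("resources", []))


def classify_names(template):
    """Sort resource names into must_supply, defaulted and hard_coded."""
    params = template.get("parameters", {})
    report = {"must_supply": [], "defaulted": {}, "hard_coded": []}
    for res in walk_resources(template.get("resources", [])):
        name = res["name"]
        if not is_expression(name):
            report["hard_coded"].append((res["type"], name))
            continue
        for ref in PARAM_REF.findall(name):
            default = params.get(ref, {}).get("defaultValue")
            if default is None:
                if ref not in report["must_supply"]:
                    report["must_supply"].append(ref)
            else:
                report["defaulted"][ref] = default
    return report


def missing_at_deploy(template, supplied):
    """Return name parameters that have no default and are absent from `supplied`."""
    return [p for p in classify_names(template)["must_supply"] if p not in supplied]


if __name__ == "__main__":
    for label, tpl in (("default", DEFAULT_EXPORT),
                       ("with defaults", WITH_DEFAULTS),
                       ("skip parameterization", SKIP_PARAMS)):
        print(label, classify_names(tpl))
```
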

Manage access to resource groups


Role-based access control (RBAC) is the way that you manage access to resources in Azure. For more information,
see Manage access using RBAC and Azure PowerShell.

Next steps
To learn Azure Resource Manager, see Azure Resource Manager overview.
To learn the Resource Manager template syntax, see Understand the structure and syntax of Azure Resource
Manager templates.
To learn how to develop templates, see the step-by-step tutorials.
To view the Azure Resource Manager template schemas, see template reference.

Manage Azure resources by using the Azure portal
12/23/2019 • 3 minutes to read

Learn how to use the Azure portal with Azure Resource Manager to manage your Azure resources. For managing
resource groups, see Manage Azure resource groups by using the Azure portal.
Other articles about managing resources:
Manage Azure resources by using Azure CLI
Manage Azure resources by using Azure PowerShell

NOTE
This article provides steps for how to delete personal data from the device or service and can be used to support your
obligations under the GDPR. If you’re looking for general info about GDPR, see the GDPR section of the Service Trust portal.

Deploy resources to a resource group


After you have created a Resource Manager template, you can use the Azure portal to deploy your Azure
resources. For creating a template, see Quickstart: Create and deploy Azure Resource Manager templates by using
the Azure portal. For deploying a template using the portal, see Deploy resources with Resource Manager
templates and Azure portal.

Open resources
Azure resources are organized by Azure services and by resource groups. The following procedures show how to
open a storage account called mystorage0207. The storage account resides in a resource group called
mystorage0207rg.
To open a resource by the service type:
1. Sign in to the Azure portal.
2. In the left pane, select the Azure service. In this case, Storage accounts. If you don't see the service listed,
select All services, and then select the service type.

3. Select the resource you want to open.


A storage account looks like:

To open a resource by resource group:


1. Sign in to the Azure portal.
2. In the left pane, select Resource groups to list the resource within the group.
3. Select the resource you want to open.

Manage resources
When viewing a resource in the portal, you see the options for managing that particular resource.

The screenshot shows the management options for an Azure virtual machine. You can perform operations such as
starting, restarting, and stopping a virtual machine.

Delete resources
1. Open the resource in the portal. For the steps, see Open resources.
2. Select Delete. The following screenshot shows the management options for a virtual machine.
3. Type the name of the resource to confirm the deletion, and then select Delete.
For more information about how Azure Resource Manager orders the deletion of resources, see Azure Resource
Manager resource group deletion.

Move resources
1. Open the resource in the portal. For the steps, see Open resources.
2. Select Move. The following screenshot shows the management options for a storage account.

3. Select Move to another resource group or Move to another subscription depending on your needs.
For more information, see Move resources to new resource group or subscription.

Lock resources
Locking prevents other users in your organization from accidentally deleting or modifying critical resources, such
as an Azure subscription, resource group, or resource.
1. Open the resource in the portal. For the steps, see Open resources.
2. Select Locks. The following screenshot shows the management options for a storage account.

3. Select Add, and then specify the lock properties.


For more information, see Lock resources with Azure Resource Manager.

Tag resources
Tagging helps you organize your resource groups and resources logically.
1. Open the resource in the portal. For the steps, see Open resources.
2. Select Tags. The following screenshot shows the management options for a storage account.
3. Specify the tag properties, and then select Save.
For information, see Using tags to organize your Azure resources.

Monitor resources
When you open a resource, the portal presents default graphs and tables for monitoring that resource type. The
following screenshot shows the graphs for a virtual machine:

You can select the pin icon on the upper right corner of the graphs to pin the graph to the dashboard. To learn
about working with dashboards, see Creating and sharing dashboards in the Azure portal.

Manage access to resources


Role-based access control (RBAC) is the way that you manage access to resources in Azure. For more information,
see Manage access using RBAC and the Azure portal.

Next steps
To learn Azure Resource Manager, see Azure Resource Manager overview.
To learn the Resource Manager template syntax, see Understand the structure and syntax of Azure Resource
Manager templates.
To learn how to develop templates, see the step-by-step tutorials.
To view the Azure Resource Manager template schemas, see template reference.
Manage Azure resources by using Azure CLI
12/23/2019 • 3 minutes to read

Learn how to use Azure CLI with Azure Resource Manager to manage your Azure resources. For managing
resource groups, see Manage Azure resource groups by using Azure CLI.
Other articles about managing resources:
Manage Azure resources by using the Azure portal
Manage Azure resources by using Azure PowerShell

Deploy resources to an existing resource group


You can deploy Azure resources directly by using Azure CLI, or deploy a Resource Manager template to create
Azure resources.
Deploy a resource
The following script creates a storage account.

# Prompt for the target names, create the storage account, then show it.
echo "Enter the Resource Group name:" &&
read resourceGroupName &&
echo "Enter the location (i.e. centralus):" &&
read location &&
echo "Enter the storage account name:" &&
read storageAccountName &&
az storage account create --resource-group "$resourceGroupName" --name "$storageAccountName" --location "$location" \
  --sku Standard_LRS --kind StorageV2 &&
az storage account show --resource-group "$resourceGroupName" --name "$storageAccountName"

Deploy a template
The following script deploys a Quickstart template to create a storage account. For more information, see
Quickstart: Create Azure Resource Manager templates by using Visual Studio Code.

echo "Enter the Resource Group name:" &&
read resourceGroupName &&
echo "Enter the location (i.e. centralus):" &&
read location &&
az group deployment create --resource-group "$resourceGroupName" --template-uri \
  "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/101-storage-account-create/azuredeploy.json"

For more information, see Deploy resources with Resource Manager templates and Azure CLI.

Deploy a resource group and resources


You can create a resource group and deploy resources to the group. For more information, see Create resource
group and deploy resources.

Deploy resources to multiple subscriptions or resource groups


Typically, you deploy all the resources in your template to a single resource group. However, there are scenarios
where you want to deploy a set of resources together but place them in different resource groups or
subscriptions. For more information, see Deploy Azure resources to multiple subscriptions or resource groups.

Delete resources
The following script shows how to delete a storage account.

echo "Enter the Resource Group name:" &&
read resourceGroupName &&
echo "Enter the storage account name:" &&
read storageAccountName &&
az storage account delete --resource-group "$resourceGroupName" --name "$storageAccountName"

For more information about how Azure Resource Manager orders the deletion of resources, see Azure Resource
Manager resource group deletion.

Move resources
The following script shows how to move a storage account from one resource group to another resource group.

echo "Enter the source Resource Group name:" &&
read srcResourceGroupName &&
echo "Enter the destination Resource Group name:" &&
read destResourceGroupName &&
echo "Enter the storage account name:" &&
read storageAccountName &&
# Look up the full resource ID, then move the resource by ID.
storageAccount=$(az resource show --resource-group "$srcResourceGroupName" --name "$storageAccountName" \
  --resource-type Microsoft.Storage/storageAccounts --query id --output tsv) &&
az resource move --destination-group "$destResourceGroupName" --ids "$storageAccount"

For more information, see Move resources to new resource group or subscription.

Lock resources
Locking prevents other users in your organization from accidentally deleting or modifying critical resources, such
as an Azure subscription, resource group, or resource.
The following script locks a storage account so the account can't be deleted.

echo "Enter the Resource Group name:" &&
read resourceGroupName &&
echo "Enter the storage account name:" &&
read storageAccountName &&
az lock create --name LockSite --lock-type CanNotDelete --resource-group "$resourceGroupName" \
  --resource-name "$storageAccountName" --resource-type Microsoft.Storage/storageAccounts

The following script gets all locks for a storage account:

echo "Enter the Resource Group name:" &&
read resourceGroupName &&
echo "Enter the storage account name:" &&
read storageAccountName &&
az lock list --resource-group "$resourceGroupName" --resource-name "$storageAccountName" \
  --resource-type Microsoft.Storage/storageAccounts --parent ""

The following script deletes a lock of a storage account:


echo "Enter the Resource Group name:" &&
read resourceGroupName &&
echo "Enter the storage account name:" &&
read storageAccountName &&
# Resolve the lock's ID first, then delete the lock by ID.
lockId=$(az lock show --name LockSite --resource-group "$resourceGroupName" \
  --resource-type Microsoft.Storage/storageAccounts --resource-name "$storageAccountName" --output tsv --query id) &&
az lock delete --ids "$lockId"

For more information, see Lock resources with Azure Resource Manager.

Tag resources
Tagging helps you organize your resource groups and resources logically. For information, see Using tags to organize
your Azure resources.

Manage access to resources


Role-based access control (RBAC) is the way that you manage access to resources in Azure. For more information,
see Manage access using RBAC and Azure CLI.

Next steps
To learn Azure Resource Manager, see Azure Resource Manager overview.
To learn the Resource Manager template syntax, see Understand the structure and syntax of Azure Resource
Manager templates.
To learn how to develop templates, see the step-by-step tutorials.
To view the Azure Resource Manager template schemas, see template reference.
Manage Azure resources by using Azure PowerShell
12/23/2019 • 3 minutes to read

Learn how to use Azure PowerShell with Azure Resource Manager to manage your Azure resources. For
managing resource groups, see Manage Azure resource groups by using Azure PowerShell.
Other articles about managing resources:
Manage Azure resources by using the Azure portal
Manage Azure resources by using Azure CLI

Deploy resources to an existing resource group


You can deploy Azure resources directly by using Azure PowerShell, or deploy a Resource Manager template to
create Azure resources.
Deploy a resource
The following script creates a storage account.

$resourceGroupName = Read-Host -Prompt "Enter the Resource Group name"
$location = Read-Host -Prompt "Enter the location (i.e. centralus)"
$storageAccountName = Read-Host -Prompt "Enter the storage account name"

# Create the storage account.
$storageAccount = New-AzStorageAccount -ResourceGroupName $resourceGroupName `
  -Name $storageAccountName `
  -Location $location `
  -SkuName "Standard_LRS"

# Retrieve the context.
$ctx = $storageAccount.Context

Deploy a template
The following script deploys a Quickstart template to create a storage account. For more information, see
Quickstart: Create Azure Resource Manager templates by using Visual Studio Code.

$resourceGroupName = Read-Host -Prompt "Enter the Resource Group name"
$location = Read-Host -Prompt "Enter the location (i.e. centralus)"
$templateUri = "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/101-storage-account-create/azuredeploy.json"
New-AzResourceGroupDeployment -ResourceGroupName $resourceGroupName -TemplateUri $templateUri -Location $location

For more information, see Deploy resources with Resource Manager templates and Azure PowerShell.

Deploy a resource group and resources


You can create a resource group and deploy resources to the group. For more information, see Create resource
group and deploy resources.

Deploy resources to multiple subscriptions or resource groups


Typically, you deploy all the resources in your template to a single resource group. However, there are scenarios
where you want to deploy a set of resources together but place them in different resource groups or
subscriptions. For more information, see Deploy Azure resources to multiple subscriptions or resource groups.

Delete resources
The following script shows how to delete a storage account.

$resourceGroupName = Read-Host -Prompt "Enter the Resource Group name"
$storageAccountName = Read-Host -Prompt "Enter the storage account name"

Remove-AzStorageAccount -ResourceGroupName $resourceGroupName -AccountName $storageAccountName

For more information about how Azure Resource Manager orders the deletion of resources, see Azure Resource
Manager resource group deletion.

Move resources
The following script shows how to move a storage account from one resource group to another resource group.

$srcResourceGroupName = Read-Host -Prompt "Enter the source Resource Group name"
$destResourceGroupName = Read-Host -Prompt "Enter the destination Resource Group name"
$storageAccountName = Read-Host -Prompt "Enter the storage account name"

# Look up the resource, then move it by its resource ID.
$storageAccount = Get-AzResource -ResourceGroupName $srcResourceGroupName -ResourceName $storageAccountName
Move-AzResource -DestinationResourceGroupName $destResourceGroupName -ResourceId $storageAccount.ResourceId

For more information, see Move resources to new resource group or subscription.

Lock resources
Locking prevents other users in your organization from accidentally deleting or modifying critical resources, such
as an Azure subscription, resource group, or resource.
The following script locks a storage account so the account can't be deleted.

$resourceGroupName = Read-Host -Prompt "Enter the Resource Group name"
$storageAccountName = Read-Host -Prompt "Enter the storage account name"

New-AzResourceLock -LockName LockStorage -LockLevel CanNotDelete -ResourceGroupName $resourceGroupName `
  -ResourceName $storageAccountName -ResourceType Microsoft.Storage/storageAccounts

The following script gets all locks for a storage account:

$resourceGroupName = Read-Host -Prompt "Enter the Resource Group name"
$storageAccountName = Read-Host -Prompt "Enter the storage account name"

Get-AzResourceLock -ResourceGroupName $resourceGroupName -ResourceName $storageAccountName `
  -ResourceType Microsoft.Storage/storageAccounts

The following script deletes a lock of a storage account:


$resourceGroupName = Read-Host -Prompt "Enter the Resource Group name"
$storageAccountName = Read-Host -Prompt "Enter the storage account name"

$lockId = (Get-AzResourceLock -ResourceGroupName $resourceGroupName -ResourceName $storageAccountName `
  -ResourceType Microsoft.Storage/storageAccounts).LockId
Remove-AzResourceLock -LockId $lockId

For more information, see Lock resources with Azure Resource Manager.

Tag resources
Tagging helps you organize your resource groups and resources logically. For information, see Using tags to organize
your Azure resources.

Manage access to resources


Role-based access control (RBAC) is the way that you manage access to resources in Azure. For more
information, see Manage access using RBAC and Azure PowerShell.

Next steps
To learn Azure Resource Manager, see Azure Resource Manager overview.
To learn the Resource Manager template syntax, see Understand the structure and syntax of Azure Resource
Manager templates.
To learn how to develop templates, see the step-by-step tutorials.
To view the Azure Resource Manager template schemas, see template reference.
Azure Resource Manager resource group and resource deletion
12/23/2019 • 2 minutes to read

This article shows how to delete resource groups and resources. It describes how Azure Resource Manager
orders the deletion of resources when you delete a resource group.

How order of deletion is determined


When you delete a resource group, Resource Manager determines the order to delete resources. It uses the
following order:
1. All the child (nested) resources are deleted.
2. Resources that manage other resources are deleted next. A resource can have the managedBy property set
to indicate that a different resource manages it. When this property is set, the resource that manages the
other resource is deleted before the other resources.
3. The remaining resources are deleted after the previous two categories.
After the order is determined, Resource Manager issues a DELETE operation for each resource. It waits for any
dependencies to finish before proceeding.
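
The three-step ordering above, as an added Python example (not from the original article): it predicts the deletion order for a group from resource records shaped like `az resource list --output json`. The sample records and function names are constructed, and treating any type with more than one type segment as a child resource is an assumption of this example.

```python
# Constructed sample shaped like `az resource list --output json` (not real data).
RG = ("/subscriptions/00000000-0000-0000-0000-000000000000"
      "/resourceGroups/ExampleResourceGroup/providers/")
SAMPLE_RESOURCES = [
    {"id": RG + "Microsoft.Compute/disks/ExampleVM_OsDisk",
     "type": "Microsoft.Compute/disks",
     "managedBy": RG + "Microsoft.Compute/virtualMachines/ExampleVM"},
    {"id": RG + "Microsoft.Network/virtualNetworks/ExampleVNet",
     "type": "Microsoft.Network/virtualNetworks", "managedBy": None},
    {"id": RG + "Microsoft.Compute/virtualMachines/ExampleVM",
     "type": "Microsoft.Compute/virtualMachines", "managedBy": None},
    {"id": RG + "Microsoft.Compute/virtualMachines/ExampleVM/extensions/ExampleExt",
     "type": "Microsoft.Compute/virtualMachines/extensions", "managedBy": None},
]

PHASES = {
    1: "child (nested) resource",
    2: "manages another resource",
    3: "remaining resource",
}


def is_nested(resource):
    """Assumption: 'Namespace/parentType/childType' (3+ segments) marks a child."""
    return len(resource["type"].split("/")) > 2


def deletion_phase(resource, manager_ids):
    """Map one resource to step 1, 2 or 3 of the ordering described above."""
    if is_nested(resource):
        return 1
    if resource["id"].lower() in manager_ids:
        return 2
    return 3


def deletion_order(resources):
    """Return [(phase, resource_id), ...] in the order the three rules produce."""
    # A resource is a "manager" when another resource names it in managedBy.
    # Resource IDs are compared case-insensitively.
    manager_ids = {r["managedBy"].lower() for r in resources if r.get("managedBy")}
    # sorted() is stable, so resources in the same phase keep their input order.
    ranked = sorted(resources, key=lambda r: deletion_phase(r, manager_ids))
    return [(deletion_phase(r, manager_ids), r["id"]) for r in ranked]


if __name__ == "__main__":
    for phase, rid in deletion_order(SAMPLE_RESOURCES):
        print(phase, PHASES[phase], rid.rsplit("/", 1)[-1])
```

In the sample, the VM extension goes first, the VM goes before the disk it manages, and the virtual network falls into the last step.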
For synchronous operations, the expected successful response codes are:
200
204
404
For asynchronous operations, the expected successful response is 202. Resource Manager tracks the location
header or the azure-async operation header to determine the status of the asynchronous delete operation.
Deletion errors
When a delete operation returns an error, Resource Manager retries the DELETE call. Retries happen for the 5xx,
429 and 408 status codes. By default, the time period for retry is 15 minutes.

After deletion
Resource Manager issues a GET call on each resource that it tried to delete. The response of this GET call is
expected to be 404. When Resource Manager gets a 404, it considers the deletion to have completed successfully.
Resource Manager removes the resource from its cache.
However, if the GET call on the resource returns a 200 or 201, Resource Manager recreates the resource.
If the GET operation returns an error, Resource Manager retries the GET for the following error codes:
Less than 100
408
429
Greater than 500
For other error codes, Resource Manager fails the deletion of the resource.
Delete resource group
Use one of the following methods to delete the resource group.
PowerShell
Azure CLI
Portal

Remove-AzResourceGroup -Name ExampleResourceGroup

Delete resource
Use one of the following methods to delete a resource.
PowerShell
Azure CLI
Portal

Remove-AzResource `
  -ResourceGroupName ExampleResourceGroup `
  -ResourceName ExampleVM `
  -ResourceType Microsoft.Compute/virtualMachines

Next steps
To understand Resource Manager concepts, see Azure Resource Manager overview.
For deletion commands, see PowerShell, Azure CLI, and REST API.
Lock resources to prevent unexpected changes
1/2/2020 • 6 minutes to read

As an administrator, you may need to lock a subscription, resource group, or resource to prevent other users in
your organization from accidentally deleting or modifying critical resources. You can set the lock level to
CanNotDelete or ReadOnly. In the portal, the locks are called Delete and Read-only respectively.
CanNotDelete means authorized users can still read and modify a resource, but they can't delete the
resource.
ReadOnly means authorized users can read a resource, but they can't delete or update the resource. Applying
this lock is similar to restricting all authorized users to the permissions granted by the Reader role.

NOTE
This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will
continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM
compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install
Azure PowerShell.

How locks are applied


When you apply a lock at a parent scope, all resources within that scope inherit the same lock. Even resources
you add later inherit the lock from the parent. The most restrictive lock in the inheritance takes precedence.
Unlike role-based access control, you use management locks to apply a restriction across all users and roles. To
learn about setting permissions for users and roles, see Azure Role-based Access Control.
Resource Manager locks apply only to operations that happen in the management plane, which consists of
operations sent to https://management.azure.com. The locks don't restrict how resources perform their own
functions. Resource changes are restricted, but resource operations aren't restricted. For example, a ReadOnly
lock on a SQL Database prevents you from deleting or modifying the database. It doesn't prevent you from
creating, updating, or deleting data in the database. Data transactions are permitted because those operations
aren't sent to https://management.azure.com.
Applying ReadOnly can lead to unexpected results because some operations that don't seem to modify the
resource actually require actions that are blocked by the lock. The ReadOnly lock can be applied to the resource
or to the resource group containing the resource. Some common examples of the operations that are blocked by
a ReadOnly lock are:
A ReadOnly lock on a storage account prevents all users from listing the keys. The list keys operation is
handled through a POST request because the returned keys are available for write operations.
A ReadOnly lock on an App Service resource prevents Visual Studio Server Explorer from displaying files
for the resource because that interaction requires write access.
A ReadOnly lock on a resource group that contains a virtual machine prevents all users from starting or
restarting the virtual machine. These operations require a POST request.
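
The inheritance and management-plane rules above, worked through as an added Python example (not part of the original article or Microsoft's code). The lock records are a constructed sample shaped like `az lock list --output json` output; the function names, the all-zero subscription ID, the storage host name and the rule that ReadOnly permits only GET are assumptions of this example.

```python
from urllib.parse import urlsplit

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder ID
# Constructed sample shaped like `az lock list --output json` (not real data).
SAMPLE_LOCKS = [
    {"name": "LockGroup", "level": "CanNotDelete",
     "id": SUB + "/resourceGroups/exampleresourcegroup"
           "/providers/Microsoft.Authorization/locks/LockGroup"},
    {"name": "LockStorage", "level": "ReadOnly",
     "id": SUB + "/resourceGroups/exampleresourcegroup/providers/Microsoft.Storage"
           "/storageAccounts/examplestore"
           "/providers/Microsoft.Authorization/locks/LockStorage"},
]

LOCK_MARKER = "/providers/microsoft.authorization/locks/"
# Higher value = more restrictive; the most restrictive inherited lock wins.
RESTRICTIVENESS = {"CanNotDelete": 1, "ReadOnly": 2}


def lock_scope(lock_id):
    """Scope a lock is attached to: the part of its ID before the lock suffix."""
    lowered = lock_id.lower()
    idx = lowered.rfind(LOCK_MARKER)
    if idx < 0:
        raise ValueError("not a management lock ID: " + lock_id)
    return lowered[:idx].rstrip("/")


def in_scope(scope, resource_id):
    """True if resource_id is the scope itself or lies below it.

    The comparison is segment-aware, so a lock on resource group 'rg' does
    not match a resource in 'rg2'.
    """
    rid = resource_id.lower().rstrip("/")
    return rid == scope or rid.startswith(scope + "/")


def effective_lock(resource_id, locks):
    """Most restrictive lock level inherited by resource_id, or None."""
    levels = [lk["level"] for lk in locks
              if in_scope(lock_scope(lk["id"]), resource_id)]
    return max(levels, key=RESTRICTIVENESS.__getitem__, default=None)


def is_blocked(method, url, locks):
    """Would a lock reject this request? Only the management plane is locked."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() != "management.azure.com":
        return False  # data-plane request: management locks do not apply
    level = effective_lock(parts.path, locks)
    method = method.upper()
    if level == "ReadOnly":
        return method != "GET"      # assumption: only reads pass
    if level == "CanNotDelete":
        return method == "DELETE"
    return False


if __name__ == "__main__":
    store = ("https://management.azure.com" + SUB + "/resourceGroups/exampleresourcegroup"
             "/providers/Microsoft.Storage/storageAccounts/examplestore")
    print(is_blocked("POST", store + "/listKeys", SAMPLE_LOCKS))   # list keys is a POST
    print(is_blocked("PUT", "https://examplestore.blob.core.windows.net/c/blob.txt",
                     SAMPLE_LOCKS))                                # data plane
```

The second call shows the gap to plan for: a lock on the storage account does not stop writes or deletes of the data inside it.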

Who can create or delete locks


To create or delete management locks, you must have access to Microsoft.Authorization/* or
Microsoft.Authorization/locks/* actions. Of the built-in roles, only Owner and User Access Administrator are
granted those actions.

Managed Applications and locks


Some Azure services, such as Azure Databricks, use managed applications to implement the service. In that case,
the service creates two resource groups. One resource group contains an overview of the service and isn't locked.
The other resource group contains the infrastructure for the service and is locked.
If you try to delete the infrastructure resource group, you get an error stating that the resource group is locked. If
you try to delete the lock for the infrastructure resource group, you get an error stating that the lock can't be
deleted because it's owned by a system application.
Instead, delete the service, which also deletes the infrastructure resource group.
For managed applications, select the service you deployed.

Notice the service includes a link for a Managed Resource Group. That resource group holds the infrastructure
and is locked. It can't be directly deleted.

To delete everything for the service, including the locked infrastructure resource group, select Delete for the
service.
Portal
1. In the Settings blade for the resource, resource group, or subscription that you wish to lock, select Locks.

2. To add a lock, select Add. If you want to create a lock at a parent level, select the parent. The currently
selected resource inherits the lock from the parent. For example, you could lock the resource group to
apply a lock to all its resources.

3. Give the lock a name and lock level. Optionally, you can add notes that describe the lock.

4. To delete the lock, select the ellipsis and Delete from the available options.
Template
When using a Resource Manager template to deploy a lock, you use different values for the name and type
depending on the scope of the lock.
When applying a lock to a resource, use the following formats:
name - {resourceName}/Microsoft.Authorization/{lockName}
type - {resourceProviderNamespace}/{resourceType}/providers/locks

When applying a lock to a resource group or subscription, use the following formats:
name - {lockName}
type - Microsoft.Authorization/locks

The following example shows a template that creates an app service plan, a web site, and a lock on the web site.
The resource type of the lock is the resource type of the resource to lock and /providers/locks. The name of the
lock is created by concatenating the resource name with /Microsoft.Authorization/ and the name of the lock.
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "hostingPlanName": {
      "type": "string"
    }
  },
  "variables": {
    "siteName": "[concat('ExampleSite', uniqueString(resourceGroup().id))]"
  },
  "resources": [
    {
      "apiVersion": "2016-09-01",
      "type": "Microsoft.Web/serverfarms",
      "name": "[parameters('hostingPlanName')]",
      "location": "[resourceGroup().location]",
      "sku": {
        "tier": "Free",
        "name": "f1",
        "capacity": 0
      },
      "properties": {
        "targetWorkerCount": 1
      }
    },
    {
      "apiVersion": "2016-08-01",
      "name": "[variables('siteName')]",
      "type": "Microsoft.Web/sites",
      "location": "[resourceGroup().location]",
      "dependsOn": [
        "[resourceId('Microsoft.Web/serverfarms', parameters('hostingPlanName'))]"
      ],
      "properties": {
        "serverFarmId": "[parameters('hostingPlanName')]"
      }
    },
    {
      "type": "Microsoft.Web/sites/providers/locks",
      "apiVersion": "2016-09-01",
      "name": "[concat(variables('siteName'), '/Microsoft.Authorization/siteLock')]",
      "dependsOn": [
        "[resourceId('Microsoft.Web/sites', variables('siteName'))]"
      ],
      "properties": {
        "level": "CanNotDelete",
        "notes": "Site should not be deleted."
      }
    }
  ]
}

For an example of setting a lock on a resource group, see Create a resource group and lock it.

PowerShell
You lock deployed resources with Azure PowerShell by using the New-AzResourceLock command.
To lock a resource, provide the name of the resource, its resource type, and its resource group name.

New-AzResourceLock -LockLevel CanNotDelete -LockName LockSite -ResourceName examplesite `
  -ResourceType Microsoft.Web/sites -ResourceGroupName exampleresourcegroup

To lock a resource group, provide the name of the resource group.

New-AzResourceLock -LockName LockGroup -LockLevel CanNotDelete -ResourceGroupName exampleresourcegroup

To get information about a lock, use Get-AzResourceLock. To get all the locks in your subscription, use:

Get-AzResourceLock

To get all locks for a resource, use:

Get-AzResourceLock -ResourceName examplesite -ResourceType Microsoft.Web/sites `
  -ResourceGroupName exampleresourcegroup

To get all locks for a resource group, use:

Get-AzResourceLock -ResourceGroupName exampleresourcegroup

To delete a lock, use:

$lockId = (Get-AzResourceLock -ResourceGroupName exampleresourcegroup -ResourceName examplesite `
  -ResourceType Microsoft.Web/sites).LockId
Remove-AzResourceLock -LockId $lockId

Azure CLI
You lock deployed resources with Azure CLI by using the az lock create command.
To lock a resource, provide the name of the resource, its resource type, and its resource group name.

az lock create --name LockSite --lock-type CanNotDelete --resource-group exampleresourcegroup \
  --resource-name examplesite --resource-type Microsoft.Web/sites

To lock a resource group, provide the name of the resource group.

az lock create --name LockGroup --lock-type CanNotDelete --resource-group exampleresourcegroup

To get information about a lock, use az lock list. To get all the locks in your subscription, use:

az lock list

To get all locks for a resource, use:

az lock list --resource-group exampleresourcegroup --resource-name examplesite --namespace Microsoft.Web \
  --resource-type sites --parent ""

To get all locks for a resource group, use:

az lock list --resource-group exampleresourcegroup


To delete a lock, use:

lockid=$(az lock show --name LockSite --resource-group exampleresourcegroup \
  --resource-type Microsoft.Web/sites --resource-name examplesite --output tsv --query id)
az lock delete --ids "$lockid"

REST API
You can lock deployed resources with the REST API for management locks. The REST API enables you to create
and delete locks, and retrieve information about existing locks.
To create a lock, run:

PUT https://management.azure.com/{scope}/providers/Microsoft.Authorization/locks/{lock-name}?api-version={api-version}

The scope could be a subscription, resource group, or resource. The lock-name is whatever you want to call the
lock. For api-version, use 2016-09-01.
In the request, include a JSON object that specifies the properties for the lock.

{
  "properties": {
    "level": "CanNotDelete",
    "notes": "Optional text notes."
  }
}

Next steps
To learn about logically organizing your resources, see Using tags to organize your resources.
You can apply restrictions and conventions across your subscription with customized policies. For more
information, see What is Azure Policy?.
For guidance on how enterprises can use Resource Manager to effectively manage subscriptions, see Azure
enterprise scaffold - prescriptive subscription governance.
Programmatically create Azure subscriptions (preview)
1/14/2020 • 14 minutes to read

Azure customers with an Enterprise Agreement (EA), Microsoft Customer Agreement (MCA) or Microsoft Partner
Agreement (MPA) billing account can create subscriptions programmatically. In this article, you learn how to create
subscriptions programmatically using Azure Resource Manager.
When you create an Azure subscription programmatically, that subscription is governed by the agreement under
which you obtained Azure services from Microsoft or an authorized reseller. To learn more, see Microsoft Azure
Legal Information.

NOTE
This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will
continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM
compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure
PowerShell.

Create subscriptions for an EA billing account


Prerequisites
You must have an Owner role on an Enrollment Account to create a subscription. There are two ways to get the
role:
The Enterprise Administrator of your enrollment can make you an Account Owner (sign in required) which
makes you an Owner of the Enrollment Account.
An existing Owner of the Enrollment Account can grant you access. Similarly, if you want to use a service
principal to create an EA subscription, you must grant that service principal the ability to create
subscriptions.
Find accounts you have access to
After you're added to an Enrollment Account associated to an Account Owner, Azure uses the account-to-
enrollment relationship to determine where to bill the subscription charges. All subscriptions created under the
account are billed to the EA enrollment that the account is in. To create subscriptions, you must pass in values
about the enrollment account and the user principals to own the subscription.
To run the following commands, you must be logged in to the Account Owner's home directory, which is the
directory that subscriptions are created in by default.
REST
PowerShell
Azure CLI
Request to list all enrollment accounts you have access to:

GET https://management.azure.com/providers/Microsoft.Billing/enrollmentAccounts?api-version=2018-03-01-preview

The API response lists all enrollment accounts you have access to:

{
  "value": [
    {
      "id": "/providers/Microsoft.Billing/enrollmentAccounts/747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "name": "747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "type": "Microsoft.Billing/enrollmentAccounts",
      "properties": {
        "principalName": "[email protected]"
      }
    },
    {
      "id": "/providers/Microsoft.Billing/enrollmentAccounts/4cd2fcf6-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "name": "4cd2fcf6-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "type": "Microsoft.Billing/enrollmentAccounts",
      "properties": {
        "principalName": "[email protected]"
      }
    }
  ]
}

Use the principalName property to identify the account that you want subscriptions to be billed to. Copy the name
of that account. For example, if you wanted to create subscriptions under the [email protected]
enrollment account, you'd copy 747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx. This identifier is the object ID of the
enrollment account. Paste this value somewhere so that you can use it in the next step as
enrollmentAccountObjectId.

Create subscriptions under a specific enrollment account


The following example creates a subscription named Dev Team Subscription in the enrollment account selected in
the previous step. The subscription offer is MS-AZR-0017P (regular Microsoft Enterprise Agreement). It also
optionally adds two users as RBAC Owners for the subscription.
REST
PowerShell
Azure CLI
Make the following request, replacing <enrollmentAccountObjectId> with the name copied from the first step
(747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx). If you'd like to specify owners, learn how to get user object IDs.

POST https://management.azure.com/providers/Microsoft.Billing/enrollmentAccounts/<enrollmentAccountObjectId>/providers/Microsoft.Subscription/createSubscription?api-version=2018-03-01-preview

{
  "displayName": "Dev Team Subscription",
  "offerType": "MS-AZR-0017P",
  "owners": [
    {
      "objectId": "<userObjectId>"
    },
    {
      "objectId": "<servicePrincipalObjectId>"
    }
  ]
}

| ELEMENT NAME | REQUIRED | TYPE | DESCRIPTION |
|---|---|---|---|
| displayName | No | String | The display name of the subscription. If not specified, it's set to the name of the offer, like "Microsoft Azure Enterprise." |
| offerType | Yes | String | The offer of the subscription. The two options for EA are MS-AZR-0017P (production use) and MS-AZR-0148P (dev/test, needs to be turned on using the EA portal). |
| owners | No | String | The Object ID of any user that you'd like to add as an RBAC Owner on the subscription when it's created. |

In the response, you get back a subscriptionOperation object for monitoring. When the subscription creation is
finished, the subscriptionOperation object returns a subscriptionLink object, which has the subscription ID.
Limitations of Azure Enterprise subscription creation API
Only Azure Enterprise subscriptions can be created using this API.
There's a limit of 200 subscriptions per enrollment account. After that, more subscriptions for the account can
only be created in the Azure portal. If you want to create more subscriptions through the API, create another
enrollment account.
Users who aren't Account Owners, but were added to an enrollment account via RBAC, can't create
subscriptions in the Azure portal.
You can't select the tenant for the subscription to be created in. The subscription is always created in the home
tenant of the Account Owner. To move the subscription to a different tenant, see change subscription tenant.

Create subscriptions for an MCA account


Prerequisites
You must have an owner, contributor, or Azure subscription creator role on an invoice section or owner or
contributor role on a billing profile or a billing account to create subscriptions. For more information, see
Subscription billing roles and tasks.
The examples shown below use REST APIs. Currently, PowerShell and Azure CLI are not supported.
Find billing accounts that you have access to
Make the request below to list all the billing accounts.

GET https://management.azure.com/providers/Microsoft.Billing/billingAccounts?api-version=2019-10-01-preview

The API response lists the billing accounts that you have access to.
{
"value": [
{
"id": "/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-
xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx",
"name": "5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx",
"properties": {
"accountId": "5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"accountStatus": "Active",
"accountType": "Enterprise",
"agreementType": "MicrosoftCustomerAgreement",
"displayName": "Contoso",
"hasReadAccess": true,
"organizationId": "41b29574-xxxx-xxxx-xxxx-xxxxxxxxxxxxx_xxxx-xx-xx"
},
"type": "Microsoft.Billing/billingAccounts"
},
{
"id": "/providers/Microsoft.Billing/billingAccounts/4f89e155-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx",
"name": "4f89e155-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx",
"properties": {
"accountId": "4f89e155-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"accountStatus": "Active",
"accountType": "Enterprise",
"agreementType": "MicrosoftCustomerAgreement",
"displayName": "Fabrikam",
"hasReadAccess": true,
"organizationId": "41b29574-xxxx-xxxx-xxxx-xxxxxxxxxxxxx_xxxx-xx-xx"
},
"type": "Microsoft.Billing/billingAccounts"
}
]
}

Use the displayName property to identify the billing account for which you want to create subscriptions. Ensure
that the agreementType of the account is MicrosoftCustomerAgreement. Copy the name of the account. For example,
if you want to create a subscription for the Contoso billing account, you'd copy
5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx. Paste this value
somewhere so that you can use it in the next step.
Find invoice sections to create subscriptions
The charges for your subscription appear on a section of a billing profile's invoice. Use the following API to get the
list of invoice sections and billing profiles on which you have permission to create Azure subscriptions.
Make the following request, replacing <billingAccountName> with the name copied from the first step
(5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx).

POST https://management.azure.com/providers/Microsoft.Billing/billingAccounts/<billingAccountName>/listInvoiceSectionsWithCreateSubscriptionPermission?api-version=2019-10-01-preview

The API response lists all the invoice sections and their billing profiles on which you have access to create
subscriptions:
{
"value": [{
"billingProfileDisplayName": "Contoso finance",
"billingProfileId": "/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/PBFV-xxxx-xxx-xxx",
"enabledAzurePlans": [{
"productId": "DZH318Z0BPS6",
"skuId": "0001",
"skuDescription": "Microsoft Azure Plan"
}, {
"productId": "DZH318Z0BPS6",
"skuId": "0002",
"skuDescription": "Microsoft Azure Plan for DevTest"
}],
"invoiceSectionDisplayName": "Development",
"invoiceSectionId": "/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/PBFV-xxxx-xxx-xxx/invoiceSections/GJ77-xxxx-xxx-xxx"
}, {
"billingProfileDisplayName": "Contoso finance",
"billingProfileId": "/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/PBFV-xxxx-xxx-xxx",
"enabledAzurePlans": [{
"productId": "DZH318Z0BPS6",
"skuId": "0001",
"skuDescription": "Microsoft Azure Plan"
}, {
"productId": "DZH318Z0BPS6",
"skuId": "0002",
"skuDescription": "Microsoft Azure Plan for DevTest"
}],
"invoiceSectionDisplayName": "Testing",
"invoiceSectionId": "/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/PBFV-XXXX-XXX-XXX/invoiceSections/GJGR-XXXX-XXX-XXX"
}]
}

Use the invoiceSectionDisplayName property to identify the invoice section for which you want to create
subscriptions. Copy the invoiceSectionId, billingProfileId, and one of the skuId values for the invoice section. For
example, if you want to create a subscription of type Microsoft Azure Plan for the Development invoice section, you'd
copy
/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_2019-05-31/billingProfiles/PBFV-XXXX-XXX-XXX/invoiceSections/GJGR-XXXX-XXX-XXX,
/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_2019-05-31/billingProfiles/PBFV-xxxx-xxx-xxx,
and 0001. Paste these values somewhere so that you can use them in the next step.
Create a subscription for an invoice section
The following example creates a subscription named Dev Team subscription of type Microsoft Azure Plan for the
Development invoice section. The subscription will be billed to the Contoso finance's billing profile and appear on
the Development section of its invoice.
Make the following request, replacing <invoiceSectionId> with the invoiceSectionId copied from the second step
(/providers/Microsoft.Billing/billingAccounts/5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_2019-05-31/billingProfiles/PBFV-XXXX-XXX-XXX/invoiceSections/GJGR-XXXX-XXX-XXX).
You'd need to pass the billingProfileId and skuId copied from the second step in the request parameters of
the API. If you'd like to specify owners, learn how to get user object IDs.

POST https://management.azure.com<invoiceSectionId>/providers/Microsoft.Subscription/createSubscription?api-version=2018-11-01-preview

{
  "displayName": "Dev Team subscription",
  "billingProfileId": "<billingProfileId>",
  "skuId": "<skuId>",
  "owners": [
    {
      "objectId": "<userObjectId>"
    },
    {
      "objectId": "<servicePrincipalObjectId>"
    }
  ],
  "costCenter": "35683",
  "managementGroupId": "/providers/Microsoft.Management/managementGroups/xxxxxxx"
}

ELEMENT NAME | REQUIRED | TYPE | DESCRIPTION
displayName | Yes | String | The display name of the subscription.
billingProfileId | Yes | String | The ID of the billing profile that will be billed for the subscription's charges.
skuId | Yes | String | The sku ID that determines the type of Azure plan.
owners | No | String | The Object ID of any user or service principal that you'd like to add as an RBAC Owner on the subscription when it's created.
costCenter | No | String | The cost center associated with the subscription. It shows up in the usage csv file.
managementGroupId | No | String | The ID of the management group to which the subscription will be added. To get the list of management groups, see Management Groups - List API. Use the ID of a management group from the API.

In the response, you get back a subscriptionCreationResult object for monitoring. When the subscription creation
is finished, the subscriptionCreationResult object would return a subscriptionLink object, which has the
subscription ID.
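The three MCA steps above, as an added Python sketch that is not part of the original documentation: it selects the billing account and invoice section from the two list responses, refuses an account with the wrong agreementType or a plan that is not enabled on the section, and builds the createSubscription request. The function names and the sample responses are constructed for illustration; the field names, URL path and api-version are the ones shown on this page.

```python
import json

ARM = "https://management.azure.com"
CREATE_API_VERSION = "2018-11-01-preview"  # api-version used on this page


def pick_billing_account(response, display_name, agreement_type="MicrosoftCustomerAgreement"):
    """Step 1: return the account name, refusing ambiguous names or the wrong agreement type."""
    matches = [a for a in response["value"] if a["properties"]["displayName"] == display_name]
    if len(matches) != 1:
        raise LookupError(f"{len(matches)} billing accounts named {display_name!r}")
    found = matches[0]["properties"]["agreementType"]
    if found != agreement_type:
        raise ValueError(f"{display_name!r} has agreementType {found}, expected {agreement_type}")
    return matches[0]["name"]


def pick_invoice_section(response, section_name, sku_description):
    """Step 2: return (invoiceSectionId, billingProfileId, skuId) for an enabled plan."""
    sections = [s for s in response["value"] if s["invoiceSectionDisplayName"] == section_name]
    if len(sections) != 1:
        raise LookupError(f"{len(sections)} invoice sections named {section_name!r}")
    section = sections[0]
    skus = [p["skuId"] for p in section["enabledAzurePlans"]
            if p["skuDescription"] == sku_description]
    if not skus:
        raise ValueError(f"{sku_description!r} is not enabled on {section_name!r}")
    return section["invoiceSectionId"], section["billingProfileId"], skus[0]


def build_create_request(invoice_section_id, billing_profile_id, sku_id,
                         display_name, owner_object_ids=()):
    """Step 3: return (method, url, body). Owners become RBAC Owners, so list them explicitly."""
    if not invoice_section_id.startswith("/providers/Microsoft.Billing/billingAccounts/"):
        raise ValueError("invoiceSectionId must be the full resource path from step two")
    url = (f"{ARM}{invoice_section_id}/providers/Microsoft.Subscription/"
           f"createSubscription?api-version={CREATE_API_VERSION}")
    body = {"displayName": display_name, "billingProfileId": billing_profile_id, "skuId": sku_id}
    if owner_object_ids:
        body["owners"] = [{"objectId": oid} for oid in owner_object_ids]
    return "POST", url, json.dumps(body)


# Constructed sample responses, reduced to the fields the functions read.
ACCOUNTS = {"value": [
    {"name": "contoso-account-name-constructed",
     "properties": {"displayName": "Contoso", "agreementType": "MicrosoftCustomerAgreement"}},
    {"name": "fabrikam-account-name-constructed",
     "properties": {"displayName": "Fabrikam", "agreementType": "MicrosoftPartnerAgreement"}},
]}
BILLING_PROFILE = ("/providers/Microsoft.Billing/billingAccounts/"
                   "contoso-account-name-constructed/billingProfiles/PBFV-constructed")
SECTIONS = {"value": [{
    "billingProfileId": BILLING_PROFILE,
    "invoiceSectionDisplayName": "Development",
    "invoiceSectionId": BILLING_PROFILE + "/invoiceSections/GJ77-constructed",
    "enabledAzurePlans": [
        {"skuId": "0001", "skuDescription": "Microsoft Azure Plan"},
        {"skuId": "0002", "skuDescription": "Microsoft Azure Plan for DevTest"},
    ],
}]}

if __name__ == "__main__":
    pick_billing_account(ACCOUNTS, "Contoso")
    ids = pick_invoice_section(SECTIONS, "Development", "Microsoft Azure Plan")
    print(build_create_request(*ids, display_name="Dev Team subscription"))
```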

Create subscriptions for an MPA billing account


Prerequisites
You must have a Global Admin or Admin Agent role in your organization's cloud solution provider account to
create subscription for your billing account. For more information, see Partner Center - Assign users roles and
permissions.
The examples shown below use REST APIs. Currently, PowerShell and Azure CLI are not supported.
Find the billing accounts that you have access to
Make the request below to list all billing accounts that you have access to.

GET https://management.azure.com/providers/Microsoft.Billing/billingAccounts?api-version=2019-10-01-preview

The API response lists the billing accounts.

{
"value": [
{
"id": "/providers/Microsoft.Billing/billingAccounts/99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx",
"name": "99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx",
"properties": {
"accountId": "5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"accountStatus": "Active",
"accountType": "Enterprise",
"agreementType": "MicrosoftPartnerAgreement",
"displayName": "Contoso",
"hasReadAccess": true,
"organizationId": "1d100e69-xxxx-xxxx-xxxx-xxxxxxxxxxxxx_xxxx-xx-xx"
},
"type": "Microsoft.Billing/billingAccounts"
},
{
"id": "/providers/Microsoft.Billing/billingAccounts/4f89e155-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx",
"name": "4f89e155-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx",
"properties": {
"accountId": "4f89e155-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"accountStatus": "Active",
"accountType": "Enterprise",
"agreementType": "MicrosoftCustomerAgreement",
"displayName": "Fabrikam",
"hasReadAccess": true,
"organizationId": "1d100e69-xxxx-xxxx-xxxx-xxxxxxxxxxxxx_xxxx-xx-xx"
},
"type": "Microsoft.Billing/billingAccounts"
}
]
}

Use the displayName property to identify the billing account for which you want to create subscriptions. Ensure
that the agreementType of the account is MicrosoftPartnerAgreement. Copy the name for the account. For example, if
you want to create a subscription for the Contoso billing account, you'd copy
99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx. Paste this value
somewhere so that you can use it in the next step.
Find customers that have Azure plans
Make the following request, replacing <billingAccountName> with the name copied from the first step
(5e98e158-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx) to list all customers in the
billing account for whom you can create Azure subscriptions.

GET https://management.azure.com/providers/Microsoft.Billing/billingAccounts/<billingAccountName>/customers?api-version=2019-10-01-preview

The API response lists the customers in the billing account with Azure plans. You can create subscriptions for these
customers.

{
"value": [
{
"id": "/providers/Microsoft.Billing/billingAccounts/99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/customers/2281f543-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"name": "2281f543-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"properties": {
"billingProfileDisplayName": "Contoso USD",
"billingProfileId": "/providers/Microsoft.Billing/billingAccounts/99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/JUT6-xxxx-xxxx-xxxx",
"displayName": "Fabrikam toys"
},
"type": "Microsoft.Billing/billingAccounts/customers"
},
{
"id": "/providers/Microsoft.Billing/billingAccounts/99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/customers/97c3fac4-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"name": "97c3fac4-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"properties": {
"billingProfileDisplayName": "Fabrikam sports",
"billingProfileId": "/providers/Microsoft.Billing/billingAccounts/99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/billingProfiles/JUT6-xxxx-xxxx-xxxx",
"displayName": "Fabrikam bakery"
},
"type": "Microsoft.Billing/billingAccounts/customers"
}]
}

Use the displayName property to identify the customer for which you want to create subscriptions. Copy the id
for the customer. For example, if you want to create a subscription for Fabrikam toys, you'd copy
/providers/Microsoft.Billing/billingAccounts/99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/customers/2281f543-xxxx-xxxx-xxxx-xxxxxxxxxxxx.
Paste this value somewhere to use it in the subsequent steps.
Optional for Indirect providers: Get the resellers for a customer
If you're an Indirect provider in the CSP two-tier model, you can specify a reseller while creating subscriptions for
customers.
Make the following request, replacing <customerId> with the id copied from the second step
(/providers/Microsoft.Billing/billingAccounts/99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/customers/2281f543-xxxx-xxxx-xxxx-xxxxxxxxxxxx)
to list all resellers that are available for a customer.

GET https://management.azure.com<customerId>?$expand=resellers&api-version=2019-10-01-preview

The API response lists the resellers for the customer:


{
"value": [{
"id": "/providers/Microsoft.Billing/billingAccounts/99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/customers/2ed2c490-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"name": "2ed2c490-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"type": "Microsoft.Billing/billingAccounts/customers",
"properties": {
"displayName": "Fabrikam toys",
"resellers": [
{
"resellerId": "3xxxxx",
"description": "Wingtip"
}
]
}
},
{
"id": "/providers/Microsoft.Billing/billingAccounts/99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/customers/4ed2c793-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"name": "4ed2c793-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"type": "Microsoft.Billing/billingAccounts/customers",
"properties": {
"displayName": "Fabrikam toys",
"resellers": [
{
"resellerId": "5xxxxx",
"description": "Tailspin"
}
]
}
}]
}

Use the description property to identify the reseller who will be associated with the subscription. Copy the
resellerId for the reseller. For example, if you want to associate Wingtip, you'd copy 3xxxxx. Paste this value
somewhere so that you can use it in the next step.
Create a subscription for a customer
The following example creates a subscription named Dev Team subscription for Fabrikam toys and associates the
Wingtip reseller with the subscription.
Make the following request, replacing <customerId> with the id copied from the second step
(/providers/Microsoft.Billing/billingAccounts/99a13315-xxxx-xxxx-xxxx-xxxxxxxxxxxx:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxx-xx-xx/customers/2281f543-xxxx-xxxx-xxxx-xxxxxxxxxxxx).
Pass the optional resellerId copied from the second step in the request parameters of the API.

POST https://management.azure.com<customerId>/providers/Microsoft.Subscription/createSubscription?api-version=2018-11-01-preview

{
  "displayName": "Dev Team subscription",
  "skuId": "0001",
  "resellerId": "<resellerId>"
}

ELEMENT NAME | REQUIRED | TYPE | DESCRIPTION
displayName | Yes | String | The display name of the subscription.
skuId | Yes | String | The sku ID of the Azure plan. Use 0001 for subscriptions of type Microsoft Azure Plan
resellerId | No | String | The MPN ID of the reseller who will be associated with the subscription.

In the response, you get back a subscriptionCreationResult object for monitoring. When the subscription creation
is finished, the subscriptionCreationResult object would return a subscriptionLink object, which has the
subscription ID.

Next steps
For an example on creating an Enterprise Agreement (EA) subscription using .NET, see sample code on GitHub.
Now that you've created a subscription, you can grant that ability to other users and service principals. For
more information, see Grant access to create Azure Enterprise subscriptions (preview).
To learn more about managing large numbers of subscriptions using management groups, see Organize your
resources with Azure management groups.
Grant access to create Azure Enterprise subscriptions (preview)
12/23/2019 • 5 minutes to read

As an Azure customer on Enterprise Agreement (EA), you can give another user or service principal permission to
create subscriptions billed to your account. In this article, you learn how to use Role-Based Access Control (RBAC)
to share the ability to create subscriptions, and how to audit subscription creations. You must have the Owner role
on the account you wish to share.

NOTE
This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will
continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM
compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure
PowerShell.

Grant access
To create subscriptions under an enrollment account, users must have the RBAC Owner role on that account. You
can grant a user or a group of users the RBAC Owner role on an enrollment account by following these steps:
1. Get the object ID of the enrollment account you want to grant access to
To grant others the RBAC Owner role on an enrollment account, you must either be the Account Owner or
an RBAC Owner of the account.
Request to list all enrollment accounts you have access to:

GET https://management.azure.com/providers/Microsoft.Billing/enrollmentAccounts?api-version=2018-03-01-preview

Azure responds with a list of all enrollment accounts you have access to:
{
"value": [
{
"id": "/providers/Microsoft.Billing/enrollmentAccounts/747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"name": "747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"type": "Microsoft.Billing/enrollmentAccounts",
"properties": {
"principalName": "[email protected]"
}
},
{
"id": "/providers/Microsoft.Billing/enrollmentAccounts/4cd2fcf6-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"name": "4cd2fcf6-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"type": "Microsoft.Billing/enrollmentAccounts",
"properties": {
"principalName": "[email protected]"
}
}
]
}

Use the principalName property to identify the account that you want to grant RBAC Owner access to.
Copy the name of that account. For example, if you wanted to grant RBAC Owner access to the
[email protected] enrollment account, you'd copy 747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx .
This is the object ID of the enrollment account. Paste this value somewhere so that you can use it in the next
step as enrollmentAccountObjectId .
2. Get object ID of the user or group you want to give the RBAC Owner role to
a. In the Azure portal, search on Azure Active Directory.
b. If you want to grant a user access, click on Users in the menu on the left. If you want to grant access to a
group, click Groups.
c. Select the User or Group you want to give the RBAC Owner role to.
d. If you selected a User, you'll find the object ID in the Profile page. If you selected a Group, the object ID
will be in the Overview page. Copy the ObjectID by clicking the icon to the right of the text box. Paste
this somewhere so that you can use it in the next step as userObjectId .
3. Grant the user or group the RBAC Owner role on the enrollment account
Using the values you collected in the first two steps, grant the user or group the RBAC Owner role on the
enrollment account.
Run the following command, replacing <enrollmentAccountObjectId> with the name you copied in the first
step ( 747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx ). Replace <userObjectId> with the object ID you copied from
the second step.
PUT https://management.azure.com/providers/Microsoft.Billing/enrollmentAccounts/<enrollmentAccountObjectId>/providers/Microsoft.Authorization/roleAssignments/<roleAssignmentGuid>?api-version=2015-07-01

{
"properties": {
"roleDefinitionId": "/providers/Microsoft.Billing/enrollmentAccounts/providers/Microsoft.Authorization/roleDefinitions/<ownerRoleDefinitionId>",
"principalId": "<userObjectId>"
}
}

When the Owner role is successfully assigned at the enrollment account scope, Azure responds with
information of the role assignment:

{
"properties": {
"roleDefinitionId": "/providers/Microsoft.Billing/enrollmentAccounts/providers/Microsoft.Authorization/roleDefinitions/<ownerRoleDefinitionId>",
"principalId": "<userObjectId>",
"scope": "/providers/Microsoft.Billing/enrollmentAccounts/747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"createdOn": "2018-03-05T08:36:26.4014813Z",
"updatedOn": "2018-03-05T08:36:26.4014813Z",
"createdBy": "<assignerObjectId>",
"updatedBy": "<assignerObjectId>"
},
"id": "/providers/Microsoft.Billing/enrollmentAccounts/providers/Microsoft.Authorization/roleDefinitions/<ownerRoleDefinitionId>",
"type": "Microsoft.Authorization/roleAssignments",
"name": "<roleAssignmentGuid>"
}

Audit who created subscriptions using activity logs


To track the subscriptions created via this API, use the Tenant Activity Log API. It's currently not possible to use
PowerShell, CLI, or Azure portal to track subscription creation.
1. As a tenant admin of the Azure AD tenant, elevate access then assign a Reader role to the auditing user
over the scope /providers/microsoft.insights/eventtypes/management .
2. As the auditing user, call the Tenant Activity Log API to see subscription creation activities. Example:

GET "/providers/Microsoft.Insights/eventtypes/management/values?api-version=2015-04-01&$filter=eventTimestamp ge '{greaterThanTimeStamp}' and eventTimestamp le '{lessThanTimestamp}' and eventChannels eq 'Operation' and resourceProvider eq 'Microsoft.Subscription'"

To conveniently call this API from the command line, try ARMClient.

Next steps
Now that the user or service principal has permission to create a subscription, you can use that identity to
programmatically create Azure Enterprise subscriptions.
For an example on creating subscriptions using .NET, see sample code on GitHub.
To learn more about Azure Resource Manager and its APIs, see Azure Resource Manager overview.
To learn more about managing large numbers of subscriptions using management groups, see Organize your
resources with Azure management groups.
To see a comprehensive best practice guidance for large organizations on subscription governance, see Azure
enterprise scaffold - prescriptive subscription governance.
Authenticate requests across tenants
12/23/2019 • 2 minutes to read

When creating a multi-tenant application, you may need to handle authentication requests for resources that are in
different tenants. A common scenario is when a virtual machine in one tenant must join a virtual network in
another tenant. Azure Resource Manager provides a header value for storing auxiliary tokens to authenticate the
requests to different tenants.

Header values for authentication


The request has the following authentication header values:

HEADER NAME | DESCRIPTION | EXAMPLE VALUE
Authorization | Primary token | Bearer <primary-token>
x-ms-authorization-auxiliary | Auxiliary tokens | Bearer <auxiliary-token1>, EncryptedBearer <auxiliary-token2>, Bearer <auxiliary-token3>

The auxiliary header can hold up to three auxiliary tokens.


In the code of your multi-tenant app, get the authentication tokens for the other tenants and store them in the auxiliary
header. All the tokens must be from the same user or application. The user or application must have been invited
as a guest to the other tenants.

Processing the request


When your app sends a request to Resource Manager, the request is run under the identity from the primary
token. The primary token must be valid and unexpired. This token must be from a tenant that can manage the
subscription.
When the request references a resource from a different tenant, Resource Manager checks the auxiliary tokens to
determine if the request can be processed. All auxiliary tokens in the header must be valid and unexpired. If any
token is expired, Resource Manager returns a 401 response code. The response includes the client ID and tenant ID
from the token that isn't valid. If the auxiliary header contains a valid token for the tenant, the cross tenant request
is processed.
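A client-side pre-flight check for the rules above, as an added Python example that is not part of the original documentation: it rejects more than three auxiliary tokens, flags any token that is expired or about to expire (naming its tenant and client ID, as the 401 response does), confirms that each tenant the request references has a usable auxiliary token, and then builds both headers. The function names, the 300-second skew and the sample tokens are assumptions made for illustration; `exp`, `tid` and `appid`/`azp` are standard Azure AD access-token claims, and the payload is decoded without signature verification because Resource Manager remains the authority.

```python
import base64
import json
import time

MAX_AUXILIARY_TOKENS = 3  # limit stated on this page


def decode_claims(token):
    """Read a JWT payload WITHOUT verifying the signature (local sanity check only)."""
    try:
        payload = token.split(".")[1]
        payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except (IndexError, ValueError) as exc:
        raise ValueError("not a well-formed JWT") from exc
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def preflight(primary, auxiliary, needed_tenants=(), now=None, skew=300):
    """Return a list of problems; an empty list means the request is worth sending."""
    now = time.time() if now is None else now
    problems = []
    if len(auxiliary) > MAX_AUXILIARY_TOKENS:
        problems.append(f"{len(auxiliary)} auxiliary tokens; the header holds "
                        f"at most {MAX_AUXILIARY_TOKENS}")
    covered = set()
    labelled = [("primary", primary)]
    labelled += [(f"auxiliary[{i}]", t) for i, t in enumerate(auxiliary)]
    for label, token in labelled:
        try:
            claims = decode_claims(token)
        except ValueError as exc:
            problems.append(f"{label}: {exc}")
            continue
        tenant = claims.get("tid")
        client = claims.get("appid") or claims.get("azp")  # v1.0 / v2.0 claim names
        if claims.get("exp", 0) <= now + skew:
            problems.append(f"{label}: expired or about to expire "
                            f"(tenant {tenant}, client {client})")
        elif label != "primary":
            covered.add(tenant)
    for tenant in needed_tenants:
        if tenant not in covered:
            problems.append(f"no valid auxiliary token for tenant {tenant}")
    return problems


def build_headers(primary, auxiliary, needed_tenants=(), now=None):
    """Build the two authentication headers, refusing to build them if pre-flight fails."""
    problems = preflight(primary, auxiliary, needed_tenants, now)
    if problems:
        raise ValueError("; ".join(problems))
    headers = {"Authorization": f"Bearer {primary}"}
    if auxiliary:
        headers["x-ms-authorization-auxiliary"] = ", ".join(f"Bearer {t}" for t in auxiliary)
    return headers


def make_constructed_jwt(claims):
    """Unsigned token for the demo only; real tokens are issued by Azure AD."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"


# Constructed sample tokens with a fixed clock so the result is reproducible.
NOW = 1_700_000_000
PRIMARY = make_constructed_jwt({"tid": "tenant-a", "appid": "app-1", "exp": NOW + 3600})
AUX_B = make_constructed_jwt({"tid": "tenant-b", "appid": "app-1", "exp": NOW + 3600})
AUX_EXPIRED = make_constructed_jwt({"tid": "tenant-c", "appid": "app-1", "exp": NOW - 10})

if __name__ == "__main__":
    print(build_headers(PRIMARY, [AUX_B], needed_tenants=["tenant-b"], now=NOW).keys())
    print(preflight(PRIMARY, [AUX_B, AUX_EXPIRED], needed_tenants=["tenant-c"], now=NOW))
```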

Next steps
To learn about authentication requests, see Authentication flows and application scenarios.
For more information about tokens, see Azure Active Directory access tokens.
View activity logs to monitor actions on resources
12/23/2019 • 5 minutes to read

Through activity logs, you can determine:


what operations were taken on the resources in your subscription
who started the operation
when the operation occurred
the status of the operation
the values of other properties that might help you research the operation
The activity log contains all write operations (PUT, POST, DELETE) for your resources. It doesn't include read
operations (GET). For a list of resource actions, see Azure Resource Manager Resource Provider operations. You
can use the activity logs to find an error when troubleshooting or to monitor how a user in your organization
modified a resource.
Activity logs are kept for 90 days. You can query for any range of dates, as long as the starting date isn't more than
90 days in the past.
You can retrieve information from the activity logs through the portal, PowerShell, Azure CLI, Insights REST API,
or Insights .NET Library.

Azure portal
To view the activity logs through the portal, follow these steps:
1. On the Azure portal menu, select Monitor, or search for and select Monitor from any page.

2. Select Activity Log.


3. You see a summary of recent operations. A default set of filters is applied to the operations. Notice the
information on the summary includes who started the action and when it happened.

4. To quickly run a pre-defined set of filters, select Quick Insights.

5. Select one of the options. For example, select Failed deployments to see errors from deployments.
6. Notice the filters have been changed to focus on deployment errors in the last 24 hours. Only operations
that match the filters are displayed.

7. To focus on specific operations, change the filters or apply new ones. For example, the following image
shows a new value for the Timespan and Resource type is set to storage accounts.

8. If you need to run the query again later, select Pin current filters.

9. Give the filter a name.


10. The filter is available in the dashboard. On the Azure portal menu, select Dashboard.

11. From the portal, you can view changes to a resource. Go back to the default view in Monitor, and select an
operation that involved changing a resource.

12. Select Change history (Preview) and pick one of the available operations.
13. The changes in the resource are displayed.

To learn more about change history, see Get resource changes.

PowerShell
NOTE
This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will
continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM
compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure
PowerShell.

To retrieve log entries, run the Get-AzLog command. You provide additional parameters to filter the list of entries.
If you don't specify a start and end time, entries for the last seven days are returned.

Get-AzLog -ResourceGroup ExampleGroup

The following example shows how to use the activity log to research operations taken during a specified time. The
start and end dates are specified in a date format.

Get-AzLog -ResourceGroup ExampleGroup -StartTime 2019-05-05T06:00 -EndTime 2019-05-09T06:00

Or, you can use date functions to specify the date range, such as the last 14 days.
Get-AzLog -ResourceGroup ExampleGroup -StartTime (Get-Date).AddDays(-14)

You can look up the actions taken by a particular user.

Get-AzLog -ResourceGroup ExampleGroup -StartTime (Get-Date).AddDays(-14) -Caller [email protected]

You can filter for failed operations.

Get-AzLog -ResourceGroup ExampleGroup -Status Failed

You can focus on one error by looking at the status message for that entry.

(Get-AzLog -ResourceGroup ExampleGroup -Status Failed).Properties.Content.statusMessage | ConvertFrom-Json

You can select specific values to limit the data that is returned.

Get-AzLog -ResourceGroupName ExampleGroup | Format-table EventTimeStamp, Caller, @{n='Operation'; e={$_.OperationName.value}}, @{n='Status'; e={$_.Status.value}}, @{n='SubStatus'; e={$_.SubStatus.LocalizedValue}}

Depending on the start time you specify, the previous commands can return a long list of operations for the
resource group. You can filter the results for what you are looking for by providing search criteria. For example,
you can filter by the type of operation.

Get-AzLog -ResourceGroup ExampleGroup | Where-Object {$_.OperationName.value -eq "Microsoft.Resources/deployments/write"}

You can use Resource Graph to see the change history for a resource. For more information, see Get resource
changes.

Azure CLI
To retrieve log entries, run the az monitor activity-log list command with an offset to indicate the time span.

az monitor activity-log list --resource-group ExampleGroup --offset 7d

The following example shows how to use the activity log to research operations taken during a specified time. The
start and end dates are specified in a date format.

az monitor activity-log list -g ExampleGroup --start-time 2019-05-01 --end-time 2019-05-15

You can look up the actions taken by a particular user, even for a resource group that no longer exists.

az monitor activity-log list -g ExampleGroup --caller [email protected] --offset 5d

You can filter for failed operations.

az monitor activity-log list -g ExampleGroup --status Failed --offset 1d


You can focus on one error by looking at the status message for that entry.

az monitor activity-log list -g ExampleGroup --status Failed --offset 1d --query [].properties.statusMessage

You can select specific values to limit the data that is returned.

az monitor activity-log list -g ExampleGroup --offset 1d --query '[].{Operation: operationName.value, Status: status.value, SubStatus: subStatus.localizedValue}'

Depending on the start time you specify, the previous commands can return a long list of operations for the
resource group. You can filter the results for what you are looking for by providing search criteria. For example,
you can filter by the type of operation.

az monitor activity-log list -g ExampleGroup --offset 1d --query "[?operationName.value=='Microsoft.Storage/storageAccounts/write']"

You can use Resource Graph to see the change history for a resource. For more information, see Get resource
changes.
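The PowerShell and Azure CLI queries above each answer one question at a time; the following added Python example (not part of the original documentation) triages a saved export in one pass. It lists failed operations with the error code parsed out of properties.statusMessage, which is itself a JSON string, and counts completed sensitive writes per caller. The sample events are constructed and use only the fields this page queries; the watch list is an assumption to adapt to your environment.

```python
import json
from collections import Counter

# Assumption: operations worth a second look; compared case-insensitively.
WATCHED_OPERATIONS = frozenset({
    "microsoft.authorization/roleassignments/write",
    "microsoft.authorization/locks/delete",
})


def status_error(event):
    """Return (code, message) from properties.statusMessage, tolerating plain text."""
    raw = (event.get("properties") or {}).get("statusMessage")
    if not raw:
        return (None, None)
    try:
        parsed = json.loads(raw)
    except ValueError:
        return (None, raw)  # not JSON: keep the text as the message
    if not isinstance(parsed, dict):
        return (None, str(parsed))
    err = parsed.get("error", parsed)
    if not isinstance(err, dict):
        return (None, str(err))
    return (err.get("code"), err.get("message"))


def failed_operations(events):
    """Rows for every Failed event, oldest first."""
    rows = []
    for event in events:
        if (event.get("status") or {}).get("value") != "Failed":
            continue
        code, message = status_error(event)
        rows.append({
            "time": event.get("eventTimestamp"),
            "caller": event.get("caller"),
            "operation": (event.get("operationName") or {}).get("value"),
            "code": code,
            "message": message,
        })
    return sorted(rows, key=lambda row: row["time"] or "")


def sensitive_writes_by_caller(events, watched=WATCHED_OPERATIONS):
    """Count Succeeded events for watched operations; Started/Accepted entries are skipped."""
    counts = Counter()
    for event in events:
        operation = ((event.get("operationName") or {}).get("value") or "").lower()
        status = (event.get("status") or {}).get("value")
        if operation in watched and status == "Succeeded":
            counts[event.get("caller") or "<unknown>"] += 1
    return counts


def make_event(time, caller, operation, status, status_message=None):
    """Build one constructed event with the fields used on this page."""
    event = {"eventTimestamp": time, "caller": caller,
             "operationName": {"value": operation}, "status": {"value": status}}
    if status_message is not None:
        event["properties"] = {"statusMessage": status_message}
    return event


# Constructed sample, shaped like `az monitor activity-log list` JSON output.
SAMPLE_EVENTS = [
    make_event("2019-05-06T10:02:11Z", "alice@example.com",
               "Microsoft.Storage/storageAccounts/write", "Failed",
               json.dumps({"error": {"code": "ConstructedConflict", "message": "constructed"}})),
    make_event("2019-05-06T09:15:00Z", "bob@example.com",
               "Microsoft.Authorization/roleAssignments/write", "Started"),
    make_event("2019-05-06T09:15:02Z", "bob@example.com",
               "Microsoft.Authorization/roleAssignments/write", "Succeeded"),
    make_event("2019-05-06T08:00:00Z", "carol@example.com",
               "Microsoft.Resources/deployments/write", "Failed", "plain text failure"),
]

if __name__ == "__main__":
    for row in failed_operations(SAMPLE_EVENTS):
        print(row)
    print(dict(sensitive_writes_by_caller(SAMPLE_EVENTS)))
```

To run it on real data, save the CLI output to a file and pass the parsed list to the two functions in place of SAMPLE_EVENTS.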

REST API
The REST operations for working with the activity log are part of the Insights REST API. To retrieve activity log
events, see List the management events in a subscription.

Next steps
Azure Activity logs can be used with Power BI to gain greater insights about the actions in your subscription.
See View and analyze Azure Activity Logs in Power BI and more.
To learn about setting security policies, see Azure Role-based Access Control.
To view more details about the changes to your applications from the infrastructure layer all the way to
application deployment, see Use Application Change Analysis in Azure Monitor.
To learn about the commands for viewing deployment operations, see View deployment operations.
To learn how to prevent deletions on a resource for all users, see Lock resources with Azure Resource Manager.
To see the list of operations available for each Microsoft Azure Resource Manager provider, see Azure Resource
Manager Resource Provider operations.
Azure resource providers and types
12/23/2019 • 6 minutes to read

When deploying resources, you frequently need to retrieve information about the resource providers and types.
For example, if you want to store keys and secrets, you work with the Microsoft.KeyVault resource provider. This
resource provider offers a resource type called vaults for creating the key vault.
The name of a resource type is in the format: {resource-provider}/{resource-type}. The resource type for a key
vault is Microsoft.KeyVault/vaults.
In this article, you learn how to:
View all resource providers in Azure
Check registration status of a resource provider
Register a resource provider
View resource types for a resource provider
View valid locations for a resource type
View valid API versions for a resource type
You can do these steps through the Azure portal, Azure PowerShell, or Azure CLI.
For a list that maps resource providers to Azure services, see Resource providers for Azure services.

Azure portal
To see all resource providers, and the registration status for your subscription:
1. Sign in to the Azure portal.
2. On the Azure portal menu, select All services.
3. In the All services box, enter subscription, and then select Subscriptions.
4. Select the subscription from the subscription list to view.
5. Select Resource providers and view the list of available resource providers.
6. Registering a resource provider configures your subscription to work with the resource provider. The scope
for registration is always the subscription. By default, many resource providers are automatically registered.
However, you may need to manually register some resource providers. To register a resource provider, you
must have permission to do the /register/action operation for the resource provider. This operation is
included in the Contributor and Owner roles. To register a resource provider, select Register. In the previous
screenshot, the Register link is highlighted for Microsoft.Blueprint.
You can't unregister a resource provider when you still have resource types from that resource provider in
your subscription.
To see information for a particular resource provider:
1. Sign in to the Azure portal.
2. On the Azure portal menu, select All services.
3. In the All services box, enter resource explorer, and then select Resource Explorer.
4. Expand Providers by selecting the right arrow.

5. Expand a resource provider and resource type that you want to view.

6. Resource Manager is supported in all regions, but the resources you deploy might not be supported in all
regions. In addition, there may be limitations on your subscription that prevent you from using some
regions that support the resource. The resource explorer displays valid locations for the resource type.
7. The API version corresponds to a version of REST API operations that are released by the resource
provider. As a resource provider enables new features, it releases a new version of the REST API. The
resource explorer displays valid API versions for the resource type.

Azure PowerShell
NOTE
This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will
continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM
compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure
PowerShell.

To see all resource providers in Azure, and the registration status for your subscription, use:

Get-AzResourceProvider -ListAvailable | Select-Object ProviderNamespace, RegistrationState


Which returns results similar to:

ProviderNamespace                RegistrationState
-------------------------------- ------------------
Microsoft.ClassicCompute         Registered
Microsoft.ClassicNetwork         Registered
Microsoft.ClassicStorage         Registered
Microsoft.CognitiveServices      Registered
...

Registering a resource provider configures your subscription to work with the resource provider. The scope for
registration is always the subscription. By default, many resource providers are automatically registered. However,
you may need to manually register some resource providers. To register a resource provider, you must have
permission to do the /register/action operation for the resource provider. This operation is included in the
Contributor and Owner roles.

Register-AzResourceProvider -ProviderNamespace Microsoft.Batch

Which returns results similar to:

ProviderNamespace : Microsoft.Batch
RegistrationState : Registering
ResourceTypes     : {batchAccounts, operations, locations, locations/quotas}
Locations         : {West Europe, East US, East US 2, West US...}

You can't unregister a resource provider when you still have resource types from that resource provider in your
subscription.
To see information for a particular resource provider, use:

Get-AzResourceProvider -ProviderNamespace Microsoft.Batch

Which returns results similar to:

ProviderNamespace : Microsoft.Batch
RegistrationState : Registered
ResourceTypes     : {batchAccounts}
Locations         : {West Europe, East US, East US 2, West US...}

...

To see the resource types for a resource provider, use:

(Get-AzResourceProvider -ProviderNamespace Microsoft.Batch).ResourceTypes.ResourceTypeName

Which returns:

batchAccounts
operations
locations
locations/quotas

The API version corresponds to a version of REST API operations that are released by the resource provider. As a
resource provider enables new features, it releases a new version of the REST API.
To get the available API versions for a resource type, use:

((Get-AzResourceProvider -ProviderNamespace Microsoft.Batch).ResourceTypes | Where-Object ResourceTypeName -eq batchAccounts).ApiVersions

Which returns:

2017-05-01
2017-01-01
2015-12-01
2015-09-01
2015-07-01

Resource Manager is supported in all regions, but the resources you deploy might not be supported in all regions.
In addition, there may be limitations on your subscription that prevent you from using some regions that support
the resource.
To get the supported locations for a resource type, use:

((Get-AzResourceProvider -ProviderNamespace Microsoft.Batch).ResourceTypes | Where-Object ResourceTypeName -eq batchAccounts).Locations

Which returns:

West Europe
East US
East US 2
West US
...

Azure CLI
To see all resource providers in Azure, and the registration status for your subscription, use:

az provider list --query "[].{Provider:namespace, Status:registrationState}" --out table

Which returns results similar to:

Provider                         Status
-------------------------------- ----------------
Microsoft.ClassicCompute         Registered
Microsoft.ClassicNetwork         Registered
Microsoft.ClassicStorage         Registered
Microsoft.CognitiveServices      Registered
...

Registering a resource provider configures your subscription to work with the resource provider. The scope for
registration is always the subscription. By default, many resource providers are automatically registered. However,
you may need to manually register some resource providers. To register a resource provider, you must have
permission to do the /register/action operation for the resource provider. This operation is included in the
Contributor and Owner roles.

az provider register --namespace Microsoft.Batch

Which returns a message that registration is ongoing.


You can't unregister a resource provider when you still have resource types from that resource provider in your
subscription.
To see information for a particular resource provider, use:

az provider show --namespace Microsoft.Batch

Which returns results similar to:

{
  "id": "/subscriptions/####-####/providers/Microsoft.Batch",
  "namespace": "Microsoft.Batch",
  "registrationState": "Registering",
  "resourceTypes": [
    ...
  ]
}

To see the resource types for a resource provider, use:

az provider show --namespace Microsoft.Batch --query "resourceTypes[*].resourceType" --out table

Which returns:

Result
---------------
batchAccounts
operations
locations
locations/quotas

The API version corresponds to a version of REST API operations that are released by the resource provider. As a
resource provider enables new features, it releases a new version of the REST API.
To get the available API versions for a resource type, use:

az provider show --namespace Microsoft.Batch --query "resourceTypes[?resourceType=='batchAccounts'].apiVersions | [0]" --out table

Which returns:

Result
---------------
2017-05-01
2017-01-01
2015-12-01
2015-09-01
2015-07-01

Resource Manager is supported in all regions, but the resources you deploy might not be supported in all regions.
In addition, there may be limitations on your subscription that prevent you from using some regions that support
the resource.
To get the supported locations for a resource type, use:

az provider show --namespace Microsoft.Batch --query "resourceTypes[?resourceType=='batchAccounts'].locations | [0]" --out table

Which returns:

Result
---------------
West Europe
East US
East US 2
West US
...

Next steps
To learn about creating Resource Manager templates, see Authoring Azure Resource Manager templates.
To view the resource provider template schemas, see Template reference.
For a list that maps resource providers to Azure services, see Resource providers for Azure services.
To view the operations for a resource provider, see Azure REST API.
Throttling Resource Manager requests
1/3/2020 • 6 minutes to read

This article describes how Azure Resource Manager throttles requests. It shows you how to track the number of
requests that remain before reaching the limit, and how to respond when you've reached the limit.
Throttling happens at two levels. Azure Resource Manager throttles requests for the subscription and tenant. If the
request is under the throttling limits for the subscription and tenant, Resource Manager routes the request to the
resource provider. The resource provider applies throttling limits that are tailored to its operations. The following
image shows how throttling is applied as a request goes from the user to Azure Resource Manager and the
resource provider.

Subscription and tenant limits


Every subscription-level and tenant-level operation is subject to throttling limits. Subscription requests are ones
that involve passing your subscription ID, such as retrieving the resource groups in your subscription. Tenant
requests don't include your subscription ID, such as retrieving valid Azure locations.
The default throttling limits per hour are shown in the following table.

SCOPE         OPERATIONS  LIMIT
Subscription  reads       12000
Subscription  deletes     15000
Subscription  writes      1200
Tenant        reads       12000
Tenant        writes      1200

These limits are scoped to the security principal (user or application) making the requests and the subscription ID
or tenant ID. If your requests come from more than one security principal, your limit across the subscription or
tenant is greater than 12,000 and 1,200 per hour.
These limits apply to each Azure Resource Manager instance. There are multiple instances in every Azure region,
and Azure Resource Manager is deployed to all Azure regions. So, in practice, the limits are higher than these
limits. The requests from a user are usually handled by different instances of Azure Resource Manager.

Resource provider limits


Resource providers apply their own throttling limits. Because Resource Manager throttles by principal ID and by
instance of Resource Manager, the resource provider might receive more requests than the default limits in the
previous section.
This section discusses the throttling limits of some widely used resource providers.
Storage throttling
The following limits apply only when you perform management operations by using Azure Resource Manager with
Azure Storage.

RESOURCE                                       DEFAULT LIMIT
Storage account management operations (read)   800 per 5 minutes
Storage account management operations (write)  200 per hour
Storage account management operations (list)   100 per 5 minutes

Network throttling
The Microsoft.Network resource provider applies the following throttle limits:

OPERATION             LIMIT
write / delete (PUT)  1000 per 5 minutes
read (GET)            10000 per 5 minutes

Compute throttling
For information about throttling limits for compute operations, see Troubleshooting API throttling errors -
Compute.
For checking virtual machine instances within a virtual machine scale set, use the Virtual Machine Scale Sets
operations. For example, use the Virtual Machine Scale Set VMs - List with parameters to check the power state of
virtual machine instances. This API reduces the number of requests.
Azure Resource Graph throttling
Azure Resource Graph limits the number of requests to its operations. The steps in this article to determine the
remaining requests and how to respond when the limit is reached also apply to Resource Graph. However,
Resource Graph sets its own limit and reset rate. For more information, see Resource Graph throttling headers.

Request increase
Sometimes, throttle limits can be increased. To see if the throttling limits for your scenario can be increased, create
a support request. The details of your calling pattern will be evaluated.

Error code
When you reach the limit, you receive the HTTP status code 429 Too many requests. The response includes a
Retry-After value, which specifies the number of seconds your application should wait (or sleep) before sending
the next request. If you send a request before the retry value has elapsed, your request isn't processed and a new
retry value is returned.
After waiting for the specified time, you can also close and reopen your connection to Azure. By resetting the
connection, you may connect to a different instance of Azure Resource Manager.
If you're using an Azure SDK, the SDK may have an auto retry configuration. For more information, see Retry
guidance for Azure services.
Some resource providers return 429 to report a temporary problem. The problem could be an overload condition
that isn't directly caused by your request. Or, it could represent a temporary error about the state of the target
resource or dependent resource. For example, the network resource provider returns 429 with the
RetryableErrorDueToAnotherOperation error code when the target resource is locked by another operation. To
determine if the error comes from throttling or a temporary condition, view the error details in the response.

Remaining requests
You can determine the number of remaining requests by examining response headers. Read requests return a
value in the header for the number of remaining read requests. Write requests include a value for the number of
remaining write requests. The following table describes the response headers you can examine for those values:

RESPONSE HEADER
    DESCRIPTION

x-ms-ratelimit-remaining-subscription-reads
    Subscription scoped reads remaining. This value is returned on read operations.

x-ms-ratelimit-remaining-subscription-writes
    Subscription scoped writes remaining. This value is returned on write operations.

x-ms-ratelimit-remaining-tenant-reads
    Tenant scoped reads remaining

x-ms-ratelimit-remaining-tenant-writes
    Tenant scoped writes remaining

x-ms-ratelimit-remaining-subscription-resource-requests
    Subscription scoped resource type requests remaining.
    This header value is only returned if a service has overridden the default limit. Resource Manager adds this
    value instead of the subscription reads or writes.

x-ms-ratelimit-remaining-subscription-resource-entities-read
    Subscription scoped resource type collection requests remaining.
    This header value is only returned if a service has overridden the default limit. This value provides the
    number of remaining collection requests (list resources).

x-ms-ratelimit-remaining-tenant-resource-requests
    Tenant scoped resource type requests remaining.
    This header is only added for requests at tenant level, and only if a service has overridden the default
    limit. Resource Manager adds this value instead of the tenant reads or writes.

x-ms-ratelimit-remaining-tenant-resource-entities-read
    Tenant scoped resource type collection requests remaining.
    This header is only added for requests at tenant level, and only if a service has overridden the default
    limit.

The resource provider can also return response headers with information about remaining requests. For
information about response headers returned by the Compute resource provider, see Call rate informational
response headers.

Retrieving the header values


Retrieving these header values in your code or script is no different than retrieving any header value.
For example, in C#, you retrieve the header value from an HttpWebResponse object named response with the
following code:

response.Headers.GetValues("x-ms-ratelimit-remaining-subscription-reads").GetValue(0)

In PowerShell, you retrieve the header value from an Invoke-WebRequest operation.

$r = Invoke-WebRequest -Uri "https://management.azure.com/subscriptions/{guid}/resourcegroups?api-version=2016-09-01" -Method GET -Headers $authHeaders
$r.Headers["x-ms-ratelimit-remaining-subscription-reads"]

For a complete PowerShell example, see Check Resource Manager Limits for a Subscription.
If you want to see the remaining requests for debugging, you can provide the -Debug parameter on your
PowerShell cmdlet.

Get-AzResourceGroup -Debug

Which returns many values, including the following response value:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Pragma : no-cache
x-ms-ratelimit-remaining-subscription-reads: 11999

To get write limits, use a write operation:

New-AzResourceGroup -Name myresourcegroup -Location westus -Debug

Which returns many values, including the following values:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
Created

Headers:
Pragma : no-cache
x-ms-ratelimit-remaining-subscription-writes: 1199

In Azure CLI, you retrieve the header value by using the more verbose option.

az group list --verbose --debug

Which returns many values, including the following values:

msrest.http_logger : Response status: 200


msrest.http_logger : Response headers:
msrest.http_logger : 'Cache-Control': 'no-cache'
msrest.http_logger : 'Pragma': 'no-cache'
msrest.http_logger : 'Content-Type': 'application/json; charset=utf-8'
msrest.http_logger : 'Content-Encoding': 'gzip'
msrest.http_logger : 'Expires': '-1'
msrest.http_logger : 'Vary': 'Accept-Encoding'
msrest.http_logger : 'x-ms-ratelimit-remaining-subscription-reads': '11998'

To get write limits, use a write operation:

az group create -n myresourcegroup --location westus --verbose --debug

Which returns many values, including the following values:

msrest.http_logger : Response status: 201


msrest.http_logger : Response headers:
msrest.http_logger : 'Cache-Control': 'no-cache'
msrest.http_logger : 'Pragma': 'no-cache'
msrest.http_logger : 'Content-Length': '163'
msrest.http_logger : 'Content-Type': 'application/json; charset=utf-8'
msrest.http_logger : 'Expires': '-1'
msrest.http_logger : 'x-ms-ratelimit-remaining-subscription-writes': '1199'
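
The handling described under Error code and Remaining requests, as an added Python example that is not part of the original article: it waits out Retry-After on a 429, separates the RetryableErrorDueToAnotherOperation case from throttling, and reads the x-ms-ratelimit-remaining-* headers. The send callable, the function names, the low_water threshold and the {"error": {"code": ...}} body shape are assumptions of this example; the sample responses are constructed.

```python
import json
import time

PREFIX = "x-ms-ratelimit-remaining-"
# Error code the article names for a 429 that reports a temporary condition.
TEMPORARY_CODES = {"RetryableErrorDueToAnotherOperation"}


def remaining_quota(headers):
    """Map each numeric x-ms-ratelimit-remaining-* header to an int."""
    quota = {}
    for name, value in headers.items():
        name = name.lower()
        # Non-numeric values are skipped rather than guessed at.
        if name.startswith(PREFIX) and str(value).strip().isdigit():
            quota[name[len(PREFIX):]] = int(value)
    return quota


def classify_429(body_text):
    """Return (kind, error_code); kind is 'temporary' or 'throttled'.

    Assumes the error details arrive as {"error": {"code": ..., "message": ...}}.
    """
    try:
        code = json.loads(body_text)["error"]["code"]
    except (ValueError, KeyError, TypeError):
        code = None  # no parsable details: treat as plain throttling
    return ("temporary" if code in TEMPORARY_CODES else "throttled"), code


def send_with_throttle_handling(send, sleep=time.sleep, max_attempts=5,
                                default_wait=10, low_water=100, on_low=None):
    """Call send() until the answer is not 429, waiting Retry-After each time.

    send() -> (status_code, headers, body_text) is caller-supplied (assumption).
    Returns (status_code, headers, body_text, events); events lists every 429.
    """
    events = []
    for attempt in range(1, max_attempts + 1):
        status, headers, body = send()
        if status != 429:
            low = {k: v for k, v in remaining_quota(headers).items() if v < low_water}
            if low and on_low:
                on_low(low)  # hook for logging or slowing down before the limit
            return status, headers, body, events
        kind, code = classify_429(body)
        lowered = {k.lower(): v for k, v in headers.items()}
        try:
            wait = max(0, int(lowered.get("retry-after")))
        except (TypeError, ValueError):
            wait = default_wait
        events.append({"attempt": attempt, "kind": kind, "code": code, "wait": wait})
        if attempt < max_attempts:
            # A request sent before the wait elapses is not processed and only
            # earns a new retry value, so never retry early.
            sleep(wait)
    raise RuntimeError(f"still receiving 429 after {max_attempts} attempts: {events}")


if __name__ == "__main__":
    # Constructed responses: throttled, then busy resource, then success.
    script = [
        (429, {"Retry-After": "3"}, '{"error": {"code": "ConstructedThrottleCode"}}'),
        (429, {}, '{"error": {"code": "RetryableErrorDueToAnotherOperation"}}'),
        (200, {"x-ms-ratelimit-remaining-subscription-reads": "42"}, "[]"),
    ]
    status, _, _, events = send_with_throttle_handling(
        lambda: script.pop(0), sleep=lambda s: print(f"waiting {s}s"), on_low=print)
    print(status, events)
```
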

Next steps
For a complete PowerShell example, see Check Resource Manager Limits for a Subscription.
For more information about limits and quotas, see Azure subscription and service limits, quotas, and
constraints.
To learn about handling asynchronous REST requests, see Track asynchronous Azure operations.
Track asynchronous Azure operations
12/23/2019 • 3 minutes to read

Some Azure REST operations run asynchronously because the operation can't be completed quickly. This article
describes how to track the status of asynchronous operations through values returned in the response.

Status codes for asynchronous operations


An asynchronous operation initially returns an HTTP status code of either:
201 (Created)
202 (Accepted)
When the operation successfully completes, it returns either:
200 (OK)
204 (No Content)
Refer to the REST API documentation to see the responses for the operation you're executing.

Monitor status of operation


The asynchronous REST operations return header values, which you use to determine the status of the operation.
There are potentially three header values to examine:
Azure-AsyncOperation - URL for checking the ongoing status of the operation. If your operation returns this
value, always use it (instead of Location) to track the status of the operation.
Location - URL for determining when an operation has completed. Use this value only when
Azure-AsyncOperation isn't returned.
Retry-After - The number of seconds to wait before checking the status of the asynchronous operation.

However, not every asynchronous operation returns all these values. For example, you may need to evaluate the
Azure-AsyncOperation header value for one operation, and the Location header value for another operation.
You retrieve the header values as you would retrieve any header value for a request. For example, in C#, you
retrieve the header value from an HttpWebResponse object named response with the following code:

response.Headers.GetValues("Azure-AsyncOperation").GetValue(0)

Azure-AsyncOperation request and response


To get the status of the asynchronous operation, send a GET request to the URL in Azure-AsyncOperation header
value.
The body of the response from this operation contains information about the operation. The following example
shows the possible values returned from the operation:

{
  "id": "{resource path from GET operation}",
  "name": "{operation-id}",
  "status" : "Succeeded | Failed | Canceled | {resource provider values}",
  "startTime": "2017-01-06T20:56:36.002812+00:00",
  "endTime": "2017-01-06T20:56:56.002812+00:00",
  "percentComplete": {double between 0 and 100 },
  "properties": {
    /* Specific resource provider values for successful operations */
  },
  "error" : {
    "code": "{error code}",
    "message": "{error description}"
  }
}

Only status is returned for all responses. The error object is returned when the status is Failed or Canceled. All
other values are optional; therefore, the response you receive may look different than the example.

provisioningState values
Operations that create, update, or delete (PUT, PATCH, DELETE) a resource typically return a provisioningState
value. When an operation has completed, one of the following three values is returned:
Succeeded
Failed
Canceled
All other values indicate the operation is still running. The resource provider can return a customized value that
indicates its state. For example, you may receive Accepted when the request is received and running.

Example requests and responses


Start virtual machine (202 with Azure-AsyncOperation)
This example shows how to determine the status of the start operation for virtual machines. The initial request is in
the following format:

POST
https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.Compute/virtualMachines/{vm-name}/start?api-version=2016-03-30

It returns status code 202. Among the header values, you see:

Azure-AsyncOperation : https://management.azure.com/subscriptions/{subscription-id}/providers/Microsoft.Compute/locations/{region}/operations/{operation-id}?api-version=2016-03-30

To check the status of the asynchronous operation, send another request to that URL.

GET
https://management.azure.com/subscriptions/{subscription-id}/providers/Microsoft.Compute/locations/{region}/operations/{operation-id}?api-version=2016-03-30

The response body contains the status of the operation:


{
"startTime": "2017-01-06T18:58:24.7596323+00:00",
"status": "InProgress",
"name": "9a062a88-e463-4697-bef2-fe039df73a02"
}

Deploy resources (201 with Azure-AsyncOperation)


This example shows how to determine the status of the deployments operation for deploying resources to Azure. The
initial request is in the following format:

PUT
https://management.azure.com/subscriptions/{subscription-id}/resourcegroups/{resource-group}/providers/microsoft.resources/deployments/{deployment-name}?api-version=2016-09-01

It returns status code 201. The body of the response includes:

"provisioningState":"Accepted",

Among the header values, you see:

Azure-AsyncOperation: https://management.azure.com/subscriptions/{subscription-id}/resourcegroups/{resource-group}/providers/Microsoft.Resources/deployments/{deployment-name}/operationStatuses/{operation-id}?api-version=2016-09-01

To check the status of the asynchronous operation, send another request to that URL.

GET
https://management.azure.com/subscriptions/{subscription-id}/resourcegroups/{resource-group}/providers/Microsoft.Resources/deployments/{deployment-name}/operationStatuses/{operation-id}?api-version=2016-09-01

The response body contains the status of the operation:

{"status":"Running"}

When the deployment is finished, the response contains:

{"status":"Succeeded"}

Create storage account (202 with Location and Retry-After)


This example shows how to determine the status of the create operation for storage accounts. The initial request is
in the following format:

PUT
https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.Storage/storageAccounts/{storage-name}?api-version=2016-01-01

And the request body contains properties for the storage account:

{ "location": "South Central US", "properties": {}, "sku": { "name": "Standard_LRS" }, "kind": "Storage" }

It returns status code 202. Among the header values, you see the following two values:

Location: https://management.azure.com/subscriptions/{subscription-id}/providers/Microsoft.Storage/operations/{operation-id}?monitor=true&api-version=2016-01-01
Retry-After: 17

After waiting for the number of seconds specified in Retry-After, check the status of the asynchronous operation by
sending another request to that URL.

GET
https://management.azure.com/subscriptions/{subscription-id}/providers/Microsoft.Storage/operations/{operation-id}?monitor=true&api-version=2016-01-01

If the request is still running, you receive a status code 202. If the request has completed, you receive a status code
200, and the body of the response contains the properties of the storage account that has been created.
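
The tracking procedure from this article, as an added Python example that is not part of the original: it picks Azure-AsyncOperation over Location, waits for Retry-After, and stops on Succeeded, Failed or Canceled. The http_get transport, the function names, the default delay and the host check on the status URL are assumptions of this example; the responses in the demo are constructed.

```python
import json
import time
from urllib.parse import urlsplit

TERMINAL_STATES = {"Succeeded", "Failed", "Canceled"}


def get_header(headers, name):
    """Case-insensitive lookup; HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def retry_delay(headers, default):
    """Seconds to wait: Retry-After when it is a non-negative integer, else default."""
    try:
        return max(0, int(get_header(headers, "Retry-After")))
    except (TypeError, ValueError):
        return default


def choose_status_url(headers, allowed_host="management.azure.com"):
    """Return (url, uses_async_header); Azure-AsyncOperation wins over Location."""
    async_url = get_header(headers, "Azure-AsyncOperation")
    url = async_url or get_header(headers, "Location")
    if url is None:
        raise ValueError("neither Azure-AsyncOperation nor Location was returned")
    parts = urlsplit(url)
    # Added precaution (not from the article): the poll carries the bearer token,
    # so refuse a status URL that is not HTTPS on the expected host.
    if parts.scheme != "https" or parts.hostname != allowed_host:
        raise ValueError(f"refusing to poll unexpected URL: {url}")
    return url, async_url is not None


def track_operation(status_code, headers, http_get, sleep=time.sleep,
                    default_delay=5, max_polls=60):
    """Poll until the operation finishes; returns (status, detail).

    http_get(url) -> (status_code, headers, body_text) is a caller-supplied
    transport that adds the Authorization header (assumption of this example).
    """
    if status_code not in (201, 202):
        raise ValueError(f"HTTP {status_code} does not start an asynchronous operation")
    url, uses_async = choose_status_url(headers)
    delay = retry_delay(headers, default_delay)
    for _ in range(max_polls):
        sleep(delay)
        code, poll_headers, body = http_get(url)
        delay = retry_delay(poll_headers, default_delay)
        if code >= 400:
            raise RuntimeError(f"status request failed with HTTP {code}")
        if uses_async:
            doc = json.loads(body)
            status = doc["status"]  # the one field present in every response
            if status == "Succeeded":
                return status, doc.get("properties")
            if status in TERMINAL_STATES:  # Failed or Canceled carry an error object
                return status, doc.get("error")
            # InProgress, Running, Accepted, provider-specific: still running
        elif code in (200, 204):
            return "Succeeded", json.loads(body) if body else None
        # Location polling: 202 means the request is still running
    raise TimeoutError(f"operation still running after {max_polls} polls")


if __name__ == "__main__":
    # Constructed exchange modelled on the storage account example above.
    base = "https://management.azure.com/subscriptions/{subscription-id}/providers"
    start_headers = {"Location": base + "/Microsoft.Storage/operations/{operation-id}",
                     "Retry-After": "17"}
    replies = [(202, {"Retry-After": "17"}, ""), (200, {}, '{"kind": "Storage"}')]
    print(track_operation(202, start_headers, lambda url: replies.pop(0),
                          sleep=lambda s: print(f"waiting {s}s")))
```
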

Next steps
For documentation about each REST operation, see REST API documentation.
For information about deploying templates through the Resource Manager REST API, see Deploy resources
with Resource Manager templates and Resource Manager REST API.
Manage personal data associated with Azure Resource Manager
12/23/2019 • 2 minutes to read

To avoid exposing sensitive information, delete any personal information you may have provided in deployments,
resource groups, or tags. Azure Resource Manager provides operations that let you manage personal data you may
have provided in deployments, resource groups, or tags.

NOTE
This article provides steps for how to delete personal data from the device or service and can be used to support your
obligations under the GDPR. If you’re looking for general info about GDPR, see the GDPR section of the Service Trust portal.

NOTE
This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will
continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM
compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure
PowerShell.

Delete personal data in deployment history


For deployments, Resource Manager retains parameter values and status messages in the deployment history.
These values persist until you delete the deployment from the history. To see if you have provided personal data in
these values, list the deployments. If you find personal data, delete the deployments from the history.
To list deployments in the history, use:
List By Resource Group
Get-AzResourceGroupDeployment
az group deployment list
To delete deployments from the history, use:
Delete
Remove-AzResourceGroupDeployment
az group deployment delete

Delete personal data in resource group names


The name of the resource group persists until you delete the resource group. To see if you have provided personal
data in the names, list the resource groups. If you find personal data, move the resources to a new resource group,
and delete the resource group with personal data in the name.
To list resource groups, use:
List
Get-AzResourceGroup
az group list
To delete resource groups, use:
Delete
Remove-AzResourceGroup
az group delete

Delete personal data in tags


Tag names and values persist until you delete or modify the tag. To see if you have provided personal data in the
tags, list the tags. If you find personal data, delete the tags.
To list tags, use:
List
Get-AzTag
az tag list
To delete tags, use:
Delete
Remove-AzTag
az tag delete

Next steps
For an overview of Azure Resource Manager, see What is Resource Manager?
