+Azure AD B2C custom policy [starter pack](tutorial-create-user-flows.md?pivots=b2c-custom-policy#get-the-starter-pack) comes with several pre-built policies to get you started quickly. Each of these starter packs contains the smallest number of technical profiles and user journeys needed to achieve the scenarios described:

+In the [Azure AD B2C samples GitHub repository](https://github.com/azure-ad-b2c/samples), you'll find samples for several enhanced Azure AD B2C custom CIAM user journeys and scenarios. For example, local account policy enhancements, social account policy enhancements, MFA enhancements, user interface enhancements, generic enhancements, app migration, user migration, conditional access, web test, and CI/CD.

+A claim provides temporary storage of data during an Azure AD B2C policy execution. Claims are more like variable in a programing language. It can store information about the user, such as first name, last name, or any other claim obtained from the user or other systems (claims exchanges). The [claims schema](claimsschema.md) is the place where you declare your claims.

+The [claims transformations](claimstransformations.md) are predefined functions that can be used to convert a given claim into another one, evaluate a claim, or set a claim value. For example adding an item to a string collection, changing the case of a string, or evaluate a date and time claim. A claims transformation specifies a transform method, which is also predefined.

+Each [starter pack](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack) includes the following files:

+Within an Azure AD B2C custom policy, you can integrate your own business logic to build the user experiences you require and extend functionality of the service. We've a set of best practices and recommendations to get started.

+1. We recommend that you download and install [Visual Studio Code](https://code.visualstudio.com/) (VS Code). Visual Studio Code is a lightweight but powerful source code editor, which runs on your desktop and is available for Windows, macOS, and Linux. With VS Code, you can quickly navigate through and edit your Azure AD B2C custom policy XML files by installing the [Azure AD B2C extension for VS Code](https://marketplace.visualstudio.com/items?itemName=AzureADB2CTools.aadb2c)

+To authorize access to a web API, you can serve only requests that include a valid access token that's issued by Azure Active Directory B2C (Azure AD B2C). This article shows you how to enable Azure AD B2C authorization to your web API. After you complete the steps in this article, only users who obtain a valid access token will be authorized to call your web API endpoints.

+ Authorization: Bearer <access token>

+To enable your app to sign in with Azure AD B2C and call a web API, you need to register two applications in the Azure AD B2C directory.

+- [List identity providers configured in the Azure AD B2C tenant](/graph/api/identitycontainer-list-identityproviders)

+During sign-up or password reset, an end user must supply a password that meets the complexity rules. Password complexity rules are enforced per user flow. It's possible to have one user flow require a four-digit pin during sign-up while another user flow requires an eight character string during sign-up. For example, you may use a user flow with different password complexity for adults than for children.

+You can configure password complexity in the following types of user flows:

+If you're using custom policies, you can [configure password complexity in a custom policy](password-complexity.md).

+1. Make sure you're using the directory that contains your Azure AD B2C tenant:

+ 1. Select the **Directories + subscriptions** icon in the portal toolbar.

+ 1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**..

+| Simple | A password that's at least *8* to *64* characters. |

+| Strong | A password that's at least *8* to *64* characters. It requires *3* out of *4* of lowercase, uppercase, numbers, or symbols. |

+1. Make sure you're using the directory that contains your Azure AD B2C tenant:

+ 1. Select the **Directories + subscriptions** icon in the portal toolbar.

+ 1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**.

+1. On the Custom Policies page, select **Upload Policy**.

+1. Select **Upload**.

+1. Open the sign-up or sign-in policy such as *B2C_1A_signup_signin*.

+3. Select **Run now**.

+4. Select **Sign up now**, enter an email address, and enter a new password. Guidance is presented on password restrictions. Finish entering the user information, and then select **Create**. You should see the contents of the token that was returned.

+Your Azure Active Directory B2C (Azure AD B2C) directory user profile comes with a set of built-in attributes, such as given name, surname, city, postal code, and phone number. You can extend the user profile with your own application data without requiring an external data store.

+> You should'nt use built-in or extension attributes to store sensitive personal data, such as account credentials, government identification numbers, cardholder data, financial account data, healthcare information, or sensitive background information.

+- Whether the attribute is available in the Azure portal

+- Whether the attribute can be used in a user flow

+- Whether the attribute can be used in a custom policy [Azure AD technical profile](active-directory-technical-profile.md) and in which section (&lt;InputClaims&gt;, &lt;OutputClaims&gt;, or &lt;PersistedClaims&gt;)

+|userState (externalUserState)³|String|For Azure AD B2B account only, and it indicates whether the invitation is PendingAcceptance or Accepted.|No|No|Persisted, Output|

+¹Not supported by Microsoft Graph<br>²For more information, see [MFA phone number attribute](#mfa-phone-number-attribute)<br>³Shouldn't be used with Azure AD B2C

+The `displayName` is the name to display in Azure portal user management for the user, and in the access token that Azure AD B2C returns to the application. This property is required.

+The following JSON snippet shows **Identities** attribute, with a local account identity with a sign-in name, an email address as sign-in, and with a social identity.

+For a local identity, the **passwordProfile** attribute is required, and contains the user's password. The `forceChangePasswordNextSignIn` attribute indicates whether a user must reset the password at the next sign-in. To handle a forced password reset, us the the instructions in [set up forced password reset flow](force-password-reset.md).

+Extension attributes [extend the schema](/graph/extensibility-overview#schema-extensions) of the user objects in the directory. The extension attributes can only be registered on an application object, even though they might contain data for a user. The extension attribute is attached to the application called `b2c-extensions-app`. Do not modify this application, as it's used by Azure AD B2C for storing user data. You can find this application under Azure Active Directory App registrations. [Learn more about Azure AD B2C](extensions-app.md) `b2c-extensions-app`.

+> - You can write up to 100 extension attributes to any user account.

+Extension attributes in the Graph API are named by using the convention `extension_ApplicationClientID_AttributeName`, where:

+- The `ApplicationClientID` is the **Application (client) ID** of the `b2c-extensions-app` application. [Learn how to find the extensions app](extensions-app.md#verifying-that-the-extensions-app-is-present).

+- The `AttributeName` is the name of the extension attribute.

+Note that the **Application (client) ID** as it's represented in the extension attribute name includes no hyphens. For example:

+ "extension_831374b3bd5041bfaa54263ec9e050fc_loyaltyNumber": "212342"

+Not all Microsoft services are available in all locations. Before a license can be assigned to a group, you must specify the **Usage location** for all members. You can set this value in the **Azure Active Directory &gt; Users &gt;** select a user **&gt; Properties &gt; Settings** area in Azure AD. When assigning licenses to a group or bulk updates such as disabling the synchronization status for the organization, any user whose usage location isn't specified inherits the location of the Azure AD organization.

+| **Restrict non-admin users from creating tenants** | Users can create tenants in the Azure AD and Entra administration portal under Manage tenant. The creation of a tenant is recorded in the Audit log as category DirectoryManagement and activity Create Company. Anyone who creates a tenant will become the Global Administrator of that tenant. The newly created tenant does not inherit any settings or configurations. </p><p></p><p>**What does this switch do?** <br> Setting this option to **Yes** restricts creation of Azure AD tenants to the Global Administrator or tenant creator roles. Setting this option to **No** allows non-admin users to create Azure AD tenants. Tenant create will continue to be recorded in the Audit log. </p><p></p><p>**How do I grant only a specific non-administrator users the ability to create new tenants?** <br> Set this option to Yes, then assign them the tenant creator role.|

+As part of our ongoing initiative to improve the developer experience, service reliability, and security of customer applications, we will end support for the Azure Active Directory Authentication Library (ADAL). The final deadline to migrate your applications to Microsoft Authentication Library (MSAL) has been extended to **June 30, 2023**.

+### Why are we doing this?

+### What happens?

+We recognize that changing libraries is not an easy task, and cannot be accomplished quickly. We are committed to helping customers plan their migrations to MSAL as well as execute them with minimal disruption.

+### How to find out which applications in my tenant are using ADAL?

+### If IΓÇÖm using ADAL, what can I expect after the deadline?

+- We will not be accepting any incident reports or support requests for ADAL. ADAL to MSAL migration support would continue.

+- The underpinning services will continue working and applications that depend on ADAL should continue working; however, applications and the resources they access will be at increased security and reliability risk due to not having the latest updates, service configuration, and enhancements made available through the Microsoft Identity platform.

+- Allow access to trusted applications that meet certain criteria and protect against those applications that don't:

+- [Compromised and malicious applications investigation](/security/compass/incident-response-playbook-compromised-malicious-app)

+ - The name of the system-assigned service principal is always the same as the name of the Azure resource it is created for. For a deployment slot, the name of its system-assigned identity is <app-name>/slots/<slot-name>.

+ Title: Azure Active Directory SSO integration with Exterro Legal GRC Software Platform

+description: Learn how to configure single sign-on between Azure Active Directory and Exterro Legal GRC Software Platform.

+# Azure Active Directory SSO integration with Exterro Legal GRC Software Platform

+In this article, you'll learn how to integrate Exterro Legal GRC Software Platform with Azure Active Directory (Azure AD). The Exterro Platform unifies all of Exterro's E-Discovery and Information Governance solutions, giving you the ability to easily add new Exterro applications as your business needs expand. When you integrate Exterro Legal GRC Software Platform with Azure AD, you can:

+* Control in Azure AD who has access to Exterro Legal GRC Software Platform.

+* Enable your users to be automatically signed-in to Exterro Legal GRC Software Platform with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+You'll configure and test Azure AD single sign-on for Exterro Legal GRC Software Platform in a test environment. Exterro Legal GRC Software Platform supports both **SP** and **IDP** initiated single sign-on.

+## Prerequisites

+To integrate Azure Active Directory with Exterro Legal GRC Software Platform, you need:

+* An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Exterro Legal GRC Software Platform single sign-on (SSO) enabled subscription.

+## Add application and assign a test user

+Before you begin the process of configuring single sign-on, you need to add the Exterro Legal GRC Software Platform application from the Azure AD gallery. You need a test user account to assign to the application and test the single sign-on configuration.

+### Add Exterro Legal GRC Software Platform from the Azure AD gallery

+Add Exterro Legal GRC Software Platform from the Azure AD application gallery to configure single sign-on with Exterro Legal GRC Software Platform. For more information on how to add application from the gallery, see the [Quickstart: Add application from the gallery](../manage-apps/add-application-portal.md).

+### Create and assign Azure AD test user

+Follow the guidelines in the [create and assign a user account](../manage-apps/add-application-portal-assign-users.md) article to create a test user account in the Azure portal called B.Simon.

+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, and assign roles. The wizard also provides a link to the single sign-on configuration pane in the Azure portal. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides).

+## Configure Azure AD SSO

+Complete the following steps to enable Azure AD single sign-on in the Azure portal.

+1. In the Azure portal, on the **Exterro Legal GRC Software Platform** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** textbox, type a URL using the following pattern:

+ `https://<tenant_id>.exterro.net/exterrosso`

+ b. In the **Reply URL** textbox, type a URL using the following pattern:

+ `https://<tenant_id>.exterro.net/exterrosso/saml/SSO`

+1. If you want to configure **SP** initiated SSO, then perform the following step:

+ In the **Sign on URL** textbox, type a URL using one of the following patterns:

+ | **Sign on URL** |

+ |-|

+ | `https://<tenant_id>.exterro.net/exterrosso/saml/` |

+ | `https://<tenant_id>.<domain>` |

+ > [!Note]

+ > These values are not the real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [Exterro Legal GRC Software Platform Client support team](mailto:support@exterro.com) to get these values. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.

+

+1. On the **Set-up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up Exterro Legal GRC Software Platform** section, copy the appropriate URL(s) based on your requirement.

+ 

+## Configure Exterro Legal GRC Software Platform SSO

+To configure single sign-on on **Exterro Legal GRC Software Platform** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Exterro Legal GRC Software Platform support team](mailto:support@exterro.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create Exterro Legal GRC Software Platform test user

+In this section, you create a user called Britta Simon at Exterro Legal GRC Software Platform. Work with [Exterro Legal GRC Software Platform support team](mailto:support@exterro.com) to add the users in the Exterro Legal GRC Software Platform platform. Users must be created and activated before you use single sign-on.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+#### SP initiated:

+* Click on **Test this application** in Azure portal. This will redirect to Exterro Legal GRC Software Platform Sign-on URL where you can initiate the login flow.

+* Go to Exterro Legal GRC Software Platform Sign-on URL directly and initiate the login flow from there.

+#### IDP initiated:

+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Exterro Legal GRC Software Platform for which you set up the SSO.

+You can also use Microsoft My Apps to test the application in any mode. When you click the Exterro Legal GRC Software Platform tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Exterro Legal GRC Software Platform for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Additional resources

+* [What is single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+* [Plan a single sign-on deployment](../manage-apps/plan-sso-deployment.md).

+## Next steps

+Once you configure Exterro Legal GRC Software Platform you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: Azure Active Directory SSO integration with Lusha

+description: Learn how to configure single sign-on between Azure Active Directory and Lusha.

+# Azure Active Directory SSO integration with Lusha

+In this article, you'll learn how to integrate Lusha with Azure Active Directory (Azure AD). Lusha is a sales intelligence solution that delivers instant and accurate contact and company data to help leading sales, marketing, and recruitment teams speed up sales with less work. When you integrate Lusha with Azure AD, you can:

+* Control in Azure AD who has access to Lusha.

+* Enable your users to be automatically signed-in to Lusha with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+You'll configure and test Azure AD single sign-on for Lusha in a test environment. Lusha supports both **SP** and **IDP** initiated single sign-on and also supports **Just In Time** user provisioning.

+> [!NOTE]

+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.

+## Prerequisites

+To integrate Azure Active Directory with Lusha, you need:

+* An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Lusha single sign-on (SSO) enabled subscription.

+## Add application and assign a test user

+Before you begin the process of configuring single sign-on, you need to add the Lusha application from the Azure AD gallery. You need a test user account to assign to the application and test the single sign-on configuration.

+### Add Lusha from the Azure AD gallery

+Add Lusha from the Azure AD application gallery to configure single sign-on with Lusha. For more information on how to add application from the gallery, see the [Quickstart: Add application from the gallery](../manage-apps/add-application-portal.md).

+### Create and assign Azure AD test user

+Follow the guidelines in the [create and assign a user account](../manage-apps/add-application-portal-assign-users.md) article to create a test user account in the Azure portal called B.Simon.

+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, and assign roles. The wizard also provides a link to the single sign-on configuration pane in the Azure portal. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides).

+## Configure Azure AD SSO

+Complete the following steps to enable Azure AD single sign-on in the Azure portal.

+1. In the Azure portal, on the **Lusha** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, the user doesn't have to perform any step as the app is already pre-integrated with Azure.

+1. If you want to configure **SP** initiated SSO, then perform the following step:

+ In the **Sign on URL** textbox, type the URL:

+ `https://auth.lusha.com/sso-login`

+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.

+ 

+## Configure Lusha SSO

+To configure single sign-on on **Lusha** side, you need to send the **App Federation Metadata Url** to [Lusha support team](mailto:support@lusha.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create Lusha test user

+In this section, a user called B.Simon is created in Lusha. Lusha supports just-in-time user provisioning, which is enabled by default. There's no action item for you in this section. If a user doesn't already exist in Lusha, a new one is created after authentication.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+#### SP initiated:

+* Click on **Test this application** in Azure portal. This will redirect to Lusha Sign-on URL where you can initiate the login flow.

+* Go to Lusha Sign-on URL directly and initiate the login flow from there.

+#### IDP initiated:

+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Lusha for which you set up the SSO.

+You can also use Microsoft My Apps to test the application in any mode. When you click the Lusha tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Lusha for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Additional resources

+* [What is single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+* [Plan a single sign-on deployment](../manage-apps/plan-sso-deployment.md).

+## Next steps

+Once you configure Lusha you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: Azure Active Directory SSO integration with MINT TMS

+description: Learn how to configure single sign-on between Azure Active Directory and MINT TMS.

+# Azure Active Directory SSO integration with MINT TMS

+In this article, you'll learn how to integrate MINT TMS with Azure Active Directory (Azure AD). MINT TMS is a Training, Resource and Qualification Management System used as a reliable tool to plan, optimize and measure training and career progress and the actual records of their employees. When you integrate MINT TMS with Azure AD, you can:

+* Control in Azure AD who has access to MINT TMS.

+* Enable your users to be automatically signed-in to MINT TMS with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+You'll configure and test Azure AD single sign-on for MINT TMS in a test environment. MINT TMS supports **IDP** initiated single sign-on.

+## Prerequisites

+To integrate Azure Active Directory with MINT TMS, you need:

+* An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* MINT TMS single sign-on (SSO) enabled subscription.

+## Add application and assign a test user

+Before you begin the process of configuring single sign-on, you need to add the MINT TMS application from the Azure AD gallery. You need a test user account to assign to the application and test the single sign-on configuration.

+### Add MINT TMS from the Azure AD gallery

+Add MINT TMS from the Azure AD application gallery to configure single sign-on with MINT TMS. For more information on how to add application from the gallery, see the [Quickstart: Add application from the gallery](../manage-apps/add-application-portal.md).

+### Create and assign Azure AD test user

+Follow the guidelines in the [create and assign a user account](../manage-apps/add-application-portal-assign-users.md) article to create a test user account in the Azure portal called B.Simon.

+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, and assign roles. The wizard also provides a link to the single sign-on configuration pane in the Azure portal. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides).

+## Configure Azure AD SSO

+Complete the following steps to enable Azure AD single sign-on in the Azure portal.

+1. In the Azure portal, on the **MINT TMS** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** textbox, type a value using the following pattern:

+ `<environment-name>`

+ b. In the **Reply URL** textbox, type a URL using the following pattern:

+ `https://<environment-name>.mint-online.com/`

+ > [!Note]

+ > These values are not real. Update these values with the actual Identifier and Reply URL. Contact [MINT TMS Client support team](mailto:support@media-interactive.de) to get these values. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.

+

+1. On the **Set-up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up MINT TMS** section, copy the appropriate URL(s) based on your requirement.

+ 

+## Configure MINT TMS SSO

+To configure single sign-on on **MINT TMS** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [MINT TMS support team](mailto:support@media-interactive.de). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create MINT TMS test user

+In this section, you create a user called Britta Simon at MINT TMS. Work with [MINT TMS support team](mailto:support@media-interactive.de) to add the users in the MINT TMS platform. Users must be created and activated before you use single sign-on.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on Test this application in Azure portal and you should be automatically signed in to the MINT TMS for which you set up the SSO.

+* You can use Microsoft My Apps. When you click the MINT TMS tile in the My Apps, you should be automatically signed in to the MINT TMS for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Additional resources

+* [What is single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+* [Plan a single sign-on deployment](../manage-apps/plan-sso-deployment.md).

+## Next steps

+Once you configure MINT TMS you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: Azure Active Directory SSO integration with my.sdworx.com

+description: Learn how to configure single sign-on between Azure Active Directory and my.sdworx.com.

+# Azure Active Directory SSO integration with my.sdworx.com

+In this article, you'll learn how to integrate my.sdworx.com with Azure Active Directory (Azure AD). my.sdworx.com is a SD Worx portal. When you integrate my.sdworx.com with Azure AD, you can:

+* Control in Azure AD who has access to my.sdworx.com.

+* Enable your users to be automatically signed-in to my.sdworx.com with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+You'll configure and test Azure AD single sign-on for my.sdworx.com in a test environment. my.sdworx.com supports **IDP** initiated single sign-on.

+> [!NOTE]

+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.

+## Prerequisites

+To integrate Azure Active Directory with my.sdworx.com, you need:

+* An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* my.sdworx.com single sign-on (SSO) enabled subscription.

+## Add application and assign a test user

+Before you begin the process of configuring single sign-on, you need to add the my.sdworx.com application from the Azure AD gallery. You need a test user account to assign to the application and test the single sign-on configuration.

+### Add my.sdworx.com from the Azure AD gallery

+Add my.sdworx.com from the Azure AD application gallery to configure single sign-on with my.sdworx.com. For more information on how to add application from the gallery, see the [Quickstart: Add application from the gallery](../manage-apps/add-application-portal.md).

+### Create and assign Azure AD test user

+Follow the guidelines in the [create and assign a user account](../manage-apps/add-application-portal-assign-users.md) article to create a test user account in the Azure portal called B.Simon.

+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, and assign roles. The wizard also provides a link to the single sign-on configuration pane in the Azure portal. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides).

+## Configure Azure AD SSO

+Complete the following steps to enable Azure AD single sign-on in the Azure portal.

+1. In the Azure portal, on the **my.sdworx.com** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, the user does not have to perform any step as the app is already pre-integrated with Azure.

+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.

+ 

+## Configure my.sdworx.com SSO

+To configure single sign-on on **my.sdworx.com** side, you need to send the **App Federation Metadata Url** to [my.sdworx.com support team](mailto:support@sdworx.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create my.sdworx.com test user

+In this section, you create a user called Britta Simon at my.sdworx.com. Work with [my.sdworx.com support team](mailto:support@sdworx.com) to add the users in the my.sdworx.com platform. Users must be created and activated before you use single sign-on.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on Test this application in Azure portal and you should be automatically signed in to the my.sdworx.com for which you set up the SSO.

+* You can use Microsoft My Apps. When you click the my.sdworx.com tile in the My Apps, you should be automatically signed in to the my.sdworx.com for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Additional resources

+* [What is single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+* [Plan a single sign-on deployment](../manage-apps/plan-sso-deployment.md).

+## Next steps

+Once you configure my.sdworx.com you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: Azure Active Directory SSO integration with Pinpoint (SAML)

+description: Learn how to configure single sign-on between Azure Active Directory and Pinpoint (SAML).

+# Azure Active Directory SSO integration with Pinpoint (SAML)

+In this article, you'll learn how to integrate Pinpoint (SAML) with Azure Active Directory (Azure AD). DDIΓÇÖs Pinpoint platform makes it easy to design, deliver, and track blended learning journeys for leaders. Pinpoint is seamlessly integrated into DDIΓÇÖs award-winning leadership development solutions. When you integrate Pinpoint (SAML) with Azure AD, you can:

+* Control in Azure AD who has access to Pinpoint (SAML).

+* Enable your users to be automatically signed-in to Pinpoint (SAML) with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+You'll configure and test Azure AD single sign-on for Pinpoint (SAML) in a test environment. Pinpoint (SAML) supports only **SP** initiated single sign-on.

+> [!NOTE]

+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.

+## Prerequisites

+To integrate Azure Active Directory with Pinpoint (SAML), you need:

+* An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Pinpoint (SAML) single sign-on (SSO) enabled subscription.

+## Add application and assign a test user

+Before you begin the process of configuring single sign-on, you need to add the Pinpoint (SAML) application from the Azure AD gallery. You need a test user account to assign to the application and test the single sign-on configuration.

+### Add Pinpoint (SAML) from the Azure AD gallery

+Add Pinpoint (SAML) from the Azure AD application gallery to configure single sign-on with Pinpoint (SAML). For more information on how to add application from the gallery, see the [Quickstart: Add application from the gallery](../manage-apps/add-application-portal.md).

+### Create and assign Azure AD test user

+Follow the guidelines in the [create and assign a user account](../manage-apps/add-application-portal-assign-users.md) article to create a test user account in the Azure portal called B.Simon.

+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, and assign roles. The wizard also provides a link to the single sign-on configuration pane in the Azure portal. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides).

+## Configure Azure AD SSO

+Complete the following steps to enable Azure AD single sign-on in the Azure portal.

+1. In the Azure portal, on the **Pinpoint (SAML)** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** textbox, type the URL:

+ `https://login.ddiworld.com`

+ b. In the **Reply URL** textbox, type the URL:

+ `https://login.ddiworld.com/SAML/sp/profile/post/acs`

+ c. In the **Sign on URL** textbox, type a URL using the following pattern:

+ `https://pinpoint.ddiworld.com/<CustomerName>`

+ > [!Note]

+ > This value is not real. Update this value with the actual Sign on URL. Contact [Pinpoint (SAML) Client support team](mailto:ssosupport@ddiworld.com) to get the value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.

+

+1. On the **Set-up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up Pinpoint (SAML)** section, copy the appropriate URL(s) based on your requirement.

+ 

+## Configure Pinpoint (SAML) SSO

+To configure single sign-on on **Pinpoint (SAML)** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Pinpoint (SAML) support team](mailto:ssosupport@ddiworld.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create Pinpoint (SAML) test user

+In this section, you create a user called Britta Simon at Pinpoint (SAML). Work with [Pinpoint (SAML) support team](mailto:ssosupport@ddiworld.com) to add the users in the Pinpoint (SAML) platform. Users must be created and activated before you use single sign-on.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on **Test this application** in Azure portal. This will redirect to Pinpoint (SAML) Sign-on URL where you can initiate the login flow.

+* Go to Pinpoint (SAML) Sign-on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the Pinpoint (SAML) tile in the My Apps, this will redirect to Pinpoint (SAML) Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Additional resources

+* [What is single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+* [Plan a single sign-on deployment](../manage-apps/plan-sso-deployment.md).

+## Next steps

+Once you configure Pinpoint (SAML) you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+Azure Kubernetes Service (AKS) can be configured to use Azure Active Directory (Azure AD) for user authentication. In this configuration, you sign in to an AKS cluster using an Azure AD authentication token. Once authenticated, you can use the built-in Kubernetes role-based access control (Kubernetes RBAC) to manage access to namespaces and cluster resources based on a user's identity or group membership.

+This article shows you how to:

+* Control access using Kubernetes RBAC in an AKS cluster based on Azure AD group membership.

+* Create example groups and users in Azure AD.

+* Create Roles and RoleBindings in an AKS cluster to grant the appropriate permissions to create and view resources.

+## Before you begin

+* This article assumes that you have an existing AKS cluster enabled with Azure AD integration. If you need an AKS cluster, see [Integrate Azure AD with AKS][azure-ad-aks-cli].

+* Kubernetes RBAC is enabled by default during AKS cluster creation. If Kubernetes RBAC wasn't enabled when you originally deployed your cluster, you'll need to delete and recreate your cluster.

+* Make sure that Azure CLI version 2.0.61 or later is installed and configured. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].

+* If using Terraform, install [Terraform][terraform-on-azure] version 2.99.0 or later.

+Use the Azure portal or Azure CLI to verify if Kubernetes RBAC is enabled.

+Verify Kubernetes RBAC is enabled using the Azure portal:

+* From your browser, sign in to the [Azure portal](https://portal.azure.com).

+* Navigate to Kubernetes services, and from the left-hand pane select **Cluster configuration**.

+* Under the **Authentication and Authorization** section, check to see if the **Local accounts with Kubernetes RBAC** or the **Azure AD authentication with Kubernetes RBAC** option is shown.

+Verify Kubernetes RBAC is enabled using Azure CLI, with the `az aks show` command:

+```azurecli

+az aks show --resource-group myResourceGroup --name myAKSCluster

+If it's enabled, the output will show the value for `enableRbac` is `true`.

+In this article, we'll create two user roles to show how Kubernetes RBAC and Azure AD control access to cluster resources. The following two example roles are used:

+ * A user named *aksdev* that's part of the *appdev* group.

+ * A user named *akssre* that's part of the *opssre* group.

+1. First, get the resource ID of your AKS cluster using the [`az aks show`][az-aks-show] command. Then, assign the resource ID to a variable named *AKS_ID* so it can be referenced in other commands.

+ ```azurecli-interactive

+ AKS_ID=$(az aks show \

+ --resource-group myResourceGroup \

+ --name myAKSCluster \

+ --query id -o tsv)

+ ```

+2. Create the first example group in Azure AD for the application developers using the [`az ad group create`][az-ad-group-create] command. The following example creates a group named *appdev*:

+ ```azurecli-interactive

+ APPDEV_ID=$(az ad group create --display-name appdev --mail-nickname appdev --query Id -o tsv)

+ ```

+3. Create an Azure role assignment for the *appdev* group using the [`az role assignment create`][az-role-assignment-create] command. This assignment lets any member of the group use `kubectl` to interact with an AKS cluster by granting them the *Azure Kubernetes Service Cluster User* Role.

+ ```azurecli-interactive

+ az role assignment create \

+ --assignee $APPDEV_ID \

+ --role "Azure Kubernetes Service Cluster User Role" \

+ --scope $AKS_ID

+ ```

+> If you receive an error such as `Principal 35bfec9328bd4d8d9b54dea6dac57b82 doesn't exist in the directory a5443dcd-cd0e-494d-a387-3039b419f0d5.`, wait a few seconds for the Azure AD group object ID to propagate through the directory then try the `az role assignment create` command again.

+4. Create a second example group for SREs named *opssre*.

+ ```azurecli-interactive

+ OPSSRE_ID=$(az ad group create --display-name opssre --mail-nickname opssre --query objectId -o tsv)

+ ```

+5. Create an Azure role assignment to grant members of the group the *Azure Kubernetes Service Cluster User* Role.

+ ```azurecli-interactive

+ az role assignment create \

+ --assignee $OPSSRE_ID \

+ --role "Azure Kubernetes Service Cluster User Role" \

+ --scope $AKS_ID

+ ```

+Now that we have two example groups created in Azure AD for our application developers and SREs, we'll create two example users. To test the Kubernetes RBAC integration at the end of the article, you'll sign in to the AKS cluster with these accounts.

+### Set the user principal name and password for application developers

+Set the user principal name (UPN) and password for the application developers. The UPN must include the verified domain name of your tenant, for example `aksdev@contoso.com`.

+The following command prompts you for the UPN and sets it to *AAD_DEV_UPN* so it can be used in a later command:

+The following command prompts you for the password and sets it to *AAD_DEV_PW* for use in a later command:

+### Create the user accounts

+1. Create the first user account in Azure AD using the [`az ad user create`][az-ad-user-create] command. The following example creates a user with the display name *AKS Dev* and the UPN and secure password using the values in *AAD_DEV_UPN* and *AAD_DEV_PW*:

+2. Add the user to the *appdev* group created in the previous section using the [`az ad group member add`][az-ad-group-member-add] command.

+3. Set the UPN and password for SREs. The UPN must include the verified domain name of your tenant, for example `akssre@contoso.com`. The following command prompts you for the UPN and sets it to *AAD_SRE_UPN* for use in a later command:

+4. The following command prompts you for the password and sets it to *AAD_SRE_PW* for use in a later command:

+5. Create a second user account. The following example creates a user with the display name *AKS SRE* and the UPN and secure password using the values in *AAD_SRE_UPN* and *AAD_SRE_PW*:

+## Create AKS cluster resources for app devs

+We have our Azure AD groups, users, and Azure role assignments created. Now, we'll configure the AKS cluster to allow these different groups access to specific resources.

+1. Get the cluster admin credentials using the [`az aks get-credentials`][az-aks-get-credentials] command. In one of the following sections, you get the regular *user* cluster credentials to see the Azure AD authentication flow in action.

+2. Create a namespace in the AKS cluster using the [`kubectl create namespace`][kubectl-create] command. The following example creates a namespace name *dev*:

+> [!NOTE]

+> In Kubernetes, *Roles* define the permissions to grant, and *RoleBindings* apply them to desired users or groups. These assignments can be applied to a given namespace, or across the entire cluster. For more information, see [Using Kubernetes RBAC authorization][rbac-authorization].

+3. Create a Role for the *dev* namespace, which grants full permissions to the namespace. In production environments, you can specify more granular permissions for different users or groups. Create a file named `role-dev-namespace.yaml` and paste the following YAML manifest:

+4. Create the Role using the [`kubectl apply`][kubectl-apply] command and specify the filename of your YAML manifest.

+5. Get the resource ID for the *appdev* group using the [`az ad group show`][az-ad-group-show] command. This group is set as the subject of a RoleBinding in the next step.

+6. Create a RoleBinding for the *appdev* group to use the previously created Role for namespace access. Create a file named `rolebinding-dev-namespace.yaml` and paste the following YAML manifest. On the last line, replace *groupObjectId* with the group object ID output from the previous command.

+7. Create the RoleBinding using the [`kubectl apply`][kubectl-apply] command and specify the filename of your YAML manifest:

+Now, we'll repeat the previous steps to create a namespace, Role, and RoleBinding for the SREs.

+1. Create a namespace for *sre* using the [`kubectl create namespace`][kubectl-create] command.

+2. Create a file named `role-sre-namespace.yaml` and paste the following YAML manifest:

+3. Create the Role using the [`kubectl apply`][kubectl-apply] command and specify the filename of your YAML manifest.

+4. Get the resource ID for the *opssre* group using the [az ad group show][az-ad-group-show] command.

+4. Create a RoleBinding for the *opssre* group to use the previously created Role for namespace access. Create a file named `rolebinding-sre-namespace.yaml` and paste the following YAML manifest. On the last line, replace *groupObjectId* with the group object ID output from the previous command.

+5. Create the RoleBinding using the [`kubectl apply`][kubectl-apply] command and specify the filename of your YAML manifest.

+Now, we'll test that the expected permissions work when you create and manage resources in an AKS cluster. In these examples, we'll schedule and view pods in the user's assigned namespace, and try to schedule and view pods outside of the assigned namespace.

+1. Reset the *kubeconfig* context using the [`az aks get-credentials`][az-aks-get-credentials] command. In a previous section, you set the context using the cluster admin credentials. The admin user bypasses Azure AD sign-in prompts. Without the `--admin` parameter, the user context is applied that requires all requests to be authenticated using Azure AD.

+2. Schedule a basic NGINX pod using the [`kubectl run`][kubectl-run] command in the *dev* namespace.

+3. Enter the credentials for your own `appdev@contoso.com` account created at the start of the article as the sign-in prompt. Once you're successfully signed in, the account token is cached for future `kubectl` commands. The NGINX is successfully schedule, as shown in the following example output:

+4. Use the [`kubectl get pods`][kubectl-get] command to view pods in the *dev* namespace.

+5. Ensure the status of the NGINX pod is *Running*. The output will look similar to the following output:

+Try to view pods outside of the *dev* namespace. Use the [`kubectl get pods`][kubectl-get] command again, this time to see `--all-namespaces`.

+The user's group membership doesn't have a Kubernetes Role that allows this action, as shown in the following example output:

+In the same way, try to schedule a pod in a different namespace, such as the *sre* namespace. The user's group membership doesn't align with a Kubernetes Role and RoleBinding to grant these permissions, as shown in the following example output:

+1. Reset the *kubeconfig* context using the [`az aks get-credentials`][az-aks-get-credentials] command that clears the previously cached authentication token for the *aksdev* user.

+2. Try to schedule and view pods in the assigned *sre* namespace. When prompted, sign in with your own `opssre@contoso.com` credentials created at the start of the article.

+3. To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code BM4RHP3FD to authenticate.

+4. Try to view or schedule pods outside of assigned SRE namespace.

+These `kubectl` commands fail, as shown in the following example output. The user's group membership and Kubernetes Role and RoleBindings don't grant permissions to create or manager resources in other namespaces.

+In this article, you created resources in the AKS cluster and users and groups in Azure AD. To clean up all of the resources, run the following commands:

+# Get the admin kubeconfig context to delete the necessary cluster resources.

+# Delete the dev and sre namespaces. This also deletes the pods, Roles, and RoleBindings.

+# Delete the Azure AD user accounts for aksdev and akssre.

+* For more information about how to secure Kubernetes clusters, see [Access and identity options for AKS][rbac-authorization].

+* For best practices on identity and resource control, see [Best practices for authentication and authorization in AKS][operator-best-practices-identity].

+ labels:

+ azure.workload.identity/use: "true"

+## Deploy your application

+> [!IMPORTANT]

+> Ensure your application pods using workload identity have added the following label [azure.workload.identity/use: "true"] to your running pods/deployments, otherwise the pods will fail once restarted.

+```azurecli-interactive

+kubectl apply -f <your application>

+```

+The following IP addresses are divided by **Azure Environment** and **Region**. In some cases, two IP addresses are listed. Permit both IP addresses.

+| **Business Card** | &bullet; `latest` </br> &bullet; `2.1` |`docker pull mcr.microsoft.com/azure-cognitive-services/form-recognizer/businesscard` |

+## Supported mappings for Log Analytics and Azure Automation

+> - Update assessment of Linux machines is only supported in certain regions as listed in the Automation account and Log Analytics workspace [mappings table](../how-to/region-mappings.md#supported-mappings-for-log-analytics-and-azure-automation).

+> Update assessment of Linux machines is only supported in certain regions as listed in the Automation account and Log Analytics workspace [mappings table](../how-to/region-mappings.md#supported-mappings-for-log-analytics-and-azure-automation).

+> Update assessment of Linux machines is supported in certain regions only. See the Automation account and Log Analytics workspace [mappings table](../how-to/region-mappings.md#supported-mappings-for-log-analytics-and-azure-automation).

+Azure Automation region mapping updated to support Update Management feature in South Central US region. See [Supported region mapping](how-to/region-mappings.md#supported-mappings-for-log-analytics-and-azure-automation) for updates to the documentation to reflect this change.

+Azure Automation region mapping updated to support Update Management feature in China East 2 region. See [Supported region mapping](how-to/region-mappings.md#supported-mappings-for-log-analytics-and-azure-automation) for updates to the documentation to reflect this change.

+## January 2023

+### Public Preview of Automation extension for Visual Studio Code

+ Azure Automation now provides an [extension from VS Code](https://marketplace.visualstudio.com/items?itemName=azure-automation.vscode-azureautomation&ssr=false#overview) that allows you to create and manage runbooks. For more information, see the [Key features and limitations](automation-runbook-authoring.md) and [runbook management operations](how-to/runbook-authoring-extension-for-vscode.md).

+Set up disaster recovery for your Automation accounts to handle a region-wide or zone-wide failure. [Learn more](automation-disaster-recovery.md).

+Azure Automation now supports [Azure availability zones](../reliability/availability-zones-overview.md#availability-zones) to provide improved resiliency and reliability by providing high availability to the service, runbooks, and other Automation assets. [Learn more](automation-availability-zones.md).

+Region mapping has been updated to support Update Management and Change Tracking in Norway East, UAE North, North Central US, Brazil South, and Korea Central. For more information, see [Supported mappings](./how-to/region-mappings.md#supported-mappings-for-log-analytics-and-azure-automation).

+Authenticating with Azure AD credentials has additional requirements:

+ - `aadsshlogin` and `aadsshlogin-selinux` (as appropriate) must be installed on the Arc-enabled server. These packages are installed with the AADSSHLoginForLinux VM extension.

+ - Configure role assignments for the VM. Two Azure roles are used to authorize VM login:

+ - **Virtual Machine Administrator Login**: Users who have this role assigned can log in to an Azure virtual machine with administrator privileges.

+ - **Virtual Machine User Login**: Users who have this role assigned can log in to an Azure virtual machine with regular user privileges.

+

+ An Azure user who has the Owner or Contributor role assigned for a VM doesn't automatically have privileges to Azure AD login to the VM over SSH. There's an intentional (and audited) separation between the set of people who control virtual machines and the set of people who can access virtual machines.

+ > [!NOTE]

+ > The Virtual Machine Administrator Login and Virtual Machine User Login roles use `dataActions` and can be assigned at the management group, subscription, resource group, or resource scope. We recommend that you assign the roles at the management group, subscription, or resource level and not at the individual VM level. This practice avoids the risk of reaching the [Azure role assignments limit](../../role-based-access-control/troubleshooting.md#limits) per subscription.

+ @app.route(route="hello", auth_level=func.AuthLevel.ANONYMOUS)

+ app = func.FunctionApp()

+ @app.route(route="hello", auth_level=func.AuthLevel.ANONYMOUS)

+- A VM, Virtual Machine Scale Set, or Arc-enabled on-premises server that writes logs to a text file.

+

+ Text file requirements:

+ - Store on the local drive of the machine on which Azure Monitor Agent is running.

+ - Delineate with an end of line.

+ - Use ASCII or UTF-8 encoding. Other formats such as UTF-16 aren't supported.

+ - Do not allow circular logging, log rotation where the file is overwritten with new entries, or renaming where a file is moved and a new file with the same name is opened.

+description: Understand the common alert schema definitions for Azure Monitor for the Test Action group.

+# Common alert schema definitions for Test Action Group (preview)

+This article describes the [common alert schema definitions](./alerts-common-schema.md) for Azure Monitor. It includes schema definitions for webhooks, Azure Logic Apps, Azure Functions, and Azure Automation runbooks.

+* **Essentials**: A set of standardized fields common across all alert types that describes what resource the alert is on, along with more common alert metadata like severity or description.

+* **Alert context**: A set of fields that describes the cause of the alert, with fields that vary based on the alert type. For example, a metric alert includes fields like the metric name and metric value in the alert context. An activity log alert has information about the event that generated the alert.

+| `alertId` | The unique resource ID that identifies the alert instance. |

+| `alertRule` | The name of the alert rule that generated the alert instance. |

+| `Severity` | The severity of the alert. Possible values: `Sev0`, `Sev1`, `Sev2`, `Sev3`, or `Sev4`. |

+| `signalType` | Identifies the signal on which the alert rule was defined. Possible values: `Metric`, `Log`, or `Activity Log`. |

+| `monitorCondition` | When an alert fires, the alert's monitor condition is set to `Fired`. When the underlying condition that caused the alert to fire clears, the monitor condition is set to `Resolved`. |

+| `monitoringService` | The monitoring service or solution that generated the alert. The fields for the alert context are dictated by the monitoring service. |

+| `alertTargetIds` | The list of the Azure Resource Manager IDs that are affected targets of an alert. For a log alert defined on a Log Analytics workspace or Application Insights instance, it's the respective workspace or application. |

+| `configurationItems` | The list of affected resources of an alert. The configuration items can be different from the alert targets in some cases, for example, in metric-for-log or log alerts defined on a Log Analytics workspace. The configuration items are the actual resources that send the telemetry and not the workspace. This field is used by IT service management systems to correlate alerts to resources in a configuration management database. |

+| `originAlertId` | The ID of the alert instance, as generated by the monitoring service generating it. |

+| `firedDateTime` | The date and time when the alert instance was fired in Coordinated Universal Time (UTC). |

+| `resolvedDateTime` | The date and time when the monitor condition for the alert instance is set to `Resolved` in UTC. Currently, only applicable for metric alerts.|

+| `description` | The description, as defined in the alert rule. |

+|`essentialsVersion`| The version number for the `essentials` section.|

+|`alertContextVersion` | The version number for the `alertContext` section. |

+#### monitoringService = Platform

+#### monitoringService = Platform

+> For log alerts that have a custom email subject and/or JSON payload defined, enabling the common schema reverts email subject and/or payload schema to the one described as follows. This means that if you want to have a custom JSON payload defined, the webhook can't use the common alert schema.

+Alerts with the common schema enabled have an upper size limit of 256 KB per alert. Search results aren't embedded in the log alerts payload if they cause the alert size to cross this threshold. To determine size, check the flag `IncludedSearchResults`. When the search results aren't included, use `LinkToFilteredSearchResultsAPI` or `LinkToSearchResultsAPI` to access query results with the [Log Analytics API](/rest/api/loganalytics/dataaccess/query/get).

+#### monitoringService = Log Alerts V1 ΓÇô Metric

+#### monitoringService = Log Alerts V1 - Numresults

+#### monitoringService = Log Alerts V2

+> Log alerts rules from API version 2020-05-01 use this payload type, which only supports common schema. Search results aren't embedded in the log alerts payload when you use this version. Use [dimensions](./alerts-unified-log.md#split-by-alert-dimensions) to provide context to fired alerts.

+You can also use `LinkToFilteredSearchResultsAPI` or `LinkToSearchResultsAPI` to access query results with the [Log Analytics API](/rest/api/loganalytics/dataaccess/query/get). If you must embed the results, use a logic app with the provided links to generate a custom payload.

+#### monitoringService = Activity Log - Administrative

+#### monitoringService = ServiceHealth

+#### monitoringService = Resource Health

+#### monitoringService = Budget

+#### monitoringService = Smart Alert

+ - We recommend using [Dimensions](alerts-types.md#narrow-the-target-by-using-dimensions). Dimensions provide the column value that fired the alert, which gives you context for why the alert fired and how to fix the issue.

+- [PowerShell cmdlets](./alerts-manage-alerts-previous-version.md#manage-log-alerts-by-using-powershell) and [Azure CLI](./alerts-log.md#manage-log-alerts-using-cli) support for switched rules.

+- All switched rules must be created/edited with the current API. See [sample use via Azure Resource Template](alerts-log-create-templates.md) and [sample use via PowerShell](./alerts-manage-alerts-previous-version.md#manage-log-alerts-by-using-powershell).

+- Learn how to [manage log alerts using PowerShell](./alerts-manage-alerts-previous-version.md#manage-log-alerts-by-using-powershell).

+## Manage your alerts programmatically

+You can query your alerts instances to create custom views outside of the Azure portal, or to analyze your alerts to identify patterns and trends.

+We recommended that you use [Azure Resource Graphs](https://portal.azure.com/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade) with the 'AlertsManagementResources' schema for managing alerts across multiple subscriptions. For a sample query, see [Azure Resource Graph sample queries for Azure Monitor](../resource-graph-samples.md).

+You can use Azure Resource Graphs:

+ - with [Azure PowerShell](/powershell/module/az.monitor/)

+ - with the [Azure CLI](/cli/azure/monitor?view=azure-cli-latest&preserve-view=true)

+ - in the Azure portal

+

+You can also use the [Alert Management REST API](/rest/api/monitor/alertsmanagement/alerts) for lower scale querying or to update fired alerts.

+description: Use the Azure Monitor portal to manage log alert rules created in earlier versions.

+This article describes the process of managing alert rules created in the previous UI or by using API version `2018-04-16` or earlier. Alert rules created in the latest UI are viewed and managed in the new UI, as described in [Create, view, and manage log alerts by using Azure Monitor](alerts-log.md).

+1. In the [Azure portal](https://portal.azure.com/), select the resource you want.

+1. On the top bar, select **Alert rules**.

+1. The **Configure signal logic** pane opens with historical data for the query that appears as a graph. You can change the **Time range** of the chart to display data from the last six hours to last week.

+ If your query results contain summarized data or specific columns without the time column, the chart shows a single value.

+ :::image type="content" source="media/alerts-log/alerts-edit-alerts-rule.png" alt-text="Screenshot that shows the Configure signal logic pane.":::

+1. Edit the alert rule conditions by using these sections:

+ - **Search query**: In this section, you can modify your query.

+ - **Alert logic**: Log alerts can be based on two types of [measures](./alerts-unified-log.md#measure):

+ 1. **Number of results**: Count of records returned by the query.

+ 1. **Metric measurement**: **Aggregate value** is calculated by using `summarize` grouped by the expressions chosen and the [bin()](/azure/data-explorer/kusto/query/binfunction) selection. For example:

+ For metric measurements alert logic, you can specify how to [split the alerts by dimensions](./alerts-unified-log.md#split-by-alert-dimensions) by using the **Aggregate on** option. The row grouping expression must be unique and sorted.

+

+ The [bin()](/azure/data-explorer/kusto/query/binfunction) function can result in uneven time intervals, so the alert service automatically converts the [bin()](/azure/data-explorer/kusto/query/binfunction) function to a [binat()](/azure/data-explorer/kusto/query/binatfunction) function with appropriate time at runtime to ensure results with a fixed point.

+

+ > The **Split by alert dimensions** option is only available for the current scheduledQueryRules API. If you use the legacy [Log Analytics Alert API](./api-alerts.md), you'll need to switch. [Learn more about switching](./alerts-log-api-switch.md). Resource-centric alerting at scale is only supported in the API version `2021-08-01` and later.

+ :::image type="content" source="media/alerts-log/aggregate-on.png" alt-text="Screenshot that shows Aggregate on.":::

+ - **Period**: Choose the time range over which to assess the specified condition by using the [Period](./alerts-unified-log.md#query-time-range) option.

+1. When you're finished editing the conditions, select **Done**.

+1. Use the preview data to set the [Operator, Threshold value](./alerts-unified-log.md#threshold-and-operator), and [Frequency](./alerts-unified-log.md#frequency).

+1. Set the [number of violations to trigger an alert](./alerts-unified-log.md#number-of-violations-to-trigger-alert) by using **Total** or **Consecutive breaches**.

+1. Select **Done**.

+1. You can edit the rule **Description** and **Severity**. These details are used in all alert actions. You can also choose to not activate the alert rule on creation by selecting **Enable rule upon creation**.

+1. Use the [Suppress Alerts](./alerts-unified-log.md#state-and-resolving-alerts) option if you want to suppress rule actions for a specified time after an alert is fired. The rule will still run and create alerts, but actions won't be triggered to prevent noise. The **Mute actions** value must be greater than the frequency of the alert to be effective.

+ 

+1. Specify if the alert rule should trigger one or more [action groups](./action-groups.md#webhook) when the alert condition is met.

+ > For limits on the actions that can be performed, see [Azure subscription service limits](../../azure-resource-manager/management/azure-subscription-service-limits.md).

+ - **Custom email subject**: Overrides the *email subject* of email actions. You can't modify the body of the mail and this field *isn't for email addresses*.

+ - **Include custom Json payload for webhook**: Overrides the webhook JSON used by action groups, assuming that the action group contains a webhook action. Learn more about [webhook actions for log alerts](./alerts-log-webhook.md).

+ 

+1. After you've finished editing all the alert rule options, select **Save**.

+## Manage log alerts by using PowerShell

+Use the following PowerShell cmdlets to manage rules with the [Scheduled Query Rules API](/rest/api/monitor/scheduledqueryrule-2018-04-16/scheduled-query-rules):

+- [New-AzScheduledQueryRule](/powershell/module/az.monitor/new-azscheduledqueryrule): PowerShell cmdlet to create a new log alert rule.

+- [Set-AzScheduledQueryRule](/powershell/module/az.monitor/set-azscheduledqueryrule): PowerShell cmdlet to update an existing log alert rule.

+- [New-AzScheduledQueryRuleSource](/powershell/module/az.monitor/new-azscheduledqueryrulesource): PowerShell cmdlet to create or update the object that specifies source parameters for a log alert. Used as input by the [New-AzScheduledQueryRule](/powershell/module/az.monitor/new-azscheduledqueryrule) and [Set-AzScheduledQueryRule](/powershell/module/az.monitor/set-azscheduledqueryrule) cmdlets.

+- [New-AzScheduledQueryRuleSchedule](/powershell/module/az.monitor/new-azscheduledqueryruleschedule): PowerShell cmdlet to create or update the object that specifies schedule parameters for a log alert. Used as input by the [New-AzScheduledQueryRule](/powershell/module/az.monitor/new-azscheduledqueryrule) and [Set-AzScheduledQueryRule](/powershell/module/az.monitor/set-azscheduledqueryrule) cmdlets.

+- [New-AzScheduledQueryRuleAlertingAction](/powershell/module/az.monitor/new-azscheduledqueryrulealertingaction): PowerShell cmdlet to create or update the object that specifies action parameters for a log alert. Used as input by the [New-AzScheduledQueryRule](/powershell/module/az.monitor/new-azscheduledqueryrule) and [Set-AzScheduledQueryRule](/powershell/module/az.monitor/set-azscheduledqueryrule) cmdlets.

+- [New-AzScheduledQueryRuleAznsActionGroup](/powershell/module/az.monitor/new-azscheduledqueryruleaznsactiongroup): PowerShell cmdlet to create or update the object that specifies action group parameters for a log alert. Used as input by the [New-AzScheduledQueryRuleAlertingAction](/powershell/module/az.monitor/new-azscheduledqueryrulealertingaction) cmdlet.

+- [New-AzScheduledQueryRuleTriggerCondition](/powershell/module/az.monitor/new-azscheduledqueryruletriggercondition): PowerShell cmdlet to create or update the object that specifies trigger condition parameters for a log alert. Used as input by the [New-AzScheduledQueryRuleAlertingAction](/powershell/module/az.monitor/new-azscheduledqueryrulealertingaction) cmdlet.

+- [New-AzScheduledQueryRuleLogMetricTrigger](/powershell/module/az.monitor/new-azscheduledqueryrulelogmetrictrigger): PowerShell cmdlet to create or update the object that specifies metric trigger condition parameters for a metric measurement log alert. Used as input by the [New-AzScheduledQueryRuleTriggerCondition](/powershell/module/az.monitor/new-azscheduledqueryruletriggercondition) cmdlet.

+- [Get-AzScheduledQueryRule](/powershell/module/az.monitor/get-azscheduledqueryrule): PowerShell cmdlet to list existing log alert rules or a specific log alert rule.

+- [Update-AzScheduledQueryRule](/powershell/module/az.monitor/update-azscheduledqueryrule): PowerShell cmdlet to enable or disable a log alert rule.

+- [Remove-AzScheduledQueryRule](/powershell/module/az.monitor/remove-azscheduledqueryrule): PowerShell cmdlet to delete an existing log alert rule.

+> The `ScheduledQueryRules` PowerShell cmdlets can only manage rules created in [this version of the Scheduled Query Rules API](/rest/api/monitor/scheduledqueryrule-2018-04-16/scheduled-query-rules). Log alert rules created by using the legacy [Log Analytics Alert API](./api-alerts.md) can only be managed by using PowerShell after you [switch to the Scheduled Query Rules API](../alerts/alerts-log-api-switch.md).

+Example steps for creating a log alert rule by using PowerShell:

+Example steps for creating a log alert rule by using PowerShell with cross-resource queries:

+You can also create the log alert by using [a template and parameters](./alerts-log-create-templates.md) files using PowerShell:

+* Create log alerts by using [Azure Resource Manager templates](./alerts-log-create-templates.md).

+ Title: Upgrade Azure Monitor Application Insights smart detection to alerts (preview) | Microsoft Docs

+description: Learn about the steps required to upgrade your Azure Monitor Application Insights smart detection to alert rules.

+# Migrate Azure Monitor Application Insights smart detection to alerts (preview)

+This article describes the process of migrating Application Insights smart detection to alerts. The migration creates alert rules for the different smart detection modules. You can manage and configure these rules like any other Azure Monitor alert rules. You can also configure action groups for these rules to get multiple methods of actions or notifications on new detections.

+- **Rich notification options for all detectors**: Use [action groups](../alerts/action-groups.md) to configure multiple types of notifications and actions that are triggered when an alert is fired. You can configure notification by email, SMS, voice call, or push notifications. You can configure actions like calling a secure webhook, logic app, and automation runbook. Action groups further management at scale by allowing you to configure actions once and use them across multiple alert rules.

+- **At-scale management**: Smart detection alerts use the Azure Monitor alerts experience and API.

+- **Rule-based suppression of notifications**: Use [action rules](../alerts/alerts-action-rules.md) to define or suppress actions at any Azure Resource Manager scope such as Azure subscription, resource group, or target resource. Filters help you narrow down the specific subset of alert instances that you want to act on.

+A new set of alert rules is created when you migrate an Application Insights resource. One rule is created for each of the migrated smart detection capabilities. The following table maps the pre-migration smart detection capabilities to post-migration alert rules.

+| Slow page load time | No longer supported ⁽³⁾ |

+| Slow server response time | No longer supported ⁽³⁾ |

+| Long dependency duration | No longer supported ⁽³⁾ |

+| Potential security issue detected (preview) | No longer supported ⁽³⁾ |

+| Abnormal rise in daily data volume (preview) | No longer supported ⁽³⁾ |

+⁽¹⁾ The name of the rule as it appears in the smart detection **Settings** pane.<br>

+⁽²⁾ The name of the new alert rule after migration.<br>

+⁽³⁾ These smart detection capabilities aren't converted to alerts because of low usage and reassessment of detection effectiveness. These detectors will no longer be supported for this resource after its migration is finished.

+ > The **Failure Anomalies** smart detector is already created as an alert rule and doesn't require migration. It isn't discussed in this article.

+- If the smart detection rule had the default email or no notifications configured, the new alert rule is configured with an action group named Application Insights Smart Detection.

+ - If the migration tool finds an existing action group with that name, it links the new alert rule to that action group.

+ - Otherwise, it creates a new action group with that name. The new group is configured for Email Azure Resource Manager Role actions and sends notification to your Azure Resource Manager Monitoring Contributor and Monitoring Reader users.

+- If the default email notification was changed before migration, an action group called Application Insights Smart Detection \<n\> is created, with an email action sending notifications to the previously configured email addresses.

+## Execute the smart detection migration process

+Use the Azure portal, the Azure CLI, or Azure Resource Manager templates (ARM templates) to perform the migration.

+### Migrate your smart detection by using the Azure portal

+To migrate smart detection in your resource:

+1. Select **Smart detection** under the **Investigate** heading in your Application Insights resource.

+1. Select the banner reading **Migrate smart detection to alerts (Preview)**. The migration dialog appears.

+ 

+1. Select the **Migrate all Application Insights resources in this subscription** option. Or you can leave the option cleared if you want to migrate only the current resource you're in.

+ > [!NOTE]

+ > Selecting this option affects all existing Application Insights resources that weren't migrated yet. As long as the migration to alerts is in preview, new Application Insights resources will still be created with non-alerts smart detection.

+1. Select an action group to be configured for the new alert rules. You can use the default action group as explained or use one of your existing action groups.

+1. Select **Migrate** to start the migration process.

+ 

+After the migration, new alert rules are created for your Application Insight resource, as explained.

+### Migrate your smart detection by using the Azure CLI

+Start the smart detection migration by using the following Azure CLI command. The command triggers the preconfigured migration process as previously described.

+To migrate a single Application Insights resource, *body.txt* should include:

+To migrate all the Application Insights resources in a subscription, *body.txt* should include:

+The `ActionGroupCreationPolicy` parameter selects the policy for migrating the email settings in the smart detection rules into action groups. Allowed values are:

+- **Auto**: Uses the default action groups as described in this document.

+- **Custom**: Creates all alert rules with the action group specified in `customActionGroupName`.

+- **\<blank\>**: If `ActionGroupCreationPolicy` isn't specified, the `Auto` policy is used.

+### Migrate your smart detection by using ARM templates

+You can trigger the smart detection migration to alerts for a specific Application Insights resource by using ARM templates. To use this method, you need to:

+- Create a smart detection alert rule for each of the supported detectors.

+- Modify the Application Insight properties to indicate that the migration was completed.

+With this method, you can control which alert rules to create, define your own alert rule name and description, and select any action group you desire for each rule.

+Use the following templates for this purpose. Edit them as needed to provide your subscription ID and Application Insights resource name.

+## View your alerts after the migration

+After migration, you can view your smart detection alerts by selecting the **Alerts** entry in your Application Insights resource. For **Signal type**, select **Smart Detector** to filter and present only smart detection alerts. You can select an alert to see its detection details.

+

+You can also still see the available detections in the **Smart Detection** feed of your Application Insights resource.

+

+## Manage smart detection alert rules settings after migration

+Use the Azure portal or ARM templates to manage smart detection alert rules settings after migration.

+### Manage alert rules settings by using the Azure portal

+After the migration is finished, you access the new smart detection alert rules in a similar way to other alert rules defined for the resource.

+1. Select **Alerts** under the **Monitoring** heading in your Application Insights resource.

+ 

+1. Select **Manage alert rules**.

+ 

+1. For **Signal type**, select **Smart Detector** to filter and present the smart detection alert rules.

+ 

+### Enable or disable smart detection alert rules

+Smart detection alert rules can be enabled or disabled through the portal UI or programmatically, like any other alert rule.

+If a specific smart detection rule was disabled before the migration, the new alert rule will also be disabled.

+### Configure action groups for your alert rules

+You can create and manage action groups for the new smart detection alert rules like for any other Azure Monitor alert rule.

+### Manage alert rule settings by using ARM templates

+After the migration is finished, you can use ARM templates to configure settings for smart detection alert rule settings.

+> After migration is finished, smart detection settings must be configured by using smart detection alert rule templates. They can no longer be configured by using the [Application Insights Resource Manager template](./proactive-arm-config.md#smart-detection-rule-configuration).

+This ARM template example demonstrates how to configure a `Response Latency Degradation` alert rule in an `Enabled` state with a severity of `2`.

+* Smart detection is a global service, so rule location is created in the `global` location.

+* The `id` property should change according to the specific detector configured. The value must be one of:

+ - `FailureAnomaliesDetector`

+ - `RequestPerformanceDegradationDetector`

+ - `DependencyPerformanceDegradationDetector`

+ - `ExceptionVolumeChangedDetector`

+ - `TraceSeverityDetector`

+ - `MemoryLeakDetector`

+## Next steps

+This article describes the kinds of Azure Monitor alerts you can create. It helps you understand when to use each type of alert.

+The types of alerts are:

+## Choose the right alert type

+The information in this table can help you decide when to use each type of alert. For more information about pricing, see the [pricing page](https://azure.microsoft.com/pricing/details/monitor/).

+|Alert type |When to use |Pricing information|

+|Metric alert|Metric data is stored in the system already pre-computed. Metric alerts are useful when you want to be alerted about data that requires little or no manipulation. Use metric alerts if the data you want to monitor is available in metric data.|Each metric alert rule is charged based on the number of time series that are monitored. |

+|Log alert|You can use log alerts to perform advanced logic operations on your data. If the data you want to monitor is available in logs, or requires advanced logic, you can use the robust features of Kusto Query Language (KQL) for data manipulation by using log alerts.|Each log alert rule is billed based on the interval at which the log query is evaluated. More frequent query evaluation results in a higher cost. For log alerts configured for [at-scale monitoring](#splitting-by-dimensions-in-log-alert-rules), the cost also depends on the number of time series created by the dimensions resulting from your query. |

+|Activity log alert|Activity logs provide auditing of all actions that occurred on resources. Use activity log alerts to be alerted when a specific event happens to a resource like a restart, a shutdown, or the creation or deletion of a resource. Service Health alerts and Resource Health alerts let you know when there's an issue with one of your services or resources.|For more information, see the [pricing page](https://azure.microsoft.com/pricing/details/monitor/).|

+|Prometheus alerts (preview)| Prometheus alerts are primarily used for alerting on performance and health of Kubernetes clusters, including Azure Kubernetes Service. The alert rules are based on PromQL, which is an open-source query language. | There's no charge for Prometheus alerts during the preview period. |

+You can create rules by using these metrics:

+- You can add granularity by [monitoring multiple metric dimensions](#narrow-the-target-by-using-dimensions).

+- You can use [dynamic thresholds](#dynamic-thresholds) driven by machine learning.

+- A single resource, such as a virtual machine (VM). For supported resource types, see [Supported resources for metric alerts in Azure Monitor](alerts-metric-near-real-time.md).

+When you create an alert rule for a single resource, you can apply multiple conditions. For example, you could create an alert rule to monitor an Azure VM and alert when both "Percentage CPU is higher than 90%" and "Queue length is over 300 items." When an alert rule has multiple conditions, the alert fires when all the conditions in the alert rule are true. It's resolved when at least one of the conditions is no longer true for three consecutive checks.

+### Narrow the target by using dimensions

+Dimensions are name-value pairs that contain more data about the metric value. When you use dimensions, you can filter metrics and monitor specific time-series instead of monitoring the aggregate of all the dimensional values.

+For example, the Transactions metric of a storage account can have an API name dimension that contains the name of the API called by each transaction like GetBlob, DeleteBlob, and PutPage. You can choose to have an alert fired when there's a high number of transactions in any API name, which is the aggregated data. Or you can use dimensions to further break it down to alert only when the number of transactions is high for specific API names.

+If you use more than one dimension, the metric alert rule can monitor multiple dimension values from different dimensions of a metric. The alert rule separately monitors all the dimensions value combinations.

+For instructions on using dimensions in metric alert rules, see [Monitor multiple time series in a single metric alert rule](alerts-metric-multiple-time-series-single-rule.md).

+### Create resource-centric alerts by using splitting by dimensions

+To monitor for the same condition on multiple Azure resources, you can use splitting by dimensions. When you use splitting by dimensions, you can create resource-centric alerts at scale for a subscription or resource group. Alerts are split into separate alerts by grouping combinations. Splitting on an Azure resource ID column makes the specified resource into the alert target.

+You might also decide not to split when you want a condition applied to multiple resources in the scope. For example, you might want to fire an alert if at least five machines in the resource group scope have CPU usage over 80%.

+| Virtual machines | Yes |Yes | Yes |

+| SQL Server databases | Yes | Yes | Yes |

+| SQL Server elastic pools | Yes | Yes | Yes |

+| Azure Key Vault | Yes | Yes | Yes |

+| Azure Database for PostgreSQL - Flexible Server | Yes | Yes | Yes |

+ > Multi-resource metric alerts aren't supported for:

+ > - Alerting on VM guest metrics.

+ > - Alerting on VM network metrics (Network In Total, Network Out Total, Inbound Flows, Outbound Flows, Inbound Flows Maximum Creation Rate, and Outbound Flows Maximum Creation Rate).

+You can specify the scope of monitoring with a single metric alert rule in one of three ways. For example, with VMs you can specify the scope as:

+- A list of VMs in one Azure region within a subscription.

+- All VMs in one Azure region in one or more resource groups in a subscription.

+- All VMs in one Azure region in a subscription.

+Dynamic thresholds use advanced machine learning to:

+- Learn the historical behavior of metrics.

+- Identify patterns and adapt to metric changes over time, such as hourly, daily, or weekly patterns.

+- Recognize anomalies that indicate possible service issues.

+- Calculate the most appropriate threshold for the metric.

+Machine learning continuously uses new data to learn more and make the threshold more accurate. Because the system adapts to the metrics' behavior over time, and alerts based on deviations from its pattern, you don't have to know the "right" threshold for each metric.

+- Create rules without having to know what threshold to configure.

+- Configure metric alerts by using high-level concepts without extensive domain knowledge about the metric.

+- Prevent noisy (low precision) or wide (low recall) thresholds that donΓÇÖt have an expected pattern.

+For instructions on using dynamic thresholds in metric alert rules, see [Dynamic thresholds in metric alerts](alerts-dynamic-thresholds.md).

+- Multiple resources that use a [cross-resource query](../logs/cross-workspace-query.md).

+- **Table rows**: The number of rows returned can be used to work with events such as Windows event logs, Syslog, and application exceptions.

+- **Calculation of a numeric column**: Calculations based on any numeric column can be used to include any number of resources. An example is CPU percentage.

+You can configure if log alerts are [stateful or stateless](alerts-overview.md#alerts-and-state). This feature is currently in preview.

+> Log alerts work best when you're trying to detect specific data in the logs, as opposed to when you're trying to detect a lack of data in the logs. Because logs are semi-structured data, they're inherently more latent than metric data on information like a VM heartbeat. To avoid misfires when you're trying to detect a lack of data in the logs, consider using [metric alerts](#metric-alerts). You can send data to the metric store from logs by using [metric alerts for logs](alerts-metric-logs.md).

+You can use dimensions when you create log alert rules to monitor the values of multiple instances of a resource with one rule. For example, you can monitor CPU usage on multiple instances running your website or app. Each instance is monitored individually. Notifications are sent for each instance.

+To monitor for the same condition on multiple Azure resources, you can use splitting by dimensions. When you use splitting by dimensions, you can create resource-centric alerts at scale for a subscription or resource group. Alerts are split into separate alerts by grouping combinations by using numerical or string columns. Splitting on the Azure resource ID column makes the specified resource into the alert target.

+You might also decide not to split when you want a condition applied to multiple resources in the scope. For example, you might want to fire an alert if at least five machines in the resource group scope have CPU usage over 80%.

+### Use the API

+Manage new rules in your workspaces by using the [ScheduledQueryRules](/rest/api/monitor/scheduledqueryrule-2021-08-01/scheduled-query-rules) API.

+> Log alerts for Log Analytics used to be managed by using the legacy [Log Analytics Alert API](api-alerts.md). Learn more about [switching to the current ScheduledQueryRules API](alerts-log-api-switch.md).

+Log alerts are listed under resource provider `microsoft.insights/scheduledqueryrules` with:

+- Log alerts on Application Insights shown with the exact resource name along with resource group and alert properties.

+- Log alerts on Log Analytics are shown with the exact resource name along with resource group and alert properties when they're created by using the scheduledQueryRules API.

+- Log alerts created from the [legacy Log Analytics API](./api-alerts.md) aren't tracked [Azure resources](../../azure-resource-manager/management/overview.md) and don't have enforced unique resource names. These alerts are still created on `microsoft.insights/scheduledqueryrules` as hidden resources, which have the resource naming structure `<WorkspaceName>|<savedSearchId>|<scheduleId>|<ActionId>`. Log alerts on the legacy API are shown with the preceding hidden resource name along with resource group and alert properties.

+> Unsupported resource characters like <, >, %, &, \, ? and / are replaced with an underscore (_) in the hidden resource names. This character change is also reflected in the billing information.

+An activity log alert monitors a resource by checking the activity logs for a new activity log event that matches the defined conditions.

+You might want to use activity log alerts for these types of scenarios:

+- When a specific operation occurs on resources in a specific resource group or subscription. For example, you might want to be notified when:

+ - A VM in a production resource group is deleted.

+ - New roles are assigned to a user in your subscription.

+- A Service Health event occurs. Service Health events include notifications of incidents and maintenance events that apply to resources in your subscription.

+- Any activity log event in a top-level property in the JSON object.

+Activity log alert rules are Azure resources, so they can be created by using an Azure Resource Manager template. They also can be created, updated, or deleted in the Azure portal.

+Service Health alerts are a type of activity alert. [Service Health](../../service-health/overview.md) lets you know about outages, planned maintenance activities, and other health advisories because the authenticated Service Health experience knows which services and resources you currently use.

+The best way to use Service Health is to set up Service Health alerts to notify you by using your preferred communication channels when service issues, planned maintenance, or other changes might affect the Azure services and regions you use.

+Resource Health alerts are a type of activity alert. The [Resource Health overview](../../service-health/resource-health-overview.md) helps you diagnose and get support for service problems that affect your Azure resources. It reports on the current and past health of your resources.

+Resource Health relies on signals from different Azure services to assess whether a resource is healthy. If a resource is unhealthy, Resource Health analyzes more information to determine the source of the problem. It also reports on actions that Microsoft is taking to fix the problem and identifies actions you can take to address it.

+## Smart detection alerts

+After you set up Application Insights for your project and your app generates a certain amount of data, smart detection takes 24 hours to learn the normal behavior of your app. Your app's performance has a typical pattern of behavior. Some requests or dependency calls will be more prone to failure than others, and the overall failure rate might go up as load increases.

+Smart detection uses machine learning to find these anomalies. Smart detection monitors the data received from your app, and in particular the failure rates. Application Insights automatically alerts you in near real time if your web app experiences an abnormal rise in the rate of failed requests.

+As data comes into Application Insights from your web app, smart detection compares the current behavior with the patterns seen over the past few days. If there's an abnormal rise in failure rate compared to previous performance, an analysis is triggered.

+To help you triage and diagnose a problem, an analysis of the characteristics of the failures and related application data is provided in the alert details. There are also links to the Application Insights portal for further diagnosis. The feature doesn't need setup or configuration because it uses machine learning algorithms to predict the normal failure rate.

+Although metric alerts tell you there might be a problem, smart detection starts the diagnostic work for you. It performs much of the analysis you would otherwise have to do yourself. You get the results neatly packaged, which helps you to quickly get to the root of the problem.

+Prometheus alerts are based on metric values stored in [Azure Monitor managed services for Prometheus](../essentials/prometheus-metrics-overview.md). They fire when the result of a PromQL query resolves to true. Prometheus alerts are displayed and managed like other alert types when they fire, but they're configured with a Prometheus rule group. For more information, see [Rule groups in Azure Monitor managed service for Prometheus](../essentials/prometheus-rule-groups.md).

+- Learn more about [smart detection](proactive-failure-diagnostics.md).

+# IT Service Management integration

+Azure services like Log Analytics and Azure Monitor provide tools to detect, analyze, and troubleshoot problems with your Azure and non-Azure resources. But the work items related to an issue typically reside in an ITSM product or service.

+Azure Monitor provides a bidirectional connection between Azure and ITSM tools to help you resolve issues faster. You can create work items in your ITSM tool based on your Azure metric alerts, activity log alerts, and Log Analytics alerts.

+- ServiceNow ITSM or IT Operations Management (ITOM)

+- BMC

+For information about legal terms and the privacy policy, see the [Microsoft privacy statement](https://go.microsoft.com/fwLink/?LinkID=522330&clcid=0x9).

+## ITSM integration workflow

+Depending on your integration, start connecting to your ITSM tool with these steps:

+- For ServiceNow ITOM events or BMC Helix, use the secure webhook action:

+ 1. [Register your app with Azure Active Directory](./itsm-connector-secure-webhook-connections-azure-configuration.md#register-with-azure-active-directory).

+ 1. [Define a service principal](./itsm-connector-secure-webhook-connections-azure-configuration.md#define-service-principal).

+ 1. [Create a secure webhook action group](./itsm-connector-secure-webhook-connections-azure-configuration.md#create-a-secure-webhook-action-group).

+ 1. Connect to your ITSM. For more information, see the [ServiceNow connection instructions](./itsmc-connections-servicenow.md).

+ 1. (Optional) Set up the IP ranges. To list the ITSM IP addresses to allow ITSM connections from partner ITSM tools, list the whole public IP range of an Azure region where the Log Analytics workspace belongs. For more information, see the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=56519). For regions EUS/WEU/EUS2/WUS2/US South Central, the customer can list the ActionGroup network tag only.

+ 1. [Configure your Azure ITSM solution and create the ITSM connection](./itsmc-definition.md#install-it-service-management-connector).

+ 1. [Configure an action group to use the ITSM connector](./itsmc-definition.md#define-a-template).

+[ServiceNow connection instructions](./itsmc-connections-servicenow.md)

+| Run a search job. | `Microsoft.OperationalInsights/workspaces/tables/write` <br> `Microsoft.OperationalInsights/workspaces/searchJobs/write`|

+| Restore data from archived table. | `Microsoft.OperationalInsights/workspaces/tables/write` <br> `Microsoft.OperationalInsights/workspaces/restoreLogs/write`|

+**Example 1: Grant a user permission to read log data from their resources.**

+**Example 2: Grant a user permission to read log data from their resources and run a search job.**

+- Configure the workspace access control mode to *use workspace or resource permissions*.

+- Grant users `*/read` or `Microsoft.Insights/logs/*/read` permissions to their resources. If they're already assigned the [Log Analytics Reader](../../role-based-access-control/built-in-roles.md#reader) role on the workspace, it's sufficient.

+- Grant users the following permissions on the workspace:

+ - `Microsoft.OperationalInsights/workspaces/tables/write`: Required to be able to create the search results table (_SRCH).

+ - `Microsoft.OperationalInsights/workspaces/searchJobs/write`: Required to allow executing the search job operation.

+**Example 3: Grant a user permission to read log data from their resources and configure their resources to send logs to the Log Analytics workspace.**

+**Example 4: Grant a user permission to read log data from their resources, but not to send logs to the Log Analytics workspace or read security events.**

+**Example 5: Grant a user permission to read log data from their resources and all Azure AD sign-in and read Update Management solution log data in the Log Analytics workspace.**

+**Example 6: Restrict a user from restoring archived logs.**

+- Configure the workspace access control mode to *use workspace or resource permissions*.

+- Assign the user to the [Log Analytics Contributor](../../role-based-access-control/built-in-roles.md#contributor) role.

+- Add the following NonAction to block users from restoring archived logs: `Microsoft.OperationalInsights/workspaces/restoreLogs/write`

+The template used in this quickstart is from [Azure Quickstart Templates](/samples/azure/azure-quickstart-templates/azure-web-pubsub/).

+> [Quickstart: Create Bicep files with Visual Studio Code](../azure-resource-manager/bicep/quickstart-create-bicep-use-visual-studio-code.md)

+Azure Web PubSub service works as a data processor service and doesn't store any customer content. Azure Web PubSub service processes customer data within the region the customer deploys the service instance in. If you use Azure Web PubSub service together with other Azure services, like Azure Storage for diagnostics, see [this white paper](https://azure.microsoft.com/resources/achieving-compliant-data-residency-and-security-with-azure/) for guidance about how to keep data residency in Azure regions.

+|`synthesisConfig.style`|For some voices, you can adjust the speaking style to express different emotions like cheerfulness, empathy, and calm. You can optimize the voice for different scenarios like customer service, newscast, and voice assistant.<br/><br/>For information about the available styles per voice, see [voice styles and roles](language-support.md?tabs=tts#voice-styles-and-roles).<br/><br/>This optional property is only applicable when `textType` is set to `"PlainText"`.|

+|`synthesisConfig.voice`|The voice that speaks the audio output.<br/><br/>For information about the available prebuilt neural voices, see [language and voice support](language-support.md?tabs=tts). To use a custom voice, you must specify a valid custom voice and deployment ID mapping in the `customVoices` property.<br/><br/>This property is required when `textType` is set to `"PlainText"`.|

+Currently, conversation transcription supports [all speech-to-text languages](language-support.md?tabs=stt) in the following regions:ΓÇ»`centralus`, `eastasia`, `eastus`, `westeurope`.

+See the [supported languages](language-support.md?tabs=tts) for Custom Neural Voice.

+Out of the box, [text-to-speech](text-to-speech.md) can be used with prebuilt neural voices for each [supported language](language-support.md?tabs=tts). The prebuilt neural voices work very well in most text-to-speech scenarios if a unique voice isn't required.

+Custom Neural Voice is based on the neural text-to-speech technology and the multilingual, multi-speaker, universal model. You can create synthetic voices that are rich in speaking styles, or adaptable cross languages. The realistic and natural sounding voice of Custom Neural Voice can represent brands, personify machines, and allow users to interact with applications conversationally. See the [supported languages](language-support.md?tabs=tts) for Custom Neural Voice.

+Out of the box, speech to text utilizes a Universal Language Model as a base model that is trained with Microsoft-owned data and reflects commonly used spoken language. The base model is pre-trained with dialects and phonetics representing a variety of common domains. When you make a speech recognition request, the most recent base model for each [supported language](language-support.md?tabs=stt) is used by default. The base model works very well in most speech recognition scenarios.

+> Customization options vary by language/locale (see [Supported languages](./language-support.md?tabs=stt)).

+You have easy access to a broad portfolio of [languages and voices](language-support.md?tabs=tts). These voices include state-of-the-art prebuilt neural voices and your custom neural voice, if you've built one.

+1. Choose the voice and the language for your script content. Audio Content Creation includes all of the [prebuilt text-to-speech voices](language-support.md?tabs=tts). You can use prebuilt neural voices or a custom neural voice.

+Custom Speech projects contain models, training and testing datasets, and deployment endpoints. Each project is specific to a [locale](language-support.md?tabs=stt). For example, you might create a project for English in the United States.

+|Custom endpoint|Speech recognition requests will fall back to the most recent base model for the same [locale](language-support.md?tabs=stt). You will get results, but recognition might not accurately transcribe your domain data. |Update the endpoint's model as described in the [Deploy a Custom Speech model](how-to-custom-speech-deploy-model.md) guide. |

+For a list of base models that support training with audio data, see [Language support](language-support.md?tabs=stt). Even if a base model does support training with audio data, the service might use only part of the audio. And it will still use all the transcripts.

+For a list of supported base models and locales for training with structured text, see [Language support](language-support.md?tabs=stt). You must use the latest base model for these locales. For locales that don't support training with structured text, the service will take any training sentences that don't reference any classes as part of training with plain-text data.

+You can provide a custom pronunciation file to improve recognition. Don't use custom pronunciation files to alter the pronunciation of common words. For a list of languages that support custom pronunciation, see [language support](language-support.md?tabs=stt).

+- [Neural - cross lingual](?tabs=crosslingual#train-your-custom-neural-voice-model) (Preview): Create a secondary language for your voice model to speak a different language from your training data. For example, with the `zh-CN` training data, you can create a voice that speaks `en-US`. The language of the training data and the target language must both be one of the [languages that are supported](language-support.md?tabs=tts) for cross lingual voice training. You don't need to prepare training data in the target language, but your test script must be in the target language.

+The language of the training data must be one of the [languages that are supported](language-support.md?tabs=tts) for custom neural voice neural, cross-lingual, or multi-style training.

+All it takes to get started are a handful of audio files and the associated transcriptions. See if Custom Neural Voice supports your [language](language-support.md?tabs=tts) and [region](regions.md#speech-service).

+> We are retiring the standard voices from September 1, 2021 through August 31, 2024. If you used a standard voice with your Speech resource prior to September 1, 2021 then you can continue to do so until August 31, 2024. All other Speech resources can only use prebuilt neural voices. You can choose from the supported [neural voice names](language-support.md?tabs=tts). After August 31, the standard voices won't be supported with any Speech resource.

+> Viseme ID supports neural voices in [all viseme-supported locales](language-support.md?tabs=tts). Scalable Vector Graphics (SVG) only supports neural voices in `en-US` locale, and blend shapes supports neural voices in `en-US` and `zh-CN` locales.

+You can also get a list of locales and voices supported for each specific region or endpoint through the [Speech SDK](speech-sdk.md), [Speech-to-text REST API](rest-speech-to-text.md), [Speech-to-text REST API for short audio](rest-speech-to-text-short.md) and [Text-to-speech REST API](rest-text-to-speech.md#get-a-list-of-voices).

+# [Speech-to-text](#tab/stt)

+The table in this section summarizes the locales and voices supported for Speech-to-text. Please see the table footnotes for more details.

+Additional remarks for Speech-to-text locales are included in the [Custom Speech](#custom-speech) section below.

+# [Text-to-speech](#tab/tts)

+The tables in this section summarizes the locales and voices supported for Text-to-speech. Please see the table footnotes for more details.

+Additional remarks for Text-to-speech locales are included in the [Voice styles and roles](#voice-styles-and-roles), [Prebuilt neural voices](#prebuilt-neural-voices), and [Custom Neural Voice](#custom-neural-voice) sections below.

+### Prebuilt neural voices

+Each prebuilt neural voice supports a specific language and dialect, identified by locale. You can try the demo and hear the voices on [this website](https://azure.microsoft.com/services/cognitive-services/text-to-speech/#features).

+> [!IMPORTANT]

+> Pricing varies for Prebuilt Neural Voice (see *Neural* on the pricing page) and Custom Neural Voice (see *Custom Neural* on the pricing page). For more information, see the [Pricing](https://azure.microsoft.com/pricing/details/cognitive-services/speech-services/) page.

+Each prebuilt neural voice model is available at 24kHz and high-fidelity 48kHz. Other sample rates can be obtained through upsampling or downsampling when synthesizing.

+Please note that the following neural voices are retired.

+- The English (United Kingdom) voice `en-GB-MiaNeural` retired on October 30, 2021. All service requests to `en-GB-MiaNeural` will be redirected to `en-GB-SoniaNeural` automatically as of October 30, 2021. If you're using container Neural TTS, [download](speech-container-howto.md#get-the-container-image-with-docker-pull) and deploy the latest version. Starting from October 30, 2021, all requests with previous versions will not succeed.

+- The `en-US-JessaNeural` voice is retired and replaced by `en-US-AriaNeural`. If you were using "Jessa" before, convert to "Aria."

+Batch synthesis API supports all [text-to-speech voices and styles](language-support.md?tabs=tts).

+> We are retiring the standard voices from September 1, 2021 through August 31, 2024. If you used a standard voice with your Speech resource prior to September 1, 2021 then you can continue to do so until August 31, 2024. All other Speech resources can only use prebuilt neural voices. You can choose from the supported [neural voice names](language-support.md?tabs=tts). After August 31, the standard voices won't be supported with any Speech resource.

+Check the [public voices available](language-support.md?tabs=tts). You can also change the sample code above if you would like to fail over to a different voice or in a different region.

+| `language` | Identifies the spoken language that's being recognized. See [Supported languages](language-support.md?tabs=stt). | Required |

+Projects are applicable for [Custom Speech](custom-speech-overview.md). Custom Speech projects contain models, training and testing datasets, and deployment endpoints. Each project is specific to a [locale](language-support.md?tabs=stt). For example, you might create a project for English in the United States.

+- For a complete list of voices, see [Language and voice support for the Speech service](language-support.md?tabs=tts).

+> [Voices and styles in preview](language-support.md?tabs=tts) are only available in three service regions: East US, West Europe, and Southeast Asia.

+If you're using a custom neural voice, the body of a request can be sent as plain text (ASCII or UTF-8). Otherwise, the body of each `POST` request is sent as [SSML](speech-synthesis-markup.md). SSML allows you to choose the voice and language of the synthesized speech that the text-to-speech feature returns. For a complete list of supported voices, see [Language and voice support for the Speech service](language-support.md?tabs=tts).

+Speech containers enable customers to build one speech application architecture that is optimized to take advantage of both robust cloud capabilities and edge locality. The supported speech containers are **speech-to-text**, **Custom speech-to-text**, **speech language identification** and **Neural text-to-speech**.

+> The volume mount settings are only applicable to **Custom Speech-to-text** containers. The **Speech-to-text**, **Neural Text-to-speech** and **Speech language identification** containers do not use volume mounts.

+> When you construct a neural text-to-speech HTTP POST, the [SSML](speech-synthesis-markup.md) message requires a `voice` element with a `name` attribute. The value is the corresponding container [locale and voice](language-support.md?tabs=tts). For example, the `latest` tag would have a voice name of `en-US-AriaNeural`.

+* [Voice Gallery](https://aka.ms/speechstudio/voicegallery): Build apps and services that speak naturally. Choose from a broad portfolio of [languages, voices, and variants](language-support.md?tabs=tts). Bring your scenarios to life with highly expressive and human-like neural voices.

+> For a list of locales that support phonemes, see footnotes in the [language support](language-support.md?tabs=tts) table.

+> For a list of locales that support custom lexicon, see footnotes in the [language support](language-support.md?tabs=tts) table.

+- [Language support: Voices, locales, languages](language-support.md?tabs=tts)

+- [Language support: Voices, locales, languages](language-support.md?tabs=tts)

+| `name` | The voice used for text-to-speech output. For a complete list of supported prebuilt voices, see [Language support](language-support.md?tabs=tts).| Required|

+> Styles, style degree, and roles are supported for a subset of neural voices as described in the [voice styles and roles](language-support.md?tabs=tts#voice-styles-and-roles) documentation. To determine what styles and roles are supported for each voice, you can also use the [list voices](rest-text-to-speech.md#get-a-list-of-voices) API and the [Audio Content Creation](https://aka.ms/audiocontentcreation) web application.

+- [Language support: Voices, locales, languages](language-support.md?tabs=tts)

+- [Language support: Voices, locales, languages](language-support.md?tabs=tts)

+Speech-to-text, also known as speech recognition, enables real-time or offline transcription of audio streams into text. For a full list of available speech-to-text languages, see [Language and voice support for the Speech service](language-support.md?tabs=stt).

+Customization options vary by language or locale. To verify support, see [Language and voice support for the Speech service](./language-support.md?tabs=stt).

+These examples presume that you're testing in English. However, Speech service supports speech synthesis in many languages. You can pull down a full list of voices either by running the following command or by visiting the [language support page](./language-support.md?tabs=tts).

+> For a list of all supported languages and their corresponding locale codes, see [Language and voice support for the Speech service](language-support.md?tabs=tts).

+Text-to-speech enables your applications, tools, or devices to convert text into humanlike synthesized speech. The text-to-speech capability is also known as speech synthesis. Use humanlike prebuilt neural voices out of the box, or create a custom neural voice that's unique to your product or brand. For a full list of supported voices, languages, and locales, see [Language and voice support for the Speech service](language-support.md?tabs=tts).

+* **Real-time speech synthesis**: Use the [Speech SDK](./get-started-text-to-speech.md) or [REST API](rest-text-to-speech.md) to convert text-to-speech by using [prebuilt neural voices](language-support.md?tabs=tts) or [custom neural voices](custom-neural-voice.md).

+ For a full list of platform neural voices, see [Language and voice support for the Speech service](language-support.md?tabs=tts).

+ By using viseme events in Speech SDK, you can generate facial animation data. This data can be used to animate faces in lip-reading communication, education, entertainment, and customer service. Viseme is currently supported only for the `en-US` (US English) [neural voices](language-support.md?tabs=tts).

+You can choose from any of the languages mentioned in the [speech-to-text](language-support.md?tabs=stt) table. The following example changes the language to German.

+1. Open the Windows Voice Assistant Client app, select the **Settings** button (upper-right gear icon), and enter **de-de** in the **Language** field. This is the locale value mentioned in the [speech-to-text](language-support.md?tabs=stt) table.

+The following example adds SSML to the echo bot reply so that the German voice `de-DE-RalfNeural` (a male voice) is used instead of the default female voice. See the [list of standard voices](how-to-migrate-to-prebuilt-neural-voice.md) and [list of neural voices](language-support.md?tabs=tts) that are supported for your language.

+* [Speech Service: Speech-to-Text](./speech-service/language-support.md?tabs=stt)

+* [Speech Service:Text-to-Speech](./speech-service/language-support.md?tabs=tts)

+ Title: Quickstart - Integrate chat experiences in your app by using UI Library

+description: Get started with Azure Communication Services UI Library composites to add Chat communication experiences to your applications.

+zone_pivot_groups: acs-plat-web-ios-android

+# Quickstart: Add chat with UI Library

+Get started with Azure Communication Services UI Library to quickly integrate communication experiences into your applications. In this quickstart, learn how to integrate UI Library chat composites into an application and set up the experience for your app users.

+Communication Services UI Library renders a full chat experience right in your application. It takes care of connecting to ACS chat services, and updates participant's presence automatically. As a developer, you need to worry about where in your app's user experience you want the chat experience to launch and only create the ACS resources as required.

+## Clean up resources

+If you want to clean up and remove a Communication Services subscription, you can delete the resource or resource group.

+Deleting the resource group also deletes any other resources associated with it.

+Learn more about [cleaning up resources](../create-communication-resource.md#clean-up-resources).

+description: Get started with Azure Communication Services UI Library composites to add Calling communication experiences to your applications.

+[Azure Data Center Attestation Primitives (DCAP)](https://learn.microsoft.com/azure/security/fundamentals/trusted-hardware-identity-management#what-is-the-azure-dcap-library), a replacement for Intel Quote Provider Library (QPL), fetches quote generation collateral and quote validation collateral directly from the THIM Service.

+The [Trusted Hardware Identity Management (THIM)](https://learn.microsoft.com/azure/security/fundamentals/trusted-hardware-identity-management) service handles cache management of certificates for all trusted execution environments (TEE) residing in Azure and provides trusted computing base (TCB) information to enforce a minimum baseline for attestation solutions.

+DCsv3 and DCdsv3 only support [ECDSA-based Attestation](https://www.intel.com/content/www/us/en/developer/tools/software-guard-extensions/attestation-services.html) and the users are required to install [Azure DCAP](https://github.com/Microsoft/Azure-DCAP-Client) client to interact with THIM and fetch TEE collateral for quote generation during attestation process. DCsv2 continues to support [EPID-based Attestation](https://www.intel.com/content/www/us/en/developer/tools/software-guard-extensions/attestation-services.html).

+groupId=$(az group show \

+The following Python code creates a Synapse Link enabled container by setting the `analytical_storage_ttl` property. To update an existing container, use the `replace_container` method.

+### December 2022

+* General availability: Azure Cosmos DB for PostgreSQL is now available in the Sweden Central and Switzerland West regions.

+ * See [full list of supported Azure regions](resources-regions.md).

+* PostgreSQL 15 is now the default Postgres version for Azure Cosmos DB for PostgreSQL in Azure portal.

+ * See [all supported PostgreSQL versions](reference-versions.md).

+ * See [this guidance](howto-upgrade.md) for the steps to upgrade your Azure Cosmos DB for PostgreSQL cluster to PostgreSQL 15.

+The invoice notification email address is changing from `msftinv@microsoft.com` to `microsoft-noreply@microsoft.com` for customers and partners under the enhanced invoicing experience.

+ Title: Choose the right integration runtime configuration for your scenario

+# Choose the right integration runtime configuration for your scenario

+ > [!NOTE]

+ > Currently, this information is available only for GitHub repositories.

+In Defender for Cloud, you only see information related to a resource when you're assigned the Owner, Contributor, or Reader role for the subscription or for the resource group the resource is in.

+- Risk-based vulnerability management and assessment

+[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) protects your Windows and Linux machines whether they're hosted in Azure, hybrid clouds (on-premises), or multicloud environments.

+ - **Azure virtual machines (Windows or Linux)** - Configure the network settings described in configure device proxy and internet connectivity settings: [Windows](/microsoft-365/security/defender-endpoint/configure-proxy-internet) or [Linux](/microsoft-365/security/defender-endpoint/linux-static-proxy-configuration).

+- If you've moved your subscription between Azure tenants, some manual preparatory steps are also required. For details, [contact Microsoft support](https://portal.azure.com/#view/Microsoft_Azure_Support/HelpAndSupportBlade/~/overview).

+ 1. In the confirmation prompt, verify the information and select **Enable** to continue.

+ 1. In the confirmation prompt, verify the information and select **Enable** to continue.

+1. Ensure the user account has the necessary permissions. Learn more in [Assign user access to Microsoft Defender Security Center](/microsoft-365/security/defender-endpoint/assign-portal-access).

+1. Check whether you have a proxy or firewall that is blocking anonymous traffic. The Defender for Endpoint sensor connects from the system context, so anonymous traffic must be permitted. To ensure unhindered access to the Defender for Endpoint portal, follow the instructions in [Enable access to service URLs in the proxy server](/microsoft-365/security/defender-endpoint/configure-proxy-internet#enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server).

+1. Open the [Microsoft 365 Defender portal](https://security.microsoft.com/). Learn about [Microsoft Defender for Endpoint in Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-security-center-mde).

+1. Download the test alert tool from: <https://aka.ms/LinuxDIY>

+In the past, Microsoft Defender for Endpoint was provisioned by the Log Analytics agent. When [we expanded support to include Windows Server 2019](release-notes-archive.md#microsoft-defender-for-endpoint-integration-with-azure-defender-now-supports-windows-server-2019-and-windows-10-on-windows-virtual-desktop-released-for-general-availability-ga) and Linux, we also added an extension to perform the automatic onboarding.

+1. You need to wait at least 12 hours to be sure there's an issue to investigate.

+- [Cleanup of deleted Azure Arc machines in connected AWS and GCP accounts](#cleanup-of-deleted-azure-arc-machines-in-connected-aws-and-gcp-accounts)

+### Cleanup of deleted Azure Arc machines in connected AWS and GCP accounts

+A machine connected to an AWS and GCP account and covered by Defender for Servers or Defender for SQL on machines is represented in Defender for Cloud as an Azure Arc machine. Until now, that machine wasn't deleted from the inventory when the machine was deleted from the AWS or GCP account. This leads to unnecessary Azure Arc resources left in Defender for Cloud that represent deleted machines.

+Defender for Cloud will now automatically delete Azure Arc machines when those machines are deleted in connected AWS or GCP account.

+Users that have one Defender bundle enabled can enable other standards.

+Users that have one Defender bundle enabled can enable other standards.

+ :::image type="content" source="media/concept-regulatory-compliance/compliance-dashboard.png" alt-text="Screenshot showing regulatory compliance dashboard." lightbox="media/concept-regulatory-compliance/compliance-dashboard.png":::

+Make sure that your sensor is connected to your network, and then you can sign in to your sensor via a network-connected browser. For more information, see [Activate and set up your sensor](../how-to-activate-and-set-up-your-sensor.md#activate-and-set-up-your-sensor).

+If you choose to link your virtual network with the private DNS zone without autoregistration, the virtual network is treated as a resolution virtual network only. DNS records for virtual machines deployed this virtual network won't be created automatically in the private zone. However, virtual machines deployed in the virtual network can successfully query for DNS records in the private zone. These records include manually created and auto registered records from other virtual networks linked to the private DNS zone.

+> - Azure Resource Manager template (ARM template) including an Azure Iot Hub using the **Deploy to Azure** button.

+> - ARM template using the **Deploy to Azure** button.

+> - Manually in the Azure portal.

+## ARM template including an Azure Iot Hub using the Deploy to Azure button

+ Using an ARM template with the **Deploy to Azure** button is an easy and fast deployment method because it automates the deployment, most configuration steps, and uses the Azure portal. The deployed MedTech service and Azure IoT Hub are fully functional including conforming and valid device and Fast Healthcare Interoperability Resources (FHIR&#174;) destination mappings. Use the Azure IoT Hub to create devices and send device messages to the MedTech service.

+[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.healthcareapis%2Fworkspaces%2Fiotconnectors-with-iothub%2Fazuredeploy.json)

+To learn more about deploying the MedTech service including an Azure IoT Hub using an ARM template and the **Deploy to Azure** button, see [Receive device messages through Azure IoT Hub](device-data-through-iot-hub.md).

+Using an ARM template with the **Deploy to Azure** button is an easy and fast deployment method because it automates the deployment, most configuration steps, and uses the Azure portal. The deployed MedTech service will still require conforming and valid device and FHIR destination mappings to be fully functional.

+ [](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.healthcareapis%2Fworkspaces%2Fiotconnectors%2Fazuredeploy.json).

+To learn more about deploying the MedTech service using an ARM template and the **Deploy to Azure** button, see [Deploy the MedTech service using an Azure Resource Manager template](deploy-new-arm.md).

+Using an ARM template with Azure PowerShell or the Azure CLI is a more advanced deployment method. This deployment method can be useful for adding automation and repeatability so that you can scale and customize your deployments. The deployed MedTech service will still require conforming and valid device and FHIR destination mappings to be fully functional.

+To learn more about deploying the MedTech service using an ARM template and Azure PowerShell or the Azure CLI, see [Deploy the MedTech service using an Azure Resource Manager template and Azure PowerShell or the Azure CLI](deploy-new-powershell-cli.md).

+## Manually in the Azure portal

+To learn more about deploying the MedTech service manually using the Azure portal, see [Deploy the MedTech service manually using the Azure portal](deploy-new-manual.md).

+| Windows 10/11 Pro |  | |  |

+| Windows 10/11 Enterprise |  | |  |

+| Windows 10/11 IoT Enterprise |  | |  |

+| deviceId |required, read-only on updates |A case-sensitive string (up to 128 characters long) of ASCII 7-bit alphanumeric characters plus certain special characters: `- . % _ * ? ! ( ) , : = @ $ '`. The special characters: `+ #` are not supported. |

+* [Azure IoT Hub Device Provisioning Service](../iot-dps/index.yml)

+| `testId` | string | | *Required*. Id of the test to run. For a new test, enter an Id with characters [a-z0-9_-]. For an existing test, you can get the test Id from the test details page in Azure portal. This field was called `testName` earlier, which has been deprecated. You can still run existing tests with `testName`field. |

+| `displayName` | string | | Display name of the test. This will be shown in the list of tests in Azure portal. If not provided, testId is used as the display name. |

+| `description` | string | | Short description of the test. |

+testId: SampleTest

+displayName: Sample Test

+## January 10, 2023

+[Data Science VM ΓÇô Ubuntu 20.04](https://azuremarketplace.microsoft.com/marketplace/apps/microsoft-dsvm.ubuntu-2004?tab=Overview)

+Version: `23.01.06`

+Main changes:

+- Added R package "ranger"

+- Pinned `pandas==1.1.5` and `numpy==1.23.0` in `azureml_py38` environment

+|Kubernetes - Azure Arc or Azure Kubernetes Service|Reader|Applicable for both Arc-enabled Kubernetes cluster and AKS cluster.|

+1. Select the **Kubernetes clusters** tab.

+ :::image type="content" source="media/how-to-attach-arc-kubernetes/kubernetes-attach.png" alt-text="Screenshot of settings for Kubernetes cluster to make available in your workspace.":::

+ In the Kubernetes clusters tab, the initial state of your cluster is *Creating*. When the cluster is successfully attached, the state changes to *Succeeded*. Otherwise, the state changes to *Failed*.

+ :::image type="content" source="media/how-to-attach-arc-kubernetes/kubernetes-creating.png" alt-text="Screenshot of attached settings for configuration of Kubernetes cluster.":::

+ :::image type="content" source="media/how-to-create-attach-studio/compute-targets.png" alt-text="View list of compute targets":::

+## Kubernetes clusters

+For information on configuring and attaching a Kubernetes cluster to your workspace, see [Configure Kubernetes cluster for Azure Machine Learning](how-to-attach-kubernetes-anywhere.md).

+1. In the tabs at the top, select **Attached compute** to attach a compute target for **training**.

+* An AKS cluster running in Azure. If you have not previously used cluster extensions, you need to [register the KubernetesConfiguration service provider](../aks/dapr.md#register-the-kubernetesconfiguration-service-provider).

+ > * By default, the kubernetes deployment resources are randomly deployed to 1 or more nodes of the cluster, and daemonset resources are deployed to ALL nodes. If you want to restrict the extension deployment to specific nodes, use `nodeSelector` configuration setting described in [configuration settings table](#review-azureml-extension-configuration-settings).

+## Secure Azure Kubernetes Service online endpoints

+To use Azure Kubernetes Service cluster for secure inference, use the following steps:

+2. Deploy [AzureML extension](how-to-deploy-kubernetes-extension.md).

+3. [Attach the Kubernetes cluster to the workspace](how-to-attach-kubernetes-anywhere.md).

+4. Model deployment with Kubernetes online endpoint can be done using CLI v2, Python SDK v2 and Studio UI.

+

+ * CLI v2 - https://github.com/Azure/azureml-examples/tree/main/cli/endpoints/online/kubernetes

+ * Python SDK V2 - https://github.com/Azure/azureml-examples/tree/main/sdk/python/endpoints/online/kubernetes

+ * Studio UI - Follow the steps in [managed online endpoint deployment](how-to-use-managed-online-endpoint-studio.md) through the Studio. After entering the __Endpoint name__ select __Kubernetes__ as the compute type instead of __Managed__

+* [Use a firewall](how-to-access-azureml-behind-firewall.md)

+* `max_concurrent_trials`: (optional) Maximum number of trial jobs that can run concurrently. If not specified, max_total_trials number of jobs launch in parallel. If specified, must be an integer between 1 and 1000.

+>If both max_total_trials and timeout are specified, the hyperparameter tuning experiment terminates when the first of these two thresholds is reached.

+> **Explainability** is supported only for **multi-class classification** and **multi-label classification**. While generating explanations on online endpoint, if you encounter timeout issues, use [batch scoring notebook](https://github.com/Azure/azureml-examples/tree/main/v1/python-sdk/tutorials/automl-with-azureml/image-classification-multiclass-batch-scoring) to generate explanations.

+> While generating explanations on online endpoint, make sure to select only few classes based on confidence score in order to avoid timeout issues on the endpoint or use the endpoint with GPU instance type. To generate explanations for large number of classes in multi-label classification, refer to [batch scoring notebook](https://github.com/Azure/azureml-examples/tree/main/v1/python-sdk/tutorials/automl-with-azureml/image-classification-multiclass-batch-scoring).

+| `max_total_trials` | integer | The maximum number of trial jobs. | `1000` |

+| `max_concurrent_trials` | integer | The maximum number of trial jobs that can run concurrently. | Defaults to `max_total_trials`. |

+| `timeout` | integer | The maximum time in seconds the entire sweep job is allowed to run. Once this limit is reached, the system will cancel the sweep job, including all its trials. | `5184000` |

+If you want to provide a custom HTTPS certificate at site creation, follow the steps below. You'll need a certificate signed by a globally known and trusted CA. Your certificate must use a private key of type RSA or EC to ensure it's exportable (see [Exportable or non-exportable key](../key-vault/certificates/about-certificates.md) for more information).

+ 1. Either [create an Azure Key Vault](../key-vault/general/quick-create-portal.md) or choose an existing one to host your certificate. Ensure the Azure Key Vault is configured with **Azure Virtual Machines for deployment** resource access.

+ 1. [Add the certificate to your Key Vault](../key-vault/certificates/quick-create-portal.md). If you want to configure your certificate to renew automatically, see [Tutorial: Configure certificate auto-rotation in Key Vault](../key-vault/certificates/tutorial-rotate-certificates.md) for information on enabling auto-rotation.

+ - [Assign a Key Vault access policy](../key-vault/general/assign-access-policy.md?tabs=azure-portal). Provide **Get** and **List** permissions under **Secret permissions** and **Certificate permissions** to the **Private Mobile Network** service principal.

+ - [Provide access to Key Vault keys, certificates, and secrets with an Azure role-based access control](../key-vault/general/rbac-guide.md?tabs=azure-cli). Provide **Key Vault Reader** and **Key Vault Secrets User** permissions to the **Private Mobile Network** service principal.

+- Refer to the release notes for the current version of packet core, and whether it's supported by the version your Azure Stack Edge (ASE) is currently running. If your ASE version is incompatible with the latest packet core, [update your Azure Stack Edge Pro GPU](../databox-online/azure-stack-edge-gpu-install-update.md).

+ > If a warning appears about an incompatibility between the selected packet core version and the current Azure Stack Edge version, you'll need to update ASE first. Select **Upgrade ASE** from the warning prompt and follow the instructions in [Update your Azure Stack Edge Pro GPU](../databox-online/azure-stack-edge-gpu-install-update.md). Once you've finished updating your ASE, go back to the beginning of this step to create the site resource.

+- [Learn more about designing the policy control configuration for your private mobile network](policy-control.md)

+- Refer to the release notes for the current version of packet core, and whether it's supported by the version your Azure Stack Edge (ASE) is currently running. If your ASE version is incompatible with the latest packet core, [update your Azure Stack Edge Pro GPU](../databox-online/azure-stack-edge-gpu-install-update.md).

+- If you want to add or update a custom HTTPS certificate for accessing your local monitoring tools, you'll need a certificate signed by a globally known and trusted CA. Your certificate must use a private key of type RSA or EC to ensure it's exportable (see [Exportable or non-exportable key](../key-vault/certificates/about-certificates.md) for more information).

+- [Learn more about the packet core dashboards](packet-core-dashboards.md)

+If you decide to provide your own certificates for local monitoring access, you'll need to add the certificate to an [Azure Key Vault](../key-vault/index.yml) and set up the appropriate access permissions. See [Collect local monitoring values](collect-required-information-for-a-site.md#collect-local-monitoring-values) for additional information on configuring custom HTTPS certificates for local monitoring access.

+For more information on how to generate a Key Vault certificate, see [Certificate creation methods](../key-vault/certificates/create-certificate.md).

+- If your ASE version is incompatible with the packet core version you're upgrading to, you'll need to upgrade ASE first. Refer to [Update your Azure Stack Edge Pro GPU](../databox-online/azure-stack-edge-gpu-install-update.md) for the latest available version of ASE.

+ - If you're currently running a packet core version that the ASE version you're upgrading to doesn't support, it's possible that packet core won't operate normally with the new ASE version. In this case, we recommend planning a maintenance window that allows you time to upgrade both ASE and packet core. Refer to [Update your Azure Stack Edge Pro GPU](../databox-online/azure-stack-edge-gpu-install-update.md) for how long the ASE upgrade will take.

+If you determined in [Plan for your upgrade](#plan-for-your-upgrade) that you need to upgrade your ASE, follow the steps in [Update your Azure Stack Edge Pro GPU](../databox-online/azure-stack-edge-gpu-install-update.md).

+ > If a warning appears about an incompatibility between the selected packet core version and the current Azure Stack Edge version, you'll need to upgrade ASE first. Select **Upgrade ASE** from the warning prompt and follow the instructions in [Update your Azure Stack Edge Pro GPU](../databox-online/azure-stack-edge-gpu-install-update.md). Once you've finished updating your ASE, go back to the beginning of this step to upgrade packet core.

+- Use [Log Analytics](monitor-private-5g-core-with-log-analytics.md) or the [packet core dashboards](packet-core-dashboards.md) to monitor your deployment.

+- If your ASE version is incompatible with the packet core version you're upgrading to, you'll need to upgrade ASE first. Refer to [Update your Azure Stack Edge Pro GPU](../databox-online/azure-stack-edge-gpu-install-update.md) for the latest available version of ASE.

+ - If you're currently running a packet core version that the ASE version you're upgrading to doesn't support, it's possible that packet core won't operate normally with the new ASE version. In this case, we recommend planning a maintenance window that allows you time to upgrade both ASE and packet core. Refer to [Update your Azure Stack Edge Pro GPU](../databox-online/azure-stack-edge-gpu-install-update.md) for how long the ASE upgrade will take.

+If you determined in [Plan for your upgrade](#plan-for-your-upgrade) that you need to upgrade your ASE, follow the steps in [Update your Azure Stack Edge Pro GPU](../databox-online/azure-stack-edge-gpu-install-update.md).

+ > If a warning appears about an incompatibility between the selected packet core version and the current Azure Stack Edge version, you'll need to upgrade ASE first. Select **Upgrade ASE** from the warning prompt and follow the instructions in [Update your Azure Stack Edge Pro GPU](../databox-online/azure-stack-edge-gpu-install-update.md). Once you've finished updating your ASE, go back to the beginning of this step to upgrade packet core.

+- Use [Log Analytics](monitor-private-5g-core-with-log-analytics.md) or the [packet core dashboards](packet-core-dashboards.md) to monitor your deployment.

+| | -- | -- | | -- | - |

+| users | Automatic | Power BI | Power BI Dashboard | No | dashboard.Users |

+| users | Automatic | Power BI | Power BI dataflow | No | dataflow.Users |

+| users | Automatic | Power BI | Power BI Dataset | No | dataset.Users |

+| users | Automatic | Power BI | Power BI Report | No | workspace.Users |

+You can register multiple nodes for a self-hosted integration runtime using the same key. Learn more from [High availability and scalability](#high-availability-and-scalability).

+You can edit a self-hosted integration runtime by navigating to **Integration runtimes** in the Microsoft Purview governance portal, hover on the IR then click the **Edit** button.

+In the **Settings** tab, you can update the description, copy the key, or regenerate new keys. In the **Nodes** tab, you can manage the registered nodes. And in the **Version** tab, you can see the IR version status.

+You can delete a self-hosted integration runtime by navigating to **Integration runtimes**, hover on the IR then click the **Delete** button.

+## High availability and scalability

+You can associate a self-hosted integration runtime with multiple on-premises machines or virtual machines in Azure. These machines are called nodes. You can have up to four nodes associated with a self-hosted integration runtime. The benefits of having multiple nodes are:

+- Higher availability of the self-hosted integration runtime so that it's no longer the single point of failure for scan. This availability helps ensure continuity when you use up to four nodes.

+- Run more concurrent scans. Each self-hosted integration runtime can empower a number of scans at the same time, auto determined based on the machine's CPU/memory. You can install additional nodes if you have more concurrency need. Each scan will be executed on one of the nodes. Having more nodes doesn't improve the performance of a single scan execution.

+You can associate multiple nodes by installing the self-hosted integration runtime software from [Download Center](https://www.microsoft.com/download/details.aspx?id=39717). Then, register it by using the same authentication key.

+> [!NOTE]

+> Before you add another node for high availability and scalability, ensure that the **Remote access to intranet** option is enabled on the first node. To do so, select **Microsoft Integration Runtime Configuration Manager** > **Settings** > **Remote access to intranet**.

+| `*.servicebus.windows.net` | 443 | Required for setting up scan in the Microsoft Purview governance portal. This endpoint is used for interactive authoring from UI, for example, test connection, browse folder list and table list to scope scan. To avoid using wildcard, see [Get URL of Azure Relay](#get-url-of-azure-relay).|

+> As currently Azure Relay doesn't support service tag, you have to use service tag AzureCloud or Internet in NSG rules for the communication to Azure Relay.

+### Get URL of Azure Relay

+One required domain and port that need to be put in the allowlist of your firewall is for the communication to Azure Relay. The self-hosted integration runtime uses it for interactive authoring such as test connection and browse folder/table list. If you don't want to allow **.servicebus.windows.net** and would like to have more specific URLs, then you can see all the FQDNs that are required by your self-hosted integration runtime. Follow these steps:

+1. Go to the Microsoft Purview governance portal -> Data map -> Integration runtimes, and edit your self-hosted integration runtime.

+2. In Edit page, select **Nodes** tab.

+3. Select **View Service URLs** to get all FQDNs.

+ :::image type="content" source="media/manage-integration-runtimes/get-azure-relay-urls.png" alt-text="Screenshot that shows how to get Azure Relay URLs for an integration runtime.":::

+4. You can add these FQDNs in the allowlist of firewall rules.

+> [!NOTE]

+> For the details related to Azure Relay connections protocol, see [Azure Relay Hybrid Connections protocol](../azure-relay/relay-hybrid-connections-protocol.md).

+- West US 3

+ When applicable, you can further drill down to see the lineage at SQL statement level within a stored procedure, along with column level lineage. When using Self-hosted Integration Runtime for scan, retrieving the lineage drilldown information during scan is supported since version 5.25.8374.1.

+ :::image type="content" source="media/register-scan-azure-sql-database/register-scan-azure-sql-db-lineage-drilldown.png" alt-text="Screenshot that shows stored procedure lineage drilldown.":::

+> [Reliability in Azure](./overview.md)

+> Azure DDoS protection Standard incurs a cost per public IP address in the virtual network where you enable the service. Ensure you delete the resources in this tutorial if you aren't using the resources in the future. For information about pricing, see [Azure DDoS Protection Pricing](https://azure.microsoft.com/pricing/details/ddos-protection/). For more information about Azure DDoS protection, see [What is Azure DDoS Protection?](../ddos-protection/ddos-protection-overview.md).

+> [Configure peering between Azure Route Server and network virtual appliance](tutorial-configure-route-server-with-quagga.md)

+Because Azure Cognitive Search is a [monitored resource](../azure-monitor/monitor-reference.md), you can review the built-in [**activity logs**](../azure-monitor/essentials/activity-log.md) and [**platform metrics**](../azure-monitor/essentials/data-platform-metrics.md#types-of-metrics) for insights into service operations. Activity logs and the data used to report on platform metrics are retained for the periods described in the following table.

+If you opt in for [**resource logging**](../azure-monitor/essentials/resource-logs.md), you'll specify durable storage over which you'll have full control over data retention and data access through Kusto queries. For more information on how to set up resource logging in Cognitive Search, see [Collect and analyze log data](monitor-azure-cognitive-search.md).

+## Types of API keys

+¹ Having two allows you to roll over one key while using the second key for continued access to the service.

+You can specify API keys in a request header for REST API calls, or in code that calls the azure.search.documents client libraries in the Azure SDKs. If you're using the Azure portal to perform tasks, your role assignment determines the [level of access](#permissions-to-view-or-manage-api-keys).

+Best practices for using hard-coded keys in source files include:

+### [**Portal**](#tab/portal-use)

+In Cognitive Search, most tasks can be performed in Azure portal, including object creation, indexing through the Import data wizard, and queries through Search explorer.

+Authentication is built in so no action is required. By default, the portal uses API keys to authenticate the request automatically. However, if you [disable API keys](search-security-rbac.md#disable-api-key-authentication) and set up role assignments, the portal uses role assignments instead.

+### [**PowerShell**](#tab/azure-ps-use)

+A script example showing API key usage for various operations can be found at [Quickstart: Create an Azure Cognitive Search index in PowerShell using REST APIs](search-get-started-powershell.md).

+### [**REST API**](#tab/rest-use)

+### [**C#**](#tab/dotnet-use)

+> It's considered a poor security practice to pass sensitive data such as an `api-key` in the request URI. For this reason, Azure Cognitive Search only accepts a query key as an `api-key` in the query string. As a general rule, we recommend passing your `api-key` as a request header.

+## Permissions to view or manage API keys

+Permissions for viewing and managing API keys are conveyed through [role assignments](search-security-rbac.md). Members of the following roles can view and regenerate keys:

+The following roles don't have access to API keys:

+### [**Portal**](#tab/portal-find)

+### [**PowerShell**](#tab/azure-ps-find)

+1. Install the Az.Search module:

+ ```azurepowershell

+ Install-Module Az.Search

+ ```

+1. Return admin keys:

+ ```azurepowershell

+ Get-AzSearchAdminKeyPair -ResourceGroupName <resource-group-name> -ServiceName <search-service-name>

+ ```

+1. Return query keys:

+ ```azurepowershell

+ Get-AzSearchQueryKey -ResourceGroupName <resource-group-name> -ServiceName <search-service-name>

+ ```

+### [**Azure CLI**](#tab/azure-cli-find)

+Use the following commands to return admin and query API keys, respectively:

+```azurecli

+az search admin-key show --resource-group <myresourcegroup> --service-name <myservice>

+az search query-key list --resource-group <myresourcegroup> --service-name <myservice>

+```

+### [**REST API**](#tab/rest-find)

+Use [List Admin Keys](/rest/api/searchmanagement/2020-08-01/admin-keys) or [List Query Keys](/rest/api/searchmanagement/2020-08-01/query-keys/list-by-search-service) in the Management REST API to return API keys.

+### [**Portal**](#tab/portal-query)

+### [**PowerShell**](#tab/azure-ps-query)

+A script example showing API key usage can be found at [Create or delete query keys](search-manage-powershell.md#create-or-delete-query-keys).

+### [**REST API**](#tab/rest-query)

+Use [Create Query Keys](/rest/api/searchmanagement/2020-08-01/query-keys/create) in the Management REST API.

+You must have a [valid role assignment](#permissions-to-view-or-manage-api-keys) to create or manage API keys. See [Manage your Azure Cognitive Search service with REST APIs](search-manage-rest.md) for guidance on meeting role requirements using the REST APIs.

+```rest

+POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Search/searchServices/{searchServiceName}/createQueryKey/{name}?api-version=2020-08-01

+```

+1. Under **Settings**, select **Keys**, then copy the secondary key.

+## Secure API keys

+1. As a precaution, also check the **Classic administrators** tab to determine whether administrators and co-administrators have access.

+To remove references to specific objects, or to change the data retention period, [file a support ticket](../azure-portal/supportability/how-to-create-azure-support-request.md) for your search service.

+For data handled internally by the search service, the following table describes the [data encryption models](../security/fundamentals/encryption-models.md). Some features, such as knowledge store, incremental enrichment, and indexer-based indexing, read from or write to data structures in other Azure Services. Services that have a dependency on Azure Storage can use the [encryption features](../storage/common/storage-service-encryption.md) of that technology.

+ > You might need to provide a tenant ID, which you can find in the Azure portal in [Portal settings > Directories + subscriptions](../azure-portal/set-preferences.md).

+[Deploy your Static Web App](tutorial-csharp-deploy-static-web-app.md)

+ > You might need to provide a tenant ID, which you can find in the Azure portal in [Portal settings > Directories + subscriptions](../azure-portal/set-preferences.md).

+[Deploy your Static Web App](tutorial-javascript-deploy-static-web-app.md)

+ > You might need to provide a tenant ID, which you can find in the Azure portal in [Portal settings > Directories + subscriptions](../azure-portal/set-preferences.md).

+[Deploy your Static Web App](tutorial-python-deploy-static-web-app.md)

+To normalize data at ingest, you will need to use a [Data Collection Rule (DCR)](../azure-monitor/essentials/data-collection-rule-overview.md). The procedure for implementing the DCR depends on the method used to ingest the data. For more information, refer to the article [Transform or customize data at ingestion time in Microsoft Sentinel](configure-data-transformation.md).

+- **Onboard Microsoft services**: Make sure that you have both [Microsoft Sentinel](quickstart-onboard.md) and [Microsoft Defender for Cloud](../defender-for-cloud/get-started.md) enabled in your Azure subscription.

+ - Continuously export Microsoft Defender for Cloud data to your Log Analytics workspace. For more information, see [Continuously export Microsoft Defender for Cloud data](../defender-for-cloud/continuous-export.md?tabs=azure-portal).

+- **Required user permissions**. To install the **Zero Trust (TIC 3.0)** solution, you must have access to your Microsoft Sentinel workspace with [Security Reader](../active-directory/roles/permissions-reference.md#security-reader) permissions.

+Yes. The **Zero Trust (TIC 3.0)** solution is in Public Preview and deployable to Commercial/Government regions. For more information, see [Cloud feature availability for commercial and US Government customers](../security/fundamentals/feature-availability.md).

+- [Microsoft Sentinel Contributor](../role-based-access-control/built-in-roles.md#microsoft-sentinel-contributor) users can create and edit workbooks, analytics rules, and other Microsoft Sentinel resources.

+- [Microsoft Sentinel Reader](../role-based-access-control/built-in-roles.md#microsoft-sentinel-reader) users can view data, incidents, workbooks, and other Microsoft Sentinel resources.

+- [Implementing Zero Trust with Microsoft Azure: Identity and Access Management (6 Part Series)](https://devblogs.microsoft.com/azuregov/implementing-zero-trust-with-microsoft-azure-identity-and-access-management-1-of-6/)

+For further background on cluster upgrade concepts and processes, see [Upgrading and updating Azure Service Fabric clusters](service-fabric-cluster-upgrade.md).

+If you want to find a list of all the available Service Fabric runtime versions in available for your subscription, follow the guidance in the [Check for supported cluster versions section of the Manage Service Fabric Cluster Upgrades guide](service-fabric-cluster-upgrade-version-azure.md#check-for-supported-cluster-versions).

+| 8.2 CU7<br>8.2.1692.9590 | 8.0 CU3<br>8.0.536.9590 | 8.0 | Less than or equal to version 6.0 | .NET 6.0 (GA), >= .NET Core 3.1, <br>All >= .NET Framework 4.5 | [See supported OS version](#supported-windows-versions-and-support-end-date) | March 31, 2023 |

+| 8.2 CU6<br>8.2.1686.9590 | 8.0 CU3<br>8.0.536.9590 | 8.0 | Less than or equal to version 6.0 | .NET 6.0 (GA), >= .NET Core 3.1, <br>All >= .NET Framework 4.5 | [See supported OS version](#supported-windows-versions-and-support-end-date) | March 31, 2023 |

+| 8.2 CU4<br>8.2.1659.9590 | 8.0 CU3<br>8.0.536.9590 | 8.0 | Less than or equal to version 5.2 | .NET 5.0, >= .NET Core 3.1, <br>All >= .NET Framework 4.5 | [See supported OS version](#supported-windows-versions-and-support-end-date) | March 31, 2023 |

+| 8.2 CU3<br>8.2.1620.9590 | 8.0 CU3<br>8.0.536.9590 | 8.0 | Less than or equal to version 5.2 | .NET 5.0, >= .NET Core 3.1, <br>All >= .NET Framework 4.5 | [See supported OS version](#supported-windows-versions-and-support-end-date) | March 31, 2023|

+| 8.2 CU2.1<br>8.2.1571.9590 | 8.0 CU3<br>8.0.536.9590 | 8.0 | Less than or equal to version 5.2 | .NET 5.0, >= .NET Core 3.1, <br>All >= .NET Framework 4.5 | [See supported OS version](#supported-windows-versions-and-support-end-date) | March 31, 2023 |

+| 8.2 CU2<br>8.2.1486.9590 | 8.0 CU3<br>8.0.536.9590 | 8.0 | Less than or equal to version 5.2 | .NET 6.0 (Preview), .NET 5.0, >= .NET Core 3.1, <br>All >= .NET Framework 4.5 | [See supported OS version](#supported-windows-versions-and-support-end-date) | March 31, 2023 |

+| 8.2 CU1<br>8.2.1363.9590 | 8.0 CU3<br>8.0.536.9590 | 8.0 | Less than or equal to version 5.2 | .NET 5.0, >= .NET Core 3.1, <br>All >= .NET Framework 4.5 | [See supported OS version](#supported-windows-versions-and-support-end-date) | March 31, 2023 |

+| 8.2 RTO<br>8.2.1235.9590 | 8.0 CU3<br>8.0.536.9590 | 8.0 | Less than or equal to version 5.2 | .NET 5.0, >= .NET Core 3.1, <br>All >= .NET Framework 4.5 | [See supported OS version](#supported-windows-versions-and-support-end-date) | March 31, 2023 |

+| 8.2 CU6<br>8.2.1485.1 | 8.0 CU3<br>8.0.527.1 | N/A | Less than or equal to version 5.2 | >= .NET Core 2.1 | [See supported OS version](#supported-linux-versions-and-support-end-date) | March 31, 2023 |

+| 8.2 CU5.1<br>8.2.1483.1 | 8.0 CU3<br>8.0.527.1 | N/A | Less than or equal to version 5.2 | >= .NET Core 2.1 | [See supported OS version](#supported-linux-versions-and-support-end-date) | March 31, 2023 |

+| 8.2 CU4<br>8.2.1458.1 | 8.0 CU3<br>8.0.527.1 | 8.0 | Less than or equal to version 5.2 | >= .NET Core 2.1 | [See supported OS version](#supported-linux-versions-and-support-end-date) | March 31, 2023 |

+| 8.2 CU3<br>8.2.1434.1 | 8.0 CU3<br>8.0.527.1 | 8.0 | Less than or equal to version 5.2 | >= .NET Core 2.1 | [See supported OS version](#supported-linux-versions-and-support-end-date) | March 31, 2023 |

+| 8.2 CU2.1<br>8.2.1397.1 | 8.0 CU3<br>8.0.527.1 | 8.0 | Less than or equal to version 5.2 | >= .NET Core 2.1 | [See supported OS version](#supported-linux-versions-and-support-end-date) | March 31, 2023 |

+| 8.2 CU2<br>8.2.1285.1 | 8.0 CU3<br>8.0.527.1 | 8.0 | Less than or equal to version 5.2 | >= .NET Core 2.1 | [See supported OS version](#supported-linux-versions-and-support-end-date) | March 31, 2023 |

+| 8.2 CU1<br>8.2.1204.1 | 8.0 CU3<br>8.0.527.1 | 8.0 | Less than or equal to version 5.2 | >= .NET Core 2.1 | [See supported OS version](#supported-linux-versions-and-support-end-date) | March 31, 2023 |

+| 8.2 RTO<br>8.2.1124.1 | 8.0 CU3<br>8.0.527.1 | 8.0 | Less than or equal to version 5.2 | >= .NET Core 2.1 | [See supported OS version](#supported-linux-versions-and-support-end-date) | March 31, 2023 |

+ >Azure Site Recovery supports High churn (Public Preview) where you can choose to use **High Churn** for the VM. With this, you can use a *Premium Block Blob* type of storage account. By default, **Normal Churn** is selected. For more information, see [Azure VM Disaster Recovery - High Churn Support](./concepts-azure-to-azure-high-churn-support.md).

+[Learn more](site-recovery-test-failover-to-azure.md) about running a test failover.

+|Cache storage | You can specify a cache storage account to be used during replication. By default, a new cache storage account is created, if it doesn't exist. </br>By default, type of storage account (Standard storage account or Premium Block Blob storage account) that you have selected for the source VM in original primary location is used. For example, during replication from original source to target, if you have selected *High Churn*, during re-protection back from target to original source, Premium Block blob will be used by default. You can configure and change it for re-protection. For more information, see [Azure VM Disaster Recovery - High Churn Support](./concepts-azure-to-azure-high-churn-support.md).|

+After the VM is protected, you can initiate a failover. The failover shuts down the VM in the secondary region and creates and boots the VM in the primary region, with brief downtime during this process. We recommend you choose an appropriate time for this process and that you run a test failover before initiating a full failover to the primary site. [Learn more](site-recovery-failover.md) about Azure Site Recovery failover.

+A cache storage account is a standard storage account in the same Azure region as the virtual machine being replicated. The cache storage account is used to hold replication changes temporarily, before the changes are moved to the recovery Azure region. High churn support (Public Preview) is now available in Azure Site Recovery using which you can create a Premium Block Blob type of storage accounts that can be used as cache storage account to get high churn limits. You can choose to, but it's not necessary, to specify different cache storage accounts for the different disks of a virtual machine. If you use different cache storage accounts, ensure they are of the same type (Standard or Premium Block Blobs). For more information, see [Azure VM Disaster Recovery - High Churn Support](./concepts-azure-to-azure-high-churn-support.md).

+View the [Azure Site Recovery PowerShell reference](/powershell/module/az.RecoveryServices) to learn how you can do other tasks such as creating recovery plans and testing failover of recovery plans with PowerShell.

+Premium storage | Supported | Use Premium Block Blob storage accounts to get High Churn support (in Public Preview). For more information, see [Azure VM Disaster Recovery - High Churn Support](./concepts-azure-to-azure-high-churn-support.md).

+>High churn support is now available in Azure Site Recovery where churn limit per virtual machine has increased up to 100 MB/s. For more information, see [Azure VM Disaster Recovery - High Churn Support](./concepts-azure-to-azure-high-churn-support.md).

+- Deploy disaster recovery by [replicating Azure VMs](./azure-to-azure-quickstart.md).

+1. Select source VMs on which you want to enable replication. To enable replication, follow the steps [here](./azure-to-azure-how-to-enable-replication.md).

+- For High churn VMs, more data changes may get replicated to target for **High churn** compared to **Normal churn**. This may lead to more network cost.

+- Ensure Azure Az PowerShell module is installed. For information on how to install, see [Install the Azure Az PowerShell module](/powershell/azure/install-az-ps?view=azps-9.2.0)

+- Ensure the Linux distro version and kernel is supported by Azure Site Recovery. For more information, see the [support matrix](./azure-to-azure-support-matrix.md#linux).

+- Ensure the Linux distro version and kernel is supported by Azure Site Recovery. For more information, see the [support matrix](./azure-to-azure-support-matrix.md#linux).

+ ```

+ Title: Start, stop, and delete an application in Azure Spring Apps

+description: Need to start, stop, or delete your Azure Spring Apps application? Learn how to manage the state of an Azure Spring Apps application.

+## Prerequisites

+- An Azure subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+- A deployed Azure Spring Apps service instance. Follow the [quickstart on deploying an app via the Azure CLI](./quickstart.md) to get started.

+- At least one application already created in your service instance.

+## Application state

+Your applications running in Azure Spring Apps may not need to run continuously. For example, an application may not always need to run if it's only used during business hours.

+There may be times where you wish to stop or start an application. You can also restart an application as part of general troubleshooting steps or delete an application you no longer require.

+## Manage application state

+After you deploy an application, you can start, stop, and delete it by using the [Azure portal](https://portal.azure.com) or [Azure CLI](/cli/azure/).

+### [Azure portal](#tab/azure-portal)

+1. Go to your Azure Spring Apps service instance in the [Azure portal](https://portal.azure.com).

+1. Select **Application Dashboard**.

+### [Azure CLI](#tab/azure-cli)

+> You can use optional parameters and configure defaults with the Azure CLI. Learn more about the Azure CLI by reading the [az spring](/cli/azure/spring) reference documentation.

+1. First, use the following command to install the Azure Spring Apps extension for Azure CLI:

+ ```azurecli-interactive

+ az extension add --name spring

+ ```

+1. Next, perform any of the following Azure CLI operations:

+ - Start your application:

+ ```azurecli-interactive

+ az spring app start \

+ --resource-group <resource-group-name> \

+ --service <Azure-Spring-Apps-instance-name> \

+ --name <application-name>

+ ```

+ - Stop your application:

+ ```azurecli

+ az spring app stop \

+ --resource-group <resource-group-name> \

+ --service <Azure-Spring-Apps-instance-name> \

+ --name <application-name>

+ ```

+ - Restart your application:

+ ```azurecli

+ az spring app restart \

+ --resource-group <resource-group-name> \

+ --service <Azure-Spring-Apps-instance-name> \

+ --name <application-name>

+ ```

+ - Delete your application:

+ ```azurecli

+ az spring app delete \

+ --resource-group <resource-group-name> \

+ --service <Azure-Spring-Apps-instance-name> \

+ --name <application-name>

+ ```

+## Next steps

+> [!div class="nextstepaction"]

+> [Start or stop your Azure Spring Apps service instance](how-to-start-stop-service.md)

+1. In **Search services and marketplace**, type **template deployment**, and then press **ENTER**.

+1. Choose **Template deployment (deploy using custom templates)**, choose **Create**, and then choose **Build your own template in the editor**.

+> Cross-tenant object replication is permitted by default for a storage account. To prevent replication across tenants, you can set the **AllowCrossTenantReplication** property to disallow cross-tenant object replication for your storage accounts. For more information, see [Prevent object replication across Azure Active Directory tenants](object-replication-prevent-cross-tenant-policies.md).

+To authorize with Azure AD, you'll need to use a [security principal](../../active-directory/develop/app-objects-and-service-principals.md). Which type of security principal you need depends on where your application runs. Use the following table as a guide:

+> To learn more about this feature, see [Manage and find data on Azure Blob storage with blob index](storage-manage-find-blobs.md).

+- Azure AD built-in role assigned as [Storage Blob Data Owner](../../role-based-access-control/built-in-roles.md#storage-blob-data-owner) or higher

+- Azure RBAC action [Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write](../../role-based-access-control/resource-provider-operations.md#microsoftstorage)

+- Azure AD built-in role assigned as [Storage Blob Data Owner](../../role-based-access-control/built-in-roles.md#storage-blob-data-owner) or higher

+- Azure RBAC action [Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read](../../role-based-access-control/resource-provider-operations.md#microsoftstorage)

+- Azure AD built-in role assigned as [Storage Blob Data Owner](../../role-based-access-control/built-in-roles.md#storage-blob-data-owner) or higher

+- Azure RBAC action [Microsoft.Storage/storageAccounts/blobServices/containers/blobs/filter/action](../../role-based-access-control/resource-provider-operations.md#microsoftstorage)

+Service-level encryption supports the use of either Microsoft-managed keys or customer-managed keys with Azure Key Vault or Key Vault Managed Hardware Security Model (HSM). Infrastructure-level encryption relies on Microsoft-managed keys and always uses a separate key. For more information about key management with Azure Storage encryption, see [About encryption key management](storage-service-encryption.md#about-encryption-key-management).

+For a reference of fields available in Azure Storage logs in Azure Monitor, see [Resource logs](../blobs/monitor-blob-storage-reference.md#resource-logs).

+Each service is accessed through a storage account with a unique address. To get started, see [Create a storage account](storage-account-create.md).

+- [Azure NetApp Files](../../azure-netapp-files/azure-netapp-files-introduction.md): Enterprise files storage, powered by NetApp: makes it easy for enterprise line-of-business (LOB) and storage professionals to migrate and run complex, file-based applications with no code change. Azure NetApp Files is managed via NetApp accounts and can be accessed via NFS, SMB and dual-protocol volumes. To get started, see [Create a NetApp account](../../azure-netapp-files/azure-netapp-files-create-netapp-account.md).

+For help in deciding which data services to use for your scenario, see [Review your storage options](/azure/cloud-adoption-framework/ready/considerations/storage-options) in the Microsoft Cloud Adoption Framework.

+Copy blobs to another storage account and add [blob index tags](../blobs/storage-manage-find-blobs.md) to the target blob.

+You can upload a file and add [blob index tags](../blobs/storage-manage-find-blobs.md) to the target blob.

+To log Azure Storage data with Azure Monitor and analyze it with Azure Log Analytics, you must first create a diagnostic setting that indicates what types of requests and for which storage services you want to log data. To create a diagnostic setting in the Azure portal, follow these steps:

+1. In the Monitoring section, select **Diagnostic settings**.

+For a reference of fields available in Azure Storage logs in Azure Monitor, see [Resource logs](../blobs/monitor-blob-storage-reference.md#resource-logs).

+1. Choose **Template deployment (deploy using custom templates)**, choose **Create**, and then choose **Build your own template in the editor**.

+This section highlights some of the key features of the Table service that are especially relevant to designing for performance and scalability. If you're new to Azure Storage and the Table service, first read [Get started with Azure Table Storage using .NET](../../cosmos-db/tutorial-develop-table-dotnet.md) before reading the remainder of this article. Although the focus of this guide is on the Table service, it includes discussion of the Azure Queue and Blob services, and how you might use them with the Table service.

+- [Azure Cognitive search](../search/search-what-is-azure-search.md) ([Scala](https://mmlspark.blob.core.windows.net/docs/0.10.2/scala/https://docsupdatetracker.net/index.html#com.microsoft.azure.synapse.ml.cognitive.search.AzureSearchWriter$), [Python](https://mmlspark.blob.core.windows.net/docs/0.10.2/pyspark/synapse.ml.cognitive.html#module-synapse.ml.cognitive.AzureSearchWriter))

+1. Follow the steps in [Getting started](../cognitive-services/big-dat) to set up your Azure Databricks and Cognitive Services environment. This tutorial shows you how to install SynapseML and how to create your Spark cluster in Databricks.

+The [Text Analytics for Health Service](../cognitive-services/language-service/text-analytics-for-health/overview.md?tabs=ner) extracts and labels relevant medical information from unstructured texts such as doctor's notes, discharge summaries, clinical documents, and electronic health records.

+```

+ Title: Spark Advisor

+description: Spark Advisor is a system to automatically analyze commands/queries, and show the appropriate advice when a customer executes code or query.

+# Spark Advisor

+Spark Advisor is a system to automatically analyze commands/queries, and show the appropriate advice when customer executes code or query. After applying the advice, you would have chance to improve your execution performance, decrease cost and fix the execution failures.

+## May return inconsistent results when using 'randomSplit'

+Inconsistent or inaccurate results may be returned when working with the results of the 'randomSplit' method. Use Apache Spark (RDD) caching before using the 'randomSplit' method.

+Method randomSplit() is equivalent to performing sample() on your data frame multiple times, with each sample refetching, partitioning, and sorting your data frame within partitions. The data distribution across partitions and sorting order is important for both randomSplit() and sample(). If either changes upon data refetch, there may be duplicates, or missing values across splits and the same sample using the same seed may produce different results.

+These inconsistencies may not happen on every run, but to eliminate them completely, cache your data frame, repartition on a column(s), or apply aggregate functions such as groupBy.

+## Table/view name is already in use

+A view already exists with the same name as the created table, or a table already exists with the same name as the created view.

+When this name is used in queries or applications, only the view will be returned no matter which one created first. To avoid conflicts, rename either the table or the view.

+## Hints related advise

+### Unable to recognize a hint

+The selected query contains a hint that isn't recognized. Verify that the hint is spelled correctly.

+### Unable to find a specified relation name(s)

+Unable to find the relation(s) specified in the hint. Verify that the relation(s) are spelled correctly and accessible within the scope of the hint.

+The selected query contains a hint that prevents another hint from being applied.

+## Enable 'spark.advise.divisionExprConvertRule.enable' to reduce rounding error propagation

+This query contains the expression with Double type. We recommend that you enable the configuration 'spark.advise.divisionExprConvertRule.enable', which can help reduce the division expressions and to reduce the rounding error propagation.

+## Enable 'spark.advise.nonEqJoinConvertRule.enable' to improve query performance

+This query contains time consuming join due to "Or" condition within query. We recommend that you enable the configuration 'spark.advise.nonEqJoinConvertRule.enable', which can help to convert the join triggered by "Or" condition to SMJ or BHJ to accelerate this query.

+## Optimize delta table with small files compaction

+This query is on a delta table with many small files. To improve the performance of queries, run the OPTIMIZE command on the delta table. More details could be found within this [article](https://aka.ms/small-file-advise-delta).

+## Optimize Delta table with ZOrder

+This query is on a Delta table and contains a highly selective filter. To improve the performance of queries, run the OPTIMIZE ZORDER BY command on the delta table. More details could be found within this [article](https://aka.ms/small-file-advise-delta).

+For more information on monitoring pipeline runs, see the [Monitor pipeline runs using Synapse Studio](how-to-monitor-pipeline-runs.md) article.

+- [Quickstart: Create an Apache Spark pool in Azure Synapse Analytics using web tools](../quickstart-create-apache-spark-pool-portal.md)

+- [What is Apache Spark in Azure Synapse Analytics](./apache-spark-overview.md)

+- [Automatically scale Azure Synapse Analytics Apache Spark pools](./apache-spark-autoscale.md)

+- [Azure Synapse Analytics](../index.yml)

+> Synapse Dedicated SQL pool is an evergreen platform service. Under [shared responsibility model in the cloud](../../security/fundamentals/shared-responsibility.md#division-of-responsibility), Microsoft continues to invest in advancements to underlying software and hardware which host dedicated SQL pool. As a result, the number of nodes or the type of computer hardware which underpins a given performance level (SLO) may change. The number of compute nodes listed here are provided as a reference, and shouldn't be used for sizing or performance purposes. Irrespective of number of nodes or underlying infrastructure, Microsoft's goal is to deliver performance in accordance with SLO; hence, we recommend that all sizing exercises must use cDWU as a guide. For more information on SLO and compute Data Warehouse Units, see [Data Warehouse Units (DWUs) for dedicated SQL pool (formerly SQL DW)](what-is-a-data-warehouse-unit-dwu-cdwu.md#service-level-objective).

+* [Analyzing your workload](analyze-your-workload.md)

+For more information, see [Resource Health](../../service-health/resource-health-overview.md).

+Create a [support ticket](sql-data-warehouse-get-started-create-support-ticket.md) so the engineering team can support you.

+If you use an Azure AD login without explicit credentials, make sure that your Azure AD identity can access the files in storage. To access the files, your Azure AD identity must have the **Blob Data Reader** permission, or permissions to **List** and **Read** [access control lists (ACL) in ADLS](../../storage/blobs/data-lake-storage-access-control-model.md). For more information, see [Query fails because file cannot be opened](#query-fails-because-file-cant-be-opened).

+- [Troubleshoot a slow query on a dedicated SQL Pool](/troubleshoot/azure/synapse-analytics/dedicated-sql/troubleshoot-dsql-perf-slow-query)

+| November 2022 | **Ingest data from Azure Stream Analytics into Synapse Data Explorer** | The ability to use a Streaming Analytics job to collect data from an event hub and send it to your Azure Data Explorer cluster is now generally available. For more information, see [Ingest data from Azure Stream Analytics into Azure Data Explorer](/azure/data-explorer/stream-analytics-connector) and [ADX output from Azure Stream Analytics](../stream-analytics/azure-database-explorer-output.md).|

+| November 2022 | **R Support (preview)** | Azure Synapse Analytics [now provides built-in R support for Apache Spark](./spark/apache-spark-r-language.md), currently in preview. For an example, [install an R library from CRAN and CRAN snapshots](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-november-update-2022/ba-p/3680019#TOCREF_16). |

+| November 2022 | **Ingest data from Azure Stream Analytics into Synapse Data Explorer** | The ability to use a Streaming Analytics job to collect data from an event hub and send it to your Azure Data Explorer cluster is now generally available. For more information, see [Ingest data from Azure Stream Analytics into Azure Data Explorer](/azure/data-explorer/stream-analytics-connector) and [ADX output from Azure Stream Analytics](../stream-analytics/azure-database-explorer-output.md).|

+This list refers to the list of regions where the *metadata* for the host pool will be stored. Session hosts added to a host pool can be located in any region, as well as on-premises when using [Azure Virtual Desktop on Azure Stack HCI](azure-stack-hci-overview.md).

+>This content applies to Azure Virtual Desktop with Azure Resource Manager Azure Virtual Desktop objects.

+- The remote client machines must be running at least Windows 10 and have the [Windows Desktop client](/windows-server/remote/remote-desktop-services/clients/windowsdesktop) installed. The web client isn't currently supported.

+> - Azure Virtual Desktop doesn't support 32-bit operating systems or SKUs not listed in the previous table.

+- You can't use the [manual connection approval method](../private-link/private-endpoint-overview.md#access-to-a-private-link-resource-using-approval-workflow) when using Private Link with Azure Virtual Desktop. We're aware of this issue and are working on fixing it.

+- See the [Required URL list](safe-url-list.md) for the list of URLs you'll need to unblock to ensure network access to the Azure Virtual Desktop service.

+> [Connect to the Remote Desktop client on Windows 10](./users/connect-windows.md)

+1. Sign in to your session host VM as an administrator and run the agent installer and bootloader for your session host VM:

+ - [Azure Virtual Desktop Agent](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWrmXv)

+ - [Azure Virtual Desktop Agent Bootloader](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWrxrH)

+1. In the search bar, enter **Azure Virtual Desktop** and select the matching service entry.

+Authentication issues can happen when your local Windows device doesn't have TLS 1.2 enabled. To enable TLS 1.2, you need to set the following registry values:

+- .NET Framework 4.6.2 or later. You may need to install this on Windows Server 2012 R2, Windows Server 2016, and some versions of Windows 10. To download the latest version, see [Download .NET Framework](https://dotnet.microsoft.com/download/dotnet-framework).

+- [Connect with the Windows Desktop client](connect-windows-2019.md)

+ Title: Connect to Azure Virtual Desktop (classic) Windows 10 or 7 - Azure

+description: How to connect to Azure Virtual Desktop (classic) using the Windows Desktop client.

+# Connect with the Windows Desktop (classic) client

+> Applies to: Windows 10 and Windows 10 IoT Enterprise

+>[!IMPORTANT]

+>This content applies to Azure Virtual Desktop (classic), which doesn't support Azure Resource Manager Azure Virtual Desktop objects. If you're trying to manage Azure Resource Manager Azure Virtual Desktop objects, see [this article](../users/connect-windows.md).

+You can access Azure Virtual Desktop resources on devices with Windows 10, and Windows 10 IoT Enterprise using the Windows Desktop client. The client doesn't support Windows 8 or Windows 8.1.

+>[!NOTE]

+>The Windows client automatically defaults to Azure Virtual Desktop (classic). However, if the client detects that the user also has Azure Resource Manager resources, it automatically adds the resources or notifies the user that they are available.

+> [!IMPORTANT]

+> - Azure Virtual Desktop doesn't support the RemoteApp and Desktop Connections (RADC) client or the Remote Desktop Connection (MSTSC) client.

+>

+> - Azure Virtual Desktop doesn't currently support the Remote Desktop client from the Windows Store.

+## Install the Windows Desktop client

+Choose the client that matches your version of Windows:

+- [Windows 64-bit](https://go.microsoft.com/fwlink/?linkid=2068602)

+- [Windows 32-bit](https://go.microsoft.com/fwlink/?linkid=2098960)

+- [Windows ARM64](https://go.microsoft.com/fwlink/?linkid=2098961)

+You can install the client for the current user, which doesn't require admin rights, or your admin can install and configure the client so that all users on the device can access it.

+Once installed, the client can be launched from the Start menu by searching for **Remote Desktop**.

+## Subscribe to a Workspace

+There are two ways you can subscribe to a Workspace. The client can try to discover the resources available to you from your work or school account or you can directly specify the URL where your resources are for cases where the client is unable to find them. Once you've subscribed to a Workspace, you can launch resources with one of the following methods:

+- Go to the Connection Center and double-click a resource to launch it.

+- You can also go to the Start menu and look for a folder with the Workspace name or enter the resource name in the search bar.

+### Subscribe with a user account

+1. From the main page of the client, select **Subscribe**.

+2. Sign in with your user account when prompted.

+3. The resources will appear in the Connection Center, and are grouped by workspace.

+### Subscribe with a URL

+1. From the main page of the client, select **Subscribe with URL**.

+2. Enter the Workspace URL or your email address:

+ - If you use the **Workspace URL**, use the one your admin gave you. If accessing resources from Azure Virtual Desktop, you can use one of the following URLs:

+ - Azure Virtual Desktop (classic): `https://rdweb.wvd.microsoft.com/api/feeddiscovery/webfeeddiscovery.aspx`

+ - Azure Virtual Desktop: `https://rdweb.wvd.microsoft.com/api/arm/feeddiscovery`

+ - If you're using the **Email** field instead, enter your email address. This tells the client to search for a URL associated with your email address if your admin has set up [email discovery](/windows-server/remote/remote-desktop-services/rds-email-discovery).

+3. Select **Next**.

+4. Sign in with your user account when prompted.

+5. The resources should appear in the Connection Center, grouped by workspace.

+## Next steps

+To learn more about how to use the Windows Desktop client, check out [Get started with the Windows Desktop client](/windows-server/remote/remote-desktop-services/clients/windowsdesktop/).

+- [Remote Desktop client for Windows 10](connect-windows-2019.md)

+- [Azure Virtual Desktop web client](connect-web-2019.md)

+ - [Connect from the Windows Desktop client](connect-windows-2019.md)

+ - [Connect from a web browser](connect-web-2019.md)

+- [Connect with the Windows Desktop client](connect-windows-2019.md)

+- [Connect from the Windows Desktop client](connect-windows-2019.md)

+- [Connect with the Windows Desktop client](connect-windows-2019.md)

+> [Connect to the Remote Desktop client on Windows](connect-windows-2019.md)

+* [Manage users, SSH, and check or repair disks on Azure Linux VMs using the 'VMAccess' Extension](./extensions/vmaccess.md)

+| Standard_HB120-96rs_v2 | 96 | AMD EPYC 7V12 | 456 | 350 | 2.45 | 3.1 | 3.3 | 200 | All | 480 + 960 | 8 | 8 |

+| Standard_HB120-64rs_v2 | 64 | AMD EPYC 7V12 | 456 | 350 | 2.45 | 3.1 | 3.3 | 200 | All | 480 + 960 | 8 | 8 |

+| Standard_HB120-32rs_v2 | 32 | AMD EPYC 7V12 | 456 | 350 | 2.45 | 3.1 | 3.3 | 200 | All | 480 + 960 | 8 | 8 |

+| Standard_HB120-16rs_v2 | 16 | AMD EPYC 7V12 | 456 | 350 | 2.45 | 3.1 | 3.3 | 200 | All | 480 + 960 | 8 | 8 |

+ For more information on the waagent.conf configuration options, see the [Linux agent configuration](../extensions/agent-linux.md#configuration) documentation.

+You're now ready to use your SUSE Linux virtual hard disk to create new virtual machines in Azure. If this is the first time that you're uploading the .vhd file to Azure, see [Create a Linux VM from a custom disk](upload-vhd.md#option-1-upload-a-vhd).

+You can perform the deployment and configuration activities from either Azure Pipelines or by using the provided shell scripts directly from Azure hosted Linux virtual machines. This environment is referred to as the control plane. For setting up Azure DevOps for the deployment framework, see [Set up Azure DevOps for SDAF](./automation-configure-control-plane.md).

+> [About manual deployments of automation framework](automation-manual-deployment.md)

+- A decision about which Azure regions to deploy to. See the [list of Azure regions](https://azure.microsoft.com/global-infrastructure/regions/), and list of [regions with availability zone support](../../../reliability/availability-zones-service-support.md). To learn which services are available in each region, see [products available by region](https://azure.microsoft.com/global-infrastructure/services/).

+ - Look into Azure Site Recovery as a method for replicating the SAP application layer into the Azure DR region. For more information, see a [set-up disaster recovery for a multi-tier SAP NetWeaver app deployment](../../../site-recovery/site-recovery-sap.md).

+ - [Azure Center for SAP solutions](../../../center-sap-solutions/index.yml) ΓÇô Azure service to deploy and operate a SAP systemΓÇÖs infrastructure

+ - Evaluate and test the sizing of your Azure VMs for maximum storage and network throughput of the VM types you chose during the planning phase. Details of [VM performance limits](../../sizes.md) are available, for storage itΓÇÖs important to consider the limit of max uncached disk throughput for sizing. Carefully consider sizing and temporary effects of [disk and VM level bursting](../../disk-bursting.md).

+ - [Build a generalized image of a Windows VM deployed in Azure](../../windows/capture-image-resource.md)

+ - [Build a generalized image of a Linux VM deployed in Azure](../../linux/capture-image.md)

+ - Choosing an OS image determines the type of Azure VMΓÇÖs generation. Azure supports both [Hyper-V generation 1 and 2 VMs](../../generation-2.md). Some VM families are available as [generation 2 only](../../generation-2.md#generation-2-vm-sizes), some VM families are certified for SAP use as generation 2 only ([SAP note 1928533](https://launchpad.support.sap.com/#/notes/1928533)) even if Azure allows both generations. **It is recommended to use generation 2 VM for every VM of SAP landscape.**

+ - Use [Azure premium storage](../../disks-types.md#premium-ssds), [premium storage v2](../../disks-types.md#premium-ssd-v2) for all production grade SAP environments and when ensuring high SLA. For some DBMS, Azure NetApp Files can be used for [large parts of the overall storage requirements](./planning-guide-storage.md#azure-netapp-files-anf).

+ - At a minimum, use [Azure standard SSD](../../disks-types.md#standard-ssds) storage for VMs that represent SAP application layers and for deployment of DBMSs that aren't performance sensitive. Keep in mind different Azure storage types influence the [single VM availability SLA](https://azure.microsoft.com/support/legal/sla/virtual-machines).

+ - Costs of data exchange [between peered Azure virtual networks](../../../virtual-network/virtual-network-peering-overview.md)

+ - You can use [application security group and network security group rules](../../..//virtual-network/network-security-groups-overview.md) to secure communication paths to and between the SAP application layer and the SAP DBMS layer.

+ - Make sure that [accelerated networking](../../../virtual-network/accelerated-networking-overview.md) is enabled on every VM used for SAP.

+ - Always use standard load balancer for clustered environments. Basic load balancer will be [retired](../../../load-balancer/skus.md).

+ - If you deploy the SAP application layer without defining a specific availability zone, make sure that all VMs that run SAP application instances of a single SAP system are deployed in an [availability set](../../availability-set-overview.md).

+ - Verify that [network security group and ASG rules](../../../virtual-network/network-security-groups-overview.md) work as expected and shield the protected resources.

+ - For storage encryption, server-side encryption with platform managed key (SSE-PMK) is enabled for every storage service used for SAP in Azure by default, including managed disks, Azure Files and Azure NetApp Files. [Key management](../../disk-encryption.md) with customer managed keys can be considered, if required for customer owned key rotation.

+ - [Host based server-side encryption](../../disk-encryption.md#encryption-at-hostend-to-end-encryption-for-your-vm-data) should not be enabled for performance reasons on M-series family Linux VMs.

+ - Do not use Azure Disk Encryption on Linux with SAP as [OS images ΓÇÿfor SAPΓÇÖ](../../linux/disk-encryption-overview.md#supported-operating-systems) are not supported.

+- Verify that Azure portal monitoring and other monitoring tools are working. Use Azure tools such as [Azure Monitor](../../../azure-monitor/overview.md) for infrastructure monitoring. [Azure Monitor for SAP](./monitor-sap-on-azure.md) for a combination of OS and application KPIs, allowing you to integrate all in one dashboard for visibility during and after go-live.

+10. [Azure managed disks](https://azure.microsoft.com/services/managed-disks/) or [Azure NetApp Files](../../../azure-netapp-files/azure-netapp-files-solution-architectures.md#sap-on-azure-solutions) NFS volumes are used exclusively for DBMS VMs.

+11. For Azure NetApp Files, [correct mount options are used](../../../azure-netapp-files/performance-linux-mount-options.md) and volumes are sized appropriately on correct storage tier.

+13. [Azure accelerated networking](../../../virtual-network/accelerated-networking-overview.md) is enabled on every network interface for all SAP VMs.

+> Same [quality checks and additional insights](../../../center-sap-solutions/get-quality-checks-insights.md) are executed regularly when SAP systems are deployed or registered with [Azure Center for SAP solution](../../../center-sap-solutions/index.yml) as well and are part of the service.

+> * [Azure Virtual Machines deployment for SAP NetWeaver](./deployment-guide.md)

+- [Tutorial: Azure Active Directory Single sign-on (SSO) integration with SAP NetWeaver](../../../active-directory/saas-apps/sap-netweaver-tutorial.md)

+- [Tutorial: Azure Active Directory single sign-on (SSO) integration with SAP Fiori](../../../active-directory/saas-apps/sap-fiori-tutorial.md)

+- [Tutorial: Azure Active Directory integration with SAP HANA](../../../active-directory/saas-apps/saphana-tutorial.md)

+- [SAP Data Integration Using Azure Data Factory](https://github.com/Azure/Azure-DataFactory/blob/main/whitepaper/SAP%20Data%20Integration%20using%20Azure%20Data%20Factory.pdf)

+For more information about Azure DNS, see [What is Azure DNS?](../dns/dns-overview.md).

+- [What is Azure Kubernetes Service?](../aks/intro-kubernetes.md)

+- [Deploy the Azure Virtual Network container network interface plug-in](deploy-container-networking.md)

+- [What is Azure Kubernetes Service?](../aks/intro-kubernetes.md)

+- [Deploy the Azure Virtual Network container network interface plug-in](deploy-container-networking.md)

+| 4 | 10.0.0.1: 4285 | 65.52.1.1: **1234** | 23.53.254.143: 80 |

+| TCP RST | After a connection is closed by a TCP RST packet (reset), a 20-second timer is activated that holds down the SNAT port. When the timer ends, the port is available for reuse. | 16 seconds |

+* NAT gateway can be used to provide outbound connectivity in a hub and spoke model when associated with Azure Firewall. NAT gateway can be associated to an Azure Firewall subnet in a hub virtual network and provide outbound connectivity from spoke virtual networks peered to the hub. To learn more, see [Azure Firewall integration with NAT gateway](../../firewall/integrate-with-nat-gateway.md).

+* To learn more about architecture options for Azure Virtual Network NAT, see [Azure Well-Architected Framework review of an Azure NAT gateway](/azure/architecture/networking/guide/well-architected-network-address-translation-gateway).

+NAT gateway must be detached from all subnets within a virtual network before the resource can be removed or deleted. See [Remove NAT gateway from an existing subnet and delete the resource](./manage-nat-gateway.md?tabs=manage-nat-portal#remove-a-nat-gateway-from-an-existing-subnet-and-delete-the-resource) for step by step guidance.

+NAT gateway is a [zonal resource](./nat-availability-zones.md) and can either be designated to a specific zone or to ΓÇÿno zoneΓÇÖ. When NAT gateway is placed in ΓÇÿno zoneΓÇÖ, Azure places the NAT gateway into a zone for you, but you don't have visibility into which zone the NAT gateway is located.

+* [Manage NAT gateway](./manage-nat-gateway.md)

+* [Metrics and alerts for NAT gateway resources](nat-metrics.md).

+|Data|[RedisCache](../azure-cache-for-redis/cache-how-to-premium-vnet.md?toc=%2fazure%2fvirtual-network%2ftoc.json)<br/>[Azure SQL Managed Instance](/azure/azure-sql/managed-instance/connectivity-architecture-overview?toc=%2fazure%2fvirtual-network%2ftoc.json) </br> [Azure Database for MySQL - Flexible Server](../mysql/flexible-server/concepts-networking-vnet.md) </br> [Azure Database for PostgreSQL - Flexible Server](../postgresql/flexible-server/concepts-networking.md#private-access-vnet-integration)| Yes <br/> Yes <br/> Yes </br> Yes |

+² It's recommended as a best practice to have these services in a dedicated subnet, but not a mandatory requirement imposed by the service.

+## 1. Generate VPN client configuration files

+## 2. Generate client certificates

+## 3. Configure the VPN client