+| Windows Server 2016 | [October 12, 2021ΓÇöKB5006669 (OS Build 14393.4704)](https://support.microsoft.com/topic/october-12-2021-kb5006669-os-build-14393-4704-bcc95546-0768-49ae-bec9-240cc59df384) |

+- Methods registered (Email, Mobile Phone, Alternative Mobile Phone, Office Phone, Microsoft Authenticator Push, Software One Time Passcode, FIDO2, Security Key, Security questions, Hardware OATH token)

+- The **PhoneAppNotification** or **PhoneAppOTP** methods that a user might have configured are not displayed in the dashboard on **Azure AD Authentication methods - Policies**.

+> [!IMPORTANT]

+> The following installation instructions assume that you've met all the [prerequisites](how-to-prerequisites.md).

+>This article deals with installing the provisioning agent by using the wizard. For information about installing the Azure AD Connect provisioning agent by using a CLI, see [Install the Azure AD Connect provisioning agent by using a CLI and PowerShell](how-to-install-pshell.md).

+For more information and an example, view the following video:

+A group Managed Service Account (gMSA) is a managed domain account that provides automatic password management, simplified service principal name (SPN) management, and the ability to delegate the management to other administrators. A gMSA also extends this functionality over multiple servers. Azure AD Connect cloud sync supports and recommends the use of a gMSA for running the agent. For more information, see [Group Managed Service Accounts](how-to-prerequisites.md#group-managed-service-accounts).

+### Update an existing agent to use the gMSA

+To update an existing agent to use the Group Managed Service Account created during installation, upgrade the agent service to the latest version by running *AADConnectProvisioningAgent.msi*. Now run through the installation wizard again and provide the credentials to create the account when you're prompted to do so.

+## Verify the agent installation

+> After you've installed the agent, you must configure and enable it before it will start synchronizing users. To configure a new agent, see [Create a new configuration for Azure AD Connect cloud sync](how-to-configure.md).

+To use *password writeback* and enable the self-service password reset (SSPR) service to detect the cloud sync agent, use the `Set-AADCloudSyncPasswordWritebackConfiguration` cmdlet and the tenantΓÇÖs global administrator credentials:

+For more information about using password writeback with Azure AD Connect cloud sync, see [Tutorial: Enable cloud sync self-service password reset writeback to an on-premises environment (preview)](../../active-directory/authentication/tutorial-enable-cloud-sync-sspr-writeback.md).

+## Install an agent in the US government cloud

+By default, the Azure AD Connect provisioning agent is installed in the default Azure environment. If you're installing the agent for US government use, make this change in step 7 of the preceding installation procedure:

+- Instead of selecting **Open file**, select **Start** > **Run**, and then go to the *AADConnectProvisioningAgentSetup.exe* file. In the **Run** box, after the executable, enter **ENVIRONMENTNAME=AzureUSGovernment**, and then select **OK**.

+ [](media/how-to-install/new-install-12.png#lightbox)

+If your server has been locked down according to the Federal Information Processing Standard (FIPS), MD5 (message-digest algorithm 5) is disabled.

+To enable MD5 for password hash synchronization, do the following:

+1. Open *AADConnectProvisioningAgent.exe.config*.

+1. Go to the configuration/runtime node at the top of the file.

+1. Add the `<enforceFIPSPolicy enabled="false"/>` node.

+1. Save your changes.

+For reference, your code should look like the following snippet:

+For more information about security and FIPS, see [Azure AD password hash sync, encryption, and FIPS compliance](https://blogs.technet.microsoft.com/enterprisemobility/2014/06/28/aad-password-sync-encryption-and-fips-compliance/).

+ Title: Tutorial - Integrate an existing forest and a new forest with a single Azure AD tenant by using Azure AD Connect cloud sync

+# Tutorial: Integrate an existing forest and a new forest with a single Azure AD tenant

+In this scenario, you sync an existing forest with an Azure AD tenant by using Azure Active Directory (Azure AD) Connect. You want to sync a new forest with the same Azure AD tenant. You'll set up cloud sync for the new forest.

+Before you begin, set up your environments.

+### In the Azure AD admin center

+1. Create a cloud-only global administrator account on your Azure AD tenant.

+ This way, you can manage the configuration of your tenant if your on-premises services fail or become unavailable. [Learn how to add a cloud-only global administrator account](../fundamentals/add-users-azure-active-directory.md). Complete this step to ensure that you don't get locked out of your tenant.

+1. Add one or more [custom domain names](../fundamentals/add-custom-domain.md) to your Azure AD tenant. Your users can sign in with one of these domain names.

+1. Identify a domain-joined host server that's running Windows Server 2012 R2 or later, with at least 4 GB of RAM and .NET 4.7.1+ runtime.

+1. If there's a firewall between your servers and Azure AD, configure the following items:

+ | **80** | Downloads the certificate revocation lists (CRLs) while it validates the TLS/SSL certificate. |

+ | **443** | Handles all outbound communication with the service. |

+ | **8080** (optional) | Agents report their status every 10 minutes over port 8080, if port 443 is unavailable. This status is displayed in the Azure AD portal. |

+ - If your firewall or proxy allows you to specify safe suffixes, add connections to **\*.msappproxy.net** and **\*.servicebus.windows.net**. If it doesn't, allow access to the [Azure datacenter IP ranges](https://www.microsoft.com/download/details.aspx?id=41653), which are updated weekly.

+ - For certificate validation, unblock the following URLs: **mscrl.microsoft.com:80**, **crl.microsoft.com:80**, **ocsp.msocsp.com:80**, and **www\.microsoft.com:80**. Because these URLs are used to validate certificates for other Microsoft products, you might already have these URLs unblocked.

+If you're using the [Basic Active Directory and Azure environment](tutorial-basic-ad-azure.md) tutorial, the agent is DC1. To install the agent, do the following:

+To configure the cloud sync setup, do the following:

+1. Select **Azure Active Directory**.

+1. Select **Azure AD Connect**.

+1. Select **Manage cloud sync**.

+ 

+1. Select **New Configuration**.

+ 

+1. On the **Configuration** page, enter a **Notification email**, move the selector to **Enable**, and then select **Save**.

+ 

+ 

+## Verify that users are created and synchronization is occurring

+You'll now verify that the users in your on-premises Active Directory have been synchronized and exist in your Azure AD tenant. This process might take a few hours to complete. To verify that the users are synchronized, do the following:

+1. Sign in to the [Azure portal](https://portal.azure.com) with an account that has an Azure subscription.

+1. On the left pane, select **Azure Active Directory**.

+1. Under **Manage**, select **Users**.

+1. Verify that the new users are displayed in your tenant.

+## Test signing in with one of your users

+1. Go to the [Microsoft My Apps](https://myapps.microsoft.com) page.

+1. Sign in with a user account that was created in your new tenant. You'll need to sign in by using the following format: *user@domain.onmicrosoft.com*. Use the same password that the user uses to sign in on-premises.

+ 

+ Title: Tutorial - Pilot Azure AD Connect cloud sync for an existing synced Active Directory forest

+description: Learn how to pilot cloud sync for a test Active Directory forest that is already synced by using Azure Active Directory (Azure AD) Connect sync.

+# Pilot cloud sync for an existing synced Active Directory forest

+This tutorial walks you through piloting cloud sync for a test Active Directory forest that's already synced by using Azure Active Directory (Azure AD) Connect sync.

+Before you try this tutorial, keep the following in mind:

+* You should be familiar with the basics of cloud sync.

+* Ensure that you're running Azure AD Connect cloud sync version 1.4.32.0 or later and you've configured the sync rules as documented.

+* When you're piloting, you'll be removing a test organizational unit (OU) or group from the Azure AD Connect sync scope. Moving objects out of scope leads to deletion of those objects in Azure AD.

+ - **User objects**: The objects in Azure AD that are soft-deleted and can be restored.

+ - **Group objects**: The objects in Azure AD that are hard-deleted and can't be restored.

+ A new link type has been introduced in Azure AD Connect sync, which will prevent deletions in a piloting scenario.

+* Ensure that the objects in the pilot scope have *ms-ds-consistencyGUID* populated so that cloud sync hard matches the objects.

+ > Azure AD Connect sync doesn't populate *ms-ds-consistencyGUID* by default for group objects.

+* This configuration is for advanced scenarios. Be sure to follow the steps documented in this tutorial precisely.

+Before you begin, be sure that you've set up your environment to meet the following prerequisites:

+- A test environment with [Azure AD connect version 1.4.32.0 or later](https://www.microsoft.com/download/details.aspx?id=47594).

+

+ To update Azure AD Connect sync, complete the steps in [Azure AD Connect: Upgrade to the latest version](../hybrid/how-to-upgrade-previous-version.md).

+- An OU or group that's in scope of sync and can be used in the pilot. We recommend starting with a small set of objects.

+- Windows Server 2012 R2 or later, which will host the provisioning agent.

+- The source anchor for Azure AD Connect sync should be either *objectGuid* or *ms-ds-consistencyGUID*.

+Azure AD Connect sync synchronizes changes occurring in your on-premises directory by using a scheduler. To modify and add custom rules, disable the scheduler so that synchronizations won't run while you're making the changes. To stop the scheduler:

+1. On the server that's running Azure AD Connect sync, open PowerShell with administrative privileges.

+1. Run `Stop-ADSyncSyncCycle`, and then select **Enter**.

+1. Run `Set-ADSyncScheduler -SyncCycleEnabled $false`.

+>If you're running your own custom scheduler for Azure AD Connect sync, be sure to disable the scheduler.

+## Create a custom user inbound rule

+1. Open **Synchronization Rules Editor** from the application menu in the desktop, as shown in the following screenshot:

+ 

+1. Under **Direction**, select **Inbound** from the dropdown list, and then select **Add new rule**.

+ 

+1. On the **Description** page, do the following:

+ - **Name**: Give the rule a meaningful name.

+ - **Description**: Add a meaningful description.

+ - **Connected System**: Select the Active Directory connector that you're writing the custom sync rule for.

+ - **Connected System Object Type**: Select **User**.

+ - **Metaverse Object Type**: Select **Person**.

+ - **Link Type**: Select **Join**.

+ - **Precedence**: Enter a value that's unique in the system.

+ - **Tag**: Leave this field empty.

+1. On the **Scoping filter** page, enter the OU or security group that the pilot is based on.

+

+ To filter on OU, add the OU portion of the *distinguished name* (DN). This rule will be applied to all users who are in that OU. for example, if DN ends with "OU=CPUsers,DC=contoso,DC=com, add this filter.

+ |Scoping&nbsp;OU|DN|ENDSWITH|The distinguished name of the OU.|

+ |Scoping&nbsp;group||ISMEMBEROF|The distinguished name of the security group.|

+ 

+1. Select **Next**.

+1. On the **Join** rules page, select **Next**.

+1. Under **Add transformations**, do the following:

+

+ * **FlowType**: Select **Constant**.

+ * **Target Attribute**: Select **cloudNoFlow**.

+ * **Source**: Select **True**.

+1. Select **Next**.

+1. Select **Add**.

+Follow the same steps for all object types (*user*, *group*, and *contact*). Repeat the steps for each configured AD Connector and Active Directory forest.

+## Create a custom user outbound rule

+1. In the **Direction** dropdown list, select **Outbound**, and then select **Add rule**.

+ 

+1. On the **Description** page, do the following:

+ - **Name**: Give the rule a meaningful name.

+ - **Description**: Add a meaningful description.

+ - **Connected System**: Select the Azure AD connector that you're writing the custom sync rule for.

+ - **Connected System Object Type**: Select **User**.

+ - **Metaverse Object Type**: Select **Person**.

+ - **Link Type**: Select **JoinNoFlow**.

+ - **Precedence**: Enter a value that's unique in the system.

+ - **Tag**: Leave this field empty.

+ 

+1. Select **Next**.

+1. On the **Create outbound synchronization rule** pane, under **Add scoping filters**, do the following:

+

+ * **Attribute**: Select **cloudNoFlow**.

+ * **Operator**: Select **EQUAL**.

+ * **Value**: Select **True**.

+1. Select **Next**.

+1. On the **Join** rules pane, select **Next**.

+1. On the **Transformations** pane, select **Add**.

+Follow the same steps for all object types (*user*, *group*, and *contact*).

+If you're using the [Basic Active Directory and Azure environment](tutorial-basic-ad-azure.md) tutorial, the agent is CP1. To install the agent, do the following:

+## Verify the agent installation

+To configure the cloud sync setup, do the following:

+1. Sign in to the Azure AD portal.

+1. Select **Azure Active Directory**.

+1. Select **Azure AD Connect**.

+1. Select the **Manage provisioning (Preview)** link.

+ 

+1. Select **New Configuration**

+ 

+1. On the **Configure** pane, under **Settings**, enter a **Notification email** and then, under **Deploy**, move the selector to **Enable**.

+ 

+1. Select **Save**.

+1. Under **Scope**, select the **All users** link to change the scope of the configuration rule.

+ 

+1. Under **Scope users**, change the scope to include the OU that you created: **OU=CPUsers,DC=contoso,DC=com**.

+ 

+1. Select **Done** and **Save**.

+ The scope should now be set to **1 organizational unit**.

+ 

+## Verify that users have been set up by cloud sync

+You'll now verify that the users in your on-premises Active Directory have been synchronized and now exist in your Azure AD tenant. This process might take a few hours to complete. To verify that the users have been synchronized, do the following:

+1. Sign in to the [Azure portal](https://portal.azure.com) with an account that has an Azure subscription.

+1. On the left pane, select **Azure Active Directory**.

+1. Select **Azure AD Connect**.

+1. Select **Manage cloud sync**.

+1. Select the **Logs** button.

+1. Search for a username to confirm that the user has been set up by cloud sync.

+Azure AD Connect sync synchronizes changes that occur in your on-premises directory by using a scheduler. Now that you've modified the rules, you can restart the scheduler.

+1. On the server that's running Azure AD Connect sync, open PowerShell with administrative privileges.

+1. Run `Set-ADSyncScheduler -SyncCycleEnabled $true`.

+1. Run `Start-ADSyncSyncCycle`, and then select <kbd>Enter</kbd>.

+> If you're running your own custom scheduler for Azure AD Connect sync, be sure to enable the scheduler.

+After the scheduler is enabled, Azure AD Connect stops exporting any changes on objects with `cloudNoFlow=true` in the metaverse, unless any reference attribute (such as `manager`) is being updated.

+If there's any reference attribute update on the object, Azure AD Connect will ignore the `cloudNoFlow` signal and export all updates on the object.

+## Does your setup work?

+If the pilot doesn't work as you had expected, you can go back to the Azure AD Connect sync setup by doing the following:

+1. Disable the provisioning configuration in the Azure portal.

+1. Disable all the custom sync rules that were created for cloud provisioning by using the Sync Rule Editor tool. Disabling the rules should result in a full sync of all the connectors.

+description: This article describes the prerequisites and the hardware requirements for using Azure AD Connect cloud sync.

+This tutorial walks you through creating a hybrid identity environment by using Azure Active Directory (Azure AD) Connect cloud sync.

+Before you begin, set up your environments by doing the following.

+1. Create a cloud-only global administrator account on your Azure AD tenant.

+ This way, you can manage the configuration of your tenant if your on-premises services fail or become unavailable. [Learn how to add a cloud-only global administrator account](../fundamentals/add-users-azure-active-directory.md). Complete this step to ensure that you don't get locked out of your tenant.

+1. Add one or more [custom domain names](../fundamentals/add-custom-domain.md) to your Azure AD tenant. Your users can sign in with one of these domain names.

+1. Identify a domain-joined host server that's running Windows Server 2016 or later, with at least 4 GB of RAM and .NET 4.7.1+ runtime.

+1. If there's a firewall between your servers and Azure AD, configure the following items:

+ | **80** | Downloads the certificate revocation lists (CRLs) while it validates the TLS/SSL certificate. |

+ | **443** | Handles all outbound communication with the service. |

+ | **8080** (optional) | Agents report their status every 10 minutes over port 8080, if port 443 is unavailable. This status is displayed in the Azure AD portal. |

+ - If your firewall or proxy allows you to specify safe suffixes, add connections to **\*.msappproxy.net** and **\*.servicebus.windows.net**. If not, allow access to the [Azure datacenter IP ranges](https://www.microsoft.com/download/details.aspx?id=41653), which are updated weekly.

+ - For certificate validation, unblock the following URLs: **mscrl.microsoft.com:80**, **crl.microsoft.com:80**, **ocsp.msocsp.com:80**, and **www\.microsoft.com:80**. Because these URLs are used to validate certificates for other Microsoft products, you might already have these URLs unblocked.

+If you're using the [Basic Active Directory and Azure environment](tutorial-basic-ad-azure.md) tutorial, it would be DC1. To install the agent, follow these steps:

+To configure provisioning, do the following:

+1. Sign in to the Azure AD portal.

+1. Select **Azure Active Directory**.

+1. Select **Azure AD Connect**.

+1. Select **Manage cloud sync**.

+ 

+1. Select **New Configuration**.

+ 

+1. On the **Configuration** page, enter a **Notification email**, move the selector to **Enable**, and then select **Save**.

+ 

+1. The configuration status should now be **Healthy**.

+ 

+## Verify that users are created and synchronization is occurring

+You'll now verify that the users in your on-premises directory have been synchronized and exist in your Azure AD tenant. This process might take a few hours to complete. To verify that the users are synchronized, do the following:

+1. Sign in to the [Azure portal](https://portal.azure.com) with an account that has an Azure subscription.

+1. On the left pane, select **Azure Active Directory**.

+1. Under **Manage**, select **Users**.

+1. Verify that the new users are displayed in your tenant.

+1. Go to the [Microsoft My Apps](https://myapps.microsoft.com) page.

+1. Sign in with a user account that was created in your new tenant. You'll need to sign in by using the following format: *user@domain.onmicrosoft.com*. Use the same password that the user uses to sign in on-premises.

+ 

+You have now successfully set up a hybrid identity environment that you can use to test and familiarize yourself with what Azure has to offer.

+- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)

+- [Microsoft Power Apps](/power-apps) (in Public Preview)

+# Customer intent: As a tenant administrator, I want to set up Facebook as an identity provider for guest user login.

+After you've added Facebook as one of your application's sign-in options, on the **Sign in** page, a user can simply enter the email they use to sign in to Facebook, or they can select **Sign-in options** and choose **Sign in with Facebook**. In either case, they'll be redirected to the Facebook sign in page for authentication.

+2. If you haven't already done so, you need to register as a Facebook developer. To do this, select **Get Started** on the upper-right corner of the page, accept Facebook's policies, and complete the registration steps.

+1. **Select an app type** and then **Details**

+1. **Add an app name** and a valid **App contact email**.

+1. Select **Create app**. This may require you to accept Facebook platform policies and complete an online security check.

+1. Select **Settings** > **Basic**.

+1. Choose a **Category**, for example **Business and pages**. This value is required by Facebook, but not used for Azure AD.

+1. At the bottom of the page, select **Add Platform**, and then select **Website**.

+1. In **Site URL**, enter the appropriate URL (noted above).

+1. In **Privacy Policy URL** at the top of the page, enter the URL for the page where you maintain privacy information for your application, for example `http://www.contoso.com`.

+1. Select **Save changes**.

+1. At the top of the page, copy the value of **App ID**.

+1. At the top of the page, select **Show** and copy the value of **App secret**. You use both of them to configure Facebook as an identity provider in your tenant. **App secret** is an important security credential.

+1. In the left menu select **Add Product** next to **Products**, and then select **Set up** under **Facebook Login**.

+1. Under **Facebook Login** in the left, select **Settings**.

+1. In **Valid OAuth redirect URIs**, enter the appropriate URL (noted above).

+1. Select **Save changes** at the bottom of the page.

+1. To make your Facebook application available to Azure AD, select the **App Mode** selector at the top of the page and turn it **Live** to make the Application public.

+6. For the **Client secret**, enter the **App secret** that you recorded.

+ :::image type="content" source="media/facebook-federation/add-social-identity-provider-page.png" alt-text="Screenshot showing the Add social identity provider page.":::

+You can delete your Facebook federation setup. If you do so, any users who have signed up through user flows with their Facebook accounts will no longer be able to sign in.

+1. Sign in to the [Azure portal](https://portal.azure.com) as the global administrator of your Azure AD tenant.

+2. Under **Azure services**, select **Azure Active Directory**.

+3. In the left menu, select **External Identities**.

+4. Select the **Facebook** line, and then select **Delete**.

+- [Add self-service sign-up to an app](self-service-sign-up-user-flow.md)

+- [SAML/WS-Fed IdP federation](direct-federation.md)

+- [Google federation](google-federation.md)

+ Title: Add Microsoft account (MSA) as an identity provider - Azure AD

+#Customer intent: As an Azure AD administrator user, I want to set up an invitation flow or a self-service sign-up user flow for guest users, so they can sign into my Azure AD apps with their Microsoft account (MSA).

+Microsoft account is available by default in the list of **External Identities** > **All identity providers**. No further configuration is needed to allow guest users to sign in with their Microsoft account, using either the invitation flow, or a self-service sign-up user flow.

+As of November 2020, new application registrations show up as unverified in the user consent prompt, unless [the application's publisher domain is verified](../develop/howto-configure-publisher-domain.md), ***and*** the companyΓÇÖs identity has been verified with the Microsoft Partner Network and associated with the application. For Azure AD user flows, the publisherΓÇÖs domain appears only when using a Microsoft account or another Azure AD tenant as the identity provider. To meet these new requirements, follow the steps below:

+- [Publisher verification overview](../develop/publisher-verification-overview.md)

+- [Add Azure Active Directory (Azure AD) as an identity provider for External Identities](azure-ad-account.md)

+# Customer intent: As a tenant administrator, I want to add API connectors for custom approval workflows in self-service sign-up.

+12. Copy the value of the client secret. Client secret values can be viewed only immediately after creation. Make sure to save the secret when created, before leaving the page.

+Your approval system can use its responses when called to control the sign-up flow.

+The exact claims sent to the API depend on which information is provided by the identity provider. 'email' is always sent.

+- The user hasn't previously requested an approval.

+The exact claims sent to the API depend on which information is collected from the user or is provided by the identity provider.

+- [Add a self-service sign-up user flow](self-service-sign-up-user-flow.md)

+- [Add an API connector](self-service-sign-up-add-api-connector.md)

+- [Secure your API connector](self-service-sign-up-secure-api-connector.md)

+- [self-service sign-up for guest users with manual approval sample](code-samples-self-service-sign-up.md#custom-approval-workflows).

+# Customer intent: As a tenant administrator, I want to set up user flows that allow a user to sign up for an app and create a new guest account.

+For applications you build, you can create user flows that allow a user to sign up for an app and create a new guest account. A self-service sign-up user flow defines the series of steps the user will follow during sign-up, the [identity providers](identity-providers.md) you'll allow them to use, and the user attributes you want to collect. You can associate one or more applications with a single user flow.

+Azure AD is the default identity provider for self-service sign-up. This means that users are able to sign up by default with an Azure AD account. In your self-service sign-up user flows, you can also include social identity providers like Google and Facebook, Microsoft Account, and the email one-time passcode feature. For more information, see these articles:

+- [Add Facebook to your list of social identity providers](facebook-federation.md)

+- [Add Microsoft account as an identity provider](microsoft-account.md)

+- [Email one-time passcode authentication](one-time-passcode.md)

+1. Under **Manage** in the left menu, select **Users**.

+1. Select **User settings**, and then under **External users**, select **Manage external collaboration settings**.

+1. Set the **Enable guest self-service sign up via user flows** toggle to **Yes**.

+KMSI setting is available in User settings. Some features of SharePoint Online and Office 2010 depend on users being able to choose to remain signed in. If you uncheck the **Show option to remain signed in** option, your users may see other unexpected prompts during the sign-in process.

+You can stop users from seeing the interrupt by setting the **Show option to remain signed in** setting to **No** in the user settings. This setting disables the KMSI prompt for all users in your Azure AD directory.

+The default sign-in experience is the global look and feel that applies across all sign-ins to your tenant. Before you customize any settings, the default Microsoft branding will appear in your sign-in pages. You can customize this default experience with a custom background image or color, favicon, layout, header, and footer. You can also upload a custom CSS.

+The updated experience for adding company branding covered in this article is available as an Azure AD preview feature. To opt in and explore the new experience, go to **Azure AD** > **Preview features** and enable the **Enhanced Company Branding** feature. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+## User experience

+You can customize the sign-in pages when users access your organization's tenant-specific apps. For Microsoft and SaaS applications (multi-tenant apps) such as <https://myapps.microsoft.com>, or <https://outlook.com> the customized sign-in page appears only after the user types their **Email**, or **Phone**, and select **Next**.

+Some of the Microsoft applications support the home realm discovery `whr` query string parameter, or a domain variable. With the home realm discovery and domain parameter, the customized sign-in page will appear immediately in the first step.

+In the following examples replace the contoso.com with your own tenant name, or verified domain name:

+- For Microsoft Outlook `https://outlook.com/contoso.com`

+- For SharePoint online `https://contoso.sharepoint.com`

+- For my app portal `https://myapps.microsoft.com/?whr=contoso.com`

+- Self-service password reset `https://passwordreset.microsoftonline.com/?whr=contoso.com`

+- [Manage the 'stay signed in' prompt](active-directory-users-profile-azure-portal.md#learn-about-the-stay-signed-in-prompt)

+### Why do I see "Lifecycle Management" instead of "Lifecycle Workflows"?

+For a small portion of our customers, Lifecycle Workflows may still be listed under the former name Lifecycle Management in the audit logs and enterprise applications.

+### Disable automatic writeback of new Microsoft 365 groups

+### Disable writeback for all existing Microsoft 365 group

+To disable writeback of all Microsoft 365 groups that were created before these modifications, use one of the folowing methods:

+- PowerShell: Use the [Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/installation?view=graph-powershell-1.0&preserve-view=true). For example:

+

+ ```PowerShell

+ #Import-module

+ Import-module Microsoft.Graph

+ #Connect to MgGraph and select the Beta API Version

+ Connect-MgGraph -Scopes Group.ReadWrite.All

+ Select-MgProfile -Name beta

+ #List all Microsoft 365 Groups

+ $Groups = Get-MgGroup -All | Where-Object {$_.GroupTypes -like "*unified*"}

+ #Disable Microsoft 365 Groups

+ Foreach ($group in $Groups)

+ {

+ Update-MgGroup -GroupId $group.id -WritebackConfiguration @{isEnabled=$false}

+ }

+> We recomend using Microsoft Graph PowerShell SDK with [Windows PowerShell 7](/powershell/scripting/whats-new/migrating-from-windows-powershell-51-to-powershell-7?view=powershell-7.3&preserve-view=true)

+- Microsoft Graph Explorer: Use a [group object](/graph/api/group-update?tabs=http&view=graph-rest-beta&preserve-view=true).

+**Complete the conversion by using the Microsoft Graph PowerShell SDK:**

+ ```powershell

+ Connect-MGGraph -Scopes "Domain.ReadWrite.All", "Directory.AccessAsUser.All"

+ ```

+ Update-MgDomain -DomainId <domain name> -AuthenticationType "Managed"

+ See [Update-MgDomain](https://learn.microsoft.com/powershell/module/microsoft.graph.identity.directorymanagement/update-mgdomain?view=graph-powershell-1.0)

+ Get-MgDomainFederationConfiguration -DomainId yourdomain.com

+### Remove AD FS

+For a full list of steps to take to completely remove AD FS from the environment follow the [Active Directory Federation Services (AD FS) decommision guide](https://learn.microsoft.com/windows-server/identity/ad-fs/decommission/adfs-decommission-guide).

+Azure Monitor provides the option to exclude whole events, fields, or parts of fields when ingesting logs from Azure AD. Learn more about this cost saving feature in [Data collection transformation in Azure Monitor](../../azure-monitor/essentials/data-collection-transformations.md).

+- If you're unsure of a detail in the logs, gather the **Request ID** and **Correlation ID** to use for further analyzing or troubleshooting.

+ - The **Primary authentication** row isn't initially logged.

+- If you're unsure of a detail in the logs, gather the **Request ID** and **Correlation ID** to use for further analyzing or troubleshooting.

+The Azure Active Directory (Azure AD) [reporting APIs](/graph/api/resources/azure-ad-auditlog-overview) provide you with programmatic access to the data through a set of REST APIs. You can call these APIs from many programming languages and tools. The reporting API uses [OAuth](../../api-management/api-management-howto-protect-backend-with-aad.md) to authorize access to the web APIs.

+This article describes how to enable Microsoft Graph to access the Azure AD reporting APIs in the Azure portal and through PowerShell

+## Roles and license requirements

+To get access to the reporting data through the API, you need to have one of the following roles:

+In order to access the sign-in reports for a tenant, an Azure AD tenant must have associated Azure AD Premium P1 or P2 license. Alternatively if the directory type is Azure AD B2C, the sign-in reports are accessible through the API without any additional license requirement.

+Registration is needed even if you're accessing the reporting API using a script. The registration gives you an **Application ID**, which is required for the authorization calls and enables your code to receive tokens. To configure your directory to access the Azure AD reporting API, you must sign in to the [Azure portal](https://portal.azure.com) in one of the required roles.

+> Applications running under credentials with administrator privileges can be very powerful, so be sure to keep the application's ID and secret credentials in a secure location.

+## Enable the Microsoft Graph API through the Azure portal

+To enable your application to access Microsoft Graph without user intervention, you'll need to register your application with Azure AD, then grant permissions to the Microsoft Graph API. This article covers the steps to follow in the Azure portal.

+### Register an Azure AD application

+1. In the [Azure portal](https://portal.azure.com), go to **Azure Active Directory** > **App registrations**.

+1. Select **New registration**.

+ 

+1. On the **Registration an Application** page:

+ 1. Give the application a **Name** such as `Reporting API application`.

+ 1. For **Supported accounts type**, select **Accounts in this organizational directory only**.

+ 1. In the **Redirect URI** section, select **Web** from the list and type `https://localhost`.

+ 1. Select **Register**.

+### Grant permissions

+To access the Azure AD reporting API, you must grant your app *Read directory data* and *Read all audit log data* permissions for the Microsoft Graph API.

+1. **Azure Active Directory** > **App Registrations**> **API permissions** and select **Add a permission**.

+ 

+1. Select **Microsoft Graph** > **Application permissions**.

+1. Add **Directory.ReadAll** and **AuditLog.Read.All**, then select the **Add permissions** button.

+ - If you need more permissions to run the queries you need, you can add them now or modify the permissions as needed in Microsoft Graph.

+ - For more information, see [Work with Graph Explorer](/graph/graph-explorer/graph-explorer-features).

+ 

+1. On the **Reporting API Application - API Permissions** page, select **Grant admin consent for Default Directory**.

+ 

+## Access reports using Microsoft Graph Explorer

+Once you have the app registration configured, you can run activity log queries in Microsoft Graph.

+1. Sign in to https://graph.microsoft.com using the **Security Reader** role. You may need to confirm that you're signed into the appropriate role. Select your profile icon in the upper-right corner of Microsoft Graph.

+1. Use one of the following queries to start using Microsoft Graph for accessing activity logs:

+ - GET `https://graph.microsoft.com/v1.0/auditLogs/directoryAudits`

+ - GET `https://graph.microsoft.com/v1.0/auditLogs/signIns`

+ - For more information on Microsoft Graph queries for activity logs, see [Activity reports API overview](/graph/api/resources/azuread-auditlog-overview)

+ 

+## Access reports using Microsoft Graph PowerShell

+To use PowerShell to access the Azure AD reporting API, you'll need to gather a few configuration settings. These settings were created as a part of the [app registration process](#register-an-azure-ad-application).

+- Tenant ID

+- Client app ID

+1. Go to **Azure Active Directory** > **App Registrations**.

+1. Copy the **Directory (tenant) ID**.

+1. Copy the **Application (client) ID**.

+1. Go to **App Registration** > Select your application > **Certificates & secrets** > **Certificates** > **Upload certificate** and upload your certificate's public key file.

+ - If you don't have a certificate to upload, follow the steps outlined in the [Create a self-signed certificate to authenticate your application](../develop/howto-create-self-signed-certificate.md) article.

+Next you'll authenticate with the configuration settings you just gathered. Open PowerShell and run the following command, replacing the placeholders with your information.

+```powershell

+Connect-MgGraph -ClientID YOUR_APP_ID -TenantId YOUR_TENANT_ID -CertificateName YOUR_CERT_SUBJECT ## Or -CertificateThumbprint instead of -CertificateName

+```

+Microsoft Graph PowerShell cmdlets:

+- **Audit logs:** `Get-MgAuditLogDirectoryAudit`

+- **Sign-in logs:** `Get-MgAuditLogSignIn`

+- **Provisioning logs:** `Get-MgAuditLogProvisioning`

+- Explore the full list of [reporting-related Microsoft Graph PowerShell cmdlets](/powershell/module/microsoft.graph.reports).

+Programmatic access APIs:

+- **Security detections:** [Identity Protection risk detections API](/graph/api/resources/identityprotection-root)

+- **Tenant provisioning events:** [Provisioning logs API](/graph/api/resources/provisioningobjectsummary)

+### Troubleshoot errors in Azure Active Directory reporting API

+**500 HTTP internal server error while accessing Microsoft Graph beta endpoint**: We don't currently support the Microsoft Graph beta endpoint - make sure to access the activity logs using the Microsoft Graph v1.0 endpoint.

+- GET `https://graph.microsoft.com/v1.0/auditLogs/directoryAudits`

+- GET `https://graph.microsoft.com/v1.0/auditLogs/signIns`

+**Error: Neither tenant is B2C or tenant doesn't have premium license**: Accessing sign-in reports requires an Azure Active Directory premium 1 (P1) license. If you see this error message while accessing sign-ins, make sure that your tenant is licensed with an Azure AD P1 license.

+**Error: User isn't in the allowed roles**: If you see this error message while trying to access audit logs or sign-ins using the API, make sure that your account is part of the **Security Reader** or **Reports Reader** role in your Azure Active Directory tenant.

+**Error: Application missing Azure AD 'Read directory data' or 'Read all audit log data' permission**: Revisit the **[Grant permissions](#grant-permissions)** section of this article to ensure the permissions are properly set.

+* [Get started with Azure Active Directory Identity Protection and Microsoft Graph](../identity-protection/howto-identity-protection-graph-api.md)

+* [Sign-in API reference](/graph/api/resources/signin)

+With the information in the Azure Active Directory (Azure AD) sign-in logs, you can figure out what happened if a sign-in of a user failed. This quickstart shows you how to access the sign-ins log using the Graph API.

+- **Access to an Azure AD tenant**: If you don't have access to an Azure AD tenant, see [Create your Azure free account today](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- **A test account called Isabella Simonsen**: If you don't know how to create a test account, see [Add cloud-based users](../fundamentals/add-users-azure-active-directory.md#add-a-new-user).

+- **Access to the reporting API**: If you haven't configured access yet, see [How to configure the prerequisites for the reporting API](howto-configure-prerequisites-for-reporting-api.md).

+ Title: Sign-ins using legacy authentication workbook in Azure AD | Microsoft Docs

+description: Learn how to use the sign-ins using legacy authentication workbook.

+# Sign-ins using legacy authentication workbook

+Have you ever wondered how you can determine whether it's safe to turn off legacy authentication in your tenant? The sign-ins using legacy authentication workbook helps you to answer this question.

+This article gives you an overview of this workbook.

+## Description

+

+Azure AD supports several of the most widely used authentication and authorization protocols including legacy authentication. Legacy authentication refers to basic authentication, which was once a widely used industry-standard method for passing user name and password information through a client to an identity provider.

+Examples of applications that commonly or only use legacy authentication are:

+- Microsoft Office 2013 or older.

+- Apps using legacy auth with mail protocols like POP, IMAP, and SMTP AUTH.

+Single-factor authentication (for example, username and password) doesnΓÇÖt provide the required level of protection for todayΓÇÖs computing environments. Passwords are bad as they're easy to guess and humans are bad at choosing good passwords.

+Unfortunately, legacy authentication:

+- Doesn't support multi-factor authentication (MFA) or other strong authentication methods.

+- Makes it impossible for your organization to move to passwordless authentication.

+To improve the security of your Azure AD tenant and experience of your users, you should disable legacy authentication. However, important user experiences in your tenant might depend on legacy authentication. Before shutting off legacy authentication, you may want to find those cases so you can migrate them to more secure authentication.

+The sign-ins using legacy authentication workbook lets you see all legacy authentication sign-ins in your environment so you can find and migrate critical workflows to more secure authentication methods before you shut off legacy authentication.

+

+

+## Sections

+With this workbook, you can distinguish between interactive and non-interactive sign-ins. This workbook highlights which legacy authentication protocols are used throughout your tenant.

+The data collection consists of three steps:

+1. Select a legacy authentication protocol, and then select an application to filter by users accessing that application.

+2. Select a user to see all their legacy authentication sign-ins to the selected app.

+3. View all legacy authentication sign-ins for the user to understand how legacy authentication is being used.

+

+## Filters

+This workbook supports multiple filters:

+- Time range (up to 90 days)

+- User principal name

+- Application

+- Status of the sign-in (success or failure)

+

+## Best practices

+- For guidance on blocking legacy authentication in your environment, see [Block legacy authentication to Azure AD with conditional access](../conditional-access/block-legacy-authentication.md).

+- Many email protocols that once relied on legacy authentication now support more secure modern authentication methods. If you see legacy email authentication protocols in this workbook, consider migrating to modern authentication for email instead. For more information, see [Deprecation of Basic authentication in Exchange Online](/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online).

+- Some clients can use both legacy authentication or modern authentication depending on client configuration. If you see ΓÇ£modern mobile/desktop clientΓÇ¥ or ΓÇ£browserΓÇ¥ for a client in the Azure AD logs, it's using modern authentication. If it has a specific client or protocol name, such as ΓÇ£Exchange ActiveSyncΓÇ¥, it's using legacy authentication to connect to Azure AD. The client types in conditional access, and the Azure AD reporting page in the Azure portal demarcate modern authentication clients and legacy authentication clients for you, and only legacy authentication is captured in this workbook.

+## Next steps

+- To learn more about identity protection, see [What is identity protection](../identity-protection/overview-identity-protection.md).

+- For more information about Azure AD workbooks, see [How to use Azure AD workbooks](howto-use-azure-monitor-workbooks.md).

+- When using this feature with clusters that use [Node Public IP](use-node-public-ips.md), the node pools using Node Public IP must use public IP prefixes. The public IP prefixes must be added as authorized ranges.

+Create a cluster using the [`az aks create`][az-aks-create] and specify the *`--api-server-authorized-ip-ranges`* parameter to provide a list of authorized IP address ranges. These IP address ranges are usually address ranges used by your on-premises networks or public IPs. When you specify a CIDR range, start with the first IP address in the range. For example, *137.117.106.90/29* is a valid range, but make sure you specify the first IP address in the range, such as *137.117.106.88/29*.

+To update the API server authorized IP ranges on an existing cluster, use [`az aks update`][az-aks-update] command and use the *`--api-server-authorized-ip-ranges`*, *`--load-balancer-outbound-ip-prefixes`*, *`--load-balancer-outbound-ips`*, or *`--load-balancer-outbound-ip-prefixes`* parameters.

+To disable authorized IP ranges, use [`az aks update`][az-aks-update] and specify an empty range to disable API server authorized IP ranges. For example:

+To find IP ranges that have been authorized, use [`az aks show`][az-aks-show] and specify the cluster's name and resource group. For example:

+>

+> If the user you grant the Kubernetes RBAC binding for is in the same Azure AD tenant, assign permissions based on the *userPrincipalName (UPN)*. If the user is in a different Azure AD tenant, query for and use the *objectId* property instead.

+| OS platforms supported | Linux and Windows | Linux only |

+The overlay solution has the following limitations:

+* On a Linux node: */var/lib/kubelet/bootstrap-kubeconfig* or */host/var/lib/kubelet/bootstrap-kubeconfig*

+This article introduces the core concepts that secure your applications in AKS.

+As the entry point for the Supply Chain, it is important to conduct static analysis of image builds before they are promoted down the pipeline. This includes vulnerability and compliance assessment. It is not about failing a build because it has a vulnerability, as that will break development. It is about looking at the "Vendor Status" to segment based on vulnerabilities that are actionable by the development teams. Also leverage "Grace Periods" to allow developers time to remediate identified issues.

+* **Azure CLI**: Specify the `--max-pods` argument when you deploy a cluster with the [`az aks create`][az-aks-create] command. The maximum value is 250.

+Use the [`az aks create`][az-aks-create] command with the `--network-plugin azure` argument to create a cluster with advanced networking. Update the `--vnet-subnet-id` value with the subnet ID collected in the previous step:

+1. Download or grep the file named container-azm-ms-agentconfig.yaml from [GitHub][github].

+ Title: Customize cluster egress with outbound types in Azure Kubernetes Service (AKS)

+description: Learn how to configure outbound types in Azure Kubernetes Service (AKS)

+# Customize cluster egress with outbound types in Azure Kubernetes Service (AKS)

+This article covers the various types of outbound connectivity that are available in AKS Clusters.

+* Outbound type can only be defined at cluster create time and can't be updated afterwards.

+ * Reconfiguring outbound type is now supported in preview; see below.

+An AKS cluster can be configured with three different categories of outbound type: load balancer, NAT gateway, or user-defined routing.

+For more information, see [using a standard load balancer in AKS](load-balancer-standard.md) for more information.

+### Outbound type of `managedNatGateway` or `userAssignedNatGateway`

+If `managedNatGateway` or `userAssignedNatGateway` are selected for `outboundType`, AKS relies on [Azure Networking NAT gateway](/azure/virtual-network/nat-gateway/manage-nat-gateway) for cluster egress.

+- `managedNatGateway` is used when using managed virtual networks, and tells AKS to provision a NAT gateway and attach it to the cluster subnet.

+- `userAssignedNatGateway` is used when using bring-your-own virtual networking, and requires that a NAT gateway has been provisioned before cluster creation.

+NAT gateway has significantly improved handling of SNAT ports when compared to Standard Load Balancer.

+For more information, see [using NAT Gateway with AKS](nat-gateway.md) for more information.

+For more information, see [configuring cluster egress via user-defined routing](egress-udr.md) for more information.

+## Updating `outboundType` after cluster creation (PREVIEW)

+Changing the outbound type after cluster creation will deploy or remove resources as required to put the cluster into the new egress configuration.

+Migration is only supported between `loadBalancer`, `managedNATGateway` (if using a managed virtual network), and `userDefinedNATGateway` (if using a custom virtual network).

+> [!WARNING]

+> Changing the outbound type on a cluster is disruptive to network connectivity and will result in a change of the cluster's egress IP address. If any firewall rules have been configured to restrict traffic from the cluster, they will need to be updated to match the new egress IP address.

+### Install the aks-preview Azure CLI extension

+`aks-preview` version 0.5.113 is required.

+To install the `aks-preview` extension, run the following command:

+```azurecli

+az extension add --name aks-preview

+```

+Run the following command to update to the latest version of the extension released:

+```azurecli

+az extension update --name aks-preview

+```

+### Register the 'AKS-OutBoundTypeMigrationPreview' feature flag

+Register the `AKS-OutBoundTypeMigrationPreview` feature flag by using the [az feature register][az-feature-register] command, as shown in the following example:

+```azurecli-interactive

+az feature register --namespace "Microsoft.ContainerService" --name "AKS-OutBoundTypeMigrationPreview"

+```

+It takes a few minutes for the status to show *Registered*. Verify the registration status by using the [az feature show][az-feature-show] command:

+```azurecli-interactive

+az feature show --namespace "Microsoft.ContainerService" --name "AKS-OutBoundTypeMigrationPreview"

+```

+When the status reflects *Registered*, refresh the registration of the *Microsoft.ContainerService* resource provider by using the [az provider register][az-provider-register] command:

+```azurecli-interactive

+az provider register --namespace Microsoft.ContainerService

+```

+### Update a cluster to use a new outbound type

+Run the following command to change a cluster's outbound configuration:

+```azurecli-interactive

+az aks update -g <resourceGroup> -n <clusterName> --outbound-type <loadBalancer|managedNATGateway|userAssignedNATGateway>

+```

+## Next steps

+- [Configure standard load balancing in an AKS cluster](load-balancer-standard.md)

+- [Configure NAT gateway in an AKS cluster](nat-gateway.md)

+- [Configure user-defined routing in an AKS cluster](egress-udr.md)

+- [NAT gateway documentation](/azure/aks/nat-gateway)

+- [Azure networking UDR overview](../virtual-network/virtual-networks-udr-overview.md).

+- [Manage route tables](../virtual-network/manage-route-table.md).

+ Title: Customize user-defined routes (UDR) in Azure Kubernetes Service (AKS)

+description: Learn how to define a custom egress route in Azure Kubernetes Service (AKS)

+#Customer intent: As a cluster operator, I want to define my own egress paths with user-defined routes. Since I define this up front I do not want AKS provided load balancer configurations.

+# Customize cluster egress with a user-defined routing table

+Egress from an AKS cluster can be customized to fit specific scenarios. By default, AKS will provision a Standard SKU Load Balancer to be set up and used for egress. However, the default setup may not meet the requirements of all scenarios if public IPs are disallowed or additional hops are required for egress.

+This article walks through how to customize a cluster's egress route to support custom network scenarios, such as those which disallows public IPs and requires the cluster to sit behind a network virtual appliance (NVA).

+## Prerequisites

+* Azure CLI version 2.0.81 or greater

+* API version of `2020-01-01` or greater

+## Limitations

+* Setting `outboundType` requires AKS clusters with a `vm-set-type` of `VirtualMachineScaleSets` and `load-balancer-sku` of `Standard`.

+* Setting `outboundType` to a value of `UDR` requires a user-defined route with valid outbound connectivity for the cluster.

+* Setting `outboundType` to a value of `UDR` implies the ingress source IP routed to the load-balancer may **not match** the cluster's outgoing egress destination address.

+## Overview

+> [!NOTE]

+> Using outbound type is an advanced networking scenario and requires proper network configuration.

+If `userDefinedRouting` is set, AKS won't automatically configure egress paths. The egress setup must be done by you.

+The AKS cluster must be deployed into an existing virtual network with a subnet that has been previously configured because when not using standard load balancer (SLB) architecture, you must establish explicit egress. As such, this architecture requires explicitly sending egress traffic to an appliance like a firewall, gateway, proxy or to allow the Network Address Translation (NAT) to be done by a public IP assigned to the standard load balancer or appliance.

+#### Load balancer creation with userDefinedRouting

+AKS clusters with an outbound type of UDR receive a standard load balancer (SLB) only when the first Kubernetes service of type 'loadBalancer' is deployed. The load balancer is configured with a public IP address for *inbound* requests and a backend pool for *inbound* requests. Inbound rules are configured by the Azure cloud provider, but **no outbound public IP address or outbound rules** are configured as a result of having an outbound type of UDR. Your UDR will still be the only source for egress traffic.

+Azure load balancers [don't incur a charge until a rule is placed](https://azure.microsoft.com/pricing/details/load-balancer/).

+## Deploy a cluster with outbound type of UDR and Azure Firewall

+To illustrate the application of a cluster with outbound type using a user-defined route, a cluster can be configured on a virtual network with an Azure Firewall on its own subnet. See this example on the [restrict egress traffic with Azure firewall example](limit-egress-traffic.md#restrict-egress-traffic-using-azure-firewall).

+> [!IMPORTANT]

+> Outbound type of UDR requires there is a route for 0.0.0.0/0 and next hop destination of NVA (Network Virtual Appliance) in the route table.

+> The route table already has a default 0.0.0.0/0 to Internet, without a Public IP to SNAT just adding this route will not provide you egress. AKS will validate that you don't create a 0.0.0.0/0 route pointing to the Internet but instead to NVA or gateway, etc.

+> When using an outbound type of UDR, a load balancer public IP address for **inbound requests** is not created unless a service of type *loadbalancer* is configured. A public IP address for **outbound requests** is never created by AKS if an outbound type of UDR is set.

+## Next steps

+See [Azure networking UDR overview](../virtual-network/virtual-networks-udr-overview.md).

+See [how to create, change, or delete a route table](../virtual-network/manage-route-table.md).

+<!-- LINKS - internal -->

+[az-aks-get-credentials]: /cli/azure/aks#az_aks_get_credentials

+[byo-route-table]: configure-kubenet.md#bring-your-own-subnet-and-route-table-with-kubenet

+## Add a Windows node pool

+By default, an AKS cluster is created with a node pool that can run Linux containers. Use the `az aks nodepool add` command to add an additional node pool that can run Windows Server containers alongside the Linux node pool.

+AKS supports Windows Server 2019 and Windows Server 2022 node pools. For Kubernetes versions "1.25.0" and higher, Windows Server 2022 is the default operating system. For earlier versions, Windows Server 2019 will be the default operating system.

+Use the `az aks nodepool add` command to add a Windows nodepool:

+```azurecli

+az aks nodepool add \

+ --resource-group myResourceGroup \

+ --cluster-name myAKSCluster \

+ --os-type Windows \

+ --name npwin \

+ --node-count 1

+```

+The above command creates a new node pool named *npwin* and adds it to the *myAKSCluster*. The above command also uses the default subnet in the default vnet created when running `az aks create`. The OS SKU was not specified so the nodepool will be set to the default operating system based on the Kubernetes version of the cluster.

+When creating a Windows node pool, the default operating system will be Windows Server 2019 for Kubernetes versions below "1.25.0". To use Windows Server 2019 nodes when not default, you will need to specify an OS SKU type of `Windows2019`.

+ --os-sku Windows2019 \

+The above command creates a new Windows Server 2019 node pool named *npwin* and adds it to the *myAKSCluster*. The above command also uses the default subnet in the default vnet created when running `az aks create`.

+When creating a Windows node pool, the default operating system will be Windows Server 2022 for Kubernetes versions "1.25.0" and higher. To use Windows Server 2022 nodes when not default, you will need to specify an OS SKU type of `Windows2022`.

+Use the `az aks nodepool add` command to add a Windows Server 2022 node pool:

+## Disable OutboundNAT for Windows (preview)

+> [!NOTE]

+> OutboundNAT can only be disabled on Windows Server 2019 nodepools.

+In Azure Kubernetes Service (AKS), nodes of the same configuration are grouped together into *node pools*. These node pools contain the underlying VMs that run your applications. The initial number of nodes and their size (SKU) is defined when you create an AKS cluster, which creates a [system node pool][use-system-pool]. To support applications that have different compute or storage demands, you can create additional *user node pools*. System node pools serve the primary purpose of hosting critical system pods such as CoreDNS and `konnectivity`. User node pools serve the primary purpose of hosting your application pods. However, application pods can be scheduled on system node pools if you wish to only have one pool in your AKS cluster. User node pools are where you place your application-specific pods. For example, use these additional user node pools to provide GPUs for compute-intensive applications, or access to high-performance SSD storage.

+* The AKS cluster must use Virtual Machine Scale Sets for the nodes.

+To get started, create an AKS cluster with a single node pool. The following example uses the [az group create][az-group-create] command to create a resource group named *myResourceGroup* in the *eastus* region. An AKS cluster named *myAKSCluster* is then created using the [`az aks create`][az-aks-create] command.

+When the cluster is ready, use the [`az aks get-credentials`][az-aks-get-credentials] command to get the cluster credentials for use with `kubectl`:

+The cluster created in the previous step has a single node pool. Let's add a second node pool using the [`az aks nodepool add`][az-aks-nodepool-add] command. The following example creates a node pool named *mynodepool* that runs *3* nodes:

+To see the status of your node pools, use the [`az aks node pool list`][az-aks-nodepool-list] command and specify your resource group and cluster name:

+* If you expand your VNET after creating the cluster you must update your cluster (perform any managed cluster operation but node pool operations don't count) before adding a subnet outside the original CIDR block. AKS will error-out on the agent pool add now though we originally allowed it. The `aks-preview` Azure CLI extension (version 0.5.66+) now supports running `az aks update -g <resourceGroup> -n <clusterName>` without any optional arguments. This command will perform an update operation without making any changes, which can recover a cluster stuck in a failed state.

+Since there are two node pools in this example, we must use [`az aks nodepool upgrade`][az-aks-nodepool-upgrade] to upgrade a node pool. To see the available upgrades use [`az aks get-upgrades`][az-aks-get-upgrades]

+Let's upgrade the *mynodepool*. Use the [`az aks nodepool upgrade`][az-aks-nodepool-upgrade] command to upgrade the node pool, as shown in the following example:

+List the status of your node pools again using the [`az aks node pool list`][az-aks-nodepool-list] command. The following example shows that *mynodepool* is in the *Upgrading* state to *KUBERNETES_VERSION*:

+To scale the number of nodes in a node pool, use the [`az aks node pool scale`][az-aks-nodepool-scale] command. The following example scales the number of nodes in *mynodepool* to *5*:

+List the status of your node pools again using the [`az aks node pool list`][az-aks-nodepool-list] command. The following example shows that *mynodepool* is in the *Scaling* state with a new count of *5* nodes:

+If you no longer need a pool, you can delete it and remove the underlying VM nodes. To delete a node pool, use the [`az aks node pool delete`][az-aks-nodepool-delete] command and specify the node pool name. The following example deletes the *mynodepool* created in the previous steps:

+The following example output from the [`az aks node pool list`][az-aks-nodepool-list] command shows that *mynodepool* is in the *Deleting* state:

+Associating a node pool with an existing capacity reservation group can be done using [`az aks nodepool add`][az-aks-nodepool-add] command and specifying a capacity reservation group with the --capacityReservationGroup flag" The capacity reservation group should already exist, otherwise the node pool will be added to the cluster with a warning and no capacity reservation group gets associated.

+Associating a system node pool with an existing capacity reservation group can be done using [`az aks create`][az-aks-create] command. If the capacity reservation group specified doesn't exist, then a warning is issued and the cluster gets created without any capacity reservation group association.

+In the previous examples to create a node pool, a default VM size was used for the nodes created in the cluster. A more common scenario is for you to create node pools with different VM sizes and capabilities. For example, you may create a node pool that contains nodes with large amounts of CPU or memory, or a node pool that provides GPU support. In the next step, you [use taints and tolerations](#setting-node-pool-taints) to tell the Kubernetes scheduler how to limit access to pods that can run on these nodes.

+Create a node pool using the [`az aks node pool add`][az-aks-nodepool-add] command again. This time, specify the name *gpunodepool*, and use the `--node-vm-size` parameter to specify the *Standard_NC6* size:

+The following example output from the [`az aks node pool list`][az-aks-nodepool-list] command shows that *gpunodepool* is *Creating* nodes with the specified *VmSize*:

+### Setting node pool taints

+To create a node pool with a taint, use [`az aks nodepool add`][az-aks-nodepool-add]. Specify the name *taintnp* and use the `--node-taints` parameter to specify *sku=gpu:NoSchedule* for the taint.

+The following example output from the [`az aks nodepool list`][az-aks-nodepool-list] command shows that *taintnp* is *Creating* nodes with the specified *nodeTaints*:

+### Setting node pool labels

+### Setting node pool Azure tags

+Deploy this template using the [`az deployment group create`][az-deployment-group-create] command, as shown in the following example. You're prompted for the existing AKS cluster name and location:

+To delete the GPU-based node pool, use the [`az aks nodepool delete`][az-aks-nodepool-delete] command as shown in following example:

+To delete the cluster itself, use the [`az group delete`][az-group-delete] command to delete the AKS resource group:

+* Use [instance-level public IP addresses](use-node-public-ips.md) to make your nodes able to serve traffic directly.

+ Title: Use instance-level public IPs in Azure Kubernetes Service (AKS)

+description: Learn how to manage instance-level public IPs Azure Kubernetes Service (AKS)

+# Use instance-level public IPs in Azure Kubernetes Service (AKS)

+AKS nodes don't require their own public IP addresses for communication. However, scenarios may require nodes in a node pool to receive their own dedicated public IP addresses. A common scenario is for gaming workloads, where a console needs to make a direct connection to a cloud virtual machine to minimize hops. This scenario can be achieved on AKS by using Node Public IP.

+First, create a new resource group.

+```azurecli-interactive

+az group create --name myResourceGroup2 --location eastus

+```

+Create a new AKS cluster and attach a public IP for your nodes. Each of the nodes in the node pool receives a unique public IP. You can verify this by looking at the Virtual Machine Scale Set instances.

+```azurecli-interactive

+az aks create -g MyResourceGroup2 -n MyManagedCluster -l eastus --enable-node-public-ip

+```

+For existing AKS clusters, you can also add a new node pool, and attach a public IP for your nodes.

+```azurecli-interactive

+az aks nodepool add -g MyResourceGroup2 --cluster-name MyManagedCluster -n nodepool2 --enable-node-public-ip

+```

+## Use a public IP prefix

+There are a number of [benefits to using a public IP prefix][public-ip-prefix-benefits]. AKS supports using addresses from an existing public IP prefix for your nodes by passing the resource ID with the flag `node-public-ip-prefix` when creating a new cluster or adding a node pool.

+First, create a public IP prefix using [az network public-ip prefix create][az-public-ip-prefix-create]:

+```azurecli-interactive

+az network public-ip prefix create --length 28 --location eastus --name MyPublicIPPrefix --resource-group MyResourceGroup3

+```

+View the output, and take note of the `id` for the prefix:

+```output

+{

+ ...

+ "id": "/subscriptions/<subscription-id>/resourceGroups/myResourceGroup3/providers/Microsoft.Network/publicIPPrefixes/MyPublicIPPrefix",

+ ...

+}

+```

+Finally, when creating a new cluster or adding a new node pool, use the flag `node-public-ip-prefix` and pass in the prefix's resource ID:

+```azurecli-interactive

+az aks create -g MyResourceGroup3 -n MyManagedCluster -l eastus --enable-node-public-ip --node-public-ip-prefix /subscriptions/<subscription-id>/resourcegroups/MyResourceGroup3/providers/Microsoft.Network/publicIPPrefixes/MyPublicIPPrefix

+```

+## Locate public IPs for nodes

+You can locate the public IPs for your nodes in various ways:

+* Use the Azure CLI command [`az vmss list-instance-public-ips`][az-list-ips].

+* Use [PowerShell or Bash commands][vmss-commands].

+* You can also view the public IPs in the Azure portal by viewing the instances in the Virtual Machine Scale Set.

+> [!Important]

+> The [node resource group][node-resource-group] contains the nodes and their public IPs. Use the node resource group when executing commands to find the public IPs for your nodes.

+```azurecli

+az vmss list-instance-public-ips -g MC_MyResourceGroup2_MyManagedCluster_eastus -n YourVirtualMachineScaleSetName

+```

+## Use public IP tags on node public IPs (PREVIEW)

+Public IP tags can be utilized on node public IPs to utilize the [Azure Routing Preference](/azure/virtual-network/ip-services/routing-preference-overview.md) feature.

+### Requirements

+* AKS version 1.24 or greater is required.

+* Version 0.5.115 of the aks-preview extension is required.

+### Install the aks-preview Azure CLI extension

+To install the aks-preview extension, run the following command:

+```azurecli

+az extension add --name aks-preview

+```

+Run the following command to update to the latest version of the extension released:

+```azurecli

+az extension update --name aks-preview

+```

+### Register the 'NodePublicIPTagsPreview' feature flag

+Register the `NodePublicIPTagsPreview` feature flag by using the [`az feature register`][az-feature-register] command, as shown in the following example:

+```azurecli-interactive

+az feature register --namespace "Microsoft.ContainerService" --name "NodePublicIPTagsPreview"

+```

+It takes a few minutes for the status to show *Registered*. Verify the registration status by using the [`az feature show`][az-feature-show] command:

+```azurecli-interactive

+az feature show --namespace "Microsoft.ContainerService" --name "NodePublicIPTagsPreview"

+```

+When the status reflects *Registered*, refresh the registration of the *Microsoft.ContainerService* resource provider by using the [`az provider register`][az-provider-register] command:

+```azurecli-interactive

+az provider register --namespace Microsoft.ContainerService

+```

+### Create a new cluster using routing preference internet

+```azurecli-interactive

+az aks create -n <clusterName> -l <location> -g <resourceGroup> \

+ --enable-node-public-ip \

+ --node-public-ip-tags RoutingPreference=Internet

+```

+### Add a node pool with routing preference internet

+```azurecli-interactive

+az aks nodepool add --cluster-name <clusterName> -n <nodepoolName> -l <location> -g <resourceGroup> \

+ --enable-node-public-ip \

+ --node-public-ip-tags RoutingPreference=Internet

+```

+## Allow host port connections and add node pools to application security groups (PREVIEW)

+AKS nodes utilizing node public IPs that host services on their host address need to have an NSG rule added to allow the traffic. Adding the desired ports in the node pool configuration will create the appropriate allow rules in the cluster network security group.

+If a network security group is in place on the subnet with a cluster using bring-your-own virtual network, an allow rule must be added to that network security group. This can be limited to the nodes in a given node pool by adding the node pool to an [application security group](/azure/virtual-network/network-security-groups-overview#application-security-groups) (ASG). A managed ASG will be created by default in the managed resource group if allowed host ports are specified. Nodes can also be added to one or more custom ASGs by specifying the resource ID of the NSG(s) in the node pool parameters.

+### Host port specification format

+When specifying the list of ports to allow, use a comma-separate list with entries in the format of `port/protocol` or `startPort-endPort/protocol`.

+Examples:

+- 80/tcp

+- 80/tcp,443/tcp

+- 53/udp,80/tcp

+- 50000-60000/tcp

+### Requirements

+* AKS version 1.24 or greater is required.

+* Version 0.5.110 of the aks-preview extension is required.

+### Install the aks-preview Azure CLI extension

+To install the aks-preview extension, run the following command:

+```azurecli

+az extension add --name aks-preview

+```

+Run the following command to update to the latest version of the extension released:

+```azurecli

+az extension update --name aks-preview

+```

+### Register the 'NodePublicIPNSGControlPreview' feature flag

+Register the `NodePublicIPNSGControlPreview` feature flag by using the [az feature register][az-feature-register] command, as shown in the following example:

+```azurecli-interactive

+az feature register --namespace "Microsoft.ContainerService" --name "NodePublicIPNSGControlPreview"

+```

+It takes a few minutes for the status to show *Registered*. Verify the registration status by using the [az feature show][az-feature-show] command:

+```azurecli-interactive

+az feature show --namespace "Microsoft.ContainerService" --name "NodePublicIPNSGControlPreview"

+```

+When the status reflects *Registered*, refresh the registration of the *Microsoft.ContainerService* resource provider by using the [az provider register][az-provider-register] command:

+```azurecli-interactive

+az provider register --namespace Microsoft.ContainerService

+```

+### Create a new cluster with allowed ports and application security groups

+```azurecli-interactive

+az aks create \

+ --resource-group <resourceGroup> \

+ --name <clusterName> \

+ --nodepool-name <nodepoolName> \

+ --nodepool-allowed-host-ports 80/tcp,443/tcp,53/udp,40000-60000/tcp,40000-50000/udp\

+ --nodepool-asg-ids "<asgId>,<asgId>"

+```

+### Add a new node pool with allowed ports and application security groups

+```azurecli-interactive

+az aks nodepool add \

+ --resource-group <resourceGroup> \

+ --cluster-name <clusterName> \

+ --name <nodepoolName> \

+ --nodepool-allowed-host-ports 80/tcp,443/tcp,53/udp,40000-60000/tcp,40000-50000/udp\

+ --nodepool-asg-ids "<asgId>,<asgId>"

+```

+### Update the allowed ports and application security groups for a node pool

+```azurecli-interactive

+az aks nodepool update \

+ --resource-group <resourceGroup> \

+ --cluster-name <clusterName> \

+ --name <nodepoolName> \

+ --nodepool-allowed-host-ports 80/tcp,443/tcp,53/udp,40000-60000/tcp,40000-50000/udp\

+ --nodepool-asg-ids "<asgId>,<asgId>"

+```

+## Automatically assign host ports for pod workloads (PREVIEW)

+When public IPs are configured on nodes, host ports can be utilized to allow pods to directly receive traffic without having to configure a load balancer service. This is especially useful in scenarios like gaming, where the ephemeral nature of the node IP and port is not a problem because a matchmaker service at a well-known hostname can provide the correct host and port to use at connection time. However, because only one process on a host can be listening on the same port, using applications with host ports can lead to problems with scheduling. To avoid this issue, AKS provides the ability to have the system dynamically assign an available port at scheduling time, preventing conflicts.

+> [!WARNING]

+> Pod host port traffic will be blocked by the default NSG rules in place on the cluster. This feature should be combined with allowing host ports on the node pool to allow traffic to flow.

+### Requirements

+* AKS version 1.24 or greater is required.

+### Register the 'PodHostPortAutoAssignPreview' feature flag

+Register the `PodHostPortAutoAssignPreview` feature flag by using the [az feature register][az-feature-register] command, as shown in the following example:

+```azurecli-interactive

+az feature register --namespace "Microsoft.ContainerService" --name "PodHostPortAutoAssignPreview"

+```

+It takes a few minutes for the status to show *Registered*. Verify the registration status by using the [az feature show][az-feature-show] command:

+```azurecli-interactive

+az feature show --namespace "Microsoft.ContainerService" --name "PodHostPortAutoAssignPreview"

+```

+When the status reflects *Registered*, refresh the registration of the *Microsoft.ContainerService* resource provider by using the [az provider register][az-provider-register] command:

+```azurecli-interactive

+az provider register --namespace Microsoft.ContainerService

+```

+### Automatically assign a host port to a pod

+Triggering host port auto assignment is done by deploying a workload without any host ports and applying the `kubernetes.azure.com/assign-hostports-for-containerports` annotation with the list of ports that need host port assignments. The value of the annotation should be specified as a comma-separated list of entries like `port/protocol`, where the port is an individual port number that is defined in the Pod spec and the protocol is `tcp` or `udp`.

+Ports will be assigned from the range `40000-59999` and will be unique across the cluster. The assigned ports will also be added to environment variables inside the pod so that the application can determine what ports were assigned.

+Here is an example `echoserver` deployment, showing the mapping of host ports for ports 8080 and 8443:

+```yml

+apiVersion: apps/v1

+kind: Deployment

+metadata:

+ name: echoserver-hostport

+ labels:

+ app: echoserver-hostport

+spec:

+ replicas: 3

+ selector:

+ matchLabels:

+ app: echoserver-hostport

+ template:

+ metadata:

+ annotations:

+ kubernetes.azure.com/assign-hostports-for-containerports: 8080/tcp,8443/tcp

+ labels:

+ app: echoserver-hostport

+ spec:

+ nodeSelector:

+ kubernetes.io/os: linux

+ containers:

+ - name: echoserver-hostport

+ image: k8s.gcr.io/echoserver:1.10

+ ports:

+ - name: http

+ containerPort: 8080

+ protocol: TCP

+ - name: https

+ containerPort: 8443

+ protocol: TCP

+```

+When the deployment is applied, the `hostPort` entries will be in the YAML of the individual pods:

+```shell

+$ kubectl describe pod echoserver-hostport-75dc8d8855-4gjfc

+<cut for brevity>

+Containers:

+ echoserver-hostport:

+ Container ID: containerd://d0b75198afe0612091f412ee7cf7473f26c80660143a96b459b3e699ebaee54c

+ Image: k8s.gcr.io/echoserver:1.10

+ Image ID: k8s.gcr.io/echoserver@sha256:cb5c1bddd1b5665e1867a7fa1b5fa843a47ee433bbb75d4293888b71def53229 Ports: 8080/TCP, 8443/TCP

+ Host Ports: 46645/TCP, 49482/TCP

+ State: Running

+ Started: Thu, 12 Jan 2023 18:02:50 +0000

+ Ready: True

+ Restart Count: 0

+ Environment:

+ echoserver-hostport_PORT_8443_TCP_HOSTPORT: 49482

+ echoserver-hostport_PORT_8080_TCP_HOSTPORT: 46645

+```

+## Next steps

+* Learn about [using multiple node pools in AKS](use-multiple-node-pools.md).

+* Learn about [using standard load balancers in AKS](load-balancer-standard.md)

+<!-- EXTERNAL LINKS -->

+[kubernetes-drain]: https://kubernetes.io/docs/tasks/administer-cluster/safely-drain-node/

+[kubectl-get]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#get

+[kubectl-taint]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#taint

+[kubectl-describe]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#describe

+[kubernetes-labels]: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/

+[kubernetes-label-syntax]: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set

+[capacity-reservation-groups]:/azure/virtual-machines/capacity-reservation-associate-virtual-machine-scale-set

+<!-- INTERNAL LINKS -->

+[arm-sku-vm1]: ../virtual-machines/dpsv5-dpdsv5-series.md

+[arm-sku-vm2]: ../virtual-machines/dplsv5-dpldsv5-series.md

+[arm-sku-vm3]: ../virtual-machines/epsv5-epdsv5-series.md

+[aks-quickstart-windows-cli]: ./learn/quick-windows-container-deploy-cli.md

+[az-aks-get-credentials]: /cli/azure/aks#az_aks_get_credentials

+[az-aks-create]: /cli/azure/aks#az_aks_create

+[az-aks-get-upgrades]: /cli/azure/aks#az_aks_get_upgrades

+[az-aks-nodepool-add]: /cli/azure/aks/nodepool#az_aks_nodepool_add

+[az-aks-nodepool-list]: /cli/azure/aks/nodepool#az_aks_nodepool_list

+[az-aks-nodepool-update]: /cli/azure/aks/nodepool#az_aks_nodepool_update

+[az-aks-nodepool-upgrade]: /cli/azure/aks/nodepool#az_aks_nodepool_upgrade

+[az-aks-nodepool-scale]: /cli/azure/aks/nodepool#az_aks_nodepool_scale

+[az-aks-nodepool-delete]: /cli/azure/aks/nodepool#az_aks_nodepool_delete

+[az-aks-show]: /cli/azure/aks#az_aks_show

+[az-extension-add]: /cli/azure/extension#az_extension_add

+[az-extension-update]: /cli/azure/extension#az_extension_update

+[az-feature-register]: /cli/azure/feature#az-feature-register

+[az-feature-list]: /cli/azure/feature#az-feature-list

+[az-feature-show]: /cli/azure/feature#az-feature-show

+[az-provider-register]: /cli/azure/provider#az_provider_register

+[az-group-create]: /cli/azure/group#az_group_create

+[az-group-delete]: /cli/azure/group#az_group_delete

+[az-deployment-group-create]: /cli/azure/deployment/group#az_deployment_group_create

+[az-aks-nodepool-add]: /cli/azure/aks#az_aks_nodepool_add

+[enable-fips-nodes]: enable-fips-nodes.md

+[gpu-cluster]: gpu-cluster.md

+[install-azure-cli]: /cli/azure/install-azure-cli

+[operator-best-practices-advanced-scheduler]: operator-best-practices-advanced-scheduler.md

+[quotas-skus-regions]: quotas-skus-regions.md

+[supported-versions]: supported-kubernetes-versions.md

+[tag-limitation]: ../azure-resource-manager/management/tag-resources.md

+[taints-tolerations]: operator-best-practices-advanced-scheduler.md#provide-dedicated-nodes-using-taints-and-tolerations

+[vm-sizes]: ../virtual-machines/sizes.md

+[use-system-pool]: use-system-pools.md

+[node-resource-group]: faq.md#why-are-two-resource-groups-created-with-aks

+[vmss-commands]: ../virtual-machine-scale-sets/virtual-machine-scale-sets-networking.md#public-ipv4-per-virtual-machine

+[az-list-ips]: /cli/azure/vmss#az_vmss_list_instance_public_ips

+[reduce-latency-ppg]: reduce-latency-ppg.md

+[public-ip-prefix-benefits]: ../virtual-network/ip-services/public-ip-address-prefix.md

+[az-public-ip-prefix-create]: /cli/azure/network/public-ip/prefix#az_network_public_ip_prefix_create

+[node-image-upgrade]: node-image-upgrade.md

+[use-tags]: use-tags.md

+[use-labels]: use-labels.md

+[cordon-and-drain]: resize-node-pool.md#cordon-the-existing-nodes

+[internal-lb-different-subnet]: internal-lb.md#specify-a-different-subnet

+[drain-nodes]: resize-node-pool.md#drain-the-existing-nodes

+[aks-taints]: use-multiple-node-pools.md#setting-node-pool-taints

+* (Developer and Premium tiers) API Management service is moved to a different subnet.

+ [!INCLUDE [azure-cli-prepare-your-environment-no-header.md](~/articles/reusable-content/azure-cli/azure-cli-prepare-your-environment-no-header.md)]

+ [!INCLUDE [azure-cli-prepare-your-environment-no-header.md](~/articles/reusable-content/azure-cli/azure-cli-prepare-your-environment-no-header.md)]

+ [!INCLUDE [azure-cli-prepare-your-environment-no-header.md](~/articles/reusable-content/azure-cli/azure-cli-prepare-your-environment-no-header.md)]

+> [!NOTE]

+> IP-based access restriction rules only handle virtual network address ranges when your app is in an App Service Environment. If your app is in the multi-tenant service, you need to use **service endpoints** to restrict traffic to select subnets in your virtual network.

+Microsoft Azure Attestation is a unified solution for attesting different types of Trusted Execution Environments (TEEs) such as [Intel® Software Guard Extensions](https://www.intel.com/content/www/us/en/architecture-and-technology/software-guard-extensions.html) (SGX) enclaves. While attesting SGX enclaves, Azure Attestation validates the evidence against Azure default Trusted Computing Base (TCB) baseline. The default TCB baseline is provided by an Azure service named [Trusted Hardware Identity Management](/azure/security/fundamentals/trusted-hardware-identity-management) (THIM) and includes collateral fetched from Intel like certificate revocation lists (CRLs), Intel certificates, Trusted Computing Base (TCB) information and Quoting Enclave identity (QEID). The default TCB baseline from THIM might lag the latest baseline offered by Intel. This is to prevent any attestation failure scenarios for ACC customers who require more time for patching platform software (PSW) updates.

+The custom TCB baseline enforcement feature in Azure Attestation will empower you to perform SGX attestation against a desired TCB baseline. It is always recommended for [Azure Confidential Computing](/azure/confidential-computing/overview) (ACC) SGX customers to install the latest PSW version supported by Intel and configure their SGX attestation policy with the latest TCB baseline supported by Azure.

+**To perform SGX attestation against a newer TCB offered by Intel** ΓÇô Customers can perform timely roll out of platform software (PSW) updates as recommended by Intel and use the custom baseline enforcement feature to perform their SGX attestation against the newer TCB versions supported by Intel

+## Default TCB baseline currently referred by Azure Attestation when no custom TCB baseline is configured by users

+- For customers using an attestation policy without configurationrules section, attestation will be performed against the Azure default TCB baseline

+## January 13, 2023

+### Image tag

+`v1.15.0_2023-01-10`

+For complete release version information, see [Version log](version-log.md#january-13-2023).

+New for this release:

+- Arc data

+ - Kafka separate mode - Description of this change and all customer and developer impacts are enumerated in the linked feature.

+- Arc-SQL MI

+ - Time series functions are available.

+## January 13, 2023

+|Component|Value|

+|--|--|

+|Container images tag |`v1.15.0_2023-01-10`|

+|CRD names and version|`datacontrollers.arcdata.microsoft.com`: v1beta1, v1 through v6<br/>`exporttasks.tasks.arcdata.microsoft.com`: v1beta1, v1, v2<br/>`kafkas.arcdata.microsoft.com`: v1beta1, v1beta2<br/>`monitors.arcdata.microsoft.com`: v1beta1, v1, v2<br/>`sqlmanagedinstances.sql.arcdata.microsoft.com`: v1beta1, v1 through v7<br/>`postgresqls.arcdata.microsoft.com`: v1beta1, v1beta2, v1beta3<br/>`sqlmanagedinstancerestoretasks.tasks.sql.arcdata.microsoft.com`: v1beta1, v1<br/>`failovergroups.sql.arcdata.microsoft.com`: v1beta1, v1beta2, v1 through v2<br/>`activedirectoryconnectors.arcdata.microsoft.com`: v1beta1, v1beta2, v1<br/>`sqlmanagedinstancereprovisionreplicatask.tasks.sql.arcdata.microsoft.com`: v1beta1<br/>`telemetrycollectors.arcdata.microsoft.com`: v1beta1, v1beta2, v1beta3 *use to be otelcollectors*<br/>`telemetryrouters.arcdata.microsoft.com`: v1beta1, v1beta2, v1beta3, v1beta4<br/>`sqlmanagedinstancemonitoringprofiles.arcdata.microsoft.com`: v1beta1, v1beta2<br/>|

+|Azure Resource Manager (ARM) API version|2022-06-15-preview|

+|`arcdata` Azure CLI extension version|1.4.9 ([Download](https://aka.ms/az-cli-arcdata-ext))|

+|Arc-enabled Kubernetes helm chart extension version|1.14.0|

+|Azure Arc Extension for Azure Data Studio<br/>`arc`<br/>`azcli`|*No Changes*<br/>1.7.0 ([Download](https://aka.ms/ads-arcdata-ext))</br>1.7.0 ([Download](https://aka.ms/ads-azcli-ext))|

+**SDK endpoint modifications** - In order to send data from Application Insights to an Azure Government region, you'll need to modify the default endpoint addresses that are used by the Application Insights SDKs. Each SDK requires slightly different modifications, as described in [Application Insights overriding default endpoints](../azure-monitor/app/create-new-resource.md#override-default-endpoints).

+| 4 | Invalid package type *or* invalid proxy settings. The omsagent-*rpm*.sh packages can only be installed on RPM-based systems. The omsagent-*deb*.sh packages can only be installed on Debian-based systems. We recommend that you use the universal installer from the [latest release](agent-linux.md#agent-install-package). Also review to verify your proxy settings. |

+1. Double-check that the endpoints outlined in the Azure Monitor [network firewall requirements](./log-analytics-agent.md#firewall-requirements) list are added to an allowlist correctly. If you use Azure Automation, the necessary network configuration steps are also linked above.

+### Sample log queries

+- **Count the IIS log entries by URL for the host www.contoso.com.**

+

+ ```kusto

+ W3CIISLog

+ | where csHost=="www.contoso.com"

+ | summarize count() by csUriStem

+ ```

+- **Review the total bytes received by each IIS machine.**

+ ```kusto

+ W3CIISLog

+ | summarize sum(csBytes) by Computer

+ ```

+## Sample alert rule

+- **Create an alert rule on any record with a return status of 500.**

+

+ ```kusto

+ W3CIISLog

+ | where scStatus==500

+ | summarize AggregatedValue = count() by Computer, bin(TimeGenerated, 15m)

+ ```

+The table created in the script has two columns TimeGenerated: datetime and RawData: string, which is the default schema for a custom text log. If you know your final schema, then you can add columns in the script before creating the table. If you don't, columns can always be added in the log analytics table UI.

+The easiest way to make the REST call is from an Azure Cloud PowerShell command line (CLI). To open the shell, go to the Azure portal, press the Cloud Shell button, and select PowerShell. If this is your first-time using Azure Cloud PowerShell, you will need to walk through the one-time configuration wizard.

+### Sample log queries

+The column names used here are for example only. The column names for your log will most likely be different.

+- **Count the number of events by code.**

+

+ ```kusto

+ MyApp_CL

+ | summarize count() by code

+ ```

+### Sample alert rule

+- **Create an alert rule on any error event.**

+

+ ```kusto

+ MyApp_CL

+ | where status == "Error"

+ | summarize AggregatedValue = count() by Computer, bin(TimeGenerated, 15m)

+ ```

+For apps written by using [ASP.NET Core](asp-net-core.md#add-telemetry-processors) or [WorkerService](worker-service.md#add-telemetry-processors), adding a new telemetry processor is done by using the `AddApplicationInsightsTelemetryProcessor` extension method on `IServiceCollection`, as shown. This method is called in the `ConfigureServices` method of your `Startup.cs` class.

+For apps written using [ASP.NET Core](asp-net-core.md#add-telemetryinitializers) or [WorkerService](worker-service.md#add-telemetry-initializers), adding a new telemetry initializer is done by adding it to the Dependency Injection container, as shown. Accomplish this step in the `Startup.ConfigureServices` method.

+For [ASP.NET Core](asp-net-core.md#add-telemetryinitializers) applications, to add a new `TelemetryInitializer` instance, you add it to the Dependency Injection container, as shown. You do this step in the `ConfigureServices` method of your `Startup.cs` class.

+ Title: Application Insights for ASP.NET Core applications | Microsoft Docs

+We'll use an [MVC application](/aspnet/core/tutorials/first-mvc-app) example. If you're using the [Worker Service](/aspnet/core/fundamentals/host/hosted-services#worker-service-template), use the instructions in [Application Insights for Worker Service applications](./worker-service.md).

+A preview [OpenTelemetry-based .NET offering](opentelemetry-enable.md?tabs=net) is available. For more information, see [OpenTelemetry overview](opentelemetry-overview.md).

+You can also use the Microsoft.Extensions.Logging.ApplicationInsights package to capture logs. For more information, see [Application Insights logging with .NET](ilogger.md). For an example, see [Console application](ilogger.md#console-application).

+* **Web server**: Internet Information Server (IIS) or Kestrel

+* **Hosting platform**: The Web Apps feature of Azure App Service, Azure Virtual Machines, Docker, and Azure Kubernetes Service (AKS)

+> ASP.NET Core 6.0 requires [Application Insights 2.19.0](https://www.nuget.org/packages/Microsoft.ApplicationInsights.AspNetCore/2.19.0) or later.

+You need:

+1. Go to **Project** > **Add Application Insights Telemetry**.

+1. Select **Azure Application Insights** > **Next**.

+1. Choose your subscription and Application Insights instance. Or you can create a new instance with **Create new**. Select **Next**.

+1. Add or confirm your Application Insights connection string. It should be prepopulated based on your selection in the previous step. Select **Finish**.

+1. After you add Application Insights to your project, check to confirm that you're using the latest stable release of the SDK. Go to **Project** > **Manage NuGet Packages** > **Microsoft.ApplicationInsights.AspNetCore**. If you need to, select **Update**.

+ :::image type="content" source="./media/asp-net-core/update-nuget-package.png" alt-text="Screenshot that shows where to select the Application Insights package for update.":::

+1. Install the [Application Insights SDK NuGet package for ASP.NET Core](https://nuget.org/packages/Microsoft.ApplicationInsights.AspNetCore).

+ The following code sample shows the changes to add to your project's `.csproj` file:

+1. Add `AddApplicationInsightsTelemetry()` to your `startup.cs` or `program.cs` class. The choice depends on your .NET Core version.

+1. Set up the connection string.

+ Although you can provide a connection string as part of the `ApplicationInsightsServiceOptions` argument to `AddApplicationInsightsTelemetry`, we recommend that you specify the connection string in configuration. The following code sample shows how to specify a connection string in `appsettings.json`. Make sure `appsettings.json` is copied to the application root folder during publishing.

+ Alternatively, specify the connection string in the `APPLICATIONINSIGHTS_CONNECTION_STRING` environment variable or `ApplicationInsights:ConnectionString` in the JSON configuration file.

+ * Typically, `APPLICATIONINSIGHTS_CONNECTION_STRING` is used in [Web Apps](./azure-web-apps.md?tabs=net). It can also be used in all places where this SDK is supported.

+ > A connection string specified in code wins over the environment variable `APPLICATIONINSIGHTS_CONNECTION_STRING`, which wins over other options.

+If you want to store the connection string in ASP.NET Core user secrets or retrieve it from another configuration provider, you can use the overload with a `Microsoft.Extensions.Configuration.IConfiguration` parameter. An example parameter is `services.AddApplicationInsightsTelemetry(Configuration);`.

+In `Microsoft.ApplicationInsights.AspNetCore` version [2.15.0](https://www.nuget.org/packages/Microsoft.ApplicationInsights.AspNetCore) and later, calling `services.AddApplicationInsightsTelemetry()` automatically reads the connection string from `Microsoft.Extensions.Configuration.IConfiguration` of the application. There's no need to explicitly provide `IConfiguration`.

+If `IConfiguration` has loaded configuration from multiple providers, then `services.AddApplicationInsightsTelemetry` prioritizes configuration from `appsettings.json`, irrespective of the order in which providers are added. Use the `services.AddApplicationInsightsTelemetry(IConfiguration)` method to read configuration from `IConfiguration` without this preferential treatment for `appsettings.json`.

+[Live Metrics](./live-stream.md) can be used to quickly verify if Application Insights monitoring is configured correctly. It might take a few minutes for telemetry to appear in the portal and analytics, but Live Metrics shows CPU usage of the running process in near real time. It can also show other telemetry like requests, dependencies, and traces.

+The default configuration collects `ILogger` `Warning` logs and more severe logs. For more information, see [How do I customize ILogger logs collection?](#how-do-i-customize-ilogger-logs-collection).

+Dependency collection is enabled by default. [Dependency tracking in Application Insights](asp-net-dependencies.md#automatically-tracked-dependencies) explains the dependencies that are automatically collected and also contains steps to do manual tracking.

+* SDK versions 2.4.1 and later collect performance counters if the application is running in Web Apps (Windows).

+* For applications that target the .NET Framework, all versions of the SDK support performance counters.

+* SDK versions 2.8.0 and later support the CPU/memory counter in Linux. No other counter is supported in Linux. To get system counters in Linux and other non-Windows environments, use [EventCounters](#eventcounter).

+1. In `_Layout.cshtml`, insert `HtmlHelper` at the end of the `<head>` section but before any other script. If you want to report any custom JavaScript telemetry from the page, inject it after this snippet:

+As an alternative to using `FullScript`, `ScriptBody` is available starting in Application Insights SDK for ASP.NET Core version 2.14. Use `ScriptBody` if you need to control the `<script>` tag to set a Content Security Policy:

+> JavaScript injection provides a default configuration experience. If you require [configuration](./javascript.md#configuration) beyond setting the connection string, you're required to remove auto-injection as described and manually add the [JavaScript SDK](./javascript.md#add-the-javascript-sdk).

+### Use ApplicationInsightsServiceOptions

+|EnablePerformanceCounterCollectionModule | Enable/Disable `PerformanceCounterCollectionModule`. | True

+|EnableRequestTrackingTelemetryModule | Enable/Disable `RequestTrackingTelemetryModule`. | True

+|EnableEventCounterCollectionModule | Enable/Disable `EventCounterCollectionModule`. | True

+|EnableDependencyTrackingTelemetryModule | Enable/Disable `DependencyTrackingTelemetryModule`. | True

+|EnableAppServicesHeartbeatTelemetryModule | Enable/Disable `AppServicesHeartbeatTelemetryModule`. | True

+|EnableAzureInstanceMetadataTelemetryModule | Enable/Disable `AzureInstanceMetadataTelemetryModule`. | True

+|EnableQuickPulseMetricStream | Enable/Disable LiveMetrics feature. | True

+|EnableAdaptiveSampling | Enable/Disable Adaptive Sampling. | True

+|EnableHeartbeat | Enable/Disable the heartbeats feature. It periodically (15-min default) sends a custom metric named `HeartbeatState` with information about the runtime like .NET version and Azure environment information, if applicable. | True

+|AddAutoCollectedMetricExtractor | Enable/Disable the `AutoCollectedMetrics extractor`. This telemetry processor sends pre-aggregated metrics about requests/dependencies before sampling takes place. | True

+|RequestCollectionOptions.TrackExceptions | Enable/Disable reporting of unhandled exception tracking by the request collection module. | False in NETSTANDARD2.0 (because exceptions are tracked with `ApplicationInsightsLoggerProvider`). True otherwise.

+|EnableDiagnosticsTelemetryModule | Enable/Disable `DiagnosticsTelemetryModule`. Disabling will cause the following settings to be ignored: `EnableHeartbeat`, `EnableAzureInstanceMetadataTelemetryModule`, and `EnableAppServicesHeartbeatTelemetryModule`. | True

+In Microsoft.ApplicationInsights.AspNetCore SDK version [2.15.0](https://www.nuget.org/packages/Microsoft.ApplicationInsights.AspNetCore/2.15.0) and later, configure every setting available in `ApplicationInsightsServiceOptions`, including `ConnectionString`. Use the application's `IConfiguration` instance. The settings must be under the section `ApplicationInsights`, as shown in the following example. The following section from *appsettings.json* configures the connection string and disables adaptive sampling and performance counter collection.

+### Add TelemetryInitializers

+When you want to enrich telemetry with more information, use [telemetry initializers](./api-filtering-sampling.md#addmodify-properties-itelemetryinitializer).

+> `builder.Services.AddSingleton<ITelemetryInitializer, MyCustomTelemetryInitializer>();` works for simple initializers. For others, `builder.Services.AddSingleton(new MyCustomTelemetryInitializer() { fieldName = "myfieldName" });` is required.

+> `services.AddSingleton<ITelemetryInitializer, MyCustomTelemetryInitializer>();` works for simple initializers. For others, `services.AddSingleton(new MyCustomTelemetryInitializer() { fieldName = "myfieldName" });` is required.

+### Remove TelemetryInitializers

+By default, telemetry initializers are present. To remove all or specific telemetry initializers, use the following sample code *after* you call `AddApplicationInsightsTelemetry()`.

+### Add telemetry processors

+You can add custom telemetry processors to `TelemetryConfiguration` by using the extension method `AddApplicationInsightsTelemetryProcessor` on `IServiceCollection`. You use telemetry processors in [advanced filtering scenarios](./api-filtering-sampling.md#itelemetryprocessor-and-itelemetryinitializer). Use the following example:

+### Configure or remove default TelemetryModules

+* `RequestTrackingTelemetryModule`: Collects RequestTelemetry from incoming web requests.

+* `DependencyTrackingTelemetryModule`: Collects [DependencyTelemetry](./asp-net-dependencies.md) from outgoing HTTP calls and SQL calls.

+* `PerformanceCollectorModule`: Collects Windows PerformanceCounters.

+* `QuickPulseTelemetryModule`: Collects telemetry to show in the Live Metrics portal.

+* `AppServicesHeartbeatTelemetryModule`: Collects heartbeats (which are sent as custom metrics), about the App Service environment where the application is hosted.

+* `AzureInstanceMetadataTelemetryModule`: Collects heartbeats (which are sent as custom metrics), about the Azure VM environment where the application is hosted.

+* `EventCounterCollectionModule`: Collects [EventCounters](eventcounters.md). This module is a new feature and is available in SDK version 2.8.0 and later.

+To configure any default `TelemetryModule`, use the extension method `ConfigureTelemetryModule<T>` on `IServiceCollection`, as shown in the following example:

+In versions 2.12.2 and later, [`ApplicationInsightsServiceOptions`](#use-applicationinsightsserviceoptions) includes an easy option to disable any of the default modules.

+### Configure a telemetry channel

+> If you want to flush the buffer, see [Flushing data](api-custom-events-metrics.md#flushing-data). For example, you might need to flush the buffer if you're using the SDK in an application that shuts down.

+The preceding code sample prevents the sending of telemetry to Application Insights. It doesn't prevent any automatic collection modules from collecting telemetry. If you want to remove a particular autocollection module, see [Remove the telemetry module](#configure-or-remove-default-telemetrymodules).

+This section provides answers to common questions.

+Get an instance of `TelemetryClient` by using constructor injection and call the required `TrackXXX()` method on it. We don't recommend creating new `TelemetryClient` or `TelemetryConfiguration` instances in an ASP.NET Core application. A singleton instance of `TelemetryClient` is already registered in the `DependencyInjection` container, which shares `TelemetryConfiguration` with the rest of the telemetry. Create a new `TelemetryClient` instance only if it needs a configuration that's separate from the rest of the telemetry.

+For more information about custom data reporting in Application Insights, see [Application Insights custom metrics API reference](./api-custom-events-metrics.md). A similar approach can be used for sending custom metrics to Application Insights by using the [GetMetric API](./get-metric.md).

+By default, only `Warning` logs and more severe logs are automatically captured. To change this behavior, explicitly override the logging configuration for the provider `ApplicationInsights`, as shown in the following code. The following configuration allows Application Insights to capture all `Information` logs and more severe logs.

+The extension method `UseApplicationInsights()` is still supported, but it's marked as obsolete in Application Insights SDK version 2.8.0 and later. It will be removed in the next major version of the SDK. To enable Application Insights telemetry, use `AddApplicationInsightsTelemetry()` because it provides overloads to control some configuration. Also, in ASP.NET Core 3.X apps, `services.AddApplicationInsightsTelemetry()` is the only way to enable Application Insights.

+ * All hosting options, including Web Apps, VMs, Linux, containers, AKS, and non-Azure hosting.

+ * All .NET Core versions, including preview versions.

+* Although `ServerTelemetryChannel` is enabled by default, if the application is running in Linux or macOS, the channel doesn't automatically create a local storage folder to keep telemetry temporarily if there are network issues. Because of this limitation, telemetry is lost when there are temporary network or server issues. To work around this issue, configure a local folder for the channel.

+This SDK requires `HttpContext`. It doesn't work in any non-HTTP applications, including the .NET Core 3.X Worker Service applications. To enable Application Insights in such applications by using the newly released Microsoft.ApplicationInsights.WorkerService SDK, see [Application Insights for Worker Service applications (non-HTTP applications)](worker-service.md).

+[Read and contribute to the code](https://github.com/microsoft/ApplicationInsights-dotnet).

+* [Explore user flows](./usage-flows.md) to understand how users move through your app.

+* Learn about [dependency injection in ASP.NET Core](/aspnet/core/fundamentals/dependency-injection).

+If you want to switch off the standard dependency tracking module, remove the reference to `DependencyTrackingTelemetryModule` in [ApplicationInsights.config](../../azure-monitor/app/configuration-with-applicationinsights-config.md) for ASP.NET applications. For ASP.NET Core applications, follow the instructions in [Application Insights for ASP.NET Core applications](asp-net-core.md#configure-or-remove-default-telemetrymodules).

+* Set up custom dependency tracking for [Java](java-in-process-agent.md#add-spans-by-using-the-opentelemetry-annotation).

+ Title: Continuous monitoring of your Azure DevOps release pipeline | Microsoft Docs

+description: This article provides instructions to quickly set up continuous monitoring with Azure Pipelines and Application Insights.

+Azure Pipelines integrates with Application Insights to allow continuous monitoring of your Azure DevOps release pipeline throughout the software development lifecycle.

+With continuous monitoring, release pipelines can incorporate monitoring data from Application Insights and other Azure resources. When the release pipeline detects an Application Insights alert, the pipeline can gate or roll back the deployment until the alert is resolved. If all checks pass, deployments can proceed automatically from test all the way to production, without the need for manual intervention.

+1. On the left menu of the project page, select **Pipelines** > **Releases**.

+1. Select the dropdown arrow next to **New** and select **New release pipeline**. Or, if you don't have a pipeline yet, select **New pipeline** on the page that appears.

+1. On the **Select a template** pane, search for and select **Azure App Service deployment with continuous monitoring**, and then select **Apply**.

+ 

+ 

+1. In the **Stage 1** configuration pane, fill in the following fields:

+ | **Stage name** | Provide a stage name or leave it at **Stage 1**. |

+ | **Azure subscription** | Select the dropdown arrow and select the linked Azure subscription you want to use.|

+ | **App type** | Select the dropdown arrow and select your app type. |

+ | **Resource Group name for Application Insights** | Select the dropdown arrow and select the resource group you want to use. |

+ | **Application Insights resource name** | Select the dropdown arrow and select the Application Insights resource for the resource group you selected.

+1. To save the pipeline with default alert rule settings, select **Save** in the upper-right corner of the Azure DevOps window. Enter a descriptive comment and select **OK**.

+Out of the box, the **Azure App Service deployment with continuous monitoring** template has four alert rules: **Availability**, **Failed requests**, **Server response time**, and **Server exceptions**. You can add more rules or change the rule settings to meet your service level needs.

+You can modify the script and add more alert rules. You can also modify the alert conditions. And you can remove alert rules that don't make sense for your deployment purposes.

+When you add deployment gates to your release pipeline, an alert that exceeds the thresholds you set prevents unwanted release promotion. After you resolve the alert, the deployment can proceed automatically.

+ 

+ 

+1. Under **Evaluation options**, enter the values you want for settings like **The time between re-evaluation of gates** and **The timeout after which gates fail**.

+1. Select **Releases** from the left menu of the pipeline page.

+1. Select any release.

+1. Under **Stages**, select any stage to view a release summary.

+1. To view logs, select **View logs** in the release summary, select the **Succeeded** or **Failed** hyperlink in any stage, or hover over any stage and select **Logs**.

+ 

+ Title: Create a new Application Insights resource | Microsoft Docs

+Application Insights displays data about your application in an Azure resource. Creating a new resource is part of [setting up Application Insights to monitor a new application][start]. After you've created your new resource, you can get its instrumentation key and use it to configure the Application Insights SDK. The instrumentation key links your telemetry to the resource.

+> On **February 29, 2024,** [support for classic Application Insights will end](https://azure.microsoft.com/updates/we-re-retiring-classic-application-insights-on-29-february-2024). [Transition to workspace-based Application Insights](convert-classic-resource.md) to take advantage of [new capabilities](create-workspace-resource.md#new-capabilities). Newer regions introduced after February 2021 don't support creating classic Application Insights resources.

+## Sign in to Azure

+Sign in to the [Azure portal](https://portal.azure.com) and create an Application Insights resource.

+

+ | **Name** | `Unique value` | Name that identifies the app you're monitoring. |

+ | **Resource group** | `myResourceGroup` | Name for the new or existing resource group to host Application Insights data. |

+ | **Region** | `East US` | Select a location near you or near where your app is hosted. |

+ | **Resource mode** | `Classic` or `Workspace-based` | Workspace-based resources allow you to send your Application Insights telemetry to a common Log Analytics workspace. For more information, see [Workspace-based Application Insights resources](create-workspace-resource.md).

+> You can use the same resource name across different resource groups, but it can be beneficial to use a globally unique name. If you plan to [perform cross-resource queries](../logs/cross-workspace-query.md#identifying-an-application), using a globally unique name simplifies the required syntax.

+Enter the appropriate values in the required fields. Select **Review + create**.

+> 

+After your app is created, a new pane displays performance and usage data about your monitored application.

+The instrumentation key identifies the resource that you want to associate with your telemetry data. You'll need to copy the instrumentation key and add it to your application's code.

+The SDK includes standard modules that send telemetry, so you don't have to write any more code. To track user actions or diagnose issues in more detail, [use the API][api] to send your own telemetry.

+## Create a resource automatically

+Use PowerShell or the Azure CLI to create a resource automatically.

+Create a new Application Insights resource.

+For the full PowerShell documentation for this cmdlet, and to learn how to retrieve the instrumentation key, see the [Azure PowerShell documentation](/powershell/module/az.applicationinsights/new-azapplicationinsights).

+If you don't run the `az extension add` command, you'll see an error message that states: `az : ERROR: az monitor: 'app-insights' is not in the 'az monitor' command group. See 'az monitor --help'.`

+Run the following command to create your Application Insights resource:

+For the full Azure CLI documentation for this command, and to learn how to retrieve the instrumentation key, see the [Azure CLI documentation](/cli/azure/monitor/app-insights/component#az-monitor-app-insights-component-create).

+## Override default endpoints

+> Don't modify endpoints. [Transition to connection strings](migrate-from-instrumentation-keys-to-connection-strings.md#migrate-from-application-insights-instrumentation-keys-to-connection-strings) to simplify configuration and eliminate the need for endpoint modification.

+To send data from Application Insights to certain regions, you'll need to override the default endpoint addresses. Each SDK requires slightly different modifications, all of which are described in this article.

+These changes require you to adjust the sample code and replace the placeholder values for `QuickPulse_Endpoint_Address`, `TelemetryChannel_Endpoint_Address`, and `Profile_Query_Endpoint_address` with the actual endpoint addresses for your specific region. The end of this article contains links to the endpoint addresses for regions where this configuration is required.

+> The *applicationinsights.config* file is automatically overwritten anytime an SDK upgrade is performed. After you perform an SDK upgrade, be sure to reenter the region-specific endpoint values.

+Modify the *appsettings.json* file in your project to adjust the main endpoint:

+The values for Live Metrics and the Profile Query endpoint can only be set via code. To override the default values for all endpoint values via code, make the following changes in the `ConfigureServices` method of the `Startup.cs` file:

+For Azure Functions, we recommend that you use [connection strings](./sdk-connection-string.md?tabs=net) set in the function's Application settings. To access Application settings for your function from within the functions pane, select **Settings** > **Configuration** > **Application settings**.

+**Name**: `APPLICATIONINSIGHTS_CONNECTION_STRING`<br>

+**Value**: `Connection String Value`

+Modify the *applicationinsights.xml* file to change the default endpoint address:

+**Instrumentation Key*: "APPINSIGHTS_INSTRUMENTATIONKEY"

+*Profile endpoint*: "Profile_Query_Endpoint_address"

+*Live Metrics endpoint*: "QuickPulse_Endpoint_Address"

+The current snippet listed here is version 5. The version is encoded in the snippet as `sv:"#"`. The [current version is also available on GitHub](https://go.microsoft.com/fwlink/?linkid=2156318).

+// name: "appInsights", // Global SDK Instance name defaults to "appInsights" when not supplied.

+// ld: 0, // Defines the load delay (in ms) before attempting to load the sdk. -1 = block page load and add to head (default) = 0ms load after timeout.

+// useXhr: 1, // Use XHR instead of fetch to report failures (if available).

+crossOrigin: "anonymous", // When supplied, this will add the provided value as the cross origin attribute on the script tag.

+// onInit: null, // Once the Application Insights instance has loaded and initialized, this callback function will be called with 1 argument -- the sdk instance. (DO NOT ADD anything to the sdk.queue -- as they won't get called.)

+> For readability and to reduce possible JavaScript errors, all the possible configuration options are listed on a new line in the preceding snippet code. If you don't want to change the value of a commented line, it can be removed.

+For guidance on modifying the ingestion endpoint for the opencensus-python SDK, consult the [opencensus-python repo](https://github.com/census-instrumentation/opencensus-python/blob/af284a92b80bcbaf5db53e7e0813f96691b4c696/contrib/opencensus-ext-azure/opencensus/ext/azure/common/__init__.py).

+Currently, the only regions that require endpoint modifications are [Azure Government](../../azure-government/compare-azure-government-global-azure.md#application-insights) and [Azure China](/azure/china/resources-developer-guide).

+|Region | Endpoint name | Value |

+If you currently use the [Application Insights REST API](/rest/api/application-insights/), which is normally accessed via `api.applicationinsights.io`, you'll need to use an endpoint that's local to your region.

+|Region | Endpoint name | Value |

+* Use [Diagnostic Search](./diagnostic-search.md).

+* [Explore metrics](../essentials/metrics-charts.md).

+* [Write Log Analytics queries](../logs/log-query-overview.md).

+* To learn more about the custom modifications for Azure Government, see the detailed guidance for [Azure monitoring and management](../../azure-government/compare-azure-government-global-azure.md#application-insights).

+* To learn more about Azure China, see the [Azure China Playbook](/azure/china/).

+description: Application performance monitoring for Java applications running in any environment without requiring code modification. The article also discusses distributed tracing and the application map.

+This article describes how to enable and configure the OpenTelemetry-based Azure Monitor Java offering. It can be used for any environment, including on-premises. After you finish the instructions in this article, you can use Azure Monitor Application Insights to monitor your application.

+Java auto-instrumentation is enabled through configuration changes. No code changes are required.

+You need:

+- A Java application using Java 8+.

+- An Azure subscription: [Create an Azure subscription for free](https://azure.microsoft.com/free/).

+- An Application Insights resource: [Create an Application Insights resource](create-workspace-resource.md#create-a-workspace-based-resource).

+> If you're upgrading from an earlier 3.x version:

+> - Rate-limited sampling is now the default, if you haven't configured a fixed percentage previously. By default, it will capture at most around five requests per second, along with their dependencies, traces, and custom events. See [fixed-percentage sampling](./java-standalone-config.md#fixed-percentage-sampling) if you want to revert to the previous behavior of capturing 100% of requests.

+> - `LoggingLevel` isn't captured by default as part of Traces' custom dimension because that data is already captured in the `SeverityLevel` field. For information on how to reenable it, see the [config options](./java-standalone-config.md#logging-level-as-a-custom-dimension).

+> - Exception records are no longer recorded for failed dependencies. They're only recorded for failed requests.

+>

+> - Controller `InProc` dependencies are no longer captured by default. For information on how to reenable these dependencies, see the [config options](./java-standalone-config.md#autocollect-inproc-dependencies-preview).

+> For more information, see the [3.2.0 release notes](https://github.com/microsoft/ApplicationInsights-Java/releases/tag/3.2.0).

+>

+>

+> For more information, see the [3.1.0 release notes](https://github.com/microsoft/ApplicationInsights-Java/releases/tag/3.1.0).

+If you develop a Spring Boot application, you can replace the JVM argument by a programmatic configuration. For more information, see [Using Azure Monitor Application Insights with Spring Boot](./java-spring-boot.md).

+ - Set an environment variable:

+ - Create a configuration file named `applicationinsights.json`. Place it in the same directory as `applicationinsights-agent-3.4.7.jar` with the following content:

+ :::image type="content" source="media/migrate-from-instrumentation-keys-to-connection-strings/migrate-from-instrumentation-keys-to-connection-strings.png" alt-text="Screenshot that shows Application Insights overview and connection string." lightbox="media/migrate-from-instrumentation-keys-to-connection-strings/migrate-from-instrumentation-keys-to-connection-strings.png":::

+In the *applicationinsights.json* file, you can also configure these settings:

+* Autocollected Micrometer metrics, including Spring Boot Actuator metrics

+## Auto-instrumentation

+> Servlet and Netty auto-instrumentation covers the majority of Java HTTP services, including Java EE, Jakarta EE, Spring Boot, Quarkus, and Micronaut.

+* Micrometer, including Spring Boot Actuator metrics

+### Add spans by using the OpenTelemetry annotation

+The simplest way to add your own spans is by using OpenTelemetry's `@WithSpan` annotation.

+By default, the span will end up in the `dependencies` table with dependency type `InProc`.

+If your method represents a background job that isn't already captured by auto-instrumentation,

+we recommend that you apply the attribute `kind = SpanKind.SERVER` to the `@WithSpan` annotation

+### Add spans by using the OpenTelemetry API

+If the preceding OpenTelemetry `@WithSpan` annotation doesn't meet your needs, you can add your spans by using the OpenTelemetry API.

+1. Use the `GlobalOpenTelemetry` class to create a `Tracer`:

+You can use `opentelemetry-api` to create span events, which populate the `traces` table in Application Insights. The string passed in to `addEvent()` is saved to the `message` field within the trace.

+Adding one or more span attributes populates the `customDimensions` field in the `requests`, `dependencies`, `traces`, or `exceptions` table.

+1. Set status to `error` and record an exception in your code:

+Populate the `user ID` field in the `requests`, `dependencies`, or `exceptions` table.

+Consult applicable privacy laws before you set the Authenticated User ID.

+- Custom metrics are supported through Micrometer.

+1. Use the Micrometer [global registry](https://micrometer.io/docs/concepts#_global_registry) to create a meter:

+1. Use the counter to record metrics:

+1. The metrics will be ingested into the

+ [metrics explorer](../essentials/metrics-getting-started.md) under the `Log-based metrics` metric namespace.

+ > Application Insights Java replaces all non-alphanumeric characters (except dashes) in the Micrometer metric name with underscores. As a result, the preceding `test.counter` metric will show up as `test_counter`.

+By default, logging is only collected when that logging is performed at the INFO level or higher.

+1. Create a `TelemetryClient` instance:

+- Engage with other Azure Monitor users in the [Microsoft Tech Community](https://techcommunity.microsoft.com/t5/azure-monitor/bd-p/AzureMonitor).

+For more information on how to configure ASP.NET Core applications, see [Configuring telemetry modules in ASP.NET Core](./asp-net-core.md#configure-or-remove-default-telemetrymodules).

+* [Create an Application Insights resource](./create-new-resource.md#create-a-resource-automatically) via a quick method without using a template.

+ Title: Application Insights User Flows analyzes navigation flows

+description: Analyze how users move between the pages and features of your web app.

+

+The User Flows tool visualizes how users move between the pages and features of your site. It's great for answering questions like:

+* How do users move away from a page on your site?

+* What do users select on a page on your site?

+The User Flows tool starts from an initial page view, custom event, or exception that you specify. From this initial event, User Flows shows the events that happened before and after user sessions. Lines of varying thickness show how many times users followed each path. Special **Session Started** nodes show where the subsequent nodes began a session. **Session Ended** nodes show how many users sent no page views or custom events after the preceding node, highlighting where users probably left your site.

+## Choose an initial event

+

+1. Select the link in the **What do users do after?** title or select **Edit**.

+1. Select a page view, custom event, or exception from the **Initial event** dropdown list.

+1. Select **Create graph**.

+The **Step 1** column of the visualization shows what users did most frequently after the initial event. The items are ordered from top to bottom and from most to least frequent. The **Step 2** and subsequent columns show what users did next. The information creates a picture of all the ways that users moved through your site.

+By default, the User Flows tool randomly samples only the last 24 hours of page views and custom events from your site. You can increase the time range and change the balance of performance and accuracy for random sampling on the **Edit** menu.

+If some of the page views, custom events, and exceptions aren't relevant to you, select **X** on the nodes you want to hide. After you've selected the nodes you want to hide, select **Create graph**. To see all the nodes you've hidden, select **Edit** and look at the **Excluded events** section.

+If page views or custom events are missing that you expect to see in the visualization:

+* Check the **Excluded events** section on the **Edit** menu.

+* If the page view or custom event you expect is sent infrequently by users, increase the time range of the visualization on the **Edit** menu.

+* Make sure the page view, custom event, or exception you expect is set up to be collected by the Application Insights SDK in the source code of your site. Learn more about [collecting custom events](./api-custom-events-metrics.md).

+If you want to see more steps in the visualization, use the **Previous steps** and **Next steps** dropdown lists above the visualization.

+## After users visit a page or feature, where do they go and what do they select?

+

+If your initial event is a page view, the first column (**Step 1**) of the visualization is a quick way to understand what users did immediately after they visited the page.

+Open your site in a window next to the User Flows visualization. Compare your expectations of how users interact with the page to the list of events in the **Step 1** column. Often, a UI element on the page that seems insignificant to your team can be among the most used on the page. It can be a great starting point for design improvements to your site.

+If your initial event is a custom event, the first column shows what users did after they performed that action. As with page views, consider if the observed behavior of your users matches your team's goals and expectations.

+If your selected initial event is **Added Item to Shopping Cart**, for example, look to see if **Go to Checkout** and **Completed Purchase** appear in the visualization shortly thereafter. If user behavior is different from your expectations, use the visualization to understand how users are getting "trapped" by your site's current design.

+Watch for **Session Ended** nodes that appear high up in a column in the visualization, especially early in a flow. This positioning means many users probably churned from your site after they followed the preceding path of pages and UI interactions.

+Sometimes churn is expected. For example, it's expected after a user makes a purchase on an e-commerce site. But usually churn is a sign of design problems, poor performance, or other issues with your site that can be improved.

+Keep in mind that **Session Ended** nodes are based only on telemetry collected by this Application Insights resource. If Application Insights doesn't receive telemetry for certain user interactions, users might have interacted with your site in those ways after the User Flows tool says the session ended.

+Look for a page view or custom event that's repeated by many users across subsequent steps in the visualization. This activity usually means that users are performing repetitive actions on your site. If you find repetition, think about changing the design of your site or adding new functionality to reduce repetition. For example, you might add bulk edit functionality if you find users performing repetitive actions on each row of a table element.

+This section provides answers to common questions.

+### Does the initial event represent the first time the event appears in a session or any time it appears in a session?

+The initial event on the visualization only represents the first time a user sent that page view or custom event during a session. If users can send the initial event multiple times in a session, then the **Step 1** column only shows how users behave after the *first* instance of an initial event, not all instances.

+### Some of the nodes in my visualization have a level that's too high. How can I get more detailed nodes?

+Use the **Split by** options on the **Edit** menu:

+1. Select the event you want to break down on the **Event** menu.

+1. Select a dimension on the **Dimension** menu. For example, if you have an event called **Button Clicked**, try a custom property called **Button Name**.

+* [Users, sessions, and events](usage-segmentation.md)

+* [Adding custom events to your app](./api-custom-events-metrics.md)

+For [ASP.NET Core](asp-net-core.md#add-telemetryinitializers) applications, adding a new telemetry initializer is done by adding it to the Dependency Injection container, as shown here. This step is done in the `ConfigureServices` method of your `Startup.cs` class.

+| Configure VM agents to collect only critical events. | Virtual machines can vary significantly in the amount of data they collect, depending on the amount of telemetry generated by the applications and services they have installed. See [Monitor virtual machines with Azure Monitor: Workloads](vm/monitor-virtual-machine-data-collection.md#controlling-costs) for guidance on data to collect and strategies for using XPath queries and transformations to limit it.|

+To create a log query alert rule by using the portal, see [this example of a log query alert](../alerts/tutorial-log-alert.md), which provides a complete walkthrough. You can use these same processes to create alert rules for AKS clusters by using queries similar to the ones in this article.

+ * [Install the Azure VM Agent](../../virtual-machines/extensions/agent-windows.md#install-the-vm-agent)

+ Title: 'Monitor virtual machines with Azure Monitor: Deploy agent'

+description: Learn how to deploy the Azure Monitor agent to your virtual machines for monitoring in Azure Monitor. Monitor virtual machines and their workloads with an Azure Monitor guide.

+# Monitor virtual machines with Azure Monitor: Deploy agent

+This article is part of the guide [Monitor virtual machines and their workloads in Azure Monitor](monitor-virtual-machine.md). It describes how to deploy the Azure Monitor agent to your Azure and hybrid virtual machines in Azure Monitor.

+> [!NOTE]

+> This scenario describes how to implement complete monitoring of your Azure and hybrid virtual machine environment. To get started monitoring your first Azure virtual machine, see [Monitor Azure virtual machines](../../virtual-machines/monitor-vm.md).

+Any monitoring tool like Azure Monitor, requires an agent installed on a machine to collect data from its guest operating system. Azure Monitor uses the [Azure Monitor agent](../agents/agents-overview.md), which supports virtual machines in Azure, other cloud environments, and on-premises.

+## Legacy agents

+The Azure Monitor agent replaces legacy agents that are still available but should only be used if you require particular functionality not yet available with Azure Monitor agent. Most users will be able to use Azure Monitor without the legacy agents.

+The legacy agents include the following:

+- [Log Analytics agent](../agents/log-analytics-agent.md): Supports virtual machines in Azure, other cloud environments, and on-premises. Sends data to Azure Monitor Logs. This agent is the same agent used for System Center Operations Manager.

+- [Azure Diagnostic extension](../agents/diagnostics-extension-overview.md): Supports Azure Monitor virtual machines only. Sends data to Azure Monitor Metrics, Azure Event Hubs, and Azure Storage.

+See [Supported services and features](../agents/agents-overview.md#supported-services-and-features) for the current features supported by Azure Monitor agent. See [Migrate to Azure Monitor Agent from Log Analytics agent](../agents/azure-monitor-agent-migration.md) for details on migrating to the Azure Monitor agent if you already have the Log Analytics agent deployed.

+## Prerequisites

+### Create a Log Analytics workspace

+You don't need a Log Analytics workspace to deploy the Azure Monitor agent, but you will need one to collect the data that it sends. There's no cost for the workspace, but you do incur ingestion and retention costs when you collect data.

+Many environments use a single workspace for all their virtual machines and other Azure resources they monitor. You can even share a workspace used by [Microsoft Defender for Cloud and Microsoft Sentinel](monitor-virtual-machine-security.md), although many customers choose to segregate their availability and performance telemetry from security data. If you're getting started with Azure Monitor, start with a single workspace and consider creating more workspaces as your requirements evolve. [VM insights]() will create a default workspace which you can use to get started quickly.

+For complete details on logic that you should consider for designing a workspace configuration, see [Design a Log Analytics workspace configuration](../logs/workspace-design.md).

+### Workspace permissions

+The access mode of the workspace defines which users can access different sets of data. For details on how to define your access mode and configure permissions, see [Manage access to log data and workspaces in Azure Monitor](../logs/manage-access.md). If you're just getting started with Azure Monitor, consider accepting the defaults when you create your workspace and configure its permissions later.

+## Multihoming agents

+Multihoming refers to a virtual machine that connects to multiple workspaces. There's typically little reason to multihome agents for Azure Monitor alone. Having an agent send data to multiple workspaces most likely creates duplicate data in each workspace, which increases your overall cost. You can combine data from multiple workspaces by using [cross-workspace queries](../logs/cross-workspace-query.md) and [workbooks](../visualizations/../visualize/workbooks-overview.md).

+One reason you might consider multihoming, though, is if you have an environment with Microsoft Defender for Cloud or Microsoft Sentinel stored in a workspace that's separate from Azure Monitor. A machine being monitored by each service needs to send data to each workspace.

+## Prepare hybrid machines

+A hybrid machine is any machine not running in Azure. It's a virtual machine running in another cloud or hosted provider or a virtual or physical machine running on-premises in your datacenter. Use [Azure Arc-enabled servers](../../azure-arc/servers/overview.md) on hybrid machines so you can manage them similarly to your Azure virtual machines. You can use VM insights in Azure Monitor to use the same process to enable monitoring for Azure Arc-enabled servers as you do for Azure virtual machines. For a complete guide on preparing your hybrid machines for Azure, see [Plan and deploy Azure Arc-enabled servers](../../azure-arc/servers/plan-at-scale-deployment.md). This task includes enabling individual machines and using [Azure Policy](../../governance/policy/overview.md) to enable your entire hybrid environment at scale.

+There's no additional cost for Azure Arc-enabled servers, but there might be some cost for different options that you enable. For details, see [Azure Arc pricing](https://azure.microsoft.com/pricing/details/azure-arc/). There is a cost for the data collected in the workspace after your hybrid machines are onboarded, but this is the same as for an Azure virtual machine.

+### Network requirements

+The Azure Monitor agent for both Linux and Windows communicates outbound to the Azure Monitor service over TCP port 443. The Dependency agent uses the Azure Monitor agent for all communication, so it doesn't require any another ports. For details on how to configure your firewall and proxy, see [Network requirements](../agents/log-analytics-agent.md#network-requirements).

+### Log Analytics gateway

+With the Log Analytics gateway, you can channel communications from your on-premises machines through a single gateway. Azure Arc doesn't use the gateway, but its Connected Machine agent is required to install Azure Monitor agent. For details on how to configure and use the Log Analytics gateway, see [Log Analytics gateway](../agents/gateway.md).

+### Azure Private Link

+By using Azure Private Link, you can create a private endpoint for your Log Analytics workspace. After it's configured, any connections to the workspace must be made through this private endpoint. Private Link works by using DNS overrides, so there's no configuration requirement on individual agents. For details on Private Link, see [Use Azure Private Link to securely connect networks to Azure Monitor](../logs/private-link-security.md). For specific guidance on configuring private link for your virtual machines, see [Enable network isolation for the Azure Monitor agent](../agents/azure-monitor-agent-data-collection-endpoint.md).

+## Agent deployment options

+The Azure Monitor agent is implemented as a [virtual machine extension](../../virtual-machines/extensions/overview.md), so you can install it using a variety of standard methods including PowerShell, CLI, and Resource Manager templates. See [Manage Azure Monitor Agent](../agents/azure-monitor-agent-manage.md) for details on each. Other notable methods for installation are described below.

+### Azure Policy

+If you have a significant number of virtual machines, you should deploy the agent using Azure Policy as described in [Manage Azure Monitor Agent](../agents/azure-monitor-agent-manage.md?tabs=azure-portal#use-azure-policy). This will ensure that the agent is automatically added to existing virtual machines and any new ones that you deploy. See [Enable VM insights by using Azure Policy](vminsights-enable-policy.md) for deploying the agent with VM insights.

+### Data collection rule in the Azure portal

+When you create a data collection rule in the Azure portal as described in [Collect events and performance counters from virtual machines with Azure Monitor Agent](../agents/data-collection-rule-azure-monitor-agent.md), you have the option of specifying virtual machines to receive it. The Azure Monitor agent will be automatically installed on any machines that don't already have it.

+### VM insights

+VM insights provides simplified onboarding of agents in the Azure portal. With a single click for a particular machine, it installs the Azure Monitor agent, connects to a workspace, and starts collecting performance data. You can optionally have it install the dependency agent and collect processes and dependency data to enable the map feature of VM insights.

+You can enable VM insights on individual machines by using the same methods for Azure virtual machines and Azure Arc-enabled servers. These methods include onboarding individual machines with the Azure portal or Azure Resource Manager templates or enabling machines at scale by using Azure Policy. For different options to enable VM insights for your machines, see [Enable VM insights overview](vminsights-enable-overview.md). To create a policy that automatically enables VM insights on any new machines as they're created, see [Enable VM insights by using Azure Policy](vminsights-enable-policy.md).

+### Windows client installer

+Use the [Windows client installer](../agents/azure-monitor-agent-windows-client.md) to install the agent on Windows clients such as Windows 11. For different options deploying the agent on a single machine or as part of a script, see [Manage Azure Monitor Agent](../agents/azure-monitor-agent-manage.md?tabs=azure-portal#install).

+## Next steps

+* [Configure data collection for machines with the Azure Monitor agent](monitor-virtual-machine-data-collection.md).

+This article is part of the guide [Monitor virtual machines and their workloads in Azure Monitor](monitor-virtual-machine.md). [Alerts in Azure Monitor](../alerts/alerts-overview.md) proactively notify you of interesting data and patterns in your monitoring data. There are no preconfigured alert rules for virtual machines, but you can create your own based on data you collect from the Azure Monitor agent. This article presents alerting concepts specific to virtual machines and common alert rules used by other Azure Monitor customers.

+> This scenario describes how to implement complete monitoring of your Azure and hybrid virtual machine environment. To get started monitoring your first Azure virtual machine, see [Monitor Azure virtual machines](../../virtual-machines/monitor-vm.md). To quickly enable a recommended set of alerts, see [Enable recommended alert rules for Azure virtual machine](tutorial-monitor-vm-alert-recommended.md)

+## Data collection

+Alert rules inspect data that's already been collected in Azure Monitor. You need to ensure that data is being collected for a particular scenario before you can create an alert rule. See [Monitor virtual machines with Azure Monitor: Collect data](monitor-virtual-machine-data-collection.md) for guidance on configuring data collection for a variety of scenarios including all of the alert rules in this article.

+## Recommended alert rules

+Azure Monitor provides a set of [recommended alert rules](tutorial-monitor-vm-alert-availability.md) that you can quickly enable for any Azure virtual machine. These are a great starting point for basic monitoring but alone will not provide sufficient alerting for most enterprise implementations for the following reasons:

+- Recommended alerts only apply to Azure virtual machines and not hybrid machines.

+- Recommended alerts only include host metrics and not guest metrics or logs. These are useful to monitor the health of the machine itself but give you minimal visibility into the workloads and applications running on the machine.

+- Recommended alerts are associated with individual machines creating an excessive number of alert rules. Instead of relying on this method for each machine, see [Scaling alert rules](#scaling-alert-rules) for strategies on using a minimal number of alert rules for multiple machines.

+## Alert types

+The most common types of alert rules in Azure Monitor are [metric alerts](../alerts/alerts-metric.md) and [log query alerts](../alerts/alerts-log-query.md).

+The type of alert rule that you create for a particular scenario depends on where the data that you're alerting on is located. You might have cases where data for a particular alerting scenario is available in both Metrics and Logs, and you'll need to determine which rule type to use. You might also have flexibility in how you [collect certain data]() and let your decision of alert rule type drive your decision for data collection method.

+### Metric alerts

+Common uses for metric alerts include:

+- Alert when a particular metric exceeds a threshold. An example is when the CPU of a machine is running high.

+Data sources for metric alerts include:

+- Host metrics for Azure virtual machines, which are collected automatically.

+- Metrics collected by the Azure Monitor agent from the guest operating system

+Common uses for log alerts include:

+- Alert when a particular event or pattern of events from Windows event log or syslog are found. These alert rules will typically measure table rows returned from the query.

+- Alert based on a calculation of numeric data across multiple machines. These alert rules will typically measure the calculation of a numeric column in the query results.

+Data sources for metric alerts include:

+- All data collected in a Log Analytics workspace.

+## Scaling alert rules

+Since you may have many virtual machines that require the same monitoring, you don't want to have to create individual alert rules for each one. You also want to ensure There are different strategies to limit the number of alert rules you need to manage, depending on the type of rule. Each of these strategies depends on understanding the target resource of the alert rule.

+### Metric alert rules

+Virtual machines support multiple resource metric alert rules as described in [Monitor multiple resources](../alerts/alerts-types.md#metric-alerts). This allows you to create a single metric alert rule that applies to all virtual machines in a resource group or subscription within the same region. Start with the [recommended alerts](#recommended-alert-rules) and [create a corresponding rule]() for each using your subscription or a resource group as the target resource. You will need to create duplicate rules for each region if you have machines in multiple regions.

+As you identify requirements for additional metric alert rules, use this same strategy of using a subscription or resource group as the target resource to minimize the number of alert rules you need to manage and ensure that they're automatically applied to any new machines.

+### Log alert rules

+If you set the target resource of a log alert rule to a specific machine, then queries are limited to data associated with that machine giving you individual alerts for it. This would require a separate alert rule for each machine.

+If you set the target resource of a log alert rule to a Log Analytics workspace, you have access to all data in that workspace which allows you to alert on data from all machines in the workgroup with a single rule. This gives you the option of creating a single alert for all machines. You can then use dimensions to create a separate alert for each machine.

+For example, you may want to alert when an error event is created in the Windows event log by any machine. You would first need to create a data collection rule as described in [Collect events and performance counters from virtual machines with Azure Monitor Agent](../agents/data-collection-rule-azure-monitor-agent.md) to send these events to the `Event` table in the Log Analytics workspace. You could then create an alert rule that queries this table using the workspace as the target resource and the condition shown below.

+The query will return a record for any error messages on any machine. Use the **Split by dimensions** option and specify **_ResourceId** to instruct the rule to create an alert for each machine if multiple machines are returned in the results.

+#### Dimensions

+Depending on the information you would like to include in the alert, you might need to split using different dimensions. In this case, make sure the necessary dimensions are projected in the query using the [project](/azure/data-explorer/kusto/query/projectoperator) or [extend](/azure/data-explorer/kusto/query/extendoperator) operator. Set the **Resource ID column** field to **Don't split** and include all the meaningful dimensions in the list. Make sure the **Include all future values** is selected, so any value returned from the query will be included.

+#### Dynamic thresholds

+An additional benefit using log alert rules is the ability to include complex logic in the query for determining the threshold value. This threshold could be hardcoded, applied to all resources, or calculated dynamically based on some field or calculated value. This allows the threshold to be applied to only resources according to specific conditions. For example, you might create an alert based on available memory but only for machines with a particular amount of total memory.

+The following section lists common alert rules for virtual machines in Azure Monitor. Details for metric alerts and log alerts are provided for each. For guidance on which type of alert to use, see [Alert types](#alert-types). If you're unfamiliar with the process for creating alert rules in Azure Monitor, see [instructions to create a new alert rule](../alerts/alerts-create-new-alert-rule.md).

+> [!NOTE]

+> The details for log alerts provided below are using data collected using [VM Insights](vminsights-overview.md) which provides a set of common performance counters for the client operating system. This name is independent of the operating system type.

+One of the most common monitoring requirements for a virtual machine is to create an alert if it stops running. The best method for this is to create a metric alert rule in Azure Monitor using the VM availability metric which is currently in public preview. See [Create availability alert rule for Azure virtual machine](tutorial-monitor-vm-alert-availability.md) for a complete walk-through on this metric.

+As described in [Scaling alert rules](#scaling-alert-rules), create an availability alert rule using a subscription or resource group as the target resource to have the rule apply to multiple virtual machines, including new machines that you create after the alter rule.

+### Agent heartbeat

+The agent heartbeat is slightly different than the machine unavailable alert because it relies on the Azure Monitor agent to send a heartbeat. This can alert you if the machine is running, but the agent is unresponsive.

+#### Metric alert rules

+A metric called *Heartbeat* is included in each Log Analytics workspace. Each virtual machine connected to that workspace sends a heartbeat metric value each minute. Because the computer is a dimension on the metric, you can fire an alert when any computer fails to send a heartbeat. Set the **Aggregation type** to **Count** and the **Threshold** value to match the **Evaluation granularity**.

+#### Log alert rules

+Log query alerts use the [Heartbeat table](/azure/azure-monitor/reference/tables/heartbeat), which should have a heartbeat record every minute from each machine.

+| Host | Percentage CPU (included in recommended alerts) |

+| Host | Available Memory Bytes (preview) (included in recommended alerts) |

+### Network alerts

+| Host | Network In Total, Network Out Total (included in recommended alerts) |

+#### Log query alert rules

+### Windows and Linux events

+The following sample creates an alert when a specific Windows event is created. It uses a metric measurement alert rule to create a separate alert for each computer.

+- **Create an alert rule on a specific Windows event.**

+ This example shows an event in the Application log. Specify a threshold of 0 and consecutive breaches greater than 0.

+ Event

+ | where EventLog == "Application"

+ | where EventID == 123

+ | summarize AggregatedValue = count() by Computer, bin(TimeGenerated, 15m)

+- **Create an alert rule on Syslog events with a particular severity.**

+ The following example shows error authorization events. Specify a threshold of 0 and consecutive breaches greater than 0.

+ ```kusto

+ Syslog

+ | where Facility == "auth"

+ | where SeverityLevel == "err"

+ | summarize AggregatedValue = count() by Computer, bin(TimeGenerated, 15m)

+ ```

+### Custom performance counters

+- **Create an alert on the maximum value of a counter.**

+ ```kusto

+ Perf

+ | where CounterName == "My Counter"

+ | summarize AggregatedValue = max(CounterValue) by Computer

+ ```

+- **Create an alert on the average value of a counter.**

+ ```kusto

+ Perf

+ | where CounterName == "My Counter"

+ | summarize AggregatedValue = avg(CounterValue) by Computer

+ ```

+This article is part of the guide [Monitor virtual machines and their workloads in Azure Monitor](monitor-virtual-machine.md). It describes how to analyze monitoring data for your virtual machines after you've completed their configuration.

+After you've [configured data collection](monitor-virtual-machine-data-collection.md) for your virtual machines, data will be available for analysis. This article describes the different features of Azure Monitor that you can use to analyze the health and performance of your virtual machines. Several of these features provide a different experience depending on whether you're analyzing a single machine or multiple. Each experience is described here with any unique behavior of each feature depending on which experience is being used.

+| Option | Description |

+|:|:|

+| Overview page | Select the **Monitoring** tab to display alerts, [platform metrics](../essentials/data-platform-metrics.md), and other monitoring information for the virtual machine host. You can see the number of active alerts on the tab. In the **Monitoring** tab, you get a quick view of:<br><br>**Alerts:** the alerts fired in the last 24 hours, with some important statistics about those alerts. If you do not have any alerts set up for this VM, there is a link to help you quickly create new alerts for your VM.<br><br>**Key metrics:** the trend over different time periods for important metrics, such as CPU, network, and disk. Because these are host metrics though, counters from the guest operating system such as memory aren't included. Select a graph to work with this data in [metrics explorer](../essentials/metrics-getting-started.md) where you can perform different aggregations, and add more counters for analysis. |

+| Activity log | See [activity log](../essentials/activity-log.md#view-the-activity-log) entries filtered for the current virtual machine. Use this log to view the recent activity of the machine, such as any configuration changes and when it was stopped and started.

+| Insights | Displays VM insights views if If the VM is enabled for [VM insights](../vm/vminsights-overview.md).<br><br>Select the **Performance** tab to view trends of critical performance counters over different periods of time. When you open VM insights from the virtual machine menu, you also have a table with detailed metrics for each disk. For details on how to use the Map view for a single machine, see [Chart performance with VM insights](vminsights-performance.md#view-performance-directly-from-an-azure-vm).<br><br>If *processes and dependencies* is enabled for the VM, select the **Map** tab to view the running processes on the machine, dependencies on other machines, and external processes. For details on how to use the Map view for a single machine, see [Use the Map feature of VM insights to understand application components](vminsights-maps.md#view-a-map-from-a-vm).<br><br>If the VM is not enabled for VM insights, it offers the option to enable VM insights. |

+| Alerts | View [alerts](../alerts/alerts-overview.md) for the current virtual machine. These alerts only use the machine as the target resource, so there might be other alerts associated with it. You might need to use the **Alerts** option in the Azure Monitor menu to view alerts for all resources. For details, see [Monitor virtual machines with Azure Monitor - Alerts](monitor-virtual-machine-alerts.md). |

+| Metrics | Open metrics explorer with the scope set to the machine. This option is the same as selecting one of the performance charts from the **Overview** page except that the metric isn't already added. |

+| Diagnostic settings | Enable and configure the [diagnostics extension](../agents/diagnostics-extension-overview.md) for the current virtual machine. This option is different than the **Diagnostic settings** option for other Azure resources. This is a [legacy agent](monitor-virtual-machine-agent.md#legacy-agents) that has been replaced by the [Azure Monitor agent](monitor-virtual-machine-agent.md). |

+| Advisor recommendations | See recommendations for the current virtual machine from [Azure Advisor](../../advisor/index.yml). |

+| Logs | Open [Log Analytics](../logs/log-analytics-overview.md) with the [scope](../logs/scope.md) set to the current virtual machine. You can select from a variety of existing queries to drill into log and performance data for only this machine. |

+| Connection monitor | Open [Network Watcher Connection Monitor](../../network-watcher/connection-monitor-overview.md) to monitor connections between the current virtual machine and other virtual machines. |

+| Workbooks | Open the workbook gallery with the VM insights workbooks for single machines. For a list of the VM insights workbooks designed for individual machines, see [VM insights workbooks](vminsights-workbooks.md#vm-insights-workbooks). |

+Access the multiple machine analysis experience from the **Monitor** menu in the Azure portal for each Azure virtual machine and Azure Arc-enabled server. This will include only VMs that are enabled for VM insights. These options provide access to all data so that you can select the virtual machines that you're interested in comparing.

+| Option | Description |

+|:|:|

+| Activity log | See [activity log](../essentials/activity-log.md#view-the-activity-log) entries filtered for all resources. Create a filter for a **Resource Type** of virtual machines or Virtual Machine Scale Sets to view events for all your machines. |

+| Alerts | View [alerts](../alerts/alerts-overview.md) for all resources. This includes alerts related to all virtual machines in the workspace. Create a filter for a **Resource Type** of virtual machines or Virtual Machine Scale Sets to view alerts for all your machines. |

+| Metrics | Open [metrics explorer](../essentials/metrics-getting-started.md) with no scope selected. This feature is particularly useful when you want to compare trends across multiple machines. Select a subscription or a resource group to quickly add a group of machines to analyze together. |

+| Logs | Open [Log Analytics](../logs/log-analytics-overview.md) with the [scope](../logs/scope.md) set to the workspace. You can select from a variety of existing queries to drill into log and performance data for all machines. Or you can create a custom query to perform additional analysis. |

+| Workbooks | Open the workbook gallery with the VM insights workbooks for multiple machines. For a list of the VM insights workbooks designed for multiple machines, see [VM insights workbooks](vminsights-workbooks.md#vm-insights-workbooks). |

+## VM insights experience

+## Compare Metrics and Logs

+For many features of Azure Monitor, you don't need to understand the different types of data it uses and where it's stored. You can use VM insights, for example, without any understanding of what data is being used to populate the Performance view, Map view, and workbooks. You just focus on the logic that you're analyzing. As you dig deeper, you'll need to understand the difference between [Azure Monitor Metrics](../essentials/data-platform-metrics.md) and [Azure Monitor Logs](../logs/data-platform-logs.md). Different features of Azure Monitor use different kinds of data. The type of alerting that you use for a particular scenario depends on having that data available in a particular location.

+This level of detail can be confusing if you're new to Azure Monitor. The following information helps you understand the differences between the types of data:

+- Any non-numeric data, such as events, is stored in Logs. Metrics can only include numeric data that's sampled at regular intervals.

+- Numeric data can be stored in both Metrics and Logs so that it can be analyzed in different ways and support different types of alerts.

+- Performance data from the guest operating system is sent to either Metrics or Logs or both by the Azure Monitor agent.

+- Performance data from the guest operating system is sent to Logs by VM insights.

+The following namespaces are used by virtual machines.

+| Virtual Machine Guest | Guest operating system and application performance data on Windows machines. | Azure Monitor agent installed with a [Data Collection Rule](monitor-virtual-machine-data-collection.md#collect-performance-counters). |

+| azure.vm.linux.guestmetrics | Guest operating system and application performance data on Linux machines. | Azure Monitor agent installed with a [Data Collection Rule](monitor-virtual-machine-data-collection.md#collect-performance-counters). |

+Use Log Analytics to perform custom analysis of your log data and when you want to dig deeper into the data used to create the views in workbooks and VM insights. You might want to analyze different logic and aggregations of that data or correlate security data collected by Microsoft Defender for Cloud and Microsoft Sentinel with your [health and availability data](monitor-virtual-machine-data-collection.md).

+When you start Log Analytics from the **Logs** menu for a machine, its [scope](../logs/scope.md) is set to that computer. Any queries will only return records associated with that computer. For a simple query that returns all records in a table, double-click a table in the left pane. Work with these results or modify the query for more complex analysis. To set the scope to all records in a workspace, change the scope or select **Logs** from the **Monitor** menu.

+| AMA Migration Helper | Helps you discover what to migrate and track progress as you move from Log Analytics Agent to Azure Monitor Agent. This workbook isn't available from VM insights like the other workbooks. On the Azure Monitor menu, go to **Workbooks** and select **Public Templates**. See [Tools for migrating from Log Analytics Agent to Azure Monitor Agent](../agents/azure-monitor-agent-migration-tools.md#using-ama-migration-helper) |

+## VM availability information in Azure Resource Graph

+[Azure Resource Graph](../../governance/resource-graph/overview.md) is an Azure service that allows you to use the same KQL query language used in log queries to query your Azure resources at scale with complex filtering, grouping, and sorting by resource properties. You can use [VM health annotations](../../service-health/resource-health-vm-annotation.md) to Azure Resource Graph (ARG) for detailed failure attribution and downtime analysis including the following:

+- Query the latest snapshot of VM availability together across all your Azure subscriptions.

+- Assess the impact to business SLAs and trigger decisive mitigation actions, in response to disruptions and type of failure signature.

+- Set up custom dashboards to supervise the comprehensive health of applications by [joining](../../governance/resource-graph/concepts/work-with-data.md) VM availability information with additional [resource metadata](../../governance/resource-graph/samples/samples-by-table.md?tabs=azure-cli) in Resource Graph.

+- Track relevant changes in VM availability across a rolling 14 days window, by using the [change tracking](../../governance/resource-graph/how-to/get-resource-changes.md) mechanism for conducting detailed investigations.

+To get started with Resource Graph, open **Resource Graph Explorer** in the Azure portal. Select the **Table** tab and have a look at the [microsoft.resourcehealth/availabilitystatuses](#microsoftresourcehealthavailabilitystatuses) and [microsoft.resourcehealth/resourceannotations](#microsoftresourcehealthresourceannotations) tables which are described below. Click on **healthresources** to create a simple query and then click **Run** to return the records.

+To view the details for a record, scroll to the right and select **See details**.

+There will be two types of events populated in the HealthResources table:

+### microsoft.resourcehealth/availabilitystatuses

+This event denotes the latest availability status of a VM, based on the [health checks](../../service-health/resource-health-checks-resource-types.md#microsoftcomputevirtualmachines) performed by the underlying Azure platform. The [availability states](../../service-health/resource-health-overview.md#health-status) currently emitted for VMs are as follows:

+- **Available**: The VM is up and running as expected.

+- **Unavailable**: A disruption to the normal functioning of the VM has been detected.

+- **Unknown**: The platform is unable to accurately detect the health of the VM. Check back in a few minutes.

+The availability state is in the `properties` field of the record which includes the following properties:

+| Field | Description |

+|:|:|

+| targetResourceType | Type of resource for which health data is flowing |

+| targetResourceId | Resource ID |

+| occurredTime | Timestamp when the latest availability state is emitted by the platform |

+| previousAvailabilityState | Previous availability state of the VM |

+| availabilityState | Current availability state of the VM |

+A sample `properties` value looks similar to the following:

+```json

+{

+ "targetResourceType": "Microsoft.Compute/virtualMachines",

+ "previousAvailabilityState": "Available",

+"targetResourceId": "/subscriptions/<subscriptionId>/resourceGroups/<ResourceGroupName>/providers/Microsoft.Compute/virtualMachines/<VMName>",

+ "occurredTime": "2022-10-11T11:13:59.9570000Z",

+ "availabilityState": "Unavailable"

+}

+```

+### microsoft.resourcehealth/resourceannotations

+This event contextualizes any changes to VM availability, by detailing necessary failure attributes to help you investigate and mitigate the disruption as needed. The full list of VM health annotations are listed at [Resource Health virtual machine Health Annotations] (../../service-health/resource-health-vm-annotation.md).

+These annotations can be broadly classified into the following:

+- **Downtime Annotations**: Emitted when the platform detects VM availability transitioning to Unavailable. Examples include host crashes or reboot operations.

+- **Informational Annotations**: Emitted during control plane activities with no impact to VM availability. Examples include VM allocation, stop, delete, start. Usually, no additional customer action is required in response.

+- **Degraded Annotations**: Emitted when VM availability is detected to be at risk. Examples include when failure prediction models predict a degraded hardware component that can cause the VM to reboot at any given time. You should redeploy by the deadline specified in the annotation message to avoid any unanticipated loss of data or downtime.

+| Field | Description |

+|:|:|

+| targetResourceType | Type of resource for which health data is flowing |

+| targetResourceId | Resource ID |

+| occurredTime | Timestamp when the latest availability state is emitted by the platform |

+| annotationName | Name of the Annotation emitted |

+| reason | Brief overview of the availability impact observed by the customer |

+| category | Denotes whether the platform activity triggering the annotation was either planned maintenance or unplanned repair. This field is not applicable to customer/VM-initiated events.<br><br>Possible values: Planned \| Unplanned \| Not Applicable \| Null |

+| context | Denotes whether the activity triggering the annotation was due to an authorized user or process (customer initiated), or due to the Azure platform (platform initiated) or even activity in the guest OS that has resulted in availability impact (VM initiated).<br><br>Possible values: Platform-Initiated \| User-initiated \|VM-initiated \| Not Applicable \| Null |

+| summary | Statement detailing the cause for annotation emission, along with remediation steps that can be taken by users |

+See [Azure Resource Graph sample queries by table](../../governance/resource-graph/samples/samples-by-table.md?tabs=azure-cli#healthresources) for sample queries using this data.

+ Title: 'Monitor virtual machines with Azure Monitor: Collect data'

+description: Learn how to configure data collection for virtual machines for monitoring in Azure Monitor. Monitor virtual machines and their workloads with an Azure Monitor guide.

+# Monitor virtual machines with Azure Monitor: Collect data

+This article is part of the guide [Monitor virtual machines and their workloads in Azure Monitor](monitor-virtual-machine.md). It describes how to configure collection of data once you've deployed the Azure Monitor agent to your Azure and hybrid virtual machines in Azure Monitor.

+This article provides guidance on collecting the most common types of telemetry from virtual machines. The exact configuration that you choose will depend on the workloads that you run on your machines. Included in each section are sample log query alerts that you can use with that data.

+- See [Monitor virtual machines with Azure Monitor: Analyze monitoring data](monitor-virtual-machine-analyze.md) for more information about analyzing telemetry collected from your virtual machines.

+- See [Monitor virtual machines with Azure Monitor: Alerts](monitor-virtual-machine-alerts.md) for more information about using telemetry collected from your virtual machines to create alerts in Azure Monitor.

+> [!NOTE]

+> This scenario describes how to implement complete monitoring of your Azure and hybrid virtual machine environment. To get started monitoring your first Azure virtual machine, see [Monitor Azure virtual machines](../../virtual-machines/monitor-vm.md).

+## Data collection rules

+Data collection from the Azure Monitor agent is defined by one or more [data collection rules (DCR)](../essentials/data-collection-rule-overview.md) stored in your Azure subscription and are associated with your virtual machines.

+For virtual machines, DCRs will define data such as events and performance counters to collect and specify the Log Analytics workspaces that data should be sent to. The DCR can also use [transformations](../essentials/data-collection-transformations.md) to filter out unwanted data and to add calculated columns. A single machine can be associated with multiple DCRs, and a single DCR can be associated with multiple machines. DCRs are delivered to any machines they're associated with where they're processed by the Azure Monitor agent.

+### View data collection rules

+You can view the DCRs in your Azure subscription from **Data Collection Rules** in the **Monitor** menu in the Azure portal. DCRs support other data collection scenarios in Azure Monitor, so all of your DCRs won't necessarily be for virtual machines.

+### Create data collection rules

+There are multiple methods to create data collection rules depending on the data collection scenario. In some cases, the Azure portal will walk you through the configuration while other scenarios will require you to edit the DCR directly. When you configure VM insights, it will create a preconfigured DCR for you automatically. The sections below identify common data to collect and how to configure data collection.

+In some cases, you may need to [edit an existing DCR](../essentials/data-collection-rule-edit.md) to add functionality. For example, you may use the Azure portal to create a DCR that collects Windows or Syslog events. You then want to add a transformation to that DCR to filter out columns in the events that you don't want to collect.

+As your environment matures and grows in complexity, you should implement a strategy for organizing your DCRs to assist in their management. See [Best practices for data collection rule creation and management in Azure Monitor](../essentials/data-collection-rule-best-practices.md) for guidance on different strategies.

+## Controlling costs

+Since your Azure Monitor cost is dependent on how much data you collect, you should ensure that you're not collecting any more than you need to meet your monitoring requirements. Your configuration will be a balance between your budget and how much insight you want into the operation of your virtual machines.

+A typical virtual machine will generate between 1GB and 3GB of data per month, but this data size is highly dependent on the configuration of the machine itself, the workloads running on it, and the configuration of your data collection rules. Before you configure data collection across your entire virtual machine environment, you should begin collection on some representative machines to better predict your expected costs when deployed across your environment. Use log queries in [Data volume by computer](../logs/analyze-usage.md#data-volume-by-computer) to determine the amount of billable data collected for each machine and adjust accordingly.

+Each data source that you collect may have a different method for filtering out unwanted data. You can also use [transformations](../essentials/data-collection-transformations.md) to implement more granular filtering and also to filter data from columns that provide little value. For example, you might have a Windows event that's valuable for alerting, but it includes columns with redundant or excessive data. You can create a transformation that allows the event to be collected but removes this excessive data.

+## Default data collection

+Azure Monitor will automatically perform the following data collection without requiring any additional configuration.

+### Platform metrics

+Platform metrics for Azure virtual machines include important host metrics such as CPU, network, and disk utilization. They can be viewed on the [Overview page](monitor-virtual-machine-analyze.md#single-machine-experience), analyzed with [metrics explorer](../essentials/tutorial-metrics.md) for the machine in the Azure portal and used for [metric alerts](tutorial-monitor-vm-alert-recommended.md).

+### Activity log

+The [Activity log](../essentials/activity-log.md) is collected automatically and includes the recent activity of the machine, such as any configuration changes and when it was stopped and started. You can view the platform metrics and Activity log collected for each virtual machine host in the Azure portal.

+You can [view the Activity log](../essentials/activity-log.md#view-the-activity-log) for an individual machine or for all resources in a subscription. You should [create a diagnostic setting](../essentials/diagnostic-settings.md) to send this data into the same Log Analytics workspace used by your Azure Monitor agent to analyze it with the other monitoring data collected for the virtual machine. There's no cost for ingestion or retention of Activity log data.

+### VM availability information in Azure Resource Graph

+[Azure Resource Graph](../../governance/resource-graph/overview.md) is an Azure service that allows you to use the same KQL query language used in log queries to query your Azure resources at scale with complex filtering, grouping, and sorting by resource properties. You can use [VM health annotations](../../service-health/resource-health-vm-annotation.md) to Azure Resource Graph (ARG) for detailed failure attribution and downtime analysis.

+See [Monitor virtual machines with Azure Monitor: Analyze monitoring data](monitor-virtual-machine-analyze.md) for details on what data is collected and how to view it.

+### VM insights

+When you enable VM insights, then it will create a data collection rule, with the **_MSVMI-_** prefix that collects the following information. You can use this same DCR with other machines as opposed to creating a new one for each VM.

+- Common performance counters for the client operating system are sent to the [InsightsMetrics](/azure/azure-monitor/reference/tables/insightsmetrics) table in the Log Analytics workspace. Counter names will be normalized to use the same common name regardless of the operating system type.

+- If you specified processes and dependencies to be collected, then the following tables are populated:

+

+ - [VMBoundPort](/azure/azure-monitor/reference/tables/vmboundport) - Traffic for open server ports on the machine

+ - [VMComputer](/azure/azure-monitor/reference/tables/vmcomputer) - Inventory data for the machine

+ - [VMConnection](/azure/azure-monitor/reference/tables/vmconnection) - Traffic for inbound and outbound connections to and from the machine

+ - [VMProcess](/azure/azure-monitor/reference/tables/vmprocess) - Processes running on the machine

+By default, [VM insights](../vm/vminsights-overview.md) will not enable collection of processes and dependencies to save data ingestion costs. This data is required for the map feature and will also deploy the dependency agent to the machine. [Enable this collection](vminsights-enable-portal.md#enable-vm-insights-for-azure-monitor-agent) if you want to use this feature.

+## Collect Windows and Syslog events

+The operating system and applications in virtual machines will often write to the Windows Event Log or Syslog. You may create an alert as soon as a single event is found or wait for a series of matching events within a particular time window. You may also collect events for later analysis such as identifying particular trends over time, or for performing troubleshooting after a problem occurs.

+See [Collect events and performance counters from virtual machines with Azure Monitor Agent](../agents/data-collection-rule-azure-monitor-agent.md) for guidance on creating a DCR to collect Windows and Syslog events. This will allow you to quickly create a DCR using the most common Windows event logs and Syslog facilities filtering by event level. For more granular filtering by criteria such as event ID, you can create a custom filter using [XPath queries](../agents/data-collection-rule-azure-monitor-agent.md#filter-events-using-xpath-queries). You can further filter the collected data by [editing the DCR](../essentials/data-collection-rule-edit.md) to add a [transformation](../essentials/data-collection-transformations.md).

+Use the following guidance as a recommended starting point for event collection. Modify the DCR settings to filter unneeded events and add additional events depending on your requirements.

+| Source | Strategy |

+|:|:|

+| Windows events | Collect at least **Critical**, **Error**, and **Warning** events for the **System** and **Application** logs to support alerting. Add **Information** events to analyze trends and support troubleshooting. **Verbose** events will rarely be useful and typically shouldn't be collected. |

+| Syslog events | Collect at least **LOG_WARNING** events for each facility to support alerting. Add **Information** events to analyze trends and support troubleshooting. **LOG_DEBUG** events will rarely be useful and typically shouldn't be collected. |

+### Sample log queries - Windows events

+| Query | Description |

+|:|:|

+| `Event` | All Windows events. |

+| `Event | where EventLevelName == "Error"` |All Windows events with severity of error. |

+| `Event | summarize count() by Source` |Count of Windows events by source. |

+| `Event | where EventLevelName == "Error" | summarize count() by Source` |Count of Windows error events by source. |

+### Sample log queries - Syslog events

+| Query | Description |

+|: |: |

+| `Syslog` |All Syslogs |

+| `Syslog | where SeverityLevel == "error"` |All Syslog records with severity of error |

+| `Syslog | summarize AggregatedValue = count() by Computer` |Count of Syslog records by computer |

+| `Syslog | summarize AggregatedValue = count() by Facility` |Count of Syslog records by facility |

+## Collect performance counters

+Performance data from the client can be sent to either [Azure Monitor Metrics](../essentials/data-platform-metrics.md) or [Azure Monitor Logs](../logs/data-platform-logs.md), and you'll typically send them to both destinations. If you enabled VM insights, then a common set of performance counters is collected in Logs to support its performance charts. You can't modify this set of counters, but you can create additional DCRs to collect additional counters and send them to different destinations.

+There are multiple reasons why you would want to create a DCR to collect guest performance:

+- You aren't using VM insights, so client performance data isn't already being collected.

+- Collect additional performance counters that aren't being collected by VM insights.

+- Collect performance counters from other workloads running on your client.

+- Send performance data to [Azure Monitor Metrics](../essentials/data-platform-metrics.md) where you can use them with metrics explorer and metrics alerts.

+See [Collect events and performance counters from virtual machines with Azure Monitor Agent](../agents/data-collection-rule-azure-monitor-agent.md) for guidance on creating a DCR to collect performance counters. This will allow you to quickly create a DCR using the most common counters. For more granular filtering by criteria such as event ID, you can create a custom filter using [XPath queries](../agents/data-collection-rule-azure-monitor-agent.md#filter-events-using-xpath-queries).

+> [!NOTE]

+> You may choose to combine performance and event collection in the same data collection rule.

+ Destination | Description |

+|:|:|

+| Metrics | Host metrics are automatically sent to Azure Monitor Metrics, and you can use a DCR to collect client metrics so they can be analyzed together with [metrics explorer](../essentials/metrics-getting-started.md) or used with [metrics alerts](../alerts/alerts-create-new-alert-rule.md?tabs=metric). This data is stored for 93 days. |

+| Logs | Performance data stored in Azure Monitor Logs can be stored for extended periods and can be analyzed along with your event data using [log queries](../logs/log-query-overview.md) with [Log Analytics](../logs/log-analytics-overview.md) or [log query alerts](../alerts/alerts-create-new-alert-rule.md?tabs=log). You can also corelate data using complex logic across multiple machines, regions, and subscriptions.<br><br>Performance data is sent to the following tables:<br>VM insights - [InsightsMetrics](/azure/azure-monitor/reference/tables/insightsmetrics)<br>Other performance data - [Perf](/azure/azure-monitor/reference/tables/perf) |

+### Sample log queries

+The following samples use the `Perf` table with custom performance data. For details on performance data collected by VM insights, see [How to query logs from VM insights](../vm/vminsights-log-query.md#performance-records).

+| Query | Description |

+|: |:|

+| `Perf` | All Performance data |

+| `Perf | where Computer == "MyComputer"` |All Performance data from a particular computer |

+| `Perf | where CounterName == "Current Disk Queue Length"` |All Performance data for a particular counter |

+| `Perf | where ObjectName == "Processor" and CounterName == "% Processor Time" and InstanceName == "_Total" | summarize AVGCPU = avg(CounterValue) by Computer` |Average CPU Utilization across all computers |

+| `Perf | where CounterName == "% Processor Time" | summarize AggregatedValue = max(CounterValue) by Computer` |Maximum CPU Utilization across all computers |

+| `Perf | where ObjectName == "LogicalDisk" and CounterName == "Current Disk Queue Length" and Computer == "MyComputerName" | summarize AggregatedValue = avg(CounterValue) by InstanceName` |Average Current Disk Queue length across all the instances of a given computer |

+| `Perf | where CounterName == "Disk Transfers/sec" | summarize AggregatedValue = percentile(CounterValue, 95) by Computer` |95th Percentile of Disk Transfers/Sec across all computers |

+| `Perf | where CounterName == "% Processor Time" and InstanceName == "_Total" | summarize AggregatedValue = avg(CounterValue) by bin(TimeGenerated, 1h), Computer` |Hourly average of CPU usage across all computers |

+| `Perf | where Computer == "MyComputer" and CounterName startswith_cs "%" and InstanceName == "_Total" | summarize AggregatedValue = percentile(CounterValue, 70) by bin(TimeGenerated, 1h), CounterName` | Hourly 70 percentile of every % percent counter for a particular computer |

+| `Perf | where CounterName == "% Processor Time" and InstanceName == "_Total" and Computer == "MyComputer" | summarize ["min(CounterValue)"] = min(CounterValue), ["avg(CounterValue)"] = avg(CounterValue), ["percentile75(CounterValue)"] = percentile(CounterValue, 75), ["max(CounterValue)"] = max(CounterValue) by bin(TimeGenerated, 1h), Computer` |Hourly average, minimum, maximum, and 75-percentile CPU usage for a specific computer |

+| | |

+| `Perf | where ObjectName == "MSSQL$INST2:Databases" and InstanceName == "master"` | All Performance data from the Database performance object for the master database from the named SQL Server instance INST2. |

+## Collect text logs

+Some applications write events written to a text log stored on the virtual machine. Create a [custom table and DCR](../agents/data-collection-text-log.md) to collect this data. You define the location of the text log, its detailed configuration, and the schema of the custom table. There's a cost for the ingestion and retention of this data in the workspace.

+### Sample log queries

+The column names used here are for example only. The column names for your log will most likely be different.

+| Query | Description |

+|: |: |

+| `MyApp_CL | summarize count() by code` | Count the number of events by code. |

+| `MyApp_CL | where status == "Error" | summarize AggregatedValue = count() by Computer, bin(TimeGenerated, 15m)` | Create an alert rule on any error event. |

+

+## Collect IIS logs

+IIS running on Windows machines writes logs to a text file. Configure IIS log collection using [Collect IIS logs with Azure Monitor Agent](../agents/data-collection-iis.md). There's a cost for the ingestion and retention of this data in the workspace. Records from the IIS log are stored in the [W3CIISLog](/azure/azure-monitor/reference/tables/w3ciislog) table in the Log Analytics workspace. There's a cost for the ingestion and retention of this data in the workspace.

+### Sample log queries

+| Query | Description |

+|: |: |

+| `W3CIISLog | where csHost=="www.contoso.com" | summarize count() by csUriStem` | Count the IIS log entries by URL for the host www.contoso.com. |

+| `W3CIISLog | summarize sum(csBytes) by Computer` | Review the total bytes received by each IIS machine. |

+## Monitor a service or daemon

+To monitor the status of a Windows service or Linux daemon, enable the [Change Tracking and Inventory](../../automation/change-tracking/overview.md) solution in [Azure Automation](../../automation/automation-intro.md).

+Azure Monitor has no ability on its own to monitor the status of a service or daemon. There are some possible methods to use, such as looking for events in the Windows event log, but this method is unreliable. You can also look for the process associated with the service running on the machine from the [VMProcess](/azure/azure-monitor/reference/tables/vmprocess) table populated by VM insights. This table only updates every hour, which isn't typically sufficient if you want to use this data for alerting.

+> [!NOTE]

+> The Change Tracking and Analysis solution is different from the [Change Analysis](vminsights-change-analysis.md) feature in VM insights. This feature is in public preview and not yet included in this scenario.

+For different options to enable the Change Tracking solution on your virtual machines, see [Enable Change Tracking and Inventory](../../automation/change-tracking/overview.md#enable-change-tracking-and-inventory). This solution includes methods to configure virtual machines at scale. You'll have to [create an Azure Automation account](../../automation/quickstarts/create-azure-automation-account-portal.md) to support the solution.

+When you enable Change Tracking and Inventory, two new tables are created in your Log Analytics workspace. Use these tables for logs queries and log query alert rules.

+| Table | Description |

+|:|:|

+| [ConfigurationChange](/azure/azure-monitor/reference/tables/configurationdata) | Changes to in-guest configuration data |

+| [ConfigurationData](/azure/azure-monitor/reference/tables/configurationdata) | Last reported state for in-guest configuration data |

+### Sample log queries

+- **List all services and daemons that have recently started.**

+

+ ```kusto

+ ConfigurationChange

+ | where ConfigChangeType == "Daemons" or ConfigChangeType == "WindowsServices"

+ | where SvcState == "Running"

+ | sort by Computer, SvcName

+ ```

+- **Alert when a specific service stops.**

+Use this query in a log alert rule.

+

+ ```kusto

+ ConfigurationData

+ | where SvcName == "W3SVC"

+ | where SvcState == "Stopped"

+ | where ConfigDataType == "WindowsServices"

+ | where SvcStartupType == "Auto"

+ | summarize AggregatedValue = count() by Computer, SvcName, SvcDisplayName, SvcState, bin(TimeGenerated, 15m)

+ ```

+- **Alert when one of a set of services stops.**

+Use this query in a log alert rule.

+ ```kusto

+ let services = dynamic(["omskd","cshost","schedule","wuauserv","heathservice","efs","wsusservice","SrmSvc","CertSvc","wmsvc","vpxd","winmgmt","netman","smsexec","w3svc","sms_site_vss_writer","ccmexe","spooler","eventsystem","netlogon","kdc","ntds","lsmserv","gpsvc","dns","dfsr","dfs","dhcp","DNSCache","dmserver","messenger","w32time","plugplay","rpcss","lanmanserver","lmhosts","eventlog","lanmanworkstation","wnirm","mpssvc","dhcpserver","VSS","ClusSvc","MSExchangeTransport","MSExchangeIS"]);

+ ConfigurationData

+ | where ConfigDataType == "WindowsServices"

+ | where SvcStartupType == "Auto"

+ | where SvcName in (services)

+ | where SvcState == "Stopped"

+ | project TimeGenerated, Computer, SvcName, SvcDisplayName, SvcState

+ | summarize AggregatedValue = count() by Computer, SvcName, SvcDisplayName, SvcState, bin(TimeGenerated, 15m)

+ ```

+## Monitor a port

+Port monitoring verifies that a machine is listening on a particular port. Two potential strategies for port monitoring are described here.

+### Dependency agent tables

+If you're using VM insights with Processes and dependencies collection enabled, you can use [VMConnection](/azure/azure-monitor/reference/tables/vmconnection) and [VMBoundPort](/azure/azure-monitor/reference/tables/vmboundport) to analyze connections and ports on the machine. The VMBoundPort table is updated every minute with each process running on the computer and the port it's listening on. You can create a log query alert similar to the missing heartbeat alert to find processes that have stopped or to alert when the machine isn't listening on a particular port.

+- **Review the count of ports open on your VMs, which is useful for assessing which VMs have configuration and security vulnerabilities.**

+ ```kusto

+ VMBoundPort

+ | where Ip != "127.0.0.1"

+ | summarize by Computer, Machine, Port, Protocol

+ | summarize OpenPorts=count() by Computer, Machine

+ | order by OpenPorts desc

+ ```

+- **List the bound ports on your VMs, which is useful for assessing which VMs have configuration and security vulnerabilities.**

+ ```kusto

+ VMBoundPort

+ | distinct Computer, Port, ProcessName

+ ```

+- **Analyze network activity by port to determine how your application or service is configured.**

+ ```kusto

+ VMBoundPort

+ | where Ip != "127.0.0.1"

+ | summarize BytesSent=sum(BytesSent), BytesReceived=sum(BytesReceived), LinksEstablished=sum(LinksEstablished), LinksTerminated=sum(LinksTerminated), arg_max(TimeGenerated, LinksLive) by Machine, Computer, ProcessName, Ip, Port, IsWildcardBind

+ | project-away TimeGenerated

+ | order by Machine, Computer, Port, Ip, ProcessName

+ ```

+- **Review bytes sent and received trends for your VMs.**

+ ```kusto

+ VMConnection

+ | summarize sum(BytesSent), sum(BytesReceived) by bin(TimeGenerated,1hr), Computer

+ | order by Computer desc

+ | render timechart

+ ```

+- **Use connection failures over time to determine if the failure rate is stable or changing.**

+ ```kusto

+ VMConnection

+ | where Computer == <replace this with a computer name, e.g. 'acme-demo'>

+ | extend bythehour = datetime_part("hour", TimeGenerated)

+ | project bythehour, LinksFailed

+ | summarize failCount = count() by bythehour

+ | sort by bythehour asc

+ | render timechart

+ ```

+- **Link status trends to analyze the behavior and connection status of a machine.**

+ ```kusto

+ VMConnection

+ | where Computer == <replace this with a computer name, e.g. 'acme-demo'>

+ | summarize dcount(LinksEstablished), dcount(LinksLive), dcount(LinksFailed), dcount(LinksTerminated) by bin(TimeGenerated, 1h)

+ | render timechart

+ ```

+### Connection Manager

+The [Connection Monitor](../../network-watcher/connection-monitor-overview.md) feature of [Network Watcher](../../network-watcher/network-watcher-monitoring-overview.md) is used to test connections to a port on a virtual machine. A test verifies that the machine is listening on the port and that it's accessible on the network.

+Connection Manager requires the Network Watcher extension on the client machine initiating the test. It doesn't need to be installed on the machine being tested. For details, see [Tutorial - Monitor network communication using the Azure portal](../../network-watcher/connection-monitor.md).

+There's an extra cost for Connection Manager. For details, see [Network Watcher pricing](https://azure.microsoft.com/pricing/details/network-watcher/).

+## Run a process on a local machine

+Monitoring of some workloads requires a local process. An example is a PowerShell script that runs on the local machine to connect to an application and collect or process data. You can use [Hybrid Runbook Worker](../../automation/automation-hybrid-runbook-worker.md), which is part of [Azure Automation](../../automation/automation-intro.md), to run a local PowerShell script. There's no direct charge for Hybrid Runbook Worker, but there is a cost for each runbook that it uses.

+The runbook can access any resources on the local machine to gather required data. It can't send data directly to Azure Monitor or create an alert. To create an alert, have the runbook write an entry to a custom log and then configure that log to be collected by Azure Monitor. Create a log query alert rule that fires on that log entry.

+## Next steps

+* [Analyze monitoring data collected for virtual machines](monitor-virtual-machine-analyze.md)

+* [Create alerts from collected data](monitor-virtual-machine-alerts.md)

+ Title: 'Monitor virtual machines with Azure Monitor: Migrate management pack logic'

+description: Includes a general approach that existing customers of System Center Operations Manager (SCOM) might take to translate critical logic in their management packs to Azure Monitor.

+# Monitor virtual machines with Azure Monitor: Migrate management pack logic

+This article is part of the guide [Monitor virtual machines and their workloads in Azure Monitor](monitor-virtual-machine.md). It discusses a general approach that existing customers of System Center Operations Manager (SCOM) might take to translate critical logic in their management packs to Azure Monitor.

+> [!NOTE]

+> [Azure Monitor SCOM Managed Instance (preview)](scom-managed-instance-overview.md) is now in public preview. This allows you to move your existing SCOM environment into the Azure portal with Azure Monitor while continuing to use the same management packs. The rest of the recommendations in this article still apply as you migrate your monitoring logic into Azure Monitor.

+## Translating logic

+You may currently use SCOM to monitor your virtual machines and their workloads and are starting to consider which monitoring you can move to Azure Monitor. As described in [Azure Monitor for existing Operations Manager customer](../azure-monitor-operations-manager.md), you may continue using SCOM for some period of time until you no longer require the extensive monitoring that SCOM provides. See [Cloud monitoring guide: Monitoring platforms overview](/azure/cloud-adoption-framework/manage/monitor/platform-overview) for a complete comparison of Azure Monitor and SCOM.

+There are no migration tools to convert SCOM management packs to Azure Monitor because the platforms are fundamentally different. Your migration instead constitutes a standard Azure Monitor implementation while you continue to use SCOM. As you customize Azure Monitor to meet your requirements for different applications and components and as it gains more features, then you can start to retire different management packs and agents in Operations Manager.

+Management packs in SCOM contain rules and monitors that combine collection of data and the resulting alert into a single end-to-end workflow. Data that's already been collected by SCOM is rarely used for alerting. Azure Monitor separates data collection and alerts into separate processes. Alert rules access data from Azure Monitor Logs and Azure Monitor Metrics that has already been collected from agents. Also, rules and monitors are typically narrowly focused on very specific data such as a particular event or performance counter. Data collection rules in Azure Monitor are typically more broad collecting multiple sets of events and performance counters in a single DCR.

+- Data that you need to collect to support alerting, analysis, and visualization. See [Monitor virtual machines with Azure Monitor: Data collection](monitor-virtual-machine-data-collection.md)

+- Alerts rules that analyze the collected data to proactively notify of you of issues. See [Monitor virtual machines with Azure Monitor: Alerts](monitor-virtual-machine-alerts.md)

+## Identify critical management pack logic

+Instead of attempting to replicate the entire functionality of a management pack, analyze the critical monitoring provided by the management pack. Decide whether you can replicate those monitoring requirements by using the methods described in the previous sections. In many cases, you can configure data collection and alert rules in Azure Monitor that replicate enough functionality that you can retire a particular management pack. Management packs can often include hundreds and even thousands of rules and monitors.

+In most scenarios, Operations Manager combines data collection and alerting conditions in the same rule or monitor. In Azure Monitor, you must configure data collection and an alert rule for any alerting scenarios.

+One strategy is to focus on those monitors and rules that triggered alerts in your environment. Refer to [existing reports available in Operations Manager](/system-center/scom/manage-reports-installed-during-setup), such as **Alerts** and **Most Common Alerts**, which can help you identify alerts over time. You can also run the following query on the Operations Database to evaluate the most common recent alerts.

+```sql

+select AlertName, COUNT(AlertName) as 'Total Alerts' from

+Alert.vAlertResolutionState ars

+inner join Alert.vAlertDetail adt on ars.AlertGuid = adt.AlertGuid

+inner join Alert.vAlert alt on ars.AlertGuid = alt.AlertGuid

+group by AlertName

+order by 'Total Alerts' DESC

+```

+Evaluate the output to identify specific alerts for migration. Ignore any alerts that were tuned out or are known to be problematic. Review your management packs to identify any critical alerts of interest that never fired.

+## Synthetic transactions

+Management packs often make use of synthetic transactions that connect to an application or service running on a machine to simulate a user connection or actual user traffic. If the application is available, you can assume that the machine is running properly. [Application insights](../app/app-insights-overview.md) in Azure Monitor provides this functionality. It only works for applications that are accessible from the internet. For internal applications, you must open a firewall to allow access from specific Microsoft URLs performing the test. Or you can use an alternate monitoring solution, such as System Center Operations Manager.

+|Method | Description |

+|:|:|

+| [URL test](../app/monitor-web-app-availability.md) | Ensures that HTTP is available and returning a web page |

+| [Multistep test](../app/availability-multistep.md) | Simulates a user session |

+## Next steps

+* [Learn how to analyze data in Azure Monitor logs using log queries](../logs/get-started-queries.md)

+* [Learn about alerts using metrics and logs in Azure Monitor](../alerts/alerts-overview.md)

+This guide describes how to use Azure Monitor to monitor the health and performance of virtual machines and their workloads. It includes collection of telemetry critical for monitoring and analysis and visualization of collected data to identify trends. It also shows you how to configure alerting to be proactively notified of critical issues.

+> This scenario describes how to implement complete monitoring of your enterprise Azure and hybrid virtual machine environment. To get started monitoring your first Azure virtual machine, see [Monitor Azure virtual machines](../../virtual-machines/monitor-vm.md).

+This guide includes monitoring of the following types of machines using Azure Monitor. Many of the processes described here are the same regardless of the type of machine. Considerations for different types of machines are clearly identified where appropriate. The types of machines include:

+- Azure Virtual Machine Scale Sets.

+| Virtual machine host | The host virtual machine in Azure. Azure Monitor has no access to the host in other clouds but must rely on information collected from the guest operating system. The host can be useful for tracking activity such as configuration changes, and basic alerting such as processor utilization and whether the machine is running. |

+| Guest operating system | The operating system running on the virtual machine, which is some version of either Windows or Linux. A significant amount of monitoring data is available from the guest operating system, such as performance data and events. You must install Azure Monitor agent to retrieve this telemetry. |

+| Workloads | Workloads running in the guest operating system that support your business applications. These will typically generate performance data and events similar to the operating system that you can retrieve. You must install Azure Monitor agent to retrieve this telemetry. |

+| Application | The business application that depends on your virtual machines. This will typically be monitored by Application insights. |

+## Configuration steps

+The following table lists the different steps for configuration of VM monitoring. Each one links to an article with the detailed description of that configuration step.

+| Step | Description |

+|:|:|

+| [Deploy Azure Monitor agent](monitor-virtual-machine-agent.md) | Deploy the Azure Monitor agent to your Azure and hybrid virtual machines to collect data from the guest operating system and workloads. |

+| [Configure data collection](monitor-virtual-machine-data-collection.md)) | Create data collection rules to instruct the Azure Monitor agent to collect telemetry from the guest operating system. |

+| [Analyze collect data](monitor-virtual-machine-analyze.md) | Analyze monitoring data collected by Azure Monitor from virtual machines and their guest operating systems and applications to identify trends and critical information. |

+| [Create alert rules](monitor-virtual-machine-alerts.md) | Create alerts to proactively identify critical issues in your monitoring data. |

+| [Migrate management pack logic](monitor-virtual-machine-management-packs.md) | General guidance for translation the logic from your System Center Operations Manager management packs to Azure Monitor. |

+

+## VM insights

+[VM insights](../vm/vminsights-overview.md) is a feature in Azure Monitor that allows you to quickly get started monitoring your virtual machines. While it's not required to take advantage of most Azure Monitor features for monitoring your VMs, it provides the following value:

+- Simplified onboarding of the Azure Monitor agent to enable monitoring of a virtual machine guest operating system and workloads.

+- Preconfigured data collection rule that collects the most common set of performance counters for Windows and Linux.

+- Optional collection of details for each virtual machine, the processes running on it, and dependencies with other services.

+- Optional dependency map that displays interconnected components with other machines and external sources.

+The articles in this guide provide guidance on configuring VM insights and using the data it collects with other Azure Monitor features. They also identify alternatives if you choose not to use VM insights.

+## Security monitoring

+Azure Monitor focuses on operational data like Activity logs, Metrics, and Log Analytics supported sources, including Windows Events (excluding security events), performance counters, logs, and Syslog. Security monitoring in Azure is performed by [Microsoft Defender for Cloud](/azure/defender-for-cloud/) and [Microsoft Sentinel](/azure/sentinel/). Configuration of these services is not included in this guide.

+> [!IMPORTANT]

+> The security services have their own cost independent of Azure Monitor. Before you configure these services, refer to their pricing information to determine your appropriate investment in their usage.

+### Integration with Azure Monitor

+The following table lists the integration points for Azure Monitor with the security services. All the services use the same Azure Monitor agent, which reduces complexity because there are no other components being deployed to your virtual machines. Defender for Cloud and Microsoft Sentinel store their data in a Log Analytics workspace so that you can use log queries to correlate data collected by the different services. Or you can create a custom workbook that combines security data and availability and performance data in a single view.

+See [Design a Log Analytics workspace architecture](../logs/workspace-design.md) for guidance on the most effective workspace design for your requirements taking into account all your services that use them.

+| Integration point | Azure Monitor | Microsoft Defender for Cloud | Microsoft Sentinel | Defender for Endpoint |

+|:|::|::|::|::|

+| Collects security events | | X | X | X |

+| Stores data in Log Analytics workspace | X | X | X | |

+| Uses Azure Monitor agent | X | X | X | X |

+> [!IMPORTANT]

+> Azure Monitor agent is in preview for some service features. See [Supported services and features](../agents/agents-overview.md#supported-services-and-features) for current details.

+[Deploy the Azure Monitor agent to your virtual machines](monitor-virtual-machine-agent.md)

+|[Azure Application Insights override default SDK endpoints](app/create-new-resource.md#override-default-endpoints)|We've clarified that endpoint modification isn't recommended and to use connection strings instead.|

+4. Navigate to **Properties** to confirm your availability zone configuration.

+ :::image type="content" source="../media/azure-netapp-files/availability-zone-volume-overview.png" alt-text="Screenshot of volume properties interface." lightbox="../media/azure-netapp-files/availability-zone-volume-overview.png":::

+1. [Deploy Azure VMware Solution](./deploy-azure-vmware-solution.md) private cloud and a dedicated virtual network connected via ExpressRoute gateway. The virtual network gateway should be configured with the Ultra performance or ErGw3Az SKU and have FastPath enabled. For more information, see [Configure networking for your VMware private cloud](tutorial-configure-networking.md) and [Network planning checklist](tutorial-network-checklist.md).

+Azure VMware Solution continuously monitors the health of both the VMware components and underlay. When Azure VMware Solution detects a failure, it takes action to repair the failed components. When Azure VMware Solution detects a degradation or failure on an Azure VMware Solution node, it triggers the host remediation process.

+Host remediation involves replacing the faulty node with a new healthy node in the cluster. Then, when possible, the faulty host is placed in VMware vSphere maintenance mode. VMware vMotion moves the VMs off the faulty host to other available servers in the cluster, potentially allowing zero downtime for live migration of workloads. If the faulty host can't be placed in maintenance mode, the host is removed from the cluster. Before the faulty host is removed, the customer workloads will be migrated to a newly added host.

+> [!TIP]

+> **Customer communication:** An email is sent to the customer's email address before the replacement is initiated and again after the replacement is successful.

+>

+> To receive emails related to host replacement, you need to be added to any of the following Azure RBAC roles in the subscription: 'ServiceAdmin', 'CoAdmin', 'Owner', 'Contributor'.

+> Azure VMware Solution tenant admins must not edit or delete the previously defined VMware vCenter Server alarms because they are managed by the Azure VMware Solution control plane on vCenter Server. These alarms are used by Azure VMware Solution monitoring to trigger the Azure VMware Solution host remediation process.

+ | **SKU** | Select the gateway SKU appropriate for your workload. <br> For Azure NetApp Files datastores, select UltraPerformance or ErGw3Az. |

+ >When specifying the encryption key using the full Key URI, the key will not be auto-rotated, and you need to perform key updates manually by specifying the new key when required. Alternatively, remove the Version component of the Key URI to get automatic rotation.

+- To use the audit policy for auditing vaults with **CMK encryption** enabled before 04/01/2021, use the Azure portal to update an encryption key. This helps to upgrade to the new model. If you don't want to change the encryption key, provide the same key again through the key URI or the key selection option.

+No, the vault must haven't had any attempts to protect any items to it in the past.

+ [!INCLUDE [azure-cli-prepare-your-environment-no-header.md](~/articles/reusable-content/azure-cli/azure-cli-prepare-your-environment-no-header.md)]

+To get container name, run the following command. [Learn about this CLI command](/cli/azure/backup/container#az-backup-container-list).

+> Even without an Azure account, you can listen to voice samples at the [Voice Gallery](https://speech.microsoft.com/portal/voicegallery) and determine the right voice for your business needs.

+1. Review the [price](https://azure.microsoft.com/pricing/details/cognitive-services/speech-services/) structure.

+| `GradingSystem` | The point system for score calibration. The `FivePoint` system gives a 0-5 floating point score, and `HundredMark` gives a 0-100 floating point score. Default: `FivePoint`. |

+| `Granularity` | Determines the lowest level of evaluation granularity. Scores for levels above or equal to the minimal value are returned. Accepted values are `Phoneme`, which shows the score on the full text, word, syllable, and phoneme level, `Syllable`, which shows the score on the full text, word, and syllable level, `Word`, which shows the score on the full text and word level, or `FullText`, which shows the score on the full text level only. The provided full reference text can be a word, sentence, or paragraph, and it depends on your input reference text. Default: `Phoneme`.|

+Whether you use language identification with [speech-to-text](#speech-to-text) or with [speech translation](#speech-translation), there are some common concepts and configuration options.

+* **Continuous:** With continuous LID in `Latency` mode the results are returned every 2 seconds for the duration of the audio. Continuous LID in `Accuracy` mode isn't supported with [speech-to-text](#speech-to-text) and [speech translation](#speech-translation) continuous recognition.

+> With [speech-to-text](#speech-to-text) and [speech translation](#speech-translation) continuous recognition, do not set `Accuracy` with the SpeechServiceConnection_ContinuousLanguageIdPriority property. The setting will be ignored without error, and the default priority of `Latency` will remain in effect.

+

+# Set the Priority (optional, default Latency)

+translation_config.set_property(property_id=speechsdk.PropertyId.SpeechServiceConnection_SingleLanguageIdPriority, value='Latency')

+> Check the the [Voice Gallery](https://speech.microsoft.com/portal/voicegallery) and determine the right voice for your business needs.

+Each prebuilt neural voice supports a specific language and dialect, identified by locale. You can try the demo and hear the voices in the [Voice Gallery](https://speech.microsoft.com/portal/voicegallery).

+Prebuilt neural voice is powered by deep neural networks. You need to create an Azure account and Speech service subscription. Then you can use the [Speech SDK](./get-started-text-to-speech.md) or visit the [Speech Studio portal](https://speech.microsoft.com/portal), and select prebuilt neural voices to get started. Listening to the voice sample without creating an Azure account, you can visit the [Voice Gallery](https://speech.microsoft.com/portal/voicegallery) and determine the right voice for your business needs.

+- Prebuilt neural voice: Highly natural out-of-the-box voices. Check the prebuilt neural voice samples the [Voice Gallery](https://speech.microsoft.com/portal/voicegallery) and determine the right voice for your business needs.

+> You can hear voices in different styles and pitches reading example text via the [Voice Gallery](https://speech.microsoft.com/portal/voicegallery).

+spx synthesize --text "Bienvenue chez moi." --voice fr-FR-AlainNeural --speakers

+| Prebuilt neural voice (called *Neural* on the [pricing page](https://azure.microsoft.com/pricing/details/cognitive-services/speech-services/)) | Highly natural out-of-the-box voices. Create an Azure account and Speech service subscription, and then use the [Speech SDK](./get-started-text-to-speech.md) or visit the [Speech Studio portal](https://speech.microsoft.com/portal) and select prebuilt neural voices to get started. Check the [pricing details](https://azure.microsoft.com/pricing/details/cognitive-services/speech-services/). | Check the the [Voice Gallery](https://speech.microsoft.com/portal/voicegallery) and determine the right voice for your business needs. |

+# Configure cross-tenant customer-managed keys for your Azure Cosmos DB account with Azure Key Vault

+1. Then, the necessary permissions must be assigned to Cosmos DBΓÇÖs principal. So, like the last role assignment, go to the assignment page but this time look for the **ΓÇ£Key Vault Crypto Service Encryption UserΓÇ¥** role and on the members tab look for Cosmos DBΓÇÖs principal. To find the principal, search for **Azure Cosmos DB** principal and select it.

+> [!IMPORTANT]

+>

+> The pg_azure_storage extension is available only on Azure Cosmos DB for

+> PostgreSQL clusters running PostgreSQL 13 and above.

+If you're an EA customer, you'll notice that the terms in the Azure billing profile usage CSV file differ from the terms in the Azure EA usage CSV file. Here's a mapping of EA usage terms to billing profile usage terms:

+| Azure EA usage CSV | Microsoft Customer Agreement Azure usage and charges CSV | Description |

+| | | |

+| Date | date | Date that the resource was consumed. |

+| Month | date | Month that the resource was consumed. |

+| Day | date | Day that the resource was consumed. |

+| Year | date | Year that the resourced was consumed. |

+| Product | product | Name of the product. |

+| MeterId | meterID | The unique identifier for the meter. |

+| MeterCategory | meterCategory | Name of the classification category for the meter. Same as the service in the Microsoft Customer Agreement Price Sheet. Exact string values differ. |

+| MeterSubCategory | meterSubCategory | Azure usage meter subclassification. |

+| MeterRegion | meterRegion | Detail required for a service. Useful to find the region context of the resource. |

+| MeterName | meterName | Name of the meter. Represents the Azure service deployable resource. |

+| ConsumedQuantity | quantity | Measured quantity purchased or consumed. The amount of the meter used during the billing period. |

+| ResourceRate | effectivePrice | The price represents the actual rate that you end up paying per unit, after discounts are taken into account. It's the price that should be used with the `Quantity` to do `Price` \* `Quantity` calculations to reconcile charges. The price takes into account the following scenarios and the scaled unit price that's also present in the files. As a result, it might differ from the scaled unit price. |

+| ExtendedCost | cost | Cost of the charge in the billing currency before credits or taxes. |

+| ResourceLocation | resourceLocation | Location of the used resource's data center. |

+| ConsumedService | consumedService | Name of the service. |

+| InstanceId | instanceId | Identifier of the resource instance. Shown as a ResourceURI that includes complete resource properties. |

+| ServiceInfo1 | serviceInfo1 | Legacy field that captures optional service-specific metadata. |

+| ServiceInfo2 | serviceInfo2 | Legacy field with optional service-specific metadata. |

+| AdditionalInfo | additionalInfo | Service-specific metadata. For example, an image type for a virtual machine. |

+| Tags | tags | Tags assigned to the resource. Doesn't include resource group tags. Can be used to group or distribute costs for internal chargeback. For more information, see [Organize your Azure resources with tags](https://azure.microsoft.com/updates/organize-your-azure-resources-with-tags/). |

+| StoreServiceIdentifier | N/A | |

+| DepartmentName | invoiceSection | `DepartmentName` is the department ID. You can see department IDs in the Azure portal on the **Cost Management + Billing** \> **Departments** page. `invoiceSection` is the MCA invoice section name. |

+| CostCenter | costCenter | Cost center associated to the subscription. |

+| UnitOfMeasure | unitofMeasure | The unit of measure for billing for the service. For example, compute services are billed per hour. |

+| ResourceGroup | resourceGroup | Name of the resource group associated with the resource. |

+| ChargesBilledSeparately | isAzureCreditEligible | Indicates if the charge is eligible to be paid for using Azure credits. |

+servicePeriodStartDate | The start date of the rating period that has defined and locked pricing for the consumed or purchased service

+servicePeriodEndDate | The end date of the rating period that has defined and locked pricing for the consumed or purchased service

+date | For Azure and Marketplace usage-based charges, it's the rating date. For one-time purchases (Reservations, Marketplace) or fixed recurring charges (support offers), it's the purchase date.

+meterSubCategory | Name of the meter subclassification category

+publisherType | Microsoft, Azure, Marketplace, and AWS costs. Values are `Microsoft` for Microsoft Customer Agreement accounts and `Azure` for EA and pay-as-you-go accounts.

+chargeType | The type of charge. Values: <br><br>ΓÇó AsCharged-Usage - Charges that are accrued based on usage of an Azure service. It includes usage against VMs that aren't charged because of reserved instances.<br><br>ΓÇó AsCharged-PurchaseMarketplace - Either one-time or fixed recurring charges from Marketplace purchases<br><br>ΓÇó AsCharged-UsageMarketplace - Charges for Marketplace services that are charged based on units of consumption

+additionalInfo | Other service-specific metadata.

+> [!NOTE]

+> Regardless of the payment method selected to complete your payment, you must specify the invoice number in the payment details.

+> [!NOTE]

+> When multiple invoices are remitted in a single check or wire transfer, you must specify the invoice numbers for all of the invoices.

+Account policies help you control how resources an Azure Data Lake Analytics account are used. These policies allow you to control the cost of using Azure Data Lake Analytics. For example, with these policies you can prevent unexpected cost spikes by limiting how many AUs the account can simultaneously use.

+## Account-level policies

+### Maximum number of AUs in a Data Lake Analytics account

+### Maximum number of jobs that can run simultaneously

+### How long to keep job metadata and resources

+Azure Data Lake Analytics will be retired on **29 February 2024**. Learn more [with this announcement](https://azure.microsoft.com/updates/migrate-to-azure-synapse-analytics/).

+If you're already using Azure Data Lake Analytics, you can create a migration plan to Azure Synapse Analytics for your organization.

+Microsoft launched Azure Synapse Analytics that aims at bringing both data lakes and data warehouse together for a unique big data analytics experience. It will help you gather and analyze your data to solve data inefficiency, and help your teams work together. Moreover, SynapseΓÇÖs integration with Azure Machine Learning and Power BI will allow the improved ability for organizations to get insights from its data and execute machine learning to all its smart apps.

+The document shows you how to do the migration from Azure Data Lake Analytics to Azure Synapse Analytics.

+ [!INCLUDE [azure-cli-prepare-your-environment-no-header.md](~/articles/reusable-content/azure-cli/azure-cli-prepare-your-environment-no-header.md)]

+New-AzStaticWebAppSetting -ResourceGroupName myResourceGroup -Name $webapp `

+ -AppSetting @{ `

+ AzureStorageConfig__AccountName = $blobStorageAccount `

+ AzureStorageConfig__ImageContainer = images `

+ AzureStorageConfig__ThumbnailContainer = thumbnails `

+ AzureStorageConfig__AccountKey = $blobStorageAccountKey `

+ }

+1. Stops processing events after 30 seconds by invoking [StopProcessingAsync](/dotnet/api/azure.messaging.eventhubs.eventprocessorclient.stopprocessingasync) on the [EventProcessorClient](/dotnet/api/azure.messaging.eventhubs.eventprocessorclient) object.

+

+1. Stops processing events after 30 seconds by invoking [StopProcessingAsync](/dotnet/api/azure.messaging.eventhubs.eventprocessorclient.stopprocessingasync) on the [EventProcessorClient](/dotnet/api/azure.messaging.eventhubs.eventprocessorclient) object.

+

+ > In order for the certificate to be automatically rotated to the latest version when a newer version of the certificate is available in your Key Vault, set the secret version to 'Latest'. If a specific version is selected, you have to re-select the new version manually for certificate rotation. It takes up to 72 hours for the new version of the certificate/secret to be deployed.

+ > [!WARNING]

+ > This is an Azure portal only warning. You need to configure your service principal to have a GET permission on the Key Vault. In order for a user to see the certificate in the portal drop-down, the user account must have LIST and GET permissions on the Key Vault. If a user doesn't have these permissions, they'll see an inaccessible error message in portal. An inaccessible error message doesn't have any impact on certificate auto-rotation or any HTTPS function. No actions are required for this error message if you don't intend to make changes to the certificate or the version. If you want to change the information on this page, see [provide permission to Key Vault](../key-vault/general/rbac-guide.md?tabs=azure-cli) to add your account to the LIST and GET permission of the Key Vault.

+Operating systems where the module can be installed:

+The module can be installed on a machine running PowerShell 7.x. Install the

+- Ensure you have access to Azure Subscription of FHIR service, to create resources and add role assignments.

+## SMART on FHIR using AHDS Samples OSS

+> Samples are open-source code, and you should review the information and licensing terms on GitHub before using it. They are not part of the Azure Health Data Service and are not supported by Microsoft Support. These samples can be used to demonstrate how Azure Health Data Services and other open-source tools can be used together to demonstrate ONC (g)(10) compliance, using Azure Active Directory as the identity provider workflow.

+- Ensure you have access to Azure Subscription of FHIR service, to create resources and add role assignments.

+## SMART on FHIR using AHDS Samples OSS

+> Samples are open-source code, and you should review the information and licensing terms on GitHub before using it. They are not part of the Azure Health Data Service and are not supported by Microsoft Support. These samples can be used to demonstrate how Azure Health Data Services and other open-source tools can be used together to demonstrate ONC (g)(10) compliance, using Azure Active Directory as the identity provider workflow.

+<details>

+ <summary> Click to expand! </summary>

+> [!NOTE]

+> This is another option to using "SMART on FHIR using AHDS Samples OSS" mentioned above. SMART on FHIR Proxy option only enables EHR launch sequence.

+ </details>

+> [What is the MedTech service?](overview.md)

+> [What is the MedTech service?](overview.md)

+> [What is the MedTech service?](overview.md)

+description: The MedTech service has a robust open-source (GitHub) library for ingesting device messages from popular wearable devices.

+To learn about the different deployment methods for the MedTech service, see

+## Device mappings validations

+The validation process validates the device mappings before allowing them to be saved for use. These elements are required in the device mapping templates.

+**Device mappings**

+|Element|Required|

+|:-|:|

+|TypeName|True|

+|TypeMatchExpression|True|

+|DeviceIdExpression|True|

+|TimestampExpression|True|

+|Values[].ValueName|True|

+|Values[].ValueExpression|True|

+> [!NOTE]

+> `Values[].ValueName and Values[].ValueExpression` elements are only required if you have a value entry in the array. It's valid to have no values mapped. This is used when the telemetry being sent is an event.

+>

+> For example:

+>

+> Some IoMT scenarios may require creating an Observation Resource in the FHIR service that does not contain a value.

+> See the MedTech service article [Troubleshoot MedTech service errors](troubleshoot-errors.md) for assistance fixing common MedTech service errors.

+## FHIR destination mappings validations

+The validation process validates the FHIR destination mappings before allowing them to be saved for use. These elements are required in the FHIR destination mappings templates.

+**FHIR destination mappings**

+|Element|Required|

+|:|:-|

+|TypeName|True|

+> [!NOTE]

+> This is the only required FHIR destination mapping element validated at this time.

+> See the MedTech service article [Troubleshoot MedTech service errors](troubleshoot-errors.md) for assistance fixing common MedTech service errors.

+description: This article explains how to configure the MedTech service metrics.

+To learn how to enable the MedTech service diagnostic settings to export logs and metrics to another location (for example: Azure Log Analytics workspace) for audit, backup, or troubleshooting, see

+To learn how to troubleshoot MedTech service errors, see

+> [Troubleshoot MedTech service errors](troubleshoot-errors.md)

+> See the MedTech service article [Troubleshoot MedTech service errors](troubleshoot-errors.md) for assistance fixing MedTech service errors.

+In this article, you learned how to configure the MedTech service device mappings using CalculatedContentTemplate mappings.

+> See the MedTech service article [Troubleshoot MedTech service errors](troubleshoot-errors.md) for assistance fixing MedTech service errors.

+In this article, you learned how to use the MedTech service custom functions with the device mappings.

+To learn how to configure the MedTech service device mappings, see

+> See the MedTech service article [Troubleshoot MedTech service errors](troubleshoot-errors.md) for assistance fixing MedTech service errors.

+In this article, you learned how to use IotJsonPathContentTemplate mappings with the MedTech service device mappings.

+To learn how to configure the MedTech service FHIR destination mappings, see

+In this article, you learned how to use the MedTech service monitoring tab.

+ Title: Troubleshoot MedTech service errors - Azure Health Data Services

+description: This article assists troubleshooting and resolving MedTech service errors.

+# Troubleshoot MedTech service errors

+This article provides assistance troubleshooting and fixing MedTech service errors.

+> [!TIP]

+> Having access to metrics and logs are essential tools for assisting you in troubleshooting and assessing the overall performance of your MedTech service. Check out these MedTech service articles to learn more about how to enable, configure, and use these monitoring features:

+>

+> [How to use the MedTech service monitoring tab](how-to-use-monitoring-tab.md)

+>

+> [How to configure the MedTech service metrics](how-to-configure-metrics.md)

+>

+> [How to enable diagnostic settings for the MedTech service](how-to-enable-diagnostic-settings.md)

+> [!NOTE]

+> When you open an [Azure Technical Support](https://azure.microsoft.com/support/create-ticket/) ticket for the MedTech service, include [copies of your device and FHIR destination mappings](how-to-create-mappings-copies.md) to assist in the troubleshooting process.

+## Errors and fixes

+### The operation being performed by the MedTech service

+This property represents the operation being performed by the MedTech service when the error has occurred. An operation generally represents the data flow stage while processing a device message. Here's a list of possible values for this property.

+> [!NOTE]

+> For information about the different stages of data flow in the MedTech service, see [The MedTech service data flow](data-flow.md).

+|Data flow stage|Description|

+||--|

+|Setup|The setup data flow stage is the operation specific to setting up your instance of the MedTech service.|

+|Normalization|Normalization is the data flow stage where the device data gets normalized.|

+|Grouping|The grouping data flow stage where the normalized data gets grouped.|

+|FHIRConversion|FHIRConversion is the data flow stage where the grouped-normalized data is transformed into a FHIR resource.|

+|Unknown|Unknown is the operation type that's unknown when an error occurs.|

+#### The severity of the error

+This property represents the severity of the occurred error. Here's a list of possible values for this property.

+|Severity|Description|

+||--|

+|Warning|Some minor issue exists in the data flow process, but processing of the device message doesn't stop.|

+|Error|This message occurs when the processing of a specific device message has run into an error and other messages may continue to execute as expected.|

+|Critical|This error is when some system level issue exists with the MedTech service and no messages are expected to process.|

+#### The type of error

+This property signifies a category for a given error, which it basically represents a logical grouping for similar types of errors. Here's a list of possible values for this property.

+|Error type|Description|

+|-|--|

+|`DeviceTemplateError`|This error type is related to the Device mapping.|

+|`DeviceMessageError`|This error type occurs when processing a specific device message.|

+|`FHIRTemplateError`|This error type is related to the FHIR destination mapping|

+|`FHIRConversionError`|This error type occurs when transforming a message into a FHIR resource.|

+|`FHIRResourceError`|This error type is related to existing resources in the FHIR service that are referenced by the MedTech service.|

+|`FHIRServerError`|This error type occurs when communicating with the FHIR service.|

+|`GeneralError`|This error type is about all other types of errors.|

+#### The name of the error

+This property provides the name for a specific error. Here's the list of all error names with their description and associated error type(s), severity, and data flow stage(s).

+|Error name|Description|Error type(s)|Error severity|Data flow stage(s)|

+|-|--|-|--||

+|`MultipleResourceFoundException`|This error occurs when multiple patient or device resources are found in the FHIR service for the respective identifiers present in the device message.|`FHIRResourceError`|Error|`FHIRConversion`|

+|`TemplateNotFoundException`|A device or FHIR destination mapping that isn't configured with the instance of the MedTech service.|`DeviceTemplateError`, `FHIRTemplateError`|Critical|`Normalization`, `FHIRConversion`|

+|`CorrelationIdNotDefinedException`|The correlation ID isn't specified in the Device mapping. `CorrelationIdNotDefinedException` is a conditional error that occurs only when the FHIR Observation must group device measurements using a correlation ID because it's not configured correctly.|`DeviceMessageError`|Error|Normalization|

+|`PatientDeviceMismatchException`|This error occurs when the device resource on the FHIR service has a reference to a patient resource. This error type means it doesn't match with the patient identifier present in the message.|`FHIRResourceError`|Error|`FHIRConversionError`|

+|`PatientNotFoundException`|No Patient FHIR resource is referenced by the Device FHIR resource associated with the device identifier present in the device message. Note this error will only occur when the MedTech service instance is configured with the *Lookup* resolution type.|`FHIRConversionError`|Error|`FHIRConversion`|

+|`DeviceNotFoundException`|No device resource exists on the FHIR service associated with the device identifier present in the device message.|`DeviceMessageError`|Error|Normalization|

+|`PatientIdentityNotDefinedException`|This error occurs when expression to parse patient identifier from the device message isn't configured on the device mapping or patient identifer isn't present in the device message. Note this error occurs only when MedTech service's resolution type is set to *Create*.|`DeviceTemplateError`|Critical|Normalization|

+|`DeviceIdentityNotDefinedException`|This error occurs when the expression to parse device identifier from the device message isn't configured on the device mapping or device identifer isn't present in the device message.|`DeviceTemplateError`|Critical|Normalization|

+|`NotSupportedException`|Error occurred when device message with unsupported format is received.|`DeviceMessageError`|Error|Normalization|

+### The MedTech service resource

+|Message|Displayed|Condition|Fix|

+|-||||

+|The maximum number of resource type `iotconnectors` has been reached.|API and Azure portal|MedTech service subscription quota is reached (default is 10 MedTech services per workspace and 10 workspaces per subscription).|Delete one of the existing instances of the MedTech service. Use a different subscription that hasn't reached the subscription quota. Request a subscription quota increase.

+|Invalid `deviceMapping` mapping. Validation errors: {List of errors}|API and Azure portal|The `properties.deviceMapping` provided in the MedTech service Resource provisioning request is invalid.|Correct the errors in the mapping JSON provided in the `properties.deviceMapping` property.

+|`fullyQualifiedEventHubNamespace` is null, empty, or formatted incorrectly.|API and Azure portal|The MedTech service provisioning request `properties.ingestionEndpointConfiguration.fullyQualifiedEventHubNamespace` isn't valid.|Update the MedTech service `properties.ingestionEndpointConfiguration.fullyQualifiedEventHubNamespace` to the correct format. Should be `{YOUR_NAMESPACE}.servicebus.windows.net`.

+|Ancestor resources must be fully provisioned before a child resource can be provisioned.|API|The parent workspace is still provisioning.|Wait until the parent workspace provisioning has completed and submit the provisioning request again.

+|`Location` property of child resources must match the `Location` property of parent resources.|API|The MedTech service provisioning request `location` property is different from the parent workspace `location` property.|Set the `location` property of the MedTech service in the provisioning request to the same value as the parent workspace `location` property.

+### Destination resource

+|Message|Displayed|Condition|Fix|

+|-||||

+|The maximum number of resource type `iotconnectors/destinations` has been reached.|API and Azure portal|MedTech service Destination Resource quota is reached and the default is 1 per MedTech service).|Delete the existing instance of MedTech service Destination Resource. Only one Destination Resource is permitted per MedTech service.

+|The `fhirServiceResourceId` provided is invalid.|API and Azure portal|The `properties.fhirServiceResourceId` provided in the Destination Resource provisioning request isn't a valid resource ID for an instance of the Azure Health Data Services FHIR service.|Ensure the resource ID is formatted correctly, and make sure the resource ID is for an Azure Health Data Services FHIR service instance. The format should be: `/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/{RESOURCE_GROUP_NAME}/providers/Microsoft.HealthcareApis/workspaces/{workspace_NAME}/fhirservices/{FHIR_SERVICE_NAME}`

+|Ancestor resources must be fully provisioned before a child resource can be provisioned.|API|The parent workspace or the parent MedTech service is still provisioning.|Wait until the parent workspace or the parent MedTech service provisioning completes, and then submit the provisioning request again.

+|`Location` property of child resources must match the `Location` property of parent resources.|API|The Destination provisioning request `location` property is different from the parent MedTech service `location` property.|Set the `location` property of the Destination in the provisioning request to the same value as the parent MedTech service `location` property.

+## Why is the MedTech service data not showing up in the FHIR service?

+|Potential issues|Fixes|

+|-|--|

+|Data is still being processed.|Data is egressed to the FHIR service in batches (every ~5 minutes). ItΓÇÖs possible the data is still being processed and extra time is needed for the data to be persisted in the FHIR service.|

+|Device mapping hasn't been configured.|Configure and save conforming Device mapping.|

+|FHIR destination mapping hasn't been configured.|Configure and save conforming FHIR destination mapping.|

+|The device message doesn't contain an expected expression defined in the Device mapping.|Verify `JsonPath` expressions defined in the Device mapping match tokens defined in the device message.|

+|A Device Resource hasn't been created in the FHIR service (Resolution Type: Look up only)*.|Create a valid Device Resource in the FHIR service. Ensure the Device Resource contains an identifier that matches the device identifier provided in the incoming message.|

+|A Patient Resource hasn't been created in the FHIR service (Resolution Type: Look up only)*.|Create a valid Patient Resource in the FHIR service.|

+|The `Device.patient` reference isn't set, or the reference is invalid (Resolution Type: Look up only)*.|Make sure the Device Resource contains a valid [Reference](https://www.hl7.org/fhir/device-definitions.html#Device.patient) to a Patient Resource.|

+*Reference [Quickstart: Part 2: Configure the MedTech service for manual deployment using the Azure portal](deploy-new-config.md#destination-properties) for a functional description of the MedTech service resolution types (For example: Create or Lookup).

+## Next steps

+In this article, you learned how to troubleshoot MedTech service error messages and conditions.

+To learn about the MedTech service frequently asked question (FAQs), see

+> [!div class="nextstepaction"]

+> [Frequently asked questions about the MedTech service](frequently-asked-questions.md)

+FHIR&#174; is a registered trademark of Health Level Seven International, registered in the U.S. Trademark Office and is used with their permission.

+ Last updated 01/13/2023

+# IoT Hub support for virtual networks with Azure Private Link

+By default, IoT Hub's hostnames map to a public endpoint with a publicly routable IP address over the internet. Different customers share this IoT Hub public endpoint, and IoT devices in wide-area networks and on-premises networks can all access it.

+

+Some IoT Hub features, including [message routing](./iot-hub-devguide-messages-d2c.md), [file upload](./iot-hub-devguide-file-upload.md), and [bulk device import/export](./iot-hub-bulk-identity-mgmt.md), also require connectivity from IoT Hub to a customer-owned Azure resource over its public endpoint. These connectivity paths make up the egress traffic from IoT Hub to customer resources.

+You might want to restrict connectivity to your Azure resources (including IoT Hub) through a VNet that you own and operate for several reasons, including:

+* Enabling a private connectivity experience from your on-premises network assets, which ensures that your data and traffic is transmitted directly to Azure backbone network.

+* Preventing exfiltration attacks from sensitive on-premises networks.

+A private endpoint is a private IP address allocated inside a customer-owned VNet through which an Azure resource is reachable. With Azure Private Link, you can set up a private endpoint for your IoT hub to allow services inside your VNet to reach IoT Hub without requiring traffic to be sent to IoT Hub's public endpoint. Similarly, your on-premises devices can use [Virtual Private Network (VPN)](../vpn-gateway/vpn-gateway-about-vpngateways.md) or [ExpressRoute](https://azure.microsoft.com/services/expressroute/) peering to gain connectivity to your VNet and your IoT hub (via its private endpoint). As a result, you can restrict or completely block off connectivity to your IoT hub's public endpoints by using [IoT Hub IP filter](./iot-hub-ip-filtering.md) or [the public network access toggle](iot-hub-public-network-access.md). This approach keeps connectivity to your hub using the private endpoint for devices. The main focus of this setup is for devices inside an on-premises network. This setup isn't advised for devices deployed in a wide-area network.

+

+Private endpoint works for IoT Hub device APIs (like device-to-cloud messages) and service APIs (like creating and updating devices).

+1. In the [Azure portal](https://portal.azure.com), navigate to your IoT hub.

+1. Select **Networking** > **Private access**, and then select **Create a private endpoint**.

+ :::image type="content" source="media/virtual-network-support/private-link.png" alt-text="Screenshot showing where to add private endpoint for IoT Hub." border="true":::

+1. Provide the subscription, resource group, name, and region to create the new private endpoint. Ideally, a private endpoint should be created in the same region as your hub.

+1. Select **Next: Resource**, and provide the subscription for your IoT Hub resource, and select **"Microsoft.Devices/IotHubs"** as resource type, your IoT hub name as **resource**, and **iotHub** as target subresource.

+1. Select **Next: Configuration** and provide your virtual network and subnet to create the private endpoint in. Select the option to integrate with Azure private DNS zone, if desired.

+1. Select **Next: Tags**, and optionally provide any tags for your resource.

+1. Select **Review + create** to create your private link resource.

+### Built-in Event Hubs compatible endpoint

+The [built-in Event Hubs compatible endpoint](iot-hub-devguide-messages-read-builtin.md) can also be accessed over private endpoint. When private link is configured, you should see another private endpoint connection for the built-in endpoint. It's the one with `servicebus.windows.net` in the FQDN.

+IoT Hub's [IP filter](iot-hub-ip-filtering.md) can optionally control public access to the built-in endpoint.

+IoT Hub can connect to your Azure blob storage, event hub, service bus resources for [message routing](./iot-hub-devguide-messages-d2c.md), [file upload](./iot-hub-devguide-file-upload.md), and [bulk device import/export](./iot-hub-bulk-identity-mgmt.md) over the resources' public endpoint. Binding your resource to a VNet blocks connectivity to the resource by default. As a result, this configuration prevents IoT hubs from sending data to your resources. To fix this issue, enable connectivity from your IoT Hub resource to your storage account, event hub, or service bus resources via the **trusted Microsoft service** option.

+To allow other services to find your IoT hub as a trusted Microsoft service, your hub must use a managed identity. Once a managed identity is provisioned, grant permission to your hub's managed identity to access your custom endpoint. Follow the article [Managed identities support in IoT Hub](./iot-hub-managed-identity.md) to provision a managed identity with Azure role-based access control (RBAC) permission, and add the custom endpoint to your IoT hub. Make sure you turn on the trusted Microsoft first party exception to allow your IoT hubs access to the custom endpoint if you have the firewall configurations in place.

+Use the following links to learn more about IoT Hub features:

+ Title: Quickstart - Azure Key Vault certificates client library for .NET

+description: Learn how to create, retrieve, and delete certificates from an Azure key vault using the .NET client library

+# Quickstart: Azure Key Vault certificate client library for .NET

+* [.NET 6 SDK or later](https://dotnet.microsoft.com/download)

+For this quickstart, you'll also need to install the Azure Identity client library:

+Application requests to most Azure services must be authorized. Using the [DefaultAzureCredential](/dotnet/azure/sdk/authentication#defaultazurecredential) class provided by the [Azure Identity client library](/dotnet/api/overview/azure/identity-readme) is the recommended approach for implementing passwordless connections to Azure services in your code. `DefaultAzureCredential` supports multiple authentication methods and determines which method should be used at runtime. This approach enables your app to use different authentication methods in different environments (local vs. production) without implementing environment-specific code.

+In this quickstart, `DefaultAzureCredential` authenticates to key vault using the credentials of the local development user logged into the Azure CLI. When the application is deployed to Azure, the same `DefaultAzureCredential` code can automatically discover and use a managed identity that is assigned to an App Service, Virtual Machine, or other services. For more information, see [Managed Identity Overview](/azure/active-directory/managed-identities-azure-resources/overview).

+In this example, the name of your key vault is expanded to the key vault URI, in the format `https://<your-key-vault-name>.vault.azure.net`. For more information about authenticating to key vault, see [Developer's Guide](/azure/key-vault/general/developers-guide#authenticate-to-key-vault-in-code).

+Modify the .NET console app to interact with the Key Vault by completing the following steps:

+| ConflictError | You're requesting multiple operations on the same item, for example, Key Vault, secret, key, certificate, or common components within a Key Vault like VNET. It's recommended to sequence operations or to implement retry logic. |

+description: The parameters and headers common to all operations that you might perform on Key Vault resources.

+The following information is common to all operations that you might perform on Key Vault resources:

+- The HTTP `Host` header must always be present and must specify the vault hostname. Example: `Host: contoso.vault.azure.net`. Note that most client technologies populate the `Host` header from the URI. For instance, `GET https://contoso.vault.azure.net/secrets/mysecret{...}` will set the `Host` as `contoso.vault.azure.net`. If you access Key Vault using raw IP address like `GET https://10.0.0.23/secrets/mysecret{...}`, the automatic value of `Host` header will be wrong, and you'll have to manually ensure that the `Host` header contains the vault hostname.

+- Set the Authorization header to a JSON Web Token that you obtain from Azure Active Directory (Azure AD). For more information, see [Authenticating Azure Resource Manager](authentication-requests-and-responses.md) requests.

+Soft-delete allows you to recover deleted data for 90 days after deletion. When using soft-delete, the data may be permanently deleted prior to the 90 days retention period expires by performing a purge operation. If the vault or subscription has been configured to block purge operations, it isn't possible to permanently delete data until the scheduled retention period has passed.

+In this guide, you will learn how to respond to Azure Key Vault events that are received via [Azure Event Grid](../../event-grid/index.yml) by using [Azure Logic Apps](../../logic-apps/index.yml). By the end, you will have an Azure logic app set up to send a notification email every time a secret is created in Azure Key Vault.

+First, create Logic App with Event Grid handler and subscribe to Azure Key Vault "SecretNewVersionCreated" events.

+1. In the Azure portal, go to your key vault, select **Events > Get Started** and select **Logic Apps**

+1. On **Logic Apps Designer** validate the connection and select **Continue**

+8. Select **Save as**.

+9. Enter a **name** for new logic app and select **Create**.

+ Title: Monitoring Key Vault with Azure Event Grid

+description: Use Azure Event Grid to subscribe to Key Vault events

+Event Grid uses [event subscriptions](../../event-grid/concepts.md#event-subscriptions) to route event messages to subscribers. Key Vault events contain all the information you need to respond to changes in your data. You can identify a Key Vault event because the eventType property starts with "Microsoft.KeyVault".

+* Multiple subscriptions can be configured to route events to the same event handler. It's important not to assume events are from a particular source, but to check the topic of the message to ensure that it comes from the key vault you're expecting.

+* Similarly, check that the eventType is one you're prepared to process, and do not assume that all events you receive will be the types you expect.

+1. Select the Automation account you created.

+1. Select **Webhooks** from the **Resources** section of the runbook you published.

+1. Select **Parameters and run settings** and then select **OK**. Don't enter any parameters. The **Create** button will be enabled.

+You can now reference the key that you created or uploaded to Azure Key Vault, by using its URI. Use `https://ContosoKeyVault.vault.azure.net/keys/ContosoFirstKey` to always get the current version. Use `https://<keyvault-name>.vault.azure.net/keys/<keyname>/<key-unique-id>` to get this specific version. For example, `https://ContosoKeyVault.vault.azure.net/keys/ContosoFirstKey/cgacf4f763ar42ffb0a1gca546aygd87`.

+Add a secret to the vault, which is a password named SQLPassword, and that has the value of "hVFkk965BuUv" to Azure Key Vaults.

+Reference this password by using its URI. Use **https://ContosoVault.vault.azure.net/secrets/SQLPassword** to always get the current version, and `https://<keyvault-name>.vault.azure.net/secret/<secret-name>/<secret-unique-id>` to get this specific version. For example, `https://ContosoVault.vault.azure.net/secrets/SQLPassword/90018dbb96a84117a0d2847ef8e7189d`.

+* To view your keys, type:

+* To view your secrets, type:

+* To view certificates, type:

+## Setting key vault advanced access policies

+Service limits in Key Vault prevent misuse of resources and ensure quality of service for all of Key Vault's clients. When a service threshold is exceeded, Key Vault limits any further requests from that client, returns HTTP status code 429 (Too many requests), and the request fails. Failed requests that return a 429 do not count towards the throttle limits tracked by Key Vault.

+Key Vault was originally designed to store and retrieve your secrets at deployment time. The world has evolved, and Key Vault is being used at run-time to store and retrieve secrets, and often apps and services want to use Key Vault like a database. Current limits do not support high throughput rates.

+1. Ensure you have throttling in place. Client must honor exponential back-off policies for 429s and ensure you are doing retries as per the guidance below.

+1. Key Vault is designed for your own services secrets. If you are storing your customers' secrets (especially for high-throughput key storage scenarios), consider putting the keys in a database or storage account with encryption, and storing just the primary key in Azure Key Vault.

+1. If your app comprises multiple nodes that need to read the same secret(s), then consider using a fan-out pattern, where one entity reads the secret from Key Vault, and fans out to all nodes. Cache the retrieved secrets only in memory.

+Here is code that implements exponential backoff:

+### No authentication token attached to the request

+Here's an example PUT request, setting the value of a secret:

+### The token lacks the correct resource associated with it

+- aud (audience): The resource of the token. Notice that this is `https://vault.azure.net`. This token will NOT work for any resource that doesn't explicitly match this value, such as graph.

+It is important that all of the values be properly identified in the token in order for the request to work. If everything is correct, then the request won't result in 401.

+```

+If you can only get the response access token, you can decode it to ensure the tenant ID, the client ID (app ID), and the resource.

+If due to access policy: find the object ID for the request and ensure that the object ID matches the object to which the user is trying to assign the access policy. There will often be multiple objects in Azure AD, which have the same name, so choosing the correct one is important. By deleting and readding the access policy, it is possible to see if multiple objects exist with the same name.

+In addition, most access policies do not require the use of the "Authorized application" as shown in the portal. Authorized applications are used for "on-behalf-of" authentication scenarios, which are rare.

+- Reduce number of requests made to the Key Vault by determining if there are patterns to a requested resource and attempting to cache them in the calling application.

+- When Key Vault throttling occurs, adapt the requesting code to use an exponential backoff for retrying. The algorithm is explained here: [How to throttle your app](overview-throttling.md#how-to-throttle-your-app-in-response-to-service-limits)

+- If the number of requests cannot be reduced by caching and timed backoff does not work, then consider splitting the keys up into multiple Key Vaults. The service limit for a single subscription is 5x the individual Key Vault limit. If using more than five Key Vaults, consideration should be given to using multiple subscriptions.

+- Integration with Azure Functions. For an example scenario using [Azure Functions](../../azure-functions/index.yml) for key vault operations, see [Automate the rotation of a secret](../secrets/tutorial-rotation.md).

+- Managed storage account keys. Storage Account Keys feature added easier integration with Azure Storage. For more information, see [Managed Storage Account Keys overview](../secrets/overview-storage-keys.md).

+- Soft delete. Soft-delete feature improves data protection of your key vaults and key vault objects. For more information, see [Soft-delete overview](./soft-delete-overview.md).

+ Title: Quickstart - Azure Key Vault keys client library for .NET

+description: Learn how to create, retrieve, and delete keys from an Azure key vault using the .NET client library

+# Quickstart: Azure Key Vault key client library for .NET

+* [.NET 6 SDK or later](https://dotnet.microsoft.com/download)

+For this quickstart, you'll also need to install the Azure Identity client library:

+Application requests to most Azure services must be authorized. Using the [DefaultAzureCredential](/dotnet/azure/sdk/authentication#defaultazurecredential) class provided by the [Azure Identity client library](/dotnet/api/overview/azure/identity-readme) is the recommended approach for implementing passwordless connections to Azure services in your code. `DefaultAzureCredential` supports multiple authentication methods and determines which method should be used at runtime. This approach enables your app to use different authentication methods in different environments (local vs. production) without implementing environment-specific code.

+In this quickstart, `DefaultAzureCredential` authenticates to key vault using the credentials of the local development user logged into the Azure CLI. When the application is deployed to Azure, the same `DefaultAzureCredential` code can automatically discover and use a managed identity that is assigned to an App Service, Virtual Machine, or other services. For more information, see [Managed Identity Overview](/azure/active-directory/managed-identities-azure-resources/overview).

+In this example, the name of your key vault is expanded to the key vault URI, in the format `https://<your-key-vault-name>.vault.azure.net`. For more information about authenticating to key vault, see [Developer's Guide](/azure/key-vault/general/developers-guide#authenticate-to-key-vault-in-code).

+var kvUri = $"https://{keyVaultName}.vault.azure.net";

+Modify the .NET console app to interact with the Key Vault by completing the following steps:

+> Azure AD allows you to authenticate your client application by using an application or user identity, instead of storage account credentials. You can use an [Azure AD managed identity](../../active-directory/managed-identities-azure-resources/index.yml) when you run on Azure. Managed identities remove the need for client authentication and storing credentials in or with your application. Use this solution only when Azure AD authentication is not possible.

+First, set the variables to be used by the PowerShell cmdlets in the following steps. Be sure to update the "YourResourceGroupName", "YourStorageAccountName", and "YourKeyVaultName" placeholders, and set $keyVaultSpAppId to `cfa8b339-82a2-471a-a3c9-0fc0be7a4093` (as specified in [Service principal application ID](#service-principal-application-id)).

+We'll also use the Azure PowerShell [Get-AzContext](/powershell/module/az.accounts/get-azcontext) and [Get-AzStorageAccount](/powershell/module/az.storage/get-azstorageaccount) cmdlets to get your user ID and the context of your Azure storage account.

+The permissions for storage accounts aren't available on the storage account "Access policies" page in the Azure portal.

+If you want Key Vault to regenerate your storage account keys periodically, you can use the Azure PowerShell [Add-AzKeyVaultManagedStorageAccount](/powershell/module/az.keyvault/add-azkeyvaultmanagedstorageaccount) cmdlet to set a regeneration period. In this example, we set a regeneration period of 30 days. When it's time to rotate, Key Vault regenerates the inactive key and then sets the newly created key as active. The key used to issue SAS tokens is the active key.

+|`SignedResourceTypes (srt)`|Required. Specifies the signed resource types that are accessible with the account SAS.<br /><br /> - Service (`s`): Access to service-level APIs (*for example*, Get/Set Service Properties, Get Service Stats, List Containers/Queues/Tables/Shares)<br />- Container (`c`): Access to container-level APIs (*for example*, Create/Delete Container, Create/Delete Queue, Create/Delete Table, Create/Delete Share, List Blobs/Files and Directories)<br />- Object (`o`): Access to object-level APIs for blobs, queue messages, table entities, and files(*for example,* Put Blob, Query Entity, Get Messages, Create File, etc.)<br /><br /> You can combine values to provide access to more than one resource type. For example, `srt=sc` specifies access to service and container resources.|

+|`SignedProtocol (spr)`|Optional. Specifies the protocol permitted for a request made with the account SAS. Possible values are both HTTPS and HTTP (`https,http`) or HTTPS only (`https`). The default value is `https,http`.<br /><br /> HTTP only is not a permitted value.|

+Use the Azure PowerShell [Set-AzKeyVaultManagedStorageSasDefinition](/powershell/module/az.keyvault/set-azkeyvaultmanagedstoragesasdefinition) cmdlet to create a shared access signature definition. You can provide the name of your choice to the `-Name` parameter.

+Permissions for storage accounts aren't available on the storage account "Access policies" page in the Azure portal.

+ Create a Key Vault managed storage account using the Azure CLI [az keyvault storage](/cli/azure/keyvault/storage?#az-keyvault-storage-add) command. Set a regeneration period of 30 days. When it's time to rotate, KeyVault regenerates the key that isn't active, and then sets the newly created key as active. Only one of the keys is used to issue SAS tokens at any one time, this is the active key. Provide the command the following parameter values:

+|`SignedProtocol (spr)`|Optional. Specifies the protocol permitted for a request made with the account SAS. Possible values are both HTTPS and HTTP (`https,http`) or HTTPS only (`https`). The default value is `https,http`.<br /><br /> HTTP only isn't a permitted value. |

+Get started with the Azure Key Vault Secret client library for Java. Follow these steps to install the package and try out example code for basic tasks.

+This quickstart assumes you're running [Azure CLI](/cli/azure/install-azure-cli) and [Apache Maven](https://maven.apache.org) in a Linux terminal window.

+In this example, the name of your key vault is expanded to the key vault URI, in the format `https://\<your-key-vault-name\>.vault.azure.net`. This example is using the ['DefaultAzureCredential()'](/java/api/com.azure.identity.defaultazurecredential) class, which allows to use the same code across different environments with different options to provide identity. For more information, see [Default Azure Credential Authentication](/java/api/overview/azure/identity-readme).

+Now that your application is authenticated, you can put a secret into your key vault using the `secretClient.setSecret` method. This requires a name for the secretΓÇöwe've assigned the value "mySecret" to the `secretName` variable in this sample.

+In this quickstart, you created a key vault, stored a secret, retrieved it, and then deleted it. To learn more about Key Vault and how to integrate it with your applications, continue on to these articles.

+ Title: Quickstart - Azure Key Vault secrets client library for .NET

+description: Learn how to create, retrieve, and delete secrets from an Azure key vault using the .NET client library

+# Quickstart: Azure Key Vault secret client library for .NET

+* [.NET 6 SDK or later](https://dotnet.microsoft.com/download)

+* [Azure CLI](/cli/azure/install-azure-cli) or [Azure PowerShell](/powershell/azure/install-az-ps)

+* A Key Vault - you can create one using [Azure portal](../general/quick-create-portal.md), [Azure CLI](../general/quick-create-cli.md), or [Azure PowerShell](../general/quick-create-powershell.md)

+For this quickstart, you'll also need to install the Azure Identity client library:

+Application requests to most Azure services must be authorized. Using the [DefaultAzureCredential](/dotnet/azure/sdk/authentication#defaultazurecredential) class provided by the [Azure Identity client library](/dotnet/api/overview/azure/identity-readme) is the recommended approach for implementing passwordless connections to Azure services in your code. `DefaultAzureCredential` supports multiple authentication methods and determines which method should be used at runtime. This approach enables your app to use different authentication methods in different environments (local vs. production) without implementing environment-specific code.

+In this quickstart, `DefaultAzureCredential` authenticates to key vault using the credentials of the local development user logged into the Azure CLI. When the application is deployed to Azure, the same `DefaultAzureCredential` code can automatically discover and use a managed identity that is assigned to an App Service, Virtual Machine, or other services. For more information, see [Managed Identity Overview](/azure/active-directory/managed-identities-azure-resources/overview).

+In this example, the name of your key vault is expanded to the key vault URI, in the format `https://<your-key-vault-name>.vault.azure.net`. For more information about authenticating to key vault, see [Developer's Guide](/azure/key-vault/general/developers-guide#authenticate-to-key-vault-in-code).

+Modify the .NET console app to interact with the Key Vault by completing the following steps:

+For more information, see [Key Vault Overview](../general/overview.md) and [Secrets Overview](about-secrets.md).

+1. Select on **Generate/Import**.

+ - Leave the other values to their defaults. Select **Create**.

+Once that you receive the message that the secret has been successfully created, you may select on it on the list.

+If you select on the current version, you can see the value you specified in the previous step.

+In this quickstart, you created a Key Vault and stored a secret in it. To learn more about Key Vault and how to integrate it with your applications, continue on to these articles.

+ > [!NOTE]

+ > To expose the service via the internal IP instead of public one, add the annotation to the MultiClusterService:

+ >

+ > ```yaml

+ > apiVersion: networking.fleet.azure.com/v1alpha1

+ > kind: MultiClusterService

+ > metadata:

+ > name: kuard

+ > namespace: kuard-demo

+ > annotations:

+ > service.beta.kubernetes.io/azure-load-balancer-internal: "true"

+ > ...

+ > ```

+> [!IMPORTANT]

+> When assigning roles, be sure to review the [actions](../../role-based-access-control/role-definitions.md) specified for each role. In some cases, even though roles with [`DataActions`](../../role-based-access-control/role-definitions.md#dataactions) permission are not supported, the actions included in a role may allow access to data, where data is exposed through access keys and not accessed via the user's identity. For example, the [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles) role includes the `Microsoft.Storage/storageAccounts/listKeys/action` action, which returns storage account access keys that could be used to retrieve certain customer data.

+* West Europe

+>[!NOTE]

+> If the Virtual Machine Scale Set in the Load Balancer backend pool has Public IP Addresses in its network configuration, the Public IP Addresses will change during migration (the Public IPs must be removed prior to the migration, then added back post migration with a Standard SKU configuration)

+|Cross region balancer in West Europe| Currently, there are a limited amount of IP addresses available in West Europe for Azure's cross region Load Balancer. This may impact customers' ability to deploy cross region load balancers in the West Europe region.| We recommend that customers use another home region as part of their cross region deployment.|

+> * We don't host MLflow server instances under the hood. The workspace can talk the MLflow standard.

+> * You can use Azure Machine Learning workspaces as your tracking server for any MLflow code, whether it runs on Azure Machine Learning or not. You only need to configure MLflow to point to the workspace where the tracking should happen.

+> * You can run any training routine that uses MLflow in Azure Machine Learning without any change.

+> [!NOTE]

+> Unlike the Azure Machine Learning SDK v1, there's no logging functionality in the SDK v2 and we recommend using MLflow for logging. Such strategy allows your training routines to become cloud-agnostic and portable, removing any dependency in your code with Azure Machine Learning.

+Azure Machine Learning uses MLflow Tracking for metric logging and artifact storage for your experiments. When connected to Azure Machine Learning, all tracking performed using MLflow is materialized in the workspace you are working on. To learn more about how to instrument your experiments for tracking experiments and training routines, see [Log metrics, parameters, and files with MLflow](how-to-log-view-metrics.md). You can also use MLflow to [Query & compare experiments and runs with MLflow](how-to-track-experiments-mlflow.md).

+### Centralize tracking

+You can connect MLflow to Azure Machine Learning workspaces even when you are running locally or in a different cloud. The workspace provides a centralized, secure, and scalable location to store training metrics and models.

+### Example notebooks

+* [Training and tracking an XGBoost classifier with MLflow](https://github.com/Azure/azureml-examples/blob/main/sdk/python/using-mlflow/train-and-log/xgboost_classification_mlflow.ipynb): Demonstrates how to track experiments by using MLflow, log models, and combine multiple flavors into pipelines.

+* [Training and tracking an XGBoost classifier with MLflow using service principal authentication](https://github.com/Azure/azureml-examples/blob/main/sdk/python/using-mlflow/train-and-log/xgboost_service_principal.ipynb): Demonstrates how to track experiments by using MLflow from compute that's running outside Azure Machine Learning. It shows how to authenticate against Azure Machine Learning services by using a service principal.

+* [Hyper-parameter optimization using Hyperopt and nested runs in MLflow](https://github.com/Azure/azureml-examples/blob/main/sdk/python/using-mlflow/train-and-log/xgboost_nested_runs.ipynb): Demonstrates how to use child runs in MLflow to do hyper-parameter optimization for models by using the popular library Hyperopt. It shows how to transfer metrics, parameters, and artifacts from child runs to parent runs.

+* [Logging models with MLflow](https://github.com/Azure/azureml-examples/blob/main/sdk/python/using-mlflow/train-and-log/logging_and_customizing_models.ipynb): Demonstrates how to use the concept of models instead of artifacts with MLflow, including how to construct custom models.

+* [Manage runs and experiments with MLflow](https://github.com/Azure/azureml-examples/blob/main/sdk/python/using-mlflow/runs-management/run_history.ipynb): Demonstrates how to query experiments, runs, metrics, parameters, and artifacts from Azure Machine Learning by using MLflow.

+> - MLflow in R support is limited to tracking experiment's metrics, parameters and models on Azure Machine Learning jobs. Interactive training on RStudio, Posit (formerly RStudio Workbench) or Jupyter Notebooks with R kernels is not supported. Model management and registration is not supported using the MLflow R SDK. As an alternative, use Azure ML CLI or [Azure ML studio](https://ml.azure.com) for model registration and management. View the following [R example about using the MLflow tracking client with Azure Machine Learning](https://github.com/Azure/azureml-examples/tree/main/cli/jobs/single-step/r).

+## Model deployment with MLflow

+You can [deploy MLflow models to Azure Machine Learning](how-to-deploy-mlflow-models.md) and take advantage of the improved experience when you use this type of models. Azure Machine Learning supports deploying MLflow models to both real-time and batch endpoints without having to indicate and environment or a scoring script. Deployment is supported using either MLflow SDK, Azure Machine Learning CLI, Azure Machine Learning SDK for Python, or the [Azure Machine Learning studio](https://ml.azure.com) portal.

+Learn more at [Guidelines for deploying MLflow models](how-to-deploy-mlflow-models.md).

+* [Deploy MLflow to Online Endpoints with safe rollout](https://github.com/Azure/azureml-examples/blob/main/sdk/python/using-mlflow/deploy/mlflow_sdk_online_endpoints_progresive.ipynb): Demonstrates how to deploy models in MLflow format to online endpoints using MLflow SDK with progressive rollout of models and the deployment of multiple model's versions in the same endpoint.

+* [Track an MLflow project in Azure Machine Learning workspaces](https://github.com/Azure/MachineLearningNotebooks/blob/master/how-to-use-azureml/track-and-monitor-experiments/using-mlflow/train-projects-local/train-projects-local.ipynb)

+* [Train and run an MLflow project on Azure Machine Learning jobs](https://github.com/Azure/MachineLearningNotebooks/blob/master/how-to-use-azureml/track-and-monitor-experiments/using-mlflow/train-projects-remote/train-projects-remote.ipynb).

+| Feature | MLflow SDK | Azure Machine Learning CLI/SDK | Azure Machine Learning studio |

+| Submit training jobs | **&check;** ² | **&check;** | **&check;** |

+| Submit training jobs with Azure Machine learning data assets | | **&check;** | **&check;** |

+| Submit training jobs with machine learning pipelines | | **&check;** | **&check;** |

+> - ² Using MLflow projects (preview).

+> - ⁴ Deployment of MLflow models to batch inference by using the MLflow SDK is not possible at the moment. As an alternative, see [Deploy and run MLflow models in Spark jobs](how-to-deploy-mlflow-model-spark-jobs.md).

+* [Concept: From artifacts to models in MLflow](concept-mlflow-models.md).

+* [How-to: Configure MLflow for Azure Machine Learning](how-to-use-mlflow-configure-tracking.md).

+* [How-to: Migrate logging from SDK v1 to MLflow](reference-migrate-sdk-v1-mlflow-tracking.md)

+* [How-to: Track ML experiments and models with MLflow](how-to-use-mlflow-cli-runs.md).

+* [How-to: Log MLflow models](how-to-log-mlflow-models.md).

+* [Guidelines for deploying MLflow models](how-to-deploy-mlflow-models.md).

+- Try out [CLI v2 component example](https://github.com/Azure/azureml-examples/tree/main/cli/jobs/pipelines-with-components)

+1. Assign all the traffic to the deployment: So far, the endpoint has one deployment, but none of its traffic is assigned to it. Let's assign it.

+ *This step in not required in the Azure CLI since we used the `--all-traffic` during creation. If you need to change traffic, you can use the command `az ml online-endpoint update --traffic` as explained at [Progressively update traffic](how-to-deploy-mlflow-models-online-progressive.md#progressively-update-the-traffic).*

+ *This step in not required in the Azure CLI since we used the `--all-traffic` during creation. If you need to change traffic, you can use the command `az ml online-endpoint update --traffic` as explained at [Progressively update traffic](how-to-deploy-mlflow-models-online-progressive.md#progressively-update-the-traffic).*