+# Customer intent: I want to enrich tokens with claims from external identity data sources using APIs or outbound webhooks.

+#Customer Intent: As a developer or IT administrator, I want to use API connectors to integrate sign-up user flows with REST APIs to customize the sign-up experience and integrate with external systems.

+#Customer Intent: As a developer integrating Azure AD B2C into my application, I want to add an identity provider, so that users can sign in with their existing social or enterprise accounts without creating a new account.

+#Customer Intent: As an Azure AD B2C administrator, I want to set up a password reset flow for local accounts, so that users can reset their passwords if they forget them.

+#Customer Intent: As a developer integrating Azure Active Directory B2C into my application, I want to set up a sign-up and sign-in flow, so that users can sign up and sign in with local or social accounts, and reset their passwords if needed.

+#Customer Intent: As a developer using Azure Active Directory B2C, I want to add a new attribute to the sign-up journey, customize the input type, and define whether it's required, so that I can collect specific user information during the sign-up process.

+#Customer Intent: As an Azure AD B2C administrator, I want to investigate and mitigate identity-based risks using Identity Protection, so that I can identify at-risk users, view risk detections, and take appropriate actions to secure the Azure AD B2C tenant.

+#Customer Intent: As an Azure AD B2C administrator, I want to add AD FS as a SAML identity provider using custom policies, so that users can sign in with their AD FS accounts and access Azure AD B2C resources.

+#Customer Intent: As a developer integrating Azure AD B2C with AD FS, I want to configure AD FS as an OpenID Connect identity provider, so that users can sign in with their AD FS accounts in Azure AD B2C.

+#Customer Intent: As a developer using Azure Active Directory B2C, I want to set up sign-up and sign-in with an Amazon account, so that users can authenticate using their Amazon credentials.

+#Customer Intent: As a developer using Azure Active Directory B2C, I want to set up sign-up and sign-in with an Apple ID, so that users can authenticate using their Apple ID.

+#Customer Intent: As an Azure AD B2C administrator, I want to set up federation with another Azure AD B2C tenant, so that users from the other tenant can sign in to applications protected by my tenant using their existing accounts.

+#Customer Intent: As a developer using Azure Active Directory B2C, I want to set up sign-in for multi-tenant Microsoft Entra ID, so that users from multiple Entra tenants can sign in without configuring an identity provider for each tenant.

+#Customer Intent: As a developer using Azure Active Directory B2C, I want to set up sign-in for a single Microsoft Entra ID tenant, so that users from that organization can authenticate and access my application securely.

+#Customer Intent: As a developer integrating Azure Active Directory B2C, I want to set up sign-in with eBay as an identity provider, so that users can sign in with their eBay accounts.

+#Customer Intent: As a developer using Azure Active Directory B2C, I want to set up sign-in with a Facebook account, so that users can authenticate with their Facebook credentials and access my application.

+#Customer Intent: As a developer integrating Azure AD B2C with a custom OpenID Connect identity provider, I want to understand the steps to add the identity provider and configure the necessary settings, so that users can sign in securely using the custom identity provider.

+#Customer Intent: As a developer integrating Azure AD B2C with a SAML identity provider, I want to understand how to configure the SAML identity provider options, so that I can enable sign-in with the identity provider and map the claims correctly.

+#Customer Intent: As a developer integrating Azure AD B2C with a SAML identity provider, I want to configure the SAML technical profile and map the claims, so that users can sign in to my application using an existing social or enterprise identity.

+#Customer Intent: As a developer using Azure Active Directory B2C, I want to integrate GitHub as an identity provider, so that users can sign up and sign in with their GitHub accounts.

+#Customer Intent: As a developer, I want to set up sign-up and sign-in with an ID.me account using Azure Active Directory B2C, so that I can enable users to authenticate with their ID.me accounts.

+#Customer Intent: As a developer using Azure Active Directory B2C, I want to set up sign-up and sign-in with a LinkedIn account, so that users can authenticate using their LinkedIn credentials.

+#Customer Intent: As an Azure AD B2C administrator, I want to configure the sign-in methods for local accounts, so that users can sign up and sign in to the application using their preferred method (email, username, or phone number).

+#Customer Intent: As a developer using Azure Active Directory B2C, I want to set up sign-up and sign-in with a Microsoft account, so that users can authenticate using their Microsoft account credentials.

+#Customer Intent: As a developer integrating Azure Active Directory B2C, I want to set up sign-up and sign-in with Mobile ID, so that I can provide a strong multi-factor authentication solution for my customers and protect access to company data and applications.

+#Customer Intent: As a developer integrating PingOne with Azure Active Directory B2C, I want to set up sign-up and sign-in with a PingOne account, so that users can authenticate using their PingOne credentials.

+#Customer Intent: As a developer using Azure Active Directory B2C, I want to set up sign-up and sign-in with a QQ account, so that users can authenticate with their QQ accounts in my application.

+#Customer Intent: As a developed using Azure Active Directory B2C, I want to set up sign-in with a Salesforce SAML provider, so that users from my Salesforce organization can sign in to Azure AD B2C using their Salesforce accounts.

+#Customer Intent: As a developer integrating Salesforce with Azure Active Directory B2C, I want to set up sign-up and sign-in with a Salesforce account using Azure AD B2C, so that users can authenticate with their Salesforce credentials in my application.

+#Customer Intent: As a developer integrating SwissID accounts with Azure Active Directory B2C, I want to set up sign-up and sign-in functionality for customers with SwissID accounts, so that they can easily access my application using their existing credentials.

+#Customer Intent: As a developer setting up sign-up and sign-in with a Twitter account using Azure Active Directory B2C, I want to configure Twitter as an identity provider so that I can enable users to sign in with their Twitter accounts.

+#Customer Intent: As a developer using Azure Active Directory B2C, I want to set up sign-up and sign-in with a WeChat account, so that users can authenticate using their WeChat credentials.

+#Customer Intent: As a developer using Azure Active Directory B2C, I want to set up sign-up and sign-in with a Weibo account, so that users can authenticate with their Weibo credentials and access my application.

+#Customer Intent: As a developer, I want to access code samples for Azure Active Directory B2C, so that I can learn how to integrate authentication and user management into my web, mobile, and desktop applications using Azure AD B2C.

+#Customer Intent: As a developer customizing the user interface of an application in Azure Active Directory B2C, I want to enable JavaScript and page layout versions, so that I can create a more interactive and customized user experience for my users.

+#Customer Intent: As a developer integrating Azure Active Directory B2C into my application, I want to customize the language of a user flow, so that I can provide a localized experience for my customers in different locales.

+#Customer Intent: As an Azure AD B2C administrator, I want to manually create and delete consumer users in the Azure portal, so that I can manage user accounts for my applications.

+#Customer Intent: As an IT administrator or developer, I want to understand what Azure Active Directory B2C is and how it can be used for customer identity access management, so that I can determine if it is the right solution for authenticating end users to my web/mobile applications and managing access to API resources.

+#Customer Intent: As a developer building a desktop app, I want to set up sign-in functionality using Azure Active Directory B2C, so that I can authenticate users with social and enterprise accounts and protect my application and customer data.

+#Customer Intent: As a developer building a desktop app, I want to set up sign-in functionality using Azure Active Directory B2C, so that I can authenticate users with social and enterprise accounts and protect my application and customer data.

+#Customer Intent: As a developer building a single-page app, I want to set up sign-in functionality using Azure Active Directory B2C, so that I can authenticate users with social accounts and call a protected web API to retrieve user information.

+#Customer Intent: As a developer building an ASP.NET application, I want to set up sign-in functionality using Azure Active Directory B2C, so that I can authenticate users with social or enterprise accounts and protect my application and customer data.

+#Customer Intent: As an Azure AD B2C administrator, I want to assign users the least privileged role required to access resources, so that I can ensure proper access control and security within my tenant.

+#Customer intent: As a developer implementing Azure Active Directory B2C, I want to know the best practices for securing my identity solution, so that I can protect my users from bot attacks, fraudulent activities, and resource exhaustion.

+#Customer Intent: As a developer integrating Azure AD B2C into my application, I want to understand the different sign-in options available so that I can choose the appropriate method for my users and configure the sign-in flow accordingly.

+#Customer intent: As an Azure AD B2C tenant administrator, I want to monitor and manage the directory size quota, so that I can ensure that I don't exceed the maximum number of objects allowed in the directory and take necessary actions such as removing inactive users or requesting a quota increase.

+#Customer Intent: As an Azure AD B2C administrator, I want to mitigate credential attacks by using smart lockout, so that I can protect user accounts from unauthorized access.

+#Customer intent: As a developer, I want to understand the difference between user flows and custom policies, so that I can choose the best method for my business needs. I want to understand the scenarios that can be enabled with each method, and how to integrate them with my applications.

+# Quickstart: Custom sentiment analysis (preview)

+#### [Custom model (preview)](#tab/custom)

+Quota is specified in Provisioned throughput units and is specific to a (deployment type, model, region) triplet. Quota isn't interchangeable. Meaning you can't use quota for GPT-4 to deploy GPT-35-turbo. You can raise a support request to move quota across deployment types, models, or regions but the swap isn't guaranteed.

+### Determining the number of PTUs needed for a workload

+PTUs represent an amount of model processing capacity. Similar to your computer or databases, different workloads or requests to the model will consume different amounts of underlying processing capacity. The conversion from call shape characteristics (prompt size, generation size and call rate) to PTUs is complex and non-linear. To simplify this process, you can use the [Azure OpenAI Capacity calculator](https://oai.azure.com/portal/calculator) to size specific workload shapes.

+A few high-level considerations:

+- Generations require more capacity than prompts

+- Larger calls are progressively more expensive to compute. For example, 100 calls of with a 1000 token prompt size will require less capacity than 1 call with 100,000 tokens in the prompt. This also means that the distribution of these call shapes is important in overall throughput. Traffic patterns with a wide distribution that includes some very large calls may experience lower throughput per PTU than a narrower distribution with the same average prompt & completion token sizes.

+> [!NOTE]

+> Calls are accepted until utilization reaches 100%. Bursts just over 100% maybe permitted in short periods, but over time, your traffic is capped at 100% utilization.

+ "endpoint": "<your_computer_vision_endpoint>",

+ },

+| ```stop``` | string or array | Optional | null | Up to four sequences where the API will stop generating further tokens. The returned text won't contain the stop sequence. For GPT-4 Turbo with Vision, up to two sequences are supported. |

+> [!NOTE]

+> If you would like to enable [client source IP preservation][client-source-ip] for requests to containers in your cluster, add `--set controller.service.externalTrafficPolicy=Local` to the Helm install command. The client source IP is stored in the request header under *X-Forwarded-For*. When you're using an ingress controller with client source IP preservation enabled, TLS pass-through won't work.

+ --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-health-probe-request-path"=/healthz \

+ --set controller.service.externalTrafficPolicy=Local

+ --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-health-probe-request-path"=/healthz `

+ --set controller.service.externalTrafficPolicy=Local

+ --set controller.service.externalTrafficPolicy=Local \

+ --set controller.service.externalTrafficPolicy=Local `

+| 1.29 | Dec 2023 | Feb 2024 | Mar 2024 | | Until 1.33 GA |

+> The open source Microsoft Entra pod-managed identity (preview) in Azure Kubernetes Service was deprecated on 10/24/2022, and the project archived in Sept. 2023. For more information, see the [deprecation notice](https://github.com/Azure/aad-pod-identity#-announcement). The AKS Managed add-on was deprecated in Sept. 2024.

+> [!IMPORTANT]

+> The open source [Microsoft Entra pod-managed identity][entra-id-pod-managed-identity] (preview) in Azure Kubernetes Service was deprecated on 10/24/2022, and the project archived in Sept. 2023. For more information, see the [deprecation notice](https://github.com/Azure/aad-pod-identity#-announcement). The AKS Managed add-on was deprecated in Sept. 2024.

+>

+> We recommend you first review [Microsoft Entra Workload ID][workload-identity-overview] overview. This authentication method replaces Microsoft Entra pod-managed identity (preview) and is the recommended method.

+* AKS doesn't support the use of a system-assigned managed identity when using a custom private DNS zone.

+> If your cluster is already using managed identity and the identity was changed, for example you update the cluster identity type from system-assigned to user-assigned, there is a delay for control plane components to switch to the new identity. Control plane components keep using the old identity until its token expires. After the token is refreshed, they switch to the new identity. This process can take several hours.

+> Migrating a managed identity for the control plane, from system-assigned to user-assigned, doesn't cause any downtime for control plane and agent pools. Meanwhile, control plane components keep using the old system-assigned identity for several hours until the next token refresh.

+> Updating kubelet managed identity upgrades node pools, which causes downtime for your AKS cluster as the nodes in the node pools are cordoned/drained and reimaged.

+[entra-id-pod-managed-identity]: https://github.com/furkanyildiz/azure-docs/blob/feature/inform-deprecated-aks-identity/articles/aks/use-azure-ad-pod-identity.md

+Use GitHub Copilot Chat to search for APIs and API definitions based on semantic search queries.

+* [Getting started with GitHub Copilot](https://docs.github.com/copilot/using-github-copilot/getting-started-with-github-copilot)

+### [.NET 6.0+](#tab/core6x)

+### [.NET Core 3.x](#tab/core3x)

+description: Learn how to use feature filters in Azure App Configuration to enable conditional feature flags for your app.

+#Customerintent: As a developer, I want to create a feature filter to activate a feature flag depending on a specific scenario.

+## Prerequisites

+- An App Configuration store. [Create a store](./quickstart-azure-app-configuration-create.md#create-an-app-configuration-store).

+## Register a feature filter

+## Configure a feature filter in Azure App Configuration

+1. In the Azure portal, go to your configuration store and select **Feature manager**.

+ :::image type="content" source="./media/feature-filters/edit-beta-feature-flag.png" alt-text="Screenshot of the Azure portal, selecting the Edit option for the Beta feature flag, under Feature manager.":::

+1. On the line with the Beta feature flag you created in the quickstart, select the context menu and then **Edit**.

+1. In the **Edit feature flag** pane that opens, check the **Enable feature flag** checkbox if it isn't already enabled. Then check the **Use feature filter** checkbox and select **Create**.

+ :::image type="content" source="./media/feature-filters/edit-a-feature-flag.png" alt-text="Screenshot of the Azure portal, filling out the form 'Edit feature flag'.":::

+1. The pane **Create a new filter** opens. Under **Filter type**, select **Targeting filter** to enable a new filter for specific users or a group.

+ :::image type="content" source="./media/feature-filters/add-targeting-filter.png" alt-text="Screenshot of the Azure portal, creating a new targeting filter.":::

+1. Optionally expand the **Evaluation flow** menu to see a graph showing how the targeting filter is evaluated in the selected scenario. Leave the **Default Percentage** at 50. The options **Override by Groups** and **Override by Users** let you enable or disable the feature flag for select groups or users. These options are disabled by default.

+1. Select **Add** to save the new feature filter and return to the **Edit feature flag** screen.

+1. The feature filter you created is now listed in the feature flag details. Select **Apply** to save the new feature flag settings.

+ :::image type="content" source="./media/feature-filters/feature-flag-edit-apply-filter.png" alt-text="Screenshot of the Azure portal, applying new targeting filter.":::

+1. On the **Feature manager** page, the feature flag now has a **Feature filter(s)** value of **1**.

+ :::image type="content" source="./media/feature-filters/updated-feature-flag.png" alt-text="Screenshot of the Azure portal, displaying updated feature flag.":::

+ ### [.NET 6.0+](#tab/core6x)

+ ### [.NET Core 3.x](#tab/core3x)

+- West US 2

+- West US 3

+- South Central US

+- Canada Central

+- West Europe

+- North Europe

+- UK South

+- UK West

+- Sweden Central

+- Southeast Asia

+1. Configure your client application to acquire a Microsoft Entra token for scope `https://redis.azure.com/.default` or `acca5fbb-b7e4-4009-81f1-37e38fd66d78/.default` using the [Microsoft Authentication Library (MSAL)](/azure/active-directory/develop/msal-overview).

+

+*HttpExample.cs* contains a `Run` method that receives request data in the `req` variable as an [HttpRequest](/dotnet/api/microsoft.aspnetcore.http.httprequest) object. That parameter is decorated with the **HttpTriggerAttribute**, to define the trigger behavior.

+

+```csharp

+using System.Net;

+using Microsoft.Azure.Functions.Worker;

+using Microsoft.Extensions.Logging;

+using Microsoft.AspNetCore.Http;

+using Microsoft.AspNetCore.Mvc;

+namespace Company.Function

+{

+ public class HttpExample

+ {

+ private readonly ILogger<HttpExample> _logger;

+ public HttpExample(ILogger<HttpExample> logger)

+ {

+ _logger = logger;

+ }

+ [Function("HttpExample")]

+ public IActionResult Run([HttpTrigger(AuthorizationLevel.AuthLevelValue, "get", "post")] HttpRequest req)

+ {

+ _logger.LogInformation("C# HTTP trigger function processed a request.");

+ return new OkObjectResult("Welcome to Azure Functions!");

+ }

+ }

+}

+```

+

+The return object is an [IActionResult](/dotnet/api/microsoft.aspnetcore.mvc.iactionresult) object that contains the data that's handed back to the HTTP response.

+ |**Select a template for your project's first function**|Choose `HTTP trigger`.¹|

+ ¹ Depending on your VS Code settings, you may need to use the `Change template filter` option to see the full list of templates.

+public IActionResult Run([HttpTrigger(AuthorizationLevel.AuthLevelValue, "get", "post")] HttpRequest req)

+{

+ return new OkObjectResult("Welcome to Azure Functions!");

+}

+ > [!TIP]

+ > You can view additional templates by selecting the `Change template filter` option and setting it to "Core" or "All".

+JIT access works with multi-factor authentication that requires Microsoft engineers to use a smartcard to confirm their identity. All access to production systems is performed using Secure Admin Workstations (SAWs) that are consistent with published guidance on securing privileged access. Use of SAWs for access to production systems is required by Microsoft policy and compliance with this policy is closely monitored. These workstations use a fixed image with all software fully managed ΓÇô only select activities are allowed and users cannot accidentally circumvent the SAW design since they don't have admin privileges on these machines. Access is permitted only with a smartcard and access to each SAW is limited to specific set of users.

+In addition to consolidating and improving on the legacy Log Analytics agents, Azure Monitor Agent provides [various immediate benefits](./azure-monitor-agent-overview.md#benefits), including **cost savings, a simplified management experience, and enhanced security and performance.**

+ Review the generated rules before you create them and take advantage of advanced options, such as [filtering](../essentials/data-collection-transformations.md), granular targeting (per machine), and other optimizations. There are special steps needed to [migrate MMA custom logs to AMA custom logs](./azure-monitor-agent-custom-text-log-migration.md)

+ - If you've migrated to Azure Monitor Agent for all your requirements, [uninstall the Log Analytics agent](./agent-manage.md#uninstall-agent) from monitored resources. Clean up any configuration files, workspace keys, or certificates that were used previously by the Log Analytics agent. Continue using the legacy Log Analytics for features and solutions that Azure Monitor Agent doesn't support.

+

+ Use the [MMA removal tool](../agents/azure-monitor-agent-mma-removal-tool.md) to discovery and remove the Log Analytics agent extension from all machines within your tenant.

+¹ The DCR generator only converts the configurations for Windows event logs, Linux syslog and performance counters. Support for more features and solutions will be available soon.

+| [VM insights, Service Map, and Dependency agent](../vm/vminsights-overview.md) | Migrate to Azure Monitor Agent | Generally Available | [Enable VM Insights](../vm/vminsights-enable-overview.md) |

+| [Microsoft Sentinel](../../sentinel/overview.md) | Migrate to Azure Monitor Agent | Public Preview | See [AMA migration for Microsoft Sentinel](../../sentinel/ama-migrate.md). |

+| [Change Tracking and Inventory](../../automation/change-tracking/overview-monitoring-agent.md) | Migrate to Azure Monitor Agent | Generally Available | [Migration guidance from Change Tracking and inventory using Log Analytics to Change Tracking and inventory using Azure Monitoring Agent version](../../automation/change-tracking/guidance-migration-log-analytics-monitoring-agent.md) |

+| [Network Watcher](../../network-watcher/network-watcher-monitoring-overview.md) | Migrate to new service called Connection Monitor with Azure Monitor Agent | Generally Available | [Monitor network connectivity using Azure Monitor agent with connection monitor](../../network-watcher/azure-monitor-agent-with-connection-monitor.md) |

+| Azure Stack HCI Insights | Migrate to Azure Monitor Agent | Generally Available| [Monitor Azure Stack HCI with Insights](/azure-stack/hci/manage/monitor-hci-single) |

+| [Azure Virtual Desktop (AVD) Insights](../../virtual-desktop/insights.md) | Migrate to Azure Monitor Agent |Generally Available | [Use Azure Virtual Desktop Insights to monitor your deployment](../../virtual-desktop/insights.md#session-host-data-settings) |

+| [DNS Collector](../../sentinel/connect-dns-ama.md) | Use new Sentinel Connector | Generally Available | [Enable DNS Connector](../../sentinel/connect-dns-ama.md)|

+Webhook action groups generally follow these rules when called:

+ > [!NOTE]

+ > When you create a metric alert on a single resource, the syntax uses the `TargetResourceId`. When you create a metric alert on multiple resources, the syntax contains the `TargetResourceScope`, `TargetResourceType`, and `TargetResourceRegion`.

+ > [!NOTE]

+ > - We recommend that you create the metric alert using the same resource group as your target resource.

+ > - Metric alerts for an Azure Log Analytics workspace resource type (`Microsoft.OperationalInsights/workspaces`) are configured differently than other metric alerts. For more information, see [Resource Template for Metric Alerts for Logs](alerts-metric-logs.md#resource-template-for-metric-alerts-for-logs).

+ > - If you are creating a metric alert for a single resource, the template uses the `ResourceId` of the target resource. If you are creating a metric alert for multiple resources, the template uses the `scope`, `TargetResourceType`, and `TargetResourceRegion` for the target resources.

+> - In a metric alert rule that monitors multiple resources, only one condition is allowed.

+> - If you are creating a metric alert for a single resource, the template uses the `ResourceId` of the target resource. If you are creating a metric alert for multiple resources, the template uses the `scope`, `TargetResourceType`, and `TargetResourceRegion` for the target resources.

+> Microsoft Entra authentication is only available for Python v2.7, v3.6, and v3.7. Support for Microsoft Entra ID in the Application Insights OpenCensus Python SDK

+> [!NOTE]

+> [OpenCensus Python SDK is deprecated](https://opentelemetry.io/blog/2023/sunsetting-opencensus/), but Microsoft supports it until retirement on September 30, 2024. We now recommend the [OpenTelemetry-based Python offering](./opentelemetry-enable.md?tabs=python) and provide [migration guidance](./opentelemetry-python-opencensus-migrate.md?tabs=aspnetcore).

+> [!NOTE]

+> If your hosting environment or resource provider is not listed in the following table, autoinstrumentation is not supported. You can manually instrument your code using Application Insights SDKs or Azure Monitor OpenTelemetry Distros. For more information, see [Data Collection Basics of Azure Monitor Application Insights](opentelemetry-overview.md).

+- Python Application using Python 3.8+

+### Python < 3.8 support

+OpenTelemetry's Python-based monitoring solutions only support Python 3.8 and greater, excluding the previously supported Python versions 2.7, 3.4, 3.5, 3.6, and 3.7 from OpenCensus. We suggest upgrading for users who are on the older versions of Python since, as of writing this document, those versions have already reached [end of life](https://devguide.python.org/versions/). Users who are adamant about not upgrading may still use the OpenTelemetry solutions, but may find unexpected or breaking behavior that is unsupported. In any case, the last supported version of [opencensus-ext-azure](https://pypi.org/project/opencensus-ext-azure/) always exists, and stills work for those versions, but no new releases are made for that project.

+ * If the cluster is already onboarded, use [this ARM template](https://github.com/Azure/prometheus-collector/blob/main/AddonArmTemplate/WindowsRecordingRuleGroupTemplate/WindowsRecordingRules.json) and [this parameter file](https://github.com/Azure/prometheus-collector/blob/main/AddonArmTemplate/WindowsRecordingRuleGroupTemplate/WindowsRecordingRulesParameters.json) to create the rule groups.

+| (any) | Azure Monitor | Free Benefit - M365 Defender Data Ingestion | yes |

+The **Standard Data Included per Node** meter is used both for the Log Analytics [Per Node tier](logs/cost-logs.md#per-node-pricing-tier) data allowance, and also the [Defender for Servers data allowance](logs/cost-logs.md#workspaces-with-microsoft-defender-for-cloud), for workspaces in any pricing tier.

+The **Free Benefit - M365 Defender Data Ingestion** meter is used to record the benefit from the [Microsoft Sentinel benefit for Microsoft 365 E5, A5, F5, and G5 customers](https://azure.microsoft.com/offers/sentinel-microsoft-365-offer/).

+- **Daily cost analysis emails.** Once you've configured your Cost Analysis view, you should click **Subscribe** at the top of the screen to receive regular email updates from Cost Analysis.

+These exports are in CSV format and will contain a list of daily usage (billed quantity and cost) by resource, [billing meter](cost-meters.md), and several other fields such as [AdditionalInfo](../cost-management-billing/automate/understand-usage-details-fields.md#list-of-fields-and-descriptions). You can use Microsoft Excel to do rich analyses of your usage not possible in the **Cost Analytics** experiences in the portal.

+#### View data benefits used

+Since the usage export has both the number of units of usage and their cost, you can use this export to see the amount of benefits you are receiving from various offers such as the [Defender for Servers data allowance](logs/cost-logs.md#workspaces-with-microsoft-defender-for-cloud) and the [Microsoft Sentinel benefit for Microsoft 365 E5, A5, F5, and G5 customers](https://azure.microsoft.com/offers/sentinel-microsoft-365-offer/). In the usage export, to see the benefits, look for the meters named:

+- **Standard Data Included per Node**: this meter is under the service "Insight and Analytics" and tracks the benefits received when a workspace in either in Log Analytics [Per Node tier](logs/cost-logs.md#per-node-pricing-tier) data allowance and/or has [Defender for Servers](logs/cost-logs.md#workspaces-with-microsoft-defender-for-cloud) enabled.

+- **Free Benefit - M365 Defender Data Ingestion**: this meter, under the service "Azure Monitor", tracks the benefit from the [Microsoft Sentinel benefit for Microsoft 365 E5, A5, F5, and G5 customers](https://azure.microsoft.com/offers/sentinel-microsoft-365-offer/).

+> Data allocations from Defender for Servers 500 MB/server/day will appear in rows with the meter name "Standard Data Included per Node" and the meter category to "Insight and Analytics" (the name of a legacy offer still used with this meter.) If the workspace is in the legacy Per Node Log Analytics pricing tier, this meter will also include the data allocations from this Log Analytics pricing tier.

+An [Azure Monitor Logs dedicated cluster](logs-dedicated-clusters.md) is a collection of workspaces in a single managed Azure Data Explorer cluster. Dedicated clusters support advanced features, such as [customer-managed keys](customer-managed-keys.md), and use the same commitment-tier pricing model as workspaces, although they must have a commitment level of at least 100 GB per day. Any usage above the commitment level (overage) is billed at that same price per GB as provided by the current commitment tier. There's no pay-as-you-go option for clusters.

+Linking a Log Analytics workspace to a dedicated cluster in Azure Monitor provides advanced capabilities and higher query utilization. Clusters require a minimum ingestion commitment of 100 GB per day. You can link and unlink workspaces from a dedicated cluster without any data loss or service interruption.

+Log Analytics Dedicated Clusters use a commitment tier pricing model of at least 100 GB/day. Any usage above the tier level incurs charges based on the per-GB rate of that commitment tier. See [Azure Monitor Logs pricing details](cost-logs.md#dedicated-clusters) for pricing details for dedicated clusters. The commitment tiers have a 31-day commitment period from the time a commitment tier is selected.

+- **SkuCapacity**: You can set the commitment tier to 100, 200, 300, 400, 500, 1000, 2000, 5000, 10000, 25000, 50000 GB per day. For more information on cluster costs, see [Dedicate clusters](./cost-logs.md#dedicated-clusters).

+ "Capacity": 100

+ "capacity": 100

+ "minCapacity": 100

+ "capacity": 100

+ "minCapacity": 100

+When the data volume to linked workspaces changes over time, you can update the Commitment Tier level appropriately to optimize cost. The tier is specified in units of Gigabytes (GB) and can have values of 100, 200, 300, 400, 500, 1000, 2000, 5000, 10000, 25000, 50000 GB per day. You don't have to provide the full REST request body, but you must include the sku.

+az monitor log-analytics cluster update --resource-group "resource-group-name" --name "cluster-name" --sku-capacity 100

+Update-AzOperationalInsightsCluster -ResourceGroupName "resource-group-name" -ClusterName "cluster-name" -SkuCapacity 100

+- 400--Missing Capacity in SKU. Set Capacity value to 100, 200, 300, 400, 500, 1000, 2000, 5000, 10000, 25000, 50000 GB per day.

+- 400--No SKU was set. Set the SKU name to capacityReservation and Capacity value to 100, 200, 300, 400, 500, 1000, 2000, 5000, 10000, 25000, 50000 GB per day.

+Azure NetApp Files offers [multiple tools](https://aka.ms/anftools) to estimate costs, understand features and availability, and monitor your Azure NetApp Files deployment.

+| initialValue |Yes |any |Initial value.|

+When you create a template spec, you provide a version name for it. As you iterate on the template code, you can either update an existing version (for hotfixes) or publish a new version. The version is a text string. You can choose to follow any versioning system, including semantic versioning. Users of the template spec can provide the version name they want to use when deploying it. You can have an unlimit number of versions.

+| initialValue |Yes |any |Initial value.|

+When you create a template spec, you provide a version name for it. As you iterate on the template code, you can either update an existing version (for hotfixes) or publish a new version. The version is a text string. You can choose to follow any versioning system, including semantic versioning. Users of the template spec can provide the version name they want to use when deploying it. You can have an unlimit number of versions.

+- Communications are drafted and published according to the risk rating assigned.

+>[!tip]

+>Communications are surfaced through [Azure Service Health Portal](/azure/service-health/service-health-portal-update), [Known Issues](/azure/azure-vmware/azure-vmware-solution-known-issues) and Email.

+In this article, learn how to deploy Arc for Azure VMware Solution. Once you set up the components needed, you're ready to execute operations in Azure VMware Solution vCenter Server from the Azure portal. Arc-enabled Azure VMware Solution allows you to do the actions:

+## Deployment Considerations

+Running software in Azure VMware Solution, as a private cloud in Azure, offers some benefits not realized by operating your environment outside of Azure. For software running in a VM, such as SQL Server and Windows Server, running in Azure VMware Solution provides additional value such as free Extended Security Updates (ESUs).

+To take advantage of these benefits if you are running in an Azure VMware Solution it is important to enable Arc through this document to fully integrate the experience with the AVS private cloud. Alternatively, Arc-enabling VMs through the following mechanisms will not create the necessary attributes to register the VM and software as part of Azure VMware Solution and therefore result in billing for SQL Server ESUs for:

+- Arc-enabled servers,

+- Arc-enabled VMware vSphere

+- SQL Server enabled by Azure Arc

+## How to manually integrate an Arc-enabled VM into Azure VMware Solutions

+When a VM in Azure VMware Solution private cloud is Arc-enabled using a method distinct from the one outlined in this document, the following steps are provided to refresh the integration between the Arc-enabled VMs and Azure VMware Solution

+These steps change the VM machine type from _Machine – Azure Arc_ to type _Machine – Azure Arc (AVS),_ which has the necessary integrations with Azure VMware Solution. 

+There are two ways to refresh the integration between the Arc-enabled VMs and Azure VMware Solution:  

+1. In the Azure VMware Solution private cloud, navigate to the vCenter Server inventory and Virtual Machines section within the portal. Locate the virtual machine that requires updating and follow the process to 'Enable in Azure'. If the option is grayed out, you must first **Remove from Azure** and then proceed to **Enable in Azure**

+2. Run the [az connectedvmware vm create ](/cli/azure/connectedvmware/vm?view=azure-cli-latest%22%20\l%20%22az-connectedvmware-vm-create)Azure CLI command on the VM in Azure VMware Solution to update the machine type. 

+```azurecli

+az connectedvmware vm create --subscription <subscription-id> --location <Azure region of the machine> --resource-group <resource-group-name> --custom-location /providers/microsoft.extendedlocation/customlocations/<custom-location-name> --name <machine-name> --inventory-item /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.ConnectedVMwarevSphere/VCenters/<vcenter-name>/InventoryItems/<machine-name>

+```

+- Is Enabled in Azure.

+- **Soft Delete**: With soft delete, even if a malicious actor deletes a backup (or backup data is accidentally deleted), the backup data is retained for 14 additional days, allowing the recovery of that backup item with no data loss. The additional 14 days of retention for backup data in the "soft delete" state don't incur any cost to you. Additionally, Azure Backup provides *Enhanced soft delete*, an improvement to the soft delete feature. With enhanced soft delete, you can *customize soft delete retention period* and make *soft delete always-on*, thus protecting it from being disabled by any malicious actors. Learn more about [Soft delete](backup-azure-security-feature-cloud.md) and [Enhanced soft delete](backup-azure-enhanced-soft-delete-about.md).

+This update contains the following enhancement to improve the backup time. For more information on the enhancements and the installation, see the [KB article](https://support.microsoft.com/topic/hotfix-for-update-rollup-2-for-microsoft-azure-backup-server-v3-3ef522f7-c307-47e2-827d-8e14f1e84017).

+* [Use Modern Backup Storage with Backup Server](backup-mabs-add-storage.md)

+## Advantages of this approach

+## Migration procedure using the Azure portal

+1. Create a non vnet classic cloud service in the same region as the vnet you want to migrate to. In the Azure portal, select the 'Staging' drop-down.

+- No outgoing and incoming audio when switching browser to background or locking the device. This issue has been fixed in iOS version 16.4+.

+> [!IMPORTANT]

+> Azure Notification Hubs has announced that Firebase Cloud Messaging (FCM) legacy API will be deprecated in July 2024. This will affect all Azure Communiation Services Calling applications who send Android push notifications. Customers impacted will need to migrate their registrations from FCM legacy to FCM v1, and can start doing so in March 2024. For more information including migration steps, please see [Notifcation Hub documentation](../../notification-hubs/notification-hubs-gcm-to-fcm.md).

+## Using Diagnostic Settings

+Diagnostic Settings for container groups is a preview feature and it can be enabled through preview features options in Azure portal. Once this feature is enabled for a subscription, Diagnostic Settings can be applied to a container group. Applying Diagnostic Settings will cause a container group to restart.

+For example, here is how we can use New-AzDiagnosticSetting command to apply a Diagnostic Settings object to a container group.

+```azurepowershell

+$log = @()

+$log += New-AzDiagnosticSettingLogSettingsObject -Enabled $true -Category ContainerInstanceLog -RetentionPolicyDay 7 -RetentionPolicyEnabled $true

+

+New-AzDiagnosticSetting -Name test-setting -ResourceId <container-group-resource-id> -WorkspaceId <log-analytics-workspace-id> -Log $log

+```

+> [!IMPORTANT]

+> Docker Compose's integration for ACI has been retired in November 2023. See also: [Retirement Date Pending](https://github.com/docker/compose-cli?tab=readme-ov-file#warning-retirement-date-pending).

+ACR is temporarily pausing ACR Tasks runs from Azure free credits. This may affect existing Tasks runs. If you encounter problems, open a [support case](../azure-portal/supportability/how-to-create-azure-support-request.md) for our team to provide additional guidance. We'll remove this note when this pause is lifted.

+- We don't support enabling CMK on existing accounts that are enabled for Materialized Views and [all versions and deletes change feed mode](nosql/change-feed-modes.md#all-versions-and-deletes-change-feed-mode-preview).

+ :::image type="content" source="./media/enable-preview-features-cost-management-labs/reopen-cost-management.png" alt-text="Screenshot showing a Reopen Cost Management notification." :::

+## Exports (preview)

+The improved exports experience is designed to streamline your FinOps practice. It includes automatic exports of more cost-impacting datasets, optimized to handle large datasets while enhancing the user experience. You can export more datasets, including price sheets, reservation recommendations, reservation details, and reservation transactions. Furthermore, you can download cost and usage details using the open-source [FinOps Open Cost and Usage Specification (FOCUS)](https://focus.finops.org) format. The format combines actual and amortized costs and reduces data processing times and storage and compute costs.

+The enhanced user interface allows you to easily create multiple exports for various cost management datasets using a single, simplified creation experience. You can also selectively rerun an existing Export job for a historical date range instead of creating a new one-time export of the required date range.

+You can easily handle large datasets through features like file partitioning, break the file into manageable chunks and file overwrite for daily exports, which replaces the previous dayΓÇÖs file with an updated file each day and the upcoming support for Parquet format and file compression. These optimizations improve file manageability, reduce download latency, and save on storage and network charges.

+You can choose the latest or any of the previous dataset schema versions during the export creation. Selecting a version ensures that the data processing layers that you build on top of the datasets can be reused without compromising on the latest API functionality.

+And, you can enhance security and compliance by configuring exports to storage accounts behind a firewall, which provides access control for the public endpoint of the storage account.

+- Importing data into NFS Azure file shares isn't supported by Azure Data Box. Copying data from Data Box into an existing NFS Azure file share with an identical name as your source folder creates a conflict. To resolve this conflict, Data Box renames the source share to `databox-<GUID>` and uploads it to the target storage account as an SMB Azure file share.

+| **Adaptive application control policy violation was audited**<br>VM_AdaptiveApplicationControlWindowsViolationAudited | The below users ran applications that are violating the application control policy of your organization on this machine. It can possibly expose the machine to malware or application vulnerabilities. | Execution | Informational |

+| **Adaptive application control policy violation was audited**<br>(VM_AdaptiveApplicationControlLinuxViolationAudited) | The below users ran applications that are violating the application control policy of your organization on this machine. It can possibly expose the machine to malware or application vulnerabilities. | Execution | Informational |

+| **Communication with possible phishing domain**<br>(AzureDNS_PhishingDomain) | Analysis of DNS transactions from %{CompromisedEntity} detected a request for a possible phishing domain. Such activity, while possibly benign, is frequently performed by attackers to harvest credentials to remote services. Typical related attacker activity is likely to include the exploitation of any credentials on the legitimate service. | Exfiltration | Informational |

+| **Communication with suspicious algorithmically generated domain**<br>(AzureDNS_DomainGenerationAlgorithm) | Analysis of DNS transactions from %{CompromisedEntity} detected possible usage of a domain generation algorithm. Such activity, while possibly benign, is frequently performed by attackers to evade network monitoring and filtering. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools. | Exfiltration | Informational |

+| **Communication with suspicious random domain name**<br>(AzureDNS_RandomizedDomain) | Analysis of DNS transactions from %{CompromisedEntity} detected usage of a suspicious randomly generated domain name. Such activity, while possibly benign, is frequently performed by attackers to evade network monitoring and filtering. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools. | Exfiltration | Informational |

+| **NMap scanning detected**<br>(AppServices_Nmap) | Azure App Service activity log indicates a possible web fingerprinting activity on your App Service resource.<br>The suspicious activity detected is associated with NMAP. Attackers often use this tool for probing the web application to find vulnerabilities.<br>(Applies to: App Service on Windows and App Service on Linux) | PreAttack | Informational |

+| **Suspicious User Agent detected**<br>(AppServices_UserAgentInjection) | Azure App Service activity log indicates requests with suspicious user agent. This behavior can indicate on attempts to exploit a vulnerability in your App Service application.<br>(Applies to: App Service on Windows and App Service on Linux) | Initial Access | Informational |

+| **Attempt to create a new Linux namespace from a container detected**<br>(K8S.NODE_NamespaceCreation) ^{[1](#footnote1)} | Analysis of processes running within a container in Kubernetes cluster detected an attempt to create a new Linux namespace. While this behavior might be legitimate, it might indicate that an attacker tries to escape from the container to the node. Some CVE-2022-0185 exploitations use this technique. | PrivilegeEscalation | Informational |

+| **Command within a container running with high privileges**<br>(K8S.NODE_PrivilegedExecutionInContainer) ^{[1](#footnote1)} | Machine logs indicate that a privileged command was run in a Docker container. A privileged command has extended privileges on the host machine. | PrivilegeEscalation | Informational |

+| **Container running in privileged mode**<br>(K8S.NODE_PrivilegedContainerArtifacts) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected the execution of a Docker command that is running a privileged container. The privileged container has full access to the hosting pod or host resource. If compromised, an attacker may use the privileged container to gain access to the hosting pod or host. | PrivilegeEscalation, Execution | Informational |

+| **Container with a sensitive volume mount detected**<br>(K8S_SensitiveMount) | Kubernetes audit log analysis detected a new container with a sensitive volume mount. The volume that was detected is a hostPath type which mounts a sensitive file or folder from the node to the container. If the container gets compromised, the attacker can use this mount for gaining access to the node. | Privilege Escalation | Informational |

+| **Creation of admission webhook configuration detected**<br>(K8S_AdmissionController) ^{[3](#footnote3)} | Kubernetes audit log analysis detected a new admission webhook configuration. Kubernetes has two built-in generic admission controllers: MutatingAdmissionWebhook and ValidatingAdmissionWebhook. The behavior of these admission controllers is determined by an admission webhook that the user deploys to the cluster. The usage of such admission controllers can be legitimate, however attackers can use such webhooks for modifying the requests (in case of MutatingAdmissionWebhook) or inspecting the requests and gain sensitive information (in case of ValidatingAdmissionWebhook). | Credential Access, Persistence | Informational |

+| **Detected suspicious file download**<br>(K8S.NODE_SuspectDownloadArtifacts) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected a suspicious download of a remote file. | Persistence | Informational |

+| **Docker build operation detected on a Kubernetes node**<br>(K8S.NODE_ImageBuildOnNode) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected a build operation of a container image on a Kubernetes node. While this behavior might be legitimate, attackers might build their malicious images locally to avoid detection. | DefenseEvasion | Informational |

+| **New container in the kube-system namespace detected**<br>(K8S_KubeSystemContainer) ^{[3](#footnote3)} | Kubernetes audit log analysis detected a new container in the kube-system namespace that isn't among the containers that normally run in this namespace. The kube-system namespaces shouldn't contain user resources. Attackers can use this namespace for hiding malicious components. | Persistence | Informational |

+| **New high privileges role detected**<br>(K8S_HighPrivilegesRole) ^{[3](#footnote3)} | Kubernetes audit log analysis detected a new role with high privileges. A binding to a role with high privileges gives the user\group high privileges in the cluster. Unnecessary privileges might cause privilege escalation in the cluster. | Persistence | Informational |

+| **Privileged container detected**<br>(K8S_PrivilegedContainer) | Kubernetes audit log analysis detected a new privileged container. A privileged container has access to the node's resources and breaks the isolation between containers. If compromised, an attacker can use the privileged container to gain access to the node. | Privilege Escalation | Informational |

+| **Process seen accessing the SSH authorized keys file in an unusual way**<br>(K8S.NODE_SshKeyAccess) ^{[1](#footnote1)} | An SSH authorized_keys file was accessed in a method similar to known malware campaigns. This access could signify that an actor is attempting to gain persistent access to a machine. | Unknown | Informational |

+| **Role binding to the cluster-admin role detected**<br>(K8S_ClusterAdminBinding) | Kubernetes audit log analysis detected a new binding to the cluster-admin role which gives administrator privileges. Unnecessary administrator privileges might cause privilege escalation in the cluster. | Persistence | Informational |

+| **SSH server is running inside a container**<br>(K8S.NODE_ContainerSSH) ^{[1](#footnote1)} | Analysis of processes running within a container detected an SSH server running inside the container. | Execution | Informational |

+| **Privileged custom role created for your subscription in a suspicious way (Preview)**<br>(ARM_PrivilegedRoleDefinitionCreation) | Microsoft Defender for Resource Manager detected a suspicious creation of privileged custom role definition in your subscription. This operation might have been performed by a legitimate user in your organization. Alternatively, it might indicate that an account in your organization was breached, and that the threat actor is trying to create a privileged role to use in the future to evade detection. | Privilege Escalation, Defense Evasion | Informational |

+| **Possible incoming %{Service Name} brute force attempts detected**<br>(Generic_Incoming_BF_OneToOne) | Network traffic analysis detected incoming %{Service Name} communication to %{Victim IP}, associated with your resource %{Compromised Host} from %{Attacker IP}. When the compromised resource is a load balancer or an application gateway, the suspected incoming traffic has been forwarded to one or more of the resources in the backend pool (of the load balancer or application gateway). Specifically, sampled network data shows suspicious activity between %{Start Time} and %{End Time} on port %{Victim Port}. This activity is consistent with brute force attempts against %{Service Name} servers. | PreAttack | Informational |

+| **Traffic detected from IP addresses recommended for blocking** <br>(Network_TrafficFromUnrecommendedIP) | Microsoft Defender for Cloud detected inbound traffic from IP addresses that are recommended to be blocked. This typically occurs when this IP address doesn't communicate regularly with this resource. Alternatively, the IP address has been flagged as malicious by Defender for Cloud's threat intelligence sources. | Probing | Informational |

+ Title: Configure monitoring coverage

+description: Learn how to configure the different monitoring components that are available in Defender for Servers in Microsoft Defender for Cloud.

+# Configure monitoring coverage

+Microsoft Defender for Cloud's Defender for Servers plans contains components that monitor your environments to provide extended coverage on your servers. Each of these components can be enabled, disabled or configured to your meet your specific requirements.

+| Component | Availability | Description | Learn more |

+|--|--|--|--|

+| [Log Analytics agent](plan-defender-for-servers-agents.md) | Plan 1 and Plan 2 | Collects security-related configurations and event logs from the machine and stores the data in your Log Analytics default or custom workspace for analysis. | [Learn more](../azure-monitor/agents/log-analytics-agent.md) about the Log Analytics agent. |

+| [Vulnerability assessment for machines](deploy-vulnerability-assessment-defender-vulnerability-management.md) | Plan 1 and Plan 2 |Enables vulnerability assessment on your Azure and hybrid machines. | [Learn more](monitoring-components.md) about how Defender for Cloud collects data. |

+| [Endpoint protection](integration-defender-for-endpoint.md) | Plan 1 and Plan 2 | Enables protection powered by Microsoft Defender for Endpoint, including automatic agent deployment to your servers, and security data integration with Defender for Cloud | [Learn more](integration-defender-for-endpoint.md) about endpoint protection. |

+| [Agentless scanning for machines](concept-agentless-data-collection.md) | Plan 2 | Scans your machines for installed software and vulnerabilities without relying on agents or impacting machine performance. | [Learn more](concept-agentless-data-collection.md) about agentless scanning for machines. |

+When you enable Defender for Servers plan 2, all of these components are toggled to **On** by default.

+## Configure Log Analytics agent

+After enabling the Log Analytics agent, you'll be presented with the option to select which workspace should be utilized.

+**To configure the Log Analytics agent**:

+1. Select **Edit configuration**.

+ :::image type="content" source="media/configure-servers-coverage/edit-configuration-log.png" alt-text="Screenshot that shows you where on the screen you need to select edit configuration, to edit the log analytics agent/azure monitor agent." lightbox="media/configure-servers-coverage/edit-configuration-log.png":::

+1. Select either a **Default workspace(s)** or a **Custom workspace** depending on your need.

+ :::image type="content" source="media/configure-servers-coverage/auto-provisioning-screen.png" alt-text="Screenshot of the auto provisioning configuration screen with the available options to select." lightbox="media/configure-servers-coverage/auto-provisioning-screen.png":::

+1. Select **Apply**.

+1. Select **Continue**.

+## Configure vulnerability assessment for machines

+Vulnerability assessment for machines allows you to select between two vulnerability assessment solutions:

+- Microsoft Defender Vulnerability Management

+- Microsoft Defender for Cloud integrated Qualys scanner

+**To select either of the vulnerability assessment solutions**:

+1. Select **Edit configuration**.

+ :::image type="content" source="media/configure-servers-coverage/vulnerability-edit.png" alt-text="Screenshot that shows you where to select edit for vulnerabilities assessment for machines." lightbox="media/configure-servers-coverage/vulnerability-edit.png":::

+1. In the Extension deployment configuration window, select either of the solutions depending on your need.

+1. Select **Apply**.

+1. Select **Continue**.

+## Configure endpoint protection

+With Microsoft Defender for Servers, you enable the protections provided by [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide) to your server resources. Defender for Endpoint includes automatic agent deployment to your servers, and security data integration with Defender for Cloud.

+To configure endpoint protection:

+1. Toggle the switch to **On**.

+1. Select **Continue**.

+## Configure agentless scanning for machines

+Defender for Cloud has the ability to scan your Azure machines for installed software and vulnerabilities without requiring you to install agents, have network connectivity or affect your machine's performance.

+**To configure agentless scanning for machines**:

+1. Select **Edit configuration**.

+ :::image type="content" source="media/configure-servers-coverage/agentless-scanning-edit.png" alt-text="Screenshot that shows where you need to select to edit the configuration of the agentless scanner." lightbox="media/configure-servers-coverage/agentless-scanning-edit.png":::

+1. Enter a tag name and tag value for any machines to be excluded from scans.

+1. Select **Apply**.

+1. Select **Continue**.

+Learn more about agentless scanning and how to [enable agentless scanning](enable-agentless-scanning-vms.md) on other cloud environments.

+|Date | Update |

+|-|-|

+| January 25 | [Deprecation of security alerts and update of security alerts to informational severity level](#deprecation-of-security-alerts-and-update-of-security-alerts-to-informational-severity-level) |

+### Deprecation of security alerts and update of security alerts to informational severity level

+January 25, 2024

+This announcement includes container security alerts that are deprecated, and security alerts whose severity level is updated to **Informational**.

+- The following container security alerts are deprecated:

+ - `Anomalous pod deployment (Preview) (K8S_AnomalousPodDeployment)`

+ - `Excessive role permissions assigned in Kubernetes cluster (Preview) (K8S_ServiceAcountPermissionAnomaly)`

+ - `Anomalous access to Kubernetes secret (Preview) (K8S_AnomalousSecretAccess)`

+The following security alerts are updated to the **informational** severity level:

+- **Alerts for Windows machines**:

+

+ - `Adaptive application control policy violation was audited (VM_AdaptiveApplicationControlWindowsViolationAudited)`

+ - `Adaptive application control policy violation was audited (VM_AdaptiveApplicationControlLinuxViolationAudited)`

+

+- **Alerts for containers**:

+

+ - `Attempt to create a new Linux namespace from a container detected (K8S.NODE_NamespaceCreation)`

+ - `Attempt to stop apt-daily-upgrade.timer service detected (K8S.NODE_TimerServiceDisabled)`

+ - `Command within a container running with high privileges (K8S.NODE_PrivilegedExecutionInContainer)`

+ - `Container running in privileged mode (K8S.NODE_PrivilegedContainerArtifacts)`

+ - `Container with a sensitive volume mount detected (K8S_SensitiveMount)`

+ - `Creation of admission webhook configuration detected (K8S_AdmissionController)`

+ - `Detected suspicious file download (K8S.NODE_SuspectDownloadArtifacts)`

+ - `Docker build operation detected on a Kubernetes node (K8S.NODE_ImageBuildOnNode)`

+ - `New container in the kube-system namespace detected (K8S_KubeSystemContainer)`

+ - `New high privileges role detected (K8S_HighPrivilegesRole)`

+ - `Privileged container detected (K8S_PrivilegedContainer)`

+ - `Process seen accessing the SSH authorized keys file in an unusual way (K8S.NODE_SshKeyAccess)`

+ - `Role binding to the cluster-admin role detected (K8S_ClusterAdminBinding)`

+ - `SSH server is running inside a container (K8S.NODE_ContainerSSH)`

+

+- **Alerts for DNS**:

+ - `Communication with suspicious algorithmically generated domain (AzureDNS_DomainGenerationAlgorithm)`

+ - `Communication with suspicious algorithmically generated domain (DNS_DomainGenerationAlgorithm)`

+ - `Communication with suspicious random domain name (Preview) (DNS_RandomizedDomain)`

+ - `Communication with suspicious random domain name (AzureDNS_RandomizedDomain)`

+ - `Communication with possible phishing domain (AzureDNS_PhishingDomain)`

+ - `Communication with possible phishing domain (Preview) (DNS_PhishingDomain)`

+

+- **Alerts for Azure App Service**:

+ - `NMap scanning detected (AppServices_Nmap)`

+ - `Suspicious User Agent detected (AppServices_UserAgentInjection)`

+

+- **Alerts for Azure network layer**:

+

+ - `Possible incoming SMTP brute force attempts detected (Generic_Incoming_BF_OneToOne)`

+ - `Traffic detected from IP addresses recommended for blocking (Network_TrafficFromUnrecommendedIP)`

+- **Alerts for Azure Resource Manager**:

+ - `Privileged custom role created for your subscription in a suspicious way (Preview)(ARM_PrivilegedRoleDefinitionCreation)`

+

+See the full [list of security alerts](alerts-reference.md).

+Once the plan has been enabled, you have the ability to [configure the monitoring settings](configure-servers-coverage.md) to suit your needs.

+Once the plan has been enabled, you have the ability to [configure the monitoring settings](configure-servers-coverage.md) to suit your needs.

+Once the plan has been enabled, you have the ability to [configure the monitoring settings](configure-servers-coverage.md) to suit your needs.

+Once the plan has been enabled, you have the ability to [configure the monitoring settings](configure-servers-coverage.md) to suit your needs.

+Once the plan has been enabled, you have the ability to [configure the monitoring settings](configure-servers-coverage.md) to suit your needs.

+[Configure monitoring coverage](configure-servers-coverage.md)

+When creating a Web Hook event subscription, you can configure it to use the same TLS version as the topic or explicitly specify the minimum TLS version. If you do so, Event Grid fails to deliver events to a Web Hook that doesn't support the minimum version of TLS or higher.

+## Configure minimum TLS version for a topic or a domain in the Azure portal

+You can specify the minimum TLS version when creating an Event Grid topic or a domain in the Azure portal on the **Security** tab. The screenshots are for an Event Grid topic and the user interface for configuring this property for a domain is similar.

+## Configure minimum TLS version for a topic or a domain using Resource Manager template

+To configure the minimum TLS version for an Event Grid topic or domain with a template, create a template with the `MinimumTlsVersion` property set to 1.0, 1.1, or 1.2. When you create an Event Grid topic or domain with an Azure Resource Manager template, the `MinimumTlsVersion` property is set to 1.2 by default, unless explicitly set to another version The sample template in this article is for an Event Grid topic and the template for configuring the TLS version for a domain is similar.

+## Configure minimum TLS version for a Web Hook event subscription

+When creating a Web Hook event subscription, you can configure it to use the same TLS version as the topic or explicitly specify the minimum TLS version.

+For an existing Web Hook event subscription, navigate to the **Event Subscription** page and then you can update the TLS setting on the **Additional features** tab. By default, the event subscription uses the same TLS version as the topic.

+

+ Title: Enforce a minimum TLS version for requests to an Azure Event Grid topic, domain, or subscription

+description: Configure an Azure Event Grid topic or domain to require a minimum version of Transport Layer Security (TLS) for clients making requests against the topic, domain, or subscription.

+# Enforce a minimum required version of Transport Layer Security (TLS) for an Event Grid topic, domain, or subscription

+Communication between a client application and an Azure Grid topic, domain, or subscription is encrypted using Transport Layer Security (TLS). For information about TLS in general, see [Transport Layer Security](https://datatracker.ietf.org/wg/tls/about/).

+Azure Event Grid supports choosing a specific TLS version for topics, domains, or subscriptions (when using a Web Hook destination). Currently Azure Event Grid uses TLS 1.2 on public endpoints by default, but TLS 1.0 and TLS 1.1 are still supported for backward compatibility.

+Azure Event Grid topics or domains permit clients to send and receive data with TLS 1.0 and above. To enforce stricter security measures, you can configure your Event Grid topic or domain to require that clients send and receive data with a newer version of TLS. If an Event Grid topic or domain requires a minimum version of TLS, then any requests made with an older version fail.

+When creating a Web Hook event subscription, you can configure it to use the same TLS version as the topic or explicitly specify the minimum TLS version. If you do so, Event Grid will fail to deliver events to a Web Hook that doesn't support the minimum version of TLS or above.

+ Title: 'Quickstart: Create and modify ExpressRoute circuits - Azure portal'

+description: In this quickstart, you learn how to create, provision, verify, update, delete, and deprovision ExpressRoute circuits by using the Azure portal.

+zone_pivot_groups: expressroute-experience

+# Quickstart: Create and modify ExpressRoute circuits

+### Sign in to the Azure portal

+Sign in to the Azure portal with this [Preview link](https://aka.ms/expressrouteguidedportal). This link is required to access the new preview create experience for an ExpressRoute circuit.

+### Create a new ExpressRoute circuit (Preview)

+> [!IMPORTANT]

+> Your ExpressRoute circuit is billed from the moment a service key is issued. Ensure that you perform this operation when the connectivity provider is ready to provision the circuit.

+1. On the Azure portal menu, select **+ Create a resource**. Search for **ExpressRoute (preview)** and then select **Create**.

+ :::image type="content" source="./media/expressroute-howto-circuit-portal-resource-manager/create-expressroute-circuit-new.png" alt-text="Screenshot of preview create experience of ExpressRoute circuit resource.":::

+1. Select the **Subscription** and **Resource Group** for the circuit. Then select the type of **Resiliency** for your setup.

+ **Maximum Resiliency** - This option provides the highest level of resiliency for your ExpressRoute circuit. It provides two ExpressRoute circuits with local redundancy in two different ExpressRoute locations.

+ :::image type="content" source="./media/expressroute-howto-circuit-portal-resource-manager/maximum-resiliency.png" alt-text="Diagram of maximum resiliency for an ExpressRoute connection.":::

+ **Standard Resiliency** - This option provides a single ExpressRoute circuit with local redundancy at a single ExpressRoute location.

+

+ :::image type="content" source="./media/expressroute-howto-circuit-portal-resource-manager/standard-resiliency.png" alt-text="Diagram of standard resiliency for an ExpressRoute connection.":::

+1. Enter or select the following information for the respective resiliency type.

+ :::image type="content" source="./media/expressroute-howto-circuit-portal-resource-manager/new-configuration.png" alt-text="Screenshot of the new ExpressRoute circuit configuration page.":::

+ **Maximum Resiliency**

+ | Setting | Value |

+ | | |

+ | Use existing circuit or create new | You can augment resiliency of an existing standard circuit by selecting **Use existing circuit** and selecting an existing circuit for the first location. If you select **Use existing circuit**, you only need to configure the second circuit. If you select **Create new**, enter following information for both the new ExpressRoute circuit. |

+ | Region | Select the region closest to the peering location of the circuit. |

+ | Name | Enter a name for the ExpressRoute circuit. |

+ | Port type | Select if you're connecting to a service provider or directly into Microsoft's global network at a peering location. |

+ | Peering Location (Provider port type) | Select the physical location where you're peering with Microsoft. |

+ | Provider (Provider port type)| Select the internet service provider who you are requesting your service from. |

+ | ExpressRoute Direct resource (Direct port type) | Select the ExpressRoute Direct resource that you want to use. |

+ | Bandwidth | Select the bandwidth for the ExpressRoute circuit. |

+ | SKU | Select the SKU for the ExpressRoute circuit. You can specify **Local** to get the local SKU, **Standard** to get the standard SKU or **Premium** for the premium add-on. You can change between Local, Standard and Premium. |

+ | Billing model | Select the billing type for egress data charge. You can specify **Metered** for a metered data plan and **Unlimited** for an unlimited data plan. You can change the billing type from **Metered** to **Unlimited**. |

+ > [!IMPORTANT]

+ > * The Peering Location indicates the [physical location](expressroute-locations.md) where you are peering with Microsoft. This is **not** linked to "Location" property, which refers to the geography where the Azure Network Resource Provider is located. While they're not related, it is a good practice to choose a Network Resource Provider geographically close to the Peering Location of the circuit.

+ > * You can't change the SKU from **Standard/Premium** to **Local** in Azure portal. To downgrade the SKU to **Local**, you can use [Azure PowerShell](expressroute-howto-circuit-arm.md) or [Azure CLI](howto-circuit-cli.md).

+ > * You can't change the type from **Unlimited** to **Metered**.

+ Complete the same information for the second ExpressRoute circuit. When selecting an ExpressRoute location for the second circuit, you are provided with distances information from the first ExpressRoute location. This information can help you select the second ExpressRoute location.

+ :::image type="content" source="./media/expressroute-howto-circuit-portal-resource-manager/peering-location-distance.png" alt-text="Screenshot of distance information from first ExpressRoute circuit.":::

+ **Standard Resiliency**

+ For standard resiliency, you only need to enter information for one ExpressRoute circuit.

+1. Select **Review + create** and then select **Create** to deploy the ExpressRoute circuit.

+ :::image type="content" source="./media/expressroute-howto-circuit-portal-resource-manager/expressroute-create-basic.png" alt-text="Screenshot of how to configure the resource group and region.":::

+1. When you enter in the values on this page, make sure that you specify the correct SKU tier (Local, Standard, or Premium) and data metering billing model (Unlimited or Metered).

+| [Number of VMs in virtual network](#vm) | Availability | Count | Maximum | Estimated number of VMs in the virtual network | No Dimensions | Yes |

+On the rightmost pane of the asset details page, users can access more expansive data related to the selected asset. This data is organized in a series of categorized tabs. The available metadata tabs change depending on the type of asset you're viewing.

+Certain tabs display a "Recent only" toggle in the upper-right corner. By default, Defender EASM displays all data that we've collected for each asset, including historical observations that may not be actively running on your current attack surface. While this historical context is very valuable for certain use cases, the "Recent only" toggle will limit all results on the Asset Details page to those most recently observed on the asset. It is recommended that you use the "Recent only" toggle when you only wish to view data that represents the current state of the asset for remediation purposes.

+

+

+5. Select the seeds that you want to use for this discovery group. Seeds are known assets that belong to your organization. The Defender EASM platform scans these entities and maps their connections to other online infrastructure to create your attack surface. Since Defender EASM is intended to monitor your attack surface from an external perspective, private IP addresses cannot be included as discovery seeds.

+ > * With Standard tier, you can only use custom rules with WAF. To deploy managed rules and bot protection, choose Premium tier. For detailed comparison, see [Azure Front Door tier comparison](./standard-premium/tier-comparison.md).

+> [!NOTE]

+> * The endpoint list will only show Front Door and CDN profiles within the same subscription.

+After a customer has added an offer, a service provider may publish an updated version of the same offer to Azure Marketplace, such as to add a new role definition. If a new version of the offer has been published, the **Service provider offers** page shows an "update" icon in the row for that offer. Select this icon to see the differences between the current version of the offer and the new one.

+Before a service provider can access and manage a customer's resources, one or more specific subscriptions and/or resource groups must be delegated. When a customer adds an offer without delegating any resources, a note appears at the top of the **Service provider offers** section. The service provider can't work on any resources in the customer's tenant until the delegation is completed.

+1. Select the checkbox at the bottom of the page to confirm that you want to grant this service provider access to these resources, then select **Delegate**.

+> When [viewing role assignments for the delegated scope in the Azure portal](../../role-based-access-control/role-assignments-list-portal.md#list-role-assignments-at-a-scope) or via APIs, customers won't see role assignments for users from the service provider tenant who have access through Azure Lighthouse. Similarly, users in the service provider tenant won't see role assignments for users in a customer's tenant, regardless of the role they've been assigned.

+>

+> Note that [classic administrator](../../role-based-access-control/classic-administrators.md) assignments in a customer tenant may be visible to users in the managing tenant, or the other way around, because classic administrator roles don't use the Resource Manager deployment model.

+We provide an [Azure Policy built-in policy definition](../../governance/policy/samples/built-in-policies.md#lighthouse) to [audit delegation of scopes to a managing tenant](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Lighthouse/Lighthouse_Delegations_Audit.json). You can assign this policy to a management group that includes all of the subscriptions that you want to audit. When you check for compliance with this policy, any delegated subscriptions and/or resource groups (within the management group to which the policy is assigned) are shown in a noncompliant state. You can then review the results and confirm that there are no unexpected delegations.

+In many organizations, the need can arise where an Azure Load Balancer isn't associated with a Virtual Machine Scale Set, but needs to be added. Or an existing Virtual Machine Scale Set is deployed with an Azure Load Balancer that requires updating. The Azure portal can be used to add or update an Azure Load Balancer associated with a Virtual Machine Scale Set.

+In this section, you create a Virtual Machine Scale Set that is attached to a load balancer created later.

+ | Resource group | Select **load-balancer-rg**. |

+ | Virtual machine scale set name | Enter **lb-vmss**. |

+ | Region | Select **(US) East US**. |

+ | Virtual network | Select **lb-vnet**. |

+In this section, you create a backend pool for load-balancer. You create a health probe to monitor HTTP and Port 80 to ensure the health of the virtual machines in the backend pool. Additionally, you create a load-balancing rule for Port 80 with outbound SNAT disabled. The outbound connectivity of the virtual machines is handled by the NAT gateway created earlier.

+1. Select **load-balancer**.

+1. In **load-balancer**, select **Backend pools** in **Settings**.

+ | Name | Enter **lb-backend-pool**. |

+ | Virtual network | Select **lb-vnet**. |

+ | Name | Enter **lb-HTTP-rule**. |

+ | Frontend IP address | Select **lb-Frontend-IP**. |

+ | Backend pool | Select **lb-backend-pool**. |

+ | Health probe | Select **Create new**.<br/> Enter **lb-HTTP-probe** for **Name**.</br><br/>Select **HTTP** for **Protocol**.</br><br/> Select **Ok**.</br>|

+In this section, you add a load balancer to the scale set in the Azure portal.

+1. In the search results, select **Virtual machine scale sets**.

+1. Select **lb-vmss**.

+1. In the **Settings** section of **lb-vmss**, select **Networking**.

+1. Select the **Load balancing** tab in the **Overview** page of the **Networking** settings of **lb-vmss**.

+1. Select the blue **Add load balancing** button.

+1. In **Add load balancing**, enter or select the following information:

+ | Select a load balancer | Select **load-balancer**. |

+ | Select a backend pool | Select **lb-backend-pool**. |

+1. Select **Save**.

+1. Select **Resource groups** in the search results.

+1. Select **load-balancer-rg**.

+1. In the overview page of **load-balancer-rg**, select **Delete resource group**.

+1. Enter **load-balancer-rg** in **TYPE THE RESOURCE GROUP NAME**.

+1. Select **Delete**.

+* An AKS cluster running in Azure. If you haven't previously used cluster extensions, you need to [register the KubernetesConfiguration service provider](../aks/dapr.md#register-the-kubernetesconfiguration-service-provider).

+- Azure Machine Learning doesn't support attaching an AKS cluster cross subscription. If you have an AKS cluster in a different subscription, you must first [connect it to Azure-Arc](../azure-arc/kubernetes/quickstart-connect-cluster.md) and specify in the same subscription as your Azure Machine Learning workspace.

+- Azure Machine Learning doesn't guarantee support for all preview stage features in AKS. For example, [Microsoft Entra pod identity](../aks/use-azure-ad-pod-identity.md) isn't supported.

+- If you've followed the steps from [Azure Machine Learning AKS v1 document](./v1/how-to-create-attach-kubernetes.md?view=azureml-api-1&preserve-view=true) to create or attach your AKS as inference cluster, use the following link to [clean up the legacy azureml-fe related resources](./v1/how-to-create-attach-kubernetes.md?view=azureml-api-1&preserve-view=true#delete-azureml-fe-related-resources) before you continue the next step.

+ | `inferenceRouterHA` |`True` or `False`, default `True`. By default, Azure Machine Learning extension deploys three inference router replicas for high availability, which requires at least three worker nodes in a cluster. Set to `False` if your cluster has fewer than three worker nodes, in this case only one inference router service is deployed. | N/A| Optional | Optional |

+ |`installPromOp`|`True` or `False`, default `True`. Azure Machine Learning extension needs prometheus operator to manage prometheus. Set to `False` to reuse the existing prometheus operator. For more information about reusing the existing prometheus operator, see [reusing the prometheus operator](./how-to-troubleshoot-kubernetes-extension.md#prometheus-operator)| Optional| Optional | Optional |

+ |`installVolcano`| `True` or `False`, default `True`. Azure Machine Learning extension needs volcano scheduler to schedule the job. Set to `False` to reuse existing volcano scheduler. For more information about reusing the existing volcano scheduler, see [reusing volcano scheduler](./how-to-troubleshoot-kubernetes-extension.md#volcano-scheduler) | Optional| N/A | Optional |

+ |`installDcgmExporter` |`True` or `False`, default `False`. Dcgm-exporter can expose GPU metrics for Azure Machine Learning workloads, which can be monitored in Azure portal. Set `installDcgmExporter` to `True` to install dcgm-exporter. But if you want to utilize your own dcgm-exporter, see [DCGM exporter](./how-to-troubleshoot-kubernetes-extension.md#dcgm-exporter) |Optional |Optional |Optional |

+As you can see from the configuration settings table, the combinations of different configuration settings allow you to deploy Azure Machine Learning extension for different ML workload scenarios:

+ For Azure Machine Learning extension deployment on AKS, make sure to specify `managedClusters` value for `--cluster-type` parameter. Assuming your cluster has more than three nodes, and you use an Azure public load balancer and HTTPS for inference workload support. Run the following Azure CLI command to deploy Azure Machine Learning extension:

+ For Azure Machine Learning extension deployment on [Arc Kubernetes](../azure-arc/kubernetes/overview.md) cluster, make sure to specify `connectedClusters` value for `--cluster-type` parameter. Assuming your cluster has more than three nodes, you use a NodePort service type and HTTPS for inference workload support, run following Azure CLI command to deploy Azure Machine Learning extension:

+- Azure Machine Learning studio Visual Studio Code extension. For install instructions, see the [Setup Azure Machine Learning Visual Studio Code extension guide](./how-to-setup-vs-code.md)

+The code for this tutorial uses TensorFlow to train an image classification machine learning model that categorizes handwritten digits from 0-9. It does so by creating a neural network that takes the pixel values of 28 px x 28 px image as input and outputs a list of 10 probabilities, one for each of the digits being classified. This is a sample of what the data looks like.

+The first thing you have to do to build an application in Azure Machine Learning is to create a workspace. A workspace contains the resources to train models and the trained models themselves. For more information, see [what is a workspace](./concept-workspace.md).

+Like workspaces and compute targets, training jobs are defined using resource templates. For this sample, the specification is defined in the *job.yml* file, which looks like the following:

+1. In the left menu, select **Integrations** > **Azure Monitor workspaces**.

+1. In your Azure Managed Grafana workspace, select **Integrations** > **Azure Monitor workspaces from the left menu.

+# How to manage Grafana plugins

+1. Select **Plugin management**. This page shows a table with three columns containing checkboxes, plugin names, and plugin IDs. Review the checkboxes. A checked box indicates that the corresponding plugin is already installed and can be removed, an unchecked box indicates that the corresponding plugin isn't installed and can be added.

+1. Select **Plugin management**. This page displays a table with data source plugins. It contains three columns including checkboxes, plugin names, and plugin IDs. Review the checkboxes. A checked box indicates that the corresponding plugin is already installed and can be removed, an unchecked box indicates that the corresponding plugin can be added.

+Azure Database for MySQL allows you to restore the server back to a point-in-time and into a new copy of the server. You can use this new server to recover your data, or have your client applications point to this new server.

+For example, if a table was accidentally dropped at noon today, you could restore it to the time just before noon and retrieve the missing table and data from that new copy of the server. Point-in-time restore is at the server level, not at the database level.

+ - **Location**: You cannot select the region. By default, it is the same as the source server.

+ - **Pricing tier**: You cannot change these parameters when doing a point-in-time restore. It is the same as the source server.

+You will need to copy over the value from the primary server and set it on the restored server by reconfiguring the [server parameter](how-to-server-parameters.md)

+3. Select **Backup** as the **Data source**. This action loads a dropdown that provides a list of servers that have geo-redundant backups enabled.

+ms.lastreviewed: 01/25/2024

+We're pleased to announce the launch of OpenShift 4.13 for Azure Red Hat OpenShift. This release enables [OpenShift Container Platform 4.13](https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html). Version 4.11 will be outside of support after February 10, 2024. Existing clusters version 4.11 and below should be upgraded before then.

+ >

+ > If you are using a local developer command line, you must install the `mysql` CLI. For instructions see [How To Install MySQL](https://www.digitalocean.com/community/tutorials/how-to-install-mysql-on-ubuntu-20-04).

+ --resource-group ${RG_NAME} \

+ --resource-group ${RG_NAME} \

+ --resource-group ${RG_NAME} \

+ ```

+ You must see `secret/eaparo-sample-pull-secret created` to indicate successful creation of the secret. If you don't see this output, troubleshoot and resolve the problem before proceeding. Finally, link the secret to the default service account for downloading container images so the cluster can run them.

+ It may take a few minutes to reach the proper state. You may even see `STATUS` column values including `ErrImagePull` and `ImagePullBackOff` before `Running` is shown.

+

+1. Add and delete some rows to verify the database connectivity is correctly functioning.

+|4.11|August 2022| March 2 2023|February 10 2024|

+Oracle Support is your first line of support for all Oracle Database@Azure issues. Oracle Support can help you with the following types of Oracle Database@Azure issues:

+The following example is from the [Postman collection of REST APIs](https://github.com/Azure/azure-search-vector-samples/tree/main/demo-python) that demonstrate hybrid query configurations.

+As a next step, we recommend reviewing the demo code for [Python](https://github.com/Azure/azure-search-vector-samples/tree/main/demo-python), [C#](https://github.com/Azure/azure-search-vector-samples/tree/main/demo-dotnet) or [JavaScript](https://github.com/Azure/azure-search-vector-samples/tree/main/demo-javascript).

+| [Vector search sample](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/search/Azure.Search.Documents/samples/Sample07_VectorSearch.md) | Shows you how to index a vector field and perform vector search using the Azure SDK for .NET. |

+| [Semantic ranking sample](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/search/Azure.Search.Documents/samples/Sample08_SemanticSearch.md) | Shows you how to configure semantic ranking in an index and invoke semantic queries using the Azure SDK for .NET. |

+| [create-mvc-app](https://github.com/Azure-Samples/azure-search-dotnet-samples/tree/main/create-mvc-app) | [Tutorial: Add search to an ASP.NET Core (MVC) app](tutorial-csharp-create-mvc-app.md) | While most samples are console applications, this MVC sample uses a web page to front the sample Hotels index, demonstrating basic search, pagination, and other server-side behaviors.|

+| [quickstart-semantic-search](https://github.com/Azure-Samples/azure-search-dotnet-samples/blob/main/quickstart-semantic-search/) | [Quickstart: Semantic ranking using the Azure SDKs](search-get-started-semantic.md) | Shows the index schema and query request for invoking semantic ranking. |

+| [tutorial-ai-enrichment](https://github.com/Azure-Samples/azure-search-dotnet-samples/tree/main/tutorial-ai-enrichment) | [Tutorial: AI-generated searchable content from Azure blobs](cognitive-search-tutorial-blob-dotnet.md) | Shows how to configure an indexer and skillset. |

+| [multiple-data-sources](https://github.com/Azure-Samples/azure-search-dotnet-scale/tree/main/multiple-data-sources) | [Tutorial: Index from multiple data sources](tutorial-multiple-data-sources.md). | Merges content from two data sources into one search index.

+| [Optimize-data-indexing](https://github.com/Azure-Samples/azure-search-dotnet-scale/tree/main/optimize-data-indexing) | [Tutorial: Optimize indexing with the push API](tutorial-optimize-indexing-push-api.md).| Demonstrates optimization techniques for pushing data into a search index. |

+| [DotNetVectorDemo](https://github.com/Azure/azure-search-vector-samples/tree/main/demo-dotnet/DotNetVectorDemo) | [readme](https://github.com/Azure/azure-search-vector-samples/tree/main/demo-dotnet/DotNetVectorDemo/readme.md) | Create, load, and query a vector store. |

+| [DotNetIntegratedVectorizationDemo](https://github.com/Azure/azure-search-vector-samples/tree/main/demo-dotnet/DotNetIntegratedVectorizationDemo) | [readme](https://github.com/Azure/azure-search-vector-samples/tree/main/demo-dotnet/DotNetIntegratedVectorizationDemo/readme.md) | Extends the vector workflow to include skills-based automation for data chunking and embedding. |

+| [VectorSearch](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/search/search-documents/samples/v12-bet). |

+| [VectorSearch](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/search/search-documents/samples/v12/typescript/src/vectorSearch.ts) | Demonstrates how to index vectors and send a [vector query](vector-search-how-to-query.md). |

+| [azure-search-vector-sample.js](https://github.com/Azure/azure-search-vector-samples/tree/main/demo-javascript/JavaScriptVectorDemo) | Vector search sample using the Azure SDK for JavaScript |

+| [Semantic ranking sample](https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/search/azure-search-documents/samples/sample_semantic_search.py) | Shows you how to configure semantic ranking in an index and invoke semantic queries. |

+| [quickstart-semantic-search](https://github.com/Azure-Samples/azure-search-python-samples/blob/main/quickstart-semantic-search/) | Source code for the Python portion of [Quickstart: Semantic ranking using the Azure SDKs](search-get-started-semantic.md). It shows the index schema and query request for invoking semantic ranking. |

+| [azure-search-vector-python-sample.ipynb](https://github.com/Azure/azure-search-vector-samples/blob/main/demo-python/code/azure-search-vector-image-python-sample.ipynb) | Uses the **azure.search.documents** library in the Azure SDK for Python to create, load, and query a vector store. |

+| [azure-search-integrated-vectorization-sample.ipynb](https://github.com/Azure/azure-search-vector-samples/blob/main/demo-python/code/azure-search-integrated-vectorization-sample.ipynb) | Extends the vector store workflow to include integrated data chunking and embedding. |

+| [azure-search-vector-image-index-creation-python-sample.ipynb](https://github.com/Azure/azure-search-vector-samples/blob/main/demo-python/code/azure-search-vector-image-index-creation-python-sample.ipynb) | Demonstrates image embedding. |

+| [azure-search-vector-image-python-sample.ipynb](https://github.com/Azure/azure-search-vector-samples/blob/main/demo-python/code/azure-search-vector-image-python-sample.ipynb) | Demonstrates image retrieval. |

+| [azure-search-vector-python-huggingface-model-sample.ipynb](https://github.com/Azure/azure-search-vector-samples/blob/main/demo-python/code/azure-search-vector-python-huggingface-model-sample.ipynb) | Hugging Face integration. |

+| [azure-search-vector-python-langchain-sample.ipynb](https://github.com/Azure/azure-search-vector-samples/blob/main/demo-python/code/azure-search-vector-python-langchain-sample.ipynb) | LangChain integration. |

+| [azure-search-vector-python-llamaindex-sample.ipynb](https://github.com/Azure/azure-search-vector-samples/blob/main/demo-python/code/azure-search-vector-python-llamaindex-sample.ipynb) | Llamaindex integration. |

+| [azure-search-openai-demo](https://github.com/Azure-Samples/azure-search-openai-demo/blob/main/README.md) | ChatGPT + Enterprise data with Azure OpenAI Python code showing how to use Azure AI Search with the large language models in Azure OpenAI. For background, see this Tech Community blog post: [Revolutionize your Enterprise Data with ChatGPT](https://techcommunity.microsoft.com/t5/ai-applied-ai-blog/revolutionize-your-enterprise-data-with-chatgpt-next-gen-apps-w/ba-p/3762087). |

+## Other samples

+The following samples are also published by the Azure AI Search team, but aren't referenced in documentation. Associated readme files provide usage instructions.

+| Repository | Description |

+||-|

+| [azure-search-backup-and-restore.ipynb](https://github.com/Azure/azure-search-vector-samples/blob/main/demo-python/code/azure-search-backup-and-restore.ipynb) | Uses the **azure.search.documents** library in the Azure SDK for Python to make a local copy of the retrievable fields of a search index, and then push those fields to a new search index. |

+This quickstart introduced you to the **Import and vectorize data** wizard that creates all of the objects necessary for integrated vectorization. If you want to explore each step in detail, try an [integrated vectorization sample](https://github.com/Azure/azure-search-vector-samples/blob/main/demo-python/code/azure-search-integrated-vectorization-sample.ipynb).

+As a next step, we recommend reviewing the demo code for [Python](https://github.com/Azure/azure-search-vector-samples/tree/main/demo-python), [C#](https://github.com/Azure/azure-search-vector-samples/tree/main/demo-dotnet), or [JavaScript](https://github.com/Azure/azure-search-vector-samples/tree/main/demo-javascript).

+Code samples in the [azure-search-vector](https://github.com/Azure/azure-search-vector-samples) repository demonstrate end-to-end workflows that include schema definition, vectorization, indexing, and queries.

+There's demo code for [Python](https://github.com/Azure/azure-search-vector-samples/tree/main/demo-python), [C#](https://github.com/Azure/azure-search-vector-samples/tree/main/demo-dotnet), and [JavaScript](https://github.com/Azure/azure-search-vector-samples/tree/main/demo-javascript).

+Azure AI Search doesn't host vectorization models, so one of your challenges is creating embeddings for query inputs and outputs. You can use any embedding model, but this article assumes Azure OpenAI embeddings models. Demos in the [sample repository](https://github.com/Azure/azure-search-vector-samples/tree/main) tap the [similarity embedding models](/azure/ai-services/openai/concepts/models#embeddings-models) of Azure OpenAI.

+Code samples in the [azure-search-vector](https://github.com/Azure/azure-search-vector-samples) repository demonstrate end-to-end workflows that include schema definition, vectorization, indexing, and queries.

+You can find multiple instances of query string conversion in the [azure-search-vector](https://github.com/Azure/azure-search-vector-samples) repository for each of the Azure SDKs.

+As a next step, we recommend reviewing the demo code for [Python](https://github.com/Azure/azure-search-vector-samples/tree/main/demo-python), [C#](https://github.com/Azure/azure-search-vector-samples/tree/main/demo-dotnet) or [JavaScript](https://github.com/Azure/cazure-search-vector-samplesr/tree/main/demo-javascript).

+You could also begin with the [vector quickstart](search-get-started-vector.md) or the [code samples on GitHub](https://github.com/Azure/azure-search-vector-samples).

+| [**Vector demo (Azure SDK for Python)**](https://github.com/Azure/azure-search-vector-samples/blob/main/demo-python/code/azure-search-vector-image-python-sample.ipynb) | Sample | Uses the latest beta release of the **azure.search.documents** to generate embeddings, create and load an index, and run several vector queries. Visit the [azure-search-vector-samples/demo-python](https://github.com/Azure/azure-search-vector-samples/blob/main/demo-python) repo for more vector search demos. |

+While early ransomware mostly used malware that spread with phishing or between devices, human-operated ransomware has emerged where a gang of active attackers, driven by human attack operators, target all systems in an organization (rather than a single device or set of devices). An attack can:

+In this article, you learned how to improve your backup and restore plan to protect against ransomware. For best practices on deploying ransomware protection, see Rapidly protect against ransomware and extortion.

+* Securing Privileged Access - get the technical details for designing and building a secure administrative workstation for Azure management

+Organizations should have elevated security for privileged accounts (tightly protect, closely monitor, and rapidly respond to incidents related to these roles). See Microsoft's Security rapid modernization plan, which covers:

+- **Review MicrosoftΓÇÖs Enterprise access model**.

+> Ensure that any actions taken are performed from a trusted device, built from a clean source. For example, use a fresh, privileged access workstation.

+|**Remove unnecessary admin users** | Remove unnecessary members from Domain Admins, Backup Operators, and Enterprise Admin groups. For more information, see Securing Privileged Access. |

+For more information, see the article [Plan a Privileged Identity Management deployment](../../active-directory/privileged-identity-management/pim-deployment-plan.md) and securing privileged access.

+ :::image type="content" source="media/access-app-virtual-network/find-ip-address.png" alt-text="Screenshot of the Azure portal that shows the Vnet injection Endpoint information." lightbox="media/access-app-virtual-network/find-ip-address.png":::

+ :::image type="content" source="media/access-app-virtual-network/add-virtual-network-link.png" alt-text="Screenshot of the Azure portal that shows the Add virtual network link page." lightbox="media/access-app-virtual-network/add-virtual-network-link.png":::

+ :::image type="content" source="media/access-app-virtual-network/private-dns-zone-add-record.png" alt-text="Screenshot of the Azure portal that shows the Add record set page." lightbox="media/access-app-virtual-network/private-dns-zone-add-record.png":::

+ :::image type="content" source="media/access-app-virtual-network/assign-private-endpoint.png" alt-text="Screenshot of the Azure portal that shows the Overview page with Assign endpoint highlighted." lightbox="media/access-app-virtual-network/assign-private-endpoint.png":::

+* [What are managed identities for Azure resources?](/entra/identity/managed-identities-azure-resources/overview)

+## Create a managed identity for Application Gateway

+Application Gateway will need to be able to access Key Vault to read the certificate. To do so, it will use a user-assigned [managed identity](/entra/identity/managed-identities-azure-resources/overview). Create the managed identity by using the following command:

+Then fetch the objectId for the managed identity as it will be used later on to give rights to access the certificate in Key Vault:

+Configure Key Vault using the following command so that the managed identity for Application Gateway is allowed to access the certificate stored in Key Vault:

+Create an application gateway using `az network application-gateway create` and specify your application's private fully qualified domain name (FQDN) as servers in the backend pool. Make sure to use the user-assigned managed identity and to point to the certificate in Key Vault using the certificate's Secret ID. Then update the HTTP setting using `az network application-gateway http-settings update` to use the public host name.

+Your application gateway will need to be able to access Key Vault to read the certificate. To do this, the application gateway will use a user-assigned managed identity. For more information, see [What are managed identities for Azure resources?](/entra/identity/managed-identities-azure-resources/overview) Create the managed identity by using the following command, replacing the *\<...>* placeholder:

+If you're unfamiliar with managed identities for Azure resources, see [What are managed identities for Azure resources?](/entra/identity/managed-identities-azure-resources/overview)

+You may need to [configure the target resource to allow access from your application](/entra/identity/managed-identities-azure-resources/howto-assign-access-portal). For example, if you request a token to access Key Vault, make sure you have added an access policy that includes your application's identity. Otherwise, your calls to Key Vault are rejected, even if they include the token. To learn more about which resources support Microsoft Entra tokens, see [Azure services that can use managed identities to access other services](/entra/identity/managed-identities-azure-resources/managed-identities-status).

+Azure Spring Apps shares the same endpoint for token acquisition with Azure Virtual Machine. We recommend using Java SDK or spring boot starters to acquire a token. See [How to use VM token](/entra/identity/managed-identities-azure-resources/how-to-use-vm-token) for various code and script examples and guidance on important topics such as handling token expiration and HTTP errors.

+* [What are managed identities for Azure resources?](/entra/identity/managed-identities-azure-resources/overview)

+- If you're unfamiliar with managed identities for Azure resources, see [What are managed identities for Azure resources?](/entra/identity/managed-identities-azure-resources/overview)

+- At least one already provisioned user-assigned managed identity. For more information, see [Manage user-assigned managed identities](/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities).

+- At least one already provisioned user-assigned managed identity. For more information, see [Manage user-assigned managed identities](/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities).

+You may need to configure the target resource to allow access from your application. For more information, see [Assign a managed identity access to a resource by using the Azure portal](/entra/identity/managed-identities-azure-resources/howto-assign-access-portal). For example, if you request a token to access Key Vault, be sure you've added an access policy that includes your application's identity. Otherwise, your calls to Key Vault are rejected, even if they include the token. To learn more about which resources support Microsoft Entra tokens, see [Azure services that support Microsoft Entra authentication](/entra/identity/managed-identities-azure-resources/services-id-authentication-support)

+Azure Spring Apps shares the same endpoint for token acquisition with Azure Virtual Machines. We recommend using Java SDK or Spring Boot starters to acquire a token. For various code and script examples, and guidance on important topics such as handling token expiration and HTTP errors, see [How to use managed identities for Azure resources on an Azure VM to acquire an access token](/entra/identity/managed-identities-azure-resources/how-to-use-vm-token).

+- [What are managed identities for Azure resources?](/entra/identity/managed-identities-azure-resources/overview)

+* [What are managed identities for Azure resources?](/entra/identity/managed-identities-azure-resources/overview)

+For more information on Application Registration, see [Quickstart: Register an application with the Microsoft identity platform](/entra/identity-platform/quickstart-register-app).

+The `scope` property of SSO is a list of scopes to be included in JWT identity tokens. They're often referred to permissions. Identity platform supports several OpenID Connect scopes, such as `openid`, `email` and `profile`. For more information, see the [OpenID Connect scopes](/entra/identity-platform/scopes-oidc#openid-connect-scopes) section of [Scopes and permissions in the Microsoft identity platform](/entra/identity-platform/scopes-oidc).

+You can configure the target resource to allow access from your application. For more information, see [Assign a managed identity access to a resource by using the Azure portal](/entra/identity/managed-identities-azure-resources/howto-assign-access-portal). For example, if you request a token to access Key Vault, be sure you have added an access policy that includes your application's identity. Otherwise, your calls to Key Vault will be rejected, even if they include the token. To learn more about which resources support Microsoft Entra tokens, see [Azure services that support Microsoft Entra authentication](/entra/identity/managed-identities-azure-resources/services-id-authentication-support).

+- [What are managed identities for Azure resources?](/entra/identity/managed-identities-azure-resources/overview)

+This article describes how to deploy a RESTful API application protected by [Microsoft Entra ID](/entra/fundamentals/whatis) to Azure Spring Apps. The sample project is a simplified version based on the [Simple Todo](https://github.com/Azure-Samples/ASA-Samples-Web-Application) web application, which only provides the backend service and uses Microsoft Entra ID to protect the RESTful APIs.

+- A Microsoft Entra tenant. For instructions on creating one, see [Quickstart: Create a new tenant in Microsoft Entra ID](/entra/fundamentals/create-new-tenant).

+- A Microsoft Entra tenant. For instructions on creating one, see [Quickstart: Create a new tenant in Microsoft Entra ID](/entra/fundamentals/create-new-tenant).

+- A Microsoft Entra tenant. For instructions on creating one, see [Quickstart: Create a new tenant in Microsoft Entra ID](/entra/fundamentals/create-new-tenant).

+- A Microsoft Entra tenant. For instructions on creating one, see [Quickstart: Create a new tenant in Microsoft Entra ID](/entra/fundamentals/create-new-tenant).

+Use the following steps to use [OAuth 2.0 authorization code flow](/entra/identity-platform/v2-oauth2-auth-code-flow) method to obtain an access token with Microsoft Entra ID, then access the RESTful APIs of the `ToDo` app:

+To securely load certificates from [Azure Key Vault](../key-vault/index.yml), Spring Boot apps use [managed identities](/entra/identity/managed-identities-azure-resources/overview) and [Azure role-based access control (RBAC)](../role-based-access-control/index.yml). Azure Spring Apps uses a provider [service principal](/entra/identity-platform/app-objects-and-service-principals#service-principal-object) and Azure role-based access control. This secure loading is powered using the Azure Key Vault Java Cryptography Architecture (JCA) Provider. For more information, see [Azure Key Vault JCA client library for Java](https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/keyvault/azure-security-keyvault-jca).

+This quickstart shows you how to secure communication between a client application and a microservice application that is hosted on Azure Spring Apps and shielded with a Spring Cloud Gateway app. The client application is verified as a security principal to initiate contact with the microservice deployed on Azure Spring Apps, using the app built with [Spring Cloud Gateway](https://docs.spring.io/spring-cloud-gateway/docs/current/reference/html/). This method employs Spring Cloud Gateway's Token Relay and Spring Security's Resource Server features for the processes of authentication and authorization, realized through the execution of the [OAuth 2.0 client credentials flow](/entra/identity-platform/v2-oauth2-client-creds-grant-flow).

+- A Microsoft Entra tenant. For more information on how to create a Microsoft Entra tenant, see [Quickstart: Create a new tenant in Microsoft Entra ID](/entra/fundamentals/create-new-tenant).

+This sample invokes the HTTP triggered function by first requesting an access token from the MSI endpoint and using that token to authenticate the function HTTP request. For more information, see the [Get a token using HTTP](/entra/identity/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http) section of [How to use managed identities for Azure resources on an Azure VM to acquire an access token](/entra/identity/managed-identities-azure-resources/how-to-use-vm-token).

+- [What are managed identities for Azure resources?](/entra/identity/managed-identities-azure-resources/overview)

+* [What are managed identities for Azure resources?](/entra/identity/managed-identities-azure-resources/overview)

+ Title: What's new in Azure Spring Apps?

+# What's new in Azure Spring Apps?

+If you prefer to use an on-premises backup solution, backups should be performed on a server in the sync group that has cloud tiering disabled and make sure there are no tiered files. When performing a restore, use the volume-level or file-level restore options. Files restored using the file-level restore option will be synced to all endpoints in the sync group, and existing files will be replaced with the version restored from backup. Volume-level restores won't replace newer file versions in the Azure file share or other server endpoints.

+> Bare-metal (BMR) restore, VM restore, system restore (Windows built-in OS restore), and file-level restore with its tiered version (this happens when backup software backs up a tiered file instead of a full file) can cause unexpected results and aren't currently supported when cloud tiering is enabled. VSS snapshots (including Previous Versions tab) are supported on volumes which have cloud tiering enabled. However, you must enable previous version compatibility through PowerShell. [Learn how](file-sync-deployment-guide.md#optional-self-service-restore-through-previous-versions-and-vss-volume-shadow-copy-service).

+description: Learn how to migrate SMB file shares from on-premises Network Attached Storage (NAS) to a hybrid cloud deployment with Azure File Sync and Azure file shares.

+The goal is to move the SMB file shares on your NAS appliance to a Windows Server, then utilize Azure File Sync for a hybrid cloud deployment. Generally, migrations need to be done in a way that guarantees the integrity of the production data and its availability during the migration. The latter requires keeping downtime to a minimum, so that it can fit into or only slightly exceed regular maintenance windows.

+As mentioned in [Migrate to SMB Azure file shares](storage-files-migration-overview.md), using the correct copy tool and approach is important. Your NAS appliance is exposing SMB shares directly on your local network. You can either use Azure Storage Mover or RoboCopy to move your files.

+- Phase 7: [Copy data using Azure Storage Mover or RoboCopy](#phase-7-copy-data-using-azure-storage-mover-or-robocopy)

+ 3. When more free space is created on the volume, proceed with the next batch of files. Alternatively, review the RoboCopy command in the [RoboCopy section](#phase-7-copy-data-using-azure-storage-mover-or-robocopy) of this article for use of the new `/LFSM` switch. Using `/LFSM` can significantly simplify your RoboCopy jobs, but it isn't compatible with some other RoboCopy switches you might depend on. Only use the `/LFSM` switch when the migration destination is local storage. It's not supported when the destination is a remote SMB share.

+## Phase 7: Copy data using Azure Storage Mover or RoboCopy

+Now you can use Azure Storage Mover or RoboCopy to copy data from your NAS appliance to your Windows Server, and use Azure File Sync to move the data to Azure file shares. This guide uses RoboCopy for the initial copy. To use Azure Storage Mover instead, see [Migrate to SMB Azure file shares using Azure Storage Mover](migrate-files-storage-mover.md).

+* Start the copy.

+It's possible that RoboCopy moves files faster than you can sync to the cloud and tier locally, thus running out of local disk space. In this case, RoboCopy will fail. We recommend that you work through the shares in a sequence that prevents this - for example, not starting copy jobs for all shares at the same time, or only moving shares that fit on the current amount of free space on the Windows Server.

+* [Azure File Sync troubleshooting](/troubleshoot/azure/azure-storage/file-sync-troubleshoot?toc=/azure/storage/file-sync/toc.json)

+<sup>3 Azure Files supports 10,000 open handles on the root directory and 2,000 open handles per file and directory within the share. The number of active users supported per share is dependent on the applications that are accessing the share. If your applications aren't opening a handle on the root directory, Azure Files can support more than 10,000 active users per share. However, if you're using Azure Files to store disk images for large-scale virtual desktop workloads, you might run out of handles for the root directory or per file/directory. In this case, you might need to use multiple Azure file shares. For more information, see [Azure Files sizing guidance for Azure Virtual Desktop](#azure-files-sizing-guidance-for-azure-virtual-desktop).</sup>

+### Azure Files sizing guidance for Azure Virtual Desktop

+A popular use case for Azure Files is storing user profile containers and disk images for Azure Virtual Desktop, using either FSLogix or App attach. In large scale Azure Virtual Desktop deployments, you might run out of handles for the root directory or per file/directory if you're using a single Azure file share. This section describes how handles are consumed by various types of disk images, and provides sizing guidance depending on the technology you're using.

+#### FSLogix

+If you're using [FSLogix with Azure Virtual Desktop](../../virtual-desktop/fslogix-containers-azure-files.md), your user profile containers are either Virtual Hard Disk (VHD) or Hyper-V Virtual Hard Disk (VHDX) files, and they're mounted in a user context, not a system context. Each user will open a single root directory handle, which should be to the file share. Azure Files can support a maximum of 10,000 users assuming you have the file share (`\\storageaccount.file.core.windows.net\sharename`) + the profile directory (`%sid%_%username%`) + profile container (`profile_%username.vhd(x)`).

+If you're hitting the limit of 10,000 concurrent handles for the root directory or users are seeing poor performance, try using an additional Azure file share and distributing the containers between the shares.

+> [!WARNING]

+> While Azure Files can support up to 10,000 concurrent users from a single file share, it's critical to properly test your workloads against the size and type of file share you've created. Your requirements might vary based on users, profile size, and workload.

+For example, if you have 2,400 concurrent users, you'd need 2,400 handles on the root directory (one for each user), which is below the limit of 10,000 open handles. For FSLogix users, reaching the limit of 2,000 open file and directory handles is extremely unlikely. If you have a single FSLogix profile container per user, you'd only consume two file/directory handles: one for the profile directory and one for the profile container file. If users have two containers each (profile and ODFC), you'd need one additional handle for the ODFC file.

+#### App attach with CimFS

+If you're using [MSIX App attach or App attach](../../virtual-desktop/app-attach-overview.md) to dynamically attach applications, you can use Composite Image File System (CimFS) or VHD/VHDX files for [disk images](../../virtual-desktop/app-attach-overview.md#application-images). Either way, the scale limits are per VM mounting the image, not per user. The number of users is irrelevant when calculating scale limits. When a VM is booted, it mounts the disk image, even if there are zero users.

+If you're using App attach with CimFS, the disk images only consume handles on the disk image files. They don't consume handles on the root directory or the directory containing the disk image. However, because a CimFS image is a combination of the .cim file and at least two other files, for every VM mounting the disk image, you'll need one handle each for three files in the directory. So if you have 100 VMs, you'll need 300 file handles.

+You might run out of file handles if the number of VMs per app exceeds 2,000. In this case, use an additional Azure file share.

+#### App attach with VHD/VHDX

+If you're using App attach with VHD/VHDX files, the files are mounted in a system context, not a user context, and they are shared and read-only. More than one handle on the VHDX file can be consumed by a connecting system. To stay within Azure Files scale limits, the number of VMs multiplied by the number of apps must be less than 10,000, and the number of VMs per app can't exceed 2,000. So the constraint is whichever you hit first.

+In this scenario, you could hit the per file/directory limit with 2,000 mounts of a single VHD/VHDX. Or, if the share contains multiple VHD/VHDX files, you could hit the root directory limit first. For example, 100 VMs mounting 100 shared VHDX files will hit the 10,000 handle root directory limit.

+In another example, 100 VMs accessing 20 apps will require 2,000 root directory handles (100 x 20 = 2,000), which is well within the 10,000 limit for root directory handles. You'll also need a file handle and a directory/folder handle for every VM mounting the VHD(X) image, so 200 handles in this case (100 file handles + 100 directory handles), which is comfortably below the 2,000 handle limit per file/directory.

+If you're hitting the limits on maximum concurrent handles for the root directory or per file/directory, use an additional Azure file share.

+> [!NOTE]

+> An Azure File Sync endpoint can scale up to the size of an Azure file share. If the Azure file share size limit is reached, sync won't be able to operate.

+Stream Analytics supports compression for all input sources. Supported compression types are: None, Gzip, and Deflate. The support for compression isn't available for reference data. If the input data is compressed Avro data, Stream Analytics handles it transparently. You don't need to specify the compression type with Avro serialization.

+You can use the [Azure portal](stream-analytics-quick-create-portal.md), [Visual Studio](stream-analytics-quick-create-vs.md), and [Visual Studio Code](quick-create-visual-studio-code.md) to add and view or edit existing inputs on your streaming job. You can also test input connections and test queries from sample data from the Azure portal, [Visual Studio](stream-analytics-vs-tools-local-run.md), and [Visual Studio Code](visual-studio-code-local-run.md). When you write a query, you list the input in the FROM clause. You can get the list of available inputs from the **Query** page in the portal. If you wish to use multiple inputs, `JOIN` them or write multiple `SELECT` queries.

+> We strongly recommend that you use [**Stream Analytics tools for Visual Studio Code**](./quick-create-visual-studio-code.md) for the best local development experience. There are known feature gaps in Stream Analytics tools for Visual Studio 2019 (version 2.6.3000.0) and it won't be improved going forward.

+Azure Event Hubs is a highly scalable publish-subscribe event ingestor. An event hub can collect millions of events per second so that you can process and analyze the massive amounts of data produced by your connected devices and applications. Together, Event Hubs and Stream Analytics can provide an end-to-end solution for real-time analytics. Event Hubs lets you feed events into Azure in real-time, and Stream Analytics jobs can process those events in real-time. For example, you can send web clicks, sensor readings, or online log events to Event Hubs. You can then create Stream Analytics jobs to use Event Hubs for the input data for real-time filtering, aggregating, and correlation.

+You should configure each event hub input to have its own consumer group. When a job contains a self-join or has multiple inputs, some inputs might be read by more than one reader downstream. This situation impacts the number of readers in a single consumer group. To avoid exceeding the Event Hubs limit of five readers per consumer group per partition, it's a best practice to designate a consumer group for each Stream Analytics job. There's also a limit of 20 consumer groups for a Standard tier event hub. For more information, see [Troubleshoot Azure Stream Analytics inputs](stream-analytics-troubleshoot-input.md).

+| **Input alias** | A friendly name that you use in the job's query to reference this input. |

+| **Subscription** | Choose the Azure subscription in which the Event hub resource exists. |

+| **Event Hub namespace** | The Event Hubs namespace is a container for event hubs. When you create an event hub, you also create the namespace. |

+| **Event Hub consumer group** (recommended) | We recommend that you use a distinct consumer group for each Stream Analytics job. This string identifies the consumer group to use to ingest data from the event hub. If no consumer group is specified, the Stream Analytics job uses the `$Default` consumer group. |

+| **Authentication mode** | Specify the type of the authentication you want to use to connect to the event hub. You can use a connection string or a managed identity to authenticate with the event hub. For the managed identity option, you can either create a system-assigned managed identity to the Stream Analytics job or a user-assigned managed identity to authenticate with the event hub. When you use a managed identity, the managed identity must be a member of [Azure Event Hubs Data Receiver or Azure Event Hubs Data Owner roles](../event-hubs/authenticate-application.md#built-in-roles-for-azure-event-hubs). |

+| **Partition key** | It's an optional field that is available only if your job is configured to use [compatibility level](./stream-analytics-compatibility-level.md) 1.2 or higher. If your input is partitioned by a property, you can add the name of this property here. It's used for improving the performance of your query if it includes a `PARTITION BY` or `GROUP BY` clause on this property. If this job uses compatibility level 1.2 or higher, this field defaults to `PartitionId.` |

+| **Event serialization format** | The serialization format (JSON, CSV, Avro, Parquet, or [Other (Protobuf, XML, proprietary...)](custom-deserializer.md)) of the incoming data stream. Ensure the JSON format aligns with the specification and doesnΓÇÖt include leading 0 for decimal numbers. |

+| **Schema registry (preview)** | You can select the schema registry with schemas for event data that's received from the event hub. |

+| **EventProcessedUtcTime** |The date and time when Stream Analytics processes the event. |

+| **EventEnqueuedUtcTime** |The date and time that when Event Hubs receives the events. |

+> When using Event Hubs as an endpoint for IoT Hub Routes, you can access to the IoT Hub metadata using the [GetMetadataPropertyValue function](/stream-analytics-query/getmetadatapropertyvalue).

+| **Consumer group** | We recommend that you use a different consumer group for each Stream Analytics job. The consumer group is used to ingest data from the IoT Hub. Stream Analytics uses the $Default consumer group unless you specify otherwise. |

+| **Shared access policy key** | The shared access key used to authorize access to the IoT Hub. This option is automatically populated in unless you select the option to provide the Iot Hub settings manually. |

+| **Endpoint** | The endpoint for the IoT Hub.|

+| **Partition key** | It's an optional field that is available only if your job is configured to use [compatibility level](./stream-analytics-compatibility-level.md) 1.2 or higher. If your input is partitioned by a property, you can add the name of this property here. It's used for improving the performance of your query if it includes a PARTITION BY or GROUP BY clause on this property. If this job uses compatibility level 1.2 or higher, this field defaults to "PartitionId." |

+| **Event serialization format** | The serialization format (JSON, CSV, Avro, Parquet, or [Other (Protobuf, XML, proprietary...)](custom-deserializer.md)) of the incoming data stream. Ensure the JSON format aligns with the specification and doesnΓÇÖt include leading 0 for decimal numbers. |

+| **EventEnqueuedUtcTime** | The date and time when the IoT Hub receives the event. |

+| **IoTHub.ConnectionDeviceId** | The authentication ID used to send this message. This value is stamped on service-bound messages by the IoT Hub. |

+| **IoTHub.EnqueuedTime** | The time when the IoT Hub receives the message. |

+For scenarios with large quantities of unstructured data to store in the cloud, Azure Blob storage or Azure Data Lake Storage Gen2 offers a cost-effective and scalable solution. Data in Blob storage or Azure Data Lake Storage Gen2 is considered data at rest. However, this data can be processed as a data stream by Stream Analytics.

+Log processing is a commonly used scenario for using such inputs with Stream Analytics. In this scenario, telemetry data files are captured from a system and need to be parsed and processed to extract meaningful data.

+The default timestamp of a Blob storage or Azure Data Lake Storage Gen2 event in Stream Analytics is the timestamp that it was last modified, which is `BlobLastModifiedUtcTime`. If a blob is uploaded to a storage account at 13:00, and the Azure Stream Analytics job is started using the option *Now* at 13:01, it will not be picked up as its modified time falls outside the job run period.

+If an Azure Stream Analytics job is started using *Now* at 13:00, and a blob is uploaded to the storage account container at 13:01, Azure Stream Analytics picks up the blob. The timestamp assigned to each blob is based only on `BlobLastModifiedTime`. The folder the blob is in has no relation to the timestamp assigned. For example, if there's a blob `2019/10-01/00/b1.txt` with a `BlobLastModifiedTime` of `2019-11-11`, then the timestamp assigned to this blob is `2019-11-11`.

+To process the data as a stream using a timestamp in the event payload, you must use the [TIMESTAMP BY](/stream-analytics-query/stream-analytics-query-language-reference) keyword. A Stream Analytics job pulls data from Azure Blob storage or Azure Data Lake Storage Gen2 input every second if the blob file is available. If the blob file is unavailable, there's an exponential backoff with a maximum time delay of 90 seconds.

+| **Authentication mode** | Specify the type of the authentication you want to use to connect to the storage account. You can use a connection string or a managed identity to authenticate with the storage account. For the managed identity option, you can either create a system-assigned managed identity to the Stream Analytics job or a user-assigned managed identity to authenticate with the storage account. When you use a managed identity, the managed identity must be a member of an [appropriate role](/azure/role-based-access-control/built-in-roles#storage) on the storage account. |

+| **Partition key** | It's an optional field that is available only if your job is configured to use [compatibility level](./stream-analytics-compatibility-level.md) 1.2 or higher. If your input is partitioned by a property, you can add the name of this property here. It's used for improving the performance of your query if it includes a PARTITION BY or GROUP BY clause on this property. If this job uses compatibility level 1.2 or higher, this field defaults to "PartitionId." |

+| **Event serialization format** | The serialization format (JSON, CSV, Avro, Parquet, or [Other (Protobuf, XML, proprietary...)](custom-deserializer.md)) of the incoming data stream. Ensure the JSON format aligns with the specification and doesnΓÇÖt include leading 0 for decimal numbers. |

+| **EventProcessedUtcTime** |The date and time when Stream Analytics processes the event. |

+## Stream data from Apache Kafka

+Azure Stream Analytics lets you connect directly to Apache Kafka clusters to ingest data. The solution is low code and entirely managed by the Azure Stream Analytics team at Microsoft, allowing it to meet business compliance standards. The Kafka input is backward compatible and supports all versions with the latest client release starting from version 0.10. Users can connect to Kafka clusters inside a virtual network and Kafka clusters with a public endpoint, depending on the configurations. The configuration relies on existing Kafka configuration conventions. Supported compression types are None, Gzip, Snappy, LZ4, and Zstd.

+For more information, see [Stream data from Kafka into Azure Stream Analytics (Preview)](stream-analytics-define-kafka-input.md).

+> We strongly recommend that you use [**Stream Analytics tools for Visual Studio Code**](./quick-create-visual-studio-code.md) for the best local development experience. There are known feature gaps in Stream Analytics tools for Visual Studio 2019 (version 2.6.3000.0) and it won't be improved going forward.

+Some outputs types support [partitioning](#partitioning) as shown in the following table.

+All outputs support batching, but only some support setting the output batch size explicitly. For more information, see the [output batch sizes](#output-batch-size) section.

+|[Azure Functions](azure-functions-output.md)|Yes|Access key|

+|[Azure Cosmos DB](azure-cosmos-db-output.md)|Yes|Access key, </br> Managed Identity|

+|[Azure Data Lake Storage Gen 1](azure-data-lake-storage-gen1-output.md)|Yes|Microsoft Entra user </br> Managed Identity|

+|[Kafka (preview)](kafka-output.md)|Yes, need to set the partition key column in output configuration.|Access key, </br> Managed Identity|

+|[Azure Database for PostgreSQL](postgresql-database-output.md)|Yes|Username and password auth|

+|[Azure SQL Database](sql-database-output.md)|Yes, optional.|SQL user auth, </br> Managed Identity|

+|[Azure Table storage](table-storage-output.md)|Yes|Account key|

+Stream Analytics supports partitions for all outputs except for Power BI. For more information on partition keys and the number of output writers, see the article for the specific output type you're interested in. Articles for output types are linked in the previous section.

+Additionally, for more advanced tuning of the partitions, the number of output writers can be controlled using an `INTO <partition count>` (see [INTO](/stream-analytics-query/into-azure-stream-analytics#into-shard-count)) clause in your query, which can be helpful in achieving a desired job topology. If your output adapter isn't partitioned, lack of data in one input partition causes a delay up to the late arrival amount of time. In such cases, the output is merged to a single writer, which might cause bottlenecks in your pipeline. To learn more about late arrival policy, see [Azure Stream Analytics event order considerations](./stream-analytics-time-handling.md).

+All outputs support batching, but only some support settings the batch size explicitly. Azure Stream Analytics uses variable-size batches to process events and write to outputs. Typically the Stream Analytics engine doesn't write one message at a time, and uses batches for efficiency. When the rate of both the incoming and outgoing events is high, Stream Analytics uses larger batches. When the egress rate is low, it uses smaller batches to keep latency low.

+By design, the Avro and Parquet formats don't support variable schemas in a single file.

+The following behaviors might occur when directing a stream with variable schemas to an output using these formats:

+- If the schema change can be detected, the current output file is closed, and a new one initialized on the new schema. Splitting files as such severely slows down the output when schema changes happen frequently. This behavior can severely impact the overall performance of the job

+- If the schema change can't be detected, the row is most likely be rejected, and the job gets stuck as the row can't be output. Nested columns, or multi-type arrays, are situations that aren't discovered and be rejected.

+We recommend that you consider outputs using the Avro or Parquet format to be strongly typed, or schema-on-write, and queries targeting them to be written as such (explicit conversions and projections for a uniform schema).

+When you use Azure Resource Manager template deployment or the REST API, the two batching window properties are:

+ The maximum wait time per batch. The value should be a string of `Timespan`. For example, `00:02:00` for two minutes. After this time, the batch is written to the output even if the minimum rows requirement isn't met. The default value is 1 minute and the allowed maximum is 2 hours. If your blob output has path pattern frequency, the wait time can't be higher than the partition time range.

+These batching window properties are only supported by API version **2017-04-01-preview** or higher. Here's is an example of the JSON payload for a REST API call:

+Azure Stream Analytics supports processing events in CSV, JSON, and Avro data formats. The JSON and Avro formats can contain complex types such as nested objects (records) or arrays. For more information on working with these complex data types, see [Parsing JSON and AVRO data](stream-analytics-parsing-json.md).

+Multiple **SELECT** statements can be used to output data to different output sinks. For example, one **SELECT** statement can output a threshold-based alert while another one can output events to a blob storage.

+Consider the following **input**:

+| Make1 |2023-01-01T00:00:01.0000000Z |

+| Make1 |2023-01-01T00:00:02.0000000Z |

+| Make2 |2023-01-01T00:00:01.0000000Z |

+| Make2 |2023-01-01T00:00:02.0000000Z |

+| Make2 |2023-01-01T00:00:03.0000000Z |

+And, you want the following two outputs from the query:

+**ArchiveOutput**:

+| Make1 |2023-01-01T00:00:01.0000000Z |

+| Make1 |2023-01-01T00:00:02.0000000Z |

+| Make2 |2023-01-01T00:00:01.0000000Z |

+| Make2 |2023-01-01T00:00:02.0000000Z |

+| Make2 |2023-01-01T00:00:03.0000000Z |

+**AlertOutput**:

+| Make2 |2023-01-01T00:00:10.0000000Z |3 |

+**Query with two SELECT statements with Archive output and Alert output as outputs**:

+The **INTO** clause tells the Stream Analytics service which of the outputs to write the data to. The first **SELECT** defines a pass-through query that receives data from the input and sends it to the output named **ArchiveOutput**. The second query aggregates and filters data before sending the results to a downstream alerting system output called **AlertOutput**.

+The **WITH** clause can be used to define multiple subquery blocks. This option has the benefit of opening fewer readers to the input source.

+Consider the following **input**:

+| Make1 |2023-01-01T00:00:01.0000000Z |"1000" |

+| Make1 |2023-01-01T00:00:02.0000000Z |"2000" |

+You want the **output** to be the same as the input:

+| Make1 |2023-01-01T00:00:01.0000000Z |"1000" |

+| Make1 |2023-01-01T00:00:02.0000000Z |"2000" |

+Here's the **query**:

+This **SELECT** * query projects **all** the fields of an incoming event and sends them to the output. Instead, you can project only the required fields in a **SELECT** statement. In the following example, the **SELECT** statement projects only the *Make* and *Time* fields from the input data.

+Consider the following **input**:

+| Make1 |2023-01-01T00:00:01.0000000Z |1000 |

+| Make1 |2023-01-01T00:00:02.0000000Z |2000 |

+| Make2 |2023-01-01T00:00:04.0000000Z |1500 |

+You want the **output** to have only the Make and Time fields:

+| Make1 |2023-01-01T00:00:01.0000000Z |

+| Make1 |2023-01-01T00:00:02.0000000Z |

+| Make2 |2023-01-01T00:00:04.0000000Z |

+Here's the **query** that projects only the required fields:

+**LIKE** and **NOT LIKE** can be used to verify if a field matches a certain pattern. For example, you can use a filter to return only the license plates that start with the letter `A` and end with the number `9`.

+Consider the following **input**:

+| Make1 |ABC-123 |2023-01-01T00:00:01.0000000Z |

+| Make2 |AAA-999 |2023-01-01T00:00:02.0000000Z |

+| Make3 |ABC-369 |2023-01-01T00:00:03.0000000Z |

+You want the **output** to have the license plates that start with the letter `A` and end with the number `9`:

+| Make2 |AAA-999 |2023-01-01T00:00:02.0000000Z |

+| Make3 |ABC-369 |2023-01-01T00:00:03.0000000Z |

+Here's **query** that uses the LIKE operator:

+Use the **LIKE** statement to check the **License_plate** field value. It should start with the letter `A`, then have any string of zero or more characters, ending with the number 9.

+The **LAG** function can be used to look at past events within a time window and compare them against the current event. For example, make of the current car can be outputted if itΓÇÖs different from make of the last car that passed through the toll booth.

+Sample **input**:

+| Make1 |2023-01-01T00:00:01.0000000Z |

+| Make2 |2023-01-01T00:00:02.0000000Z |

+Sample **output**:

+| Make2 |2023-01-01T00:00:02.0000000Z |

+Sample **query**:

+As events are consumed by the system in real time, thereΓÇÖs no function that can determine if an event is the last one to arrive for that time window. To achieve this, the input stream needs to be joined with another one where the time of an event is the maximum time for all events at that window.

+Sample **input**:

+| DXE 5291 |Make1 |2023-07-27T00:00:05.0000000Z |

+| YZK 5704 |Make3 |2023-07-27T00:02:17.0000000Z |

+| RMV 8282 |Make1 |2023-07-27T00:05:01.0000000Z |

+| YHN 6970 |Make2 |2023-07-27T00:06:00.0000000Z |

+| VFE 1616 |Make2 |2023-07-27T00:09:31.0000000Z |

+| QYF 9358 |Make1 |2023-07-27T00:12:02.0000000Z |

+| MDR 6128 |Make4 |2023-07-27T00:13:45.0000000Z |

+Sample **output** with information about last cars in two ten-minute time windows:

+| VFE 1616 |Make2 |2023-07-27T00:09:31.0000000Z |

+| MDR 6128 |Make4 |2023-07-27T00:13:45.0000000Z |

+Sample **query**:

+To compute information over a time window, you can aggregate the data. In this example, the statement computes a count over the last 10 seconds of time for every specific make of a car.

+Sample **input**:

+| Make1 |2023-01-01T00:00:01.0000000Z |1000 |

+| Make1 |2023-01-01T00:00:02.0000000Z |2000 |

+| Make2 |2023-01-01T00:00:04.0000000Z |1500 |

+Sample **output**:

+This aggregation groups the cars by *Make* and counts them every 10 seconds. The output has the *Make* and *Count* of cars that went through the toll booth.

+When events are missing or irregular, a regular interval output can be generated from a more sparse data input. For example, generate an event every 5 seconds that reports the most recently seen data point.

+Sample **input**:

+Sample **output (first 10 rows)**:

+Sample **query**:

+Correlating events in the same stream can be done by looking at past events using the **LAG** function. For example, an output can be generated every time two consecutive cars from the same *Make* go through the toll booth in the last 90 seconds.

+Sample **input**:

+| Make1 |ABC-123 |2023-01-01T00:00:01.0000000Z |

+| Make1 |AAA-999 |2023-01-01T00:00:02.0000000Z |

+| Make2 |DEF-987 |2023-01-01T00:00:03.0000000Z |

+| Make1 |GHI-345 |2023-01-01T00:00:04.0000000Z |

+Sample **output**:

+| Make1 |2023-01-01T00:00:02.0000000Z |AAA-999 |ABC-123 |2023-01-01T00:00:01.0000000Z |

+Sample **query**:

+Sample **input**:

+| user@location.com |RightMenu |Start |2023-01-01T00:00:01.0000000Z |

+| user@location.com |RightMenu |End |2023-01-01T00:00:08.0000000Z |

+Sample **output**:

+Sample **query**:

+The **LAST** function can be used to retrieve the last event within a specific condition. In this example, the condition is an event of type Start, partitioning the search by **PARTITION BY** user and feature. This way, every user, and feature are treated independently when searching for the Start event. **LIMIT DURATION** limits the search back in time to 1 hour between the End and Start events.

+**COUNT** and **DISTINCT** can be used to count the number of unique field values that appear in the stream within a time window. You can create a query to calculate how many unique *Makes* of cars have passed through the toll booth in a 2-second window.

+Sample **input**:

+| Make1 |2023-01-01T00:00:01.0000000Z |

+| Make1 |2023-01-01T00:00:02.0000000Z |

+| Make2 |2023-01-01T00:00:01.0000000Z |

+| Make2 |2023-01-01T00:00:02.0000000Z |

+| Make2 |2023-01-01T00:00:03.0000000Z |

+Sample **output:**

+| 2 |2023-01-01T00:00:02.000Z |

+| 1 |2023-01-01T00:00:04.000Z |

+Sample **query:**

+**COUNT(DISTINCT Make)** returns the count of distinct values in the **Make** column within a time window. For more information, see [**COUNT** aggregate function](/stream-analytics-query/count-azure-stream-analytics).

+You can use `IsFirst` to retrieve the first event in a time window. For example, outputting the first car information at every 10-minute interval.

+Sample **input**:

+| DXE 5291 |Make1 |2023-07-27T00:00:05.0000000Z |

+| YZK 5704 |Make3 |2023-07-27T00:02:17.0000000Z |

+| RMV 8282 |Make1 |2023-07-27T00:05:01.0000000Z |

+| YHN 6970 |Make2 |2023-07-27T00:06:00.0000000Z |

+| VFE 1616 |Make2 |2023-07-27T00:09:31.0000000Z |

+| QYF 9358 |Make1 |2023-07-27T00:12:02.0000000Z |

+| MDR 6128 |Make4 |2023-07-27T00:13:45.0000000Z |

+Sample **output**:

+| DXE 5291 |Make1 |2023-07-27T00:00:05.0000000Z |

+| QYF 9358 |Make1 |2023-07-27T00:12:02.0000000Z |

+Sample **query**:

+Sample **output**:

+| DXE 5291 |Make1 |2023-07-27T00:00:05.0000000Z |

+| YZK 5704 |Make3 |2023-07-27T00:02:17.0000000Z |

+| YHN 6970 |Make2 |2023-07-27T00:06:00.0000000Z |

+| QYF 9358 |Make1 |2023-07-27T00:12:02.0000000Z |

+| MDR 6128 |Make4 |2023-07-27T00:13:45.0000000Z |

+Sample **query**:

+When you perform an operation such as calculating averages over events in a given time window, duplicate events should be filtered. In the following example, the second event is a duplicate of the first.

+Sample **input**:

+Sample **output**:

+Sample **query**:

+**CASE** statements can provide different computations for different fields, based on particular criterion. For example, assign lane `A` to cars of `Make1` and lane `B` to any other make.

+Sample **input**:

+| Make1 |2023-01-01T00:00:01.0000000Z |

+| Make2 |2023-01-01T00:00:02.0000000Z |

+| Make2 |2023-01-01T00:00:03.0000000Z |

+Sample **output**:

+| Make1 |"A" |2023-01-01T00:00:01.0000000Z |

+| Make2 |"B" |2023-01-01T00:00:02.0000000Z |

+Sample **query**:

+Data can be cast in real time using the **CAST** method. For example, car weight can be converted from type **nvarchar(max)** to type **bigint** and be used in a numeric calculation.

+Sample **input**:

+| Make1 |2023-01-01T00:00:01.0000000Z |"1000" |

+| Make1 |2023-01-01T00:00:02.0000000Z |"2000" |

+Sample **output**:

+Sample **query**:

+Sample **input**:

+| Make1 |2023-01-01T00:00:01.0000000Z |2000 |

+| Make2 |2023-01-01T00:00:02.0000000Z |25000 |

+| Make1 |2023-01-01T00:00:03.0000000Z |26000 |

+| Make2 |2023-01-01T00:00:04.0000000Z |25000 |

+| Make1 |2023-01-01T00:00:05.0000000Z |26000 |

+| Make2 |2023-01-01T00:00:06.0000000Z |25000 |

+| Make1 |2023-01-01T00:00:07.0000000Z |26000 |

+| Make2 |2023-01-01T00:00:08.0000000Z |2000 |

+Sample **output**:

+| 2023-01-01T00:00:02.000Z |2023-01-01T00:00:07.000Z |

+Sample **query**:

+The End_fault is the current nonfaulty event where the previous event was faulty, and the Start_fault is the last nonfaulty event before that.

+Sample **input**:

+| DXE 5291 |Make1 |2023-07-27T00:00:01.0000000Z | 1 |

+| YHN 6970 |Make2 |2023-07-27T00:00:05.0000000Z | 1 |

+| QYF 9358 |Make1 |2023-07-27T00:00:01.0000000Z | 2 |

+| GXF 9462 |Make3 |2023-07-27T00:00:04.0000000Z | 2 |

+| VFE 1616 |Make2 |2023-07-27T00:00:10.0000000Z | 1 |

+| RMV 8282 |Make1 |2023-07-27T00:00:03.0000000Z | 3 |

+| MDR 6128 |Make3 |2023-07-27T00:00:11.0000000Z | 2 |

+| YZK 5704 |Make4 |2023-07-27T00:00:07.0000000Z | 3 |

+Sample **output**:

+Sample **query**:

+A session window is a window that keeps expanding as events occur and closes for computation if no event is received after a specific amount of time or if the window reaches its maximum duration. This window is particularly useful when computing user interaction data. A window starts when a user starts interacting with the system and closes when no more events are observed, meaning, the user has stopped interacting. For example, a user is interacting with a web page where the number of clicks is logged, a Session Window can be used to find out how long the user interacted with the site.

+Sample **input**:

+Sample **output**:

+Sample **query**:

+## User defined functions in JavaScript and C#

+Sample **input**:

+Sample **output**:

+The User-Defined Function computes the *bigint* value from the HexValue on every event consumed.

+ 2. Grant the service principal the following permissions to the new Synapse workspace:

+ - Microsoft.Synapse/workspaces/integrationruntimes/write

+ - Microsoft.Synapse/workspaces/operationResults/read

+ - Microsoft.Synapse/workspaces/read

+ 3. In the workspace, don't configure the Git repository connection.

+ 4. In the Azure Synapse workspace, go to **Studio** > **Manage** > **Access Control**. 4. In the Azure Synapse workspace, go to Studio > Manage > Access Control. Assign the ΓÇ£Synapse Artifact PublisherΓÇ¥ to the service principal. If the deployment pipeline will need to deploy managed private endpoints, then assign the ΓÇ£Synapse AdministratorΓÇ¥ instead.

+ 5. When you use linked services whose connection information is stored in Azure Key Vault, it is recommended to keep separate key vaults for different environments. You can also configure separate permission levels for each key vault. For example, you might not want your team members to have permissions to production secrets. If you follow this approach, we recommend that you to keep the same secret names across all stages. If you keep the same secret names, you don't need to parameterize each connection string across CI/CD environments because the only thing that changes is the key vault name, which is a separate parameter.

+### Performant copy file

+This method provides a faster way of copying or moving files, especially large volumes of data.

+```python

+mssparkutils.fs.fastcp('source file or directory', 'destination file or directory', True) # Set the third parameter as True to copy all files and directories recursively

+```

+> [!NOTE]

+> The method only supports in Spark 3.3 and Spark 3.4.

+### Reference run multiple notebooks in parallel

+The method `mssparkutils.notebook.runMultiple()` allows you to run multiple notebooks in parallel or with a predefined topological structure. The API is using a multi-thread implementation mechanism within a spark session, which means the compute resources are shared by the reference notebook runs.

+With `mssparkutils.notebook.runMultiple()`, you can:

+- Execute multiple notebooks simultaneously, without waiting for each one to finish.

+- Specify the dependencies and order of execution for your notebooks, using a simple JSON format.

+- Optimize the use of Spark compute resources and reduce the cost of your Synapse projects.

+- View the Snapshots of each notebook run record in the output, and debug/monitor your notebook tasks conveniently.

+- Get the exit value of each executive activity and use them in downstream tasks.

+You can also try to run the mssparkutils.notebook.help("runMultiple") to find the example and detailed usage.

+Here's a simple example of running a list of notebooks in parallel using this method:

+```python

+mssparkutils.notebook.runMultiple(["NotebookSimple", "NotebookSimple2"])

+```

+The execution result from the root notebook is as follows:

+The following is an example of running notebooks with topological structure using `mssparkutils.notebook.runMultiple()`. Use this method to easily orchestrate notebooks through a code experience.

+```python

+# run multiple notebooks with parameters

+DAG = {

+ "activities": [

+ {

+ "name": "NotebookSimple", # activity name, must be unique

+ "path": "NotebookSimple", # notebook path

+ "timeoutPerCellInSeconds": 90, # max timeout for each cell, default to 90 seconds

+ "args": {"p1": "changed value", "p2": 100}, # notebook parameters

+ },

+ {

+ "name": "NotebookSimple2",

+ "path": "NotebookSimple2",

+ "timeoutPerCellInSeconds": 120,

+ "args": {"p1": "changed value 2", "p2": 200}

+ },

+ {

+ "name": "NotebookSimple2.2",

+ "path": "NotebookSimple2",

+ "timeoutPerCellInSeconds": 120,

+ "args": {"p1": "changed value 3", "p2": 300},

+ "retry": 1,

+ "retryIntervalInSeconds": 10,

+ "dependencies": ["NotebookSimple"] # list of activity names that this activity depends on

+ }

+ ]

+}

+mssparkutils.notebook.runMultiple(DAG)

+```

+> [!NOTE]

+>

+> - The method only supports in Spark 3.3 and Spark 3.4.

+> - The parallelism degree of the multiple notebook run is restricted to the total available compute resource of a Spark session.

+Azure Files has limits on the number of open handles per root directory, directory, and file. When using MSIX app attach or app attach, VHDX or CimFS disk images are mounted using the computer account of the session host, meaning one handle is opened per session host per disk image, rather than per user. For more information on the limits and sizing guidance, see [Azure Files scalability and performance targets](../storage/files/storage-files-scale-targets.md#file-scale-targets) and [Azure Files sizing guidance for Azure Virtual Desktop](../storage/files/storage-files-scale-targets.md#azure-files-sizing-guidance-for-azure-virtual-desktop).

+The staging script prepares your machine to receive the MSIX package and mounts the relevant package to your machine.

+To stage packages using PowerShell 6 or later, you need to run the following commands before the staging operations to bring the capabilities of the Windows Runtime package to PowerShell.

+1. Run the following command to download and install the Windows Runtime Package. You only need to run the following commands once per machine.

+ $dllWinRT = Get-ChildItem (Split-Path -Parent $winRT.Source) -Recurse -File WinRT.Runtime.dll

+ $dllSdkNet = Get-ChildItem (Split-Path -Parent $winRT.Source) -Recurse -File Microsoft.Windows.SDK.NET.dll

+To stage packages with PowerShell version 5.1 or earlier, you need to run the following command before the staging operations to bring the capabilities of the Windows Runtime package to PowerShell.

+ $diskImage = "<Local or UNC path to the disk image>"

+ $mount = Mount-CimDiskImage -ImagePath $diskImage -PassThru -NoMountPath

+ $diskImage = "<Local or UNC path to the disk image>"

+ $mount = Mount-DiskImage -ImagePath $diskImage -PassThru -NoDriveLetter -Access ReadOnly

+ $manifest = Get-ChildItem -LiteralPath $deviceId -Recurse -File AppxManifest.xml

+1. Monitor the staging progress for the application package by running the following commands. The time it takes to stage the package depends on its size. The `Status` property of the `$stagingResult` variable will be `RanToCompletion` when the staging is complete.

+ $stagingResult = $asTaskAsyncOperation.Invoke($null, @($asyncOperation))

+ while ($stagingResult.Status -eq "WaitingForActivation") {

+ Write-Output "Waiting for activation..."

+ Start-Sleep -Seconds 5

+ }

+Now that your MSIX package is registered, your application should be available for use in your session. You can now open the application for testing and troubleshooting. Once you're finished, you need to deregister and destage your MSIX package.

+Once you're finished with your MSIX package and are ready to remove it, first you need to deregister it. To deregister the MSIX package, run the following commands in the same PowerShell session. These commands get the disk's `DeviceId` parameter again, and removes the package using the `$msixPackageFullName` variable created in a previous section.

+$appPath = Join-Path (Join-Path $Env:ProgramFiles 'WindowsApps') $msixPackageFullName

+$folderInfo = Get-Item $appPath

+$deviceId = '\\?\' + $folderInfo.Target.Split('\')[0] +'\'

+Write-Output $deviceId #Save this for later

+Finally, to destage the MSIX package, you need to dismount your disk image, run the following command in the same PowerShell session to ensure that the package isn't still registered for any user. This command uses the `$msixPackageFullName` variable created in a previous section.

+```powershell

+Remove-AppxPackage -AllUsers -Package $msixPackageFullName -ErrorAction SilentlyContinue

+### Dismount the disks image

+Dismount-CimDiskImage -DeviceId $deviceId

+Dismount-DiskImage -DevicePath $deviceId.TrimEnd('\')

+If you want to add and remove MSIX packages to your device automatically, you can use the PowerShell commands in this article to create scripts that run at startup, logon, logoff, and shutdown. To learn more, see [Using startup, shutdown, logon, and logoff scripts in Group Policy](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn789196(v=ws.11)/). You need to make sure that any variables required for each phase are available in each script.

+ Write-Host $_ | Out-String

+Azure Files has limits on the number of open handles per root directory, directory, and file. For more information on the limits and sizing guidance, see [Azure Files scalability and performance targets](../storage/files/storage-files-scale-targets.md#file-scale-targets) and [Azure Files sizing guidance for Azure Virtual Desktop](../storage/files/storage-files-scale-targets.md#azure-files-sizing-guidance-for-azure-virtual-desktop).

+| Validation | 1.0.8297.400 |

+## Version 1.0.8297.400 (validation)

+*Published: January 2024*

+In this update, we've made the following changes:

+- General improvements and bug fixes.

+## Version 1.0.7909.1200

+| Insider | 1.2.5126 | [Windows 64-bit](https://go.microsoft.com/fwlink/?linkid=2139233) *(most common)*<br />[Windows 32-bit](https://go.microsoft.com/fwlink/?linkid=2139144)<br />[Windows ARM64](https://go.microsoft.com/fwlink/?linkid=2139368) |

+## Updates for version 1.2.5126 (Insider)

+*Published: January 24, 2024*

+Download: [Windows 64-bit](https://go.microsoft.com/fwlink/?linkid=2139233), [Windows 32-bit](https://go.microsoft.com/fwlink/?linkid=2139144), [Windows ARM64](https://go.microsoft.com/fwlink/?linkid=2139368)

+In this release, we've made the following changes:

+- Fixed the regression that caused a display issue when a user selects monitors for their session.

+- Made the following accessibility improvements:

+ - Improved screen reader experience.

+ - Greater contrast for background color of the connection bar remote commands drop-down menu.

+- Improved client logging, diagnostics, and error classification to help admins troubleshoot connection and feed issues.

+Ultra disks are designed to provide low sub millisecond latencies and provisioned IOPS and throughput 99.99% of the time. Ultra disks also feature a flexible performance configuration model that allows you to independently configure IOPS and throughput, before and after you provision the disk. Ultra disks come in several fixed sizes, ranging from 4 GiB up to 64 TiB.

+Premium SSD v2 offers up to 100 TiBs per region per subscription by default, but supports higher capacity by request. To request an increase in capacity, request a quota increase or contact Azure Support.

+The following table provides an overview of disk capacities and performance maximums to help you decide which to use.

+            "diskControllerTypes": "NVME"

+With VM Image Builder, you can migrate your existing image customization pipeline to Azure as you continue to use existing scripts, commands, and processes. You can integrate your core applications into a VM image, so that your VMs can take on workloads after the images are created. You can even add configurations to build images for Azure Virtual Desktop, as virtual hard disks (VHDs) for use in Azure Stack, or for ease of exporting.

+ | VPN Gateway (Basic SKU or VpnGw1-5 SKU using Basic IPs) | New VPN Gateway SKU required. Create a [new VPN Gateway with a Standard SKU IP](../../vpn-gateway/tutorial-create-gateway-portal.md). |

+| ExpressRoute Gateway (using Basic IPs) | New ExpressRoute Gateway required. Create a [new ExpressRoute Gateway with a Standard SKU IP](../../expressroute/expressroute-howto-add-gateway-portal-resource-manager.md). For non-production workloads, use this [migration script (Preview)](../../expressroute/gateway-migration.md). |

+| **AzureFrontDoor.Frontend** <br/> **AzureFrontDoor.Backend** <br/> **AzureFrontDoor.FirstParty** | *Frontend* service tag contains the IP addresses that clients use to reach Front Door. You can apply the **AzureFrontDoor.Frontend** service tag when you want to control the outbound traffic that can connect to services behind Azure Front Door. *Backend* service tag contains the IP addresses that Azure Front Door uses to access your origins. You can apply this service tag when you [configure security for your origins](../frontdoor/origin-security.md). *FirstParty* is a special tag reserved for a select group of Microsoft services hosted on Azure Front Door. | Both | Yes | Yes |

+1. [Generate files to configure the VPN client](#1-generate-vpn-client-configuration-files).

+1. [Generate certificates for the VPN client](#2-generate-client-certificates).

+1. [Configure the VPN client](#3-configure-the-vpn-client). The steps you use to configure your VPN client depend on the tunnel type for your P2S VPN gateway, and the VPN client on the client computer.

+ * **IKEv2 and SSTP - native VPN client steps** - If your P2S VPN gateway is configured to use IKEv2/SSTP and certificate authentication, you can connect to your VNet using the native VPN client that's part of your Windows operating system. This configuration doesn't require additional client software. For steps, see [IKEv2 and SSTP - native VPN client](point-to-site-vpn-client-certificate-windows-native.md).

+ * **OpenVPN** - If your P2S VPN gateway is configured to use an OpenVPN tunnel and certificate authentication, you have the option of using either the [Azure VPN Client](#openvpn), or the [OpenVPN client](#azurevpn) steps in this article.

+* [IKEv2 and SSTP - native VPN client steps](point-to-site-vpn-client-certificate-windows-native.md)

+ Title: 'Configure P2S VPN clients: certificate authentication: Windows native client'

+description: Learn how to configure the native VPN client on a Windows computer for point-to-site certificate authentication connections.

+# Configure the Windows native VPN client for P2S Certificate Authentication connections

+If your point-to-site (P2S) VPN gateway is configured to use IKEv2/SSTP and certificate authentication, you can connect to your virtual network using the native VPN client that's part of your Windows operating system. This article walks you through the steps to configure the native VPN client and connect to your virtual network.

+## Before you begin

+This article assumes that you've already performed the following prerequisites:

+* You created and configured your VPN gateway for point-to-site certificate authentication and an IKEv2/SSTP tunnel type. See [Configure server settings for P2S VPN Gateway connections - certificate authentication](vpn-gateway-howto-point-to-site-resource-manager-portal.md) for steps.

+* You generated client certificates and downloaded the VPN client configuration files. See [Point-to-site VPN clients: certificate authentication - Windows ](point-to-site-vpn-client-cert-windows.md)

+Before beginning the workflow, verify that you're on the correct VPN client configuration article. The following table shows the configuration articles available for VPN Gateway point-to-site VPN clients. Steps differ, depending on the authentication type, tunnel type, and the client OS.

+## View configuration files

+The VPN client profile configuration package contains specific folders. The files within the folders contain the settings needed to configure the VPN client profile on the client computer. The files and the settings they contain are specific to the VPN gateway and the type of authentication and tunnel your VPN gateway is configured to use.

+Locate and unzip the VPN client profile configuration package you generated. For Certificate authentication and IKEv2/SSTP, you'll see the following files:

+* **WindowsAmd64** and **WindowsX86** contain the Windows 64-bit and 32-bit installer packages, respectively. The **WindowsAmd64** installer package is for all supported 64-bit Windows clients, not just AMD.

+* **Generic** contains general information used to create your own VPN client configuration. The Generic folder is provided if IKEv2 or SSTP+IKEv2 was configured on the gateway. If only SSTP is configured, then the Generic folder isnΓÇÖt present.

+## Configure the VPN client profile

+To connect, you'll first need to configure the VPN client with the required settings. You do this by configuring the VPN client profile using the settings contained in the VPN client configuration package. The settings in the package are specific to the VPN gateway to which you connect.

+You can use the same VPN client configuration package on each Windows client computer, as long as the version matches the architecture for the client. For the list of client operating systems that are supported, see the point-to-site section of the [VPN Gateway FAQ](vpn-gateway-vpn-faq.md#P2S).

+>[!NOTE]

+>You must have Administrator rights on the Windows client computer from which you want to connect.

+1. Select the VPN client configuration files that correspond to the architecture of the Windows computer. For a 64-bit processor architecture, choose the 'VpnClientSetupAmd64' installer package. For a 32-bit processor architecture, choose the 'VpnClientSetupX86' installer package.

+1. Double-click the package to install it. If you see a SmartScreen popup, select **More info**, then **Run anyway**.

+1. Install the client certificate. Typically, you can do this by double-clicking the certificate file and providing a password (if required). For more information, see [Install client certificates](point-to-site-how-to-vpn-client-install-azure-cert.md).

+## Connect

+Connect to your virtual network via point-to-site VPN.

+1. Go to the **VPN** settings and locate the VPN connection that you created. It's the same name as your virtual network. Select **Connect**. A pop-up message might appear. Select **Continue** to use elevated privileges.

+1. On the **Connection status** page, select **Connect** to start the connection. If you see a **Select Certificate** screen, verify that the client certificate showing is the one that you want to use to connect. If it isn't, use the drop-down arrow to select the correct certificate, and then select **OK**.

+## Next steps

+[Point-to-site configuration steps](vpn-gateway-howto-point-to-site-resource-manager-portal.md)

+1. Navigate to your **Virtual network gateway -> Point-to-site configuration** page in the **Root certificate** section. This section is only visible if you have selected **Azure certificate** for the authentication type.

+The Azure-managed rule sets in the Application Gateway web application firewall (WAF) actively protect web applications from common vulnerabilities and exploits. These rule sets, managed by Azure, receive updates as necessary to guard against new attack signatures. The default rule set also incorporates the Microsoft Threat Intelligence Collection rules. The Microsoft Intelligence team collaborates in writing these rules, ensuring enhanced coverage, specific vulnerability patches, and improved false positive reduction.

+You also have the option of using rules that are defined based on the OWASP core rule sets 3.2, 3.1, 3.0, or 2.2.9.

+You can disable rules individually, or set specific actions for each rule. This article lists the current rules and rule sets available. If a published rule set requires an update, we'll document it here.

+> When changing from one ruleset version to another all disabled and enabled rule settings will return to the default for the ruleset you're migrating to. This means that if you previously disabled or enabled a rule, you will need to disable or enable it again once you've moved to the new ruleset version.

+> Please use the following guidance to tune WAF while you get started with 2.1 on Application Gateway WAF. Details of the rules are described next.

+The Application Gateway WAF comes preconfigured with CRS 3.2 by default, but you can choose to use any other supported CRS version.

+By default, DRS version 2.1 / CRS version 3.2 and above uses anomaly scoring when a request matches a rule. CRS 3.1 and below blocks matching requests by default. Additionally, custom rules can be configured in the same WAF policy if you want to bypass any of the preconfigured rules in the Core Rule Set.

+DRS 2.1 rules offer better protection than earlier versions of the DRS. It includes more rules developed by the Microsoft Threat Intelligence team and updates to signatures to reduce false positives. It also supports transformations beyond just URL decoding.

+|911100|Method isn't allowed by policy|

+|920160|Content-Length HTTP header isn't numeric.|

+|920420|Request content type isn't allowed by policy|

+|920430|HTTP protocol version isn't allowed by policy|

+|920480|Request content type charset isn't allowed by policy|

+|911100|Method isn't allowed by policy|

+|920160|Content-Length HTTP header isn't numeric.|

+|920420|Request content type isn't allowed by policy|

+|920430|HTTP protocol version isn't allowed by policy|

+|911100|Method isn't allowed by policy|

+|920160|Content-Length HTTP header isn't numeric.|

+|920420|Request content type isn't allowed by policy|

+|920430|HTTP protocol version isn't allowed by policy|

+|911100|Method isn't allowed by policy|

+|920160|Content-Length HTTP header isn't numeric.|

+|920420|Request content type isn't allowed by policy|

+|920430|HTTP protocol version isn't allowed by policy|

+|960016|Content-Length HTTP header isn't numeric.|

+|960032|Method isn't allowed by policy|

+|960010|Request content type isn't allowed by policy|

+|960034|HTTP protocol version isn't allowed by policy|