-> Microsoft recommends that you have a Conditional Access policy for unsupported device platforms. As an example, if you want to block access to your corporate resources from Linux or any other unsupported clients, you should configure a policy with a Device platforms condition that includes any device and excludes supported device platforms and Grant control set to Block access.

-Organizations who have deployed Microsoft Intune can use the information returned from their devices to identify devices that meet specific compliance requirements. This policy compliance information is forwarded from Intune to Azure AD where Conditional Access can make decisions to grant or block access to resources. For more information about compliance policies, see the article [Set rules on devices to allow access to resources in your organization using Intune](/intune/protect/device-compliance-get-started).

- - Only supports Windows Windows current (Windows 10+), iOS, Android and macOS devices registered with Azure AD and enrolled with Intune.

- - Conditional Access cannot consider Microsoft Edge in InPrivate mode as a compliant device.

-When using the [device-code OAuth flow](../develop/v2-oauth2-device-code.md), the require managed device grant control or a device state condition are not supported. This is because the device performing authentication cannot provide its device state to the device providing a code and the device state in the token is locked to the device performing authentication. Use the require multi-factor authentication grant control instead.

- - Conditional Access cannot consider Microsoft Edge in InPrivate mode as a hybrid Azure AD joined device.

-In order to apply this grant control, Conditional Access requires that the device is registered in Azure Active Directory, which requires the use of a broker app. The broker app can be the Microsoft Authenticator for iOS, or either the Microsoft Authenticator or Microsoft Company portal for Android devices. If a broker app is not installed on the device when the user attempts to authenticate, the user gets redirected to the appropriate app store to install the required broker app.

-In order to apply this grant control, Conditional Access requires that the device is registered in Azure Active Directory, which requires the use of a broker app. The broker app can be either the Microsoft Authenticator for iOS, or the Microsoft Company portal for Android devices. If a broker app is not installed on the device when the user attempts to authenticate, the user gets redirected to the app store to install the broker app.

- - A broker app is required to register the device. On iOS, the broker app is Microsoft Authenticator and on Android, it is Intune Company Portal app.

-When a user is prompted to change their password, they will first be required to complete multi-factor authentication. YouΓÇÖll want to make sure all of your users have registered for multi-factor authentication, so they are prepared in case risk is detected for their account.

-1. Require password change cannot be used with other controls, like requiring a compliant device.

-1. The password change control can only be used with the user and group assignment condition, cloud app assignment condition (which must be set to all) and user risk conditions.

-To improve the security of Linux virtual machines (VMs) in Azure, you can integrate with Azure Active Directory (Azure AD) authentication. You can now use Azure AD as a core authentication platform and a certificate authority to SSH into a Linux VM using Azure AD and openSSH certificate-based authentication. This functionality allows organizations to centrally control and enforce Azure role-based access control (RBAC) and Conditional Access policies that manage access to the VMs. This article shows you how to create and configure a Linux VM and login with Azure AD using openSSH certificate-based authentication.

-| RedHat Enterprise Linux | RHEL 7.4 to RHEL 7.10, RHEL 8.3+ |

-| SUSE Linux Enterprise Server | SLES 12, SLES 15.1+ |

-If you choose to install and use the CLI locally, this tutorial requires that you are running the Azure CLI version 2.22.1 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI](/cli/azure/install-azure-cli).

-To enable Azure AD login using SSH certificate-based authentication for your Linux VMs in Azure, you need to ensure the following network, virtual machine, and client (ssh client) requirements are met.

-You can enable Azure AD login for any of the supported Linux distributions mentioned above using the Azure portal.

-As an example, to create an Ubuntu Server 18.04 LTS VM in Azure with Azure AD logon:

-1. Go through the rest of the experience of creating a virtual machine. During this preview, you will have to create an administrator account with username and password/SSH public key.

-If you choose to install and use the CLI locally, this article requires that you are running the Azure CLI version 2.22.1 or later. Run `az --version` to find the version. If you need to install or upgrade, see the article Install Azure CLI.

-The following example deploys a VM named *myVM*, using *Ubuntu 18.04 LTS*, into a resource group named *AzureADLinuxVM*, in the *southcentralus* region. It then installs the *Azure AD login VM extension* to enable Azure AD login for Linux VM. VM extensions are small applications that provide post-deployment configuration and automation tasks on Azure virtual machines.

-The AADSSHLoginForLinux extension can be installed on an existing (supported distribution) Linux VM with a running VM agent to enable Azure AD authentication. If deploying this extension to a previously created VM, ensure the machine has at least 1 GB of memory allocated else the extension will fail to install.

-Now that you have created the VM, you need to configure Azure RBAC policy to determine who can log in to the VM. Two Azure roles are used to authorize VM login:

-To allow a user to log in to the VM over SSH, you must assign them either the Virtual Machine Administrator Login or Virtual Machine User Login role. An Azure user with the Owner or Contributor roles assigned for a VM do not automatically have privileges to Azure AD login to the VM over SSH. This separation is to provide audited separation between the set of people who control virtual machines versus the set of people who can access virtual machines.

-If you are using Azure Cloud Shell, then no other setup is needed as both the minimum required version of Az CLI and SSH extension for Az CLI are already included in the Cloud Shell environment.

-You can enforce Conditional Access policies such as require MFA for the user, require compliant/Hybrid Azure AD joined device for the device running SSH client, check for low user and sign-in risk before authorizing access to Linux VMs in Azure that are enabled with Azure AD login in.

-To apply Conditional Access policy, you must select the "Azure Linux VM Sign-In" app from the cloud apps or actions assignment option and then use user and /or sign-in risk as a condition and Access controls as Grant access after satisfying require multi-factor authentication and/or require compliant/Hybrid Azure AD joined device.

-If prompted, enter your Azure AD login credentials at the login page, perform an MFA, and/or satisfy device checks. You will only be prompted if your az CLI session does not already meet any required Conditional Access criteria. Close the browser window, return to the SSH prompt, and you will be automatically connected to the VM.

-You are now signed in to the Azure Linux virtual machine with the role permissions as assigned, such as VM User or VM Administrator. If your user account is assigned the Virtual Machine Administrator Login role, you can use sudo to run commands that require root privileges.

-Then you can use the normal az ssh vm commands to connect using name and resource group or IP address of the VM.

-Once, users assigned the VM Administrator role successfully SSH into a Linux VM, they will be able to run sudo with no other interaction or authentication requirement. Users assigned the VM User role will not be able to run sudo.

-Virtual machine scale sets usually don't have public IP addresses, so you must have connectivity to them from another machine that can reach their Azure virtual network. This example shows how to use the private IP of a virtual machine scale set VM to connect from a machine in the same virtual network.

-1. Install the AADSSHLoginForLinux extension on the VM

-Use Azure Policy to ensure Azure AD login is enabled for your new and existing Linux virtual machines and assess compliance of your environment at scale on your Azure Policy compliance dashboard. With this capability, you can use many levels of enforcement: you can flag new and existing Linux VMs within your environment that do not have Azure AD login enabled. You can also use Azure Policy to deploy the Azure AD extension on new Linux VMs that do not have Azure AD login enabled, as well as remediate existing Linux VMs to the same standard. In addition to these capabilities, you can also use Azure Policy to detect and flag Linux VMs that have non-approved local accounts created on their machines. To learn more, review [Azure Policy](../../governance/policy/overview.md).

-### Could not retrieve token from local cache

-If you see the following error on your SSH prompt, verify that you have configured Azure RBAC policies for the VM that grants the user either the Virtual Machine Administrator Login or Virtual Machine User Login role. If you are running into issues with Azure role assignments, see the article [Troubleshoot Azure RBAC](../../role-based-access-control/troubleshooting.md#azure-role-assignments-limit).

-If the uninstall scripts fail, the extension may get stuck in a transitioning state. When this happens, it can leave packages that it is supposed to uninstall during its removal. In such cases, it is better to manually uninstall the old packages and then try to run az vm extension delete command.

-1. Make sure there are no logged in AAD users. Call **who -u** command to see who is logged in; then **sudo kill** `<pid>` for all session processes reported by the previous command.

-1. Run **sudo apt remove --purge aadlogin** (Ubuntu/Debian), **sudo yum erase aadlogin** (RHEL/CentOS) or **sudo zypper remove aadlogin** (OpenSuse/SLES).

- 1. For Ubuntu/Deian run **sudo dpkg --purge aadlogin** . If it is still failing because of the script, delete **/var/lib/dpkg/info/aadlogin.prerm** file and try again.

- 1. For everything else run **rpm -e ΓÇônoscripts aadogin**.

-1. Repeat steps 3-4 for package **aadlogin-selinux**.

-Cause 1: This failure is due to a System Assigned Managed Identity being required.

-1. Enable a System Assigned Managed Identity on the Azure VM.

-Cause 1: The user is not assigned to the either the Virtual Machine Administrator/User Login Azure RBAC roles within the scope of this VM.

-Cause 2: The user is in a required Azure RBAC role but the System Assigned managed identity has been disabled on the VM.

-1. Enable the System Assigned managed identity on the VM.

-Virtual machine scale set VM connections may fail if the virtual machine scale set instances are running an old model. Upgrading virtual machine scale set instances to the latest model may resolve issues, especially if an upgrade has not been done since the Azure AD Login extension was installed. Upgrading an instance applies a standard virtual machine scale set configuration to the individual instance.

->- [Teams admin center](https://admin.teams.microsoft.com) - Global Reader cannot read **Teams lifecycle**, **Analytics & reports**, **IP phone device management** and **App catalog**.

-Windows Defender ATP and EDR | Assign roles<br>Manage machine groups<br>Configure endpoint threat detection and automated remediation<br>View, investigate, and respond to alerts

-| Windows Defender ATP and EDR | All permissions of the Security Reader role<br>View, investigate, and respond to security alerts |

-Windows Defender ATP and EDR | View and investigate alerts. When you turn on role-based access control in Windows Defender ATP, users with read-only permissions such as the Azure AD Security Reader role lose access until they are assigned to a Windows Defender ATP role.

-1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

- 

-1. In the **Basic SAML Configuration** section, if you see **Service Provider metadata file**, follow these steps:

- 1. Select **Upload metadata file**.

- 1. Select the folder icon to select the metadata file which you have downloaded in **Configure Palantir Foundry SSO** section, and then select **Upload**.

- 1. When the metadata file is successfully uploaded, the values for **Identifier** and **Reply URL** appear automatically in the Palantir Foundry section text box.

- > If the **Identifier** and **Reply URL** values don't appear automatically, fill in the values manually according to your requirements.

-1. If you don't see **Service Provider metadata file** in the **Basic SAML Configuration** section, perform the following steps:

- 1. In the **Identifier** text box, type a value using the following pattern: `urn:uuid:<SOME_UUID>`

- 1. In the **Reply URL** text box, type a URL using the following pattern: `https://<DOMAIN>/multipass/api/collectors/<SOME_UUID>/saml/SSO`

- 1. In the **Logout URL** text box, type a URL using the following pattern: `https://<DOMAIN>/multipass/api/collectors/<SOME_UUID>/SingleLogout`

- > [!NOTE]

- > These values are not real. Update these values with the actual Identifier, Reply URL and Logout URL. Contact [Palantir Foundry Client support team](mailto:support@palantir.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

-1. On the **Set up Palantir Foundry** section, copy the appropriate URL(s) based on your requirement.

- 

-1. Log in to the Palantir Foundry as an administrator.

-1. In Foundry Control Panel tab, go to the **Authentication** and click **Add SAML provider**.

-Once you configure Palantir Foundry you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

-FIPS-enabled node pools are currently in preview.

-You will need the *aks-preview* Azure CLI extension version *0.5.11* or later. Install the *aks-preview* Azure CLI extension by using the [az extension add][az-extension-add] command. Or install any available updates by using the [az extension update][az-extension-update] command.

-```azurecli-interactive

-# Install the aks-preview extension

-az extension add --name aks-preview

-# Update the extension to make sure you have the latest version installed

-az extension update --name aks-preview

-```

-> To call the API from the PowerApps test console, you need to add the "https://flow.microsoft.com" URL as an origin to the [CORS policy](api-management-cross-domain-policies.md#CORS) in your API Management instance.

-> This article describes a feature that is currently in preview. You should use this feature for dev environments first before migrating any production environments to ensure there are no unexpected issues. Please provide any feedback related to this article or the feature using the buttons at the bottom of the page.

-An App Service Environment v2 can be migrated to an [App Service Environment v3](overview.md). To learn more about the migration process and to see if your App Service Environment supports migration at this time, see the [Migration to App Service Environment v3 Overview](migrate.md).

-For the initial preview of the migration feature, you should follow the below steps in order and as written since you'll be making Azure REST API calls. The recommended way for making these calls is by using the [Azure CLI](/cli/azure/). For information about other methods, see [Getting Started with Azure REST](/rest/api/azure/).

-## 2. Delegate your App Service Environment subnet

-App Service Environment v3 requires the subnet it's in to have a single delegation of `Microsoft.Web/hostingEnvironments`. Previous versions didn't require this delegation. You'll need to confirm your subnet is delegated properly and update the delegation if needed before migrating. You can update the delegation either by running the following command or by navigating to the subnet in the [Azure portal](https://portal.azure.com).

-```azurecli

-az network vnet subnet update -g $ASE_RG -n <subnet-name> --vnet-name <vnet-name> --delegations Microsoft.Web/hostingEnvironments

-```

-

-## 3. Validate migration is supported

-The following command will check whether your App Service Environment is supported for migration. If you receive an error or if your App Service Environment is in an unhealthy or suspended state, you can't migrate at this time. For an estimate of when you can migrate, see the [timeline](migrate.md#preview-limitations). If your environment [won't be supported for migration](migrate.md#migration-feature-limitations) or you want to migrate to App Service Environment v3 without using the migration feature, see [migration alternatives](migration-alternatives.md).

-## 4. Generate IP addresses for your new App Service Environment v3

-Run the following command to create the new IPs. This step will take about 5 minutes to complete. Don't scale or make changes to your existing App Service Environment during this time.

-az rest --method post --uri "${ASE_ID}/migrate?api-version=2021-02-01&phase=premigration" --verbose

-az rest --method get --uri "${ASE_ID}?api-version=2018-11-01" --query properties.status

-az rest --method get --uri "${ASE_ID}/configurations/networking?api-version=2018-11-01"

-## 5. Update dependent resources with new IPs

-Don't move on to full migration immediately after completing the previous step. Using the new IPs, update any resources and networking components to ensure your new environment functions as intended once migration is complete. It's your responsibility to make any necessary updates.

-## 6. Full migration

-Only start this step once you've completed all pre-migration actions listed above and understand the [implications of full migration](migrate.md#full-migration) including what will happen during this time. There will be about one hour of downtime. Don't scale or make changes to your existing App Service Environment during this step.

-az rest --method post --uri "${ASE_ID}/migrate?api-version=2021-02-01&phase=fullmigration" --verbose

-az rest --method get --uri "${ASE_ID}?api-version=2018-11-01" --query properties.status

-Once you get a status of "Ready", migration is done and you have an App Service Environment v3.

-> This article describes a feature that is currently in preview. You should use this feature for dev environments first before migrating any production environments to ensure there are no unexpected issues. Please provide any feedback related to this article or the feature using the buttons at the bottom of the page.

-App Service can now migrate your App Service Environment v2 to an [App Service Environment v3](overview.md). App Service Environment v3 provides [advantages and feature differences](overview.md#feature-differences) over earlier versions. Make sure to review the [supported features](overview.md#feature-differences) of App Service Environment v3 before migrating to reduce the risk of an unexpected application issue.

-### Preview limitations

-For this version of the preview, your new App Service Environment will be placed in the existing subnet that was used for your old environment. Internet facing App Service Environment cannot be migrated to ILB App Service Environment v3 and vice versa.

-The following scenarios aren't supported in this version of the preview.

-The App Service platform will review your App Service Environment to confirm migration support. If your scenario doesn't pass all validation checks, you won't be able to migrate at this time.

-## Overview of the migration process

-Migration consists of a series of steps that must be followed in order. Key points are given below for a subset of the steps. It's important to understand what will happen during these steps and how your environment and apps will be impacted. After reviewing the following information and when you're ready to migrate, follow the [step-by-step guide](how-to-migrate.md).

-> [!NOTE]

-> For this version of the preview, migration must be carried out using Azure REST API calls.

->

-### Delegate your App Service Environment subnet

-App Service Environment v3 requires the subnet it's in to have a single delegation of `Microsoft.Web/hostingEnvironments`. If the App Service Environment's subnet isn't delegated or it's delegated to a different resource, migration will fail.

-The platform will create the [new inbound IP (if you're migrating an internet facing App Service Environment) and the new outbound IP](networking.md#addresses). While these IPs are getting created, activity with your existing App Service Environment won't be interrupted, however, you won't be able to scale or make changes to your existing environment. This process will take about 5 minutes to complete.

-When completed, you'll be given the new IPs that will be used by your future App Service Environment v3. These new IPs have no effect on your existing environment. The IPs used by your existing environment will continue to be used up until your existing environment is shut down during the full migration step.

-### Full migration

-After updating all dependent resources with your new IPs, you should continue with full migration as soon as possible. It's recommended that you move on within one week.

-During full migration, the following events will occur:

- - If you can't support downtime, see [migration-alternatives](migration-alternatives.md#guidance-for-manual-migration)

-There's no cost to migrate your App Service Environment. You'll stop being charged for your previous App Service Environment as soon as it shuts down during the full migration process, and you'll begin getting charged for your new App Service Environment v3 as soon as it's deployed. For more information about App Service Environment v3 pricing, see the [pricing details](overview.md#pricing).

-## Migration feature limitations

-The migration feature doesn't plan on supporting App Service Environment v1 within a classic VNet. See [migration alternatives](migration-alternatives.md) if your App Service Environment falls into this category. Also, you won't be able to migrate if your App Service Environment is in an unhealthy or suspended state.

- Yes, you should expect about one hour of downtime during the full migration step so plan accordingly. If downtime isn't an option for you, see [migration alternatives](migration-alternatives.md).

-> The App Service Environment v3 [migration feature](migrate.md) is now available in preview for a set of supported environment configurations. Consider that feature which provides an automated migration path to [App Service Environment v3](overview.md).

-If you're currently using App Service Environment v1 or v2, you have the opportunity to migrate your workloads to [App Service Environment v3](overview.md). App Service Environment v3 has [advantages and feature differences](overview.md#feature-differences) that provide enhanced support for your workloads and can reduce overall costs. Consider using the [migration feature](migrate.md) if your environment falls into one of the [supported scenarios](migrate.md#supported-scenarios). If your environment isn't currently supported by the migration feature, you can wait for support if your scenario is listed in the [upcoming supported scenarios](migrate.md#preview-limitations). Otherwise, you can choose to use one of the alternative migration options given below.

-Note that multiple App Service Environments can't exist in a single subnet. If you need to use your existing subnet for your new App Service Environment v3, you'll need to delete the existing App Service Environment before you create a new one. For this scenario, the recommended migration method is to [back up your apps and then restore them](#back-up-and-restore) on the new environment after it gets created and configured. There will be application downtime during this process because of the time it takes to delete the old environment (15 minutes), create the new App Service Environment v3 (30 minutes), configure any infrastructure and connected resources to work with the new environment (your responsibility), and deploy your apps onto the new environment (application deployment, type, and quantity dependent).

-The step-by-step instructions in the current documentation for [back up](../manage-backup.md) and [restore](../web-sites-restore.md) should be sufficient to allow you to use this feature. When restoring, the **Storage** option lets you select any backup ZIP file from any existing Azure Storage account container in your subscription. A sample of a restore configuration is given below.

-|Multiple apps can be restored at the same time (restoration needs to be configured for each app individually) |Old and new environments as well as supporting resources (for example apps, databases, storage accounts and containers) must all be in the same subscription |

-This solution is recommended for users that are using Windows App Service and can't migrate using the [migration feature](migrate.md). You'll need to set up your new App Service Environment v3 before cloning any apps. Cloning an app can take up to 30 minutes to complete. Cloning can be done using PowerShell as described in the [documentation](../app-service-web-app-cloning.md#cloning-an-existing-app-to-an-app-service-environment) or using the Azure portal as described below.

-1. Select an existing or create a new **Resource Group**

-1. Use your App Service Environment v3 name for **Region**

-1. Choose whether or not to clone your deployment source

-|Can integrate with [Azure Traffic Manager](../../traffic-manager/traffic-manager-overview.md) and [Azure Application Gateway](../../application-gateway/overview.md) to distribute traffic across old and new environments |Old and new environments as well as supporting resources (for example apps, databases, storage accounts and containers) must all be in the same subscription |

-

-1. Push Model: This uses [App Configuration events](./concept-app-configuration-event.md) to detect changes in configuration. Once App Configuration is set up to send key value change events to Azure Event Grid, the application can use these events to optimize the total number of requests needed to keep the configuration updated. Applications can choose to subscribe to these either directly from Event Grid, or though one of the [supported event handlers](../event-grid/event-handlers.md) such as a webhook, an Azure function or a Service Bus topic.

-Applications can choose to subscribe to these events either directly from Event Grid, or through a web hook, or by forwarding events to Azure Service Bus. The Azure Service Bus SDK provides an API to register a message handler that simplifies this process for applications that either do not have an HTTP endpoint or do not wish to poll the event grid for changes continuously.

-This tutorial uses the Service Bus integration for Event Grid to simplify the detection of configuration changes for applications that do not wish to poll App Configuration for changes continuously. The Azure Service Bus SDK provides an API to register a message handler that can be used to update configuration when changes are detected in App Configuration. Follow steps in the [Quickstart: Use the Azure portal to create a Service Bus topic and subscription](../service-bus-messaging/service-bus-quickstart-topics-subscriptions-portal.md) to create a service bus namespace, topic and subscription.

-The [SetDirty](/dotnet/api/microsoft.extensions.configuration.azureappconfiguration.iconfigurationrefresher.setdirty) method is used to set the cached value for key-values registered for refresh as dirty. This ensures that the next call to `RefreshAsync` or `TryRefreshAsync` re-validates the cached values with App Configuration and updates them if needed.

-1. Set an environment variable named **AppConfigurationConnectionString**, and set it to the access key to your App Configuration store. If you use the Windows command prompt, run the following command and restart the command prompt to allow the change to take effect:

- setx AppConfigurationConnectionString "connection-string-of-your-app-configuration-store"

- $Env:AppConfigurationConnectionString = "connection-string-of-your-app-configuration-store"

- If you use macOS or Linux, run the following command:

- export AppConfigurationConnectionString='connection-string-of-your-app-configuration-store'

- dotnet build

- dotnet run

-az sql mi-arc create --name sqldemo --resource-group rg --location uswest2 ΓÇôsubscription a97da202-47ad-4de9-8991-9f7cf689eeb9 --custom-location private-location

-# Azure Arc-enabled SQL Managed Instance high availability

-Azure Arc-enabled SQL Managed Instance is deployed on Kubernetes as a containerized application and uses kubernetes constructs such as stateful sets and persistent storage to provide built-in health monitoring, failure detection, and failover mechanisms to maintain service health. For increased reliability, you can also configure Azure Arc-enabled SQL Managed Instance to deploy with extra replicas in a high availability configuration. Monitoring, failure detection, and automatic failover are managed by the Arc data services data controller. This service is provided without user intervention ΓÇô all from availability group setup, configuring database mirroring endpoints, to adding databases to the availability group or failover and upgrade coordination. This document explores both types of high availability.

-## Built-in high availability

-Built-in high availability is provided by Kubernetes when remote persistent storage is configured and shared with nodes used by the Arc data service deployment. In this configuration, Kubernetes plays the role of the cluster orchestrator. When the managed instance in a container or the underlying node fails, the orchestrator bootstraps another instance of the container and attaches to the same persistent storage. This type is enabled by default when you deploy Azure Arc-enabled SQL Managed Instance.

-This section, you verify the built-in high availability provided by Kubernetes. When you follow the steps to test out this functionality, you delete the pod of an existing managed instance and verify that Kubernetes recovers from this action.

- For example

-## Deploy with Always On availability groups

-For increased reliability, you can configure Azure Arc-enabled SQL Managed Instance to deploy with extra replicas in a high availability configuration.

-Capabilities that availability groups enable:

-### Deploy

-To deploy a managed instance with availability groups, run the following command.

-az sql mi-arc create -n <name of instance> --replicas 3 --k8s-namespace <namespace> --use-k8s

-### Check status

-Once the instance has been deployed, run the following commands to check the status of your instance:

-az sql mi-arc list --k8s-namespace <namespace> --use-k8s

-az sql mi-arc show -n <name of instance> --k8s-namespace <namespace> --use-k8s

-Example output:

-```output

-user@pc:/# az sql mi-arc list --k8s-namespace <namespace> --use-k8s

-ExternalEndpoint Name Replicas State

- - -

-20.131.31.58,1433 sql2 3/3 Ready

-user@pc:/# az sql mi-arc show -n sql2 --k8s-namespace <namespace> --use-k8s

-{

-...

- "status": {

- "externalEndpoint": "20.131.31.58,1433",

- "logSearchDashboard": "link to logs dashboard",

- "metricsDashboard": "link to metrics dashboard",

- "readyReplicas": "3/3",

-}

-Notice the additional number of `Replicas` and the `AGstatus` field indicating the health of the availability group. If all replicas are up and synchronized, then this value is `healthy`.

-### Restore a database

- Create the kubernetes service to the primary instance by running the command below if your kubernetes cluster uses nodePort services. Replace `podName` with the name of the server returned at previous step, `serviceName` with the preferred name for the Kubernetes service created.

- ```bash

- ```bash

- ```bash

- ```bash

->```bash

-Azure Arc-enabled SQL Managed Instance availability groups has the same [limitations as Big Data Cluster availability groups. Click here to learn more.](/sql/big-data-cluster/deployment-high-availability#known-limitations)

-|CRD names and versions | `datacontrollers.arcdata.microsoft.com`: v1beta1, v1, v2 <br/>`exporttasks.tasks.arcdata.microsoft.com`: v1beta1, v1, v2 <br/>`monitors.arcdata.microsoft.com`: v1beta1, v1, v2 <br/>`sqlmanagedinstances.sql.arcdata.microsoft.com`: v1beta1, v1, v2 <br/>`postgresqls.arcdata.microsoft.com`: v1beta1, v2beta2 <br/>`sqlmanagedinstancerestoretasks.tasks.sql.arcdata.microsoft.com`: v1beta1, v1 <br/>`dags.sql.arcdata.microsoft.com`: v1beta1, v2beta2<br/>`activedirectoryconnectors.arcdata.microsoft.com`: v1beta1 |

-|CRD names and versions | `datacontrollers.arcdata.microsoft.com`: v1beta1, v1, v2 <br/>`exporttasks.tasks.arcdata.microsoft.com`: v1beta1, v1, v2 <br/>`monitors.arcdata.microsoft.com`: v1beta1, v1, v2 <br/>`sqlmanagedinstances.sql.arcdata.microsoft.com`: v1beta1, v1, v2 <br/>`postgresqls.arcdata.microsoft.com`: v1beta1, v2beta2 <br/>`sqlmanagedinstancerestoretasks.tasks.sql.arcdata.microsoft.com`: v1beta1, v1 <br/>`dags.sql.arcdata.microsoft.com`: v1beta1, v2beta2 |

-|Azure Monitor Agent |Microsoft.Azure.Monitor |AzureMonitorWindowsAgent |[Install the Azure Monitor agent (preview)](../../azure-monitor/agents/azure-monitor-agent-install.md) |

-|Azure Monitor Agent |Microsoft.Azure.Monitor |AzureMonitorLinuxAgent |[Install the Azure Monitor agent (preview)](../../azure-monitor/agents/azure-monitor-agent-install.md) |

-| [Zone redundancy](#zone-redundancy) | Multi-node replicated configuration across AZs, with automatic failover | Up to 99.99% (see [details](https://azure.microsoft.com/support/legal/sla/cache/v1_1/)) |-|Γ£ö|Γ£ö|

-*redis-cli.exe* is a popular command-line tool for interacting with an Azure Cache for Redis as a client. This tool is also available for use with Azure Cache for Redis.

-The tool is available for Windows platforms by downloading the [Redis command-line tools for Windows](https://github.com/MSOpenTech/redis/releases/).

- Add the following entry for *redis-cli.exe* under the **Service definitions** section. Insert your actual cache name in place of `yourcachename`.

- ```

- Save and close the configuration file.

-When using *stunnel*, run *redis-cli.exe*, and pass only your *port*, and *access key* (primary or secondary) to connect to the cache.

-```

-```

- input_ = context.get_input()

- return f"Hello {name}!"

- input_ = context.get_input()

- result = yield context.call_activity('SayHello', name)

-Enables debug-level logging in a Python function app. A value of '1' enables debug-level logging. Without this setting, only information and higher level logs are sent from the Python worker to the Functions host. Use this setting when debugging or tracing your Python function executions.

-|Key|Sample value|

-|||

-|PYTHON_ENABLE_DEBUG_LOGGING|`1`|

-Working with the trigger and bindings requires that you reference the appropriate package. The NuGet package is used for .NET class libraries while the extension bundle is used for all other application types.

-The Azure SQL bindings for Azure Functions are open source and available on the repository at [https://github.com/Azure/azure-functions-sql-extension](https://github.com/Azure/azure-functions-sql-extension).

-| [Multifactor Authentication](../../active-directory/authentication/concept-mfa-howitworks.md) | &#x2705; | &#x2705; |

-| [Video Analyzer for Media (formerly Video Indexer)](../../azure-video-analyzer/video-analyzer-for-media-docs/index.yml) | &#x2705; | &#x2705; |

-| [GitHub AE](https://docs.github.com/en/github-ae@latest/admin/overview/about-github-ae) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | |

-| [Multifactor Authentication](../../active-directory/authentication/concept-mfa-howitworks.md) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | &#x2705; |

-description: This article compares features and provides guidance on developing applications for Azure Government.

-cloud: gov

-When you create and deploy applications to Azure Government services, as opposed to global Azure, you need to know the key differences between the two cloud environments. The specific areas to understand are:

-This content is intended for partners and developers who are deploying to Azure Government.

-Therefore, it's important to review your sample code, configurations, and steps to ensure that you are building and executing within the Azure Government cloud services environment.

-For current Azure Government regions and available services, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=all&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia).

-Navigate through the links below to get started using Azure Government:

-For more information on Azure Government Compliance, refer to the [compliance documentation](./documentation-government-plan-compliance.md).

-### Azure Blueprints

-[Azure Blueprints](../governance/blueprints/overview.md) is a service that helps you deploy and update cloud environments in a repeatable manner using composable artifacts such as Azure Resource Manager templates to provision resources, role-based access controls, and policies. Resources provisioned through Azure Blueprints adhere to an organizationΓÇÖs standards, patterns, and compliance requirements. The overarching goal of Azure Blueprints is to help automate compliance and cybersecurity risk management in cloud environments. To help you deploy a core set of policies for any Azure-based architecture that requires compliance with certain US government compliance requirements, see [Azure Blueprints samples](../governance/blueprints/samples/index.md).

-## Endpoint mapping

-Service endpoints in Azure Government are different than in Azure. For a mapping between Azure and Azure Government endpoints, see [Compare Azure Government and global Azure](./compare-azure-government-global-azure.md#guidance-for-developers).

-description: Provides and overview of the available compliance services for Azure Government

-cloud: gov

-## Azure Blueprints

-[Azure Blueprints](https://azure.microsoft.com/services/blueprints/) can help you automate the process of achieving compliance on Azure Government. FedRAMP and other [standards-based blueprint samples](../governance/blueprints/samples/index.md) are available in Azure Blueprints.

-## General Data Protection Regulation (GDPR) Data Subject Requests (DSRs) on Azure Government

-Azure tenant administrators can use the [User Privacy blade](https://portal.azure.us/#blade/Microsoft_Azure_Policy/UserPrivacyMenuBlade/Overview) in the Azure portal to export and/or delete personal data generated during a customer's use of Azure Government services. For more information about Data Subject Requests, see [Data Subject Requests for the GDPR](/microsoft-365/compliance/gdpr-dsr-azure).

-## Next steps

-Learn about [Azure Blueprints](https://azure.microsoft.com/services/blueprints/)

-Visit the [Microsoft Azure Government Blog](https://devblogs.microsoft.com/azuregov/)

-US government agencies or their partners interested in cloud services that meet government security and compliance requirements, can be confident that [Microsoft Azure Government](https://azure.microsoft.com/global-infrastructure/government/) provides world-class [security and compliance](../compliance/index.yml). Azure Government delivers a dedicated cloud enabling government agencies and their partners to transform mission-critical workloads to the cloud. Azure Government services handle data that is subject to various [US government regulations and requirements](/azure/compliance/offerings/offering-cjis). To provide you with the highest level of security and compliance, Azure Government uses physically isolated datacenters and networks located in the US only.

-This article provides coverage information for Azure Maps [Weather services](/rest/api/maps/weather). Azure Maps Weather data services returns details such as radar tiles, current weather conditions, weather forecasts, and the weather along a route.

-The following table provides information about what kind of weather information you can request from each country/region.

-| Symbol | Meaning |

-|--||

-|* |Covers Current Conditions, Hourly Forecast, Quarter-day Forecast, Daily Forecast, Weather Along Route and Daily Indices. |

-The [Azure Monitor agent](./azure-monitor-agent-install.md#virtual-machine-extension-details) is only available as a virtual machine extension. The Log Analytics extension for [Windows](../../virtual-machines/extensions/oms-windows.md) and [Linux](../../virtual-machines/extensions/oms-linux.md) install the Log Analytics agent on Azure virtual machines. The Azure Monitor Dependency extension for [Windows](../../virtual-machines/extensions/agent-dependency-windows.md) and [Linux](../../virtual-machines/extensions/agent-dependency-linux.md) install the Dependency agent on Azure virtual machines. These are the same agents described above but allow you to manage them through [virtual machine extensions](../../virtual-machines/extensions/overview.md). You should use extensions to install and manage the agents whenever possible.

-description: Guidance for migrating from the existing legacy agents to the new Azure Monitor agent (AMA) and data collection rules (DCR).

-2. Install the Azure Monitor agent extension. Deploy data collection rule associations on all target resources by using the [built-in policy initiative](azure-monitor-agent-install.md#install-with-azure-policy). Provide the preceding data collection rule as an input parameter.

-| [Microsoft Sentinel](../../sentinel/overview.md) | <ul><li>Windows Forwarding Event (WEF): [Public preview](../../sentinel/data-connectors-reference.md#windows-forwarded-events-preview)</li><li>Windows Security Events: [GA](../../sentinel/connect-windows-security-events.md?tabs=AMA)</li></ul> | <ul><li>No sign-up needed </li><li>No sign-up needed</li></ul> |

-Download the [applicationinsights-agent-3.2.4.jar](https://github.com/microsoft/ApplicationInsights-Java/releases/download/3.2.4/applicationinsights-agent-3.2.4.jar) file.

-Add `-javaagent:path/to/applicationinsights-agent-3.2.4.jar` to your application's JVM args.

- - Or you can create a configuration file named `applicationinsights.json`. Place it in the same directory as `applicationinsights-agent-3.2.4.jar` with the following content:

-Add the JVM arg `-javaagent:path/to/applicationinsights-agent-3.2.4.jar` somewhere before `-jar`, for example:

-java -javaagent:path/to/applicationinsights-agent-3.2.4.jar -jar <myapp.jar>

-If you are using the *exec* form, add the parameter `"-javaagent:path/to/applicationinsights-agent-3.2.4.jar"` to the parameter list somewhere before the `"-jar"` parameter, for example:

-ENTRYPOINT ["java", "-javaagent:path/to/applicationinsights-agent-3.2.4.jar", "-jar", "<myapp.jar>"]

-If you are using the *shell* form, add the JVM arg `-javaagent:path/to/applicationinsights-agent-3.2.4.jar` somewhere before `-jar`, for example:

-ENTRYPOINT java -javaagent:path/to/applicationinsights-agent-3.2.4.jar -jar <myapp.jar>

-JAVA_OPTS="$JAVA_OPTS -javaagent:path/to/applicationinsights-agent-3.2.4.jar"

-CATALINA_OPTS="$CATALINA_OPTS -javaagent:path/to/applicationinsights-agent-3.2.4.jar"

-If the file `<tomcat>/bin/setenv.sh` already exists, then modify that file and add `-javaagent:path/to/applicationinsights-agent-3.2.4.jar` to `CATALINA_OPTS`.

-set CATALINA_OPTS=%CATALINA_OPTS% -javaagent:path/to/applicationinsights-agent-3.2.4.jar

-set "CATALINA_OPTS=%CATALINA_OPTS% -javaagent:path/to/applicationinsights-agent-3.2.4.jar"

-If the file `<tomcat>/bin/setenv.bat` already exists, just modify that file and add `-javaagent:path/to/applicationinsights-agent-3.2.4.jar` to `CATALINA_OPTS`.

-Locate the file `<tomcat>/bin/tomcat8w.exe`. Run that executable and add `-javaagent:path/to/applicationinsights-agent-3.2.4.jar` to the `Java Options` under the `Java` tab.

-Add `-javaagent:path/to/applicationinsights-agent-3.2.4.jar` to the existing `JAVA_OPTS` environment variable in the file `JBOSS_HOME/bin/standalone.conf` (Linux) or `JBOSS_HOME/bin/standalone.conf.bat` (Windows):

- JAVA_OPTS="-javaagent:path/to/applicationinsights-agent-3.2.4.jar -Xms1303m -Xmx1303m ..."

-Add `-javaagent:path/to/applicationinsights-agent-3.2.4.jar` to the existing `jvm-options` in `JBOSS_HOME/domain/configuration/host.xml`:

- <option value="-javaagent:path/to/applicationinsights-agent-3.2.4.jar"/>

-Add `-javaagent:path/to/applicationinsights-agent-3.2.4.jar` to the existing `jvm-options` in `glassfish/domains/domain1/config/domain.xml`:

- -javaagent:path/to/applicationinsights-agent-3.2.4.jar>

-go to **servers > WebSphere application servers > Application servers**, choose the appropriate application servers and click on:

-The connection string is required, and the role name is important any time you are sending data

-By default, Application Insights Java 3.x expects the configuration file to be named `applicationinsights.json`, and to be located in the same directory as `applicationinsights-agent-3.2.4.jar`.

-If you specify a relative path, it will be resolved relative to the directory where `applicationinsights-agent-3.2.4.jar` is located.

-Starting from 3.2.5-BETA, you can capture request and response headers on your server (request) telemetry:

-Starting from version 3.2.5-BETA, you can change this behavior to capture them as success if you prefer:

-> Authentication feature is available starting from version 3.2.0-BETA

-Starting from 3.2.5-BETA, authenticated proxies are supported. You can add `"user"` and `"password"` under `"proxy"` in

-`applicationinsights-agent-3.2.4.jar` is located.

-```

- Once you have the certificate downloaded, generate a SHA-1 hash on the certificate using the below command:

-In this case, the client is the JVM on which your instrumented application is running. Starting from 3.2.5-BETA, Application Insights Java will log a warning message if missing cipher suites could be causing connection failures to one of the service endpoints.

-Check [prerequisites](../agents/azure-monitor-agent-install.md#prerequisites) for the Azure Monitor agent.

-description: Log Analytics data export allows you to continuously export data of selected tables from your Log Analytics workspace to an Azure storage account or Azure Event Hubs as it's collected.

-Log Analytics workspace data export in Azure Monitor allows you to continuously export data from selected tables in your Log Analytics workspace to an Azure storage account or Azure Event Hubs as it's collected. This article provides details on this feature and steps to configure data export in your workspaces.

-Data in Log Analytics is available for the retention period defined in your workspace and used in various experiences provided in Azure Monitor and other Azure services. There are more capabilities that can be met with data export:

-* Comply with tamper protected store requirement -- data can't be altered in Log Analytics once ingested, but can be purged. Export to storage account set with [immutability policies](../../storage/blobs/immutable-policy-configure-version-scope.md) to keep data tamper protected.

-* Integration with Azure services and other tools -- export to event hub in near-real-time to send data to your services and tools at it arrives to Azure Monitor.

-* Keep audit and security data for long time at low cost -- export to storage account in the same region as your workspace, or replicate data to other storage accounts in other regions using any of the [Azure Storage redundancy options](../../storage/common/storage-redundancy.md#redundancy-in-a-secondary-region) including GRS and GZRS.

-Once data export is configured in your Log Analytics workspace, any new data sent to the selected tables in the workspace is automatically exported in near-real-time to your storage account or to your event hub.

-All data from included tables is exported without a filter. For example, when you configure a data export rule for *SecurityEvent* table, all data sent to the *SecurityEvent* table is exported starting from the configuration time.

-Log Analytics workspace data export continuously exports data from a Log Analytics workspace. Other options to export data for particular scenarios include the following:

- - Korea South

- - Jio India Central

- - Government regions

-Data export is optimized for moving large data volume to your destinations and in certain retry conditions, can include a fraction of duplicated records. The export operation to your destination could fail when ingress limits are reached, see details under [Create or update data export rule](#create-or-update-data-export-rule). Export continues to retry for up to 30 minutes and if destination is unavailable to accept data, data will be discarded until the destination becomes available.

-### Storage account

-Don't use an existing storage account that has other, non-monitoring data stored in it to better control access to the data and prevent reaching storage ingress rate limit, failures, and latency.

-To send data to immutable storage, set the immutable policy for the storage account as described in [Set and manage immutability policies for Blob storage](../../storage/blobs/immutable-policy-configure-version-scope.md). You must follow all steps in this article, including enabling protected append blobs writes.

-The storage account must be StorageV1 or above and in the same region as your workspace. If you need to replicate your data to other storage accounts in other regions, you can use any of the [Azure Storage redundancy options](../../storage/common/storage-redundancy.md#redundancy-in-a-secondary-region) including GRS and GZRS.

-Data is sent to storage accounts as it reaches Azure Monitor and exported to destinations located in workspace region. A container is created for each table in the storage account with the name *am-* followed by the name of the table. For example, the table *SecurityEvent* would sent to a container named *am-SecurityEvent*.

-Blobs are stored in 5-minute folders in the following path structure: *WorkspaceResourceId=/subscriptions/subscription-id/resourcegroups/\<resource-group\>/providers/microsoft.operationalinsights/workspaces/\<workspace\>/y=\<four-digit numeric year\>/m=\<two-digit numeric month\>/d=\<two-digit numeric day\>/h=\<two-digit 24-hour clock hour\>/m=\<two-digit 60-minute clock minute\>/PT05M.json*. Append blobs is limited to 50-K writes and could be reached, the naming pattern for blobs in such case would be PT05M_#.json*, where # is incremental blob count.

-The storage account data format is in [JSON lines](../essentials/resource-logs-blob-format.md), where each record is delimited by a newline, with no outer records array and no commas between JSON records.

-[](media/logs-data-export/storage-data-expand.png#lightbox)

-### Event hub

-You need to have 'write' permissions to both workspace and destination to configure data export rule. The shared access policy for the event hub namespace defines the permissions that the streaming mechanism has. Streaming to event hub requires Manage, Send, and Listen permissions. To update the export rule, you must have the ListKey permission on that Event Hubs authorization rule.

-Don't use an existing event hub that has other, non-monitoring data stored in it to better control access to the data and prevent reaching event hub namespace ingress rate limit, failures, and latency.

-Data is sent to your event hub as it reaches Azure Monitor and exported to destinations located in workspace region. You can create multiple export rules to the same event hub namespace by providing different `event hub name` in rule.When `event hub name` isn't provided, a default event hub is created for each table that you export with the name *am-* followed by the name of the table. For example, the table *SecurityEvent* would sent to an event hub named *am-SecurityEvent*. The [number of supported event hubs in 'Basic' and 'Standard' namespaces tiers is 10](../../event-hubs/event-hubs-quotas.md#common-limits-for-all-tiers). When exporting more than 10 tables to these tiers, either split the tables between several export rules to different event hub namespaces, or provide an event hub name in the rule to export all tables to that event hub.

-> - 'Basic' event hub tier is limited--it supports [lower event size](../../event-hubs/event-hubs-quotas.md#basic-vs-standard-vs-premium-vs-dedicated-tiers) and no [Auto-inflate](../../event-hubs/event-hubs-auto-inflate.md) option to automatically scale up and increase the number of throughput units. Since data volume to your workspace increases over time and consequence event hub scaling is required, use 'Standard', 'Premium' or 'Dedicated' event hub tiers with **Auto-inflate** feature enabled. See [Automatically scale up Azure Event Hubs throughput units](../../event-hubs/event-hubs-auto-inflate.md).

-> - Data export can't reach event hub resources when virtual networks are enabled. You have to enable the **Allow trusted Microsoft services** to bypass this firewall setting in event hub, to grant access to your Event Hubs resources.

-If you have configured your storage account to allow access from selected networks, you need to add an exception to allow Azure Monitor to write to the account. From **Firewalls and virtual networks** for your storage account, select **Allow trusted Microsoft services to access this storage account**.

-[](media/logs-data-export/storage-account-network.png#lightbox)

-### Destinations monitoring

-> Export destinations have limits and should be monitored to minimize throttling, failures, and latency. See [storage accounts scalability](../../storage/common/scalability-targets-standard-account.md#scale-targets-for-standard-storage-accounts) and [event hub namespace quota](../../event-hubs/event-hubs-quotas.md).

-**Monitoring storage account**

-1. Use separate storage account for export

-2. Configure alert on the metric below:

- - Use separate storage account for export that isn't shared with non-monitoring data.

- - Split tables between more storage accounts.

-**Monitoring event hub**

-1. Configure alerts on the [metrics](../../event-hubs/monitor-event-hubs-reference.md) below:

- | namespaces-name | Event Hub standard metrics | Incoming bytes | Sum | 80% of max ingress per alert evaluation period. For example, limit is 1 MB/s per unit (TU or PU) and five units used. Threshold is 1200 MB per 5-minutes evaluation period |

- | namespaces-name | Event Hub standard metrics | Incoming requests | Count | 80% of max events per alert evaluation period. For example, limit is 1000/s per unit (TU or PU) and five units used. Threshold is 1200000 per 5-minutes evaluation period |

- | namespaces-name | Event Hub standard metrics | Quota Exceeded Errors | Count | Between 1% of request. For example, requests per 5 minutes is 600000. Threshold is 6000 per 5-minutes evaluation period |

- - Use separate event hub namespace for export that isn't shared with non-monitoring data.

-Data export rule defines the destination and tables for which data is exported. You can create 10 rules in 'enable' state in your workspace, more rules are allowed in 'disable' state. Storage account must be unique across rules in workspace. Multiple rules can use the same event hub namespace when sending to separate event hubs.

-> - Export to storage account - a separate container is created in storage account for each table.

-> - Export to event hub - if event hub name isn't provided, a separate event hub is created for each table. The [number of supported event hubs in 'Basic' and 'Standard' namespaces tiers is 10](../../event-hubs/event-hubs-quotas.md#common-limits-for-all-tiers). When exporting more than 10 tables to these tiers, either split the tables between several export rules to different event hub namespaces, or provide an event hub name in the rule to export all tables to that event hub.

-Use the following command to create a data export rule to a storage account using PowerShell. A separate container is created for each table.

-Use the following command to create a data export rule to a specific event hub using PowerShell. All tables are exported to the provided event hub name and can be filtered by "Type" field to separate tables.

-Use the following command to create a data export rule to an event hub using PowerShell. When specific event hub name isn't provided, a separate container is created for each table up to the [number of supported event hubs for your event hub tier](../../event-hubs/event-hubs-quotas.md#common-limits-for-all-tiers). If you have more tables to export, provide event hub name to export any number of tables, or set another rule to export the remaining tables to another event hub namespace.

-Use the following command to create a data export rule to a storage account using CLI. A separate container is created for each table.

-Use the following command to create a data export rule to a specific event hub using CLI. All tables are exported to the provided event hub name and can be filtered by "Type" field to separate tables.

-Use the following command to create a data export rule to an event hub using CLI. When specific event hub name isn't provided, a separate container is created for each table up to the [number of supported event hubs for your event hub tier](../../event-hubs/event-hubs-quotas.md#common-limits-for-all-tiers). If you have more tables to export, provide event hub name to export any number of tables, or set another rule to export the remaining tables to another event hub namespace.

-Use the following request to create a data export rule a storage account using the REST API. A separate container is created for each table. The request should use bearer token authorization and content type application/json.

-Following is a sample body for the REST request for an event hub.

-Following is a sample body for the REST request for an event hub where event hub name is provided. In this case, all exported data is sent to this event hub.

-Use the following command to create a data export rule to a storage account using Resource Manager template.

-Use the following command to create a data export rule to an event hub using Resource Manager template. A separate event hub is created for each table.

-Use the following command to create a data export rule to a specific event hub using Resource Manager template. All tables are exported to the provided event hub name.

-Export rules can be disabled to let you stop the export when you donΓÇÖt need to retain data for a certain period such as when testing is being performed. Set ```"enable": false``` in template to disable a data export.

-Supported tables are currently limited to those specified below. All data from the table will be exported unless limitations are specified. This list is updated as more tables are added.

-| ACRConnectedClientList | |

-| ACRConnectedClientList | |

-| AEWAuditLogs | |

-| AEWComputePipelinesLogs | |

-| AgriFoodApplicationAuditLogs | |

-| AgriFoodFarmManagementLogs | |

-| AgriFoodInsightLogs | |

-| AgriFoodModelInferenceLogs | |

-| AgriFoodSatelliteLogs | |

-| AgriFoodWeatherLogs | |

-| Alert | |

-| AmlOnlineEndpointConsoleLog | |

-| ATCExpressRouteCircuitIpfix | |

-| AWSCloudTrail | |

-| AWSGuardDuty | |

-| AWSVPCFlow | |

-| AZFWApplicationRule | |

-| AZFWApplicationRuleAggregation | |

-| AZFWDnsQuery | |

-| AZFWIdpsSignature | |

-| AZFWNatRule | |

-| AZFWNatRuleAggregation | |

-| AZFWNetworkRule | |

-| AZFWNetworkRuleAggregation | |

-| BlockchainApplicationLog | |

-| BlockchainProxyLog | |

-| CassandraAudit | |

-| CassandraLogs | |

-| DatabricksSecrets | |

-| DeviceNetworkInfo | |

-| DSMAzureBlobStorageLogs | |

-| DummyHydrationFact | |

-| Event | Partial support ΓÇô data arriving from Log Analytics agent (MMA) or Azure Monitor Agent (AMA) is fully supported in export. Data arriving via Diagnostics Extension agent is collected though storage while this path isnΓÇÖt supported in export.2 |

-| HDInsightHadoopAndYarnLogs | |

-| HDInsightHadoopAndYarnMetrics | |

-| McasShadowItReporting | |

-| MCVPAuditLogs | |

-| MicrosoftDataShareShareLog | |

-| PowerBIActivity | |

-| ProjectActivity | |

-| SecurityEvent | Partial support ΓÇô data arriving from Log Analytics agent (MMA) or Azure Monitor Agent (AMA) is fully supported in export. Data arriving via Diagnostics Extension agent is collected though storage while this path isnΓÇÖt supported in export. |

-| SfBOnlineAssessmentRecommendation | |

-| SPAssessmentRecommendation | |

-| SQLAssessmentRecommendation | |

-| SQLSecurityAuditEvents | |

-| Syslog | Partial support ΓÇô data arriving from Log Analytics agent (MMA) or Azure Monitor Agent (AMA) is fully supported in export. Data arriving via Diagnostics Extension agent is collected though storage while this path isnΓÇÖt supported in export. |

-| UCClient | |

-| UCDeviceAlert | |

-| UCServiceUpdateStatus | |

-| UserAccessAnalytics | |

-| Watchlist | |

-| WindowsEvent | |

-| WindowsFirewall | |

-| WireData | Partial support ΓÇô some of the data is ingested through internal services that aren't supported in export. This portion is missing in export currently. |

-| WorkloadDiagnosticLogs | |

-The easiest way to view your billed usage for a partciular Log Analytics workspace is to go to the **Overview** page of the workspace and click **View Cost** in the upper right corner of the Essentials section at the top of the page. This will launch the Cost Analysis from Azure Cost Management + Billing already scoped to this workspace. You might need additional access to Cost Management data ([learn more](../../cost-management-billing/costs/assign-access-acm-data.md))

-To learn about your usage trends and choose the most cost effective log Analytics pricing tier, use **Log Analytics Usage and Estimated Costs**. This shows how much data is collected by each solution, how much data is being retained, and an estimate of your costs for each pricing tier based on recent data ingestion patterns.

-| extend TimeGenerated=datetime_add("hour",-1*DailyCapResetHour,TimeGenerated)

-| where TimeGenerated > startofday(ago(31d))

-| summarize IngestedGbBetweenDailyCapResets=sum(Quantity)/1000. by day=bin(TimeGenerated, 1d) // Quantity in units of MB

-## Troubleshooting why usage is higher than expected

-## Understanding nodes sending data

-To understand the number of nodes that are reporting heartbeats from the agent each day in the last month, use this query:

-```kusto

-Heartbeat

-| where TimeGenerated > startofday(ago(31d))

-| summarize nodes = dcount(Computer) by bin(TimeGenerated, 1d)

-| render timechart

-```

-The get a count of nodes sending data in the last 24 hours, use this query:

-```kusto

-find where TimeGenerated > ago(24h) project Computer

-| extend computerName = tolower(tostring(split(Computer, '.')[0]))

-| where computerName != ""

-| summarize nodes = dcount(computerName)

-```

-To get a list of nodes sending any data (and the amount of data sent by each), use this query:

-```kusto

-find where TimeGenerated > ago(24h) project _BilledSize, Computer

-| extend computerName = tolower(tostring(split(Computer, '.')[0]))

-| where computerName != ""

-| summarize TotalVolumeBytes=sum(_BilledSize) by computerName

-```

-### Nodes billed by the legacy Per Node pricing tier

-The [legacy Per Node pricing tier](#legacy-pricing-tiers) bills for nodes with hourly granularity and also doesn't count nodes that are only sending a set of security data types. Its daily count of nodes would be close to the following query:

-```kusto

-find where TimeGenerated >= startofday(ago(7d)) and TimeGenerated < startofday(now()) project Computer, _IsBillable, Type, TimeGenerated

-| where Type !in ("SecurityAlert", "SecurityBaseline", "SecurityBaselineSummary", "SecurityDetection", "SecurityEvent", "WindowsFirewall", "MaliciousIPCommunication", "LinuxAuditLog", "SysmonEvent", "ProtectionStatus", "WindowsEvent")

-| extend computerName = tolower(tostring(split(Computer, '.')[0]))

-| where computerName != ""

-| where _IsBillable == true

-| summarize billableNodesPerHour=dcount(computerName) by bin(TimeGenerated, 1h)

-| summarize billableNodesPerDay = sum(billableNodesPerHour)/24., billableNodeMonthsPerDay = sum(billableNodesPerHour)/24./31. by day=bin(TimeGenerated, 1d)

-| sort by day asc

-```

-The number of units on your bill is in units of node months, which is represented by `billableNodeMonthsPerDay` in the query.

-If the workspace has the Update Management solution installed, add the **Update** and **UpdateSummary** data types to the list in the where clause in the above query. Finally, there's some additional complexity in the actual billing algorithm when solution targeting is used that's not represented in the above query.

-> [!TIP]

-> Use these `find` queries sparingly because scans across data types are [resource intensive](./query-optimization.md#query-performance-pane) to execute. If you don't need results **per computer**, then query on the **Usage** data type (see below).

-## Late-arriving data

-Situations can arise where data is ingested with old timestamps. For example, if an agent can't communicate to Log Analytics because of a connectivity issue or when a host has an incorrect time date/time. This can manifest itself by an apparent discrepancy between the ingested data reported by the **Usage** data type and a query summing **_BilledSize** over the raw data for a particular day specified by **TimeGenerated**, the timestamp when the event was generated.

-To diagnose late-arriving data issues, use the **_TimeReceived** column ([learn more](./log-standard-columns.md#_timereceived)) in addition to the **TimeGenerated** column. **_TimeReceived** is the time when the record was received by the Azure Monitor ingestion point in the Azure cloud. For example, when using the **Usage** records, you have observed high ingested data volumes of **W3CIISLog** data on May 2, 2021, here is a query that identifies the timestamps on this ingested data:

-```Kusto

-W3CIISLog

-| where TimeGenerated > datetime(1970-01-01)

-| where _TimeReceived >= datetime(2021-05-02) and _TimeReceived < datetime(2021-05-03)

-| where _IsBillable == true

-| summarize BillableDataMB = sum(_BilledSize)/1.E6 by bin(TimeGenerated, 1d)

-| sort by TimeGenerated asc

-```

-The `where TimeGenerated > datetime(1970-01-01)` statement is present only to provide the clue to the Log Analytics user interface to look over all data.

-## Tips for reducing data volume

-This table lists some suggestions for reducing the volume of logs collected.

-| Source of high data volume | How to reduce data volume |

-| -- | - |

-| Data Collection Rules | The [Azure Monitor Agent](../agents/azure-monitor-agent-overview.md) uses Data Collection Rules to manage the collection of data. You can [limit the collection of data](../agents/data-collection-rule-azure-monitor-agent.md#limit-data-collection-with-custom-xpath-queries) using custom XPath queries. |

-| Container Insights | [Configure Container Insights](../containers/container-insights-cost.md#controlling-ingestion-to-reduce-cost) to collect only the data you required. |

-| Microsoft Sentinel | Review any [Sentinel data sources](../../sentinel/connect-data-sources.md) that you recently enabled as sources of additional data volume. [Learn more](../../sentinel/azure-sentinel-billing.md) about Sentinel costs and billing. |

-| Security events | Select [common or minimal security events](../../security-center/security-center-enable-data-collection.md#data-collection-tier). <br> Change the security audit policy to collect only needed events. In particular, review the need to collect events for: <br> - [audit filtering platform](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772749(v=ws.10)). <br> - [audit registry](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd941614(v%3dws.10)). <br> - [audit file system](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772661(v%3dws.10)). <br> - [audit kernel object](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd941615(v%3dws.10)). <br> - [audit handle manipulation](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772626(v%3dws.10)). <br> - audit removable storage. |

-| Performance counters | Change the [performance counter configuration](../agents/data-sources-performance-counters.md) to: <br> - Reduce the frequency of collection. <br> - Reduce the number of performance counters. |

-| Event logs | Change the [event log configuration](../agents/data-sources-windows-events.md) to: <br> - Reduce the number of event logs collected. <br> - Collect only required event levels. For example, do not collect *Information* level events. |

-| Syslog | Change the [syslog configuration](../agents/data-sources-syslog.md) to: <br> - Reduce the number of facilities collected. <br> - Collect only required event levels. For example, do not collect *Info* and *Debug* level events. |

-| AzureDiagnostics | Change the [resource log collection](../essentials/diagnostic-settings.md#create-in-azure-portal) to: <br> - Reduce the number of resources that send logs to Log Analytics. <br> - Collect only required logs. |

-| Solution data from computers that don't need the solution | Use [solution targeting](../insights/solution-targeting.md) to collect data from only required groups of computers. |

-| Application Insights | Review options for [managing Application Insights data volume](../app/pricing.md#managing-your-data-volume). |

-| [SQL Analytics](../insights/azure-sql.md) | Use [Set-AzSqlServerAudit](/powershell/module/az.sql/set-azsqlserveraudit) to tune the auditing settings. |

-### Getting nodes as billed in the Per Node pricing tier

-To get a list of computers that will be billed as nodes if the workspace is in the legacy Per Node pricing tier, look for nodes that are sending **billed data types** (some data types are free). To do this, use the [_IsBillable property](./log-standard-columns.md#_isbillable) and use the leftmost field of the fully qualified domain name. This returns the count of computers with billed data per hour (which is the granularity at which nodes are counted and billed):

-find where TimeGenerated > ago(24h) project Computer, TimeGenerated

-| summarize billableNodes=dcount(computerName) by bin(TimeGenerated, 1h) | sort by TimeGenerated asc

-## Create an alert when data collection is high

-This section describes how to create an alert when the data volume in the last 24 hours exceeded a specified amount, using Azure Monitor [Log Alerts](../alerts/alerts-unified-log.md).

-To alert if the billable data volume ingested in the last 24 hours was greater than 50 GB:

- - **Signal Name** select **Custom log search**

- - **Search query** to `Usage | where IsBillable | summarize DataGB = sum(Quantity / 1000.) | where DataGB > 50`.

- - **Alert logic** is **Based on** *number of results* and **Condition** is *Greater than* a **Threshold** of *0*

- - **Time period** of *1440* minutes and **Alert frequency** to every *1440* minutes to run once a day.

- - **Name** to *Billable data volume greater than 50 GB in 24 hours*

- - **Severity** to *Warning*

-To be notified when the log alert matches criteria, specify an existing or create a new [action group](../alerts/action-groups.md).

-When you receive an alert, use the steps in the above sections about how to troubleshoot why usage is higher than expected.

-To create a DCR and deploy the Azure Monitor agent to one or more agents by using the Azure portal, see [Create rule and association in the Azure portal](../agents/data-collection-rule-azure-monitor-agent.md). Other installation methods are described at [Install the Azure Monitor agent](../agents/azure-monitor-agent-install.md). To create a policy that automatically deploys the agent and DCR to any new machines as they're created, see [Deploy Azure Monitor at scale using Azure Policy](../best-practices.md).

-| Log | - | - | Log volumes are not replicated. |

- This value defines the size of the SAP HANA database on the host. It is used to calculate the required volume size and throughput.

- Select this option if you are adding additional hosts to a multiple-hosts HANA system.

- Even if you do not need the VMΓÇÖs for replication, you need to start at least one VM to anchor the PPG while provisioning the volumes.

- * **DP** - Indicates destination in the cross-region replication setting. Volumes of this type are not online but in replication mode.

- The default type for the log volume is RW, and the setting cannot be changed.

- The default type for the data, shared, and log-backup volumes is DP, and the setting cannot be changed.

-Azure NetApp Files volumes are designed to be contained in a special purpose subnet called a [delegated subnet](../virtual-network/virtual-network-manage-subnet.md) within your Azure Virtual Network. Therefore, you can access the volumes directly from within Azure over VNet peering or from on-premises over a Virtual Network Gateway (ExpressRoute or VPN Gateway) as necessary. The subnet is dedicated to Azure NetApp Files and there is no connectivity to the Internet.

- The [**Standard network features**](configure-network-features.md) configuration for Azure NetApp Files is available for public preview. After registering for this feature with your subscription, you can create new volumes choosing *Standard* or *Basic* network features in supported regions. In regions where the Standard network features are not supported, the volume defaults to using the Basic network features.

-| The number of IPs in use in a VNet with Azure NetApp Files (including immediately peered VNets) | [Standard limits as VMs](../azure-resource-manager/management/azure-subscription-service-limits.md#azure-resource-manager-virtual-networking-limits) | 1000 |

-| ANF Delegated subnets per VNet | 1 | 1 |

-If you use a new VNet, you can create a subnet and delegate the subnet to Azure NetApp Files by following instructions in [Delegate a subnet to Azure NetApp Files](azure-netapp-files-delegate-subnet.md). You can also delegate an existing empty subnet that is not already delegated to other services.

-If the VNet is peered with another VNet, you cannot expand the VNet address space. For that reason, the new delegated subnet needs to be created within the VNet address space. If you need to extend the address space, you must delete the VNet peering before expanding the address space.

-Configuring user-defined routes (UDRs) on the source VM subnets with address prefix of delegated subnet and next hop as NVA is not supported for volumes with the Basic network features. Such a setting will result in connectivity issues.

-A basic scenario is to create or connect to an Azure NetApp Files volume from a virtual machine (VM) in the same VNet. For VNet 2 in the diagram above, Volume 1 is created in a delegated subnet and can be mounted on VM 1 in the default subnet.

-Additionally, consider a scenario where VNet 1 is peered with VNet 2, and VNet 2 is peered with VNet 3 in the same region. The resources from VNet 1 can connect to resources in VNet 2 but it cannot connect to resources in VNet 3, unless VNet 1 and VNet 3 are peered.

-In the diagram above, although VM 3 can connect to Volume 1, VM 4 cannot connect to Volume 2. The reason for this is that the spoke VNets are not peered, and _transit routing is not supported over VNet peering_.

-* VM 4 in spoke VNet 1 cannot connect to Volume 3 in spoke VNet 2. Also, VM 5 in spoke VNet2 cannot connect to Volume 2 in spoke VNet 1. This is the case because the spoke VNets are not peered and _transit routing is not supported over VNet peering_.

-* In the above architecture if there is a gateway in the spoke VNET as well, the connectivity to the ANF volume from on-prem connecting over the gateway in the Hub will be lost. By design, preference would be given to the gateway in the spoke VNet and so only machines connecting over that gateway can connect to the ANF volume.

-| Number of subnets delegated to Azure NetApp Files (Microsoft.NetApp/volumes) per Azure Virtual Network | 1 | No |

-| Maximum number of files ([maxfiles](#maxfiles)) per volume | 100 million | Yes |

-For a 320-MB directory, the number of blocks is 655360, with each block size being 512 bytes. (That is, 320x1024x1024/512.) This number translates to approximately 4 million files maximum for a 320-MB directory. However, the actual number of maximum files might be lower, depending on factors such as the number of files containing non-ASCII characters in the directory. As such, you should use the `stat` command as follows to determine whether your directory is approaching its limit.

-## Maxfiles limits <a name="maxfiles"></a>

-Azure NetApp Files volumes have a limit called *maxfiles*. The maxfiles limit is the number of files a volume can contain. Linux file systems refer to the limit as *inodes*. The maxfiles limit for an Azure NetApp Files volume is indexed based on the size (quota) of the volume. The maxfiles limit for a volume increases or decreases at the rate of 20 million files per TiB of provisioned volume size.

-The service dynamically adjusts the maxfiles limit for a volume based on its provisioned size. For example, a volume configured initially with a size of 1 TiB would have a maxfiles limit of 20 million. Subsequent changes to the size of the volume would result in an automatic readjustment of the maxfiles limit based on the following rules:

-| Volume size (quota) | Automatic readjustment of the maxfiles limit |

-If you have already allocated at least 4 TiB of quota for a volume, you can initiate a [support request](#request-limit-increase) to increase the maxfiles (inodes) limit beyond 100 million. For every 100 million files you increase (or a fraction thereof), you need to increase the corresponding volume quota by 4 TiB. For example, if you increase the maxfiles limit from 100 million files to 200 million files (or any number in between), you need to increase the volume quota from 4 TiB to 8 TiB.

-You can increase the maxfiles limit to 500 million if your volume quota is at least 20 TiB. <!-- ANF-11854 -->

- | Error condition | Resolution |

- |-|-|

-From there, follow the steps as described above to complete your quota increase request.

-From there, follow the steps as described above to complete your regional quota increase request.

-From there, follow the steps as described above to complete your spot quota increase request.

-If an instance participates in an [auto-failover group](../database/auto-failover-group-overview.md), changing the instance's [connection type](../managed-instance/connection-types-overview.md) does not take effect for the connections established through the failover group listener endpoint.

-[Server Trust Groups](../managed-instance/server-trust-group-overview.md) are used to establish trust between managed instances that is prerequisite for executing [distributed transactions](../database/elastic-transactions-overview.md). After removing managed instance from Server Trust Group or deleting the group, you still might be able to execute distributed transactions. There is a workaround you can apply to be sure that distributed transactions are disabled and that is [user-initiated manual failover](../managed-instance/user-initiated-failover.md) on managed instance.

-A DNS record of `<name>.database.windows.com` is created when you create a [logical server in Azure](../database/logical-servers.md) for Azure SQL Database, and when you create a SQL Managed Instance. The DNS record must be unique. As such, if you create a logical server for SQL Database and then delete it, there is a threshold period of 7 days before the name is released from the records. In that period, a SQL Managed Instance cannot be created with the same name as the deleted logical server. As a workaround, use a different name for the SQL Managed Instance, or create a support ticket to release the logical server name.

-**Workaround**: To prevent this issue from occurring on your SQL Managed Instance before executing any update commands, or in case you have already experienced this issue after update commands, go to Azure portal, access SQL Managed Instance [Active Directory admin page](../database/authentication-aad-configure.md?tabs=azure-powershell#azure-portal). Verify if you can see the error message "Managed Instance needs a Service Principal to access Azure Active Directory. Click here to create a Service Principal". In case you have encountered this error message, click on it, and follow the step-by-step instructions provided until this error have been resolved.

-You can neglect this error message if Service Principal for the managed instance already exists, and/or AAD authentication on the managed instance works.

-| East US | | Yes |

-| North Central US | Yes | Yes |

- >The role assignment might take up to 10 minutes to take effect.

- - [Azure Disk Backup (in preview)](#azure-disk-backup-in-preview)

- - [Encryption at rest using customer-managed keys (general availability)](#encryption-at-rest-using-customer-managed-keys)

- - [Azure Resource Manager template for Azure file share (AFS) backup](#azure-resource-manager-template-for-afs-backup)

- - [Incremental backups for SAP HANA databases on Azure VMs (in preview)](#incremental-backups-for-sap-hana-databases-in-preview)

- - [Backup Center (in preview)](#backup-center-in-preview)

- - [Back up Azure Database for PostgreSQL (in preview)](#back-up-azure-database-for-postgresql-in-preview)

- - [Selective disk backup and restore](#selective-disk-backup-and-restore)

- - [Cross Region Restore for SQL Server and SAP HANA databases on Azure VMs (in preview)](#cross-region-restore-for-sql-server-and-sap-hana-in-preview)

- - [Support for backup of VMs with up to 32 disks (general availability)](#support-for-backup-of-vms-with-up-to-32-disks)

- - [Simplified backup configuration experience for SQL in Azure VMs](#simpler-backup-configuration-for-sql-in-azure-vms)

- - [Back up SAP HANA in RHEL Azure Virtual Machines (in preview)](#back-up-sap-hana-in-rhel-azure-virtual-machines-in-preview)

- - [Zone redundant storage (ZRS) for backup data (in preview)](#zone-redundant-storage-zrs-for-backup-data-in-preview)

- - [Soft delete for SQL Server and SAP HANA workloads in Azure VMs](#soft-delete-for-sql-server-and-sap-hana-workloads)

-## Azure Disk Backup (in preview)

-Azure Disk Backup offers a turnkey solution that provides snapshot lifecycle management for [Azure Managed Disks](../virtual-machines/managed-disks-overview.md) by automating periodic creation of snapshots and retaining it for a configured duration using backup policy. You can manage the disk snapshots with zero infrastructure cost and without the need for custom scripting or any management overhead. This is a crash-consistent backup solution that takes point-in-time backup of a managed disk using [incremental snapshots](../virtual-machines/disks-incremental-snapshots.md) with support for multiple backups per day. It's also an agent-less solution and doesn't impact production application performance. It supports backup and restore of both OS and data disks (including shared disks), whether or not they're currently attached to a running Azure virtual machine.

-For more information, see [Azure Disk Backup (in preview)](disk-backup-overview.md).

-## Encryption at rest using customer-managed keys

-Support for encryption at rest using customer-managed keys is now generally available. This gives you the ability to encrypt the backup data in your Recovery Services vaults using your own keys stored in Azure Key Vaults. The encryption key used for encrypting backups in the Recovery Services vault may be different from the ones used for encrypting the source. The data is protected using an AES 256 based data encryption key (DEK), which is, in turn, protected using your keys stored in the Key Vault. Compared to encryption using platform-managed keys (which is available by default), this gives you more control over your keys and can help you better meet your compliance needs.

-For more information, see [Encryption of backup data using customer-managed keys](encryption-at-rest-with-cmk.md).

-## Azure Resource Manager template for AFS backup

-Azure Backup now supports configuring backup for existing Azure file shares using an Azure Resource Manager (ARM) template. The template configures protection for an existing Azure file share by specifying appropriate details for the Recovery Services vault and backup policy. It optionally creates a new Recovery Services vault and backup policy, and registers the storage account containing the file share to the Recovery Services vault.

-For more information, see [Azure Resource Manager templates for Azure Backup](backup-rm-template-samples.md).

-## Incremental backups for SAP HANA databases (in preview)

-Azure Backup now supports incremental backups for SAP HANA databases hosted on Azure VMs. This allows for faster and more cost-efficient backups of your SAP HANA data.

-For more information, see [various options available during creation of a backup policy](./sap-hana-faq-backup-azure-vm.yml) and [how to create a backup policy for SAP HANA databases](tutorial-backup-sap-hana-db.md#creating-a-backup-policy).

-## Backup Center (in preview)

-Azure Backup has enabled a new native management capability to manage your entire backup estate from a central console. Backup Center provides you with the capability to monitor, operate, govern, and optimize data protection at scale in a unified manner consistent with AzureΓÇÖs native management experiences.

-With Backup Center, you get an aggregated view of your inventory across subscriptions, locations, resource groups, vaults, and even tenants using Azure Lighthouse. Backup Center is also an action center from where you can trigger your backup related activities, such as configuring backup, restore, creation of policies or vaults, all from a single place. In addition, with seamless integration to Azure Policy, you can now govern your environment and track compliance from a backup perspective. In-built Azure Policies specific to Azure Backup also allow you to configure backups at scale.

-For more information, see [Overview of Backup Center](backup-center-overview.md).

-## Back up Azure Database for PostgreSQL (in preview)

-Azure Backup and Azure Database Services have come together to build an enterprise-class backup solution for Azure PostgreSQL (now in preview). Now you can meet your data protection and compliance needs with a customer-controlled backup policy that enables retention of backups for up to 10 years. With this, you have granular control to manage the backup and restore operations at the individual database level. Likewise, you can restore across PostgreSQL versions or to blob storage with ease.

-For more information, see [Azure Database for PostgreSQL backup](backup-azure-database-postgresql.md).

-## Selective disk backup and restore

-Azure Backup supports backing up all the disks (operating system and data) in a VM together using the virtual machine backup solution. Now, using the selective disks backup and restore functionality, you can back up a subset of the data disks in a VM. This provides an efficient and cost-effective solution for your backup and restore needs. Each recovery point contains only the disks that are included in the backup operation.

-For more information, see [Selective disk backup and restore for Azure virtual machines](selective-disk-backup-restore.md).

-## Cross Region Restore for SQL Server and SAP HANA (in preview)

-With the introduction of cross-region restore, you can now initiate restores in a secondary region at will to mitigate real downtime issues in a primary region for your environment. This makes the secondary region restores completely customer controlled. Azure Backup uses the backed-up data replicated to the secondary region for such restores.

-Now, in addition to support for cross-region restore for Azure virtual machines, the feature has been extended to restoring SQL and SAP HANA databases in Azure virtual machines as well.

-For more information, see [Cross Region Restore for SQL databases](restore-sql-database-azure-vm.md#cross-region-restore) and [Cross Region Restore for SAP HANA databases](sap-hana-db-restore.md#cross-region-restore).

-## Support for backup of VMs with up to 32 disks

-Until now, Azure Backup has supported 16 managed disks per VM. Now, Azure Backup supports backup of up to 32 managed disks per VM.

-For more information, see the [VM storage support matrix](backup-support-matrix-iaas.md#vm-storage-support).

-## Simpler backup configuration for SQL in Azure VMs

-Configuring backups for your SQL Server in Azure VMs is now even easier with inline backup configuration integrated into the VM pane of the Azure portal. In just a few steps, you can enable backup of your SQL Server to protect all the existing databases as well as the ones that get added in the future.

-For more information, see [Back up a SQL Server from the VM pane](backup-sql-server-vm-from-vm-pane.md).

-## Back up SAP HANA in RHEL Azure virtual machines (in preview)

-Azure Backup is the native backup solution for Azure and is BackInt certified by SAP. Azure Backup has now added support for Red Hat Enterprise Linux (RHEL), one of the most widely used Linux operating systems running SAP HANA.

-For more information, see the [SAP HANA database backup scenario support matrix](sap-hana-backup-support-matrix.md#scenario-support).

-## Zone redundant storage (ZRS) for backup data (in preview)

-Azure Storage provides a great balance of high performance, high availability, and high data resiliency with its varied redundancy options. Azure Backup allows you to extend these benefits to the backup data as well, with options to store your backups in locally redundant storage (LRS) and geo-redundant storage (GRS). Now, there are additional durability options with the added support for zone redundant storage (ZRS).

-For more information, see [Set storage redundancy for the Recovery Services vault](backup-create-rs-vault.md#set-storage-redundancy).

-## Soft delete for SQL Server and SAP HANA workloads

-Concerns about security issues, like malware, ransomware, and intrusion, are increasing. These security issues can be costly, in terms of both money and data. To guard against such attacks, Azure Backup provides security features to help protect backup data even after deletion.

-One such feature is soft delete. With soft delete, even if a malicious actor deletes a backup (or backup data is accidentally deleted), the backup data is retained for 14 additional days, allowing the recovery of that backup item with no data loss. The additional 14 days of retention for backup data in the "soft delete" state don't incur any cost to you.

-Now, in addition to soft delete support for Azure VMs, SQL Server and SAP HANA workloads in Azure VMs are also protected with soft delete.

-For more information, see [Soft delete for SQL server in Azure VM and SAP HANA in Azure VM workloads](soft-delete-sql-saphana-in-azure-vm.md).

-## Enhancements to encryption using customer-managed keys for Azure Backup (in preview)

-Azure Backup now provides enhanced capabilities (in preview) to manage encryption with customer-managed keys. Azure Backup allows you to bring in your own keys to encrypt the backup data in the Recovery Services vaults, thus providing you a better control.

- >[!NOTE]

- >This feature is currently in limited preview. To sign up, fill [this form](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR0H3_nezt2RNkpBCUTbWEapURDNTVVhGOUxXSVBZMEwxUU5FNDkyQkU4Ny4u), and write to us at [AskAzureBackupTeam@microsoft.com](mailto:AskAzureBackupTeam@microsoft.com).

->[!NOTE]

->- The above capabilities are supported through the Azure portal only, PowerShell is currently not supported.<br>If you are using PowerShell for managing encryption keys for Backup, we do not recommend to update the keys from the portal.<br>If you update the key from the portal, you canΓÇÖt use PowerShell to update the encryption key further, till a PowerShell update to support the new model is available. However, you can continue updating the key from the Azure portal.

->- You can use the audit policy for auditing vaults with encryption using customer-managed keys that are enabled after 04/01/2021.

->- For vaults with the CMK encryption enabled before this date, the policy might fail to apply, or might show false negative results (that is, these vaults may be reported as non-compliant, despite having CMK encryption enabled). [Learn more](encryption-at-rest-with-cmk.md#use-azure-policies-to-audit-and-enforce-encryption-with-customer-managed-keys-in-preview).

-For more information, see [Encryption for Azure Backup using customer-managed keys](encryption-at-rest-with-cmk.md).

-|Yes| `Billing` | String | Billing endpoint URI. For more information on obtaining the billing URI, see [gathering required parameters](anomaly-detector-container-howto.md#gathering-required-parameters). For more information and a complete list of regional endpoints, see [Custom subdomain names for Cognitive Services](../cognitive-services-custom-subdomains.md). |

-| **{ENDPOINT_URI}** | The billing endpoint value is available on the Azure `Anomaly Detector` Overview page.| See [gathering required parameters](anomaly-detector-container-howto.md#gathering-required-parameters) for explicit examples. |

-Use the [docker run](https://docs.docker.com/engine/reference/commandline/run/) command to run the container. Refer to [gathering required parameters](#gathering-required-parameters) for details on how to get the `{ENDPOINT_URI}` and `{API_KEY}` values.

-Use the [docker run](https://docs.docker.com/engine/reference/commandline/run/) command to run the container. Refer to [gathering required parameters](#gathering-required-parameters) for details on how to get the `{ENDPOINT_URI}` and `{API_KEY}` values.

-| **{ENDPOINT_URI}** | The billing endpoint value is available on the Azure `Computer Vision` Overview page.| See [gathering required parameters](computer-vision-how-to-install-containers.md#gathering-required-parameters) for explicit examples. |

-| Yes | `Billing` | string | Billing endpoint URI. For more information on obtaining the billing URI, see [gathering required parameters](luis-container-howto.md#gathering-required-parameters). For more information and a complete list of regional endpoints, see [Custom subdomain names for Cognitive Services](../cognitive-services-custom-subdomains.md). |

-| **{ENDPOINT_URI}** | The billing endpoint value is available on the Azure `LUIS` Overview page.| See [gathering required parameters](luis-container-howto.md#gathering-required-parameters) for explicit examples. |

-Use the [docker run](https://docs.docker.com/engine/reference/commandline/run/) command to run the container. Refer to [gathering required parameters](#gathering-required-parameters) for details on how to get the `{ENDPOINT_URI}` and `{API_KEY}` values.

-description: Batch transcription is ideal if you want to transcribe a large quantity of audio in storage, such as Azure Blobs. By using the dedicated REST API, you can point to audio files with a shared access signature (SAS) URI and asynchronously receive transcriptions.

-Batch transcription is a set of REST API operations that enables you to transcribe a large amount of audio in storage. You can point to audio files using a typical URI or a [shared access signature (SAS)](../../storage/common/storage-sas-overview.md) URI and asynchronously receive transcription results. With the v3.0 API, you can transcribe one or more audio files, or process a whole storage container.

-| Batch Transcription Operation | Method | REST API Call |

-| Gets the transcription identified by the given ID. | GET | speechtotext/v3.0/transcriptions/{id} |

-| Gets the result files of the transcription identified by the given ID. | GET | speechtotext/v3.0/transcriptions/{id}/files |

-Batch transcription jobs are scheduled on a best effort basis.

-You cannot estimate when a job will change into the running state,

-but it should happen within minutes under normal system load.

-Once in the running state, the transcription occurs faster than the audio runtime playback speed.

-> A standard subscription (S0) for Speech service is required to use batch transcription. Free subscription keys (F0) will not work. For more information, see [pricing and limits](https://azure.microsoft.com/pricing/details/cognitive-services/speech-services/).

-If you plan to customize models, follow the steps in [Acoustic customization](./how-to-custom-speech-train-model.md) and [Language customization](./how-to-custom-speech-train-model.md). To use the created models in batch transcription, you need their model location. You can retrieve the model location when you inspect the details of the model (`self` property). A deployed custom endpoint is *not needed* for the batch transcription service.

-> As a part of the REST API, Batch Transcription has a set of [quotas and limits](speech-services-quotas-and-limits.md#batch-transcription), which we encourage to review. To take the full advantage of Batch Transcription ability to efficiently transcribe a large number of audio files we recommend always sending multiple files per request or pointing to a Blob Storage container with the audio files to transcribe. The service will transcribe the files concurrently reducing the turnaround time. Using multiple files in a single request is very simple and straightforward - see [Configuration](#configuration) section.

-| Format | Codec | Bits Per Sample | Sample Rate |

-For stereo audio streams, the left and right channels are split during the transcription. A JSON result file is being created for each channel.

-To create an ordered final transcript, use the timestamps generated per utterance.

-Configuration parameters are provided as JSON.

-**Transcribing one or more individual files.** If you have more than one file to transcribe, we recommend sending multiple files in one request. The example below is using three files:

-**Processing a whole storage container.** Container [SAS](../../storage/common/storage-sas-overview.md) should contain `r` (read) and `l` (list) permissions:

-**Use a custom trained model in a batch transcription.** The example is using three files:

- Optional, defaults to `Masked`. Specifies how to handle profanity in recognition results. Accepted values are `None` to disable profanity filtering, `Masked` to replace profanity with asterisks, `Removed` to remove all profanity from the result, or `Tags` to add "profanity" tags.

- Optional, `false` by default. Specifies that diarization analysis should be carried out on the input, which is expected to be mono channel containing two voices. Note: Requires `wordLevelTimestampsEnabled` to be set to `true`.

- Optional, `0` and `1` transcribed by default. An array of channel numbers to process. Here a subset of the available channels in the audio file can be specified to be processed (for example `0` only).

- Optional, no deletion by default. A duration to automatically delete transcriptions after completing the transcription. The `timeToLive` is useful in mass processing transcriptions to ensure they will be eventually deleted (for example, `PT12H` for 12 hours).

- Optional URL with [ad hoc SAS](../../storage/common/storage-sas-overview.md) to a writeable container in Azure. The result is stored in this container. SAS with stored access policy are **not** supported. When not specified, Microsoft stores the results in a storage container managed by Microsoft. When the transcription is deleted by calling [Delete transcription](https://westus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-0/operations/DeleteTranscription), the result data will also be deleted.

-and can read audio or write transcriptions using a SAS URI with [Azure Blob storage](../../storage/blobs/storage-blobs-overview.md).

-For each audio input, one transcription result file is created.

-The [Get transcriptions files](https://westus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-0/operations/GetTranscriptionFiles) operation

-returns a list of result files for this transcription.

-To find the transcription file for a specific input file,

-filter all returned files with `kind` == `Transcription` and `name` == `{originalInputName.suffix}.json`.

- Inverse-text-normalized form of the recognized text. Abbreviations ("doctor smith" to "dr smith"), phone numbers, and other transformations are applied.

-Diarization is the process of separating speakers in a piece of audio. The batch pipeline supports diarization and is capable of recognizing two speakers on mono channel recordings. The feature is not available on stereo recordings.

-The output of transcription with diarization enabled contains a `Speaker` entry for each transcribed phrase. If diarization is not used, the `Speaker` property is not present in the JSON output. For diarization we support two voices, so the speakers are identified as `1` or `2`.

-To request diarization, add set the `diarizationEnabled` property to `true` like the HTTP request shows below.

-Word-level timestamps must be enabled as the parameters in the above request indicate.

-The batch transcription service can handle large number of submitted transcriptions. You can query the status of your transcriptions

-with [Get transcriptions](https://westus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-0/operations/GetTranscriptions).

-Call [Delete transcription](https://westus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-0/operations/DeleteTranscription)

-regularly from the service once you retrieved the results. Alternatively set `timeToLive` property to ensure eventual

-deletion of the results.

-> You can use the [Ingestion Client](ingestion-client.md) tool and resulting solution to process high volume of audio.

-Complete samples are available in the [GitHub sample repository](https://aka.ms/csspeech/samples) inside the `samples/batch` subdirectory.

-The sample code sets up the client and submits the transcription request. It then polls for the status information and print details about the transcription progress.

-This sample uses an asynchronous setup to post audio and receive transcription status.

-The `PostTranscriptions` method sends the audio file details and the `GetTranscriptions` method receives the states.

-`PostTranscriptions` returns a handle, and `GetTranscriptions` uses it to create a handle to get the transcription status.

-description: Custom Speech is a set of online tools that allow you to evaluate and improve the Microsoft speech-to-text accuracy for your applications, tools, and products.

-Custom Speech allows you to evaluate and improve the Microsoft speech-to-text accuracy for your applications and products. Follow the links in this article to start creating a custom speech-to-text experience.

-This diagram highlights the pieces that make up the [Custom Speech area of the Speech Studio](https://aka.ms/speechstudio/customspeech). Use the links below to learn more about each step.

-1. [Evaluate and improve accuracy](how-to-custom-speech-evaluate-data.md). Evaluate and improve the accuracy of the speech-to-text model. The [Speech Studio](https://speech.microsoft.com/customspeech) will provide a *Word Error Rate*, which you can use to determine if additional training is required. If you're satisfied with the accuracy, you can use the Speech service APIs directly. If you want to improve accuracy by a relative average of 5% to 20%, use the **Training** tab in the portal to upload additional training data, like human-labeled transcripts and related text.

-1. [Train and deploy a model](how-to-custom-speech-train-model.md). Improve the accuracy of your speech-to-text model by providing written transcripts (10 to 1,000 hours) and related text (<200 MB) along with your audio test data. This data helps to train the speech-to-text model. After training, retest. If you're satisfied with the result, you can deploy your model to a custom endpoint.

-If you plan to train a custom model with **audio data**, pick one of the following regions that have dedicated hardware available for training. This will reduce the time it takes to train a model and allow you to use more audio for training. In these regions, the Speech service will use up to 20 hours of audio for training; in other regions it will only use up to 8 hours.

-After you create an Azure account and a Speech service subscription, you'll need to sign in to the [Speech Studio](https://speech.microsoft.com/customspeech) and connect your subscription.

-1. Select the subscription you need to work in and create a speech project.

-1. If you want to modify your subscription, select the cog button in the top menu.

-## How to create a project

-Content like data, models, tests, and endpoints are organized into *projects* in the [Speech Studio](https://speech.microsoft.com/customspeech). Each project is specific to a domain and country/language. For example, you might create a project for call centers that use English in the United States.

-## Model and Endpoint lifecycle

-Older models typically become less useful over time because the newest model usually has higher accuracy. Therefore, base models as well as custom models and endpoints created through the portal are subject to expiration after 1 year for adaptation and 2 years for decoding. See a detailed description in the [Model and endpoint lifecycle](./how-to-custom-speech-model-and-endpoint-lifecycle.md) article.

-[Audio Content Creation](https://aka.ms/audiocontentcreation) is an easy-to-use and powerful tool that lets you build highly natural audio content for a variety of scenarios, like audiobooks, news broadcasts, video narrations, and chat bots. With Audio Content Creation, you can fine-tune Text-to-Speech voices and design-customized audio experiences in an efficient and low-cost way.

-The tool is based on [Speech Synthesis Markup Language (SSML)](speech-synthesis-markup.md). It allows you to adjust Text-to-Speech output attributes in real time or batch synthesis, such as voice characters, voice styles, speaking speed, pronunciation, and prosody.

-You can have easy access to more than 270 neural voices across 119 different languages as of November, 2021, including the state-of-the-art prebuilt neural voices, and your custom neural voice if you have built one.

-See the [video tutorial](https://youtu.be/ygApYuOOG6w) for Audio Content Creation.

-## How to Get Started?

-Audio Content Creation is a free tool, but you will pay for the Azure Speech service you consume. To work with the tool, you need to log in with an Azure account and create a speech resource. For each Azure account, you have free monthly speech quotas which include 0.5 million characters for prebuilt neural voices (referred as *Neural* on [pricing page](https://aka.ms/speech-pricing)). The monthly allotted amount is usually enough for a small content team of around 3-5 people. Here are the steps for how to create an Azure account and get a speech resource.

-### Step 1 - Create an Azure account

-To work with Audio Content Creation, you need to have a [Microsoft account](https://account.microsoft.com/account) and an [Azure account](https://azure.microsoft.com/free/ai/). Follow these instructions to [set up the account](./overview.md#try-the-speech-service-for-free).

-[Azure portal](https://portal.azure.com/) is the centralized place for you to manage your Azure account. You can create the speech resource, manage the product access, and monitor everything from simple web apps to complex cloud deployments.

-### Step 2 - Create a Speech resource

-After signing up for the Azure account, you need to create a Speech resource under your Azure account to access Speech services. View the instructions for [how to create a Speech resource](./overview.md#create-the-azure-resource).

-It takes a few moments to deploy your new Speech resource. Once the deployment is complete, you can start the Audio Content Creation journey.

-### Step 3 - Log into the Audio Content Creation with your Azure account and Speech resource

-1. After getting the Azure account and the Speech resource, you can log into [Audio Content Creation](https://aka.ms/audiocontentcreation) by selecting **Get started**.

-2. The home page lists all the products under Speech Studio. Select **Audio Content Creation** to start.

-3. The **Welcome to Speech Studio** page will appear to you to set up the speech service. Select the Azure subscription and the Speech resource you want to work on. Select **Use resource** to complete the settings. When you log into the Audio Content Creation tool for the Next time, we will link you directly to the audio work files under the current speech resource. You can check your Azure subscriptions details and status in [Azure portal](https://portal.azure.com/). If you do not have available speech resource and you are the owner or admin of an Azure subscription, you can also create a new Speech resource in Speech Studio by selecting **Create a new resource**. If you are a user role for a certain Azure subscription, you may not have the permission to create a new speech resource. Please contact your admin to get the speech resource access.

-4. You can modify your Speech resource at any time with the **Settings** option, located in the top nav.

-5. If you want to switch directory, please go the **Settings** or your profile to operate.

-## How to use the tool?

-This diagram shows the steps it takes to fine-tune Text-to-Speech outputs. Use the links below to learn more about each step.

-1. Choose the speech resource you want to work on.

-2. [Create an audio tuning file](#create-an-audio-tuning-file) using plain text or SSML scripts. Type or upload your content in to Audio Content Creation.

-3. Choose the voice and the language for your script content. Audio Content Creation includes all of the [Microsoft Text-to-Speech voices](language-support.md#text-to-speech). You can use prebuilt neural voices or your custom neural voices.

- > Gated access is available for Custom Neural Voice, which allow you to create high-definition voices similar to natural-sounding speech. For additional details, see [Gating process](./text-to-speech.md).

-4. Select the content you want to preview and select the **play** icon (a triangle) to preview the default synthesis output. Please note that if you make any changes on the text, you need to select the **Stop** icon and then select **play** icon again to re-generate the audio with changed scripts.

-5. Improve the output by adjusting pronunciation, break, pitch, rate, intonation, voice style, and more. For a complete list of options, see [Speech Synthesis Markup Language](speech-synthesis-markup.md). Here is a [video](https://youtu.be/ygApYuOOG6w) to show how to fine-tune speech output with Audio Content Creation.

-6. Save and [export your tuned audio](#export-tuned-audio). When you save the tuning track in the system, you can continue to work and iterate on the output. When you're satisfied with the output, you can create an audio creation task with the export feature. You can observe the status of the export task and download the output for use with your apps and products.

-There are two ways to get your content into the Audio Content Creation tool.

-**Option 1:**

-1. Select **New** > **file** to create a new audio tuning file.

-2. Type or paste your content into the editing window. The characters for each file is up to 20,000. If your script is longer than 20,000 characters, you can use Option 2 to automatically split your content into multiple files.

-3. Don't forget to save.

-**Option 2:**

-1. Select **Upload** to import one or more text files. Both plain text and SSML are supported. If your script file is more than 20,000 characters, please split the file by paragraphs, by character or by regular expressions.

-3. When you upload your text files, make sure that the file meets these requirements.

- | Property | Value / Notes |

- |-||

- | File format | Plain text (.txt)<br/> SSML text (.txt)<br/> Zip files aren't supported |

- | Encoding format | UTF-8 |

- | File name | Each file must have a unique name. Duplicates aren't supported. |

- | Text length | Character limitation of the text file is 20,000. If your files exceed the limitation, please split the files with the instructions in the tool. |

- | SSML restrictions | Each SSML file can only contain a single piece of SSML. |

-**Plain text example**

-```txt

-Welcome to use Audio Content Creation to customize audio output for your products.

-```

-**SSML text example**

-```xml

-<speak xmlns="http://www.w3.org/2001/10/synthesis" xmlns:mstts="http://www.w3.org/2001/mstts" version="1.0" xml:lang="en-US">

- <voice name="Microsoft Server Speech Text to Speech Voice (en-US, JennyNeural)">

- Welcome to use Audio Content Creation <break time="10ms" />to customize audio output for your products.

- </voice>

-</speak>

-```

-1. Select **Export** to create an audio creation task. **Export to Audio Library** is recommended as it supports the long audio output and the full audio output experience. You can also download the audio to your local disk directly, but only the first 10 minutes are available.

-2. Choose the output format for your tuned audio. A list of supported formats and sample rates is available below.

-3. You can view the status of the task on the **Export task** tab. If the task fails, see the detailed information page for a full report.

-4. When the task is complete, your audio is available for download on the **Audio Library** tab.

-5. Select **Download**. Now you're ready to use your custom tuned audio in your apps or products.

-**Supported audio formats**

-| Format | 8 kHz sample rate | 16 kHz sample rate | 24 kHz sample rate | 48 kHz sample rate |

-|--|--|--|--|--|

-| wav | riff-8khz-16bit-mono-pcm | riff-16khz-16bit-mono-pcm | riff-24khz-16bit-mono-pcm |riff-48khz-16bit-mono-pcm |

-| mp3 | N/A | audio-16khz-128kbitrate-mono-mp3 | audio-24khz-160kbitrate-mono-mp3 |audio-48khz-192kbitrate-mono-mp3 |

-## How to add/remove Audio Content Creation users?

-If more than one user wants to use Audio Content Creation, you can grant user access to the Azure subscription and the speech resource. If you add a user to an Azure subscription, the user can access all the resources under the Azure subscription. But if you only add a user to a speech resource, the user will only have access to the speech resource, and cannot access other resources under this Azure subscription. A user with access to the speech resource can use Audio Content Creation.

-The user need to prepare a [Microsoft account](https://account.microsoft.com/account). If the user do not have a Microsoft account, create one with just a few minutes. The user can use the existing email and link as a Microsoft account, or creat a new outlook email as Microsoft account.

-### Add users to a speech resource

-Follow these steps to add a user to a speech resource so they can use Audio Content Creation.

-1. Search for **Cognitive services** in the [Azure portal](https://portal.azure.com/), select the speech resource that you want to add users to.

-2. Select **Access control (IAM)**. Select **Add** > **Add role assignment (Preview)** to open the Add role assignment pane.

-1. On the **Role** tab, select the **Cognitive Service User** role. If you want to give the user ownership of this speech resource, you can select the **Owner** role.

-1. On the **Members** tab, type in user's email address and select the user in the directory. The email address must be a **Microsoft account**, which is trusted by Azure active directory. Users can easily sign up a [Microsoft account](https://account.microsoft.com/account) using a personal email address.

-1. On the **Review + assign** tab, select **Review + assign** to assign the role.

-1. The user will receive an email invitation. Accept the invitation by selecting **Accept invitation** > **Accept to join Azure** in the email. Then the user will be redirected to the Azure portal. The user does not need to take further action in the Azure portal. After a few moments, the user is assigned the role at the speech resource scope, and will have the access to this speech resource. If the user didn't receive the invitation email, you can search the user's account under "Role assignments" and go inside the user's profile. Find "Identity" -> "Invitation accepted", and select **(manage)** to resend the email invitation. You can also copy the invitation link to the users.

-1. The user now visits or refreshes the [Audio Content Creation](https://aka.ms/audiocontentcreation) product page, and sign in with the user's Microsoft account. Select **Audio Content Creation** block among all speech products. Choose the speech resource in the pop-up window or in the settings at the upper right of the page. If the user cannot find available speech resource, check if you are in the right directory. To check the right directory, select the account profile in the upper right corner, and select **Switch** besides the "Current directory". If there are more than one directory available, it means you have access to multiple directories. Switch to different directories and go to settings to see if the right speech resource is available.

- :::image type="content" source="media/audio-content-creation/add-role-first.png" alt-text="Add role dialog":::

-Users who are in the same speech resource will see each other's work in Audio Content Creation studio. If you want each individual user to have a unique and private workplace in Audio Content Creation, please [create a new speech resource](#step-2create-a-speech-resource) for each user and give each user the unique access to the speech resource.

-### Remove users from a speech resource

-1. Search for **Cognitive services** in the Azure portal, select the speech resource that you want to remove users from.

-2. Select **Access control (IAM)** > **Role assignments** tab to view all the role assignments for this speech resource.

-3. Select the users you want to remove, select **Remove** > **Ok**.

- :::image type="content" source="media/audio-content-creation/remove-user.png" alt-text="Remove button":::

-### Enable users to grant access

-If you want one of the users to give access to other users, you need to give the user the owner role for the speech resource and set the user as the Azure directory reader.

-1. Add the user as the owner of the speech resource. See [how to add users to a speech resource](#add-users-to-a-speech-resource).

- :::image type="content" source="media/audio-content-creation/add-role.png" alt-text="Role Owner field":::

-2. In the [Azure portal](https://portal.azure.com/), select the collapsed menu in the upper left. Select **Azure Active Directory**, and then Select **Users**.

-3. Search the user's Microsoft account, and go to the user's detail page. Select **Assigned roles**.

-4. Select **Add assignments** > **Directory Readers**. If the button "Add assignments" is grayed out, it means that you do not have the access. Only the global administrator of this directory can add assignment to users.

-description: Language identification can be used with speech recognition to determine the language being spoken in speech audio being recognized.

-# How to use language identification

-Language identification is used to determine the language being spoken in audio passed to the Speech SDK when compared against a list of provided languages. The value returned by language identification is then used to select the language model for speech to text, providing you with a more accurate transcription.

-Language identification can also be used while doing [speech translation](./get-started-speech-translation.md?pivots=programming-language-csharp&tabs=script%2cwindowsinstall#multi-lingual-translation-with-language-identification), or by doing [standalone identification](./language-identification.md).

-To see which languages are available, see [Language support](language-support.md).

-This article assumes you have an Azure subscription and speech resource, and also assumes knowledge of speech recognition basics. [Complete the quickstart](get-started-speech-to-text.md) if you haven't already.

-Language identification currently has a limit of **four languages** for at-start recognition, and **10 languages** for continuous recognition. Keep this limitation in mind when constructing your `AutoDetectSourceLanguageConfig` object. In the samples below, you use `AutoDetectSourceLanguageConfig` to define a list of possible languages that you want to identify, and then reference those languages when running speech recognition.

-> Continuous language identification is only supported in C#, C++, and Python.

-The following example runs at-start recognition, prioritizing `Latency`. This property can also be set to `Accuracy` depending on the priority for your use-case. `Latency` is the best option to use if you need a low-latency result (e.g. for live streaming scenarios), but don't know the language in the audio sample.

-`Accuracy` should be used in scenarios where the audio quality may be poor, and more latency is acceptable. For example, a voicemail could have background noise, or some silence at the beginning, and allowing the engine more time will improve recognition results.

-In either case, at-start recognition as shown below should **not be used** for scenarios where the language may be changing within the same audio sample. See below for continuous recognition for these types of scenarios.

-The following example shows continuous speech recognition set up for a multilingual scenario. This example only uses `en-US` and `ja-JP` in the language config, but you can use up to **ten languages** for this design pattern. Each time speech is detected, the source language is identified and the audio is also converted to text output. This example uses `Latency` mode, which prioritizes response time.

-> `Latency` and `Accuracy` modes, and multilingual continuous recognition, are currently only supported in C#, C++, and Python.

-The following example runs at-start recognition, prioritizing `Latency`. This property can also be set to `Accuracy` depending on the priority for your use-case. `Latency` is the best option to use if you need a low-latency result (e.g. for a live streaming case), but don't know the language in the audio sample.

-`Accuracy` should be used in scenarios where the audio quality may be poor, and more latency is acceptable. For example, a voicemail could have background noise, or some silence at the beginning, and allowing the engine more time will improve recognition results.

-In either case, at-start recognition as shown below should **not be used** for scenarios where the language may be changing within the same audio sample. See below for continuous recognition for these types of scenarios.

-The following example shows continuous speech recognition set up for a multilingual scenario. This example only uses `en-US` and `ja-JP` in the language config, but you can use up to **ten languages** for this design pattern. Each time speech is detected, the source language is identified and the audio is also converted to text output. This example uses `Latency` mode, which prioritizes response time.

-> `Latency` and `Accuracy` modes, and multilingual continuous recognition, are currently only supported in C#, C++, and Python.

-## Use language detection with a custom Speech-to-Text model

-In addition to language identification using Speech service base models, you can also specify a custom model for enhanced recognition. If a custom model isn't provided, the service will use the default language model.

-The snippets below illustrate how to specify a custom model in your call to the Speech service. If the detected language is `en-US`, then the default model is used. If the detected language is `fr-FR`, then the endpoint for the custom model is used:

-* See the [sample code](https://github.com/Azure-Samples/cognitive-services-speech-sdk/blob/master/samples/csharp/sharedcontent/console/speech_recognition_samples.cs#L741) on GitHub for language identification

-* See the [sample code](https://github.com/Azure-Samples/cognitive-services-speech-sdk/blob/master/samples/cpp/windows/console/samples/speech_recognition_samples.cpp#L507) on GitHub for language identification

-* See the [sample code](https://github.com/Azure-Samples/cognitive-services-speech-sdk/blob/master/samples/java/jre/console/src/com/microsoft/cognitiveservices/speech/samples/console/SpeechRecognitionSamples.java#L521) on GitHub for language identification

-* See the [sample code](https://github.com/Azure-Samples/cognitive-services-speech-sdk/blob/master/samples/python/console/speech_sample.py#L458) on GitHub for language identification

-* See the [sample code](https://github.com/Azure-Samples/cognitive-services-speech-sdk/blob/master/samples/objective-c/ios/speech-samples/speech-samples/ViewController.m#L525) on GitHub for language identification

-description: "In this document you learn how to quantitatively measure and improve the quality of our speech-to-text model or your custom model. Audio + human-labeled transcription data is required to test accuracy, and 30 minutes to 5 hours of representative audio should be provided."

-In this article, you learn how to quantitatively measure and improve the accuracy of Microsoft speech-to-text models or your own custom models. Audio + human-labeled transcription data is required to test accuracy, and 30 minutes to 5 hours of representative audio should be provided.

-The industry standard to measure model accuracy is [Word Error Rate](https://en.wikipedia.org/wiki/Word_error_rate) (WER). WER counts the number of incorrect words identified during recognition,

-then divides by the total number of words provided in the human-labeled transcript (shown below as N). Finally, that number is multiplied by 100% to calculate the WER.

-

-

-If you want to replicate WER measurements locally, you can use `sclite` from the [NIST Scoring Toolkit (SCTK)](https://github.com/usnistgov/SCTK).

-You can use the WER from the machine recognition results to evaluate the quality of the model you are using with your app, tool, or product. A WER of 5%-10% is considered to be good quality and is ready to use. A WER of 20% is acceptable, however you may want to consider additional training. A WER of 30% or more signals poor quality and requires customization and training.

-How the errors are distributed is important. When many deletion errors are encountered, it's usually because of weak audio signal strength. To resolve this issue, you'll need to collect audio data closer to the source. Insertion errors mean that the audio was recorded in a noisy environment and crosstalk may be present, causing recognition issues. Substitution errors are often encountered when an insufficient sample of domain-specific terms has been provided as either human-labeled transcriptions or related text.

-If you'd like to test the quality of Microsoft's speech-to-text baseline model or a custom model that you've trained, you can compare two models side by side to evaluate accuracy. The comparison includes WER and recognition results. Typically, a custom model is compared with Microsoft's baseline model.

-To evaluate models side by side:

-2. Navigate to **Speech-to-text** > **Custom Speech** > [Project Name] > **Testing**.

-3. Select **Add Test**.

-4. Select **Evaluate accuracy**. Give the test a name, description, and select your audio + human-labeled transcription dataset.

-5. Select up to two models that you'd like to test.

-6. Select **Create**.

-Once the test is complete, indicated by the status change to *Succeeded*, you'll find a WER number for both models included in your test. Select on the test name to view the testing detail page. This detail page lists all the utterances in your dataset, indicating the recognition results of the two models alongside the transcription from the submitted dataset. To help inspect the side-by-side comparison, you can toggle various error types including insertion, deletion, and substitution. By listening to the audio and comparing recognition results in each column, which shows the human-labeled transcription and the results for two speech-to-text models, you can decide which model meets your needs and where additional training and improvements are required.

-| Scenario | Audio Quality | Vocabulary | Speaking Style |

-| Call center | Low, 8 kHz, could be two people on one audio channel, could be compressed | Narrow, unique to domain and products | Conversational, loosely structured |

-| Voice assistant (such as Cortana, or a drive-through window) | High, 16 kHz | Entity heavy (song titles, products, locations) | Clearly stated words and phrases |

-| Dictation (instant message, notes, search) | High, 16 kHz | Varied | Note-taking |

-Different scenarios produce different quality outcomes. The following table examines how content from these four scenarios rates in the [word error rate (WER)](how-to-custom-speech-evaluate-data.md). The table shows which error types are most common in each scenario.

-| Scenario | Speech Recognition Quality | Insertion Errors | Deletion Errors | Substitution Errors |

-|-|-||--||

-| Call center | Medium (< 30% WER) | Low, except when other people talk in the background | Can be high. Call centers can be noisy, and overlapping speakers can confuse the model | Medium. Products and people's names can cause these errors |

-| Voice assistant | High (can be < 10% WER) | Low | Low | Medium, due to song titles, product names, or locations |

-| Dictation | High (can be < 10% WER) | Low | Low | High |

-| Video closed captioning | Depends on video type (can be < 50% WER) | Low | Can be high due to music, noises, microphone quality | Jargon may cause these errors |

-Plan to maintain your custom model by adding source materials periodically. Your custom model needs additional training to stay aware of changes to your entities. For example, you may need updates to product names, song names, or new service locations.

-You can use structured text data in markdown format similarly to plain text sentences, but you would use structured text data when your data follows a particular pattern in particular utterances that only differ by words or phrases from a list. For more information, see [Structured text data for training](how-to-custom-speech-test-and-train.md#structured-text-data-for-training-public-preview).

-> Training with structured text is only supported for these locales: `en-US`, `de-DE`, `en-UK`, `en-IN`, `fr-FR`, `fr-CA`, `es-ES`, `es-MX` and you must use the latest base model for these locales. See [Language support](language-support.md) for a list of base models that support training with structured text data.

-> For locales that donΓÇÖt support training with structured text, the service will take any training sentences that donΓÇÖt reference any classes as part of training with plain text data.

-Audio with human-labeled transcripts offers the greatest accuracy improvements if the audio comes from the target use case. Samples must cover the full scope of speech. For example, a call center for a retail store would get most calls about swimwear and sunglasses during summer months. Assure that your sample includes the full scope of speech you want to detect.

-* Training with audio will bring the most benefits if the audio is also hard to understand for humans. In most cases, you should start training by just using related text.

-* If you use one of the most heavily used languages such as US-English, there's a good chance that there's no need to train with audio data. For such languages, the base models offer already very good recognition results in most scenarios; it's probably enough to train with related text.

-* Custom Speech can only capture word context to reduce substitution errors, not insertion, or deletion errors.

-* Avoid sentences that are not related to your problem domain. Unrelated sentences can harm your model.

-* When the quality of transcripts varies, you can duplicate exceptionally good sentences (like excellent transcriptions that include key phrases) to increase their weight.

-* The Speech service will automatically use the transcripts to improve the recognition of domain-specific words and phrases, as if they were added as related text.

-* It can take several days for a training operation to complete. To improve the speed of training, make sure to create your Speech service subscription in a [region with the dedicated hardware](custom-speech-overview.md#set-up-your-azure-account) for training.

-> Not all base models support training with audio. If a base model does not support it, the Speech service will only use the text from the transcripts and ignore the audio. See [Language support](language-support.md#speech-to-text) for a list of base models that support training with audio data. Even if a base model supports training with audio data, the service might use only part of the audio. Still it will use all the transcripts.

-> In cases when you change the base model used for training, and you have audio in the training dataset, *always* check whether the new selected base model [supports training with audio data](language-support.md#speech-to-text). If the previously used base model did not support training with audio data, and the training dataset contains audio, training time with the new base model will **drastically** increase, and may easily go from several hours to several days and more. This is especially true if your Speech service subscription is **not** in a [region with the dedicated hardware](custom-speech-overview.md#set-up-your-azure-account) for training.

-> If you face the issue described in the paragraph above, you can quickly decrease the training time by reducing the amount of audio in the dataset or removing it completely and leaving only the text. The latter option is highly recommended if your Speech service subscription is **not** in a [region with the dedicated hardware](custom-speech-overview.md#set-up-your-azure-account) for training.

-Words that are made-up or highly specialized may have unique pronunciations. These words can be recognized if the word can be broken down into smaller words to pronounce it. For example, to recognize **Xbox**, pronounce as **X box**. This approach will not increase overall accuracy, but can increase recognition of these keywords.

-> This technique is only available for some languages at this time. See customization for pronunciation in [the Speech-to-text table](language-support.md) for details.

-The following table shows voice recognition scenarios and lists source materials to consider within the three training content categories listed above.

-|-||||

-| Call center | marketing documents, website, product reviews related to call center activity | call center calls transcribed by humans | terms that have ambiguous pronunciations (see Xbox above) |

-| Voice assistant | list sentences using all combinations of commands and entities | record voices speaking commands into device, and transcribe into text | names (movies, songs, products) that have unique pronunciations |

-| Dictation | written input, like instant messages or emails | similar to above | similar to above |

-| Video closed captioning | TV show scripts, movies, marketing content, video summaries | exact transcripts of videos | similar to above |

-description: Learn how to train and deploy Custom Speech models. Training a speech-to-text model can improve recognition accuracy for the Microsoft baseline model or a for custom model.

-In this article, you'll learn how to train and deploy Custom Speech models. Training a speech-to-text model can improve recognition accuracy for the Microsoft baseline model. You use human-labeled transcriptions and related text to train a model. These datasets, along with previously uploaded audio data, are used to refine and train the speech-to-text model.

-If you're encountering recognition problems with a base model, you can use human-labeled transcripts and related data to train a custom model and help improve accuracy. Use this table to determine which dataset to use to address your problems:

-| Improve recognition accuracy on industry-specific vocabulary and grammar, like medical terminology or IT jargon | Plain text or structured text data |

-| Define the phonetic and displayed form of a word or term that has nonstandard pronunciation, like product names or acronyms | Pronunciation data or phonetic pronunciation in structured text |

-| Improve recognition accuracy on speaking styles, accents, or specific background noises | Audio + human-labeled transcripts |

-The first step to train a model is to upload training data. See [Prepare and test your data](./how-to-custom-speech-test-and-train.md) for step-by-step instructions to prepare human-labeled transcriptions and related text (utterances and pronunciations). After you upload training data, follow these instructions to start training your model:

-2. Go to **Speech-to-text** > **Custom Speech** > **[name of project]** > **Training**.

-3. Select **Train model**.

-4. Give your training a **Name** and **Description**.

-5. In the **Scenario and Baseline model** list, select the scenario that best fits your domain. If you're not sure which scenario to choose, select **General**. The baseline model is the starting point for training. The latest model is usually the best choice.

-6. On the **Select training data** page, choose one or more related text datasets or audio + human-labeled transcription datasets that you want to use for training.

-> [!NOTE]

-> When you train a new model, start with related text; training with audio + human-labeled transcription might take much longer **(up to [several days](how-to-custom-speech-evaluate-data.md#add-audio-with-human-labeled-transcripts)**).

-> [!NOTE]

-> Not all base models support training with audio. If a base model does not support it, the Speech service will only use the text from the transcripts and ignore the audio. See [Language support](language-support.md#speech-to-text) for a list of base models that support training with audio data.

-> [!NOTE]

-> In cases when you change the base model used for training, and you have audio in the training dataset, *always* check whether the new selected base model [supports training with audio data](language-support.md#speech-to-text). If the previously used base model did not support training with audio data, and the training dataset contains audio, training time with the new base model will **drastically** increase, and may easily go from several hours to several days and more. This is especially true if your Speech service subscription is **not** in a [region with the dedicated hardware](custom-speech-overview.md#set-up-your-azure-account) for training.

->

-> If you face the issue described in the paragraph above, you can quickly decrease the training time by reducing the amount of audio in the dataset or removing it completely and leaving only the text. The latter option is highly recommended if your Speech service subscription is **not** in a [region with the dedicated hardware](custom-speech-overview.md#set-up-your-azure-account) for training.

-7. After training is complete, you can do accuracy testing on the newly trained model. This step is optional.

-8. Select **Create** to build your custom model.

-The **Training** table displays a new entry that corresponds to the new model. The table also displays the status: **Processing**, **Succeeded**, or **Failed**.

-See the [how-to](how-to-custom-speech-evaluate-data.md) on evaluating and improving Custom Speech model accuracy. If you choose to test accuracy, it's important to select an acoustic dataset that's different from the one you used with your model to get a realistic sense of the model's performance.

-> Base models and custom models can be used up to a certain date as described in [Model and endpoint lifecycle](./how-to-custom-speech-model-and-endpoint-lifecycle.md). Speech Studio shows this date in the **Expiration** column for each model and endpoint. After that date request to an endpoint or to batch transcription might fail or fall back to base model.

-> Retrain your model using the then most recent base model to benefit from accuracy improvements and to avoid that your model expires.

-To create a custom endpoint, sign in to the [Custom Speech portal](https://speech.microsoft.com/customspeech). Select **Deployment** in the **Custom Speech** menu at the top of the page. If this is your first run, you'll notice that there are no endpoints listed in the table. After you create an endpoint, you use this page to track each deployed endpoint.

-Next, select **Add endpoint** and enter a **Name** and **Description** for your custom endpoint. Then select the custom model that you want to associate with the endpoint. You can also enable logging from this page. Logging allows you to monitor endpoint traffic. If logging is disabled, traffic won't be stored.

-

-> [!NOTE]

-> Don't forget to accept the terms of use and pricing details.

-Next, select **Create**. This action returns you to the **Deployment** page. The table now includes an entry that corresponds to your custom endpoint. The endpointΓÇÖs status shows its current state. It can take up to 30 minutes to instantiate a new endpoint using your custom models. When the status of the deployment changes to **Complete**, the endpoint is ready to use.

-After your endpoint is deployed, the endpoint name appears as a link. Select the link to see information specific to your endpoint, like the endpoint key, endpoint URL, and sample code. Take a note of the expiration date and update the endpoint's model before that date to ensure uninterrupted service.

-Logging data is available for export if you go to the endpoint's page under **Deployments**.

->Logging data is available for 30 days on Microsoft-owned storage. It will be removed afterwards. If a customer-owned storage account is linked to the Cognitive Services subscription, the logging data won't be automatically deleted.

-description: "When you're ready to upload your data, go to the Custom Voice portal. Create or select a Custom Voice project. The project must share the right language/locale and the gender properties as the data you intend to use for your voice training."

-In [Prepare training data](how-to-custom-voice-prepare-data.md), you learned about the different data types you can use to train a custom neural voice and the different format requirements. Once you've prepared your data and the voice talent verbal statement, you can start to upload them to the [Speech Studio](https://aka.ms/custom-voice-portal). In this article, you learn how to train a custom neural voice through the Speech Studio portal. See the [supported languages](language-support.md#custom-neural-voice) for custom neural voice.

-A voice talent is an individual or target speaker whose voices are recorded and used to create neural voice models. Before you create a voice, define your voice persona and select a right voice talent. For details on recording voice samples, see [the tutorial](record-custom-voice-samples.md).

-To train a neural voice, you must create a voice talent profile with an audio file recorded by the voice talent consenting to the usage of their speech data to train a custom voice model. When preparing your recording script, make sure you include the statement sentence. You can find the statement in multiple languages [here](https://github.com/Azure-Samples/Cognitive-Speech-TTS/blob/master/CustomVoice/script/verbal-statement-all-locales.txt). The language of the verbal statement must be the same as your recording. You need to upload this audio file to the Speech Studio as shown below to create a voice talent profile, which is used to verify against your training data when you create a voice model. Read more about the [voice talent verification](/legal/cognitive-services/speech-service/custom-neural-voice/data-privacy-security-custom-neural-voice?context=%2fazure%2fcognitive-services%2fspeech-service%2fcontext%2fcontext) here.

- :::image type="content" source="media/custom-voice/upload-verbal-statement.png" alt-text="Upload voice talent statement":::

-> Custom neural voice is available with limited access. Make sure you understand the [responsible AI requirements](/legal/cognitive-services/speech-service/custom-neural-voice/limited-access-custom-neural-voice?context=%2fazure%2fcognitive-services%2fspeech-service%2fcontext%2fcontext), and then [apply for access](https://aka.ms/customneural).

-The following steps assume you've prepared the voice talent verbal consent files. Go to [Speech Studio](https://aka.ms/custom-voice-portal) to select a custom neural voice project, then follow the following steps to create a voice talent profile.

-1. Navigate to **Text-to-Speech** > **Custom Voice** > **select a project** > **Set up voice talent**.

-2. Select **Add voice talent**.

-3. Next, to define voice characteristics, select **Target scenario** to be used. Then describe your **Voice characteristics**.

-> [!NOTE]

-> The scenarios you provide must be consistent with what you've applied for in the application form.

-4. Then, go to **Upload voice talent statement**, follow the instruction to upload voice talent statement you've prepared beforehand.

-> [!NOTE]

-> Make sure the verbal statement is recorded in the same settings as your training data, including the recording environment and speaking style.

-5. Finally, go to **Review and create**, you can review the settings and select **Submit**.

-When you're ready to upload your data, go to the **Prepare training data** tab to add your first training set and upload data. A training set is a set of audio utterances and their mapping scripts used for training a voice model. You can use a training set to organize your training data. Data readiness checking will be done per each training set. You can import multiple data to a training set.

-You can do the following to create and review your training data.

-1. Select **Upload data** > **Choose data type** > **Upload data** > **Specify the target training set**.

-1. Enter **Name** and **Description** for your data > review the settings and select **Submit**.

->- Duplicate audio names will be removed from the training. Make sure the data you select don't contain the same audio names within the .zip file or across multiple .zip files. If utterance IDs (either in audio or script files) are duplicate, they'll be rejected.

->- If you've created data files in the previous version of Speech Studio, you must specify a training set for your data in advance to use them. Or else, an exclamation mark will be appended to the data name, and the data could not be used.

-All data you upload must meet the requirements for the data type that you choose. It's important to correctly format your data before it's uploaded, which ensures the data will be accurately processed by the Speech service. Go to [Prepare training data](how-to-custom-voice-prepare-data.md) and make sure your data has been rightly formatted.

-> - The maximum number of data files allowed to be imported per subscription is 10 .zip files for free subscription (F0) users and 500 for standard subscription (S0) users.

-Data files are automatically validated once you hit the **Submit** button. Data validation includes series of checks on the audio files to verify their file format, size, and sampling rate. Fix the errors if any and submit again.

-Once the data is uploaded, you can check the details in the training set detail view. On the **Overview** tab, you can further check the pronunciation scores and the noise level for each of your data. The pronunciation score ranges from 0-100. A score below 70 normally indicates a speech error or script mismatch. A heavy accent can reduce your pronunciation score and affect the generated digital voice.

-On the **Data details**, you can check the data details of the training set. If there are any typical issues with the data, follow the instructions in the message displayed to fix them before training.

-The issues are divided into three types. Referring to the following three tables to check the respective types of errors. Data with these errors will be excluded during training.

-| Script | Invalid separator| You must separate the utterance ID and the script content with a TAB character.|

-| Script | Invalid script ID| Script line ID must be numeric.|

-| Script | No valid script| No valid script found in this dataset. Fix the script lines that appear in the detailed issue list.|

-| Audio | No matching script| No audio files match the script ID. The name of the wav files must match with the IDs in the script file.|

-| Audio | Invalid audio format| The audio format of the .wav files is invalid. Check the wav file format using an audio tool like [SoX](http://sox.sourceforge.net/).|

-| Audio | Low sampling rate| The sampling rate of the .wav files cannot be lower than 16 KHz.|

-| Audio | Too long audio| Audio duration is longer than 30 seconds. Split the long audio into multiple files. We suggest utterances should be shorter than 15 seconds.|

-The second type of errors listed in the next table will be automatically fixed, but double checking the fixed data is recommended.

-Unresolved errors listed in the next table will affect the quality of training. However, the data with these errors won't be excluded during training. For higher-quality training, manually fixing these errors is recommended.

-| Script | Non-normalized text|This script contains digit 0-9. Expand them to normalized words and match with the audio. For example, normalize "123" to "one hundred and twenty-three".|

-| Script | Non-normalized text|This script contains symbols {}. Normalize the symbols to match the audio. For example, '50%' to "fifty percent".|

-| Script | Not enough question utterances| At least 10% of the total utterances should be question sentences. This helps the voice model properly express a questioning tone.|

-| Script |Not enough exclamation utterances| At least 10% of the total utterances should be exclamation sentences. This helps the voice model properly express an excited tone.|

-| Audio| Low sampling rate for neural voice | It's recommended that the sampling rate of your .wav files should be 24 KHz or higher for creating neural voices. It will be automatically upsampled to 24 KHz if it's lower.|

-| Volume |Overall volume too low|Volume shouldn't be lower than -18 dB (10% of max volume). Control the volume average level within proper range during the sample recording or data preparation.|

-| Volume | Start silence issue | The first 100 ms silence isn't clean. Reduce the recording noise floor level and leave the first 100 ms at the start silent.|

-| Volume| End silence issue| The last 100 ms silence isn't clean. Reduce the recording noise floor level and leave the last 100 ms at the end silent.|

-| Mismatch | Low scored words|Review the script and the audio content to make sure they match and control the noise floor level. Reduce the length of long silence or split the audio into multiple utterances if it's too long.|

-## Train your custom neural voice model

-After your data files have been validated, you can use them to build your custom neural voice model.

-2. Select the neural training method for your model and target language.

-By default, your voice model is trained in the same language of your training data. You can also select to create a secondary language (preview) for your voice model. Check the languages supported for custom neural voice and cross-lingual feature: [language for custom neural voice](language-support.md#custom-neural-voice).

-Training of custom neural voices isn't free. Check the [pricing](https://azure.microsoft.com/pricing/details/cognitive-services/speech-services/) for details. However, if you have statistical parametric or concatenative voice models deployed before March 31, 2021 with S0 Speech resources, free neural training credits are offered to your Azure subscription, and you can train 5 different versions of neural voices for free.

-3. Next, choose the data you want to use for training, and specify a speaker file.

->[!NOTE]

->- You need to select at least 300 utterances to create a custom neural voice.

->- To train a neural voice, you must specify a voice talent profile with the audio consent file provided of the voice talent acknowledging to use his/her speech data to train a custom neural voice model. Custom neural voice is available with limited access. Make sure you understand the [responsible AI requirements](/legal/cognitive-services/speech-service/custom-neural-voice/limited-access-custom-neural-voice?context=%2fazure%2fcognitive-services%2fspeech-service%2fcontext%2fcontext) and [apply the access here](https://aka.ms/customneural).

-4. Then, choose your test script.

-Each training will generate 100 sample audio files automatically to help you test the model with a default script. You can also provide your own test script as optional. The test script must exclude the filenames (the ID of each utterance), otherwise, these IDs will be spoken. Below is an example of how the utterances are organized in one .txt file:

-```

-This is the waistline, and it's falling.

-We have trouble scoring.

-It was Janet Maslin.

-```

-Each paragraph of the utterance will result in a separate audio. If you want to combine all sentences into one audio, make them in one paragraph.

->[!NOTE]

->- The test script must be a txt file, less than 1 MB. Supported encoding format includes ANSI/ASCII, UTF-8, UTF-8-BOM, UTF-16-LE, or UTF-16-BE.

->- The generated audios are a combination of the uploaded test script and the default test script.

-5. Enter a **Name** and **Description** to help you identify this model.

-Choose a name carefully. The name you enter here will be the name you use to specify the voice in your request for speech synthesis as part of the SSML input. Only letters, numbers, and a few punctuation characters such as -, _, and (', ') are allowed. Use different names for different neural voice models.

-A common use of the **Description** field is to record the names of the data that were used to create the model.

-6. Review the settings, then select **Submit** to start training the model.

-> [!NOTE]

-> Duplicate audio names will be removed from the training. Make sure the data you select don't contain the same audio names across multiple .zip files.

-The **Train model** table displays a new entry that corresponds to this newly created model. The table also displays the status: Processing, Succeeded, Failed.

-The status that's shown reflects the process of converting your data to a voice model, as shown here.

-| State | Meaning |

-| -- | - |

-| Processing | Your voice model is being created. |

-| Succeeded | Your voice model has been created and can be deployed. |

-| Failed | Your voice model has been failed in training because of many reasons, for example, unseen data problems or network issues. |

-Training duration varies depending on how much data you're training. It takes about 40 compute hours on average to train a custom neural voice.

-> [!NOTE]

-> Standard subscription (S0) users can train three voices simultaneously. If you reach the limit, wait until at least one of your voice models finishes training, and then try again.

-7. After you finish training the model successfully, you can review the model details.

-After your voice model is successfully built, you can use the generated sample audio files to test it before deploying it for use.

-The quality of the voice depends on many factors, including the size of the training data, the quality of the recording, the accuracy of the transcript file, how well the recorded voice in the training data matches the personality of the designed voice for your intended use case, and more. [Check here to learn more about the capabilities and limits of our technology and the best practice to improve your model quality](/legal/cognitive-services/speech-service/custom-neural-voice/characteristics-and-limitations-custom-neural-voice?context=%2fazure%2fcognitive-services%2fspeech-service%2fcontext%2fcontext).

-> Custom neural voice training is only available in the three regions: East US, Southeast Asia, and UK South. But you can easily copy a neural voice model from the three regions to other different regions. Check the regions supported for custom neural voice: [regions for custom neural voice](regions.md#text-to-speech).

-## Create and use a custom neural voice endpoint

-After you've successfully created and tested your voice model, you deploy it in a custom Text-to-Speech endpoint. You then use this endpoint in place of the usual endpoint when making Text-to-Speech requests through the REST API. Your custom endpoint can be called only by the subscription that you've used to deploy the model.

-You can do the following to create a custom neural voice endpoint.

-1. Select **Deploy model** > **Deploy model**.

-1. Select a voice model you would like to associate with this endpoint.

-After you've selected the **Deploy** button, you'll see an entry for your new endpoint. It may take a few minutes for the Speech service to deploy the new endpoint. When the status of the deployment is **Succeeded**, the endpoint is ready for use.

-You can **Suspend** and **Resume** your endpoint if you don't use it all the time. When an endpoint is reactivated after suspension, the endpoint URL will be kept the same so you don't need to change your code in your apps.

->- To use your custom neural voice, you must specify the voice model name, use the custom URI directly in an HTTP request, and use the same subscription to pass through the authentication of TTS service.

-After your endpoint is deployed, the endpoint name appears as a link. Click the link to display information specific to your endpoint, such as the endpoint key, endpoint URL, and sample code.

-The custom endpoint is functionally identical to the standard endpoint that's used for Text-to-Speech requests. For more information, see [Speech SDK](./get-started-text-to-speech.md) or [REST API](rest-text-to-speech.md).

-We also provide an online tool, [Audio Content Creation](https://speech.microsoft.com/audiocontentcreation), that allows you to fine-tune their audio output using a friendly UI.

-> Viseme events are only available for `en-US` English (United States) [neural voices](language-support.md#text-to-speech) for now.

-A _viseme_ is the visual description of a phoneme in spoken language. It defines the position of the face and mouth when speaking a word. Each viseme depicts the key facial poses for a specific set of phonemes.

-Viseme can be used to control the movement of 2D and 3D avatar models, perfectly matching mouth movements to synthetic speech. For example, you can:

- * Make more effective language teaching videos that help language learners to understand the mouth behavior of each word and phoneme.

-See [the introduction video](https://youtu.be/ui9XT47uwxs) of the viseme.

-## Azure neural TTS can produce visemes with speech

-A neural voice turns input text or SSML (Speech Synthesis Markup Language) into synthesized speech. Speech audio output can be accompanied by viseme IDs and their offset timestamps. Each viseme ID specifies a specific pose in observed speech, such as the position of the lips, jaw, and tongue when producing a particular phoneme. Using a 2D or 3D rendering engine, you can use these viseme events to animate your avatar.

-The overall workflow of viseme is depicted in the flowchart below.

-

-| Parameter | Description |

-| Viseme ID | Integer number that specifies a viseme. In English (United States), we offer 22 different visemes to depict the mouth shapes for a specific set of phonemes. There is no one-to-one correspondence between visemes and phonemes. Often several phonemes correspond to a single viseme, as several phonemes look the same on the face when produced, such as `s` and `z`. See the [mapping table between Viseme ID and phonemes](#map-phonemes-to-visemes). |

-To get viseme with your synthesized speech, subscribe to the `VisemeReceived` event in Speech SDK.

-The following snippet shows how to subscribe to the viseme event.

-After obtaining the viseme output, you can use these events to drive character animation. You can build your own characters and automatically animate the characters.

-For 2D characters, you can design a character that suits your scenario and use Scalable Vector Graphics (SVG) for each viseme ID to get a time-based face position. With temporal tags provided in viseme event, these well-designed SVGs will be processed with smoothing modifications, and provide robust animation to the users. For example, below illustration shows a red lip character designed for language learning.

-

-Visemes vary by language. Each language has a set of visemes that correspond to its specific phonemes. The following table shows the correspondence between International Phonetic Alphabet (IPA) phonemes and viseme IDs for English (United States).

-description: In this quickstart, you'll learn how to install the Speech SDK for your preferred platform and programming language combination.

-# Quickstart: Setup development environment

-#### [NodeJS](#tab/nodejs)

-description: Speaker Recognition provides algorithms that verify and identify speakers by their unique voice characteristics using voice biometry. Speaker Recognition is used to answer the question ΓÇ£who is speaking?ΓÇ¥. This article is an overview of the benefits and capabilities of the Speaker Recognition service.

-# What is Speaker Recognition?

-Speaker Recognition can help determine who is speaking in an audio clip. The service can verify and identify speakers by their unique voice characteristics using voice biometry.

-You provide audio training data for a single speaker, which creates an enrollment profile based on the unique characteristics of the speaker's voice. You can then cross-check audio voice samples against this profile to verify that the speaker is the same person (speaker verification), or cross-check audio voice samples against a *group* of enrolled speaker profiles to see if it matches any profile in the group (speaker identification).

-> Microsoft limits access to Speaker Recognition. You can apply for access through the [Azure Cognitive Services Speaker Recognition Limited Access Review](https://aka.ms/azure-speaker-recognition). For more information, please visit [Limited access for Speaker Recognition](/legal/cognitive-services/speech-service/speaker-recognition/limited-access-speaker-recognition).

-## Speaker Verification

-Speaker Verification streamlines the process of verifying an enrolled speaker identity with either passphrases or free-form voice input. For example, you can use it for customer identity verification in call centers or contact-less facility access.

-### How does Speaker Verification work?

-Speaker verification can be either text-dependent or text-independent. **Text-dependent** verification means speakers need to choose the same passphrase to use during both enrollment and verification phases. **Text-independent** verification means speakers can speak in everyday language in the enrollment and verification phrases.

-For **text-dependent** verification, the speaker's voice is enrolled by saying a passphrase from a set of predefined phrases. Voice features are extracted from the audio recording to form a unique voice signature, while the chosen passphrase is also recognized. Together, the voice signature and the passphrase are used to verify the speaker.

-**Text-independent** verification has no restrictions on what the speaker says during enrollment, besides the initial activation phrase to activate the enrollment. It doesn't have any restrictions on the audio sample to be verified, as it only extracts voice features to score similarity.

-The APIs are not intended to determine whether the audio is from a live person or an imitation/recording of an enrolled speaker.

-## Speaker Identification

-Speaker Identification is used to determine an unknown speakerΓÇÖs identity within a group of enrolled speakers. Speaker Identification enables you to attribute speech to individual speakers, and unlock value from scenarios with multiple speakers, such as:

-* Support solutions for remote meeting productivity

-* Build multi-user device personalization

-### How does Speaker Identification work?

-Enrollment for speaker identification is **text-independent**, which means that there are no restrictions on what the speaker says in the audio, besides the initial activation phrase to activate the enrollment. Similar to Speaker Verification, the speaker's voice is recorded in the enrollment phase, and the voice features are extracted to form a unique voice signature. In the identification phase, the input voice sample is compared to a specified list of enrolled voices (up to 50 in each request).

-Speaker enrollment data is stored in a secured system, including the speech audio for enrollment and the voice signature features. The speech audio for enrollment is only used when the algorithm is upgraded, and the features need to be extracted again. The service does not retain the speech recording or the extracted voice features that are sent to the service during the recognition phase.

-As with all of the Cognitive Services resources, developers who use the Speaker Recognition service must be aware of Microsoft's policies on customer data. You should ensure that you have received the appropriate permissions from the users for Speaker Recognition. You can find more details in [Data and privacy for Speaker Recognition](/legal/cognitive-services/speech-service/speaker-recognition/data-privacy-speaker-recognition). For more information, see the [Cognitive Services page](https://azure.microsoft.com/support/legal/cognitive-services-compliance-and-privacy/) on the Microsoft Trust Center.

-| What scenarios can Speaker Recognition be used for? | Call center customer verification, voice-based patient check-in, meeting transcription, multi-user device personalization|

-| What is the difference between Identification and Verification? | Identification is the process of detecting which member from a group of speakers is speaking. Verification is the act of confirming that a speaker matches a known, or **enrolled** voice.|

-| What's the difference between text-dependent and text-independent verification? | Text-dependent verification requires a specific pass-phrase for both enrollment and recognition. Text-independent verification requires a longer voice sample that must start with a particular activation phrase for enrollment, but anything can be spoken, including during recognition.|

-| What languages are supported? | See [Speaker recognition language support](language-support.md#speaker-recognition) |

-| What Azure regions are supported? | See [Speaker recognition region support](regions.md#speaker-recognition)|

-| What audio formats are supported? | Mono 16 bit, 16 kHz PCM-encoded WAV |

-| **Accept** and **Reject** responses aren't accurate, how do you tune the threshold? | Since the optimal threshold varies highly with scenarios, the service decides whether to accept or reject based on a default threshold of 0.5. You should override the default decision and fine tune the result based on your own scenario. |

-| What data is stored in Azure? | Enrollment audio is stored in the service until the voice profile is [deleted](./get-started-speaker-recognition.md#deleting-voice-profile-enrollments). Recognition audio samples are not retained or stored. |

-> [Speaker Recognition quickstart](./get-started-speaker-recognition.md)

-| Yes | `Billing` | String | Billing endpoint URI. For more information on obtaining the billing URI, see [gathering required parameters](speech-container-howto.md#gathering-required-parameters). For more information and a complete list of regional endpoints, see [Custom subdomain names for Cognitive Services](../cognitive-services-custom-subdomains.md). |

-| **{ENDPOINT_URI}** | The billing endpoint value is available on the Azure `Speech` Overview page. | See [gathering required parameters](speech-container-howto.md#gathering-required-parameters) for explicit examples. |

-# Install and run Docker containers for the Speech service APIs

-Containers enable you to run _some_ of the Speech service APIs in your own environment. Containers are great for specific security and data governance requirements. In this article you'll learn how to download, install, and run a Speech container.

-Speech containers enable customers to build a speech application architecture that is optimized for both robust cloud capabilities and edge locality. There are several containers available, which use the same [pricing](https://azure.microsoft.com/pricing/details/cognitive-services/speech-services/) as the cloud-based Azure Speech Services.

-> We retired the standard speech synthesis voices and text-to-speech container on August 31st 2021. Consider migrating your applications to use the Neural text-to-speech container instead. [Follow these steps](./how-to-migrate-to-prebuilt-neural-voice.md) for more information on updating your application.

-| Speech-to-text | Analyzes sentiment and transcribes continuous real-time speech or batch audio recordings with intermediate results. | 3.0.0 | Generally Available |

-| Custom Speech-to-text | Using a custom model from the [Custom Speech portal](https://speech.microsoft.com/customspeech), transcribes continuous real-time speech or batch audio recordings into text with intermediate results. | 3.0.0 | Generally Available |

-| Text-to-speech | Converts text to natural-sounding speech with plain text input or Speech Synthesis Markup Language (SSML). | 1.15.0 | Generally Available |

-| Speech Language Identification | Detect the language spoken in audio files. | 1.5.0 | preview |

-| Neural Text-to-speech | Converts text to natural-sounding speech using deep neural network technology, allowing for more natural synthesized speech. | 1.12.0 | Generally Available |

-> * To use the speech containers you must submit an online request, and have it approved. See the **Request approval to the run the container** section below for more information.

-> * *Generally Available* containers meet Microsoft's stability and support requirements. Containers in *Preview* are still under development.

-You must meet the following prerequisites before using Speech service containers. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/cognitive-services/) before you begin.

-* [Docker](https://docs.docker.com/) installed on a host computer. Docker must be configured to allow the containers to connect with and send billing data to Azure.

-The following table describes the minimum and recommended allocation of resources for each Speech container.

-| Custom Speech-to-text | 2 core, 2-GB memory | 4 core, 4-GB memory |

-| Speech Language Identification | 1 core, 1-GB memory | 1 core, 1-GB memory |

-| Neural Text-to-speech | 6 core, 12-GB memory | 8 core, 16-GB memory |

-* Each core must be at least 2.6 gigahertz (GHz) or faster.

-> The minimum and recommended are based off of Docker limits, *not* the host machine resources. For example, speech-to-text containers memory map portions of a large language model, and it is *recommended* that the entire file fits in memory, which is an additional 4-6 GB. Also, the first run of either container may take longer, since models are being paged into memory.

-The **host** is the computer that runs the docker container. The host *must support* [Advanced Vector Extensions](https://en.wikipedia.org/wiki/Advanced_Vector_Extensions#CPUs_with_AVX2) (AVX2). You can check for AVX2 support on Linux hosts with the following command:

-## Request approval to the run the container

-Fill out and submit the [request form](https://aka.ms/csgate) to request access to the container.

-## Get the container image with `docker pull`

-Container images for Speech are available in the following Container Registry.

-# [Custom Speech-to-text](#tab/cstt)

-| Custom Speech-to-text | `mcr.microsoft.com/azure-cognitive-services/speechservices/custom-speech-to-text:latest` |

-# [Neural Text-to-speech](#tab/ntts)

-| Neural Text-to-speech | `mcr.microsoft.com/azure-cognitive-services/speechservices/neural-text-to-speech:latest` |

-# [Speech Language Identification](#tab/lid)

-> To get the most useful results, we recommend using the Speech language identification container with the Speech-to-text or Custom speech-to-text containers.

-| Speech Language Identification | `mcr.microsoft.com/azure-cognitive-services/speechservices/language-detection:latest` |

-#### Docker pull for the Speech-to-text container

-Use the [docker pull](https://docs.docker.com/engine/reference/commandline/pull/) command to download a container image from Microsoft Container registry.

-> The `latest` tag pulls the `en-US` locale. For additional locales see [Speech-to-text locales](#speech-to-text-locales).

-All tags, except for `latest` are in the following format and are case-sensitive:

-For all of the supported locales of the **speech-to-text** container, please see [Speech-to-text image tags](../containers/container-image-tags.md#speech-to-text).

-# [Custom Speech-to-text](#tab/cstt)

-#### Docker pull for the Custom Speech-to-text container

-Use the [docker pull](https://docs.docker.com/engine/reference/commandline/pull/) command to download a container image from Microsoft Container registry.

-#### Docker pull for the Text-to-speech container

-Use the [docker pull](https://docs.docker.com/engine/reference/commandline/pull/) command to download a container image from Microsoft Container registry.

-> The `latest` tag pulls the `en-US` locale and `ariarus` voice. For additional locales see [Text-to-speech locales](#text-to-speech-locales).

-All tags, except for `latest` are in the following format and are case-sensitive:

-For all of the supported locales and corresponding voices of the **text-to-speech** container, please see [Text-to-speech image tags](../containers/container-image-tags.md#text-to-speech).

-> When constructing a *Text-to-speech* HTTP POST, the [Speech Synthesis Markup Language (SSML)](speech-synthesis-markup.md) message requires a `voice` element with a `name` attribute. The value is the corresponding container locale and voice, also known as the ["short name"](how-to-migrate-to-prebuilt-neural-voice.md). For example, the `latest` tag would have a voice name of `en-US-AriaRUS`.

-# [Neural Text-to-speech](#tab/ntts)

-#### Docker pull for the Neural Text-to-speech container

-Use the [docker pull](https://docs.docker.com/engine/reference/commandline/pull/) command to download a container image from Microsoft Container registry.

-> The `latest` tag pulls the `en-US` locale and `arianeural` voice. For additional locales see [Neural Text-to-speech locales](#neural-text-to-speech-locales).

-#### Neural Text-to-speech locales

-All tags, except for `latest` are in the following format and are case-sensitive:

-For all of the supported locales and corresponding voices of the **neural text-to-speech** container, please see [Neural Text-to-speech image tags](../containers/container-image-tags.md#neural-text-to-speech).

-> When constructing a *Neural Text-to-speech* HTTP POST, the [Speech Synthesis Markup Language (SSML)](speech-synthesis-markup.md) message requires a `voice` element with a `name` attribute. The value is the corresponding container locale and voice, also known as the ["short name"](language-support.md#prebuilt-neural-voices). For example, the `latest` tag would have a voice name of `en-US-AriaNeural`.

-# [Speech Language Identification](#tab/lid)

-#### Docker pull for the Speech Language Identification container

-Use the [docker pull](https://docs.docker.com/engine/reference/commandline/pull/) command to download a container image from Microsoft Container registry.

-## How to use the container

-Once the container is on the [host computer](#host-computer-requirements-and-recommendations), use the following process to work with the container.

-1. [Run the container](#run-the-container-with-docker-run), with the required billing settings. More [examples](speech-container-configuration.md#example-docker-run-commands) of the `docker run` command are available.

-## Run the container with `docker run`

-Use the [docker run](https://docs.docker.com/engine/reference/commandline/run/) command to run the container. Refer to [gathering required parameters](#gathering-required-parameters) for details on how to get the `{Endpoint_URI}` and `{API_Key}` values. Additional [examples](speech-container-configuration.md#example-docker-run-commands) of the `docker run` command are also available.

-Starting in container version 3.0.0, select customers can run speech-to-text containers in an environment without Internet accessibility. See [Run Cognitive Services containers in disconnected environments](../containers/disconnected-containers.md) for more information.

-To run the Standard *Speech-to-text* container, execute the following `docker run` command.

-* Runs a *Speech-to-text* container from the container image.

-* Allocates 4 CPU cores and 4 gigabytes (GB) of memory.

-> Containers support compressed audio input to Speech SDK using GStreamer.

-Diarization is enabled by default. to get diarization in your response, use `diarize_speech_config.set_service_property`.

-```python

-diarize_speech_config.set_service_property(

- name='speechcontext-PhraseOutput.Format',

- value='Detailed',

- channel=speechsdk.ServicePropertyChannel.UriQueryParameter

-)

-diarize_speech_config.set_service_property(

- name='speechcontext-phraseDetection.speakerDiarization.mode',

- value='Identity',

- channel=speechsdk.ServicePropertyChannel.UriQueryParameter

-)

-```

-> [!NOTE]

-> "Identity" mode returns `"SpeakerId": "Customer"` or `"SpeakerId": "Agent"`.

-> "Anonymous" mode returns `"SpeakerId": "Speaker 1"` or `"SpeakerId": "Speaker 2"`

-#### Analyze sentiment on the speech-to-text output

-Starting in v2.6.0 of the speech-to-text container, you should use Language service 3.0 API endpoint instead of the preview one. For example

-> The Language service `v3.0` API is not backward compatible with `v3.0-preview.1`. To get the latest sentiment feature support, use `v2.6.0` of the speech-to-text container image and Language service `v3.0`.

-Starting in v2.2.0 of the speech-to-text container, you can call the [sentiment analysis v3 API](../text-analytics/how-tos/text-analytics-how-to-sentiment-analysis.md) on the output. To call sentiment analysis, you will need a Language service API resource endpoint. For example:

-If you're accessing a Language service endpoint in the cloud, you will need a key. If you're running Language service features locally, you may not need to provide this.

-The key and endpoint are passed to the Speech container as arguments, as in the following example.

-* Performs the same steps as the command above.

-* Stores a Language service API endpoint and key, for sending sentiment analysis requests.

-#### Phraselist v2 on the speech-to-text output

-Starting in v2.6.0 of the speech-to-text container, you can get the output with your own phrases - either the whole sentence, or phrases in the middle. For example *the tall man* in the following sentence:

-If you have multiple phrases to add, call `.addPhrase()` for each phrase to add it to the phrase list.

-# [Custom Speech-to-text](#tab/cstt)

-The *Custom Speech-to-text* container relies on a custom speech model. The custom model has to have been [trained](how-to-custom-speech-train-model.md) using the [custom speech portal](https://speech.microsoft.com/customspeech).

-The custom speech **Model ID** is required to run the container. It can be found on the **Training** page of the custom speech portal. From the custom speech portal, navigate to the **Training** page and select the model.

-

-

-| `{VOLUME_MOUNT}` | The host computer [volume mount](https://docs.docker.com/storage/volumes/), which docker uses to persist the custom model. For example, *C:\CustomSpeech* where the *C drive* is located on the host machine. |

-| `{MODEL_ID}` | The Custom Speech **Model ID** from the **Training** page of the custom speech portal. |

-| `{ENDPOINT_URI}` | The endpoint is required for metering and billing. For more information, see [gathering required parameters](#gathering-required-parameters). |

-| `{API_KEY}` | The API key is required. For more information, see [gathering required parameters](#gathering-required-parameters). |

-To run the *Custom Speech-to-text* container, execute the following `docker run` command:

-* Runs a *Custom Speech-to-text* container from the container image.

-* Allocates 4 CPU cores and 4 gigabytes (GB) of memory.

-* Loads the *Custom Speech-to-Text* model from the volume input mount, for example *C:\CustomSpeech*.

-#### Base model download on the custom speech-to-text container

-Starting in v2.6.0 of the custom-speech-to-text container, you can get the available base model information by using option `BaseModelLocale=<locale>`. This option will give you a list of available base models on that locale under your billing account. For example:

-* Runs a *Custom Speech-to-text* container from the container image.

-* Check and return the available base models of the target locale.

-#### Custom pronunciation on the custom speech-to-text container

-Starting in v2.5.0 of the custom-speech-to-text container, you can get custom pronunciation result in the output. All you need to do is to have your own custom pronunciation rules set up in your custom model and mount the model to custom-speech-to-text container.

-To run the Standard *Text-to-speech* container, execute the following `docker run` command.

-* Runs a Standard *Text-to-speech* container from the container image.

-* Allocates 1 CPU core and 2 gigabytes (GB) of memory.

-# [Neural Text-to-speech](#tab/ntts)

-To run the *Neural Text-to-speech* container, execute the following `docker run` command.

-* Runs a *Neural Text-to-speech* container from the container image.

-* Allocates 6 CPU cores and 12 gigabytes (GB) of memory.

-# [Speech Language Identification](#tab/lid)

-To run the *Speech Language Identification* container, execute the following `docker run` command.

-This command:

-* Runs a speech language-detection container from the container image. Currently you will not be charged for running this image.

-* Allocates 1 CPU cores and 1 gigabyte (GB) of memory.

-If you want to run this container with the speech-to-text container, you can use this [Docker image](https://hub.docker.com/r/antsu/on-prem-client). After both containers have been started, use this Docker Run command to execute `speech-to-text-with-languagedetection-client`.

-> [!NOTE]

-> Increasing the number of concurrent calls can impact reliability and latency. For language identification, we recommend a maximum of 4 concurrent calls using 1 CPU with and 1GB of memory. For hosts with 2 CPUs and 2GB of memory, we recommend a maximum of 6 concurrent calls.

-> The `Eula`, `Billing`, and `ApiKey` options must be specified to run the container; otherwise, the container won't start. For more information, see [Billing](#billing).

-| Standard Speech-to-text and Custom Speech-to-text | `ws://localhost:5000` | WS |

-| Text-to-speech (including Standard and Neural), Speech Language identification | `http://localhost:5000` | HTTP |

-For more information on using WSS and HTTPS protocols, see [container security](../cognitive-services-container-support.md#azure-cognitive-services-container-security).

-### Speech-to-text (Standard and Custom)

-> v1.13 of the Speech Service Python SDK has an identified issue with sentiment analysis. Please use v1.12.x or earlier if you're using sentiment analysis in the Speech Service Python SDK.

-`Simple.Extensions` will return the sentiment result in root layer of the response.

-`Detailed.Extensions` provides sentiment result in the root layer of the response. `Detailed.Options` provides the result in `NBest` layer of the response. They can be used separately or together.

-### Text-to-speech (Standard and Neural)

-You can have this container and a different Azure Cognitive Services container running on the HOST together. You also can have multiple containers of the same Cognitive Services container running.

-When starting or running the container, you may experience issues. Use an output [mount](speech-container-configuration.md#mount-settings) and enable logging. Doing so will allow the container to generate log files that are helpful when troubleshooting issues.

-The Speech containers send billing information to Azure, using a *Speech* resource on your Azure account.

-In this article, you learned concepts and workflow for downloading, installing, and running Speech containers. In summary:

-* Speech provides four Linux containers for Docker, encapsulating various capabilities:

- * *Speech-to-text*

- * *Custom Speech-to-text*

- * *Text-to-speech*

- * *Custom Text-to-speech*

- * *Neural Text-to-speech*

- * *Speech Language Identification*

-* Whether using the REST API (Text-to-speech only) or the SDK (Speech-to-text or Text-to-speech) you specify the host URI of the container.

-* You're required to provide billing information when instantiating a container.

-> Cognitive Services containers are not licensed to run without being connected to Azure for metering. Customers need to enable the containers to communicate billing information with the metering service at all times. Cognitive Services containers do not send customer data (e.g., the image or text that is being analyzed) to Microsoft.

-* Review [configure containers](speech-container-configuration.md) for configuration settings

-* Learn how to [use Speech service containers with Kubernetes and Helm](speech-container-howto-on-premises.md)

-* Use more [Cognitive Services containers](../cognitive-services-container-support.md)

-|Yes| `Billing` | String | Billing endpoint URI. For more information on obtaining the billing URI, see [gathering required parameters](use-containers.md#gathering-required-parameters). For more information and a complete list of regional endpoints, see [Custom subdomain names for Cognitive Services](../../../cognitive-services-custom-subdomains.md). |

-## Prerequisites

-## Setting up

-### Create a new C# application

-In a console window (such as cmd, PowerShell, or Bash), use the `dotnet new` command to create a new console app with the name `RoomsQuickstart`. This command creates a simple "Hello World" C# project with a single source file: **Program.cs**.

-```console

-dotnet new console -o RoomsQuickstart

-```

-Change your directory to the newly created app folder and use the `dotnet build` command to compile your application.

-```console

-cd RoomsQuickstart

-dotnet build

-```

-### Initialize a room client

-Create a new `RoomsClient` object that will be used to create new `rooms` and manage their properties and lifecycle. The connection string of your `Communications Service` will be used to authenticate the request. For more information on connection strings, see [this page](../create-communication-resource.md#access-your-connection-strings-and-service-endpoints).

-```csharp

-// Find your Communication Services resource in the Azure portal

-var connectionString = "<connection_string>";

-RoomsClient roomsClient = new RoomsClient(connectionString);

-```

-### Create a room

-Create a new `room` with default properties using the code snippet below:

-```csharp

-CreateRoomRequest createRoomRequest = new CreateRoomRequest();

-Response<CommunicationRoom> createRoomResponse = await roomsClient.CreateRoomAsync(createRoomRequest);

-CommunicationRoom createCommunicationRoom = createRoomResponse.Value;

-string roomId = createCommunicationRoom.Id;

-```

-Since `rooms` are server-side entities, you may want to keep track of and persist the `roomId` in the storage medium of choice. You can reference the `roomId` to view or update the properties of a `room` object.

-### Get properties of an existing room

-Retrieve the details of an existing `room` by referencing the `roomId`:

-```csharp

-Response<CommunicationRoom> getRoomResponse = await roomsClient.GetRoomAsync(roomId)

-CommunicationRoom getCommunicationRoom = getRoomResponse.Value;

-```

-### Update the lifetime of a room

-The lifetime of a `room` can be modified by issuing an update request for the `ValidFrom` and `ValidUntil` parameters.

-```csharp

-var validFrom = new DateTime(2022, 05, 01, 00, 00, 00, DateTimeKind.Utc);

-var validUntil = validFrom.AddDays(1);

-UpdateRoomRequest updateRoomRequest = new UpdateRoomRequest();

-updateRoomRequest.ValidFrom = validFrom;

-updateRoomRequest.ValidUntil = validUntil;

-Response<CommunicationRoom> updateRoomResponse = await roomsClient.UpdateRoomAsync(roomId, updateRoomRequest);

-CommunicationRoom updateCommunicationRoom = updateRoomResponse.Value;

-```

-### Add new participants

-To add new participants to a `room`, issue an update request on the room's `Participants`:

-```csharp

-var communicationUser1 = "<CommunicationUserId1>";

-var communicationUser2 = "<CommunicationUserId2>";

-var communicationUser3 = "<CommunicationUserId3>";

-UpdateRoomRequest updateRoomRequest = new UpdateRoomRequest()

-updateRoomRequest.Participants.Add(communicationUser1, new RoomParticipant());

-updateRoomRequest.Participants.Add(communicationUser2, new RoomParticipant());

-updateRoomRequest.Participants.Add(communicationUser3, new RoomParticipant());

-Response<CommunicationRoom> updateRoomResponse = await roomsClient.UpdateRoomAsync(roomId, updateRoomRequest);

-CommunicationRoom updateCommunicationRoom = updateRoomResponse.Value;

-```

-Participants that have been added to a `room` become eligible to join calls.

-### Remove participants

-To remove a participant from a `room` and revoke their access, update the `Participants` list:

-```csharp

-var communicationUser1 = "<CommunicationUserId1>";

-var communicationUser2 = "<CommunicationUserId2>";

-var communicationUser3 = "<CommunicationUserId3>";

-UpdateRoomRequest updateRoomRequest = new UpdateRoomRequest()

-updateRoomRequest.Participants.Add(communicationUser1, null);

-updateRoomRequest.Participants.Add(communicationUser2, null);

-updateRoomRequest.Participants.Add(communicationUser3, null);

-Response<CommunicationRoom> updateRoomResponse = await roomsClient.UpdateRoomAsync(roomId, updateRoomRequest);

-CommunicationRoom updateCommunicationRoom = updateRoomResponse.Value;

-```

-### Join a room call

-To join a room call, set up your web application using the [Add voice calling to your client app](../voice-video-calling/getting-started-with-calling.md) guide. Once you have an initialized and authenticated `callAgent`, you may specify a context object with the `roomId` property as the `room` identifier. To join the call, use the `join` method and pass the context instance.

-```js

-const context = { roomId: '<RoomId>' }

-const call = callAgent.join(context);

-```

-### Delete room

-If you wish to disband an existing `room`, you may issue an explicit delete request. All `rooms` and their associated resources are automatically deleted at the end of their validity plus a grace period.

-```csharp

-Response deleteRoomResponse = await roomsClient.DeleteRoomAsync(roomId)

-```

-The Gremlin console is Groovy/Java based and runs on Linux, Mac, and Windows. You can download it from the [Apache TinkerPop site](https://tinkerpop.apache.org/downloads.html).

-You also need to install the [Gremlin Console](https://tinkerpop.apache.org/downloads.html). The **recommended version is v3.4.3** or earlier. (To use Gremlin Console on Windows, you need to install [Java Runtime](https://www.oracle.com/technetwork/java/javase/overview/https://docsupdatetracker.net/index.html), minimum requires Java 8 but it is preferable to use Java 11).

-| [Gremlin console](https://tinkerpop.apache.org/downloads.html) | [TinkerPop docs](https://tinkerpop.apache.org/docs/current/reference/#gremlin-console) | [Create Graph using Gremlin Console](create-graph-console.md) | 3.2.0 + |

-Next, you need to configure how the Azure Cosmos DB SDK will access your Azure Key Vault instance. This authentication is done through an Azure Active Directory (AD) identity. Most likely, you'll use the identity of an Azure AD application or a [managed identity](../active-directory/managed-identities-azure-resources/overview.md) as the proxy between your client code and your Azure Key Vault instance, although any kind of identity could be used. Use the following steps to use an Azure AD application as the proxy:

-1. Create a new application and add a client secret as described in [this quickstart](../active-directory/develop/quickstart-register-app.md).

-1. Go back to your Azure Key Vault instance, browse to the **Access policies** section, and add a new policy:

- 1. In **Select principal**, search for the AAD application you've created before.

-To use Always Encrypted, an instance of an `EncryptionKeyStoreProvider` must be attached to your Azure Cosmos DB SDK instance. This object is used to interact with the key store hosting your CMKs. The default key store provider for Azure Key Vault is named `AzureKeyVaultKeyStoreProvider`.

-The following snippets show how to use the identity of an Azure AD application with a client secret. You can find examples of creating different kinds of `TokenCredential` classes:

-> In .NET, you will need the additional [Microsoft.Data.Encryption.AzureKeyVaultProvider package](https://www.nuget.org/packages/Microsoft.Data.Encryption.AzureKeyVaultProvider) to access the `AzureKeyVaultKeyStoreProvider` class.

-var tokenCredential = new ClientSecretCredential(

- "<aad-app-tenant-id>", "<aad-app-client-id>", "<aad-app-secret>");

-var keyStoreProvider = new AzureKeyVaultKeyStoreProvider(tokenCredential);

-TokenCredential tokenCredential = new ClientSecretCredentialBuilder()

- .authorityHost("https://login.microsoftonline.com")

- .tenantId("<aad-app-tenant-id>")

- .clientId("<aad-app-client-id>")

- .clientSecret("<aad-app-secret>")

- DataEncryptionKeyAlgorithm.AEAD_AES_256_CBC_HMAC_SHA256,

- keyStoreProvider.ProviderName,

- EncryptionAlgorithm = DataEncryptionKeyAlgorithm.AEAD_AES_256_CBC_HMAC_SHA256.ToString()

- EncryptionAlgorithm = DataEncryptionKeyAlgorithm.AEAD_AES_256_CBC_HMAC_SHA256.ToString()

- keyStoreProvider.ProviderName,

-description: Learn about Azure Synapse Link for Azure Cosmos DB. Synapse Link lets you run near real-time analytics (HTAP) using Azure Synapse Analytics over operational data in Azure Cosmos DB.

-Azure Synapse Link for Azure Cosmos DB is a cloud-native hybrid transactional and analytical processing (HTAP) capability that enables you to run near real-time analytics over operational data in Azure Cosmos DB. Azure Synapse Link creates a tight seamless integration between Azure Cosmos DB and Azure Synapse Analytics.

-Using [Azure Cosmos DB analytical store](analytical-store-introduction.md), a fully isolated column store, Azure Synapse Link enables no Extract-Transform-Load (ETL) analytics in [Azure Synapse Analytics](../synapse-analytics/overview-what-is.md) against your operational data at scale. Business analysts, data engineers and data scientists can now use Synapse Spark or Synapse SQL interchangeably to run near real-time business intelligence, analytics, and machine learning pipelines. You can achieve this without impacting the performance of your transactional workloads on Azure Cosmos DB.

-Azure Synapse Link allows you to directly access Azure Cosmos DB analytical store using Azure Synapse Analytics without complex data movement. Any updates made to the operational data are visible in the analytical store in near real-time with no ETL or change feed jobs. You can run large scale analytics against analytical store, from Azure Synapse Analytics, without additional data transformation.

-You can now get rich insights on your operational data in near real-time, using Azure Synapse Link. ETL-based systems tend to have higher latency for analyzing your operational data, due to many layers needed to extract, transform and load the operational data. With native integration of Azure Cosmos DB analytical store with Azure Synapse Analytics, you can analyze operational data in near real-time enabling new business scenarios.

-With Azure Synapse Link, you can run analytical queries against an Azure Cosmos DB analytical store (a separate column store) while the transactional operations are processed using provisioned throughput for the transactional workload (a row-based transactional store). The analytical workload is served independent of the transactional workload traffic without consuming any of the throughput provisioned for your operational data.

-### Cost effective

-With Azure Synapse Link, you can get a cost-optimized, fully managed solution for operational analytics. It eliminates the extra layers of storage and compute required in traditional ETL pipelines for analyzing operational data.

-Azure Cosmos DB analytical store follows a consumption-based pricing model, which is based on data storage and analytical read/write operations and queries executed . It doesnΓÇÖt require you to provision any throughput, as you do today for the transactional workloads. Accessing your data with highly elastic compute engines from Azure Synapse Analytics makes the overall cost of running storage and compute very efficient.

-Synapse Link brings together Azure Cosmos DB analytical store with Azure Synapse analytics runtime support. This integration enables you to build cloud native HTAP (Hybrid transactional/analytical processing) solutions that generate insights based on real-time updates to your operational data over large datasets. It unlocks new business scenarios to raise alerts based on live trends, build near real-time dashboards, and business experiences based on user behavior.

-Azure Cosmos DB analytical store is a column-oriented representation of your operational data in Azure Cosmos DB. This analytical store is suitable for fast, cost effective queries on large operational data sets, without copying data and impacting the performance of your transactional workloads.

-Analytical store automatically picks up high frequency inserts, updates, deletes in your transactional workloads in near real time, as a fully managed capability (ΓÇ£auto-syncΓÇ¥) of Azure Cosmos DB. No change feed or ETL is required.

-* A BI engineer who wants to model and publish a Power BI report to access the live operational data in Azure Cosmos DB directly through Synapse SQL.

-* A data analyst who wants to derive insights from the operational data in an Azure Cosmos DB container by querying it with Synapse SQL, read the data at scale and combine those findings with other data sources.

-* A data scientist who wants to use Synapse Spark to find a feature to improve their model and train that model without doing complex data engineering. They can also write the results of the model post inference into Azure Cosmos DB for real-time scoring on the data through Spark Synapse.

-* A data engineer who wants to make data accessible for consumers, by creating SQL or Spark tables over Azure Cosmos DB containers without manual ETL processes.

-* If you are an Azure Cosmos DB customer and you want to run analytics, BI, and machine learning over your operational data. In such cases, Synapse Link provides a more integrated analytics experience without impacting your transactional storeΓÇÖs provisioned throughput. For example:

- * If you are running analytics or BI on your Azure Cosmos DB operational data directly using separate connectors today, or

- * If you are running ETL processes to extract operational data into a separate analytics system.

-Synapse Link is not recommended if you are looking for traditional data warehouse requirements such as high concurrency, workload management, and persistence of aggregates across multiple data sources. For more information, see [common scenarios that can be powered with Azure Synapse Link for Azure Cosmos DB](synapse-link-use-cases.md).

-* Azure Synapse Link for Azure Cosmos DB is supported for SQL API and Azure Cosmos DB API for MongoDB. It is not supported for Gremlin API, Cassandra API, and Table API.

-* Accessing the Azure Cosmos DB analytics store with Azure Synapse Dedicated SQL Pool currently is not supported.

-* Enabling Synapse Link on existing Cosmos DB containers is only supported for SQL API acconts. Synapse Link can be enabled on new containers for both SQL API and MongoDB API accounts.

-* Backup and restore of your data in analytical store is not supported at this time. You can recreate your analytical store data in some scenarios as below:

- * Azure Synapse Link and periodic backup mode can coexist in the same database account. In this mode, your transactional store data will be automatically backed up. However, analytical store data is not included in backups and restores. If you use `transactional TTL` equal or bigger than your `analytical TTL` on your container, you can

- * Synapse Link and continuous backup mode (point=in-time restore) coexistence in the same database account is not supported. If you enable continuous backup mode, you can't

-* RBAC is not supported when querying using Synapse SQL serverless pools.

-* Checkout the learn module on how to [Design hybrid transactional and analytical processing using Azure Synapse Analytics](/learn/modules/design-hybrid-transactional-analytical-processing-using-azure-synapse-analytics/)

-Management groups are only supported if they contain up to 3,000 Enterprise Agreement (EA), Pay-as-you-go (PAYG), or Microsoft internal subscriptions. Management groups with more than 3,000 subscriptions or subscriptions with other offer types, like Microsoft Customer Agreement or Azure Active Directory subscriptions, can't view costs. If you have a mix of subscriptions, move the unsupported subscriptions to a separate arm of the management group hierarchy to enable Cost Management for the supported subscriptions. As an example, create two management groups under the root management group: **Azure AD** and **My Org**. Move your Azure AD subscription to the **Azure AD** management group and then view and manage costs using the **My Org** management group.

-description: 'Learn about how to enable session log in copy activity in Azure Data Factory.'

-# Session log in copy activity

-You can log your copied file names in copy activity, which can help you to further ensure the data is not only successfully copied from source to destination store, but also consistent between source and destination store by reviewing the copied files in copy activity session logs.

-When you enable fault tolerance setting in copy activity to skip faulty data, the skipped files and skipped rows can also be logged. You can get more details from [fault tolerance in copy activity](copy-activity-fault-tolerance.md).

-Given you have the opportunity to get all the file names copied by ADF copy activity via enabling session log, it will be helpful for you in the following scenarios:

-## Configuration

-enableCopyActivityLog | When set it to true, you will have the opportunity to log copied files, skipped files or skipped rows. | True<br/>False (default) | No

-enableReliableLogging | When it is true, copy activity in reliable mode will flush logs immediately once each file is copied to the destination. When you are copying huge amounts of files with reliable logging mode enabled in copy activity, you should expect the copy throughput would be impacted, since double write operations are required for each file copying. One request is to the destination store and another request is to the log storage store. Copy activity in best effort mode will flush logs with batch of records within a period of time, where the copy throughput will be much less impacted. The completeness and timeliness of logging is not guaranteed in this mode since there are a few possibilities that the last batch of log events has not been flushed to the log file when copy activity failed. At this moment, you will see a few files copied to the destination are not logged. | True<br/>False (default) | No

-path | The path of the log files. | Specify the path that you want to store the log files. If you do not provide a path, the service creates a container for you. | No

-### Output from copy activity

-After the copy activity runs completely, you can see the path of log files from the output of each copy activity run. You can find the log files from the path: `https://[your-blob-account].blob.core.windows.net/[logFilePath]/copyactivity-logs/[copy-activity-name]/[copy-activity-run-id]/[auto-generated-GUID].txt`. The log files generated have the .txt extension and their data is in CSV format.

-The following is the schema of a log file.

-OperationName | ADF copy activity operational behavior on each object. It can be 'FileRead',' FileWrite', 'FileSkip', or 'TabularRowSkip'.

-The following is an example of a log file.

-From the log file above, you can see sample1.csv has been skipped because it failed to be verified to be consistent between source and destination store. You can get more details about why sample1.csv becomes inconsistent is because it was being changed by other applications when ADF copy activity is copying at the same time. You can also see sample2.csv has been successfully copied from source to destination store.

-* [Managed identity for Data Factory](./data-factory-service-identity.md)

-A private endpoint requires a virtual network and subnet for the link, and a virtual machine within the subnet, which will be used to run the Self-Hosted Integration Runtime (SHIR), connecting via the private endpoint link.

-1. In **Help + support**, select **New support request**.

-> Protected resources include public IPs attached to an IaaS VM, Load Balancer (Classic & Standard Load Balancers), Application Gateway (including WAF) cluster, Firewall, Bastion, VPN Gateway, Service Fabric or an IaaS based Network Virtual Appliance (NVA). PaaS services (multitenant) are not supported at present. This includes Azure App Service Environment for PowerApps or API management in a virtual network with a public IP.

-> Azure App Service Environment for PowerApps or API management in a virtual network with a public IP are both not natively supported.

-|**Suspicious request to Kubernetes API**<br>(VM_KubernetesAPI)|Machine logs indicate that a suspicious request was made to the Kubernetes API. The request was sent from a Kubernetes node, possibly from one of the containers running in the node. Although this behavior can be intentional, it might indicate that the node is running a compromised container.|Execution|Medium|

-|**Suspicious request to the Kubernetes Dashboard**<br>(VM_KubernetesDashboard) | Machine logs indicate that a suspicious request was made to the Kubernetes Dashboard. The request was sent from a Kubernetes node, possibly from one of the containers running in the node. Although this behavior can be intentional, it might indicate that the node is running a compromised container. | Lateral movement | Medium |

-| **Suspicious request to Kubernetes API (Preview)**<br>(K8S.NODE_KubernetesAPI) | Analysis of processes running within a container indicates that a suspicious request was made to the Kubernetes API. The request was sent from a container in the cluster. Although this behavior can be intentional, it might indicate that a compromised container is running in the cluster. | Execution | Medium |

-| **Action** | [Security Reader](../role-based-access-control/built-in-roles.md#security-reader) / <br> [Reader](../role-based-access-control/built-in-roles.md#reader) | [Security Admin](../role-based-access-control/built-in-roles.md#security-admin) | [Contributor](../role-based-access-control/built-in-roles.md#contributor) / [Owner](../role-based-access-control/built-in-roles.md#owner)| [Contributor](../role-based-access-control/built-in-roles.md#contributor)| [Owner](../role-based-access-control/built-in-roles.md#owner)|

-|:-|:--:|:--:|::|::|::|

-||||**(Resource group level)**|**(Subscription level)**|**(Subscription level)**|

-| Add/assign initiatives (including) regulatory compliance standards) | - | - | - | - | Γ£ö |

-| Edit security policy | - | Γ£ö | - | - | Γ£ö |

-| Enable / disable Microsoft Defender plans | - | Γ£ö | - | - | Γ£ö |

-| Dismiss alerts | - | Γ£ö | - | Γ£ö | Γ£ö |

-| Apply security recommendations for a resource</br> (and use [Fix](implement-security-recommendations.md#fix-button)) | - | - | Γ£ö | Γ£ö | Γ£ö |

-| View alerts and recommendations | Γ£ö | Γ£ö | Γ£ö | Γ£ö | Γ£ö |

-||||||

-description: Learn how to deploy nested Azure Resource Manager templates to provide environments with Azure DevTest Labs.

-# Deploy nested Azure Resource Manager templates for testing environments

-A nested deployment allows you to execute other Azure Resource Manager templates from within a main Resource Manager template. You can decompose your deployment into a set of targeted and purpose-specific templates. A nested deployment provides testing, reuse, and readability benefits. The article [Using linked templates when deploying Azure resources](../azure-resource-manager/templates/linked-templates.md) provides a good overview of this solution with several code samples. This article provides an example that's specific to Azure DevTest Labs.

-## Key parameters

-While you can create your own Resource Manager template from scratch, we recommend that you use the [Azure Resource Group project](../azure-resource-manager/templates/create-visual-studio-deployment-project.md) in Visual Studio. This project makes it easy to develop and debug templates. When you add a nested deployment resource to azuredeploy.json, Visual Studio adds several items to make the template more flexible. These items include:

-If you aren't familiar with how DevTest Labs works with environments, see [Create multi-VM environments and PaaS resources with Azure Resource Manager templates](devtest-lab-create-environment-from-arm.md). Your templates are stored in the repository linked to the lab in DevTest Labs. When you create a new environment with those templates, the files move into an Azure Storage container in the lab. To locate and copy the nested files, DevTest Labs identifies the _artifactsLocation and _artifactsLocationSasToken parameters, and copies the subfolders up to the storage container. Then, DevTest Labs automatically inserts the location and Shared Access Signature (SaS) token into parameters.

-Here's a simple example of a nested deployment:

-The folder in the repository containing this template has a subfolder `nestedtemplates` with the files **NestOne.json** and **NestOne.parameters.json**. In the **azuredeploy.json**, URI for the template is built using the artifacts location, nested template folder, nested template file name. Similarly, URI for the parameters is built using the artifacts location, nested template folder, and parameter file for the nested template.

-Here's the image of the same project structure in Visual Studio:

-

-You can add more folders in the primary folder, but not any deeper than a single level.

-See the following articles for details about environments:

-description: Add owners and users in Azure DevTest Labs using either the Azure portal or PowerShell

-# Add owners and users in Azure DevTest Labs

-Access in Azure DevTest Labs is controlled by [Azure role-based access control (Azure RBAC)](../role-based-access-control/overview.md). Using Azure RBAC, you can segregate duties within your team into *roles* where you grant only the amount of access necessary to users to perform their jobs. Three of these Azure roles are *Owner*, *DevTest Labs User*, and *Contributor*. In this article, you learn what actions can be performed in each of the three main Azure roles. From there, you learn how to add users to a lab - both via the portal and via a PowerShell script, and how to add users at the subscription level.

-## Actions that can be performed in each role

-There are three main roles that you can assign a user:

-* Owner

-* DevTest Labs User

-* Contributor

-The following table illustrates the actions that can be performed by users in each of these roles:

-| **Actions users in this role can perform** | **DevTest Labs User** | **Owner** | **Contributor** |

-| | | | |

-| **Lab tasks** | | | |

-| Add users to a lab |No |Yes |No |

-| Update cost settings |No |Yes |Yes |

-| **VM base tasks** | | | |

-| Add and remove custom images |No |Yes |Yes |

-| Add, update, and delete formulas |Yes |Yes |Yes |

-| Enable Marketplace images |No |Yes |Yes |

-| **VM tasks** | | | |

-| Create VMs |Yes |Yes |Yes |

-| Start, stop, and delete VMs |Only VMs created by the user |Yes |Yes |

-| Update VM policies |No |Yes |Yes |

-| Add/remove data disks to/from VMs |Only VMs created by the user |Yes |Yes |

-| **Artifact tasks** | | | |

-| Add and remove artifact repositories |No |Yes |Yes |

-| Apply artifacts |Yes |Yes |Yes |

-> [!NOTE]

-> When a user creates a VM, that user is automatically assigned to the **Owner** role of the created VM.

->

->

-## Add an owner or user at the lab level

-Owners and users can be added at the lab level via the Azure portal.

-A user can be an external user with a valid [Microsoft account (MSA)](./devtest-lab-faq.yml).

-The following steps guide you through the process of adding an owner or user to a lab in Azure DevTest Labs:

-1. Sign in to the [Azure portal](https://portal.azure.com) as [User Access Administrator](../role-based-access-control/built-in-roles.md#user-access-administrator) or [Owner](../role-based-access-control/built-in-roles.md#owner).

-1. Open the desired resource group and select **DevTest Labs**.

-1. In the navigation menu, select **Access control (IAM)**.

-1. Select **Add** > **Add role assignment**.

- 

-1. On the **Role** tab, select the **OWNER** or **USER** role.

- 

-1. On the **Members** tab, select the user you want to give the desired role to.

-1. On the **Review + assign** tab, select **Review + assign** to assign the role.

-## Add an external user to a lab using PowerShell

-In addition to adding users in the Azure portal, you can add an external user to your lab using a PowerShell script.

-In the following example, modify the parameter values under the **Values to change** comment.

-You can retrieve the `subscriptionId`, `labResourceGroup`, and `labName` values from the lab blade in the Azure portal.

-> The sample script assumes that the specified user has been added as a guest to the Active Directory, and will fail if that is not the case. To add a user not in the Active Directory to a lab, use the Azure portal to assign the user to a role as illustrated in the section, [Add an owner or user at the lab level](#add-an-owner-or-user-at-the-lab-level).

->

->

-```azurepowershell

-# Add an external user in DevTest Labs user role to a lab

-# Ensure that guest users can be added to the Azure Active directory:

-# https://azure.microsoft.com/documentation/articles/active-directory-create-users/#set-guest-user-access-policies

-# Values to change

-$subscriptionId = "<Enter Azure subscription ID here>"

-$labResourceGroup = "<Enter lab's resource name here>"

-$labName = "<Enter lab name here>"

-$userDisplayName = "<Enter user's display name here>"

-# Log into your Azure account

-Connect-AzAccount

-# Select the Azure subscription that contains the lab.

-# This step is optional if you have only one subscription.

-Select-AzSubscription -SubscriptionId $subscriptionId

-# Retrieve the user object

-$adObject = Get-AzADUser -SearchString $userDisplayName

-# Create the role assignment.

-$labId = ('subscriptions/' + $subscriptionId + '/resourceGroups/' + $labResourceGroup + '/providers/Microsoft.DevTestLab/labs/' + $labName)

-New-AzRoleAssignment -ObjectId $adObject.Id -RoleDefinitionName 'DevTest Labs User' -Scope $labId

-```

-## Add an owner or user at the subscription level

-Azure permissions are propagated from parent scope to child scope in Azure. Therefore, owners of an Azure subscription that contains labs are automatically owners of those labs. They also own the VMs and other resources created by the lab's users, and the Azure DevTest Labs service.

-You can add additional owners to a lab via the lab's blade in the [Azure portal](https://go.microsoft.com/fwlink/p/?LinkID=525040).

-However, the added owner's scope of administration is more narrow than the subscription owner's scope.

-For example, the added owners do not have full access to some of the resources that are created in the subscription by the DevTest Labs service.

-To add an owner to an Azure subscription, follow these steps:

-1. Sign in to the [Azure portal](https://portal.azure.com) as [User Access Administrator](../role-based-access-control/built-in-roles.md#user-access-administrator) or [Owner](../role-based-access-control/built-in-roles.md#owner).

-1. Open the desired Subscription group.

-1. In the navigation menu, select **Access control (IAM)**.

-1. Select **Add** > **Add role assignment**.

- 

-1. On the **Role** tab, select the **OWNER** role.

- 

-1. On the **Members** tab, select the user you want to give the owner role to.

-1. On the **Review + assign** tab, select **Review + assign** to assign the role.

-Using Azure Firewall Manager, you can create secured virtual hubs to secure your cloud network traffic destined to private IP addresses, Azure PaaS, and the Internet. Traffic routing to the firewall is automated, so there's no need to create user defined routes (UDRs).

-3. Under **Subnet name**, select **default**.

-4. For **Subnet name**, type **Workload-01-SN**.

-5. For **Subnet address range**, type **10.0.1.0/24**.

-6. Select **Save**.

-2. Select **Create**.

-3. On the **Firewall Manager** page, select **View secured virtual hubs**.

-4. On the **Firewall Manager | Secured virtual hubs** page, select **Create new secured virtual hub**.

-3. For the new vWAN name, type **Vwan-01**.

-6. Accept the default **Azure Firewall** **Enabled** setting and then select **Next: Trusted Security Partner**.

-7. Accept the default **Trusted Security Partner** **Disabled** setting, and select **Next: Review + create**.

-8. Select **Create**.

-2. Select **Windows Server 2016 Datacenter** in the **Popular** list.

-1. From Firewall Manager, select **View Azure Firewall policies**.

-1. Select **Next: TLS Inspection (preview)**.

-1. Select **Manage associations/Associate hubs**.

-When you are done testing your firewall resources, delete the **fw-manager-rg** resource group to delete all firewall-related resources.

-Commands are run in Azure PowerShell to enable the features. For the feature to immediately take effect, an operation needs to be run on the firewall. This can be a rule change (least intrusive), a setting change, or a stop/start operation. Otherwise, the firewall/s is updated with the feature within several days.

-description: You can integrate Azure Firewall with NAT Gateway to increase SNAT ports.

-# Scale SNAT ports with Azure NAT Gateway

-A better option to scale outbound SNAT ports is to use [NAT gateway resource](../virtual-network/nat-gateway/nat-overview.md). It provides 64,000 SNAT ports per public IP address and supports up to 16 public IP addresses, effectively providing up to 1,024,000 outbound SNAT ports.

-When a NAT gateway resource is associated with an Azure Firewall subnet, all outbound Internet traffic automatically uses the public IP address of the NAT gateway. There is no need to configure [User Defined Routes](../virtual-network/tutorial-create-route-table-portal.md). Response traffic uses the Azure Firewall public IP address to maintain flow symmetry. If there are multiple IP addresses associated with the NAT gateway the IP address is randomly selected. It isn't possible to specify what address to use.

-There is no double NAT with this architecture. Azure Firewall instances send the traffic to NAT gateway using their private IP address rather than Azure Firewall public IP address.

-> Using Azure NAT Gateway is currently incompatible with Azure Firewall if you have deployed your [Azure Firewall across multiple availability zones](deploy-availability-zone-powershell.md).

-## Associate NAT gateway with Azure Firewall subnet - Azure PowerShell

-## Associate NAT gateway with Azure Firewall subnet - Azure CLI

-* Accelerated application performance by using **[split TCP](front-door-routing-architecture.md#splittcp)**-based **[anycast protocol](front-door-routing-architecture.md#anycast)**.

-When Azure Front Door receives your client requests, it will do one of two things. Either answer them if you enable caching or forward them to the appropriate application backend as a reverse proxy.

-## <a name = "anycast"></a>Selecting the Front Door environment for traffic routing (Anycast)

-Traffic routed to the Azure Front Door environments uses [Anycast](https://en.wikipedia.org/wiki/Anycast) for both DNS (Domain Name System) and HTTP (Hypertext Transfer Protocol) traffic, which allows for user requests to reach the closest environment in the fewest network hops. This architecture offers better round-trip times for end users by maximizing the benefits of Split TCP. Front Door organizes its environments into primary and fallback "rings". The outer ring has environments that are closer to users, offering lower latencies. The inner ring has environments that can handle the failover for the outer ring environment in case any issues happen. The outer ring is the preferred target for all traffic and the inner ring is to handle traffic overflow from the outer ring. Each frontend host or domain served by Front Door gets assigned a primary VIP (Virtual Internet Protocol addresses), which gets announced by environments in both the inner and outer ring. A fallback VIP is only announced by environments in the inner ring.

-This architecture ensures that requests from your end users always reach the closest Front Door environment. If the preferred Front Door environment is unhealthy, all traffic automatically moves to the next closest environment.

-## <a name = "splittcp"></a>Connecting to Front Door environment (Split TCP)

-[Split TCP](https://en.wikipedia.org/wiki/Performance-enhancing_proxy) is a technique to reduce latencies and TCP problems by breaking a connection that would incur a high round-trip time into smaller pieces. With Front Door environments closer to end users, TCP connections terminates inside the Front Door environment. A TCP connection that has a large round-trip time (RTT) to the application backend gets split into two separate connections. The "short connection" between the end user and the Front Door environment means the connection gets established over three short roundtrips instead of three long round trips, which results in saving latency. The "long connection" between the Front Door environment and the backend can be pre-established and then reused across other end users requests save connectivity time. The effect of Split TCP is multiplied when establishing a SSL/TLS (Transport Layer Security) connection as there are more round trips to secure a connection.

-## Processing request to match a routing rule

-After establishing a connection and completing a TLS handshake, the first step after a request lands on a Front Door environment is to match it to routing rule. The matching is determined by configurations on Front Door to which particular routing rule to match the request to. Read about how Front Door does [route matching](front-door-route-matching.md) to learn more.

-## Identifying available backends in the backend pool for the routing rule

-Once Front Door has matched a routing rule for an incoming request, the next step is to get health probe status for the backend pool associated with the routing rule if there's no caching. Read about how Front Door monitors backend health using [Health Probes](front-door-health-probes.md) to learn more.

-## Forwarding the request to your application backend

-Finally, assuming caching isn't configured, the user request is forwarded to the "best" backend based on your [routing method](front-door-routing-methods.md) configuration.

-Azure Front Door supports different kinds of traffic-routing methods to determine how to route your HTTP/HTTPS traffic to different service endpoints. When your client requests reaching Front Door, the configured routing method gets applied to ensure the requests are forwarded to the best backend instance.

-Once Azure Front Door Standard/Premium has matched to a single routing rule, it then needs to choose how to process the request. If Azure Front Door Standard/Premium has a cached response available for the matched routing rule, then the request gets served back to the client. The next thing Azure Front Door Standard/Premium evaluates is whether or not you have a Rule Set for the matched routing rule. If there isn't a Rule Set defined, then the request gets forwarded to the backend pool as is. Otherwise, the Rule Set gets executed in the order as they're configured.

-Azure Front Door Standard/Premium is a fast, reliable, and secure modern cloud CDN that uses the Microsoft global edge network and integrates with intelligent threat protection. It combines the capabilities of Azure Front Door, Azure Content Delivery Network (CDN) standard, and Azure Web Application Firewall (WAF) into a single secure cloud CDN platform.

-Azure Front Door Standard/Premium works at Layer 7 (HTTP/HTTPS layer) using anycast protocol with split TCP and Microsoft's global network to improve global connectivity. Based on your customized routing method using rules set, you can ensure that Azure Front Door will route your client requests to the fastest and most available origin. An application origin is any Internet-facing service hosted inside or outside of Azure. Azure Front Door Standard/Premium provides a range of traffic-routing methods and origin health monitoring options to suit different application needs and automatic failover scenarios. Similar to Traffic Manager, Front Door is resilient to failures, including failures to an entire Azure region.

-Azure Front Door also protects your app at the edges with integrated Web Application Firewall protection, Bot Protection, and built-in layer 3/layer 4 distributed denial of service (DDoS) protection. It also secures your private back-ends with private link service. Azure Front Door gives you Microsoft’s best-in-practice security at global scale. 

-Azure Front Door Standard/Premium provides a single unified platform which caters to both dynamic and static acceleration with built in turnkey security integration, and a simple and predictable pricing model. Front Door also enables you to define, manage, and monitor the global routing for your app.

-In the previous tutorial, you deployed and set up your Azure API for FHIR. Now that you have your Azure API for FHIR setup, we will register a public client application. You can read through the full [register a public client app](register-public-azure-ad-client-app.md) how-to guide for more details or troubleshooting, but we have called out the major steps for this tutorial below.

-Once your client application is registered, copy the Application (client) ID and the Tenant ID from the Overview Page. You will need these two values later when accessing the client.

-If you have [written your web app](tutorial-web-app-write-web-app.md) to connect with the Azure API for FHIR, you also need to set the correct authentication options.

-1. Set up the redirect URI in preparation for when you create your web application in the fourth part of this tutorial. To do this, add `https://\<WEB-APP-NAME>.azurewebsites.net` to the redirect URI list. If you choose a different name during the step where you [write your web app](tutorial-web-app-write-web-app.md), you will need to come back and update this.

-Now that you have setup the correct authentication, set the API permissions:

-1. Select **API permissions** and click **Add a permission**.

-1. Select **user_impersonation** and click **add permissions**.

-You now have a public client application. In the next tutorial, we will walk through testing and gaining access to this application through Postman.

-Now that you are able to connect to your FHIR server and POST data, you are ready to write a web application that will read FHIR data. In this final step of the tutorial, we will walk through writing and accessing the web application.

-Once the web application is available, **Go to resource**. Select **App Service Editor (Preview)** under Development Tools on the right and then select **Go**. Selecting Go will open up the App Service Editor. Right click in the grey space under *Explore* and create a new file called **https://docsupdatetracker.net/index.html**.

-Below is the code that you can input into **https://docsupdatetracker.net/index.html**. You will need to update the following items:

-From here, you can go back to your web application resource and open the URL found on the Overview page. Log in to see the patient James Tiberious Kirk that you previously created.

-You have successfully deployed the Azure API for FHIR, registered a public client application, tested access, and created a small web application. Check out the Azure API for FHIR supported features as a next step.

-Authentication is based on OAuth2. But because SMART on FHIR uses parameter naming conventions that are not immediately compatible with Azure Active Directory (Azure AD), the Azure API for FHIR has a built-in Azure AD SMART on FHIR proxy that enables a subset of the SMART on FHIR launch sequences. Specifically, the proxy enables the [EHR launch sequence](https://hl7.org/fhir/smart-app-launch/#ehr-launch-sequence).

-You will also need a client application registration. Most SMART on FHIR applications are single-page JavaScript applications. So you should follow the instructions for configuring a [public client application in Azure AD](register-public-azure-ad-client-app.md).

-If you do have administrative privileges, complete the following steps to grant admin consent to yourself directly. (You also can grant admin consent to yourself later when you are prompted in the app.) You can complete the same steps to add other users as owners, so they can view and edit this app registration.

-This request will create the new resource you are specifying in the request payload and validate the uploaded resource. Then, it will return an `OperationOutcome` as a result of the validation on the new resource.

-> This is set up to only follow `seealso` links one **layer deep**. It doesn't process a `seealso` link's `seealso` links.

-az keyvault set-policy --name <YourKeyVaultName> --upn user@domain.com --certificate-permissions delete get list create

-```

-#### Set environment variables

-This application is using key vault name as an environment variable called `KEY_VAULT_NAME`.

-Windows

-```cmd

-set KEY_VAULT_NAME=<your-key-vault-name>

-````

-Windows PowerShell

-```powershell

-$Env:KEY_VAULT_NAME="<your-key-vault-name>"

-```

-macOS or Linux

-```cmd

-export KEY_VAULT_NAME=<your-key-vault-name>

-az group delete --resource-group KeyVault-PythonQS-rg

-Purge protection is an optional Key Vault behavior and is **not enabled by default**. Purge protection can only be enabled once soft-delete is enabled. It can be turned on via [CLI](./key-vault-recovery.md?tabs=azure-cli) or [PowerShell](./key-vault-recovery.md?tabs=azure-powershell).

-az keyvault set-policy --name <YourKeyVaultName> --upn user@domain.com --secret-permissions delete get list set

-```

-#### Set environment variables

-This application is using key vault name as an environment variable called `KEY_VAULT_NAME`.

-Windows

-```cmd

-set KEY_VAULT_NAME=<your-key-vault-name>

-````

-Windows PowerShell

-```powershell

-$Env:KEY_VAULT_NAME="<your-key-vault-name>"

-```

-macOS or Linux

-```cmd

-export KEY_VAULT_NAME=<your-key-vault-name>

-az group delete --resource-group KeyVault-PythonQS-rg

-[Azure Key Vault](../general/overview.md) is a cloud service that provides a secure store for secrets, such as keys, passwords, certificates, and other secrets. This quickstart focuses on the process of deploying an Azure Resource Manager template (ARM template) to create a key vault and a key.

- 1. Write down the object ID. You need it in the next section of this quickstart.

-|**keyOps** | Specifies operations that can be performed by using the key. If you do not specify this parameter, all operations can be performed. The acceptable values for this parameter are a comma-separated list of key operations as defined by the [JSON Web Key (JWK) specification](https://tools.ietf.org/html/draft-ietf-jose-json-web-key-41): <br> `["sign", "verify", "encrypt", "decrypt", " wrapKey", "unwrapKey"]` |

-|**CurveName** | Elliptic curve name for EC key type. See [JsonWebKeyCurveName](/rest/api/keyvault/createkey/createkey#jsonwebkeycurvename) |

-|**Tags** | Application specific metadata in the form of key-value pairs. |

-|**nbf** | Specifies the time, as a DateTime object, before which the key cannot be used. The format would be Unix time stamp (the number of seconds after Unix Epoch on January 1st, 1970 at UTC). |

-You can either use the Azure portal to check the key vault and the key, or use the following Azure CLI or Azure PowerShell script to list the key created.

-In this quickstart, you created a key vault and a key using an ARM template, and validated the deployment. To learn more about Key Vault and Azure Resource Manager, continue on to the articles below.

-Get started with the Azure Key Vault secret client library for Python. Follow the steps below to install the package and try out example code for basic tasks. By using Key Vault to store secrets, you avoid storing secrets in your code, which increases the security of your app.

-This quickstart assumes you are running [Azure CLI](/cli/azure/install-azure-cli) in a Linux terminal window.

-az keyvault set-policy --name <YourKeyVaultName> --upn user@domain.com --secret-permissions delete get list set

-In the example below, the name of your key vault is expanded using the value of the "KVUri" variable, in the format: "https://\<your-key-vault-name\>.vault.azure.net". This example is using ['DefaultAzureCredential()'](/python/api/azure-identity/azure.identity.defaultazurecredential) class, which allows to use the same code across different environments with different options to provide identity. For more information, see [Default Azure Credential Authentication](/python/api/overview/azure/identity-readme).

-az group delete --resource-group KeyVault-PythonQS-rg

-When you define an Azure Load Balancer, a frontend and a backend pool configuration are connected with rules. The health probe referenced by the rule is used to determine how new flows are sent to a node in the backend pool. The frontend (aka VIP) is defined by a 3-tuple comprised of an IP address (public or internal), a transport protocol (UDP or TCP), and a port number from the load balancing rule. The backend pool is a collection of Virtual Machine IP configurations (part of the NIC resource) which reference the Load Balancer backend pool.

-* Multiple frontend configurations are only supported with IaaS VMs.

-description: Use the available metrics, alerts, and resource health information to diagnose your Azure Standard Load Balancer.

-# Standard Load Balancer diagnostics with metrics, alerts and resource health

-Azure Standard Load Balancer exposes the following diagnostic capabilities:

-* **Resource health**: The Resource Health status of your Load Balancer is available in the Resource Health page under Monitor. This automatic check informs you of the current availability of your Load Balancer resource.

-This article provides a quick tour of these capabilities, and it offers ways to use them for Standard Load Balancer.

-The various Standard Load Balancer configurations provide the following metrics:

-| Data path availability | Public and internal load balancer | Standard Load Balancer continuously exercises the data path from within a region to the load balancer front end, all the way to the SDN stack that supports your VM. As long as healthy instances remain, the measurement follows the same path as your application's load-balanced traffic. The data path that your customers use is also validated. The measurement is invisible to your application and does not interfere with other operations.| Average |

-| Health probe status | Public and internal load balancer | Standard Load Balancer uses a distributed health-probing service that monitors your application endpoint's health according to your configuration settings. This metric provides an aggregate or per-endpoint filtered view of each instance endpoint in the load balancer pool. You can see how Load Balancer views the health of your application, as indicated by your health probe configuration. | Average |

-| SYN (synchronize) count | Public and internal load balancer | Standard Load Balancer does not terminate Transmission Control Protocol (TCP) connections or interact with TCP or UDP packet flows. Flows and their handshakes are always between the source and the VM instance. To better troubleshoot your TCP protocol scenarios, you can make use of SYN packets counters to understand how many TCP connection attempts are made. The metric reports the number of TCP SYN packets that were received.| Sum |

-| SNAT connection count | Public load balancer |Standard Load Balancer reports the number of outbound flows that are masqueraded to the Public IP address front end. Source network address translation (SNAT) ports are an exhaustible resource. This metric can give an indication of how heavily your application is relying on SNAT for outbound originated flows. Counters for successful and failed outbound SNAT flows are reported and can be used to troubleshoot and understand the health of your outbound flows.| Sum |

-| Allocated SNAT ports | Public load balancer | Standard Load Balancer reports the number of SNAT ports allocated per backend instance | Average. |

-| Used SNAT ports | Public load balancer | Standard Load Balancer reports the number of SNAT ports that are utilized per backend instance. | Average |

-| Byte count | Public and internal load balancer | Standard Load Balancer reports the data processed per front end. You may notice that the bytes are not distributed equally across the backend instances. This is expected as Azure's Load Balancer algorithm is based on flows | Sum |

-| Packet count | Public and internal load balancer | Standard Load Balancer reports the packets processed per front end.| Sum |

- >When using distributing traffic from an internal load balancer through an NVA or firewall Syn Packet, Byte Count, and Packet Count metrics are not be available and will show as zero.

-

- >[!NOTE]

- >Max and min aggregations are not available for the SYN count, packet count, SNAT connection count, and byte count metrics

-

-The Azure portal exposes the load balancer metrics via the Metrics page, which is available on both the load balancer resource page for a particular resource and the Azure Monitor page.

-To view the metrics for your Standard Load Balancer resources:

-1. Go to the Metrics page and do either of the following:

- * On the load balancer resource page, select the metric type in the drop-down list.

- >Time aggregation is important when interpreting certain metrics as data is sampled once per minute. If time aggregation is set to five minutes and metric aggregation type Sum is used for metrics such as SNAT Allocation, your graph will display five times the total allocated SNAT ports.

-

-*Figure: Data Path Availability metric for Standard Load Balancer*

-For API guidance for retrieving multi-dimensional metric definitions and values, see [Azure Monitoring REST API walkthrough](../azure-monitor/essentials/rest-api-walkthrough.md#retrieve-metric-definitions). These metrics can be written to a storage account by adding a [Diagnostic Setting](../azure-monitor/essentials/diagnostic-settings.md) for the 'All Metrics' category.

-#### Is the data path up and available for my Load Balancer Frontend?

-The data path availability metric describes the health of the data path within the region to the compute host where your VMs are located. The metric is a reflection of the health of the Azure infrastructure. You can use the metric to:

-To get the Data Path Availability for your Standard Load Balancer resources:

-4. Additionally, add a filter on the Frontend IP address or Frontend port as the dimension with the required front-end IP address or front-end port, and then group them by the selected dimension.

-

-*Figure: Load Balancer Frontend probing details*

-A packet matching your deployment's front end and rule is generated periodically. It traverses the region from the source to the host where a VM in the back-end pool is located. The load balancer infrastructure performs the same load balancing and translation operations as it does for all other traffic. This probe is in-band on your load-balanced endpoint. After the probe arrives on the compute host, where a healthy VM in the back-end pool is located, the compute host generates a response to the probing service. Your VM does not see this traffic.

-Datapath availability fails for the following reasons:

-For diagnostic purposes, you can use the [Data Path Availability metric together with the health probe status](#vipavailabilityandhealthprobes).

-#### Are the Backend Instances for my Load Balancer responding to probes?

-To get the health probe status for your Standard Load Balancer resources:

-2. Apply a filter on the required Frontend IP address or port (or both).

-

-*Figure: Load Balancer SNAT connection count*

-</details>

-The Used SNAT Ports metric tracks how many SNAT ports are being consumed to maintain outbound flows. This indicates how many unique flows are established between an internet source and a backend VM or virtual machine scale set that is behind a load balancer and does not have a public IP address. By comparing the number of SNAT ports you are using with the Allocated SNAT Ports metric, you can determine if your service is experiencing or at risk of SNAT exhaustion and resulting outbound flow failure.

-1. Select **Used SNAT Ports** and/or **Allocated SNAT Ports** as the metric type and **Average** as the aggregation

- * By default these metrics are the average number of SNAT ports allocated to or used by each backend VM or virtual machine scale set, corresponding to all frontend public IPs mapped to the Load Balancer, aggregated over TCP and UDP.

- * To view total SNAT ports used by or allocated for the load balancer use metric aggregation **Sum**

-1. Filter to a specific **Protocol Type**, a set of **Backend IPs**, and/or **Frontend IPs**.

-1. To monitor health per backend or frontend instance, apply splitting.

-1. For example, to monitor SNAT usage for TCP flows per machine, aggregate by **Average**, split by **Backend IPs** and filter by **Protocol Type**.

-

-

-A SYN packets metric describes the volume of TCP SYN packets, which have arrived or were sent (for [outbound flows](../load-balancer-outbound-connections.md)) that are associated with a specific front end. You can use this metric to understand TCP connection attempts to your service.

-

-*Figure: Load Balancer SYN count*

-</details>

- * Apply a filter on a specific front-end IP, front-end port, back-end IP, or back-end port.

- * Get overall statistics for your load balancer resource without any filtering.

-

-*Figure: Load Balancer byte count*

-By using a combination of the Data Path Availability and Health Probe Status metrics on a single chart you can identify where to look for the problem and resolve the problem. You can gain assurance that Azure is working correctly and use this knowledge to conclusively determine that the configuration or application is the root cause.

-You can use health probe metrics to understand how Azure views the health of your deployment as per the configuration you have provided. Looking at health probes is always a great first step in monitoring or determining a cause.

-You can take it a step further and use Data Path availability metric to gain insight into how Azure views the health of the underlying data plane that's responsible for your specific deployment. When you combine both metrics, you can isolate where the fault might be, as illustrated in this example:

-

-*Figure: Combining Data Path Availability and Health Probe Status metrics*

-The chart allows customers to troubleshoot the deployment on their own without having to guess or ask support whether other issues are occurring. The service was unavailable because health probes were failing due to either a misconfiguration or a failed application.

-Azure Standard Load Balancer supports easily configurable alerts for multi-dimensional metrics. Configure custom thresholds for specific metrics to trigger alerts with varying levels of severity to empower a touchless resource monitoring experience.

-1. Create new alert rule

- 1. (Optional) Add action group for automated repair

- 1. Assign alert severity, name and description that enables intuitive reaction

-Using data path availability, you can fire alerts whenever a specific load balancing rule becomes unavailable. You can configure this alert by setting an alert condition for the data path availability and splitting by all current values and future values for both Frontend Port and Frontend IP Address. Setting the alert logic to be less than or equal to 0 will cause this alert to be fired whenever any load balancing rule becomes unresponsive. Set the aggregation granularity and frequency of evaluation according to your desired evaluation.

-With health probe status you can alert when a given backend instance fails to respond to the health probe for a significant amount of time. Set up your alert condition to use the health probe status metric and split by Backend IP Address and Backend Port. This will ensure that you can alert separately for each individual backend instanceΓÇÖs ability to serve traffic on a specific port. Use the **Average** aggregation type and set the threshold value according to how frequently your backend instance is probed and what you consider to be your healthy threshold.

-To configure for outbound availability, you can configure two separate alerts using the SNAT Connection Count and Used SNAT Port metrics.

-To detect outbound connection failures, configure an alert using SNAT Connection Count and filtering to Connection State = Failed. Use the **Total** aggregation. You can then also split this by Backend IP Address set to all current and future values to alert separately for each backend instance experiencing failed connections. Set the threshold to be greater than zero or a higher number if you expect to see some outbound connection failures.

-Through Used SNAT Ports you can alert on a higher risk of SNAT exhaustion and outbound connection failure. Ensure you are splitting by Backend IP address and Protocol when using this alert and use the **Average** aggregation. Set the threshold to be greater than a percentage(s) of the number of ports you have allocated per instance that you deem unsafe. For example, you may configure a low severity alert when a backend instance uses 75% of its allocated ports and a high severity when it uses 90% or 100% of its allocated ports.

-Health status for the Standard Load Balancer resources is exposed via the existing **Resource health** under **Monitor > Service Health**. It is evaluated every **two minutes** by measuring Data Path Availability which determines whether your Frontend Load Balancing endpoints are available.

-| Degraded | Your standard load balancer has platform or user initiated events impacting performance. The Datapath Availability metric has reported less than 90% but greater than 25% health for at least two minutes. You will experience moderate to severe performance impact. [Follow the troubleshooting RHC guide](./troubleshoot-rhc.md) to determine whether there are user initiated events causing impacting your availability.

-| Unavailable | Your standard load balancer resource is not healthy. The Datapath Availability metric has reported less the 25% health for at least two minutes. You will experience significant performance impact or lack of availability for inbound connectivity. There may be user or platform events causing unavailability. [Follow the troubleshooting RHC guide](./troubleshoot-rhc.md) to determine whether there are user initiated events impacting your availability. |

-| Unknown | Resource health status for your standard load balancer resource has not been updated yet or has not received Data Path availability information for the last 10 minutes. This state should be transient and will reflect correct status as soon as data is received. |

-To view the health of your public Standard Load Balancer resources:

-1. Select **Monitor** > **Service Health**.

- 

- *Figure: The Service Health link on Azure Monitor*

-2. Select **Resource Health**, and then make sure that **Subscription ID** and **Resource Type = Load Balancer** are selected.

- 

-3. In the list, select the Load Balancer resource to view its historical health status.

- 

- *Figure: Load Balancer resource health view*

-Generic resource health status description are available in the [RHC documentation](../service-health/resource-health-overview.md). For specific statuses for the Azure Load Balancer are listed in the below table:

-* A GitHub account, where you can create a repository. If you don't have one, you can [create one for free](https://github.com/).

-* An existing Azure Load Testing resource. To create a Load Testing resource, see [Create and run a load test](./quickstart-create-and-run-load-test.md#create_resource).

- "value": "$(mySecret1)",

- "value": "$(mySecret1)",

- "value": "<Value of the variable>",

- "value": "<Value of the variable>",

-* An existing Azure Load Testing resource. To create a Load Testing resource, see [Create and run a load test](./quickstart-create-and-run-load-test.md#create_resource).

-## Try now

-[Deploy a fully operational sample logic app that sends and receives AS2 messages](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.logic/logic-app-as2-send-receive)

-description: Reference guide to functions in expressions for Azure Logic Apps and Power Automate

-# Reference guide to using functions in expressions for Azure Logic Apps and Power Automate

-For workflow definitions in [Azure Logic Apps](../logic-apps/logic-apps-overview.md) and [Power Automate](/power-automate/getting-started), some [expressions](../logic-apps/logic-apps-workflow-definition-language.md#expressions) get their values from runtime actions that might not yet exist when your workflow starts running. To reference these values or process the values in these expressions, you can use *functions* provided by the [Workflow Definition Language](../logic-apps/logic-apps-workflow-definition-language.md).

-

-

-| [item](../logic-apps/workflow-definition-language-functions-reference.md#item) | When inside a repeating action over an array, return the current item in the array during the action's current iteration. |

-> If you use logical functions or conditions to compare values, null values are converted to empty string (`""`) values. The behavior of conditions differs when you compare with an empty string instead of a null value. For more information, see the [string() function](#string).

-To change a value's type or format, you can use these conversion functions. For example, you can change a value from a Boolean to an integer. For more information about how Logic Apps handles content types during conversion, see [Handle content types](../logic-apps/logic-apps-content-type.md). For the full reference about each function, see the [alphabetical list](../logic-apps/workflow-definition-language-functions-reference.md#alphabetical-list).

-If you use this numerical output where string input is expected, such as a URL, Logic Apps automatically converts the value into a string by using the curly braces (`{}`) notation:

-| [item](../logic-apps/workflow-definition-language-functions-reference.md#item) | When inside a repeating action over an array, return the current item in the array during the action's current iteration. |

-| [items](../logic-apps/workflow-definition-language-functions-reference.md#items) | When inside a Foreach or Until loop, return the current item from the specified loop.|

-| [iterationIndexes](../logic-apps/workflow-definition-language-functions-reference.md#iterationIndexes) | When inside an Until loop, return the index value for the current iteration. You can use this function inside nested Until loops. |

-Return the index value for the current iteration inside an Until loop. You can use this function inside nested Until loops.

-| Parameter | Required | Type | Description |

-| | -- | - | -- |

-| <*loopName*> | Yes | String | The name for the Until loop |

-|||||

-| Return value | Type | Description |

-| | - | -- |

-| <*index*> | Integer | The index value for the current iteration inside the specified Until loop |

-||||

-*Example*

->

-Return a collection that has *only* the

-common items across the specified collections.

-To appear in the result, an item must appear in

-all the collections passed to this function.

-If one or more items have the same name,

-the last item with that name appears in the result.

-Return the "callback URL" that calls a trigger or action.

-This function works only with triggers and actions for the

-**HttpWebhook** and **ApiConnectionWebhook** connector types,

-but not the **Manual**, **Recurrence**, **HTTP**, and **APIConnection** types.

-Return the value for a parameter that is

-described in your workflow definition.

-Return a random integer from a specified range,

-which is inclusive only at the starting end.

-This example creates an integer array that starts from

-the specified index and has the specified number of integers:

-This example finds the "old" substring in "the old string"

-and replaces "old" with "new":

-Remove items from the front of a collection,

-and return *all the other* items.

-Return an array that contains substrings, separated by commas,

-based on the specified delimiter character in the original string.

-This example creates an array with substrings from the specified

-string based on the specified character as the delimiter:

-Check whether a string starts with a specific substring.

-Return true when the substring is found, or return false when not found.

-This function is not case-sensitive.

-This example checks whether the "hello world"

-string starts with the "hello" substring:

-This example checks whether the "hello world"

-string starts with the "greetings" substring:

-This example creates a string for the specified JSON object

-and uses the backslash character (\\)

-as an escape character for the double-quotation mark (").

-This example creates a five-character substring from the specified string,

-starting from the index value 6:

-Subtract a number of time units from a timestamp.

-See also [getPastTime](#getPastTime).

-These examples get the specified number of

-items from the front of these collections:

-Return a string in lowercase format. If a character

-in the string doesn't have a lowercase version,

-that character stays unchanged in the returned string.

-Return a string in uppercase format. If a character

-in the string doesn't have an uppercase version,

-that character stays unchanged in the returned string.

-Return a trigger's output at runtime,

-or values from other JSON name-and-value pairs,

-which you can assign to an expression.

-* Inside a trigger's inputs, this function

-returns the output from the previous execution.

-* Inside a trigger's condition, this function

-returns the output from the current execution.

-By default, the function references the entire trigger object,

-but you can optionally specify a property whose value that you want.

-Also, this function has shorthand versions available,

-see [triggerOutputs()](#triggerOutputs) and [triggerBody()](#triggerBody).

-Return a trigger's `body` output at runtime.

-Shorthand for `trigger().outputs.body`.

-See [trigger()](#trigger).

-Return a string with a single value that matches a key

-name in a trigger's *form-data* or *form-encoded* output.

-If the function finds more than one match,

-the function throws an error.

-This example creates a string from the "feedUrl" key value in

-an RSS trigger's form-data or form-encoded output:

-Return a trigger's output at runtime,

-or values from other JSON name-and-value pairs.

-Shorthand for `trigger().outputs`.

-See [trigger()](#trigger).

-Remove leading and trailing whitespace from a string,

-and return the updated string.

-This example removes the leading and trailing

-whitespace from the string " Hello World ":

-Return a collection that has *all* the items from the specified collections.

-To appear in the result, an item can appear in any collection

-passed to this function. If one or more items have the same name,

-the last item with that name appears in the result.

-Return a uniform resource identifier (URI) encoded version for a

-string by replacing URL-unsafe characters with escape characters.

-Use this function rather than [encodeUriComponent()](#encodeUriComponent).

-Although both functions work the same way,

-`uriComponent()` is preferred.

-Return the string version for a uniform resource identifier (URI) encoded string,

-effectively decoding the URI-encoded string.

-Suppose the current value for a "numItems" variable is 20.

-This example gets the integer value for this variable:

-This example creates the XML version for this string,

-which contains a JSON object:

-Here is the result array with the nodes that match `<name></name`:

-Here is the result: `Gala`

-Here is the result: `Honeycrisp`

-Here is the result: `[ Gala, Honeycrisp ]`

-Here is the result: `[ Gala ]`

-Here is the result: `Honeycrisp`

-Here is the result: `30`

-Here is the result node that matches the `<location></location>` node:

-Here is the result: `Paris`

-Learn about the [Workflow Definition Language](../logic-apps/logic-apps-workflow-definition-language.md)

-Another value directly correlated to epsilon is **delta**. Delta is a measure of the probability that a report is not fully private. The higher the delta, the higher the epsilon. Because these values are correlated, epsilon is used more often.

-Although the preservation of privacy should be the goal, there is a tradeoff when it comes to usability and reliability of the data. In data analytics, accuracy can be thought of as a measure of uncertainty introduced by sampling errors. This uncertainty tends to fall within certain bounds. **Accuracy** from a differential privacy perspective instead measures the reliability of the data, which is affected by the uncertainty introduced by the privacy mechanisms. In short, a higher level of noise or privacy translates to data that has a lower epsilon, accuracy, and reliability.

-|Evaluator | Stochastic evaluator that checks for privacy violations, accuracy, and bias. The evaluator supports the following tests: <ul><li>Privacy Test - Determines whether a report adheres to the conditions of differential privacy.</li><li>Accuracy Test - Measures whether the reliability of reports falls within the upper and lower bounds given a 95% confidence level.</li><li>Utility Test - Determines whether the confidence bounds of a report are close enough to the data while still maximizing privacy.</li><li>Bias Test - Measures the distribution of reports for repeated queries to ensure they are not unbalanced</li></ul> |

-In the Fairlearn open-source package, fairness is conceptualized though an approach known as **group fairness**, which asks: Which groups of individuals are at risk for experiencing harms? The relevant groups, also known as subpopulations, are defined through **sensitive features** or sensitive attributes. Sensitive features are passed to an estimator in the Fairlearn open-source package as a vector or a matrix called `sensitive_features`. The term suggests that the system designer should be sensitive to these features when assessing group fairness.

-> A fairness assessment is not a purely technical exercise. The Fairlearn open-source package can help you assess the fairness of a model, but it will not perform the assessment for you. The Fairlearn open-source package helps identify quantitative metrics to assess fairness, but developers must also perform a qualitative analysis to evaluate the fairness of their own models. The sensitive features noted above is an example of this kind of qualitative analysis.

-The Fairlearn open-source package includes a variety of unfairness mitigation algorithms. These algorithms support a set of constraints on the predictor's behavior called **parity constraints** or criteria. Parity constraints require some aspects of the predictor behavior to be comparable across the groups that sensitive features define (e.g., different races). The mitigation algorithms in the Fairlearn open-source package use such parity constraints to mitigate the observed fairness issues.

-Throughout the development and use of AI systems, trust must be at the core. Trust in the platform, process, and models. At Microsoft, responsible AI with regards tomachine learning encompasses the following values and principles:

-Many aspects of fairness cannot be captured or represented by metrics. There are tools and practices that can improve fairness in the design and development of AI systems.

-Models tend to be thought of as "opaque boxes" and often there is little information about them. Because machine learning systems are becoming more pervasive and are used for decision making, using datasheets is a step towards developing more responsible machine learning systems.

-* Use a visualization dashboard to interact with your model explanations, both in a Jupyter notebook and in the Azure Machine Learning studio.

-### Explain the entire model behavior (global explanation)

-The following example shows how you can use the `ExplanationClient` class to enable model interpretability for remote runs. It is conceptually similar to the local process, except you:

-When attempting to interpret a model with respect to the original dataset, it is recommended to use raw explanations as each feature importance will correspond to a column from the original dataset. One scenario where engineered explanations might be useful is when examining the impact of individual categories from a categorical feature. If a one-hot encoding is applied to a categorical feature, then the resulting engineered explanations will include a different importance value per category, one per one-hot engineered feature. This encoding can be useful when narrowing down which part of the dataset is most informative to the model.

-### Create, edit and view dataset cohorts

-Evaluate the performance of your model by exploring the distribution of your prediction values and the values of your model performance metrics. You can further investigate your model by looking at a comparative analysis of its performance across different cohorts or subgroups of your dataset. Select filters along y-value and x-value to cut across different dimensions. View metrics such as accuracy, precision, recall, false positive rate (FPR) and false negative rate (FNR).

-Explore the top-k important features that impact your overall model predictions (also known as global explanation). Use the slider to show descending feature importance values. Select up to three cohorts to see their feature importance values side by side. Click on any of the feature bars in the graph to see how values of the selected feature impact model prediction in the dependence plot below.

-If you complete the [remote interpretability](how-to-machine-learning-interpretability-aml.md#generate-feature-importance-values-via-remote-runs) steps (uploading generated explanations to Azure Machine Learning Run History), you can view the visualizations on the explanations dashboard in [Azure Machine Learning studio](https://ml.azure.com). This dashboard is a simpler version of the dashboard widget that's generated within your Jupyter notebook. What-If datapoint generation and ICE plots are disabled as there is no active compute in Azure Machine Learning studio that can perform their real time computations.

-If the dataset, global, and local explanations are available, data populates all of the tabs. If only a global explanation is available, the Individual feature importance tab will be disabled.

-* **Sparse data not supported**: The model explanation dashboard breaks/slows down substantially with a large number of features, therefore we currently do not support sparse data format. Additionally, general memory issues will arise with large datasets and large number of features.

-Dataset explorer | Supported (not forecasting) | Not supported. Since sparse data is not uploaded and UI has issues rendering sparse data. | Supported | Not supported. Since sparse data is not uploaded and UI has issues rendering sparse data. |

- Individual feature importance| Supported (not forecasting) | Not supported. Since sparse data is not uploaded and UI has issues rendering sparse data. | Supported | Not supported. Since sparse data is not uploaded and UI has issues rendering sparse data. |

-* **Forecasting models not supported with model explanations**: Interpretability, best model explanation, is not available for AutoML forecasting experiments that recommend the following algorithms as the best model: TCNForecaster, AutoArima, Prophet, ExponentialSmoothing, Average, Naive, Seasonal Average, and Seasonal Naive. AutoML Forecasting regression models support explanations. However, in the explanation dashboard, the "Individual feature importance" tab is not supported for forecasting because of complexity in their data pipelines.

-* **Local explanation for data index**: The explanation dashboard does not support relating local importance values to a row identifier from the original validation dataset if that dataset is greater than 5000 datapoints as the dashboard randomly downsamples the data. However, the dashboard shows raw dataset feature values for each datapoint passed into the dashboard under the Individual feature importance tab. Users can map local importances back to the original dataset through matching the raw dataset feature values. If the validation dataset size is less than 5000 samples, the `index` feature in AzureML studio will correspond to the index in the validation dataset.

-* **What-if/ICE plots not supported in studio**: What-If and Individual Conditional Expectation (ICE) plots are not supported in Azure Machine Learning studio under the Explanations tab since the uploaded explanation needs an active compute to recalculate predictions and probabilities of perturbed features. It is currently supported in Jupyter notebooks when run as a widget using the SDK.

- >

- > Your storage account, compute cluster, and Azure Container Registry must all be in the same subnet of the virtual network.

-* A Python environment in which you've installed both the `azureml-core` and `azureml-pipelines` packages. This environment is for defining and controlling your Azure Machine Learning resources and is separate from the environment used at runtime for training.

-> Currently, the most recent Python release compatible with `azureml-pipelines` is Python 3.8. If you've difficulty installing the `azureml-pipelines` package, ensure that `python --version` is a compatible release. Consult the documentation of your Python virtual environment manager (`venv`, `conda`, and so on) for instructions.

-Fashion-MNIST] is a dataset of fashion images divided into 10 classes. Each image is a 28x28 grayscale image and there are 60,000 training and 10,000 test images. As an image classification problem, Fashion-MNIST is harder than the classic MNIST handwritten digit database. It's distributed in the same compressed binary form as the original [handwritten digit database](http://yann.lecun.com/exdb/mnist/) .

-* The model architecture is written to "outputs/model/model.json" and the weights to `outputs/model/model.h5`

-For more information on the column names, attributes, and description, see these articles:

-The following sections provide report queries for various reports.

-|<img width=200/>|<img width=500/>|

-6. Create a new Security Group and add it to Canvas App (Power Apps). This step is only applicable to Dynamics 365 for Customer Engagement & PowerApps offers with the Canvas Apps option.

-|[Create an account from code](https://github.com/Azure-Samples/media-services-v3-node-tutorials/blob/main/Account/CreateAccount/create-account.ts)|The sample shows how to create a Media Services account and set the primary storage account, in addition to advanced configuration settings including Key Delivery IP allowlist, Managed Identity, storage auth, and bring your own encryption key.|

-|[Create an account with user assigned managed identity code](https://github.com/Azure-Samples/media-services-v3-node-tutorials/blob/main/Account/CreateAccount/create-account_with_managed_identity.ts)|The sample shows how to create a Media Services account and set the primary storage account, in addition to advanced configuration settings including Key Delivery IP allowlist, user or system assigned Managed Identity, storage auth, and bring your own encryption key.|

-| **Media processor name** | **Retirement date** | **Additional notes** |

-| Azure Media Indexer | January 1st, 2020 | This media processor will be replaced by the [Media Services v3 AudioAnalyzerPreset Basic mode](../latest/analyze-video-audio-files-concept.md). For more information, see [Migrate from Azure Media Indexer 2 to Azure Video Analyzer for Media](migrate-indexer-v1-v2.md) (formerly Video Indexer). |

-| Azure Media Indexer 2 | March 1, 2023 | This media processor will be replaced by the [Media Services v3 AudioAnalyzerPreset Basic mode](../latest/analyze-video-audio-files-concept.md). For more information, see [Migrate from Azure Media Indexer 2 to Azure Video Analyzer for Media](migrate-indexer-v1-v2.md) (formerly Video Indexer). |

-| Motion Detection | June 1st, 2020|No replacement plans at this time. |

-| Video Summarization |June 1st, 2020|No replacement plans at this time.|

-| Video Optical Character Recognition | June 1st, 2020 |This media processor was replaced by Azure Video Analyzer for Media. Also, consider using [Azure Media Services v3 API](../latest/analyze-video-audio-files-concept.md). <br/>See [Compare Azure Media Services v3 presets and Video Analyzer for Media](../../azure-video-analyzer/video-analyzer-for-media-docs/compare-video-indexer-with-media-services-presets.md). |

-| Face Detector | June 1st, 2020 | This media processor was replaced by Azure Video Analyzer for Media. Also, consider using [Azure Media Services v3 API](../latest/analyze-video-audio-files-concept.md). <br/>See [Compare Azure Media Services v3 presets and Video Analyzer for Media](../../azure-video-analyzer/video-analyzer-for-media-docs/compare-video-indexer-with-media-services-presets.md). |

-| Content Moderator | June 1st, 2020 |This media processor was replaced by Azure Video Analyzer for Media. Also, consider using [Azure Media Services v3 API](../latest/analyze-video-audio-files-concept.md). <br/>See [Compare Azure Media Services v3 presets and Video Analyzer for Media](../../azure-video-analyzer/video-analyzer-for-media-docs/compare-video-indexer-with-media-services-presets.md). |

-## Next steps

-## Running the JavaScript code in Node.js

-1. Paste the JavaScript code into text files, and then save it into a project folder with file extension .js (such as C:\nodejsmysql\createtable.js or /home/username/nodejsmysql/createtable.js).

-2. Open the command prompt or bash shell, and then change directory into your project folder `cd nodejsmysql`.

-3. To run the application, enter the node command followed by the file name, such as `node createtable.js`.

-4. On Windows, if the node application is not in your environment variable path, you may need to use the full path to launch the node application, such as `"C:\Program Files\nodejs\node.exe" createtable.js`

-Replace the `host`, `user`, `password`, and `database` parameters with the values that you specified when you created the server and database.

- ssl: true

-Replace the `host`, `user`, `password`, and `database` parameters with the values that you specified when you created the server and database.

- ssl: true

-Use the following code to connect and read the data by using an **UPDATE** SQL statement.

-Replace the `host`, `user`, `password`, and `database` parameters with the values that you specified when you created the server and database.

- ssl: true

-Use the following code to connect and read the data by using a **DELETE** SQL statement.

-Replace the `host`, `user`, `password`, and `database` parameters with the values that you specified when you created the server and database.

- ssl: true

- | where LogicalServerName_s == '<your server name>'

- | project TimeGenerated, LogicalServerName_s, event_class_s, event_subclass_s, event_time_t, user_s , ip_s , sql_text_s

- | where LogicalServerName_s == '<your server name>'

- | project TimeGenerated, LogicalServerName_s, event_class_s, event_subclass_s, event_time_t, user_s , ip_s , sql_text_s

- | where LogicalServerName_s == '<your server name>'

- | project TimeGenerated, LogicalServerName_s, event_class_s, event_subclass_s, event_time_t, user_s , ip_s , sql_text_s

- | where LogicalServerName_s == '<your server name>'

- | project TimeGenerated, LogicalServerName_s, event_class_s, event_subclass_s, event_time_t, user_s , ip_s , sql_text_s

- | summarize count() by LogicalServerName_s, bin(TimeGenerated, 5m)

- | project TimeGenerated, LogicalServerName_s, event_class_s, event_subclass_s, event_time_t, user_s , ip_s , sql_text_s

- | where LogicalServerName_s == '<your server name>'

- | project TimeGenerated, LogicalServerName_s, event_class_s, start_time_t , query_time_d, sql_text_s

- | where LogicalServerName_s == '<your server name>'

- | project TimeGenerated, LogicalServerName_s, event_class_s, start_time_t , query_time_d, sql_text_s

- | where LogicalServerName_s == '<your server name>'

- | project TimeGenerated, LogicalServerName_s, event_class_s, start_time_t , query_time_d, sql_text_s

- | summarize count(), min(query_time_d), max(query_time_d), avg(query_time_d), stdev(query_time_d), percentile(query_time_d, 95) by LogicalServerName_s

- | where LogicalServerName_s == '<your server name>'

- | project TimeGenerated, LogicalServerName_s, event_class_s, start_time_t , query_time_d, sql_text_s

- | summarize count() by LogicalServerName_s, bin(TimeGenerated, 5m)

- | project TimeGenerated, LogicalServerName_s, event_class_s, start_time_t , query_time_d, sql_text_s

- - Make sure that the 3D model is encoded in one of the supported formats: `.glb`, `.gltf`, `.ply`, `.fbx`, `.obj`.

-**A:** We currently support `fbx`, `ply`, `obj`, `glb`, and `gltf` file types. For more information, see [Asset Requirements](overview.md).

-The asset formats currently supported are: `fbx`, `ply`, `obj`, `glb`, and `gltf`.

- | InputAssetPath | The absolute path to a 3D model on your local machine. Supported file formats are `fbx`, `ply`, `obj`, `glb`, and `gltf`. |

-1. Prepare a local machine with a Unix-like operating system that is supported by the various products installed (for example Red Hat Enterprise Linux 8 (latest update) in the case of JBoss EAP).

-jboss-on-aro-jakartaee (main) $ git checkout bootable-jar

-jboss-on-aro-jakartaee (bootable-jar) $

- jboss-on-aro-jakartaee (bootable-jar) $ MSSQLSERVER_DRIVER_VERSION=7.4.1.jre11 \

- jboss-on-aro-jakartaee (bootable-jar) $ MSSQLSERVER_USER=SA \

- jboss-on-aro-jakartaee (bootable-jar) $ MSSQLSERVER_USER=SA \

- jboss-on-aro-jakartaee (bootable-jar) $ curl http://localhost:9990/health/live

- jboss-on-aro-jakartaee (bootable-jar) $ curl http://localhost:9990/health/ready

-jboss-on-aro-jakartaee (bootable-jar) $ git checkout bootable-jar-openshift

-jboss-on-aro-jakartaee (bootable-jar-openshift) $

- jboss-on-aro-jakartaee (bootable-jar-openshift) $ oc create secret generic mssqlserver-secret \

- jboss-on-aro-jakartaee (bootable-jar-openshift) $ oc apply -f ./deployment/msqlserver/mssqlserver.yaml

- jboss-on-aro-jakartaee (bootable-jar-openshift) $ oc get pods -w

- jboss-on-aro-jakartaee (bootable-jar-openshift) $ oc rsh mssqlserver-1-gw7qw

- jboss-on-aro-jakartaee (bootable-jar-openshift) $ oc create secret generic todo-list-secret \

-jboss-on-aro-jakartaee (bootable-jar-openshift) $ oc delete secrets/todo-list-secret

-jboss-on-aro-jakartaee (bootable-jar-openshift) $ oc delete all -l app=mssql2019

-jboss-on-aro-jakartaee (bootable-jar-openshift) $ oc delete secrets/mssqlserver-secret

-jboss-on-aro-jakartaee (bootable-jar-openshift) $ oc delete project eap-demo

-For any questions or suggestions you might have on Azure Database for PostgreSQL flexible server, send an email to the Azure Database for PostgreSQL Team ([@Ask Azure DB for PostgreSQL](mailto:AskAzureDBforPostgreSQL@service.microsoft.com)). Please note that this email address is not a technical support alias.

-|| [DB2](register-scan-db2.md) |

-#### Name resolution for single Azure Purview account

-If you have one Azure Purview account in your tenant, and you have enabled private endpoints for account, portal and ingestion, you can use any of [the supported scenarios](catalog-private-link-name-resolution.md#deployment-options) for name resolution in your network.

-2. Deploy at least one _ingestion_ private endpoint for each Azure Purview account.

-3. Deploy one _portal_ private endpoint for one of the Azure Purview accounts in your Azure environments. Create one DNS A record for _portal_ private endpoint to resolve `web.purview.azure.com`.

-

-> _Portal_ private endpoint mainly renders static assets related to Azure Purview Studio, thus, it is independent of Azure Purview account, therefore, only one _portal_ private endpoint is needed to visit all Azure Purview accounts in the Azure environment.

-You may need to deploy separate _portal_ private endpoints for each Azure Purview account in the scenarios where Azure Purview accounts are deployed in isolated network segmentations.

-> Azure Purview _portal_ is static contents for all customers without any customer information. Optionally, you can use public network to launch `web.purview.azure.com` if your end users are allowed to launch the Internet.

-* **Scan rule sets** ΓÇô This is your collection of rules assigned to specific scan such as file type and classifications to detect. If you donΓÇÖt have that many scan rule sets, itΓÇÖs possible to just re-create them manually again via Production. This will require an internal process and good documentation. However, if you rule sets change on the daily or weekly basis, this could be addressed by exploring the REST API route.

-|| [DB2](register-scan-db2.md) | [Yes](register-scan-db2.md#register) | No | [Yes](register-scan-db2.md#lineage) | No |

-description: This guide describes how to connect to DB2 in Azure Purview, and use Azure Purview's features to scan and manage your DB2 source.

-# Connect to and manage DB2 in Azure Purview (Preview)

-This article outlines how to register DB2, and how to authenticate and interact with DB2 in Azure Purview. For more information about Azure Purview, read the [introductory article](overview.md).

-> DB2 as a source is currently in PREVIEW. The [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-The supported IBM DB2 versions are DB2 for LUW 9.7 to 11.x. DB2 for z/OS (mainframe) and iSeries (AS/400) are not supported now.

-When scanning IBM DB2 source, Azure Purview supports:

-When setting up scan, you can choose to scan an entire DB2 database, or scope the scan to a subset of schemas matching the given name(s) or name pattern(s).

-* Manually download a DB2 JDBC driver from [here](https://www.ibm.com/support/pages/db2-jdbc-driver-versions-and-downloads) onto your virtual machine where self-hosted integration runtime is running.

-* The DB2 user must have the CONNECT permission. Azure Purview connects to the syscat tables in IBM DB2 environment when importing metadata.

-This section describes how to register DB2 in Azure Purview using the [Azure Purview Studio](https://web.purview.azure.com/).

-To register a new DB2 source in your data catalog, do the following:

-1. On Register sources, select **DB2**. Select **Continue**.

-On the **Register sources (DB2)** screen, do the following:

-1. Enter the **Server** name to connect to a DB2 source. This can either be:

-1. Enter the **Port** used to connect to the database server (446 by default for DB2).

-Follow the steps below to scan DB2 to automatically identify assets and classify your data. For more information about scanning in general, see our [introduction to scans and ingestion](concept-scans-and-ingestion.md).

-The supported authentication type for a DB2 source is **Basic authentication**.

-1. Select the registered DB2 source.

- 1. **Maximum memory available**: Maximum memory (in GB) available on customer's VM to be used by scanning processes. This is dependent on the size of DB2 source to be scanned.

- :::image type="content" source="media/register-scan-db2/scan.png" alt-text="scan DB2" border="true":::

-After scanning your DB2 source, you can [browse data catalog](how-to-browse-catalog.md) or [search data catalog](how-to-search-catalog.md) to view the asset details.

-Go to the asset -> lineage tab, you can see the asset relationship when applicable. Refer to the [supported capabilities](#supported-capabilities) section on the supported DB2 lineage scenarios. For more information about lineage in general, see [data lineage](concept-data-lineage.md) and [lineage user guide](catalog-lineage-user-guide.md).

-Azure Router Server needs to ensure connectivity to the backend service that manages the Route Server configuration, as such a public IP address is required.

-|[Azure Cloud Services](../../cloud-services/cloud-services-choose-me.md)|*.cloudapp.azure.com|

-|[Visual Studio Codespaces](https://visualstudio.microsoft.com/services/visual-studio-codespaces/)|*.visualstudio.com|

-| **Microsoft MITRE ATT&CK solution for Cloud**| Workbooks, analytics rules, hunting queries|Security - Threat protection, Security - Others |Microsoft |

-Azure blob storage allows you to store large amounts of unstructured object data. You can use Blob Storage to gather or expose media, content, or application data to users. Because all blob data is stored within containers, you must create a storage container before you can begin to upload data. To learn more about Blob Storage, read the [Introduction to Azure Blob storage](storage-blobs-introduction.md).

-A container exposes both system properties and user-defined metadata. System properties exist on each Blob Storage resource. Some properties are read-only, while others can be read or set. Under the covers, some system properties map to certain standard HTTP headers.

-User-defined metadata consists of one or more name-value pairs that you specify for a Blob Storage resource. You can use metadata to store additional values with the resource. Metadata values are for your own purposes only, and don't affect how the resource behaves.

-If a directory is deleted in an account that has the hierarchical namespace feature enabled on it, the directory and all its contents are marked as soft-deleted.

-In accounts that have a hierarchical namespace, the **Undelete Blob** operation can also be used to restore a soft-deleted directory and all its contents. If you rename a directory that contains soft deleted blobs, those soft deleted blobs become disconnected from the directory. If you want to restore those blobs, you'll have to revert the name of the directory back to its original name or create a separate directory that uses the original directory name. Otherwise, you'll receive an error when you attempt to restore those soft deleted blobs.

-You can switch a storage account from one type of replication to any other type, but some scenarios are more straightforward than others. If you want to add or remove geo-replication or read access to the secondary region, you can use the Azure portal, PowerShell, or Azure CLI to update the replication setting. However, if you want to change how data is replicated in the primary region, by moving from LRS to ZRS or vice versa, then you must perform a manual migration.

-| <b>ΓǪfrom ZRS</b> | Perform a manual migration | Perform a manual migration | N/A | Request a live migration³ <br /><br /> OR <br /><br /> Use Azure portal, PowerShell, or Azure CLI to change the replication setting as part of a failback operation only⁴ |

-⁴ After an account failover to the secondary region, it's possible to initiate a fail back from the new primary back to the new secondary with Azure portal, PowerShell, or Azure CLI (version 2.30.0 or later). For more information, see [Use caution when failing back to the original primary](storage-disaster-recovery-guidance.md#use-caution-when-failing-back-to-the-original-primary). <br />

-If you need to migrate your storage account from LRS to ZRS in the primary region with no application downtime, you can request a live migration from Microsoft. To migrate from LRS to GZRS or RA-GZRS, first switch to GRS or RA-GRS and then request a live migration. Similarly, you can request a live migration from GRS or RA-GRS to GZRS or RA-GZRS. To migrate from GRS or RA-GRS to ZRS, first switch to LRS, then request a live migration.

-| Azure Cache for Redis | Microsoft.Cache/Redis | Allows access to storage accounts through Azure Cache for Redis. |

- return event.toLocaleDateString('de-DE', options);

-A complete Encryption-at-Rest solution ensures the data is never persisted in un-encrypted form. Double encryption of data at rest mitigates threats with two, separate layers of encryption to protect against compromises of any single layer. Azure Synapse Analytics offers a second layer of encryption for the data in your workspace with a customer-managed key. This key is safeguarded in your [Azure Key Vault](../../key-vault/general/overview.md), which allows you to take ownership of key management and rotation.

-This section will help you better understand how customer-managed key encryption is enabled and enforced in Synapse workspaces. This encryption uses existing keys or new keys generated in Azure Key Vault. A single key is used to encrypt all the data in a workspace. Synapse workspaces support RSA 2048 and 3072 byte-sized keys, as well as RSA-HSM keys.

-The Azure Synapse encryption model with customer-managed keys involves the workspace accessing the keys in Azure Key Vault to encrypt and decrypt as needed. The keys are made accessible to the workspace either through an access policy or [Azure Key Vault RBAC access](../../key-vault/general/rbac-guide.md). When granting permissions via an Azure Key Vault access policy, choose the ["Application-only"](../../key-vault/general/security-features.md#key-vault-authentication-options) option during policy creation (select the workspaces managed identity and do not add it as an authorized application).

- The workspace managed identity must be granted the permissions it needs on the key vault before the workspace can be activated. This phased approach to workspace activation ensures that data in the workspace is encrypted with the customer-managed key. Note that encryption can be enabled or disabled for dedicated SQL Pools- each pool is not enabled for encryption by default.

-Workspaces can be configured to use a [User-assigned Managed identity](../../active-directory/managed-identities-azure-resources/overview.md) to access your customer-managed key stored in Azure Key Vault. Configure a User-assigned Managed identity to avoid phased activation of your Azure Synapse workspace when using double encryption with customer managed keys. The Managed Identity Contributor built-in role is required to assign a user-assigned managed identity to an Azure Synapse workspace.

-To encrypt or decrypt data at rest, the managed identity must have the following permissions:

-If you do not configure a user-assigned managed identity to access customer managed keys during workspace creation, your workspace will remain in a "Pending" state until activation succeeds. The workspace must be activated before you can fully use all functionality. For example, you can only create a new dedicated SQL pool once activation succeeds. Grant the workspace managed identity access to the key vault and click on the activation link in the workspace Azure portal banner. Once the activation completes successfully, your workspace is ready to use with the assurance that all data in it is protected with your customer-managed key. As previously noted, the key vault must have purge protection enabled for activation to succeed.

-You can change the customer-managed key used to encrypt data from the **Encryption** page in the Azure portal. Here too, you can choose a new key using a key identifier or select from Key Vaults that you have access to in the same region as the workspace. If you choose a key in a different key vault from the ones previously used, grant the workspace managed identity "Get", "Wrap", and "Unwrap" permissions on the new key vault. The workspace will validate its access to the new key vault and all data in the workspace will be re-encrypted with the new key.

-[Create an Azure key vault and a key by using ARM template](../../key-vault/keys/quick-create-template.md)

-Cmd.exe also expects executable files to have the extension .exe, so you need to rename the file to have te .exe extension.

-**Q: What can I to do re-create the same virtual network in a different region?**

-Although Azure Virtual WAN itself is a Software Defined WAN (SD-WAN), it is also designed to enable seamless interconnection with the premises-based SD-WAN technologies and services. Many such services are offered by our [Virtual WAN](virtual-wan-locations-partners.md) ecosystem and Azure Networking Managed Services partners [(MSPs)](../networking/networking-partners-msp.md). Enterprises that are transforming their private WAN to SD-WAN have options when interconnecting their private SD-WAN with Azure Virtual WAN. Enterprises can choose from these options:

-# Generate and install VPN client configuration files for P2S certificate authentication

-When you connect to an Azure VNet using Point-to-Site and certificate authentication, you use the VPN client that is natively installed on the operating system from which you are connecting. All of the necessary configuration settings for the VPN clients are contained in a VPN client configuration zip file. The settings in the zip file help you easily configure the VPN clients for Windows, Mac IKEv2 VPN, or Linux.

-* **Generic**, which contains general information used to create your own VPN client configuration. The Generic folder is provided if IKEv2 or SSTP+IKEv2 was configured on the gateway. If only SSTP is configured, then the Generic folder is not present.

-In order to connect to Azure, you must manually configure the native IKEv2 VPN client. Azure does not provide a *mobileconfig* file. You can find all of the information that you need for configuration in the **Generic** folder.

-If you don't see the Generic folder in your download, it's likely that IKEv2 was not selected as a tunnel type. Note that the VPN gateway Basic SKU does not support IKEv2. On the VPN gateway, verify that the SKU is not Basic. Then, select IKEv2 and generate the zip file again to retrieve the Generic folder.

-* **VpnServerRoot.cer**, which contains the root certificate required to validate the Azure VPN Gateway during P2S connection setup.

-1. Copy to the root certificate file to your Mac. Double-click the certificate. The certificate will either automatically install, or you will see the **Add Certificates** page.

- * Select **Certificate**, click **Select** and select the correct client certificate that you installed earlier. Then, click **OK**.

- * Click **Authentication Settings**, then select **Certificate**. 

- * Click **Select** to open the **Choose An Identity** page. The **Choose An Identity** page displays a list of certificates for you to choose from. If you are unsure which certificate to use, you can click **Show Certificate** to see more information about each certificate.

- * On the **Authentication Settings** page, verify that the correct certificate is shown, then click **OK**.

-1. For both Catalina and Big Sur, in the **Local ID** field, specify the name of the certificate. In this example, it is `P2SChildCert`.

-If you have not already generated certificates, use the following steps:

-The following instructions were created on Ubuntu 18.0.4. Ubuntu 16.0.10 does not support strongSwan GUI. If you want to use Ubuntu 16.0.10, you will have to use the [command line](#linuxinstallcli). The examples below may not match screens that you see, depending on your version of Linux and strongSwan.

-If you have not already generated certificates, use the following steps:

-1. Open the **VpnSettings.xml** file and copy the `<VpnServer>` value. You will use this value in the next step.

-1. Adjust the values in the example below, then add the example to the **/etc/ipsec.conf** configuration.