+* The "type" sub-attribute values of multivalued complex attributes must be unique. For example, there can not be two different email addresses with the "work" sub-type.

+1. From the **Properties** page, under the option *Self service password reset enabled*, choose **Selected**.

+1. If your group isn't visible, choose **No groups selected**, browse for and select your Azure AD group, like *SSPR-Test-Group*, and then choose *Select*.

+1. From the menu on the left side of the **Authentication methods** page, set the **Number of methods required to reset** to *2*.

+ * Set **Notify users on password resets?** option to *Yes*.

+ * Set **Notify all admins when other admins reset their password?** to *Yes*.

+If users need more help with the SSPR process, you can customize the "Contact your administrator" link. The user can select this link in the SSPR registration process and when they unlock their account or resets their password. To make sure your users get the support needed, we recommend you provide a custom helpdesk email or URL.

+> [!NOTE]

+> Any claim starting with "xms_" is restricted.

+|.|

+|_claim_names|

+|_claim_sources|

+|aai|

+|access_token|

+|account_type|

+|acct|

+|acr|

+|acrs|

+|actor|

+|ageGroup|

+|aio|

+|altsecid|

+|amr|

+|app_chain|

+|app_displayname|

+|app_res|

+|appctx|

+|appctxsender|

+|appid|

+|appidacr|

+|at_hash|

+|auth_time|

+|azp|

+|azpacr|

+|c_hash|

+|ca_enf|

+|ca_policy_result|

+|capolids_latebind|

+|capolids|

+|cc|

+|cnf|

+|code|

+|controls_auds|

+|controls|

+|credential_keys|

+|ctry|

+|deviceid|

+|domain_dns_name|

+|domain_netbios_name|

+|e_exp|

+|email|

+|endpoint|

+|enfpolids|

+|expires_on|

+|fido_auth_data|

+|fwd_appidacr|

+|fwd|

+|graph|

+|group_sids|

+|groups|

+|hasgroups|

+|haswids|

+|home_oid|

+|home_puid|

+|home_tid|

+|identityprovider|

+|idp|

+|idtyp|

+|in_corp|

+|instance|

+|inviteTicket|

+|ipaddr|

+|isbrowserhostedapp|

+|isViral|

+|login_hint|

+|mam_compliance_url|

+|mam_enrollment_url|

+|mam_terms_of_use_url|

+|mdm_compliance_url|

+|mdm_enrollment_url|

+|mdm_terms_of_use_url|

+|msproxy|

+|nameid|

+|nickname|

+|nonce|

+|oid|

+|on_prem_id|

+|onprem_sam_account_name|

+|onprem_sid|

+|openid2_id|

+|origin_header|

+|platf|

+|polids|

+|pop_jwk|

+|preferred_username|

+|primary_sid|

+|prov_data|

+|puid|

+|pwd_exp|

+|pwd_url|

+|rdp_bt|

+|refresh_token_issued_on|

+|refreshtoken|

+|rh|

+|roles|

+|rt_type|

+|scp|

+|secaud|

+|sid|

+|sid|

+|signin_state|

+|source_anchor|

+|src1|

+|src2|

+|sub|

+|target_deviceid|

+|tbid|

+|tbidv2|

+|tenant_ctry|

+|tenant_display_name|

+|tenant_region_scope|

+|tenant_region_sub_scope|

+|thumbnail_photo|

+|tid|

+|tokenAutologonEnabled|

+|trustedfordelegation|

+|ttr|

+|unique_name|

+|upn|

+|user_setting_sync_url|

+|uti|

+|ver|

+|verified_primary_email|

+|verified_secondary_email|

+|vnet|

+|wamcompat_client_info|

+|wamcompat_id_token|

+|wamcompat_scopes|

+|wids|

+|xcb2b_rclient|

+|xcb2b_rcloud|

+|xcb2b_rtenant|

+|ztdid|

+|`http://schemas.microsoft.com/2012/01/devicecontext/claims/ismanaged`|

+|`http://schemas.microsoft.com/2014/02/devicecontext/claims/isknown`|

+|`http://schemas.microsoft.com/2014/03/psso`|

+|`http://schemas.microsoft.com/2014/09/devicecontext/claims/iscompliant`|

+|`http://schemas.microsoft.com/claims/authnmethodsreferences`|

+|`http://schemas.microsoft.com/claims/groups.link`|

+|`http://schemas.microsoft.com/identity/claims/acct`|

+|`http://schemas.microsoft.com/identity/claims/agegroup`|

+|`http://schemas.microsoft.com/identity/claims/aio`|

+|`http://schemas.microsoft.com/identity/claims/openid2_id`|

+|`http://schemas.microsoft.com/identity/claims/xms_et`|

+|`http://schemas.microsoft.com/ws/2008/06/identity/claims/expiration`|

+|`http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier`|

+Set the **MatchOn** property to one of the following values:

+ASP.NET Core 3.1 uses the Microsoft.AspNetCore.AzureAD.UI library. The middleware is initialized in the Startup.cs file.

+* [Manage access reviews](/graph/api/resources/accessreviewsv2-overview)

+Identity data is stored by Azure AD in a geographical location based on the address provided by your organization when it subscribed for a Microsoft Online service such as Microsoft 365 and Azure. For information on where your identity data is stored, you can use the [Where is your data located?](https://www.microsoft.com/trustcenter/privacy/where-your-data-is-located) section of the Microsoft Trust Center.

+* Multi-factor authentication using phone calls originate from datacenters in the customer's region and are routed by global providers.

+If a customer creates a new enterprise application (whether through Azure AD Gallery or non-Gallery) and enables password-based SSO, the Application sign in URL, and custom capture sign in fields are stored in the United States. For more information, see [Configure password-based single sign-on](../manage-apps/configure-password-single-sign-on-non-gallery-applications.md)

+Azure AD B2C policy configuration data and Key Containers are stored in U.S. datacenters, which do not contain any user personal data. For more info about policy configurations, see the [Azure Active Directory B2C: Built-in policies](../../active-directory-b2c/user-flow-overview.md) article.

+A new delegated permission EntitlementManagement.Read.All is now available for use with the Entitlement Management API in Microsoft Graph beta. To find out more about the available APIs, see [Working with the Azure AD entitlement management API](/graph/api/resources/entitlementmanagement-overview).

+Azure Active Directory access reviews MS Graph APIs are now in v1.0 support fully configurable access reviews features. [Learn more](/graph/api/resources/accessreviewsv2-overview?view=graph-rest-1.0&preserve-view=true).

+- [Access reviews - Graph API](/graph/api/resources/accessreviewsv2-overview)

+- [Entitlement management - Graph API](/graph/api/resources/entitlementmanagement-overview)

+>If you have many exclusion groups and therefore need to create multiple access reviews, we now have an API in the Microsoft Graph beta endpoint that allows you to create and manage them programmatically. To get started, see the [Azure AD access reviews API reference](/graph/api/resources/accessreviewsv2-overview) and [Example of retrieving Azure AD access reviews via Microsoft Graph](https://techcommunity.microsoft.com/t5/Azure-Active-Directory/Example-of-retrieving-Azure-AD-access-reviews-via-Microsoft/td-p/236096).

+To interact with and manage reviewable resources, see [Microsoft Graph API methods](/graph/api/resources/accessreviewsv2-overview) and [role and application permission authorization checks](/graph/api/resources/accessreviewsv2-overview). The access reviews methods in the Microsoft Graph API are available for both application and user contexts. When you run scripts in the application context, the account used to run the API (the service principle) must be granted the AccessReview.Read.All permission to query access reviews information.

+When you create new Microsoft Graph API queries for automation, use [Graph Explorer](https://developer.microsoft.com/en-us/graph/graph-explorer) to build and explore your Microsoft Graph queries before you put them into scripts and code. This step can help you to quickly iterate your query so that you get exactly the results you're looking for, without changing the code of your script.

+You can also retrieve assignments in an access package using Microsoft Graph. A user in an appropriate role with an application that has the delegated `EntitlementManagement.Read.All` or `EntitlementManagement.ReadWrite.All` permission can call the API to [list accessPackageAssignments](/graph/api/entitlementmanagement-list-accesspackageassignments?view=graph-rest-beta&preserve-view=true). While an identity governance administrator can retrieve access packages from multiple catalogs, if user is assigned only to catalog-specific delegated administrative roles, the request must supply a filter to indicate a specific access package, such as: `$filter=accessPackage/id eq 'a914b616-e04e-476b-aa37-91038f0b165b'`. An application that has the application permission `EntitlementManagement.Read.All` or `EntitlementManagement.ReadWrite.All` permission can also use this API.

+You can also directly assign a user to an access package using Microsoft Graph. A user in an appropriate role with an application that has the delegated `EntitlementManagement.ReadWrite.All` permission, or an application with that application permission, can call the API to [create an accessPackageAssignmentRequest](/graph/api/entitlementmanagement-post-accesspackageassignmentrequests?view=graph-rest-beta&preserve-view=true). In this request, the value of the `requestType` property should be `AdminAdd`, and the `accessPackageAssignment` property is a structure that contains the `targetId` of the user being assigned.

+You can also remove an assignment of a user to an access package using Microsoft Graph. A user in an appropriate role with an application that has the delegated `EntitlementManagement.ReadWrite.All` permission, or an application with that application permission, can call the API to [create an accessPackageAssignmentRequest](/graph/api/entitlementmanagement-post-accesspackageassignmentrequests?view=graph-rest-beta&preserve-view=true). In this request, the value of the `requestType` property should be `AdminRemove`, and the `accessPackageAssignment` property is a structure that contains the `id` property identifying the `accessPackageAssignment` being removed.

+You can also create an access package using Microsoft Graph. A user in an appropriate role with an application that has the delegated `EntitlementManagement.ReadWrite.All` permission can call the API to

+1. [List the accessPackageResources in the catalog](/graph/api/entitlementmanagement-list-accesspackagecatalogs?tabs=http&view=graph-rest-beta&preserve-view=true) and [create an accessPackageResourceRequest](/graph/api/entitlementmanagement-post-accesspackageresourcerequests?tabs=http&view=graph-rest-beta&preserve-view=true) for any resources that are not yet in the catalog.

+1. [Create an accessPackageAssignmentPolicy](/graph/api/entitlementmanagement-post-accesspackageassignmentpolicies?tabs=http&view=graph-rest-beta&preserve-view=true).

+You can also retrieve requests for an access package using Microsoft Graph. A user in an appropriate role with an application that has the delegated `EntitlementManagement.Read.All` or `EntitlementManagement.ReadWrite.All` permission can call the API to [list accessPackageAssignmentRequests](/graph/api/entitlementmanagement-list-accesspackageassignmentrequests?view=graph-rest-beta&preserve-view=true). You can supply a filter to indicate a specific access package, such as: `$expand=accessPackage&$filter=accessPackage/id eq '9bbe5f7d-f1e7-4eb1-a586-38cdf6f8b1ea'`. An application that has the application permission `EntitlementManagement.Read.All` or `EntitlementManagement.ReadWrite.All` permission can also use this API.

+You can create a catalog by using Microsoft Graph. A user in an appropriate role with an application that has the delegated `EntitlementManagement.ReadWrite.All` permission, or an application with that application permission, can call the API to [create an accessPackageCatalog](/graph/api/entitlementmanagement-post-accesspackagecatalogs?view=graph-rest-beta&preserve-view=true).

+You can also add a resource to a catalog by using Microsoft Graph. A user in an appropriate role, or a catalog and resource owner, with an application that has the delegated `EntitlementManagement.ReadWrite.All` permission can call the API to [create an accessPackageResourceRequest](/graph/api/entitlementmanagement-post-accesspackageresourcerequests?view=graph-rest-beta&preserve-view=true). An application with application permissions can't yet programmatically add a resource without a user context at the time of the request, however.

+### (Public preview) Sync AD objects to multiple Azure AD tenants

+**Application:** BIG-IP published service to be protected by and Azure AD SHA. The application host is domain-joined and so is integrated with Active Directory (AD).

+| 1| User connects to SAML SP endpoint for application (BIG-IP APM) |

+| 2| APM access policy redirects user to Azure AD (SAML IdP) |

+With the **Easy Button**, admins no longer go back and forth between Azure AD and a BIG-IP to enable services for SHA. The end-to-end deployment and policy management is handled directly between the APMΓÇÖs Guided Configuration wizard and Microsoft Graph. This rich integration between BIG-IP APM and Azure AD ensures applications can quickly, easily support identity federation, SSO, and Azure AD Conditional Access, reducing administrative overhead.

+Before a client or service can access Microsoft Graph, it must be trusted by the Microsoft identity platform by being registered with Azure AD. A BIG-IP must also be registered as a client in Azure AD, before the Easy Button wizard is trusted to access Microsoft Graph.

+Ideally, application access should be managed directly by Azure AD but being legacy it lacks any form of modern authentication protocol. Modernization would take considerable effort and time, introducing inevitable costs and risk of potential downtime.

+Instead, a BIG-IP deployed between the public internet and the internal application will be used to gate inbound access to the application.

+Having a BIG-IP in front of the application enables us to overlay the service with Azure AD pre-authentication and header-based SSO, significantly improving the overall security posture of the application.

+**Application:** BIG-IP published service to be protected by and Azure AD SHA.

+**Azure AD:** Security Assertion Markup Language (SAML) Identity Provider (IdP) responsible for verification of user credentials, Conditional Access (CA), and SSO to the BIG-IP APM. Trough SSO, Azure AD provides the BIG-IP with any required session attributes.

+**HR system:** Legacy employee database acting as source of truth for fine grained application permissions.

+Before a client or service can access Microsoft Graph, it must be trusted by the Microsoft identity platform by being registered with Azure AD. A BIG-IP must also be registered as a client in Azure AD, before the Easy Button wizard is trusted to access Microsoft Graph.

+ curl 'https://management.azure.com/subscriptions/<SUBSCRIPTION ID>/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM?api-version=2018-06-01' -X PUT -d '{"location":"westus","name":"myVM","identity":{"type":"SystemAssigned"},"properties":{"hardwareProfile":{"vmSize":"Standard_D2_v2"},"storageProfile":{"imageReference":{"sku":"2016-Datacenter","publisher":"MicrosoftWindowsServer","version":"latest","offer":"WindowsServer"},"osDisk":{"caching":"ReadWrite","managedDisk":{"storageAccountType":"StandardSSD_LRS"},"name":"myVM3osdisk","createOption":"FromImage"},"dataDisks":[{"diskSizeGB":1023,"createOption":"Empty","lun":0},{"diskSizeGB":1023,"createOption":"Empty","lun":1}]},"osProfile":{"adminUsername":"azureuser","computerName":"myVM","adminPassword":"<SECURE PASSWORD STRING>"},"networkProfile":{"networkInterfaces":[{"id":"/subscriptions/<SUBSCRIPTION ID>/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/myNic","properties":{"primary":true}}]}}}' -H "Content-Type: application/json" -H "Authorization: Bearer <ACCESS TOKEN>"

+ "storageAccountType":"StandardSSD_LRS"

+ curl 'https://management.azure.com/subscriptions/<SUBSCRIPTION ID>/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM?api-version=2018-06-01' -X PUT -d '{"location":"westus","name":"myVM","identity":{"type":"UserAssigned","identityIds":["/subscriptions/<SUBSCRIPTION ID>/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ID1"]},"properties":{"hardwareProfile":{"vmSize":"Standard_D2_v2"},"storageProfile":{"imageReference":{"sku":"2016-Datacenter","publisher":"MicrosoftWindowsServer","version":"latest","offer":"WindowsServer"},"osDisk":{"caching":"ReadWrite","managedDisk":{"storageAccountType":"StandardSSD_LRS"},"name":"myVM3osdisk","createOption":"FromImage"},"dataDisks":[{"diskSizeGB":1023,"createOption":"Empty","lun":0},{"diskSizeGB":1023,"createOption":"Empty","lun":1}]},"osProfile":{"adminUsername":"azureuser","computerName":"myVM","adminPassword":"myPassword12"},"networkProfile":{"networkInterfaces":[{"id":"/subscriptions/<SUBSCRIPTION ID>/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/myNic","properties":{"primary":true}}]}}}' -H "Content-Type: application/json" -H "Authorization: Bearer <ACCESS TOKEN>"

+ "storageAccountType":"StandardSSD_LRS"

+ curl 'https://management.azure.com/subscriptions/<SUBSCRIPTION ID>/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM?api-version=2017-12-01' -X PUT -d '{"location":"westus","name":"myVM","identity":{"type":"UserAssigned","identityIds":["/subscriptions/<SUBSCRIPTION ID>/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ID1"]},"properties":{"hardwareProfile":{"vmSize":"Standard_D2_v2"},"storageProfile":{"imageReference":{"sku":"2016-Datacenter","publisher":"MicrosoftWindowsServer","version":"latest","offer":"WindowsServer"},"osDisk":{"caching":"ReadWrite","managedDisk":{"storageAccountType":"StandardSSD_LRS"},"name":"myVM3osdisk","createOption":"FromImage"},"dataDisks":[{"diskSizeGB":1023,"createOption":"Empty","lun":0},{"diskSizeGB":1023,"createOption":"Empty","lun":1}]},"osProfile":{"adminUsername":"azureuser","computerName":"myVM","adminPassword":"myPassword12"},"networkProfile":{"networkInterfaces":[{"id":"/subscriptions/<SUBSCRIPTION ID>/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/myNic","properties":{"primary":true}}]}}}' -H "Content-Type: application/json" -H "Authorization: Bearer <ACCESS TOKEN>"

+ "storageAccountType":"StandardSSD_LRS"

+ curl 'https://management.azure.com/subscriptions/<SUBSCRIPTION ID>/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachineScaleSets/myVMSS?api-version=2018-06-01' -X PUT -d '{"sku":{"tier":"Standard","capacity":3,"name":"Standard_D1_v2"},"location":"eastus","identity":{"type":"SystemAssigned"},"properties":{"overprovision":true,"virtualMachineProfile":{"storageProfile":{"imageReference":{"sku":"2016-Datacenter","publisher":"MicrosoftWindowsServer","version":"latest","offer":"WindowsServer"},"osDisk":{"caching":"ReadWrite","managedDisk":{"storageAccountType":"StandardSSD_LRS"},"createOption":"FromImage"}},"osProfile":{"computerNamePrefix":"myVMSS","adminUsername":"azureuser","adminPassword":"myPassword12"},"networkProfile":{"networkInterfaceConfigurations":[{"name":"myVMSS","properties":{"primary":true,"enableIPForwarding":true,"ipConfigurations":[{"name":"myVMSS","properties":{"subnet":{"id":"/subscriptions/<SUBSCRIPTION ID>/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet"}}}]}}]}},"upgradePolicy":{"mode":"Manual"}}}' -H "Content-Type: application/json" -H "Authorization: Bearer <ACCESS TOKEN>"

+ "storageAccountType":"StandardSSD_LRS"

+ curl 'https://management.azure.com/subscriptions/<SUBSCRIPTION ID>/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachineScaleSets/myVMSS?api-version=2018-06-01' -X PUT -d '{"sku":{"tier":"Standard","capacity":3,"name":"Standard_D1_v2"},"location":"eastus","identity":{"type":"UserAssigned","userAssignedIdentities":{"/subscriptions/<SUBSCRIPTION ID>/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ID1":{}}},"properties":{"overprovision":true,"virtualMachineProfile":{"storageProfile":{"imageReference":{"sku":"2016-Datacenter","publisher":"MicrosoftWindowsServer","version":"latest","offer":"WindowsServer"},"osDisk":{"caching":"ReadWrite","managedDisk":{"storageAccountType":"StandardSSD_LRS"},"createOption":"FromImage"}},"osProfile":{"computerNamePrefix":"myVMSS","adminUsername":"azureuser","adminPassword":"myPassword12"},"networkProfile":{"networkInterfaceConfigurations":[{"name":"myVMSS","properties":{"primary":true,"enableIPForwarding":true,"ipConfigurations":[{"name":"myVMSS","properties":{"subnet":{"id":"/subscriptions/<SUBSCRIPTION ID>/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet"}}}]}}]}},"upgradePolicy":{"mode":"Manual"}}}' -H "Content-Type: application/json" -H "Authorization: Bearer <ACCESS TOKEN>"

+ "storageAccountType":"StandardSSD_LRS"

+ curl 'https://management.azure.com/subscriptions/<SUBSCRIPTION ID>/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachineScaleSets/myVMSS?api-version=2017-12-01' -X PUT -d '{"sku":{"tier":"Standard","capacity":3,"name":"Standard_D1_v2"},"location":"eastus","identity":{"type":"UserAssigned","identityIds":["/subscriptions/<SUBSCRIPTION ID>/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ID1"]},"properties":{"overprovision":true,"virtualMachineProfile":{"storageProfile":{"imageReference":{"sku":"2016-Datacenter","publisher":"MicrosoftWindowsServer","version":"latest","offer":"WindowsServer"},"osDisk":{"caching":"ReadWrite","managedDisk":{"storageAccountType":"StandardSSD_LRS"},"createOption":"FromImage"}},"osProfile":{"computerNamePrefix":"myVMSS","adminUsername":"azureuser","adminPassword":"myPassword12"},"networkProfile":{"networkInterfaceConfigurations":[{"name":"myVMSS","properties":{"primary":true,"enableIPForwarding":true,"ipConfigurations":[{"name":"myVMSS","properties":{"subnet":{"id":"/subscriptions/<SUBSCRIPTION ID>/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet"}}}]}}]}},"upgradePolicy":{"mode":"Manual"}}}' -H "Content-Type: application/json" -H "Authorization: Bearer <ACCESS TOKEN>"

+ "storageAccountType":"StandardSSD_LRS"

+- Directory.Read.All

+- RoleManagement.ReadWrite.Directory Microsoft Graph permission is required to be able to manage the membership of such groups; Group.ReadWrite.All won't work.

+ > These values are not real. Update these values with the actual Sign-On URL and Reply URL. Contact [CloudPassage Client support team](https://fidelissecurity.com/contact/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+[24]: ./media/cloudpassage-tutorial/tutorial_cloudpassage_17.png

+ | `https://www.google.com` |

+ | `https://www.google.com/a/<yourdomain.com>` |

+ 

+1. Go to the **Menu -> Security -> Authentication -> SSO with third party IDP**.

+ 

+4. Perform the following configuration changes in the **Third-party SSO profile for your organization** tab:

+ 

+ a. Turn ON the **SSO profile for your organization**.

+ 

+ > [!NOTE]

+ > Please use the below URL for the Logout URL.

+ ```Logout URL

+ https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0

+ ```

+ c. In the **ID provider logout URL** textbox, paste the value of **Logout URL** which is explained in [Configure Azure AD SSO](#configure-azure-ad-sso) section.

+## OIDC Issuer (Preview)

+This enables an OIDC Issuer URL of the provider which allows the API server to discover public signing keys.

+### Before you begin

+You must have the following resource installed:

+* The Azure CLI

+* The `aks-preview` extension version 0.5.50 or later

+* Kubernetes version 1.19.x or above

+#### Register the `EnableOIDCIssuerPreview` feature flag

+To use the OIDC Issuer feature, you must enable the `EnableOIDCIssuerPreview` feature flag on your subscription.

+```azurecli

+az feature register --name EnableOIDCIssuerPreview --namespace Microsoft.ContainerService

+```

+You can check on the registration status by using the [az feature list][az-feature-list] command:

+```azurecli-interactive

+az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/EnableOIDCIssuerPreview')].{Name:name,State:properties.state}"

+```

+When ready, refresh the registration of the *Microsoft.ContainerService* resource provider by using the [az provider register][az-provider-register] command:

+```azurecli-interactive

+az provider register --namespace Microsoft.ContainerService

+```

+#### Install the aks-preview CLI extension

+```azurecli-interactive

+# Install the aks-preview extension

+az extension add --name aks-preview

+# Update the extension to make sure you have the latest version installed

+az extension update --name aks-preview

+```

+### Create an AKS cluster with OIDC Issuer

+To create a cluster using the OIDC Issuer.

+```azurecli-interactive

+az group create --name myResourceGroup --location eastus

+az aks create -n aks -g myResourceGroup --enable-oidc-issuer

+```

+### Upgrade an AKS cluster with OIDC Issuer

+To upgrade a cluster to use OIDC Issuer.

+```azurecli-interactive

+az aks upgrade -n aks -g myResourceGroup --enable-oidc-issuer

+```

+[aks-add-np-containerd]: windows-container-cli.md#add-a-windows-server-node-pool-with-containerd-preview

+1. In [GitHub](https://github.com/), browse to your repository, select **Settings > Secrets > New repository secret**.

+ :::image type="content" source="media/kubernetes-action/secrets.png" alt-text="Screenshot shows the Add a new secret link for a repository.":::

+ :::image type="content" source="media/kubernetes-action/kubernetes-secrets.png" alt-text="Screenshot shows existing secrets for a repository.":::

+The build and push of the container images is done using `azure/docker-login@v1` action.

+ working-directory: ./<path-to-Dockerfile-directory>

+To deploy a container image to AKS, you will need to use the `azure/k8s-deploy@v1` action. This action has five parameters:

+ kubectl create namespace ${{ env.NAMESPACE }} --dry-run=client -o json | kubectl apply -f -

+Complete your deployment with the `azure/k8s-deploy@v1` action. Replace the environment variables with values for your application.

+ working-directory: ./<path-to-Dockerfile-directory>

+ kubectl create namespace ${{ env.NAMESPACE }} --dry-run=client -o json | kubectl apply -f -

+ arguments: --force true

+ ${{ github.workspace }}/manifests/deployment.yaml

+ ${{ github.workspace }}/manifests/service.yaml

+## Kubernetes version alias (Preview)

+> Kubernetes version alias requires Azure CLI version 2.31.0 or above with the aks-preview extension installed. Please use `az upgrade` to install the latest version of the CLI.

+| \*.prod.warm.ingest.monitor.core.windows.net |

+| \*.prod.warm.ingest.monitor.core.usgovcloudapi.net |

+## Scenario: Error while onboarding a machine

+#### Issue

+You receive a `agent has a problem` error when you onboard a machine.

+### Cause

+This is a known issue. You cannot assign the same configuration again as the node remains in pending state.

+### Resolution

+The work around is to apply different test configuration and apply the original configuration again.

+Azure Maps supports various languages and views based on country/region. This article provides the supported languages and views to help guide your Azure Maps implementation.

+Azure Maps have been localized in variety languages across its services. The following table provides the supported language codes for each service.

+| Code | Name | Maps | Search | Routing | Traffic | Weather |

+|||:-:|::|:-:|:-:|:-:|

+| af-ZA | Afrikaans | | Γ£ô | Γ£ô | | |

+| ar | Arabic | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

+| bg-BG | Bulgarian | Γ£ô | Γ£ô | Γ£ô | | Γ£ô |

+| bn-BD | Bangla (Bangladesh) | | | | | Γ£ô |

+| bn-IN | Bangla (India) | | | | | Γ£ô |

+| bs-BA | Bosnian | | | | | Γ£ô |

+| ca-ES | Catalan | | Γ£ô | | | Γ£ô |

+| cs-CZ | Czech | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

+| da-DK | Danish | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

+| de-DE | German | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

+| el-GR | Greek | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

+| en-AU | English (Australia) | Γ£ô | Γ£ô | | | Γ£ô |

+| en-GB | English (Great Britain) | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

+| en-NZ | English (New Zealand) | Γ£ô | Γ£ô | | Γ£ô | Γ£ô |

+| en-US | English (USA) | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

+| es-419 | Spanish (Latin America) | | Γ£ô | | | Γ£ô |

+| es-ES | Spanish (Spain) | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

+| es-MX | Spanish (Mexico) | Γ£ô | | Γ£ô | | Γ£ô |

+| et-EE | Estonian | | Γ£ô | | Γ£ô | Γ£ô |

+| eu-ES | Basque | | Γ£ô | | | |

+| fi-FI | Finnish | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

+| fil-PH | Filipino | | | | | Γ£ô |

+| fr-CA | French (Canada) | | Γ£ô | | | Γ£ô |

+| fr-FR | French (France) | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

+| gl-ES | Galician | | Γ£ô | | | |

+| gu-IN | Gujarati | | | | | Γ£ô |

+| he-IL | Hebrew | | Γ£ô | | Γ£ô | Γ£ô |

+| hi-IN | Hindi | | | | | Γ£ô |

+| hr-HR | Croatian | | Γ£ô | | | Γ£ô |

+| hu-HU | Hungarian | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

+| id-ID | Indonesian | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

+| is-IS | Icelandic | | | | | Γ£ô |

+| it-IT | Italian | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

+| ja-JP | Japanese | | | | | Γ£ô |

+| kk-KZ | Kazakh | | Γ£ô | | | Γ£ô |

+| kn-IN | Kannada | | | | | Γ£ô |

+| ko-KR | Korean | Γ£ô | | Γ£ô | | Γ£ô |

+| lt-LT | Lithuanian | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

+| lv-LV | Latvian | | Γ£ô | | Γ£ô | Γ£ô |

+| mk-MK | Macedonian | | | | | Γ£ô |

+| mr-IN | Marathi | | | | | Γ£ô |

+| ms-MY | Malay | Γ£ô | Γ£ô | Γ£ô | | Γ£ô |

+| nb-NO | Norwegian Bokmål | ✓ | ✓ | ✓ | ✓ | ✓ |

+| NGT | Neutral Ground Truth (Local)¹ | Γ£ô | Γ£ô | | | |

+| NGT-Latn | Neutral Ground Truth (Latin)² | Γ£ô | Γ£ô | | | |

+| nl-BE | Dutch (Belgium) | | Γ£ô | | | Γ£ô |

+| nl-NL | Dutch (Netherlands) | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

+| pa-IN | Punjabi | | | | | Γ£ô |

+| pl-PL | Polish | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

+| pt-BR | Portuguese (Brazil) | Γ£ô | Γ£ô | Γ£ô | | Γ£ô |

+| pt-PT | Portuguese (Portugal) | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

+| ro-RO | Romanian | | Γ£ô | | Γ£ô | Γ£ô |

+| ru-RU | Russian | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

+| sk-SK | Slovak | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

+| sl-SI | Slovenian | Γ£ô | Γ£ô | Γ£ô | | Γ£ô |

+| sr-Cyrl-RS | Serbian (Cyrillic) | | Γ£ô | | | Γ£ô |

+| sr-Latn-RS | Serbian (Latin) | | | | | Γ£ô |

+| sv-SE | Swedish | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

+| ta-IN | Tamil | | | | | Γ£ô |

+| te-IN | Telugu | | | | | Γ£ô |

+| th-TH | Thai | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

+| tr-TR | Turkish | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

+| uk-UA | Ukrainian | | Γ£ô | | | Γ£ô |

+| ur-PK | Urdu | | | | | Γ£ô |

+| uz-Latn-UZ | Uzbek | | | | | Γ£ô |

+| vi-VN | Vietnamese | | Γ£ô | | | Γ£ô |

+| zh-HanS-CN | Chinese (Simplified, China) | Γ£ô | Γ£ô | | | Γ£ô |

+| zh-HanT-HK | Chinese (Traditional, Hong Kong SAR) | | | | | Γ£ô |

+| zh-HanT-TW | Chinese (Traditional, Taiwan) | Γ£ô | Γ£ô | Γ£ô | | Γ£ô |

+¹ Neutral Ground Truth (Local) - Official languages for all regions in local scripts if available<br>

+² Neutral Ground Truth (Latin) - Latin exonyms will be used if available

+> After August 1, 2019, the **View** parameter will define the returned map content for the new regions/countries listed above. Azure Maps **View** parameter (also referred to as "user region parameter") is a two letter ISO-3166 Country Code that will show the correct maps for that country/region specifying which set of geopolitically disputed content is returned via Azure Maps services, including borders and labels displayed on the map.

+Ensure that you have set up the View parameter as required. View parameter specifies which set of geopolitically disputed content is returned via Azure Maps services.

+| View | Description | Maps | Search |

+||-|:-:|::|

+| AE | United Arab Emirates (Arabic View) | Γ£ô | |

+| AR | Argentina (Argentinian View) | Γ£ô | Γ£ô |

+| BH | Bahrain (Arabic View) | Γ£ô | |

+| IN | India (Indian View) | Γ£ô | Γ£ô |

+| IQ | Iraq (Arabic View) | Γ£ô | |

+| JO | Jordan (Arabic View) | Γ£ô | |

+| KW | Kuwait (Arabic View) | Γ£ô | |

+| LB | Lebanon (Arabic View) | Γ£ô | |

+| MA | Morocco (Moroccan View) | Γ£ô | Γ£ô |

+| OM | Oman (Arabic View) | Γ£ô | |

+| PK | Pakistan (Pakistani View) | Γ£ô | Γ£ô |

+| PS | Palestinian Authority (Arabic View) | Γ£ô | |

+| QA | Qatar (Arabic View) | Γ£ô | |

+| SA | Saudi Arabia (Arabic View) | Γ£ô | |

+| SY | Syria (Arabic View) | Γ£ô | |

+| YE | Yemen (Arabic View) | Γ£ô | |

+| Auto | Automatically detect based on request | Γ£ô | Γ£ô |

+| Unified | Unified View (Others) | Γ£ô | Γ£ô |

+| December 2021 | Fixed issues impacting Linux Arc-enabled servers | N/A | 1.14.7.0 |

+ - Not all Log Analytics solutions are supported today. [View supported features and services](#supported-services-and-features).

+ - No support for Azure Private Links.

+ - No support for collecting file based logs or IIS logs.

+- **Current and new feature requirements:** The Azure Monitor agent introduces several new capabilities, such as filtering, scoping, and multi-homing. But it isn't at parity yet with the current agents for other functionality, such as custom log collection and integration with all solutions. ([View supported features and services](#supported-services-and-features).)

+In the **Monitor** menu in the Azure portal, select **Data Collection Rules** from the **Settings** section. Click **Create** to create a new Data Collection Rule and assignment.

+ using Microsoft.ApplicationInsights.DataContracts;

+| `db.system` | string | Identifier for the database management system (DBMS) product being used. See [list of identifiers](https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/trace/semantic_conventions/database.md#connection-level-attributes). |

+This use case is supported in Application Insights Java 3.x using [Instrumentation keys overrides (preview)](./java-standalone-config.md#instrumentation-keys-overrides-preview).

+|Activity Log JSON | Log Analytics column name<br/>*(older deprecated)* | New Log Analytics column name | Notes |

+|:|:|:|:|

+|category | Category | CategoryValue ||

+|status<br/><br/>*values are (success, start, accept, failure)* |ActivityStatus <br/><br/>*values same as JSON* |ActivityStatusValue<br/><br/>*values change to (succeeded, started, accepted, failed)* |The valid values change as shown|

+|subStatus |ActivitySubstatus |ActivitySubstatusValue||

+|operationName | OperationName | OperationNameValue |REST API localizes operation name value. Log Analytics UI always shows English. |

+|resourceProviderName | ResourceProvider | ResourceProviderValue ||

+- Deployed in any Azure region [supported](../agents/azure-monitor-agent-overview.md#supported-regions) by the Azure Monitor agent, and meeting all Azure Monitor agent [prerequisites](../agents/azure-monitor-agent-install.md#prerequisites).

+ Title: Ways to monitor Azure NetApp Files | Microsoft Docs

+description: Describes ways to monitor Azure NetApp Files, including the Activity log, metrics, and capacity utilization monitoring.

+documentationcenter: ''

+editor: ''

+ms.assetid:

+ na

+# Ways to monitor Azure NetApp Files

+This article describes ways to monitor Azure NetApp Files.

+## Azure Activity log

+The Activity log provides insight into subscription-level events. For instance, you can get information about when a resource is modified or when a virtual machine is started. You can view the activity log in the Azure portal or retrieve entries with PowerShell and CLI. This article provides details on viewing the Activity log and sending it to different destinations.

+To understand how Activity log works, see [Azure Activity log](../azure-monitor/essentials/activity-log.md).

+For Activity log warnings for Azure NetApp Files volumes, see [Activity log warnings for Azure NetApp Files volumes](troubleshoot-volumes.md#activity-log-warnings-for-volumes).

+## Azure NetApp Files metrics

+Azure NetApp Files provides metrics on allocated storage, actual storage usage, volume IOPS, and latency. By analyzing these metrics, you can gain a better understanding on the usage pattern and volume performance of your NetApp accounts.

+You can find metrics for a capacity pool or volume by selecting the **capacity pool** or **volume**. Then click **Metric** to view the available metrics.

+For more information about Azure NetApp Files metrics, see [Metrics for Azure NetApp Files](azure-netapp-files-metrics.md).

+## Capacity utilization monitoring

+It's important to monitor capacity regularly. You can monitor capacity utilization at the VM level. You can check the used and available capacity of a volume by using Windows or Linux clients. You can also configure alerts by using `ANFCapacityManager`.

+For more information, see [Monitor capacity utilization](volume-hard-quota-guidelines.md#how-to-operationalize-the-volume-hard-quota-change).

+## Next steps

+* [Azure Activity log](../azure-monitor/essentials/activity-log.md)

+* [Activity log warnings for Azure NetApp Files volumes](troubleshoot-volumes.md#activity-log-warnings-for-volumes)

+* [Metrics for Azure NetApp Files](azure-netapp-files-metrics.md)

+* [Monitor capacity utilization](volume-hard-quota-guidelines.md#how-to-operationalize-the-volume-hard-quota-change)

+## Activity log warnings for volumes

+| Warnings | Resolutions |

+|-|-|

+| The `Microsoft.NetApp/netAppAccounts/capacityPools/volumes/ScaleUp` operation displays a warning: <br> `Percentage Volume Consumed Size reached 90%` | The used size of an Azure NetApp Files volume has reached 90% of the volume quota. You should [resize the volume](azure-netapp-files-resize-capacity-pools-or-volumes.md) soon. |

+| Microsoft.Cache/redis | [listKeys](/rest/api/redis/2021-06-01/redis/list-keys) |

+To work with module registries, you must have [Bicep CLI](./install.md#deployment-environment) version **0.4.1008** or later. To use with [Azure CLI](/cli/azure/install-azure-cli), you must also have Azure CLI version **2.31.0** or later; to use with [Azure PowerShell](/powershell/azure/install-az-ps), you must also have Azure PowerShell version **7.0.0** or later.

+As with other resource types, you can set dependencies between the nested/linked templates. If the resources in one nested/linked template must be deployed before resources in a second nested/linked template, set the second template dependent on the first.

+| Microsoft.Cache/redis | [listKeys](/rest/api/redis/2021-06-01/redis/list-keys) |

+> [!NOTE]

+> Integration with App Service Environment is currently not supported.

+- [SignalR Service Trigger binding sample](https://github.com/aspnet/AzureSignalR-samples/tree/master/samples/BidirectionChat)

+## Samples

+## Clean up resources

+This Azure CLI script example creates a single database, adds it to an elastic pool, creates a failover group, and tests failover.

+## Clean up resources

+This Azure CLI script example configures SQL Database auditing and Advanced Threat Protection.

+## Clean up resources

+This Azure CLI example backs up a database in SQL Database to an Azure storage container.

+## Clean up resources

+This Azure CLI script example creates a copy of an existing database in a new server.

+## Clean up resources

+This Azure CLI script example creates a single database in Azure SQL Database and configures a server-level firewall rule. After the script has been successfully run, the database can be accessed from all Azure services and the allowed IP address range.

+## Clean up resources

+This Azure PowerShell script example creates a single database in Azure SQL Database and configures a server-level firewall rule. After the script has been successfully run, the database can be accessed from all Azure services and the allowed IP address range.

+This Azure CLI script example imports a database from a *.bacpac* file into a database in SQL Database.

+## Clean up resources

+## Clean up resources

+This Azure CLI script example creates two elastic pools, moves a pooled database in SQL Database from one SQL elastic pool into another SQL elastic pool, and then moves the pooled database out of the SQL elastic pool to be a single database in SQL Database.

+## Clean up resources

+This Azure CLI example restores a single database in Azure SQL Database to a specific point in time.

+## Clean up resources

+## Clean up resources

+This Azure CLI script example configures active geo-replication for a single database and fails it over to a secondary replica of the database.

+## Clean up resources

+## Clean up resources

+This Azure CLI script example configures active geo-replication for a pooled database in Azure SQL Database and fails it over to the secondary replica of the database.

+## Clean up resources

+You can create an Azure resource group, server, and single database using the Azure command-line interface (Azure CLI).

+Use the following command to remove the resource group and all resources associated with it using the [az group delete](/cli/azure/vm/extension#az_vm_extension_set) command - unless you have an ongoing need for these resources. Some of these resources may take a while to create, as well as to delete.

+## Clean up resources

+This Azure CLI script example restores an Azure SQL Managed Instance database from a remote geo-region (geo-restore) to a point in time.

+This sample requires an existing pair of managed instances, see [Use Azure CLI to create an Azure SQL Managed Instance](create-configure-managed-instance-cli.md) to create a pair of managed instances in different regions.

+## Clean up resources

+This Azure CLI script example configures Transparent Data Encryption (TDE) with customer-managed key for Azure SQL Managed Instance, using a key from Azure Key Vault. This is often referred to as a Bring Your Own Key scenario for TDE. To learn more about the TDE with customer-managed key, see [TDE Bring Your Own Key to Azure SQL](../../../azure-sql/database/transparent-data-encryption-byok-overview.md).

+This sample requires an existing Managed Instance, see [Use Azure CLI to create an Azure SQL Managed Instance](create-configure-managed-instance-cli.md).

+## Clean up resources

+4. Set up scheduled jobs and alerts that back up on-premises data in a virtual machine disk in Azure. For more information, see [SQL Server Backup and Restore with Azure Blob Storage](/sql/relational-databases/backup-restore/sql-server-backup-and-restore-with-microsoft-azure-blob-storage-service) and [Backup and Restore for SQL Server on Azure Virtual Machines](../../../azure-sql/virtual-machines/windows/backup-restore.md).

+For more information on running SQL Server on Azure Virtual Machines, see [SQL Server on Azure Virtual Machines Overview](sql-server-on-azure-vm-iaas-what-is-overview.md).

+## Known Issues

+If the assessment or uploading the results failed for some reason, the status of that run will indicate the failure. Clicking on the status will open a context pane where you can see the details about the failure and possible ways to remediate the issue.

+description: Audio Effects Detection is one of Azure Video Analyzer for Media AI capabilities. It can detects a various of acoustics events and classify them into different acoustic categories (for example, gunshot, screaming, crowd reaction and more).

+# Audio effects detection

+**Audio effects detection** is one of Azure Video Analyzer for Media AI capabilities. It can detects a various of acoustics events and classify them into different acoustic categories (such as dog barking, crowd reactions, laugher and more).

+Some scenarios where this feature is useful:

+- Companies with a large set of video archives can easily improve accessibility with audio effects detection. The feature provides more context for persons who are hard of hearing, and enhances video transcription with non-speech effects.

+- In the Media & Entertainment domain, the detection feature can improve efficiency when creating raw data for content creators. Important moments in promos and trailers (such as laughter, crowd reactions, gunshot, or explosion) can be identified by using **audio effects detection**.

+- In the Public Safety & Justice domain, the feature can detect and classify gunshots, explosions, and glass shattering. It can be implemented in a smart-city system or in other public environments that include cameras and microphones to offer fast and accurate detection of violence incidents.

+**Audio effect detection** can detect and classify 7 different categories. In the next table, you can find the different categories split in to the different presets, divided to **Standard** and **Advanced**. For more information, see [pricing](https://azure.microsoft.com/pricing/details/media-services/).

+| Crowd Reactions || V|

+| Gunshot or explosion ||V |

+| Alarm or siren|| V |

+| Dog barking|| V|

+ type: "Gunshot or explosion",

+## How to index audio effects

+In order to set the index process to include the detection of audio effects, the user should chose one of the **Advanced** presets under **Video + audio indexing** menu as can be seen below.

+When audio effects are retrieved in the closed caption files, they will be retrieved in square brackets the following structure:

+|SRT |00:00:00,000 00:00:03,671<br/>[Gunshot or explosion]|

+|VTT |00:00:00.000 00:00:03.671<br/>[Gunshot or explosion]|

+|TTML|Confidence: 0.9047 <br/> `<p begin="00:00:00.000" end="00:00:03.671">[Gunshot or explosion]</p>`|

+|TXT |[Gunshot or explosion]|

+|CSV |0.9047,00:00:00.000,00:00:03.671, [Gunshot or explosion]|

+Audio effects can be added to the closed captions files supported by Azure Video Analyzer for Media via the [Get video captions API](https://api-portal.videoindexer.ai/api-details#api=Operations&operation=Get-Video-Captions) by choosing true in the `includeAudioEffects` parameter or via the video.ai portal experience by selecting **Download** -> **Closed Captions** -> **Include Audio Effects**.

+* The audio effects are detected when present in non-speech segments only.

+* The model is optimized for cases where there is no loud background music.

+* Low quality audio may impact the detection results .

+* Minimal non-speech section duration is 2 seconds.

+* Music that is characterized with repetitive and/or linearly scanned frequency can be mistakenly classified as Alarm or siren.

+* The model is currently optimized for natural and non-synthetic gunshot and explosions sounds.

+* Door knocks and door slams can sometimes be mistakenly labeled as gunshot and explosions.

+* Prolonged shouting and human physical effort sounds can sometimes be mistakenly detected.

+* Group of people laughing can sometime be classified as both Laughter and Crowd reactions.

+## January 2022

+### Improved audio effects detection

+The audio effects detection capability was improved to have a better detection rate over the following classes:

+* Crowd reactions (cheering, clapping, and booing),

+* Gunshot or explosion,

+* Laughter

+For more information, see [Audio effects detection](audio-effects-detection.md).

+* **Audio effects detection**: Detects the following audio effects in the non-speech segments of the content: alarm or siren, dog barking, crowd reactions (cheering, clapping, and booing), gunshot or explosion, laughter, breaking glass, and silence.

+ The detected acoustic events are in the closed captions file. The file can be downloaded from the Video Analyzer for Media portal. For more information, see [Audio effects detection](audio-effects-detection.md).

+ > [!NOTE]

+ > The full set of events is available only when you choose **Advanced Audio Analysis** when uploading a file, in upload preset. By default, only silence is detected.

+If you want to selectively back up a few disks and exclude others as mentioned in [these scenarios](selective-disk-backup-restore.md#scenarios), you can configure protection and backup only the relevant disks as documented [here](selective-disk-backup-restore.md#enable-backup-with-powershell).

+Azure VM backup provides a capability to selectively exclude or include disks which are helpful in [these scenarios](selective-disk-backup-restore.md#scenarios). If the virtual machine is already protected by Azure VM backup and if all disks are backed up, then you can modify the protection to selectively include or exclude disks as mentioned [here](selective-disk-backup-restore.md#modify-protection-for-already-backed-up-vms-with-powershell).

+If you wish to use the vault's system assigned managed identity to restore disks, pass an additional flag ***-UseSystemAssignedIdentity*** to the Restore-AzRecoveryServicesBackupItem command. If you wish to use a user-assigned managed identity, pass a parameter ***-UserAssignedIdentityId*** with the Azure Resource Manager ID of the vault's managed identity as the value of the parameter. Refer to [this article](encryption-at-rest-with-cmk.md#enable-managed-identity-for-your-recovery-services-vault) to learn how to enable managed identity for your vaults.

+#### Cross-zonal restore

+You can restore [Azure zone pinned VMs](../virtual-machines/windows/create-portal-availability-zone.md) in any [availability zones](../availability-zones/az-overview.md) of the same region.

+To restore a VM to another zone, specify the `TargetZoneNumber` parameter in the [Restore-AzRecoveryServicesBackupItem](/powershell/module/az.recoveryservices/restore-azrecoveryservicesbackupitem) cmdlet.

+```powershell

+$restorejob = Restore-AzRecoveryServicesBackupItem -RecoveryPoint $rp[0] -StorageAccountName "DestAccount" -StorageAccountResourceGroupName "DestRG" -VaultId $targetVault.ID -TargetZoneNumber 3

+```

+The output will be similar to the following example:

+```output

+WorkloadName Operation Status StartTime EndTime JobID

+ - --

+zonevmeus2 Restore InProgress 1/3/2022 10:27:20 AM b2298...

+```

+Cross-zonal restore is supported only in scenarios where:

+- The source VM is zone pinned and is NOT encrypted.

+- The recovery point is present in vault tier only. Snapshots only or snapshot and vault tier are not supported.

+- The recovery option is to create a new VM or restore disks. Replace disks option replaces source data; therefore, the availability zone option is not applicable.

+- Creating VM/disks in the same region when vault's storage redundancy is ZRS. Note that it doesn't work if vault's storage redundancy is GRS, even though the source VM is zone pinned.

+- Creating VM/disks in the paired region when vault's storage redundancy is enabled for Cross-Region Restore and if the paired region supports zones.

+The following section lists steps necessary to create a VM using _VMConfig_ file.

+### Restore disks to secondary region

+The backup data replicates to the secondary region when you enable cross-region restore on the vault you've protected your VMs. You can use the backup data to perform a restore operation.

+To restore disks to the secondary region, use the `--use-secondary-region` flag in the [az backup restore restore-disks](/cli/azure/backup/restore#az_backup_restore_restore_disks) command. Ensure that you specify a target storage account that's located in the secondary region.

+```azurecli-interactive

+az backup restore restore-disks \

+ --resource-group myResourceGroup \

+ --vault-name myRecoveryServicesVault \

+ --container-name myVM \

+ --item-name myVM \

+ --storage-account targetStorageAccountID \

+ --rp-name myRecoveryPointName \

+ --target-resource-group targetRG

+ --use-secondary-region

+```

+### Cross-zonal restore

+You can restore [Azure zone pinned VMs](../virtual-machines/windows/create-portal-availability-zone.md) in any [availability zones](../availability-zones/az-overview.md) of the same region.

+To restore a VM to another zone, specify the `TargetZoneNumber` parameter in the [az backup restore restore-disks](/cli/azure/backup/restore#az_backup_restore_restore_disks) command.

+```azurecli-interactive

+az backup restore restore-disks \

+ --resource-group myResourceGroup \

+ --vault-name myRecoveryServicesVault \

+ --container-name myVM \

+ --item-name myVM \

+ --storage-account targetStorageAccountID \

+ --rp-name myRecoveryPointName \

+ --target-resource-group targetRG

+ --target-zone 3

+```

+Cross-zonal restore is supported only in scenarios where:

+- The source VM is zone pinned and is NOT encrypted.

+- The recovery point is present in vault tier only. Snapshots only or snapshot and vault tier are not supported.

+- The recovery option is to create a new VM or restore disks. Replace disks option replaces source data; therefore, the availability zone option is not applicable.

+- Creating VM/disks in the same region when vault's storage redundancy is ZRS. Note that it doesn't work if vault's storage redundancy is GRS, even though the source VM is zone pinned.

+- Creating VM/disks in the paired region when vault's storage redundancy is enabled for Cross-Region Restore and if the paired region supports zones.

+If you wish to use the vault's system assigned managed identity to restore disks, pass an additional flag ***--mi-system-assigned*** to the [az backup restore restore-disks](/cli/azure/backup/restore#az_backup_restore_restore_disks) command. If you wish to use a user-assigned managed identity, pass a parameter ***--mi-user-assigned*** with the Azure Resource Manager ID of the vault's managed identity as the value of the parameter. Refer to [this article](encryption-at-rest-with-cmk.md#enable-managed-identity-for-your-recovery-services-vault) to learn how to enable managed identity for your vaults.

+Save it under `$profile.CurrentUserAllHosts` (or `$profile.CurrentUserCurrentHost`), so that it can be loaded in every PowerShell in Cloud Shell session.

+| Chinese (Mandarin, Simplified) | `zh-CN` | Male | `zh-CN-YunyeNeural` | Optimized for story narrating,<br /> multiple voice styles available [using SSML](speech-synthesis-markup.md#adjust-speaking-styles) |

+Every client interaction with Azure Communication Services needs to be authenticated. In a typical architecture, see [client and server architecture](./client-and-server-architecture.md), *access keys* or *Azure AD authentication* are used for server-side authentication.

+| Identity | Access Key or Azure AD authentication |

+| SMS | Access Key or Azure AD authentication |

+| Phone Numbers | Access Key or Azure AD authentication |

+### Azure AD authentication

+The Azure platform provides role-based access (Azure RBAC) to control access to the resources. Azure RBAC security principal represents a user, group, service principal, or managed identity that is requesting access to Azure resources. Azure AD authentication provides superior security and ease of use over other authorization options. For example, by using managed identity, you avoid having to store your account access key within your code, as you do with Access Key authorization. While you can continue to use Access Key authorization with communication services applications, Microsoft recommends moving to Azure AD where possible.

+To set up a service principal, [create a registered application from the Azure CLI](../quickstarts/identity/service-principal-from-cli.md). Then, the endpoint and credentials can be used to authenticate the SDKs. See examples of how [service principal](../quickstarts/identity/service-principal.md) is used.

+Communication services support Azure AD authentication but do not support managed identity for Communication services resources. You can find more details, about the managed identity support in the [Azure Active Directory documentation](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/services-support-managed-identities).

+User access tokens are generated using the Identity SDK and are associated with users created in the Identity SDK. See an example of how to [create users and generate tokens](../quickstarts/access-tokens.md). Then, user access tokens are used to authenticate participants added to conversations in the Chat or Calling SDK. For more information, see [add chat to your app](../quickstarts/chat/get-started.md). User access token authentication is different compared to access key and Azure AD authentication in that it is used to authenticate a user rather than a secured Azure resource.

+> [Create an Azure Active Directory service principal application from the Azure CLI](../quickstarts/identity/service-principal-from-cli.md)

+Azure Communication Services clients must present `user access tokens` to access Communication Services resources securely. `User access tokens` should be generated and managed by a trusted service due to the sensitive nature of the token and the connection string or Azure AD authentication secrets necessary to generate them. Failure to properly manage access tokens can result in additional charges due to misuse of resources.

+We recommend issuing access tokens in your server-side service and not in the client's application. The reasoning is that issuing requires an access key or Azure AD authentication. Sharing secrets with the client's application isn't recommended for security reasons.

+**Voice and video calling events**

+[Communication Services voice and video calling events](/azure/event-grid/communication-services-voice-video-events) are raised for calls between a Communication Services user and Teams users.

+- [Communication Services voice and video calling events](/azure/event-grid/communication-services-voice-video-events) are not raised for Teams meeting.

+- A setup Service Principal for a development environment, see [Authorize access with service principal](./service-principal-from-cli.md)

+* [Bicep](/azure/azure-resource-manager/bicep/install)

+For most subscriptions, you can download your invoice from the [Azure portal](https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade) or have it sent in email.

+If you're an Azure customer with a direct Enterprise Agreement (EA customer), you download your organization's invoices using the information at [Download or view your Azure billing invoice](direct-ea-azure-usage-charges-invoices.md#download-or-view-your-azure-billing-invoice). For indirect EA customers, see [Azure Enterprise enrollment invoices](ea-portal-enrollment-invoices.md).

+When you enable either of these plans, all supported resources that exist within the subscription are protected. Future resources created on the same subscription will also be protected.

+| Release state: | General availability (GA) |

+| Supported VMs: | :::image type="icon" source="./medi). |

+| Required roles and permissions: | **Reader** and **SecurityReader** roles can both view the JIT status and parameters.<br>To create custom roles that can work with JIT, see [What permissions are needed to configure and use JIT?](just-in-time-access-overview.md#what-permissions-are-needed-to-configure-and-use-jit).<br>To create a least-privileged role for users that need to request JIT access to a VM, and perform no other JIT operations, use the [Set-JitLeastPrivilegedRole script](https://github.com/Azure/Azure-Security-Center/tree/main/Powershell%20scripts/JIT%20Scripts/JIT%20Custom%20Role) from the Defender for Cloud GitHub community pages. |

+| Clouds: | :::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds<br>:::image type="icon" source="./media/icons/yes-icon.png"::: National (Azure Government, Azure China 21Vianet)<br>:::image type="icon" source="./media/icons/no-icon.png"::: Connected AWS accounts |

+^{<a name="footnote1"></a>1} For any VM protected by Azure Firewall, JIT will only fully protect the machine if it's in the same VNET as the firewall. VMs using VNET peering will not be fully protected.

+## July 2021

+Updates in July include:

+- [Azure Sentinel connector now includes optional bi-directional alert synchronization (in preview)](#azure-sentinel-connector-now-includes-optional-bi-directional-alert-synchronization-in-preview)

+- [Logical reorganization of Azure Defender for Resource Manager alerts](#logical-reorganization-of-azure-defender-for-resource-manager-alerts)

+- [Enhancements to recommendation to enable Azure Disk Encryption (ADE)](#enhancements-to-recommendation-to-enable-azure-disk-encryption-ade)

+- [Continuous export of secure score and regulatory compliance data released for general availability (GA)](#continuous-export-of-secure-score-and-regulatory-compliance-data-released-for-general-availability-ga)

+- [Workflow automations can be triggered by changes to regulatory compliance assessments (GA)](#workflow-automations-can-be-triggered-by-changes-to-regulatory-compliance-assessments-ga)

+- [Assessments API field 'FirstEvaluationDate' and 'StatusChangeDate' now available in workspace schemas and logic apps](#assessments-api-field-firstevaluationdate-and-statuschangedate-now-available-in-workspace-schemas-and-logic-apps)

+- ['Compliance over time' workbook template added to Azure Monitor Workbooks gallery](#compliance-over-time-workbook-template-added-to-azure-monitor-workbooks-gallery)

+### Azure Sentinel connector now includes optional bi-directional alert synchronization (in preview)

+Security Center natively integrates with [Azure Sentinel](../sentinel/index.yml), Azure's cloud-native SIEM and SOAR solution.

+Azure Sentinel includes built-in connectors for Azure Security Center at the subscription and tenant levels. Learn more in [Stream alerts to Azure Sentinel](export-to-siem.md#stream-alerts-to-microsoft-sentinel).

+When you connect Azure Defender to Azure Sentinel, the status of Azure Defender alerts that get ingested into Azure Sentinel is synchronized between the two services. So, for example, when an alert is closed in Azure Defender, that alert will display as closed in Azure Sentinel as well. Changing the status of an alert in Azure Defender "won't"* affect the status of any Azure Sentinel **incidents** that contain the synchronized Azure Sentinel alert, only that of the synchronized alert itself.

+Enabling this preview feature, **bi-directional alert synchronization**, will automatically sync the status of the original Azure Defender alerts with Azure Sentinel incidents that contain the copies of those Azure Defender alerts. So, for example, when an Azure Sentinel incident containing an Azure Defender alert is closed, Azure Defender will automatically close the corresponding original alert.

+Learn more in [Connect Azure Defender alerts from Azure Security Center](../sentinel/connect-azure-security-center.md).

+### Logical reorganization of Azure Defender for Resource Manager alerts

+The alerts listed below were provided as part of the [Azure Defender for Resource Manager](defender-for-resource-manager-introduction.md) plan.

+As part of a logical reorganization of some of the Azure Defender plans, we've moved some alerts from **Azure Defender for Resource Manager** to **Azure Defender for servers**.

+The alerts are organized according to two main principles:

+- Alerts that provide control-plane protection - across many Azure resource types - are part of Azure Defender for Resource Manager

+- Alerts that protect specific workloads are in the Azure Defender plan that relates to the corresponding workload

+These are the alerts that were part of Azure Defender for Resource Manager, and which, as a result of this change, are now part of Azure Defender for servers:

+- ARM_AmBroadFilesExclusion

+- ARM_AmDisablementAndCodeExecution

+- ARM_AmDisablement

+- ARM_AmFileExclusionAndCodeExecution

+- ARM_AmTempFileExclusionAndCodeExecution

+- ARM_AmTempFileExclusion

+- ARM_AmRealtimeProtectionDisabled

+- ARM_AmTempRealtimeProtectionDisablement

+- ARM_AmRealtimeProtectionDisablementAndCodeExec

+- ARM_AmMalwareCampaignRelatedExclusion

+- ARM_AmTemporarilyDisablement

+- ARM_UnusualAmFileExclusion

+- ARM_CustomScriptExtensionSuspiciousCmd

+- ARM_CustomScriptExtensionSuspiciousEntryPoint

+- ARM_CustomScriptExtensionSuspiciousPayload

+- ARM_CustomScriptExtensionSuspiciousFailure

+- ARM_CustomScriptExtensionUnusualDeletion

+- ARM_CustomScriptExtensionUnusualExecution

+- ARM_VMAccessUnusualConfigReset

+- ARM_VMAccessUnusualPasswordReset

+- ARM_VMAccessUnusualSSHReset

+Learn more about the [Azure Defender for Resource Manager](defender-for-resource-manager-introduction.md) and [Azure Defender for servers](defender-for-servers-introduction.md) plans.

+### Enhancements to recommendation to enable Azure Disk Encryption (ADE)

+Following user feedback, we've renamed the recommendation **Disk encryption should be applied on virtual machines**.

+The new recommendation uses the same assessment ID and is called **Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources**.

+The description has also been updated to better explain the purpose of this hardening recommendation:

+| Recommendation | Description | Severity |

+|--|--|:--:|

+| **Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources** | By default, a virtual machineΓÇÖs OS and data disks are encrypted-at-rest using platform-managed keys; temp disks and data caches arenΓÇÖt encrypted, and data isnΓÇÖt encrypted when flowing between compute and storage resources. For a comparison of different disk encryption technologies in Azure, see https://aka.ms/diskencryptioncomparison.<br>Use Azure Disk Encryption to encrypt all this data. Disregard this recommendation if: (1) youΓÇÖre using the encryption-at-host feature, or (2) server-side encryption on Managed Disks meets your security requirements. Learn more in Server-side encryption of Azure Disk Storage. | High |

+| | | |

+### Continuous export of secure score and regulatory compliance data released for general availability (GA)

+[Continuous export](continuous-export.md) provides the mechanism for exporting your security alerts and recommendations for tracking with other monitoring tools in your environment.

+When you set up your continuous export, you configure what is exported, and where it will go. Learn more in the [overview of continuous export](continuous-export.md).

+We've enhanced and expanded this feature over time:

+- In November 2020, we added the **preview** option to stream changes to your **secure score**.<br/>For full details, see [Secure score is now available in continuous export (preview)](release-notes-archive.md#secure-score-is-now-available-in-continuous-export-preview).

+- In December 2020, we added the **preview** option to stream changes to your **regulatory compliance assessment data**.<br/>For full details, see [Continuous export gets new data types (preview)](release-notes-archive.md#continuous-export-gets-new-data-types-and-improved-deployifnotexist-policies).

+With this update, these two options are released for general availability (GA).

+### Workflow automations can be triggered by changes to regulatory compliance assessments (GA)

+In February 2021, we added a **preview** third data type to the trigger options for your workflow automations: changes to regulatory compliance assessments. Learn more in [Workflow automations can be triggered by changes to regulatory compliance assessments](release-notes-archive.md#workflow-automations-can-be-triggered-by-changes-to-regulatory-compliance-assessments-in-preview).

+With this update, this trigger option is released for general availability (GA).

+Learn how to use the workflow automation tools in [Automate responses to Security Center triggers](workflow-automation.md).

+### Assessments API field 'FirstEvaluationDate' and 'StatusChangeDate' now available in workspace schemas and logic apps

+In May 2021, we updated the Assessment API with two new fields, **FirstEvaluationDate** and **StatusChangeDate**. For full details, see [Assessments API expanded with two new fields](release-notes-archive.md#assessments-api-expanded-with-two-new-fields).

+Those fields were accessible through the REST API, Azure Resource Graph, continuous export, and in CSV exports.

+With this change, we're making the information available in the Log Analytics workspace schema and from logic apps.

+### 'Compliance over time' workbook template added to Azure Monitor Workbooks gallery

+In March, we announced the integrated Azure Monitor Workbooks experience in Security Center (see [Azure Monitor Workbooks integrated into Security Center and three templates provided](release-notes-archive.md#azure-monitor-workbooks-integrated-into-security-center-and-three-templates-provided)).

+The initial release included three templates to build dynamic and visual reports about your organization's security posture.

+We've now added a workbook dedicated to tracking a subscription's compliance with the regulatory or industry standards applied to it.

+Learn about using these reports or building your own in [Create rich, interactive reports of Security Center data](custom-dashboards-azure-workbooks.md).

+This is part of an ongoing change to this recommendation announced in our upcoming changes page.

+## January 2022

+Updates in January include:

+- [Recommendations to enable Microsoft Defender plans on workspaces (in preview)](#recommendations-to-enable-microsoft-defender-plans-on-workspaces-in-preview)

+- [Auto provision Log Analytics agent to Azure Arc-enabled machines (preview)](#auto-provision-log-analytics-agent-to-azure-arc-enabled-machines-preview)

+- [Deprecated the recommendation to classify sensitive data in SQL databases](#deprecated-the-recommendation-to-classify-sensitive-data-in-sql-databases)

+### Recommendations to enable Microsoft Defender plans on workspaces (in preview)

+To benefit from all of the security features available from [Microsoft Defender for servers](defender-for-servers-introduction.md) and [Microsoft Defender for SQL on machines](defender-for-sql-introduction.md), the plans must be enabled on **both** the subscription and workspace levels.

+When a machine is in a subscription with one of these plan enabled, you'll be billed for the full protections. However, if that machine is reporting to a workspace *without* the plan enabled, you won't actually receive those benefits.

+We've added two recommendations that highlight workspaces without these plans enabled, that nevertheless have machines reporting to them from subscriptions that *do* have the plan enabled.

+The two recommendations, which both offer automated remediation (the 'Fix' action), are:

+|Recommendation |Description |Severity |

+||||

+|[Microsoft Defender for servers should be enabled on workspaces](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/1ce68079-b783-4404-b341-d2851d6f0fa2) |Microsoft Defender for servers brings threat detection and advanced defenses for your Windows and Linux machines.<br>With this Defender plan enabled on your subscriptions but not on your workspaces, you're paying for the full capability of Microsoft Defender for servers but missing out on some of the benefits.<br>When you enable Microsoft Defender for servers on a workspace, all machines reporting to that workspace will be billed for Microsoft Defender for servers - even if they're in subscriptions without Defender plans enabled. Unless you also enable Microsoft Defender for servers on the subscription, those machines won't be able to take advantage of just-in-time VM access, adaptive application controls, and network detections for Azure resources.<br>Learn more in <a target="_blank" href="/azure/defender-for-cloud/defender-for-servers-introduction?wt.mc_id=defenderforcloud_inproduct_portal_recoremediation">Introduction to Microsoft Defender for servers</a>.<br />(No related policy) |Medium |

+|[Microsoft Defender for SQL on machines should be enabled on workspaces](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/e9c320f1-03a0-4d2b-9a37-84b3bdc2e281) |Microsoft Defender for servers brings threat detection and advanced defenses for your Windows and Linux machines.<br>With this Defender plan enabled on your subscriptions but not on your workspaces, you're paying for the full capability of Microsoft Defender for servers but missing out on some of the benefits.<br>When you enable Microsoft Defender for servers on a workspace, all machines reporting to that workspace will be billed for Microsoft Defender for servers - even if they're in subscriptions without Defender plans enabled. Unless you also enable Microsoft Defender for servers on the subscription, those machines won't be able to take advantage of just-in-time VM access, adaptive application controls, and network detections for Azure resources.<br>Learn more in <a target="_blank" href="/azure/defender-for-cloud/defender-for-servers-introduction?wt.mc_id=defenderforcloud_inproduct_portal_recoremediation">Introduction to Microsoft Defender for servers</a>.<br />(No related policy) |Medium |

+||||

+### Auto provision Log Analytics agent to Azure Arc-enabled machines (preview)

+Defender for Cloud uses the Log Analytics agent to gather security-related data from machines. The agent reads various security-related configurations and event logs and copies the data to your workspace for analysis.

+Defender for Cloud's auto provisioning settings have a toggle for each type of supported extension, including the Log Analytics agent.

+In a further expansion of our hybrid cloud features, we've added an option to auto provision the Log Analytics agent to machines connected to Azure Arc.

+As with the other other auto provisioning options, this is configured at the subscription level.

+When you enable this option, you'll be prompted for the workspace.

+> [!NOTE]

+> For this preview, you can't select the default workspaces that was created by Defender for Cloud. To ensure you receive the full set of security features available for the Azure Arc-enabled servers, verify that you have the relevant security solution installed on the selected workspace.

+### Deprecated the recommendation to classify sensitive data in SQL databases

+We've removed the recommendation **Sensitive data in your SQL databases should be classified** as part of an overhaul of how Defender for Cloud identifies and protects sensitive date in your cloud resources.

+Advance notice of this change appeared for the last six months in the [Important upcoming changes to Microsoft Defender for Cloud](upcoming-changes.md) page.

+In July, [we announced](release-notes-archive.md#azure-sentinel-connector-now-includes-optional-bi-directional-alert-synchronization-in-preview) a preview feature, **bi-directional alert synchronization**, for the built-in connector in [Microsoft Sentinel](../sentinel/index.yml) (Microsoft's cloud-native SIEM and SOAR solution). This feature is now released for general availability (GA).

+In July 2021, we announced a [logical reorganization of Azure Defender for Resource Manager alerts](release-notes-archive.md#logical-reorganization-of-azure-defender-for-resource-manager-alerts)

+Sensors monitor and analyzes mirrored traffic. In some cases, because of organization-specific network configuration policies, some information might not be transmitted.

+**Import requirements**

+**To avoid conflicts, don't import the data that you exported from one sensor to another sensor.**

+**To import:**

+**To import the IP address, OS, and patch level:**

+1. Download the [Devices settings file](https://download.microsoft.com/download/8/2/3/823c55c4-7659-4236-bfda-cc2427be2cee/CSS/devices_info_2.2.8%20and%20up.xlsx) and enter the information as follows:

+**To import the authorization status:**

+1. Download the [Authorization file](https://download.microsoft.com/download/8/2/3/823c55c4-7659-4236-bfda-cc2427be2cee/CSS/authorized_devices%20-%20example.csv) and save. Verify that you saved the file as a CSV.

+* [Endpoints and event routes](concepts-route-events.md)

+* [Endpoints and event routes](concepts-route-events.md)

+ Title: Endpoints and event routes

+To learn more about dead-lettering, see [Endpoints and event routes](concepts-route-events.md#dead-letter-events). For instructions on how to set up an endpoint with dead-lettering, continue through the rest of this section.

+To actually send data from Azure Digital Twins to an endpoint, you'll need to define an **event route**. These routes let developers wire up event flow, throughout the system and to downstream services. A single route can allow multiple notifications and event types to be selected. Read more about event routes in [Endpoints and event routes](concepts-route-events.md).

+Once a system-assigned identity is created for your Azure Digital Twins instance, you'll need to assign it appropriate roles to authenticate with different types of [endpoints](concepts-route-events.md) for routing events to supported destinations. This section describes the role options and how to assign them to the system-assigned identity.

+* **Advanced**: In this tab, you can enable a system-managed identity for your instance that can be used when forwarding events along [event routes](concepts-route-events.md). For more information about using system-managed identities with Azure Digital Twins, see [Security for Azure Digital Twins solutions](concepts-security.md#managed-identity-for-accessing-other-resources).

+> - Only Azure services can publish events to system topics. Therefore, you don't get an endpoint or access keys that you can use to publish events like you do for [custom topics](custom-topics.md) or [event domains](event-domains.md).

+Here's the current list of Azure services that support creation of system topics on them.

+> [!NOTE]

+> Azure Event Grid creates a system topic resource in the same Azure subscription that has the event source. For example, if you create a system topic for a storage account *ContosoStorage* in an Azure subscription *ContosoSubscription*, Event Grid creates the system topic in the *ContosoSubscription*. It's not possible to create a system topic in an Azure subscription that's different from the event source's Azure subscription.

+ When you use the Azure portal, you're always using this method. When you create an event subscription using the [**Events** page of an Azure resource](blob-event-quickstart-portal.md#subscribe-to-the-blob-storage), the system topic is created first and then the subscription for the topic is created. You can explicitly create a system topic first by using the [**Event Grid System Topics** page](create-view-manage-system-topics.md#create-a-system-topic) and then create a subscription for that topic.

+When you use [CLI](create-view-manage-system-topics-cli.md), [REST](/rest/api/eventgrid/version2021-12-01/event-subscriptions/create-or-update), or [Azure Resource Manager template](create-view-manage-system-topics-arm.md), you can choose either of the above methods. We recommend that you create a system topic first and then create a subscription on the topic, as it's the latest way of creating system topics.

+The system topic creation fails if you have set up Azure policies in such a way that the Event Grid service can't create it. For example, you may have a policy that allows creation of only certain types of resources (for example: Azure Storage, Azure Event Hubs, and so on.) in the subscription.

+#### PowerShell

+```azurepowershell-interactive

+[Reflection.Assembly]::LoadWithPartialName("System.Web")| out-null

+$URI="myNamespace.servicebus.windows.net/myEventHub"

+$Access_Policy_Name="RootManageSharedAccessKey"

+$Access_Policy_Key="myPrimaryKey"

+#Token expires now+300

+$Expires=([DateTimeOffset]::Now.ToUnixTimeSeconds())+300

+$SignatureString=[System.Web.HttpUtility]::UrlEncode($URI)+ "`n" + [string]$Expires

+$HMAC = New-Object System.Security.Cryptography.HMACSHA256

+$HMAC.key = [Text.Encoding]::ASCII.GetBytes($Access_Policy_Key)

+$Signature = $HMAC.ComputeHash([Text.Encoding]::ASCII.GetBytes($SignatureString))

+$Signature = [Convert]::ToBase64String($Signature)

+$SASToken = "SharedAccessSignature sr=" + [System.Web.HttpUtility]::UrlEncode($URI) + "&sig=" + [System.Web.HttpUtility]::UrlEncode($Signature) + "&se=" + $Expires + "&skn=" + $Access_Policy_Name

+$SASToken

+```

+#### BASH

+```bash

+get_sas_token() {

+ local EVENTHUB_URI=$1

+ local SHARED_ACCESS_KEY_NAME=$2

+ local SHARED_ACCESS_KEY=$3

+ local EXPIRY=${EXPIRY:=$((60 * 60 * 24))} # Default token expiry is 1 day

+ local ENCODED_URI=$(echo -n $EVENTHUB_URI | jq -s -R -r @uri)

+ local TTL=$(($(date +%s) + $EXPIRY))

+ local UTF8_SIGNATURE=$(printf "%s\n%s" $ENCODED_URI $TTL | iconv -t utf8)

+ local HASH=$(echo -n "$UTF8_SIGNATURE" | openssl sha256 -hmac $SHARED_ACCESS_KEY -binary | base64)

+ local ENCODED_HASH=$(echo -n $HASH | jq -s -R -r @uri)

+ echo -n "SharedAccessSignature sr=$ENCODED_URI&sig=$ENCODED_HASH&se=$TTL&skn=$SHARED_ACCESS_KEY_NAME"

+}

+```

+2. Generate a SAS token with an expiry time for a specific publisher by using the key generated in step1. For the sample code, see [Generating a signature(token) from a policy](#generating-a-signaturetoken-from-a-policy).

+## <a name="oms-with-firewall"></a>Prerequisites for clusters behind a firewall

+When Azure Monitor integration is enabled on a cluster, the Log Analytics agent, or Operations Management Suite (OMS) Agent, is installed on the cluster and is not updated unless you disable and re-enable Azure Monitor Integration. Complete the following steps if you need to update the OMS Agent on the cluster. If you are behind a firewall you may need to complete the [Prerequisites for clusters behind a firewall](hdinsight-hadoop-oms-log-analytics-tutorial.md?tabs=previous#oms-with-firewall) before completing these steps.

+> * Any HDI 4.0 clusters created post 27 Dec 2021 00:00 UTC are created with an updated version of the image which mitigates the log4j vulnerabilities. Hence, customers need not patch/reboot these clusters.

+Azure API for FHIR offers two delete types. There is [Delete](https://www.hl7.org/fhir/http.html#delete), which is also know as Hard + Soft Delete, and [Conditional Delete](https://www.hl7.org/fhir/http.html#3.1.0.7.1).

+Delete defined by the FHIR specification requires that after deleting a resource, subsequent non-version specific reads of a resource returns a 410 HTTP status code. Therefore, the resource is no longer found through searching. Additionally, Azure API for FHIR enables you to fully delete (including all history) the resource. To fully delete the resource, you can pass a parameter settings `hardDelete` to true `(DELETE {{FHIR_URL}}/{resource}/{id}?hardDelete=true)`. If you don't pass this parameter or set `hardDelete` to false, the historic versions of the resource will still be available.

+> If you only want to delete the history, Azure API for FHIR supports a custom operation called `$purge-history`. This operation allows you to delete the history off of a resource.

+If you don't use the hard delete parameter, then the record(s) in Azure API for FHIR should still exist. The record(s) can be found by doing a history search on the resource and looking for the last version with data.

+Patch is a valuable RESTful operation when you need to update only a portion of the FHIR resource. Using Patch allows you to specify the element(s) that you want to update in the resource without having to update the entire record. FHIR defines three types of ways to Patch resources in FHIR: JSON Patch, XML Patch, and FHIR Path Patch. Azure API for FHIR supports JSON Patch and Conditional JSON Patch (which allows you to Patch a resource based on a search criteria instead of an ID). To walk through some examples of using JSON Patch, refer to the sample [REST file](https://github.com/microsoft/fhir-server/blob/main/docs/rest/PatchRequests.http).

+* Install [.NET Core 3.1 SDK](https://dotnet.microsoft.com/download) or later on your Windows-based machine. You can use the following command to check your version.

+ Registration Information received from service:

+ test-docs-hub.azure-devices.net, deviceId: device-007

+In this quickstart, you'll create a simulated device on your Windows machine. The simulated device will be configured to use a [Trusted Platform Module (TPM) attestation](concepts-tpm-attestation.md) mechanism for authentication. After you've configured your device, you'll provision it to your IoT hub using the Azure IoT Hub Device Provisioning Service. Sample code will then be used to help enroll the device with a Device Provisioning Service instance.

+* A TPM 2.0 hardware security module on your Windows-based machine.

+* Install [.NET Core 3.1 SDK](https://dotnet.microsoft.com/download) or later on your Windows-based machine. You can use the following command to check your version.

+In this section, you'll build and execute a sample that reads the endorsement key from your TPM 2.0 hardware security module. This value will be used for device enrollment with your Device Provisioning Service instance.

+1. In a command prompt, change directories to the project directory for the TPM device provisioning sample.

+ ```cmd

+ cd .\azure-iot-samples-csharp\provisioning\Samples\device\TpmSample

+ ```

+2. Type the following command to build and run the TPM device provisioning sample. Copy the endorsement key returned from your TPM 2.0 hardware security module to use later when enrolling your device.

+ ```cmd

+ dotnet run -- -e

+ ```

+1. Sign in to the [Azure portal](https://portal.azure.com).

+2. On the left-hand menu or on the portal page, select **All resources**.

+3. Select your Device Provisioning Service.

+4. In the **Settings** menu, select **Manage enrollments**.

+5. At the top of the page, select **+ Add individual enrollment**.

+6. In the **Add Enrollment** panel, enter the following information:

+ * Select **TPM** as the identity attestation *Mechanism*.

+ * Enter the *Endorsement key* you retrieved earlier from your HSM.

+ * Enter a unique *Registration ID* for your device. You will also use this registration ID when registering your device, so make a note of it for later.

+ * Select an IoT hub linked with your provisioning service.

+ * Optionally, you may provide the following information:

+ * Enter a unique *Device ID* (you can use the suggested **test-docs-device** or provide your own). Make sure to avoid sensitive data while naming your device. If you choose not to provide one, the registration ID will be used to identify the device instead.

+ * Update the **Initial device twin state** with the desired initial configuration for the device.

+ * Once complete, press the **Save** button.

+ 

+7. Select **Save**.

+6. Find the definition for the `main()` function in the same file. Make sure the `hsm_type` variable is set to `SECURE_DEVICE_TYPE_TPM` as shown below.

+1. In the Azure portal, select the **Overview** tab for your Device Provisioning Service.

+2. Copy the **_ID Scope_** value.

+ 

+3. In a command prompt, change directories to the project directory for the TPM device provisioning sample.

+ ```cmd

+ cd .\azure-iot-samples-csharp\provisioning\Samples\device\TpmSample

+ ```

+4. Run the following command to register your device. Replace `<IdScope>` with the value for the DPS you just copied and `<RegistrationId>` with the value you used when creating the device enrollment.

+ ```cmd

+ dotnet run -- -s <IdScope> -r <RegistrationId>

+ ```

+ If the device registration was successful, you'll see the following messages:

+ ```cmd/sh

+ Initializing security using the local TPM...

+ Initializing the device provisioning client...

+ Initialized for registration Id <RegistrationId>.

+ Registering with the device provisioning service...

+ Registration status: Assigned.

+ Device <RegistrationId> registered to <HubName>.azure-devices.net.

+ Creating TPM authentication for IoT Hub...

+ Testing the provisioned device with IoT Hub...

+ Sending a telemetry message...

+ Finished.

+ ```

+* Install [.NET Core 3.1 SDK](https://dotnet.microsoft.com/download) or later on your Windows-based machine. You can use the following command to check your version.

+* Install [Node.js v4.0 or above](https://nodejs.org) on your machine.

+ CertUtil: -dump command completed successfully.

+3. Enter **N** for _Do you want to input common name_.

+6. Open *_X509individual.pem_* in an editor of your choice, and copy the clipboard contents to this file.

+ * Under the *Primary certificate .pem or .cer file*, choose *Select a file* to select the certificate file *X509individual.pem* created in the previous steps.

+ * Enter a unique device ID. Make sure to avoid sensitive data while naming your device.

+4. Find the `id_scope` constant, and replace the value with your **ID Scope** value that you copied earlier.

+1. In the Azure portal, select the **Overview** tab for your Device Provisioning Service.

+ * Replace `id scope` with the **_ID Scope_** noted in **Step 1** above.

+ ```

+| `PROVISIONING_HOST` | This value is the global endpoint used for connecting to your DPS resource |

+| `PROVISIONING_IDSCOPE` | This value is the ID Scope for your DPS resource |

+| `DPS_X509_REGISTRATION_ID` | This value is the ID for your device. It must also match the subject name on the device certificate |

+| `X509_CERT_FILE` | Your device certificate filename |

+| `PASS_PHRASE` | The pass phrase you used to encrypt the certificate and private key file (`1234`). |

+> For Azure Key Vault, ensure that the application accessing the Keyvault service should be running on a platform that supports TLS 1.2 or recent version. If the application is dependent on .Net framework, it should be updated as well. You can also make the registry changes mentioned in [this article](/troubleshoot/azure/active-directory/enable-support-tls-environment) to explicitly enable the use of TLS 1.2 at OS level and for .Net framework.

+- [Azure RBAC: Built-in roles](../../role-based-access-control/built-in-roles.md)

+Azure Load Balancer has three SKUs.

+> Microsoft recommends Standard load balancer. See [Upgrade from Basic to Standard Load Balancer](upgrade-basic-standard.md) for a guided instruction on upgrading SKUs along with an upgrade script.

+>

+> Standalone VMs, availability sets, and virtual machine scale sets can be connected to only one SKU, never both. Load balancer and the public IP address SKU must match when you use them with public IP addresses. Load balancer and public IP SKUs aren't mutable.

+1. Open a browser and go to the sample application's [source GitHub repository](https://github.com/Azure-Samples/nodejs-appsvc-cosmosdb-bottleneck.git).

+ The sample application is a Node.js app that consists of an Azure App Service web component and an Azure Cosmos DB database.

+1. Select **Fork** to fork the sample application's repository to your GitHub account.

+ :::image type="content" source="./media/tutorial-cicd-azure-pipelines/fork-github-repo.png" alt-text="Screenshot that shows the button to fork the sample application's GitHub repo.":::

+In this section, you'll set up an Azure Pipelines workflow that triggers the load test. The sample application repository contains a pipelines definition file. The pipeline first deploys the sample web application to Azure App Service, and then invokes the load test. The pipeline uses an environment variable to pass the URL of the web application to the Apache JMeter script.

+1. Open a browser and go to the sample application's [source GitHub repository](https://github.com/Azure-Samples/nodejs-appsvc-cosmosdb-bottleneck.git).

+ The sample application is a Node.js app that consists of an Azure App Service web component and an Azure Cosmos DB database.

+1. Select **Fork** to fork the sample application's repository to your GitHub account.

+ :::image type="content" source="./media/tutorial-cicd-github-actions/fork-github-repo.png" alt-text="Screenshot that shows the button to fork the sample application's GitHub repo.":::

+In this section, you'll set up a GitHub Actions workflow that triggers the load test. The sample application repository contains a workflow file *SampleApp.yaml*. The workflow first deploys the sample web application to Azure App Service, and then invokes the load test. The GitHub action uses an environment variable to pass the URL of the web application to the Apache JMeter script.

+Update the *SampleApp.yaml* GitHub Actions workflow file to configure the parameters for running the load test.

+1. On the **Parameters** tab, add a new environment variable. Enter *webapp* for the **Name** and *`<yourappname>.azurewebsites.net`* for the **Value**. Replace the placeholder text `<yourappname>` with the name of the newly deployed sample application. Don't include the `https://` prefix.

+ The Apache JMeter test script uses the environment variable to retrieve the web application URL. The script then invokes the three APIs in the web application.

+ :::image type="content" source="media/tutorial-identify-bottlenecks-azure-portal/create-new-test-parameters.png" alt-text="Screenshot that shows the parameters tab to add environment variable.":::

+## Training and validation data

+The most important difference between a forecasting regression task type and regression task type within automated ML is including a feature in your training data that represents a valid time series. A regular time series has a well-defined and consistent frequency and has a value at every sample point in a continuous time span.

+You can specify separate [training data and validation data](concept-automated-ml.md#training-validation-and-test-data) directly in the `AutoMLConfig` object. Learn more about the [AutoMLConfig](#configure-experiment).

+ training_data= training_data,

+Automated machine learning automatically tries different models and algorithms as part of the model creation and tuning process. As a user, there is no need for you to specify the algorithm. For forecasting experiments, both native time-series and deep learning models are part of the recommendation system.

+> Traditional regression models are also tested as part of the recommendation system for forecasting experiments. See a complete list of the [supported models](/python/api/azureml-train-automl-client/azureml.train.automl.constants.supportedmodels) in the SDK reference documentation.

+Similar to a regression problem, you define standard training parameters like task type, number of iterations, training data, and number of cross-validations. Forecasting tasks require the `time_column_name` and `forecast_horizon` parameters to configure your experiment. You can also include additional parameters to better configure your run, see the [optional configurations](#optional-configurations) section for more detail on what can be included.

+| Parameter&nbsp;name | Description |

+|-|-|

+|`time_column_name`|Used to specify the datetime column in the input data used for building the time series and inferring its frequency.|

+|`forecast_horizon`|Defines how many periods forward you would like to forecast. The horizon is in units of the time series frequency. Units are based on the time interval of your training data, for example, monthly, weekly that the forecaster should predict out.|

+* Defines the `time_series_id_column_names` parameter to `auto`.

+ time_series_id_column_names='auto',

+ freq='W')

+An `Error exception` is raised for any series in the dataset that does not meet the required amount of historic data for the relevant settings specified.

+Additional optional configurations are available for forecasting tasks, such as enabling deep learning and specifying a target rolling window aggregation. A complete list of additional parameters is available in the [ForecastingParameters SDK reference documentation](/python/api/azureml-automl-core/azureml.automl.core.forecasting_parameters.forecastingparameters).

+|Function | Description

+To enable DNN for an AutoML experiment created in the Azure Machine Learning studio, see the [task type settings in the studio UI how-to](how-to-use-automated-ml-for-ml-models.md#create-and-run-experiment).

+Automated ML considers a time series a **short series** if there are not enough data points to conduct the train and validation phases of model development. The number of data points varies for each experiment, and depends on the max_horizon, the number of cross validation splits, and the length of the model lookback, that is the maximum of history that's needed to construct the time-series features.

+Use the best model iteration to forecast values for data that wasn't used to train the model.

+ test_dataset, label_query, forecast_destination=pd.Timestamp(2019, 1, 8))

+ test_dataset, label_query, forecast_destination=pd.Timestamp(2019, 1, 8))

+You can calculate model metrics like, root mean squared error (RMSE) or mean absolute percentage error (MAPE) to help you estimate the models performance. See the Evaluate section of the [Bike share demand notebook](https://github.com/Azure/azureml-examples/blob/main/python-sdk/tutorials/automl-with-azureml/forecasting-bike-share/auto-ml-forecasting-bike-share.ipynb) for an example.

+After the overall model accuracy has been determined, the most realistic next step is to use the model to forecast unknown future values.

+Supply a data set in the same format as the test set `test_dataset` but with future datetimes, and the resulting prediction set is the forecasted values for each time-series step. Assume the last time-series records in the data set were for 12/31/2018. To forecast demand for the next day (or as many periods as you need to forecast, <= `forecast_horizon`), create a single time series record for each store for 01/01/2019.

+Repeat the necessary steps to load this future data to a dataframe and then run `best_run.forecast_quantiles(test_dataset)` to predict future values.

+The following code demonstrates the key parameters users need to set up their many models run. See the [Many Models- Automated ML notebook](https://github.com/Azure/azureml-examples/blob/main/python-sdk/tutorials/automl-with-azureml/forecasting-many-models/auto-ml-forecasting-many-models.ipynb) for a many models forecasting example

+The following code demonstrates the key parameters to set up your hierarchical time series forecasting runs. See the [Hierarchical time series- Automated ML notebook](https://github.com/Azure/azureml-examples/blob/main/python-sdk/tutorials/automl-with-azureml/forecasting-hierarchical-timeseries/auto-ml-forecasting-hierarchical-timeseries.ipynb), for an end to end example.

+**Frequency detection** |Passed <br><br><br><br> Done |<br> The time series was analyzed, and all data points are aligned with the detected frequency. <br> <br> The time series was analyzed, and data points that don't align with the detected frequency were detected. These data points were removed from the dataset.

+## Supported languages for BERT in AutoML

+AutoML currently supports around 100 languages and depending on the dataset's language, AutoML chooses the appropriate BERT model. For German data, we use the German BERT model. For English, we use the English BERT model. For all other languages, we use the multilingual BERT model.

+ * Attempting to export a template for a workspace from the Azure portal may return an error similar to the following text: `Could not get resource of the type <type>. Resources of this type will not be exported.` As a workaround, use one of the templates provided at [https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.machinelearningservices](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.machinelearningservices) as the basis for your template.

+ - "Microsoft.Network/virtualNetworks/*/read" on the virtual network resource. This permission is not needed for Azure Resource Manager (ARM) template deployments.

+* Compute clusters and instances create the following resources. If they are unable to create these resources (for example, if there is a resource lock on the resource group) then creation, scale out, or scale in, may fail.

+ * IP address.

+ * Network Security Group (NSG).

+ * Load balancer.

+* If put multiple compute instances or clusters in one virtual network, you may need to request a quota increase for one or more of your resources. The Machine Learning compute instance or cluster automatically allocates networking resources __in the resource group that contains the virtual network__. For each compute instance or cluster, the service allocates the following resources:

+ * For compute cluster or instance, it is now possible to remove the public IP address (a preview feature). If you have Azure Policy assignments prohibiting Public IP creation, then deployment of the compute cluster or instance will succeed.

+When you enable **No public IP**, your compute cluster doesn't use a public IP for communication with any dependencies. Instead, it communicates solely within the virtual network using Azure Private Link ecosystem and service/private endpoints, eliminating the need for a public IP entirely. No public IP removes access and discoverability of compute cluster nodes from the internet thus eliminating a significant threat vector. **No public IP** clusters help comply with no public IP policies many enterprises have.

+A compute cluster with **No public IP** enabled has **no inbound communication requirements** from public internet. Specifically, neither inbound NSG rule (`BatchNodeManagement`, `AzureMachineLearning`) is required. You still need to allow inbound from source of **VirtualNetwork** and any port source, to destination of **VirtualNetwork**, and destination port of **29876, 29877**.

+* If you get this error message during creation of cluster `The specified subnet has PrivateLinkServiceNetworkPolicies or PrivateEndpointNetworkEndpoints enabled`, follow the instructions from [Disable network policies for Private Link service](../private-link/disable-private-link-service-network-policy.md) and [Disable network policies for Private Endpoint](../private-link/disable-private-endpoint-network-policy.md).

+When you enable **No public IP**, your compute instance doesn't use a public IP for communication with any dependencies. Instead, it communicates solely within the virtual network using Azure Private Link ecosystem and service/private endpoints, eliminating the need for a public IP entirely. No public IP removes access and discoverability of compute instance node from the internet thus eliminating a significant threat vector. Compute instances will also do packet filtering to reject any traffic from outside virtual network. **No public IP** instances are dependent on [Azure Private Link](how-to-configure-private-link.md) for Azure Machine Learning workspace.

+A compute instance with **No public IP** enabled has **no inbound communication requirements** from public internet. Specifically, neither inbound NSG rule (`BatchNodeManagement`, `AzureMachineLearning`) is required. You still need to allow inbound from source of **VirtualNetwork**, any port source, destination of **VirtualNetwork**, and destination port of **29876, 29877, 44224**.

+Media Services lets you extract insights from your video and audio files using the audio and video analyzer presets. This article describes the analyzer presets used to extract insights. If you want more detailed insights from your videos, use the [Azure Video Analyzer for Media service](/azure/azure-video-analyzer/video-analyzer-for-media-docs/video-indexer-overview). To understand when to use Video Analyzer for Media vs. Media Services analyzer presets, check out the [comparison document](../../azure-video-analyzer/video-analyzer-for-media-docs/compare-video-indexer-with-media-services-presets.md).

+If a scheduled backup fails, our backup service tries every 20 minutes to take a backup until a successful backup is taken. These backup failures may occur due to heavy transactional production loads on the server instance.

+- If you are trying to restore a server within five days, and still receive an error after accurately following the steps discussed earlier, open a support incident for assistance. If you are trying to restore a deleted server after five days, an error is expected since the backup file cannot be found. Do not open a support ticket in this scenario. The support team cannot provide any assistance if the backup is deleted from the system.

+- If you are trying to restore a dropped server whose consequent resource group has been deleted/dropped as well, re-create the resource group with the same name before trying to restore the dropped server.

+2. Navigate to **Operators** > **OperatorHub** and search for **Open Liberty**.

+3. Select **Open Liberty** from the search results.

+5. In the page **Install Operator**, check **beta2** for **Update channel**, **All namespaces on the cluster (default)** for **Installation mode**, and **Automatic** for **Update approval**:

+6. Select **Install** and wait a minute or two until the installation completes.

+7. Observe the Open Liberty Operator is successfully installed and ready for use. If you don't, diagnose and resolve the problem before continuing.

+ > [!NOTE]

+ > ARO pull secret does not change the cost of the RH OpenShift license for ARO.

+> |[address_standardizer](http://postgis.net/docs/manual-2.5/Address_Standardizer.html) | 2.5.1 | Used to parse an address into constituent elements. |

+> |[address_standardizer_data_us](http://postgis.net/docs/manual-2.5/Address_Standardizer.html) | 2.5.1 | Address Standardizer US dataset example|

+> |[address_standardizer](http://postgis.net/docs/manual-2.5/Address_Standardizer.html) | 2.5.1 | Used to parse an address into constituent elements. |

+> |[address_standardizer_data_us](http://postgis.net/docs/manual-2.5/Address_Standardizer.html) | 2.5.1 | Address Standardizer US dataset example|

+> |[address_standardizer](http://postgis.net/docs/manual-2.5/Address_Standardizer.html) | 2.3.2 | Used to parse an address into constituent elements. |

+> |[address_standardizer_data_us](http://postgis.net/docs/manual-2.5/Address_Standardizer.html) | 2.3.2 | Address Standardizer US dataset example|

+> |[address_standardizer](http://postgis.net/docs/manual-2.5/Address_Standardizer.html) | 2.3.0 | Used to parse an address into constituent elements. |

+> |[address_standardizer_data_us](http://postgis.net/docs/manual-2.5/Address_Standardizer.html) | 2.3.0 | Address Standardizer US dataset example|

+> |[address_standardizer](http://postgis.net/docs/manual-2.5/Address_Standardizer.html) | 3.1.1 | Used to parse an address into constituent elements. |

+> |[address_standardizer_data_us](http://postgis.net/docs/manual-2.5/Address_Standardizer.html) | 3.1.1 | Address Standardizer US dataset example|

+> |[address_standardizer](http://postgis.net/docs/manual-2.5/Address_Standardizer.html) | 3.0.0 | Used to parse an address into constituent elements. |

+> |[address_standardizer_data_us](http://postgis.net/docs/manual-2.5/Address_Standardizer.html) | 3.0.0 | Address Standardizer US dataset example|

+> |[address_standardizer](http://postgis.net/docs/manual-2.5/Address_Standardizer.html) | 2.5.1 | Used to parse an address into constituent elements. |

+> |[address_standardizer_data_us](http://postgis.net/docs/manual-2.5/Address_Standardizer.html) | 2.5.1 | Address Standardizer US dataset example|

+For more information, see [Create, import, and export glossary terms](./how-to-create-import-export-glossary.md)

+The following shows an example of the properties in a role definition when displayed using [Azure PowerShell](role-definitions-list.md#azure-powershell):

+The following shows an example of the properties in a role definition when displayed using the [Azure portal](role-definitions-list.md#azure-portal), [Azure CLI](role-definitions-list.md#azure-cli), or the [REST API](role-definitions-list.md#rest-api):

+Contributor role as displayed in [Azure PowerShell](role-definitions-list.md#azure-powershell):

+Contributor role as displayed in [Azure CLI](role-definitions-list.md#azure-cli):

+The following indexer definitions are typical of what you might create for text-based and AI enrichment scenarios.

+```http

+POST /indexers?api-version=[api-version]

+All of the above properties and parameters apply to indexers that perform AI enrichment. The following properties are specific to AI enrichment: **`skillSetName`**, **`outputFieldMappings`**, **`cache`** (preview and REST only).

+```http

+POST /indexers?api-version=[api-version]

+The portal provides two options for creating an indexer: [**Import data wizard**](search-import-data-portal.md) and **New Indexer** that provides a visual editor for specifying an indexer definition. The wizard is unique in that it creates all of the required elements. Other approaches require that you have predefined a data source and index.

+To flatten relational data into a row set, you should create a SQL view, or build a query that returns parent and child records in the same row. For example, the built-in hotels sample dataset is a SQL database that has 50 records (one for each hotel), linked to room records in a related table. The query that flattens the collective data into a row set embeds all of the room information in JSON documents in each hotel record. The embedded room information is a generated by a query that uses a **FOR JSON AUTO** clause. You can learn more about this technique in [define a query that returns embedded JSON](index-sql-relational-data.md#define-a-query-that-returns-embedded-json). This is just one example; you can find other approaches that will produce the same result.

+The Defender for IoT workbooks provide guided investigations for OT entities based on open incidents, alert notifications, and activities for OT assets. They also provide a hunting experience across the MITRE ATT&CK® framework for ICS, and are designed to enable analysts, security engineers, and MSSPs to gain situational awareness of OT security posture.

+The protocol is based on the [W3C Trace-Context](https://www.w3.org/TR/trace-context/).

+| Diagnostic-Id | Unique identifier of an external call from producer to the queue. Refer to [W3C Trace-Context traceparent header](https://www.w3.org/TR/trace-context/#traceparent-header) for the format |

+### Tracking with OpenTelemetry

+Service Bus .NET Client library version 7.5.0 and later supports OpenTelemetry in experimental mode. Refer to [Distributed tracing in .NET SDK](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/core/Azure.Core/samples/Diagnostics.md#opentelemetry-with-azure-monitor-zipkin-and-others) documentation for more details.

+>- Zone to Zone disaster recovery is not supported for VMs having ZRS managed disks.

+ZRS | Supported | ZRS Managed disks are supported. If the source VM has one or more ZRS managed disks, Site Recovery ensures the target VM also has the same configuration of disks. If the source managed disks are of a different type, they cannot be converted to ZRS managed disks at target, and vice versa.

+- Check out the [automatic upgrade](./upgrade-mobility-service-preview.md) and [switch](./switch-replication-appliance-preview.md) capability for ASR replication appliance.

+ az monitor diagnostic-settings create \

+### Log entries

+The following sections show an example log entry for each supported Azure Storage service.

+##### Example log entry for Blob Storage

+`2.0;2022-01-03T20:34:54.4617505Z;PutBlob;SASSuccess;201;7;7;sas;;logsamples;blob;https://logsamples.blob.core.windows.net/container1/1.txt?se=2022-02-02T20:34:54Z&amp;sig=XXXXX&amp;sp=rwl&amp;sr=c&amp;sv=2020-04-08&amp;timeout=901;"/logsamples/container1/1.txt";xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx;0;71.197.193.44:53371;2019-12-12;654;13;337;0;13;"xxxxxxxxxxxxxxxxxxxxx==";"xxxxxxxxxxxxxxxxxxxxx==";"&quot;0x8D9CEF88004E296&quot;";Monday, 03-Jan-22 20:34:54 GMT;;"Microsoft Azure Storage Explorer, 1.20.1, win32, azcopy-node, 2.0.0, win32, AzCopy/10.11.0 Azure-Storage/0.13 (go1.15; Windows_NT)";;"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx";;;;;;;;`

+##### Example log entry for Blob Storage (Data Lake Storage Gen2 enabled)

+`2.0;2022-01-04T22:50:56.0000775Z;RenamePathFile;Success;201;49;49;authenticated;logsamples;logsamples;blob;"https://logsamples.dfs.core.windows.net/my-container/myfileorig.png?mode=legacy";"/logsamples/my-container/myfilerenamed.png";xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx;0;73.157.16.8;2020-04-08;591;0;224;0;0;;;;Friday, 11-Jun-21 17:58:15 GMT;;"Microsoft Azure Storage Explorer, 1.19.1, win32 azsdk-js-storagedatalake/12.3.1 (NODE-VERSION v12.16.3; Windows_NT 10.0.22000)";;"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx";;;;;;;;`

+##### Example log entry for Queue Storage

+`2.0;2022-01-03T20:35:04.6097590Z;PeekMessages;Success;200;5;5;authenticated;logsamples;logsamples;queue;https://logsamples.queue.core.windows.net/queue1/messages?numofmessages=32&amp;peekonly=true&amp;timeout=30;"/logsamples/queue1";xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx;0;71.197.193.44:53385;2020-04-08;536;0;232;62;0;;;;;;"Microsoft Azure Storage Explorer, 1.20.1, win32 azsdk-js-storagequeue/12.3.1 (NODE-VERSION v12.16.3; Windows_NT 10.0.22000)";;"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx";;;;;;;;`

+##### Example log entry for Table Storage

+`1.0;2022-01-03T20:35:13.0719766Z;CreateTable;Success;204;30;30;authenticated;logsamples;logsamples;table;https://logsamples.table.core.windows.net/Tables;"/logsamples/Table1";xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx;0;71.197.193.44:53389;2018-03-28;601;22;339;0;22;;;;;;"Microsoft Azure Storage Explorer, 1.20.1, win32, Azure-Storage/2.10.3 (NODE-VERSION v12.16.3; Windows_NT 10.0.22000)";;"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"`

+3. Only a single server endpoint can overlap with a DFS-R location. Multiple server endpoints overlapping with other active DFS-R locations may lead to conflicts.

+| is tightly integrated with Azure. Besides having an Azure portal deployment experience, it also uses role-based access control, Azure Active Directory, Azure Policy enforcement, and Activity log integration. With Azure Billing integration, you don't need to add a vendor contract or get more vendor approvals.<br><br>Accelerate the replication of Hadoop data between multiple sources and targets for any data architecture. With LiveData Cloud Services, your data will be available for Azure Databricks, Synapse Analytics, and HDInsight as soon as it lands, with guaranteed 100% data consistency. |[Partner page](https://www.wandisco.com/microsoft/)<br>[Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/wandisco.ldma?tab=Overview)|

+> [!NOTE]

+> - Expansion of a volume typically takes about 30 minutes.

+> - If you expand a locally pinned volume and then expand another locally pinned volume immediately afterwards, the volume expansion jobs run sequentially. The first volume expansion job must finish before the next volume expansion job can begin.

+| Authorization | To authenticate with Azure Time Series Insights, a valid OAuth 2.0 Bearer token must be passed in the [Authorization header](/rest/api/apimanagement/current-preview/authorization-server/create-or-update). |

+ "storageAccountType": "StandardSSD_LRS"

+ "storageAccountType": "StandardSSD_LRS"

+ "storageAccountType": "StandardSSD_LRS"

+[PowerShell Desired State Configuration (DSC)](/powershell/dsc/overview) is a management platform to define the configuration of target machines. DSC configurations define what to install on a machine and how to configure the host. A Local Configuration Manager (LCM) engine runs on each target node that processes requested actions based on pushed configurations.

+For more information about PowerShell DSC, [visit the PowerShell documentation center](/powershell/dsc/overview).

+When you deploy a disk pool, there are two areas that will incur billing costs: The price of the disk pool service fee itself, and the price of each individual disk added to the pool. For example, if you have a disk pool with one P30 disk added, you will be billed for the P30 disk and the disk pool. Other than the disk pool and your disks, there are no extra service charges for a disk pool and you will not be billed for the resources deployed in the managed resource group: MSP_(resource-group-name)_(diskpool-name)_(region-name).

+See the [Azure managed disk pricing page](https://azure.microsoft.com/pricing/details/managed-disks/) for regional pricing on disk pools and disks to evaluate the cost of a disk pool for you.

+- For more information about PowerShell DSC, go to the [PowerShell documentation center](/powershell/dsc/overview/).

+- For more information about PowerShell DSC, go to the [PowerShell documentation center](/powershell/dsc/overview).

+- For more information about PowerShell DSC, go to the [PowerShell documentation center](/powershell/dsc/overview).

+- For Cloud Service Provider (CSP), see the [Partner Center](/partner-center/azure-plan-get-started) or contact your partner directly.

+ "storageAccountType": "StandardSSD_LRS"

+ "storageAccountType": "StandardSSD_LRS"

+ "storageAccountType": "StandardSSD_LRS"

+ -PublishingProfileEndOfLifeDate '2030-12-01'

+- [Flowmon](https://www.flowmon.com/en/blog/azure-vtap)

+Both Azure Virtual WAN hub and Azure Route Server provide Border Gateway Protocol (BGP) peering capabilities that can be utilized by NVAs (Network Virtual Appliance) to advertise IP addresses from the NVA to the userΓÇÖs Azure virtual networks. The deployment options differ in the sense that Azure Route Server is typically deployed by a self-managed customer hub VNet whereas Azure Virtual WAN provides a zero-touch fully meshed hub service to which customers connect their various spokes end points (Azure VNET, on-premise branches with Site-to-site VPN or SDWAN, remote users with Point-to-site/Remote User VPN and Private connections with ExpressRoute) and enjoy BGP Peering for NVAs deployed in spoke VNET along with other vWAN capabilities such as transit connectivity for VNet-to-VNet , transit connectivity between VPN and ExpressRoute , custom/advanced routing, custom route association and propagation, routing intent/policies for no hassle inter-region security, Secure Hub/Azure firewall etc. For more details about Virtual WAN BGP Peering, please see [How to peer BGP with a virtual hub](scenario-bgp-peering-hub.md).