+For more information about how to set authentication strengths for external users, see [Conditional Access: Require an authentication strength for external users](../conditional-access/howto-conditional-access-policy-authentication-strength-external.md).

+- **Using 'Require one of the selected controls' with 'require authentication strength' control** - After you select authentication strengths grant control and additional controls, all the selected controls must be satisfied in order to gain access to the resource. Using **Require one of the selected controls** isn't applicable, and will default to requiring all the controls in the policy.

+- The MFA Server Migration Utility requires a new build of the MFA Server solution to be installed on your Primary MFA Server. The build makes updates to the MFA Server data file, and includes the new MFA Server Migration Utility. You donΓÇÖt have to update the WebSDK or User portal. Installing the update _doesn't_ start the migration automatically.

+|- Device limit|Azure AD limits users to five cumulative devices (mobile app instances + hardware OATH token + software OATH token) per user|

+1. Change **Azure multifactor authentication** to **On**, and then click **Manage groups**.

+A Temporary Access Pass is a time-limited passcode that can be configured for multi or single use to allow users to onboard other authentication methods including passwordless methods such as Microsoft Authenticator, FIDO2 or Windows Hello for Business.

+# Getting started with the Azure AD Multi-Factor Authentication Server

+This page covers a new installation of the server and setting it up with on-premises Active Directory. If you already have the MFA server installed and are looking to upgrade, see [Upgrade to the latest Azure AD Multi-Factor Authentication Server](howto-mfaserver-deploy-upgrade.md). If you're looking for information on installing just the web service, see [Deploying the Azure AD Multi-Factor Authentication Server Mobile App Web Service](howto-mfaserver-deploy-mobileapp.md).

+> In September 2022, Microsoft announced deprecation of Azure AD Multi-Factor Authentication Server. Beginning September 30, 2024, Azure AD Multi-Factor Authentication Server deployments will no longer service multifactor authentication (MFA) requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their usersΓÇÖ authentication data](how-to-migrate-mfa-server-to-azure-mfa-user-authentication.md) to the cloud-based Azure MFA service by using the latest Migration Utility included in the most recent [Azure MFA Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure MFA Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md).

+Before you download the Azure AD Multi-Factor Authentication Server, think about what your load and high availability requirements are. Use this information to decide how and where to deploy.

+A good guideline for the amount of memory you need is the number of users you expect to authenticate regularly.

+Do you need to set up multiple servers for high availability or load balancing? There are many ways to set up this configuration with Azure MFA Server. When you install your first Azure MFA Server, it becomes the master. Any other servers become subordinate, and automatically synchronize users and configuration with the master. Then, you can configure one primary server and have the rest act as backup, or you can set up load balancing among all the servers.

+Make sure the server that you're using for Azure AD Multi-Factor Authentication meets the following requirements:

+| Azure AD Multi-Factor Authentication Server Requirements | Description |

+* User portal - An IIS web site that allows users to enroll in Azure AD Multi-Factor Authentication (MFA) and maintain their accounts.

+All three components can be installed on the same server if the server is internet-facing. If breaking up the components, the Web Service SDK is installed on the Azure MFA application server and the User portal and Mobile App Web Service are installed on an internet-facing server.

+Follow these steps to download the Azure AD Multi-Factor Authentication Server from the Azure portal:

+The email you send should be determined by how you configure your users for two-step verification. For example, if you are able to import phone numbers from the company directory, the email should include the default phone numbers so that users know what to expect. If you do not import phone numbers, or your users are going to use the mobile app, send them an email that directs them to complete their account enrollment. Include a hyperlink to the Azure AD Multi-Factor Authentication User portal in the email.

+## How the Azure AD Multi-Factor Authentication Server handles user data

+- Set up and configure the [User portal](howto-mfaserver-deploy-userportal.md) for user self-service.

+- Set up and configure [Remote Desktop Gateway and Azure AD Multi-Factor Authentication Server using RADIUS](howto-mfaserver-nps-rdg.md).

+- [Deploy the Azure AD Multi-Factor Authentication Server Mobile App Web Service](howto-mfaserver-deploy-mobileapp.md).

+- [Advanced scenarios with Azure AD Multi-Factor Authentication and third-party VPNs](howto-mfaserver-nps-vpn.md).

+> When you set up an Azure Active Directory (Azure AD) account, you create a tenant. This is a digital representation of your organization, and is primarily associated with a domain, like Microsoft.com. If you wish to learn how applications can work with multiple tenants, refer to the [application model](/articles/active-directory/develop/application-model.md).

+ <script src="https://alcdn.msauth.net/browser/2.30.0/js/msal-browser.js"

+ integrity="sha384-L8LyrNcolaRZ4U+N06atid1fo+kBo8hdlduw0yx+gXuACcdZjjquuGZTA5uMmUdS"

+ crossorigin="anonymous"></script>

+ <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.4.1/css/bootstrap.min.css" integrity="sha384-o4ufwq3oKqc7IoCcR08YtZXmgOljhTggRwxP2CLbSqeXGtitAxwYaUln/05nJjit" crossorigin="anonymous">

+1. In the *JavaScriptSPA* folder create a *.js* file named *graphConfig.js*, which stores the Representational State Transfer ([REST](/rest/api/azure/)) endpoints. Add the following code:

+ const response = await axios.get(endpoint, options);

+2. Underneath the imports in *src/index.js* create a `PublicClientApplication` instance using the configuration from step 1.

+3. Find the `<App />` component in *src/index.js* and wrap it in the `MsalProvider` component. Your render function should look like this:

+ root.render(

+ </React.StrictMode>

+ const handleLogin = (loginType) => {

+ if (loginType === "popup") {

+ instance.loginPopup(loginRequest).catch(e => {

+ console.log(e);

+ });

+ }

+ }

+ <Button variant="secondary" className="ml-auto" onClick={() => handleLogin("popup")}>Sign in using Popup</Button>

+ const handleLogin = (loginType) => {

+ if (loginType === "redirect") {

+ instance.loginRedirect(loginRequest).catch(e => {

+ console.log(e);

+ });

+ }

+ }

+ <Button variant="secondary" className="ml-auto" onClick={() => handleLogin("redirect")}>Sign in using Redirect</Button>

+1. Now open *src/App.js* and add replace the existing content with the following code:

+ const handleLogout = (logoutType) => {

+ if (logoutType === "popup") {

+ instance.logoutPopup({

+ postLogoutRedirectUri: "/",

+ mainWindowRedirectUri: "/" // redirects the top level app after logout

+ });

+ }

+ }

+ <Button variant="secondary" className="ml-auto" onClick={() => handleLogout("popup")}>Sign out using Popup</Button>

+

+ const handleLogout = (logoutType) => {

+ if (logoutType === "redirect") {

+ instance.logoutRedirect({

+ postLogoutRedirectUri: "/",

+ });

+ }

+ }

+ <Button variant="secondary" className="ml-auto" onClick={() => handleLogout("redirect")}>Sign out using Redirect</Button>

+ ```jsx

+You can add an existing Security group to another Security group (also known as nested groups). Depending on the group types, you can add a group as a member of another group, just like a user, which applies settings like roles and access to the nested groups. You'll need the **Groups Administrator** or **User Administrator** role to edit group membership.

+You can remove an existing Security group from another Security group; however, removing the group also removes any inherited settings for its members.

+To delete a group, you'll need the **Groups Administrator** or **User Administrator** role.

+>[!IMPORTANT]

+> The steps outlined below show is how you grant access to a service using Azure RBAC. Check specific service documentation on how to grant access - for example check Azure Data Explorer for instructions. Some Azure services are in the process of adopting Azure RBAC on the data plane

+Assign the Authentication Administrator role to users who need to do the following:

+- Set or reset any authentication method (including passwords) for non-administrators and some roles. For a list of the roles that an Authentication Administrator can read or update authentication methods, see [Who can reset passwords](#who-can-reset-passwords).

+- Require users who are non-administrators or assigned to some roles to re-register against existing non-password credentials (for example, MFA or FIDO), and can also revoke **remember MFA on the device**, which prompts for MFA on the next sign-in.

+- Perform sensitive actions for some users. For more information, see [Who can perform sensitive actions](#who-can-perform-sensitive-actions).

+- Create and manage support tickets in Azure and the Microsoft 365 admin center.

+Users with this role **cannot** do the following:

+- Cannot change the credentials or reset MFA for members and owners of a [role-assignable group](groups-concept.md).

+- Cannot manage MFA settings in the legacy MFA management portal or Hardware OATH tokens. The same functions can be accomplished using the [Set-MsolUser](/powershell/module/msonline/set-msoluser) commandlet Azure AD PowerShell module.

+Assign the Authentication Policy Administrator role to users who need to do the following:

+- Configure the authentication methods policy, tenant-wide MFA settings, and password protection policy that determine which methods each user can register and use.

+- Manage Password Protection settings: smart lockout configurations and updating the custom banned passwords list.

+- Create and manage verifiable credentials.

+- Create and manage Azure support tickets.

+Users with this role **cannot** do the following:

+- Cannot update sensitive properties. For more information, see [Who can perform sensitive actions](#who-can-perform-sensitive-actions).

+- Cannot delete or restore users. For more information, see [Who can perform sensitive actions](#who-can-perform-sensitive-actions).

+- Cannot manage MFA settings in the legacy MFA management portal or Hardware OATH tokens.

+Users with this role **cannot** do the following:

+- Cannot change the credentials or reset MFA for members and owners of a [role-assignable group](groups-concept.md).

+Users with this role **cannot** do the following:

+- Cannot change the credentials or reset MFA for members and owners of a [role-assignable group](groups-concept.md).

+Assign the Privileged Authentication Administrator role to users who need to do the following:

+- Set or reset any authentication method (including passwords) for any user, including Global Administrators.

+- Delete or restore any users, including Global Administrators. For more information, see [Who can perform sensitive actions](#who-can-perform-sensitive-actions).

+- Force users to re-register against existing non-password credential (such as MFA or FIDO) and revoke **remember MFA on the device**, prompting for MFA on the next sign-in of all users.

+- Update sensitive properties for all users. For more information, see [Who can perform sensitive actions](#who-can-perform-sensitive-actions).

+- Create and manage support tickets in Azure and the Microsoft 365 admin center.

+Users with this role **cannot** do the following:

+- Cannot manage per-user MFA in the legacy MFA management portal. The same functions can be accomplished using the [Set-MsolUser](/powershell/module/msonline/set-msoluser) commandlet Azure AD PowerShell module.

+Assign the User Administrator role to users who need to do the following:

+| Permission | More information |

+| Create users | |

+| Update most user properties for all users, including all administrators | [Who can perform sensitive actions](#who-can-perform-sensitive-actions) |

+| Update sensitive properties (including user principal name) for some users | [Who can perform sensitive actions](#who-can-perform-sensitive-actions) |

+| Disable or enable some users | [Who can perform sensitive actions](#who-can-perform-sensitive-actions) |

+| Delete or restore some users | [Who can perform sensitive actions](#who-can-perform-sensitive-actions) |

+| Create and manage user views | |

+| Create and manage all groups | |

+| Assign licenses for all users, including all administrators | |

+| Reset passwords | [Who can reset passwords](#who-can-reset-passwords) |

+| Invalidate refresh tokens | [Who can reset passwords](#who-can-reset-passwords) |

+| Update (FIDO) device keys | |

+| Update password expiration policies | |

+| Create and manage support tickets in Azure and the Microsoft 365 admin center | |

+| Monitor service health | |

+Users with this role **cannot** do the following:

+- Cannot manage MFA.

+- Cannot change the credentials or reset MFA for members and owners of a [role-assignable group](groups-concept.md).

+- Cannot manage shared mailboxes.

+- Create and manage support tickets in Azure and the Microsoft 365 admin center

+In the following table, the columns list the roles that can reset passwords and invalidate refresh tokens. The rows list the roles for which their password can be reset.

+> The ability to reset a password includes the ability to update the following sensitive properties required for [self-service password reset](../authentication/concept-sspr-howitworks.md):

+## Who can perform sensitive actions

+Some administrators can perform the following sensitive actions for some users. All users can read the sensitive properties.

+| Sensitive action | Sensitive property name |

+| | |

+| Disable or enable users | `accountEnabled` |

+| Update business phone | `businessPhones` |

+| Update mobile phone | `mobilePhone` |

+| Update on-premises immutable ID | `onPremisesImmutableId` |

+| Update other emails | `otherMails` |

+| Update password profile | `passwordProfile` |

+| Update user principal name | `userPrincipalName` |

+| Delete or restore users | Not applicable |

+In the following table, the columns list the roles that can perform sensitive actions. The rows list the roles for which the sensitive action can be performed upon.

+Role that sensitive action can be performed upon | Auth Admin | User Admin | Privileged Auth Admin | Global Admin

+ Title: 'Tutorial: Azure AD SSO integration with MongoDB Atlas - SSO'

+description: Learn how to configure single sign-on between Azure Active Directory and MongoDB Atlas - SSO.

+# Tutorial: Azure AD SSO integration with MongoDB Atlas - SSO

+In this tutorial, you'll learn how to integrate MongoDB Atlas - SSO with Azure Active Directory (Azure AD). When you integrate MongoDB Atlas - SSO with Azure AD, you can:

+* Enable your users to be automatically signed in to MongoDB Atlas - SSO with their Azure AD accounts.

+* MongoDB Atlas - SSO single sign-on (SSO) enabled subscription.

+* MongoDB Atlas - SSO supports **SP** and **IDP** initiated SSO.

+* MongoDB Atlas - SSO supports **Just In Time** user provisioning.

+## Add MongoDB Atlas - SSO from the gallery

+To configure the integration of MongoDB Atlas - SSO into Azure AD, you need to add MongoDB Atlas - SSO from the gallery to your list of managed SaaS apps.

+1. In the **Add from the gallery** section, type **MongoDB Atlas - SSO** in the search box.

+1. Select **MongoDB Atlas - SSO** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for MongoDB Atlas - SSO

+Configure and test Azure AD SSO with MongoDB Atlas - SSO, by using a test user called **B.Simon**. For SSO to work, you need to establish a linked relationship between an Azure AD user and the related user in MongoDB Atlas - SSO.

+To configure and test Azure AD SSO with MongoDB Atlas - SSO, perform the following steps:

+ 1. [Create a MongoDB Atlas SSO test user](#create-a-mongodb-atlas-sso-test-user) to have a counterpart of B.Simon in MongoDB Atlas - SSO, linked to the Azure AD representation of the user.

+1. In the Azure portal, on the **MongoDB Atlas - SSO** application integration page, find the **Manage** section. Select **single sign-on**.

+ > These values are not real. Update these values with the actual Identifier, Reply URL, and Sign-on URL. To get these values, contact the [MongoDB Atlas - SSO Client support team](https://support.mongodb.com/). You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. The MongoDB Atlas - SSO application expects the SAML assertions to be in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.

+1. In addition to the preceding attributes, the MongoDB Atlas - SSO application expects a few more attributes to be passed back in the SAML response. These attributes are also pre-populated, but you can review them per your requirements.

+1. In the **Set up MongoDB Atlas - SSO** section, copy the appropriate URLs, based on your requirement.

+In this section, you'll enable B.Simon or Group 1 to use Azure single sign-on by granting access to MongoDB Atlas - SSO.

+1. In the applications list, select **MongoDB Atlas - SSO**.

+### Create a MongoDB Atlas SSO test user

+You can also use Microsoft My Apps to test the application in any mode. When you click the MongoDB Atlas - SSO tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the MongoDB Atlas - SSO for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

+Once you configure MongoDB Atlas - SSO you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

+ Title: 'Tutorial: Azure AD SSO integration with OpenText XM Fax and XM SendSecure'

+description: Learn how to configure single sign-on between Azure Active Directory and OpenText XM Fax and XM SendSecure.

+# Tutorial: Azure AD SSO integration with OpenText XM Fax and XM SendSecure

+In this tutorial, you'll learn how to integrate OpenText XM Fax and XM SendSecure with Azure Active Directory (Azure AD). When you integrate OpenText XM Fax and XM SendSecure with Azure AD, you can:

+* Control in Azure AD who has access to OpenText XM Fax and XM SendSecure.

+* Enable your users to be automatically signed-in to OpenText XM Fax and XM SendSecure with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+## Prerequisites

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* OpenText XM Fax and XM SendSecure single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+## Scenario description

+In this tutorial, you configure and test Azure AD SSO in a test environment.

+* OpenText XM Fax and XM SendSecure supports **SP** initiated SSO.

+> [!NOTE]

+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.

+## Add OpenText XM Fax and XM SendSecure from the gallery

+To configure the integration of OpenText XM Fax and XM SendSecure into Azure AD, you need to add OpenText XM Fax and XM SendSecure from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **OpenText XM Fax and XM SendSecure** in the search box.

+1. Select **OpenText XM Fax and XM SendSecure** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+ Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, and walk through the SSO configuration as well. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides)

+## Configure and test Azure AD SSO for OpenText XM Fax and XM SendSecure

+Configure and test Azure AD SSO with OpenText XM Fax and XM SendSecure using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user at OpenText XM Fax and XM SendSecure.

+To configure and test Azure AD SSO with OpenText XM Fax and XM SendSecure, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure OpenText XM Fax and XM SendSecure SSO](#configure-opentext-xm-fax-and-xm-sendsecure-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create OpenText XM Fax and XM SendSecure test user](#create-opentext-xm-fax-and-xm-sendsecure-test-user)** - to have a counterpart of B.Simon in OpenText XM Fax and XM SendSecure that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **OpenText XM Fax and XM SendSecure** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** textbox, type one of the following URLs:

+ | **Identifier** |

+ |-|

+ | `https://login.xmedius.com/` |

+ | `https://login.xmedius.eu/` |

+ | `https://login.xmedius.ca/` |

+ b. In the **Reply URL** textbox, type one of the following URLs:

+ | **Reply URL** |

+ |-|

+ | `https://login.xmedius.com/auth/saml/callback` |

+ | `https://login.xmedius.eu/auth/saml/callback` |

+ | `https://login.xmedius.ca/auth/saml/callback` |

+ c. In the **Sign-on URL** text box, type one of the following URLs:

+ | **Sign-on URL** |

+ |-|

+ | `https://login.xmedius.com/` |

+ | `https://login.xmedius.eu/` |

+ | `https://login.xmedius.ca/` |

+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up OpenText XM Fax and XM SendSecure** section, copy the appropriate URL(s) based on your requirement.

+ 

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+### Assign the Azure AD test user

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to OpenText XM Fax and XM SendSecure.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **OpenText XM Fax and XM SendSecure**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure OpenText XM Fax and XM SendSecure SSO

+To configure single sign-on on **OpenText XM Fax and XM SendSecure** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [OpenText XM Fax and XM SendSecure support team](mailto:support@opentext.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create OpenText XM Fax and XM SendSecure test user

+In this section, you create a user called Britta Simon at OpenText XM Fax and XM SendSecure. Work with [OpenText XM Fax and XM SendSecure support team](mailto:support@opentext.com) to add the users in the OpenText XM Fax and XM SendSecure platform. Users must be created and activated before you use single sign-on.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on **Test this application** in Azure portal. This will redirect to OpenText XM Fax and XM SendSecure Sign-on URL where you can initiate the login flow.

+* Go to OpenText XM Fax and XM SendSecure Sign-on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the OpenText XM Fax and XM SendSecure tile in the My Apps, this will redirect to OpenText XM Fax and XM SendSecure Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure OpenText XM Fax and XM SendSecure you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+>

+1. Sign in to Snowflake as an administrator and execute the following from either the Snowflake worksheet interface or SnowSQL.

+ create role if not exists aad_provisioner;

+ grant create user on account to role aad_provisioner;

+ grant create role on account to role aad_provisioner;

+ create or replace security integration aad_provisioning

+ type = scim

+ scim_client = 'azure'

+ run_as_role = 'AAD_PROVISIONER';

+ select system$generate_scim_access_token('AAD_PROVISIONING');

+2. Use the ACCOUNTADMIN role.

+ 

+3. Create the custom role AAD_PROVISIONER. All users and roles in Snowflake created by Azure AD will be owned by the scoped down AAD_PROVISIONER role.

+ 

+4. Let the ACCOUNTADMIN role create the security integration using the AAD_PROVISIONER custom role.

+ 

+5. Create and copy the authorization token to the clipboard and store securely for later use. Use this token for each SCIM REST API request and place it in the request header. The access token expires after six months and a new access token can be generated with this statement.

+ 

+Add Snowflake from the Azure AD application gallery to start managing provisioning to Snowflake. If you previously set up Snowflake for single sign-on (SSO), you can use the same application. However, we recommend that you create a separate app when you're initially testing the integration. [Learn more about adding an application from the gallery](../manage-apps/add-application-portal.md).

+## Step 4: Define who will be in scope for provisioning

+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application, or based on attributes of the user or group. If you choose to scope who will be provisioned to your app based on assignment, you can use the [steps to assign users and groups to the application](../manage-apps/assign-user-or-group-access-portal.md). If you choose to scope who will be provisioned based solely on attributes of the user or group, you can [use a scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+* When you're assigning users and groups to Snowflake, you must select a role other than Default Access. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the Default Access role, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add more roles.

+## Step 5: Configure automatic user provisioning to Snowflake

+ 

+ 

+ 

+ 

+5. In the **Admin Credentials** section, enter the SCIM 2.0 base URL and authentication token that you retrieved earlier in the **Tenant URL** and **Secret Token** boxes, respectively.

+ 

+ 

+ 

+ 

+ 

+* Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully.

+* Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it is to completion.

+* If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. [Learn more about quarantine states](../app-provisioning/application-provisioning-quarantine-status.md).

+Snowflake-generated SCIM tokens expire in 6 months. Be aware that you need to refresh these tokens before they expire, to allow the provisioning syncs to continue working.

+The Azure AD provisioning service currently operates under particular [IP ranges](../app-provisioning/use-scim-to-provision-users-and-groups.md#ip-ranges). If necessary, you can restrict other IP ranges and add these particular IP ranges to the allowlist of your application. That technique will allow traffic flow from the Azure AD provisioning service to your application.

+* 10/12/2022: Updated Snowflake SCIM Configuration.

+This tutorial describes the steps you need to perform in both TeamViewer and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users to [TeamViewer](https://www.teamviewer.com/buy-now/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).

+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users to the application. If you choose to scope who will be provisioned based solely on attributes of the user, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+* Start small. Test with a small set of users before rolling out to everyone. When scope for provisioning is set to assigned users, you can control this by assigning one or two usersto the app. When scope is set to all users, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users in TestApp based on user assignments in Azure AD.

+12. Define the users that you would like to provision to TeamViewer by choosing the desired values in **Scope** in the **Settings** section.

+This operation starts the initial synchronization cycle of all users defined in **Scope** in the **Settings** section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running.

+documentationcenter: ''

+writer: Thwimmer

+ms.assetid: d9bd44ed-2e9a-4a1b-b33c-cb9e9fe8ff47

+ms.devlang: na

+1. Sign in to your [Zoom Admin Console](https://zoom.us/signin). Navigate to **ADMIN > Advanced > App Marketplace** in the left navigation pane.

+ 

+ 

+ > [!NOTE]

+ > If you don't have an Azure AD app already created, then have a [JWT type Azure AD app](https://marketplace.zoom.us/docs/guides/build/jwt-app) created.

+* 10/20/2020 - Added support for two new roles "Licensed" and "on-premises" to replace existing roles "Pro" and "Corp". Support for roles "Pro" and "Corp" will be removed in the future.

+The Azure AD Verifiable Credential service supports the [W3C Status List 2021](https://w3c-ccg.github.io/vc-status-list-2021/) standard. Each Issuer tenant now has an Identity Hub endpoint used by verifiers to check on the status of a credential using a privacy-respecting mechanism. The identity hub endpoint for the tenant is also published in the DID document. This feature replaces the current status endpoint.

+> | `Microsoft.Network/virtualNetworks/joinLoadBalancer/action` | Required to configure the IP-based Load Balancer Backend Pools. |

+> [!NOTE]

+> The policy filters the immediate caller's IP address. However, if API Management is hosted behind Application Gateway, the policy considers its IP address, not the originator of the API request. Presently, IP addresses in the `X-Forwarded-For` are not considered.

+1. Configure the WAF mode.

+ > [!TIP]

+ > For a short period during setup and to test your firewall rules, you might want to configure "Detection" mode, which monitors and logs threat alerts but doesn't block traffic. You can then make any updates to firewall rules before transitioning to "Prevention" mode, which blocks intrusions and attacks that the rules detect.

+## HTTP(S) proxy

+The self-hosted gateway provides support for HTTP(S) proxy by using the traditional `HTTP_PROXY`, `HTTPS_PROXY` and `NO_PROXY` environment variables.

+Once configured, the self-hosted gateway will automatically use the proxy for all outbound HTTP(S) requests to the backend services.

+Starting with version 2.1.5 or above, the self-hosted gateway provides observability related to request proxying:

+- [API Inspector](api-management-howto-api-inspector.md) will show additional steps when HTTP(S) proxy is being used and its related interactions.

+- Verbose logs are provided to provide indication of the request proxy behavior.

+> [!Warning]

+> Ensure that the [infrastructure requirements](self-hosted-gateway-overview.md#fqdn-dependencies) have been met and that the self-hosted gateway can still connect to them or certain functionality will not work properly.

+Install @fluidframework/azure-client and "@fluidframework/test-client-utils packages and import Azure Client and InsecureTokenProvider.

+```javascript

+import { InsecureTokenProvider } from "@fluidframework/test-client-utils";

+import { AzureClient } from "@fluidframework/azure-client";

+```

+In a class library, a function is a method with a `FunctionName` and a trigger attribute, as shown in the following example:

+The `FunctionName` attribute marks the method as a function entry point. The name must be unique within a project, start with a letter and only contain letters, numbers, `_`, and `-`, up to 127 characters in length. Project templates often create a method named `Run`, but the method name can be any valid C# method name. The above example shows a static method being used, but functions aren't required to be static.

+az vm extension set --name AzureMonitorWindowsAgent --publisher Microsoft.Azure.Monitor --ids <vm-resource-id> --enable-auto-upgrade true --settings '{"authentication":{"managedIdentity":{"identifier-name":"mi_res_id","identifier-value":"/subscriptions/<my-subscription-id>/resourceGroups/<my-resource-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<my-user-assigned-identity>"}}}'

+az vm extension set --name AzureMonitorLinuxAgent --publisher Microsoft.Azure.Monitor --ids <vm-resource-id> --enable-auto-upgrade true --settings '{"authentication":{"managedIdentity":{"identifier-name":"mi_res_id","identifier-value":"/subscriptions/<my-subscription-id>/resourceGroups/<my-resource-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<my-user-assigned-identity>"}}}'

+| `[log_collection_settings.env_var] enabled =` | Boolean | true or false | This setting controls environment variable collection<br> across all pods/nodes in the cluster<br> and defaults to `enabled = true` when not specified<br> in ConfigMaps.<br> If collection of environment variables is globally enabled, you can disable it for a specific container<br> by setting the environment variable<br> `AZMON_COLLECT_ENV` to **False** either with a Dockerfile setting or in the [configuration file for the Pod](https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) under the **env:** section.<br> If collection of environment variables is globally disabled, then you cannot enable collection for a specific container (that is, the only override that can be applied at the container level is to disable collection when it's already enabled globally.). |

+The configuration change can take a few minutes to finish before taking effect, and all Azure Monitor Agent pods in the cluster will restart. The restart is a rolling restart for all Azure Monitor Agent pods, not all restart at the same time. When the restarts are finished, a message is displayed that's similar to the following and includes the result: `configmap "container-azm-ms-agentconfig" created`.

+To verify the configuration was successfully applied to a cluster, use the following command to review the logs from an agent pod: `kubectl logs ama-logs-fdf58 -n kube-system`. If there are configuration errors from the Azure Monitor Agent pods, the output will show errors similar to the following:

+The configuration change can take a few minutes to finish before taking effect, and all Azure Monitor Agent pods in the cluster will restart. The restart is a rolling restart for all Azure Monitor Agent pods, not all restart at the same time. When the restarts are finished, a message is displayed that's similar to the following and includes the result: `configmap "container-azm-ms-agentconfig" updated`.

+Supported config schema versions are available as pod annotation (schema-versions) on the Azure Monitor Agent pod. You can see them with the following kubectl command: `kubectl describe pod ama-logs-fdf58 -n=kube-system`

+ Name: ama-logs-fdf58

+ dsName=ama-logs-ds

+kubectl get ds ama-logs --namespace=kube-system

+User@aksuser:~$ kubectl get ds ama-logs --namespace=kube-system

+ama-logs 2 2 2 2 2 beta.kubernetes.io/os=linux 1d

+kubectl get ds ama-logs-windows --namespace=kube-system

+User@aksuser:~$ kubectl get ds ama-logs-windows --namespace=kube-system

+ama-logs-windows 2 2 2 2 2 beta.kubernetes.io/os=windows 1d

+kubectl get deployment ama-logs-rs -n=kube-system

+ama-logs-rs 1 1 1 1 3h

+az k8s-extension create --name azuremonitor-containers --cluster-name <cluster-name> --resource-group <resource-group> --cluster-type connectedClusters --extension-type Microsoft.AzureMonitor.Containers --configuration-settings amalogsagent.useAADAuth=true

+az k8s-extension create --name azuremonitor-containers --cluster-name <cluster-name> --resource-group <resource-group> --cluster-type connectedClusters --extension-type Microsoft.AzureMonitor.Containers --configuration-settings amalogsagent.resources.daemonset.limits.cpu=150m amalogsagent.resources.daemonset.limits.memory=600Mi amalogsagent.resources.deployment.limits.cpu=1 amalogsagent.resources.deployment.limits.memory=750Mi

+Checkout the [resource requests and limits section of Helm chart](https://github.com/helm/charts/blob/master/incubator/azuremonitor-containers/values.yaml) for the available configuration settings.

+az k8s-extension create --name azuremonitor-containers --cluster-name <cluster-name> --resource-group <resource-group> --cluster-type connectedClusters --extension-type Microsoft.AzureMonitor.Containers --configuration-settings amalogsagent.logsettings.custommountpath=/home/data/docker

+az k8s-extension create --name azuremonitor-containers --cluster-name \<cluster-name\> --resource-group \<resource-group\> --cluster-type connectedClusters --extension-type Microsoft.AzureMonitor.Containers --configuration-settings amalogsagent.useAADAuth=true logAnalyticsWorkspaceResourceID=\<workspace-resource-id\>

+- To scrape and analyze Prometheus metrics from your cluster, review [Configure Prometheus metrics scraping](container-insights-prometheus-integration.md)

+In this section you install the containerized agent for Container insights. Before proceeding, you need to identify the workspace ID required for the `amalogsagent.secret.wsid` parameter, and primary key required for the `amalogsagent.secret.key` parameter. You can identify this information by performing the following steps, and then run the commands to install the agent using the HELM chart.

+>If your Kubernetes cluster communicates through a proxy server, configure the parameter `amalogsagent.proxy` with the URL of the proxy server. If the cluster does not communicate through a proxy server, then you don't need to specify this parameter. For more information, see [Configure proxy endpoint](#configure-proxy-endpoint) later in this article.

+ --set amalogsagent.secret.wsid=<logAnalyticsWorkspaceId>,amalogsagent.secret.key=<logAnalyticsWorkspaceKey>,amalogsagent.env.clusterName=<my_prod_cluster> microsoft/azuremonitor-containers

+ --set amalogsagent.domain=opinsights.azure.cn,amalogsagent.secret.wsid=<logAnalyticsWorkspaceId>,amalogsagent.secret.key=<logAnalyticsWorkspaceKey>,amalogsagent.env.clusterName=<your_cluster_name> incubator/azuremonitor-containers

+ --set amalogsagent.domain=opinsights.azure.us,amalogsagent.secret.wsid=<logAnalyticsWorkspaceId>,amalogsagent.secret.key=<logAnalyticsWorkspaceKey>,amalogsagent.env.clusterName=<your_cluster_name> incubator/azuremonitor-containers

+Starting with chart version 2.7.1, chart will support specifying the proxy endpoint with the `amalogsagent.proxy` chart parameter. This allows it to communicate through your proxy server. Communication between the Container insights agent and Azure Monitor can be an HTTP or HTTPS proxy server, and both anonymous and basic authentication (username/password) are supported.

+For example: `amalogsagent.proxy=http://user01:password@proxy01.contoso.com:8080`

+- Azure Monitor Agent replicaset pods are running

+- Azure Monitor Agent daemonset pods are running

+- Azure Monitor Agent Health service is running

+>[!NOTE]

+>The Container Insights agent name has changed from OMSAgent to Azure Monitor Agent, along with a few other resoruce names. This doc reflects the new name. Please update your commands, alerts and scripts referencing the old name. Read more about the name change in [our blog post](https://techcommunity.microsoft.com/t5/azure-monitor-status-archive/name-update-for-agent-and-associated-resources-in-azure-monitor/ba-p/3576810).

+>

+Container insights uses a containerized version of the Log Analytics agent for Linux. When a new version of the agent is released, the agent is automatically upgraded on your managed Kubernetes clusters hosted on Azure Kubernetes Service (AKS) and Azure Red Hat OpenShift version 3.x. For a [hybrid Kubernetes cluster](container-insights-hybrid-setup.md) and Azure Red Hat OpenShift version 4.x, the agent is not managed, and you need to manually upgrade the agent.

+If the agent upgrade fails for a cluster hosted on AKS or Azure Red Hat OpenShift version 3.x, this article also describes the process to manually upgrade the agent. To follow the versions released, see [agent release announcements](https://github.com/microsoft/docker-provider/tree/ci_feature_prod).

+* Run the command: `kubectl get pod <ama-logs-agent-pod-name> -n kube-system -o=jsonpath='{.spec.containers[0].image}'`. In the status returned, note the value under **Image** for Azure Monitor Agent in the *Containers* section of the output.

+### Upgrade agent on Azure Red Hat OpenShift v4

+Perform the following steps to upgrade the agent on a Kubernetes cluster running on Azure Red Hat OpenShift version 4.x.

+>[!NOTE]

+>Azure Red Hat OpenShift version 4.x only supports running in the Azure commercial cloud.

+>

+```console

+curl -o upgrade-monitoring.sh -L https://aka.ms/upgrade-monitoring-bash-script

+export azureAroV4ClusterResourceId="/subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.RedHatOpenShift/OpenShiftClusters/<clusterName>"

+bash upgrade-monitoring.sh --resource-id $ azureAroV4ClusterResourceId

+```

+Run the following command to apply the change to Kubernetes clusters other than Azure Red Hat OpenShift): `kubectl apply -f <path to yaml file>`. To edit ConfigMap and apply this change for Azure Red Hat OpenShift clusters, run the command:

+```bash

+oc edit configmaps container-azm-ms-agentconfig -n openshift-azure-logging

+```

+This opens your default text editor. After setting the variable, save the file in the editor.

+ Title: Metric alerts from Container insights

+description: This article reviews the recommended metric alerts available from Container insights in public preview.

+# Recommended metric alerts (preview) from Container insights

+To alert on system resource issues when they are experiencing peak demand and running near capacity, with Container insights you would create a log alert based on performance data stored in Azure Monitor Logs. Container insights now includes pre-configured metric alert rules for your AKS and Azure Arc-enabled Kubernetes cluster, which is in public preview.

+This article reviews the experience and provides guidance on configuring and managing these alert rules.

+If you're not familiar with Azure Monitor alerts, see [Overview of alerts in Microsoft Azure](../alerts/alerts-overview.md) before you start. To learn more about metric alerts, see [Metric alerts in Azure Monitor](../alerts/alerts-metric-overview.md).

+> [!NOTE]

+> Beginning October 8, 2021, three alerts have been updated to correctly calculate the alert condition: **Container CPU %**, **Container working set memory %**, and **Persistent Volume Usage %**. These new alerts have the same names as their corresponding previously available alerts, but they use new, updated metrics. We recommend that you disable the alerts that use the "Old" metrics, described in this article, and enable the "New" metrics. The "Old" metrics will no longer be available in recommended alerts after they are disabled, but you can manually re-enable them.

+## Prerequisites

+Before you start, confirm the following:

+* Custom metrics are only available in a subset of Azure regions. A list of supported regions is documented in [Supported regions](../essentials/metrics-custom-overview.md#supported-regions).

+* To support metric alerts and the introduction of additional metrics, the minimum agent version required is **mcr.microsoft.com/azuremonitor/containerinsights/ciprod:ciprod05262020** for AKS and **mcr.microsoft.com/azuremonitor/containerinsights/ciprod:ciprod09252020** for Azure Arc-enabled Kubernetes cluster.

+ To verify your cluster is running the newer version of the agent, you can either:

+ * Run the command: `kubectl describe pod <azure-monitor-agent-pod-name> --namespace=kube-system`. In the status returned, note the value under **Image** for Azure Monitor agent in the *Containers* section of the output.

+ * On the **Nodes** tab, select the cluster node and on the **Properties** pane to the right, note the value under **Agent Image Tag**.

+ The value shown for AKS should be version **ciprod05262020** or later. The value shown for Azure Arc-enabled Kubernetes cluster should be version **ciprod09252020** or later. If your cluster has an older version, see [How to upgrade the Container insights agent](container-insights-manage-agent.md#upgrade-agent-on-aks-cluster) for steps to get the latest version.

+ For more information related to the agent release, see [agent release history](https://github.com/microsoft/docker-provider/tree/ci_feature_prod). To verify metrics are being collected, you can use Azure Monitor metrics explorer and verify from the **Metric namespace** that **insights** is listed. If it is, you can go ahead and start setting up the alerts. If you don't see any metrics collected, the cluster Service Principal or MSI is missing the necessary permissions. To verify the SPN or MSI is a member of the **Monitoring Metrics Publisher** role, follow the steps described in the section [Upgrade per cluster using Azure CLI](container-insights-update-metrics.md#update-one-cluster-by-using-the-azure-cli) to confirm and set role assignment.

+

+> [!TIP]

+> Download the new ConfigMap from [here](https://raw.githubusercontent.com/microsoft/Docker-Provider/ci_prod/kubernetes/container-azm-ms-agentconfig.yaml).

+## Alert rules overview

+To alert on what matters, Container insights includes the following metric alerts for your AKS and Azure Arc-enabled Kubernetes clusters:

+|Name| Description |Default threshold |

+|-|-||

+|**(New)Average container CPU %** |Calculates average CPU used per container.|When average CPU usage per container is greater than 95%.|

+|**(New)Average container working set memory %** |Calculates average working set memory used per container.|When average working set memory usage per container is greater than 95%. |

+|Average CPU % |Calculates average CPU used per node. |When average node CPU utilization is greater than 80% |

+| Daily Data Cap Breach | When data cap is breached| When the total data ingestion to your Log Analytics workspace exceeds the [designated quota](../logs/daily-cap.md) |

+|Average Disk Usage % |Calculates average disk usage for a node.|When disk usage for a node is greater than 80%. |

+|**(New)Average Persistent Volume Usage %** |Calculates average PV usage per pod. |When average PV usage per pod is greater than 80%.|

+|Average Working set memory % |Calculates average Working set memory for a node. |When average Working set memory for a node is greater than 80%. |

+|Restarting container count |Calculates number of restarting containers. | When container restarts are greater than 0. |

+|Failed Pod Counts |Calculates if any pod in failed state.|When a number of pods in failed state are greater than 0. |

+|Node NotReady status |Calculates if any node is in NotReady state.|When a number of nodes in NotReady state are greater than 0. |

+|OOM Killed Containers |Calculates number of OOM killed containers. |When a number of OOM killed containers is greater than 0. |

+|Pods ready % |Calculates the average ready state of pods. |When ready state of pods is less than 80%.|

+|Completed job count |Calculates number of jobs completed more than six hours ago. |When number of stale jobs older than six hours is greater than 0.|

+There are common properties across all of these alert rules:

+* All alert rules are metric based.

+* All alert rules are disabled by default.

+* All alert rules are evaluated once per minute and they look back at last 5 minutes of data.

+* Alerts rules do not have an action group assigned to them by default. You can add an [action group](../alerts/action-groups.md) to the alert either by selecting an existing action group or creating a new action group while editing the alert rule.

+* You can modify the threshold for alert rules by directly editing them. However, refer to the guidance provided in each alert rule before modifying its threshold.

+The following alert-based metrics have unique behavior characteristics compared to the other metrics:

+* *completedJobsCount* metric is only sent when there are jobs that are completed greater than six hours ago.

+* *containerRestartCount* metric is only sent when there are containers restarting.

+* *oomKilledContainerCount* metric is only sent when there are OOM killed containers.

+* *cpuExceededPercentage*, *memoryRssExceededPercentage*, and *memoryWorkingSetExceededPercentage* metrics are sent when the CPU, memory Rss, and Memory Working set values exceed the configured threshold (the default threshold is 95%). *cpuThresholdViolated*, *memoryRssThresholdViolated*, and *memoryWorkingSetThresholdViolated* metrics are equal to 0 is the usage percentage is below the threshold and are equal to 1 if the usage percentage is above the threshold. These thresholds are exclusive of the alert condition threshold specified for the corresponding alert rule. Meaning, if you want to collect these metrics and analyze them from [Metrics explorer](../essentials/metrics-getting-started.md), we recommend you configure the threshold to a value lower than your alerting threshold. The configuration related to the collection settings for their container resource utilization thresholds can be overridden in the ConfigMaps file under the section `[alertable_metrics_configuration_settings.container_resource_utilization_thresholds]`. See the section [Configure alertable metrics ConfigMaps](#configure-alertable-metrics-in-configmaps) for details related to configuring your ConfigMap configuration file.

+* *pvUsageExceededPercentage* metric is sent when the persistent volume usage percentage exceeds the configured threshold (the default threshold is 60%). *pvUsageThresholdViolated* metric is equal to 0 when the PV usage percentage is below the threshold and is equal 1 if the usage is above the threshold. This threshold is exclusive of the alert condition threshold specified for the corresponding alert rule. Meaning, if you want to collect these metrics and analyze them from [Metrics explorer](../essentials/metrics-getting-started.md), we recommend you configure the threshold to a value lower than your alerting threshold. The configuration related to the collection settings for persistent volume utilization thresholds can be overridden in the ConfigMaps file under the section `[alertable_metrics_configuration_settings.pv_utilization_thresholds]`. See the section [Configure alertable metrics ConfigMaps](#configure-alertable-metrics-in-configmaps) for details related to configuring your ConfigMap configuration file. Collection of persistent volume metrics with claims in the *kube-system* namespace are excluded by default. To enable collection in this namespace, use the section `[metric_collection_settings.collect_kube_system_pv_metrics]` in the ConfigMap file. See [Metric collection settings](./container-insights-agent-config.md#metric-collection-settings) for details.

+## Metrics collected

+The following metrics are enabled and collected, unless otherwise specified, as part of this feature. The metrics in **bold** with label "Old" are the ones replaced by "New" metrics collected for correct alert evaluation.

+|Metric namespace |Metric |Description |

+||-||

+|Insights.container/nodes |cpuUsageMillicores |CPU utilization in millicores by host.|

+|Insights.container/nodes |cpuUsagePercentage, cpuUsageAllocatablePercentage (preview) |CPU usage percentage by node and allocatable respectively.|

+|Insights.container/nodes |memoryRssBytes |Memory RSS utilization in bytes by host.|

+|Insights.container/nodes |memoryRssPercentage, memoryRssAllocatablePercentage (preview) |Memory RSS usage percentage by host and allocatable respectively.|

+|Insights.container/nodes |memoryWorkingSetBytes |Memory Working Set utilization in bytes by host.|

+|Insights.container/nodes |memoryWorkingSetPercentage, memoryRssAllocatablePercentage (preview) |Memory Working Set usage percentage by host and allocatable respectively.|

+|Insights.container/nodes |nodesCount |Count of nodes by status.|

+|Insights.container/nodes |diskUsedPercentage |Percentage of disk used on the node by device.|

+|Insights.container/pods |podCount |Count of pods by controller, namespace, node, and phase.|

+|Insights.container/pods |completedJobsCount |Completed jobs count older user configurable threshold (default is six hours) by controller, Kubernetes namespace. |

+|Insights.container/pods |restartingContainerCount |Count of container restarts by controller, Kubernetes namespace.|

+|Insights.container/pods |oomKilledContainerCount |Count of OOMkilled containers by controller, Kubernetes namespace.|

+|Insights.container/pods |podReadyPercentage |Percentage of pods in ready state by controller, Kubernetes namespace.|

+|Insights.container/containers |**(Old)cpuExceededPercentage** |CPU utilization percentage for containers exceeding user configurable threshold (default is 95.0) by container name, controller name, Kubernetes namespace, pod name.<br> Collected |

+|Insights.container/containers |**(New)cpuThresholdViolated** |Metric triggered when CPU utilization percentage for containers exceeding user configurable threshold (default is 95.0) by container name, controller name, Kubernetes namespace, pod name.<br> Collected |

+|Insights.container/containers |**(Old)memoryRssExceededPercentage** |Memory RSS percentage for containers exceeding user configurable threshold (default is 95.0) by container name, controller name, Kubernetes namespace, pod name.|

+|Insights.container/containers |**(New)memoryRssThresholdViolated** |Metric triggered when Memory RSS percentage for containers exceeding user configurable threshold (default is 95.0) by container name, controller name, Kubernetes namespace, pod name.|

+|Insights.container/containers |**(Old)memoryWorkingSetExceededPercentage** |Memory Working Set percentage for containers exceeding user configurable threshold (default is 95.0) by container name, controller name, Kubernetes namespace, pod name.|

+|Insights.container/containers |**(New)memoryWorkingSetThresholdViolated** |Metric triggered when Memory Working Set percentage for containers exceeding user configurable threshold (default is 95.0) by container name, controller name, Kubernetes namespace, pod name.|

+|Insights.container/persistentvolumes |**(Old)pvUsageExceededPercentage** |PV utilization percentage for persistent volumes exceeding user configurable threshold (default is 60.0) by claim name, Kubernetes namespace, volume name, pod name, and node name.|

+|Insights.container/persistentvolumes |**(New)pvUsageThresholdViolated** |Metric triggered when PV utilization percentage for persistent volumes exceeding user configurable threshold (default is 60.0) by claim name, Kubernetes namespace, volume name, pod name, and node name.

+## Enable alert rules

+Follow these steps to enable the metric alerts in Azure Monitor from the Azure portal. To enable using a Resource Manager template, see [Enable with a Resource Manager template](#enable-with-a-resource-manager-template).

+### From the Azure portal

+This section walks through enabling Container insights metric alert (preview) from the Azure portal.

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+2. Access to the Container insights metrics alert (preview) feature is available directly from an AKS cluster by selecting **Insights** from the left pane in the Azure portal.

+3. From the command bar, select **Recommended alerts**.

+ 

+4. The **Recommended alerts** property pane automatically displays on the right side of the page. By default, all alert rules in the list are disabled. After selecting **Enable**, the alert rule is created and the rule name updates to include a link to the alert resource.

+ 

+ After selecting the **Enable/Disable** toggle to enable the alert, an alert rule is created and the rule name updates to include a link to the actual alert resource.

+ 

+5. Alert rules are not associated with an [action group](../alerts/action-groups.md) to notify users that an alert has been triggered. Select **No action group assigned** and on the **Action Groups** page, specify an existing or create an action group by selecting **Add** or **Create**.

+ 

+### Enable with a Resource Manager template

+You can use an Azure Resource Manager template and parameters file to create the included metric alerts in Azure Monitor.

+The basic steps are as follows:

+3. Deploy the template from the Azure portal, PowerShell, or Azure CLI.

+#### Deploy through Azure portal

+1. Download and save to a local folder, the Azure Resource Manager template and parameter file, to create the alert rule using the following commands:

+2. To deploy a customized template through the portal, select **Create a resource** from the [Azure portal](https://portal.azure.com).

+3. Search for **template**, and then select **Template deployment**.

+4. Select **Create**.

+5. You see several options for creating a template, select **Build your own template in editor**.

+6. On the **Edit template page**, select **Load file** and then select the template file.

+7. On the **Edit template** page, select **Save**.

+8. On the **Custom deployment** page, specify the following and then when complete select **Purchase** to deploy the template and create the alert rule.

+ * Resource group

+ * Location

+ * Alert Name

+ * Cluster Resource ID

+#### Deploy with Azure PowerShell or CLI

+1. Download and save to a local folder, the Azure Resource Manager template and parameter file, to create the alert rule using the following commands:

+2. You can create the metric alert using the template and parameters file using PowerShell or Azure CLI.

+ Using Azure PowerShell

+ ```powershell

+ Connect-AzAccount

+ Select-AzSubscription -SubscriptionName <yourSubscriptionName>

+ New-AzResourceGroupDeployment -Name CIMetricAlertDeployment -ResourceGroupName ResourceGroupofTargetResource `

+ -TemplateFile templateFilename.json -TemplateParameterFile templateParameterFilename.parameters.json

+ ```

+ Using Azure CLI

+ ```azurecli

+ az login

+ az deployment group create \

+ --name AlertDeployment \

+ --resource-group ResourceGroupofTargetResource \

+ --template-file templateFileName.json \

+ --parameters @templateParameterFilename.parameters.json

+ ```

+ >[!NOTE]

+ >While the metric alert could be created in a different resource group to the target resource, we recommend using the same resource group as your target resource.

+## Edit alert rules

+You can view and manage Container insights alert rules, to edit its threshold or configure an [action group](../alerts/action-groups.md) for your AKS cluster. While you can perform these actions from the Azure portal and Azure CLI, it can also be done directly from your AKS cluster in Container insights.

+1. From the command bar, select **Recommended alerts**.

+2. To modify the threshold, on the **Recommended alerts** pane, select the enabled alert. In the **Edit rule**, select the **Alert criteria** you want to edit.

+ * To modify the alert rule threshold, select the **Condition**.

+ * To specify an existing or create an action group, select **Add** or **Create** under **Action group**

+To view alerts created for the enabled rules, in the **Recommended alerts** pane select **View in alerts**. You are redirected to the alert menu for the AKS cluster, where you can see all the alerts currently created for your cluster.

+## Configure alertable metrics in ConfigMaps

+Perform the following steps to configure your ConfigMap configuration file to override the default utilization thresholds. These steps are applicable only for the following alertable metrics:

+* *cpuExceededPercentage*

+* *cpuThresholdViolated*

+* *memoryRssExceededPercentage*

+* *memoryRssThresholdViolated*

+* *memoryWorkingSetExceededPercentage*

+* *memoryWorkingSetThresholdViolated*

+* *pvUsageExceededPercentage*

+* *pvUsageThresholdViolated*

+1. Edit the ConfigMap YAML file under the section `[alertable_metrics_configuration_settings.container_resource_utilization_thresholds]` or `[alertable_metrics_configuration_settings.pv_utilization_thresholds]`.

+ - To modify the *cpuExceededPercentage* threshold to 90% and begin collection of this metric when that threshold is met and exceeded, configure the ConfigMap file using the following example:

+ ```

+ [alertable_metrics_configuration_settings.container_resource_utilization_thresholds]

+ # Threshold for container cpu, metric will be sent only when cpu utilization exceeds or becomes equal to the following percentage

+ container_cpu_threshold_percentage = 90.0

+ # Threshold for container memoryRss, metric will be sent only when memory rss exceeds or becomes equal to the following percentage

+ container_memory_rss_threshold_percentage = 95.0

+ # Threshold for container memoryWorkingSet, metric will be sent only when memory working set exceeds or becomes equal to the following percentage

+ container_memory_working_set_threshold_percentage = 95.0

+ ```

+ - To modify the *pvUsageExceededPercentage* threshold to 80% and begin collection of this metric when that threshold is met and exceeded, configure the ConfigMap file using the following example:

+ ```

+ [alertable_metrics_configuration_settings.pv_utilization_thresholds]

+ # Threshold for persistent volume usage bytes, metric will be sent only when persistent volume utilization exceeds or becomes equal to the following percentage

+ pv_usage_threshold_percentage = 80.0

+ ```

+2. Run the following kubectl command: `kubectl apply -f <configmap_yaml_file.yaml>`.

+ Example: `kubectl apply -f container-azm-ms-agentconfig.yaml`.

+The configuration change can take a few minutes to finish before taking effect, and all Azure Monitor agent pods in the cluster will restart. The restart is a rolling restart for all Azure Monitor agent pods; they don't all restart at the same time. When the restarts are finished, a message is displayed that's similar to the following example and includes the result: `configmap "container-azm-ms-agentconfig" created`.

+- View [log query examples](container-insights-log-query.md) to see pre-defined queries and examples to evaluate or customize for alerting, visualizing, or analyzing your clusters.

+- To learn more about Azure Monitor and how to monitor other aspects of your Kubernetes cluster, see [View Kubernetes cluster performance](container-insights-analyze.md).

+The configuration change can take a few minutes to finish before taking effect. You must restart all Azure Monitor Agent pods manually. When the restarts are finished, a message appears that's similar to the following and includes the result `configmap "container-azm-ms-agentconfig" created`.

+To verify the configuration was successfully applied to a cluster, use the following command to review the logs from an agent pod: `kubectl logs ama-logs-fdf58 -n=kube-system`.

+If there are configuration errors from the Azure Monitor Agent pods, the output will show errors similar to the following example:

+- For Azure Red Hat OpenShift v3.x and v4.x, check the Azure Monitor Agent logs by searching the **ContainerLog** table to verify if log collection of openshift-azure-logging is enabled.

+Errors prevent Azure Monitor Agent from parsing the file, causing it to restart and use the default configuration. After you correct the errors in ConfigMap on clusters other than Azure Red Hat OpenShift v3.x, save the YAML file and apply the updated ConfigMaps by running the command `kubectl apply -f <configmap_yaml_file.yaml`.

+ `kubectl get ds ama-logs --namespace=kube-system`

+ User@aksuser:~$ kubectl get ds ama-logs --namespace=kube-system

+ ama-logs 2 2 2 2 2 beta.kubernetes.io/os=linux 1d

+ User@aksuser:~$ kubectl get ds ama-logs-windows --namespace=kube-system

+ ama-logs-windows 2 2 2 2 2 beta.kubernetes.io/os=windows 1d

+ `kubectl get deployment ama-logs-rs -n=kube-system`

+ ama-logs 1 1 1 1 3h

+ ama-logs-484hw 1/1 Running 0 1d

+ ama-logs-fkq7g 1/1 Running 0 1d

+ ama-logs-windows-6drwq 1/1 Running 0 1d

+ az role assignment list --assignee "SP/UserassignedMSI for Azure Monitor Agent" --scope "/subscriptions/<subid>/resourcegroups/<RG>/providers/Microsoft.ContainerService/managedClusters/<clustername>" --role "Monitoring Metrics Publisher"

+ For clusters with MSI, the user assigned client ID for Azure Monitor Agent changes every time monitoring is enabled and disabled, so the role assignment should exist on the current msi client ID.

+ - Verify the required label **kubernetes.azure.com/managedby: aks** is present on the Azure Monitor Agent pods using the following command:

+ `kubectl get pods --show-labels -n kube-system | grep ama-logs`

+1. Run the following commands and look for Azure Monitor Agent addon profile to verify whether the AKS monitoring addon is enabled:

+2. If the output includes an Azure Monitor Agent addon profile config with a log analytics workspace resource ID, this indicates that AKS Monitoring addon is enabled and needs to be disabled:

+Some data security-related data types collected [Microsoft Defender for Cloud](../../security-center/index.yml) or Microsoft Sentinel are collected despite any daily cap. The data types listed below will not be capped except for workspaces in which Microsoft Defender for Cloud was installed before June 19, 2017:

+- See [Analyze usage in Log Analytics workspace](analyze-usage.md) for details on analyzing the data in your workspace to determine to source of any higher than expected usage and opportunities to reduce your amount of data collected.

+- Create multiple datastores of 4-TB size for better performance. The default limit is 64 but it can be increased up to a maximum of 256 by submitting a support ticket. To submit a support ticket, go to [Create an Azure support request](../azure-portal/supportability/how-to-create-azure-support-request.md).

+- [EA customers](request-host-quota-azure-vmware-solution.md#request-host-quota-for-ea-and-mca-customers)

+- A [Microsoft Customer Agreement (MCA)](../cost-management-billing/understand/mca-overview.md) with Microsoft.

+## Request host quota for EA and MCA customers

+Azure file shares backup is available in all regions, **except** for Germany Central (Sovereign), Germany Northeast (Sovereign), China East, China East 2, China North, China North 2, China North 3, France South, and US Gov Iowa.

+>- Supported regions

+>- Supported scenarios

+## Supported regions

+Enhanced soft delete is currently available in the following regions: West Central US, Australia East, and North Europe.

+## Supported scenarios

+- Enhanced soft delete is supported for Recovery Services vaults and Backup vaults. Also, it's supported for new and existing vaults.

+- All existing Recovery Services vaults in the preview regions are upgraded with an option to use enhanced soft delete.

+There is no retention cost for the default duration of *14* days, after which, it incurs regular backup charges. For soft delete retention *>14* days, the default period applies to the *last 14 days* of the continuous retention configured in soft delete, and then backups are permanently deleted.

+For example, you've deleted backups for one of the instances in the vault that has soft delete retention of *60* days. If you want to recover the soft deleted data after *52* days of deletion, the pricing is:

+- Standard rates (similar rates apply when the instance is in *stop protection with retain data* state) are applicable for the first *46* days (*60* days of soft delete retention configured minus *14* days of default soft delete retention).

+In this article, you'll learn about:

+> [!div class="checklist"]

+>

+> - Before you start

+> - How does immutability work?

+> - Making immutability irreversible

+> - Restricted operations

+- Immutable vault is supported for Recovery Services vaults and Backup vaults.

+**Choose a vault**

+# [Recovery Services vault](#tab/recovery-services-vault)

+| **Stop protection with delete data** | A protected item can't have its recovery points deleted before their respective expiry date. However, you can still stop protection of the instances while retaining data forever or until their expiry. |

+# [Backup vault](#tab/backup-vault)

+| Operation type | Description |

+| | |

+| **Stop protection with delete data** | A protected item can't have its recovery points deleted before their respective expiry date. However, you can still stop protection of the instances while retaining data forever or until their expiry. |

+You can enable immutability for a vault through its properties.

+**Choose a vault**

+# [Recovery Services vault](#tab/recovery-services-vault)

+Follow these steps:

+1. Go to the **Recovery Services vault** for which you want to enable immutability.

+1. In the vault, go to **Properties** > **Immutable vault**, and then select **Settings**.

+1. On **Immutable vault**, select the **Enable vault immutability** checkbox to enable immutability for the vault.

+ Once you enable this lock, it makes immutability setting for the vault irreversible. While this helps secure the backup data in the vault, we recommend you make a well-informed decision when opting to lock. You can also test and validate how the current settings of the vault, backup policies, and so on, meet your requirements and can lock the immutability setting later.

+# [Backup vault](#tab/backup-vault)

+Follow these steps:

+1. Go to the **Backup vault** for which you want to enable immutability.

+1. In the vault, go to **Properties** > **Immutable vault**, and then select **Settings**.

+ :::image type="content" source="./media/backup-azure-immutable-vault/enable-immutable-vault-settings-backup-vault.png" alt-text="Screenshot showing how to open the Immutable vault settings for a Backup vault.":::

+1. On **Immutable vault**, select the **Enable vault immutability** checkbox to enable immutability for the vault.

+ At this point, immutability of the vault is reversible, and it can be disabled, if needed.

+1. Once you enable immutability, the option to lock the immutability for the vault appears.

+ Once you enable this lock, it makes immutability setting for the vault irreversible. While this helps secure the backup data in the vault, we recommend you to make a well-informed decision when opting to lock. You can also test and validate how the current settings of the vault, backup policies, and so on, meet your requirements, and can lock the immutability setting later.

+1. Select **Apply** to save the changes.

+ :::image type="content" source="./media/backup-azure-immutable-vault/backup-azure-enable-immutability.png" alt-text="Screenshot showing how to enable the Immutable vault settings for a Backup vault.":::

+[Restricted operations](backup-azure-immutable-vault-concept.md#restricted-operations) are disallowed on the vault. Consider the following example when trying to modify a policy to reduce its retention in a vault with immutability enabled. This example shows operation on the Recovery Services vaults; however, similar experiences apply for other operations and operations on the Backup vaults.

+You can disable immutability only for vaults that have immutability enabled, but not locked.

+**Choose a vault**

+# [Recovery Services vault](#tab/recovery-services-vault)

+Follow these steps:

+1. Go to the **Recovery Services** vault for which you want to disable immutability.

+1. In the vault, go to **Properties** > **Immutable vault**, and then select **Settings**.

+1. In the **Immutable vault** blade, clear the **Enable vault Immutability** checkbox.

+# [Backup vault](#tab/backup-vault)

+Follow these steps:

+1. Go to the **Backup vault** for which you want to disable immutability.

+1. In the vault, go to **Properties** > **Immutable vault**, and then select **Settings**.

+ :::image type="content" source="./media/backup-azure-immutable-vault/disable-immutable-vault-settings-backup-vault.png" alt-text="Screenshot showing how to open the Immutable vault settings to disable for a Backup vault.":::

+1. In the **Immutable vault** blade, clear the **Enable vault Immutability** checkbox.

+1. Select **Apply** to save the changes.

+ :::image type="content" source="./media/backup-azure-immutable-vault/backup-azure-disable-immutability.png" alt-text="Screenshot showing how to disable the Immutable vault settings for a Backup vault.":::

+- The backup traffic from servers to the Recovery Services vault is encrypted by using Advanced Encryption Standard 256.

+- When data is backed-up from on-premises servers with the MARS agent, data is encrypted with a passphrase before upload to the Azure Backup service and decrypted only after it's downloaded from Azure Backup.

+## Zone-redundant storage support

+Azure Backup now supports zone-redundant storage (ZRS).

+### Supported regions

+- Azure Backup currently supports ZRS for all workloads, except Azure Disk, in the following regions: UK South, South East Asia, Australia East, North Europe, Central US, East US 2, Brazil South, South Central US, Korea Central, Norway East, France Central, West Europe, East Asia, Sweden Central, Canada Central, India Central, South Africa North, West US 2, Japan East, East US, US Gov Virginia, Switzerland North, Qatar, UAE North, and West US 3.

+- ZRS support for Azure Disk is generally available in the following regions: UK South, Southeast Asia, Australia East, North Europe, Central US, South Central US, West Europe, West US 2, Japan East, East US, US Gov Virginia, Qatar, and West US 3.

+### Supported scenarios

+Here's the list of scenarios supported even if zone gets unavailable in the supported regions:

+- Create/List/Update Policy

+- List backup jobs

+- List of protected items

+- Update vault config

+- Create vault

+- Get vault credential file

+### Supported operations

+The following table lists the workload specific operations supported even if zone gets unavailable in the supported regions:

+| Protected workload | Supported Operations |

+| | |

+| **IAAS VM** | - Backups are successful, if the protected VM is in an active zone. <br><br> - Original location recovery (OLR) is successful, if the protected VM is in an active zone. <br><br> - Alternate location restores (ALR) to an active zone is successful. |

+| **SQL/ SAP HANA database in Azure VM** | - Backups are successful, if the protected workload is in an active zone. <br><br> - Original location recovery (OLR) is successful, if the protected workload is in an active zone. <br><br> - Alternate location restores (ALR) to an active zone is successful. |

+| **Azure Files** | Backups, OLR, and ALR are successful, if the protected file share is in a ZRS account. |

+| **Blob** | Recovery is successful, if the protected storage account is in ZRS. |

+| **Disk** | - Backups are successful, if the protected disk is in an active zone. <br><br> - Restore to an active zone is successful. |

+| **MARS** | Backups and restores are successful. |

+ "projectFileVersion": "2022-10-01-preview",

+ "language": "{LANGUAGE-CODE}",

+ "settings": {

+ "confidenceThreshold": 0

+ }

+ "compositionSetting": "{COMPOSITION-SETTING}",

+ "category": "{PREBUILT-COMPONENTS}"

+ ],

+ "regex": {

+ "expressions": [

+ {

+ "regexKey": "regex1",

+ "language": "{LANGUAGE-CODE}",

+ "regexPattern": "{REGEX-PATTERN}"

+ }

+ ]

+ },

+ "requiredComponents": [

+ "{REQUIRED-COMPONENTS}"

+|`confidenceThreshold`|`{CONFIDENCE-THRESHOLD}`|This is the threshold score below which the intent will be predicted as [none intent](none-intent.md). Values are from `0` to `1`|`0.7`|

+| `multilingual` | `true`| A boolean value that enables you to have utterances in multiple languages in your dataset and when your model is deployed you can query the model in any supported language (not necessarily included in your training documents. See [Language support](../language-support.md#multi-lingual-option) for more information about supported language codes. | `true`|

+|`sublists`|`[]`|Array containing sublists. Each sublist is a key and its associated values.|`[]`|

+|`compositionSetting`|`{COMPOSITION-SETTING}`|Rule that defines how to manage multiple components in your entity. Options are `combineComponents` or `separateComponents`. |`combineComponents`|

+| `language` | `{LANGUAGE-CODE}` | A string specifying the language code for the utterances, synonyms, and regular expressions used in your project. If your project is a multilingual project, choose the [language code](../language-support.md) of the majority of the utterances. |`en-us`|

+| `intents` | `[]` | Array containing all the intents you have in the project. These are the intents that will be classified from your utterances.| `[]` |

+| `entities` | `[]` | Array containing all the entities in your project. These are the entities that will be extracted from your utterances. Every entity can have additional optional components defined with them: list, prebuilt, or regex. | `[]` |

+| `listKey`| ` ` | A normalized value for the list of synonyms to map back to in prediction. | `Microsoft` |

+| `values`| `{VALUES-FOR-LIST}` | A list of comma separated strings that will be matched exactly for extraction and map to the list key. | `"msft", "microsoft", "MS"` |

+| `regexKey`| `{REGEX-PATTERN}` | A regular expression. | `ProductPattern1` |

+| `regexPattern`| `{REGEX-PATTERN}` | A regular expression. | `^pre` |

+| `prebuilts`| `{PREBUILT-COMPONENTS}` | The prebuilt components that can extract common types. You can find the list of prebuilts you can add [here](../prebuilt-component-reference.md). | `Quantity.Number` |

+| `requiredComponents` | `{REQUIRED-COMPONENTS}` | A setting that specifies a requirement that a specific component be present to return the entity. You can learn more [here](./entity-components.md#required-components). The possible values are `learned`, `regex`, `list`, or `prebuilts` |`"learned", "prebuilt"`|

+- Improved accuracy with state-of-the-art machine learning models for better intent classification and entity extraction. LUIS required more examples to generalize certain concepts in intents and entities, while CLU's more advanced machine learning reduces the burden on customers by requiring significantly less data.

+- Multilingual support for model learning and training. Train projects in one language and immediately predict intents and entities across 96 languages.

+|Machine-learned and Structured ML entities| Learned [entity components](#how-are-entities-different-in-clu) |Machine-learned entities without subentities will be transferred as CLU entities. Structured ML entities will only transfer leaf nodes (lowest level subentities that do not have their own subentities) as entities in CLU. The name of the entity in CLU will be the name of the subentity concatenated with the parent. For example, _Order.Size_|

+|List, regex, and prebuilt entities| List, regex, and prebuilt [entity components](#how-are-entities-different-in-clu) | List, regex, and prebuilt entities will be transferred as entities in CLU with a populated entity component based on the entity type.|

+|`Pattern.Any` entities| Not currently available | `Pattern.Any` entities will be removed.|

+|Versioning| Every time you train, a model is created and acts as a version of your [project](#how-do-i-manage-versions-in-clu). | A project will be created for the selected application version. |

+|Evaluation using batch testing |Evaluation using testing sets | [Adding your testing dataset](../how-to/tag-utterances.md#how-to-label-your-utterances) will be required.|

+|Single training mode| Standard and advanced [training modes](#how-are-the-training-times-different-in-clu-how-is-standard-training-different-from-advanced-training) | Training will be required after application migration. |

+In CLU, a single entity can have multiple entity components, which are different methods for extraction. Those components are then combined together using rules you can define. The available components are:

+- Learned: Equivalent to ML entities in LUIS, labels are used to train a machine-learned model to predict an entity based on the content and context of the provided labels.

+- List: Just like list entities in LUIS, list components exact match a set of synonyms and maps them back to a normalized value called a **list key**.

+- Prebuilt: Prebuilt components allow you to define an entity with the prebuilt extractors for common types available in both LUIS and CLU.

+- Regex: Regex components use regular expressions to capture custom defined patterns, exactly like regex entities in LUIS.

+Entities in LUIS will be transferred over as entities of the same name in CLU with the equivalent components transferred.

+After migrating, your structured machine-learned leaf nodes and bottom-level subentities will be transferred to the new CLU model while all the parent entities and higher-level entities will be ignored. The name of the entity will be the bottom-level entityΓÇÖs name concatenated with its parent entity.

+

+You also cannot label 2 different entities in CLU for the same span of characters. Learned components in CLU are mutually exclusive and do not provide overlapping predictions for learned components only. When migrating your LUIS application, entity labels that overlapped preserved the longest label and ignored any others.

+### How do entity features get transferred in CLU?

+Entities used as features for intents will not be transferred. Entities used as features for other entities will populate the relevant component of the entity. For example, if a list entity named _SizeList_ was used as a feature to a machine-learned entity named _Size_, then the _Size_ entity will be transferred to CLU with the list values from _SizeList_ added to its list component. The same is applied for prebuilt and regex entities.

+### How are entity confidence scores different in CLU?

+Any extracted entity has a 100% confidence score and therefore entity confidence scores should not be used to make decisions between entities.

+Additionally, the new models do not support phrase list features as they no longer require supplementary information from the user to provide semantically similar words for better accuracy. Patterns were also used to provide improved intent classification using rule-based matching techniques that are not necessary in the new model paradigm. The question below explains this in more detail.

+### What do I do if the features I am using in LUIS are no longer present?

+There are several features that were present in LUIS that will no longer be available in CLU. This includes the ability to do feature engineering, having patterns and pattern.any entities, and structured entities. If you had dependencies on these features in LUIS, use the following guidance:

+- **Patterns**: Patterns were added in LUIS to assist the intent classification through defining regular expression template utterances. This included the ability to define Pattern only intents (without utterance examples). CLU is capable of generalizing by leveraging the state-of-the-art models. You can provide a few utterances to that matched a specific pattern to the intent in CLU, and it will likely classify the different patterns as the top intent without the need of the pattern template utterance. This simplifies the requirement to formulate these patterns, which was limited in LUIS, and provides a better intent classification experience.

+- **Phrase list features**: The ability to associate features mainly occurred to assist the classification of intents by highlighting the key elements/features to use. This is no longer required since the deep models used in CLU already possess the ability to identify the elements that are inherent in the language. In turn removing these features will have no effect on the classification ability of the model.

+- **Structured entities**: The ability to define structured entities was mainly to enable multilevel parsing of utterances. With the different possibilities of the sub-entities, LUIS needed all the different combinations of entities to be defined and presented to the model as examples. In CLU, these structured entities are no longer supported, since overlapping learned components are not supported. There are a few possible approaches to handling these structured extractions:

+ - **Non-ambiguous extractions**: In most cases the detection of the leaf entities is enough to understand the required items within a full span. For example, structured entity such as _Trip_ that fully spanned a source and destination (_London to New York_ or _Home to work_) can be identified with the individual spans predicted for source and destination. Their presence as individual predictions would inform you of the _Trip_ entity.

+ - **Ambiguous extractions**: When the boundaries of different sub-entities are not very clear. To illustrate, take the example ΓÇ£I want to order a pepperoni pizza and an extra cheese vegetarian pizzaΓÇ¥. While the different pizza types as well as the topping modifications can be extracted, having them extracted without context would have a degree of ambiguity of where the extra cheese is added. In this case the extent of the span is context based and would require ML to determine this. For ambiguous extractions you can use one of the following approaches:

+1. Combine sub-entities into different entity components within the same entity.

+#### Example:

+LUIS Implementation:

+* Pizza Order (entity)

+ * Size (subentity)

+ * Quantity (subentity)

+CLU Implementation:

+* Pizza Order (entity)

+ * Size (list entity component: small, medium, large)

+ * Quantity (prebuilt entity component: number)

+In CLU, you would label the entire span for _Pizza Order_ inclusive of the size and quantity, which would return the pizza order with a list key for size, and a number value for quantity in the same entity object.

+2. For more complex problems where entities contain several levels of depth, you can create a project for each level of depth in the entity structure. This gives you the option to:

+- Pass the utterance to each project.

+- Combine the analyses of each project in the stage proceeding CLU.

+For a detailed example on this concept, check out the pizza sample projects available on [GitHub](https://aka.ms/clu-pizza).

+CLU saves the data assets used to train your model. You can export a model's assets or load them back into the project at any point. So models act as different versions of your project.

+You can export your CLU projects using [Language Studio](https://language.cognitive.azure.com/home) or [programmatically](../how-to/fail-over.md#export-your-primary-project-assets) and store different versions of the assets locally.

+### How are the training times different in CLU? How is standard training different from advanced training?

+CLU offers standard training, which trains and learns in English and is comparable to the training time of LUIS. It also offers advanced training, which takes a considerably longer duration as it extends the training to all other [supported languages](../language-support.md). The train API will continue to be an asynchronous process, and you will need to assess the change in the DevOps process you employ for your solution.

+### How has the experience changed in CLU compared to LUIS? How is the development lifecycle different?

+In LUIS you would Build-Train-Test-Publish, whereas in CLU you Build-Train-Evaluate-Deploy-Test.

+1. **Build**: In CLU, you can define your intents, entities, and utterances before you train. CLU additionally offers you the ability to specify _test data_ as you build your application to be used for model evaluation. Evaluation assesses how well your model is performing on your test data and provides you with precision, recall, and F1 metrics.

+2. **Train**: You create a model with a name each time you train. You can overwrite an already trained model. You can specify either _standard_ or _advanced_ training, and determine if you would like to use your test data for evaluation, or a percentage of your training data to be left out from training and used as testing data. After training is complete, you can evaluate how well your model is doing on the outside.

+3. **Deploy**: After training is complete and you have a model with a name, it can be deployed for predictions. A deployment is also named and has an assigned model. You could have multiple deployments for the same model. A deployment can be overwritten with a different model, or you can swap models with other deployments in the project.

+4. **Test**: Once deployment is complete, you can use it for predictions through the deployment endpoint. You can also test it in the studio in the Test deployment page.

+This process is in contrast to LUIS, where the application ID was attached to everything, and you deployed a version of the application in either the staging or production slots.

+This will influence the DevOps processes you use.

+### Does CLU have container support?

+No, you cannot export CLU to containers.

+* [CLU FAQ](../faq.md)

+Custom named entity recognition is only available in some Azure regions. Some regions are available for **both authoring and prediction**, while other regions are **prediction only**. Language resources in authoring regions allow you to create, edit, train, and deploy your projects. Language resources in prediction regions allow you to get [predictions from a deployment](../concepts/custom-features/multi-region-deployment.md).

+| Region | Authoring | Prediction |

+|--|--|-|

+| Australia East | Γ£ô | Γ£ô |

+| Brazil South | | Γ£ô |

+| Canada Central | | Γ£ô |

+| Central India | Γ£ô | Γ£ô |

+| Central US | | Γ£ô |

+| East Asia | | Γ£ô |

+| East US | Γ£ô | Γ£ô |

+| East US 2 | Γ£ô | Γ£ô |

+| France Central | | Γ£ô |

+| Japan East | | Γ£ô |

+| Japan West | | Γ£ô |

+| Jio India West | | Γ£ô |

+| Korea Central | | Γ£ô |

+| North Central US | | Γ£ô |

+| North Europe | Γ£ô | Γ£ô |

+| Norway East | | Γ£ô |

+| South Africa North | | Γ£ô |

+| South Central US | Γ£ô | Γ£ô |

+| Southeast Asia | | Γ£ô |

+| Sweden Central | | Γ£ô |

+| Switzerland North | Γ£ô | Γ£ô |

+| UAE North | | Γ£ô |

+| UK South | Γ£ô | Γ£ô |

+| West Central US | | Γ£ô |

+Custom text classification is only available in some Azure regions. Some regions are available for **both authoring and prediction**, while other regions are **prediction only**. Language resources in authoring regions allow you to create, edit, train, and deploy your projects. Language resources in prediction regions allow you to get [predictions from a deployment](../concepts/custom-features/multi-region-deployment.md).

+| Region | Authoring | Prediction |

+|--|--|-|

+| Australia East | Γ£ô | Γ£ô |

+| Brazil South | | Γ£ô |

+| Canada Central | | Γ£ô |

+| Central India | Γ£ô | Γ£ô |

+| Central US | | Γ£ô |

+| East Asia | | Γ£ô |

+| East US | Γ£ô | Γ£ô |

+| East US 2 | Γ£ô | Γ£ô |

+| France Central | | Γ£ô |

+| Japan East | | Γ£ô |

+| Japan West | | Γ£ô |

+| Jio India West | | Γ£ô |

+| Korea Central | | Γ£ô |

+| North Central US | | Γ£ô |

+| North Europe | Γ£ô | Γ£ô |

+| Norway East | | Γ£ô |

+| South Africa North | | Γ£ô |

+| South Central US | Γ£ô | Γ£ô |

+| Southeast Asia | | Γ£ô |

+| Sweden Central | | Γ£ô |

+| Switzerland North | Γ£ô | Γ£ô |

+| UAE North | | Γ£ô |

+| UK South | Γ£ô | Γ£ô |

+| West Central US | | Γ£ô |

+ To get this entity category, add `Person` to the `piiCategories` parameter. `Person` will be returned in the API response if detected.

+ To get this entity category, add `PersonType` to the `piiCategories` parameter. `PersonType` will be returned in the API response if detected.

+ To get this entity category, add `PhoneNumber` to the `piiCategories` parameter. `PhoneNumber` will be returned in the API response if detected.

+ To get this entity category, add `Organization` to the `piiCategories` parameter. `Organization` will be returned in the API response if detected.

+ To get this entity category, add `OrganizationMedical` to the `piiCategories` parameter. `OrganizationMedical` will be returned in the API response if detected.

+ To get this entity category, add `OrganizationStockExchange` to the `piiCategories` parameter. `OrganizationStockExchange` will be returned in the API response if detected.

+ To get this entity category, add `OrganizationSports` to the `piiCategories` parameter. `OrganizationSports` will be returned in the API response if detected.

+ To get this entity category, add `Address` to the `piiCategories` parameter. `Address` will be returned in the API response if detected.

+ To get this entity category, add `Email` to the `piiCategories` parameter. `Email` will be returned in the API response if detected.

+ To get this entity category, add `URL` to the `piiCategories` parameter. `URL` will be returned in the API response if detected.

+ To get this entity category, add `IP` to the `piiCategories` parameter. `IP` will be returned in the API response if detected.

+ To get this entity category, add `DateTime` to the `piiCategories` parameter. `DateTime` will be returned in the API response if detected.

+ To get this entity category, add `Date` to the `piiCategories` parameter. `Date` will be returned in the API response if detected.

+ To get this entity category, add `Quantity` to the `piiCategories` parameter. `Quantity` will be returned in the API response if detected.

+ To get this entity category, add `Age` to the `piiCategories` parameter. `Age` will be returned in the API response if detected.

+ To get this entity category, add `AzureDocumentDBAuthKey` to the `piiCategories` parameter. `AzureDocumentDBAuthKey` will be returned in the API response if detected.

+ To get this entity category, add `AzureIAASDatabaseConnectionAndSQLString` to the `piiCategories` parameter. `AzureIAASDatabaseConnectionAndSQLString` will be returned in the API response if detected.

+ To get this entity category, add `AzureIoTConnectionString` to the `piiCategories` parameter. `AzureIoTConnectionString` will be returned in the API response if detected.

+ To get this entity category, add `AzurePublishSettingPassword` to the `piiCategories` parameter. `AzurePublishSettingPassword` will be returned in the API response if detected.

+ To get this entity category, add `AzureRedisCacheString` to the `piiCategories` parameter. `AzureRedisCacheString` will be returned in the API response if detected.

+ To get this entity category, add `AzureSAS` to the `piiCategories` parameter. `AzureSAS` will be returned in the API response if detected.

+ To get this entity category, add `AzureServiceBusString` to the `piiCategories` parameter. `AzureServiceBusString` will be returned in the API response if detected.

+ To get this entity category, add `AzureStorageAccountKey` to the `piiCategories` parameter. `AzureStorageAccountKey` will be returned in the API response if detected.

+ To get this entity category, add `AzureStorageAccountGeneric` to the `piiCategories` parameter. `AzureStorageAccountGeneric` will be returned in the API response if detected.

+ To get this entity category, add `SQLServerConnectionString` to the `piiCategories` parameter. `SQLServerConnectionString` will be returned in the API response if detected.

+ * [Custom named entity recognition](./custom-named-entity-recognition/overview.md)

+* New region support for:

+ * [Conversational language understanding](./conversational-language-understanding/service-limits.md#regional-availability)

+ * [Orchestration workflow](./orchestration-workflow/service-limits.md#regional-availability)

+ * [Custom text classification](./custom-text-classification/service-limits.md#regional-availability)

+ * [Custom named entity recognition](./custom-named-entity-recognition/service-limits.md#regional-availability)

+- Access to a public or private container registry, such as the [Azure Container Registry](/azure/container-registry/).

+For details on how to provide values for any of these parameters to the `create` command, run `az containerapp create --help` or [visit the online reference](/cli/azure/containerapp#az-containerapp-create). To generate credentials for an Azure Container Registry, use [az acr credential show](/cli/azure/acr/credential#az-acr-credential-show).

+ --yaml app.yaml

+sudo apt-get install cassandra=3.11.13

+Azure Synapse Link is available for Azure Cosmos DB SQL API or for Azure Cosmos DB API for Mongo DB accounts. And it is in preview for Gremlin API, with activation via CLI commands. Use the following steps to run analytical queries with the Azure Synapse Link for Azure Cosmos DB:

+> Currently you can't enable Synapse Link on your existing MongoDB API containers. Synapse Link can be enabled on newly created Mongo DB containers.

+* Azure Synapse Link for Azure Cosmos DB is not supported for Cassandra, and Table APIs. It is supported for API for NoSQL and MongoDB. And it is in preview for Gremlin API.

+You can view budgets for your subscriptions and resource groups from the **Cost Management** card in the [Azure app](https://azure.microsoft.com/get-started/azure-portal/mobile-app/).

+> [!NOTE]

+> Currently, the Azure mobile app only supports the subscription and resource group scopes for budgets.

+## Benefit allocation window

+With an Azure savings plan, you get significant and flexible discounts off your pay-as-you-go rates in exchange for a one or three-year spend commitment. When you use an Azure resource, usage details are periodically reported to the Azure billing system. The billing system is tasked with quickly applying your savings plan in the most beneficial manner possible. The plan benefits are applied to usage that has the largest discount percentage first. For the application to be most effective, the billing system needs visibility to your usage in a timely manner.

+The Azure savings plan benefit application operates under a best fit benefit model. When your benefit application is evaluated for a given hour, the billing system incorporates usage arriving up to 48 hours after the given hour. During the sliding 48-hour window, you may see changes to charges, including the possibility of savings plan utilization that's greater than 100%. This situation happens because the system is constantly working to provide the best possible benefit application. Keep the 48-hour window in mind when you inspect your usage.

+ Title: Troubleshoot Azure savings plan utilization

+description: This article helps you understand why Azure savings plans can temporarily have utilization greater than 100% in usage reporting UIs and APIs.

+# Troubleshoot Azure savings plan utilization

+This article helps you understand why Azure savings plans can temporarily have high utilization.

+## Why is my savings plan utilization greater than 100%?

+Azure savings plans can temporarily have utilization greater than 100%, as shown in the Azure portal and from APIs.

+Azure saving plan benefits are flexible and cover usage across various products and regions. Under an Azure savings plan, Azure applies plan benefits to your usage that has the largest percentage discount off its pay-as-you-go rate first, until we reach your hourly commitment.

+The Azure usage and billing systems determine your hourly cost by examining your usage for each hour. Usage is reported to the Azure billing systems. It's sent by all services that you used for the previous hour. However, usage isn't always sent instantly, which makes it difficult to determine which resources should receive the benefit. To compensate, Azure temporarily applies the maximum benefit to all usage received. Azure then does extra processing to quickly reconcile utilization to 100%.

+Periods of such high utilization are most likely to occur immediately after a usage hour.

+## Next steps

+- Learn more about [Azure saving plans](index.yml).

+| Unused Savings Plan (provides the number of hours the savings plan wasn't used in a day and the monetary value of the waste) | Not applicable in the view. | Available in the view.<br><br>To get the data, filter on ChargeType = `UnusedSavingsPlan`.<br><br>Refer to `BenefitID` or `BenefitName` to know which savings plan was underutilized. Indicates how much of the savings plan was wasted for the day. |

+| **Unused savings plan report** | Request for an AmortizedCost report.<br><br> Once you've ingested all of the usage, filter for usage records with ChargeType = 'UnusedSavingsPlan' and PricingModel ='SavingsPlan'. |

+| **Savings plan purchases** | Request for an ActualCost report.<br><br> Once you've ingested all of the usage, filter for usage records with ChargeType = 'Purchase' and PricingModel = 'SavingsPlan'. |

+| **Refunds** | Request for an ActualCost report.<br><br> Once you've ingested all of the usage, filter for usage records with ChargeType = 'Refund'. |

+Get amortized cost data and filter for `ChargeType` = `UnusedSavingsPlan` and `PricingModel` = `SavingsPlan`. You get the daily unused savings plan quantity and the cost. You can filter the data for a savings plan or savings plan order using `BenefitId` and `ProductOrderId` fields, respectively. If a savings plan was 100% utilized, the record has a quantity of 0.

+Keep in mind that if you have an underutilized savings plan, the _UnusedSavingsPlan_ entry for _ChargeType_ becomes a factor to consider. When you have a fully utilized savings plan, you receive the maximum savings possible. Any _UnusedSavingsPlan_ quantity reduces savings.

+Group by _Charge Type_ to see a breakdown of usage, purchases, and refunds; or by _Pricing Model_ for a breakdown of savings plan and on-demand costs. You can also group by _Benefit_ and use the _BenefitId_ and _BenefitName_ associated with your Savings Plan to identify the costs related to specific savings plan purchases. The only savings plan costs that you see when looking at actual cost are purchases. Costs aren't allocated to the individual resources that used the benefit when looking at amortized cost. You'll also see a new _**UnusedSavingsPlan**_ plan charge type when looking at amortized cost.

+When you perform data integration and ETL processes in the cloud, your jobs can perform much better and be more effective when you only read the source data that has changed since the last time the pipeline ran, rather than always querying an entire dataset on each run. Executing pipelines that only read the latest changed data is available in many of ADF's source connectors by simply enabling a checkbox property inside the source transformation. Support for full-fidelity CDC, which includes row markers for inserts, upserts, deletes, and updates, as well as rules for resetting the ADF-managed checkpoint are available in several ADF connectors. To easily capture changes and deltas, ADF supports patterns and templates for managing incremental pipelines with user-controlled checkpoints as well, which you'll find in the table below.

+| [Azure Cosmos DB (SQL API)](connector-azure-cosmos-db.md) | Γ£ô | Γ£ô | &nbsp; |

+ "*": {

+ "properties": {

+ "typeProperties": {

+ "folderPath": "=",

+ "fileName": "="

+ }

+ }

+ }

+You can either create your own keys and store them in a key vault. Or you can use the Azure Key Vault APIs to generate keys. Only RSA keys are supported with Data Factory encryption. RSA-HSM is also supported. For more information, see [About keys, secrets, and certificates](../key-vault/general/about-keys-secrets-certificates.md).

+> * Configure advanced networking

+> * Validate network settings

+ 

+ After you have configured and applied the network settings, select **Next: Advanced networking** to configure compute network.

+1. In the **Advanced networking** page, select a network interface that you want to enable for compute.

+## Configure virtual switches

+Follow these steps to add or delete virtual switches and virtual networks.

+1. In the local UI, go to **Advanced networking** page.

+1. In the **Virtual switch** section, you'll add or delete virtual switches. Select **Add virtual switch** to create a new switch.

+ 

+1. In the **Network settings** blade, if using a new switch, provide the following:

+ 1. Provide a name for your virtual switch.

+ 1. Choose the network interface on which the virtual switch should be created.

+ 1. If deploying 5G workloads, set **Supports accelerated networking** to **Yes**.

+ 1. Select **Apply**. You can see that the specified virtual switch is created.

+ 

+1. You can create more than one switch by following the steps described earlier.

+1. To delete a virtual switch, under the **Virtual switch** section, select **Delete virtual switch**. When a virtual switch is deleted, the associated virtual networks will also be deleted.

+You can now create virtual networks and associate with the virtual switches you created.

+## Configure virtual networks

+You can add or delete virtual networks associated with your virtual switches. To add a virtual switch, follow these steps:

+1. In the local UI on the **Advanced networking** page, under the **Virtual network** section, select **Add virtual network**.

+1. In the **Add virtual network** blade, input the following information:

+ 1. Select a virtual switch for which you want to create a virtual network.

+ 1. Provide a **Name** for your virtual network.

+ 1. Enter a **VLAN ID** as a unique number in 1-4094 range. The VLAN ID that you provide should be in your trunk configuration. For more information on trunk configuration for your switch, refer to the instructions from your physical switch manufacturer.

+ 1. Specify the **Subnet mask** and **Gateway** for your virtual LAN network as per the physical network configuration.

+ 1. Select **Apply**. A virtual network is created on the specified virtual switch.

+ <!--![Screenshot of how to add virtual network in **Advanced networking** page in local UI for one node.()-->

+1. To delete a virtual network, under the **Virtual network** section, select **Delete virtual network** and select the virtual network you want to delete.

+1. Select **Next: Kubernetes >** to next configure your compute IPs for Kubernetes.

+## Configure compute IPs

+Follow these steps to configure compute IPs for your Kubernetes workloads.

+1. In the local UI, go to the **Kubernetes** page.

+1. From the dropdown select a virtual switch that you will use for Kubernetes compute traffic. <!--By default, all switches are configured for management. You can't configure storage intent as storage traffic was already configured based on the network topology that you selected earlier.-->

+1. Assign **Kubernetes node IPs**. These static IP addresses are for the Kubernetes VMs.

+ For an *n*-node device, a contiguous range of a minimum of *n+1* IPv4 addresses (or more) are provided for the compute VM using the start and end IP addresses. For a 1-node device, provide a minimum of two, free, contiguous IPv4 addresses.

+ > [!IMPORTANT]

+ > * Kubernetes on Azure Stack Edge uses 172.27.0.0/16 subnet for pod and 172.28.0.0/16 subnet for service. Make sure that these are not in use in your network. If these subnets are already in use in your network, you can change these subnets by running the ```Set-HcsKubeClusterNetworkInfo``` cmdlet from the PowerShell interface of the device. For more information, see Change Kubernetes pod and service subnets. <!--Target URL not available.-->

+ > * DHCP mode is not supported for Kubernetes node IPs. If you plan to deploy IoT Edge/Kubernetes, you must assign static Kubernetes IPs and then enable IoT role. This will ensure that static IPs are assigned to Kubernetes node VMs.

+ > * If your datacenter firewall is restricting or filtering traffic based on source IPs or MAC addresses, make sure that the compute IPs (Kubernetes node IPs) and MAC addresses are on the allowed list. The MAC addresses can be specified by running the ```Set-HcsMacAddressPool``` cmdlet on the PowerShell interface of the device.

+1. Assign **Kubernetes external service IPs**. These are also the load-balancing IP addresses. These contiguous IP addresses are for services that you want to expose outside of the Kubernetes cluster and you specify the static IP range depending on the number of services exposed.

+ > [!IMPORTANT]

+ > We strongly recommend that you specify a minimum of one IP address for Azure Stack Edge Hub service to access compute modules. You can then optionally specify additional IP addresses for other services/IoT Edge modules (1 per service/module) that need to be accessed from outside the cluster. The service IP addresses can be updated later.

+ 

+1. The configuration takes a couple minutes to apply and you may need to refresh the browser.

+1. Select **Next: Web proxy** to configure web proxy.

+> Proxy-auto config (PAC) files are not supported. A PAC file defines how web browsers and other user agents can automatically choose the appropriate proxy server (access method) for fetching a given URL. Proxies that try to intercept and read all the traffic (then re-sign everything with their own certification) aren't compatible since the proxy's certificate is not trusted. Typically, transparent proxies work well with Azure Stack Edge Pro R. Non-transparent web proxies are not supported.

+> * Configure advanced networking

+> * Validate network settings

+ 

+ 

+ runner: ARM

+ templatePath: azuredeploy.json

+## Idempotency

+Event Hubs for Apache Kafka supports both idempotent producers and idempotent consumers.

+One of the core tenets of Azure Event Hubs is the concept of **at-least once** delivery. This approach ensures that events will always be delivered. It also means that events can be received more than once, even repeatedly, by consumers such as a function. For this reason, it's important that the consumer supports the [idempotent consumer](https://microservices.io/patterns/communication-style/idempotent-consumer.html) pattern.

+HDInsight will automatically renew the certificates for the managed identities you use for these scenarios. However, there is a limitation when multiple different managed identities are used for long running clusters, the certificate renewal may not work as expected for all of the managed identities. Due to this limitation, we recommend to use the same managed identity for all of the above scenarios.

+ 1. Consumes offset-syncsr.

+ 1. Emits checkpoints to enable failover points.

+ ```

+ ./bin/connect-mirror-maker.sh ./config/mirror-maker.properties

+ ```

+# specify any number of cluster aliases

+clusters = source, destination

+# connection information for each cluster

+# This is a comma separated host:port pairs for each cluster

+# for example. "A_host1:9092, A_host2:9092, A_host3:9092" and you can see the exact host name on Ambari > Hosts

+source.bootstrap.servers = wn0-src-kafka.bx.internal.cloudapp.net:9092,wn1-src-kafka.bx.internal.cloudapp.net:9092,wn2-src-kafka.bx.internal.cloudapp.net:9092

+destination.bootstrap.servers = wn0-dest-kafka.bx.internal.cloudapp.net:9092,wn1-dest-kafka.bx.internal.cloudapp.net:9092,wn2-dest-kafka.bx.internal.cloudapp.net:9092

+# enable and configure individual replication flows

+source->destination.enabled = true

+# regex which defines which topics gets replicated. For eg "foo-.*"

+source->destination.topics = toa.evehicles-latest-dev

+groups=.*

+topics.blacklist="*.internal,__.*"

+# Setting replication factor of newly created remote topics

+replication.factor=3

+checkpoints.topic.replication.factor=1

+heartbeats.topic.replication.factor=1

+offset-syncs.topic.replication.factor=1

+offset.storage.replication.factor=1

+status.storage.replication.factor=1

+config.storage.replication.factor=1

+/** Defines which topics are "remote topics", e.g. "us-west.topic1". */

+public interface ReplicationPolicy {

+The OpenAPI Doc for the supported versions can be found at the following url:

+```json

+```json

+The Medical Imaging Server for DICOM supports a subset of the DICOMwebΓäó Standard. Support includes:

+* [Studies Service](#studies-service)

+ * [Store (STOW-RS)](#store-stow-rs)

+ * [Retrieve (WADO-RS)](#retrieve-wado-rs)

+ * [Search (QIDO-RS)](#search-qido-rs)

+ * [Delete](#delete)

+* [Worklist Service (UPS Push and Pull SOPs)](#worklist-service-ups-rs)

+ * [Create Workitem](#create-workitem)

+ * [Retrieve Workitem](#retrieve-workitem)

+ * [Update Workitem](#update-workitem)

+ * [Change Workitem State](#change-workitem-state)

+ * [Request Cancellation](#request-cancellation)

+ * [Search Workitems](#search-workitems)

+* [Change Feed](dicom-change-feed-overview.md)

+* [Extended Query Tags](dicom-extended-query-tags-overview.md)

+The service uses REST API versioning. The version of the REST API must be explicitly specified as part of the base URL, as in the following example:

+`https://<service_url>/v<version>/studies`

+For more information on how to specify the version when making requests, see the [API Versioning Documentation](api-versioning-dicom-service.md).

+You'll find example requests for supported transactions in the [Postman collection](https://github.com/microsoft/dicom-server/blob/main/docs/resources/Conformance-as-Postman.postman_collection.json).

+## Preamble Sanitization

+The service ignores the 128-byte File Preamble, and replaces its contents with null characters. This ensures that no files passed through the service are vulnerable to the [malicious preamble vulnerability](https://dicom.nema.org/medical/dicom/current/output/chtml/part10/sect_7.5.html). However, this also means that [preambles used to encode dual format content](https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6489422/) such as TIFF can't be used with the service.

+## Studies Service

+The [Studies Service](https://dicom.nema.org/medical/dicom/current/output/html/part18.html#chapter_10) allows users to store, retrieve, and search for DICOM Studies, Series, and Instances. We've added the non-standard Delete transaction to enable a full resource lifecycle.

+### Store (STOW-RS)

+* `StudyInstanceUID`

+* `SeriesInstanceUID`

+* `SOPInstanceUID`

+* `SOPClassUID`

+* `PatientID`

+> All identifiers must be between 1 and 64 characters long, and only contain alpha numeric characters or the following special characters: `.`, `-`.

+Each file stored must have a unique combination of `StudyInstanceUID`, `SeriesInstanceUID`, and `SopInstanceUID`. The warning code `45070` will be returned if a file with the same identifiers already exists.

+Only transfer syntaxes with explicit Value Representations are accepted.

+#### Store response status codes

+| Code | Description |

+| :-- | :- |

+| `200 (OK)` | All the SOP instances in the request have been stored. |

+| `202 (Accepted)` | Some instances in the request have been stored but others have failed. |

+| `204 (No Content)` | No content was provided in the store transaction request. |

+| `400 (Bad Request)` | The request was badly formatted. For example, the provided study instance identifier didn't conform to the expected UID format. |

+| `401 (Unauthorized)` | The client isnn't authenticated. |

+| `403 (Forbidden)` | The user isn't authorized. |

+| `406 (Not Acceptable)` | The specified `Accept` header isn't supported. |

+| `409 (Conflict)` | None of the instances in the store transaction request have been stored. |

+| `415 (Unsupported Media Type)` | The provided `Content-Type` isn't supported. |

+| `503 (Service Unavailable)` | The service is unavailable or busy. Please try again later. |

+| (0008, 1190) | `RetrieveURL` | The Retrieve URL of the study if the StudyInstanceUID was provided in the store request and at least one instance is successfully stored. |

+| (0008, 1198) | `FailedSOPSequence` | The sequence of instances that failed to store. |

+| (0008, 1199) | `ReferencedSOPSequence` | The sequence of stored instances. |

+| (0008, 1150) | `ReferencedSOPClassUID` | The SOP class unique identifier of the instance that failed to store. |

+| (0008, 1155) | `ReferencedSOPInstanceUID` | The SOP instance unique identifier of the instance that failed to store. |

+| (0008, 1197) | `FailureReason` | The reason code why this instance failed to store. |

+| (0008, 1150) | `ReferencedSOPClassUID` | The SOP class unique identifier of the instance that failed to store. |

+| (0008, 1155) | `ReferencedSOPInstanceUID` | The SOP instance unique identifier of the instance that failed to store. |

+| (0008, 1190) | `RetrieveURL` | The retrieve URL of this instance on the DICOM server. |

+An example response with `Accept` header `application/dicom+json`:

+#### Store failure reason codes

+| `272` | The store transaction didn't store the instance because of a general failure in processing the operation. |

+| `43264` | The DICOM instance failed the validation. |

+| `43265` | The provided instance `StudyInstanceUID` didn't match the specified `StudyInstanceUID` in the store request. |

+| `45070` | A DICOM instance with the same `StudyInstanceUID`, `SeriesInstanceUID`, and `SopInstanceUID` has already been stored. If you wish to update the contents, delete this instance first. |

+| `45071` | A DICOM instance is being created by another process, or the previous attempt to create has failed and the cleanup process hasn't had chance to clean up yet. Delete the instance first before attempting to create again. |

+### Retrieve (WADO-RS)

+| Method | Path | Description |

+| :-- | :| :- |

+| GET | ../studies/{study} | Retrieves all instances within a study. |

+| GET | ../studies/{study}/metadata | Retrieves the metadata for all instances within a study. |

+| GET | ../studies/{study}/series/{series} | Retrieves all instances within a series. |

+| GET | ../studies/{study}/series/{series}/metadata | Retrieves the metadata for all instances within a series. |

+| GET | ../studies/{study}/series/{series}/instances/{instance} | Retrieves a single instance. |

+| GET | ../studies/{study}/series/{series}/instances/{instance}/metadata | Retrieves the metadata for a single instance. |

+#### Retrieve instances within study or series

+#### Retrieve an Instance

+* `application/dicom;` (when transfer-syntax isn't specified, `1.2.840.10008.1.2.1` is used as default)

+* `multipart/related; type="application/dicom"` (when transfer-syntax isn't specified, `1.2.840.10008.1.2.1` is used as default)

+#### Retrieve Frames

+* `multipart/related; type="application/octet-stream";` (when transfer-syntax isn't specified, `1.2.840.10008.1.2.1` is used as default)

+* `multipart/related; type="image/jp2";` (when transfer-syntax isn't specified, `1.2.840.10008.1.2.4.90` is used as default)

+#### Retrieve transfer syntax

+The following `Accept` header is supported for retrieving metadata for a study, a series, or an instance:

+Retrieving metadata will not return attributes with the following value representations:

+* Data hasn't changed since the last request: `HTTP 304 (Not Modified)` response will be sent with no response body.

+* Data has changed since the last request: `HTTP 200 (OK)` response will be sent with updated ETag. Required data will also be returned as part of the body.

+| `200 (OK)` | All requested data has been retrieved. |

+| `304 (Not Modified)` | The requested data hasn't been modified since the last request. Content isn't added to the response body in such case. For more information, see the above section **Retrieve Metadata Cache Validation (for Study, Series, or Instance)**. |

+| `400 (Bad Request)` | The request was badly formatted. For example, the provided study instance identifier didn't conform to the expected UID format, or the requested transfer-syntax encoding isn't supported. |

+| `401 (Unauthorized)` | The client isn't authenticated. |

+| `403 (Forbidden)` | The user isn't authorized. |

+| `404 (Not Found)` | The specified DICOM resource couldn't be found. |

+| `406 (Not Acceptable)` | The specified `Accept` header isn't supported. |

+| `503 (Service Unavailable)` | The service is unavailable or busy. Please try again later. |

+### Search (QIDO-RS)

+| Method | Path | Description |

+| :-- | :-- | : |

+| *Search for Studies* |

+| GET | ../studies?... | Search for studies |

+| *Search for Series* |

+| GET | ../series?... | Search for series |

+| GET |../studies/{study}/series?... | Search for series in a study |

+| *Search for Instances* |

+| GET |../instances?... | Search for instances |

+| GET |../studies/{study}/instances?... | Search for instances in a study |

+* `application/dicom+json`

+| Key | Support Value(s) | Allowed Count | Description |

+| :-- | :-- | : | :- |

+| `{attributeID}=` | `{value}` | 0...N | Search for attribute/ value matching in query. |

+| `includefield=` | `{attributeID}`<br/>`all` | 0...N | The additional attributes to return in the response. Both, public and private tags are supported.<br/>When `all` is provided. Refer to [Search Response](#search-response) for more information about which attributes will be returned for each query type.<br/>If a mixture of `{attributeID}` and `all` is provided, the server will default to using `all`. |

+| `limit=` | `{value}` | 0..1 | Integer value to limit the number of values returned in the response.<br/>Value can be between the range 1 >= x <= 200. Defaulted to 100. |

+| `offset=` | `{value}` | 0..1 | Skip `{value}` results.<br/>If an offset is provided larger than the number of search query results, a 204 (no content) response will be returned. |

+| `fuzzymatching=` | `true` / `false` | 0..1 | If true fuzzy matching is applied to PatientName attribute. It will do a prefix word match of any name part inside PatientName value. For example, if PatientName is "John^Doe", then "joh", "do", "jo do", "Doe" and "John Doe" will all match. However, "ohn" won't match. |

+| `StudyInstanceUID` | X | X | X |

+| `PatientName` | X | X | X |

+| `PatientID` | X | X | X |

+| `PatientBirthDate` | X | X | X |

+| `AccessionNumber` | X | X | X |

+| `ReferringPhysicianName` | X | X | X |

+| `StudyDate` | X | X | X |

+| `StudyDescription` | X | X | X |

+| `SeriesInstanceUID` | | X | X |

+| `Modality` | | X | X |

+| `PerformedProcedureStepStartDate` | | X | X |

+| `SOPInstanceUID` | | | X |

+| Range Query | `StudyDate`/`PatientBirthDate` | `{attributeID}={value1}-{value2}`. For date/ time values, we support an inclusive range on the tag. This will be mapped to `attributeID >= {value1} AND attributeID <= {value2}`. If `{value1}` isn't specified, all occurrences of dates/times prior to and including `{value2}` will be matched. Likewise, if `{value2}` isn't specified, all occurrences of `{value1}` and subsequent dates/times will be matched. However, one of these values has to be present. `{attributeID}={value1}-` and `{attributeID}=-{value2}` are valid, however, `{attributeID}=-` is invalid. |

+| Exact Match | All supported attributes | `{attributeID}={value1}` |

+| Fuzzy Match | `PatientName`, `ReferringPhysicianName` | Matches any component of the name which starts with the value. |

+Tags can be encoded in a number of ways for the query parameter. We've partially implemented the standard as defined in [PS3.18 6.7.1.1.1](http://dicom.nema.org/medical/dicom/2019a/output/chtml/part18/sect_6.7.html#sect_6.7.1.1.1). The following encodings for a tag are supported:

+| `{group}{element}` | `0020000D` |

+| `{dicomKeyword}` | `StudyInstanceUID` |

+Example query searching for instances:

+ `../instances?Modality=CT&00280011=512&includefield=00280010&limit=5&offset=0`

+The response will be an array of DICOM datasets. Depending on the resource, by *default* the following attributes are returned

+| (0008, 0005) | `SpecificCharacterSet` |

+| (0008, 0020) | `StudyDate` |

+| (0008, 0030) | `StudyTime` |

+| (0008, 0050) | `AccessionNumber` |

+| (0008, 0056) | `InstanceAvailability` |

+| (0008, 0090) | `ReferringPhysicianName` |

+| (0008, 0201) | `TimezoneOffsetFromUTC` |

+| (0010, 0010) | `PatientName` |

+| (0010, 0020) | `PatientID` |

+| (0010, 0030) | `PatientBirthDate` |

+| (0010, 0040) | `PatientSex` |

+| (0020, 0010) | `StudyID` |

+| (0020, 000D) | `StudyInstanceUID` |

+| (0008, 0005) | `SpecificCharacterSet` |

+| (0008, 0060) | `Modality` |

+| (0008, 0201) | `TimezoneOffsetFromUTC` |

+| (0008, 103E) | `SeriesDescription` |

+| (0020, 000E) | `SeriesInstanceUID` |

+| (0040, 0244) | `PerformedProcedureStepStartDate` |

+| (0040, 0245) | `PerformedProcedureStepStartTime` |

+| (0040, 0275) | `RequestAttributesSequence` |

+| (0008, 0005) | `SpecificCharacterSet` |

+| (0008, 0016) | `SOPClassUID` |

+| (0008, 0018) | `SOPInstanceUID` |

+| (0008, 0056) | `InstanceAvailability` |

+| (0008, 0201) | `TimezoneOffsetFromUTC` |

+| (0020, 0013) | `InstanceNumber` |

+| (0028, 0010) | `Rows` |

+| (0028, 0011) | `Columns` |

+| (0028, 0100) | `BitsAllocated` |

+| (0028, 0008) | `NumberOfFrames` |

+If `includefield=all`, the below attributes are included along with default attributes. Along with the default attributes, this is the full list of attributes supported at each resource level.

+#### Additional Study tags

+| (0008, 1030) | `Study Description` |

+| (0008, 0063) | `AnatomicRegionsInStudyCodeSequence` |

+| (0008, 1032) | `ProcedureCodeSequence` |

+| (0008, 1060) | `NameOfPhysiciansReadingStudy` |

+| (0008, 1080) | `AdmittingDiagnosesDescription` |

+| (0008, 1110) | `ReferencedStudySequence` |

+| (0010, 1010) | `PatientAge` |

+| (0010, 1020) | `PatientSize` |

+| (0010, 1030) | `PatientWeight` |

+| (0010, 2180) | `Occupation` |

+| (0010, 21B0) | `AdditionalPatientHistory` |

+#### Additional Series tags

+| (0020, 0011) | `SeriesNumber` |

+| (0020, 0060) | `Laterality` |

+| (0008, 0021) | `SeriesDate` |

+| (0008, 0031) | `SeriesTime` |

+Along with those below attributes are returned:

+* `IncludeField` attributes supported at that resource level.

+* If the target resource is `All Series`, then `Study` level attributes are also returned.

+* If the target resource is `All Instances`, then `Study` and `Series` level attributes are also returned.

+* If the target resource is `Study's Instances`, then `Series` level attributes are also returned.

+| `200 (OK)` | The response payload contains all the matching resources. |

+| `204 (No Content)` | The search completed successfully but returned no results. |

+| `400 (Bad Request)` | The server was unable to perform the query because the query component was invalid. Response body contains details of the failure. |

+| `401 (Unauthorized)` | The client isn't authenticated. |

+| `403 (Forbidden)` | The user isn't authorized. |

+| `503 (Service Unavailable)` | The service is unavailable or busy. Please try again later. |

+### Additional notes

+* Querying using the `TimezoneOffsetFromUTC (00080201)` isn't supported.

+* The query API won't return `413 (request entity too large)`. If the requested query response limit is outside of the acceptable range, a bad request will be returned. Anything requested within the acceptable range, will be resolved.

+* When target resource is Study/Series there's a potential for inconsistent study/series level metadata across multiple instances. For example, two instances could have different patientName. In this case, the latest will win and you can search only on the latest data.

+* Paged results are optimized to return matched newest instance first, this may result in duplicate records in subsequent pages if newer data matching the query was added.

+* Only the first value will be indexed of a single valued data element that incorrectly has multiple values.

+### Delete

+| Method | Path | Description |

+| :-- | : | :- |

+| DELETE | ../studies/{study} | Delete all instances for a specific study. |

+| DELETE | ../studies/{study}/series/{series} | Delete all instances for a specific series within a study. |

+Parameters `study`, `series`, and `instance` correspond to the DICOM attributes `StudyInstanceUID`, `SeriesInstanceUID`, and `SopInstanceUID` respectively.

+> After a Delete transaction, the deleted instances will not be recoverable.

+| `204 (No Content)` | When all the SOP instances have been deleted. |

+| `400 (Bad Request)` | The request was badly formatted. |

+| `401 (Unauthorized)` | The client isn't authenticated. |

+| `403 (Forbidden)` | The user isn't authorized. |

+| `404 (Not Found)` | When the specified series wasn't found within a study or the specified instance wasn't found within the series. |

+| `503 (Service Unavailable)` | The service is unavailable or busy. Please try again later. |

+## Worklist Service (UPS-RS)

+The DICOM service supports the Push and Pull SOPs of the [Worklist Service (UPS-RS)](https://dicom.nema.org/medical/dicom/current/output/html/part18.html#chapter_11). This service provides access to one Worklist containing Workitems, each of which represents a Unified Procedure Step (UPS).

+Throughout, the variable `{workitem}` in a URI template stands for a Workitem UID.

+Available UPS-RS endpoints include:

+|Verb| Path | Description |

+|: |: |: |

+|POST| {s}/workitems{?AffectedSOPInstanceUID}| Create a work item|

+|POST| {s}/workitems/{instance}{?transaction}| Update a work item

+|GET| {s}/workitems{?query*} | Search for work items

+|GET| {s}/workitems/{instance}| Retrieve a work item

+|PUT| {s}/workitems/{instance}/state| Change work item state

+|POST| {s}/workitems/{instance}/cancelrequest | Cancel work item|

+|POST |{s}/workitems/{instance}/subscribers/{AETitle}{?deletionlock} | Create subscription|

+|POST| {s}/workitems/1.2.840.10008.5.1.4.34.5/ | Suspend subscription|

+|DELETE | {s}/workitems/{instance}/subscribers/{AETitle} | Delete subscription

+|GET | {s}/subscribers/{AETitle}| Open subscription channel |

+### Create Workitem

+This transaction uses the POST method to create a new Workitem.

+|Method| Path |Description|

+|:|:|:|

+| POST |../workitems| Create a Workitem.|

+| POST |../workitems?{workitem}| Creates a Workitem with the specified UID.|

+If not specified in the URI, the payload dataset must contain the Workitem in the `SOPInstanceUID` attribute.

+The `Accept` and `Content-Type` headers are required in the request, and must both have the value `application/dicom+json`.

+There are a number of requirements related to DICOM data attributes in the context of a specific transaction. Attributes may be required to be present, required to not be present, required to be empty, or required to not be empty. These requirements can be found [in this table](https://dicom.nema.org/medical/dicom/current/output/html/part04.html#table_CC.2.5-3).

+Notes on dataset attributes:

+* **SOP Instance UID:** Although the reference table above says that SOP Instance UID shouldn't be present, this guidance is specific to the DIMSE protocol and is handled differently in DICOMWebΓäó. SOP Instance UID should be present in the dataset if not in the URI.

+* **Conditional requirement codes:** All the conditional requirement codes including 1C and 2C are treated as optional.

+#### Create Response Status Codes

+|Code |Description|

+|:|:|

+|`201 (Created)`| The target Workitem was successfully created.|

+|`400 (Bad Request)`| There was a problem with the request. For example, the request payload didn't satisfy the requirements above.|

+|`401 (Unauthorized)`| The client isn't authenticated.

+|`403 (Forbidden)` | The user isn't authorized. |

+|`409 (Conflict)` |The Workitem already exists.

+|`415 (Unsupported Media Type)`| The provided `Content-Type` isn't supported.

+|`503 (Service Unavailable)`| The service is unavailable or busy. Please try again later.|

+#### Create Response Payload

+A success response will have no payload. The `Location` and `Content-Location` response headers will contain a URI reference to the created Workitem.

+A failure response payload will contain a message describing the failure.

+### Request Cancellation

+This transaction enables the user to request cancellation of a non-owned Workitem.

+There are [four valid Workitem states](https://dicom.nema.org/medical/dicom/current/output/html/part04.html#table_CC.1.1-1):

+* `SCHEDULED`

+* `IN PROGRESS`

+* `CANCELED`

+* `COMPLETED`

+This transaction will only succeed against Workitems in the `SCHEDULED` state. Any user can claim ownership of a Workitem by setting its Transaction UID and changing its state to `IN PROGRESS`. From then on, a user can only modify the Workitem by providing the correct Transaction UID. While UPS defines Watch and Event SOP classes that allow cancellation requests and other events to be forwarded, this DICOM service does not implement these classes, and so cancellation requests on workitems that are `IN PROGRESS` will return failure. An owned Workitem can be canceled via the [Change Workitem State](#change-workitem-state) transaction.

+|Method |Path| Description|

+|:|:|:|

+|POST |../workitems/{workitem}/cancelrequest| Request the cancellation of a scheduled Workitem|

+The `Content-Type` header is required, and must have the value `application/dicom+json`.

+The request payload may include Action Information as [defined in the DICOM Standard](https://dicom.nema.org/medical/dicom/current/output/html/part04.html#table_CC.2.2-1).

+#### Request Cancellation Response Status Codes

+|Code |Description|

+|:|:|

+|`202 (Accepted)`| The request was accepted by the server, but the Target Workitem state hasn't necessarily changed yet.|

+|`400 (Bad Request)`| There was a problem with the syntax of the request.|

+|`401 (Unauthorized)`| The client isn;t authenticated.

+|`403 (Forbidden)` | The user isn't authorized. |

+|`404 (Not Found)`| The Target Workitem wasn't found.

+|`409 (Conflict)`| The request is inconsistent with the current state of the Target Workitem. For example, the Target Workitem is in the **SCHEDULED** or **COMPLETED** state.

+|`415 (Unsupported Media Type)` |The provided `Content-Type` isn't supported.|

+#### Request Cancellation Response Payload

+A success response will have no payload, and a failure response payload will contain a message describing the failure. If the Workitem Instance is already in a canceled state, the response will include the following HTTP Warning header: `299: The UPS is already in the requested state of CANCELED.`

+### Retrieve Workitem

+This transaction retrieves a Workitem. It corresponds to the UPS DIMSE N-GET operation.

+Refer to: https://dicom.nema.org/medical/dicom/current/output/html/part18.html#sect_11.5

+If the Workitem exists on the origin server, the Workitem shall be returned in an Acceptable Media Type. The returned Workitem shall not contain the Transaction UID (0008,1195) Attribute. This is necessary to preserve this Attribute's role as an access lock.

+|Method |Path |Description

+|:|:|:|

+|GET| ../workitems/{workitem}| Request to retrieve a Workitem

+The `Accept` header is required and must have the value `application/dicom+json`.

+#### Retrieve Workitem Response Status Codes

+|Code |Description|

+|: |:

+|`200 (OK)`| Workitem Instance was successfully retrieved.|

+|`400 (Bad Request)`| There was a problem with the request.|

+|`401 (Unauthorized)`| The client isn't authenticated.|

+|`403 (Forbidden)` | The user isn't authorized. |

+|`404 (Not Found)`| The Target Workitem wasn't found.|

+#### Retrieve Workitem Response Payload

+* A success response has a single part payload containing the requested Workitem in the Selected Media Type.

+* The returned Workitem shall not contain the Transaction UID (0008, 1195) attribute of the Workitem, since that should only be known to the Owner.

+### Update Workitem

+This transaction modifies attributes of an existing Workitem. It corresponds to the UPS DIMSE N-SET operation.

+Refer to: https://dicom.nema.org/medical/dicom/current/output/html/part18.html#sect_11.6

+To update a Workitem currently in the **SCHEDULED** state, the `Transaction UID` attribute shall not be present. For a Workitem in the **IN PROGRESS** state, the request must include the current Transaction UID as a query parameter. If the Workitem is already in the **COMPLETED** or **CANCELED** states, the response will be `400 (Bad Request)`.

+|Method |Path |Description

+|:|:|:|

+|POST| ../workitems/{workitem}?{transaction-uid}| Update Workitem Transaction|

+The `Content-Type` header is required, and must have the value `application/dicom+json`.

+The request payload contains a dataset with the changes to be applied to the target Workitem. When modifying a sequence, the request must include all Items in the sequence, not just the Items to be modified. When multiple Attributes need updating as a group, do this as multiple Attributes in a single request, not as multiple requests.

+There are a number of requirements related to DICOM data attributes in the context of a specific transaction. Attributes may be required to be present, required to not be present, required to be empty, or required to not be empty. These requirements can be found in this table.

+Notes on dataset attributes:

+* **Conditional requirement codes:** All the conditional requirement codes including 1C and 2C are treated as optional.

+* The request can't set the value of the Procedure Step State (0074,1000) attribute. Procedure Step State is managed using the Change State transaction, or the Request Cancellation transaction.

+#### Update Workitem Transaction Response Status Codes

+|Code |Description|

+|:|:|

+|`200 (OK)`| The Target Workitem was updated.|

+|`400 (Bad Request)`| There was a problem with the request. For example: (1) the Target Workitem was in the `COMPLETED` or `CANCELED` state. (2) the Transaction UID is missing. (3) the Transaction UID is incorrect. (4) the dataset didn't conform to the requirements.|

+|`401 (Unauthorized)`| The client isn't authenticated.|

+| `403 (Forbidden)` | The user isn't authorized. |

+|`404 (Not Found)`| The Target Workitem wasn't found.|

+|`409 (Conflict)` |The request is inconsistent with the current state of the Target Workitem.|

+|`415 (Unsupported Media Type)`| The provided `Content-Type` isn't supported.|

+#### Update Workitem Transaction Response Payload

+The origin server shall support header fields as required in [Table 11.6.3-2](https://dicom.nema.org/medical/dicom/current/output/html/part18.html#table_11.6.3-2).

+A success response shall have either no payload or a payload containing a Status Report document.

+A failure response payload may contain a Status Report describing any failures, warnings, or other useful information.

+### Change Workitem State

+This transaction is used to change the state of a Workitem. It corresponds to the UPS DIMSE N-ACTION operation "Change UPS State". State changes are used to claim ownership, complete, or cancel a Workitem.

+Refer to: https://dicom.nema.org/medical/dicom/current/output/html/part18.html#sect_11.7

+If the Workitem exists on the origin server, the Workitem shall be returned in an Acceptable Media Type. The returned Workitem shall not contain the Transaction UID (0008,1195) attribute. This is necessary to preserve this attribute's role as an access lock, as described here.

+|Method| Path| Description|

+|:|:|:|

+|PUT| ../workitems/{workitem}/state|Change Workitem State |

+The `Accept` header is required, and must have the value `application/dicom+json`.

+The request payload shall contain the Change UPS State Data Elements. These data elements are:

+* **Transaction UID (0008, 1195)** The request payload shall include a Transaction UID. The user agent creates the Transaction UID when requesting a transition to the `IN PROGRESS` state for a given Workitem. The user agent provides that Transaction UID in subsequent transactions with that Workitem.

+* **Procedure Step State (0074, 1000)** The legal values correspond to the requested state transition. They are: `IN PROGRESS`, `COMPLETED`, or `CANCELED`.

+#### Change Workitem State Response Status Codes

+|Code| Description|

+|:|:|

+|`200 (OK)`| Workitem Instance was successfully retrieved.|

+|`400 (Bad Request)` |The request cannot be performed for one of the following reasons: (1) the request is invalid given the current state of the Target Workitem. (2) the Transaction UID is missing. (3) the Transaction UID is incorrect|

+|`401 (Unauthorized)` |The client isn't authenticated.|

+|`403 (Forbidden)` | The user isn't authorized. |

+|`404 (Not Found)`| The Target Workitem wasn't found.|

+|`409 (Conflict)`| The request is inconsistent with the current state of the Target Workitem.|

+#### Change Workitem State Response Payload

+* Responses will include the header fields specified in [section 11.7.3.2](https://dicom.nema.org/medical/dicom/current/output/html/part18.html#sect_11.7.3.2).

+* A success response shall have no payload.

+* A failure response payload may contain a Status Report describing any failures, warnings, or other useful information.

+### Search Workitems

+This transaction enables you to search for Workitems by attributes.

+|Method |Path| Description|

+|:|:|:|

+|GET| ../workitems?| Search for Workitems|

+The following `Accept` header(s) are supported for searching:

+`application/dicom+json`

+#### Supported Search Parameters

+The following parameters for each query are supported:

+|Key |Support| Values| Allowed| Count |Description|

+|: |: |: |: |: |:|

+|`{attributeID}=`| `{value}` |0...N |Search for attribute/ value matching in query.

+|`includefield=` |`{attributeID} all`| 0...N |The additional attributes to return in the response. Only top-level attributes can be specified to be included - not attributes that are part of sequences. Both public and private tags are supported. When `all` is provided, see [Search Response](#search-response) for more information about which attributes will be returned for each query type. If a mixture of `{attributeID}` and `all` is provided, the server will default to using 'all'.

+|`limit=`| `{value}`| 0...1| Integer value to limit the number of values returned in the response. Value can be between the range `1 >= x <= 200`. Defaulted to `100`.|

+|`offset=`| `{value}`| 0...1| Skip {value} results. If an offset is provided larger than the number of search query results, a `204 (no content)` response will be returned.

+|`fuzzymatching=` |`true/false`| 0...1 |If true fuzzy matching is applied to any attributes with the Person Name (PN) Value Representation (VR). It will do a prefix word match of any name part inside these attributes. For example, if `PatientName` is `John^Doe`, then `joh`, `do`, `jo do`, `Doe` and `John Doe` will all match. However `ohn` will **not** match.|

+##### Searchable Attributes

+We support searching on these attributes:

+|Attribute Keyword|

+|:|

+|`PatientName`|

+|`PatientID`|

+|`ReferencedRequestSequence.AccessionNumber`|

+|`ReferencedRequestSequence.RequestedProcedureID`|

+|`ScheduledProcedureStepStartDateTime`|

+|`ScheduledStationNameCodeSequence.CodeValue`|

+|`ScheduledStationClassCodeSequence.CodeValue`|

+|`ScheduledStationGeographicLocationCodeSequence.CodeValue`|

+|`ProcedureStepState`|

+|`StudyInstanceUID`|

+##### Search Matching

+We support these matching types:

+|Search Type |Supported Attribute| Example|

+|:|:|:|

+|Range Query| `ScheduledΓÇïProcedureΓÇïStepΓÇïStartΓÇïDateΓÇïTime`| `{attributeID}={value1}-{value2}`. For date/time values, we support an inclusive range on the tag. This will be mapped to `attributeID >= {value1}` AND `attributeID <= {value2}`. If `{value1}` isn't specified, all occurrences of dates/times prior to and including `{value2}` will be matched. Likewise, if `{value2}` isn't specified, all occurrences of `{value1}` and subsequent dates/times will be matched. However, one of these values has to be present. `{attributeID}={value1}-` and `{attributeID}=-{value2}` are valid, however, `{attributeID}=-` is invalid.

+|Exact Match |All supported attributes| `{attributeID}={value1}`

+|Fuzzy Match| `PatientName` |Matches any component of the name that starts with the value.

+> [!NOTE]

+> While we don't support full sequence matching, we do support exact match on the attributes listed above that are contained in a sequence.

+##### Attribute ID

+Tags can be encoded in a number of ways for the query parameter. We've partially implemented the standard as defined in [PS3.18 6.7.1.1.1](http://dicom.nema.org/medical/dicom/2019a/output/chtml/part18/sect_6.7.html#sect_6.7.1.1.1). The following encodings for a tag are supported:

+|Value |Example|

+|:|:|

+|`{group}{element}` |`00100010`|

+|`{dicomKeyword}` |`PatientName`|

+Example query:

+`../workitems?PatientID=K123&0040A370.00080050=1423JS&includefield=00404005&limit=5&offset=0`

+#### Search Response

+The response will be an array of `0...N` DICOM datasets with the following attributes returned:

+* All attributes in [DICOM PowerShell 3.4 Table CC.2.5-3](https://dicom.nema.org/medical/dicom/current/output/html/part04.html#table_CC.2.5-3) with a Return Key Type of 1 or 2

+* All attributes in [DICOM PowerShell 3.4 Table CC.2.5-3](https://dicom.nema.org/medical/dicom/current/output/html/part04.html#table_CC.2.5-3) with a Return Key Type of 1C for which the conditional requirements are met

+* All other Workitem attributes passed as match parameters

+* All other Workitem attributes passed as includefield parameter values

+#### Search Response Codes

+The query API will return one of the following status codes in the response:

+|Code |Description|

+|:|:|

+|`200 (OK)`| The response payload contains all the matching resource.|

+|`206 (Partial Content)` | The response payload contains only some of the search results, and the rest can be requested through the appropriate request.|

+|`204 (No Content)`| The search completed successfully, but returned no results.|

+|`400 (Bad Request)`| The was a problem with the request. For example, invalid Query Parameter syntax. The Response body contains details of the failure.|

+|`401 (Unauthorized)`| The client isn't authenticated.|

+|`403 (Forbidden)` | The user isn't authorized. |

+|`503 (Service Unavailable)` | The service is unavailable or busy. Please try again later.|

+#### Additional Notes

+The query API will not return `413 (request entity too large)`. If the requested query response limit is outside of the acceptable range, a bad request will be returned. Anything requested within the acceptable range, will be resolved.

+* Paged results are optimized to return matched newest instance first, this may result in duplicate records in subsequent pages if newer data matching the query was added.

+* Matching is case insensitive and accent insensitive for PN VR types.

+* Matching is case insensitive and accent sensitive for other string VR types.

+* If there's a scenario where canceling a Workitem and querying the same happens at the same time, then the query will most likely exclude the Workitem that's getting updated and the response code will be `206 (Partial Content)`.

+For more information, see

+* [Store (STOW-RS)](dicom-services-conformance-statement.md#store-stow-rs)

+* [Retrieve (WADO-RS)](dicom-services-conformance-statement.md#retrieve-wado-rs)

+* [Search (QIDO-RS)](dicom-services-conformance-statement.md#search-qido-rs)

+* [Delete](dicom-services-conformance-statement.md#delete)

+* [Change Feed](dicom-change-feed-overview.md)

+* [Extended Query Tags](dicom-extended-query-tags-overview.md)

+Because DICOM service is exposed as a REST API, you can access it using any modern development language. For language-agnostic information on working with the service, see [DICOM Services Conformance Statement](dicom-services-conformance-statement.md).

+* Swift

+Azure Health Data Services supports multiple health data standards for the exchange of structured data. A single collection of Azure Health Data Services enables you to deploy multiple instances of different service types (FHIR, DICOM, and MedTech) that seamlessly work with one another. Services deployed within a workspace also share a compliance boundary and common configuration settings. The product scales automatically to meet the varying demands of your workloads, so you spend less time managing infrastructure and more time generating insights from health data.

+**DICOM service**

+Azure Health Data Services includes support for the DICOM service. DICOM enables the secure exchange of image data and its associated metadata. DICOM is the international standard to transmit, store, retrieve, print, process, and display medical imaging information, and is the primary medical imaging standard accepted across healthcare. For more information about the DICOM service, see [Overview of DICOM](./dicom/dicom-services-overview.md).

+**MedTech service**

+Azure Health Data Services includes support for the MedTech service. The MedTech service enables you to ingest high-frequency IoT device data into the FHIR Service in a scalable, secure, and compliant manner. For more information about MedTech, see [Overview of MedTech](../healthcare-apis/iot/iot-connector-overview.md).

+**FHIR service**

+Azure Health Data Services includes support for FHIR service. The FHIR service enables rapid exchange of health data using the Fast Healthcare Interoperability Resources (FHIR®) data standard. For more information about MedTech, see [Overview of FHIR](../healthcare-apis/fhir/overview.md).

+* The `$convert-data` operation can now transform JSON objects to FHIR R4.

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+When you're satisfied with your configuration and it has been successfully validated, you can complete the deployment and post-deployment process.

+The process for granting your MedTech service system-assigned managed identity access to your FHIR service requires the same 13 steps that you used to grant access to your device message event hub. There are two exceptions. The first is that, instead of navigating to the Access Control (IAM) menu from within your event hub (as outlined in steps 1-4), you should navigate to the equivalent Access Control (IAM) menu from within your FHIR service. The second exception is that, in step 6, your MedTech service system-assigned managed identity will require you to select the **View** button directly across from **FHIR Data Writer** access instead of the button across from **Azure Event Hubs Data Receiver**.

+The MedTech service enables you to ingest high-frequency IoT device data into the FHIR Service in a scalable, secure, and compliant manner. For more information, see [the MedTech service documentation page]see [Overview of MedTech](../healthcare-apis/iot/iot-connector-overview.md).

+ |`WIFI_SSID` |{*Your Wi-Fi SSID*}|

+6. Select the *Connect Settings* tab, select the *Speed* dropdown, and set the speed to 1,000,000 bps.

+ > [!IMPORTANT]

+ > If there are errors when you try to flash the board, you might need to lower the speed in this setting to 750,000 bps or lower.

+6. Select the *Operation* tab, then select the *Browse...* button and locate the *rx65n_azure_iot.hex* file created in the previous section.

+7. Press *Start* to begin flashing. This process takes less than a minute.

+

+ MAC address:

+ Firmware version 0.14

+ SUCCESS: WiFi initialized

+

+ Connecting WiFi

+ Connecting to SSID

+ Attempt 1...

+ SUCCESS: WiFi connected

+

+ IP address: 192.168.0.31

+ Mask: 255.255.255.0

+ Gateway: 192.168.0.1

+

+ DNS address: 192.168.0.1

+

+ Initializing SNTP time sync

+ SNTP server 0.pool.ntp.org

+ SNTP server 1.pool.ntp.org

+ SNTP time update: Oct 14, 2022 15:23:15.578 UTC

+

+ DPS endpoint: global.azure-devices-provisioning.net

+ DPS ID scope:

+ Registration ID: mydevice

+

+ Hub hostname:

+ Device id: mydevice

+ Model id: dtmi:azurertos:devkit:gsgrx65ncloud;1

+ SUCCESS: Connected to IoT Hub

+

+ Receive properties: {"desired":{"$version":1},"reported":{"$version":1}}

+ Sending property: $iothub/twin/PATCH/properties/reported/?$rid=3{"deviceInformation":{"__t":"c","manufacturer":"Renesas","model":"RX65N Cloud Kit","swVersion":"1.0.0","osName":"Azure RTOS","processorArchitecture":"RX65N","processorManufacturer":"Renesas","totalStorage":2048,"totalMemory":640}}

+ Sending property: $iothub/twin/PATCH/properties/reported/?$rid=5{"ledState":false}

+ Sending property: $iothub/twin/PATCH/properties/reported/?$rid=7{"telemetryInterval":{"ac":200,"av":1,"value":10}}

+

+ Starting Main loop

+ Telemetry message sent: {"humidity":29.37,"temperature":25.83,"pressure":92818.25,"gasResistance":151671.25}.

+ Telemetry message sent: {"accelerometerX":-887,"accelerometerY":236,"accelerometerZ":8272}.

+ Telemetry message sent: {"gyroscopeX":9,"gyroscopeY":1,"gyroscopeZ":4}.

+1. In the **State** dropdown, select **False**, and then select **Run**. The LED light should turn off.

+>[!NOTE]

+> If you've previously completed [Quickstart: Provision a simulated symmetric key device](quick-create-simulated-device-symm-key.md) and still have your Azure resources and development environment set up, you can proceed to [Create a symmetric key enrollment group](#create-a-symmetric-key-enrollment-group) in this tutorial.

+Provision multiple symmetric key devices using an enrollment group:

+> [Tutorial: Provision devices using symmetric key enrollment groups](how-to-legacy-device-symm-key.md)

+

+ Title: How to determine your quota usage

+description: Learn how to determine where the cores for your subscription are used and if you have any spare capacity against your quota.

+

+# Determine usage and quota

+Keeping track of how your quota of VM cores is being used across your subscriptions can be difficult. You may want to know what your current usage is, how much you have left, and in what regions you have capacity. To help you understand where and how you're using your quota, Azure provides the Usage + Quotas page.

+## Determine your usage and quota

+1. In the [Azure portal](https://portal.azure.com), go to the subscription you want to examine.

+1. On the Subscription page, under Settings, select **Usage + quotas**.

+ :::image type="content" source="media/how-to-determine-your-core-usage/subscription-overview.png" alt-text="Screenshot showing the Subscription overview left menu, with Usage and quotas highlighted.":::

+

+1. To view Usage + quotas information about Azure Lab Services, select **Azure Lab Services**.

+ :::image type="content" source="media/how-to-determine-your-core-usage/select-azure-lab-services.png" alt-text="Screenshot showing the Usage and quotas page, Compute drop-down, with Azure Lab Services highlighted.":::

+

+ >[!Tip]

+ >If you donΓÇÖt see any data on the Usage + quotas page, or youΓÇÖre not able to select Azure Lab Services from the list, your subscription may not be registered with Azure Lab Services.

+ >Follow the steps in the Register your subscription with Azure Labs Services section below to resolve the issue.

+

+1. In this example, you can see the **Quota name**, the **Region**, the **Subscription** the quota is assigned to, and the **Current Usage**.

+ :::image type="content" source="media/how-to-determine-your-core-usage/example-subscription.png" alt-text="Screenshot showing the Usage and quotas page, with column headings highlighted.":::

+1. You can also see that the usage is grouped by level; regular, low, and no usage. Within the usage levels, the items are grouped in their sizes ΓÇô including Small / Medium / Large cores, and by labs and lab plans.

+ :::image type="content" source="media/how-to-determine-your-core-usage/example-subscription-groups.png" alt-text="Screenshot showing the Usage and quotas page, with VM size groups highlighted.":::

+

+1. To view quota and usage information for specific regions, select **Region:** and select the regions to display, and then select **Apply**.

+ :::image type="content" source="media/how-to-determine-your-core-usage/select-regions.png" alt-text="Screenshot showing the Usage and quotas page, with Regions drop down highlighted.":::

+

+1. To view only the items that are using part of your quota, select **Usage:**, and then select **Only items with usage**.

+ :::image type="content" source="media/how-to-determine-your-core-usage/select-items-with-usage.png" alt-text="Screenshot showing the Usage and quotas page, with Usage drop down and Only show items with usage option highlighted.":::

+

+1. To view items that are using above a certain amount of your quota, select **Usage:**, and then select **Select custom usage**.

+ :::image type="content" source="media/how-to-determine-your-core-usage/select-custom-usage-before.png" alt-text="Screenshot showing the Usage and quotas page, with Usage drop down and Select custom usage option highlighted.":::

+

+1. You can then set a custom usage threshold, so only the items using above the specified percentage of the quota are displayed.

+

+ :::image type="content" source="media/how-to-determine-your-core-usage/select-custom-usage.png" alt-text="Screenshot showing the Usage and quotas page, with Select custom usage option and configuration settings highlighted.":::

+1. Select **Apply**.

+ Each subscription has its own Usage + quotas page, which covers all the various services in the subscription, not just Azure Lab Services. Although you can request a quota increase from the Usage + quotas page, you'll have more relevant information at hand if you make your request from your lab plan page.

+## Register your subscription with Azure Labs Services

+In most cases, Azure Lab Services will register your subscription when you perform certain actions, like creating a lab plan. In some cases, you must register your subscription with the Azure Labs Service manually before you can view your usage and quota information on the Usage + Quotas page.

+### To register your subscription:

+1. In the [Azure portal](https://portal.azure.com), go to the subscription you want to examine.

+1. On the Subscription page, under Settings, select **Usage + quotas**.

+ :::image type="content" source="media/how-to-determine-your-core-usage/subscription-overview.png" alt-text="Screenshot showing the Subscription overview left menu, with Usage and quotas highlighted.":::

+1. If you arenΓÇÖt registered with Azure Lab Services, youΓÇÖll see the message *ΓÇ£One or more resource providers selected are not registered for this subscription. To access your quotas, register the resource provider.ΓÇ¥*

+ :::image type="content" source="media/how-to-determine-your-core-usage/register-to-service.png" alt-text="Screenshot showing the register with service message and link to register the resource provider highlighted.":::

+1. Select the link and follow the instructions to register your account with Azure Lab Services.

+## Next steps

+- Learn more about [Capacity limits in Azure Lab Services](./capacity-limits.md).

+- Learn how to [Request a core limit increase](./how-to-request-capacity-increase.md).

+

+<!-- As a lab administrator, I want more VM cores available for my subscription so that I can support more students. -->

+If you reach the cores limit for your subscription, you can request a core limit increase (sometimes called an increase in capacity, or a quota increase) to continue using Azure Lab Services. The request process allows the Azure Lab Services team to ensure your subscription isn't involved in any cases of fraud or unintentional, sudden large-scale deployments.

+Before you begin your request for a core limit increase, you should make sure that you have all the information you need available and verify that you have the appropriate permissions. Gather information like the number and size of cores you want to add, the regions you can use, and the location of resources like your existing labs and virtual networks.

+Your cores can be divided amongst virtual machines (VMs) of different sizes. You must calculate the total number of cores for each size. You must include the number of cores you already have, and the number of cores you want to add to determine the total number of cores. You must then map the total number of cores you want to the SKU size groups listed below.

+As an example, suppose you have existing VMs, and want to request more as shown in the following table:

+Remember that the total number of cores is the existing cores and the new cores you are requesting.

+You can follow these steps to request a core limit increase:

+1. In the Azure portal, navigate to your lab plan or lab account, and then select **Create support request**.

+ :::image type="content" source="./media/how-to-request-capacity-increase/request-from-lab-plan.png" alt-text="Screenshot of the Help + support page with Create support request highlighted.":::

+When you request core limit increase, you must supply some information to help the Azure Lab Services team evaluate and action your request as quickly as possible. The more information you can supply and the earlier you supply it, the more quickly the Azure Lab Services team will be able to process your request.

+#### [**Lab Account (Classic) - May 2019 version**](#tab/LabAccounts/)

+ |**What is the ideal date to have this by?**|It's best to request a core limit increase well before you need the new cores. Use this option to specify when the new cores are required.|

+ |**Alternate regions**|If you're flexible with the location of your cores, you can select alternate regions.|

+ |**Virtual machine size**|Select the virtual machine size(s) that you require for the new cores.|

+ |**Requested total core limit**|Enter the total number of cores you require; your existing cores + the number you're requesting. See [Determine the total number of cores in your request](#determine-the-total-number-of-cores-in-your-request) to learn how to calculate the total number of cores for each size group.|

+ |**Is this for an existing lab or to create a new lab?**|Select **Existing lab** or **New lab**.|

+ |**What is the lab account name?**|Only applies if you're adding cores to an existing lab. Select the lab account name.|

+Learn more at [Train machine learning models with MLflow projects and Azure Machine Learning](how-to-train-mlflow-projects.md).

+Compute instances get the latest VM images at the time of provisioning. Microsoft releases new VM images on a monthly basis. Once a compute instance is deployed, it does not get actively updated. To keep current with the latest software updates and security patches, you could:

+1. Recreate a compute instance to get the latest OS image (recommended)

+ * Data and customizations such as installed packages that are stored on the instanceΓÇÖs OS and temporary disks will be lost.

+ * [Store notebooks under "User files"](/azure/machine-learning/concept-compute-instance#accessing-files) to persist them when recreating your instance.

+ * [Mount data using datasets and datastores](/azure/machine-learning/v1/concept-azure-machine-learning-architecture#datasets-and-datastores) to persist files when recreating your instance.

+ * See [Compute Instance release notes](azure-machine-learning-ci-image-release-notes.md) for details on image releases.

+1. Alternatively, regularly update OS and python packages.

+ * Use Linux package management tools to update the package list with the latest versions.

+

+ ```bash

+ sudo apt-get update

+ ```

+

+ * Use Linux package management tools to upgrade packages to the latest versions. Note that package conflicts might occur using this approach.

+

+ ```bash

+ sudo apt-get upgrade

+ ```

+

+ * Use Python package management tools to upgrade packages and check for updates.

+

+ ```bash

+ pip list --outdated

+ ```

+

+You may install and run additional scanning software on compute instance to scan for security issues.

+

+* [Trivy](https://github.com/aquasecurity/trivy) may be used to discover OS and python package level vulnerabilities.

+* [ClamAV](https://www.clamav.net/) may be used to discover malware and comes pre-installed on compute instance.

+* Defender for Server agent installation is currently not supported.

+* Consider using [customization scripts](/azure/machine-learning/how-to-customize-compute-instance) for automation.

+# Set up AutoML to train a natural language processing model

+For AutoML jobs via the SDK, you configure the job with the specific NLP task function. The following example demonstrates the configuration for `text_classification`.

+# Train ML models with MLflow Projects and Azure Machine Learning

+## [Azure CLI](#tab/cli)

+## [Python SDK](#tab/python)

+This error is returned when the environment (docker image) is being built. You can check the build log for more information on the failure(s). The build log is located in the default storage for your Azure Machine Learning workspace. The exact location may be returned as part of the error. For example, "The build log is available in the workspace blob store '[storage-account-name]' under the path '/azureml/ImageLogs/your-image-id/build.log'". In this case, "azureml" is the name of the blob container in the storage account.

+Below is a list of common image build failure scenarios:

+* [Azure Container Registry (ACR) authorization failure](#container-registry-authorization-failure)

+* [Generic or unknown failure](#generic-image-build-failure)

+#### Container registry authorization failure

+If the error message mentions `"container registry authorization failure"`, that means the container registry could not be accessed with the current credentials.

+This can be caused by desynchronization of a workspace resource's keys and it takes some time to automatically synchronize.

+However, you can [manually call for a synchronization of keys](https://learn.microsoft.com/cli/azure/ml/workspace#az-ml-workspace-sync-keys) which may resolve the authorization failure.

+Container registries that are behind a virtual network may also encounter this error if set up incorrectly. You must verify that the virtual network been set up properly.

+#### Generic image build failure

+As stated above, you can check the build log for more information on the failure.

+If no obvious error is found in the build log and the last line is `Installing pip dependencies: ...working...`, then the error may be caused by a dependency. Pinning version dependencies in your conda file can fix this problem.

+We also recommend [deploying locally](#deploy-locally) to test and debug your models locally before deploying to the cloud.

+#### [Azure CLI](#tab/cli)

+#### [Python SDK](#tab/python)

+ #### [Azure CLI](#tab/cli)

+ #### [Python SDK](#tab/python)

+ #### [Azure CLI](#tab/cli)

+ #### [Python SDK](#tab/python)

+| 404 | Not found | The endpoint doesn't have any valid deployment with positive weight. |

+| 429 | Too many pending requests | Your model is getting more requests than it can handle. We allow maximum 2 * `max_concurrent_requests_per_instance` * `instance_count` / `request_process_time (in seconds)` requests per second. Additional requests are rejected. You can confirm these settings in your model deployment config under `request_settings` and `scale_settings`, respectively. If you're using auto-scaling, your model is getting requests faster than the system can scale up. With auto-scaling, you can try to resend requests with [exponential backoff](https://aka.ms/exponential-backoff). Doing so can give the system time to adjust. Apart from enable auto-scaling, you could also increase the number of instances by using the below [code](#how-to-calculate-instance-count). |

+target_rps = 20

+concurrent_requests = target_rps * request_process_time / target_utilization

+## Train MLflow projects

+You can use MLflow Tracking to submit training jobs with [MLflow Projects](https://www.mlflow.org/docs/latest/projects.html) and Azure Machine Learning back-end support. You can submit jobs locally with Azure Machine Learning tracking or migrate your runs to the cloud via [Azure Machine Learning compute](../how-to-create-attach-compute-cluster.md).

+Learn more at [Train machine learning models with MLflow projects and Azure Machine Learning](../how-to-train-mlflow-projects.md).

+Azure Managed Instance for Apache Cassandra does not create nodes with public IP addresses. To connect to your newly created Cassandra cluster, you must create another resource inside the virtual network. This resource can be an application, or a virtual machine with Apache's open-source query tool [CQLSH](https://cassandra.apache.org/doc/latest/cassandra/tools/cqlsh.html) installed. You can use a [Resource Manager template](https://azure.microsoft.com/resources/templates/vm-simple-linux/) to deploy an Ubuntu virtual machine.

+### Connecting from CQLSH

+After the virtual machine is deployed, use SSH to connect to the machine and install CQLSH as shown in the following commands:

+### Connecting from an application

+As with CQLSH, connecting from an application using one of the supported [Apache Cassandra client drivers](https://cassandra.apache.org/doc/latest/cassandra/getting_started/drivers.html) requires SSL to be enabled. See samples for connecting to Azure Managed Instance for Apache Cassandra using [Java](https://github.com/Azure-Samples/azure-cassandra-mi-java-v4-getting-started) and [.NET](https://github.com/Azure-Samples/azure-cassandra-mi-dotnet-core-getting-started). For Java, we highly recommend enabling [speculative execution policy](https://docs.datastax.com/en/developer/java-driver/4.10/manual/core/speculative_execution/). You can find a demo illustrating how this works and how to enable the policy [here](https://github.com/Azure-Samples/azure-cassandra-mi-java-v4-speculative-execution).

+Disabling certificate verification is recommended because certificate verification will not work unless you either store and validate against locally held copies of our certificates, or map I.P addresses of your cluster nodes to the appropriate domain. If you have an internal policy which mandates that you do SSL certificate verification for any application, you can facilitate this by either:

+- Storing our certificates locally and verifying against them. Our certificates are signed with Digicert - see [here](/azure/active-directory/fundamentals/certificate-authorities). You would need to ensure that you keep this up-to-date.

+- Adding entries like `10.0.1.5 host1.managedcassandra.cosmos.azure.com` in your hosts file for each node. If taking this approach, you would also need to add new entries whenever scaling up nodes.

+Azure Managed Instance for Apache Cassandra does not create nodes with public IP addresses, so to connect to your newly created Cassandra cluster, you will need to create another resource inside the VNet. This could be an application, or a Virtual Machine with Apache's open-source query tool [CQLSH](https://cassandra.apache.org/doc/latest/cassandra/tools/cqlsh.html) installed. You can use a [template](https://azure.microsoft.com/resources/templates/vm-simple-linux/) to deploy an Ubuntu Virtual Machine.

+### Connecting from CQLSH

+After the virtual machine is deployed, use SSH to connect to the machine, and install CQLSH using the below commands:

+### Connecting from an application

+As with CQLSH, connecting from an application using one of the supported [Apache Cassandra client drivers](https://cassandra.apache.org/doc/latest/cassandra/getting_started/drivers.html) requires SSL to be enabled. See samples for connecting to Azure Managed Instance for Apache Cassandra using [Java](https://github.com/Azure-Samples/azure-cassandra-mi-java-v4-getting-started) and [.NET](https://github.com/Azure-Samples/azure-cassandra-mi-dotnet-core-getting-started). For Java, we highly recommend enabling [speculative execution policy](https://docs.datastax.com/en/developer/java-driver/4.10/manual/core/speculative_execution/). You can find a demo illustrating how this works and how to enable the policy [here](https://github.com/Azure-Samples/azure-cassandra-mi-java-v4-speculative-execution).

+Disabling certificate verification is recommended because certificate verification will not work unless you either store and validate against locally held copies of our certificates, or map I.P addresses of your cluster nodes to the appropriate domain. If you have an internal policy which mandates that you do SSL certificate verification for any application, you can facilitate this by either:

+- Storing our certificates locally and verifying against them. Our certificates are signed with Digicert - see [here](/azure/active-directory/fundamentals/certificate-authorities). You would need to ensure that you keep this up-to-date.

+- Adding entries like `10.0.1.5 host1.managedcassandra.cosmos.azure.com` in your hosts file for each node. If taking this approach, you would also need to add new entries whenever scaling up nodes.

+|Slow_queries|slow_queries|Count|The total count of slow queries on your server in the selected time range.|

+## Enhanced metrics

+### DML statistics

+|Metric display name|Metric|Unit|Description|

+|||||

+|Com_select|Com_select|Count|The total count of select statements that have been executed on your server in the selected time range.|

+|Com_update|Com_update|Count|The total count of update statements that have been executed on your server in the selected time range.|

+|Com_insert|Com_insert|Count|The total count of insert statements that have been executed on your server in the selected time range.|

+|Com_delete|Com_delete|Count|The total count of delete statements that have been executed on your server in the selected time range.|

+### DDL statistics

+|Metric display name|Metric|Unit|Description|

+|||||

+|Com_create_db|Com_create_db|Count|The total count of create database statements that have been executed on your server in the selected time range.|

+|Com_drop_db|Com_drop_db|Count|The total count of drop database statements that have been executed on your server in the selected time range.|

+|Com_create_table|Com_create_table|Count|The total count of create table statements that have been executed on your server in the selected time range.|

+|Com_drop_table|Com_drop_table|Count|The total count of drop table statements that have been executed on your server in the selected time range.|

+|Com_Alter|Com_Alter|Count|The total count of alter table statements that have been executed on your server in the selected time range.|

+### Innodb metrics

+|Metric display name|Metric|Unit|Description|

+|||||

+|Innodb_buffer_pool_reads|Innodb_buffer_pool_reads|Count|The total count of logical reads that InnoDB engine couldn't satisfy from the Innodb buffer pool, and had to be fetched from the disk.|

+|Innodb_buffer_pool_read_requests|Innodb_buffer_pool_read_requests|Count|The total count of logical read requests to read from the Innodb Buffer pool.|

+|Innodb_buffer_pool_pages_free|Innodb_buffer_pool_pages_free|Count|The total count of free pages in InnoDB buffer pool.|

+|Innodb_buffer_pool_pages_data|Innodb_buffer_pool_pages_data|Count|The total count of pages in the InnoDB buffer pool containing data. The number includes both dirty and clean pages.|

+|Innodb_buffer_pool_pages_dirty|Innodb_buffer_pool_pages_dirty|Count|The total count of pages in the InnoDB buffer pool containing dirty pages.|

+ You can now scale IOPS on demand without having to pre-provision a certain amount of IOPS. With this feature, you can now enjoy worry free IO management in Azure Database for MySQL - Flexible Server because the server scales IOPs up or down automatically depending on workload needs. With this feature you, pay only for the IO you use and no longer need to provision and pay for resources they arenΓÇÖt fully using, saving both time and money. In addition, mission-critical Tier-1 applications can achieve consistent performance by making additional IO available to the workload at any time. Auto scale IO eliminates the administration required to provide the best performance at the least cost for Azure Database for MySQL customers. [Learn more](./concepts-service-tiers-storage.md)

+- **Perform Major version upgrade with minimal efforts for Azure Database for MySQL - Flexible Server (Preview)**

+ The major version upgrade feature allows you to perform in-place upgrades of existing instances of Azure Database for MySQL - Flexible Server from MySQL 5.7 to MySQL 8.0 with the click of a button, without any data movement or the need to make any application connection string changes. Take advantage of this functionality to efficiently perform major version upgrades on your instances of Azure Database for MySQL - Flexible Server and leverage the latest that MySQL 8.0 has to offer. Learn [more](./how-to-upgrade.md).

+- **MySQL extension for Azure Data Studio (Preview)**

+ When you’re working with multiple databases across data platforms and cloud deployment models, being able to perform the most common tasks on all your databases using a single tool enhances your productivity several fold. With the MySQL extension for Azure Data Studio, you can now connect to and modify MySQL databases along with your other databases, taking advantage of the modern editor experience and capabilities in Azure Data Studio, such as IntelliSense, code snippets, source control integration, native Jupyter Notebooks, an integrated terminal, and more. Use this new tooling with any MySQL server hosted on-premises, on virtual machines, on managed MySQL in other clouds, and on Azure Database for MySQL – Flexible Server. Learn [more](/sql/azure-data-studio/quickstart-mysql).

+- **Known issues**

+ - Change of compute size is not currently permitted after the Major version upgrade of your Azure Database for MySQL - Flexible Server. It is recommended to change the compute size of your Azure Database for MySQL - Flexible Server before the major version upgrade from version 5.7 to version 8.0.

+ Customers can now specify their preferred Availability zone at the time of server creation. This functionality allows customers to collocate their applications hosted on Azure VM, Virtual Machine Scale Set, or AKS and database in the same Availability zones to minimize database latency and improve performance. [Learn more](quickstart-create-server-portal.md#create-an-azure-database-for-mysql-flexible-server).

+> This tutorial covers Connection Monitor. Try the new and improved [Connection Monitor](connection-monitor-overview.md) to experience enhanced connectivity monitoring

+Create a virtual machine scale set.

+You can deploy a scale set with a Windows Server image or Linux images such as RHEL, CentOS, Ubuntu, or SLES.

+1. In the **Basics** tab, under **Project details**, make sure the correct subscription is selected and select *myVMSSResourceGroup* from the resource group list.

+ - A **Password** must be at least 12 characters long and meet three out of the four following complexity requirements: one lowercase character, one uppercase character, one number, and one special character. For more information, see [username and password requirements](../virtual-machines/windows/faq.yml#what-are-the-password-requirements-when-creating-a-vm-).

+| 1 | Select a version of the **Ubuntu Server** | |

+ * **Test Frequency**: In this list, specify how frequently sources will ping destinations on the protocol and port that you specified. You can choose 30 seconds, 1 minute, 5 minutes, 15 minutes, or 30 minutes. Select **custom** to enter another frequency that's between 30 seconds and 30 minutes. Sources will test connectivity to destinations based on the value that you choose. For example, if you select 30 seconds, sources will check connectivity to the destination at least once every 30 seconds period.

+ * In case the virtual machine scale set selected is set for manual upgradation, the user will have to upgrade the scale set post Network Watcher extension installation in order to continue setting up the Connection Monitor with the virtual machine scale set as endpoints. In case the virtual machine scale set is set to auto upgradation, the user need not worry about any upgradation after Network Watcher extension installation.

+ * In the scenario mentioned above, user can consent to auto upgradation of the virtual machine scale set with auto enablement of Network Watcher extension during the creation of Connection Monitor for virtual machine scale sets with manual upgradation. This would eliminate the need for the user to manually upgrade the virtual machine scale set after installing the Network Watcher extension.

+Once all the steps are completed, the process will proceed with the unified enablement of monitoring extensions for all endpoints without monitoring agents enabled, followed by creation of Connection Monitor.

+As a best practice, to avoid loss of data due to downscaling of instances, it is advised to select ALL instances in a scale set while creating a test group instead of selecting a particular few for monitoring your endpoints.

+In this tutorial, you learned how to monitor a connection between a virtual machine scale set and a VM. You learned that a network security group rule prevented communication to a VM. To learn about all of the different responses the connection monitor can return, see [response types](network-watcher-connectivity-overview.md#response). You can also monitor a connection between a VM, a fully qualified domain name, a uniform resource identifier, or an IP address.

+| 1 | Select a version of **Ubuntu Server** | |

+1. In Azure portal, select the **Monitor** service, and then select **Alerts** > **New alert rule**.

+A virtual network gateway connects an Azure virtual network to an on-premises or other virtual network. In this tutorial, you learn how to:

+ However, when you ran the test using 172.31.0.100, the result informed you that there was no next hop type. As you can see in the previous picture, though there is a default route to the 172.16.0.0/12 prefix, which includes the 172.31.0.100 address, the **NEXT HOP TYPE** is **None**. Azure creates a default route to 172.16.0.0/12 but doesn't specify a next hop type until there is a reason to. If, for example, you added the 172.16.0.0/12 address range to the address space of the virtual network, Azure changes the **NEXT HOP TYPE** to **Virtual network** for the route. A check would then show **Virtual network** as the **NEXT HOP TYPE**.

+The checks in this quickstart tested Azure configuration. If the checks return the expected results and you still have network problems, ensure that you don't have a firewall between your VM and the endpoint you're communicating with and that the operating system in your VM doesn't have a firewall that is allowing or denying communication.

+The virtual machine takes a few minutes to create. Don't continue with the remaining steps until the VM has finished creating. While the portal creates the virtual machine, it also creates a network security group with the name **myVM-nsg** and associates it with the network interface for the VM.

+The storage account may take around a minute to create. Don't continue with the remaining steps until the storage account is created. In all cases, the storage account must be in the same region as the NSG.

+The following example JSON displays data that you'll see in the PT1H.json file for each flow logged:

+The value for **mac** in the previous output is the MAC address of the network interface that was created when the VM was created. The comma-separated information for **flowTuples** is as follows:

+| 30 | Packets sent - Source to destination **Version 2 Only** | The total number of TCP or UDP packets sent from source to destination since the last update. |

+| 16978 | Bytes sent - Source to destination **Version 2 Only** | The total number of TCP or UDP packet bytes sent from source to destination since the last update. Packet bytes include the packet header and payload. |

+| 24 | Packets sent - Destination to source **Version 2 Only** | The total number of TCP or UDP packets sent from destination to source since the last update. |

+| 14008| Bytes sent - Destination to source **Version 2 Only** | The total number of TCP and UDP packet bytes sent from destination to source since the last update. Packet bytes include packet header and payload.|

+The raw data in the JSON file can be difficult to interpret. To visualize Flow Logs data, you can use [Azure Traffic Analytics](traffic-analytics.md) and [Microsoft Power BI](network-watcher-visualize-nsg-flow-logs-power-bi.md).

+You can delete Azure resources by using complete deployment mode. To delete a flow logs resource, specify a deployment in complete mode without including the resource you want to delete. Read more about [complete deployment mode](../azure-resource-manager/templates/deployment-modes.md#complete-mode).

+You can delete Azure resources by using complete deployment mode. To delete a flow logs resource, specify a deployment in complete mode without including the resource you want to delete. Read more about [complete deployment mode](../azure-resource-manager/templates/deployment-modes.md#complete-mode).

+The below three steps are mandatory to use Azure Active Directory Authentication with Azure Database for PostgreSQL Flexible Server and must be run by `tenant administrator`or a user with tenant admin rights and this is one time activity per tenant.

+### 5G handover procedures

+- TS 23.502: Procedures for the 5G System (5GS):

+ - 4.9.1.2: Xn based inter NG-RAN handover.

+ - 4.9.1.3: Inter NG-RAN node N2 based handover.

+### 4G handover procedures

+- TS 23.401: General Packet Radio Service (GPRS) enhancements for Evolved Universal Terrestrial Radio Access Network (E-UTRAN) access:

+ - 5.5.1.1 X2-based handover.

+| Azure Cosmos DB (Microsoft.DocumentDb/databaseAccounts) / Sql | privatelink.documents.azure.com | documents.azure.com |

+| Azure Cosmos DB (Microsoft.DocumentDb/databaseAccounts) / MongoDB | privatelink.mongo.cosmos.azure.com | mongo.cosmos.azure.com |

+| Azure Cosmos DB (Microsoft.DocumentDb/databaseAccounts) / Cassandra | privatelink.cassandra.cosmos.azure.com | cassandra.cosmos.azure.com |

+| Azure Cosmos DB (Microsoft.DocumentDb/databaseAccounts) / Gremlin | privatelink.gremlin.cosmos.azure.com | gremlin.cosmos.azure.com |

+| Azure Cosmos DB (Microsoft.DocumentDb/databaseAccounts) / Table | privatelink.table.cosmos.azure.com | table.cosmos.azure.com |

+## Managing the Debug Session state

+The debug session can be run again after its creation and its first run using the **Start** button. It may also be canceled while it is still executing using the **Cancel** button. Finally, it may be deleted using the **Delete** button.

+A debug session can be canceled while it's executing using the **Cancel** button.

+ Title: Add scoring profiles

+# Add scoring profiles to boost search scores

+In this article, you'll learn how to define a scoring profile for boosting search scores based on criteria.

+Criteria can be a weighted field, such as when a match found in a "tags" field is more relevant than a match found in "descriptions". Criteria can also be a function, such as the `distance` function that favors results that are within a specified distance of the current location.

+Scoring profiles are defined in a search index and invoked on query requests. You can create multiple profiles and then modify query logic to choose which one is used.

+> [!NOTE]

+> Unfamiliar with relevance concepts? The following video segment fast-forwards to how scoring profiles work in Azure Cognitive Search. You can also visit [Relevance and scoring in Azure Cognitive Search](index-similarity-and-scoring.md) for more background.

+>

+> > [!VIDEO https://www.youtube.com/embed/Y_X6USgvB1g?version=3&start=463&end=970]

+>

+## Scoring profile definition

+A scoring profile is part of the index definition and is composed of weighted fields, functions, and parameters.

+Parameters are specified on invocation. To use this scoring profile, your query is formulated to specify scoringProfile parameter in the request.

+You can use the [featuresMode (preview)](index-similarity-and-scoring.md#featuresmode-parameter-preview) parameter to request additional scoring details with the search results (including the field level scores).

+<a name="bkmk_ex"></a>

+## Extended example

+The following example shows the schema of an index with two scoring profiles (`boostGenre`, `newAndHighlyRated`). Any query against this index that includes either profile as a query parameter will use the profile to score the result set.

+The `boostGenre` profile uses weighted text fields, boosting matches found in albumTitle, genre, and artistName fields. The fields are boosted 1.5, 5, and 2 respectively. Why is genre boosted so much higher than the others? If search is conducted over data that is somewhat homogenous (as is the case with 'genre' in the musicstoreindex), you might need a larger variance in the relative weights. For example, in the musicstoreindex, 'rock' appears as both a genre and in identically phrased genre descriptions. If you want genre to outweigh genre description, the genre field will need a much higher relative weight.

+```json

+{

+ "name": "musicstoreindex",

+ "fields": [

+ { "name": "key", "type": "Edm.String", "key": true },

+ { "name": "albumTitle", "type": "Edm.String" },

+ { "name": "albumUrl", "type": "Edm.String", "filterable": false },

+ { "name": "genre", "type": "Edm.String" },

+ { "name": "genreDescription", "type": "Edm.String", "filterable": false },

+ { "name": "artistName", "type": "Edm.String" },

+ { "name": "orderableOnline", "type": "Edm.Boolean" },

+ { "name": "rating", "type": "Edm.Int32" },

+ { "name": "tags", "type": "Collection(Edm.String)" },

+ { "name": "price", "type": "Edm.Double", "filterable": false },

+ { "name": "margin", "type": "Edm.Int32", "retrievable": false },

+ { "name": "inventory", "type": "Edm.Int32" },

+ { "name": "lastUpdated", "type": "Edm.DateTimeOffset" }

+ ],

+ "scoringProfiles": [

+ {

+ "name": "boostGenre",

+ "text": {

+ "weights": {

+ "albumTitle": 1.5,

+ "genre": 5,

+ "artistName": 2

+ }

+ }

+ },

+ {

+ "name": "newAndHighlyRated",

+ "functions": [

+ {

+ "type": "freshness",

+ "fieldName": "lastUpdated",

+ "boost": 10,

+ "interpolation": "quadratic",

+ "freshness": {

+ "boostingDuration": "P365D"

+ }

+ },

+ {

+ "type": "magnitude",

+ "fieldName": "rating",

+ "boost": 10,

+ "interpolation": "linear",

+ "magnitude": {

+ "boostingRangeStart": 1,

+ "boostingRangeEnd": 5,

+ "constantBoostBeyondRange": false

+ }

+ }

+ ]

+ }

+ ],

+ "suggesters": [

+ {

+ "name": "sg",

+ "searchMode": "analyzingInfixMatching",

+ "sourceFields": [ "albumTitle", "artistName" ]

+ }

+ ]

+}

+```

+ Title: Configure relevance scoring

+# Configure relevance scoring

+In this article, you'll learn how to configure the similarity scoring algorithm used by Azure Cognitive Search. The BM25 scoring model has defaults for weighting term frequency and document length. You can customize these properties if the defaults aren't suited to your content.

+Configuration changes are scoped to individual indexes, which means you can adjust relevance scoring based on the characteristics of each index.

+## Default scoring algorithm

+Depending on the age of your search service, Azure Cognitive Search supports two [similarity scoring algorithms](index-similarity-and-scoring.md) for assigning relevance to results in a full text search query:

+BM25 ranking is the default because it tends to produce search rankings that align better with user expectations. It includes [parameters](#set-bm25-parameters) for tuning results based on factors such as document size. For search services created after July 2020, BM25 is the only scoring algorithm. If you try to set "similarity" to ClassicSimilarity on a new service, an HTTP 400 error will be returned because that algorithm is not supported by the service.

+BM25 similarity adds two parameters to control the relevance score calculation.

+1. Formulate a [Create or Update Index](/rest/api/searchservice/create-index) request as illustrated by the following example.

+ ```http

+ PUT [service-name].search.windows.net/indexes/[index-name]?api-version=2020-06-30&allowIndexDowntime=true

+ {

+ "similarity": {

+ "@odata.type": "#Microsoft.Azure.Search.BM25Similarity",

+ "b" : 0.75,

+ "k1" : 1.2

+ }

+ ```

+1. Set "b" and "k1" to custom values. See the property descriptions in the next section for details.

+1. If the index is live, append the "allowIndexDowntime=true" URI parameter on the request.

+ Because Cognitive Search won't allow updates to a live index, you'll need to take the index offline so that the parameters can be added. Indexing and query requests will fail while the index is offline. The duration of the outage is the amount of time it takes to update the index, usually no more than several seconds. When the update is complete, the index comes back automatically.

+1. Send the request.

+### BM25 property descriptions

+This article explains the relevance and the scoring algorithms used to compute search scores in Azure Cognitive Search. A relevance score is computed for each match found in a [full text search](search-lucene-query-architecture.md), where the strongest matches are assigned higher search scores.

+Relevance applies to full text search only. Filter queries, autocomplete and suggested queries, wildcard search or fuzzy search queries are not scored or ranked for relevance.

+You can customize the way different fields are ranked by defining a *scoring profile*. Scoring profiles provide criteria for boosting the search score of a match based on content characteristics. For example, you might want to boost matches based on their revenue potential, promote newer items, or perhaps boost items that have been in inventory too long.

+| [Azure Cognitive Search Lab readme](https://github.com/Azure-Samples/azure-search-lab/blob/main/README.md) | Connects to your search service with a Web UI that exercises the full REST API, including the ability to edit a live search index. | [https://github.com/Azure-Samples/azure-search-lab](https://github.com/Azure-Samples/azure-search-lab) |

+| [Back up and Restore readme](https://github.com/liamc) | Download a populated search index to your local device and then upload the index and its content to a new search service. | [https://github.com/liamca/azure-search-backup-restore](https://github.com/liamca/azure-search-backup-restore) |

+| [Performance testing readme](https://github.com/Azure-Samples/azure-search-performance-testing/blob/main/README.md) | This solution helps you load test Azure Cognitive Search. It uses Apache JMeter as an open source load and performance testing tool and Terraform to dynamically provision and destroy the required infrastructure on Azure. | [https://github.com/Azure-Samples/azure-search-performance-testing](https://github.com/Azure-Samples/azure-search-performance-testing) |

+1. [Create data source](/rest/api/searchservice/create-data-source) or [Update data source](/rest/api/searchservice/update-data-source) to set its definition:

+ Title: 'Tutorial: Index at scale (Spark)'

+description: Search big data from Apache Spark that's been transformed by SynapseML. You'll load invoices into data frames, apply machine learning, and then send output to a generated search index.

+# Tutorial: Index large data from Apache Spark using SynapseML and Cognitive Search

+In this Azure Cognitive Search tutorial, learn how to index and query large data loaded from a Spark cluster. You'll set up a Jupyter Notebook that performs the following actions:

+> + Write the output to a search index hosted in Azure Cognitive Search

+> + Explore and query over the content you created

+This tutorial takes a dependency on [SynapseML](https://www.microsoft.com/research/blog/synapseml-a-simple-multilingual-and-massively-parallel-machine-learning-library/), an open source library that supports massively parallel machine learning over big data. In SynapseML, search indexing and machine learning are exposed through *transformers* that perform specialized tasks. Transformers tap into a wide range of AI capabilities. In this exercise, you'll use the **AzureSearchWriter** transformer that calls Cognitive Search for indexing, and other transformers that calls Cognitive Services for analysis and AI enrichment.

+Although Azure Cognitive Search has native [AI enrichment](cognitive-search-concept-intro.md), this tutorial shows you how to access AI capabilities outside of Cognitive Search. By using SynapseML instead of indexers or skills, you're not subject to data limits or other constraints associated with those objects.

+> Watch a short video of this demo at [https://www.youtube.com/watch?v=iXnBLwp7f88](https://www.youtube.com/watch?v=iXnBLwp7f88). The video expands on this tutorial with more steps and visuals.

+¹ This tutorial includes instructions for loading the package.

+² You can use the free tier but [choose a higher tier](search-sku-tier.md) if data volumes are large. You'll need the [API key](search-security-api-keys.md#find-existing-keys) for this resource.

+³ This tutorial uses Azure Forms Recognizer and Azure Translator. In the instructions below, you'll provide a [Cognitive Services multi-service key](../cognitive-services/cognitive-services-apis-create-account.md?tabs=multiservice%2cwindows#get-the-keys-for-your-resource) and the region, and it will work for both services.

+⁴ In this tutorial, Azure Databricks provides the computing platform. You could also use Azure Synapse Analytics or any other computing platform supported by `synapseml`. The Azure Databricks article listed in the prerequisites includes multiple steps. For this tutorial, follow only the instructions in "Create a workspace".

+> All of the above Azure resources support security features in the Microsoft Identity platform. For simplicity, this tutorial assumes key-based authentication, using endpoints and keys copied from the portal pages of each service. If you implement this workflow in a production environment, or share the solution with others, remember to replace hard-coded keys with integrated security or encrypted keys.

+## 1 - Create a Spark cluster and notebook

+## 2 - Set up dependencies

+This code imports multiple packages and sets up access to the Azure resources used in this workflow.

+## 3 - Load data into Spark

+## 4 - Add form recognition

+## 5 - Restructure form recognition output

+## 6 - Add translations

+## 7 - Add a search index with AzureSearchWriter

+## 8 - Query the index

+In this tutorial, you learned about the [AzureSearchWriter](https://microsoft.github.io/SynapseML/docs/documentation/transformers/transformers_cognitive/#azuresearch) transformer in SynapseML, which is a new way of creating and loading search indexes in Azure Cognitive Search. The transformer takes structured JSON as an input. The FormOntologyLearner can provide the necessary structure for output produced by the Forms Recognizer transformers in SynapseML.

+1. The @search.rerankerScore is assigned to each document based on the semantic relevance of the caption. Scores range from 4 to 0 (high to low), where a higher score indicates a stronger match.

+> - This feature is rolling out during Ignite 2022, and will initially be available in East US and North Europe, with more regions following later.

+This can be done by calling [QueueClient.DeadLetterAsync(Guid lockToken, string deadLetterReason, string deadLetterErrorDescription) method](/dotnet/api/microsoft.servicebus.messaging.queueclient.deadletterasync#microsoft-servicebus-messaging-queueclient-deadletterasync(system-guid-system-string-system-string)).

+It is recommended to include the type of the exception in the DeadLetterReason and the StackTrace of the exception in the DeadLetterDescription as this makes it easier to troubleshoot the cause of the problem resulting in messages being dead-lettered. Be aware that this may result in some messages exceeding [the 256KB quota limit for the Standard Tier of Azure Service Bus](/azure/service-bus-messaging/service-bus-quotas), further indicating that the Premium Tier is what should be used for production environments.

+2. Traffic replicates to Azure storage public endpoints over the internet. Alternately, you can use Azure ExpressRoute with [Microsoft peering](../expressroute/expressroute-circuit-peerings.md#microsoftpeering). Replicating traffic over a site-to-site virtual private network (VPN) from an on-premises site to Azure is only supported when using [private endpoints](../private-link/private-endpoint-overview.md).

+description: Use an external provider to manage your custom domain in Azure Static Web Apps.

+By default, Azure Static Web Apps provides an auto-generated domain name for your website, but you can point a custom domain to your site. Free SSL/TLS certificates automatically get created for the auto-generated domain name and any custom domains that you might add. This article shows how to configure your domain name with the `www` subdomain, using an external provider.

+> [!NOTE]

+> Static Web Apps doesn't support set-up of a custom domain with a private DNS server, hosted on-premises. Consider using an [Azure Private DNS zone](../dns/private-dns-privatednszone.md).

+## Prerequisites

+- Consider how you want to support your apex domain. Domain names without a subdomain are known as apex root domains. For example, the domain `www.example.com` is the `www` subdomain joined with the `example.com` apex domain.

+- You create an apex domain by configuring an `ALIAS` or `ANAME` record or flattening `CNAME`. Some domain registrars, like GoDaddy and Google, don't support these DNS records. If your domain registrar doesn't support all the DNS records you need, consider using [Azure DNS to configure your domain](custom-domain-azure-dns.md).

+> If your domain registrar doesn't support specialized DNS records and you don't want to use Azure DNS, you can forward your apex domain to the `www` subdomain. For more information, see [Set up an apex domain in Azure Static Web Apps](apex-domain-external.md).

+## Watch the video

+## Get your static web app URL

+Domain registrars are the services you can use to purchase and manage domain names. Common providers include GoDaddy, Namecheap, Google, Tucows, and the like.

+1. Under *Settings*, select **Custom domains** > **+ Add**. Select **Custom domain on other DNS**.

+1. Select **+ Add**.

+1. In the *Enter domain* tab, enter your domain name prefixed with **www**, and then select **Next**.

+ For instance, if your domain name is `example.com`, enter `www.example.com`.

+ :::image type="content" source="media/custom-domain/add-domain.png" alt-text="Screenshot showing sequence of steps in add custom domain form.":::

+1. In the *Validate + Configure* tab, enter the following values.

+1. Select **Add**.

+ Azure creates your `CNAME` record and updates the DNS settings. Since DNS settings need to propagate, this process can take up to an hour or longer to complete.

+1. When the update completes, open a new browser tab and go to your domain with the `www` subdomain.

+ You should see your static web app in the browser. Also, inspect the location to verify that your site is served securely using `https`.

+ Title: "Quickstart: Azure Blob Storage library - Java"

+description: In this quickstart, you learn how to use the Azure Blob Storage client library for Java to create a container and a blob in Blob (object) storage. Next, you learn how to download the blob to your local computer, and how to list all of the blobs in a container.

+# Quickstart: Azure Blob Storage client library for Java

+Get started with the Azure Blob Storage client library for Java to manage blobs and containers. Follow steps to install the package and try out example code for basic tasks.

+[API reference documentation](/jav?toc=%2fazure%2fstorage%2fblobs%2ftoc.json#blob-samples)

+- Azure account with an active subscription - [create an account for free](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio).

+- Azure Storage account - [create a storage account](../common/storage-account-create.md).

+This section walks you through preparing a project to work with the Azure Blob Storage client library for Java.

+Create a Java application named *blob-quickstart*.

+1. In a console window (such as PowerShell or Bash), use Maven to create a new console app with the name *blob-quickstart*. Type the following **mvn** command to create a "Hello world!" Java project.

+ --define artifactId=blob-quickstart `

+ --define artifactId=blob-quickstart \

+ [INFO] Parameter: artifactId, Value: blob-quickstart

+ [INFO] Parameter: artifactId, Value: blob-quickstart

+ [INFO] Project created from Archetype in dir: C:\QuickStarts\blob-quickstart

+1. Switch to the newly created *blob-quickstart* folder.

+ cd blob-quickstart

+1. In side the *blob-quickstart* directory, create another directory called *data*. This folder is where the blob data files will be created and stored.

+### Install the packages

+Open the `pom.xml` file in your text editor.

+Add **azure-sdk-bom** to take a dependency on the latest version of the library. In the following snippet, replace the `{bom_version_to_target}` placeholder with the version number. Using **azure-sdk-bom** keeps you from having to specify the version of each individual dependency. To learn more about the BOM, see the [Azure SDK BOM README](https://github.com/Azure/azure-sdk-for-jav).

+```xml

+<dependencyManagement>

+ <dependencies>

+ <dependency>

+ <groupId>com.azure</groupId>

+ <artifactId>azure-sdk-bom</artifactId>

+ <version>{bom_version_to_target}</version>

+ <type>pom</type>

+ <scope>import</scope>

+ </dependency>

+ </dependencies>

+</dependencyManagement>

+```

+Then add the following dependency elements to the group of dependencies. The **azure-identity** dependency is needed for passwordless connections to Azure services.

+</dependency>

+<dependency>

+ <groupId>com.azure</groupId>

+ <artifactId>azure-identity</artifactId>

+From the project directory, follow steps to create the basic structure of the app:

+1. Open the `App.java` file in your editor

+1. Delete the line `System.out.println("Hello world!");`

+1. Add the necessary `import` directives

+The code should resemble this framework:

+ * Azure Blob Storage quickstart

+import com.azure.identity.*;

+ public static void main(String[] args) throws IOException

+ // Quickstart code goes here

+Azure Blob Storage is optimized for storing massive amounts of unstructured data. Unstructured data doesn't adhere to a particular data model or definition, such as text or binary data. Blob storage offers three types of resources:

+These example code snippets show you how to perform the following actions with the Azure Blob Storage client library for Java:

+- [Authenticate the client](#authenticate-the-client)

+

+> [!IMPORTANT]

+> Make sure you have the correct dependencies in pom.xml and the necessary directives for the code samples to work, as described in the [setting up](#setting-up) section.

+### Authenticate the client

+Application requests to Azure Blob Storage must be authorized. Using the `DefaultAzureCredential` class provided by the **azure-identity** client library is the recommended approach for implementing passwordless connections to Azure services in your code, including Blob Storage.

+You can also authorize requests to Azure Blob Storage by using the account access key. However, this approach should be used with caution. Developers must be diligent to never expose the access key in an unsecure location. Anyone who has the access key is able to authorize requests against the storage account, and effectively has access to all the data. `DefaultAzureCredential` offers improved management and security benefits over the account key to allow passwordless authentication. Both options are demonstrated in the following example.

+### [Passwordless (Recommended)](#tab/managed-identity)

+`DefaultAzureCredential` is a class provided by the Azure Identity client library for Java. `DefaultAzureCredential` supports multiple authentication methods and determines which method should be used at runtime. This approach enables your app to use different authentication methods in different environments (local vs. production) without implementing environment-specific code.

+The order and locations in which `DefaultAzureCredential` looks for credentials can be found in the [Azure Identity library overview](/java/api/overview/azure/identity-readme#defaultazurecredential).

+For example, your app can authenticate using your Visual Studio Code sign-in credentials with when developing locally. Your app can then use a [managed identity](/azure/active-directory/managed-identities-azure-resources/overview) once it has been deployed to Azure. No code changes are required for this transition.

+#### Assign roles to your Azure AD user account

+#### Sign-in and connect your app code to Azure using DefaultAzureCredential

+You can authorize access to data in your storage account using the following steps:

+1. Make sure you're authenticated with the same Azure AD account you assigned the role to on your storage account. You can authenticate via the Azure CLI, Visual Studio Code, or Azure PowerShell.

+ #### [Azure CLI](#tab/sign-in-azure-cli)

+ Sign-in to Azure through the Azure CLI using the following command:

+ ```azurecli

+ az login

+ ```

+ #### [Visual Studio Code](#tab/sign-in-visual-studio-code)

+ You'll need to [install the Azure CLI](/cli/azure/install-azure-cli) to work with `DefaultAzureCredential` through Visual Studio Code.

+ On the main menu of Visual Studio Code, navigate to **Terminal > New Terminal**.

+ Sign-in to Azure through the Azure CLI using the following command:

+ ```azurecli

+ az login

+ ```

+ #### [PowerShell](#tab/sign-in-powershell)

+ Sign-in to Azure using PowerShell via the following command:

+ ```azurepowershell

+ Connect-AzAccount

+ ```

+2. To use `DefaultAzureCredential`, make sure that the **azure-identity** dependency is added in `pom.xml`:

+ ```xml

+ <dependency>

+ <groupId>com.azure</groupId>

+ <artifactId>azure-identity</artifactId>

+ </dependency>

+ ```

+3. Add this code to the `Main` method. When the code runs on your local workstation, it will use the developer credentials of the prioritized tool you're logged into to authenticate to Azure, such as the Azure CLI or Visual Studio Code.

+ :::code language="java" source="~/azure-storage-snippets/blobs/quickstarts/Java/blob-quickstart/src/main/java/com/blobs/quickstart/App.java" id="Snippet_CreateServiceClientDAC":::

+4. Make sure to update the storage account name in the URI of your `BlobServiceClient`. The storage account name can be found on the overview page of the Azure portal.

+ :::image type="content" source="./media/storage-quickstart-blobs-java/storage-account-name.png" alt-text="A screenshot showing how to find the storage account name.":::

+ > [!NOTE]

+ > When deployed to Azure, this same code can be used to authorize requests to Azure Storage from an application running in Azure. However, you'll need to enable managed identity on your app in Azure. Then configure your storage account to allow that managed identity to connect. For detailed instructions on configuring this connection between Azure services, see the [Auth from Azure-hosted apps](/dotnet/azure/sdk/authentication-azure-hosted-apps) tutorial.

+### [Connection String](#tab/connection-string)

+A connection string includes the storage account access key and uses it to authorize requests. Always be careful to never expose the keys in an unsecure location.

+> [!NOTE]

+> If you plan to use connection strings, you'll need permissions for the following Azure RBAC action: [Microsoft.Storage/storageAccounts/listkeys/action](/azure/role-based-access-control/resource-provider-operations#microsoftstorage). The least privilege built-in role with permissions for this action is [Storage Account Key Operator Service Role](/azure/role-based-access-control/built-in-roles#storage-account-key-operator-service-role), but any role which includes this action will work.

+#### Configure your storage connection string

+After you copy the connection string, write it to a new environment variable on the local machine running the application. To set the environment variable, open a console window, and follow the instructions for your operating system. Replace `<yourconnectionstring>` with your actual connection string.

+**Windows**:

+```cmd

+setx AZURE_STORAGE_CONNECTION_STRING "<yourconnectionstring>"

+After you add the environment variable in Windows, you must start a new instance of the command window.

+**Linux**:

+```bash

+export AZURE_STORAGE_CONNECTION_STRING="<yourconnectionstring>"

+```

+The code below retrieves the connection string for the storage account from the environment variable created earlier, and uses the connection string to construct a service client object.

+// Retrieve the connection string for use with the application.

+String connectStr = System.getenv("AZURE_STORAGE_CONNECTION_STRING");

+// Create a BlobServiceClient object using a connection string

+BlobServiceClient client = new BlobServiceClientBuilder()

+ .connectionString(connectStr)

+ .buildClient();

+> [!IMPORTANT]

+> The account access key should be used with caution. If your account access key is lost or accidentally placed in an insecure location, your service may become vulnerable. Anyone who has the access key is able to authorize requests against the storage account, and effectively has access to all the data. `DefaultAzureCredential` provides enhanced security features and benefits and is the recommended approach for managing authorization to Azure services.

+### Create a container

+Decide on a name for the new container. The code below appends a UUID value to the container name to ensure that it's unique.

+> [!IMPORTANT]

+> Container names must be lowercase. For more information about naming containers and blobs, see [Naming and Referencing Containers, Blobs, and Metadata](/rest/api/storageservices/naming-and-referencing-containers--blobs--and-metadata).

+Next, create an instance of the [BlobContainerClient](/java/api/com.azure.storage.blob.blobcontainerclient) class, then call the [create](/java/api/com.azure.storage.blob.blobcontainerclient.create) method to actually create the container in your storage account.

+### Upload blobs to a container

+Add this code to the end of the `Main` method:

+The code snippet completes the following steps:

+1. Creates a text file in the local *data* directory.

+1. Gets a reference to a [BlobClient](/java/api/com.azure.storage.blob.blobclient) object by calling the [getBlobClient](/java/api/com.azure.storage.blob.blobcontainerclient.getblobclient) method on the container from the [Create a container](#create-a-container) section.

+1. Uploads the local text file to the blob by calling the [uploadFromFile](/java/api/com.azure.storage.blob.blobclient.uploadfromfile) method. This method creates the blob if it doesn't already exist, but won't overwrite it if it does.

+### List the blobs in a container

+List the blobs in the container by calling the [listBlobs](/java/api/com.azure.storage.blob.blobcontainerclient.listblobs) method. In this case, only one blob has been added to the container, so the listing operation returns just that one blob.

+### Download blobs

+Download the previously created blob by calling the [downloadToFile](/java/api/com.azure.storage.blob.specialized.blobclientbase.downloadtofile) method. The example code adds a suffix of "DOWNLOAD" to the file name so that you can see both files in local file system.

+Add this code to the end of the `Main` method:

+### Delete a container

+The following code cleans up the resources the app created by removing the entire container using the [delete](/java/api/com.azure.storage.blob.blobcontainerclient.delete) method. It also deletes the local files created by the app.

+The app pauses for user input by calling `System.console().readLine()` before it deletes the blob, container, and local files. This is a good chance to verify that the resources were created correctly, before they're deleted.

+Add this code to the end of the `Main` method:

+## Run the code

+This app creates a test file in your local folder and uploads it to Blob storage. The example then lists the blobs in the container and downloads the file with a new name so that you can compare the old and new files.

+Follow steps to compile, package, and run the code

+1. Navigate to the directory containing the `pom.xml` file and compile the project by using the following `mvn` command:

+ ```console

+ mvn compile

+ ```

+1. Package the compiled code in its distributable format:

+ ```console

+ mvn package

+ ```

+1. Run the following `mvn` command to execute the app:

+ ```console

+ mvn exec:java -D exec.mainClass=com.blobs.quickstart.App -D exec.cleanupDaemonThreads=false

+ ```

+ To simplify the run step, you can add `exec-maven-plugin` to `pom.xml` and configure as shown below:

+ ```xml

+ <plugin>

+ <groupId>org.codehaus.mojo</groupId>

+ <artifactId>exec-maven-plugin</artifactId>

+ <version>1.4.0</version>

+ <configuration>

+ <mainClass>com.blobs.quickstart.App</mainClass>

+ <cleanupDaemonThreads>false</cleanupDaemonThreads>

+ </configuration>

+ </plugin>

+ ```

+ With this configuration, you can execute the app with the following command:

+ ```console

+ mvn exec:java

+ ```

+

+The output of the app is similar to the following example (UUID values omitted for readability):

+Azure Blob Storage - Java quickstart sample

+ https://mystorageacct.blob.core.windows.net/quickstartblobsUUID/quickstartUUID.txt

+ quickstartUUID.txt

+ ./data/quickstartUUIDDOWNLOAD.txt

+Before you begin the clean-up process, check your *data* folder for the two files. You can open them and observe that they're identical.

+> [Azure Blob Storage SDK for Java samples](https://github.com/Azure/azure-sdk-for-java/tree/master/sdk/storage/azure-storage-blob/src/samples/java/com/azure/storage/blob)

+az elastic-san volume delete -e $sanName -g $resourceGroupName -v $volumeGroupName -n $volumeName

+az elastic-san volume-group delete -e $sanName -g $resourceGroupName -n $volumeGroupName

+3. Verify the **SMB security settings** on the storage account are allowing **SMB 3.1.1** protocol version, **NTLM v2** authentication and **AES-128-GCM** encryption. To check the SMB security settings on the storage account, see [SMB security settings](../files/files-smb-protocol.md#smb-security-settings).

+A serverless Spark pool is a way of indicating how a user wants to work with Spark. When you start using a pool, a Spark session is created if needed. The pool controls how many Spark resources will be used by that session and how long the session will last before it automatically pauses. You pay for spark resources used during that session and not for the pool itself. This way a Spark pool lets you use Apache Spark without managing clusters. This is similar to how a serverless SQL pool works.

+1. Create a new code cell and enter the following code. We'll analyze this data and save the results into a table called **nyctaxi.passengercountstats**.

+# Serverless SQL pool in Azure Synapse Analytics

+- A familiar [T-SQL syntax](overview-features.md) to query data in place without the need to copy or load data into a specialized store. To learn more, see the [T-SQL support](#t-sql-support) section.

+- Integrated connectivity via the T-SQL interface that offers a wide range of business intelligence and ad-hoc querying tools, including the most popular drivers. To learn more, see the [Client tools](#client-tools) section.

+ Title: Azure Virtual Desktop for Azure Stack HCI (preview) overview

+description: Overview of Azure Virtual Desktop for Azure Stack HCI (preview).

+Azure Virtual Desktop for Azure Stack HCI (preview) lets you deploy Azure Virtual Desktop session hosts on your on-premises Azure Stack HCI infrastructure. You manage your session hosts from the Azure portal.

+## Overview

+If you already have an existing on-premises Virtual Desktop Infrastructure (VDI) deployment, Azure Virtual Desktop for Azure Stack HCI can improve your experience. If you're already using Azure Virtual Desktop in the cloud, you can extend your deployment to your on-premises infrastructure to better meet your performance or data locality needs.

+Azure Virtual Desktop for Azure Stack HCI is currently in public preview. As such, it doesn't currently support certain important Azure Virtual Desktop features. Because of these limitations, we don't recommend using this feature for production workloads yet.

+> [!IMPORTANT]

+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta.

+> [!NOTE]

+> Azure Virtual Desktop for Azure Stack HCI is not an Azure Arc-enabled service. As such, it is not supported outside of Azure, in a multi-cloud environment, or on Azure Arc-enabled servers besides Azure Stack HCI virtual machines as described in this article.

+## Benefits

+- Achieve best performance by leveraging [RDP Shortpath](rdp-shortpath.md?tabs=managed-networks) for low-latency user access.

+- Deploy the latest fully patched images quickly and easily using [Azure Marketplace images](/azure-stack/hci/manage/virtual-machine-image-azure-marketplace?tabs=azurecli).

+## Supported platforms

+Azure Virtual Desktop for Azure Stack HCI supports the same [Remote Desktop clients](user-documentation/index.yml) as Azure Virtual Desktop, and supports the following x64 operating system images:

+- Windows 11 Enterprise multi-session

+- Windows 11 Enterprise

+- Windows 10 Enterprise multi-session, version 21H2

+- Windows 10 Enterprise, version 21H2

+- Windows Server 2022

+- Windows Server 2019

+ - **Infrastructure costs.** You'll pay monthly service fees for Azure Stack HCI. Learn more at [Azure Stack HCI pricing](https://azure.microsoft.com/pricing/details/azure-stack/hci/).

+- **User access rights.** The same licenses that grant access to Azure Virtual Desktop in the cloud also apply to Azure Virtual Desktop for Azure Stack HCI. Learn more at [Azure Virtual Desktop pricing](https://azure.microsoft.com/pricing/details/virtual-desktop/).

+- **Hybrid service fee.** This fee requires you to pay for each active virtual CPU (vCPU) of Azure Virtual Desktop session hosts you're running on Azure Stack HCI. This fee will become active once the preview period ends.

+## Data storage

+Azure Virtual Desktop for Azure Stack HCI doesn't guarantee that all data is stored on-premises. You can choose to store user data on-premises by locating session host virtual machines (VMs) and associated services such as file servers on-premises. However, some customer data, diagnostic data, and service-generated data are still stored in Azure. For more information on how Azure Virtual Desktop stores different kinds of data, seeΓÇ»[Data locations for Azure Virtual Desktop](data-locations.md).

+The following issues affect the preview version of Azure Virtual Desktop for Azure Stack HCI:

+- Templates may show failures in certain cases at the domain-joining step. To proceed, you can manually join the session hosts to the domain. For more information, see [VM provisioning through Azure portal on Azure Stack HCI](/azure-stack/hci/manage/azure-arc-enabled-virtual-machines).

+ - [Autoscale plan](autoscale-scaling-plan.md)

+ - [Start VM On Connect](start-virtual-machine-connect.md)

+- When connecting to a Windows 10 or Windows 11 Enterprise multi-session virtual desktop, users may see activation issues, such as a desktop watermark saying "Activate Windows", even if they have an eligible license.

+[Set up Azure Virtual Desktop for Azure Stack HCI (preview)](azure-stack-hci.md).

+With Azure Virtual Desktop for Azure Stack HCI (preview), you can use Azure Virtual Desktop session hosts in your on-premises Azure Stack HCI infrastructure. For more information, see [Azure Virtual Desktop for Azure Stack HCI (preview)](azure-stack-hci-overview.md).

+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply.

+## Prerequisites

+- An Azure subscription for Azure Virtual Desktop session host pool creation with all required admin permissions. For more information, see [Built-in Azure RBAC roles for Azure Virtual Desktop](rbac.md).

+- An [Azure Stack HCI cluster registered with Azure](/azure-stack/hci/deploy/register-with-azure) in the same subscription.

+- Azure Arc VM management should be set up on the Azure Stack HCI cluster. For more information, see [VM provisioning through Azure portal on Azure Stack HCI (preview)](/azure-stack/hci/manage/azure-arc-enabled-virtual-machines).

+- [An on-premises Active Directory (AD) synced with Azure Active Directory](/azure/architecture/reference-architectures/identity/azure-ad). The AD domain should resolve using DNS. For more information, see [Prerequisites for Azure Virtual Desktop](prerequisites.md#network).

+- There should be at least one Windows OS image available on the cluster. For more information, see [Create Azure Stack HCI VM image using Azure Marketplace images](/azure-stack/hci/manage/virtual-machine-image-azure-marketplace?tabs=azurecli) and [Azure Marketplace](https://azuremarketplace.microsoft.com/en-us/marketplace/).

+## Set up and configuration

+Follow the steps below for a simplified process of setting up Azure Virtual Desktop on Azure Stack HCI. This deployment is based on an Azure Resource Manager template that automates creating the host pool and workspace, creating the session hosts on the HCI cluster, joining the domain, downloading and installing the Azure Virtual Desktop agents, and then registering them to the host pool.

+1. Sign into the Azure Portal.

+1. On the Azure portal menu or from the Home page, select **Azure Stack HCI**.

+1. Select your Azure Stack HCI cluster.

+ :::image type="content" source="media/azure-virtual-desktop-hci/azure-portal.png" alt-text="Screenshot of Azure portal." lightbox="media/azure-virtual-desktop-hci/azure-portal.png":::

+1. On the **Overview** page, select the **Get Started** tab.

+1. Select the **Deploy button** on the **Azure Virtual Desktop** tile - the **Custom deployment** page will open.

+ :::image type="content" source="media/azure-virtual-desktop-hci/custom-template.png" alt-text="Screenshot of custom deployment template." lightbox="media/azure-virtual-desktop-hci/custom-template.png":::

+1. Select the correct subscription under **Project details**.

+1. Select either **Create new** to create a new resource group or select an existing resource group from the drop-down menu.

+1. Select the Azure region for the host pool thatΓÇÖs right for you and your customers.

+1. Enter a unique name for your host pool.

+1. In **Location**, enter a region where Host Pool, Workspace, and VMs machines will be created. The metadata for these objects is stored in the geography associated with the region. *Example: East US*.

+ > [!NOTE]

+ > This location must match the Azure region you selected in step 8 above.

+1. In **Custom Location Id**, enter the resource ID of the deployment target for creating VMs, which is associated with an Azure Stack HCI cluster.

+*Example: /subscriptions/My_subscriptionID/resourcegroups/Contoso-rg/providers/microsoft.extendedlocation/customlocations/Contoso-CL*.

+1. Enter a value for **Virtual Processor Count** (vCPU) and for **Memory GB** for your VM. Defaults are 4 vCPU and 8GB respectively.

+1. Enter a unique name for **Workspace Name**.

+1. Enter local administrator credentials for **Vm Administrator Account Username** and **Vm Administrator Account Password**.

+1. Enter the **OU Path** value for domain join. *Example: OU=unit1,DC=contoso,DC=com*.

+1. Enter the **Domain** name to join your session hosts to the required domain.

+1. Enter domain administrator credentials for **Domain Administrator Username** and **Domain Administrator Password** to join your session hosts to the domain. These are mandatory fields.

+1. Enter the number of VMs to be created for **Vm Number of Instances**. Default is 1.

+1. Enter a prefix for the VMs for **Vm Name Prefix**.

+1. Enter the **Image Id** of the image to be used. This can be a custom image or an Azure Marketplace image. *Example: /subscriptions/My_subscriptionID/resourceGroups/Contoso-rg/providers/microsoft.azurestackhci/marketplacegalleryimages/Contoso-Win11image*.

+1. Enter the **Virtual Network Id** of the virtual network. *Example: /subscriptions/My_subscriptionID/resourceGroups/Contoso-rg/providers/Microsoft.AzureStackHCI/virtualnetworks/Contoso-virtualnetwork*.

+1. Enter the **Token Expiration Time**. If left blank, the default will be the current UTC time.

+1. Enter values for **Tags**. *Example format: { "CreatedBy": "name", "Test": "Test2ΓÇ¥ }*

+1. Enter the **Deployment Id**. A new GUID will be created by default.

+1. Select the **Validation Environment** - it's **false** by default.

+> [!NOTE]

+> For more session host configurations, use the Full Configuration [(CreateHciHostpoolTemplate.json)](https://github.com/Azure/RDS-Templates/blob/master/ARM-wvd-templates/HCI/CreateHciHostpoolTemplate.json) template, which offers all the features that can be used to deploy Azure Virtual Desktop on Azure Stack HCI.

+## Optional configuration

+Now that you've set up Azure Virtual Desktop for Azure Stack HCI, here are a few optional things you can do depending on your deployment needs:

+

+### Add session hosts

+You can add new session hosts to an existing host pool that was created either manually or using the custom template. Use the **Quick Deploy** [(AddHciVirtualMachinesQuickDeployTemplate.json)](https://github.com/Azure/RDS-Templates/blob/master/ARM-wvd-templates/HCI/QuickDeploy/AddHciVirtualMachinesQuickDeployTemplate.json) template to get started.

+For information on how to deploy a custom template, see [Quickstart: Create and deploy ARM templates by using the Azure portal](/azure/azure-resource-manager/templates/quickstart-create-templates-use-the-portal).

+> [!NOTE]

+> For more session host configurations, use the **Full Configuration** [(AddHciVirtualMachinesTemplate.json)](https://github.com/Azure/RDS-Templates/blob/master/ARM-wvd-templates/HCI/AddHciVirtualMachinesTemplate.json) template, which offers all the features that can be used to deploy Azure Virtual Desktop on Azure Stack HCI. Learn more at [RDS-Templates](https://github.com/Azure/RDS-Templates/blob/master/ARM-wvd-templates/HCI/Readme.md).

+### Create a profile container

+To create a profile container using a file share on Azure Stack HCI, do the following:

+1. Deploy a file share on a single or clustered Windows Server VM deployment. The Windows Server VMs with file server role can also be co-located on the same cluster where the session host VMs are deployed.

+1. Connect to the VM with the credentials you provided when creating the VM.

+3. Join the VM to an Active Directory domain.

+7. Follow the instructions in [Create a profile container for a host pool using a file share](create-host-pools-user-profile.md) to prepare your VM and configure your profile container.

+For an overview and pricing information, see [Azure Virtual Desktop for Azure Stack HCI](azure-stack-hci-overview.md).

+> Host caching isn't supported for shared disks.

+>

+> Host caching isn't supported for shared disks.

+>

+> Host caching isn't supported for shared disks.

+>

+> Host caching isn't supported for shared disks.

+>

+ >[!NOTE]

+ > Newly added data disk encryption must be enabled via Powershell, or CLI only. Currently, the Azure portal does not support enabling encryption on new disks.

+| **SAP S/4HANA 2021 FPS01, Fully-Activated Appliance** April 26 2022 | [Create Appliance](https://cal.sap.com/registration?sguid=3f4931de-b15b-47f1-b93d-a4267296b8bc&provider=208b780d-282b-40ca-9590-5dd5ad1e52e8) |

+|This appliance contains SAP S/4HANA 2021 (FPS01) with pre-activated SAP Best Practices for SAP S/4HANA core functions, and further scenarios for Service, Master Data Governance (MDG), Portfolio Mgmt. (PPM), Human Capital Management (HCM), Analytics, Migration Cockpit, and more. User access happens via SAP Fiori, SAP GUI, SAP HANA Studio, Windows remote desktop, or the backend operating system for full administrative access. | [Details]( https://cal.sap.com/catalog?provider=208b780d-282b-40ca-9590-5dd5ad1e52e8#/applianceTemplates/3f4931de-b15b-47f1-b93d-a4267296b8bc) ||

+| **SAP BusinessObjects BI Platform 4.3 SP02** October 05 2022 | [Create Appliance](https://cal.sap.com/registration?sguid=f4626c2f-d9d8-49e0-b1ce-59371e0f8749&provider=208b780d-282b-40ca-9590-5dd5ad1e52e8) |

+|This appliance contains SAP BusinessObjects BI Platform 4.3 Support Package 2 Patch 4: (i) On the Linux instance, the BI Platorm, Web Intelligence and Live Data Connect servers are running on the default installed Tomcat (ii) On the Windows instance, you can use the SAP BI SP2 Patch 4 version of the clients tools to connect to the server: Web Intelligence Rich Client, Information Design Tool, Universe Design Tool. | [Details](https://cal.sap.com/catalog?provider=208b780d-282b-40ca-9590-5dd5ad1e52e8#/applianceTemplates/f4626c2f-d9d8-49e0-b1ce-59371e0f8749) |

+| **SAP Solution Manager 7.2 SP15 & Focused Solutions SP10 (Baseline)** October 03 2022 | [Create Appliance](https://cal.sap.com/registration?sguid=65c36516-6779-46e5-9c30-61b5d145209f&provider=208b780d-282b-40ca-9590-5dd5ad1e52e8) |

+|This template contains a partly configured SAP Solution Manager 7.2 SP15 (incl. Focused Build and Focused Insights 2.0 SP10). Only the Mandatory Configuration and Focused Build configuration are performed. The system is clean and does not contain pre-defined demo scenarios. | [Details]( https://cal.sap.com/catalog?provider=208b780d-282b-40ca-9590-5dd5ad1e52e8#/applianceTemplates/65c36516-6779-46e5-9c30-61b5d145209f) |

+- If you're considering using HANA System Replication, the storage used for **/hana/data** on each replica must be same and the storage type used for **/hana/log** on each replica must be same. For example, using Azure premium storage for **/hana/data** with one VM and Azure Ultra disk for **/hana/data** in another VM running a replica of the same HANA System replication configuration, isn't supported

+- Every Premium SSD v2 storage disk comes with 3,000 IOPS and 125 MBps on throughput that is included in the capacity pricing

+- Changes to the provisioned IOPS and throughput can be executed once in 6 hours

+> The configurations suggested below keep the HANA minimum KPIs, as listed in [SAP HANA Azure virtual machine storage configurations](./hana-vm-operations-storage.md) in mind. Our tests so far gave no indications that with the values listed, SAP HCMT tests would fail in throughput or latency. That stated, not all variations possible and combinations around stripe sets stretched across multiple disks or different stripe sizes were tested. Tests condcuted with striped volumes across multiple disks were done with the stripe sizes documented in [SAP HANA Azure virtual machine storage configurations](./hana-vm-operations-storage.md).

+- You try to simplify your storage architecture by using a single disk for **/hana/data** and **/hana/log** and pay for more IOPS and throughput as needed to achieve the levels we recommend below. With the awareness that a single disk has a throughput level of 1,200 MBps and 80,000 IOPS.

+Since we don't want to define which direction you should go, we're leaving the decision to you on whether to take the single disk approach or to take the multiple disk approach. Though keep in mind that the single disk approach can hit its limitations with the 1,200MB/sec throughput. There might be a point where you need to stretch /hana/data across multiple volumes. also keep in mind that the capabilities of Azure VMs in providing storage throughput are going to grow over time. And that HANA savepoints are extremely critical and demand high throughput for the **/hana/data** volume

+| E20ds_v4 | 160 GiB | 480 MBps | 32,000 | 192 GB | 425 MBps | 3,000 |

+| E20(d)s_v5| 160 GiB | 750 MBps | 32,000 | 192 GB | 425 MBps | 3,000 |

+| E32ds_v4 | 256 GiB | 768 MBps | 51,200| 304 GB | 425 MBps | 3,000 |

+| E32ds_v5 | 256 GiB | 865 MBps | 51,200| 304 GB | 425 MBps | 3,000 |

+| E48ds_v4 | 384 GiB | 1,152 MBps | 76,800 | 464 GB |425 MBps | 3,000 |

+| E48ds_v4 | 384 GiB | 1,315 MBps | 76,800 | 464 GB |425 MBps | 3,000 |

+| E64ds_v4 | 504 GiB | 1,200 MBps | 80,000 | 608 GB | 425 MBps | 3,000 |

+| E64(d)s_v5 | 512 GiB | 1,735 MBps | 80,000 | 608 GB| 425 MBps | 3,000 |

+| E96(d)s_v5 | 672 GiB | 2,600 MBps | 80,000 | 800 GB | 425 MBps | 3,000 |

+| M32ts | 192 GiB | 500 MBps | 20,000 | 224 GB | 425 MBps | 3,000|

+| M32ls | 256 GiB | 500 MBps | 20,000 | 304 GB | 425 MBps | 3,000 |

+| M64ls | 512 GiB | 1,000 MBps | 40,000 | 608 GB | 425 MBps | 3,000 |

+| M32dms_v2, M32ms_v2 | 875 GiB | 500 MBps | 30,000 | 1056 GB | 425 MBps | 3,000 |

+| M64s, M64ds_v2, M64s_v2 | 1,024 GiB | 1,000 MBps | 40,000 | 1232 GB | 680 MBps | 5,000 |

+| M64ms, M64dms_v2, M64ms_v2 | 1,792 GiB | 1,000 MBps | 50,000 | 2144 GB | 600 MBps | 5,000 |

+| M128s, M128ds_v2, M128s_v2 | 2,048 GiB | 2,000 MBps | 80,000 | 2464 GB | 800 MBps | 12,000|

+| M192ids_v2, M192is_v2 | 2,048 GiB | 2,000 MBps | 80,000| 2464 GB | 800 MBps | 12,000|

+| M128ms, M128dms_v2, M128ms_v2 | 3,892 GiB | 2,000 MBps | 80,000 | 4672 GB | 800 MBps | 12,000 |

+| M192ims, M192idms_v2 | 4,096 GiB | 2,000 MBps | 80,000 | 4912 GB | 800 MBps | 12,000 |

+| M208s_v2 | 2,850 GiB | 1,000 MBps | 40,000 | 3424 GB | 1,000 MBps| 15,000 |

+| M208ms_v2 | 5,700 GiB | 1,000 MBps | 40,000 | 6,848 GB | 1,000 MBps | 15,000 |

+| M416s_v2 | 5,700 GiB | 2,000 MBps | 80,000 | 6,848 GB | 1,200 MBps| 17,000 |

+| M416ms_v2 | 11,400 GiB | 2,000 MBps | 80,000 | 13,680 GB | 1,200 MBps| 25,000 |

+| VM SKU | RAM | Max. VM I/O<br /> Throughput | Max VM IOPS | **/hana/log** capacity | **/hana/log** throughput | **/hana/log** IOPS | **/hana/shared** capacity <br />using default IOPS <br /> and throughput |

+A few examples on how combining multiple Premium SSD v2 disks with a stripe set could impact the requirement to provision more IOPS or throughput for **/hana/data** is displayed in this table:

+| VM SKU | RAM | number of <br />disks | individual disk<br /> capacity | Proposed IOPS | Default IOPS provisioned | Extra IOPS <br />provisioned | Proposed throughput<br /> for volume | Default throughput provisioned | Extra throughput <br />provisioned |

+| M128s, M128ds_v2, M128s_v2 | 2,048 GiB | 4 | 616 GB | 12,000 | 12,000 | 0 | 800 MBps | 500 MBps | 300 MBps |

+| M416ms_v2 | 11,400 GiB | 2 | 6,840 | 25,000 | 6,000 | 19,000 | 1,200 MBps | 250 MBps | 950 MBps |

+| M416ms_v2 | 11,400 GiB | 4 | 3,420 | 25,000 | 12,000 | 13,000 | 1,200 MBps | 500 MBps | 700 MBps |

+| VM SKU | RAM | number of <br />disks | individual disk<br /> capacity | Proposed IOPS | Default IOPS provisioned | Extra IOPS <br />provisioned | Proposed throughput<br /> for volume | Default throughput provisioned | Extra throughput <br />provisioned |

+| E96(d)s_v5 | 672 GiB | 2 | 256 GB | 3,000 | 6,000 | 0 | 275 MBps | 250 MBps | 25 MBps |

+¹ With usage of [Azure Write Accelerator](../../how-to-enable-write-accelerator.md) for M/Mv2 VM families for log/redo log volumes

+² Using ANF requires /hana/data and /hana/log to be on ANF

+³ So far tested on SLES only

+³ Creation of different ANF capacity pools doesn't guarantee deployment of capacity pools onto different storage units

+- The I/O throughput for this storage isn't linear with the size of the disk category. For smaller disks, like the category between 65 GiB and 128 GiB capacity, the throughput is around 780 KB per GiB. Whereas for the extreme large disks like a 32,767 GiB disk, the throughput is around 28 KB per GiB

+- The IOPS and throughput SLAs can't be changed without changing the capacity of the disk

+**Summary:** Azure ultra disks are a suitable storage with low submillisecond latency for all kinds of SAP workload. So far, Ultra disk can only be used in combinations with VMs that have been deployed through Availability Zones (zonal deployment). Ultra disk isn't supporting storage snapshots. In opposite to all other storage, Ultra disk can't be used for the base VHD disk. Ultra disk is ideal for cases where I/O workload fluctuates a lot and you want to adapt deployed storage throughput or IOPS to storage workload patterns instead of sizing for maximum usage of bandwidth and IOPS.

+[Azure Premium Files](../../../storage/files/storage-files-planning.md) is a shared storage that offers SMB and NFS for a moderate price and sufficient latency to handle shares of the SAP application layer. On top, Azure premium Files offers synchronous zonal replication of the shares with an automatism that in case one replica fails, another replica in another zone can take over. In opposite to Azure NetApp Files, there are no performance tiers. There also is no need for a capacity pool. Charging is based on the real provisioned capacity of the different shares. Azure Premium Files haven't been tested as DBMS storage for SAP workload at all. But instead the usage scenario for SAP workload focused on all types of SMB and NFS shares as they're used on the SAP application layer. Azure Premium Files is also suited for the usage for **/hana/shared**.

+ | Resource using Basic SKU public IP addresses | Decision path |

+ | | |

+ | Virtual Machine or Virtual Machine Scale Sets (flex model) | Disassociate IP(s) and utilize the upgrade options detailed after the table. |

+ | Load Balancer (Basic SKU) | New LB SKU required. Use the upgrade scripts for [virtual machines](../../load-balancer/upgrade-basic-standard.md) or [Virtual Machine Scale Sets (without IPs per VM)](../../load-balancer/upgrade-basic-standard-virtual-machine-scale-sets.md) to upgrade to Standard Load Balancer |

+ | VPN Gateway (Basic SKU or VpnGw1-5 SKU using Basic IPs) | New VPN Gateway SKU required. Create a [new Virtual Network Gateway with a Standard SKU IP](../../vpn-gateway/tutorial-create-gateway-portal.md). |

+ | ExpressRoute Gateway (using Basic IPs) | New ExpressRoute Gateway required. Create a [new ExpressRoute Gateway with a Standard SKU IP](../../expressroute/expressroute-howto-add-gateway-portal-resource-manager.md). |

+ | Application Gateway (v1 SKU) | New AppGW SKU required. Use this [migration script to migrate from v1 to v2](../../application-gateway/migrate-v1-v2.md). |

+> [!NOTE]

+> If you have a virtual machine scale set (uniform model) with public IP configurations per instance, note these are not Public IP resources and as such cannot be upgraded; a new virtual machine scale set is required. You can use the SKU property to specify that Standard IP configurations are required for each VMSS instance as shown [here](../../virtual-machine-scale-sets/virtual-machine-scale-sets-networking.md#public-ipv4-per-virtual-machine).

+ Title: 'Virtual WAN virtual hub routing preference'

+# Virtual hub routing preference

+ Title: 'Configure virtual hub routing preference'

+# Configure virtual hub routing preference

+* Currently we only support 4,000 routes from the NVA to the virtual hub.

+* When configuring BGP peering with the hub, you will see two IP addresses. Peering with both these addresses is required. Not peering with both addresses can cause routing issues.

+* The next hop IP address on the routes being advertised from the NVA to the virtual HUB route server has to be the same as the IP address of the NVA, the IP address configured on the BGP peer. Having a different IP address advertised as next hop IS NOT supported on virtual WAN at the moment.