-Logging is done asynchronously for both base and custom model endpoints. Audio and transcription logs are stored by the Speech service and not written locally. The logs are retained for 30 days. After this period, the logs are automatically deleted. However you can [delete](#delete-audio-and-transcription-logs) specific logs or a range of available logs at any time.

-1. Use the ID [18814]( https://grafana.com/grafana/dashboards/18814/) to import the dashboard from Grafana's public dashboard repo.

-1. Verify the Grafana dashboard is visible.

-1. Create a static public IP address using the [`az network public ip create`][az-network-public-ip-create] command.

- --resource-group myNetworkResourceGroup \

-2. Get the name of the node resource group using the [`az aks show`][az-aks-show] command and query for the `nodeResourceGroup` property.

- ```azurecli-interactive

- az aks show --name myAKSCluster --resource-group myNetworkResourceGroup --query nodeResourceGroup -o tsv

- ```

-3. Get the static public IP address using the [`az network public-ip list`][az-network-public-ip-list] command. Specify the name of the node resource group and public IP address you created, and query for the `ipAddress`.

- az network public-ip show --resource-group <node resource group> --name myAKSPublicIP --query ipAddress --output tsv

-1. Ensure the cluster identity used by the AKS cluster has delegated permissions to the node resource group using the [`az role assignment create`][az-role-assignment-create] command.

- > Adding the `loadBalancerIP` property to the load balancer YAML manifest is deprecating following [upstream Kubernetes](https://github.com/kubernetes/kubernetes/pull/107235). While current usage remains the same and existing services are expected to work without modification, we **highly recommend setting service annotations** instead. To set service annotations, you can use `service.beta.kubernetes.io/azure-load-balancer-ipv4` for an IPv4 address and `service.beta.kubernetes.io/azure-load-balancer-ipv6` for an IPv6 address, as shown in the example YAML.

- service.beta.kubernetes.io/azure-load-balancer-resource-group: <node resource group>

- service.beta.kubernetes.io/azure-load-balancer-ipv4: <public IP address>

- service.beta.kubernetes.io/azure-pip-name: <public IP Name>

- service.beta.kubernetes.io/azure-load-balancer-resource-group: <node resource group>

- service.beta.kubernetes.io/azure-load-balancer-ipv4: <public IP address>

- service.beta.kubernetes.io/azure-pip-name: <public IP Name>

-## Preview limitations

- 1. In **Region**, select one of the [available regions](overview.md#preview-limitations) for API Center preview.

-description: Learn about policies in API Management, a way for API publishers to change API behavior through configuration. Policies are statements that run sequentially on the request or response of an API.

-For more information, see [Error handling in API Management policies](./api-management-error-handling-policies.md)

-Policy expressions provide a sophisticated means to control traffic and modify API behavior without requiring you to write specialized code or modify backend services. Some policies are based on policy expressions, such as the [Control flow][Control flow] and [Set variable][Set variable]. For more information, see [Advanced policies][Advanced policies].

-* Not all policies can be applied at each scope and policy section

-* When configuring policy definitions at more than one scope, you control the policy evaluation order in each policy section by placement of the `base` element

-For more information, see [Set or edit policies](set-edit-policies.md#use-base-element-to-set-policy-evaluation-order).

-> [!NOTE]

-> If you're using an API-scoped subscription or the all-access subscription, any [policies](api-management-howto-policies.md) configured at the product scope aren't applied to requests from that subscription.

-description: Learn how to use the Azure portal to set or edit policies in an Azure API Management instance. Policies are defined in XML documents that contain a sequence of statements that are run sequentially on the request or response of an API.

-## Next steps

-### From the Kudu console

-In the console terminal, you can't access the `C:\home\LogFiles` folder by default because persistent shared storage is not enabled. To enable this behavior in the console terminal, [enable persistent shared storage](#use-persistent-shared-storage).

-Verify your adjusted number by going to the Kudu Console (`https://<app-name>.scm.azurewebsites.net`) and typing in the following commands using PowerShell. Each command outputs a number.

-For Arc-enabled VMware vSphere (preview), manual upgrade is available, and cloud-managed upgrade is supported for appliances on version 1.0.15 and higher. When Arc-enabled VMware vSphere announces General Availability, appliances on version 1.0.15 and higher will receive cloud-managed upgrade as the default experience. Appliances that are below version 1.0.15 must be manually upgraded.

-Generally, the latest released version and the previous three versions (n-3) of Arc resource bridge are supported. For example, if the current version is 1.0.10, then the typical n-3 supported versions are:

-There might be instances where supported versions are not sequential. For example, version 1.0.11 is released and later found to contain a bug. A hot fix is released in version 1.0.12 and version 1.0.11 is removed. In this scenario, n-3 supported versions become 1.0.12, 1.0.10, 1.0.9, 1.0.8.

-description: This article provides a detailed overview of the Azure Connected Machine agent, which supports monitoring virtual machines hosted in hybrid environments.

-ms.

-# Overview of Azure Connected Machine agent to manage Windows and Linux machines

-The Azure Connected Machine agent enables you to manage your Windows and Linux machines hosted outside of Azure on your corporate network or other cloud providers.

-## Agent components

-The Azure Connected Machine agent package contains several logical components bundled together:

-* The Hybrid Instance Metadata service (HIMDS) manages the connection to Azure and the connected machine's Azure identity.

-* The guest configuration agent provides functionality such as assessing whether the machine complies with required policies and enforcing compliance.

- Note the following behavior with Azure Policy [guest configuration](../../governance/machine-configuration/overview.md) for a disconnected machine:

- * An Azure Policy assignment that targets disconnected machines is unaffected.

- * Guest assignment is stored locally for 14 days. Within the 14-day period, if the Connected Machine agent reconnects to the service, policy assignments are reapplied.

- * Assignments are deleted after 14 days, and aren't reassigned to the machine after the 14-day period.

-* The Extension agent manages VM extensions, including install, uninstall, and upgrade. Azure downloads extensions and copies them to the `%SystemDrive%\%ProgramFiles%\AzureConnectedMachineAgent\ExtensionService\downloads` folder on Windows, and to `/opt/GC_Ext/downloads` on Linux. On Windows, the extension installs to the following path `%SystemDrive%\Packages\Plugins\<extension>`, and on Linux the extension installs to `/var/lib/waagent/<extension>`.

->[!NOTE]

-> The [Azure Monitor agent](../../azure-monitor/agents/azure-monitor-agent-overview.md) (AMA) is a separate agent that collects monitoring data, and it does not replace the Connected Machine agent; the AMA only replaces the Log Analytics agent, Diagnostics extension, and Telegraf agent for both Windows and Linux machines.

-## Agent resources

-The following information describes the directories and user accounts used by the Azure Connected Machine agent.

-### Windows agent installation details

-The Windows agent is distributed as a Windows Installer package (MSI). Download the Windows agent from the [Microsoft Download Center](https://aka.ms/AzureConnectedMachineAgent).

-Installing the Connected Machine agent for Window applies the following system-wide configuration changes:

-* The installation process creates the following folders during setup.

- | Directory | Description |

- |--|-|

- | %ProgramFiles%\AzureConnectedMachineAgent | azcmagent CLI and instance metadata service executables.|

- | %ProgramFiles%\AzureConnectedMachineAgent\ExtensionService\GC | Extension service executables.|

- | %ProgramFiles%\AzureConnectedMachineAgent\GCArcService\GC | Guest configuration (policy) service executables.|

- | %ProgramData%\AzureConnectedMachineAgent | Configuration, log and identity token files for azcmagent CLI and instance metadata service.|

- | %ProgramData%\GuestConfig | Extension package downloads, guest configuration (policy) definition downloads, and logs for the extension and guest configuration services.|

- | %SYSTEMDRIVE%\packages | Extension package executables |

-* Installing the agent creates the following Windows services on the target machine.

- | Service name | Display name | Process name | Description |

- |--|--|--|-|

- | himds | Azure Hybrid Instance Metadata Service | himds | Synchronizes metadata with Azure and hosts a local REST API for extensions and applications to access the metadata and request Microsoft Entra managed identity tokens |

- | GCArcService | Guest configuration Arc Service | gc_service | Audits and enforces Azure guest configuration policies on the machine. |

- | ExtensionService | Guest configuration Extension Service | gc_service | Installs, updates, and manages extensions on the machine. |

-* Agent installation creates the following virtual service account.

- | Virtual Account | Description |

- ||-|

- | NT SERVICE\\himds | Unprivileged account used to run the Hybrid Instance Metadata Service. |

- > [!TIP]

- > This account requires the "Log on as a service" right. This right is automatically granted during agent installation, but if your organization configures user rights assignments with Group Policy, you might need to adjust your Group Policy Object to grant the right to "NT SERVICE\\himds" or "NT SERVICE\\ALL SERVICES" to allow the agent to function.

-* Agent installation creates the following local security group.

- | Security group name | Description |

- ||-|

- | Hybrid agent extension applications | Members of this security group can request Microsoft Entra tokens for the system-assigned managed identity |

-* Agent installation creates the following environmental variables

- | Name | Default value | Description |

- ||||

- | IDENTITY_ENDPOINT | `http://localhost:40342/metadata/identity/oauth2/token` |

- | IMDS_ENDPOINT | `http://localhost:40342` |

-* There are several log files available for troubleshooting, described in the following table.

- | Log | Description |

- |--|-|

- | %ProgramData%\AzureConnectedMachineAgent\Log\himds.log | Records details of the heartbeat and identity agent component. |

- | %ProgramData%\AzureConnectedMachineAgent\Log\azcmagent.log | Contains the output of the azcmagent tool commands. |

- | %ProgramData%\GuestConfig\arc_policy_logs\gc_agent.log | Records details about the guest configuration (policy) agent component. |

- | %ProgramData%\GuestConfig\ext_mgr_logs\gc_ext.log | Records details about extension manager activity (extension install, uninstall, and upgrade events). |

- | %ProgramData%\GuestConfig\extension_logs | Directory containing logs for individual extensions. |

-* The process creates the local security group **Hybrid agent extension applications**.

-* After uninstalling the agent, the following artifacts remain.

- * %ProgramData%\AzureConnectedMachineAgent\Log

- * %ProgramData%\AzureConnectedMachineAgent

- * %ProgramData%\GuestConfig

- * %SystemDrive%\packages

-### Linux agent installation details

-The preferred package format for the distribution (`.rpm` or `.deb`) that's hosted in the Microsoft [package repository](https://packages.microsoft.com/) provides the Connected Machine agent for Linux. The shell script bundle [Install_linux_azcmagent.sh](https://aka.ms/azcmagent) installs and configures the agent.

-Installing, upgrading, and removing the Connected Machine agent isn't required after server restart.

-Installing the Connected Machine agent for Linux applies the following system-wide configuration changes.

-* Setup creates the following installation folders.

- | Directory | Description |

- |--|-|

- | /opt/azcmagent/ | azcmagent CLI and instance metadata service executables. |

- | /opt/GC_Ext/ | Extension service executables. |

- | /opt/GC_Service/ | Guest configuration (policy) service executables. |

- | /var/opt/azcmagent/ | Configuration, log and identity token files for azcmagent CLI and instance metadata service.|

- | /var/lib/GuestConfig/ | Extension package downloads, guest configuration (policy) definition downloads, and logs for the extension and guest configuration services.|

-* Installing the agent creates the following daemons.

- | Service name | Display name | Process name | Description |

- |--|--|--|-|

- | himdsd.service | Azure Connected Machine Agent Service | himds | This service implements the Hybrid Instance Metadata service (IMDS) to manage the connection to Azure and the connected machine's Azure identity.|

- | gcad.service | GC Arc Service | gc_linux_service | Audits and enforces Azure guest configuration policies on the machine. |

- | extd.service | Extension Service | gc_linux_service | Installs, updates, and manages extensions on the machine. |

-* There are several log files available for troubleshooting, described in the following table.

- | Log | Description |

- |--|-|

- | /var/opt/azcmagent/log/himds.log | Records details of the heartbeat and identity agent component. |

- | /var/opt/azcmagent/log/azcmagent.log | Contains the output of the azcmagent tool commands. |

- | /var/lib/GuestConfig/arc_policy_logs | Records details about the guest configuration (policy) agent component. |

- | /var/lib/GuestConfig/ext_mgr_logs | Records details about extension manager activity (extension install, uninstall, and upgrade events). |

- | /var/lib/GuestConfig/extension_logs | Directory containing logs for individual extensions. |

-* Agent installation creates the following environment variables, set in `/lib/systemd/system.conf.d/azcmagent.conf`.

- | Name | Default value | Description |

- |||-|

- | IDENTITY_ENDPOINT | `http://localhost:40342/metadata/identity/oauth2/token` |

- | IMDS_ENDPOINT | `http://localhost:40342` |

-* After uninstalling the agent, the following artifacts remain.

- * /var/opt/azcmagent

- * /var/lib/GuestConfig

-## Agent resource governance

-The Azure Connected Machine agent is designed to manage agent and system resource consumption. The agent approaches resource governance under the following conditions:

-* The Guest Configuration agent can use up to 5% of the CPU to evaluate policies.

-* The Extension Service agent can use up to 5% of the CPU to install, upgrade, run, and delete extensions. Some extensions might apply more restrictive CPU limits once installed. The following exceptions apply:

- | Extension type | Operating system | CPU limit |

- | -- | - | |

- | AzureMonitorLinuxAgent | Linux | 60% |

- | AzureMonitorWindowsAgent | Windows | 100% |

- | AzureSecurityLinuxAgent | Linux | 30% |

- | LinuxOsUpdateExtension | Linux | 60% |

- | MDE.Linux | Linux | 60% |

- | MicrosoftDnsAgent | Windows | 100% |

- | MicrosoftMonitoringAgent | Windows | 60% |

- | OmsAgentForLinux | Windows | 60%|

-During normal operations, defined as the Azure Connected Machine agent being connected to Azure and not actively modifying an extension or evaluating a policy, you can expect the agent to consume the following system resources:

-| | Windows | Linux |

-| | - | -- |

-| **CPU usage (normalized to 1 core)** | 0.07% | 0.02% |

-| **Memory usage** | 57 MB | 42 MB |

-The performance data above was gathered in April 2023 on virtual machines running Windows Server 2022 and Ubuntu 20.04. Actual agent performance and resource consumption will vary based on the hardware and software configuration of your servers.

-## Instance metadata

-Metadata information about a connected machine is collected after the Connected Machine agent registers with Azure Arc-enabled servers. Specifically:

-* Operating system name, type, and version

-* Computer name

-* Computer manufacturer and model

-* Computer fully qualified domain name (FQDN)

-* Domain name (if joined to an Active Directory domain)

-* Active Directory and DNS fully qualified domain name (FQDN)

-* UUID (BIOS ID)

-* Connected Machine agent heartbeat

-* Connected Machine agent version

-* Public key for managed identity

-* Policy compliance status and details (if using guest configuration policies)

-* SQL Server installed (Boolean value)

-* Cluster resource ID (for Azure Stack HCI nodes)

-* Hardware manufacturer

-* Hardware model

-* CPU family, socket, physical core and logical core counts

-* Total physical memory

-* Serial number

-* SMBIOS asset tag

-* Cloud provider

-The agent requests the following metadata information from Azure:

-* Resource location (region)

-* Virtual machine ID

-* Tags

-* Microsoft Entra managed identity certificate

-* Guest configuration policy assignments

-* Extension requests - install, update, and delete.

-> [!NOTE]

-> Azure Arc-enabled servers doesn't store/process customer data outside the region the customer deploys the service instance in.

-## Next steps

-description: Learn about Azure Arc resource bridge.

-ms.

-#Customer intent: As an IT infrastructure admin, I want to know about the the Azure Arc resource bridge that facilitates the Arc connection between SCVMM server and Azure

-# Azure Arc resource bridge

-Azure Arc resource bridge (preview) is a Microsoft managed product that is part of the core Azure Arc platform. It is designed to host other Azure Arc services. The resource bridge supports VM self-servicing and management from Azure, for virtualized Windows and Linux virtual machines hosted in an on-premises environment on [Azure Stack HCI](https://learn.microsoft.com/azure-stack/hci/manage/azure-arc-vm-management-overview), VMware ([Arc-enabled VMware vSphere](https://learn.microsoft.com/azure/azure-arc/vmware-vsphere/) preview), and System Center Virtual Machine Manager (SCVMM) ([Arc-enabled SCVMM](https://learn.microsoft.com/azure/azure-arc/system-center-virtual-machine-manager/).

-Azure Arc resource bridge is a Kubernetes management cluster installed on the customerΓÇÖs on-premises infrastructure. The resource bridge is provided with the credentials to the infrastructure control plane that allows it to apply guest management services on the on-premises resources. Arc resource bridge enables projection of on-premises resources as ARM resources and management from ARM as *arc-enabled* Azure resources.

-Arc resource bridge delivers the following benefits:

-## Overview

-Azure Arc resource bridge (preview) hosts other components such as [custom locations](https://microsoftapc.sharepoint.com/:w:/t/AzureCoreIDC/EQ4_NliWVCFMtRqzCpkQfrUB3HkS1JwLE8KpoZBUmtNGjg?e=HANuI5), cluster extensions, and other Azure Arc agents in order to deliver the level of functionality with the private cloud infrastructures it supports. This complex system is composed of three layers:

-Azure Arc resource bridge (preview) can host other Azure services or solutions running on-premises. For this preview, there are two objects hosted on the Arc resource bridge (preview):

- - Azure Arc-enabled VMware

- - Azure Arc-enabled Azure Stack HCI

- - Azure Arc-enabled System Center Virtual Machine Manager (SCVMM)

-Custom locations and cluster extension are both Azure resources, which are linked to the Azure Arc resource bridge (preview) resource in Azure Resource Manager. When you create an on-premises VM from Azure, you can select the custom location, and that routes that *create action* to the mapped vCenter, Azure Stack HCI cluster, or SCVMM.

-Some resources are unique to the infrastructure. For example, vCenter has a resource pool, network, and template resources. During VM creation, these resources need to be specified. With Azure Stack HCI, you just need to select the custom location, network, and template to create a VM.

-To summarize, the Azure resources are projections of the resources running in your on-premises private cloud. If the on-premises resource is not healthy, it can impact the health of the related resources that are projected in Azure. For example, if the resource bridge is deleted by accident, all the resources projected in Azure by the resource bridge are impacted. The on-premises VMs in your on-premises private cloud are not impacted, as they are running on vCenter, but you won't be able to start or stop the VMs from Azure. It is not recommended to directly manage or modify the resource bridge using any on-premises applications.

-## Benefits of Azure Arc resource bridge (preview)

-Through Azure Arc resource bridge (preview), you can connect an SCVMM management server to Azure by deploying Azure Arc resource bridge (preview) in the VMM environment. Azure Arc resource bridge (preview) enables you to represent the SCVMM resources (clouds, VMs, templates etc.) in Azure and perform various operations on them:

-### Regional resiliency

-While Azure has a number of redundancy features at every level of failure, if a service impacting event occurs, the current release of Azure Arc resource bridge does not support cross-region failover or other resiliency capabilities. In the event of the service becoming unavailable, the on-premises VMs continue to operate unaffected.

-Management from Azure is unavailable during that service outage.

-### Supported versions

-Arc resource bridge typically releases a new version on a monthly cadence, at the end of the month. Delays might occur that could push the release date further out. Regardless of when a new release comes out, if you are within n-3 supported versions, then your Arc resource bridge version is supported. To stay updated on releases, visit the [Arc resource bridge release notes](https://github.com/Azure/ArcResourceBridge/releases) on GitHub. To learn more about upgrade options, visit [Upgrade Arc resource bridge](https://learn.microsoft.com/azure/azure-arc/resource-bridge/upgrade).

-## Next steps

-Learn more about [Arc-enabled SCVMM](https://learn.microsoft.com/azure/azure-arc/system-center-virtual-machine-manager/overview)

-description: Learn about Custom locations.

-ms.

-#Customer intent: As an IT infrastructure admin, I want to know about the concepts behind Azure Arc

-# Custom locations for Arc-enabled SCVMM

-As an extension of the Azure location construct, a *custom location* provides a reference as deployment target which administrators can set up, and users can point to, when creating an Azure resource. It abstracts the backend infrastructure details from application developers, database admin users, or other users in the organization.

-## Custom location for on-premises SCVMM management server:

-Since the custom location is an Azure Resource Manager resource that supports [Azure role-based access control (Azure RBAC)](https://learn.microsoft.com/azure/role-based-access-control/overview), an administrator or operator can determine which users have access to create resource instances on the compute, storage, networking, and other SCVMM resources to deploy and manage VMs.

-For example, an IT administrator could create a custom location **Contoso-vmm** representing the SCVMM management server in your organization's Data Center. The operator can then assign Azure RBAC permissions to application developers on this custom location so that they can deploy virtual machines. The developers can then deploy these virtual machines without having to know details of the SCVMM management server.

-Custom locations create the granular [RoleBindings and ClusterRoleBindings](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding) necessary for other Azure services to access the SCVMM resources.

-## Next steps

-[Connect your SCVMM Server to Azure Arc](https://learn.microsoft.com/azure/azure-arc/system-center-virtual-machine-manager/quickstart-connect-system-center-virtual-machine-manager-to-arc)

-description: Learn about Azure Arc agent

-# Azure Arc agent

-The Azure Connected Machine agent enables you to manage your Windows and Linux machines hosted outside of Azure on your corporate network or other cloud providers.

-## Agent components

-The Azure Connected Machine agent package contains several logical components bundled together:

-* The Hybrid Instance Metadata service (HIMDS) manages the connection to Azure and the connected machine's Azure identity.

-* The guest configuration agent provides functionality such as assessing whether the machine complies with required policies and enforcing compliance.

- Note the following behavior with Azure Policy [guest configuration](../../governance/machine-configuration/overview.md) for a disconnected machine:

- * An Azure Policy assignment that targets disconnected machines is unaffected.

- * Guest assignment is stored locally for 14 days. Within the 14-day period, if the Connected Machine agent reconnects to the service, policy assignments are reapplied.

- * Assignments are deleted after 14 days and aren't reassigned to the machine after the 14-day period.

-* The Extension agent manages VM extensions, including install, uninstall, and upgrade. Azure downloads extensions and copies them to the `%SystemDrive%\%ProgramFiles%\AzureConnectedMachineAgent\ExtensionService\downloads` folder on Windows, and to `/opt/GC_Ext/downloads` on Linux. On Windows, the extension installs to the path `%SystemDrive%\Packages\Plugins\<extension>`, and on Linux the extension installs to `/var/lib/waagent/<extension>`.

->[!NOTE]

-> The [Azure Monitor agent](../../azure-monitor/agents/azure-monitor-agent-overview.md) (AMA) is a separate agent that collects monitoring data, and it does not replace the Connected Machine agent; the AMA only replaces the Log Analytics agent, Diagnostics extension, and Telegraf agent for both Windows and Linux machines.

-## Agent resources

-The following information describes the directories and user accounts used by the Azure Connected Machine agent.

-### Windows agent installation details

-The Windows agent is distributed as a Windows Installer package (MSI). Download the Windows agent from the [Microsoft Download Center](https://aka.ms/AzureConnectedMachineAgent).

-Installing the Connected Machine agent for Window applies the following system-wide configuration changes:

-* The installation process creates the following folders during setup.

- | Directory | Description |

- |--|-|

- | %ProgramFiles%\AzureConnectedMachineAgent | azcmagent CLI and instance metadata service executables.|

- | %ProgramFiles%\AzureConnectedMachineAgent\ExtensionService\GC | Extension service executables.|

- | %ProgramFiles%\AzureConnectedMachineAgent\GCArcService\GC | Guest configuration (policy) service executables.|

- | %ProgramData%\AzureConnectedMachineAgent | Configuration, log and identity token files for azcmagent CLI and instance metadata service.|

- | %ProgramData%\GuestConfig | Extension package downloads, guest configuration (policy) definition downloads, and logs for the extension and guest configuration services.|

- | %SYSTEMDRIVE%\packages | Extension package executables. |

-* Installing the agent creates the following Windows services on the target machine.

- | Service name | Display name | Process name | Description |

- |--|--|--|-|

- | himds | Azure Hybrid Instance Metadata Service | himds | Synchronizes metadata with Azure and hosts a local REST API for extensions and applications to access the metadata and request Microsoft Entra managed identity tokens |

- | GCArcService | Guest configuration Arc Service | gc_service | Audits and enforces Azure guest configuration policies on the machine. |

- | ExtensionService | Guest configuration Extension Service | gc_service | Installs, updates, and manages extensions on the machine. |

-* Agent installation creates the following virtual service account.

- | Virtual Account | Description |

- ||-|

- | NT SERVICE\\himds | Unprivileged account used to run the Hybrid Instance Metadata Service. |

- > [!TIP]

- > This account requires the *Log on as a service* right. This right is automatically granted during agent installation, but if your organization configures user rights assignments with Group Policy, you might need to adjust your Group Policy Object to grant the right to **NT SERVICE\\himds** or **NT SERVICE\\ALL SERVICES** to allow the agent to function.

-* Agent installation creates the following local security group.

- | Security group name | Description |

- ||-|

- | Hybrid agent extension applications | Members of this security group can request Microsoft Entra tokens for the system-assigned managed identity |

-* Agent installation creates the following environmental variables

- | Name | Default value | Description |

- ||||

- | IDENTITY_ENDPOINT | `http://localhost:40342/metadata/identity/oauth2/token` |

- | IMDS_ENDPOINT | `http://localhost:40342` |

-* There are several log files available for troubleshooting, described in the following table.

- | Log | Description |

- |--|-|

- | %ProgramData%\AzureConnectedMachineAgent\Log\himds.log | Records details of the heartbeat and identity agent component. |

- | %ProgramData%\AzureConnectedMachineAgent\Log\azcmagent.log | Contains the output of the azcmagent tool commands. |

- | %ProgramData%\GuestConfig\arc_policy_logs\gc_agent.log | Records details about the guest configuration (policy) agent component. |

- | %ProgramData%\GuestConfig\ext_mgr_logs\gc_ext.log | Records details about extension manager activity (extension install, uninstall, and upgrade events). |

- | %ProgramData%\GuestConfig\extension_logs | Directory containing logs for individual extensions. |

-* The process creates the local security group **Hybrid agent extension applications**.

-* After uninstalling the agent, the following artifacts remain:

- * %ProgramData%\AzureConnectedMachineAgent\Log

- * %ProgramData%\AzureConnectedMachineAgent

- * %ProgramData%\GuestConfig

- * %SystemDrive%\packages

-### Linux agent installation details

-The preferred package format for the distribution (`.rpm` or `.deb`) that's hosted in the Microsoft [package repository](https://packages.microsoft.com/) provides the Connected Machine agent for Linux. The shell script bundle [Install_linux_azcmagent.sh](https://aka.ms/azcmagent) installs and configures the agent.

-Installing, upgrading, and removing the Connected Machine agent isn't required after server restart.

-Installing the Connected Machine agent for Linux applies the following system-wide configuration changes.

-* Setup creates the following installation folders.

- | Directory | Description |

- |--|-|

- | /opt/azcmagent/ | azcmagent CLI and instance metadata service executables. |

- | /opt/GC_Ext/ | Extension service executables. |

- | /opt/GC_Service/ | Guest configuration (policy) service executables. |

- | /var/opt/azcmagent/ | Configuration, log and identity token files for azcmagent CLI and instance metadata service.|

- | /var/lib/GuestConfig/ | Extension package downloads, guest configuration (policy) definition downloads, and logs for the extension and guest configuration services.|

-* Installing the agent creates the following daemons.

- | Service name | Display name | Process name | Description |

- |--|--|--|-|

- | himdsd.service | Azure Connected Machine Agent Service | himds | This service implements the Hybrid Instance Metadata service (IMDS) to manage the connection to Azure and the connected machine's Azure identity.|

- | gcad.service | GC Arc Service | gc_linux_service | Audits and enforces Azure guest configuration policies on the machine. |

- | extd.service | Extension Service | gc_linux_service | Installs, updates, and manages extensions on the machine. |

-* There are several log files available for troubleshooting, described in the following table.

- | Log | Description |

- |--|-|

- | /var/opt/azcmagent/log/himds.log | Records details of the heartbeat and identity agent component. |

- | /var/opt/azcmagent/log/azcmagent.log | Contains the output of the azcmagent tool commands. |

- | /var/lib/GuestConfig/arc_policy_logs | Records details about the guest configuration (policy) agent component. |

- | /var/lib/GuestConfig/ext_mgr_logs | Records details about extension manager activity (extension install, uninstall, and upgrade events). |

- | /var/lib/GuestConfig/extension_logs | Directory containing logs for individual extensions. |

-* Agent installation creates the following environment variables, set in `/lib/systemd/system.conf.d/azcmagent.conf`.

- | Name | Default value | Description |

- |||-|

- | IDENTITY_ENDPOINT | `http://localhost:40342/metadata/identity/oauth2/token` |

- | IMDS_ENDPOINT | `http://localhost:40342` |

-* After uninstalling the agent, the following artifacts remain:

- * /var/opt/azcmagent

- * /var/lib/GuestConfig

-## Agent resource governance

-The Azure Connected Machine agent is designed to manage agent and system resource consumption. The agent approaches resource governance under the following conditions:

-* The Guest Configuration agent can use up to 5% of the CPU to evaluate policies.

-* The Extension Service agent can use up to 5% of the CPU to install, upgrade, run, and delete extensions. Some extensions might apply more restrictive CPU limits once installed. The following exceptions apply:

- | Extension type | Operating system | CPU limit |

- | -- | - | |

- | AzureMonitorLinuxAgent | Linux | 60% |

- | AzureMonitorWindowsAgent | Windows | 100% |

- | AzureSecurityLinuxAgent | Linux | 30% |

- | LinuxOsUpdateExtension | Linux | 60% |

- | MDE.Linux | Linux | 60% |

- | MicrosoftDnsAgent | Windows | 100% |

- | MicrosoftMonitoringAgent | Windows | 60% |

- | OmsAgentForLinux | Windows | 60%|

-During normal operations, defined as the Azure Connected Machine agent being connected to Azure and not actively modifying an extension or evaluating a policy, you can expect the agent to consume the following system resources:

-| | Windows | Linux |

-| | - | -- |

-| **CPU usage (normalized to 1 core)** | 0.07% | 0.02% |

-| **Memory usage** | 57 MB | 42 MB |

-The performance data above was gathered in April 2023 on virtual machines running Windows Server 2022 and Ubuntu 20.04. The actual agent performance and resource consumption vary based on the hardware and software configuration of your servers.

-## Instance metadata

-Metadata information about a connected machine is collected after the Connected Machine agent registers with Azure Arc-enabled servers, specifically:

-* Operating system name, type, and version

-* Computer name

-* Computer manufacturer and model

-* Computer fully qualified domain name (FQDN)

-* Domain name (if joined to an Active Directory domain)

-* Active Directory and DNS fully qualified domain name (FQDN)

-* UUID (BIOS ID)

-* Connected Machine agent heartbeat

-* Connected Machine agent version

-* Public key for managed identity

-* Policy compliance status and details (if using guest configuration policies)

-* SQL Server installed (Boolean value)

-* Cluster resource ID (for Azure Stack HCI nodes)

-* Hardware manufacturer

-* Hardware model

-* CPU family, socket, physical core and logical core counts

-* Total physical memory

-* Serial number

-* SMBIOS asset tag

-* Cloud provider

-* Amazon Web Services (AWS) metadata, when running in AWS:

- * Account ID

- * Instance ID

- * Region

-* Google Cloud Platform (GCP) metadata, when running in GCP:

- * Instance ID

- * Image

- * Machine type

- * Project ID

- * Project number

- * Service accounts

- * Zone

-The agent requests the following metadata information from Azure:

-* Resource location (region)

-* Virtual machine ID

-* Tags

-* Microsoft Entra managed identity certificate

-* Guest configuration policy assignments

-* Extension requests - install, update, and delete.

-> [!NOTE]

-> Azure Arc-enabled servers don't store/process customer data outside the region the customer deploys the service instance in.

-## Next steps

-description: Learn about Azure Arc resource bridge (preview)

-#Customer intent: As an IT infrastructure admin, I want to know about the Azure Arc resource bridge (preview) that facilitates the Arc connection between vCenter server and Azure.

-# Azure Arc resource bridge (preview)

-Azure Arc resource bridge (preview) is a Microsoft managed product that is part of the core Azure Arc platform. It's designed to host other Azure Arc services. The resource bridge supports VM self-servicing and management from Azure, for virtualized Windows and Linux virtual machines hosted in an on-premises environment on [Azure Stack HCI](/azure-stack/hci/manage/azure-arc-vm-management-overview), VMware [(Arc-enabled VMware vSphere)](/azure/azure-arc/vmware-vsphere), and System Center Virtual Machine Manager (SCVMM) [(Arc-enabled SCVMM preview)](/azure/azure-arc/system-center-virtual-machine-manager).

-Azure Arc resource bridge (preview) is a Kubernetes management cluster installed on the customerΓÇÖs on-premises infrastructure. The resource bridge is provided with the credentials to the infrastructure control plane that allows it to apply guest management services on the on-premises resources. Arc resource bridge enables projection of on-premises resources as ARM resources and management from ARM as **Arc-enabled** Azure resources.

-Arc resource bridge delivers the following benefits:

-## Overview

-Azure Arc resource bridge (preview) hosts other components such as [custom locations](custom-locations.md), cluster extensions, and other Azure Arc agents to deliver the level of functionality with the private cloud infrastructures it supports.

-This complex system is composed of three layers:

-Azure Arc resource bridge (preview) can host other Azure services or solutions running on-premises. For this preview, there are two objects hosted on the Arc resource bridge (preview):

- - Azure Arc-enabled VMware

- - Azure Arc-enabled Azure Stack HCI

- - Azure Arc-enabled System Center Virtual Machine Manager (SCVMM)

-Custom locations and cluster extension are both Azure resources, which are linked to the Azure Arc resource bridge (preview) resource in Azure Resource Manager. When you create an on-premises VM from Azure, you can select the custom location, and that routes that *create action* to the mapped vCenter, Azure Stack HCI cluster, or SCVMM.

-Some resources are unique to the infrastructure. For example, vCenter has a resource pool, network, and template resources. During VM creation, these resources need to be specified. With Azure Stack HCI, you just need to select the custom location, network, and template to create a VM.

-To summarize, the Azure resources are projections of the resources running in your on-premises private cloud. If the on-premises resource isn't healthy, it can affect the health of the related resources that are projected in Azure. For example, if the resource bridge is deleted by accident, all the resources projected in Azure by the resource bridge are affected. The on-premises VMs in your on-premises private cloud aren't affected, as they are running on vCenter but you won't be able to start or stop the VMs from Azure. It's not recommended to directly manage or modify the resource bridge using any on-premises applications.

-## Benefits of Azure Arc resource bridge (preview)

-Through Azure Arc resource bridge (preview), you can represent a subset of your vCenter resources in Azure to enable self-service by registering resource pools, networks, and VM templates. Integration with Azure allows you to manage access to your vCenter resources in Azure to maintain a secure environment. You can also perform various operations on the VMware virtual machines that are enabled by Arc-enabled VMware vSphere:

-## Regional resiliency

-While Azure has many redundancy features at every level of failure, if a service impacting event occurs, the current release of Azure Arc resource bridge (preview) doesn't support cross-region failover or other resiliency capabilities. If the service becomes unavailable, the on-premises VMs continue to operate unaffected.

-Management from Azure is unavailable during that service outage.

-## Supported versions

-Arc resource bridge typically releases a new version on a monthly cadence, at the end of the month. Delays can occur that could push the release date further out. Regardless of when a new release comes out, if you are within n-3 supported versions, then your Arc resource bridge version is supported. To stay updated on releases, visit the [Arc resource bridge release notes](https://github.com/Azure/ArcResourceBridge/releases) on GitHub. To learn more about upgrade options, visit [Upgrade Arc resource bridge](../resource-bridge/upgrade.md).

-## Next steps

-[Learn more about Arc-enabled VMware vSphere](/azure/azure-arc/vmware-vsphere).

-description: Learn about custom locations for VMware vSphere

-#Customer intent: As an IT infrastructure admin, I want to know about the concepts behind Azure Arc.

-# Custom locations for VMware vSphere

-As an extension of the Azure location construct, a *custom location* provides a reference as a deployment target which administrators can set up and users can point to when creating an Azure resource. It abstracts the backend infrastructure details from application developers, database admin users, or other users in the organization.

-## Custom location for on-premises vCenter server

-Since the custom location is an Azure Resource Manager resource that supports [Azure role-based access control (Azure RBAC)](/azure/role-based-access-control/overview), an administrator or operator can determine which users have access to create resource instances on the compute, storage, networking, and other vCenter resources to deploy and manage VMs.

-For example, an IT administrator could create a custom location **Contoso-vCenter** representing the vCenter server in your organization's data center. The operator can then assign Azure RBAC permissions to application developers on this custom location so that they can deploy virtual machines. The developers can then deploy these virtual machines without having to know details of the vCenter management server.

-Custom locations create the granular [RoleBindings and ClusterRoleBindings](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding) necessary for other Azure services to access the VMware resources.

-## Next steps

-[Connect VMware vCenter Server to Azure Arc](./quick-start-connect-vcenter-to-arc-using-script.md).

-The Azure Functions logger includes a *category* for every log. The category indicates which part of the runtime code or your function code wrote the log. Categories differ between version 1.x and later versions. The following chart describes the main categories of logs that the runtime creates:

-The example below defines logging based on the following rules:

-+ For logs of `Host.Results` or `Function`, only log events at `Error` or a higher level.

-+ For logs of `Host.Aggregator`, log all generated metrics (`Trace`).

-+ For all other logs, including user logs, log only `Information` level and higher events.

-+ For `fileLoggingMode` the default is `debugOnly`. The value `always` should only be used for short periods of time to review logs in the filesystem. Revert this setting when you are done debugging.

- "default": "Information",

- "Host.Results": "Error",

- "Function": "Error",

- "Host.Aggregator": "Trace"

- "defaultLevel": "Information",

- "Host.Results": "Error",

- "Function": "Error",

- "Host.Aggregator": "Trace"

-The `EntityTrigger` Function, `Run` in this sample, does not need to reside within the Entity class itself. It can reside within any valid location for an Azure Function: inside the top-level namespace, or inside a top-level class. However, if nested deeper (e.g, the Function is declared inside a *nested* class), then this Function will not be recognized by the latest runtime.

- - To delete via setting state to null will require `TState` to be nullable.

- - The implicitly defined delete operation will delete non-nullable `TState`.

-Also, any method that is intended to be invoked as an operation must satisfy additional requirements:

-#### [In-Process](#tab/in-process)

-Class-based entities can be accessed directly, using explicit string names for the entity and its operations. We provide some examples below; for a deeper explanation of the underlying concepts (such as signals vs. calls) see the discussion in [Access entities](durable-functions-entities.md#access-entities).

-> Where possible, we recommend [Accessing entities through interfaces](#accessing-entities-through-interfaces), because it provides more type checking.

-### Example: orchestration first signals, then calls entity

-#### [In-Process](#tab/in-process)

-### Example: orchestration first signals, then calls entity through proxy

-#### [In-Process](#tab/in-process)

-We also enforce some additional rules:

-Since the state of an entity is durably persisted, the entity class must be serializable. The Durable Functions runtime uses the [Json.NET](https://www.newtonsoft.com/json) library for this purpose, which supports a number of policies and attributes to control the serialization and deserialization process. Most commonly used C# data types (including arrays and collection types) are already serializable, and can easily be used for defining the state of durable entities.

-By default, the name of the class is *not* stored as part of the JSON representation: that is, we use `TypeNameHandling.None` as the default setting. This default behavior can be overridden using `JsonObject` or `JsonProperty` attributes.

-Some care is required when making changes to a class definition after an application has been run, because the stored JSON object can no longer match the new class definition. Still, it is often possible to deal correctly with changing data formats as long as one understands the deserialization process used by `JsonConvert.PopulateObject`.

-1. If a new property is added, which is not present in the stored JSON, it assumes its default value.

-1. If a property is removed, which is present in the stored JSON, the previous content is lost.

-1. If a property is renamed, the effect is as if removing the old one and adding a new one.

-1. If the type of a property is changed so it can no longer be deserialized from the stored JSON, an exception is thrown.

-1. If the type of a property is changed, but it can still be deserialized from the stored JSON, it will do so.

-There are many options available for customizing the behavior of Json.NET. For example, to force an exception if the stored JSON contains a field that is not present in the class, specify the attribute `JsonObject(MissingMemberHandling = MissingMemberHandling.Error)`. It is also possible to write custom code for deserialization that can read JSON stored in arbitrary formats.

-Unlike regular functions, entity class methods don't have direct access to input and output bindings. Instead, binding data must be captured in the entry-point function declaration and then passed to the `DispatchAsync<T>` method. Any objects passed to `DispatchAsync<T>` will be automatically passed into the entity class constructor as an argument.

-* `GetState<TState>()`: gets the current state of the entity. If it does not already exist, it is created.

-If the state returned by `GetState` is an object, it can be directly modified by the application code. There is no need to call `SetState` again at the end (but also no harm). If `GetState<TState>` is called multiple times, the same type must be used.

-### Entity operations ###

-Operations can return a result value or an error result, such as a JavaScript error or a .NET exception. This result or error can be observed by orchestrations that called the operation.

-Currently, the two distinct APIs for defining entities are:

-**Function-based syntax**, where entities are represented as functions and operations are explicitly dispatched by the application. This syntax works well for entities with simple state, few operations, or a dynamic set of operations like in application frameworks. This syntax can be tedious to maintain because it doesn't catch type errors at compile time.

-**Class-based syntax (.NET only)**, where entities and operations are represented by classes and methods. This syntax produces more easily readable code and allows operations to be invoked in a type-safe way. The class-based syntax is a thin layer on top of the function-based syntax, so both variants can be used interchangeably in the same application.

-# [C# (In-proc)](#tab/in-process)

-### Example: Function-based syntax - C#

-### Example: Class-based syntax - C#

-# [C# (Isolated)](#tab/isolated-process)

-### Example: Function-based syntax - C#

-### Example: Class-based syntax - C#

-# [JavaScript](#tab/javascript)

-### Example: JavaScript entity

-# [Python](#tab/python)

-### Example: Python entity

-# [C# (In-proc)](#tab/in-process)

-# [C# (Isolated)](#tab/isolated-process)

-# [JavaScript](#tab/javascript)

-# [Python](#tab/python)

-# [C# (In-proc)](#tab/in-process)

-# [C# (Isolated)](#tab/isolated-process)

-# [JavaScript](#tab/javascript)

-# [Python](#tab/python)

-# [C# (In-proc)](#tab/in-process)

-# [C# (Isolated)](#tab/isolated-process)

-# [JavaScript](#tab/javascript)

-# [Python](#tab/python)

-# [C# (In-proc)](#tab/in-process)

-# [C# (Isolated)](#tab/isolated-process)

-# [JavaScript](#tab/javascript)

-# [Python](#tab/python)

-> Python does not support entity-to-entity signals yet. Please use an orchestrator for signaling entities instead.

-## <a name="entity-coordination"></a>Entity coordination (currently .NET only)

-### Example: Transfer funds (C#)

-In the preceding example, an orchestrator function transferred funds from a source entity to a destination entity. The `LockAsync` method locked both the source and destination account entities. This locking ensured that no other client could query or modify the state of either account until the orchestration logic exited the critical section at the end of the `using` statement. This behavior prevents the possibility of overdrafting from the source account.

-Unlike transactions, critical sections don't automatically roll back changes in the case of errors. Instead, any error handling, such as roll-back or retry, must be explicitly coded, for example by catching errors or exceptions. This design choice is intentional. Automatically rolling back all the effects of an orchestration is difficult or impossible in general, because orchestrations might run activities and make calls to external services that can't be rolled back. Also, attempts to roll back might themselves fail and require further error handling.

-Many of the durable entities features are inspired by the [actor model](https://en.wikipedia.org/wiki/Actor_model). If you're already familiar with actors, you might recognize many of the concepts described in this article. Durable entities are particularly similar to [virtual actors](https://research.microsoft.com/projects/orleans/), or grains, as popularized by the [Orleans project](http://dotnet.github.io/orleans/). For example:

-* When not executing operations, durable entities are silently unloaded from memory.

-* Durable entities can be used in conjunction with durable orchestrations and support distributed locking mechanisms.

-+ You may have issues with remote build when your app was created before the feature was made available (August 1, 2019). For older apps, either create a new function app or run `az functionapp update -resource-group <RESOURCE_GROUP_NAME> -name <APP_NAME>` to update your function app. This command might take two tries to succeed.

-Learn how to use additional features of the drawing tools module:

-| [Change Tracking and Inventory Management](../../automation/change-tracking/overview.md) | Moving to an agentless solution | | Available Novermber 2023 |

-4. You may need tenant admin permissions on the Microsoft Entra tenant.

-Since MO is a tenant level resource, the scope of the permission would be higher than a subscription scope. Therefore, an Azure tenant admin may be needed to perform this step. [Follow these steps to elevate Microsoft Entra tenant admin as Azure Tenant Admin](../../role-based-access-control/elevate-access-global-admin.md). It gives the Microsoft Entra admin 'owner' permissions at the root scope. This is needed for all methods described in the following section.

-| principalId | Provide the `Object Id` of the identity of the user to which the role needs to be assigned. It may be the user who elevated at the beginning of step 1, or another user or group who will perform later steps. |

-1. Enter a **Rule name** and specify a **Subscription**, **Resource Group**, **Region**, and **Platform Type**:

- If you need network isolation using private links, select existing endpoints from the same region for the respective resources or [create a new endpoint](../essentials/data-collection-endpoint-overview.md).

- 1. Select a data collection endpoint for each of the resources associate to the data collection rule.

-> You can use the PowerShell cmdlet `Get-WinEvent` with the `FilterXPath` parameter to test the validity of an XPath query locally on your machine first. The following script shows an example:

-> The column names are case sensitive. For example Rawdata will not correcly collect the event data. It must be RawData.

-1. Enter a **Rule name** and specify a **Subscription**, **Resource Group**, **Region**, **Platform Type**, and **Data Collection Endpoint**:

- - **Data Collection Endpoint** is required to collect custom logs.

- If you need network isolation using private links, select existing endpoints from the same region for the respective resources or [create a new endpoint](../essentials/data-collection-endpoint-overview.md).

- 1. Select a data collection endpoint for each of the resources associate to the data collection rule.

-The Azure Monitor Agent isn't a service that runs in the context of an Azure Resource Provider. It may even be running in on premise machines within a customer network boundary. The Azure Monitor Agent Troubleshooter is designed to help diagnose issues with the agent, and general agent health checks. It can run checks to verify agent installation, connection, general heartbeat, and collect AMA-related logs automatically from the affected Windows or Linux VM. More scenarios will be added over time to increase the number of issues that can be diagnosed.

-The detailed data collected by the troubleshooter include system configuration, network configuration, environment variables, and agent configuration that can aid the customer in finding any issues. The troubleshooter make is easy to send this data to customer support by creating a Zip file that should be attached to any customer support request. The file is located in C:/Packages/Plugins/Microsoft.Azure.Monitor.AzureMonitorWindowsAgent/{version}/Troubleshooter. The agent logs can be cryptic but they can give you insight into problems that you may be experiencing.

-1. On the **Alerts** page, select **Enable recommended alert rules**. The **Enable recommended alert rules** pane opens with a list of recommended alert rules based on your type of resource.

-1. In the **Alert me if** section, select all of the rules you want to enable. The rules are populated with the default values for the rule condition, such as the percentage of CPU usage that you want to trigger an alert. You can change the default values if you would like.

-1. Select **Enable**.

- :::image type="content" source="media/alerts-managing-alert-instances/alerts-enable-recommended-alert-rule-pane.png" alt-text="Screenshot of recommended alert rules pane.":::

-Within the profiler user interface (see [profiler settings](../profiler/profiler-settings.md)) there's a **Profile now** button. Selecting this button immediately requests a profile in all agents that are attached to the Application Insights instance.

-description: Overview of data collection endpoints (DCEs) in Azure Monitor, including their contents and structure and how you can create and work with them.

-Data collection endpoints (DCEs) provide a connection for certain data sources of Azure Monitor. This article provides an overview of DCEs, including their contents and structure and how you can create and work with them.

-## Data sources that use DCEs

-The following data sources currently use DCEs:

-A DCE includes the following components:

-| Component | Description |

-|:|:|

-| Configuration access endpoint | The endpoint used to access the configuration service to fetch associated data collection rules (DCRs) for Azure Monitor Agent.<br>Example: `<unique-dce-identifier>.<regionname>-1.handler.control`. |

-| Logs ingestion endpoint | The endpoint used to ingest logs to Log Analytics workspaces.<br>Example: `<unique-dce-identifier>.<regionname>-1.ingest`. |

-| Network access control lists | Network access control rules for the endpoints.

-## Regionality

-Data collection endpoints are Azure Resource Manager resources created within specific regions. An endpoint in a given region *can only be associated with machines in the same region*. However, you can have more than one endpoint within the same region according to your needs.

-## Limitations

-Data collection endpoints only support Log Analytics workspaces as a destination for collected data. [Custom metrics (preview)](../essentials/metrics-custom-overview.md) collected and uploaded via Azure Monitor Agent aren't currently controlled by DCEs. Data collection endpoints also can't be configured over private links.

-## Create a data collection endpoint

-> [!IMPORTANT]

-> If agents will connect to your DCE, it must be created in the same region. If you have agents in different regions, you'll need multiple DCEs.

-Create DCRs by using the [DCE REST APIs](/cli/azure/monitor/data-collection/endpoint).

-We recommend you do NOT explicit set your agent to only use TLS 1.2 unless necessary. Allowing the agent to automatically detect, negotiate, and take advantage of future security standards is preferable. Otherwise you may miss the added security of the newer standards and possibly experience problems if TLS 1.2 is ever deprecated in favor of those newer standards.

- * Assess the impact and severity of an incident by an on-call incident response team member. Based on evidence, the assessment may or may not result in further escalation to the security response team.

- * Diagnose an incident by security response experts to conduct the technical or forensic investigation, identify containment, mitigation, and work around strategies. If the security team believes that customer data may have become exposed to an unlawful or unauthorized individual, parallel execution of the Customer Incident Notification process begins in parallel.

- * Stabilize and recover from the incident. The incident response team creates a recovery plan to mitigate the issue. Crisis containment steps such as quarantining impacted systems may occur immediately and in parallel with diagnosis. Longer term mitigations may be planned which occur after the immediate risk has passed.

-* [ISO/IEC 27001](https://www.iso.org/iso/home/standards/management-standards/iso27001.htm)

-As described above, data from the management server or direct-connected agents is sent over TLS to Microsoft Azure datacenters. Optionally, you can use ExpressRoute to provide extra security for the data. ExpressRoute is a way to directly connect to Azure from your existing WAN network, such as a multi-protocol label switching (MPLS) VPN, provided by a network service provider. For more information, see [ExpressRoute](https://azure.microsoft.com/services/expressroute/).

-Click on the picture above for a to see the Data Platform in the context of the whole of Azure Monitor.

-description: Azure Monitor SCOM Managed Instance allows you maintain your investment in your existing System Center Operations Manager (SCOM) environment while moving your monitoring infrastructure into the Azure cloud.

-While Azure Monitor can use the [Azure Monitor agent](../agents/agents-overview.md) to collect telemetry from a virtual machine, it isn't able to replicate the extensive monitoring provided by management packs written for SCOM, including any management packs that you may have written for your custom applications.

-You may have an eventual goal to move your monitoring completely to Azure Monitor, but you must maintain SCOM functionality until you no longer rely on management packs for monitoring your virtual machine workloads. SCOM Managed Instance (preview) is compatible with all existing management packs and provides migration from your existing on-premises SCOM infrastructure.

-| Security | [Use Managed identities for Azure with Azure Monitor SCOM Managed Instance (preview)](/system-center/scom/use-managed-identities-with-scom-mi)<br>[Azure Monitor SCOM Managed Instance (preview) Data Encryption at Rest](/system-center/scom/scom-mi-data-encryption-at-rest) |

-Click **Enable** to create the alert rules.

-The map feature of VM insights visualizes virtual machine dependencies by discovering running processes that have active network connection between servers, inbound and outbound connection latency, or ports across any TCP-connected architecture over a specified time range. For more information about the benefits of the VM insights map feature over Service Map, see [How is VM insights Map feature different from Service Map?](/azure/azure-monitor/faq#how-is-vm-insights-map-feature-different-from-service-map-).

-3. If you're using [Enhanced policy](backup-azure-vms-enhanced-policy.md), you can use this solution to exclude unsupported disks (Shared Disks) and configure a VM for backup.

-For more information about SKUs, including how to upgrade a SKU and information about the new Developer SKU, see the [Configuration settings](configuration-settings.md#skus) article.

-* [Quickstart: Quickstart: Deploy Bastion automatically - Basic SKU](quickstart-host-portal.md)

-## 1. Collect the required information

-### Register the resource provider

-Azure Cloud Shell runs in a container. The **Microsoft.ContainerInstances** resource provider needs

-to be registered in the subscription that holds the virtual network for your deployment. Depending

-when your tenant was created, the provider may already be registered.

-Use the following commands to check the registration status.

-```powershell

-Set-AzContext -Subscription MySubscriptionName

-Get-AzResourceProvider -ProviderNamespace Microsoft.ContainerInstance |

- Select-Object ResourceTypes, RegistrationState

-```

-```Output

-ResourceTypes RegistrationState

-{containerGroups} Registered

-{serviceAssociationLinks} Registered

-{locations} Registered

-{locations/capabilities} Registered

-{locations/usages} Registered

-{locations/operations} Registered

-{locations/operationresults} Registered

-{operations} Registered

-{locations/cachedImages} Registered

-{locations/validateDeleteVirtualNetworkOrSubnets} Registered

-{locations/deleteVirtualNetworkOrSubnets} Registered

-```

-If **RegistrationState** for `{containerGroups}` is `NotRegistered`, run the following command to

-register the provider:

-```powershell

-Register-AzResourceProvider -ProviderNamespace Microsoft.ContainerInstance

-```

-To configure the virtual network for Cloud Shell using the quickstarts, retrieve the `Azure Container Instance`

-ID for your organization.

-```powershell

-Get-AzADServicePrincipal -DisplayNameBeginsWith 'Azure Container Instance'

-```

-```Output

-DisplayName Id AppId

-Azure Container Instance Service 8fe7fd25-33fe-4f89-ade3-0e705fcf4370 34fbe509-d6cb-4813-99df-52d944bfd95a

-```

-Take note of the **Id** value for the `Azure Container Instance` service principal. It's needed for

-the **Azure Cloud Shell - VNet storage** template.

-## 2. Create the virtual network using the ARM template

-network. The template creates three subnets under the virtual network created earlier. You may

-| Subscription | Defaults to the current subscription context.<br>For this example, we're using `MyCompany Subscription` |

-## 3. Create the virtual network storage using the ARM template

-| Subscription | Defaults to the current subscription context.<br>For this example, we're using `MyCompany Subscription` |

-## 4. Configuring Cloud Shell to use a virtual network

-[  ](media/quickstart-deploy-vnet/setup-cloud-shell-storage.png#lightbox)

- - Phonenumber isn't associated with a WhatsApp Business Account.

- | **At these hours** | `hours` | No | Integer or integer array | If you select "Day" or "Week", you can select one or more integers from 0 to 23 as the hours of the day for when you want to run the workflow. <br><br>For example, if you specify "10", "12" and "14", you get 10 AM, 12 PM, and 2 PM for the hours of the day, but the minutes of the day are calculated based on when the recurrence starts. To set specific minutes of the day, for example, 10:00 AM, 12:00 PM, and 2:00 PM, specify those values by using the property named **At these minutes**. |

-| Processing | Scaling in or out is occurring. One or more running replicas, while other replicas are being provisioned. |

-| Running | One or more replicas running. There are no issues to report. |

-| Degraded | At least one replica in the revision is failed. View running state details for specific issues. |

-description: Learn how to build a .NET app to manage Azure Cosmos DB for NoSQL account resources in this quickstart.

-Get started with the Azure Cosmos DB client library for .NET to create databases, containers, and items within your account. Follow these steps to install the package and try out example code for basic tasks.

-> [!NOTE]

-> The [example code snippets](https://github.com/azure-samples/cosmos-db-nosql-dotnet-samples) are available on GitHub as a .NET project.

-[API reference documentation](/dotnet/api/microsoft.azure.cosmos) | [Library source code](https://github.com/Azure/azure-cosmos-dotnet-v3) | [Package (NuGet)](https://www.nuget.org/packages/Microsoft.Azure.Cosmos) | [Samples](samples-dotnet.md)

-### Prerequisite check

-## Setting up

-This section walks you through creating an Azure Cosmos DB account and setting up a project that uses Azure Cosmos DB for NoSQL client library for .NET to manage resources.

-### <a id="create-account"></a>Create an Azure Cosmos DB account

-> [!TIP]

-> No Azure subscription? You can [try Azure Cosmos DB free](../try-free.md) with no credit card required. If you create an account using the free trial, you can safely skip ahead to the [Create a new .NET app](#create-a-new-net-app) section.

-### Create a new .NET app

-Create a new .NET application in an empty folder using your preferred terminal. Use the [``dotnet new``](/dotnet/core/tools/dotnet-new) command specifying the **console** template.

-```dotnetcli

-dotnet new console

-```

-### Install the package

-Add the [Microsoft.Azure.Cosmos](https://www.nuget.org/packages/Microsoft.Azure.Cosmos) NuGet package to the .NET project. Use the [``dotnet add package``](/dotnet/core/tools/dotnet-add-package) command specifying the name of the NuGet package.

-```dotnetcli

-dotnet add package Microsoft.Azure.Cosmos

-```

-Build the project with the [``dotnet build``](/dotnet/core/tools/dotnet-build) command.

-```dotnetcli

-dotnet build

-```

-Make sure that the build was successful with no errors. The expected output from the build should look something like this:

-```output

- Determining projects to restore...

- All projects are up-to-date for restore.

- dslkajfjlksd -> C:\Users\sidandrews\Demos\dslkajfjlksd\bin\Debug\net6.0\dslkajfjlksd.dll

-Build succeeded.

- 0 Warning(s)

- 0 Error(s)

-```

-### Configure environment variables

-## Object model

-You'll use the following .NET classes to interact with these resources:

-## Code examples

-The sample code described in this article creates a database named ``cosmicworks`` with a container named ``products``. The ``products`` table is designed to contain product details such as name, category, quantity, and a sale indicator. Each product also contains a unique identifier.

-For this sample code, the container will use the category as a logical partition key.

-### Authenticate the client

-## [Passwordless (Recommended)](#tab/passwordless)

-## Authenticate using DefaultAzureCredential

-You can authenticate to Cosmos DB for NoSQL using `DefaultAzureCredential` by adding the `Azure.Identity` NuGet package to your application. `DefaultAzureCredential` will automatically discover and use the account you signed-in with in the previous step.

-```dotnetcli

-dotnet add package Azure.Identity

-```

-From the project directory, open the `Program.cs` file. In your editor, add using directives for the ``Microsoft.Azure.Cosmos`` and `Azure.Identity` namespaces.

-Define a new instance of the ``CosmosClient`` class using the constructor, and [``Environment.GetEnvironmentVariable``](/dotnet/api/system.environment.getenvironmentvariable) to read the `COSMOS_ENDPOINT` environment variable you created earlier.

-For more information on different ways to create a ``CosmosClient`` instance, see [Get started with Azure Cosmos DB for NoSQL and .NET](how-to-dotnet-get-started.md#connect-to-azure-cosmos-db-sql-api).

-## [Connection String](#tab/connection-string)

-From the project directory, open the `Program.cs` file. In your editor, add a using directive for ``Microsoft.Azure.Cosmos``.

-Define a new instance of the ``CosmosClient`` class using the constructor, and [``Environment.GetEnvironmentVariable``](/dotnet/api/system.environment.getenvironmentvariable) to read the two environment variables you created earlier.

-For more information on different ways to create a ``CosmosClient`` instance, see [Get started with Azure Cosmos DB for NoSQL and .NET](how-to-dotnet-get-started.md#connect-to-azure-cosmos-db-sql-api).

-### Create and query the database

-Next you'll create a database and container to store products, and perform queries to insert and read those items.

-## [Passwordless (Recommended)](#tab/passwordless)

-The `Microsoft.Azure.Cosmos` client libraries enable you to perform *data* operations using [Azure RBAC](../role-based-access-control.md). However, to authenticate *management* operations such as creating and deleting databases you must use RBAC through one of the following options:

-> - [Azure CLI scripts](manage-with-cli.md)

-> - [Azure PowerShell scripts](manage-with-powershell.md)

-> - [Azure Resource Manager templates (ARM templates)](manage-with-templates.md)

-> - [Azure Resource Manager .NET client library](https://www.nuget.org/packages/Azure.ResourceManager.CosmosDB/)

-The Azure CLI approach is used in this example. Use the [`az cosmosdb sql database create`](/cli/azure/cosmosdb/sql/database#az-cosmosdb-sql-database-create) and [`az cosmosdb sql container create`](/cli/azure/cosmosdb/sql/container#az-cosmosdb-sql-container-create) commands to create a Cosmos DB NoSQL database and container.

-```azurecli

-# Create a SQL API database

-az cosmosdb sql database create

- --account-name msdocs-cosmos-nosql

- --resource-group msdocs

- --name cosmicworks

-# Create a SQL API container

-az cosmosdb sql container create

- --account-name msdocs-cosmos-nosql

- --resource-group msdocs

- --database-name cosmicworks

- --name products

-```

-After the resources have been created, use classes from the `Microsoft.Azure.Cosmos` client libraries to connect to and query the database.

-### Get the database

-Use the [``CosmosClient.GetDatabase``](/dotnet/api/microsoft.azure.cosmos.cosmosclient.getdatabase) method will return a reference to the specified database.

-### Get the container

-The [``Database.GetContainer``](/dotnet/api/microsoft.azure.cosmos.database.getcontainer) will return a reference to the specified container.

-## [Connection String](#tab/connection-string)

-### Create a database

-Use the [``CosmosClient.CreateDatabaseIfNotExistsAsync``](/dotnet/api/microsoft.azure.cosmos.cosmosclient.createdatabaseifnotexistsasync) method to create a new database if it doesn't already exist. This method will return a reference to the existing or newly created database.

-For more information on creating a database, see [Create a database in Azure Cosmos DB for NoSQL using .NET](how-to-dotnet-create-database.md).

-### Create a container

-The [``Database.CreateContainerIfNotExistsAsync``](/dotnet/api/microsoft.azure.cosmos.database.createcontainerifnotexistsasync) will create a new container if it doesn't already exist. This method will also return a reference to the container.

-For more information on creating a container, see [Create a container in Azure Cosmos DB for NoSQL using .NET](how-to-dotnet-create-container.md).

-### Create an item

-The easiest way to create a new item in a container is to first build a C# [class](/dotnet/csharp/language-reference/keywords/class) or [record](/dotnet/csharp/language-reference/builtin-types/record) type with all of the members you want to serialize into JSON. In this example, the C# record has a unique identifier, a *categoryId* field for the partition key, and extra *categoryName*, *name*, *quantity*, and *sale* fields.

-Create an item in the container by calling [``Container.CreateItemAsync``](/dotnet/api/microsoft.azure.cosmos.container.createitemasync).

-For more information on creating, upserting, or replacing items, see [Create an item in Azure Cosmos DB for NoSQL using .NET](how-to-dotnet-create-item.md).

-### Get an item

-In Azure Cosmos DB, you can perform a point read operation by using both the unique identifier (``id``) and partition key fields. In the SDK, call [``Container.ReadItemAsync<>``](/dotnet/api/microsoft.azure.cosmos.container.readitemasync) passing in both values to return a deserialized instance of your C# type.

-For more information about reading items and parsing the response, see [Read an item in Azure Cosmos DB for NoSQL using .NET](how-to-dotnet-read-item.md).

-After you insert an item, you can run a query to get all items that match a specific filter. This example runs the SQL query: ``SELECT * FROM products p WHERE p.categoryId = "61dba35b-4f02-45c5-b648-c6badc0cbd79"``. This example uses the **QueryDefinition** type and a parameterized query expression for the partition key filter. Once the query is defined, call [``Container.GetItemQueryIterator<>``](/dotnet/api/microsoft.azure.cosmos.container.getitemqueryiterator) to get a result iterator that will manage the pages of results. Then, use a combination of ``while`` and ``foreach`` loops to retrieve pages of results and then iterate over the individual items.

-## Run the code

-This app creates an API for NoSQL database and container. The example then creates an item and then reads the exact same item back. Finally, the example issues a query that should only return that single item. With each step, the example outputs metadata to the console about the steps it has performed.

-To run the app, use a terminal to navigate to the application directory and run the application.

-```dotnetcli

-dotnet run

-```

-The output of the app should be similar to this example:

-```output

-New database: adventureworks

-New container: products

-Created item: 68719518391 [gear-surf-surfboards]

-## Clean up resources

-## Next steps

-In this quickstart, you learned how to create an Azure Cosmos DB for NoSQL account, create a database, and create a container using the .NET SDK. You can now dive deeper into a tutorial where you manage your Azure Cosmos DB for NoSQL resources and data using a .NET console application.

-description: See how you can create new user accounts to interact with an Azure Cosmos DB for PostgreSQL cluster.

-# Create users in Azure Cosmos DB for PostgreSQL

-The PostgreSQL engine uses

-[roles](https://www.postgresql.org/docs/current/sql-createrole.html) to control

-access to database objects, and a newly created cluster

-comes with several roles pre-defined:

-* The [default PostgreSQL roles](https://www.postgresql.org/docs/current/default-roles.html)

-* `azure_pg_admin`

-* `postgres`

-* `citus`

-Since Azure Cosmos DB for PostgreSQL is a managed PaaS service, only Microsoft can sign in with the

-`postgres` superuser role. For limited administrative access, Azure Cosmos DB for PostgreSQL

-provides the `citus` role.

-## The Citus role

-Permissions for the `citus` role:

-* Read all configuration variables, even variables normally visible only to

- superusers.

-* Read all pg\_stat\_\* views and use various statistics-related

- extensions--even views or extensions normally visible only to superusers.

-* Execute monitoring functions that may take ACCESS SHARE locks on tables,

- potentially for a long time.

-* [Create PostgreSQL extensions](reference-extensions.md), because

- the role is a member of `azure_pg_admin`.

-Notably, the `citus` role has some restrictions:

-* Can't create roles

-* Can't create databases

-## How to create user roles

-As mentioned, the `citus` admin account lacks permission to create user roles. To add a user role, use the Azure portal interface.

-1. On your cluster page, select the **Roles** menu item, and on the **Roles** page, select **Add**.

- :::image type="content" source="media/howto-create-users/1-role-page.png" alt-text="Screenshot that shows the Roles page.":::

-2. Enter the role name and password. Select **Save**.

- :::image type="content" source="media/howto-create-users/2-add-user-fields.png" alt-text="Screenshot that shows the Add role page.":::

-The user will be created on the coordinator node of the cluster,

-and propagated to all the worker nodes. Roles created through the Azure

-portal have the `LOGIN` attribute, which means theyΓÇÖre true users who

-can sign in to the database.

-## How to modify privileges for user roles

-New user roles are commonly used to provide database access with restricted

-privileges. To modify user privileges, use standard PostgreSQL commands, using

-a tool such as PgAdmin or psql. For more information, see [Connect to a cluster](quickstart-connect-psql.md).

-For example, to allow `db_user` to read `mytable`, grant the permission:

-```sql

-GRANT SELECT ON mytable TO db_user;

-```

-Azure Cosmos DB for PostgreSQL propagates single-table GRANT statements through the entire

-cluster, applying them on all worker nodes. It also propagates GRANTs that are

-system-wide (for example, for all tables in a schema):

-```sql

-GRANT SELECT ON ALL TABLES IN SCHEMA public TO db_user;

-```

-## How to delete a user role or change their password

-To update a user, visit the **Roles** page for your cluster,

-and select the ellipses **...** next to the user. The ellipses will open a menu

-to delete the user or reset their password.

- :::image type="content" source="media/howto-create-users/edit-role.png" alt-text="Edit a role":::

-The `citus` role is privileged and can't be deleted.

-## Next steps

-Open the firewall for the IP addresses of the new users' machines to enable

-them to connect: [Create and manage firewall rules using

-the Azure portal](howto-manage-firewall-using-portal.md).

-For more information about database user management, see PostgreSQL

-product documentation:

-* [Database Roles and Privileges](https://www.postgresql.org/docs/current/static/user-manag.html)

-* [GRANT Syntax](https://www.postgresql.org/docs/current/static/sql-grant.html)

-* [Privileges](https://www.postgresql.org/docs/current/static/ddl-priv.html)

-A reservation discount is "*use-it-or-lose-it*". So, if you don't have matching resources for any hour, then you lose a reservation quantity for that hour. You can't carry forward unused reserved hours.

-Like Reserved VM Instances, SUSE plan purchases offer instance size flexibility. This means that your discount applies even when you deploy a VM with a different vCPU count. The discount applies to different VM sizes within the software plan.

-This article is specific to EA users. Microsoft Customer Agreement (MCA) users can use similar steps to calculate their savings plan savings through invoices. However, the MCA amortized usage file doesn't contain UnitPrice (on-demand pricing) for savings plans. Other resources in the file do. For more information, see [Download usage for your Microsoft Customer Agreement](../savings-plan/utilization-cost-reports.md).

-In addition, virtual machines used with the [Azure Kubernetes Service (AKS)](https://azure.microsoft.com/products/kubernetes-service/) and [Azure Virtual Desktop (AVD)](https://azure.microsoft.com/products/virtual-desktop/) are eligible for the savings plan.

-| Alert (alertype) | Description | MITRE tactics<br>([Learn more](#intentions)) | Severity |

-| October 18 | [Releasing CIS Azure Foundations Benchmark v2.0.0 in Regulatory Compliance dashboard](#releasing-cis-azure-foundations-benchmark-v200-in-regulatory-compliance-dashboard)

-Microsoft Defender for Cloud now supports the latest [CIS Azure Security Foundations Benchmark - version 2.0.0](https://www.cisecurity.org/benchmark/azure) in the Regulatory Compliance [dashboard](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/22), as well as a built-in policy initiative in Azure Policy. The release of version 2.0.0 in Microsoft Defender for Cloud is a joint collaborative effort between Microsoft, the Center for Internet Security (CIS), and the user communities. The version 2.0.0 significantly expands assessment scope which now includes 90+ built-in Azure policies and will succeed the prior versions 1.4.0 and 1.3.0 and 1.0 in Microsoft Defender for Cloud and Azure Policy. Please refer to this [blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/microsoft-defender-cloud-now-supports-cis-azure-security/ba-p/3944860) for more details.

-Microsoft Defender Cloud now supports the latest [CIS Azure Security Foundations Benchmark - version 2.0.0](https://www.cisecurity.org/benchmark/azure) in the Regulatory Compliance [dashboard](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/22), as well as a built-in policy initiative in Azure Policy. The release of version 2.0.0 in Microsoft Defender for Cloud is a joint collaborative effort between Microsoft, the Center for Internet Security (CIS), and the user communities. The version 2.0.0 significantly expands assessment scope which now includes 90+ built-in Azure policies and will succeed the prior versions 1.4.0 and 1.3.0 and 1.0 in Microsoft Defender for Cloud and Azure Policy. Please refer to this [blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/microsoft-defender-cloud-now-supports-cis-azure-security/ba-p/3944860) for more details.

-You can now view GitHub Advanced Security for Azure DevOps (GHAzDO) alerts related to CodeQL, secrets, and dependencies in Defender for Cloud. Results will be displayed in the DevOps blade and in Recommendations. To see these results, onboard your GHAzDO-enabled repositories to Defender for Cloud.

-[Defender for Servers](#defender-for-servers)

-Announcement date: October 23, 2023

-Estimated date for change: November 23, 2023

-|**Hardware profile** | L500 |

-> This feature is supported only when using MQTT v5

-A client using Microsoft Entra ID based JWT authentication needs to be authorized to communicate with the Event Grid namespace. You can create custom roles to enable the client to communicate with Event Grid instances in your resource group, and then assign the roles to the client. You can use following two data actions to provide publish or subscribe permissions, to clients with Microsoft Entra identities, on specific topic spaces.

-**Topic spaces publish** data action

-Microsoft.EventGrid/topicSpaces/publish/action

-**Topic spaces subscribe** data action

-Microsoft.EventGrid/topicSpaces/subscribe/action

-> [!NOTE]

-> Currently, we recommend using custom roles with the actions provided.

-### Custom roles

-You can create custom roles using the publish and subscribe actions.

-The following are sample role definitions that allow you to publish and subscribe to MQTT messages. These custom roles give permissions at topic space scope. You can also create roles to provide permissions at subscription, resource group scope.

-**EventGridMQTTPublisherRole.json**: MQTT messages publish operation.

-```json

-{

- "roleName": "Event Grid namespace MQTT publisher",

- "description": "Event Grid namespace MQTT message publisher role",

- "assignableScopes": [

- "/subscriptions/<subscription ID>/resourceGroups/<resource group name>/Microsoft.EventGrid/namespaces/<namespace name>/topicSpaces/<topicspace name>"

- ],

- "permissions": [

- {

- "actions": [],

- "notActions": [],

- "dataActions": [

- "Microsoft.EventGrid/topicSpaces/publish/action"

- ],

- "notDataActions": []

- }

- ]

-}

-```

-**EventGridMQTTSubscriberRole.json**: MQTT messages subscribe operation.

-```json

-{

- "roleName": "Event Grid namespace MQTT subscriber",

- "description": "Event Grid namespace MQTT message subscriber role",

- "assignableScopes": [

- "/subscriptions/<subscription ID>/resourceGroups/<resource group name>/Microsoft.EventGrid/namespaces/<namespace name>/topicSpaces/<topicspace name>"

- ]

- "permissions": [

- {

- "actions": [],

- "notActions": [],

- "dataActions": [

- "Microsoft.EventGrid/topicSpaces/subscribe/action"

- ],

- "notDataActions": []

- }

- ]

-}

-```

-## Create custom roles

-1. Navigate to topic spaces page in your Event Grid namespace

-1. Select the topic space for which the custom RBAC role needs to be created

-1. Navigate to the Access control (IAM) page within the topic space

-1. In the Roles tab, right select any of the roles to clone a new custom role. Provide the custom role name.

-1. Switch the Baseline permissions to **Start from scratch**

-1. On the Permissions tab, select **Add permissions**

-1. In the selection page, find and select Microsoft Event Grid

- :::image type="content" source="./media/mqtt-client-azure-ad-token-and-rbac/event-grid-custom-role-permissions.png" lightbox="./media/mqtt-client-azure-ad-token-and-rbac/event-grid-custom-role-permissions.png" alt-text="Screenshot showing the Microsoft Event Grid option to find the permissions.":::

-1. Navigate to Data Actions

-1. Select **Topic spaces publish** data action and select **Add**

- :::image type="content" source="./media/mqtt-client-azure-ad-token-and-rbac/event-grid-custom-role-permissions-data-actions.png" lightbox="./media/mqtt-client-azure-ad-token-and-rbac/event-grid-custom-role-permissions-data-actions.png" alt-text="Screenshot showing the data action selection.":::

-1. Select Next to see the topic space in the Assignable scopes tab. You can add other assignable scopes if needed.

-1. Select **Create** in Review + create tab to create the custom role.

-1. Once the custom role is created, you can assign the role to an identity to provide the publish permission on the topic space. You can learn how to assign roles [here](/azure/role-based-access-control/role-assignments-portal).

-<a name='assign-the-custom-role-to-your-azure-ad-identity'></a>

-## Assign the custom role to your Microsoft Entra identity

-1. Navigate to the topic space to which you want to authorize access.

-1. Go to the Access control (IAM) page of the topic space

-1. On the Role tab, select the role that you created in the previous step.

-1. On the Members tab, select User, group, or service principal to assign the selected role to one or more service principals (applications).

-1. Select **Select members**.

-> You can follow similar steps to create and assign a custom Event Grid MQTT subscriber permission to a topic space.

- "operatorType": "`StringContains` ",

- "value": ΓÇ£ContosoΓÇ¥

- operatorType": "`StringContains` ",

- "key": "`clienttype`",

- "value": ΓÇ£sensorΓÇ¥

-* [Add a site-to-site connection to a VNet with an existing VPN gateway connection](../vpn-gateway/vpn-gateway-howto-multi-site-to-site-resource-manager-portal.md)

-Azure Firewall provides 2,496 SNAT ports per public IP address configured per backend virtual machine scale set instance (Minimum of 2 instances), and you can associate up to [250 public IP addresses](./deploy-multi-public-ip-powershell.md). Depending on your architecture and traffic patterns, you might need more than the 1,248,000 available SNAT ports with this configuration. For example, when you use it to protect large [Azure Virtual Desktop deployments](./protect-azure-virtual-desktop.md) that integrate with Microsoft 365 Apps.

-> Deploying NAT gateway with a [zone redundant firewall](deploy-availability-zone-powershell.md) is not recommended deployment option, as the NAT gateway does not support zonal deployment at this time. In order to use NAT gateway with Azure Firewall, a zonal Firewall deployment is required.

-4. Next, choose a log analytics workspace. The log analytics workspace should be the same as the Firewall attached to the policy.

-## Spark versions supported in Azure HDInsight

-Apache Spark versions supported in Azure HDIinsight

-|Apache Spark version on HDInsight|Release date|Release stage|End of life announcement date|End of standard support|End of basic support|

-|--|--|--|--|--|--|

-|2.4|July 8, 2019|End of Life Announced (EOLA)| Feb10,2023| Aug 10,2023|Feb 10,2024|

-|3.1|March 11,2022|GA |-|-|-|

-|3.3|To be announced for Public Preview|-|-|-|-|

-## Preview

-On February 27, 2023, we started rolling out a new version of HDInsight: version 5.1. This version is backward compatible with HDInsight 4.0. and 5.0. All new open-source releases will be added as incremental releases on HDInsight 5.1.

-All upgraded cluster shapes are supported as part of HDInsight 5.1.

-| Apache Spark | 3.3.1 ** | 3.1.3 |

-| Apache Hive | 3.1.2 ** | 3.1.2 |

-| Apache Kafka | 3.2.0 ** | 2.4.1 |

-| Apache Hadoop | 3.3.4 ** | 3.1.1 |

-| Apache Tez | 0.9.1 ** | 0.9.1 |

-| Apache Ranger | 2.3.0 ** | 1.1.0 |

-| Apache HBase | 2.4.11 ** | 2.1.6 |

-| Apache Oozie | 5.2.1 ** | 4.3.1 |

-| Apache ZooKeeper | 3.6.3 ** | 3.4.6 |

-| Apache Livy | 0.5. ** | 0.5 |

-| Apache Ambari | 2.7.3 ** | 2.7.3 |

-| Apache Zeppelin | 0.10.1 ** | 0.8.0 |

-| Apache Phoenix | 5.1.2 ** | - |

-** Preview

-### Spark versions supported in Azure HDInsight

-Azure HDInsight supports the following Apache Spark versions.

-|Apache Spark version on HDInsight|Release date|Release stage|End-of-life announcement date|End of standard support|End of basic support|

-|--|--|--|--|--|--|

-|2.4|July 8, 2019|End of life announced (EOLA)| February 10, 2023| August 10, 2023|February 10, 2024|

-|3.1|March 11, 2022|General availability |-|-|-|

-|3.3|Available for preview|-|-|-|-|

-**Support expiration** means that Microsoft no longer provides support for the specific HDInsight version. You may not be able to create clusters from the Azure portal.

-End of support for Azure HDInsight clusters on Spark 2.4 February 10, 2024. For more information, see [Spark versions supported in Azure HDInsight](./hdinsight-40-component-versioning.md#spark-versions-supported-in-azure-hdinsight)

-1. Go to **Script actions** in your cluster and select **Submit now** to start the process of creating a script action.

-> [!IMPORTANT]

-> Bundle parallel processing is currently in public preview. Preview APIs and SDKs are provided without a service-level agreement. We recommend that you don't use them for production workloads. Some features might not be supported, or they might have constrained capabilities. For more information, review Supplemental Terms of Use for Microsoft Azure Previews

-> Azure App Service certificate configuration through Azure Portal does not support Key Vault RBAC permission model. You can use Azure PowerShell, Azure CLI, ARM template deployments with **Key Vault Secrets User** and **Key Vault Reader** role assignemnts for 'Microsoft Azure App Service' global indentity.

->On September 30, 2025, default outbound access for new deployments will be retired. For more information, see the [official announcement](https://azure.microsoft.com/updates/upgrade-to-standard-sku-public-ip-addresses-in-azure-by-30-september-2025-basic-sku-will-be-retired/). It is reccomended to use one the explict forms of connectivity as shown in options 1-3 above.

-description: In this tutorial, deploy an Azure Load Balancer with more than one availability set in the backend pool.

-> * Create a virtual network and a network security group

-## Create a virtual network

-In this section, you'll create a virtual network for the load balancer and the other resources used in the tutorial.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. In the search box at the top of the portal, enter **Virtual network**.

-1. In the search results, select **Virtual networks**.

-1. Select **+ Create**.

-1. In the **Basics** tab of the **Create virtual network**, enter, or select the following information:

- | Setting | Value |

- | - | |

- | **Project details** | |

- | Subscription | Select your subscription. |

- | Resource group | Select **Create new**. </br> Enter **myResourceGroup** in **Name**. |

- | **Instance details** | |

- | Name | Enter **myVNet**. |

- | Region | Select **(US) West US 2**. |

-1. Select the **IP addresses** tab, or the **Next: Security** and **Next: IP Addresses** buttons at the bottom of the page.

-1. In the **IP Addresses** tab, enter this information:

- | Setting | Value |

- |--|-|

- | IPv4 address space | Enter **10.0.0.0** and choose **/16 (65,536 addresses)** |

-1. Select **default** under **Subnets**.

-1. Under **Subnet details**, enter **myBackendSubnet** for **Name**.

-1. In **Add subnet**, enter this information:

- | Setting | Value |

- | -- | - |

- | Subnet address range | Enter **10.1.0.0/24** |

-1. Select **Save**.

-1. Select the **Review + create** tab, or the blue **Review + create** button at the bottom of the page.

-1. Select **Create**.

-## Create a network security group

-In this section, you'll create a network security group for the virtual machines in the backend pool of the load balancer. The NSG will allow inbound traffic on port 80.

-1. In the search box at the top of the portal, enter **Network security group**.

-1. Select **Network security groups** in the search results.

-1. Select **+ Create** or **Create network security group** button.

-1. On the **Basics** tab, enter or select this information:

- | Setting | Value |

- | - | -- |

- | **Project details** | |

- | Subscription | Select your subscription. |

- | Resource group | Select **myResourceGroup**. |

- | **Instance details** | |

- | Name | Enter **myNSG**. |

- | Region | Select **(US) West US 2**. |

-1. Select *Review + create* tab, or select the blue **Review + create** button at the bottom of the page.

-1. Select **Create**.

-1. When deployment is complete, select **Go to resource**.

-1. In the **Settings** section of the **myNSG** page, select **Inbound security rules**.

-1. Select **+ Add**.

-1. In the **Add inbound security rule** window, enter or select the following information:

- | Setting | Value |

- | - | -- |

- | Source | Select **Any**. |

- | Source port ranges | Enter **\***. |

- | Destination | Select **Any**. |

- | Service | Select **HTTP**. |

- | Action | Select **Allow**. |

- | Priority | Enter **100**. |

- | Name | Enter **allowHTTPrule**. |

-1. Select **Add**.

-## Create NAT gateway

-In this section, you'll create a NAT gateway for outbound connectivity of the virtual machines.

-1. In the search box at the top of the portal, enter **NAT gateway**.

-1. Select **NAT gateway** in the search results.

-1. Select **+ Create** or **Create NAT Gateway** button.

-1. In the **Basics** tab of **Create network address translation (NAT) gateway**, enter or select the following information:

- | Setting | Value |

- | - | -- |

- | **Project details** | |

- | Subscription | Select your subscription. |

- | Resource group | Select **myResourceGroup**. |

- | **Instance details** | |

- | NAT gateway name | Enter **myNATgateway**. |

- | Region | Select **(US) West US 2**. |

- | Availability zone | Select **No Zone**. |

- | Idle timeout (minutes) | Enter **15**. |

-1. Select the **Outbound IP** tab, or select the **Next: Outbound IP** button at the bottom of the page.

-1. Select **Create a new public IP address** next to **Public IP addresses** in the **Outbound IP** tab.

-1. Enter **myNATgatewayIP** in **Name**.

-1. Select **OK**.

-1. Select the **Subnet** tab, or select the **Next: Subnet** button at the bottom of the page.

-1. Select **myVNet** in the pull-down menu under **Virtual network**.

-1. Select the check box next to **myBackendSubnet**.

-1. Select the **Review + create** tab, or select the blue **Review + create** button at the bottom of the page.

-1. Select **Create**.

-## Create load balancer

-In this section, you'll create a load balancer for the virtual machines.

-1. In the search box at the top of the portal, enter **Load balancer**. Select **Load balancers** in the search results.

-1. In the **Load balancer** page, select **Create** or the **Create load balancer** button.

-1. In the **Basics** tab of the **Create load balancer** page, enter, or select the following information:

- | Setting | Value |

- | | |

- | **Project details** | |

- | Subscription | Select your subscription. |

- | Resource group | Select **myResourceGroup**. |

- | **Instance details** | |

- | Name | Enter **myLoadBalancer** |

- | Region | Select **(US) West US 2**. |

- | SKU | Leave the default **Standard**. |

- | Type | Select **Public**. |

- | Tier | Leave the default **Regional**. |

-1. Select the **Frontend IP configuration** tab, or select the **Next: Frontend IP configuration** button at the bottom of the page.

-1. In **Frontend IP configuration**, select **+ Add a frontend IP configuration**.

-1. Enter **myLoadBalancerFrontEnd** in **Name**.

-1. Select **IPv4** or **IPv6** for the **IP version**.

- > [!NOTE]

- > IPv6 isn't currently supported with Routing Preference or Cross-region load-balancing (Global Tier).

-1. Select **IP address** for the **IP type**.

- > [!NOTE]

- > For more information on IP prefixes, see [Azure Public IP address prefix](../virtual-network/ip-services/public-ip-address-prefix.md).

-1. Select **Create new** in **Public IP address**.

-1. In **Add a public IP address**, enter **myPublicIP-lb** for **Name**.

-1. Select **Zone-redundant** in **Availability zone**.

- > [!NOTE]

- > In regions with [Availability Zones](../availability-zones/az-overview.md?toc=%2fazure%2fvirtual-network%2ftoc.json#availability-zones), you have the option to select no zone (default option), a specific zone, or zone-redundant. The choice will depend on your specific domain failure requirements. In regions without Availability Zones, this field won't appear. </br> For more information on availability zones, see [Availability zones overview](../availability-zones/az-overview.md).

-1. Select **OK**.

-1. Select **Add**.

-1. Select the **Next: Backend pools>** button at the bottom of the page.

-1. In the **Backend pools** tab, select **+ Add a backend pool**.

-1. Enter **myBackendPool** for **Name** in **Add backend pool**.

-1. Select **myVNet** in **Virtual network**.

-1. Select **IP Address** for **Backend Pool Configuration** and select **Save**.

-1. Select the **Inbound rules** tab, or select the **Next: Inbound rules** button at the bottom of the page.

-1. In **Load balancing rule** in the **Inbound rules** tab, select **+ Add a load balancing rule**.

-1. In **Add load balancing rule**, enter or select the following information:

- | Setting | Value |

- | - | -- |

- | Name | Enter **myHTTPRule** |

- | IP Version | Select **IPv4** or **IPv6** depending on your requirements. |

- | Frontend IP address | Select **myLoadBalancerFrontEnd**. |

- | Backend pool | Select **myBackendPool**. |

- | Protocol | Select **TCP**. |

- | Port | Enter **80**. |

- | Backend port | Enter **80**. |

- | Health probe | Select **Create new**. </br> In **Name**, enter **myHealthProbe**. </br> Select **HTTP** in **Protocol**. </br> Leave the rest of the defaults, and select **Save**. |

- | Session persistence | Select **None**. |

- | Idle timeout (minutes) | Enter **15**. |

- | Enable TCP reset | Select checkbox. |

- | Enable Floating IP | Select checkbox. |

- | Outbound source network address translation (SNAT) | Leave the default of **(Recommended) Use outbound rules to provide backend pool members access to the internet.** |

-1. Select **Save**.

-1. Select the blue **Review + create** button at the bottom of the page.

-1. Select **Create**.

- > [!NOTE]

- > In this example we created a NAT gateway to provide outbound Internet access. The outbound rules tab in the configuration is bypassed as it's optional and isn't needed with the NAT gateway. For more information on Azure NAT gateway, see [What is Azure Virtual Network NAT?](../virtual-network/nat-gateway/nat-overview.md)

- > For more information about outbound connections in Azure, see [Source Network Address Translation (SNAT) for outbound connections](../load-balancer/load-balancer-outbound-connections.md)

-In this section, you'll create two availability groups with two virtual machines per group. These machines will be added to the backend pool of the load balancer during creation.

- | Resource group | Select **myResourceGroup**. |

- | Virtual machine name | Enter **myVM1**. |

- | Region | Select **(US) West US 2**. |

- | Availability set | Select **Create new**. </br> Enter **myAvailabilitySet1** in **Name**. </br> Select **OK**. |

- | Virtual network | Select **myVNet**. |

- | Subnet | Select **myBackendSubnet**. |

- | Select a load balancer | Select **myLoadBalancer**. |

- | Select a backend pool | Select **myBackendPool**. |

- | Configure network security group | Select **Create new**. </br> In the **Create network security group**, enter **myNSG** in **Name**. </br> Under **Inbound rules**, select **+Add an inbound rule**. </br> Under **Service**, select **HTTP**. </br> Under **Priority**, enter **100**. </br> In **Name**, enter **myNSGRule** </br> Select **Add** </br> Select **OK** |

- | Name | Enter **myVM2**. |

- | Availability set | Select **myAvailabilitySet1**. |

- | Virtual Network | Select **myVNet**. |

- | Subnet | Select **myBackendSubnet**. |

- | Select a load balancer | Select **myLoadBalancer**. |

- | Select a backend pool | Select **myBackendPool**. |

- | Configure network security group | Select **myNSG**. |

- | Resource group | Select **myResourceGroup**. |

- | Virtual machine name | Enter **myVM3**. |

- | Region | Select **(US) West US 2**. |

- | Availability set | Select **Create new**. </br> Enter **myAvailabilitySet2** in **Name**. </br> Select **OK**. |

- | Virtual network | Select **myVNet**. |

- | Subnet | Select **myBackendSubnet**. |

- | Select a load balancer | Select **myLoadBalancer**. |

- | Select a backend pool | Select **myBackendPool**. |

- | Configure network security group | Select **myNSG**. |

- | Name | Enter **myVM4**. |

- | Availability set | Select **myAvailabilitySet2**. |

- | Virtual Network | Select **myVM3**. |

- | Select a load balancer | Select **myLoadBalancer**. |

- | Select a backend pool | Select **myBackendPool**. |

- | Configure network security group | Select **myNSG**. |

-In this section, you'll use the Azure Bastion host you created previously to connect to the virtual machines and install IIS.

-1. Select **myVM1**.

-1. Under **Operations** in the left-side menu, select **Run command > RunPowerShellScript**.

-1. Repeat steps 1 through 8 for **myVM2**, **myVM3**, and **myVM4**.

-In this section, you'll discover the public IP address of the load balancer. You'll use the IP address to test the operation of the load balancer.

-1. Select **myPublicIP-lb**.

-1. Note the public IP address listed in **IP address** in the **Overview** page of **myPublicIP-lb**:

-1. Select **myResourceGroup**.

-1. In the overview page of **myResourceGroup**, select **Delete resource group**.

-1.Select **Apply force delete for selected Virtual Machines and Virtual machine scale sets**.

-1. Enter **myResourceGroup** in **Enter resource group name to confirm deletion**.

-1. Create a secret to use for authentication as explained at [Option 32: Create a new client secret](../active-directory/develop/howto-create-service-principal-portal.md#option-3-create-a-new-client-secret).

-| Max request time-out at endpoint level | 90 seconds | - |

-tbl.save(save_path_dirc= "azureml://subscriptions/<subid>/resourcegroups/<rgname>/workspaces/<wsname>/datastores/<name>/paths/titanic", collocated=True, show_progress=True, allow_copy_errors=False, overwrite=True)

-> - If collocated == True, then we will copy the data to the same folder with MLTable yaml file if they are not currently collocated, and we will use relative paths in MLTable yaml.

-> - If collocated == False, we will not move the data and we will use absolute paths for cloud data and use relative paths for local data.

-> - We donΓÇÖt support this parameter combination: data is in local, collocated == False, `save_path_dirc` is a cloud directory. Please upload your local data to cloud and use the cloud data paths for MLTable instead.

-> - Parameters `show_progress` (default as True), `allow_copy_errors` (default as False), `overwrite`(default as True) are optional.

-description: Introduction to the Prompt flow community ecosystem, which includes the SDK and VS Code extension.

-# Prompt Flow community ecosystem (preview)

-The Prompt Flow community ecosystem aims to provide a comprehensive set of tools and resources for developers who want to leverage the power of Prompt Flow to experimentally tune their prompts and develop their LLM-based application in a local environment. This article goes through the key components of the ecosystem, including the **Prompt Flow SDK** and the **VS Code extension**.

-The Prompt Flow SDK/CLI empowers developers to use code manage credentials, initialize flows, develop flows, and execute batch testing and evaluation of prompt flows locally.

-To get started with the Prompt Flow SDK, explore and follow the [SDK quick start notebook](https://github.com/microsoft/promptflow/blob/main/examples/tutorials/get-started/quickstart.ipynb) in steps.

-To get started with the Prompt Flow VS Code extension, navigate to the extension marketplace to install and read the details tab.

-After successful development and testing of your prompt flow within our community ecosystem, the subsequent step you're considering may involve transitioning to a production-grade LLM application. We recommend Azure Machine Learning for this phase to ensure security, efficiency, and scalability.

-The prompt flow community ecosystem empowers developers to build interactive and dynamic prompts with ease. By using the Prompt Flow SDK and the VS Code extension, you can create compelling user experiences and fine-tune your prompts in a local environment.

-| `request_timeout_ms` | integer | The scoring timeout in milliseconds. Note that the maximum value allowed is `90000` milliseconds. See [Managed online endpoint quotas](how-to-manage-quotas.md#azure-machine-learning-managed-online-endpoints) for more. | `5000` |

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/Enable materialization and backfill feature data.ipynb?name=start-spark-session)]

-[!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/Enable materialization and backfill feature data.ipynb?name=root-dir)]

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_and_cli/Enable materialization and backfill feature data.ipynb?name=install-ml-ext-cli)]

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_and_cli/Enable materialization and backfill feature data.ipynb?name=auth-cli)]

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_and_cli/Enable materialization and backfill feature data.ipynb?name=set-default-subs-cli)]

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/Enable materialization and backfill feature data.ipynb?name=init-ws-crud-client)]

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/Enable materialization and backfill feature data.ipynb?name=init-fs-crud-client)]

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/Enable materialization and backfill feature data.ipynb?name=init-fs-core-sdk)]

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/Enable materialization and backfill feature data.ipynb?name=setup-utility-fns)]

-[!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/Enable materialization and backfill feature data.ipynb?name=set-offline-store-params)]

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/Enable materialization and backfill feature data.ipynb?name=create-new-storage)]

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_and_cli/Enable materialization and backfill feature data.ipynb?name=create-new-storage)]

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_and_cli/Enable materialization and backfill feature data.ipynb?name=create-new-storage-container)]

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_and_cli/Enable materialization and backfill feature data.ipynb?name=set-container-arm-id-cli)]

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/Enable materialization and backfill feature data.ipynb?name=use-existing-storage)]

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_and_cli/Enable materialization and backfill feature data.ipynb?name=use-existing-storage)]

-[!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/Enable materialization and backfill feature data.ipynb?name=set-uai-params)]

-[!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/Enable materialization and backfill feature data.ipynb?name=create-new-uai)]

-[!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/Enable materialization and backfill feature data.ipynb?name=use-existing-uai)]

-[!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_and_cli/Enable materialization and backfill feature data.ipynb?name=retrieve-uai-properties)]

-[!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/Enable materialization and backfill feature data.ipynb?name=grant-rbac-to-uai)]

-[!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_and_cli/Enable materialization and backfill feature data.ipynb?name=grant-rbac-to-uai-fs)]

-[!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_and_cli/Enable materialization and backfill feature data.ipynb?name=grant-rbac-to-uai-offline-store)]

-[!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/Enable materialization and backfill feature data.ipynb?name=grant-rbac-to-user-identity)]

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/Enable materialization and backfill feature data.ipynb?name=enable-offline-store)]

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_and_cli/Enable materialization and backfill feature data.ipynb?name=dump_featurestore_yaml)]

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_and_cli/Enable materialization and backfill feature data.ipynb?name=enable-offline-store)]

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/Enable materialization and backfill feature data.ipynb?name=enable-offline-mat-txns-fset)]

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_and_cli/Enable materialization and backfill feature data.ipynb?name=enable-offline-mat-txns-fset)]

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/Enable materialization and backfill feature data.ipynb?name=dump-txn-fset-yaml)]

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/Enable materialization and backfill feature data.ipynb?name=backfill-txns-fset)]

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/Enable materialization and backfill feature data.ipynb?name=sample-txns-fset-data)]

-[!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/1. Develop a feature set and register with managed feature store.ipynb?name=start-spark-session)]

-[!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/1. Develop a feature set and register with managed feature store.ipynb?name=root-dir)]

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_and_cli/1. Develop a feature set and register with managed feature store.ipynb?name=install-ml-ext-cli)]

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_and_cli/1. Develop a feature set and register with managed feature store.ipynb?name=auth-cli)]

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_and_cli/1. Develop a feature set and register with managed feature store.ipynb?name=set-default-subs-cli)]

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/1. Develop a feature set and register with managed feature store.ipynb?name=fs-params)]

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/1. Develop a feature set and register with managed feature store.ipynb?name=create-fs)]

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_and_cli/1. Develop a feature set and register with managed feature store.ipynb?name=create-fs-cli)]

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/1. Develop a feature set and register with managed feature store.ipynb?name=init-fs-core-sdk)]

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/1. Develop a feature set and register with managed feature store.ipynb?name=explore-txn-src-data)]

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/1. Develop a feature set and register with managed feature store.ipynb?name=develop-txn-fset-locally)]

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/1. Develop a feature set and register with managed feature store.ipynb?name=dump-transactions-fs-spec)]

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/1. Develop a feature set and register with managed feature store.ipynb?name=init-fset-crud-client)]

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/1. Develop a feature set and register with managed feature store.ipynb?name=register-acct-entity)]

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_and_cli/1. Develop a feature set and register with managed feature store.ipynb?name=register-acct-entity-cli)]

-[!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/1. Develop a feature set and register with managed feature store.ipynb?name=register-txn-fset)]

-[!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_and_cli/1. Develop a feature set and register with managed feature store.ipynb?name=register-txn-fset-cli)]

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/1. Develop a feature set and register with managed feature store.ipynb?name=load-obs-data)]

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/1. Develop a feature set and register with managed feature store.ipynb?name=get-txn-fset)]

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/1. Develop a feature set and register with managed feature store.ipynb?name=print-txn-fset-sample-values)]

- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/1. Develop a feature set and register with managed feature store.ipynb?name=select-features-and-gen-training-data)]

-2. The `networkcloud` cli extension is required. If the `networkcloud` extension isn't installed, it can be installed following the steps listed [here](https://github.com/MicrosoftDocs/azure-docs-pr/blob/main/articles/operator-nexus/howto-install-cli-extensions.md).

-Workloads may be impacted while the worker nodes in a rack is in the process of being upgraded, however workloads in all other racks will not be impacted. Consideration of workload placement in light of this implementation design is encouraged.

-During a runtime upgrade it's possible that the upgrade fails to move forward but the detail status reflects that the upgrade is still ongoing. **Because the runtime upgrade may take a very long time to successfully finish, there is no set timeout length currently specified**.

-From here, we recommend checking Cluster logs or configured LAW, to see if there is a failure, or a specific upgrade that is causing the lack of progress.

-If a hardware failure occurs, and the runtime upgrade has failed because thresholds weren't met for compute and control nodes, re-execution of the runtime upgrade may be needed depending on when the failure occurred and the state of the individual servers in a rack. If a rack was updated before a failure, then the upgraded runtime version would be used when the nodes are reprovisioned.

-### After a runtime upgrade the cluster shows "Failed" Provisioning State

-During a runtime upgrade the cluster will enter a state of `Upgrading` In the event of a failure of the runtime upgrade, for reasons related to the resources, the cluster will go into a `Failed` provisioning state. This state could be linked to the lifecycle of the components related to the cluster (e.g StorageAppliance) and may be necessary to diagnose the failure with Microsoft support.

-You can enforce this behavior by creating a dedicated system node pool. Use the `CriticalAddonsOnly=true:NoSchedule` taint to prevent application pods from being scheduled on system node pools. If you intend to use the system pool for application pods (not dedicated), do not apply any application specific taints to the pool, as this can cause cluster creation to fail.

-* Change the default value for the `max_connections` parameter using server parameter. This parameter is static and will require an instance restart.

-When using PostgreSQL for a busy database with a large number of concurrent connections, there may be a significant strain on resources. This strain can result in high CPU utilization, particularly when many connections are established simultaneously and when connections have short durations (less than 60 seconds). These factors can negatively impact overall database performance by increasing the time spent on processing connections and disconnections. It's important to note that each connection in Postgres, regardless of whether it is idle or active, consumes a significant amount of resources from your database. This can lead to performance issues beyond high CPU utilization, such as disk and lock contention, which are discussed in more detail in the PostgreSQL Wiki article on the [Number of Database Connections](https://wiki.postgresql.org/wiki/Number_Of_Database_Connections). To learn more about identifying and solving connection performance issues in Azure Database for Postgres, visit our [Identify and solve connection performance in Azure Postgres](https://techcommunity.microsoft.com/t5/azure-database-for-postgresql/identify-and-solve-connection-performance-in-azure-postgres/ba-p/3698375).

-When a server is dropped, the database server backup is retained for five days in the service. The database backup can be accessed and restored only from the Azure subscription where the server originally resided. The following recommended steps can be followed to recover a dropped PostgreSQL server resource within five days from the time of server deletion. The recommended steps work only if the backup for the server is still available and not deleted from the system.

-ora2pg -t COPY -o data.sql -b %namespace/data -c %namespace/config/ora2pg.conf

-> | [Key Vault Data Access Administrator (preview)](#key-vault-data-access-administrator-preview) | Add or remove key vault data plane role assignments and read resources of all types, except secrets. Includes an ABAC condition to constrain role assignments. | 8b54135c-b56d-4d72-a534-26097cfdc8d8 |

-Add or remove key vault data plane role assignments and read resources of all types, except secrets. Includes an ABAC condition to constrain role assignments.

- "description": "Add or remove key vault data plane role assignments and read resources of all types, except secrets. Includes an ABAC condition to constrain role assignments.",

- "Microsoft.Support/*"

-| `maximumPageLength` | Only applies if `textSplitMode` is set to `pages`. This parameter refers to the maximum page length in characters as measured by `String.Length`. The minimum value is 300, the maximum is 50000, and the default value is 5000. The algorithm does its best to break the text on sentence boundaries, so the size of each chunk may be slightly less than `maximumPageLength`. |

-| `pageOverlapLength` | Only applies if `textSplitMode` is set to `pages`. If it's specificied (needs to be >= 0), (n+1)th page starts with this number of characters from the end of the nth page. If it's set to 0, it should behave the same as if this value isn't set. |

-| `maximumPagesToTake` | Only applies if `textSplitMode` is set to `pages`. Number of pages to return. Default (0) to all pages. It can be used if only a partial number of pages is needed.

-| `defaultLanguageCode` | (optional) One of the following language codes: `am, bs, cs, da, de, en, es, et, fr, he, hi, hr, hu, fi, id, is, it, ja, ko, lv, no, nl, pl, pt-PT, pt-BR, ru, sk, sl, sr, sv, tr, ur, zh-Hans`. Default is English (en). Few things to consider:<ul><li>Providing a language code is useful to avoid cutting a word in half for nonwhitespace languages such as Chinese, Japanese, and Korean.</li><li>If you don't know the language (that is, you need to split the text for input into the [LanguageDetectionSkill](cognitive-search-skill-language-detection.md)), the default of English (en) should be sufficient. </li></ul> |

-| `languageCode` | (Optional) Language code for the document. If you don't know the language (that is, you need to split the text for input into the [LanguageDetectionSkill](cognitive-search-skill-language-detection.md)), it's safe to remove this input. If the language isn't in the supported list for the `defaultLanguageCode` parameter above, a warning is emitted and the text won't be split. |

- "pageOverlapLength": 100,

- "maximumPagesToTake": 1,

- "This is the loan...Here is the overlap part...",

- "Here is the overlap part...On the second page we..."

- "This is the second document...Here is the overlap part...",

- "Here is the overlap part...On the second page of the second doc..."

-+ If a language isn't supported, a warning is generated.

-Your security organization needs visibility to assess risk and to determine whether the policies of your organization, and any regulatory requirements, are being followed. You should ensure that your security organization has visibility into all subscriptions connected to your production environment and network (via [Azure ExpressRoute](../../expressroute/expressroute-introduction.md) or [site-to-site VPN](../../vpn-gateway/vpn-gateway-howto-multi-site-to-site-resource-manager-portal.md)). A [Global Administrator](../../active-directory/roles/permissions-reference.md#global-administrator) in Microsoft Entra ID can elevate their access to the [User Access Administrator](../../role-based-access-control/built-in-roles.md#user-access-administrator) role and see all subscriptions and managed groups connected to your environment.

-There are multiple options for requiring two-step verification. The best option for you depends on your goals, the Microsoft Entra edition youΓÇÖre running, and your licensing program. See [How to require two-step verification for a user](../../active-directory/authentication/howto-mfa-userstates.md) to determine the best option for you. See the [Microsoft Entra ID](https://azure.microsoft.com/pricing/details/active-directory/) and [Microsoft Entra multifactor Authentication](https://azure.microsoft.com/pricing/details/multi-factor-authentication/) pricing pages for more information about licenses and pricing.

-* [Site-to-site VPN](../../vpn-gateway/vpn-gateway-howto-multi-site-to-site-resource-manager-portal.md). It's a trusted, reliable, and established technology, but the connection takes place over the internet. Bandwidth is constrained to a maximum of about 1.25 Gbps. Site-to-site VPN is a desirable option in some scenarios.

-## CyberPion

-description: "Learn how to install the connector Cisco ASA/FTD via AMA (Preview) to connect your data source to Microsoft Sentinel."

-# Cisco ASA/FTD via AMA (Preview) connector for Microsoft Sentinel

-The Cisco ASA firewall connector allows you to easily connect your Cisco ASA logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities.

-## Connector attributes

-| Connector attribute | Description |

-| | |

-| **Log Analytics table(s)** | CommonSecurityLog<br/> |

-| **Data collection rules support** | [Workspace transform DCR](/azure/azure-monitor/logs/tutorial-workspace-transformations-portal) |

-| **Supported by** | [Microsoft Corporation](https://support.microsoft.com/) |

-## Query samples

-**All logs**

- ```kusto

-CommonSecurityLog

- | where DeviceVendor == "Cisco"

- | where DeviceProduct == "ASA"

-

- | sort by TimeGenerated

- ```

-## Prerequisites

-To integrate with Cisco ASA/FTD via AMA (Preview) make sure you have:

-## Vendor installation instructions

-Enable data collection ruleΓÇï

-> Cisco ASA/FTD event logs are collected only from **Linux** agents.

-Run the following command to install and apply the Cisco ASA/FTD collector:

-```

- sudo wget -O Forwarder_AMA_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Forwarder_AMA_installer.py&&sudo python Forwarder_AMA_installer.py

-```

-## Next steps

-For more information, go to the [related solution](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/azuresentinel.azure-sentinel-solution-ciscoasa?tab=Overview) in the Azure Marketplace.

- > This data connector depends on a parser based on a Kusto Function to work as expected. Follow the steps for each Parser to create the Kusto Functions alias : [**ExchangeConfiguration**](https://aka.ms/sentinel-ESI-ExchangeConfiguration-Online-parser) and [**ESI_ExchConfigAvailableEnvironments**](https://aka.ms/sentinel-ESI-ExchangeEnvironmentList-Online-parser)

-| **Supported by** | [Holm Security](https://support.holmsecurity.com/hc/en-us) |

-net_assets_Cl

-web_assets_Cl

- [Follow these instructions](https://support.holmsecurity.com/hc/en-us/articles/360027651591-How-do-I-set-up-an-API-token-) to create an API authentication token.

-**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias ISCBind and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ISC%20Bind/Parsers/ISCBind.txt).The function usually takes 10-15 minutes to activate after solution installation/update.

-The NXLog DNS Logs data connector uses Event Tracing for Windows ([ETW](/windows/apps/trace-processing/overview)) for collecting both Audit and Analytical DNS Server events. The [NXLog *im_etw* module](https://nxlog.co/documentation/nxlog-user-guide/im_etw.html) reads event tracing data directly for maximum efficiency, without the need to capture the event trace into an .etl file. This REST API connector can forward DNS Server events to Microsoft Sentinel in real time.

-| **Supported by** | [NXLog](https://nxlog.co/user?destination=node/add/support-ticket) |

-Follow the step-by-step instructions in the *NXLog User Guide* Integration Topic [Microsoft Sentinel](https://nxlog.co/documentation/nxlog-user-guide/sentinel.html) to configure this connector.

-description: "Learn how to install the connector Okta Single Sign-On (using Azure Functions) to connect your data source to Microsoft Sentinel."

-# Okta Single Sign-On (using Azure Functions) connector for Microsoft Sentinel

-The [Okta Single Sign-On (SSO)](https://www.okta.com/products/single-sign-on/) connector provides the capability to ingest audit and event logs from the Okta API into Microsoft Sentinel. The connector provides visibility into these log types in Microsoft Sentinel to view dashboards, create custom alerts, and to improve monitoring and investigation capabilities.

-## Connector attributes

-| Connector attribute | Description |

-| | |

-| **Azure functions app code** | https://aka.ms/sentineloktaazurefunctioncodev2 |

-| **Log Analytics table(s)** | Okta_CL<br/> |

-| **Data collection rules support** | Not currently supported |

-| **Supported by** | [Microsoft Corporation](https://support.microsoft.com) |

-## Query samples

-**Top 10 Active Applications**

- ```kusto

- Okta_CL

- | mv-expand todynamic(target_s)

- | where target_s.type == "AppInstance"

- | summarize count() by tostring(target_s.alternateId)

- | top 10 by count_

- ```

-**Top 10 Client IP Addresses**

- ```kusto

- Okta_CL

- | summarize count() by client_ipAddress_s

- | top 10 by count_

- ```

-## Prerequisites

-To integrate with Okta Single Sign-On (using Azure Function), make sure you have the following prerequisites:

-## Vendor installation instructions

-> [!NOTE]

-> This connector uses Azure Functions to connect to Okta SSO to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.

-> [!NOTE]

-> This connector has been updated. If you have previously deployed an earlier version, and want to update, please delete the existing Okta Azure Function before redeploying this version.

->**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App.

-**STEP 1 - Configuration steps for the Okta SSO API**

- [Follow these instructions](https://developer.okta.com/docs/guides/create-an-api-token/create-the-token/) to create an API Token.

- > [!NOTE]

- > For more information on the rate limit restrictions enforced by Okta, see **[OKTA developer reference documentation](https://developer.okta.com/docs/reference/rl-global-mgmt/)**.

-**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**

-> [!IMPORTANT]

-> Before deploying the Okta SSO connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Okta SSO API Authorization Token, readily available.

-### Option 1 - Azure Resource Manager (ARM) Template

-This method provides an automated deployment of the Okta SSO connector using an ARM Template.

-1. Select the following **Deploy to Azure** button.

- [](https://aka.ms/sentineloktaazuredeployv2-solution)

-2. Select the preferred **Subscription**, **Resource Group** and **Location**.

-3. Enter the **Workspace ID**, **Workspace Key**, **API Token** and **URI**.

- Use the following schema for the `uri` value: `https://<OktaDomain>/api/v1/logs?since=` Replace `<OktaDomain>` with your domain. [Click here](https://developer.okta.com/docs/reference/api-overview/#url-namespace) for further details on how to identify your Okta domain namespace. There's no need to add a time value to the URI. The Function App will dynamically append the initial start time of logs to UTC 0:00 for the current UTC date as a time value to the URI in the proper format.

- > [!NOTE]

- > If using Azure Key Vault secrets for any of the preceding values, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](/azure/app-service/app-service-key-vault-references) for further details.

-4. Mark the checkbox labeled **I agree to the terms and conditions stated above**.

-

-5. Select **Purchase** to deploy.

-### Option 2 - Manual Deployment of Azure Functions

-Use the following step-by-step instructions to deploy the Okta SSO connector manually with Azure Functions.

-**1. Create a Function App**

-1. From the Azure portal, navigate to [Function App](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Web%2Fsites/kind/functionapp), and select **+ Add**.

-2. In the **Basics** tab, ensure Runtime stack is set to **Powershell Core**.

-3. In the **Hosting** tab, ensure the **Consumption (Serverless)** plan type is selected.

-4. Make other preferable configuration changes, if needed, then click **Create**.

-**2. Import Function App Code**

-1. In the newly created Function App, select **Functions** on the left pane and click **+ Add**.

-2. Select **Timer Trigger**.

-3. Enter a unique Function **Name** and change the default cron schedule to every 10 minutes, then click **Create**.

-4. Click on **Code + Test** on the left pane.

-5. Copy the [Function App Code](https://aka.ms/sentineloktaazurefunctioncodev2) and paste into the Function App `run.ps1` editor.

-5. Click **Save**.

-**3. Configure the Function App**

-1. In the Function App, select the Function App Name and select **Configuration**.

-2. In the **Application settings** tab, select **+ New application setting**.

-3. Add each of the following five (5) application settings individually, with their respective string values (case-sensitive):

- - apiToken

- - workspaceID

- - workspaceKey

- - uri

- - logAnalyticsUri (optional)

- Use the following schema for the `uri` value: `https://<OktaDomain>/api/v1/logs?since=` Replace `<OktaDomain>` with your domain. For more information on how to identify your Okta domain namespace, see the [Okta Developer reference](https://developer.okta.com/docs/reference/api-overview/#url-namespace). There's no need to add a time value to the URI. The Function App dynamically appends the initial start time of logs to UTC 0:00 (for the current UTC date) as a time value to the URI in the proper format.

-

- > [!NOTE]

- > If using Azure Key Vault secrets for any of the preceding values, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](/azure/app-service/app-service-key-vault-references) for further details.

-

- Use logAnalyticsUri to override the log analytics API endpoint for a dedicated cloud. For example, for the public cloud, leave the value empty; for the Azure GovUS cloud environment, specify the value in the following format: `https://<CustomerId>.ods.opinsights.azure.us`.

-

-5. Once all application settings have been entered, click **Save**.

-## Next steps

-For more information, go to the [related solution](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/azuresentinel.azure-sentinel-solution-okta?tab=Overview) in the Azure Marketplace.

-| **Application settings** | OneLoginBearerToken<br/>WorkspaceID<br/>WorkspaceKey<br/>logAnalyticsUri (optional) |

-| **Azure function app code** | https://aka.ms/sentinel-OneLogin-functionapp |

-Option 1 - Azure Resource Manager (ARM) Template

-Use this method for automated deployment of the OneLogin data connector using an ARM Template.

-1. Click the **Deploy to Azure** button below.

- [](https://aka.ms/sentinel-OneLogin-azuredeploy)

-2. Select the preferred **Subscription**, **Resource Group** and **Location**.

-> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group.

-3. Enter the **OneLoginBearerToken** and deploy.

-4. Mark the checkbox labeled **I agree to the terms and conditions stated above**.

-5. Click **Purchase** to deploy.

-6. After deploying open Function App page, select your app, go to the **Functions** and click **Get Function Url** copy it and follow p.7 from STEP 1.

-Option 2 - Manual Deployment of Azure Functions

-Use the following step-by-step instructions to deploy the OneLogin data connector manually with Azure Functions (Deployment via Visual Studio Code).

-**1. Deploy a Function App**

-> **NOTE:** You will need to [prepare VS code](/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.

-1. Download the [Azure Function App](https://aka.ms/sentinel-OneLogin-functionapp) file. Extract archive to your local development computer.

-2. Start VS Code. Choose File in the main menu and select Open Folder.

-3. Select the top level folder from extracted files.

-4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.

-If you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**

-If you're already signed in, go to the next step.

-5. Provide the following information at the prompts:

- a. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.

- b. **Select Subscription:** Choose the subscription to use.

- c. Select **Create new Function App in Azure** (Don't choose the Advanced option)

- d. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. OneLoginXXXXX).

- e. **Select a runtime:** Choose Python 3.8.

- f. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.

-6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.

-7. Go to Azure Portal for the Function App configuration.

-**2. Configure the Function App**

-1. In the Function App, select the Function App Name and select **Configuration**.

-2. In the **Application settings** tab, select ** New application setting**.

-3. Add each of the following application settings individually, with their respective string values (case-sensitive):

- OneLoginBearerToken

- WorkspaceID

- WorkspaceKey

- logAnalyticsUri (optional)

-> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://<CustomerId>.ods.opinsights.azure.us`.

-4. Once all application settings have been entered, click **Save**.

-| **Azure function app code** | https://aka.ms/sentinel-OracleCloudInfrastructureLogsConnector-functionapp |

-Option 1 - Azure Resource Manager (ARM) Template

-Use this method for automated deployment of the OCI data connector using an ARM Template.

-1. Click the **Deploy to Azure** button below.

- [](https://aka.ms/sentinel-OracleCloudInfrastructureLogsConnector-azuredeploy)

-2. Select the preferred **Subscription**, **Resource Group** and **Location**.

-3. Enter the **Microsoft Sentinel Workspace Id**, **Microsoft Sentinel Shared Key**, **User**, **Key_content**, **Pass_phrase**, **Fingerprint**, **Tenancy**, **Region**, **Message Endpoint**, **Stream Ocid**

-4. Mark the checkbox labeled **I agree to the terms and conditions stated above**.

-5. Click **Purchase** to deploy.

-Option 2 - Manual Deployment of Azure Functions

-Use the following step-by-step instructions to deploy the OCI data connector manually with Azure Functions (Deployment via Visual Studio Code).

-**1. Deploy a Function App**

-> **NOTE:** You will need to [prepare VS code](/azure/azure-functions/create-first-function-vs-code-python) for Azure function development.

-1. Download the [Azure Function App](https://aka.ms/sentinel-OracleCloudInfrastructureLogsConnector-functionapp) file. Extract archive to your local development computer.

-2. Start VS Code. Choose File in the main menu and select Open Folder.

-3. Select the top level folder from extracted files.

-4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.

-If you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**

-If you're already signed in, go to the next step.

-5. Provide the following information at the prompts:

- a. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.

- b. **Select Subscription:** Choose the subscription to use.

- c. Select **Create new Function App in Azure** (Don't choose the Advanced option)

- d. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. OciAuditXX).

- e. **Select a runtime:** Choose Python 3.8.

- f. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.

-6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.

-7. Go to Azure Portal for the Function App configuration.

-**2. Configure the Function App**

-1. In the Function App, select the Function App Name and select **Configuration**.

-2. In the **Application settings** tab, select **+ New application setting**.

-3. Add each of the following application settings individually, with their respective string values (case-sensitive):

- AzureSentinelWorkspaceId

- AzureSentinelSharedKey

- user

- key_content

- pass_phrase (Optional)

- fingerprint

- tenancy

- region

- Message Endpoint

- StreamOcid

- logAnalyticsUri (Optional)

-4. Once all application settings have been entered, click **Save**.

-| **Application settings** | apiUsername<br/>apipassword<br/>workspaceID<br/>workspaceKey<br/>uri<br/>logAnalyticsUri (optional) |

-| **Azure function app code** | https://aka.ms/sentinelproofpointtapazurefunctioncode |

-Option 1 - Azure Resource Manager (ARM) Template

-Use this method for automated deployment of the Proofpoint TAP connector.

-1. Click the **Deploy to Azure** button below.

- [](https://aka.ms/sentinelproofpointtapazuredeploy)

-2. Select the preferred **Subscription**, **Resource Group** and **Location**.

-3. Enter the **Workspace ID**, **Workspace Key**, **API Username**, **API Password**, and validate the **Uri**.

-> - The default URI is pulling data for the last 300 seconds (5 minutes) to correspond with the default Function App Timer trigger of 5 minutes. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly (in the function.json file, post deployment) to prevent overlapping data ingestion.

-> - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](/azure/app-service/app-service-key-vault-references) for further details.

-4. Mark the checkbox labeled **I agree to the terms and conditions stated above**.

-5. Click **Purchase** to deploy.

-Option 2 - Manual Deployment of Azure Functions

-This method provides the step-by-step instructions to deploy the Proofpoint TAP connector manually with Azure Function.

-**1. Create a Function App**

-1. From the Azure Portal, navigate to [Function App](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Web%2Fsites/kind/functionapp), and select **+ Add**.

-2. In the **Basics** tab, ensure Runtime stack is set to **Powershell Core**.

-3. In the **Hosting** tab, ensure the **Consumption (Serverless)** plan type is selected.

-4. Make other preferrable configuration changes, if needed, then click **Create**.

-**2. Import Function App Code**

-1. In the newly created Function App, select **Functions** on the left pane and click **+ Add**.

-2. Select **Timer Trigger**.

-3. Enter a unique Function **Name** and modify the cron schedule, if needed. The default value is set to run the Function App every 5 minutes. (Note: the Timer trigger should match the `timeInterval` value below to prevent overlapping data), click **Create**.

-4. Click on **Code + Test** on the left pane.

-5. Copy the [Function App Code](https://aka.ms/sentinelproofpointtapazurefunctioncode) and paste into the Function App `run.ps1` editor.

-5. Click **Save**.

-**3. Configure the Function App**

-1. In the Function App, select the Function App Name and select **Configuration**.

-2. In the **Application settings** tab, select **+ New application setting**.

-3. Add each of the following six (6) application settings individually, with their respective string values (case-sensitive):

- apiUsername

- apipassword

- workspaceID

- workspaceKey

- uri

- logAnalyticsUri (optional)

-> - Set the `uri` value to: `https://tap-api-v2.proofpoint.com/v2/siem/all?format=json&sinceSeconds=300`

-> - The default URI is pulling data for the last 300 seconds (5 minutes) to correspond with the default Function App Timer trigger of 5 minutes. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly to prevent overlapping data ingestion.

-> - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](/azure/app-service/app-service-key-vault-references) for further details.

-> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://<CustomerId>.ods.opinsights.azure.us`

-4. Once all application settings have been entered, click **Save**.

-description: "Learn how to install the connector Qualys VM KnowledgeBase (using Azure Function) to connect your data source to Microsoft Sentinel."

-# Qualys VM KnowledgeBase (using Azure Function) connector for Microsoft Sentinel

-The [Qualys Vulnerability Management (VM)](https://www.qualys.com/apps/vulnerability-management/) KnowledgeBase (KB) connector provides the capability to ingest the latest vulnerability data from the Qualys KB into Microsoft Sentinel.

- This data can used to correlate and enrich vulnerability detections found by the [Qualys Vulnerability Management (VM)](/azure/sentinel/data-connectors-reference#qualys) data connector.

-## Connector attributes

-| Connector attribute | Description |

-| | |

-| **Application settings** | apiUsername<br/>apiPassword<br/>workspaceID<br/>workspaceKey<br/>uri<br/>filterParameters<br/>logAnalyticsUri (optional) |

-| **Azure function app code** | https://aka.ms/sentinel-qualyskb-functioncode |

-| **Log Analytics table(s)** | QualysKB_CL<br/> |

-| **Data collection rules support** | Not currently supported |

-| **Supported by** | [Microsoft Corporation](https://support.microsoft.com/) |

-## Query samples

-**Vulnerabilities by Category**

- ```kusto

-QualysKB

-

- | summarize count() by Category

- ```

-**Top 10 Software Vendors**

- ```kusto

-QualysKB

-

- | summarize count() by SoftwareVendor

- | top 10 by count_

- ```

-## Prerequisites

-To integrate with Qualys VM KnowledgeBase (using Azure Function) make sure you have:

-## Vendor installation instructions

-**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias QualysVM Knowledgebase and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CrowdStrike%20Falcon%20Endpoint%20Protection/Parsers/CrowdstrikeFalconEventStream.txt), on the second line of the query, enter the hostname(s) of your QualysVM Knowledgebase device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update.

->This data connector depends on a parser based on a Kusto Function to work as expected. [Follow the steps](https://aka.ms/sentinel-qualyskb-parser) to use the Kusto function alias, **QualysKB**

->**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App.

-**STEP 1 - Configuration steps for the Qualys API**

-1. Log into the Qualys Vulnerability Management console with an administrator account, select the **Users** tab and the **Users** subtab.

-2. Click on the **New** drop-down menu and select **Users**.

-3. Create a username and password for the API account.

-4. In the **User Roles** tab, ensure the account role is set to **Manager** and access is allowed to **GUI** and **API**

-4. Log out of the administrator account and log into the console with the new API credentials for validation, then log out of the API account.

-5. Log back into the console using an administrator account and modify the API accounts User Roles, removing access to **GUI**.

-6. Save all changes.

-**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**

->**IMPORTANT:** Before deploying the Qualys KB connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Qualys API username and password, readily available.

-Option 1 - Azure Resource Manager (ARM) Template

-Use this method for automated deployment of the Qualys KB connector using an ARM Tempate.

-1. Click the **Deploy to Azure** button below.

- [](https://aka.ms/sentinel-qualyskb-azuredeploy)

-2. Select the preferred **Subscription**, **Resource Group** and **Location**.

-3. Enter the **Workspace ID**, **Workspace Key**, **API Username**, **API Password** , update the **URI**, and any additional URI **Filter Parameters** (This value should include a "&" symbol between each parameter and should not include any spaces)

-> - Enter the URI that corresponds to your region. The complete list of API Server URLs can be [found here](https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf#G4.735348)

-> - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](/azure/app-service/app-service-key-vault-references) for further details.

-4. Mark the checkbox labeled **I agree to the terms and conditions stated above**.

-5. Click **Purchase** to deploy.

-Option 2 - Manual Deployment of Azure Functions

-This method provides the step-by-step instructions to deploy the Qualys KB connector manually with Azure Function.

-**1. Create a Function App**

-1. From the Azure Portal, navigate to [Function App](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Web%2Fsites/kind/functionapp), and select **+ Add**.

-2. In the **Basics** tab, ensure Runtime stack is set to **Powershell Core**.

-3. In the **Hosting** tab, ensure the **Consumption (Serverless)** plan type is selected.

-4. Make other preferrable configuration changes, if needed, then click **Create**.

-**2. Import Function App Code**

-1. In the newly created Function App, select **Functions** on the left pane and click **+ Add**.

-2. Select **Timer Trigger**.

-3. Enter a unique Function **Name** and modify the cron schedule, if needed. Leave the default **Schedule** value, which will run the Function App every 5 minutes and click **Create**.

-4. Click on **Code + Test** on the left pane.

-5. Copy the [Function App Code](https://aka.ms/sentinel-qualyskb-functioncode) and paste into the Function App `run.ps1` editor.

-5. Click **Save**.

-**3. Configure the Function App**

-1. In the Function App, select the Function App Name and select **Configuration**.

-2. In the **Application settings** tab, select **+ New application setting**.

-3. Add each of the following seven (7) application settings individually, with their respective string values (case-sensitive):

- apiUsername

- apiPassword

- workspaceID

- workspaceKey

- uri

- filterParameters

- logAnalyticsUri (optional)

-> - Enter the URI that corresponds to your region. The complete list of API Server URLs can be [found here](https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf#G4.735348). The `uri` value must follow the following schema: `https://<API Server>/api/2.0`

-> - Add any additional filter parameters, for the `filterParameters` variable, that need to be appended to the URI. The `filterParameter` value should include a "&" symbol between each parameter and should not include any spaces.

-> - Note: If using Azure Key Vault, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](/azure/app-service/app-service-key-vault-references) for further details.

-4. Once all application settings have been entered, click **Save**.

-## Next steps

-For more information, go to the [related solution](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/azuresentinel.azure-sentinel-solution-qualysvmknowledgebase?tab=Overview) in the Azure Marketplace.

-description: "Learn how to install the connector Salesforce Service Cloud (using Azure Function) to connect your data source to Microsoft Sentinel."

-# Salesforce Service Cloud (using Azure Function) connector for Microsoft Sentinel

-The Salesforce Service Cloud data connector provides the capability to ingest information about your Salesforce operational events into Microsoft Sentinel through the REST API. The connector provides ability to review events in your org on an accelerated basis, get [event log files](https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/event_log_file_hourly_overview.htm) in hourly increments for recent activity.

-## Connector attributes

-| Connector attribute | Description |

-| | |

-| **Azure function app code** | https://aka.ms/sentinel-SalesforceServiceCloud-functionapp |

-| **Log Analytics table(s)** | SalesforceServiceCloud_CL<br/> |

-| **Data collection rules support** | Not currently supported |

-| **Supported by** | [Microsoft Corporation](https://support.microsoft.com/) |

-## Query samples

-**Last Salesforce Service Cloud EventLogFile Events**

- ```kusto

-SalesforceServiceCloud

-

- | sort by TimeGenerated desc

- ```

-## Prerequisites

-To integrate with Salesforce Service Cloud (using Azure Function) make sure you have:

-## Vendor installation instructions

-> [!NOTE]

- > This connector uses Azure Functions to connect to the Salesforce Lightning Platform REST API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.

->**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App.

-**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias SalesforceServiceCloud and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Salesforce%20Service%20Cloud/Parsers/SalesforceServiceCloud.txt). The function usually takes 10-15 minutes to activate after solution installation/update.

-**STEP 1 - Configuration steps for the Salesforce Lightning Platform REST API**

-1. See the [link](https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/quickstart.htm) and follow the instructions for obtaining Salesforce API Authorization credentials.

-2. On the **Set Up Authorization** step choose **Session ID Authorization** method.

-3. You must provide your client id, client secret, username, and password with user security token.

-> [!NOTE]

- > Ingesting data from on an hourly interval may require additional licensing based on the edition of the Salesforce Service Cloud being used. Please refer to [Salesforce documentation](https://www.salesforce.com/editions-pricing/service-cloud/) and/or support for more details.

-**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**

->**IMPORTANT:** Before deploying the Salesforce Service Cloud data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Salesforce API Authorization credentials, readily available.

-Option 1 - Azure Resource Manager (ARM) Template

-Use this method for automated deployment of the Salesforce Service Cloud data connector using an ARM Tempate.

-1. Click the **Deploy to Azure** button below.

- [](https://aka.ms/sentinel-SalesforceServiceCloud-azuredeploy)

-2. Select the preferred **Subscription**, **Resource Group** and **Location**.

-3. Enter the **Workspace ID**, **Workspace Key**, **Salesforce API Username**, **Salesforce API Password**, **Salesforce Security Token**, **Salesforce Consumer Key**, **Salesforce Consumer Secret** and deploy.

-4. Mark the checkbox labeled **I agree to the terms and conditions stated above**.

-5. Click **Purchase** to deploy.

-Option 2 - Manual Deployment of Azure Functions

-Use the following step-by-step instructions to deploy the Salesforce Service Cloud data connector manually with Azure Functions (Deployment via Visual Studio Code).

-**1. Deploy a Function App**

-> NOTE:You will need to [prepare VS code](/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.

-1. Download the [Azure Function App](https://aka.ms/sentinel-SalesforceServiceCloud-functionapp) file. Extract archive to your local development computer.

-2. Start VS Code. Choose File in the main menu and select Open Folder.

-3. Select the top level folder from extracted files.

-4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.

-If you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**

-If you're already signed in, go to the next step.

-5. Provide the following information at the prompts:

- a. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.

- b. **Select Subscription:** Choose the subscription to use.

- c. Select **Create new Function App in Azure** (Don't choose the Advanced option)

- d. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. SalesforceXXXXX).

- e. **Select a runtime:** Choose Python 3.8.

- f. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.

-6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.

-7. Go to Azure Portal for the Function App configuration.

-**2. Configure the Function App**

-1. In the Function App, select the Function App Name and select **Configuration**.

-2. In the **Application settings** tab, select **+ New application setting**.

-3. Add each of the following application settings individually, with their respective string values (case-sensitive):

- SalesforceUser

- SalesforcePass

- SalesforceSecurityToken

- SalesforceConsumerKey

- SalesforceConsumerSecret

- WorkspaceID

- WorkspaceKey

- logAnalyticsUri (optional)

-3. Once all application settings have been entered, click **Save**.

-## Next steps

-For more information, go to the [related solution](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/azuresentinel.azure-sentinel-solution-salesforceservicecloud?tab=Overview) in the Azure Marketplace.

-description: "Learn how to install the connector Snowflake (using Azure Function) to connect your data source to Microsoft Sentinel."

-# Snowflake (using Azure Functions) connector for Microsoft Sentinel

-The Snowflake data connector provides the capability to ingest Snowflake [login logs](https://docs.snowflake.com/en/sql-reference/account-usage/login_history.html) and [query logs](https://docs.snowflake.com/en/sql-reference/account-usage/query_history.html) into Microsoft Sentinel using the Snowflake Python Connector. Refer to [Snowflake documentation](https://docs.snowflake.com/en/user-guide/python-connector.html) for more information.

-## Connector attributes

-| Connector attribute | Description |

-| | |

-| **Azure functions app code** | https://aka.ms/sentinel-SnowflakeDataConnector-functionapp |

-| **Log Analytics table(s)** | Snowflake_CL<br/> |

-| **Data collection rules support** | Not currently supported |

-| **Supported by** | [Microsoft Corporation](https://support.microsoft.com) |

-## Query samples

-**All Snowflake Events**

- ```kusto

-Snowflake_CL

- | sort by TimeGenerated desc

- ```

-## Prerequisites

-To integrate with Snowflake (using Azure Functions) make sure you have:

-## Vendor installation instructions

-> [!NOTE]

- > This connector uses Azure Functions to connect to the Azure Blob Storage API to pull logs into Microsoft Sentinel. This might result in additional costs for data ingestion and for storing data in Azure Blob Storage costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) and [Azure Blob Storage pricing page](https://azure.microsoft.com/pricing/details/storage/blobs/) for details.

->**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App.

-> [!NOTE]

- > This data connector depends on a parser based on a Kusto Function to work as expected [**Snowflake**](https://aka.ms/sentinel-SnowflakeDataConnector-parser) which is deployed with the Microsoft Sentinel Solution.

-**STEP 1 - Creating user in Snowflake**

-To query data from Snowflake you need a user that is assigned to a role with sufficient privileges and a virtual warehouse cluster. The initial size of this cluster will be set to small but if it is insufficient, the cluster size can be increased as necessary.

-1. Enter the Snowflake console.

-2. Switch role to SECURITYADMIN and [create a new role](https://docs.snowflake.com/en/sql-reference/sql/create-role.html):

-USE ROLE SECURITYADMIN;

-CREATE OR REPLACE ROLE EXAMPLE_ROLE_NAME;

-3. Switch role to SYSADMIN and [create warehouse](https://docs.snowflake.com/en/sql-reference/sql/create-warehouse.html) and [grand access](https://docs.snowflake.com/en/sql-reference/sql/grant-privilege.html) to it:

-USE ROLE SYSADMIN;

-CREATE OR REPLACE WAREHOUSE EXAMPLE_WAREHOUSE_NAME

- WAREHOUSE_SIZE = 'SMALL'

- AUTO_SUSPEND = 5

- AUTO_RESUME = true

- INITIALLY_SUSPENDED = true;

-GRANT USAGE, OPERATE ON WAREHOUSE EXAMPLE_WAREHOUSE_NAME TO ROLE EXAMPLE_ROLE_NAME;

-4. Switch role to SECURITYADMIN and [create a new user](https://docs.snowflake.com/en/sql-reference/sql/create-user.html):

-USE ROLE SECURITYADMIN;

-CREATE OR REPLACE USER EXAMPLE_USER_NAME

- PASSWORD = 'example_password'

- DEFAULT_ROLE = EXAMPLE_ROLE_NAME

- DEFAULT_WAREHOUSE = EXAMPLE_WAREHOUSE_NAME

-;

-5. Switch role to ACCOUNTADMIN and [grant access to snowflake database](https://docs.snowflake.com/en/sql-reference/account-usage.html#enabling-account-usage-for-other-roles) for role.

-USE ROLE ACCOUNTADMIN;

-GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO ROLE EXAMPLE_ROLE_NAME;

-6. Switch role to SECURITYADMIN and [assign role](https://docs.snowflake.com/en/sql-reference/sql/grant-role.html) to user:

-USE ROLE SECURITYADMIN;

-GRANT ROLE EXAMPLE_ROLE_NAME TO USER EXAMPLE_USER_NAME;

->**IMPORTANT:** Save user and API password created during this step as they will be used during deployment step.

-**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**

->**IMPORTANT:** Before deploying the data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as Snowflake credentials, readily available.

-Option 1 - Azure Resource Manager (ARM) Template

-Use this method for automated deployment of the data connector using an ARM Template.

-1. Click the **Deploy to Azure** button below.

- [](https://aka.ms/sentinel-SnowflakeDataConnector-azuredeploy)

-2. Select the preferred **Subscription**, **Resource Group** and **Location**.

-3. Enter the **Snowflake Account Identifier**, **Snowflake User**, **Snowflake Password**, **Microsoft Sentinel Workspace Id**, **Microsoft Sentinel Shared Key**

-4. Mark the checkbox labeled **I agree to the terms and conditions stated above**.

-5. Click **Purchase** to deploy.

-Option 2 - Manual Deployment of Azure Functions

-Use the following step-by-step instructions to deploy the data connector manually with Azure Functions (Deployment via Visual Studio Code).

-**1. Deploy a Function App**

-> **NOTE:** You will need to [prepare VS code](/azure/azure-functions/create-first-function-vs-code-python) for Azure function development.

-1. Download the [Azure Function App](https://aka.ms/sentinel-SnowflakeDataConnector-functionapp) file. Extract archive to your local development computer.

-2. Start VS Code. Choose File in the main menu and select Open Folder.

-3. Select the top level folder from extracted files.

-4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.

-If you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**

-If you're already signed in, go to the next step.

-5. Provide the following information at the prompts:

- a. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.

- b. **Select Subscription:** Choose the subscription to use.

- c. Select **Create new Function App in Azure** (Don't choose the Advanced option)

- d. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. Snowflake12).

- e. **Select a runtime:** Choose Python 3.8.

- f. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.

-6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.

-7. Go to Azure Portal for the Function App configuration.

-**2. Configure the Function App**

-1. In the Function App, select the Function App Name and select **Configuration**.

-2. In the **Application settings** tab, select **+ New application setting**.

-3. Add each of the following application settings individually, with their respective string values (case-sensitive):

- SNOWFLAKE_ACCOUNT

- SNOWFLAKE_USER

- SNOWFLAKE_PASSWORD

- WORKSPACE_ID

- SHARED_KEY

- logAnalyticsUri (optional)

-4. Once all application settings have been entered, click **Save**.

-## Next steps

-For more information, go to the [related solution](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/azuresentinel.azure-sentinel-solution-snowflake?tab=Overview) in the Azure Marketplace.